Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.39.1-201106131719.patch
1 diff -urNp linux-2.6.39.1/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.1/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.39.1/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3 +++ linux-2.6.39.1/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4 @@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
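Review bot: The `const` added to `dma_ops` protects the operations table it points at, but the pointer itself stays a writable, exported global, so the indirection used by `get_dma_ops()` can still be redirected by a stray kernel write. Both definitions touched later in this patch (arch/alpha/kernel/pci_iommu.c and arch/alpha/kernel/pci-noop.c) initialise it at its declaration. If nothing outside these hunks assigns it afterwards, `extern const struct dma_map_ops * const dma_ops;` with matching definitions would make the pointer read-only as well. That absence of later assignments is not visible here and needs confirming before the change.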
16 diff -urNp linux-2.6.39.1/arch/alpha/include/asm/elf.h linux-2.6.39.1/arch/alpha/include/asm/elf.h
17 --- linux-2.6.39.1/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
18 +++ linux-2.6.39.1/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.39.1/arch/alpha/include/asm/pgtable.h linux-2.6.39.1/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.39.1/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
35 +++ linux-2.6.39.1/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_apecs.c linux-2.6.39.1/arch/alpha/kernel/core_apecs.c
55 --- linux-2.6.39.1/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400
56 +++ linux-2.6.39.1/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400
57 @@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus,
58 return PCIBIOS_SUCCESSFUL;
59 }
60
61 -struct pci_ops apecs_pci_ops =
62 +const struct pci_ops apecs_pci_ops =
63 {
64 .read = apecs_read_config,
65 .write = apecs_write_config,
66 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_cia.c linux-2.6.39.1/arch/alpha/kernel/core_cia.c
67 --- linux-2.6.39.1/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400
68 +++ linux-2.6.39.1/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400
69 @@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un
70 return PCIBIOS_SUCCESSFUL;
71 }
72
73 -struct pci_ops cia_pci_ops =
74 +const struct pci_ops cia_pci_ops =
75 {
76 .read = cia_read_config,
77 .write = cia_write_config,
78 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_irongate.c linux-2.6.39.1/arch/alpha/kernel/core_irongate.c
79 --- linux-2.6.39.1/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400
80 +++ linux-2.6.39.1/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400
81 @@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu
82 return PCIBIOS_SUCCESSFUL;
83 }
84
85 -struct pci_ops irongate_pci_ops =
86 +const struct pci_ops irongate_pci_ops =
87 {
88 .read = irongate_read_config,
89 .write = irongate_write_config,
90 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_lca.c linux-2.6.39.1/arch/alpha/kernel/core_lca.c
91 --- linux-2.6.39.1/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400
92 +++ linux-2.6.39.1/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400
93 @@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un
94 return PCIBIOS_SUCCESSFUL;
95 }
96
97 -struct pci_ops lca_pci_ops =
98 +const struct pci_ops lca_pci_ops =
99 {
100 .read = lca_read_config,
101 .write = lca_write_config,
102 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_marvel.c linux-2.6.39.1/arch/alpha/kernel/core_marvel.c
103 --- linux-2.6.39.1/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400
104 +++ linux-2.6.39.1/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400
105 @@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus,
106 return PCIBIOS_SUCCESSFUL;
107 }
108
109 -struct pci_ops marvel_pci_ops =
110 +const struct pci_ops marvel_pci_ops =
111 {
112 .read = marvel_read_config,
113 .write = marvel_write_config,
114 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.1/arch/alpha/kernel/core_mcpcia.c
115 --- linux-2.6.39.1/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400
116 +++ linux-2.6.39.1/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400
117 @@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus,
118 return PCIBIOS_SUCCESSFUL;
119 }
120
121 -struct pci_ops mcpcia_pci_ops =
122 +const struct pci_ops mcpcia_pci_ops =
123 {
124 .read = mcpcia_read_config,
125 .write = mcpcia_write_config,
126 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_polaris.c linux-2.6.39.1/arch/alpha/kernel/core_polaris.c
127 --- linux-2.6.39.1/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400
128 +++ linux-2.6.39.1/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400
129 @@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus
130 return PCIBIOS_SUCCESSFUL;
131 }
132
133 -struct pci_ops polaris_pci_ops =
134 +const struct pci_ops polaris_pci_ops =
135 {
136 .read = polaris_read_config,
137 .write = polaris_write_config,
138 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_t2.c linux-2.6.39.1/arch/alpha/kernel/core_t2.c
139 --- linux-2.6.39.1/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400
140 +++ linux-2.6.39.1/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400
141 @@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns
142 return PCIBIOS_SUCCESSFUL;
143 }
144
145 -struct pci_ops t2_pci_ops =
146 +const struct pci_ops t2_pci_ops =
147 {
148 .read = t2_read_config,
149 .write = t2_write_config,
150 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_titan.c linux-2.6.39.1/arch/alpha/kernel/core_titan.c
151 --- linux-2.6.39.1/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400
152 +++ linux-2.6.39.1/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400
153 @@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus,
154 return PCIBIOS_SUCCESSFUL;
155 }
156
157 -struct pci_ops titan_pci_ops =
158 +const struct pci_ops titan_pci_ops =
159 {
160 .read = titan_read_config,
161 .write = titan_write_config,
162 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_tsunami.c linux-2.6.39.1/arch/alpha/kernel/core_tsunami.c
163 --- linux-2.6.39.1/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400
164 +++ linux-2.6.39.1/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400
165 @@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus
166 return PCIBIOS_SUCCESSFUL;
167 }
168
169 -struct pci_ops tsunami_pci_ops =
170 +const struct pci_ops tsunami_pci_ops =
171 {
172 .read = tsunami_read_config,
173 .write = tsunami_write_config,
174 diff -urNp linux-2.6.39.1/arch/alpha/kernel/core_wildfire.c linux-2.6.39.1/arch/alpha/kernel/core_wildfire.c
175 --- linux-2.6.39.1/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400
176 +++ linux-2.6.39.1/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400
177 @@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu
178 return PCIBIOS_SUCCESSFUL;
179 }
180
181 -struct pci_ops wildfire_pci_ops =
182 +const struct pci_ops wildfire_pci_ops =
183 {
184 .read = wildfire_read_config,
185 .write = wildfire_write_config,
186 diff -urNp linux-2.6.39.1/arch/alpha/kernel/module.c linux-2.6.39.1/arch/alpha/kernel/module.c
187 --- linux-2.6.39.1/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
188 +++ linux-2.6.39.1/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
189 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
190
191 /* The small sections were sorted to the end of the segment.
192 The following should definitely cover them. */
193 - gp = (u64)me->module_core + me->core_size - 0x8000;
194 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
195 got = sechdrs[me->arch.gotsecindex].sh_addr;
196
197 for (i = 0; i < n; i++) {
198 diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/kernel/osf_sys.c
199 --- linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
200 +++ linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
201 @@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
202 return -EFAULT;
203
204 len = namelen;
205 - if (namelen > 32)
206 + if (len > 32)
207 len = 32;
208
209 down_read(&uts_sem);
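Review bot: The new test `if (len > 32)` only closes the negative-`namelen` case if `len` is an unsigned type, and its declaration is outside this hunk. A comment above the test, for example `/* len is unsigned: a negative namelen becomes huge and is clamped to 32 */`, would keep a later cleanup from reintroducing the signed comparison. The check that produces the `return -EFAULT;` just above is also outside the hunk and presumably still validates the caller-supplied `namelen`; confirm it covers the same clamped range that is later copied out.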
210 @@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
211 down_read(&uts_sem);
212 res = sysinfo_table[offset];
213 len = strlen(res)+1;
214 - if (len > count)
215 + if ((unsigned long)len > (unsigned long)count)
216 len = count;
217 if (copy_to_user(buf, res, len))
218 err = -EFAULT;
219 @@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
220 return 1;
221
222 case GSI_GET_HWRPB:
223 - if (nbytes < sizeof(*hwrpb))
224 + if (nbytes > sizeof(*hwrpb))
225 return -EINVAL;
226 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
227 return -EFAULT;
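Review bot: Reversing the comparison to `nbytes > sizeof(*hwrpb)` bounds the `copy_to_user()` to the structure, but it also changes the contract in two ways that the code does not document. Requests shorter than the structure, which the old test rejected, now succeed with a truncated copy, and callers that passed a larger buffer now get `-EINVAL`. A comment such as `/* never copy past *hwrpb; short reads are allowed */` would record that this is intended. The `case` sits inside a switch that starts and ends outside the hunk.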
228 @@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
229 {
230 struct rusage r;
231 long ret, err;
232 + unsigned int status = 0;
233 mm_segment_t old_fs;
234
235 if (!ur)
236 @@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
237 old_fs = get_fs();
238
239 set_fs (KERNEL_DS);
240 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
241 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
242 + (struct rusage __user *) &r);
243 set_fs (old_fs);
244
245 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
246 return -EFAULT;
247
248 err = 0;
249 + err |= put_user(status, ustatus);
250 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
251 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
252 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
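Review bot: `err |= put_user(status, ustatus);` runs unconditionally, so a caller that passes a NULL `ustatus`, which `sys_wait4()` itself tolerates, would now accumulate a fault from the copy-out instead of having the status skipped. Guarding it as `if (ustatus) err |= put_user(status, ustatus);` keeps the previous semantics. In the visible lines the copy-out is also not conditioned on `ret`, and `struct rusage r` is declared without an initialiser, so after a failed wait the `__put_user()` calls may hand uninitialised kernel stack contents to user space. Whether a later check prevents that cannot be seen, because the function continues past the hunk; zeroing `r` before the call or returning early when `ret` is negative would close it.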
253 @@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
254 /* At this point: (!vma || addr < vma->vm_end). */
255 if (limit - len < addr)
256 return -ENOMEM;
257 - if (!vma || addr + len <= vma->vm_start)
258 + if (check_heap_stack_gap(vma, addr, len))
259 return addr;
260 addr = vma->vm_end;
261 vma = vma->vm_next;
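Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL test on `vma` into a helper defined outside this hunk, while the next line still dereferences `vma->vm_end`. That is only safe if the helper returns true for a NULL `vma`. A short comment here, e.g. `/* check_heap_stack_gap() accepts vma == NULL */`, would make the dependency visible to anyone changing the helper. The loop this sits in starts and ends outside the hunk.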
262 @@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
263 merely specific addresses, but regions of memory -- perhaps
264 this feature should be incorporated into all ports? */
265
266 +#ifdef CONFIG_PAX_RANDMMAP
267 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
268 +#endif
269 +
270 if (addr) {
271 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
272 if (addr != (unsigned long) -ENOMEM)
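Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and silently governs the `if (addr) {` block that follows after a blank line. The guard's scope therefore depends on nothing ever being inserted between the two statements, and the block's meaning changes with the config option without any visual cue. At minimum add a comment on the guard, `/* no braces: controls the if (addr) block below; hint addresses are ignored under RANDMMAP */`, or fold the test into the `if (addr)` condition. The enclosing function starts and ends outside the hunk.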
273 @@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
274 }
275
276 /* Next, try allocating at TASK_UNMAPPED_BASE. */
277 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
278 - len, limit);
279 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
280 +
281 if (addr != (unsigned long) -ENOMEM)
282 return addr;
283
284 diff -urNp linux-2.6.39.1/arch/alpha/kernel/pci_iommu.c linux-2.6.39.1/arch/alpha/kernel/pci_iommu.c
285 --- linux-2.6.39.1/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400
286 +++ linux-2.6.39.1/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400
287 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
288 return 0;
289 }
290
291 -struct dma_map_ops alpha_pci_ops = {
292 +const struct dma_map_ops alpha_pci_ops = {
293 .alloc_coherent = alpha_pci_alloc_coherent,
294 .free_coherent = alpha_pci_free_coherent,
295 .map_page = alpha_pci_map_page,
296 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
297 .set_dma_mask = alpha_pci_set_mask,
298 };
299
300 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
301 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
302 EXPORT_SYMBOL(dma_ops);
303 diff -urNp linux-2.6.39.1/arch/alpha/kernel/pci-noop.c linux-2.6.39.1/arch/alpha/kernel/pci-noop.c
304 --- linux-2.6.39.1/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400
305 +++ linux-2.6.39.1/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400
306 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
307 return 0;
308 }
309
310 -struct dma_map_ops alpha_noop_ops = {
311 +const struct dma_map_ops alpha_noop_ops = {
312 .alloc_coherent = alpha_noop_alloc_coherent,
313 .free_coherent = alpha_noop_free_coherent,
314 .map_page = alpha_noop_map_page,
315 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
316 .set_dma_mask = alpha_noop_set_mask,
317 };
318
319 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
320 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
321 EXPORT_SYMBOL(dma_ops);
322
323 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
324 diff -urNp linux-2.6.39.1/arch/alpha/kernel/proto.h linux-2.6.39.1/arch/alpha/kernel/proto.h
325 --- linux-2.6.39.1/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400
326 +++ linux-2.6.39.1/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400
327 @@ -17,14 +17,14 @@ struct pci_dev;
328 struct pci_controller;
329
330 /* core_apecs.c */
331 -extern struct pci_ops apecs_pci_ops;
332 +extern const struct pci_ops apecs_pci_ops;
333 extern void apecs_init_arch(void);
334 extern void apecs_pci_clr_err(void);
335 extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr);
336 extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
337
338 /* core_cia.c */
339 -extern struct pci_ops cia_pci_ops;
340 +extern const struct pci_ops cia_pci_ops;
341 extern void cia_init_pci(void);
342 extern void cia_init_arch(void);
343 extern void pyxis_init_arch(void);
344 @@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l
345 extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
346
347 /* core_irongate.c */
348 -extern struct pci_ops irongate_pci_ops;
349 +extern const struct pci_ops irongate_pci_ops;
350 extern int irongate_pci_clr_err(void);
351 extern void irongate_init_arch(void);
352 #define irongate_pci_tbi ((void *)0)
353
354 /* core_lca.c */
355 -extern struct pci_ops lca_pci_ops;
356 +extern const struct pci_ops lca_pci_ops;
357 extern void lca_init_arch(void);
358 extern void lca_machine_check(unsigned long vector, unsigned long la_ptr);
359 extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
360
361 /* core_marvel.c */
362 -extern struct pci_ops marvel_pci_ops;
363 +extern const struct pci_ops marvel_pci_ops;
364 extern void marvel_init_arch(void);
365 extern void marvel_kill_arch(int);
366 extern void marvel_machine_check(unsigned long, unsigned long);
367 @@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 *
368 void io7_clear_errors(struct io7 *io7);
369
370 /* core_mcpcia.c */
371 -extern struct pci_ops mcpcia_pci_ops;
372 +extern const struct pci_ops mcpcia_pci_ops;
373 extern void mcpcia_init_arch(void);
374 extern void mcpcia_init_hoses(void);
375 extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr);
376 extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
377
378 /* core_polaris.c */
379 -extern struct pci_ops polaris_pci_ops;
380 +extern const struct pci_ops polaris_pci_ops;
381 extern int polaris_read_config_dword(struct pci_dev *, int, u32 *);
382 extern int polaris_write_config_dword(struct pci_dev *, int, u32);
383 extern void polaris_init_arch(void);
384 @@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign
385 #define polaris_pci_tbi ((void *)0)
386
387 /* core_t2.c */
388 -extern struct pci_ops t2_pci_ops;
389 +extern const struct pci_ops t2_pci_ops;
390 extern void t2_init_arch(void);
391 extern void t2_kill_arch(int);
392 extern void t2_machine_check(unsigned long vector, unsigned long la_ptr);
393 extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
394
395 /* core_titan.c */
396 -extern struct pci_ops titan_pci_ops;
397 +extern const struct pci_ops titan_pci_ops;
398 extern void titan_init_arch(void);
399 extern void titan_kill_arch(int);
400 extern void titan_machine_check(unsigned long, unsigned long);
401 @@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con
402 extern struct _alpha_agp_info *titan_agp_info(void);
403
404 /* core_tsunami.c */
405 -extern struct pci_ops tsunami_pci_ops;
406 +extern const struct pci_ops tsunami_pci_ops;
407 extern void tsunami_init_arch(void);
408 extern void tsunami_kill_arch(int);
409 extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr);
410 extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
411
412 /* core_wildfire.c */
413 -extern struct pci_ops wildfire_pci_ops;
414 +extern const struct pci_ops wildfire_pci_ops;
415 extern void wildfire_init_arch(void);
416 extern void wildfire_kill_arch(int);
417 extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr);
418 diff -urNp linux-2.6.39.1/arch/alpha/mm/fault.c linux-2.6.39.1/arch/alpha/mm/fault.c
419 --- linux-2.6.39.1/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
420 +++ linux-2.6.39.1/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
421 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
422 __reload_thread(pcb);
423 }
424
425 +#ifdef CONFIG_PAX_PAGEEXEC
426 +/*
427 + * PaX: decide what to do with offenders (regs->pc = fault address)
428 + *
429 + * returns 1 when task should be killed
430 + * 2 when patched PLT trampoline was detected
431 + * 3 when unpatched PLT trampoline was detected
432 + */
433 +static int pax_handle_fetch_fault(struct pt_regs *regs)
434 +{
435 +
436 +#ifdef CONFIG_PAX_EMUPLT
437 + int err;
438 +
439 + do { /* PaX: patched PLT emulation #1 */
440 + unsigned int ldah, ldq, jmp;
441 +
442 + err = get_user(ldah, (unsigned int *)regs->pc);
443 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
444 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
445 +
446 + if (err)
447 + break;
448 +
449 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
450 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
451 + jmp == 0x6BFB0000U)
452 + {
453 + unsigned long r27, addr;
454 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
455 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
456 +
457 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
458 + err = get_user(r27, (unsigned long *)addr);
459 + if (err)
460 + break;
461 +
462 + regs->r27 = r27;
463 + regs->pc = r27;
464 + return 2;
465 + }
466 + } while (0);
467 +
468 + do { /* PaX: patched PLT emulation #2 */
469 + unsigned int ldah, lda, br;
470 +
471 + err = get_user(ldah, (unsigned int *)regs->pc);
472 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
473 + err |= get_user(br, (unsigned int *)(regs->pc+8));
474 +
475 + if (err)
476 + break;
477 +
478 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
479 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
480 + (br & 0xFFE00000U) == 0xC3E00000U)
481 + {
482 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
483 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
484 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
485 +
486 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
487 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
488 + return 2;
489 + }
490 + } while (0);
491 +
492 + do { /* PaX: unpatched PLT emulation */
493 + unsigned int br;
494 +
495 + err = get_user(br, (unsigned int *)regs->pc);
496 +
497 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
498 + unsigned int br2, ldq, nop, jmp;
499 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
500 +
501 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
502 + err = get_user(br2, (unsigned int *)addr);
503 + err |= get_user(ldq, (unsigned int *)(addr+4));
504 + err |= get_user(nop, (unsigned int *)(addr+8));
505 + err |= get_user(jmp, (unsigned int *)(addr+12));
506 + err |= get_user(resolver, (unsigned long *)(addr+16));
507 +
508 + if (err)
509 + break;
510 +
511 + if (br2 == 0xC3600000U &&
512 + ldq == 0xA77B000CU &&
513 + nop == 0x47FF041FU &&
514 + jmp == 0x6B7B0000U)
515 + {
516 + regs->r28 = regs->pc+4;
517 + regs->r27 = addr+16;
518 + regs->pc = resolver;
519 + return 3;
520 + }
521 + }
522 + } while (0);
523 +#endif
524 +
525 + return 1;
526 +}
527 +
528 +void pax_report_insns(void *pc, void *sp)
529 +{
530 + unsigned long i;
531 +
532 + printk(KERN_ERR "PAX: bytes at PC: ");
533 + for (i = 0; i < 5; i++) {
534 + unsigned int c;
535 + if (get_user(c, (unsigned int *)pc+i))
536 + printk(KERN_CONT "???????? ");
537 + else
538 + printk(KERN_CONT "%08x ", c);
539 + }
540 + printk("\n");
541 +}
542 +#endif
543
544 /*
545 * This routine handles page faults. It determines the address,
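Review bot: In "patched PLT emulation #2" of `pax_handle_fetch_fault()` the word named `lda` is compared with `0xA77B0000U`, the same pattern used for `ldq` in emulation #1. If that trampoline variant really contains an `lda` instruction, the expected opcode bits would differ and this branch could never match, so the constant should be checked against the PLT layout it is meant to recognise. The `get_user()` calls throughout the function cast `regs->pc` and `addr` to plain pointers; writing them as `(unsigned int __user *)regs->pc` would keep these user-memory reads visible to sparse. In `pax_report_insns()` the final `printk("\n");` lacks the `KERN_CONT` used by the other continuation lines.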
546 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
547 good_area:
548 si_code = SEGV_ACCERR;
549 if (cause < 0) {
550 - if (!(vma->vm_flags & VM_EXEC))
551 + if (!(vma->vm_flags & VM_EXEC)) {
552 +
553 +#ifdef CONFIG_PAX_PAGEEXEC
554 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
555 + goto bad_area;
556 +
557 + up_read(&mm->mmap_sem);
558 + switch (pax_handle_fetch_fault(regs)) {
559 +
560 +#ifdef CONFIG_PAX_EMUPLT
561 + case 2:
562 + case 3:
563 + return;
564 +#endif
565 +
566 + }
567 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
568 + do_group_exit(SIGKILL);
569 +#else
570 goto bad_area;
571 +#endif
572 +
573 + }
574 } else if (!cause) {
575 /* Allow reads even for write-only mappings */
576 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
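Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default` label, and with `CONFIG_PAX_EMUPLT` disabled it has no cases at all, so the path for return value 1 (report and kill) is reached only by falling out of an empty switch. Adding `default: break; /* 1: not a recognised trampoline, report and kill below */` would make that path explicit. It is also worth a comment that `mmap_sem` is dropped by the `up_read()` before the handler runs, since the `return` in cases 2 and 3 and the `do_group_exit(SIGKILL)` path both rely on it. The surrounding `do_page_fault()` body is outside the hunk.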
577 diff -urNp linux-2.6.39.1/arch/arm/common/it8152.c linux-2.6.39.1/arch/arm/common/it8152.c
578 --- linux-2.6.39.1/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400
579 +++ linux-2.6.39.1/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400
580 @@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc
581 return PCIBIOS_SUCCESSFUL;
582 }
583
584 -static struct pci_ops it8152_ops = {
585 +static const struct pci_ops it8152_ops = {
586 .read = it8152_pci_read_config,
587 .write = it8152_pci_write_config,
588 };
589 diff -urNp linux-2.6.39.1/arch/arm/common/via82c505.c linux-2.6.39.1/arch/arm/common/via82c505.c
590 --- linux-2.6.39.1/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400
591 +++ linux-2.6.39.1/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400
592 @@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b
593 return PCIBIOS_SUCCESSFUL;
594 }
595
596 -static struct pci_ops via82c505_ops = {
597 +static const struct pci_ops via82c505_ops = {
598 .read = via82c505_read_config,
599 .write = via82c505_write_config,
600 };
601 diff -urNp linux-2.6.39.1/arch/arm/include/asm/cacheflush.h linux-2.6.39.1/arch/arm/include/asm/cacheflush.h
602 --- linux-2.6.39.1/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
603 +++ linux-2.6.39.1/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
604 @@ -115,7 +115,7 @@ struct cpu_cache_fns {
605 */
606 #ifdef MULTI_CACHE
607
608 -extern struct cpu_cache_fns cpu_cache;
609 +extern const struct cpu_cache_fns cpu_cache;
610
611 #define __cpuc_flush_icache_all cpu_cache.flush_icache_all
612 #define __cpuc_flush_kern_all cpu_cache.flush_kern_all
613 diff -urNp linux-2.6.39.1/arch/arm/include/asm/elf.h linux-2.6.39.1/arch/arm/include/asm/elf.h
614 --- linux-2.6.39.1/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
615 +++ linux-2.6.39.1/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
616 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
617 the loader. We need to make sure that it is out of the way of the program
618 that it will "exec", and that there is sufficient room for the brk. */
619
620 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
621 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
622 +
623 +#ifdef CONFIG_PAX_ASLR
624 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
625 +
626 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
627 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
628 +#endif
629
630 /* When the program starts, a1 contains a pointer to a function to be
631 registered with atexit, as per the SVR4 ABI. A value of 0 means we
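Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT` by exact equality, so a task whose personality word carries any additional flag bits would fail the comparison and get the smaller value 10 rather than 16. The alpha version of these macros earlier in this patch masks with `&` instead. If the intent is "32-bit address space", comparing only the personality type bits would avoid silently reducing the randomisation range for such tasks; confirm against how `personality` is populated on ARM. The macros also carry no comment stating the unit of the 16 and 10 values.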
632 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
633 extern void elf_set_personality(const struct elf32_hdr *);
634 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
635
636 -struct mm_struct;
637 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
638 -#define arch_randomize_brk arch_randomize_brk
639 -
640 extern int vectors_user_mapping(void);
641 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
642 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
643 diff -urNp linux-2.6.39.1/arch/arm/include/asm/kmap_types.h linux-2.6.39.1/arch/arm/include/asm/kmap_types.h
644 --- linux-2.6.39.1/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
645 +++ linux-2.6.39.1/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
646 @@ -21,6 +21,7 @@ enum km_type {
647 KM_L1_CACHE,
648 KM_L2_CACHE,
649 KM_KDB,
650 + KM_CLEARPAGE,
651 KM_TYPE_NR
652 };
653
654 diff -urNp linux-2.6.39.1/arch/arm/include/asm/outercache.h linux-2.6.39.1/arch/arm/include/asm/outercache.h
655 --- linux-2.6.39.1/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400
656 +++ linux-2.6.39.1/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400
657 @@ -38,7 +38,7 @@ struct outer_cache_fns {
658
659 #ifdef CONFIG_OUTER_CACHE
660
661 -extern struct outer_cache_fns outer_cache;
662 +extern const struct outer_cache_fns outer_cache;
663
664 static inline void outer_inv_range(phys_addr_t start, phys_addr_t end)
665 {
666 diff -urNp linux-2.6.39.1/arch/arm/include/asm/page.h linux-2.6.39.1/arch/arm/include/asm/page.h
667 --- linux-2.6.39.1/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
668 +++ linux-2.6.39.1/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
669 @@ -126,7 +126,7 @@ struct cpu_user_fns {
670 };
671
672 #ifdef MULTI_USER
673 -extern struct cpu_user_fns cpu_user;
674 +extern const struct cpu_user_fns cpu_user;
675
676 #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage
677 #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage
678 diff -urNp linux-2.6.39.1/arch/arm/include/asm/uaccess.h linux-2.6.39.1/arch/arm/include/asm/uaccess.h
679 --- linux-2.6.39.1/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
680 +++ linux-2.6.39.1/arch/arm/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
681 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
682
683 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
684 {
685 + if ((long)n < 0)
686 + return n;
687 +
688 if (access_ok(VERIFY_READ, from, n))
689 n = __copy_from_user(to, from, n);
690 else /* security hole - plug it */
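Review bot: The early `return n;` added to `copy_from_user()` leaves the destination buffer untouched. The existing failure branch, `else /* security hole - plug it */`, has its body outside the hunk and presumably clears the buffer, so a caller that mishandles the return value would see stale contents of `to` on this new path only. Clearing is not feasible for a length with the sign bit set, so the asymmetry is defensible, but it deserves a comment such as `/* sign bit set in n: reject without touching 'to' */`. The same guard is added to `copy_to_user()` in the next hunk, where no destination clearing is involved.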
691 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
692
693 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
694 {
695 + if ((long)n < 0)
696 + return n;
697 +
698 if (access_ok(VERIFY_WRITE, to, n))
699 n = __copy_to_user(to, from, n);
700 return n;
701 diff -urNp linux-2.6.39.1/arch/arm/kernel/kgdb.c linux-2.6.39.1/arch/arm/kernel/kgdb.c
702 --- linux-2.6.39.1/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
703 +++ linux-2.6.39.1/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
704 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
705 * and we handle the normal undef case within the do_undefinstr
706 * handler.
707 */
708 -struct kgdb_arch arch_kgdb_ops = {
709 +const struct kgdb_arch arch_kgdb_ops = {
710 #ifndef __ARMEB__
711 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
712 #else /* ! __ARMEB__ */
713 diff -urNp linux-2.6.39.1/arch/arm/kernel/process.c linux-2.6.39.1/arch/arm/kernel/process.c
714 --- linux-2.6.39.1/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
715 +++ linux-2.6.39.1/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
716 @@ -28,7 +28,6 @@
717 #include <linux/tick.h>
718 #include <linux/utsname.h>
719 #include <linux/uaccess.h>
720 -#include <linux/random.h>
721 #include <linux/hw_breakpoint.h>
722
723 #include <asm/cacheflush.h>
724 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
725 return 0;
726 }
727
728 -unsigned long arch_randomize_brk(struct mm_struct *mm)
729 -{
730 - unsigned long range_end = mm->brk + 0x02000000;
731 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
732 -}
733 -
734 #ifdef CONFIG_MMU
735 /*
736 * The vectors page is always readable from user space for the
737 diff -urNp linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c
738 --- linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
739 +++ linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
740 @@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str
741 return 1;
742 }
743
744 -static struct pci_ops cns3xxx_pcie_ops = {
745 +static const struct pci_ops cns3xxx_pcie_ops = {
746 .read = cns3xxx_pci_read_config,
747 .write = cns3xxx_pci_write_config,
748 };
749 diff -urNp linux-2.6.39.1/arch/arm/mach-dove/pcie.c linux-2.6.39.1/arch/arm/mach-dove/pcie.c
750 --- linux-2.6.39.1/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400
751 +++ linux-2.6.39.1/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400
752 @@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus *
753 return ret;
754 }
755
756 -static struct pci_ops pcie_ops = {
757 +static const struct pci_ops pcie_ops = {
758 .read = pcie_rd_conf,
759 .write = pcie_wr_conf,
760 };
761 diff -urNp linux-2.6.39.1/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.1/arch/arm/mach-footbridge/dc21285.c
762 --- linux-2.6.39.1/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400
763 +++ linux-2.6.39.1/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400
764 @@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus
765 return PCIBIOS_SUCCESSFUL;
766 }
767
768 -static struct pci_ops dc21285_ops = {
769 +static const struct pci_ops dc21285_ops = {
770 .read = dc21285_read_config,
771 .write = dc21285_write_config,
772 };
773 diff -urNp linux-2.6.39.1/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.1/arch/arm/mach-integrator/pci_v3.c
774 --- linux-2.6.39.1/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400
775 +++ linux-2.6.39.1/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400
776 @@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu
777 return PCIBIOS_SUCCESSFUL;
778 }
779
780 -static struct pci_ops pci_v3_ops = {
781 +static const struct pci_ops pci_v3_ops = {
782 .read = v3_read_config,
783 .write = v3_write_config,
784 };
785 diff -urNp linux-2.6.39.1/arch/arm/mach-iop13xx/pci.c linux-2.6.39.1/arch/arm/mach-iop13xx/pci.c
786 --- linux-2.6.39.1/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400
787 +++ linux-2.6.39.1/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400
788 @@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus
789 return PCIBIOS_SUCCESSFUL;
790 }
791
792 -static struct pci_ops iop13xx_atux_ops = {
793 +static const struct pci_ops iop13xx_atux_ops = {
794 .read = iop13xx_atux_read_config,
795 .write = iop13xx_atux_write_config,
796 };
797 @@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus
798 return PCIBIOS_SUCCESSFUL;
799 }
800
801 -static struct pci_ops iop13xx_atue_ops = {
802 +static const struct pci_ops iop13xx_atue_ops = {
803 .read = iop13xx_atue_read_config,
804 .write = iop13xx_atue_write_config,
805 };
806 diff -urNp linux-2.6.39.1/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.1/arch/arm/mach-ixp2000/enp2611.c
807 --- linux-2.6.39.1/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400
808 +++ linux-2.6.39.1/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400
809 @@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru
810 return PCIBIOS_DEVICE_NOT_FOUND;
811 }
812
813 -static struct pci_ops enp2611_pci_ops = {
814 +static const struct pci_ops enp2611_pci_ops = {
815 .read = enp2611_pci_read_config,
816 .write = enp2611_pci_write_config
817 };
818 diff -urNp linux-2.6.39.1/arch/arm/mach-ixp2000/pci.c linux-2.6.39.1/arch/arm/mach-ixp2000/pci.c
819 --- linux-2.6.39.1/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400
820 +++ linux-2.6.39.1/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400
821 @@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_
822 }
823
824
825 -static struct pci_ops ixp2000_pci_ops = {
826 +static const struct pci_ops ixp2000_pci_ops = {
827 .read = ixp2000_pci_read_config,
828 .write = ixp2000_pci_write_config
829 };
830 diff -urNp linux-2.6.39.1/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.1/arch/arm/mach-ixp23xx/pci.c
831 --- linux-2.6.39.1/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400
832 +++ linux-2.6.39.1/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400
833 @@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru
834 return PCIBIOS_SUCCESSFUL;
835 }
836
837 -struct pci_ops ixp23xx_pci_ops = {
838 +const struct pci_ops ixp23xx_pci_ops = {
839 .read = ixp23xx_pci_read_config,
840 .write = ixp23xx_pci_write_config,
841 };
842 diff -urNp linux-2.6.39.1/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.1/arch/arm/mach-ixp4xx/common-pci.c
843 --- linux-2.6.39.1/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400
844 +++ linux-2.6.39.1/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400
845 @@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc
846 return PCIBIOS_SUCCESSFUL;
847 }
848
849 -struct pci_ops ixp4xx_ops = {
850 +const struct pci_ops ixp4xx_ops = {
851 .read = ixp4xx_pci_read_config,
852 .write = ixp4xx_pci_write_config,
853 };
854 diff -urNp linux-2.6.39.1/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.1/arch/arm/mach-kirkwood/pcie.c
855 --- linux-2.6.39.1/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400
856 +++ linux-2.6.39.1/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400
857 @@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus *
858 return ret;
859 }
860
861 -static struct pci_ops pcie_ops = {
862 +static const struct pci_ops pcie_ops = {
863 .read = pcie_rd_conf,
864 .write = pcie_wr_conf,
865 };
866 diff -urNp linux-2.6.39.1/arch/arm/mach-ks8695/pci.c linux-2.6.39.1/arch/arm/mach-ks8695/pci.c
867 --- linux-2.6.39.1/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400
868 +++ linux-2.6.39.1/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400
869 @@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int
870 __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD);
871 }
872
873 -static struct pci_ops ks8695_pci_ops = {
874 +static const struct pci_ops ks8695_pci_ops = {
875 .read = ks8695_pci_readconfig,
876 .write = ks8695_pci_writeconfig,
877 };
878 diff -urNp linux-2.6.39.1/arch/arm/mach-mmp/clock.c linux-2.6.39.1/arch/arm/mach-mmp/clock.c
879 --- linux-2.6.39.1/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400
880 +++ linux-2.6.39.1/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400
881 @@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk
882 __raw_writel(0, clk->clk_rst);
883 }
884
885 -struct clkops apbc_clk_ops = {
886 +const struct clkops apbc_clk_ops = {
887 .enable = apbc_clk_enable,
888 .disable = apbc_clk_disable,
889 };
890 @@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk
891 __raw_writel(0, clk->clk_rst);
892 }
893
894 -struct clkops apmu_clk_ops = {
895 +const struct clkops apmu_clk_ops = {
896 .enable = apmu_clk_enable,
897 .disable = apmu_clk_disable,
898 };
899 diff -urNp linux-2.6.39.1/arch/arm/mach-msm/iommu.c linux-2.6.39.1/arch/arm/mach-msm/iommu.c
900 --- linux-2.6.39.1/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400
901 +++ linux-2.6.39.1/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400
902 @@ -669,7 +669,7 @@ fail:
903 return 0;
904 }
905
906 -static struct iommu_ops msm_iommu_ops = {
907 +static const struct iommu_ops msm_iommu_ops = {
908 .domain_init = msm_iommu_domain_init,
909 .domain_destroy = msm_iommu_domain_destroy,
910 .attach_dev = msm_iommu_attach_dev,
911 diff -urNp linux-2.6.39.1/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.1/arch/arm/mach-msm/last_radio_log.c
912 --- linux-2.6.39.1/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400
913 +++ linux-2.6.39.1/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400
914 @@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc
915 }
916
917 static struct file_operations last_radio_log_fops = {
918 + /* cannot be const, see msm_init_last_radio_log */
919 .read = last_radio_log_read,
920 .llseek = default_llseek,
921 };
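Review bot: The comment added inside the `last_radio_log_fops` initializer names msm_init_last_radio_log but not the reason the table must stay writable, so a reader has to open that function to learn which member is modified after initialization. That function is outside this hunk; presumably it assigns a member at runtime, which should be confirmed. I would state the reason at the declaration, e.g. `/* not const: msm_init_last_radio_log() assigns a member at runtime */`. It is also worth recording that this leaves the table's function pointers in writable memory, unlike the ops tables this patch makes const.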
922 diff -urNp linux-2.6.39.1/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.1/arch/arm/mach-mv78xx0/pcie.c
923 --- linux-2.6.39.1/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400
924 +++ linux-2.6.39.1/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400
925 @@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus *
926 return ret;
927 }
928
929 -static struct pci_ops pcie_ops = {
930 +static const struct pci_ops pcie_ops = {
931 .read = pcie_rd_conf,
932 .write = pcie_wr_conf,
933 };
934 diff -urNp linux-2.6.39.1/arch/arm/mach-orion5x/pci.c linux-2.6.39.1/arch/arm/mach-orion5x/pci.c
935 --- linux-2.6.39.1/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400
936 +++ linux-2.6.39.1/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400
937 @@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus *
938 return ret;
939 }
940
941 -static struct pci_ops pcie_ops = {
942 +static const struct pci_ops pcie_ops = {
943 .read = pcie_rd_conf,
944 .write = pcie_wr_conf,
945 };
946 @@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc
947 PCI_FUNC(devfn), where, size, val);
948 }
949
950 -static struct pci_ops pci_ops = {
951 +static const struct pci_ops pci_ops = {
952 .read = orion5x_pci_rd_conf,
953 .write = orion5x_pci_wr_conf,
954 };
955 diff -urNp linux-2.6.39.1/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.1/arch/arm/mach-sa1100/pci-nanoengine.c
956 --- linux-2.6.39.1/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400
957 +++ linux-2.6.39.1/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400
958 @@ -117,7 +117,7 @@ static int nanoengine_write_config(struc
959 return PCIBIOS_SUCCESSFUL;
960 }
961
962 -static struct pci_ops pci_nano_ops = {
963 +static const struct pci_ops pci_nano_ops = {
964 .read = nanoengine_read_config,
965 .write = nanoengine_write_config,
966 };
967 diff -urNp linux-2.6.39.1/arch/arm/mach-tegra/pcie.c linux-2.6.39.1/arch/arm/mach-tegra/pcie.c
968 --- linux-2.6.39.1/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400
969 +++ linux-2.6.39.1/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400
970 @@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct
971 return PCIBIOS_SUCCESSFUL;
972 }
973
974 -static struct pci_ops tegra_pcie_ops = {
975 +static const struct pci_ops tegra_pcie_ops = {
976 .read = tegra_pcie_read_conf,
977 .write = tegra_pcie_write_conf,
978 };
979 diff -urNp linux-2.6.39.1/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.1/arch/arm/mach-ux500/mbox-db5500.c
980 --- linux-2.6.39.1/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400
981 +++ linux-2.6.39.1/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400
982 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
983 return sprintf(buf, "0x%X\n", mbox_value);
984 }
985
986 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
987 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
988
989 static int mbox_show(struct seq_file *s, void *data)
990 {
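Review bot: The `fifo` attribute keeps `S_IRUGO`, so every local user can still read the mailbox value that mbox_read_fifo formats with sprintf, even though writes are now limited to the owner. If the FIFO contents are not meant for unprivileged users, the mode should drop group and other read as well: `static DEVICE_ATTR(fifo, S_IWUSR | S_IRUSR, mbox_read_fifo, mbox_write_fifo);`. Whether the value is sensitive cannot be judged from this hunk, which also cuts off mbox_show right after its opening brace.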
991 diff -urNp linux-2.6.39.1/arch/arm/mach-versatile/pci.c linux-2.6.39.1/arch/arm/mach-versatile/pci.c
992 --- linux-2.6.39.1/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400
993 +++ linux-2.6.39.1/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400
994 @@ -165,7 +165,7 @@ static int versatile_write_config(struct
995 return PCIBIOS_SUCCESSFUL;
996 }
997
998 -static struct pci_ops pci_versatile_ops = {
999 +static const struct pci_ops pci_versatile_ops = {
1000 .read = versatile_read_config,
1001 .write = versatile_write_config,
1002 };
1003 diff -urNp linux-2.6.39.1/arch/arm/mm/fault.c linux-2.6.39.1/arch/arm/mm/fault.c
1004 --- linux-2.6.39.1/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1005 +++ linux-2.6.39.1/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1006 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
1007 }
1008 #endif
1009
1010 +#ifdef CONFIG_PAX_PAGEEXEC
1011 + if (fsr & FSR_LNX_PF) {
1012 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1013 + do_group_exit(SIGKILL);
1014 + }
1015 +#endif
1016 +
1017 tsk->thread.address = addr;
1018 tsk->thread.error_code = fsr;
1019 tsk->thread.trap_no = 14;
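Review bot: The added CONFIG_PAX_PAGEEXEC block kills the thread group whenever `fsr & FSR_LNX_PF` is set, without testing the per-process `MF_PAX_PAGEEXEC` flag that the avr32 fault handler in this same patch checks before calling pax_report_fault. If the feature is meant to be switchable per task on ARM as well, the condition should read `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. If the omission is intentional, a one-line comment saying why would help. __do_user_fault starts and ends outside this hunk, so I am assuming tsk->mm is valid at this point.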
1020 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
1021 }
1022 #endif /* CONFIG_MMU */
1023
1024 +#ifdef CONFIG_PAX_PAGEEXEC
1025 +void pax_report_insns(void *pc, void *sp)
1026 +{
1027 + long i;
1028 +
1029 + printk(KERN_ERR "PAX: bytes at PC: ");
1030 + for (i = 0; i < 20; i++) {
1031 + unsigned char c;
1032 + if (get_user(c, (__force unsigned char __user *)pc+i))
1033 + printk(KERN_CONT "?? ");
1034 + else
1035 + printk(KERN_CONT "%02x ", c);
1036 + }
1037 + printk("\n");
1038 +
1039 + printk(KERN_ERR "PAX: bytes at SP-4: ");
1040 + for (i = -1; i < 20; i++) {
1041 + unsigned long c;
1042 + if (get_user(c, (__force unsigned long __user *)sp+i))
1043 + printk(KERN_CONT "???????? ");
1044 + else
1045 + printk(KERN_CONT "%08lx ", c);
1046 + }
1047 + printk("\n");
1048 +}
1049 +#endif
1050 +
1051 /*
1052 * First Level Translation Fault Handler
1053 *
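Review bot: Both dump loops in pax_report_insns end with `printk("\n");`, which carries no log level while every other fragment of the line uses `KERN_CONT`; `printk(KERN_CONT "\n");` keeps the terminator attached to the line it ends. The function also has no header comment. It should state that pc and sp are user-space addresses read with get_user, that 20 bytes at pc and 21 words starting one word below sp are printed, and that unreadable locations show as question marks. These lines copy user memory into the kernel log, so the comment should also say that anyone able to read the log can see that data.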
1054 diff -urNp linux-2.6.39.1/arch/arm/mm/mmap.c linux-2.6.39.1/arch/arm/mm/mmap.c
1055 --- linux-2.6.39.1/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
1056 +++ linux-2.6.39.1/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
1057 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
1058 if (len > TASK_SIZE)
1059 return -ENOMEM;
1060
1061 +#ifdef CONFIG_PAX_RANDMMAP
1062 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1063 +#endif
1064 +
1065 if (addr) {
1066 if (do_align)
1067 addr = COLOUR_ALIGN(addr, pgoff);
1068 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
1069 addr = PAGE_ALIGN(addr);
1070
1071 vma = find_vma(mm, addr);
1072 - if (TASK_SIZE - len >= addr &&
1073 - (!vma || addr + len <= vma->vm_start))
1074 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1075 return addr;
1076 }
1077 if (len > mm->cached_hole_size) {
1078 - start_addr = addr = mm->free_area_cache;
1079 + start_addr = addr = mm->free_area_cache;
1080 } else {
1081 - start_addr = addr = TASK_UNMAPPED_BASE;
1082 - mm->cached_hole_size = 0;
1083 + start_addr = addr = mm->mmap_base;
1084 + mm->cached_hole_size = 0;
1085 }
1086 /* 8 bits of randomness in 20 address space bits */
1087 if ((current->flags & PF_RANDOMIZE) &&
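Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; under CONFIG_PAX_RANDMMAP it silently governs the `if (addr) {` block further down, across the `#endif` and a blank line. That works, but a statement inserted between them later would become the guarded one and change behaviour only in PaX builds. A comment such as `/* guards the if (addr) hint block below */` directly above the `#ifdef`, together with dropping the blank line after `#endif`, would make the coupling visible. arch_get_unmapped_area begins and ends outside this hunk.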
1088 @@ -100,14 +103,14 @@ full_search:
1089 * Start a new search - just in case we missed
1090 * some holes.
1091 */
1092 - if (start_addr != TASK_UNMAPPED_BASE) {
1093 - start_addr = addr = TASK_UNMAPPED_BASE;
1094 + if (start_addr != mm->mmap_base) {
1095 + start_addr = addr = mm->mmap_base;
1096 mm->cached_hole_size = 0;
1097 goto full_search;
1098 }
1099 return -ENOMEM;
1100 }
1101 - if (!vma || addr + len <= vma->vm_start) {
1102 + if (check_heap_stack_gap(vma, addr, len)) {
1103 /*
1104 * Remember the place where we stopped the search:
1105 */
1106 diff -urNp linux-2.6.39.1/arch/arm/plat-iop/pci.c linux-2.6.39.1/arch/arm/plat-iop/pci.c
1107 --- linux-2.6.39.1/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400
1108 +++ linux-2.6.39.1/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400
1109 @@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus,
1110 return PCIBIOS_SUCCESSFUL;
1111 }
1112
1113 -static struct pci_ops iop3xx_ops = {
1114 +static const struct pci_ops iop3xx_ops = {
1115 .read = iop3xx_read_config,
1116 .write = iop3xx_write_config,
1117 };
1118 diff -urNp linux-2.6.39.1/arch/avr32/include/asm/elf.h linux-2.6.39.1/arch/avr32/include/asm/elf.h
1119 --- linux-2.6.39.1/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1120 +++ linux-2.6.39.1/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1121 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
1122 the loader. We need to make sure that it is out of the way of the program
1123 that it will "exec", and that there is sufficient room for the brk. */
1124
1125 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1126 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1127
1128 +#ifdef CONFIG_PAX_ASLR
1129 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1130 +
1131 +#define PAX_DELTA_MMAP_LEN 15
1132 +#define PAX_DELTA_STACK_LEN 15
1133 +#endif
1134
1135 /* This yields a mask that user programs can use to figure out what
1136 instruction set this CPU supports. This could be done in user space,
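Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` changes the evaluation order without saying why. Presumably the multiplication could wrap for the TASK_SIZE value used on this architecture, which is defined outside this hunk; if so, that is a fix worth recording with `/* divide first: 2 * TASK_SIZE may overflow unsigned long */`. The new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values of 15 would likewise benefit from a comment giving their unit, which the names suggest is a number of randomized address bits.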
1137 diff -urNp linux-2.6.39.1/arch/avr32/include/asm/kmap_types.h linux-2.6.39.1/arch/avr32/include/asm/kmap_types.h
1138 --- linux-2.6.39.1/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1139 +++ linux-2.6.39.1/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1140 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1141 D(11) KM_IRQ1,
1142 D(12) KM_SOFTIRQ0,
1143 D(13) KM_SOFTIRQ1,
1144 -D(14) KM_TYPE_NR
1145 +D(14) KM_CLEARPAGE,
1146 +D(15) KM_TYPE_NR
1147 };
1148
1149 #undef D
1150 diff -urNp linux-2.6.39.1/arch/avr32/mm/fault.c linux-2.6.39.1/arch/avr32/mm/fault.c
1151 --- linux-2.6.39.1/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1152 +++ linux-2.6.39.1/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1153 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1154
1155 int exception_trace = 1;
1156
1157 +#ifdef CONFIG_PAX_PAGEEXEC
1158 +void pax_report_insns(void *pc, void *sp)
1159 +{
1160 + unsigned long i;
1161 +
1162 + printk(KERN_ERR "PAX: bytes at PC: ");
1163 + for (i = 0; i < 20; i++) {
1164 + unsigned char c;
1165 + if (get_user(c, (unsigned char *)pc+i))
1166 + printk(KERN_CONT "???????? ");
1167 + else
1168 + printk(KERN_CONT "%02x ", c);
1169 + }
1170 + printk("\n");
1171 +}
1172 +#endif
1173 +
1174 /*
1175 * This routine handles page faults. It determines the address and the
1176 * problem, and then passes it off to one of the appropriate routines.
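Review bot: In the avr32 pax_report_insns the failure branch prints `"???????? "` for a single unreadable byte while the success branch prints two hex digits with `"%02x "`, so the dump columns shift whenever get_user fails. The ARM version in this patch uses `printk(KERN_CONT "?? ");` in its byte loop and this one should match. The pointer handed to get_user is cast as `(unsigned char *)pc+i` without the annotation the ARM version carries, `(__force unsigned char __user *)pc+i`, which a sparse run would likely flag. The `sp` parameter is unused in this implementation.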
1177 @@ -156,6 +173,16 @@ bad_area:
1178 up_read(&mm->mmap_sem);
1179
1180 if (user_mode(regs)) {
1181 +
1182 +#ifdef CONFIG_PAX_PAGEEXEC
1183 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1184 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1185 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1186 + do_group_exit(SIGKILL);
1187 + }
1188 + }
1189 +#endif
1190 +
1191 if (exception_trace && printk_ratelimit())
1192 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1193 "sp %08lx ecr %lu\n",
1194 diff -urNp linux-2.6.39.1/arch/blackfin/kernel/kgdb.c linux-2.6.39.1/arch/blackfin/kernel/kgdb.c
1195 --- linux-2.6.39.1/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1196 +++ linux-2.6.39.1/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1197 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
1198 return -1; /* this means that we do not want to exit from the handler */
1199 }
1200
1201 -struct kgdb_arch arch_kgdb_ops = {
1202 +const struct kgdb_arch arch_kgdb_ops = {
1203 .gdb_bpt_instr = {0xa1},
1204 .flags = KGDB_HW_BREAKPOINT,
1205 .set_hw_breakpoint = bfin_set_hw_break,
1206 diff -urNp linux-2.6.39.1/arch/blackfin/mm/maccess.c linux-2.6.39.1/arch/blackfin/mm/maccess.c
1207 --- linux-2.6.39.1/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
1208 +++ linux-2.6.39.1/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
1209 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
1210 return bfin_mem_access_type(addr, size);
1211 }
1212
1213 -long probe_kernel_read(void *dst, void *src, size_t size)
1214 +long probe_kernel_read(void *dst, const void *src, size_t size)
1215 {
1216 unsigned long lsrc = (unsigned long)src;
1217 int mem_type;
1218 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
1219 return -EFAULT;
1220 }
1221
1222 -long probe_kernel_write(void *dst, void *src, size_t size)
1223 +long probe_kernel_write(void *dst, const void *src, size_t size)
1224 {
1225 unsigned long ldst = (unsigned long)dst;
1226 int mem_type;
1227 diff -urNp linux-2.6.39.1/arch/frv/include/asm/kmap_types.h linux-2.6.39.1/arch/frv/include/asm/kmap_types.h
1228 --- linux-2.6.39.1/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1229 +++ linux-2.6.39.1/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1230 @@ -23,6 +23,7 @@ enum km_type {
1231 KM_IRQ1,
1232 KM_SOFTIRQ0,
1233 KM_SOFTIRQ1,
1234 + KM_CLEARPAGE,
1235 KM_TYPE_NR
1236 };
1237
1238 diff -urNp linux-2.6.39.1/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.1/arch/frv/mb93090-mb00/pci-frv.h
1239 --- linux-2.6.39.1/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400
1240 +++ linux-2.6.39.1/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400
1241 @@ -34,7 +34,7 @@ void pcibios_resource_survey(void);
1242
1243 extern int __nongpreldata pcibios_last_bus;
1244 extern struct pci_bus *__nongpreldata pci_root_bus;
1245 -extern struct pci_ops *__nongpreldata pci_root_ops;
1246 +extern const struct pci_ops *__nongpreldata pci_root_ops;
1247
1248 /* pci-irq.c */
1249 extern unsigned int pcibios_irq_mask;
1250 diff -urNp linux-2.6.39.1/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.1/arch/frv/mb93090-mb00/pci-vdk.c
1251 --- linux-2.6.39.1/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400
1252 +++ linux-2.6.39.1/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400
1253 @@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe =
1254
1255 int __nongpreldata pcibios_last_bus = -1;
1256 struct pci_bus *__nongpreldata pci_root_bus;
1257 -struct pci_ops *__nongpreldata pci_root_ops;
1258 +const struct pci_ops *__nongpreldata pci_root_ops;
1259
1260 /*
1261 * The accessible PCI window does not cover the entire CPU address space, but
1262 @@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p
1263 return PCIBIOS_SUCCESSFUL;
1264 }
1265
1266 -static struct pci_ops pci_direct_frv = {
1267 +static const struct pci_ops pci_direct_frv = {
1268 pci_frv_read_config,
1269 pci_frv_write_config,
1270 };
1271 @@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci
1272
1273 int __init pcibios_init(void)
1274 {
1275 - struct pci_ops *dir = NULL;
1276 + const struct pci_ops *dir = NULL;
1277
1278 if (!mb93090_mb00_detected)
1279 return -ENXIO;
1280 diff -urNp linux-2.6.39.1/arch/frv/mm/elf-fdpic.c linux-2.6.39.1/arch/frv/mm/elf-fdpic.c
1281 --- linux-2.6.39.1/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400
1282 +++ linux-2.6.39.1/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400
1283 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1284 if (addr) {
1285 addr = PAGE_ALIGN(addr);
1286 vma = find_vma(current->mm, addr);
1287 - if (TASK_SIZE - len >= addr &&
1288 - (!vma || addr + len <= vma->vm_start))
1289 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1290 goto success;
1291 }
1292
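Review bot: The old test `(!vma || addr + len <= vma->vm_start)` handled a NULL result from find_vma explicitly, whereas the replacement passes `vma` straight to check_heap_stack_gap. That helper is defined outside this view, so it must be confirmed that it returns true for a NULL vma; otherwise the hinted-address path would dereference NULL when nothing is mapped above addr. The same substitution appears in the arch/arm/mm/mmap.c hunks earlier in the patch. Once verified, a short comment at the call, `/* check_heap_stack_gap() accepts vma == NULL */`, would record the contract.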
1293 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1294 for (; vma; vma = vma->vm_next) {
1295 if (addr > limit)
1296 break;
1297 - if (addr + len <= vma->vm_start)
1298 + if (check_heap_stack_gap(vma, addr, len))
1299 goto success;
1300 addr = vma->vm_end;
1301 }
1302 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1303 for (; vma; vma = vma->vm_next) {
1304 if (addr > limit)
1305 break;
1306 - if (addr + len <= vma->vm_start)
1307 + if (check_heap_stack_gap(vma, addr, len))
1308 goto success;
1309 addr = vma->vm_end;
1310 }
1311 diff -urNp linux-2.6.39.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.1/arch/ia64/hp/common/hwsw_iommu.c
1312 --- linux-2.6.39.1/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400
1313 +++ linux-2.6.39.1/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400
1314 @@ -17,7 +17,7 @@
1315 #include <linux/swiotlb.h>
1316 #include <asm/machvec.h>
1317
1318 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1319 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1320
1321 /* swiotlb declarations & definitions: */
1322 extern int swiotlb_late_init_with_default_size (size_t size);
1323 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1324 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1325 }
1326
1327 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1328 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1329 {
1330 if (use_swiotlb(dev))
1331 return &swiotlb_dma_ops;
1332 diff -urNp linux-2.6.39.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.1/arch/ia64/hp/common/sba_iommu.c
1333 --- linux-2.6.39.1/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400
1334 +++ linux-2.6.39.1/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400
1335 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1336 },
1337 };
1338
1339 -extern struct dma_map_ops swiotlb_dma_ops;
1340 +extern const struct dma_map_ops swiotlb_dma_ops;
1341
1342 static int __init
1343 sba_init(void)
1344 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1345
1346 __setup("sbapagesize=",sba_page_override);
1347
1348 -struct dma_map_ops sba_dma_ops = {
1349 +const struct dma_map_ops sba_dma_ops = {
1350 .alloc_coherent = sba_alloc_coherent,
1351 .free_coherent = sba_free_coherent,
1352 .map_page = sba_map_page,
1353 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.1/arch/ia64/include/asm/dma-mapping.h
1354 --- linux-2.6.39.1/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1355 +++ linux-2.6.39.1/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1356 @@ -14,7 +14,7 @@
1357
1358 #define DMA_ERROR_CODE 0
1359
1360 -extern struct dma_map_ops *dma_ops;
1361 +extern const struct dma_map_ops *dma_ops;
1362 extern struct ia64_machine_vector ia64_mv;
1363 extern void set_iommu_machvec(void);
1364
1365 @@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d
1366 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1367 dma_addr_t *daddr, gfp_t gfp)
1368 {
1369 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1370 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1371 void *caddr;
1372
1373 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1374 @@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s
1375 static inline void dma_free_coherent(struct device *dev, size_t size,
1376 void *caddr, dma_addr_t daddr)
1377 {
1378 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1379 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1380 debug_dma_free_coherent(dev, size, caddr, daddr);
1381 ops->free_coherent(dev, size, caddr, daddr);
1382 }
1383 @@ -51,13 +51,13 @@ static inline void dma_free_coherent(str
1384
1385 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1386 {
1387 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1388 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1389 return ops->mapping_error(dev, daddr);
1390 }
1391
1392 static inline int dma_supported(struct device *dev, u64 mask)
1393 {
1394 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1395 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1396 return ops->dma_supported(dev, mask);
1397 }
1398
1399 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/elf.h linux-2.6.39.1/arch/ia64/include/asm/elf.h
1400 --- linux-2.6.39.1/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1401 +++ linux-2.6.39.1/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1402 @@ -42,6 +42,13 @@
1403 */
1404 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1405
1406 +#ifdef CONFIG_PAX_ASLR
1407 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1408 +
1409 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1410 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1411 +#endif
1412 +
1413 #define PT_IA_64_UNWIND 0x70000001
1414
1415 /* IA-64 relocations: */
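Review bot: All three new macros test `current->personality == PER_LINUX32`, an exact comparison against a field that also carries personality flag bits. As far as this hunk shows, a 32-bit task with any such flag set would get the 64-bit base and delta lengths. Masking first with the kernel's `personality()` helper avoids that, e.g. `(personality(current->personality) == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)`, and likewise in the two `PAX_DELTA_*_LEN` macros. The expression `3*PAGE_SHIFT - 13` also deserves a comment explaining how it is derived.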
1416 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/machvec.h linux-2.6.39.1/arch/ia64/include/asm/machvec.h
1417 --- linux-2.6.39.1/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400
1418 +++ linux-2.6.39.1/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400
1419 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1420 /* DMA-mapping interface: */
1421 typedef void ia64_mv_dma_init (void);
1422 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1423 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1424 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1425
1426 /*
1427 * WARNING: The legacy I/O space is _architected_. Platforms are
1428 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1429 # endif /* CONFIG_IA64_GENERIC */
1430
1431 extern void swiotlb_dma_init(void);
1432 -extern struct dma_map_ops *dma_get_ops(struct device *);
1433 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1434
1435 /*
1436 * Define default versions so we can extend machvec for new platforms without having
1437 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/pgtable.h linux-2.6.39.1/arch/ia64/include/asm/pgtable.h
1438 --- linux-2.6.39.1/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
1439 +++ linux-2.6.39.1/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
1440 @@ -12,7 +12,7 @@
1441 * David Mosberger-Tang <davidm@hpl.hp.com>
1442 */
1443
1444 -
1445 +#include <linux/const.h>
1446 #include <asm/mman.h>
1447 #include <asm/page.h>
1448 #include <asm/processor.h>
1449 @@ -143,6 +143,17 @@
1450 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1451 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1452 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1453 +
1454 +#ifdef CONFIG_PAX_PAGEEXEC
1455 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1456 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1457 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1458 +#else
1459 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1460 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1461 +# define PAGE_COPY_NOEXEC PAGE_COPY
1462 +#endif
1463 +
1464 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1465 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1466 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
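Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the same bits as the `PAGE_READONLY` and `PAGE_COPY` definitions shown just above, which is also what the `#else` branch produces by aliasing. For those two the `#ifdef` makes no difference, and the definition of PAGE_SHARED is outside the hunk, so the third cannot be checked from here. If the duplication is deliberate, a comment should say so, for example `/* base user protections already lack execute (AR_R/AR_RW); the _NOEXEC names exist for generic code */`. Otherwise the block could be reduced to the three alias definitions.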
1467 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/spinlock.h linux-2.6.39.1/arch/ia64/include/asm/spinlock.h
1468 --- linux-2.6.39.1/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
1469 +++ linux-2.6.39.1/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
1470 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1471 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1472
1473 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1474 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1475 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1476 }
1477
1478 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1479 diff -urNp linux-2.6.39.1/arch/ia64/include/asm/uaccess.h linux-2.6.39.1/arch/ia64/include/asm/uaccess.h
1480 --- linux-2.6.39.1/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
1481 +++ linux-2.6.39.1/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
1482 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1483 const void *__cu_from = (from); \
1484 long __cu_len = (n); \
1485 \
1486 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1487 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1488 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1489 __cu_len; \
1490 })
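Review bot: A length rejected by the new `__cu_len > 0 && __cu_len <= INT_MAX` test falls through to `__cu_len;`, so the macro evaluates to the caller's original n, which may be negative. Callers that treat the result as a count of uncopied bytes, rather than only testing for non-zero, would mishandle that value. The same guard is added to the macro in the next hunk, where the rejected path also leaves the kernel destination buffer unwritten. I would document the contract on the line above the condition, `/* reject negative and > INT_MAX lengths before touching user memory */ \`, and confirm that INT_MAX is visible wherever this header is included. Both macros begin outside their hunks.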
1491 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1492 long __cu_len = (n); \
1493 \
1494 __chk_user_ptr(__cu_from); \
1495 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1496 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1497 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1498 __cu_len; \
1499 })
1500 diff -urNp linux-2.6.39.1/arch/ia64/kernel/dma-mapping.c linux-2.6.39.1/arch/ia64/kernel/dma-mapping.c
1501 --- linux-2.6.39.1/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400
1502 +++ linux-2.6.39.1/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400
1503 @@ -3,7 +3,7 @@
1504 /* Set this to 1 if there is a HW IOMMU in the system */
1505 int iommu_detected __read_mostly;
1506
1507 -struct dma_map_ops *dma_ops;
1508 +const struct dma_map_ops *dma_ops;
1509 EXPORT_SYMBOL(dma_ops);
1510
1511 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1512 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1513 }
1514 fs_initcall(dma_init);
1515
1516 -struct dma_map_ops *dma_get_ops(struct device *dev)
1517 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1518 {
1519 return dma_ops;
1520 }
1521 diff -urNp linux-2.6.39.1/arch/ia64/kernel/module.c linux-2.6.39.1/arch/ia64/kernel/module.c
1522 --- linux-2.6.39.1/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
1523 +++ linux-2.6.39.1/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
1524 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1525 void
1526 module_free (struct module *mod, void *module_region)
1527 {
1528 - if (mod && mod->arch.init_unw_table &&
1529 - module_region == mod->module_init) {
1530 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1531 unw_remove_unwind_table(mod->arch.init_unw_table);
1532 mod->arch.init_unw_table = NULL;
1533 }
1534 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1535 }
1536
1537 static inline int
1538 +in_init_rx (const struct module *mod, uint64_t addr)
1539 +{
1540 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1541 +}
1542 +
1543 +static inline int
1544 +in_init_rw (const struct module *mod, uint64_t addr)
1545 +{
1546 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1547 +}
1548 +
1549 +static inline int
1550 in_init (const struct module *mod, uint64_t addr)
1551 {
1552 - return addr - (uint64_t) mod->module_init < mod->init_size;
1553 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1554 +}
1555 +
1556 +static inline int
1557 +in_core_rx (const struct module *mod, uint64_t addr)
1558 +{
1559 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1560 +}
1561 +
1562 +static inline int
1563 +in_core_rw (const struct module *mod, uint64_t addr)
1564 +{
1565 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1566 }
1567
1568 static inline int
1569 in_core (const struct module *mod, uint64_t addr)
1570 {
1571 - return addr - (uint64_t) mod->module_core < mod->core_size;
1572 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1573 }
1574
1575 static inline int
1576 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1577 break;
1578
1579 case RV_BDREL:
1580 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1581 + if (in_init_rx(mod, val))
1582 + val -= (uint64_t) mod->module_init_rx;
1583 + else if (in_init_rw(mod, val))
1584 + val -= (uint64_t) mod->module_init_rw;
1585 + else if (in_core_rx(mod, val))
1586 + val -= (uint64_t) mod->module_core_rx;
1587 + else if (in_core_rw(mod, val))
1588 + val -= (uint64_t) mod->module_core_rw;
1589 break;
1590
1591 case RV_LTV:
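Review bot: The `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is passed on unadjusted and without any diagnostic, where the old expression always subtracted some base. A relocation target outside every module region looks like a malformed module, so I would end the chain with an explicit failure, for example `else return -ENOEXEC;` if that matches the error convention of `do_reloc` (its other error paths are outside the hunk). At minimum, add a comment stating that leaving `val` untouched is intended.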
1592 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1593 * addresses have been selected...
1594 */
1595 uint64_t gp;
1596 - if (mod->core_size > MAX_LTOFF)
1597 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1598 /*
1599 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1600 * at the end of the module.
1601 */
1602 - gp = mod->core_size - MAX_LTOFF / 2;
1603 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1604 else
1605 - gp = mod->core_size / 2;
1606 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1607 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1608 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1609 mod->arch.gp = gp;
1610 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1611 }
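Review bot: The gp computation uses `core_size_rx + core_size_rw` as an offset from `module_core_rx`, which is only meaningful if the RW core region is laid out directly after the RX one. Nothing in the hunk establishes that; if the two regions are allocated separately, `gp` can land outside both and every gp-relative access in the module is then based on an unrelated address. I would state the layout assumption in the existing comment, e.g. `/* relies on module_core_rw == module_core_rx + core_size_rx */`, or check it before computing `gp`. The enclosing function starts and ends outside the hunk.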
1612 diff -urNp linux-2.6.39.1/arch/ia64/kernel/pci-dma.c linux-2.6.39.1/arch/ia64/kernel/pci-dma.c
1613 --- linux-2.6.39.1/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
1614 +++ linux-2.6.39.1/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
1615 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1616 .dma_mask = &fallback_dev.coherent_dma_mask,
1617 };
1618
1619 -extern struct dma_map_ops intel_dma_ops;
1620 +extern const struct dma_map_ops intel_dma_ops;
1621
1622 static int __init pci_iommu_init(void)
1623 {
1624 diff -urNp linux-2.6.39.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.1/arch/ia64/kernel/pci-swiotlb.c
1625 --- linux-2.6.39.1/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
1626 +++ linux-2.6.39.1/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
1627 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1628 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1629 }
1630
1631 -struct dma_map_ops swiotlb_dma_ops = {
1632 +const struct dma_map_ops swiotlb_dma_ops = {
1633 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1634 .free_coherent = swiotlb_free_coherent,
1635 .map_page = swiotlb_map_page,
1636 diff -urNp linux-2.6.39.1/arch/ia64/kernel/sys_ia64.c linux-2.6.39.1/arch/ia64/kernel/sys_ia64.c
1637 --- linux-2.6.39.1/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400
1638 +++ linux-2.6.39.1/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400
1639 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1640 if (REGION_NUMBER(addr) == RGN_HPAGE)
1641 addr = 0;
1642 #endif
1643 +
1644 +#ifdef CONFIG_PAX_RANDMMAP
1645 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1646 + addr = mm->free_area_cache;
1647 + else
1648 +#endif
1649 +
1650 if (!addr)
1651 addr = mm->free_area_cache;
1652
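Review bot: The added `else` sits directly before `#endif`, so with `CONFIG_PAX_RANDMMAP` set it silently binds to the existing `if (!addr)` that follows the blank line. That pairing is easy to break when either statement is edited later; braces or a comment such as `/* else: continues with the if (!addr) below */` would make it explicit. The same unbraced pattern appears in the `arch_get_unmapped_area` hunk of arch/mips/kernel/syscall.c, where a bare `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` guards the following `if (addr) {` block. A comment that the caller's address hint is deliberately ignored under RANDMMAP would also help.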
1653 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1654 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1655 /* At this point: (!vma || addr < vma->vm_end). */
1656 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1657 - if (start_addr != TASK_UNMAPPED_BASE) {
1658 + if (start_addr != mm->mmap_base) {
1659 /* Start a new search --- just in case we missed some holes. */
1660 - addr = TASK_UNMAPPED_BASE;
1661 + addr = mm->mmap_base;
1662 goto full_search;
1663 }
1664 return -ENOMEM;
1665 }
1666 - if (!vma || addr + len <= vma->vm_start) {
1667 + if (check_heap_stack_gap(vma, addr, len)) {
1668 /* Remember the address where we stopped this search: */
1669 mm->free_area_cache = addr + len;
1670 return addr;
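Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL test out of sight while the loop still advances with `vma = vma->vm_next`. The old condition guaranteed a return whenever `vma` was NULL; now that depends on the helper returning non-zero for a NULL vma, and its definition is not part of this hunk. A one-line comment at the call, e.g. `/* check_heap_stack_gap() must accept vma == NULL and report the range as free */`, would record that contract. The same applies to the calls in arch/ia64/mm/hugetlbpage.c and arch/mips/kernel/syscall.c, which read `vmm->vm_end` right after a failed check.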
1671 diff -urNp linux-2.6.39.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.1/arch/ia64/kernel/vmlinux.lds.S
1672 --- linux-2.6.39.1/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
1673 +++ linux-2.6.39.1/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
1674 @@ -199,7 +199,7 @@ SECTIONS {
1675 /* Per-cpu data: */
1676 . = ALIGN(PERCPU_PAGE_SIZE);
1677 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1678 - __phys_per_cpu_start = __per_cpu_load;
1679 + __phys_per_cpu_start = per_cpu_load;
1680 /*
1681 * ensure percpu data fits
1682 * into percpu page size
1683 diff -urNp linux-2.6.39.1/arch/ia64/mm/fault.c linux-2.6.39.1/arch/ia64/mm/fault.c
1684 --- linux-2.6.39.1/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1685 +++ linux-2.6.39.1/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1686 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1687 return pte_present(pte);
1688 }
1689
1690 +#ifdef CONFIG_PAX_PAGEEXEC
1691 +void pax_report_insns(void *pc, void *sp)
1692 +{
1693 + unsigned long i;
1694 +
1695 + printk(KERN_ERR "PAX: bytes at PC: ");
1696 + for (i = 0; i < 8; i++) {
1697 + unsigned int c;
1698 + if (get_user(c, (unsigned int *)pc+i))
1699 + printk(KERN_CONT "???????? ");
1700 + else
1701 + printk(KERN_CONT "%08x ", c);
1702 + }
1703 + printk("\n");
1704 +}
1705 +#endif
1706 +
1707 void __kprobes
1708 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1709 {
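Review bot: In `pax_report_insns` the cast `(unsigned int *)pc+i` hands `get_user()` a pointer without the `__user` annotation, so sparse cannot check the access; `(unsigned int __user *)pc + i` says what is meant. The `sp` parameter is never used in this version, and the closing `printk("\n")` carries no level while the preceding fragments use `KERN_CONT`. The MIPS copy of this function in arch/mips/mm/fault.c has the same three points.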
1710 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1711 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1712 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1713
1714 - if ((vma->vm_flags & mask) != mask)
1715 + if ((vma->vm_flags & mask) != mask) {
1716 +
1717 +#ifdef CONFIG_PAX_PAGEEXEC
1718 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1719 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1720 + goto bad_area;
1721 +
1722 + up_read(&mm->mmap_sem);
1723 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1724 + do_group_exit(SIGKILL);
1725 + }
1726 +#endif
1727 +
1728 goto bad_area;
1729
1730 + }
1731 +
1732 /*
1733 * If for any reason at all we couldn't handle the fault, make
1734 * sure we exit gracefully rather than endlessly redo the
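Review bot: The PAGEEXEC branch releases `mmap_sem` with `up_read()` and then relies on `do_group_exit(SIGKILL)` never returning; if it did, control would leave the inner `if` and reach `goto bad_area` with the semaphore already dropped. The code at the `bad_area` label is outside the hunk, so whether it unlocks again cannot be confirmed from here. A short comment after the call, `/* not reached: do_group_exit() does not return */`, would make the invariant explicit.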
1735 diff -urNp linux-2.6.39.1/arch/ia64/mm/hugetlbpage.c linux-2.6.39.1/arch/ia64/mm/hugetlbpage.c
1736 --- linux-2.6.39.1/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
1737 +++ linux-2.6.39.1/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
1738 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1739 /* At this point: (!vmm || addr < vmm->vm_end). */
1740 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1741 return -ENOMEM;
1742 - if (!vmm || (addr + len) <= vmm->vm_start)
1743 + if (check_heap_stack_gap(vmm, addr, len))
1744 return addr;
1745 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1746 }
1747 diff -urNp linux-2.6.39.1/arch/ia64/mm/init.c linux-2.6.39.1/arch/ia64/mm/init.c
1748 --- linux-2.6.39.1/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400
1749 +++ linux-2.6.39.1/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400
1750 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1751 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1752 vma->vm_end = vma->vm_start + PAGE_SIZE;
1753 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1754 +
1755 +#ifdef CONFIG_PAX_PAGEEXEC
1756 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1757 + vma->vm_flags &= ~VM_EXEC;
1758 +
1759 +#ifdef CONFIG_PAX_MPROTECT
1760 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1761 + vma->vm_flags &= ~VM_MAYEXEC;
1762 +#endif
1763 +
1764 + }
1765 +#endif
1766 +
1767 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1768 down_write(&current->mm->mmap_sem);
1769 if (insert_vm_struct(current->mm, vma)) {
1770 diff -urNp linux-2.6.39.1/arch/ia64/pci/pci.c linux-2.6.39.1/arch/ia64/pci/pci.c
1771 --- linux-2.6.39.1/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
1772 +++ linux-2.6.39.1/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400
1773 @@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus
1774 devfn, where, size, value);
1775 }
1776
1777 -struct pci_ops pci_root_ops = {
1778 +const struct pci_ops pci_root_ops = {
1779 .read = pci_read,
1780 .write = pci_write,
1781 };
1782 diff -urNp linux-2.6.39.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.1/arch/ia64/sn/pci/pci_dma.c
1783 --- linux-2.6.39.1/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400
1784 +++ linux-2.6.39.1/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400
1785 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1786 return ret;
1787 }
1788
1789 -static struct dma_map_ops sn_dma_ops = {
1790 +static const struct dma_map_ops sn_dma_ops = {
1791 .alloc_coherent = sn_dma_alloc_coherent,
1792 .free_coherent = sn_dma_free_coherent,
1793 .map_page = sn_dma_map_page,
1794 diff -urNp linux-2.6.39.1/arch/m32r/lib/usercopy.c linux-2.6.39.1/arch/m32r/lib/usercopy.c
1795 --- linux-2.6.39.1/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400
1796 +++ linux-2.6.39.1/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400
1797 @@ -14,6 +14,9 @@
1798 unsigned long
1799 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1800 {
1801 + if ((long)n < 0)
1802 + return n;
1803 +
1804 prefetch(from);
1805 if (access_ok(VERIFY_WRITE, to, n))
1806 __copy_user(to,from,n);
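Review bot: The early `if ((long)n < 0) return n;` is an unexplained idiom for "the length has its sign bit set", and it appears again in the `__generic_copy_from_user` hunk below. A comment such as `/* a size this large is a negative value converted to unsigned; copy nothing and report all n bytes as uncopied */` would tell the reader why the function returns before `access_ok()`. In the copy-from-user variant the destination buffer is left untouched on this path, so callers must not use it when the return value is non-zero. Both function bodies continue outside their hunks.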
1807 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1808 unsigned long
1809 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1810 {
1811 + if ((long)n < 0)
1812 + return n;
1813 +
1814 prefetchw(to);
1815 if (access_ok(VERIFY_READ, from, n))
1816 __copy_user_zeroing(to,from,n);
1817 diff -urNp linux-2.6.39.1/arch/microblaze/include/asm/device.h linux-2.6.39.1/arch/microblaze/include/asm/device.h
1818 --- linux-2.6.39.1/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
1819 +++ linux-2.6.39.1/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
1820 @@ -13,7 +13,7 @@ struct device_node;
1821
1822 struct dev_archdata {
1823 /* DMA operations on that device */
1824 - struct dma_map_ops *dma_ops;
1825 + const struct dma_map_ops *dma_ops;
1826 void *dma_data;
1827 };
1828
1829 diff -urNp linux-2.6.39.1/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.1/arch/microblaze/include/asm/dma-mapping.h
1830 --- linux-2.6.39.1/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1831 +++ linux-2.6.39.1/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1832 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1833 return 0xfffffffful;
1834 }
1835
1836 -extern struct dma_map_ops *dma_ops;
1837 +extern const struct dma_map_ops *dma_ops;
1838
1839 /*
1840 * Available generic sets of operations
1841 */
1842 -extern struct dma_map_ops dma_direct_ops;
1843 +extern const struct dma_map_ops dma_direct_ops;
1844
1845 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1846 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1847 {
1848 /* We don't handle the NULL dev case for ISA for now. We could
1849 * do it via an out of line call but it is not needed for now. The
1850 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1851 return dev->archdata.dma_ops;
1852 }
1853
1854 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1855 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1856 {
1857 dev->archdata.dma_ops = ops;
1858 }
1859
1860 static inline int dma_supported(struct device *dev, u64 mask)
1861 {
1862 - struct dma_map_ops *ops = get_dma_ops(dev);
1863 + const struct dma_map_ops *ops = get_dma_ops(dev);
1864
1865 if (unlikely(!ops))
1866 return 0;
1867 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1868
1869 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1870 {
1871 - struct dma_map_ops *ops = get_dma_ops(dev);
1872 + const struct dma_map_ops *ops = get_dma_ops(dev);
1873
1874 if (unlikely(ops == NULL))
1875 return -EIO;
1876 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1877
1878 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1879 {
1880 - struct dma_map_ops *ops = get_dma_ops(dev);
1881 + const struct dma_map_ops *ops = get_dma_ops(dev);
1882 if (ops->mapping_error)
1883 return ops->mapping_error(dev, dma_addr);
1884
1885 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1886 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1887 dma_addr_t *dma_handle, gfp_t flag)
1888 {
1889 - struct dma_map_ops *ops = get_dma_ops(dev);
1890 + const struct dma_map_ops *ops = get_dma_ops(dev);
1891 void *memory;
1892
1893 BUG_ON(!ops);
1894 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1895 static inline void dma_free_coherent(struct device *dev, size_t size,
1896 void *cpu_addr, dma_addr_t dma_handle)
1897 {
1898 - struct dma_map_ops *ops = get_dma_ops(dev);
1899 + const struct dma_map_ops *ops = get_dma_ops(dev);
1900
1901 BUG_ON(!ops);
1902 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1903 diff -urNp linux-2.6.39.1/arch/microblaze/include/asm/pci.h linux-2.6.39.1/arch/microblaze/include/asm/pci.h
1904 --- linux-2.6.39.1/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
1905 +++ linux-2.6.39.1/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
1906 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1907 }
1908
1909 #ifdef CONFIG_PCI
1910 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1911 -extern struct dma_map_ops *get_pci_dma_ops(void);
1912 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1913 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1914 #else /* CONFIG_PCI */
1915 #define set_pci_dma_ops(d)
1916 #define get_pci_dma_ops() NULL
1917 diff -urNp linux-2.6.39.1/arch/microblaze/kernel/dma.c linux-2.6.39.1/arch/microblaze/kernel/dma.c
1918 --- linux-2.6.39.1/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
1919 +++ linux-2.6.39.1/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
1920 @@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page
1921 __dma_sync_page(dma_address, 0 , size, direction);
1922 }
1923
1924 -struct dma_map_ops dma_direct_ops = {
1925 +const struct dma_map_ops dma_direct_ops = {
1926 .alloc_coherent = dma_direct_alloc_coherent,
1927 .free_coherent = dma_direct_free_coherent,
1928 .map_sg = dma_direct_map_sg,
1929 diff -urNp linux-2.6.39.1/arch/microblaze/kernel/kgdb.c linux-2.6.39.1/arch/microblaze/kernel/kgdb.c
1930 --- linux-2.6.39.1/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1931 +++ linux-2.6.39.1/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1932 @@ -141,7 +141,7 @@ void kgdb_arch_exit(void)
1933 /*
1934 * Global data
1935 */
1936 -struct kgdb_arch arch_kgdb_ops = {
1937 +const struct kgdb_arch arch_kgdb_ops = {
1938 #ifdef __MICROBLAZEEL__
1939 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1940 #else
1941 diff -urNp linux-2.6.39.1/arch/microblaze/pci/indirect_pci.c linux-2.6.39.1/arch/microblaze/pci/indirect_pci.c
1942 --- linux-2.6.39.1/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
1943 +++ linux-2.6.39.1/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
1944 @@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu
1945 return PCIBIOS_SUCCESSFUL;
1946 }
1947
1948 -static struct pci_ops indirect_pci_ops = {
1949 +static const struct pci_ops indirect_pci_ops = {
1950 .read = indirect_read_config,
1951 .write = indirect_write_config,
1952 };
1953 diff -urNp linux-2.6.39.1/arch/microblaze/pci/pci-common.c linux-2.6.39.1/arch/microblaze/pci/pci-common.c
1954 --- linux-2.6.39.1/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400
1955 +++ linux-2.6.39.1/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400
1956 @@ -48,14 +48,14 @@ resource_size_t isa_mem_base;
1957 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1958 unsigned int pci_flags;
1959
1960 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1961 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1962
1963 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1964 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1965 {
1966 pci_dma_ops = dma_ops;
1967 }
1968
1969 -struct dma_map_ops *get_pci_dma_ops(void)
1970 +const struct dma_map_ops *get_pci_dma_ops(void)
1971 {
1972 return pci_dma_ops;
1973 }
1974 @@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u
1975 return PCIBIOS_DEVICE_NOT_FOUND;
1976 }
1977
1978 -static struct pci_ops null_pci_ops = {
1979 +static const struct pci_ops null_pci_ops = {
1980 .read = null_read_config,
1981 .write = null_write_config,
1982 };
1983 diff -urNp linux-2.6.39.1/arch/mips/alchemy/common/pci.c linux-2.6.39.1/arch/mips/alchemy/common/pci.c
1984 --- linux-2.6.39.1/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400
1985 +++ linux-2.6.39.1/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400
1986 @@ -51,7 +51,7 @@ static struct resource pci_mem_resource
1987 .flags = IORESOURCE_MEM
1988 };
1989
1990 -extern struct pci_ops au1x_pci_ops;
1991 +extern const struct pci_ops au1x_pci_ops;
1992
1993 static struct pci_controller au1x_controller = {
1994 .pci_ops = &au1x_pci_ops,
1995 diff -urNp linux-2.6.39.1/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.1/arch/mips/cavium-octeon/dma-octeon.c
1996 --- linux-2.6.39.1/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400
1997 +++ linux-2.6.39.1/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400
1998 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1999 }
2000
2001 struct octeon_dma_map_ops {
2002 - struct dma_map_ops dma_map_ops;
2003 + const struct dma_map_ops dma_map_ops;
2004 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
2005 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
2006 };
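Review bot: Qualifying the embedded member as `const struct dma_map_ops dma_map_ops;` does not by itself place the operation table in read-only memory, because the containing objects are still declared without `const` (the next hunk header shows `static struct octeon_dma_map_ops _octeon...`). The two sibling function pointers `phys_to_dma` and `dma_to_phys` are likewise left writable. If nothing writes these objects after initialisation, which cannot be seen from this hunk, declaring the instances themselves `static const struct octeon_dma_map_ops` would give the protection the change is aiming for.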
2007 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
2008 },
2009 };
2010
2011 -struct dma_map_ops *octeon_pci_dma_map_ops;
2012 +const struct dma_map_ops *octeon_pci_dma_map_ops;
2013
2014 void __init octeon_pci_dma_init(void)
2015 {
2016 diff -urNp linux-2.6.39.1/arch/mips/cobalt/pci.c linux-2.6.39.1/arch/mips/cobalt/pci.c
2017 --- linux-2.6.39.1/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400
2018 +++ linux-2.6.39.1/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400
2019 @@ -14,7 +14,7 @@
2020
2021 #include <asm/gt64120.h>
2022
2023 -extern struct pci_ops gt64xxx_pci0_ops;
2024 +extern const struct pci_ops gt64xxx_pci0_ops;
2025
2026 static struct resource cobalt_mem_resource = {
2027 .start = GT_DEF_PCI0_MEM0_BASE,
2028 diff -urNp linux-2.6.39.1/arch/mips/include/asm/device.h linux-2.6.39.1/arch/mips/include/asm/device.h
2029 --- linux-2.6.39.1/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2030 +++ linux-2.6.39.1/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2031 @@ -10,7 +10,7 @@ struct dma_map_ops;
2032
2033 struct dev_archdata {
2034 /* DMA operations on that device */
2035 - struct dma_map_ops *dma_ops;
2036 + const struct dma_map_ops *dma_ops;
2037 };
2038
2039 struct pdev_archdata {
2040 diff -urNp linux-2.6.39.1/arch/mips/include/asm/dma-mapping.h linux-2.6.39.1/arch/mips/include/asm/dma-mapping.h
2041 --- linux-2.6.39.1/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2042 +++ linux-2.6.39.1/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2043 @@ -9,9 +9,9 @@
2044 #include <dma-coherence.h>
2045 #endif
2046
2047 -extern struct dma_map_ops *mips_dma_map_ops;
2048 +extern const struct dma_map_ops *mips_dma_map_ops;
2049
2050 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2051 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2052 {
2053 if (dev && dev->archdata.dma_ops)
2054 return dev->archdata.dma_ops;
2055 @@ -33,13 +33,13 @@ static inline void dma_mark_clean(void *
2056
2057 static inline int dma_supported(struct device *dev, u64 mask)
2058 {
2059 - struct dma_map_ops *ops = get_dma_ops(dev);
2060 + const struct dma_map_ops *ops = get_dma_ops(dev);
2061 return ops->dma_supported(dev, mask);
2062 }
2063
2064 static inline int dma_mapping_error(struct device *dev, u64 mask)
2065 {
2066 - struct dma_map_ops *ops = get_dma_ops(dev);
2067 + const struct dma_map_ops *ops = get_dma_ops(dev);
2068 return ops->mapping_error(dev, mask);
2069 }
2070
2071 @@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s
2072 dma_addr_t *dma_handle, gfp_t gfp)
2073 {
2074 void *ret;
2075 - struct dma_map_ops *ops = get_dma_ops(dev);
2076 + const struct dma_map_ops *ops = get_dma_ops(dev);
2077
2078 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
2079
2080 @@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s
2081 static inline void dma_free_coherent(struct device *dev, size_t size,
2082 void *vaddr, dma_addr_t dma_handle)
2083 {
2084 - struct dma_map_ops *ops = get_dma_ops(dev);
2085 + const struct dma_map_ops *ops = get_dma_ops(dev);
2086
2087 ops->free_coherent(dev, size, vaddr, dma_handle);
2088
2089 diff -urNp linux-2.6.39.1/arch/mips/include/asm/elf.h linux-2.6.39.1/arch/mips/include/asm/elf.h
2090 --- linux-2.6.39.1/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2091 +++ linux-2.6.39.1/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2092 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
2093 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2094 #endif
2095
2096 +#ifdef CONFIG_PAX_ASLR
2097 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2098 +
2099 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2100 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2101 +#endif
2102 +
2103 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2104 struct linux_binprm;
2105 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
2106 int uses_interp);
2107
2108 -struct mm_struct;
2109 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2110 -#define arch_randomize_brk arch_randomize_brk
2111 -
2112 #endif /* _ASM_ELF_H */
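Review bot: `PAX_ELF_ET_DYN_BASE` is written as `(TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)`, a conditional whose two arms are identical. Either the 64-bit arm was meant to hold a different base, or the test is redundant and the macro should simply be `0x00400000UL` with a comment that both address-space sizes share it. The same three-macro block is repeated verbatim in arch/mips/kernel/binfmt_elfn32.c and arch/mips/kernel/binfmt_elfo32.c, so the copies can drift apart; a single shared definition would avoid that.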
2113 diff -urNp linux-2.6.39.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
2114 --- linux-2.6.39.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400
2115 +++ linux-2.6.39.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400
2116 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
2117 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
2118
2119 struct dma_map_ops;
2120 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
2121 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
2122 extern char *octeon_swiotlb;
2123
2124 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
2125 diff -urNp linux-2.6.39.1/arch/mips/include/asm/page.h linux-2.6.39.1/arch/mips/include/asm/page.h
2126 --- linux-2.6.39.1/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
2127 +++ linux-2.6.39.1/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
2128 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2129 #ifdef CONFIG_CPU_MIPS32
2130 typedef struct { unsigned long pte_low, pte_high; } pte_t;
2131 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2132 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2133 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2134 #else
2135 typedef struct { unsigned long long pte; } pte_t;
2136 #define pte_val(x) ((x).pte)
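Review bot: The new `__pte(x)` computes `(x) >> 32` without first widening `x`, whereas the removed form cast to `unsigned long long` before shifting. In this `CONFIG_CPU_MIPS32` branch the fields are `unsigned long`, and if a caller passes a 32-bit argument the shift count equals the type width, which is undefined behaviour in C. Unless every caller is known to pass a 64-bit value, which is not visible here, keep the widening on the high half, `((unsigned long long)(x)) >> 32`, or document the required argument type next to the macro.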
2137 diff -urNp linux-2.6.39.1/arch/mips/include/asm/pci/bridge.h linux-2.6.39.1/arch/mips/include/asm/pci/bridge.h
2138 --- linux-2.6.39.1/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400
2139 +++ linux-2.6.39.1/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400
2140 @@ -849,6 +849,6 @@ struct bridge_controller {
2141 extern void register_bridge_irq(unsigned int irq);
2142 extern int request_bridge_irq(struct bridge_controller *bc);
2143
2144 -extern struct pci_ops bridge_pci_ops;
2145 +extern const struct pci_ops bridge_pci_ops;
2146
2147 #endif /* _ASM_PCI_BRIDGE_H */
2148 diff -urNp linux-2.6.39.1/arch/mips/include/asm/system.h linux-2.6.39.1/arch/mips/include/asm/system.h
2149 --- linux-2.6.39.1/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
2150 +++ linux-2.6.39.1/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
2151 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2152 */
2153 #define __ARCH_WANT_UNLOCKED_CTXSW
2154
2155 -extern unsigned long arch_align_stack(unsigned long sp);
2156 +#define arch_align_stack(x) ((x) & ~0xfUL)
2157
2158 #endif /* _ASM_SYSTEM_H */
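Review bot: The macro `arch_align_stack(x) ((x) & ~0xfUL)` hard-codes a 16-byte mask with no comment. The function it replaces (removed in the arch/mips/kernel/process.c hunk) used `ALMASK` and documented 8-byte alignment for the 32-bit ABI and 16-byte for the 64-bit ABI. The replacement also drops the per-call `get_random_int()` stack offset; presumably stack randomisation is now supplied by the ASLR deltas defined elsewhere in this patch, but that is not visible here. I would add a comment such as `/* 16-byte alignment satisfies both ABIs; stack randomisation is no longer done here */` so the loss of the random offset is not mistaken for an oversight.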
2159 diff -urNp linux-2.6.39.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.1/arch/mips/kernel/binfmt_elfn32.c
2160 --- linux-2.6.39.1/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400
2161 +++ linux-2.6.39.1/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400
2162 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2163 #undef ELF_ET_DYN_BASE
2164 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2165
2166 +#ifdef CONFIG_PAX_ASLR
2167 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2168 +
2169 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2170 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2171 +#endif
2172 +
2173 #include <asm/processor.h>
2174 #include <linux/module.h>
2175 #include <linux/elfcore.h>
2176 diff -urNp linux-2.6.39.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.1/arch/mips/kernel/binfmt_elfo32.c
2177 --- linux-2.6.39.1/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400
2178 +++ linux-2.6.39.1/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400
2179 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2180 #undef ELF_ET_DYN_BASE
2181 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2182
2183 +#ifdef CONFIG_PAX_ASLR
2184 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2185 +
2186 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2187 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2188 +#endif
2189 +
2190 #include <asm/processor.h>
2191
2192 /*
2193 diff -urNp linux-2.6.39.1/arch/mips/kernel/kgdb.c linux-2.6.39.1/arch/mips/kernel/kgdb.c
2194 --- linux-2.6.39.1/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2195 +++ linux-2.6.39.1/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2196 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
2197 return -1;
2198 }
2199
2200 -struct kgdb_arch arch_kgdb_ops;
2201 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
2202
2203 /*
2204 * We use kgdb_early_setup so that functions we need to call now don't
2205 diff -urNp linux-2.6.39.1/arch/mips/kernel/process.c linux-2.6.39.1/arch/mips/kernel/process.c
2206 --- linux-2.6.39.1/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
2207 +++ linux-2.6.39.1/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
2208 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
2209 out:
2210 return pc;
2211 }
2212 -
2213 -/*
2214 - * Don't forget that the stack pointer must be aligned on a 8 bytes
2215 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2216 - */
2217 -unsigned long arch_align_stack(unsigned long sp)
2218 -{
2219 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2220 - sp -= get_random_int() & ~PAGE_MASK;
2221 -
2222 - return sp & ALMASK;
2223 -}
2224 diff -urNp linux-2.6.39.1/arch/mips/kernel/syscall.c linux-2.6.39.1/arch/mips/kernel/syscall.c
2225 --- linux-2.6.39.1/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400
2226 +++ linux-2.6.39.1/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400
2227 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
2228 do_color_align = 0;
2229 if (filp || (flags & MAP_SHARED))
2230 do_color_align = 1;
2231 +
2232 +#ifdef CONFIG_PAX_RANDMMAP
2233 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2234 +#endif
2235 +
2236 if (addr) {
2237 if (do_color_align)
2238 addr = COLOUR_ALIGN(addr, pgoff);
2239 else
2240 addr = PAGE_ALIGN(addr);
2241 vmm = find_vma(current->mm, addr);
2242 - if (task_size - len >= addr &&
2243 - (!vmm || addr + len <= vmm->vm_start))
2244 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2245 return addr;
2246 }
2247 addr = current->mm->mmap_base;
2248 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
2249 /* At this point: (!vmm || addr < vmm->vm_end). */
2250 if (task_size - len < addr)
2251 return -ENOMEM;
2252 - if (!vmm || addr + len <= vmm->vm_start)
2253 + if (check_heap_stack_gap(vmm, addr, len))
2254 return addr;
2255 addr = vmm->vm_end;
2256 if (do_color_align)
2257 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
2258 mm->unmap_area = arch_unmap_area;
2259 }
2260
2261 -static inline unsigned long brk_rnd(void)
2262 -{
2263 - unsigned long rnd = get_random_int();
2264 -
2265 - rnd = rnd << PAGE_SHIFT;
2266 - /* 8MB for 32bit, 256MB for 64bit */
2267 - if (TASK_IS_32BIT_ADDR)
2268 - rnd = rnd & 0x7ffffful;
2269 - else
2270 - rnd = rnd & 0xffffffful;
2271 -
2272 - return rnd;
2273 -}
2274 -
2275 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2276 -{
2277 - unsigned long base = mm->brk;
2278 - unsigned long ret;
2279 -
2280 - ret = PAGE_ALIGN(base + brk_rnd());
2281 -
2282 - if (ret < mm->brk)
2283 - return mm->brk;
2284 -
2285 - return ret;
2286 -}
2287 -
2288 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
2289 unsigned long, prot, unsigned long, flags, unsigned long,
2290 fd, off_t, offset)
2291 diff -urNp linux-2.6.39.1/arch/mips/mm/dma-default.c linux-2.6.39.1/arch/mips/mm/dma-default.c
2292 --- linux-2.6.39.1/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400
2293 +++ linux-2.6.39.1/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400
2294 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
2295
2296 EXPORT_SYMBOL(dma_cache_sync);
2297
2298 -static struct dma_map_ops mips_default_dma_map_ops = {
2299 +static const struct dma_map_ops mips_default_dma_map_ops = {
2300 .alloc_coherent = mips_dma_alloc_coherent,
2301 .free_coherent = mips_dma_free_coherent,
2302 .map_page = mips_dma_map_page,
2303 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
2304 .dma_supported = mips_dma_supported
2305 };
2306
2307 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2308 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2309 EXPORT_SYMBOL(mips_dma_map_ops);
2310
2311 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
2312 diff -urNp linux-2.6.39.1/arch/mips/mm/fault.c linux-2.6.39.1/arch/mips/mm/fault.c
2313 --- linux-2.6.39.1/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
2314 +++ linux-2.6.39.1/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
2315 @@ -28,6 +28,23 @@
2316 #include <asm/highmem.h> /* For VMALLOC_END */
2317 #include <linux/kdebug.h>
2318
2319 +#ifdef CONFIG_PAX_PAGEEXEC
2320 +void pax_report_insns(void *pc, void *sp)
2321 +{
2322 + unsigned long i;
2323 +
2324 + printk(KERN_ERR "PAX: bytes at PC: ");
2325 + for (i = 0; i < 5; i++) {
2326 + unsigned int c;
2327 + if (get_user(c, (unsigned int *)pc+i))
2328 + printk(KERN_CONT "???????? ");
2329 + else
2330 + printk(KERN_CONT "%08x ", c);
2331 + }
2332 + printk("\n");
2333 +}
2334 +#endif
2335 +
2336 /*
2337 * This routine handles page faults. It determines the address,
2338 * and the problem, and then passes it off to one of the appropriate
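Review bot: In `pax_report_insns`, `get_user(c, (unsigned int *)pc+i)` reads user memory through a pointer with no `__user` annotation, so sparse cannot check the access; the cast would be better as `(unsigned int __user *)pc + i`. The `sp` parameter is never used in the body. The loop bound `5` is unexplained, so a comment saying how many instruction words are dumped and why would help. The closing `printk("\n")` also omits `KERN_CONT`, unlike the other continuation calls in the loop.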
2339 diff -urNp linux-2.6.39.1/arch/mips/mti-malta/malta-pci.c linux-2.6.39.1/arch/mips/mti-malta/malta-pci.c
2340 --- linux-2.6.39.1/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400
2341 +++ linux-2.6.39.1/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400
2342 @@ -64,9 +64,9 @@ static struct resource msc_io_resource =
2343 .flags = IORESOURCE_IO,
2344 };
2345
2346 -extern struct pci_ops bonito64_pci_ops;
2347 -extern struct pci_ops gt64xxx_pci0_ops;
2348 -extern struct pci_ops msc_pci_ops;
2349 +extern const struct pci_ops bonito64_pci_ops;
2350 +extern const struct pci_ops gt64xxx_pci0_ops;
2351 +extern const struct pci_ops msc_pci_ops;
2352
2353 static struct pci_controller bonito64_controller = {
2354 .pci_ops = &bonito64_pci_ops,
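Review bot: The `const` added to these three `extern` declarations must match the definitions in ops-bonito64.c, ops-gt64xxx_pci0.c and ops-msc.c by hand, because the declarations sit in this .c file rather than in a header that both sides include. The compiler therefore never compares them. Moving them to a shared header would turn a future qualifier mismatch into a build failure, instead of leaving a non-const alias to a function-pointer table that the compiler may place in read-only data. The assignment `.pci_ops = &bonito64_pci_ops` also needs the `pci_ops` member of `struct pci_controller` to be a pointer to const, which is declared outside this hunk. The same local-extern pattern recurs in the hunks for nxp/pnx8550/common/pci.c, pci-emma2rh.c, pci-ip27.c, pci-ip32.c, pci-lasat.c, pci-rc32434.c, pci-vr41xx.c, pci-yosemite.c, pnx8550/common/pci.c, sni/pcimt.c, sni/pcit.c and wrppmc/pci.c.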
2355 diff -urNp linux-2.6.39.1/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.1/arch/mips/nxp/pnx8550/common/pci.c
2356 --- linux-2.6.39.1/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2357 +++ linux-2.6.39.1/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2358 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2359 .flags = IORESOURCE_MEM
2360 };
2361
2362 -extern struct pci_ops pnx8550_pci_ops;
2363 +extern const struct pci_ops pnx8550_pci_ops;
2364
2365 static struct pci_controller pnx8550_controller = {
2366 .pci_ops = &pnx8550_pci_ops,
2367 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-au1000.c linux-2.6.39.1/arch/mips/pci/ops-au1000.c
2368 --- linux-2.6.39.1/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400
2369 +++ linux-2.6.39.1/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400
2370 @@ -302,7 +302,7 @@ static int config_write(struct pci_bus *
2371 }
2372 }
2373
2374 -struct pci_ops au1x_pci_ops = {
2375 +const struct pci_ops au1x_pci_ops = {
2376 config_read,
2377 config_write
2378 };
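Review bot: `au1x_pci_ops` is initialised positionally (`config_read, config_write`), so it depends on the member order of `struct pci_ops`, while most tables touched by this patch use `.read =` and `.write =`. Since the declaration is being edited anyway, designated initialisers, `.read = config_read,` and `.write = config_write,`, would keep these function-pointer tables correct if the structure is ever reordered. The same applies to the positional tables in ops-pnx8550.c, ops-titan.c, pci-bcm1480.c, pcie-octeon.c, pci-octeon.c and mn10300/unit-asb2305/pci.c. The table in pmc-sierra/yosemite/ht.c lists at least three positional entries, which looks inconsistent with a two-member read/write table and is worth checking.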
2379 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.1/arch/mips/pci/ops-bcm63xx.c
2380 --- linux-2.6.39.1/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400
2381 +++ linux-2.6.39.1/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400
2382 @@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_
2383 where, size, val);
2384 }
2385
2386 -struct pci_ops bcm63xx_pci_ops = {
2387 +const struct pci_ops bcm63xx_pci_ops = {
2388 .read = bcm63xx_pci_read,
2389 .write = bcm63xx_pci_write
2390 };
2391 @@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b
2392 return PCIBIOS_DEVICE_NOT_FOUND;
2393 }
2394
2395 -struct pci_ops bcm63xx_cb_ops = {
2396 +const struct pci_ops bcm63xx_cb_ops = {
2397 .read = bcm63xx_cb_read,
2398 .write = bcm63xx_cb_write,
2399 };
2400 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-bonito64.c linux-2.6.39.1/arch/mips/pci/ops-bonito64.c
2401 --- linux-2.6.39.1/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400
2402 +++ linux-2.6.39.1/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400
2403 @@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct
2404 return PCIBIOS_SUCCESSFUL;
2405 }
2406
2407 -struct pci_ops bonito64_pci_ops = {
2408 +const struct pci_ops bonito64_pci_ops = {
2409 .read = bonito64_pcibios_read,
2410 .write = bonito64_pcibios_write
2411 };
2412 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-bridge.c linux-2.6.39.1/arch/mips/pci/ops-bridge.c
2413 --- linux-2.6.39.1/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400
2414 +++ linux-2.6.39.1/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400
2415 @@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b
2416 return pci_conf0_write_config(bus, devfn, where, size, value);
2417 }
2418
2419 -struct pci_ops bridge_pci_ops = {
2420 +const struct pci_ops bridge_pci_ops = {
2421 .read = pci_read_config,
2422 .write = pci_write_config,
2423 };
2424 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-emma2rh.c linux-2.6.39.1/arch/mips/pci/ops-emma2rh.c
2425 --- linux-2.6.39.1/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2426 +++ linux-2.6.39.1/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2427 @@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b
2428 return PCIBIOS_SUCCESSFUL;
2429 }
2430
2431 -struct pci_ops emma2rh_pci_ops = {
2432 +const struct pci_ops emma2rh_pci_ops = {
2433 .read = pci_config_read,
2434 .write = pci_config_write,
2435 };
2436 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.1/arch/mips/pci/ops-gt64xxx_pci0.c
2437 --- linux-2.6.39.1/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400
2438 +++ linux-2.6.39.1/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400
2439 @@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st
2440 return PCIBIOS_SUCCESSFUL;
2441 }
2442
2443 -struct pci_ops gt64xxx_pci0_ops = {
2444 +const struct pci_ops gt64xxx_pci0_ops = {
2445 .read = gt64xxx_pci0_pcibios_read,
2446 .write = gt64xxx_pci0_pcibios_write
2447 };
2448 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-loongson2.c linux-2.6.39.1/arch/mips/pci/ops-loongson2.c
2449 --- linux-2.6.39.1/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400
2450 +++ linux-2.6.39.1/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400
2451 @@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct
2452 return PCIBIOS_SUCCESSFUL;
2453 }
2454
2455 -struct pci_ops loongson_pci_ops = {
2456 +const struct pci_ops loongson_pci_ops = {
2457 .read = loongson_pcibios_read,
2458 .write = loongson_pcibios_write
2459 };
2460 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-mace.c linux-2.6.39.1/arch/mips/pci/ops-mace.c
2461 --- linux-2.6.39.1/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400
2462 +++ linux-2.6.39.1/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400
2463 @@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu
2464 return PCIBIOS_SUCCESSFUL;
2465 }
2466
2467 -struct pci_ops mace_pci_ops = {
2468 +const struct pci_ops mace_pci_ops = {
2469 .read = mace_pci_read_config,
2470 .write = mace_pci_write_config,
2471 };
2472 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-msc.c linux-2.6.39.1/arch/mips/pci/ops-msc.c
2473 --- linux-2.6.39.1/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400
2474 +++ linux-2.6.39.1/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400
2475 @@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_
2476 return PCIBIOS_SUCCESSFUL;
2477 }
2478
2479 -struct pci_ops msc_pci_ops = {
2480 +const struct pci_ops msc_pci_ops = {
2481 .read = msc_pcibios_read,
2482 .write = msc_pcibios_write
2483 };
2484 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-nile4.c linux-2.6.39.1/arch/mips/pci/ops-nile4.c
2485 --- linux-2.6.39.1/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400
2486 +++ linux-2.6.39.1/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400
2487 @@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc
2488 return PCIBIOS_SUCCESSFUL;
2489 }
2490
2491 -struct pci_ops nile4_pci_ops = {
2492 +const struct pci_ops nile4_pci_ops = {
2493 .read = nile4_pcibios_read,
2494 .write = nile4_pcibios_write,
2495 };
2496 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.1/arch/mips/pci/ops-pmcmsp.c
2497 --- linux-2.6.39.1/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
2498 +++ linux-2.6.39.1/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400
2499 @@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus
2500 * write - function for Linux to generate PCI Configuration writes.
2501 *
2502 ****************************************************************************/
2503 -struct pci_ops msp_pci_ops = {
2504 +const struct pci_ops msp_pci_ops = {
2505 .read = msp_pcibios_read_config,
2506 .write = msp_pcibios_write_config
2507 };
2508 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-pnx8550.c linux-2.6.39.1/arch/mips/pci/ops-pnx8550.c
2509 --- linux-2.6.39.1/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400
2510 +++ linux-2.6.39.1/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400
2511 @@ -276,7 +276,7 @@ static int config_write(struct pci_bus *
2512 }
2513 }
2514
2515 -struct pci_ops pnx8550_pci_ops = {
2516 +const struct pci_ops pnx8550_pci_ops = {
2517 config_read,
2518 config_write
2519 };
2520 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-rc32434.c linux-2.6.39.1/arch/mips/pci/ops-rc32434.c
2521 --- linux-2.6.39.1/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2522 +++ linux-2.6.39.1/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2523 @@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b
2524 }
2525 }
2526
2527 -struct pci_ops rc32434_pci_ops = {
2528 +const struct pci_ops rc32434_pci_ops = {
2529 .read = pci_config_read,
2530 .write = pci_config_write,
2531 };
2532 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-sni.c linux-2.6.39.1/arch/mips/pci/ops-sni.c
2533 --- linux-2.6.39.1/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400
2534 +++ linux-2.6.39.1/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400
2535 @@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b
2536 return 0;
2537 }
2538
2539 -struct pci_ops sni_pcimt_ops = {
2540 +const struct pci_ops sni_pcimt_ops = {
2541 .read = pcimt_read,
2542 .write = pcimt_write,
2543 };
2544 @@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu
2545 }
2546
2547
2548 -struct pci_ops sni_pcit_ops = {
2549 +const struct pci_ops sni_pcit_ops = {
2550 .read = pcit_read,
2551 .write = pcit_write,
2552 };
2553 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-titan.c linux-2.6.39.1/arch/mips/pci/ops-titan.c
2554 --- linux-2.6.39.1/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400
2555 +++ linux-2.6.39.1/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400
2556 @@ -105,7 +105,7 @@ static int titan_write_config(struct pci
2557 /*
2558 * Titan PCI structure
2559 */
2560 -struct pci_ops titan_pci_ops = {
2561 +const struct pci_ops titan_pci_ops = {
2562 titan_read_config,
2563 titan_write_config,
2564 };
2565 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-titan-ht.c linux-2.6.39.1/arch/mips/pci/ops-titan-ht.c
2566 --- linux-2.6.39.1/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400
2567 +++ linux-2.6.39.1/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400
2568 @@ -118,7 +118,7 @@ static int titan_ht_config_write(struct
2569 return PCIBIOS_SUCCESSFUL;
2570 }
2571
2572 -struct pci_ops titan_ht_pci_ops = {
2573 +const struct pci_ops titan_ht_pci_ops = {
2574 .read = titan_ht_config_read,
2575 .write = titan_ht_config_write,
2576 };
2577 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-tx3927.c linux-2.6.39.1/arch/mips/pci/ops-tx3927.c
2578 --- linux-2.6.39.1/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400
2579 +++ linux-2.6.39.1/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400
2580 @@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc
2581 return check_abort();
2582 }
2583
2584 -static struct pci_ops tx3927_pci_ops = {
2585 +static const struct pci_ops tx3927_pci_ops = {
2586 .read = tx3927_pci_read_config,
2587 .write = tx3927_pci_write_config,
2588 };
2589 diff -urNp linux-2.6.39.1/arch/mips/pci/ops-vr41xx.c linux-2.6.39.1/arch/mips/pci/ops-vr41xx.c
2590 --- linux-2.6.39.1/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2591 +++ linux-2.6.39.1/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2592 @@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b
2593 return PCIBIOS_SUCCESSFUL;
2594 }
2595
2596 -struct pci_ops vr41xx_pci_ops = {
2597 +const struct pci_ops vr41xx_pci_ops = {
2598 .read = pci_config_read,
2599 .write = pci_config_write,
2600 };
2601 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-bcm1480.c linux-2.6.39.1/arch/mips/pci/pci-bcm1480.c
2602 --- linux-2.6.39.1/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400
2603 +++ linux-2.6.39.1/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400
2604 @@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct
2605 return PCIBIOS_SUCCESSFUL;
2606 }
2607
2608 -struct pci_ops bcm1480_pci_ops = {
2609 +const struct pci_ops bcm1480_pci_ops = {
2610 bcm1480_pcibios_read,
2611 bcm1480_pcibios_write,
2612 };
2613 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.1/arch/mips/pci/pci-bcm1480ht.c
2614 --- linux-2.6.39.1/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400
2615 +++ linux-2.6.39.1/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400
2616 @@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v
2617 return 0;
2618 }
2619
2620 -struct pci_ops bcm1480ht_pci_ops = {
2621 +const struct pci_ops bcm1480ht_pci_ops = {
2622 .read = bcm1480ht_pcibios_read,
2623 .write = bcm1480ht_pcibios_write,
2624 };
2625 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.1/arch/mips/pci/pci-bcm63xx.h
2626 --- linux-2.6.39.1/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400
2627 +++ linux-2.6.39.1/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400
2628 @@ -16,8 +16,8 @@
2629 /*
2630 * defined in ops-bcm63xx.c
2631 */
2632 -extern struct pci_ops bcm63xx_pci_ops;
2633 -extern struct pci_ops bcm63xx_cb_ops;
2634 +extern const struct pci_ops bcm63xx_pci_ops;
2635 +extern const struct pci_ops bcm63xx_cb_ops;
2636
2637 /*
2638 * defined in pci-bcm63xx.c
2639 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-emma2rh.c linux-2.6.39.1/arch/mips/pci/pci-emma2rh.c
2640 --- linux-2.6.39.1/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2641 +++ linux-2.6.39.1/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2642 @@ -43,7 +43,7 @@ static struct resource pci_mem_resource
2643 .flags = IORESOURCE_MEM,
2644 };
2645
2646 -extern struct pci_ops emma2rh_pci_ops;
2647 +extern const struct pci_ops emma2rh_pci_ops;
2648
2649 static struct pci_controller emma2rh_pci_controller = {
2650 .pci_ops = &emma2rh_pci_ops,
2651 diff -urNp linux-2.6.39.1/arch/mips/pci/pcie-octeon.c linux-2.6.39.1/arch/mips/pci/pcie-octeon.c
2652 --- linux-2.6.39.1/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400
2653 +++ linux-2.6.39.1/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400
2654 @@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str
2655 return octeon_pcie_write_config(1, bus, devfn, reg, size, val);
2656 }
2657
2658 -static struct pci_ops octeon_pcie0_ops = {
2659 +static const struct pci_ops octeon_pcie0_ops = {
2660 octeon_pcie0_read_config,
2661 octeon_pcie0_write_config,
2662 };
2663 @@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie
2664 .io_resource = &octeon_pcie0_io_resource,
2665 };
2666
2667 -static struct pci_ops octeon_pcie1_ops = {
2668 +static const struct pci_ops octeon_pcie1_ops = {
2669 octeon_pcie1_read_config,
2670 octeon_pcie1_write_config,
2671 };
2672 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-ip27.c linux-2.6.39.1/arch/mips/pci/pci-ip27.c
2673 --- linux-2.6.39.1/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400
2674 +++ linux-2.6.39.1/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400
2675 @@ -39,7 +39,7 @@ static struct bridge_controller bridges[
2676 struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2677 int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2678
2679 -extern struct pci_ops bridge_pci_ops;
2680 +extern const struct pci_ops bridge_pci_ops;
2681
2682 int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid)
2683 {
2684 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-ip32.c linux-2.6.39.1/arch/mips/pci/pci-ip32.c
2685 --- linux-2.6.39.1/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400
2686 +++ linux-2.6.39.1/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400
2687 @@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq
2688 }
2689
2690
2691 -extern struct pci_ops mace_pci_ops;
2692 +extern const struct pci_ops mace_pci_ops;
2693 #ifdef CONFIG_64BIT
2694 static struct resource mace_pci_mem_resource = {
2695 .name = "SGI O2 PCI MEM",
2696 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-lasat.c linux-2.6.39.1/arch/mips/pci/pci-lasat.c
2697 --- linux-2.6.39.1/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400
2698 +++ linux-2.6.39.1/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400
2699 @@ -14,8 +14,8 @@
2700
2701 #include <irq.h>
2702
2703 -extern struct pci_ops nile4_pci_ops;
2704 -extern struct pci_ops gt64xxx_pci0_ops;
2705 +extern const struct pci_ops nile4_pci_ops;
2706 +extern const struct pci_ops gt64xxx_pci0_ops;
2707 static struct resource lasat_pci_mem_resource = {
2708 .name = "LASAT PCI MEM",
2709 .start = 0x18000000,
2710 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-octeon.c linux-2.6.39.1/arch/mips/pci/pci-octeon.c
2711 --- linux-2.6.39.1/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400
2712 +++ linux-2.6.39.1/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400
2713 @@ -334,7 +334,7 @@ static int octeon_write_config(struct pc
2714 }
2715
2716
2717 -static struct pci_ops octeon_pci_ops = {
2718 +static const struct pci_ops octeon_pci_ops = {
2719 octeon_read_config,
2720 octeon_write_config,
2721 };
2722 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-rc32434.c linux-2.6.39.1/arch/mips/pci/pci-rc32434.c
2723 --- linux-2.6.39.1/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2724 +++ linux-2.6.39.1/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2725 @@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i
2726 .flags = IORESOURCE_IO,
2727 };
2728
2729 -extern struct pci_ops rc32434_pci_ops;
2730 +extern const struct pci_ops rc32434_pci_ops;
2731
2732 #define PCI_MEM1_START PCI_ADDR_START
2733 #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1)
2734 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-sb1250.c linux-2.6.39.1/arch/mips/pci/pci-sb1250.c
2735 --- linux-2.6.39.1/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400
2736 +++ linux-2.6.39.1/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400
2737 @@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p
2738 return PCIBIOS_SUCCESSFUL;
2739 }
2740
2741 -struct pci_ops sb1250_pci_ops = {
2742 +const struct pci_ops sb1250_pci_ops = {
2743 .read = sb1250_pcibios_read,
2744 .write = sb1250_pcibios_write,
2745 };
2746 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-vr41xx.c linux-2.6.39.1/arch/mips/pci/pci-vr41xx.c
2747 --- linux-2.6.39.1/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2748 +++ linux-2.6.39.1/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2749 @@ -36,7 +36,7 @@
2750
2751 #include "pci-vr41xx.h"
2752
2753 -extern struct pci_ops vr41xx_pci_ops;
2754 +extern const struct pci_ops vr41xx_pci_ops;
2755
2756 static void __iomem *pciu_base;
2757
2758 diff -urNp linux-2.6.39.1/arch/mips/pci/pci-yosemite.c linux-2.6.39.1/arch/mips/pci/pci-yosemite.c
2759 --- linux-2.6.39.1/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400
2760 +++ linux-2.6.39.1/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400
2761 @@ -11,7 +11,7 @@
2762 #include <linux/pci.h>
2763 #include <asm/titan_dep.h>
2764
2765 -extern struct pci_ops titan_pci_ops;
2766 +extern const struct pci_ops titan_pci_ops;
2767
2768 static struct resource py_mem_resource = {
2769 .start = 0xe0000000UL,
2770 diff -urNp linux-2.6.39.1/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.1/arch/mips/pmc-sierra/yosemite/ht.c
2771 --- linux-2.6.39.1/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400
2772 +++ linux-2.6.39.1/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400
2773 @@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v
2774 return start;
2775 }
2776
2777 -struct pci_ops titan_pci_ops = {
2778 +const struct pci_ops titan_pci_ops = {
2779 titan_ht_config_read_byte,
2780 titan_ht_config_read_word,
2781 titan_ht_config_read_dword,
2782 diff -urNp linux-2.6.39.1/arch/mips/pnx8550/common/pci.c linux-2.6.39.1/arch/mips/pnx8550/common/pci.c
2783 --- linux-2.6.39.1/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2784 +++ linux-2.6.39.1/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2785 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2786 .flags = IORESOURCE_MEM
2787 };
2788
2789 -extern struct pci_ops pnx8550_pci_ops;
2790 +extern const struct pci_ops pnx8550_pci_ops;
2791
2792 static struct pci_controller pnx8550_controller = {
2793 .pci_ops = &pnx8550_pci_ops,
2794 diff -urNp linux-2.6.39.1/arch/mips/sni/pcimt.c linux-2.6.39.1/arch/mips/sni/pcimt.c
2795 --- linux-2.6.39.1/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400
2796 +++ linux-2.6.39.1/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400
2797 @@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in
2798 request_resource(&sni_mem_resource, pcimt_mem_resources + i);
2799 }
2800
2801 -extern struct pci_ops sni_pcimt_ops;
2802 +extern const struct pci_ops sni_pcimt_ops;
2803
2804 static struct pci_controller sni_controller = {
2805 .pci_ops = &sni_pcimt_ops,
2806 diff -urNp linux-2.6.39.1/arch/mips/sni/pcit.c linux-2.6.39.1/arch/mips/sni/pcit.c
2807 --- linux-2.6.39.1/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400
2808 +++ linux-2.6.39.1/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400
2809 @@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini
2810 }
2811
2812
2813 -extern struct pci_ops sni_pcit_ops;
2814 +extern const struct pci_ops sni_pcit_ops;
2815
2816 static struct pci_controller sni_pcit_controller = {
2817 .pci_ops = &sni_pcit_ops,
2818 diff -urNp linux-2.6.39.1/arch/mips/wrppmc/pci.c linux-2.6.39.1/arch/mips/wrppmc/pci.c
2819 --- linux-2.6.39.1/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400
2820 +++ linux-2.6.39.1/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400
2821 @@ -14,7 +14,7 @@
2822
2823 #include <asm/gt64120.h>
2824
2825 -extern struct pci_ops gt64xxx_pci0_ops;
2826 +extern const struct pci_ops gt64xxx_pci0_ops;
2827
2828 static struct resource pci0_io_resource = {
2829 .name = "pci_0 io",
2830 diff -urNp linux-2.6.39.1/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.1/arch/mn10300/unit-asb2305/pci-asb2305.h
2831 --- linux-2.6.39.1/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400
2832 +++ linux-2.6.39.1/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400
2833 @@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void
2834
2835 extern int pcibios_last_bus;
2836 extern struct pci_bus *pci_root_bus;
2837 -extern struct pci_ops *pci_root_ops;
2838 +extern const struct pci_ops *pci_root_ops;
2839
2840 extern struct irq_routing_table *pcibios_get_irq_routing_table(void);
2841 extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq);
2842 diff -urNp linux-2.6.39.1/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.1/arch/mn10300/unit-asb2305/pci.c
2843 --- linux-2.6.39.1/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400
2844 +++ linux-2.6.39.1/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400
2845 @@ -24,7 +24,7 @@ unsigned int pci_probe = 1;
2846
2847 int pcibios_last_bus = -1;
2848 struct pci_bus *pci_root_bus;
2849 -struct pci_ops *pci_root_ops;
2850 +const struct pci_ops *pci_root_ops;
2851
2852 /*
2853 * The accessible PCI window does not cover the entire CPU address space, but
2854 @@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct
2855 }
2856 }
2857
2858 -static struct pci_ops pci_direct_ampci = {
2859 +static const struct pci_ops pci_direct_ampci = {
2860 pci_ampci_read_config,
2861 pci_ampci_write_config,
2862 };
2863 @@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci =
2864 * This should be close to trivial, but it isn't, because there are buggy
2865 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
2866 */
2867 -static int __init pci_sanity_check(struct pci_ops *o)
2868 +static int __init pci_sanity_check(const struct pci_ops *o)
2869 {
2870 struct pci_bus bus; /* Fake bus and device */
2871 u32 x;
2872 diff -urNp linux-2.6.39.1/arch/parisc/include/asm/elf.h linux-2.6.39.1/arch/parisc/include/asm/elf.h
2873 --- linux-2.6.39.1/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2874 +++ linux-2.6.39.1/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2875 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
2876
2877 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
2878
2879 +#ifdef CONFIG_PAX_ASLR
2880 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
2881 +
2882 +#define PAX_DELTA_MMAP_LEN 16
2883 +#define PAX_DELTA_STACK_LEN 16
2884 +#endif
2885 +
2886 /* This yields a mask that user programs can use to figure out what
2887 instruction set this CPU supports. This could be done in user space,
2888 but it's not easy, and we've already done it here. */
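Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are bare `16`s with no comment on their unit or on why one value serves both word sizes, although other parisc hunks in this patch show a `CONFIG_64BIT` build. If these are bit counts for the randomised mmap and stack offsets, as the names suggest, a comment such as `/* number of random bits applied to the mmap and stack base */` would document that. It is also worth confirming that 16 is the intended value for 64-bit tasks.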
2889 diff -urNp linux-2.6.39.1/arch/parisc/include/asm/pgtable.h linux-2.6.39.1/arch/parisc/include/asm/pgtable.h
2890 --- linux-2.6.39.1/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
2891 +++ linux-2.6.39.1/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
2892 @@ -207,6 +207,17 @@ struct vm_area_struct;
2893 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
2894 #define PAGE_COPY PAGE_EXECREAD
2895 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
2896 +
2897 +#ifdef CONFIG_PAX_PAGEEXEC
2898 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
2899 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
2900 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
2901 +#else
2902 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
2903 +# define PAGE_COPY_NOEXEC PAGE_COPY
2904 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
2905 +#endif
2906 +
2907 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
2908 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
2909 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
2910 diff -urNp linux-2.6.39.1/arch/parisc/kernel/module.c linux-2.6.39.1/arch/parisc/kernel/module.c
2911 --- linux-2.6.39.1/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
2912 +++ linux-2.6.39.1/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
2913 @@ -96,16 +96,38 @@
2914
2915 /* three functions to determine where in the module core
2916 * or init pieces the location is */
2917 +static inline int in_init_rx(struct module *me, void *loc)
2918 +{
2919 + return (loc >= me->module_init_rx &&
2920 + loc < (me->module_init_rx + me->init_size_rx));
2921 +}
2922 +
2923 +static inline int in_init_rw(struct module *me, void *loc)
2924 +{
2925 + return (loc >= me->module_init_rw &&
2926 + loc < (me->module_init_rw + me->init_size_rw));
2927 +}
2928 +
2929 static inline int in_init(struct module *me, void *loc)
2930 {
2931 - return (loc >= me->module_init &&
2932 - loc <= (me->module_init + me->init_size));
2933 + return in_init_rx(me, loc) || in_init_rw(me, loc);
2934 +}
2935 +
2936 +static inline int in_core_rx(struct module *me, void *loc)
2937 +{
2938 + return (loc >= me->module_core_rx &&
2939 + loc < (me->module_core_rx + me->core_size_rx));
2940 +}
2941 +
2942 +static inline int in_core_rw(struct module *me, void *loc)
2943 +{
2944 + return (loc >= me->module_core_rw &&
2945 + loc < (me->module_core_rw + me->core_size_rw));
2946 }
2947
2948 static inline int in_core(struct module *me, void *loc)
2949 {
2950 - return (loc >= me->module_core &&
2951 - loc <= (me->module_core + me->core_size));
2952 + return in_core_rx(me, loc) || in_core_rw(me, loc);
2953 }
2954
2955 static inline int in_local(struct module *me, void *loc)
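Review bot: The context comment `three functions to determine where in the module core or init pieces the location is` is stale once this hunk adds four `_rx`/`_rw` helpers. Nothing records that the upper bound changed from inclusive `<=` to exclusive `<` either. Suggested rewording: `/* helpers classifying a location as init or core, each split into an rx and an rw region; ranges are [start, start + size) */`. The helpers only read `me`, so `const struct module *me` would match their use. in_local's body lies outside this hunk.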
2956 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
2957 }
2958
2959 /* align things a bit */
2960 - me->core_size = ALIGN(me->core_size, 16);
2961 - me->arch.got_offset = me->core_size;
2962 - me->core_size += gots * sizeof(struct got_entry);
2963 -
2964 - me->core_size = ALIGN(me->core_size, 16);
2965 - me->arch.fdesc_offset = me->core_size;
2966 - me->core_size += fdescs * sizeof(Elf_Fdesc);
2967 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
2968 + me->arch.got_offset = me->core_size_rw;
2969 + me->core_size_rw += gots * sizeof(struct got_entry);
2970 +
2971 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
2972 + me->arch.fdesc_offset = me->core_size_rw;
2973 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
2974
2975 me->arch.got_max = gots;
2976 me->arch.fdesc_max = fdescs;
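Review bot: `me->arch.got_offset` and `me->arch.fdesc_offset` are now offsets into the rw core region rather than into a single core area, but nothing at the assignment says so, and every reader must add `me->module_core_rw` to stay correct. A comment here, e.g. `/* got_offset and fdesc_offset are relative to module_core_rw */`, would tie this hunk to its consumers in get_got, get_fdesc and register_unwind_table, which the following hunks update. The multiplications `gots * sizeof(struct got_entry)` and `fdescs * sizeof(Elf_Fdesc)` are unchecked; whether the counts are bounded is decided outside this hunk.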
2977 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
2978
2979 BUG_ON(value == 0);
2980
2981 - got = me->module_core + me->arch.got_offset;
2982 + got = me->module_core_rw + me->arch.got_offset;
2983 for (i = 0; got[i].addr; i++)
2984 if (got[i].addr == value)
2985 goto out;
2986 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
2987 #ifdef CONFIG_64BIT
2988 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
2989 {
2990 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
2991 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
2992
2993 if (!value) {
2994 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
2995 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
2996
2997 /* Create new one */
2998 fdesc->addr = value;
2999 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3000 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3001 return (Elf_Addr)fdesc;
3002 }
3003 #endif /* CONFIG_64BIT */
3004 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
3005
3006 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
3007 end = table + sechdrs[me->arch.unwind_section].sh_size;
3008 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3009 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3010
3011 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
3012 me->arch.unwind_section, table, end, gp);
3013 diff -urNp linux-2.6.39.1/arch/parisc/kernel/sys_parisc.c linux-2.6.39.1/arch/parisc/kernel/sys_parisc.c
3014 --- linux-2.6.39.1/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400
3015 +++ linux-2.6.39.1/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400
3016 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
3017 /* At this point: (!vma || addr < vma->vm_end). */
3018 if (TASK_SIZE - len < addr)
3019 return -ENOMEM;
3020 - if (!vma || addr + len <= vma->vm_start)
3021 + if (check_heap_stack_gap(vma, addr, len))
3022 return addr;
3023 addr = vma->vm_end;
3024 }
3025 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
3026 /* At this point: (!vma || addr < vma->vm_end). */
3027 if (TASK_SIZE - len < addr)
3028 return -ENOMEM;
3029 - if (!vma || addr + len <= vma->vm_start)
3030 + if (check_heap_stack_gap(vma, addr, len))
3031 return addr;
3032 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
3033 if (addr < vma->vm_end) /* handle wraparound */
3034 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
3035 if (flags & MAP_FIXED)
3036 return addr;
3037 if (!addr)
3038 - addr = TASK_UNMAPPED_BASE;
3039 + addr = current->mm->mmap_base;
3040
3041 if (filp) {
3042 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
3043 diff -urNp linux-2.6.39.1/arch/parisc/kernel/traps.c linux-2.6.39.1/arch/parisc/kernel/traps.c
3044 --- linux-2.6.39.1/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
3045 +++ linux-2.6.39.1/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
3046 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
3047
3048 down_read(&current->mm->mmap_sem);
3049 vma = find_vma(current->mm,regs->iaoq[0]);
3050 - if (vma && (regs->iaoq[0] >= vma->vm_start)
3051 - && (vma->vm_flags & VM_EXEC)) {
3052 -
3053 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
3054 fault_address = regs->iaoq[0];
3055 fault_space = regs->iasq[0];
3056
3057 diff -urNp linux-2.6.39.1/arch/parisc/mm/fault.c linux-2.6.39.1/arch/parisc/mm/fault.c
3058 --- linux-2.6.39.1/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
3059 +++ linux-2.6.39.1/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
3060 @@ -15,6 +15,7 @@
3061 #include <linux/sched.h>
3062 #include <linux/interrupt.h>
3063 #include <linux/module.h>
3064 +#include <linux/unistd.h>
3065
3066 #include <asm/uaccess.h>
3067 #include <asm/traps.h>
3068 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
3069 static unsigned long
3070 parisc_acctyp(unsigned long code, unsigned int inst)
3071 {
3072 - if (code == 6 || code == 16)
3073 + if (code == 6 || code == 7 || code == 16)
3074 return VM_EXEC;
3075
3076 switch (inst & 0xf0000000) {
3077 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
3078 }
3079 #endif
3080
3081 +#ifdef CONFIG_PAX_PAGEEXEC
3082 +/*
3083 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
3084 + *
3085 + * returns 1 when task should be killed
3086 + * 2 when rt_sigreturn trampoline was detected
3087 + * 3 when unpatched PLT trampoline was detected
3088 + */
3089 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3090 +{
3091 +
3092 +#ifdef CONFIG_PAX_EMUPLT
3093 + int err;
3094 +
3095 + do { /* PaX: unpatched PLT emulation */
3096 + unsigned int bl, depwi;
3097 +
3098 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
3099 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
3100 +
3101 + if (err)
3102 + break;
3103 +
3104 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
3105 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
3106 +
3107 + err = get_user(ldw, (unsigned int *)addr);
3108 + err |= get_user(bv, (unsigned int *)(addr+4));
3109 + err |= get_user(ldw2, (unsigned int *)(addr+8));
3110 +
3111 + if (err)
3112 + break;
3113 +
3114 + if (ldw == 0x0E801096U &&
3115 + bv == 0xEAC0C000U &&
3116 + ldw2 == 0x0E881095U)
3117 + {
3118 + unsigned int resolver, map;
3119 +
3120 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
3121 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
3122 + if (err)
3123 + break;
3124 +
3125 + regs->gr[20] = instruction_pointer(regs)+8;
3126 + regs->gr[21] = map;
3127 + regs->gr[22] = resolver;
3128 + regs->iaoq[0] = resolver | 3UL;
3129 + regs->iaoq[1] = regs->iaoq[0] + 4;
3130 + return 3;
3131 + }
3132 + }
3133 + } while (0);
3134 +#endif
3135 +
3136 +#ifdef CONFIG_PAX_EMUTRAMP
3137 +
3138 +#ifndef CONFIG_PAX_EMUSIGRT
3139 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3140 + return 1;
3141 +#endif
3142 +
3143 + do { /* PaX: rt_sigreturn emulation */
3144 + unsigned int ldi1, ldi2, bel, nop;
3145 +
3146 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
3147 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
3148 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
3149 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
3150 +
3151 + if (err)
3152 + break;
3153 +
3154 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
3155 + ldi2 == 0x3414015AU &&
3156 + bel == 0xE4008200U &&
3157 + nop == 0x08000240U)
3158 + {
3159 + regs->gr[25] = (ldi1 & 2) >> 1;
3160 + regs->gr[20] = __NR_rt_sigreturn;
3161 + regs->gr[31] = regs->iaoq[1] + 16;
3162 + regs->sr[0] = regs->iasq[1];
3163 + regs->iaoq[0] = 0x100UL;
3164 + regs->iaoq[1] = regs->iaoq[0] + 4;
3165 + regs->iasq[0] = regs->sr[2];
3166 + regs->iasq[1] = regs->sr[2];
3167 + return 2;
3168 + }
3169 + } while (0);
3170 +#endif
3171 +
3172 + return 1;
3173 +}
3174 +
3175 +void pax_report_insns(void *pc, void *sp)
3176 +{
3177 + unsigned long i;
3178 +
3179 + printk(KERN_ERR "PAX: bytes at PC: ");
3180 + for (i = 0; i < 5; i++) {
3181 + unsigned int c;
3182 + if (get_user(c, (unsigned int *)pc+i))
3183 + printk(KERN_CONT "???????? ");
3184 + else
3185 + printk(KERN_CONT "%08x ", c);
3186 + }
3187 + printk("\n");
3188 +}
3189 +#endif
3190 +
3191 int fixup_exception(struct pt_regs *regs)
3192 {
3193 const struct exception_table_entry *fix;
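Review bot: In `pax_handle_fetch_fault`, `int err;` is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block but is also assigned in the `CONFIG_PAX_EMUTRAMP` block, so a build with EMUTRAMP enabled and EMUPLT disabled would not compile unless Kconfig (not visible here) ties the two together. Declaring it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` removes that dependency. In the PLT branch, `addr` is an `unsigned int` holding `instruction_pointer(regs)-12`, which would truncate on a 64-bit kernel if this path is reachable there; `unsigned long addr` avoids that. `pax_report_insns` ends with `printk("\n")` where `printk(KERN_CONT "\n")` would match the preceding calls, and its `sp` parameter is never used.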
3194 @@ -192,8 +303,33 @@ good_area:
3195
3196 acc_type = parisc_acctyp(code,regs->iir);
3197
3198 - if ((vma->vm_flags & acc_type) != acc_type)
3199 + if ((vma->vm_flags & acc_type) != acc_type) {
3200 +
3201 +#ifdef CONFIG_PAX_PAGEEXEC
3202 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
3203 + (address & ~3UL) == instruction_pointer(regs))
3204 + {
3205 + up_read(&mm->mmap_sem);
3206 + switch (pax_handle_fetch_fault(regs)) {
3207 +
3208 +#ifdef CONFIG_PAX_EMUPLT
3209 + case 3:
3210 + return;
3211 +#endif
3212 +
3213 +#ifdef CONFIG_PAX_EMUTRAMP
3214 + case 2:
3215 + return;
3216 +#endif
3217 +
3218 + }
3219 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
3220 + do_group_exit(SIGKILL);
3221 + }
3222 +#endif
3223 +
3224 goto bad_area;
3225 + }
3226
3227 /*
3228 * If for any reason at all we couldn't handle the fault, make
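Review bot: The `switch` on `pax_handle_fetch_fault(regs)` matches the bare literals `2` and `3` and has no `default`, so the kill path for return value 1 is reached only by falling out of the switch. A comment before `pax_report_fault` such as `/* 1: no emulation applied, report the fault and kill the task */`, or a small enum shared with the handler, would make that contract explicit at the call site. With both `CONFIG_PAX_EMUPLT` and `CONFIG_PAX_EMUTRAMP` disabled the switch body is empty, which some compilers warn about. The enclosing function starts and ends outside the hunk.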
3229 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/device.h linux-2.6.39.1/arch/powerpc/include/asm/device.h
3230 --- linux-2.6.39.1/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
3231 +++ linux-2.6.39.1/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
3232 @@ -17,7 +17,7 @@ struct device_node;
3233 */
3234 struct dev_archdata {
3235 /* DMA operations on that device */
3236 - struct dma_map_ops *dma_ops;
3237 + const struct dma_map_ops *dma_ops;
3238
3239 /*
3240 * When an iommu is in use, dma_data is used as a ptr to the base of the
3241 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.1/arch/powerpc/include/asm/dma-mapping.h
3242 --- linux-2.6.39.1/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3243 +++ linux-2.6.39.1/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
3244 @@ -67,12 +67,13 @@ static inline unsigned long device_to_ma
3245 /*
3246 * Available generic sets of operations
3247 */
3248 +/* cannot be const */
3249 #ifdef CONFIG_PPC64
3250 -extern struct dma_map_ops dma_iommu_ops;
3251 +extern const struct dma_map_ops dma_iommu_ops;
3252 #endif
3253 -extern struct dma_map_ops dma_direct_ops;
3254 +extern const struct dma_map_ops dma_direct_ops;
3255
3256 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3257 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3258 {
3259 /* We don't handle the NULL dev case for ISA for now. We could
3260 * do it via an out of line call but it is not needed for now. The
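Review bot: The added `/* cannot be const */` comment sits directly above `extern const struct dma_map_ops dma_iommu_ops;`, while the definition in the dma-iommu.c hunk further down stays `struct dma_map_ops dma_iommu_ops` with the same remark. A const-qualified declaration and a non-const definition of the same object are incompatible: a translation unit that sees both should fail to build, and others would treat a writable object as read-only. Leave this one declaration as `extern struct dma_map_ops dma_iommu_ops;` and keep the comment on that line so it is clear which symbol it refers to. The body of `get_dma_ops` continues outside the hunk.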
3261 @@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm
3262 return dev->archdata.dma_ops;
3263 }
3264
3265 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
3266 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
3267 {
3268 dev->archdata.dma_ops = ops;
3269 }
3270 @@ -119,7 +120,7 @@ static inline void set_dma_offset(struct
3271
3272 static inline int dma_supported(struct device *dev, u64 mask)
3273 {
3274 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3275 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3276
3277 if (unlikely(dma_ops == NULL))
3278 return 0;
3279 @@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d
3280 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3281 dma_addr_t *dma_handle, gfp_t flag)
3282 {
3283 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3284 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3285 void *cpu_addr;
3286
3287 BUG_ON(!dma_ops);
3288 @@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s
3289 static inline void dma_free_coherent(struct device *dev, size_t size,
3290 void *cpu_addr, dma_addr_t dma_handle)
3291 {
3292 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3293 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3294
3295 BUG_ON(!dma_ops);
3296
3297 @@ -159,7 +160,7 @@ static inline void dma_free_coherent(str
3298
3299 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3300 {
3301 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3302 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3303
3304 if (dma_ops->mapping_error)
3305 return dma_ops->mapping_error(dev, dma_addr);
3306 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/elf.h linux-2.6.39.1/arch/powerpc/include/asm/elf.h
3307 --- linux-2.6.39.1/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3308 +++ linux-2.6.39.1/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3309 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
3310 the loader. We need to make sure that it is out of the way of the program
3311 that it will "exec", and that there is sufficient room for the brk. */
3312
3313 -extern unsigned long randomize_et_dyn(unsigned long base);
3314 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
3315 +#define ELF_ET_DYN_BASE (0x20000000)
3316 +
3317 +#ifdef CONFIG_PAX_ASLR
3318 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
3319 +
3320 +#ifdef __powerpc64__
3321 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
3322 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
3323 +#else
3324 +#define PAX_DELTA_MMAP_LEN 15
3325 +#define PAX_DELTA_STACK_LEN 15
3326 +#endif
3327 +#endif
3328
3329 /*
3330 * Our registers are always unsigned longs, whether we're a 32 bit
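Review bot: `ELF_ET_DYN_BASE` becomes the fixed value `0x20000000` for every configuration, while the replacement randomisation macros are defined only under `CONFIG_PAX_ASLR`; the next hunk removes the `arch_randomize_brk` hook in the same unconditional way. A kernel built from this tree without `CONFIG_PAX_ASLR` would therefore appear to lose the ET_DYN base and brk randomisation that the removed declarations provided, unless another part of the patch restores it. If that is intended, say so in a comment next to the define; otherwise keep the original two lines under `#ifndef CONFIG_PAX_ASLR`.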
3331 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
3332 (0x7ff >> (PAGE_SHIFT - 12)) : \
3333 (0x3ffff >> (PAGE_SHIFT - 12)))
3334
3335 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3336 -#define arch_randomize_brk arch_randomize_brk
3337 -
3338 #endif /* __KERNEL__ */
3339
3340 /*
3341 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/iommu.h linux-2.6.39.1/arch/powerpc/include/asm/iommu.h
3342 --- linux-2.6.39.1/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
3343 +++ linux-2.6.39.1/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
3344 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
3345 extern void iommu_init_early_dart(void);
3346 extern void iommu_init_early_pasemi(void);
3347
3348 +/* dma-iommu.c */
3349 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
3350 +
3351 #ifdef CONFIG_PCI
3352 extern void pci_iommu_init(void);
3353 extern void pci_direct_iommu_init(void);
3354 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.1/arch/powerpc/include/asm/kmap_types.h
3355 --- linux-2.6.39.1/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
3356 +++ linux-2.6.39.1/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
3357 @@ -27,6 +27,7 @@ enum km_type {
3358 KM_PPC_SYNC_PAGE,
3359 KM_PPC_SYNC_ICACHE,
3360 KM_KDB,
3361 + KM_CLEARPAGE,
3362 KM_TYPE_NR
3363 };
3364
3365 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/page_64.h linux-2.6.39.1/arch/powerpc/include/asm/page_64.h
3366 --- linux-2.6.39.1/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400
3367 +++ linux-2.6.39.1/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400
3368 @@ -172,15 +172,18 @@ do { \
3369 * stack by default, so in the absence of a PT_GNU_STACK program header
3370 * we turn execute permission off.
3371 */
3372 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3373 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3374 +#define VM_STACK_DEFAULT_FLAGS32 \
3375 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3376 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3377
3378 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3379 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3380
3381 +#ifndef CONFIG_PAX_PAGEEXEC
3382 #define VM_STACK_DEFAULT_FLAGS \
3383 (is_32bit_task() ? \
3384 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
3385 +#endif
3386
3387 #include <asm-generic/getorder.h>
3388
3389 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/page.h linux-2.6.39.1/arch/powerpc/include/asm/page.h
3390 --- linux-2.6.39.1/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
3391 +++ linux-2.6.39.1/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
3392 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
3393 * and needs to be executable. This means the whole heap ends
3394 * up being executable.
3395 */
3396 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3397 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3398 +#define VM_DATA_DEFAULT_FLAGS32 \
3399 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3400 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3401
3402 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3403 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
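Review bot: The context comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which no longer holds now that `VM_EXEC` is set only when the personality has `READ_IMPLIES_EXEC`. The comment should be updated in the same change, for example by appending `With this change execute permission is granted only for READ_IMPLIES_EXEC personalities.` The comment begins before the hunk, so its earlier lines are not visible here.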
3404 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
3405 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
3406 #endif
3407
3408 +#define ktla_ktva(addr) (addr)
3409 +#define ktva_ktla(addr) (addr)
3410 +
3411 #ifndef __ASSEMBLY__
3412
3413 #undef STRICT_MM_TYPECHECKS
3414 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/pci.h linux-2.6.39.1/arch/powerpc/include/asm/pci.h
3415 --- linux-2.6.39.1/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
3416 +++ linux-2.6.39.1/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
3417 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
3418 }
3419
3420 #ifdef CONFIG_PCI
3421 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
3422 -extern struct dma_map_ops *get_pci_dma_ops(void);
3423 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
3424 +extern const struct dma_map_ops *get_pci_dma_ops(void);
3425 #else /* CONFIG_PCI */
3426 #define set_pci_dma_ops(d)
3427 #define get_pci_dma_ops() NULL
3428 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/pgtable.h linux-2.6.39.1/arch/powerpc/include/asm/pgtable.h
3429 --- linux-2.6.39.1/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3430 +++ linux-2.6.39.1/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3431 @@ -2,6 +2,7 @@
3432 #define _ASM_POWERPC_PGTABLE_H
3433 #ifdef __KERNEL__
3434
3435 +#include <linux/const.h>
3436 #ifndef __ASSEMBLY__
3437 #include <asm/processor.h> /* For TASK_SIZE */
3438 #include <asm/mmu.h>
3439 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.1/arch/powerpc/include/asm/pte-hash32.h
3440 --- linux-2.6.39.1/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400
3441 +++ linux-2.6.39.1/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400
3442 @@ -21,6 +21,7 @@
3443 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
3444 #define _PAGE_USER 0x004 /* usermode access allowed */
3445 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
3446 +#define _PAGE_EXEC _PAGE_GUARDED
3447 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
3448 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
3449 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
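Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, so the G bit silently gains a second meaning. The name also reads as "executable", whereas the `DSISR_GUARDED` definition added in reg.h describes a fetch from guarded storage as the faulting case. State the intended polarity on the line itself, e.g. `/* PaX: G bit reused for execute control, see DSISR_GUARDED */`, with the wording adjusted to whatever the fault handler actually tests. Any code that sets `_PAGE_GUARDED` for its original purpose would also match `_PAGE_EXEC`, which is worth confirming against the users outside this hunk.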
3450 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/reg.h linux-2.6.39.1/arch/powerpc/include/asm/reg.h
3451 --- linux-2.6.39.1/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400
3452 +++ linux-2.6.39.1/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400
3453 @@ -201,6 +201,7 @@
3454 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
3455 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
3456 #define DSISR_NOHPTE 0x40000000 /* no translation found */
3457 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
3458 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
3459 #define DSISR_ISSTORE 0x02000000 /* access was a store */
3460 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
3461 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.1/arch/powerpc/include/asm/swiotlb.h
3462 --- linux-2.6.39.1/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400
3463 +++ linux-2.6.39.1/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400
3464 @@ -13,7 +13,7 @@
3465
3466 #include <linux/swiotlb.h>
3467
3468 -extern struct dma_map_ops swiotlb_dma_ops;
3469 +extern const struct dma_map_ops swiotlb_dma_ops;
3470
3471 static inline void dma_mark_clean(void *addr, size_t size) {}
3472
3473 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/system.h linux-2.6.39.1/arch/powerpc/include/asm/system.h
3474 --- linux-2.6.39.1/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
3475 +++ linux-2.6.39.1/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
3476 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3477 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3478 #endif
3479
3480 -extern unsigned long arch_align_stack(unsigned long sp);
3481 +#define arch_align_stack(x) ((x) & ~0xfUL)
3482
3483 /* Used in very early kernel initialization. */
3484 extern unsigned long reloc_offset(void);
3485 diff -urNp linux-2.6.39.1/arch/powerpc/include/asm/uaccess.h linux-2.6.39.1/arch/powerpc/include/asm/uaccess.h
3486 --- linux-2.6.39.1/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
3487 +++ linux-2.6.39.1/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
3488 @@ -13,6 +13,8 @@
3489 #define VERIFY_READ 0
3490 #define VERIFY_WRITE 1
3491
3492 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3493 +
3494 /*
3495 * The fs value determines whether argument validity checking should be
3496 * performed or not. If get_fs() == USER_DS, checking is performed, with
3497 @@ -327,52 +329,6 @@ do { \
3498 extern unsigned long __copy_tofrom_user(void __user *to,
3499 const void __user *from, unsigned long size);
3500
3501 -#ifndef __powerpc64__
3502 -
3503 -static inline unsigned long copy_from_user(void *to,
3504 - const void __user *from, unsigned long n)
3505 -{
3506 - unsigned long over;
3507 -
3508 - if (access_ok(VERIFY_READ, from, n))
3509 - return __copy_tofrom_user((__force void __user *)to, from, n);
3510 - if ((unsigned long)from < TASK_SIZE) {
3511 - over = (unsigned long)from + n - TASK_SIZE;
3512 - return __copy_tofrom_user((__force void __user *)to, from,
3513 - n - over) + over;
3514 - }
3515 - return n;
3516 -}
3517 -
3518 -static inline unsigned long copy_to_user(void __user *to,
3519 - const void *from, unsigned long n)
3520 -{
3521 - unsigned long over;
3522 -
3523 - if (access_ok(VERIFY_WRITE, to, n))
3524 - return __copy_tofrom_user(to, (__force void __user *)from, n);
3525 - if ((unsigned long)to < TASK_SIZE) {
3526 - over = (unsigned long)to + n - TASK_SIZE;
3527 - return __copy_tofrom_user(to, (__force void __user *)from,
3528 - n - over) + over;
3529 - }
3530 - return n;
3531 -}
3532 -
3533 -#else /* __powerpc64__ */
3534 -
3535 -#define __copy_in_user(to, from, size) \
3536 - __copy_tofrom_user((to), (from), (size))
3537 -
3538 -extern unsigned long copy_from_user(void *to, const void __user *from,
3539 - unsigned long n);
3540 -extern unsigned long copy_to_user(void __user *to, const void *from,
3541 - unsigned long n);
3542 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
3543 - unsigned long n);
3544 -
3545 -#endif /* __powerpc64__ */
3546 -
3547 static inline unsigned long __copy_from_user_inatomic(void *to,
3548 const void __user *from, unsigned long n)
3549 {
3550 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3551 if (ret == 0)
3552 return 0;
3553 }
3554 +
3555 + if (!__builtin_constant_p(n))
3556 + check_object_size(to, n, false);
3557 +
3558 return __copy_tofrom_user((__force void __user *)to, from, n);
3559 }
3560
3561 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3562 if (ret == 0)
3563 return 0;
3564 }
3565 +
3566 + if (!__builtin_constant_p(n))
3567 + check_object_size(from, n, true);
3568 +
3569 return __copy_tofrom_user(to, (__force const void __user *)from, n);
3570 }
3571
3572 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3573 return __copy_to_user_inatomic(to, from, size);
3574 }
3575
3576 +#ifndef __powerpc64__
3577 +
3578 +static inline unsigned long __must_check copy_from_user(void *to,
3579 + const void __user *from, unsigned long n)
3580 +{
3581 + unsigned long over;
3582 +
3583 + if ((long)n < 0)
3584 + return n;
3585 +
3586 + if (access_ok(VERIFY_READ, from, n)) {
3587 + if (!__builtin_constant_p(n))
3588 + check_object_size(to, n, false);
3589 + return __copy_tofrom_user((__force void __user *)to, from, n);
3590 + }
3591 + if ((unsigned long)from < TASK_SIZE) {
3592 + over = (unsigned long)from + n - TASK_SIZE;
3593 + if (!__builtin_constant_p(n - over))
3594 + check_object_size(to, n - over, false);
3595 + return __copy_tofrom_user((__force void __user *)to, from,
3596 + n - over) + over;
3597 + }
3598 + return n;
3599 +}
3600 +
3601 +static inline unsigned long __must_check copy_to_user(void __user *to,
3602 + const void *from, unsigned long n)
3603 +{
3604 + unsigned long over;
3605 +
3606 + if ((long)n < 0)
3607 + return n;
3608 +
3609 + if (access_ok(VERIFY_WRITE, to, n)) {
3610 + if (!__builtin_constant_p(n))
3611 + check_object_size(from, n, true);
3612 + return __copy_tofrom_user(to, (__force void __user *)from, n);
3613 + }
3614 + if ((unsigned long)to < TASK_SIZE) {
3615 + over = (unsigned long)to + n - TASK_SIZE;
3616 + if (!__builtin_constant_p(n))
3617 + check_object_size(from, n - over, true);
3618 + return __copy_tofrom_user(to, (__force void __user *)from,
3619 + n - over) + over;
3620 + }
3621 + return n;
3622 +}
3623 +
3624 +#else /* __powerpc64__ */
3625 +
3626 +#define __copy_in_user(to, from, size) \
3627 + __copy_tofrom_user((to), (from), (size))
3628 +
3629 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3630 +{
3631 + if ((long)n < 0 || n > INT_MAX)
3632 + return n;
3633 +
3634 + if (!__builtin_constant_p(n))
3635 + check_object_size(to, n, false);
3636 +
3637 + if (likely(access_ok(VERIFY_READ, from, n)))
3638 + n = __copy_from_user(to, from, n);
3639 + else
3640 + memset(to, 0, n);
3641 + return n;
3642 +}
3643 +
3644 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3645 +{
3646 + if ((long)n < 0 || n > INT_MAX)
3647 + return n;
3648 +
3649 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
3650 + if (!__builtin_constant_p(n))
3651 + check_object_size(from, n, true);
3652 + n = __copy_to_user(to, from, n);
3653 + }
3654 + return n;
3655 +}
3656 +
3657 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
3658 + unsigned long n);
3659 +
3660 +#endif /* __powerpc64__ */
3661 +
3662 extern unsigned long __clear_user(void __user *addr, unsigned long size);
3663
3664 static inline unsigned long clear_user(void __user *addr, unsigned long size)
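Review bot: The two 32-bit truncated-copy fallbacks guard the object-size check differently: `copy_from_user` tests `__builtin_constant_p(n - over)`, while `copy_to_user` tests `__builtin_constant_p(n)` before calling `check_object_size(from, n - over, true)`. With a compile-time-constant `n` the `copy_to_user` fallback therefore skips a check that `copy_from_user` performs; using `if (!__builtin_constant_p(n - over))` in both keeps them in step. In the 64-bit `copy_from_user`, `check_object_size` runs before `access_ok` and then presumably again inside `__copy_from_user`, since the `__copy_from_user_inatomic` hunk above adds the same call, so one of the two is redundant. The `(long)n < 0` test there is also subsumed by `n > INT_MAX`.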
3665 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/dma.c linux-2.6.39.1/arch/powerpc/kernel/dma.c
3666 --- linux-2.6.39.1/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
3667 +++ linux-2.6.39.1/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
3668 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
3669 }
3670 #endif
3671
3672 -struct dma_map_ops dma_direct_ops = {
3673 +const struct dma_map_ops dma_direct_ops = {
3674 .alloc_coherent = dma_direct_alloc_coherent,
3675 .free_coherent = dma_direct_free_coherent,
3676 .map_sg = dma_direct_map_sg,
3677 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
3678
3679 int dma_set_mask(struct device *dev, u64 dma_mask)
3680 {
3681 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3682 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3683
3684 if (ppc_md.dma_set_mask)
3685 return ppc_md.dma_set_mask(dev, dma_mask);
3686 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.1/arch/powerpc/kernel/dma-iommu.c
3687 --- linux-2.6.39.1/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400
3688 +++ linux-2.6.39.1/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400
3689 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3690 }
3691
3692 /* We support DMA to/from any memory page via the iommu */
3693 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3694 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
3695 {
3696 struct iommu_table *tbl = get_iommu_table_base(dev);
3697
3698 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
3699 return 1;
3700 }
3701
3702 -struct dma_map_ops dma_iommu_ops = {
3703 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
3704 .alloc_coherent = dma_iommu_alloc_coherent,
3705 .free_coherent = dma_iommu_free_coherent,
3706 .map_sg = dma_iommu_map_sg,
3707 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.1/arch/powerpc/kernel/dma-swiotlb.c
3708 --- linux-2.6.39.1/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
3709 +++ linux-2.6.39.1/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
3710 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3711 * map_page, and unmap_page on highmem, use normal dma_ops
3712 * for everything else.
3713 */
3714 -struct dma_map_ops swiotlb_dma_ops = {
3715 +const struct dma_map_ops swiotlb_dma_ops = {
3716 .alloc_coherent = dma_direct_alloc_coherent,
3717 .free_coherent = dma_direct_free_coherent,
3718 .map_sg = swiotlb_map_sg_attrs,
3719 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.1/arch/powerpc/kernel/exceptions-64e.S
3720 --- linux-2.6.39.1/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400
3721 +++ linux-2.6.39.1/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400
3722 @@ -495,6 +495,7 @@ storage_fault_common:
3723 std r14,_DAR(r1)
3724 std r15,_DSISR(r1)
3725 addi r3,r1,STACK_FRAME_OVERHEAD
3726 + bl .save_nvgprs
3727 mr r4,r14
3728 mr r5,r15
3729 ld r14,PACA_EXGEN+EX_R14(r13)
3730 @@ -504,8 +505,7 @@ storage_fault_common:
3731 cmpdi r3,0
3732 bne- 1f
3733 b .ret_from_except_lite
3734 -1: bl .save_nvgprs
3735 - mr r5,r3
3736 +1: mr r5,r3
3737 addi r3,r1,STACK_FRAME_OVERHEAD
3738 ld r4,_DAR(r1)
3739 bl .bad_page_fault
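Review bot: `bl .save_nvgprs` now runs on every storage fault instead of only on the `1:` error path, and the hunk carries no comment saying why; the same move is made in `handle_page_fault` in exceptions-64s.S. Presumably the fault handler now needs the non-volatile registers in pt_regs before it runs (to be confirmed against the fault.c changes), which is worth stating with a comment such as `/* save nvgprs up front: the fault handler may need the full register set */`. The call is inserted between loading r3 and copying r14/r15 into r4/r5, so it relies on `.save_nvgprs` preserving those registers; a short remark on that would help the next reader. `storage_fault_common` extends beyond the hunk.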
3740 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.1/arch/powerpc/kernel/exceptions-64s.S
3741 --- linux-2.6.39.1/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400
3742 +++ linux-2.6.39.1/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400
3743 @@ -848,10 +848,10 @@ handle_page_fault:
3744 11: ld r4,_DAR(r1)
3745 ld r5,_DSISR(r1)
3746 addi r3,r1,STACK_FRAME_OVERHEAD
3747 + bl .save_nvgprs
3748 bl .do_page_fault
3749 cmpdi r3,0
3750 beq+ 13f
3751 - bl .save_nvgprs
3752 mr r5,r3
3753 addi r3,r1,STACK_FRAME_OVERHEAD
3754 lwz r4,_DAR(r1)
3755 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/ibmebus.c linux-2.6.39.1/arch/powerpc/kernel/ibmebus.c
3756 --- linux-2.6.39.1/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400
3757 +++ linux-2.6.39.1/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400
3758 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
3759 return 1;
3760 }
3761
3762 -static struct dma_map_ops ibmebus_dma_ops = {
3763 +static const struct dma_map_ops ibmebus_dma_ops = {
3764 .alloc_coherent = ibmebus_alloc_coherent,
3765 .free_coherent = ibmebus_free_coherent,
3766 .map_sg = ibmebus_map_sg,
3767 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/kgdb.c linux-2.6.39.1/arch/powerpc/kernel/kgdb.c
3768 --- linux-2.6.39.1/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
3769 +++ linux-2.6.39.1/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
3770 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
3771 /*
3772 * Global data
3773 */
3774 -struct kgdb_arch arch_kgdb_ops = {
3775 +const struct kgdb_arch arch_kgdb_ops = {
3776 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3777 };
3778
3779 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/module_32.c linux-2.6.39.1/arch/powerpc/kernel/module_32.c
3780 --- linux-2.6.39.1/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400
3781 +++ linux-2.6.39.1/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400
3782 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3783 me->arch.core_plt_section = i;
3784 }
3785 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3786 - printk("Module doesn't contain .plt or .init.plt sections.\n");
3787 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3788 return -ENOEXEC;
3789 }
3790
3791 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3792
3793 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3794 /* Init, or core PLT? */
3795 - if (location >= mod->module_core
3796 - && location < mod->module_core + mod->core_size)
3797 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3798 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3799 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3800 - else
3801 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3802 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3803 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3804 + else {
3805 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3806 + return ~0UL;
3807 + }
3808
3809 /* Find this entry, or if that fails, the next avail. entry */
3810 while (entry->jump[0]) {
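Review bot: The new `else` branch signals an unexpected `location` by returning `~0UL` from a function whose return type is `uint32_t`, so the failure is an in-band value that the caller has to recognise. The caller is outside this hunk; if it uses the result unchecked, the relocation would be computed from 0xffffffff rather than the module load failing. Confirm that the R_PPC_REL24 caller tests for this value, and document it at the return, e.g. `/* ~0: location lies in none of the module's rx/rw regions */`. `do_plt_call` starts before the hunk.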
3811 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/module.c linux-2.6.39.1/arch/powerpc/kernel/module.c
3812 --- linux-2.6.39.1/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3813 +++ linux-2.6.39.1/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3814 @@ -31,11 +31,24 @@
3815
3816 LIST_HEAD(module_bug_list);
3817
3818 +#ifdef CONFIG_PAX_KERNEXEC
3819 void *module_alloc(unsigned long size)
3820 {
3821 if (size == 0)
3822 return NULL;
3823
3824 + return vmalloc(size);
3825 +}
3826 +
3827 +void *module_alloc_exec(unsigned long size)
3828 +#else
3829 +void *module_alloc(unsigned long size)
3830 +#endif
3831 +
3832 +{
3833 + if (size == 0)
3834 + return NULL;
3835 +
3836 return vmalloc_exec(size);
3837 }
3838
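Review bot: With `CONFIG_PAX_KERNEXEC` set, the preprocessor splices the `module_alloc_exec` header onto the body that used to belong to `module_alloc`, which makes it hard to see which allocator returns executable memory. A comment above the block would help, for example `/* KERNEXEC: module_alloc() returns non-executable vmalloc() memory; only module_alloc_exec() returns vmalloc_exec() memory */`. Writing both functions out in full under `#ifdef`/`#else` would cost a few duplicated lines and would remove the blank line that now sits between `#endif` and the opening brace.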
3839 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
3840 vfree(module_region);
3841 }
3842
3843 +#ifdef CONFIG_PAX_KERNEXEC
3844 +void module_free_exec(struct module *mod, void *module_region)
3845 +{
3846 + module_free(mod, module_region);
3847 +}
3848 +#endif
3849 +
3850 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
3851 const Elf_Shdr *sechdrs,
3852 const char *name)
3853 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/pci-common.c linux-2.6.39.1/arch/powerpc/kernel/pci-common.c
3854 --- linux-2.6.39.1/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400
3855 +++ linux-2.6.39.1/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400
3856 @@ -53,14 +53,14 @@ resource_size_t isa_mem_base;
3857 unsigned int ppc_pci_flags = 0;
3858
3859
3860 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
3861 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
3862
3863 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
3864 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
3865 {
3866 pci_dma_ops = dma_ops;
3867 }
3868
3869 -struct dma_map_ops *get_pci_dma_ops(void)
3870 +const struct dma_map_ops *get_pci_dma_ops(void)
3871 {
3872 return pci_dma_ops;
3873 }
3874 @@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u
3875 return PCIBIOS_DEVICE_NOT_FOUND;
3876 }
3877
3878 -static struct pci_ops null_pci_ops =
3879 +static const struct pci_ops null_pci_ops =
3880 {
3881 .read = null_read_config,
3882 .write = null_write_config,
3883 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/process.c linux-2.6.39.1/arch/powerpc/kernel/process.c
3884 --- linux-2.6.39.1/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
3885 +++ linux-2.6.39.1/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400
3886 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
3887 * Lookup NIP late so we have the best change of getting the
3888 * above info out without failing
3889 */
3890 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
3891 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
3892 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
3893 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
3894 #endif
3895 show_stack(current, (unsigned long *) regs->gpr[1]);
3896 if (!user_mode(regs))
3897 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
3898 newsp = stack[0];
3899 ip = stack[STACK_FRAME_LR_SAVE];
3900 if (!firstframe || ip != lr) {
3901 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
3902 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
3903 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
3904 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
3905 - printk(" (%pS)",
3906 + printk(" (%pA)",
3907 (void *)current->ret_stack[curr_frame].ret);
3908 curr_frame--;
3909 }
3910 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
3911 struct pt_regs *regs = (struct pt_regs *)
3912 (sp + STACK_FRAME_OVERHEAD);
3913 lr = regs->link;
3914 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
3915 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
3916 regs->trap, (void *)regs->nip, (void *)lr);
3917 firstframe = 1;
3918 }
3919 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
3920 }
3921
3922 #endif /* THREAD_SHIFT < PAGE_SHIFT */
3923 -
3924 -unsigned long arch_align_stack(unsigned long sp)
3925 -{
3926 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3927 - sp -= get_random_int() & ~PAGE_MASK;
3928 - return sp & ~0xf;
3929 -}
3930 -
3931 -static inline unsigned long brk_rnd(void)
3932 -{
3933 - unsigned long rnd = 0;
3934 -
3935 - /* 8MB for 32bit, 1GB for 64bit */
3936 - if (is_32bit_task())
3937 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
3938 - else
3939 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
3940 -
3941 - return rnd << PAGE_SHIFT;
3942 -}
3943 -
3944 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3945 -{
3946 - unsigned long base = mm->brk;
3947 - unsigned long ret;
3948 -
3949 -#ifdef CONFIG_PPC_STD_MMU_64
3950 - /*
3951 - * If we are using 1TB segments and we are allowed to randomise
3952 - * the heap, we can put it above 1TB so it is backed by a 1TB
3953 - * segment. Otherwise the heap will be in the bottom 1TB
3954 - * which always uses 256MB segments and this may result in a
3955 - * performance penalty.
3956 - */
3957 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
3958 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
3959 -#endif
3960 -
3961 - ret = PAGE_ALIGN(base + brk_rnd());
3962 -
3963 - if (ret < mm->brk)
3964 - return mm->brk;
3965 -
3966 - return ret;
3967 -}
3968 -
3969 -unsigned long randomize_et_dyn(unsigned long base)
3970 -{
3971 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3972 -
3973 - if (ret < base)
3974 - return base;
3975 -
3976 - return ret;
3977 -}
3978 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.1/arch/powerpc/kernel/rtas_pci.c
3979 --- linux-2.6.39.1/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400
3980 +++ linux-2.6.39.1/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400
3981 @@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct
3982 return PCIBIOS_DEVICE_NOT_FOUND;
3983 }
3984
3985 -static struct pci_ops rtas_pci_ops = {
3986 +static const struct pci_ops rtas_pci_ops = {
3987 .read = rtas_pci_read_config,
3988 .write = rtas_pci_write_config,
3989 };
3990 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/signal_32.c linux-2.6.39.1/arch/powerpc/kernel/signal_32.c
3991 --- linux-2.6.39.1/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400
3992 +++ linux-2.6.39.1/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400
3993 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
3994 /* Save user registers on the stack */
3995 frame = &rt_sf->uc.uc_mcontext;
3996 addr = frame;
3997 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
3998 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
3999 if (save_user_regs(regs, frame, 0, 1))
4000 goto badframe;
4001 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
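Review bot: The "no vDSO" value of `context.vdso_base` changes from 0 to `~0UL` here, in `handle_rt_signal64` (signal_64.c) and in `arch_setup_additional_pages` (vdso.c), and each site spells the literal out. Any reader of `vdso_base` that still tests it for non-zero would now treat an unmapped vDSO as mapped and build a trampoline address from the all-ones value, so users outside these hunks need the same conversion. A single named constant shared by the three files, with a comment that 0 no longer means "unmapped", would make a missed site easier to spot. The function body extends beyond the hunk.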
4002 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/signal_64.c linux-2.6.39.1/arch/powerpc/kernel/signal_64.c
4003 --- linux-2.6.39.1/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400
4004 +++ linux-2.6.39.1/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400
4005 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
4006 current->thread.fpscr.val = 0;
4007
4008 /* Set up to return from userspace. */
4009 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
4010 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4011 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
4012 } else {
4013 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
4014 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/vdso.c linux-2.6.39.1/arch/powerpc/kernel/vdso.c
4015 --- linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
4016 +++ linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
4017 @@ -36,6 +36,7 @@
4018 #include <asm/firmware.h>
4019 #include <asm/vdso.h>
4020 #include <asm/vdso_datapage.h>
4021 +#include <asm/mman.h>
4022
4023 #include "setup.h"
4024
4025 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
4026 vdso_base = VDSO32_MBASE;
4027 #endif
4028
4029 - current->mm->context.vdso_base = 0;
4030 + current->mm->context.vdso_base = ~0UL;
4031
4032 /* vDSO has a problem and was disabled, just don't "enable" it for the
4033 * process
4034 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
4035 vdso_base = get_unmapped_area(NULL, vdso_base,
4036 (vdso_pages << PAGE_SHIFT) +
4037 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
4038 - 0, 0);
4039 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
4040 if (IS_ERR_VALUE(vdso_base)) {
4041 rc = vdso_base;
4042 goto fail_mmapsem;
4043 diff -urNp linux-2.6.39.1/arch/powerpc/kernel/vio.c linux-2.6.39.1/arch/powerpc/kernel/vio.c
4044 --- linux-2.6.39.1/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400
4045 +++ linux-2.6.39.1/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400
4046 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
4047 return dma_iommu_ops.dma_supported(dev, mask);
4048 }
4049
4050 -struct dma_map_ops vio_dma_mapping_ops = {
4051 +const struct dma_map_ops vio_dma_mapping_ops = {
4052 .alloc_coherent = vio_dma_iommu_alloc_coherent,
4053 .free_coherent = vio_dma_iommu_free_coherent,
4054 .map_sg = vio_dma_iommu_map_sg,
4055 .unmap_sg = vio_dma_iommu_unmap_sg,
4056 + .dma_supported = dma_iommu_dma_supported,
4057 .map_page = vio_dma_iommu_map_page,
4058 .unmap_page = vio_dma_iommu_unmap_page,
4059 .dma_supported = vio_dma_iommu_dma_supported,
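Review bot: The added `.dma_supported = dma_iommu_dma_supported,` is overridden three lines later by the existing `.dma_supported = vio_dma_iommu_dma_supported,`, because a later designated initializer for the same member replaces the earlier one. The new line therefore has no effect, and compilers can warn about it (GCC's `-Woverride-init`). If the vio wrapper is the intended callback, drop the added line; if the direct iommu function is intended, remove the old line instead. The initializer continues past the end of the hunk.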
4060 diff -urNp linux-2.6.39.1/arch/powerpc/lib/usercopy_64.c linux-2.6.39.1/arch/powerpc/lib/usercopy_64.c
4061 --- linux-2.6.39.1/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
4062 +++ linux-2.6.39.1/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
4063 @@ -9,22 +9,6 @@
4064 #include <linux/module.h>
4065 #include <asm/uaccess.h>
4066
4067 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4068 -{
4069 - if (likely(access_ok(VERIFY_READ, from, n)))
4070 - n = __copy_from_user(to, from, n);
4071 - else
4072 - memset(to, 0, n);
4073 - return n;
4074 -}
4075 -
4076 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4077 -{
4078 - if (likely(access_ok(VERIFY_WRITE, to, n)))
4079 - n = __copy_to_user(to, from, n);
4080 - return n;
4081 -}
4082 -
4083 unsigned long copy_in_user(void __user *to, const void __user *from,
4084 unsigned long n)
4085 {
4086 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
4087 return n;
4088 }
4089
4090 -EXPORT_SYMBOL(copy_from_user);
4091 -EXPORT_SYMBOL(copy_to_user);
4092 EXPORT_SYMBOL(copy_in_user);
4093
4094 diff -urNp linux-2.6.39.1/arch/powerpc/mm/fault.c linux-2.6.39.1/arch/powerpc/mm/fault.c
4095 --- linux-2.6.39.1/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
4096 +++ linux-2.6.39.1/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
4097 @@ -31,6 +31,10 @@
4098 #include <linux/kdebug.h>
4099 #include <linux/perf_event.h>
4100 #include <linux/magic.h>
4101 +#include <linux/slab.h>
4102 +#include <linux/pagemap.h>
4103 +#include <linux/compiler.h>
4104 +#include <linux/unistd.h>
4105
4106 #include <asm/firmware.h>
4107 #include <asm/page.h>
4108 @@ -42,6 +46,7 @@
4109 #include <asm/tlbflush.h>
4110 #include <asm/siginfo.h>
4111 #include <mm/mmu_decl.h>
4112 +#include <asm/ptrace.h>
4113
4114 #ifdef CONFIG_KPROBES
4115 static inline int notify_page_fault(struct pt_regs *regs)
4116 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
4117 }
4118 #endif
4119
4120 +#ifdef CONFIG_PAX_PAGEEXEC
4121 +/*
4122 + * PaX: decide what to do with offenders (regs->nip = fault address)
4123 + *
4124 + * returns 1 when task should be killed
4125 + */
4126 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4127 +{
4128 + return 1;
4129 +}
4130 +
4131 +void pax_report_insns(void *pc, void *sp)
4132 +{
4133 + unsigned long i;
4134 +
4135 + printk(KERN_ERR "PAX: bytes at PC: ");
4136 + for (i = 0; i < 5; i++) {
4137 + unsigned int c;
4138 + if (get_user(c, (unsigned int __user *)pc+i))
4139 + printk(KERN_CONT "???????? ");
4140 + else
4141 + printk(KERN_CONT "%08x ", c);
4142 + }
4143 + printk("\n");
4144 +}
4145 +#endif
4146 +
4147 /*
4148 * Check whether the instruction at regs->nip is a store using
4149 * an update addressing form which will update r1.
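Review bot: `pax_report_insns` ends its continued line with `printk("\n")`, which carries no `KERN_CONT`, unlike the per-word prints inside the loop; `printk(KERN_CONT "\n");` keeps the terminator attached to the same record. The `sp` parameter is never used in this body and the word count 5 is a bare literal. A short comment should say that five instruction words starting at `pc` are dumped and why `sp` is accepted (presumably for a signature shared with other architectures; confirm). `pax_handle_fetch_fault` returns 1 unconditionally on this architecture, which the comment above it should state.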
4150 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
4151 * indicate errors in DSISR but can validly be set in SRR1.
4152 */
4153 if (trap == 0x400)
4154 - error_code &= 0x48200000;
4155 + error_code &= 0x58200000;
4156 else
4157 is_write = error_code & DSISR_ISSTORE;
4158 #else
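Review bot: The instruction-fault mask grows from `0x48200000` to `0x58200000`, so it now keeps bit `0x10000000`, but it is still written as a bare literal. The next hunk of this file replaces that same literal bit with `DSISR_GUARDED`, so the mask could read `error_code &= 0x48200000 | DSISR_GUARDED;`. A comment should say the guarded-storage bit is preserved so that the checks further down can see it for instruction faults. The enclosing `do_page_fault` starts and ends outside the hunk.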
4159 @@ -258,7 +290,7 @@ good_area:
4160 * "undefined". Of those that can be set, this is the only
4161 * one which seems bad.
4162 */
4163 - if (error_code & 0x10000000)
4164 + if (error_code & DSISR_GUARDED)
4165 /* Guarded storage error. */
4166 goto bad_area;
4167 #endif /* CONFIG_8xx */
4168 @@ -273,7 +305,7 @@ good_area:
4169 * processors use the same I/D cache coherency mechanism
4170 * as embedded.
4171 */
4172 - if (error_code & DSISR_PROTFAULT)
4173 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
4174 goto bad_area;
4175 #endif /* CONFIG_PPC_STD_MMU */
4176
4177 @@ -342,6 +374,23 @@ bad_area:
4178 bad_area_nosemaphore:
4179 /* User mode accesses cause a SIGSEGV */
4180 if (user_mode(regs)) {
4181 +
4182 +#ifdef CONFIG_PAX_PAGEEXEC
4183 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4184 +#ifdef CONFIG_PPC_STD_MMU
4185 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
4186 +#else
4187 + if (is_exec && regs->nip == address) {
4188 +#endif
4189 + switch (pax_handle_fetch_fault(regs)) {
4190 + }
4191 +
4192 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
4193 + do_group_exit(SIGKILL);
4194 + }
4195 + }
4196 +#endif
4197 +
4198 _exception(SIGSEGV, regs, code, address);
4199 return 0;
4200 }
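Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the handler's result is discarded and every matching fault goes on to `pax_report_fault()` and `do_group_exit(SIGKILL)`. The powerpc `pax_handle_fetch_fault` added earlier in this file only ever returns 1, so a plain call with a comment, or an explicit `== 1` test, would state the intent more clearly. The two `if (is_exec && ...) {` lines under `#ifdef CONFIG_PPC_STD_MMU` and `#else` open the same block, which is easy to misread; a comment on the `#else` arm saying which MMU family it covers would help. The hunk shows only part of `do_page_fault`.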
4201 diff -urNp linux-2.6.39.1/arch/powerpc/mm/mmap_64.c linux-2.6.39.1/arch/powerpc/mm/mmap_64.c
4202 --- linux-2.6.39.1/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400
4203 +++ linux-2.6.39.1/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400
4204 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
4205 */
4206 if (mmap_is_legacy()) {
4207 mm->mmap_base = TASK_UNMAPPED_BASE;
4208 +
4209 +#ifdef CONFIG_PAX_RANDMMAP
4210 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4211 + mm->mmap_base += mm->delta_mmap;
4212 +#endif
4213 +
4214 mm->get_unmapped_area = arch_get_unmapped_area;
4215 mm->unmap_area = arch_unmap_area;
4216 } else {
4217 mm->mmap_base = mmap_base();
4218 +
4219 +#ifdef CONFIG_PAX_RANDMMAP
4220 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4221 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4222 +#endif
4223 +
4224 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4225 mm->unmap_area = arch_unmap_area_topdown;
4226 }
4227 diff -urNp linux-2.6.39.1/arch/powerpc/mm/slice.c linux-2.6.39.1/arch/powerpc/mm/slice.c
4228 --- linux-2.6.39.1/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400
4229 +++ linux-2.6.39.1/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400
4230 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
4231 if ((mm->task_size - len) < addr)
4232 return 0;
4233 vma = find_vma(mm, addr);
4234 - return (!vma || (addr + len) <= vma->vm_start);
4235 + return check_heap_stack_gap(vma, addr, len);
4236 }
4237
4238 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
4239 @@ -256,7 +256,7 @@ full_search:
4240 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
4241 continue;
4242 }
4243 - if (!vma || addr + len <= vma->vm_start) {
4244 + if (check_heap_stack_gap(vma, addr, len)) {
4245 /*
4246 * Remember the place where we stopped the search:
4247 */
4248 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
4249 }
4250 }
4251
4252 - addr = mm->mmap_base;
4253 - while (addr > len) {
4254 + if (mm->mmap_base < len)
4255 + addr = -ENOMEM;
4256 + else
4257 + addr = mm->mmap_base - len;
4258 +
4259 + while (!IS_ERR_VALUE(addr)) {
4260 /* Go down by chunk size */
4261 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
4262 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
4263
4264 /* Check for hit with different page size */
4265 mask = slice_range_to_mask(addr, len);
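Review bot: The loop body no longer subtracts `len` from `addr` and only aligns it down, so forward progress depends on every path that loops back having lowered `addr` itself. The later hunk does this for the VMA-collision path through `skip_heap_stack_gap(vma, len)`, whose definition is not on this page. The page-size-mismatch path after `slice_range_to_mask()` lies outside the hunks and should be checked: if it can `continue` with an already aligned `addr`, the search would not advance. Termination now also relies on `addr` becoming an `IS_ERR_VALUE`, so a comment above the `while` such as `/* addr is the candidate start; any path that continues must move it down or set -ENOMEM */` would document the new contract.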
4266 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
4267 * return with success:
4268 */
4269 vma = find_vma(mm, addr);
4270 - if (!vma || (addr + len) <= vma->vm_start) {
4271 + if (check_heap_stack_gap(vma, addr, len)) {
4272 /* remember the address as a hint for next time */
4273 if (use_cache)
4274 mm->free_area_cache = addr;
4275 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
4276 mm->cached_hole_size = vma->vm_start - addr;
4277
4278 /* try just below the current vma->vm_start */
4279 - addr = vma->vm_start;
4280 + addr = skip_heap_stack_gap(vma, len);
4281 }
4282
4283 /*
4284 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
4285 if (fixed && addr > (mm->task_size - len))
4286 return -EINVAL;
4287
4288 +#ifdef CONFIG_PAX_RANDMMAP
4289 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
4290 + addr = 0;
4291 +#endif
4292 +
4293 /* If hint, make sure it matches our alignment restrictions */
4294 if (!fixed && addr) {
4295 addr = _ALIGN_UP(addr, 1ul << pshift);
4296 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.1/arch/powerpc/platforms/52xx/efika.c
4297 --- linux-2.6.39.1/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400
4298 +++ linux-2.6.39.1/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400
4299 @@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_
4300 return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
4301 }
4302
4303 -static struct pci_ops rtas_pci_ops = {
4304 +static const struct pci_ops rtas_pci_ops = {
4305 .read = rtas_read_config,
4306 .write = rtas_write_config,
4307 };
4308 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_pci.c
4309 --- linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400
4310 +++ linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400
4311 @@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config(
4312 return PCIBIOS_SUCCESSFUL;
4313 }
4314
4315 -static struct pci_ops celleb_fake_pci_ops = {
4316 +static const struct pci_ops celleb_fake_pci_ops = {
4317 .read = celleb_fake_pci_read_config,
4318 .write = celleb_fake_pci_write_config,
4319 };
4320 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_epci.c
4321 --- linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400
4322 +++ linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400
4323 @@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru
4324 return celleb_epci_check_abort(hose, addr);
4325 }
4326
4327 -struct pci_ops celleb_epci_ops = {
4328 +const struct pci_ops celleb_epci_ops = {
4329 .read = celleb_epci_read_config,
4330 .write = celleb_epci_write_config,
4331 };
4332 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_pciex.c
4333 --- linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400
4334 +++ linux-2.6.39.1/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400
4335 @@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct
4336 return PCIBIOS_SUCCESSFUL;
4337 }
4338
4339 -static struct pci_ops scc_pciex_pci_ops = {
4340 +static const struct pci_ops scc_pciex_pci_ops = {
4341 scc_pciex_read_config,
4342 scc_pciex_write_config,
4343 };
4344 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.1/arch/powerpc/platforms/cell/iommu.c
4345 --- linux-2.6.39.1/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400
4346 +++ linux-2.6.39.1/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400
4347 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
4348
4349 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
4350
4351 -struct dma_map_ops dma_iommu_fixed_ops = {
4352 +const struct dma_map_ops dma_iommu_fixed_ops = {
4353 .alloc_coherent = dma_fixed_alloc_coherent,
4354 .free_coherent = dma_fixed_free_coherent,
4355 .map_sg = dma_fixed_map_sg,
4356 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.1/arch/powerpc/platforms/chrp/pci.c
4357 --- linux-2.6.39.1/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400
4358 +++ linux-2.6.39.1/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400
4359 @@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus
4360 return PCIBIOS_SUCCESSFUL;
4361 }
4362
4363 -static struct pci_ops gg2_pci_ops =
4364 +static const struct pci_ops gg2_pci_ops =
4365 {
4366 .read = gg2_read_config,
4367 .write = gg2_write_config,
4368 @@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu
4369 return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL;
4370 }
4371
4372 -static struct pci_ops rtas_pci_ops =
4373 +static const struct pci_ops rtas_pci_ops =
4374 {
4375 .read = rtas_read_config,
4376 .write = rtas_write_config,
4377 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.1/arch/powerpc/platforms/iseries/pci.c
4378 --- linux-2.6.39.1/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400
4379 +++ linux-2.6.39.1/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400
4380 @@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru
4381 return 0;
4382 }
4383
4384 -static struct pci_ops iSeries_pci_ops = {
4385 +static const struct pci_ops iSeries_pci_ops = {
4386 .read = iSeries_pci_read_config,
4387 .write = iSeries_pci_write_config
4388 };
4389 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/maple/pci.c linux-2.6.39.1/arch/powerpc/platforms/maple/pci.c
4390 --- linux-2.6.39.1/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400
4391 +++ linux-2.6.39.1/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400
4392 @@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc
4393 return PCIBIOS_SUCCESSFUL;
4394 }
4395
4396 -static struct pci_ops u3_agp_pci_ops =
4397 +static const struct pci_ops u3_agp_pci_ops =
4398 {
4399 .read = u3_agp_read_config,
4400 .write = u3_agp_write_config,
4401 @@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci
4402 return PCIBIOS_SUCCESSFUL;
4403 }
4404
4405 -static struct pci_ops u3_ht_pci_ops =
4406 +static const struct pci_ops u3_ht_pci_ops =
4407 {
4408 .read = u3_ht_read_config,
4409 .write = u3_ht_write_config,
4410 @@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p
4411 return PCIBIOS_SUCCESSFUL;
4412 }
4413
4414 -static struct pci_ops u4_pcie_pci_ops =
4415 +static const struct pci_ops u4_pcie_pci_ops =
4416 {
4417 .read = u4_pcie_read_config,
4418 .write = u4_pcie_write_config,
4419 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.1/arch/powerpc/platforms/pasemi/pci.c
4420 --- linux-2.6.39.1/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400
4421 +++ linux-2.6.39.1/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400
4422 @@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc
4423 return PCIBIOS_SUCCESSFUL;
4424 }
4425
4426 -static struct pci_ops pa_pxp_ops = {
4427 +static const struct pci_ops pa_pxp_ops = {
4428 .read = pa_pxp_read_config,
4429 .write = pa_pxp_write_config,
4430 };
4431 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.1/arch/powerpc/platforms/powermac/pci.c
4432 --- linux-2.6.39.1/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400
4433 +++ linux-2.6.39.1/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400
4434 @@ -218,7 +218,7 @@ static int macrisc_write_config(struct p
4435 return PCIBIOS_SUCCESSFUL;
4436 }
4437
4438 -static struct pci_ops macrisc_pci_ops =
4439 +static const struct pci_ops macrisc_pci_ops =
4440 {
4441 .read = macrisc_read_config,
4442 .write = macrisc_write_config,
4443 @@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus,
4444 return macrisc_write_config(bus, devfn, offset, len, val);
4445 }
4446
4447 -static struct pci_ops chaos_pci_ops =
4448 +static const struct pci_ops chaos_pci_ops =
4449 {
4450 .read = chaos_read_config,
4451 .write = chaos_write_config,
4452 diff -urNp linux-2.6.39.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.1/arch/powerpc/platforms/ps3/system-bus.c
4453 --- linux-2.6.39.1/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400
4454 +++ linux-2.6.39.1/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400
4455 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
4456 return mask >= DMA_BIT_MASK(32);
4457 }
4458
4459 -static struct dma_map_ops ps3_sb_dma_ops = {
4460 +static const struct dma_map_ops ps3_sb_dma_ops = {
4461 .alloc_coherent = ps3_alloc_coherent,
4462 .free_coherent = ps3_free_coherent,
4463 .map_sg = ps3_sb_map_sg,
4464 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
4465 .unmap_page = ps3_unmap_page,
4466 };
4467
4468 -static struct dma_map_ops ps3_ioc0_dma_ops = {
4469 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
4470 .alloc_coherent = ps3_alloc_coherent,
4471 .free_coherent = ps3_free_coherent,
4472 .map_sg = ps3_ioc0_map_sg,
4473 diff -urNp linux-2.6.39.1/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.1/arch/powerpc/sysdev/fsl_pci.c
4474 --- linux-2.6.39.1/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400
4475 +++ linux-2.6.39.1/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400
4476 @@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str
4477 return PCIBIOS_SUCCESSFUL;
4478 }
4479
4480 -static struct pci_ops mpc83xx_pcie_ops = {
4481 +static const struct pci_ops mpc83xx_pcie_ops = {
4482 .read = mpc83xx_pcie_read_config,
4483 .write = mpc83xx_pcie_write_config,
4484 };
4485 diff -urNp linux-2.6.39.1/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.1/arch/powerpc/sysdev/indirect_pci.c
4486 --- linux-2.6.39.1/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
4487 +++ linux-2.6.39.1/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
4488 @@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu
4489 return PCIBIOS_SUCCESSFUL;
4490 }
4491
4492 -static struct pci_ops indirect_pci_ops =
4493 +static const struct pci_ops indirect_pci_ops =
4494 {
4495 .read = indirect_read_config,
4496 .write = indirect_write_config,
4497 diff -urNp linux-2.6.39.1/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.1/arch/powerpc/sysdev/ppc4xx_pci.c
4498 --- linux-2.6.39.1/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400
4499 +++ linux-2.6.39.1/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400
4500 @@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str
4501 return PCIBIOS_SUCCESSFUL;
4502 }
4503
4504 -static struct pci_ops ppc4xx_pciex_pci_ops =
4505 +static const struct pci_ops ppc4xx_pciex_pci_ops =
4506 {
4507 .read = ppc4xx_pciex_read_config,
4508 .write = ppc4xx_pciex_write_config,
4509 diff -urNp linux-2.6.39.1/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.1/arch/powerpc/sysdev/tsi108_pci.c
4510 --- linux-2.6.39.1/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400
4511 +++ linux-2.6.39.1/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400
4512 @@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void)
4513 tsi108_clear_pci_error(tsi108_pci_cfg_phys);
4514 }
4515
4516 -static struct pci_ops tsi108_direct_pci_ops = {
4517 +static const struct pci_ops tsi108_direct_pci_ops = {
4518 .read = tsi108_direct_read_config,
4519 .write = tsi108_direct_write_config,
4520 };
4521 diff -urNp linux-2.6.39.1/arch/s390/include/asm/elf.h linux-2.6.39.1/arch/s390/include/asm/elf.h
4522 --- linux-2.6.39.1/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
4523 +++ linux-2.6.39.1/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
4524 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
4525 the loader. We need to make sure that it is out of the way of the program
4526 that it will "exec", and that there is sufficient room for the brk. */
4527
4528 -extern unsigned long randomize_et_dyn(unsigned long base);
4529 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
4530 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4531 +
4532 +#ifdef CONFIG_PAX_ASLR
4533 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4534 +
4535 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4536 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4537 +#endif
4538
4539 /* This yields a mask that user programs can use to figure out what
4540 instruction set this CPU supports. */
4541 @@ -222,7 +228,4 @@ struct linux_binprm;
4542 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
4543 int arch_setup_additional_pages(struct linux_binprm *, int);
4544
4545 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
4546 -#define arch_randomize_brk arch_randomize_brk
4547 -
4548 #endif
4549 diff -urNp linux-2.6.39.1/arch/s390/include/asm/system.h linux-2.6.39.1/arch/s390/include/asm/system.h
4550 --- linux-2.6.39.1/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4551 +++ linux-2.6.39.1/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4552 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
4553 extern void (*_machine_halt)(void);
4554 extern void (*_machine_power_off)(void);
4555
4556 -extern unsigned long arch_align_stack(unsigned long sp);
4557 +#define arch_align_stack(x) ((x) & ~0xfUL)
4558
4559 static inline int tprot(unsigned long addr)
4560 {
4561 diff -urNp linux-2.6.39.1/arch/s390/include/asm/uaccess.h linux-2.6.39.1/arch/s390/include/asm/uaccess.h
4562 --- linux-2.6.39.1/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
4563 +++ linux-2.6.39.1/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
4564 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
4565 copy_to_user(void __user *to, const void *from, unsigned long n)
4566 {
4567 might_fault();
4568 +
4569 + if ((long)n < 0)
4570 + return n;
4571 +
4572 if (access_ok(VERIFY_WRITE, to, n))
4573 n = __copy_to_user(to, from, n);
4574 return n;
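Review bot: The added `if ((long)n < 0) return n;` guard has no comment, and the same lines are repeated in `__copy_from_user` and `copy_from_user` in the following two hunks. A one-line comment such as `/* a length with the sign bit set is a negative size converted to unsigned long: copy nothing, report all n bytes as uncopied */` would explain why the whole length is returned. In the two copy-from-user variants the early return leaves the destination buffer untouched, so a caller that ignores the return value would go on to use whatever `to` held before; the comment should say so.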
4575 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
4576 static inline unsigned long __must_check
4577 __copy_from_user(void *to, const void __user *from, unsigned long n)
4578 {
4579 + if ((long)n < 0)
4580 + return n;
4581 +
4582 if (__builtin_constant_p(n) && (n <= 256))
4583 return uaccess.copy_from_user_small(n, from, to);
4584 else
4585 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
4586 unsigned int sz = __compiletime_object_size(to);
4587
4588 might_fault();
4589 +
4590 + if ((long)n < 0)
4591 + return n;
4592 +
4593 if (unlikely(sz != -1 && sz < n)) {
4594 copy_from_user_overflow();
4595 return n;
4596 diff -urNp linux-2.6.39.1/arch/s390/Kconfig linux-2.6.39.1/arch/s390/Kconfig
4597 --- linux-2.6.39.1/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400
4598 +++ linux-2.6.39.1/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400
4599 @@ -234,11 +234,9 @@ config S390_EXEC_PROTECT
4600 prompt "Data execute protection"
4601 help
4602 This option allows to enable a buffer overflow protection for user
4603 - space programs and it also selects the addressing mode option above.
4604 - The kernel parameter noexec=on will enable this feature and also
4605 - switch the addressing modes, default is disabled. Enabling this (via
4606 - kernel parameter) on machines earlier than IBM System z9 this will
4607 - reduce system performance.
4608 + space programs.
4609 + Enabling this (via kernel parameter) on machines earlier than IBM
4610 + System z9 this will reduce system performance.
4611
4612 comment "Code generation options"
4613
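Review bot: The shortened help text still says "Enabling this (via kernel parameter)", while the arch/s390/kernel/setup.c hunks of this patch remove the `noexec=` handler and make SECONDARY_SPACE_MODE the default, so the text no longer says which parameter is meant. The kept sentence is also ungrammatical ("Enabling this ... this will reduce"). I would reword it to something like `On machines earlier than IBM System z9 this reduces system performance.` and, if `user_mode=` is the intended switch, name it.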
4614 diff -urNp linux-2.6.39.1/arch/s390/kernel/module.c linux-2.6.39.1/arch/s390/kernel/module.c
4615 --- linux-2.6.39.1/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4616 +++ linux-2.6.39.1/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4617 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4618
4619 /* Increase core size by size of got & plt and set start
4620 offsets for got and plt. */
4621 - me->core_size = ALIGN(me->core_size, 4);
4622 - me->arch.got_offset = me->core_size;
4623 - me->core_size += me->arch.got_size;
4624 - me->arch.plt_offset = me->core_size;
4625 - me->core_size += me->arch.plt_size;
4626 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4627 + me->arch.got_offset = me->core_size_rw;
4628 + me->core_size_rw += me->arch.got_size;
4629 + me->arch.plt_offset = me->core_size_rx;
4630 + me->core_size_rx += me->arch.plt_size;
4631 return 0;
4632 }
4633
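Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset without aligning it, whereas the removed code aligned the combined size to 4 before laying out GOT and PLT, and the new code keeps that ALIGN only for core_size_rw. The PLT slots are written through an `unsigned int *` in apply_rela, so unless core_size_rx is already aligned by the generic layout code (not visible here) I would add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before taking the offset. module_frob_arch_sections starts above this hunk.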
4634 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4635 if (info->got_initialized == 0) {
4636 Elf_Addr *gotent;
4637
4638 - gotent = me->module_core + me->arch.got_offset +
4639 + gotent = me->module_core_rw + me->arch.got_offset +
4640 info->got_offset;
4641 *gotent = val;
4642 info->got_initialized = 1;
4643 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4644 else if (r_type == R_390_GOTENT ||
4645 r_type == R_390_GOTPLTENT)
4646 *(unsigned int *) loc =
4647 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4648 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4649 else if (r_type == R_390_GOT64 ||
4650 r_type == R_390_GOTPLT64)
4651 *(unsigned long *) loc = val;
4652 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4653 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4654 if (info->plt_initialized == 0) {
4655 unsigned int *ip;
4656 - ip = me->module_core + me->arch.plt_offset +
4657 + ip = me->module_core_rx + me->arch.plt_offset +
4658 info->plt_offset;
4659 #ifndef CONFIG_64BIT
4660 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
4661 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4662 val - loc + 0xffffUL < 0x1ffffeUL) ||
4663 (r_type == R_390_PLT32DBL &&
4664 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4665 - val = (Elf_Addr) me->module_core +
4666 + val = (Elf_Addr) me->module_core_rx +
4667 me->arch.plt_offset +
4668 info->plt_offset;
4669 val += rela->r_addend - loc;
4670 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4671 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4672 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4673 val = val + rela->r_addend -
4674 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4675 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4676 if (r_type == R_390_GOTOFF16)
4677 *(unsigned short *) loc = val;
4678 else if (r_type == R_390_GOTOFF32)
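Review bot: The GOT base is now `me->module_core_rw + me->arch.got_offset`, so for a symbol that lives in the rx region this offset spans two regions, and the stores that follow narrow `val` to `unsigned short` or 32 bits without a range check. Whether the two regions are guaranteed to sit close enough is not visible in this hunk; if they are not, the relocation would be silently truncated. At minimum I would add a comment such as `/* GOT is in the rw region; the offset must still fit the relocation width */`, and consider failing the load for out-of-range values. apply_rela starts and ends outside this hunk.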
4679 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4680 break;
4681 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4682 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4683 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4684 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4685 rela->r_addend - loc;
4686 if (r_type == R_390_GOTPC)
4687 *(unsigned int *) loc = val;
4688 diff -urNp linux-2.6.39.1/arch/s390/kernel/process.c linux-2.6.39.1/arch/s390/kernel/process.c
4689 --- linux-2.6.39.1/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4690 +++ linux-2.6.39.1/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4691 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
4692 }
4693 return 0;
4694 }
4695 -
4696 -unsigned long arch_align_stack(unsigned long sp)
4697 -{
4698 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4699 - sp -= get_random_int() & ~PAGE_MASK;
4700 - return sp & ~0xf;
4701 -}
4702 -
4703 -static inline unsigned long brk_rnd(void)
4704 -{
4705 - /* 8MB for 32bit, 1GB for 64bit */
4706 - if (is_32bit_task())
4707 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
4708 - else
4709 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
4710 -}
4711 -
4712 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4713 -{
4714 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
4715 -
4716 - if (ret < mm->brk)
4717 - return mm->brk;
4718 - return ret;
4719 -}
4720 -
4721 -unsigned long randomize_et_dyn(unsigned long base)
4722 -{
4723 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4724 -
4725 - if (!(current->flags & PF_RANDOMIZE))
4726 - return base;
4727 - if (ret < base)
4728 - return base;
4729 - return ret;
4730 -}
4731 diff -urNp linux-2.6.39.1/arch/s390/kernel/setup.c linux-2.6.39.1/arch/s390/kernel/setup.c
4732 --- linux-2.6.39.1/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400
4733 +++ linux-2.6.39.1/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400
4734 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
4735 }
4736 early_param("mem", early_parse_mem);
4737
4738 -unsigned int user_mode = HOME_SPACE_MODE;
4739 +unsigned int user_mode = SECONDARY_SPACE_MODE;
4740 EXPORT_SYMBOL_GPL(user_mode);
4741
4742 static int set_amode_and_uaccess(unsigned long user_amode,
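Review bot: The default `user_mode` changes to SECONDARY_SPACE_MODE for every build, not only when CONFIG_S390_EXEC_PROTECT is set, and nothing at the definition says why. The removed `noexec=` handler further down selected the same mode only on request and only under that config option, and the Kconfig help in this patch warns of a performance cost on machines earlier than System z9. I would add a comment such as `/* secondary space by default so execute protection needs no boot parameter; user_mode= can still override */`, or keep the old default when the option is off.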
4743 @@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne
4744 }
4745 }
4746
4747 -/*
4748 - * Switch kernel/user addressing modes?
4749 - */
4750 -static int __init early_parse_switch_amode(char *p)
4751 -{
4752 - if (user_mode != SECONDARY_SPACE_MODE)
4753 - user_mode = PRIMARY_SPACE_MODE;
4754 - return 0;
4755 -}
4756 -early_param("switch_amode", early_parse_switch_amode);
4757 -
4758 static int __init early_parse_user_mode(char *p)
4759 {
4760 if (p && strcmp(p, "primary") == 0)
4761 @@ -327,20 +316,6 @@ static int __init early_parse_user_mode(
4762 }
4763 early_param("user_mode", early_parse_user_mode);
4764
4765 -#ifdef CONFIG_S390_EXEC_PROTECT
4766 -/*
4767 - * Enable execute protection?
4768 - */
4769 -static int __init early_parse_noexec(char *p)
4770 -{
4771 - if (!strncmp(p, "off", 3))
4772 - return 0;
4773 - user_mode = SECONDARY_SPACE_MODE;
4774 - return 0;
4775 -}
4776 -early_param("noexec", early_parse_noexec);
4777 -#endif /* CONFIG_S390_EXEC_PROTECT */
4778 -
4779 static void setup_addressing_mode(void)
4780 {
4781 if (user_mode == SECONDARY_SPACE_MODE) {
4782 diff -urNp linux-2.6.39.1/arch/s390/mm/maccess.c linux-2.6.39.1/arch/s390/mm/maccess.c
4783 --- linux-2.6.39.1/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
4784 +++ linux-2.6.39.1/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
4785 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
4786 return rc ? rc : count;
4787 }
4788
4789 -long probe_kernel_write(void *dst, void *src, size_t size)
4790 +long probe_kernel_write(void *dst, const void *src, size_t size)
4791 {
4792 long copied = 0;
4793
4794 diff -urNp linux-2.6.39.1/arch/s390/mm/mmap.c linux-2.6.39.1/arch/s390/mm/mmap.c
4795 --- linux-2.6.39.1/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
4796 +++ linux-2.6.39.1/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
4797 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
4798 */
4799 if (mmap_is_legacy()) {
4800 mm->mmap_base = TASK_UNMAPPED_BASE;
4801 +
4802 +#ifdef CONFIG_PAX_RANDMMAP
4803 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4804 + mm->mmap_base += mm->delta_mmap;
4805 +#endif
4806 +
4807 mm->get_unmapped_area = arch_get_unmapped_area;
4808 mm->unmap_area = arch_unmap_area;
4809 } else {
4810 mm->mmap_base = mmap_base();
4811 +
4812 +#ifdef CONFIG_PAX_RANDMMAP
4813 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4814 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4815 +#endif
4816 +
4817 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4818 mm->unmap_area = arch_unmap_area_topdown;
4819 }
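Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` subtracts two random deltas from mmap_base() with no lower bound, so the result relies on mmap_base() always exceeding their sum. Their maximum sizes are set elsewhere and are not visible here; if that invariant holds, a short comment stating it would help, e.g. `/* mmap_base() is always larger than the maximum delta_mmap + delta_stack */`. The second arch_pick_mmap_layout hunk below repeats the same two blocks, which also suggests a small shared helper.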
4820 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
4821 */
4822 if (mmap_is_legacy()) {
4823 mm->mmap_base = TASK_UNMAPPED_BASE;
4824 +
4825 +#ifdef CONFIG_PAX_RANDMMAP
4826 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4827 + mm->mmap_base += mm->delta_mmap;
4828 +#endif
4829 +
4830 mm->get_unmapped_area = s390_get_unmapped_area;
4831 mm->unmap_area = arch_unmap_area;
4832 } else {
4833 mm->mmap_base = mmap_base();
4834 +
4835 +#ifdef CONFIG_PAX_RANDMMAP
4836 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4837 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4838 +#endif
4839 +
4840 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
4841 mm->unmap_area = arch_unmap_area_topdown;
4842 }
4843 diff -urNp linux-2.6.39.1/arch/score/include/asm/system.h linux-2.6.39.1/arch/score/include/asm/system.h
4844 --- linux-2.6.39.1/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4845 +++ linux-2.6.39.1/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4846 @@ -17,7 +17,7 @@ do { \
4847 #define finish_arch_switch(prev) do {} while (0)
4848
4849 typedef void (*vi_handler_t)(void);
4850 -extern unsigned long arch_align_stack(unsigned long sp);
4851 +#define arch_align_stack(x) (x)
4852
4853 #define mb() barrier()
4854 #define rmb() barrier()
4855 diff -urNp linux-2.6.39.1/arch/score/kernel/process.c linux-2.6.39.1/arch/score/kernel/process.c
4856 --- linux-2.6.39.1/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4857 +++ linux-2.6.39.1/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4858 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
4859
4860 return task_pt_regs(task)->cp0_epc;
4861 }
4862 -
4863 -unsigned long arch_align_stack(unsigned long sp)
4864 -{
4865 - return sp;
4866 -}
4867 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.1/arch/sh/drivers/pci/ops-dreamcast.c
4868 --- linux-2.6.39.1/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400
4869 +++ linux-2.6.39.1/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400
4870 @@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus
4871 return PCIBIOS_SUCCESSFUL;
4872 }
4873
4874 -struct pci_ops gapspci_pci_ops = {
4875 +const struct pci_ops gapspci_pci_ops = {
4876 .read = gapspci_read,
4877 .write = gapspci_write,
4878 };
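Review bot: `gapspci_pci_ops` becomes const here, but this patch updates only the extern declarations of sh4_pci_ops, sh5_pci_ops and sh7786_pci_ops; no hunk among the arch/sh files shown changes a declaration of gapspci_pci_ops. If a header still declares it as `extern struct pci_ops gapspci_pci_ops;`, definition and declaration would disagree on qualifiers, which is a compile error wherever both are visible. The declaration should become `extern const struct pci_ops gapspci_pci_ops;` wherever it lives.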
4879 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.1/arch/sh/drivers/pci/ops-sh4.c
4880 --- linux-2.6.39.1/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400
4881 +++ linux-2.6.39.1/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400
4882 @@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus
4883 return PCIBIOS_SUCCESSFUL;
4884 }
4885
4886 -struct pci_ops sh4_pci_ops = {
4887 +const struct pci_ops sh4_pci_ops = {
4888 .read = sh4_pci_read,
4889 .write = sh4_pci_write,
4890 };
4891 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.1/arch/sh/drivers/pci/ops-sh5.c
4892 --- linux-2.6.39.1/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400
4893 +++ linux-2.6.39.1/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400
4894 @@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus *
4895 return PCIBIOS_SUCCESSFUL;
4896 }
4897
4898 -struct pci_ops sh5_pci_ops = {
4899 +const struct pci_ops sh5_pci_ops = {
4900 .read = sh5pci_read,
4901 .write = sh5pci_write,
4902 };
4903 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.1/arch/sh/drivers/pci/ops-sh7786.c
4904 --- linux-2.6.39.1/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400
4905 +++ linux-2.6.39.1/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400
4906 @@ -165,7 +165,7 @@ out:
4907 return ret;
4908 }
4909
4910 -struct pci_ops sh7786_pci_ops = {
4911 +const struct pci_ops sh7786_pci_ops = {
4912 .read = sh7786_pcie_read,
4913 .write = sh7786_pcie_write,
4914 };
4915 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.1/arch/sh/drivers/pci/pcie-sh7786.c
4916 --- linux-2.6.39.1/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400
4917 +++ linux-2.6.39.1/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400
4918 @@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou
4919 },
4920 };
4921
4922 -extern struct pci_ops sh7786_pci_ops;
4923 +extern const struct pci_ops sh7786_pci_ops;
4924
4925 #define DEFINE_CONTROLLER(start, idx) \
4926 { \
4927 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.1/arch/sh/drivers/pci/pci-sh4.h
4928 --- linux-2.6.39.1/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400
4929 +++ linux-2.6.39.1/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400
4930 @@ -161,7 +161,7 @@
4931 #define SH4_PCIPDR 0x220 /* Port IO Data Register */
4932
4933 /* arch/sh/kernel/drivers/pci/ops-sh4.c */
4934 -extern struct pci_ops sh4_pci_ops;
4935 +extern const struct pci_ops sh4_pci_ops;
4936 int pci_fixup_pcic(struct pci_channel *chan);
4937
4938 struct sh4_pci_address_space {
4939 diff -urNp linux-2.6.39.1/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.1/arch/sh/drivers/pci/pci-sh5.h
4940 --- linux-2.6.39.1/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400
4941 +++ linux-2.6.39.1/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400
4942 @@ -105,6 +105,6 @@ extern unsigned long pcicr_virt;
4943 #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18)
4944 #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18)
4945
4946 -extern struct pci_ops sh5_pci_ops;
4947 +extern const struct pci_ops sh5_pci_ops;
4948
4949 #endif /* __PCI_SH5_H */
4950 diff -urNp linux-2.6.39.1/arch/sh/include/asm/dma-mapping.h linux-2.6.39.1/arch/sh/include/asm/dma-mapping.h
4951 --- linux-2.6.39.1/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
4952 +++ linux-2.6.39.1/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4953 @@ -1,10 +1,10 @@
4954 #ifndef __ASM_SH_DMA_MAPPING_H
4955 #define __ASM_SH_DMA_MAPPING_H
4956
4957 -extern struct dma_map_ops *dma_ops;
4958 +extern const struct dma_map_ops *dma_ops;
4959 extern void no_iommu_init(void);
4960
4961 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
4962 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
4963 {
4964 return dma_ops;
4965 }
4966 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
4967
4968 static inline int dma_supported(struct device *dev, u64 mask)
4969 {
4970 - struct dma_map_ops *ops = get_dma_ops(dev);
4971 + const struct dma_map_ops *ops = get_dma_ops(dev);
4972
4973 if (ops->dma_supported)
4974 return ops->dma_supported(dev, mask);
4975 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
4976
4977 static inline int dma_set_mask(struct device *dev, u64 mask)
4978 {
4979 - struct dma_map_ops *ops = get_dma_ops(dev);
4980 + const struct dma_map_ops *ops = get_dma_ops(dev);
4981
4982 if (!dev->dma_mask || !dma_supported(dev, mask))
4983 return -EIO;
4984 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
4985
4986 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
4987 {
4988 - struct dma_map_ops *ops = get_dma_ops(dev);
4989 + const struct dma_map_ops *ops = get_dma_ops(dev);
4990
4991 if (ops->mapping_error)
4992 return ops->mapping_error(dev, dma_addr);
4993 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
4994 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
4995 dma_addr_t *dma_handle, gfp_t gfp)
4996 {
4997 - struct dma_map_ops *ops = get_dma_ops(dev);
4998 + const struct dma_map_ops *ops = get_dma_ops(dev);
4999 void *memory;
5000
5001 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
5002 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
5003 static inline void dma_free_coherent(struct device *dev, size_t size,
5004 void *vaddr, dma_addr_t dma_handle)
5005 {
5006 - struct dma_map_ops *ops = get_dma_ops(dev);
5007 + const struct dma_map_ops *ops = get_dma_ops(dev);
5008
5009 if (dma_release_from_coherent(dev, get_order(size), vaddr))
5010 return;
5011 diff -urNp linux-2.6.39.1/arch/sh/kernel/dma-nommu.c linux-2.6.39.1/arch/sh/kernel/dma-nommu.c
5012 --- linux-2.6.39.1/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400
5013 +++ linux-2.6.39.1/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400
5014 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
5015 }
5016 #endif
5017
5018 -struct dma_map_ops nommu_dma_ops = {
5019 +const struct dma_map_ops nommu_dma_ops = {
5020 .alloc_coherent = dma_generic_alloc_coherent,
5021 .free_coherent = dma_generic_free_coherent,
5022 .map_page = nommu_map_page,
5023 diff -urNp linux-2.6.39.1/arch/sh/kernel/kgdb.c linux-2.6.39.1/arch/sh/kernel/kgdb.c
5024 --- linux-2.6.39.1/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
5025 +++ linux-2.6.39.1/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
5026 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
5027 unregister_die_notifier(&kgdb_notifier);
5028 }
5029
5030 -struct kgdb_arch arch_kgdb_ops = {
5031 +const struct kgdb_arch arch_kgdb_ops = {
5032 /* Breakpoint instruction: trapa #0x3c */
5033 #ifdef CONFIG_CPU_LITTLE_ENDIAN
5034 .gdb_bpt_instr = { 0x3c, 0xc3 },
5035 diff -urNp linux-2.6.39.1/arch/sh/mm/consistent.c linux-2.6.39.1/arch/sh/mm/consistent.c
5036 --- linux-2.6.39.1/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400
5037 +++ linux-2.6.39.1/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400
5038 @@ -22,7 +22,7 @@
5039
5040 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
5041
5042 -struct dma_map_ops *dma_ops;
5043 +const struct dma_map_ops *dma_ops;
5044 EXPORT_SYMBOL(dma_ops);
5045
5046 static int __init dma_init(void)
5047 diff -urNp linux-2.6.39.1/arch/sh/mm/mmap.c linux-2.6.39.1/arch/sh/mm/mmap.c
5048 --- linux-2.6.39.1/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5049 +++ linux-2.6.39.1/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5050 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
5051 addr = PAGE_ALIGN(addr);
5052
5053 vma = find_vma(mm, addr);
5054 - if (TASK_SIZE - len >= addr &&
5055 - (!vma || addr + len <= vma->vm_start))
5056 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5057 return addr;
5058 }
5059
5060 @@ -106,7 +105,7 @@ full_search:
5061 }
5062 return -ENOMEM;
5063 }
5064 - if (likely(!vma || addr + len <= vma->vm_start)) {
5065 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5066 /*
5067 * Remember the place where we stopped the search:
5068 */
5069 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
5070 addr = PAGE_ALIGN(addr);
5071
5072 vma = find_vma(mm, addr);
5073 - if (TASK_SIZE - len >= addr &&
5074 - (!vma || addr + len <= vma->vm_start))
5075 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5076 return addr;
5077 }
5078
5079 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
5080 /* make sure it can fit in the remaining address space */
5081 if (likely(addr > len)) {
5082 vma = find_vma(mm, addr-len);
5083 - if (!vma || addr <= vma->vm_start) {
5084 + if (check_heap_stack_gap(vma, addr - len, len)) {
5085 /* remember the address as a hint for next time */
5086 return (mm->free_area_cache = addr-len);
5087 }
5088 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
5089 if (unlikely(mm->mmap_base < len))
5090 goto bottomup;
5091
5092 - addr = mm->mmap_base-len;
5093 - if (do_colour_align)
5094 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5095 + addr = mm->mmap_base - len;
5096
5097 do {
5098 + if (do_colour_align)
5099 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5100 /*
5101 * Lookup failure means no vma is above this address,
5102 * else if new region fits below vma->vm_start,
5103 * return with success:
5104 */
5105 vma = find_vma(mm, addr);
5106 - if (likely(!vma || addr+len <= vma->vm_start)) {
5107 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5108 /* remember the address as a hint for next time */
5109 return (mm->free_area_cache = addr);
5110 }
5111 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
5112 mm->cached_hole_size = vma->vm_start - addr;
5113
5114 /* try just below the current vma->vm_start */
5115 - addr = vma->vm_start-len;
5116 - if (do_colour_align)
5117 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5118 - } while (likely(len < vma->vm_start));
5119 + addr = skip_heap_stack_gap(vma, len);
5120 + } while (!IS_ERR_VALUE(addr));
5121
5122 bottomup:
5123 /*
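Review bot: The loop now ends on `!IS_ERR_VALUE(addr)`, so its termination depends on skip_heap_stack_gap() returning an error value once nothing fits below `vma->vm_start`; the removed condition `len < vma->vm_start` made that visible in place. The helper is defined outside this hunk, so I would document the contract at the call site, e.g. `/* skip_heap_stack_gap() returns an error value when len (plus any gap) does not fit below vma */`. The enclosing arch_get_unmapped_area_topdown starts before this hunk.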
5124 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/atomic_64.h linux-2.6.39.1/arch/sparc/include/asm/atomic_64.h
5125 --- linux-2.6.39.1/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400
5126 +++ linux-2.6.39.1/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400
5127 @@ -14,18 +14,40 @@
5128 #define ATOMIC64_INIT(i) { (i) }
5129
5130 #define atomic_read(v) (*(volatile int *)&(v)->counter)
5131 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5132 +{
5133 + return v->counter;
5134 +}
5135 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
5136 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5137 +{
5138 + return v->counter;
5139 +}
5140
5141 #define atomic_set(v, i) (((v)->counter) = i)
5142 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5143 +{
5144 + v->counter = i;
5145 +}
5146 #define atomic64_set(v, i) (((v)->counter) = i)
5147 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5148 +{
5149 + v->counter = i;
5150 +}
5151
5152 extern void atomic_add(int, atomic_t *);
5153 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
5154 extern void atomic64_add(long, atomic64_t *);
5155 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
5156 extern void atomic_sub(int, atomic_t *);
5157 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
5158 extern void atomic64_sub(long, atomic64_t *);
5159 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
5160
5161 extern int atomic_add_ret(int, atomic_t *);
5162 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
5163 extern long atomic64_add_ret(long, atomic64_t *);
5164 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
5165 extern int atomic_sub_ret(int, atomic_t *);
5166 extern long atomic64_sub_ret(long, atomic64_t *);
5167
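Review bot: atomic_read_unchecked() and atomic64_read_unchecked() return `v->counter` with a plain load, while the atomic_read()/atomic64_read() macros beside them go through a volatile cast. Unless the counter field of the unchecked types is itself declared volatile (the type definitions are not in this hunk), the compiler may hoist or merge these reads in a polling loop. I would mirror the macros: `return *(volatile const int *)&v->counter;` and `return *(volatile const long *)&v->counter;`.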
5168 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
5169 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
5170
5171 #define atomic_inc_return(v) atomic_add_ret(1, v)
5172 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5173 +{
5174 + return atomic_add_ret_unchecked(1, v);
5175 +}
5176 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
5177 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
5178 +{
5179 + return atomic64_add_ret_unchecked(1, v);
5180 +}
5181
5182 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
5183 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
5184
5185 #define atomic_add_return(i, v) atomic_add_ret(i, v)
5186 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5187 +{
5188 + return atomic_add_ret_unchecked(i, v);
5189 +}
5190 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
5191
5192 /*
5193 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
5194 * other cases.
5195 */
5196 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5197 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
5198 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
5199
5200 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
5201 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
5202 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
5203
5204 #define atomic_inc(v) atomic_add(1, v)
5205 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5206 +{
5207 + atomic_add_unchecked(1, v);
5208 +}
5209 #define atomic64_inc(v) atomic64_add(1, v)
5210 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
5211 +{
5212 + atomic64_add_unchecked(1, v);
5213 +}
5214
5215 #define atomic_dec(v) atomic_sub(1, v)
5216 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
5217 +{
5218 + atomic_sub_unchecked(1, v);
5219 +}
5220 #define atomic64_dec(v) atomic64_sub(1, v)
5221 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
5222 +{
5223 + atomic64_sub_unchecked(1, v);
5224 +}
5225
5226 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
5227 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
5228
5229 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5230 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5231 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
5232 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
5233
5234 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5235 {
5236 - int c, old;
5237 + int c, old, new;
5238 c = atomic_read(v);
5239 for (;;) {
5240 - if (unlikely(c == (u)))
5241 + if (unlikely(c == u))
5242 break;
5243 - old = atomic_cmpxchg((v), c, c + (a));
5244 +
5245 + asm volatile("addcc %2, %0, %0\n"
5246 +
5247 +#ifdef CONFIG_PAX_REFCOUNT
5248 + "tvs %%icc, 6\n"
5249 +#endif
5250 +
5251 + : "=r" (new)
5252 + : "0" (c), "ir" (a)
5253 + : "cc");
5254 +
5255 + old = atomic_cmpxchg(v, c, new);
5256 if (likely(old == c))
5257 break;
5258 c = old;
5259 }
5260 - return c != (u);
5261 + return c != u;
5262 }
5263
5264 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
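Review bot: The `asm volatile("addcc ...")` block in atomic_add_unless is emitted in every build and only the `tvs %%icc, 6` line is under CONFIG_PAX_REFCOUNT, so without that option the plain `c + a` the compiler could optimise has been replaced by opaque inline assembly for no benefit. I would keep `new = c + a;` in an `#else` branch and put the whole asm under the `#ifdef`. The trap number 6 is also a bare constant; a comment naming what handles it would help. The atomic64_add_unless hunk below has the same shape with `%%xcc`.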
5265 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
5266
5267 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
5268 {
5269 - long c, old;
5270 + long c, old, new;
5271 c = atomic64_read(v);
5272 for (;;) {
5273 - if (unlikely(c == (u)))
5274 + if (unlikely(c == u))
5275 break;
5276 - old = atomic64_cmpxchg((v), c, c + (a));
5277 +
5278 + asm volatile("addcc %2, %0, %0\n"
5279 +
5280 +#ifdef CONFIG_PAX_REFCOUNT
5281 + "tvs %%xcc, 6\n"
5282 +#endif
5283 +
5284 + : "=r" (new)
5285 + : "0" (c), "ir" (a)
5286 + : "cc");
5287 +
5288 + old = atomic64_cmpxchg(v, c, new);
5289 if (likely(old == c))
5290 break;
5291 c = old;
5292 }
5293 - return c != (u);
5294 + return c != u;
5295 }
5296
5297 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
5298 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/cache.h linux-2.6.39.1/arch/sparc/include/asm/cache.h
5299 --- linux-2.6.39.1/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
5300 +++ linux-2.6.39.1/arch/sparc/include/asm/cache.h 2011-05-22 19:36:30.000000000 -0400
5301 @@ -10,7 +10,7 @@
5302 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
5303
5304 #define L1_CACHE_SHIFT 5
5305 -#define L1_CACHE_BYTES 32
5306 +#define L1_CACHE_BYTES 32U
5307
5308 #ifdef CONFIG_SPARC32
5309 #define SMP_CACHE_BYTES_SHIFT 5
5310 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.1/arch/sparc/include/asm/dma-mapping.h
5311 --- linux-2.6.39.1/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5312 +++ linux-2.6.39.1/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5313 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
5314 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
5315 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
5316
5317 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
5318 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
5319 extern struct bus_type pci_bus_type;
5320
5321 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5322 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5323 {
5324 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
5325 if (dev->bus == &pci_bus_type)
5326 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
5327 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5328 dma_addr_t *dma_handle, gfp_t flag)
5329 {
5330 - struct dma_map_ops *ops = get_dma_ops(dev);
5331 + const struct dma_map_ops *ops = get_dma_ops(dev);
5332 void *cpu_addr;
5333
5334 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
5335 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
5336 static inline void dma_free_coherent(struct device *dev, size_t size,
5337 void *cpu_addr, dma_addr_t dma_handle)
5338 {
5339 - struct dma_map_ops *ops = get_dma_ops(dev);
5340 + const struct dma_map_ops *ops = get_dma_ops(dev);
5341
5342 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
5343 ops->free_coherent(dev, size, cpu_addr, dma_handle);
5344 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/elf_32.h linux-2.6.39.1/arch/sparc/include/asm/elf_32.h
5345 --- linux-2.6.39.1/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400
5346 +++ linux-2.6.39.1/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400
5347 @@ -114,6 +114,13 @@ typedef struct {
5348
5349 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
5350
5351 +#ifdef CONFIG_PAX_ASLR
5352 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5353 +
5354 +#define PAX_DELTA_MMAP_LEN 16
5355 +#define PAX_DELTA_STACK_LEN 16
5356 +#endif
5357 +
5358 /* This yields a mask that user programs can use to figure out what
5359 instruction set this cpu supports. This can NOT be done in userspace
5360 on Sparc. */
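Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are bare numbers with no statement of their unit. They look like counts of random bits applied to the mmap and stack bases (an inference; the code consuming them is not shown), and a one-line comment such as `/* number of random bits in the mmap/stack offset */` would make the 16/16 choice here, and the 14/28 and 15/29 values in the elf_64.h hunk, reviewable.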
5361 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/elf_64.h linux-2.6.39.1/arch/sparc/include/asm/elf_64.h
5362 --- linux-2.6.39.1/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400
5363 +++ linux-2.6.39.1/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400
5364 @@ -162,6 +162,12 @@ typedef struct {
5365 #define ELF_ET_DYN_BASE 0x0000010000000000UL
5366 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
5367
5368 +#ifdef CONFIG_PAX_ASLR
5369 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
5370 +
5371 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
5372 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
5373 +#endif
5374
5375 /* This yields a mask that user programs can use to figure out what
5376 instruction set this cpu supports. */
5377 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.1/arch/sparc/include/asm/pgtable_32.h
5378 --- linux-2.6.39.1/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
5379 +++ linux-2.6.39.1/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
5380 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
5381 BTFIXUPDEF_INT(page_none)
5382 BTFIXUPDEF_INT(page_copy)
5383 BTFIXUPDEF_INT(page_readonly)
5384 +
5385 +#ifdef CONFIG_PAX_PAGEEXEC
5386 +BTFIXUPDEF_INT(page_shared_noexec)
5387 +BTFIXUPDEF_INT(page_copy_noexec)
5388 +BTFIXUPDEF_INT(page_readonly_noexec)
5389 +#endif
5390 +
5391 BTFIXUPDEF_INT(page_kernel)
5392
5393 #define PMD_SHIFT SUN4C_PMD_SHIFT
5394 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
5395 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
5396 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
5397
5398 +#ifdef CONFIG_PAX_PAGEEXEC
5399 +extern pgprot_t PAGE_SHARED_NOEXEC;
5400 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
5401 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
5402 +#else
5403 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
5404 +# define PAGE_COPY_NOEXEC PAGE_COPY
5405 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
5406 +#endif
5407 +
5408 extern unsigned long page_kernel;
5409
5410 #ifdef MODULE
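Review bot: In the `#else` branch the three `PAGE_*_NOEXEC` names quietly become aliases of the executable protections, so a caller that asks for a no-exec mapping gets an executable one whenever `CONFIG_PAX_PAGEEXEC` is off. That is presumably the intended fallback, but nothing says so; I would add `/* without PAGEEXEC the NOEXEC protections fall back to their executable counterparts */` above the `#else` defines. `PAGE_SHARED_NOEXEC` is an `extern pgprot_t` while the other two are `BTFIXUP_INT` macros, which matches the existing `PAGE_SHARED` declaration named in the hunk header; its definition is outside this hunk.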
5411 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.1/arch/sparc/include/asm/pgtsrmmu.h
5412 --- linux-2.6.39.1/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400
5413 +++ linux-2.6.39.1/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400
5414 @@ -115,6 +115,13 @@
5415 SRMMU_EXEC | SRMMU_REF)
5416 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
5417 SRMMU_EXEC | SRMMU_REF)
5418 +
5419 +#ifdef CONFIG_PAX_PAGEEXEC
5420 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
5421 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5422 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5423 +#endif
5424 +
5425 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
5426 SRMMU_DIRTY | SRMMU_REF)
5427
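Review bot: The three new `SRMMU_PAGE_*_NOEXEC` defines are each written on one long line, while the `SRMMU_PAGE_RDONLY` and `SRMMU_PAGE_KERNEL` definitions around them wrap with a backslash continuation. Wrapping them the same way keeps the flag lists easy to compare, which matters because the only intended difference from the executable variants is the missing `SRMMU_EXEC`. `SRMMU_PAGE_COPY_NOEXEC` and `SRMMU_PAGE_RDONLY_NOEXEC` expand to the same value, which mirrors the executable pair as far as the context lines show. A short `/* COPY and RDONLY are identical on purpose, as for the executable pair */` would save the next reader a double take.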
5428 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.1/arch/sparc/include/asm/spinlock_64.h
5429 --- linux-2.6.39.1/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400
5430 +++ linux-2.6.39.1/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400
5431 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
5432
5433 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
5434
5435 -static void inline arch_read_lock(arch_rwlock_t *lock)
5436 +static inline void arch_read_lock(arch_rwlock_t *lock)
5437 {
5438 unsigned long tmp1, tmp2;
5439
5440 __asm__ __volatile__ (
5441 "1: ldsw [%2], %0\n"
5442 " brlz,pn %0, 2f\n"
5443 -"4: add %0, 1, %1\n"
5444 +"4: addcc %0, 1, %1\n"
5445 +
5446 +#ifdef CONFIG_PAX_REFCOUNT
5447 +" tvs %%icc, 6\n"
5448 +#endif
5449 +
5450 " cas [%2], %0, %1\n"
5451 " cmp %0, %1\n"
5452 " bne,pn %%icc, 1b\n"
5453 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
5454 " .previous"
5455 : "=&r" (tmp1), "=&r" (tmp2)
5456 : "r" (lock)
5457 - : "memory");
5458 + : "memory", "cc");
5459 }
5460
5461 -static int inline arch_read_trylock(arch_rwlock_t *lock)
5462 +static inline int arch_read_trylock(arch_rwlock_t *lock)
5463 {
5464 int tmp1, tmp2;
5465
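Review bot: The `"cc"` clobber is added to `arch_read_lock` only, although `arch_read_trylock` and `arch_read_unlock` get the same `addcc`/`subcc` plus `tvs %%icc, 6` sequence in the following hunks. The `arch_read_unlock` clobber list appears there as an unchanged context line, `: "memory");`, and no hunk touches the one in `arch_read_trylock`. Whether the compiler needs the clobber on this target is a separate question, since the existing `cmp` already wrote the condition codes, but the three functions should agree: either use `: "memory", "cc");` in the other two as well or leave it out here. `arch_read_trylock` starts at the end of this hunk and continues in the next one.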
5466 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
5467 "1: ldsw [%2], %0\n"
5468 " brlz,a,pn %0, 2f\n"
5469 " mov 0, %0\n"
5470 -" add %0, 1, %1\n"
5471 +" addcc %0, 1, %1\n"
5472 +
5473 +#ifdef CONFIG_PAX_REFCOUNT
5474 +" tvs %%icc, 6\n"
5475 +#endif
5476 +
5477 " cas [%2], %0, %1\n"
5478 " cmp %0, %1\n"
5479 " bne,pn %%icc, 1b\n"
5480 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
5481 return tmp1;
5482 }
5483
5484 -static void inline arch_read_unlock(arch_rwlock_t *lock)
5485 +static inline void arch_read_unlock(arch_rwlock_t *lock)
5486 {
5487 unsigned long tmp1, tmp2;
5488
5489 __asm__ __volatile__(
5490 "1: lduw [%2], %0\n"
5491 -" sub %0, 1, %1\n"
5492 +" subcc %0, 1, %1\n"
5493 +
5494 +#ifdef CONFIG_PAX_REFCOUNT
5495 +" tvs %%icc, 6\n"
5496 +#endif
5497 +
5498 " cas [%2], %0, %1\n"
5499 " cmp %0, %1\n"
5500 " bne,pn %%xcc, 1b\n"
5501 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
5502 : "memory");
5503 }
5504
5505 -static void inline arch_write_lock(arch_rwlock_t *lock)
5506 +static inline void arch_write_lock(arch_rwlock_t *lock)
5507 {
5508 unsigned long mask, tmp1, tmp2;
5509
5510 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
5511 : "memory");
5512 }
5513
5514 -static void inline arch_write_unlock(arch_rwlock_t *lock)
5515 +static inline void arch_write_unlock(arch_rwlock_t *lock)
5516 {
5517 __asm__ __volatile__(
5518 " stw %%g0, [%0]"
5519 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
5520 : "memory");
5521 }
5522
5523 -static int inline arch_write_trylock(arch_rwlock_t *lock)
5524 +static inline int arch_write_trylock(arch_rwlock_t *lock)
5525 {
5526 unsigned long mask, tmp1, tmp2, result;
5527
5528 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.1/arch/sparc/include/asm/thread_info_32.h
5529 --- linux-2.6.39.1/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400
5530 +++ linux-2.6.39.1/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400
5531 @@ -50,6 +50,8 @@ struct thread_info {
5532 unsigned long w_saved;
5533
5534 struct restart_block restart_block;
5535 +
5536 + unsigned long lowest_stack;
5537 };
5538
5539 /*
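Review bot: The new `lowest_stack` member has no comment and is added unconditionally, here and in `thread_info_64.h` in the next section. A line such as `/* lowest_stack: <what it records and which option reads it> */` would help. If only one configuration reads it, the member could sit under that option's `#ifdef`; these hunks do not show which option that is. In the 64-bit structure it is placed just before `fpregs[0]`, which is aligned to 64 bytes, so any hand-maintained offset constants for that structure should be checked against the new layout; they are not visible in these hunks.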
5540 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.1/arch/sparc/include/asm/thread_info_64.h
5541 --- linux-2.6.39.1/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400
5542 +++ linux-2.6.39.1/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400
5543 @@ -63,6 +63,8 @@ struct thread_info {
5544 struct pt_regs *kern_una_regs;
5545 unsigned int kern_una_insn;
5546
5547 + unsigned long lowest_stack;
5548 +
5549 unsigned long fpregs[0] __attribute__ ((aligned(64)));
5550 };
5551
5552 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.1/arch/sparc/include/asm/uaccess_32.h
5553 --- linux-2.6.39.1/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
5554 +++ linux-2.6.39.1/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
5555 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
5556
5557 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
5558 {
5559 - if (n && __access_ok((unsigned long) to, n))
5560 + if ((long)n < 0)
5561 + return n;
5562 +
5563 + if (n && __access_ok((unsigned long) to, n)) {
5564 + if (!__builtin_constant_p(n))
5565 + check_object_size(from, n, true);
5566 return __copy_user(to, (__force void __user *) from, n);
5567 - else
5568 + } else
5569 return n;
5570 }
5571
5572 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
5573 {
5574 + if ((long)n < 0)
5575 + return n;
5576 +
5577 + if (!__builtin_constant_p(n))
5578 + check_object_size(from, n, true);
5579 +
5580 return __copy_user(to, (__force void __user *) from, n);
5581 }
5582
5583 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
5584 {
5585 - if (n && __access_ok((unsigned long) from, n))
5586 + if ((long)n < 0)
5587 + return n;
5588 +
5589 + if (n && __access_ok((unsigned long) from, n)) {
5590 + if (!__builtin_constant_p(n))
5591 + check_object_size(to, n, false);
5592 return __copy_user((__force void __user *) to, from, n);
5593 - else
5594 + } else
5595 return n;
5596 }
5597
5598 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
5599 {
5600 + if ((long)n < 0)
5601 + return n;
5602 +
5603 return __copy_user((__force void __user *) to, from, n);
5604 }
5605
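Review bot: `__copy_from_user` gets the `(long)n < 0` guard but not the `check_object_size()` call that the other three helpers in this hunk receive, so a copy into a kernel object through this variant skips the object-size check. If that is deliberate it needs a comment; otherwise add `if (!__builtin_constant_p(n))` and `check_object_size(to, n, false);` before the `__copy_user` call, as `copy_from_user` does. The early `return n;` paths report the whole length as uncopied without touching the destination, so callers of the two copy-from helpers must not read `to` after a non-zero return.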
5606 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.1/arch/sparc/include/asm/uaccess_64.h
5607 --- linux-2.6.39.1/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
5608 +++ linux-2.6.39.1/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
5609 @@ -10,6 +10,7 @@
5610 #include <linux/compiler.h>
5611 #include <linux/string.h>
5612 #include <linux/thread_info.h>
5613 +#include <linux/kernel.h>
5614 #include <asm/asi.h>
5615 #include <asm/system.h>
5616 #include <asm/spitfire.h>
5617 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
5618 static inline unsigned long __must_check
5619 copy_from_user(void *to, const void __user *from, unsigned long size)
5620 {
5621 - unsigned long ret = ___copy_from_user(to, from, size);
5622 + unsigned long ret;
5623
5624 + if ((long)size < 0 || size > INT_MAX)
5625 + return size;
5626 +
5627 + if (!__builtin_constant_p(size))
5628 + check_object_size(to, size, false);
5629 +
5630 + ret = ___copy_from_user(to, from, size);
5631 if (unlikely(ret))
5632 ret = copy_from_user_fixup(to, from, size);
5633
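Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant in this 64-bit header, because `size` is `unsigned long` and every value with the top bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` alone says the same thing; the same line appears in `copy_to_user` in the next hunk. The cap is also stricter than the plain sign test used in `uaccess_32.h`, so a comment would record why. Something like `/* lengths above INT_MAX are presumably a caller bug; report them as fully uncopied */` would do. The function's final `return` lies outside this hunk.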
5634 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
5635 static inline unsigned long __must_check
5636 copy_to_user(void __user *to, const void *from, unsigned long size)
5637 {
5638 - unsigned long ret = ___copy_to_user(to, from, size);
5639 + unsigned long ret;
5640 +
5641 + if ((long)size < 0 || size > INT_MAX)
5642 + return size;
5643 +
5644 + if (!__builtin_constant_p(size))
5645 + check_object_size(from, size, true);
5646
5647 + ret = ___copy_to_user(to, from, size);
5648 if (unlikely(ret))
5649 ret = copy_to_user_fixup(to, from, size);
5650 return ret;
5651 diff -urNp linux-2.6.39.1/arch/sparc/include/asm/uaccess.h linux-2.6.39.1/arch/sparc/include/asm/uaccess.h
5652 --- linux-2.6.39.1/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
5653 +++ linux-2.6.39.1/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
5654 @@ -1,5 +1,13 @@
5655 #ifndef ___ASM_SPARC_UACCESS_H
5656 #define ___ASM_SPARC_UACCESS_H
5657 +
5658 +#ifdef __KERNEL__
5659 +#ifndef __ASSEMBLY__
5660 +#include <linux/types.h>
5661 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
5662 +#endif
5663 +#endif
5664 +
5665 #if defined(__sparc__) && defined(__arch64__)
5666 #include <asm/uaccess_64.h>
5667 #else
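Review bot: The `check_object_size()` prototype carries no comment, and the meaning of its `bool to` argument can only be worked out from the call sites. In the sparc uaccess hunks of this patch it is `true` in the copy-to-user helpers, where `ptr` is the kernel source, and `false` in the copy-from-user helpers, where `ptr` is the kernel destination. I would put that above the declaration, for example `/* ptr: kernel-side buffer; to: true for copy_to_user, false for copy_from_user */`. The function's definition is not in this hunk.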
5668 diff -urNp linux-2.6.39.1/arch/sparc/kernel/iommu.c linux-2.6.39.1/arch/sparc/kernel/iommu.c
5669 --- linux-2.6.39.1/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400
5670 +++ linux-2.6.39.1/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400
5671 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5672 spin_unlock_irqrestore(&iommu->lock, flags);
5673 }
5674
5675 -static struct dma_map_ops sun4u_dma_ops = {
5676 +static const struct dma_map_ops sun4u_dma_ops = {
5677 .alloc_coherent = dma_4u_alloc_coherent,
5678 .free_coherent = dma_4u_free_coherent,
5679 .map_page = dma_4u_map_page,
5680 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
5681 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5682 };
5683
5684 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5685 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5686 EXPORT_SYMBOL(dma_ops);
5687
5688 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
5689 diff -urNp linux-2.6.39.1/arch/sparc/kernel/ioport.c linux-2.6.39.1/arch/sparc/kernel/ioport.c
5690 --- linux-2.6.39.1/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
5691 +++ linux-2.6.39.1/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400
5692 @@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru
5693 BUG();
5694 }
5695
5696 -struct dma_map_ops sbus_dma_ops = {
5697 +const struct dma_map_ops sbus_dma_ops = {
5698 .alloc_coherent = sbus_alloc_coherent,
5699 .free_coherent = sbus_free_coherent,
5700 .map_page = sbus_map_page,
5701 @@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str
5702 }
5703 }
5704
5705 -struct dma_map_ops pci32_dma_ops = {
5706 +const struct dma_map_ops pci32_dma_ops = {
5707 .alloc_coherent = pci32_alloc_coherent,
5708 .free_coherent = pci32_free_coherent,
5709 .map_page = pci32_map_page,
5710 diff -urNp linux-2.6.39.1/arch/sparc/kernel/kgdb_32.c linux-2.6.39.1/arch/sparc/kernel/kgdb_32.c
5711 --- linux-2.6.39.1/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400
5712 +++ linux-2.6.39.1/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400
5713 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5714 regs->npc = regs->pc + 4;
5715 }
5716
5717 -struct kgdb_arch arch_kgdb_ops = {
5718 +const struct kgdb_arch arch_kgdb_ops = {
5719 /* Breakpoint instruction: ta 0x7d */
5720 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5721 };
5722 diff -urNp linux-2.6.39.1/arch/sparc/kernel/kgdb_64.c linux-2.6.39.1/arch/sparc/kernel/kgdb_64.c
5723 --- linux-2.6.39.1/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400
5724 +++ linux-2.6.39.1/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400
5725 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5726 regs->tnpc = regs->tpc + 4;
5727 }
5728
5729 -struct kgdb_arch arch_kgdb_ops = {
5730 +const struct kgdb_arch arch_kgdb_ops = {
5731 /* Breakpoint instruction: ta 0x72 */
5732 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5733 };
5734 diff -urNp linux-2.6.39.1/arch/sparc/kernel/Makefile linux-2.6.39.1/arch/sparc/kernel/Makefile
5735 --- linux-2.6.39.1/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400
5736 +++ linux-2.6.39.1/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400
5737 @@ -3,7 +3,7 @@
5738 #
5739
5740 asflags-y := -ansi
5741 -ccflags-y := -Werror
5742 +#ccflags-y := -Werror
5743
5744 extra-y := head_$(BITS).o
5745 extra-y += init_task.o
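Review bot: `-Werror` is switched off by commenting the line out, with no note on why. With it gone, new warnings in `arch/sparc/kernel` no longer stop the build, and that would include any qualifier mismatch left over from the `const` conversions elsewhere in this patch. Either delete the line or keep it with a reason, for example `# -Werror disabled: <warning that currently fails the build>`.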
5746 diff -urNp linux-2.6.39.1/arch/sparc/kernel/pcic.c linux-2.6.39.1/arch/sparc/kernel/pcic.c
5747 --- linux-2.6.39.1/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400
5748 +++ linux-2.6.39.1/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400
5749 @@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_
5750 return -EINVAL;
5751 }
5752
5753 -static struct pci_ops pcic_ops = {
5754 +static const struct pci_ops pcic_ops = {
5755 .read = pcic_read_config,
5756 .write = pcic_write_config,
5757 };
5758 diff -urNp linux-2.6.39.1/arch/sparc/kernel/pci_common.c linux-2.6.39.1/arch/sparc/kernel/pci_common.c
5759 --- linux-2.6.39.1/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400
5760 +++ linux-2.6.39.1/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400
5761 @@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc
5762 return PCIBIOS_SUCCESSFUL;
5763 }
5764
5765 -struct pci_ops sun4u_pci_ops = {
5766 +const struct pci_ops sun4u_pci_ops = {
5767 .read = sun4u_read_pci_cfg,
5768 .write = sun4u_write_pci_cfg,
5769 };
5770 @@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc
5771 return PCIBIOS_SUCCESSFUL;
5772 }
5773
5774 -struct pci_ops sun4v_pci_ops = {
5775 +const struct pci_ops sun4v_pci_ops = {
5776 .read = sun4v_read_pci_cfg,
5777 .write = sun4v_write_pci_cfg,
5778 };
5779 diff -urNp linux-2.6.39.1/arch/sparc/kernel/pci_impl.h linux-2.6.39.1/arch/sparc/kernel/pci_impl.h
5780 --- linux-2.6.39.1/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400
5781 +++ linux-2.6.39.1/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400
5782 @@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr,
5783 extern void pci_config_write16(u16 *addr, u16 val);
5784 extern void pci_config_write32(u32 *addr, u32 val);
5785
5786 -extern struct pci_ops sun4u_pci_ops;
5787 -extern struct pci_ops sun4v_pci_ops;
5788 +extern const struct pci_ops sun4u_pci_ops;
5789 +extern const struct pci_ops sun4v_pci_ops;
5790
5791 extern volatile int pci_poke_in_progress;
5792 extern volatile int pci_poke_cpu;
5793 diff -urNp linux-2.6.39.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.1/arch/sparc/kernel/pci_sun4v.c
5794 --- linux-2.6.39.1/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400
5795 +++ linux-2.6.39.1/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400
5796 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
5797 spin_unlock_irqrestore(&iommu->lock, flags);
5798 }
5799
5800 -static struct dma_map_ops sun4v_dma_ops = {
5801 +static const struct dma_map_ops sun4v_dma_ops = {
5802 .alloc_coherent = dma_4v_alloc_coherent,
5803 .free_coherent = dma_4v_free_coherent,
5804 .map_page = dma_4v_map_page,
5805 diff -urNp linux-2.6.39.1/arch/sparc/kernel/process_32.c linux-2.6.39.1/arch/sparc/kernel/process_32.c
5806 --- linux-2.6.39.1/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
5807 +++ linux-2.6.39.1/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400
5808 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
5809 rw->ins[4], rw->ins[5],
5810 rw->ins[6],
5811 rw->ins[7]);
5812 - printk("%pS\n", (void *) rw->ins[7]);
5813 + printk("%pA\n", (void *) rw->ins[7]);
5814 rw = (struct reg_window32 *) rw->ins[6];
5815 }
5816 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
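Review bot: `%pA` is not defined by this hunk or by any other hunk in view, so what these backtrace lines print depends on a format-handler change elsewhere in the patch. The same substitution is made in the remaining hunks of `process_32.c` and in `process_64.c`, `traps_32.c`, `traps_64.c` and `unaligned_64.c`. These are the oops and backtrace paths, so the description or a comment at the format handler should say how `%pA` differs from `%pS`. In particular it should say whether `%pA` still resolves symbols when symbol output is otherwise restricted. `__show_backtrace` begins and ends outside this hunk.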
5817 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
5818
5819 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
5820 r->psr, r->pc, r->npc, r->y, print_tainted());
5821 - printk("PC: <%pS>\n", (void *) r->pc);
5822 + printk("PC: <%pA>\n", (void *) r->pc);
5823 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5824 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
5825 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
5826 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5827 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
5828 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
5829 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
5830 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
5831
5832 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5833 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
5834 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
5835 rw = (struct reg_window32 *) fp;
5836 pc = rw->ins[7];
5837 printk("[%08lx : ", pc);
5838 - printk("%pS ] ", (void *) pc);
5839 + printk("%pA ] ", (void *) pc);
5840 fp = rw->ins[6];
5841 } while (++count < 16);
5842 printk("\n");
5843 diff -urNp linux-2.6.39.1/arch/sparc/kernel/process_64.c linux-2.6.39.1/arch/sparc/kernel/process_64.c
5844 --- linux-2.6.39.1/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
5845 +++ linux-2.6.39.1/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400
5846 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
5847 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
5848 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
5849 if (regs->tstate & TSTATE_PRIV)
5850 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
5851 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
5852 }
5853
5854 void show_regs(struct pt_regs *regs)
5855 {
5856 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
5857 regs->tpc, regs->tnpc, regs->y, print_tainted());
5858 - printk("TPC: <%pS>\n", (void *) regs->tpc);
5859 + printk("TPC: <%pA>\n", (void *) regs->tpc);
5860 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
5861 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
5862 regs->u_regs[3]);
5863 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
5864 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
5865 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
5866 regs->u_regs[15]);
5867 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
5868 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
5869 show_regwindow(regs);
5870 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
5871 }
5872 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
5873 ((tp && tp->task) ? tp->task->pid : -1));
5874
5875 if (gp->tstate & TSTATE_PRIV) {
5876 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
5877 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
5878 (void *) gp->tpc,
5879 (void *) gp->o7,
5880 (void *) gp->i7,
5881 diff -urNp linux-2.6.39.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.1/arch/sparc/kernel/sys_sparc_32.c
5882 --- linux-2.6.39.1/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400
5883 +++ linux-2.6.39.1/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400
5884 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
5885 if (ARCH_SUN4C && len > 0x20000000)
5886 return -ENOMEM;
5887 if (!addr)
5888 - addr = TASK_UNMAPPED_BASE;
5889 + addr = current->mm->mmap_base;
5890
5891 if (flags & MAP_SHARED)
5892 addr = COLOUR_ALIGN(addr);
5893 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
5894 }
5895 if (TASK_SIZE - PAGE_SIZE - len < addr)
5896 return -ENOMEM;
5897 - if (!vmm || addr + len <= vmm->vm_start)
5898 + if (check_heap_stack_gap(vmm, addr, len))
5899 return addr;
5900 addr = vmm->vm_end;
5901 if (flags & MAP_SHARED)
5902 diff -urNp linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c
5903 --- linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400
5904 +++ linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400
5905 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
5906 /* We do not accept a shared mapping if it would violate
5907 * cache aliasing constraints.
5908 */
5909 - if ((flags & MAP_SHARED) &&
5910 + if ((filp || (flags & MAP_SHARED)) &&
5911 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
5912 return -EINVAL;
5913 return addr;
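Review bot: The comment above the test still reads "We do not accept a shared mapping", but the condition now also rejects any file-backed mapping, private ones included, whose address is not colour-aligned with `pgoff`. Update it to something like `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. The same change and the same stale comment are in `arch_get_unmapped_area_topdown` further down. The enclosing `if` is outside the hunk, but this looks like the fixed-address path. If so, private file mappings that used to succeed can now return `-EINVAL`, which deserves a line in the description.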
5914 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
5915 if (filp || (flags & MAP_SHARED))
5916 do_color_align = 1;
5917
5918 +#ifdef CONFIG_PAX_RANDMMAP
5919 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
5920 +#endif
5921 +
5922 if (addr) {
5923 if (do_color_align)
5924 addr = COLOUR_ALIGN(addr, pgoff);
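Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces, and its body is the whole `if (addr) { ... }` block that follows the `#endif` and a blank line. That pairing is easy to break by inserting a statement in between. A comment makes it explicit, e.g. `/* with RANDMMAP the caller's address hint is ignored; this if guards the block below */`. None of the hunks for `arch_get_unmapped_area_topdown` adds the same guard around its hint path, so as shown the two allocators treat a hint differently under `MF_PAX_RANDMMAP`; please confirm that is intended.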
5925 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
5926 addr = PAGE_ALIGN(addr);
5927
5928 vma = find_vma(mm, addr);
5929 - if (task_size - len >= addr &&
5930 - (!vma || addr + len <= vma->vm_start))
5931 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5932 return addr;
5933 }
5934
5935 if (len > mm->cached_hole_size) {
5936 - start_addr = addr = mm->free_area_cache;
5937 + start_addr = addr = mm->free_area_cache;
5938 } else {
5939 - start_addr = addr = TASK_UNMAPPED_BASE;
5940 + start_addr = addr = mm->mmap_base;
5941 mm->cached_hole_size = 0;
5942 }
5943
5944 @@ -174,14 +177,14 @@ full_search:
5945 vma = find_vma(mm, VA_EXCLUDE_END);
5946 }
5947 if (unlikely(task_size < addr)) {
5948 - if (start_addr != TASK_UNMAPPED_BASE) {
5949 - start_addr = addr = TASK_UNMAPPED_BASE;
5950 + if (start_addr != mm->mmap_base) {
5951 + start_addr = addr = mm->mmap_base;
5952 mm->cached_hole_size = 0;
5953 goto full_search;
5954 }
5955 return -ENOMEM;
5956 }
5957 - if (likely(!vma || addr + len <= vma->vm_start)) {
5958 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5959 /*
5960 * Remember the place where we stopped the search:
5961 */
5962 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
5963 /* We do not accept a shared mapping if it would violate
5964 * cache aliasing constraints.
5965 */
5966 - if ((flags & MAP_SHARED) &&
5967 + if ((filp || (flags & MAP_SHARED)) &&
5968 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
5969 return -EINVAL;
5970 return addr;
5971 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
5972 addr = PAGE_ALIGN(addr);
5973
5974 vma = find_vma(mm, addr);
5975 - if (task_size - len >= addr &&
5976 - (!vma || addr + len <= vma->vm_start))
5977 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5978 return addr;
5979 }
5980
5981 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
5982 /* make sure it can fit in the remaining address space */
5983 if (likely(addr > len)) {
5984 vma = find_vma(mm, addr-len);
5985 - if (!vma || addr <= vma->vm_start) {
5986 + if (check_heap_stack_gap(vma, addr - len, len)) {
5987 /* remember the address as a hint for next time */
5988 return (mm->free_area_cache = addr-len);
5989 }
5990 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
5991 if (unlikely(mm->mmap_base < len))
5992 goto bottomup;
5993
5994 - addr = mm->mmap_base-len;
5995 - if (do_color_align)
5996 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5997 + addr = mm->mmap_base - len;
5998
5999 do {
6000 + if (do_color_align)
6001 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6002 /*
6003 * Lookup failure means no vma is above this address,
6004 * else if new region fits below vma->vm_start,
6005 * return with success:
6006 */
6007 vma = find_vma(mm, addr);
6008 - if (likely(!vma || addr+len <= vma->vm_start)) {
6009 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6010 /* remember the address as a hint for next time */
6011 return (mm->free_area_cache = addr);
6012 }
6013 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
6014 mm->cached_hole_size = vma->vm_start - addr;
6015
6016 /* try just below the current vma->vm_start */
6017 - addr = vma->vm_start-len;
6018 - if (do_color_align)
6019 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6020 - } while (likely(len < vma->vm_start));
6021 + addr = skip_heap_stack_gap(vma, len);
6022 + } while (!IS_ERR_VALUE(addr));
6023
6024 bottomup:
6025 /*
6026 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
6027 gap == RLIM_INFINITY ||
6028 sysctl_legacy_va_layout) {
6029 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
6030 +
6031 +#ifdef CONFIG_PAX_RANDMMAP
6032 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6033 + mm->mmap_base += mm->delta_mmap;
6034 +#endif
6035 +
6036 mm->get_unmapped_area = arch_get_unmapped_area;
6037 mm->unmap_area = arch_unmap_area;
6038 } else {
6039 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
6040 gap = (task_size / 6 * 5);
6041
6042 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
6043 +
6044 +#ifdef CONFIG_PAX_RANDMMAP
6045 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6046 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
6047 +#endif
6048 +
6049 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
6050 mm->unmap_area = arch_unmap_area_topdown;
6051 }
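Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is an unchecked subtraction. With `gap` clamped to `task_size / 6 * 5` just above, the base can be as small as about a sixth of `task_size` before `random_factor` is taken off. If the two deltas together can reach that size the result wraps to a very large address, and their ranges are set outside this hunk. This needs either a bound check here or a comment stating the invariant, e.g. `/* delta_mmap + delta_stack < task_size / 6, see <where the deltas are computed> */`. The legacy branch in the previous hunk adds `delta_mmap` on top of `random_factor`, also without a bound.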
6052 diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_32.c linux-2.6.39.1/arch/sparc/kernel/traps_32.c
6053 --- linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
6054 +++ linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-22 19:41:32.000000000 -0400
6055 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
6056 count++ < 30 &&
6057 (((unsigned long) rw) >= PAGE_OFFSET) &&
6058 !(((unsigned long) rw) & 0x7)) {
6059 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
6060 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
6061 (void *) rw->ins[7]);
6062 rw = (struct reg_window32 *)rw->ins[6];
6063 }
6064 diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc/kernel/traps_64.c
6065 --- linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
6066 +++ linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-22 19:41:32.000000000 -0400
6067 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
6068 i + 1,
6069 p->trapstack[i].tstate, p->trapstack[i].tpc,
6070 p->trapstack[i].tnpc, p->trapstack[i].tt);
6071 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
6072 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
6073 }
6074 }
6075
6076 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
6077
6078 lvl -= 0x100;
6079 if (regs->tstate & TSTATE_PRIV) {
6080 +
6081 +#ifdef CONFIG_PAX_REFCOUNT
6082 + if (lvl == 6)
6083 + pax_report_refcount_overflow(regs);
6084 +#endif
6085 +
6086 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
6087 die_if_kernel(buffer, regs);
6088 }
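Review bot: The literal `6` in `if (lvl == 6)` has to stay in step with the `tvs %icc, 6` instructions added in `spinlock_64.h` and `atomic_64.S`, and nothing ties the two together. A shared name in a header that both C and assembly can include, say `#define PAX_REFCOUNT_TRAP 6` (name constructed for illustration), would make the link visible. The minimum is a one-line comment here: `/* software trap 6 is raised by the refcount overflow checks */`. `bad_trap` begins and ends outside this hunk.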
6089 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
6090 void bad_trap_tl1(struct pt_regs *regs, long lvl)
6091 {
6092 char buffer[32];
6093 -
6094 +
6095 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
6096 0, lvl, SIGTRAP) == NOTIFY_STOP)
6097 return;
6098
6099 +#ifdef CONFIG_PAX_REFCOUNT
6100 + if (lvl == 6)
6101 + pax_report_refcount_overflow(regs);
6102 +#endif
6103 +
6104 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
6105
6106 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
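Review bot: In `bad_trap_tl1` the new `lvl == 6` test is applied to `lvl` as passed in, whereas `bad_trap` in the previous hunk makes the same comparison only after `lvl -= 0x100`. Unless the TL>0 entry path already passes the software-trap number rather than the raw trap type, this branch cannot match. The callers are not visible here, so please confirm which it is and record it in a comment such as `/* lvl here is <raw trap type | software trap number> */`. The check also sits after the `notify_die()` early return, so a notifier that returns `NOTIFY_STOP` suppresses the overflow report.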
6107 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
6108 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
6109 printk("%s" "ERROR(%d): ",
6110 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
6111 - printk("TPC<%pS>\n", (void *) regs->tpc);
6112 + printk("TPC<%pA>\n", (void *) regs->tpc);
6113 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
6114 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
6115 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
6116 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
6117 smp_processor_id(),
6118 (type & 0x1) ? 'I' : 'D',
6119 regs->tpc);
6120 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
6121 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
6122 panic("Irrecoverable Cheetah+ parity error.");
6123 }
6124
6125 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
6126 smp_processor_id(),
6127 (type & 0x1) ? 'I' : 'D',
6128 regs->tpc);
6129 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
6130 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
6131 }
6132
6133 struct sun4v_error_entry {
6134 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
6135
6136 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
6137 regs->tpc, tl);
6138 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
6139 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
6140 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6141 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
6142 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
6143 (void *) regs->u_regs[UREG_I7]);
6144 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
6145 "pte[%lx] error[%lx]\n",
6146 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
6147
6148 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
6149 regs->tpc, tl);
6150 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
6151 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
6152 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6153 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
6154 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
6155 (void *) regs->u_regs[UREG_I7]);
6156 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
6157 "pte[%lx] error[%lx]\n",
6158 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
6159 fp = (unsigned long)sf->fp + STACK_BIAS;
6160 }
6161
6162 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6163 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6164 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6165 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
6166 int index = tsk->curr_ret_stack;
6167 if (tsk->ret_stack && index >= graph) {
6168 pc = tsk->ret_stack[index - graph].ret;
6169 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6170 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6171 graph++;
6172 }
6173 }
6174 @@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_
6175 while (rw &&
6176 count++ < 30 &&
6177 kstack_valid(tp, (unsigned long) rw)) {
6178 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
6179 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
6180 (void *) rw->ins[7]);
6181
6182 rw = kernel_stack_up(rw);
6183 diff -urNp linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c
6184 --- linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
6185 +++ linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
6186 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
6187 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
6188
6189 if (__ratelimit(&ratelimit)) {
6190 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
6191 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
6192 regs->tpc, (void *) regs->tpc);
6193 }
6194 }
6195 diff -urNp linux-2.6.39.1/arch/sparc/lib/atomic_64.S linux-2.6.39.1/arch/sparc/lib/atomic_64.S
6196 --- linux-2.6.39.1/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400
6197 +++ linux-2.6.39.1/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400
6198 @@ -18,7 +18,12 @@
6199 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
6200 BACKOFF_SETUP(%o2)
6201 1: lduw [%o1], %g1
6202 - add %g1, %o0, %g7
6203 + addcc %g1, %o0, %g7
6204 +
6205 +#ifdef CONFIG_PAX_REFCOUNT
6206 + tvs %icc, 6
6207 +#endif
6208 +
6209 cas [%o1], %g1, %g7
6210 cmp %g1, %g7
6211 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6212 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
6213 2: BACKOFF_SPIN(%o2, %o3, 1b)
6214 .size atomic_add, .-atomic_add
6215
6216 + .globl atomic_add_unchecked
6217 + .type atomic_add_unchecked,#function
6218 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6219 + BACKOFF_SETUP(%o2)
6220 +1: lduw [%o1], %g1
6221 + add %g1, %o0, %g7
6222 + cas [%o1], %g1, %g7
6223 + cmp %g1, %g7
6224 + bne,pn %icc, 2f
6225 + nop
6226 + retl
6227 + nop
6228 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6229 + .size atomic_add_unchecked, .-atomic_add_unchecked
6230 +
6231 .globl atomic_sub
6232 .type atomic_sub,#function
6233 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6234 BACKOFF_SETUP(%o2)
6235 1: lduw [%o1], %g1
6236 - sub %g1, %o0, %g7
6237 + subcc %g1, %o0, %g7
6238 +
6239 +#ifdef CONFIG_PAX_REFCOUNT
6240 + tvs %icc, 6
6241 +#endif
6242 +
6243 cas [%o1], %g1, %g7
6244 cmp %g1, %g7
6245 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
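Review bot: The retry branch in atomic_add_unchecked is `bne,pn %icc, 2f`, while the checked routine it was copied from uses `bne,pn %icc, BACKOFF_LABEL(2f, 1b)`. BACKOFF_LABEL is defined outside this patch section, but its two-label form suggests it selects `1b` in configurations where BACKOFF_SPIN expands to nothing; if so, a failed `cas` would branch to an empty `2:` and fall through into the next routine. Using `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` keeps the unchecked copy in step with the original. The same bare `2f` appears in atomic_sub_unchecked, atomic_add_ret_unchecked and the atomic64_*_unchecked routines added in the later hunks of this file.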
6246 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
6247 2: BACKOFF_SPIN(%o2, %o3, 1b)
6248 .size atomic_sub, .-atomic_sub
6249
6250 + .globl atomic_sub_unchecked
6251 + .type atomic_sub_unchecked,#function
6252 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6253 + BACKOFF_SETUP(%o2)
6254 +1: lduw [%o1], %g1
6255 + sub %g1, %o0, %g7
6256 + cas [%o1], %g1, %g7
6257 + cmp %g1, %g7
6258 + bne,pn %icc, 2f
6259 + nop
6260 + retl
6261 + nop
6262 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6263 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
6264 +
6265 .globl atomic_add_ret
6266 .type atomic_add_ret,#function
6267 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6268 BACKOFF_SETUP(%o2)
6269 1: lduw [%o1], %g1
6270 - add %g1, %o0, %g7
6271 + addcc %g1, %o0, %g7
6272 +
6273 +#ifdef CONFIG_PAX_REFCOUNT
6274 + tvs %icc, 6
6275 +#endif
6276 +
6277 cas [%o1], %g1, %g7
6278 cmp %g1, %g7
6279 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6280 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
6281 2: BACKOFF_SPIN(%o2, %o3, 1b)
6282 .size atomic_add_ret, .-atomic_add_ret
6283
6284 + .globl atomic_add_ret_unchecked
6285 + .type atomic_add_ret_unchecked,#function
6286 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6287 + BACKOFF_SETUP(%o2)
6288 +1: lduw [%o1], %g1
6289 + addcc %g1, %o0, %g7
6290 + cas [%o1], %g1, %g7
6291 + cmp %g1, %g7
6292 + bne,pn %icc, 2f
6293 + add %g7, %o0, %g7
6294 + sra %g7, 0, %o0
6295 + retl
6296 + nop
6297 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6298 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
6299 +
6300 .globl atomic_sub_ret
6301 .type atomic_sub_ret,#function
6302 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6303 BACKOFF_SETUP(%o2)
6304 1: lduw [%o1], %g1
6305 - sub %g1, %o0, %g7
6306 + subcc %g1, %o0, %g7
6307 +
6308 +#ifdef CONFIG_PAX_REFCOUNT
6309 + tvs %icc, 6
6310 +#endif
6311 +
6312 cas [%o1], %g1, %g7
6313 cmp %g1, %g7
6314 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
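Review bot: atomic_add_ret_unchecked computes with `addcc %g1, %o0, %g7`, but nothing reads the condition codes before `cmp %g1, %g7` overwrites them, and this variant has no `tvs`. Plain `add %g1, %o0, %g7`, as atomic_add_unchecked uses, would state directly that no overflow check is intended; as written a reader has to verify that the flags are dead. atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the following hunks use `addcc`/`subcc` the same way.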
6315 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
6316 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
6317 BACKOFF_SETUP(%o2)
6318 1: ldx [%o1], %g1
6319 - add %g1, %o0, %g7
6320 + addcc %g1, %o0, %g7
6321 +
6322 +#ifdef CONFIG_PAX_REFCOUNT
6323 + tvs %xcc, 6
6324 +#endif
6325 +
6326 casx [%o1], %g1, %g7
6327 cmp %g1, %g7
6328 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6329 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
6330 2: BACKOFF_SPIN(%o2, %o3, 1b)
6331 .size atomic64_add, .-atomic64_add
6332
6333 + .globl atomic64_add_unchecked
6334 + .type atomic64_add_unchecked,#function
6335 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6336 + BACKOFF_SETUP(%o2)
6337 +1: ldx [%o1], %g1
6338 + addcc %g1, %o0, %g7
6339 + casx [%o1], %g1, %g7
6340 + cmp %g1, %g7
6341 + bne,pn %xcc, 2f
6342 + nop
6343 + retl
6344 + nop
6345 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6346 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
6347 +
6348 .globl atomic64_sub
6349 .type atomic64_sub,#function
6350 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6351 BACKOFF_SETUP(%o2)
6352 1: ldx [%o1], %g1
6353 - sub %g1, %o0, %g7
6354 + subcc %g1, %o0, %g7
6355 +
6356 +#ifdef CONFIG_PAX_REFCOUNT
6357 + tvs %xcc, 6
6358 +#endif
6359 +
6360 casx [%o1], %g1, %g7
6361 cmp %g1, %g7
6362 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6363 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
6364 2: BACKOFF_SPIN(%o2, %o3, 1b)
6365 .size atomic64_sub, .-atomic64_sub
6366
6367 + .globl atomic64_sub_unchecked
6368 + .type atomic64_sub_unchecked,#function
6369 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6370 + BACKOFF_SETUP(%o2)
6371 +1: ldx [%o1], %g1
6372 + subcc %g1, %o0, %g7
6373 + casx [%o1], %g1, %g7
6374 + cmp %g1, %g7
6375 + bne,pn %xcc, 2f
6376 + nop
6377 + retl
6378 + nop
6379 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6380 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
6381 +
6382 .globl atomic64_add_ret
6383 .type atomic64_add_ret,#function
6384 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6385 BACKOFF_SETUP(%o2)
6386 1: ldx [%o1], %g1
6387 - add %g1, %o0, %g7
6388 + addcc %g1, %o0, %g7
6389 +
6390 +#ifdef CONFIG_PAX_REFCOUNT
6391 + tvs %xcc, 6
6392 +#endif
6393 +
6394 casx [%o1], %g1, %g7
6395 cmp %g1, %g7
6396 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6397 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
6398 2: BACKOFF_SPIN(%o2, %o3, 1b)
6399 .size atomic64_add_ret, .-atomic64_add_ret
6400
6401 + .globl atomic64_add_ret_unchecked
6402 + .type atomic64_add_ret_unchecked,#function
6403 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6404 + BACKOFF_SETUP(%o2)
6405 +1: ldx [%o1], %g1
6406 + addcc %g1, %o0, %g7
6407 + casx [%o1], %g1, %g7
6408 + cmp %g1, %g7
6409 + bne,pn %xcc, 2f
6410 + add %g7, %o0, %g7
6411 + mov %g7, %o0
6412 + retl
6413 + nop
6414 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6415 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
6416 +
6417 .globl atomic64_sub_ret
6418 .type atomic64_sub_ret,#function
6419 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6420 BACKOFF_SETUP(%o2)
6421 1: ldx [%o1], %g1
6422 - sub %g1, %o0, %g7
6423 + subcc %g1, %o0, %g7
6424 +
6425 +#ifdef CONFIG_PAX_REFCOUNT
6426 + tvs %xcc, 6
6427 +#endif
6428 +
6429 casx [%o1], %g1, %g7
6430 cmp %g1, %g7
6431 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6432 diff -urNp linux-2.6.39.1/arch/sparc/lib/ksyms.c linux-2.6.39.1/arch/sparc/lib/ksyms.c
6433 --- linux-2.6.39.1/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400
6434 +++ linux-2.6.39.1/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400
6435 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
6436
6437 /* Atomic counter implementation. */
6438 EXPORT_SYMBOL(atomic_add);
6439 +EXPORT_SYMBOL(atomic_add_unchecked);
6440 EXPORT_SYMBOL(atomic_add_ret);
6441 EXPORT_SYMBOL(atomic_sub);
6442 +EXPORT_SYMBOL(atomic_sub_unchecked);
6443 EXPORT_SYMBOL(atomic_sub_ret);
6444 EXPORT_SYMBOL(atomic64_add);
6445 +EXPORT_SYMBOL(atomic64_add_unchecked);
6446 EXPORT_SYMBOL(atomic64_add_ret);
6447 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
6448 EXPORT_SYMBOL(atomic64_sub);
6449 +EXPORT_SYMBOL(atomic64_sub_unchecked);
6450 EXPORT_SYMBOL(atomic64_sub_ret);
6451
6452 /* Atomic bit operations. */
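Review bot: atomic_add_ret_unchecked is declared `.globl` in atomic_64.S by this patch but gets no `EXPORT_SYMBOL` here, although atomic64_add_ret_unchecked and the other four unchecked routines do. If modular code reaches the 32-bit return variant it would fail to resolve at module load; whether such a caller exists cannot be seen from this hunk. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` would keep the list complete.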
6453 diff -urNp linux-2.6.39.1/arch/sparc/lib/Makefile linux-2.6.39.1/arch/sparc/lib/Makefile
6454 --- linux-2.6.39.1/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400
6455 +++ linux-2.6.39.1/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400
6456 @@ -2,7 +2,7 @@
6457 #
6458
6459 asflags-y := -ansi -DST_DIV0=0x02
6460 -ccflags-y := -Werror
6461 +#ccflags-y := -Werror
6462
6463 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
6464 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
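Review bot: `-Werror` is switched off by commenting the line out, with no note on which warning made that necessary. That leaves dead configuration in the Makefile and lets every new warning in arch/sparc/lib build silently, including any from the files this patch touches. Either delete the line or put the reason next to it, for example `# -Werror disabled: <name the warning and the file that triggers it>`, so it can be restored once that is fixed.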
6465 diff -urNp linux-2.6.39.1/arch/sparc/Makefile linux-2.6.39.1/arch/sparc/Makefile
6466 --- linux-2.6.39.1/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400
6467 +++ linux-2.6.39.1/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400
6468 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
6469 # Export what is needed by arch/sparc/boot/Makefile
6470 export VMLINUX_INIT VMLINUX_MAIN
6471 VMLINUX_INIT := $(head-y) $(init-y)
6472 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
6473 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
6474 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
6475 VMLINUX_MAIN += $(drivers-y) $(net-y)
6476
6477 diff -urNp linux-2.6.39.1/arch/sparc/mm/fault_32.c linux-2.6.39.1/arch/sparc/mm/fault_32.c
6478 --- linux-2.6.39.1/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400
6479 +++ linux-2.6.39.1/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400
6480 @@ -22,6 +22,9 @@
6481 #include <linux/interrupt.h>
6482 #include <linux/module.h>
6483 #include <linux/kdebug.h>
6484 +#include <linux/slab.h>
6485 +#include <linux/pagemap.h>
6486 +#include <linux/compiler.h>
6487
6488 #include <asm/system.h>
6489 #include <asm/page.h>
6490 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
6491 return safe_compute_effective_address(regs, insn);
6492 }
6493
6494 +#ifdef CONFIG_PAX_PAGEEXEC
6495 +#ifdef CONFIG_PAX_DLRESOLVE
6496 +static void pax_emuplt_close(struct vm_area_struct *vma)
6497 +{
6498 + vma->vm_mm->call_dl_resolve = 0UL;
6499 +}
6500 +
6501 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6502 +{
6503 + unsigned int *kaddr;
6504 +
6505 + vmf->page = alloc_page(GFP_HIGHUSER);
6506 + if (!vmf->page)
6507 + return VM_FAULT_OOM;
6508 +
6509 + kaddr = kmap(vmf->page);
6510 + memset(kaddr, 0, PAGE_SIZE);
6511 + kaddr[0] = 0x9DE3BFA8U; /* save */
6512 + flush_dcache_page(vmf->page);
6513 + kunmap(vmf->page);
6514 + return VM_FAULT_MAJOR;
6515 +}
6516 +
6517 +static const struct vm_operations_struct pax_vm_ops = {
6518 + .close = pax_emuplt_close,
6519 + .fault = pax_emuplt_fault
6520 +};
6521 +
6522 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6523 +{
6524 + int ret;
6525 +
6526 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6527 + vma->vm_mm = current->mm;
6528 + vma->vm_start = addr;
6529 + vma->vm_end = addr + PAGE_SIZE;
6530 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6531 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6532 + vma->vm_ops = &pax_vm_ops;
6533 +
6534 + ret = insert_vm_struct(current->mm, vma);
6535 + if (ret)
6536 + return ret;
6537 +
6538 + ++current->mm->total_vm;
6539 + return 0;
6540 +}
6541 +#endif
6542 +
6543 +/*
6544 + * PaX: decide what to do with offenders (regs->pc = fault address)
6545 + *
6546 + * returns 1 when task should be killed
6547 + * 2 when patched PLT trampoline was detected
6548 + * 3 when unpatched PLT trampoline was detected
6549 + */
6550 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6551 +{
6552 +
6553 +#ifdef CONFIG_PAX_EMUPLT
6554 + int err;
6555 +
6556 + do { /* PaX: patched PLT emulation #1 */
6557 + unsigned int sethi1, sethi2, jmpl;
6558 +
6559 + err = get_user(sethi1, (unsigned int *)regs->pc);
6560 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
6561 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
6562 +
6563 + if (err)
6564 + break;
6565 +
6566 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6567 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6568 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6569 + {
6570 + unsigned int addr;
6571 +
6572 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6573 + addr = regs->u_regs[UREG_G1];
6574 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6575 + regs->pc = addr;
6576 + regs->npc = addr+4;
6577 + return 2;
6578 + }
6579 + } while (0);
6580 +
6581 + { /* PaX: patched PLT emulation #2 */
6582 + unsigned int ba;
6583 +
6584 + err = get_user(ba, (unsigned int *)regs->pc);
6585 +
6586 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6587 + unsigned int addr;
6588 +
6589 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6590 + regs->pc = addr;
6591 + regs->npc = addr+4;
6592 + return 2;
6593 + }
6594 + }
6595 +
6596 + do { /* PaX: patched PLT emulation #3 */
6597 + unsigned int sethi, jmpl, nop;
6598 +
6599 + err = get_user(sethi, (unsigned int *)regs->pc);
6600 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6601 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6602 +
6603 + if (err)
6604 + break;
6605 +
6606 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6607 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6608 + nop == 0x01000000U)
6609 + {
6610 + unsigned int addr;
6611 +
6612 + addr = (sethi & 0x003FFFFFU) << 10;
6613 + regs->u_regs[UREG_G1] = addr;
6614 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6615 + regs->pc = addr;
6616 + regs->npc = addr+4;
6617 + return 2;
6618 + }
6619 + } while (0);
6620 +
6621 + do { /* PaX: unpatched PLT emulation step 1 */
6622 + unsigned int sethi, ba, nop;
6623 +
6624 + err = get_user(sethi, (unsigned int *)regs->pc);
6625 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
6626 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6627 +
6628 + if (err)
6629 + break;
6630 +
6631 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6632 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6633 + nop == 0x01000000U)
6634 + {
6635 + unsigned int addr, save, call;
6636 +
6637 + if ((ba & 0xFFC00000U) == 0x30800000U)
6638 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6639 + else
6640 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6641 +
6642 + err = get_user(save, (unsigned int *)addr);
6643 + err |= get_user(call, (unsigned int *)(addr+4));
6644 + err |= get_user(nop, (unsigned int *)(addr+8));
6645 + if (err)
6646 + break;
6647 +
6648 +#ifdef CONFIG_PAX_DLRESOLVE
6649 + if (save == 0x9DE3BFA8U &&
6650 + (call & 0xC0000000U) == 0x40000000U &&
6651 + nop == 0x01000000U)
6652 + {
6653 + struct vm_area_struct *vma;
6654 + unsigned long call_dl_resolve;
6655 +
6656 + down_read(&current->mm->mmap_sem);
6657 + call_dl_resolve = current->mm->call_dl_resolve;
6658 + up_read(&current->mm->mmap_sem);
6659 + if (likely(call_dl_resolve))
6660 + goto emulate;
6661 +
6662 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6663 +
6664 + down_write(&current->mm->mmap_sem);
6665 + if (current->mm->call_dl_resolve) {
6666 + call_dl_resolve = current->mm->call_dl_resolve;
6667 + up_write(&current->mm->mmap_sem);
6668 + if (vma)
6669 + kmem_cache_free(vm_area_cachep, vma);
6670 + goto emulate;
6671 + }
6672 +
6673 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6674 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6675 + up_write(&current->mm->mmap_sem);
6676 + if (vma)
6677 + kmem_cache_free(vm_area_cachep, vma);
6678 + return 1;
6679 + }
6680 +
6681 + if (pax_insert_vma(vma, call_dl_resolve)) {
6682 + up_write(&current->mm->mmap_sem);
6683 + kmem_cache_free(vm_area_cachep, vma);
6684 + return 1;
6685 + }
6686 +
6687 + current->mm->call_dl_resolve = call_dl_resolve;
6688 + up_write(&current->mm->mmap_sem);
6689 +
6690 +emulate:
6691 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6692 + regs->pc = call_dl_resolve;
6693 + regs->npc = addr+4;
6694 + return 3;
6695 + }
6696 +#endif
6697 +
6698 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6699 + if ((save & 0xFFC00000U) == 0x05000000U &&
6700 + (call & 0xFFFFE000U) == 0x85C0A000U &&
6701 + nop == 0x01000000U)
6702 + {
6703 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6704 + regs->u_regs[UREG_G2] = addr + 4;
6705 + addr = (save & 0x003FFFFFU) << 10;
6706 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6707 + regs->pc = addr;
6708 + regs->npc = addr+4;
6709 + return 3;
6710 + }
6711 + }
6712 + } while (0);
6713 +
6714 + do { /* PaX: unpatched PLT emulation step 2 */
6715 + unsigned int save, call, nop;
6716 +
6717 + err = get_user(save, (unsigned int *)(regs->pc-4));
6718 + err |= get_user(call, (unsigned int *)regs->pc);
6719 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
6720 + if (err)
6721 + break;
6722 +
6723 + if (save == 0x9DE3BFA8U &&
6724 + (call & 0xC0000000U) == 0x40000000U &&
6725 + nop == 0x01000000U)
6726 + {
6727 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6728 +
6729 + regs->u_regs[UREG_RETPC] = regs->pc;
6730 + regs->pc = dl_resolve;
6731 + regs->npc = dl_resolve+4;
6732 + return 3;
6733 + }
6734 + } while (0);
6735 +#endif
6736 +
6737 + return 1;
6738 +}
6739 +
6740 +void pax_report_insns(void *pc, void *sp)
6741 +{
6742 + unsigned long i;
6743 +
6744 + printk(KERN_ERR "PAX: bytes at PC: ");
6745 + for (i = 0; i < 8; i++) {
6746 + unsigned int c;
6747 + if (get_user(c, (unsigned int *)pc+i))
6748 + printk(KERN_CONT "???????? ");
6749 + else
6750 + printk(KERN_CONT "%08x ", c);
6751 + }
6752 + printk("\n");
6753 +}
6754 +#endif
6755 +
6756 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
6757 int text_fault)
6758 {
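Review bot: "unpatched PLT emulation step 2" in pax_handle_fetch_fault is compiled whenever CONFIG_PAX_EMUPLT is set, whereas the sparc64 copy of this function later in the patch wraps the same block in `#ifdef CONFIG_PAX_DLRESOLVE`. Step 2 appears to exist only to continue from the `save` page that the DLRESOLVE branch of step 1 sets up, so without that option it would still emulate a `save`/`call`/`nop` sequence found around a non-executable PC. Wrapping the block in `#ifdef CONFIG_PAX_DLRESOLVE` / `#endif` here would keep the set of emulated sequences as narrow as on sparc64; if sparc32 is meant to differ, a comment should say why.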
6759 @@ -281,6 +546,24 @@ good_area:
6760 if(!(vma->vm_flags & VM_WRITE))
6761 goto bad_area;
6762 } else {
6763 +
6764 +#ifdef CONFIG_PAX_PAGEEXEC
6765 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
6766 + up_read(&mm->mmap_sem);
6767 + switch (pax_handle_fetch_fault(regs)) {
6768 +
6769 +#ifdef CONFIG_PAX_EMUPLT
6770 + case 2:
6771 + case 3:
6772 + return;
6773 +#endif
6774 +
6775 + }
6776 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
6777 + do_group_exit(SIGKILL);
6778 + }
6779 +#endif
6780 +
6781 /* Allow reads even for write-only mappings */
6782 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
6783 goto bad_area;
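Review bot: The `switch` on pax_handle_fetch_fault() matches the literals `2` and `3`, whose meaning is given only in the comment above that function, and it has no `default`, so with CONFIG_PAX_EMUPLT off its body is empty. Named constants for the three return values, for example `enum { PAX_FETCH_KILL = 1, PAX_FETCH_PLT_PATCHED, PAX_FETCH_PLT_UNPATCHED };`, and a plain `if` on the result would make the path to `do_group_exit(SIGKILL)` easier to audit. The enclosing fault handler starts and ends outside this hunk.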
6784 diff -urNp linux-2.6.39.1/arch/sparc/mm/fault_64.c linux-2.6.39.1/arch/sparc/mm/fault_64.c
6785 --- linux-2.6.39.1/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400
6786 +++ linux-2.6.39.1/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400
6787 @@ -21,6 +21,9 @@
6788 #include <linux/kprobes.h>
6789 #include <linux/kdebug.h>
6790 #include <linux/percpu.h>
6791 +#include <linux/slab.h>
6792 +#include <linux/pagemap.h>
6793 +#include <linux/compiler.h>
6794
6795 #include <asm/page.h>
6796 #include <asm/pgtable.h>
6797 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
6798 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
6799 regs->tpc);
6800 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
6801 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
6802 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
6803 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
6804 dump_stack();
6805 unhandled_fault(regs->tpc, current, regs);
6806 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
6807 show_regs(regs);
6808 }
6809
6810 +#ifdef CONFIG_PAX_PAGEEXEC
6811 +#ifdef CONFIG_PAX_DLRESOLVE
6812 +static void pax_emuplt_close(struct vm_area_struct *vma)
6813 +{
6814 + vma->vm_mm->call_dl_resolve = 0UL;
6815 +}
6816 +
6817 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6818 +{
6819 + unsigned int *kaddr;
6820 +
6821 + vmf->page = alloc_page(GFP_HIGHUSER);
6822 + if (!vmf->page)
6823 + return VM_FAULT_OOM;
6824 +
6825 + kaddr = kmap(vmf->page);
6826 + memset(kaddr, 0, PAGE_SIZE);
6827 + kaddr[0] = 0x9DE3BFA8U; /* save */
6828 + flush_dcache_page(vmf->page);
6829 + kunmap(vmf->page);
6830 + return VM_FAULT_MAJOR;
6831 +}
6832 +
6833 +static const struct vm_operations_struct pax_vm_ops = {
6834 + .close = pax_emuplt_close,
6835 + .fault = pax_emuplt_fault
6836 +};
6837 +
6838 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6839 +{
6840 + int ret;
6841 +
6842 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6843 + vma->vm_mm = current->mm;
6844 + vma->vm_start = addr;
6845 + vma->vm_end = addr + PAGE_SIZE;
6846 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6847 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6848 + vma->vm_ops = &pax_vm_ops;
6849 +
6850 + ret = insert_vm_struct(current->mm, vma);
6851 + if (ret)
6852 + return ret;
6853 +
6854 + ++current->mm->total_vm;
6855 + return 0;
6856 +}
6857 +#endif
6858 +
6859 +/*
6860 + * PaX: decide what to do with offenders (regs->tpc = fault address)
6861 + *
6862 + * returns 1 when task should be killed
6863 + * 2 when patched PLT trampoline was detected
6864 + * 3 when unpatched PLT trampoline was detected
6865 + */
6866 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6867 +{
6868 +
6869 +#ifdef CONFIG_PAX_EMUPLT
6870 + int err;
6871 +
6872 + do { /* PaX: patched PLT emulation #1 */
6873 + unsigned int sethi1, sethi2, jmpl;
6874 +
6875 + err = get_user(sethi1, (unsigned int *)regs->tpc);
6876 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
6877 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
6878 +
6879 + if (err)
6880 + break;
6881 +
6882 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6883 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6884 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6885 + {
6886 + unsigned long addr;
6887 +
6888 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6889 + addr = regs->u_regs[UREG_G1];
6890 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
6891 +
6892 + if (test_thread_flag(TIF_32BIT))
6893 + addr &= 0xFFFFFFFFUL;
6894 +
6895 + regs->tpc = addr;
6896 + regs->tnpc = addr+4;
6897 + return 2;
6898 + }
6899 + } while (0);
6900 +
6901 + { /* PaX: patched PLT emulation #2 */
6902 + unsigned int ba;
6903 +
6904 + err = get_user(ba, (unsigned int *)regs->tpc);
6905 +
6906 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6907 + unsigned long addr;
6908 +
6909 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
6910 +
6911 + if (test_thread_flag(TIF_32BIT))
6912 + addr &= 0xFFFFFFFFUL;
6913 +
6914 + regs->tpc = addr;
6915 + regs->tnpc = addr+4;
6916 + return 2;
6917 + }
6918 + }
6919 +
6920 + do { /* PaX: patched PLT emulation #3 */
6921 + unsigned int sethi, jmpl, nop;
6922 +
6923 + err = get_user(sethi, (unsigned int *)regs->tpc);
6924 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
6925 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
6926 +
6927 + if (err)
6928 + break;
6929 +
6930 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6931 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6932 + nop == 0x01000000U)
6933 + {
6934 + unsigned long addr;
6935 +
6936 + addr = (sethi & 0x003FFFFFU) << 10;
6937 + regs->u_regs[UREG_G1] = addr;
6938 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
6939 +
6940 + if (test_thread_flag(TIF_32BIT))
6941 + addr &= 0xFFFFFFFFUL;
6942 +
6943 + regs->tpc = addr;
6944 + regs->tnpc = addr+4;
6945 + return 2;
6946 + }
6947 + } while (0);
6948 +
6949 + do { /* PaX: patched PLT emulation #4 */
6950 + unsigned int sethi, mov1, call, mov2;
6951 +
6952 + err = get_user(sethi, (unsigned int *)regs->tpc);
6953 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
6954 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
6955 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
6956 +
6957 + if (err)
6958 + break;
6959 +
6960 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6961 + mov1 == 0x8210000FU &&
6962 + (call & 0xC0000000U) == 0x40000000U &&
6963 + mov2 == 0x9E100001U)
6964 + {
6965 + unsigned long addr;
6966 +
6967 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
6968 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
6969 +
6970 + if (test_thread_flag(TIF_32BIT))
6971 + addr &= 0xFFFFFFFFUL;
6972 +
6973 + regs->tpc = addr;
6974 + regs->tnpc = addr+4;
6975 + return 2;
6976 + }
6977 + } while (0);
6978 +
6979 + do { /* PaX: patched PLT emulation #5 */
6980 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
6981 +
6982 + err = get_user(sethi, (unsigned int *)regs->tpc);
6983 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
6984 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
6985 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
6986 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
6987 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
6988 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
6989 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
6990 +
6991 + if (err)
6992 + break;
6993 +
6994 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6995 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
6996 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
6997 + (or1 & 0xFFFFE000U) == 0x82106000U &&
6998 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
6999 + sllx == 0x83287020U &&
7000 + jmpl == 0x81C04005U &&
7001 + nop == 0x01000000U)
7002 + {
7003 + unsigned long addr;
7004 +
7005 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7006 + regs->u_regs[UREG_G1] <<= 32;
7007 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7008 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7009 + regs->tpc = addr;
7010 + regs->tnpc = addr+4;
7011 + return 2;
7012 + }
7013 + } while (0);
7014 +
7015 + do { /* PaX: patched PLT emulation #6 */
7016 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
7017 +
7018 + err = get_user(sethi, (unsigned int *)regs->tpc);
7019 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7020 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7021 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
7022 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
7023 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
7024 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
7025 +
7026 + if (err)
7027 + break;
7028 +
7029 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7030 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7031 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7032 + sllx == 0x83287020U &&
7033 + (or & 0xFFFFE000U) == 0x8A116000U &&
7034 + jmpl == 0x81C04005U &&
7035 + nop == 0x01000000U)
7036 + {
7037 + unsigned long addr;
7038 +
7039 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
7040 + regs->u_regs[UREG_G1] <<= 32;
7041 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
7042 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7043 + regs->tpc = addr;
7044 + regs->tnpc = addr+4;
7045 + return 2;
7046 + }
7047 + } while (0);
7048 +
7049 + do { /* PaX: unpatched PLT emulation step 1 */
7050 + unsigned int sethi, ba, nop;
7051 +
7052 + err = get_user(sethi, (unsigned int *)regs->tpc);
7053 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7054 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7055 +
7056 + if (err)
7057 + break;
7058 +
7059 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7060 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
7061 + nop == 0x01000000U)
7062 + {
7063 + unsigned long addr;
7064 + unsigned int save, call;
7065 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
7066 +
7067 + if ((ba & 0xFFC00000U) == 0x30800000U)
7068 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7069 + else
7070 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7071 +
7072 + if (test_thread_flag(TIF_32BIT))
7073 + addr &= 0xFFFFFFFFUL;
7074 +
7075 + err = get_user(save, (unsigned int *)addr);
7076 + err |= get_user(call, (unsigned int *)(addr+4));
7077 + err |= get_user(nop, (unsigned int *)(addr+8));
7078 + if (err)
7079 + break;
7080 +
7081 +#ifdef CONFIG_PAX_DLRESOLVE
7082 + if (save == 0x9DE3BFA8U &&
7083 + (call & 0xC0000000U) == 0x40000000U &&
7084 + nop == 0x01000000U)
7085 + {
7086 + struct vm_area_struct *vma;
7087 + unsigned long call_dl_resolve;
7088 +
7089 + down_read(&current->mm->mmap_sem);
7090 + call_dl_resolve = current->mm->call_dl_resolve;
7091 + up_read(&current->mm->mmap_sem);
7092 + if (likely(call_dl_resolve))
7093 + goto emulate;
7094 +
7095 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
7096 +
7097 + down_write(&current->mm->mmap_sem);
7098 + if (current->mm->call_dl_resolve) {
7099 + call_dl_resolve = current->mm->call_dl_resolve;
7100 + up_write(&current->mm->mmap_sem);
7101 + if (vma)
7102 + kmem_cache_free(vm_area_cachep, vma);
7103 + goto emulate;
7104 + }
7105 +
7106 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
7107 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
7108 + up_write(&current->mm->mmap_sem);
7109 + if (vma)
7110 + kmem_cache_free(vm_area_cachep, vma);
7111 + return 1;
7112 + }
7113 +
7114 + if (pax_insert_vma(vma, call_dl_resolve)) {
7115 + up_write(&current->mm->mmap_sem);
7116 + kmem_cache_free(vm_area_cachep, vma);
7117 + return 1;
7118 + }
7119 +
7120 + current->mm->call_dl_resolve = call_dl_resolve;
7121 + up_write(&current->mm->mmap_sem);
7122 +
7123 +emulate:
7124 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7125 + regs->tpc = call_dl_resolve;
7126 + regs->tnpc = addr+4;
7127 + return 3;
7128 + }
7129 +#endif
7130 +
7131 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
7132 + if ((save & 0xFFC00000U) == 0x05000000U &&
7133 + (call & 0xFFFFE000U) == 0x85C0A000U &&
7134 + nop == 0x01000000U)
7135 + {
7136 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7137 + regs->u_regs[UREG_G2] = addr + 4;
7138 + addr = (save & 0x003FFFFFU) << 10;
7139 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7140 +
7141 + if (test_thread_flag(TIF_32BIT))
7142 + addr &= 0xFFFFFFFFUL;
7143 +
7144 + regs->tpc = addr;
7145 + regs->tnpc = addr+4;
7146 + return 3;
7147 + }
7148 +
7149 + /* PaX: 64-bit PLT stub */
7150 + err = get_user(sethi1, (unsigned int *)addr);
7151 + err |= get_user(sethi2, (unsigned int *)(addr+4));
7152 + err |= get_user(or1, (unsigned int *)(addr+8));
7153 + err |= get_user(or2, (unsigned int *)(addr+12));
7154 + err |= get_user(sllx, (unsigned int *)(addr+16));
7155 + err |= get_user(add, (unsigned int *)(addr+20));
7156 + err |= get_user(jmpl, (unsigned int *)(addr+24));
7157 + err |= get_user(nop, (unsigned int *)(addr+28));
7158 + if (err)
7159 + break;
7160 +
7161 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
7162 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7163 + (or1 & 0xFFFFE000U) == 0x88112000U &&
7164 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7165 + sllx == 0x89293020U &&
7166 + add == 0x8A010005U &&
7167 + jmpl == 0x89C14000U &&
7168 + nop == 0x01000000U)
7169 + {
7170 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7171 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7172 + regs->u_regs[UREG_G4] <<= 32;
7173 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7174 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
7175 + regs->u_regs[UREG_G4] = addr + 24;
7176 + addr = regs->u_regs[UREG_G5];
7177 + regs->tpc = addr;
7178 + regs->tnpc = addr+4;
7179 + return 3;
7180 + }
7181 + }
7182 + } while (0);
7183 +
7184 +#ifdef CONFIG_PAX_DLRESOLVE
7185 + do { /* PaX: unpatched PLT emulation step 2 */
7186 + unsigned int save, call, nop;
7187 +
7188 + err = get_user(save, (unsigned int *)(regs->tpc-4));
7189 + err |= get_user(call, (unsigned int *)regs->tpc);
7190 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
7191 + if (err)
7192 + break;
7193 +
7194 + if (save == 0x9DE3BFA8U &&
7195 + (call & 0xC0000000U) == 0x40000000U &&
7196 + nop == 0x01000000U)
7197 + {
7198 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7199 +
7200 + if (test_thread_flag(TIF_32BIT))
7201 + dl_resolve &= 0xFFFFFFFFUL;
7202 +
7203 + regs->u_regs[UREG_RETPC] = regs->tpc;
7204 + regs->tpc = dl_resolve;
7205 + regs->tnpc = dl_resolve+4;
7206 + return 3;
7207 + }
7208 + } while (0);
7209 +#endif
7210 +
7211 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
7212 + unsigned int sethi, ba, nop;
7213 +
7214 + err = get_user(sethi, (unsigned int *)regs->tpc);
7215 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7216 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7217 +
7218 + if (err)
7219 + break;
7220 +
7221 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7222 + (ba & 0xFFF00000U) == 0x30600000U &&
7223 + nop == 0x01000000U)
7224 + {
7225 + unsigned long addr;
7226 +
7227 + addr = (sethi & 0x003FFFFFU) << 10;
7228 + regs->u_regs[UREG_G1] = addr;
7229 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7230 +
7231 + if (test_thread_flag(TIF_32BIT))
7232 + addr &= 0xFFFFFFFFUL;
7233 +
7234 + regs->tpc = addr;
7235 + regs->tnpc = addr+4;
7236 + return 2;
7237 + }
7238 + } while (0);
7239 +
7240 +#endif
7241 +
7242 + return 1;
7243 +}
7244 +
7245 +void pax_report_insns(void *pc, void *sp)
7246 +{
7247 + unsigned long i;
7248 +
7249 + printk(KERN_ERR "PAX: bytes at PC: ");
7250 + for (i = 0; i < 8; i++) {
7251 + unsigned int c;
7252 + if (get_user(c, (unsigned int *)pc+i))
7253 + printk(KERN_CONT "???????? ");
7254 + else
7255 + printk(KERN_CONT "%08x ", c);
7256 + }
7257 + printk("\n");
7258 +}
7259 +#endif
7260 +
7261 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
7262 {
7263 struct mm_struct *mm = current->mm;
7264 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
7265 if (!vma)
7266 goto bad_area;
7267
7268 +#ifdef CONFIG_PAX_PAGEEXEC
7269 + /* PaX: detect ITLB misses on non-exec pages */
7270 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
7271 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
7272 + {
7273 + if (address != regs->tpc)
7274 + goto good_area;
7275 +
7276 + up_read(&mm->mmap_sem);
7277 + switch (pax_handle_fetch_fault(regs)) {
7278 +
7279 +#ifdef CONFIG_PAX_EMUPLT
7280 + case 2:
7281 + case 3:
7282 + return;
7283 +#endif
7284 +
7285 + }
7286 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
7287 + do_group_exit(SIGKILL);
7288 + }
7289 +#endif
7290 +
7291 /* Pure DTLB misses do not tell us whether the fault causing
7292 * load/store/atomic was a write or not, it only says that there
7293 * was no match. So in such a case we (carefully) read the
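Review bot: The `switch (pax_handle_fetch_fault(regs))` block dispatches on the bare values 2 and 3 with no comment or named constant, and with CONFIG_PAX_EMUPLT off it is an empty switch with no `default`. In the handler body above, 1 is the fall-through result, 2 is returned by the patched-PLT path and 3 by the unpatched-PLT paths. A comment such as `/* 2, 3: PLT stub emulated, resume at the rewritten tpc; anything else is treated as an NX violation */` above the cases would make the kill path easier to audit. It would also help to note why `mmap_sem` is released before the call, presumably because the handler reads user memory with `get_user`. do_sparc64_fault continues outside this hunk.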
7294 diff -urNp linux-2.6.39.1/arch/sparc/mm/hugetlbpage.c linux-2.6.39.1/arch/sparc/mm/hugetlbpage.c
7295 --- linux-2.6.39.1/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
7296 +++ linux-2.6.39.1/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
7297 @@ -68,7 +68,7 @@ full_search:
7298 }
7299 return -ENOMEM;
7300 }
7301 - if (likely(!vma || addr + len <= vma->vm_start)) {
7302 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7303 /*
7304 * Remember the place where we stopped the search:
7305 */
7306 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
7307 /* make sure it can fit in the remaining address space */
7308 if (likely(addr > len)) {
7309 vma = find_vma(mm, addr-len);
7310 - if (!vma || addr <= vma->vm_start) {
7311 + if (check_heap_stack_gap(vma, addr - len, len)) {
7312 /* remember the address as a hint for next time */
7313 return (mm->free_area_cache = addr-len);
7314 }
7315 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
7316 if (unlikely(mm->mmap_base < len))
7317 goto bottomup;
7318
7319 - addr = (mm->mmap_base-len) & HPAGE_MASK;
7320 + addr = mm->mmap_base - len;
7321
7322 do {
7323 + addr &= HPAGE_MASK;
7324 /*
7325 * Lookup failure means no vma is above this address,
7326 * else if new region fits below vma->vm_start,
7327 * return with success:
7328 */
7329 vma = find_vma(mm, addr);
7330 - if (likely(!vma || addr+len <= vma->vm_start)) {
7331 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7332 /* remember the address as a hint for next time */
7333 return (mm->free_area_cache = addr);
7334 }
7335 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
7336 mm->cached_hole_size = vma->vm_start - addr;
7337
7338 /* try just below the current vma->vm_start */
7339 - addr = (vma->vm_start-len) & HPAGE_MASK;
7340 - } while (likely(len < vma->vm_start));
7341 + addr = skip_heap_stack_gap(vma, len);
7342 + } while (!IS_ERR_VALUE(addr));
7343
7344 bottomup:
7345 /*
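Review bot: Loop termination in hugetlb_get_unmapped_area_topdown now rests entirely on `skip_heap_stack_gap()` returning an error value, where the removed `len < vma->vm_start` test made the underflow guard visible at the loop itself. The helper is not defined in this file, so a one-line comment at the `while` would help, e.g. `/* skip_heap_stack_gap() yields an error value once nothing fits below vma */`, to be confirmed against the helper. The same applies to the previous hunk, where `addr &= HPAGE_MASK` moved inside the loop, presumably because the helper's result is not huge-page aligned. The function starts and ends outside this hunk.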
7346 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
7347 if (addr) {
7348 addr = ALIGN(addr, HPAGE_SIZE);
7349 vma = find_vma(mm, addr);
7350 - if (task_size - len >= addr &&
7351 - (!vma || addr + len <= vma->vm_start))
7352 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
7353 return addr;
7354 }
7355 if (mm->get_unmapped_area == arch_get_unmapped_area)
7356 diff -urNp linux-2.6.39.1/arch/sparc/mm/init_32.c linux-2.6.39.1/arch/sparc/mm/init_32.c
7357 --- linux-2.6.39.1/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
7358 +++ linux-2.6.39.1/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
7359 @@ -318,6 +318,9 @@ extern void device_scan(void);
7360 pgprot_t PAGE_SHARED __read_mostly;
7361 EXPORT_SYMBOL(PAGE_SHARED);
7362
7363 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
7364 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
7365 +
7366 void __init paging_init(void)
7367 {
7368 switch(sparc_cpu_model) {
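Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, but the only visible assignment to it, in ld_mmu_srmmu() in srmmu.c, sits inside `#ifdef CONFIG_PAX_PAGEEXEC`. The next hunk then installs `PAGE_SHARED_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` into `protection_map[]` without a guard, so on a build without that option the result depends on header fallbacks that are not shown in this part of the patch. Either wrap the definition and export in the same `#ifdef CONFIG_PAX_PAGEEXEC`, or add a comment naming where the non-PAGEEXEC fallback comes from. paging_init continues outside the hunk.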
7369 @@ -346,17 +349,17 @@ void __init paging_init(void)
7370
7371 /* Initialize the protection map with non-constant, MMU dependent values. */
7372 protection_map[0] = PAGE_NONE;
7373 - protection_map[1] = PAGE_READONLY;
7374 - protection_map[2] = PAGE_COPY;
7375 - protection_map[3] = PAGE_COPY;
7376 + protection_map[1] = PAGE_READONLY_NOEXEC;
7377 + protection_map[2] = PAGE_COPY_NOEXEC;
7378 + protection_map[3] = PAGE_COPY_NOEXEC;
7379 protection_map[4] = PAGE_READONLY;
7380 protection_map[5] = PAGE_READONLY;
7381 protection_map[6] = PAGE_COPY;
7382 protection_map[7] = PAGE_COPY;
7383 protection_map[8] = PAGE_NONE;
7384 - protection_map[9] = PAGE_READONLY;
7385 - protection_map[10] = PAGE_SHARED;
7386 - protection_map[11] = PAGE_SHARED;
7387 + protection_map[9] = PAGE_READONLY_NOEXEC;
7388 + protection_map[10] = PAGE_SHARED_NOEXEC;
7389 + protection_map[11] = PAGE_SHARED_NOEXEC;
7390 protection_map[12] = PAGE_READONLY;
7391 protection_map[13] = PAGE_READONLY;
7392 protection_map[14] = PAGE_SHARED;
7393 diff -urNp linux-2.6.39.1/arch/sparc/mm/Makefile linux-2.6.39.1/arch/sparc/mm/Makefile
7394 --- linux-2.6.39.1/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400
7395 +++ linux-2.6.39.1/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400
7396 @@ -2,7 +2,7 @@
7397 #
7398
7399 asflags-y := -ansi
7400 -ccflags-y := -Werror
7401 +#ccflags-y := -Werror
7402
7403 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
7404 obj-y += fault_$(BITS).o
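Review bot: `-Werror` is switched off by commenting the line out, with no reason recorded, for a directory that builds the `fault_$(BITS).o` object listed just below. If a specific warning in the new code forces this, name it next to the line, e.g. `# -Werror dropped: <warning> in <file>`, or silence that one warning instead. That way any other new warning in arch/sparc/mm still fails the build.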
7405 diff -urNp linux-2.6.39.1/arch/sparc/mm/srmmu.c linux-2.6.39.1/arch/sparc/mm/srmmu.c
7406 --- linux-2.6.39.1/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400
7407 +++ linux-2.6.39.1/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400
7408 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
7409 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
7410 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
7411 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
7412 +
7413 +#ifdef CONFIG_PAX_PAGEEXEC
7414 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
7415 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
7416 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
7417 +#endif
7418 +
7419 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
7420 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
7421
7422 diff -urNp linux-2.6.39.1/arch/tile/kernel/pci.c linux-2.6.39.1/arch/tile/kernel/pci.c
7423 --- linux-2.6.39.1/arch/tile/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7424 +++ linux-2.6.39.1/arch/tile/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7425 @@ -60,7 +60,7 @@ int __write_once tile_plx_gen1;
7426 static struct pci_controller controllers[TILE_NUM_PCIE];
7427 static int num_controllers;
7428
7429 -static struct pci_ops tile_cfg_ops;
7430 +static const struct pci_ops tile_cfg_ops;
7431
7432
7433 /*
7434 @@ -564,7 +564,7 @@ static int __devinit tile_cfg_write(stru
7435 }
7436
7437
7438 -static struct pci_ops tile_cfg_ops = {
7439 +static const struct pci_ops tile_cfg_ops = {
7440 .read = tile_cfg_read,
7441 .write = tile_cfg_write,
7442 };
7443 diff -urNp linux-2.6.39.1/arch/um/include/asm/kmap_types.h linux-2.6.39.1/arch/um/include/asm/kmap_types.h
7444 --- linux-2.6.39.1/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
7445 +++ linux-2.6.39.1/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
7446 @@ -23,6 +23,7 @@ enum km_type {
7447 KM_IRQ1,
7448 KM_SOFTIRQ0,
7449 KM_SOFTIRQ1,
7450 + KM_CLEARPAGE,
7451 KM_TYPE_NR
7452 };
7453
7454 diff -urNp linux-2.6.39.1/arch/um/include/asm/page.h linux-2.6.39.1/arch/um/include/asm/page.h
7455 --- linux-2.6.39.1/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
7456 +++ linux-2.6.39.1/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
7457 @@ -14,6 +14,9 @@
7458 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
7459 #define PAGE_MASK (~(PAGE_SIZE-1))
7460
7461 +#define ktla_ktva(addr) (addr)
7462 +#define ktva_ktla(addr) (addr)
7463 +
7464 #ifndef __ASSEMBLY__
7465
7466 struct page;
7467 diff -urNp linux-2.6.39.1/arch/um/kernel/process.c linux-2.6.39.1/arch/um/kernel/process.c
7468 --- linux-2.6.39.1/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
7469 +++ linux-2.6.39.1/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
7470 @@ -404,22 +404,6 @@ int singlestepping(void * t)
7471 return 2;
7472 }
7473
7474 -/*
7475 - * Only x86 and x86_64 have an arch_align_stack().
7476 - * All other arches have "#define arch_align_stack(x) (x)"
7477 - * in their asm/system.h
7478 - * As this is included in UML from asm-um/system-generic.h,
7479 - * we can use it to behave as the subarch does.
7480 - */
7481 -#ifndef arch_align_stack
7482 -unsigned long arch_align_stack(unsigned long sp)
7483 -{
7484 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7485 - sp -= get_random_int() % 8192;
7486 - return sp & ~0xf;
7487 -}
7488 -#endif
7489 -
7490 unsigned long get_wchan(struct task_struct *p)
7491 {
7492 unsigned long stack_page, sp, ip;
7493 diff -urNp linux-2.6.39.1/arch/um/sys-i386/syscalls.c linux-2.6.39.1/arch/um/sys-i386/syscalls.c
7494 --- linux-2.6.39.1/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400
7495 +++ linux-2.6.39.1/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400
7496 @@ -11,6 +11,21 @@
7497 #include "asm/uaccess.h"
7498 #include "asm/unistd.h"
7499
7500 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7501 +{
7502 + unsigned long pax_task_size = TASK_SIZE;
7503 +
7504 +#ifdef CONFIG_PAX_SEGMEXEC
7505 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7506 + pax_task_size = SEGMEXEC_TASK_SIZE;
7507 +#endif
7508 +
7509 + if (len > pax_task_size || addr > pax_task_size - len)
7510 + return -EINVAL;
7511 +
7512 + return 0;
7513 +}
7514 +
7515 /*
7516 * The prototype on i386 is:
7517 *
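Review bot: i386_mmap_check accepts `flags` but never reads it, and the function has no comment describing the bound it enforces. A short header comment would do, e.g. `/* Reject mappings that do not fit below the task size; under SEGMEXEC the limit is SEGMEXEC_TASK_SIZE. */`. It is also worth stating in that comment that the `len > pax_task_size` test must stay first, since it is what keeps `pax_task_size - len` from wrapping in the second comparison.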
7518 diff -urNp linux-2.6.39.1/arch/unicore32/kernel/pci.c linux-2.6.39.1/arch/unicore32/kernel/pci.c
7519 --- linux-2.6.39.1/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7520 +++ linux-2.6.39.1/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7521 @@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u
7522 return PCIBIOS_SUCCESSFUL;
7523 }
7524
7525 -struct pci_ops pci_puv3_ops = {
7526 +const struct pci_ops pci_puv3_ops = {
7527 .read = puv3_read_config,
7528 .write = puv3_write_config,
7529 };
7530 diff -urNp linux-2.6.39.1/arch/x86/boot/bitops.h linux-2.6.39.1/arch/x86/boot/bitops.h
7531 --- linux-2.6.39.1/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400
7532 +++ linux-2.6.39.1/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400
7533 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7534 u8 v;
7535 const u32 *p = (const u32 *)addr;
7536
7537 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7538 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7539 return v;
7540 }
7541
7542 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7543
7544 static inline void set_bit(int nr, void *addr)
7545 {
7546 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7547 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7548 }
7549
7550 #endif /* BOOT_BITOPS_H */
7551 diff -urNp linux-2.6.39.1/arch/x86/boot/boot.h linux-2.6.39.1/arch/x86/boot/boot.h
7552 --- linux-2.6.39.1/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400
7553 +++ linux-2.6.39.1/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400
7554 @@ -85,7 +85,7 @@ static inline void io_delay(void)
7555 static inline u16 ds(void)
7556 {
7557 u16 seg;
7558 - asm("movw %%ds,%0" : "=rm" (seg));
7559 + asm volatile("movw %%ds,%0" : "=rm" (seg));
7560 return seg;
7561 }
7562
7563 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
7564 static inline int memcmp(const void *s1, const void *s2, size_t len)
7565 {
7566 u8 diff;
7567 - asm("repe; cmpsb; setnz %0"
7568 + asm volatile("repe; cmpsb; setnz %0"
7569 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7570 return diff;
7571 }
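Review bot: Adding `volatile` keeps this asm from being dropped or merged, but the statement still does not tell the compiler that it reads the memory behind `s1` and `s2`, because the operands are only the two pointer values and the count. Without a memory input or a `"memory"` clobber the compiler may keep earlier stores to those buffers in registers or move them past the compare. The operand line could end with `"+c" (len) : : "memory");`. Separately, with `len == 0` the `repe; cmpsb` performs no compare, so `setnz` reports whatever the flags held before; that behaviour predates this change.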
7572 diff -urNp linux-2.6.39.1/arch/x86/boot/compressed/head_32.S linux-2.6.39.1/arch/x86/boot/compressed/head_32.S
7573 --- linux-2.6.39.1/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400
7574 +++ linux-2.6.39.1/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400
7575 @@ -76,7 +76,7 @@ ENTRY(startup_32)
7576 notl %eax
7577 andl %eax, %ebx
7578 #else
7579 - movl $LOAD_PHYSICAL_ADDR, %ebx
7580 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7581 #endif
7582
7583 /* Target address to relocate to for decompression */
7584 @@ -162,7 +162,7 @@ relocated:
7585 * and where it was actually loaded.
7586 */
7587 movl %ebp, %ebx
7588 - subl $LOAD_PHYSICAL_ADDR, %ebx
7589 + subl $____LOAD_PHYSICAL_ADDR, %ebx
7590 jz 2f /* Nothing to be done if loaded at compiled addr. */
7591 /*
7592 * Process relocations.
7593 @@ -170,8 +170,7 @@ relocated:
7594
7595 1: subl $4, %edi
7596 movl (%edi), %ecx
7597 - testl %ecx, %ecx
7598 - jz 2f
7599 + jecxz 2f
7600 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7601 jmp 1b
7602 2:
7603 diff -urNp linux-2.6.39.1/arch/x86/boot/compressed/head_64.S linux-2.6.39.1/arch/x86/boot/compressed/head_64.S
7604 --- linux-2.6.39.1/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400
7605 +++ linux-2.6.39.1/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400
7606 @@ -91,7 +91,7 @@ ENTRY(startup_32)
7607 notl %eax
7608 andl %eax, %ebx
7609 #else
7610 - movl $LOAD_PHYSICAL_ADDR, %ebx
7611 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7612 #endif
7613
7614 /* Target address to relocate to for decompression */
7615 @@ -233,7 +233,7 @@ ENTRY(startup_64)
7616 notq %rax
7617 andq %rax, %rbp
7618 #else
7619 - movq $LOAD_PHYSICAL_ADDR, %rbp
7620 + movq $____LOAD_PHYSICAL_ADDR, %rbp
7621 #endif
7622
7623 /* Target address to relocate to for decompression */
7624 diff -urNp linux-2.6.39.1/arch/x86/boot/compressed/misc.c linux-2.6.39.1/arch/x86/boot/compressed/misc.c
7625 --- linux-2.6.39.1/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400
7626 +++ linux-2.6.39.1/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400
7627 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
7628 case PT_LOAD:
7629 #ifdef CONFIG_RELOCATABLE
7630 dest = output;
7631 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7632 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7633 #else
7634 dest = (void *)(phdr->p_paddr);
7635 #endif
7636 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
7637 error("Destination address too large");
7638 #endif
7639 #ifndef CONFIG_RELOCATABLE
7640 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7641 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7642 error("Wrong destination address");
7643 #endif
7644
7645 diff -urNp linux-2.6.39.1/arch/x86/boot/compressed/relocs.c linux-2.6.39.1/arch/x86/boot/compressed/relocs.c
7646 --- linux-2.6.39.1/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400
7647 +++ linux-2.6.39.1/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400
7648 @@ -13,8 +13,11 @@
7649
7650 static void die(char *fmt, ...);
7651
7652 +#include "../../../../include/generated/autoconf.h"
7653 +
7654 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7655 static Elf32_Ehdr ehdr;
7656 +static Elf32_Phdr *phdr;
7657 static unsigned long reloc_count, reloc_idx;
7658 static unsigned long *relocs;
7659
7660 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
7661 }
7662 }
7663
7664 +static void read_phdrs(FILE *fp)
7665 +{
7666 + unsigned int i;
7667 +
7668 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7669 + if (!phdr) {
7670 + die("Unable to allocate %d program headers\n",
7671 + ehdr.e_phnum);
7672 + }
7673 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7674 + die("Seek to %d failed: %s\n",
7675 + ehdr.e_phoff, strerror(errno));
7676 + }
7677 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7678 + die("Cannot read ELF program headers: %s\n",
7679 + strerror(errno));
7680 + }
7681 + for(i = 0; i < ehdr.e_phnum; i++) {
7682 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7683 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7684 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7685 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7686 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7687 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7688 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7689 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7690 + }
7691 +
7692 +}
7693 +
7694 static void read_shdrs(FILE *fp)
7695 {
7696 - int i;
7697 + unsigned int i;
7698 Elf32_Shdr shdr;
7699
7700 secs = calloc(ehdr.e_shnum, sizeof(struct section));
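Review bot: In read_phdrs the short-read branch prints `strerror(errno)`, but `fread` returning fewer items at end-of-file does not set `errno`, so a truncated input produces a stale or misleading message. Reporting the count is more useful to whoever debugs a bad image, e.g. `die("Cannot read %u ELF program headers\n", (unsigned)ehdr.e_phnum);`. `ehdr.e_phoff` is an unsigned 32-bit field printed with `%d`, where `%u` would match. Also, `calloc` may return NULL when `e_phnum` is 0, which this code would report as an allocation failure.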
7701 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
7702
7703 static void read_strtabs(FILE *fp)
7704 {
7705 - int i;
7706 + unsigned int i;
7707 for (i = 0; i < ehdr.e_shnum; i++) {
7708 struct section *sec = &secs[i];
7709 if (sec->shdr.sh_type != SHT_STRTAB) {
7710 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
7711
7712 static void read_symtabs(FILE *fp)
7713 {
7714 - int i,j;
7715 + unsigned int i,j;
7716 for (i = 0; i < ehdr.e_shnum; i++) {
7717 struct section *sec = &secs[i];
7718 if (sec->shdr.sh_type != SHT_SYMTAB) {
7719 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
7720
7721 static void read_relocs(FILE *fp)
7722 {
7723 - int i,j;
7724 + unsigned int i,j;
7725 + uint32_t base;
7726 +
7727 for (i = 0; i < ehdr.e_shnum; i++) {
7728 struct section *sec = &secs[i];
7729 if (sec->shdr.sh_type != SHT_REL) {
7730 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
7731 die("Cannot read symbol table: %s\n",
7732 strerror(errno));
7733 }
7734 + base = 0;
7735 + for (j = 0; j < ehdr.e_phnum; j++) {
7736 + if (phdr[j].p_type != PT_LOAD )
7737 + continue;
7738 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7739 + continue;
7740 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7741 + break;
7742 + }
7743 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7744 Elf32_Rel *rel = &sec->reltab[j];
7745 - rel->r_offset = elf32_to_cpu(rel->r_offset);
7746 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
7747 rel->r_info = elf32_to_cpu(rel->r_info);
7748 }
7749 }
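Review bot: The new segment lookup indexes `secs[sec->shdr.sh_info]` with no visible check that `sh_info` is below `ehdr.e_shnum`, and it silently leaves `base` at 0 when no PT_LOAD segment contains the section. The input to this build-time tool is normally the freshly linked kernel, but a bound check costs one line: `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info in section %u\n", i);`. Hoisting `secs[sec->shdr.sh_info].shdr.sh_offset` into a local would also shorten the very long range test. A comment should say whether `base == 0` is the intended result for sections outside every loadable segment. read_relocs starts and ends outside this hunk.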
7750 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
7751
7752 static void print_absolute_symbols(void)
7753 {
7754 - int i;
7755 + unsigned int i;
7756 printf("Absolute symbols\n");
7757 printf(" Num: Value Size Type Bind Visibility Name\n");
7758 for (i = 0; i < ehdr.e_shnum; i++) {
7759 struct section *sec = &secs[i];
7760 char *sym_strtab;
7761 Elf32_Sym *sh_symtab;
7762 - int j;
7763 + unsigned int j;
7764
7765 if (sec->shdr.sh_type != SHT_SYMTAB) {
7766 continue;
7767 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
7768
7769 static void print_absolute_relocs(void)
7770 {
7771 - int i, printed = 0;
7772 + unsigned int i, printed = 0;
7773
7774 for (i = 0; i < ehdr.e_shnum; i++) {
7775 struct section *sec = &secs[i];
7776 struct section *sec_applies, *sec_symtab;
7777 char *sym_strtab;
7778 Elf32_Sym *sh_symtab;
7779 - int j;
7780 + unsigned int j;
7781 if (sec->shdr.sh_type != SHT_REL) {
7782 continue;
7783 }
7784 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
7785
7786 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
7787 {
7788 - int i;
7789 + unsigned int i;
7790 /* Walk through the relocations */
7791 for (i = 0; i < ehdr.e_shnum; i++) {
7792 char *sym_strtab;
7793 Elf32_Sym *sh_symtab;
7794 struct section *sec_applies, *sec_symtab;
7795 - int j;
7796 + unsigned int j;
7797 struct section *sec = &secs[i];
7798
7799 if (sec->shdr.sh_type != SHT_REL) {
7800 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
7801 !is_rel_reloc(sym_name(sym_strtab, sym))) {
7802 continue;
7803 }
7804 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
7805 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
7806 + continue;
7807 +
7808 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
7809 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
7810 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
7811 + continue;
7812 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
7813 + continue;
7814 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
7815 + continue;
7816 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
7817 + continue;
7818 +#endif
7819 +
7820 switch (r_type) {
7821 case R_386_NONE:
7822 case R_386_PC32:
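Review bot: The added skip rules call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times per relocation, and they mix `strcmp` with `!strcmp` in a way that is easy to misread. Two locals, `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, would make each rule readable at a glance. The comments should also spell out the exceptions: as written, `__per_cpu_load` in `.data..percpu` and `__LOAD_PHYSICAL_ADDR` in `.text` are still relocated, while in `.module.text` only `_etext` is skipped. walk_relocs starts and ends outside this hunk.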
7823 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
7824
7825 static void emit_relocs(int as_text)
7826 {
7827 - int i;
7828 + unsigned int i;
7829 /* Count how many relocations I have and allocate space for them. */
7830 reloc_count = 0;
7831 walk_relocs(count_reloc);
7832 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
7833 fname, strerror(errno));
7834 }
7835 read_ehdr(fp);
7836 + read_phdrs(fp);
7837 read_shdrs(fp);
7838 read_strtabs(fp);
7839 read_symtabs(fp);
7840 diff -urNp linux-2.6.39.1/arch/x86/boot/cpucheck.c linux-2.6.39.1/arch/x86/boot/cpucheck.c
7841 --- linux-2.6.39.1/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400
7842 +++ linux-2.6.39.1/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400
7843 @@ -74,7 +74,7 @@ static int has_fpu(void)
7844 u16 fcw = -1, fsw = -1;
7845 u32 cr0;
7846
7847 - asm("movl %%cr0,%0" : "=r" (cr0));
7848 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
7849 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
7850 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
7851 asm volatile("movl %0,%%cr0" : : "r" (cr0));
7852 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
7853 {
7854 u32 f0, f1;
7855
7856 - asm("pushfl ; "
7857 + asm volatile("pushfl ; "
7858 "pushfl ; "
7859 "popl %0 ; "
7860 "movl %0,%1 ; "
7861 @@ -115,7 +115,7 @@ static void get_flags(void)
7862 set_bit(X86_FEATURE_FPU, cpu.flags);
7863
7864 if (has_eflag(X86_EFLAGS_ID)) {
7865 - asm("cpuid"
7866 + asm volatile("cpuid"
7867 : "=a" (max_intel_level),
7868 "=b" (cpu_vendor[0]),
7869 "=d" (cpu_vendor[1]),
7870 @@ -124,7 +124,7 @@ static void get_flags(void)
7871
7872 if (max_intel_level >= 0x00000001 &&
7873 max_intel_level <= 0x0000ffff) {
7874 - asm("cpuid"
7875 + asm volatile("cpuid"
7876 : "=a" (tfms),
7877 "=c" (cpu.flags[4]),
7878 "=d" (cpu.flags[0])
7879 @@ -136,7 +136,7 @@ static void get_flags(void)
7880 cpu.model += ((tfms >> 16) & 0xf) << 4;
7881 }
7882
7883 - asm("cpuid"
7884 + asm volatile("cpuid"
7885 : "=a" (max_amd_level)
7886 : "a" (0x80000000)
7887 : "ebx", "ecx", "edx");
7888 @@ -144,7 +144,7 @@ static void get_flags(void)
7889 if (max_amd_level >= 0x80000001 &&
7890 max_amd_level <= 0x8000ffff) {
7891 u32 eax = 0x80000001;
7892 - asm("cpuid"
7893 + asm volatile("cpuid"
7894 : "+a" (eax),
7895 "=c" (cpu.flags[6]),
7896 "=d" (cpu.flags[1])
7897 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
7898 u32 ecx = MSR_K7_HWCR;
7899 u32 eax, edx;
7900
7901 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7902 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7903 eax &= ~(1 << 15);
7904 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7905 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7906
7907 get_flags(); /* Make sure it really did something */
7908 err = check_flags();
7909 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
7910 u32 ecx = MSR_VIA_FCR;
7911 u32 eax, edx;
7912
7913 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7914 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7915 eax |= (1<<1)|(1<<7);
7916 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7917 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7918
7919 set_bit(X86_FEATURE_CX8, cpu.flags);
7920 err = check_flags();
7921 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
7922 u32 eax, edx;
7923 u32 level = 1;
7924
7925 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7926 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
7927 - asm("cpuid"
7928 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7929 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
7930 + asm volatile("cpuid"
7931 : "+a" (level), "=d" (cpu.flags[0])
7932 : : "ecx", "ebx");
7933 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7934 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7935
7936 err = check_flags();
7937 }
7938 diff -urNp linux-2.6.39.1/arch/x86/boot/header.S linux-2.6.39.1/arch/x86/boot/header.S
7939 --- linux-2.6.39.1/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400
7940 +++ linux-2.6.39.1/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400
7941 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
7942 # single linked list of
7943 # struct setup_data
7944
7945 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
7946 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
7947
7948 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
7949 #define VO_INIT_SIZE (VO__end - VO__text)
7950 diff -urNp linux-2.6.39.1/arch/x86/boot/memory.c linux-2.6.39.1/arch/x86/boot/memory.c
7951 --- linux-2.6.39.1/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400
7952 +++ linux-2.6.39.1/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400
7953 @@ -19,7 +19,7 @@
7954
7955 static int detect_memory_e820(void)
7956 {
7957 - int count = 0;
7958 + unsigned int count = 0;
7959 struct biosregs ireg, oreg;
7960 struct e820entry *desc = boot_params.e820_map;
7961 static struct e820entry buf; /* static so it is zeroed */
7962 diff -urNp linux-2.6.39.1/arch/x86/boot/video.c linux-2.6.39.1/arch/x86/boot/video.c
7963 --- linux-2.6.39.1/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400
7964 +++ linux-2.6.39.1/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400
7965 @@ -96,7 +96,7 @@ static void store_mode_params(void)
7966 static unsigned int get_entry(void)
7967 {
7968 char entry_buf[4];
7969 - int i, len = 0;
7970 + unsigned int i, len = 0;
7971 int key;
7972 unsigned int v;
7973
7974 diff -urNp linux-2.6.39.1/arch/x86/boot/video-vesa.c linux-2.6.39.1/arch/x86/boot/video-vesa.c
7975 --- linux-2.6.39.1/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400
7976 +++ linux-2.6.39.1/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400
7977 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
7978
7979 boot_params.screen_info.vesapm_seg = oreg.es;
7980 boot_params.screen_info.vesapm_off = oreg.di;
7981 + boot_params.screen_info.vesapm_size = oreg.cx;
7982 }
7983
7984 /*
7985 diff -urNp linux-2.6.39.1/arch/x86/ia32/ia32_aout.c linux-2.6.39.1/arch/x86/ia32/ia32_aout.c
7986 --- linux-2.6.39.1/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400
7987 +++ linux-2.6.39.1/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400
7988 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
7989 unsigned long dump_start, dump_size;
7990 struct user32 dump;
7991
7992 + memset(&dump, 0, sizeof(dump));
7993 +
7994 fs = get_fs();
7995 set_fs(KERNEL_DS);
7996 has_dumped = 1;
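Review bot: The added `memset(&dump, 0, sizeof(dump))` carries no comment, so a later cleanup could remove it as a redundant initialisation. `dump` is a stack `struct user32` that is presumably written to the core file, so any field or padding byte not filled in afterwards would otherwise carry stale kernel stack contents. A one-line comment such as `/* zero the whole struct, padding included, so no uninitialised stack bytes reach the core file */` records the intent. The code that fills and writes `dump` is outside this hunk, so which bytes were actually left unset cannot be confirmed from here.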
7997 diff -urNp linux-2.6.39.1/arch/x86/ia32/ia32entry.S linux-2.6.39.1/arch/x86/ia32/ia32entry.S
7998 --- linux-2.6.39.1/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400
7999 +++ linux-2.6.39.1/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400
8000 @@ -13,6 +13,7 @@
8001 #include <asm/thread_info.h>
8002 #include <asm/segment.h>
8003 #include <asm/irqflags.h>
8004 +#include <asm/pgtable.h>
8005 #include <linux/linkage.h>
8006
8007 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
8008 @@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
8009 ENDPROC(native_irq_enable_sysexit)
8010 #endif
8011
8012 + .macro pax_enter_kernel_user
8013 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8014 + call pax_enter_kernel_user
8015 +#endif
8016 + .endm
8017 +
8018 + .macro pax_exit_kernel_user
8019 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8020 + call pax_exit_kernel_user
8021 +#endif
8022 +#ifdef CONFIG_PAX_RANDKSTACK
8023 + pushq %rax
8024 + call pax_randomize_kstack
8025 + popq %rax
8026 +#endif
8027 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8028 + call pax_erase_kstack
8029 +#endif
8030 + .endm
8031 +
8032 + .macro pax_erase_kstack
8033 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8034 + call pax_erase_kstack
8035 +#endif
8036 + .endm
8037 +
8038 /*
8039 * 32bit SYSENTER instruction entry.
8040 *
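Review bot: In the `pax_exit_kernel_user` macro the `pushq %rax` / `popq %rax` pair around `call pax_randomize_kstack` moves `rsp` without a CFI annotation, while the entry code in this file uses the `pushq_cfi` and `pushfq_cfi` forms. Writing `pushq_cfi %rax` and `popq_cfi %rax` would keep the unwind information consistent across the call. Each macro also shares its name with the function it calls (`pax_enter_kernel_user`, `pax_exit_kernel_user`, `pax_erase_kstack`), which makes a call site ambiguous to a reader. A short comment above the macros saying that they are config-guarded wrappers around the same-named functions would help.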
8041 @@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
8042 CFI_REGISTER rsp,rbp
8043 SWAPGS_UNSAFE_STACK
8044 movq PER_CPU_VAR(kernel_stack), %rsp
8045 - addq $(KERNEL_STACK_OFFSET),%rsp
8046 + pax_enter_kernel_user
8047 /*
8048 * No need to follow this irqs on/off section: the syscall
8049 * disabled irqs, here we enable it straight after entry:
8050 @@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
8051 CFI_REL_OFFSET rsp,0
8052 pushfq_cfi
8053 /*CFI_REL_OFFSET rflags,0*/
8054 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
8055 + GET_THREAD_INFO(%r10)
8056 + movl TI_sysenter_return(%r10), %r10d
8057 CFI_REGISTER rip,r10
8058 pushq_cfi $__USER32_CS
8059 /*CFI_REL_OFFSET cs,0*/
8060 @@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
8061 SAVE_ARGS 0,0,1
8062 /* no need to do an access_ok check here because rbp has been
8063 32bit zero extended */
8064 +
8065 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8066 + mov $PAX_USER_SHADOW_BASE,%r10
8067 + add %r10,%rbp
8068 +#endif
8069 +
8070 1: movl (%rbp),%ebp
8071 .section __ex_table,"a"
8072 .quad 1b,ia32_badarg
8073 @@ -168,6 +202,7 @@ sysenter_dispatch:
8074 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8075 jnz sysexit_audit
8076 sysexit_from_sys_call:
8077 + pax_exit_kernel_user
8078 andl $~TS_COMPAT,TI_status(%r10)
8079 /* clear IF, that popfq doesn't enable interrupts early */
8080 andl $~0x200,EFLAGS-R11(%rsp)
8081 @@ -194,6 +229,9 @@ sysexit_from_sys_call:
8082 movl %eax,%esi /* 2nd arg: syscall number */
8083 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
8084 call audit_syscall_entry
8085 +
8086 + pax_erase_kstack
8087 +
8088 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
8089 cmpq $(IA32_NR_syscalls-1),%rax
8090 ja ia32_badsys
8091 @@ -246,6 +284,9 @@ sysenter_tracesys:
8092 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
8093 movq %rsp,%rdi /* &pt_regs -> arg1 */
8094 call syscall_trace_enter
8095 +
8096 + pax_erase_kstack
8097 +
8098 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8099 RESTORE_REST
8100 cmpq $(IA32_NR_syscalls-1),%rax
8101 @@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
8102 ENTRY(ia32_cstar_target)
8103 CFI_STARTPROC32 simple
8104 CFI_SIGNAL_FRAME
8105 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
8106 + CFI_DEF_CFA rsp,0
8107 CFI_REGISTER rip,rcx
8108 /*CFI_REGISTER rflags,r11*/
8109 SWAPGS_UNSAFE_STACK
8110 movl %esp,%r8d
8111 CFI_REGISTER rsp,r8
8112 movq PER_CPU_VAR(kernel_stack),%rsp
8113 +
8114 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8115 + pax_enter_kernel_user
8116 +#endif
8117 +
8118 /*
8119 * No need to follow this irqs on/off section: the syscall
8120 * disabled irqs and here we enable it straight after entry:
8121 */
8122 ENABLE_INTERRUPTS(CLBR_NONE)
8123 - SAVE_ARGS 8,1,1
8124 + SAVE_ARGS 8*6,1,1
8125 movl %eax,%eax /* zero extension */
8126 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
8127 movq %rcx,RIP-ARGOFFSET(%rsp)
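Review bot: `pax_enter_kernel_user` is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF` in ia32_cstar_target, while the earlier entry path in this file and the ia32_syscall hunk further down invoke the same macro with no guard. If the macro already expands to nothing when UDEREF is off (its definition is not visible here), the guard is redundant and the three entry points should read the same. If it does not, the unguarded call sites are the ones to check. Either drop the `#ifdef`/`#endif` pair here or add it at the other two sites. ia32_cstar_target continues past this hunk.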
8128 @@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
8129 /* no need to do an access_ok check here because r8 has been
8130 32bit zero extended */
8131 /* hardware stack frame is complete now */
8132 +
8133 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8134 + mov $PAX_USER_SHADOW_BASE,%r10
8135 + add %r10,%r8
8136 +#endif
8137 +
8138 1: movl (%r8),%r9d
8139 .section __ex_table,"a"
8140 .quad 1b,ia32_badarg
8141 @@ -327,6 +379,7 @@ cstar_dispatch:
8142 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8143 jnz sysretl_audit
8144 sysretl_from_sys_call:
8145 + pax_exit_kernel_user
8146 andl $~TS_COMPAT,TI_status(%r10)
8147 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
8148 movl RIP-ARGOFFSET(%rsp),%ecx
8149 @@ -364,6 +417,9 @@ cstar_tracesys:
8150 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8151 movq %rsp,%rdi /* &pt_regs -> arg1 */
8152 call syscall_trace_enter
8153 +
8154 + pax_erase_kstack
8155 +
8156 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
8157 RESTORE_REST
8158 xchgl %ebp,%r9d
8159 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
8160 CFI_REL_OFFSET rip,RIP-RIP
8161 PARAVIRT_ADJUST_EXCEPTION_FRAME
8162 SWAPGS
8163 + pax_enter_kernel_user
8164 /*
8165 * No need to follow this irqs on/off section: the syscall
8166 * disabled irqs and here we enable it straight after entry:
8167 @@ -441,6 +498,9 @@ ia32_tracesys:
8168 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8169 movq %rsp,%rdi /* &pt_regs -> arg1 */
8170 call syscall_trace_enter
8171 +
8172 + pax_erase_kstack
8173 +
8174 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8175 RESTORE_REST
8176 cmpq $(IA32_NR_syscalls-1),%rax
8177 diff -urNp linux-2.6.39.1/arch/x86/ia32/ia32_signal.c linux-2.6.39.1/arch/x86/ia32/ia32_signal.c
8178 --- linux-2.6.39.1/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400
8179 +++ linux-2.6.39.1/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400
8180 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
8181 sp -= frame_size;
8182 /* Align the stack pointer according to the i386 ABI,
8183 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
8184 - sp = ((sp + 4) & -16ul) - 4;
8185 + sp = ((sp - 12) & -16ul) - 4;
8186 return (void __user *) sp;
8187 }
8188
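Review bot: The alignment comment above the changed line states only the i386 ABI rule and does not explain why `+ 4` became `- 12`. Both forms satisfy `((sp + 4) & 15) == 0`, but the new one yields an address exactly 16 bytes lower than the old one, so the result is always strictly below the incoming `sp`. A factual comment such as `/* (sp - 12) rather than (sp + 4): same alignment, one 16-byte slot lower */` would stop someone from simplifying it back. get_sigframe starts above this hunk.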
8189 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
8190 * These are actually not used anymore, but left because some
8191 * gdb versions depend on them as a marker.
8192 */
8193 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8194 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8195 } put_user_catch(err);
8196
8197 if (err)
8198 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
8199 0xb8,
8200 __NR_ia32_rt_sigreturn,
8201 0x80cd,
8202 - 0,
8203 + 0
8204 };
8205
8206 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
8207 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
8208
8209 if (ka->sa.sa_flags & SA_RESTORER)
8210 restorer = ka->sa.sa_restorer;
8211 + else if (current->mm->context.vdso)
8212 + /* Return stub is in 32bit vsyscall page */
8213 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
8214 else
8215 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
8216 - rt_sigreturn);
8217 + restorer = &frame->retcode;
8218 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
8219
8220 /*
8221 * Not actually used anymore, but left because some gdb
8222 * versions need it.
8223 */
8224 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8225 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8226 } put_user_catch(err);
8227
8228 if (err)
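Review bot: With the new `else restorer = &frame->retcode;` branch the retcode bytes become a live return path, yet the comment a few lines below still says "Not actually used anymore, but left because some gdb versions need it." That comment should be updated, e.g. `/* Fallback return stub when there is no SA_RESTORER and no vDSO; also a marker for gdb. */`. The fallback points the handler's return address into the signal frame on the user stack, so it presumably only works where that page is executable or the trampoline is emulated; that dependency deserves a line as well. ia32_setup_rt_frame starts and ends outside this hunk.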
8229 diff -urNp linux-2.6.39.1/arch/x86/include/asm/alternative.h linux-2.6.39.1/arch/x86/include/asm/alternative.h
8230 --- linux-2.6.39.1/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400
8231 +++ linux-2.6.39.1/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400
8232 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
8233 ".section .discard,\"aw\",@progbits\n" \
8234 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
8235 ".previous\n" \
8236 - ".section .altinstr_replacement, \"ax\"\n" \
8237 + ".section .altinstr_replacement, \"a\"\n" \
8238 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8239 ".previous"
8240
8241 diff -urNp linux-2.6.39.1/arch/x86/include/asm/apm.h linux-2.6.39.1/arch/x86/include/asm/apm.h
8242 --- linux-2.6.39.1/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400
8243 +++ linux-2.6.39.1/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400
8244 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8245 __asm__ __volatile__(APM_DO_ZERO_SEGS
8246 "pushl %%edi\n\t"
8247 "pushl %%ebp\n\t"
8248 - "lcall *%%cs:apm_bios_entry\n\t"
8249 + "lcall *%%ss:apm_bios_entry\n\t"
8250 "setc %%al\n\t"
8251 "popl %%ebp\n\t"
8252 "popl %%edi\n\t"
8253 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8254 __asm__ __volatile__(APM_DO_ZERO_SEGS
8255 "pushl %%edi\n\t"
8256 "pushl %%ebp\n\t"
8257 - "lcall *%%cs:apm_bios_entry\n\t"
8258 + "lcall *%%ss:apm_bios_entry\n\t"
8259 "setc %%bl\n\t"
8260 "popl %%ebp\n\t"
8261 "popl %%edi\n\t"
8262 diff -urNp linux-2.6.39.1/arch/x86/include/asm/atomic64_32.h linux-2.6.39.1/arch/x86/include/asm/atomic64_32.h
8263 --- linux-2.6.39.1/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400
8264 +++ linux-2.6.39.1/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400
8265 @@ -12,6 +12,14 @@ typedef struct {
8266 u64 __aligned(8) counter;
8267 } atomic64_t;
8268
8269 +#ifdef CONFIG_PAX_REFCOUNT
8270 +typedef struct {
8271 + u64 __aligned(8) counter;
8272 +} atomic64_unchecked_t;
8273 +#else
8274 +typedef atomic64_t atomic64_unchecked_t;
8275 +#endif
8276 +
8277 #define ATOMIC64_INIT(val) { (val) }
8278
8279 #ifdef CONFIG_X86_CMPXCHG64
8280 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
8281 }
8282
8283 /**
8284 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
8285 + * @p: pointer to type atomic64_unchecked_t
8286 + * @o: expected value
8287 + * @n: new value
8288 + *
8289 + * Atomically sets @v to @n if it was equal to @o and returns
8290 + * the old value.
8291 + */
8292 +
8293 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
8294 +{
8295 + return cmpxchg64(&v->counter, o, n);
8296 +}
8297 +
8298 +/**
8299 * atomic64_xchg - xchg atomic64 variable
8300 * @v: pointer to type atomic64_t
8301 * @n: value to assign
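Review bot: The kernel-doc for atomic64_cmpxchg_unchecked documents `@p`, but the parameter is `v` and the description itself refers to `@v`; the line should read `@v: pointer to type atomic64_unchecked_t`. The same kind of mismatch is in atomic64_set_unchecked in the next hunk, which documents `@n` while the parameter is named `i`. Both look like copies of the neighbouring checked helpers' comments and are worth correcting while the new functions are being introduced.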
8302 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
8303 }
8304
8305 /**
8306 + * atomic64_set_unchecked - set atomic64 variable
8307 + * @v: pointer to type atomic64_unchecked_t
8308 + * @n: value to assign
8309 + *
8310 + * Atomically sets the value of @v to @n.
8311 + */
8312 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
8313 +{
8314 + unsigned high = (unsigned)(i >> 32);
8315 + unsigned low = (unsigned)i;
8316 + asm volatile(ATOMIC64_ALTERNATIVE(set)
8317 + : "+b" (low), "+c" (high)
8318 + : "S" (v)
8319 + : "eax", "edx", "memory"
8320 + );
8321 +}
8322 +
8323 +/**
8324 * atomic64_read - read atomic64 variable
8325 * @v: pointer to type atomic64_t
8326 *
8327 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
8328 }
8329
8330 /**
8331 + * atomic64_read_unchecked - read atomic64 variable
8332 + * @v: pointer to type atomic64_unchecked_t
8333 + *
8334 + * Atomically reads the value of @v and returns it.
8335 + */
8336 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
8337 +{
8338 + long long r;
8339 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
8340 + : "=A" (r), "+c" (v)
8341 + : : "memory"
8342 + );
8343 + return r;
8344 + }
8345 +
8346 +/**
8347 * atomic64_add_return - add and return
8348 * @i: integer value to add
8349 * @v: pointer to type atomic64_t
8350 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
8351 return i;
8352 }
8353
8354 +/**
8355 + * atomic64_add_return_unchecked - add and return
8356 + * @i: integer value to add
8357 + * @v: pointer to type atomic64_unchecked_t
8358 + *
8359 + * Atomically adds @i to @v and returns @i + *@v
8360 + */
8361 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
8362 +{
8363 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
8364 + : "+A" (i), "+c" (v)
8365 + : : "memory"
8366 + );
8367 + return i;
8368 +}
8369 +
8370 /*
8371 * Other variants with different arithmetic operators:
8372 */
8373 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
8374 return a;
8375 }
8376
8377 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8378 +{
8379 + long long a;
8380 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
8381 + : "=A" (a)
8382 + : "S" (v)
8383 + : "memory", "ecx"
8384 + );
8385 + return a;
8386 +}
8387 +
8388 static inline long long atomic64_dec_return(atomic64_t *v)
8389 {
8390 long long a;
8391 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
8392 }
8393
8394 /**
8395 + * atomic64_add_unchecked - add integer to atomic64 variable
8396 + * @i: integer value to add
8397 + * @v: pointer to type atomic64_unchecked_t
8398 + *
8399 + * Atomically adds @i to @v.
8400 + */
8401 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
8402 +{
8403 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
8404 + : "+A" (i), "+c" (v)
8405 + : : "memory"
8406 + );
8407 + return i;
8408 +}
8409 +
8410 +/**
8411 * atomic64_sub - subtract the atomic64 variable
8412 * @i: integer value to subtract
8413 * @v: pointer to type atomic64_t
8414 diff -urNp linux-2.6.39.1/arch/x86/include/asm/atomic64_64.h linux-2.6.39.1/arch/x86/include/asm/atomic64_64.h
8415 --- linux-2.6.39.1/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400
8416 +++ linux-2.6.39.1/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400
8417 @@ -18,7 +18,19 @@
8418 */
8419 static inline long atomic64_read(const atomic64_t *v)
8420 {
8421 - return (*(volatile long *)&(v)->counter);
8422 + return (*(volatile const long *)&(v)->counter);
8423 +}
8424 +
8425 +/**
8426 + * atomic64_read_unchecked - read atomic64 variable
8427 + * @v: pointer of type atomic64_unchecked_t
8428 + *
8429 + * Atomically reads the value of @v.
8430 + * Doesn't imply a read memory barrier.
8431 + */
8432 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8433 +{
8434 + return (*(volatile const long *)&(v)->counter);
8435 }
8436
8437 /**
8438 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
8439 }
8440
8441 /**
8442 + * atomic64_set_unchecked - set atomic64 variable
8443 + * @v: pointer to type atomic64_unchecked_t
8444 + * @i: required value
8445 + *
8446 + * Atomically sets the value of @v to @i.
8447 + */
8448 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8449 +{
8450 + v->counter = i;
8451 +}
8452 +
8453 +/**
8454 * atomic64_add - add integer to atomic64 variable
8455 * @i: integer value to add
8456 * @v: pointer to type atomic64_t
8457 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
8458 */
8459 static inline void atomic64_add(long i, atomic64_t *v)
8460 {
8461 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8462 +
8463 +#ifdef CONFIG_PAX_REFCOUNT
8464 + "jno 0f\n"
8465 + LOCK_PREFIX "subq %1,%0\n"
8466 + "int $4\n0:\n"
8467 + _ASM_EXTABLE(0b, 0b)
8468 +#endif
8469 +
8470 + : "=m" (v->counter)
8471 + : "er" (i), "m" (v->counter));
8472 +}
8473 +
8474 +/**
8475 + * atomic64_add_unchecked - add integer to atomic64 variable
8476 + * @i: integer value to add
8477 + * @v: pointer to type atomic64_unchecked_t
8478 + *
8479 + * Atomically adds @i to @v.
8480 + */
8481 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8482 +{
8483 asm volatile(LOCK_PREFIX "addq %1,%0"
8484 : "=m" (v->counter)
8485 : "er" (i), "m" (v->counter));
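Review bot: The overflow sequence added to atomic64_add (`jno 0f`, a locked undo, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is repeated in the other checked operations in this file and in atomic.h, differing only in the undo instruction. Factoring it into one macro that takes the undo instruction would keep the copies from drifting and give a single place for a comment explaining the protocol. That comment should also record that the counter holds the wrapped value between the first locked instruction and the locked undo, so another CPU can observe it in that window. The handler for the `int $4` trap is outside this page.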
8486 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
8487 */
8488 static inline void atomic64_sub(long i, atomic64_t *v)
8489 {
8490 - asm volatile(LOCK_PREFIX "subq %1,%0"
8491 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8492 +
8493 +#ifdef CONFIG_PAX_REFCOUNT
8494 + "jno 0f\n"
8495 + LOCK_PREFIX "addq %1,%0\n"
8496 + "int $4\n0:\n"
8497 + _ASM_EXTABLE(0b, 0b)
8498 +#endif
8499 +
8500 + : "=m" (v->counter)
8501 + : "er" (i), "m" (v->counter));
8502 +}
8503 +
8504 +/**
8505 + * atomic64_sub_unchecked - subtract the atomic64 variable
8506 + * @i: integer value to subtract
8507 + * @v: pointer to type atomic64_unchecked_t
8508 + *
8509 + * Atomically subtracts @i from @v.
8510 + */
8511 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
8512 +{
8513 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8514 : "=m" (v->counter)
8515 : "er" (i), "m" (v->counter));
8516 }
8517 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
8518 {
8519 unsigned char c;
8520
8521 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8522 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8523 +
8524 +#ifdef CONFIG_PAX_REFCOUNT
8525 + "jno 0f\n"
8526 + LOCK_PREFIX "addq %2,%0\n"
8527 + "int $4\n0:\n"
8528 + _ASM_EXTABLE(0b, 0b)
8529 +#endif
8530 +
8531 + "sete %1\n"
8532 : "=m" (v->counter), "=qm" (c)
8533 : "er" (i), "m" (v->counter) : "memory");
8534 return c;
8535 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
8536 */
8537 static inline void atomic64_inc(atomic64_t *v)
8538 {
8539 + asm volatile(LOCK_PREFIX "incq %0\n"
8540 +
8541 +#ifdef CONFIG_PAX_REFCOUNT
8542 + "jno 0f\n"
8543 + LOCK_PREFIX "decq %0\n"
8544 + "int $4\n0:\n"
8545 + _ASM_EXTABLE(0b, 0b)
8546 +#endif
8547 +
8548 + : "=m" (v->counter)
8549 + : "m" (v->counter));
8550 +}
8551 +
8552 +/**
8553 + * atomic64_inc_unchecked - increment atomic64 variable
8554 + * @v: pointer to type atomic64_unchecked_t
8555 + *
8556 + * Atomically increments @v by 1.
8557 + */
8558 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8559 +{
8560 asm volatile(LOCK_PREFIX "incq %0"
8561 : "=m" (v->counter)
8562 : "m" (v->counter));
8563 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
8564 */
8565 static inline void atomic64_dec(atomic64_t *v)
8566 {
8567 - asm volatile(LOCK_PREFIX "decq %0"
8568 + asm volatile(LOCK_PREFIX "decq %0\n"
8569 +
8570 +#ifdef CONFIG_PAX_REFCOUNT
8571 + "jno 0f\n"
8572 + LOCK_PREFIX "incq %0\n"
8573 + "int $4\n0:\n"
8574 + _ASM_EXTABLE(0b, 0b)
8575 +#endif
8576 +
8577 + : "=m" (v->counter)
8578 + : "m" (v->counter));
8579 +}
8580 +
8581 +/**
8582 + * atomic64_dec_unchecked - decrement atomic64 variable
8583 + * @v: pointer to type atomic64_t
8584 + *
8585 + * Atomically decrements @v by 1.
8586 + */
8587 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8588 +{
8589 + asm volatile(LOCK_PREFIX "decq %0\n"
8590 : "=m" (v->counter)
8591 : "m" (v->counter));
8592 }
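Review bot: The kernel-doc for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *v`; it should read `@v: pointer to type atomic64_unchecked_t`, as the sibling _unchecked helpers do. The _unchecked type appears to exist to mark counters that are exempt from the overflow trap, so the documented type matters to a reader choosing between the two variants.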
8593 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
8594 {
8595 unsigned char c;
8596
8597 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8598 + asm volatile(LOCK_PREFIX "decq %0\n"
8599 +
8600 +#ifdef CONFIG_PAX_REFCOUNT
8601 + "jno 0f\n"
8602 + LOCK_PREFIX "incq %0\n"
8603 + "int $4\n0:\n"
8604 + _ASM_EXTABLE(0b, 0b)
8605 +#endif
8606 +
8607 + "sete %1\n"
8608 : "=m" (v->counter), "=qm" (c)
8609 : "m" (v->counter) : "memory");
8610 return c != 0;
8611 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
8612 {
8613 unsigned char c;
8614
8615 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8616 + asm volatile(LOCK_PREFIX "incq %0\n"
8617 +
8618 +#ifdef CONFIG_PAX_REFCOUNT
8619 + "jno 0f\n"
8620 + LOCK_PREFIX "decq %0\n"
8621 + "int $4\n0:\n"
8622 + _ASM_EXTABLE(0b, 0b)
8623 +#endif
8624 +
8625 + "sete %1\n"
8626 : "=m" (v->counter), "=qm" (c)
8627 : "m" (v->counter) : "memory");
8628 return c != 0;
8629 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
8630 {
8631 unsigned char c;
8632
8633 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8634 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8635 +
8636 +#ifdef CONFIG_PAX_REFCOUNT
8637 + "jno 0f\n"
8638 + LOCK_PREFIX "subq %2,%0\n"
8639 + "int $4\n0:\n"
8640 + _ASM_EXTABLE(0b, 0b)
8641 +#endif
8642 +
8643 + "sets %1\n"
8644 : "=m" (v->counter), "=qm" (c)
8645 : "er" (i), "m" (v->counter) : "memory");
8646 return c;
8647 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
8648 static inline long atomic64_add_return(long i, atomic64_t *v)
8649 {
8650 long __i = i;
8651 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8652 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8653 +
8654 +#ifdef CONFIG_PAX_REFCOUNT
8655 + "jno 0f\n"
8656 + "movq %0, %1\n"
8657 + "int $4\n0:\n"
8658 + _ASM_EXTABLE(0b, 0b)
8659 +#endif
8660 +
8661 + : "+r" (i), "+m" (v->counter)
8662 + : : "memory");
8663 + return i + __i;
8664 +}
8665 +
8666 +/**
8667 + * atomic64_add_return_unchecked - add and return
8668 + * @i: integer value to add
8669 + * @v: pointer to type atomic64_unchecked_t
8670 + *
8671 + * Atomically adds @i to @v and returns @i + @v
8672 + */
8673 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8674 +{
8675 + long __i = i;
8676 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8677 : "+r" (i), "+m" (v->counter)
8678 : : "memory");
8679 return i + __i;
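Review bot: On overflow the checked atomic64_add_return undoes the `xaddq` with a plain `movq %0, %1`, an unlocked store of the old value, whereas the other checked operations undo with a LOCK-prefixed inverse instruction. Any update another CPU makes to the counter between the `xaddq` and that store is overwritten. Passing the addend as an extra input and undoing with a locked subtract, for example `LOCK_PREFIX "subq %2, %1\n"` with `: "r" (__i)`, would keep the undo atomic. The function then still returns `i + __i`, the wrapped sum, unless the trap handler (not visible here) prevents that. atomic_add_return in atomic.h has the same `movl %0, %1` undo.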
8680 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
8681 }
8682
8683 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8684 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8685 +{
8686 + return atomic64_add_return_unchecked(1, v);
8687 +}
8688 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8689
8690 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8691 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
8692 return cmpxchg(&v->counter, old, new);
8693 }
8694
8695 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8696 +{
8697 + return cmpxchg(&v->counter, old, new);
8698 +}
8699 +
8700 static inline long atomic64_xchg(atomic64_t *v, long new)
8701 {
8702 return xchg(&v->counter, new);
8703 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
8704 */
8705 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8706 {
8707 - long c, old;
8708 + long c, old, new;
8709 c = atomic64_read(v);
8710 for (;;) {
8711 - if (unlikely(c == (u)))
8712 + if (unlikely(c == u))
8713 break;
8714 - old = atomic64_cmpxchg((v), c, c + (a));
8715 +
8716 + asm volatile("add %2,%0\n"
8717 +
8718 +#ifdef CONFIG_PAX_REFCOUNT
8719 + "jno 0f\n"
8720 + "sub %2,%0\n"
8721 + "int $4\n0:\n"
8722 + _ASM_EXTABLE(0b, 0b)
8723 +#endif
8724 +
8725 + : "=r" (new)
8726 + : "0" (c), "ir" (a));
8727 +
8728 + old = atomic64_cmpxchg(v, c, new);
8729 if (likely(old == c))
8730 break;
8731 c = old;
8732 }
8733 - return c != (u);
8734 + return c != u;
8735 }
8736
8737 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
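Review bot: The new inline `add` in atomic64_add_unless takes `a` through `"ir"`, but `a` is a 64-bit `long` and the rest of this file uses `"er"` for addq/subq operands. `"i"` admits immediates that do not fit a sign-extended 32-bit field, so the constraint should be `: "0" (c), "er" (a));`. Separately, on the overflow path the `sub` restores `new` to `c`, so unless the trap handler (not shown) diverts execution, the following `atomic64_cmpxchg(v, c, new)` succeeds without changing the counter and the function reports that the add happened. atomic_add_unless and atomic_inc_not_zero_hint in atomic.h follow the same pattern. The function starts above this hunk.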
8738 diff -urNp linux-2.6.39.1/arch/x86/include/asm/atomic.h linux-2.6.39.1/arch/x86/include/asm/atomic.h
8739 --- linux-2.6.39.1/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400
8740 +++ linux-2.6.39.1/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400
8741 @@ -22,7 +22,18 @@
8742 */
8743 static inline int atomic_read(const atomic_t *v)
8744 {
8745 - return (*(volatile int *)&(v)->counter);
8746 + return (*(volatile const int *)&(v)->counter);
8747 +}
8748 +
8749 +/**
8750 + * atomic_read_unchecked - read atomic variable
8751 + * @v: pointer of type atomic_unchecked_t
8752 + *
8753 + * Atomically reads the value of @v.
8754 + */
8755 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
8756 +{
8757 + return (*(volatile const int *)&(v)->counter);
8758 }
8759
8760 /**
8761 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
8762 }
8763
8764 /**
8765 + * atomic_set_unchecked - set atomic variable
8766 + * @v: pointer of type atomic_unchecked_t
8767 + * @i: required value
8768 + *
8769 + * Atomically sets the value of @v to @i.
8770 + */
8771 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
8772 +{
8773 + v->counter = i;
8774 +}
8775 +
8776 +/**
8777 * atomic_add - add integer to atomic variable
8778 * @i: integer value to add
8779 * @v: pointer of type atomic_t
8780 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
8781 */
8782 static inline void atomic_add(int i, atomic_t *v)
8783 {
8784 - asm volatile(LOCK_PREFIX "addl %1,%0"
8785 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
8786 +
8787 +#ifdef CONFIG_PAX_REFCOUNT
8788 + "jno 0f\n"
8789 + LOCK_PREFIX "subl %1,%0\n"
8790 + "int $4\n0:\n"
8791 + _ASM_EXTABLE(0b, 0b)
8792 +#endif
8793 +
8794 + : "+m" (v->counter)
8795 + : "ir" (i));
8796 +}
8797 +
8798 +/**
8799 + * atomic_add_unchecked - add integer to atomic variable
8800 + * @i: integer value to add
8801 + * @v: pointer of type atomic_unchecked_t
8802 + *
8803 + * Atomically adds @i to @v.
8804 + */
8805 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
8806 +{
8807 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
8808 : "+m" (v->counter)
8809 : "ir" (i));
8810 }
8811 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
8812 */
8813 static inline void atomic_sub(int i, atomic_t *v)
8814 {
8815 - asm volatile(LOCK_PREFIX "subl %1,%0"
8816 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
8817 +
8818 +#ifdef CONFIG_PAX_REFCOUNT
8819 + "jno 0f\n"
8820 + LOCK_PREFIX "addl %1,%0\n"
8821 + "int $4\n0:\n"
8822 + _ASM_EXTABLE(0b, 0b)
8823 +#endif
8824 +
8825 + : "+m" (v->counter)
8826 + : "ir" (i));
8827 +}
8828 +
8829 +/**
8830 + * atomic_sub_unchecked - subtract integer from atomic variable
8831 + * @i: integer value to subtract
8832 + * @v: pointer of type atomic_unchecked_t
8833 + *
8834 + * Atomically subtracts @i from @v.
8835 + */
8836 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
8837 +{
8838 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
8839 : "+m" (v->counter)
8840 : "ir" (i));
8841 }
8842 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
8843 {
8844 unsigned char c;
8845
8846 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
8847 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
8848 +
8849 +#ifdef CONFIG_PAX_REFCOUNT
8850 + "jno 0f\n"
8851 + LOCK_PREFIX "addl %2,%0\n"
8852 + "int $4\n0:\n"
8853 + _ASM_EXTABLE(0b, 0b)
8854 +#endif
8855 +
8856 + "sete %1\n"
8857 : "+m" (v->counter), "=qm" (c)
8858 : "ir" (i) : "memory");
8859 return c;
8860 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
8861 */
8862 static inline void atomic_inc(atomic_t *v)
8863 {
8864 - asm volatile(LOCK_PREFIX "incl %0"
8865 + asm volatile(LOCK_PREFIX "incl %0\n"
8866 +
8867 +#ifdef CONFIG_PAX_REFCOUNT
8868 + "jno 0f\n"
8869 + LOCK_PREFIX "decl %0\n"
8870 + "int $4\n0:\n"
8871 + _ASM_EXTABLE(0b, 0b)
8872 +#endif
8873 +
8874 + : "+m" (v->counter));
8875 +}
8876 +
8877 +/**
8878 + * atomic_inc_unchecked - increment atomic variable
8879 + * @v: pointer of type atomic_unchecked_t
8880 + *
8881 + * Atomically increments @v by 1.
8882 + */
8883 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
8884 +{
8885 + asm volatile(LOCK_PREFIX "incl %0\n"
8886 : "+m" (v->counter));
8887 }
8888
8889 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
8890 */
8891 static inline void atomic_dec(atomic_t *v)
8892 {
8893 - asm volatile(LOCK_PREFIX "decl %0"
8894 + asm volatile(LOCK_PREFIX "decl %0\n"
8895 +
8896 +#ifdef CONFIG_PAX_REFCOUNT
8897 + "jno 0f\n"
8898 + LOCK_PREFIX "incl %0\n"
8899 + "int $4\n0:\n"
8900 + _ASM_EXTABLE(0b, 0b)
8901 +#endif
8902 +
8903 + : "+m" (v->counter));
8904 +}
8905 +
8906 +/**
8907 + * atomic_dec_unchecked - decrement atomic variable
8908 + * @v: pointer of type atomic_unchecked_t
8909 + *
8910 + * Atomically decrements @v by 1.
8911 + */
8912 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
8913 +{
8914 + asm volatile(LOCK_PREFIX "decl %0\n"
8915 : "+m" (v->counter));
8916 }
8917
8918 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
8919 {
8920 unsigned char c;
8921
8922 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
8923 + asm volatile(LOCK_PREFIX "decl %0\n"
8924 +
8925 +#ifdef CONFIG_PAX_REFCOUNT
8926 + "jno 0f\n"
8927 + LOCK_PREFIX "incl %0\n"
8928 + "int $4\n0:\n"
8929 + _ASM_EXTABLE(0b, 0b)
8930 +#endif
8931 +
8932 + "sete %1\n"
8933 : "+m" (v->counter), "=qm" (c)
8934 : : "memory");
8935 return c != 0;
8936 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
8937 {
8938 unsigned char c;
8939
8940 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
8941 + asm volatile(LOCK_PREFIX "incl %0\n"
8942 +
8943 +#ifdef CONFIG_PAX_REFCOUNT
8944 + "jno 0f\n"
8945 + LOCK_PREFIX "decl %0\n"
8946 + "int $4\n0:\n"
8947 + _ASM_EXTABLE(0b, 0b)
8948 +#endif
8949 +
8950 + "sete %1\n"
8951 + : "+m" (v->counter), "=qm" (c)
8952 + : : "memory");
8953 + return c != 0;
8954 +}
8955 +
8956 +/**
8957 + * atomic_inc_and_test_unchecked - increment and test
8958 + * @v: pointer of type atomic_unchecked_t
8959 + *
8960 + * Atomically increments @v by 1
8961 + * and returns true if the result is zero, or false for all
8962 + * other cases.
8963 + */
8964 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8965 +{
8966 + unsigned char c;
8967 +
8968 + asm volatile(LOCK_PREFIX "incl %0\n"
8969 + "sete %1\n"
8970 : "+m" (v->counter), "=qm" (c)
8971 : : "memory");
8972 return c != 0;
8973 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
8974 {
8975 unsigned char c;
8976
8977 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
8978 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
8979 +
8980 +#ifdef CONFIG_PAX_REFCOUNT
8981 + "jno 0f\n"
8982 + LOCK_PREFIX "subl %2,%0\n"
8983 + "int $4\n0:\n"
8984 + _ASM_EXTABLE(0b, 0b)
8985 +#endif
8986 +
8987 + "sets %1\n"
8988 : "+m" (v->counter), "=qm" (c)
8989 : "ir" (i) : "memory");
8990 return c;
8991 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
8992 #endif
8993 /* Modern 486+ processor */
8994 __i = i;
8995 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8996 +
8997 +#ifdef CONFIG_PAX_REFCOUNT
8998 + "jno 0f\n"
8999 + "movl %0, %1\n"
9000 + "int $4\n0:\n"
9001 + _ASM_EXTABLE(0b, 0b)
9002 +#endif
9003 +
9004 + : "+r" (i), "+m" (v->counter)
9005 + : : "memory");
9006 + return i + __i;
9007 +
9008 +#ifdef CONFIG_M386
9009 +no_xadd: /* Legacy 386 processor */
9010 + local_irq_save(flags);
9011 + __i = atomic_read(v);
9012 + atomic_set(v, i + __i);
9013 + local_irq_restore(flags);
9014 + return i + __i;
9015 +#endif
9016 +}
9017 +
9018 +/**
9019 + * atomic_add_return_unchecked - add integer and return
9020 + * @v: pointer of type atomic_unchecked_t
9021 + * @i: integer value to add
9022 + *
9023 + * Atomically adds @i to @v and returns @i + @v
9024 + */
9025 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
9026 +{
9027 + int __i;
9028 +#ifdef CONFIG_M386
9029 + unsigned long flags;
9030 + if (unlikely(boot_cpu_data.x86 <= 3))
9031 + goto no_xadd;
9032 +#endif
9033 + /* Modern 486+ processor */
9034 + __i = i;
9035 asm volatile(LOCK_PREFIX "xaddl %0, %1"
9036 : "+r" (i), "+m" (v->counter)
9037 : : "memory");
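Review bot: The `no_xadd` legacy path that stays with the checked atomic_add_return computes `atomic_set(v, i + __i)` with no overflow test, so on a CONFIG_M386 kernel running on a 386 the checked variant wraps silently just like the _unchecked one. If that is accepted, a comment on the label should say so, e.g. `/* Legacy 386 processor: no overflow detection on this path */`; otherwise the sum needs a check before the store. The body of atomic_add_return_unchecked continues past the end of this hunk.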
9038 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
9039 }
9040
9041 #define atomic_inc_return(v) (atomic_add_return(1, v))
9042 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
9043 +{
9044 + return atomic_add_return_unchecked(1, v);
9045 +}
9046 #define atomic_dec_return(v) (atomic_sub_return(1, v))
9047
9048 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
9049 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
9050 return cmpxchg(&v->counter, old, new);
9051 }
9052
9053 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9054 +{
9055 + return cmpxchg(&v->counter, old, new);
9056 +}
9057 +
9058 static inline int atomic_xchg(atomic_t *v, int new)
9059 {
9060 return xchg(&v->counter, new);
9061 }
9062
9063 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9064 +{
9065 + return xchg(&v->counter, new);
9066 +}
9067 +
9068 /**
9069 * atomic_add_unless - add unless the number is already a given value
9070 * @v: pointer of type atomic_t
9071 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
9072 */
9073 static inline int atomic_add_unless(atomic_t *v, int a, int u)
9074 {
9075 - int c, old;
9076 + int c, old, new;
9077 c = atomic_read(v);
9078 for (;;) {
9079 - if (unlikely(c == (u)))
9080 + if (unlikely(c == u))
9081 break;
9082 - old = atomic_cmpxchg((v), c, c + (a));
9083 +
9084 + asm volatile("addl %2,%0\n"
9085 +
9086 +#ifdef CONFIG_PAX_REFCOUNT
9087 + "jno 0f\n"
9088 + "subl %2,%0\n"
9089 + "int $4\n0:\n"
9090 + _ASM_EXTABLE(0b, 0b)
9091 +#endif
9092 +
9093 + : "=r" (new)
9094 + : "0" (c), "ir" (a));
9095 +
9096 + old = atomic_cmpxchg(v, c, new);
9097 if (likely(old == c))
9098 break;
9099 c = old;
9100 }
9101 - return c != (u);
9102 + return c != u;
9103 }
9104
9105 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
9106
9107 +/**
9108 + * atomic_inc_not_zero_hint - increment if not null
9109 + * @v: pointer of type atomic_t
9110 + * @hint: probable value of the atomic before the increment
9111 + *
9112 + * This version of atomic_inc_not_zero() gives a hint of probable
9113 + * value of the atomic. This helps processor to not read the memory
9114 + * before doing the atomic read/modify/write cycle, lowering
9115 + * number of bus transactions on some arches.
9116 + *
9117 + * Returns: 0 if increment was not done, 1 otherwise.
9118 + */
9119 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
9120 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
9121 +{
9122 + int val, c = hint, new;
9123 +
9124 + /* sanity test, should be removed by compiler if hint is a constant */
9125 + if (!hint)
9126 + return atomic_inc_not_zero(v);
9127 +
9128 + do {
9129 + asm volatile("incl %0\n"
9130 +
9131 +#ifdef CONFIG_PAX_REFCOUNT
9132 + "jno 0f\n"
9133 + "decl %0\n"
9134 + "int $4\n0:\n"
9135 + _ASM_EXTABLE(0b, 0b)
9136 +#endif
9137 +
9138 + : "=r" (new)
9139 + : "0" (c));
9140 +
9141 + val = atomic_cmpxchg(v, c, new);
9142 + if (val == c)
9143 + return 1;
9144 + c = val;
9145 + } while (c);
9146 +
9147 + return 0;
9148 +}
9149 +
9150 /*
9151 * atomic_dec_if_positive - decrement by 1 if old value positive
9152 * @v: pointer of type atomic_t
9153 diff -urNp linux-2.6.39.1/arch/x86/include/asm/bitops.h linux-2.6.39.1/arch/x86/include/asm/bitops.h
9154 --- linux-2.6.39.1/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400
9155 +++ linux-2.6.39.1/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400
9156 @@ -38,7 +38,7 @@
9157 * a mask operation on a byte.
9158 */
9159 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9160 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9161 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9162 #define CONST_MASK(nr) (1 << ((nr) & 7))
9163
9164 /**
9165 diff -urNp linux-2.6.39.1/arch/x86/include/asm/boot.h linux-2.6.39.1/arch/x86/include/asm/boot.h
9166 --- linux-2.6.39.1/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400
9167 +++ linux-2.6.39.1/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400
9168 @@ -11,10 +11,15 @@
9169 #include <asm/pgtable_types.h>
9170
9171 /* Physical address where kernel should be loaded. */
9172 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9173 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9174 + (CONFIG_PHYSICAL_ALIGN - 1)) \
9175 & ~(CONFIG_PHYSICAL_ALIGN - 1))
9176
9177 +#ifndef __ASSEMBLY__
9178 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
9179 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9180 +#endif
9181 +
9182 /* Minimum kernel alignment, as a power of two */
9183 #ifdef CONFIG_X86_64
9184 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
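Review bot: `LOAD_PHYSICAL_ADDR` stops being a compile-time constant here and is left undefined for assembly, and neither consequence is stated at the definition. In C it now evaluates to the address of the external symbol `__LOAD_PHYSICAL_ADDR`, which nothing in this hunk defines (presumably the linker script does), so any use in a preprocessor `#if` or a constant initialiser would no longer build, and `.S` files have to use `____LOAD_PHYSICAL_ADDR`. I would add above the `#ifndef __ASSEMBLY__` block: `/* C code gets the link-time address of __LOAD_PHYSICAL_ADDR; assembly and constant expressions must use ____LOAD_PHYSICAL_ADDR */`. The two names differ only by two underscores, which is easy to misread.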
9185 diff -urNp linux-2.6.39.1/arch/x86/include/asm/cacheflush.h linux-2.6.39.1/arch/x86/include/asm/cacheflush.h
9186 --- linux-2.6.39.1/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
9187 +++ linux-2.6.39.1/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
9188 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
9189 unsigned long pg_flags = pg->flags & _PGMT_MASK;
9190
9191 if (pg_flags == _PGMT_DEFAULT)
9192 - return -1;
9193 + return ~0UL;
9194 else if (pg_flags == _PGMT_WC)
9195 return _PAGE_CACHE_WC;
9196 else if (pg_flags == _PGMT_UC_MINUS)
9197 diff -urNp linux-2.6.39.1/arch/x86/include/asm/cache.h linux-2.6.39.1/arch/x86/include/asm/cache.h
9198 --- linux-2.6.39.1/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
9199 +++ linux-2.6.39.1/arch/x86/include/asm/cache.h 2011-05-22 19:36:30.000000000 -0400
9200 @@ -5,12 +5,13 @@
9201
9202 /* L1 cache line size */
9203 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9204 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9205 +#define L1_CACHE_BYTES (_AC(1,U) << L1_CACHE_SHIFT)
9206
9207 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9208 +#define __read_only __attribute__((__section__(".data..read_only")))
9209
9210 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
9211 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
9212 +#define INTERNODE_CACHE_BYTES (_AC(1,U) << INTERNODE_CACHE_SHIFT)
9213
9214 #ifdef CONFIG_X86_VSMP
9215 #ifdef CONFIG_SMP
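Review bot: `__read_only` is introduced with no comment on what actually makes the data read-only. The attribute only places an object in the `.data..read_only` section; whether that section ends up mapped write-protected depends on the linker script and page-table setup, neither of which is in this hunk. A comment such as `/* placed in .data..read_only; write protection comes from how that section is mapped, not from this attribute */` would keep the name from promising more than the line delivers. Separately, `_AC(1,U)` makes `L1_CACHE_BYTES` and `INTERNODE_CACHE_BYTES` unsigned, so existing comparisons against signed values now convert to unsigned and are worth a grep.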
9216 diff -urNp linux-2.6.39.1/arch/x86/include/asm/checksum_32.h linux-2.6.39.1/arch/x86/include/asm/checksum_32.h
9217 --- linux-2.6.39.1/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400
9218 +++ linux-2.6.39.1/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400
9219 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9220 int len, __wsum sum,
9221 int *src_err_ptr, int *dst_err_ptr);
9222
9223 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9224 + int len, __wsum sum,
9225 + int *src_err_ptr, int *dst_err_ptr);
9226 +
9227 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9228 + int len, __wsum sum,
9229 + int *src_err_ptr, int *dst_err_ptr);
9230 +
9231 /*
9232 * Note: when you get a NULL pointer exception here this means someone
9233 * passed in an incorrect kernel address to one of these functions.
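Review bot: The two new prototypes, `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user`, take plain `void *` for the argument that is a user-space pointer, so the direction is carried only by the function name. The callers in the two later hunks of this file still pass `(__force void *)src` and `(__force void *)dst`, which discards the `__user` annotation exactly where it matters. Declaring `const void __user *src` on the from_user variant and `void __user *dst` on the to_user variant would let sparse catch a swapped call. At minimum each prototype should get a one-line comment saying which argument is the user pointer.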
9234 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9235 int *err_ptr)
9236 {
9237 might_sleep();
9238 - return csum_partial_copy_generic((__force void *)src, dst,
9239 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
9240 len, sum, err_ptr, NULL);
9241 }
9242
9243 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9244 {
9245 might_sleep();
9246 if (access_ok(VERIFY_WRITE, dst, len))
9247 - return csum_partial_copy_generic(src, (__force void *)dst,
9248 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9249 len, sum, NULL, err_ptr);
9250
9251 if (len)
9252 diff -urNp linux-2.6.39.1/arch/x86/include/asm/cpufeature.h linux-2.6.39.1/arch/x86/include/asm/cpufeature.h
9253 --- linux-2.6.39.1/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400
9254 +++ linux-2.6.39.1/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400
9255 @@ -351,7 +351,7 @@ static __always_inline __pure bool __sta
9256 ".section .discard,\"aw\",@progbits\n"
9257 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
9258 ".previous\n"
9259 - ".section .altinstr_replacement,\"ax\"\n"
9260 + ".section .altinstr_replacement,\"a\"\n"
9261 "3: movb $1,%0\n"
9262 "4:\n"
9263 ".previous\n"
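Review bot: The flags of `.altinstr_replacement` change from `\"ax\"` to `\"a\"` inside this inline asm with no comment, and the section is presumably declared in other places that emit alternatives. If any other declaration of the section in the same translation unit still says `\"ax\"`, the assembler will complain about changed section attributes, so all declarations have to change together; those are not visible in this hunk. The reason also deserves a comment next to the directive, e.g. `/* replacement bytes are copied over the original site, never executed in place, so the section need not be executable */`, assuming that is the intent. The enclosing function starts and ends outside the hunk.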
9264 diff -urNp linux-2.6.39.1/arch/x86/include/asm/desc_defs.h linux-2.6.39.1/arch/x86/include/asm/desc_defs.h
9265 --- linux-2.6.39.1/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400
9266 +++ linux-2.6.39.1/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400
9267 @@ -31,6 +31,12 @@ struct desc_struct {
9268 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9269 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9270 };
9271 + struct {
9272 + u16 offset_low;
9273 + u16 seg;
9274 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9275 + unsigned offset_high: 16;
9276 + } gate;
9277 };
9278 } __attribute__((packed));
9279
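Review bot: The new `gate` view relies on the compiler packing `reserved:8, type:4, s:1, dpl:2, p:1` and `offset_high:16` into a single 32-bit unit so that the member is exactly 8 bytes and overlays the existing descriptor fields; nothing in the hunk checks that. Because it is a union member, a layout that came out larger would silently grow `struct desc_struct` and shift every entry in the descriptor tables. A compile-time check in one of the users, e.g. `BUILD_BUG_ON(sizeof(struct desc_struct) != 8);`, would pin it. A short comment that this appears to be the 32-bit gate-descriptor layout would also help; the struct begins outside the hunk.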
9280 diff -urNp linux-2.6.39.1/arch/x86/include/asm/desc.h linux-2.6.39.1/arch/x86/include/asm/desc.h
9281 --- linux-2.6.39.1/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400
9282 +++ linux-2.6.39.1/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400
9283 @@ -4,6 +4,7 @@
9284 #include <asm/desc_defs.h>
9285 #include <asm/ldt.h>
9286 #include <asm/mmu.h>
9287 +#include <asm/pgtable.h>
9288 #include <linux/smp.h>
9289
9290 static inline void fill_ldt(struct desc_struct *desc,
9291 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9292 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9293 desc->type = (info->read_exec_only ^ 1) << 1;
9294 desc->type |= info->contents << 2;
9295 + desc->type |= info->seg_not_present ^ 1;
9296 desc->s = 1;
9297 desc->dpl = 0x3;
9298 desc->p = info->seg_not_present ^ 1;
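Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment, and it is not obvious that it sets bit 0 of the type field, which for code and data segments is the accessed bit. Pre-setting that bit for present segments means the CPU has no reason to write it back into the descriptor on first load, which presumably matters because other hunks in this file treat the descriptor tables as write-protected. I would add `/* pre-set the accessed bit so the CPU never has to write to the descriptor */` above the line. fill_ldt starts and ends outside the hunk.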
9299 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9300 }
9301
9302 extern struct desc_ptr idt_descr;
9303 -extern gate_desc idt_table[];
9304 -
9305 -struct gdt_page {
9306 - struct desc_struct gdt[GDT_ENTRIES];
9307 -} __attribute__((aligned(PAGE_SIZE)));
9308 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9309 +extern gate_desc idt_table[256];
9310
9311 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9312 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9313 {
9314 - return per_cpu(gdt_page, cpu).gdt;
9315 + return cpu_gdt_table[cpu];
9316 }
9317
9318 #ifdef CONFIG_X86_64
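Review bot: `get_cpu_gdt_table()` now indexes the static array `cpu_gdt_table[NR_CPUS][...]` directly with an unchecked `cpu`. Two things follow: the table costs one page per possible CPU at build time regardless of how many are present, and an out-of-range `cpu` yields a pointer into whatever follows the array, which the write helpers later in this file then modify. A comment on the declaration stating why the per-CPU `gdt_page` was replaced, plus a debug-time check such as `BUG_ON(cpu >= NR_CPUS);`, would make both explicit. The fixed size in `idt_table[256]` matches the `BUG_ON((unsigned)n > 0xFF)` checks in the gate helpers further down.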
9319 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9320 unsigned long base, unsigned dpl, unsigned flags,
9321 unsigned short seg)
9322 {
9323 - gate->a = (seg << 16) | (base & 0xffff);
9324 - gate->b = (base & 0xffff0000) |
9325 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9326 + gate->gate.offset_low = base;
9327 + gate->gate.seg = seg;
9328 + gate->gate.reserved = 0;
9329 + gate->gate.type = type;
9330 + gate->gate.s = 0;
9331 + gate->gate.dpl = dpl;
9332 + gate->gate.p = 1;
9333 + gate->gate.offset_high = base >> 16;
9334 }
9335
9336 #endif
9337 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9338 static inline void native_write_idt_entry(gate_desc *idt, int entry,
9339 const gate_desc *gate)
9340 {
9341 + pax_open_kernel();
9342 memcpy(&idt[entry], gate, sizeof(*gate));
9343 + pax_close_kernel();
9344 }
9345
9346 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9347 const void *desc)
9348 {
9349 + pax_open_kernel();
9350 memcpy(&ldt[entry], desc, 8);
9351 + pax_close_kernel();
9352 }
9353
9354 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
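Review bot: `native_write_idt_entry()` and `native_write_ldt_entry()` bracket their store with `pax_open_kernel()`/`pax_close_kernel()`, which by their names open a window in which otherwise read-only kernel data is writable, yet the signed `entry` used in `&idt[entry]` and `&ldt[entry]` is never range-checked. While that window is open an out-of-range index lands in memory that would normally be protected, so the index deserves a check before the window opens, e.g. `BUG_ON((unsigned)entry > 0xFF);` for the IDT, matching the `set_*_gate` helpers. The same pattern is added to `native_write_gdt_entry()` and `native_load_tls()` in the following hunks. A comment stating that every `pax_open_kernel()` must be paired with `pax_close_kernel()` on the same path, with no early return in between, would protect later edits; the definitions of both helpers are not visible here.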
9355 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9356 size = sizeof(struct desc_struct);
9357 break;
9358 }
9359 +
9360 + pax_open_kernel();
9361 memcpy(&gdt[entry], desc, size);
9362 + pax_close_kernel();
9363 }
9364
9365 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9366 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9367
9368 static inline void native_load_tr_desc(void)
9369 {
9370 + pax_open_kernel();
9371 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9372 + pax_close_kernel();
9373 }
9374
9375 static inline void native_load_gdt(const struct desc_ptr *dtr)
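Review bot: Wrapping `ltr` in `pax_open_kernel()`/`pax_close_kernel()` looks odd without a comment, because the instruction has no visible memory operand. `ltr` marks the selected TSS descriptor busy, which is a CPU write into the GDT, so the table has to be writable at that moment. I would add `/* ltr sets the busy bit in the TSS descriptor, i.e. it writes to the GDT */` above the asm statement.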
9376 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9377 unsigned int i;
9378 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9379
9380 + pax_open_kernel();
9381 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9382 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9383 + pax_close_kernel();
9384 }
9385
9386 #define _LDT_empty(info) \
9387 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9388 desc->limit = (limit >> 16) & 0xf;
9389 }
9390
9391 -static inline void _set_gate(int gate, unsigned type, void *addr,
9392 +static inline void _set_gate(int gate, unsigned type, const void *addr,
9393 unsigned dpl, unsigned ist, unsigned seg)
9394 {
9395 gate_desc s;
9396 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9397 * Pentium F0 0F bugfix can have resulted in the mapped
9398 * IDT being write-protected.
9399 */
9400 -static inline void set_intr_gate(unsigned int n, void *addr)
9401 +static inline void set_intr_gate(unsigned int n, const void *addr)
9402 {
9403 BUG_ON((unsigned)n > 0xFF);
9404 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9405 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9406 /*
9407 * This routine sets up an interrupt gate at directory privilege level 3.
9408 */
9409 -static inline void set_system_intr_gate(unsigned int n, void *addr)
9410 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
9411 {
9412 BUG_ON((unsigned)n > 0xFF);
9413 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9414 }
9415
9416 -static inline void set_system_trap_gate(unsigned int n, void *addr)
9417 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
9418 {
9419 BUG_ON((unsigned)n > 0xFF);
9420 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9421 }
9422
9423 -static inline void set_trap_gate(unsigned int n, void *addr)
9424 +static inline void set_trap_gate(unsigned int n, const void *addr)
9425 {
9426 BUG_ON((unsigned)n > 0xFF);
9427 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9428 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9429 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9430 {
9431 BUG_ON((unsigned)n > 0xFF);
9432 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9433 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9434 }
9435
9436 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9437 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9438 {
9439 BUG_ON((unsigned)n > 0xFF);
9440 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9441 }
9442
9443 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9444 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9445 {
9446 BUG_ON((unsigned)n > 0xFF);
9447 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9448 }
9449
9450 +#ifdef CONFIG_X86_32
9451 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9452 +{
9453 + struct desc_struct d;
9454 +
9455 + if (likely(limit))
9456 + limit = (limit - 1UL) >> PAGE_SHIFT;
9457 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
9458 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9459 +}
9460 +#endif
9461 +
9462 #endif /* _ASM_X86_DESC_H */
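Review bot: `set_user_cs()` passes `limit` through unchanged when it is 0, and with the granularity bit set in the `0xC` flags a limit field of 0 still describes a 4 KiB segment, not an empty one. If a caller can pass 0 to mean "no executable range", the result is a user code segment covering the first page, so the zero case should be either rejected or documented; the callers are outside this hunk. The literals also need a comment, e.g. `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4 KiB granularity, 32-bit default size */`. `cpu` is forwarded to `get_cpu_gdt_table()` without a range check.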
9463 diff -urNp linux-2.6.39.1/arch/x86/include/asm/device.h linux-2.6.39.1/arch/x86/include/asm/device.h
9464 --- linux-2.6.39.1/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
9465 +++ linux-2.6.39.1/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
9466 @@ -6,7 +6,7 @@ struct dev_archdata {
9467 void *acpi_handle;
9468 #endif
9469 #ifdef CONFIG_X86_64
9470 -struct dma_map_ops *dma_ops;
9471 + const struct dma_map_ops *dma_ops;
9472 #endif
9473 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
9474 void *iommu; /* hook for IOMMU specific extension */
9475 diff -urNp linux-2.6.39.1/arch/x86/include/asm/dma-mapping.h linux-2.6.39.1/arch/x86/include/asm/dma-mapping.h
9476 --- linux-2.6.39.1/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
9477 +++ linux-2.6.39.1/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
9478 @@ -26,9 +26,9 @@ extern int iommu_merge;
9479 extern struct device x86_dma_fallback_dev;
9480 extern int panic_on_overflow;
9481
9482 -extern struct dma_map_ops *dma_ops;
9483 +extern const struct dma_map_ops *dma_ops;
9484
9485 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9486 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9487 {
9488 #ifdef CONFIG_X86_32
9489 return dma_ops;
9490 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
9491 /* Make sure we keep the same behaviour */
9492 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9493 {
9494 - struct dma_map_ops *ops = get_dma_ops(dev);
9495 + const struct dma_map_ops *ops = get_dma_ops(dev);
9496 if (ops->mapping_error)
9497 return ops->mapping_error(dev, dma_addr);
9498
9499 @@ -115,7 +115,7 @@ static inline void *
9500 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9501 gfp_t gfp)
9502 {
9503 - struct dma_map_ops *ops = get_dma_ops(dev);
9504 + const struct dma_map_ops *ops = get_dma_ops(dev);
9505 void *memory;
9506
9507 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9508 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
9509 static inline void dma_free_coherent(struct device *dev, size_t size,
9510 void *vaddr, dma_addr_t bus)
9511 {
9512 - struct dma_map_ops *ops = get_dma_ops(dev);
9513 + const struct dma_map_ops *ops = get_dma_ops(dev);
9514
9515 WARN_ON(irqs_disabled()); /* for portability */
9516
9517 diff -urNp linux-2.6.39.1/arch/x86/include/asm/e820.h linux-2.6.39.1/arch/x86/include/asm/e820.h
9518 --- linux-2.6.39.1/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400
9519 +++ linux-2.6.39.1/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400
9520 @@ -69,7 +69,7 @@ struct e820map {
9521 #define ISA_START_ADDRESS 0xa0000
9522 #define ISA_END_ADDRESS 0x100000
9523
9524 -#define BIOS_BEGIN 0x000a0000
9525 +#define BIOS_BEGIN 0x000c0000
9526 #define BIOS_END 0x00100000
9527
9528 #define BIOS_ROM_BASE 0xffe00000
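Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, while `ISA_START_ADDRESS` a few lines up stays at `0xa0000`. The range 0xa0000–0xbffff (conventionally the legacy video memory window) is therefore no longer inside BIOS_BEGIN..BIOS_END, which changes the outcome of every range test built on these two macros; those users are not in this hunk. Please add a comment such as `/* excludes the legacy video window below 0xc0000 */` together with the reason the narrower range is wanted, so the divergence from `ISA_START_ADDRESS` is not mistaken for a typo.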
9529 diff -urNp linux-2.6.39.1/arch/x86/include/asm/elf.h linux-2.6.39.1/arch/x86/include/asm/elf.h
9530 --- linux-2.6.39.1/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
9531 +++ linux-2.6.39.1/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
9532 @@ -237,7 +237,25 @@ extern int force_personality32;
9533 the loader. We need to make sure that it is out of the way of the program
9534 that it will "exec", and that there is sufficient room for the brk. */
9535
9536 +#ifdef CONFIG_PAX_SEGMEXEC
9537 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9538 +#else
9539 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9540 +#endif
9541 +
9542 +#ifdef CONFIG_PAX_ASLR
9543 +#ifdef CONFIG_X86_32
9544 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9545 +
9546 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9547 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9548 +#else
9549 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
9550 +
9551 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9552 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9553 +#endif
9554 +#endif
9555
9556 /* This yields a mask that user programs can use to figure out what
9557 instruction set this CPU supports. This could be done in user space,
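Review bot: The new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` macros carry no units or rationale. They read as a count of randomised address bits (15 or 16 on 32-bit, `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` on 64-bit), but that is an inference, and the `- 3` is unexplained. Under `CONFIG_PAX_SEGMEXEC`, `ELF_ET_DYN_BASE` also stops being a constant and dereferences `current->mm`, so it is only safe where `current->mm` is non-NULL; a comment saying so would prevent use from a context without an mm. Suggested above the definitions: `/* number of address bits randomised for the mmap and stack bases */`, adjusted if the meaning is different.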
9558 @@ -291,8 +309,7 @@ do { \
9559 #define ARCH_DLINFO \
9560 do { \
9561 if (vdso_enabled) \
9562 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9563 - (unsigned long)current->mm->context.vdso); \
9564 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
9565 } while (0)
9566
9567 #define AT_SYSINFO 32
9568 @@ -303,7 +320,7 @@ do { \
9569
9570 #endif /* !CONFIG_X86_32 */
9571
9572 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9573 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9574
9575 #define VDSO_ENTRY \
9576 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9577 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
9578 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9579 #define compat_arch_setup_additional_pages syscall32_setup_pages
9580
9581 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9582 -#define arch_randomize_brk arch_randomize_brk
9583 -
9584 #endif /* _ASM_X86_ELF_H */
9585 diff -urNp linux-2.6.39.1/arch/x86/include/asm/emergency-restart.h linux-2.6.39.1/arch/x86/include/asm/emergency-restart.h
9586 --- linux-2.6.39.1/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400
9587 +++ linux-2.6.39.1/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400
9588 @@ -15,6 +15,6 @@ enum reboot_type {
9589
9590 extern enum reboot_type reboot_type;
9591
9592 -extern void machine_emergency_restart(void);
9593 +extern void machine_emergency_restart(void) __noreturn;
9594
9595 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9596 diff -urNp linux-2.6.39.1/arch/x86/include/asm/futex.h linux-2.6.39.1/arch/x86/include/asm/futex.h
9597 --- linux-2.6.39.1/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400
9598 +++ linux-2.6.39.1/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400
9599 @@ -12,16 +12,18 @@
9600 #include <asm/system.h>
9601
9602 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9603 + typecheck(u32 *, uaddr); \
9604 asm volatile("1:\t" insn "\n" \
9605 "2:\t.section .fixup,\"ax\"\n" \
9606 "3:\tmov\t%3, %1\n" \
9607 "\tjmp\t2b\n" \
9608 "\t.previous\n" \
9609 _ASM_EXTABLE(1b, 3b) \
9610 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9611 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
9612 : "i" (-EFAULT), "0" (oparg), "1" (0))
9613
9614 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9615 + typecheck(u32 *, uaddr); \
9616 asm volatile("1:\tmovl %2, %0\n" \
9617 "\tmovl\t%0, %3\n" \
9618 "\t" insn "\n" \
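Review bot: Adding `typecheck(u32 *, uaddr);` in front of the `asm volatile` turns `__futex_atomic_op1` and `__futex_atomic_op2` into two-statement macros that are not wrapped in `do { ... } while (0)`. The uses visible later in this file sit in `case` arms, where that works, but under an unbraced `if` only the `typecheck` would be conditional and the user-memory access would run regardless. Wrapping both macro bodies in `do { ... } while (0)` removes the hazard. The `____m()` wrapper around `uaddr` in the memory operand is defined elsewhere and would benefit from a one-line comment here; `__futex_atomic_op2` continues past the end of this hunk.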
9619 @@ -34,7 +36,7 @@
9620 _ASM_EXTABLE(1b, 4b) \
9621 _ASM_EXTABLE(2b, 4b) \
9622 : "=&a" (oldval), "=&r" (ret), \
9623 - "+m" (*uaddr), "=&r" (tem) \
9624 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
9625 : "r" (oparg), "i" (-EFAULT), "1" (0))
9626
9627 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9628 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9629
9630 switch (op) {
9631 case FUTEX_OP_SET:
9632 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9633 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9634 break;
9635 case FUTEX_OP_ADD:
9636 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9637 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9638 uaddr, oparg);
9639 break;
9640 case FUTEX_OP_OR:
9641 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
9642 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9643 return -EFAULT;
9644
9645 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
9646 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
9647 "2:\t.section .fixup, \"ax\"\n"
9648 "3:\tmov %3, %0\n"
9649 "\tjmp 2b\n"
9650 "\t.previous\n"
9651 _ASM_EXTABLE(1b, 3b)
9652 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
9653 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9654 : "i" (-EFAULT), "r" (newval), "1" (oldval)
9655 : "memory"
9656 );
9657 diff -urNp linux-2.6.39.1/arch/x86/include/asm/hw_irq.h linux-2.6.39.1/arch/x86/include/asm/hw_irq.h
9658 --- linux-2.6.39.1/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400
9659 +++ linux-2.6.39.1/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400
9660 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
9661 extern void enable_IO_APIC(void);
9662
9663 /* Statistics */
9664 -extern atomic_t irq_err_count;
9665 -extern atomic_t irq_mis_count;
9666 +extern atomic_unchecked_t irq_err_count;
9667 +extern atomic_unchecked_t irq_mis_count;
9668
9669 /* EISA */
9670 extern void eisa_set_level_irq(unsigned int irq);
9671 diff -urNp linux-2.6.39.1/arch/x86/include/asm/i387.h linux-2.6.39.1/arch/x86/include/asm/i387.h
9672 --- linux-2.6.39.1/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400
9673 +++ linux-2.6.39.1/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400
9674 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
9675 {
9676 int err;
9677
9678 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9679 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9680 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9681 +#endif
9682 +
9683 /* See comment in fxsave() below. */
9684 #ifdef CONFIG_AS_FXSAVEQ
9685 asm volatile("1: fxrstorq %[fx]\n\t"
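Review bot: The `PAX_USER_SHADOW_BASE` rebasing is open-coded here and again in `fxsave_user()` in the next hunk, once with plain pointer casts and once with `__user` casts. A small helper shared by both would keep the comparison and the offset in step if either ever changes. There is also no comment on why a pointer below `PAX_USER_SHADOW_BASE` is shifted up; something like `/* UDEREF: addresses below the shadow base are reached through the shadow mapping */` would help, assuming that is what the constant denotes. Both functions continue outside their hunks.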
9686 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
9687 {
9688 int err;
9689
9690 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9691 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9692 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9693 +#endif
9694 +
9695 /*
9696 * Clear the bytes not touched by the fxsave and reserved
9697 * for the SW usage.
9698 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
9699 #endif /* CONFIG_X86_64 */
9700
9701 /* We need a safe address that is cheap to find and that is already
9702 - in L1 during context switch. The best choices are unfortunately
9703 - different for UP and SMP */
9704 -#ifdef CONFIG_SMP
9705 -#define safe_address (__per_cpu_offset[0])
9706 -#else
9707 -#define safe_address (kstat_cpu(0).cpustat.user)
9708 -#endif
9709 + in L1 during context switch. */
9710 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9711
9712 /*
9713 * These must be called with preempt disabled
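Review bot: `safe_address` now expands to `init_tss[smp_processor_id()].x86_tss.sp0`, so it is only valid where the CPU number is stable, i.e. with preemption disabled. The comment that follows says the functions below must be called with preemption disabled, but the macro itself carries no such note and can be used from anywhere in the file. The rewritten comment also no longer says why this particular address is a good choice; I would extend it to `/* ... in L1 during context switch; uses smp_processor_id(), so callers must have preemption disabled */`.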
9714 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
9715 struct thread_info *me = current_thread_info();
9716 preempt_disable();
9717 if (me->status & TS_USEDFPU)
9718 - __save_init_fpu(me->task);
9719 + __save_init_fpu(current);
9720 else
9721 clts();
9722 }
9723 diff -urNp linux-2.6.39.1/arch/x86/include/asm/io.h linux-2.6.39.1/arch/x86/include/asm/io.h
9724 --- linux-2.6.39.1/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400
9725 +++ linux-2.6.39.1/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400
9726 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
9727
9728 #include <linux/vmalloc.h>
9729
9730 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9731 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9732 +{
9733 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9734 +}
9735 +
9736 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9737 +{
9738 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9739 +}
9740 +
9741 /*
9742 * Convert a virtual cached pointer to an uncached pointer
9743 */
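Review bot: Both new range checks add before they compare, so the sum can wrap. In `valid_phys_addr_range()`, `addr + count + PAGE_SIZE - 1` is evaluated in `unsigned long`; where that type is 32 bits, a large `count` wraps the sum to a small value that passes the `<` test, and `pfn + (count >> PAGE_SHIFT)` in `valid_mmap_phys_addr_range()` has the same shape. Widening before the addition, `((u64)addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT` and `(u64)pfn + (count >> PAGE_SHIFT)`, closes the 32-bit case; on 64-bit an explicit comparison of `count` against the remaining range is needed instead. The trailing `? 1 : 0` is redundant, since the comparison already yields 0 or 1.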
9744 diff -urNp linux-2.6.39.1/arch/x86/include/asm/iommu.h linux-2.6.39.1/arch/x86/include/asm/iommu.h
9745 --- linux-2.6.39.1/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
9746 +++ linux-2.6.39.1/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
9747 @@ -1,7 +1,7 @@
9748 #ifndef _ASM_X86_IOMMU_H
9749 #define _ASM_X86_IOMMU_H
9750
9751 -extern struct dma_map_ops nommu_dma_ops;
9752 +extern const struct dma_map_ops nommu_dma_ops;
9753 extern int force_iommu, no_iommu;
9754 extern int iommu_detected;
9755 extern int iommu_pass_through;
9756 diff -urNp linux-2.6.39.1/arch/x86/include/asm/irqflags.h linux-2.6.39.1/arch/x86/include/asm/irqflags.h
9757 --- linux-2.6.39.1/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400
9758 +++ linux-2.6.39.1/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400
9759 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
9760 sti; \
9761 sysexit
9762
9763 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
9764 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
9765 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
9766 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
9767 +
9768 #else
9769 #define INTERRUPT_RETURN iret
9770 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
9771 diff -urNp linux-2.6.39.1/arch/x86/include/asm/kprobes.h linux-2.6.39.1/arch/x86/include/asm/kprobes.h
9772 --- linux-2.6.39.1/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400
9773 +++ linux-2.6.39.1/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400
9774 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
9775 #define RELATIVEJUMP_SIZE 5
9776 #define RELATIVECALL_OPCODE 0xe8
9777 #define RELATIVE_ADDR_SIZE 4
9778 -#define MAX_STACK_SIZE 64
9779 -#define MIN_STACK_SIZE(ADDR) \
9780 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
9781 - THREAD_SIZE - (unsigned long)(ADDR))) \
9782 - ? (MAX_STACK_SIZE) \
9783 - : (((unsigned long)current_thread_info()) + \
9784 - THREAD_SIZE - (unsigned long)(ADDR)))
9785 +#define MAX_STACK_SIZE 64UL
9786 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
9787
9788 #define flush_insn_slot(p) do { } while (0)
9789
9790 diff -urNp linux-2.6.39.1/arch/x86/include/asm/kvm_host.h linux-2.6.39.1/arch/x86/include/asm/kvm_host.h
9791 --- linux-2.6.39.1/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
9792 +++ linux-2.6.39.1/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400
9793 @@ -419,7 +419,7 @@ struct kvm_arch {
9794 unsigned int n_used_mmu_pages;
9795 unsigned int n_requested_mmu_pages;
9796 unsigned int n_max_mmu_pages;
9797 - atomic_t invlpg_counter;
9798 + atomic_unchecked_t invlpg_counter;
9799 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
9800 /*
9801 * Hash table of struct kvm_mmu_page.
9802 @@ -599,7 +599,7 @@ struct kvm_arch_async_pf {
9803 bool direct_map;
9804 };
9805
9806 -extern struct kvm_x86_ops *kvm_x86_ops;
9807 +extern const struct kvm_x86_ops *kvm_x86_ops;
9808
9809 int kvm_mmu_module_init(void);
9810 void kvm_mmu_module_exit(void);
9811 diff -urNp linux-2.6.39.1/arch/x86/include/asm/local.h linux-2.6.39.1/arch/x86/include/asm/local.h
9812 --- linux-2.6.39.1/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400
9813 +++ linux-2.6.39.1/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400
9814 @@ -18,26 +18,58 @@ typedef struct {
9815
9816 static inline void local_inc(local_t *l)
9817 {
9818 - asm volatile(_ASM_INC "%0"
9819 + asm volatile(_ASM_INC "%0\n"
9820 +
9821 +#ifdef CONFIG_PAX_REFCOUNT
9822 + "jno 0f\n"
9823 + _ASM_DEC "%0\n"
9824 + "int $4\n0:\n"
9825 + _ASM_EXTABLE(0b, 0b)
9826 +#endif
9827 +
9828 : "+m" (l->a.counter));
9829 }
9830
9831 static inline void local_dec(local_t *l)
9832 {
9833 - asm volatile(_ASM_DEC "%0"
9834 + asm volatile(_ASM_DEC "%0\n"
9835 +
9836 +#ifdef CONFIG_PAX_REFCOUNT
9837 + "jno 0f\n"
9838 + _ASM_INC "%0\n"
9839 + "int $4\n0:\n"
9840 + _ASM_EXTABLE(0b, 0b)
9841 +#endif
9842 +
9843 : "+m" (l->a.counter));
9844 }
9845
9846 static inline void local_add(long i, local_t *l)
9847 {
9848 - asm volatile(_ASM_ADD "%1,%0"
9849 + asm volatile(_ASM_ADD "%1,%0\n"
9850 +
9851 +#ifdef CONFIG_PAX_REFCOUNT
9852 + "jno 0f\n"
9853 + _ASM_SUB "%1,%0\n"
9854 + "int $4\n0:\n"
9855 + _ASM_EXTABLE(0b, 0b)
9856 +#endif
9857 +
9858 : "+m" (l->a.counter)
9859 : "ir" (i));
9860 }
9861
9862 static inline void local_sub(long i, local_t *l)
9863 {
9864 - asm volatile(_ASM_SUB "%1,%0"
9865 + asm volatile(_ASM_SUB "%1,%0\n"
9866 +
9867 +#ifdef CONFIG_PAX_REFCOUNT
9868 + "jno 0f\n"
9869 + _ASM_ADD "%1,%0\n"
9870 + "int $4\n0:\n"
9871 + _ASM_EXTABLE(0b, 0b)
9872 +#endif
9873 +
9874 : "+m" (l->a.counter)
9875 : "ir" (i));
9876 }
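Review bot: The overflow guard (`jno 0f`, undo instruction, `int $4`, `0:`, `_ASM_EXTABLE(0b, 0b)`) is pasted into every operation in this file, here and in the five later hunks, each time with a hand-picked inverse instruction. One wrong inverse would leave the counter corrupted after a detected overflow, so a single macro taking the inverse as its argument would be safer. In the `*_and_test` and `local_add_negative` variants the `sete`/`sets` now follows the guard, so on the overflow path the flag it samples comes from the undo instruction (assuming the trap handler resumes at `0:` with flags preserved) and the return value then describes the restored counter; that deserves a comment. In `local_add_return` the undo is a plain `_ASM_MOV` of the old value, which is correct only if nothing else modified the counter between the `xadd` and the `mov`.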
9877 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
9878 {
9879 unsigned char c;
9880
9881 - asm volatile(_ASM_SUB "%2,%0; sete %1"
9882 + asm volatile(_ASM_SUB "%2,%0\n"
9883 +
9884 +#ifdef CONFIG_PAX_REFCOUNT
9885 + "jno 0f\n"
9886 + _ASM_ADD "%2,%0\n"
9887 + "int $4\n0:\n"
9888 + _ASM_EXTABLE(0b, 0b)
9889 +#endif
9890 +
9891 + "sete %1\n"
9892 : "+m" (l->a.counter), "=qm" (c)
9893 : "ir" (i) : "memory");
9894 return c;
9895 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
9896 {
9897 unsigned char c;
9898
9899 - asm volatile(_ASM_DEC "%0; sete %1"
9900 + asm volatile(_ASM_DEC "%0\n"
9901 +
9902 +#ifdef CONFIG_PAX_REFCOUNT
9903 + "jno 0f\n"
9904 + _ASM_INC "%0\n"
9905 + "int $4\n0:\n"
9906 + _ASM_EXTABLE(0b, 0b)
9907 +#endif
9908 +
9909 + "sete %1\n"
9910 : "+m" (l->a.counter), "=qm" (c)
9911 : : "memory");
9912 return c != 0;
9913 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
9914 {
9915 unsigned char c;
9916
9917 - asm volatile(_ASM_INC "%0; sete %1"
9918 + asm volatile(_ASM_INC "%0\n"
9919 +
9920 +#ifdef CONFIG_PAX_REFCOUNT
9921 + "jno 0f\n"
9922 + _ASM_DEC "%0\n"
9923 + "int $4\n0:\n"
9924 + _ASM_EXTABLE(0b, 0b)
9925 +#endif
9926 +
9927 + "sete %1\n"
9928 : "+m" (l->a.counter), "=qm" (c)
9929 : : "memory");
9930 return c != 0;
9931 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
9932 {
9933 unsigned char c;
9934
9935 - asm volatile(_ASM_ADD "%2,%0; sets %1"
9936 + asm volatile(_ASM_ADD "%2,%0\n"
9937 +
9938 +#ifdef CONFIG_PAX_REFCOUNT
9939 + "jno 0f\n"
9940 + _ASM_SUB "%2,%0\n"
9941 + "int $4\n0:\n"
9942 + _ASM_EXTABLE(0b, 0b)
9943 +#endif
9944 +
9945 + "sets %1\n"
9946 : "+m" (l->a.counter), "=qm" (c)
9947 : "ir" (i) : "memory");
9948 return c;
9949 @@ -133,7 +201,15 @@ static inline long local_add_return(long
9950 #endif
9951 /* Modern 486+ processor */
9952 __i = i;
9953 - asm volatile(_ASM_XADD "%0, %1;"
9954 + asm volatile(_ASM_XADD "%0, %1\n"
9955 +
9956 +#ifdef CONFIG_PAX_REFCOUNT
9957 + "jno 0f\n"
9958 + _ASM_MOV "%0,%1\n"
9959 + "int $4\n0:\n"
9960 + _ASM_EXTABLE(0b, 0b)
9961 +#endif
9962 +
9963 : "+r" (i), "+m" (l->a.counter)
9964 : : "memory");
9965 return i + __i;
9966 diff -urNp linux-2.6.39.1/arch/x86/include/asm/mce.h linux-2.6.39.1/arch/x86/include/asm/mce.h
9967 --- linux-2.6.39.1/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400
9968 +++ linux-2.6.39.1/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400
9969 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
9970 void mce_notify_process(void);
9971
9972 DECLARE_PER_CPU(struct mce, injectm);
9973 -extern struct file_operations mce_chrdev_ops;
9974 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
9975
9976 /*
9977 * Exception handler
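Review bot: The new comment's file reference ends at `mcheck/mce.` with no suffix, so it reads as truncated, and it gives no reason why `mce_chrdev_ops` cannot be const. Anyone constifying this header later needs the reason rather than a pointer to another file. I would state it in the comment itself, in the form `/* cannot be const: <reason>; see <file> */`, with the actual cause and the full file name filled in.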
9978 diff -urNp linux-2.6.39.1/arch/x86/include/asm/microcode.h linux-2.6.39.1/arch/x86/include/asm/microcode.h
9979 --- linux-2.6.39.1/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400
9980 +++ linux-2.6.39.1/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400
9981 @@ -12,13 +12,13 @@ struct device;
9982 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
9983
9984 struct microcode_ops {
9985 - enum ucode_state (*request_microcode_user) (int cpu,
9986 + enum ucode_state (* const request_microcode_user) (int cpu,
9987 const void __user *buf, size_t size);
9988
9989 - enum ucode_state (*request_microcode_fw) (int cpu,
9990 + enum ucode_state (* const request_microcode_fw) (int cpu,
9991 struct device *device);
9992
9993 - void (*microcode_fini_cpu) (int cpu);
9994 + void (* const microcode_fini_cpu) (int cpu);
9995
9996 /*
9997 * The generic 'microcode_core' part guarantees that
9998 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
9999 extern struct ucode_cpu_info ucode_cpu_info[];
10000
10001 #ifdef CONFIG_MICROCODE_INTEL
10002 -extern struct microcode_ops * __init init_intel_microcode(void);
10003 +extern const struct microcode_ops * __init init_intel_microcode(void);
10004 #else
10005 -static inline struct microcode_ops * __init init_intel_microcode(void)
10006 +static inline const struct microcode_ops * __init init_intel_microcode(void)
10007 {
10008 return NULL;
10009 }
10010 #endif /* CONFIG_MICROCODE_INTEL */
10011
10012 #ifdef CONFIG_MICROCODE_AMD
10013 -extern struct microcode_ops * __init init_amd_microcode(void);
10014 +extern const struct microcode_ops * __init init_amd_microcode(void);
10015
10016 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
10017 {
10018 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
10019 }
10020
10021 #else
10022 -static inline struct microcode_ops * __init init_amd_microcode(void)
10023 +static inline const struct microcode_ops * __init init_amd_microcode(void)
10024 {
10025 return NULL;
10026 }
10027 diff -urNp linux-2.6.39.1/arch/x86/include/asm/mman.h linux-2.6.39.1/arch/x86/include/asm/mman.h
10028 --- linux-2.6.39.1/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400
10029 +++ linux-2.6.39.1/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400
10030 @@ -5,4 +5,14 @@
10031
10032 #include <asm-generic/mman.h>
10033
10034 +#ifdef __KERNEL__
10035 +#ifndef __ASSEMBLY__
10036 +#ifdef CONFIG_X86_32
10037 +#define arch_mmap_check i386_mmap_check
10038 +int i386_mmap_check(unsigned long addr, unsigned long len,
10039 + unsigned long flags);
10040 +#endif
10041 +#endif
10042 +#endif
10043 +
10044 #endif /* _ASM_X86_MMAN_H */
10045 diff -urNp linux-2.6.39.1/arch/x86/include/asm/mmu_context.h linux-2.6.39.1/arch/x86/include/asm/mmu_context.h
10046 --- linux-2.6.39.1/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400
10047 +++ linux-2.6.39.1/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400
10048 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
10049
10050 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10051 {
10052 +
10053 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10054 + unsigned int i;
10055 + pgd_t *pgd;
10056 +
10057 + pax_open_kernel();
10058 + pgd = get_cpu_pgd(smp_processor_id());
10059 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10060 + if (paravirt_enabled())
10061 + set_pgd(pgd+i, native_make_pgd(0));
10062 + else
10063 + pgd[i] = native_make_pgd(0);
10064 + pax_close_kernel();
10065 +#endif
10066 +
10067 #ifdef CONFIG_SMP
10068 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10069 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
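Review bot: The new block in `enter_lazy_tlb()` calls `get_cpu_pgd()` under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`, but the pgtable.h part of this patch declares `get_cpu_pgd()` only under `CONFIG_PAX_PER_CPU_PGD`. The build therefore relies on a Kconfig dependency that is not visible here; an `#error` for UDEREF without PER_CPU_PGD, or at least a comment, would make it explicit. The loop body is an unbraced `if`/`else` under an unbraced `for`, and it needs a comment on why the paravirt case goes through `set_pgd()` while the native case stores to `pgd[i]` directly. The function continues below the hunk.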
10070 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
10071 struct task_struct *tsk)
10072 {
10073 unsigned cpu = smp_processor_id();
10074 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
10075 + int tlbstate = TLBSTATE_OK;
10076 +#endif
10077
10078 if (likely(prev != next)) {
10079 #ifdef CONFIG_SMP
10080 +#ifdef CONFIG_X86_32
10081 + tlbstate = percpu_read(cpu_tlbstate.state);
10082 +#endif
10083 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10084 percpu_write(cpu_tlbstate.active_mm, next);
10085 #endif
10086 cpumask_set_cpu(cpu, mm_cpumask(next));
10087
10088 /* Re-load page tables */
10089 +#ifdef CONFIG_PAX_PER_CPU_PGD
10090 + pax_open_kernel();
10091 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10092 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10093 + pax_close_kernel();
10094 + load_cr3(get_cpu_pgd(cpu));
10095 +#else
10096 load_cr3(next->pgd);
10097 +#endif
10098
10099 /* stop flush ipis for the previous mm */
10100 cpumask_clear_cpu(cpu, mm_cpumask(prev));
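Review bot: The five-line per-CPU PGD reload added here under `CONFIG_PAX_PER_CPU_PGD` (`pax_open_kernel()` through `load_cr3(get_cpu_pgd(cpu))`) is repeated verbatim in the `else` branch added by the next hunk of `switch_mm()`. Moving it into one `static inline` helper that takes `cpu` and `next` would keep the open/close pairing and the CR3 load in a single place, so a later change cannot update one copy and miss the other. `switch_mm()` starts above this hunk and continues past it.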
10101 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
10102 */
10103 if (unlikely(prev->context.ldt != next->context.ldt))
10104 load_LDT_nolock(&next->context);
10105 - }
10106 +
10107 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10108 + if (!(__supported_pte_mask & _PAGE_NX)) {
10109 + smp_mb__before_clear_bit();
10110 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10111 + smp_mb__after_clear_bit();
10112 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10113 + }
10114 +#endif
10115 +
10116 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10117 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10118 + prev->context.user_cs_limit != next->context.user_cs_limit))
10119 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10120 #ifdef CONFIG_SMP
10121 + else if (unlikely(tlbstate != TLBSTATE_OK))
10122 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10123 +#endif
10124 +#endif
10125 +
10126 + }
10127 else {
10128 +
10129 +#ifdef CONFIG_PAX_PER_CPU_PGD
10130 + pax_open_kernel();
10131 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10132 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10133 + pax_close_kernel();
10134 + load_cr3(get_cpu_pgd(cpu));
10135 +#endif
10136 +
10137 +#ifdef CONFIG_SMP
10138 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10139 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10140
10141 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
10142 * tlb flush IPI delivery. We must reload CR3
10143 * to make sure to use no freed page tables.
10144 */
10145 +
10146 +#ifndef CONFIG_PAX_PER_CPU_PGD
10147 load_cr3(next->pgd);
10148 +#endif
10149 +
10150 load_LDT_nolock(&next->context);
10151 +
10152 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10153 + if (!(__supported_pte_mask & _PAGE_NX))
10154 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10155 +#endif
10156 +
10157 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10158 +#ifdef CONFIG_PAX_PAGEEXEC
10159 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
10160 +#endif
10161 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10162 +#endif
10163 +
10164 }
10165 - }
10166 #endif
10167 + }
10168 }
10169
10170 #define activate_mm(prev, next) \
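Review bot: In the `else` branch of `switch_mm()`, the added `if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))` sits inside `#ifdef CONFIG_PAX_PAGEEXEC` while the `set_user_cs()` statement it controls sits outside it, so whether the call is conditional depends on the preprocessor. Bracing the statement, or computing the condition into a local first, would make both configurations read as complete statements. The `cpu_set(cpu, next->context.cpu_user_cs_mask)` guard just above also omits `defined(CONFIG_SMP)`, although mmu.h in this patch declares the field only under `CONFIG_PAX_PAGEEXEC && CONFIG_SMP`. It compiles because of the enclosing `#ifdef CONFIG_SMP`; spelling the condition out as the earlier hunk does would be more consistent.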
10171 diff -urNp linux-2.6.39.1/arch/x86/include/asm/mmu.h linux-2.6.39.1/arch/x86/include/asm/mmu.h
10172 --- linux-2.6.39.1/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400
10173 +++ linux-2.6.39.1/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400
10174 @@ -9,10 +9,22 @@
10175 * we put the segment information here.
10176 */
10177 typedef struct {
10178 - void *ldt;
10179 + struct desc_struct *ldt;
10180 int size;
10181 struct mutex lock;
10182 - void *vdso;
10183 + unsigned long vdso;
10184 +
10185 +#ifdef CONFIG_X86_32
10186 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10187 + unsigned long user_cs_base;
10188 + unsigned long user_cs_limit;
10189 +
10190 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10191 + cpumask_t cpu_user_cs_mask;
10192 +#endif
10193 +
10194 +#endif
10195 +#endif
10196
10197 #ifdef CONFIG_X86_64
10198 /* True if mm supports a task running in 32 bit compatibility mode. */
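Review bot: The three fields added to the context struct, `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask`, have no comments, unlike the 64-bit field that follows them. From mmu_context.h in this patch, the first two are the values handed to `set_user_cs()` on a context switch, and the mask is updated with `cpu_set()`/`cpu_clear()` when `_PAGE_NX` is not in `__supported_pte_mask`; a one-line comment per field saying that would do. It would also help to note why `vdso` became `unsigned long` rather than a pointer. The struct continues below the hunk.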
10199 diff -urNp linux-2.6.39.1/arch/x86/include/asm/module.h linux-2.6.39.1/arch/x86/include/asm/module.h
10200 --- linux-2.6.39.1/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400
10201 +++ linux-2.6.39.1/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400
10202 @@ -5,6 +5,7 @@
10203
10204 #ifdef CONFIG_X86_64
10205 /* X86_64 does not define MODULE_PROC_FAMILY */
10206 +#define MODULE_PROC_FAMILY ""
10207 #elif defined CONFIG_M386
10208 #define MODULE_PROC_FAMILY "386 "
10209 #elif defined CONFIG_M486
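Review bot: The context comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is contradicted by the `#define MODULE_PROC_FAMILY ""` added directly beneath it. It should be reworded, for example `/* X86_64 has no processor-family string; define it empty so MODULE_ARCH_VERMAGIC can be built unconditionally */`.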
10210 @@ -59,8 +60,30 @@
10211 #error unknown processor family
10212 #endif
10213
10214 -#ifdef CONFIG_X86_32
10215 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
10216 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10217 +#define MODULE_PAX_UDEREF "UDEREF "
10218 +#else
10219 +#define MODULE_PAX_UDEREF ""
10220 +#endif
10221 +
10222 +#ifdef CONFIG_PAX_KERNEXEC
10223 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
10224 +#else
10225 +#define MODULE_PAX_KERNEXEC ""
10226 #endif
10227
10228 +#ifdef CONFIG_PAX_REFCOUNT
10229 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
10230 +#else
10231 +#define MODULE_PAX_REFCOUNT ""
10232 +#endif
10233 +
10234 +#ifdef CONFIG_GRKERNSEC
10235 +#define MODULE_GRSEC "GRSECURITY "
10236 +#else
10237 +#define MODULE_GRSEC ""
10238 +#endif
10239 +
10240 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
10241 +
10242 #endif /* _ASM_X86_MODULE_H */
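Review bot: `MODULE_ARCH_VERMAGIC` now concatenates four feature strings, but nothing says why these options and no others are part of the version magic. A short comment above the final `#define` would record the intent, e.g. `/* options that change the kernel/module ABI; a module built without them must not match */`. That reason is presumed from the option names and should be confirmed against the features themselves. The macro is also now defined for 64-bit builds, where the removed lines defined it only under `CONFIG_X86_32`, and the comment should mention that.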
10243 diff -urNp linux-2.6.39.1/arch/x86/include/asm/page_64_types.h linux-2.6.39.1/arch/x86/include/asm/page_64_types.h
10244 --- linux-2.6.39.1/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400
10245 +++ linux-2.6.39.1/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400
10246 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10247
10248 /* duplicated to the one in bootmem.h */
10249 extern unsigned long max_pfn;
10250 -extern unsigned long phys_base;
10251 +extern const unsigned long phys_base;
10252
10253 extern unsigned long __phys_addr(unsigned long);
10254 #define __phys_reloc_hide(x) (x)
10255 diff -urNp linux-2.6.39.1/arch/x86/include/asm/paravirt.h linux-2.6.39.1/arch/x86/include/asm/paravirt.h
10256 --- linux-2.6.39.1/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400
10257 +++ linux-2.6.39.1/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400
10258 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
10259 pv_mmu_ops.set_fixmap(idx, phys, flags);
10260 }
10261
10262 +#ifdef CONFIG_PAX_KERNEXEC
10263 +static inline unsigned long pax_open_kernel(void)
10264 +{
10265 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10266 +}
10267 +
10268 +static inline unsigned long pax_close_kernel(void)
10269 +{
10270 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10271 +}
10272 +#else
10273 +static inline unsigned long pax_open_kernel(void) { return 0; }
10274 +static inline unsigned long pax_close_kernel(void) { return 0; }
10275 +#endif
10276 +
10277 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10278
10279 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
10280 @@ -955,7 +970,7 @@ extern void default_banner(void);
10281
10282 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10283 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10284 -#define PARA_INDIRECT(addr) *%cs:addr
10285 +#define PARA_INDIRECT(addr) *%ss:addr
10286 #endif
10287
10288 #define INTERRUPT_RETURN \
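Review bot: `PARA_INDIRECT` changes its segment override from `%cs:` to `%ss:` without a comment, and every assembly call site that uses the macro inherits the change. The reason is not visible in this hunk; presumably the kernel code segment no longer covers the pv ops tables under one of the PaX options. Please state the actual constraint in a comment next to the macro, so a later cleanup does not switch it back.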
10289 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
10290 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10291 CLBR_NONE, \
10292 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10293 +
10294 +#define GET_CR0_INTO_RDI \
10295 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10296 + mov %rax,%rdi
10297 +
10298 +#define SET_RDI_INTO_CR0 \
10299 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10300 +
10301 +#define GET_CR3_INTO_RDI \
10302 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10303 + mov %rax,%rdi
10304 +
10305 +#define SET_RDI_INTO_CR3 \
10306 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10307 +
10308 #endif /* CONFIG_X86_32 */
10309
10310 #endif /* __ASSEMBLY__ */
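Review bot: The four new macros `GET_CR0_INTO_RDI`, `SET_RDI_INTO_CR0`, `GET_CR3_INTO_RDI` and `SET_RDI_INTO_CR3` issue a bare `call PARA_INDIRECT(...)`, whereas the macro just above them wraps its instruction in `PARA_SITE(..., CLBR_NONE, ...)`. As written they carry no clobber annotation, and the `GET_` variants overwrite both `%rax` and `%rdi`. If leaving them outside `PARA_SITE` is intentional, add a comment saying so and listing what a caller must treat as clobbered, e.g. `/* not a patch site; clobbers %rax, %rdi and whatever the pv op clobbers */`.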
10311 diff -urNp linux-2.6.39.1/arch/x86/include/asm/paravirt_types.h linux-2.6.39.1/arch/x86/include/asm/paravirt_types.h
10312 --- linux-2.6.39.1/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400
10313 +++ linux-2.6.39.1/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400
10314 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
10315 an mfn. We can tell which is which from the index. */
10316 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10317 phys_addr_t phys, pgprot_t flags);
10318 +
10319 +#ifdef CONFIG_PAX_KERNEXEC
10320 + unsigned long (*pax_open_kernel)(void);
10321 + unsigned long (*pax_close_kernel)(void);
10322 +#endif
10323 +
10324 };
10325
10326 struct arch_spinlock;
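Review bot: `pax_open_kernel` and `pax_close_kernel` are added to `struct pv_mmu_ops` as plain function pointers, while other ops structures in this patch (`microcode_ops`, `pci_raw_ops`) get `* const` members. These two hooks switch kernel write protection, so it matters that the table holding them cannot be rewritten after boot; whether `pv_mmu_ops` ends up in read-only memory is not visible here. A comment stating where that is guaranteed would help reviewers of later changes to this struct.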
10327 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pci_x86.h linux-2.6.39.1/arch/x86/include/asm/pci_x86.h
10328 --- linux-2.6.39.1/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400
10329 +++ linux-2.6.39.1/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400
10330 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
10331 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10332
10333 struct pci_raw_ops {
10334 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10335 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10336 int reg, int len, u32 *val);
10337 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10338 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10339 int reg, int len, u32 val);
10340 };
10341
10342 -extern struct pci_raw_ops *raw_pci_ops;
10343 -extern struct pci_raw_ops *raw_pci_ext_ops;
10344 +extern const struct pci_raw_ops *raw_pci_ops;
10345 +extern const struct pci_raw_ops *raw_pci_ext_ops;
10346
10347 -extern struct pci_raw_ops pci_direct_conf1;
10348 +extern const struct pci_raw_ops pci_direct_conf1;
10349 extern bool port_cf9_safe;
10350
10351 /* arch_initcall level */
10352 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgalloc.h linux-2.6.39.1/arch/x86/include/asm/pgalloc.h
10353 --- linux-2.6.39.1/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400
10354 +++ linux-2.6.39.1/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400
10355 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10356 pmd_t *pmd, pte_t *pte)
10357 {
10358 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10359 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10360 +}
10361 +
10362 +static inline void pmd_populate_user(struct mm_struct *mm,
10363 + pmd_t *pmd, pte_t *pte)
10364 +{
10365 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10366 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10367 }
10368
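Review bot: After this change `pmd_populate_kernel()` and the new `pmd_populate_user()` differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`, and neither carries a comment saying which callers need which. Because `pmd_populate_kernel()` used `_PAGE_TABLE` before, any existing caller that populates user-reachable page tables through it has to move to `pmd_populate_user()`; those call sites are outside this hunk. Suggested comments are `/* kernel page tables: no _PAGE_USER */` and `/* user page tables: _PAGE_USER set */`.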
10369 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.1/arch/x86/include/asm/pgtable-2level.h
10370 --- linux-2.6.39.1/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400
10371 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400
10372 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10373
10374 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10375 {
10376 + pax_open_kernel();
10377 *pmdp = pmd;
10378 + pax_close_kernel();
10379 }
10380
10381 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10382 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable_32.h linux-2.6.39.1/arch/x86/include/asm/pgtable_32.h
10383 --- linux-2.6.39.1/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
10384 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
10385 @@ -25,9 +25,6 @@
10386 struct mm_struct;
10387 struct vm_area_struct;
10388
10389 -extern pgd_t swapper_pg_dir[1024];
10390 -extern pgd_t initial_page_table[1024];
10391 -
10392 static inline void pgtable_cache_init(void) { }
10393 static inline void check_pgt_cache(void) { }
10394 void paging_init(void);
10395 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
10396 # include <asm/pgtable-2level.h>
10397 #endif
10398
10399 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10400 +extern pgd_t initial_page_table[PTRS_PER_PGD];
10401 +#ifdef CONFIG_X86_PAE
10402 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10403 +#endif
10404 +
10405 #if defined(CONFIG_HIGHPTE)
10406 #define pte_offset_map(dir, address) \
10407 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
10408 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
10409 /* Clear a kernel PTE and flush it from the TLB */
10410 #define kpte_clear_flush(ptep, vaddr) \
10411 do { \
10412 + pax_open_kernel(); \
10413 pte_clear(&init_mm, (vaddr), (ptep)); \
10414 + pax_close_kernel(); \
10415 __flush_tlb_one((vaddr)); \
10416 } while (0)
10417
10418 @@ -74,6 +79,9 @@ do { \
10419
10420 #endif /* !__ASSEMBLY__ */
10421
10422 +#define HAVE_ARCH_UNMAPPED_AREA
10423 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10424 +
10425 /*
10426 * kern_addr_valid() is (1) for FLATMEM and (0) for
10427 * SPARSEMEM and DISCONTIGMEM
10428 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.1/arch/x86/include/asm/pgtable_32_types.h
10429 --- linux-2.6.39.1/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400
10430 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400
10431 @@ -8,7 +8,7 @@
10432 */
10433 #ifdef CONFIG_X86_PAE
10434 # include <asm/pgtable-3level_types.h>
10435 -# define PMD_SIZE (1UL << PMD_SHIFT)
10436 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10437 # define PMD_MASK (~(PMD_SIZE - 1))
10438 #else
10439 # include <asm/pgtable-2level_types.h>
10440 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10441 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10442 #endif
10443
10444 +#ifdef CONFIG_PAX_KERNEXEC
10445 +#ifndef __ASSEMBLY__
10446 +extern unsigned char MODULES_EXEC_VADDR[];
10447 +extern unsigned char MODULES_EXEC_END[];
10448 +#endif
10449 +#include <asm/boot.h>
10450 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10451 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10452 +#else
10453 +#define ktla_ktva(addr) (addr)
10454 +#define ktva_ktla(addr) (addr)
10455 +#endif
10456 +
10457 #define MODULES_VADDR VMALLOC_START
10458 #define MODULES_END VMALLOC_END
10459 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
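Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` in the `CONFIG_PAX_KERNEXEC` branch expand `addr` unparenthesized, so an argument containing a lower-precedence operator (a conditional expression, a shift) is parsed differently from what the caller wrote. Use `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A one-line comment expanding the two abbreviations would also help, since the names are not self-explanatory.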
10460 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.1/arch/x86/include/asm/pgtable-3level.h
10461 --- linux-2.6.39.1/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400
10462 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400
10463 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10464
10465 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10466 {
10467 + pax_open_kernel();
10468 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10469 + pax_close_kernel();
10470 }
10471
10472 static inline void native_set_pud(pud_t *pudp, pud_t pud)
10473 {
10474 + pax_open_kernel();
10475 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10476 + pax_close_kernel();
10477 }
10478
10479 /*
10480 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable_64.h linux-2.6.39.1/arch/x86/include/asm/pgtable_64.h
10481 --- linux-2.6.39.1/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400
10482 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400
10483 @@ -16,10 +16,13 @@
10484
10485 extern pud_t level3_kernel_pgt[512];
10486 extern pud_t level3_ident_pgt[512];
10487 +extern pud_t level3_vmalloc_pgt[512];
10488 +extern pud_t level3_vmemmap_pgt[512];
10489 +extern pud_t level2_vmemmap_pgt[512];
10490 extern pmd_t level2_kernel_pgt[512];
10491 extern pmd_t level2_fixmap_pgt[512];
10492 -extern pmd_t level2_ident_pgt[512];
10493 -extern pgd_t init_level4_pgt[];
10494 +extern pmd_t level2_ident_pgt[512*2];
10495 +extern pgd_t init_level4_pgt[512];
10496
10497 #define swapper_pg_dir init_level4_pgt
10498
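Review bot: `level2_vmemmap_pgt` is declared as `pud_t[512]`, while every other `level2_*` table in this block (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t` and the `level3_*` tables are `pud_t`. If the name reflects the level, the declaration should read `extern pmd_t level2_vmemmap_pgt[512];`; the definition is not in this hunk, so check that it agrees. `level2_ident_pgt[512*2]` also deserves a comment on why it now spans two tables.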
10499 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
10500
10501 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10502 {
10503 + pax_open_kernel();
10504 *pmdp = pmd;
10505 + pax_close_kernel();
10506 }
10507
10508 static inline void native_pmd_clear(pmd_t *pmd)
10509 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
10510
10511 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10512 {
10513 + pax_open_kernel();
10514 *pgdp = pgd;
10515 + pax_close_kernel();
10516 }
10517
10518 static inline void native_pgd_clear(pgd_t *pgd)
10519 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.1/arch/x86/include/asm/pgtable_64_types.h
10520 --- linux-2.6.39.1/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400
10521 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400
10522 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10523 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10524 #define MODULES_END _AC(0xffffffffff000000, UL)
10525 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10526 +#define MODULES_EXEC_VADDR MODULES_VADDR
10527 +#define MODULES_EXEC_END MODULES_END
10528 +
10529 +#define ktla_ktva(addr) (addr)
10530 +#define ktva_ktla(addr) (addr)
10531
10532 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10533 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable.h linux-2.6.39.1/arch/x86/include/asm/pgtable.h
10534 --- linux-2.6.39.1/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
10535 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
10536 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
10537
10538 #define arch_end_context_switch(prev) do {} while(0)
10539
10540 +#define pax_open_kernel() native_pax_open_kernel()
10541 +#define pax_close_kernel() native_pax_close_kernel()
10542 #endif /* CONFIG_PARAVIRT */
10543
10544 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10545 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10546 +
10547 +#ifdef CONFIG_PAX_KERNEXEC
10548 +static inline unsigned long native_pax_open_kernel(void)
10549 +{
10550 + unsigned long cr0;
10551 +
10552 + preempt_disable();
10553 + barrier();
10554 + cr0 = read_cr0() ^ X86_CR0_WP;
10555 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10556 + write_cr0(cr0);
10557 + return cr0 ^ X86_CR0_WP;
10558 +}
10559 +
10560 +static inline unsigned long native_pax_close_kernel(void)
10561 +{
10562 + unsigned long cr0;
10563 +
10564 + cr0 = read_cr0() ^ X86_CR0_WP;
10565 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10566 + write_cr0(cr0);
10567 + barrier();
10568 + preempt_enable_no_resched();
10569 + return cr0 ^ X86_CR0_WP;
10570 +}
10571 +#else
10572 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10573 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10574 +#endif
10575 +
10576 /*
10577 * The following only work if pte_present() is true.
10578 * Undefined behaviour if not..
10579 */
10580 +static inline int pte_user(pte_t pte)
10581 +{
10582 + return pte_val(pte) & _PAGE_USER;
10583 +}
10584 +
10585 static inline int pte_dirty(pte_t pte)
10586 {
10587 return pte_flags(pte) & _PAGE_DIRTY;
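Review bot: `native_pax_open_kernel()` cannot be nested, and nothing in the code says so: it toggles `X86_CR0_WP` with XOR and then hits `BUG_ON` if the bit is set, so a second open before the matching close stops the kernel. Several setters in this patch (`native_set_pmd()`, `native_set_pgd()`, `clone_pgd_range()`) open and close internally, so a caller that already holds the section open must not call them. Please add a comment above the pair stating that, and also that open disables preemption until close. The comment should say what the return value is as well: the CR0 value before the toggle, which no caller visible in this part of the patch uses.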
10588 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
10589 return pte_clear_flags(pte, _PAGE_RW);
10590 }
10591
10592 +static inline pte_t pte_mkread(pte_t pte)
10593 +{
10594 + return __pte(pte_val(pte) | _PAGE_USER);
10595 +}
10596 +
10597 static inline pte_t pte_mkexec(pte_t pte)
10598 {
10599 - return pte_clear_flags(pte, _PAGE_NX);
10600 +#ifdef CONFIG_X86_PAE
10601 + if (__supported_pte_mask & _PAGE_NX)
10602 + return pte_clear_flags(pte, _PAGE_NX);
10603 + else
10604 +#endif
10605 + return pte_set_flags(pte, _PAGE_USER);
10606 +}
10607 +
10608 +static inline pte_t pte_exprotect(pte_t pte)
10609 +{
10610 +#ifdef CONFIG_X86_PAE
10611 + if (__supported_pte_mask & _PAGE_NX)
10612 + return pte_set_flags(pte, _PAGE_NX);
10613 + else
10614 +#endif
10615 + return pte_clear_flags(pte, _PAGE_USER);
10616 }
10617
10618 static inline pte_t pte_mkdirty(pte_t pte)
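Review bot: `pte_mkexec()` and `pte_exprotect()` test `CONFIG_X86_PAE` only, so a 64-bit build, where `CONFIG_X86_PAE` is not normally set, compiles just the `_PAGE_USER` line and `pte_mkexec()` no longer clears `_PAGE_NX` there. pgtable_types.h in this patch treats `CONFIG_X86_64 || CONFIG_X86_PAE` as the configurations with a hardware NX bit, and the same condition looks right here: `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`. Whether any 64-bit caller exists is not visible from this hunk. The `else` left dangling across `#endif` would also be easier to read with braces.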
10619 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
10620 #endif
10621
10622 #ifndef __ASSEMBLY__
10623 +
10624 +#ifdef CONFIG_PAX_PER_CPU_PGD
10625 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10626 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10627 +{
10628 + return cpu_pgd[cpu];
10629 +}
10630 +#endif
10631 +
10632 #include <linux/mm_types.h>
10633
10634 static inline int pte_none(pte_t pte)
10635 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
10636
10637 static inline int pgd_bad(pgd_t pgd)
10638 {
10639 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10640 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10641 }
10642
10643 static inline int pgd_none(pgd_t pgd)
10644 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
10645 * pgd_offset() returns a (pgd_t *)
10646 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10647 */
10648 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10649 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10650 +
10651 +#ifdef CONFIG_PAX_PER_CPU_PGD
10652 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10653 +#endif
10654 +
10655 /*
10656 * a shortcut which implies the use of the kernel's pgd, instead
10657 * of a process's
10658 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
10659 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10660 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10661
10662 +#ifdef CONFIG_X86_32
10663 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10664 +#else
10665 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10666 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10667 +
10668 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10669 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10670 +#else
10671 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10672 +#endif
10673 +
10674 +#endif
10675 +
10676 #ifndef __ASSEMBLY__
10677
10678 extern int direct_gbpages;
10679 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
10680 * dst and src can be on the same page, but the range must not overlap,
10681 * and must not cross a page boundary.
10682 */
10683 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10684 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10685 {
10686 - memcpy(dst, src, count * sizeof(pgd_t));
10687 + pax_open_kernel();
10688 + while (count--)
10689 + *dst++ = *src++;
10690 + pax_close_kernel();
10691 }
10692
10693 +#ifdef CONFIG_PAX_PER_CPU_PGD
10694 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10695 +#endif
10696 +
10697 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10698 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10699 +#else
10700 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10701 +#endif
10702
10703 #include <asm-generic/pgtable.h>
10704 #endif /* __ASSEMBLY__ */
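Review bot: `clone_pgd_range()` now loops with `while (count--)` on a signed `int count`, so a zero count is fine but a negative one keeps copying, with kernel write protection opened, until the counter wraps. `while (count-- > 0)` costs nothing and bounds it. A comment on why `memcpy()` was replaced by an element-wise copy would also help the next reader; the reason is not stated in the hunk.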
10705 diff -urNp linux-2.6.39.1/arch/x86/include/asm/pgtable_types.h linux-2.6.39.1/arch/x86/include/asm/pgtable_types.h
10706 --- linux-2.6.39.1/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400
10707 +++ linux-2.6.39.1/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400
10708 @@ -16,13 +16,12 @@
10709 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10710 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10711 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10712 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10713 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10714 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10715 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10716 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10717 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10718 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10719 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
10720 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10721 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
10722 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10723
10724 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10725 @@ -40,7 +39,6 @@
10726 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10727 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10728 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10729 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10730 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10731 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10732 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10733 @@ -57,8 +55,10 @@
10734
10735 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10736 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10737 -#else
10738 +#elif defined(CONFIG_KMEMCHECK)
10739 #define _PAGE_NX (_AT(pteval_t, 0))
10740 +#else
10741 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10742 #endif
10743
10744 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
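Review bot: On 32-bit non-PAE builds without kmemcheck, `_PAGE_NX` now becomes `1 << _PAGE_BIT_HIDDEN`, a software-defined bit, instead of 0, and the hunk gives no comment on it. Anything that ORs `_PAGE_NX` into an entry, such as `__PAGE_KERNEL` further down this file, will now set bit 11 there, and readers will assume `_PAGE_NX` always means the hardware bit 63. Please document next to the new `#else` what the bit stands for in this configuration (presumably a software no-execute marker) and that it is excluded under `CONFIG_KMEMCHECK` because kmemcheck owns the same bit.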
10745 @@ -96,6 +96,9 @@
10746 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10747 _PAGE_ACCESSED)
10748
10749 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
10750 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
10751 +
10752 #define __PAGE_KERNEL_EXEC \
10753 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
10754 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
10755 @@ -106,8 +109,8 @@
10756 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
10757 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
10758 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
10759 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
10760 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
10761 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
10762 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
10763 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
10764 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
10765 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
10766 @@ -166,8 +169,8 @@
10767 * bits are combined, this will alow user to access the high address mapped
10768 * VDSO in the presence of CONFIG_COMPAT_VDSO
10769 */
10770 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
10771 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
10772 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10773 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10774 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
10775 #endif
10776
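Review bot: `PDE_IDENT_ATTR` drops the USER bit (0x067 to 0x063), but the block comment that ends just above still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO. With USER gone from the PDE that explanation appears not to hold any more; the start of the comment is outside the hunk, so check the whole text and update it. `PTE_IDENT_ATTR` also gains DIRTY+ACCESSED without a stated reason, which the same comment could cover.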
10777 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
10778 {
10779 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
10780 }
10781 +#endif
10782
10783 +#if PAGETABLE_LEVELS == 3
10784 +#include <asm-generic/pgtable-nopud.h>
10785 +#endif
10786 +
10787 +#if PAGETABLE_LEVELS == 2
10788 +#include <asm-generic/pgtable-nopmd.h>
10789 +#endif
10790 +
10791 +#ifndef __ASSEMBLY__
10792 #if PAGETABLE_LEVELS > 3
10793 typedef struct { pudval_t pud; } pud_t;
10794
10795 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
10796 return pud.pud;
10797 }
10798 #else
10799 -#include <asm-generic/pgtable-nopud.h>
10800 -
10801 static inline pudval_t native_pud_val(pud_t pud)
10802 {
10803 return native_pgd_val(pud.pgd);
10804 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
10805 return pmd.pmd;
10806 }
10807 #else
10808 -#include <asm-generic/pgtable-nopmd.h>
10809 -
10810 static inline pmdval_t native_pmd_val(pmd_t pmd)
10811 {
10812 return native_pgd_val(pmd.pud.pgd);
10813 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
10814
10815 extern pteval_t __supported_pte_mask;
10816 extern void set_nx(void);
10817 -extern int nx_enabled;
10818
10819 #define pgprot_writecombine pgprot_writecombine
10820 extern pgprot_t pgprot_writecombine(pgprot_t prot);
10821 diff -urNp linux-2.6.39.1/arch/x86/include/asm/processor.h linux-2.6.39.1/arch/x86/include/asm/processor.h
10822 --- linux-2.6.39.1/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400
10823 +++ linux-2.6.39.1/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400
10824 @@ -266,7 +266,7 @@ struct tss_struct {
10825
10826 } ____cacheline_aligned;
10827
10828 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
10829 +extern struct tss_struct init_tss[NR_CPUS];
10830
10831 /*
10832 * Save the original ist values for checking stack pointers during debugging
10833 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
10834 */
10835 #define TASK_SIZE PAGE_OFFSET
10836 #define TASK_SIZE_MAX TASK_SIZE
10837 +
10838 +#ifdef CONFIG_PAX_SEGMEXEC
10839 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
10840 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
10841 +#else
10842 #define STACK_TOP TASK_SIZE
10843 -#define STACK_TOP_MAX STACK_TOP
10844 +#endif
10845 +
10846 +#define STACK_TOP_MAX TASK_SIZE
10847
10848 #define INIT_THREAD { \
10849 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10850 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10851 .vm86_info = NULL, \
10852 .sysenter_cs = __KERNEL_CS, \
10853 .io_bitmap_ptr = NULL, \
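Review bot: The CONFIG_PAX_SEGMEXEC variant of `STACK_TOP` dereferences `current->mm` unconditionally, and kernel threads conventionally run with a NULL `mm`. Whether any user of STACK_TOP can be reached from such a context is not visible in this hunk, so the requirement should at least be written down, e.g. `/* STACK_TOP: process context only, current->mm must be non-NULL */`; the conditional would also read better with spaces around `?` and `:`. Separately, the `- 8` added to `.sp0` here and in the `INIT_TSS` hunk that follows, and the `- 16` in the 64-bit `INIT_THREAD`/`INIT_TSS` hunk, are bare numbers at the point of use. A named constant or a one-line comment on what the reserved bytes are for would keep the three sites from drifting apart.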
10854 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
10855 */
10856 #define INIT_TSS { \
10857 .x86_tss = { \
10858 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10859 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10860 .ss0 = __KERNEL_DS, \
10861 .ss1 = __KERNEL_CS, \
10862 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
10863 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
10864 extern unsigned long thread_saved_pc(struct task_struct *tsk);
10865
10866 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
10867 -#define KSTK_TOP(info) \
10868 -({ \
10869 - unsigned long *__ptr = (unsigned long *)(info); \
10870 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
10871 -})
10872 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
10873
10874 /*
10875 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
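Review bot: `KSTK_TOP(info)` now requires `info` to be the address of the `tinfo` member embedded in a `task_struct`, whereas the removed definition accepted any pointer to the base of a thread stack. `container_of` applied to a pointer that is not that member produces an unrelated address with no diagnostic, so every remaining caller (none are in this hunk) has to be audited for what it passes. A comment stating the new contract would make misuse visible in review: `/* info must be &task->tinfo, not a stack page pointer */`.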
10876 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
10877 #define task_pt_regs(task) \
10878 ({ \
10879 struct pt_regs *__regs__; \
10880 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
10881 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
10882 __regs__ - 1; \
10883 })
10884
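Review bot: The comment that introduces `task_pt_regs` (visible as trailing context of the previous hunk) still reads "The below -8 is to reserve 8 bytes on top of the ring0 stack", but the `-8` is no longer in the macro; the reservation has moved into the `.sp0` initialisers. The comment should be reworded along the lines of `* thread.sp0 already excludes the 8 bytes reserved on top of the ring0 stack.` The macro is now only correct if every place that assigns `thread.sp0` applies the same offset, and those assignments are outside this hunk.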
10885 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
10886 /*
10887 * User space process size. 47bits minus one guard page.
10888 */
10889 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
10890 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
10891
10892 /* This decides where the kernel will search for a free chunk of vm
10893 * space during mmap's.
10894 */
10895 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
10896 - 0xc0000000 : 0xFFFFe000)
10897 + 0xc0000000 : 0xFFFFf000)
10898
10899 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
10900 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
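Review bot: Two address-space limits change here with no explanation in the code. `TASK_SIZE_MAX` now depends on `TASK_SIZE_MAX_SHIFT`, which is not defined in this hunk, while the comment above still says "47bits minus one guard page"; if the shift can be anything other than 47 the comment becomes wrong and should instead refer to the macro. The `IA32_PAGE_OFFSET` fallback moves from `0xFFFFe000` to `0xFFFFf000`, which raises the 32-bit compat task size by one page; a short comment saying what used to occupy that page and why it is now available would let a reader verify the change.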
10901 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
10902 #define STACK_TOP_MAX TASK_SIZE_MAX
10903
10904 #define INIT_THREAD { \
10905 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10906 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10907 }
10908
10909 #define INIT_TSS { \
10910 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10911 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10912 }
10913
10914 /*
10915 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
10916 */
10917 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
10918
10919 +#ifdef CONFIG_PAX_SEGMEXEC
10920 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
10921 +#endif
10922 +
10923 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
10924
10925 /* Get/set a process' ability to use the timestamp counter instruction */
10926 diff -urNp linux-2.6.39.1/arch/x86/include/asm/ptrace.h linux-2.6.39.1/arch/x86/include/asm/ptrace.h
10927 --- linux-2.6.39.1/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400
10928 +++ linux-2.6.39.1/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400
10929 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
10930 }
10931
10932 /*
10933 - * user_mode_vm(regs) determines whether a register set came from user mode.
10934 + * user_mode(regs) determines whether a register set came from user mode.
10935 * This is true if V8086 mode was enabled OR if the register set was from
10936 * protected mode with RPL-3 CS value. This tricky test checks that with
10937 * one comparison. Many places in the kernel can bypass this full check
10938 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
10939 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
10940 + * be used.
10941 */
10942 -static inline int user_mode(struct pt_regs *regs)
10943 +static inline int user_mode_novm(struct pt_regs *regs)
10944 {
10945 #ifdef CONFIG_X86_32
10946 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
10947 #else
10948 - return !!(regs->cs & 3);
10949 + return !!(regs->cs & SEGMENT_RPL_MASK);
10950 #endif
10951 }
10952
10953 -static inline int user_mode_vm(struct pt_regs *regs)
10954 +static inline int user_mode(struct pt_regs *regs)
10955 {
10956 #ifdef CONFIG_X86_32
10957 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
10958 USER_RPL;
10959 #else
10960 - return user_mode(regs);
10961 + return user_mode_novm(regs);
10962 #endif
10963 }
10964
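Review bot: The block comment now describes `user_mode(regs)` as the full test that includes V8086 mode, but it still sits directly above `user_mode_novm()`, which is the variant that skips that test. A reader scanning the file will attach the description to the wrong function. Move the comment down to `user_mode()` and give `user_mode_novm()` its own line, e.g. `/* RPL-only test; valid only when V8086 mode has already been ruled out */`. Since the commit swaps the meaning of an existing name, it is also worth recording in that comment that `user_mode()` is now the safe default and `user_mode_novm()` is the opt-in fast path.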
10965 diff -urNp linux-2.6.39.1/arch/x86/include/asm/reboot.h linux-2.6.39.1/arch/x86/include/asm/reboot.h
10966 --- linux-2.6.39.1/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400
10967 +++ linux-2.6.39.1/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400
10968 @@ -6,19 +6,19 @@
10969 struct pt_regs;
10970
10971 struct machine_ops {
10972 - void (*restart)(char *cmd);
10973 - void (*halt)(void);
10974 - void (*power_off)(void);
10975 + void (* __noreturn restart)(char *cmd);
10976 + void (* __noreturn halt)(void);
10977 + void (* __noreturn power_off)(void);
10978 void (*shutdown)(void);
10979 void (*crash_shutdown)(struct pt_regs *);
10980 - void (*emergency_restart)(void);
10981 + void (* __noreturn emergency_restart)(void);
10982 };
10983
10984 extern struct machine_ops machine_ops;
10985
10986 void native_machine_crash_shutdown(struct pt_regs *regs);
10987 void native_machine_shutdown(void);
10988 -void machine_real_restart(unsigned int type);
10989 +void machine_real_restart(unsigned int type) __noreturn;
10990 /* These must match dispatch_table in reboot_32.S */
10991 #define MRR_BIOS 0
10992 #define MRR_APM 1
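Review bot: Marking the `restart`, `halt`, `power_off` and `emergency_restart` pointers `__noreturn` allows the compiler to drop whatever follows a call through them, so any function assigned to these members that can return now leads to undefined behaviour at the call site. The implementations are not in this hunk; each one, including any platform or paravirtual override of `machine_ops`, needs to be checked to end in a non-returning call or an endless loop. Recording the contract on the struct would help future backends: `/* restart, halt, power_off and emergency_restart must never return */`.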
10993 diff -urNp linux-2.6.39.1/arch/x86/include/asm/rwsem.h linux-2.6.39.1/arch/x86/include/asm/rwsem.h
10994 --- linux-2.6.39.1/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400
10995 +++ linux-2.6.39.1/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400
10996 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
10997 {
10998 asm volatile("# beginning down_read\n\t"
10999 LOCK_PREFIX _ASM_INC "(%1)\n\t"
11000 +
11001 +#ifdef CONFIG_PAX_REFCOUNT
11002 + "jno 0f\n"
11003 + LOCK_PREFIX _ASM_DEC "(%1)\n"
11004 + "int $4\n0:\n"
11005 + _ASM_EXTABLE(0b, 0b)
11006 +#endif
11007 +
11008 /* adds 0x00000001 */
11009 " jns 1f\n"
11010 " call call_rwsem_down_read_failed\n"
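Review bot: The inserted CONFIG_PAX_REFCOUNT sequence carries no comment, and it is the first of eight near-identical copies in this file (the following hunks in `__down_read_trylock`, `__down_write_nested`, `__up_read`, `__up_write`, `__downgrade_write`, `rwsem_atomic_add` and `rwsem_atomic_update`). A reader has to work out that `jno 0f` skips the block when the signed-overflow flag is clear, that the next instruction reverses the update, and that `int $4` then raises the overflow exception with the exception-table entry anchored at label `0`. A comment at each site such as `/* PAX_REFCOUNT: on signed overflow, undo the update and trap via int $4 */` would make that readable. The body of `__down_read` continues outside this hunk.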
11011 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
11012 "1:\n\t"
11013 " mov %1,%2\n\t"
11014 " add %3,%2\n\t"
11015 +
11016 +#ifdef CONFIG_PAX_REFCOUNT
11017 + "jno 0f\n"
11018 + "sub %3,%2\n"
11019 + "int $4\n0:\n"
11020 + _ASM_EXTABLE(0b, 0b)
11021 +#endif
11022 +
11023 " jle 2f\n\t"
11024 LOCK_PREFIX " cmpxchg %2,%0\n\t"
11025 " jnz 1b\n\t"
11026 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
11027 long tmp;
11028 asm volatile("# beginning down_write\n\t"
11029 LOCK_PREFIX " xadd %1,(%2)\n\t"
11030 +
11031 +#ifdef CONFIG_PAX_REFCOUNT
11032 + "jno 0f\n"
11033 + "mov %1,(%2)\n"
11034 + "int $4\n0:\n"
11035 + _ASM_EXTABLE(0b, 0b)
11036 +#endif
11037 +
11038 /* adds 0xffff0001, returns the old value */
11039 " test %1,%1\n\t"
11040 /* was the count 0 before? */
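Review bot: The undo step in this hunk, `mov %1,(%2)`, is a plain store of the old value handed back by `lock xadd`, so any change another CPU makes to the count between the `xadd` and the `mov` is overwritten. The `__down_read` and `__downgrade_write` hunks reverse their update with a `LOCK_PREFIX`ed inverse instruction and do not have that window; the plain-store form is repeated in the `__up_read`, `__up_write` and `rwsem_atomic_update` hunks. It only executes on the overflow path immediately before the trap, so this may be an accepted trade-off, but then it should be stated: `/* non-atomic restore; concurrent updates in this window are lost, acceptable because we trap next */`. The body of `__down_write_nested` continues outside this hunk.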
11041 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
11042 long tmp;
11043 asm volatile("# beginning __up_read\n\t"
11044 LOCK_PREFIX " xadd %1,(%2)\n\t"
11045 +
11046 +#ifdef CONFIG_PAX_REFCOUNT
11047 + "jno 0f\n"
11048 + "mov %1,(%2)\n"
11049 + "int $4\n0:\n"
11050 + _ASM_EXTABLE(0b, 0b)
11051 +#endif
11052 +
11053 /* subtracts 1, returns the old value */
11054 " jns 1f\n\t"
11055 " call call_rwsem_wake\n" /* expects old value in %edx */
11056 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
11057 long tmp;
11058 asm volatile("# beginning __up_write\n\t"
11059 LOCK_PREFIX " xadd %1,(%2)\n\t"
11060 +
11061 +#ifdef CONFIG_PAX_REFCOUNT
11062 + "jno 0f\n"
11063 + "mov %1,(%2)\n"
11064 + "int $4\n0:\n"
11065 + _ASM_EXTABLE(0b, 0b)
11066 +#endif
11067 +
11068 /* subtracts 0xffff0001, returns the old value */
11069 " jns 1f\n\t"
11070 " call call_rwsem_wake\n" /* expects old value in %edx */
11071 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
11072 {
11073 asm volatile("# beginning __downgrade_write\n\t"
11074 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11075 +
11076 +#ifdef CONFIG_PAX_REFCOUNT
11077 + "jno 0f\n"
11078 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11079 + "int $4\n0:\n"
11080 + _ASM_EXTABLE(0b, 0b)
11081 +#endif
11082 +
11083 /*
11084 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11085 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11086 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
11087 */
11088 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
11089 {
11090 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11091 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11092 +
11093 +#ifdef CONFIG_PAX_REFCOUNT
11094 + "jno 0f\n"
11095 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
11096 + "int $4\n0:\n"
11097 + _ASM_EXTABLE(0b, 0b)
11098 +#endif
11099 +
11100 : "+m" (sem->count)
11101 : "er" (delta));
11102 }
11103 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
11104 {
11105 long tmp = delta;
11106
11107 - asm volatile(LOCK_PREFIX "xadd %0,%1"
11108 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11109 +
11110 +#ifdef CONFIG_PAX_REFCOUNT
11111 + "jno 0f\n"
11112 + "mov %0,%1\n"
11113 + "int $4\n0:\n"
11114 + _ASM_EXTABLE(0b, 0b)
11115 +#endif
11116 +
11117 : "+r" (tmp), "+m" (sem->count)
11118 : : "memory");
11119
11120 diff -urNp linux-2.6.39.1/arch/x86/include/asm/segment.h linux-2.6.39.1/arch/x86/include/asm/segment.h
11121 --- linux-2.6.39.1/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400
11122 +++ linux-2.6.39.1/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400
11123 @@ -64,8 +64,8 @@
11124 * 26 - ESPFIX small SS
11125 * 27 - per-cpu [ offset to per-cpu data area ]
11126 * 28 - stack_canary-20 [ for stack protector ]
11127 - * 29 - unused
11128 - * 30 - unused
11129 + * 29 - PCI BIOS CS
11130 + * 30 - PCI BIOS DS
11131 * 31 - TSS for double fault handler
11132 */
11133 #define GDT_ENTRY_TLS_MIN 6
11134 @@ -79,6 +79,8 @@
11135
11136 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
11137
11138 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11139 +
11140 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
11141
11142 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
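Review bot: `GDT_ENTRY_KERNEXEC_KERNEL_CS` is given the bare slot number `(4)` with no comment on what occupied that slot before or why it is free. The previous hunk updates the GDT layout table in the header comment for entries 29 and 30, but no visible hunk updates the table for entry 4 (the start of that table is outside SOURCE, so this may already be covered). The 64-bit definition in a later hunk writes the slot as `7` without parentheses; the two should use the same form. A line such as `/* slot 4: alternate kernel code segment used when KERNEXEC is active */` would help, with the wording checked against what the descriptor actually is.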
11143 @@ -104,6 +106,12 @@
11144 #define __KERNEL_STACK_CANARY 0
11145 #endif
11146
11147 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
11148 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11149 +
11150 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
11151 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11152 +
11153 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11154
11155 /*
11156 @@ -141,7 +149,7 @@
11157 */
11158
11159 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11160 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11161 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11162
11163
11164 #else
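Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, where the removed form used it once, so an argument with side effects or a costly expression is now evaluated twice. Either turn it into a `static inline` function or document the hazard, e.g. `/* x is evaluated twice; pass a plain value */`. The macro also now depends on `PNP_CS32` and `PNP_CS16`, which are not defined in this hunk and must be visible wherever it is expanded. The explicit comparison against both selectors with the RPL bits masked off is easier to read than the old `0xf4` mask.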
11165 @@ -165,6 +173,8 @@
11166 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11167 #define __USER32_DS __USER_DS
11168
11169 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11170 +
11171 #define GDT_ENTRY_TSS 8 /* needs two entries */
11172 #define GDT_ENTRY_LDT 10 /* needs two entries */
11173 #define GDT_ENTRY_TLS_MIN 12
11174 @@ -185,6 +195,7 @@
11175 #endif
11176
11177 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
11178 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
11179 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
11180 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
11181 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
11182 diff -urNp linux-2.6.39.1/arch/x86/include/asm/smp.h linux-2.6.39.1/arch/x86/include/asm/smp.h
11183 --- linux-2.6.39.1/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400
11184 +++ linux-2.6.39.1/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400
11185 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
11186 /* cpus sharing the last level cache: */
11187 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
11188 DECLARE_PER_CPU(u16, cpu_llc_id);
11189 -DECLARE_PER_CPU(int, cpu_number);
11190 +DECLARE_PER_CPU(unsigned int, cpu_number);
11191
11192 static inline struct cpumask *cpu_sibling_mask(int cpu)
11193 {
11194 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
11195 extern int safe_smp_processor_id(void);
11196
11197 #elif defined(CONFIG_X86_64_SMP)
11198 -#define raw_smp_processor_id() (percpu_read(cpu_number))
11199 -
11200 -#define stack_smp_processor_id() \
11201 -({ \
11202 - struct thread_info *ti; \
11203 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11204 - ti->cpu; \
11205 -})
11206 +#define raw_smp_processor_id() (percpu_read(cpu_number))
11207 +#define stack_smp_processor_id() raw_smp_processor_id()
11208 #define safe_smp_processor_id() smp_processor_id()
11209
11210 #endif
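Review bot: `stack_smp_processor_id()` is now a plain alias for `raw_smp_processor_id()`, so its name no longer describes what it does. The removed definition derived the CPU number from the stack pointer and did not read per-cpu data at all; if any caller picked it because per-cpu access was not yet safe at that point (not determinable from this hunk), that caller now behaves differently. Add a comment explaining that the alias exists only for source compatibility, `/* thread_info is no longer on the stack; kept as an alias for existing callers */`, or remove the macro and convert the callers.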
11211 diff -urNp linux-2.6.39.1/arch/x86/include/asm/spinlock.h linux-2.6.39.1/arch/x86/include/asm/spinlock.h
11212 --- linux-2.6.39.1/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
11213 +++ linux-2.6.39.1/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
11214 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
11215 static inline void arch_read_lock(arch_rwlock_t *rw)
11216 {
11217 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11218 +
11219 +#ifdef CONFIG_PAX_REFCOUNT
11220 + "jno 0f\n"
11221 + LOCK_PREFIX " addl $1,(%0)\n"
11222 + "int $4\n0:\n"
11223 + _ASM_EXTABLE(0b, 0b)
11224 +#endif
11225 +
11226 "jns 1f\n"
11227 "call __read_lock_failed\n\t"
11228 "1:\n"
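Review bot: The five-line CONFIG_PAX_REFCOUNT block is pasted by hand into each lock primitive here (also in the `arch_write_lock`, `arch_read_unlock` and `arch_write_unlock` hunks below) and again throughout rwsem.h, differing only in the single undo instruction. Hand-copied inline assembly of this kind is easy to get subtly wrong at one site, for instance by pairing the wrong inverse instruction or operand with the update. A small helper macro that takes the undo instruction as its argument and emits the `jno`/undo/`int $4`/`_ASM_EXTABLE` sequence would leave one place to review and remove the `#ifdef` from every function body. The body of `arch_read_lock` continues outside this hunk.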
11229 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
11230 static inline void arch_write_lock(arch_rwlock_t *rw)
11231 {
11232 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11233 +
11234 +#ifdef CONFIG_PAX_REFCOUNT
11235 + "jno 0f\n"
11236 + LOCK_PREFIX " addl %1,(%0)\n"
11237 + "int $4\n0:\n"
11238 + _ASM_EXTABLE(0b, 0b)
11239 +#endif
11240 +
11241 "jz 1f\n"
11242 "call __write_lock_failed\n\t"
11243 "1:\n"
11244 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
11245
11246 static inline void arch_read_unlock(arch_rwlock_t *rw)
11247 {
11248 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11249 + asm volatile(LOCK_PREFIX "incl %0\n"
11250 +
11251 +#ifdef CONFIG_PAX_REFCOUNT
11252 + "jno 0f\n"
11253 + LOCK_PREFIX "decl %0\n"
11254 + "int $4\n0:\n"
11255 + _ASM_EXTABLE(0b, 0b)
11256 +#endif
11257 +
11258 + :"+m" (rw->lock) : : "memory");
11259 }
11260
11261 static inline void arch_write_unlock(arch_rwlock_t *rw)
11262 {
11263 - asm volatile(LOCK_PREFIX "addl %1, %0"
11264 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
11265 +
11266 +#ifdef CONFIG_PAX_REFCOUNT
11267 + "jno 0f\n"
11268 + LOCK_PREFIX "subl %1, %0\n"
11269 + "int $4\n0:\n"
11270 + _ASM_EXTABLE(0b, 0b)
11271 +#endif
11272 +
11273 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11274 }
11275
11276 diff -urNp linux-2.6.39.1/arch/x86/include/asm/stackprotector.h linux-2.6.39.1/arch/x86/include/asm/stackprotector.h
11277 --- linux-2.6.39.1/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400
11278 +++ linux-2.6.39.1/arch/x86/include/asm/stackprotector.h 2011-05-22 19:36:30.000000000 -0400
11279 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11280
11281 static inline void load_stack_canary_segment(void)
11282 {
11283 -#ifdef CONFIG_X86_32
11284 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11285 asm volatile ("mov %0, %%gs" : : "r" (0));
11286 #endif
11287 }
11288 diff -urNp linux-2.6.39.1/arch/x86/include/asm/stacktrace.h linux-2.6.39.1/arch/x86/include/asm/stacktrace.h
11289 --- linux-2.6.39.1/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400
11290 +++ linux-2.6.39.1/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400
11291 @@ -11,28 +11,20 @@
11292
11293 extern int kstack_depth_to_print;
11294
11295 -struct thread_info;
11296 +struct task_struct;
11297 struct stacktrace_ops;
11298
11299 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
11300 - unsigned long *stack,
11301 - unsigned long bp,
11302 - const struct stacktrace_ops *ops,
11303 - void *data,
11304 - unsigned long *end,
11305 - int *graph);
11306 -
11307 -extern unsigned long
11308 -print_context_stack(struct thread_info *tinfo,
11309 - unsigned long *stack, unsigned long bp,
11310 - const struct stacktrace_ops *ops, void *data,
11311 - unsigned long *end, int *graph);
11312 -
11313 -extern unsigned long
11314 -print_context_stack_bp(struct thread_info *tinfo,
11315 - unsigned long *stack, unsigned long bp,
11316 - const struct stacktrace_ops *ops, void *data,
11317 - unsigned long *end, int *graph);
11318 +typedef unsigned long walk_stack_t(struct task_struct *task,
11319 + void *stack_start,
11320 + unsigned long *stack,
11321 + unsigned long bp,
11322 + const struct stacktrace_ops *ops,
11323 + void *data,
11324 + unsigned long *end,
11325 + int *graph);
11326 +
11327 +extern walk_stack_t print_context_stack;
11328 +extern walk_stack_t print_context_stack_bp;
11329
11330 /* Generic stack tracer with callbacks */
11331
11332 @@ -43,7 +35,7 @@ struct stacktrace_ops {
11333 void (*address)(void *data, unsigned long address, int reliable);
11334 /* On negative return stop dumping */
11335 int (*stack)(void *data, char *name);
11336 - walk_stack_t walk_stack;
11337 + walk_stack_t *walk_stack;
11338 };
11339
11340 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
11341 diff -urNp linux-2.6.39.1/arch/x86/include/asm/system.h linux-2.6.39.1/arch/x86/include/asm/system.h
11342 --- linux-2.6.39.1/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
11343 +++ linux-2.6.39.1/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
11344 @@ -129,7 +129,7 @@ do { \
11345 "call __switch_to\n\t" \
11346 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11347 __switch_canary \
11348 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
11349 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11350 "movq %%rax,%%rdi\n\t" \
11351 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11352 "jnz ret_from_fork\n\t" \
11353 @@ -140,7 +140,7 @@ do { \
11354 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11355 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11356 [_tif_fork] "i" (_TIF_FORK), \
11357 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
11358 + [thread_info] "m" (current_tinfo), \
11359 [current_task] "m" (current_task) \
11360 __switch_canary_iparam \
11361 : "memory", "cc" __EXTRA_CLOBBER)
11362 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11363 {
11364 unsigned long __limit;
11365 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11366 - return __limit + 1;
11367 + return __limit;
11368 }
11369
11370 static inline void native_clts(void)
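Review bot: `get_limit()` now returns the raw `lsl` result, i.e. the highest valid offset, instead of the segment size, which changes the contract for every caller, and none of them are in this hunk. A caller that still treats the value as a size is off by one. The function has no comment, so the new meaning should be written down: `/* returns the segment limit (last valid offset), not the size */`. `lsl` leaves its destination unchanged when the selector is not usable, and the code neither initialises `__limit` nor tests ZF, so the function returns an indeterminate value in that case.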
11371 @@ -340,12 +340,12 @@ void enable_hlt(void);
11372
11373 void cpu_idle_wait(void);
11374
11375 -extern unsigned long arch_align_stack(unsigned long sp);
11376 +#define arch_align_stack(x) ((x) & ~0xfUL)
11377 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11378
11379 void default_idle(void);
11380
11381 -void stop_this_cpu(void *dummy);
11382 +void stop_this_cpu(void *dummy) __noreturn;
11383
11384 /*
11385 * Force strict CPU ordering.
11386 diff -urNp linux-2.6.39.1/arch/x86/include/asm/thread_info.h linux-2.6.39.1/arch/x86/include/asm/thread_info.h
11387 --- linux-2.6.39.1/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400
11388 +++ linux-2.6.39.1/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400
11389 @@ -10,6 +10,7 @@
11390 #include <linux/compiler.h>
11391 #include <asm/page.h>
11392 #include <asm/types.h>
11393 +#include <asm/percpu.h>
11394
11395 /*
11396 * low level task data that entry.S needs immediate access to
11397 @@ -24,7 +25,6 @@ struct exec_domain;
11398 #include <asm/atomic.h>
11399
11400 struct thread_info {
11401 - struct task_struct *task; /* main task structure */
11402 struct exec_domain *exec_domain; /* execution domain */
11403 __u32 flags; /* low level flags */
11404 __u32 status; /* thread synchronous flags */
11405 @@ -34,18 +34,12 @@ struct thread_info {
11406 mm_segment_t addr_limit;
11407 struct restart_block restart_block;
11408 void __user *sysenter_return;
11409 -#ifdef CONFIG_X86_32
11410 - unsigned long previous_esp; /* ESP of the previous stack in
11411 - case of nested (IRQ) stacks
11412 - */
11413 - __u8 supervisor_stack[0];
11414 -#endif
11415 + unsigned long lowest_stack;
11416 int uaccess_err;
11417 };
11418
11419 -#define INIT_THREAD_INFO(tsk) \
11420 +#define INIT_THREAD_INFO \
11421 { \
11422 - .task = &tsk, \
11423 .exec_domain = &default_exec_domain, \
11424 .flags = 0, \
11425 .cpu = 0, \
11426 @@ -56,7 +50,7 @@ struct thread_info {
11427 }, \
11428 }
11429
11430 -#define init_thread_info (init_thread_union.thread_info)
11431 +#define init_thread_info (init_thread_union.stack)
11432 #define init_stack (init_thread_union.stack)
11433
11434 #else /* !__ASSEMBLY__ */
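Review bot: `init_thread_info` and `init_stack` now expand to the same expression, `init_thread_union.stack`, so `init_thread_info` no longer names a `struct thread_info` object. Any remaining use that reaches a member through it would either fail to build or, behind a cast, operate on raw stack memory. If nothing uses the macro any more, deleting it is cleaner than aliasing it; if it has to stay, add `/* thread_info now lives in task_struct; this names the init stack only */`. The users are outside this hunk, so this needs a tree-wide check.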
11435 @@ -170,6 +164,23 @@ struct thread_info {
11436 ret; \
11437 })
11438
11439 +#ifdef __ASSEMBLY__
11440 +/* how to get the thread information struct from ASM */
11441 +#define GET_THREAD_INFO(reg) \
11442 + mov PER_CPU_VAR(current_tinfo), reg
11443 +
11444 +/* use this one if reg already contains %esp */
11445 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11446 +#else
11447 +/* how to get the thread information struct from C */
11448 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11449 +
11450 +static __always_inline struct thread_info *current_thread_info(void)
11451 +{
11452 + return percpu_read_stable(current_tinfo);
11453 +}
11454 +#endif
11455 +
11456 #ifdef CONFIG_X86_32
11457
11458 #define STACK_WARN (THREAD_SIZE/8)
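Review bot: `GET_THREAD_INFO_WITH_ESP(reg)` keeps the comment "use this one if reg already contains %esp", but the new definition ignores the register's incoming value and reloads it from `current_tinfo`. The comment should be replaced with something accurate, e.g. `/* kept for source compatibility; the previous contents of reg are discarded */`. More generally, `current_thread_info()` no longer derives its answer from the stack pointer and returns whatever the per-cpu `current_tinfo` holds, so its correctness depends on that variable being written on every context switch and before first use on each CPU, which happens outside this hunk.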
11459 @@ -180,35 +191,13 @@ struct thread_info {
11460 */
11461 #ifndef __ASSEMBLY__
11462
11463 -
11464 /* how to get the current stack pointer from C */
11465 register unsigned long current_stack_pointer asm("esp") __used;
11466
11467 -/* how to get the thread information struct from C */
11468 -static inline struct thread_info *current_thread_info(void)
11469 -{
11470 - return (struct thread_info *)
11471 - (current_stack_pointer & ~(THREAD_SIZE - 1));
11472 -}
11473 -
11474 -#else /* !__ASSEMBLY__ */
11475 -
11476 -/* how to get the thread information struct from ASM */
11477 -#define GET_THREAD_INFO(reg) \
11478 - movl $-THREAD_SIZE, reg; \
11479 - andl %esp, reg
11480 -
11481 -/* use this one if reg already contains %esp */
11482 -#define GET_THREAD_INFO_WITH_ESP(reg) \
11483 - andl $-THREAD_SIZE, reg
11484 -
11485 #endif
11486
11487 #else /* X86_32 */
11488
11489 -#include <asm/percpu.h>
11490 -#define KERNEL_STACK_OFFSET (5*8)
11491 -
11492 /*
11493 * macros/functions for gaining access to the thread information structure
11494 * preempt_count needs to be 1 initially, until the scheduler is functional.
11495 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
11496 #ifndef __ASSEMBLY__
11497 DECLARE_PER_CPU(unsigned long, kernel_stack);
11498
11499 -static inline struct thread_info *current_thread_info(void)
11500 -{
11501 - struct thread_info *ti;
11502 - ti = (void *)(percpu_read_stable(kernel_stack) +
11503 - KERNEL_STACK_OFFSET - THREAD_SIZE);
11504 - return ti;
11505 -}
11506 -
11507 -#else /* !__ASSEMBLY__ */
11508 -
11509 -/* how to get the thread information struct from ASM */
11510 -#define GET_THREAD_INFO(reg) \
11511 - movq PER_CPU_VAR(kernel_stack),reg ; \
11512 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11513 -
11514 +/* how to get the current stack pointer from C */
11515 +register unsigned long current_stack_pointer asm("rsp") __used;
11516 #endif
11517
11518 #endif /* !X86_32 */
11519 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
11520 extern void free_thread_info(struct thread_info *ti);
11521 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11522 #define arch_task_cache_init arch_task_cache_init
11523 +
11524 +#define __HAVE_THREAD_FUNCTIONS
11525 +#define task_thread_info(task) (&(task)->tinfo)
11526 +#define task_stack_page(task) ((task)->stack)
11527 +#define setup_thread_stack(p, org) do {} while (0)
11528 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11529 +
11530 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11531 +extern struct task_struct *alloc_task_struct_node(int node);
11532 +extern void free_task_struct(struct task_struct *);
11533 +
11534 #endif
11535 #endif /* _ASM_X86_THREAD_INFO_H */
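Review bot: `end_of_stack(p)` is defined as one `unsigned long` above the base of the stack page, with no explanation of why the first word is skipped now that `thread_info` no longer lives there. That address is conventionally where a stack-overflow marker is placed, so an off-by-one in either direction weakens overflow detection; a comment such as `/* lowest usable stack word; word 0 is reserved for <purpose> */` with the purpose filled in would let a reader verify it. `setup_thread_stack` becoming an empty statement deserves a similar one-line reason. These macros depend on `tinfo` and `stack` members of `task_struct` that are defined outside this hunk.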
11536 diff -urNp linux-2.6.39.1/arch/x86/include/asm/uaccess_32.h linux-2.6.39.1/arch/x86/include/asm/uaccess_32.h
11537 --- linux-2.6.39.1/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
11538 +++ linux-2.6.39.1/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
11539 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11540 static __always_inline unsigned long __must_check
11541 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11542 {
11543 + pax_track_stack();
11544 +
11545 + if ((long)n < 0)
11546 + return n;
11547 +
11548 if (__builtin_constant_p(n)) {
11549 unsigned long ret;
11550
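Review bot: The `(long)n < 0` guard added at the top of `__copy_to_user_inatomic` has no comment, and the same two lines are repeated in the `__copy_from_user_inatomic`, `__copy_from_user`, `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` hunks below. The intent appears to be rejecting lengths with the top bit set, which typically come from a negative value converted to unsigned, and returning `n` to report that nothing was copied; say so once, e.g. `/* a length with the sign bit set is a negative size in disguise: copy nothing */`. A small inline helper shared by the five sites would keep the check from diverging. The function body continues outside this hunk.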
11551 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11552 return ret;
11553 }
11554 }
11555 + if (!__builtin_constant_p(n))
11556 + check_object_size(from, n, true);
11557 return __copy_to_user_ll(to, from, n);
11558 }
11559
11560 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11561 __copy_to_user(void __user *to, const void *from, unsigned long n)
11562 {
11563 might_fault();
11564 +
11565 return __copy_to_user_inatomic(to, from, n);
11566 }
11567
11568 static __always_inline unsigned long
11569 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11570 {
11571 + if ((long)n < 0)
11572 + return n;
11573 +
11574 /* Avoid zeroing the tail if the copy fails..
11575 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11576 * but as the zeroing behaviour is only significant when n is not
11577 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11578 __copy_from_user(void *to, const void __user *from, unsigned long n)
11579 {
11580 might_fault();
11581 +
11582 + pax_track_stack();
11583 +
11584 + if ((long)n < 0)
11585 + return n;
11586 +
11587 if (__builtin_constant_p(n)) {
11588 unsigned long ret;
11589
11590 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11591 return ret;
11592 }
11593 }
11594 + if (!__builtin_constant_p(n))
11595 + check_object_size(to, n, false);
11596 return __copy_from_user_ll(to, from, n);
11597 }
11598
11599 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11600 const void __user *from, unsigned long n)
11601 {
11602 might_fault();
11603 +
11604 + if ((long)n < 0)
11605 + return n;
11606 +
11607 if (__builtin_constant_p(n)) {
11608 unsigned long ret;
11609
11610 @@ -182,15 +205,19 @@ static __always_inline unsigned long
11611 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11612 unsigned long n)
11613 {
11614 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11615 -}
11616 + if ((long)n < 0)
11617 + return n;
11618
11619 -unsigned long __must_check copy_to_user(void __user *to,
11620 - const void *from, unsigned long n);
11621 -unsigned long __must_check _copy_from_user(void *to,
11622 - const void __user *from,
11623 - unsigned long n);
11624 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11625 +}
11626
11627 +extern void copy_to_user_overflow(void)
11628 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11629 + __compiletime_error("copy_to_user() buffer size is not provably correct")
11630 +#else
11631 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
11632 +#endif
11633 +;
11634
11635 extern void copy_from_user_overflow(void)
11636 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11637 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
11638 #endif
11639 ;
11640
11641 -static inline unsigned long __must_check copy_from_user(void *to,
11642 - const void __user *from,
11643 - unsigned long n)
11644 +/**
11645 + * copy_to_user: - Copy a block of data into user space.
11646 + * @to: Destination address, in user space.
11647 + * @from: Source address, in kernel space.
11648 + * @n: Number of bytes to copy.
11649 + *
11650 + * Context: User context only. This function may sleep.
11651 + *
11652 + * Copy data from kernel space to user space.
11653 + *
11654 + * Returns number of bytes that could not be copied.
11655 + * On success, this will be zero.
11656 + */
11657 +static inline unsigned long __must_check
11658 +copy_to_user(void __user *to, const void *from, unsigned long n)
11659 +{
11660 + int sz = __compiletime_object_size(from);
11661 +
11662 + if (unlikely(sz != -1 && sz < n))
11663 + copy_to_user_overflow();
11664 + else if (access_ok(VERIFY_WRITE, to, n))
11665 + n = __copy_to_user(to, from, n);
11666 + return n;
11667 +}
11668 +
11669 +/**
11670 + * copy_from_user: - Copy a block of data from user space.
11671 + * @to: Destination address, in kernel space.
11672 + * @from: Source address, in user space.
11673 + * @n: Number of bytes to copy.
11674 + *
11675 + * Context: User context only. This function may sleep.
11676 + *
11677 + * Copy data from user space to kernel space.
11678 + *
11679 + * Returns number of bytes that could not be copied.
11680 + * On success, this will be zero.
11681 + *
11682 + * If some data could not be copied, this function will pad the copied
11683 + * data to the requested size using zero bytes.
11684 + */
11685 +static inline unsigned long __must_check
11686 +copy_from_user(void *to, const void __user *from, unsigned long n)
11687 {
11688 int sz = __compiletime_object_size(to);
11689
11690 - if (likely(sz == -1 || sz >= n))
11691 - n = _copy_from_user(to, from, n);
11692 - else
11693 + if (unlikely(sz != -1 && sz < n))
11694 copy_from_user_overflow();
11695 -
11696 + else if (access_ok(VERIFY_READ, from, n))
11697 + n = __copy_from_user(to, from, n);
11698 + else if ((long)n > 0) {
11699 + if (!__builtin_constant_p(n))
11700 + check_object_size(to, n, false);
11701 + memset(to, 0, n);
11702 + }
11703 return n;
11704 }
11705
11706 diff -urNp linux-2.6.39.1/arch/x86/include/asm/uaccess_64.h linux-2.6.39.1/arch/x86/include/asm/uaccess_64.h
11707 --- linux-2.6.39.1/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
11708 +++ linux-2.6.39.1/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
11709 @@ -11,6 +11,9 @@
11710 #include <asm/alternative.h>
11711 #include <asm/cpufeature.h>
11712 #include <asm/page.h>
11713 +#include <asm/pgtable.h>
11714 +
11715 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11716
11717 /*
11718 * Copy To/From Userspace
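Review bot: The `set_fs(x)` macro added to this header has the same body as the definition `asm/uaccess.h` keeps in its `#else` branch (`#define set_fs(x) (current_thread_info()->addr_limit = (x))`), so on 64-bit the macro is now defined in two headers. An identical redefinition compiles, but any later edit to one copy becomes a redefinition diagnostic in every includer. If this header is only reached through `uaccess.h`, the copy here can be dropped. Otherwise wrap it in `#ifndef set_fs` with a comment naming the includer that needs it.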
11719 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
11720 return ret;
11721 }
11722
11723 -__must_check unsigned long
11724 -_copy_to_user(void __user *to, const void *from, unsigned len);
11725 -__must_check unsigned long
11726 -_copy_from_user(void *to, const void __user *from, unsigned len);
11727 +static __always_inline __must_check unsigned long
11728 +__copy_to_user(void __user *to, const void *from, unsigned len);
11729 +static __always_inline __must_check unsigned long
11730 +__copy_from_user(void *to, const void __user *from, unsigned len);
11731 __must_check unsigned long
11732 copy_in_user(void __user *to, const void __user *from, unsigned len);
11733
11734 static inline unsigned long __must_check copy_from_user(void *to,
11735 const void __user *from,
11736 - unsigned long n)
11737 + unsigned n)
11738 {
11739 - int sz = __compiletime_object_size(to);
11740 -
11741 might_fault();
11742 - if (likely(sz == -1 || sz >= n))
11743 - n = _copy_from_user(to, from, n);
11744 -#ifdef CONFIG_DEBUG_VM
11745 - else
11746 - WARN(1, "Buffer overflow detected!\n");
11747 -#endif
11748 +
11749 + if (access_ok(VERIFY_READ, from, n))
11750 + n = __copy_from_user(to, from, n);
11751 + else if ((int)n > 0) {
11752 + if (!__builtin_constant_p(n))
11753 + check_object_size(to, n, false);
11754 + memset(to, 0, n);
11755 + }
11756 return n;
11757 }
11758
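Review bot: The fallback branch of `copy_from_user` zeroes `to` only when `(int)n > 0`, so a length with bit 31 set returns non-zero and leaves the destination as it was, and nothing in the code says this is intended. I would add a comment on that branch, e.g. `/* access_ok() failed: clear the buffer so the caller never consumes stale kernel data; skipped for implausibly large n */`. The signature also narrows `n` from `unsigned long` to `unsigned`, so a 64-bit length is truncated before `access_ok` sees it. A line in the function comment stating that lengths above `UINT_MAX` are not supported would put that contract on record.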
11759 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
11760 {
11761 might_fault();
11762
11763 - return _copy_to_user(dst, src, size);
11764 + if (access_ok(VERIFY_WRITE, dst, size))
11765 + size = __copy_to_user(dst, src, size);
11766 + return size;
11767 }
11768
11769 static __always_inline __must_check
11770 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
11771 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
11772 {
11773 - int ret = 0;
11774 + int sz = __compiletime_object_size(dst);
11775 + unsigned ret = 0;
11776
11777 might_fault();
11778 - if (!__builtin_constant_p(size))
11779 - return copy_user_generic(dst, (__force void *)src, size);
11780 +
11781 + pax_track_stack();
11782 +
11783 + if ((int)size < 0)
11784 + return size;
11785 +
11786 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11787 + if (!__access_ok(VERIFY_READ, src, size))
11788 + return size;
11789 +#endif
11790 +
11791 + if (unlikely(sz != -1 && sz < size)) {
11792 +#ifdef CONFIG_DEBUG_VM
11793 + WARN(1, "Buffer overflow detected!\n");
11794 +#endif
11795 + return size;
11796 + }
11797 +
11798 + if (!__builtin_constant_p(size)) {
11799 + check_object_size(dst, size, false);
11800 +
11801 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11802 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11803 + src += PAX_USER_SHADOW_BASE;
11804 +#endif
11805 +
11806 + return copy_user_generic(dst, (__force const void *)src, size);
11807 + }
11808 switch (size) {
11809 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
11810 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
11811 ret, "b", "b", "=q", 1);
11812 return ret;
11813 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
11814 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
11815 ret, "w", "w", "=r", 2);
11816 return ret;
11817 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
11818 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
11819 ret, "l", "k", "=r", 4);
11820 return ret;
11821 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
11822 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11823 ret, "q", "", "=r", 8);
11824 return ret;
11825 case 10:
11826 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11827 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11828 ret, "q", "", "=r", 10);
11829 if (unlikely(ret))
11830 return ret;
11831 __get_user_asm(*(u16 *)(8 + (char *)dst),
11832 - (u16 __user *)(8 + (char __user *)src),
11833 + (const u16 __user *)(8 + (const char __user *)src),
11834 ret, "w", "w", "=r", 2);
11835 return ret;
11836 case 16:
11837 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11838 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11839 ret, "q", "", "=r", 16);
11840 if (unlikely(ret))
11841 return ret;
11842 __get_user_asm(*(u64 *)(8 + (char *)dst),
11843 - (u64 __user *)(8 + (char __user *)src),
11844 + (const u64 __user *)(8 + (const char __user *)src),
11845 ret, "q", "", "=r", 8);
11846 return ret;
11847 default:
11848 - return copy_user_generic(dst, (__force void *)src, size);
11849 +
11850 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11851 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11852 + src += PAX_USER_SHADOW_BASE;
11853 +#endif
11854 +
11855 + return copy_user_generic(dst, (__force const void *)src, size);
11856 }
11857 }
11858
11859 static __always_inline __must_check
11860 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
11861 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
11862 {
11863 - int ret = 0;
11864 + int sz = __compiletime_object_size(src);
11865 + unsigned ret = 0;
11866
11867 might_fault();
11868 - if (!__builtin_constant_p(size))
11869 +
11870 + pax_track_stack();
11871 +
11872 + if ((int)size < 0)
11873 + return size;
11874 +
11875 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11876 + if (!__access_ok(VERIFY_WRITE, dst, size))
11877 + return size;
11878 +#endif
11879 +
11880 + if (unlikely(sz != -1 && sz < size)) {
11881 +#ifdef CONFIG_DEBUG_VM
11882 + WARN(1, "Buffer overflow detected!\n");
11883 +#endif
11884 + return size;
11885 + }
11886 +
11887 + if (!__builtin_constant_p(size)) {
11888 + check_object_size(src, size, true);
11889 +
11890 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11891 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11892 + dst += PAX_USER_SHADOW_BASE;
11893 +#endif
11894 +
11895 return copy_user_generic((__force void *)dst, src, size);
11896 + }
11897 switch (size) {
11898 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
11899 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
11900 ret, "b", "b", "iq", 1);
11901 return ret;
11902 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
11903 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
11904 ret, "w", "w", "ir", 2);
11905 return ret;
11906 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
11907 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
11908 ret, "l", "k", "ir", 4);
11909 return ret;
11910 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
11911 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11912 ret, "q", "", "er", 8);
11913 return ret;
11914 case 10:
11915 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11916 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11917 ret, "q", "", "er", 10);
11918 if (unlikely(ret))
11919 return ret;
11920 asm("":::"memory");
11921 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
11922 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
11923 ret, "w", "w", "ir", 2);
11924 return ret;
11925 case 16:
11926 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11927 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11928 ret, "q", "", "er", 16);
11929 if (unlikely(ret))
11930 return ret;
11931 asm("":::"memory");
11932 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
11933 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
11934 ret, "q", "", "er", 8);
11935 return ret;
11936 default:
11937 +
11938 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11939 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11940 + dst += PAX_USER_SHADOW_BASE;
11941 +#endif
11942 +
11943 return copy_user_generic((__force void *)dst, src, size);
11944 }
11945 }
11946
11947 static __always_inline __must_check
11948 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11949 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11950 {
11951 - int ret = 0;
11952 + unsigned ret = 0;
11953
11954 might_fault();
11955 - if (!__builtin_constant_p(size))
11956 +
11957 + if ((int)size < 0)
11958 + return size;
11959 +
11960 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11961 + if (!__access_ok(VERIFY_READ, src, size))
11962 + return size;
11963 + if (!__access_ok(VERIFY_WRITE, dst, size))
11964 + return size;
11965 +#endif
11966 +
11967 + if (!__builtin_constant_p(size)) {
11968 +
11969 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11970 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11971 + src += PAX_USER_SHADOW_BASE;
11972 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11973 + dst += PAX_USER_SHADOW_BASE;
11974 +#endif
11975 +
11976 return copy_user_generic((__force void *)dst,
11977 - (__force void *)src, size);
11978 + (__force const void *)src, size);
11979 + }
11980 switch (size) {
11981 case 1: {
11982 u8 tmp;
11983 - __get_user_asm(tmp, (u8 __user *)src,
11984 + __get_user_asm(tmp, (const u8 __user *)src,
11985 ret, "b", "b", "=q", 1);
11986 if (likely(!ret))
11987 __put_user_asm(tmp, (u8 __user *)dst,
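Review bot: The early exits added to `__copy_from_user` (`(int)size < 0`, the UDEREF `__access_ok` failure, and the `sz < size` case) return `size` without writing to `dst`, while the `copy_from_user` wrapper earlier in this file zeroes the buffer when `access_ok` fails. A caller that reaches `__copy_from_user` directly gets an untouched buffer on these paths, which should be stated above the function, e.g. `/* On the early error returns dst is not modified; a non-zero result means its contents must not be used. */`. The overflow report is compiled in only under `CONFIG_DEBUG_VM`, so on other builds the rejection is silent; `__copy_to_user` follows the same pattern. The hunk ends inside `__copy_in_user`, whose body continues in the following hunks.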
11988 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
11989 }
11990 case 2: {
11991 u16 tmp;
11992 - __get_user_asm(tmp, (u16 __user *)src,
11993 + __get_user_asm(tmp, (const u16 __user *)src,
11994 ret, "w", "w", "=r", 2);
11995 if (likely(!ret))
11996 __put_user_asm(tmp, (u16 __user *)dst,
11997 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
11998
11999 case 4: {
12000 u32 tmp;
12001 - __get_user_asm(tmp, (u32 __user *)src,
12002 + __get_user_asm(tmp, (const u32 __user *)src,
12003 ret, "l", "k", "=r", 4);
12004 if (likely(!ret))
12005 __put_user_asm(tmp, (u32 __user *)dst,
12006 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
12007 }
12008 case 8: {
12009 u64 tmp;
12010 - __get_user_asm(tmp, (u64 __user *)src,
12011 + __get_user_asm(tmp, (const u64 __user *)src,
12012 ret, "q", "", "=r", 8);
12013 if (likely(!ret))
12014 __put_user_asm(tmp, (u64 __user *)dst,
12015 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
12016 return ret;
12017 }
12018 default:
12019 +
12020 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12021 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12022 + src += PAX_USER_SHADOW_BASE;
12023 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12024 + dst += PAX_USER_SHADOW_BASE;
12025 +#endif
12026 +
12027 return copy_user_generic((__force void *)dst,
12028 - (__force void *)src, size);
12029 + (__force const void *)src, size);
12030 }
12031 }
12032
12033 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
12034 static __must_check __always_inline int
12035 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12036 {
12037 + pax_track_stack();
12038 +
12039 + if ((int)size < 0)
12040 + return size;
12041 +
12042 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12043 + if (!__access_ok(VERIFY_READ, src, size))
12044 + return size;
12045 +
12046 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12047 + src += PAX_USER_SHADOW_BASE;
12048 +#endif
12049 +
12050 return copy_user_generic(dst, (__force const void *)src, size);
12051 }
12052
12053 -static __must_check __always_inline int
12054 +static __must_check __always_inline unsigned long
12055 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12056 {
12057 + if ((int)size < 0)
12058 + return size;
12059 +
12060 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12061 + if (!__access_ok(VERIFY_WRITE, dst, size))
12062 + return size;
12063 +
12064 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12065 + dst += PAX_USER_SHADOW_BASE;
12066 +#endif
12067 +
12068 return copy_user_generic((__force void *)dst, src, size);
12069 }
12070
12071 -extern long __copy_user_nocache(void *dst, const void __user *src,
12072 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12073 unsigned size, int zerorest);
12074
12075 -static inline int
12076 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12077 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12078 {
12079 might_sleep();
12080 +
12081 + if ((int)size < 0)
12082 + return size;
12083 +
12084 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12085 + if (!__access_ok(VERIFY_READ, src, size))
12086 + return size;
12087 +#endif
12088 +
12089 return __copy_user_nocache(dst, src, size, 1);
12090 }
12091
12092 -static inline int
12093 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12094 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12095 unsigned size)
12096 {
12097 + if ((int)size < 0)
12098 + return size;
12099 +
12100 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12101 + if (!__access_ok(VERIFY_READ, src, size))
12102 + return size;
12103 +#endif
12104 +
12105 return __copy_user_nocache(dst, src, size, 0);
12106 }
12107
12108 -unsigned long
12109 +extern unsigned long
12110 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12111
12112 #endif /* _ASM_X86_UACCESS_64_H */
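Review bot: None of the four helpers changed here (`__copy_from_user_inatomic`, `__copy_to_user_inatomic`, `__copy_from_user_nocache`, `__copy_from_user_inatomic_nocache`) calls `check_object_size`, although `__copy_from_user` and `__copy_to_user` above call it whenever the length is not a compile-time constant. If the omission is deliberate, a one-line comment in each helper should give the reason; if it is not, the kernel-side buffer on these paths is not covered by the object-size check. `__copy_from_user_inatomic` also keeps its `int` return type while the other three now return `unsigned long`, and it calls `pax_track_stack()` where `__copy_to_user_inatomic` does not. Unless a caller depends on the signed type, I would declare it `static __must_check __always_inline unsigned long` to match.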
12113 diff -urNp linux-2.6.39.1/arch/x86/include/asm/uaccess.h linux-2.6.39.1/arch/x86/include/asm/uaccess.h
12114 --- linux-2.6.39.1/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400
12115 +++ linux-2.6.39.1/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400
12116 @@ -8,12 +8,15 @@
12117 #include <linux/thread_info.h>
12118 #include <linux/prefetch.h>
12119 #include <linux/string.h>
12120 +#include <linux/sched.h>
12121 #include <asm/asm.h>
12122 #include <asm/page.h>
12123
12124 #define VERIFY_READ 0
12125 #define VERIFY_WRITE 1
12126
12127 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
12128 +
12129 /*
12130 * The fs value determines whether argument validity checking should be
12131 * performed or not. If get_fs() == USER_DS, checking is performed, with
12132 @@ -29,7 +32,12 @@
12133
12134 #define get_ds() (KERNEL_DS)
12135 #define get_fs() (current_thread_info()->addr_limit)
12136 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12137 +void __set_fs(mm_segment_t x);
12138 +void set_fs(mm_segment_t x);
12139 +#else
12140 #define set_fs(x) (current_thread_info()->addr_limit = (x))
12141 +#endif
12142
12143 #define segment_eq(a, b) ((a).seg == (b).seg)
12144
12145 @@ -77,7 +85,33 @@
12146 * checks that the pointer is in the user space range - after calling
12147 * this function, memory access functions may still return -EFAULT.
12148 */
12149 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12150 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12151 +#define access_ok(type, addr, size) \
12152 +({ \
12153 + long __size = size; \
12154 + unsigned long __addr = (unsigned long)addr; \
12155 + unsigned long __addr_ao = __addr & PAGE_MASK; \
12156 + unsigned long __end_ao = __addr + __size - 1; \
12157 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
12158 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
12159 + while(__addr_ao <= __end_ao) { \
12160 + char __c_ao; \
12161 + __addr_ao += PAGE_SIZE; \
12162 + if (__size > PAGE_SIZE) \
12163 + cond_resched(); \
12164 + if (__get_user(__c_ao, (char __user *)__addr)) \
12165 + break; \
12166 + if (type != VERIFY_WRITE) { \
12167 + __addr = __addr_ao; \
12168 + continue; \
12169 + } \
12170 + if (__put_user(__c_ao, (char __user *)__addr)) \
12171 + break; \
12172 + __addr = __addr_ao; \
12173 + } \
12174 + } \
12175 + __ret_ao; \
12176 +})
12177
12178 /*
12179 * The exception table consists of pairs of addresses: the first is the
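Review bot: The new `access_ok` body casts its argument as `(unsigned long)addr`, so a caller passing an expression such as `buf + off` gets the cast applied to `buf` alone and the offset added in bytes rather than in elements; both the range check and the page loop then run on that value. The line should read `unsigned long __addr = (unsigned long)(addr);`, and `size` and `type` are best parenthesised the same way. The page-touching loop only breaks on a failed `__get_user`/`__put_user` and never changes `__ret_ao`, so the macro's result is still the range check alone. A comment should say that the loop is a best-effort pre-fault, and that the macro can now fault and call `cond_resched()`, which matters to any caller that may run in atomic context.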
12180 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
12181 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
12182 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
12183
12184 -
12185 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12186 +#define __copyuser_seg "gs;"
12187 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
12188 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
12189 +#else
12190 +#define __copyuser_seg
12191 +#define __COPYUSER_SET_ES
12192 +#define __COPYUSER_RESTORE_ES
12193 +#endif
12194
12195 #ifdef CONFIG_X86_32
12196 #define __put_user_asm_u64(x, addr, err, errret) \
12197 - asm volatile("1: movl %%eax,0(%2)\n" \
12198 - "2: movl %%edx,4(%2)\n" \
12199 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
12200 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
12201 "3:\n" \
12202 ".section .fixup,\"ax\"\n" \
12203 "4: movl %3,%0\n" \
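Review bot: The three macros introduced here have no comment, and `__COPYUSER_RESTORE_ES` reloads `%es` from `%ss` rather than from a saved copy, which is only correct if `%es` held the same selector as `%ss` before `__COPYUSER_SET_ES` ran. I would record that assumption above the block, e.g. `/* 32-bit UDEREF: user accesses carry a %gs override; string copies point %es at %gs and afterwards restore it from %ss */`. That wording is inferred from the macro bodies and should be checked against the segment setup elsewhere in the patch. `__put_user_asm_u64` continues past the end of the hunk.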
12204 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
12205 : "A" (x), "r" (addr), "i" (errret), "0" (err))
12206
12207 #define __put_user_asm_ex_u64(x, addr) \
12208 - asm volatile("1: movl %%eax,0(%1)\n" \
12209 - "2: movl %%edx,4(%1)\n" \
12210 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
12211 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
12212 "3:\n" \
12213 _ASM_EXTABLE(1b, 2b - 1b) \
12214 _ASM_EXTABLE(2b, 3b - 2b) \
12215 @@ -374,7 +416,7 @@ do { \
12216 } while (0)
12217
12218 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12219 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
12220 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
12221 "2:\n" \
12222 ".section .fixup,\"ax\"\n" \
12223 "3: mov %3,%0\n" \
12224 @@ -382,7 +424,7 @@ do { \
12225 " jmp 2b\n" \
12226 ".previous\n" \
12227 _ASM_EXTABLE(1b, 3b) \
12228 - : "=r" (err), ltype(x) \
12229 + : "=r" (err), ltype (x) \
12230 : "m" (__m(addr)), "i" (errret), "0" (err))
12231
12232 #define __get_user_size_ex(x, ptr, size) \
12233 @@ -407,7 +449,7 @@ do { \
12234 } while (0)
12235
12236 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
12237 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
12238 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
12239 "2:\n" \
12240 _ASM_EXTABLE(1b, 2b - 1b) \
12241 : ltype(x) : "m" (__m(addr)))
12242 @@ -424,13 +466,24 @@ do { \
12243 int __gu_err; \
12244 unsigned long __gu_val; \
12245 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
12246 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
12247 + (x) = (__typeof__(*(ptr)))__gu_val; \
12248 __gu_err; \
12249 })
12250
12251 /* FIXME: this hack is definitely wrong -AK */
12252 struct __large_struct { unsigned long buf[100]; };
12253 -#define __m(x) (*(struct __large_struct __user *)(x))
12254 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12255 +#define ____m(x) \
12256 +({ \
12257 + unsigned long ____x = (unsigned long)(x); \
12258 + if (____x < PAX_USER_SHADOW_BASE) \
12259 + ____x += PAX_USER_SHADOW_BASE; \
12260 + (void __user *)____x; \
12261 +})
12262 +#else
12263 +#define ____m(x) (x)
12264 +#endif
12265 +#define __m(x) (*(struct __large_struct __user *)____m(x))
12266
12267 /*
12268 * Tell gcc we read from memory instead of writing: this is because
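Review bot: `____m()` is the only place that gives the shadow-base adjustment a name; the same `if (addr < PAX_USER_SHADOW_BASE) addr += PAX_USER_SHADOW_BASE;` test is written out by hand at several sites in `uaccess_64.h` and in the `xsave.h` hunks of this patch. One `static inline` helper used by all of them would keep the sites from diverging. The macro passes any value at or above `PAX_USER_SHADOW_BASE` through unchanged, and a comment should state which address ranges that is meant to cover. The hunk also drops `__force` from the `__typeof__` cast in the macro above, which may bring back sparse warnings for annotated types; that cannot be confirmed from here.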
12269 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
12270 * aliasing issues.
12271 */
12272 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12273 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
12274 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
12275 "2:\n" \
12276 ".section .fixup,\"ax\"\n" \
12277 "3: mov %3,%0\n" \
12278 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
12279 ".previous\n" \
12280 _ASM_EXTABLE(1b, 3b) \
12281 : "=r"(err) \
12282 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
12283 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
12284
12285 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
12286 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
12287 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
12288 "2:\n" \
12289 _ASM_EXTABLE(1b, 2b - 1b) \
12290 : : ltype(x), "m" (__m(addr)))
12291 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
12292 * On error, the variable @x is set to zero.
12293 */
12294
12295 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12296 +#define __get_user(x, ptr) get_user((x), (ptr))
12297 +#else
12298 #define __get_user(x, ptr) \
12299 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
12300 +#endif
12301
12302 /**
12303 * __put_user: - Write a simple value into user space, with less checking.
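Review bot: With `CONFIG_X86_64` and `CONFIG_PAX_MEMORY_UDEREF` both set, `__get_user` here and `__put_user` in the next hunk expand to the checked `get_user`/`put_user`, yet the kerneldoc still describes them as the variants "with less checking". I would add a line to each comment block, e.g. ` * With PAX_MEMORY_UDEREF on x86-64 this expands to get_user().` (and the `put_user()` counterpart), so readers do not assume the unchecked path is taken. Both comment blocks begin outside the hunks.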
12304 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
12305 * Returns zero on success, or -EFAULT on error.
12306 */
12307
12308 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12309 +#define __put_user(x, ptr) put_user((x), (ptr))
12310 +#else
12311 #define __put_user(x, ptr) \
12312 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12313 +#endif
12314
12315 #define __get_user_unaligned __get_user
12316 #define __put_user_unaligned __put_user
12317 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12318 #define get_user_ex(x, ptr) do { \
12319 unsigned long __gue_val; \
12320 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12321 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
12322 + (x) = (__typeof__(*(ptr)))__gue_val; \
12323 } while (0)
12324
12325 #ifdef CONFIG_X86_WP_WORKS_OK
12326 @@ -567,6 +628,7 @@ extern struct movsl_mask {
12327
12328 #define ARCH_HAS_NOCACHE_UACCESS 1
12329
12330 +#define ARCH_HAS_SORT_EXTABLE
12331 #ifdef CONFIG_X86_32
12332 # include "uaccess_32.h"
12333 #else
12334 diff -urNp linux-2.6.39.1/arch/x86/include/asm/vgtod.h linux-2.6.39.1/arch/x86/include/asm/vgtod.h
12335 --- linux-2.6.39.1/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400
12336 +++ linux-2.6.39.1/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400
12337 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12338 int sysctl_enabled;
12339 struct timezone sys_tz;
12340 struct { /* extract of a clocksource struct */
12341 + char name[8];
12342 cycle_t (*vread)(void);
12343 cycle_t cycle_last;
12344 cycle_t mask;
12345 diff -urNp linux-2.6.39.1/arch/x86/include/asm/vsyscall.h linux-2.6.39.1/arch/x86/include/asm/vsyscall.h
12346 --- linux-2.6.39.1/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400
12347 +++ linux-2.6.39.1/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400
12348 @@ -15,9 +15,10 @@ enum vsyscall_num {
12349
12350 #ifdef __KERNEL__
12351 #include <linux/seqlock.h>
12352 +#include <linux/getcpu.h>
12353 +#include <linux/time.h>
12354
12355 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12356 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12357
12358 /* Definitions for CONFIG_GENERIC_TIME definitions */
12359 #define __section_vsyscall_gtod_data __attribute__ \
12360 @@ -31,7 +32,6 @@ enum vsyscall_num {
12361 #define VGETCPU_LSL 2
12362
12363 extern int __vgetcpu_mode;
12364 -extern volatile unsigned long __jiffies;
12365
12366 /* kernel space (writeable) */
12367 extern int vgetcpu_mode;
12368 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12369
12370 extern void map_vsyscall(void);
12371
12372 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12373 +extern time_t vtime(time_t *t);
12374 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12375 #endif /* __KERNEL__ */
12376
12377 #endif /* _ASM_X86_VSYSCALL_H */
12378 diff -urNp linux-2.6.39.1/arch/x86/include/asm/xen/pci.h linux-2.6.39.1/arch/x86/include/asm/xen/pci.h
12379 --- linux-2.6.39.1/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400
12380 +++ linux-2.6.39.1/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400
12381 @@ -33,7 +33,7 @@ struct xen_pci_frontend_ops {
12382 void (*disable_msix)(struct pci_dev *dev);
12383 };
12384
12385 -extern struct xen_pci_frontend_ops *xen_pci_frontend;
12386 +extern const struct xen_pci_frontend_ops *xen_pci_frontend;
12387
12388 static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev,
12389 int vectors[])
12390 diff -urNp linux-2.6.39.1/arch/x86/include/asm/xsave.h linux-2.6.39.1/arch/x86/include/asm/xsave.h
12391 --- linux-2.6.39.1/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400
12392 +++ linux-2.6.39.1/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400
12393 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
12394 {
12395 int err;
12396
12397 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12398 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12399 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12400 +#endif
12401 +
12402 /*
12403 * Clear the xsave header first, so that reserved fields are
12404 * initialized to zero.
12405 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
12406 u32 lmask = mask;
12407 u32 hmask = mask >> 32;
12408
12409 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12410 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12411 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12412 +#endif
12413 +
12414 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12415 "2:\n"
12416 ".section .fixup,\"ax\"\n"
12417 diff -urNp linux-2.6.39.1/arch/x86/Kconfig linux-2.6.39.1/arch/x86/Kconfig
12418 --- linux-2.6.39.1/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400
12419 +++ linux-2.6.39.1/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400
12420 @@ -224,7 +224,7 @@ config X86_HT
12421
12422 config X86_32_LAZY_GS
12423 def_bool y
12424 - depends on X86_32 && !CC_STACKPROTECTOR
12425 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12426
12427 config ARCH_HWEIGHT_CFLAGS
12428 string
12429 @@ -1022,7 +1022,7 @@ choice
12430
12431 config NOHIGHMEM
12432 bool "off"
12433 - depends on !X86_NUMAQ
12434 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12435 ---help---
12436 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12437 However, the address space of 32-bit x86 processors is only 4
12438 @@ -1059,7 +1059,7 @@ config NOHIGHMEM
12439
12440 config HIGHMEM4G
12441 bool "4GB"
12442 - depends on !X86_NUMAQ
12443 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12444 ---help---
12445 Select this if you have a 32-bit processor and between 1 and 4
12446 gigabytes of physical RAM.
12447 @@ -1113,7 +1113,7 @@ config PAGE_OFFSET
12448 hex
12449 default 0xB0000000 if VMSPLIT_3G_OPT
12450 default 0x80000000 if VMSPLIT_2G
12451 - default 0x78000000 if VMSPLIT_2G_OPT
12452 + default 0x70000000 if VMSPLIT_2G_OPT
12453 default 0x40000000 if VMSPLIT_1G
12454 default 0xC0000000
12455 depends on X86_32
12456 @@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED
12457
12458 config EFI
12459 bool "EFI runtime service support"
12460 - depends on ACPI
12461 + depends on ACPI && !PAX_KERNEXEC
12462 ---help---
12463 This enables the kernel to use EFI runtime services that are
12464 available (such as the EFI variable services).
12465 @@ -1487,6 +1487,7 @@ config SECCOMP
12466
12467 config CC_STACKPROTECTOR
12468 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12469 + depends on X86_64 || !PAX_MEMORY_UDEREF
12470 ---help---
12471 This option turns on the -fstack-protector GCC feature. This
12472 feature puts, at the beginning of functions, a canary value on
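Review bot: The added `depends on X86_64 || !PAX_MEMORY_UDEREF` line removes the stack-protector option from 32-bit builds as soon as UDEREF is selected, and the help text gives no hint of it. I would add a sentence to the help, e.g. `On 32-bit kernels this option is unavailable when PAX_MEMORY_UDEREF is enabled.`, so the trade-off shows up in menuconfig. The same file makes `X86_32_LAZY_GS` depend on `!PAX_MEMORY_UDEREF`, which suggests the conflict is over `%gs` usage, but the hunk itself does not say so.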
12473 @@ -1544,6 +1545,7 @@ config KEXEC_JUMP
12474 config PHYSICAL_START
12475 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
12476 default "0x1000000"
12477 + range 0x400000 0x40000000
12478 ---help---
12479 This gives the physical address where the kernel is loaded.
12480
12481 @@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS
12482 config PHYSICAL_ALIGN
12483 hex "Alignment value to which kernel should be aligned" if X86_32
12484 default "0x1000000"
12485 + range 0x400000 0x1000000 if PAX_KERNEXEC
12486 range 0x2000 0x1000000
12487 ---help---
12488 This value puts the alignment restrictions on physical address
12489 @@ -1638,9 +1641,10 @@ config HOTPLUG_CPU
12490 Say N if you want to disable CPU hotplug.
12491
12492 config COMPAT_VDSO
12493 - def_bool y
12494 + def_bool n
12495 prompt "Compat VDSO support"
12496 depends on X86_32 || IA32_EMULATION
12497 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12498 ---help---
12499 Map the 32-bit VDSO to the predictable old-style address too.
12500
12501 diff -urNp linux-2.6.39.1/arch/x86/Kconfig.cpu linux-2.6.39.1/arch/x86/Kconfig.cpu
12502 --- linux-2.6.39.1/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400
12503 +++ linux-2.6.39.1/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400
12504 @@ -334,7 +334,7 @@ config X86_PPRO_FENCE
12505
12506 config X86_F00F_BUG
12507 def_bool y
12508 - depends on M586MMX || M586TSC || M586 || M486 || M386
12509 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12510
12511 config X86_INVD_BUG
12512 def_bool y
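Review bot: Adding `&& !PAX_KERNEXEC` switches `X86_F00F_BUG` off for the 386/486/Pentium targets whenever KERNEXEC is enabled, and a `def_bool y` entry has no help text in which to explain that. A comment above the entry, e.g. `# the F00F workaround is not built when PAX_KERNEXEC is enabled`, together with a matching sentence in the KERNEXEC help, would tell users of those CPU targets that the workaround is absent from such a build.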
12513 @@ -358,7 +358,7 @@ config X86_POPAD_OK
12514
12515 config X86_ALIGNMENT_16
12516 def_bool y
12517 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12518 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12519
12520 config X86_INTEL_USERCOPY
12521 def_bool y
12522 @@ -404,7 +404,7 @@ config X86_CMPXCHG64
12523 # generates cmov.
12524 config X86_CMOV
12525 def_bool y
12526 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12527 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12528
12529 config X86_MINIMUM_CPU_FAMILY
12530 int
12531 diff -urNp linux-2.6.39.1/arch/x86/Kconfig.debug linux-2.6.39.1/arch/x86/Kconfig.debug
12532 --- linux-2.6.39.1/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
12533 +++ linux-2.6.39.1/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400
12534 @@ -101,7 +101,7 @@ config X86_PTDUMP
12535 config DEBUG_RODATA
12536 bool "Write protect kernel read-only data structures"
12537 default y
12538 - depends on DEBUG_KERNEL
12539 + depends on DEBUG_KERNEL && BROKEN
12540 ---help---
12541 Mark the kernel read-only data as write-protected in the pagetables,
12542 in order to catch accidental (and incorrect) writes to such const
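Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels built without any PaX feature that would take its place. `DEBUG_SET_MODULE_RONX` gets the same `&& BROKEN` in the next hunk. If the intent is that KERNEXEC supersedes both, the dependencies could say so with `depends on DEBUG_KERNEL && !PAX_KERNEXEC` and `depends on MODULES && !PAX_KERNEXEC`. That only holds if the upstream implementation still works in this tree with KERNEXEC off, which cannot be judged from these hunks. At the least, the help text should say why the option is unavailable.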
12543 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
12544
12545 config DEBUG_SET_MODULE_RONX
12546 bool "Set loadable kernel module data as NX and text as RO"
12547 - depends on MODULES
12548 + depends on MODULES && BROKEN
12549 ---help---
12550 This option helps catch unintended modifications to loadable
12551 kernel module's text and read-only data. It also prevents execution
12552 diff -urNp linux-2.6.39.1/arch/x86/kernel/acpi/sleep.c linux-2.6.39.1/arch/x86/kernel/acpi/sleep.c
12553 --- linux-2.6.39.1/arch/x86/kernel/acpi/sleep.c 2011-05-19 00:06:34.000000000 -0400
12554 +++ linux-2.6.39.1/arch/x86/kernel/acpi/sleep.c 2011-05-22 19:36:30.000000000 -0400
12555 @@ -88,8 +88,12 @@ int acpi_suspend_lowlevel(void)
12556 header->trampoline_segment = trampoline_address() >> 4;
12557 #ifdef CONFIG_SMP
12558 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12559 +
12560 + pax_open_kernel();
12561 early_gdt_descr.address =
12562 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12563 + pax_close_kernel();
12564 +
12565 initial_gs = per_cpu_offset(smp_processor_id());
12566 #endif
12567 initial_code = (unsigned long)wakeup_long64;
12568 diff -urNp linux-2.6.39.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.1/arch/x86/kernel/acpi/wakeup_32.S
12569 --- linux-2.6.39.1/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400
12570 +++ linux-2.6.39.1/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400
12571 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12572 # and restore the stack ... but you need gdt for this to work
12573 movl saved_context_esp, %esp
12574
12575 - movl %cs:saved_magic, %eax
12576 - cmpl $0x12345678, %eax
12577 + cmpl $0x12345678, saved_magic
12578 jne bogus_magic
12579
12580 # jump to place where we left off
12581 - movl saved_eip, %eax
12582 - jmp *%eax
12583 + jmp *(saved_eip)
12584
12585 bogus_magic:
12586 jmp bogus_magic
12587 diff -urNp linux-2.6.39.1/arch/x86/kernel/alternative.c linux-2.6.39.1/arch/x86/kernel/alternative.c
12588 --- linux-2.6.39.1/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400
12589 +++ linux-2.6.39.1/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400
12590 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
12591 if (!*poff || ptr < text || ptr >= text_end)
12592 continue;
12593 /* turn DS segment override prefix into lock prefix */
12594 - if (*ptr == 0x3e)
12595 + if (*ktla_ktva(ptr) == 0x3e)
12596 text_poke(ptr, ((unsigned char []){0xf0}), 1);
12597 };
12598 mutex_unlock(&text_mutex);
12599 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
12600 if (!*poff || ptr < text || ptr >= text_end)
12601 continue;
12602 /* turn lock prefix into DS segment override prefix */
12603 - if (*ptr == 0xf0)
12604 + if (*ktla_ktva(ptr) == 0xf0)
12605 text_poke(ptr, ((unsigned char []){0x3E}), 1);
12606 };
12607 mutex_unlock(&text_mutex);
12608 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
12609
12610 BUG_ON(p->len > MAX_PATCH_LEN);
12611 /* prep the buffer with the original instructions */
12612 - memcpy(insnbuf, p->instr, p->len);
12613 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12614 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12615 (unsigned long)p->instr, p->len);
12616
12617 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
12618 if (smp_alt_once)
12619 free_init_pages("SMP alternatives",
12620 (unsigned long)__smp_locks,
12621 - (unsigned long)__smp_locks_end);
12622 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12623
12624 restart_nmi();
12625 }
12626 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
12627 * instructions. And on the local CPU you need to be protected again NMI or MCE
12628 * handlers seeing an inconsistent instruction while you patch.
12629 */
12630 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
12631 +void *__kprobes text_poke_early(void *addr, const void *opcode,
12632 size_t len)
12633 {
12634 unsigned long flags;
12635 local_irq_save(flags);
12636 - memcpy(addr, opcode, len);
12637 +
12638 + pax_open_kernel();
12639 + memcpy(ktla_ktva(addr), opcode, len);
12640 sync_core();
12641 + pax_close_kernel();
12642 +
12643 local_irq_restore(flags);
12644 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12645 that causes hangs on some VIA CPUs. */
12646 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
12647 */
12648 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12649 {
12650 - unsigned long flags;
12651 - char *vaddr;
12652 + unsigned char *vaddr = ktla_ktva(addr);
12653 struct page *pages[2];
12654 - int i;
12655 + size_t i;
12656
12657 if (!core_kernel_text((unsigned long)addr)) {
12658 - pages[0] = vmalloc_to_page(addr);
12659 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12660 + pages[0] = vmalloc_to_page(vaddr);
12661 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12662 } else {
12663 - pages[0] = virt_to_page(addr);
12664 + pages[0] = virt_to_page(vaddr);
12665 WARN_ON(!PageReserved(pages[0]));
12666 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12667 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12668 }
12669 BUG_ON(!pages[0]);
12670 - local_irq_save(flags);
12671 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12672 - if (pages[1])
12673 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12674 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12675 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12676 - clear_fixmap(FIX_TEXT_POKE0);
12677 - if (pages[1])
12678 - clear_fixmap(FIX_TEXT_POKE1);
12679 - local_flush_tlb();
12680 - sync_core();
12681 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12682 - that causes hangs on some VIA CPUs. */
12683 + text_poke_early(addr, opcode, len);
12684 for (i = 0; i < len; i++)
12685 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12686 - local_irq_restore(flags);
12687 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12688 return addr;
12689 }
12690
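Review bot: `pages[1]` is still looked up in both branches of the new text_poke() but never read, and `pages[0]` survives only for `WARN_ON(!PageReserved(pages[0]))` and `BUG_ON(!pages[0])`; the two `vaddr + PAGE_SIZE` lookups can be dropped and the array reduced to `struct page *page;`. The write now goes through text_poke_early(), so interrupts are disabled only around the copy and the byte-compare loop runs with them enabled, which the old body did not do. The write also depends on pax_open_kernel() instead of a temporary fixmap alias, which looks like the reason DEBUG_RODATA is marked BROKEN in Kconfig.debug; the comment above the function should say so.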
12691 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
12692 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
12693
12694 #ifdef CONFIG_X86_64
12695 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12696 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12697 #else
12698 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12699 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12700 #endif
12701
12702 void __init arch_init_ideal_nop5(void)
12703 diff -urNp linux-2.6.39.1/arch/x86/kernel/amd_iommu.c linux-2.6.39.1/arch/x86/kernel/amd_iommu.c
12704 --- linux-2.6.39.1/arch/x86/kernel/amd_iommu.c 2011-05-19 00:06:34.000000000 -0400
12705 +++ linux-2.6.39.1/arch/x86/kernel/amd_iommu.c 2011-05-22 19:36:30.000000000 -0400
12706 @@ -48,7 +48,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc
12707 */
12708 static struct protection_domain *pt_domain;
12709
12710 -static struct iommu_ops amd_iommu_ops;
12711 +static const struct iommu_ops amd_iommu_ops;
12712
12713 /*
12714 * general struct to manage commands send to an IOMMU
12715 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
12716 }
12717 }
12718
12719 -static struct dma_map_ops amd_iommu_dma_ops = {
12720 +static const struct dma_map_ops amd_iommu_dma_ops = {
12721 .alloc_coherent = alloc_coherent,
12722 .free_coherent = free_coherent,
12723 .map_page = map_page,
12724 @@ -2582,7 +2582,7 @@ static int amd_iommu_domain_has_cap(stru
12725 return 0;
12726 }
12727
12728 -static struct iommu_ops amd_iommu_ops = {
12729 +static const struct iommu_ops amd_iommu_ops = {
12730 .domain_init = amd_iommu_domain_init,
12731 .domain_destroy = amd_iommu_domain_destroy,
12732 .attach_dev = amd_iommu_attach_device,
12733 diff -urNp linux-2.6.39.1/arch/x86/kernel/apic/apic.c linux-2.6.39.1/arch/x86/kernel/apic/apic.c
12734 --- linux-2.6.39.1/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400
12735 +++ linux-2.6.39.1/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400
12736 @@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs
12737 apic_write(APIC_ESR, 0);
12738 v1 = apic_read(APIC_ESR);
12739 ack_APIC_irq();
12740 - atomic_inc(&irq_err_count);
12741 + atomic_inc_unchecked(&irq_err_count);
12742
12743 /*
12744 * Here is what the APIC error bits mean:
12745 @@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo
12746 u16 *bios_cpu_apicid;
12747 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12748
12749 + pax_track_stack();
12750 +
12751 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12752 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12753
12754 diff -urNp linux-2.6.39.1/arch/x86/kernel/apic/io_apic.c linux-2.6.39.1/arch/x86/kernel/apic/io_apic.c
12755 --- linux-2.6.39.1/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400
12756 +++ linux-2.6.39.1/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400
12757 @@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12758 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12759 GFP_ATOMIC);
12760 if (!ioapic_entries)
12761 - return 0;
12762 + return NULL;
12763
12764 for (apic = 0; apic < nr_ioapics; apic++) {
12765 ioapic_entries[apic] =
12766 @@ -640,7 +640,7 @@ nomem:
12767 kfree(ioapic_entries[apic]);
12768 kfree(ioapic_entries);
12769
12770 - return 0;
12771 + return NULL;
12772 }
12773
12774 /*
12775 @@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
12776 }
12777 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
12778
12779 -void lock_vector_lock(void)
12780 +void lock_vector_lock(void) __acquires(vector_lock)
12781 {
12782 /* Used to the online set of cpus does not change
12783 * during assign_irq_vector.
12784 @@ -1048,7 +1048,7 @@ void lock_vector_lock(void)
12785 raw_spin_lock(&vector_lock);
12786 }
12787
12788 -void unlock_vector_lock(void)
12789 +void unlock_vector_lock(void) __releases(vector_lock)
12790 {
12791 raw_spin_unlock(&vector_lock);
12792 }
12793 @@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat
12794 ack_APIC_irq();
12795 }
12796
12797 -atomic_t irq_mis_count;
12798 +atomic_unchecked_t irq_mis_count;
12799
12800 /*
12801 * IO-APIC versions below 0x20 don't support EOI register.
12802 @@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da
12803 * at the cpu.
12804 */
12805 if (!(v & (1 << (i & 0x1f)))) {
12806 - atomic_inc(&irq_mis_count);
12807 + atomic_inc_unchecked(&irq_mis_count);
12808
12809 eoi_ioapic_irq(irq, cfg);
12810 }
12811 diff -urNp linux-2.6.39.1/arch/x86/kernel/apm_32.c linux-2.6.39.1/arch/x86/kernel/apm_32.c
12812 --- linux-2.6.39.1/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400
12813 +++ linux-2.6.39.1/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400
12814 @@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex);
12815 * This is for buggy BIOS's that refer to (real mode) segment 0x40
12816 * even though they are called in protected mode.
12817 */
12818 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
12819 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
12820 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
12821
12822 static const char driver_version[] = "1.16ac"; /* no spaces */
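Review bot: The flags value changes from `0x4092` to `0x4093` with no comment, and the only difference is the low type bit, the accessed flag of a data-segment descriptor. Presumably it is preset so the CPU has no reason to write the bit back when the selector is loaded from a GDT that is kept read-only outside pax_open_kernel(); that inference is not confirmed by anything in this hunk. If it is right, record it next to the initializer: `/* 0x4093: accessed bit preset so loading the selector never writes to the GDT */`.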
12823 @@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call)
12824 BUG_ON(cpu != 0);
12825 gdt = get_cpu_gdt_table(cpu);
12826 save_desc_40 = gdt[0x40 / 8];
12827 +
12828 + pax_open_kernel();
12829 gdt[0x40 / 8] = bad_bios_desc;
12830 + pax_close_kernel();
12831
12832 apm_irq_save(flags);
12833 APM_DO_SAVE_SEGS;
12834 @@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call)
12835 &call->esi);
12836 APM_DO_RESTORE_SEGS;
12837 apm_irq_restore(flags);
12838 +
12839 + pax_open_kernel();
12840 gdt[0x40 / 8] = save_desc_40;
12841 + pax_close_kernel();
12842 +
12843 put_cpu();
12844
12845 return call->eax & 0xff;
12846 @@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void
12847 BUG_ON(cpu != 0);
12848 gdt = get_cpu_gdt_table(cpu);
12849 save_desc_40 = gdt[0x40 / 8];
12850 +
12851 + pax_open_kernel();
12852 gdt[0x40 / 8] = bad_bios_desc;
12853 + pax_close_kernel();
12854
12855 apm_irq_save(flags);
12856 APM_DO_SAVE_SEGS;
12857 @@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void
12858 &call->eax);
12859 APM_DO_RESTORE_SEGS;
12860 apm_irq_restore(flags);
12861 +
12862 + pax_open_kernel();
12863 gdt[0x40 / 8] = save_desc_40;
12864 + pax_close_kernel();
12865 +
12866 put_cpu();
12867 return error;
12868 }
12869 @@ -2351,12 +2365,15 @@ static int __init apm_init(void)
12870 * code to that CPU.
12871 */
12872 gdt = get_cpu_gdt_table(0);
12873 +
12874 + pax_open_kernel();
12875 set_desc_base(&gdt[APM_CS >> 3],
12876 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
12877 set_desc_base(&gdt[APM_CS_16 >> 3],
12878 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
12879 set_desc_base(&gdt[APM_DS >> 3],
12880 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
12881 + pax_close_kernel();
12882
12883 proc_create("apm", 0, NULL, &apm_file_ops);
12884
12885 diff -urNp linux-2.6.39.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.1/arch/x86/kernel/asm-offsets_64.c
12886 --- linux-2.6.39.1/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400
12887 +++ linux-2.6.39.1/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400
12888 @@ -69,6 +69,7 @@ int main(void)
12889 BLANK();
12890 #undef ENTRY
12891
12892 + DEFINE(TSS_size, sizeof(struct tss_struct));
12893 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
12894 BLANK();
12895
12896 diff -urNp linux-2.6.39.1/arch/x86/kernel/asm-offsets.c linux-2.6.39.1/arch/x86/kernel/asm-offsets.c
12897 --- linux-2.6.39.1/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400
12898 +++ linux-2.6.39.1/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400
12899 @@ -33,6 +33,8 @@ void common(void) {
12900 OFFSET(TI_status, thread_info, status);
12901 OFFSET(TI_addr_limit, thread_info, addr_limit);
12902 OFFSET(TI_preempt_count, thread_info, preempt_count);
12903 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
12904 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12905
12906 BLANK();
12907 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
12908 @@ -53,8 +55,26 @@ void common(void) {
12909 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12910 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12911 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12912 +
12913 +#ifdef CONFIG_PAX_KERNEXEC
12914 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12915 +#endif
12916 +
12917 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12918 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12919 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12920 +#ifdef CONFIG_X86_64
12921 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
12922 +#endif
12923 #endif
12924
12925 +#endif
12926 +
12927 + BLANK();
12928 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12929 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
12930 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12931 +
12932 #ifdef CONFIG_XEN
12933 BLANK();
12934 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
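Review bot: The untagged `#endif` lines here are easy to misread: the context `#endif` that used to close the enclosing conditional now closes `CONFIG_PAX_MEMORY_UDEREF`, and the added `#endif` two lines below it closes the outer block, whose `#ifdef` is above the hunk (presumably CONFIG_PARAVIRT). Tagging them removes the ambiguity: `#endif /* CONFIG_X86_64 */`, `#endif /* CONFIG_PAX_MEMORY_UDEREF */`, `#endif /* CONFIG_PARAVIRT */`. common() begins and ends outside the hunk, so the outer condition should be checked against the full file before the last tag is written.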
12935 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/amd.c linux-2.6.39.1/arch/x86/kernel/cpu/amd.c
12936 --- linux-2.6.39.1/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400
12937 +++ linux-2.6.39.1/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400
12938 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
12939 unsigned int size)
12940 {
12941 /* AMD errata T13 (order #21922) */
12942 - if ((c->x86 == 6)) {
12943 + if (c->x86 == 6) {
12944 /* Duron Rev A0 */
12945 if (c->x86_model == 3 && c->x86_mask == 0)
12946 size = 64;
12947 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/common.c linux-2.6.39.1/arch/x86/kernel/cpu/common.c
12948 --- linux-2.6.39.1/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400
12949 +++ linux-2.6.39.1/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400
12950 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12951
12952 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12953
12954 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12955 -#ifdef CONFIG_X86_64
12956 - /*
12957 - * We need valid kernel segments for data and code in long mode too
12958 - * IRET will check the segment types kkeil 2000/10/28
12959 - * Also sysret mandates a special GDT layout
12960 - *
12961 - * TLS descriptors are currently at a different place compared to i386.
12962 - * Hopefully nobody expects them at a fixed place (Wine?)
12963 - */
12964 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12965 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12966 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12967 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12968 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12969 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12970 -#else
12971 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12972 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12973 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12974 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12975 - /*
12976 - * Segments used for calling PnP BIOS have byte granularity.
12977 - * They code segments and data segments have fixed 64k limits,
12978 - * the transfer segment sizes are set at run time.
12979 - */
12980 - /* 32-bit code */
12981 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12982 - /* 16-bit code */
12983 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12984 - /* 16-bit data */
12985 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12986 - /* 16-bit data */
12987 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12988 - /* 16-bit data */
12989 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12990 - /*
12991 - * The APM segments have byte granularity and their bases
12992 - * are set at run time. All have 64k limits.
12993 - */
12994 - /* 32-bit code */
12995 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12996 - /* 16-bit code */
12997 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12998 - /* data */
12999 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13000 -
13001 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13002 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13003 - GDT_STACK_CANARY_INIT
13004 -#endif
13005 -} };
13006 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13007 -
13008 static int __init x86_xsave_setup(char *s)
13009 {
13010 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
13011 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
13012 {
13013 struct desc_ptr gdt_descr;
13014
13015 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13016 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13017 gdt_descr.size = GDT_SIZE - 1;
13018 load_gdt(&gdt_descr);
13019 /* Reload the per-cpu base */
13020 @@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc
13021 /* Filter out anything that depends on CPUID levels we don't have */
13022 filter_cpuid_features(c, true);
13023
13024 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13025 + setup_clear_cpu_cap(X86_FEATURE_SEP);
13026 +#endif
13027 +
13028 /* If the model name is still unset, do table lookup. */
13029 if (!c->x86_model_id[0]) {
13030 const char *p;
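Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` hides SYSENTER from the rest of the kernel without a comment, and the guard is asymmetric: `CONFIG_PAX_MEMORY_UDEREF` is limited to `CONFIG_X86_32`, but `CONFIG_PAX_KERNEXEC` is not, so a 64-bit KERNEXEC build loses the feature bit as well. If that is intended, state the reason at the call, e.g. `/* SYSENTER cannot be used with <constraint>; keep it masked */`. If it is meant for 32-bit only, the KERNEXEC term needs the same `&& defined(CONFIG_X86_32)`. identify_cpu() begins and ends outside the hunk.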
13031 @@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha
13032 }
13033 __setup("clearcpuid=", setup_disablecpuid);
13034
13035 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13036 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
13037 +
13038 #ifdef CONFIG_X86_64
13039 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13040
13041 @@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13042 EXPORT_PER_CPU_SYMBOL(current_task);
13043
13044 DEFINE_PER_CPU(unsigned long, kernel_stack) =
13045 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13046 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13047 EXPORT_PER_CPU_SYMBOL(kernel_stack);
13048
13049 DEFINE_PER_CPU(char *, irq_stack_ptr) =
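Review bot: `- 16 + THREAD_SIZE` replaces the named `KERNEL_STACK_OFFSET` with a bare literal, so this initializer can drift from whatever the entry code and the stack accessors assume about the gap at the top of the stack. If the offset really is 16 in this tree, change the macro once and keep using it here: `(unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;`. The macro's definition is outside this view, so whether the patch alters or removes it elsewhere cannot be confirmed from here.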
13050 @@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str
13051 {
13052 memset(regs, 0, sizeof(struct pt_regs));
13053 regs->fs = __KERNEL_PERCPU;
13054 - regs->gs = __KERNEL_STACK_CANARY;
13055 + savesegment(gs, regs->gs);
13056
13057 return regs;
13058 }
13059 @@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void)
13060 int i;
13061
13062 cpu = stack_smp_processor_id();
13063 - t = &per_cpu(init_tss, cpu);
13064 + t = init_tss + cpu;
13065 oist = &per_cpu(orig_ist, cpu);
13066
13067 #ifdef CONFIG_NUMA
13068 @@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void)
13069 switch_to_new_gdt(cpu);
13070 loadsegment(fs, 0);
13071
13072 - load_idt((const struct desc_ptr *)&idt_descr);
13073 + load_idt(&idt_descr);
13074
13075 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13076 syscall_init();
13077 @@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void)
13078 wrmsrl(MSR_KERNEL_GS_BASE, 0);
13079 barrier();
13080
13081 - x86_configure_nx();
13082 if (cpu != 0)
13083 enable_x2apic();
13084
13085 @@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void)
13086 {
13087 int cpu = smp_processor_id();
13088 struct task_struct *curr = current;
13089 - struct tss_struct *t = &per_cpu(init_tss, cpu);
13090 + struct tss_struct *t = init_tss + cpu;
13091 struct thread_struct *thread = &curr->thread;
13092
13093 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13094 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/intel.c linux-2.6.39.1/arch/x86/kernel/cpu/intel.c
13095 --- linux-2.6.39.1/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400
13096 +++ linux-2.6.39.1/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400
13097 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
13098 * Update the IDT descriptor and reload the IDT so that
13099 * it uses the read-only mapped virtual address.
13100 */
13101 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13102 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13103 load_idt(&idt_descr);
13104 }
13105 #endif
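Review bot: The casts applied to `desc_ptr.address` do not agree across this patch. Here the field is assigned a `struct desc_struct *`, and doublefault_fn() casts it to `unsigned long` when reading it, both of which imply a pointer-typed field. switch_to_new_gdt() in cpu/common.c and acpi_suspend_lowlevel() instead assign it `(unsigned long)get_cpu_gdt_table(...)`. The definition of struct desc_ptr is outside this view, but whichever type it has, one of the two styles is an integer/pointer conversion that the compiler only warns about. If the field is a pointer now, the common.c line should read `gdt_descr.address = get_cpu_gdt_table(cpu);`.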
13106 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/Makefile linux-2.6.39.1/arch/x86/kernel/cpu/Makefile
13107 --- linux-2.6.39.1/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400
13108 +++ linux-2.6.39.1/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400
13109 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
13110 CFLAGS_REMOVE_perf_event.o = -pg
13111 endif
13112
13113 -# Make sure load_percpu_segment has no stackprotector
13114 -nostackp := $(call cc-option, -fno-stack-protector)
13115 -CFLAGS_common.o := $(nostackp)
13116 -
13117 obj-y := intel_cacheinfo.o scattered.o topology.o
13118 obj-y += proc.o capflags.o powerflags.o common.o
13119 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
13120 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.1/arch/x86/kernel/cpu/mcheck/mce.c
13121 --- linux-2.6.39.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400
13122 +++ linux-2.6.39.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400
13123 @@ -46,6 +46,7 @@
13124 #include <asm/ipi.h>
13125 #include <asm/mce.h>
13126 #include <asm/msr.h>
13127 +#include <asm/local.h>
13128
13129 #include "mce-internal.h"
13130
13131 @@ -220,7 +221,7 @@ static void print_mce(struct mce *m)
13132 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13133 m->cs, m->ip);
13134
13135 - if (m->cs == __KERNEL_CS)
13136 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13137 print_symbol("{%s}", m->ip);
13138 pr_cont("\n");
13139 }
13140 @@ -244,10 +245,10 @@ static void print_mce(struct mce *m)
13141
13142 #define PANIC_TIMEOUT 5 /* 5 seconds */
13143
13144 -static atomic_t mce_paniced;
13145 +static atomic_unchecked_t mce_paniced;
13146
13147 static int fake_panic;
13148 -static atomic_t mce_fake_paniced;
13149 +static atomic_unchecked_t mce_fake_paniced;
13150
13151 /* Panic in progress. Enable interrupts and wait for final IPI */
13152 static void wait_for_panic(void)
13153 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
13154 /*
13155 * Make sure only one CPU runs in machine check panic
13156 */
13157 - if (atomic_inc_return(&mce_paniced) > 1)
13158 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13159 wait_for_panic();
13160 barrier();
13161
13162 @@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct
13163 console_verbose();
13164 } else {
13165 /* Don't log too much for fake panic */
13166 - if (atomic_inc_return(&mce_fake_paniced) > 1)
13167 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13168 return;
13169 }
13170 /* First print corrected ones that are still unlogged */
13171 @@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t)
13172 * might have been modified by someone else.
13173 */
13174 rmb();
13175 - if (atomic_read(&mce_paniced))
13176 + if (atomic_read_unchecked(&mce_paniced))
13177 wait_for_panic();
13178 if (!monarch_timeout)
13179 goto out;
13180 @@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp
13181 */
13182
13183 static DEFINE_SPINLOCK(mce_state_lock);
13184 -static int open_count; /* #times opened */
13185 +static local_t open_count; /* #times opened */
13186 static int open_exclu; /* already open exclusive? */
13187
13188 static int mce_open(struct inode *inode, struct file *file)
13189 {
13190 spin_lock(&mce_state_lock);
13191
13192 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13193 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13194 spin_unlock(&mce_state_lock);
13195
13196 return -EBUSY;
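Review bot: `open_count` becomes a `local_t`, but every access to it (`local_read` and `local_inc` in mce_open(), `local_dec` in the mce_release() hunk below) happens with `mce_state_lock` held, so the new type adds no atomicity that the lock did not already provide. If the intent is something else, such as keeping the counter's arithmetic in a checked or defined-overflow type, the declaration should say so: `static local_t open_count; /* #times opened; local_t because <reason> */`. Without that, a later cleanup is likely to turn it back into a plain int.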
13197 @@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode,
13198
13199 if (file->f_flags & O_EXCL)
13200 open_exclu = 1;
13201 - open_count++;
13202 + local_inc(&open_count);
13203
13204 spin_unlock(&mce_state_lock);
13205
13206 @@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino
13207 {
13208 spin_lock(&mce_state_lock);
13209
13210 - open_count--;
13211 + local_dec(&open_count);
13212 open_exclu = 0;
13213
13214 spin_unlock(&mce_state_lock);
13215 @@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void)
13216 static void mce_reset(void)
13217 {
13218 cpu_missing = 0;
13219 - atomic_set(&mce_fake_paniced, 0);
13220 + atomic_set_unchecked(&mce_fake_paniced, 0);
13221 atomic_set(&mce_executing, 0);
13222 atomic_set(&mce_callin, 0);
13223 atomic_set(&global_nwo, 0);
13224 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/main.c
13225 --- linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400
13226 +++ linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400
13227 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
13228 u64 size_or_mask, size_and_mask;
13229 static bool mtrr_aps_delayed_init;
13230
13231 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13232 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13233
13234 const struct mtrr_ops *mtrr_if;
13235
13236 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/mtrr.h
13237 --- linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400
13238 +++ linux-2.6.39.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400
13239 @@ -12,19 +12,19 @@
13240 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
13241
13242 struct mtrr_ops {
13243 - u32 vendor;
13244 - u32 use_intel_if;
13245 - void (*set)(unsigned int reg, unsigned long base,
13246 + const u32 vendor;
13247 + const u32 use_intel_if;
13248 + void (* const set)(unsigned int reg, unsigned long base,
13249 unsigned long size, mtrr_type type);
13250 - void (*set_all)(void);
13251 + void (* const set_all)(void);
13252
13253 - void (*get)(unsigned int reg, unsigned long *base,
13254 + void (* const get)(unsigned int reg, unsigned long *base,
13255 unsigned long *size, mtrr_type *type);
13256 - int (*get_free_region)(unsigned long base, unsigned long size,
13257 + int (* const get_free_region)(unsigned long base, unsigned long size,
13258 int replace_reg);
13259 - int (*validate_add_page)(unsigned long base, unsigned long size,
13260 + int (* const validate_add_page)(unsigned long base, unsigned long size,
13261 unsigned int type);
13262 - int (*have_wrcomb)(void);
13263 + int (* const have_wrcomb)(void);
13264 };
13265
13266 extern int generic_get_free_region(unsigned long base, unsigned long size,
13267 diff -urNp linux-2.6.39.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.1/arch/x86/kernel/cpu/perf_event.c
13268 --- linux-2.6.39.1/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400
13269 +++ linux-2.6.39.1/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400
13270 @@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp
13271 int i, j, w, wmax, num = 0;
13272 struct hw_perf_event *hwc;
13273
13274 + pax_track_stack();
13275 +
13276 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
13277
13278 for (i = 0; i < n; i++) {
13279 @@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai
13280 break;
13281
13282 perf_callchain_store(entry, frame.return_address);
13283 - fp = frame.next_frame;
13284 + fp = (__force const void __user *)frame.next_frame;
13285 }
13286 }
13287
13288 diff -urNp linux-2.6.39.1/arch/x86/kernel/crash.c linux-2.6.39.1/arch/x86/kernel/crash.c
13289 --- linux-2.6.39.1/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400
13290 +++ linux-2.6.39.1/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400
13291 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
13292 regs = args->regs;
13293
13294 #ifdef CONFIG_X86_32
13295 - if (!user_mode_vm(regs)) {
13296 + if (!user_mode(regs)) {
13297 crash_fixup_ss_esp(&fixed_regs, regs);
13298 regs = &fixed_regs;
13299 }
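Review bot: `!user_mode(regs)` replaces `!user_mode_vm(regs)` inside `#ifdef CONFIG_X86_32`, and the upstream user_mode() tests only the privilege bits of CS and ignores the VM flag, so with that definition a vm86 context would be classified as kernel mode and handed to crash_fixup_ss_esp(). The change is correct only if this patch redefines user_mode() to include the vm86 test, which is not visible here; show_registers() in dumpstack_32.c makes the same substitution. A short comment here, e.g. `/* user_mode() also covers vm86 in this tree */`, would stop a later reader from reverting it or from copying the pattern into a tree where it is wrong.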
13300 diff -urNp linux-2.6.39.1/arch/x86/kernel/doublefault_32.c linux-2.6.39.1/arch/x86/kernel/doublefault_32.c
13301 --- linux-2.6.39.1/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400
13302 +++ linux-2.6.39.1/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400
13303 @@ -11,7 +11,7 @@
13304
13305 #define DOUBLEFAULT_STACKSIZE (1024)
13306 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13307 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13308 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13309
13310 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13311
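Review bot: `doublefault_stack+DOUBLEFAULT_STACKSIZE-2` is arithmetic on an `unsigned long` array, so the `-2` lowers the initial stack pointer by two longs rather than two bytes, and nothing says why two slots are kept free. Document it at the macro, e.g. `/* leave two unsigned longs unused at the top of the stack: <reason> */`. While the line is being touched, wrapping the body as `((unsigned long)(doublefault_stack + DOUBLEFAULT_STACKSIZE - 2))` makes the macro safe inside larger expressions.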
13312 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13313 unsigned long gdt, tss;
13314
13315 store_gdt(&gdt_desc);
13316 - gdt = gdt_desc.address;
13317 + gdt = (unsigned long)gdt_desc.address;
13318
13319 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13320
13321 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13322 /* 0x2 bit is always set */
13323 .flags = X86_EFLAGS_SF | 0x2,
13324 .sp = STACK_START,
13325 - .es = __USER_DS,
13326 + .es = __KERNEL_DS,
13327 .cs = __KERNEL_CS,
13328 .ss = __KERNEL_DS,
13329 - .ds = __USER_DS,
13330 + .ds = __KERNEL_DS,
13331 .fs = __KERNEL_PERCPU,
13332
13333 .__cr3 = __pa_nodebug(swapper_pg_dir),
13334 diff -urNp linux-2.6.39.1/arch/x86/kernel/dumpstack_32.c linux-2.6.39.1/arch/x86/kernel/dumpstack_32.c
13335 --- linux-2.6.39.1/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400
13336 +++ linux-2.6.39.1/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400
13337 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
13338 bp = stack_frame(task, regs);
13339
13340 for (;;) {
13341 - struct thread_info *context;
13342 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13343
13344 - context = (struct thread_info *)
13345 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13346 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
13347 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13348
13349 - stack = (unsigned long *)context->previous_esp;
13350 - if (!stack)
13351 + if (stack_start == task_stack_page(task))
13352 break;
13353 + stack = *(unsigned long **)stack_start;
13354 if (ops->stack(data, "IRQ") < 0)
13355 break;
13356 touch_nmi_watchdog();
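Review bot: `stack = *(unsigned long **)stack_start;` takes the link to the previous stack from the first word of the stack page, an undocumented layout assumption now that `context->previous_esp` is gone. Add a comment such as `/* first word of a non-task stack page holds the interrupted stack pointer */`, checked against the code that stores that word, which is outside this hunk. The old `if (!stack) break;` guard is also lost: the loop now ends only when the walk reaches task_stack_page(task) or ops->stack() fails, so a zero or stale link word is used as the next stack and read through on the following pass. Keeping `if (!stack) break;` after the load costs nothing. dump_trace() begins and ends outside the hunk.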
13357 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
13358 * When in-kernel, we also print out the stack and code at the
13359 * time of the fault..
13360 */
13361 - if (!user_mode_vm(regs)) {
13362 + if (!user_mode(regs)) {
13363 unsigned int code_prologue = code_bytes * 43 / 64;
13364 unsigned int code_len = code_bytes;
13365 unsigned char c;
13366 u8 *ip;
13367 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13368
13369 printk(KERN_EMERG "Stack:\n");
13370 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
13371
13372 printk(KERN_EMERG "Code: ");
13373
13374 - ip = (u8 *)regs->ip - code_prologue;
13375 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13376 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13377 /* try starting at IP */
13378 - ip = (u8 *)regs->ip;
13379 + ip = (u8 *)regs->ip + cs_base;
13380 code_len = code_len - code_prologue + 1;
13381 }
13382 for (i = 0; i < code_len; i++, ip++) {
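Review bot: The GDT index used for `cs_base` comes straight from the saved register, `(0xffff & regs->cs) >> 3`, with no check against the table size and no look at the selector's table-indicator bit. This code runs in the crash path, where the saved registers may themselves be damaged, so an out-of-range selector would read a descriptor past the end of the per-CPU GDT and feed an arbitrary base into the `ip` computation. Bounding the index first, e.g. `if (((regs->cs & 0xffff) >> 3) < GDT_ENTRIES)` and otherwise using a base of 0, keeps the register dump from making the situation worse. show_registers continues outside the hunk.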
13383 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
13384 printk(" Bad EIP value.");
13385 break;
13386 }
13387 - if (ip == (u8 *)regs->ip)
13388 + if (ip == (u8 *)regs->ip + cs_base)
13389 printk("<%02x> ", c);
13390 else
13391 printk("%02x ", c);
13392 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
13393 {
13394 unsigned short ud2;
13395
13396 + ip = ktla_ktva(ip);
13397 if (ip < PAGE_OFFSET)
13398 return 0;
13399 if (probe_kernel_address((unsigned short *)ip, ud2))
13400 diff -urNp linux-2.6.39.1/arch/x86/kernel/dumpstack_64.c linux-2.6.39.1/arch/x86/kernel/dumpstack_64.c
13401 --- linux-2.6.39.1/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400
13402 +++ linux-2.6.39.1/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400
13403 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
13404 unsigned long *irq_stack_end =
13405 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13406 unsigned used = 0;
13407 - struct thread_info *tinfo;
13408 int graph = 0;
13409 unsigned long dummy;
13410 + void *stack_start;
13411
13412 if (!task)
13413 task = current;
13414 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
13415 * current stack address. If the stacks consist of nested
13416 * exceptions
13417 */
13418 - tinfo = task_thread_info(task);
13419 for (;;) {
13420 char *id;
13421 unsigned long *estack_end;
13422 +
13423 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13424 &used, &id);
13425
13426 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
13427 if (ops->stack(data, id) < 0)
13428 break;
13429
13430 - bp = ops->walk_stack(tinfo, stack, bp, ops,
13431 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13432 data, estack_end, &graph);
13433 ops->stack(data, "<EOE>");
13434 /*
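Review bot: `estack_end - EXCEPTION_STKSZ` is arithmetic on an `unsigned long *` (declared in the previous hunk), so the subtraction is scaled by `sizeof(unsigned long)` and, assuming EXCEPTION_STKSZ is a byte count, the value passed as `stack_start` is not the base of the exception stack. It looks harmless today because `valid_stack_ptr` in dumpstack.c takes its `end`-based branch when `end` is non-NULL, but the argument is wrong for any later user of `stack_start`. Writing it as `(void *)estack_end - EXCEPTION_STKSZ` matches the `void *` arithmetic already used in `valid_stack_ptr`. The enclosing loop in dump_trace starts and ends outside this hunk.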
13435 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
13436 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
13437 if (ops->stack(data, "IRQ") < 0)
13438 break;
13439 - bp = ops->walk_stack(tinfo, stack, bp,
13440 + bp = ops->walk_stack(task, irq_stack, stack, bp,
13441 ops, data, irq_stack_end, &graph);
13442 /*
13443 * We link to the next stack (which would be
13444 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
13445 /*
13446 * This handles the process stack:
13447 */
13448 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13449 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13450 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13451 put_cpu();
13452 }
13453 EXPORT_SYMBOL(dump_trace);
13454 diff -urNp linux-2.6.39.1/arch/x86/kernel/dumpstack.c linux-2.6.39.1/arch/x86/kernel/dumpstack.c
13455 --- linux-2.6.39.1/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400
13456 +++ linux-2.6.39.1/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400
13457 @@ -2,6 +2,9 @@
13458 * Copyright (C) 1991, 1992 Linus Torvalds
13459 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13460 */
13461 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13462 +#define __INCLUDED_BY_HIDESYM 1
13463 +#endif
13464 #include <linux/kallsyms.h>
13465 #include <linux/kprobes.h>
13466 #include <linux/uaccess.h>
13467 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
13468 static void
13469 print_ftrace_graph_addr(unsigned long addr, void *data,
13470 const struct stacktrace_ops *ops,
13471 - struct thread_info *tinfo, int *graph)
13472 + struct task_struct *task, int *graph)
13473 {
13474 - struct task_struct *task = tinfo->task;
13475 unsigned long ret_addr;
13476 int index = task->curr_ret_stack;
13477
13478 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
13479 static inline void
13480 print_ftrace_graph_addr(unsigned long addr, void *data,
13481 const struct stacktrace_ops *ops,
13482 - struct thread_info *tinfo, int *graph)
13483 + struct task_struct *task, int *graph)
13484 { }
13485 #endif
13486
13487 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
13488 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13489 */
13490
13491 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13492 - void *p, unsigned int size, void *end)
13493 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13494 {
13495 - void *t = tinfo;
13496 if (end) {
13497 if (p < end && p >= (end-THREAD_SIZE))
13498 return 1;
13499 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
13500 }
13501
13502 unsigned long
13503 -print_context_stack(struct thread_info *tinfo,
13504 +print_context_stack(struct task_struct *task, void *stack_start,
13505 unsigned long *stack, unsigned long bp,
13506 const struct stacktrace_ops *ops, void *data,
13507 unsigned long *end, int *graph)
13508 {
13509 struct stack_frame *frame = (struct stack_frame *)bp;
13510
13511 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13512 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13513 unsigned long addr;
13514
13515 addr = *stack;
13516 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
13517 } else {
13518 ops->address(data, addr, 0);
13519 }
13520 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13521 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13522 }
13523 stack++;
13524 }
13525 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
13526 EXPORT_SYMBOL_GPL(print_context_stack);
13527
13528 unsigned long
13529 -print_context_stack_bp(struct thread_info *tinfo,
13530 +print_context_stack_bp(struct task_struct *task, void *stack_start,
13531 unsigned long *stack, unsigned long bp,
13532 const struct stacktrace_ops *ops, void *data,
13533 unsigned long *end, int *graph)
13534 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
13535 struct stack_frame *frame = (struct stack_frame *)bp;
13536 unsigned long *ret_addr = &frame->return_address;
13537
13538 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
13539 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
13540 unsigned long addr = *ret_addr;
13541
13542 if (!__kernel_text_address(addr))
13543 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
13544 ops->address(data, addr, 1);
13545 frame = frame->next_frame;
13546 ret_addr = &frame->return_address;
13547 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13548 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13549 }
13550
13551 return (unsigned long)frame;
13552 @@ -202,7 +202,7 @@ void dump_stack(void)
13553
13554 bp = stack_frame(current, NULL);
13555 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13556 - current->pid, current->comm, print_tainted(),
13557 + task_pid_nr(current), current->comm, print_tainted(),
13558 init_utsname()->release,
13559 (int)strcspn(init_utsname()->version, " "),
13560 init_utsname()->version);
13561 @@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void)
13562 }
13563 EXPORT_SYMBOL_GPL(oops_begin);
13564
13565 +extern void gr_handle_kernel_exploit(void);
13566 +
13567 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13568 {
13569 if (regs && kexec_should_crash(current))
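Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in the .c file instead of coming from a header. A prototype kept beside the call site is never checked against the definition, so a later signature change would compile silently. Declare it once in a header that both the defining file and dumpstack.c include. oops_end's body continues in the next hunk.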
13570 @@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl
13571 panic("Fatal exception in interrupt");
13572 if (panic_on_oops)
13573 panic("Fatal exception");
13574 - do_exit(signr);
13575 +
13576 + gr_handle_kernel_exploit();
13577 +
13578 + do_group_exit(signr);
13579 }
13580
13581 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
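Review bot: Nothing at the call site explains why an oops now ends in `do_group_exit(signr)`, which takes down the whole thread group rather than only the faulting thread as `do_exit(signr)` did. A one-line comment above the call, e.g. `/* terminate the whole thread group, not only the oopsing thread */`, would make the new exit path reviewable. The same goes for `gr_handle_kernel_exploit()`: its definition is not in this file, so a short comment stating what it is expected to do, and that it is reached only when neither panic branch fires, is needed here. oops_end starts outside the hunk.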
13582 @@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str
13583
13584 show_registers(regs);
13585 #ifdef CONFIG_X86_32
13586 - if (user_mode_vm(regs)) {
13587 + if (user_mode(regs)) {
13588 sp = regs->sp;
13589 ss = regs->ss & 0xffff;
13590 } else {
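Review bot: `user_mode()` replaces `user_mode_vm()` here, in die() in the next hunk, and in show_registers() in dumpstack_32.c, which is only equivalent if this patch also changes `user_mode()` to account for vm86 mode on 32-bit; that definition is not visible from these hunks. In the unpatched tree `user_mode()` looks only at the CS privilege bits, so a vm86 frame would be treated as kernel mode and `sp`/`ss` would be taken from the wrong place. A comment at one call site, e.g. `/* user_mode() covers vm86 in this tree */`, or a pointer to the redefinition in the patch description, would settle it. __die's body starts and ends outside the hunk.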
13591 @@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs
13592 unsigned long flags = oops_begin();
13593 int sig = SIGSEGV;
13594
13595 - if (!user_mode_vm(regs))
13596 + if (!user_mode(regs))
13597 report_bug(regs->ip, regs);
13598
13599 if (__die(str, regs, err))
13600 diff -urNp linux-2.6.39.1/arch/x86/kernel/early_printk.c linux-2.6.39.1/arch/x86/kernel/early_printk.c
13601 --- linux-2.6.39.1/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400
13602 +++ linux-2.6.39.1/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400
13603 @@ -7,6 +7,7 @@
13604 #include <linux/pci_regs.h>
13605 #include <linux/pci_ids.h>
13606 #include <linux/errno.h>
13607 +#include <linux/sched.h>
13608 #include <asm/io.h>
13609 #include <asm/processor.h>
13610 #include <asm/fcntl.h>
13611 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
13612 int n;
13613 va_list ap;
13614
13615 + pax_track_stack();
13616 +
13617 va_start(ap, fmt);
13618 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13619 early_console->write(early_console, buf, n);
13620 diff -urNp linux-2.6.39.1/arch/x86/kernel/entry_32.S linux-2.6.39.1/arch/x86/kernel/entry_32.S
13621 --- linux-2.6.39.1/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400
13622 +++ linux-2.6.39.1/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400
13623 @@ -185,13 +185,146 @@
13624 /*CFI_REL_OFFSET gs, PT_GS*/
13625 .endm
13626 .macro SET_KERNEL_GS reg
13627 +
13628 +#ifdef CONFIG_CC_STACKPROTECTOR
13629 movl $(__KERNEL_STACK_CANARY), \reg
13630 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13631 + movl $(__USER_DS), \reg
13632 +#else
13633 + xorl \reg, \reg
13634 +#endif
13635 +
13636 movl \reg, %gs
13637 .endm
13638
13639 #endif /* CONFIG_X86_32_LAZY_GS */
13640
13641 -.macro SAVE_ALL
13642 +.macro pax_enter_kernel
13643 +#ifdef CONFIG_PAX_KERNEXEC
13644 + call pax_enter_kernel
13645 +#endif
13646 +.endm
13647 +
13648 +.macro pax_exit_kernel
13649 +#ifdef CONFIG_PAX_KERNEXEC
13650 + call pax_exit_kernel
13651 +#endif
13652 +.endm
13653 +
13654 +#ifdef CONFIG_PAX_KERNEXEC
13655 +ENTRY(pax_enter_kernel)
13656 +#ifdef CONFIG_PARAVIRT
13657 + pushl %eax
13658 + pushl %ecx
13659 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13660 + mov %eax, %esi
13661 +#else
13662 + mov %cr0, %esi
13663 +#endif
13664 + bts $16, %esi
13665 + jnc 1f
13666 + mov %cs, %esi
13667 + cmp $__KERNEL_CS, %esi
13668 + jz 3f
13669 + ljmp $__KERNEL_CS, $3f
13670 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13671 +2:
13672 +#ifdef CONFIG_PARAVIRT
13673 + mov %esi, %eax
13674 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13675 +#else
13676 + mov %esi, %cr0
13677 +#endif
13678 +3:
13679 +#ifdef CONFIG_PARAVIRT
13680 + popl %ecx
13681 + popl %eax
13682 +#endif
13683 + ret
13684 +ENDPROC(pax_enter_kernel)
13685 +
13686 +ENTRY(pax_exit_kernel)
13687 +#ifdef CONFIG_PARAVIRT
13688 + pushl %eax
13689 + pushl %ecx
13690 +#endif
13691 + mov %cs, %esi
13692 + cmp $__KERNEXEC_KERNEL_CS, %esi
13693 + jnz 2f
13694 +#ifdef CONFIG_PARAVIRT
13695 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13696 + mov %eax, %esi
13697 +#else
13698 + mov %cr0, %esi
13699 +#endif
13700 + btr $16, %esi
13701 + ljmp $__KERNEL_CS, $1f
13702 +1:
13703 +#ifdef CONFIG_PARAVIRT
13704 + mov %esi, %eax
13705 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13706 +#else
13707 + mov %esi, %cr0
13708 +#endif
13709 +2:
13710 +#ifdef CONFIG_PARAVIRT
13711 + popl %ecx
13712 + popl %eax
13713 +#endif
13714 + ret
13715 +ENDPROC(pax_exit_kernel)
13716 +#endif
13717 +
13718 +.macro pax_erase_kstack
13719 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13720 + call pax_erase_kstack
13721 +#endif
13722 +.endm
13723 +
13724 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13725 +/*
13726 + * ebp: thread_info
13727 + * ecx, edx: can be clobbered
13728 + */
13729 +ENTRY(pax_erase_kstack)
13730 + pushl %edi
13731 + pushl %eax
13732 +
13733 + mov TI_lowest_stack(%ebp), %edi
13734 + mov $-0xBEEF, %eax
13735 + std
13736 +
13737 +1: mov %edi, %ecx
13738 + and $THREAD_SIZE_asm - 1, %ecx
13739 + shr $2, %ecx
13740 + repne scasl
13741 + jecxz 2f
13742 +
13743 + cmp $2*16, %ecx
13744 + jc 2f
13745 +
13746 + mov $2*16, %ecx
13747 + repe scasl
13748 + jecxz 2f
13749 + jne 1b
13750 +
13751 +2: cld
13752 + mov %esp, %ecx
13753 + sub %edi, %ecx
13754 + shr $2, %ecx
13755 + rep stosl
13756 +
13757 + mov TI_task_thread_sp0(%ebp), %edi
13758 + sub $128, %edi
13759 + mov %edi, TI_lowest_stack(%ebp)
13760 +
13761 + popl %eax
13762 + popl %edi
13763 + ret
13764 +ENDPROC(pax_erase_kstack)
13765 +#endif
13766 +
13767 +.macro __SAVE_ALL _DS
13768 cld
13769 PUSH_GS
13770 pushl_cfi %fs
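Review bot: pax_enter_kernel and pax_exit_kernel overwrite %esi without saving it and carry no header comment, unlike pax_erase_kstack a few lines below, which states its register contract. Add a block comment above each ENTRY naming %esi as clobbered and noting that %eax/%ecx are preserved only under CONFIG_PARAVIRT. The bare `$16` in `bts`/`btr` is the CR0 write-protect bit and deserves a trailing `/* CR0.WP */`. In pax_erase_kstack the `-0xBEEF` fill value and the `2*16` and `$128` thresholds are likewise unexplained and should each get a short why-comment.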
13771 @@ -214,7 +347,7 @@
13772 CFI_REL_OFFSET ecx, 0
13773 pushl_cfi %ebx
13774 CFI_REL_OFFSET ebx, 0
13775 - movl $(__USER_DS), %edx
13776 + movl $\_DS, %edx
13777 movl %edx, %ds
13778 movl %edx, %es
13779 movl $(__KERNEL_PERCPU), %edx
13780 @@ -222,6 +355,15 @@
13781 SET_KERNEL_GS %edx
13782 .endm
13783
13784 +.macro SAVE_ALL
13785 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13786 + __SAVE_ALL __KERNEL_DS
13787 + pax_enter_kernel
13788 +#else
13789 + __SAVE_ALL __USER_DS
13790 +#endif
13791 +.endm
13792 +
13793 .macro RESTORE_INT_REGS
13794 popl_cfi %ebx
13795 CFI_RESTORE ebx
13796 @@ -332,7 +474,15 @@ check_userspace:
13797 movb PT_CS(%esp), %al
13798 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13799 cmpl $USER_RPL, %eax
13800 +
13801 +#ifdef CONFIG_PAX_KERNEXEC
13802 + jae resume_userspace
13803 +
13804 + PAX_EXIT_KERNEL
13805 + jmp resume_kernel
13806 +#else
13807 jb resume_kernel # not returning to v8086 or userspace
13808 +#endif
13809
13810 ENTRY(resume_userspace)
13811 LOCKDEP_SYS_EXIT
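Review bot: `PAX_EXIT_KERNEL` is spelled in upper case here, while the macro defined earlier in this file and used in the NMI paths is `pax_exit_kernel`. Unless an upper-case preprocessor macro exists elsewhere in the patch, this line depends on the assembler matching macro names case-insensitively; use `pax_exit_kernel` so it reads like every other call site. With the branch inverted to `jae resume_userspace`, the original remark `# not returning to v8086 or userspace` would also be useful next to `jmp resume_kernel`.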
13812 @@ -344,7 +494,7 @@ ENTRY(resume_userspace)
13813 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13814 # int/exception return?
13815 jne work_pending
13816 - jmp restore_all
13817 + jmp restore_all_pax
13818 END(ret_from_exception)
13819
13820 #ifdef CONFIG_PREEMPT
13821 @@ -394,23 +544,34 @@ sysenter_past_esp:
13822 /*CFI_REL_OFFSET cs, 0*/
13823 /*
13824 * Push current_thread_info()->sysenter_return to the stack.
13825 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13826 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
13827 */
13828 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
13829 + pushl_cfi $0
13830 CFI_REL_OFFSET eip, 0
13831
13832 pushl_cfi %eax
13833 SAVE_ALL
13834 + GET_THREAD_INFO(%ebp)
13835 + movl TI_sysenter_return(%ebp),%ebp
13836 + movl %ebp,PT_EIP(%esp)
13837 ENABLE_INTERRUPTS(CLBR_NONE)
13838
13839 /*
13840 * Load the potential sixth argument from user stack.
13841 * Careful about security.
13842 */
13843 + movl PT_OLDESP(%esp),%ebp
13844 +
13845 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13846 + mov PT_OLDSS(%esp),%ds
13847 +1: movl %ds:(%ebp),%ebp
13848 + push %ss
13849 + pop %ds
13850 +#else
13851 cmpl $__PAGE_OFFSET-3,%ebp
13852 jae syscall_fault
13853 1: movl (%ebp),%ebp
13854 +#endif
13855 +
13856 movl %ebp,PT_EBP(%esp)
13857 .section __ex_table,"a"
13858 .align 4
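Review bot: The comment `Push current_thread_info()->sysenter_return to the stack.` no longer describes the next instruction: the new code pushes `$0` as a placeholder and fills the slot later with `movl %ebp,PT_EIP(%esp)` after SAVE_ALL. Reword it, e.g. `Reserve the EIP slot; it is filled from TI_sysenter_return once SAVE_ALL has run.` In the CONFIG_PAX_MEMORY_UDEREF branch the `cmpl $__PAGE_OFFSET-3,%ebp` range check is replaced by a load through the saved user stack segment. That branch needs a comment stating what now bounds the access; presumably the segment limit, but the segment setup is outside this hunk.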
13859 @@ -433,12 +594,23 @@ sysenter_do_call:
13860 testl $_TIF_ALLWORK_MASK, %ecx
13861 jne sysexit_audit
13862 sysenter_exit:
13863 +
13864 +#ifdef CONFIG_PAX_RANDKSTACK
13865 + pushl_cfi %eax
13866 + call pax_randomize_kstack
13867 + popl_cfi %eax
13868 +#endif
13869 +
13870 + pax_erase_kstack
13871 +
13872 /* if something modifies registers it must also disable sysexit */
13873 movl PT_EIP(%esp), %edx
13874 movl PT_OLDESP(%esp), %ecx
13875 xorl %ebp,%ebp
13876 TRACE_IRQS_ON
13877 1: mov PT_FS(%esp), %fs
13878 +2: mov PT_DS(%esp), %ds
13879 +3: mov PT_ES(%esp), %es
13880 PTGS_TO_GS
13881 ENABLE_INTERRUPTS_SYSEXIT
13882
13883 @@ -455,6 +627,9 @@ sysenter_audit:
13884 movl %eax,%edx /* 2nd arg: syscall number */
13885 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
13886 call audit_syscall_entry
13887 +
13888 + pax_erase_kstack
13889 +
13890 pushl_cfi %ebx
13891 movl PT_EAX(%esp),%eax /* reload syscall number */
13892 jmp sysenter_do_call
13893 @@ -481,11 +656,17 @@ sysexit_audit:
13894
13895 CFI_ENDPROC
13896 .pushsection .fixup,"ax"
13897 -2: movl $0,PT_FS(%esp)
13898 +4: movl $0,PT_FS(%esp)
13899 + jmp 1b
13900 +5: movl $0,PT_DS(%esp)
13901 + jmp 1b
13902 +6: movl $0,PT_ES(%esp)
13903 jmp 1b
13904 .section __ex_table,"a"
13905 .align 4
13906 - .long 1b,2b
13907 + .long 1b,4b
13908 + .long 2b,5b
13909 + .long 3b,6b
13910 .popsection
13911 PTGS_TO_GS_EX
13912 ENDPROC(ia32_sysenter_target)
13913 @@ -518,6 +699,14 @@ syscall_exit:
13914 testl $_TIF_ALLWORK_MASK, %ecx # current->work
13915 jne syscall_exit_work
13916
13917 +restore_all_pax:
13918 +
13919 +#ifdef CONFIG_PAX_RANDKSTACK
13920 + call pax_randomize_kstack
13921 +#endif
13922 +
13923 + pax_erase_kstack
13924 +
13925 restore_all:
13926 TRACE_IRQS_IRET
13927 restore_all_notrace:
13928 @@ -577,14 +766,21 @@ ldt_ss:
13929 * compensating for the offset by changing to the ESPFIX segment with
13930 * a base address that matches for the difference.
13931 */
13932 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
13933 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
13934 mov %esp, %edx /* load kernel esp */
13935 mov PT_OLDESP(%esp), %eax /* load userspace esp */
13936 mov %dx, %ax /* eax: new kernel esp */
13937 sub %eax, %edx /* offset (low word is 0) */
13938 +#ifdef CONFIG_SMP
13939 + movl PER_CPU_VAR(cpu_number), %ebx
13940 + shll $PAGE_SHIFT_asm, %ebx
13941 + addl $cpu_gdt_table, %ebx
13942 +#else
13943 + movl $cpu_gdt_table, %ebx
13944 +#endif
13945 shr $16, %edx
13946 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
13947 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
13948 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
13949 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
13950 pushl_cfi $__ESPFIX_SS
13951 pushl_cfi %eax /* new kernel esp */
13952 /* Disable interrupts, but do not irqtrace this section: we
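Review bot: `GDT_ESPFIX_SS` now expands to an operand relative to %ebx, so every use silently depends on the preceding `movl … %ebx` sequence and clobbers %ebx; the FIXUP_ESPFIX_STACK hunk further down repeats the same setup, and neither place says so. Add a comment on the `#define`, e.g. `/* requires %ebx = this CPU's GDT base, see below */`, and note next to `shll $PAGE_SHIFT_asm, %ebx` that it assumes one page per CPU in `cpu_gdt_table`. The duplicated setup could be a small macro so the two copies cannot drift apart.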
13953 @@ -613,29 +809,23 @@ work_resched:
13954 movl TI_flags(%ebp), %ecx
13955 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
13956 # than syscall tracing?
13957 - jz restore_all
13958 + jz restore_all_pax
13959 testb $_TIF_NEED_RESCHED, %cl
13960 jnz work_resched
13961
13962 work_notifysig: # deal with pending signals and
13963 # notify-resume requests
13964 + movl %esp, %eax
13965 #ifdef CONFIG_VM86
13966 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
13967 - movl %esp, %eax
13968 - jne work_notifysig_v86 # returning to kernel-space or
13969 + jz 1f # returning to kernel-space or
13970 # vm86-space
13971 - xorl %edx, %edx
13972 - call do_notify_resume
13973 - jmp resume_userspace_sig
13974
13975 - ALIGN
13976 -work_notifysig_v86:
13977 pushl_cfi %ecx # save ti_flags for do_notify_resume
13978 call save_v86_state # %eax contains pt_regs pointer
13979 popl_cfi %ecx
13980 movl %eax, %esp
13981 -#else
13982 - movl %esp, %eax
13983 +1:
13984 #endif
13985 xorl %edx, %edx
13986 call do_notify_resume
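Review bot: The trailing comment on `jz 1f`, `# returning to kernel-space or vm86-space`, was written for the old `jne work_notifysig_v86` and now sits on the branch that is taken when the VM flag is clear. Reword it to match the new sense, e.g. `jz 1f # not vm86: skip save_v86_state`. Since the named label `work_notifysig_v86` is gone, a short comment on the `1:` label would also help readers find where the two paths rejoin.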
13987 @@ -648,6 +838,9 @@ syscall_trace_entry:
13988 movl $-ENOSYS,PT_EAX(%esp)
13989 movl %esp, %eax
13990 call syscall_trace_enter
13991 +
13992 + pax_erase_kstack
13993 +
13994 /* What it returned is what we'll actually use. */
13995 cmpl $(nr_syscalls), %eax
13996 jnae syscall_call
13997 @@ -670,6 +863,10 @@ END(syscall_exit_work)
13998
13999 RING0_INT_FRAME # can't unwind into user space anyway
14000 syscall_fault:
14001 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14002 + push %ss
14003 + pop %ds
14004 +#endif
14005 GET_THREAD_INFO(%ebp)
14006 movl $-EFAULT,PT_EAX(%esp)
14007 jmp resume_userspace
14008 @@ -752,6 +949,36 @@ ptregs_clone:
14009 CFI_ENDPROC
14010 ENDPROC(ptregs_clone)
14011
14012 + ALIGN;
14013 +ENTRY(kernel_execve)
14014 + CFI_STARTPROC
14015 + pushl_cfi %ebp
14016 + sub $PT_OLDSS+4,%esp
14017 + pushl_cfi %edi
14018 + pushl_cfi %ecx
14019 + pushl_cfi %eax
14020 + lea 3*4(%esp),%edi
14021 + mov $PT_OLDSS/4+1,%ecx
14022 + xorl %eax,%eax
14023 + rep stosl
14024 + popl_cfi %eax
14025 + popl_cfi %ecx
14026 + popl_cfi %edi
14027 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14028 + pushl_cfi %esp
14029 + call sys_execve
14030 + add $4,%esp
14031 + CFI_ADJUST_CFA_OFFSET -4
14032 + GET_THREAD_INFO(%ebp)
14033 + test %eax,%eax
14034 + jz syscall_exit
14035 + add $PT_OLDSS+4,%esp
14036 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
14037 + popl_cfi %ebp
14038 + ret
14039 + CFI_ENDPROC
14040 +ENDPROC(kernel_execve)
14041 +
14042 .macro FIXUP_ESPFIX_STACK
14043 /*
14044 * Switch back for ESPFIX stack to the normal zerobased stack
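Review bot: `sub $PT_OLDSS+4,%esp` in kernel_execve has no CFI annotation, while the matching `add $PT_OLDSS+4,%esp` on the failure path is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`. The unwind information is therefore off by the frame size from the `sub` until the `add`; add `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` right after the `sub`. The routine also lacks a header comment: it should say that it builds a zeroed pt_regs frame on the stack, passes the frame's address to sys_execve, and leaves through syscall_exit when the call returns 0.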
14045 @@ -761,8 +988,15 @@ ENDPROC(ptregs_clone)
14046 * normal stack and adjusts ESP with the matching offset.
14047 */
14048 /* fixup the stack */
14049 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
14050 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
14051 +#ifdef CONFIG_SMP
14052 + movl PER_CPU_VAR(cpu_number), %ebx
14053 + shll $PAGE_SHIFT_asm, %ebx
14054 + addl $cpu_gdt_table, %ebx
14055 +#else
14056 + movl $cpu_gdt_table, %ebx
14057 +#endif
14058 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
14059 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
14060 shl $16, %eax
14061 addl %esp, %eax /* the adjusted stack pointer */
14062 pushl_cfi $__KERNEL_DS
14063 @@ -1213,7 +1447,6 @@ return_to_handler:
14064 jmp *%ecx
14065 #endif
14066
14067 -.section .rodata,"a"
14068 #include "syscall_table_32.S"
14069
14070 syscall_table_size=(.-sys_call_table)
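Review bot: With `.section .rodata,"a"` removed, the section that `sys_call_table` lands in is decided by `syscall_table_32.S` or by whatever section is current at this point, and neither is visible in this hunk. The syscall table should stay in read-only memory, so confirm that the included file now carries its own section directive. If it does, a one-line comment here such as `/* section is selected inside syscall_table_32.S */` keeps the next reader from re-adding the directive or questioning its absence.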
14071 @@ -1259,9 +1492,12 @@ error_code:
14072 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14073 REG_TO_PTGS %ecx
14074 SET_KERNEL_GS %ecx
14075 - movl $(__USER_DS), %ecx
14076 + movl $(__KERNEL_DS), %ecx
14077 movl %ecx, %ds
14078 movl %ecx, %es
14079 +
14080 + pax_enter_kernel
14081 +
14082 TRACE_IRQS_OFF
14083 movl %esp,%eax # pt_regs pointer
14084 call *%edi
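Review bot: error_code now loads `__KERNEL_DS` into %ds/%es unconditionally, whereas the new SAVE_ALL wrapper earlier in this file selects `__KERNEL_DS` only when one of the PAX options is enabled and keeps `__USER_DS` otherwise. With those options off, exception entry and interrupt entry would run with different data segment selectors. Either guard this line with the same `#if` as SAVE_ALL or add a comment explaining why the exception path is allowed to differ. error_code starts and ends outside the hunk.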
14085 @@ -1346,6 +1582,9 @@ nmi_stack_correct:
14086 xorl %edx,%edx # zero error code
14087 movl %esp,%eax # pt_regs pointer
14088 call do_nmi
14089 +
14090 + pax_exit_kernel
14091 +
14092 jmp restore_all_notrace
14093 CFI_ENDPROC
14094
14095 @@ -1382,6 +1621,9 @@ nmi_espfix_stack:
14096 FIXUP_ESPFIX_STACK # %eax == %esp
14097 xorl %edx,%edx # zero error code
14098 call do_nmi
14099 +
14100 + pax_exit_kernel
14101 +
14102 RESTORE_REGS
14103 lss 12+4(%esp), %esp # back to espfix stack
14104 CFI_ADJUST_CFA_OFFSET -24
14105 diff -urNp linux-2.6.39.1/arch/x86/kernel/entry_64.S linux-2.6.39.1/arch/x86/kernel/entry_64.S
14106 --- linux-2.6.39.1/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400
14107 +++ linux-2.6.39.1/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400
14108 @@ -53,6 +53,7 @@
14109 #include <asm/paravirt.h>
14110 #include <asm/ftrace.h>
14111 #include <asm/percpu.h>
14112 +#include <asm/pgtable.h>
14113
14114 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14115 #include <linux/elf-em.h>
14116 @@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
14117 ENDPROC(native_usergs_sysret64)
14118 #endif /* CONFIG_PARAVIRT */
14119
14120 + .macro ljmpq sel, off
14121 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14122 + .byte 0x48; ljmp *1234f(%rip)
14123 + .pushsection .rodata
14124 + .align 16
14125 + 1234: .quad \off; .word \sel
14126 + .popsection
14127 +#else
14128 + pushq $\sel
14129 + pushq $\off
14130 + lretq
14131 +#endif
14132 + .endm
14133 +
14134 + .macro pax_enter_kernel
14135 +#ifdef CONFIG_PAX_KERNEXEC
14136 + call pax_enter_kernel
14137 +#endif
14138 + .endm
14139 +
14140 + .macro pax_exit_kernel
14141 +#ifdef CONFIG_PAX_KERNEXEC
14142 + call pax_exit_kernel
14143 +#endif
14144 + .endm
14145 +
14146 +#ifdef CONFIG_PAX_KERNEXEC
14147 +ENTRY(pax_enter_kernel)
14148 + pushq %rdi
14149 +
14150 +#ifdef CONFIG_PARAVIRT
14151 + PV_SAVE_REGS(CLBR_RDI)
14152 +#endif
14153 +
14154 + GET_CR0_INTO_RDI
14155 + bts $16,%rdi
14156 + jnc 1f
14157 + mov %cs,%edi
14158 + cmp $__KERNEL_CS,%edi
14159 + jz 3f
14160 + ljmpq __KERNEL_CS,3f
14161 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14162 +2: SET_RDI_INTO_CR0
14163 +3:
14164 +
14165 +#ifdef CONFIG_PARAVIRT
14166 + PV_RESTORE_REGS(CLBR_RDI)
14167 +#endif
14168 +
14169 + popq %rdi
14170 + retq
14171 +ENDPROC(pax_enter_kernel)
14172 +
14173 +ENTRY(pax_exit_kernel)
14174 + pushq %rdi
14175 +
14176 +#ifdef CONFIG_PARAVIRT
14177 + PV_SAVE_REGS(CLBR_RDI)
14178 +#endif
14179 +
14180 + mov %cs,%rdi
14181 + cmp $__KERNEXEC_KERNEL_CS,%edi
14182 + jnz 2f
14183 + GET_CR0_INTO_RDI
14184 + btr $16,%rdi
14185 + ljmpq __KERNEL_CS,1f
14186 +1: SET_RDI_INTO_CR0
14187 +2:
14188 +
14189 +#ifdef CONFIG_PARAVIRT
14190 + PV_RESTORE_REGS(CLBR_RDI);
14191 +#endif
14192 +
14193 + popq %rdi
14194 + retq
14195 +ENDPROC(pax_exit_kernel)
14196 +#endif
14197 +
14198 + .macro pax_enter_kernel_user
14199 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14200 + call pax_enter_kernel_user
14201 +#endif
14202 + .endm
14203 +
14204 + .macro pax_exit_kernel_user
14205 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14206 + call pax_exit_kernel_user
14207 +#endif
14208 +#ifdef CONFIG_PAX_RANDKSTACK
14209 + push %rax
14210 + call pax_randomize_kstack
14211 + pop %rax
14212 +#endif
14213 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14214 + call pax_erase_kstack
14215 +#endif
14216 + .endm
14217 +
14218 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14219 +ENTRY(pax_enter_kernel_user)
14220 + pushq %rdi
14221 + pushq %rbx
14222 +
14223 +#ifdef CONFIG_PARAVIRT
14224 + PV_SAVE_REGS(CLBR_RDI)
14225 +#endif
14226 +
14227 + GET_CR3_INTO_RDI
14228 + mov %rdi,%rbx
14229 + add $__START_KERNEL_map,%rbx
14230 + sub phys_base(%rip),%rbx
14231 +
14232 +#ifdef CONFIG_PARAVIRT
14233 + pushq %rdi
14234 + cmpl $0, pv_info+PARAVIRT_enabled
14235 + jz 1f
14236 + i = 0
14237 + .rept USER_PGD_PTRS
14238 + mov i*8(%rbx),%rsi
14239 + mov $0,%sil
14240 + lea i*8(%rbx),%rdi
14241 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14242 + i = i + 1
14243 + .endr
14244 + jmp 2f
14245 +1:
14246 +#endif
14247 +
14248 + i = 0
14249 + .rept USER_PGD_PTRS
14250 + movb $0,i*8(%rbx)
14251 + i = i + 1
14252 + .endr
14253 +
14254 +#ifdef CONFIG_PARAVIRT
14255 +2: popq %rdi
14256 +#endif
14257 + SET_RDI_INTO_CR3
14258 +
14259 +#ifdef CONFIG_PAX_KERNEXEC
14260 + GET_CR0_INTO_RDI
14261 + bts $16,%rdi
14262 + SET_RDI_INTO_CR0
14263 +#endif
14264 +
14265 +#ifdef CONFIG_PARAVIRT
14266 + PV_RESTORE_REGS(CLBR_RDI)
14267 +#endif
14268 +
14269 + popq %rbx
14270 + popq %rdi
14271 + retq
14272 +ENDPROC(pax_enter_kernel_user)
14273 +
14274 +ENTRY(pax_exit_kernel_user)
14275 + push %rdi
14276 +
14277 +#ifdef CONFIG_PARAVIRT
14278 + pushq %rbx
14279 + PV_SAVE_REGS(CLBR_RDI)
14280 +#endif
14281 +
14282 +#ifdef CONFIG_PAX_KERNEXEC
14283 + GET_CR0_INTO_RDI
14284 + btr $16,%rdi
14285 + SET_RDI_INTO_CR0
14286 +#endif
14287 +
14288 + GET_CR3_INTO_RDI
14289 + add $__START_KERNEL_map,%rdi
14290 + sub phys_base(%rip),%rdi
14291 +
14292 +#ifdef CONFIG_PARAVIRT
14293 + cmpl $0, pv_info+PARAVIRT_enabled
14294 + jz 1f
14295 + mov %rdi,%rbx
14296 + i = 0
14297 + .rept USER_PGD_PTRS
14298 + mov i*8(%rbx),%rsi
14299 + mov $0x67,%sil
14300 + lea i*8(%rbx),%rdi
14301 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14302 + i = i + 1
14303 + .endr
14304 + jmp 2f
14305 +1:
14306 +#endif
14307 +
14308 + i = 0
14309 + .rept USER_PGD_PTRS
14310 + movb $0x67,i*8(%rdi)
14311 + i = i + 1
14312 + .endr
14313 +
14314 +#ifdef CONFIG_PARAVIRT
14315 +2: PV_RESTORE_REGS(CLBR_RDI)
14316 + popq %rbx
14317 +#endif
14318 +
14319 + popq %rdi
14320 + retq
14321 +ENDPROC(pax_exit_kernel_user)
14322 +#endif
14323 +
14324 + .macro pax_erase_kstack
14325 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14326 + call pax_erase_kstack
14327 +#endif
14328 + .endm
14329 +
14330 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14331 +/*
14332 + * r10: thread_info
14333 + * rcx, rdx: can be clobbered
14334 + */
14335 +ENTRY(pax_erase_kstack)
14336 + pushq %rdi
14337 + pushq %rax
14338 +
14339 + GET_THREAD_INFO(%r10)
14340 + mov TI_lowest_stack(%r10), %rdi
14341 + mov $-0xBEEF, %rax
14342 + std
14343 +
14344 +1: mov %edi, %ecx
14345 + and $THREAD_SIZE_asm - 1, %ecx
14346 + shr $3, %ecx
14347 + repne scasq
14348 + jecxz 2f
14349 +
14350 + cmp $2*8, %ecx
14351 + jc 2f
14352 +
14353 + mov $2*8, %ecx
14354 + repe scasq
14355 + jecxz 2f
14356 + jne 1b
14357 +
14358 +2: cld
14359 + mov %esp, %ecx
14360 + sub %edi, %ecx
14361 + shr $3, %ecx
14362 + rep stosq
14363 +
14364 + mov TI_task_thread_sp0(%r10), %rdi
14365 + sub $256, %rdi
14366 + mov %rdi, TI_lowest_stack(%r10)
14367 +
14368 + popq %rax
14369 + popq %rdi
14370 + ret
14371 +ENDPROC(pax_erase_kstack)
14372 +#endif
14373
14374 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14375 #ifdef CONFIG_TRACE_IRQFLAGS
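Review bot: The header comment on the 64-bit pax_erase_kstack lists `r10: thread_info` as if it were an input, but the routine loads it itself with `GET_THREAD_INFO(%r10)`, so %r10 is clobbered rather than consumed. Change the line to `r10: clobbered (loaded with thread_info)` so call sites know they must reload it. The literal `$0x67` written into the low byte of each user PGD entry in pax_exit_kernel_user, and the `$0` written in pax_enter_kernel_user, should carry a comment naming the page-table flag bits they set and clear. pax_enter_kernel and pax_exit_kernel likewise need a note that `$16` is CR0.WP.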
14376 @@ -318,7 +572,7 @@ ENTRY(save_args)
14377 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
14378 movq_cfi rbp, 8 /* push %rbp */
14379 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14380 - testl $3, CS(%rdi)
14381 + testb $3, CS(%rdi)
14382 je 1f
14383 SWAPGS
14384 /*
14385 @@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
14386
14387 RESTORE_REST
14388
14389 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14390 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14391 je int_ret_from_sys_call
14392
14393 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14394 @@ -455,7 +709,7 @@ END(ret_from_fork)
14395 ENTRY(system_call)
14396 CFI_STARTPROC simple
14397 CFI_SIGNAL_FRAME
14398 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14399 + CFI_DEF_CFA rsp,0
14400 CFI_REGISTER rip,rcx
14401 /*CFI_REGISTER rflags,r11*/
14402 SWAPGS_UNSAFE_STACK
14403 @@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
14404
14405 movq %rsp,PER_CPU_VAR(old_rsp)
14406 movq PER_CPU_VAR(kernel_stack),%rsp
14407 + pax_enter_kernel_user
14408 /*
14409 * No need to follow this irqs off/on section - it's straight
14410 * and short:
14411 */
14412 ENABLE_INTERRUPTS(CLBR_NONE)
14413 - SAVE_ARGS 8,1
14414 + SAVE_ARGS 8*6,1
14415 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14416 movq %rcx,RIP-ARGOFFSET(%rsp)
14417 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14418 @@ -502,6 +757,7 @@ sysret_check:
14419 andl %edi,%edx
14420 jnz sysret_careful
14421 CFI_REMEMBER_STATE
14422 + pax_exit_kernel_user
14423 /*
14424 * sysretq will re-enable interrupts:
14425 */
14426 @@ -560,6 +816,9 @@ auditsys:
14427 movq %rax,%rsi /* 2nd arg: syscall number */
14428 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14429 call audit_syscall_entry
14430 +
14431 + pax_erase_kstack
14432 +
14433 LOAD_ARGS 0 /* reload call-clobbered registers */
14434 jmp system_call_fastpath
14435
14436 @@ -590,6 +849,9 @@ tracesys:
14437 FIXUP_TOP_OF_STACK %rdi
14438 movq %rsp,%rdi
14439 call syscall_trace_enter
14440 +
14441 + pax_erase_kstack
14442 +
14443 /*
14444 * Reload arg registers from stack in case ptrace changed them.
14445 * We don't reload %rax because syscall_trace_enter() returned
14446 @@ -611,7 +873,7 @@ tracesys:
14447 GLOBAL(int_ret_from_sys_call)
14448 DISABLE_INTERRUPTS(CLBR_NONE)
14449 TRACE_IRQS_OFF
14450 - testl $3,CS-ARGOFFSET(%rsp)
14451 + testb $3,CS-ARGOFFSET(%rsp)
14452 je retint_restore_args
14453 movl $_TIF_ALLWORK_MASK,%edi
14454 /* edi: mask to check */
14455 @@ -793,6 +1055,16 @@ END(interrupt)
14456 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
14457 call save_args
14458 PARTIAL_FRAME 0
14459 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14460 + testb $3, CS(%rdi)
14461 + jnz 1f
14462 + pax_enter_kernel
14463 + jmp 2f
14464 +1: pax_enter_kernel_user
14465 +2:
14466 +#else
14467 + pax_enter_kernel
14468 +#endif
14469 call \func
14470 .endm
14471
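Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `testb $3, CS(...)` entry sequence added before `call \func` is repeated, apart from the base register, in the five later `ENTRY(\sym)` hunks and in `ENTRY(nmi)`. A single assembler macro taking the saved-CS operand as its argument would keep the seven copies from drifting apart. Only this copy tests `CS(%rdi)` rather than `CS(%rsp)`, which is easy to miss when the block is pasted. The macro name below is only a suggestion, and the enclosing `.macro` starts outside the hunk.

```asm
/* suggested helper; the name is illustrative */
	.macro pax_enter_kernel_by_cs cs_slot
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs_slot
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

/* ... unchanged: save_args / PARTIAL_FRAME 0 ... */
	pax_enter_kernel_by_cs CS(%rdi)
	call \func
```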
14472 @@ -825,7 +1097,7 @@ ret_from_intr:
14473 CFI_ADJUST_CFA_OFFSET -8
14474 exit_intr:
14475 GET_THREAD_INFO(%rcx)
14476 - testl $3,CS-ARGOFFSET(%rsp)
14477 + testb $3,CS-ARGOFFSET(%rsp)
14478 je retint_kernel
14479
14480 /* Interrupt came from user space */
14481 @@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
14482 * The iretq could re-enable interrupts:
14483 */
14484 DISABLE_INTERRUPTS(CLBR_ANY)
14485 + pax_exit_kernel_user
14486 TRACE_IRQS_IRETQ
14487 SWAPGS
14488 jmp restore_args
14489
14490 retint_restore_args: /* return to kernel space */
14491 DISABLE_INTERRUPTS(CLBR_ANY)
14492 + pax_exit_kernel
14493 /*
14494 * The iretq could re-enable interrupts:
14495 */
14496 @@ -1027,6 +1301,16 @@ ENTRY(\sym)
14497 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14498 call error_entry
14499 DEFAULT_FRAME 0
14500 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14501 + testb $3, CS(%rsp)
14502 + jnz 1f
14503 + pax_enter_kernel
14504 + jmp 2f
14505 +1: pax_enter_kernel_user
14506 +2:
14507 +#else
14508 + pax_enter_kernel
14509 +#endif
14510 movq %rsp,%rdi /* pt_regs pointer */
14511 xorl %esi,%esi /* no error code */
14512 call \do_sym
14513 @@ -1044,6 +1328,16 @@ ENTRY(\sym)
14514 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14515 call save_paranoid
14516 TRACE_IRQS_OFF
14517 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14518 + testb $3, CS(%rsp)
14519 + jnz 1f
14520 + pax_enter_kernel
14521 + jmp 2f
14522 +1: pax_enter_kernel_user
14523 +2:
14524 +#else
14525 + pax_enter_kernel
14526 +#endif
14527 movq %rsp,%rdi /* pt_regs pointer */
14528 xorl %esi,%esi /* no error code */
14529 call \do_sym
14530 @@ -1052,7 +1346,7 @@ ENTRY(\sym)
14531 END(\sym)
14532 .endm
14533
14534 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
14535 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
14536 .macro paranoidzeroentry_ist sym do_sym ist
14537 ENTRY(\sym)
14538 INTR_FRAME
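Review bot: `INIT_TSS_IST(x)` now expands to an operand based on `%r12`, but nothing at the `#define` says so; the register is only loaded further down in `paranoidzeroentry_ist`, in the next hunk. A future user of the macro, or a change that clobbers `%r12` between the `lea` and the `addq`, would silently adjust the wrong memory. I would add above the define: `/* expects %r12 = base of this CPU's init_tss (loaded in paranoidzeroentry_ist) */`.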
14539 @@ -1062,8 +1356,24 @@ ENTRY(\sym)
14540 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14541 call save_paranoid
14542 TRACE_IRQS_OFF
14543 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14544 + testb $3, CS(%rsp)
14545 + jnz 1f
14546 + pax_enter_kernel
14547 + jmp 2f
14548 +1: pax_enter_kernel_user
14549 +2:
14550 +#else
14551 + pax_enter_kernel
14552 +#endif
14553 movq %rsp,%rdi /* pt_regs pointer */
14554 xorl %esi,%esi /* no error code */
14555 +#ifdef CONFIG_SMP
14556 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
14557 + lea init_tss(%r12), %r12
14558 +#else
14559 + lea init_tss(%rip), %r12
14560 +#endif
14561 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14562 call \do_sym
14563 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14564 @@ -1080,6 +1390,16 @@ ENTRY(\sym)
14565 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14566 call error_entry
14567 DEFAULT_FRAME 0
14568 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14569 + testb $3, CS(%rsp)
14570 + jnz 1f
14571 + pax_enter_kernel
14572 + jmp 2f
14573 +1: pax_enter_kernel_user
14574 +2:
14575 +#else
14576 + pax_enter_kernel
14577 +#endif
14578 movq %rsp,%rdi /* pt_regs pointer */
14579 movq ORIG_RAX(%rsp),%rsi /* get error code */
14580 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14581 @@ -1099,6 +1419,16 @@ ENTRY(\sym)
14582 call save_paranoid
14583 DEFAULT_FRAME 0
14584 TRACE_IRQS_OFF
14585 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14586 + testb $3, CS(%rsp)
14587 + jnz 1f
14588 + pax_enter_kernel
14589 + jmp 2f
14590 +1: pax_enter_kernel_user
14591 +2:
14592 +#else
14593 + pax_enter_kernel
14594 +#endif
14595 movq %rsp,%rdi /* pt_regs pointer */
14596 movq ORIG_RAX(%rsp),%rsi /* get error code */
14597 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14598 @@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
14599 TRACE_IRQS_OFF
14600 testl %ebx,%ebx /* swapgs needed? */
14601 jnz paranoid_restore
14602 - testl $3,CS(%rsp)
14603 + testb $3,CS(%rsp)
14604 jnz paranoid_userspace
14605 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14606 + pax_exit_kernel
14607 + TRACE_IRQS_IRETQ 0
14608 + SWAPGS_UNSAFE_STACK
14609 + RESTORE_ALL 8
14610 + jmp irq_return
14611 +#endif
14612 paranoid_swapgs:
14613 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14614 + pax_exit_kernel_user
14615 +#else
14616 + pax_exit_kernel
14617 +#endif
14618 TRACE_IRQS_IRETQ 0
14619 SWAPGS_UNSAFE_STACK
14620 RESTORE_ALL 8
14621 jmp irq_return
14622 paranoid_restore:
14623 + pax_exit_kernel
14624 TRACE_IRQS_IRETQ 0
14625 RESTORE_ALL 8
14626 jmp irq_return
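Review bot: The UDEREF-only block added between `jnz paranoid_userspace` and `paranoid_swapgs:` has no label or comment, and it is reached only by fall-through when `%ebx` is zero and the saved CS has RPL 0. It differs from the `paranoid_swapgs` path only in calling `pax_exit_kernel` instead of `pax_exit_kernel_user`, which is the security-relevant part and the easiest to get wrong in a later edit. I would head it with `/* kernel-mode CS, swapgs still needed: leave via pax_exit_kernel, not pax_exit_kernel_user */`. The same unlabeled block appears before `nmi_swapgs:` in the second `ENTRY(nmi)` hunk below.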
14627 @@ -1426,7 +1769,7 @@ ENTRY(error_entry)
14628 movq_cfi r14, R14+8
14629 movq_cfi r15, R15+8
14630 xorl %ebx,%ebx
14631 - testl $3,CS+8(%rsp)
14632 + testb $3,CS+8(%rsp)
14633 je error_kernelspace
14634 error_swapgs:
14635 SWAPGS
14636 @@ -1490,6 +1833,16 @@ ENTRY(nmi)
14637 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14638 call save_paranoid
14639 DEFAULT_FRAME 0
14640 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14641 + testb $3, CS(%rsp)
14642 + jnz 1f
14643 + pax_enter_kernel
14644 + jmp 2f
14645 +1: pax_enter_kernel_user
14646 +2:
14647 +#else
14648 + pax_enter_kernel
14649 +#endif
14650 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14651 movq %rsp,%rdi
14652 movq $-1,%rsi
14653 @@ -1500,11 +1853,25 @@ ENTRY(nmi)
14654 DISABLE_INTERRUPTS(CLBR_NONE)
14655 testl %ebx,%ebx /* swapgs needed? */
14656 jnz nmi_restore
14657 - testl $3,CS(%rsp)
14658 + testb $3,CS(%rsp)
14659 jnz nmi_userspace
14660 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14661 + pax_exit_kernel
14662 + SWAPGS_UNSAFE_STACK
14663 + RESTORE_ALL 8
14664 + jmp irq_return
14665 +#endif
14666 nmi_swapgs:
14667 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14668 + pax_exit_kernel_user
14669 +#else
14670 + pax_exit_kernel
14671 +#endif
14672 SWAPGS_UNSAFE_STACK
14673 + RESTORE_ALL 8
14674 + jmp irq_return
14675 nmi_restore:
14676 + pax_exit_kernel
14677 RESTORE_ALL 8
14678 jmp irq_return
14679 nmi_userspace:
14680 diff -urNp linux-2.6.39.1/arch/x86/kernel/ftrace.c linux-2.6.39.1/arch/x86/kernel/ftrace.c
14681 --- linux-2.6.39.1/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400
14682 +++ linux-2.6.39.1/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400
14683 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
14684 static void *mod_code_newcode; /* holds the text to write to the IP */
14685
14686 static unsigned nmi_wait_count;
14687 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14688 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14689
14690 int ftrace_arch_read_dyn_info(char *buf, int size)
14691 {
14692 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14693
14694 r = snprintf(buf, size, "%u %u",
14695 nmi_wait_count,
14696 - atomic_read(&nmi_update_count));
14697 + atomic_read_unchecked(&nmi_update_count));
14698 return r;
14699 }
14700
14701 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
14702
14703 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14704 smp_rmb();
14705 + pax_open_kernel();
14706 ftrace_mod_code();
14707 - atomic_inc(&nmi_update_count);
14708 + pax_close_kernel();
14709 + atomic_inc_unchecked(&nmi_update_count);
14710 }
14711 /* Must have previous changes seen before executions */
14712 smp_mb();
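Review bot: `pax_open_kernel()` and `pax_close_kernel()` are called here from NMI context, and the hunk does not say what happens when the NMI arrives while the interrupted code is itself between an open and a close. Both helpers are defined outside this hunk, so this is a question rather than a confirmed defect: if they are not nestable, the close here would end the interrupted code's window early. A comment stating the nesting rule would settle it, for example `/* may run inside an interrupted open window; pax_open_kernel() must tolerate nesting here */`. `ftrace_nmi_enter` starts before the hunk.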
14713 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
14714 {
14715 unsigned char replaced[MCOUNT_INSN_SIZE];
14716
14717 + ip = ktla_ktva(ip);
14718 +
14719 /*
14720 * Note: Due to modules and __init, code can
14721 * disappear and change, we need to protect against faulting
14722 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
14723 unsigned char old[MCOUNT_INSN_SIZE], *new;
14724 int ret;
14725
14726 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
14727 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
14728 new = ftrace_call_replace(ip, (unsigned long)func);
14729 ret = ftrace_modify_code(ip, old, new);
14730
14731 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
14732 {
14733 unsigned char code[MCOUNT_INSN_SIZE];
14734
14735 + ip = ktla_ktva(ip);
14736 +
14737 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
14738 return -EFAULT;
14739
14740 diff -urNp linux-2.6.39.1/arch/x86/kernel/head32.c linux-2.6.39.1/arch/x86/kernel/head32.c
14741 --- linux-2.6.39.1/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400
14742 +++ linux-2.6.39.1/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400
14743 @@ -19,6 +19,7 @@
14744 #include <asm/io_apic.h>
14745 #include <asm/bios_ebda.h>
14746 #include <asm/tlbflush.h>
14747 +#include <asm/boot.h>
14748
14749 static void __init i386_default_early_setup(void)
14750 {
14751 @@ -34,7 +35,7 @@ void __init i386_start_kernel(void)
14752 {
14753 memblock_init();
14754
14755 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14756 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14757
14758 #ifdef CONFIG_BLK_DEV_INITRD
14759 /* Reserve INITRD */
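Review bot: The reservation now starts at the compile-time constant `LOAD_PHYSICAL_ADDR` in every configuration, so it no longer follows the image if the kernel is relocated at boot; the old `__pa_symbol(&_text)` did. If relocation is meant to be unsupported with this patch, that is presumably enforced in Kconfig outside this hunk, and a comment should say so: `/* image is never relocated: text starts at LOAD_PHYSICAL_ADDR */`. Otherwise the constant should be limited to the configuration that needs it. `i386_start_kernel` continues past the hunk.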
14760 diff -urNp linux-2.6.39.1/arch/x86/kernel/head_32.S linux-2.6.39.1/arch/x86/kernel/head_32.S
14761 --- linux-2.6.39.1/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400
14762 +++ linux-2.6.39.1/arch/x86/kernel/head_32.S 2011-05-22 19:36:30.000000000 -0400
14763 @@ -25,6 +25,12 @@
14764 /* Physical address */
14765 #define pa(X) ((X) - __PAGE_OFFSET)
14766
14767 +#ifdef CONFIG_PAX_KERNEXEC
14768 +#define ta(X) (X)
14769 +#else
14770 +#define ta(X) ((X) - __PAGE_OFFSET)
14771 +#endif
14772 +
14773 /*
14774 * References to members of the new_cpu_data structure.
14775 */
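Review bot: `ta()` is added without a comment, while `pa()` directly above it has one. In the later hunks it wraps the `subarch_entries` values that are reached through `jmp *pa(subarch_entries)(,%eax,4)`. A line such as `/* Address form for early jump-table entries: link address under KERNEXEC, physical otherwise */` would explain why it is the identity in one branch.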
14776 @@ -54,11 +60,7 @@
14777 * and small than max_low_pfn, otherwise will waste some page table entries
14778 */
14779
14780 -#if PTRS_PER_PMD > 1
14781 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
14782 -#else
14783 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
14784 -#endif
14785 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
14786
14787 /* Number of possible pages in the lowmem region */
14788 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
14789 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
14790 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14791
14792 /*
14793 + * Real beginning of normal "text" segment
14794 + */
14795 +ENTRY(stext)
14796 +ENTRY(_stext)
14797 +
14798 +/*
14799 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
14800 * %esi points to the real-mode code as a 32-bit pointer.
14801 * CS and DS must be 4 GB flat segments, but we don't depend on
14802 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14803 * can.
14804 */
14805 __HEAD
14806 +
14807 +#ifdef CONFIG_PAX_KERNEXEC
14808 + jmp startup_32
14809 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
14810 +.fill PAGE_SIZE-5,1,0xcc
14811 +#endif
14812 +
14813 ENTRY(startup_32)
14814 movl pa(stack_start),%ecx
14815
14816 @@ -105,6 +120,57 @@ ENTRY(startup_32)
14817 2:
14818 leal -__PAGE_OFFSET(%ecx),%esp
14819
14820 +#ifdef CONFIG_SMP
14821 + movl $pa(cpu_gdt_table),%edi
14822 + movl $__per_cpu_load,%eax
14823 + movw %ax,__KERNEL_PERCPU + 2(%edi)
14824 + rorl $16,%eax
14825 + movb %al,__KERNEL_PERCPU + 4(%edi)
14826 + movb %ah,__KERNEL_PERCPU + 7(%edi)
14827 + movl $__per_cpu_end - 1,%eax
14828 + subl $__per_cpu_start,%eax
14829 + movw %ax,__KERNEL_PERCPU + 0(%edi)
14830 +#endif
14831 +
14832 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14833 + movl $NR_CPUS,%ecx
14834 + movl $pa(cpu_gdt_table),%edi
14835 +1:
14836 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
14837 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
14838 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
14839 + addl $PAGE_SIZE_asm,%edi
14840 + loop 1b
14841 +#endif
14842 +
14843 +#ifdef CONFIG_PAX_KERNEXEC
14844 + movl $pa(boot_gdt),%edi
14845 + movl $__LOAD_PHYSICAL_ADDR,%eax
14846 + movw %ax,__BOOT_CS + 2(%edi)
14847 + rorl $16,%eax
14848 + movb %al,__BOOT_CS + 4(%edi)
14849 + movb %ah,__BOOT_CS + 7(%edi)
14850 + rorl $16,%eax
14851 +
14852 + ljmp $(__BOOT_CS),$1f
14853 +1:
14854 +
14855 + movl $NR_CPUS,%ecx
14856 + movl $pa(cpu_gdt_table),%edi
14857 + addl $__PAGE_OFFSET,%eax
14858 +1:
14859 + movw %ax,__KERNEL_CS + 2(%edi)
14860 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
14861 + rorl $16,%eax
14862 + movb %al,__KERNEL_CS + 4(%edi)
14863 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
14864 + movb %ah,__KERNEL_CS + 7(%edi)
14865 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
14866 + rorl $16,%eax
14867 + addl $PAGE_SIZE_asm,%edi
14868 + loop 1b
14869 +#endif
14870 +
14871 /*
14872 * Clear BSS first so that there are no surprises...
14873 */
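Review bot: The per-CPU segment limit is written with `movw %ax,__KERNEL_PERCPU + 0(%edi)` only, so bits 19:16 of `__per_cpu_end - 1 - __per_cpu_start` are dropped and the segment would be too short once the per-CPU area exceeds 64 KiB. The matching `PERCPU` descriptor in `cpu_gdt_table` is byte-granular with a zero high limit nibble, so nothing else supplies those bits. After the `movw` I would add `shrl $16,%eax`, `andb $0x0f,%al`, `orb %al,__KERNEL_PERCPU + 6(%edi)`, or assert at build time that the area fits in 16 bits. `startup_32` starts before the hunk.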
14874 @@ -195,8 +261,11 @@ ENTRY(startup_32)
14875 movl %eax, pa(max_pfn_mapped)
14876
14877 /* Do early initialization of the fixmap area */
14878 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
14879 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
14880 +#ifdef CONFIG_COMPAT_VDSO
14881 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
14882 +#else
14883 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
14884 +#endif
14885 #else /* Not PAE */
14886
14887 page_pde_offset = (__PAGE_OFFSET >> 20);
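Review bot: Under `CONFIG_COMPAT_VDSO` the fixmap page-directory entry now carries `_PAGE_USER`, and the reason is not stated next to the instruction. Because this widens what user mode may reach through that entry, the `#ifdef` should carry a comment such as `/* COMPAT_VDSO maps the vdso in the fixmap range, so the PDE must allow user access */`. I am inferring that reason from the option name, so please confirm it. The same applies to the non-PAE copy in the next hunk.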
14888 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
14889 movl %eax, pa(max_pfn_mapped)
14890
14891 /* Do early initialization of the fixmap area */
14892 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
14893 - movl %eax,pa(initial_page_table+0xffc)
14894 +#ifdef CONFIG_COMPAT_VDSO
14895 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
14896 +#else
14897 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
14898 +#endif
14899 #endif
14900
14901 #ifdef CONFIG_PARAVIRT
14902 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
14903 cmpl $num_subarch_entries, %eax
14904 jae bad_subarch
14905
14906 - movl pa(subarch_entries)(,%eax,4), %eax
14907 - subl $__PAGE_OFFSET, %eax
14908 - jmp *%eax
14909 + jmp *pa(subarch_entries)(,%eax,4)
14910
14911 bad_subarch:
14912 WEAK(lguest_entry)
14913 @@ -255,10 +325,10 @@ WEAK(xen_entry)
14914 __INITDATA
14915
14916 subarch_entries:
14917 - .long default_entry /* normal x86/PC */
14918 - .long lguest_entry /* lguest hypervisor */
14919 - .long xen_entry /* Xen hypervisor */
14920 - .long default_entry /* Moorestown MID */
14921 + .long ta(default_entry) /* normal x86/PC */
14922 + .long ta(lguest_entry) /* lguest hypervisor */
14923 + .long ta(xen_entry) /* Xen hypervisor */
14924 + .long ta(default_entry) /* Moorestown MID */
14925 num_subarch_entries = (. - subarch_entries) / 4
14926 .previous
14927 #else
14928 @@ -312,6 +382,7 @@ default_entry:
14929 orl %edx,%eax
14930 movl %eax,%cr4
14931
14932 +#ifdef CONFIG_X86_PAE
14933 testb $X86_CR4_PAE, %al # check if PAE is enabled
14934 jz 6f
14935
14936 @@ -340,6 +411,9 @@ default_entry:
14937 /* Make changes effective */
14938 wrmsr
14939
14940 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
14941 +#endif
14942 +
14943 6:
14944
14945 /*
14946 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
14947 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
14948 movl %eax,%ss # after changing gdt.
14949
14950 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
14951 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
14952 movl %eax,%ds
14953 movl %eax,%es
14954
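Review bot: The `movl $(__USER_DS),%eax` load is replaced by a commented-out instruction, so `%ds` and `%es` now take whatever is still in `%eax` from the `movl $(__KERNEL_DS),%eax` two lines up. That works only while nothing is inserted between the two, and disabled code reads as if it were a leftover. I would replace the line with a real comment: `/* %eax still holds __KERNEL_DS: DS/ES use the kernel segment */`.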
14955 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
14956 */
14957 cmpb $0,ready
14958 jne 1f
14959 - movl $gdt_page,%eax
14960 + movl $cpu_gdt_table,%eax
14961 movl $stack_canary,%ecx
14962 +#ifdef CONFIG_SMP
14963 + addl $__per_cpu_load,%ecx
14964 +#endif
14965 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
14966 shrl $16, %ecx
14967 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
14968 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
14969 1:
14970 -#endif
14971 movl $(__KERNEL_STACK_CANARY),%eax
14972 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14973 + movl $(__USER_DS),%eax
14974 +#else
14975 + xorl %eax,%eax
14976 +#endif
14977 movl %eax,%gs
14978
14979 xorl %eax,%eax # Clear LDT
14980 @@ -558,22 +639,22 @@ early_page_fault:
14981 jmp early_fault
14982
14983 early_fault:
14984 - cld
14985 #ifdef CONFIG_PRINTK
14986 + cmpl $1,%ss:early_recursion_flag
14987 + je hlt_loop
14988 + incl %ss:early_recursion_flag
14989 + cld
14990 pusha
14991 movl $(__KERNEL_DS),%eax
14992 movl %eax,%ds
14993 movl %eax,%es
14994 - cmpl $2,early_recursion_flag
14995 - je hlt_loop
14996 - incl early_recursion_flag
14997 movl %cr2,%eax
14998 pushl %eax
14999 pushl %edx /* trapno */
15000 pushl $fault_msg
15001 call printk
15002 +; call dump_stack
15003 #endif
15004 - call dump_stack
15005 hlt_loop:
15006 hlt
15007 jmp hlt_loop
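Review bot: `; call dump_stack` does not disable the call: on x86 the GNU assembler treats `;` as a statement separator, not a comment character, so the line should still assemble `call dump_stack`, now inside the `CONFIG_PRINTK` block. If the call is meant to go, delete the line or write `/* call dump_stack */`. Separately, `early_fault` now stops at `cmpl $1` while `ignore_int` in the next hunk keeps `cmpl $2`; if the difference is intended it deserves a comment.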
15008 @@ -581,8 +662,11 @@ hlt_loop:
15009 /* This is the default interrupt "handler" :-) */
15010 ALIGN
15011 ignore_int:
15012 - cld
15013 #ifdef CONFIG_PRINTK
15014 + cmpl $2,%ss:early_recursion_flag
15015 + je hlt_loop
15016 + incl %ss:early_recursion_flag
15017 + cld
15018 pushl %eax
15019 pushl %ecx
15020 pushl %edx
15021 @@ -591,9 +675,6 @@ ignore_int:
15022 movl $(__KERNEL_DS),%eax
15023 movl %eax,%ds
15024 movl %eax,%es
15025 - cmpl $2,early_recursion_flag
15026 - je hlt_loop
15027 - incl early_recursion_flag
15028 pushl 16(%esp)
15029 pushl 24(%esp)
15030 pushl 32(%esp)
15031 @@ -622,29 +703,43 @@ ENTRY(initial_code)
15032 /*
15033 * BSS section
15034 */
15035 -__PAGE_ALIGNED_BSS
15036 - .align PAGE_SIZE
15037 #ifdef CONFIG_X86_PAE
15038 +.section .initial_pg_pmd,"a",@progbits
15039 initial_pg_pmd:
15040 .fill 1024*KPMDS,4,0
15041 #else
15042 +.section .initial_page_table,"a",@progbits
15043 ENTRY(initial_page_table)
15044 .fill 1024,4,0
15045 #endif
15046 +.section .initial_pg_fixmap,"a",@progbits
15047 initial_pg_fixmap:
15048 .fill 1024,4,0
15049 +.section .empty_zero_page,"a",@progbits
15050 ENTRY(empty_zero_page)
15051 .fill 4096,1,0
15052 +.section .swapper_pg_dir,"a",@progbits
15053 ENTRY(swapper_pg_dir)
15054 +#ifdef CONFIG_X86_PAE
15055 + .fill 4,8,0
15056 +#else
15057 .fill 1024,4,0
15058 +#endif
15059 +
15060 +/*
15061 + * The IDT has to be page-aligned to simplify the Pentium
15062 + * F0 0F bug workaround.. We have a special link segment
15063 + * for this.
15064 + */
15065 +.section .idt,"a",@progbits
15066 +ENTRY(idt_table)
15067 + .fill 256,8,0
15068
15069 /*
15070 * This starts the data section.
15071 */
15072 #ifdef CONFIG_X86_PAE
15073 -__PAGE_ALIGNED_DATA
15074 - /* Page-aligned for the benefit of paravirt? */
15075 - .align PAGE_SIZE
15076 +.section .initial_page_table,"a",@progbits
15077 ENTRY(initial_page_table)
15078 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15079 # if KPMDS == 3
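Review bot: The context comment still says `BSS section`, but the page tables, `empty_zero_page`, `swapper_pg_dir` and `idt_table` below it are now placed in named `"a",@progbits` sections, and the `.align PAGE_SIZE` that used to guarantee their alignment is removed. Page alignment presumably comes from the linker script, which is outside this hunk; nothing in this file states or checks it. I would update the comment to `/* Page tables and IDT: separate sections, page-aligned by the linker script */`. I would also keep an explicit `.align PAGE_SIZE` after each `.section` line unless the script is known to enforce it.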
15080 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
15081 # error "Kernel PMDs should be 1, 2 or 3"
15082 # endif
15083 .align PAGE_SIZE /* needs to be page-sized too */
15084 +
15085 +#ifdef CONFIG_PAX_PER_CPU_PGD
15086 +ENTRY(cpu_pgd)
15087 + .rept NR_CPUS
15088 + .fill 4,8,0
15089 + .endr
15090 +#endif
15091 +
15092 #endif
15093
15094 .data
15095 .balign 4
15096 ENTRY(stack_start)
15097 - .long init_thread_union+THREAD_SIZE
15098 + .long init_thread_union+THREAD_SIZE-8
15099 +
15100 +ready: .byte 0
15101
15102 +.section .rodata,"a",@progbits
15103 early_recursion_flag:
15104 .long 0
15105
15106 -ready: .byte 0
15107 -
15108 int_msg:
15109 .asciz "Unknown interrupt or fault at: %p %p %p\n"
15110
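Review bot: `early_recursion_flag` now sits after `.section .rodata`, yet `early_fault` and `ignore_int` in this file modify it with `incl %ss:early_recursion_flag`. That only works while the section is still writable when those handlers run. The head_64.S part of this patch keeps its copy in `__INITDATA` and moves only the message strings to `.rodata`. I would leave the flag next to `ready` in `.data` and start `.rodata` at `int_msg`, or add `/* written only before .rodata is write-protected */` if the placement is deliberate.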
15111 @@ -707,7 +811,7 @@ fault_msg:
15112 .word 0 # 32 bit align gdt_desc.address
15113 boot_gdt_descr:
15114 .word __BOOT_DS+7
15115 - .long boot_gdt - __PAGE_OFFSET
15116 + .long pa(boot_gdt)
15117
15118 .word 0 # 32-bit align idt_desc.address
15119 idt_descr:
15120 @@ -718,7 +822,7 @@ idt_descr:
15121 .word 0 # 32 bit align gdt_desc.address
15122 ENTRY(early_gdt_descr)
15123 .word GDT_ENTRIES*8-1
15124 - .long gdt_page /* Overwritten for secondary CPUs */
15125 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15126
15127 /*
15128 * The boot_gdt must mirror the equivalent in setup.S and is
15129 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
15130 .align L1_CACHE_BYTES
15131 ENTRY(boot_gdt)
15132 .fill GDT_ENTRY_BOOT_CS,8,0
15133 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15134 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15135 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15136 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15137 +
15138 + .align PAGE_SIZE_asm
15139 +ENTRY(cpu_gdt_table)
15140 + .rept NR_CPUS
15141 + .quad 0x0000000000000000 /* NULL descriptor */
15142 + .quad 0x0000000000000000 /* 0x0b reserved */
15143 + .quad 0x0000000000000000 /* 0x13 reserved */
15144 + .quad 0x0000000000000000 /* 0x1b reserved */
15145 +
15146 +#ifdef CONFIG_PAX_KERNEXEC
15147 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15148 +#else
15149 + .quad 0x0000000000000000 /* 0x20 unused */
15150 +#endif
15151 +
15152 + .quad 0x0000000000000000 /* 0x28 unused */
15153 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15154 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15155 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15156 + .quad 0x0000000000000000 /* 0x4b reserved */
15157 + .quad 0x0000000000000000 /* 0x53 reserved */
15158 + .quad 0x0000000000000000 /* 0x5b reserved */
15159 +
15160 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15161 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15162 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15163 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15164 +
15165 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15166 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15167 +
15168 + /*
15169 + * Segments used for calling PnP BIOS have byte granularity.
15170 + * The code segments and data segments have fixed 64k limits,
15171 + * the transfer segment sizes are set at run time.
15172 + */
15173 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15174 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15175 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15176 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15177 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15178 +
15179 + /*
15180 + * The APM segments have byte granularity and their bases
15181 + * are set at run time. All have 64k limits.
15182 + */
15183 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15184 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15185 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15186 +
15187 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15188 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15189 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
15190 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15191 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15192 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15193 +
15194 + /* Be sure this is zeroed to avoid false validations in Xen */
15195 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15196 + .endr
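Review bot: Every populated descriptor in the new `cpu_gdt_table`, and the two `boot_gdt` entries changed above it, has the accessed bit already set in its type byte (`9b`/`93` where the removed lines had `9a`/`92`), and nothing says why. Presumably this keeps the CPU from writing the accessed bit back into a table that is meant to be read-only; if so, say it once at the top: `/* accessed bit pre-set so segment loads never write to the GDT */`. Without that, a later cleanup could normalise the values and reintroduce the write. The `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` padding also depends on the list being exactly `GDT_SIZE` bytes long, which is not checked here.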
15197 diff -urNp linux-2.6.39.1/arch/x86/kernel/head_64.S linux-2.6.39.1/arch/x86/kernel/head_64.S
15198 --- linux-2.6.39.1/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400
15199 +++ linux-2.6.39.1/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400
15200 @@ -19,6 +19,7 @@
15201 #include <asm/cache.h>
15202 #include <asm/processor-flags.h>
15203 #include <asm/percpu.h>
15204 +#include <asm/cpufeature.h>
15205
15206 #ifdef CONFIG_PARAVIRT
15207 #include <asm/asm-offsets.h>
15208 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15209 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15210 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15211 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15212 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15213 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15214 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15215 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15216
15217 .text
15218 __HEAD
15219 @@ -85,35 +90,22 @@ startup_64:
15220 */
15221 addq %rbp, init_level4_pgt + 0(%rip)
15222 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15223 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15224 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15225 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15226
15227 addq %rbp, level3_ident_pgt + 0(%rip)
15228 +#ifndef CONFIG_XEN
15229 + addq %rbp, level3_ident_pgt + 8(%rip)
15230 +#endif
15231
15232 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15233 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15234 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15235
15236 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15237 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15238 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15239
15240 - /* Add an Identity mapping if I am above 1G */
15241 - leaq _text(%rip), %rdi
15242 - andq $PMD_PAGE_MASK, %rdi
15243 -
15244 - movq %rdi, %rax
15245 - shrq $PUD_SHIFT, %rax
15246 - andq $(PTRS_PER_PUD - 1), %rax
15247 - jz ident_complete
15248 -
15249 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15250 - leaq level3_ident_pgt(%rip), %rbx
15251 - movq %rdx, 0(%rbx, %rax, 8)
15252 -
15253 - movq %rdi, %rax
15254 - shrq $PMD_SHIFT, %rax
15255 - andq $(PTRS_PER_PMD - 1), %rax
15256 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15257 - leaq level2_spare_pgt(%rip), %rbx
15258 - movq %rdx, 0(%rbx, %rax, 8)
15259 -ident_complete:
15260 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15261 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15262
15263 /*
15264 * Fixup the kernel text+data virtual addresses. Note that
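Review bot: `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` is kept, but the `level2_fixmap_pgt` table in this patch now begins with `.fill 507,8,0` and puts its only entry at index 507, so slot 506 is zero when this runs. Adding the load offset to an empty slot leaves a non-zero value there whenever `%rbp` is not zero, which later code that tests the slot for emptiness could misread. Unless another part of the patch fills slot 506 statically, I would drop the 506 line and keep only `addq %rbp, level2_fixmap_pgt + (507*8)(%rip)`. `startup_64` starts before the hunk.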
15265 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
15266 * after the boot processor executes this code.
15267 */
15268
15269 - /* Enable PAE mode and PGE */
15270 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15271 + /* Enable PAE mode and PSE/PGE */
15272 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15273 movq %rax, %cr4
15274
15275 /* Setup early boot stage 4 level pagetables. */
15276 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
15277 movl $MSR_EFER, %ecx
15278 rdmsr
15279 btsl $_EFER_SCE, %eax /* Enable System Call */
15280 - btl $20,%edi /* No Execute supported? */
15281 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15282 jnc 1f
15283 btsl $_EFER_NX, %eax
15284 + leaq init_level4_pgt(%rip), %rdi
15285 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15286 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15287 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15288 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
15289 1: wrmsr /* Make changes effective */
15290
15291 /* Setup cr0 */
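Review bot: Three of the added `btsq $_PAGE_BIT_NX` stores write to `init_level4_pgt`, which a later hunk of this file moves into `.section .rodata`, and the hunk does not say why the write is safe. It appears to rely on running before the `/* Setup cr0 */` step, that is, before write protection is switched on for this CPU; that is my inference from the ordering. A comment such as `/* CR0.WP not yet set: read-only page tables are still writable here */` would stop someone from moving the block below the cr0 setup.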
15292 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
15293 bad_address:
15294 jmp bad_address
15295
15296 - .section ".init.text","ax"
15297 + __INIT
15298 #ifdef CONFIG_EARLY_PRINTK
15299 .globl early_idt_handlers
15300 early_idt_handlers:
15301 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
15302 #endif /* EARLY_PRINTK */
15303 1: hlt
15304 jmp 1b
15305 + .previous
15306
15307 #ifdef CONFIG_EARLY_PRINTK
15308 + __INITDATA
15309 early_recursion_flag:
15310 .long 0
15311 + .previous
15312
15313 + .section .rodata,"a",@progbits
15314 early_idt_msg:
15315 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15316 early_idt_ripmsg:
15317 .asciz "RIP %s\n"
15318 -#endif /* CONFIG_EARLY_PRINTK */
15319 .previous
15320 +#endif /* CONFIG_EARLY_PRINTK */
15321
15322 + .section .rodata,"a",@progbits
15323 #define NEXT_PAGE(name) \
15324 .balign PAGE_SIZE; \
15325 ENTRY(name)
15326 @@ -338,7 +340,6 @@ ENTRY(name)
15327 i = i + 1 ; \
15328 .endr
15329
15330 - .data
15331 /*
15332 * This default setting generates an ident mapping at address 0x100000
15333 * and a mapping for the kernel that precisely maps virtual address
15334 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
15335 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15336 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15337 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15338 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15339 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15340 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15341 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15342 .org init_level4_pgt + L4_START_KERNEL*8, 0
15343 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15344 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15345
15346 +#ifdef CONFIG_PAX_PER_CPU_PGD
15347 +NEXT_PAGE(cpu_pgd)
15348 + .rept NR_CPUS
15349 + .fill 512,8,0
15350 + .endr
15351 +#endif
15352 +
15353 NEXT_PAGE(level3_ident_pgt)
15354 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15355 +#ifdef CONFIG_XEN
15356 .fill 511,8,0
15357 +#else
15358 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15359 + .fill 510,8,0
15360 +#endif
15361 +
15362 +NEXT_PAGE(level3_vmalloc_pgt)
15363 + .fill 512,8,0
15364 +
15365 +NEXT_PAGE(level3_vmemmap_pgt)
15366 + .fill L3_VMEMMAP_START,8,0
15367 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15368
15369 NEXT_PAGE(level3_kernel_pgt)
15370 .fill L3_START_KERNEL,8,0
15371 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
15372 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15373 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15374
15375 +NEXT_PAGE(level2_vmemmap_pgt)
15376 + .fill 512,8,0
15377 +
15378 NEXT_PAGE(level2_fixmap_pgt)
15379 - .fill 506,8,0
15380 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15381 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15382 - .fill 5,8,0
15383 + .fill 507,8,0
15384 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15385 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15386 + .fill 4,8,0
15387
15388 -NEXT_PAGE(level1_fixmap_pgt)
15389 +NEXT_PAGE(level1_vsyscall_pgt)
15390 .fill 512,8,0
15391
15392 -NEXT_PAGE(level2_ident_pgt)
15393 - /* Since I easily can, map the first 1G.
15394 + /* Since I easily can, map the first 2G.
15395 * Don't set NX because code runs from these pages.
15396 */
15397 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15398 +NEXT_PAGE(level2_ident_pgt)
15399 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15400
15401 NEXT_PAGE(level2_kernel_pgt)
15402 /*
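Review bot: The removed `/* Add an Identity mapping if I am above 1G */` code in `startup_64` is replaced here by a static `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)`, so an image loaded above the first 2G has no identity mapping at all, and the comment does not state that limit. Under `CONFIG_XEN`, `level3_ident_pgt` references only the first page of this table, so there the effective range is still 1G. I would extend the comment to `/* Static identity map of the first 2G (1G under Xen); loading the kernel above that is not supported */`. Ideally the load address would also be checked early.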
15403 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
15404 * If you want to increase this then increase MODULES_VADDR
15405 * too.)
15406 */
15407 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15408 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15409 -
15410 -NEXT_PAGE(level2_spare_pgt)
15411 - .fill 512, 8, 0
15412 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15413
15414 #undef PMDS
15415 #undef NEXT_PAGE
15416
15417 - .data
15418 + .align PAGE_SIZE
15419 +ENTRY(cpu_gdt_table)
15420 + .rept NR_CPUS
15421 + .quad 0x0000000000000000 /* NULL descriptor */
15422 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15423 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15424 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15425 + .quad 0x00cffb000000ffff /* __USER32_CS */
15426 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15427 + .quad 0x00affb000000ffff /* __USER_CS */
15428 +
15429 +#ifdef CONFIG_PAX_KERNEXEC
15430 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15431 +#else
15432 + .quad 0x0 /* unused */
15433 +#endif
15434 +
15435 + .quad 0,0 /* TSS */
15436 + .quad 0,0 /* LDT */
15437 + .quad 0,0,0 /* three TLS descriptors */
15438 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15439 + /* asm/segment.h:GDT_ENTRIES must match this */
15440 +
15441 + /* zero the remaining page */
15442 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15443 + .endr
15444 +
15445 .align 16
15446 .globl early_gdt_descr
15447 early_gdt_descr:
15448 .word GDT_ENTRIES*8-1
15449 early_gdt_descr_base:
15450 - .quad INIT_PER_CPU_VAR(gdt_page)
15451 + .quad cpu_gdt_table
15452
15453 ENTRY(phys_base)
15454 /* This must match the first entry in level2_kernel_pgt */
15455 .quad 0x0000000000000000
15456
15457 #include "../../x86/xen/xen-head.S"
15458 -
15459 - .section .bss, "aw", @nobits
15460 +
15461 + .section .rodata,"a",@progbits
15462 .align L1_CACHE_BYTES
15463 ENTRY(idt_table)
15464 - .skip IDT_ENTRIES * 16
15465 + .fill 512,8,0
15466
15467 __PAGE_ALIGNED_BSS
15468 .align PAGE_SIZE
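Review bot: The new `idt_table` reservation, `.fill 512,8,0`, hard-codes the table size where the removed line derived it from `IDT_ENTRIES`, so the two can drift apart if the entry count ever changes. Writing it as `.fill IDT_ENTRIES*2,8,0` keeps the size tied to the constant, assuming 16-byte gates as in the removed `.skip IDT_ENTRIES * 16`. Since the table now lives in `.rodata` instead of `.bss`, a one-line comment above `ENTRY(idt_table)` naming how gates are expected to be written at run time would help the next reader; that write path is not visible in this hunk.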
15469 diff -urNp linux-2.6.39.1/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.1/arch/x86/kernel/i386_ksyms_32.c
15470 --- linux-2.6.39.1/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400
15471 +++ linux-2.6.39.1/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400
15472 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15473 EXPORT_SYMBOL(cmpxchg8b_emu);
15474 #endif
15475
15476 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15477 +
15478 /* Networking helper routines. */
15479 EXPORT_SYMBOL(csum_partial_copy_generic);
15480 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15481 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15482
15483 EXPORT_SYMBOL(__get_user_1);
15484 EXPORT_SYMBOL(__get_user_2);
15485 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15486
15487 EXPORT_SYMBOL(csum_partial);
15488 EXPORT_SYMBOL(empty_zero_page);
15489 +
15490 +#ifdef CONFIG_PAX_KERNEXEC
15491 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15492 +#endif
15493 diff -urNp linux-2.6.39.1/arch/x86/kernel/i8259.c linux-2.6.39.1/arch/x86/kernel/i8259.c
15494 --- linux-2.6.39.1/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400
15495 +++ linux-2.6.39.1/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400
15496 @@ -210,7 +210,7 @@ spurious_8259A_irq:
15497 "spurious 8259A interrupt: IRQ%d.\n", irq);
15498 spurious_irq_mask |= irqmask;
15499 }
15500 - atomic_inc(&irq_err_count);
15501 + atomic_inc_unchecked(&irq_err_count);
15502 /*
15503 * Theoretically we do not have to handle this IRQ,
15504 * but in Linux this does not cause problems and is
15505 diff -urNp linux-2.6.39.1/arch/x86/kernel/init_task.c linux-2.6.39.1/arch/x86/kernel/init_task.c
15506 --- linux-2.6.39.1/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400
15507 +++ linux-2.6.39.1/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400
15508 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15509 * way process stacks are handled. This is done by having a special
15510 * "init_task" linker map entry..
15511 */
15512 -union thread_union init_thread_union __init_task_data =
15513 - { INIT_THREAD_INFO(init_task) };
15514 +union thread_union init_thread_union __init_task_data;
15515
15516 /*
15517 * Initial task structure.
15518 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15519 * section. Since TSS's are completely CPU-local, we want them
15520 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15521 */
15522 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15523 -
15524 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15525 +EXPORT_SYMBOL(init_tss);
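Review bot: `init_tss` becomes a static array of `NR_CPUS` elements, so its size is set by the build-time maximum rather than by the CPUs actually present, which the per-CPU definition it replaces avoided. The `____cacheline_internodealigned_in_smp` attribute applies to the array as a whole. Each element stays on a cacheline boundary, as the comment above requires, only if `struct tss_struct` carries that alignment itself, which is not visible here. A comment next to the definition, for example `/* indexed by CPU number; deliberately not in the per-cpu area */`, together with the reason for the move, would document the trade-off.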
15526 diff -urNp linux-2.6.39.1/arch/x86/kernel/ioport.c linux-2.6.39.1/arch/x86/kernel/ioport.c
15527 --- linux-2.6.39.1/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
15528 +++ linux-2.6.39.1/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400
15529 @@ -6,6 +6,7 @@
15530 #include <linux/sched.h>
15531 #include <linux/kernel.h>
15532 #include <linux/capability.h>
15533 +#include <linux/security.h>
15534 #include <linux/errno.h>
15535 #include <linux/types.h>
15536 #include <linux/ioport.h>
15537 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
15538
15539 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15540 return -EINVAL;
15541 +#ifdef CONFIG_GRKERNSEC_IO
15542 + if (turn_on && grsec_disable_privio) {
15543 + gr_handle_ioperm();
15544 + return -EPERM;
15545 + }
15546 +#endif
15547 if (turn_on && !capable(CAP_SYS_RAWIO))
15548 return -EPERM;
15549
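Review bot: The `grsec_disable_privio` branch in `sys_ioperm` runs before the `capable(CAP_SYS_RAWIO)` test, so `gr_handle_ioperm()` is reached by every caller that passes `turn_on`, privileged or not. If that helper writes a log entry (its body is not on this page), confirm it is rate-limited, since otherwise callers without the capability can generate log volume at will. The same ordering appears in the `sys_iopl` hunk below with `gr_handle_iopl()`. A comment such as `/* privileged I/O disabled system-wide: refuse even with CAP_SYS_RAWIO */` above the `if` would make the intent of the early return explicit.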
15550 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
15551 * because the ->io_bitmap_max value must match the bitmap
15552 * contents:
15553 */
15554 - tss = &per_cpu(init_tss, get_cpu());
15555 + tss = init_tss + get_cpu();
15556
15557 if (turn_on)
15558 bitmap_clear(t->io_bitmap_ptr, from, num);
15559 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
15560 return -EINVAL;
15561 /* Trying to gain more privileges? */
15562 if (level > old) {
15563 +#ifdef CONFIG_GRKERNSEC_IO
15564 + if (grsec_disable_privio) {
15565 + gr_handle_iopl();
15566 + return -EPERM;
15567 + }
15568 +#endif
15569 if (!capable(CAP_SYS_RAWIO))
15570 return -EPERM;
15571 }
15572 diff -urNp linux-2.6.39.1/arch/x86/kernel/irq_32.c linux-2.6.39.1/arch/x86/kernel/irq_32.c
15573 --- linux-2.6.39.1/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400
15574 +++ linux-2.6.39.1/arch/x86/kernel/irq_32.c 2011-05-22 19:36:30.000000000 -0400
15575 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
15576 __asm__ __volatile__("andl %%esp,%0" :
15577 "=r" (sp) : "0" (THREAD_SIZE - 1));
15578
15579 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15580 + return sp < STACK_WARN;
15581 }
15582
15583 static void print_stack_overflow(void)
15584 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
15585 * per-CPU IRQ handling contexts (thread information and stack)
15586 */
15587 union irq_ctx {
15588 - struct thread_info tinfo;
15589 - u32 stack[THREAD_SIZE/sizeof(u32)];
15590 + unsigned long previous_esp;
15591 + u32 stack[THREAD_SIZE/sizeof(u32)];
15592 } __attribute__((aligned(THREAD_SIZE)));
15593
15594 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
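Review bot: The comment above `union irq_ctx` still reads "per-CPU IRQ handling contexts (thread information and stack)", but the hunk removes the `struct thread_info tinfo` member and leaves only `previous_esp` and `stack`. The comment should follow the code, for example `* per-CPU IRQ handling contexts (saved stack pointer and stack)`. It is also worth saying there that `previous_esp` overlays the lowest word of `stack`, since both are members of the same union.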
15595 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
15596 static inline int
15597 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15598 {
15599 - union irq_ctx *curctx, *irqctx;
15600 + union irq_ctx *irqctx;
15601 u32 *isp, arg1, arg2;
15602
15603 - curctx = (union irq_ctx *) current_thread_info();
15604 irqctx = __this_cpu_read(hardirq_ctx);
15605
15606 /*
15607 @@ -87,21 +86,17 @@ execute_on_irq_stack(int overflow, struc
15608 * handler) we can't do that and just have to keep using the
15609 * current stack (which is the irq stack already after all)
15610 */
15611 - if (unlikely(curctx == irqctx))
15612 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15613 return 0;
15614
15615 /* build the stack frame on the IRQ stack */
15616 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15617 - irqctx->tinfo.task = curctx->tinfo.task;
15618 - irqctx->tinfo.previous_esp = current_stack_pointer;
15619 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15620 + irqctx->previous_esp = current_stack_pointer;
15621 + add_preempt_count(HARDIRQ_OFFSET);
15622
15623 - /*
15624 - * Copy the softirq bits in preempt_count so that the
15625 - * softirq checks work in the hardirq context.
15626 - */
15627 - irqctx->tinfo.preempt_count =
15628 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15629 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15630 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15631 + __set_fs(MAKE_MM_SEG(0));
15632 +#endif
15633
15634 if (unlikely(overflow))
15635 call_on_stack(print_stack_overflow, isp);
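Review bot: The new "already on the IRQ stack" test, `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE`, subtracts two `void *` values, which is a GNU extension and yields a signed difference. It rejects a stack pointer below `irqctx` only because the comparison is converted to unsigned, which depends on `THREAD_SIZE` having an unsigned type. That type is not visible in this hunk. Spelling the arithmetic out removes the dependency: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. `execute_on_irq_stack` starts and ends outside the hunk.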
15636 @@ -113,6 +108,12 @@ execute_on_irq_stack(int overflow, struc
15637 : "0" (irq), "1" (desc), "2" (isp),
15638 "D" (desc->handle_irq)
15639 : "memory", "cc", "ecx");
15640 +
15641 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15642 + __set_fs(current_thread_info()->addr_limit);
15643 +#endif
15644 +
15645 + sub_preempt_count(HARDIRQ_OFFSET);
15646 return 1;
15647 }
15648
15649 @@ -121,29 +122,11 @@ execute_on_irq_stack(int overflow, struc
15650 */
15651 void __cpuinit irq_ctx_init(int cpu)
15652 {
15653 - union irq_ctx *irqctx;
15654 -
15655 if (per_cpu(hardirq_ctx, cpu))
15656 return;
15657
15658 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15659 - THREAD_FLAGS,
15660 - THREAD_ORDER));
15661 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15662 - irqctx->tinfo.cpu = cpu;
15663 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15664 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15665 -
15666 - per_cpu(hardirq_ctx, cpu) = irqctx;
15667 -
15668 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15669 - THREAD_FLAGS,
15670 - THREAD_ORDER));
15671 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15672 - irqctx->tinfo.cpu = cpu;
15673 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15674 -
15675 - per_cpu(softirq_ctx, cpu) = irqctx;
15676 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15677 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15678
15679 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15680 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
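Review bot: Both new assignments in `irq_ctx_init` pass the result of `alloc_pages_node()` straight to `page_address()`, with no check for a failed allocation. The removed code would have faulted at once in its `memset()`. Now that the `memset()` is gone, a failure would only surface when the first interrupt switches to the bad stack. Taking the page into a local and checking it first, `struct page *pg = alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER);` followed by `BUG_ON(!pg);`, keeps the failure at the allocation site. The function body continues outside the hunk.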
15681 @@ -152,7 +135,6 @@ void __cpuinit irq_ctx_init(int cpu)
15682 asmlinkage void do_softirq(void)
15683 {
15684 unsigned long flags;
15685 - struct thread_info *curctx;
15686 union irq_ctx *irqctx;
15687 u32 *isp;
15688
15689 @@ -162,15 +144,22 @@ asmlinkage void do_softirq(void)
15690 local_irq_save(flags);
15691
15692 if (local_softirq_pending()) {
15693 - curctx = current_thread_info();
15694 irqctx = __this_cpu_read(softirq_ctx);
15695 - irqctx->tinfo.task = curctx->task;
15696 - irqctx->tinfo.previous_esp = current_stack_pointer;
15697 + irqctx->previous_esp = current_stack_pointer;
15698
15699 /* build the stack frame on the softirq stack */
15700 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15701 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15702 +
15703 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15704 + __set_fs(MAKE_MM_SEG(0));
15705 +#endif
15706
15707 call_on_stack(__do_softirq, isp);
15708 +
15709 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15710 + __set_fs(current_thread_info()->addr_limit);
15711 +#endif
15712 +
15713 /*
15714 * Shouldn't happen, we returned above if in_interrupt():
15715 */
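Review bot: The initial stack pointer in `do_softirq` is now `(char *)irqctx + sizeof(*irqctx) - 8`, and nothing says what the 8 bytes at the top of the stack are reserved for. The same literal appears in the `execute_on_irq_stack` hunk above. A named constant, or a comment at both sites stating what occupies that space, would keep the two in step with whatever code reads it. `do_softirq` continues outside the hunk.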
15716 diff -urNp linux-2.6.39.1/arch/x86/kernel/irq.c linux-2.6.39.1/arch/x86/kernel/irq.c
15717 --- linux-2.6.39.1/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400
15718 +++ linux-2.6.39.1/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400
15719 @@ -17,7 +17,7 @@
15720 #include <asm/mce.h>
15721 #include <asm/hw_irq.h>
15722
15723 -atomic_t irq_err_count;
15724 +atomic_unchecked_t irq_err_count;
15725
15726 /* Function pointer for generic interrupt vector handling */
15727 void (*x86_platform_ipi_callback)(void) = NULL;
15728 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
15729 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
15730 seq_printf(p, " Machine check polls\n");
15731 #endif
15732 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
15733 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
15734 #if defined(CONFIG_X86_IO_APIC)
15735 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
15736 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
15737 #endif
15738 return 0;
15739 }
15740 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
15741
15742 u64 arch_irq_stat(void)
15743 {
15744 - u64 sum = atomic_read(&irq_err_count);
15745 + u64 sum = atomic_read_unchecked(&irq_err_count);
15746
15747 #ifdef CONFIG_X86_IO_APIC
15748 - sum += atomic_read(&irq_mis_count);
15749 + sum += atomic_read_unchecked(&irq_mis_count);
15750 #endif
15751 return sum;
15752 }
15753 diff -urNp linux-2.6.39.1/arch/x86/kernel/kgdb.c linux-2.6.39.1/arch/x86/kernel/kgdb.c
15754 --- linux-2.6.39.1/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
15755 +++ linux-2.6.39.1/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
15756 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
15757 #ifdef CONFIG_X86_32
15758 switch (regno) {
15759 case GDB_SS:
15760 - if (!user_mode_vm(regs))
15761 + if (!user_mode(regs))
15762 *(unsigned long *)mem = __KERNEL_DS;
15763 break;
15764 case GDB_SP:
15765 - if (!user_mode_vm(regs))
15766 + if (!user_mode(regs))
15767 *(unsigned long *)mem = kernel_stack_pointer(regs);
15768 break;
15769 case GDB_GS:
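Review bot: In `dbg_get_reg` the checks for `GDB_SS` and `GDB_SP` switch from `user_mode_vm(regs)` to `user_mode(regs)` with no comment, and the definition of `user_mode()` is not on this page. In mainline of this era `user_mode()` looks only at the CS privilege level while `user_mode_vm()` also accounts for VM86 frames. The change is therefore equivalent only if the patch redefines `user_mode()` to cover VM86, and otherwise a VM86 frame would be treated as a kernel frame here. The same substitution is made in `kprobe_exceptions_notify` in kprobes.c. A short note in the commit or at the call sites, pointing to the new definition, would settle it.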
15770 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
15771 case 'k':
15772 /* clear the trace bit */
15773 linux_regs->flags &= ~X86_EFLAGS_TF;
15774 - atomic_set(&kgdb_cpu_doing_single_step, -1);
15775 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
15776
15777 /* set the trace bit if we're stepping */
15778 if (remcomInBuffer[0] == 's') {
15779 linux_regs->flags |= X86_EFLAGS_TF;
15780 - atomic_set(&kgdb_cpu_doing_single_step,
15781 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
15782 raw_smp_processor_id());
15783 }
15784
15785 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
15786 return NOTIFY_DONE;
15787
15788 case DIE_DEBUG:
15789 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
15790 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
15791 if (user_mode(regs))
15792 return single_step_cont(regs, args);
15793 break;
15794 @@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
15795 regs->ip = ip;
15796 }
15797
15798 -struct kgdb_arch arch_kgdb_ops = {
15799 +const struct kgdb_arch arch_kgdb_ops = {
15800 /* Breakpoint instruction: */
15801 .gdb_bpt_instr = { 0xcc },
15802 .flags = KGDB_HW_BREAKPOINT,
15803 diff -urNp linux-2.6.39.1/arch/x86/kernel/kprobes.c linux-2.6.39.1/arch/x86/kernel/kprobes.c
15804 --- linux-2.6.39.1/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
15805 +++ linux-2.6.39.1/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400
15806 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
15807 } __attribute__((packed)) *insn;
15808
15809 insn = (struct __arch_relative_insn *)from;
15810 +
15811 + pax_open_kernel();
15812 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
15813 insn->op = op;
15814 + pax_close_kernel();
15815 }
15816
15817 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
15818 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
15819 kprobe_opcode_t opcode;
15820 kprobe_opcode_t *orig_opcodes = opcodes;
15821
15822 - if (search_exception_tables((unsigned long)opcodes))
15823 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
15824 return 0; /* Page fault may occur on this address. */
15825
15826 retry:
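Review bot: `can_boost()` now converts its argument back with `ktva_ktla()` before calling `search_exception_tables()`, so it expects a caller that has already applied `ktla_ktva()`, as `arch_copy_kprobe` does further down. Nothing at the function states this. A comment above it, such as `/* opcodes must be the ktla_ktva()-translated address of the probed instruction */`, would stop a later caller from passing `p->addr` directly. The function body continues outside the hunk.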
15827 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
15828 }
15829 }
15830 insn_get_length(&insn);
15831 + pax_open_kernel();
15832 memcpy(dest, insn.kaddr, insn.length);
15833 + pax_close_kernel();
15834
15835 #ifdef CONFIG_X86_64
15836 if (insn_rip_relative(&insn)) {
15837 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
15838 (u8 *) dest;
15839 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
15840 disp = (u8 *) dest + insn_offset_displacement(&insn);
15841 + pax_open_kernel();
15842 *(s32 *) disp = (s32) newdisp;
15843 + pax_close_kernel();
15844 }
15845 #endif
15846 return insn.length;
15847 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
15848 */
15849 __copy_instruction(p->ainsn.insn, p->addr, 0);
15850
15851 - if (can_boost(p->addr))
15852 + if (can_boost(ktla_ktva(p->addr)))
15853 p->ainsn.boostable = 0;
15854 else
15855 p->ainsn.boostable = -1;
15856
15857 - p->opcode = *p->addr;
15858 + p->opcode = *(ktla_ktva(p->addr));
15859 }
15860
15861 int __kprobes arch_prepare_kprobe(struct kprobe *p)
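Review bot: `ktla_ktva()` is given a `kprobe_opcode_t *` here (`ktla_ktva(p->addr)`), an `unsigned long` in `kprobe_handler`, a `long` in `arch_prepare_optimized_kprobe` and a function pointer for `optimized_callback`. If the helper is a macro that adds an offset, the pointer forms scale by the pointee size and give the intended address only when that size is one byte. Its definition is not visible in these hunks. Using one form throughout, for example `p->opcode = *(kprobe_opcode_t *)ktla_ktva((unsigned long)p->addr);` as `kprobe_handler` does, removes that dependency.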
15862 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
15863 * nor set current_kprobe, because it doesn't use single
15864 * stepping.
15865 */
15866 - regs->ip = (unsigned long)p->ainsn.insn;
15867 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15868 preempt_enable_no_resched();
15869 return;
15870 }
15871 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
15872 if (p->opcode == BREAKPOINT_INSTRUCTION)
15873 regs->ip = (unsigned long)p->addr;
15874 else
15875 - regs->ip = (unsigned long)p->ainsn.insn;
15876 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15877 }
15878
15879 /*
15880 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
15881 setup_singlestep(p, regs, kcb, 0);
15882 return 1;
15883 }
15884 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
15885 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
15886 /*
15887 * The breakpoint instruction was removed right
15888 * after we hit it. Another cpu has removed
15889 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
15890 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
15891 {
15892 unsigned long *tos = stack_addr(regs);
15893 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
15894 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
15895 unsigned long orig_ip = (unsigned long)p->addr;
15896 kprobe_opcode_t *insn = p->ainsn.insn;
15897
15898 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
15899 struct die_args *args = data;
15900 int ret = NOTIFY_DONE;
15901
15902 - if (args->regs && user_mode_vm(args->regs))
15903 + if (args->regs && user_mode(args->regs))
15904 return ret;
15905
15906 switch (val) {
15907 @@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr
15908 * Verify if the address gap is in 2GB range, because this uses
15909 * a relative jump.
15910 */
15911 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
15912 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
15913 if (abs(rel) > 0x7fffffff)
15914 return -ERANGE;
15915
15916 @@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr
15917 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
15918
15919 /* Set probe function call */
15920 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
15921 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
15922
15923 /* Set returning jmp instruction at the tail of out-of-line buffer */
15924 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
15925 - (u8 *)op->kp.addr + op->optinsn.size);
15926 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
15927
15928 flush_icache_range((unsigned long) buf,
15929 (unsigned long) buf + TMPL_END_IDX +
15930 @@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr
15931 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
15932
15933 /* Backup instructions which will be replaced by jump address */
15934 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
15935 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
15936 RELATIVE_ADDR_SIZE);
15937
15938 insn_buf[0] = RELATIVEJUMP_OPCODE;
15939 diff -urNp linux-2.6.39.1/arch/x86/kernel/ldt.c linux-2.6.39.1/arch/x86/kernel/ldt.c
15940 --- linux-2.6.39.1/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400
15941 +++ linux-2.6.39.1/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400
15942 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
15943 if (reload) {
15944 #ifdef CONFIG_SMP
15945 preempt_disable();
15946 - load_LDT(pc);
15947 + load_LDT_nolock(pc);
15948 if (!cpumask_equal(mm_cpumask(current->mm),
15949 cpumask_of(smp_processor_id())))
15950 smp_call_function(flush_ldt, current->mm, 1);
15951 preempt_enable();
15952 #else
15953 - load_LDT(pc);
15954 + load_LDT_nolock(pc);
15955 #endif
15956 }
15957 if (oldsize) {
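Review bot: In the `#else` (non-SMP) branch of `alloc_ldt`, `load_LDT_nolock(pc)` is now called with no `preempt_disable()` around it, unlike the SMP branch a few lines up. If `load_LDT()` was the wrapper that disabled preemption around `load_LDT_nolock()`, as in mainline, a preemptible uniprocessor build loses that protection. Either keep `load_LDT(pc);` in the `#else` branch or add a comment explaining why preemption cannot matter there. `alloc_ldt` starts and ends outside the hunk.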
15958 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
15959 return err;
15960
15961 for (i = 0; i < old->size; i++)
15962 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
15963 + write_ldt_entry(new->ldt, i, old->ldt + i);
15964 return 0;
15965 }
15966
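Review bot: In `copy_ldt` the source of each entry changes from `old->ldt + i * LDT_ENTRY_SIZE` to `old->ldt + i`, which is correct only if the `ldt` field is now a pointer to a descriptor-sized type. With a `void *` or byte pointer the new expression would step one byte per entry and copy overlapping garbage. The retyped field is not visible in this hunk, so the dependency deserves a comment or a build-time check. One option is `BUILD_BUG_ON(sizeof(*old->ldt) != LDT_ENTRY_SIZE);` at the top of the function, which starts outside the hunk.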
15967 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
15968 retval = copy_ldt(&mm->context, &old_mm->context);
15969 mutex_unlock(&old_mm->context.lock);
15970 }
15971 +
15972 + if (tsk == current) {
15973 + mm->context.vdso = 0;
15974 +
15975 +#ifdef CONFIG_X86_32
15976 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15977 + mm->context.user_cs_base = 0UL;
15978 + mm->context.user_cs_limit = ~0UL;
15979 +
15980 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
15981 + cpus_clear(mm->context.cpu_user_cs_mask);
15982 +#endif
15983 +
15984 +#endif
15985 +#endif
15986 +
15987 + }
15988 +
15989 return retval;
15990 }
15991
15992 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
15993 }
15994 }
15995
15996 +#ifdef CONFIG_PAX_SEGMEXEC
15997 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
15998 + error = -EINVAL;
15999 + goto out_unlock;
16000 + }
16001 +#endif
16002 +
16003 fill_ldt(&ldt, &ldt_info);
16004 if (oldmode)
16005 ldt.avl = 0;
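Review bot: The new SEGMEXEC check in `write_ldt` tests `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE`, a bit test rather than an equality, and no comment says which descriptor types it is meant to refuse. If the constant is the single bit 2, as in mainline, the test also matches the value 3 (conforming code), which looks intended. A comment above the `if` would record that, for example `/* SEGMEXEC: refuse every user-defined code segment, conforming or not */`. `write_ldt` starts and ends outside the hunk.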
16006 diff -urNp linux-2.6.39.1/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.1/arch/x86/kernel/machine_kexec_32.c
16007 --- linux-2.6.39.1/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400
16008 +++ linux-2.6.39.1/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400
16009 @@ -27,7 +27,7 @@
16010 #include <asm/cacheflush.h>
16011 #include <asm/debugreg.h>
16012
16013 -static void set_idt(void *newidt, __u16 limit)
16014 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16015 {
16016 struct desc_ptr curidt;
16017
16018 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
16019 }
16020
16021
16022 -static void set_gdt(void *newgdt, __u16 limit)
16023 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16024 {
16025 struct desc_ptr curgdt;
16026
16027 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16028 }
16029
16030 control_page = page_address(image->control_code_page);
16031 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16032 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16033
16034 relocate_kernel_ptr = control_page;
16035 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16036 diff -urNp linux-2.6.39.1/arch/x86/kernel/microcode_amd.c linux-2.6.39.1/arch/x86/kernel/microcode_amd.c
16037 --- linux-2.6.39.1/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400
16038 +++ linux-2.6.39.1/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400
16039 @@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c
16040 uci->mc = NULL;
16041 }
16042
16043 -static struct microcode_ops microcode_amd_ops = {
16044 +static const struct microcode_ops microcode_amd_ops = {
16045 .request_microcode_user = request_microcode_user,
16046 .request_microcode_fw = request_microcode_amd,
16047 .collect_cpu_info = collect_cpu_info_amd,
16048 @@ -347,7 +347,7 @@ static struct microcode_ops microcode_am
16049 .microcode_fini_cpu = microcode_fini_cpu_amd,
16050 };
16051
16052 -struct microcode_ops * __init init_amd_microcode(void)
16053 +const struct microcode_ops * __init init_amd_microcode(void)
16054 {
16055 return &microcode_amd_ops;
16056 }
16057 diff -urNp linux-2.6.39.1/arch/x86/kernel/microcode_core.c linux-2.6.39.1/arch/x86/kernel/microcode_core.c
16058 --- linux-2.6.39.1/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400
16059 +++ linux-2.6.39.1/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400
16060 @@ -93,7 +93,7 @@ MODULE_LICENSE("GPL");
16061
16062 #define MICROCODE_VERSION "2.00"
16063
16064 -static struct microcode_ops *microcode_ops;
16065 +static const struct microcode_ops *microcode_ops;
16066
16067 /*
16068 * Synchronization.
16069 diff -urNp linux-2.6.39.1/arch/x86/kernel/microcode_intel.c linux-2.6.39.1/arch/x86/kernel/microcode_intel.c
16070 --- linux-2.6.39.1/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400
16071 +++ linux-2.6.39.1/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400
16072 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
16073
16074 static int get_ucode_user(void *to, const void *from, size_t n)
16075 {
16076 - return copy_from_user(to, from, n);
16077 + return copy_from_user(to, (__force const void __user *)from, n);
16078 }
16079
16080 static enum ucode_state
16081 request_microcode_user(int cpu, const void __user *buf, size_t size)
16082 {
16083 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16084 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
16085 }
16086
16087 static void microcode_fini_cpu(int cpu)
16088 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
16089 uci->mc = NULL;
16090 }
16091
16092 -static struct microcode_ops microcode_intel_ops = {
16093 +static const struct microcode_ops microcode_intel_ops = {
16094 .request_microcode_user = request_microcode_user,
16095 .request_microcode_fw = request_microcode_fw,
16096 .collect_cpu_info = collect_cpu_info,
16097 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
16098 .microcode_fini_cpu = microcode_fini_cpu,
16099 };
16100
16101 -struct microcode_ops * __init init_intel_microcode(void)
16102 +const struct microcode_ops * __init init_intel_microcode(void)
16103 {
16104 return &microcode_intel_ops;
16105 }
16106 diff -urNp linux-2.6.39.1/arch/x86/kernel/module.c linux-2.6.39.1/arch/x86/kernel/module.c
16107 --- linux-2.6.39.1/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
16108 +++ linux-2.6.39.1/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
16109 @@ -35,21 +35,66 @@
16110 #define DEBUGP(fmt...)
16111 #endif
16112
16113 -void *module_alloc(unsigned long size)
16114 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
16115 {
16116 if (PAGE_ALIGN(size) > MODULES_LEN)
16117 return NULL;
16118 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
16119 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
16120 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
16121 -1, __builtin_return_address(0));
16122 }
16123
16124 +void *module_alloc(unsigned long size)
16125 +{
16126 +
16127 +#ifdef CONFIG_PAX_KERNEXEC
16128 + return __module_alloc(size, PAGE_KERNEL);
16129 +#else
16130 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16131 +#endif
16132 +
16133 +}
16134 +
16135 /* Free memory returned from module_alloc */
16136 void module_free(struct module *mod, void *module_region)
16137 {
16138 vfree(module_region);
16139 }
16140
16141 +#ifdef CONFIG_PAX_KERNEXEC
16142 +#ifdef CONFIG_X86_32
16143 +void *module_alloc_exec(unsigned long size)
16144 +{
16145 + struct vm_struct *area;
16146 +
16147 + if (size == 0)
16148 + return NULL;
16149 +
16150 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16151 + return area ? area->addr : NULL;
16152 +}
16153 +EXPORT_SYMBOL(module_alloc_exec);
16154 +
16155 +void module_free_exec(struct module *mod, void *module_region)
16156 +{
16157 + vunmap(module_region);
16158 +}
16159 +EXPORT_SYMBOL(module_free_exec);
16160 +#else
16161 +void module_free_exec(struct module *mod, void *module_region)
16162 +{
16163 + module_free(mod, module_region);
16164 +}
16165 +EXPORT_SYMBOL(module_free_exec);
16166 +
16167 +void *module_alloc_exec(unsigned long size)
16168 +{
16169 + return __module_alloc(size, PAGE_KERNEL_RX);
16170 +}
16171 +EXPORT_SYMBOL(module_alloc_exec);
16172 +#endif
16173 +#endif
16174 +
16175 /* We don't need anything special. */
16176 int module_frob_arch_sections(Elf_Ehdr *hdr,
16177 Elf_Shdr *sechdrs,
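Review bot: The new `module_alloc_exec()` / `module_free_exec()` pair has no comments, while the existing `module_free()` carries "Free memory returned from module_alloc". That matters here because the 32-bit `module_free_exec()` calls `vunmap()` and `module_free()` calls `vfree()`, so handing a region to the wrong one is a mismatch. Under `CONFIG_PAX_KERNEXEC`, `module_alloc()` also now returns `PAGE_KERNEL` memory and the 64-bit `module_alloc_exec()` returns `PAGE_KERNEL_RX`, a writable/executable split that callers have to know about. Suggested comments: `/* Executable, non-writable module memory; release with module_free_exec() */` on both `module_alloc_exec()` variants and `/* Free memory returned from module_alloc_exec */` on both `module_free_exec()` variants. The 32-bit variant also rejects `size == 0` explicitly while the 64-bit one relies on `__module_alloc()`; making the two agree would be tidier.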
16178 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16179 unsigned int i;
16180 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16181 Elf32_Sym *sym;
16182 - uint32_t *location;
16183 + uint32_t *plocation, location;
16184
16185 DEBUGP("Applying relocate section %u to %u\n", relsec,
16186 sechdrs[relsec].sh_info);
16187 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16188 /* This is where to make the change */
16189 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16190 - + rel[i].r_offset;
16191 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16192 + location = (uint32_t)plocation;
16193 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16194 + plocation = ktla_ktva((void *)plocation);
16195 /* This is the symbol it is referring to. Note that all
16196 undefined symbols have been resolved. */
16197 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
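Review bot: `apply_relocate` now keeps two views of the same target, `plocation` (a pointer, translated with `ktla_ktva()` for `SHF_EXECINSTR` sections) and `location` (the untranslated address as an integer), and the names alone do not say which is which. The next hunk writes through `plocation` but subtracts `location` for `R_386_PC32`, so the distinction affects the computed relocation. Extending the comment above the assignment would make it readable, for example `/* plocation: where we write; location: the address the code will run at, used for PC-relative math */`. The loop body continues outside this hunk.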
16198 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16199 switch (ELF32_R_TYPE(rel[i].r_info)) {
16200 case R_386_32:
16201 /* We add the value into the location given */
16202 - *location += sym->st_value;
16203 + pax_open_kernel();
16204 + *plocation += sym->st_value;
16205 + pax_close_kernel();
16206 break;
16207 case R_386_PC32:
16208 /* Add the value, subtract its postition */
16209 - *location += sym->st_value - (uint32_t)location;
16210 + pax_open_kernel();
16211 + *plocation += sym->st_value - location;
16212 + pax_close_kernel();
16213 break;
16214 default:
16215 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16216 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16217 case R_X86_64_NONE:
16218 break;
16219 case R_X86_64_64:
16220 + pax_open_kernel();
16221 *(u64 *)loc = val;
16222 + pax_close_kernel();
16223 break;
16224 case R_X86_64_32:
16225 + pax_open_kernel();
16226 *(u32 *)loc = val;
16227 + pax_close_kernel();
16228 if (val != *(u32 *)loc)
16229 goto overflow;
16230 break;
16231 case R_X86_64_32S:
16232 + pax_open_kernel();
16233 *(s32 *)loc = val;
16234 + pax_close_kernel();
16235 if ((s64)val != *(s32 *)loc)
16236 goto overflow;
16237 break;
16238 case R_X86_64_PC32:
16239 val -= (u64)loc;
16240 + pax_open_kernel();
16241 *(u32 *)loc = val;
16242 + pax_close_kernel();
16243 +
16244 #if 0
16245 if ((s64)val != *(s32 *)loc)
16246 goto overflow;
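Review bot: For `R_X86_64_32` and `R_X86_64_32S` in `apply_relocate_add`, the store inside `pax_open_kernel()` / `pax_close_kernel()` happens before the overflow test. A relocation that is about to be rejected has therefore already written a truncated value, and opened the kernel for writing to do so. Checking first avoids both: `if (val != (u32)val) goto overflow;` ahead of the 32-bit store and `if ((s64)val != (s32)val) goto overflow;` ahead of the signed one. The function body starts outside the hunk, so the type of `val` is inferred from the `val -= (u64)loc` line.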
16247 diff -urNp linux-2.6.39.1/arch/x86/kernel/paravirt.c linux-2.6.39.1/arch/x86/kernel/paravirt.c
16248 --- linux-2.6.39.1/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400
16249 +++ linux-2.6.39.1/arch/x86/kernel/paravirt.c 2011-05-22 19:36:30.000000000 -0400
16250 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16251 * corresponding structure. */
16252 static void *get_call_destination(u8 type)
16253 {
16254 - struct paravirt_patch_template tmpl = {
16255 + const struct paravirt_patch_template tmpl = {
16256 .pv_init_ops = pv_init_ops,
16257 .pv_time_ops = pv_time_ops,
16258 .pv_cpu_ops = pv_cpu_ops,
16259 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
16260 .pv_lock_ops = pv_lock_ops,
16261 #endif
16262 };
16263 +
16264 + pax_track_stack();
16265 +
16266 return *((void **)&tmpl + type);
16267 }
16268
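Review bot: `tmpl` in `get_call_destination` is made `const` in the previous hunk, but the return statement still casts its address to `void **`, which discards the qualifier the change just added. Keeping the cast const-correct costs nothing: `return *((void * const *)&tmpl + type);`. The index `type` is a `u8` with no range check visible in these hunks, so a comment stating the bound callers guarantee would also be useful.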
16269 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
16270 if (opfunc == NULL)
16271 /* If there's no function, patch it with a ud2a (BUG) */
16272 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16273 - else if (opfunc == _paravirt_nop)
16274 + else if (opfunc == (void *)_paravirt_nop)
16275 /* If the operation is a nop, then nop the callsite */
16276 ret = paravirt_patch_nop();
16277
16278 /* identity functions just return their single argument */
16279 - else if (opfunc == _paravirt_ident_32)
16280 + else if (opfunc == (void *)_paravirt_ident_32)
16281 ret = paravirt_patch_ident_32(insnbuf, len);
16282 - else if (opfunc == _paravirt_ident_64)
16283 + else if (opfunc == (void *)_paravirt_ident_64)
16284 ret = paravirt_patch_ident_64(insnbuf, len);
16285
16286 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16287 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
16288 if (insn_len > len || start == NULL)
16289 insn_len = len;
16290 else
16291 - memcpy(insnbuf, start, insn_len);
16292 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16293
16294 return insn_len;
16295 }
16296 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
16297 preempt_enable();
16298 }
16299
16300 -struct pv_info pv_info = {
16301 +struct pv_info pv_info __read_only = {
16302 .name = "bare hardware",
16303 .paravirt_enabled = 0,
16304 .kernel_rpl = 0,
16305 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16306 };
16307
16308 -struct pv_init_ops pv_init_ops = {
16309 +struct pv_init_ops pv_init_ops __read_only = {
16310 .patch = native_patch,
16311 };
16312
16313 -struct pv_time_ops pv_time_ops = {
16314 +struct pv_time_ops pv_time_ops __read_only = {
16315 .sched_clock = native_sched_clock,
16316 };
16317
16318 -struct pv_irq_ops pv_irq_ops = {
16319 +struct pv_irq_ops pv_irq_ops __read_only = {
16320 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16321 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16322 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
16323 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
16324 #endif
16325 };
16326
16327 -struct pv_cpu_ops pv_cpu_ops = {
16328 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16329 .cpuid = native_cpuid,
16330 .get_debugreg = native_get_debugreg,
16331 .set_debugreg = native_set_debugreg,
16332 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
16333 .end_context_switch = paravirt_nop,
16334 };
16335
16336 -struct pv_apic_ops pv_apic_ops = {
16337 +struct pv_apic_ops pv_apic_ops __read_only = {
16338 #ifdef CONFIG_X86_LOCAL_APIC
16339 .startup_ipi_hook = paravirt_nop,
16340 #endif
16341 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
16342 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16343 #endif
16344
16345 -struct pv_mmu_ops pv_mmu_ops = {
16346 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16347
16348 .read_cr2 = native_read_cr2,
16349 .write_cr2 = native_write_cr2,
16350 @@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16351 },
16352
16353 .set_fixmap = native_set_fixmap,
16354 +
16355 +#ifdef CONFIG_PAX_KERNEXEC
16356 + .pax_open_kernel = native_pax_open_kernel,
16357 + .pax_close_kernel = native_pax_close_kernel,
16358 +#endif
16359 +
16360 };
16361
16362 EXPORT_SYMBOL_GPL(pv_time_ops);
16363 diff -urNp linux-2.6.39.1/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.1/arch/x86/kernel/paravirt-spinlocks.c
16364 --- linux-2.6.39.1/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400
16365 +++ linux-2.6.39.1/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400
16366 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
16367 arch_spin_lock(lock);
16368 }
16369
16370 -struct pv_lock_ops pv_lock_ops = {
16371 +struct pv_lock_ops pv_lock_ops __read_only = {
16372 #ifdef CONFIG_SMP
16373 .spin_is_locked = __ticket_spin_is_locked,
16374 .spin_is_contended = __ticket_spin_is_contended,
16375 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.1/arch/x86/kernel/pci-calgary_64.c
16376 --- linux-2.6.39.1/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400
16377 +++ linux-2.6.39.1/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400
16378 @@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru
16379 static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl);
16380 static void get_tce_space_from_tar(void);
16381
16382 -static struct cal_chipset_ops calgary_chip_ops = {
16383 +static const struct cal_chipset_ops calgary_chip_ops = {
16384 .handle_quirks = calgary_handle_quirks,
16385 .tce_cache_blast = calgary_tce_cache_blast,
16386 .dump_error_regs = calgary_dump_error_regs
16387 };
16388
16389 -static struct cal_chipset_ops calioc2_chip_ops = {
16390 +static const struct cal_chipset_ops calioc2_chip_ops = {
16391 .handle_quirks = calioc2_handle_quirks,
16392 .tce_cache_blast = calioc2_tce_cache_blast,
16393 .dump_error_regs = calioc2_dump_error_regs
16394 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
16395 free_pages((unsigned long)vaddr, get_order(size));
16396 }
16397
16398 -static struct dma_map_ops calgary_dma_ops = {
16399 +static const struct dma_map_ops calgary_dma_ops = {
16400 .alloc_coherent = calgary_alloc_coherent,
16401 .free_coherent = calgary_free_coherent,
16402 .map_sg = calgary_map_sg,
16403 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-dma.c linux-2.6.39.1/arch/x86/kernel/pci-dma.c
16404 --- linux-2.6.39.1/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
16405 +++ linux-2.6.39.1/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
16406 @@ -16,7 +16,7 @@
16407
16408 static int forbid_dac __read_mostly;
16409
16410 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
16411 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
16412 EXPORT_SYMBOL(dma_ops);
16413
16414 static int iommu_sac_force __read_mostly;
16415 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
16416
16417 int dma_supported(struct device *dev, u64 mask)
16418 {
16419 - struct dma_map_ops *ops = get_dma_ops(dev);
16420 + const struct dma_map_ops *ops = get_dma_ops(dev);
16421
16422 #ifdef CONFIG_PCI
16423 if (mask > 0xffffffff && forbid_dac > 0) {
16424 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-gart_64.c linux-2.6.39.1/arch/x86/kernel/pci-gart_64.c
16425 --- linux-2.6.39.1/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400
16426 +++ linux-2.6.39.1/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400
16427 @@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a
16428 return -1;
16429 }
16430
16431 -static struct dma_map_ops gart_dma_ops = {
16432 +static const struct dma_map_ops gart_dma_ops = {
16433 .map_sg = gart_map_sg,
16434 .unmap_sg = gart_unmap_sg,
16435 .map_page = gart_map_page,
16436 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.1/arch/x86/kernel/pci-iommu_table.c
16437 --- linux-2.6.39.1/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400
16438 +++ linux-2.6.39.1/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400
16439 @@ -2,7 +2,7 @@
16440 #include <asm/iommu_table.h>
16441 #include <linux/string.h>
16442 #include <linux/kallsyms.h>
16443 -
16444 +#include <linux/sched.h>
16445
16446 #define DEBUG 1
16447
16448 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
16449 char sym_p[KSYM_SYMBOL_LEN];
16450 char sym_q[KSYM_SYMBOL_LEN];
16451
16452 + pax_track_stack();
16453 +
16454 /* Simple cyclic dependency checker. */
16455 for (p = start; p < finish; p++) {
16456 q = find_dependents_of(start, finish, p);
16457 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-nommu.c linux-2.6.39.1/arch/x86/kernel/pci-nommu.c
16458 --- linux-2.6.39.1/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400
16459 +++ linux-2.6.39.1/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400
16460 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
16461 flush_write_buffers();
16462 }
16463
16464 -struct dma_map_ops nommu_dma_ops = {
16465 +const struct dma_map_ops nommu_dma_ops = {
16466 .alloc_coherent = dma_generic_alloc_coherent,
16467 .free_coherent = nommu_free_coherent,
16468 .map_sg = nommu_map_sg,
16469 diff -urNp linux-2.6.39.1/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.1/arch/x86/kernel/pci-swiotlb.c
16470 --- linux-2.6.39.1/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
16471 +++ linux-2.6.39.1/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
16472 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
16473 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16474 }
16475
16476 -static struct dma_map_ops swiotlb_dma_ops = {
16477 +static const struct dma_map_ops swiotlb_dma_ops = {
16478 .mapping_error = swiotlb_dma_mapping_error,
16479 .alloc_coherent = x86_swiotlb_alloc_coherent,
16480 .free_coherent = swiotlb_free_coherent,
16481 diff -urNp linux-2.6.39.1/arch/x86/kernel/process_32.c linux-2.6.39.1/arch/x86/kernel/process_32.c
16482 --- linux-2.6.39.1/arch/x86/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
16483 +++ linux-2.6.39.1/arch/x86/kernel/process_32.c 2011-05-22 19:36:30.000000000 -0400
16484 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
16485 unsigned long thread_saved_pc(struct task_struct *tsk)
16486 {
16487 return ((unsigned long *)tsk->thread.sp)[3];
16488 +//XXX return tsk->thread.eip;
16489 }
16490
16491 #ifndef CONFIG_SMP
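Review bot: The added line `//XXX return tsk->thread.eip;` in thread_saved_pc() is commented-out code placed after the live `return`, with nothing to say what is still unresolved. Either drop it or turn it into a real comment above the return that states the open question, along the lines of `/* XXX: <what still has to be verified about reading the saved pc from slot 3> */`. As written, a later reader cannot tell whether the live statement or the disabled one is the intended behaviour.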
16492 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
16493 unsigned long sp;
16494 unsigned short ss, gs;
16495
16496 - if (user_mode_vm(regs)) {
16497 + if (user_mode(regs)) {
16498 sp = regs->sp;
16499 ss = regs->ss & 0xffff;
16500 - gs = get_user_gs(regs);
16501 } else {
16502 sp = kernel_stack_pointer(regs);
16503 savesegment(ss, ss);
16504 - savesegment(gs, gs);
16505 }
16506 + gs = get_user_gs(regs);
16507
16508 show_regs_common();
16509
16510 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
16511 struct task_struct *tsk;
16512 int err;
16513
16514 - childregs = task_pt_regs(p);
16515 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16516 *childregs = *regs;
16517 childregs->ax = 0;
16518 childregs->sp = sp;
16519
16520 p->thread.sp = (unsigned long) childregs;
16521 p->thread.sp0 = (unsigned long) (childregs+1);
16522 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16523
16524 p->thread.ip = (unsigned long) ret_from_fork;
16525
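Review bot: The literal `8` in `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` is an unexplained gap at the top of the kernel stack. The 64-bit copy_thread() hunk uses `16` for the same purpose, and the get_wchan() hunk in process_64.c repeats it as `THREAD_SIZE-16-sizeof(u64)`. These values have to stay in step with each other and with whatever task_pt_regs() computes (not visible here), so a named per-architecture constant with a comment on what occupies the gap would be safer than scattered literals, e.g. `#define KSTACK_TOP_GAP 8` (name constructed for this note). copy_thread() starts and ends outside the hunk.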
16526 @@ -293,7 +294,7 @@ __switch_to(struct task_struct *prev_p,
16527 struct thread_struct *prev = &prev_p->thread,
16528 *next = &next_p->thread;
16529 int cpu = smp_processor_id();
16530 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16531 + struct tss_struct *tss = init_tss + cpu;
16532 bool preload_fpu;
16533
16534 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16535 @@ -328,6 +329,10 @@ __switch_to(struct task_struct *prev_p,
16536 */
16537 lazy_save_gs(prev->gs);
16538
16539 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16540 + __set_fs(task_thread_info(next_p)->addr_limit);
16541 +#endif
16542 +
16543 /*
16544 * Load the per-thread Thread-Local Storage descriptor.
16545 */
16546 @@ -363,6 +368,9 @@ __switch_to(struct task_struct *prev_p,
16547 */
16548 arch_end_context_switch(next_p);
16549
16550 + percpu_write(current_task, next_p);
16551 + percpu_write(current_tinfo, &next_p->tinfo);
16552 +
16553 if (preload_fpu)
16554 __math_state_restore();
16555
16556 @@ -372,8 +380,6 @@ __switch_to(struct task_struct *prev_p,
16557 if (prev->gs | next->gs)
16558 lazy_load_gs(next->gs);
16559
16560 - percpu_write(current_task, next_p);
16561 -
16562 return prev_p;
16563 }
16564
16565 @@ -403,4 +409,3 @@ unsigned long get_wchan(struct task_stru
16566 } while (count++ < 16);
16567 return 0;
16568 }
16569 -
16570 diff -urNp linux-2.6.39.1/arch/x86/kernel/process_64.c linux-2.6.39.1/arch/x86/kernel/process_64.c
16571 --- linux-2.6.39.1/arch/x86/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
16572 +++ linux-2.6.39.1/arch/x86/kernel/process_64.c 2011-05-22 19:36:30.000000000 -0400
16573 @@ -87,7 +87,7 @@ static void __exit_idle(void)
16574 void exit_idle(void)
16575 {
16576 /* idle loop has pid 0 */
16577 - if (current->pid)
16578 + if (task_pid_nr(current))
16579 return;
16580 __exit_idle();
16581 }
16582 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
16583 struct pt_regs *childregs;
16584 struct task_struct *me = current;
16585
16586 - childregs = ((struct pt_regs *)
16587 - (THREAD_SIZE + task_stack_page(p))) - 1;
16588 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16589 *childregs = *regs;
16590
16591 childregs->ax = 0;
16592 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
16593 p->thread.sp = (unsigned long) childregs;
16594 p->thread.sp0 = (unsigned long) (childregs+1);
16595 p->thread.usersp = me->thread.usersp;
16596 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16597
16598 set_tsk_thread_flag(p, TIF_FORK);
16599
16600 @@ -376,7 +376,7 @@ __switch_to(struct task_struct *prev_p,
16601 struct thread_struct *prev = &prev_p->thread;
16602 struct thread_struct *next = &next_p->thread;
16603 int cpu = smp_processor_id();
16604 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16605 + struct tss_struct *tss = init_tss + cpu;
16606 unsigned fsindex, gsindex;
16607 bool preload_fpu;
16608
16609 @@ -472,10 +472,9 @@ __switch_to(struct task_struct *prev_p,
16610 prev->usersp = percpu_read(old_rsp);
16611 percpu_write(old_rsp, next->usersp);
16612 percpu_write(current_task, next_p);
16613 + percpu_write(current_tinfo, &next_p->tinfo);
16614
16615 - percpu_write(kernel_stack,
16616 - (unsigned long)task_stack_page(next_p) +
16617 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16618 + percpu_write(kernel_stack, next->sp0);
16619
16620 /*
16621 * Now maybe reload the debug registers and handle I/O bitmaps
16622 @@ -537,12 +536,11 @@ unsigned long get_wchan(struct task_stru
16623 if (!p || p == current || p->state == TASK_RUNNING)
16624 return 0;
16625 stack = (unsigned long)task_stack_page(p);
16626 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16627 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16628 return 0;
16629 fp = *(u64 *)(p->thread.sp);
16630 do {
16631 - if (fp < (unsigned long)stack ||
16632 - fp >= (unsigned long)stack+THREAD_SIZE)
16633 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16634 return 0;
16635 ip = *(u64 *)(fp+8);
16636 if (!in_sched_functions(ip))
16637 diff -urNp linux-2.6.39.1/arch/x86/kernel/process.c linux-2.6.39.1/arch/x86/kernel/process.c
16638 --- linux-2.6.39.1/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
16639 +++ linux-2.6.39.1/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
16640 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
16641
16642 void free_thread_info(struct thread_info *ti)
16643 {
16644 - free_thread_xstate(ti->task);
16645 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16646 }
16647
16648 +static struct kmem_cache *task_struct_cachep;
16649 +
16650 void arch_task_cache_init(void)
16651 {
16652 - task_xstate_cachep =
16653 - kmem_cache_create("task_xstate", xstate_size,
16654 + /* create a slab on which task_structs can be allocated */
16655 + task_struct_cachep =
16656 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16657 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16658 +
16659 + task_xstate_cachep =
16660 + kmem_cache_create("task_xstate", xstate_size,
16661 __alignof__(union thread_xstate),
16662 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16663 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16664 +}
16665 +
16666 +struct task_struct *alloc_task_struct_node(int node)
16667 +{
16668 + return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
16669 +}
16670 +
16671 +void free_task_struct(struct task_struct *task)
16672 +{
16673 + free_thread_xstate(task);
16674 + kmem_cache_free(task_struct_cachep, task);
16675 }
16676
16677 /*
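Review bot: free_thread_xstate() moves from free_thread_info() to the new free_task_struct(), so the extended-state buffer is now released with the task_struct rather than with the stack pages, and nothing in the hunk records that lifetime change. A short comment above free_task_struct(), such as `/* xstate is freed together with the task_struct, not with the stack */`, would help. Only the "task_xstate" cache gains `SLAB_USERCOPY`, presumably because that buffer is copied to and from user space while the "task_struct" cache should not be. Saying so next to the flag would stop someone from adding it to the task_struct cache later.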
16678 @@ -70,7 +87,7 @@ void exit_thread(void)
16679 unsigned long *bp = t->io_bitmap_ptr;
16680
16681 if (bp) {
16682 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16683 + struct tss_struct *tss = init_tss + get_cpu();
16684
16685 t->io_bitmap_ptr = NULL;
16686 clear_thread_flag(TIF_IO_BITMAP);
16687 @@ -106,7 +123,7 @@ void show_regs_common(void)
16688
16689 printk(KERN_CONT "\n");
16690 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
16691 - current->pid, current->comm, print_tainted(),
16692 + task_pid_nr(current), current->comm, print_tainted(),
16693 init_utsname()->release,
16694 (int)strcspn(init_utsname()->version, " "),
16695 init_utsname()->version);
16696 @@ -120,6 +137,9 @@ void flush_thread(void)
16697 {
16698 struct task_struct *tsk = current;
16699
16700 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16701 + loadsegment(gs, 0);
16702 +#endif
16703 flush_ptrace_hw_breakpoint(tsk);
16704 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
16705 /*
16706 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
16707 regs.di = (unsigned long) arg;
16708
16709 #ifdef CONFIG_X86_32
16710 - regs.ds = __USER_DS;
16711 - regs.es = __USER_DS;
16712 + regs.ds = __KERNEL_DS;
16713 + regs.es = __KERNEL_DS;
16714 regs.fs = __KERNEL_PERCPU;
16715 - regs.gs = __KERNEL_STACK_CANARY;
16716 + savesegment(gs, regs.gs);
16717 #else
16718 regs.ss = __KERNEL_DS;
16719 #endif
16720 @@ -401,7 +421,7 @@ void default_idle(void)
16721 EXPORT_SYMBOL(default_idle);
16722 #endif
16723
16724 -void stop_this_cpu(void *dummy)
16725 +__noreturn void stop_this_cpu(void *dummy)
16726 {
16727 local_irq_disable();
16728 /*
16729 @@ -665,16 +685,34 @@ static int __init idle_setup(char *str)
16730 }
16731 early_param("idle", idle_setup);
16732
16733 -unsigned long arch_align_stack(unsigned long sp)
16734 +#ifdef CONFIG_PAX_RANDKSTACK
16735 +asmlinkage void pax_randomize_kstack(void)
16736 {
16737 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
16738 - sp -= get_random_int() % 8192;
16739 - return sp & ~0xf;
16740 -}
16741 + struct thread_struct *thread = &current->thread;
16742 + unsigned long time;
16743
16744 -unsigned long arch_randomize_brk(struct mm_struct *mm)
16745 -{
16746 - unsigned long range_end = mm->brk + 0x02000000;
16747 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
16748 -}
16749 + if (!randomize_va_space)
16750 + return;
16751 +
16752 + rdtscl(time);
16753 +
16754 + /* P4 seems to return a 0 LSB, ignore it */
16755 +#ifdef CONFIG_MPENTIUM4
16756 + time &= 0x3EUL;
16757 + time <<= 2;
16758 +#elif defined(CONFIG_X86_64)
16759 + time &= 0xFUL;
16760 + time <<= 4;
16761 +#else
16762 + time &= 0x1FUL;
16763 + time <<= 3;
16764 +#endif
16765 +
16766 + thread->sp0 ^= time;
16767 + load_sp0(init_tss + smp_processor_id(), thread);
16768
16769 +#ifdef CONFIG_X86_64
16770 + percpu_write(kernel_stack, thread->sp0);
16771 +#endif
16772 +}
16773 +#endif
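Review bot: The comment `/* P4 seems to return a 0 LSB, ignore it */` sits above the whole `#ifdef` chain in pax_randomize_kstack() but describes only the CONFIG_MPENTIUM4 branch, and none of the three mask/shift pairs says how many bits of offset it yields or at what granularity. Moving the comment inside the first branch and annotating each one, e.g. `/* 4 bits, 16-byte granularity */` beside `time &= 0xFUL; time <<= 4;` and `/* 5 bits, 8-byte granularity */` for the other two, would make the stack-alignment guarantee reviewable. The function comment should also state that the offset comes from the low bits of the TSC via rdtscl(), a timing value rather than a random-number source, so this is a small hardening measure of at most five bits per call. This hunk also removes arch_align_stack() and arch_randomize_brk(); their replacements are not visible here.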
16774 diff -urNp linux-2.6.39.1/arch/x86/kernel/ptrace.c linux-2.6.39.1/arch/x86/kernel/ptrace.c
16775 --- linux-2.6.39.1/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
16776 +++ linux-2.6.39.1/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400
16777 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
16778 unsigned long addr, unsigned long data)
16779 {
16780 int ret;
16781 - unsigned long __user *datap = (unsigned long __user *)data;
16782 + unsigned long __user *datap = (__force unsigned long __user *)data;
16783
16784 switch (request) {
16785 /* read the word at location addr in the USER area. */
16786 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
16787 if ((int) addr < 0)
16788 return -EIO;
16789 ret = do_get_thread_area(child, addr,
16790 - (struct user_desc __user *)data);
16791 + (__force struct user_desc __user *) data);
16792 break;
16793
16794 case PTRACE_SET_THREAD_AREA:
16795 if ((int) addr < 0)
16796 return -EIO;
16797 ret = do_set_thread_area(child, addr,
16798 - (struct user_desc __user *)data, 0);
16799 + (__force struct user_desc __user *) data, 0);
16800 break;
16801 #endif
16802
16803 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
16804 memset(info, 0, sizeof(*info));
16805 info->si_signo = SIGTRAP;
16806 info->si_code = si_code;
16807 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
16808 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
16809 }
16810
16811 void user_single_step_siginfo(struct task_struct *tsk,
16812 @@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts
16813 * We must return the syscall number to actually look up in the table.
16814 * This can be -1L to skip running any syscall at all.
16815 */
16816 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
16817 +long syscall_trace_enter(struct pt_regs *regs)
16818 {
16819 long ret = 0;
16820
16821 @@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru
16822 return ret ?: regs->orig_ax;
16823 }
16824
16825 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
16826 +void syscall_trace_leave(struct pt_regs *regs)
16827 {
16828 bool step;
16829
16830 diff -urNp linux-2.6.39.1/arch/x86/kernel/pvclock.c linux-2.6.39.1/arch/x86/kernel/pvclock.c
16831 --- linux-2.6.39.1/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400
16832 +++ linux-2.6.39.1/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400
16833 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
16834 return pv_tsc_khz;
16835 }
16836
16837 -static atomic64_t last_value = ATOMIC64_INIT(0);
16838 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
16839
16840 void pvclock_resume(void)
16841 {
16842 - atomic64_set(&last_value, 0);
16843 + atomic64_set_unchecked(&last_value, 0);
16844 }
16845
16846 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
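Review bot: `last_value` becomes `atomic64_unchecked_t` here, and the next hunk converts its users in pvclock_clocksource_read(), without a word on why this variable is exempt from the checked atomic operations. Judging from the surrounding code it holds a clock reading rather than a reference count, so wrap-around would not be an object-lifetime bug. A one-line comment on the declaration, such as `/* clock value, not a refcount: overflow checking does not apply */`, would record that decision for whoever audits the `_unchecked` users later.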
16847 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
16848 * updating at the same time, and one of them could be slightly behind,
16849 * making the assumption that last_value always go forward fail to hold.
16850 */
16851 - last = atomic64_read(&last_value);
16852 + last = atomic64_read_unchecked(&last_value);
16853 do {
16854 if (ret < last)
16855 return last;
16856 - last = atomic64_cmpxchg(&last_value, last, ret);
16857 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
16858 } while (unlikely(last != ret));
16859
16860 return ret;
16861 diff -urNp linux-2.6.39.1/arch/x86/kernel/reboot.c linux-2.6.39.1/arch/x86/kernel/reboot.c
16862 --- linux-2.6.39.1/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400
16863 +++ linux-2.6.39.1/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400
16864 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
16865 EXPORT_SYMBOL(pm_power_off);
16866
16867 static const struct desc_ptr no_idt = {};
16868 -static int reboot_mode;
16869 +static unsigned short reboot_mode;
16870 enum reboot_type reboot_type = BOOT_KBD;
16871 int reboot_force;
16872
16873 @@ -307,13 +307,17 @@ core_initcall(reboot_init);
16874 extern const unsigned char machine_real_restart_asm[];
16875 extern const u64 machine_real_restart_gdt[3];
16876
16877 -void machine_real_restart(unsigned int type)
16878 +__noreturn void machine_real_restart(unsigned int type)
16879 {
16880 void *restart_va;
16881 unsigned long restart_pa;
16882 - void (*restart_lowmem)(unsigned int);
16883 + void (* __noreturn restart_lowmem)(unsigned int);
16884 u64 *lowmem_gdt;
16885
16886 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
16887 + struct desc_struct *gdt;
16888 +#endif
16889 +
16890 local_irq_disable();
16891
16892 /* Write zero to CMOS register number 0x0f, which the BIOS POST
16893 @@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t
16894 boot)". This seems like a fairly standard thing that gets set by
16895 REBOOT.COM programs, and the previous reset routine did this
16896 too. */
16897 - *((unsigned short *)0x472) = reboot_mode;
16898 + *(unsigned short *)(__va(0x472)) = reboot_mode;
16899
16900 /* Patch the GDT in the low memory trampoline */
16901 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
16902
16903 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
16904 restart_pa = virt_to_phys(restart_va);
16905 - restart_lowmem = (void (*)(unsigned int))restart_pa;
16906 + restart_lowmem = (void *)restart_pa;
16907
16908 /* GDT[0]: GDT self-pointer */
16909 lowmem_gdt[0] =
16910 @@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t
16911 GDT_ENTRY(0x009b, restart_pa, 0xffff);
16912
16913 /* Jump to the identity-mapped low memory code */
16914 +
16915 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
16916 + gdt = get_cpu_gdt_table(smp_processor_id());
16917 + pax_open_kernel();
16918 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16919 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
16920 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
16921 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
16922 +#endif
16923 +#ifdef CONFIG_PAX_KERNEXEC
16924 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
16925 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
16926 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
16927 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
16928 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
16929 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
16930 +#endif
16931 + pax_close_kernel();
16932 +#endif
16933 +
16934 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16935 + asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
16936 + unreachable();
16937 +#else
16938 restart_lowmem(type);
16939 +#endif
16940 +
16941 }
16942 #ifdef CONFIG_APM_MODULE
16943 EXPORT_SYMBOL(machine_real_restart);
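Review bot: The GDT rewrite uses bare field values (`.type = 3`, `.limit = 0xf`, `.limit0 = 0xffff`, `.g = 1`) with no comment saying that the aim is to return the kernel descriptors to a flat layout before jumping to the identity-mapped trampoline. The two branches are also asymmetric: the KERNEXEC branch resets base, both limit fields and granularity for `GDT_ENTRY_KERNEL_CS`, while the UDEREF branch touches only `type` and the high limit nibble of `GDT_ENTRY_KERNEL_DS`. If `limit0` and `g` of the data descriptor are already flat under UDEREF, that assumption should be written down. A comment above each branch, for example `/* restore flat kernel CS: base 0, limit 0xfffff, page granular */`, would do, and the stray blank `+` line before the closing brace can go. machine_real_restart() begins outside this hunk.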
16944 @@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f
16945 {
16946 }
16947
16948 -static void native_machine_emergency_restart(void)
16949 +__noreturn static void native_machine_emergency_restart(void)
16950 {
16951 int i;
16952
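Review bot: The `__noreturn` annotation is written before `static` here (`__noreturn static void native_machine_emergency_restart(void)`) and on native_machine_power_off(), but after it on __machine_emergency_restart(), native_machine_restart() and native_machine_halt() in the following hunks. Pick one order throughout, e.g. `static __noreturn void native_machine_emergency_restart(void)`, so the attribute is easy to search for. Separately, __machine_emergency_restart() ends in an indirect call through `machine_ops.emergency_restart`. Unless that member's type carries the attribute as well (not visible here), the compiler cannot verify the no-return promise and a returning handler would fall off the end of the function.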
16953 @@ -593,13 +623,13 @@ void native_machine_shutdown(void)
16954 #endif
16955 }
16956
16957 -static void __machine_emergency_restart(int emergency)
16958 +static __noreturn void __machine_emergency_restart(int emergency)
16959 {
16960 reboot_emergency = emergency;
16961 machine_ops.emergency_restart();
16962 }
16963
16964 -static void native_machine_restart(char *__unused)
16965 +static __noreturn void native_machine_restart(char *__unused)
16966 {
16967 printk("machine restart\n");
16968
16969 @@ -608,7 +638,7 @@ static void native_machine_restart(char
16970 __machine_emergency_restart(0);
16971 }
16972
16973 -static void native_machine_halt(void)
16974 +static __noreturn void native_machine_halt(void)
16975 {
16976 /* stop other cpus and apics */
16977 machine_shutdown();
16978 @@ -619,7 +649,7 @@ static void native_machine_halt(void)
16979 stop_this_cpu(NULL);
16980 }
16981
16982 -static void native_machine_power_off(void)
16983 +__noreturn static void native_machine_power_off(void)
16984 {
16985 if (pm_power_off) {
16986 if (!reboot_force)
16987 @@ -628,6 +658,7 @@ static void native_machine_power_off(voi
16988 }
16989 /* a fallback in case there is no PM info available */
16990 tboot_shutdown(TB_SHUTDOWN_HALT);
16991 + unreachable();
16992 }
16993
16994 struct machine_ops machine_ops = {
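Review bot: `unreachable();` after `tboot_shutdown(TB_SHUTDOWN_HALT);` turns any return from tboot_shutdown() into undefined behaviour, whereas before this change native_machine_power_off() simply returned to its caller. Nothing in the hunk shows that tboot_shutdown() never returns. If it does nothing when tboot is not active and `pm_power_off` is NULL, execution runs off the end of a `__noreturn` function. A defined fallback is safer than an assertion, e.g. replace the line with `stop_this_cpu(NULL);`, which native_machine_halt() in this file already uses as its final step.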
16995 diff -urNp linux-2.6.39.1/arch/x86/kernel/setup.c linux-2.6.39.1/arch/x86/kernel/setup.c
16996 --- linux-2.6.39.1/arch/x86/kernel/setup.c 2011-06-03 00:04:13.000000000 -0400
16997 +++ linux-2.6.39.1/arch/x86/kernel/setup.c 2011-06-03 00:32:04.000000000 -0400
16998 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
16999 * area (640->1Mb) as ram even though it is not.
17000 * take them out.
17001 */
17002 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
17003 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
17004 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
17005 }
17006
17007 @@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p)
17008
17009 if (!boot_params.hdr.root_flags)
17010 root_mountflags &= ~MS_RDONLY;
17011 - init_mm.start_code = (unsigned long) _text;
17012 - init_mm.end_code = (unsigned long) _etext;
17013 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17014 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17015 init_mm.end_data = (unsigned long) _edata;
17016 init_mm.brk = _brk_end;
17017
17018 - code_resource.start = virt_to_phys(_text);
17019 - code_resource.end = virt_to_phys(_etext)-1;
17020 - data_resource.start = virt_to_phys(_etext);
17021 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17022 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17023 + data_resource.start = virt_to_phys(_sdata);
17024 data_resource.end = virt_to_phys(_edata)-1;
17025 bss_resource.start = virt_to_phys(&__bss_start);
17026 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17027 diff -urNp linux-2.6.39.1/arch/x86/kernel/setup_percpu.c linux-2.6.39.1/arch/x86/kernel/setup_percpu.c
17028 --- linux-2.6.39.1/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400
17029 +++ linux-2.6.39.1/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400
17030 @@ -21,19 +21,17 @@
17031 #include <asm/cpu.h>
17032 #include <asm/stackprotector.h>
17033
17034 -DEFINE_PER_CPU(int, cpu_number);
17035 +#ifdef CONFIG_SMP
17036 +DEFINE_PER_CPU(unsigned int, cpu_number);
17037 EXPORT_PER_CPU_SYMBOL(cpu_number);
17038 +#endif
17039
17040 -#ifdef CONFIG_X86_64
17041 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17042 -#else
17043 -#define BOOT_PERCPU_OFFSET 0
17044 -#endif
17045
17046 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17047 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17048
17049 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17050 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17051 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17052 };
17053 EXPORT_SYMBOL(__per_cpu_offset);
17054 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
17055 {
17056 #ifdef CONFIG_X86_32
17057 struct desc_struct gdt;
17058 + unsigned long base = per_cpu_offset(cpu);
17059
17060 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17061 - 0x2 | DESCTYPE_S, 0x8);
17062 - gdt.s = 1;
17063 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17064 + 0x83 | DESCTYPE_S, 0xC);
17065 write_gdt_entry(get_cpu_gdt_table(cpu),
17066 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17067 #endif
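Review bot: The new per-CPU descriptor is built from unexplained literals: `0x83 | DESCTYPE_S` and `0xC` replace `0x2 | DESCTYPE_S`, `0x8` and the separate `gdt.s = 1`, and the limit changes from `0xFFFFF` to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`. A comment should say that the segment is now bounded at VMALLOC_END rather than spanning the whole address space, and spell out the bits, e.g. `/* present, read/write data, accessed; page-granular, 32-bit */`. The limit expression also assumes `base < VMALLOC_END`, which is not established in the visible lines. If a per-CPU offset can reach that address the subtraction wraps, so a `BUG_ON(base >= VMALLOC_END);` before pack_descriptor() is worth considering.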
17068 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
17069 /* alrighty, percpu areas up and running */
17070 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17071 for_each_possible_cpu(cpu) {
17072 +#ifdef CONFIG_CC_STACKPROTECTOR
17073 +#ifdef CONFIG_X86_32
17074 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17075 +#endif
17076 +#endif
17077 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17078 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17079 per_cpu(cpu_number, cpu) = cpu;
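Review bot: The boot CPU's stack canary is saved here under a doubly nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` and restored under the same pair in the next hunk, while the flush_thread() hunk in process.c writes a comparable condition as a single `#if defined(...) && ...`. One line, `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`, would read better at both sites. The value is read for every possible CPU although only the `!cpu` case writes it back. Neither site says why the canary needs preserving, presumably because the boot CPU's per-CPU data moves during setup, so a short comment at the save site would help.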
17080 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
17081 */
17082 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
17083 #endif
17084 +#ifdef CONFIG_CC_STACKPROTECTOR
17085 +#ifdef CONFIG_X86_32
17086 + if (!cpu)
17087 + per_cpu(stack_canary.canary, cpu) = canary;
17088 +#endif
17089 +#endif
17090 /*
17091 * Up to this point, the boot CPU has been using .init.data
17092 * area. Reload any changed state for the boot CPU.
17093 diff -urNp linux-2.6.39.1/arch/x86/kernel/signal.c linux-2.6.39.1/arch/x86/kernel/signal.c
17094 --- linux-2.6.39.1/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
17095 +++ linux-2.6.39.1/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
17096 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
17097 * Align the stack pointer according to the i386 ABI,
17098 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17099 */
17100 - sp = ((sp + 4) & -16ul) - 4;
17101 + sp = ((sp - 12) & -16ul) - 4;
17102 #else /* !CONFIG_X86_32 */
17103 sp = round_down(sp, 16) - 8;
17104 #endif
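Review bot: The replacement `sp = ((sp - 12) & -16ul) - 4;` still satisfies the alignment stated in the comment above it, but unlike the old expression it always moves `sp` down by at least 16 bytes, and the comment does not mention that. If the extra room is intentional, record it by extending the comment, e.g. `The result is always at least 16 bytes below the incoming sp.`. Without that, a reader comparing the code with the i386 ABI wording may take the new constant for a typo and revert it. align_sigframe() begins outside this hunk.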
17105 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
17106 * Return an always-bogus address instead so we will die with SIGSEGV.
17107 */
17108 if (onsigstack && !likely(on_sig_stack(sp)))
17109 - return (void __user *)-1L;
17110 + return (__force void __user *)-1L;
17111
17112 /* save i387 state */
17113 if (used_math() && save_i387_xstate(*fpstate) < 0)
17114 - return (void __user *)-1L;
17115 + return (__force void __user *)-1L;
17116
17117 return (void __user *)sp;
17118 }
17119 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
17120 }
17121
17122 if (current->mm->context.vdso)
17123 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17124 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17125 else
17126 - restorer = &frame->retcode;
17127 + restorer = (void __user *)&frame->retcode;
17128 if (ka->sa.sa_flags & SA_RESTORER)
17129 restorer = ka->sa.sa_restorer;
17130
17131 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
17132 * reasons and because gdb uses it as a signature to notice
17133 * signal handler stack frames.
17134 */
17135 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17136 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17137
17138 if (err)
17139 return -EFAULT;
17140 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
17141 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17142
17143 /* Set up to return from userspace. */
17144 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17145 + if (current->mm->context.vdso)
17146 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17147 + else
17148 + restorer = (void __user *)&frame->retcode;
17149 if (ka->sa.sa_flags & SA_RESTORER)
17150 restorer = ka->sa.sa_restorer;
17151 put_user_ex(restorer, &frame->pretcode);
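Review bot: The new `else` branch in __setup_rt_frame() points `restorer` at `frame->retcode` on the user stack, which only works as a return path if that stack page can be executed or the trampoline is emulated. The hunk does not say when `current->mm->context.vdso` is expected to be zero on this path, nor that the fallback deliberately mirrors __setup_frame(). A comment such as `/* no vDSO mapped: fall back to the on-stack rt_sigreturn trampoline, as __setup_frame() does */` would make that dependency explicit. The function starts and ends outside the hunk.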
17152 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
17153 * reasons and because gdb uses it as a signature to notice
17154 * signal handler stack frames.
17155 */
17156 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17157 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17158 } put_user_catch(err);
17159
17160 if (err)
17161 @@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re
17162 int signr;
17163 sigset_t *oldset;
17164
17165 + pax_track_stack();
17166 +
17167 /*
17168 * We want the common case to go fast, which is why we may in certain
17169 * cases get here from kernel mode. Just return without doing anything
17170 @@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re
17171 * X86_32: vm86 regs switched out by assembly code before reaching
17172 * here, so testing against kernel CS suffices.
17173 */
17174 - if (!user_mode(regs))
17175 + if (!user_mode_novm(regs))
17176 return;
17177
17178 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
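Review bot: `user_mode_novm(regs)` replaces `user_mode(regs)` here, while the time.c and traps.c hunks of this patch replace `user_mode_vm(regs)` with `user_mode(regs)`, which suggests the patch gives `user_mode()` the vm86-aware meaning and moves the plain CS test to the new name. Reusing an upstream name with different semantics means code merged later that calls `user_mode()` compiles cleanly but performs a different check. The definitions should carry a comment stating this, and a converted site like this one should say which test it needs, e.g. `/* vm86 regs already switched out: plain CS test is sufficient */`. do_signal() continues outside the hunk.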
17179 diff -urNp linux-2.6.39.1/arch/x86/kernel/smpboot.c linux-2.6.39.1/arch/x86/kernel/smpboot.c
17180 --- linux-2.6.39.1/arch/x86/kernel/smpboot.c 2011-05-19 00:06:34.000000000 -0400
17181 +++ linux-2.6.39.1/arch/x86/kernel/smpboot.c 2011-05-22 19:36:30.000000000 -0400
17182 @@ -696,17 +696,20 @@ static int __cpuinit do_boot_cpu(int api
17183 set_idle_for_cpu(cpu, c_idle.idle);
17184 do_rest:
17185 per_cpu(current_task, cpu) = c_idle.idle;
17186 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17187 #ifdef CONFIG_X86_32
17188 /* Stack for startup_32 can be just as for start_secondary onwards */
17189 irq_ctx_init(cpu);
17190 #else
17191 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17192 initial_gs = per_cpu_offset(cpu);
17193 - per_cpu(kernel_stack, cpu) =
17194 - (unsigned long)task_stack_page(c_idle.idle) -
17195 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17196 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17197 #endif
17198 +
17199 + pax_open_kernel();
17200 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17201 + pax_close_kernel();
17202 +
17203 initial_code = (unsigned long)start_secondary;
17204 stack_start = c_idle.idle->thread.sp;
17205
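Review bot: The 64-bit branch now hard-codes `16` where the old code used `KERNEL_STACK_OFFSET`, so this site no longer follows the constant if the stack-top reservation is changed elsewhere. If the patch needs a different reservation than upstream, a named constant keeps every user in step, for instance `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - KERNEL_STACK_OFFSET + THREAD_SIZE;` with the constant redefined in one place. do_boot_cpu() starts and ends outside the hunk.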
17206 @@ -848,6 +851,12 @@ int __cpuinit native_cpu_up(unsigned int
17207
17208 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17209
17210 +#ifdef CONFIG_PAX_PER_CPU_PGD
17211 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17212 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17213 + KERNEL_PGD_PTRS);
17214 +#endif
17215 +
17216 err = do_boot_cpu(apicid, cpu);
17217 if (err) {
17218 pr_debug("do_boot_cpu failed %d\n", err);
17219 diff -urNp linux-2.6.39.1/arch/x86/kernel/step.c linux-2.6.39.1/arch/x86/kernel/step.c
17220 --- linux-2.6.39.1/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400
17221 +++ linux-2.6.39.1/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400
17222 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17223 struct desc_struct *desc;
17224 unsigned long base;
17225
17226 - seg &= ~7UL;
17227 + seg >>= 3;
17228
17229 mutex_lock(&child->mm->context.lock);
17230 - if (unlikely((seg >> 3) >= child->mm->context.size))
17231 + if (unlikely(seg >= child->mm->context.size))
17232 addr = -1L; /* bogus selector, access would fault */
17233 else {
17234 desc = child->mm->context.ldt + seg;
17235 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17236 addr += base;
17237 }
17238 mutex_unlock(&child->mm->context.lock);
17239 - }
17240 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17241 + addr = ktla_ktva(addr);
17242
17243 return addr;
17244 }
17245 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17246 unsigned char opcode[15];
17247 unsigned long addr = convert_ip_to_linear(child, regs);
17248
17249 + if (addr == -EINVAL)
17250 + return 0;
17251 +
17252 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17253 for (i = 0; i < copied; i++) {
17254 switch (opcode[i]) {
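Review bot: The added guard `if (addr == -EINVAL)` does not match the failure value that convert_ip_to_linear() produces in the hunk above, where a bogus LDT selector sets `addr = -1L`. As far as these hunks show, nothing returns -EINVAL, so the early return never fires and access_process_vm() is still called with the sentinel address. Either compare against the same sentinel, `if (addr == -1L) return 0;`, or change the producer to return -EINVAL and update its comment. is_setting_trap_flag() continues outside the hunk.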
17255 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17256
17257 #ifdef CONFIG_X86_64
17258 case 0x40 ... 0x4f:
17259 - if (regs->cs != __USER_CS)
17260 + if ((regs->cs & 0xffff) != __USER_CS)
17261 /* 32-bit mode: register increment */
17262 return 0;
17263 /* 64-bit mode: REX prefix */
17264 diff -urNp linux-2.6.39.1/arch/x86/kernel/syscall_table_32.S linux-2.6.39.1/arch/x86/kernel/syscall_table_32.S
17265 --- linux-2.6.39.1/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400
17266 +++ linux-2.6.39.1/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400
17267 @@ -1,3 +1,4 @@
17268 +.section .rodata,"a",@progbits
17269 ENTRY(sys_call_table)
17270 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17271 .long sys_exit
17272 diff -urNp linux-2.6.39.1/arch/x86/kernel/sys_i386_32.c linux-2.6.39.1/arch/x86/kernel/sys_i386_32.c
17273 --- linux-2.6.39.1/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400
17274 +++ linux-2.6.39.1/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400
17275 @@ -24,17 +24,224 @@
17276
17277 #include <asm/syscalls.h>
17278
17279 -/*
17280 - * Do a system call from kernel instead of calling sys_execve so we
17281 - * end up with proper pt_regs.
17282 - */
17283 -int kernel_execve(const char *filename,
17284 - const char *const argv[],
17285 - const char *const envp[])
17286 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17287 {
17288 - long __res;
17289 - asm volatile ("int $0x80"
17290 - : "=a" (__res)
17291 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
17292 - return __res;
17293 + unsigned long pax_task_size = TASK_SIZE;
17294 +
17295 +#ifdef CONFIG_PAX_SEGMEXEC
17296 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17297 + pax_task_size = SEGMEXEC_TASK_SIZE;
17298 +#endif
17299 +
17300 + if (len > pax_task_size || addr > pax_task_size - len)
17301 + return -EINVAL;
17302 +
17303 + return 0;
17304 +}
17305 +
17306 +unsigned long
17307 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17308 + unsigned long len, unsigned long pgoff, unsigned long flags)
17309 +{
17310 + struct mm_struct *mm = current->mm;
17311 + struct vm_area_struct *vma;
17312 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17313 +
17314 +#ifdef CONFIG_PAX_SEGMEXEC
17315 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17316 + pax_task_size = SEGMEXEC_TASK_SIZE;
17317 +#endif
17318 +
17319 + pax_task_size -= PAGE_SIZE;
17320 +
17321 + if (len > pax_task_size)
17322 + return -ENOMEM;
17323 +
17324 + if (flags & MAP_FIXED)
17325 + return addr;
17326 +
17327 +#ifdef CONFIG_PAX_RANDMMAP
17328 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17329 +#endif
17330 +
17331 + if (addr) {
17332 + addr = PAGE_ALIGN(addr);
17333 + if (pax_task_size - len >= addr) {
17334 + vma = find_vma(mm, addr);
17335 + if (check_heap_stack_gap(vma, addr, len))
17336 + return addr;
17337 + }
17338 + }
17339 + if (len > mm->cached_hole_size) {
17340 + start_addr = addr = mm->free_area_cache;
17341 + } else {
17342 + start_addr = addr = mm->mmap_base;
17343 + mm->cached_hole_size = 0;
17344 + }
17345 +
17346 +#ifdef CONFIG_PAX_PAGEEXEC
17347 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17348 + start_addr = 0x00110000UL;
17349 +
17350 +#ifdef CONFIG_PAX_RANDMMAP
17351 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17352 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17353 +#endif
17354 +
17355 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17356 + start_addr = addr = mm->mmap_base;
17357 + else
17358 + addr = start_addr;
17359 + }
17360 +#endif
17361 +
17362 +full_search:
17363 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17364 + /* At this point: (!vma || addr < vma->vm_end). */
17365 + if (pax_task_size - len < addr) {
17366 + /*
17367 + * Start a new search - just in case we missed
17368 + * some holes.
17369 + */
17370 + if (start_addr != mm->mmap_base) {
17371 + start_addr = addr = mm->mmap_base;
17372 + mm->cached_hole_size = 0;
17373 + goto full_search;
17374 + }
17375 + return -ENOMEM;
17376 + }
17377 + if (check_heap_stack_gap(vma, addr, len))
17378 + break;
17379 + if (addr + mm->cached_hole_size < vma->vm_start)
17380 + mm->cached_hole_size = vma->vm_start - addr;
17381 + addr = vma->vm_end;
17382 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17383 + start_addr = addr = mm->mmap_base;
17384 + mm->cached_hole_size = 0;
17385 + goto full_search;
17386 + }
17387 + }
17388 +
17389 + /*
17390 + * Remember the place where we stopped the search:
17391 + */
17392 + mm->free_area_cache = addr + len;
17393 + return addr;
17394 +}
17395 +
17396 +unsigned long
17397 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17398 + const unsigned long len, const unsigned long pgoff,
17399 + const unsigned long flags)
17400 +{
17401 + struct vm_area_struct *vma;
17402 + struct mm_struct *mm = current->mm;
17403 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17404 +
17405 +#ifdef CONFIG_PAX_SEGMEXEC
17406 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17407 + pax_task_size = SEGMEXEC_TASK_SIZE;
17408 +#endif
17409 +
17410 + pax_task_size -= PAGE_SIZE;
17411 +
17412 + /* requested length too big for entire address space */
17413 + if (len > pax_task_size)
17414 + return -ENOMEM;
17415 +
17416 + if (flags & MAP_FIXED)
17417 + return addr;
17418 +
17419 +#ifdef CONFIG_PAX_PAGEEXEC
17420 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17421 + goto bottomup;
17422 +#endif
17423 +
17424 +#ifdef CONFIG_PAX_RANDMMAP
17425 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17426 +#endif
17427 +
17428 + /* requesting a specific address */
17429 + if (addr) {
17430 + addr = PAGE_ALIGN(addr);
17431 + if (pax_task_size - len >= addr) {
17432 + vma = find_vma(mm, addr);
17433 + if (check_heap_stack_gap(vma, addr, len))
17434 + return addr;
17435 + }
17436 + }
17437 +
17438 + /* check if free_area_cache is useful for us */
17439 + if (len <= mm->cached_hole_size) {
17440 + mm->cached_hole_size = 0;
17441 + mm->free_area_cache = mm->mmap_base;
17442 + }
17443 +
17444 + /* either no address requested or can't fit in requested address hole */
17445 + addr = mm->free_area_cache;
17446 +
17447 + /* make sure it can fit in the remaining address space */
17448 + if (addr > len) {
17449 + vma = find_vma(mm, addr-len);
17450 + if (check_heap_stack_gap(vma, addr - len, len))
17451 + /* remember the address as a hint for next time */
17452 + return (mm->free_area_cache = addr-len);
17453 + }
17454 +
17455 + if (mm->mmap_base < len)
17456 + goto bottomup;
17457 +
17458 + addr = mm->mmap_base-len;
17459 +
17460 + do {
17461 + /*
17462 + * Lookup failure means no vma is above this address,
17463 + * else if new region fits below vma->vm_start,
17464 + * return with success:
17465 + */
17466 + vma = find_vma(mm, addr);
17467 + if (check_heap_stack_gap(vma, addr, len))
17468 + /* remember the address as a hint for next time */
17469 + return (mm->free_area_cache = addr);
17470 +
17471 + /* remember the largest hole we saw so far */
17472 + if (addr + mm->cached_hole_size < vma->vm_start)
17473 + mm->cached_hole_size = vma->vm_start - addr;
17474 +
17475 + /* try just below the current vma->vm_start */
17476 + addr = skip_heap_stack_gap(vma, len);
17477 + } while (!IS_ERR_VALUE(addr));
17478 +
17479 +bottomup:
17480 + /*
17481 + * A failed mmap() very likely causes application failure,
17482 + * so fall back to the bottom-up function here. This scenario
17483 + * can happen with large stack limits and large mmap()
17484 + * allocations.
17485 + */
17486 +
17487 +#ifdef CONFIG_PAX_SEGMEXEC
17488 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17489 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17490 + else
17491 +#endif
17492 +
17493 + mm->mmap_base = TASK_UNMAPPED_BASE;
17494 +
17495 +#ifdef CONFIG_PAX_RANDMMAP
17496 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17497 + mm->mmap_base += mm->delta_mmap;
17498 +#endif
17499 +
17500 + mm->free_area_cache = mm->mmap_base;
17501 + mm->cached_hole_size = ~0UL;
17502 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17503 + /*
17504 + * Restore the topdown base:
17505 + */
17506 + mm->mmap_base = base;
17507 + mm->free_area_cache = base;
17508 + mm->cached_hole_size = ~0UL;
17509 +
17510 + return addr;
17511 }
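Review bot: In both arch_get_unmapped_area() and arch_get_unmapped_area_topdown() the `#ifdef CONFIG_PAX_RANDMMAP` block ends in a brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) { … }` statement that follows after a blank line (and, in the topdown variant, a comment). The control flow therefore depends on nothing being inserted between the `#endif` and `if (addr)`; one added statement would silently become the guarded body. Folding the test into the condition avoids that, e.g. `if (addr && !randmmap)` with a local flag (here called `randmmap`) set once under the `#ifdef`. The same pattern appears in the sys_x86_64.c hunks and, as a dangling `else`, before `mm->mmap_base = TASK_UNMAPPED_BASE;` in this hunk and before the final `die()` in the gp_in_kernel hunk of traps.c.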
17512 diff -urNp linux-2.6.39.1/arch/x86/kernel/sys_x86_64.c linux-2.6.39.1/arch/x86/kernel/sys_x86_64.c
17513 --- linux-2.6.39.1/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400
17514 +++ linux-2.6.39.1/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400
17515 @@ -32,8 +32,8 @@ out:
17516 return error;
17517 }
17518
17519 -static void find_start_end(unsigned long flags, unsigned long *begin,
17520 - unsigned long *end)
17521 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17522 + unsigned long *begin, unsigned long *end)
17523 {
17524 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17525 unsigned long new_begin;
17526 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17527 *begin = new_begin;
17528 }
17529 } else {
17530 - *begin = TASK_UNMAPPED_BASE;
17531 + *begin = mm->mmap_base;
17532 *end = TASK_SIZE;
17533 }
17534 }
17535 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17536 if (flags & MAP_FIXED)
17537 return addr;
17538
17539 - find_start_end(flags, &begin, &end);
17540 + find_start_end(mm, flags, &begin, &end);
17541
17542 if (len > end)
17543 return -ENOMEM;
17544
17545 +#ifdef CONFIG_PAX_RANDMMAP
17546 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17547 +#endif
17548 +
17549 if (addr) {
17550 addr = PAGE_ALIGN(addr);
17551 vma = find_vma(mm, addr);
17552 - if (end - len >= addr &&
17553 - (!vma || addr + len <= vma->vm_start))
17554 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17555 return addr;
17556 }
17557 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17558 @@ -106,7 +109,7 @@ full_search:
17559 }
17560 return -ENOMEM;
17561 }
17562 - if (!vma || addr + len <= vma->vm_start) {
17563 + if (check_heap_stack_gap(vma, addr, len)) {
17564 /*
17565 * Remember the place where we stopped the search:
17566 */
17567 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17568 {
17569 struct vm_area_struct *vma;
17570 struct mm_struct *mm = current->mm;
17571 - unsigned long addr = addr0;
17572 + unsigned long base = mm->mmap_base, addr = addr0;
17573
17574 /* requested length too big for entire address space */
17575 if (len > TASK_SIZE)
17576 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17577 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17578 goto bottomup;
17579
17580 +#ifdef CONFIG_PAX_RANDMMAP
17581 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17582 +#endif
17583 +
17584 /* requesting a specific address */
17585 if (addr) {
17586 addr = PAGE_ALIGN(addr);
17587 - vma = find_vma(mm, addr);
17588 - if (TASK_SIZE - len >= addr &&
17589 - (!vma || addr + len <= vma->vm_start))
17590 - return addr;
17591 + if (TASK_SIZE - len >= addr) {
17592 + vma = find_vma(mm, addr);
17593 + if (check_heap_stack_gap(vma, addr, len))
17594 + return addr;
17595 + }
17596 }
17597
17598 /* check if free_area_cache is useful for us */
17599 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17600 /* make sure it can fit in the remaining address space */
17601 if (addr > len) {
17602 vma = find_vma(mm, addr-len);
17603 - if (!vma || addr <= vma->vm_start)
17604 + if (check_heap_stack_gap(vma, addr - len, len))
17605 /* remember the address as a hint for next time */
17606 return mm->free_area_cache = addr-len;
17607 }
17608 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17609 * return with success:
17610 */
17611 vma = find_vma(mm, addr);
17612 - if (!vma || addr+len <= vma->vm_start)
17613 + if (check_heap_stack_gap(vma, addr, len))
17614 /* remember the address as a hint for next time */
17615 return mm->free_area_cache = addr;
17616
17617 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17618 mm->cached_hole_size = vma->vm_start - addr;
17619
17620 /* try just below the current vma->vm_start */
17621 - addr = vma->vm_start-len;
17622 - } while (len < vma->vm_start);
17623 + addr = skip_heap_stack_gap(vma, len);
17624 + } while (!IS_ERR_VALUE(addr));
17625
17626 bottomup:
17627 /*
17628 @@ -198,13 +206,21 @@ bottomup:
17629 * can happen with large stack limits and large mmap()
17630 * allocations.
17631 */
17632 + mm->mmap_base = TASK_UNMAPPED_BASE;
17633 +
17634 +#ifdef CONFIG_PAX_RANDMMAP
17635 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17636 + mm->mmap_base += mm->delta_mmap;
17637 +#endif
17638 +
17639 + mm->free_area_cache = mm->mmap_base;
17640 mm->cached_hole_size = ~0UL;
17641 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17642 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17643 /*
17644 * Restore the topdown base:
17645 */
17646 - mm->free_area_cache = mm->mmap_base;
17647 + mm->mmap_base = base;
17648 + mm->free_area_cache = base;
17649 mm->cached_hole_size = ~0UL;
17650
17651 return addr;
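Review bot: The bottomup fallback now rewrites `mm->mmap_base` for the duration of the arch_get_unmapped_area() call, apparently because find_start_end() in this file was changed to start from `mm->mmap_base` instead of `TASK_UNMAPPED_BASE`; neither fact is stated at the site. Since `mm` is shared by all threads of the process, the temporary value is only safe if the caller serialises address-space changes, which presumably holds but is not visible here. I would extend the existing comment with `/* find_start_end() starts from mm->mmap_base: switch to the legacy base for the bottom-up search, restored below */` and name the lock that is relied on. The function begins outside the hunk.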
17652 diff -urNp linux-2.6.39.1/arch/x86/kernel/tboot.c linux-2.6.39.1/arch/x86/kernel/tboot.c
17653 --- linux-2.6.39.1/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400
17654 +++ linux-2.6.39.1/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400
17655 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
17656
17657 void tboot_shutdown(u32 shutdown_type)
17658 {
17659 - void (*shutdown)(void);
17660 + void (* __noreturn shutdown)(void);
17661
17662 if (!tboot_enabled())
17663 return;
17664 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
17665
17666 switch_to_tboot_pt();
17667
17668 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17669 + shutdown = (void *)tboot->shutdown_entry;
17670 shutdown();
17671
17672 /* should not reach here */
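Review bot: `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast that the old line used. The type of `shutdown_entry` is not visible in this hunk; if it is still a fixed-width integer narrower than a pointer, the direct cast produces an int-to-pointer size warning on 64-bit builds and hides the widening. Keeping the widening explicit costs nothing: `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`. tboot_shutdown() starts and ends outside the hunk.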
17673 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17674 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17675 }
17676
17677 -static atomic_t ap_wfs_count;
17678 +static atomic_unchecked_t ap_wfs_count;
17679
17680 static int tboot_wait_for_aps(int num_aps)
17681 {
17682 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
17683 {
17684 switch (action) {
17685 case CPU_DYING:
17686 - atomic_inc(&ap_wfs_count);
17687 + atomic_inc_unchecked(&ap_wfs_count);
17688 if (num_online_cpus() == 1)
17689 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17690 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17691 return NOTIFY_BAD;
17692 break;
17693 }
17694 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
17695
17696 tboot_create_trampoline();
17697
17698 - atomic_set(&ap_wfs_count, 0);
17699 + atomic_set_unchecked(&ap_wfs_count, 0);
17700 register_hotcpu_notifier(&tboot_cpu_notifier);
17701 return 0;
17702 }
17703 diff -urNp linux-2.6.39.1/arch/x86/kernel/time.c linux-2.6.39.1/arch/x86/kernel/time.c
17704 --- linux-2.6.39.1/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
17705 +++ linux-2.6.39.1/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400
17706 @@ -22,17 +22,13 @@
17707 #include <asm/hpet.h>
17708 #include <asm/time.h>
17709
17710 -#ifdef CONFIG_X86_64
17711 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17712 -#endif
17713 -
17714 unsigned long profile_pc(struct pt_regs *regs)
17715 {
17716 unsigned long pc = instruction_pointer(regs);
17717
17718 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
17719 + if (!user_mode(regs) && in_lock_functions(pc)) {
17720 #ifdef CONFIG_FRAME_POINTER
17721 - return *(unsigned long *)(regs->bp + sizeof(long));
17722 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
17723 #else
17724 unsigned long *sp =
17725 (unsigned long *)kernel_stack_pointer(regs);
17726 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
17727 * or above a saved flags. Eflags has bits 22-31 zero,
17728 * kernel addresses don't.
17729 */
17730 +
17731 +#ifdef CONFIG_PAX_KERNEXEC
17732 + return ktla_ktva(sp[0]);
17733 +#else
17734 if (sp[0] >> 22)
17735 return sp[0];
17736 if (sp[1] >> 22)
17737 return sp[1];
17738 #endif
17739 +
17740 +#endif
17741 }
17742 return pc;
17743 }
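Review bot: Under CONFIG_PAX_KERNEXEC the new branch returns `ktla_ktva(sp[0])` unconditionally, so the comment just above it (eflags has bits 22-31 zero, kernel addresses don't) no longer describes what this configuration does, and the `sp[1]` case is not considered at all. If `sp[0]` holds saved flags rather than a return address, the profiler is handed a translated flags word as the pc. Please either document why the heuristic cannot be used here, e.g. `/* the bits 22-31 test cannot tell flags from text addresses in this layout */` if that is the reason, or keep an equivalent check. profile_pc() begins outside the hunk.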
17744 diff -urNp linux-2.6.39.1/arch/x86/kernel/tls.c linux-2.6.39.1/arch/x86/kernel/tls.c
17745 --- linux-2.6.39.1/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400
17746 +++ linux-2.6.39.1/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400
17747 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
17748 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
17749 return -EINVAL;
17750
17751 +#ifdef CONFIG_PAX_SEGMEXEC
17752 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
17753 + return -EINVAL;
17754 +#endif
17755 +
17756 set_tls_desc(p, idx, &info, 1);
17757
17758 return 0;
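Review bot: The new SEGMEXEC test dereferences `p->mm` without checking it, whereas the do_general_protection() hunk in traps.c tests `tsk->mm &&` before reading `pax_flags`. `p` is a parameter and need not be `current`, so if do_set_thread_area() can be reached for a task that has no mm, this is a NULL dereference in kernel context. Unless every caller guarantees an mm, guard it: `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`. The function starts and ends outside the hunk.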
17759 diff -urNp linux-2.6.39.1/arch/x86/kernel/trampoline_32.S linux-2.6.39.1/arch/x86/kernel/trampoline_32.S
17760 --- linux-2.6.39.1/arch/x86/kernel/trampoline_32.S 2011-05-19 00:06:34.000000000 -0400
17761 +++ linux-2.6.39.1/arch/x86/kernel/trampoline_32.S 2011-05-22 19:36:30.000000000 -0400
17762 @@ -32,6 +32,12 @@
17763 #include <asm/segment.h>
17764 #include <asm/page_types.h>
17765
17766 +#ifdef CONFIG_PAX_KERNEXEC
17767 +#define ta(X) (X)
17768 +#else
17769 +#define ta(X) ((X) - __PAGE_OFFSET)
17770 +#endif
17771 +
17772 #ifdef CONFIG_SMP
17773
17774 .section ".x86_trampoline","a"
17775 @@ -62,7 +68,7 @@ r_base = .
17776 inc %ax # protected mode (PE) bit
17777 lmsw %ax # into protected mode
17778 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
17779 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
17780 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
17781
17782 # These need to be in the same 64K segment as the above;
17783 # hence we don't use the boot_gdt_descr defined in head.S
17784 diff -urNp linux-2.6.39.1/arch/x86/kernel/trampoline_64.S linux-2.6.39.1/arch/x86/kernel/trampoline_64.S
17785 --- linux-2.6.39.1/arch/x86/kernel/trampoline_64.S 2011-05-19 00:06:34.000000000 -0400
17786 +++ linux-2.6.39.1/arch/x86/kernel/trampoline_64.S 2011-05-22 19:36:30.000000000 -0400
17787 @@ -90,7 +90,7 @@ startup_32:
17788 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
17789 movl %eax, %ds
17790
17791 - movl $X86_CR4_PAE, %eax
17792 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
17793 movl %eax, %cr4 # Enable PAE mode
17794
17795 # Setup trampoline 4 level pagetables
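Review bot: The trailing comment on the following `movl %eax, %cr4` line still reads `# Enable PAE mode`, but the value loaded now also sets PSE and PGE. Update it so the comment matches the write, for example `movl %eax, %cr4 # Enable PSE, PAE and PGE`, and add a word on why the trampoline needs the extra bits this early.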
17796 @@ -138,7 +138,7 @@ tidt:
17797 # so the kernel can live anywhere
17798 .balign 4
17799 tgdt:
17800 - .short tgdt_end - tgdt # gdt limit
17801 + .short tgdt_end - tgdt - 1 # gdt limit
17802 .long tgdt - r_base
17803 .short 0
17804 .quad 0x00cf9b000000ffff # __KERNEL32_CS
17805 diff -urNp linux-2.6.39.1/arch/x86/kernel/traps.c linux-2.6.39.1/arch/x86/kernel/traps.c
17806 --- linux-2.6.39.1/arch/x86/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
17807 +++ linux-2.6.39.1/arch/x86/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
17808 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
17809
17810 /* Do we ignore FPU interrupts ? */
17811 char ignore_fpu_irq;
17812 -
17813 -/*
17814 - * The IDT has to be page-aligned to simplify the Pentium
17815 - * F0 0F bug workaround.
17816 - */
17817 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
17818 #endif
17819
17820 DECLARE_BITMAP(used_vectors, NR_VECTORS);
17821 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
17822 }
17823
17824 static void __kprobes
17825 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
17826 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
17827 long error_code, siginfo_t *info)
17828 {
17829 struct task_struct *tsk = current;
17830
17831 #ifdef CONFIG_X86_32
17832 - if (regs->flags & X86_VM_MASK) {
17833 + if (v8086_mode(regs)) {
17834 /*
17835 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
17836 * On nmi (interrupt 2), do_trap should not be called.
17837 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
17838 }
17839 #endif
17840
17841 - if (!user_mode(regs))
17842 + if (!user_mode_novm(regs))
17843 goto kernel_trap;
17844
17845 #ifdef CONFIG_X86_32
17846 @@ -157,7 +151,7 @@ trap_signal:
17847 printk_ratelimit()) {
17848 printk(KERN_INFO
17849 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
17850 - tsk->comm, tsk->pid, str,
17851 + tsk->comm, task_pid_nr(tsk), str,
17852 regs->ip, regs->sp, error_code);
17853 print_vma_addr(" in ", regs->ip);
17854 printk("\n");
17855 @@ -174,8 +168,20 @@ kernel_trap:
17856 if (!fixup_exception(regs)) {
17857 tsk->thread.error_code = error_code;
17858 tsk->thread.trap_no = trapnr;
17859 +
17860 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17861 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
17862 + str = "PAX: suspicious stack segment fault";
17863 +#endif
17864 +
17865 die(str, regs, error_code);
17866 }
17867 +
17868 +#ifdef CONFIG_PAX_REFCOUNT
17869 + if (trapnr == 4)
17870 + pax_report_refcount_overflow(regs);
17871 +#endif
17872 +
17873 return;
17874
17875 #ifdef CONFIG_X86_32
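Review bot: The two additions in the kernel_trap path compare `trapnr` against bare `12` and `4` with no comment, and the second test runs after the `fixup_exception()` block, i.e. on the path where the fault was fixed up. A reader has to know the vector numbers to see that these are the stack-segment fault and the overflow trap. I would add `/* #SS taken on a kernel code segment */` to the first test and `/* #OF: presumably raised by the refcount overflow checks */` to the second, and state whether reporting after a successful fixup is intended. do_trap() starts outside the hunk.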
17876 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
17877 conditional_sti(regs);
17878
17879 #ifdef CONFIG_X86_32
17880 - if (regs->flags & X86_VM_MASK)
17881 + if (v8086_mode(regs))
17882 goto gp_in_vm86;
17883 #endif
17884
17885 tsk = current;
17886 - if (!user_mode(regs))
17887 + if (!user_mode_novm(regs))
17888 goto gp_in_kernel;
17889
17890 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17891 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
17892 + struct mm_struct *mm = tsk->mm;
17893 + unsigned long limit;
17894 +
17895 + down_write(&mm->mmap_sem);
17896 + limit = mm->context.user_cs_limit;
17897 + if (limit < TASK_SIZE) {
17898 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
17899 + up_write(&mm->mmap_sem);
17900 + return;
17901 + }
17902 + up_write(&mm->mmap_sem);
17903 + }
17904 +#endif
17905 +
17906 tsk->thread.error_code = error_code;
17907 tsk->thread.trap_no = 13;
17908
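Review bot: The new PAGEEXEC block returns from do_general_protection() without signalling the task once it has called track_exec_limit(), which only makes sense if the faulting instruction is meant to be retried with the raised code-segment limit; the hunk has no comment saying so. It also takes `mmap_sem` for writing inside the fault handler, which deserves a note on why a write lock is needed around the `user_cs_limit` read. Something like `/* #GP above the current CS limit: raise the limit and let the instruction restart */` above the `if (limit < TASK_SIZE)` test would do, if that reading is correct. The function starts and ends outside the hunk.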
17909 @@ -304,6 +326,13 @@ gp_in_kernel:
17910 if (notify_die(DIE_GPF, "general protection fault", regs,
17911 error_code, 13, SIGSEGV) == NOTIFY_STOP)
17912 return;
17913 +
17914 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17915 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
17916 + die("PAX: suspicious general protection fault", regs, error_code);
17917 + else
17918 +#endif
17919 +
17920 die("general protection fault", regs, error_code);
17921 }
17922
17923 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
17924 /* It's safe to allow irq's after DR6 has been saved */
17925 preempt_conditional_sti(regs);
17926
17927 - if (regs->flags & X86_VM_MASK) {
17928 + if (v8086_mode(regs)) {
17929 handle_vm86_trap((struct kernel_vm86_regs *) regs,
17930 error_code, 1);
17931 preempt_conditional_cli(regs);
17932 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
17933 * We already checked v86 mode above, so we can check for kernel mode
17934 * by just checking the CPL of CS.
17935 */
17936 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
17937 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
17938 tsk->thread.debugreg6 &= ~DR_STEP;
17939 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
17940 regs->flags &= ~X86_EFLAGS_TF;
17941 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
17942 return;
17943 conditional_sti(regs);
17944
17945 - if (!user_mode_vm(regs))
17946 + if (!user_mode(regs))
17947 {
17948 if (!fixup_exception(regs)) {
17949 task->thread.error_code = error_code;
17950 @@ -723,7 +752,7 @@ asmlinkage void __attribute__((weak)) sm
17951 void __math_state_restore(void)
17952 {
17953 struct thread_info *thread = current_thread_info();
17954 - struct task_struct *tsk = thread->task;
17955 + struct task_struct *tsk = current;
17956
17957 /*
17958 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
17959 @@ -750,8 +779,7 @@ void __math_state_restore(void)
17960 */
17961 asmlinkage void math_state_restore(void)
17962 {
17963 - struct thread_info *thread = current_thread_info();
17964 - struct task_struct *tsk = thread->task;
17965 + struct task_struct *tsk = current;
17966
17967 if (!tsk_used_math(tsk)) {
17968 local_irq_enable();
17969 diff -urNp linux-2.6.39.1/arch/x86/kernel/vm86_32.c linux-2.6.39.1/arch/x86/kernel/vm86_32.c
17970 --- linux-2.6.39.1/arch/x86/kernel/vm86_32.c 2011-05-19 00:06:34.000000000 -0400
17971 +++ linux-2.6.39.1/arch/x86/kernel/vm86_32.c 2011-05-22 19:41:32.000000000 -0400
17972 @@ -41,6 +41,7 @@
17973 #include <linux/ptrace.h>
17974 #include <linux/audit.h>
17975 #include <linux/stddef.h>
17976 +#include <linux/grsecurity.h>
17977
17978 #include <asm/uaccess.h>
17979 #include <asm/io.h>
17980 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
17981 do_exit(SIGSEGV);
17982 }
17983
17984 - tss = &per_cpu(init_tss, get_cpu());
17985 + tss = init_tss + get_cpu();
17986 current->thread.sp0 = current->thread.saved_sp0;
17987 current->thread.sysenter_cs = __KERNEL_CS;
17988 load_sp0(tss, &current->thread);
17989 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
17990 struct task_struct *tsk;
17991 int tmp, ret = -EPERM;
17992
17993 +#ifdef CONFIG_GRKERNSEC_VM86
17994 + if (!capable(CAP_SYS_RAWIO)) {
17995 + gr_handle_vm86();
17996 + goto out;
17997 + }
17998 +#endif
17999 +
18000 tsk = current;
18001 if (tsk->thread.saved_sp0)
18002 goto out;
18003 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
18004 int tmp, ret;
18005 struct vm86plus_struct __user *v86;
18006
18007 +#ifdef CONFIG_GRKERNSEC_VM86
18008 + if (!capable(CAP_SYS_RAWIO)) {
18009 + gr_handle_vm86();
18010 + ret = -EPERM;
18011 + goto out;
18012 + }
18013 +#endif
18014 +
18015 tsk = current;
18016 switch (cmd) {
18017 case VM86_REQUEST_IRQ:
18018 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18019 tsk->thread.saved_fs = info->regs32->fs;
18020 tsk->thread.saved_gs = get_user_gs(info->regs32);
18021
18022 - tss = &per_cpu(init_tss, get_cpu());
18023 + tss = init_tss + get_cpu();
18024 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18025 if (cpu_has_sep)
18026 tsk->thread.sysenter_cs = 0;
18027 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18028 goto cannot_handle;
18029 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18030 goto cannot_handle;
18031 - intr_ptr = (unsigned long __user *) (i << 2);
18032 + intr_ptr = (__force unsigned long __user *) (i << 2);
18033 if (get_user(segoffs, intr_ptr))
18034 goto cannot_handle;
18035 if ((segoffs >> 16) == BIOSSEG)
18036 diff -urNp linux-2.6.39.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.39.1/arch/x86/kernel/vmlinux.lds.S
18037 --- linux-2.6.39.1/arch/x86/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
18038 +++ linux-2.6.39.1/arch/x86/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
18039 @@ -26,6 +26,13 @@
18040 #include <asm/page_types.h>
18041 #include <asm/cache.h>
18042 #include <asm/boot.h>
18043 +#include <asm/segment.h>
18044 +
18045 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18046 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18047 +#else
18048 +#define __KERNEL_TEXT_OFFSET 0
18049 +#endif
18050
18051 #undef i386 /* in case the preprocessor is a 32bit one */
18052
18053 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18054 #ifdef CONFIG_X86_32
18055 OUTPUT_ARCH(i386)
18056 ENTRY(phys_startup_32)
18057 -jiffies = jiffies_64;
18058 #else
18059 OUTPUT_ARCH(i386:x86-64)
18060 ENTRY(phys_startup_64)
18061 -jiffies_64 = jiffies;
18062 #endif
18063
18064 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18065 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
18066
18067 PHDRS {
18068 text PT_LOAD FLAGS(5); /* R_E */
18069 +#ifdef CONFIG_X86_32
18070 + module PT_LOAD FLAGS(5); /* R_E */
18071 +#endif
18072 +#ifdef CONFIG_XEN
18073 + rodata PT_LOAD FLAGS(5); /* R_E */
18074 +#else
18075 + rodata PT_LOAD FLAGS(4); /* R__ */
18076 +#endif
18077 data PT_LOAD FLAGS(6); /* RW_ */
18078 #ifdef CONFIG_X86_64
18079 user PT_LOAD FLAGS(5); /* R_E */
18080 +#endif
18081 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18082 #ifdef CONFIG_SMP
18083 percpu PT_LOAD FLAGS(6); /* RW_ */
18084 #endif
18085 + text.init PT_LOAD FLAGS(5); /* R_E */
18086 + text.exit PT_LOAD FLAGS(5); /* R_E */
18087 init PT_LOAD FLAGS(7); /* RWE */
18088 -#endif
18089 note PT_NOTE FLAGS(0); /* ___ */
18090 }
18091
18092 SECTIONS
18093 {
18094 #ifdef CONFIG_X86_32
18095 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18096 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18097 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18098 #else
18099 - . = __START_KERNEL;
18100 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18101 + . = __START_KERNEL;
18102 #endif
18103
18104 /* Text and read-only data */
18105 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18106 - _text = .;
18107 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18108 /* bootstrapping code */
18109 +#ifdef CONFIG_X86_32
18110 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18111 +#else
18112 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18113 +#endif
18114 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18115 + _text = .;
18116 HEAD_TEXT
18117 #ifdef CONFIG_X86_32
18118 . = ALIGN(PAGE_SIZE);
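Review bot: Under CONFIG_XEN the new `rodata` program header is declared `FLAGS(5)`, read plus execute, while the non-Xen case uses `FLAGS(4)`, and nothing in the hunk says why read-only data has to stay executable on Xen. That exception weakens the text/rodata split the rest of the hunk sets up, so it should carry a comment giving the reason, e.g. `/* Xen: rodata stays executable because <reason> */`. The unchanged `init PT_LOAD FLAGS(7); /* RWE */` line deserves the same treatment: with `text.init` and `text.exit` now split out as R_E, a comment should state what still needs a segment that is both writable and executable.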
18119 @@ -109,13 +129,47 @@ SECTIONS
18120 IRQENTRY_TEXT
18121 *(.fixup)
18122 *(.gnu.warning)
18123 - /* End of text section */
18124 - _etext = .;
18125 } :text = 0x9090
18126
18127 - NOTES :text :note
18128 + . += __KERNEL_TEXT_OFFSET;
18129 +
18130 +#ifdef CONFIG_X86_32
18131 + . = ALIGN(PAGE_SIZE);
18132 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18133 +
18134 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18135 + MODULES_EXEC_VADDR = .;
18136 + BYTE(0)
18137 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18138 + . = ALIGN(HPAGE_SIZE);
18139 + MODULES_EXEC_END = . - 1;
18140 +#endif
18141 +
18142 + } :module
18143 +#endif
18144 +
18145 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18146 + /* End of text section */
18147 + _etext = . - __KERNEL_TEXT_OFFSET;
18148 + }
18149
18150 - EXCEPTION_TABLE(16) :text = 0x9090
18151 +#ifdef CONFIG_X86_32
18152 + . = ALIGN(PAGE_SIZE);
18153 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18154 + *(.idt)
18155 + . = ALIGN(PAGE_SIZE);
18156 + *(.empty_zero_page)
18157 + *(.initial_pg_fixmap)
18158 + *(.initial_pg_pmd)
18159 + *(.initial_page_table)
18160 + *(.swapper_pg_dir)
18161 + } :rodata
18162 +#endif
18163 +
18164 + . = ALIGN(PAGE_SIZE);
18165 + NOTES :rodata :note
18166 +
18167 + EXCEPTION_TABLE(16) :rodata
18168
18169 #if defined(CONFIG_DEBUG_RODATA)
18170 /* .text should occupy whole number of pages */
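Review bot: Two details in the new `.module.text` / `.text.end` layout are undocumented and easy to break in a later edit. `BYTE(0)` at the start of the reserved module region presumably exists so the linker emits the otherwise empty output section, and that should be stated next to it, e.g. `/* BYTE(0): give the section contents so it is not dropped (confirm) */`. `.text.end` names no program header, so it lands in whichever segment precedes it (`:module` on 32-bit, `:text` otherwise). If that is intended, a one-line comment on the section should say so.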
18171 @@ -127,16 +181,20 @@ SECTIONS
18172
18173 /* Data */
18174 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18175 +
18176 +#ifdef CONFIG_PAX_KERNEXEC
18177 + . = ALIGN(HPAGE_SIZE);
18178 +#else
18179 + . = ALIGN(PAGE_SIZE);
18180 +#endif
18181 +
18182 /* Start of data section */
18183 _sdata = .;
18184
18185 /* init_task */
18186 INIT_TASK_DATA(THREAD_SIZE)
18187
18188 -#ifdef CONFIG_X86_32
18189 - /* 32 bit has nosave before _edata */
18190 NOSAVE_DATA
18191 -#endif
18192
18193 PAGE_ALIGNED_DATA(PAGE_SIZE)
18194
18195 @@ -145,6 +203,8 @@ SECTIONS
18196 DATA_DATA
18197 CONSTRUCTORS
18198
18199 + jiffies = jiffies_64;
18200 +
18201 /* rarely changed data like cpu maps */
18202 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
18203
18204 @@ -199,12 +259,6 @@ SECTIONS
18205 }
18206 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18207
18208 - . = ALIGN(L1_CACHE_BYTES);
18209 - .jiffies : AT(VLOAD(.jiffies)) {
18210 - *(.jiffies)
18211 - }
18212 - jiffies = VVIRT(.jiffies);
18213 -
18214 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18215 *(.vsyscall_3)
18216 }
18217 @@ -220,12 +274,19 @@ SECTIONS
18218 #endif /* CONFIG_X86_64 */
18219
18220 /* Init code and data - will be freed after init */
18221 - . = ALIGN(PAGE_SIZE);
18222 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18223 + BYTE(0)
18224 +
18225 +#ifdef CONFIG_PAX_KERNEXEC
18226 + . = ALIGN(HPAGE_SIZE);
18227 +#else
18228 + . = ALIGN(PAGE_SIZE);
18229 +#endif
18230 +
18231 __init_begin = .; /* paired with __init_end */
18232 - }
18233 + } :init.begin
18234
18235 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18236 +#ifdef CONFIG_SMP
18237 /*
18238 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18239 * output PHDR, so the next output section - .init.text - should
18240 @@ -234,12 +295,27 @@ SECTIONS
18241 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
18242 #endif
18243
18244 - INIT_TEXT_SECTION(PAGE_SIZE)
18245 -#ifdef CONFIG_X86_64
18246 - :init
18247 -#endif
18248 + . = ALIGN(PAGE_SIZE);
18249 + init_begin = .;
18250 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18251 + VMLINUX_SYMBOL(_sinittext) = .;
18252 + INIT_TEXT
18253 + VMLINUX_SYMBOL(_einittext) = .;
18254 + . = ALIGN(PAGE_SIZE);
18255 + } :text.init
18256
18257 - INIT_DATA_SECTION(16)
18258 + /*
18259 + * .exit.text is discard at runtime, not link time, to deal with
18260 + * references from .altinstructions and .eh_frame
18261 + */
18262 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18263 + EXIT_TEXT
18264 + . = ALIGN(16);
18265 + } :text.exit
18266 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18267 +
18268 + . = ALIGN(PAGE_SIZE);
18269 + INIT_DATA_SECTION(16) :init
18270
18271 /*
18272 * Code and data for a variety of lowlevel trampolines, to be
18273 @@ -306,19 +382,12 @@ SECTIONS
18274 }
18275
18276 . = ALIGN(8);
18277 - /*
18278 - * .exit.text is discard at runtime, not link time, to deal with
18279 - * references from .altinstructions and .eh_frame
18280 - */
18281 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18282 - EXIT_TEXT
18283 - }
18284
18285 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18286 EXIT_DATA
18287 }
18288
18289 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18290 +#ifndef CONFIG_SMP
18291 PERCPU(INTERNODE_CACHE_BYTES, PAGE_SIZE)
18292 #endif
18293
18294 @@ -337,16 +406,10 @@ SECTIONS
18295 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
18296 __smp_locks = .;
18297 *(.smp_locks)
18298 - . = ALIGN(PAGE_SIZE);
18299 __smp_locks_end = .;
18300 + . = ALIGN(PAGE_SIZE);
18301 }
18302
18303 -#ifdef CONFIG_X86_64
18304 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18305 - NOSAVE_DATA
18306 - }
18307 -#endif
18308 -
18309 /* BSS */
18310 . = ALIGN(PAGE_SIZE);
18311 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18312 @@ -362,6 +425,7 @@ SECTIONS
18313 __brk_base = .;
18314 . += 64 * 1024; /* 64k alignment slop space */
18315 *(.brk_reservation) /* areas brk users have reserved */
18316 + . = ALIGN(HPAGE_SIZE);
18317 __brk_limit = .;
18318 }
18319
18320 @@ -388,13 +452,12 @@ SECTIONS
18321 * for the boot processor.
18322 */
18323 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
18324 -INIT_PER_CPU(gdt_page);
18325 INIT_PER_CPU(irq_stack_union);
18326
18327 /*
18328 * Build-time check on the image size:
18329 */
18330 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18331 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18332 "kernel image bigger than KERNEL_IMAGE_SIZE");
18333
18334 #ifdef CONFIG_SMP
18335 diff -urNp linux-2.6.39.1/arch/x86/kernel/vsyscall_64.c linux-2.6.39.1/arch/x86/kernel/vsyscall_64.c
18336 --- linux-2.6.39.1/arch/x86/kernel/vsyscall_64.c 2011-05-19 00:06:34.000000000 -0400
18337 +++ linux-2.6.39.1/arch/x86/kernel/vsyscall_64.c 2011-05-22 19:36:30.000000000 -0400
18338 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18339
18340 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18341 /* copy vsyscall data */
18342 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18343 vsyscall_gtod_data.clock.vread = clock->vread;
18344 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18345 vsyscall_gtod_data.clock.mask = clock->mask;
18346 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18347 We do this here because otherwise user space would do it on
18348 its own in a likely inferior way (no access to jiffies).
18349 If you don't like it pass NULL. */
18350 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18351 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18352 p = tcache->blob[1];
18353 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18354 /* Load per CPU data from RDTSCP */
18355 diff -urNp linux-2.6.39.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.39.1/arch/x86/kernel/x8664_ksyms_64.c
18356 --- linux-2.6.39.1/arch/x86/kernel/x8664_ksyms_64.c 2011-05-19 00:06:34.000000000 -0400
18357 +++ linux-2.6.39.1/arch/x86/kernel/x8664_ksyms_64.c 2011-05-22 19:36:30.000000000 -0400
18358 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
18359 EXPORT_SYMBOL(copy_user_generic_string);
18360 EXPORT_SYMBOL(copy_user_generic_unrolled);
18361 EXPORT_SYMBOL(__copy_user_nocache);
18362 -EXPORT_SYMBOL(_copy_from_user);
18363 -EXPORT_SYMBOL(_copy_to_user);
18364
18365 EXPORT_SYMBOL(copy_page);
18366 EXPORT_SYMBOL(clear_page);
18367 diff -urNp linux-2.6.39.1/arch/x86/kernel/xsave.c linux-2.6.39.1/arch/x86/kernel/xsave.c
18368 --- linux-2.6.39.1/arch/x86/kernel/xsave.c 2011-05-19 00:06:34.000000000 -0400
18369 +++ linux-2.6.39.1/arch/x86/kernel/xsave.c 2011-05-22 19:36:30.000000000 -0400
18370 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
18371 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18372 return -EINVAL;
18373
18374 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18375 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18376 fx_sw_user->extended_size -
18377 FP_XSTATE_MAGIC2_SIZE));
18378 if (err)
18379 @@ -267,7 +267,7 @@ fx_only:
18380 * the other extended state.
18381 */
18382 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18383 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18384 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18385 }
18386
18387 /*
18388 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
18389 if (use_xsave())
18390 err = restore_user_xstate(buf);
18391 else
18392 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18393 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18394 buf);
18395 if (unlikely(err)) {
18396 /*
18397 diff -urNp linux-2.6.39.1/arch/x86/kvm/emulate.c linux-2.6.39.1/arch/x86/kvm/emulate.c
18398 --- linux-2.6.39.1/arch/x86/kvm/emulate.c 2011-05-19 00:06:34.000000000 -0400
18399 +++ linux-2.6.39.1/arch/x86/kvm/emulate.c 2011-05-22 19:36:30.000000000 -0400
18400 @@ -89,7 +89,7 @@
18401 #define Src2ImmByte (2<<29)
18402 #define Src2One (3<<29)
18403 #define Src2Imm (4<<29)
18404 -#define Src2Mask (7<<29)
18405 +#define Src2Mask (7U<<29)
18406
18407 #define X2(x...) x, x
18408 #define X3(x...) X2(x), x
18409 @@ -190,6 +190,7 @@ struct group_dual {
18410
18411 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
18412 do { \
18413 + unsigned long _tmp; \
18414 __asm__ __volatile__ ( \
18415 _PRE_EFLAGS("0", "4", "2") \
18416 _op _suffix " %"_x"3,%1; " \
18417 @@ -203,8 +204,6 @@ struct group_dual {
18418 /* Raw emulation: instruction has two explicit operands. */
18419 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18420 do { \
18421 - unsigned long _tmp; \
18422 - \
18423 switch ((_dst).bytes) { \
18424 case 2: \
18425 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
18426 @@ -220,7 +219,6 @@ struct group_dual {
18427
18428 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18429 do { \
18430 - unsigned long _tmp; \
18431 switch ((_dst).bytes) { \
18432 case 1: \
18433 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
18434 diff -urNp linux-2.6.39.1/arch/x86/kvm/lapic.c linux-2.6.39.1/arch/x86/kvm/lapic.c
18435 --- linux-2.6.39.1/arch/x86/kvm/lapic.c 2011-05-19 00:06:34.000000000 -0400
18436 +++ linux-2.6.39.1/arch/x86/kvm/lapic.c 2011-05-22 19:36:30.000000000 -0400
18437 @@ -53,7 +53,7 @@
18438 #define APIC_BUS_CYCLE_NS 1
18439
18440 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18441 -#define apic_debug(fmt, arg...)
18442 +#define apic_debug(fmt, arg...) do {} while (0)
18443
18444 #define APIC_LVT_NUM 6
18445 /* 14 is the version for Xeon and Pentium 8.4.8*/
18446 diff -urNp linux-2.6.39.1/arch/x86/kvm/mmu.c linux-2.6.39.1/arch/x86/kvm/mmu.c
18447 --- linux-2.6.39.1/arch/x86/kvm/mmu.c 2011-05-19 00:06:34.000000000 -0400
18448 +++ linux-2.6.39.1/arch/x86/kvm/mmu.c 2011-05-22 19:36:30.000000000 -0400
18449 @@ -3240,7 +3240,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18450
18451 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
18452
18453 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
18454 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
18455
18456 /*
18457 * Assume that the pte write on a page table of the same type
18458 @@ -3275,7 +3275,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18459 smp_rmb();
18460
18461 spin_lock(&vcpu->kvm->mmu_lock);
18462 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18463 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18464 gentry = 0;
18465 kvm_mmu_free_some_pages(vcpu);
18466 ++vcpu->kvm->stat.mmu_pte_write;
18467 diff -urNp linux-2.6.39.1/arch/x86/kvm/paging_tmpl.h linux-2.6.39.1/arch/x86/kvm/paging_tmpl.h
18468 --- linux-2.6.39.1/arch/x86/kvm/paging_tmpl.h 2011-05-19 00:06:34.000000000 -0400
18469 +++ linux-2.6.39.1/arch/x86/kvm/paging_tmpl.h 2011-05-22 19:36:30.000000000 -0400
18470 @@ -552,6 +552,8 @@ static int FNAME(page_fault)(struct kvm_
18471 unsigned long mmu_seq;
18472 bool map_writable;
18473
18474 + pax_track_stack();
18475 +
18476 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18477
18478 r = mmu_topup_memory_caches(vcpu);
18479 @@ -672,7 +674,7 @@ static void FNAME(invlpg)(struct kvm_vcp
18480 if (need_flush)
18481 kvm_flush_remote_tlbs(vcpu->kvm);
18482
18483 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
18484 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
18485
18486 spin_unlock(&vcpu->kvm->mmu_lock);
18487
18488 diff -urNp linux-2.6.39.1/arch/x86/kvm/svm.c linux-2.6.39.1/arch/x86/kvm/svm.c
18489 --- linux-2.6.39.1/arch/x86/kvm/svm.c 2011-05-19 00:06:34.000000000 -0400
18490 +++ linux-2.6.39.1/arch/x86/kvm/svm.c 2011-05-22 19:36:30.000000000 -0400
18491 @@ -3278,7 +3278,11 @@ static void reload_tss(struct kvm_vcpu *
18492 int cpu = raw_smp_processor_id();
18493
18494 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
18495 +
18496 + pax_open_kernel();
18497 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
18498 + pax_close_kernel();
18499 +
18500 load_TR_desc();
18501 }
18502
18503 @@ -3656,6 +3660,10 @@ static void svm_vcpu_run(struct kvm_vcpu
18504 #endif
18505 #endif
18506
18507 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18508 + __set_fs(current_thread_info()->addr_limit);
18509 +#endif
18510 +
18511 reload_tss(vcpu);
18512
18513 local_irq_disable();
18514 @@ -3871,7 +3879,7 @@ static void svm_fpu_deactivate(struct kv
18515 update_cr0_intercept(svm);
18516 }
18517
18518 -static struct kvm_x86_ops svm_x86_ops = {
18519 +static const struct kvm_x86_ops svm_x86_ops = {
18520 .cpu_has_kvm_support = has_svm,
18521 .disabled_by_bios = is_disabled,
18522 .hardware_setup = svm_hardware_setup,
18523 diff -urNp linux-2.6.39.1/arch/x86/kvm/vmx.c linux-2.6.39.1/arch/x86/kvm/vmx.c
18524 --- linux-2.6.39.1/arch/x86/kvm/vmx.c 2011-05-19 00:06:34.000000000 -0400
18525 +++ linux-2.6.39.1/arch/x86/kvm/vmx.c 2011-05-22 19:36:30.000000000 -0400
18526 @@ -725,7 +725,11 @@ static void reload_tss(void)
18527 struct desc_struct *descs;
18528
18529 descs = (void *)gdt->address;
18530 +
18531 + pax_open_kernel();
18532 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18533 + pax_close_kernel();
18534 +
18535 load_TR_desc();
18536 }
18537
18538 @@ -1648,8 +1652,11 @@ static __init int hardware_setup(void)
18539 if (!cpu_has_vmx_flexpriority())
18540 flexpriority_enabled = 0;
18541
18542 - if (!cpu_has_vmx_tpr_shadow())
18543 - kvm_x86_ops->update_cr8_intercept = NULL;
18544 + if (!cpu_has_vmx_tpr_shadow()) {
18545 + pax_open_kernel();
18546 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18547 + pax_close_kernel();
18548 + }
18549
18550 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18551 kvm_disable_largepages();
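Review bot: The new store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast that strips the `const` this patch adds to `kvm_x86_ops` and to `vmx_x86_ops`. Modifying an object defined `const` is undefined behaviour in C, so the code depends on the compiler not folding the initial member value, as well as on `pax_open_kernel()` making the page writable. The line should at least carry a comment that this is a deliberate one-time write during `__init`, e.g. `/* ops table is const/read-only; patched once at setup under pax_open_kernel() */`. hardware_setup continues outside the hunk.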
18552 @@ -2693,7 +2700,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18553 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
18554
18555 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18556 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18557 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18558 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18559 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18560 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
18561 @@ -4068,6 +4075,12 @@ static void __noclone vmx_vcpu_run(struc
18562 "jmp .Lkvm_vmx_return \n\t"
18563 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18564 ".Lkvm_vmx_return: "
18565 +
18566 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18567 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18568 + ".Lkvm_vmx_return2: "
18569 +#endif
18570 +
18571 /* Save guest registers, load host registers, keep flags */
18572 "mov %0, %c[wordsize](%%"R"sp) \n\t"
18573 "pop %0 \n\t"
18574 @@ -4116,6 +4129,11 @@ static void __noclone vmx_vcpu_run(struc
18575 #endif
18576 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
18577 [wordsize]"i"(sizeof(ulong))
18578 +
18579 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18580 + ,[cs]"i"(__KERNEL_CS)
18581 +#endif
18582 +
18583 : "cc", "memory"
18584 , R"ax", R"bx", R"di", R"si"
18585 #ifdef CONFIG_X86_64
18586 @@ -4130,7 +4148,16 @@ static void __noclone vmx_vcpu_run(struc
18587
18588 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
18589
18590 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18591 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18592 +
18593 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18594 + loadsegment(fs, __KERNEL_PERCPU);
18595 +#endif
18596 +
18597 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18598 + __set_fs(current_thread_info()->addr_limit);
18599 +#endif
18600 +
18601 vmx->launched = 1;
18602
18603 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
18604 @@ -4368,7 +4395,7 @@ static void vmx_set_supported_cpuid(u32
18605 {
18606 }
18607
18608 -static struct kvm_x86_ops vmx_x86_ops = {
18609 +static const struct kvm_x86_ops vmx_x86_ops = {
18610 .cpu_has_kvm_support = cpu_has_kvm_support,
18611 .disabled_by_bios = vmx_disabled_by_bios,
18612 .hardware_setup = hardware_setup,
18613 diff -urNp linux-2.6.39.1/arch/x86/kvm/x86.c linux-2.6.39.1/arch/x86/kvm/x86.c
18614 --- linux-2.6.39.1/arch/x86/kvm/x86.c 2011-05-19 00:06:34.000000000 -0400
18615 +++ linux-2.6.39.1/arch/x86/kvm/x86.c 2011-05-22 19:36:30.000000000 -0400
18616 @@ -94,7 +94,7 @@ static void update_cr8_intercept(struct
18617 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18618 struct kvm_cpuid_entry2 __user *entries);
18619
18620 -struct kvm_x86_ops *kvm_x86_ops;
18621 +const struct kvm_x86_ops *kvm_x86_ops;
18622 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18623
18624 int ignore_msrs = 0;
18625 @@ -2050,6 +2050,8 @@ long kvm_arch_dev_ioctl(struct file *fil
18626 if (n < msr_list.nmsrs)
18627 goto out;
18628 r = -EFAULT;
18629 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
18630 + goto out;
18631 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
18632 num_msrs_to_save * sizeof(u32)))
18633 goto out;
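Review bot: The added bound `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` fails with the `r = -EFAULT` set just above, which tells user space its buffer was bad when the real condition is a kernel-side count exceeding the kernel's own array. Since it can only fire on an internal inconsistency, writing it as `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` would make it visible in the log instead of silent. The check covers only the `copy_to_user()` shown here; any later copy in this ioctl case is outside the hunk.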
18634 @@ -2217,15 +2219,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18635 struct kvm_cpuid2 *cpuid,
18636 struct kvm_cpuid_entry2 __user *entries)
18637 {
18638 - int r;
18639 + int r, i;
18640
18641 r = -E2BIG;
18642 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18643 goto out;
18644 r = -EFAULT;
18645 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18646 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18647 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18648 goto out;
18649 + for (i = 0; i < cpuid->nent; ++i) {
18650 + struct kvm_cpuid_entry2 cpuid_entry;
18651 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18652 + goto out;
18653 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18654 + }
18655 vcpu->arch.cpuid_nent = cpuid->nent;
18656 kvm_apic_set_version(vcpu);
18657 kvm_x86_ops->cpuid_update(vcpu);
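Review bot: The per-entry loop stores each `cpuid_entry` into `vcpu->arch.cpuid_entries[i]` as it goes, so a fault from `__copy_from_user()` at entry i returns -EFAULT with entries [0, i) already replaced while `cpuid_nent` still holds the old count. If a half-updated table is acceptable, say so in a comment such as `/* on fault, entries [0, i) are already overwritten; cpuid_nent is unchanged */`. Otherwise the entries need to be staged in a temporary buffer and committed only after the last copy succeeds. The `out:` path of the function is outside the hunk.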
18658 @@ -2240,15 +2247,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18659 struct kvm_cpuid2 *cpuid,
18660 struct kvm_cpuid_entry2 __user *entries)
18661 {
18662 - int r;
18663 + int r, i;
18664
18665 r = -E2BIG;
18666 if (cpuid->nent < vcpu->arch.cpuid_nent)
18667 goto out;
18668 r = -EFAULT;
18669 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18670 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18671 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18672 goto out;
18673 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18674 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18675 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18676 + goto out;
18677 + }
18678 return 0;
18679
18680 out:
18681 @@ -2526,7 +2537,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18682 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18683 struct kvm_interrupt *irq)
18684 {
18685 - if (irq->irq < 0 || irq->irq >= 256)
18686 + if (irq->irq >= 256)
18687 return -EINVAL;
18688 if (irqchip_in_kernel(vcpu->kvm))
18689 return -ENXIO;
18690 @@ -4672,7 +4683,7 @@ static unsigned long kvm_get_guest_ip(vo
18691 return ip;
18692 }
18693
18694 -static struct perf_guest_info_callbacks kvm_guest_cbs = {
18695 +static const struct perf_guest_info_callbacks kvm_guest_cbs = {
18696 .is_in_guest = kvm_is_in_guest,
18697 .is_user_mode = kvm_is_user_mode,
18698 .get_guest_ip = kvm_get_guest_ip,
18699 @@ -4690,10 +4701,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
18700 }
18701 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
18702
18703 -int kvm_arch_init(void *opaque)
18704 +int kvm_arch_init(const void *opaque)
18705 {
18706 int r;
18707 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
18708 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
18709
18710 if (kvm_x86_ops) {
18711 printk(KERN_ERR "kvm: already loaded the other module\n");
18712 diff -urNp linux-2.6.39.1/arch/x86/lib/atomic64_32.c linux-2.6.39.1/arch/x86/lib/atomic64_32.c
18713 --- linux-2.6.39.1/arch/x86/lib/atomic64_32.c 2011-05-19 00:06:34.000000000 -0400
18714 +++ linux-2.6.39.1/arch/x86/lib/atomic64_32.c 2011-05-22 19:36:30.000000000 -0400
18715 @@ -8,18 +8,30 @@
18716
18717 long long atomic64_read_cx8(long long, const atomic64_t *v);
18718 EXPORT_SYMBOL(atomic64_read_cx8);
18719 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
18720 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
18721 long long atomic64_set_cx8(long long, const atomic64_t *v);
18722 EXPORT_SYMBOL(atomic64_set_cx8);
18723 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
18724 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
18725 long long atomic64_xchg_cx8(long long, unsigned high);
18726 EXPORT_SYMBOL(atomic64_xchg_cx8);
18727 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
18728 EXPORT_SYMBOL(atomic64_add_return_cx8);
18729 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18730 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
18731 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
18732 EXPORT_SYMBOL(atomic64_sub_return_cx8);
18733 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18734 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
18735 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
18736 EXPORT_SYMBOL(atomic64_inc_return_cx8);
18737 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18738 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
18739 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
18740 EXPORT_SYMBOL(atomic64_dec_return_cx8);
18741 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18742 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
18743 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
18744 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
18745 int atomic64_inc_not_zero_cx8(atomic64_t *v);
18746 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
18747 #ifndef CONFIG_X86_CMPXCHG64
18748 long long atomic64_read_386(long long, const atomic64_t *v);
18749 EXPORT_SYMBOL(atomic64_read_386);
18750 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
18751 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
18752 long long atomic64_set_386(long long, const atomic64_t *v);
18753 EXPORT_SYMBOL(atomic64_set_386);
18754 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
18755 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
18756 long long atomic64_xchg_386(long long, unsigned high);
18757 EXPORT_SYMBOL(atomic64_xchg_386);
18758 long long atomic64_add_return_386(long long a, atomic64_t *v);
18759 EXPORT_SYMBOL(atomic64_add_return_386);
18760 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
18761 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
18762 long long atomic64_sub_return_386(long long a, atomic64_t *v);
18763 EXPORT_SYMBOL(atomic64_sub_return_386);
18764 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
18765 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
18766 long long atomic64_inc_return_386(long long a, atomic64_t *v);
18767 EXPORT_SYMBOL(atomic64_inc_return_386);
18768 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
18769 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
18770 long long atomic64_dec_return_386(long long a, atomic64_t *v);
18771 EXPORT_SYMBOL(atomic64_dec_return_386);
18772 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
18773 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
18774 long long atomic64_add_386(long long a, atomic64_t *v);
18775 EXPORT_SYMBOL(atomic64_add_386);
18776 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
18777 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
18778 long long atomic64_sub_386(long long a, atomic64_t *v);
18779 EXPORT_SYMBOL(atomic64_sub_386);
18780 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
18781 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
18782 long long atomic64_inc_386(long long a, atomic64_t *v);
18783 EXPORT_SYMBOL(atomic64_inc_386);
18784 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
18785 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
18786 long long atomic64_dec_386(long long a, atomic64_t *v);
18787 EXPORT_SYMBOL(atomic64_dec_386);
18788 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
18789 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
18790 long long atomic64_dec_if_positive_386(atomic64_t *v);
18791 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
18792 int atomic64_inc_not_zero_386(atomic64_t *v);
18793 diff -urNp linux-2.6.39.1/arch/x86/lib/atomic64_386_32.S linux-2.6.39.1/arch/x86/lib/atomic64_386_32.S
18794 --- linux-2.6.39.1/arch/x86/lib/atomic64_386_32.S 2011-05-19 00:06:34.000000000 -0400
18795 +++ linux-2.6.39.1/arch/x86/lib/atomic64_386_32.S 2011-05-22 19:36:30.000000000 -0400
18796 @@ -48,6 +48,10 @@ BEGIN(read)
18797 movl (v), %eax
18798 movl 4(v), %edx
18799 RET_ENDP
18800 +BEGIN(read_unchecked)
18801 + movl (v), %eax
18802 + movl 4(v), %edx
18803 +RET_ENDP
18804 #undef v
18805
18806 #define v %esi
18807 @@ -55,6 +59,10 @@ BEGIN(set)
18808 movl %ebx, (v)
18809 movl %ecx, 4(v)
18810 RET_ENDP
18811 +BEGIN(set_unchecked)
18812 + movl %ebx, (v)
18813 + movl %ecx, 4(v)
18814 +RET_ENDP
18815 #undef v
18816
18817 #define v %esi
18818 @@ -70,6 +78,20 @@ RET_ENDP
18819 BEGIN(add)
18820 addl %eax, (v)
18821 adcl %edx, 4(v)
18822 +
18823 +#ifdef CONFIG_PAX_REFCOUNT
18824 + jno 0f
18825 + subl %eax, (v)
18826 + sbbl %edx, 4(v)
18827 + int $4
18828 +0:
18829 + _ASM_EXTABLE(0b, 0b)
18830 +#endif
18831 +
18832 +RET_ENDP
18833 +BEGIN(add_unchecked)
18834 + addl %eax, (v)
18835 + adcl %edx, 4(v)
18836 RET_ENDP
18837 #undef v
18838
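Review bot: The CONFIG_PAX_REFCOUNT block added to `add` has no comment, and two things in it are not obvious. The wrapped sum is written to memory first and only then undone by `subl`/`sbbl`, and `_ASM_EXTABLE(0b, 0b)` maps label 0 to itself. A comment such as `/* signed overflow: undo the add, then raise #OF so it can be reported */` would cover the first. The second needs a line explaining the self-referencing entry, which presumably marks the return address of `int $4` as a known refcount site (confirm against the trap handler, not shown here). The same block recurs in the `sub`, `inc` and `dec` hunks below. Whether another context can observe the wrapped value before the undo depends on the BEGIN/RET_ENDP macros, which are outside these hunks.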
18839 @@ -77,6 +99,24 @@ RET_ENDP
18840 BEGIN(add_return)
18841 addl (v), %eax
18842 adcl 4(v), %edx
18843 +
18844 +#ifdef CONFIG_PAX_REFCOUNT
18845 + into
18846 +1234:
18847 + _ASM_EXTABLE(1234b, 2f)
18848 +#endif
18849 +
18850 + movl %eax, (v)
18851 + movl %edx, 4(v)
18852 +
18853 +#ifdef CONFIG_PAX_REFCOUNT
18854 +2:
18855 +#endif
18856 +
18857 +RET_ENDP
18858 +BEGIN(add_return_unchecked)
18859 + addl (v), %eax
18860 + adcl 4(v), %edx
18861 movl %eax, (v)
18862 movl %edx, 4(v)
18863 RET_ENDP
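Review bot: In `add_return` the exception-table entry sends the `into` trap to label `2:`, which sits after both `movl` stores, so on overflow the counter in memory is left unchanged but `%eax`/`%edx` still hold the wrapped sum when the routine returns. Unless the trap handler (outside this hunk) changes those registers, the caller receives a value that was never stored. That should be documented at the label, e.g. `/* overflow: stores skipped, %edx:%eax still hold the wrapped result */`. The `sub_return`, `inc_return` and `dec_return` hunks below use the same sequence.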
18864 @@ -86,6 +126,20 @@ RET_ENDP
18865 BEGIN(sub)
18866 subl %eax, (v)
18867 sbbl %edx, 4(v)
18868 +
18869 +#ifdef CONFIG_PAX_REFCOUNT
18870 + jno 0f
18871 + addl %eax, (v)
18872 + adcl %edx, 4(v)
18873 + int $4
18874 +0:
18875 + _ASM_EXTABLE(0b, 0b)
18876 +#endif
18877 +
18878 +RET_ENDP
18879 +BEGIN(sub_unchecked)
18880 + subl %eax, (v)
18881 + sbbl %edx, 4(v)
18882 RET_ENDP
18883 #undef v
18884
18885 @@ -96,6 +150,27 @@ BEGIN(sub_return)
18886 sbbl $0, %edx
18887 addl (v), %eax
18888 adcl 4(v), %edx
18889 +
18890 +#ifdef CONFIG_PAX_REFCOUNT
18891 + into
18892 +1234:
18893 + _ASM_EXTABLE(1234b, 2f)
18894 +#endif
18895 +
18896 + movl %eax, (v)
18897 + movl %edx, 4(v)
18898 +
18899 +#ifdef CONFIG_PAX_REFCOUNT
18900 +2:
18901 +#endif
18902 +
18903 +RET_ENDP
18904 +BEGIN(sub_return_unchecked)
18905 + negl %edx
18906 + negl %eax
18907 + sbbl $0, %edx
18908 + addl (v), %eax
18909 + adcl 4(v), %edx
18910 movl %eax, (v)
18911 movl %edx, 4(v)
18912 RET_ENDP
18913 @@ -105,6 +180,20 @@ RET_ENDP
18914 BEGIN(inc)
18915 addl $1, (v)
18916 adcl $0, 4(v)
18917 +
18918 +#ifdef CONFIG_PAX_REFCOUNT
18919 + jno 0f
18920 + subl $1, (v)
18921 + sbbl $0, 4(v)
18922 + int $4
18923 +0:
18924 + _ASM_EXTABLE(0b, 0b)
18925 +#endif
18926 +
18927 +RET_ENDP
18928 +BEGIN(inc_unchecked)
18929 + addl $1, (v)
18930 + adcl $0, 4(v)
18931 RET_ENDP
18932 #undef v
18933
18934 @@ -114,6 +203,26 @@ BEGIN(inc_return)
18935 movl 4(v), %edx
18936 addl $1, %eax
18937 adcl $0, %edx
18938 +
18939 +#ifdef CONFIG_PAX_REFCOUNT
18940 + into
18941 +1234:
18942 + _ASM_EXTABLE(1234b, 2f)
18943 +#endif
18944 +
18945 + movl %eax, (v)
18946 + movl %edx, 4(v)
18947 +
18948 +#ifdef CONFIG_PAX_REFCOUNT
18949 +2:
18950 +#endif
18951 +
18952 +RET_ENDP
18953 +BEGIN(inc_return_unchecked)
18954 + movl (v), %eax
18955 + movl 4(v), %edx
18956 + addl $1, %eax
18957 + adcl $0, %edx
18958 movl %eax, (v)
18959 movl %edx, 4(v)
18960 RET_ENDP
18961 @@ -123,6 +232,20 @@ RET_ENDP
18962 BEGIN(dec)
18963 subl $1, (v)
18964 sbbl $0, 4(v)
18965 +
18966 +#ifdef CONFIG_PAX_REFCOUNT
18967 + jno 0f
18968 + addl $1, (v)
18969 + adcl $0, 4(v)
18970 + int $4
18971 +0:
18972 + _ASM_EXTABLE(0b, 0b)
18973 +#endif
18974 +
18975 +RET_ENDP
18976 +BEGIN(dec_unchecked)
18977 + subl $1, (v)
18978 + sbbl $0, 4(v)
18979 RET_ENDP
18980 #undef v
18981
18982 @@ -132,6 +255,26 @@ BEGIN(dec_return)
18983 movl 4(v), %edx
18984 subl $1, %eax
18985 sbbl $0, %edx
18986 +
18987 +#ifdef CONFIG_PAX_REFCOUNT
18988 + into
18989 +1234:
18990 + _ASM_EXTABLE(1234b, 2f)
18991 +#endif
18992 +
18993 + movl %eax, (v)
18994 + movl %edx, 4(v)
18995 +
18996 +#ifdef CONFIG_PAX_REFCOUNT
18997 +2:
18998 +#endif
18999 +
19000 +RET_ENDP
19001 +BEGIN(dec_return_unchecked)
19002 + movl (v), %eax
19003 + movl 4(v), %edx
19004 + subl $1, %eax
19005 + sbbl $0, %edx
19006 movl %eax, (v)
19007 movl %edx, 4(v)
19008 RET_ENDP
19009 @@ -143,6 +286,13 @@ BEGIN(add_unless)
19010 adcl %edx, %edi
19011 addl (v), %eax
19012 adcl 4(v), %edx
19013 +
19014 +#ifdef CONFIG_PAX_REFCOUNT
19015 + into
19016 +1234:
19017 + _ASM_EXTABLE(1234b, 2f)
19018 +#endif
19019 +
19020 cmpl %eax, %esi
19021 je 3f
19022 1:
19023 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
19024 1:
19025 addl $1, %eax
19026 adcl $0, %edx
19027 +
19028 +#ifdef CONFIG_PAX_REFCOUNT
19029 + into
19030 +1234:
19031 + _ASM_EXTABLE(1234b, 2f)
19032 +#endif
19033 +
19034 movl %eax, (v)
19035 movl %edx, 4(v)
19036 movl $1, %eax
19037 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
19038 movl 4(v), %edx
19039 subl $1, %eax
19040 sbbl $0, %edx
19041 +
19042 +#ifdef CONFIG_PAX_REFCOUNT
19043 + into
19044 +1234:
19045 + _ASM_EXTABLE(1234b, 1f)
19046 +#endif
19047 +
19048 js 1f
19049 movl %eax, (v)
19050 movl %edx, 4(v)
19051 diff -urNp linux-2.6.39.1/arch/x86/lib/atomic64_cx8_32.S linux-2.6.39.1/arch/x86/lib/atomic64_cx8_32.S
19052 --- linux-2.6.39.1/arch/x86/lib/atomic64_cx8_32.S 2011-05-19 00:06:34.000000000 -0400
19053 +++ linux-2.6.39.1/arch/x86/lib/atomic64_cx8_32.S 2011-05-22 19:36:30.000000000 -0400
19054 @@ -39,6 +39,14 @@ ENTRY(atomic64_read_cx8)
19055 CFI_ENDPROC
19056 ENDPROC(atomic64_read_cx8)
19057
19058 +ENTRY(atomic64_read_unchecked_cx8)
19059 + CFI_STARTPROC
19060 +
19061 + read64 %ecx
19062 + ret
19063 + CFI_ENDPROC
19064 +ENDPROC(atomic64_read_unchecked_cx8)
19065 +
19066 ENTRY(atomic64_set_cx8)
19067 CFI_STARTPROC
19068
19069 @@ -52,6 +60,19 @@ ENTRY(atomic64_set_cx8)
19070 CFI_ENDPROC
19071 ENDPROC(atomic64_set_cx8)
19072
19073 +ENTRY(atomic64_set_unchecked_cx8)
19074 + CFI_STARTPROC
19075 +
19076 +1:
19077 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
19078 + * are atomic on 586 and newer */
19079 + cmpxchg8b (%esi)
19080 + jne 1b
19081 +
19082 + ret
19083 + CFI_ENDPROC
19084 +ENDPROC(atomic64_set_unchecked_cx8)
19085 +
19086 ENTRY(atomic64_xchg_cx8)
19087 CFI_STARTPROC
19088
19089 @@ -66,8 +87,8 @@ ENTRY(atomic64_xchg_cx8)
19090 CFI_ENDPROC
19091 ENDPROC(atomic64_xchg_cx8)
19092
19093 -.macro addsub_return func ins insc
19094 -ENTRY(atomic64_\func\()_return_cx8)
19095 +.macro addsub_return func ins insc unchecked=""
19096 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19097 CFI_STARTPROC
19098 SAVE ebp
19099 SAVE ebx
19100 @@ -84,27 +105,43 @@ ENTRY(atomic64_\func\()_return_cx8)
19101 movl %edx, %ecx
19102 \ins\()l %esi, %ebx
19103 \insc\()l %edi, %ecx
19104 +
19105 +.ifb \unchecked
19106 +#ifdef CONFIG_PAX_REFCOUNT
19107 + into
19108 +2:
19109 + _ASM_EXTABLE(2b, 3f)
19110 +#endif
19111 +.endif
19112 +
19113 LOCK_PREFIX
19114 cmpxchg8b (%ebp)
19115 jne 1b
19116 -
19117 -10:
19118 movl %ebx, %eax
19119 movl %ecx, %edx
19120 +
19121 +.ifb \unchecked
19122 +#ifdef CONFIG_PAX_REFCOUNT
19123 +3:
19124 +#endif
19125 +.endif
19126 +
19127 RESTORE edi
19128 RESTORE esi
19129 RESTORE ebx
19130 RESTORE ebp
19131 ret
19132 CFI_ENDPROC
19133 -ENDPROC(atomic64_\func\()_return_cx8)
19134 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19135 .endm
19136
19137 addsub_return add add adc
19138 addsub_return sub sub sbb
19139 +addsub_return add add adc _unchecked
19140 +addsub_return sub sub sbb _unchecked
19141
19142 -.macro incdec_return func ins insc
19143 -ENTRY(atomic64_\func\()_return_cx8)
19144 +.macro incdec_return func ins insc unchecked
19145 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19146 CFI_STARTPROC
19147 SAVE ebx
19148
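Review bot: `.macro incdec_return func ins insc unchecked` declares its fourth parameter without a default, while addsub_return in the previous hunk is declared with `unchecked=""`, and both macros are invoked with three arguments for the checked variants. Giving the two declarations the same form, `.macro incdec_return func ins insc unchecked=""`, keeps them parallel and makes it clear that `.ifb \unchecked` is meant to be true for the three-argument calls. The body of incdec_return continues in the next hunk.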
19149 @@ -114,21 +151,38 @@ ENTRY(atomic64_\func\()_return_cx8)
19150 movl %edx, %ecx
19151 \ins\()l $1, %ebx
19152 \insc\()l $0, %ecx
19153 +
19154 +.ifb \unchecked
19155 +#ifdef CONFIG_PAX_REFCOUNT
19156 + into
19157 +2:
19158 + _ASM_EXTABLE(2b, 3f)
19159 +#endif
19160 +.endif
19161 +
19162 LOCK_PREFIX
19163 cmpxchg8b (%esi)
19164 jne 1b
19165
19166 -10:
19167 movl %ebx, %eax
19168 movl %ecx, %edx
19169 +
19170 +.ifb \unchecked
19171 +#ifdef CONFIG_PAX_REFCOUNT
19172 +3:
19173 +#endif
19174 +.endif
19175 +
19176 RESTORE ebx
19177 ret
19178 CFI_ENDPROC
19179 -ENDPROC(atomic64_\func\()_return_cx8)
19180 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19181 .endm
19182
19183 incdec_return inc add adc
19184 incdec_return dec sub sbb
19185 +incdec_return inc add adc _unchecked
19186 +incdec_return dec sub sbb _unchecked
19187
19188 ENTRY(atomic64_dec_if_positive_cx8)
19189 CFI_STARTPROC
19190 @@ -140,6 +194,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
19191 movl %edx, %ecx
19192 subl $1, %ebx
19193 sbb $0, %ecx
19194 +
19195 +#ifdef CONFIG_PAX_REFCOUNT
19196 + into
19197 +1234:
19198 + _ASM_EXTABLE(1234b, 2f)
19199 +#endif
19200 +
19201 js 2f
19202 LOCK_PREFIX
19203 cmpxchg8b (%esi)
19204 @@ -174,6 +235,13 @@ ENTRY(atomic64_add_unless_cx8)
19205 movl %edx, %ecx
19206 addl %esi, %ebx
19207 adcl %edi, %ecx
19208 +
19209 +#ifdef CONFIG_PAX_REFCOUNT
19210 + into
19211 +1234:
19212 + _ASM_EXTABLE(1234b, 3f)
19213 +#endif
19214 +
19215 LOCK_PREFIX
19216 cmpxchg8b (%ebp)
19217 jne 1b
19218 @@ -206,6 +274,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
19219 movl %edx, %ecx
19220 addl $1, %ebx
19221 adcl $0, %ecx
19222 +
19223 +#ifdef CONFIG_PAX_REFCOUNT
19224 + into
19225 +1234:
19226 + _ASM_EXTABLE(1234b, 3f)
19227 +#endif
19228 +
19229 LOCK_PREFIX
19230 cmpxchg8b (%esi)
19231 jne 1b
19232 diff -urNp linux-2.6.39.1/arch/x86/lib/checksum_32.S linux-2.6.39.1/arch/x86/lib/checksum_32.S
19233 --- linux-2.6.39.1/arch/x86/lib/checksum_32.S 2011-05-19 00:06:34.000000000 -0400
19234 +++ linux-2.6.39.1/arch/x86/lib/checksum_32.S 2011-05-22 19:36:30.000000000 -0400
19235 @@ -28,7 +28,8 @@
19236 #include <linux/linkage.h>
19237 #include <asm/dwarf2.h>
19238 #include <asm/errno.h>
19239 -
19240 +#include <asm/segment.h>
19241 +
19242 /*
19243 * computes a partial checksum, e.g. for TCP/UDP fragments
19244 */
19245 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
19246
19247 #define ARGBASE 16
19248 #define FP 12
19249 -
19250 -ENTRY(csum_partial_copy_generic)
19251 +
19252 +ENTRY(csum_partial_copy_generic_to_user)
19253 CFI_STARTPROC
19254 +
19255 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19256 + pushl_cfi %gs
19257 + popl_cfi %es
19258 + jmp csum_partial_copy_generic
19259 +#endif
19260 +
19261 +ENTRY(csum_partial_copy_generic_from_user)
19262 +
19263 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19264 + pushl_cfi %gs
19265 + popl_cfi %ds
19266 +#endif
19267 +
19268 +ENTRY(csum_partial_copy_generic)
19269 subl $4,%esp
19270 CFI_ADJUST_CFA_OFFSET 4
19271 pushl_cfi %edi
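Review bot: Three entry points are stacked here and two of them are reached by falling through, but no comment says so and only the first one ends up with an end marker. Without CONFIG_PAX_MEMORY_UDEREF, csum_partial_copy_generic_to_user runs straight into csum_partial_copy_generic_from_user and then csum_partial_copy_generic; a later hunk renames the closing line to `ENDPROC(csum_partial_copy_generic_to_user)`, so the other two symbols appear to lose their ENDPROC annotation. Consider a `/* falls through */` comment before each following ENTRY and keeping `ENDPROC(csum_partial_copy_generic)`, plus one for the _from_user symbol, next to the renamed line. The PentiumII/PPro variant further down has the same layout, and the function body continues outside this hunk.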
19272 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
19273 jmp 4f
19274 SRC(1: movw (%esi), %bx )
19275 addl $2, %esi
19276 -DST( movw %bx, (%edi) )
19277 +DST( movw %bx, %es:(%edi) )
19278 addl $2, %edi
19279 addw %bx, %ax
19280 adcl $0, %eax
19281 @@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
19282 SRC(1: movl (%esi), %ebx )
19283 SRC( movl 4(%esi), %edx )
19284 adcl %ebx, %eax
19285 -DST( movl %ebx, (%edi) )
19286 +DST( movl %ebx, %es:(%edi) )
19287 adcl %edx, %eax
19288 -DST( movl %edx, 4(%edi) )
19289 +DST( movl %edx, %es:4(%edi) )
19290
19291 SRC( movl 8(%esi), %ebx )
19292 SRC( movl 12(%esi), %edx )
19293 adcl %ebx, %eax
19294 -DST( movl %ebx, 8(%edi) )
19295 +DST( movl %ebx, %es:8(%edi) )
19296 adcl %edx, %eax
19297 -DST( movl %edx, 12(%edi) )
19298 +DST( movl %edx, %es:12(%edi) )
19299
19300 SRC( movl 16(%esi), %ebx )
19301 SRC( movl 20(%esi), %edx )
19302 adcl %ebx, %eax
19303 -DST( movl %ebx, 16(%edi) )
19304 +DST( movl %ebx, %es:16(%edi) )
19305 adcl %edx, %eax
19306 -DST( movl %edx, 20(%edi) )
19307 +DST( movl %edx, %es:20(%edi) )
19308
19309 SRC( movl 24(%esi), %ebx )
19310 SRC( movl 28(%esi), %edx )
19311 adcl %ebx, %eax
19312 -DST( movl %ebx, 24(%edi) )
19313 +DST( movl %ebx, %es:24(%edi) )
19314 adcl %edx, %eax
19315 -DST( movl %edx, 28(%edi) )
19316 +DST( movl %edx, %es:28(%edi) )
19317
19318 lea 32(%esi), %esi
19319 lea 32(%edi), %edi
19320 @@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
19321 shrl $2, %edx # This clears CF
19322 SRC(3: movl (%esi), %ebx )
19323 adcl %ebx, %eax
19324 -DST( movl %ebx, (%edi) )
19325 +DST( movl %ebx, %es:(%edi) )
19326 lea 4(%esi), %esi
19327 lea 4(%edi), %edi
19328 dec %edx
19329 @@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
19330 jb 5f
19331 SRC( movw (%esi), %cx )
19332 leal 2(%esi), %esi
19333 -DST( movw %cx, (%edi) )
19334 +DST( movw %cx, %es:(%edi) )
19335 leal 2(%edi), %edi
19336 je 6f
19337 shll $16,%ecx
19338 SRC(5: movb (%esi), %cl )
19339 -DST( movb %cl, (%edi) )
19340 +DST( movb %cl, %es:(%edi) )
19341 6: addl %ecx, %eax
19342 adcl $0, %eax
19343 7:
19344 @@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
19345
19346 6001:
19347 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19348 - movl $-EFAULT, (%ebx)
19349 + movl $-EFAULT, %ss:(%ebx)
19350
19351 # zero the complete destination - computing the rest
19352 # is too much work
19353 @@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
19354
19355 6002:
19356 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19357 - movl $-EFAULT,(%ebx)
19358 + movl $-EFAULT,%ss:(%ebx)
19359 jmp 5000b
19360
19361 .previous
19362
19363 + pushl_cfi %ss
19364 + popl_cfi %ds
19365 + pushl_cfi %ss
19366 + popl_cfi %es
19367 popl_cfi %ebx
19368 CFI_RESTORE ebx
19369 popl_cfi %esi
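Review bot: The four added lines `pushl_cfi %ss` / `popl_cfi %ds` / `pushl_cfi %ss` / `popl_cfi %es` are unconditional here, whereas the PentiumII/PPro variant later in this file wraps the same restore in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The entry stubs change %ds and %es only under that option, so this variant looks like it should carry the same guard: `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl_cfi %ss` and `#endif` after the second `popl_cfi %es`. The epilogue continues past the end of the hunk.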
19370 @@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
19371 popl_cfi %ecx # equivalent to addl $4,%esp
19372 ret
19373 CFI_ENDPROC
19374 -ENDPROC(csum_partial_copy_generic)
19375 +ENDPROC(csum_partial_copy_generic_to_user)
19376
19377 #else
19378
19379 /* Version for PentiumII/PPro */
19380
19381 #define ROUND1(x) \
19382 + nop; nop; nop; \
19383 SRC(movl x(%esi), %ebx ) ; \
19384 addl %ebx, %eax ; \
19385 - DST(movl %ebx, x(%edi) ) ;
19386 + DST(movl %ebx, %es:x(%edi)) ;
19387
19388 #define ROUND(x) \
19389 + nop; nop; nop; \
19390 SRC(movl x(%esi), %ebx ) ; \
19391 adcl %ebx, %eax ; \
19392 - DST(movl %ebx, x(%edi) ) ;
19393 + DST(movl %ebx, %es:x(%edi)) ;
19394
19395 #define ARGBASE 12
19396 -
19397 -ENTRY(csum_partial_copy_generic)
19398 +
19399 +ENTRY(csum_partial_copy_generic_to_user)
19400 CFI_STARTPROC
19401 +
19402 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19403 + pushl_cfi %gs
19404 + popl_cfi %es
19405 + jmp csum_partial_copy_generic
19406 +#endif
19407 +
19408 +ENTRY(csum_partial_copy_generic_from_user)
19409 +
19410 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19411 + pushl_cfi %gs
19412 + popl_cfi %ds
19413 +#endif
19414 +
19415 +ENTRY(csum_partial_copy_generic)
19416 pushl_cfi %ebx
19417 CFI_REL_OFFSET ebx, 0
19418 pushl_cfi %edi
19419 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
19420 subl %ebx, %edi
19421 lea -1(%esi),%edx
19422 andl $-32,%edx
19423 - lea 3f(%ebx,%ebx), %ebx
19424 + lea 3f(%ebx,%ebx,2), %ebx
19425 testl %esi, %esi
19426 jmp *%ebx
19427 1: addl $64,%esi
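Review bot: The new scale in `lea 3f(%ebx,%ebx,2), %ebx` depends on the byte size of each ROUND expansion, and that coupling is not written down anywhere. The previous hunk pads ROUND1 and ROUND with `nop; nop; nop;` and adds an `%es:` override, which presumably makes each round half as large again so that the index has to be multiplied by 3 instead of 2. A comment on the `lea`, such as `/* each ROUND grew by the %es: prefix plus 3 nops; keep this scale in step with the macro */`, would protect the computed jump from a later edit to the macro. The enclosing routine starts and ends outside the hunk.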
19428 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
19429 jb 5f
19430 SRC( movw (%esi), %dx )
19431 leal 2(%esi), %esi
19432 -DST( movw %dx, (%edi) )
19433 +DST( movw %dx, %es:(%edi) )
19434 leal 2(%edi), %edi
19435 je 6f
19436 shll $16,%edx
19437 5:
19438 SRC( movb (%esi), %dl )
19439 -DST( movb %dl, (%edi) )
19440 +DST( movb %dl, %es:(%edi) )
19441 6: addl %edx, %eax
19442 adcl $0, %eax
19443 7:
19444 .section .fixup, "ax"
19445 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19446 - movl $-EFAULT, (%ebx)
19447 + movl $-EFAULT, %ss:(%ebx)
19448 # zero the complete destination (computing the rest is too much work)
19449 movl ARGBASE+8(%esp),%edi # dst
19450 movl ARGBASE+12(%esp),%ecx # len
19451 @@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
19452 rep; stosb
19453 jmp 7b
19454 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19455 - movl $-EFAULT, (%ebx)
19456 + movl $-EFAULT, %ss:(%ebx)
19457 jmp 7b
19458 .previous
19459
19460 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19461 + pushl_cfi %ss
19462 + popl_cfi %ds
19463 + pushl_cfi %ss
19464 + popl_cfi %es
19465 +#endif
19466 +
19467 popl_cfi %esi
19468 CFI_RESTORE esi
19469 popl_cfi %edi
19470 @@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
19471 CFI_RESTORE ebx
19472 ret
19473 CFI_ENDPROC
19474 -ENDPROC(csum_partial_copy_generic)
19475 +ENDPROC(csum_partial_copy_generic_to_user)
19476
19477 #undef ROUND
19478 #undef ROUND1
19479 diff -urNp linux-2.6.39.1/arch/x86/lib/clear_page_64.S linux-2.6.39.1/arch/x86/lib/clear_page_64.S
19480 --- linux-2.6.39.1/arch/x86/lib/clear_page_64.S 2011-05-19 00:06:34.000000000 -0400
19481 +++ linux-2.6.39.1/arch/x86/lib/clear_page_64.S 2011-05-22 19:36:30.000000000 -0400
19482 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19483
19484 #include <asm/cpufeature.h>
19485
19486 - .section .altinstr_replacement,"ax"
19487 + .section .altinstr_replacement,"a"
19488 1: .byte 0xeb /* jmp <disp8> */
19489 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19490 2:
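Review bot: The switch of `.altinstr_replacement` from `"ax"` to `"a"` carries no explanation, although the section still holds instruction bytes (`.byte 0xeb /* jmp <disp8> */`). A one-line comment such as `/* replacement bytes are copied by the alternatives code, never executed in place */` would record why the executable flag is dropped, assuming that is the reason. The same flag change is made in copy_page_64.S and in the ALTERNATIVE_JUMP macro of copy_user_64.S below.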
19491 diff -urNp linux-2.6.39.1/arch/x86/lib/copy_page_64.S linux-2.6.39.1/arch/x86/lib/copy_page_64.S
19492 --- linux-2.6.39.1/arch/x86/lib/copy_page_64.S 2011-05-19 00:06:34.000000000 -0400
19493 +++ linux-2.6.39.1/arch/x86/lib/copy_page_64.S 2011-05-22 19:36:30.000000000 -0400
19494 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19495
19496 #include <asm/cpufeature.h>
19497
19498 - .section .altinstr_replacement,"ax"
19499 + .section .altinstr_replacement,"a"
19500 1: .byte 0xeb /* jmp <disp8> */
19501 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19502 2:
19503 diff -urNp linux-2.6.39.1/arch/x86/lib/copy_user_64.S linux-2.6.39.1/arch/x86/lib/copy_user_64.S
19504 --- linux-2.6.39.1/arch/x86/lib/copy_user_64.S 2011-06-03 00:04:13.000000000 -0400
19505 +++ linux-2.6.39.1/arch/x86/lib/copy_user_64.S 2011-06-03 00:32:05.000000000 -0400
19506 @@ -15,13 +15,14 @@
19507 #include <asm/asm-offsets.h>
19508 #include <asm/thread_info.h>
19509 #include <asm/cpufeature.h>
19510 +#include <asm/pgtable.h>
19511
19512 .macro ALTERNATIVE_JUMP feature,orig,alt
19513 0:
19514 .byte 0xe9 /* 32bit jump */
19515 .long \orig-1f /* by default jump to orig */
19516 1:
19517 - .section .altinstr_replacement,"ax"
19518 + .section .altinstr_replacement,"a"
19519 2: .byte 0xe9 /* near jump with 32bit immediate */
19520 .long \alt-1b /* offset */ /* or alternatively to alt */
19521 .previous
19522 @@ -64,37 +65,13 @@
19523 #endif
19524 .endm
19525
19526 -/* Standard copy_to_user with segment limit checking */
19527 -ENTRY(_copy_to_user)
19528 - CFI_STARTPROC
19529 - GET_THREAD_INFO(%rax)
19530 - movq %rdi,%rcx
19531 - addq %rdx,%rcx
19532 - jc bad_to_user
19533 - cmpq TI_addr_limit(%rax),%rcx
19534 - ja bad_to_user
19535 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19536 - CFI_ENDPROC
19537 -ENDPROC(_copy_to_user)
19538 -
19539 -/* Standard copy_from_user with segment limit checking */
19540 -ENTRY(_copy_from_user)
19541 - CFI_STARTPROC
19542 - GET_THREAD_INFO(%rax)
19543 - movq %rsi,%rcx
19544 - addq %rdx,%rcx
19545 - jc bad_from_user
19546 - cmpq TI_addr_limit(%rax),%rcx
19547 - ja bad_from_user
19548 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19549 - CFI_ENDPROC
19550 -ENDPROC(_copy_from_user)
19551 -
19552 .section .fixup,"ax"
19553 /* must zero dest */
19554 ENTRY(bad_from_user)
19555 bad_from_user:
19556 CFI_STARTPROC
19557 + testl %edx,%edx
19558 + js bad_to_user
19559 movl %edx,%ecx
19560 xorl %eax,%eax
19561 rep
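Review bot: The added `testl %edx,%edx` / `js bad_to_user` in bad_from_user has no comment, and its purpose matters because the lines that follow use %edx as the `rep` count for zeroing the destination. A remark like `/* negative length: skip the zeroing and only report the error */` would state the intent, if that is what the branch is for. The hunk also deletes `_copy_to_user` and `_copy_from_user` together with their `TI_addr_limit` range checks; the replacement is not visible here, so a comment should point to where that check now lives. bad_from_user continues past the end of the hunk.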
19562 diff -urNp linux-2.6.39.1/arch/x86/lib/copy_user_nocache_64.S linux-2.6.39.1/arch/x86/lib/copy_user_nocache_64.S
19563 --- linux-2.6.39.1/arch/x86/lib/copy_user_nocache_64.S 2011-05-19 00:06:34.000000000 -0400
19564 +++ linux-2.6.39.1/arch/x86/lib/copy_user_nocache_64.S 2011-05-22 19:36:30.000000000 -0400
19565 @@ -14,6 +14,7 @@
19566 #include <asm/current.h>
19567 #include <asm/asm-offsets.h>
19568 #include <asm/thread_info.h>
19569 +#include <asm/pgtable.h>
19570
19571 .macro ALIGN_DESTINATION
19572 #ifdef FIX_ALIGNMENT
19573 @@ -50,6 +51,15 @@
19574 */
19575 ENTRY(__copy_user_nocache)
19576 CFI_STARTPROC
19577 +
19578 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19579 + mov $PAX_USER_SHADOW_BASE,%rcx
19580 + cmp %rcx,%rsi
19581 + jae 1f
19582 + add %rcx,%rsi
19583 +1:
19584 +#endif
19585 +
19586 cmpl $8,%edx
19587 jb 20f /* less then 8 bytes, go to byte copy loop */
19588 ALIGN_DESTINATION
19589 diff -urNp linux-2.6.39.1/arch/x86/lib/csum-wrappers_64.c linux-2.6.39.1/arch/x86/lib/csum-wrappers_64.c
19590 --- linux-2.6.39.1/arch/x86/lib/csum-wrappers_64.c 2011-05-19 00:06:34.000000000 -0400
19591 +++ linux-2.6.39.1/arch/x86/lib/csum-wrappers_64.c 2011-05-22 19:36:30.000000000 -0400
19592 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19593 len -= 2;
19594 }
19595 }
19596 +
19597 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19598 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19599 + src += PAX_USER_SHADOW_BASE;
19600 +#endif
19601 +
19602 isum = csum_partial_copy_generic((__force const void *)src,
19603 dst, len, isum, errp, NULL);
19604 if (unlikely(*errp))
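Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is inserted without a comment, and it presumably relies on the pointer having been range-checked earlier in the function, which this hunk does not show. A line such as `/* UDEREF: src was validated above; rebase it by PAX_USER_SHADOW_BASE before the raw copy */` would make that ordering explicit, with the wording confirmed against the part of the function outside the hunk. csum_partial_copy_to_user in the next hunk open-codes the same test for dst, so a small static inline shared by both would keep them in step.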
19605 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19606 }
19607
19608 *errp = 0;
19609 +
19610 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19611 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19612 + dst += PAX_USER_SHADOW_BASE;
19613 +#endif
19614 +
19615 return csum_partial_copy_generic(src, (void __force *)dst,
19616 len, isum, NULL, errp);
19617 }
19618 diff -urNp linux-2.6.39.1/arch/x86/lib/getuser.S linux-2.6.39.1/arch/x86/lib/getuser.S
19619 --- linux-2.6.39.1/arch/x86/lib/getuser.S 2011-05-19 00:06:34.000000000 -0400
19620 +++ linux-2.6.39.1/arch/x86/lib/getuser.S 2011-05-22 19:36:30.000000000 -0400
19621 @@ -33,14 +33,35 @@
19622 #include <asm/asm-offsets.h>
19623 #include <asm/thread_info.h>
19624 #include <asm/asm.h>
19625 +#include <asm/segment.h>
19626 +#include <asm/pgtable.h>
19627 +
19628 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19629 +#define __copyuser_seg gs;
19630 +#else
19631 +#define __copyuser_seg
19632 +#endif
19633
19634 .text
19635 ENTRY(__get_user_1)
19636 CFI_STARTPROC
19637 +
19638 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19639 GET_THREAD_INFO(%_ASM_DX)
19640 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19641 jae bad_get_user
19642 -1: movzb (%_ASM_AX),%edx
19643 +
19644 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19645 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19646 + cmp %_ASM_DX,%_ASM_AX
19647 + jae 1234f
19648 + add %_ASM_DX,%_ASM_AX
19649 +1234:
19650 +#endif
19651 +
19652 +#endif
19653 +
19654 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19655 xor %eax,%eax
19656 ret
19657 CFI_ENDPROC
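Review bot: The five-line `PAX_USER_SHADOW_BASE` sequence added here is repeated verbatim in __get_user_2, __get_user_4 and __get_user_8, each time with the magic label `1234`. Defining it once as an assembler macro near the `__copyuser_seg` definition and invoking it with `%_ASM_AX` and `%_ASM_DX` would remove the copies and give the rebase a single place for its comment. The macro name below is only a suggestion.

```asm
/* add PAX_USER_SHADOW_BASE to \ptr unless \ptr is already at or above it; clobbers \tmp */
.macro pax_user_shadow_rebase ptr tmp
	mov $PAX_USER_SHADOW_BASE,\tmp
	cmp \tmp,\ptr
	jae 1234f
	add \tmp,\ptr
1234:
.endm

/* … unchanged: ENTRY(__get_user_1), addr_limit check … */
	pax_user_shadow_rebase %_ASM_AX, %_ASM_DX
```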
19658 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19659 ENTRY(__get_user_2)
19660 CFI_STARTPROC
19661 add $1,%_ASM_AX
19662 +
19663 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19664 jc bad_get_user
19665 GET_THREAD_INFO(%_ASM_DX)
19666 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19667 jae bad_get_user
19668 -2: movzwl -1(%_ASM_AX),%edx
19669 +
19670 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19671 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19672 + cmp %_ASM_DX,%_ASM_AX
19673 + jae 1234f
19674 + add %_ASM_DX,%_ASM_AX
19675 +1234:
19676 +#endif
19677 +
19678 +#endif
19679 +
19680 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19681 xor %eax,%eax
19682 ret
19683 CFI_ENDPROC
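Review bot: With CONFIG_X86_32 and CONFIG_PAX_MEMORY_UDEREF the new `#if` compiles out `jc bad_get_user` and the `TI_addr_limit` comparison while `add $1,%_ASM_AX` still executes, so a wrapped pointer is no longer rejected in software. The only remaining bound is whatever the `gs` override from `__copyuser_seg` enforces, which is presumably the intent but is not stated. A comment on the `#if`, e.g. `/* 32-bit UDEREF: the range is enforced by the %gs segment limit, not by addr_limit */`, should record that. __get_user_1 above and __get_user_4 below drop their checks the same way.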
19684 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19685 ENTRY(__get_user_4)
19686 CFI_STARTPROC
19687 add $3,%_ASM_AX
19688 +
19689 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19690 jc bad_get_user
19691 GET_THREAD_INFO(%_ASM_DX)
19692 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19693 jae bad_get_user
19694 -3: mov -3(%_ASM_AX),%edx
19695 +
19696 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19697 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19698 + cmp %_ASM_DX,%_ASM_AX
19699 + jae 1234f
19700 + add %_ASM_DX,%_ASM_AX
19701 +1234:
19702 +#endif
19703 +
19704 +#endif
19705 +
19706 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
19707 xor %eax,%eax
19708 ret
19709 CFI_ENDPROC
19710 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
19711 GET_THREAD_INFO(%_ASM_DX)
19712 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19713 jae bad_get_user
19714 +
19715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19716 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19717 + cmp %_ASM_DX,%_ASM_AX
19718 + jae 1234f
19719 + add %_ASM_DX,%_ASM_AX
19720 +1234:
19721 +#endif
19722 +
19723 4: movq -7(%_ASM_AX),%_ASM_DX
19724 xor %eax,%eax
19725 ret
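Review bot: The guard here is `#ifdef CONFIG_PAX_MEMORY_UDEREF`, while the other three getters use `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)` around the same sequence. The `movq` that follows suggests __get_user_8 already sits inside a 64-bit-only block (the enclosing conditional is outside the hunk), in which case the two are equivalent. Spelling the condition the same way, `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)`, makes the rebase independent of the surrounding block.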
19726 diff -urNp linux-2.6.39.1/arch/x86/lib/insn.c linux-2.6.39.1/arch/x86/lib/insn.c
19727 --- linux-2.6.39.1/arch/x86/lib/insn.c 2011-05-19 00:06:34.000000000 -0400
19728 +++ linux-2.6.39.1/arch/x86/lib/insn.c 2011-05-22 19:36:30.000000000 -0400
19729 @@ -21,6 +21,11 @@
19730 #include <linux/string.h>
19731 #include <asm/inat.h>
19732 #include <asm/insn.h>
19733 +#ifdef __KERNEL__
19734 +#include <asm/pgtable_types.h>
19735 +#else
19736 +#define ktla_ktva(addr) addr
19737 +#endif
19738
19739 #define get_next(t, insn) \
19740 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
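Review bot: The fallback `#define ktla_ktva(addr) addr` expands its argument without parentheses, so a call with an expression argument can bind differently from the kernel definition. `#define ktla_ktva(addr) (addr)` is the safe form. A short comment on the `#ifdef __KERNEL__`, noting that the file is apparently also built outside the kernel where no address translation applies, would explain why the identity macro exists.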
19741 @@ -40,8 +45,8 @@
19742 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
19743 {
19744 memset(insn, 0, sizeof(*insn));
19745 - insn->kaddr = kaddr;
19746 - insn->next_byte = kaddr;
19747 + insn->kaddr = ktla_ktva(kaddr);
19748 + insn->next_byte = ktla_ktva(kaddr);
19749 insn->x86_64 = x86_64 ? 1 : 0;
19750 insn->opnd_bytes = 4;
19751 if (x86_64)
19752 diff -urNp linux-2.6.39.1/arch/x86/lib/mmx_32.c linux-2.6.39.1/arch/x86/lib/mmx_32.c
19753 --- linux-2.6.39.1/arch/x86/lib/mmx_32.c 2011-05-19 00:06:34.000000000 -0400
19754 +++ linux-2.6.39.1/arch/x86/lib/mmx_32.c 2011-05-22 19:36:30.000000000 -0400
19755 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
19756 {
19757 void *p;
19758 int i;
19759 + unsigned long cr0;
19760
19761 if (unlikely(in_interrupt()))
19762 return __memcpy(to, from, len);
19763 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
19764 kernel_fpu_begin();
19765
19766 __asm__ __volatile__ (
19767 - "1: prefetch (%0)\n" /* This set is 28 bytes */
19768 - " prefetch 64(%0)\n"
19769 - " prefetch 128(%0)\n"
19770 - " prefetch 192(%0)\n"
19771 - " prefetch 256(%0)\n"
19772 + "1: prefetch (%1)\n" /* This set is 28 bytes */
19773 + " prefetch 64(%1)\n"
19774 + " prefetch 128(%1)\n"
19775 + " prefetch 192(%1)\n"
19776 + " prefetch 256(%1)\n"
19777 "2: \n"
19778 ".section .fixup, \"ax\"\n"
19779 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19780 + "3: \n"
19781 +
19782 +#ifdef CONFIG_PAX_KERNEXEC
19783 + " movl %%cr0, %0\n"
19784 + " movl %0, %%eax\n"
19785 + " andl $0xFFFEFFFF, %%eax\n"
19786 + " movl %%eax, %%cr0\n"
19787 +#endif
19788 +
19789 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19790 +
19791 +#ifdef CONFIG_PAX_KERNEXEC
19792 + " movl %0, %%cr0\n"
19793 +#endif
19794 +
19795 " jmp 2b\n"
19796 ".previous\n"
19797 _ASM_EXTABLE(1b, 3b)
19798 - : : "r" (from));
19799 + : "=&r" (cr0) : "r" (from) : "ax");
19800
19801 for ( ; i > 5; i--) {
19802 __asm__ __volatile__ (
19803 - "1: prefetch 320(%0)\n"
19804 - "2: movq (%0), %%mm0\n"
19805 - " movq 8(%0), %%mm1\n"
19806 - " movq 16(%0), %%mm2\n"
19807 - " movq 24(%0), %%mm3\n"
19808 - " movq %%mm0, (%1)\n"
19809 - " movq %%mm1, 8(%1)\n"
19810 - " movq %%mm2, 16(%1)\n"
19811 - " movq %%mm3, 24(%1)\n"
19812 - " movq 32(%0), %%mm0\n"
19813 - " movq 40(%0), %%mm1\n"
19814 - " movq 48(%0), %%mm2\n"
19815 - " movq 56(%0), %%mm3\n"
19816 - " movq %%mm0, 32(%1)\n"
19817 - " movq %%mm1, 40(%1)\n"
19818 - " movq %%mm2, 48(%1)\n"
19819 - " movq %%mm3, 56(%1)\n"
19820 + "1: prefetch 320(%1)\n"
19821 + "2: movq (%1), %%mm0\n"
19822 + " movq 8(%1), %%mm1\n"
19823 + " movq 16(%1), %%mm2\n"
19824 + " movq 24(%1), %%mm3\n"
19825 + " movq %%mm0, (%2)\n"
19826 + " movq %%mm1, 8(%2)\n"
19827 + " movq %%mm2, 16(%2)\n"
19828 + " movq %%mm3, 24(%2)\n"
19829 + " movq 32(%1), %%mm0\n"
19830 + " movq 40(%1), %%mm1\n"
19831 + " movq 48(%1), %%mm2\n"
19832 + " movq 56(%1), %%mm3\n"
19833 + " movq %%mm0, 32(%2)\n"
19834 + " movq %%mm1, 40(%2)\n"
19835 + " movq %%mm2, 48(%2)\n"
19836 + " movq %%mm3, 56(%2)\n"
19837 ".section .fixup, \"ax\"\n"
19838 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19839 + "3:\n"
19840 +
19841 +#ifdef CONFIG_PAX_KERNEXEC
19842 + " movl %%cr0, %0\n"
19843 + " movl %0, %%eax\n"
19844 + " andl $0xFFFEFFFF, %%eax\n"
19845 + " movl %%eax, %%cr0\n"
19846 +#endif
19847 +
19848 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19849 +
19850 +#ifdef CONFIG_PAX_KERNEXEC
19851 + " movl %0, %%cr0\n"
19852 +#endif
19853 +
19854 " jmp 2b\n"
19855 ".previous\n"
19856 _ASM_EXTABLE(1b, 3b)
19857 - : : "r" (from), "r" (to) : "memory");
19858 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19859
19860 from += 64;
19861 to += 64;
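Review bot: The fixup path now clears a bit in CR0 with the bare mask `0xFFFEFFFF` before `movw $0x1AEB, 1b` rewrites the prefetch instruction, and neither the mask nor the reason is documented. The mask clears bit 16 (write protect), so a comment such as `/* KERNEXEC: drop CR0.WP while patching 1b, then restore the saved value */` belongs on the block. `cr0` is also declared and bound as an `"=&r"` output with an `"ax"` clobber when CONFIG_PAX_KERNEXEC is off, which ties up two registers for nothing in that configuration. The same four-line sequence appears six times across _mmx_memcpy and both fast_copy_page variants, so a string macro defined once would keep them identical. _mmx_memcpy starts and ends outside this hunk.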
19862 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
19863 static void fast_copy_page(void *to, void *from)
19864 {
19865 int i;
19866 + unsigned long cr0;
19867
19868 kernel_fpu_begin();
19869
19870 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
19871 * but that is for later. -AV
19872 */
19873 __asm__ __volatile__(
19874 - "1: prefetch (%0)\n"
19875 - " prefetch 64(%0)\n"
19876 - " prefetch 128(%0)\n"
19877 - " prefetch 192(%0)\n"
19878 - " prefetch 256(%0)\n"
19879 + "1: prefetch (%1)\n"
19880 + " prefetch 64(%1)\n"
19881 + " prefetch 128(%1)\n"
19882 + " prefetch 192(%1)\n"
19883 + " prefetch 256(%1)\n"
19884 "2: \n"
19885 ".section .fixup, \"ax\"\n"
19886 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19887 + "3: \n"
19888 +
19889 +#ifdef CONFIG_PAX_KERNEXEC
19890 + " movl %%cr0, %0\n"
19891 + " movl %0, %%eax\n"
19892 + " andl $0xFFFEFFFF, %%eax\n"
19893 + " movl %%eax, %%cr0\n"
19894 +#endif
19895 +
19896 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19897 +
19898 +#ifdef CONFIG_PAX_KERNEXEC
19899 + " movl %0, %%cr0\n"
19900 +#endif
19901 +
19902 " jmp 2b\n"
19903 ".previous\n"
19904 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
19905 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
19906
19907 for (i = 0; i < (4096-320)/64; i++) {
19908 __asm__ __volatile__ (
19909 - "1: prefetch 320(%0)\n"
19910 - "2: movq (%0), %%mm0\n"
19911 - " movntq %%mm0, (%1)\n"
19912 - " movq 8(%0), %%mm1\n"
19913 - " movntq %%mm1, 8(%1)\n"
19914 - " movq 16(%0), %%mm2\n"
19915 - " movntq %%mm2, 16(%1)\n"
19916 - " movq 24(%0), %%mm3\n"
19917 - " movntq %%mm3, 24(%1)\n"
19918 - " movq 32(%0), %%mm4\n"
19919 - " movntq %%mm4, 32(%1)\n"
19920 - " movq 40(%0), %%mm5\n"
19921 - " movntq %%mm5, 40(%1)\n"
19922 - " movq 48(%0), %%mm6\n"
19923 - " movntq %%mm6, 48(%1)\n"
19924 - " movq 56(%0), %%mm7\n"
19925 - " movntq %%mm7, 56(%1)\n"
19926 + "1: prefetch 320(%1)\n"
19927 + "2: movq (%1), %%mm0\n"
19928 + " movntq %%mm0, (%2)\n"
19929 + " movq 8(%1), %%mm1\n"
19930 + " movntq %%mm1, 8(%2)\n"
19931 + " movq 16(%1), %%mm2\n"
19932 + " movntq %%mm2, 16(%2)\n"
19933 + " movq 24(%1), %%mm3\n"
19934 + " movntq %%mm3, 24(%2)\n"
19935 + " movq 32(%1), %%mm4\n"
19936 + " movntq %%mm4, 32(%2)\n"
19937 + " movq 40(%1), %%mm5\n"
19938 + " movntq %%mm5, 40(%2)\n"
19939 + " movq 48(%1), %%mm6\n"
19940 + " movntq %%mm6, 48(%2)\n"
19941 + " movq 56(%1), %%mm7\n"
19942 + " movntq %%mm7, 56(%2)\n"
19943 ".section .fixup, \"ax\"\n"
19944 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19945 + "3:\n"
19946 +
19947 +#ifdef CONFIG_PAX_KERNEXEC
19948 + " movl %%cr0, %0\n"
19949 + " movl %0, %%eax\n"
19950 + " andl $0xFFFEFFFF, %%eax\n"
19951 + " movl %%eax, %%cr0\n"
19952 +#endif
19953 +
19954 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19955 +
19956 +#ifdef CONFIG_PAX_KERNEXEC
19957 + " movl %0, %%cr0\n"
19958 +#endif
19959 +
19960 " jmp 2b\n"
19961 ".previous\n"
19962 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
19963 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19964
19965 from += 64;
19966 to += 64;
19967 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
19968 static void fast_copy_page(void *to, void *from)
19969 {
19970 int i;
19971 + unsigned long cr0;
19972
19973 kernel_fpu_begin();
19974
19975 __asm__ __volatile__ (
19976 - "1: prefetch (%0)\n"
19977 - " prefetch 64(%0)\n"
19978 - " prefetch 128(%0)\n"
19979 - " prefetch 192(%0)\n"
19980 - " prefetch 256(%0)\n"
19981 + "1: prefetch (%1)\n"
19982 + " prefetch 64(%1)\n"
19983 + " prefetch 128(%1)\n"
19984 + " prefetch 192(%1)\n"
19985 + " prefetch 256(%1)\n"
19986 "2: \n"
19987 ".section .fixup, \"ax\"\n"
19988 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19989 + "3: \n"
19990 +
19991 +#ifdef CONFIG_PAX_KERNEXEC
19992 + " movl %%cr0, %0\n"
19993 + " movl %0, %%eax\n"
19994 + " andl $0xFFFEFFFF, %%eax\n"
19995 + " movl %%eax, %%cr0\n"
19996 +#endif
19997 +
19998 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19999 +
20000 +#ifdef CONFIG_PAX_KERNEXEC
20001 + " movl %0, %%cr0\n"
20002 +#endif
20003 +
20004 " jmp 2b\n"
20005 ".previous\n"
20006 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20007 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20008
20009 for (i = 0; i < 4096/64; i++) {
20010 __asm__ __volatile__ (
20011 - "1: prefetch 320(%0)\n"
20012 - "2: movq (%0), %%mm0\n"
20013 - " movq 8(%0), %%mm1\n"
20014 - " movq 16(%0), %%mm2\n"
20015 - " movq 24(%0), %%mm3\n"
20016 - " movq %%mm0, (%1)\n"
20017 - " movq %%mm1, 8(%1)\n"
20018 - " movq %%mm2, 16(%1)\n"
20019 - " movq %%mm3, 24(%1)\n"
20020 - " movq 32(%0), %%mm0\n"
20021 - " movq 40(%0), %%mm1\n"
20022 - " movq 48(%0), %%mm2\n"
20023 - " movq 56(%0), %%mm3\n"
20024 - " movq %%mm0, 32(%1)\n"
20025 - " movq %%mm1, 40(%1)\n"
20026 - " movq %%mm2, 48(%1)\n"
20027 - " movq %%mm3, 56(%1)\n"
20028 + "1: prefetch 320(%1)\n"
20029 + "2: movq (%1), %%mm0\n"
20030 + " movq 8(%1), %%mm1\n"
20031 + " movq 16(%1), %%mm2\n"
20032 + " movq 24(%1), %%mm3\n"
20033 + " movq %%mm0, (%2)\n"
20034 + " movq %%mm1, 8(%2)\n"
20035 + " movq %%mm2, 16(%2)\n"
20036 + " movq %%mm3, 24(%2)\n"
20037 + " movq 32(%1), %%mm0\n"
20038 + " movq 40(%1), %%mm1\n"
20039 + " movq 48(%1), %%mm2\n"
20040 + " movq 56(%1), %%mm3\n"
20041 + " movq %%mm0, 32(%2)\n"
20042 + " movq %%mm1, 40(%2)\n"
20043 + " movq %%mm2, 48(%2)\n"
20044 + " movq %%mm3, 56(%2)\n"
20045 ".section .fixup, \"ax\"\n"
20046 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20047 + "3:\n"
20048 +
20049 +#ifdef CONFIG_PAX_KERNEXEC
20050 + " movl %%cr0, %0\n"
20051 + " movl %0, %%eax\n"
20052 + " andl $0xFFFEFFFF, %%eax\n"
20053 + " movl %%eax, %%cr0\n"
20054 +#endif
20055 +
20056 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20057 +
20058 +#ifdef CONFIG_PAX_KERNEXEC
20059 + " movl %0, %%cr0\n"
20060 +#endif
20061 +
20062 " jmp 2b\n"
20063 ".previous\n"
20064 _ASM_EXTABLE(1b, 3b)
20065 - : : "r" (from), "r" (to) : "memory");
20066 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20067
20068 from += 64;
20069 to += 64;
20070 diff -urNp linux-2.6.39.1/arch/x86/lib/putuser.S linux-2.6.39.1/arch/x86/lib/putuser.S
20071 --- linux-2.6.39.1/arch/x86/lib/putuser.S 2011-05-19 00:06:34.000000000 -0400
20072 +++ linux-2.6.39.1/arch/x86/lib/putuser.S 2011-05-22 19:36:30.000000000 -0400
20073 @@ -15,7 +15,8 @@
20074 #include <asm/thread_info.h>
20075 #include <asm/errno.h>
20076 #include <asm/asm.h>
20077 -
20078 +#include <asm/segment.h>
20079 +#include <asm/pgtable.h>
20080
20081 /*
20082 * __put_user_X
20083 @@ -29,52 +30,119 @@
20084 * as they get called from within inline assembly.
20085 */
20086
20087 -#define ENTER CFI_STARTPROC ; \
20088 - GET_THREAD_INFO(%_ASM_BX)
20089 +#define ENTER CFI_STARTPROC
20090 #define EXIT ret ; \
20091 CFI_ENDPROC
20092
20093 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20094 +#define _DEST %_ASM_CX,%_ASM_BX
20095 +#else
20096 +#define _DEST %_ASM_CX
20097 +#endif
20098 +
20099 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20100 +#define __copyuser_seg gs;
20101 +#else
20102 +#define __copyuser_seg
20103 +#endif
20104 +
20105 .text
20106 ENTRY(__put_user_1)
20107 ENTER
20108 +
20109 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20110 + GET_THREAD_INFO(%_ASM_BX)
20111 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20112 jae bad_put_user
20113 -1: movb %al,(%_ASM_CX)
20114 +
20115 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20116 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20117 + cmp %_ASM_BX,%_ASM_CX
20118 + jb 1234f
20119 + xor %ebx,%ebx
20120 +1234:
20121 +#endif
20122 +
20123 +#endif
20124 +
20125 +1: __copyuser_seg movb %al,(_DEST)
20126 xor %eax,%eax
20127 EXIT
20128 ENDPROC(__put_user_1)
20129
20130 ENTRY(__put_user_2)
20131 ENTER
20132 +
20133 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20134 + GET_THREAD_INFO(%_ASM_BX)
20135 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20136 sub $1,%_ASM_BX
20137 cmp %_ASM_BX,%_ASM_CX
20138 jae bad_put_user
20139 -2: movw %ax,(%_ASM_CX)
20140 +
20141 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20142 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20143 + cmp %_ASM_BX,%_ASM_CX
20144 + jb 1234f
20145 + xor %ebx,%ebx
20146 +1234:
20147 +#endif
20148 +
20149 +#endif
20150 +
20151 +2: __copyuser_seg movw %ax,(_DEST)
20152 xor %eax,%eax
20153 EXIT
20154 ENDPROC(__put_user_2)
20155
20156 ENTRY(__put_user_4)
20157 ENTER
20158 +
20159 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20160 + GET_THREAD_INFO(%_ASM_BX)
20161 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20162 sub $3,%_ASM_BX
20163 cmp %_ASM_BX,%_ASM_CX
20164 jae bad_put_user
20165 -3: movl %eax,(%_ASM_CX)
20166 +
20167 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20168 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20169 + cmp %_ASM_BX,%_ASM_CX
20170 + jb 1234f
20171 + xor %ebx,%ebx
20172 +1234:
20173 +#endif
20174 +
20175 +#endif
20176 +
20177 +3: __copyuser_seg movl %eax,(_DEST)
20178 xor %eax,%eax
20179 EXIT
20180 ENDPROC(__put_user_4)
20181
20182 ENTRY(__put_user_8)
20183 ENTER
20184 +
20185 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20186 + GET_THREAD_INFO(%_ASM_BX)
20187 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20188 sub $7,%_ASM_BX
20189 cmp %_ASM_BX,%_ASM_CX
20190 jae bad_put_user
20191 -4: mov %_ASM_AX,(%_ASM_CX)
20192 +
20193 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20194 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20195 + cmp %_ASM_BX,%_ASM_CX
20196 + jb 1234f
20197 + xor %ebx,%ebx
20198 +1234:
20199 +#endif
20200 +
20201 +#endif
20202 +
20203 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20204 #ifdef CONFIG_X86_32
20205 -5: movl %edx,4(%_ASM_CX)
20206 +5: __copyuser_seg movl %edx,4(_DEST)
20207 #endif
20208 xor %eax,%eax
20209 EXIT
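Review bot: On a 32-bit UDEREF build the `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` guard compiles out the whole `TI_addr_limit` comparison in all four `__put_user_N` routines, and nothing in the file says what bounds the store instead. Presumably the `gs` override supplied by `__copyuser_seg` does, through the segment that `__set_fs` loads later in this patch; a comment at the `_DEST`/`__copyuser_seg` definitions such as `/* 32-bit UDEREF: the store is bounded by the %gs segment, not by addr_limit */` would record that once it is confirmed. The 64-bit rebase sequence ending in `1234:` is pasted four times and would be easier to audit as one assembler macro. `ENDPROC(__put_user_8)` and `bad_put_user` lie outside this hunk.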
20210 diff -urNp linux-2.6.39.1/arch/x86/lib/usercopy_32.c linux-2.6.39.1/arch/x86/lib/usercopy_32.c
20211 --- linux-2.6.39.1/arch/x86/lib/usercopy_32.c 2011-05-19 00:06:34.000000000 -0400
20212 +++ linux-2.6.39.1/arch/x86/lib/usercopy_32.c 2011-05-22 19:36:30.000000000 -0400
20213 @@ -43,7 +43,7 @@ do { \
20214 __asm__ __volatile__( \
20215 " testl %1,%1\n" \
20216 " jz 2f\n" \
20217 - "0: lodsb\n" \
20218 + "0: "__copyuser_seg"lodsb\n" \
20219 " stosb\n" \
20220 " testb %%al,%%al\n" \
20221 " jz 1f\n" \
20222 @@ -128,10 +128,12 @@ do { \
20223 int __d0; \
20224 might_fault(); \
20225 __asm__ __volatile__( \
20226 + __COPYUSER_SET_ES \
20227 "0: rep; stosl\n" \
20228 " movl %2,%0\n" \
20229 "1: rep; stosb\n" \
20230 "2:\n" \
20231 + __COPYUSER_RESTORE_ES \
20232 ".section .fixup,\"ax\"\n" \
20233 "3: lea 0(%2,%0,4),%0\n" \
20234 " jmp 2b\n" \
20235 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20236 might_fault();
20237
20238 __asm__ __volatile__(
20239 + __COPYUSER_SET_ES
20240 " testl %0, %0\n"
20241 " jz 3f\n"
20242 " andl %0,%%ecx\n"
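Review bot: `__COPYUSER_SET_ES` is placed before `testl %0, %0` / `jz 3f`, so the zero-length early exit leaves the main path with ES already switched. Label `3` is not in this hunk; the matching `__COPYUSER_RESTORE_ES` added in the next hunk sits directly after `1:`, so the pair is balanced only if `3:` rejoins at `1b` the way the visible fixup at `2:` does. I would confirm that and add a comment next to the set, for example `/* every exit, fixups included, must rejoin at 1: so that ES is restored */`.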
20243 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20244 " subl %%ecx,%0\n"
20245 " addl %0,%%eax\n"
20246 "1:\n"
20247 + __COPYUSER_RESTORE_ES
20248 ".section .fixup,\"ax\"\n"
20249 "2: xorl %%eax,%%eax\n"
20250 " jmp 1b\n"
20251 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20252
20253 #ifdef CONFIG_X86_INTEL_USERCOPY
20254 static unsigned long
20255 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20256 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20257 {
20258 int d0, d1;
20259 __asm__ __volatile__(
20260 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20261 " .align 2,0x90\n"
20262 "3: movl 0(%4), %%eax\n"
20263 "4: movl 4(%4), %%edx\n"
20264 - "5: movl %%eax, 0(%3)\n"
20265 - "6: movl %%edx, 4(%3)\n"
20266 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20267 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20268 "7: movl 8(%4), %%eax\n"
20269 "8: movl 12(%4),%%edx\n"
20270 - "9: movl %%eax, 8(%3)\n"
20271 - "10: movl %%edx, 12(%3)\n"
20272 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20273 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20274 "11: movl 16(%4), %%eax\n"
20275 "12: movl 20(%4), %%edx\n"
20276 - "13: movl %%eax, 16(%3)\n"
20277 - "14: movl %%edx, 20(%3)\n"
20278 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20279 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20280 "15: movl 24(%4), %%eax\n"
20281 "16: movl 28(%4), %%edx\n"
20282 - "17: movl %%eax, 24(%3)\n"
20283 - "18: movl %%edx, 28(%3)\n"
20284 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20285 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20286 "19: movl 32(%4), %%eax\n"
20287 "20: movl 36(%4), %%edx\n"
20288 - "21: movl %%eax, 32(%3)\n"
20289 - "22: movl %%edx, 36(%3)\n"
20290 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20291 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20292 "23: movl 40(%4), %%eax\n"
20293 "24: movl 44(%4), %%edx\n"
20294 - "25: movl %%eax, 40(%3)\n"
20295 - "26: movl %%edx, 44(%3)\n"
20296 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20297 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20298 "27: movl 48(%4), %%eax\n"
20299 "28: movl 52(%4), %%edx\n"
20300 - "29: movl %%eax, 48(%3)\n"
20301 - "30: movl %%edx, 52(%3)\n"
20302 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20303 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20304 "31: movl 56(%4), %%eax\n"
20305 "32: movl 60(%4), %%edx\n"
20306 - "33: movl %%eax, 56(%3)\n"
20307 - "34: movl %%edx, 60(%3)\n"
20308 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20309 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20310 " addl $-64, %0\n"
20311 " addl $64, %4\n"
20312 " addl $64, %3\n"
20313 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20314 " shrl $2, %0\n"
20315 " andl $3, %%eax\n"
20316 " cld\n"
20317 + __COPYUSER_SET_ES
20318 "99: rep; movsl\n"
20319 "36: movl %%eax, %0\n"
20320 "37: rep; movsb\n"
20321 "100:\n"
20322 + __COPYUSER_RESTORE_ES
20323 + ".section .fixup,\"ax\"\n"
20324 + "101: lea 0(%%eax,%0,4),%0\n"
20325 + " jmp 100b\n"
20326 + ".previous\n"
20327 + ".section __ex_table,\"a\"\n"
20328 + " .align 4\n"
20329 + " .long 1b,100b\n"
20330 + " .long 2b,100b\n"
20331 + " .long 3b,100b\n"
20332 + " .long 4b,100b\n"
20333 + " .long 5b,100b\n"
20334 + " .long 6b,100b\n"
20335 + " .long 7b,100b\n"
20336 + " .long 8b,100b\n"
20337 + " .long 9b,100b\n"
20338 + " .long 10b,100b\n"
20339 + " .long 11b,100b\n"
20340 + " .long 12b,100b\n"
20341 + " .long 13b,100b\n"
20342 + " .long 14b,100b\n"
20343 + " .long 15b,100b\n"
20344 + " .long 16b,100b\n"
20345 + " .long 17b,100b\n"
20346 + " .long 18b,100b\n"
20347 + " .long 19b,100b\n"
20348 + " .long 20b,100b\n"
20349 + " .long 21b,100b\n"
20350 + " .long 22b,100b\n"
20351 + " .long 23b,100b\n"
20352 + " .long 24b,100b\n"
20353 + " .long 25b,100b\n"
20354 + " .long 26b,100b\n"
20355 + " .long 27b,100b\n"
20356 + " .long 28b,100b\n"
20357 + " .long 29b,100b\n"
20358 + " .long 30b,100b\n"
20359 + " .long 31b,100b\n"
20360 + " .long 32b,100b\n"
20361 + " .long 33b,100b\n"
20362 + " .long 34b,100b\n"
20363 + " .long 35b,100b\n"
20364 + " .long 36b,100b\n"
20365 + " .long 37b,100b\n"
20366 + " .long 99b,101b\n"
20367 + ".previous"
20368 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20369 + : "1"(to), "2"(from), "0"(size)
20370 + : "eax", "edx", "memory");
20371 + return size;
20372 +}
20373 +
20374 +static unsigned long
20375 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20376 +{
20377 + int d0, d1;
20378 + __asm__ __volatile__(
20379 + " .align 2,0x90\n"
20380 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20381 + " cmpl $67, %0\n"
20382 + " jbe 3f\n"
20383 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20384 + " .align 2,0x90\n"
20385 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20386 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20387 + "5: movl %%eax, 0(%3)\n"
20388 + "6: movl %%edx, 4(%3)\n"
20389 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20390 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20391 + "9: movl %%eax, 8(%3)\n"
20392 + "10: movl %%edx, 12(%3)\n"
20393 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20394 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20395 + "13: movl %%eax, 16(%3)\n"
20396 + "14: movl %%edx, 20(%3)\n"
20397 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20398 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20399 + "17: movl %%eax, 24(%3)\n"
20400 + "18: movl %%edx, 28(%3)\n"
20401 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20402 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20403 + "21: movl %%eax, 32(%3)\n"
20404 + "22: movl %%edx, 36(%3)\n"
20405 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20406 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20407 + "25: movl %%eax, 40(%3)\n"
20408 + "26: movl %%edx, 44(%3)\n"
20409 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20410 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20411 + "29: movl %%eax, 48(%3)\n"
20412 + "30: movl %%edx, 52(%3)\n"
20413 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20414 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20415 + "33: movl %%eax, 56(%3)\n"
20416 + "34: movl %%edx, 60(%3)\n"
20417 + " addl $-64, %0\n"
20418 + " addl $64, %4\n"
20419 + " addl $64, %3\n"
20420 + " cmpl $63, %0\n"
20421 + " ja 1b\n"
20422 + "35: movl %0, %%eax\n"
20423 + " shrl $2, %0\n"
20424 + " andl $3, %%eax\n"
20425 + " cld\n"
20426 + "99: rep; "__copyuser_seg" movsl\n"
20427 + "36: movl %%eax, %0\n"
20428 + "37: rep; "__copyuser_seg" movsb\n"
20429 + "100:\n"
20430 ".section .fixup,\"ax\"\n"
20431 "101: lea 0(%%eax,%0,4),%0\n"
20432 " jmp 100b\n"
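Review bot: In `__generic_copy_to_user_intel` the exception-table entries for the labels ahead of `99:` all resume at `100b`, which now falls straight into `__COPYUSER_RESTORE_ES`, while `__COPYUSER_SET_ES` has only executed if control reached the `rep; movsl` tail. That is correct only if the restore is unconditional and idempotent (reloading ES from a fixed selector) rather than undoing a saved value; the macro bodies are not visible on this page, so this needs checking against their definition. A comment at `100:` such as `/* reached from faults both before and after SET_ES; RESTORE_ES must be safe either way */` would keep a later change to the macros from breaking the fault path. The tail of `__generic_copy_from_user_intel` (its exception table and return) is outside this hunk.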
20433 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20434 int d0, d1;
20435 __asm__ __volatile__(
20436 " .align 2,0x90\n"
20437 - "0: movl 32(%4), %%eax\n"
20438 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20439 " cmpl $67, %0\n"
20440 " jbe 2f\n"
20441 - "1: movl 64(%4), %%eax\n"
20442 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20443 " .align 2,0x90\n"
20444 - "2: movl 0(%4), %%eax\n"
20445 - "21: movl 4(%4), %%edx\n"
20446 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20447 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20448 " movl %%eax, 0(%3)\n"
20449 " movl %%edx, 4(%3)\n"
20450 - "3: movl 8(%4), %%eax\n"
20451 - "31: movl 12(%4),%%edx\n"
20452 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20453 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20454 " movl %%eax, 8(%3)\n"
20455 " movl %%edx, 12(%3)\n"
20456 - "4: movl 16(%4), %%eax\n"
20457 - "41: movl 20(%4), %%edx\n"
20458 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20459 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20460 " movl %%eax, 16(%3)\n"
20461 " movl %%edx, 20(%3)\n"
20462 - "10: movl 24(%4), %%eax\n"
20463 - "51: movl 28(%4), %%edx\n"
20464 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20465 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20466 " movl %%eax, 24(%3)\n"
20467 " movl %%edx, 28(%3)\n"
20468 - "11: movl 32(%4), %%eax\n"
20469 - "61: movl 36(%4), %%edx\n"
20470 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20471 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20472 " movl %%eax, 32(%3)\n"
20473 " movl %%edx, 36(%3)\n"
20474 - "12: movl 40(%4), %%eax\n"
20475 - "71: movl 44(%4), %%edx\n"
20476 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20477 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20478 " movl %%eax, 40(%3)\n"
20479 " movl %%edx, 44(%3)\n"
20480 - "13: movl 48(%4), %%eax\n"
20481 - "81: movl 52(%4), %%edx\n"
20482 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20483 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20484 " movl %%eax, 48(%3)\n"
20485 " movl %%edx, 52(%3)\n"
20486 - "14: movl 56(%4), %%eax\n"
20487 - "91: movl 60(%4), %%edx\n"
20488 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20489 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20490 " movl %%eax, 56(%3)\n"
20491 " movl %%edx, 60(%3)\n"
20492 " addl $-64, %0\n"
20493 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20494 " shrl $2, %0\n"
20495 " andl $3, %%eax\n"
20496 " cld\n"
20497 - "6: rep; movsl\n"
20498 + "6: rep; "__copyuser_seg" movsl\n"
20499 " movl %%eax,%0\n"
20500 - "7: rep; movsb\n"
20501 + "7: rep; "__copyuser_seg" movsb\n"
20502 "8:\n"
20503 ".section .fixup,\"ax\"\n"
20504 "9: lea 0(%%eax,%0,4),%0\n"
20505 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20506
20507 __asm__ __volatile__(
20508 " .align 2,0x90\n"
20509 - "0: movl 32(%4), %%eax\n"
20510 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20511 " cmpl $67, %0\n"
20512 " jbe 2f\n"
20513 - "1: movl 64(%4), %%eax\n"
20514 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20515 " .align 2,0x90\n"
20516 - "2: movl 0(%4), %%eax\n"
20517 - "21: movl 4(%4), %%edx\n"
20518 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20519 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20520 " movnti %%eax, 0(%3)\n"
20521 " movnti %%edx, 4(%3)\n"
20522 - "3: movl 8(%4), %%eax\n"
20523 - "31: movl 12(%4),%%edx\n"
20524 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20525 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20526 " movnti %%eax, 8(%3)\n"
20527 " movnti %%edx, 12(%3)\n"
20528 - "4: movl 16(%4), %%eax\n"
20529 - "41: movl 20(%4), %%edx\n"
20530 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20531 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20532 " movnti %%eax, 16(%3)\n"
20533 " movnti %%edx, 20(%3)\n"
20534 - "10: movl 24(%4), %%eax\n"
20535 - "51: movl 28(%4), %%edx\n"
20536 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20537 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20538 " movnti %%eax, 24(%3)\n"
20539 " movnti %%edx, 28(%3)\n"
20540 - "11: movl 32(%4), %%eax\n"
20541 - "61: movl 36(%4), %%edx\n"
20542 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20543 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20544 " movnti %%eax, 32(%3)\n"
20545 " movnti %%edx, 36(%3)\n"
20546 - "12: movl 40(%4), %%eax\n"
20547 - "71: movl 44(%4), %%edx\n"
20548 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20549 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20550 " movnti %%eax, 40(%3)\n"
20551 " movnti %%edx, 44(%3)\n"
20552 - "13: movl 48(%4), %%eax\n"
20553 - "81: movl 52(%4), %%edx\n"
20554 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20555 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20556 " movnti %%eax, 48(%3)\n"
20557 " movnti %%edx, 52(%3)\n"
20558 - "14: movl 56(%4), %%eax\n"
20559 - "91: movl 60(%4), %%edx\n"
20560 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20561 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20562 " movnti %%eax, 56(%3)\n"
20563 " movnti %%edx, 60(%3)\n"
20564 " addl $-64, %0\n"
20565 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20566 " shrl $2, %0\n"
20567 " andl $3, %%eax\n"
20568 " cld\n"
20569 - "6: rep; movsl\n"
20570 + "6: rep; "__copyuser_seg" movsl\n"
20571 " movl %%eax,%0\n"
20572 - "7: rep; movsb\n"
20573 + "7: rep; "__copyuser_seg" movsb\n"
20574 "8:\n"
20575 ".section .fixup,\"ax\"\n"
20576 "9: lea 0(%%eax,%0,4),%0\n"
20577 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20578
20579 __asm__ __volatile__(
20580 " .align 2,0x90\n"
20581 - "0: movl 32(%4), %%eax\n"
20582 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20583 " cmpl $67, %0\n"
20584 " jbe 2f\n"
20585 - "1: movl 64(%4), %%eax\n"
20586 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20587 " .align 2,0x90\n"
20588 - "2: movl 0(%4), %%eax\n"
20589 - "21: movl 4(%4), %%edx\n"
20590 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20591 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20592 " movnti %%eax, 0(%3)\n"
20593 " movnti %%edx, 4(%3)\n"
20594 - "3: movl 8(%4), %%eax\n"
20595 - "31: movl 12(%4),%%edx\n"
20596 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20597 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20598 " movnti %%eax, 8(%3)\n"
20599 " movnti %%edx, 12(%3)\n"
20600 - "4: movl 16(%4), %%eax\n"
20601 - "41: movl 20(%4), %%edx\n"
20602 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20603 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20604 " movnti %%eax, 16(%3)\n"
20605 " movnti %%edx, 20(%3)\n"
20606 - "10: movl 24(%4), %%eax\n"
20607 - "51: movl 28(%4), %%edx\n"
20608 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20609 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20610 " movnti %%eax, 24(%3)\n"
20611 " movnti %%edx, 28(%3)\n"
20612 - "11: movl 32(%4), %%eax\n"
20613 - "61: movl 36(%4), %%edx\n"
20614 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20615 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20616 " movnti %%eax, 32(%3)\n"
20617 " movnti %%edx, 36(%3)\n"
20618 - "12: movl 40(%4), %%eax\n"
20619 - "71: movl 44(%4), %%edx\n"
20620 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20621 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20622 " movnti %%eax, 40(%3)\n"
20623 " movnti %%edx, 44(%3)\n"
20624 - "13: movl 48(%4), %%eax\n"
20625 - "81: movl 52(%4), %%edx\n"
20626 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20627 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20628 " movnti %%eax, 48(%3)\n"
20629 " movnti %%edx, 52(%3)\n"
20630 - "14: movl 56(%4), %%eax\n"
20631 - "91: movl 60(%4), %%edx\n"
20632 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20633 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20634 " movnti %%eax, 56(%3)\n"
20635 " movnti %%edx, 60(%3)\n"
20636 " addl $-64, %0\n"
20637 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20638 " shrl $2, %0\n"
20639 " andl $3, %%eax\n"
20640 " cld\n"
20641 - "6: rep; movsl\n"
20642 + "6: rep; "__copyuser_seg" movsl\n"
20643 " movl %%eax,%0\n"
20644 - "7: rep; movsb\n"
20645 + "7: rep; "__copyuser_seg" movsb\n"
20646 "8:\n"
20647 ".section .fixup,\"ax\"\n"
20648 "9: lea 0(%%eax,%0,4),%0\n"
20649 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20650 */
20651 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20652 unsigned long size);
20653 -unsigned long __copy_user_intel(void __user *to, const void *from,
20654 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20655 + unsigned long size);
20656 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20657 unsigned long size);
20658 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20659 const void __user *from, unsigned long size);
20660 #endif /* CONFIG_X86_INTEL_USERCOPY */
20661
20662 /* Generic arbitrary sized copy. */
20663 -#define __copy_user(to, from, size) \
20664 +#define __copy_user(to, from, size, prefix, set, restore) \
20665 do { \
20666 int __d0, __d1, __d2; \
20667 __asm__ __volatile__( \
20668 + set \
20669 " cmp $7,%0\n" \
20670 " jbe 1f\n" \
20671 " movl %1,%0\n" \
20672 " negl %0\n" \
20673 " andl $7,%0\n" \
20674 " subl %0,%3\n" \
20675 - "4: rep; movsb\n" \
20676 + "4: rep; "prefix"movsb\n" \
20677 " movl %3,%0\n" \
20678 " shrl $2,%0\n" \
20679 " andl $3,%3\n" \
20680 " .align 2,0x90\n" \
20681 - "0: rep; movsl\n" \
20682 + "0: rep; "prefix"movsl\n" \
20683 " movl %3,%0\n" \
20684 - "1: rep; movsb\n" \
20685 + "1: rep; "prefix"movsb\n" \
20686 "2:\n" \
20687 + restore \
20688 ".section .fixup,\"ax\"\n" \
20689 "5: addl %3,%0\n" \
20690 " jmp 2b\n" \
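Review bot: `__copy_user` gains three arguments that are pasted as string literals into the asm template, and the definition has no comment saying what each one is for. Going by the call sites later in this patch, copies to user space pass `""` with `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES`, and copies from user space pass `__copyuser_seg` with two empty strings; swapping the two forms would still assemble. I would add a comment above the macro along the lines of `/* prefix: segment override for the movs source; set/restore: ES switch for a user-space destination */`. The rest of the macro body is outside this hunk.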
20691 @@ -682,14 +799,14 @@ do { \
20692 " negl %0\n" \
20693 " andl $7,%0\n" \
20694 " subl %0,%3\n" \
20695 - "4: rep; movsb\n" \
20696 + "4: rep; "__copyuser_seg"movsb\n" \
20697 " movl %3,%0\n" \
20698 " shrl $2,%0\n" \
20699 " andl $3,%3\n" \
20700 " .align 2,0x90\n" \
20701 - "0: rep; movsl\n" \
20702 + "0: rep; "__copyuser_seg"movsl\n" \
20703 " movl %3,%0\n" \
20704 - "1: rep; movsb\n" \
20705 + "1: rep; "__copyuser_seg"movsb\n" \
20706 "2:\n" \
20707 ".section .fixup,\"ax\"\n" \
20708 "5: addl %3,%0\n" \
20709 @@ -775,9 +892,9 @@ survive:
20710 }
20711 #endif
20712 if (movsl_is_ok(to, from, n))
20713 - __copy_user(to, from, n);
20714 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
20715 else
20716 - n = __copy_user_intel(to, from, n);
20717 + n = __generic_copy_to_user_intel(to, from, n);
20718 return n;
20719 }
20720 EXPORT_SYMBOL(__copy_to_user_ll);
20721 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
20722 unsigned long n)
20723 {
20724 if (movsl_is_ok(to, from, n))
20725 - __copy_user(to, from, n);
20726 + __copy_user(to, from, n, __copyuser_seg, "", "");
20727 else
20728 - n = __copy_user_intel((void __user *)to,
20729 - (const void *)from, n);
20730 + n = __generic_copy_from_user_intel(to, from, n);
20731 return n;
20732 }
20733 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
20734 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
20735 if (n > 64 && cpu_has_xmm2)
20736 n = __copy_user_intel_nocache(to, from, n);
20737 else
20738 - __copy_user(to, from, n);
20739 + __copy_user(to, from, n, __copyuser_seg, "", "");
20740 #else
20741 - __copy_user(to, from, n);
20742 + __copy_user(to, from, n, __copyuser_seg, "", "");
20743 #endif
20744 return n;
20745 }
20746 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
20747
20748 -/**
20749 - * copy_to_user: - Copy a block of data into user space.
20750 - * @to: Destination address, in user space.
20751 - * @from: Source address, in kernel space.
20752 - * @n: Number of bytes to copy.
20753 - *
20754 - * Context: User context only. This function may sleep.
20755 - *
20756 - * Copy data from kernel space to user space.
20757 - *
20758 - * Returns number of bytes that could not be copied.
20759 - * On success, this will be zero.
20760 - */
20761 -unsigned long
20762 -copy_to_user(void __user *to, const void *from, unsigned long n)
20763 +void copy_from_user_overflow(void)
20764 {
20765 - if (access_ok(VERIFY_WRITE, to, n))
20766 - n = __copy_to_user(to, from, n);
20767 - return n;
20768 + WARN(1, "Buffer overflow detected!\n");
20769 }
20770 -EXPORT_SYMBOL(copy_to_user);
20771 +EXPORT_SYMBOL(copy_from_user_overflow);
20772
20773 -/**
20774 - * copy_from_user: - Copy a block of data from user space.
20775 - * @to: Destination address, in kernel space.
20776 - * @from: Source address, in user space.
20777 - * @n: Number of bytes to copy.
20778 - *
20779 - * Context: User context only. This function may sleep.
20780 - *
20781 - * Copy data from user space to kernel space.
20782 - *
20783 - * Returns number of bytes that could not be copied.
20784 - * On success, this will be zero.
20785 - *
20786 - * If some data could not be copied, this function will pad the copied
20787 - * data to the requested size using zero bytes.
20788 - */
20789 -unsigned long
20790 -_copy_from_user(void *to, const void __user *from, unsigned long n)
20791 +void copy_to_user_overflow(void)
20792 {
20793 - if (access_ok(VERIFY_READ, from, n))
20794 - n = __copy_from_user(to, from, n);
20795 - else
20796 - memset(to, 0, n);
20797 - return n;
20798 + WARN(1, "Buffer overflow detected!\n");
20799 }
20800 -EXPORT_SYMBOL(_copy_from_user);
20801 +EXPORT_SYMBOL(copy_to_user_overflow);
20802
20803 -void copy_from_user_overflow(void)
20804 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20805 +void __set_fs(mm_segment_t x)
20806 {
20807 - WARN(1, "Buffer overflow detected!\n");
20808 + switch (x.seg) {
20809 + case 0:
20810 + loadsegment(gs, 0);
20811 + break;
20812 + case TASK_SIZE_MAX:
20813 + loadsegment(gs, __USER_DS);
20814 + break;
20815 + case -1UL:
20816 + loadsegment(gs, __KERNEL_DS);
20817 + break;
20818 + default:
20819 + BUG();
20820 + }
20821 + return;
20822 }
20823 -EXPORT_SYMBOL(copy_from_user_overflow);
20824 +EXPORT_SYMBOL(__set_fs);
20825 +
20826 +void set_fs(mm_segment_t x)
20827 +{
20828 + current_thread_info()->addr_limit = x;
20829 + __set_fs(x);
20830 +}
20831 +EXPORT_SYMBOL(set_fs);
20832 +#endif
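Review bot: `__set_fs` accepts exactly three values of `x.seg` (`0`, `TASK_SIZE_MAX`, `-1UL`) and sends anything else to `BUG()`, but neither it nor `set_fs` carries a comment stating that contract or which selector each value maps to. The kernel-doc blocks removed from this file described their functions in detail, and the two new exported functions deserve at least `/* load %gs to match the requested address limit; any other limit is a kernel bug */` above `__set_fs`. The trailing `return;` in a `void` function is redundant and can go.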
20833 diff -urNp linux-2.6.39.1/arch/x86/lib/usercopy_64.c linux-2.6.39.1/arch/x86/lib/usercopy_64.c
20834 --- linux-2.6.39.1/arch/x86/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
20835 +++ linux-2.6.39.1/arch/x86/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
20836 @@ -42,6 +42,12 @@ long
20837 __strncpy_from_user(char *dst, const char __user *src, long count)
20838 {
20839 long res;
20840 +
20841 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20842 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20843 + src += PAX_USER_SHADOW_BASE;
20844 +#endif
20845 +
20846 __do_strncpy_from_user(dst, src, count, res);
20847 return res;
20848 }
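Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again in the `__clear_user` and `copy_in_user` hunks below, four copies in this file, with no comment on what a pointer at or above the base is taken to mean. One file-local `static inline` helper that takes and returns the pointer would keep the comparison and the offset from drifting apart. It would also give a single place for a comment such as `/* UDEREF: user pointers go through the shadow mapping; pointers already at or above the base are passed through unchanged */`, which is my reading of the code and should be confirmed. The `copy_in_user` hunk also re-indents three unchanged lines, which makes the real change harder to see.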
20849 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
20850 {
20851 long __d0;
20852 might_fault();
20853 +
20854 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20855 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
20856 + addr += PAX_USER_SHADOW_BASE;
20857 +#endif
20858 +
20859 /* no memory constraint because it doesn't change any memory gcc knows
20860 about */
20861 asm volatile(
20862 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
20863
20864 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
20865 {
20866 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20867 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20868 +
20869 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20870 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
20871 + to += PAX_USER_SHADOW_BASE;
20872 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
20873 + from += PAX_USER_SHADOW_BASE;
20874 +#endif
20875 +
20876 return copy_user_generic((__force void *)to, (__force void *)from, len);
20877 - }
20878 - return len;
20879 + }
20880 + return len;
20881 }
20882 EXPORT_SYMBOL(copy_in_user);
20883
20884 diff -urNp linux-2.6.39.1/arch/x86/Makefile linux-2.6.39.1/arch/x86/Makefile
20885 --- linux-2.6.39.1/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400
20886 +++ linux-2.6.39.1/arch/x86/Makefile 2011-05-22 19:36:30.000000000 -0400
20887 @@ -195,3 +195,12 @@ define archhelp
20888 echo ' FDARGS="..." arguments for the booted kernel'
20889 echo ' FDINITRD=file initrd for the booted kernel'
20890 endef
20891 +
20892 +define OLD_LD
20893 +
20894 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
20895 +*** Please upgrade your binutils to 2.18 or newer
20896 +endef
20897 +
20898 +archprepare:
20899 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
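Review bot: `archprepare` treats an empty `LDFLAGS_BUILD_ID` as proof of binutils older than 2.18, so any other reason for that variable being empty ends in the same "upgrade your binutils" error. If the variable is meant only as a proxy for linker build-id support, a comment above the rule saying so, e.g. `# LDFLAGS_BUILD_ID is empty when ld lacks --build-id, which is used here as the binutils >= 2.18 test`, would save the next reader from guessing. How `LDFLAGS_BUILD_ID` is computed is not visible in this hunk.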
20900 diff -urNp linux-2.6.39.1/arch/x86/mm/extable.c linux-2.6.39.1/arch/x86/mm/extable.c
20901 --- linux-2.6.39.1/arch/x86/mm/extable.c 2011-05-19 00:06:34.000000000 -0400
20902 +++ linux-2.6.39.1/arch/x86/mm/extable.c 2011-05-22 19:36:30.000000000 -0400
20903 @@ -1,14 +1,71 @@
20904 #include <linux/module.h>
20905 #include <linux/spinlock.h>
20906 +#include <linux/sort.h>
20907 #include <asm/uaccess.h>
20908 +#include <asm/pgtable.h>
20909
20910 +/*
20911 + * The exception table needs to be sorted so that the binary
20912 + * search that we use to find entries in it works properly.
20913 + * This is used both for the kernel exception table and for
20914 + * the exception tables of modules that get loaded.
20915 + */
20916 +static int cmp_ex(const void *a, const void *b)
20917 +{
20918 + const struct exception_table_entry *x = a, *y = b;
20919 +
20920 + /* avoid overflow */
20921 + if (x->insn > y->insn)
20922 + return 1;
20923 + if (x->insn < y->insn)
20924 + return -1;
20925 + return 0;
20926 +}
20927 +
20928 +static void swap_ex(void *a, void *b, int size)
20929 +{
20930 + struct exception_table_entry t, *x = a, *y = b;
20931 +
20932 + t = *x;
20933 +
20934 + pax_open_kernel();
20935 + *x = *y;
20936 + *y = t;
20937 + pax_close_kernel();
20938 +}
20939 +
20940 +void sort_extable(struct exception_table_entry *start,
20941 + struct exception_table_entry *finish)
20942 +{
20943 + sort(start, finish - start, sizeof(struct exception_table_entry),
20944 + cmp_ex, swap_ex);
20945 +}
20946 +
20947 +#ifdef CONFIG_MODULES
20948 +/*
20949 + * If the exception table is sorted, any referring to the module init
20950 + * will be at the beginning or the end.
20951 + */
20952 +void trim_init_extable(struct module *m)
20953 +{
20954 + /*trim the beginning*/
20955 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
20956 + m->extable++;
20957 + m->num_exentries--;
20958 + }
20959 + /*trim the end*/
20960 + while (m->num_exentries &&
20961 + within_module_init(m->extable[m->num_exentries-1].insn, m))
20962 + m->num_exentries--;
20963 +}
20964 +#endif /* CONFIG_MODULES */
20965
20966 int fixup_exception(struct pt_regs *regs)
20967 {
20968 const struct exception_table_entry *fixup;
20969
20970 #ifdef CONFIG_PNPBIOS
20971 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
20972 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
20973 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
20974 extern u32 pnp_bios_is_utter_crap;
20975 pnp_bios_is_utter_crap = 1;
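Review bot: `swap_ex` brackets its two stores with `pax_open_kernel()`/`pax_close_kernel()` without a comment explaining why, and it ignores its `size` argument. Presumably the exception table sits in memory that is write-protected under KERNEXEC, which would be the reason this file carries its own sort; if so, say it in the function, e.g. `/* extable entries may be read-only; open the kernel for just these two stores */`. The block comment about sorting also sits above `cmp_ex` and would fit better above `sort_extable`. `fixup_exception` continues past the end of this hunk.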
20976 diff -urNp linux-2.6.39.1/arch/x86/mm/fault.c linux-2.6.39.1/arch/x86/mm/fault.c
20977 --- linux-2.6.39.1/arch/x86/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
20978 +++ linux-2.6.39.1/arch/x86/mm/fault.c 2011-06-06 17:34:04.000000000 -0400
20979 @@ -12,10 +12,18 @@
20980 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
20981 #include <linux/perf_event.h> /* perf_sw_event */
20982 #include <linux/hugetlb.h> /* hstate_index_to_shift */
20983 +#include <linux/unistd.h>
20984 +#include <linux/compiler.h>
20985
20986 #include <asm/traps.h> /* dotraplinkage, ... */
20987 #include <asm/pgalloc.h> /* pgd_*(), ... */
20988 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
20989 +#include <asm/vsyscall.h>
20990 +#include <asm/tlbflush.h>
20991 +
20992 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20993 +#include <asm/stacktrace.h>
20994 +#endif
20995
20996 /*
20997 * Page fault error code bits:
20998 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
20999 int ret = 0;
21000
21001 /* kprobe_running() needs smp_processor_id() */
21002 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21003 + if (kprobes_built_in() && !user_mode(regs)) {
21004 preempt_disable();
21005 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21006 ret = 1;
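Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in the kprobes guard is only equivalent if `user_mode()` in this tree also treats v8086 mode as user mode. That definition is not on this page, so the hunk cannot be checked on its own. A one-line comment such as `/* user_mode() covers vm86 in this tree */`, once verified, would stop someone from "fixing" it back. The function body extends beyond this hunk.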
21007 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
21008 return !instr_lo || (instr_lo>>1) == 1;
21009 case 0x00:
21010 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21011 - if (probe_kernel_address(instr, opcode))
21012 + if (user_mode(regs)) {
21013 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21014 + return 0;
21015 + } else if (probe_kernel_address(instr, opcode))
21016 return 0;
21017
21018 *prefetch = (instr_lo == 0xF) &&
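Review bot: The new user-mode branch reads the opcode byte with `__copy_from_user_inatomic`, and the double-underscore copy routines conventionally skip the `access_ok()` range check, so this depends on `instr` having been bounded earlier. Any such check in `is_prefetch` lies outside this hunk and the next one; confirm it is there and covers the whole range up to `max_instr`. The same four-line `if (user_mode(regs)) { ... } else if (probe_kernel_address(...))` construct is repeated in the `is_prefetch` hunk below, and a small static helper that returns non-zero on failure would keep the two in step.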
21019 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
21020 while (instr < max_instr) {
21021 unsigned char opcode;
21022
21023 - if (probe_kernel_address(instr, opcode))
21024 + if (user_mode(regs)) {
21025 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21026 + break;
21027 + } else if (probe_kernel_address(instr, opcode))
21028 break;
21029
21030 instr++;
21031 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
21032 force_sig_info(si_signo, &info, tsk);
21033 }
21034
21035 +#ifdef CONFIG_PAX_EMUTRAMP
21036 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21037 +#endif
21038 +
21039 +#ifdef CONFIG_PAX_PAGEEXEC
21040 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21041 +{
21042 + pgd_t *pgd;
21043 + pud_t *pud;
21044 + pmd_t *pmd;
21045 +
21046 + pgd = pgd_offset(mm, address);
21047 + if (!pgd_present(*pgd))
21048 + return NULL;
21049 + pud = pud_offset(pgd, address);
21050 + if (!pud_present(*pud))
21051 + return NULL;
21052 + pmd = pmd_offset(pud, address);
21053 + if (!pmd_present(*pmd))
21054 + return NULL;
21055 + return pmd;
21056 +}
21057 +#endif
21058 +
21059 DEFINE_SPINLOCK(pgd_lock);
21060 LIST_HEAD(pgd_list);
21061
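Review bot: pax_get_pmd() has no comment stating what the caller must hold while it walks the page tables of `mm`, and it tests only `pgd_present`/`pud_present`/`pmd_present`, so a present large-page pmd would be returned like any other. Its only caller visible in this file's diff passes the result straight to `pte_offset_map_lock()`; whether a large pmd can occur for the addresses it handles cannot be told from this hunk. I would add a header comment such as `/* Caller holds mm->mmap_sem. Returns NULL if any level is not present; large pages are not checked for. */` and, if large mappings are possible there, a `pmd_large()` test before returning.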
21062 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
21063 for (address = VMALLOC_START & PMD_MASK;
21064 address >= TASK_SIZE && address < FIXADDR_TOP;
21065 address += PMD_SIZE) {
21066 +
21067 +#ifdef CONFIG_PAX_PER_CPU_PGD
21068 + unsigned long cpu;
21069 +#else
21070 struct page *page;
21071 +#endif
21072
21073 spin_lock(&pgd_lock);
21074 +
21075 +#ifdef CONFIG_PAX_PER_CPU_PGD
21076 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21077 + pgd_t *pgd = get_cpu_pgd(cpu);
21078 + pmd_t *ret;
21079 +#else
21080 list_for_each_entry(page, &pgd_list, lru) {
21081 + pgd_t *pgd = page_address(page);
21082 spinlock_t *pgt_lock;
21083 pmd_t *ret;
21084
21085 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
21086 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21087
21088 spin_lock(pgt_lock);
21089 - ret = vmalloc_sync_one(page_address(page), address);
21090 +#endif
21091 +
21092 + ret = vmalloc_sync_one(pgd, address);
21093 +
21094 +#ifndef CONFIG_PAX_PER_CPU_PGD
21095 spin_unlock(pgt_lock);
21096 +#endif
21097
21098 if (!ret)
21099 break;
21100 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
21101 * an interrupt in the middle of a task switch..
21102 */
21103 pgd_paddr = read_cr3();
21104 +
21105 +#ifdef CONFIG_PAX_PER_CPU_PGD
21106 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21107 +#endif
21108 +
21109 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21110 if (!pmd_k)
21111 return -1;
21112 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
21113 * happen within a race in page table update. In the later
21114 * case just flush:
21115 */
21116 +
21117 +#ifdef CONFIG_PAX_PER_CPU_PGD
21118 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21119 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21120 +#else
21121 pgd = pgd_offset(current->active_mm, address);
21122 +#endif
21123 +
21124 pgd_ref = pgd_offset_k(address);
21125 if (pgd_none(*pgd_ref))
21126 return -1;
21127 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
21128 static int is_errata100(struct pt_regs *regs, unsigned long address)
21129 {
21130 #ifdef CONFIG_X86_64
21131 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21132 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21133 return 1;
21134 #endif
21135 return 0;
21136 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
21137 }
21138
21139 static const char nx_warning[] = KERN_CRIT
21140 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21141 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21142
21143 static void
21144 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21145 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
21146 if (!oops_may_print())
21147 return;
21148
21149 - if (error_code & PF_INSTR) {
21150 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
21151 unsigned int level;
21152
21153 pte_t *pte = lookup_address(address, &level);
21154
21155 if (pte && pte_present(*pte) && !pte_exec(*pte))
21156 - printk(nx_warning, current_uid());
21157 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21158 }
21159
21160 +#ifdef CONFIG_PAX_KERNEXEC
21161 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21162 + if (current->signal->curr_ip)
21163 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21164 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21165 + else
21166 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21167 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21168 + }
21169 +#endif
21170 +
21171 printk(KERN_ALERT "BUG: unable to handle kernel ");
21172 if (address < PAGE_SIZE)
21173 printk(KERN_CONT "NULL pointer dereference");
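Review bot: The CONFIG_PAX_KERNEXEC block in show_fault_oops logs "attempted to modify kernel code" for any fault whose address lies in `[init_mm.start_code, init_mm.end_code)`, without looking at `error_code`. If a non-write fault can reach this path for that range, the log line misstates what happened, which matters to anyone triaging these messages. Adding the write bit to the condition, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, keeps the wording accurate. show_fault_oops begins and ends outside the hunk.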
21174 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
21175 unsigned long address, int si_code)
21176 {
21177 struct task_struct *tsk = current;
21178 + struct mm_struct *mm = tsk->mm;
21179 +
21180 +#ifdef CONFIG_X86_64
21181 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21182 + if (regs->ip == (unsigned long)vgettimeofday) {
21183 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21184 + return;
21185 + } else if (regs->ip == (unsigned long)vtime) {
21186 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21187 + return;
21188 + } else if (regs->ip == (unsigned long)vgetcpu) {
21189 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21190 + return;
21191 + }
21192 + }
21193 +#endif
21194 +
21195 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21196 + if (mm && (error_code & PF_USER)) {
21197 + unsigned long ip = regs->ip;
21198 +
21199 + if (v8086_mode(regs))
21200 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21201 +
21202 + /*
21203 + * It's possible to have interrupts off here:
21204 + */
21205 + local_irq_enable();
21206 +
21207 +#ifdef CONFIG_PAX_PAGEEXEC
21208 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21209 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21210 +
21211 +#ifdef CONFIG_PAX_EMUTRAMP
21212 + switch (pax_handle_fetch_fault(regs)) {
21213 + case 2:
21214 + return;
21215 + }
21216 +#endif
21217 +
21218 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21219 + do_group_exit(SIGKILL);
21220 + }
21221 +#endif
21222 +
21223 +#ifdef CONFIG_PAX_SEGMEXEC
21224 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21225 +
21226 +#ifdef CONFIG_PAX_EMUTRAMP
21227 + switch (pax_handle_fetch_fault(regs)) {
21228 + case 2:
21229 + return;
21230 + }
21231 +#endif
21232 +
21233 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21234 + do_group_exit(SIGKILL);
21235 + }
21236 +#endif
21237 +
21238 + }
21239 +#endif
21240
21241 /* User mode accesses just cause a SIGSEGV */
21242 if (error_code & PF_USER) {
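Review bot: Both the PAGEEXEC and the SEGMEXEC branch added to __bad_area_nosemaphore test the result of pax_handle_fetch_fault() with a `switch` that has a single `case 2:` and no `default`, which hides the fact that every other return value falls through to the kill path. `if (pax_handle_fetch_fault(regs) == 2) return;` says the same thing directly, and a named constant for `2` would tie it to the "gcc trampoline was detected" meaning documented at the function's definition later in this file's diff. A short comment that `do_group_exit(SIGKILL)` does not return would also explain why nothing follows it inside the `if`. The function begins and ends outside the hunk.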
21243 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
21244 return 1;
21245 }
21246
21247 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21248 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21249 +{
21250 + pte_t *pte;
21251 + pmd_t *pmd;
21252 + spinlock_t *ptl;
21253 + unsigned char pte_mask;
21254 +
21255 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21256 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21257 + return 0;
21258 +
21259 + /* PaX: it's our fault, let's handle it if we can */
21260 +
21261 + /* PaX: take a look at read faults before acquiring any locks */
21262 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21263 + /* instruction fetch attempt from a protected page in user mode */
21264 + up_read(&mm->mmap_sem);
21265 +
21266 +#ifdef CONFIG_PAX_EMUTRAMP
21267 + switch (pax_handle_fetch_fault(regs)) {
21268 + case 2:
21269 + return 1;
21270 + }
21271 +#endif
21272 +
21273 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21274 + do_group_exit(SIGKILL);
21275 + }
21276 +
21277 + pmd = pax_get_pmd(mm, address);
21278 + if (unlikely(!pmd))
21279 + return 0;
21280 +
21281 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21282 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21283 + pte_unmap_unlock(pte, ptl);
21284 + return 0;
21285 + }
21286 +
21287 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21288 + /* write attempt to a protected page in user mode */
21289 + pte_unmap_unlock(pte, ptl);
21290 + return 0;
21291 + }
21292 +
21293 +#ifdef CONFIG_SMP
21294 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21295 +#else
21296 + if (likely(address > get_limit(regs->cs)))
21297 +#endif
21298 + {
21299 + set_pte(pte, pte_mkread(*pte));
21300 + __flush_tlb_one(address);
21301 + pte_unmap_unlock(pte, ptl);
21302 + up_read(&mm->mmap_sem);
21303 + return 1;
21304 + }
21305 +
21306 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21307 +
21308 + /*
21309 + * PaX: fill DTLB with user rights and retry
21310 + */
21311 + __asm__ __volatile__ (
21312 + "orb %2,(%1)\n"
21313 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21314 +/*
21315 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21316 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21317 + * page fault when examined during a TLB load attempt. this is true not only
21318 + * for PTEs holding a non-present entry but also present entries that will
21319 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21320 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21321 + * for our target pages since their PTEs are simply not in the TLBs at all.
21322 +
21323 + * the best thing in omitting it is that we gain around 15-20% speed in the
21324 + * fast path of the page fault handler and can get rid of tracing since we
21325 + * can no longer flush unintended entries.
21326 + */
21327 + "invlpg (%0)\n"
21328 +#endif
21329 + __copyuser_seg"testb $0,(%0)\n"
21330 + "xorb %3,(%1)\n"
21331 + :
21332 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21333 + : "memory", "cc");
21334 + pte_unmap_unlock(pte, ptl);
21335 + up_read(&mm->mmap_sem);
21336 + return 1;
21337 +}
21338 +#endif
21339 +
21340 /*
21341 * Handle a spurious fault caused by a stale TLB entry.
21342 *
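Review bot: pax_handle_pageexec_fault() has an undocumented locking contract: every path that returns 1 has already called `up_read(&mm->mmap_sem)`, while every path that returns 0 leaves the semaphore held. The caller added to do_page_fault returns immediately on a non-zero result, so correctness depends on that asymmetry staying intact through later edits. A header comment along the lines of `/* Called with mm->mmap_sem held for read. Returns 1 with the semaphore released (fault handled or task killed), 0 with it still held. */` would protect it. The `pte_mask` expression also relies silently on `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` landing on the dirty bit, which deserves a one-line comment.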
21343 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
21344 static inline int
21345 access_error(unsigned long error_code, struct vm_area_struct *vma)
21346 {
21347 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21348 + return 1;
21349 +
21350 if (error_code & PF_WRITE) {
21351 /* write, present and write, not present: */
21352 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21353 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
21354 {
21355 struct vm_area_struct *vma;
21356 struct task_struct *tsk;
21357 - unsigned long address;
21358 struct mm_struct *mm;
21359 int fault;
21360 int write = error_code & PF_WRITE;
21361 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
21362 (write ? FAULT_FLAG_WRITE : 0);
21363
21364 + /* Get the faulting address: */
21365 + unsigned long address = read_cr2();
21366 +
21367 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21368 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21369 + if (!search_exception_tables(regs->ip)) {
21370 + bad_area_nosemaphore(regs, error_code, address);
21371 + return;
21372 + }
21373 + if (address < PAX_USER_SHADOW_BASE) {
21374 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21375 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21376 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21377 + } else
21378 + address -= PAX_USER_SHADOW_BASE;
21379 + }
21380 +#endif
21381 +
21382 tsk = current;
21383 mm = tsk->mm;
21384
21385 - /* Get the faulting address: */
21386 - address = read_cr2();
21387 -
21388 /*
21389 * Detect and handle instructions that would cause a page fault for
21390 * both a tracked kernel page and a userspace page.
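Review bot: The UDEREF block added at the top of do_page_fault emits two `printk(KERN_ERR ...)` lines and a full `show_trace_log_lvl()` stack trace each time a kernel-mode fault below `PAX_USER_SHADOW_BASE` has an exception-table entry, with no rate limit. If any path can hit that condition repeatedly, the kernel log fills with traces and earlier evidence is pushed out; wrapping the three calls in `if (printk_ratelimit()) { ... }` bounds that. The `if`/`else` also pairs a braced branch with an unbraced one, which kernel style asks to brace on both sides. do_page_fault continues beyond the hunk.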
21391 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
21392 * User-mode registers count as a user access even for any
21393 * potential system fault or CPU buglet:
21394 */
21395 - if (user_mode_vm(regs)) {
21396 + if (user_mode(regs)) {
21397 local_irq_enable();
21398 error_code |= PF_USER;
21399 } else {
21400 @@ -1087,6 +1337,11 @@ retry:
21401 might_sleep();
21402 }
21403
21404 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21405 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21406 + return;
21407 +#endif
21408 +
21409 vma = find_vma(mm, address);
21410 if (unlikely(!vma)) {
21411 bad_area(regs, error_code, address);
21412 @@ -1098,18 +1353,24 @@ retry:
21413 bad_area(regs, error_code, address);
21414 return;
21415 }
21416 - if (error_code & PF_USER) {
21417 - /*
21418 - * Accessing the stack below %sp is always a bug.
21419 - * The large cushion allows instructions like enter
21420 - * and pusha to work. ("enter $65535, $31" pushes
21421 - * 32 pointers and then decrements %sp by 65535.)
21422 - */
21423 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21424 - bad_area(regs, error_code, address);
21425 - return;
21426 - }
21427 + /*
21428 + * Accessing the stack below %sp is always a bug.
21429 + * The large cushion allows instructions like enter
21430 + * and pusha to work. ("enter $65535, $31" pushes
21431 + * 32 pointers and then decrements %sp by 65535.)
21432 + */
21433 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21434 + bad_area(regs, error_code, address);
21435 + return;
21436 }
21437 +
21438 +#ifdef CONFIG_PAX_SEGMEXEC
21439 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21440 + bad_area(regs, error_code, address);
21441 + return;
21442 + }
21443 +#endif
21444 +
21445 if (unlikely(expand_stack(vma, address))) {
21446 bad_area(regs, error_code, address);
21447 return;
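Review bot: The new SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wrap-around and carries no comment. As far as the arithmetic reads, it is true only when `address` is at or below `SEGMEXEC_TASK_SIZE` while `vma->vm_end` is above it, so it stops a vma in the upper half from being expanded toward an address in the lower half. That intent should be written down, e.g. `/* never expand a vma lying above SEGMEXEC_TASK_SIZE down to an address at or below it */`. The hunk also drops the `error_code & PF_USER` guard on the stack-cushion check and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, and the retained comment does not say that kernel-mode faults are now subject to it. The surrounding function starts and ends outside the hunk.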
21448 @@ -1164,3 +1425,199 @@ good_area:
21449
21450 up_read(&mm->mmap_sem);
21451 }
21452 +
21453 +#ifdef CONFIG_PAX_EMUTRAMP
21454 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21455 +{
21456 + int err;
21457 +
21458 + do { /* PaX: gcc trampoline emulation #1 */
21459 + unsigned char mov1, mov2;
21460 + unsigned short jmp;
21461 + unsigned int addr1, addr2;
21462 +
21463 +#ifdef CONFIG_X86_64
21464 + if ((regs->ip + 11) >> 32)
21465 + break;
21466 +#endif
21467 +
21468 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21469 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21470 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21471 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21472 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21473 +
21474 + if (err)
21475 + break;
21476 +
21477 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21478 + regs->cx = addr1;
21479 + regs->ax = addr2;
21480 + regs->ip = addr2;
21481 + return 2;
21482 + }
21483 + } while (0);
21484 +
21485 + do { /* PaX: gcc trampoline emulation #2 */
21486 + unsigned char mov, jmp;
21487 + unsigned int addr1, addr2;
21488 +
21489 +#ifdef CONFIG_X86_64
21490 + if ((regs->ip + 9) >> 32)
21491 + break;
21492 +#endif
21493 +
21494 + err = get_user(mov, (unsigned char __user *)regs->ip);
21495 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21496 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21497 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21498 +
21499 + if (err)
21500 + break;
21501 +
21502 + if (mov == 0xB9 && jmp == 0xE9) {
21503 + regs->cx = addr1;
21504 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21505 + return 2;
21506 + }
21507 + } while (0);
21508 +
21509 + return 1; /* PaX in action */
21510 +}
21511 +
21512 +#ifdef CONFIG_X86_64
21513 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21514 +{
21515 + int err;
21516 +
21517 + do { /* PaX: gcc trampoline emulation #1 */
21518 + unsigned short mov1, mov2, jmp1;
21519 + unsigned char jmp2;
21520 + unsigned int addr1;
21521 + unsigned long addr2;
21522 +
21523 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21524 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21525 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21526 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21527 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21528 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21529 +
21530 + if (err)
21531 + break;
21532 +
21533 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21534 + regs->r11 = addr1;
21535 + regs->r10 = addr2;
21536 + regs->ip = addr1;
21537 + return 2;
21538 + }
21539 + } while (0);
21540 +
21541 + do { /* PaX: gcc trampoline emulation #2 */
21542 + unsigned short mov1, mov2, jmp1;
21543 + unsigned char jmp2;
21544 + unsigned long addr1, addr2;
21545 +
21546 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21547 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21548 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21549 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21550 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21551 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21552 +
21553 + if (err)
21554 + break;
21555 +
21556 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21557 + regs->r11 = addr1;
21558 + regs->r10 = addr2;
21559 + regs->ip = addr1;
21560 + return 2;
21561 + }
21562 + } while (0);
21563 +
21564 + return 1; /* PaX in action */
21565 +}
21566 +#endif
21567 +
21568 +/*
21569 + * PaX: decide what to do with offenders (regs->ip = fault address)
21570 + *
21571 + * returns 1 when task should be killed
21572 + * 2 when gcc trampoline was detected
21573 + */
21574 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21575 +{
21576 + if (v8086_mode(regs))
21577 + return 1;
21578 +
21579 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21580 + return 1;
21581 +
21582 +#ifdef CONFIG_X86_32
21583 + return pax_handle_fetch_fault_32(regs);
21584 +#else
21585 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21586 + return pax_handle_fetch_fault_32(regs);
21587 + else
21588 + return pax_handle_fetch_fault_64(regs);
21589 +#endif
21590 +}
21591 +#endif
21592 +
21593 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21594 +void pax_report_insns(void *pc, void *sp)
21595 +{
21596 + long i;
21597 +
21598 + printk(KERN_ERR "PAX: bytes at PC: ");
21599 + for (i = 0; i < 20; i++) {
21600 + unsigned char c;
21601 + if (get_user(c, (__force unsigned char __user *)pc+i))
21602 + printk(KERN_CONT "?? ");
21603 + else
21604 + printk(KERN_CONT "%02x ", c);
21605 + }
21606 + printk("\n");
21607 +
21608 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21609 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21610 + unsigned long c;
21611 + if (get_user(c, (__force unsigned long __user *)sp+i))
21612 +#ifdef CONFIG_X86_32
21613 + printk(KERN_CONT "???????? ");
21614 +#else
21615 + printk(KERN_CONT "???????????????? ");
21616 +#endif
21617 + else
21618 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21619 + }
21620 + printk("\n");
21621 +}
21622 +#endif
21623 +
21624 +/**
21625 + * probe_kernel_write(): safely attempt to write to a location
21626 + * @dst: address to write to
21627 + * @src: pointer to the data that shall be written
21628 + * @size: size of the data chunk
21629 + *
21630 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21631 + * happens, handle that and return -EFAULT.
21632 + */
21633 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21634 +{
21635 + long ret;
21636 + mm_segment_t old_fs = get_fs();
21637 +
21638 + set_fs(KERNEL_DS);
21639 + pagefault_disable();
21640 + pax_open_kernel();
21641 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21642 + pax_close_kernel();
21643 + pagefault_enable();
21644 + set_fs(old_fs);
21645 +
21646 + return ret ? -EFAULT : 0;
21647 +}
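Review bot: The kernel-doc on the new probe_kernel_write() does not mention that the copy now runs between `pax_open_kernel()` and `pax_close_kernel()`. Judging by how the same pair brackets `set_pte()` in kmap_atomic_prot elsewhere in this patch, it presumably lifts the write protection on otherwise read-only kernel memory for the duration, which would extend that ability to every caller of probe_kernel_write(). I would add a line to the comment, e.g. ` * The copy runs inside pax_open_kernel()/pax_close_kernel(), so @dst must come from a trusted source.`, so the widened contract is visible at the definition. Separately, the two bare `printk("\n")` calls in pax_report_insns should be `printk(KERN_CONT "\n")` to match the continuation lines before them.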
21648 diff -urNp linux-2.6.39.1/arch/x86/mm/gup.c linux-2.6.39.1/arch/x86/mm/gup.c
21649 --- linux-2.6.39.1/arch/x86/mm/gup.c 2011-05-19 00:06:34.000000000 -0400
21650 +++ linux-2.6.39.1/arch/x86/mm/gup.c 2011-05-22 19:36:30.000000000 -0400
21651 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
21652 addr = start;
21653 len = (unsigned long) nr_pages << PAGE_SHIFT;
21654 end = start + len;
21655 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21656 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21657 (void __user *)start, len)))
21658 return 0;
21659
21660 diff -urNp linux-2.6.39.1/arch/x86/mm/highmem_32.c linux-2.6.39.1/arch/x86/mm/highmem_32.c
21661 --- linux-2.6.39.1/arch/x86/mm/highmem_32.c 2011-05-19 00:06:34.000000000 -0400
21662 +++ linux-2.6.39.1/arch/x86/mm/highmem_32.c 2011-05-22 19:36:30.000000000 -0400
21663 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
21664 idx = type + KM_TYPE_NR*smp_processor_id();
21665 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21666 BUG_ON(!pte_none(*(kmap_pte-idx)));
21667 +
21668 + pax_open_kernel();
21669 set_pte(kmap_pte-idx, mk_pte(page, prot));
21670 + pax_close_kernel();
21671
21672 return (void *)vaddr;
21673 }
21674 diff -urNp linux-2.6.39.1/arch/x86/mm/hugetlbpage.c linux-2.6.39.1/arch/x86/mm/hugetlbpage.c
21675 --- linux-2.6.39.1/arch/x86/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
21676 +++ linux-2.6.39.1/arch/x86/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
21677 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
21678 struct hstate *h = hstate_file(file);
21679 struct mm_struct *mm = current->mm;
21680 struct vm_area_struct *vma;
21681 - unsigned long start_addr;
21682 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21683 +
21684 +#ifdef CONFIG_PAX_SEGMEXEC
21685 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21686 + pax_task_size = SEGMEXEC_TASK_SIZE;
21687 +#endif
21688 +
21689 + pax_task_size -= PAGE_SIZE;
21690
21691 if (len > mm->cached_hole_size) {
21692 - start_addr = mm->free_area_cache;
21693 + start_addr = mm->free_area_cache;
21694 } else {
21695 - start_addr = TASK_UNMAPPED_BASE;
21696 - mm->cached_hole_size = 0;
21697 + start_addr = mm->mmap_base;
21698 + mm->cached_hole_size = 0;
21699 }
21700
21701 full_search:
21702 @@ -280,26 +287,27 @@ full_search:
21703
21704 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
21705 /* At this point: (!vma || addr < vma->vm_end). */
21706 - if (TASK_SIZE - len < addr) {
21707 + if (pax_task_size - len < addr) {
21708 /*
21709 * Start a new search - just in case we missed
21710 * some holes.
21711 */
21712 - if (start_addr != TASK_UNMAPPED_BASE) {
21713 - start_addr = TASK_UNMAPPED_BASE;
21714 + if (start_addr != mm->mmap_base) {
21715 + start_addr = mm->mmap_base;
21716 mm->cached_hole_size = 0;
21717 goto full_search;
21718 }
21719 return -ENOMEM;
21720 }
21721 - if (!vma || addr + len <= vma->vm_start) {
21722 - mm->free_area_cache = addr + len;
21723 - return addr;
21724 - }
21725 + if (check_heap_stack_gap(vma, addr, len))
21726 + break;
21727 if (addr + mm->cached_hole_size < vma->vm_start)
21728 mm->cached_hole_size = vma->vm_start - addr;
21729 addr = ALIGN(vma->vm_end, huge_page_size(h));
21730 }
21731 +
21732 + mm->free_area_cache = addr + len;
21733 + return addr;
21734 }
21735
21736 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
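Review bot: After the rewrite of the bottom-up loop, `vma->vm_start` and `vma->vm_end` are dereferenced whenever `check_heap_stack_gap(vma, addr, len)` returns 0, whereas the removed code returned early on `!vma`. The loop is therefore safe only if check_heap_stack_gap() returns non-zero for a NULL `vma`; the helper is defined outside this hunk, so that cannot be confirmed here. A comment at the call, `/* check_heap_stack_gap() accepts vma == NULL and then reports the gap as free */`, or an explicit `!vma ||` in front of it, would make the dependency visible. The top-down loop and the hint path in hugetlb_get_unmapped_area later in this file's diff rely on the same property.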
21737 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
21738 {
21739 struct hstate *h = hstate_file(file);
21740 struct mm_struct *mm = current->mm;
21741 - struct vm_area_struct *vma, *prev_vma;
21742 - unsigned long base = mm->mmap_base, addr = addr0;
21743 + struct vm_area_struct *vma;
21744 + unsigned long base = mm->mmap_base, addr;
21745 unsigned long largest_hole = mm->cached_hole_size;
21746 - int first_time = 1;
21747
21748 /* don't allow allocations above current base */
21749 if (mm->free_area_cache > base)
21750 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
21751 largest_hole = 0;
21752 mm->free_area_cache = base;
21753 }
21754 -try_again:
21755 +
21756 /* make sure it can fit in the remaining address space */
21757 if (mm->free_area_cache < len)
21758 goto fail;
21759
21760 /* either no address requested or can't fit in requested address hole */
21761 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
21762 + addr = (mm->free_area_cache - len);
21763 do {
21764 + addr &= huge_page_mask(h);
21765 + vma = find_vma(mm, addr);
21766 /*
21767 * Lookup failure means no vma is above this address,
21768 * i.e. return with success:
21769 - */
21770 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
21771 - return addr;
21772 -
21773 - /*
21774 * new region fits between prev_vma->vm_end and
21775 * vma->vm_start, use it:
21776 */
21777 - if (addr + len <= vma->vm_start &&
21778 - (!prev_vma || (addr >= prev_vma->vm_end))) {
21779 + if (check_heap_stack_gap(vma, addr, len)) {
21780 /* remember the address as a hint for next time */
21781 - mm->cached_hole_size = largest_hole;
21782 - return (mm->free_area_cache = addr);
21783 - } else {
21784 - /* pull free_area_cache down to the first hole */
21785 - if (mm->free_area_cache == vma->vm_end) {
21786 - mm->free_area_cache = vma->vm_start;
21787 - mm->cached_hole_size = largest_hole;
21788 - }
21789 + mm->cached_hole_size = largest_hole;
21790 + return (mm->free_area_cache = addr);
21791 + }
21792 + /* pull free_area_cache down to the first hole */
21793 + if (mm->free_area_cache == vma->vm_end) {
21794 + mm->free_area_cache = vma->vm_start;
21795 + mm->cached_hole_size = largest_hole;
21796 }
21797
21798 /* remember the largest hole we saw so far */
21799 if (addr + largest_hole < vma->vm_start)
21800 - largest_hole = vma->vm_start - addr;
21801 + largest_hole = vma->vm_start - addr;
21802
21803 /* try just below the current vma->vm_start */
21804 - addr = (vma->vm_start - len) & huge_page_mask(h);
21805 - } while (len <= vma->vm_start);
21806 + addr = skip_heap_stack_gap(vma, len);
21807 + } while (!IS_ERR_VALUE(addr));
21808
21809 fail:
21810 /*
21811 - * if hint left us with no space for the requested
21812 - * mapping then try again:
21813 - */
21814 - if (first_time) {
21815 - mm->free_area_cache = base;
21816 - largest_hole = 0;
21817 - first_time = 0;
21818 - goto try_again;
21819 - }
21820 - /*
21821 * A failed mmap() very likely causes application failure,
21822 * so fall back to the bottom-up function here. This scenario
21823 * can happen with large stack limits and large mmap()
21824 * allocations.
21825 */
21826 - mm->free_area_cache = TASK_UNMAPPED_BASE;
21827 +
21828 +#ifdef CONFIG_PAX_SEGMEXEC
21829 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21830 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
21831 + else
21832 +#endif
21833 +
21834 + mm->mmap_base = TASK_UNMAPPED_BASE;
21835 +
21836 +#ifdef CONFIG_PAX_RANDMMAP
21837 + if (mm->pax_flags & MF_PAX_RANDMMAP)
21838 + mm->mmap_base += mm->delta_mmap;
21839 +#endif
21840 +
21841 + mm->free_area_cache = mm->mmap_base;
21842 mm->cached_hole_size = ~0UL;
21843 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
21844 len, pgoff, flags);
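Review bot: The merged comment inside the top-down loop still says the new region "fits between prev_vma->vm_end and vma->vm_start", but `prev_vma` is removed by this patch and the decision is now made by `check_heap_stack_gap()`. I would reword it to describe the new test, e.g. `/* use addr when check_heap_stack_gap() accepts it; this must also cover the case of no vma above addr */`. In the `fail:` path the `else` that ends inside `#ifdef CONFIG_PAX_SEGMEXEC` binds to the `mm->mmap_base = TASK_UNMAPPED_BASE;` statement that follows the `#endif` and a blank line. Bracing both arms would make that pairing harder to break by accident. The function begins before the hunk and continues after it.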
21845 @@ -386,6 +392,7 @@ fail:
21846 /*
21847 * Restore the topdown base:
21848 */
21849 + mm->mmap_base = base;
21850 mm->free_area_cache = base;
21851 mm->cached_hole_size = ~0UL;
21852
21853 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
21854 struct hstate *h = hstate_file(file);
21855 struct mm_struct *mm = current->mm;
21856 struct vm_area_struct *vma;
21857 + unsigned long pax_task_size = TASK_SIZE;
21858
21859 if (len & ~huge_page_mask(h))
21860 return -EINVAL;
21861 - if (len > TASK_SIZE)
21862 +
21863 +#ifdef CONFIG_PAX_SEGMEXEC
21864 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21865 + pax_task_size = SEGMEXEC_TASK_SIZE;
21866 +#endif
21867 +
21868 + pax_task_size -= PAGE_SIZE;
21869 +
21870 + if (len > pax_task_size)
21871 return -ENOMEM;
21872
21873 if (flags & MAP_FIXED) {
21874 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
21875 if (addr) {
21876 addr = ALIGN(addr, huge_page_size(h));
21877 vma = find_vma(mm, addr);
21878 - if (TASK_SIZE - len >= addr &&
21879 - (!vma || addr + len <= vma->vm_start))
21880 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
21881 return addr;
21882 }
21883 if (mm->get_unmapped_area == arch_get_unmapped_area)
21884 diff -urNp linux-2.6.39.1/arch/x86/mm/init_32.c linux-2.6.39.1/arch/x86/mm/init_32.c
21885 --- linux-2.6.39.1/arch/x86/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
21886 +++ linux-2.6.39.1/arch/x86/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
21887 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
21888 }
21889
21890 /*
21891 - * Creates a middle page table and puts a pointer to it in the
21892 - * given global directory entry. This only returns the gd entry
21893 - * in non-PAE compilation mode, since the middle layer is folded.
21894 - */
21895 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
21896 -{
21897 - pud_t *pud;
21898 - pmd_t *pmd_table;
21899 -
21900 -#ifdef CONFIG_X86_PAE
21901 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
21902 - if (after_bootmem)
21903 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
21904 - else
21905 - pmd_table = (pmd_t *)alloc_low_page();
21906 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
21907 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
21908 - pud = pud_offset(pgd, 0);
21909 - BUG_ON(pmd_table != pmd_offset(pud, 0));
21910 -
21911 - return pmd_table;
21912 - }
21913 -#endif
21914 - pud = pud_offset(pgd, 0);
21915 - pmd_table = pmd_offset(pud, 0);
21916 -
21917 - return pmd_table;
21918 -}
21919 -
21920 -/*
21921 * Create a page table and place a pointer to it in a middle page
21922 * directory entry:
21923 */
21924 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
21925 page_table = (pte_t *)alloc_low_page();
21926
21927 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
21928 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21929 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
21930 +#else
21931 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
21932 +#endif
21933 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
21934 }
21935
21936 return pte_offset_kernel(pmd, 0);
21937 }
21938
21939 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
21940 +{
21941 + pud_t *pud;
21942 + pmd_t *pmd_table;
21943 +
21944 + pud = pud_offset(pgd, 0);
21945 + pmd_table = pmd_offset(pud, 0);
21946 +
21947 + return pmd_table;
21948 +}
21949 +
21950 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
21951 {
21952 int pgd_idx = pgd_index(vaddr);
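Review bot: The re-added one_md_table_init() no longer allocates anything, it only returns `pmd_offset(pud_offset(pgd, 0), 0)`, and the comment describing it was deleted along with the old version. Under CONFIG_X86_PAE the removed code installed a pmd page when the pgd entry was not present, so the new version presumably relies on the pmd tables being in place before it runs; that precondition is not visible in this hunk. It should be stated at the definition, e.g. `/* Returns the pmd table for @pgd; the table must already be present, nothing is allocated here. */`. The switch to `_KERNPG_TABLE` under PAGEEXEC/SEGMEXEC a few lines above would also benefit from a one-line reason.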
21953 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
21954 int pgd_idx, pmd_idx;
21955 unsigned long vaddr;
21956 pgd_t *pgd;
21957 + pud_t *pud;
21958 pmd_t *pmd;
21959 pte_t *pte = NULL;
21960
21961 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
21962 pgd = pgd_base + pgd_idx;
21963
21964 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
21965 - pmd = one_md_table_init(pgd);
21966 - pmd = pmd + pmd_index(vaddr);
21967 + pud = pud_offset(pgd, vaddr);
21968 + pmd = pmd_offset(pud, vaddr);
21969 +
21970 +#ifdef CONFIG_X86_PAE
21971 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
21972 +#endif
21973 +
21974 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
21975 pmd++, pmd_idx++) {
21976 pte = page_table_kmap_check(one_page_table_init(pmd),
21977 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
21978 }
21979 }
21980
21981 -static inline int is_kernel_text(unsigned long addr)
21982 +static inline int is_kernel_text(unsigned long start, unsigned long end)
21983 {
21984 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
21985 - return 1;
21986 - return 0;
21987 + if ((start > ktla_ktva((unsigned long)_etext) ||
21988 + end <= ktla_ktva((unsigned long)_stext)) &&
21989 + (start > ktla_ktva((unsigned long)_einittext) ||
21990 + end <= ktla_ktva((unsigned long)_sinittext)) &&
21991 +
21992 +#ifdef CONFIG_ACPI_SLEEP
21993 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
21994 +#endif
21995 +
21996 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
21997 + return 0;
21998 + return 1;
21999 }
22000
22001 /*
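Review bot: The non-overlap tests in `is_kernel_text()` use `start > ktla_ktva((unsigned long)_etext)` (and the same form for `_einittext` and the ACPI wakeup end), so a range that begins exactly at the end address still counts as overlapping and the callers map it with the executable protection. If those end symbols are exclusive bounds, `start >= ...` is the matching comparison. The function now also covers more than kernel text: the ACPI wakeup area with a bare `0x4000` length and the `0xc0000`-`0xfffff` range, none of them named or commented. A header comment stating that it returns 1 when `[start, end)` overlaps any region that must stay executable, plus named constants for the three literals, would make the intent checkable.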
22002 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
22003 unsigned long last_map_addr = end;
22004 unsigned long start_pfn, end_pfn;
22005 pgd_t *pgd_base = swapper_pg_dir;
22006 - int pgd_idx, pmd_idx, pte_ofs;
22007 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22008 unsigned long pfn;
22009 pgd_t *pgd;
22010 + pud_t *pud;
22011 pmd_t *pmd;
22012 pte_t *pte;
22013 unsigned pages_2m, pages_4k;
22014 @@ -281,8 +282,13 @@ repeat:
22015 pfn = start_pfn;
22016 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22017 pgd = pgd_base + pgd_idx;
22018 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22019 - pmd = one_md_table_init(pgd);
22020 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22021 + pud = pud_offset(pgd, 0);
22022 + pmd = pmd_offset(pud, 0);
22023 +
22024 +#ifdef CONFIG_X86_PAE
22025 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22026 +#endif
22027
22028 if (pfn >= end_pfn)
22029 continue;
22030 @@ -294,14 +300,13 @@ repeat:
22031 #endif
22032 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22033 pmd++, pmd_idx++) {
22034 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22035 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22036
22037 /*
22038 * Map with big pages if possible, otherwise
22039 * create normal page tables:
22040 */
22041 if (use_pse) {
22042 - unsigned int addr2;
22043 pgprot_t prot = PAGE_KERNEL_LARGE;
22044 /*
22045 * first pass will use the same initial
22046 @@ -311,11 +316,7 @@ repeat:
22047 __pgprot(PTE_IDENT_ATTR |
22048 _PAGE_PSE);
22049
22050 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22051 - PAGE_OFFSET + PAGE_SIZE-1;
22052 -
22053 - if (is_kernel_text(addr) ||
22054 - is_kernel_text(addr2))
22055 + if (is_kernel_text(address, address + PMD_SIZE))
22056 prot = PAGE_KERNEL_LARGE_EXEC;
22057
22058 pages_2m++;
22059 @@ -332,7 +333,7 @@ repeat:
22060 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22061 pte += pte_ofs;
22062 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22063 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22064 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22065 pgprot_t prot = PAGE_KERNEL;
22066 /*
22067 * first pass will use the same initial
22068 @@ -340,7 +341,7 @@ repeat:
22069 */
22070 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22071
22072 - if (is_kernel_text(addr))
22073 + if (is_kernel_text(address, address + PAGE_SIZE))
22074 prot = PAGE_KERNEL_EXEC;
22075
22076 pages_4k++;
22077 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
22078
22079 pud = pud_offset(pgd, va);
22080 pmd = pmd_offset(pud, va);
22081 - if (!pmd_present(*pmd))
22082 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22083 break;
22084
22085 pte = pte_offset_kernel(pmd, va);
22086 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
22087
22088 static void __init pagetable_init(void)
22089 {
22090 - pgd_t *pgd_base = swapper_pg_dir;
22091 -
22092 - permanent_kmaps_init(pgd_base);
22093 + permanent_kmaps_init(swapper_pg_dir);
22094 }
22095
22096 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22097 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22098 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22099
22100 /* user-defined highmem size */
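Review bot: Moving `__supported_pte_mask` to `__read_only` means any later assignment to it has to happen before that section is write-protected or inside `pax_open_kernel()`/`pax_close_kernel()`, and no writer is visible in this hunk to confirm that. The matching change in arch/x86/mm/init_64.c also removes `_PAGE_NX` from the initial mask, so on 64-bit NX stays masked out of every PTE until code outside these hunks sets the bit. A comment at each definition naming where the mask is finalised would help, e.g. `/* NX is added during boot once the CPU reports it; read-only afterwards */`, with the wording to be confirmed against that code.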
22101 @@ -754,6 +753,12 @@ void __init mem_init(void)
22102
22103 pci_iommu_alloc();
22104
22105 +#ifdef CONFIG_PAX_PER_CPU_PGD
22106 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22107 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22108 + KERNEL_PGD_PTRS);
22109 +#endif
22110 +
22111 #ifdef CONFIG_FLATMEM
22112 BUG_ON(!mem_map);
22113 #endif
22114 @@ -771,7 +776,7 @@ void __init mem_init(void)
22115 set_highmem_pages_init();
22116
22117 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22118 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22119 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22120 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22121
22122 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22123 @@ -812,10 +817,10 @@ void __init mem_init(void)
22124 ((unsigned long)&__init_end -
22125 (unsigned long)&__init_begin) >> 10,
22126
22127 - (unsigned long)&_etext, (unsigned long)&_edata,
22128 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22129 + (unsigned long)&_sdata, (unsigned long)&_edata,
22130 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22131
22132 - (unsigned long)&_text, (unsigned long)&_etext,
22133 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22134 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22135
22136 /*
22137 @@ -893,6 +898,7 @@ void set_kernel_text_rw(void)
22138 if (!kernel_set_to_readonly)
22139 return;
22140
22141 + start = ktla_ktva(start);
22142 pr_debug("Set kernel text: %lx - %lx for read write\n",
22143 start, start+size);
22144
22145 @@ -907,6 +913,7 @@ void set_kernel_text_ro(void)
22146 if (!kernel_set_to_readonly)
22147 return;
22148
22149 + start = ktla_ktva(start);
22150 pr_debug("Set kernel text: %lx - %lx for read only\n",
22151 start, start+size);
22152
22153 @@ -935,6 +942,7 @@ void mark_rodata_ro(void)
22154 unsigned long start = PFN_ALIGN(_text);
22155 unsigned long size = PFN_ALIGN(_etext) - start;
22156
22157 + start = ktla_ktva(start);
22158 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22159 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22160 size >> 10);
22161 diff -urNp linux-2.6.39.1/arch/x86/mm/init_64.c linux-2.6.39.1/arch/x86/mm/init_64.c
22162 --- linux-2.6.39.1/arch/x86/mm/init_64.c 2011-05-19 00:06:34.000000000 -0400
22163 +++ linux-2.6.39.1/arch/x86/mm/init_64.c 2011-05-22 19:36:30.000000000 -0400
22164 @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpa
22165 * around without checking the pgd every time.
22166 */
22167
22168 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
22169 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
22170 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22171
22172 int force_personality32;
22173 @@ -107,12 +107,22 @@ void sync_global_pgds(unsigned long star
22174
22175 for (address = start; address <= end; address += PGDIR_SIZE) {
22176 const pgd_t *pgd_ref = pgd_offset_k(address);
22177 +
22178 +#ifdef CONFIG_PAX_PER_CPU_PGD
22179 + unsigned long cpu;
22180 +#else
22181 struct page *page;
22182 +#endif
22183
22184 if (pgd_none(*pgd_ref))
22185 continue;
22186
22187 spin_lock(&pgd_lock);
22188 +
22189 +#ifdef CONFIG_PAX_PER_CPU_PGD
22190 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22191 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22192 +#else
22193 list_for_each_entry(page, &pgd_list, lru) {
22194 pgd_t *pgd;
22195 spinlock_t *pgt_lock;
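Review bot: The CONFIG_PAX_PER_CPU_PGD path walks `cpu` from 0 to `NR_CPUS - 1` and dereferences `pgd_offset_cpu(cpu, address)` for every index, including CPUs that may never be present; whether each slot is backed by a valid pgd is not visible from this hunk. If the per-CPU pgds are statically allocated the loop is safe and a comment should say so, e.g. `/* cpu pgds exist for all NR_CPUS slots */`; otherwise `for_each_possible_cpu(cpu)` is the usual iterator. The same `NR_CPUS` loop appears in `__set_pmd_pte()` in arch/x86/mm/pageattr.c and, over the GDT tables, in `free_initmem()` in arch/x86/mm/init.c. The loop's opening brace is also selected by `#ifdef` while the closing brace is shared, which is easy to unbalance in later edits. `sync_global_pgds()` continues in the following hunks.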
22196 @@ -121,6 +131,7 @@ void sync_global_pgds(unsigned long star
22197 /* the pgt_lock only for Xen */
22198 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
22199 spin_lock(pgt_lock);
22200 +#endif
22201
22202 if (pgd_none(*pgd))
22203 set_pgd(pgd, *pgd_ref);
22204 @@ -128,7 +139,10 @@ void sync_global_pgds(unsigned long star
22205 BUG_ON(pgd_page_vaddr(*pgd)
22206 != pgd_page_vaddr(*pgd_ref));
22207
22208 +#ifndef CONFIG_PAX_PER_CPU_PGD
22209 spin_unlock(pgt_lock);
22210 +#endif
22211 +
22212 }
22213 spin_unlock(&pgd_lock);
22214 }
22215 @@ -202,7 +216,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22216 pmd = fill_pmd(pud, vaddr);
22217 pte = fill_pte(pmd, vaddr);
22218
22219 + pax_open_kernel();
22220 set_pte(pte, new_pte);
22221 + pax_close_kernel();
22222
22223 /*
22224 * It's enough to flush this one mapping.
22225 @@ -261,14 +277,12 @@ static void __init __init_extra_mapping(
22226 pgd = pgd_offset_k((unsigned long)__va(phys));
22227 if (pgd_none(*pgd)) {
22228 pud = (pud_t *) spp_getpage();
22229 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22230 - _PAGE_USER));
22231 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22232 }
22233 pud = pud_offset(pgd, (unsigned long)__va(phys));
22234 if (pud_none(*pud)) {
22235 pmd = (pmd_t *) spp_getpage();
22236 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22237 - _PAGE_USER));
22238 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22239 }
22240 pmd = pmd_offset(pud, phys);
22241 BUG_ON(!pmd_none(*pmd));
22242 @@ -698,6 +712,12 @@ void __init mem_init(void)
22243
22244 pci_iommu_alloc();
22245
22246 +#ifdef CONFIG_PAX_PER_CPU_PGD
22247 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22248 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22249 + KERNEL_PGD_PTRS);
22250 +#endif
22251 +
22252 /* clear_bss() already clear the empty_zero_page */
22253
22254 reservedpages = 0;
22255 @@ -858,8 +878,8 @@ int kern_addr_valid(unsigned long addr)
22256 static struct vm_area_struct gate_vma = {
22257 .vm_start = VSYSCALL_START,
22258 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22259 - .vm_page_prot = PAGE_READONLY_EXEC,
22260 - .vm_flags = VM_READ | VM_EXEC
22261 + .vm_page_prot = PAGE_READONLY,
22262 + .vm_flags = VM_READ
22263 };
22264
22265 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
22266 @@ -893,7 +913,7 @@ int in_gate_area_no_mm(unsigned long add
22267
22268 const char *arch_vma_name(struct vm_area_struct *vma)
22269 {
22270 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22271 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22272 return "[vdso]";
22273 if (vma == &gate_vma)
22274 return "[vsyscall]";
22275 diff -urNp linux-2.6.39.1/arch/x86/mm/init.c linux-2.6.39.1/arch/x86/mm/init.c
22276 --- linux-2.6.39.1/arch/x86/mm/init.c 2011-05-19 00:06:34.000000000 -0400
22277 +++ linux-2.6.39.1/arch/x86/mm/init.c 2011-06-07 19:41:11.000000000 -0400
22278 @@ -33,7 +33,7 @@ int direct_gbpages
22279 static void __init find_early_table_space(unsigned long end, int use_pse,
22280 int use_gbpages)
22281 {
22282 - unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
22283 + unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
22284 phys_addr_t base;
22285
22286 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
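Review bot: The new initial value `start = 0x100000` is an unexplained literal; it appears to keep the early page tables out of the first megabyte, but the hunk does not say why. A named constant or a short comment would document it, e.g. `/* never place early page tables below 1MB */`, with the intent to be confirmed since it is inferred here. `find_early_table_space()` continues beyond this hunk, so how `start` is consumed is not visible.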
22287 @@ -315,12 +315,34 @@ unsigned long __init_refok init_memory_m
22288 */
22289 int devmem_is_allowed(unsigned long pagenr)
22290 {
22291 - if (pagenr <= 256)
22292 +#ifdef CONFIG_GRKERNSEC_KMEM
22293 + /* allow BDA */
22294 + if (!pagenr)
22295 + return 1;
22296 + /* allow EBDA */
22297 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22298 + return 1;
22299 +#else
22300 + if (!pagenr)
22301 + return 1;
22302 +#ifdef CONFIG_VM86
22303 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
22304 + return 1;
22305 +#endif
22306 +#endif
22307 +
22308 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22309 return 1;
22310 +#ifdef CONFIG_GRKERNSEC_KMEM
22311 + /* throw out everything else below 1MB */
22312 + if (pagenr <= 256)
22313 + return 0;
22314 +#endif
22315 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22316 return 0;
22317 if (!page_is_ram(pagenr))
22318 return 1;
22319 +
22320 return 0;
22321 }
22322
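Review bot: In the CONFIG_GRKERNSEC_KMEM branch the comment says `throw out everything else below 1MB`, but the test is `pagenr <= 256`, and page 256 is the page that starts at 1MB, so one more page is rejected than the comment describes. Either make the test `pagenr < 256` or reword the comment to `/* throw out everything else up to and including the page at 1MB */`, whichever is intended. The EBDA exception is hard-coded as `0x9f000 >> PAGE_SHIFT`, which opens exactly one page at a fixed address; if the firmware places the EBDA elsewhere, that page is exposed and the real one is not, so the assumption deserves a comment or a named constant. The `!pagenr` test is repeated in both arms of the `#ifdef`/`#else` and could be hoisted above it.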
22323 @@ -375,6 +397,86 @@ void free_init_pages(char *what, unsigne
22324
22325 void free_initmem(void)
22326 {
22327 +
22328 +#ifdef CONFIG_PAX_KERNEXEC
22329 +#ifdef CONFIG_X86_32
22330 + /* PaX: limit KERNEL_CS to actual size */
22331 + unsigned long addr, limit;
22332 + struct desc_struct d;
22333 + int cpu;
22334 +
22335 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22336 + limit = (limit - 1UL) >> PAGE_SHIFT;
22337 +
22338 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22339 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22340 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22341 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22342 + }
22343 +
22344 + /* PaX: make KERNEL_CS read-only */
22345 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22346 + if (!paravirt_enabled())
22347 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22348 +/*
22349 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22350 + pgd = pgd_offset_k(addr);
22351 + pud = pud_offset(pgd, addr);
22352 + pmd = pmd_offset(pud, addr);
22353 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22354 + }
22355 +*/
22356 +#ifdef CONFIG_X86_PAE
22357 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22358 +/*
22359 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22360 + pgd = pgd_offset_k(addr);
22361 + pud = pud_offset(pgd, addr);
22362 + pmd = pmd_offset(pud, addr);
22363 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22364 + }
22365 +*/
22366 +#endif
22367 +
22368 +#ifdef CONFIG_MODULES
22369 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22370 +#endif
22371 +
22372 +#else
22373 + pgd_t *pgd;
22374 + pud_t *pud;
22375 + pmd_t *pmd;
22376 + unsigned long addr, end;
22377 +
22378 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22379 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22380 + pgd = pgd_offset_k(addr);
22381 + pud = pud_offset(pgd, addr);
22382 + pmd = pmd_offset(pud, addr);
22383 + if (!pmd_present(*pmd))
22384 + continue;
22385 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22386 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22387 + else
22388 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22389 + }
22390 +
22391 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22392 + end = addr + KERNEL_IMAGE_SIZE;
22393 + for (; addr < end; addr += PMD_SIZE) {
22394 + pgd = pgd_offset_k(addr);
22395 + pud = pud_offset(pgd, addr);
22396 + pmd = pmd_offset(pud, addr);
22397 + if (!pmd_present(*pmd))
22398 + continue;
22399 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22400 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22401 + }
22402 +#endif
22403 +
22404 + flush_tlb_all();
22405 +#endif
22406 +
22407 free_init_pages("unused kernel memory",
22408 (unsigned long)(&__init_begin),
22409 (unsigned long)(&__init_end));
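Review bot: In the 32-bit CONFIG_PAX_KERNEXEC branch, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` passes what looks like an integer expression as the destination; unless those macros already yield a pointer (their definitions are outside this hunk) it needs a cast, `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`. The two `/* ... */` blocks of disabled `set_pmd` loops are dead code and should be deleted rather than carried in the patch. In the 64-bit branch the read-only versus NX decision is made per PMD from its start address only (`_text <= addr && addr < _sdata`), which assumes `_text` and `_sdata` are PMD-aligned; a comment stating that requirement would make the assumption explicit. The function continues past the end of the hunk.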
22410 diff -urNp linux-2.6.39.1/arch/x86/mm/iomap_32.c linux-2.6.39.1/arch/x86/mm/iomap_32.c
22411 --- linux-2.6.39.1/arch/x86/mm/iomap_32.c 2011-05-19 00:06:34.000000000 -0400
22412 +++ linux-2.6.39.1/arch/x86/mm/iomap_32.c 2011-05-22 19:36:30.000000000 -0400
22413 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22414 type = kmap_atomic_idx_push();
22415 idx = type + KM_TYPE_NR * smp_processor_id();
22416 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22417 +
22418 + pax_open_kernel();
22419 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22420 + pax_close_kernel();
22421 +
22422 arch_flush_lazy_mmu_mode();
22423
22424 return (void *)vaddr;
22425 diff -urNp linux-2.6.39.1/arch/x86/mm/ioremap.c linux-2.6.39.1/arch/x86/mm/ioremap.c
22426 --- linux-2.6.39.1/arch/x86/mm/ioremap.c 2011-05-19 00:06:34.000000000 -0400
22427 +++ linux-2.6.39.1/arch/x86/mm/ioremap.c 2011-05-22 19:36:30.000000000 -0400
22428 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
22429 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
22430 int is_ram = page_is_ram(pfn);
22431
22432 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22433 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22434 return NULL;
22435 WARN_ON_ONCE(is_ram);
22436 }
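Review bot: The added `pfn >= 0x100` term makes this loop return NULL for every valid RAM page from 1MB upward, reserved or not, and keeps the old `PageReserved` exemption only below that boundary; the literal carries no explanation. A comment such as `/* only reserved RAM below 1MB may be ioremapped */` or a named constant for the boundary would document the policy. The enclosing `__ioremap_caller()` starts and ends outside the hunk.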
22437 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
22438 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22439
22440 static __initdata int after_paging_init;
22441 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22442 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22443
22444 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22445 {
22446 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
22447 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22448
22449 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22450 - memset(bm_pte, 0, sizeof(bm_pte));
22451 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22452 + pmd_populate_user(&init_mm, pmd, bm_pte);
22453
22454 /*
22455 * The boot-ioremap range spans multiple pmds, for which
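Review bot: `early_ioremap_init()` now installs `bm_pte` with `pmd_populate_user()` although the table belongs to `init_mm` and the fixmap range; the hunk gives no reason for choosing the user variant, and its definition is not visible here. If it is used for the page-table flags it sets, that should be stated in a comment next to the call. Dropping `memset(bm_pte, 0, sizeof(bm_pte))` is consistent with `bm_pte` having static storage and now living in a `__read_only` section, but it makes the zero state depend on nothing having written the table earlier in boot, which is worth a short comment. The function body extends beyond the hunk.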
22456 diff -urNp linux-2.6.39.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.39.1/arch/x86/mm/kmemcheck/kmemcheck.c
22457 --- linux-2.6.39.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-19 00:06:34.000000000 -0400
22458 +++ linux-2.6.39.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-22 19:36:30.000000000 -0400
22459 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22460 * memory (e.g. tracked pages)? For now, we need this to avoid
22461 * invoking kmemcheck for PnP BIOS calls.
22462 */
22463 - if (regs->flags & X86_VM_MASK)
22464 + if (v8086_mode(regs))
22465 return false;
22466 - if (regs->cs != __KERNEL_CS)
22467 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22468 return false;
22469
22470 pte = kmemcheck_pte_lookup(address);
22471 diff -urNp linux-2.6.39.1/arch/x86/mm/mmap.c linux-2.6.39.1/arch/x86/mm/mmap.c
22472 --- linux-2.6.39.1/arch/x86/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
22473 +++ linux-2.6.39.1/arch/x86/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
22474 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22475 * Leave an at least ~128 MB hole with possible stack randomization.
22476 */
22477 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22478 -#define MAX_GAP (TASK_SIZE/6*5)
22479 +#define MAX_GAP (pax_task_size/6*5)
22480
22481 /*
22482 * True on X86_32 or when emulating IA32 on X86_64
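Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, and `pax_task_size` is neither a macro nor a global but a local variable declared inside `mmap_base()` in the next hunk, so the macro only compiles where a variable of that exact name is in scope. Making the dependency explicit is safer: `#define MAX_GAP(size) ((size)/6*5)` with `gap > MAX_GAP(pax_task_size)` at the use site. At minimum the define should carry a comment saying that it requires a local `pax_task_size`.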
22483 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22484 return rnd << PAGE_SHIFT;
22485 }
22486
22487 -static unsigned long mmap_base(void)
22488 +static unsigned long mmap_base(struct mm_struct *mm)
22489 {
22490 unsigned long gap = rlimit(RLIMIT_STACK);
22491 + unsigned long pax_task_size = TASK_SIZE;
22492 +
22493 +#ifdef CONFIG_PAX_SEGMEXEC
22494 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22495 + pax_task_size = SEGMEXEC_TASK_SIZE;
22496 +#endif
22497
22498 if (gap < MIN_GAP)
22499 gap = MIN_GAP;
22500 else if (gap > MAX_GAP)
22501 gap = MAX_GAP;
22502
22503 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22504 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22505 }
22506
22507 /*
22508 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22509 * does, but not when emulating X86_32
22510 */
22511 -static unsigned long mmap_legacy_base(void)
22512 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22513 {
22514 - if (mmap_is_ia32())
22515 + if (mmap_is_ia32()) {
22516 +
22517 +#ifdef CONFIG_PAX_SEGMEXEC
22518 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22519 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22520 + else
22521 +#endif
22522 +
22523 return TASK_UNMAPPED_BASE;
22524 - else
22525 + } else
22526 return TASK_UNMAPPED_BASE + mmap_rnd();
22527 }
22528
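Review bot: In `mmap_legacy_base()` the CONFIG_PAX_SEGMEXEC block ends in a bare `else` whose statement is the `return TASK_UNMAPPED_BASE;` that follows `#endif`; it works, but the control flow is split across the preprocessor boundary and the indentation no longer reflects it. An early return avoids the dangling `else`: keep `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` inside the `#ifdef` and follow it with an unconditional `return TASK_UNMAPPED_BASE;`. Both helpers now dereference `mm` without a comment stating that callers must pass a valid mm; `arch_pick_mmap_layout()` is the only caller visible here.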
22529 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22530 void arch_pick_mmap_layout(struct mm_struct *mm)
22531 {
22532 if (mmap_is_legacy()) {
22533 - mm->mmap_base = mmap_legacy_base();
22534 + mm->mmap_base = mmap_legacy_base(mm);
22535 +
22536 +#ifdef CONFIG_PAX_RANDMMAP
22537 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22538 + mm->mmap_base += mm->delta_mmap;
22539 +#endif
22540 +
22541 mm->get_unmapped_area = arch_get_unmapped_area;
22542 mm->unmap_area = arch_unmap_area;
22543 } else {
22544 - mm->mmap_base = mmap_base();
22545 + mm->mmap_base = mmap_base(mm);
22546 +
22547 +#ifdef CONFIG_PAX_RANDMMAP
22548 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22549 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22550 +#endif
22551 +
22552 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22553 mm->unmap_area = arch_unmap_area_topdown;
22554 }
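Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack` subtracts two per-process offsets from a base that `mmap_base()` has already lowered by the stack gap (up to `MAX_GAP`) and by `mmap_rnd()`, and the result is stored without a lower-bound check. Whether the largest deltas can push the base too low or wrap the unsigned value depends on their ranges, which are set outside this hunk. A comment stating the bound that makes this safe would help, or the result could be compared against a floor before it is stored. The function's closing lines are outside the hunk.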
22555 diff -urNp linux-2.6.39.1/arch/x86/mm/mmio-mod.c linux-2.6.39.1/arch/x86/mm/mmio-mod.c
22556 --- linux-2.6.39.1/arch/x86/mm/mmio-mod.c 2011-05-19 00:06:34.000000000 -0400
22557 +++ linux-2.6.39.1/arch/x86/mm/mmio-mod.c 2011-05-22 19:36:30.000000000 -0400
22558 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
22559 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22560 void __iomem *addr)
22561 {
22562 - static atomic_t next_id;
22563 + static atomic_unchecked_t next_id;
22564 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22565 /* These are page-unaligned. */
22566 struct mmiotrace_map map = {
22567 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
22568 .private = trace
22569 },
22570 .phys = offset,
22571 - .id = atomic_inc_return(&next_id)
22572 + .id = atomic_inc_return_unchecked(&next_id)
22573 };
22574 map.map_id = trace->id;
22575
22576 diff -urNp linux-2.6.39.1/arch/x86/mm/numa_32.c linux-2.6.39.1/arch/x86/mm/numa_32.c
22577 --- linux-2.6.39.1/arch/x86/mm/numa_32.c 2011-05-19 00:06:34.000000000 -0400
22578 +++ linux-2.6.39.1/arch/x86/mm/numa_32.c 2011-05-22 19:36:30.000000000 -0400
22579 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
22580 }
22581 #endif
22582
22583 -extern unsigned long find_max_low_pfn(void);
22584 extern unsigned long highend_pfn, highstart_pfn;
22585
22586 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22587 diff -urNp linux-2.6.39.1/arch/x86/mm/pageattr.c linux-2.6.39.1/arch/x86/mm/pageattr.c
22588 --- linux-2.6.39.1/arch/x86/mm/pageattr.c 2011-05-19 00:06:34.000000000 -0400
22589 +++ linux-2.6.39.1/arch/x86/mm/pageattr.c 2011-05-22 19:36:30.000000000 -0400
22590 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
22591 */
22592 #ifdef CONFIG_PCI_BIOS
22593 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22594 - pgprot_val(forbidden) |= _PAGE_NX;
22595 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22596 #endif
22597
22598 /*
22599 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
22600 * Does not cover __inittext since that is gone later on. On
22601 * 64bit we do not enforce !NX on the low mapping
22602 */
22603 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22604 - pgprot_val(forbidden) |= _PAGE_NX;
22605 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22606 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22607
22608 +#ifdef CONFIG_DEBUG_RODATA
22609 /*
22610 * The .rodata section needs to be read-only. Using the pfn
22611 * catches all aliases.
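Review bot: Wrapping the `.rodata` check in `#ifdef CONFIG_DEBUG_RODATA` (the `#endif` is in the next hunk) means `static_protections()` no longer forbids `_PAGE_RW` on `.rodata` aliases when that option is off, whereas the rule applied unconditionally before. The CONFIG_PAX_KERNEXEC block added further down covers `_text` to `_sdata`, but a build with neither option set loses the protection unless Kconfig rules out that combination, which is not visible here. If that is intended, say so in a comment above the `#ifdef`; otherwise leave the check unconditional.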
22612 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
22613 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22614 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22615 pgprot_val(forbidden) |= _PAGE_RW;
22616 +#endif
22617
22618 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
22619 /*
22620 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
22621 }
22622 #endif
22623
22624 +#ifdef CONFIG_PAX_KERNEXEC
22625 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22626 + pgprot_val(forbidden) |= _PAGE_RW;
22627 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22628 + }
22629 +#endif
22630 +
22631 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22632
22633 return prot;
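Review bot: The new CONFIG_PAX_KERNEXEC test compares a page frame number with byte addresses: `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` omits the `>> PAGE_SHIFT` that the `.rodata` check just above applies to both bounds. As written the range is in the wrong units, so the pfns of the kernel image would not fall inside it and the rule would not be applied to them. The bounds should be shifted: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. The block also adds `_PAGE_NX` to `forbidden`, which keeps NX from being set anywhere in that range; a comment saying this is deliberate would help. `static_protections()` starts before this hunk.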
22634 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22635 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22636 {
22637 /* change init_mm */
22638 + pax_open_kernel();
22639 set_pte_atomic(kpte, pte);
22640 +
22641 #ifdef CONFIG_X86_32
22642 if (!SHARED_KERNEL_PMD) {
22643 +
22644 +#ifdef CONFIG_PAX_PER_CPU_PGD
22645 + unsigned long cpu;
22646 +#else
22647 struct page *page;
22648 +#endif
22649
22650 +#ifdef CONFIG_PAX_PER_CPU_PGD
22651 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22652 + pgd_t *pgd = get_cpu_pgd(cpu);
22653 +#else
22654 list_for_each_entry(page, &pgd_list, lru) {
22655 - pgd_t *pgd;
22656 + pgd_t *pgd = (pgd_t *)page_address(page);
22657 +#endif
22658 +
22659 pud_t *pud;
22660 pmd_t *pmd;
22661
22662 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22663 + pgd += pgd_index(address);
22664 pud = pud_offset(pgd, address);
22665 pmd = pmd_offset(pud, address);
22666 set_pte_atomic((pte_t *)pmd, pte);
22667 }
22668 }
22669 #endif
22670 + pax_close_kernel();
22671 }
22672
22673 static int
22674 diff -urNp linux-2.6.39.1/arch/x86/mm/pageattr-test.c linux-2.6.39.1/arch/x86/mm/pageattr-test.c
22675 --- linux-2.6.39.1/arch/x86/mm/pageattr-test.c 2011-05-19 00:06:34.000000000 -0400
22676 +++ linux-2.6.39.1/arch/x86/mm/pageattr-test.c 2011-05-22 19:36:30.000000000 -0400
22677 @@ -36,7 +36,7 @@ enum {
22678
22679 static int pte_testbit(pte_t pte)
22680 {
22681 - return pte_flags(pte) & _PAGE_UNUSED1;
22682 + return pte_flags(pte) & _PAGE_CPA_TEST;
22683 }
22684
22685 struct split_state {
22686 diff -urNp linux-2.6.39.1/arch/x86/mm/pat.c linux-2.6.39.1/arch/x86/mm/pat.c
22687 --- linux-2.6.39.1/arch/x86/mm/pat.c 2011-05-19 00:06:34.000000000 -0400
22688 +++ linux-2.6.39.1/arch/x86/mm/pat.c 2011-05-22 19:36:30.000000000 -0400
22689 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
22690
22691 if (!entry) {
22692 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
22693 - current->comm, current->pid, start, end);
22694 + current->comm, task_pid_nr(current), start, end);
22695 return -EINVAL;
22696 }
22697
22698 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
22699 while (cursor < to) {
22700 if (!devmem_is_allowed(pfn)) {
22701 printk(KERN_INFO
22702 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
22703 - current->comm, from, to);
22704 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
22705 + current->comm, from, to, cursor);
22706 return 0;
22707 }
22708 cursor += PAGE_SIZE;
22709 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
22710 printk(KERN_INFO
22711 "%s:%d ioremap_change_attr failed %s "
22712 "for %Lx-%Lx\n",
22713 - current->comm, current->pid,
22714 + current->comm, task_pid_nr(current),
22715 cattr_name(flags),
22716 base, (unsigned long long)(base + size));
22717 return -EINVAL;
22718 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
22719 if (want_flags != flags) {
22720 printk(KERN_WARNING
22721 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
22722 - current->comm, current->pid,
22723 + current->comm, task_pid_nr(current),
22724 cattr_name(want_flags),
22725 (unsigned long long)paddr,
22726 (unsigned long long)(paddr + size),
22727 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
22728 free_memtype(paddr, paddr + size);
22729 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
22730 " for %Lx-%Lx, got %s\n",
22731 - current->comm, current->pid,
22732 + current->comm, task_pid_nr(current),
22733 cattr_name(want_flags),
22734 (unsigned long long)paddr,
22735 (unsigned long long)(paddr + size),
22736 diff -urNp linux-2.6.39.1/arch/x86/mm/pgtable_32.c linux-2.6.39.1/arch/x86/mm/pgtable_32.c
22737 --- linux-2.6.39.1/arch/x86/mm/pgtable_32.c 2011-05-19 00:06:34.000000000 -0400
22738 +++ linux-2.6.39.1/arch/x86/mm/pgtable_32.c 2011-05-22 19:36:30.000000000 -0400
22739 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
22740 return;
22741 }
22742 pte = pte_offset_kernel(pmd, vaddr);
22743 +
22744 + pax_open_kernel();
22745 if (pte_val(pteval))
22746 set_pte_at(&init_mm, vaddr, pte, pteval);
22747 else
22748 pte_clear(&init_mm, vaddr, pte);
22749 + pax_close_kernel();
22750
22751 /*
22752 * It's enough to flush this one mapping.
22753 diff -urNp linux-2.6.39.1/arch/x86/mm/pgtable.c linux-2.6.39.1/arch/x86/mm/pgtable.c
22754 --- linux-2.6.39.1/arch/x86/mm/pgtable.c 2011-05-19 00:06:34.000000000 -0400
22755 +++ linux-2.6.39.1/arch/x86/mm/pgtable.c 2011-05-22 19:36:30.000000000 -0400
22756 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
22757 list_del(&page->lru);
22758 }
22759
22760 -#define UNSHARED_PTRS_PER_PGD \
22761 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22762 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22763 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
22764
22765 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22766 +{
22767 + while (count--)
22768 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
22769 +}
22770 +#endif
22771 +
22772 +#ifdef CONFIG_PAX_PER_CPU_PGD
22773 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22774 +{
22775 + while (count--)
22776 +
22777 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22778 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
22779 +#else
22780 + *dst++ = *src++;
22781 +#endif
22782
22783 +}
22784 +#endif
22785 +
22786 +#ifdef CONFIG_X86_64
22787 +#define pxd_t pud_t
22788 +#define pyd_t pgd_t
22789 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
22790 +#define pxd_free(mm, pud) pud_free((mm), (pud))
22791 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
22792 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
22793 +#define PYD_SIZE PGDIR_SIZE
22794 +#else
22795 +#define pxd_t pmd_t
22796 +#define pyd_t pud_t
22797 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
22798 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
22799 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
22800 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
22801 +#define PYD_SIZE PUD_SIZE
22802 +#endif
22803 +
22804 +#ifdef CONFIG_PAX_PER_CPU_PGD
22805 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
22806 +static inline void pgd_dtor(pgd_t *pgd) {}
22807 +#else
22808 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
22809 {
22810 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
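Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop with `while (count--)`, so a negative count would keep writing pgd entries far past `dst`; an `unsigned int` parameter or an early `if (count <= 0) return;` rules that out, though changing the type also touches the prototypes, which are outside this hunk. In `__clone_user_pgds()` the loop body is chosen by `#if` with no braces around it, which is easy to break when editing. Neither function nor `clone_pgd_mask` has a comment; `__shadow_user_pgds()` in particular should state that it copies entries with `_PAGE_USER` cleared and NX set where supported. The `pxd_free(mm, pud)` and `pyd_populate(mm, pgd, pud)` macros keep the 64-bit parameter names in the 32-bit arm, where they wrap the pmd and pud functions.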
22811 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
22812 pgd_list_del(pgd);
22813 spin_unlock(&pgd_lock);
22814 }
22815 +#endif
22816
22817 /*
22818 * List of all pgd's needed for non-PAE so it can invalidate entries
22819 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
22820 * -- wli
22821 */
22822
22823 -#ifdef CONFIG_X86_PAE
22824 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
22825 /*
22826 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
22827 * updating the top-level pagetable entries to guarantee the
22828 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
22829 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
22830 * and initialize the kernel pmds here.
22831 */
22832 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
22833 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22834
22835 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
22836 {
22837 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
22838 */
22839 flush_tlb_mm(mm);
22840 }
22841 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
22842 +#define PREALLOCATED_PXDS USER_PGD_PTRS
22843 #else /* !CONFIG_X86_PAE */
22844
22845 /* No need to prepopulate any pagetable entries in non-PAE modes. */
22846 -#define PREALLOCATED_PMDS 0
22847 +#define PREALLOCATED_PXDS 0
22848
22849 #endif /* CONFIG_X86_PAE */
22850
22851 -static void free_pmds(pmd_t *pmds[])
22852 +static void free_pxds(pxd_t *pxds[])
22853 {
22854 int i;
22855
22856 - for(i = 0; i < PREALLOCATED_PMDS; i++)
22857 - if (pmds[i])
22858 - free_page((unsigned long)pmds[i]);
22859 + for(i = 0; i < PREALLOCATED_PXDS; i++)
22860 + if (pxds[i])
22861 + free_page((unsigned long)pxds[i]);
22862 }
22863
22864 -static int preallocate_pmds(pmd_t *pmds[])
22865 +static int preallocate_pxds(pxd_t *pxds[])
22866 {
22867 int i;
22868 bool failed = false;
22869
22870 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22871 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
22872 - if (pmd == NULL)
22873 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22874 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
22875 + if (pxd == NULL)
22876 failed = true;
22877 - pmds[i] = pmd;
22878 + pxds[i] = pxd;
22879 }
22880
22881 if (failed) {
22882 - free_pmds(pmds);
22883 + free_pxds(pxds);
22884 return -ENOMEM;
22885 }
22886
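Review bot: The `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` trailers in this hunk no longer describe the conditional they close. The opening test became `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` in the earlier hunk, and this hunk adds an `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm, so the `#else` branch now also covers x86_64 builds without per-CPU PGDs. I would change the trailers to `#else /* nothing to preallocate */` and `#endif /* PREALLOCATED_PXDS */`. A comment above the new `#elif` saying why USER_PGD_PTRS tables are preallocated would also help, since the existing comment block speaks only about PAE.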
22887 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
22888 * preallocate which never got a corresponding vma will need to be
22889 * freed manually.
22890 */
22891 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
22892 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
22893 {
22894 int i;
22895
22896 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22897 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22898 pgd_t pgd = pgdp[i];
22899
22900 if (pgd_val(pgd) != 0) {
22901 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
22902 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
22903
22904 - pgdp[i] = native_make_pgd(0);
22905 + set_pgd(pgdp + i, native_make_pgd(0));
22906
22907 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
22908 - pmd_free(mm, pmd);
22909 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
22910 + pxd_free(mm, pxd);
22911 }
22912 }
22913 }
22914
22915 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
22916 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
22917 {
22918 - pud_t *pud;
22919 + pyd_t *pyd;
22920 unsigned long addr;
22921 int i;
22922
22923 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
22924 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
22925 return;
22926
22927 - pud = pud_offset(pgd, 0);
22928 +#ifdef CONFIG_X86_64
22929 + pyd = pyd_offset(mm, 0L);
22930 +#else
22931 + pyd = pyd_offset(pgd, 0L);
22932 +#endif
22933
22934 - for (addr = i = 0; i < PREALLOCATED_PMDS;
22935 - i++, pud++, addr += PUD_SIZE) {
22936 - pmd_t *pmd = pmds[i];
22937 + for (addr = i = 0; i < PREALLOCATED_PXDS;
22938 + i++, pyd++, addr += PYD_SIZE) {
22939 + pxd_t *pxd = pxds[i];
22940
22941 if (i >= KERNEL_PGD_BOUNDARY)
22942 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22943 - sizeof(pmd_t) * PTRS_PER_PMD);
22944 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22945 + sizeof(pxd_t) * PTRS_PER_PMD);
22946
22947 - pud_populate(mm, pud, pmd);
22948 + pyd_populate(mm, pyd, pxd);
22949 }
22950 }
22951
22952 pgd_t *pgd_alloc(struct mm_struct *mm)
22953 {
22954 pgd_t *pgd;
22955 - pmd_t *pmds[PREALLOCATED_PMDS];
22956 + pxd_t *pxds[PREALLOCATED_PXDS];
22957
22958 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
22959
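Review bot: In pgd_prepopulate_pxd the `memcpy` length is still `sizeof(pxd_t) * PTRS_PER_PMD`, although `pxd_t` is `pud_t` when CONFIG_X86_64 is set. As far as I know both levels have the same entry count on x86_64, and the `i >= KERNEL_PGD_BOUNDARY` guard may never fire in the USER_PGD_PTRS case, so this is probably harmless today, but the size should follow the type. I would add `#define PTRS_PER_PXD PTRS_PER_PUD` and `#define PTRS_PER_PXD PTRS_PER_PMD` to the two pxd/pyd macro groups and write `sizeof(pxd_t) * PTRS_PER_PXD` here. pgd_alloc, which begins at the end of this hunk, continues outside it.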
22960 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22961
22962 mm->pgd = pgd;
22963
22964 - if (preallocate_pmds(pmds) != 0)
22965 + if (preallocate_pxds(pxds) != 0)
22966 goto out_free_pgd;
22967
22968 if (paravirt_pgd_alloc(mm) != 0)
22969 - goto out_free_pmds;
22970 + goto out_free_pxds;
22971
22972 /*
22973 * Make sure that pre-populating the pmds is atomic with
22974 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22975 spin_lock(&pgd_lock);
22976
22977 pgd_ctor(mm, pgd);
22978 - pgd_prepopulate_pmd(mm, pgd, pmds);
22979 + pgd_prepopulate_pxd(mm, pgd, pxds);
22980
22981 spin_unlock(&pgd_lock);
22982
22983 return pgd;
22984
22985 -out_free_pmds:
22986 - free_pmds(pmds);
22987 +out_free_pxds:
22988 + free_pxds(pxds);
22989 out_free_pgd:
22990 free_page((unsigned long)pgd);
22991 out:
22992 @@ -295,7 +344,7 @@ out:
22993
22994 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
22995 {
22996 - pgd_mop_up_pmds(mm, pgd);
22997 + pgd_mop_up_pxds(mm, pgd);
22998 pgd_dtor(pgd);
22999 paravirt_pgd_free(mm, pgd);
23000 free_page((unsigned long)pgd);
23001 diff -urNp linux-2.6.39.1/arch/x86/mm/setup_nx.c linux-2.6.39.1/arch/x86/mm/setup_nx.c
23002 --- linux-2.6.39.1/arch/x86/mm/setup_nx.c 2011-05-19 00:06:34.000000000 -0400
23003 +++ linux-2.6.39.1/arch/x86/mm/setup_nx.c 2011-05-22 19:36:30.000000000 -0400
23004 @@ -5,8 +5,10 @@
23005 #include <asm/pgtable.h>
23006 #include <asm/proto.h>
23007
23008 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23009 static int disable_nx __cpuinitdata;
23010
23011 +#ifndef CONFIG_PAX_PAGEEXEC
23012 /*
23013 * noexec = on|off
23014 *
23015 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
23016 return 0;
23017 }
23018 early_param("noexec", noexec_setup);
23019 +#endif
23020 +
23021 +#endif
23022
23023 void __cpuinit x86_configure_nx(void)
23024 {
23025 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23026 if (cpu_has_nx && !disable_nx)
23027 __supported_pte_mask |= _PAGE_NX;
23028 else
23029 +#endif
23030 __supported_pte_mask &= ~_PAGE_NX;
23031 }
23032
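Review bot: In x86_configure_nx the `else` now sits inside the `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` block while the statement it governs sits after the `#endif`, so the function parses as two different statements depending on configuration. Bracing the NX branch and returning from it removes the dangling `else`: `if (cpu_has_nx && !disable_nx) { __supported_pte_mask |= _PAGE_NX; return; }`, then `#endif`, then the unconditional `__supported_pte_mask &= ~_PAGE_NX;`. Separately, with CONFIG_PAX_PAGEEXEC the `noexec=` handler is compiled out, so nothing in the lines shown ever writes `disable_nx`. A comment at its declaration such as `/* stays 0 under PAX_PAGEEXEC: NX cannot be switched off from the command line */` would make that intent explicit.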
23033 diff -urNp linux-2.6.39.1/arch/x86/mm/tlb.c linux-2.6.39.1/arch/x86/mm/tlb.c
23034 --- linux-2.6.39.1/arch/x86/mm/tlb.c 2011-05-19 00:06:34.000000000 -0400
23035 +++ linux-2.6.39.1/arch/x86/mm/tlb.c 2011-05-22 19:36:30.000000000 -0400
23036 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
23037 BUG();
23038 cpumask_clear_cpu(cpu,
23039 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23040 +
23041 +#ifndef CONFIG_PAX_PER_CPU_PGD
23042 load_cr3(swapper_pg_dir);
23043 +#endif
23044 +
23045 }
23046 EXPORT_SYMBOL_GPL(leave_mm);
23047
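Review bot: The hunk gives no reason why leave_mm may skip `load_cr3(swapper_pg_dir)` when CONFIG_PAX_PER_CPU_PGD is set. That reload is what stops the CPU from walking the departing mm's page tables, so the per-CPU PGD case needs some other guarantee that no user-level entries of that mm stay reachable through CR3 after this point. Whatever provides that guarantee is not visible here. I would put a comment inside the `#ifndef` naming the guarantee and where it is enforced, and drop the two added blank lines, the second of which leaves an empty line before the closing brace. leave_mm begins outside this hunk.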
23048 diff -urNp linux-2.6.39.1/arch/x86/oprofile/backtrace.c linux-2.6.39.1/arch/x86/oprofile/backtrace.c
23049 --- linux-2.6.39.1/arch/x86/oprofile/backtrace.c 2011-05-19 00:06:34.000000000 -0400
23050 +++ linux-2.6.39.1/arch/x86/oprofile/backtrace.c 2011-05-22 19:36:30.000000000 -0400
23051 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
23052 struct stack_frame_ia32 *fp;
23053
23054 /* Also check accessibility of one struct frame_head beyond */
23055 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23056 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23057 return NULL;
23058 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23059 return NULL;
23060 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
23061 {
23062 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
23063
23064 - if (!user_mode_vm(regs)) {
23065 + if (!user_mode(regs)) {
23066 unsigned long stack = kernel_stack_pointer(regs);
23067 if (depth)
23068 dump_trace(NULL, regs, (unsigned long *)stack, 0,
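Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in x86_backtrace is only equivalent if this patch also changes `user_mode()` itself. In the unpatched 2.6.39 headers the 32-bit `user_mode()` looks only at the CS privilege bits, while `user_mode_vm()` also treats vm86 frames as user mode, so a vm86 frame could be sent down the kernel-stack `dump_trace` path. The definition is outside this hunk. If it was redefined, a short comment here such as `/* user_mode() covers vm86 frames in this tree */` would save the next reader the lookup. x86_backtrace continues past the end of the hunk.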
23069 diff -urNp linux-2.6.39.1/arch/x86/pci/ce4100.c linux-2.6.39.1/arch/x86/pci/ce4100.c
23070 --- linux-2.6.39.1/arch/x86/pci/ce4100.c 2011-05-19 00:06:34.000000000 -0400
23071 +++ linux-2.6.39.1/arch/x86/pci/ce4100.c 2011-05-22 19:36:30.000000000 -0400
23072 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
23073 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
23074 }
23075
23076 -struct pci_raw_ops ce4100_pci_conf = {
23077 +const struct pci_raw_ops ce4100_pci_conf = {
23078 .read = ce4100_conf_read,
23079 .write = ce4100_conf_write,
23080 };
23081 diff -urNp linux-2.6.39.1/arch/x86/pci/common.c linux-2.6.39.1/arch/x86/pci/common.c
23082 --- linux-2.6.39.1/arch/x86/pci/common.c 2011-05-19 00:06:34.000000000 -0400
23083 +++ linux-2.6.39.1/arch/x86/pci/common.c 2011-05-22 19:36:30.000000000 -0400
23084 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
23085 int pcibios_last_bus = -1;
23086 unsigned long pirq_table_addr;
23087 struct pci_bus *pci_root_bus;
23088 -struct pci_raw_ops *raw_pci_ops;
23089 -struct pci_raw_ops *raw_pci_ext_ops;
23090 +const struct pci_raw_ops *raw_pci_ops;
23091 +const struct pci_raw_ops *raw_pci_ext_ops;
23092
23093 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23094 int reg, int len, u32 *val)
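Review bot: `const struct pci_raw_ops *raw_pci_ops` protects the table the pointer refers to, but the pointer variables `raw_pci_ops` and `raw_pci_ext_ops` themselves stay in writable data. If they are only assigned during boot (the assignments are not in this hunk), marking them the way pcbios.c marks `pci_indirect` later in this patch would close that gap: `const struct pci_raw_ops *raw_pci_ops __read_only;`. The same applies to `xen_pci_frontend` in the xen.c hunk.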
23095 diff -urNp linux-2.6.39.1/arch/x86/pci/direct.c linux-2.6.39.1/arch/x86/pci/direct.c
23096 --- linux-2.6.39.1/arch/x86/pci/direct.c 2011-05-19 00:06:34.000000000 -0400
23097 +++ linux-2.6.39.1/arch/x86/pci/direct.c 2011-05-22 19:36:30.000000000 -0400
23098 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23099
23100 #undef PCI_CONF1_ADDRESS
23101
23102 -struct pci_raw_ops pci_direct_conf1 = {
23103 +const struct pci_raw_ops pci_direct_conf1 = {
23104 .read = pci_conf1_read,
23105 .write = pci_conf1_write,
23106 };
23107 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23108
23109 #undef PCI_CONF2_ADDRESS
23110
23111 -struct pci_raw_ops pci_direct_conf2 = {
23112 +const struct pci_raw_ops pci_direct_conf2 = {
23113 .read = pci_conf2_read,
23114 .write = pci_conf2_write,
23115 };
23116 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23117 * This should be close to trivial, but it isn't, because there are buggy
23118 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23119 */
23120 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23121 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23122 {
23123 u32 x = 0;
23124 int year, devfn;
23125 diff -urNp linux-2.6.39.1/arch/x86/pci/fixup.c linux-2.6.39.1/arch/x86/pci/fixup.c
23126 --- linux-2.6.39.1/arch/x86/pci/fixup.c 2011-05-19 00:06:34.000000000 -0400
23127 +++ linux-2.6.39.1/arch/x86/pci/fixup.c 2011-05-22 19:36:30.000000000 -0400
23128 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
23129 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
23130 },
23131 },
23132 - { }
23133 + {}
23134 };
23135
23136 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
23137 diff -urNp linux-2.6.39.1/arch/x86/pci/mmconfig_32.c linux-2.6.39.1/arch/x86/pci/mmconfig_32.c
23138 --- linux-2.6.39.1/arch/x86/pci/mmconfig_32.c 2011-05-19 00:06:34.000000000 -0400
23139 +++ linux-2.6.39.1/arch/x86/pci/mmconfig_32.c 2011-05-22 19:36:30.000000000 -0400
23140 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
23141 return 0;
23142 }
23143
23144 -static struct pci_raw_ops pci_mmcfg = {
23145 +static const struct pci_raw_ops pci_mmcfg = {
23146 .read = pci_mmcfg_read,
23147 .write = pci_mmcfg_write,
23148 };
23149 diff -urNp linux-2.6.39.1/arch/x86/pci/mmconfig_64.c linux-2.6.39.1/arch/x86/pci/mmconfig_64.c
23150 --- linux-2.6.39.1/arch/x86/pci/mmconfig_64.c 2011-05-19 00:06:34.000000000 -0400
23151 +++ linux-2.6.39.1/arch/x86/pci/mmconfig_64.c 2011-05-22 19:36:30.000000000 -0400
23152 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
23153 return 0;
23154 }
23155
23156 -static struct pci_raw_ops pci_mmcfg = {
23157 +static const struct pci_raw_ops pci_mmcfg = {
23158 .read = pci_mmcfg_read,
23159 .write = pci_mmcfg_write,
23160 };
23161 diff -urNp linux-2.6.39.1/arch/x86/pci/mrst.c linux-2.6.39.1/arch/x86/pci/mrst.c
23162 --- linux-2.6.39.1/arch/x86/pci/mrst.c 2011-05-19 00:06:34.000000000 -0400
23163 +++ linux-2.6.39.1/arch/x86/pci/mrst.c 2011-05-22 19:36:30.000000000 -0400
23164 @@ -218,7 +218,7 @@ static int mrst_pci_irq_enable(struct pc
23165 return 0;
23166 }
23167
23168 -struct pci_ops pci_mrst_ops = {
23169 +const struct pci_ops pci_mrst_ops = {
23170 .read = pci_read,
23171 .write = pci_write,
23172 };
23173 diff -urNp linux-2.6.39.1/arch/x86/pci/numaq_32.c linux-2.6.39.1/arch/x86/pci/numaq_32.c
23174 --- linux-2.6.39.1/arch/x86/pci/numaq_32.c 2011-05-19 00:06:34.000000000 -0400
23175 +++ linux-2.6.39.1/arch/x86/pci/numaq_32.c 2011-05-22 19:36:30.000000000 -0400
23176 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
23177
23178 #undef PCI_CONF1_MQ_ADDRESS
23179
23180 -static struct pci_raw_ops pci_direct_conf1_mq = {
23181 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23182 .read = pci_conf1_mq_read,
23183 .write = pci_conf1_mq_write
23184 };
23185 diff -urNp linux-2.6.39.1/arch/x86/pci/olpc.c linux-2.6.39.1/arch/x86/pci/olpc.c
23186 --- linux-2.6.39.1/arch/x86/pci/olpc.c 2011-05-19 00:06:34.000000000 -0400
23187 +++ linux-2.6.39.1/arch/x86/pci/olpc.c 2011-05-22 19:36:30.000000000 -0400
23188 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23189 return 0;
23190 }
23191
23192 -static struct pci_raw_ops pci_olpc_conf = {
23193 +static const struct pci_raw_ops pci_olpc_conf = {
23194 .read = pci_olpc_read,
23195 .write = pci_olpc_write,
23196 };
23197 diff -urNp linux-2.6.39.1/arch/x86/pci/pcbios.c linux-2.6.39.1/arch/x86/pci/pcbios.c
23198 --- linux-2.6.39.1/arch/x86/pci/pcbios.c 2011-05-19 00:06:34.000000000 -0400
23199 +++ linux-2.6.39.1/arch/x86/pci/pcbios.c 2011-05-22 19:36:30.000000000 -0400
23200 @@ -79,50 +79,93 @@ union bios32 {
23201 static struct {
23202 unsigned long address;
23203 unsigned short segment;
23204 -} bios32_indirect = { 0, __KERNEL_CS };
23205 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23206
23207 /*
23208 * Returns the entry point for the given service, NULL on error
23209 */
23210
23211 -static unsigned long bios32_service(unsigned long service)
23212 +static unsigned long __devinit bios32_service(unsigned long service)
23213 {
23214 unsigned char return_code; /* %al */
23215 unsigned long address; /* %ebx */
23216 unsigned long length; /* %ecx */
23217 unsigned long entry; /* %edx */
23218 unsigned long flags;
23219 + struct desc_struct d, *gdt;
23220
23221 local_irq_save(flags);
23222 - __asm__("lcall *(%%edi); cld"
23223 +
23224 + gdt = get_cpu_gdt_table(smp_processor_id());
23225 +
23226 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23227 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23228 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23229 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23230 +
23231 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23232 : "=a" (return_code),
23233 "=b" (address),
23234 "=c" (length),
23235 "=d" (entry)
23236 : "0" (service),
23237 "1" (0),
23238 - "D" (&bios32_indirect));
23239 + "D" (&bios32_indirect),
23240 + "r"(__PCIBIOS_DS)
23241 + : "memory");
23242 +
23243 + pax_open_kernel();
23244 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23245 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23246 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23247 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23248 + pax_close_kernel();
23249 +
23250 local_irq_restore(flags);
23251
23252 switch (return_code) {
23253 - case 0:
23254 - return address + entry;
23255 - case 0x80: /* Not present */
23256 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23257 - return 0;
23258 - default: /* Shouldn't happen */
23259 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23260 - service, return_code);
23261 + case 0: {
23262 + int cpu;
23263 + unsigned char flags;
23264 +
23265 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23266 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23267 + printk(KERN_WARNING "bios32_service: not valid\n");
23268 return 0;
23269 + }
23270 + address = address + PAGE_OFFSET;
23271 + length += 16UL; /* some BIOSs underreport this... */
23272 + flags = 4;
23273 + if (length >= 64*1024*1024) {
23274 + length >>= PAGE_SHIFT;
23275 + flags |= 8;
23276 + }
23277 +
23278 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23279 + gdt = get_cpu_gdt_table(cpu);
23280 + pack_descriptor(&d, address, length, 0x9b, flags);
23281 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23282 + pack_descriptor(&d, address, length, 0x93, flags);
23283 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23284 + }
23285 + return entry;
23286 + }
23287 + case 0x80: /* Not present */
23288 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23289 + return 0;
23290 + default: /* Shouldn't happen */
23291 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23292 + service, return_code);
23293 + return 0;
23294 }
23295 }
23296
23297 static struct {
23298 unsigned long address;
23299 unsigned short segment;
23300 -} pci_indirect = { 0, __KERNEL_CS };
23301 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23302
23303 -static int pci_bios_present;
23304 +static int pci_bios_present __read_only;
23305
23306 static int __devinit check_pcibios(void)
23307 {
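Review bot: In `case 0` of bios32_service the `length >= 64*1024*1024` branch cannot be reached: the check just above rejects `length > 0x100000 - address`, so after `length += 16UL` the value is at most 0x100010 and `flags |= 8` is dead code. The same `+= 16` widens the segment limit past the range that was just validated, and `length` goes to `pack_descriptor` as the limit without a `- 1`; if that parameter is the last valid offset, the segment is one byte longer again. I would drop the granularity branch, pass `length - 1`, and fold the 16-byte allowance into the bounds check so the descriptor never covers more than was checked. The inner `unsigned char flags` also shadows the `unsigned long flags` used for `local_irq_save`; naming it `desc_flags` avoids that.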
23308 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
23309 unsigned long flags, pcibios_entry;
23310
23311 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23312 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23313 + pci_indirect.address = pcibios_entry;
23314
23315 local_irq_save(flags);
23316 - __asm__(
23317 - "lcall *(%%edi); cld\n\t"
23318 + __asm__("movw %w6, %%ds\n\t"
23319 + "lcall *%%ss:(%%edi); cld\n\t"
23320 + "push %%ss\n\t"
23321 + "pop %%ds\n\t"
23322 "jc 1f\n\t"
23323 "xor %%ah, %%ah\n"
23324 "1:"
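Review bot: The segment selector is referenced by position (`%w6` here, `%w7`, `%w5` and `%w8` at the other BIOS call sites), and that number depends on an operand list that in most of these hunks lies partly outside the diff context. A named operand removes the dependency: `"movw %w[ds], %%ds\n\t"` with `[ds] "r" (__PCIBIOS_DS)` in the input list. The load/call/restore sequence is also repeated at every call site in pci_bios_read, pci_bios_write and the IRQ routing helpers, so one macro holding it would keep the `push %%ss; pop %%ds` restore from being dropped at any of them. check_pcibios continues outside this hunk.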
23325 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
23326 "=b" (ebx),
23327 "=c" (ecx)
23328 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23329 - "D" (&pci_indirect)
23330 + "D" (&pci_indirect),
23331 + "r" (__PCIBIOS_DS)
23332 : "memory");
23333 local_irq_restore(flags);
23334
23335 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
23336
23337 switch (len) {
23338 case 1:
23339 - __asm__("lcall *(%%esi); cld\n\t"
23340 + __asm__("movw %w6, %%ds\n\t"
23341 + "lcall *%%ss:(%%esi); cld\n\t"
23342 + "push %%ss\n\t"
23343 + "pop %%ds\n\t"
23344 "jc 1f\n\t"
23345 "xor %%ah, %%ah\n"
23346 "1:"
23347 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
23348 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23349 "b" (bx),
23350 "D" ((long)reg),
23351 - "S" (&pci_indirect));
23352 + "S" (&pci_indirect),
23353 + "r" (__PCIBIOS_DS));
23354 /*
23355 * Zero-extend the result beyond 8 bits, do not trust the
23356 * BIOS having done it:
23357 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
23358 *value &= 0xff;
23359 break;
23360 case 2:
23361 - __asm__("lcall *(%%esi); cld\n\t"
23362 + __asm__("movw %w6, %%ds\n\t"
23363 + "lcall *%%ss:(%%esi); cld\n\t"
23364 + "push %%ss\n\t"
23365 + "pop %%ds\n\t"
23366 "jc 1f\n\t"
23367 "xor %%ah, %%ah\n"
23368 "1:"
23369 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
23370 : "1" (PCIBIOS_READ_CONFIG_WORD),
23371 "b" (bx),
23372 "D" ((long)reg),
23373 - "S" (&pci_indirect));
23374 + "S" (&pci_indirect),
23375 + "r" (__PCIBIOS_DS));
23376 /*
23377 * Zero-extend the result beyond 16 bits, do not trust the
23378 * BIOS having done it:
23379 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
23380 *value &= 0xffff;
23381 break;
23382 case 4:
23383 - __asm__("lcall *(%%esi); cld\n\t"
23384 + __asm__("movw %w6, %%ds\n\t"
23385 + "lcall *%%ss:(%%esi); cld\n\t"
23386 + "push %%ss\n\t"
23387 + "pop %%ds\n\t"
23388 "jc 1f\n\t"
23389 "xor %%ah, %%ah\n"
23390 "1:"
23391 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
23392 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23393 "b" (bx),
23394 "D" ((long)reg),
23395 - "S" (&pci_indirect));
23396 + "S" (&pci_indirect),
23397 + "r" (__PCIBIOS_DS));
23398 break;
23399 }
23400
23401 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
23402
23403 switch (len) {
23404 case 1:
23405 - __asm__("lcall *(%%esi); cld\n\t"
23406 + __asm__("movw %w6, %%ds\n\t"
23407 + "lcall *%%ss:(%%esi); cld\n\t"
23408 + "push %%ss\n\t"
23409 + "pop %%ds\n\t"
23410 "jc 1f\n\t"
23411 "xor %%ah, %%ah\n"
23412 "1:"
23413 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
23414 "c" (value),
23415 "b" (bx),
23416 "D" ((long)reg),
23417 - "S" (&pci_indirect));
23418 + "S" (&pci_indirect),
23419 + "r" (__PCIBIOS_DS));
23420 break;
23421 case 2:
23422 - __asm__("lcall *(%%esi); cld\n\t"
23423 + __asm__("movw %w6, %%ds\n\t"
23424 + "lcall *%%ss:(%%esi); cld\n\t"
23425 + "push %%ss\n\t"
23426 + "pop %%ds\n\t"
23427 "jc 1f\n\t"
23428 "xor %%ah, %%ah\n"
23429 "1:"
23430 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
23431 "c" (value),
23432 "b" (bx),
23433 "D" ((long)reg),
23434 - "S" (&pci_indirect));
23435 + "S" (&pci_indirect),
23436 + "r" (__PCIBIOS_DS));
23437 break;
23438 case 4:
23439 - __asm__("lcall *(%%esi); cld\n\t"
23440 + __asm__("movw %w6, %%ds\n\t"
23441 + "lcall *%%ss:(%%esi); cld\n\t"
23442 + "push %%ss\n\t"
23443 + "pop %%ds\n\t"
23444 "jc 1f\n\t"
23445 "xor %%ah, %%ah\n"
23446 "1:"
23447 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
23448 "c" (value),
23449 "b" (bx),
23450 "D" ((long)reg),
23451 - "S" (&pci_indirect));
23452 + "S" (&pci_indirect),
23453 + "r" (__PCIBIOS_DS));
23454 break;
23455 }
23456
23457 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
23458 * Function table for BIOS32 access
23459 */
23460
23461 -static struct pci_raw_ops pci_bios_access = {
23462 +static const struct pci_raw_ops pci_bios_access = {
23463 .read = pci_bios_read,
23464 .write = pci_bios_write
23465 };
23466 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
23467 * Try to find PCI BIOS.
23468 */
23469
23470 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23471 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23472 {
23473 union bios32 *check;
23474 unsigned char sum;
23475 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
23476
23477 DBG("PCI: Fetching IRQ routing table... ");
23478 __asm__("push %%es\n\t"
23479 + "movw %w8, %%ds\n\t"
23480 "push %%ds\n\t"
23481 "pop %%es\n\t"
23482 - "lcall *(%%esi); cld\n\t"
23483 + "lcall *%%ss:(%%esi); cld\n\t"
23484 "pop %%es\n\t"
23485 + "push %%ss\n\t"
23486 + "pop %%ds\n"
23487 "jc 1f\n\t"
23488 "xor %%ah, %%ah\n"
23489 "1:"
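Review bot: ES is now loaded from DS after DS has been switched to `__PCIBIOS_DS`, so the BIOS sees the `&opt` value in EDI relative to the PCI BIOS data segment rather than the flat kernel segment. bios32_service programs that segment with the BIOS base plus PAGE_OFFSET and a limit of at most about 1 MiB, which a kernel address used as an offset would not fall inside. Unless the rest of the patch rebases `opt` (the operand list is only partly visible here), this call looks like it would fault or touch the wrong memory. Either keep ES flat by placing `movw %w8, %%ds` after `pop %%es`, or add a comment saying why ES must follow the BIOS segment. The enclosing function starts outside this hunk.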
23490 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
23491 "1" (0),
23492 "D" ((long) &opt),
23493 "S" (&pci_indirect),
23494 - "m" (opt)
23495 + "m" (opt),
23496 + "r" (__PCIBIOS_DS)
23497 : "memory");
23498 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23499 if (ret & 0xff00)
23500 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
23501 {
23502 int ret;
23503
23504 - __asm__("lcall *(%%esi); cld\n\t"
23505 + __asm__("movw %w5, %%ds\n\t"
23506 + "lcall *%%ss:(%%esi); cld\n\t"
23507 + "push %%ss\n\t"
23508 + "pop %%ds\n"
23509 "jc 1f\n\t"
23510 "xor %%ah, %%ah\n"
23511 "1:"
23512 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
23513 : "0" (PCIBIOS_SET_PCI_HW_INT),
23514 "b" ((dev->bus->number << 8) | dev->devfn),
23515 "c" ((irq << 8) | (pin + 10)),
23516 - "S" (&pci_indirect));
23517 + "S" (&pci_indirect),
23518 + "r" (__PCIBIOS_DS));
23519 return !(ret & 0xff00);
23520 }
23521 EXPORT_SYMBOL(pcibios_set_irq_routing);
23522 diff -urNp linux-2.6.39.1/arch/x86/pci/xen.c linux-2.6.39.1/arch/x86/pci/xen.c
23523 --- linux-2.6.39.1/arch/x86/pci/xen.c 2011-05-19 00:06:34.000000000 -0400
23524 +++ linux-2.6.39.1/arch/x86/pci/xen.c 2011-05-22 19:36:30.000000000 -0400
23525 @@ -62,7 +62,7 @@ static int acpi_register_gsi_xen_hvm(str
23526 #include <linux/msi.h>
23527 #include <asm/msidef.h>
23528
23529 -struct xen_pci_frontend_ops *xen_pci_frontend;
23530 +const struct xen_pci_frontend_ops *xen_pci_frontend;
23531 EXPORT_SYMBOL_GPL(xen_pci_frontend);
23532
23533 #define XEN_PIRQ_MSI_DATA (MSI_DATA_TRIGGER_EDGE | \
23534 diff -urNp linux-2.6.39.1/arch/x86/platform/efi/efi_32.c linux-2.6.39.1/arch/x86/platform/efi/efi_32.c
23535 --- linux-2.6.39.1/arch/x86/platform/efi/efi_32.c 2011-05-19 00:06:34.000000000 -0400
23536 +++ linux-2.6.39.1/arch/x86/platform/efi/efi_32.c 2011-05-22 19:36:30.000000000 -0400
23537 @@ -38,70 +38,37 @@
23538 */
23539
23540 static unsigned long efi_rt_eflags;
23541 -static pgd_t efi_bak_pg_dir_pointer[2];
23542 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
23543
23544 -void efi_call_phys_prelog(void)
23545 +void __init efi_call_phys_prelog(void)
23546 {
23547 - unsigned long cr4;
23548 - unsigned long temp;
23549 struct desc_ptr gdt_descr;
23550
23551 local_irq_save(efi_rt_eflags);
23552
23553 - /*
23554 - * If I don't have PAE, I should just duplicate two entries in page
23555 - * directory. If I have PAE, I just need to duplicate one entry in
23556 - * page directory.
23557 - */
23558 - cr4 = read_cr4_safe();
23559 -
23560 - if (cr4 & X86_CR4_PAE) {
23561 - efi_bak_pg_dir_pointer[0].pgd =
23562 - swapper_pg_dir[pgd_index(0)].pgd;
23563 - swapper_pg_dir[0].pgd =
23564 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23565 - } else {
23566 - efi_bak_pg_dir_pointer[0].pgd =
23567 - swapper_pg_dir[pgd_index(0)].pgd;
23568 - efi_bak_pg_dir_pointer[1].pgd =
23569 - swapper_pg_dir[pgd_index(0x400000)].pgd;
23570 - swapper_pg_dir[pgd_index(0)].pgd =
23571 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23572 - temp = PAGE_OFFSET + 0x400000;
23573 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23574 - swapper_pg_dir[pgd_index(temp)].pgd;
23575 - }
23576 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
23577 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23578 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
23579
23580 /*
23581 * After the lock is released, the original page table is restored.
23582 */
23583 __flush_tlb_all();
23584
23585 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
23586 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
23587 gdt_descr.size = GDT_SIZE - 1;
23588 load_gdt(&gdt_descr);
23589 }
23590
23591 -void efi_call_phys_epilog(void)
23592 +void __init efi_call_phys_epilog(void)
23593 {
23594 - unsigned long cr4;
23595 struct desc_ptr gdt_descr;
23596
23597 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
23598 + gdt_descr.address = get_cpu_gdt_table(0);
23599 gdt_descr.size = GDT_SIZE - 1;
23600 load_gdt(&gdt_descr);
23601
23602 - cr4 = read_cr4_safe();
23603 -
23604 - if (cr4 & X86_CR4_PAE) {
23605 - swapper_pg_dir[pgd_index(0)].pgd =
23606 - efi_bak_pg_dir_pointer[0].pgd;
23607 - } else {
23608 - swapper_pg_dir[pgd_index(0)].pgd =
23609 - efi_bak_pg_dir_pointer[0].pgd;
23610 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23611 - efi_bak_pg_dir_pointer[1].pgd;
23612 - }
23613 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
23614
23615 /*
23616 * After the lock is released, the original page table is restored.
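Review bot: efi_call_phys_prelog now stores a physical address in a pointer-typed field, `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));`, while the epilog stores the virtual pointer in the same field without a cast. The value is only meaningful to `load_gdt` as a GDTR base that stays valid once efi_stub_32.S clears CR0.PG, and nothing at the assignment says so. I would add `/* physical address: must remain a valid GDT base while paging is off */` above it so nobody dereferences `gdt_descr.address` in this function. Both functions are now `__init` and the backup array is `__initdata`, which assumes no physical-mode EFI call happens after init memory is freed; that is worth stating at `efi_bak_pg_dir_pointer` as well. efi_call_phys_epilog continues outside the hunk.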
23617 diff -urNp linux-2.6.39.1/arch/x86/platform/efi/efi_stub_32.S linux-2.6.39.1/arch/x86/platform/efi/efi_stub_32.S
23618 --- linux-2.6.39.1/arch/x86/platform/efi/efi_stub_32.S 2011-05-19 00:06:34.000000000 -0400
23619 +++ linux-2.6.39.1/arch/x86/platform/efi/efi_stub_32.S 2011-05-22 19:36:30.000000000 -0400
23620 @@ -6,6 +6,7 @@
23621 */
23622
23623 #include <linux/linkage.h>
23624 +#include <linux/init.h>
23625 #include <asm/page_types.h>
23626
23627 /*
23628 @@ -20,7 +21,7 @@
23629 * service functions will comply with gcc calling convention, too.
23630 */
23631
23632 -.text
23633 +__INIT
23634 ENTRY(efi_call_phys)
23635 /*
23636 * 0. The function can only be called in Linux kernel. So CS has been
23637 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
23638 * The mapping of lower virtual memory has been created in prelog and
23639 * epilog.
23640 */
23641 - movl $1f, %edx
23642 - subl $__PAGE_OFFSET, %edx
23643 - jmp *%edx
23644 + jmp 1f-__PAGE_OFFSET
23645 1:
23646
23647 /*
23648 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
23649 * parameter 2, ..., param n. To make things easy, we save the return
23650 * address of efi_call_phys in a global variable.
23651 */
23652 - popl %edx
23653 - movl %edx, saved_return_addr
23654 - /* get the function pointer into ECX*/
23655 - popl %ecx
23656 - movl %ecx, efi_rt_function_ptr
23657 - movl $2f, %edx
23658 - subl $__PAGE_OFFSET, %edx
23659 - pushl %edx
23660 + popl (saved_return_addr)
23661 + popl (efi_rt_function_ptr)
23662
23663 /*
23664 * 3. Clear PG bit in %CR0.
23665 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
23666 /*
23667 * 5. Call the physical function.
23668 */
23669 - jmp *%ecx
23670 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
23671
23672 -2:
23673 /*
23674 * 6. After EFI runtime service returns, control will return to
23675 * following instruction. We'd better readjust stack pointer first.
23676 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
23677 movl %cr0, %edx
23678 orl $0x80000000, %edx
23679 movl %edx, %cr0
23680 - jmp 1f
23681 -1:
23682 +
23683 /*
23684 * 8. Now restore the virtual mode from flat mode by
23685 * adding EIP with PAGE_OFFSET.
23686 */
23687 - movl $1f, %edx
23688 - jmp *%edx
23689 + jmp 1f+__PAGE_OFFSET
23690 1:
23691
23692 /*
23693 * 9. Balance the stack. And because EAX contain the return value,
23694 * we'd better not clobber it.
23695 */
23696 - leal efi_rt_function_ptr, %edx
23697 - movl (%edx), %ecx
23698 - pushl %ecx
23699 + pushl (efi_rt_function_ptr)
23700
23701 /*
23702 - * 10. Push the saved return address onto the stack and return.
23703 + * 10. Return to the saved return address.
23704 */
23705 - leal saved_return_addr, %edx
23706 - movl (%edx), %ecx
23707 - pushl %ecx
23708 - ret
23709 + jmpl *(saved_return_addr)
23710 ENDPROC(efi_call_phys)
23711 .previous
23712
23713 -.data
23714 +__INITDATA
23715 saved_return_addr:
23716 .long 0
23717 efi_rt_function_ptr:
23718 diff -urNp linux-2.6.39.1/arch/x86/platform/olpc/olpc_dt.c linux-2.6.39.1/arch/x86/platform/olpc/olpc_dt.c
23719 --- linux-2.6.39.1/arch/x86/platform/olpc/olpc_dt.c 2011-05-19 00:06:34.000000000 -0400
23720 +++ linux-2.6.39.1/arch/x86/platform/olpc/olpc_dt.c 2011-05-22 19:36:30.000000000 -0400
23721 @@ -154,7 +154,7 @@ void * __init prom_early_alloc(unsigned
23722 return res;
23723 }
23724
23725 -static struct of_pdt_ops prom_olpc_ops __initdata = {
23726 +static const struct of_pdt_ops prom_olpc_ops = {
23727 .nextprop = olpc_dt_nextprop,
23728 .getproplen = olpc_dt_getproplen,
23729 .getproperty = olpc_dt_getproperty,
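Review bot: Adding `const` here also drops `__initdata`, so `prom_olpc_ops` is no longer discarded with the rest of the init data. If every user of the table is init-only, as the `__init` on prom_early_alloc in the hunk header suggests for this file, `static const struct of_pdt_ops prom_olpc_ops __initconst = {` keeps both properties. If the table has to outlive init, a one-line comment saying which caller needs it would explain the change. The initializer continues past the end of the hunk.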
23730 diff -urNp linux-2.6.39.1/arch/x86/platform/uv/tlb_uv.c linux-2.6.39.1/arch/x86/platform/uv/tlb_uv.c
23731 --- linux-2.6.39.1/arch/x86/platform/uv/tlb_uv.c 2011-05-19 00:06:34.000000000 -0400
23732 +++ linux-2.6.39.1/arch/x86/platform/uv/tlb_uv.c 2011-05-22 19:36:30.000000000 -0400
23733 @@ -342,6 +342,8 @@ static void uv_reset_with_ipi(struct bau
23734 cpumask_t mask;
23735 struct reset_args reset_args;
23736
23737 + pax_track_stack();
23738 +
23739 reset_args.sender = sender;
23740
23741 cpus_clear(mask);
23742 diff -urNp linux-2.6.39.1/arch/x86/power/cpu.c linux-2.6.39.1/arch/x86/power/cpu.c
23743 --- linux-2.6.39.1/arch/x86/power/cpu.c 2011-05-19 00:06:34.000000000 -0400
23744 +++ linux-2.6.39.1/arch/x86/power/cpu.c 2011-05-22 19:36:30.000000000 -0400
23745 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
23746 static void fix_processor_context(void)
23747 {
23748 int cpu = smp_processor_id();
23749 - struct tss_struct *t = &per_cpu(init_tss, cpu);
23750 + struct tss_struct *t = init_tss + cpu;
23751
23752 set_tss_desc(cpu, t); /*
23753 * This just modifies memory; should not be
23754 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
23755 */
23756
23757 #ifdef CONFIG_X86_64
23758 + pax_open_kernel();
23759 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
23760 + pax_close_kernel();
23761
23762 syscall_init(); /* This sets MSR_*STAR and related */
23763 #endif
23764 diff -urNp linux-2.6.39.1/arch/x86/vdso/Makefile linux-2.6.39.1/arch/x86/vdso/Makefile
23765 --- linux-2.6.39.1/arch/x86/vdso/Makefile 2011-05-19 00:06:34.000000000 -0400
23766 +++ linux-2.6.39.1/arch/x86/vdso/Makefile 2011-05-22 19:36:30.000000000 -0400
23767 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
23768 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
23769 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
23770
23771 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23772 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23773 GCOV_PROFILE := n
23774
23775 #
23776 diff -urNp linux-2.6.39.1/arch/x86/vdso/vclock_gettime.c linux-2.6.39.1/arch/x86/vdso/vclock_gettime.c
23777 --- linux-2.6.39.1/arch/x86/vdso/vclock_gettime.c 2011-05-19 00:06:34.000000000 -0400
23778 +++ linux-2.6.39.1/arch/x86/vdso/vclock_gettime.c 2011-05-22 19:36:30.000000000 -0400
23779 @@ -22,24 +22,48 @@
23780 #include <asm/hpet.h>
23781 #include <asm/unistd.h>
23782 #include <asm/io.h>
23783 +#include <asm/fixmap.h>
23784 #include "vextern.h"
23785
23786 #define gtod vdso_vsyscall_gtod_data
23787
23788 +notrace noinline long __vdso_fallback_time(long *t)
23789 +{
23790 + long secs;
23791 + asm volatile("syscall"
23792 + : "=a" (secs)
23793 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
23794 + return secs;
23795 +}
23796 +
23797 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
23798 {
23799 long ret;
23800 asm("syscall" : "=a" (ret) :
23801 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
23802 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
23803 return ret;
23804 }
23805
23806 +notrace static inline cycle_t __vdso_vread_hpet(void)
23807 +{
23808 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
23809 +}
23810 +
23811 +notrace static inline cycle_t __vdso_vread_tsc(void)
23812 +{
23813 + cycle_t ret = (cycle_t)vget_cycles();
23814 +
23815 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
23816 +}
23817 +
23818 notrace static inline long vgetns(void)
23819 {
23820 long v;
23821 - cycles_t (*vread)(void);
23822 - vread = gtod->clock.vread;
23823 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
23824 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
23825 + v = __vdso_vread_tsc();
23826 + else
23827 + v = __vdso_vread_hpet();
23828 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
23829 return (v * gtod->clock.mult) >> gtod->clock.shift;
23830 }
23831
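Review bot: `vgetns()` now reads the HPET for every clock name other than "tsc", so it is only correct if each caller has already checked that the name is "hpet" or "tsc". The later hunks add that gate to `__vdso_clock_gettime` and `__vdso_gettimeofday` with the same open-coded byte comparison, which then appears three times in the file. Small inline predicates would keep the gate and the dispatch from drifting apart, with a comment that the comparison is done by hand presumably because vDSO code cannot call the kernel's string functions. Whether any other path reaches `vgetns()` without the gate cannot be seen from this hunk.

```c
/* vDSO code cannot call strcmp(); compare the clocksource name by hand. */
notrace static inline int vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
{
	long v;
	/* callers must already have checked vdso_clock_is_tsc() || vdso_clock_is_hpet() */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask, mult and shift … */
}
```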
23832 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
23833
23834 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
23835 {
23836 - if (likely(gtod->sysctl_enabled))
23837 + if (likely(gtod->sysctl_enabled &&
23838 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23839 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23840 switch (clock) {
23841 case CLOCK_REALTIME:
23842 if (likely(gtod->clock.vread))
23843 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
23844 int clock_gettime(clockid_t, struct timespec *)
23845 __attribute__((weak, alias("__vdso_clock_gettime")));
23846
23847 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23848 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
23849 {
23850 long ret;
23851 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
23852 + asm("syscall" : "=a" (ret) :
23853 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
23854 + return ret;
23855 +}
23856 +
23857 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23858 +{
23859 + if (likely(gtod->sysctl_enabled &&
23860 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23861 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23862 + {
23863 if (likely(tv != NULL)) {
23864 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
23865 offsetof(struct timespec, tv_nsec) ||
23866 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
23867 }
23868 return 0;
23869 }
23870 - asm("syscall" : "=a" (ret) :
23871 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
23872 - return ret;
23873 + return __vdso_fallback_gettimeofday(tv, tz);
23874 }
23875 int gettimeofday(struct timeval *, struct timezone *)
23876 __attribute__((weak, alias("__vdso_gettimeofday")));
23877 diff -urNp linux-2.6.39.1/arch/x86/vdso/vdso32-setup.c linux-2.6.39.1/arch/x86/vdso/vdso32-setup.c
23878 --- linux-2.6.39.1/arch/x86/vdso/vdso32-setup.c 2011-05-19 00:06:34.000000000 -0400
23879 +++ linux-2.6.39.1/arch/x86/vdso/vdso32-setup.c 2011-05-22 19:36:30.000000000 -0400
23880 @@ -25,6 +25,7 @@
23881 #include <asm/tlbflush.h>
23882 #include <asm/vdso.h>
23883 #include <asm/proto.h>
23884 +#include <asm/mman.h>
23885
23886 enum {
23887 VDSO_DISABLED = 0,
23888 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
23889 void enable_sep_cpu(void)
23890 {
23891 int cpu = get_cpu();
23892 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
23893 + struct tss_struct *tss = init_tss + cpu;
23894
23895 if (!boot_cpu_has(X86_FEATURE_SEP)) {
23896 put_cpu();
23897 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
23898 gate_vma.vm_start = FIXADDR_USER_START;
23899 gate_vma.vm_end = FIXADDR_USER_END;
23900 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
23901 - gate_vma.vm_page_prot = __P101;
23902 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
23903 /*
23904 * Make sure the vDSO gets into every core dump.
23905 * Dumping its contents makes post-mortem fully interpretable later
23906 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
23907 if (compat)
23908 addr = VDSO_HIGH_BASE;
23909 else {
23910 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
23911 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
23912 if (IS_ERR_VALUE(addr)) {
23913 ret = addr;
23914 goto up_fail;
23915 }
23916 }
23917
23918 - current->mm->context.vdso = (void *)addr;
23919 + current->mm->context.vdso = addr;
23920
23921 if (compat_uses_vma || !compat) {
23922 /*
23923 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
23924 }
23925
23926 current_thread_info()->sysenter_return =
23927 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23928 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23929
23930 up_fail:
23931 if (ret)
23932 - current->mm->context.vdso = NULL;
23933 + current->mm->context.vdso = 0;
23934
23935 up_write(&mm->mmap_sem);
23936
23937 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
23938
23939 const char *arch_vma_name(struct vm_area_struct *vma)
23940 {
23941 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23942 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23943 return "[vdso]";
23944 +
23945 +#ifdef CONFIG_PAX_SEGMEXEC
23946 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
23947 + return "[vdso]";
23948 +#endif
23949 +
23950 return NULL;
23951 }
23952
23953 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
23954 * Check to see if the corresponding task was created in compat vdso
23955 * mode.
23956 */
23957 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
23958 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
23959 return &gate_vma;
23960 return NULL;
23961 }
23962 diff -urNp linux-2.6.39.1/arch/x86/vdso/vdso.lds.S linux-2.6.39.1/arch/x86/vdso/vdso.lds.S
23963 --- linux-2.6.39.1/arch/x86/vdso/vdso.lds.S 2011-05-19 00:06:34.000000000 -0400
23964 +++ linux-2.6.39.1/arch/x86/vdso/vdso.lds.S 2011-06-06 17:34:26.000000000 -0400
23965 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
23966 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
23967 #include "vextern.h"
23968 #undef VEXTERN
23969 +
23970 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
23971 +VEXTERN(fallback_gettimeofday)
23972 +VEXTERN(fallback_time)
23973 +VEXTERN(getcpu)
23974 +#undef VEXTERN
23975 diff -urNp linux-2.6.39.1/arch/x86/vdso/vextern.h linux-2.6.39.1/arch/x86/vdso/vextern.h
23976 --- linux-2.6.39.1/arch/x86/vdso/vextern.h 2011-05-19 00:06:34.000000000 -0400
23977 +++ linux-2.6.39.1/arch/x86/vdso/vextern.h 2011-05-22 19:36:30.000000000 -0400
23978 @@ -11,6 +11,5 @@
23979 put into vextern.h and be referenced as a pointer with vdso prefix.
23980 The main kernel later fills in the values. */
23981
23982 -VEXTERN(jiffies)
23983 VEXTERN(vgetcpu_mode)
23984 VEXTERN(vsyscall_gtod_data)
23985 diff -urNp linux-2.6.39.1/arch/x86/vdso/vma.c linux-2.6.39.1/arch/x86/vdso/vma.c
23986 --- linux-2.6.39.1/arch/x86/vdso/vma.c 2011-05-19 00:06:34.000000000 -0400
23987 +++ linux-2.6.39.1/arch/x86/vdso/vma.c 2011-05-22 19:36:30.000000000 -0400
23988 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
23989 if (!vbase)
23990 goto oom;
23991
23992 - if (memcmp(vbase, "\177ELF", 4)) {
23993 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
23994 printk("VDSO: I'm broken; not ELF\n");
23995 vdso_enabled = 0;
23996 }
23997 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
23998 goto up_fail;
23999 }
24000
24001 - current->mm->context.vdso = (void *)addr;
24002 + current->mm->context.vdso = addr;
24003
24004 ret = install_special_mapping(mm, addr, vdso_size,
24005 VM_READ|VM_EXEC|
24006 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
24007 VM_ALWAYSDUMP,
24008 vdso_pages);
24009 if (ret) {
24010 - current->mm->context.vdso = NULL;
24011 + current->mm->context.vdso = 0;
24012 goto up_fail;
24013 }
24014
24015 @@ -134,10 +134,3 @@ up_fail:
24016 up_write(&mm->mmap_sem);
24017 return ret;
24018 }
24019 -
24020 -static __init int vdso_setup(char *s)
24021 -{
24022 - vdso_enabled = simple_strtoul(s, NULL, 0);
24023 - return 0;
24024 -}
24025 -__setup("vdso=", vdso_setup);
24026 diff -urNp linux-2.6.39.1/arch/x86/xen/enlighten.c linux-2.6.39.1/arch/x86/xen/enlighten.c
24027 --- linux-2.6.39.1/arch/x86/xen/enlighten.c 2011-05-19 00:06:34.000000000 -0400
24028 +++ linux-2.6.39.1/arch/x86/xen/enlighten.c 2011-05-22 19:36:30.000000000 -0400
24029 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24030
24031 struct shared_info xen_dummy_shared_info;
24032
24033 -void *xen_initial_gdt;
24034 -
24035 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
24036 __read_mostly int xen_have_vector_callback;
24037 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
24038 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
24039 #endif
24040 };
24041
24042 -static void xen_reboot(int reason)
24043 +static __noreturn void xen_reboot(int reason)
24044 {
24045 struct sched_shutdown r = { .reason = reason };
24046
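Review bot: `xen_reboot()` is now `__noreturn`, but the only terminating statement visible in its body is the `BUG();` at the top of the next hunk. The statement between the declaration of `r` and that `BUG()` lies outside both hunks. If `BUG()` is reached only when the shutdown request reports failure, the function can run off its closing brace, which is undefined behaviour for a noreturn function. The same would then hold for `xen_restart`, `xen_emergency_restart` and `xen_machine_halt`, which are given the attribute in the next hunk and only call `xen_reboot()`. Ending the body with an unconditional `BUG();` after the call would make the attribute true on every path.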
24047 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
24048 BUG();
24049 }
24050
24051 -static void xen_restart(char *msg)
24052 +static __noreturn void xen_restart(char *msg)
24053 {
24054 xen_reboot(SHUTDOWN_reboot);
24055 }
24056
24057 -static void xen_emergency_restart(void)
24058 +static __noreturn void xen_emergency_restart(void)
24059 {
24060 xen_reboot(SHUTDOWN_reboot);
24061 }
24062
24063 -static void xen_machine_halt(void)
24064 +static __noreturn void xen_machine_halt(void)
24065 {
24066 xen_reboot(SHUTDOWN_poweroff);
24067 }
24068 @@ -1127,7 +1125,17 @@ asmlinkage void __init xen_start_kernel(
24069 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24070
24071 /* Work out if we support NX */
24072 - x86_configure_nx();
24073 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24074 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24075 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24076 + unsigned l, h;
24077 +
24078 + __supported_pte_mask |= _PAGE_NX;
24079 + rdmsr(MSR_EFER, l, h);
24080 + l |= EFER_NX;
24081 + wrmsr(MSR_EFER, l, h);
24082 + }
24083 +#endif
24084
24085 xen_setup_features();
24086
24087 @@ -1158,13 +1166,6 @@ asmlinkage void __init xen_start_kernel(
24088
24089 machine_ops = xen_machine_ops;
24090
24091 - /*
24092 - * The only reliable way to retain the initial address of the
24093 - * percpu gdt_page is to remember it here, so we can go and
24094 - * mark it RW later, when the initial percpu area is freed.
24095 - */
24096 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24097 -
24098 xen_smp_init();
24099
24100 #ifdef CONFIG_ACPI_NUMA
24101 diff -urNp linux-2.6.39.1/arch/x86/xen/mmu.c linux-2.6.39.1/arch/x86/xen/mmu.c
24102 --- linux-2.6.39.1/arch/x86/xen/mmu.c 2011-06-03 00:04:13.000000000 -0400
24103 +++ linux-2.6.39.1/arch/x86/xen/mmu.c 2011-06-03 00:32:05.000000000 -0400
24104 @@ -1791,6 +1791,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24105 convert_pfn_mfn(init_level4_pgt);
24106 convert_pfn_mfn(level3_ident_pgt);
24107 convert_pfn_mfn(level3_kernel_pgt);
24108 + convert_pfn_mfn(level3_vmalloc_pgt);
24109 + convert_pfn_mfn(level3_vmemmap_pgt);
24110
24111 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24112 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24113 @@ -1809,7 +1811,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24114 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24115 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24116 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24117 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24118 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24119 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24120 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24121 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24122 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24123
24124 diff -urNp linux-2.6.39.1/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.39.1/arch/x86/xen/pci-swiotlb-xen.c
24125 --- linux-2.6.39.1/arch/x86/xen/pci-swiotlb-xen.c 2011-05-19 00:06:34.000000000 -0400
24126 +++ linux-2.6.39.1/arch/x86/xen/pci-swiotlb-xen.c 2011-05-22 19:36:30.000000000 -0400
24127 @@ -10,7 +10,7 @@
24128
24129 int xen_swiotlb __read_mostly;
24130
24131 -static struct dma_map_ops xen_swiotlb_dma_ops = {
24132 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
24133 .mapping_error = xen_swiotlb_dma_mapping_error,
24134 .alloc_coherent = xen_swiotlb_alloc_coherent,
24135 .free_coherent = xen_swiotlb_free_coherent,
24136 diff -urNp linux-2.6.39.1/arch/x86/xen/smp.c linux-2.6.39.1/arch/x86/xen/smp.c
24137 --- linux-2.6.39.1/arch/x86/xen/smp.c 2011-05-19 00:06:34.000000000 -0400
24138 +++ linux-2.6.39.1/arch/x86/xen/smp.c 2011-05-22 19:36:30.000000000 -0400
24139 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
24140 {
24141 BUG_ON(smp_processor_id() != 0);
24142 native_smp_prepare_boot_cpu();
24143 -
24144 - /* We've switched to the "real" per-cpu gdt, so make sure the
24145 - old memory can be recycled */
24146 - make_lowmem_page_readwrite(xen_initial_gdt);
24147 -
24148 xen_filter_cpu_maps();
24149 xen_setup_vcpu_info_placement();
24150 }
24151 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
24152 gdt = get_cpu_gdt_table(cpu);
24153
24154 ctxt->flags = VGCF_IN_KERNEL;
24155 - ctxt->user_regs.ds = __USER_DS;
24156 - ctxt->user_regs.es = __USER_DS;
24157 + ctxt->user_regs.ds = __KERNEL_DS;
24158 + ctxt->user_regs.es = __KERNEL_DS;
24159 ctxt->user_regs.ss = __KERNEL_DS;
24160 #ifdef CONFIG_X86_32
24161 ctxt->user_regs.fs = __KERNEL_PERCPU;
24162 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24163 + savesegment(gs, ctxt->user_regs.gs);
24164 #else
24165 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24166 #endif
24167 @@ -315,13 +310,12 @@ static int __cpuinit xen_cpu_up(unsigned
24168 int rc;
24169
24170 per_cpu(current_task, cpu) = idle;
24171 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24172 #ifdef CONFIG_X86_32
24173 irq_ctx_init(cpu);
24174 #else
24175 clear_tsk_thread_flag(idle, TIF_FORK);
24176 - per_cpu(kernel_stack, cpu) =
24177 - (unsigned long)task_stack_page(idle) -
24178 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24179 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24180 #endif
24181 xen_setup_runstate_info(cpu);
24182 xen_setup_timer(cpu);
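Review bot: The literal `16` in the new `per_cpu(kernel_stack, cpu)` assignment replaces `KERNEL_STACK_OFFSET` with no indication of where the value comes from or what else has to agree with it. If the patch changes the same offset in other bring-up paths (not visible in this hunk), a shared macro would keep them in step. Otherwise a comment on the line, for example `/* 16 bytes kept free at the top of the idle stack */`, would record the intent. `xen_cpu_up` begins and ends outside the hunk.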
24183 diff -urNp linux-2.6.39.1/arch/x86/xen/xen-asm_32.S linux-2.6.39.1/arch/x86/xen/xen-asm_32.S
24184 --- linux-2.6.39.1/arch/x86/xen/xen-asm_32.S 2011-05-19 00:06:34.000000000 -0400
24185 +++ linux-2.6.39.1/arch/x86/xen/xen-asm_32.S 2011-05-22 19:36:30.000000000 -0400
24186 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24187 ESP_OFFSET=4 # bytes pushed onto stack
24188
24189 /*
24190 - * Store vcpu_info pointer for easy access. Do it this way to
24191 - * avoid having to reload %fs
24192 + * Store vcpu_info pointer for easy access.
24193 */
24194 #ifdef CONFIG_SMP
24195 - GET_THREAD_INFO(%eax)
24196 - movl TI_cpu(%eax), %eax
24197 - movl __per_cpu_offset(,%eax,4), %eax
24198 - mov xen_vcpu(%eax), %eax
24199 + push %fs
24200 + mov $(__KERNEL_PERCPU), %eax
24201 + mov %eax, %fs
24202 + mov PER_CPU_VAR(xen_vcpu), %eax
24203 + pop %fs
24204 #else
24205 movl xen_vcpu, %eax
24206 #endif
24207 diff -urNp linux-2.6.39.1/arch/x86/xen/xen-head.S linux-2.6.39.1/arch/x86/xen/xen-head.S
24208 --- linux-2.6.39.1/arch/x86/xen/xen-head.S 2011-05-19 00:06:34.000000000 -0400
24209 +++ linux-2.6.39.1/arch/x86/xen/xen-head.S 2011-05-22 19:36:30.000000000 -0400
24210 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24211 #ifdef CONFIG_X86_32
24212 mov %esi,xen_start_info
24213 mov $init_thread_union+THREAD_SIZE,%esp
24214 +#ifdef CONFIG_SMP
24215 + movl $cpu_gdt_table,%edi
24216 + movl $__per_cpu_load,%eax
24217 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24218 + rorl $16,%eax
24219 + movb %al,__KERNEL_PERCPU + 4(%edi)
24220 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24221 + movl $__per_cpu_end - 1,%eax
24222 + subl $__per_cpu_start,%eax
24223 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24224 +#endif
24225 #else
24226 mov %rsi,xen_start_info
24227 mov $init_thread_union+THREAD_SIZE,%rsp
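Review bot: The added `CONFIG_SMP` block has no comment, and the byte offsets 0, 2, 4 and 7 only make sense to a reader who knows the segment-descriptor layout. The stores place bits 0-15, 16-23 and 24-31 of `__per_cpu_load` into the base fields of the `__KERNEL_PERCPU` entry in `cpu_gdt_table`, and the low 16 bits of `__per_cpu_end - 1 - __per_cpu_start` into the limit field. A line such as `/* point the __KERNEL_PERCPU descriptor at the boot per-cpu area: base = __per_cpu_load, limit = size - 1 */` above the block would say so. Byte 6, which holds the upper limit bits, is not written here. The comment should therefore also state the assumption, presumably a per-cpu area under 64 KiB or a value preset in the table elsewhere.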
24228 diff -urNp linux-2.6.39.1/arch/x86/xen/xen-ops.h linux-2.6.39.1/arch/x86/xen/xen-ops.h
24229 --- linux-2.6.39.1/arch/x86/xen/xen-ops.h 2011-05-19 00:06:34.000000000 -0400
24230 +++ linux-2.6.39.1/arch/x86/xen/xen-ops.h 2011-05-22 19:36:30.000000000 -0400
24231 @@ -10,8 +10,6 @@
24232 extern const char xen_hypervisor_callback[];
24233 extern const char xen_failsafe_callback[];
24234
24235 -extern void *xen_initial_gdt;
24236 -
24237 struct trap_info;
24238 void xen_copy_trap_info(struct trap_info *traps);
24239
24240 diff -urNp linux-2.6.39.1/block/blk-iopoll.c linux-2.6.39.1/block/blk-iopoll.c
24241 --- linux-2.6.39.1/block/blk-iopoll.c 2011-05-19 00:06:34.000000000 -0400
24242 +++ linux-2.6.39.1/block/blk-iopoll.c 2011-05-22 19:36:30.000000000 -0400
24243 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24244 }
24245 EXPORT_SYMBOL(blk_iopoll_complete);
24246
24247 -static void blk_iopoll_softirq(struct softirq_action *h)
24248 +static void blk_iopoll_softirq(void)
24249 {
24250 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24251 int rearm = 0, budget = blk_iopoll_budget;
24252 diff -urNp linux-2.6.39.1/block/blk-map.c linux-2.6.39.1/block/blk-map.c
24253 --- linux-2.6.39.1/block/blk-map.c 2011-05-19 00:06:34.000000000 -0400
24254 +++ linux-2.6.39.1/block/blk-map.c 2011-05-22 19:36:30.000000000 -0400
24255 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
24256 if (!len || !kbuf)
24257 return -EINVAL;
24258
24259 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
24260 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
24261 if (do_copy)
24262 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24263 else
24264 diff -urNp linux-2.6.39.1/block/blk-softirq.c linux-2.6.39.1/block/blk-softirq.c
24265 --- linux-2.6.39.1/block/blk-softirq.c 2011-05-19 00:06:34.000000000 -0400
24266 +++ linux-2.6.39.1/block/blk-softirq.c 2011-05-22 19:36:30.000000000 -0400
24267 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24268 * Softirq action handler - move entries to local list and loop over them
24269 * while passing them to the queue registered handler.
24270 */
24271 -static void blk_done_softirq(struct softirq_action *h)
24272 +static void blk_done_softirq(void)
24273 {
24274 struct list_head *cpu_list, local_list;
24275
24276 diff -urNp linux-2.6.39.1/block/bsg.c linux-2.6.39.1/block/bsg.c
24277 --- linux-2.6.39.1/block/bsg.c 2011-05-19 00:06:34.000000000 -0400
24278 +++ linux-2.6.39.1/block/bsg.c 2011-05-22 19:36:30.000000000 -0400
24279 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24280 struct sg_io_v4 *hdr, struct bsg_device *bd,
24281 fmode_t has_write_perm)
24282 {
24283 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24284 + unsigned char *cmdptr;
24285 +
24286 if (hdr->request_len > BLK_MAX_CDB) {
24287 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24288 if (!rq->cmd)
24289 return -ENOMEM;
24290 - }
24291 + cmdptr = rq->cmd;
24292 + } else
24293 + cmdptr = tmpcmd;
24294
24295 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24296 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24297 hdr->request_len))
24298 return -EFAULT;
24299
24300 + if (cmdptr != rq->cmd)
24301 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24302 +
24303 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24304 if (blk_verify_command(rq->cmd, has_write_perm))
24305 return -EPERM;
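Review bot: The on-stack `tmpcmd` is sized by `sizeof(rq->__cmd)`, but the branch that selects it is guarded by `BLK_MAX_CDB`, and nothing in the hunk ties the two together. The declaration of `__cmd` is not visible here, so the user-controlled `hdr->request_len` is safe on this path only if that array is at least `BLK_MAX_CDB` bytes. `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` at the top of the function would make that a compile-time fact. A short comment saying why the user copy goes through a stack buffer instead of straight into `rq->cmd` is also missing. The function body continues past the end of the hunk.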
24306 diff -urNp linux-2.6.39.1/block/scsi_ioctl.c linux-2.6.39.1/block/scsi_ioctl.c
24307 --- linux-2.6.39.1/block/scsi_ioctl.c 2011-05-19 00:06:34.000000000 -0400
24308 +++ linux-2.6.39.1/block/scsi_ioctl.c 2011-05-22 19:36:30.000000000 -0400
24309 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
24310 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24311 struct sg_io_hdr *hdr, fmode_t mode)
24312 {
24313 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24314 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24315 + unsigned char *cmdptr;
24316 +
24317 + if (rq->cmd != rq->__cmd)
24318 + cmdptr = rq->cmd;
24319 + else
24320 + cmdptr = tmpcmd;
24321 +
24322 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24323 return -EFAULT;
24324 +
24325 + if (cmdptr != rq->cmd)
24326 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24327 +
24328 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24329 return -EPERM;
24330
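Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` can now write to the on-stack `tmpcmd`, and the hunk has no check that `hdr->cmd_len` fits in it. The bound has to come from the caller, which is outside the hunk. An oversized length would presumably have overrun the request's inline buffer before this change. It would now overrun the kernel stack, so the limit is worth stating locally: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The same applies to the `cmdlen` copy into `tmpcmd` in the later `sg_scsi_ioctl` hunk. Both function bodies extend beyond their hunks.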
24331 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
24332 int err;
24333 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24334 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24335 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24336 + unsigned char *cmdptr;
24337
24338 if (!sic)
24339 return -EINVAL;
24340 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
24341 */
24342 err = -EFAULT;
24343 rq->cmd_len = cmdlen;
24344 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24345 +
24346 + if (rq->cmd != rq->__cmd)
24347 + cmdptr = rq->cmd;
24348 + else
24349 + cmdptr = tmpcmd;
24350 +
24351 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24352 goto error;
24353
24354 + if (rq->cmd != cmdptr)
24355 + memcpy(rq->cmd, cmdptr, cmdlen);
24356 +
24357 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24358 goto error;
24359
24360 diff -urNp linux-2.6.39.1/crypto/serpent.c linux-2.6.39.1/crypto/serpent.c
24361 --- linux-2.6.39.1/crypto/serpent.c 2011-05-19 00:06:34.000000000 -0400
24362 +++ linux-2.6.39.1/crypto/serpent.c 2011-05-22 19:36:30.000000000 -0400
24363 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24364 u32 r0,r1,r2,r3,r4;
24365 int i;
24366
24367 + pax_track_stack();
24368 +
24369 /* Copy key, add padding */
24370
24371 for (i = 0; i < keylen; ++i)
24372 diff -urNp linux-2.6.39.1/Documentation/dontdiff linux-2.6.39.1/Documentation/dontdiff
24373 --- linux-2.6.39.1/Documentation/dontdiff 2011-05-19 00:06:34.000000000 -0400
24374 +++ linux-2.6.39.1/Documentation/dontdiff 2011-05-22 19:36:30.000000000 -0400
24375 @@ -1,13 +1,16 @@
24376 *.a
24377 *.aux
24378 *.bin
24379 +*.cis
24380 *.cpio
24381 *.csp
24382 +*.dbg
24383 *.dsp
24384 *.dvi
24385 *.elf
24386 *.eps
24387 *.fw
24388 +*.gcno
24389 *.gen.S
24390 *.gif
24391 *.grep
24392 @@ -38,8 +41,10 @@
24393 *.tab.h
24394 *.tex
24395 *.ver
24396 +*.vim
24397 *.xml
24398 *_MODULES
24399 +*_reg_safe.h
24400 *_vga16.c
24401 *~
24402 *.9
24403 @@ -49,11 +54,16 @@
24404 53c700_d.h
24405 CVS
24406 ChangeSet
24407 +GPATH
24408 +GRTAGS
24409 +GSYMS
24410 +GTAGS
24411 Image
24412 Kerntypes
24413 Module.markers
24414 Module.symvers
24415 PENDING
24416 +PERF*
24417 SCCS
24418 System.map*
24419 TAGS
24420 @@ -80,8 +90,11 @@ btfixupprep
24421 build
24422 bvmlinux
24423 bzImage*
24424 +capability_names.h
24425 capflags.c
24426 classlist.h*
24427 +clut_vga16.c
24428 +common-cmds.h
24429 comp*.log
24430 compile.h*
24431 conf
24432 @@ -106,16 +119,19 @@ fore200e_mkfirm
24433 fore200e_pca_fw.c*
24434 gconf
24435 gen-devlist
24436 +gen-kdb_cmds.c
24437 gen_crc32table
24438 gen_init_cpio
24439 generated
24440 genheaders
24441 genksyms
24442 *_gray256.c
24443 +hash
24444 ihex2fw
24445 ikconfig.h*
24446 inat-tables.c
24447 initramfs_data.cpio
24448 +initramfs_data.cpio.bz2
24449 initramfs_data.cpio.gz
24450 initramfs_list
24451 int16.c
24452 @@ -125,7 +141,6 @@ int32.c
24453 int4.c
24454 int8.c
24455 kallsyms
24456 -kconfig
24457 keywords.c
24458 ksym.c*
24459 ksym.h*
24460 @@ -149,7 +164,9 @@ mkboot
24461 mkbugboot
24462 mkcpustr
24463 mkdep
24464 +mkpiggy
24465 mkprep
24466 +mkregtable
24467 mktables
24468 mktree
24469 modpost
24470 @@ -165,6 +182,7 @@ parse.h
24471 patches*
24472 pca200e.bin
24473 pca200e_ecd.bin2
24474 +perf-archive
24475 piggy.gz
24476 piggyback
24477 piggy.S
24478 @@ -180,7 +198,9 @@ r600_reg_safe.h
24479 raid6altivec*.c
24480 raid6int*.c
24481 raid6tables.c
24482 +regdb.c
24483 relocs
24484 +rlim_names.h
24485 rn50_reg_safe.h
24486 rs600_reg_safe.h
24487 rv515_reg_safe.h
24488 @@ -189,6 +209,7 @@ setup
24489 setup.bin
24490 setup.elf
24491 sImage
24492 +slabinfo
24493 sm_tbl*
24494 split-include
24495 syscalltab.h
24496 @@ -213,13 +234,17 @@ version.h*
24497 vmlinux
24498 vmlinux-*
24499 vmlinux.aout
24500 +vmlinux.bin.all
24501 +vmlinux.bin.bz2
24502 vmlinux.lds
24503 +vmlinux.relocs
24504 voffset.h
24505 vsyscall.lds
24506 vsyscall_32.lds
24507 wanxlfw.inc
24508 uImage
24509 unifdef
24510 +utsrelease.h
24511 wakeup.bin
24512 wakeup.elf
24513 wakeup.lds
24514 diff -urNp linux-2.6.39.1/Documentation/filesystems/configfs/configfs_example_macros.c linux-2.6.39.1/Documentation/filesystems/configfs/configfs_example_macros.c
24515 --- linux-2.6.39.1/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-19 00:06:34.000000000 -0400
24516 +++ linux-2.6.39.1/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-22 19:36:30.000000000 -0400
24517 @@ -368,7 +368,7 @@ static struct configfs_item_operations g
24518 * Note that, since no extra work is required on ->drop_item(),
24519 * no ->drop_item() is provided.
24520 */
24521 -static struct configfs_group_operations group_children_group_ops = {
24522 +static const struct configfs_group_operations group_children_group_ops = {
24523 .make_group = group_children_make_group,
24524 };
24525
24526 diff -urNp linux-2.6.39.1/Documentation/filesystems/sysfs.txt linux-2.6.39.1/Documentation/filesystems/sysfs.txt
24527 --- linux-2.6.39.1/Documentation/filesystems/sysfs.txt 2011-05-19 00:06:34.000000000 -0400
24528 +++ linux-2.6.39.1/Documentation/filesystems/sysfs.txt 2011-05-22 19:36:30.000000000 -0400
24529 @@ -125,8 +125,8 @@ set of sysfs operations for forwarding r
24530 show and store methods of the attribute owners.
24531
24532 struct sysfs_ops {
24533 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
24534 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
24535 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
24536 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
24537 };
24538
24539 [ Subsystems should have already defined a struct kobj_type as a
24540 diff -urNp linux-2.6.39.1/Documentation/kernel-parameters.txt linux-2.6.39.1/Documentation/kernel-parameters.txt
24541 --- linux-2.6.39.1/Documentation/kernel-parameters.txt 2011-05-19 00:06:34.000000000 -0400
24542 +++ linux-2.6.39.1/Documentation/kernel-parameters.txt 2011-05-22 19:36:30.000000000 -0400
24543 @@ -1879,6 +1879,13 @@ bytes respectively. Such letter suffixes
24544 the specified number of seconds. This is to be used if
24545 your oopses keep scrolling off the screen.
24546
24547 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24548 + virtualization environments that don't cope well with the
24549 + expand down segment used by UDEREF on X86-32 or the frequent
24550 + page table updates on X86-64.
24551 +
24552 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24553 +
24554 pcbit= [HW,ISDN]
24555
24556 pcd. [PARIDE]
24557 diff -urNp linux-2.6.39.1/drivers/acpi/acpi_ipmi.c linux-2.6.39.1/drivers/acpi/acpi_ipmi.c
24558 --- linux-2.6.39.1/drivers/acpi/acpi_ipmi.c 2011-05-19 00:06:34.000000000 -0400
24559 +++ linux-2.6.39.1/drivers/acpi/acpi_ipmi.c 2011-05-22 19:36:30.000000000 -0400
24560 @@ -70,7 +70,7 @@ struct acpi_ipmi_device {
24561 struct ipmi_driver_data {
24562 struct list_head ipmi_devices;
24563 struct ipmi_smi_watcher bmc_events;
24564 - struct ipmi_user_hndl ipmi_hndlrs;
24565 + const struct ipmi_user_hndl ipmi_hndlrs;
24566 struct mutex ipmi_lock;
24567 };
24568
24569 diff -urNp linux-2.6.39.1/drivers/acpi/apei/cper.c linux-2.6.39.1/drivers/acpi/apei/cper.c
24570 --- linux-2.6.39.1/drivers/acpi/apei/cper.c 2011-05-19 00:06:34.000000000 -0400
24571 +++ linux-2.6.39.1/drivers/acpi/apei/cper.c 2011-05-22 19:36:30.000000000 -0400
24572 @@ -38,12 +38,12 @@
24573 */
24574 u64 cper_next_record_id(void)
24575 {
24576 - static atomic64_t seq;
24577 + static atomic64_unchecked_t seq;
24578
24579 - if (!atomic64_read(&seq))
24580 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
24581 + if (!atomic64_read_unchecked(&seq))
24582 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
24583
24584 - return atomic64_inc_return(&seq);
24585 + return atomic64_inc_return_unchecked(&seq);
24586 }
24587 EXPORT_SYMBOL_GPL(cper_next_record_id);
24588
24589 diff -urNp linux-2.6.39.1/drivers/acpi/battery.c linux-2.6.39.1/drivers/acpi/battery.c
24590 --- linux-2.6.39.1/drivers/acpi/battery.c 2011-05-19 00:06:34.000000000 -0400
24591 +++ linux-2.6.39.1/drivers/acpi/battery.c 2011-05-22 19:36:30.000000000 -0400
24592 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24593 }
24594
24595 static struct battery_file {
24596 - struct file_operations ops;
24597 + const struct file_operations ops;
24598 mode_t mode;
24599 const char *name;
24600 } acpi_battery_file[] = {
24601 diff -urNp linux-2.6.39.1/drivers/acpi/dock.c linux-2.6.39.1/drivers/acpi/dock.c
24602 --- linux-2.6.39.1/drivers/acpi/dock.c 2011-05-19 00:06:34.000000000 -0400
24603 +++ linux-2.6.39.1/drivers/acpi/dock.c 2011-05-22 19:36:30.000000000 -0400
24604 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24605 struct list_head list;
24606 struct list_head hotplug_list;
24607 acpi_handle handle;
24608 - struct acpi_dock_ops *ops;
24609 + const struct acpi_dock_ops *ops;
24610 void *context;
24611 };
24612
24613 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
24614 * the dock driver after _DCK is executed.
24615 */
24616 int
24617 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
24618 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
24619 void *context)
24620 {
24621 struct dock_dependent_device *dd;
24622 diff -urNp linux-2.6.39.1/drivers/acpi/ec_sys.c linux-2.6.39.1/drivers/acpi/ec_sys.c
24623 --- linux-2.6.39.1/drivers/acpi/ec_sys.c 2011-05-19 00:06:34.000000000 -0400
24624 +++ linux-2.6.39.1/drivers/acpi/ec_sys.c 2011-05-22 19:36:30.000000000 -0400
24625 @@ -92,7 +92,7 @@ static ssize_t acpi_ec_write_io(struct f
24626 return count;
24627 }
24628
24629 -static struct file_operations acpi_ec_io_ops = {
24630 +static const struct file_operations acpi_ec_io_ops = {
24631 .owner = THIS_MODULE,
24632 .open = acpi_ec_open_io,
24633 .read = acpi_ec_read_io,
24634 diff -urNp linux-2.6.39.1/drivers/acpi/fan.c linux-2.6.39.1/drivers/acpi/fan.c
24635 --- linux-2.6.39.1/drivers/acpi/fan.c 2011-05-19 00:06:34.000000000 -0400
24636 +++ linux-2.6.39.1/drivers/acpi/fan.c 2011-05-22 19:36:30.000000000 -0400
24637 @@ -110,7 +110,7 @@ fan_set_cur_state(struct thermal_cooling
24638 return result;
24639 }
24640
24641 -static struct thermal_cooling_device_ops fan_cooling_ops = {
24642 +static const struct thermal_cooling_device_ops fan_cooling_ops = {
24643 .get_max_state = fan_get_max_state,
24644 .get_cur_state = fan_get_cur_state,
24645 .set_cur_state = fan_set_cur_state,
24646 diff -urNp linux-2.6.39.1/drivers/acpi/power_meter.c linux-2.6.39.1/drivers/acpi/power_meter.c
24647 --- linux-2.6.39.1/drivers/acpi/power_meter.c 2011-05-19 00:06:34.000000000 -0400
24648 +++ linux-2.6.39.1/drivers/acpi/power_meter.c 2011-05-22 19:36:30.000000000 -0400
24649 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
24650 return res;
24651
24652 temp /= 1000;
24653 - if (temp < 0)
24654 - return -EINVAL;
24655
24656 mutex_lock(&resource->lock);
24657 resource->trip[attr->index - 7] = temp;
24658 diff -urNp linux-2.6.39.1/drivers/acpi/proc.c linux-2.6.39.1/drivers/acpi/proc.c
24659 --- linux-2.6.39.1/drivers/acpi/proc.c 2011-05-19 00:06:34.000000000 -0400
24660 +++ linux-2.6.39.1/drivers/acpi/proc.c 2011-05-22 19:36:30.000000000 -0400
24661 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
24662 size_t count, loff_t * ppos)
24663 {
24664 struct list_head *node, *next;
24665 - char strbuf[5];
24666 - char str[5] = "";
24667 - unsigned int len = count;
24668 -
24669 - if (len > 4)
24670 - len = 4;
24671 - if (len < 0)
24672 - return -EFAULT;
24673 + char strbuf[5] = {0};
24674
24675 - if (copy_from_user(strbuf, buffer, len))
24676 + if (count > 4)
24677 + count = 4;
24678 + if (copy_from_user(strbuf, buffer, count))
24679 return -EFAULT;
24680 - strbuf[len] = '\0';
24681 - sscanf(strbuf, "%s", str);
24682 + strbuf[count] = '\0';
24683
24684 mutex_lock(&acpi_device_lock);
24685 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
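Review bot: Dropping `sscanf(strbuf, "%s", str)` means the raw user bytes are now what `strncmp(dev->pnp.bus_id, strbuf, 4)` compares against (second hunk of this file). Input with leading whitespace, or a trailing newline after a name shorter than four characters, no longer matches, where the old code stripped it. The bound itself is sound: `count` is clamped to 4 before `copy_from_user()`, and `strbuf[count]` stays inside the 5-byte array. If the whitespace handling was not meant to change, keep a bounded token copy, e.g. `char str[5] = "";` plus `sscanf(strbuf, "%4s", str);`, and compare against `str`. The function body starts before and continues after both hunks.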
24686 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
24687 if (!dev->wakeup.flags.valid)
24688 continue;
24689
24690 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
24691 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
24692 if (device_can_wakeup(&dev->dev)) {
24693 bool enable = !device_may_wakeup(&dev->dev);
24694 device_set_wakeup_enable(&dev->dev, enable);
24695 diff -urNp linux-2.6.39.1/drivers/acpi/processor_driver.c linux-2.6.39.1/drivers/acpi/processor_driver.c
24696 --- linux-2.6.39.1/drivers/acpi/processor_driver.c 2011-05-19 00:06:34.000000000 -0400
24697 +++ linux-2.6.39.1/drivers/acpi/processor_driver.c 2011-05-22 19:36:30.000000000 -0400
24698 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
24699 return 0;
24700 #endif
24701
24702 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
24703 + BUG_ON(pr->id >= nr_cpu_ids);
24704
24705 /*
24706 * Buggy BIOS check
24707 diff -urNp linux-2.6.39.1/drivers/acpi/processor_idle.c linux-2.6.39.1/drivers/acpi/processor_idle.c
24708 --- linux-2.6.39.1/drivers/acpi/processor_idle.c 2011-05-19 00:06:34.000000000 -0400
24709 +++ linux-2.6.39.1/drivers/acpi/processor_idle.c 2011-05-22 19:36:30.000000000 -0400
24710 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
24711 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
24712 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
24713 (void *)1},
24714 - {},
24715 + {}
24716 };
24717
24718
24719 diff -urNp linux-2.6.39.1/drivers/acpi/processor_thermal.c linux-2.6.39.1/drivers/acpi/processor_thermal.c
24720 --- linux-2.6.39.1/drivers/acpi/processor_thermal.c 2011-05-19 00:06:34.000000000 -0400
24721 +++ linux-2.6.39.1/drivers/acpi/processor_thermal.c 2011-05-22 19:36:30.000000000 -0400
24722 @@ -244,7 +244,7 @@ processor_set_cur_state(struct thermal_c
24723 return result;
24724 }
24725
24726 -struct thermal_cooling_device_ops processor_cooling_ops = {
24727 +const struct thermal_cooling_device_ops processor_cooling_ops = {
24728 .get_max_state = processor_get_max_state,
24729 .get_cur_state = processor_get_cur_state,
24730 .set_cur_state = processor_set_cur_state,
24731 diff -urNp linux-2.6.39.1/drivers/acpi/sysfs.c linux-2.6.39.1/drivers/acpi/sysfs.c
24732 --- linux-2.6.39.1/drivers/acpi/sysfs.c 2011-05-19 00:06:34.000000000 -0400
24733 +++ linux-2.6.39.1/drivers/acpi/sysfs.c 2011-05-22 19:36:30.000000000 -0400
24734 @@ -149,12 +149,12 @@ static int param_get_debug_level(char *b
24735 return result;
24736 }
24737
24738 -static struct kernel_param_ops param_ops_debug_layer = {
24739 +static const struct kernel_param_ops param_ops_debug_layer = {
24740 .set = param_set_uint,
24741 .get = param_get_debug_layer,
24742 };
24743
24744 -static struct kernel_param_ops param_ops_debug_level = {
24745 +static const struct kernel_param_ops param_ops_debug_level = {
24746 .set = param_set_uint,
24747 .get = param_get_debug_level,
24748 };
24749 diff -urNp linux-2.6.39.1/drivers/acpi/thermal.c linux-2.6.39.1/drivers/acpi/thermal.c
24750 --- linux-2.6.39.1/drivers/acpi/thermal.c 2011-05-19 00:06:34.000000000 -0400
24751 +++ linux-2.6.39.1/drivers/acpi/thermal.c 2011-05-22 19:36:30.000000000 -0400
24752 @@ -812,7 +812,7 @@ acpi_thermal_unbind_cooling_device(struc
24753 thermal_zone_unbind_cooling_device);
24754 }
24755
24756 -static struct thermal_zone_device_ops acpi_thermal_zone_ops = {
24757 +static const struct thermal_zone_device_ops acpi_thermal_zone_ops = {
24758 .bind = acpi_thermal_bind_cooling_device,
24759 .unbind = acpi_thermal_unbind_cooling_device,
24760 .get_temp = thermal_get_temp,
24761 diff -urNp linux-2.6.39.1/drivers/acpi/video.c linux-2.6.39.1/drivers/acpi/video.c
24762 --- linux-2.6.39.1/drivers/acpi/video.c 2011-05-19 00:06:34.000000000 -0400
24763 +++ linux-2.6.39.1/drivers/acpi/video.c 2011-05-22 19:36:30.000000000 -0400
24764 @@ -308,7 +308,7 @@ video_set_cur_state(struct thermal_cooli
24765 return acpi_video_device_lcd_set_level(video, level);
24766 }
24767
24768 -static struct thermal_cooling_device_ops video_cooling_ops = {
24769 +static const struct thermal_cooling_device_ops video_cooling_ops = {
24770 .get_max_state = video_get_max_state,
24771 .get_cur_state = video_get_cur_state,
24772 .set_cur_state = video_set_cur_state,
24773 diff -urNp linux-2.6.39.1/drivers/ata/acard-ahci.c linux-2.6.39.1/drivers/ata/acard-ahci.c
24774 --- linux-2.6.39.1/drivers/ata/acard-ahci.c 2011-05-19 00:06:34.000000000 -0400
24775 +++ linux-2.6.39.1/drivers/ata/acard-ahci.c 2011-05-22 19:36:30.000000000 -0400
24776 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
24777 AHCI_SHT("acard-ahci"),
24778 };
24779
24780 -static struct ata_port_operations acard_ops = {
24781 +static const struct ata_port_operations acard_ops = {
24782 .inherits = &ahci_ops,
24783 .qc_prep = acard_ahci_qc_prep,
24784 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
24785 diff -urNp linux-2.6.39.1/drivers/ata/ahci.c linux-2.6.39.1/drivers/ata/ahci.c
24786 --- linux-2.6.39.1/drivers/ata/ahci.c 2011-05-19 00:06:34.000000000 -0400
24787 +++ linux-2.6.39.1/drivers/ata/ahci.c 2011-05-22 19:36:30.000000000 -0400
24788 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
24789 AHCI_SHT("ahci"),
24790 };
24791
24792 -static struct ata_port_operations ahci_vt8251_ops = {
24793 +static const struct ata_port_operations ahci_vt8251_ops = {
24794 .inherits = &ahci_ops,
24795 .hardreset = ahci_vt8251_hardreset,
24796 };
24797
24798 -static struct ata_port_operations ahci_p5wdh_ops = {
24799 +static const struct ata_port_operations ahci_p5wdh_ops = {
24800 .inherits = &ahci_ops,
24801 .hardreset = ahci_p5wdh_hardreset,
24802 };
24803
24804 -static struct ata_port_operations ahci_sb600_ops = {
24805 +static const struct ata_port_operations ahci_sb600_ops = {
24806 .inherits = &ahci_ops,
24807 .softreset = ahci_sb600_softreset,
24808 .pmp_softreset = ahci_sb600_softreset,
24809 diff -urNp linux-2.6.39.1/drivers/ata/ahci.h linux-2.6.39.1/drivers/ata/ahci.h
24810 --- linux-2.6.39.1/drivers/ata/ahci.h 2011-05-19 00:06:34.000000000 -0400
24811 +++ linux-2.6.39.1/drivers/ata/ahci.h 2011-05-22 19:36:30.000000000 -0400
24812 @@ -311,7 +311,7 @@ extern struct device_attribute *ahci_sde
24813 .shost_attrs = ahci_shost_attrs, \
24814 .sdev_attrs = ahci_sdev_attrs
24815
24816 -extern struct ata_port_operations ahci_ops;
24817 +extern const struct ata_port_operations ahci_ops;
24818
24819 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
24820 u32 opts);
24821 diff -urNp linux-2.6.39.1/drivers/ata/ata_generic.c linux-2.6.39.1/drivers/ata/ata_generic.c
24822 --- linux-2.6.39.1/drivers/ata/ata_generic.c 2011-05-19 00:06:34.000000000 -0400
24823 +++ linux-2.6.39.1/drivers/ata/ata_generic.c 2011-05-22 19:36:30.000000000 -0400
24824 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
24825 ATA_BMDMA_SHT(DRV_NAME),
24826 };
24827
24828 -static struct ata_port_operations generic_port_ops = {
24829 +static const struct ata_port_operations generic_port_ops = {
24830 .inherits = &ata_bmdma_port_ops,
24831 .cable_detect = ata_cable_unknown,
24832 .set_mode = generic_set_mode,
24833 diff -urNp linux-2.6.39.1/drivers/ata/ata_piix.c linux-2.6.39.1/drivers/ata/ata_piix.c
24834 --- linux-2.6.39.1/drivers/ata/ata_piix.c 2011-05-19 00:06:34.000000000 -0400
24835 +++ linux-2.6.39.1/drivers/ata/ata_piix.c 2011-05-22 19:36:30.000000000 -0400
24836 @@ -335,12 +335,12 @@ static struct scsi_host_template piix_sh
24837 ATA_BMDMA_SHT(DRV_NAME),
24838 };
24839
24840 -static struct ata_port_operations piix_sata_ops = {
24841 +static const struct ata_port_operations piix_sata_ops = {
24842 .inherits = &ata_bmdma32_port_ops,
24843 .sff_irq_check = piix_irq_check,
24844 };
24845
24846 -static struct ata_port_operations piix_pata_ops = {
24847 +static const struct ata_port_operations piix_pata_ops = {
24848 .inherits = &piix_sata_ops,
24849 .cable_detect = ata_cable_40wire,
24850 .set_piomode = piix_set_piomode,
24851 @@ -348,12 +348,12 @@ static struct ata_port_operations piix_p
24852 .prereset = piix_pata_prereset,
24853 };
24854
24855 -static struct ata_port_operations piix_vmw_ops = {
24856 +static const struct ata_port_operations piix_vmw_ops = {
24857 .inherits = &piix_pata_ops,
24858 .bmdma_status = piix_vmw_bmdma_status,
24859 };
24860
24861 -static struct ata_port_operations ich_pata_ops = {
24862 +static const struct ata_port_operations ich_pata_ops = {
24863 .inherits = &piix_pata_ops,
24864 .cable_detect = ich_pata_cable_detect,
24865 .set_dmamode = ich_set_dmamode,
24866 @@ -369,7 +369,7 @@ static struct scsi_host_template piix_si
24867 .shost_attrs = piix_sidpr_shost_attrs,
24868 };
24869
24870 -static struct ata_port_operations piix_sidpr_sata_ops = {
24871 +static const struct ata_port_operations piix_sidpr_sata_ops = {
24872 .inherits = &piix_sata_ops,
24873 .hardreset = sata_std_hardreset,
24874 .scr_read = piix_sidpr_scr_read,
24875 diff -urNp linux-2.6.39.1/drivers/ata/libahci.c linux-2.6.39.1/drivers/ata/libahci.c
24876 --- linux-2.6.39.1/drivers/ata/libahci.c 2011-05-19 00:06:34.000000000 -0400
24877 +++ linux-2.6.39.1/drivers/ata/libahci.c 2011-05-22 19:36:30.000000000 -0400
24878 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
24879 };
24880 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
24881
24882 -struct ata_port_operations ahci_ops = {
24883 +const struct ata_port_operations ahci_ops = {
24884 .inherits = &sata_pmp_port_ops,
24885
24886 .qc_defer = ahci_pmp_qc_defer,
24887 diff -urNp linux-2.6.39.1/drivers/ata/libata-acpi.c linux-2.6.39.1/drivers/ata/libata-acpi.c
24888 --- linux-2.6.39.1/drivers/ata/libata-acpi.c 2011-05-19 00:06:34.000000000 -0400
24889 +++ linux-2.6.39.1/drivers/ata/libata-acpi.c 2011-05-22 19:36:30.000000000 -0400
24890 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
24891 ata_acpi_uevent(dev->link->ap, dev, event);
24892 }
24893
24894 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24895 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24896 .handler = ata_acpi_dev_notify_dock,
24897 .uevent = ata_acpi_dev_uevent,
24898 };
24899
24900 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24901 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24902 .handler = ata_acpi_ap_notify_dock,
24903 .uevent = ata_acpi_ap_uevent,
24904 };
24905 diff -urNp linux-2.6.39.1/drivers/ata/libata-core.c linux-2.6.39.1/drivers/ata/libata-core.c
24906 --- linux-2.6.39.1/drivers/ata/libata-core.c 2011-05-19 00:06:34.000000000 -0400
24907 +++ linux-2.6.39.1/drivers/ata/libata-core.c 2011-05-22 19:36:30.000000000 -0400
24908 @@ -4747,7 +4747,7 @@ void ata_qc_free(struct ata_queued_cmd *
24909 struct ata_port *ap;
24910 unsigned int tag;
24911
24912 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24913 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24914 ap = qc->ap;
24915
24916 qc->flags = 0;
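Review bot: `BUG_ON(qc == NULL)` here and in __ata_qc_complete() (next hunk) keeps the old trailing comment, which does not say why a warning was upgraded to a halt. The reason visible in the hunk is that the next statement that touches the pointer, `ap = qc->ap`, dereferences it, so continuing after a warning would fault anyway. I would put that in the comment, e.g. `/* qc is dereferenced right below; stop here rather than fault on a NULL pointer */`. Both function bodies extend beyond the hunks, so whether any caller can legitimately pass NULL cannot be checked from here.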
24917 @@ -4763,7 +4763,7 @@ void __ata_qc_complete(struct ata_queued
24918 struct ata_port *ap;
24919 struct ata_link *link;
24920
24921 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24922 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24923 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
24924 ap = qc->ap;
24925 link = qc->dev->link;
24926 @@ -5756,7 +5756,7 @@ static void ata_host_stop(struct device
24927 * LOCKING:
24928 * None.
24929 */
24930 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
24931 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
24932 {
24933 static DEFINE_SPINLOCK(lock);
24934 const struct ata_port_operations *cur;
24935 @@ -5768,6 +5768,7 @@ static void ata_finalize_port_ops(struct
24936 return;
24937
24938 spin_lock(&lock);
24939 + pax_open_kernel();
24940
24941 for (cur = ops->inherits; cur; cur = cur->inherits) {
24942 void **inherit = (void **)cur;
24943 @@ -5781,8 +5782,9 @@ static void ata_finalize_port_ops(struct
24944 if (IS_ERR(*pp))
24945 *pp = NULL;
24946
24947 - ops->inherits = NULL;
24948 + ((struct ata_port_operations *)ops)->inherits = NULL;
24949
24950 + pax_close_kernel();
24951 spin_unlock(&lock);
24952 }
24953
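Review bot: The cast in `((struct ata_port_operations *)ops)->inherits = NULL;` writes to an object the patch now declares `const`. That is only valid because the write sits between `pax_open_kernel()` (previous hunk) and `pax_close_kernel()`, and nothing in the function says so. I would add a comment above the open call, e.g. `/* ops tables are const: the writes below are only valid inside the pax_open_kernel()/pax_close_kernel() window */`. Any exit path later added inside that window must call `pax_close_kernel()` before `spin_unlock()`. In the visible lines the early `return` precedes `spin_lock()`, so the pair is balanced, but the loop body between the two hunks is not shown.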
24954 @@ -5879,7 +5881,7 @@ int ata_host_start(struct ata_host *host
24955 */
24956 /* KILLME - the only user left is ipr */
24957 void ata_host_init(struct ata_host *host, struct device *dev,
24958 - unsigned long flags, struct ata_port_operations *ops)
24959 + unsigned long flags, const struct ata_port_operations *ops)
24960 {
24961 spin_lock_init(&host->lock);
24962 mutex_init(&host->eh_mutex);
24963 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
24964 /* truly dummy */
24965 }
24966
24967 -struct ata_port_operations ata_dummy_port_ops = {
24968 +const struct ata_port_operations ata_dummy_port_ops = {
24969 .qc_prep = ata_noop_qc_prep,
24970 .qc_issue = ata_dummy_qc_issue,
24971 .error_handler = ata_dummy_error_handler,
24972 diff -urNp linux-2.6.39.1/drivers/ata/libata-eh.c linux-2.6.39.1/drivers/ata/libata-eh.c
24973 --- linux-2.6.39.1/drivers/ata/libata-eh.c 2011-05-19 00:06:34.000000000 -0400
24974 +++ linux-2.6.39.1/drivers/ata/libata-eh.c 2011-05-22 19:36:30.000000000 -0400
24975 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
24976 {
24977 struct ata_link *link;
24978
24979 + pax_track_stack();
24980 +
24981 ata_for_each_link(link, ap, HOST_FIRST)
24982 ata_eh_link_report(link);
24983 }
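Review bot: `pax_track_stack()` is added to ata_eh_report() without a comment, although the function as shown declares only one pointer local, so the reason for tracking stack depth here is not evident from the hunk. Presumably the large frame comes from ata_eh_link_report() being inlined into this loop. If so, say it next to the call: `/* ata_eh_link_report() is inlined here and brings a large stack frame */`. Without that, a later refactor cannot tell whether the call is still needed.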
24984 @@ -3922,7 +3924,7 @@ void ata_do_eh(struct ata_port *ap, ata_
24985 */
24986 void ata_std_error_handler(struct ata_port *ap)
24987 {
24988 - struct ata_port_operations *ops = ap->ops;
24989 + const struct ata_port_operations *ops = ap->ops;
24990 ata_reset_fn_t hardreset = ops->hardreset;
24991
24992 /* ignore built-in hardreset if SCR access is not available */
24993 diff -urNp linux-2.6.39.1/drivers/ata/libata-pmp.c linux-2.6.39.1/drivers/ata/libata-pmp.c
24994 --- linux-2.6.39.1/drivers/ata/libata-pmp.c 2011-05-19 00:06:34.000000000 -0400
24995 +++ linux-2.6.39.1/drivers/ata/libata-pmp.c 2011-05-22 19:36:30.000000000 -0400
24996 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
24997 */
24998 static int sata_pmp_eh_recover(struct ata_port *ap)
24999 {
25000 - struct ata_port_operations *ops = ap->ops;
25001 + const struct ata_port_operations *ops = ap->ops;
25002 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25003 struct ata_link *pmp_link = &ap->link;
25004 struct ata_device *pmp_dev = pmp_link->device;
25005 diff -urNp linux-2.6.39.1/drivers/ata/pata_acpi.c linux-2.6.39.1/drivers/ata/pata_acpi.c
25006 --- linux-2.6.39.1/drivers/ata/pata_acpi.c 2011-05-19 00:06:34.000000000 -0400
25007 +++ linux-2.6.39.1/drivers/ata/pata_acpi.c 2011-05-22 19:36:30.000000000 -0400
25008 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
25009 ATA_BMDMA_SHT(DRV_NAME),
25010 };
25011
25012 -static struct ata_port_operations pacpi_ops = {
25013 +static const struct ata_port_operations pacpi_ops = {
25014 .inherits = &ata_bmdma_port_ops,
25015 .qc_issue = pacpi_qc_issue,
25016 .cable_detect = pacpi_cable_detect,
25017 diff -urNp linux-2.6.39.1/drivers/ata/pata_ali.c linux-2.6.39.1/drivers/ata/pata_ali.c
25018 --- linux-2.6.39.1/drivers/ata/pata_ali.c 2011-05-19 00:06:34.000000000 -0400
25019 +++ linux-2.6.39.1/drivers/ata/pata_ali.c 2011-05-22 19:36:30.000000000 -0400
25020 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
25021 * Port operations for PIO only ALi
25022 */
25023
25024 -static struct ata_port_operations ali_early_port_ops = {
25025 +static const struct ata_port_operations ali_early_port_ops = {
25026 .inherits = &ata_sff_port_ops,
25027 .cable_detect = ata_cable_40wire,
25028 .set_piomode = ali_set_piomode,
25029 @@ -380,7 +380,7 @@ static const struct ata_port_operations
25030 * Port operations for DMA capable ALi without cable
25031 * detect
25032 */
25033 -static struct ata_port_operations ali_20_port_ops = {
25034 +static const struct ata_port_operations ali_20_port_ops = {
25035 .inherits = &ali_dma_base_ops,
25036 .cable_detect = ata_cable_40wire,
25037 .mode_filter = ali_20_filter,
25038 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
25039 /*
25040 * Port operations for DMA capable ALi with cable detect
25041 */
25042 -static struct ata_port_operations ali_c2_port_ops = {
25043 +static const struct ata_port_operations ali_c2_port_ops = {
25044 .inherits = &ali_dma_base_ops,
25045 .check_atapi_dma = ali_check_atapi_dma,
25046 .cable_detect = ali_c2_cable_detect,
25047 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
25048 /*
25049 * Port operations for DMA capable ALi with cable detect
25050 */
25051 -static struct ata_port_operations ali_c4_port_ops = {
25052 +static const struct ata_port_operations ali_c4_port_ops = {
25053 .inherits = &ali_dma_base_ops,
25054 .check_atapi_dma = ali_check_atapi_dma,
25055 .cable_detect = ali_c2_cable_detect,
25056 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
25057 /*
25058 * Port operations for DMA capable ALi with cable detect and LBA48
25059 */
25060 -static struct ata_port_operations ali_c5_port_ops = {
25061 +static const struct ata_port_operations ali_c5_port_ops = {
25062 .inherits = &ali_dma_base_ops,
25063 .check_atapi_dma = ali_check_atapi_dma,
25064 .dev_config = ali_warn_atapi_dma,
25065 diff -urNp linux-2.6.39.1/drivers/ata/pata_amd.c linux-2.6.39.1/drivers/ata/pata_amd.c
25066 --- linux-2.6.39.1/drivers/ata/pata_amd.c 2011-05-19 00:06:34.000000000 -0400
25067 +++ linux-2.6.39.1/drivers/ata/pata_amd.c 2011-05-22 19:36:31.000000000 -0400
25068 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25069 .prereset = amd_pre_reset,
25070 };
25071
25072 -static struct ata_port_operations amd33_port_ops = {
25073 +static const struct ata_port_operations amd33_port_ops = {
25074 .inherits = &amd_base_port_ops,
25075 .cable_detect = ata_cable_40wire,
25076 .set_piomode = amd33_set_piomode,
25077 .set_dmamode = amd33_set_dmamode,
25078 };
25079
25080 -static struct ata_port_operations amd66_port_ops = {
25081 +static const struct ata_port_operations amd66_port_ops = {
25082 .inherits = &amd_base_port_ops,
25083 .cable_detect = ata_cable_unknown,
25084 .set_piomode = amd66_set_piomode,
25085 .set_dmamode = amd66_set_dmamode,
25086 };
25087
25088 -static struct ata_port_operations amd100_port_ops = {
25089 +static const struct ata_port_operations amd100_port_ops = {
25090 .inherits = &amd_base_port_ops,
25091 .cable_detect = ata_cable_unknown,
25092 .set_piomode = amd100_set_piomode,
25093 .set_dmamode = amd100_set_dmamode,
25094 };
25095
25096 -static struct ata_port_operations amd133_port_ops = {
25097 +static const struct ata_port_operations amd133_port_ops = {
25098 .inherits = &amd_base_port_ops,
25099 .cable_detect = amd_cable_detect,
25100 .set_piomode = amd133_set_piomode,
25101 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25102 .host_stop = nv_host_stop,
25103 };
25104
25105 -static struct ata_port_operations nv100_port_ops = {
25106 +static const struct ata_port_operations nv100_port_ops = {
25107 .inherits = &nv_base_port_ops,
25108 .set_piomode = nv100_set_piomode,
25109 .set_dmamode = nv100_set_dmamode,
25110 };
25111
25112 -static struct ata_port_operations nv133_port_ops = {
25113 +static const struct ata_port_operations nv133_port_ops = {
25114 .inherits = &nv_base_port_ops,
25115 .set_piomode = nv133_set_piomode,
25116 .set_dmamode = nv133_set_dmamode,
25117 diff -urNp linux-2.6.39.1/drivers/ata/pata_arasan_cf.c linux-2.6.39.1/drivers/ata/pata_arasan_cf.c
25118 --- linux-2.6.39.1/drivers/ata/pata_arasan_cf.c 2011-05-19 00:06:34.000000000 -0400
25119 +++ linux-2.6.39.1/drivers/ata/pata_arasan_cf.c 2011-05-22 19:36:31.000000000 -0400
25120 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
25121 /* Handle platform specific quirks */
25122 if (pdata->quirk) {
25123 if (pdata->quirk & CF_BROKEN_PIO) {
25124 - ap->ops->set_piomode = NULL;
25125 + pax_open_kernel();
25126 + *(void**)&ap->ops->set_piomode = NULL;
25127 + pax_close_kernel();
25128 ap->pio_mask = 0;
25129 }
25130 if (pdata->quirk & CF_BROKEN_MWDMA)
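Review bot: `*(void**)&ap->ops->set_piomode = NULL;` strips both the `const` and the function-pointer type to patch an ops table at probe time, and the write changes the table for every port that points at it, not just this device. A table meant to be read-only is better left unwritten: a second `const struct ata_port_operations` without `set_piomode`, selected when `CF_BROKEN_PIO` is set, would remove the need for the `pax_open_kernel()` window here. If the in-place write stays, a comment such as `/* quirk: patch the const ops table in place; affects all ports using it */` should record that. The ops table definition and the rest of arasan_cf_probe() are outside the hunk, so whether the table is shared between ports is inferred.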
25131 diff -urNp linux-2.6.39.1/drivers/ata/pata_artop.c linux-2.6.39.1/drivers/ata/pata_artop.c
25132 --- linux-2.6.39.1/drivers/ata/pata_artop.c 2011-05-19 00:06:34.000000000 -0400
25133 +++ linux-2.6.39.1/drivers/ata/pata_artop.c 2011-05-22 19:36:31.000000000 -0400
25134 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
25135 ATA_BMDMA_SHT(DRV_NAME),
25136 };
25137
25138 -static struct ata_port_operations artop6210_ops = {
25139 +static const struct ata_port_operations artop6210_ops = {
25140 .inherits = &ata_bmdma_port_ops,
25141 .cable_detect = ata_cable_40wire,
25142 .set_piomode = artop6210_set_piomode,
25143 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
25144 .qc_defer = artop6210_qc_defer,
25145 };
25146
25147 -static struct ata_port_operations artop6260_ops = {
25148 +static const struct ata_port_operations artop6260_ops = {
25149 .inherits = &ata_bmdma_port_ops,
25150 .cable_detect = artop6260_cable_detect,
25151 .set_piomode = artop6260_set_piomode,
25152 diff -urNp linux-2.6.39.1/drivers/ata/pata_at32.c linux-2.6.39.1/drivers/ata/pata_at32.c
25153 --- linux-2.6.39.1/drivers/ata/pata_at32.c 2011-05-19 00:06:34.000000000 -0400
25154 +++ linux-2.6.39.1/drivers/ata/pata_at32.c 2011-05-22 19:36:31.000000000 -0400
25155 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
25156 ATA_PIO_SHT(DRV_NAME),
25157 };
25158
25159 -static struct ata_port_operations at32_port_ops = {
25160 +static const struct ata_port_operations at32_port_ops = {
25161 .inherits = &ata_sff_port_ops,
25162 .cable_detect = ata_cable_40wire,
25163 .set_piomode = pata_at32_set_piomode,
25164 diff -urNp linux-2.6.39.1/drivers/ata/pata_at91.c linux-2.6.39.1/drivers/ata/pata_at91.c
25165 --- linux-2.6.39.1/drivers/ata/pata_at91.c 2011-05-19 00:06:34.000000000 -0400
25166 +++ linux-2.6.39.1/drivers/ata/pata_at91.c 2011-05-22 19:36:31.000000000 -0400
25167 @@ -212,7 +212,7 @@ static struct scsi_host_template pata_at
25168 ATA_PIO_SHT(DRV_NAME),
25169 };
25170
25171 -static struct ata_port_operations pata_at91_port_ops = {
25172 +static const struct ata_port_operations pata_at91_port_ops = {
25173 .inherits = &ata_sff_port_ops,
25174
25175 .sff_data_xfer = pata_at91_data_xfer_noirq,
25176 diff -urNp linux-2.6.39.1/drivers/ata/pata_atiixp.c linux-2.6.39.1/drivers/ata/pata_atiixp.c
25177 --- linux-2.6.39.1/drivers/ata/pata_atiixp.c 2011-05-19 00:06:34.000000000 -0400
25178 +++ linux-2.6.39.1/drivers/ata/pata_atiixp.c 2011-05-22 19:36:31.000000000 -0400
25179 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
25180 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25181 };
25182
25183 -static struct ata_port_operations atiixp_port_ops = {
25184 +static const struct ata_port_operations atiixp_port_ops = {
25185 .inherits = &ata_bmdma_port_ops,
25186
25187 .qc_prep = ata_bmdma_dumb_qc_prep,
25188 diff -urNp linux-2.6.39.1/drivers/ata/pata_atp867x.c linux-2.6.39.1/drivers/ata/pata_atp867x.c
25189 --- linux-2.6.39.1/drivers/ata/pata_atp867x.c 2011-05-19 00:06:34.000000000 -0400
25190 +++ linux-2.6.39.1/drivers/ata/pata_atp867x.c 2011-05-22 19:36:31.000000000 -0400
25191 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
25192 ATA_BMDMA_SHT(DRV_NAME),
25193 };
25194
25195 -static struct ata_port_operations atp867x_ops = {
25196 +static const struct ata_port_operations atp867x_ops = {
25197 .inherits = &ata_bmdma_port_ops,
25198 .cable_detect = atp867x_cable_detect,
25199 .set_piomode = atp867x_set_piomode,
25200 diff -urNp linux-2.6.39.1/drivers/ata/pata_bf54x.c linux-2.6.39.1/drivers/ata/pata_bf54x.c
25201 --- linux-2.6.39.1/drivers/ata/pata_bf54x.c 2011-05-19 00:06:34.000000000 -0400
25202 +++ linux-2.6.39.1/drivers/ata/pata_bf54x.c 2011-05-22 19:36:31.000000000 -0400
25203 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
25204 .dma_boundary = ATA_DMA_BOUNDARY,
25205 };
25206
25207 -static struct ata_port_operations bfin_pata_ops = {
25208 +static const struct ata_port_operations bfin_pata_ops = {
25209 .inherits = &ata_bmdma_port_ops,
25210
25211 .set_piomode = bfin_set_piomode,
25212 diff -urNp linux-2.6.39.1/drivers/ata/pata_cmd640.c linux-2.6.39.1/drivers/ata/pata_cmd640.c
25213 --- linux-2.6.39.1/drivers/ata/pata_cmd640.c 2011-05-19 00:06:34.000000000 -0400
25214 +++ linux-2.6.39.1/drivers/ata/pata_cmd640.c 2011-05-22 19:36:31.000000000 -0400
25215 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
25216 ATA_PIO_SHT(DRV_NAME),
25217 };
25218
25219 -static struct ata_port_operations cmd640_port_ops = {
25220 +static const struct ata_port_operations cmd640_port_ops = {
25221 .inherits = &ata_sff_port_ops,
25222 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25223 .sff_data_xfer = ata_sff_data_xfer_noirq,
25224 diff -urNp linux-2.6.39.1/drivers/ata/pata_cmd64x.c linux-2.6.39.1/drivers/ata/pata_cmd64x.c
25225 --- linux-2.6.39.1/drivers/ata/pata_cmd64x.c 2011-06-03 00:04:13.000000000 -0400
25226 +++ linux-2.6.39.1/drivers/ata/pata_cmd64x.c 2011-06-03 00:32:05.000000000 -0400
25227 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25228 .set_dmamode = cmd64x_set_dmamode,
25229 };
25230
25231 -static struct ata_port_operations cmd64x_port_ops = {
25232 +static const struct ata_port_operations cmd64x_port_ops = {
25233 .inherits = &cmd64x_base_ops,
25234 .cable_detect = ata_cable_40wire,
25235 };
25236
25237 -static struct ata_port_operations cmd646r1_port_ops = {
25238 +static const struct ata_port_operations cmd646r1_port_ops = {
25239 .inherits = &cmd64x_base_ops,
25240 .bmdma_stop = cmd646r1_bmdma_stop,
25241 .cable_detect = ata_cable_40wire,
25242 };
25243
25244 -static struct ata_port_operations cmd648_port_ops = {
25245 +static const struct ata_port_operations cmd648_port_ops = {
25246 .inherits = &cmd64x_base_ops,
25247 .bmdma_stop = cmd648_bmdma_stop,
25248 .cable_detect = cmd648_cable_detect,
25249 diff -urNp linux-2.6.39.1/drivers/ata/pata_cs5520.c linux-2.6.39.1/drivers/ata/pata_cs5520.c
25250 --- linux-2.6.39.1/drivers/ata/pata_cs5520.c 2011-05-19 00:06:34.000000000 -0400
25251 +++ linux-2.6.39.1/drivers/ata/pata_cs5520.c 2011-05-22 19:36:31.000000000 -0400
25252 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
25253 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25254 };
25255
25256 -static struct ata_port_operations cs5520_port_ops = {
25257 +static const struct ata_port_operations cs5520_port_ops = {
25258 .inherits = &ata_bmdma_port_ops,
25259 .qc_prep = ata_bmdma_dumb_qc_prep,
25260 .cable_detect = ata_cable_40wire,
25261 diff -urNp linux-2.6.39.1/drivers/ata/pata_cs5530.c linux-2.6.39.1/drivers/ata/pata_cs5530.c
25262 --- linux-2.6.39.1/drivers/ata/pata_cs5530.c 2011-05-19 00:06:34.000000000 -0400
25263 +++ linux-2.6.39.1/drivers/ata/pata_cs5530.c 2011-05-22 19:36:31.000000000 -0400
25264 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25265 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25266 };
25267
25268 -static struct ata_port_operations cs5530_port_ops = {
25269 +static const struct ata_port_operations cs5530_port_ops = {
25270 .inherits = &ata_bmdma_port_ops,
25271
25272 .qc_prep = ata_bmdma_dumb_qc_prep,
25273 diff -urNp linux-2.6.39.1/drivers/ata/pata_cs5535.c linux-2.6.39.1/drivers/ata/pata_cs5535.c
25274 --- linux-2.6.39.1/drivers/ata/pata_cs5535.c 2011-05-19 00:06:34.000000000 -0400
25275 +++ linux-2.6.39.1/drivers/ata/pata_cs5535.c 2011-05-22 19:36:31.000000000 -0400
25276 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25277 ATA_BMDMA_SHT(DRV_NAME),
25278 };
25279
25280 -static struct ata_port_operations cs5535_port_ops = {
25281 +static const struct ata_port_operations cs5535_port_ops = {
25282 .inherits = &ata_bmdma_port_ops,
25283 .cable_detect = cs5535_cable_detect,
25284 .set_piomode = cs5535_set_piomode,
25285 diff -urNp linux-2.6.39.1/drivers/ata/pata_cs5536.c linux-2.6.39.1/drivers/ata/pata_cs5536.c
25286 --- linux-2.6.39.1/drivers/ata/pata_cs5536.c 2011-05-19 00:06:34.000000000 -0400
25287 +++ linux-2.6.39.1/drivers/ata/pata_cs5536.c 2011-05-22 19:36:31.000000000 -0400
25288 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
25289 ATA_BMDMA_SHT(DRV_NAME),
25290 };
25291
25292 -static struct ata_port_operations cs5536_port_ops = {
25293 +static const struct ata_port_operations cs5536_port_ops = {
25294 .inherits = &ata_bmdma32_port_ops,
25295 .cable_detect = cs5536_cable_detect,
25296 .set_piomode = cs5536_set_piomode,
25297 diff -urNp linux-2.6.39.1/drivers/ata/pata_cypress.c linux-2.6.39.1/drivers/ata/pata_cypress.c
25298 --- linux-2.6.39.1/drivers/ata/pata_cypress.c 2011-05-19 00:06:34.000000000 -0400
25299 +++ linux-2.6.39.1/drivers/ata/pata_cypress.c 2011-05-22 19:36:31.000000000 -0400
25300 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
25301 ATA_BMDMA_SHT(DRV_NAME),
25302 };
25303
25304 -static struct ata_port_operations cy82c693_port_ops = {
25305 +static const struct ata_port_operations cy82c693_port_ops = {
25306 .inherits = &ata_bmdma_port_ops,
25307 .cable_detect = ata_cable_40wire,
25308 .set_piomode = cy82c693_set_piomode,
25309 diff -urNp linux-2.6.39.1/drivers/ata/pata_efar.c linux-2.6.39.1/drivers/ata/pata_efar.c
25310 --- linux-2.6.39.1/drivers/ata/pata_efar.c 2011-05-19 00:06:34.000000000 -0400
25311 +++ linux-2.6.39.1/drivers/ata/pata_efar.c 2011-05-22 19:36:31.000000000 -0400
25312 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
25313 ATA_BMDMA_SHT(DRV_NAME),
25314 };
25315
25316 -static struct ata_port_operations efar_ops = {
25317 +static const struct ata_port_operations efar_ops = {
25318 .inherits = &ata_bmdma_port_ops,
25319 .cable_detect = efar_cable_detect,
25320 .set_piomode = efar_set_piomode,
25321 diff -urNp linux-2.6.39.1/drivers/ata/pata_hpt366.c linux-2.6.39.1/drivers/ata/pata_hpt366.c
25322 --- linux-2.6.39.1/drivers/ata/pata_hpt366.c 2011-05-19 00:06:34.000000000 -0400
25323 +++ linux-2.6.39.1/drivers/ata/pata_hpt366.c 2011-05-22 19:36:31.000000000 -0400
25324 @@ -276,7 +276,7 @@ static struct scsi_host_template hpt36x_
25325 * Configuration for HPT366/68
25326 */
25327
25328 -static struct ata_port_operations hpt366_port_ops = {
25329 +static const struct ata_port_operations hpt366_port_ops = {
25330 .inherits = &ata_bmdma_port_ops,
25331 .cable_detect = hpt36x_cable_detect,
25332 .mode_filter = hpt366_filter,
25333 diff -urNp linux-2.6.39.1/drivers/ata/pata_hpt37x.c linux-2.6.39.1/drivers/ata/pata_hpt37x.c
25334 --- linux-2.6.39.1/drivers/ata/pata_hpt37x.c 2011-05-19 00:06:34.000000000 -0400
25335 +++ linux-2.6.39.1/drivers/ata/pata_hpt37x.c 2011-05-22 19:36:31.000000000 -0400
25336 @@ -589,7 +589,7 @@ static struct scsi_host_template hpt37x_
25337 * Configuration for HPT370
25338 */
25339
25340 -static struct ata_port_operations hpt370_port_ops = {
25341 +static const struct ata_port_operations hpt370_port_ops = {
25342 .inherits = &ata_bmdma_port_ops,
25343
25344 .bmdma_stop = hpt370_bmdma_stop,
25345 @@ -605,7 +605,7 @@ static struct ata_port_operations hpt370
25346 * Configuration for HPT370A. Close to 370 but less filters
25347 */
25348
25349 -static struct ata_port_operations hpt370a_port_ops = {
25350 +static const struct ata_port_operations hpt370a_port_ops = {
25351 .inherits = &hpt370_port_ops,
25352 .mode_filter = hpt370a_filter,
25353 };
25354 @@ -615,7 +615,7 @@ static struct ata_port_operations hpt370
25355 * mode setting functionality.
25356 */
25357
25358 -static struct ata_port_operations hpt302_port_ops = {
25359 +static const struct ata_port_operations hpt302_port_ops = {
25360 .inherits = &ata_bmdma_port_ops,
25361
25362 .bmdma_stop = hpt37x_bmdma_stop,
25363 @@ -631,7 +631,7 @@ static struct ata_port_operations hpt302
25364 * but we have a mode filter.
25365 */
25366
25367 -static struct ata_port_operations hpt372_port_ops = {
25368 +static const struct ata_port_operations hpt372_port_ops = {
25369 .inherits = &hpt302_port_ops,
25370 .mode_filter = hpt372_filter,
25371 };
25372 @@ -641,7 +641,7 @@ static struct ata_port_operations hpt372
25373 * but we have a different cable detection procedure for function 1.
25374 */
25375
25376 -static struct ata_port_operations hpt374_fn1_port_ops = {
25377 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25378 .inherits = &hpt372_port_ops,
25379 .cable_detect = hpt374_fn1_cable_detect,
25380 };
25381 diff -urNp linux-2.6.39.1/drivers/ata/pata_hpt3x2n.c linux-2.6.39.1/drivers/ata/pata_hpt3x2n.c
25382 --- linux-2.6.39.1/drivers/ata/pata_hpt3x2n.c 2011-05-19 00:06:34.000000000 -0400
25383 +++ linux-2.6.39.1/drivers/ata/pata_hpt3x2n.c 2011-05-22 19:36:31.000000000 -0400
25384 @@ -350,7 +350,7 @@ static struct scsi_host_template hpt3x2n
25385 * Configuration for HPT302N/371N.
25386 */
25387
25388 -static struct ata_port_operations hpt3xxn_port_ops = {
25389 +static const struct ata_port_operations hpt3xxn_port_ops = {
25390 .inherits = &ata_bmdma_port_ops,
25391
25392 .bmdma_stop = hpt3x2n_bmdma_stop,
25393 @@ -368,7 +368,7 @@ static struct ata_port_operations hpt3xx
25394 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
25395 */
25396
25397 -static struct ata_port_operations hpt372n_port_ops = {
25398 +static const struct ata_port_operations hpt372n_port_ops = {
25399 .inherits = &hpt3xxn_port_ops,
25400 .mode_filter = &hpt372n_filter,
25401 };
25402 diff -urNp linux-2.6.39.1/drivers/ata/pata_hpt3x3.c linux-2.6.39.1/drivers/ata/pata_hpt3x3.c
25403 --- linux-2.6.39.1/drivers/ata/pata_hpt3x3.c 2011-05-19 00:06:34.000000000 -0400
25404 +++ linux-2.6.39.1/drivers/ata/pata_hpt3x3.c 2011-05-22 19:36:31.000000000 -0400
25405 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25406 ATA_BMDMA_SHT(DRV_NAME),
25407 };
25408
25409 -static struct ata_port_operations hpt3x3_port_ops = {
25410 +static const struct ata_port_operations hpt3x3_port_ops = {
25411 .inherits = &ata_bmdma_port_ops,
25412 .cable_detect = ata_cable_40wire,
25413 .set_piomode = hpt3x3_set_piomode,
25414 diff -urNp linux-2.6.39.1/drivers/ata/pata_icside.c linux-2.6.39.1/drivers/ata/pata_icside.c
25415 --- linux-2.6.39.1/drivers/ata/pata_icside.c 2011-05-19 00:06:34.000000000 -0400
25416 +++ linux-2.6.39.1/drivers/ata/pata_icside.c 2011-05-22 19:36:31.000000000 -0400
25417 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
25418 }
25419 }
25420
25421 -static struct ata_port_operations pata_icside_port_ops = {
25422 +static const struct ata_port_operations pata_icside_port_ops = {
25423 .inherits = &ata_bmdma_port_ops,
25424 /* no need to build any PRD tables for DMA */
25425 .qc_prep = ata_noop_qc_prep,
25426 diff -urNp linux-2.6.39.1/drivers/ata/pata_isapnp.c linux-2.6.39.1/drivers/ata/pata_isapnp.c
25427 --- linux-2.6.39.1/drivers/ata/pata_isapnp.c 2011-05-19 00:06:34.000000000 -0400
25428 +++ linux-2.6.39.1/drivers/ata/pata_isapnp.c 2011-05-22 19:36:31.000000000 -0400
25429 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25430 ATA_PIO_SHT(DRV_NAME),
25431 };
25432
25433 -static struct ata_port_operations isapnp_port_ops = {
25434 +static const struct ata_port_operations isapnp_port_ops = {
25435 .inherits = &ata_sff_port_ops,
25436 .cable_detect = ata_cable_40wire,
25437 };
25438
25439 -static struct ata_port_operations isapnp_noalt_port_ops = {
25440 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25441 .inherits = &ata_sff_port_ops,
25442 .cable_detect = ata_cable_40wire,
25443 /* No altstatus so we don't want to use the lost interrupt poll */
25444 diff -urNp linux-2.6.39.1/drivers/ata/pata_it8213.c linux-2.6.39.1/drivers/ata/pata_it8213.c
25445 --- linux-2.6.39.1/drivers/ata/pata_it8213.c 2011-05-19 00:06:34.000000000 -0400
25446 +++ linux-2.6.39.1/drivers/ata/pata_it8213.c 2011-05-22 19:36:31.000000000 -0400
25447 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
25448 };
25449
25450
25451 -static struct ata_port_operations it8213_ops = {
25452 +static const struct ata_port_operations it8213_ops = {
25453 .inherits = &ata_bmdma_port_ops,
25454 .cable_detect = it8213_cable_detect,
25455 .set_piomode = it8213_set_piomode,
25456 diff -urNp linux-2.6.39.1/drivers/ata/pata_it821x.c linux-2.6.39.1/drivers/ata/pata_it821x.c
25457 --- linux-2.6.39.1/drivers/ata/pata_it821x.c 2011-05-19 00:06:34.000000000 -0400
25458 +++ linux-2.6.39.1/drivers/ata/pata_it821x.c 2011-05-22 19:36:31.000000000 -0400
25459 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
25460 ATA_BMDMA_SHT(DRV_NAME),
25461 };
25462
25463 -static struct ata_port_operations it821x_smart_port_ops = {
25464 +static const struct ata_port_operations it821x_smart_port_ops = {
25465 .inherits = &ata_bmdma_port_ops,
25466
25467 .check_atapi_dma= it821x_check_atapi_dma,
25468 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
25469 .port_start = it821x_port_start,
25470 };
25471
25472 -static struct ata_port_operations it821x_passthru_port_ops = {
25473 +static const struct ata_port_operations it821x_passthru_port_ops = {
25474 .inherits = &ata_bmdma_port_ops,
25475
25476 .check_atapi_dma= it821x_check_atapi_dma,
25477 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
25478 .port_start = it821x_port_start,
25479 };
25480
25481 -static struct ata_port_operations it821x_rdc_port_ops = {
25482 +static const struct ata_port_operations it821x_rdc_port_ops = {
25483 .inherits = &ata_bmdma_port_ops,
25484
25485 .check_atapi_dma= it821x_check_atapi_dma,
25486 diff -urNp linux-2.6.39.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.39.1/drivers/ata/pata_ixp4xx_cf.c
25487 --- linux-2.6.39.1/drivers/ata/pata_ixp4xx_cf.c 2011-05-19 00:06:34.000000000 -0400
25488 +++ linux-2.6.39.1/drivers/ata/pata_ixp4xx_cf.c 2011-05-22 19:36:31.000000000 -0400
25489 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25490 ATA_PIO_SHT(DRV_NAME),
25491 };
25492
25493 -static struct ata_port_operations ixp4xx_port_ops = {
25494 +static const struct ata_port_operations ixp4xx_port_ops = {
25495 .inherits = &ata_sff_port_ops,
25496 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25497 .cable_detect = ata_cable_40wire,
25498 diff -urNp linux-2.6.39.1/drivers/ata/pata_jmicron.c linux-2.6.39.1/drivers/ata/pata_jmicron.c
25499 --- linux-2.6.39.1/drivers/ata/pata_jmicron.c 2011-05-19 00:06:34.000000000 -0400
25500 +++ linux-2.6.39.1/drivers/ata/pata_jmicron.c 2011-05-22 19:36:31.000000000 -0400
25501 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25502 ATA_BMDMA_SHT(DRV_NAME),
25503 };
25504
25505 -static struct ata_port_operations jmicron_ops = {
25506 +static const struct ata_port_operations jmicron_ops = {
25507 .inherits = &ata_bmdma_port_ops,
25508 .prereset = jmicron_pre_reset,
25509 };
25510 diff -urNp linux-2.6.39.1/drivers/ata/pata_legacy.c linux-2.6.39.1/drivers/ata/pata_legacy.c
25511 --- linux-2.6.39.1/drivers/ata/pata_legacy.c 2011-05-19 00:06:34.000000000 -0400
25512 +++ linux-2.6.39.1/drivers/ata/pata_legacy.c 2011-05-22 19:36:31.000000000 -0400
25513 @@ -116,7 +116,7 @@ struct legacy_probe {
25514
25515 struct legacy_controller {
25516 const char *name;
25517 - struct ata_port_operations *ops;
25518 + const struct ata_port_operations *ops;
25519 unsigned int pio_mask;
25520 unsigned int flags;
25521 unsigned int pflags;
25522 @@ -239,12 +239,12 @@ static const struct ata_port_operations
25523 * pio_mask as well.
25524 */
25525
25526 -static struct ata_port_operations simple_port_ops = {
25527 +static const struct ata_port_operations simple_port_ops = {
25528 .inherits = &legacy_base_port_ops,
25529 .sff_data_xfer = ata_sff_data_xfer_noirq,
25530 };
25531
25532 -static struct ata_port_operations legacy_port_ops = {
25533 +static const struct ata_port_operations legacy_port_ops = {
25534 .inherits = &legacy_base_port_ops,
25535 .sff_data_xfer = ata_sff_data_xfer_noirq,
25536 .set_mode = legacy_set_mode,
25537 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
25538 return buflen;
25539 }
25540
25541 -static struct ata_port_operations pdc20230_port_ops = {
25542 +static const struct ata_port_operations pdc20230_port_ops = {
25543 .inherits = &legacy_base_port_ops,
25544 .set_piomode = pdc20230_set_piomode,
25545 .sff_data_xfer = pdc_data_xfer_vlb,
25546 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
25547 ioread8(ap->ioaddr.status_addr);
25548 }
25549
25550 -static struct ata_port_operations ht6560a_port_ops = {
25551 +static const struct ata_port_operations ht6560a_port_ops = {
25552 .inherits = &legacy_base_port_ops,
25553 .set_piomode = ht6560a_set_piomode,
25554 };
25555 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
25556 ioread8(ap->ioaddr.status_addr);
25557 }
25558
25559 -static struct ata_port_operations ht6560b_port_ops = {
25560 +static const struct ata_port_operations ht6560b_port_ops = {
25561 .inherits = &legacy_base_port_ops,
25562 .set_piomode = ht6560b_set_piomode,
25563 };
25564 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
25565 }
25566
25567
25568 -static struct ata_port_operations opti82c611a_port_ops = {
25569 +static const struct ata_port_operations opti82c611a_port_ops = {
25570 .inherits = &legacy_base_port_ops,
25571 .set_piomode = opti82c611a_set_piomode,
25572 };
25573 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
25574 return ata_sff_qc_issue(qc);
25575 }
25576
25577 -static struct ata_port_operations opti82c46x_port_ops = {
25578 +static const struct ata_port_operations opti82c46x_port_ops = {
25579 .inherits = &legacy_base_port_ops,
25580 .set_piomode = opti82c46x_set_piomode,
25581 .qc_issue = opti82c46x_qc_issue,
25582 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
25583 return 0;
25584 }
25585
25586 -static struct ata_port_operations qdi6500_port_ops = {
25587 +static const struct ata_port_operations qdi6500_port_ops = {
25588 .inherits = &legacy_base_port_ops,
25589 .set_piomode = qdi6500_set_piomode,
25590 .qc_issue = qdi_qc_issue,
25591 .sff_data_xfer = vlb32_data_xfer,
25592 };
25593
25594 -static struct ata_port_operations qdi6580_port_ops = {
25595 +static const struct ata_port_operations qdi6580_port_ops = {
25596 .inherits = &legacy_base_port_ops,
25597 .set_piomode = qdi6580_set_piomode,
25598 .sff_data_xfer = vlb32_data_xfer,
25599 };
25600
25601 -static struct ata_port_operations qdi6580dp_port_ops = {
25602 +static const struct ata_port_operations qdi6580dp_port_ops = {
25603 .inherits = &legacy_base_port_ops,
25604 .set_piomode = qdi6580dp_set_piomode,
25605 .qc_issue = qdi_qc_issue,
25606 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
25607 return 0;
25608 }
25609
25610 -static struct ata_port_operations winbond_port_ops = {
25611 +static const struct ata_port_operations winbond_port_ops = {
25612 .inherits = &legacy_base_port_ops,
25613 .set_piomode = winbond_set_piomode,
25614 .sff_data_xfer = vlb32_data_xfer,
25615 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
25616 int pio_modes = controller->pio_mask;
25617 unsigned long io = probe->port;
25618 u32 mask = (1 << probe->slot);
25619 - struct ata_port_operations *ops = controller->ops;
25620 + const struct ata_port_operations *ops = controller->ops;
25621 struct legacy_data *ld = &legacy_data[probe->slot];
25622 struct ata_host *host = NULL;
25623 struct ata_port *ap;
25624 diff -urNp linux-2.6.39.1/drivers/ata/pata_macio.c linux-2.6.39.1/drivers/ata/pata_macio.c
25625 --- linux-2.6.39.1/drivers/ata/pata_macio.c 2011-05-19 00:06:34.000000000 -0400
25626 +++ linux-2.6.39.1/drivers/ata/pata_macio.c 2011-05-22 19:36:31.000000000 -0400
25627 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
25628 .slave_configure = pata_macio_slave_config,
25629 };
25630
25631 -static struct ata_port_operations pata_macio_ops = {
25632 +static const struct ata_port_operations pata_macio_ops = {
25633 .inherits = &ata_bmdma_port_ops,
25634 -
25635 .freeze = pata_macio_freeze,
25636 .set_piomode = pata_macio_set_timings,
25637 .set_dmamode = pata_macio_set_timings,
25638 diff -urNp linux-2.6.39.1/drivers/ata/pata_marvell.c linux-2.6.39.1/drivers/ata/pata_marvell.c
25639 --- linux-2.6.39.1/drivers/ata/pata_marvell.c 2011-05-19 00:06:34.000000000 -0400
25640 +++ linux-2.6.39.1/drivers/ata/pata_marvell.c 2011-05-22 19:36:31.000000000 -0400
25641 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
25642 ATA_BMDMA_SHT(DRV_NAME),
25643 };
25644
25645 -static struct ata_port_operations marvell_ops = {
25646 +static const struct ata_port_operations marvell_ops = {
25647 .inherits = &ata_bmdma_port_ops,
25648 .cable_detect = marvell_cable_detect,
25649 .prereset = marvell_pre_reset,
25650 diff -urNp linux-2.6.39.1/drivers/ata/pata_mpc52xx.c linux-2.6.39.1/drivers/ata/pata_mpc52xx.c
25651 --- linux-2.6.39.1/drivers/ata/pata_mpc52xx.c 2011-05-19 00:06:34.000000000 -0400
25652 +++ linux-2.6.39.1/drivers/ata/pata_mpc52xx.c 2011-05-22 19:36:31.000000000 -0400
25653 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
25654 ATA_PIO_SHT(DRV_NAME),
25655 };
25656
25657 -static struct ata_port_operations mpc52xx_ata_port_ops = {
25658 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
25659 .inherits = &ata_bmdma_port_ops,
25660 .sff_dev_select = mpc52xx_ata_dev_select,
25661 .set_piomode = mpc52xx_ata_set_piomode,
25662 diff -urNp linux-2.6.39.1/drivers/ata/pata_mpiix.c linux-2.6.39.1/drivers/ata/pata_mpiix.c
25663 --- linux-2.6.39.1/drivers/ata/pata_mpiix.c 2011-05-19 00:06:34.000000000 -0400
25664 +++ linux-2.6.39.1/drivers/ata/pata_mpiix.c 2011-05-22 19:36:31.000000000 -0400
25665 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
25666 ATA_PIO_SHT(DRV_NAME),
25667 };
25668
25669 -static struct ata_port_operations mpiix_port_ops = {
25670 +static const struct ata_port_operations mpiix_port_ops = {
25671 .inherits = &ata_sff_port_ops,
25672 .qc_issue = mpiix_qc_issue,
25673 .cable_detect = ata_cable_40wire,
25674 diff -urNp linux-2.6.39.1/drivers/ata/pata_netcell.c linux-2.6.39.1/drivers/ata/pata_netcell.c
25675 --- linux-2.6.39.1/drivers/ata/pata_netcell.c 2011-05-19 00:06:34.000000000 -0400
25676 +++ linux-2.6.39.1/drivers/ata/pata_netcell.c 2011-05-22 19:36:31.000000000 -0400
25677 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
25678 ATA_BMDMA_SHT(DRV_NAME),
25679 };
25680
25681 -static struct ata_port_operations netcell_ops = {
25682 +static const struct ata_port_operations netcell_ops = {
25683 .inherits = &ata_bmdma_port_ops,
25684 .cable_detect = ata_cable_80wire,
25685 .read_id = netcell_read_id,
25686 diff -urNp linux-2.6.39.1/drivers/ata/pata_ninja32.c linux-2.6.39.1/drivers/ata/pata_ninja32.c
25687 --- linux-2.6.39.1/drivers/ata/pata_ninja32.c 2011-05-19 00:06:34.000000000 -0400
25688 +++ linux-2.6.39.1/drivers/ata/pata_ninja32.c 2011-05-22 19:36:31.000000000 -0400
25689 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
25690 ATA_BMDMA_SHT(DRV_NAME),
25691 };
25692
25693 -static struct ata_port_operations ninja32_port_ops = {
25694 +static const struct ata_port_operations ninja32_port_ops = {
25695 .inherits = &ata_bmdma_port_ops,
25696 .sff_dev_select = ninja32_dev_select,
25697 .cable_detect = ata_cable_40wire,
25698 diff -urNp linux-2.6.39.1/drivers/ata/pata_ns87410.c linux-2.6.39.1/drivers/ata/pata_ns87410.c
25699 --- linux-2.6.39.1/drivers/ata/pata_ns87410.c 2011-05-19 00:06:34.000000000 -0400
25700 +++ linux-2.6.39.1/drivers/ata/pata_ns87410.c 2011-05-22 19:36:31.000000000 -0400
25701 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
25702 ATA_PIO_SHT(DRV_NAME),
25703 };
25704
25705 -static struct ata_port_operations ns87410_port_ops = {
25706 +static const struct ata_port_operations ns87410_port_ops = {
25707 .inherits = &ata_sff_port_ops,
25708 .qc_issue = ns87410_qc_issue,
25709 .cable_detect = ata_cable_40wire,
25710 diff -urNp linux-2.6.39.1/drivers/ata/pata_ns87415.c linux-2.6.39.1/drivers/ata/pata_ns87415.c
25711 --- linux-2.6.39.1/drivers/ata/pata_ns87415.c 2011-05-19 00:06:34.000000000 -0400
25712 +++ linux-2.6.39.1/drivers/ata/pata_ns87415.c 2011-05-22 19:36:31.000000000 -0400
25713 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
25714 }
25715 #endif /* 87560 SuperIO Support */
25716
25717 -static struct ata_port_operations ns87415_pata_ops = {
25718 +static const struct ata_port_operations ns87415_pata_ops = {
25719 .inherits = &ata_bmdma_port_ops,
25720
25721 .check_atapi_dma = ns87415_check_atapi_dma,
25722 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
25723 };
25724
25725 #if defined(CONFIG_SUPERIO)
25726 -static struct ata_port_operations ns87560_pata_ops = {
25727 +static const struct ata_port_operations ns87560_pata_ops = {
25728 .inherits = &ns87415_pata_ops,
25729 .sff_tf_read = ns87560_tf_read,
25730 .sff_check_status = ns87560_check_status,
25731 diff -urNp linux-2.6.39.1/drivers/ata/pata_octeon_cf.c linux-2.6.39.1/drivers/ata/pata_octeon_cf.c
25732 --- linux-2.6.39.1/drivers/ata/pata_octeon_cf.c 2011-05-19 00:06:34.000000000 -0400
25733 +++ linux-2.6.39.1/drivers/ata/pata_octeon_cf.c 2011-05-22 19:36:31.000000000 -0400
25734 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
25735 return 0;
25736 }
25737
25738 -static struct ata_port_operations octeon_cf_ops = {
25739 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
25740 .inherits = &ata_sff_port_ops,
25741 .check_atapi_dma = octeon_cf_check_atapi_dma,
25742 .qc_prep = ata_noop_qc_prep,
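Review bot: The new `/* cannot be const */` on `octeon_cf_ops` gives no reason, which leaves the one writable function-pointer table in this run of hunks undocumented. If the reason is that the driver assigns members of the table at run time (not visible in this hunk, so this is inferred), say so in the comment, for example `/* cannot be const: members are assigned at probe time */`. Since a writable ops table is what the neighbouring hunks remove, it would also help to note whether selecting between separate const tables at probe would let this exception go away. The initializer continues past the end of the hunk.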
25743 diff -urNp linux-2.6.39.1/drivers/ata/pata_oldpiix.c linux-2.6.39.1/drivers/ata/pata_oldpiix.c
25744 --- linux-2.6.39.1/drivers/ata/pata_oldpiix.c 2011-05-19 00:06:34.000000000 -0400
25745 +++ linux-2.6.39.1/drivers/ata/pata_oldpiix.c 2011-05-22 19:36:31.000000000 -0400
25746 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
25747 ATA_BMDMA_SHT(DRV_NAME),
25748 };
25749
25750 -static struct ata_port_operations oldpiix_pata_ops = {
25751 +static const struct ata_port_operations oldpiix_pata_ops = {
25752 .inherits = &ata_bmdma_port_ops,
25753 .qc_issue = oldpiix_qc_issue,
25754 .cable_detect = ata_cable_40wire,
25755 diff -urNp linux-2.6.39.1/drivers/ata/pata_opti.c linux-2.6.39.1/drivers/ata/pata_opti.c
25756 --- linux-2.6.39.1/drivers/ata/pata_opti.c 2011-05-19 00:06:34.000000000 -0400
25757 +++ linux-2.6.39.1/drivers/ata/pata_opti.c 2011-05-22 19:36:31.000000000 -0400
25758 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
25759 ATA_PIO_SHT(DRV_NAME),
25760 };
25761
25762 -static struct ata_port_operations opti_port_ops = {
25763 +static const struct ata_port_operations opti_port_ops = {
25764 .inherits = &ata_sff_port_ops,
25765 .cable_detect = ata_cable_40wire,
25766 .set_piomode = opti_set_piomode,
25767 diff -urNp linux-2.6.39.1/drivers/ata/pata_optidma.c linux-2.6.39.1/drivers/ata/pata_optidma.c
25768 --- linux-2.6.39.1/drivers/ata/pata_optidma.c 2011-05-19 00:06:34.000000000 -0400
25769 +++ linux-2.6.39.1/drivers/ata/pata_optidma.c 2011-05-22 19:36:31.000000000 -0400
25770 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
25771 ATA_BMDMA_SHT(DRV_NAME),
25772 };
25773
25774 -static struct ata_port_operations optidma_port_ops = {
25775 +static const struct ata_port_operations optidma_port_ops = {
25776 .inherits = &ata_bmdma_port_ops,
25777 .cable_detect = ata_cable_40wire,
25778 .set_piomode = optidma_set_pio_mode,
25779 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
25780 .prereset = optidma_pre_reset,
25781 };
25782
25783 -static struct ata_port_operations optiplus_port_ops = {
25784 +static const struct ata_port_operations optiplus_port_ops = {
25785 .inherits = &optidma_port_ops,
25786 .set_piomode = optiplus_set_pio_mode,
25787 .set_dmamode = optiplus_set_dma_mode,
25788 diff -urNp linux-2.6.39.1/drivers/ata/pata_palmld.c linux-2.6.39.1/drivers/ata/pata_palmld.c
25789 --- linux-2.6.39.1/drivers/ata/pata_palmld.c 2011-05-19 00:06:34.000000000 -0400
25790 +++ linux-2.6.39.1/drivers/ata/pata_palmld.c 2011-05-22 19:36:31.000000000 -0400
25791 @@ -42,7 +42,7 @@ static struct scsi_host_template palmld_
25792 ATA_PIO_SHT(DRV_NAME),
25793 };
25794
25795 -static struct ata_port_operations palmld_port_ops = {
25796 +static const struct ata_port_operations palmld_port_ops = {
25797 .inherits = &ata_sff_port_ops,
25798 .sff_data_xfer = ata_sff_data_xfer_noirq,
25799 .cable_detect = ata_cable_40wire,
25800 diff -urNp linux-2.6.39.1/drivers/ata/pata_pcmcia.c linux-2.6.39.1/drivers/ata/pata_pcmcia.c
25801 --- linux-2.6.39.1/drivers/ata/pata_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
25802 +++ linux-2.6.39.1/drivers/ata/pata_pcmcia.c 2011-05-22 19:36:31.000000000 -0400
25803 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
25804 ATA_PIO_SHT(DRV_NAME),
25805 };
25806
25807 -static struct ata_port_operations pcmcia_port_ops = {
25808 +static const struct ata_port_operations pcmcia_port_ops = {
25809 .inherits = &ata_sff_port_ops,
25810 .sff_data_xfer = ata_sff_data_xfer_noirq,
25811 .cable_detect = ata_cable_40wire,
25812 .set_mode = pcmcia_set_mode,
25813 };
25814
25815 -static struct ata_port_operations pcmcia_8bit_port_ops = {
25816 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
25817 .inherits = &ata_sff_port_ops,
25818 .sff_data_xfer = ata_data_xfer_8bit,
25819 .cable_detect = ata_cable_40wire,
25820 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
25821 unsigned long io_base, ctl_base;
25822 void __iomem *io_addr, *ctl_addr;
25823 int n_ports = 1;
25824 - struct ata_port_operations *ops = &pcmcia_port_ops;
25825 + const struct ata_port_operations *ops = &pcmcia_port_ops;
25826
25827 /* Set up attributes in order to probe card and get resources */
25828 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
25829 diff -urNp linux-2.6.39.1/drivers/ata/pata_pdc2027x.c linux-2.6.39.1/drivers/ata/pata_pdc2027x.c
25830 --- linux-2.6.39.1/drivers/ata/pata_pdc2027x.c 2011-05-19 00:06:34.000000000 -0400
25831 +++ linux-2.6.39.1/drivers/ata/pata_pdc2027x.c 2011-05-22 19:36:31.000000000 -0400
25832 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
25833 ATA_BMDMA_SHT(DRV_NAME),
25834 };
25835
25836 -static struct ata_port_operations pdc2027x_pata100_ops = {
25837 +static const struct ata_port_operations pdc2027x_pata100_ops = {
25838 .inherits = &ata_bmdma_port_ops,
25839 .check_atapi_dma = pdc2027x_check_atapi_dma,
25840 .cable_detect = pdc2027x_cable_detect,
25841 .prereset = pdc2027x_prereset,
25842 };
25843
25844 -static struct ata_port_operations pdc2027x_pata133_ops = {
25845 +static const struct ata_port_operations pdc2027x_pata133_ops = {
25846 .inherits = &pdc2027x_pata100_ops,
25847 .mode_filter = pdc2027x_mode_filter,
25848 .set_piomode = pdc2027x_set_piomode,
25849 diff -urNp linux-2.6.39.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.39.1/drivers/ata/pata_pdc202xx_old.c
25850 --- linux-2.6.39.1/drivers/ata/pata_pdc202xx_old.c 2011-05-19 00:06:34.000000000 -0400
25851 +++ linux-2.6.39.1/drivers/ata/pata_pdc202xx_old.c 2011-05-22 19:36:31.000000000 -0400
25852 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
25853 ATA_BMDMA_SHT(DRV_NAME),
25854 };
25855
25856 -static struct ata_port_operations pdc2024x_port_ops = {
25857 +static const struct ata_port_operations pdc2024x_port_ops = {
25858 .inherits = &ata_bmdma_port_ops,
25859
25860 .cable_detect = ata_cable_40wire,
25861 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
25862 .sff_irq_check = pdc202xx_irq_check,
25863 };
25864
25865 -static struct ata_port_operations pdc2026x_port_ops = {
25866 +static const struct ata_port_operations pdc2026x_port_ops = {
25867 .inherits = &pdc2024x_port_ops,
25868
25869 .check_atapi_dma = pdc2026x_check_atapi_dma,
25870 diff -urNp linux-2.6.39.1/drivers/ata/pata_piccolo.c linux-2.6.39.1/drivers/ata/pata_piccolo.c
25871 --- linux-2.6.39.1/drivers/ata/pata_piccolo.c 2011-05-19 00:06:34.000000000 -0400
25872 +++ linux-2.6.39.1/drivers/ata/pata_piccolo.c 2011-05-22 19:36:31.000000000 -0400
25873 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
25874 ATA_BMDMA_SHT(DRV_NAME),
25875 };
25876
25877 -static struct ata_port_operations tosh_port_ops = {
25878 +static const struct ata_port_operations tosh_port_ops = {
25879 .inherits = &ata_bmdma_port_ops,
25880 .cable_detect = ata_cable_unknown,
25881 .set_piomode = tosh_set_piomode,
25882 diff -urNp linux-2.6.39.1/drivers/ata/pata_platform.c linux-2.6.39.1/drivers/ata/pata_platform.c
25883 --- linux-2.6.39.1/drivers/ata/pata_platform.c 2011-05-19 00:06:34.000000000 -0400
25884 +++ linux-2.6.39.1/drivers/ata/pata_platform.c 2011-05-22 19:36:31.000000000 -0400
25885 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
25886 ATA_PIO_SHT(DRV_NAME),
25887 };
25888
25889 -static struct ata_port_operations pata_platform_port_ops = {
25890 +static const struct ata_port_operations pata_platform_port_ops = {
25891 .inherits = &ata_sff_port_ops,
25892 .sff_data_xfer = ata_sff_data_xfer_noirq,
25893 .cable_detect = ata_cable_unknown,
25894 diff -urNp linux-2.6.39.1/drivers/ata/pata_pxa.c linux-2.6.39.1/drivers/ata/pata_pxa.c
25895 --- linux-2.6.39.1/drivers/ata/pata_pxa.c 2011-05-19 00:06:34.000000000 -0400
25896 +++ linux-2.6.39.1/drivers/ata/pata_pxa.c 2011-05-22 19:36:31.000000000 -0400
25897 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
25898 ATA_BMDMA_SHT(DRV_NAME),
25899 };
25900
25901 -static struct ata_port_operations pxa_ata_port_ops = {
25902 +static const struct ata_port_operations pxa_ata_port_ops = {
25903 .inherits = &ata_bmdma_port_ops,
25904 .cable_detect = ata_cable_40wire,
25905
25906 diff -urNp linux-2.6.39.1/drivers/ata/pata_qdi.c linux-2.6.39.1/drivers/ata/pata_qdi.c
25907 --- linux-2.6.39.1/drivers/ata/pata_qdi.c 2011-05-19 00:06:34.000000000 -0400
25908 +++ linux-2.6.39.1/drivers/ata/pata_qdi.c 2011-05-22 19:36:31.000000000 -0400
25909 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
25910 ATA_PIO_SHT(DRV_NAME),
25911 };
25912
25913 -static struct ata_port_operations qdi6500_port_ops = {
25914 +static const struct ata_port_operations qdi6500_port_ops = {
25915 .inherits = &ata_sff_port_ops,
25916 .qc_issue = qdi_qc_issue,
25917 .sff_data_xfer = qdi_data_xfer,
25918 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
25919 .set_piomode = qdi6500_set_piomode,
25920 };
25921
25922 -static struct ata_port_operations qdi6580_port_ops = {
25923 +static const struct ata_port_operations qdi6580_port_ops = {
25924 .inherits = &qdi6500_port_ops,
25925 .set_piomode = qdi6580_set_piomode,
25926 };
25927 diff -urNp linux-2.6.39.1/drivers/ata/pata_radisys.c linux-2.6.39.1/drivers/ata/pata_radisys.c
25928 --- linux-2.6.39.1/drivers/ata/pata_radisys.c 2011-05-19 00:06:34.000000000 -0400
25929 +++ linux-2.6.39.1/drivers/ata/pata_radisys.c 2011-05-22 19:36:31.000000000 -0400
25930 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
25931 ATA_BMDMA_SHT(DRV_NAME),
25932 };
25933
25934 -static struct ata_port_operations radisys_pata_ops = {
25935 +static const struct ata_port_operations radisys_pata_ops = {
25936 .inherits = &ata_bmdma_port_ops,
25937 .qc_issue = radisys_qc_issue,
25938 .cable_detect = ata_cable_unknown,
25939 diff -urNp linux-2.6.39.1/drivers/ata/pata_rb532_cf.c linux-2.6.39.1/drivers/ata/pata_rb532_cf.c
25940 --- linux-2.6.39.1/drivers/ata/pata_rb532_cf.c 2011-05-19 00:06:34.000000000 -0400
25941 +++ linux-2.6.39.1/drivers/ata/pata_rb532_cf.c 2011-05-22 19:36:31.000000000 -0400
25942 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
25943 return IRQ_HANDLED;
25944 }
25945
25946 -static struct ata_port_operations rb532_pata_port_ops = {
25947 +static const struct ata_port_operations rb532_pata_port_ops = {
25948 .inherits = &ata_sff_port_ops,
25949 .sff_data_xfer = ata_sff_data_xfer32,
25950 };
25951 diff -urNp linux-2.6.39.1/drivers/ata/pata_rdc.c linux-2.6.39.1/drivers/ata/pata_rdc.c
25952 --- linux-2.6.39.1/drivers/ata/pata_rdc.c 2011-05-19 00:06:34.000000000 -0400
25953 +++ linux-2.6.39.1/drivers/ata/pata_rdc.c 2011-05-22 19:36:31.000000000 -0400
25954 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
25955 pci_write_config_byte(dev, 0x48, udma_enable);
25956 }
25957
25958 -static struct ata_port_operations rdc_pata_ops = {
25959 +static const struct ata_port_operations rdc_pata_ops = {
25960 .inherits = &ata_bmdma32_port_ops,
25961 .cable_detect = rdc_pata_cable_detect,
25962 .set_piomode = rdc_set_piomode,
25963 diff -urNp linux-2.6.39.1/drivers/ata/pata_rz1000.c linux-2.6.39.1/drivers/ata/pata_rz1000.c
25964 --- linux-2.6.39.1/drivers/ata/pata_rz1000.c 2011-05-19 00:06:34.000000000 -0400
25965 +++ linux-2.6.39.1/drivers/ata/pata_rz1000.c 2011-05-22 19:36:31.000000000 -0400
25966 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
25967 ATA_PIO_SHT(DRV_NAME),
25968 };
25969
25970 -static struct ata_port_operations rz1000_port_ops = {
25971 +static const struct ata_port_operations rz1000_port_ops = {
25972 .inherits = &ata_sff_port_ops,
25973 .cable_detect = ata_cable_40wire,
25974 .set_mode = rz1000_set_mode,
25975 diff -urNp linux-2.6.39.1/drivers/ata/pata_samsung_cf.c linux-2.6.39.1/drivers/ata/pata_samsung_cf.c
25976 --- linux-2.6.39.1/drivers/ata/pata_samsung_cf.c 2011-05-19 00:06:34.000000000 -0400
25977 +++ linux-2.6.39.1/drivers/ata/pata_samsung_cf.c 2011-05-22 19:36:31.000000000 -0400
25978 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
25979 ATA_PIO_SHT(DRV_NAME),
25980 };
25981
25982 -static struct ata_port_operations pata_s3c_port_ops = {
25983 +static const struct ata_port_operations pata_s3c_port_ops = {
25984 .inherits = &ata_sff_port_ops,
25985 .sff_check_status = pata_s3c_check_status,
25986 .sff_check_altstatus = pata_s3c_check_altstatus,
25987 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
25988 .set_piomode = pata_s3c_set_piomode,
25989 };
25990
25991 -static struct ata_port_operations pata_s5p_port_ops = {
25992 +static const struct ata_port_operations pata_s5p_port_ops = {
25993 .inherits = &ata_sff_port_ops,
25994 .set_piomode = pata_s3c_set_piomode,
25995 };
25996 diff -urNp linux-2.6.39.1/drivers/ata/pata_sc1200.c linux-2.6.39.1/drivers/ata/pata_sc1200.c
25997 --- linux-2.6.39.1/drivers/ata/pata_sc1200.c 2011-05-19 00:06:34.000000000 -0400
25998 +++ linux-2.6.39.1/drivers/ata/pata_sc1200.c 2011-05-22 19:36:31.000000000 -0400
25999 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26000 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26001 };
26002
26003 -static struct ata_port_operations sc1200_port_ops = {
26004 +static const struct ata_port_operations sc1200_port_ops = {
26005 .inherits = &ata_bmdma_port_ops,
26006 .qc_prep = ata_bmdma_dumb_qc_prep,
26007 .qc_issue = sc1200_qc_issue,
26008 diff -urNp linux-2.6.39.1/drivers/ata/pata_scc.c linux-2.6.39.1/drivers/ata/pata_scc.c
26009 --- linux-2.6.39.1/drivers/ata/pata_scc.c 2011-05-19 00:06:34.000000000 -0400
26010 +++ linux-2.6.39.1/drivers/ata/pata_scc.c 2011-05-22 19:36:31.000000000 -0400
26011 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
26012 ATA_BMDMA_SHT(DRV_NAME),
26013 };
26014
26015 -static struct ata_port_operations scc_pata_ops = {
26016 +static const struct ata_port_operations scc_pata_ops = {
26017 .inherits = &ata_bmdma_port_ops,
26018
26019 .set_piomode = scc_set_piomode,
26020 diff -urNp linux-2.6.39.1/drivers/ata/pata_sch.c linux-2.6.39.1/drivers/ata/pata_sch.c
26021 --- linux-2.6.39.1/drivers/ata/pata_sch.c 2011-05-19 00:06:34.000000000 -0400
26022 +++ linux-2.6.39.1/drivers/ata/pata_sch.c 2011-05-22 19:36:31.000000000 -0400
26023 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26024 ATA_BMDMA_SHT(DRV_NAME),
26025 };
26026
26027 -static struct ata_port_operations sch_pata_ops = {
26028 +static const struct ata_port_operations sch_pata_ops = {
26029 .inherits = &ata_bmdma_port_ops,
26030 .cable_detect = ata_cable_unknown,
26031 .set_piomode = sch_set_piomode,
26032 diff -urNp linux-2.6.39.1/drivers/ata/pata_serverworks.c linux-2.6.39.1/drivers/ata/pata_serverworks.c
26033 --- linux-2.6.39.1/drivers/ata/pata_serverworks.c 2011-05-19 00:06:34.000000000 -0400
26034 +++ linux-2.6.39.1/drivers/ata/pata_serverworks.c 2011-05-22 19:36:31.000000000 -0400
26035 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
26036 ATA_BMDMA_SHT(DRV_NAME),
26037 };
26038
26039 -static struct ata_port_operations serverworks_osb4_port_ops = {
26040 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26041 .inherits = &ata_bmdma_port_ops,
26042 .cable_detect = serverworks_cable_detect,
26043 .mode_filter = serverworks_osb4_filter,
26044 @@ -308,7 +308,7 @@ static struct ata_port_operations server
26045 .set_dmamode = serverworks_set_dmamode,
26046 };
26047
26048 -static struct ata_port_operations serverworks_csb_port_ops = {
26049 +static const struct ata_port_operations serverworks_csb_port_ops = {
26050 .inherits = &serverworks_osb4_port_ops,
26051 .mode_filter = serverworks_csb_filter,
26052 };
26053 diff -urNp linux-2.6.39.1/drivers/ata/pata_sil680.c linux-2.6.39.1/drivers/ata/pata_sil680.c
26054 --- linux-2.6.39.1/drivers/ata/pata_sil680.c 2011-05-19 00:06:34.000000000 -0400
26055 +++ linux-2.6.39.1/drivers/ata/pata_sil680.c 2011-05-22 19:36:31.000000000 -0400
26056 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
26057 ATA_BMDMA_SHT(DRV_NAME),
26058 };
26059
26060 -
26061 -static struct ata_port_operations sil680_port_ops = {
26062 +static const struct ata_port_operations sil680_port_ops = {
26063 .inherits = &ata_bmdma32_port_ops,
26064 .sff_exec_command = sil680_sff_exec_command,
26065 .sff_irq_check = sil680_sff_irq_check,
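Review bot: The removal of the second blank line before `sil680_port_ops` is unrelated to the constification and is the only whitespace change among the drivers/ata hunks shown here. In an out-of-tree patch that is rebased onto each kernel release, incidental whitespace edits are a common source of avoidable conflicts. I would keep the hunk to the single `static const struct ata_port_operations sil680_port_ops = {` line and leave the blank line alone.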
26066 diff -urNp linux-2.6.39.1/drivers/ata/pata_sis.c linux-2.6.39.1/drivers/ata/pata_sis.c
26067 --- linux-2.6.39.1/drivers/ata/pata_sis.c 2011-05-19 00:06:34.000000000 -0400
26068 +++ linux-2.6.39.1/drivers/ata/pata_sis.c 2011-05-22 19:36:31.000000000 -0400
26069 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26070 ATA_BMDMA_SHT(DRV_NAME),
26071 };
26072
26073 -static struct ata_port_operations sis_133_for_sata_ops = {
26074 +static const struct ata_port_operations sis_133_for_sata_ops = {
26075 .inherits = &ata_bmdma_port_ops,
26076 .set_piomode = sis_133_set_piomode,
26077 .set_dmamode = sis_133_set_dmamode,
26078 .cable_detect = sis_133_cable_detect,
26079 };
26080
26081 -static struct ata_port_operations sis_base_ops = {
26082 +static const struct ata_port_operations sis_base_ops = {
26083 .inherits = &ata_bmdma_port_ops,
26084 .prereset = sis_pre_reset,
26085 };
26086
26087 -static struct ata_port_operations sis_133_ops = {
26088 +static const struct ata_port_operations sis_133_ops = {
26089 .inherits = &sis_base_ops,
26090 .set_piomode = sis_133_set_piomode,
26091 .set_dmamode = sis_133_set_dmamode,
26092 .cable_detect = sis_133_cable_detect,
26093 };
26094
26095 -static struct ata_port_operations sis_133_early_ops = {
26096 +static const struct ata_port_operations sis_133_early_ops = {
26097 .inherits = &sis_base_ops,
26098 .set_piomode = sis_100_set_piomode,
26099 .set_dmamode = sis_133_early_set_dmamode,
26100 .cable_detect = sis_66_cable_detect,
26101 };
26102
26103 -static struct ata_port_operations sis_100_ops = {
26104 +static const struct ata_port_operations sis_100_ops = {
26105 .inherits = &sis_base_ops,
26106 .set_piomode = sis_100_set_piomode,
26107 .set_dmamode = sis_100_set_dmamode,
26108 .cable_detect = sis_66_cable_detect,
26109 };
26110
26111 -static struct ata_port_operations sis_66_ops = {
26112 +static const struct ata_port_operations sis_66_ops = {
26113 .inherits = &sis_base_ops,
26114 .set_piomode = sis_old_set_piomode,
26115 .set_dmamode = sis_66_set_dmamode,
26116 .cable_detect = sis_66_cable_detect,
26117 };
26118
26119 -static struct ata_port_operations sis_old_ops = {
26120 +static const struct ata_port_operations sis_old_ops = {
26121 .inherits = &sis_base_ops,
26122 .set_piomode = sis_old_set_piomode,
26123 .set_dmamode = sis_old_set_dmamode,
26124 diff -urNp linux-2.6.39.1/drivers/ata/pata_sl82c105.c linux-2.6.39.1/drivers/ata/pata_sl82c105.c
26125 --- linux-2.6.39.1/drivers/ata/pata_sl82c105.c 2011-05-19 00:06:34.000000000 -0400
26126 +++ linux-2.6.39.1/drivers/ata/pata_sl82c105.c 2011-05-22 19:36:31.000000000 -0400
26127 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
26128 ATA_BMDMA_SHT(DRV_NAME),
26129 };
26130
26131 -static struct ata_port_operations sl82c105_port_ops = {
26132 +static const struct ata_port_operations sl82c105_port_ops = {
26133 .inherits = &ata_bmdma_port_ops,
26134 .qc_defer = sl82c105_qc_defer,
26135 .bmdma_start = sl82c105_bmdma_start,
26136 diff -urNp linux-2.6.39.1/drivers/ata/pata_triflex.c linux-2.6.39.1/drivers/ata/pata_triflex.c
26137 --- linux-2.6.39.1/drivers/ata/pata_triflex.c 2011-05-19 00:06:34.000000000 -0400
26138 +++ linux-2.6.39.1/drivers/ata/pata_triflex.c 2011-05-22 19:36:31.000000000 -0400
26139 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26140 ATA_BMDMA_SHT(DRV_NAME),
26141 };
26142
26143 -static struct ata_port_operations triflex_port_ops = {
26144 +static const struct ata_port_operations triflex_port_ops = {
26145 .inherits = &ata_bmdma_port_ops,
26146 .bmdma_start = triflex_bmdma_start,
26147 .bmdma_stop = triflex_bmdma_stop,
26148 diff -urNp linux-2.6.39.1/drivers/ata/pata_via.c linux-2.6.39.1/drivers/ata/pata_via.c
26149 --- linux-2.6.39.1/drivers/ata/pata_via.c 2011-05-19 00:06:34.000000000 -0400
26150 +++ linux-2.6.39.1/drivers/ata/pata_via.c 2011-05-22 19:36:31.000000000 -0400
26151 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
26152 ATA_BMDMA_SHT(DRV_NAME),
26153 };
26154
26155 -static struct ata_port_operations via_port_ops = {
26156 +static const struct ata_port_operations via_port_ops = {
26157 .inherits = &ata_bmdma_port_ops,
26158 .cable_detect = via_cable_detect,
26159 .set_piomode = via_set_piomode,
26160 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
26161 .mode_filter = via_mode_filter,
26162 };
26163
26164 -static struct ata_port_operations via_port_ops_noirq = {
26165 +static const struct ata_port_operations via_port_ops_noirq = {
26166 .inherits = &via_port_ops,
26167 .sff_data_xfer = ata_sff_data_xfer_noirq,
26168 };
26169 diff -urNp linux-2.6.39.1/drivers/ata/pdc_adma.c linux-2.6.39.1/drivers/ata/pdc_adma.c
26170 --- linux-2.6.39.1/drivers/ata/pdc_adma.c 2011-05-19 00:06:34.000000000 -0400
26171 +++ linux-2.6.39.1/drivers/ata/pdc_adma.c 2011-05-22 19:36:31.000000000 -0400
26172 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
26173 .dma_boundary = ADMA_DMA_BOUNDARY,
26174 };
26175
26176 -static struct ata_port_operations adma_ata_ops = {
26177 +static const struct ata_port_operations adma_ata_ops = {
26178 .inherits = &ata_sff_port_ops,
26179
26180 .lost_interrupt = ATA_OP_NULL,
26181 diff -urNp linux-2.6.39.1/drivers/ata/sata_dwc_460ex.c linux-2.6.39.1/drivers/ata/sata_dwc_460ex.c
26182 --- linux-2.6.39.1/drivers/ata/sata_dwc_460ex.c 2011-05-19 00:06:34.000000000 -0400
26183 +++ linux-2.6.39.1/drivers/ata/sata_dwc_460ex.c 2011-05-22 19:36:31.000000000 -0400
26184 @@ -1598,7 +1598,7 @@ static struct scsi_host_template sata_dw
26185 .dma_boundary = ATA_DMA_BOUNDARY,
26186 };
26187
26188 -static struct ata_port_operations sata_dwc_ops = {
26189 +static const struct ata_port_operations sata_dwc_ops = {
26190 .inherits = &ata_sff_port_ops,
26191
26192 .error_handler = sata_dwc_error_handler,
26193 diff -urNp linux-2.6.39.1/drivers/ata/sata_fsl.c linux-2.6.39.1/drivers/ata/sata_fsl.c
26194 --- linux-2.6.39.1/drivers/ata/sata_fsl.c 2011-05-19 00:06:34.000000000 -0400
26195 +++ linux-2.6.39.1/drivers/ata/sata_fsl.c 2011-05-22 19:36:31.000000000 -0400
26196 @@ -1268,7 +1268,7 @@ static struct scsi_host_template sata_fs
26197 .dma_boundary = ATA_DMA_BOUNDARY,
26198 };
26199
26200 -static struct ata_port_operations sata_fsl_ops = {
26201 +static const struct ata_port_operations sata_fsl_ops = {
26202 .inherits = &sata_pmp_port_ops,
26203
26204 .qc_defer = ata_std_qc_defer,
26205 diff -urNp linux-2.6.39.1/drivers/ata/sata_inic162x.c linux-2.6.39.1/drivers/ata/sata_inic162x.c
26206 --- linux-2.6.39.1/drivers/ata/sata_inic162x.c 2011-05-19 00:06:34.000000000 -0400
26207 +++ linux-2.6.39.1/drivers/ata/sata_inic162x.c 2011-05-22 19:36:31.000000000 -0400
26208 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
26209 return 0;
26210 }
26211
26212 -static struct ata_port_operations inic_port_ops = {
26213 +static const struct ata_port_operations inic_port_ops = {
26214 .inherits = &sata_port_ops,
26215
26216 .check_atapi_dma = inic_check_atapi_dma,
26217 diff -urNp linux-2.6.39.1/drivers/ata/sata_mv.c linux-2.6.39.1/drivers/ata/sata_mv.c
26218 --- linux-2.6.39.1/drivers/ata/sata_mv.c 2011-05-19 00:06:34.000000000 -0400
26219 +++ linux-2.6.39.1/drivers/ata/sata_mv.c 2011-05-22 19:36:31.000000000 -0400
26220 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
26221 .dma_boundary = MV_DMA_BOUNDARY,
26222 };
26223
26224 -static struct ata_port_operations mv5_ops = {
26225 +static const struct ata_port_operations mv5_ops = {
26226 .inherits = &ata_sff_port_ops,
26227
26228 .lost_interrupt = ATA_OP_NULL,
26229 @@ -682,7 +682,7 @@ static struct ata_port_operations mv5_op
26230 .port_stop = mv_port_stop,
26231 };
26232
26233 -static struct ata_port_operations mv6_ops = {
26234 +static const struct ata_port_operations mv6_ops = {
26235 .inherits = &ata_bmdma_port_ops,
26236
26237 .lost_interrupt = ATA_OP_NULL,
26238 @@ -716,7 +716,7 @@ static struct ata_port_operations mv6_op
26239 .port_stop = mv_port_stop,
26240 };
26241
26242 -static struct ata_port_operations mv_iie_ops = {
26243 +static const struct ata_port_operations mv_iie_ops = {
26244 .inherits = &mv6_ops,
26245 .dev_config = ATA_OP_NULL,
26246 .qc_prep = mv_qc_prep_iie,
26247 diff -urNp linux-2.6.39.1/drivers/ata/sata_nv.c linux-2.6.39.1/drivers/ata/sata_nv.c
26248 --- linux-2.6.39.1/drivers/ata/sata_nv.c 2011-05-19 00:06:34.000000000 -0400
26249 +++ linux-2.6.39.1/drivers/ata/sata_nv.c 2011-05-22 19:36:31.000000000 -0400
26250 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
26251 * cases. Define nv_hardreset() which only kicks in for post-boot
26252 * probing and use it for all variants.
26253 */
26254 -static struct ata_port_operations nv_generic_ops = {
26255 +static const struct ata_port_operations nv_generic_ops = {
26256 .inherits = &ata_bmdma_port_ops,
26257 .lost_interrupt = ATA_OP_NULL,
26258 .scr_read = nv_scr_read,
26259 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
26260 .hardreset = nv_hardreset,
26261 };
26262
26263 -static struct ata_port_operations nv_nf2_ops = {
26264 +static const struct ata_port_operations nv_nf2_ops = {
26265 .inherits = &nv_generic_ops,
26266 .freeze = nv_nf2_freeze,
26267 .thaw = nv_nf2_thaw,
26268 };
26269
26270 -static struct ata_port_operations nv_ck804_ops = {
26271 +static const struct ata_port_operations nv_ck804_ops = {
26272 .inherits = &nv_generic_ops,
26273 .freeze = nv_ck804_freeze,
26274 .thaw = nv_ck804_thaw,
26275 .host_stop = nv_ck804_host_stop,
26276 };
26277
26278 -static struct ata_port_operations nv_adma_ops = {
26279 +static const struct ata_port_operations nv_adma_ops = {
26280 .inherits = &nv_ck804_ops,
26281
26282 .check_atapi_dma = nv_adma_check_atapi_dma,
26283 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
26284 .host_stop = nv_adma_host_stop,
26285 };
26286
26287 -static struct ata_port_operations nv_swncq_ops = {
26288 +static const struct ata_port_operations nv_swncq_ops = {
26289 .inherits = &nv_generic_ops,
26290
26291 .qc_defer = ata_std_qc_defer,
26292 diff -urNp linux-2.6.39.1/drivers/ata/sata_promise.c linux-2.6.39.1/drivers/ata/sata_promise.c
26293 --- linux-2.6.39.1/drivers/ata/sata_promise.c 2011-05-19 00:06:34.000000000 -0400
26294 +++ linux-2.6.39.1/drivers/ata/sata_promise.c 2011-05-22 19:36:31.000000000 -0400
26295 @@ -194,7 +194,7 @@ static const struct ata_port_operations
26296 .error_handler = pdc_error_handler,
26297 };
26298
26299 -static struct ata_port_operations pdc_sata_ops = {
26300 +static const struct ata_port_operations pdc_sata_ops = {
26301 .inherits = &pdc_common_ops,
26302 .cable_detect = pdc_sata_cable_detect,
26303 .freeze = pdc_sata_freeze,
26304 @@ -207,14 +207,14 @@ static struct ata_port_operations pdc_sa
26305
26306 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26307 and ->freeze/thaw that ignore the hotplug controls. */
26308 -static struct ata_port_operations pdc_old_sata_ops = {
26309 +static const struct ata_port_operations pdc_old_sata_ops = {
26310 .inherits = &pdc_sata_ops,
26311 .freeze = pdc_freeze,
26312 .thaw = pdc_thaw,
26313 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26314 };
26315
26316 -static struct ata_port_operations pdc_pata_ops = {
26317 +static const struct ata_port_operations pdc_pata_ops = {
26318 .inherits = &pdc_common_ops,
26319 .cable_detect = pdc_pata_cable_detect,
26320 .freeze = pdc_freeze,
26321 diff -urNp linux-2.6.39.1/drivers/ata/sata_qstor.c linux-2.6.39.1/drivers/ata/sata_qstor.c
26322 --- linux-2.6.39.1/drivers/ata/sata_qstor.c 2011-05-19 00:06:34.000000000 -0400
26323 +++ linux-2.6.39.1/drivers/ata/sata_qstor.c 2011-05-22 19:36:31.000000000 -0400
26324 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
26325 .dma_boundary = QS_DMA_BOUNDARY,
26326 };
26327
26328 -static struct ata_port_operations qs_ata_ops = {
26329 +static const struct ata_port_operations qs_ata_ops = {
26330 .inherits = &ata_sff_port_ops,
26331
26332 .check_atapi_dma = qs_check_atapi_dma,
26333 diff -urNp linux-2.6.39.1/drivers/ata/sata_sil24.c linux-2.6.39.1/drivers/ata/sata_sil24.c
26334 --- linux-2.6.39.1/drivers/ata/sata_sil24.c 2011-05-19 00:06:34.000000000 -0400
26335 +++ linux-2.6.39.1/drivers/ata/sata_sil24.c 2011-05-22 19:36:31.000000000 -0400
26336 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26337 .dma_boundary = ATA_DMA_BOUNDARY,
26338 };
26339
26340 -static struct ata_port_operations sil24_ops = {
26341 +static const struct ata_port_operations sil24_ops = {
26342 .inherits = &sata_pmp_port_ops,
26343
26344 .qc_defer = sil24_qc_defer,
26345 diff -urNp linux-2.6.39.1/drivers/ata/sata_sil.c linux-2.6.39.1/drivers/ata/sata_sil.c
26346 --- linux-2.6.39.1/drivers/ata/sata_sil.c 2011-05-19 00:06:34.000000000 -0400
26347 +++ linux-2.6.39.1/drivers/ata/sata_sil.c 2011-05-22 19:36:31.000000000 -0400
26348 @@ -181,7 +181,7 @@ static struct scsi_host_template sil_sht
26349 .sg_tablesize = ATA_MAX_PRD
26350 };
26351
26352 -static struct ata_port_operations sil_ops = {
26353 +static const struct ata_port_operations sil_ops = {
26354 .inherits = &ata_bmdma32_port_ops,
26355 .dev_config = sil_dev_config,
26356 .set_mode = sil_set_mode,
26357 diff -urNp linux-2.6.39.1/drivers/ata/sata_sis.c linux-2.6.39.1/drivers/ata/sata_sis.c
26358 --- linux-2.6.39.1/drivers/ata/sata_sis.c 2011-05-19 00:06:34.000000000 -0400
26359 +++ linux-2.6.39.1/drivers/ata/sata_sis.c 2011-05-22 19:36:31.000000000 -0400
26360 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26361 ATA_BMDMA_SHT(DRV_NAME),
26362 };
26363
26364 -static struct ata_port_operations sis_ops = {
26365 +static const struct ata_port_operations sis_ops = {
26366 .inherits = &ata_bmdma_port_ops,
26367 .scr_read = sis_scr_read,
26368 .scr_write = sis_scr_write,
26369 diff -urNp linux-2.6.39.1/drivers/ata/sata_svw.c linux-2.6.39.1/drivers/ata/sata_svw.c
26370 --- linux-2.6.39.1/drivers/ata/sata_svw.c 2011-05-19 00:06:34.000000000 -0400
26371 +++ linux-2.6.39.1/drivers/ata/sata_svw.c 2011-05-22 19:36:31.000000000 -0400
26372 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26373 };
26374
26375
26376 -static struct ata_port_operations k2_sata_ops = {
26377 +static const struct ata_port_operations k2_sata_ops = {
26378 .inherits = &ata_bmdma_port_ops,
26379 .sff_tf_load = k2_sata_tf_load,
26380 .sff_tf_read = k2_sata_tf_read,
26381 diff -urNp linux-2.6.39.1/drivers/ata/sata_sx4.c linux-2.6.39.1/drivers/ata/sata_sx4.c
26382 --- linux-2.6.39.1/drivers/ata/sata_sx4.c 2011-05-19 00:06:34.000000000 -0400
26383 +++ linux-2.6.39.1/drivers/ata/sata_sx4.c 2011-05-22 19:36:31.000000000 -0400
26384 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
26385 };
26386
26387 /* TODO: inherit from base port_ops after converting to new EH */
26388 -static struct ata_port_operations pdc_20621_ops = {
26389 +static const struct ata_port_operations pdc_20621_ops = {
26390 .inherits = &ata_sff_port_ops,
26391
26392 .check_atapi_dma = pdc_check_atapi_dma,
26393 diff -urNp linux-2.6.39.1/drivers/ata/sata_uli.c linux-2.6.39.1/drivers/ata/sata_uli.c
26394 --- linux-2.6.39.1/drivers/ata/sata_uli.c 2011-05-19 00:06:34.000000000 -0400
26395 +++ linux-2.6.39.1/drivers/ata/sata_uli.c 2011-05-22 19:36:31.000000000 -0400
26396 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
26397 ATA_BMDMA_SHT(DRV_NAME),
26398 };
26399
26400 -static struct ata_port_operations uli_ops = {
26401 +static const struct ata_port_operations uli_ops = {
26402 .inherits = &ata_bmdma_port_ops,
26403 .scr_read = uli_scr_read,
26404 .scr_write = uli_scr_write,
26405 diff -urNp linux-2.6.39.1/drivers/ata/sata_via.c linux-2.6.39.1/drivers/ata/sata_via.c
26406 --- linux-2.6.39.1/drivers/ata/sata_via.c 2011-05-19 00:06:34.000000000 -0400
26407 +++ linux-2.6.39.1/drivers/ata/sata_via.c 2011-05-22 19:36:31.000000000 -0400
26408 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26409 ATA_BMDMA_SHT(DRV_NAME),
26410 };
26411
26412 -static struct ata_port_operations svia_base_ops = {
26413 +static const struct ata_port_operations svia_base_ops = {
26414 .inherits = &ata_bmdma_port_ops,
26415 .sff_tf_load = svia_tf_load,
26416 };
26417
26418 -static struct ata_port_operations vt6420_sata_ops = {
26419 +static const struct ata_port_operations vt6420_sata_ops = {
26420 .inherits = &svia_base_ops,
26421 .freeze = svia_noop_freeze,
26422 .prereset = vt6420_prereset,
26423 .bmdma_start = vt6420_bmdma_start,
26424 };
26425
26426 -static struct ata_port_operations vt6421_pata_ops = {
26427 +static const struct ata_port_operations vt6421_pata_ops = {
26428 .inherits = &svia_base_ops,
26429 .cable_detect = vt6421_pata_cable_detect,
26430 .set_piomode = vt6421_set_pio_mode,
26431 .set_dmamode = vt6421_set_dma_mode,
26432 };
26433
26434 -static struct ata_port_operations vt6421_sata_ops = {
26435 +static const struct ata_port_operations vt6421_sata_ops = {
26436 .inherits = &svia_base_ops,
26437 .scr_read = svia_scr_read,
26438 .scr_write = svia_scr_write,
26439 };
26440
26441 -static struct ata_port_operations vt8251_ops = {
26442 +static const struct ata_port_operations vt8251_ops = {
26443 .inherits = &svia_base_ops,
26444 .hardreset = sata_std_hardreset,
26445 .scr_read = vt8251_scr_read,
26446 diff -urNp linux-2.6.39.1/drivers/ata/sata_vsc.c linux-2.6.39.1/drivers/ata/sata_vsc.c
26447 --- linux-2.6.39.1/drivers/ata/sata_vsc.c 2011-05-19 00:06:34.000000000 -0400
26448 +++ linux-2.6.39.1/drivers/ata/sata_vsc.c 2011-05-22 19:36:31.000000000 -0400
26449 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
26450 };
26451
26452
26453 -static struct ata_port_operations vsc_sata_ops = {
26454 +static const struct ata_port_operations vsc_sata_ops = {
26455 .inherits = &ata_bmdma_port_ops,
26456 /* The IRQ handling is not quite standard SFF behaviour so we
26457 cannot use the default lost interrupt handler */
26458 diff -urNp linux-2.6.39.1/drivers/atm/adummy.c linux-2.6.39.1/drivers/atm/adummy.c
26459 --- linux-2.6.39.1/drivers/atm/adummy.c 2011-05-19 00:06:34.000000000 -0400
26460 +++ linux-2.6.39.1/drivers/atm/adummy.c 2011-05-22 19:36:31.000000000 -0400
26461 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
26462 vcc->pop(vcc, skb);
26463 else
26464 dev_kfree_skb_any(skb);
26465 - atomic_inc(&vcc->stats->tx);
26466 + atomic_inc_unchecked(&vcc->stats->tx);
26467
26468 return 0;
26469 }
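Review bot: Switching `vcc->stats->tx` to `atomic_inc_unchecked()` takes this counter out of whatever overflow detection the patch attaches to plain `atomic_inc()` (presumably the PaX reference-counter hardening), and nothing in the hunk says why that is safe. The justification is that this is a traffic statistic which may wrap and never decides an object's lifetime. That should be written next to the call or, better, once at the stats structure, for example `/* statistics only: wraparound is harmless, exempt from overflow checking */`. The stats fields must also be declared with the matching unchecked atomic type for this to compile, and that declaration is not in this hunk. The same point covers the `atomic_inc_unchecked()` hunks in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c and he.c below. When reviewing them, confirm that none of the converted counters is ever read back to make a freeing or bounds decision. The body of `adummy_send` starts outside the hunk.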
26470 diff -urNp linux-2.6.39.1/drivers/atm/ambassador.c linux-2.6.39.1/drivers/atm/ambassador.c
26471 --- linux-2.6.39.1/drivers/atm/ambassador.c 2011-05-19 00:06:34.000000000 -0400
26472 +++ linux-2.6.39.1/drivers/atm/ambassador.c 2011-05-22 19:36:31.000000000 -0400
26473 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
26474 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26475
26476 // VC layer stats
26477 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26478 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26479
26480 // free the descriptor
26481 kfree (tx_descr);
26482 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
26483 dump_skb ("<<<", vc, skb);
26484
26485 // VC layer stats
26486 - atomic_inc(&atm_vcc->stats->rx);
26487 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26488 __net_timestamp(skb);
26489 // end of our responsibility
26490 atm_vcc->push (atm_vcc, skb);
26491 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
26492 } else {
26493 PRINTK (KERN_INFO, "dropped over-size frame");
26494 // should we count this?
26495 - atomic_inc(&atm_vcc->stats->rx_drop);
26496 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26497 }
26498
26499 } else {
26500 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
26501 }
26502
26503 if (check_area (skb->data, skb->len)) {
26504 - atomic_inc(&atm_vcc->stats->tx_err);
26505 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26506 return -ENOMEM; // ?
26507 }
26508
26509 diff -urNp linux-2.6.39.1/drivers/atm/atmtcp.c linux-2.6.39.1/drivers/atm/atmtcp.c
26510 --- linux-2.6.39.1/drivers/atm/atmtcp.c 2011-05-19 00:06:34.000000000 -0400
26511 +++ linux-2.6.39.1/drivers/atm/atmtcp.c 2011-05-22 19:36:31.000000000 -0400
26512 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
26513 if (vcc->pop) vcc->pop(vcc,skb);
26514 else dev_kfree_skb(skb);
26515 if (dev_data) return 0;
26516 - atomic_inc(&vcc->stats->tx_err);
26517 + atomic_inc_unchecked(&vcc->stats->tx_err);
26518 return -ENOLINK;
26519 }
26520 size = skb->len+sizeof(struct atmtcp_hdr);
26521 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
26522 if (!new_skb) {
26523 if (vcc->pop) vcc->pop(vcc,skb);
26524 else dev_kfree_skb(skb);
26525 - atomic_inc(&vcc->stats->tx_err);
26526 + atomic_inc_unchecked(&vcc->stats->tx_err);
26527 return -ENOBUFS;
26528 }
26529 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26530 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
26531 if (vcc->pop) vcc->pop(vcc,skb);
26532 else dev_kfree_skb(skb);
26533 out_vcc->push(out_vcc,new_skb);
26534 - atomic_inc(&vcc->stats->tx);
26535 - atomic_inc(&out_vcc->stats->rx);
26536 + atomic_inc_unchecked(&vcc->stats->tx);
26537 + atomic_inc_unchecked(&out_vcc->stats->rx);
26538 return 0;
26539 }
26540
26541 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
26542 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26543 read_unlock(&vcc_sklist_lock);
26544 if (!out_vcc) {
26545 - atomic_inc(&vcc->stats->tx_err);
26546 + atomic_inc_unchecked(&vcc->stats->tx_err);
26547 goto done;
26548 }
26549 skb_pull(skb,sizeof(struct atmtcp_hdr));
26550 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
26551 __net_timestamp(new_skb);
26552 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26553 out_vcc->push(out_vcc,new_skb);
26554 - atomic_inc(&vcc->stats->tx);
26555 - atomic_inc(&out_vcc->stats->rx);
26556 + atomic_inc_unchecked(&vcc->stats->tx);
26557 + atomic_inc_unchecked(&out_vcc->stats->rx);
26558 done:
26559 if (vcc->pop) vcc->pop(vcc,skb);
26560 else dev_kfree_skb(skb);
26561 diff -urNp linux-2.6.39.1/drivers/atm/eni.c linux-2.6.39.1/drivers/atm/eni.c
26562 --- linux-2.6.39.1/drivers/atm/eni.c 2011-05-19 00:06:34.000000000 -0400
26563 +++ linux-2.6.39.1/drivers/atm/eni.c 2011-05-22 19:36:31.000000000 -0400
26564 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26565 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26566 vcc->dev->number);
26567 length = 0;
26568 - atomic_inc(&vcc->stats->rx_err);
26569 + atomic_inc_unchecked(&vcc->stats->rx_err);
26570 }
26571 else {
26572 length = ATM_CELL_SIZE-1; /* no HEC */
26573 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26574 size);
26575 }
26576 eff = length = 0;
26577 - atomic_inc(&vcc->stats->rx_err);
26578 + atomic_inc_unchecked(&vcc->stats->rx_err);
26579 }
26580 else {
26581 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26582 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26583 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26584 vcc->dev->number,vcc->vci,length,size << 2,descr);
26585 length = eff = 0;
26586 - atomic_inc(&vcc->stats->rx_err);
26587 + atomic_inc_unchecked(&vcc->stats->rx_err);
26588 }
26589 }
26590 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26591 @@ -771,7 +771,7 @@ rx_dequeued++;
26592 vcc->push(vcc,skb);
26593 pushed++;
26594 }
26595 - atomic_inc(&vcc->stats->rx);
26596 + atomic_inc_unchecked(&vcc->stats->rx);
26597 }
26598 wake_up(&eni_dev->rx_wait);
26599 }
26600 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
26601 PCI_DMA_TODEVICE);
26602 if (vcc->pop) vcc->pop(vcc,skb);
26603 else dev_kfree_skb_irq(skb);
26604 - atomic_inc(&vcc->stats->tx);
26605 + atomic_inc_unchecked(&vcc->stats->tx);
26606 wake_up(&eni_dev->tx_wait);
26607 dma_complete++;
26608 }
26609 diff -urNp linux-2.6.39.1/drivers/atm/firestream.c linux-2.6.39.1/drivers/atm/firestream.c
26610 --- linux-2.6.39.1/drivers/atm/firestream.c 2011-05-19 00:06:34.000000000 -0400
26611 +++ linux-2.6.39.1/drivers/atm/firestream.c 2011-05-22 19:36:31.000000000 -0400
26612 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
26613 }
26614 }
26615
26616 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26617 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26618
26619 fs_dprintk (FS_DEBUG_TXMEM, "i");
26620 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
26621 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
26622 #endif
26623 skb_put (skb, qe->p1 & 0xffff);
26624 ATM_SKB(skb)->vcc = atm_vcc;
26625 - atomic_inc(&atm_vcc->stats->rx);
26626 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26627 __net_timestamp(skb);
26628 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
26629 atm_vcc->push (atm_vcc, skb);
26630 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
26631 kfree (pe);
26632 }
26633 if (atm_vcc)
26634 - atomic_inc(&atm_vcc->stats->rx_drop);
26635 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26636 break;
26637 case 0x1f: /* Reassembly abort: no buffers. */
26638 /* Silently increment error counter. */
26639 if (atm_vcc)
26640 - atomic_inc(&atm_vcc->stats->rx_drop);
26641 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26642 break;
26643 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
26644 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
26645 diff -urNp linux-2.6.39.1/drivers/atm/fore200e.c linux-2.6.39.1/drivers/atm/fore200e.c
26646 --- linux-2.6.39.1/drivers/atm/fore200e.c 2011-05-19 00:06:34.000000000 -0400
26647 +++ linux-2.6.39.1/drivers/atm/fore200e.c 2011-05-22 19:36:31.000000000 -0400
26648 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
26649 #endif
26650 /* check error condition */
26651 if (*entry->status & STATUS_ERROR)
26652 - atomic_inc(&vcc->stats->tx_err);
26653 + atomic_inc_unchecked(&vcc->stats->tx_err);
26654 else
26655 - atomic_inc(&vcc->stats->tx);
26656 + atomic_inc_unchecked(&vcc->stats->tx);
26657 }
26658 }
26659
26660 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
26661 if (skb == NULL) {
26662 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
26663
26664 - atomic_inc(&vcc->stats->rx_drop);
26665 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26666 return -ENOMEM;
26667 }
26668
26669 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
26670
26671 dev_kfree_skb_any(skb);
26672
26673 - atomic_inc(&vcc->stats->rx_drop);
26674 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26675 return -ENOMEM;
26676 }
26677
26678 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26679
26680 vcc->push(vcc, skb);
26681 - atomic_inc(&vcc->stats->rx);
26682 + atomic_inc_unchecked(&vcc->stats->rx);
26683
26684 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26685
26686 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
26687 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
26688 fore200e->atm_dev->number,
26689 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
26690 - atomic_inc(&vcc->stats->rx_err);
26691 + atomic_inc_unchecked(&vcc->stats->rx_err);
26692 }
26693 }
26694
26695 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
26696 goto retry_here;
26697 }
26698
26699 - atomic_inc(&vcc->stats->tx_err);
26700 + atomic_inc_unchecked(&vcc->stats->tx_err);
26701
26702 fore200e->tx_sat++;
26703 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
26704 diff -urNp linux-2.6.39.1/drivers/atm/he.c linux-2.6.39.1/drivers/atm/he.c
26705 --- linux-2.6.39.1/drivers/atm/he.c 2011-05-19 00:06:34.000000000 -0400
26706 +++ linux-2.6.39.1/drivers/atm/he.c 2011-05-22 19:36:31.000000000 -0400
26707 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26708
26709 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
26710 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
26711 - atomic_inc(&vcc->stats->rx_drop);
26712 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26713 goto return_host_buffers;
26714 }
26715
26716 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26717 RBRQ_LEN_ERR(he_dev->rbrq_head)
26718 ? "LEN_ERR" : "",
26719 vcc->vpi, vcc->vci);
26720 - atomic_inc(&vcc->stats->rx_err);
26721 + atomic_inc_unchecked(&vcc->stats->rx_err);
26722 goto return_host_buffers;
26723 }
26724
26725 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26726 vcc->push(vcc, skb);
26727 spin_lock(&he_dev->global_lock);
26728
26729 - atomic_inc(&vcc->stats->rx);
26730 + atomic_inc_unchecked(&vcc->stats->rx);
26731
26732 return_host_buffers:
26733 ++pdus_assembled;
26734 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
26735 tpd->vcc->pop(tpd->vcc, tpd->skb);
26736 else
26737 dev_kfree_skb_any(tpd->skb);
26738 - atomic_inc(&tpd->vcc->stats->tx_err);
26739 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
26740 }
26741 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
26742 return;
26743 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26744 vcc->pop(vcc, skb);
26745 else
26746 dev_kfree_skb_any(skb);
26747 - atomic_inc(&vcc->stats->tx_err);
26748 + atomic_inc_unchecked(&vcc->stats->tx_err);
26749 return -EINVAL;
26750 }
26751
26752 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26753 vcc->pop(vcc, skb);
26754 else
26755 dev_kfree_skb_any(skb);
26756 - atomic_inc(&vcc->stats->tx_err);
26757 + atomic_inc_unchecked(&vcc->stats->tx_err);
26758 return -EINVAL;
26759 }
26760 #endif
26761 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26762 vcc->pop(vcc, skb);
26763 else
26764 dev_kfree_skb_any(skb);
26765 - atomic_inc(&vcc->stats->tx_err);
26766 + atomic_inc_unchecked(&vcc->stats->tx_err);
26767 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26768 return -ENOMEM;
26769 }
26770 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26771 vcc->pop(vcc, skb);
26772 else
26773 dev_kfree_skb_any(skb);
26774 - atomic_inc(&vcc->stats->tx_err);
26775 + atomic_inc_unchecked(&vcc->stats->tx_err);
26776 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26777 return -ENOMEM;
26778 }
26779 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26780 __enqueue_tpd(he_dev, tpd, cid);
26781 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26782
26783 - atomic_inc(&vcc->stats->tx);
26784 + atomic_inc_unchecked(&vcc->stats->tx);
26785
26786 return 0;
26787 }
26788 diff -urNp linux-2.6.39.1/drivers/atm/horizon.c linux-2.6.39.1/drivers/atm/horizon.c
26789 --- linux-2.6.39.1/drivers/atm/horizon.c 2011-05-19 00:06:34.000000000 -0400
26790 +++ linux-2.6.39.1/drivers/atm/horizon.c 2011-05-22 19:36:31.000000000 -0400
26791 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
26792 {
26793 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
26794 // VC layer stats
26795 - atomic_inc(&vcc->stats->rx);
26796 + atomic_inc_unchecked(&vcc->stats->rx);
26797 __net_timestamp(skb);
26798 // end of our responsibility
26799 vcc->push (vcc, skb);
26800 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
26801 dev->tx_iovec = NULL;
26802
26803 // VC layer stats
26804 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26805 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26806
26807 // free the skb
26808 hrz_kfree_skb (skb);
26809 diff -urNp linux-2.6.39.1/drivers/atm/idt77252.c linux-2.6.39.1/drivers/atm/idt77252.c
26810 --- linux-2.6.39.1/drivers/atm/idt77252.c 2011-05-19 00:06:34.000000000 -0400
26811 +++ linux-2.6.39.1/drivers/atm/idt77252.c 2011-05-22 19:36:31.000000000 -0400
26812 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
26813 else
26814 dev_kfree_skb(skb);
26815
26816 - atomic_inc(&vcc->stats->tx);
26817 + atomic_inc_unchecked(&vcc->stats->tx);
26818 }
26819
26820 atomic_dec(&scq->used);
26821 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
26822 if ((sb = dev_alloc_skb(64)) == NULL) {
26823 printk("%s: Can't allocate buffers for aal0.\n",
26824 card->name);
26825 - atomic_add(i, &vcc->stats->rx_drop);
26826 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
26827 break;
26828 }
26829 if (!atm_charge(vcc, sb->truesize)) {
26830 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
26831 card->name);
26832 - atomic_add(i - 1, &vcc->stats->rx_drop);
26833 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
26834 dev_kfree_skb(sb);
26835 break;
26836 }
26837 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
26838 ATM_SKB(sb)->vcc = vcc;
26839 __net_timestamp(sb);
26840 vcc->push(vcc, sb);
26841 - atomic_inc(&vcc->stats->rx);
26842 + atomic_inc_unchecked(&vcc->stats->rx);
26843
26844 cell += ATM_CELL_PAYLOAD;
26845 }
26846 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
26847 "(CDC: %08x)\n",
26848 card->name, len, rpp->len, readl(SAR_REG_CDC));
26849 recycle_rx_pool_skb(card, rpp);
26850 - atomic_inc(&vcc->stats->rx_err);
26851 + atomic_inc_unchecked(&vcc->stats->rx_err);
26852 return;
26853 }
26854 if (stat & SAR_RSQE_CRC) {
26855 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
26856 recycle_rx_pool_skb(card, rpp);
26857 - atomic_inc(&vcc->stats->rx_err);
26858 + atomic_inc_unchecked(&vcc->stats->rx_err);
26859 return;
26860 }
26861 if (skb_queue_len(&rpp->queue) > 1) {
26862 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
26863 RXPRINTK("%s: Can't alloc RX skb.\n",
26864 card->name);
26865 recycle_rx_pool_skb(card, rpp);
26866 - atomic_inc(&vcc->stats->rx_err);
26867 + atomic_inc_unchecked(&vcc->stats->rx_err);
26868 return;
26869 }
26870 if (!atm_charge(vcc, skb->truesize)) {
26871 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
26872 __net_timestamp(skb);
26873
26874 vcc->push(vcc, skb);
26875 - atomic_inc(&vcc->stats->rx);
26876 + atomic_inc_unchecked(&vcc->stats->rx);
26877
26878 return;
26879 }
26880 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
26881 __net_timestamp(skb);
26882
26883 vcc->push(vcc, skb);
26884 - atomic_inc(&vcc->stats->rx);
26885 + atomic_inc_unchecked(&vcc->stats->rx);
26886
26887 if (skb->truesize > SAR_FB_SIZE_3)
26888 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
26889 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
26890 if (vcc->qos.aal != ATM_AAL0) {
26891 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
26892 card->name, vpi, vci);
26893 - atomic_inc(&vcc->stats->rx_drop);
26894 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26895 goto drop;
26896 }
26897
26898 if ((sb = dev_alloc_skb(64)) == NULL) {
26899 printk("%s: Can't allocate buffers for AAL0.\n",
26900 card->name);
26901 - atomic_inc(&vcc->stats->rx_err);
26902 + atomic_inc_unchecked(&vcc->stats->rx_err);
26903 goto drop;
26904 }
26905
26906 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
26907 ATM_SKB(sb)->vcc = vcc;
26908 __net_timestamp(sb);
26909 vcc->push(vcc, sb);
26910 - atomic_inc(&vcc->stats->rx);
26911 + atomic_inc_unchecked(&vcc->stats->rx);
26912
26913 drop:
26914 skb_pull(queue, 64);
26915 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26916
26917 if (vc == NULL) {
26918 printk("%s: NULL connection in send().\n", card->name);
26919 - atomic_inc(&vcc->stats->tx_err);
26920 + atomic_inc_unchecked(&vcc->stats->tx_err);
26921 dev_kfree_skb(skb);
26922 return -EINVAL;
26923 }
26924 if (!test_bit(VCF_TX, &vc->flags)) {
26925 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
26926 - atomic_inc(&vcc->stats->tx_err);
26927 + atomic_inc_unchecked(&vcc->stats->tx_err);
26928 dev_kfree_skb(skb);
26929 return -EINVAL;
26930 }
26931 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26932 break;
26933 default:
26934 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
26935 - atomic_inc(&vcc->stats->tx_err);
26936 + atomic_inc_unchecked(&vcc->stats->tx_err);
26937 dev_kfree_skb(skb);
26938 return -EINVAL;
26939 }
26940
26941 if (skb_shinfo(skb)->nr_frags != 0) {
26942 printk("%s: No scatter-gather yet.\n", card->name);
26943 - atomic_inc(&vcc->stats->tx_err);
26944 + atomic_inc_unchecked(&vcc->stats->tx_err);
26945 dev_kfree_skb(skb);
26946 return -EINVAL;
26947 }
26948 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26949
26950 err = queue_skb(card, vc, skb, oam);
26951 if (err) {
26952 - atomic_inc(&vcc->stats->tx_err);
26953 + atomic_inc_unchecked(&vcc->stats->tx_err);
26954 dev_kfree_skb(skb);
26955 return err;
26956 }
26957 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
26958 skb = dev_alloc_skb(64);
26959 if (!skb) {
26960 printk("%s: Out of memory in send_oam().\n", card->name);
26961 - atomic_inc(&vcc->stats->tx_err);
26962 + atomic_inc_unchecked(&vcc->stats->tx_err);
26963 return -ENOMEM;
26964 }
26965 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
26966 diff -urNp linux-2.6.39.1/drivers/atm/iphase.c linux-2.6.39.1/drivers/atm/iphase.c
26967 --- linux-2.6.39.1/drivers/atm/iphase.c 2011-05-19 00:06:34.000000000 -0400
26968 +++ linux-2.6.39.1/drivers/atm/iphase.c 2011-05-22 19:36:31.000000000 -0400
26969 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
26970 status = (u_short) (buf_desc_ptr->desc_mode);
26971 if (status & (RX_CER | RX_PTE | RX_OFL))
26972 {
26973 - atomic_inc(&vcc->stats->rx_err);
26974 + atomic_inc_unchecked(&vcc->stats->rx_err);
26975 IF_ERR(printk("IA: bad packet, dropping it");)
26976 if (status & RX_CER) {
26977 IF_ERR(printk(" cause: packet CRC error\n");)
26978 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
26979 len = dma_addr - buf_addr;
26980 if (len > iadev->rx_buf_sz) {
26981 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
26982 - atomic_inc(&vcc->stats->rx_err);
26983 + atomic_inc_unchecked(&vcc->stats->rx_err);
26984 goto out_free_desc;
26985 }
26986
26987 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
26988 ia_vcc = INPH_IA_VCC(vcc);
26989 if (ia_vcc == NULL)
26990 {
26991 - atomic_inc(&vcc->stats->rx_err);
26992 + atomic_inc_unchecked(&vcc->stats->rx_err);
26993 dev_kfree_skb_any(skb);
26994 atm_return(vcc, atm_guess_pdu2truesize(len));
26995 goto INCR_DLE;
26996 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
26997 if ((length > iadev->rx_buf_sz) || (length >
26998 (skb->len - sizeof(struct cpcs_trailer))))
26999 {
27000 - atomic_inc(&vcc->stats->rx_err);
27001 + atomic_inc_unchecked(&vcc->stats->rx_err);
27002 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27003 length, skb->len);)
27004 dev_kfree_skb_any(skb);
27005 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
27006
27007 IF_RX(printk("rx_dle_intr: skb push");)
27008 vcc->push(vcc,skb);
27009 - atomic_inc(&vcc->stats->rx);
27010 + atomic_inc_unchecked(&vcc->stats->rx);
27011 iadev->rx_pkt_cnt++;
27012 }
27013 INCR_DLE:
27014 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
27015 {
27016 struct k_sonet_stats *stats;
27017 stats = &PRIV(_ia_dev[board])->sonet_stats;
27018 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27019 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27020 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27021 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27022 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27023 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27024 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27025 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27026 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27027 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27028 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27029 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27030 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27031 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27032 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27033 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27034 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27035 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27036 }
27037 ia_cmds.status = 0;
27038 break;
27039 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27040 if ((desc == 0) || (desc > iadev->num_tx_desc))
27041 {
27042 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27043 - atomic_inc(&vcc->stats->tx);
27044 + atomic_inc_unchecked(&vcc->stats->tx);
27045 if (vcc->pop)
27046 vcc->pop(vcc, skb);
27047 else
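Review bot: The invalid-descriptor branch (`desc == 0` or `desc > iadev->num_tx_desc`) bumps `vcc->stats->tx`, so a PDU that is rejected here is counted as transmitted. The conversion to the unchecked op carries that over unchanged; the other ATM drivers touched by this patch count their drop paths in `tx_err`, and this branch probably should too: `atomic_inc_unchecked(&vcc->stats->tx_err);`. ia_pkt_tx starts and ends outside the hunk, so whether anything downstream relies on the current accounting cannot be confirmed from here.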
27048 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27049 ATM_DESC(skb) = vcc->vci;
27050 skb_queue_tail(&iadev->tx_dma_q, skb);
27051
27052 - atomic_inc(&vcc->stats->tx);
27053 + atomic_inc_unchecked(&vcc->stats->tx);
27054 iadev->tx_pkt_cnt++;
27055 /* Increment transaction counter */
27056 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27057
27058 #if 0
27059 /* add flow control logic */
27060 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27061 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27062 if (iavcc->vc_desc_cnt > 10) {
27063 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27064 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27065 diff -urNp linux-2.6.39.1/drivers/atm/lanai.c linux-2.6.39.1/drivers/atm/lanai.c
27066 --- linux-2.6.39.1/drivers/atm/lanai.c 2011-05-19 00:06:34.000000000 -0400
27067 +++ linux-2.6.39.1/drivers/atm/lanai.c 2011-05-22 19:36:31.000000000 -0400
27068 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
27069 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27070 lanai_endtx(lanai, lvcc);
27071 lanai_free_skb(lvcc->tx.atmvcc, skb);
27072 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27073 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27074 }
27075
27076 /* Try to fill the buffer - don't call unless there is backlog */
27077 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27078 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27079 __net_timestamp(skb);
27080 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27081 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27082 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27083 out:
27084 lvcc->rx.buf.ptr = end;
27085 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27086 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
27087 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27088 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27089 lanai->stats.service_rxnotaal5++;
27090 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27091 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27092 return 0;
27093 }
27094 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27095 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
27096 int bytes;
27097 read_unlock(&vcc_sklist_lock);
27098 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27099 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27100 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27101 lvcc->stats.x.aal5.service_trash++;
27102 bytes = (SERVICE_GET_END(s) * 16) -
27103 (((unsigned long) lvcc->rx.buf.ptr) -
27104 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
27105 }
27106 if (s & SERVICE_STREAM) {
27107 read_unlock(&vcc_sklist_lock);
27108 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27109 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27110 lvcc->stats.x.aal5.service_stream++;
27111 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27112 "PDU on VCI %d!\n", lanai->number, vci);
27113 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
27114 return 0;
27115 }
27116 DPRINTK("got rx crc error on vci %d\n", vci);
27117 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27118 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27119 lvcc->stats.x.aal5.service_rxcrc++;
27120 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27121 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27122 diff -urNp linux-2.6.39.1/drivers/atm/nicstar.c linux-2.6.39.1/drivers/atm/nicstar.c
27123 --- linux-2.6.39.1/drivers/atm/nicstar.c 2011-05-19 00:06:34.000000000 -0400
27124 +++ linux-2.6.39.1/drivers/atm/nicstar.c 2011-05-22 19:36:31.000000000 -0400
27125 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
27126 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
27127 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
27128 card->index);
27129 - atomic_inc(&vcc->stats->tx_err);
27130 + atomic_inc_unchecked(&vcc->stats->tx_err);
27131 dev_kfree_skb_any(skb);
27132 return -EINVAL;
27133 }
27134 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
27135 if (!vc->tx) {
27136 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
27137 card->index);
27138 - atomic_inc(&vcc->stats->tx_err);
27139 + atomic_inc_unchecked(&vcc->stats->tx_err);
27140 dev_kfree_skb_any(skb);
27141 return -EINVAL;
27142 }
27143 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
27144 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
27145 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
27146 card->index);
27147 - atomic_inc(&vcc->stats->tx_err);
27148 + atomic_inc_unchecked(&vcc->stats->tx_err);
27149 dev_kfree_skb_any(skb);
27150 return -EINVAL;
27151 }
27152
27153 if (skb_shinfo(skb)->nr_frags != 0) {
27154 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27155 - atomic_inc(&vcc->stats->tx_err);
27156 + atomic_inc_unchecked(&vcc->stats->tx_err);
27157 dev_kfree_skb_any(skb);
27158 return -EINVAL;
27159 }
27160 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
27161 }
27162
27163 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
27164 - atomic_inc(&vcc->stats->tx_err);
27165 + atomic_inc_unchecked(&vcc->stats->tx_err);
27166 dev_kfree_skb_any(skb);
27167 return -EIO;
27168 }
27169 - atomic_inc(&vcc->stats->tx);
27170 + atomic_inc_unchecked(&vcc->stats->tx);
27171
27172 return 0;
27173 }
27174 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
27175 printk
27176 ("nicstar%d: Can't allocate buffers for aal0.\n",
27177 card->index);
27178 - atomic_add(i, &vcc->stats->rx_drop);
27179 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27180 break;
27181 }
27182 if (!atm_charge(vcc, sb->truesize)) {
27183 RXPRINTK
27184 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
27185 card->index);
27186 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27187 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27188 dev_kfree_skb_any(sb);
27189 break;
27190 }
27191 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
27192 ATM_SKB(sb)->vcc = vcc;
27193 __net_timestamp(sb);
27194 vcc->push(vcc, sb);
27195 - atomic_inc(&vcc->stats->rx);
27196 + atomic_inc_unchecked(&vcc->stats->rx);
27197 cell += ATM_CELL_PAYLOAD;
27198 }
27199
27200 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
27201 if (iovb == NULL) {
27202 printk("nicstar%d: Out of iovec buffers.\n",
27203 card->index);
27204 - atomic_inc(&vcc->stats->rx_drop);
27205 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27206 recycle_rx_buf(card, skb);
27207 return;
27208 }
27209 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
27210 small or large buffer itself. */
27211 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
27212 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27213 - atomic_inc(&vcc->stats->rx_err);
27214 + atomic_inc_unchecked(&vcc->stats->rx_err);
27215 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27216 NS_MAX_IOVECS);
27217 NS_PRV_IOVCNT(iovb) = 0;
27218 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
27219 ("nicstar%d: Expected a small buffer, and this is not one.\n",
27220 card->index);
27221 which_list(card, skb);
27222 - atomic_inc(&vcc->stats->rx_err);
27223 + atomic_inc_unchecked(&vcc->stats->rx_err);
27224 recycle_rx_buf(card, skb);
27225 vc->rx_iov = NULL;
27226 recycle_iov_buf(card, iovb);
27227 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
27228 ("nicstar%d: Expected a large buffer, and this is not one.\n",
27229 card->index);
27230 which_list(card, skb);
27231 - atomic_inc(&vcc->stats->rx_err);
27232 + atomic_inc_unchecked(&vcc->stats->rx_err);
27233 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27234 NS_PRV_IOVCNT(iovb));
27235 vc->rx_iov = NULL;
27236 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
27237 printk(" - PDU size mismatch.\n");
27238 else
27239 printk(".\n");
27240 - atomic_inc(&vcc->stats->rx_err);
27241 + atomic_inc_unchecked(&vcc->stats->rx_err);
27242 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27243 NS_PRV_IOVCNT(iovb));
27244 vc->rx_iov = NULL;
27245 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
27246 /* skb points to a small buffer */
27247 if (!atm_charge(vcc, skb->truesize)) {
27248 push_rxbufs(card, skb);
27249 - atomic_inc(&vcc->stats->rx_drop);
27250 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27251 } else {
27252 skb_put(skb, len);
27253 dequeue_sm_buf(card, skb);
27254 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
27255 ATM_SKB(skb)->vcc = vcc;
27256 __net_timestamp(skb);
27257 vcc->push(vcc, skb);
27258 - atomic_inc(&vcc->stats->rx);
27259 + atomic_inc_unchecked(&vcc->stats->rx);
27260 }
27261 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
27262 struct sk_buff *sb;
27263 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
27264 if (len <= NS_SMBUFSIZE) {
27265 if (!atm_charge(vcc, sb->truesize)) {
27266 push_rxbufs(card, sb);
27267 - atomic_inc(&vcc->stats->rx_drop);
27268 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27269 } else {
27270 skb_put(sb, len);
27271 dequeue_sm_buf(card, sb);
27272 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
27273 ATM_SKB(sb)->vcc = vcc;
27274 __net_timestamp(sb);
27275 vcc->push(vcc, sb);
27276 - atomic_inc(&vcc->stats->rx);
27277 + atomic_inc_unchecked(&vcc->stats->rx);
27278 }
27279
27280 push_rxbufs(card, skb);
27281 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
27282
27283 if (!atm_charge(vcc, skb->truesize)) {
27284 push_rxbufs(card, skb);
27285 - atomic_inc(&vcc->stats->rx_drop);
27286 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27287 } else {
27288 dequeue_lg_buf(card, skb);
27289 #ifdef NS_USE_DESTRUCTORS
27290 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
27291 ATM_SKB(skb)->vcc = vcc;
27292 __net_timestamp(skb);
27293 vcc->push(vcc, skb);
27294 - atomic_inc(&vcc->stats->rx);
27295 + atomic_inc_unchecked(&vcc->stats->rx);
27296 }
27297
27298 push_rxbufs(card, sb);
27299 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
27300 printk
27301 ("nicstar%d: Out of huge buffers.\n",
27302 card->index);
27303 - atomic_inc(&vcc->stats->rx_drop);
27304 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27305 recycle_iovec_rx_bufs(card,
27306 (struct iovec *)
27307 iovb->data,
27308 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
27309 card->hbpool.count++;
27310 } else
27311 dev_kfree_skb_any(hb);
27312 - atomic_inc(&vcc->stats->rx_drop);
27313 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27314 } else {
27315 /* Copy the small buffer to the huge buffer */
27316 sb = (struct sk_buff *)iov->iov_base;
27317 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
27318 #endif /* NS_USE_DESTRUCTORS */
27319 __net_timestamp(hb);
27320 vcc->push(vcc, hb);
27321 - atomic_inc(&vcc->stats->rx);
27322 + atomic_inc_unchecked(&vcc->stats->rx);
27323 }
27324 }
27325
27326 diff -urNp linux-2.6.39.1/drivers/atm/solos-pci.c linux-2.6.39.1/drivers/atm/solos-pci.c
27327 --- linux-2.6.39.1/drivers/atm/solos-pci.c 2011-05-19 00:06:34.000000000 -0400
27328 +++ linux-2.6.39.1/drivers/atm/solos-pci.c 2011-05-22 19:36:31.000000000 -0400
27329 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
27330 }
27331 atm_charge(vcc, skb->truesize);
27332 vcc->push(vcc, skb);
27333 - atomic_inc(&vcc->stats->rx);
27334 + atomic_inc_unchecked(&vcc->stats->rx);
27335 break;
27336
27337 case PKT_STATUS:
27338 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
27339 char msg[500];
27340 char item[10];
27341
27342 + pax_track_stack();
27343 +
27344 len = buf->len;
27345 for (i = 0; i < len; i++){
27346 if(i % 8 == 0)
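Review bot: `pax_track_stack();` is added without a comment, and nothing at the call tells a reader that it is there because of the roughly 510 bytes of locals declared just above (`char msg[500]; char item[10];`). A short comment such as `/* large stack frame: msg[500] */` above the call would keep it from being dropped or left behind if the buffer is later shrunk or moved off the stack. The loop that fills `msg` continues outside the hunk, so its bounds cannot be checked from here.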
27347 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
27348 vcc = SKB_CB(oldskb)->vcc;
27349
27350 if (vcc) {
27351 - atomic_inc(&vcc->stats->tx);
27352 + atomic_inc_unchecked(&vcc->stats->tx);
27353 solos_pop(vcc, oldskb);
27354 } else
27355 dev_kfree_skb_irq(oldskb);
27356 diff -urNp linux-2.6.39.1/drivers/atm/suni.c linux-2.6.39.1/drivers/atm/suni.c
27357 --- linux-2.6.39.1/drivers/atm/suni.c 2011-05-19 00:06:34.000000000 -0400
27358 +++ linux-2.6.39.1/drivers/atm/suni.c 2011-05-22 19:36:31.000000000 -0400
27359 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27360
27361
27362 #define ADD_LIMITED(s,v) \
27363 - atomic_add((v),&stats->s); \
27364 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27365 + atomic_add_unchecked((v),&stats->s); \
27366 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27367
27368
27369 static void suni_hz(unsigned long from_timer)
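Review bot: `ADD_LIMITED` still expands to two separate statements, so if it is ever used as the body of an unbraced `if`, only the `atomic_add_unchecked()` would be conditional; wrapping the expansion in `do { ... } while (0)` avoids that (the uPD98402.c variant changed later in this patch at least has braces). The macro also deserves a one-line comment that the unchecked ops are required here because saturation is detected by letting the counter wrap negative and then pinning it, e.g. `/* wraps on purpose: a negative result is clamped to INT_MAX */`. The add/read/set sequence is not atomic as a whole, so a concurrent reader may briefly see the negative value; whether that matters depends on callers outside the hunk.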
27370 diff -urNp linux-2.6.39.1/drivers/atm/uPD98402.c linux-2.6.39.1/drivers/atm/uPD98402.c
27371 --- linux-2.6.39.1/drivers/atm/uPD98402.c 2011-05-19 00:06:34.000000000 -0400
27372 +++ linux-2.6.39.1/drivers/atm/uPD98402.c 2011-05-22 19:36:31.000000000 -0400
27373 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
27374 struct sonet_stats tmp;
27375 int error = 0;
27376
27377 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27378 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27379 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27380 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27381 if (zero && !error) {
27382 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
27383
27384
27385 #define ADD_LIMITED(s,v) \
27386 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27387 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27388 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27389 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27390 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27391 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27392
27393
27394 static void stat_event(struct atm_dev *dev)
27395 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
27396 if (reason & uPD98402_INT_PFM) stat_event(dev);
27397 if (reason & uPD98402_INT_PCO) {
27398 (void) GET(PCOCR); /* clear interrupt cause */
27399 - atomic_add(GET(HECCT),
27400 + atomic_add_unchecked(GET(HECCT),
27401 &PRIV(dev)->sonet_stats.uncorr_hcs);
27402 }
27403 if ((reason & uPD98402_INT_RFO) &&
27404 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
27405 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27406 uPD98402_INT_LOS),PIMR); /* enable them */
27407 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27408 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27409 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27410 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27411 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27412 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27413 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27414 return 0;
27415 }
27416
27417 diff -urNp linux-2.6.39.1/drivers/atm/zatm.c linux-2.6.39.1/drivers/atm/zatm.c
27418 --- linux-2.6.39.1/drivers/atm/zatm.c 2011-05-19 00:06:34.000000000 -0400
27419 +++ linux-2.6.39.1/drivers/atm/zatm.c 2011-05-22 19:36:31.000000000 -0400
27420 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27421 }
27422 if (!size) {
27423 dev_kfree_skb_irq(skb);
27424 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27425 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27426 continue;
27427 }
27428 if (!atm_charge(vcc,skb->truesize)) {
27429 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27430 skb->len = size;
27431 ATM_SKB(skb)->vcc = vcc;
27432 vcc->push(vcc,skb);
27433 - atomic_inc(&vcc->stats->rx);
27434 + atomic_inc_unchecked(&vcc->stats->rx);
27435 }
27436 zout(pos & 0xffff,MTA(mbx));
27437 #if 0 /* probably a stupid idea */
27438 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27439 skb_queue_head(&zatm_vcc->backlog,skb);
27440 break;
27441 }
27442 - atomic_inc(&vcc->stats->tx);
27443 + atomic_inc_unchecked(&vcc->stats->tx);
27444 wake_up(&zatm_vcc->tx_wait);
27445 }
27446
27447 diff -urNp linux-2.6.39.1/drivers/base/iommu.c linux-2.6.39.1/drivers/base/iommu.c
27448 --- linux-2.6.39.1/drivers/base/iommu.c 2011-05-19 00:06:34.000000000 -0400
27449 +++ linux-2.6.39.1/drivers/base/iommu.c 2011-05-22 19:36:31.000000000 -0400
27450 @@ -23,9 +23,8 @@
27451 #include <linux/errno.h>
27452 #include <linux/iommu.h>
27453
27454 -static struct iommu_ops *iommu_ops;
27455 -
27456 -void register_iommu(struct iommu_ops *ops)
27457 +static const struct iommu_ops *iommu_ops;
27458 +void register_iommu(const struct iommu_ops *ops)
27459 {
27460 if (iommu_ops)
27461 BUG();
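Review bot: The hunk drops the blank line between the `iommu_ops` definition and `register_iommu()`, so the file-scope variable now runs straight into the function header. Keeping the separator (`static const struct iommu_ops *iommu_ops;` followed by an empty line) matches the layout of the rest of the file and keeps the const change a pure two-line edit. The function body continues outside the hunk.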
27462 diff -urNp linux-2.6.39.1/drivers/base/power/generic_ops.c linux-2.6.39.1/drivers/base/power/generic_ops.c
27463 --- linux-2.6.39.1/drivers/base/power/generic_ops.c 2011-05-19 00:06:34.000000000 -0400
27464 +++ linux-2.6.39.1/drivers/base/power/generic_ops.c 2011-05-22 19:36:31.000000000 -0400
27465 @@ -215,7 +215,7 @@ int pm_generic_restore(struct device *de
27466 EXPORT_SYMBOL_GPL(pm_generic_restore);
27467 #endif /* CONFIG_PM_SLEEP */
27468
27469 -struct dev_pm_ops generic_subsys_pm_ops = {
27470 +const struct dev_pm_ops generic_subsys_pm_ops = {
27471 #ifdef CONFIG_PM_SLEEP
27472 .suspend = pm_generic_suspend,
27473 .resume = pm_generic_resume,
27474 diff -urNp linux-2.6.39.1/drivers/base/power/wakeup.c linux-2.6.39.1/drivers/base/power/wakeup.c
27475 --- linux-2.6.39.1/drivers/base/power/wakeup.c 2011-05-19 00:06:34.000000000 -0400
27476 +++ linux-2.6.39.1/drivers/base/power/wakeup.c 2011-05-22 19:36:31.000000000 -0400
27477 @@ -29,14 +29,14 @@ bool events_check_enabled;
27478 * They need to be modified together atomically, so it's better to use one
27479 * atomic variable to hold them both.
27480 */
27481 -static atomic_t combined_event_count = ATOMIC_INIT(0);
27482 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
27483
27484 #define IN_PROGRESS_BITS (sizeof(int) * 4)
27485 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
27486
27487 static void split_counters(unsigned int *cnt, unsigned int *inpr)
27488 {
27489 - unsigned int comb = atomic_read(&combined_event_count);
27490 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
27491
27492 *cnt = (comb >> IN_PROGRESS_BITS);
27493 *inpr = comb & MAX_IN_PROGRESS;
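Review bot: The switch of `combined_event_count` to `atomic_unchecked_t` is not explained next to the declaration, although the existing comment block above it is the natural place. The variable packs two counters split at `IN_PROGRESS_BITS`, and the upper half appears to be a free-running event count that is meant to wrap, which is presumably why overflow detection is turned off; a line such as `/* unchecked: the registered-events half wraps by design */` would record that. The later hunk in wakeup_source_deactivate() relies on the same modular arithmetic (`atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count)`), so the same comment covers it.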
27494 @@ -351,7 +351,7 @@ static void wakeup_source_activate(struc
27495 ws->last_time = ktime_get();
27496
27497 /* Increment the counter of events in progress. */
27498 - atomic_inc(&combined_event_count);
27499 + atomic_inc_unchecked(&combined_event_count);
27500 }
27501
27502 /**
27503 @@ -441,7 +441,7 @@ static void wakeup_source_deactivate(str
27504 * Increment the counter of registered wakeup events and decrement the
27505 * couter of wakeup events in progress simultaneously.
27506 */
27507 - atomic_add(MAX_IN_PROGRESS, &combined_event_count);
27508 + atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
27509 }
27510
27511 /**
27512 diff -urNp linux-2.6.39.1/drivers/block/cciss.c linux-2.6.39.1/drivers/block/cciss.c
27513 --- linux-2.6.39.1/drivers/block/cciss.c 2011-05-19 00:06:34.000000000 -0400
27514 +++ linux-2.6.39.1/drivers/block/cciss.c 2011-05-22 19:41:32.000000000 -0400
27515 @@ -103,7 +103,7 @@ MODULE_DEVICE_TABLE(pci, cciss_pci_devic
27516 * product = Marketing Name for the board
27517 * access = Address of the struct of function pointers
27518 */
27519 -static struct board_type products[] = {
27520 +static const struct board_type products[] = {
27521 {0x40700E11, "Smart Array 5300", &SA5_access},
27522 {0x40800E11, "Smart Array 5i", &SA5B_access},
27523 {0x40820E11, "Smart Array 532", &SA5B_access},
27524 @@ -1151,6 +1151,8 @@ static int cciss_ioctl32_passthru(struct
27525 int err;
27526 u32 cp;
27527
27528 + memset(&arg64, 0, sizeof(arg64));
27529 +
27530 err = 0;
27531 err |=
27532 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
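Review bot: The added `memset(&arg64, 0, sizeof(arg64))` covers only this one 32-bit passthrough handler, and no other handler in cciss.c is touched by this patch. Any sibling compat handler that fills a stack structure field by field and later hands it on whole would presumably need the same zeroing; this is inferred, since the rest of the function and its siblings lie outside the hunk. A short comment would also keep the call from being dropped as redundant later: `/* clear padding and unset fields before the struct is passed on */`.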
27533 diff -urNp linux-2.6.39.1/drivers/block/cciss.h linux-2.6.39.1/drivers/block/cciss.h
27534 --- linux-2.6.39.1/drivers/block/cciss.h 2011-05-19 00:06:34.000000000 -0400
27535 +++ linux-2.6.39.1/drivers/block/cciss.h 2011-05-22 19:36:31.000000000 -0400
27536 @@ -393,7 +393,7 @@ static bool SA5_performant_intr_pending(
27537 return register_value & SA5_OUTDB_STATUS_PERF_BIT;
27538 }
27539
27540 -static struct access_method SA5_access = {
27541 +static const struct access_method SA5_access = {
27542 SA5_submit_command,
27543 SA5_intr_mask,
27544 SA5_fifo_full,
27545 @@ -401,7 +401,7 @@ static struct access_method SA5_access =
27546 SA5_completed,
27547 };
27548
27549 -static struct access_method SA5B_access = {
27550 +static const struct access_method SA5B_access = {
27551 SA5_submit_command,
27552 SA5B_intr_mask,
27553 SA5_fifo_full,
27554 @@ -409,7 +409,7 @@ static struct access_method SA5B_access
27555 SA5_completed,
27556 };
27557
27558 -static struct access_method SA5_performant_access = {
27559 +static const struct access_method SA5_performant_access = {
27560 SA5_submit_command,
27561 SA5_performant_intr_mask,
27562 SA5_fifo_full,
27563 @@ -420,7 +420,7 @@ static struct access_method SA5_performa
27564 struct board_type {
27565 __u32 board_id;
27566 char *product_name;
27567 - struct access_method *access;
27568 + const struct access_method *access;
27569 int nr_cmds; /* Max cmds this kind of ctlr can handle. */
27570 };
27571
27572 diff -urNp linux-2.6.39.1/drivers/block/cpqarray.c linux-2.6.39.1/drivers/block/cpqarray.c
27573 --- linux-2.6.39.1/drivers/block/cpqarray.c 2011-05-19 00:06:34.000000000 -0400
27574 +++ linux-2.6.39.1/drivers/block/cpqarray.c 2011-05-22 19:36:31.000000000 -0400
27575 @@ -80,7 +80,7 @@ static int eisa[8];
27576 * product = Marketing Name for the board
27577 * access = Address of the struct of function pointers
27578 */
27579 -static struct board_type products[] = {
27580 +static const struct board_type products[] = {
27581 { 0x0040110E, "IDA", &smart1_access },
27582 { 0x0140110E, "IDA-2", &smart1_access },
27583 { 0x1040110E, "IAES", &smart1_access },
27584 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
27585 struct scatterlist tmp_sg[SG_MAX];
27586 int i, dir, seg;
27587
27588 + pax_track_stack();
27589 +
27590 queue_next:
27591 creq = blk_peek_request(q);
27592 if (!creq)
27593 diff -urNp linux-2.6.39.1/drivers/block/cpqarray.h linux-2.6.39.1/drivers/block/cpqarray.h
27594 --- linux-2.6.39.1/drivers/block/cpqarray.h 2011-05-19 00:06:34.000000000 -0400
27595 +++ linux-2.6.39.1/drivers/block/cpqarray.h 2011-05-22 19:36:31.000000000 -0400
27596 @@ -69,7 +69,7 @@ struct access_method {
27597 struct board_type {
27598 __u32 board_id;
27599 char *product_name;
27600 - struct access_method *access;
27601 + const struct access_method *access;
27602 };
27603
27604 struct ctlr_info {
27605 diff -urNp linux-2.6.39.1/drivers/block/DAC960.c linux-2.6.39.1/drivers/block/DAC960.c
27606 --- linux-2.6.39.1/drivers/block/DAC960.c 2011-05-19 00:06:34.000000000 -0400
27607 +++ linux-2.6.39.1/drivers/block/DAC960.c 2011-05-22 19:36:31.000000000 -0400
27608 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27609 unsigned long flags;
27610 int Channel, TargetID;
27611
27612 + pax_track_stack();
27613 +
27614 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
27615 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
27616 sizeof(DAC960_SCSI_Inquiry_T) +
27617 diff -urNp linux-2.6.39.1/drivers/block/drbd/drbd_int.h linux-2.6.39.1/drivers/block/drbd/drbd_int.h
27618 --- linux-2.6.39.1/drivers/block/drbd/drbd_int.h 2011-05-19 00:06:34.000000000 -0400
27619 +++ linux-2.6.39.1/drivers/block/drbd/drbd_int.h 2011-05-22 19:36:31.000000000 -0400
27620 @@ -736,7 +736,7 @@ struct drbd_request;
27621 struct drbd_epoch {
27622 struct list_head list;
27623 unsigned int barrier_nr;
27624 - atomic_t epoch_size; /* increased on every request added. */
27625 + atomic_unchecked_t epoch_size; /* increased on every request added. */
27626 atomic_t active; /* increased on every req. added, and dec on every finished. */
27627 unsigned long flags;
27628 };
27629 @@ -1108,7 +1108,7 @@ struct drbd_conf {
27630 void *int_dig_in;
27631 void *int_dig_vv;
27632 wait_queue_head_t seq_wait;
27633 - atomic_t packet_seq;
27634 + atomic_unchecked_t packet_seq;
27635 unsigned int peer_seq;
27636 spinlock_t peer_seq_lock;
27637 unsigned int minor;
27638 diff -urNp linux-2.6.39.1/drivers/block/drbd/drbd_main.c linux-2.6.39.1/drivers/block/drbd/drbd_main.c
27639 --- linux-2.6.39.1/drivers/block/drbd/drbd_main.c 2011-05-19 00:06:34.000000000 -0400
27640 +++ linux-2.6.39.1/drivers/block/drbd/drbd_main.c 2011-05-22 19:36:31.000000000 -0400
27641 @@ -2387,7 +2387,7 @@ static int _drbd_send_ack(struct drbd_co
27642 p.sector = sector;
27643 p.block_id = block_id;
27644 p.blksize = blksize;
27645 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
27646 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
27647
27648 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
27649 return false;
27650 @@ -2686,7 +2686,7 @@ int drbd_send_dblock(struct drbd_conf *m
27651 p.sector = cpu_to_be64(req->sector);
27652 p.block_id = (unsigned long)req;
27653 p.seq_num = cpu_to_be32(req->seq_num =
27654 - atomic_add_return(1, &mdev->packet_seq));
27655 + atomic_add_return_unchecked(1, &mdev->packet_seq));
27656
27657 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
27658
27659 @@ -2971,7 +2971,7 @@ void drbd_init_set_defaults(struct drbd_
27660 atomic_set(&mdev->unacked_cnt, 0);
27661 atomic_set(&mdev->local_cnt, 0);
27662 atomic_set(&mdev->net_cnt, 0);
27663 - atomic_set(&mdev->packet_seq, 0);
27664 + atomic_set_unchecked(&mdev->packet_seq, 0);
27665 atomic_set(&mdev->pp_in_use, 0);
27666 atomic_set(&mdev->pp_in_use_by_net, 0);
27667 atomic_set(&mdev->rs_sect_in, 0);
27668 @@ -3051,8 +3051,8 @@ void drbd_mdev_cleanup(struct drbd_conf
27669 mdev->receiver.t_state);
27670
27671 /* no need to lock it, I'm the only thread alive */
27672 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
27673 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
27674 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
27675 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
27676 mdev->al_writ_cnt =
27677 mdev->bm_writ_cnt =
27678 mdev->read_cnt =
27679 diff -urNp linux-2.6.39.1/drivers/block/drbd/drbd_nl.c linux-2.6.39.1/drivers/block/drbd/drbd_nl.c
27680 --- linux-2.6.39.1/drivers/block/drbd/drbd_nl.c 2011-05-19 00:06:34.000000000 -0400
27681 +++ linux-2.6.39.1/drivers/block/drbd/drbd_nl.c 2011-05-22 19:36:31.000000000 -0400
27682 @@ -2298,7 +2298,7 @@ static void drbd_connector_callback(stru
27683 module_put(THIS_MODULE);
27684 }
27685
27686 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
27687 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
27688
27689 static unsigned short *
27690 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
27691 @@ -2369,7 +2369,7 @@ void drbd_bcast_state(struct drbd_conf *
27692 cn_reply->id.idx = CN_IDX_DRBD;
27693 cn_reply->id.val = CN_VAL_DRBD;
27694
27695 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27696 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27697 cn_reply->ack = 0; /* not used here. */
27698 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27699 (int)((char *)tl - (char *)reply->tag_list);
27700 @@ -2401,7 +2401,7 @@ void drbd_bcast_ev_helper(struct drbd_co
27701 cn_reply->id.idx = CN_IDX_DRBD;
27702 cn_reply->id.val = CN_VAL_DRBD;
27703
27704 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27705 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27706 cn_reply->ack = 0; /* not used here. */
27707 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27708 (int)((char *)tl - (char *)reply->tag_list);
27709 @@ -2479,7 +2479,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
27710 cn_reply->id.idx = CN_IDX_DRBD;
27711 cn_reply->id.val = CN_VAL_DRBD;
27712
27713 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
27714 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
27715 cn_reply->ack = 0; // not used here.
27716 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27717 (int)((char*)tl - (char*)reply->tag_list);
27718 @@ -2518,7 +2518,7 @@ void drbd_bcast_sync_progress(struct drb
27719 cn_reply->id.idx = CN_IDX_DRBD;
27720 cn_reply->id.val = CN_VAL_DRBD;
27721
27722 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27723 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27724 cn_reply->ack = 0; /* not used here. */
27725 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27726 (int)((char *)tl - (char *)reply->tag_list);
27727 diff -urNp linux-2.6.39.1/drivers/block/drbd/drbd_receiver.c linux-2.6.39.1/drivers/block/drbd/drbd_receiver.c
27728 --- linux-2.6.39.1/drivers/block/drbd/drbd_receiver.c 2011-05-19 00:06:34.000000000 -0400
27729 +++ linux-2.6.39.1/drivers/block/drbd/drbd_receiver.c 2011-05-22 19:36:31.000000000 -0400
27730 @@ -894,7 +894,7 @@ retry:
27731 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
27732 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
27733
27734 - atomic_set(&mdev->packet_seq, 0);
27735 + atomic_set_unchecked(&mdev->packet_seq, 0);
27736 mdev->peer_seq = 0;
27737
27738 drbd_thread_start(&mdev->asender);
27739 @@ -990,7 +990,7 @@ static enum finish_epoch drbd_may_finish
27740 do {
27741 next_epoch = NULL;
27742
27743 - epoch_size = atomic_read(&epoch->epoch_size);
27744 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
27745
27746 switch (ev & ~EV_CLEANUP) {
27747 case EV_PUT:
27748 @@ -1025,7 +1025,7 @@ static enum finish_epoch drbd_may_finish
27749 rv = FE_DESTROYED;
27750 } else {
27751 epoch->flags = 0;
27752 - atomic_set(&epoch->epoch_size, 0);
27753 + atomic_set_unchecked(&epoch->epoch_size, 0);
27754 /* atomic_set(&epoch->active, 0); is already zero */
27755 if (rv == FE_STILL_LIVE)
27756 rv = FE_RECYCLED;
27757 @@ -1196,14 +1196,14 @@ static int receive_Barrier(struct drbd_c
27758 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
27759 drbd_flush(mdev);
27760
27761 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
27762 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
27763 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
27764 if (epoch)
27765 break;
27766 }
27767
27768 epoch = mdev->current_epoch;
27769 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
27770 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
27771
27772 D_ASSERT(atomic_read(&epoch->active) == 0);
27773 D_ASSERT(epoch->flags == 0);
27774 @@ -1215,11 +1215,11 @@ static int receive_Barrier(struct drbd_c
27775 }
27776
27777 epoch->flags = 0;
27778 - atomic_set(&epoch->epoch_size, 0);
27779 + atomic_set_unchecked(&epoch->epoch_size, 0);
27780 atomic_set(&epoch->active, 0);
27781
27782 spin_lock(&mdev->epoch_lock);
27783 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
27784 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
27785 list_add(&epoch->list, &mdev->current_epoch->list);
27786 mdev->current_epoch = epoch;
27787 mdev->epochs++;
27788 @@ -1668,7 +1668,7 @@ static int receive_Data(struct drbd_conf
27789 spin_unlock(&mdev->peer_seq_lock);
27790
27791 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
27792 - atomic_inc(&mdev->current_epoch->epoch_size);
27793 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
27794 return drbd_drain_block(mdev, data_size);
27795 }
27796
27797 @@ -1694,7 +1694,7 @@ static int receive_Data(struct drbd_conf
27798
27799 spin_lock(&mdev->epoch_lock);
27800 e->epoch = mdev->current_epoch;
27801 - atomic_inc(&e->epoch->epoch_size);
27802 + atomic_inc_unchecked(&e->epoch->epoch_size);
27803 atomic_inc(&e->epoch->active);
27804 spin_unlock(&mdev->epoch_lock);
27805
27806 @@ -3905,7 +3905,7 @@ static void drbd_disconnect(struct drbd_
27807 D_ASSERT(list_empty(&mdev->done_ee));
27808
27809 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
27810 - atomic_set(&mdev->current_epoch->epoch_size, 0);
27811 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
27812 D_ASSERT(list_empty(&mdev->current_epoch->list));
27813 }
27814
27815 diff -urNp linux-2.6.39.1/drivers/block/nbd.c linux-2.6.39.1/drivers/block/nbd.c
27816 --- linux-2.6.39.1/drivers/block/nbd.c 2011-05-19 00:06:34.000000000 -0400
27817 +++ linux-2.6.39.1/drivers/block/nbd.c 2011-05-22 19:36:31.000000000 -0400
27818 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
27819 struct kvec iov;
27820 sigset_t blocked, oldset;
27821
27822 + pax_track_stack();
27823 +
27824 if (unlikely(!sock)) {
27825 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
27826 lo->disk->disk_name, (send ? "send" : "recv"));
27827 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
27828 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
27829 unsigned int cmd, unsigned long arg)
27830 {
27831 + pax_track_stack();
27832 +
27833 switch (cmd) {
27834 case NBD_DISCONNECT: {
27835 struct request sreq;
27836 diff -urNp linux-2.6.39.1/drivers/block/smart1,2.h linux-2.6.39.1/drivers/block/smart1,2.h
27837 --- linux-2.6.39.1/drivers/block/smart1,2.h 2011-05-19 00:06:34.000000000 -0400
27838 +++ linux-2.6.39.1/drivers/block/smart1,2.h 2011-05-22 19:36:31.000000000 -0400
27839 @@ -107,7 +107,7 @@ static unsigned long smart4_intr_pending
27840 return 0 ;
27841 }
27842
27843 -static struct access_method smart4_access = {
27844 +static const struct access_method smart4_access = {
27845 smart4_submit_command,
27846 smart4_intr_mask,
27847 smart4_fifo_full,
27848 @@ -143,7 +143,7 @@ static unsigned long smart2_intr_pending
27849 return readl(h->vaddr + INTR_PENDING);
27850 }
27851
27852 -static struct access_method smart2_access = {
27853 +static const struct access_method smart2_access = {
27854 smart2_submit_command,
27855 smart2_intr_mask,
27856 smart2_fifo_full,
27857 @@ -179,7 +179,7 @@ static unsigned long smart2e_intr_pendin
27858 return inl(h->io_mem_addr + INTR_PENDING);
27859 }
27860
27861 -static struct access_method smart2e_access = {
27862 +static const struct access_method smart2e_access = {
27863 smart2e_submit_command,
27864 smart2e_intr_mask,
27865 smart2e_fifo_full,
27866 @@ -269,7 +269,7 @@ static unsigned long smart1_intr_pending
27867 return chan;
27868 }
27869
27870 -static struct access_method smart1_access = {
27871 +static const struct access_method smart1_access = {
27872 smart1_submit_command,
27873 smart1_intr_mask,
27874 smart1_fifo_full,
27875 diff -urNp linux-2.6.39.1/drivers/block/xsysace.c linux-2.6.39.1/drivers/block/xsysace.c
27876 --- linux-2.6.39.1/drivers/block/xsysace.c 2011-05-19 00:06:34.000000000 -0400
27877 +++ linux-2.6.39.1/drivers/block/xsysace.c 2011-05-22 19:36:31.000000000 -0400
27878 @@ -262,7 +262,7 @@ static void ace_dataout_8(struct ace_dev
27879 ace->data_ptr = src;
27880 }
27881
27882 -static struct ace_reg_ops ace_reg_8_ops = {
27883 +static const struct ace_reg_ops ace_reg_8_ops = {
27884 .in = ace_in_8,
27885 .out = ace_out_8,
27886 .datain = ace_datain_8,
27887 @@ -327,14 +327,14 @@ static void ace_dataout_le16(struct ace_
27888 ace->data_ptr = src;
27889 }
27890
27891 -static struct ace_reg_ops ace_reg_be16_ops = {
27892 +static const struct ace_reg_ops ace_reg_be16_ops = {
27893 .in = ace_in_be16,
27894 .out = ace_out_be16,
27895 .datain = ace_datain_be16,
27896 .dataout = ace_dataout_be16,
27897 };
27898
27899 -static struct ace_reg_ops ace_reg_le16_ops = {
27900 +static const struct ace_reg_ops ace_reg_le16_ops = {
27901 .in = ace_in_le16,
27902 .out = ace_out_le16,
27903 .datain = ace_datain_le16,
27904 diff -urNp linux-2.6.39.1/drivers/char/agp/frontend.c linux-2.6.39.1/drivers/char/agp/frontend.c
27905 --- linux-2.6.39.1/drivers/char/agp/frontend.c 2011-05-19 00:06:34.000000000 -0400
27906 +++ linux-2.6.39.1/drivers/char/agp/frontend.c 2011-05-22 19:36:31.000000000 -0400
27907 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
27908 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
27909 return -EFAULT;
27910
27911 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
27912 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
27913 return -EFAULT;
27914
27915 client = agp_find_client_by_pid(reserve.pid);
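Review bot: The bound on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, but nothing at the check says which allocation it protects, and the allocations themselves are outside this hunk. If the function also sizes a buffer with `sizeof(struct agp_segment)`, the check is only sufficient while the private struct is the larger of the two. A comment such as `/* seg_count is later multiplied by sizeof(struct agp_segment_priv) */` would record that assumption, once it is confirmed against the allocation site.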
27916 diff -urNp linux-2.6.39.1/drivers/char/briq_panel.c linux-2.6.39.1/drivers/char/briq_panel.c
27917 --- linux-2.6.39.1/drivers/char/briq_panel.c 2011-05-19 00:06:34.000000000 -0400
27918 +++ linux-2.6.39.1/drivers/char/briq_panel.c 2011-05-22 19:41:32.000000000 -0400
27919 @@ -9,6 +9,7 @@
27920 #include <linux/types.h>
27921 #include <linux/errno.h>
27922 #include <linux/tty.h>
27923 +#include <linux/mutex.h>
27924 #include <linux/timer.h>
27925 #include <linux/kernel.h>
27926 #include <linux/wait.h>
27927 @@ -34,6 +35,7 @@ static int vfd_is_open;
27928 static unsigned char vfd[40];
27929 static int vfd_cursor;
27930 static unsigned char ledpb, led;
27931 +static DEFINE_MUTEX(vfd_mutex);
27932
27933 static void update_vfd(void)
27934 {
27935 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
27936 if (!vfd_is_open)
27937 return -EBUSY;
27938
27939 + mutex_lock(&vfd_mutex);
27940 for (;;) {
27941 char c;
27942 if (!indx)
27943 break;
27944 - if (get_user(c, buf))
27945 + if (get_user(c, buf)) {
27946 + mutex_unlock(&vfd_mutex);
27947 return -EFAULT;
27948 + }
27949 if (esc) {
27950 set_led(c);
27951 esc = 0;
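Review bot: `vfd_mutex` is taken only inside `briq_panel_write`, while `vfd[]`, `vfd_cursor`, `ledpb` and `led` are file-scope state declared right next to it. Any other entry point that touches them (the read and open/release paths are not visible in this patch) would need the same lock, and the `vfd_is_open` test here still runs before `mutex_lock(&vfd_mutex)`. The early `-EFAULT` return now has to unlock by hand; a local return value and a single `out:` label in front of `mutex_unlock(&vfd_mutex);` would keep lock and unlock paired if more exits are added. A comment on the declaration, e.g. `/* serialises updates to vfd[], vfd_cursor and the LED state */`, would state what the mutex covers. The function starts above this hunk and the matching unlock is in the next one.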
27952 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
27953 buf++;
27954 }
27955 update_vfd();
27956 + mutex_unlock(&vfd_mutex);
27957
27958 return len;
27959 }
27960 diff -urNp linux-2.6.39.1/drivers/char/genrtc.c linux-2.6.39.1/drivers/char/genrtc.c
27961 --- linux-2.6.39.1/drivers/char/genrtc.c 2011-05-19 00:06:34.000000000 -0400
27962 +++ linux-2.6.39.1/drivers/char/genrtc.c 2011-05-22 19:41:32.000000000 -0400
27963 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
27964 switch (cmd) {
27965
27966 case RTC_PLL_GET:
27967 + memset(&pll, 0, sizeof(pll));
27968 if (get_rtc_pll(&pll))
27969 return -EINVAL;
27970 else
27971 diff -urNp linux-2.6.39.1/drivers/char/hpet.c linux-2.6.39.1/drivers/char/hpet.c
27972 --- linux-2.6.39.1/drivers/char/hpet.c 2011-05-19 00:06:34.000000000 -0400
27973 +++ linux-2.6.39.1/drivers/char/hpet.c 2011-05-22 19:36:31.000000000 -0400
27974 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
27975 }
27976
27977 static int
27978 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
27979 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
27980 struct hpet_info *info)
27981 {
27982 struct hpet_timer __iomem *timer;
27983 diff -urNp linux-2.6.39.1/drivers/char/ipmi/ipmi_devintf.c linux-2.6.39.1/drivers/char/ipmi/ipmi_devintf.c
27984 --- linux-2.6.39.1/drivers/char/ipmi/ipmi_devintf.c 2011-05-19 00:06:34.000000000 -0400
27985 +++ linux-2.6.39.1/drivers/char/ipmi/ipmi_devintf.c 2011-05-22 19:36:31.000000000 -0400
27986 @@ -109,8 +109,7 @@ static int ipmi_fasync(int fd, struct fi
27987 return (result);
27988 }
27989
27990 -static struct ipmi_user_hndl ipmi_hndlrs =
27991 -{
27992 +static const struct ipmi_user_hndl ipmi_hndlrs = {
27993 .ipmi_recv_hndl = file_receive_handler,
27994 };
27995
27996 diff -urNp linux-2.6.39.1/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.39.1/drivers/char/ipmi/ipmi_msghandler.c
27997 --- linux-2.6.39.1/drivers/char/ipmi/ipmi_msghandler.c 2011-05-19 00:06:34.000000000 -0400
27998 +++ linux-2.6.39.1/drivers/char/ipmi/ipmi_msghandler.c 2011-05-22 19:36:31.000000000 -0400
27999 @@ -82,7 +82,7 @@ struct ipmi_user {
28000 struct kref refcount;
28001
28002 /* The upper layer that handles receive messages. */
28003 - struct ipmi_user_hndl *handler;
28004 + const struct ipmi_user_hndl *handler;
28005 void *handler_data;
28006
28007 /* The interface this user is bound to. */
28008 @@ -414,7 +414,7 @@ struct ipmi_smi {
28009 struct proc_dir_entry *proc_dir;
28010 char proc_dir_name[10];
28011
28012 - atomic_t stats[IPMI_NUM_STATS];
28013 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28014
28015 /*
28016 * run_to_completion duplicate of smb_info, smi_info
28017 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28018
28019
28020 #define ipmi_inc_stat(intf, stat) \
28021 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28022 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28023 #define ipmi_get_stat(intf, stat) \
28024 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28025 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28026
28027 static int is_lan_addr(struct ipmi_addr *addr)
28028 {
28029 @@ -875,7 +875,7 @@ static int intf_err_seq(ipmi_smi_t int
28030
28031
28032 int ipmi_create_user(unsigned int if_num,
28033 - struct ipmi_user_hndl *handler,
28034 + const struct ipmi_user_hndl *handler,
28035 void *handler_data,
28036 ipmi_user_t *user)
28037 {
28038 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28039 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28040 init_waitqueue_head(&intf->waitq);
28041 for (i = 0; i < IPMI_NUM_STATS; i++)
28042 - atomic_set(&intf->stats[i], 0);
28043 + atomic_set_unchecked(&intf->stats[i], 0);
28044
28045 intf->proc_dir = NULL;
28046
28047 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
28048 struct ipmi_smi_msg smi_msg;
28049 struct ipmi_recv_msg recv_msg;
28050
28051 + pax_track_stack();
28052 +
28053 si = (struct ipmi_system_interface_addr *) &addr;
28054 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28055 si->channel = IPMI_BMC_CHANNEL;
28056 diff -urNp linux-2.6.39.1/drivers/char/ipmi/ipmi_poweroff.c linux-2.6.39.1/drivers/char/ipmi/ipmi_poweroff.c
28057 --- linux-2.6.39.1/drivers/char/ipmi/ipmi_poweroff.c 2011-05-19 00:06:34.000000000 -0400
28058 +++ linux-2.6.39.1/drivers/char/ipmi/ipmi_poweroff.c 2011-05-22 19:36:31.000000000 -0400
28059 @@ -133,7 +133,7 @@ static void receive_handler(struct ipmi_
28060 complete(comp);
28061 }
28062
28063 -static struct ipmi_user_hndl ipmi_poweroff_handler = {
28064 +static const struct ipmi_user_hndl ipmi_poweroff_handler = {
28065 .ipmi_recv_hndl = receive_handler
28066 };
28067
28068 diff -urNp linux-2.6.39.1/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.39.1/drivers/char/ipmi/ipmi_si_intf.c
28069 --- linux-2.6.39.1/drivers/char/ipmi/ipmi_si_intf.c 2011-05-19 00:06:34.000000000 -0400
28070 +++ linux-2.6.39.1/drivers/char/ipmi/ipmi_si_intf.c 2011-05-22 19:36:31.000000000 -0400
28071 @@ -276,7 +276,7 @@ struct smi_info {
28072 unsigned char slave_addr;
28073
28074 /* Counters and things for the proc filesystem. */
28075 - atomic_t stats[SI_NUM_STATS];
28076 + atomic_unchecked_t stats[SI_NUM_STATS];
28077
28078 struct task_struct *thread;
28079
28080 @@ -285,9 +285,9 @@ struct smi_info {
28081 };
28082
28083 #define smi_inc_stat(smi, stat) \
28084 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28085 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28086 #define smi_get_stat(smi, stat) \
28087 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28088 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28089
28090 #define SI_MAX_PARMS 4
28091
28092 @@ -3198,7 +3198,7 @@ static int try_smi_init(struct smi_info
28093 atomic_set(&new_smi->req_events, 0);
28094 new_smi->run_to_completion = 0;
28095 for (i = 0; i < SI_NUM_STATS; i++)
28096 - atomic_set(&new_smi->stats[i], 0);
28097 + atomic_set_unchecked(&new_smi->stats[i], 0);
28098
28099 new_smi->interrupt_disabled = 1;
28100 atomic_set(&new_smi->stop_operation, 0);
28101 diff -urNp linux-2.6.39.1/drivers/char/ipmi/ipmi_watchdog.c linux-2.6.39.1/drivers/char/ipmi/ipmi_watchdog.c
28102 --- linux-2.6.39.1/drivers/char/ipmi/ipmi_watchdog.c 2011-05-19 00:06:34.000000000 -0400
28103 +++ linux-2.6.39.1/drivers/char/ipmi/ipmi_watchdog.c 2011-05-22 19:36:31.000000000 -0400
28104 @@ -216,7 +216,7 @@ static int set_param_timeout(const char
28105 return rv;
28106 }
28107
28108 -static struct kernel_param_ops param_ops_timeout = {
28109 +static const struct kernel_param_ops param_ops_timeout = {
28110 .set = set_param_timeout,
28111 .get = param_get_int,
28112 };
28113 @@ -278,14 +278,14 @@ static int set_param_wdog_ifnum(const ch
28114 return 0;
28115 }
28116
28117 -static struct kernel_param_ops param_ops_wdog_ifnum = {
28118 +static const struct kernel_param_ops param_ops_wdog_ifnum = {
28119 .set = set_param_wdog_ifnum,
28120 .get = param_get_int,
28121 };
28122
28123 #define param_check_wdog_ifnum param_check_int
28124
28125 -static struct kernel_param_ops param_ops_str = {
28126 +static const struct kernel_param_ops param_ops_str = {
28127 .set = set_param_str,
28128 .get = get_param_str,
28129 };
28130 @@ -953,7 +953,7 @@ static void ipmi_wdog_pretimeout_handler
28131 pretimeout_since_last_heartbeat = 1;
28132 }
28133
28134 -static struct ipmi_user_hndl ipmi_hndlrs = {
28135 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28136 .ipmi_recv_hndl = ipmi_wdog_msg_handler,
28137 .ipmi_watchdog_pretimeout = ipmi_wdog_pretimeout_handler
28138 };
28139 diff -urNp linux-2.6.39.1/drivers/char/Kconfig linux-2.6.39.1/drivers/char/Kconfig
28140 --- linux-2.6.39.1/drivers/char/Kconfig 2011-05-19 00:06:34.000000000 -0400
28141 +++ linux-2.6.39.1/drivers/char/Kconfig 2011-05-22 19:41:37.000000000 -0400
28142 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
28143
28144 config DEVKMEM
28145 bool "/dev/kmem virtual device support"
28146 - default y
28147 + default n
28148 + depends on !GRKERNSEC_KMEM
28149 help
28150 Say Y here if you want to support the /dev/kmem device. The
28151 /dev/kmem device is rarely used, but can be used for certain
28152 @@ -596,6 +597,7 @@ config DEVPORT
28153 bool
28154 depends on !M68K
28155 depends on ISA || PCI
28156 + depends on !GRKERNSEC_KMEM
28157 default y
28158
28159 source "drivers/s390/char/Kconfig"
28160 diff -urNp linux-2.6.39.1/drivers/char/mem.c linux-2.6.39.1/drivers/char/mem.c
28161 --- linux-2.6.39.1/drivers/char/mem.c 2011-05-19 00:06:34.000000000 -0400
28162 +++ linux-2.6.39.1/drivers/char/mem.c 2011-05-22 19:41:37.000000000 -0400
28163 @@ -18,6 +18,7 @@
28164 #include <linux/raw.h>
28165 #include <linux/tty.h>
28166 #include <linux/capability.h>
28167 +#include <linux/security.h>
28168 #include <linux/ptrace.h>
28169 #include <linux/device.h>
28170 #include <linux/highmem.h>
28171 @@ -34,6 +35,10 @@
28172 # include <linux/efi.h>
28173 #endif
28174
28175 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28176 +extern struct file_operations grsec_fops;
28177 +#endif
28178 +
28179 static inline unsigned long size_inside_page(unsigned long start,
28180 unsigned long size)
28181 {
28182 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
28183
28184 while (cursor < to) {
28185 if (!devmem_is_allowed(pfn)) {
28186 +#ifdef CONFIG_GRKERNSEC_KMEM
28187 + gr_handle_mem_readwrite(from, to);
28188 +#else
28189 printk(KERN_INFO
28190 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28191 current->comm, from, to);
28192 +#endif
28193 return 0;
28194 }
28195 cursor += PAGE_SIZE;
28196 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
28197 }
28198 return 1;
28199 }
28200 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28201 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28202 +{
28203 + return 0;
28204 +}
28205 #else
28206 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28207 {
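Review bot: The new `CONFIG_GRKERNSEC_KMEM` variant of `range_is_allowed()` returns 0 for every range and carries no comment. Going by the `return 0` failure path of the variant above it, this refuses all access. One line above it, e.g. `/* GRKERNSEC_KMEM: no range is ever allowed */`, would stop it being read as an unfinished stub. The condition of the first `#if` branch is outside this hunk.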
28208 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
28209
28210 while (count > 0) {
28211 unsigned long remaining;
28212 + char *temp;
28213
28214 sz = size_inside_page(p, count);
28215
28216 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
28217 if (!ptr)
28218 return -EFAULT;
28219
28220 - remaining = copy_to_user(buf, ptr, sz);
28221 +#ifdef CONFIG_PAX_USERCOPY
28222 + temp = kmalloc(sz, GFP_KERNEL);
28223 + if (!temp) {
28224 + unxlate_dev_mem_ptr(p, ptr);
28225 + return -ENOMEM;
28226 + }
28227 + memcpy(temp, ptr, sz);
28228 +#else
28229 + temp = ptr;
28230 +#endif
28231 +
28232 + remaining = copy_to_user(buf, temp, sz);
28233 +
28234 +#ifdef CONFIG_PAX_USERCOPY
28235 + kfree(temp);
28236 +#endif
28237 +
28238 unxlate_dev_mem_ptr(p, ptr);
28239 if (remaining)
28240 return -EFAULT;
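Review bot: The bounce buffer is allocated with `kmalloc(sz, GFP_KERNEL)` and freed again on every pass of the `while (count > 0)` loop, so a large read pays one allocation per page. `sz` comes from `size_inside_page()` and so presumably never exceeds a page, which means one buffer obtained before the loop with `temp = kmalloc(PAGE_SIZE, GFP_KERNEL);` and released on the exit paths would serve every iteration. The `read_kmem` hunks below repeat the same pattern. A comment saying why the copy goes through a heap buffer under `CONFIG_PAX_USERCOPY` is also missing. The loop and the function's other return paths extend outside this hunk.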
28241 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
28242 size_t count, loff_t *ppos)
28243 {
28244 unsigned long p = *ppos;
28245 - ssize_t low_count, read, sz;
28246 + ssize_t low_count, read, sz, err = 0;
28247 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28248 - int err = 0;
28249
28250 read = 0;
28251 if (p < (unsigned long) high_memory) {
28252 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
28253 }
28254 #endif
28255 while (low_count > 0) {
28256 + char *temp;
28257 +
28258 sz = size_inside_page(p, low_count);
28259
28260 /*
28261 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
28262 */
28263 kbuf = xlate_dev_kmem_ptr((char *)p);
28264
28265 - if (copy_to_user(buf, kbuf, sz))
28266 +#ifdef CONFIG_PAX_USERCOPY
28267 + temp = kmalloc(sz, GFP_KERNEL);
28268 + if (!temp)
28269 + return -ENOMEM;
28270 + memcpy(temp, kbuf, sz);
28271 +#else
28272 + temp = kbuf;
28273 +#endif
28274 +
28275 + err = copy_to_user(buf, temp, sz);
28276 +
28277 +#ifdef CONFIG_PAX_USERCOPY
28278 + kfree(temp);
28279 +#endif
28280 +
28281 + if (err)
28282 return -EFAULT;
28283 buf += sz;
28284 p += sz;
28285 @@ -854,6 +901,9 @@ static const struct memdev {
28286 #ifdef CONFIG_CRASH_DUMP
28287 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28288 #endif
28289 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28290 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28291 +#endif
28292 };
28293
28294 static int memory_open(struct inode *inode, struct file *filp)
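Review bot: The new `[13]` entry registers the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing in the table says that this is deliberate. With that mode all access control rests on the handlers behind `grsec_fops`, which are defined outside this file. A comment such as `/* world-writable on purpose: requests are validated in grsec_fops */` would help, assuming that is the intent. The entry also lacks the space after the comma that the neighbouring line uses: `[13] = { "grsec", S_IRUSR | S_IWUGO, &grsec_fops, NULL },`. The table starts above this hunk.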
28295 diff -urNp linux-2.6.39.1/drivers/char/mmtimer.c linux-2.6.39.1/drivers/char/mmtimer.c
28296 --- linux-2.6.39.1/drivers/char/mmtimer.c 2011-05-19 00:06:34.000000000 -0400
28297 +++ linux-2.6.39.1/drivers/char/mmtimer.c 2011-05-22 19:36:31.000000000 -0400
28298 @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
28299
28300 #define RTC_BITS 55 /* 55 bits for this implementation */
28301
28302 -static struct k_clock sgi_clock;
28303 +static const struct k_clock sgi_clock;
28304
28305 extern unsigned long sn_rtc_cycles_per_second;
28306
28307 @@ -772,7 +772,7 @@ static int sgi_clock_getres(const clocki
28308 return 0;
28309 }
28310
28311 -static struct k_clock sgi_clock = {
28312 +static const struct k_clock sgi_clock = {
28313 .clock_set = sgi_clock_set,
28314 .clock_get = sgi_clock_get,
28315 .clock_getres = sgi_clock_getres,
28316 diff -urNp linux-2.6.39.1/drivers/char/nvram.c linux-2.6.39.1/drivers/char/nvram.c
28317 --- linux-2.6.39.1/drivers/char/nvram.c 2011-05-19 00:06:34.000000000 -0400
28318 +++ linux-2.6.39.1/drivers/char/nvram.c 2011-05-22 19:36:31.000000000 -0400
28319 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
28320
28321 spin_unlock_irq(&rtc_lock);
28322
28323 - if (copy_to_user(buf, contents, tmp - contents))
28324 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
28325 return -EFAULT;
28326
28327 *ppos = i;
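Review bot: The added `tmp - contents > sizeof(contents)` test runs only at copy-out, so it bounds what reaches user space but cannot undo a write past `contents` if the code that advances `tmp` (outside the hunk) ever overran the array. The comparison also mixes a signed pointer difference with `size_t` and computes the length twice. Taking it once, `size_t len = tmp - contents;` followed by `if (len > sizeof(contents) || copy_to_user(buf, contents, len))`, makes the conversion explicit. Returning `-EFAULT` for an internal invariant failure is indistinguishable from a bad user pointer, which deserves a one-line comment. The same guard shape is added in `extract_entropy_user` in drivers/char/random.c (`i > sizeof(tmp)`, with `i` an `int`).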
28328 diff -urNp linux-2.6.39.1/drivers/char/random.c linux-2.6.39.1/drivers/char/random.c
28329 --- linux-2.6.39.1/drivers/char/random.c 2011-05-19 00:06:34.000000000 -0400
28330 +++ linux-2.6.39.1/drivers/char/random.c 2011-05-22 19:41:37.000000000 -0400
28331 @@ -261,8 +261,13 @@
28332 /*
28333 * Configuration information
28334 */
28335 +#ifdef CONFIG_GRKERNSEC_RANDNET
28336 +#define INPUT_POOL_WORDS 512
28337 +#define OUTPUT_POOL_WORDS 128
28338 +#else
28339 #define INPUT_POOL_WORDS 128
28340 #define OUTPUT_POOL_WORDS 32
28341 +#endif
28342 #define SEC_XFER_SIZE 512
28343 #define EXTRACT_SIZE 10
28344
28345 @@ -300,10 +305,17 @@ static struct poolinfo {
28346 int poolwords;
28347 int tap1, tap2, tap3, tap4, tap5;
28348 } poolinfo_table[] = {
28349 +#ifdef CONFIG_GRKERNSEC_RANDNET
28350 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28351 + { 512, 411, 308, 208, 104, 1 },
28352 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28353 + { 128, 103, 76, 51, 25, 1 },
28354 +#else
28355 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28356 { 128, 103, 76, 51, 25, 1 },
28357 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28358 { 32, 26, 20, 14, 7, 1 },
28359 +#endif
28360 #if 0
28361 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28362 { 2048, 1638, 1231, 819, 411, 1 },
28363 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
28364
28365 extract_buf(r, tmp);
28366 i = min_t(int, nbytes, EXTRACT_SIZE);
28367 - if (copy_to_user(buf, tmp, i)) {
28368 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
28369 ret = -EFAULT;
28370 break;
28371 }
28372 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28373 #include <linux/sysctl.h>
28374
28375 static int min_read_thresh = 8, min_write_thresh;
28376 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28377 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28378 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28379 static char sysctl_bootid[16];
28380
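Review bot: `max_read_thresh` is switched to `OUTPUT_POOL_WORDS * 32` unconditionally, so the sysctl upper bound also changes on kernels built without CONFIG_GRKERNSEC_RANDNET. With the pool sizes defined in the first hunk of this file, the bound stays 4096 when RANDNET is on (128 * 32) but drops from 4096 to 1024 when it is off (32 * 32). If only the RANDNET case was meant to stay at 4096, the initialiser should be made conditional. Otherwise the reduced bound should be recorded next to it, e.g. `/* NOTE: 1024 bits without CONFIG_GRKERNSEC_RANDNET (was 4096) */`. `max_write_thresh` on the next line keeps `INPUT_POOL_WORDS * 32`.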
28381 diff -urNp linux-2.6.39.1/drivers/char/sonypi.c linux-2.6.39.1/drivers/char/sonypi.c
28382 --- linux-2.6.39.1/drivers/char/sonypi.c 2011-05-19 00:06:34.000000000 -0400
28383 +++ linux-2.6.39.1/drivers/char/sonypi.c 2011-05-22 19:36:31.000000000 -0400
28384 @@ -55,6 +55,7 @@
28385 #include <asm/uaccess.h>
28386 #include <asm/io.h>
28387 #include <asm/system.h>
28388 +#include <asm/local.h>
28389
28390 #include <linux/sonypi.h>
28391
28392 @@ -491,7 +492,7 @@ static struct sonypi_device {
28393 spinlock_t fifo_lock;
28394 wait_queue_head_t fifo_proc_list;
28395 struct fasync_struct *fifo_async;
28396 - int open_count;
28397 + local_t open_count;
28398 int model;
28399 struct input_dev *input_jog_dev;
28400 struct input_dev *input_key_dev;
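Review bot: `open_count` becomes a `local_t`, a type meant for per-CPU counters, yet it lives in the single global `sonypi_device` and is only touched under `sonypi_device.lock` in the release and open hunks that follow. The mutex, not the counter type, keeps the first-open test and the increment consistent, and the field has no comment saying so. `local_t open_count; /* serialised by sonypi_device.lock */` would record it. The struct starts and ends outside the hunk.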
28401 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
28402 static int sonypi_misc_release(struct inode *inode, struct file *file)
28403 {
28404 mutex_lock(&sonypi_device.lock);
28405 - sonypi_device.open_count--;
28406 + local_dec(&sonypi_device.open_count);
28407 mutex_unlock(&sonypi_device.lock);
28408 return 0;
28409 }
28410 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
28411 {
28412 mutex_lock(&sonypi_device.lock);
28413 /* Flush input queue on first open */
28414 - if (!sonypi_device.open_count)
28415 + if (!local_read(&sonypi_device.open_count))
28416 kfifo_reset(&sonypi_device.fifo);
28417 - sonypi_device.open_count++;
28418 + local_inc(&sonypi_device.open_count);
28419 mutex_unlock(&sonypi_device.lock);
28420
28421 return 0;
28422 diff -urNp linux-2.6.39.1/drivers/char/tpm/tpm_bios.c linux-2.6.39.1/drivers/char/tpm/tpm_bios.c
28423 --- linux-2.6.39.1/drivers/char/tpm/tpm_bios.c 2011-05-19 00:06:34.000000000 -0400
28424 +++ linux-2.6.39.1/drivers/char/tpm/tpm_bios.c 2011-05-22 19:36:31.000000000 -0400
28425 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
28426 event = addr;
28427
28428 if ((event->event_type == 0 && event->event_size == 0) ||
28429 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28430 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28431 return NULL;
28432
28433 return addr;
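Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only correct while at least `sizeof(struct tcpa_event)` bytes remain before `limit`; with fewer, the subtraction is likely to wrap to a very large unsigned value and the test can no longer reject the entry. The old form presumably had the opposite weakness (the addition could overflow on a huge `event_size`), so the change is sound provided a header-fits check, which would lie outside this hunk, still runs first. A comment at the test, `/* header already known to fit below limit, so the subtraction cannot wrap */`, would pin that dependency. The same rewrite and the same dependency apply to the `v` variant in `tpm_bios_measurements_next`. Both function bodies begin outside their hunks.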
28434 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
28435 return NULL;
28436
28437 if ((event->event_type == 0 && event->event_size == 0) ||
28438 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28439 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28440 return NULL;
28441
28442 (*pos)++;
28443 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
28444 int i;
28445
28446 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28447 - seq_putc(m, data[i]);
28448 + if (!seq_putc(m, data[i]))
28449 + return -EFAULT;
28450
28451 return 0;
28452 }
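Review bot: The new test `if (!seq_putc(m, data[i]))` treats a zero return as failure, but in this kernel generation `seq_putc()` returns 0 when the byte was stored and -1 when the buffer is full, as far as I can tell without fs/seq_file.c in view. If that is right, the loop returns `-EFAULT` after the first byte is written and keeps looping once the buffer is full, the reverse of what is wanted. The condition should then be `if (seq_putc(m, data[i]))`. It is also worth checking whether an error return is needed at all, since the seq_file core normally retries a show callback with a larger buffer on overflow. The function starts outside the hunk.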
28453 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
28454 log->bios_event_log_end = log->bios_event_log + len;
28455
28456 virt = acpi_os_map_memory(start, len);
28457 + if (!virt) {
28458 + kfree(log->bios_event_log);
28459 + log->bios_event_log = NULL;
28460 + return -EFAULT;
28461 + }
28462
28463 memcpy(log->bios_event_log, virt, len);
28464
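Review bot: On the new `!virt` path `log->bios_event_log` is freed and cleared, but `log->bios_event_log_end`, assigned just above from the now-freed pointer, is left dangling. Clearing it too, `log->bios_event_log_end = NULL;`, keeps the pair consistent for any later reader of the log structure. `-EFAULT` is also an odd code for a failed mapping; `-EIO` or `-ENOMEM` would describe it better, unless callers outside the hunk depend on the value. The function begins and continues outside the hunk.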
28465 diff -urNp linux-2.6.39.1/drivers/char/tpm/tpm.c linux-2.6.39.1/drivers/char/tpm/tpm.c
28466 --- linux-2.6.39.1/drivers/char/tpm/tpm.c 2011-05-19 00:06:34.000000000 -0400
28467 +++ linux-2.6.39.1/drivers/char/tpm/tpm.c 2011-05-22 19:36:31.000000000 -0400
28468 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
28469 chip->vendor.req_complete_val)
28470 goto out_recv;
28471
28472 - if ((status == chip->vendor.req_canceled)) {
28473 + if (status == chip->vendor.req_canceled) {
28474 dev_err(chip->dev, "Operation Canceled\n");
28475 rc = -ECANCELED;
28476 goto out;
28477 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
28478
28479 struct tpm_chip *chip = dev_get_drvdata(dev);
28480
28481 + pax_track_stack();
28482 +
28483 tpm_cmd.header.in = tpm_readpubek_header;
28484 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28485 "attempting to read the PUBEK");
28486 diff -urNp linux-2.6.39.1/drivers/char/ttyprintk.c linux-2.6.39.1/drivers/char/ttyprintk.c
28487 --- linux-2.6.39.1/drivers/char/ttyprintk.c 2011-05-19 00:06:34.000000000 -0400
28488 +++ linux-2.6.39.1/drivers/char/ttyprintk.c 2011-05-22 19:36:31.000000000 -0400
28489 @@ -170,7 +170,7 @@ static const struct tty_operations ttypr
28490 .ioctl = tpk_ioctl,
28491 };
28492
28493 -struct tty_port_operations null_ops = { };
28494 +const struct tty_port_operations null_ops = { };
28495
28496 static struct tty_driver *ttyprintk_driver;
28497
28498 diff -urNp linux-2.6.39.1/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.39.1/drivers/char/xilinx_hwicap/xilinx_hwicap.c
28499 --- linux-2.6.39.1/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-19 00:06:34.000000000 -0400
28500 +++ linux-2.6.39.1/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-22 19:36:31.000000000 -0400
28501 @@ -678,14 +678,14 @@ static int __devinit hwicap_setup(struct
28502 return retval;
28503 }
28504
28505 -static struct hwicap_driver_config buffer_icap_config = {
28506 +static const struct hwicap_driver_config buffer_icap_config = {
28507 .get_configuration = buffer_icap_get_configuration,
28508 .set_configuration = buffer_icap_set_configuration,
28509 .get_status = buffer_icap_get_status,
28510 .reset = buffer_icap_reset,
28511 };
28512
28513 -static struct hwicap_driver_config fifo_icap_config = {
28514 +static const struct hwicap_driver_config fifo_icap_config = {
28515 .get_configuration = fifo_icap_get_configuration,
28516 .set_configuration = fifo_icap_set_configuration,
28517 .get_status = fifo_icap_get_status,
28518 diff -urNp linux-2.6.39.1/drivers/crypto/hifn_795x.c linux-2.6.39.1/drivers/crypto/hifn_795x.c
28519 --- linux-2.6.39.1/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
28520 +++ linux-2.6.39.1/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
28521 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28522 0xCA, 0x34, 0x2B, 0x2E};
28523 struct scatterlist sg;
28524
28525 + pax_track_stack();
28526 +
28527 memset(src, 0, sizeof(src));
28528 memset(ctx.key, 0, sizeof(ctx.key));
28529
28530 diff -urNp linux-2.6.39.1/drivers/crypto/padlock-aes.c linux-2.6.39.1/drivers/crypto/padlock-aes.c
28531 --- linux-2.6.39.1/drivers/crypto/padlock-aes.c 2011-05-19 00:06:34.000000000 -0400
28532 +++ linux-2.6.39.1/drivers/crypto/padlock-aes.c 2011-05-22 19:36:31.000000000 -0400
28533 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
28534 struct crypto_aes_ctx gen_aes;
28535 int cpu;
28536
28537 + pax_track_stack();
28538 +
28539 if (key_len % 8) {
28540 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28541 return -EINVAL;
28542 diff -urNp linux-2.6.39.1/drivers/dca/dca-core.c linux-2.6.39.1/drivers/dca/dca-core.c
28543 --- linux-2.6.39.1/drivers/dca/dca-core.c 2011-05-19 00:06:34.000000000 -0400
28544 +++ linux-2.6.39.1/drivers/dca/dca-core.c 2011-05-22 19:36:31.000000000 -0400
28545 @@ -325,7 +325,7 @@ EXPORT_SYMBOL_GPL(dca_get_tag);
28546 * @ops - pointer to struct of dca operation function pointers
28547 * @priv_size - size of extra mem to be added for provider's needs
28548 */
28549 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size)
28550 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size)
28551 {
28552 struct dca_provider *dca;
28553 int alloc_size;
28554 diff -urNp linux-2.6.39.1/drivers/dma/ioat/dca.c linux-2.6.39.1/drivers/dma/ioat/dca.c
28555 --- linux-2.6.39.1/drivers/dma/ioat/dca.c 2011-05-19 00:06:34.000000000 -0400
28556 +++ linux-2.6.39.1/drivers/dma/ioat/dca.c 2011-05-22 19:36:31.000000000 -0400
28557 @@ -234,7 +234,7 @@ static int ioat_dca_dev_managed(struct d
28558 return 0;
28559 }
28560
28561 -static struct dca_ops ioat_dca_ops = {
28562 +static const struct dca_ops ioat_dca_ops = {
28563 .add_requester = ioat_dca_add_requester,
28564 .remove_requester = ioat_dca_remove_requester,
28565 .get_tag = ioat_dca_get_tag,
28566 @@ -384,7 +384,7 @@ static u8 ioat2_dca_get_tag(struct dca_p
28567 return tag;
28568 }
28569
28570 -static struct dca_ops ioat2_dca_ops = {
28571 +static const struct dca_ops ioat2_dca_ops = {
28572 .add_requester = ioat2_dca_add_requester,
28573 .remove_requester = ioat2_dca_remove_requester,
28574 .get_tag = ioat2_dca_get_tag,
28575 @@ -579,7 +579,7 @@ static u8 ioat3_dca_get_tag(struct dca_p
28576 return tag;
28577 }
28578
28579 -static struct dca_ops ioat3_dca_ops = {
28580 +static const struct dca_ops ioat3_dca_ops = {
28581 .add_requester = ioat3_dca_add_requester,
28582 .remove_requester = ioat3_dca_remove_requester,
28583 .get_tag = ioat3_dca_get_tag,
28584 diff -urNp linux-2.6.39.1/drivers/edac/amd64_edac.h linux-2.6.39.1/drivers/edac/amd64_edac.h
28585 --- linux-2.6.39.1/drivers/edac/amd64_edac.h 2011-05-19 00:06:34.000000000 -0400
28586 +++ linux-2.6.39.1/drivers/edac/amd64_edac.h 2011-05-22 19:36:31.000000000 -0400
28587 @@ -333,7 +333,7 @@ struct chip_select {
28588 };
28589
28590 struct amd64_pvt {
28591 - struct low_ops *ops;
28592 + const struct low_ops *ops;
28593
28594 /* pci_device handles which we utilize */
28595 struct pci_dev *F1, *F2, *F3;
28596 @@ -443,7 +443,7 @@ struct low_ops {
28597 struct amd64_family_type {
28598 const char *ctl_name;
28599 u16 f1_id, f3_id;
28600 - struct low_ops ops;
28601 + const struct low_ops ops;
28602 };
28603
28604 int __amd64_write_pci_cfg_dword(struct pci_dev *pdev, int offset,
28605 diff -urNp linux-2.6.39.1/drivers/edac/edac_mc_sysfs.c linux-2.6.39.1/drivers/edac/edac_mc_sysfs.c
28606 --- linux-2.6.39.1/drivers/edac/edac_mc_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28607 +++ linux-2.6.39.1/drivers/edac/edac_mc_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28608 @@ -760,7 +760,7 @@ static void edac_inst_grp_release(struct
28609 }
28610
28611 /* Intermediate show/store table */
28612 -static struct sysfs_ops inst_grp_ops = {
28613 +static const struct sysfs_ops inst_grp_ops = {
28614 .show = inst_grp_show,
28615 .store = inst_grp_store
28616 };
28617 diff -urNp linux-2.6.39.1/drivers/edac/edac_pci_sysfs.c linux-2.6.39.1/drivers/edac/edac_pci_sysfs.c
28618 --- linux-2.6.39.1/drivers/edac/edac_pci_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28619 +++ linux-2.6.39.1/drivers/edac/edac_pci_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28620 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
28621 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
28622 static int edac_pci_poll_msec = 1000; /* one second workq period */
28623
28624 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
28625 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
28626 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
28627 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
28628
28629 static struct kobject *edac_pci_top_main_kobj;
28630 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
28631 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
28632 edac_printk(KERN_CRIT, EDAC_PCI,
28633 "Signaled System Error on %s\n",
28634 pci_name(dev));
28635 - atomic_inc(&pci_nonparity_count);
28636 + atomic_inc_unchecked(&pci_nonparity_count);
28637 }
28638
28639 if (status & (PCI_STATUS_PARITY)) {
28640 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
28641 "Master Data Parity Error on %s\n",
28642 pci_name(dev));
28643
28644 - atomic_inc(&pci_parity_count);
28645 + atomic_inc_unchecked(&pci_parity_count);
28646 }
28647
28648 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28649 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
28650 "Detected Parity Error on %s\n",
28651 pci_name(dev));
28652
28653 - atomic_inc(&pci_parity_count);
28654 + atomic_inc_unchecked(&pci_parity_count);
28655 }
28656 }
28657
28658 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
28659 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
28660 "Signaled System Error on %s\n",
28661 pci_name(dev));
28662 - atomic_inc(&pci_nonparity_count);
28663 + atomic_inc_unchecked(&pci_nonparity_count);
28664 }
28665
28666 if (status & (PCI_STATUS_PARITY)) {
28667 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
28668 "Master Data Parity Error on "
28669 "%s\n", pci_name(dev));
28670
28671 - atomic_inc(&pci_parity_count);
28672 + atomic_inc_unchecked(&pci_parity_count);
28673 }
28674
28675 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28676 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
28677 "Detected Parity Error on %s\n",
28678 pci_name(dev));
28679
28680 - atomic_inc(&pci_parity_count);
28681 + atomic_inc_unchecked(&pci_parity_count);
28682 }
28683 }
28684 }
28685 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
28686 if (!check_pci_errors)
28687 return;
28688
28689 - before_count = atomic_read(&pci_parity_count);
28690 + before_count = atomic_read_unchecked(&pci_parity_count);
28691
28692 /* scan all PCI devices looking for a Parity Error on devices and
28693 * bridges.
28694 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
28695 /* Only if operator has selected panic on PCI Error */
28696 if (edac_pci_get_panic_on_pe()) {
28697 /* If the count is different 'after' from 'before' */
28698 - if (before_count != atomic_read(&pci_parity_count))
28699 + if (before_count != atomic_read_unchecked(&pci_parity_count))
28700 panic("EDAC: PCI Parity Error");
28701 }
28702 }
28703 diff -urNp linux-2.6.39.1/drivers/firewire/core-cdev.c linux-2.6.39.1/drivers/firewire/core-cdev.c
28704 --- linux-2.6.39.1/drivers/firewire/core-cdev.c 2011-05-19 00:06:34.000000000 -0400
28705 +++ linux-2.6.39.1/drivers/firewire/core-cdev.c 2011-05-22 19:36:31.000000000 -0400
28706 @@ -1312,8 +1312,7 @@ static int init_iso_resource(struct clie
28707 int ret;
28708
28709 if ((request->channels == 0 && request->bandwidth == 0) ||
28710 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
28711 - request->bandwidth < 0)
28712 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
28713 return -EINVAL;
28714
28715 r = kmalloc(sizeof(*r), GFP_KERNEL);
28716 diff -urNp linux-2.6.39.1/drivers/firewire/core-transaction.c linux-2.6.39.1/drivers/firewire/core-transaction.c
28717 --- linux-2.6.39.1/drivers/firewire/core-transaction.c 2011-05-19 00:06:34.000000000 -0400
28718 +++ linux-2.6.39.1/drivers/firewire/core-transaction.c 2011-05-22 19:36:31.000000000 -0400
28719 @@ -36,6 +36,7 @@
28720 #include <linux/string.h>
28721 #include <linux/timer.h>
28722 #include <linux/types.h>
28723 +#include <linux/sched.h>
28724
28725 #include <asm/byteorder.h>
28726
28727 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
28728 struct transaction_callback_data d;
28729 struct fw_transaction t;
28730
28731 + pax_track_stack();
28732 +
28733 init_timer_on_stack(&t.split_timeout_timer);
28734 init_completion(&d.done);
28735 d.payload = payload;
28736 diff -urNp linux-2.6.39.1/drivers/firmware/dmi_scan.c linux-2.6.39.1/drivers/firmware/dmi_scan.c
28737 --- linux-2.6.39.1/drivers/firmware/dmi_scan.c 2011-05-19 00:06:34.000000000 -0400
28738 +++ linux-2.6.39.1/drivers/firmware/dmi_scan.c 2011-05-22 19:36:31.000000000 -0400
28739 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
28740 }
28741 }
28742 else {
28743 - /*
28744 - * no iounmap() for that ioremap(); it would be a no-op, but
28745 - * it's so early in setup that sucker gets confused into doing
28746 - * what it shouldn't if we actually call it.
28747 - */
28748 p = dmi_ioremap(0xF0000, 0x10000);
28749 if (p == NULL)
28750 goto error;
28751 diff -urNp linux-2.6.39.1/drivers/gpio/vr41xx_giu.c linux-2.6.39.1/drivers/gpio/vr41xx_giu.c
28752 --- linux-2.6.39.1/drivers/gpio/vr41xx_giu.c 2011-05-19 00:06:34.000000000 -0400
28753 +++ linux-2.6.39.1/drivers/gpio/vr41xx_giu.c 2011-05-22 19:36:31.000000000 -0400
28754 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
28755 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
28756 maskl, pendl, maskh, pendh);
28757
28758 - atomic_inc(&irq_err_count);
28759 + atomic_inc_unchecked(&irq_err_count);
28760
28761 return -EINVAL;
28762 }
28763 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.39.1/drivers/gpu/drm/drm_crtc_helper.c
28764 --- linux-2.6.39.1/drivers/gpu/drm/drm_crtc_helper.c 2011-05-19 00:06:34.000000000 -0400
28765 +++ linux-2.6.39.1/drivers/gpu/drm/drm_crtc_helper.c 2011-05-22 19:36:31.000000000 -0400
28766 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
28767 struct drm_crtc *tmp;
28768 int crtc_mask = 1;
28769
28770 - WARN(!crtc, "checking null crtc?\n");
28771 + BUG_ON(!crtc);
28772
28773 dev = crtc->dev;
28774
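Review bot: Replacing `WARN(!crtc, ...)` with `BUG_ON(!crtc)` turns a diagnosable condition into a fatal one for the calling context, and it drops the message that said what was wrong. Since `drm_encoder_crtc_ok` returns `bool`, the NULL case can be refused before the dereference on the next line: `if (WARN_ON(!crtc)) return false;`. If stopping is the deliberate policy here, a comment saying so (`/* a NULL crtc would be dereferenced just below; stop here instead */`) would explain the choice. The function body continues outside the hunk.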
28775 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
28776 struct drm_encoder *encoder;
28777 bool ret = true;
28778
28779 + pax_track_stack();
28780 +
28781 crtc->enabled = drm_helper_crtc_in_use(crtc);
28782 if (!crtc->enabled)
28783 return true;
28784 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_drv.c linux-2.6.39.1/drivers/gpu/drm/drm_drv.c
28785 --- linux-2.6.39.1/drivers/gpu/drm/drm_drv.c 2011-05-19 00:06:34.000000000 -0400
28786 +++ linux-2.6.39.1/drivers/gpu/drm/drm_drv.c 2011-05-22 19:36:31.000000000 -0400
28787 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
28788
28789 dev = file_priv->minor->dev;
28790 atomic_inc(&dev->ioctl_count);
28791 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
28792 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
28793 ++file_priv->ioctl_count;
28794
28795 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
28796 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_fops.c linux-2.6.39.1/drivers/gpu/drm/drm_fops.c
28797 --- linux-2.6.39.1/drivers/gpu/drm/drm_fops.c 2011-05-19 00:06:34.000000000 -0400
28798 +++ linux-2.6.39.1/drivers/gpu/drm/drm_fops.c 2011-05-22 19:36:31.000000000 -0400
28799 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
28800 }
28801
28802 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
28803 - atomic_set(&dev->counts[i], 0);
28804 + atomic_set_unchecked(&dev->counts[i], 0);
28805
28806 dev->sigdata.lock = NULL;
28807
28808 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
28809
28810 retcode = drm_open_helper(inode, filp, dev);
28811 if (!retcode) {
28812 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
28813 - if (!dev->open_count++)
28814 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
28815 + if (local_inc_return(&dev->open_count) == 1)
28816 retcode = drm_setup(dev);
28817 }
28818 if (!retcode) {
28819 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
28820
28821 mutex_lock(&drm_global_mutex);
28822
28823 - DRM_DEBUG("open_count = %d\n", dev->open_count);
28824 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
28825
28826 if (dev->driver->preclose)
28827 dev->driver->preclose(dev, file_priv);
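Review bot: `local_read(&dev->open_count)` is passed to a `%d` conversion in `DRM_DEBUG("open_count = %d\n", ...)`, but `local_read()` yields a `long` on the architectures I know of, so format and argument no longer match on 64-bit builds. The format should become `%ld`, i.e. `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The same mismatch is introduced in the following hunk of `drm_release`, where the last `%d` of the `pid = %d, device = 0x%lx, open_count = %d` message now receives `local_read(&dev->open_count)`. The function starts and ends outside both hunks.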
28828 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
28829 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
28830 task_pid_nr(current),
28831 (long)old_encode_dev(file_priv->minor->device),
28832 - dev->open_count);
28833 + local_read(&dev->open_count));
28834
28835 /* if the master has gone away we can't do anything with the lock */
28836 if (file_priv->minor->master)
28837 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
28838 * End inline drm_release
28839 */
28840
28841 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
28842 - if (!--dev->open_count) {
28843 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
28844 + if (local_dec_and_test(&dev->open_count)) {
28845 if (atomic_read(&dev->ioctl_count)) {
28846 DRM_ERROR("Device busy: %d\n",
28847 atomic_read(&dev->ioctl_count));
28848 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_global.c linux-2.6.39.1/drivers/gpu/drm/drm_global.c
28849 --- linux-2.6.39.1/drivers/gpu/drm/drm_global.c 2011-05-19 00:06:34.000000000 -0400
28850 +++ linux-2.6.39.1/drivers/gpu/drm/drm_global.c 2011-05-22 19:36:31.000000000 -0400
28851 @@ -36,7 +36,7 @@
28852 struct drm_global_item {
28853 struct mutex mutex;
28854 void *object;
28855 - int refcount;
28856 + atomic_t refcount;
28857 };
28858
28859 static struct drm_global_item glob[DRM_GLOBAL_NUM];
28860 @@ -49,7 +49,7 @@ void drm_global_init(void)
28861 struct drm_global_item *item = &glob[i];
28862 mutex_init(&item->mutex);
28863 item->object = NULL;
28864 - item->refcount = 0;
28865 + atomic_set(&item->refcount, 0);
28866 }
28867 }
28868
28869 @@ -59,7 +59,7 @@ void drm_global_release(void)
28870 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
28871 struct drm_global_item *item = &glob[i];
28872 BUG_ON(item->object != NULL);
28873 - BUG_ON(item->refcount != 0);
28874 + BUG_ON(atomic_read(&item->refcount) != 0);
28875 }
28876 }
28877
28878 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
28879 void *object;
28880
28881 mutex_lock(&item->mutex);
28882 - if (item->refcount == 0) {
28883 + if (atomic_read(&item->refcount) == 0) {
28884 item->object = kzalloc(ref->size, GFP_KERNEL);
28885 if (unlikely(item->object == NULL)) {
28886 ret = -ENOMEM;
28887 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
28888 goto out_err;
28889
28890 }
28891 - ++item->refcount;
28892 + atomic_inc(&item->refcount);
28893 ref->object = item->object;
28894 object = item->object;
28895 mutex_unlock(&item->mutex);
28896 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
28897 struct drm_global_item *item = &glob[ref->global_type];
28898
28899 mutex_lock(&item->mutex);
28900 - BUG_ON(item->refcount == 0);
28901 + BUG_ON(atomic_read(&item->refcount) == 0);
28902 BUG_ON(ref->object != item->object);
28903 - if (--item->refcount == 0) {
28904 + if (atomic_dec_and_test(&item->refcount)) {
28905 ref->release(ref);
28906 item->object = NULL;
28907 }
28908 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_info.c linux-2.6.39.1/drivers/gpu/drm/drm_info.c
28909 --- linux-2.6.39.1/drivers/gpu/drm/drm_info.c 2011-05-19 00:06:34.000000000 -0400
28910 +++ linux-2.6.39.1/drivers/gpu/drm/drm_info.c 2011-05-22 19:41:37.000000000 -0400
28911 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
28912 struct drm_local_map *map;
28913 struct drm_map_list *r_list;
28914
28915 - /* Hardcoded from _DRM_FRAME_BUFFER,
28916 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
28917 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
28918 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
28919 + static const char * const types[] = {
28920 + [_DRM_FRAME_BUFFER] = "FB",
28921 + [_DRM_REGISTERS] = "REG",
28922 + [_DRM_SHM] = "SHM",
28923 + [_DRM_AGP] = "AGP",
28924 + [_DRM_SCATTER_GATHER] = "SG",
28925 + [_DRM_CONSISTENT] = "PCI",
28926 + [_DRM_GEM] = "GEM" };
28927 const char *type;
28928 int i;
28929
28930 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
28931 map = r_list->map;
28932 if (!map)
28933 continue;
28934 - if (map->type < 0 || map->type > 5)
28935 + if (map->type >= ARRAY_SIZE(types))
28936 type = "??";
28937 else
28938 type = types[map->type];
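Review bot: With `types[]` now built from designated initialisers (previous hunk), `map->type >= ARRAY_SIZE(types)` no longer guarantees a non-NULL string: any value below the largest index that has no initialiser leaves a NULL slot. The map type values are not visible here, so this may be purely theoretical, but the guard is cheap to complete: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. The dropped `map->type < 0` test is covered only because the comparison against `ARRAY_SIZE()` is unsigned, which deserves a short comment. The function continues outside the hunk.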
28939 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
28940 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
28941 vma->vm_flags & VM_LOCKED ? 'l' : '-',
28942 vma->vm_flags & VM_IO ? 'i' : '-',
28943 +#ifdef CONFIG_GRKERNSEC_HIDESYM
28944 + 0);
28945 +#else
28946 vma->vm_pgoff);
28947 +#endif
28948
28949 #if defined(__i386__)
28950 pgprot = pgprot_val(vma->vm_page_prot);
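Review bot: Under CONFIG_GRKERNSEC_HIDESYM the argument becomes the plain `int` literal `0`, while the `#else` branch passes `vma->vm_pgoff`, which is an `unsigned long`. The format string is outside the hunk, but if its conversion for this slot is a long one, the HIDESYM build passes an argument of the wrong width through varargs; writing `0UL);` keeps both branches the same type. Splitting a call's closing `);` across `#ifdef` arms is also fragile to edit. A local such as `unsigned long pgoff = 0;`, assigned from `vma->vm_pgoff` under `#ifndef CONFIG_GRKERNSEC_HIDESYM`, would keep the call intact.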
28951 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.39.1/drivers/gpu/drm/drm_ioctl.c
28952 --- linux-2.6.39.1/drivers/gpu/drm/drm_ioctl.c 2011-05-19 00:06:34.000000000 -0400
28953 +++ linux-2.6.39.1/drivers/gpu/drm/drm_ioctl.c 2011-05-22 19:36:31.000000000 -0400
28954 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
28955 stats->data[i].value =
28956 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
28957 else
28958 - stats->data[i].value = atomic_read(&dev->counts[i]);
28959 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
28960 stats->data[i].type = dev->types[i];
28961 }
28962
28963 diff -urNp linux-2.6.39.1/drivers/gpu/drm/drm_lock.c linux-2.6.39.1/drivers/gpu/drm/drm_lock.c
28964 --- linux-2.6.39.1/drivers/gpu/drm/drm_lock.c 2011-05-19 00:06:34.000000000 -0400
28965 +++ linux-2.6.39.1/drivers/gpu/drm/drm_lock.c 2011-05-22 19:36:31.000000000 -0400
28966 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
28967 if (drm_lock_take(&master->lock, lock->context)) {
28968 master->lock.file_priv = file_priv;
28969 master->lock.lock_time = jiffies;
28970 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
28971 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
28972 break; /* Got lock */
28973 }
28974
28975 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
28976 return -EINVAL;
28977 }
28978
28979 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
28980 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
28981
28982 if (drm_lock_free(&master->lock, lock->context)) {
28983 /* FIXME: Should really bail out here. */
28984 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.39.1/drivers/gpu/drm/i810/i810_dma.c
28985 --- linux-2.6.39.1/drivers/gpu/drm/i810/i810_dma.c 2011-05-19 00:06:34.000000000 -0400
28986 +++ linux-2.6.39.1/drivers/gpu/drm/i810/i810_dma.c 2011-05-22 19:36:31.000000000 -0400
28987 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
28988 dma->buflist[vertex->idx],
28989 vertex->discard, vertex->used);
28990
28991 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
28992 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
28993 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
28994 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
28995 sarea_priv->last_enqueue = dev_priv->counter - 1;
28996 sarea_priv->last_dispatch = (int)hw_status[5];
28997
28998 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
28999 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29000 mc->last_render);
29001
29002 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29003 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29004 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29005 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29006 sarea_priv->last_enqueue = dev_priv->counter - 1;
29007 sarea_priv->last_dispatch = (int)hw_status[5];
29008
29009 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i810/i810_drv.h linux-2.6.39.1/drivers/gpu/drm/i810/i810_drv.h
29010 --- linux-2.6.39.1/drivers/gpu/drm/i810/i810_drv.h 2011-05-19 00:06:34.000000000 -0400
29011 +++ linux-2.6.39.1/drivers/gpu/drm/i810/i810_drv.h 2011-05-22 19:36:31.000000000 -0400
29012 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29013 int page_flipping;
29014
29015 wait_queue_head_t irq_queue;
29016 - atomic_t irq_received;
29017 - atomic_t irq_emitted;
29018 + atomic_unchecked_t irq_received;
29019 + atomic_unchecked_t irq_emitted;
29020
29021 int front_offset;
29022 } drm_i810_private_t;
29023 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7017.c
29024 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-19 00:06:34.000000000 -0400
29025 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-22 19:36:31.000000000 -0400
29026 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
29027 }
29028 }
29029
29030 -struct intel_dvo_dev_ops ch7017_ops = {
29031 +const struct intel_dvo_dev_ops ch7017_ops = {
29032 .init = ch7017_init,
29033 .detect = ch7017_detect,
29034 .mode_valid = ch7017_mode_valid,
29035 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7xxx.c
29036 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-19 00:06:34.000000000 -0400
29037 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-22 19:36:31.000000000 -0400
29038 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
29039 }
29040 }
29041
29042 -struct intel_dvo_dev_ops ch7xxx_ops = {
29043 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29044 .init = ch7xxx_init,
29045 .detect = ch7xxx_detect,
29046 .mode_valid = ch7xxx_mode_valid,
29047 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo.h linux-2.6.39.1/drivers/gpu/drm/i915/dvo.h
29048 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo.h 2011-05-19 00:06:34.000000000 -0400
29049 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo.h 2011-05-22 19:36:31.000000000 -0400
29050 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
29051 *
29052 * \return singly-linked list of modes or NULL if no modes found.
29053 */
29054 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29055 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29056
29057 /**
29058 * Clean up driver-specific bits of the output
29059 */
29060 - void (*destroy) (struct intel_dvo_device *dvo);
29061 + void (* const destroy) (struct intel_dvo_device *dvo);
29062
29063 /**
29064 * Debugging hook to dump device registers to log file
29065 */
29066 - void (*dump_regs)(struct intel_dvo_device *dvo);
29067 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29068 };
29069
29070 -extern struct intel_dvo_dev_ops sil164_ops;
29071 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29072 -extern struct intel_dvo_dev_ops ivch_ops;
29073 -extern struct intel_dvo_dev_ops tfp410_ops;
29074 -extern struct intel_dvo_dev_ops ch7017_ops;
29075 +extern const struct intel_dvo_dev_ops sil164_ops;
29076 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29077 +extern const struct intel_dvo_dev_ops ivch_ops;
29078 +extern const struct intel_dvo_dev_ops tfp410_ops;
29079 +extern const struct intel_dvo_dev_ops ch7017_ops;
29080
29081 #endif /* _INTEL_DVO_H */
29082 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ivch.c
29083 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-19 00:06:34.000000000 -0400
29084 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-22 19:36:31.000000000 -0400
29085 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
29086 }
29087 }
29088
29089 -struct intel_dvo_dev_ops ivch_ops= {
29090 +const struct intel_dvo_dev_ops ivch_ops= {
29091 .init = ivch_init,
29092 .dpms = ivch_dpms,
29093 .mode_valid = ivch_mode_valid,
29094 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.39.1/drivers/gpu/drm/i915/dvo_sil164.c
29095 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-19 00:06:34.000000000 -0400
29096 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-22 19:36:31.000000000 -0400
29097 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
29098 }
29099 }
29100
29101 -struct intel_dvo_dev_ops sil164_ops = {
29102 +const struct intel_dvo_dev_ops sil164_ops = {
29103 .init = sil164_init,
29104 .detect = sil164_detect,
29105 .mode_valid = sil164_mode_valid,
29106 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.39.1/drivers/gpu/drm/i915/dvo_tfp410.c
29107 --- linux-2.6.39.1/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-19 00:06:34.000000000 -0400
29108 +++ linux-2.6.39.1/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-22 19:36:31.000000000 -0400
29109 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
29110 }
29111 }
29112
29113 -struct intel_dvo_dev_ops tfp410_ops = {
29114 +const struct intel_dvo_dev_ops tfp410_ops = {
29115 .init = tfp410_init,
29116 .detect = tfp410_detect,
29117 .mode_valid = tfp410_mode_valid,
29118 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.39.1/drivers/gpu/drm/i915/i915_debugfs.c
29119 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-19 00:06:34.000000000 -0400
29120 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-22 19:36:31.000000000 -0400
29121 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
29122 I915_READ(GTIMR));
29123 }
29124 seq_printf(m, "Interrupts received: %d\n",
29125 - atomic_read(&dev_priv->irq_received));
29126 + atomic_read_unchecked(&dev_priv->irq_received));
29127 for (i = 0; i < I915_NUM_RINGS; i++) {
29128 if (IS_GEN6(dev)) {
29129 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
29130 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_dma.c linux-2.6.39.1/drivers/gpu/drm/i915/i915_dma.c
29131 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_dma.c 2011-05-19 00:06:34.000000000 -0400
29132 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_dma.c 2011-05-22 19:36:31.000000000 -0400
29133 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
29134 bool can_switch;
29135
29136 spin_lock(&dev->count_lock);
29137 - can_switch = (dev->open_count == 0);
29138 + can_switch = (local_read(&dev->open_count) == 0);
29139 spin_unlock(&dev->count_lock);
29140 return can_switch;
29141 }
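Review bot: `local_t` operations are only guaranteed atomic with respect to the local CPU, so this `local_read(&dev->open_count)` is reliable only because `count_lock` is held around it. The declaration of `open_count` and the code that updates it are outside this hunk, and every writer needs to take the same lock. A comment at the read, e.g. `/* open_count is a local_t; all accesses are serialized by count_lock */`, would record that dependency. The same applies to `nouveau_switcheroo_can_switch` in nouveau_state.c and `radeon_switcheroo_can_switch` in radeon_device.c.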
29142 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.c
29143 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.c 2011-05-19 00:06:34.000000000 -0400
29144 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.c 2011-05-22 19:36:31.000000000 -0400
29145 @@ -679,7 +679,7 @@ static const struct dev_pm_ops i915_pm_o
29146 .restore = i915_pm_resume,
29147 };
29148
29149 -static struct vm_operations_struct i915_gem_vm_ops = {
29150 +static const struct vm_operations_struct i915_gem_vm_ops = {
29151 .fault = i915_gem_fault,
29152 .open = drm_gem_vm_open,
29153 .close = drm_gem_vm_close,
29154 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.h linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.h
29155 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.h 2011-05-19 00:06:34.000000000 -0400
29156 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_drv.h 2011-05-22 19:36:31.000000000 -0400
29157 @@ -287,7 +287,7 @@ typedef struct drm_i915_private {
29158 int current_page;
29159 int page_flipping;
29160
29161 - atomic_t irq_received;
29162 + atomic_unchecked_t irq_received;
29163
29164 /* protects the irq masks */
29165 spinlock_t irq_lock;
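Review bot: `irq_received` becomes `atomic_unchecked_t` with no comment saying why it may wrap, so a later reader cannot tell a deliberate opt-out of overflow checking from an oversight. A short comment at the declaration, e.g. `/* interrupt statistic, wraparound is harmless; not a reference count */`, would make the decision auditable. The same goes for `pending_flip` in the next hunk, which the intel_display.c hunks update with `1 << intel_crtc->plane`, and for the converted fields in mga_drv.h, nouveau_drv.h, r128_drv.h, radeon_drv.h and radeon.h.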
29166 @@ -848,7 +848,7 @@ struct drm_i915_gem_object {
29167 * will be page flipped away on the next vblank. When it
29168 * reaches 0, dev_priv->pending_flip_queue will be woken up.
29169 */
29170 - atomic_t pending_flip;
29171 + atomic_unchecked_t pending_flip;
29172 };
29173
29174 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
29175 @@ -1232,7 +1232,7 @@ extern int intel_setup_gmbus(struct drm_
29176 extern void intel_teardown_gmbus(struct drm_device *dev);
29177 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
29178 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
29179 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29180 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29181 {
29182 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
29183 }
29184 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.39.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c
29185 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-19 00:06:34.000000000 -0400
29186 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-22 19:36:31.000000000 -0400
29187 @@ -192,7 +192,7 @@ i915_gem_object_set_to_gpu_domain(struct
29188 i915_gem_release_mmap(obj);
29189
29190 if (obj->base.pending_write_domain)
29191 - cd->flips |= atomic_read(&obj->pending_flip);
29192 + cd->flips |= atomic_read_unchecked(&obj->pending_flip);
29193
29194 /* The actual obj->write_domain will be updated with
29195 * pending_write_domain after we emit the accumulated flush for all
29196 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/i915_irq.c linux-2.6.39.1/drivers/gpu/drm/i915/i915_irq.c
29197 --- linux-2.6.39.1/drivers/gpu/drm/i915/i915_irq.c 2011-05-19 00:06:34.000000000 -0400
29198 +++ linux-2.6.39.1/drivers/gpu/drm/i915/i915_irq.c 2011-05-22 19:36:31.000000000 -0400
29199 @@ -1101,7 +1101,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29200 int ret = IRQ_NONE, pipe;
29201 bool blc_event = false;
29202
29203 - atomic_inc(&dev_priv->irq_received);
29204 + atomic_inc_unchecked(&dev_priv->irq_received);
29205
29206 if (HAS_PCH_SPLIT(dev))
29207 return ironlake_irq_handler(dev);
29208 @@ -1655,7 +1655,7 @@ void i915_driver_irq_preinstall(struct d
29209 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29210 int pipe;
29211
29212 - atomic_set(&dev_priv->irq_received, 0);
29213 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29214
29215 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29216 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29217 diff -urNp linux-2.6.39.1/drivers/gpu/drm/i915/intel_display.c linux-2.6.39.1/drivers/gpu/drm/i915/intel_display.c
29218 --- linux-2.6.39.1/drivers/gpu/drm/i915/intel_display.c 2011-05-19 00:06:34.000000000 -0400
29219 +++ linux-2.6.39.1/drivers/gpu/drm/i915/intel_display.c 2011-05-22 19:36:31.000000000 -0400
29220 @@ -2244,7 +2244,7 @@ intel_pipe_set_base(struct drm_crtc *crt
29221
29222 wait_event(dev_priv->pending_flip_queue,
29223 atomic_read(&dev_priv->mm.wedged) ||
29224 - atomic_read(&obj->pending_flip) == 0);
29225 + atomic_read_unchecked(&obj->pending_flip) == 0);
29226
29227 /* Big Hammer, we also need to ensure that any pending
29228 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
29229 @@ -2712,7 +2712,7 @@ static void intel_crtc_wait_for_pending_
29230 obj = to_intel_framebuffer(crtc->fb)->obj;
29231 dev_priv = crtc->dev->dev_private;
29232 wait_event(dev_priv->pending_flip_queue,
29233 - atomic_read(&obj->pending_flip) == 0);
29234 + atomic_read_unchecked(&obj->pending_flip) == 0);
29235 }
29236
29237 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
29238 @@ -6016,7 +6016,7 @@ static void do_intel_finish_page_flip(st
29239
29240 atomic_clear_mask(1 << intel_crtc->plane,
29241 &obj->pending_flip.counter);
29242 - if (atomic_read(&obj->pending_flip) == 0)
29243 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
29244 wake_up(&dev_priv->pending_flip_queue);
29245
29246 schedule_work(&work->work);
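Review bot: The context line `atomic_clear_mask(1 << intel_crtc->plane, &obj->pending_flip.counter)` reaches into the field's `counter` member directly. After the type change in i915_drv.h it therefore depends on `atomic_unchecked_t` exposing a `counter` member of the type `atomic_clear_mask()` expects. That definition is not part of this hunk, so the line is worth a build check with overflow checking configured both on and off. A comment such as `/* raw .counter access: atomic_clear_mask() takes the integer, not the atomic type */` would explain why this one access bypasses the `_unchecked` helpers used everywhere else.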
29247 @@ -6145,7 +6145,7 @@ static int intel_crtc_page_flip(struct d
29248 /* Block clients from rendering to the new back buffer until
29249 * the flip occurs and the object is no longer visible.
29250 */
29251 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29252 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29253
29254 switch (INTEL_INFO(dev)->gen) {
29255 case 2:
29256 diff -urNp linux-2.6.39.1/drivers/gpu/drm/mga/mga_drv.h linux-2.6.39.1/drivers/gpu/drm/mga/mga_drv.h
29257 --- linux-2.6.39.1/drivers/gpu/drm/mga/mga_drv.h 2011-05-19 00:06:34.000000000 -0400
29258 +++ linux-2.6.39.1/drivers/gpu/drm/mga/mga_drv.h 2011-05-22 19:36:31.000000000 -0400
29259 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29260 u32 clear_cmd;
29261 u32 maccess;
29262
29263 - atomic_t vbl_received; /**< Number of vblanks received. */
29264 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29265 wait_queue_head_t fence_queue;
29266 - atomic_t last_fence_retired;
29267 + atomic_unchecked_t last_fence_retired;
29268 u32 next_fence_to_post;
29269
29270 unsigned int fb_cpp;
29271 diff -urNp linux-2.6.39.1/drivers/gpu/drm/mga/mga_irq.c linux-2.6.39.1/drivers/gpu/drm/mga/mga_irq.c
29272 --- linux-2.6.39.1/drivers/gpu/drm/mga/mga_irq.c 2011-05-19 00:06:34.000000000 -0400
29273 +++ linux-2.6.39.1/drivers/gpu/drm/mga/mga_irq.c 2011-05-22 19:36:31.000000000 -0400
29274 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29275 if (crtc != 0)
29276 return 0;
29277
29278 - return atomic_read(&dev_priv->vbl_received);
29279 + return atomic_read_unchecked(&dev_priv->vbl_received);
29280 }
29281
29282
29283 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29284 /* VBLANK interrupt */
29285 if (status & MGA_VLINEPEN) {
29286 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29287 - atomic_inc(&dev_priv->vbl_received);
29288 + atomic_inc_unchecked(&dev_priv->vbl_received);
29289 drm_handle_vblank(dev, 0);
29290 handled = 1;
29291 }
29292 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29293 if ((prim_start & ~0x03) != (prim_end & ~0x03))
29294 MGA_WRITE(MGA_PRIMEND, prim_end);
29295
29296 - atomic_inc(&dev_priv->last_fence_retired);
29297 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29298 DRM_WAKEUP(&dev_priv->fence_queue);
29299 handled = 1;
29300 }
29301 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
29302 * using fences.
29303 */
29304 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29305 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29306 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29307 - *sequence) <= (1 << 23)));
29308
29309 *sequence = cur_fence;
29310 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_acpi.c linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_acpi.c
29311 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-19 00:06:34.000000000 -0400
29312 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-22 19:36:31.000000000 -0400
29313 @@ -141,7 +141,7 @@ static int nouveau_dsm_get_client_id(str
29314 return VGA_SWITCHEROO_DIS;
29315 }
29316
29317 -static struct vga_switcheroo_handler nouveau_dsm_handler = {
29318 +static const struct vga_switcheroo_handler nouveau_dsm_handler = {
29319 .switchto = nouveau_dsm_switchto,
29320 .power_state = nouveau_dsm_power_state,
29321 .init = nouveau_dsm_init,
29322 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_drv.h
29323 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-05-19 00:06:34.000000000 -0400
29324 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-06-07 18:07:24.000000000 -0400
29325 @@ -228,7 +228,7 @@ struct nouveau_channel {
29326 struct list_head pending;
29327 uint32_t sequence;
29328 uint32_t sequence_ack;
29329 - atomic_t last_sequence_irq;
29330 + atomic_unchecked_t last_sequence_irq;
29331 } fence;
29332
29333 /* DMA push buffer */
29334 @@ -662,7 +662,7 @@ struct drm_nouveau_private {
29335 struct drm_global_reference mem_global_ref;
29336 struct ttm_bo_global_ref bo_global_ref;
29337 struct ttm_bo_device bdev;
29338 - atomic_t validate_sequence;
29339 + atomic_unchecked_t validate_sequence;
29340 } ttm;
29341
29342 struct {
29343 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_fence.c
29344 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-19 00:06:34.000000000 -0400
29345 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-22 19:36:31.000000000 -0400
29346 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
29347 if (USE_REFCNT(dev))
29348 sequence = nvchan_rd32(chan, 0x48);
29349 else
29350 - sequence = atomic_read(&chan->fence.last_sequence_irq);
29351 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
29352
29353 if (chan->fence.sequence_ack == sequence)
29354 goto out;
29355 @@ -553,7 +553,7 @@ nouveau_fence_channel_init(struct nouvea
29356 out_initialised:
29357 INIT_LIST_HEAD(&chan->fence.pending);
29358 spin_lock_init(&chan->fence.lock);
29359 - atomic_set(&chan->fence.last_sequence_irq, 0);
29360 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
29361 return 0;
29362 }
29363
29364 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_gem.c
29365 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-19 00:06:34.000000000 -0400
29366 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-22 19:36:31.000000000 -0400
29367 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
29368 int trycnt = 0;
29369 int ret, i;
29370
29371 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
29372 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
29373 retry:
29374 if (++trycnt > 100000) {
29375 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
29376 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_state.c
29377 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-19 00:06:34.000000000 -0400
29378 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-22 19:36:31.000000000 -0400
29379 @@ -583,7 +583,7 @@ static bool nouveau_switcheroo_can_switc
29380 bool can_switch;
29381
29382 spin_lock(&dev->count_lock);
29383 - can_switch = (dev->open_count == 0);
29384 + can_switch = (local_read(&dev->open_count) == 0);
29385 spin_unlock(&dev->count_lock);
29386 return can_switch;
29387 }
29388 diff -urNp linux-2.6.39.1/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.39.1/drivers/gpu/drm/nouveau/nv04_graph.c
29389 --- linux-2.6.39.1/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-19 00:06:34.000000000 -0400
29390 +++ linux-2.6.39.1/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-22 19:36:31.000000000 -0400
29391 @@ -552,7 +552,7 @@ static int
29392 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
29393 u32 class, u32 mthd, u32 data)
29394 {
29395 - atomic_set(&chan->fence.last_sequence_irq, data);
29396 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
29397 return 0;
29398 }
29399
29400 diff -urNp linux-2.6.39.1/drivers/gpu/drm/r128/r128_cce.c linux-2.6.39.1/drivers/gpu/drm/r128/r128_cce.c
29401 --- linux-2.6.39.1/drivers/gpu/drm/r128/r128_cce.c 2011-05-19 00:06:34.000000000 -0400
29402 +++ linux-2.6.39.1/drivers/gpu/drm/r128/r128_cce.c 2011-05-22 19:36:31.000000000 -0400
29403 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29404
29405 /* GH: Simple idle check.
29406 */
29407 - atomic_set(&dev_priv->idle_count, 0);
29408 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29409
29410 /* We don't support anything other than bus-mastering ring mode,
29411 * but the ring can be in either AGP or PCI space for the ring
29412 diff -urNp linux-2.6.39.1/drivers/gpu/drm/r128/r128_drv.h linux-2.6.39.1/drivers/gpu/drm/r128/r128_drv.h
29413 --- linux-2.6.39.1/drivers/gpu/drm/r128/r128_drv.h 2011-05-19 00:06:34.000000000 -0400
29414 +++ linux-2.6.39.1/drivers/gpu/drm/r128/r128_drv.h 2011-05-22 19:36:31.000000000 -0400
29415 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29416 int is_pci;
29417 unsigned long cce_buffers_offset;
29418
29419 - atomic_t idle_count;
29420 + atomic_unchecked_t idle_count;
29421
29422 int page_flipping;
29423 int current_page;
29424 u32 crtc_offset;
29425 u32 crtc_offset_cntl;
29426
29427 - atomic_t vbl_received;
29428 + atomic_unchecked_t vbl_received;
29429
29430 u32 color_fmt;
29431 unsigned int front_offset;
29432 diff -urNp linux-2.6.39.1/drivers/gpu/drm/r128/r128_irq.c linux-2.6.39.1/drivers/gpu/drm/r128/r128_irq.c
29433 --- linux-2.6.39.1/drivers/gpu/drm/r128/r128_irq.c 2011-05-19 00:06:34.000000000 -0400
29434 +++ linux-2.6.39.1/drivers/gpu/drm/r128/r128_irq.c 2011-05-22 19:36:31.000000000 -0400
29435 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29436 if (crtc != 0)
29437 return 0;
29438
29439 - return atomic_read(&dev_priv->vbl_received);
29440 + return atomic_read_unchecked(&dev_priv->vbl_received);
29441 }
29442
29443 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29444 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29445 /* VBLANK interrupt */
29446 if (status & R128_CRTC_VBLANK_INT) {
29447 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29448 - atomic_inc(&dev_priv->vbl_received);
29449 + atomic_inc_unchecked(&dev_priv->vbl_received);
29450 drm_handle_vblank(dev, 0);
29451 return IRQ_HANDLED;
29452 }
29453 diff -urNp linux-2.6.39.1/drivers/gpu/drm/r128/r128_state.c linux-2.6.39.1/drivers/gpu/drm/r128/r128_state.c
29454 --- linux-2.6.39.1/drivers/gpu/drm/r128/r128_state.c 2011-05-19 00:06:34.000000000 -0400
29455 +++ linux-2.6.39.1/drivers/gpu/drm/r128/r128_state.c 2011-05-22 19:36:31.000000000 -0400
29456 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
29457
29458 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
29459 {
29460 - if (atomic_read(&dev_priv->idle_count) == 0)
29461 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
29462 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29463 else
29464 - atomic_set(&dev_priv->idle_count, 0);
29465 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29466 }
29467
29468 #endif
29469 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/atom.c linux-2.6.39.1/drivers/gpu/drm/radeon/atom.c
29470 --- linux-2.6.39.1/drivers/gpu/drm/radeon/atom.c 2011-05-19 00:06:34.000000000 -0400
29471 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/atom.c 2011-05-22 19:36:31.000000000 -0400
29472 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
29473 char name[512];
29474 int i;
29475
29476 + pax_track_stack();
29477 +
29478 ctx->card = card;
29479 ctx->bios = bios;
29480
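Review bot: `pax_track_stack()` is added without a comment tying it to the reason it is here, which appears to be the 512-byte `name` buffer among the locals. A one-line comment, e.g. `/* large stack frame: report stack depth to PaX */`, would keep the call from being removed as dead code. The definition of `pax_track_stack()` is outside this hunk, and it has to compile to a no-op when the feature is configured out. The same applies to the calls added in radeon_atombios.c and radeon_display.c.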
29481 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.39.1/drivers/gpu/drm/radeon/mkregtable.c
29482 --- linux-2.6.39.1/drivers/gpu/drm/radeon/mkregtable.c 2011-05-19 00:06:34.000000000 -0400
29483 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/mkregtable.c 2011-05-22 19:36:31.000000000 -0400
29484 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29485 regex_t mask_rex;
29486 regmatch_t match[4];
29487 char buf[1024];
29488 - size_t end;
29489 + long end;
29490 int len;
29491 int done = 0;
29492 int r;
29493 unsigned o;
29494 struct offset *offset;
29495 char last_reg_s[10];
29496 - int last_reg;
29497 + unsigned long last_reg;
29498
29499 if (regcomp
29500 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
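Review bot: Changing `end` to `long` and `last_reg` to `unsigned long` only helps if the code that fills and prints them is adjusted to match, and that code lies below this hunk. If `end` receives an `ftell()`-style result, the signed type needs a following `if (end < 0)` check to be of any use. If `last_reg` is parsed from `last_reg_s`, the parser and any format specifier should use the unsigned long forms (`strtoul`, `%lx`). The body of `parser_auth` continues outside the hunk, so these uses could not be checked here.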
29501 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atombios.c
29502 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-19 00:06:34.000000000 -0400
29503 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-22 19:36:31.000000000 -0400
29504 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
29505 struct radeon_gpio_rec gpio;
29506 struct radeon_hpd hpd;
29507
29508 + pax_track_stack();
29509 +
29510 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
29511 return false;
29512
29513 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atpx_handler.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atpx_handler.c
29514 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-19 00:06:34.000000000 -0400
29515 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-22 19:36:31.000000000 -0400
29516 @@ -234,7 +234,7 @@ static int radeon_atpx_get_client_id(str
29517 return VGA_SWITCHEROO_DIS;
29518 }
29519
29520 -static struct vga_switcheroo_handler radeon_atpx_handler = {
29521 +static const struct vga_switcheroo_handler radeon_atpx_handler = {
29522 .switchto = radeon_atpx_switchto,
29523 .power_state = radeon_atpx_power_state,
29524 .init = radeon_atpx_init,
29525 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_device.c
29526 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_device.c 2011-05-19 00:06:34.000000000 -0400
29527 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_device.c 2011-05-22 19:36:31.000000000 -0400
29528 @@ -674,7 +674,7 @@ static bool radeon_switcheroo_can_switch
29529 bool can_switch;
29530
29531 spin_lock(&dev->count_lock);
29532 - can_switch = (dev->open_count == 0);
29533 + can_switch = (local_read(&dev->open_count) == 0);
29534 spin_unlock(&dev->count_lock);
29535 return can_switch;
29536 }
29537 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_display.c
29538 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_display.c 2011-05-19 00:06:34.000000000 -0400
29539 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_display.c 2011-05-22 19:36:31.000000000 -0400
29540 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
29541 uint32_t post_div;
29542 u32 pll_out_min, pll_out_max;
29543
29544 + pax_track_stack();
29545 +
29546 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
29547 freq = freq * 1000;
29548
29549 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_drv.h
29550 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-19 00:06:34.000000000 -0400
29551 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-22 19:36:31.000000000 -0400
29552 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
29553
29554 /* SW interrupt */
29555 wait_queue_head_t swi_queue;
29556 - atomic_t swi_emitted;
29557 + atomic_unchecked_t swi_emitted;
29558 int vblank_crtc;
29559 uint32_t irq_enable_reg;
29560 uint32_t r500_disp_irq_reg;
29561 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_fence.c
29562 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-19 00:06:34.000000000 -0400
29563 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-22 19:36:31.000000000 -0400
29564 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
29565 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29566 return 0;
29567 }
29568 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29569 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29570 if (!rdev->cp.ready) {
29571 /* FIXME: cp is not running assume everythings is done right
29572 * away
29573 @@ -352,7 +352,7 @@ int radeon_fence_driver_init(struct rade
29574 return r;
29575 }
29576 WREG32(rdev->fence_drv.scratch_reg, 0);
29577 - atomic_set(&rdev->fence_drv.seq, 0);
29578 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29579 INIT_LIST_HEAD(&rdev->fence_drv.created);
29580 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29581 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29582 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon.h linux-2.6.39.1/drivers/gpu/drm/radeon/radeon.h
29583 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon.h 2011-05-19 00:06:34.000000000 -0400
29584 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon.h 2011-05-22 19:36:31.000000000 -0400
29585 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
29586 */
29587 struct radeon_fence_driver {
29588 uint32_t scratch_reg;
29589 - atomic_t seq;
29590 + atomic_unchecked_t seq;
29591 uint32_t last_seq;
29592 unsigned long last_jiffies;
29593 unsigned long last_timeout;
29594 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ioc32.c
29595 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-19 00:06:34.000000000 -0400
29596 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-22 19:36:31.000000000 -0400
29597 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
29598 request = compat_alloc_user_space(sizeof(*request));
29599 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
29600 || __put_user(req32.param, &request->param)
29601 - || __put_user((void __user *)(unsigned long)req32.value,
29602 + || __put_user((unsigned long)req32.value,
29603 &request->value))
29604 return -EFAULT;
29605
29606 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_irq.c
29607 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-19 00:06:34.000000000 -0400
29608 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-22 19:36:31.000000000 -0400
29609 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
29610 unsigned int ret;
29611 RING_LOCALS;
29612
29613 - atomic_inc(&dev_priv->swi_emitted);
29614 - ret = atomic_read(&dev_priv->swi_emitted);
29615 + atomic_inc_unchecked(&dev_priv->swi_emitted);
29616 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
29617
29618 BEGIN_RING(4);
29619 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
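Review bot: `atomic_inc_unchecked()` followed by a separate `atomic_read_unchecked()` is not one atomic step, so two concurrent callers of `radeon_emit_irq` could both read the same `swi_emitted` value and write the same number to `RADEON_LAST_SWI_REG`. Whether callers are already serialized is not visible in this hunk. Since both lines are being rewritten anyway, a single `ret = atomic_add_return_unchecked(1, &dev_priv->swi_emitted);` would give each caller its own value. The patch already uses that helper in radeon_fence.c.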
29620 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
29621 drm_radeon_private_t *dev_priv =
29622 (drm_radeon_private_t *) dev->dev_private;
29623
29624 - atomic_set(&dev_priv->swi_emitted, 0);
29625 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
29626 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
29627
29628 dev->max_vblank_count = 0x001fffff;
29629 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_state.c
29630 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_state.c 2011-05-19 00:06:34.000000000 -0400
29631 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_state.c 2011-05-22 19:36:31.000000000 -0400
29632 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
29633 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
29634 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
29635
29636 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
29637 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
29638 sarea_priv->nbox * sizeof(depth_boxes[0])))
29639 return -EFAULT;
29640
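Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test does not close the window it targets, because `nbox` is fetched from `sarea_priv` again for the copy length on the following line. `sarea_priv` looks like the shared area that user space can write concurrently (its definition is outside the hunk), so the value can change between the test and the multiplication, and the copy into `depth_boxes` can still exceed the clamp. Read the field once into a local declared with the function's other locals, clamp the local, and use only the local for the length, as sketched below. `radeon_cp_clear` continues outside the hunk, and any later use of `sarea_priv->nbox` there needs the same treatment.

```c
	/* … unchanged: earlier body of radeon_cp_clear … */
	nbox = ACCESS_ONCE(sarea_priv->nbox);	/* single fetch of the shared value */
	if (nbox > RADEON_NR_SAREA_CLIPRECTS)
		nbox = RADEON_NR_SAREA_CLIPRECTS;
	sarea_priv->nbox = nbox;

	if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
			       nbox * sizeof(depth_boxes[0])))
		return -EFAULT;
```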
29641 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
29642 {
29643 drm_radeon_private_t *dev_priv = dev->dev_private;
29644 drm_radeon_getparam_t *param = data;
29645 - int value;
29646 + int value = 0;
29647
29648 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
29649
29650 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ttm.c
29651 --- linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-19 00:06:34.000000000 -0400
29652 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-22 19:36:31.000000000 -0400
29653 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
29654 man->size = size >> PAGE_SHIFT;
29655 }
29656
29657 -static struct vm_operations_struct radeon_ttm_vm_ops;
29658 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
29659 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
29660 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
29661 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
29662
29663 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29664 {
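Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in radeon_ttm.c, so the compiler never checks them against the definitions in ttm_bo_vm.c. If a signature changes on the TTM side, this file keeps compiling against the stale prototype. Move the declarations into a TTM header that both files include, alongside the `EXPORT_SYMBOL` lines added in the ttm_bo_vm.c hunk at `@@ -219,22 +223,25 @@`.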
29665 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
29666 struct radeon_device *rdev;
29667 int r;
29668
29669 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
29670 - if (bo == NULL) {
29671 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
29672 + if (!bo)
29673 return VM_FAULT_NOPAGE;
29674 - }
29675 rdev = radeon_get_rdev(bo->bdev);
29676 mutex_lock(&rdev->vram_mutex);
29677 - r = ttm_vm_ops->fault(vma, vmf);
29678 + r = ttm_bo_vm_fault(vma, vmf);
29679 mutex_unlock(&rdev->vram_mutex);
29680 return r;
29681 }
29682
29683 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
29684 + .fault = radeon_ttm_fault,
29685 + .open = ttm_bo_vm_open,
29686 + .close = ttm_bo_vm_close
29687 +};
29688 +
29689 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
29690 {
29691 struct drm_file *file_priv;
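Review bot: `radeon_ttm_vm_ops` now lists `.fault`, `.open` and `.close` by hand, whereas the code removed from `radeon_mmap` copied whatever table TTM had installed in `vma->vm_ops` and replaced only `.fault`. If `ttm_bo_vm_ops` has or later gains any other callback (only its first member is visible in the ttm_bo_vm.c hunk), radeon mappings silently lose it. A comment above the table, e.g. `/* keep in sync with ttm_bo_vm_ops in ttm_bo_vm.c; only .fault differs */`, would flag the coupling. `radeon_mmap` continues past the end of this hunk.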
29692 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
29693
29694 file_priv = filp->private_data;
29695 rdev = file_priv->minor->dev->dev_private;
29696 - if (rdev == NULL) {
29697 + if (!rdev)
29698 return -EINVAL;
29699 - }
29700 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
29701 - if (unlikely(r != 0)) {
29702 + if (r)
29703 return r;
29704 - }
29705 - if (unlikely(ttm_vm_ops == NULL)) {
29706 - ttm_vm_ops = vma->vm_ops;
29707 - radeon_ttm_vm_ops = *ttm_vm_ops;
29708 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
29709 - }
29710 vma->vm_ops = &radeon_ttm_vm_ops;
29711 return 0;
29712 }
29713 diff -urNp linux-2.6.39.1/drivers/gpu/drm/radeon/rs690.c linux-2.6.39.1/drivers/gpu/drm/radeon/rs690.c
29714 --- linux-2.6.39.1/drivers/gpu/drm/radeon/rs690.c 2011-05-19 00:06:34.000000000 -0400
29715 +++ linux-2.6.39.1/drivers/gpu/drm/radeon/rs690.c 2011-05-22 19:36:31.000000000 -0400
29716 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
29717 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
29718 rdev->pm.sideport_bandwidth.full)
29719 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
29720 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
29721 + read_delay_latency.full = dfixed_const(800 * 1000);
29722 read_delay_latency.full = dfixed_div(read_delay_latency,
29723 rdev->pm.igp_sideport_mclk);
29724 + a.full = dfixed_const(370);
29725 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
29726 } else {
29727 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
29728 rdev->pm.k8_bandwidth.full)
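Review bot: The split of `370 * 800 * 1000` into a divide followed by `dfixed_mul(read_delay_latency, a)` carries no comment saying why the order matters, so it reads like a needless rewrite and is easy to fold back. If the reason is that the product does not fit the range of `dfixed_const()` (the macro is not visible here), say so: `/* 370 * 800 * 1000 overflows dfixed_const(); scale by 370 after the divide */`. The multiply may itself exceed the fixed-point range when `igp_sideport_mclk` is small, which is worth checking. `a` is reused as a scratch variable, and its declaration and other uses are outside the hunk.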
29729 diff -urNp linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_bo_vm.c
29730 --- linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-19 00:06:34.000000000 -0400
29731 +++ linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-22 19:36:31.000000000 -0400
29732 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
29733 return best_bo;
29734 }
29735
29736 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29737 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29738 {
29739 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
29740 vma->vm_private_data;
29741 - struct ttm_bo_device *bdev = bo->bdev;
29742 + struct ttm_bo_device *bdev;
29743 unsigned long page_offset;
29744 unsigned long page_last;
29745 unsigned long pfn;
29746 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
29747 int i;
29748 unsigned long address = (unsigned long)vmf->virtual_address;
29749 int retval = VM_FAULT_NOPAGE;
29750 - struct ttm_mem_type_manager *man =
29751 - &bdev->man[bo->mem.mem_type];
29752 + struct ttm_mem_type_manager *man;
29753 +
29754 + if (!bo)
29755 + return VM_FAULT_NOPAGE;
29756 + bdev = bo->bdev;
29757 + man = &bdev->man[bo->mem.mem_type];
29758
29759 /*
29760 * Work around locking order reversal in fault / nopfn
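Review bot: The new `if (!bo)` guard returns `VM_FAULT_NOPAGE`, which reports the fault as handled although no mapping was installed, so the faulting access would presumably be retried and fault again. If a NULL `vm_private_data` can really reach this handler now that it is exported, `return VM_FAULT_SIGBUS;` would fail the access instead of repeating it. That is the code `vmw_fifo_vm_fault` returns in the vmwgfx_fifo.c section of this patch. The rest of `ttm_bo_vm_fault` is outside the hunk.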
29761 @@ -219,22 +223,25 @@ out_unlock:
29762 ttm_bo_unreserve(bo);
29763 return retval;
29764 }
29765 +EXPORT_SYMBOL(ttm_bo_vm_fault);
29766
29767 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
29768 +void ttm_bo_vm_open(struct vm_area_struct *vma)
29769 {
29770 struct ttm_buffer_object *bo =
29771 (struct ttm_buffer_object *)vma->vm_private_data;
29772
29773 (void)ttm_bo_reference(bo);
29774 }
29775 +EXPORT_SYMBOL(ttm_bo_vm_open);
29776
29777 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
29778 +void ttm_bo_vm_close(struct vm_area_struct *vma)
29779 {
29780 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
29781
29782 ttm_bo_unref(&bo);
29783 vma->vm_private_data = NULL;
29784 }
29785 +EXPORT_SYMBOL(ttm_bo_vm_close);
29786
29787 static const struct vm_operations_struct ttm_bo_vm_ops = {
29788 .fault = ttm_bo_vm_fault,
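Review bot: `ttm_bo_vm_open` and `ttm_bo_vm_close` become exported entry points here but, unlike `ttm_bo_vm_fault` in the previous hunk, neither checks `vma->vm_private_data` for NULL before passing it to `ttm_bo_reference()` or `ttm_bo_unref()`. `ttm_bo_vm_close` itself stores NULL into `vm_private_data`, so an outside caller that invokes close twice, or open after close, would pass a NULL object to the refcount helpers (how they handle NULL is not visible here). Either add the same guard to both, `if (!bo) return;`, or put a comment on the exports stating that callers must guarantee a live buffer object. Plain `EXPORT_SYMBOL` also offers the three handlers to every module; `EXPORT_SYMBOL_GPL` would be the narrower choice if only in-tree DRM drivers need them.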
29789 diff -urNp linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_page_alloc.c
29790 --- linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-19 00:06:34.000000000 -0400
29791 +++ linux-2.6.39.1/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-22 19:36:31.000000000 -0400
29792 @@ -397,9 +397,9 @@ static int ttm_pool_get_num_unused_pages
29793 */
29794 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
29795 {
29796 - static atomic_t start_pool = ATOMIC_INIT(0);
29797 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
29798 unsigned i;
29799 - unsigned pool_offset = atomic_add_return(1, &start_pool);
29800 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
29801 struct ttm_page_pool *pool;
29802
29803 pool_offset = pool_offset % NUM_POOLS;
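Review bot: Nothing in the code records why `start_pool` may be moved to `atomic_unchecked_t`, i.e. why wrapping is acceptable for it. Here the value is only reduced `% NUM_POOLS` to pick a starting pool, so wraparound is harmless, and a one-line comment such as `/* round-robin cursor, not a reference count: wraparound is fine */` would say so. The same applies to the other `_unchecked` conversions in this part of the patch: `irq_received` and `vbl_received` in via, `fence_seq` in vmwgfx, `id` in hid-core, `interrupt_handled` in sht15, and the counters in infiniband/core/cm.c. Each one is an opt-out from overflow checking that a later reader has to be able to re-verify, because a counter that later starts to govern an object's lifetime would lose that protection without any visible change.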
29804 diff -urNp linux-2.6.39.1/drivers/gpu/drm/via/via_drv.h linux-2.6.39.1/drivers/gpu/drm/via/via_drv.h
29805 --- linux-2.6.39.1/drivers/gpu/drm/via/via_drv.h 2011-05-19 00:06:34.000000000 -0400
29806 +++ linux-2.6.39.1/drivers/gpu/drm/via/via_drv.h 2011-05-22 19:36:31.000000000 -0400
29807 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
29808 typedef uint32_t maskarray_t[5];
29809
29810 typedef struct drm_via_irq {
29811 - atomic_t irq_received;
29812 + atomic_unchecked_t irq_received;
29813 uint32_t pending_mask;
29814 uint32_t enable_mask;
29815 wait_queue_head_t irq_queue;
29816 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
29817 struct timeval last_vblank;
29818 int last_vblank_valid;
29819 unsigned usec_per_vblank;
29820 - atomic_t vbl_received;
29821 + atomic_unchecked_t vbl_received;
29822 drm_via_state_t hc_state;
29823 char pci_buf[VIA_PCI_BUF_SIZE];
29824 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
29825 diff -urNp linux-2.6.39.1/drivers/gpu/drm/via/via_irq.c linux-2.6.39.1/drivers/gpu/drm/via/via_irq.c
29826 --- linux-2.6.39.1/drivers/gpu/drm/via/via_irq.c 2011-05-19 00:06:34.000000000 -0400
29827 +++ linux-2.6.39.1/drivers/gpu/drm/via/via_irq.c 2011-05-22 19:36:31.000000000 -0400
29828 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
29829 if (crtc != 0)
29830 return 0;
29831
29832 - return atomic_read(&dev_priv->vbl_received);
29833 + return atomic_read_unchecked(&dev_priv->vbl_received);
29834 }
29835
29836 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
29837 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
29838
29839 status = VIA_READ(VIA_REG_INTERRUPT);
29840 if (status & VIA_IRQ_VBLANK_PENDING) {
29841 - atomic_inc(&dev_priv->vbl_received);
29842 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
29843 + atomic_inc_unchecked(&dev_priv->vbl_received);
29844 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
29845 do_gettimeofday(&cur_vblank);
29846 if (dev_priv->last_vblank_valid) {
29847 dev_priv->usec_per_vblank =
29848 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
29849 dev_priv->last_vblank = cur_vblank;
29850 dev_priv->last_vblank_valid = 1;
29851 }
29852 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
29853 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
29854 DRM_DEBUG("US per vblank is: %u\n",
29855 dev_priv->usec_per_vblank);
29856 }
29857 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
29858
29859 for (i = 0; i < dev_priv->num_irqs; ++i) {
29860 if (status & cur_irq->pending_mask) {
29861 - atomic_inc(&cur_irq->irq_received);
29862 + atomic_inc_unchecked(&cur_irq->irq_received);
29863 DRM_WAKEUP(&cur_irq->irq_queue);
29864 handled = 1;
29865 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
29866 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
29867 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
29868 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
29869 masks[irq][4]));
29870 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
29871 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
29872 } else {
29873 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
29874 (((cur_irq_sequence =
29875 - atomic_read(&cur_irq->irq_received)) -
29876 + atomic_read_unchecked(&cur_irq->irq_received)) -
29877 *sequence) <= (1 << 23)));
29878 }
29879 *sequence = cur_irq_sequence;
29880 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
29881 }
29882
29883 for (i = 0; i < dev_priv->num_irqs; ++i) {
29884 - atomic_set(&cur_irq->irq_received, 0);
29885 + atomic_set_unchecked(&cur_irq->irq_received, 0);
29886 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
29887 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
29888 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
29889 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
29890 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
29891 case VIA_IRQ_RELATIVE:
29892 irqwait->request.sequence +=
29893 - atomic_read(&cur_irq->irq_received);
29894 + atomic_read_unchecked(&cur_irq->irq_received);
29895 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
29896 case VIA_IRQ_ABSOLUTE:
29897 break;
29898 diff -urNp linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
29899 --- linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-19 00:06:34.000000000 -0400
29900 +++ linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-22 19:36:31.000000000 -0400
29901 @@ -240,7 +240,7 @@ struct vmw_private {
29902 * Fencing and IRQs.
29903 */
29904
29905 - atomic_t fence_seq;
29906 + atomic_unchecked_t fence_seq;
29907 wait_queue_head_t fence_queue;
29908 wait_queue_head_t fifo_queue;
29909 atomic_t fence_queue_waiters;
29910 diff -urNp linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
29911 --- linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-19 00:06:34.000000000 -0400
29912 +++ linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-22 19:36:31.000000000 -0400
29913 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
29914 while (!vmw_lag_lt(queue, us)) {
29915 spin_lock(&queue->lock);
29916 if (list_empty(&queue->head))
29917 - sequence = atomic_read(&dev_priv->fence_seq);
29918 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
29919 else {
29920 fence = list_first_entry(&queue->head,
29921 struct vmw_fence, head);
29922 diff -urNp linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
29923 --- linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-19 00:06:34.000000000 -0400
29924 +++ linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-22 19:36:31.000000000 -0400
29925 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
29926 (unsigned int) min,
29927 (unsigned int) fifo->capabilities);
29928
29929 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
29930 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
29931 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
29932 vmw_fence_queue_init(&fifo->fence_queue);
29933 return vmw_fifo_send_fence(dev_priv, &dummy);
29934 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
29935
29936 fm = vmw_fifo_reserve(dev_priv, bytes);
29937 if (unlikely(fm == NULL)) {
29938 - *sequence = atomic_read(&dev_priv->fence_seq);
29939 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
29940 ret = -ENOMEM;
29941 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
29942 false, 3*HZ);
29943 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
29944 }
29945
29946 do {
29947 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
29948 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
29949 } while (*sequence == 0);
29950
29951 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
29952 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
29953 return VM_FAULT_SIGBUS;
29954 }
29955
29956 -static struct vm_operations_struct vmw_fifo_vm_ops = {
29957 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
29958 .fault = vmw_fifo_vm_fault,
29959 .open = NULL,
29960 .close = NULL
29961 diff -urNp linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
29962 --- linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-19 00:06:34.000000000 -0400
29963 +++ linux-2.6.39.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-22 19:36:31.000000000 -0400
29964 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
29965 * emitted. Then the fence is stale and signaled.
29966 */
29967
29968 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
29969 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
29970 > VMW_FENCE_WRAP);
29971
29972 return ret;
29973 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
29974
29975 if (fifo_idle)
29976 down_read(&fifo_state->rwsem);
29977 - signal_seq = atomic_read(&dev_priv->fence_seq);
29978 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
29979 ret = 0;
29980
29981 for (;;) {
29982 diff -urNp linux-2.6.39.1/drivers/gpu/vga/vga_switcheroo.c linux-2.6.39.1/drivers/gpu/vga/vga_switcheroo.c
29983 --- linux-2.6.39.1/drivers/gpu/vga/vga_switcheroo.c 2011-05-19 00:06:34.000000000 -0400
29984 +++ linux-2.6.39.1/drivers/gpu/vga/vga_switcheroo.c 2011-05-22 19:36:31.000000000 -0400
29985 @@ -53,7 +53,7 @@ struct vgasr_priv {
29986 int registered_clients;
29987 struct vga_switcheroo_client clients[VGA_SWITCHEROO_MAX_CLIENTS];
29988
29989 - struct vga_switcheroo_handler *handler;
29990 + const struct vga_switcheroo_handler *handler;
29991 };
29992
29993 static int vga_switcheroo_debugfs_init(struct vgasr_priv *priv);
29994 @@ -62,7 +62,7 @@ static void vga_switcheroo_debugfs_fini(
29995 /* only one switcheroo per system */
29996 static struct vgasr_priv vgasr_priv;
29997
29998 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler)
29999 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler)
30000 {
30001 mutex_lock(&vgasr_mutex);
30002 if (vgasr_priv.handler) {
30003 diff -urNp linux-2.6.39.1/drivers/hid/hid-core.c linux-2.6.39.1/drivers/hid/hid-core.c
30004 --- linux-2.6.39.1/drivers/hid/hid-core.c 2011-05-19 00:06:34.000000000 -0400
30005 +++ linux-2.6.39.1/drivers/hid/hid-core.c 2011-05-22 19:36:31.000000000 -0400
30006 @@ -1888,7 +1888,7 @@ static bool hid_ignore(struct hid_device
30007
30008 int hid_add_device(struct hid_device *hdev)
30009 {
30010 - static atomic_t id = ATOMIC_INIT(0);
30011 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30012 int ret;
30013
30014 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30015 @@ -1903,7 +1903,7 @@ int hid_add_device(struct hid_device *hd
30016 /* XXX hack, any other cleaner solution after the driver core
30017 * is converted to allow more than 20 bytes as the device name? */
30018 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30019 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30020 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30021
30022 hid_debug_register(hdev, dev_name(&hdev->dev));
30023 ret = device_add(&hdev->dev);
30024 diff -urNp linux-2.6.39.1/drivers/hid/hid-picolcd.c linux-2.6.39.1/drivers/hid/hid-picolcd.c
30025 --- linux-2.6.39.1/drivers/hid/hid-picolcd.c 2011-05-19 00:06:34.000000000 -0400
30026 +++ linux-2.6.39.1/drivers/hid/hid-picolcd.c 2011-05-22 19:36:31.000000000 -0400
30027 @@ -1037,7 +1037,7 @@ static int picolcd_check_lcd_fb(struct l
30028 return fb && fb == picolcd_fbinfo((struct picolcd_data *)lcd_get_data(ldev));
30029 }
30030
30031 -static struct lcd_ops picolcd_lcdops = {
30032 +static const struct lcd_ops picolcd_lcdops = {
30033 .get_contrast = picolcd_get_contrast,
30034 .set_contrast = picolcd_set_contrast,
30035 .check_fb = picolcd_check_lcd_fb,
30036 diff -urNp linux-2.6.39.1/drivers/hid/usbhid/hiddev.c linux-2.6.39.1/drivers/hid/usbhid/hiddev.c
30037 --- linux-2.6.39.1/drivers/hid/usbhid/hiddev.c 2011-05-19 00:06:34.000000000 -0400
30038 +++ linux-2.6.39.1/drivers/hid/usbhid/hiddev.c 2011-05-22 19:36:31.000000000 -0400
30039 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
30040 break;
30041
30042 case HIDIOCAPPLICATION:
30043 - if (arg < 0 || arg >= hid->maxapplication)
30044 + if (arg >= hid->maxapplication)
30045 break;
30046
30047 for (i = 0; i < hid->maxcollection; i++)
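Review bot: Dropping `arg < 0` leaves the upper-bound test as the only validation of the user-supplied index in `HIDIOCAPPLICATION`, which is correct only while `arg` is unsigned. The ioctl signature is cut off in the hunk header, so this is presumed from the usual `unsigned long arg`. A short comment, `/* arg is unsigned, so only the upper bound needs checking */`, would keep that reasoning next to the check. The case body continues outside the hunk.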
30048 diff -urNp linux-2.6.39.1/drivers/hwmon/ibmaem.c linux-2.6.39.1/drivers/hwmon/ibmaem.c
30049 --- linux-2.6.39.1/drivers/hwmon/ibmaem.c 2011-05-19 00:06:34.000000000 -0400
30050 +++ linux-2.6.39.1/drivers/hwmon/ibmaem.c 2011-05-22 19:36:31.000000000 -0400
30051 @@ -238,7 +238,7 @@ struct aem_read_sensor_resp {
30052 struct aem_driver_data {
30053 struct list_head aem_devices;
30054 struct ipmi_smi_watcher bmc_events;
30055 - struct ipmi_user_hndl ipmi_hndlrs;
30056 + const struct ipmi_user_hndl ipmi_hndlrs;
30057 };
30058
30059 static void aem_register_bmc(int iface, struct device *dev);
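Review bot: Marking `ipmi_hndlrs` `const` as a member of `struct aem_driver_data` gives compile-time protection only. The member lives inside an object that also holds `aem_devices` and `bmc_events`, which must stay writable, so the handler pointers presumably still end up in writable memory. The ibmpex.c hunk makes the same change to `struct ibmpex_driver_data`, whose instance is the non-const `static struct ibmpex_driver_data driver_data`. If the aim is a read-only function-pointer table, the handlers would need to be a separate `static const struct ipmi_user_hndl` object that the driver data refers to by pointer. A const member can also only be filled in by the static initializer, which is worth a comment on the field.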
30060 diff -urNp linux-2.6.39.1/drivers/hwmon/ibmpex.c linux-2.6.39.1/drivers/hwmon/ibmpex.c
30061 --- linux-2.6.39.1/drivers/hwmon/ibmpex.c 2011-05-19 00:06:34.000000000 -0400
30062 +++ linux-2.6.39.1/drivers/hwmon/ibmpex.c 2011-05-22 19:36:31.000000000 -0400
30063 @@ -110,7 +110,7 @@ struct ibmpex_bmc_data {
30064 struct ibmpex_driver_data {
30065 struct list_head bmc_data;
30066 struct ipmi_smi_watcher bmc_events;
30067 - struct ipmi_user_hndl ipmi_hndlrs;
30068 + const struct ipmi_user_hndl ipmi_hndlrs;
30069 };
30070
30071 static struct ibmpex_driver_data driver_data = {
30072 diff -urNp linux-2.6.39.1/drivers/hwmon/sht15.c linux-2.6.39.1/drivers/hwmon/sht15.c
30073 --- linux-2.6.39.1/drivers/hwmon/sht15.c 2011-05-19 00:06:34.000000000 -0400
30074 +++ linux-2.6.39.1/drivers/hwmon/sht15.c 2011-05-22 19:36:31.000000000 -0400
30075 @@ -113,7 +113,7 @@ struct sht15_data {
30076 int supply_uV;
30077 int supply_uV_valid;
30078 struct work_struct update_supply_work;
30079 - atomic_t interrupt_handled;
30080 + atomic_unchecked_t interrupt_handled;
30081 };
30082
30083 /**
30084 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
30085 return ret;
30086
30087 gpio_direction_input(data->pdata->gpio_data);
30088 - atomic_set(&data->interrupt_handled, 0);
30089 + atomic_set_unchecked(&data->interrupt_handled, 0);
30090
30091 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30092 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30093 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30094 /* Only relevant if the interrupt hasn't occurred. */
30095 - if (!atomic_read(&data->interrupt_handled))
30096 + if (!atomic_read_unchecked(&data->interrupt_handled))
30097 schedule_work(&data->read_work);
30098 }
30099 ret = wait_event_timeout(data->wait_queue,
30100 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
30101 struct sht15_data *data = d;
30102 /* First disable the interrupt */
30103 disable_irq_nosync(irq);
30104 - atomic_inc(&data->interrupt_handled);
30105 + atomic_inc_unchecked(&data->interrupt_handled);
30106 /* Then schedule a reading work struct */
30107 if (data->flag != SHT15_READING_NOTHING)
30108 schedule_work(&data->read_work);
30109 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
30110 here as could have gone low in meantime so verify
30111 it hasn't!
30112 */
30113 - atomic_set(&data->interrupt_handled, 0);
30114 + atomic_set_unchecked(&data->interrupt_handled, 0);
30115 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30116 /* If still not occurred or another handler has been scheduled */
30117 if (gpio_get_value(data->pdata->gpio_data)
30118 - || atomic_read(&data->interrupt_handled))
30119 + || atomic_read_unchecked(&data->interrupt_handled))
30120 return;
30121 }
30122 /* Read the data back from the device */
30123 diff -urNp linux-2.6.39.1/drivers/hwmon/w83791d.c linux-2.6.39.1/drivers/hwmon/w83791d.c
30124 --- linux-2.6.39.1/drivers/hwmon/w83791d.c 2011-05-19 00:06:34.000000000 -0400
30125 +++ linux-2.6.39.1/drivers/hwmon/w83791d.c 2011-05-22 19:36:31.000000000 -0400
30126 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
30127 struct i2c_board_info *info);
30128 static int w83791d_remove(struct i2c_client *client);
30129
30130 -static int w83791d_read(struct i2c_client *client, u8 register);
30131 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30132 +static int w83791d_read(struct i2c_client *client, u8 reg);
30133 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30134 static struct w83791d_data *w83791d_update_device(struct device *dev);
30135
30136 #ifdef DEBUG
30137 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-at91.c linux-2.6.39.1/drivers/i2c/busses/i2c-at91.c
30138 --- linux-2.6.39.1/drivers/i2c/busses/i2c-at91.c 2011-05-19 00:06:34.000000000 -0400
30139 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-at91.c 2011-05-22 19:36:31.000000000 -0400
30140 @@ -181,7 +181,7 @@ static u32 at91_func(struct i2c_adapter
30141 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30142 }
30143
30144 -static struct i2c_algorithm at91_algorithm = {
30145 +static const struct i2c_algorithm at91_algorithm = {
30146 .master_xfer = at91_xfer,
30147 .functionality = at91_func,
30148 };
30149 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-bfin-twi.c linux-2.6.39.1/drivers/i2c/busses/i2c-bfin-twi.c
30150 --- linux-2.6.39.1/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-19 00:06:34.000000000 -0400
30151 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-22 19:36:31.000000000 -0400
30152 @@ -599,7 +599,7 @@ static u32 bfin_twi_functionality(struct
30153 I2C_FUNC_I2C | I2C_FUNC_SMBUS_I2C_BLOCK;
30154 }
30155
30156 -static struct i2c_algorithm bfin_twi_algorithm = {
30157 +static const struct i2c_algorithm bfin_twi_algorithm = {
30158 .master_xfer = bfin_twi_master_xfer,
30159 .smbus_xfer = bfin_twi_smbus_xfer,
30160 .functionality = bfin_twi_functionality,
30161 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-davinci.c linux-2.6.39.1/drivers/i2c/busses/i2c-davinci.c
30162 --- linux-2.6.39.1/drivers/i2c/busses/i2c-davinci.c 2011-05-19 00:06:34.000000000 -0400
30163 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-davinci.c 2011-05-22 19:36:31.000000000 -0400
30164 @@ -630,7 +630,7 @@ static inline void i2c_davinci_cpufreq_d
30165 }
30166 #endif
30167
30168 -static struct i2c_algorithm i2c_davinci_algo = {
30169 +static const struct i2c_algorithm i2c_davinci_algo = {
30170 .master_xfer = i2c_davinci_xfer,
30171 .functionality = i2c_davinci_func,
30172 };
30173 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-designware.c linux-2.6.39.1/drivers/i2c/busses/i2c-designware.c
30174 --- linux-2.6.39.1/drivers/i2c/busses/i2c-designware.c 2011-05-19 00:06:34.000000000 -0400
30175 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-designware.c 2011-05-22 19:36:31.000000000 -0400
30176 @@ -689,7 +689,7 @@ tx_aborted:
30177 return IRQ_HANDLED;
30178 }
30179
30180 -static struct i2c_algorithm i2c_dw_algo = {
30181 +static const struct i2c_algorithm i2c_dw_algo = {
30182 .master_xfer = i2c_dw_xfer,
30183 .functionality = i2c_dw_func,
30184 };
30185 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-eg20t.c linux-2.6.39.1/drivers/i2c/busses/i2c-eg20t.c
30186 --- linux-2.6.39.1/drivers/i2c/busses/i2c-eg20t.c 2011-05-19 00:06:34.000000000 -0400
30187 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-eg20t.c 2011-05-22 19:36:31.000000000 -0400
30188 @@ -708,7 +708,7 @@ static u32 pch_i2c_func(struct i2c_adapt
30189 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL | I2C_FUNC_10BIT_ADDR;
30190 }
30191
30192 -static struct i2c_algorithm pch_algorithm = {
30193 +static const struct i2c_algorithm pch_algorithm = {
30194 .master_xfer = pch_i2c_xfer,
30195 .functionality = pch_i2c_func
30196 };
30197 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-imx.c linux-2.6.39.1/drivers/i2c/busses/i2c-imx.c
30198 --- linux-2.6.39.1/drivers/i2c/busses/i2c-imx.c 2011-05-19 00:06:34.000000000 -0400
30199 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-imx.c 2011-05-22 19:36:31.000000000 -0400
30200 @@ -457,7 +457,7 @@ static u32 i2c_imx_func(struct i2c_adapt
30201 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30202 }
30203
30204 -static struct i2c_algorithm i2c_imx_algo = {
30205 +static const struct i2c_algorithm i2c_imx_algo = {
30206 .master_xfer = i2c_imx_xfer,
30207 .functionality = i2c_imx_func,
30208 };
30209 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-intel-mid.c linux-2.6.39.1/drivers/i2c/busses/i2c-intel-mid.c
30210 --- linux-2.6.39.1/drivers/i2c/busses/i2c-intel-mid.c 2011-05-19 00:06:34.000000000 -0400
30211 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-intel-mid.c 2011-05-22 19:36:31.000000000 -0400
30212 @@ -917,7 +917,7 @@ err:
30213 return IRQ_HANDLED;
30214 }
30215
30216 -static struct i2c_algorithm intel_mid_i2c_algorithm = {
30217 +static const struct i2c_algorithm intel_mid_i2c_algorithm = {
30218 .master_xfer = intel_mid_i2c_xfer,
30219 .functionality = intel_mid_i2c_func,
30220 };
30221 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-nforce2.c linux-2.6.39.1/drivers/i2c/busses/i2c-nforce2.c
30222 --- linux-2.6.39.1/drivers/i2c/busses/i2c-nforce2.c 2011-05-19 00:06:34.000000000 -0400
30223 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-nforce2.c 2011-05-22 19:36:31.000000000 -0400
30224 @@ -303,7 +303,7 @@ static u32 nforce2_func(struct i2c_adapt
30225 I2C_FUNC_SMBUS_BLOCK_DATA : 0);
30226 }
30227
30228 -static struct i2c_algorithm smbus_algorithm = {
30229 +static const struct i2c_algorithm smbus_algorithm = {
30230 .smbus_xfer = nforce2_access,
30231 .functionality = nforce2_func,
30232 };
30233 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-pmcmsp.c linux-2.6.39.1/drivers/i2c/busses/i2c-pmcmsp.c
30234 --- linux-2.6.39.1/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
30235 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-22 19:36:31.000000000 -0400
30236 @@ -615,7 +615,7 @@ static u32 pmcmsptwi_i2c_func(struct i2c
30237
30238 /* -- Initialization -- */
30239
30240 -static struct i2c_algorithm pmcmsptwi_algo = {
30241 +static const struct i2c_algorithm pmcmsptwi_algo = {
30242 .master_xfer = pmcmsptwi_master_xfer,
30243 .functionality = pmcmsptwi_i2c_func,
30244 };
30245 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-pnx.c linux-2.6.39.1/drivers/i2c/busses/i2c-pnx.c
30246 --- linux-2.6.39.1/drivers/i2c/busses/i2c-pnx.c 2011-05-19 00:06:34.000000000 -0400
30247 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-pnx.c 2011-05-22 19:36:31.000000000 -0400
30248 @@ -535,7 +535,7 @@ static u32 i2c_pnx_func(struct i2c_adapt
30249 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30250 }
30251
30252 -static struct i2c_algorithm pnx_algorithm = {
30253 +static const struct i2c_algorithm pnx_algorithm = {
30254 .master_xfer = i2c_pnx_xfer,
30255 .functionality = i2c_pnx_func,
30256 };
30257 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-puv3.c linux-2.6.39.1/drivers/i2c/busses/i2c-puv3.c
30258 --- linux-2.6.39.1/drivers/i2c/busses/i2c-puv3.c 2011-05-19 00:06:34.000000000 -0400
30259 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-puv3.c 2011-05-22 19:36:31.000000000 -0400
30260 @@ -176,7 +176,7 @@ static u32 puv3_i2c_func(struct i2c_adap
30261 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30262 }
30263
30264 -static struct i2c_algorithm puv3_i2c_algorithm = {
30265 +static const struct i2c_algorithm puv3_i2c_algorithm = {
30266 .master_xfer = puv3_i2c_xfer,
30267 .functionality = puv3_i2c_func,
30268 };
30269 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-s6000.c linux-2.6.39.1/drivers/i2c/busses/i2c-s6000.c
30270 --- linux-2.6.39.1/drivers/i2c/busses/i2c-s6000.c 2011-05-19 00:06:34.000000000 -0400
30271 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-s6000.c 2011-05-22 19:36:31.000000000 -0400
30272 @@ -243,7 +243,7 @@ static u32 s6i2c_functionality(struct i2
30273 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30274 }
30275
30276 -static struct i2c_algorithm s6i2c_algorithm = {
30277 +static const struct i2c_algorithm s6i2c_algorithm = {
30278 .master_xfer = s6i2c_master_xfer,
30279 .functionality = s6i2c_functionality,
30280 };
30281 diff -urNp linux-2.6.39.1/drivers/i2c/busses/i2c-sh_mobile.c linux-2.6.39.1/drivers/i2c/busses/i2c-sh_mobile.c
30282 --- linux-2.6.39.1/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-19 00:06:34.000000000 -0400
30283 +++ linux-2.6.39.1/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-22 19:36:31.000000000 -0400
30284 @@ -529,7 +529,7 @@ static u32 sh_mobile_i2c_func(struct i2c
30285 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30286 }
30287
30288 -static struct i2c_algorithm sh_mobile_i2c_algorithm = {
30289 +static const struct i2c_algorithm sh_mobile_i2c_algorithm = {
30290 .functionality = sh_mobile_i2c_func,
30291 .master_xfer = sh_mobile_i2c_xfer,
30292 };
30293 diff -urNp linux-2.6.39.1/drivers/ide/ide-cd.c linux-2.6.39.1/drivers/ide/ide-cd.c
30294 --- linux-2.6.39.1/drivers/ide/ide-cd.c 2011-06-03 00:04:14.000000000 -0400
30295 +++ linux-2.6.39.1/drivers/ide/ide-cd.c 2011-06-03 00:32:05.000000000 -0400
30296 @@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
30297 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30298 if ((unsigned long)buf & alignment
30299 || blk_rq_bytes(rq) & q->dma_pad_mask
30300 - || object_is_on_stack(buf))
30301 + || object_starts_on_stack(buf))
30302 drive->dma = 0;
30303 }
30304 }
30305 diff -urNp linux-2.6.39.1/drivers/ide/ide-floppy.c linux-2.6.39.1/drivers/ide/ide-floppy.c
30306 --- linux-2.6.39.1/drivers/ide/ide-floppy.c 2011-05-19 00:06:34.000000000 -0400
30307 +++ linux-2.6.39.1/drivers/ide/ide-floppy.c 2011-05-22 19:36:31.000000000 -0400
30308 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
30309 u8 pc_buf[256], header_len, desc_cnt;
30310 int i, rc = 1, blocks, length;
30311
30312 + pax_track_stack();
30313 +
30314 ide_debug_log(IDE_DBG_FUNC, "enter");
30315
30316 drive->bios_cyl = 0;
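Review bot: The added `pax_track_stack();` carries no comment saying why this function needs it; from the hunk the reason appears to be the 256-byte `pc_buf` array on the stack. A line such as `/* large on-stack buffer: record stack depth for kernel stack clearing */` above the call would tell a maintainer to drop it if the buffer moves off the stack. The setup-pci.c hunk adds the same bare call to `ide_pci_init_two`, next to its `struct ide_hw hw[4]` array. Both function bodies continue outside their hunks.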
30317 diff -urNp linux-2.6.39.1/drivers/ide/it821x.c linux-2.6.39.1/drivers/ide/it821x.c
30318 --- linux-2.6.39.1/drivers/ide/it821x.c 2011-05-19 00:06:34.000000000 -0400
30319 +++ linux-2.6.39.1/drivers/ide/it821x.c 2011-05-22 19:36:31.000000000 -0400
30320 @@ -508,7 +508,7 @@ static void it821x_quirkproc(ide_drive_t
30321
30322 }
30323
30324 -static struct ide_dma_ops it821x_pass_through_dma_ops = {
30325 +static const struct ide_dma_ops it821x_pass_through_dma_ops = {
30326 .dma_host_set = ide_dma_host_set,
30327 .dma_setup = ide_dma_setup,
30328 .dma_start = it821x_dma_start,
30329 diff -urNp linux-2.6.39.1/drivers/ide/setup-pci.c linux-2.6.39.1/drivers/ide/setup-pci.c
30330 --- linux-2.6.39.1/drivers/ide/setup-pci.c 2011-05-19 00:06:34.000000000 -0400
30331 +++ linux-2.6.39.1/drivers/ide/setup-pci.c 2011-05-22 19:36:31.000000000 -0400
30332 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30333 int ret, i, n_ports = dev2 ? 4 : 2;
30334 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30335
30336 + pax_track_stack();
30337 +
30338 for (i = 0; i < n_ports / 2; i++) {
30339 ret = ide_setup_pci_controller(pdev[i], d, !i);
30340 if (ret < 0)
30341 diff -urNp linux-2.6.39.1/drivers/ide/trm290.c linux-2.6.39.1/drivers/ide/trm290.c
30342 --- linux-2.6.39.1/drivers/ide/trm290.c 2011-05-19 00:06:34.000000000 -0400
30343 +++ linux-2.6.39.1/drivers/ide/trm290.c 2011-05-22 19:36:31.000000000 -0400
30344 @@ -314,7 +314,7 @@ static const struct ide_tp_ops trm290_tp
30345 .output_data = ide_output_data,
30346 };
30347
30348 -static struct ide_dma_ops trm290_dma_ops = {
30349 +static const struct ide_dma_ops trm290_dma_ops = {
30350 .dma_host_set = trm290_dma_host_set,
30351 .dma_setup = trm290_dma_setup,
30352 .dma_start = trm290_dma_start,
30353 diff -urNp linux-2.6.39.1/drivers/infiniband/core/cm.c linux-2.6.39.1/drivers/infiniband/core/cm.c
30354 --- linux-2.6.39.1/drivers/infiniband/core/cm.c 2011-05-19 00:06:34.000000000 -0400
30355 +++ linux-2.6.39.1/drivers/infiniband/core/cm.c 2011-05-22 19:36:31.000000000 -0400
30356 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
30357
30358 struct cm_counter_group {
30359 struct kobject obj;
30360 - atomic_long_t counter[CM_ATTR_COUNT];
30361 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30362 };
30363
30364 struct cm_counter_attribute {
30365 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
30366 struct ib_mad_send_buf *msg = NULL;
30367 int ret;
30368
30369 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30370 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30371 counter[CM_REQ_COUNTER]);
30372
30373 /* Quick state check to discard duplicate REQs. */
30374 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
30375 if (!cm_id_priv)
30376 return;
30377
30378 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30379 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30380 counter[CM_REP_COUNTER]);
30381 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30382 if (ret)
30383 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
30384 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30385 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30386 spin_unlock_irq(&cm_id_priv->lock);
30387 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30388 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30389 counter[CM_RTU_COUNTER]);
30390 goto out;
30391 }
30392 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
30393 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30394 dreq_msg->local_comm_id);
30395 if (!cm_id_priv) {
30396 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30397 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30398 counter[CM_DREQ_COUNTER]);
30399 cm_issue_drep(work->port, work->mad_recv_wc);
30400 return -EINVAL;
30401 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
30402 case IB_CM_MRA_REP_RCVD:
30403 break;
30404 case IB_CM_TIMEWAIT:
30405 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30406 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30407 counter[CM_DREQ_COUNTER]);
30408 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30409 goto unlock;
30410 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
30411 cm_free_msg(msg);
30412 goto deref;
30413 case IB_CM_DREQ_RCVD:
30414 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30415 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30416 counter[CM_DREQ_COUNTER]);
30417 goto unlock;
30418 default:
30419 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
30420 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30421 cm_id_priv->msg, timeout)) {
30422 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30423 - atomic_long_inc(&work->port->
30424 + atomic_long_inc_unchecked(&work->port->
30425 counter_group[CM_RECV_DUPLICATES].
30426 counter[CM_MRA_COUNTER]);
30427 goto out;
30428 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
30429 break;
30430 case IB_CM_MRA_REQ_RCVD:
30431 case IB_CM_MRA_REP_RCVD:
30432 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30433 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30434 counter[CM_MRA_COUNTER]);
30435 /* fall through */
30436 default:
30437 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
30438 case IB_CM_LAP_IDLE:
30439 break;
30440 case IB_CM_MRA_LAP_SENT:
30441 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30442 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30443 counter[CM_LAP_COUNTER]);
30444 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30445 goto unlock;
30446 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
30447 cm_free_msg(msg);
30448 goto deref;
30449 case IB_CM_LAP_RCVD:
30450 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30451 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30452 counter[CM_LAP_COUNTER]);
30453 goto unlock;
30454 default:
30455 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
30456 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30457 if (cur_cm_id_priv) {
30458 spin_unlock_irq(&cm.lock);
30459 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30460 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30461 counter[CM_SIDR_REQ_COUNTER]);
30462 goto out; /* Duplicate message. */
30463 }
30464 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
30465 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30466 msg->retries = 1;
30467
30468 - atomic_long_add(1 + msg->retries,
30469 + atomic_long_add_unchecked(1 + msg->retries,
30470 &port->counter_group[CM_XMIT].counter[attr_index]);
30471 if (msg->retries)
30472 - atomic_long_add(msg->retries,
30473 + atomic_long_add_unchecked(msg->retries,
30474 &port->counter_group[CM_XMIT_RETRIES].
30475 counter[attr_index]);
30476
30477 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
30478 }
30479
30480 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30481 - atomic_long_inc(&port->counter_group[CM_RECV].
30482 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30483 counter[attr_id - CM_ATTR_ID_OFFSET]);
30484
30485 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
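Review bot: The array index `attr_id - CM_ATTR_ID_OFFSET` in cm_recv_handler is computed from the attribute id of a received MAD, and nothing visible in this hunk bounds it against the size of `counter[]`. The closing brace at the top of the hunk presumably ends a check that rejects unknown attribute ids, but that code is outside the hunk and cannot be confirmed from here. A one-line comment above the increment, such as `/* attr_id was validated by the switch above, so the index stays inside counter[] */`, would tie the index to that check. The `_unchecked` variant only removes overflow detection on the counter value, so it gives no protection for the index.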
30486 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
30487 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30488
30489 return sprintf(buf, "%ld\n",
30490 - atomic_long_read(&group->counter[cm_attr->index]));
30491 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30492 }
30493
30494 static const struct sysfs_ops cm_counter_ops = {
30495 diff -urNp linux-2.6.39.1/drivers/infiniband/core/fmr_pool.c linux-2.6.39.1/drivers/infiniband/core/fmr_pool.c
30496 --- linux-2.6.39.1/drivers/infiniband/core/fmr_pool.c 2011-05-19 00:06:34.000000000 -0400
30497 +++ linux-2.6.39.1/drivers/infiniband/core/fmr_pool.c 2011-05-22 19:36:31.000000000 -0400
30498 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30499
30500 struct task_struct *thread;
30501
30502 - atomic_t req_ser;
30503 - atomic_t flush_ser;
30504 + atomic_unchecked_t req_ser;
30505 + atomic_unchecked_t flush_ser;
30506
30507 wait_queue_head_t force_wait;
30508 };
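Review bot: `req_ser` and `flush_ser` are serial numbers that the later hunks compare by signed difference (`flush_ser - req_ser < 0` in ib_fmr_cleanup_thread, `flush_ser - serial >= 0` in ib_flush_fmr_pool), so wrap-around is part of their design and the struct should say so. Without that, the `atomic_unchecked_t` type reads as an arbitrary opt-out from overflow detection. I would add `/* serial numbers, compared by difference; wrap-around is expected */` above the two fields. The opening lines of the struct are outside the hunk.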
30509 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30510 struct ib_fmr_pool *pool = pool_ptr;
30511
30512 do {
30513 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30514 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30515 ib_fmr_batch_release(pool);
30516
30517 - atomic_inc(&pool->flush_ser);
30518 + atomic_inc_unchecked(&pool->flush_ser);
30519 wake_up_interruptible(&pool->force_wait);
30520
30521 if (pool->flush_function)
30522 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30523 }
30524
30525 set_current_state(TASK_INTERRUPTIBLE);
30526 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30527 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30528 !kthread_should_stop())
30529 schedule();
30530 __set_current_state(TASK_RUNNING);
30531 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30532 pool->dirty_watermark = params->dirty_watermark;
30533 pool->dirty_len = 0;
30534 spin_lock_init(&pool->pool_lock);
30535 - atomic_set(&pool->req_ser, 0);
30536 - atomic_set(&pool->flush_ser, 0);
30537 + atomic_set_unchecked(&pool->req_ser, 0);
30538 + atomic_set_unchecked(&pool->flush_ser, 0);
30539 init_waitqueue_head(&pool->force_wait);
30540
30541 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30542 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30543 }
30544 spin_unlock_irq(&pool->pool_lock);
30545
30546 - serial = atomic_inc_return(&pool->req_ser);
30547 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30548 wake_up_process(pool->thread);
30549
30550 if (wait_event_interruptible(pool->force_wait,
30551 - atomic_read(&pool->flush_ser) - serial >= 0))
30552 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30553 return -EINTR;
30554
30555 return 0;
30556 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30557 } else {
30558 list_add_tail(&fmr->list, &pool->dirty_list);
30559 if (++pool->dirty_len >= pool->dirty_watermark) {
30560 - atomic_inc(&pool->req_ser);
30561 + atomic_inc_unchecked(&pool->req_ser);
30562 wake_up_process(pool->thread);
30563 }
30564 }
30565 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/cxgb4/mem.c linux-2.6.39.1/drivers/infiniband/hw/cxgb4/mem.c
30566 --- linux-2.6.39.1/drivers/infiniband/hw/cxgb4/mem.c 2011-05-19 00:06:34.000000000 -0400
30567 +++ linux-2.6.39.1/drivers/infiniband/hw/cxgb4/mem.c 2011-05-22 19:36:31.000000000 -0400
30568 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
30569 int err;
30570 struct fw_ri_tpte tpt;
30571 u32 stag_idx;
30572 - static atomic_t key;
30573 + static atomic_unchecked_t key;
30574
30575 if (c4iw_fatal_error(rdev))
30576 return -EIO;
30577 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
30578 &rdev->resource.tpt_fifo_lock);
30579 if (!stag_idx)
30580 return -ENOMEM;
30581 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
30582 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
30583 }
30584 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
30585 __func__, stag_state, type, pdid, stag_idx);
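Review bot: Only the low eight bits of `key` are used in `*stag` in write_tpt_entry, which is why wrapping is harmless, but neither the declaration in the previous hunk nor this assignment says so. A comment on the declaration, for example `/* rolling 8-bit key for the low byte of the STag; wraps by design */`, would document why `atomic_unchecked_t` is appropriate. The same comment should state that the key is a plain sequential counter, so it must not be relied on as an unpredictable value. The function body starts and continues outside the hunk.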
30586 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_dma.c linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_dma.c
30587 --- linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-19 00:06:34.000000000 -0400
30588 +++ linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-22 19:36:31.000000000 -0400
30589 @@ -175,7 +175,7 @@ static void ipath_dma_free_coherent(stru
30590 free_pages((unsigned long) cpu_addr, get_order(size));
30591 }
30592
30593 -struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30594 +const struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30595 ipath_mapping_error,
30596 ipath_dma_map_single,
30597 ipath_dma_unmap_single,
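Review bot: `ipath_dma_mapping_ops` is initialised positionally, so which function lands in which member depends entirely on the field order of `struct ib_dma_mapping_ops`. For an ops table that is now `const`, designated initialisers make the binding explicit and robust against a reordered struct: `.mapping_error = ipath_mapping_error,`, `.map_single = ipath_dma_map_single,`, `.unmap_single = ipath_dma_unmap_single,`. The initialiser continues past the end of the hunk, so the remaining members would need the same treatment.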
30598 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_fs.c
30599 --- linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-19 00:06:34.000000000 -0400
30600 +++ linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-22 19:36:31.000000000 -0400
30601 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
30602 struct infinipath_counters counters;
30603 struct ipath_devdata *dd;
30604
30605 + pax_track_stack();
30606 +
30607 dd = file->f_path.dentry->d_inode->i_private;
30608 dd->ipath_f_read_counters(dd, &counters);
30609
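Review bot: `counters` in atomic_counters_read is an uninitialised on-stack struct that is filled only by the device callback `dd->ipath_f_read_counters`. The rest of the function is outside the hunk, but if the struct is then copied to the reader, any member or padding the callback leaves unwritten would carry old stack contents. Zeroing it first closes that off: `memset(&counters, 0, sizeof(counters));` before the callback. A short comment on the added `pax_track_stack();`, saying it is there because of the large local, would also help.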
30610 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_rc.c linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_rc.c
30611 --- linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-19 00:06:34.000000000 -0400
30612 +++ linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-22 19:36:31.000000000 -0400
30613 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
30614 struct ib_atomic_eth *ateth;
30615 struct ipath_ack_entry *e;
30616 u64 vaddr;
30617 - atomic64_t *maddr;
30618 + atomic64_unchecked_t *maddr;
30619 u64 sdata;
30620 u32 rkey;
30621 u8 next;
30622 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
30623 IB_ACCESS_REMOTE_ATOMIC)))
30624 goto nack_acc_unlck;
30625 /* Perform atomic OP and save result. */
30626 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
30627 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
30628 sdata = be64_to_cpu(ateth->swap_data);
30629 e = &qp->s_ack_queue[qp->r_head_ack_queue];
30630 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
30631 - (u64) atomic64_add_return(sdata, maddr) - sdata :
30632 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
30633 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
30634 be64_to_cpu(ateth->compare_data),
30635 sdata);
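Review bot: The cast to `atomic64_unchecked_t *` in ipath_rc_rcv has no comment saying why overflow detection must be off, and the reason is not obvious from the line. The addend `sdata` comes from the request (`ateth->swap_data`) and the target is the memory at `qp->r_sge.sge.vaddr`, so a wrapping sum is ordinary data arithmetic, not a reference-count overflow. I would extend the existing comment to `/* Perform atomic OP and save result; FETCH_ADD is modular, so wrapping is expected. */`. The same cast and call appear in ipath_ruc_loopback in ipath_ruc.c (the `again:` hunk). The function body starts and ends outside the hunk.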
30636 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_ruc.c linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_ruc.c
30637 --- linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-19 00:06:34.000000000 -0400
30638 +++ linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-22 19:36:31.000000000 -0400
30639 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
30640 unsigned long flags;
30641 struct ib_wc wc;
30642 u64 sdata;
30643 - atomic64_t *maddr;
30644 + atomic64_unchecked_t *maddr;
30645 enum ib_wc_status send_status;
30646
30647 /*
30648 @@ -382,11 +382,11 @@ again:
30649 IB_ACCESS_REMOTE_ATOMIC)))
30650 goto acc_err;
30651 /* Perform atomic OP and save result. */
30652 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
30653 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
30654 sdata = wqe->wr.wr.atomic.compare_add;
30655 *(u64 *) sqp->s_sge.sge.vaddr =
30656 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
30657 - (u64) atomic64_add_return(sdata, maddr) - sdata :
30658 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
30659 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
30660 sdata, wqe->wr.wr.atomic.swap);
30661 goto send_comp;
30662 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_verbs.h linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_verbs.h
30663 --- linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-19 00:06:34.000000000 -0400
30664 +++ linux-2.6.39.1/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-22 19:36:31.000000000 -0400
30665 @@ -931,6 +931,6 @@ extern unsigned int ib_ipath_max_srq_wrs
30666
30667 extern const u32 ib_ipath_rnr_table[];
30668
30669 -extern struct ib_dma_mapping_ops ipath_dma_mapping_ops;
30670 +extern const struct ib_dma_mapping_ops ipath_dma_mapping_ops;
30671
30672 #endif /* IPATH_VERBS_H */
30673 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/nes/nes.c linux-2.6.39.1/drivers/infiniband/hw/nes/nes.c
30674 --- linux-2.6.39.1/drivers/infiniband/hw/nes/nes.c 2011-05-19 00:06:34.000000000 -0400
30675 +++ linux-2.6.39.1/drivers/infiniband/hw/nes/nes.c 2011-05-22 19:36:31.000000000 -0400
30676 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
30677 LIST_HEAD(nes_adapter_list);
30678 static LIST_HEAD(nes_dev_list);
30679
30680 -atomic_t qps_destroyed;
30681 +atomic_unchecked_t qps_destroyed;
30682
30683 static unsigned int ee_flsh_adapter;
30684 static unsigned int sysfs_nonidx_addr;
30685 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
30686 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
30687 struct nes_adapter *nesadapter = nesdev->nesadapter;
30688
30689 - atomic_inc(&qps_destroyed);
30690 + atomic_inc_unchecked(&qps_destroyed);
30691
30692 /* Free the control structures */
30693
30694 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.39.1/drivers/infiniband/hw/nes/nes_cm.c
30695 --- linux-2.6.39.1/drivers/infiniband/hw/nes/nes_cm.c 2011-05-19 00:06:34.000000000 -0400
30696 +++ linux-2.6.39.1/drivers/infiniband/hw/nes/nes_cm.c 2011-05-22 19:36:31.000000000 -0400
30697 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
30698 u32 cm_packets_retrans;
30699 u32 cm_packets_created;
30700 u32 cm_packets_received;
30701 -atomic_t cm_listens_created;
30702 -atomic_t cm_listens_destroyed;
30703 +atomic_unchecked_t cm_listens_created;
30704 +atomic_unchecked_t cm_listens_destroyed;
30705 u32 cm_backlog_drops;
30706 -atomic_t cm_loopbacks;
30707 -atomic_t cm_nodes_created;
30708 -atomic_t cm_nodes_destroyed;
30709 -atomic_t cm_accel_dropped_pkts;
30710 -atomic_t cm_resets_recvd;
30711 +atomic_unchecked_t cm_loopbacks;
30712 +atomic_unchecked_t cm_nodes_created;
30713 +atomic_unchecked_t cm_nodes_destroyed;
30714 +atomic_unchecked_t cm_accel_dropped_pkts;
30715 +atomic_unchecked_t cm_resets_recvd;
30716
30717 static inline int mini_cm_accelerated(struct nes_cm_core *,
30718 struct nes_cm_node *);
30719 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
30720
30721 static struct nes_cm_core *g_cm_core;
30722
30723 -atomic_t cm_connects;
30724 -atomic_t cm_accepts;
30725 -atomic_t cm_disconnects;
30726 -atomic_t cm_closes;
30727 -atomic_t cm_connecteds;
30728 -atomic_t cm_connect_reqs;
30729 -atomic_t cm_rejects;
30730 +atomic_unchecked_t cm_connects;
30731 +atomic_unchecked_t cm_accepts;
30732 +atomic_unchecked_t cm_disconnects;
30733 +atomic_unchecked_t cm_closes;
30734 +atomic_unchecked_t cm_connecteds;
30735 +atomic_unchecked_t cm_connect_reqs;
30736 +atomic_unchecked_t cm_rejects;
30737
30738
30739 /**
30740 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
30741 kfree(listener);
30742 listener = NULL;
30743 ret = 0;
30744 - atomic_inc(&cm_listens_destroyed);
30745 + atomic_inc_unchecked(&cm_listens_destroyed);
30746 } else {
30747 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
30748 }
30749 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
30750 cm_node->rem_mac);
30751
30752 add_hte_node(cm_core, cm_node);
30753 - atomic_inc(&cm_nodes_created);
30754 + atomic_inc_unchecked(&cm_nodes_created);
30755
30756 return cm_node;
30757 }
30758 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
30759 }
30760
30761 atomic_dec(&cm_core->node_cnt);
30762 - atomic_inc(&cm_nodes_destroyed);
30763 + atomic_inc_unchecked(&cm_nodes_destroyed);
30764 nesqp = cm_node->nesqp;
30765 if (nesqp) {
30766 nesqp->cm_node = NULL;
30767 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
30768
30769 static void drop_packet(struct sk_buff *skb)
30770 {
30771 - atomic_inc(&cm_accel_dropped_pkts);
30772 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30773 dev_kfree_skb_any(skb);
30774 }
30775
30776 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
30777 {
30778
30779 int reset = 0; /* whether to send reset in case of err.. */
30780 - atomic_inc(&cm_resets_recvd);
30781 + atomic_inc_unchecked(&cm_resets_recvd);
30782 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
30783 " refcnt=%d\n", cm_node, cm_node->state,
30784 atomic_read(&cm_node->ref_count));
30785 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
30786 rem_ref_cm_node(cm_node->cm_core, cm_node);
30787 return NULL;
30788 }
30789 - atomic_inc(&cm_loopbacks);
30790 + atomic_inc_unchecked(&cm_loopbacks);
30791 loopbackremotenode->loopbackpartner = cm_node;
30792 loopbackremotenode->tcp_cntxt.rcv_wscale =
30793 NES_CM_DEFAULT_RCV_WND_SCALE;
30794 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
30795 add_ref_cm_node(cm_node);
30796 } else if (cm_node->state == NES_CM_STATE_TSA) {
30797 rem_ref_cm_node(cm_core, cm_node);
30798 - atomic_inc(&cm_accel_dropped_pkts);
30799 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30800 dev_kfree_skb_any(skb);
30801 break;
30802 }
30803 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
30804
30805 if ((cm_id) && (cm_id->event_handler)) {
30806 if (issue_disconn) {
30807 - atomic_inc(&cm_disconnects);
30808 + atomic_inc_unchecked(&cm_disconnects);
30809 cm_event.event = IW_CM_EVENT_DISCONNECT;
30810 cm_event.status = disconn_status;
30811 cm_event.local_addr = cm_id->local_addr;
30812 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
30813 }
30814
30815 if (issue_close) {
30816 - atomic_inc(&cm_closes);
30817 + atomic_inc_unchecked(&cm_closes);
30818 nes_disconnect(nesqp, 1);
30819
30820 cm_id->provider_data = nesqp;
30821 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
30822
30823 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
30824 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
30825 - atomic_inc(&cm_accepts);
30826 + atomic_inc_unchecked(&cm_accepts);
30827
30828 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
30829 netdev_refcnt_read(nesvnic->netdev));
30830 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
30831
30832 struct nes_cm_core *cm_core;
30833
30834 - atomic_inc(&cm_rejects);
30835 + atomic_inc_unchecked(&cm_rejects);
30836 cm_node = (struct nes_cm_node *) cm_id->provider_data;
30837 loopback = cm_node->loopbackpartner;
30838 cm_core = cm_node->cm_core;
30839 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
30840 ntohl(cm_id->local_addr.sin_addr.s_addr),
30841 ntohs(cm_id->local_addr.sin_port));
30842
30843 - atomic_inc(&cm_connects);
30844 + atomic_inc_unchecked(&cm_connects);
30845 nesqp->active_conn = 1;
30846
30847 /* cache the cm_id in the qp */
30848 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
30849 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
30850 return err;
30851 }
30852 - atomic_inc(&cm_listens_created);
30853 + atomic_inc_unchecked(&cm_listens_created);
30854 }
30855
30856 cm_id->add_ref(cm_id);
30857 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
30858 if (nesqp->destroyed) {
30859 return;
30860 }
30861 - atomic_inc(&cm_connecteds);
30862 + atomic_inc_unchecked(&cm_connecteds);
30863 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
30864 " local port 0x%04X. jiffies = %lu.\n",
30865 nesqp->hwqp.qp_id,
30866 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
30867
30868 cm_id->add_ref(cm_id);
30869 ret = cm_id->event_handler(cm_id, &cm_event);
30870 - atomic_inc(&cm_closes);
30871 + atomic_inc_unchecked(&cm_closes);
30872 cm_event.event = IW_CM_EVENT_CLOSE;
30873 cm_event.status = IW_CM_EVENT_STATUS_OK;
30874 cm_event.provider_data = cm_id->provider_data;
30875 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
30876 return;
30877 cm_id = cm_node->cm_id;
30878
30879 - atomic_inc(&cm_connect_reqs);
30880 + atomic_inc_unchecked(&cm_connect_reqs);
30881 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
30882 cm_node, cm_id, jiffies);
30883
30884 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
30885 return;
30886 cm_id = cm_node->cm_id;
30887
30888 - atomic_inc(&cm_connect_reqs);
30889 + atomic_inc_unchecked(&cm_connect_reqs);
30890 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
30891 cm_node, cm_id, jiffies);
30892
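Review bot: cm_event_mpa_reject increments `cm_connect_reqs`, the same counter that cm_event_mpa_req bumps in the previous hunk, which looks like a copy-paste leftover that the rename carries forward. If the intent is to count received MPA rejects, the line should probably be `atomic_inc_unchecked(&cm_rejects);`, although `cm_rejects` is also incremented in nes_reject, so a separate counter may be what is wanted. As it stands, the connect-request statistic is inflated by every reject event. Both function bodies extend outside their hunks.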
30893 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/nes/nes.h linux-2.6.39.1/drivers/infiniband/hw/nes/nes.h
30894 --- linux-2.6.39.1/drivers/infiniband/hw/nes/nes.h 2011-05-19 00:06:34.000000000 -0400
30895 +++ linux-2.6.39.1/drivers/infiniband/hw/nes/nes.h 2011-05-22 19:36:31.000000000 -0400
30896 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
30897 extern unsigned int wqm_quanta;
30898 extern struct list_head nes_adapter_list;
30899
30900 -extern atomic_t cm_connects;
30901 -extern atomic_t cm_accepts;
30902 -extern atomic_t cm_disconnects;
30903 -extern atomic_t cm_closes;
30904 -extern atomic_t cm_connecteds;
30905 -extern atomic_t cm_connect_reqs;
30906 -extern atomic_t cm_rejects;
30907 -extern atomic_t mod_qp_timouts;
30908 -extern atomic_t qps_created;
30909 -extern atomic_t qps_destroyed;
30910 -extern atomic_t sw_qps_destroyed;
30911 +extern atomic_unchecked_t cm_connects;
30912 +extern atomic_unchecked_t cm_accepts;
30913 +extern atomic_unchecked_t cm_disconnects;
30914 +extern atomic_unchecked_t cm_closes;
30915 +extern atomic_unchecked_t cm_connecteds;
30916 +extern atomic_unchecked_t cm_connect_reqs;
30917 +extern atomic_unchecked_t cm_rejects;
30918 +extern atomic_unchecked_t mod_qp_timouts;
30919 +extern atomic_unchecked_t qps_created;
30920 +extern atomic_unchecked_t qps_destroyed;
30921 +extern atomic_unchecked_t sw_qps_destroyed;
30922 extern u32 mh_detected;
30923 extern u32 mh_pauses_sent;
30924 extern u32 cm_packets_sent;
30925 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
30926 extern u32 cm_packets_received;
30927 extern u32 cm_packets_dropped;
30928 extern u32 cm_packets_retrans;
30929 -extern atomic_t cm_listens_created;
30930 -extern atomic_t cm_listens_destroyed;
30931 +extern atomic_unchecked_t cm_listens_created;
30932 +extern atomic_unchecked_t cm_listens_destroyed;
30933 extern u32 cm_backlog_drops;
30934 -extern atomic_t cm_loopbacks;
30935 -extern atomic_t cm_nodes_created;
30936 -extern atomic_t cm_nodes_destroyed;
30937 -extern atomic_t cm_accel_dropped_pkts;
30938 -extern atomic_t cm_resets_recvd;
30939 +extern atomic_unchecked_t cm_loopbacks;
30940 +extern atomic_unchecked_t cm_nodes_created;
30941 +extern atomic_unchecked_t cm_nodes_destroyed;
30942 +extern atomic_unchecked_t cm_accel_dropped_pkts;
30943 +extern atomic_unchecked_t cm_resets_recvd;
30944
30945 extern u32 int_mod_timer_init;
30946 extern u32 int_mod_cq_depth_256;
30947 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.39.1/drivers/infiniband/hw/nes/nes_nic.c
30948 --- linux-2.6.39.1/drivers/infiniband/hw/nes/nes_nic.c 2011-05-19 00:06:34.000000000 -0400
30949 +++ linux-2.6.39.1/drivers/infiniband/hw/nes/nes_nic.c 2011-05-22 19:36:31.000000000 -0400
30950 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
30951 target_stat_values[++index] = mh_detected;
30952 target_stat_values[++index] = mh_pauses_sent;
30953 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
30954 - target_stat_values[++index] = atomic_read(&cm_connects);
30955 - target_stat_values[++index] = atomic_read(&cm_accepts);
30956 - target_stat_values[++index] = atomic_read(&cm_disconnects);
30957 - target_stat_values[++index] = atomic_read(&cm_connecteds);
30958 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
30959 - target_stat_values[++index] = atomic_read(&cm_rejects);
30960 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
30961 - target_stat_values[++index] = atomic_read(&qps_created);
30962 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
30963 - target_stat_values[++index] = atomic_read(&qps_destroyed);
30964 - target_stat_values[++index] = atomic_read(&cm_closes);
30965 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
30966 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
30967 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
30968 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
30969 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
30970 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
30971 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
30972 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
30973 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
30974 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
30975 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
30976 target_stat_values[++index] = cm_packets_sent;
30977 target_stat_values[++index] = cm_packets_bounced;
30978 target_stat_values[++index] = cm_packets_created;
30979 target_stat_values[++index] = cm_packets_received;
30980 target_stat_values[++index] = cm_packets_dropped;
30981 target_stat_values[++index] = cm_packets_retrans;
30982 - target_stat_values[++index] = atomic_read(&cm_listens_created);
30983 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
30984 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
30985 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
30986 target_stat_values[++index] = cm_backlog_drops;
30987 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
30988 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
30989 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
30990 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
30991 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
30992 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
30993 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
30994 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
30995 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
30996 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
30997 target_stat_values[++index] = nesadapter->free_4kpbl;
30998 target_stat_values[++index] = nesadapter->free_256pbl;
30999 target_stat_values[++index] = int_mod_timer_init;
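Review bot: Each `atomic_read_unchecked()` result is an `int`, and storing it into `target_stat_values[]` sign-extends it if that is the `u64` ethtool array, which seems likely but is declared outside the hunk. Now that these counters are explicitly allowed to wrap, a counter that passes `INT_MAX` would be reported as a value near 2^64 instead of continuing from 2^31. Casting at the read keeps the reported value a 32-bit count: `target_stat_values[++index] = (u32)atomic_read_unchecked(&cm_connects);`, and likewise for the other atomic reads in this hunk.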
31000 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.39.1/drivers/infiniband/hw/nes/nes_verbs.c
31001 --- linux-2.6.39.1/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-19 00:06:34.000000000 -0400
31002 +++ linux-2.6.39.1/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-22 19:36:31.000000000 -0400
31003 @@ -46,9 +46,9 @@
31004
31005 #include <rdma/ib_umem.h>
31006
31007 -atomic_t mod_qp_timouts;
31008 -atomic_t qps_created;
31009 -atomic_t sw_qps_destroyed;
31010 +atomic_unchecked_t mod_qp_timouts;
31011 +atomic_unchecked_t qps_created;
31012 +atomic_unchecked_t sw_qps_destroyed;
31013
31014 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31015
31016 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
31017 if (init_attr->create_flags)
31018 return ERR_PTR(-EINVAL);
31019
31020 - atomic_inc(&qps_created);
31021 + atomic_inc_unchecked(&qps_created);
31022 switch (init_attr->qp_type) {
31023 case IB_QPT_RC:
31024 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31025 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
31026 struct iw_cm_event cm_event;
31027 int ret;
31028
31029 - atomic_inc(&sw_qps_destroyed);
31030 + atomic_inc_unchecked(&sw_qps_destroyed);
31031 nesqp->destroyed = 1;
31032
31033 /* Blow away the connection if it exists. */
31034 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/qib/qib.h linux-2.6.39.1/drivers/infiniband/hw/qib/qib.h
31035 --- linux-2.6.39.1/drivers/infiniband/hw/qib/qib.h 2011-05-19 00:06:34.000000000 -0400
31036 +++ linux-2.6.39.1/drivers/infiniband/hw/qib/qib.h 2011-05-22 19:36:31.000000000 -0400
31037 @@ -51,6 +51,7 @@
31038 #include <linux/completion.h>
31039 #include <linux/kref.h>
31040 #include <linux/sched.h>
31041 +#include <linux/slab.h>
31042
31043 #include "qib_common.h"
31044 #include "qib_verbs.h"
31045 @@ -87,7 +88,7 @@ struct qlogic_ib_stats {
31046 };
31047
31048 extern struct qlogic_ib_stats qib_stats;
31049 -extern struct pci_error_handlers qib_pci_err_handler;
31050 +extern const struct pci_error_handlers qib_pci_err_handler;
31051 extern struct pci_driver qib_driver;
31052
31053 #define QIB_CHIP_SWVERSION QIB_CHIP_VERS_MAJ
31054 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/qib/qib_mmap.c linux-2.6.39.1/drivers/infiniband/hw/qib/qib_mmap.c
31055 --- linux-2.6.39.1/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-19 00:06:34.000000000 -0400
31056 +++ linux-2.6.39.1/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-22 19:36:31.000000000 -0400
31057 @@ -75,7 +75,7 @@ static void qib_vma_close(struct vm_area
31058 kref_put(&ip->ref, qib_release_mmap_info);
31059 }
31060
31061 -static struct vm_operations_struct qib_vm_ops = {
31062 +static const struct vm_operations_struct qib_vm_ops = {
31063 .open = qib_vma_open,
31064 .close = qib_vma_close,
31065 };
31066 diff -urNp linux-2.6.39.1/drivers/infiniband/hw/qib/qib_pcie.c linux-2.6.39.1/drivers/infiniband/hw/qib/qib_pcie.c
31067 --- linux-2.6.39.1/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-19 00:06:34.000000000 -0400
31068 +++ linux-2.6.39.1/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-22 19:36:31.000000000 -0400
31069 @@ -735,7 +735,7 @@ qib_pci_resume(struct pci_dev *pdev)
31070 qib_init(dd, 1); /* same as re-init after reset */
31071 }
31072
31073 -struct pci_error_handlers qib_pci_err_handler = {
31074 +const struct pci_error_handlers qib_pci_err_handler = {
31075 .error_detected = qib_pci_error_detected,
31076 .mmio_enabled = qib_pci_mmio_enabled,
31077 .link_reset = qib_pci_link_reset,
31078 diff -urNp linux-2.6.39.1/drivers/input/gameport/gameport.c linux-2.6.39.1/drivers/input/gameport/gameport.c
31079 --- linux-2.6.39.1/drivers/input/gameport/gameport.c 2011-05-19 00:06:34.000000000 -0400
31080 +++ linux-2.6.39.1/drivers/input/gameport/gameport.c 2011-05-22 19:36:31.000000000 -0400
31081 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
31082 */
31083 static void gameport_init_port(struct gameport *gameport)
31084 {
31085 - static atomic_t gameport_no = ATOMIC_INIT(0);
31086 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31087
31088 __module_get(THIS_MODULE);
31089
31090 mutex_init(&gameport->drv_mutex);
31091 device_initialize(&gameport->dev);
31092 dev_set_name(&gameport->dev, "gameport%lu",
31093 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
31094 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31095 gameport->dev.bus = &gameport_bus;
31096 gameport->dev.release = gameport_release_port;
31097 if (gameport->parent)
31098 diff -urNp linux-2.6.39.1/drivers/input/input.c linux-2.6.39.1/drivers/input/input.c
31099 --- linux-2.6.39.1/drivers/input/input.c 2011-05-19 00:06:34.000000000 -0400
31100 +++ linux-2.6.39.1/drivers/input/input.c 2011-05-22 19:36:31.000000000 -0400
31101 @@ -1815,7 +1815,7 @@ static void input_cleanse_bitmasks(struc
31102 */
31103 int input_register_device(struct input_dev *dev)
31104 {
31105 - static atomic_t input_no = ATOMIC_INIT(0);
31106 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31107 struct input_handler *handler;
31108 const char *path;
31109 int error;
31110 @@ -1852,7 +1852,7 @@ int input_register_device(struct input_d
31111 dev->setkeycode = input_default_setkeycode;
31112
31113 dev_set_name(&dev->dev, "input%ld",
31114 - (unsigned long) atomic_inc_return(&input_no) - 1);
31115 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31116
31117 error = device_add(&dev->dev);
31118 if (error)
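Review bot: The format `"input%ld"` is a signed conversion, but the argument is cast to `unsigned long`, so the specifier and the argument type disagree. gameport_init_port uses `%lu` for the same pattern, and `"input%lu"` would be consistent with it. Now that `input_no` is allowed to wrap, a negative `int` from `atomic_inc_return_unchecked()` is also sign-extended by the cast before the subtraction, which deserves a comment on the declaration. The body of input_register_device extends outside the hunk.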
31119 diff -urNp linux-2.6.39.1/drivers/input/joystick/sidewinder.c linux-2.6.39.1/drivers/input/joystick/sidewinder.c
31120 --- linux-2.6.39.1/drivers/input/joystick/sidewinder.c 2011-05-19 00:06:34.000000000 -0400
31121 +++ linux-2.6.39.1/drivers/input/joystick/sidewinder.c 2011-05-22 19:36:31.000000000 -0400
31122 @@ -30,6 +30,7 @@
31123 #include <linux/kernel.h>
31124 #include <linux/module.h>
31125 #include <linux/slab.h>
31126 +#include <linux/sched.h>
31127 #include <linux/init.h>
31128 #include <linux/input.h>
31129 #include <linux/gameport.h>
31130 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31131 unsigned char buf[SW_LENGTH];
31132 int i;
31133
31134 + pax_track_stack();
31135 +
31136 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31137
31138 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
31139 diff -urNp linux-2.6.39.1/drivers/input/joystick/xpad.c linux-2.6.39.1/drivers/input/joystick/xpad.c
31140 --- linux-2.6.39.1/drivers/input/joystick/xpad.c 2011-05-19 00:06:34.000000000 -0400
31141 +++ linux-2.6.39.1/drivers/input/joystick/xpad.c 2011-05-22 19:36:31.000000000 -0400
31142 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
31143
31144 static int xpad_led_probe(struct usb_xpad *xpad)
31145 {
31146 - static atomic_t led_seq = ATOMIC_INIT(0);
31147 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31148 long led_no;
31149 struct xpad_led *led;
31150 struct led_classdev *led_cdev;
31151 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
31152 if (!led)
31153 return -ENOMEM;
31154
31155 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31156 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31157
31158 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31159 led->xpad = xpad;
31160 diff -urNp linux-2.6.39.1/drivers/input/mousedev.c linux-2.6.39.1/drivers/input/mousedev.c
31161 --- linux-2.6.39.1/drivers/input/mousedev.c 2011-05-19 00:06:34.000000000 -0400
31162 +++ linux-2.6.39.1/drivers/input/mousedev.c 2011-05-22 19:36:31.000000000 -0400
31163 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
31164
31165 spin_unlock_irq(&client->packet_lock);
31166
31167 - if (copy_to_user(buffer, data, count))
31168 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
31169 return -EFAULT;
31170
31171 return count;
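Review bot: The added `count > sizeof(data)` test guards only the `copy_to_user()` call. If `data` is filled earlier in mousedev_read() using the same `count` (that code is outside the hunk), an oversized value would already have written past the buffer before this line runs. The bound belongs where `count` is derived, before anything is copied into `data`. The check also reports a size error as `-EFAULT`, which callers normally read as a bad user pointer, so a comment such as `/* defensive: count is expected to be clamped above */` would make the intent clear.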
31172 diff -urNp linux-2.6.39.1/drivers/input/serio/serio.c linux-2.6.39.1/drivers/input/serio/serio.c
31173 --- linux-2.6.39.1/drivers/input/serio/serio.c 2011-05-19 00:06:34.000000000 -0400
31174 +++ linux-2.6.39.1/drivers/input/serio/serio.c 2011-05-22 19:36:31.000000000 -0400
31175 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
31176 */
31177 static void serio_init_port(struct serio *serio)
31178 {
31179 - static atomic_t serio_no = ATOMIC_INIT(0);
31180 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31181
31182 __module_get(THIS_MODULE);
31183
31184 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
31185 mutex_init(&serio->drv_mutex);
31186 device_initialize(&serio->dev);
31187 dev_set_name(&serio->dev, "serio%ld",
31188 - (long)atomic_inc_return(&serio_no) - 1);
31189 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31190 serio->dev.bus = &serio_bus;
31191 serio->dev.release = serio_release_port;
31192 serio->dev.groups = serio_device_attr_groups;
31193 diff -urNp linux-2.6.39.1/drivers/isdn/capi/capi.c linux-2.6.39.1/drivers/isdn/capi/capi.c
31194 --- linux-2.6.39.1/drivers/isdn/capi/capi.c 2011-05-19 00:06:34.000000000 -0400
31195 +++ linux-2.6.39.1/drivers/isdn/capi/capi.c 2011-05-22 19:36:31.000000000 -0400
31196 @@ -89,8 +89,8 @@ struct capiminor {
31197
31198 struct capi20_appl *ap;
31199 u32 ncci;
31200 - atomic_t datahandle;
31201 - atomic_t msgid;
31202 + atomic_unchecked_t datahandle;
31203 + atomic_unchecked_t msgid;
31204
31205 struct tty_port port;
31206 int ttyinstop;
31207 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
31208 capimsg_setu16(s, 2, mp->ap->applid);
31209 capimsg_setu8 (s, 4, CAPI_DATA_B3);
31210 capimsg_setu8 (s, 5, CAPI_RESP);
31211 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
31212 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
31213 capimsg_setu32(s, 8, mp->ncci);
31214 capimsg_setu16(s, 12, datahandle);
31215 }
31216 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
31217 mp->outbytes -= len;
31218 spin_unlock_bh(&mp->outlock);
31219
31220 - datahandle = atomic_inc_return(&mp->datahandle);
31221 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
31222 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
31223 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31224 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31225 capimsg_setu16(skb->data, 2, mp->ap->applid);
31226 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
31227 capimsg_setu8 (skb->data, 5, CAPI_REQ);
31228 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
31229 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
31230 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
31231 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
31232 capimsg_setu16(skb->data, 16, len); /* Data length */
31233 diff -urNp linux-2.6.39.1/drivers/isdn/gigaset/common.c linux-2.6.39.1/drivers/isdn/gigaset/common.c
31234 --- linux-2.6.39.1/drivers/isdn/gigaset/common.c 2011-05-19 00:06:34.000000000 -0400
31235 +++ linux-2.6.39.1/drivers/isdn/gigaset/common.c 2011-05-22 19:36:31.000000000 -0400
31236 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
31237 cs->commands_pending = 0;
31238 cs->cur_at_seq = 0;
31239 cs->gotfwver = -1;
31240 - cs->open_count = 0;
31241 + local_set(&cs->open_count, 0);
31242 cs->dev = NULL;
31243 cs->tty = NULL;
31244 cs->tty_dev = NULL;
31245 diff -urNp linux-2.6.39.1/drivers/isdn/gigaset/gigaset.h linux-2.6.39.1/drivers/isdn/gigaset/gigaset.h
31246 --- linux-2.6.39.1/drivers/isdn/gigaset/gigaset.h 2011-05-19 00:06:34.000000000 -0400
31247 +++ linux-2.6.39.1/drivers/isdn/gigaset/gigaset.h 2011-05-22 19:36:31.000000000 -0400
31248 @@ -35,6 +35,7 @@
31249 #include <linux/tty_driver.h>
31250 #include <linux/list.h>
31251 #include <asm/atomic.h>
31252 +#include <asm/local.h>
31253
31254 #define GIG_VERSION {0, 5, 0, 0}
31255 #define GIG_COMPAT {0, 4, 0, 0}
31256 @@ -433,7 +434,7 @@ struct cardstate {
31257 spinlock_t cmdlock;
31258 unsigned curlen, cmdbytes;
31259
31260 - unsigned open_count;
31261 + local_t open_count;
31262 struct tty_struct *tty;
31263 struct tasklet_struct if_wake_tasklet;
31264 unsigned control_state;
31265 diff -urNp linux-2.6.39.1/drivers/isdn/gigaset/interface.c linux-2.6.39.1/drivers/isdn/gigaset/interface.c
31266 --- linux-2.6.39.1/drivers/isdn/gigaset/interface.c 2011-05-19 00:06:34.000000000 -0400
31267 +++ linux-2.6.39.1/drivers/isdn/gigaset/interface.c 2011-05-22 19:36:31.000000000 -0400
31268 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
31269 return -ERESTARTSYS;
31270 tty->driver_data = cs;
31271
31272 - ++cs->open_count;
31273 -
31274 - if (cs->open_count == 1) {
31275 + if (local_inc_return(&cs->open_count) == 1) {
31276 spin_lock_irqsave(&cs->lock, flags);
31277 cs->tty = tty;
31278 spin_unlock_irqrestore(&cs->lock, flags);
31279 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
31280
31281 if (!cs->connected)
31282 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31283 - else if (!cs->open_count)
31284 + else if (!local_read(&cs->open_count))
31285 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31286 else {
31287 - if (!--cs->open_count) {
31288 + if (!local_dec_return(&cs->open_count)) {
31289 spin_lock_irqsave(&cs->lock, flags);
31290 cs->tty = NULL;
31291 spin_unlock_irqrestore(&cs->lock, flags);
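Review bot: `local_t` operations are only guaranteed atomic with respect to the CPU that owns the variable, so converting the per-device `cs->open_count` to `local_t` does not by itself make the `local_read()` test and the following `local_dec_return()` in if_close() safe against an if_open() running on another CPU. If every caller already serialises on a lock taken outside these hunks, the conversion is harmless, but the field in gigaset.h should then say so, e.g. `/* serialised by <lock held by callers>; local_t is not SMP-atomic */`. Otherwise `atomic_t` is the type that gives cross-CPU guarantees. The same `local_read(&cs->open_count)` test appears in if_ioctl(), if_write(), if_write_room(), if_chars_in_buffer(), if_throttle(), if_unthrottle() and if_set_termios().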
31292 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
31293 if (!cs->connected) {
31294 gig_dbg(DEBUG_IF, "not connected");
31295 retval = -ENODEV;
31296 - } else if (!cs->open_count)
31297 + } else if (!local_read(&cs->open_count))
31298 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31299 else {
31300 retval = 0;
31301 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
31302 retval = -ENODEV;
31303 goto done;
31304 }
31305 - if (!cs->open_count) {
31306 + if (!local_read(&cs->open_count)) {
31307 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31308 retval = -ENODEV;
31309 goto done;
31310 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
31311 if (!cs->connected) {
31312 gig_dbg(DEBUG_IF, "not connected");
31313 retval = -ENODEV;
31314 - } else if (!cs->open_count)
31315 + } else if (!local_read(&cs->open_count))
31316 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31317 else if (cs->mstate != MS_LOCKED) {
31318 dev_warn(cs->dev, "can't write to unlocked device\n");
31319 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
31320
31321 if (!cs->connected)
31322 gig_dbg(DEBUG_IF, "not connected");
31323 - else if (!cs->open_count)
31324 + else if (!local_read(&cs->open_count))
31325 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31326 else if (cs->mstate != MS_LOCKED)
31327 dev_warn(cs->dev, "can't write to unlocked device\n");
31328 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
31329
31330 if (!cs->connected)
31331 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31332 - else if (!cs->open_count)
31333 + else if (!local_read(&cs->open_count))
31334 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31335 else
31336 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31337 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
31338
31339 if (!cs->connected)
31340 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31341 - else if (!cs->open_count)
31342 + else if (!local_read(&cs->open_count))
31343 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31344 else
31345 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31346 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
31347 goto out;
31348 }
31349
31350 - if (!cs->open_count) {
31351 + if (!local_read(&cs->open_count)) {
31352 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31353 goto out;
31354 }
31355 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/avm/b1.c linux-2.6.39.1/drivers/isdn/hardware/avm/b1.c
31356 --- linux-2.6.39.1/drivers/isdn/hardware/avm/b1.c 2011-05-19 00:06:34.000000000 -0400
31357 +++ linux-2.6.39.1/drivers/isdn/hardware/avm/b1.c 2011-05-22 19:36:31.000000000 -0400
31358 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
31359 }
31360 if (left) {
31361 if (t4file->user) {
31362 - if (copy_from_user(buf, dp, left))
31363 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31364 return -EFAULT;
31365 } else {
31366 memcpy(buf, dp, left);
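Review bot: The new `left > sizeof buf` test covers only the `copy_from_user()` branch, while the `memcpy(buf, dp, left)` in the `else` branch of the same block uses the same `left` and stays unchecked. If the bound is worth enforcing, it should sit once above `if (t4file->user)`, e.g. `if (left > sizeof buf) return -EFAULT;`, so that both paths are covered. The second hunk in b1_load_config() and the `count > sizeof msg` check in icn_writecmd() have the same shape. `buf` is declared outside the hunk, so `sizeof buf` is assumed here to be an array size rather than a pointer size.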
31367 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
31368 }
31369 if (left) {
31370 if (config->user) {
31371 - if (copy_from_user(buf, dp, left))
31372 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31373 return -EFAULT;
31374 } else {
31375 memcpy(buf, dp, left);
31376 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.39.1/drivers/isdn/hardware/eicon/capidtmf.c
31377 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-19 00:06:34.000000000 -0400
31378 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-22 19:36:31.000000000 -0400
31379 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31380 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31381 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31382
31383 + pax_track_stack();
31384
31385 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31386 {
31387 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.39.1/drivers/isdn/hardware/eicon/capifunc.c
31388 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/capifunc.c 2011-05-19 00:06:34.000000000 -0400
31389 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/capifunc.c 2011-05-22 19:36:31.000000000 -0400
31390 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31391 IDI_SYNC_REQ req;
31392 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31393
31394 + pax_track_stack();
31395 +
31396 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31397
31398 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31399 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.39.1/drivers/isdn/hardware/eicon/diddfunc.c
31400 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-19 00:06:34.000000000 -0400
31401 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-22 19:36:31.000000000 -0400
31402 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31403 IDI_SYNC_REQ req;
31404 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31405
31406 + pax_track_stack();
31407 +
31408 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31409
31410 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31411 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.39.1/drivers/isdn/hardware/eicon/divasfunc.c
31412 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-19 00:06:34.000000000 -0400
31413 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-22 19:36:31.000000000 -0400
31414 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31415 IDI_SYNC_REQ req;
31416 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31417
31418 + pax_track_stack();
31419 +
31420 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31421
31422 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31423 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.39.1/drivers/isdn/hardware/eicon/idifunc.c
31424 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/idifunc.c 2011-05-19 00:06:34.000000000 -0400
31425 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/idifunc.c 2011-05-22 19:36:31.000000000 -0400
31426 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31427 IDI_SYNC_REQ req;
31428 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31429
31430 + pax_track_stack();
31431 +
31432 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31433
31434 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31435 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/message.c linux-2.6.39.1/drivers/isdn/hardware/eicon/message.c
31436 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/message.c 2011-05-19 00:06:34.000000000 -0400
31437 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/message.c 2011-05-22 19:36:31.000000000 -0400
31438 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31439 dword d;
31440 word w;
31441
31442 + pax_track_stack();
31443 +
31444 a = plci->adapter;
31445 Id = ((word)plci->Id<<8)|a->Id;
31446 PUT_WORD(&SS_Ind[4],0x0000);
31447 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31448 word j, n, w;
31449 dword d;
31450
31451 + pax_track_stack();
31452 +
31453
31454 for(i=0;i<8;i++) bp_parms[i].length = 0;
31455 for(i=0;i<2;i++) global_config[i].length = 0;
31456 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31457 const byte llc3[] = {4,3,2,2,6,6,0};
31458 const byte header[] = {0,2,3,3,0,0,0};
31459
31460 + pax_track_stack();
31461 +
31462 for(i=0;i<8;i++) bp_parms[i].length = 0;
31463 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31464 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31465 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
31466 word appl_number_group_type[MAX_APPL];
31467 PLCI *auxplci;
31468
31469 + pax_track_stack();
31470 +
31471 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31472
31473 if(!a->group_optimization_enabled)
31474 diff -urNp linux-2.6.39.1/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.39.1/drivers/isdn/hardware/eicon/mntfunc.c
31475 --- linux-2.6.39.1/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-19 00:06:34.000000000 -0400
31476 +++ linux-2.6.39.1/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-22 19:36:31.000000000 -0400
31477 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31478 IDI_SYNC_REQ req;
31479 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31480
31481 + pax_track_stack();
31482 +
31483 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31484
31485 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31486 diff -urNp linux-2.6.39.1/drivers/isdn/i4l/isdn_common.c linux-2.6.39.1/drivers/isdn/i4l/isdn_common.c
31487 --- linux-2.6.39.1/drivers/isdn/i4l/isdn_common.c 2011-05-19 00:06:34.000000000 -0400
31488 +++ linux-2.6.39.1/drivers/isdn/i4l/isdn_common.c 2011-05-22 19:36:31.000000000 -0400
31489 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
31490 } iocpar;
31491 void __user *argp = (void __user *)arg;
31492
31493 + pax_track_stack();
31494 +
31495 #define name iocpar.name
31496 #define bname iocpar.bname
31497 #define iocts iocpar.iocts
31498 diff -urNp linux-2.6.39.1/drivers/isdn/i4l/isdn_net.c linux-2.6.39.1/drivers/isdn/i4l/isdn_net.c
31499 --- linux-2.6.39.1/drivers/isdn/i4l/isdn_net.c 2011-05-19 00:06:34.000000000 -0400
31500 +++ linux-2.6.39.1/drivers/isdn/i4l/isdn_net.c 2011-05-22 19:36:31.000000000 -0400
31501 @@ -400,7 +400,7 @@ isdn_net_stat_callback(int idx, isdn_ctr
31502 isdn_net_local *lp = p->local;
31503 #ifdef CONFIG_ISDN_X25
31504 struct concap_proto *cprot = lp->netdev->cprot;
31505 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31506 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31507 #endif
31508 switch (cmd) {
31509 case ISDN_STAT_BSENT:
31510 @@ -831,7 +831,7 @@ isdn_net_hangup(struct net_device *d)
31511 isdn_ctrl cmd;
31512 #ifdef CONFIG_ISDN_X25
31513 struct concap_proto *cprot = lp->netdev->cprot;
31514 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31515 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31516 #endif
31517
31518 if (lp->flags & ISDN_NET_CONNECTED) {
31519 diff -urNp linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.c linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.c
31520 --- linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.c 2011-05-19 00:06:34.000000000 -0400
31521 +++ linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.c 2011-05-22 19:36:31.000000000 -0400
31522 @@ -52,7 +52,7 @@ static int isdn_x25iface_connect_ind( st
31523 static int isdn_x25iface_disconn_ind( struct concap_proto * );
31524
31525
31526 -static struct concap_proto_ops ix25_pops = {
31527 +static const struct concap_proto_ops ix25_pops = {
31528 &isdn_x25iface_proto_new,
31529 &isdn_x25iface_proto_del,
31530 &isdn_x25iface_proto_restart,
31531 diff -urNp linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.h linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.h
31532 --- linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.h 2011-05-19 00:06:34.000000000 -0400
31533 +++ linux-2.6.39.1/drivers/isdn/i4l/isdn_x25iface.h 2011-05-22 19:36:31.000000000 -0400
31534 @@ -23,7 +23,7 @@
31535 #include <linux/isdn.h>
31536 #include <linux/concap.h>
31537
31538 -extern struct concap_proto_ops * isdn_x25iface_concap_proto_ops_pt;
31539 +extern const struct concap_proto_ops *isdn_x25iface_concap_proto_ops_pt;
31540 extern struct concap_proto * isdn_x25iface_proto_new(void);
31541
31542
31543 diff -urNp linux-2.6.39.1/drivers/isdn/icn/icn.c linux-2.6.39.1/drivers/isdn/icn/icn.c
31544 --- linux-2.6.39.1/drivers/isdn/icn/icn.c 2011-05-19 00:06:34.000000000 -0400
31545 +++ linux-2.6.39.1/drivers/isdn/icn/icn.c 2011-05-22 19:36:31.000000000 -0400
31546 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
31547 if (count > len)
31548 count = len;
31549 if (user) {
31550 - if (copy_from_user(msg, buf, count))
31551 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31552 return -EFAULT;
31553 } else
31554 memcpy(msg, buf, count);
31555 diff -urNp linux-2.6.39.1/drivers/lguest/core.c linux-2.6.39.1/drivers/lguest/core.c
31556 --- linux-2.6.39.1/drivers/lguest/core.c 2011-05-19 00:06:34.000000000 -0400
31557 +++ linux-2.6.39.1/drivers/lguest/core.c 2011-05-22 19:36:31.000000000 -0400
31558 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
31559 * it's worked so far. The end address needs +1 because __get_vm_area
31560 * allocates an extra guard page, so we need space for that.
31561 */
31562 +
31563 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31564 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31565 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31566 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31567 +#else
31568 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31569 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31570 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31571 +#endif
31572 +
31573 if (!switcher_vma) {
31574 err = -ENOMEM;
31575 printk("lguest: could not map switcher pages high\n");
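Review bot: The `#if`/`#else` in map_switcher() duplicates the whole `__get_vm_area()` call for a one-flag difference, so the two copies of the size and address arithmetic can drift apart. Selecting only the flags under the conditional and keeping a single call, as sketched below, keeps the address range in one place. `SWITCHER_VM_FLAGS` is a suggested name, not an existing macro. map_switcher() starts and ends outside the hunk.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
#define SWITCHER_VM_FLAGS	(VM_ALLOC | VM_KERNEXEC)
#else
#define SWITCHER_VM_FLAGS	VM_ALLOC
#endif

	/* ... unchanged: comment explaining the +1 guard page ... */
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     SWITCHER_VM_FLAGS, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
```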
31576 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
31577 * Now the Switcher is mapped at the right address, we can't fail!
31578 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31579 */
31580 - memcpy(switcher_vma->addr, start_switcher_text,
31581 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31582 end_switcher_text - start_switcher_text);
31583
31584 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31585 diff -urNp linux-2.6.39.1/drivers/lguest/lguest_device.c linux-2.6.39.1/drivers/lguest/lguest_device.c
31586 --- linux-2.6.39.1/drivers/lguest/lguest_device.c 2011-05-19 00:06:34.000000000 -0400
31587 +++ linux-2.6.39.1/drivers/lguest/lguest_device.c 2011-05-22 19:36:31.000000000 -0400
31588 @@ -374,7 +374,7 @@ error:
31589 }
31590
31591 /* The ops structure which hooks everything together. */
31592 -static struct virtio_config_ops lguest_config_ops = {
31593 +static const struct virtio_config_ops lguest_config_ops = {
31594 .get_features = lg_get_features,
31595 .finalize_features = lg_finalize_features,
31596 .get = lg_get,
31597 diff -urNp linux-2.6.39.1/drivers/lguest/x86/core.c linux-2.6.39.1/drivers/lguest/x86/core.c
31598 --- linux-2.6.39.1/drivers/lguest/x86/core.c 2011-05-19 00:06:34.000000000 -0400
31599 +++ linux-2.6.39.1/drivers/lguest/x86/core.c 2011-05-22 19:36:31.000000000 -0400
31600 @@ -59,7 +59,7 @@ static struct {
31601 /* Offset from where switcher.S was compiled to where we've copied it */
31602 static unsigned long switcher_offset(void)
31603 {
31604 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
31605 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
31606 }
31607
31608 /* This cpu's struct lguest_pages. */
31609 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
31610 * These copies are pretty cheap, so we do them unconditionally: */
31611 /* Save the current Host top-level page directory.
31612 */
31613 +
31614 +#ifdef CONFIG_PAX_PER_CPU_PGD
31615 + pages->state.host_cr3 = read_cr3();
31616 +#else
31617 pages->state.host_cr3 = __pa(current->mm->pgd);
31618 +#endif
31619 +
31620 /*
31621 * Set up the Guest's page tables to see this CPU's pages (and no
31622 * other CPU's pages).
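Review bot: The `#ifdef CONFIG_PAX_PER_CPU_PGD` branch in copy_in_guest_info() has no explanation, and the existing comment above it still describes only the `__pa(current->mm->pgd)` form. Presumably with per-CPU page directories the value loaded in CR3 is not `current->mm->pgd`, so the Host value to restore has to be read from the register. A comment such as `/* per-CPU PGD: the live CR3 is not current->mm->pgd, so save what is actually loaded */` would say so. The function continues outside the hunk.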
31623 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
31624 * compiled-in switcher code and the high-mapped copy we just made.
31625 */
31626 for (i = 0; i < IDT_ENTRIES; i++)
31627 - default_idt_entries[i] += switcher_offset();
31628 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
31629
31630 /*
31631 * Set up the Switcher's per-cpu areas.
31632 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
31633 * it will be undisturbed when we switch. To change %cs and jump we
31634 * need this structure to feed to Intel's "lcall" instruction.
31635 */
31636 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
31637 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
31638 lguest_entry.segment = LGUEST_CS;
31639
31640 /*
31641 diff -urNp linux-2.6.39.1/drivers/lguest/x86/switcher_32.S linux-2.6.39.1/drivers/lguest/x86/switcher_32.S
31642 --- linux-2.6.39.1/drivers/lguest/x86/switcher_32.S 2011-05-19 00:06:34.000000000 -0400
31643 +++ linux-2.6.39.1/drivers/lguest/x86/switcher_32.S 2011-05-22 19:36:31.000000000 -0400
31644 @@ -87,6 +87,7 @@
31645 #include <asm/page.h>
31646 #include <asm/segment.h>
31647 #include <asm/lguest.h>
31648 +#include <asm/processor-flags.h>
31649
31650 // We mark the start of the code to copy
31651 // It's placed in .text tho it's never run here
31652 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
31653 // Changes type when we load it: damn Intel!
31654 // For after we switch over our page tables
31655 // That entry will be read-only: we'd crash.
31656 +
31657 +#ifdef CONFIG_PAX_KERNEXEC
31658 + mov %cr0, %edx
31659 + xor $X86_CR0_WP, %edx
31660 + mov %edx, %cr0
31661 +#endif
31662 +
31663 movl $(GDT_ENTRY_TSS*8), %edx
31664 ltr %dx
31665
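Review bot: Both added CONFIG_PAX_KERNEXEC blocks flip CR0.WP with `xor $X86_CR0_WP`, here and in the next hunk, which toggles the bit rather than putting it into a known state. If WP is not in the expected state on entry, the first block turns write protection on and the second leaves it off. Stating the intent explicitly is more robust: `andl $~X86_CR0_WP, %edx` before the `ltr`, and `orl $X86_CR0_WP, %eax` after the `andb` in the next hunk. Neither block says which write needs protection lifted (presumably the `ltr` and the `andb` on the GDT entry), and that is worth a comment for a window that runs with write protection disabled.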
31666 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
31667 // Let's clear it again for our return.
31668 // The GDT descriptor of the Host
31669 // Points to the table after two "size" bytes
31670 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
31671 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
31672 // Clear "used" from type field (byte 5, bit 2)
31673 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
31674 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
31675 +
31676 +#ifdef CONFIG_PAX_KERNEXEC
31677 + mov %cr0, %eax
31678 + xor $X86_CR0_WP, %eax
31679 + mov %eax, %cr0
31680 +#endif
31681
31682 // Once our page table's switched, the Guest is live!
31683 // The Host fades as we run this final step.
31684 @@ -295,13 +309,12 @@ deliver_to_host:
31685 // I consulted gcc, and it gave
31686 // These instructions, which I gladly credit:
31687 leal (%edx,%ebx,8), %eax
31688 - movzwl (%eax),%edx
31689 - movl 4(%eax), %eax
31690 - xorw %ax, %ax
31691 - orl %eax, %edx
31692 + movl 4(%eax), %edx
31693 + movw (%eax), %dx
31694 // Now the address of the handler's in %edx
31695 // We call it now: its "iret" drops us home.
31696 - jmp *%edx
31697 + ljmp $__KERNEL_CS, $1f
31698 +1: jmp *%edx
31699
31700 // Every interrupt can come to us here
31701 // But we must truly tell each apart.
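Review bot: The comment "I consulted gcc, and it gave / These instructions" in deliver_to_host now sits above a hand-written replacement sequence, and the added `ljmp $__KERNEL_CS, $1f` has no comment at all. The `movl 4(%eax), %edx` / `movw (%eax), %dx` pair still assembles the handler address from the two halves of the IDT entry, but nothing states why the code segment must be reloaded before `jmp *%edx`. Presumably it is because the Switcher is entered through `LGUEST_CS` (see `lguest_entry.segment` in x86/core.c). A line such as `// reload the Host kernel %cs before jumping to the handler` next to the `ljmp`, and dropping the gcc credit, would keep the commentary accurate.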
31702 diff -urNp linux-2.6.39.1/drivers/md/dm.c linux-2.6.39.1/drivers/md/dm.c
31703 --- linux-2.6.39.1/drivers/md/dm.c 2011-05-19 00:06:34.000000000 -0400
31704 +++ linux-2.6.39.1/drivers/md/dm.c 2011-05-22 19:36:31.000000000 -0400
31705 @@ -162,9 +162,9 @@ struct mapped_device {
31706 /*
31707 * Event handling.
31708 */
31709 - atomic_t event_nr;
31710 + atomic_unchecked_t event_nr;
31711 wait_queue_head_t eventq;
31712 - atomic_t uevent_seq;
31713 + atomic_unchecked_t uevent_seq;
31714 struct list_head uevent_list;
31715 spinlock_t uevent_lock; /* Protect access to uevent_list */
31716
31717 @@ -1836,8 +1836,8 @@ static struct mapped_device *alloc_dev(i
31718 rwlock_init(&md->map_lock);
31719 atomic_set(&md->holders, 1);
31720 atomic_set(&md->open_count, 0);
31721 - atomic_set(&md->event_nr, 0);
31722 - atomic_set(&md->uevent_seq, 0);
31723 + atomic_set_unchecked(&md->event_nr, 0);
31724 + atomic_set_unchecked(&md->uevent_seq, 0);
31725 INIT_LIST_HEAD(&md->uevent_list);
31726 spin_lock_init(&md->uevent_lock);
31727
31728 @@ -1971,7 +1971,7 @@ static void event_callback(void *context
31729
31730 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
31731
31732 - atomic_inc(&md->event_nr);
31733 + atomic_inc_unchecked(&md->event_nr);
31734 wake_up(&md->eventq);
31735 }
31736
31737 @@ -2547,18 +2547,18 @@ int dm_kobject_uevent(struct mapped_devi
31738
31739 uint32_t dm_next_uevent_seq(struct mapped_device *md)
31740 {
31741 - return atomic_add_return(1, &md->uevent_seq);
31742 + return atomic_add_return_unchecked(1, &md->uevent_seq);
31743 }
31744
31745 uint32_t dm_get_event_nr(struct mapped_device *md)
31746 {
31747 - return atomic_read(&md->event_nr);
31748 + return atomic_read_unchecked(&md->event_nr);
31749 }
31750
31751 int dm_wait_event(struct mapped_device *md, int event_nr)
31752 {
31753 return wait_event_interruptible(md->eventq,
31754 - (event_nr != atomic_read(&md->event_nr)));
31755 + (event_nr != atomic_read_unchecked(&md->event_nr)));
31756 }
31757
31758 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
31759 diff -urNp linux-2.6.39.1/drivers/md/dm-crypt.c linux-2.6.39.1/drivers/md/dm-crypt.c
31760 --- linux-2.6.39.1/drivers/md/dm-crypt.c 2011-05-19 00:06:34.000000000 -0400
31761 +++ linux-2.6.39.1/drivers/md/dm-crypt.c 2011-05-22 19:36:31.000000000 -0400
31762 @@ -138,7 +138,7 @@ struct crypt_config {
31763 char *cipher;
31764 char *cipher_string;
31765
31766 - struct crypt_iv_operations *iv_gen_ops;
31767 + const struct crypt_iv_operations *iv_gen_ops;
31768 union {
31769 struct iv_essiv_private essiv;
31770 struct iv_benbi_private benbi;
31771 @@ -620,15 +620,15 @@ static int crypt_iv_lmk_post(struct cryp
31772 return r;
31773 }
31774
31775 -static struct crypt_iv_operations crypt_iv_plain_ops = {
31776 +static const struct crypt_iv_operations crypt_iv_plain_ops = {
31777 .generator = crypt_iv_plain_gen
31778 };
31779
31780 -static struct crypt_iv_operations crypt_iv_plain64_ops = {
31781 +static const struct crypt_iv_operations crypt_iv_plain64_ops = {
31782 .generator = crypt_iv_plain64_gen
31783 };
31784
31785 -static struct crypt_iv_operations crypt_iv_essiv_ops = {
31786 +static const struct crypt_iv_operations crypt_iv_essiv_ops = {
31787 .ctr = crypt_iv_essiv_ctr,
31788 .dtr = crypt_iv_essiv_dtr,
31789 .init = crypt_iv_essiv_init,
31790 @@ -636,17 +636,17 @@ static struct crypt_iv_operations crypt_
31791 .generator = crypt_iv_essiv_gen
31792 };
31793
31794 -static struct crypt_iv_operations crypt_iv_benbi_ops = {
31795 +static const struct crypt_iv_operations crypt_iv_benbi_ops = {
31796 .ctr = crypt_iv_benbi_ctr,
31797 .dtr = crypt_iv_benbi_dtr,
31798 .generator = crypt_iv_benbi_gen
31799 };
31800
31801 -static struct crypt_iv_operations crypt_iv_null_ops = {
31802 +static const struct crypt_iv_operations crypt_iv_null_ops = {
31803 .generator = crypt_iv_null_gen
31804 };
31805
31806 -static struct crypt_iv_operations crypt_iv_lmk_ops = {
31807 +static const struct crypt_iv_operations crypt_iv_lmk_ops = {
31808 .ctr = crypt_iv_lmk_ctr,
31809 .dtr = crypt_iv_lmk_dtr,
31810 .init = crypt_iv_lmk_init,
31811 diff -urNp linux-2.6.39.1/drivers/md/dm-ioctl.c linux-2.6.39.1/drivers/md/dm-ioctl.c
31812 --- linux-2.6.39.1/drivers/md/dm-ioctl.c 2011-05-19 00:06:34.000000000 -0400
31813 +++ linux-2.6.39.1/drivers/md/dm-ioctl.c 2011-05-22 19:36:31.000000000 -0400
31814 @@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
31815 cmd == DM_LIST_VERSIONS_CMD)
31816 return 0;
31817
31818 - if ((cmd == DM_DEV_CREATE_CMD)) {
31819 + if (cmd == DM_DEV_CREATE_CMD) {
31820 if (!*param->name) {
31821 DMWARN("name not supplied when creating device");
31822 return -EINVAL;
31823 diff -urNp linux-2.6.39.1/drivers/md/dm-raid1.c linux-2.6.39.1/drivers/md/dm-raid1.c
31824 --- linux-2.6.39.1/drivers/md/dm-raid1.c 2011-05-19 00:06:34.000000000 -0400
31825 +++ linux-2.6.39.1/drivers/md/dm-raid1.c 2011-05-22 19:36:31.000000000 -0400
31826 @@ -42,7 +42,7 @@ enum dm_raid1_error {
31827
31828 struct mirror {
31829 struct mirror_set *ms;
31830 - atomic_t error_count;
31831 + atomic_unchecked_t error_count;
31832 unsigned long error_type;
31833 struct dm_dev *dev;
31834 sector_t offset;
31835 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
31836 struct mirror *m;
31837
31838 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
31839 - if (!atomic_read(&m->error_count))
31840 + if (!atomic_read_unchecked(&m->error_count))
31841 return m;
31842
31843 return NULL;
31844 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
31845 * simple way to tell if a device has encountered
31846 * errors.
31847 */
31848 - atomic_inc(&m->error_count);
31849 + atomic_inc_unchecked(&m->error_count);
31850
31851 if (test_and_set_bit(error_type, &m->error_type))
31852 return;
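Review bot: In the visible hunks `error_count` is only ever tested for zero (`!atomic_read_unchecked(&m->error_count)` means healthy), yet fail_mirror() increments it on every call before the `test_and_set_bit()` early return, and the unchecked type explicitly permits wrap-around. A counter that wraps back to zero would make get_valid_mirror(), choose_mirror(), default_ok() and device_status_char() treat a failed mirror as alive. If no reader outside these hunks needs the exact count, incrementing only when the value is still zero, or keeping a separate failed flag, removes the wrap case. At minimum a comment such as `/* non-zero means failed; wrap to 0 would read as healthy */` should sit on the field. dm-stripe's `error_count` is tested the same way in stripe_status(); fail_mirror() continues outside the hunk.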
31853 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
31854 struct mirror *m = get_default_mirror(ms);
31855
31856 do {
31857 - if (likely(!atomic_read(&m->error_count)))
31858 + if (likely(!atomic_read_unchecked(&m->error_count)))
31859 return m;
31860
31861 if (m-- == ms->mirror)
31862 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
31863 {
31864 struct mirror *default_mirror = get_default_mirror(m->ms);
31865
31866 - return !atomic_read(&default_mirror->error_count);
31867 + return !atomic_read_unchecked(&default_mirror->error_count);
31868 }
31869
31870 static int mirror_available(struct mirror_set *ms, struct bio *bio)
31871 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
31872 */
31873 if (likely(region_in_sync(ms, region, 1)))
31874 m = choose_mirror(ms, bio->bi_sector);
31875 - else if (m && atomic_read(&m->error_count))
31876 + else if (m && atomic_read_unchecked(&m->error_count))
31877 m = NULL;
31878
31879 if (likely(m))
31880 @@ -939,7 +939,7 @@ static int get_mirror(struct mirror_set
31881 }
31882
31883 ms->mirror[mirror].ms = ms;
31884 - atomic_set(&(ms->mirror[mirror].error_count), 0);
31885 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
31886 ms->mirror[mirror].error_type = 0;
31887 ms->mirror[mirror].offset = offset;
31888
31889 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
31890 */
31891 static char device_status_char(struct mirror *m)
31892 {
31893 - if (!atomic_read(&(m->error_count)))
31894 + if (!atomic_read_unchecked(&(m->error_count)))
31895 return 'A';
31896
31897 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
31898 diff -urNp linux-2.6.39.1/drivers/md/dm-stripe.c linux-2.6.39.1/drivers/md/dm-stripe.c
31899 --- linux-2.6.39.1/drivers/md/dm-stripe.c 2011-05-19 00:06:34.000000000 -0400
31900 +++ linux-2.6.39.1/drivers/md/dm-stripe.c 2011-05-22 19:36:31.000000000 -0400
31901 @@ -20,7 +20,7 @@ struct stripe {
31902 struct dm_dev *dev;
31903 sector_t physical_start;
31904
31905 - atomic_t error_count;
31906 + atomic_unchecked_t error_count;
31907 };
31908
31909 struct stripe_c {
31910 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
31911 kfree(sc);
31912 return r;
31913 }
31914 - atomic_set(&(sc->stripe[i].error_count), 0);
31915 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
31916 }
31917
31918 ti->private = sc;
31919 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
31920 DMEMIT("%d ", sc->stripes);
31921 for (i = 0; i < sc->stripes; i++) {
31922 DMEMIT("%s ", sc->stripe[i].dev->name);
31923 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
31924 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
31925 'D' : 'A';
31926 }
31927 buffer[i] = '\0';
31928 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
31929 */
31930 for (i = 0; i < sc->stripes; i++)
31931 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
31932 - atomic_inc(&(sc->stripe[i].error_count));
31933 - if (atomic_read(&(sc->stripe[i].error_count)) <
31934 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
31935 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
31936 DM_IO_ERROR_THRESHOLD)
31937 schedule_work(&sc->trigger_event);
31938 }
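Review bot: In stripe_end_io the counter is incremented and then read back with a separate `atomic_read_unchecked()`, so two completions racing on the same stripe can both observe the later value, and the threshold comparison is not tied to this particular increment. The patch already uses the combined form elsewhere (`atomic_inc_return_unchecked()` in rc_register_device), and it fits here: `if (atomic_inc_return_unchecked(&(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)`. Since the counter may now wrap silently, the field in `struct stripe` also deserves a comment noting that stripe_status reports any non-zero value as 'D'. The loop belongs to a function body that starts outside the hunk.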
31939 diff -urNp linux-2.6.39.1/drivers/md/dm-table.c linux-2.6.39.1/drivers/md/dm-table.c
31940 --- linux-2.6.39.1/drivers/md/dm-table.c 2011-06-03 00:04:14.000000000 -0400
31941 +++ linux-2.6.39.1/drivers/md/dm-table.c 2011-06-03 00:32:05.000000000 -0400
31942 @@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
31943 if (!dev_size)
31944 return 0;
31945
31946 - if ((start >= dev_size) || (start + len > dev_size)) {
31947 + if ((start >= dev_size) || (len > dev_size - start)) {
31948 DMWARN("%s: %s too small for target: "
31949 "start=%llu, len=%llu, dev_size=%llu",
31950 dm_device_name(ti->table->md), bdevname(bdev, b),
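Review bot: The rewritten bound check in device_area_is_invalid, `(len > dev_size - start)`, has no comment saying why the subtraction form replaces `start + len > dev_size`, so a later cleanup could easily revert it. The addition can wrap for large `start` and `len` and then pass the comparison, while the subtraction cannot underflow because `start >= dev_size` is tested first. I would add above the condition: `/* compare against dev_size - start: start + len can wrap; start < dev_size is checked first */`. The function body starts and ends outside the hunk, so `start` and `len` are presumed to be unsigned sector counts.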
31951 diff -urNp linux-2.6.39.1/drivers/md/md.c linux-2.6.39.1/drivers/md/md.c
31952 --- linux-2.6.39.1/drivers/md/md.c 2011-06-03 00:04:14.000000000 -0400
31953 +++ linux-2.6.39.1/drivers/md/md.c 2011-06-03 00:32:05.000000000 -0400
31954 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
31955 * start build, activate spare
31956 */
31957 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
31958 -static atomic_t md_event_count;
31959 +static atomic_unchecked_t md_event_count;
31960 void md_new_event(mddev_t *mddev)
31961 {
31962 - atomic_inc(&md_event_count);
31963 + atomic_inc_unchecked(&md_event_count);
31964 wake_up(&md_event_waiters);
31965 }
31966 EXPORT_SYMBOL_GPL(md_new_event);
31967 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
31968 */
31969 static void md_new_event_inintr(mddev_t *mddev)
31970 {
31971 - atomic_inc(&md_event_count);
31972 + atomic_inc_unchecked(&md_event_count);
31973 wake_up(&md_event_waiters);
31974 }
31975
31976 @@ -1454,7 +1454,7 @@ static int super_1_load(mdk_rdev_t *rdev
31977
31978 rdev->preferred_minor = 0xffff;
31979 rdev->data_offset = le64_to_cpu(sb->data_offset);
31980 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
31981 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
31982
31983 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
31984 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
31985 @@ -1632,7 +1632,7 @@ static void super_1_sync(mddev_t *mddev,
31986 else
31987 sb->resync_offset = cpu_to_le64(0);
31988
31989 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
31990 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
31991
31992 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
31993 sb->size = cpu_to_le64(mddev->dev_sectors);
31994 @@ -2414,7 +2414,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
31995 static ssize_t
31996 errors_show(mdk_rdev_t *rdev, char *page)
31997 {
31998 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
31999 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32000 }
32001
32002 static ssize_t
32003 @@ -2423,7 +2423,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32004 char *e;
32005 unsigned long n = simple_strtoul(buf, &e, 10);
32006 if (*buf && (*e == 0 || *e == '\n')) {
32007 - atomic_set(&rdev->corrected_errors, n);
32008 + atomic_set_unchecked(&rdev->corrected_errors, n);
32009 return len;
32010 }
32011 return -EINVAL;
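Review bot: errors_store still hands the full `unsigned long n` from `simple_strtoul()` to `atomic_set_unchecked()`, which stores an int, so a written value above INT_MAX is silently truncated and errors_show (which prints with `%d`) can report a negative count. A range check ahead of the store rejects such input: `if (n > INT_MAX) return -EINVAL;` placed inside the existing `if`, before the `atomic_set_unchecked()` call. The same counter is written to the superblock through `cpu_to_le32()` in super_1_sync, so a bad value would persist on disk. The function's signature and opening lines are outside the hunk.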
32012 @@ -2779,8 +2779,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
32013 rdev->last_read_error.tv_sec = 0;
32014 rdev->last_read_error.tv_nsec = 0;
32015 atomic_set(&rdev->nr_pending, 0);
32016 - atomic_set(&rdev->read_errors, 0);
32017 - atomic_set(&rdev->corrected_errors, 0);
32018 + atomic_set_unchecked(&rdev->read_errors, 0);
32019 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32020
32021 INIT_LIST_HEAD(&rdev->same_set);
32022 init_waitqueue_head(&rdev->blocked_wait);
32023 @@ -6388,7 +6388,7 @@ static int md_seq_show(struct seq_file *
32024
32025 spin_unlock(&pers_lock);
32026 seq_printf(seq, "\n");
32027 - mi->event = atomic_read(&md_event_count);
32028 + mi->event = atomic_read_unchecked(&md_event_count);
32029 return 0;
32030 }
32031 if (v == (void*)2) {
32032 @@ -6477,7 +6477,7 @@ static int md_seq_show(struct seq_file *
32033 chunk_kb ? "KB" : "B");
32034 if (bitmap->file) {
32035 seq_printf(seq, ", file: ");
32036 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32037 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32038 }
32039
32040 seq_printf(seq, "\n");
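Review bot: The escape set passed to `seq_path()` in md_seq_show gains a backslash with no comment explaining why. seq_path() emits each character of that set as a backslash-octal escape, so when the backslash itself is left unescaped a bitmap file name containing a literal `\012` is indistinguishable from an escaped newline for anything parsing the mdstat output. A one-line comment above the call keeps the reason visible: `/* escape '\\' as well, so octal escapes in the output stay unambiguous */`. md_seq_show's body extends beyond the hunk on both sides.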
32041 @@ -6511,7 +6511,7 @@ static int md_seq_open(struct inode *ino
32042 else {
32043 struct seq_file *p = file->private_data;
32044 p->private = mi;
32045 - mi->event = atomic_read(&md_event_count);
32046 + mi->event = atomic_read_unchecked(&md_event_count);
32047 }
32048 return error;
32049 }
32050 @@ -6527,7 +6527,7 @@ static unsigned int mdstat_poll(struct f
32051 /* always allow read */
32052 mask = POLLIN | POLLRDNORM;
32053
32054 - if (mi->event != atomic_read(&md_event_count))
32055 + if (mi->event != atomic_read_unchecked(&md_event_count))
32056 mask |= POLLERR | POLLPRI;
32057 return mask;
32058 }
32059 @@ -6571,7 +6571,7 @@ static int is_mddev_idle(mddev_t *mddev,
32060 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32061 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32062 (int)part_stat_read(&disk->part0, sectors[1]) -
32063 - atomic_read(&disk->sync_io);
32064 + atomic_read_unchecked(&disk->sync_io);
32065 /* sync IO will cause sync_io to increase before the disk_stats
32066 * as sync_io is counted when a request starts, and
32067 * disk_stats is counted when it completes.
32068 diff -urNp linux-2.6.39.1/drivers/md/md.h linux-2.6.39.1/drivers/md/md.h
32069 --- linux-2.6.39.1/drivers/md/md.h 2011-05-19 00:06:34.000000000 -0400
32070 +++ linux-2.6.39.1/drivers/md/md.h 2011-05-22 19:36:31.000000000 -0400
32071 @@ -97,13 +97,13 @@ struct mdk_rdev_s
32072 * only maintained for arrays that
32073 * support hot removal
32074 */
32075 - atomic_t read_errors; /* number of consecutive read errors that
32076 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32077 * we have tried to ignore.
32078 */
32079 struct timespec last_read_error; /* monotonic time since our
32080 * last read error
32081 */
32082 - atomic_t corrected_errors; /* number of corrected read errors,
32083 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32084 * for reporting to userspace and storing
32085 * in superblock.
32086 */
32087 @@ -342,7 +342,7 @@ static inline void rdev_dec_pending(mdk_
32088
32089 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32090 {
32091 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32092 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32093 }
32094
32095 struct mdk_personality
32096 diff -urNp linux-2.6.39.1/drivers/md/raid10.c linux-2.6.39.1/drivers/md/raid10.c
32097 --- linux-2.6.39.1/drivers/md/raid10.c 2011-05-19 00:06:34.000000000 -0400
32098 +++ linux-2.6.39.1/drivers/md/raid10.c 2011-05-22 19:36:31.000000000 -0400
32099 @@ -1209,7 +1209,7 @@ static void end_sync_read(struct bio *bi
32100 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32101 set_bit(R10BIO_Uptodate, &r10_bio->state);
32102 else {
32103 - atomic_add(r10_bio->sectors,
32104 + atomic_add_unchecked(r10_bio->sectors,
32105 &conf->mirrors[d].rdev->corrected_errors);
32106 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32107 md_error(r10_bio->mddev,
32108 @@ -1417,7 +1417,7 @@ static void check_decay_read_errors(mdde
32109 {
32110 struct timespec cur_time_mon;
32111 unsigned long hours_since_last;
32112 - unsigned int read_errors = atomic_read(&rdev->read_errors);
32113 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
32114
32115 ktime_get_ts(&cur_time_mon);
32116
32117 @@ -1439,9 +1439,9 @@ static void check_decay_read_errors(mdde
32118 * overflowing the shift of read_errors by hours_since_last.
32119 */
32120 if (hours_since_last >= 8 * sizeof(read_errors))
32121 - atomic_set(&rdev->read_errors, 0);
32122 + atomic_set_unchecked(&rdev->read_errors, 0);
32123 else
32124 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
32125 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
32126 }
32127
32128 /*
32129 @@ -1476,8 +1476,8 @@ static void fix_read_error(conf_t *conf,
32130 }
32131
32132 check_decay_read_errors(mddev, rdev);
32133 - atomic_inc(&rdev->read_errors);
32134 - cur_read_error_count = atomic_read(&rdev->read_errors);
32135 + atomic_inc_unchecked(&rdev->read_errors);
32136 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
32137 if (cur_read_error_count > max_read_errors) {
32138 rcu_read_unlock();
32139 printk(KERN_NOTICE
32140 @@ -1550,7 +1550,7 @@ static void fix_read_error(conf_t *conf,
32141 test_bit(In_sync, &rdev->flags)) {
32142 atomic_inc(&rdev->nr_pending);
32143 rcu_read_unlock();
32144 - atomic_add(s, &rdev->corrected_errors);
32145 + atomic_add_unchecked(s, &rdev->corrected_errors);
32146 if (sync_page_io(rdev,
32147 r10_bio->devs[sl].addr +
32148 sect,
32149 diff -urNp linux-2.6.39.1/drivers/md/raid1.c linux-2.6.39.1/drivers/md/raid1.c
32150 --- linux-2.6.39.1/drivers/md/raid1.c 2011-05-19 00:06:34.000000000 -0400
32151 +++ linux-2.6.39.1/drivers/md/raid1.c 2011-05-22 19:36:31.000000000 -0400
32152 @@ -1342,7 +1342,7 @@ static void sync_request_write(mddev_t *
32153 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32154 continue;
32155 rdev = conf->mirrors[d].rdev;
32156 - atomic_add(s, &rdev->corrected_errors);
32157 + atomic_add_unchecked(s, &rdev->corrected_errors);
32158 if (sync_page_io(rdev,
32159 sect,
32160 s<<9,
32161 @@ -1488,7 +1488,7 @@ static void fix_read_error(conf_t *conf,
32162 /* Well, this device is dead */
32163 md_error(mddev, rdev);
32164 else {
32165 - atomic_add(s, &rdev->corrected_errors);
32166 + atomic_add_unchecked(s, &rdev->corrected_errors);
32167 printk(KERN_INFO
32168 "md/raid1:%s: read error corrected "
32169 "(%d sectors at %llu on %s)\n",
32170 diff -urNp linux-2.6.39.1/drivers/md/raid5.c linux-2.6.39.1/drivers/md/raid5.c
32171 --- linux-2.6.39.1/drivers/md/raid5.c 2011-05-19 00:06:34.000000000 -0400
32172 +++ linux-2.6.39.1/drivers/md/raid5.c 2011-05-22 19:36:31.000000000 -0400
32173 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
32174 bi->bi_next = NULL;
32175 if (rw == WRITE &&
32176 test_bit(R5_ReWrite, &sh->dev[i].flags))
32177 - atomic_add(STRIPE_SECTORS,
32178 + atomic_add_unchecked(STRIPE_SECTORS,
32179 &rdev->corrected_errors);
32180 generic_make_request(bi);
32181 } else {
32182 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
32183 clear_bit(R5_ReadError, &sh->dev[i].flags);
32184 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32185 }
32186 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32187 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32188 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32189 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32190 } else {
32191 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32192 int retry = 0;
32193 rdev = conf->disks[i].rdev;
32194
32195 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32196 - atomic_inc(&rdev->read_errors);
32197 + atomic_inc_unchecked(&rdev->read_errors);
32198 if (conf->mddev->degraded >= conf->max_degraded)
32199 printk_rl(KERN_WARNING
32200 "md/raid:%s: read error not correctable "
32201 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
32202 (unsigned long long)(sh->sector
32203 + rdev->data_offset),
32204 bdn);
32205 - else if (atomic_read(&rdev->read_errors)
32206 + else if (atomic_read_unchecked(&rdev->read_errors)
32207 > conf->max_nr_stripes)
32208 printk(KERN_WARNING
32209 "md/raid:%s: Too many read errors, failing device %s.\n",
32210 @@ -1947,6 +1947,7 @@ static sector_t compute_blocknr(struct s
32211 sector_t r_sector;
32212 struct stripe_head sh2;
32213
32214 + pax_track_stack();
32215
32216 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32217 stripe = new_sector;
32218 diff -urNp linux-2.6.39.1/drivers/media/common/saa7146_hlp.c linux-2.6.39.1/drivers/media/common/saa7146_hlp.c
32219 --- linux-2.6.39.1/drivers/media/common/saa7146_hlp.c 2011-05-19 00:06:34.000000000 -0400
32220 +++ linux-2.6.39.1/drivers/media/common/saa7146_hlp.c 2011-05-22 19:36:31.000000000 -0400
32221 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32222
32223 int x[32], y[32], w[32], h[32];
32224
32225 + pax_track_stack();
32226 +
32227 /* clear out memory */
32228 memset(&line_list[0], 0x00, sizeof(u32)*32);
32229 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32230 diff -urNp linux-2.6.39.1/drivers/media/common/saa7146_vbi.c linux-2.6.39.1/drivers/media/common/saa7146_vbi.c
32231 --- linux-2.6.39.1/drivers/media/common/saa7146_vbi.c 2011-05-19 00:06:34.000000000 -0400
32232 +++ linux-2.6.39.1/drivers/media/common/saa7146_vbi.c 2011-05-22 19:36:31.000000000 -0400
32233 @@ -501,7 +501,7 @@ static ssize_t vbi_read(struct file *fil
32234 return ret;
32235 }
32236
32237 -struct saa7146_use_ops saa7146_vbi_uops = {
32238 +const struct saa7146_use_ops saa7146_vbi_uops = {
32239 .init = vbi_init,
32240 .open = vbi_open,
32241 .release = vbi_close,
32242 diff -urNp linux-2.6.39.1/drivers/media/common/saa7146_video.c linux-2.6.39.1/drivers/media/common/saa7146_video.c
32243 --- linux-2.6.39.1/drivers/media/common/saa7146_video.c 2011-05-19 00:06:34.000000000 -0400
32244 +++ linux-2.6.39.1/drivers/media/common/saa7146_video.c 2011-05-22 19:36:31.000000000 -0400
32245 @@ -1420,7 +1420,7 @@ out:
32246 return ret;
32247 }
32248
32249 -struct saa7146_use_ops saa7146_video_uops = {
32250 +const struct saa7146_use_ops saa7146_video_uops = {
32251 .init = video_init,
32252 .open = video_open,
32253 .release = video_close,
32254 diff -urNp linux-2.6.39.1/drivers/media/dvb/dm1105/dm1105.c linux-2.6.39.1/drivers/media/dvb/dm1105/dm1105.c
32255 --- linux-2.6.39.1/drivers/media/dvb/dm1105/dm1105.c 2011-05-19 00:06:34.000000000 -0400
32256 +++ linux-2.6.39.1/drivers/media/dvb/dm1105/dm1105.c 2011-05-22 19:36:31.000000000 -0400
32257 @@ -418,7 +418,7 @@ static u32 functionality(struct i2c_adap
32258 return I2C_FUNC_I2C;
32259 }
32260
32261 -static struct i2c_algorithm dm1105_algo = {
32262 +static const struct i2c_algorithm dm1105_algo = {
32263 .master_xfer = dm1105_i2c_xfer,
32264 .functionality = functionality,
32265 };
32266 diff -urNp linux-2.6.39.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.39.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32267 --- linux-2.6.39.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-19 00:06:34.000000000 -0400
32268 +++ linux-2.6.39.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-22 19:36:31.000000000 -0400
32269 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32270 u8 buf[HOST_LINK_BUF_SIZE];
32271 int i;
32272
32273 + pax_track_stack();
32274 +
32275 dprintk("%s\n", __func__);
32276
32277 /* check if we have space for a link buf in the rx_buffer */
32278 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32279 unsigned long timeout;
32280 int written;
32281
32282 + pax_track_stack();
32283 +
32284 dprintk("%s\n", __func__);
32285
32286 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32287 diff -urNp linux-2.6.39.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.39.1/drivers/media/dvb/dvb-core/dvbdev.c
32288 --- linux-2.6.39.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-19 00:06:34.000000000 -0400
32289 +++ linux-2.6.39.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-22 19:36:31.000000000 -0400
32290 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
32291 const struct dvb_device *template, void *priv, int type)
32292 {
32293 struct dvb_device *dvbdev;
32294 - struct file_operations *dvbdevfops;
32295 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
32296 struct device *clsdev;
32297 int minor;
32298 int id;
32299 diff -urNp linux-2.6.39.1/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.39.1/drivers/media/dvb/dvb-usb/dib0700_core.c
32300 --- linux-2.6.39.1/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-19 00:06:34.000000000 -0400
32301 +++ linux-2.6.39.1/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-22 19:36:31.000000000 -0400
32302 @@ -391,6 +391,8 @@ int dib0700_download_firmware(struct usb
32303
32304 u8 buf[260];
32305
32306 + pax_track_stack();
32307 +
32308 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32309 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
32310 hx.addr, hx.len, hx.chk);
32311 diff -urNp linux-2.6.39.1/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.39.1/drivers/media/dvb/dvb-usb/lmedm04.c
32312 --- linux-2.6.39.1/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-19 00:06:34.000000000 -0400
32313 +++ linux-2.6.39.1/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-22 19:36:31.000000000 -0400
32314 @@ -663,6 +663,7 @@ static int lme2510_download_firmware(str
32315 packet_size = 0x31;
32316 len_in = 1;
32317
32318 + pax_track_stack();
32319
32320 info("FRM Starting Firmware Download");
32321
32322 @@ -715,6 +716,8 @@ static void lme_coldreset(struct usb_dev
32323 int ret = 0, len_in;
32324 u8 data[512] = {0};
32325
32326 + pax_track_stack();
32327 +
32328 data[0] = 0x0a;
32329 len_in = 1;
32330 info("FRM Firmware Cold Reset");
32331 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/dib7000p.c linux-2.6.39.1/drivers/media/dvb/frontends/dib7000p.c
32332 --- linux-2.6.39.1/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:04:14.000000000 -0400
32333 +++ linux-2.6.39.1/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:32:05.000000000 -0400
32334 @@ -1945,7 +1945,7 @@ static u32 dib7000p_i2c_func(struct i2c_
32335 return I2C_FUNC_I2C;
32336 }
32337
32338 -static struct i2c_algorithm dib7090_tuner_xfer_algo = {
32339 +static const struct i2c_algorithm dib7090_tuner_xfer_algo = {
32340 .master_xfer = dib7090_tuner_xfer,
32341 .functionality = dib7000p_i2c_func,
32342 };
32343 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/dib9000.c linux-2.6.39.1/drivers/media/dvb/frontends/dib9000.c
32344 --- linux-2.6.39.1/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:04:14.000000000 -0400
32345 +++ linux-2.6.39.1/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:32:05.000000000 -0400
32346 @@ -1676,12 +1676,12 @@ static u32 dib9000_i2c_func(struct i2c_a
32347 return I2C_FUNC_I2C;
32348 }
32349
32350 -static struct i2c_algorithm dib9000_tuner_algo = {
32351 +static const struct i2c_algorithm dib9000_tuner_algo = {
32352 .master_xfer = dib9000_tuner_xfer,
32353 .functionality = dib9000_i2c_func,
32354 };
32355
32356 -static struct i2c_algorithm dib9000_component_bus_algo = {
32357 +static const struct i2c_algorithm dib9000_component_bus_algo = {
32358 .master_xfer = dib9000_fw_component_bus_xfer,
32359 .functionality = dib9000_i2c_func,
32360 };
32361 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/dibx000_common.c linux-2.6.39.1/drivers/media/dvb/frontends/dibx000_common.c
32362 --- linux-2.6.39.1/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:04:14.000000000 -0400
32363 +++ linux-2.6.39.1/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:37:36.000000000 -0400
32364 @@ -221,12 +221,12 @@ static int dibx000_i2c_master_xfer_gpio3
32365 return num;
32366 }
32367
32368 -static struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32369 +static const struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32370 .master_xfer = dibx000_i2c_master_xfer_gpio12,
32371 .functionality = dibx000_i2c_func,
32372 };
32373
32374 -static struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32375 +static const struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32376 .master_xfer = dibx000_i2c_master_xfer_gpio34,
32377 .functionality = dibx000_i2c_func,
32378 };
32379 @@ -285,7 +285,7 @@ static int dibx000_i2c_gated_gpio67_xfer
32380 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32381 }
32382
32383 -static struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32384 +static const struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32385 .master_xfer = dibx000_i2c_gated_gpio67_xfer,
32386 .functionality = dibx000_i2c_func,
32387 };
32388 @@ -322,7 +322,7 @@ static int dibx000_i2c_gated_tuner_xfer(
32389 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32390 }
32391
32392 -static struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32393 +static const struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32394 .master_xfer = dibx000_i2c_gated_tuner_xfer,
32395 .functionality = dibx000_i2c_func,
32396 };
32397 @@ -375,7 +375,7 @@ void dibx000_reset_i2c_master(struct dib
32398 EXPORT_SYMBOL(dibx000_reset_i2c_master);
32399
32400 static int i2c_adapter_init(struct i2c_adapter *i2c_adap,
32401 - struct i2c_algorithm *algo, const char *name,
32402 + const struct i2c_algorithm *algo, const char *name,
32403 struct dibx000_i2c_master *mst)
32404 {
32405 strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));
32406 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/mb86a16.c linux-2.6.39.1/drivers/media/dvb/frontends/mb86a16.c
32407 --- linux-2.6.39.1/drivers/media/dvb/frontends/mb86a16.c 2011-05-19 00:06:34.000000000 -0400
32408 +++ linux-2.6.39.1/drivers/media/dvb/frontends/mb86a16.c 2011-05-22 19:36:31.000000000 -0400
32409 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
32410 int ret = -1;
32411 int sync;
32412
32413 + pax_track_stack();
32414 +
32415 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
32416
32417 fcp = 3000;
32418 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/or51211.c linux-2.6.39.1/drivers/media/dvb/frontends/or51211.c
32419 --- linux-2.6.39.1/drivers/media/dvb/frontends/or51211.c 2011-05-19 00:06:34.000000000 -0400
32420 +++ linux-2.6.39.1/drivers/media/dvb/frontends/or51211.c 2011-05-22 19:36:31.000000000 -0400
32421 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32422 u8 tudata[585];
32423 int i;
32424
32425 + pax_track_stack();
32426 +
32427 dprintk("Firmware is %zd bytes\n",fw->size);
32428
32429 /* Get eprom data */
32430 diff -urNp linux-2.6.39.1/drivers/media/dvb/frontends/s5h1420.c linux-2.6.39.1/drivers/media/dvb/frontends/s5h1420.c
32431 --- linux-2.6.39.1/drivers/media/dvb/frontends/s5h1420.c 2011-05-19 00:06:34.000000000 -0400
32432 +++ linux-2.6.39.1/drivers/media/dvb/frontends/s5h1420.c 2011-05-22 19:36:31.000000000 -0400
32433 @@ -870,7 +870,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
32434 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
32435 }
32436
32437 -static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32438 +static const struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32439 .master_xfer = s5h1420_tuner_i2c_tuner_xfer,
32440 .functionality = s5h1420_tuner_i2c_func,
32441 };
32442 diff -urNp linux-2.6.39.1/drivers/media/dvb/mantis/mantis_i2c.c linux-2.6.39.1/drivers/media/dvb/mantis/mantis_i2c.c
32443 --- linux-2.6.39.1/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-19 00:06:34.000000000 -0400
32444 +++ linux-2.6.39.1/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-22 19:36:31.000000000 -0400
32445 @@ -212,7 +212,7 @@ static u32 mantis_i2c_func(struct i2c_ad
32446 return I2C_FUNC_SMBUS_EMUL;
32447 }
32448
32449 -static struct i2c_algorithm mantis_algo = {
32450 +static const struct i2c_algorithm mantis_algo = {
32451 .master_xfer = mantis_i2c_xfer,
32452 .functionality = mantis_i2c_func,
32453 };
32454 diff -urNp linux-2.6.39.1/drivers/media/dvb/ttusb-dec/ttusb_dec.c linux-2.6.39.1/drivers/media/dvb/ttusb-dec/ttusb_dec.c
32455 --- linux-2.6.39.1/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-19 00:06:34.000000000 -0400
32456 +++ linux-2.6.39.1/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-22 19:36:31.000000000 -0400
32457 @@ -1614,7 +1614,7 @@ static int fe_send_command(struct dvb_fr
32458 return ttusb_dec_send_command(dec, command, param_length, params, result_length, cmd_result);
32459 }
32460
32461 -static struct ttusbdecfe_config fe_config = {
32462 +static const struct ttusbdecfe_config fe_config = {
32463 .send_command = fe_send_command
32464 };
32465
32466 diff -urNp linux-2.6.39.1/drivers/media/radio/radio-cadet.c linux-2.6.39.1/drivers/media/radio/radio-cadet.c
32467 --- linux-2.6.39.1/drivers/media/radio/radio-cadet.c 2011-05-19 00:06:34.000000000 -0400
32468 +++ linux-2.6.39.1/drivers/media/radio/radio-cadet.c 2011-05-22 19:36:31.000000000 -0400
32469 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
32470 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32471 mutex_unlock(&dev->lock);
32472
32473 - if (copy_to_user(data, readbuf, i))
32474 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32475 return -EFAULT;
32476 return i;
32477 }
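Review bot: The added `i > sizeof readbuf` test in cadet_read runs after the copy loop whose last statement, `readbuf[i++] = dev->rdsbuf[dev->rdsout++];`, is the first line of the hunk, so if `i` can exceed the buffer the stack array has already been written past its end when the check fires. The check therefore guards only the read side in `copy_to_user()`. The loop condition is outside the hunk; assuming it is limited only by the caller's count and the ring-buffer indices, the loop itself should stop at the buffer size by adding `i < sizeof(readbuf)` to its condition. Returning `-EFAULT` for a length violation also reports a bad user pointer where none occurred, which is worth a short comment if it is kept.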
32478 diff -urNp linux-2.6.39.1/drivers/media/radio/radio-si4713.c linux-2.6.39.1/drivers/media/radio/radio-si4713.c
32479 --- linux-2.6.39.1/drivers/media/radio/radio-si4713.c 2011-05-19 00:06:34.000000000 -0400
32480 +++ linux-2.6.39.1/drivers/media/radio/radio-si4713.c 2011-05-22 19:36:31.000000000 -0400
32481 @@ -231,7 +231,7 @@ static long radio_si4713_default(struct
32482 ioctl, cmd, arg);
32483 }
32484
32485 -static struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32486 +static const struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32487 .vidioc_enumaudout = radio_si4713_enumaudout,
32488 .vidioc_g_audout = radio_si4713_g_audout,
32489 .vidioc_s_audout = radio_si4713_s_audout,
32490 diff -urNp linux-2.6.39.1/drivers/media/rc/ir-lirc-codec.c linux-2.6.39.1/drivers/media/rc/ir-lirc-codec.c
32491 --- linux-2.6.39.1/drivers/media/rc/ir-lirc-codec.c 2011-05-19 00:06:34.000000000 -0400
32492 +++ linux-2.6.39.1/drivers/media/rc/ir-lirc-codec.c 2011-05-22 19:36:31.000000000 -0400
32493 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
32494 return;
32495 }
32496
32497 -static struct file_operations lirc_fops = {
32498 +static const struct file_operations lirc_fops = {
32499 .owner = THIS_MODULE,
32500 .write = ir_lirc_transmit_ir,
32501 .unlocked_ioctl = ir_lirc_ioctl,
32502 diff -urNp linux-2.6.39.1/drivers/media/rc/lirc_dev.c linux-2.6.39.1/drivers/media/rc/lirc_dev.c
32503 --- linux-2.6.39.1/drivers/media/rc/lirc_dev.c 2011-05-19 00:06:34.000000000 -0400
32504 +++ linux-2.6.39.1/drivers/media/rc/lirc_dev.c 2011-05-22 19:36:31.000000000 -0400
32505 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
32506 }
32507
32508
32509 -static struct file_operations lirc_dev_fops = {
32510 +static const struct file_operations lirc_dev_fops = {
32511 .owner = THIS_MODULE,
32512 .read = lirc_dev_fop_read,
32513 .write = lirc_dev_fop_write,
32514 diff -urNp linux-2.6.39.1/drivers/media/rc/rc-main.c linux-2.6.39.1/drivers/media/rc/rc-main.c
32515 --- linux-2.6.39.1/drivers/media/rc/rc-main.c 2011-05-19 00:06:34.000000000 -0400
32516 +++ linux-2.6.39.1/drivers/media/rc/rc-main.c 2011-05-22 19:36:31.000000000 -0400
32517 @@ -996,7 +996,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
32518
32519 int rc_register_device(struct rc_dev *dev)
32520 {
32521 - static atomic_t devno = ATOMIC_INIT(0);
32522 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
32523 struct rc_map *rc_map;
32524 const char *path;
32525 int rc;
32526 @@ -1019,7 +1019,7 @@ int rc_register_device(struct rc_dev *de
32527 if (dev->close)
32528 dev->input_dev->close = ir_close;
32529
32530 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
32531 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
32532 dev_set_name(&dev->dev, "rc%ld", dev->devno);
32533 dev_set_drvdata(&dev->dev, dev);
32534 rc = device_add(&dev->dev);
32535 diff -urNp linux-2.6.39.1/drivers/media/video/cafe_ccic.c linux-2.6.39.1/drivers/media/video/cafe_ccic.c
32536 --- linux-2.6.39.1/drivers/media/video/cafe_ccic.c 2011-05-19 00:06:34.000000000 -0400
32537 +++ linux-2.6.39.1/drivers/media/video/cafe_ccic.c 2011-05-22 19:36:31.000000000 -0400
32538 @@ -520,7 +520,7 @@ static u32 cafe_smbus_func(struct i2c_ad
32539 I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
32540 }
32541
32542 -static struct i2c_algorithm cafe_smbus_algo = {
32543 +static const struct i2c_algorithm cafe_smbus_algo = {
32544 .smbus_xfer = cafe_smbus_xfer,
32545 .functionality = cafe_smbus_func
32546 };
32547 diff -urNp linux-2.6.39.1/drivers/media/video/cx18/cx18-alsa-pcm.c linux-2.6.39.1/drivers/media/video/cx18/cx18-alsa-pcm.c
32548 --- linux-2.6.39.1/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-19 00:06:34.000000000 -0400
32549 +++ linux-2.6.39.1/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-22 19:36:31.000000000 -0400
32550 @@ -314,7 +314,7 @@ static struct page *snd_pcm_get_vmalloc_
32551 return vmalloc_to_page(pageptr);
32552 }
32553
32554 -static struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32555 +static const struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32556 .open = snd_cx18_pcm_capture_open,
32557 .close = snd_cx18_pcm_capture_close,
32558 .ioctl = snd_cx18_pcm_ioctl,
32559 diff -urNp linux-2.6.39.1/drivers/media/video/cx18/cx18-driver.c linux-2.6.39.1/drivers/media/video/cx18/cx18-driver.c
32560 --- linux-2.6.39.1/drivers/media/video/cx18/cx18-driver.c 2011-05-19 00:06:34.000000000 -0400
32561 +++ linux-2.6.39.1/drivers/media/video/cx18/cx18-driver.c 2011-05-22 19:36:31.000000000 -0400
32562 @@ -61,7 +61,7 @@ static struct pci_device_id cx18_pci_tbl
32563
32564 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32565
32566 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32567 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32568
32569 /* Parameter declarations */
32570 static int cardtype[CX18_MAX_CARDS];
32571 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32572 struct i2c_client c;
32573 u8 eedata[256];
32574
32575 + pax_track_stack();
32576 +
32577 memset(&c, 0, sizeof(c));
32578 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32579 c.adapter = &cx->i2c_adap[0];
32580 @@ -892,7 +894,7 @@ static int __devinit cx18_probe(struct p
32581 struct cx18 *cx;
32582
32583 /* FIXME - module parameter arrays constrain max instances */
32584 - i = atomic_inc_return(&cx18_instance) - 1;
32585 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32586 if (i >= CX18_MAX_CARDS) {
32587 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32588 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
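Review bot: With the counter switched to `atomic_inc_return_unchecked()` in cx18_probe, the `if (i >= CX18_MAX_CARDS)` test on the next line is the only bound on `i`, and it does not reject a negative value once the counter has wrapped. Assuming `i` is a signed int (its declaration is outside the hunk) and is later used to index the per-card module parameter arrays, the check would be safer as `if (i < 0 || i >= CX18_MAX_CARDS) {`. A wrap takes an enormous number of probes, so this is defence in depth rather than a practical bug. cx18_probe starts and ends outside the hunk.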
32589 diff -urNp linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-audio.c linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-audio.c
32590 --- linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32591 +++ linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32592 @@ -613,7 +613,7 @@ static struct page *snd_pcm_get_vmalloc_
32593 return vmalloc_to_page(pageptr);
32594 }
32595
32596 -static struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32597 +static const struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32598 .open = snd_cx231xx_capture_open,
32599 .close = snd_cx231xx_pcm_close,
32600 .ioctl = snd_pcm_lib_ioctl,
32601 diff -urNp linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-i2c.c linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-i2c.c
32602 --- linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
32603 +++ linux-2.6.39.1/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
32604 @@ -435,7 +435,7 @@ static u32 functionality(struct i2c_adap
32605 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
32606 }
32607
32608 -static struct i2c_algorithm cx231xx_algo = {
32609 +static const struct i2c_algorithm cx231xx_algo = {
32610 .master_xfer = cx231xx_i2c_xfer,
32611 .functionality = functionality,
32612 };
32613 diff -urNp linux-2.6.39.1/drivers/media/video/cx23885/cx23885-input.c linux-2.6.39.1/drivers/media/video/cx23885/cx23885-input.c
32614 --- linux-2.6.39.1/drivers/media/video/cx23885/cx23885-input.c 2011-05-19 00:06:34.000000000 -0400
32615 +++ linux-2.6.39.1/drivers/media/video/cx23885/cx23885-input.c 2011-05-22 19:36:31.000000000 -0400
32616 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
32617 bool handle = false;
32618 struct ir_raw_event ir_core_event[64];
32619
32620 + pax_track_stack();
32621 +
32622 do {
32623 num = 0;
32624 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
32625 diff -urNp linux-2.6.39.1/drivers/media/video/cx88/cx88-alsa.c linux-2.6.39.1/drivers/media/video/cx88/cx88-alsa.c
32626 --- linux-2.6.39.1/drivers/media/video/cx88/cx88-alsa.c 2011-05-19 00:06:34.000000000 -0400
32627 +++ linux-2.6.39.1/drivers/media/video/cx88/cx88-alsa.c 2011-05-22 19:36:31.000000000 -0400
32628 @@ -519,7 +519,7 @@ static struct page *snd_cx88_page(struct
32629 /*
32630 * operators
32631 */
32632 -static struct snd_pcm_ops snd_cx88_pcm_ops = {
32633 +static const struct snd_pcm_ops snd_cx88_pcm_ops = {
32634 .open = snd_cx88_pcm_open,
32635 .close = snd_cx88_close,
32636 .ioctl = snd_pcm_lib_ioctl,
32637 diff -urNp linux-2.6.39.1/drivers/media/video/davinci/ccdc_hw_device.h linux-2.6.39.1/drivers/media/video/davinci/ccdc_hw_device.h
32638 --- linux-2.6.39.1/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-19 00:06:34.000000000 -0400
32639 +++ linux-2.6.39.1/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-22 19:36:31.000000000 -0400
32640 @@ -99,7 +99,7 @@ struct ccdc_hw_device {
32641 /* module owner */
32642 struct module *owner;
32643 /* hw ops */
32644 - struct ccdc_hw_ops hw_ops;
32645 + const struct ccdc_hw_ops hw_ops;
32646 };
32647
32648 /* Used by CCDC module to register & unregister with vpfe capture driver */
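Review bot: Qualifying the embedded member as `const struct ccdc_hw_ops hw_ops;` only adds a compile-time check. The function pointers still live inside whatever writable `struct ccdc_hw_device` object contains them, so they do not gain the read-only placement that the `static const` ops tables elsewhere in this patch get. The same applies to `hw_ops` in `struct vpss_oper_config` (vpss.c) and to `platform_cb` in `struct isp_device` (omap3isp/isp.h). In vpss.c the context line `static struct vpss_oper_config oper_cfg;` shows the containing object has no initializer, so any code that fills `hw_ops` at run time (not visible here) would no longer compile without a cast. Holding a pointer instead, `const struct ccdc_hw_ops *hw_ops;`, aimed at a `static const` table would give real write protection, at the cost of touching the users of the member.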
32649 diff -urNp linux-2.6.39.1/drivers/media/video/davinci/vpss.c linux-2.6.39.1/drivers/media/video/davinci/vpss.c
32650 --- linux-2.6.39.1/drivers/media/video/davinci/vpss.c 2011-05-19 00:06:34.000000000 -0400
32651 +++ linux-2.6.39.1/drivers/media/video/davinci/vpss.c 2011-05-22 19:36:31.000000000 -0400
32652 @@ -103,7 +103,7 @@ struct vpss_oper_config {
32653 __iomem void *vpss_regs_base1;
32654 enum vpss_platform_type platform;
32655 spinlock_t vpss_lock;
32656 - struct vpss_hw_ops hw_ops;
32657 + const struct vpss_hw_ops hw_ops;
32658 };
32659
32660 static struct vpss_oper_config oper_cfg;
32661 diff -urNp linux-2.6.39.1/drivers/media/video/em28xx/em28xx-audio.c linux-2.6.39.1/drivers/media/video/em28xx/em28xx-audio.c
32662 --- linux-2.6.39.1/drivers/media/video/em28xx/em28xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32663 +++ linux-2.6.39.1/drivers/media/video/em28xx/em28xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32664 @@ -432,7 +432,7 @@ static struct page *snd_pcm_get_vmalloc_
32665 return vmalloc_to_page(pageptr);
32666 }
32667
32668 -static struct snd_pcm_ops snd_em28xx_pcm_capture = {
32669 +static const struct snd_pcm_ops snd_em28xx_pcm_capture = {
32670 .open = snd_em28xx_capture_open,
32671 .close = snd_em28xx_pcm_close,
32672 .ioctl = snd_pcm_lib_ioctl,
32673 diff -urNp linux-2.6.39.1/drivers/media/video/em28xx/em28xx-i2c.c linux-2.6.39.1/drivers/media/video/em28xx/em28xx-i2c.c
32674 --- linux-2.6.39.1/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
32675 +++ linux-2.6.39.1/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
32676 @@ -451,7 +451,7 @@ static u32 functionality(struct i2c_adap
32677 return I2C_FUNC_SMBUS_EMUL;
32678 }
32679
32680 -static struct i2c_algorithm em28xx_algo = {
32681 +static const struct i2c_algorithm em28xx_algo = {
32682 .master_xfer = em28xx_i2c_xfer,
32683 .functionality = functionality,
32684 };
32685 diff -urNp linux-2.6.39.1/drivers/media/video/hdpvr/hdpvr-i2c.c linux-2.6.39.1/drivers/media/video/hdpvr/hdpvr-i2c.c
32686 --- linux-2.6.39.1/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-19 00:06:34.000000000 -0400
32687 +++ linux-2.6.39.1/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-22 19:36:31.000000000 -0400
32688 @@ -179,7 +179,7 @@ static u32 hdpvr_functionality(struct i2
32689 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
32690 }
32691
32692 -static struct i2c_algorithm hdpvr_algo = {
32693 +static const struct i2c_algorithm hdpvr_algo = {
32694 .master_xfer = hdpvr_transfer,
32695 .functionality = hdpvr_functionality,
32696 };
32697 diff -urNp linux-2.6.39.1/drivers/media/video/imx074.c linux-2.6.39.1/drivers/media/video/imx074.c
32698 --- linux-2.6.39.1/drivers/media/video/imx074.c 2011-05-19 00:06:34.000000000 -0400
32699 +++ linux-2.6.39.1/drivers/media/video/imx074.c 2011-05-22 19:36:31.000000000 -0400
32700 @@ -267,7 +267,7 @@ static int imx074_g_chip_ident(struct v4
32701 return 0;
32702 }
32703
32704 -static struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
32705 +static const struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
32706 .s_stream = imx074_s_stream,
32707 .s_mbus_fmt = imx074_s_fmt,
32708 .g_mbus_fmt = imx074_g_fmt,
32709 @@ -277,7 +277,7 @@ static struct v4l2_subdev_video_ops imx0
32710 .cropcap = imx074_cropcap,
32711 };
32712
32713 -static struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
32714 +static const struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
32715 .g_chip_ident = imx074_g_chip_ident,
32716 };
32717
32718 diff -urNp linux-2.6.39.1/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.39.1/drivers/media/video/ivtv/ivtv-driver.c
32719 --- linux-2.6.39.1/drivers/media/video/ivtv/ivtv-driver.c 2011-05-19 00:06:34.000000000 -0400
32720 +++ linux-2.6.39.1/drivers/media/video/ivtv/ivtv-driver.c 2011-05-22 19:36:31.000000000 -0400
32721 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
32722 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
32723
32724 /* ivtv instance counter */
32725 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
32726 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
32727
32728 /* Parameter declarations */
32729 static int cardtype[IVTV_MAX_CARDS];
32730 diff -urNp linux-2.6.39.1/drivers/media/video/mt9m001.c linux-2.6.39.1/drivers/media/video/mt9m001.c
32731 --- linux-2.6.39.1/drivers/media/video/mt9m001.c 2011-05-19 00:06:34.000000000 -0400
32732 +++ linux-2.6.39.1/drivers/media/video/mt9m001.c 2011-05-22 19:36:31.000000000 -0400
32733 @@ -691,7 +691,7 @@ static int mt9m001_g_skip_top_lines(stru
32734 return 0;
32735 }
32736
32737 -static struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
32738 +static const struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
32739 .g_ctrl = mt9m001_g_ctrl,
32740 .s_ctrl = mt9m001_s_ctrl,
32741 .g_chip_ident = mt9m001_g_chip_ident,
32742 @@ -714,7 +714,7 @@ static int mt9m001_enum_fmt(struct v4l2_
32743 return 0;
32744 }
32745
32746 -static struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
32747 +static const struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
32748 .s_stream = mt9m001_s_stream,
32749 .s_mbus_fmt = mt9m001_s_fmt,
32750 .g_mbus_fmt = mt9m001_g_fmt,
32751 @@ -725,7 +725,7 @@ static struct v4l2_subdev_video_ops mt9m
32752 .enum_mbus_fmt = mt9m001_enum_fmt,
32753 };
32754
32755 -static struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
32756 +static const struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
32757 .g_skip_top_lines = mt9m001_g_skip_top_lines,
32758 };
32759
32760 diff -urNp linux-2.6.39.1/drivers/media/video/mt9t031.c linux-2.6.39.1/drivers/media/video/mt9t031.c
32761 --- linux-2.6.39.1/drivers/media/video/mt9t031.c 2011-05-19 00:06:34.000000000 -0400
32762 +++ linux-2.6.39.1/drivers/media/video/mt9t031.c 2011-05-22 19:36:31.000000000 -0400
32763 @@ -725,7 +725,7 @@ static int mt9t031_runtime_resume(struct
32764 return 0;
32765 }
32766
32767 -static struct dev_pm_ops mt9t031_dev_pm_ops = {
32768 +static const struct dev_pm_ops mt9t031_dev_pm_ops = {
32769 .runtime_suspend = mt9t031_runtime_suspend,
32770 .runtime_resume = mt9t031_runtime_resume,
32771 };
32772 @@ -788,7 +788,7 @@ static int mt9t031_g_skip_top_lines(stru
32773 return 0;
32774 }
32775
32776 -static struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
32777 +static const struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
32778 .g_ctrl = mt9t031_g_ctrl,
32779 .s_ctrl = mt9t031_s_ctrl,
32780 .g_chip_ident = mt9t031_g_chip_ident,
32781 @@ -808,7 +808,7 @@ static int mt9t031_enum_fmt(struct v4l2_
32782 return 0;
32783 }
32784
32785 -static struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
32786 +static const struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
32787 .s_stream = mt9t031_s_stream,
32788 .s_mbus_fmt = mt9t031_s_fmt,
32789 .g_mbus_fmt = mt9t031_g_fmt,
32790 @@ -819,7 +819,7 @@ static struct v4l2_subdev_video_ops mt9t
32791 .enum_mbus_fmt = mt9t031_enum_fmt,
32792 };
32793
32794 -static struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
32795 +static const struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
32796 .g_skip_top_lines = mt9t031_g_skip_top_lines,
32797 };
32798
32799 diff -urNp linux-2.6.39.1/drivers/media/video/mt9v022.c linux-2.6.39.1/drivers/media/video/mt9v022.c
32800 --- linux-2.6.39.1/drivers/media/video/mt9v022.c 2011-05-19 00:06:34.000000000 -0400
32801 +++ linux-2.6.39.1/drivers/media/video/mt9v022.c 2011-05-22 19:36:31.000000000 -0400
32802 @@ -825,7 +825,7 @@ static int mt9v022_g_skip_top_lines(stru
32803 return 0;
32804 }
32805
32806 -static struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
32807 +static const struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
32808 .g_ctrl = mt9v022_g_ctrl,
32809 .s_ctrl = mt9v022_s_ctrl,
32810 .g_chip_ident = mt9v022_g_chip_ident,
32811 @@ -848,7 +848,7 @@ static int mt9v022_enum_fmt(struct v4l2_
32812 return 0;
32813 }
32814
32815 -static struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
32816 +static const struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
32817 .s_stream = mt9v022_s_stream,
32818 .s_mbus_fmt = mt9v022_s_fmt,
32819 .g_mbus_fmt = mt9v022_g_fmt,
32820 @@ -859,7 +859,7 @@ static struct v4l2_subdev_video_ops mt9v
32821 .enum_mbus_fmt = mt9v022_enum_fmt,
32822 };
32823
32824 -static struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
32825 +static const struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
32826 .g_skip_top_lines = mt9v022_g_skip_top_lines,
32827 };
32828
32829 diff -urNp linux-2.6.39.1/drivers/media/video/mx2_camera.c linux-2.6.39.1/drivers/media/video/mx2_camera.c
32830 --- linux-2.6.39.1/drivers/media/video/mx2_camera.c 2011-05-19 00:06:34.000000000 -0400
32831 +++ linux-2.6.39.1/drivers/media/video/mx2_camera.c 2011-05-22 19:36:31.000000000 -0400
32832 @@ -668,7 +668,7 @@ static void mx2_videobuf_release(struct
32833 free_buffer(vq, buf);
32834 }
32835
32836 -static struct videobuf_queue_ops mx2_videobuf_ops = {
32837 +static const struct videobuf_queue_ops mx2_videobuf_ops = {
32838 .buf_setup = mx2_videobuf_setup,
32839 .buf_prepare = mx2_videobuf_prepare,
32840 .buf_queue = mx2_videobuf_queue,
32841 diff -urNp linux-2.6.39.1/drivers/media/video/omap24xxcam.c linux-2.6.39.1/drivers/media/video/omap24xxcam.c
32842 --- linux-2.6.39.1/drivers/media/video/omap24xxcam.c 2011-05-19 00:06:34.000000000 -0400
32843 +++ linux-2.6.39.1/drivers/media/video/omap24xxcam.c 2011-05-22 19:36:31.000000000 -0400
32844 @@ -403,7 +403,7 @@ static void omap24xxcam_vbq_complete(str
32845 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
32846
32847 do_gettimeofday(&vb->ts);
32848 - vb->field_count = atomic_add_return(2, &fh->field_count);
32849 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
32850 if (csr & csr_error) {
32851 vb->state = VIDEOBUF_ERROR;
32852 if (!atomic_read(&fh->cam->in_reset)) {
32853 diff -urNp linux-2.6.39.1/drivers/media/video/omap24xxcam.h linux-2.6.39.1/drivers/media/video/omap24xxcam.h
32854 --- linux-2.6.39.1/drivers/media/video/omap24xxcam.h 2011-05-19 00:06:34.000000000 -0400
32855 +++ linux-2.6.39.1/drivers/media/video/omap24xxcam.h 2011-05-22 19:36:31.000000000 -0400
32856 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
32857 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
32858 struct videobuf_queue vbq;
32859 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
32860 - atomic_t field_count; /* field counter for videobuf_buffer */
32861 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
32862 /* accessing cam here doesn't need serialisation: it's constant */
32863 struct omap24xxcam_device *cam;
32864 };
32865 diff -urNp linux-2.6.39.1/drivers/media/video/omap3isp/isp.h linux-2.6.39.1/drivers/media/video/omap3isp/isp.h
32866 --- linux-2.6.39.1/drivers/media/video/omap3isp/isp.h 2011-05-19 00:06:34.000000000 -0400
32867 +++ linux-2.6.39.1/drivers/media/video/omap3isp/isp.h 2011-05-22 19:36:31.000000000 -0400
32868 @@ -290,7 +290,7 @@ struct isp_device {
32869
32870 struct iommu *iommu;
32871
32872 - struct isp_platform_callback platform_cb;
32873 + const struct isp_platform_callback platform_cb;
32874 };
32875
32876 #define v4l2_dev_to_isp_device(dev) \
32877 diff -urNp linux-2.6.39.1/drivers/media/video/ov2640.c linux-2.6.39.1/drivers/media/video/ov2640.c
32878 --- linux-2.6.39.1/drivers/media/video/ov2640.c 2011-05-19 00:06:34.000000000 -0400
32879 +++ linux-2.6.39.1/drivers/media/video/ov2640.c 2011-05-22 19:36:31.000000000 -0400
32880 @@ -1080,7 +1080,7 @@ static struct soc_camera_ops ov2640_ops
32881 .num_controls = ARRAY_SIZE(ov2640_controls),
32882 };
32883
32884 -static struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
32885 +static const struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
32886 .g_ctrl = ov2640_g_ctrl,
32887 .s_ctrl = ov2640_s_ctrl,
32888 .g_chip_ident = ov2640_g_chip_ident,
32889 @@ -1090,7 +1090,7 @@ static struct v4l2_subdev_core_ops ov264
32890 #endif
32891 };
32892
32893 -static struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
32894 +static const struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
32895 .s_stream = ov2640_s_stream,
32896 .g_mbus_fmt = ov2640_g_fmt,
32897 .s_mbus_fmt = ov2640_s_fmt,
32898 diff -urNp linux-2.6.39.1/drivers/media/video/ov772x.c linux-2.6.39.1/drivers/media/video/ov772x.c
32899 --- linux-2.6.39.1/drivers/media/video/ov772x.c 2011-05-19 00:06:34.000000000 -0400
32900 +++ linux-2.6.39.1/drivers/media/video/ov772x.c 2011-05-22 19:36:31.000000000 -0400
32901 @@ -1079,7 +1079,7 @@ static struct soc_camera_ops ov772x_ops
32902 .num_controls = ARRAY_SIZE(ov772x_controls),
32903 };
32904
32905 -static struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
32906 +static const struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
32907 .g_ctrl = ov772x_g_ctrl,
32908 .s_ctrl = ov772x_s_ctrl,
32909 .g_chip_ident = ov772x_g_chip_ident,
32910 @@ -1099,7 +1099,7 @@ static int ov772x_enum_fmt(struct v4l2_s
32911 return 0;
32912 }
32913
32914 -static struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
32915 +static const struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
32916 .s_stream = ov772x_s_stream,
32917 .g_mbus_fmt = ov772x_g_fmt,
32918 .s_mbus_fmt = ov772x_s_fmt,
32919 diff -urNp linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
32920 --- linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-19 00:06:34.000000000 -0400
32921 +++ linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-22 19:36:31.000000000 -0400
32922 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
32923 u8 *eeprom;
32924 struct tveeprom tvdata;
32925
32926 + pax_track_stack();
32927 +
32928 memset(&tvdata,0,sizeof(tvdata));
32929
32930 eeprom = pvr2_eeprom_fetch(hdw);
32931 diff -urNp linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c
32932 --- linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-19 00:06:34.000000000 -0400
32933 +++ linux-2.6.39.1/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-22 19:36:31.000000000 -0400
32934 @@ -527,7 +527,7 @@ static u32 pvr2_i2c_functionality(struct
32935 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
32936 }
32937
32938 -static struct i2c_algorithm pvr2_i2c_algo_template = {
32939 +static const struct i2c_algorithm pvr2_i2c_algo_template = {
32940 .master_xfer = pvr2_i2c_xfer,
32941 .functionality = pvr2_i2c_functionality,
32942 };
32943 diff -urNp linux-2.6.39.1/drivers/media/video/rj54n1cb0c.c linux-2.6.39.1/drivers/media/video/rj54n1cb0c.c
32944 --- linux-2.6.39.1/drivers/media/video/rj54n1cb0c.c 2011-05-19 00:06:34.000000000 -0400
32945 +++ linux-2.6.39.1/drivers/media/video/rj54n1cb0c.c 2011-05-22 19:36:31.000000000 -0400
32946 @@ -1327,7 +1327,7 @@ static int rj54n1_s_ctrl(struct v4l2_sub
32947 return 0;
32948 }
32949
32950 -static struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
32951 +static const struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
32952 .g_ctrl = rj54n1_g_ctrl,
32953 .s_ctrl = rj54n1_s_ctrl,
32954 .g_chip_ident = rj54n1_g_chip_ident,
32955 @@ -1337,7 +1337,7 @@ static struct v4l2_subdev_core_ops rj54n
32956 #endif
32957 };
32958
32959 -static struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
32960 +static const struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
32961 .s_stream = rj54n1_s_stream,
32962 .s_mbus_fmt = rj54n1_s_fmt,
32963 .g_mbus_fmt = rj54n1_g_fmt,
32964 diff -urNp linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-capture.c linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-capture.c
32965 --- linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-19 00:06:34.000000000 -0400
32966 +++ linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-22 19:36:31.000000000 -0400
32967 @@ -376,7 +376,7 @@ static void fimc_unlock(struct vb2_queue
32968 mutex_unlock(&ctx->fimc_dev->lock);
32969 }
32970
32971 -static struct vb2_ops fimc_capture_qops = {
32972 +static const struct vb2_ops fimc_capture_qops = {
32973 .queue_setup = queue_setup,
32974 .buf_prepare = buffer_prepare,
32975 .buf_queue = buffer_queue,
32976 diff -urNp linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-core.c linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-core.c
32977 --- linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-19 00:06:34.000000000 -0400
32978 +++ linux-2.6.39.1/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-22 19:36:31.000000000 -0400
32979 @@ -768,7 +768,7 @@ static void fimc_unlock(struct vb2_queue
32980 mutex_unlock(&ctx->fimc_dev->lock);
32981 }
32982
32983 -static struct vb2_ops fimc_qops = {
32984 +static const struct vb2_ops fimc_qops = {
32985 .queue_setup = fimc_queue_setup,
32986 .buf_prepare = fimc_buf_prepare,
32987 .buf_queue = fimc_buf_queue,
32988 diff -urNp linux-2.6.39.1/drivers/media/video/saa7134/saa6752hs.c linux-2.6.39.1/drivers/media/video/saa7134/saa6752hs.c
32989 --- linux-2.6.39.1/drivers/media/video/saa7134/saa6752hs.c 2011-05-19 00:06:34.000000000 -0400
32990 +++ linux-2.6.39.1/drivers/media/video/saa7134/saa6752hs.c 2011-05-22 19:36:31.000000000 -0400
32991 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
32992 unsigned char localPAT[256];
32993 unsigned char localPMT[256];
32994
32995 + pax_track_stack();
32996 +
32997 /* Set video format - must be done first as it resets other settings */
32998 set_reg8(client, 0x41, h->video_format);
32999
33000 diff -urNp linux-2.6.39.1/drivers/media/video/saa7134/saa7134-alsa.c linux-2.6.39.1/drivers/media/video/saa7134/saa7134-alsa.c
33001 --- linux-2.6.39.1/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-19 00:06:34.000000000 -0400
33002 +++ linux-2.6.39.1/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-22 19:36:31.000000000 -0400
33003 @@ -808,7 +808,7 @@ static struct page *snd_card_saa7134_pag
33004 * ALSA capture callbacks definition
33005 */
33006
33007 -static struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33008 +static const struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33009 .open = snd_card_saa7134_capture_open,
33010 .close = snd_card_saa7134_capture_close,
33011 .ioctl = snd_pcm_lib_ioctl,
33012 diff -urNp linux-2.6.39.1/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.39.1/drivers/media/video/saa7164/saa7164-cmd.c
33013 --- linux-2.6.39.1/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-19 00:06:34.000000000 -0400
33014 +++ linux-2.6.39.1/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-22 19:36:31.000000000 -0400
33015 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33016 u8 tmp[512];
33017 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33018
33019 + pax_track_stack();
33020 +
33021 /* While any outstand message on the bus exists... */
33022 do {
33023
33024 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33025 u8 tmp[512];
33026 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33027
33028 + pax_track_stack();
33029 +
33030 while (loop) {
33031
33032 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
33033 diff -urNp linux-2.6.39.1/drivers/media/video/sh_mobile_csi2.c linux-2.6.39.1/drivers/media/video/sh_mobile_csi2.c
33034 --- linux-2.6.39.1/drivers/media/video/sh_mobile_csi2.c 2011-05-19 00:06:34.000000000 -0400
33035 +++ linux-2.6.39.1/drivers/media/video/sh_mobile_csi2.c 2011-05-22 19:36:31.000000000 -0400
33036 @@ -127,12 +127,12 @@ static int sh_csi2_s_fmt(struct v4l2_sub
33037 return 0;
33038 }
33039
33040 -static struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33041 +static const struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33042 .s_mbus_fmt = sh_csi2_s_fmt,
33043 .try_mbus_fmt = sh_csi2_try_fmt,
33044 };
33045
33046 -static struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33047 +static const struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33048
33049 static struct v4l2_subdev_ops sh_csi2_subdev_ops = {
33050 .core = &sh_csi2_subdev_core_ops,
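Review bot: The table that points at the newly const `sh_csi2_subdev_video_ops` and `sh_csi2_subdev_core_ops`, `static struct v4l2_subdev_ops sh_csi2_subdev_ops` on the context line, stays writable. Its `.core` pointer, and any further members outside the hunk, can therefore still be redirected by a stray or malicious write, which leaves the constification incomplete. If every user of the table accepts a const pointer, which cannot be confirmed from this hunk, it should become `static const struct v4l2_subdev_ops sh_csi2_subdev_ops = {`. The initializer continues outside the hunk.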
33051 diff -urNp linux-2.6.39.1/drivers/media/video/soc_camera_platform.c linux-2.6.39.1/drivers/media/video/soc_camera_platform.c
33052 --- linux-2.6.39.1/drivers/media/video/soc_camera_platform.c 2011-05-19 00:06:34.000000000 -0400
33053 +++ linux-2.6.39.1/drivers/media/video/soc_camera_platform.c 2011-05-22 19:36:31.000000000 -0400
33054 @@ -70,7 +70,7 @@ static int soc_camera_platform_fill_fmt(
33055 return 0;
33056 }
33057
33058 -static struct v4l2_subdev_core_ops platform_subdev_core_ops;
33059 +static const struct v4l2_subdev_core_ops platform_subdev_core_ops;
33060
33061 static int soc_camera_platform_enum_fmt(struct v4l2_subdev *sd, unsigned int index,
33062 enum v4l2_mbus_pixelcode *code)
33063 @@ -115,7 +115,7 @@ static int soc_camera_platform_cropcap(s
33064 return 0;
33065 }
33066
33067 -static struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33068 +static const struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33069 .s_stream = soc_camera_platform_s_stream,
33070 .enum_mbus_fmt = soc_camera_platform_enum_fmt,
33071 .cropcap = soc_camera_platform_cropcap,
33072 diff -urNp linux-2.6.39.1/drivers/media/video/tlg2300/pd-alsa.c linux-2.6.39.1/drivers/media/video/tlg2300/pd-alsa.c
33073 --- linux-2.6.39.1/drivers/media/video/tlg2300/pd-alsa.c 2011-05-19 00:06:34.000000000 -0400
33074 +++ linux-2.6.39.1/drivers/media/video/tlg2300/pd-alsa.c 2011-05-22 19:36:31.000000000 -0400
33075 @@ -265,7 +265,7 @@ static struct page *snd_pcm_pd_get_page(
33076 return vmalloc_to_page(pageptr);
33077 }
33078
33079 -static struct snd_pcm_ops pcm_capture_ops = {
33080 +static const struct snd_pcm_ops pcm_capture_ops = {
33081 .open = snd_pd_capture_open,
33082 .close = snd_pd_pcm_close,
33083 .ioctl = snd_pcm_lib_ioctl,
33084 diff -urNp linux-2.6.39.1/drivers/media/video/tw9910.c linux-2.6.39.1/drivers/media/video/tw9910.c
33085 --- linux-2.6.39.1/drivers/media/video/tw9910.c 2011-05-19 00:06:34.000000000 -0400
33086 +++ linux-2.6.39.1/drivers/media/video/tw9910.c 2011-05-22 19:36:31.000000000 -0400
33087 @@ -894,7 +894,7 @@ static struct soc_camera_ops tw9910_ops
33088 .enum_input = tw9910_enum_input,
33089 };
33090
33091 -static struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33092 +static const struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33093 .g_chip_ident = tw9910_g_chip_ident,
33094 .s_std = tw9910_s_std,
33095 #ifdef CONFIG_VIDEO_ADV_DEBUG
33096 @@ -913,7 +913,7 @@ static int tw9910_enum_fmt(struct v4l2_s
33097 return 0;
33098 }
33099
33100 -static struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33101 +static const struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33102 .s_stream = tw9910_s_stream,
33103 .g_mbus_fmt = tw9910_g_fmt,
33104 .s_mbus_fmt = tw9910_s_fmt,
33105 diff -urNp linux-2.6.39.1/drivers/media/video/usbvision/usbvision-core.c linux-2.6.39.1/drivers/media/video/usbvision/usbvision-core.c
33106 --- linux-2.6.39.1/drivers/media/video/usbvision/usbvision-core.c 2011-05-19 00:06:34.000000000 -0400
33107 +++ linux-2.6.39.1/drivers/media/video/usbvision/usbvision-core.c 2011-05-22 19:36:31.000000000 -0400
33108 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
33109 unsigned char rv, gv, bv;
33110 static unsigned char *Y, *U, *V;
33111
33112 + pax_track_stack();
33113 +
33114 frame = usbvision->cur_frame;
33115 image_size = frame->frmwidth * frame->frmheight;
33116 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33117 diff -urNp linux-2.6.39.1/drivers/media/video/usbvision/usbvision-i2c.c linux-2.6.39.1/drivers/media/video/usbvision/usbvision-i2c.c
33118 --- linux-2.6.39.1/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-19 00:06:34.000000000 -0400
33119 +++ linux-2.6.39.1/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-22 19:36:31.000000000 -0400
33120 @@ -189,7 +189,7 @@ static u32 functionality(struct i2c_adap
33121
33122 /* -----exported algorithm data: ------------------------------------- */
33123
33124 -static struct i2c_algorithm usbvision_algo = {
33125 +static const struct i2c_algorithm usbvision_algo = {
33126 .master_xfer = usbvision_i2c_xfer,
33127 .smbus_xfer = NULL,
33128 .functionality = functionality,
33129 diff -urNp linux-2.6.39.1/drivers/media/video/v4l2-device.c linux-2.6.39.1/drivers/media/video/v4l2-device.c
33130 --- linux-2.6.39.1/drivers/media/video/v4l2-device.c 2011-05-19 00:06:34.000000000 -0400
33131 +++ linux-2.6.39.1/drivers/media/video/v4l2-device.c 2011-05-22 19:36:31.000000000 -0400
33132 @@ -71,9 +71,9 @@ int v4l2_device_put(struct v4l2_device *
33133 EXPORT_SYMBOL_GPL(v4l2_device_put);
33134
33135 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33136 - atomic_t *instance)
33137 + atomic_unchecked_t *instance)
33138 {
33139 - int num = atomic_inc_return(instance) - 1;
33140 + int num = atomic_inc_return_unchecked(instance) - 1;
33141 int len = strlen(basename);
33142
33143 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
33144 diff -urNp linux-2.6.39.1/drivers/media/video/videobuf-dma-sg.c linux-2.6.39.1/drivers/media/video/videobuf-dma-sg.c
33145 --- linux-2.6.39.1/drivers/media/video/videobuf-dma-sg.c 2011-05-19 00:06:34.000000000 -0400
33146 +++ linux-2.6.39.1/drivers/media/video/videobuf-dma-sg.c 2011-05-22 19:36:31.000000000 -0400
33147 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
33148 {
33149 struct videobuf_queue q;
33150
33151 + pax_track_stack();
33152 +
33153 /* Required to make generic handler to call __videobuf_alloc */
33154 q.int_ops = &sg_ops;
33155
33156 diff -urNp linux-2.6.39.1/drivers/message/fusion/mptbase.c linux-2.6.39.1/drivers/message/fusion/mptbase.c
33157 --- linux-2.6.39.1/drivers/message/fusion/mptbase.c 2011-05-19 00:06:34.000000000 -0400
33158 +++ linux-2.6.39.1/drivers/message/fusion/mptbase.c 2011-05-22 19:41:37.000000000 -0400
33159 @@ -143,7 +143,7 @@ static int MptDriverClass[MPT_MAX_PRO
33160 static MPT_EVHANDLER MptEvHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33161 /* Reset handler lookup table */
33162 static MPT_RESETHANDLER MptResetHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33163 -static struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33164 +static const struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33165
33166 #ifdef CONFIG_PROC_FS
33167 static struct proc_dir_entry *mpt_proc_root_dir;
33168 @@ -772,7 +772,7 @@ mpt_reset_deregister(u8 cb_idx)
33169 * @cb_idx: MPT protocol driver index
33170 */
33171 int
33172 -mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33173 +mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33174 {
33175 MPT_ADAPTER *ioc;
33176 const struct pci_device_id *id;
33177 @@ -801,7 +801,7 @@ mpt_device_driver_register(struct mpt_pc
33178 void
33179 mpt_device_driver_deregister(u8 cb_idx)
33180 {
33181 - struct mpt_pci_driver *dd_cbfunc;
33182 + const struct mpt_pci_driver *dd_cbfunc;
33183 MPT_ADAPTER *ioc;
33184
33185 if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
33186 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
33187 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33188 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33189
33190 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33191 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
33192 +#else
33193 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33194 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33195 +#endif
33196 +
33197 /*
33198 * Rounding UP to nearest 4-kB boundary here...
33199 */
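Review bot: The CONFIG_GRKERNSEC_HIDESYM branch in mpt_iocinfo_proc_show passes `NULL` to a `0x%p` conversion, which as far as I recall this kernel's vsprintf renders as `(null)`, so the /proc line would read `0x(null)`. The branch also duplicates the format string. A fixed string with no conversion is clearer and cannot drift from the other branch, for example `seq_printf(m, "  RequestFrames @ (hidden) (Dma @ (hidden))\n");`. The rest of the function is outside the hunk, so any other lines there that print frame or DMA addresses are worth checking for the same treatment.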
33200 diff -urNp linux-2.6.39.1/drivers/message/fusion/mptbase.h linux-2.6.39.1/drivers/message/fusion/mptbase.h
33201 --- linux-2.6.39.1/drivers/message/fusion/mptbase.h 2011-05-19 00:06:34.000000000 -0400
33202 +++ linux-2.6.39.1/drivers/message/fusion/mptbase.h 2011-05-22 19:36:31.000000000 -0400
33203 @@ -908,7 +908,7 @@ extern int mpt_event_register(u8 cb_idx
33204 extern void mpt_event_deregister(u8 cb_idx);
33205 extern int mpt_reset_register(u8 cb_idx, MPT_RESETHANDLER reset_func);
33206 extern void mpt_reset_deregister(u8 cb_idx);
33207 -extern int mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33208 +extern int mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33209 extern void mpt_device_driver_deregister(u8 cb_idx);
33210 extern MPT_FRAME_HDR *mpt_get_msg_frame(u8 cb_idx, MPT_ADAPTER *ioc);
33211 extern void mpt_free_msg_frame(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf);
33212 diff -urNp linux-2.6.39.1/drivers/message/fusion/mptctl.c linux-2.6.39.1/drivers/message/fusion/mptctl.c
33213 --- linux-2.6.39.1/drivers/message/fusion/mptctl.c 2011-05-19 00:06:34.000000000 -0400
33214 +++ linux-2.6.39.1/drivers/message/fusion/mptctl.c 2011-05-22 19:36:31.000000000 -0400
33215 @@ -3000,7 +3000,7 @@ mptctl_remove(struct pci_dev *pdev)
33216 {
33217 }
33218
33219 -static struct mpt_pci_driver mptctl_driver = {
33220 +static const struct mpt_pci_driver mptctl_driver = {
33221 .probe = mptctl_probe,
33222 .remove = mptctl_remove,
33223 };
33224 diff -urNp linux-2.6.39.1/drivers/message/fusion/mptsas.c linux-2.6.39.1/drivers/message/fusion/mptsas.c
33225 --- linux-2.6.39.1/drivers/message/fusion/mptsas.c 2011-05-19 00:06:34.000000000 -0400
33226 +++ linux-2.6.39.1/drivers/message/fusion/mptsas.c 2011-05-22 19:36:31.000000000 -0400
33227 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
33228 return 0;
33229 }
33230
33231 +static inline void
33232 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33233 +{
33234 + if (phy_info->port_details) {
33235 + phy_info->port_details->rphy = rphy;
33236 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33237 + ioc->name, rphy));
33238 + }
33239 +
33240 + if (rphy) {
33241 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33242 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33243 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33244 + ioc->name, rphy, rphy->dev.release));
33245 + }
33246 +}
33247 +
33248 /* no mutex */
33249 static void
33250 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
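Review bot: The relocated `mptsas_set_rphy` keeps debug prints that format `rphy` and `rphy->dev.release` with `%p`, which writes an object address and a kernel function address to the log, while the mptbase.c change in this same patch hides addresses under CONFIG_GRKERNSEC_HIDESYM. These messages are gated by `dsaswideprintk`, so they presumably appear only with the driver's debug level raised. For consistency I would still wrap the second print in `#ifndef CONFIG_GRKERNSEC_HIDESYM` or drop `release=%p` from it. The move also carries no comment; a line naming the earlier function that now needs the helper would explain the relocation.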
33251 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33252 return NULL;
33253 }
33254
33255 -static inline void
33256 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33257 -{
33258 - if (phy_info->port_details) {
33259 - phy_info->port_details->rphy = rphy;
33260 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33261 - ioc->name, rphy));
33262 - }
33263 -
33264 - if (rphy) {
33265 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33266 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33267 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33268 - ioc->name, rphy, rphy->dev.release));
33269 - }
33270 -}
33271 -
33272 static inline struct sas_port *
33273 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33274 {
33275 diff -urNp linux-2.6.39.1/drivers/message/fusion/mptscsih.c linux-2.6.39.1/drivers/message/fusion/mptscsih.c
33276 --- linux-2.6.39.1/drivers/message/fusion/mptscsih.c 2011-05-19 00:06:34.000000000 -0400
33277 +++ linux-2.6.39.1/drivers/message/fusion/mptscsih.c 2011-05-22 19:36:31.000000000 -0400
33278 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33279
33280 h = shost_priv(SChost);
33281
33282 - if (h) {
33283 - if (h->info_kbuf == NULL)
33284 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33285 - return h->info_kbuf;
33286 - h->info_kbuf[0] = '\0';
33287 + if (!h)
33288 + return NULL;
33289
33290 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33291 - h->info_kbuf[size-1] = '\0';
33292 - }
33293 + if (h->info_kbuf == NULL)
33294 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33295 + return h->info_kbuf;
33296 + h->info_kbuf[0] = '\0';
33297 +
33298 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33299 + h->info_kbuf[size-1] = '\0';
33300
33301 return h->info_kbuf;
33302 }
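Review bot: The terminator write `h->info_kbuf[size-1] = '\0';` still trusts the length that mpt_print_ioc_summary() reports: if `size` comes back as 0 the index is -1, and nothing visible bounds it against the 0x1000-byte allocation. The early `return NULL` for a missing host removes the old NULL dereference, but I would also guard the write, e.g. `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';`. That guard only stops the stray terminator write; whether mpt_print_ioc_summary() limits its own output can't be told from here, since it and the declaration of `size` are outside the hunk.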
33303 diff -urNp linux-2.6.39.1/drivers/message/i2o/i2o_config.c linux-2.6.39.1/drivers/message/i2o/i2o_config.c
33304 --- linux-2.6.39.1/drivers/message/i2o/i2o_config.c 2011-05-19 00:06:34.000000000 -0400
33305 +++ linux-2.6.39.1/drivers/message/i2o/i2o_config.c 2011-05-22 19:36:31.000000000 -0400
33306 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
33307 struct i2o_message *msg;
33308 unsigned int iop;
33309
33310 + pax_track_stack();
33311 +
33312 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33313 return -EFAULT;
33314
33315 diff -urNp linux-2.6.39.1/drivers/message/i2o/i2o_proc.c linux-2.6.39.1/drivers/message/i2o/i2o_proc.c
33316 --- linux-2.6.39.1/drivers/message/i2o/i2o_proc.c 2011-05-19 00:06:34.000000000 -0400
33317 +++ linux-2.6.39.1/drivers/message/i2o/i2o_proc.c 2011-05-22 19:36:31.000000000 -0400
33318 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
33319 "Array Controller Device"
33320 };
33321
33322 -static char *chtostr(u8 * chars, int n)
33323 -{
33324 - char tmp[256];
33325 - tmp[0] = 0;
33326 - return strncat(tmp, (char *)chars, n);
33327 -}
33328 -
33329 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33330 char *group)
33331 {
33332 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
33333
33334 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33335 seq_printf(seq, "%-#8x", ddm_table.module_id);
33336 - seq_printf(seq, "%-29s",
33337 - chtostr(ddm_table.module_name_version, 28));
33338 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33339 seq_printf(seq, "%9d ", ddm_table.data_size);
33340 seq_printf(seq, "%8d", ddm_table.code_size);
33341
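Review bot: The new format `%-.28s` bounds the read but drops the field width, so the module-name column is no longer padded to 29 characters as the old `%-29s` did, and the `data_size` column after it will shift with the name length. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` keeps both the bound and the layout. The same applies to `%-.28s` and `%-.8s` in the i2o_seq_show_drivers_stored hunk, where `%-29.28s` and `%-9.8s` would match the previous output. The enclosing function starts and ends outside the hunk.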
33342 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
33343
33344 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33345 seq_printf(seq, "%-#8x", dst->module_id);
33346 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33347 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33348 + seq_printf(seq, "%-.28s", dst->module_name_version);
33349 + seq_printf(seq, "%-.8s", dst->date);
33350 seq_printf(seq, "%8d ", dst->module_size);
33351 seq_printf(seq, "%8d ", dst->mpb_size);
33352 seq_printf(seq, "0x%04x", dst->module_flags);
33353 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
33354 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33355 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33356 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33357 - seq_printf(seq, "Vendor info : %s\n",
33358 - chtostr((u8 *) (work32 + 2), 16));
33359 - seq_printf(seq, "Product info : %s\n",
33360 - chtostr((u8 *) (work32 + 6), 16));
33361 - seq_printf(seq, "Description : %s\n",
33362 - chtostr((u8 *) (work32 + 10), 16));
33363 - seq_printf(seq, "Product rev. : %s\n",
33364 - chtostr((u8 *) (work32 + 14), 8));
33365 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33366 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33367 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33368 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33369
33370 seq_printf(seq, "Serial number : ");
33371 print_serial_number(seq, (u8 *) (work32 + 16),
33372 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
33373 }
33374
33375 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33376 - seq_printf(seq, "Module name : %s\n",
33377 - chtostr(result.module_name, 24));
33378 - seq_printf(seq, "Module revision : %s\n",
33379 - chtostr(result.module_rev, 8));
33380 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33381 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33382
33383 seq_printf(seq, "Serial number : ");
33384 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33385 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
33386 return 0;
33387 }
33388
33389 - seq_printf(seq, "Device name : %s\n",
33390 - chtostr(result.device_name, 64));
33391 - seq_printf(seq, "Service name : %s\n",
33392 - chtostr(result.service_name, 64));
33393 - seq_printf(seq, "Physical name : %s\n",
33394 - chtostr(result.physical_location, 64));
33395 - seq_printf(seq, "Instance number : %s\n",
33396 - chtostr(result.instance_number, 4));
33397 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33398 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33399 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33400 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33401
33402 return 0;
33403 }
33404 diff -urNp linux-2.6.39.1/drivers/message/i2o/iop.c linux-2.6.39.1/drivers/message/i2o/iop.c
33405 --- linux-2.6.39.1/drivers/message/i2o/iop.c 2011-05-19 00:06:34.000000000 -0400
33406 +++ linux-2.6.39.1/drivers/message/i2o/iop.c 2011-05-22 19:36:31.000000000 -0400
33407 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33408
33409 spin_lock_irqsave(&c->context_list_lock, flags);
33410
33411 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33412 - atomic_inc(&c->context_list_counter);
33413 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33414 + atomic_inc_unchecked(&c->context_list_counter);
33415
33416 - entry->context = atomic_read(&c->context_list_counter);
33417 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33418
33419 list_add(&entry->list, &c->context_list);
33420
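Review bot: Switching `context_list_counter` to the `_unchecked` accessors deliberately lets it wrap, but nothing in the hunk says why that is safe, or what happens if a wrapped value matches a `context` still on `c->context_list`. A comment such as `/* ID allocator, not a reference count: wrap-around is expected and 0 is skipped */` above the `atomic_inc_and_test_unchecked()` call would record the intent. Whether lookups tolerate duplicate context values after a wrap can't be told from here, since the rest of i2o_cntxt_list_add and the lookup code are outside the hunk.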
33421 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33422
33423 #if BITS_PER_LONG == 64
33424 spin_lock_init(&c->context_list_lock);
33425 - atomic_set(&c->context_list_counter, 0);
33426 + atomic_set_unchecked(&c->context_list_counter, 0);
33427 INIT_LIST_HEAD(&c->context_list);
33428 #endif
33429
33430 diff -urNp linux-2.6.39.1/drivers/mfd/ab3100-core.c linux-2.6.39.1/drivers/mfd/ab3100-core.c
33431 --- linux-2.6.39.1/drivers/mfd/ab3100-core.c 2011-05-19 00:06:34.000000000 -0400
33432 +++ linux-2.6.39.1/drivers/mfd/ab3100-core.c 2011-05-22 19:36:31.000000000 -0400
33433 @@ -385,7 +385,7 @@ static int ab3100_event_registers_startu
33434 return 0;
33435 }
33436
33437 -static struct abx500_ops ab3100_ops = {
33438 +static const struct abx500_ops ab3100_ops = {
33439 .get_chip_id = ab3100_get_chip_id,
33440 .set_register = set_register_interruptible,
33441 .get_register = get_register_interruptible,
33442 diff -urNp linux-2.6.39.1/drivers/mfd/ab3550-core.c linux-2.6.39.1/drivers/mfd/ab3550-core.c
33443 --- linux-2.6.39.1/drivers/mfd/ab3550-core.c 2011-05-19 00:06:34.000000000 -0400
33444 +++ linux-2.6.39.1/drivers/mfd/ab3550-core.c 2011-05-22 19:36:31.000000000 -0400
33445 @@ -676,7 +676,7 @@ static int ab3550_startup_irq_enabled(st
33446 return val;
33447 }
33448
33449 -static struct abx500_ops ab3550_ops = {
33450 +static const struct abx500_ops ab3550_ops = {
33451 .get_chip_id = ab3550_get_chip_id,
33452 .get_register = ab3550_get_register_interruptible,
33453 .set_register = ab3550_set_register_interruptible,
33454 diff -urNp linux-2.6.39.1/drivers/mfd/ab8500-core.c linux-2.6.39.1/drivers/mfd/ab8500-core.c
33455 --- linux-2.6.39.1/drivers/mfd/ab8500-core.c 2011-05-19 00:06:34.000000000 -0400
33456 +++ linux-2.6.39.1/drivers/mfd/ab8500-core.c 2011-05-22 19:36:31.000000000 -0400
33457 @@ -223,7 +223,7 @@ static int ab8500_mask_and_set_register(
33458
33459 }
33460
33461 -static struct abx500_ops ab8500_ops = {
33462 +static const struct abx500_ops ab8500_ops = {
33463 .get_chip_id = ab8500_get_chip_id,
33464 .get_register = ab8500_get_register,
33465 .set_register = ab8500_set_register,
33466 diff -urNp linux-2.6.39.1/drivers/mfd/abx500-core.c linux-2.6.39.1/drivers/mfd/abx500-core.c
33467 --- linux-2.6.39.1/drivers/mfd/abx500-core.c 2011-05-19 00:06:34.000000000 -0400
33468 +++ linux-2.6.39.1/drivers/mfd/abx500-core.c 2011-05-22 19:36:31.000000000 -0400
33469 @@ -18,7 +18,7 @@ struct abx500_device_entry {
33470 struct device *dev;
33471 };
33472
33473 -static void lookup_ops(struct device *dev, struct abx500_ops **ops)
33474 +static void lookup_ops(struct device *dev, const struct abx500_ops **ops)
33475 {
33476 struct abx500_device_entry *dev_entry;
33477
33478 @@ -31,7 +31,7 @@ static void lookup_ops(struct device *de
33479 }
33480 }
33481
33482 -int abx500_register_ops(struct device *dev, struct abx500_ops *ops)
33483 +int abx500_register_ops(struct device *dev, const struct abx500_ops *ops)
33484 {
33485 struct abx500_device_entry *dev_entry;
33486
33487 @@ -65,7 +65,7 @@ EXPORT_SYMBOL(abx500_remove_ops);
33488 int abx500_set_register_interruptible(struct device *dev, u8 bank, u8 reg,
33489 u8 value)
33490 {
33491 - struct abx500_ops *ops;
33492 + const struct abx500_ops *ops;
33493
33494 lookup_ops(dev->parent, &ops);
33495 if ((ops != NULL) && (ops->set_register != NULL))
33496 @@ -78,7 +78,7 @@ EXPORT_SYMBOL(abx500_set_register_interr
33497 int abx500_get_register_interruptible(struct device *dev, u8 bank, u8 reg,
33498 u8 *value)
33499 {
33500 - struct abx500_ops *ops;
33501 + const struct abx500_ops *ops;
33502
33503 lookup_ops(dev->parent, &ops);
33504 if ((ops != NULL) && (ops->get_register != NULL))
33505 @@ -91,7 +91,7 @@ EXPORT_SYMBOL(abx500_get_register_interr
33506 int abx500_get_register_page_interruptible(struct device *dev, u8 bank,
33507 u8 first_reg, u8 *regvals, u8 numregs)
33508 {
33509 - struct abx500_ops *ops;
33510 + const struct abx500_ops *ops;
33511
33512 lookup_ops(dev->parent, &ops);
33513 if ((ops != NULL) && (ops->get_register_page != NULL))
33514 @@ -105,7 +105,7 @@ EXPORT_SYMBOL(abx500_get_register_page_i
33515 int abx500_mask_and_set_register_interruptible(struct device *dev, u8 bank,
33516 u8 reg, u8 bitmask, u8 bitvalues)
33517 {
33518 - struct abx500_ops *ops;
33519 + const struct abx500_ops *ops;
33520
33521 lookup_ops(dev->parent, &ops);
33522 if ((ops != NULL) && (ops->mask_and_set_register != NULL))
33523 @@ -118,7 +118,7 @@ EXPORT_SYMBOL(abx500_mask_and_set_regist
33524
33525 int abx500_get_chip_id(struct device *dev)
33526 {
33527 - struct abx500_ops *ops;
33528 + const struct abx500_ops *ops;
33529
33530 lookup_ops(dev->parent, &ops);
33531 if ((ops != NULL) && (ops->get_chip_id != NULL))
33532 @@ -130,7 +130,7 @@ EXPORT_SYMBOL(abx500_get_chip_id);
33533
33534 int abx500_event_registers_startup_state_get(struct device *dev, u8 *event)
33535 {
33536 - struct abx500_ops *ops;
33537 + const struct abx500_ops *ops;
33538
33539 lookup_ops(dev->parent, &ops);
33540 if ((ops != NULL) && (ops->event_registers_startup_state_get != NULL))
33541 @@ -142,7 +142,7 @@ EXPORT_SYMBOL(abx500_event_registers_sta
33542
33543 int abx500_startup_irq_enabled(struct device *dev, unsigned int irq)
33544 {
33545 - struct abx500_ops *ops;
33546 + const struct abx500_ops *ops;
33547
33548 lookup_ops(dev->parent, &ops);
33549 if ((ops != NULL) && (ops->startup_irq_enabled != NULL))
33550 diff -urNp linux-2.6.39.1/drivers/mfd/janz-cmodio.c linux-2.6.39.1/drivers/mfd/janz-cmodio.c
33551 --- linux-2.6.39.1/drivers/mfd/janz-cmodio.c 2011-05-19 00:06:34.000000000 -0400
33552 +++ linux-2.6.39.1/drivers/mfd/janz-cmodio.c 2011-05-22 19:36:31.000000000 -0400
33553 @@ -13,6 +13,7 @@
33554
33555 #include <linux/kernel.h>
33556 #include <linux/module.h>
33557 +#include <linux/slab.h>
33558 #include <linux/init.h>
33559 #include <linux/pci.h>
33560 #include <linux/interrupt.h>
33561 diff -urNp linux-2.6.39.1/drivers/mfd/mcp-sa11x0.c linux-2.6.39.1/drivers/mfd/mcp-sa11x0.c
33562 --- linux-2.6.39.1/drivers/mfd/mcp-sa11x0.c 2011-05-19 00:06:34.000000000 -0400
33563 +++ linux-2.6.39.1/drivers/mfd/mcp-sa11x0.c 2011-05-22 19:36:31.000000000 -0400
33564 @@ -128,7 +128,7 @@ static void mcp_sa11x0_disable(struct mc
33565 /*
33566 * Our methods.
33567 */
33568 -static struct mcp_ops mcp_sa11x0 = {
33569 +static const struct mcp_ops mcp_sa11x0 = {
33570 .set_telecom_divisor = mcp_sa11x0_set_telecom_divisor,
33571 .set_audio_divisor = mcp_sa11x0_set_audio_divisor,
33572 .reg_write = mcp_sa11x0_write,
33573 diff -urNp linux-2.6.39.1/drivers/mfd/wm8350-i2c.c linux-2.6.39.1/drivers/mfd/wm8350-i2c.c
33574 --- linux-2.6.39.1/drivers/mfd/wm8350-i2c.c 2011-05-19 00:06:34.000000000 -0400
33575 +++ linux-2.6.39.1/drivers/mfd/wm8350-i2c.c 2011-05-22 19:36:31.000000000 -0400
33576 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
33577 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
33578 int ret;
33579
33580 + pax_track_stack();
33581 +
33582 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
33583 return -EINVAL;
33584
33585 diff -urNp linux-2.6.39.1/drivers/misc/enclosure.c linux-2.6.39.1/drivers/misc/enclosure.c
33586 --- linux-2.6.39.1/drivers/misc/enclosure.c 2011-05-19 00:06:34.000000000 -0400
33587 +++ linux-2.6.39.1/drivers/misc/enclosure.c 2011-05-22 19:36:31.000000000 -0400
33588 @@ -161,7 +161,7 @@ enclosure_register(struct device *dev, c
33589 }
33590 EXPORT_SYMBOL_GPL(enclosure_register);
33591
33592 -static struct enclosure_component_callbacks enclosure_null_callbacks;
33593 +static const struct enclosure_component_callbacks enclosure_null_callbacks;
33594
33595 /**
33596 * enclosure_unregister - remove an enclosure
33597 diff -urNp linux-2.6.39.1/drivers/misc/kgdbts.c linux-2.6.39.1/drivers/misc/kgdbts.c
33598 --- linux-2.6.39.1/drivers/misc/kgdbts.c 2011-05-19 00:06:34.000000000 -0400
33599 +++ linux-2.6.39.1/drivers/misc/kgdbts.c 2011-05-22 19:36:31.000000000 -0400
33600 @@ -118,7 +118,7 @@
33601 } while (0)
33602 #define MAX_CONFIG_LEN 40
33603
33604 -static struct kgdb_io kgdbts_io_ops;
33605 +static const struct kgdb_io kgdbts_io_ops;
33606 static char get_buf[BUFMAX];
33607 static int get_buf_cnt;
33608 static char put_buf[BUFMAX];
33609 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
33610 module_put(THIS_MODULE);
33611 }
33612
33613 -static struct kgdb_io kgdbts_io_ops = {
33614 +static const struct kgdb_io kgdbts_io_ops = {
33615 .name = "kgdbts",
33616 .read_char = kgdbts_get_char,
33617 .write_char = kgdbts_put_char,
33618 diff -urNp linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.c linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.c
33619 --- linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-19 00:06:34.000000000 -0400
33620 +++ linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-22 19:36:31.000000000 -0400
33621 @@ -435,7 +435,7 @@ static irqreturn_t lis302dl_interrupt(in
33622 * the lid is closed. This leads to interrupts as soon as a little move
33623 * is done.
33624 */
33625 - atomic_inc(&lis3_dev.count);
33626 + atomic_inc_unchecked(&lis3_dev.count);
33627
33628 wake_up_interruptible(&lis3_dev.misc_wait);
33629 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
33630 @@ -518,7 +518,7 @@ static int lis3lv02d_misc_open(struct in
33631 if (lis3_dev.pm_dev)
33632 pm_runtime_get_sync(lis3_dev.pm_dev);
33633
33634 - atomic_set(&lis3_dev.count, 0);
33635 + atomic_set_unchecked(&lis3_dev.count, 0);
33636 return 0;
33637 }
33638
33639 @@ -545,7 +545,7 @@ static ssize_t lis3lv02d_misc_read(struc
33640 add_wait_queue(&lis3_dev.misc_wait, &wait);
33641 while (true) {
33642 set_current_state(TASK_INTERRUPTIBLE);
33643 - data = atomic_xchg(&lis3_dev.count, 0);
33644 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
33645 if (data)
33646 break;
33647
33648 @@ -583,7 +583,7 @@ out:
33649 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
33650 {
33651 poll_wait(file, &lis3_dev.misc_wait, wait);
33652 - if (atomic_read(&lis3_dev.count))
33653 + if (atomic_read_unchecked(&lis3_dev.count))
33654 return POLLIN | POLLRDNORM;
33655 return 0;
33656 }
33657 diff -urNp linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.h linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.h
33658 --- linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-19 00:06:34.000000000 -0400
33659 +++ linux-2.6.39.1/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-22 19:36:31.000000000 -0400
33660 @@ -265,7 +265,7 @@ struct lis3lv02d {
33661 struct input_polled_dev *idev; /* input device */
33662 struct platform_device *pdev; /* platform device */
33663 struct regulator_bulk_data regulators[2];
33664 - atomic_t count; /* interrupt count after last read */
33665 + atomic_unchecked_t count; /* interrupt count after last read */
33666 union axis_conversion ac; /* hw -> logical axis */
33667 int mapped_btns[3];
33668
33669 diff -urNp linux-2.6.39.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.39.1/drivers/misc/sgi-gru/gruhandles.c
33670 --- linux-2.6.39.1/drivers/misc/sgi-gru/gruhandles.c 2011-05-19 00:06:34.000000000 -0400
33671 +++ linux-2.6.39.1/drivers/misc/sgi-gru/gruhandles.c 2011-05-22 19:36:31.000000000 -0400
33672 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
33673 unsigned long nsec;
33674
33675 nsec = CLKS2NSEC(clks);
33676 - atomic_long_inc(&mcs_op_statistics[op].count);
33677 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
33678 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
33679 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
33680 if (mcs_op_statistics[op].max < nsec)
33681 mcs_op_statistics[op].max = nsec;
33682 }
33683 diff -urNp linux-2.6.39.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.39.1/drivers/misc/sgi-gru/gruprocfs.c
33684 --- linux-2.6.39.1/drivers/misc/sgi-gru/gruprocfs.c 2011-05-19 00:06:34.000000000 -0400
33685 +++ linux-2.6.39.1/drivers/misc/sgi-gru/gruprocfs.c 2011-05-22 19:36:31.000000000 -0400
33686 @@ -32,9 +32,9 @@
33687
33688 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
33689
33690 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
33691 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
33692 {
33693 - unsigned long val = atomic_long_read(v);
33694 + unsigned long val = atomic_long_read_unchecked(v);
33695
33696 seq_printf(s, "%16lu %s\n", val, id);
33697 }
33698 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
33699
33700 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
33701 for (op = 0; op < mcsop_last; op++) {
33702 - count = atomic_long_read(&mcs_op_statistics[op].count);
33703 - total = atomic_long_read(&mcs_op_statistics[op].total);
33704 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
33705 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
33706 max = mcs_op_statistics[op].max;
33707 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
33708 count ? total / count : 0, max);
33709 diff -urNp linux-2.6.39.1/drivers/misc/sgi-gru/grutables.h linux-2.6.39.1/drivers/misc/sgi-gru/grutables.h
33710 --- linux-2.6.39.1/drivers/misc/sgi-gru/grutables.h 2011-05-19 00:06:34.000000000 -0400
33711 +++ linux-2.6.39.1/drivers/misc/sgi-gru/grutables.h 2011-05-22 19:36:31.000000000 -0400
33712 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
33713 * GRU statistics.
33714 */
33715 struct gru_stats_s {
33716 - atomic_long_t vdata_alloc;
33717 - atomic_long_t vdata_free;
33718 - atomic_long_t gts_alloc;
33719 - atomic_long_t gts_free;
33720 - atomic_long_t gms_alloc;
33721 - atomic_long_t gms_free;
33722 - atomic_long_t gts_double_allocate;
33723 - atomic_long_t assign_context;
33724 - atomic_long_t assign_context_failed;
33725 - atomic_long_t free_context;
33726 - atomic_long_t load_user_context;
33727 - atomic_long_t load_kernel_context;
33728 - atomic_long_t lock_kernel_context;
33729 - atomic_long_t unlock_kernel_context;
33730 - atomic_long_t steal_user_context;
33731 - atomic_long_t steal_kernel_context;
33732 - atomic_long_t steal_context_failed;
33733 - atomic_long_t nopfn;
33734 - atomic_long_t asid_new;
33735 - atomic_long_t asid_next;
33736 - atomic_long_t asid_wrap;
33737 - atomic_long_t asid_reuse;
33738 - atomic_long_t intr;
33739 - atomic_long_t intr_cbr;
33740 - atomic_long_t intr_tfh;
33741 - atomic_long_t intr_spurious;
33742 - atomic_long_t intr_mm_lock_failed;
33743 - atomic_long_t call_os;
33744 - atomic_long_t call_os_wait_queue;
33745 - atomic_long_t user_flush_tlb;
33746 - atomic_long_t user_unload_context;
33747 - atomic_long_t user_exception;
33748 - atomic_long_t set_context_option;
33749 - atomic_long_t check_context_retarget_intr;
33750 - atomic_long_t check_context_unload;
33751 - atomic_long_t tlb_dropin;
33752 - atomic_long_t tlb_preload_page;
33753 - atomic_long_t tlb_dropin_fail_no_asid;
33754 - atomic_long_t tlb_dropin_fail_upm;
33755 - atomic_long_t tlb_dropin_fail_invalid;
33756 - atomic_long_t tlb_dropin_fail_range_active;
33757 - atomic_long_t tlb_dropin_fail_idle;
33758 - atomic_long_t tlb_dropin_fail_fmm;
33759 - atomic_long_t tlb_dropin_fail_no_exception;
33760 - atomic_long_t tfh_stale_on_fault;
33761 - atomic_long_t mmu_invalidate_range;
33762 - atomic_long_t mmu_invalidate_page;
33763 - atomic_long_t flush_tlb;
33764 - atomic_long_t flush_tlb_gru;
33765 - atomic_long_t flush_tlb_gru_tgh;
33766 - atomic_long_t flush_tlb_gru_zero_asid;
33767 -
33768 - atomic_long_t copy_gpa;
33769 - atomic_long_t read_gpa;
33770 -
33771 - atomic_long_t mesq_receive;
33772 - atomic_long_t mesq_receive_none;
33773 - atomic_long_t mesq_send;
33774 - atomic_long_t mesq_send_failed;
33775 - atomic_long_t mesq_noop;
33776 - atomic_long_t mesq_send_unexpected_error;
33777 - atomic_long_t mesq_send_lb_overflow;
33778 - atomic_long_t mesq_send_qlimit_reached;
33779 - atomic_long_t mesq_send_amo_nacked;
33780 - atomic_long_t mesq_send_put_nacked;
33781 - atomic_long_t mesq_page_overflow;
33782 - atomic_long_t mesq_qf_locked;
33783 - atomic_long_t mesq_qf_noop_not_full;
33784 - atomic_long_t mesq_qf_switch_head_failed;
33785 - atomic_long_t mesq_qf_unexpected_error;
33786 - atomic_long_t mesq_noop_unexpected_error;
33787 - atomic_long_t mesq_noop_lb_overflow;
33788 - atomic_long_t mesq_noop_qlimit_reached;
33789 - atomic_long_t mesq_noop_amo_nacked;
33790 - atomic_long_t mesq_noop_put_nacked;
33791 - atomic_long_t mesq_noop_page_overflow;
33792 + atomic_long_unchecked_t vdata_alloc;
33793 + atomic_long_unchecked_t vdata_free;
33794 + atomic_long_unchecked_t gts_alloc;
33795 + atomic_long_unchecked_t gts_free;
33796 + atomic_long_unchecked_t gms_alloc;
33797 + atomic_long_unchecked_t gms_free;
33798 + atomic_long_unchecked_t gts_double_allocate;
33799 + atomic_long_unchecked_t assign_context;
33800 + atomic_long_unchecked_t assign_context_failed;
33801 + atomic_long_unchecked_t free_context;
33802 + atomic_long_unchecked_t load_user_context;
33803 + atomic_long_unchecked_t load_kernel_context;
33804 + atomic_long_unchecked_t lock_kernel_context;
33805 + atomic_long_unchecked_t unlock_kernel_context;
33806 + atomic_long_unchecked_t steal_user_context;
33807 + atomic_long_unchecked_t steal_kernel_context;
33808 + atomic_long_unchecked_t steal_context_failed;
33809 + atomic_long_unchecked_t nopfn;
33810 + atomic_long_unchecked_t asid_new;
33811 + atomic_long_unchecked_t asid_next;
33812 + atomic_long_unchecked_t asid_wrap;
33813 + atomic_long_unchecked_t asid_reuse;
33814 + atomic_long_unchecked_t intr;
33815 + atomic_long_unchecked_t intr_cbr;
33816 + atomic_long_unchecked_t intr_tfh;
33817 + atomic_long_unchecked_t intr_spurious;
33818 + atomic_long_unchecked_t intr_mm_lock_failed;
33819 + atomic_long_unchecked_t call_os;
33820 + atomic_long_unchecked_t call_os_wait_queue;
33821 + atomic_long_unchecked_t user_flush_tlb;
33822 + atomic_long_unchecked_t user_unload_context;
33823 + atomic_long_unchecked_t user_exception;
33824 + atomic_long_unchecked_t set_context_option;
33825 + atomic_long_unchecked_t check_context_retarget_intr;
33826 + atomic_long_unchecked_t check_context_unload;
33827 + atomic_long_unchecked_t tlb_dropin;
33828 + atomic_long_unchecked_t tlb_preload_page;
33829 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
33830 + atomic_long_unchecked_t tlb_dropin_fail_upm;
33831 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
33832 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
33833 + atomic_long_unchecked_t tlb_dropin_fail_idle;
33834 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
33835 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
33836 + atomic_long_unchecked_t tfh_stale_on_fault;
33837 + atomic_long_unchecked_t mmu_invalidate_range;
33838 + atomic_long_unchecked_t mmu_invalidate_page;
33839 + atomic_long_unchecked_t flush_tlb;
33840 + atomic_long_unchecked_t flush_tlb_gru;
33841 + atomic_long_unchecked_t flush_tlb_gru_tgh;
33842 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
33843 +
33844 + atomic_long_unchecked_t copy_gpa;
33845 + atomic_long_unchecked_t read_gpa;
33846 +
33847 + atomic_long_unchecked_t mesq_receive;
33848 + atomic_long_unchecked_t mesq_receive_none;
33849 + atomic_long_unchecked_t mesq_send;
33850 + atomic_long_unchecked_t mesq_send_failed;
33851 + atomic_long_unchecked_t mesq_noop;
33852 + atomic_long_unchecked_t mesq_send_unexpected_error;
33853 + atomic_long_unchecked_t mesq_send_lb_overflow;
33854 + atomic_long_unchecked_t mesq_send_qlimit_reached;
33855 + atomic_long_unchecked_t mesq_send_amo_nacked;
33856 + atomic_long_unchecked_t mesq_send_put_nacked;
33857 + atomic_long_unchecked_t mesq_page_overflow;
33858 + atomic_long_unchecked_t mesq_qf_locked;
33859 + atomic_long_unchecked_t mesq_qf_noop_not_full;
33860 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
33861 + atomic_long_unchecked_t mesq_qf_unexpected_error;
33862 + atomic_long_unchecked_t mesq_noop_unexpected_error;
33863 + atomic_long_unchecked_t mesq_noop_lb_overflow;
33864 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
33865 + atomic_long_unchecked_t mesq_noop_amo_nacked;
33866 + atomic_long_unchecked_t mesq_noop_put_nacked;
33867 + atomic_long_unchecked_t mesq_noop_page_overflow;
33868
33869 };
33870
33871 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
33872 tghop_invalidate, mcsop_last};
33873
33874 struct mcs_op_statistic {
33875 - atomic_long_t count;
33876 - atomic_long_t total;
33877 + atomic_long_unchecked_t count;
33878 + atomic_long_unchecked_t total;
33879 unsigned long max;
33880 };
33881
33882 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
33883
33884 #define STAT(id) do { \
33885 if (gru_options & OPT_STATS) \
33886 - atomic_long_inc(&gru_stats.id); \
33887 + atomic_long_inc_unchecked(&gru_stats.id); \
33888 } while (0)
33889
33890 #ifdef CONFIG_SGI_GRU_DEBUG
33891 diff -urNp linux-2.6.39.1/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.39.1/drivers/misc/sgi-xp/xpc_sn2.c
33892 --- linux-2.6.39.1/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-19 00:06:34.000000000 -0400
33893 +++ linux-2.6.39.1/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-22 19:36:31.000000000 -0400
33894 @@ -2351,7 +2351,7 @@ xpc_received_payload_sn2(struct xpc_chan
33895 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
33896 }
33897
33898 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
33899 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
33900 .setup_partitions = xpc_setup_partitions_sn2,
33901 .teardown_partitions = xpc_teardown_partitions_sn2,
33902 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
33903 diff -urNp linux-2.6.39.1/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.39.1/drivers/misc/sgi-xp/xpc_uv.c
33904 --- linux-2.6.39.1/drivers/misc/sgi-xp/xpc_uv.c 2011-05-19 00:06:34.000000000 -0400
33905 +++ linux-2.6.39.1/drivers/misc/sgi-xp/xpc_uv.c 2011-05-22 19:36:31.000000000 -0400
33906 @@ -1674,7 +1674,7 @@ xpc_received_payload_uv(struct xpc_chann
33907 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
33908 }
33909
33910 -static struct xpc_arch_operations xpc_arch_ops_uv = {
33911 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
33912 .setup_partitions = xpc_setup_partitions_uv,
33913 .teardown_partitions = xpc_teardown_partitions_uv,
33914 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
33915 diff -urNp linux-2.6.39.1/drivers/misc/spear13xx_pcie_gadget.c linux-2.6.39.1/drivers/misc/spear13xx_pcie_gadget.c
33916 --- linux-2.6.39.1/drivers/misc/spear13xx_pcie_gadget.c 2011-05-19 00:06:34.000000000 -0400
33917 +++ linux-2.6.39.1/drivers/misc/spear13xx_pcie_gadget.c 2011-05-22 19:36:31.000000000 -0400
33918 @@ -644,7 +644,7 @@ static ssize_t pcie_gadget_target_attr_s
33919 return ret;
33920 }
33921
33922 -static struct configfs_item_operations pcie_gadget_target_item_ops = {
33923 +static const struct configfs_item_operations pcie_gadget_target_item_ops = {
33924 .show_attribute = pcie_gadget_target_attr_show,
33925 .store_attribute = pcie_gadget_target_attr_store,
33926 };
33927 diff -urNp linux-2.6.39.1/drivers/mmc/host/davinci_mmc.c linux-2.6.39.1/drivers/mmc/host/davinci_mmc.c
33928 --- linux-2.6.39.1/drivers/mmc/host/davinci_mmc.c 2011-05-19 00:06:34.000000000 -0400
33929 +++ linux-2.6.39.1/drivers/mmc/host/davinci_mmc.c 2011-05-22 19:36:31.000000000 -0400
33930 @@ -1133,7 +1133,7 @@ static void mmc_davinci_enable_sdio_irq(
33931 }
33932 }
33933
33934 -static struct mmc_host_ops mmc_davinci_ops = {
33935 +static const struct mmc_host_ops mmc_davinci_ops = {
33936 .request = mmc_davinci_request,
33937 .set_ios = mmc_davinci_set_ios,
33938 .get_cd = mmc_davinci_get_cd,
33939 diff -urNp linux-2.6.39.1/drivers/mmc/host/dw_mmc.c linux-2.6.39.1/drivers/mmc/host/dw_mmc.c
33940 --- linux-2.6.39.1/drivers/mmc/host/dw_mmc.c 2011-05-19 00:06:34.000000000 -0400
33941 +++ linux-2.6.39.1/drivers/mmc/host/dw_mmc.c 2011-05-22 19:36:31.000000000 -0400
33942 @@ -417,7 +417,7 @@ static int dw_mci_idmac_init(struct dw_m
33943 return 0;
33944 }
33945
33946 -static struct dw_mci_dma_ops dw_mci_idmac_ops = {
33947 +static const struct dw_mci_dma_ops dw_mci_idmac_ops = {
33948 .init = dw_mci_idmac_init,
33949 .start = dw_mci_idmac_start_dma,
33950 .stop = dw_mci_idmac_stop_dma,
33951 diff -urNp linux-2.6.39.1/drivers/mmc/host/s3cmci.c linux-2.6.39.1/drivers/mmc/host/s3cmci.c
33952 --- linux-2.6.39.1/drivers/mmc/host/s3cmci.c 2011-05-19 00:06:34.000000000 -0400
33953 +++ linux-2.6.39.1/drivers/mmc/host/s3cmci.c 2011-05-22 19:36:31.000000000 -0400
33954 @@ -1349,7 +1349,7 @@ static void s3cmci_enable_sdio_irq(struc
33955 s3cmci_check_sdio_irq(host);
33956 }
33957
33958 -static struct mmc_host_ops s3cmci_ops = {
33959 +static const struct mmc_host_ops s3cmci_ops = {
33960 .request = s3cmci_request,
33961 .set_ios = s3cmci_set_ios,
33962 .get_ro = s3cmci_get_ro,
33963 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-cns3xxx.c linux-2.6.39.1/drivers/mmc/host/sdhci-cns3xxx.c
33964 --- linux-2.6.39.1/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-19 00:06:34.000000000 -0400
33965 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-22 19:36:31.000000000 -0400
33966 @@ -81,7 +81,7 @@ out:
33967 host->clock = clock;
33968 }
33969
33970 -static struct sdhci_ops sdhci_cns3xxx_ops = {
33971 +static const struct sdhci_ops sdhci_cns3xxx_ops = {
33972 .get_max_clock = sdhci_cns3xxx_get_max_clk,
33973 .set_clock = sdhci_cns3xxx_set_clock,
33974 };
33975 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-dove.c linux-2.6.39.1/drivers/mmc/host/sdhci-dove.c
33976 --- linux-2.6.39.1/drivers/mmc/host/sdhci-dove.c 2011-05-19 00:06:34.000000000 -0400
33977 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-dove.c 2011-05-22 19:36:31.000000000 -0400
33978 @@ -56,7 +56,7 @@ static u32 sdhci_dove_readl(struct sdhci
33979 return ret;
33980 }
33981
33982 -static struct sdhci_ops sdhci_dove_ops = {
33983 +static const struct sdhci_ops sdhci_dove_ops = {
33984 .read_w = sdhci_dove_readw,
33985 .read_l = sdhci_dove_readl,
33986 };
33987 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-esdhc-imx.c linux-2.6.39.1/drivers/mmc/host/sdhci-esdhc-imx.c
33988 --- linux-2.6.39.1/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-19 00:06:34.000000000 -0400
33989 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-22 19:36:31.000000000 -0400
33990 @@ -201,7 +201,7 @@ static unsigned int esdhc_pltfm_get_ro(s
33991 return -ENOSYS;
33992 }
33993
33994 -static struct sdhci_ops sdhci_esdhc_ops = {
33995 +static const struct sdhci_ops sdhci_esdhc_ops = {
33996 .read_l = esdhc_readl_le,
33997 .read_w = esdhc_readw_le,
33998 .write_l = esdhc_writel_le,
33999 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-of.h linux-2.6.39.1/drivers/mmc/host/sdhci-of.h
34000 --- linux-2.6.39.1/drivers/mmc/host/sdhci-of.h 2011-05-19 00:06:34.000000000 -0400
34001 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-of.h 2011-05-22 19:36:31.000000000 -0400
34002 @@ -21,7 +21,7 @@
34003
34004 struct sdhci_of_data {
34005 unsigned int quirks;
34006 - struct sdhci_ops ops;
34007 + const struct sdhci_ops ops;
34008 };
34009
34010 struct sdhci_of_host {
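Review bot: Qualifying the embedded member as `const struct sdhci_ops ops;` does not by itself put the function pointers in read-only memory; that depends on how each `struct sdhci_of_data` object is defined, and those definitions are outside this hunk. The const member also makes the whole struct non-assignable, so any code that fills a `sdhci_of_data` at run time would stop compiling. A short comment on the member, for example `/* const: instances must be statically initialised and declared const */`, would record the intent, and the instance definitions should be checked for a matching `const`.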
34011 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-pci.c linux-2.6.39.1/drivers/mmc/host/sdhci-pci.c
34012 --- linux-2.6.39.1/drivers/mmc/host/sdhci-pci.c 2011-05-19 00:06:34.000000000 -0400
34013 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-pci.c 2011-05-22 19:36:31.000000000 -0400
34014 @@ -786,7 +786,7 @@ static int sdhci_pci_enable_dma(struct s
34015 return 0;
34016 }
34017
34018 -static struct sdhci_ops sdhci_pci_ops = {
34019 +static const struct sdhci_ops sdhci_pci_ops = {
34020 .enable_dma = sdhci_pci_enable_dma,
34021 };
34022
34023 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-pltfm.c linux-2.6.39.1/drivers/mmc/host/sdhci-pltfm.c
34024 --- linux-2.6.39.1/drivers/mmc/host/sdhci-pltfm.c 2011-05-19 00:06:34.000000000 -0400
34025 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-pltfm.c 2011-05-22 19:36:31.000000000 -0400
34026 @@ -41,7 +41,7 @@
34027 * *
34028 \*****************************************************************************/
34029
34030 -static struct sdhci_ops sdhci_pltfm_ops = {
34031 +static const struct sdhci_ops sdhci_pltfm_ops = {
34032 };
34033
34034 /*****************************************************************************\
34035 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-pxa.c linux-2.6.39.1/drivers/mmc/host/sdhci-pxa.c
34036 --- linux-2.6.39.1/drivers/mmc/host/sdhci-pxa.c 2011-05-19 00:06:34.000000000 -0400
34037 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-pxa.c 2011-05-22 19:36:31.000000000 -0400
34038 @@ -69,7 +69,7 @@ static void set_clock(struct sdhci_host
34039 }
34040 }
34041
34042 -static struct sdhci_ops sdhci_pxa_ops = {
34043 +static const struct sdhci_ops sdhci_pxa_ops = {
34044 .set_clock = set_clock,
34045 };
34046
34047 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-s3c.c linux-2.6.39.1/drivers/mmc/host/sdhci-s3c.c
34048 --- linux-2.6.39.1/drivers/mmc/host/sdhci-s3c.c 2011-05-19 00:06:34.000000000 -0400
34049 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-s3c.c 2011-05-22 19:36:31.000000000 -0400
34050 @@ -309,7 +309,7 @@ static int sdhci_s3c_platform_8bit_width
34051 return 0;
34052 }
34053
34054 -static struct sdhci_ops sdhci_s3c_ops = {
34055 +static const struct sdhci_ops sdhci_s3c_ops = {
34056 .get_max_clock = sdhci_s3c_get_max_clk,
34057 .set_clock = sdhci_s3c_set_clock,
34058 .get_min_clock = sdhci_s3c_get_min_clock,
34059 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-spear.c linux-2.6.39.1/drivers/mmc/host/sdhci-spear.c
34060 --- linux-2.6.39.1/drivers/mmc/host/sdhci-spear.c 2011-05-19 00:06:34.000000000 -0400
34061 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-spear.c 2011-05-22 19:36:31.000000000 -0400
34062 @@ -32,7 +32,7 @@ struct spear_sdhci {
34063 };
34064
34065 /* sdhci ops */
34066 -static struct sdhci_ops sdhci_pltfm_ops = {
34067 +static const struct sdhci_ops sdhci_pltfm_ops = {
34068 /* Nothing to do for now. */
34069 };
34070
34071 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdhci-tegra.c linux-2.6.39.1/drivers/mmc/host/sdhci-tegra.c
34072 --- linux-2.6.39.1/drivers/mmc/host/sdhci-tegra.c 2011-05-19 00:06:34.000000000 -0400
34073 +++ linux-2.6.39.1/drivers/mmc/host/sdhci-tegra.c 2011-05-22 19:36:31.000000000 -0400
34074 @@ -242,7 +242,7 @@ static void tegra_sdhci_pltfm_exit(struc
34075 clk_put(pltfm_host->clk);
34076 }
34077
34078 -static struct sdhci_ops tegra_sdhci_ops = {
34079 +static const struct sdhci_ops tegra_sdhci_ops = {
34080 .get_ro = tegra_sdhci_get_ro,
34081 .read_l = tegra_sdhci_readl,
34082 .read_w = tegra_sdhci_readw,
34083 diff -urNp linux-2.6.39.1/drivers/mmc/host/sdricoh_cs.c linux-2.6.39.1/drivers/mmc/host/sdricoh_cs.c
34084 --- linux-2.6.39.1/drivers/mmc/host/sdricoh_cs.c 2011-05-19 00:06:34.000000000 -0400
34085 +++ linux-2.6.39.1/drivers/mmc/host/sdricoh_cs.c 2011-05-22 19:36:31.000000000 -0400
34086 @@ -387,7 +387,7 @@ static int sdricoh_get_ro(struct mmc_hos
34087 return (status & STATUS_CARD_LOCKED);
34088 }
34089
34090 -static struct mmc_host_ops sdricoh_ops = {
34091 +static const struct mmc_host_ops sdricoh_ops = {
34092 .request = sdricoh_request,
34093 .set_ios = sdricoh_set_ios,
34094 .get_ro = sdricoh_get_ro,
34095 diff -urNp linux-2.6.39.1/drivers/mmc/host/sh_mmcif.c linux-2.6.39.1/drivers/mmc/host/sh_mmcif.c
34096 --- linux-2.6.39.1/drivers/mmc/host/sh_mmcif.c 2011-05-19 00:06:34.000000000 -0400
34097 +++ linux-2.6.39.1/drivers/mmc/host/sh_mmcif.c 2011-05-22 19:36:31.000000000 -0400
34098 @@ -872,7 +872,7 @@ static int sh_mmcif_get_cd(struct mmc_ho
34099 return p->get_cd(host->pd);
34100 }
34101
34102 -static struct mmc_host_ops sh_mmcif_ops = {
34103 +static const struct mmc_host_ops sh_mmcif_ops = {
34104 .request = sh_mmcif_request,
34105 .set_ios = sh_mmcif_set_ios,
34106 .get_cd = sh_mmcif_get_cd,
34107 diff -urNp linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0001.c
34108 --- linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-19 00:06:34.000000000 -0400
34109 +++ linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-22 19:36:31.000000000 -0400
34110 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
34111 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34112 unsigned long timeo = jiffies + HZ;
34113
34114 + pax_track_stack();
34115 +
34116 /* Prevent setting state FL_SYNCING for chip in suspended state. */
34117 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34118 goto sleep;
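Review bot: The `pax_track_stack();` call added at the top of chip_ready has no comment saying why this function was picked. The same bare call recurs in the other hunks of this file and in the cfi_cmdset_0020.c, ftl.c, inftlcore.c, inftlmount.c, qinfo_probe.c, mtdchar.c, nftlcore.c, nftlmount.c, bnx2.c, bnx2x_ethtool.c, cxgb4 and 6pack.c hunks. In a few of them a sizeable on-stack object is visible (`struct msix_entry entries[MAX_INGQ + 1]`, `u8 vpd[VPD_LEN]`, `unsigned char buf[512]`), which is presumably the reason, but here and in most others the locals that motivate it are outside the hunk. Because the call is placed by hand, a later change to the frame size will not update it; a one-line comment such as `/* large stack frame: keep PaX stack tracking in sync */` beside each call would make that dependency reviewable. The helper's definition is not in this part of the patch, so its exact contract should be confirmed there.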
34119 @@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
34120 unsigned long initial_adr;
34121 int initial_len = len;
34122
34123 + pax_track_stack();
34124 +
34125 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34126 adr += chip->start;
34127 initial_adr = adr;
34128 @@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
34129 int retries = 3;
34130 int ret;
34131
34132 + pax_track_stack();
34133 +
34134 adr += chip->start;
34135
34136 retry:
34137 diff -urNp linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0020.c
34138 --- linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-19 00:06:34.000000000 -0400
34139 +++ linux-2.6.39.1/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-22 19:36:31.000000000 -0400
34140 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34141 unsigned long cmd_addr;
34142 struct cfi_private *cfi = map->fldrv_priv;
34143
34144 + pax_track_stack();
34145 +
34146 adr += chip->start;
34147
34148 /* Ensure cmd read/writes are aligned. */
34149 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34150 DECLARE_WAITQUEUE(wait, current);
34151 int wbufsize, z;
34152
34153 + pax_track_stack();
34154 +
34155 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34156 if (adr & (map_bankwidth(map)-1))
34157 return -EINVAL;
34158 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34159 DECLARE_WAITQUEUE(wait, current);
34160 int ret = 0;
34161
34162 + pax_track_stack();
34163 +
34164 adr += chip->start;
34165
34166 /* Let's determine this according to the interleave only once */
34167 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34168 unsigned long timeo = jiffies + HZ;
34169 DECLARE_WAITQUEUE(wait, current);
34170
34171 + pax_track_stack();
34172 +
34173 adr += chip->start;
34174
34175 /* Let's determine this according to the interleave only once */
34176 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34177 unsigned long timeo = jiffies + HZ;
34178 DECLARE_WAITQUEUE(wait, current);
34179
34180 + pax_track_stack();
34181 +
34182 adr += chip->start;
34183
34184 /* Let's determine this according to the interleave only once */
34185 diff -urNp linux-2.6.39.1/drivers/mtd/devices/doc2000.c linux-2.6.39.1/drivers/mtd/devices/doc2000.c
34186 --- linux-2.6.39.1/drivers/mtd/devices/doc2000.c 2011-05-19 00:06:34.000000000 -0400
34187 +++ linux-2.6.39.1/drivers/mtd/devices/doc2000.c 2011-05-22 19:36:31.000000000 -0400
34188 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34189
34190 /* The ECC will not be calculated correctly if less than 512 is written */
34191 /* DBB-
34192 - if (len != 0x200 && eccbuf)
34193 + if (len != 0x200)
34194 printk(KERN_WARNING
34195 "ECC needs a full sector write (adr: %lx size %lx)\n",
34196 (long) to, (long) len);
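Review bot: The changed condition `if (len != 0x200)` appears to sit inside a block comment, because the context line above it is `/* DBB-` with no terminator visible in the hunk; if so, this edit changes disabled code only. In that case it merely drops the reference to `eccbuf` from dead text, and deleting the commented-out warning would be clearer than keeping it in step with the live code. The comment's closing marker and the rest of doc_write are outside the hunk, so this should be confirmed against the full file.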
34197 diff -urNp linux-2.6.39.1/drivers/mtd/devices/doc2001.c linux-2.6.39.1/drivers/mtd/devices/doc2001.c
34198 --- linux-2.6.39.1/drivers/mtd/devices/doc2001.c 2011-05-19 00:06:34.000000000 -0400
34199 +++ linux-2.6.39.1/drivers/mtd/devices/doc2001.c 2011-05-22 19:36:31.000000000 -0400
34200 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34201 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34202
34203 /* Don't allow read past end of device */
34204 - if (from >= this->totlen)
34205 + if (from >= this->totlen || !len)
34206 return -EINVAL;
34207
34208 /* Don't allow a single read to cross a 512-byte block boundary */
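Review bot: The comment above the check still reads `/* Don't allow read past end of device */` although the condition now also rejects a zero-length request; `/* Reject reads starting past the end of the device and zero-length reads */` would match the code. Returning -EINVAL for `len == 0` may be a behaviour change for callers that previously got an empty read back, which deserves a mention in that comment if it is intended. Separately, `mychip` is initialised from `from >> (this->chipshift)` on the context line before `from` is compared with `this->totlen`; it is only an address computation at that point, but assigning it after the check would keep the index in range. doc_read continues outside the hunk.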
34209 diff -urNp linux-2.6.39.1/drivers/mtd/ftl.c linux-2.6.39.1/drivers/mtd/ftl.c
34210 --- linux-2.6.39.1/drivers/mtd/ftl.c 2011-05-19 00:06:34.000000000 -0400
34211 +++ linux-2.6.39.1/drivers/mtd/ftl.c 2011-05-22 19:36:31.000000000 -0400
34212 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34213 loff_t offset;
34214 uint16_t srcunitswap = cpu_to_le16(srcunit);
34215
34216 + pax_track_stack();
34217 +
34218 eun = &part->EUNInfo[srcunit];
34219 xfer = &part->XferInfo[xferunit];
34220 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34221 diff -urNp linux-2.6.39.1/drivers/mtd/inftlcore.c linux-2.6.39.1/drivers/mtd/inftlcore.c
34222 --- linux-2.6.39.1/drivers/mtd/inftlcore.c 2011-05-19 00:06:34.000000000 -0400
34223 +++ linux-2.6.39.1/drivers/mtd/inftlcore.c 2011-05-22 19:36:31.000000000 -0400
34224 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
34225 struct inftl_oob oob;
34226 size_t retlen;
34227
34228 + pax_track_stack();
34229 +
34230 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34231 "pending=%d)\n", inftl, thisVUC, pendingblock);
34232
34233 diff -urNp linux-2.6.39.1/drivers/mtd/inftlmount.c linux-2.6.39.1/drivers/mtd/inftlmount.c
34234 --- linux-2.6.39.1/drivers/mtd/inftlmount.c 2011-05-19 00:06:34.000000000 -0400
34235 +++ linux-2.6.39.1/drivers/mtd/inftlmount.c 2011-05-22 19:36:31.000000000 -0400
34236 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
34237 struct INFTLPartition *ip;
34238 size_t retlen;
34239
34240 + pax_track_stack();
34241 +
34242 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34243
34244 /*
34245 diff -urNp linux-2.6.39.1/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.39.1/drivers/mtd/lpddr/qinfo_probe.c
34246 --- linux-2.6.39.1/drivers/mtd/lpddr/qinfo_probe.c 2011-05-19 00:06:34.000000000 -0400
34247 +++ linux-2.6.39.1/drivers/mtd/lpddr/qinfo_probe.c 2011-05-22 19:36:31.000000000 -0400
34248 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34249 {
34250 map_word pfow_val[4];
34251
34252 + pax_track_stack();
34253 +
34254 /* Check identification string */
34255 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34256 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34257 diff -urNp linux-2.6.39.1/drivers/mtd/mtdchar.c linux-2.6.39.1/drivers/mtd/mtdchar.c
34258 --- linux-2.6.39.1/drivers/mtd/mtdchar.c 2011-05-19 00:06:34.000000000 -0400
34259 +++ linux-2.6.39.1/drivers/mtd/mtdchar.c 2011-05-22 19:36:31.000000000 -0400
34260 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
34261 u_long size;
34262 struct mtd_info_user info;
34263
34264 + pax_track_stack();
34265 +
34266 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34267
34268 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34269 diff -urNp linux-2.6.39.1/drivers/mtd/nand/denali.c linux-2.6.39.1/drivers/mtd/nand/denali.c
34270 --- linux-2.6.39.1/drivers/mtd/nand/denali.c 2011-05-19 00:06:34.000000000 -0400
34271 +++ linux-2.6.39.1/drivers/mtd/nand/denali.c 2011-05-22 19:36:31.000000000 -0400
34272 @@ -25,6 +25,7 @@
34273 #include <linux/pci.h>
34274 #include <linux/mtd/mtd.h>
34275 #include <linux/module.h>
34276 +#include <linux/slab.h>
34277
34278 #include "denali.h"
34279
34280 diff -urNp linux-2.6.39.1/drivers/mtd/nftlcore.c linux-2.6.39.1/drivers/mtd/nftlcore.c
34281 --- linux-2.6.39.1/drivers/mtd/nftlcore.c 2011-05-19 00:06:34.000000000 -0400
34282 +++ linux-2.6.39.1/drivers/mtd/nftlcore.c 2011-05-22 19:36:31.000000000 -0400
34283 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
34284 int inplace = 1;
34285 size_t retlen;
34286
34287 + pax_track_stack();
34288 +
34289 memset(BlockMap, 0xff, sizeof(BlockMap));
34290 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34291
34292 diff -urNp linux-2.6.39.1/drivers/mtd/nftlmount.c linux-2.6.39.1/drivers/mtd/nftlmount.c
34293 --- linux-2.6.39.1/drivers/mtd/nftlmount.c 2011-05-19 00:06:34.000000000 -0400
34294 +++ linux-2.6.39.1/drivers/mtd/nftlmount.c 2011-05-22 19:36:31.000000000 -0400
34295 @@ -24,6 +24,7 @@
34296 #include <asm/errno.h>
34297 #include <linux/delay.h>
34298 #include <linux/slab.h>
34299 +#include <linux/sched.h>
34300 #include <linux/mtd/mtd.h>
34301 #include <linux/mtd/nand.h>
34302 #include <linux/mtd/nftl.h>
34303 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
34304 struct mtd_info *mtd = nftl->mbd.mtd;
34305 unsigned int i;
34306
34307 + pax_track_stack();
34308 +
34309 /* Assume logical EraseSize == physical erasesize for starting the scan.
34310 We'll sort it out later if we find a MediaHeader which says otherwise */
34311 /* Actually, we won't. The new DiskOnChip driver has already scanned
34312 diff -urNp linux-2.6.39.1/drivers/mtd/ubi/build.c linux-2.6.39.1/drivers/mtd/ubi/build.c
34313 --- linux-2.6.39.1/drivers/mtd/ubi/build.c 2011-05-19 00:06:34.000000000 -0400
34314 +++ linux-2.6.39.1/drivers/mtd/ubi/build.c 2011-05-22 19:36:31.000000000 -0400
34315 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
34316 static int __init bytes_str_to_int(const char *str)
34317 {
34318 char *endp;
34319 - unsigned long result;
34320 + unsigned long result, scale = 1;
34321
34322 result = simple_strtoul(str, &endp, 0);
34323 if (str == endp || result >= INT_MAX) {
34324 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
34325
34326 switch (*endp) {
34327 case 'G':
34328 - result *= 1024;
34329 + scale *= 1024;
34330 case 'M':
34331 - result *= 1024;
34332 + scale *= 1024;
34333 case 'K':
34334 - result *= 1024;
34335 + scale *= 1024;
34336 if (endp[1] == 'i' && endp[2] == 'B')
34337 endp += 2;
34338 case '\0':
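Review bot: The `'G'`, `'M'` and `'K'` cases depend on falling through into each other to build up `scale`, and `'K'` then falls into `case '\0':`, with no marker on any of them. A `/* fall through */` comment after each `scale *= 1024;` and after `endp += 2;` would make the intent explicit and keep fall-through warnings quiet. The switch continues outside this hunk.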
34339 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
34340 return -EINVAL;
34341 }
34342
34343 - return result;
34344 + if ((intoverflow_t)result*scale >= INT_MAX) {
34345 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34346 + str);
34347 + return -EINVAL;
34348 + }
34349 +
34350 + return result*scale;
34351 }
34352
34353 /**
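Review bot: The new range check `(intoverflow_t)result*scale >= INT_MAX` is only sound if `intoverflow_t` is wider than `unsigned long` on every target, and the returned `result*scale` is evaluated separately in `unsigned long`. `intoverflow_t` is defined outside this part of the patch, so its width cannot be confirmed here. The earlier `result >= INT_MAX` test bounds `result`, assuming its body (outside these hunks) returns an error, and `scale` is a power of two no larger than 1024*1024*1024. So a division form gives the same answer without the wide type: `if (result > INT_MAX / scale) {`. Storing the product once in a local after the check would also keep the test and the return value from drifting apart.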
34354 diff -urNp linux-2.6.39.1/drivers/net/bcm63xx_enet.c linux-2.6.39.1/drivers/net/bcm63xx_enet.c
34355 --- linux-2.6.39.1/drivers/net/bcm63xx_enet.c 2011-05-19 00:06:34.000000000 -0400
34356 +++ linux-2.6.39.1/drivers/net/bcm63xx_enet.c 2011-05-22 19:36:31.000000000 -0400
34357 @@ -1469,7 +1469,7 @@ static int bcm_enet_set_pauseparam(struc
34358 return 0;
34359 }
34360
34361 -static struct ethtool_ops bcm_enet_ethtool_ops = {
34362 +static const struct ethtool_ops bcm_enet_ethtool_ops = {
34363 .get_strings = bcm_enet_get_strings,
34364 .get_sset_count = bcm_enet_get_sset_count,
34365 .get_ethtool_stats = bcm_enet_get_ethtool_stats,
34366 diff -urNp linux-2.6.39.1/drivers/net/bna/bnad_ethtool.c linux-2.6.39.1/drivers/net/bna/bnad_ethtool.c
34367 --- linux-2.6.39.1/drivers/net/bna/bnad_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34368 +++ linux-2.6.39.1/drivers/net/bna/bnad_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34369 @@ -1242,7 +1242,7 @@ bnad_get_sset_count(struct net_device *n
34370 }
34371 }
34372
34373 -static struct ethtool_ops bnad_ethtool_ops = {
34374 +static const struct ethtool_ops bnad_ethtool_ops = {
34375 .get_settings = bnad_get_settings,
34376 .set_settings = bnad_set_settings,
34377 .get_drvinfo = bnad_get_drvinfo,
34378 diff -urNp linux-2.6.39.1/drivers/net/bnx2.c linux-2.6.39.1/drivers/net/bnx2.c
34379 --- linux-2.6.39.1/drivers/net/bnx2.c 2011-05-19 00:06:34.000000000 -0400
34380 +++ linux-2.6.39.1/drivers/net/bnx2.c 2011-05-22 19:36:31.000000000 -0400
34381 @@ -5828,6 +5828,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34382 int rc = 0;
34383 u32 magic, csum;
34384
34385 + pax_track_stack();
34386 +
34387 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34388 goto test_nvram_done;
34389
34390 diff -urNp linux-2.6.39.1/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.39.1/drivers/net/bnx2x/bnx2x_ethtool.c
34391 --- linux-2.6.39.1/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34392 +++ linux-2.6.39.1/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34393 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
34394 int i, rc;
34395 u32 magic, crc;
34396
34397 + pax_track_stack();
34398 +
34399 if (BP_NOMCP(bp))
34400 return 0;
34401
34402 diff -urNp linux-2.6.39.1/drivers/net/chelsio/pm3393.c linux-2.6.39.1/drivers/net/chelsio/pm3393.c
34403 --- linux-2.6.39.1/drivers/net/chelsio/pm3393.c 2011-05-19 00:06:34.000000000 -0400
34404 +++ linux-2.6.39.1/drivers/net/chelsio/pm3393.c 2011-05-22 19:36:31.000000000 -0400
34405 @@ -571,7 +571,7 @@ static void pm3393_destroy(struct cmac *
34406 kfree(cmac);
34407 }
34408
34409 -static struct cmac_ops pm3393_ops = {
34410 +static const struct cmac_ops pm3393_ops = {
34411 .destroy = pm3393_destroy,
34412 .reset = pm3393_reset,
34413 .interrupt_enable = pm3393_interrupt_enable,
34414 diff -urNp linux-2.6.39.1/drivers/net/chelsio/vsc7326.c linux-2.6.39.1/drivers/net/chelsio/vsc7326.c
34415 --- linux-2.6.39.1/drivers/net/chelsio/vsc7326.c 2011-05-19 00:06:34.000000000 -0400
34416 +++ linux-2.6.39.1/drivers/net/chelsio/vsc7326.c 2011-05-22 19:36:31.000000000 -0400
34417 @@ -666,7 +666,7 @@ static void mac_destroy(struct cmac *mac
34418 kfree(mac);
34419 }
34420
34421 -static struct cmac_ops vsc7326_ops = {
34422 +static const struct cmac_ops vsc7326_ops = {
34423 .destroy = mac_destroy,
34424 .reset = mac_reset,
34425 .interrupt_handler = mac_intr_handler,
34426 diff -urNp linux-2.6.39.1/drivers/net/cxgb4/cxgb4_main.c linux-2.6.39.1/drivers/net/cxgb4/cxgb4_main.c
34427 --- linux-2.6.39.1/drivers/net/cxgb4/cxgb4_main.c 2011-05-19 00:06:34.000000000 -0400
34428 +++ linux-2.6.39.1/drivers/net/cxgb4/cxgb4_main.c 2011-05-22 19:36:31.000000000 -0400
34429 @@ -3428,6 +3428,8 @@ static int __devinit enable_msix(struct
34430 unsigned int nchan = adap->params.nports;
34431 struct msix_entry entries[MAX_INGQ + 1];
34432
34433 + pax_track_stack();
34434 +
34435 for (i = 0; i < ARRAY_SIZE(entries); ++i)
34436 entries[i].entry = i;
34437
34438 diff -urNp linux-2.6.39.1/drivers/net/cxgb4/t4_hw.c linux-2.6.39.1/drivers/net/cxgb4/t4_hw.c
34439 --- linux-2.6.39.1/drivers/net/cxgb4/t4_hw.c 2011-05-19 00:06:34.000000000 -0400
34440 +++ linux-2.6.39.1/drivers/net/cxgb4/t4_hw.c 2011-05-22 19:36:31.000000000 -0400
34441 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
34442 u8 vpd[VPD_LEN], csum;
34443 unsigned int vpdr_len, kw_offset, id_len;
34444
34445 + pax_track_stack();
34446 +
34447 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
34448 if (ret < 0)
34449 return ret;
34450 diff -urNp linux-2.6.39.1/drivers/net/cxgb4vf/cxgb4vf_main.c linux-2.6.39.1/drivers/net/cxgb4vf/cxgb4vf_main.c
34451 --- linux-2.6.39.1/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-19 00:06:34.000000000 -0400
34452 +++ linux-2.6.39.1/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-22 19:36:31.000000000 -0400
34453 @@ -1572,7 +1572,7 @@ static int cxgb4vf_set_tso(struct net_de
34454 return 0;
34455 }
34456
34457 -static struct ethtool_ops cxgb4vf_ethtool_ops = {
34458 +static const struct ethtool_ops cxgb4vf_ethtool_ops = {
34459 .get_settings = cxgb4vf_get_settings,
34460 .get_drvinfo = cxgb4vf_get_drvinfo,
34461 .get_msglevel = cxgb4vf_get_msglevel,
34462 diff -urNp linux-2.6.39.1/drivers/net/e1000e/82571.c linux-2.6.39.1/drivers/net/e1000e/82571.c
34463 --- linux-2.6.39.1/drivers/net/e1000e/82571.c 2011-05-19 00:06:34.000000000 -0400
34464 +++ linux-2.6.39.1/drivers/net/e1000e/82571.c 2011-05-22 19:36:31.000000000 -0400
34465 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
34466 {
34467 struct e1000_hw *hw = &adapter->hw;
34468 struct e1000_mac_info *mac = &hw->mac;
34469 - struct e1000_mac_operations *func = &mac->ops;
34470 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34471 u32 swsm = 0;
34472 u32 swsm2 = 0;
34473 bool force_clear_smbi = false;
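Review bot: The trailing `/* cannot be const */` on `func` gives a verdict without the reason, and the same bare wording is repeated in the es2lan.c hunk and on `struct e1000_nvm_operations ops;` in hw.h, while the other two hw.h comments only point at a function name. `func` points at `mac->ops`, the per-adapter table embedded in `struct e1000_mac_info`, which the hw.h hunks leave writable. The `const` added to the static tables such as `e82571_mac_ops` therefore protects the templates, not the table the driver dispatches through, assuming the templates are copied into it. A comment that says so, for example `/* not const: per-adapter ops are patched during init */`, would tell a later reader what remains writable. The body of e1000_init_mac_params_82571 is outside the hunk, so where `func` is written should be confirmed there.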
34474 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
34475 er32(ICRXDMTC);
34476 }
34477
34478 -static struct e1000_mac_operations e82571_mac_ops = {
34479 +static const struct e1000_mac_operations e82571_mac_ops = {
34480 /* .check_mng_mode: mac type dependent */
34481 /* .check_for_link: media type dependent */
34482 .id_led_init = e1000e_id_led_init,
34483 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
34484 .read_mac_addr = e1000_read_mac_addr_82571,
34485 };
34486
34487 -static struct e1000_phy_operations e82_phy_ops_igp = {
34488 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34489 .acquire = e1000_get_hw_semaphore_82571,
34490 .check_polarity = e1000_check_polarity_igp,
34491 .check_reset_block = e1000e_check_reset_block_generic,
34492 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
34493 .cfg_on_link_up = NULL,
34494 };
34495
34496 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34497 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34498 .acquire = e1000_get_hw_semaphore_82571,
34499 .check_polarity = e1000_check_polarity_m88,
34500 .check_reset_block = e1000e_check_reset_block_generic,
34501 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
34502 .cfg_on_link_up = NULL,
34503 };
34504
34505 -static struct e1000_phy_operations e82_phy_ops_bm = {
34506 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34507 .acquire = e1000_get_hw_semaphore_82571,
34508 .check_polarity = e1000_check_polarity_m88,
34509 .check_reset_block = e1000e_check_reset_block_generic,
34510 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
34511 .cfg_on_link_up = NULL,
34512 };
34513
34514 -static struct e1000_nvm_operations e82571_nvm_ops = {
34515 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34516 .acquire = e1000_acquire_nvm_82571,
34517 .read = e1000e_read_nvm_eerd,
34518 .release = e1000_release_nvm_82571,
34519 diff -urNp linux-2.6.39.1/drivers/net/e1000e/e1000.h linux-2.6.39.1/drivers/net/e1000e/e1000.h
34520 --- linux-2.6.39.1/drivers/net/e1000e/e1000.h 2011-05-19 00:06:34.000000000 -0400
34521 +++ linux-2.6.39.1/drivers/net/e1000e/e1000.h 2011-05-22 19:36:31.000000000 -0400
34522 @@ -409,9 +409,9 @@ struct e1000_info {
34523 u32 pba;
34524 u32 max_hw_frame_size;
34525 s32 (*get_variants)(struct e1000_adapter *);
34526 - struct e1000_mac_operations *mac_ops;
34527 - struct e1000_phy_operations *phy_ops;
34528 - struct e1000_nvm_operations *nvm_ops;
34529 + const struct e1000_mac_operations *mac_ops;
34530 + const struct e1000_phy_operations *phy_ops;
34531 + const struct e1000_nvm_operations *nvm_ops;
34532 };
34533
34534 /* hardware capability, feature, and workaround flags */
34535 diff -urNp linux-2.6.39.1/drivers/net/e1000e/es2lan.c linux-2.6.39.1/drivers/net/e1000e/es2lan.c
34536 --- linux-2.6.39.1/drivers/net/e1000e/es2lan.c 2011-05-19 00:06:34.000000000 -0400
34537 +++ linux-2.6.39.1/drivers/net/e1000e/es2lan.c 2011-05-22 19:36:31.000000000 -0400
34538 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
34539 {
34540 struct e1000_hw *hw = &adapter->hw;
34541 struct e1000_mac_info *mac = &hw->mac;
34542 - struct e1000_mac_operations *func = &mac->ops;
34543 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34544
34545 /* Set media type */
34546 switch (adapter->pdev->device) {
34547 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
34548 er32(ICRXDMTC);
34549 }
34550
34551 -static struct e1000_mac_operations es2_mac_ops = {
34552 +static const struct e1000_mac_operations es2_mac_ops = {
34553 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
34554 .id_led_init = e1000e_id_led_init,
34555 .check_mng_mode = e1000e_check_mng_mode_generic,
34556 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
34557 .setup_led = e1000e_setup_led_generic,
34558 };
34559
34560 -static struct e1000_phy_operations es2_phy_ops = {
34561 +static const struct e1000_phy_operations es2_phy_ops = {
34562 .acquire = e1000_acquire_phy_80003es2lan,
34563 .check_polarity = e1000_check_polarity_m88,
34564 .check_reset_block = e1000e_check_reset_block_generic,
34565 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
34566 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
34567 };
34568
34569 -static struct e1000_nvm_operations es2_nvm_ops = {
34570 +static const struct e1000_nvm_operations es2_nvm_ops = {
34571 .acquire = e1000_acquire_nvm_80003es2lan,
34572 .read = e1000e_read_nvm_eerd,
34573 .release = e1000_release_nvm_80003es2lan,
34574 diff -urNp linux-2.6.39.1/drivers/net/e1000e/hw.h linux-2.6.39.1/drivers/net/e1000e/hw.h
34575 --- linux-2.6.39.1/drivers/net/e1000e/hw.h 2011-05-19 00:06:34.000000000 -0400
34576 +++ linux-2.6.39.1/drivers/net/e1000e/hw.h 2011-05-22 19:36:31.000000000 -0400
34577 @@ -811,6 +811,7 @@ struct e1000_nvm_operations {
34578 };
34579
34580 struct e1000_mac_info {
34581 + /* cannot be const see e1000_init_mac_params_ich8lan */
34582 struct e1000_mac_operations ops;
34583 u8 addr[ETH_ALEN];
34584 u8 perm_addr[ETH_ALEN];
34585 @@ -852,6 +853,7 @@ struct e1000_mac_info {
34586 };
34587
34588 struct e1000_phy_info {
34589 + /* Cannot be const see e1000_init_phy_params_82571() */
34590 struct e1000_phy_operations ops;
34591
34592 enum e1000_phy_type type;
34593 @@ -886,6 +888,7 @@ struct e1000_phy_info {
34594 };
34595
34596 struct e1000_nvm_info {
34597 + /* cannot be const */
34598 struct e1000_nvm_operations ops;
34599
34600 enum e1000_nvm_type type;
34601 diff -urNp linux-2.6.39.1/drivers/net/e1000e/ich8lan.c linux-2.6.39.1/drivers/net/e1000e/ich8lan.c
34602 --- linux-2.6.39.1/drivers/net/e1000e/ich8lan.c 2011-05-19 00:06:34.000000000 -0400
34603 +++ linux-2.6.39.1/drivers/net/e1000e/ich8lan.c 2011-05-22 19:36:31.000000000 -0400
34604 @@ -3866,7 +3866,7 @@ static void e1000_clear_hw_cntrs_ich8lan
34605 }
34606 }
34607
34608 -static struct e1000_mac_operations ich8_mac_ops = {
34609 +static const struct e1000_mac_operations ich8_mac_ops = {
34610 .id_led_init = e1000e_id_led_init,
34611 /* check_mng_mode dependent on mac type */
34612 .check_for_link = e1000_check_for_copper_link_ich8lan,
34613 @@ -3885,7 +3885,7 @@ static struct e1000_mac_operations ich8_
34614 /* id_led_init dependent on mac type */
34615 };
34616
34617 -static struct e1000_phy_operations ich8_phy_ops = {
34618 +static const struct e1000_phy_operations ich8_phy_ops = {
34619 .acquire = e1000_acquire_swflag_ich8lan,
34620 .check_reset_block = e1000_check_reset_block_ich8lan,
34621 .commit = NULL,
34622 @@ -3899,7 +3899,7 @@ static struct e1000_phy_operations ich8_
34623 .write_reg = e1000e_write_phy_reg_igp,
34624 };
34625
34626 -static struct e1000_nvm_operations ich8_nvm_ops = {
34627 +static const struct e1000_nvm_operations ich8_nvm_ops = {
34628 .acquire = e1000_acquire_nvm_ich8lan,
34629 .read = e1000_read_nvm_ich8lan,
34630 .release = e1000_release_nvm_ich8lan,
34631 diff -urNp linux-2.6.39.1/drivers/net/greth.c linux-2.6.39.1/drivers/net/greth.c
34632 --- linux-2.6.39.1/drivers/net/greth.c 2011-05-19 00:06:34.000000000 -0400
34633 +++ linux-2.6.39.1/drivers/net/greth.c 2011-05-22 19:36:31.000000000 -0400
34634 @@ -1192,7 +1192,7 @@ static const struct ethtool_ops greth_et
34635 .get_link = ethtool_op_get_link,
34636 };
34637
34638 -static struct net_device_ops greth_netdev_ops = {
34639 +static const struct net_device_ops greth_netdev_ops = {
34640 .ndo_open = greth_open,
34641 .ndo_stop = greth_close,
34642 .ndo_start_xmit = greth_start_xmit,
34643 diff -urNp linux-2.6.39.1/drivers/net/hamradio/6pack.c linux-2.6.39.1/drivers/net/hamradio/6pack.c
34644 --- linux-2.6.39.1/drivers/net/hamradio/6pack.c 2011-05-19 00:06:34.000000000 -0400
34645 +++ linux-2.6.39.1/drivers/net/hamradio/6pack.c 2011-05-22 19:36:31.000000000 -0400
34646 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
34647 unsigned char buf[512];
34648 int count1;
34649
34650 + pax_track_stack();
34651 +
34652 if (!count)
34653 return;
34654
34655 diff -urNp linux-2.6.39.1/drivers/net/ibm_newemac/phy.c linux-2.6.39.1/drivers/net/ibm_newemac/phy.c
34656 --- linux-2.6.39.1/drivers/net/ibm_newemac/phy.c 2011-05-19 00:06:34.000000000 -0400
34657 +++ linux-2.6.39.1/drivers/net/ibm_newemac/phy.c 2011-05-22 19:36:31.000000000 -0400
34658 @@ -273,7 +273,7 @@ static int genmii_read_link(struct mii_p
34659 }
34660
34661 /* Generic implementation for most 10/100/1000 PHYs */
34662 -static struct mii_phy_ops generic_phy_ops = {
34663 +static const struct mii_phy_ops generic_phy_ops = {
34664 .setup_aneg = genmii_setup_aneg,
34665 .setup_forced = genmii_setup_forced,
34666 .poll_link = genmii_poll_link,
34667 @@ -337,7 +337,7 @@ static int cis8201_init(struct mii_phy *
34668 return 0;
34669 }
34670
34671 -static struct mii_phy_ops cis8201_phy_ops = {
34672 +static const struct mii_phy_ops cis8201_phy_ops = {
34673 .init = cis8201_init,
34674 .setup_aneg = genmii_setup_aneg,
34675 .setup_forced = genmii_setup_forced,
34676 @@ -417,7 +417,7 @@ static int et1011c_init(struct mii_phy *
34677 return 0;
34678 }
34679
34680 -static struct mii_phy_ops et1011c_phy_ops = {
34681 +static const struct mii_phy_ops et1011c_phy_ops = {
34682 .init = et1011c_init,
34683 .setup_aneg = genmii_setup_aneg,
34684 .setup_forced = genmii_setup_forced,
34685 @@ -436,7 +436,7 @@ static struct mii_phy_def et1011c_phy_de
34686
34687
34688
34689 -static struct mii_phy_ops m88e1111_phy_ops = {
34690 +static const struct mii_phy_ops m88e1111_phy_ops = {
34691 .init = m88e1111_init,
34692 .setup_aneg = genmii_setup_aneg,
34693 .setup_forced = genmii_setup_forced,
34694 @@ -452,7 +452,7 @@ static struct mii_phy_def m88e1111_phy_d
34695 .ops = &m88e1111_phy_ops,
34696 };
34697
34698 -static struct mii_phy_ops m88e1112_phy_ops = {
34699 +static const struct mii_phy_ops m88e1112_phy_ops = {
34700 .init = m88e1112_init,
34701 .setup_aneg = genmii_setup_aneg,
34702 .setup_forced = genmii_setup_forced,
34703 diff -urNp linux-2.6.39.1/drivers/net/ibmveth.c linux-2.6.39.1/drivers/net/ibmveth.c
34704 --- linux-2.6.39.1/drivers/net/ibmveth.c 2011-05-19 00:06:34.000000000 -0400
34705 +++ linux-2.6.39.1/drivers/net/ibmveth.c 2011-05-22 19:36:31.000000000 -0400
34706 @@ -1625,7 +1625,7 @@ static struct vio_device_id ibmveth_devi
34707 };
34708 MODULE_DEVICE_TABLE(vio, ibmveth_device_table);
34709
34710 -static struct dev_pm_ops ibmveth_pm_ops = {
34711 +static const struct dev_pm_ops ibmveth_pm_ops = {
34712 .resume = ibmveth_resume
34713 };
34714
34715 diff -urNp linux-2.6.39.1/drivers/net/igb/e1000_82575.c linux-2.6.39.1/drivers/net/igb/e1000_82575.c
34716 --- linux-2.6.39.1/drivers/net/igb/e1000_82575.c 2011-05-19 00:06:34.000000000 -0400
34717 +++ linux-2.6.39.1/drivers/net/igb/e1000_82575.c 2011-05-22 19:36:31.000000000 -0400
34718 @@ -2029,7 +2029,7 @@ out:
34719 return ret_val;
34720 }
34721
34722 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
34723 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
34724 .init_hw = igb_init_hw_82575,
34725 .check_for_link = igb_check_for_link_82575,
34726 .rar_set = igb_rar_set,
34727 @@ -2037,13 +2037,13 @@ static struct e1000_mac_operations e1000
34728 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
34729 };
34730
34731 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
34732 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
34733 .acquire = igb_acquire_phy_82575,
34734 .get_cfg_done = igb_get_cfg_done_82575,
34735 .release = igb_release_phy_82575,
34736 };
34737
34738 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34739 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34740 .acquire = igb_acquire_nvm_82575,
34741 .read = igb_read_nvm_eerd,
34742 .release = igb_release_nvm_82575,
34743 diff -urNp linux-2.6.39.1/drivers/net/igb/e1000_hw.h linux-2.6.39.1/drivers/net/igb/e1000_hw.h
34744 --- linux-2.6.39.1/drivers/net/igb/e1000_hw.h 2011-05-19 00:06:34.000000000 -0400
34745 +++ linux-2.6.39.1/drivers/net/igb/e1000_hw.h 2011-05-22 19:36:31.000000000 -0400
34746 @@ -342,14 +342,15 @@ struct e1000_nvm_operations {
34747
34748 struct e1000_info {
34749 s32 (*get_invariants)(struct e1000_hw *);
34750 - struct e1000_mac_operations *mac_ops;
34751 - struct e1000_phy_operations *phy_ops;
34752 - struct e1000_nvm_operations *nvm_ops;
34753 + const struct e1000_mac_operations *mac_ops;
34754 + const struct e1000_phy_operations *phy_ops;
34755 + const struct e1000_nvm_operations *nvm_ops;
34756 };
34757
34758 extern const struct e1000_info e1000_82575_info;
34759
34760 struct e1000_mac_info {
34761 + /* cannot be const see igb_get_invariants_82575() */
34762 struct e1000_mac_operations ops;
34763
34764 u8 addr[6];
34765 @@ -388,6 +389,7 @@ struct e1000_mac_info {
34766 };
34767
34768 struct e1000_phy_info {
34769 + /* cannot be const see igb_get_invariants_82575() */
34770 struct e1000_phy_operations ops;
34771
34772 enum e1000_phy_type type;
34773 @@ -423,6 +425,7 @@ struct e1000_phy_info {
34774 };
34775
34776 struct e1000_nvm_info {
34777 + /* cannot be const */
34778 struct e1000_nvm_operations ops;
34779 enum e1000_nvm_type type;
34780 enum e1000_nvm_override override;
34781 diff -urNp linux-2.6.39.1/drivers/net/igbvf/vf.h linux-2.6.39.1/drivers/net/igbvf/vf.h
34782 --- linux-2.6.39.1/drivers/net/igbvf/vf.h 2011-05-19 00:06:34.000000000 -0400
34783 +++ linux-2.6.39.1/drivers/net/igbvf/vf.h 2011-05-22 19:36:31.000000000 -0400
34784 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
34785 };
34786
34787 struct e1000_mac_info {
34788 + /* cannot be const see e1000_init_mac_params_vf() */
34789 struct e1000_mac_operations ops;
34790 u8 addr[6];
34791 u8 perm_addr[6];
34792 diff -urNp linux-2.6.39.1/drivers/net/irda/sh_irda.c linux-2.6.39.1/drivers/net/irda/sh_irda.c
34793 --- linux-2.6.39.1/drivers/net/irda/sh_irda.c 2011-05-19 00:06:34.000000000 -0400
34794 +++ linux-2.6.39.1/drivers/net/irda/sh_irda.c 2011-05-22 19:36:31.000000000 -0400
34795 @@ -307,7 +307,7 @@ static int xir_fte(struct sh_irda_self *
34796 return 0;
34797 }
34798
34799 -static struct sh_irda_xir_func xir_func = {
34800 +static const struct sh_irda_xir_func xir_func = {
34801 .xir_fre = xir_fre,
34802 .xir_trov = xir_trov,
34803 .xir_9 = xir_9,
34804 @@ -321,7 +321,7 @@ static struct sh_irda_xir_func xir_func
34805 *
34806 * MIR/FIR are not supported now
34807 *=====================================*/
34808 -static struct sh_irda_xir_func mfir_func = {
34809 +static const struct sh_irda_xir_func mfir_func = {
34810 .xir_fre = xir_fre,
34811 .xir_trov = xir_trov,
34812 .xir_9 = xir_9,
34813 @@ -400,7 +400,7 @@ static int sir_fte(struct sh_irda_self *
34814 return 0;
34815 }
34816
34817 -static struct sh_irda_xir_func sir_func = {
34818 +static const struct sh_irda_xir_func sir_func = {
34819 .xir_fre = sir_fre,
34820 .xir_trov = sir_trov,
34821 .xir_9 = sir_tot,
34822 @@ -411,7 +411,7 @@ static struct sh_irda_xir_func sir_func
34823 static void sh_irda_set_mode(struct sh_irda_self *self, enum sh_irda_mode mode)
34824 {
34825 struct device *dev = &self->ndev->dev;
34826 - struct sh_irda_xir_func *func;
34827 + const struct sh_irda_xir_func *func;
34828 const char *name;
34829 u16 data;
34830
34831 diff -urNp linux-2.6.39.1/drivers/net/ixgb/ixgb_main.c linux-2.6.39.1/drivers/net/ixgb/ixgb_main.c
34832 --- linux-2.6.39.1/drivers/net/ixgb/ixgb_main.c 2011-05-19 00:06:34.000000000 -0400
34833 +++ linux-2.6.39.1/drivers/net/ixgb/ixgb_main.c 2011-05-22 19:36:31.000000000 -0400
34834 @@ -1069,6 +1069,8 @@ ixgb_set_multi(struct net_device *netdev
34835 u32 rctl;
34836 int i;
34837
34838 + pax_track_stack();
34839 +
34840 /* Check for Promiscuous and All Multicast modes */
34841
34842 rctl = IXGB_READ_REG(hw, RCTL);
34843 diff -urNp linux-2.6.39.1/drivers/net/ixgb/ixgb_param.c linux-2.6.39.1/drivers/net/ixgb/ixgb_param.c
34844 --- linux-2.6.39.1/drivers/net/ixgb/ixgb_param.c 2011-05-19 00:06:34.000000000 -0400
34845 +++ linux-2.6.39.1/drivers/net/ixgb/ixgb_param.c 2011-05-22 19:36:31.000000000 -0400
34846 @@ -261,6 +261,9 @@ void __devinit
34847 ixgb_check_options(struct ixgb_adapter *adapter)
34848 {
34849 int bd = adapter->bd_number;
34850 +
34851 + pax_track_stack();
34852 +
34853 if (bd >= IXGB_MAX_NIC) {
34854 pr_notice("Warning: no configuration for board #%i\n", bd);
34855 pr_notice("Using defaults for all values\n");
34856 diff -urNp linux-2.6.39.1/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.39.1/drivers/net/ixgbe/ixgbe_82599.c
34857 --- linux-2.6.39.1/drivers/net/ixgbe/ixgbe_82599.c 2011-05-19 00:06:34.000000000 -0400
34858 +++ linux-2.6.39.1/drivers/net/ixgbe/ixgbe_82599.c 2011-05-22 19:36:31.000000000 -0400
34859 @@ -2099,7 +2099,7 @@ static struct ixgbe_phy_operations phy_o
34860 .check_overtemp = &ixgbe_tn_check_overtemp,
34861 };
34862
34863 -struct ixgbe_info ixgbe_82599_info = {
34864 +const struct ixgbe_info ixgbe_82599_info = {
34865 .mac = ixgbe_mac_82599EB,
34866 .get_invariants = &ixgbe_get_invariants_82599,
34867 .mac_ops = &mac_ops_82599,
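Review bot: Making `ixgbe_82599_info` const protects only the pointers stored in it, while the function-pointer tables behind them appear to stay writable: the hunk header still shows `static struct ixgbe_phy_operations phy_o…` without `const`. If nothing writes to those tables after initialisation (their use is not visible here), they are the more valuable objects to place in read-only data, which would mean const-qualifying the table definitions and the pointer members of `struct ixgbe_info`, as this patch does for `struct ixgbevf_info` in the ixgbevf/vf.h section. The ixgbe_x540.c hunk has the same shape. The initializer continues outside the hunk.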
34868 diff -urNp linux-2.6.39.1/drivers/net/ixgbe/ixgbe.h linux-2.6.39.1/drivers/net/ixgbe/ixgbe.h
34869 --- linux-2.6.39.1/drivers/net/ixgbe/ixgbe.h 2011-05-19 00:06:34.000000000 -0400
34870 +++ linux-2.6.39.1/drivers/net/ixgbe/ixgbe.h 2011-05-22 19:36:31.000000000 -0400
34871 @@ -493,8 +493,8 @@ enum ixgbe_boards {
34872 };
34873
34874 extern struct ixgbe_info ixgbe_82598_info;
34875 -extern struct ixgbe_info ixgbe_82599_info;
34876 -extern struct ixgbe_info ixgbe_X540_info;
34877 +extern const struct ixgbe_info ixgbe_82599_info;
34878 +extern const struct ixgbe_info ixgbe_X540_info;
34879 #ifdef CONFIG_IXGBE_DCB
34880 extern const struct dcbnl_rtnl_ops dcbnl_ops;
34881 extern int ixgbe_copy_dcb_cfg(struct ixgbe_dcb_config *src_dcb_cfg,
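Review bot: `ixgbe_82598_info` keeps its non-const declaration on the context line above the two changed ones, so one of the three board tables stays in writable data while `ixgbe_82599_info` and `ixgbe_X540_info` become read-only. None of the ixgbe sections visible here touches its definition either. Unless something writes to it at runtime (not visible here), I would change the declaration to `extern const struct ixgbe_info ixgbe_82598_info;` and const-qualify the definition to match.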
34882 diff -urNp linux-2.6.39.1/drivers/net/ixgbe/ixgbe_x540.c linux-2.6.39.1/drivers/net/ixgbe/ixgbe_x540.c
34883 --- linux-2.6.39.1/drivers/net/ixgbe/ixgbe_x540.c 2011-05-19 00:06:34.000000000 -0400
34884 +++ linux-2.6.39.1/drivers/net/ixgbe/ixgbe_x540.c 2011-05-22 19:36:31.000000000 -0400
34885 @@ -727,7 +727,7 @@ static struct ixgbe_phy_operations phy_o
34886 .check_overtemp = &ixgbe_tn_check_overtemp,
34887 };
34888
34889 -struct ixgbe_info ixgbe_X540_info = {
34890 +const struct ixgbe_info ixgbe_X540_info = {
34891 .mac = ixgbe_mac_X540,
34892 .get_invariants = &ixgbe_get_invariants_X540,
34893 .mac_ops = &mac_ops_X540,
34894 diff -urNp linux-2.6.39.1/drivers/net/ixgbevf/ethtool.c linux-2.6.39.1/drivers/net/ixgbevf/ethtool.c
34895 --- linux-2.6.39.1/drivers/net/ixgbevf/ethtool.c 2011-05-19 00:06:34.000000000 -0400
34896 +++ linux-2.6.39.1/drivers/net/ixgbevf/ethtool.c 2011-05-22 19:36:31.000000000 -0400
34897 @@ -709,7 +709,7 @@ static int ixgbevf_nway_reset(struct net
34898 return 0;
34899 }
34900
34901 -static struct ethtool_ops ixgbevf_ethtool_ops = {
34902 +static const struct ethtool_ops ixgbevf_ethtool_ops = {
34903 .get_settings = ixgbevf_get_settings,
34904 .get_drvinfo = ixgbevf_get_drvinfo,
34905 .get_regs_len = ixgbevf_get_regs_len,
34906 diff -urNp linux-2.6.39.1/drivers/net/ixgbevf/ixgbevf.h linux-2.6.39.1/drivers/net/ixgbevf/ixgbevf.h
34907 --- linux-2.6.39.1/drivers/net/ixgbevf/ixgbevf.h 2011-05-19 00:06:34.000000000 -0400
34908 +++ linux-2.6.39.1/drivers/net/ixgbevf/ixgbevf.h 2011-05-22 19:36:31.000000000 -0400
34909 @@ -279,7 +279,7 @@ enum ixgbevf_boards {
34910
34911 extern struct ixgbevf_info ixgbevf_82599_vf_info;
34912 extern struct ixgbevf_info ixgbevf_X540_vf_info;
34913 -extern struct ixgbe_mac_operations ixgbevf_mbx_ops;
34914 +extern const struct ixgbe_mac_operations ixgbevf_mbx_ops;
34915
34916 /* needed by ethtool.c */
34917 extern char ixgbevf_driver_name[];
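Review bot: The two context lines `extern struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern struct ixgbevf_info ixgbevf_X540_vf_info;` stay non-const, while the ixgbevf/vf.c section of this patch turns both definitions into `const struct ixgbevf_info`. A translation unit that sees both would fail on conflicting types, and one that sees only this header gets a writable lvalue for an object placed in read-only data. The declarations should read `extern const struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern const struct ixgbevf_info ixgbevf_X540_vf_info;`, with any pointer that stores their address const-qualified as well. Conversely, `ixgbevf_mbx_ops` is declared const here but no visible section changes its definition, which is worth checking.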
34918 diff -urNp linux-2.6.39.1/drivers/net/ixgbevf/vf.c linux-2.6.39.1/drivers/net/ixgbevf/vf.c
34919 --- linux-2.6.39.1/drivers/net/ixgbevf/vf.c 2011-05-19 00:06:34.000000000 -0400
34920 +++ linux-2.6.39.1/drivers/net/ixgbevf/vf.c 2011-05-22 19:36:31.000000000 -0400
34921 @@ -368,7 +368,7 @@ static s32 ixgbevf_check_mac_link_vf(str
34922 return 0;
34923 }
34924
34925 -static struct ixgbe_mac_operations ixgbevf_mac_ops = {
34926 +static const struct ixgbe_mac_operations ixgbevf_mac_ops = {
34927 .init_hw = ixgbevf_init_hw_vf,
34928 .reset_hw = ixgbevf_reset_hw_vf,
34929 .start_hw = ixgbevf_start_hw_vf,
34930 @@ -381,12 +381,12 @@ static struct ixgbe_mac_operations ixgbe
34931 .set_vfta = ixgbevf_set_vfta_vf,
34932 };
34933
34934 -struct ixgbevf_info ixgbevf_82599_vf_info = {
34935 +const struct ixgbevf_info ixgbevf_82599_vf_info = {
34936 .mac = ixgbe_mac_82599_vf,
34937 .mac_ops = &ixgbevf_mac_ops,
34938 };
34939
34940 -struct ixgbevf_info ixgbevf_X540_vf_info = {
34941 +const struct ixgbevf_info ixgbevf_X540_vf_info = {
34942 .mac = ixgbe_mac_X540_vf,
34943 .mac_ops = &ixgbevf_mac_ops,
34944 };
34945 diff -urNp linux-2.6.39.1/drivers/net/ixgbevf/vf.h linux-2.6.39.1/drivers/net/ixgbevf/vf.h
34946 --- linux-2.6.39.1/drivers/net/ixgbevf/vf.h 2011-05-19 00:06:34.000000000 -0400
34947 +++ linux-2.6.39.1/drivers/net/ixgbevf/vf.h 2011-05-22 19:36:31.000000000 -0400
34948 @@ -166,7 +166,7 @@ struct ixgbevf_hw_stats {
34949
34950 struct ixgbevf_info {
34951 enum ixgbe_mac_type mac;
34952 - struct ixgbe_mac_operations *mac_ops;
34953 + const struct ixgbe_mac_operations *mac_ops;
34954 };
34955
34956 #endif /* __IXGBE_VF_H__ */
34957 diff -urNp linux-2.6.39.1/drivers/net/ksz884x.c linux-2.6.39.1/drivers/net/ksz884x.c
34958 --- linux-2.6.39.1/drivers/net/ksz884x.c 2011-05-19 00:06:34.000000000 -0400
34959 +++ linux-2.6.39.1/drivers/net/ksz884x.c 2011-05-22 19:36:31.000000000 -0400
34960 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
34961 int rc;
34962 u64 counter[TOTAL_PORT_COUNTER_NUM];
34963
34964 + pax_track_stack();
34965 +
34966 mutex_lock(&hw_priv->lock);
34967 n = SWITCH_PORT_NUM;
34968 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
34969 @@ -6637,7 +6639,7 @@ static int netdev_set_rx_csum(struct net
34970 return 0;
34971 }
34972
34973 -static struct ethtool_ops netdev_ethtool_ops = {
34974 +static const struct ethtool_ops netdev_ethtool_ops = {
34975 .get_settings = netdev_get_settings,
34976 .set_settings = netdev_set_settings,
34977 .nway_reset = netdev_nway_reset,
34978 diff -urNp linux-2.6.39.1/drivers/net/mlx4/main.c linux-2.6.39.1/drivers/net/mlx4/main.c
34979 --- linux-2.6.39.1/drivers/net/mlx4/main.c 2011-05-19 00:06:34.000000000 -0400
34980 +++ linux-2.6.39.1/drivers/net/mlx4/main.c 2011-05-22 19:36:31.000000000 -0400
34981 @@ -40,6 +40,7 @@
34982 #include <linux/dma-mapping.h>
34983 #include <linux/slab.h>
34984 #include <linux/io-mapping.h>
34985 +#include <linux/sched.h>
34986
34987 #include <linux/mlx4/device.h>
34988 #include <linux/mlx4/doorbell.h>
34989 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
34990 u64 icm_size;
34991 int err;
34992
34993 + pax_track_stack();
34994 +
34995 err = mlx4_QUERY_FW(dev);
34996 if (err) {
34997 if (err == -EACCES)
34998 diff -urNp linux-2.6.39.1/drivers/net/netconsole.c linux-2.6.39.1/drivers/net/netconsole.c
34999 --- linux-2.6.39.1/drivers/net/netconsole.c 2011-05-19 00:06:34.000000000 -0400
35000 +++ linux-2.6.39.1/drivers/net/netconsole.c 2011-05-22 19:36:31.000000000 -0400
35001 @@ -634,7 +634,7 @@ static void drop_netconsole_target(struc
35002 config_item_put(&nt->item);
35003 }
35004
35005 -static struct configfs_group_operations netconsole_subsys_group_ops = {
35006 +static const struct configfs_group_operations netconsole_subsys_group_ops = {
35007 .make_item = make_netconsole_target,
35008 .drop_item = drop_netconsole_target,
35009 };
35010 diff -urNp linux-2.6.39.1/drivers/net/niu.c linux-2.6.39.1/drivers/net/niu.c
35011 --- linux-2.6.39.1/drivers/net/niu.c 2011-05-19 00:06:34.000000000 -0400
35012 +++ linux-2.6.39.1/drivers/net/niu.c 2011-05-22 19:36:31.000000000 -0400
35013 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
35014 int i, num_irqs, err;
35015 u8 first_ldg;
35016
35017 + pax_track_stack();
35018 +
35019 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35020 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35021 ldg_num_map[i] = first_ldg + i;
35022 diff -urNp linux-2.6.39.1/drivers/net/pcnet32.c linux-2.6.39.1/drivers/net/pcnet32.c
35023 --- linux-2.6.39.1/drivers/net/pcnet32.c 2011-05-19 00:06:34.000000000 -0400
35024 +++ linux-2.6.39.1/drivers/net/pcnet32.c 2011-05-22 19:36:31.000000000 -0400
35025 @@ -82,7 +82,7 @@ static int cards_found;
35026 /*
35027 * VLB I/O addresses
35028 */
35029 -static unsigned int pcnet32_portlist[] __initdata =
35030 +static unsigned int pcnet32_portlist[] __devinitdata =
35031 { 0x300, 0x320, 0x340, 0x360, 0 };
35032
35033 static int pcnet32_debug;
35034 @@ -379,7 +379,7 @@ static int pcnet32_wio_check(unsigned lo
35035 return inw(addr + PCNET32_WIO_RAP) == 88;
35036 }
35037
35038 -static struct pcnet32_access pcnet32_wio = {
35039 +static const struct pcnet32_access pcnet32_wio = {
35040 .read_csr = pcnet32_wio_read_csr,
35041 .write_csr = pcnet32_wio_write_csr,
35042 .read_bcr = pcnet32_wio_read_bcr,
35043 @@ -434,7 +434,7 @@ static int pcnet32_dwio_check(unsigned l
35044 return (inl(addr + PCNET32_DWIO_RAP) & 0xffff) == 88;
35045 }
35046
35047 -static struct pcnet32_access pcnet32_dwio = {
35048 +static const struct pcnet32_access pcnet32_dwio = {
35049 .read_csr = pcnet32_dwio_read_csr,
35050 .write_csr = pcnet32_dwio_write_csr,
35051 .read_bcr = pcnet32_dwio_read_bcr,
35052 @@ -1546,7 +1546,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35053 int chip_version;
35054 char *chipname;
35055 struct net_device *dev;
35056 - struct pcnet32_access *a = NULL;
35057 + const struct pcnet32_access *a = NULL;
35058 u8 promaddr[6];
35059 int ret = -ENODEV;
35060
35061 diff -urNp linux-2.6.39.1/drivers/net/ppp_generic.c linux-2.6.39.1/drivers/net/ppp_generic.c
35062 --- linux-2.6.39.1/drivers/net/ppp_generic.c 2011-05-19 00:06:34.000000000 -0400
35063 +++ linux-2.6.39.1/drivers/net/ppp_generic.c 2011-05-22 19:36:31.000000000 -0400
35064 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
35065 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
35066 struct ppp_stats stats;
35067 struct ppp_comp_stats cstats;
35068 - char *vers;
35069
35070 switch (cmd) {
35071 case SIOCGPPPSTATS:
35072 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
35073 break;
35074
35075 case SIOCGPPPVER:
35076 - vers = PPP_VERSION;
35077 - if (copy_to_user(addr, vers, strlen(vers) + 1))
35078 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
35079 break;
35080 err = 0;
35081 break;
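Review bot: `sizeof(PPP_VERSION)` in the `SIOCGPPPVER` case is only correct while `PPP_VERSION` expands to a string literal; if it were ever redefined as a `const char *`, the copy would silently shrink to the size of a pointer. With a literal the length equals the removed `strlen(vers) + 1`, terminating NUL included. A one-line comment such as `/* PPP_VERSION is a string literal; sizeof includes the NUL */` would record that assumption. `ppp_net_ioctl` begins and ends outside the hunk.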
35082 diff -urNp linux-2.6.39.1/drivers/net/qlcnic/qlcnic.h linux-2.6.39.1/drivers/net/qlcnic/qlcnic.h
35083 --- linux-2.6.39.1/drivers/net/qlcnic/qlcnic.h 2011-05-19 00:06:34.000000000 -0400
35084 +++ linux-2.6.39.1/drivers/net/qlcnic/qlcnic.h 2011-05-22 19:36:31.000000000 -0400
35085 @@ -1037,7 +1037,7 @@ struct qlcnic_adapter {
35086 struct vlan_group *vlgrp;
35087 struct qlcnic_npar_info *npars;
35088 struct qlcnic_eswitch *eswitch;
35089 - struct qlcnic_nic_template *nic_ops;
35090 + const struct qlcnic_nic_template *nic_ops;
35091
35092 struct qlcnic_adapter_stats stats;
35093
35094 diff -urNp linux-2.6.39.1/drivers/net/qlcnic/qlcnic_main.c linux-2.6.39.1/drivers/net/qlcnic/qlcnic_main.c
35095 --- linux-2.6.39.1/drivers/net/qlcnic/qlcnic_main.c 2011-05-19 00:06:34.000000000 -0400
35096 +++ linux-2.6.39.1/drivers/net/qlcnic/qlcnic_main.c 2011-05-22 19:36:31.000000000 -0400
35097 @@ -340,13 +340,13 @@ static const struct net_device_ops qlcni
35098 #endif
35099 };
35100
35101 -static struct qlcnic_nic_template qlcnic_ops = {
35102 +static const struct qlcnic_nic_template qlcnic_ops = {
35103 .config_bridged_mode = qlcnic_config_bridged_mode,
35104 .config_led = qlcnic_config_led,
35105 .start_firmware = qlcnic_start_firmware
35106 };
35107
35108 -static struct qlcnic_nic_template qlcnic_vf_ops = {
35109 +static const struct qlcnic_nic_template qlcnic_vf_ops = {
35110 .config_bridged_mode = qlcnicvf_config_bridged_mode,
35111 .config_led = qlcnicvf_config_led,
35112 .start_firmware = qlcnicvf_start_firmware
35113 diff -urNp linux-2.6.39.1/drivers/net/qlge/qlge.h linux-2.6.39.1/drivers/net/qlge/qlge.h
35114 --- linux-2.6.39.1/drivers/net/qlge/qlge.h 2011-05-19 00:06:34.000000000 -0400
35115 +++ linux-2.6.39.1/drivers/net/qlge/qlge.h 2011-05-22 19:36:31.000000000 -0400
35116 @@ -2134,7 +2134,7 @@ struct ql_adapter {
35117 struct delayed_work mpi_idc_work;
35118 struct delayed_work mpi_core_to_log;
35119 struct completion ide_completion;
35120 - struct nic_operations *nic_ops;
35121 + const struct nic_operations *nic_ops;
35122 u16 device_id;
35123 struct timer_list timer;
35124 atomic_t lb_count;
35125 diff -urNp linux-2.6.39.1/drivers/net/qlge/qlge_main.c linux-2.6.39.1/drivers/net/qlge/qlge_main.c
35126 --- linux-2.6.39.1/drivers/net/qlge/qlge_main.c 2011-05-19 00:06:34.000000000 -0400
35127 +++ linux-2.6.39.1/drivers/net/qlge/qlge_main.c 2011-05-22 19:36:31.000000000 -0400
35128 @@ -4412,12 +4412,12 @@ error:
35129 rtnl_unlock();
35130 }
35131
35132 -static struct nic_operations qla8012_nic_ops = {
35133 +static const struct nic_operations qla8012_nic_ops = {
35134 .get_flash = ql_get_8012_flash_params,
35135 .port_initialize = ql_8012_port_initialize,
35136 };
35137
35138 -static struct nic_operations qla8000_nic_ops = {
35139 +static const struct nic_operations qla8000_nic_ops = {
35140 .get_flash = ql_get_8000_flash_params,
35141 .port_initialize = ql_8000_port_initialize,
35142 };
35143 diff -urNp linux-2.6.39.1/drivers/net/sfc/falcon.c linux-2.6.39.1/drivers/net/sfc/falcon.c
35144 --- linux-2.6.39.1/drivers/net/sfc/falcon.c 2011-05-19 00:06:34.000000000 -0400
35145 +++ linux-2.6.39.1/drivers/net/sfc/falcon.c 2011-05-22 19:36:31.000000000 -0400
35146 @@ -1703,7 +1703,7 @@ static int falcon_set_wol(struct efx_nic
35147 **************************************************************************
35148 */
35149
35150 -struct efx_nic_type falcon_a1_nic_type = {
35151 +const struct efx_nic_type falcon_a1_nic_type = {
35152 .probe = falcon_probe_nic,
35153 .remove = falcon_remove_nic,
35154 .init = falcon_init_nic,
35155 @@ -1744,7 +1744,7 @@ struct efx_nic_type falcon_a1_nic_type =
35156 .reset_world_flags = ETH_RESET_IRQ,
35157 };
35158
35159 -struct efx_nic_type falcon_b0_nic_type = {
35160 +const struct efx_nic_type falcon_b0_nic_type = {
35161 .probe = falcon_probe_nic,
35162 .remove = falcon_remove_nic,
35163 .init = falcon_init_nic,
35164 diff -urNp linux-2.6.39.1/drivers/net/sfc/mtd.c linux-2.6.39.1/drivers/net/sfc/mtd.c
35165 --- linux-2.6.39.1/drivers/net/sfc/mtd.c 2011-05-19 00:06:34.000000000 -0400
35166 +++ linux-2.6.39.1/drivers/net/sfc/mtd.c 2011-05-22 19:36:31.000000000 -0400
35167 @@ -382,7 +382,7 @@ static int falcon_mtd_sync(struct mtd_in
35168 return rc;
35169 }
35170
35171 -static struct efx_mtd_ops falcon_mtd_ops = {
35172 +static const struct efx_mtd_ops falcon_mtd_ops = {
35173 .read = falcon_mtd_read,
35174 .erase = falcon_mtd_erase,
35175 .write = falcon_mtd_write,
35176 @@ -560,7 +560,7 @@ static int siena_mtd_sync(struct mtd_inf
35177 return rc;
35178 }
35179
35180 -static struct efx_mtd_ops siena_mtd_ops = {
35181 +static const struct efx_mtd_ops siena_mtd_ops = {
35182 .read = siena_mtd_read,
35183 .erase = siena_mtd_erase,
35184 .write = siena_mtd_write,
35185 diff -urNp linux-2.6.39.1/drivers/net/sfc/nic.h linux-2.6.39.1/drivers/net/sfc/nic.h
35186 --- linux-2.6.39.1/drivers/net/sfc/nic.h 2011-05-19 00:06:34.000000000 -0400
35187 +++ linux-2.6.39.1/drivers/net/sfc/nic.h 2011-05-22 19:36:31.000000000 -0400
35188 @@ -152,9 +152,9 @@ struct siena_nic_data {
35189 int wol_filter_id;
35190 };
35191
35192 -extern struct efx_nic_type falcon_a1_nic_type;
35193 -extern struct efx_nic_type falcon_b0_nic_type;
35194 -extern struct efx_nic_type siena_a0_nic_type;
35195 +extern const struct efx_nic_type falcon_a1_nic_type;
35196 +extern const struct efx_nic_type falcon_b0_nic_type;
35197 +extern const struct efx_nic_type siena_a0_nic_type;
35198
35199 /**************************************************************************
35200 *
35201 diff -urNp linux-2.6.39.1/drivers/net/sfc/siena.c linux-2.6.39.1/drivers/net/sfc/siena.c
35202 --- linux-2.6.39.1/drivers/net/sfc/siena.c 2011-05-19 00:06:34.000000000 -0400
35203 +++ linux-2.6.39.1/drivers/net/sfc/siena.c 2011-05-22 19:36:31.000000000 -0400
35204 @@ -599,7 +599,7 @@ static void siena_init_wol(struct efx_ni
35205 **************************************************************************
35206 */
35207
35208 -struct efx_nic_type siena_a0_nic_type = {
35209 +const struct efx_nic_type siena_a0_nic_type = {
35210 .probe = siena_probe_nic,
35211 .remove = siena_remove_nic,
35212 .init = siena_init_nic,
35213 diff -urNp linux-2.6.39.1/drivers/net/sh_eth.c linux-2.6.39.1/drivers/net/sh_eth.c
35214 --- linux-2.6.39.1/drivers/net/sh_eth.c 2011-05-19 00:06:34.000000000 -0400
35215 +++ linux-2.6.39.1/drivers/net/sh_eth.c 2011-05-22 19:36:31.000000000 -0400
35216 @@ -1360,7 +1360,7 @@ static void sh_eth_get_strings(struct ne
35217 }
35218 }
35219
35220 -static struct ethtool_ops sh_eth_ethtool_ops = {
35221 +static const struct ethtool_ops sh_eth_ethtool_ops = {
35222 .get_settings = sh_eth_get_settings,
35223 .set_settings = sh_eth_set_settings,
35224 .nway_reset = sh_eth_nway_reset,
35225 diff -urNp linux-2.6.39.1/drivers/net/stmmac/stmmac_ethtool.c linux-2.6.39.1/drivers/net/stmmac/stmmac_ethtool.c
35226 --- linux-2.6.39.1/drivers/net/stmmac/stmmac_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35227 +++ linux-2.6.39.1/drivers/net/stmmac/stmmac_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35228 @@ -348,7 +348,7 @@ static int stmmac_set_wol(struct net_dev
35229 return 0;
35230 }
35231
35232 -static struct ethtool_ops stmmac_ethtool_ops = {
35233 +static const struct ethtool_ops stmmac_ethtool_ops = {
35234 .begin = stmmac_check_if_running,
35235 .get_drvinfo = stmmac_ethtool_getdrvinfo,
35236 .get_settings = stmmac_ethtool_getsettings,
35237 diff -urNp linux-2.6.39.1/drivers/net/sungem_phy.c linux-2.6.39.1/drivers/net/sungem_phy.c
35238 --- linux-2.6.39.1/drivers/net/sungem_phy.c 2011-05-19 00:06:34.000000000 -0400
35239 +++ linux-2.6.39.1/drivers/net/sungem_phy.c 2011-05-22 19:36:31.000000000 -0400
35240 @@ -886,7 +886,7 @@ static int marvell_read_link(struct mii_
35241 SUPPORTED_1000baseT_Half | SUPPORTED_1000baseT_Full)
35242
35243 /* Broadcom BCM 5201 */
35244 -static struct mii_phy_ops bcm5201_phy_ops = {
35245 +static const struct mii_phy_ops bcm5201_phy_ops = {
35246 .init = bcm5201_init,
35247 .suspend = bcm5201_suspend,
35248 .setup_aneg = genmii_setup_aneg,
35249 @@ -905,7 +905,7 @@ static struct mii_phy_def bcm5201_phy_de
35250 };
35251
35252 /* Broadcom BCM 5221 */
35253 -static struct mii_phy_ops bcm5221_phy_ops = {
35254 +static const struct mii_phy_ops bcm5221_phy_ops = {
35255 .suspend = bcm5221_suspend,
35256 .init = bcm5221_init,
35257 .setup_aneg = genmii_setup_aneg,
35258 @@ -924,7 +924,7 @@ static struct mii_phy_def bcm5221_phy_de
35259 };
35260
35261 /* Broadcom BCM 5241 */
35262 -static struct mii_phy_ops bcm5241_phy_ops = {
35263 +static const struct mii_phy_ops bcm5241_phy_ops = {
35264 .suspend = bcm5241_suspend,
35265 .init = bcm5241_init,
35266 .setup_aneg = genmii_setup_aneg,
35267 @@ -942,7 +942,7 @@ static struct mii_phy_def bcm5241_phy_de
35268 };
35269
35270 /* Broadcom BCM 5400 */
35271 -static struct mii_phy_ops bcm5400_phy_ops = {
35272 +static const struct mii_phy_ops bcm5400_phy_ops = {
35273 .init = bcm5400_init,
35274 .suspend = bcm5400_suspend,
35275 .setup_aneg = bcm54xx_setup_aneg,
35276 @@ -961,7 +961,7 @@ static struct mii_phy_def bcm5400_phy_de
35277 };
35278
35279 /* Broadcom BCM 5401 */
35280 -static struct mii_phy_ops bcm5401_phy_ops = {
35281 +static const struct mii_phy_ops bcm5401_phy_ops = {
35282 .init = bcm5401_init,
35283 .suspend = bcm5401_suspend,
35284 .setup_aneg = bcm54xx_setup_aneg,
35285 @@ -980,7 +980,7 @@ static struct mii_phy_def bcm5401_phy_de
35286 };
35287
35288 /* Broadcom BCM 5411 */
35289 -static struct mii_phy_ops bcm5411_phy_ops = {
35290 +static const struct mii_phy_ops bcm5411_phy_ops = {
35291 .init = bcm5411_init,
35292 .suspend = generic_suspend,
35293 .setup_aneg = bcm54xx_setup_aneg,
35294 @@ -999,7 +999,7 @@ static struct mii_phy_def bcm5411_phy_de
35295 };
35296
35297 /* Broadcom BCM 5421 */
35298 -static struct mii_phy_ops bcm5421_phy_ops = {
35299 +static const struct mii_phy_ops bcm5421_phy_ops = {
35300 .init = bcm5421_init,
35301 .suspend = generic_suspend,
35302 .setup_aneg = bcm54xx_setup_aneg,
35303 @@ -1019,7 +1019,7 @@ static struct mii_phy_def bcm5421_phy_de
35304 };
35305
35306 /* Broadcom BCM 5421 built-in K2 */
35307 -static struct mii_phy_ops bcm5421k2_phy_ops = {
35308 +static const struct mii_phy_ops bcm5421k2_phy_ops = {
35309 .init = bcm5421_init,
35310 .suspend = generic_suspend,
35311 .setup_aneg = bcm54xx_setup_aneg,
35312 @@ -1037,7 +1037,7 @@ static struct mii_phy_def bcm5421k2_phy_
35313 .ops = &bcm5421k2_phy_ops
35314 };
35315
35316 -static struct mii_phy_ops bcm5461_phy_ops = {
35317 +static const struct mii_phy_ops bcm5461_phy_ops = {
35318 .init = bcm5421_init,
35319 .suspend = generic_suspend,
35320 .setup_aneg = bcm54xx_setup_aneg,
35321 @@ -1057,7 +1057,7 @@ static struct mii_phy_def bcm5461_phy_de
35322 };
35323
35324 /* Broadcom BCM 5462 built-in Vesta */
35325 -static struct mii_phy_ops bcm5462V_phy_ops = {
35326 +static const struct mii_phy_ops bcm5462V_phy_ops = {
35327 .init = bcm5421_init,
35328 .suspend = generic_suspend,
35329 .setup_aneg = bcm54xx_setup_aneg,
35330 @@ -1076,7 +1076,7 @@ static struct mii_phy_def bcm5462V_phy_d
35331 };
35332
35333 /* Marvell 88E1101 amd 88E1111 */
35334 -static struct mii_phy_ops marvell88e1101_phy_ops = {
35335 +static const struct mii_phy_ops marvell88e1101_phy_ops = {
35336 .suspend = generic_suspend,
35337 .setup_aneg = marvell_setup_aneg,
35338 .setup_forced = marvell_setup_forced,
35339 @@ -1084,7 +1084,7 @@ static struct mii_phy_ops marvell88e1101
35340 .read_link = marvell_read_link
35341 };
35342
35343 -static struct mii_phy_ops marvell88e1111_phy_ops = {
35344 +static const struct mii_phy_ops marvell88e1111_phy_ops = {
35345 .init = marvell88e1111_init,
35346 .suspend = generic_suspend,
35347 .setup_aneg = marvell_setup_aneg,
35348 @@ -1122,7 +1122,7 @@ static struct mii_phy_def marvell88e1111
35349 };
35350
35351 /* Generic implementation for most 10/100 PHYs */
35352 -static struct mii_phy_ops generic_phy_ops = {
35353 +static const struct mii_phy_ops generic_phy_ops = {
35354 .setup_aneg = genmii_setup_aneg,
35355 .setup_forced = genmii_setup_forced,
35356 .poll_link = genmii_poll_link,
35357 diff -urNp linux-2.6.39.1/drivers/net/tg3.h linux-2.6.39.1/drivers/net/tg3.h
35358 --- linux-2.6.39.1/drivers/net/tg3.h 2011-05-19 00:06:34.000000000 -0400
35359 +++ linux-2.6.39.1/drivers/net/tg3.h 2011-05-22 19:36:31.000000000 -0400
35360 @@ -131,6 +131,7 @@
35361 #define CHIPREV_ID_5750_A0 0x4000
35362 #define CHIPREV_ID_5750_A1 0x4001
35363 #define CHIPREV_ID_5750_A3 0x4003
35364 +#define CHIPREV_ID_5750_C1 0x4201
35365 #define CHIPREV_ID_5750_C2 0x4202
35366 #define CHIPREV_ID_5752_A0_HW 0x5000
35367 #define CHIPREV_ID_5752_A0 0x6000
35368 diff -urNp linux-2.6.39.1/drivers/net/tile/tilepro.c linux-2.6.39.1/drivers/net/tile/tilepro.c
35369 --- linux-2.6.39.1/drivers/net/tile/tilepro.c 2011-05-19 00:06:34.000000000 -0400
35370 +++ linux-2.6.39.1/drivers/net/tile/tilepro.c 2011-05-22 19:36:31.000000000 -0400
35371 @@ -2263,7 +2263,7 @@ static int tile_net_get_mac(struct net_d
35372 }
35373
35374
35375 -static struct net_device_ops tile_net_ops = {
35376 +static const struct net_device_ops tile_net_ops = {
35377 .ndo_open = tile_net_open,
35378 .ndo_stop = tile_net_stop,
35379 .ndo_start_xmit = tile_net_tx,
35380 diff -urNp linux-2.6.39.1/drivers/net/tulip/de2104x.c linux-2.6.39.1/drivers/net/tulip/de2104x.c
35381 --- linux-2.6.39.1/drivers/net/tulip/de2104x.c 2011-05-19 00:06:34.000000000 -0400
35382 +++ linux-2.6.39.1/drivers/net/tulip/de2104x.c 2011-05-22 19:36:31.000000000 -0400
35383 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
35384 struct de_srom_info_leaf *il;
35385 void *bufp;
35386
35387 + pax_track_stack();
35388 +
35389 /* download entire eeprom */
35390 for (i = 0; i < DE_EEPROM_WORDS; i++)
35391 ((__le16 *)ee_data)[i] =
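Review bot: The added `pax_track_stack();` call has no comment, so a reader of de21041_get_srom_info cannot tell why it is there or when it could be dropped. The local that presumably motivates it is declared above the hunk and is not visible here. A one-line comment would be enough, for example `/* large on-stack buffer: record stack depth for the PaX stack-clearing code */`. The same applies to the other bare `pax_track_stack();` insertions in this part of the patch (vxge-main.c, cycx_x25.c, usb-fw.c, airo.c, the ath5k and ath9k debug files, ipw2x00, iwl-agn-rs.c). The function body starts and ends outside the hunk.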
35392 diff -urNp linux-2.6.39.1/drivers/net/tulip/de4x5.c linux-2.6.39.1/drivers/net/tulip/de4x5.c
35393 --- linux-2.6.39.1/drivers/net/tulip/de4x5.c 2011-05-19 00:06:34.000000000 -0400
35394 +++ linux-2.6.39.1/drivers/net/tulip/de4x5.c 2011-05-22 19:36:31.000000000 -0400
35395 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
35396 for (i=0; i<ETH_ALEN; i++) {
35397 tmp.addr[i] = dev->dev_addr[i];
35398 }
35399 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35400 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35401 break;
35402
35403 case DE4X5_SET_HWADDR: /* Set the hardware address */
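Review bot: An oversized `ioc->len` is reported as `-EFAULT`, the same code as a faulting user pointer, because the new length test shares one `if` with `copy_to_user()`. Splitting it makes the two failures distinguishable and the line easier to read: `if (ioc->len > sizeof tmp.addr) return -EINVAL;` followed by the original `copy_to_user` line. The DE4X5_GET_STATS hunk that follows has the same shape. de4x5_ioctl starts and ends outside the hunk.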
35404 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
35405 spin_lock_irqsave(&lp->lock, flags);
35406 memcpy(&statbuf, &lp->pktStats, ioc->len);
35407 spin_unlock_irqrestore(&lp->lock, flags);
35408 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35409 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35410 return -EFAULT;
35411 break;
35412 }
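Review bot: The new `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines earlier. If `ioc->len` still holds the caller's value at that point, the stack buffer has already been overrun and `lp->pktStats` over-read, under the spinlock, before the request is rejected. Whether `ioc->len` is reset above the hunk is not visible here. If it is not, the bound belongs ahead of `spin_lock_irqsave`, e.g. `if (ioc->len > sizeof statbuf) return -EINVAL;`. The enclosing case block starts outside the hunk.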
35413 diff -urNp linux-2.6.39.1/drivers/net/usb/asix.c linux-2.6.39.1/drivers/net/usb/asix.c
35414 --- linux-2.6.39.1/drivers/net/usb/asix.c 2011-05-19 00:06:34.000000000 -0400
35415 +++ linux-2.6.39.1/drivers/net/usb/asix.c 2011-05-22 19:36:31.000000000 -0400
35416 @@ -1098,7 +1098,7 @@ out:
35417 return ret;
35418 }
35419
35420 -static struct ethtool_ops ax88178_ethtool_ops = {
35421 +static const struct ethtool_ops ax88178_ethtool_ops = {
35422 .get_drvinfo = asix_get_drvinfo,
35423 .get_link = asix_get_link,
35424 .get_msglevel = usbnet_get_msglevel,
35425 diff -urNp linux-2.6.39.1/drivers/net/usb/cdc_ncm.c linux-2.6.39.1/drivers/net/usb/cdc_ncm.c
35426 --- linux-2.6.39.1/drivers/net/usb/cdc_ncm.c 2011-05-19 00:06:34.000000000 -0400
35427 +++ linux-2.6.39.1/drivers/net/usb/cdc_ncm.c 2011-05-22 19:36:31.000000000 -0400
35428 @@ -141,7 +141,7 @@ struct cdc_ncm_ctx {
35429 static void cdc_ncm_tx_timeout(unsigned long arg);
35430 static const struct driver_info cdc_ncm_info;
35431 static struct usb_driver cdc_ncm_driver;
35432 -static struct ethtool_ops cdc_ncm_ethtool_ops;
35433 +static const struct ethtool_ops cdc_ncm_ethtool_ops;
35434
35435 static const struct usb_device_id cdc_devs[] = {
35436 { USB_INTERFACE_INFO(USB_CLASS_COMM,
35437 @@ -1257,7 +1257,7 @@ static struct usb_driver cdc_ncm_driver
35438 .supports_autosuspend = 1,
35439 };
35440
35441 -static struct ethtool_ops cdc_ncm_ethtool_ops = {
35442 +static const struct ethtool_ops cdc_ncm_ethtool_ops = {
35443 .get_drvinfo = cdc_ncm_get_drvinfo,
35444 .get_link = usbnet_get_link,
35445 .get_msglevel = usbnet_get_msglevel,
35446 diff -urNp linux-2.6.39.1/drivers/net/usb/hso.c linux-2.6.39.1/drivers/net/usb/hso.c
35447 --- linux-2.6.39.1/drivers/net/usb/hso.c 2011-05-19 00:06:34.000000000 -0400
35448 +++ linux-2.6.39.1/drivers/net/usb/hso.c 2011-05-22 19:36:31.000000000 -0400
35449 @@ -71,7 +71,7 @@
35450 #include <asm/byteorder.h>
35451 #include <linux/serial_core.h>
35452 #include <linux/serial.h>
35453 -
35454 +#include <asm/local.h>
35455
35456 #define MOD_AUTHOR "Option Wireless"
35457 #define MOD_DESCRIPTION "USB High Speed Option driver"
35458 @@ -257,7 +257,7 @@ struct hso_serial {
35459
35460 /* from usb_serial_port */
35461 struct tty_struct *tty;
35462 - int open_count;
35463 + local_t open_count;
35464 spinlock_t serial_lock;
35465
35466 int (*write_data) (struct hso_serial *serial);
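Review bot: `local_t` is the kernel's per-CPU counter type, and its operations are only guaranteed atomic with respect to the CPU that owns the variable, whereas `open_count` is a member of the per-device `struct hso_serial`. Later hunks in this file read it from the URB read callbacks and `intr_callback` and modify it in open and close, which may run on different CPUs. If the intent is an atomic open counter, `atomic_t open_count;` with `atomic_read`/`atomic_inc_return`/`atomic_dec` looks like the matching type. If `local_t` is deliberate, a comment on the field saying why would help.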
35467 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
35468 struct urb *urb;
35469
35470 urb = serial->rx_urb[0];
35471 - if (serial->open_count > 0) {
35472 + if (local_read(&serial->open_count) > 0) {
35473 count = put_rxbuf_data(urb, serial);
35474 if (count == -1)
35475 return;
35476 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
35477 DUMP1(urb->transfer_buffer, urb->actual_length);
35478
35479 /* Anyone listening? */
35480 - if (serial->open_count == 0)
35481 + if (local_read(&serial->open_count) == 0)
35482 return;
35483
35484 if (status == 0) {
35485 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35486 spin_unlock_irq(&serial->serial_lock);
35487
35488 /* check for port already opened, if not set the termios */
35489 - serial->open_count++;
35490 - if (serial->open_count == 1) {
35491 + if (local_inc_return(&serial->open_count) == 1) {
35492 serial->rx_state = RX_IDLE;
35493 /* Force default termio settings */
35494 _hso_serial_set_termios(tty, NULL);
35495 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
35496 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35497 if (result) {
35498 hso_stop_serial_device(serial->parent);
35499 - serial->open_count--;
35500 + local_dec(&serial->open_count);
35501 kref_put(&serial->parent->ref, hso_serial_ref_free);
35502 }
35503 } else {
35504 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
35505
35506 /* reset the rts and dtr */
35507 /* do the actual close */
35508 - serial->open_count--;
35509 + local_dec(&serial->open_count);
35510
35511 - if (serial->open_count <= 0) {
35512 - serial->open_count = 0;
35513 + if (local_read(&serial->open_count) <= 0) {
35514 + local_set(&serial->open_count, 0);
35515 spin_lock_irq(&serial->serial_lock);
35516 if (serial->tty == tty) {
35517 serial->tty->driver_data = NULL;
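Review bot: In hso_serial_close the decrement and the test are still two separate operations (`local_dec`, then `local_read`). Unless open and close are serialized by a lock not visible in this hunk, the `<= 0` branch can act on a value another caller changed in between. The open path in this patch already uses `local_inc_return`, so the matching form here is `if (local_dec_return(&serial->open_count) <= 0) {`. The `local_set(&serial->open_count, 0)` clamp that follows hides an unbalanced close rather than reporting it, so a `WARN_ON` for a negative count may be worth adding. The function body continues outside the hunk.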
35518 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
35519
35520 /* the actual setup */
35521 spin_lock_irqsave(&serial->serial_lock, flags);
35522 - if (serial->open_count)
35523 + if (local_read(&serial->open_count))
35524 _hso_serial_set_termios(tty, old);
35525 else
35526 tty->termios = old;
35527 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
35528 D1("Pending read interrupt on port %d\n", i);
35529 spin_lock(&serial->serial_lock);
35530 if (serial->rx_state == RX_IDLE &&
35531 - serial->open_count > 0) {
35532 + local_read(&serial->open_count) > 0) {
35533 /* Setup and send a ctrl req read on
35534 * port i */
35535 if (!serial->rx_urb_filled[0]) {
35536 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35537 /* Start all serial ports */
35538 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35539 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35540 - if (dev2ser(serial_table[i])->open_count) {
35541 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35542 result =
35543 hso_start_serial_device(serial_table[i], GFP_NOIO);
35544 hso_kick_transmit(dev2ser(serial_table[i]));
35545 diff -urNp linux-2.6.39.1/drivers/net/usb/ipheth.c linux-2.6.39.1/drivers/net/usb/ipheth.c
35546 --- linux-2.6.39.1/drivers/net/usb/ipheth.c 2011-05-19 00:06:34.000000000 -0400
35547 +++ linux-2.6.39.1/drivers/net/usb/ipheth.c 2011-05-22 19:36:31.000000000 -0400
35548 @@ -421,7 +421,7 @@ static u32 ipheth_ethtool_op_get_link(st
35549 return netif_carrier_ok(dev->net);
35550 }
35551
35552 -static struct ethtool_ops ops = {
35553 +static const struct ethtool_ops ops = {
35554 .get_link = ipheth_ethtool_op_get_link
35555 };
35556
35557 diff -urNp linux-2.6.39.1/drivers/net/usb/sierra_net.c linux-2.6.39.1/drivers/net/usb/sierra_net.c
35558 --- linux-2.6.39.1/drivers/net/usb/sierra_net.c 2011-05-19 00:06:34.000000000 -0400
35559 +++ linux-2.6.39.1/drivers/net/usb/sierra_net.c 2011-05-22 19:36:31.000000000 -0400
35560 @@ -618,7 +618,7 @@ static u32 sierra_net_get_link(struct ne
35561 return sierra_net_get_private(dev)->link_up && netif_running(net);
35562 }
35563
35564 -static struct ethtool_ops sierra_net_ethtool_ops = {
35565 +static const struct ethtool_ops sierra_net_ethtool_ops = {
35566 .get_drvinfo = sierra_net_get_drvinfo,
35567 .get_link = sierra_net_get_link,
35568 .get_msglevel = usbnet_get_msglevel,
35569 diff -urNp linux-2.6.39.1/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.39.1/drivers/net/vmxnet3/vmxnet3_ethtool.c
35570 --- linux-2.6.39.1/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35571 +++ linux-2.6.39.1/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35572 @@ -631,8 +631,7 @@ vmxnet3_set_rss_indir(struct net_device
35573 * Return with error code if any of the queue indices
35574 * is out of range
35575 */
35576 - if (p->ring_index[i] < 0 ||
35577 - p->ring_index[i] >= adapter->num_rx_queues)
35578 + if (p->ring_index[i] >= adapter->num_rx_queues)
35579 return -EINVAL;
35580 }
35581
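Review bot: Dropping the `p->ring_index[i] < 0` test only preserves behaviour if `ring_index[]` has an unsigned element type, and its declaration is not in this hunk. Assuming it is unsigned, a short comment keeps the next reader from re-adding the lower bound: `/* ring_index[] is unsigned: only the upper bound can be violated */`. It is also worth confirming that `adapter->num_rx_queues` can never be negative, since a signed value would be converted to unsigned in this comparison.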
35582 diff -urNp linux-2.6.39.1/drivers/net/vxge/vxge-main.c linux-2.6.39.1/drivers/net/vxge/vxge-main.c
35583 --- linux-2.6.39.1/drivers/net/vxge/vxge-main.c 2011-05-19 00:06:34.000000000 -0400
35584 +++ linux-2.6.39.1/drivers/net/vxge/vxge-main.c 2011-05-22 19:36:31.000000000 -0400
35585 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35586 struct sk_buff *completed[NR_SKB_COMPLETED];
35587 int more;
35588
35589 + pax_track_stack();
35590 +
35591 do {
35592 more = 0;
35593 skb_ptr = completed;
35594 @@ -1927,6 +1929,8 @@ static enum vxge_hw_status vxge_rth_conf
35595 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35596 int index;
35597
35598 + pax_track_stack();
35599 +
35600 /*
35601 * Filling
35602 * - itable with bucket numbers
35603 diff -urNp linux-2.6.39.1/drivers/net/wan/cycx_x25.c linux-2.6.39.1/drivers/net/wan/cycx_x25.c
35604 --- linux-2.6.39.1/drivers/net/wan/cycx_x25.c 2011-05-19 00:06:34.000000000 -0400
35605 +++ linux-2.6.39.1/drivers/net/wan/cycx_x25.c 2011-05-22 19:36:31.000000000 -0400
35606 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
35607 unsigned char hex[1024],
35608 * phex = hex;
35609
35610 + pax_track_stack();
35611 +
35612 if (len >= (sizeof(hex) / 2))
35613 len = (sizeof(hex) / 2) - 1;
35614
35615 diff -urNp linux-2.6.39.1/drivers/net/wan/lapbether.c linux-2.6.39.1/drivers/net/wan/lapbether.c
35616 --- linux-2.6.39.1/drivers/net/wan/lapbether.c 2011-05-19 00:06:34.000000000 -0400
35617 +++ linux-2.6.39.1/drivers/net/wan/lapbether.c 2011-05-22 19:36:31.000000000 -0400
35618 @@ -259,7 +259,7 @@ static int lapbeth_set_mac_address(struc
35619 }
35620
35621
35622 -static struct lapb_register_struct lapbeth_callbacks = {
35623 +static const struct lapb_register_struct lapbeth_callbacks = {
35624 .connect_confirmation = lapbeth_connected,
35625 .connect_indication = lapbeth_connected,
35626 .disconnect_confirmation = lapbeth_disconnected,
35627 diff -urNp linux-2.6.39.1/drivers/net/wan/x25_asy.c linux-2.6.39.1/drivers/net/wan/x25_asy.c
35628 --- linux-2.6.39.1/drivers/net/wan/x25_asy.c 2011-05-19 00:06:34.000000000 -0400
35629 +++ linux-2.6.39.1/drivers/net/wan/x25_asy.c 2011-05-22 19:36:31.000000000 -0400
35630 @@ -434,7 +434,7 @@ static void x25_asy_disconnected(struct
35631 netif_rx(skb);
35632 }
35633
35634 -static struct lapb_register_struct x25_asy_callbacks = {
35635 +static const struct lapb_register_struct x25_asy_callbacks = {
35636 .connect_confirmation = x25_asy_connected,
35637 .connect_indication = x25_asy_connected,
35638 .disconnect_confirmation = x25_asy_disconnected,
35639 diff -urNp linux-2.6.39.1/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.39.1/drivers/net/wimax/i2400m/usb-fw.c
35640 --- linux-2.6.39.1/drivers/net/wimax/i2400m/usb-fw.c 2011-05-19 00:06:34.000000000 -0400
35641 +++ linux-2.6.39.1/drivers/net/wimax/i2400m/usb-fw.c 2011-05-22 19:36:31.000000000 -0400
35642 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
35643 int do_autopm = 1;
35644 DECLARE_COMPLETION_ONSTACK(notif_completion);
35645
35646 + pax_track_stack();
35647 +
35648 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
35649 i2400m, ack, ack_size);
35650 BUG_ON(_ack == i2400m->bm_ack_buf);
35651 diff -urNp linux-2.6.39.1/drivers/net/wireless/airo.c linux-2.6.39.1/drivers/net/wireless/airo.c
35652 --- linux-2.6.39.1/drivers/net/wireless/airo.c 2011-05-19 00:06:34.000000000 -0400
35653 +++ linux-2.6.39.1/drivers/net/wireless/airo.c 2011-05-22 19:36:31.000000000 -0400
35654 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
35655 BSSListElement * loop_net;
35656 BSSListElement * tmp_net;
35657
35658 + pax_track_stack();
35659 +
35660 /* Blow away current list of scan results */
35661 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
35662 list_move_tail (&loop_net->list, &ai->network_free_list);
35663 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
35664 WepKeyRid wkr;
35665 int rc;
35666
35667 + pax_track_stack();
35668 +
35669 memset( &mySsid, 0, sizeof( mySsid ) );
35670 kfree (ai->flash);
35671 ai->flash = NULL;
35672 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
35673 __le32 *vals = stats.vals;
35674 int len;
35675
35676 + pax_track_stack();
35677 +
35678 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35679 return -ENOMEM;
35680 data = file->private_data;
35681 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
35682 /* If doLoseSync is not 1, we won't do a Lose Sync */
35683 int doLoseSync = -1;
35684
35685 + pax_track_stack();
35686 +
35687 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35688 return -ENOMEM;
35689 data = file->private_data;
35690 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
35691 int i;
35692 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
35693
35694 + pax_track_stack();
35695 +
35696 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
35697 if (!qual)
35698 return -ENOMEM;
35699 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
35700 CapabilityRid cap_rid;
35701 __le32 *vals = stats_rid.vals;
35702
35703 + pax_track_stack();
35704 +
35705 /* Get stats out of the card */
35706 clear_bit(JOB_WSTATS, &local->jobs);
35707 if (local->power.event) {
35708 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.39.1/drivers/net/wireless/ath/ath5k/debug.c
35709 --- linux-2.6.39.1/drivers/net/wireless/ath/ath5k/debug.c 2011-05-19 00:06:34.000000000 -0400
35710 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath5k/debug.c 2011-05-22 19:36:31.000000000 -0400
35711 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
35712 unsigned int v;
35713 u64 tsf;
35714
35715 + pax_track_stack();
35716 +
35717 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
35718 len += snprintf(buf+len, sizeof(buf)-len,
35719 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
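Review bot: The context lines accumulate with `len += snprintf(buf+len, sizeof(buf)-len, ...)`, and snprintf() returns the length that would have been written. Once output is truncated, `len` exceeds `sizeof(buf)` and the next `sizeof(buf)-len` wraps as an unsigned value. The patch adds stack tracking to read_file_beacon but leaves this pattern in place; `scnprintf()` returns the bytes actually stored and keeps `len` inside the buffer: `len += scnprintf(buf+len, sizeof(buf)-len,`. The same pattern appears in the other read_file_* hunks of ath5k/debug.c and in the ath9k debug.c and htc_drv_main.c hunks. The buffer declaration and the end of the function are outside the hunk.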
35720 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
35721 unsigned int len = 0;
35722 unsigned int i;
35723
35724 + pax_track_stack();
35725 +
35726 len += snprintf(buf+len, sizeof(buf)-len,
35727 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
35728
35729 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
35730 unsigned int i;
35731 unsigned int v;
35732
35733 + pax_track_stack();
35734 +
35735 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
35736 sc->ah->ah_ant_mode);
35737 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
35738 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
35739 unsigned int len = 0;
35740 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
35741
35742 + pax_track_stack();
35743 +
35744 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
35745 sc->bssidmask);
35746 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
35747 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
35748 unsigned int len = 0;
35749 int i;
35750
35751 + pax_track_stack();
35752 +
35753 len += snprintf(buf+len, sizeof(buf)-len,
35754 "RX\n---------------------\n");
35755 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
35756 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
35757 char buf[700];
35758 unsigned int len = 0;
35759
35760 + pax_track_stack();
35761 +
35762 len += snprintf(buf+len, sizeof(buf)-len,
35763 "HW has PHY error counters:\t%s\n",
35764 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
35765 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
35766 struct ath5k_buf *bf, *bf0;
35767 int i, n;
35768
35769 + pax_track_stack();
35770 +
35771 len += snprintf(buf+len, sizeof(buf)-len,
35772 "available txbuffers: %d\n", sc->txbuf_len);
35773
35774 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c
35775 --- linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-19 00:06:34.000000000 -0400
35776 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-22 19:36:31.000000000 -0400
35777 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
35778 s32 i, j, ip, im, nmeasurement;
35779 u8 nchains = get_streams(common->tx_chainmask);
35780
35781 + pax_track_stack();
35782 +
35783 for (ip = 0; ip < MPASS; ip++) {
35784 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
35785 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
35786 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
35787 int i, ip, im, j;
35788 int nmeasurement;
35789
35790 + pax_track_stack();
35791 +
35792 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
35793 if (ah->txchainmask & (1 << i))
35794 num_chains++;
35795 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
35796 --- linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-19 00:06:34.000000000 -0400
35797 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-22 19:36:31.000000000 -0400
35798 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
35799 int theta_low_bin = 0;
35800 int i;
35801
35802 + pax_track_stack();
35803 +
35804 /* disregard any bin that contains <= 16 samples */
35805 thresh_accum_cnt = 16;
35806 scale_factor = 5;
35807 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.39.1/drivers/net/wireless/ath/ath9k/debug.c
35808 --- linux-2.6.39.1/drivers/net/wireless/ath/ath9k/debug.c 2011-05-19 00:06:34.000000000 -0400
35809 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath9k/debug.c 2011-05-22 19:36:31.000000000 -0400
35810 @@ -335,6 +335,8 @@ static ssize_t read_file_interrupt(struc
35811 char buf[512];
35812 unsigned int len = 0;
35813
35814 + pax_track_stack();
35815 +
35816 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
35817 len += snprintf(buf + len, sizeof(buf) - len,
35818 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
35819 @@ -422,6 +424,8 @@ static ssize_t read_file_wiphy(struct fi
35820 u8 addr[ETH_ALEN];
35821 u32 tmp;
35822
35823 + pax_track_stack();
35824 +
35825 len += snprintf(buf + len, sizeof(buf) - len,
35826 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
35827 wiphy_name(sc->hw->wiphy),
35828 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc_drv_main.c
35829 --- linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-19 00:06:34.000000000 -0400
35830 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-22 19:36:31.000000000 -0400
35831 @@ -737,6 +737,8 @@ static ssize_t read_file_tgt_stats(struc
35832 unsigned int len = 0;
35833 int ret = 0;
35834
35835 + pax_track_stack();
35836 +
35837 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
35838
35839 WMI_CMD(WMI_TGT_STATS_CMDID);
35840 @@ -782,6 +784,8 @@ static ssize_t read_file_xmit(struct fil
35841 char buf[512];
35842 unsigned int len = 0;
35843
35844 + pax_track_stack();
35845 +
35846 len += snprintf(buf + len, sizeof(buf) - len,
35847 "%20s : %10u\n", "Buffers queued",
35848 priv->debug.tx_stats.buf_queued);
35849 @@ -831,6 +835,8 @@ static ssize_t read_file_recv(struct fil
35850 char buf[512];
35851 unsigned int len = 0;
35852
35853 + pax_track_stack();
35854 +
35855 len += snprintf(buf + len, sizeof(buf) - len,
35856 "%20s : %10u\n", "SKBs allocated",
35857 priv->debug.rx_stats.skb_allocated);
35858 @@ -1816,7 +1822,7 @@ static void ath9k_htc_set_coverage_class
35859 mutex_unlock(&priv->mutex);
35860 }
35861
35862 -struct ieee80211_ops ath9k_htc_ops = {
35863 +const struct ieee80211_ops ath9k_htc_ops = {
35864 .tx = ath9k_htc_tx,
35865 .start = ath9k_htc_start,
35866 .stop = ath9k_htc_stop,
35867 diff -urNp linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc.h linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc.h
35868 --- linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc.h 2011-05-19 00:06:34.000000000 -0400
35869 +++ linux-2.6.39.1/drivers/net/wireless/ath/ath9k/htc.h 2011-05-22 19:36:31.000000000 -0400
35870 @@ -42,7 +42,7 @@
35871 #define TSF_TO_TU(_h, _l) \
35872 ((((u32)(_h)) << 22) | (((u32)(_l)) >> 10))
35873
35874 -extern struct ieee80211_ops ath9k_htc_ops;
35875 +extern const struct ieee80211_ops ath9k_htc_ops;
35876 extern int htc_modparam_nohwcrypt;
35877
35878 enum htc_phymode {
35879 diff -urNp linux-2.6.39.1/drivers/net/wireless/b43/debugfs.c linux-2.6.39.1/drivers/net/wireless/b43/debugfs.c
35880 --- linux-2.6.39.1/drivers/net/wireless/b43/debugfs.c 2011-05-19 00:06:34.000000000 -0400
35881 +++ linux-2.6.39.1/drivers/net/wireless/b43/debugfs.c 2011-05-22 19:36:31.000000000 -0400
35882 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
35883 struct b43_debugfs_fops {
35884 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
35885 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
35886 - struct file_operations fops;
35887 + const struct file_operations fops;
35888 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
35889 size_t file_struct_offset;
35890 };
35891 diff -urNp linux-2.6.39.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.39.1/drivers/net/wireless/b43legacy/debugfs.c
35892 --- linux-2.6.39.1/drivers/net/wireless/b43legacy/debugfs.c 2011-05-19 00:06:34.000000000 -0400
35893 +++ linux-2.6.39.1/drivers/net/wireless/b43legacy/debugfs.c 2011-05-22 19:36:31.000000000 -0400
35894 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
35895 struct b43legacy_debugfs_fops {
35896 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
35897 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
35898 - struct file_operations fops;
35899 + const struct file_operations fops;
35900 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
35901 size_t file_struct_offset;
35902 /* Take wl->irq_lock before calling read/write? */
35903 diff -urNp linux-2.6.39.1/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.39.1/drivers/net/wireless/ipw2x00/ipw2100.c
35904 --- linux-2.6.39.1/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-19 00:06:34.000000000 -0400
35905 +++ linux-2.6.39.1/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-22 19:36:31.000000000 -0400
35906 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
35907 int err;
35908 DECLARE_SSID_BUF(ssid);
35909
35910 + pax_track_stack();
35911 +
35912 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
35913
35914 if (ssid_len)
35915 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
35916 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
35917 int err;
35918
35919 + pax_track_stack();
35920 +
35921 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
35922 idx, keylen, len);
35923
35924 diff -urNp linux-2.6.39.1/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.39.1/drivers/net/wireless/ipw2x00/libipw_rx.c
35925 --- linux-2.6.39.1/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-19 00:06:34.000000000 -0400
35926 +++ linux-2.6.39.1/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-22 19:36:31.000000000 -0400
35927 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
35928 unsigned long flags;
35929 DECLARE_SSID_BUF(ssid);
35930
35931 + pax_track_stack();
35932 +
35933 LIBIPW_DEBUG_SCAN("'%s' (%pM"
35934 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
35935 print_ssid(ssid, info_element->data, info_element->len),
35936 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-3945.c linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-3945.c
35937 --- linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-19 00:06:34.000000000 -0400
35938 +++ linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-22 19:36:31.000000000 -0400
35939 @@ -2630,7 +2630,7 @@ static int iwl3945_load_bsm(struct iwl_p
35940 return 0;
35941 }
35942
35943 -static struct iwl_hcmd_ops iwl3945_hcmd = {
35944 +static const struct iwl_hcmd_ops iwl3945_hcmd = {
35945 .rxon_assoc = iwl3945_send_rxon_assoc,
35946 .commit_rxon = iwl3945_commit_rxon,
35947 };
35948 @@ -2675,7 +2675,7 @@ static const struct iwl_legacy_ops iwl39
35949 .manage_ibss_station = iwl3945_manage_ibss_station,
35950 };
35951
35952 -static struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
35953 +static const struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
35954 .get_hcmd_size = iwl3945_get_hcmd_size,
35955 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
35956 .request_scan = iwl3945_request_scan,
35957 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.c linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.c
35958 --- linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-05-19 00:06:34.000000000 -0400
35959 +++ linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-05-22 19:36:32.000000000 -0400
35960 @@ -1904,7 +1904,7 @@ static void iwl4965_rx_handler_setup(str
35961 priv->rx_handlers[BEACON_NOTIFICATION] = iwl4965_rx_beacon_notif;
35962 }
35963
35964 -static struct iwl_hcmd_ops iwl4965_hcmd = {
35965 +static const struct iwl_hcmd_ops iwl4965_hcmd = {
35966 .rxon_assoc = iwl4965_send_rxon_assoc,
35967 .commit_rxon = iwl4965_commit_rxon,
35968 .set_rxon_chain = iwl4965_set_rxon_chain,
35969 @@ -2056,7 +2056,7 @@ static void iwl4965_config_ap(struct iwl
35970 iwl4965_send_beacon_cmd(priv);
35971 }
35972
35973 -static struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
35974 +static const struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
35975 .get_hcmd_size = iwl4965_get_hcmd_size,
35976 .build_addsta_hcmd = iwl4965_build_addsta_hcmd,
35977 .request_scan = iwl4965_request_scan,
35978 @@ -2114,7 +2114,7 @@ static const struct iwl_legacy_ops iwl49
35979 .update_bcast_stations = iwl4965_update_bcast_stations,
35980 };
35981
35982 -struct ieee80211_ops iwl4965_hw_ops = {
35983 +const struct ieee80211_ops iwl4965_hw_ops = {
35984 .tx = iwl4965_mac_tx,
35985 .start = iwl4965_mac_start,
35986 .stop = iwl4965_mac_stop,
35987 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.h linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.h
35988 --- linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-19 00:06:34.000000000 -0400
35989 +++ linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-22 19:36:32.000000000 -0400
35990 @@ -70,7 +70,7 @@ extern struct iwl_cfg iwl4965_cfg;
35991
35992 extern struct iwl_mod_params iwl4965_mod_params;
35993
35994 -extern struct ieee80211_ops iwl4965_hw_ops;
35995 +extern const struct ieee80211_ops iwl4965_hw_ops;
35996
35997 /* tx queue */
35998 void iwl4965_free_tfds_in_queue(struct iwl_priv *priv,
35999 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-core.h linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-core.h
36000 --- linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-core.h 2011-05-19 00:06:34.000000000 -0400
36001 +++ linux-2.6.39.1/drivers/net/wireless/iwlegacy/iwl-core.h 2011-05-22 19:36:32.000000000 -0400
36002 @@ -150,7 +150,7 @@ struct iwl_lib_ops {
36003 int (*set_channel_switch)(struct iwl_priv *priv,
36004 struct ieee80211_channel_switch *ch_switch);
36005 /* power management */
36006 - struct iwl_apm_ops apm_ops;
36007 + const struct iwl_apm_ops apm_ops;
36008
36009 /* power */
36010 int (*send_tx_power) (struct iwl_priv *priv);
36011 @@ -160,12 +160,12 @@ struct iwl_lib_ops {
36012 struct iwl_eeprom_ops eeprom_ops;
36013
36014 /* temperature */
36015 - struct iwl_temp_ops temp_ops;
36016 + const struct iwl_temp_ops temp_ops;
36017 /* check for plcp health */
36018 bool (*check_plcp_health)(struct iwl_priv *priv,
36019 struct iwl_rx_packet *pkt);
36020
36021 - struct iwl_debugfs_ops debugfs_ops;
36022 + const struct iwl_debugfs_ops debugfs_ops;
36023
36024 };
36025
36026 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-6000.c
36027 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-05-19 00:06:34.000000000 -0400
36028 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-05-22 19:36:32.000000000 -0400
36029 @@ -422,11 +422,11 @@ static struct iwl_lib_ops iwl6030_lib =
36030 }
36031 };
36032
36033 -static struct iwl_nic_ops iwl6050_nic_ops = {
36034 +static const struct iwl_nic_ops iwl6050_nic_ops = {
36035 .additional_nic_config = &iwl6050_additional_nic_config,
36036 };
36037
36038 -static struct iwl_nic_ops iwl6150_nic_ops = {
36039 +static const struct iwl_nic_ops iwl6150_nic_ops = {
36040 .additional_nic_config = &iwl6150_additional_nic_config,
36041 };
36042
36043 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn.h linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn.h
36044 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-19 00:06:34.000000000 -0400
36045 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-22 19:36:32.000000000 -0400
36046 @@ -109,9 +109,9 @@ extern struct iwl_cfg iwl230_bg_cfg;
36047 extern struct iwl_cfg iwl230_bgn_cfg;
36048
36049 extern struct iwl_mod_params iwlagn_mod_params;
36050 -extern struct iwl_hcmd_ops iwlagn_hcmd;
36051 -extern struct iwl_hcmd_ops iwlagn_bt_hcmd;
36052 -extern struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36053 +extern const struct iwl_hcmd_ops iwlagn_hcmd;
36054 +extern const struct iwl_hcmd_ops iwlagn_bt_hcmd;
36055 +extern const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36056
36057 extern struct ieee80211_ops iwlagn_hw_ops;
36058 extern struct ieee80211_ops iwl4965_hw_ops;
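Review bot: The two `ieee80211_ops` declarations directly below the changed lines (`iwlagn_hw_ops`, `iwl4965_hw_ops`) stay non-const while the three hcmd tables above them become `const`. The iwlegacy header in this same patch now declares `extern const struct ieee80211_ops iwl4965_hw_ops;`, so the two headers disagree on that symbol's qualifier if one translation unit ever sees both. If the definitions allow it, `extern const struct ieee80211_ops iwlagn_hw_ops;` would keep that callback table read-only as well. The definitions are not in this hunk, so this needs checking against them.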
36059 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c
36060 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-05-19 00:06:34.000000000 -0400
36061 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-05-22 19:36:32.000000000 -0400
36062 @@ -363,7 +363,7 @@ static int iwlagn_set_pan_params(struct
36063 return ret;
36064 }
36065
36066 -struct iwl_hcmd_ops iwlagn_hcmd = {
36067 +const struct iwl_hcmd_ops iwlagn_hcmd = {
36068 .rxon_assoc = iwlagn_send_rxon_assoc,
36069 .commit_rxon = iwlagn_commit_rxon,
36070 .set_rxon_chain = iwlagn_set_rxon_chain,
36071 @@ -372,7 +372,7 @@ struct iwl_hcmd_ops iwlagn_hcmd = {
36072 .set_pan_params = iwlagn_set_pan_params,
36073 };
36074
36075 -struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36076 +const struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36077 .rxon_assoc = iwlagn_send_rxon_assoc,
36078 .commit_rxon = iwlagn_commit_rxon,
36079 .set_rxon_chain = iwlagn_set_rxon_chain,
36080 @@ -381,7 +381,7 @@ struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36081 .set_pan_params = iwlagn_set_pan_params,
36082 };
36083
36084 -struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36085 +const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36086 .get_hcmd_size = iwlagn_get_hcmd_size,
36087 .build_addsta_hcmd = iwlagn_build_addsta_hcmd,
36088 .gain_computation = iwlagn_gain_computation,
36089 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36090 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-19 00:06:34.000000000 -0400
36091 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-22 19:36:32.000000000 -0400
36092 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
36093 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
36094 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
36095
36096 + pax_track_stack();
36097 +
36098 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36099
36100 /* Treat uninitialized rate scaling data same as non-existing. */
36101 @@ -2894,6 +2896,8 @@ static void rs_fill_link_cmd(struct iwl_
36102 container_of(lq_sta, struct iwl_station_priv, lq_sta);
36103 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36104
36105 + pax_track_stack();
36106 +
36107 /* Override starting rate (index 0) if needed for debug purposes */
36108 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36109
36110 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-core.h linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-core.h
36111 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-core.h 2011-05-19 00:06:34.000000000 -0400
36112 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-core.h 2011-05-22 19:36:32.000000000 -0400
36113 @@ -198,28 +198,25 @@ struct iwl_lib_ops {
36114 int (*set_channel_switch)(struct iwl_priv *priv,
36115 struct ieee80211_channel_switch *ch_switch);
36116 /* power management */
36117 - struct iwl_apm_ops apm_ops;
36118 + const struct iwl_apm_ops apm_ops;
36119
36120 /* power */
36121 int (*send_tx_power) (struct iwl_priv *priv);
36122 void (*update_chain_flags)(struct iwl_priv *priv);
36123
36124 /* isr */
36125 - struct iwl_isr_ops isr_ops;
36126 + const struct iwl_isr_ops isr_ops;
36127
36128 /* eeprom operations (as defined in iwl-eeprom.h) */
36129 struct iwl_eeprom_ops eeprom_ops;
36130
36131 /* temperature */
36132 - struct iwl_temp_ops temp_ops;
36133 + const struct iwl_temp_ops temp_ops;
36134
36135 int (*txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36136 void (*dev_txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36137
36138 - struct iwl_debugfs_ops debugfs_ops;
36139 -
36140 - /* thermal throttling */
36141 - struct iwl_tt_ops tt_ops;
36142 + const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;
36143 };
36144
36145 struct iwl_led_ops {
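Review bot: The added line `const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;` declares two members on one physical line and drops the `/* thermal throttling */` comment that the removed lines carried. One member per line, `const struct iwl_debugfs_ops debugfs_ops;` then `/* thermal throttling */` and `const struct iwl_tt_ops tt_ops;`, keeps the layout used for every other member in this hunk. `struct iwl_eeprom_ops eeprom_ops;` stays non-const among the constified members; if that is deliberate, a short comment saying why would help. struct iwl_lib_ops begins before this hunk.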
36146 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36147 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-19 00:06:34.000000000 -0400
36148 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-22 19:36:32.000000000 -0400
36149 @@ -549,6 +549,8 @@ static ssize_t iwl_dbgfs_status_read(str
36150 int pos = 0;
36151 const size_t bufsz = sizeof(buf);
36152
36153 + pax_track_stack();
36154 +
36155 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36156 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36157 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
36158 @@ -681,6 +683,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36159 char buf[256 * NUM_IWL_RXON_CTX];
36160 const size_t bufsz = sizeof(buf);
36161
36162 + pax_track_stack();
36163 +
36164 for_each_context(priv, ctx) {
36165 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
36166 ctx->ctxid);
36167 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debug.h
36168 --- linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-19 00:06:34.000000000 -0400
36169 +++ linux-2.6.39.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-22 19:36:32.000000000 -0400
36170 @@ -68,8 +68,8 @@ do {
36171 } while (0)
36172
36173 #else
36174 -#define IWL_DEBUG(__priv, level, fmt, args...)
36175 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36176 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36177 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36178 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36179 const void *p, u32 len)
36180 {}
36181 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/cfg80211.c linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/cfg80211.c
36182 --- linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
36183 +++ linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
36184 @@ -763,7 +763,7 @@ static int iwm_cfg80211_flush_pmksa(stru
36185 }
36186
36187
36188 -static struct cfg80211_ops iwm_cfg80211_ops = {
36189 +static const struct cfg80211_ops iwm_cfg80211_ops = {
36190 .change_virtual_intf = iwm_cfg80211_change_iface,
36191 .add_key = iwm_cfg80211_add_key,
36192 .get_key = iwm_cfg80211_get_key,
36193 diff -urNp linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/debugfs.c
36194 --- linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36195 +++ linux-2.6.39.1/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36196 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36197 int buf_len = 512;
36198 size_t len = 0;
36199
36200 + pax_track_stack();
36201 +
36202 if (*ppos != 0)
36203 return 0;
36204 if (count < sizeof(buf))
36205 diff -urNp linux-2.6.39.1/drivers/net/wireless/libertas/cfg.c linux-2.6.39.1/drivers/net/wireless/libertas/cfg.c
36206 --- linux-2.6.39.1/drivers/net/wireless/libertas/cfg.c 2011-05-19 00:06:34.000000000 -0400
36207 +++ linux-2.6.39.1/drivers/net/wireless/libertas/cfg.c 2011-05-22 19:36:32.000000000 -0400
36208 @@ -2003,7 +2003,7 @@ static int lbs_leave_ibss(struct wiphy *
36209 * Initialization
36210 */
36211
36212 -static struct cfg80211_ops lbs_cfg80211_ops = {
36213 +static const struct cfg80211_ops lbs_cfg80211_ops = {
36214 .set_channel = lbs_cfg_set_channel,
36215 .scan = lbs_cfg_scan,
36216 .connect = lbs_cfg_connect,
36217 diff -urNp linux-2.6.39.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.39.1/drivers/net/wireless/libertas/debugfs.c
36218 --- linux-2.6.39.1/drivers/net/wireless/libertas/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36219 +++ linux-2.6.39.1/drivers/net/wireless/libertas/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36220 @@ -702,7 +702,7 @@ out_unlock:
36221 struct lbs_debugfs_files {
36222 const char *name;
36223 int perm;
36224 - struct file_operations fops;
36225 + const struct file_operations fops;
36226 };
36227
36228 static const struct lbs_debugfs_files debugfs_files[] = {
36229 diff -urNp linux-2.6.39.1/drivers/net/wireless/rndis_wlan.c linux-2.6.39.1/drivers/net/wireless/rndis_wlan.c
36230 --- linux-2.6.39.1/drivers/net/wireless/rndis_wlan.c 2011-05-19 00:06:34.000000000 -0400
36231 +++ linux-2.6.39.1/drivers/net/wireless/rndis_wlan.c 2011-05-22 19:36:32.000000000 -0400
36232 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
36233
36234 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
36235
36236 - if (rts_threshold < 0 || rts_threshold > 2347)
36237 + if (rts_threshold > 2347)
36238 rts_threshold = 2347;
36239
36240 tmp = cpu_to_le32(rts_threshold);
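Review bot: Dropping `rts_threshold < 0` only preserves behaviour if `rts_threshold` has an unsigned type, and its declaration is outside this hunk (the signature in the hunk header is truncated). The `%i` in the `netdev_dbg` call formats it as a signed int, so the type is worth confirming; if it is signed, a negative value now reaches `cpu_to_le32()` unclamped. If it is unsigned, changing the format to `%u` and adding a comment such as `/* rts_threshold is unsigned, only the upper bound needs clamping */` would make the remaining check self-explanatory.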
36241 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.c linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.c
36242 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.c 2011-05-19 00:06:34.000000000 -0400
36243 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.c 2011-05-22 19:36:32.000000000 -0400
36244 @@ -1869,7 +1869,7 @@ int rtl_pci_resume(struct pci_dev *pdev)
36245 }
36246 EXPORT_SYMBOL(rtl_pci_resume);
36247
36248 -struct rtl_intf_ops rtl_pci_ops = {
36249 +const struct rtl_intf_ops rtl_pci_ops = {
36250 .adapter_start = rtl_pci_start,
36251 .adapter_stop = rtl_pci_stop,
36252 .adapter_tx = rtl_pci_tx,
36253 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.h linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.h
36254 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.h 2011-05-19 00:06:34.000000000 -0400
36255 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/pci.h 2011-05-22 19:36:32.000000000 -0400
36256 @@ -234,7 +234,7 @@ struct rtl_pci_priv {
36257
36258 int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw);
36259
36260 -extern struct rtl_intf_ops rtl_pci_ops;
36261 +extern const struct rtl_intf_ops rtl_pci_ops;
36262
36263 int __devinit rtl_pci_probe(struct pci_dev *pdev,
36264 const struct pci_device_id *id);
36265 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
36266 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-19 00:06:34.000000000 -0400
36267 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-22 19:36:32.000000000 -0400
36268 @@ -827,6 +827,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
36269 u8 rfpath;
36270 u8 num_total_rfpath = rtlphy->num_total_rfpath;
36271
36272 + pax_track_stack();
36273 +
36274 precommoncmdcnt = 0;
36275 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
36276 MAX_PRECMD_CNT,
36277 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
36278 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-19 00:06:34.000000000 -0400
36279 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-22 19:36:32.000000000 -0400
36280 @@ -96,7 +96,7 @@ void rtl92c_deinit_sw_vars(struct ieee80
36281 }
36282 }
36283
36284 -static struct rtl_hal_ops rtl8192ce_hal_ops = {
36285 +static const struct rtl_hal_ops rtl8192ce_hal_ops = {
36286 .init_sw_vars = rtl92c_init_sw_vars,
36287 .deinit_sw_vars = rtl92c_deinit_sw_vars,
36288 .read_eeprom_info = rtl92ce_read_eeprom_info,
36289 @@ -151,7 +151,7 @@ static struct rtl_mod_params rtl92ce_mod
36290 .sw_crypto = 0,
36291 };
36292
36293 -static struct rtl_hal_cfg rtl92ce_hal_cfg = {
36294 +static const struct rtl_hal_cfg rtl92ce_hal_cfg = {
36295 .name = "rtl92c_pci",
36296 .fw_name = "rtlwifi/rtl8192cfw.bin",
36297 .ops = &rtl8192ce_hal_ops,
36298 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
36299 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-19 00:06:34.000000000 -0400
36300 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-22 19:36:32.000000000 -0400
36301 @@ -77,7 +77,7 @@ static void rtl92cu_deinit_sw_vars(struc
36302 }
36303 }
36304
36305 -static struct rtl_hal_ops rtl8192cu_hal_ops = {
36306 +static const struct rtl_hal_ops rtl8192cu_hal_ops = {
36307 .init_sw_vars = rtl92cu_init_sw_vars,
36308 .deinit_sw_vars = rtl92cu_deinit_sw_vars,
36309 .read_chip_version = rtl92c_read_chip_version,
36310 @@ -147,7 +147,7 @@ static struct rtl_hal_usbint_cfg rtl92cu
36311 .usb_mq_to_hwq = rtl8192cu_mq_to_hwq,
36312 };
36313
36314 -static struct rtl_hal_cfg rtl92cu_hal_cfg = {
36315 +static const struct rtl_hal_cfg rtl92cu_hal_cfg = {
36316 .name = "rtl92c_usb",
36317 .fw_name = "rtlwifi/rtl8192cufw.bin",
36318 .ops = &rtl8192cu_hal_ops,
36319 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/usb.c linux-2.6.39.1/drivers/net/wireless/rtlwifi/usb.c
36320 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/usb.c 2011-05-19 00:06:34.000000000 -0400
36321 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/usb.c 2011-05-22 19:36:32.000000000 -0400
36322 @@ -913,7 +913,7 @@ static bool rtl_usb_tx_chk_waitq_insert(
36323 return false;
36324 }
36325
36326 -static struct rtl_intf_ops rtl_usb_ops = {
36327 +static const struct rtl_intf_ops rtl_usb_ops = {
36328 .adapter_start = rtl_usb_start,
36329 .adapter_stop = rtl_usb_stop,
36330 .adapter_tx = rtl_usb_tx,
36331 diff -urNp linux-2.6.39.1/drivers/net/wireless/rtlwifi/wifi.h linux-2.6.39.1/drivers/net/wireless/rtlwifi/wifi.h
36332 --- linux-2.6.39.1/drivers/net/wireless/rtlwifi/wifi.h 2011-05-19 00:06:34.000000000 -0400
36333 +++ linux-2.6.39.1/drivers/net/wireless/rtlwifi/wifi.h 2011-05-22 19:36:32.000000000 -0400
36334 @@ -1447,7 +1447,7 @@ struct rtl_hal_cfg {
36335 u8 bar_id;
36336 char *name;
36337 char *fw_name;
36338 - struct rtl_hal_ops *ops;
36339 + const struct rtl_hal_ops *ops;
36340 struct rtl_mod_params *mod_params;
36341 struct rtl_hal_usbint_cfg *usb_interface_cfg;
36342
36343 @@ -1533,7 +1533,7 @@ struct rtl_priv {
36344 *intf_ops : for diff interrface usb/pcie
36345 */
36346 struct rtl_hal_cfg *cfg;
36347 - struct rtl_intf_ops *intf_ops;
36348 + const struct rtl_intf_ops *intf_ops;
36349
36350 /*this var will be set by set_bit,
36351 and was used to indicate status of
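Review bot: `struct rtl_hal_cfg *cfg;` in struct rtl_priv stays a non-const pointer, while the rtl8192ce and rtl8192cu `sw.c` hunks earlier in this patch make `rtl92ce_hal_cfg` and `rtl92cu_hal_cfg` `const`. Wherever those objects are assigned to `cfg` (not visible here), the qualifier has to be cast away, and a later write through `cfg` would target read-only data. Declaring the member as `const struct rtl_hal_cfg *cfg;`, alongside the `intf_ops` change, would let the compiler catch such writes. struct rtl_priv starts before this hunk.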
36352 diff -urNp linux-2.6.39.1/drivers/net/wireless/wl12xx/spi.c linux-2.6.39.1/drivers/net/wireless/wl12xx/spi.c
36353 --- linux-2.6.39.1/drivers/net/wireless/wl12xx/spi.c 2011-05-19 00:06:34.000000000 -0400
36354 +++ linux-2.6.39.1/drivers/net/wireless/wl12xx/spi.c 2011-05-22 19:36:32.000000000 -0400
36355 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
36356 u32 chunk_len;
36357 int i;
36358
36359 + pax_track_stack();
36360 +
36361 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
36362
36363 spi_message_init(&m);
36364 diff -urNp linux-2.6.39.1/drivers/net/xen-netback/interface.c linux-2.6.39.1/drivers/net/xen-netback/interface.c
36365 --- linux-2.6.39.1/drivers/net/xen-netback/interface.c 2011-05-19 00:06:34.000000000 -0400
36366 +++ linux-2.6.39.1/drivers/net/xen-netback/interface.c 2011-05-22 19:36:32.000000000 -0400
36367 @@ -273,7 +273,7 @@ static void xenvif_get_strings(struct ne
36368 }
36369 }
36370
36371 -static struct ethtool_ops xenvif_ethtool_ops = {
36372 +static const struct ethtool_ops xenvif_ethtool_ops = {
36373 .get_tx_csum = ethtool_op_get_tx_csum,
36374 .set_tx_csum = xenvif_set_tx_csum,
36375 .get_sg = ethtool_op_get_sg,
36376 diff -urNp linux-2.6.39.1/drivers/net/xilinx_emaclite.c linux-2.6.39.1/drivers/net/xilinx_emaclite.c
36377 --- linux-2.6.39.1/drivers/net/xilinx_emaclite.c 2011-05-19 00:06:34.000000000 -0400
36378 +++ linux-2.6.39.1/drivers/net/xilinx_emaclite.c 2011-05-22 19:36:32.000000000 -0400
36379 @@ -1085,7 +1085,7 @@ static bool get_bool(struct platform_dev
36380 }
36381 }
36382
36383 -static struct net_device_ops xemaclite_netdev_ops;
36384 +static const struct net_device_ops xemaclite_netdev_ops;
36385
36386 /**
36387 * xemaclite_of_probe - Probe method for the Emaclite device.
36388 @@ -1264,7 +1264,7 @@ xemaclite_poll_controller(struct net_dev
36389 }
36390 #endif
36391
36392 -static struct net_device_ops xemaclite_netdev_ops = {
36393 +static const struct net_device_ops xemaclite_netdev_ops = {
36394 .ndo_open = xemaclite_open,
36395 .ndo_stop = xemaclite_close,
36396 .ndo_start_xmit = xemaclite_send,
36397 diff -urNp linux-2.6.39.1/drivers/nfc/pn544.c linux-2.6.39.1/drivers/nfc/pn544.c
36398 --- linux-2.6.39.1/drivers/nfc/pn544.c 2011-05-19 00:06:34.000000000 -0400
36399 +++ linux-2.6.39.1/drivers/nfc/pn544.c 2011-05-22 19:36:32.000000000 -0400
36400 @@ -89,7 +89,7 @@ static ssize_t pn544_test(struct device
36401
36402 static int pn544_enable(struct pn544_info *info, int mode)
36403 {
36404 - struct pn544_nfc_platform_data *pdata;
36405 + const struct pn544_nfc_platform_data *pdata;
36406 struct i2c_client *client = info->i2c_dev;
36407
36408 int r;
36409 @@ -118,7 +118,7 @@ static int pn544_enable(struct pn544_inf
36410
36411 static void pn544_disable(struct pn544_info *info)
36412 {
36413 - struct pn544_nfc_platform_data *pdata;
36414 + const struct pn544_nfc_platform_data *pdata;
36415 struct i2c_client *client = info->i2c_dev;
36416
36417 pdata = client->dev.platform_data;
36418 @@ -509,7 +509,7 @@ static long pn544_ioctl(struct file *fil
36419 struct pn544_info *info = container_of(file->private_data,
36420 struct pn544_info, miscdev);
36421 struct i2c_client *client = info->i2c_dev;
36422 - struct pn544_nfc_platform_data *pdata;
36423 + const struct pn544_nfc_platform_data *pdata;
36424 unsigned int val;
36425 int r = 0;
36426
36427 @@ -715,7 +715,7 @@ static int __devinit pn544_probe(struct
36428 const struct i2c_device_id *id)
36429 {
36430 struct pn544_info *info;
36431 - struct pn544_nfc_platform_data *pdata;
36432 + const struct pn544_nfc_platform_data *pdata;
36433 int r = 0;
36434
36435 dev_dbg(&client->dev, "%s\n", __func__);
36436 diff -urNp linux-2.6.39.1/drivers/of/pdt.c linux-2.6.39.1/drivers/of/pdt.c
36437 --- linux-2.6.39.1/drivers/of/pdt.c 2011-05-19 00:06:34.000000000 -0400
36438 +++ linux-2.6.39.1/drivers/of/pdt.c 2011-05-22 19:36:32.000000000 -0400
36439 @@ -24,7 +24,7 @@
36440 #include <linux/of_pdt.h>
36441 #include <asm/prom.h>
36442
36443 -static struct of_pdt_ops *of_pdt_prom_ops __initdata;
36444 +static const struct of_pdt_ops *of_pdt_prom_ops;
36445
36446 void __initdata (*of_pdt_build_more)(struct device_node *dp,
36447 struct device_node ***nextp);
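Review bot: Besides adding `const`, this line drops `__initdata` from `of_pdt_prom_ops`, which the qualifier does not require: only the pointee becomes const, the pointer itself stays writable. The pointer is now kept after init, while `of_pdt_build_more` on the next line remains `__initdata`. If the annotation was removed on purpose (for instance because the pointer is used after init, which is not visible here), a comment should say so; otherwise `static const struct of_pdt_ops *of_pdt_prom_ops __initdata;` keeps the original placement.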
36448 diff -urNp linux-2.6.39.1/drivers/oprofile/buffer_sync.c linux-2.6.39.1/drivers/oprofile/buffer_sync.c
36449 --- linux-2.6.39.1/drivers/oprofile/buffer_sync.c 2011-05-19 00:06:34.000000000 -0400
36450 +++ linux-2.6.39.1/drivers/oprofile/buffer_sync.c 2011-05-22 19:36:32.000000000 -0400
36451 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
36452 if (cookie == NO_COOKIE)
36453 offset = pc;
36454 if (cookie == INVALID_COOKIE) {
36455 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36456 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36457 offset = pc;
36458 }
36459 if (cookie != last_cookie) {
36460 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
36461 /* add userspace sample */
36462
36463 if (!mm) {
36464 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36465 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36466 return 0;
36467 }
36468
36469 cookie = lookup_dcookie(mm, s->eip, &offset);
36470
36471 if (cookie == INVALID_COOKIE) {
36472 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36473 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36474 return 0;
36475 }
36476
36477 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
36478 /* ignore backtraces if failed to add a sample */
36479 if (state == sb_bt_start) {
36480 state = sb_bt_ignore;
36481 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36482 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36483 }
36484 }
36485 release_mm(mm);
36486 diff -urNp linux-2.6.39.1/drivers/oprofile/event_buffer.c linux-2.6.39.1/drivers/oprofile/event_buffer.c
36487 --- linux-2.6.39.1/drivers/oprofile/event_buffer.c 2011-05-19 00:06:34.000000000 -0400
36488 +++ linux-2.6.39.1/drivers/oprofile/event_buffer.c 2011-05-22 19:36:32.000000000 -0400
36489 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36490 }
36491
36492 if (buffer_pos == buffer_size) {
36493 - atomic_inc(&oprofile_stats.event_lost_overflow);
36494 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36495 return;
36496 }
36497
36498 diff -urNp linux-2.6.39.1/drivers/oprofile/oprof.c linux-2.6.39.1/drivers/oprofile/oprof.c
36499 --- linux-2.6.39.1/drivers/oprofile/oprof.c 2011-05-19 00:06:34.000000000 -0400
36500 +++ linux-2.6.39.1/drivers/oprofile/oprof.c 2011-05-22 19:36:32.000000000 -0400
36501 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36502 if (oprofile_ops.switch_events())
36503 return;
36504
36505 - atomic_inc(&oprofile_stats.multiplex_counter);
36506 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36507 start_switch_worker();
36508 }
36509
36510 diff -urNp linux-2.6.39.1/drivers/oprofile/oprofilefs.c linux-2.6.39.1/drivers/oprofile/oprofilefs.c
36511 --- linux-2.6.39.1/drivers/oprofile/oprofilefs.c 2011-05-19 00:06:34.000000000 -0400
36512 +++ linux-2.6.39.1/drivers/oprofile/oprofilefs.c 2011-05-22 19:36:32.000000000 -0400
36513 @@ -186,7 +186,7 @@ static const struct file_operations atom
36514
36515
36516 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36517 - char const *name, atomic_t *val)
36518 + char const *name, atomic_unchecked_t *val)
36519 {
36520 return __oprofilefs_create_file(sb, root, name,
36521 &atomic_ro_fops, 0444, val);
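Review bot: `val` becomes `atomic_unchecked_t *` but is still handed to `__oprofilefs_create_file()` as the file's data pointer, presumably untyped, so the compiler is unlikely to check that the reader behind `atomic_ro_fops` uses the matching accessor. That read handler and this function's prototype are outside the hunk; both need the same type change, and the handler should read the counter with the unchecked variant of `atomic_read`. Any caller still passing a plain `atomic_t *` would now get an incompatible-pointer warning, which is worth checking across the tree.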
36522 diff -urNp linux-2.6.39.1/drivers/oprofile/oprofile_stats.c linux-2.6.39.1/drivers/oprofile/oprofile_stats.c
36523 --- linux-2.6.39.1/drivers/oprofile/oprofile_stats.c 2011-05-19 00:06:34.000000000 -0400
36524 +++ linux-2.6.39.1/drivers/oprofile/oprofile_stats.c 2011-05-22 19:36:32.000000000 -0400
36525 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36526 cpu_buf->sample_invalid_eip = 0;
36527 }
36528
36529 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36530 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36531 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36532 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36533 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36534 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36535 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36536 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36537 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36538 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36539 }
36540
36541
36542 diff -urNp linux-2.6.39.1/drivers/oprofile/oprofile_stats.h linux-2.6.39.1/drivers/oprofile/oprofile_stats.h
36543 --- linux-2.6.39.1/drivers/oprofile/oprofile_stats.h 2011-05-19 00:06:34.000000000 -0400
36544 +++ linux-2.6.39.1/drivers/oprofile/oprofile_stats.h 2011-05-22 19:36:32.000000000 -0400
36545 @@ -13,11 +13,11 @@
36546 #include <asm/atomic.h>
36547
36548 struct oprofile_stat_struct {
36549 - atomic_t sample_lost_no_mm;
36550 - atomic_t sample_lost_no_mapping;
36551 - atomic_t bt_lost_no_mapping;
36552 - atomic_t event_lost_overflow;
36553 - atomic_t multiplex_counter;
36554 + atomic_unchecked_t sample_lost_no_mm;
36555 + atomic_unchecked_t sample_lost_no_mapping;
36556 + atomic_unchecked_t bt_lost_no_mapping;
36557 + atomic_unchecked_t event_lost_overflow;
36558 + atomic_unchecked_t multiplex_counter;
36559 };
36560
36561 extern struct oprofile_stat_struct oprofile_stats;
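Review bot: The struct gives no reason why these five counters use `atomic_unchecked_t` instead of `atomic_t`. They are incremented on lost samples and events in the other oprofile hunks of this patch and look like pure statistics, where wraparound is harmless. A comment above the struct such as `/* statistics counters: overflow is harmless, so they are exempt from atomic overflow checking */` would make that explicit and discourage adding a reference count here later.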
36562 diff -urNp linux-2.6.39.1/drivers/parisc/dino.c linux-2.6.39.1/drivers/parisc/dino.c
36563 --- linux-2.6.39.1/drivers/parisc/dino.c 2011-05-19 00:06:34.000000000 -0400
36564 +++ linux-2.6.39.1/drivers/parisc/dino.c 2011-05-22 19:36:32.000000000 -0400
36565 @@ -238,7 +238,7 @@ static int dino_cfg_write(struct pci_bus
36566 return 0;
36567 }
36568
36569 -static struct pci_ops dino_cfg_ops = {
36570 +static const struct pci_ops dino_cfg_ops = {
36571 .read = dino_cfg_read,
36572 .write = dino_cfg_write,
36573 };
36574 diff -urNp linux-2.6.39.1/drivers/parisc/lba_pci.c linux-2.6.39.1/drivers/parisc/lba_pci.c
36575 --- linux-2.6.39.1/drivers/parisc/lba_pci.c 2011-05-19 00:06:34.000000000 -0400
36576 +++ linux-2.6.39.1/drivers/parisc/lba_pci.c 2011-05-22 19:36:32.000000000 -0400
36577 @@ -468,7 +468,7 @@ static int elroy_cfg_write(struct pci_bu
36578 }
36579
36580
36581 -static struct pci_ops elroy_cfg_ops = {
36582 +static const struct pci_ops elroy_cfg_ops = {
36583 .read = elroy_cfg_read,
36584 .write = elroy_cfg_write,
36585 };
36586 @@ -541,7 +541,7 @@ static int mercury_cfg_write(struct pci_
36587 return 0;
36588 }
36589
36590 -static struct pci_ops mercury_cfg_ops = {
36591 +static const struct pci_ops mercury_cfg_ops = {
36592 .read = mercury_cfg_read,
36593 .write = mercury_cfg_write,
36594 };
36595 @@ -1405,7 +1405,7 @@ lba_driver_probe(struct parisc_device *d
36596 {
36597 struct lba_device *lba_dev;
36598 struct pci_bus *lba_bus;
36599 - struct pci_ops *cfg_ops;
36600 + const struct pci_ops *cfg_ops;
36601 u32 func_class;
36602 void *tmp_obj;
36603 char *version;
36604 diff -urNp linux-2.6.39.1/drivers/parport/procfs.c linux-2.6.39.1/drivers/parport/procfs.c
36605 --- linux-2.6.39.1/drivers/parport/procfs.c 2011-05-19 00:06:34.000000000 -0400
36606 +++ linux-2.6.39.1/drivers/parport/procfs.c 2011-05-22 19:36:32.000000000 -0400
36607 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
36608
36609 *ppos += len;
36610
36611 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
36612 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
36613 }
36614
36615 #ifdef CONFIG_PARPORT_1284
36616 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
36617
36618 *ppos += len;
36619
36620 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
36621 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
36622 }
36623 #endif /* IEEE1284.3 support. */
36624
36625 diff -urNp linux-2.6.39.1/drivers/pci/access.c linux-2.6.39.1/drivers/pci/access.c
36626 --- linux-2.6.39.1/drivers/pci/access.c 2011-05-19 00:06:34.000000000 -0400
36627 +++ linux-2.6.39.1/drivers/pci/access.c 2011-05-22 19:36:32.000000000 -0400
36628 @@ -74,9 +74,9 @@ EXPORT_SYMBOL(pci_bus_write_config_dword
36629 *
36630 * Return previous raw operations
36631 */
36632 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops)
36633 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops)
36634 {
36635 - struct pci_ops *old_ops;
36636 + const struct pci_ops *old_ops;
36637 unsigned long flags;
36638
36639 raw_spin_lock_irqsave(&pci_lock, flags);
36640 diff -urNp linux-2.6.39.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.39.1/drivers/pci/hotplug/acpiphp_glue.c
36641 --- linux-2.6.39.1/drivers/pci/hotplug/acpiphp_glue.c 2011-05-19 00:06:34.000000000 -0400
36642 +++ linux-2.6.39.1/drivers/pci/hotplug/acpiphp_glue.c 2011-05-22 19:36:32.000000000 -0400
36643 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
36644 }
36645
36646
36647 -static struct acpi_dock_ops acpiphp_dock_ops = {
36648 +static const struct acpi_dock_ops acpiphp_dock_ops = {
36649 .handler = handle_hotplug_event_func,
36650 };
36651
36652 diff -urNp linux-2.6.39.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.39.1/drivers/pci/hotplug/cpqphp_nvram.c
36653 --- linux-2.6.39.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-19 00:06:34.000000000 -0400
36654 +++ linux-2.6.39.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-22 19:36:32.000000000 -0400
36655 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
36656
36657 void compaq_nvram_init (void __iomem *rom_start)
36658 {
36659 +
36660 +#ifndef CONFIG_PAX_KERNEXEC
36661 if (rom_start) {
36662 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
36663 }
36664 +#endif
36665 +
36666 dbg("int15 entry = %p\n", compaq_int15_entry_point);
36667
36668 /* initialize our int15 lock */
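Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned here, and nothing in the hunk says why or what users of the pointer should do. The `dbg()` line still prints it, and any code that later calls through it (outside this hunk) must cope with whatever value it was initialised with; that is worth checking. A comment above the `#ifndef` stating the reason, e.g. `/* KERNEXEC: do not set up the ROM int15 entry point */`, would record the intent. The blank line added directly after the opening brace can go.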
36669 diff -urNp linux-2.6.39.1/drivers/pci/hotplug/shpchp.h linux-2.6.39.1/drivers/pci/hotplug/shpchp.h
36670 --- linux-2.6.39.1/drivers/pci/hotplug/shpchp.h 2011-05-19 00:06:34.000000000 -0400
36671 +++ linux-2.6.39.1/drivers/pci/hotplug/shpchp.h 2011-05-22 19:36:32.000000000 -0400
36672 @@ -86,7 +86,7 @@ struct slot {
36673 u8 presence_save;
36674 u8 pwr_save;
36675 struct controller *ctrl;
36676 - struct hpc_ops *hpc_ops;
36677 + const struct hpc_ops *hpc_ops;
36678 struct hotplug_slot *hotplug_slot;
36679 struct list_head slot_list;
36680 struct delayed_work work; /* work for button event */
36681 @@ -107,7 +107,7 @@ struct controller {
36682 int slot_num_inc; /* 1 or -1 */
36683 struct pci_dev *pci_dev;
36684 struct list_head slot_list;
36685 - struct hpc_ops *hpc_ops;
36686 + const struct hpc_ops *hpc_ops;
36687 wait_queue_head_t queue; /* sleep & wake process */
36688 u8 slot_device_offset;
36689 u32 pcix_misc2_reg; /* for amd pogo errata */
36690 diff -urNp linux-2.6.39.1/drivers/pci/hotplug/shpchp_hpc.c linux-2.6.39.1/drivers/pci/hotplug/shpchp_hpc.c
36691 --- linux-2.6.39.1/drivers/pci/hotplug/shpchp_hpc.c 2011-05-19 00:06:34.000000000 -0400
36692 +++ linux-2.6.39.1/drivers/pci/hotplug/shpchp_hpc.c 2011-05-22 19:36:32.000000000 -0400
36693 @@ -910,7 +910,7 @@ static int shpc_get_max_bus_speed(struct
36694 return retval;
36695 }
36696
36697 -static struct hpc_ops shpchp_hpc_ops = {
36698 +static const struct hpc_ops shpchp_hpc_ops = {
36699 .power_on_slot = hpc_power_on_slot,
36700 .slot_enable = hpc_slot_enable,
36701 .slot_disable = hpc_slot_disable,
36702 diff -urNp linux-2.6.39.1/drivers/pci/intel-iommu.c linux-2.6.39.1/drivers/pci/intel-iommu.c
36703 --- linux-2.6.39.1/drivers/pci/intel-iommu.c 2011-05-19 00:06:34.000000000 -0400
36704 +++ linux-2.6.39.1/drivers/pci/intel-iommu.c 2011-05-22 19:36:32.000000000 -0400
36705 @@ -391,7 +391,7 @@ static int intel_iommu_strict;
36706 static DEFINE_SPINLOCK(device_domain_lock);
36707 static LIST_HEAD(device_domain_list);
36708
36709 -static struct iommu_ops intel_iommu_ops;
36710 +static const struct iommu_ops intel_iommu_ops;
36711
36712 static int __init intel_iommu_setup(char *str)
36713 {
36714 @@ -2945,7 +2945,7 @@ static int intel_mapping_error(struct de
36715 return !dma_addr;
36716 }
36717
36718 -struct dma_map_ops intel_dma_ops = {
36719 +const struct dma_map_ops intel_dma_ops = {
36720 .alloc_coherent = intel_alloc_coherent,
36721 .free_coherent = intel_free_coherent,
36722 .map_sg = intel_map_sg,
36723 @@ -3739,7 +3739,7 @@ static int intel_iommu_domain_has_cap(st
36724 return 0;
36725 }
36726
36727 -static struct iommu_ops intel_iommu_ops = {
36728 +static const struct iommu_ops intel_iommu_ops = {
36729 .domain_init = intel_iommu_domain_init,
36730 .domain_destroy = intel_iommu_domain_destroy,
36731 .attach_dev = intel_iommu_attach_device,
36732 diff -urNp linux-2.6.39.1/drivers/pci/pci-acpi.c linux-2.6.39.1/drivers/pci/pci-acpi.c
36733 --- linux-2.6.39.1/drivers/pci/pci-acpi.c 2011-05-19 00:06:34.000000000 -0400
36734 +++ linux-2.6.39.1/drivers/pci/pci-acpi.c 2011-05-22 19:36:32.000000000 -0400
36735 @@ -332,7 +332,7 @@ static int acpi_pci_run_wake(struct pci_
36736 return 0;
36737 }
36738
36739 -static struct pci_platform_pm_ops acpi_pci_platform_pm = {
36740 +static const struct pci_platform_pm_ops acpi_pci_platform_pm = {
36741 .is_manageable = acpi_pci_power_manageable,
36742 .set_state = acpi_pci_set_power_state,
36743 .choose_state = acpi_pci_choose_state,
36744 diff -urNp linux-2.6.39.1/drivers/pci/pci.c linux-2.6.39.1/drivers/pci/pci.c
36745 --- linux-2.6.39.1/drivers/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
36746 +++ linux-2.6.39.1/drivers/pci/pci.c 2011-05-22 19:36:32.000000000 -0400
36747 @@ -480,9 +480,9 @@ pci_restore_bars(struct pci_dev *dev)
36748 pci_update_resource(dev, i);
36749 }
36750
36751 -static struct pci_platform_pm_ops *pci_platform_pm;
36752 +static const struct pci_platform_pm_ops *pci_platform_pm;
36753
36754 -int pci_set_platform_pm(struct pci_platform_pm_ops *ops)
36755 +int pci_set_platform_pm(const struct pci_platform_pm_ops *ops)
36756 {
36757 if (!ops->is_manageable || !ops->set_state || !ops->choose_state
36758 || !ops->sleep_wake || !ops->can_wakeup)
36759 diff -urNp linux-2.6.39.1/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.39.1/drivers/pci/pcie/aer/aerdrv_core.c
36760 --- linux-2.6.39.1/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-19 00:06:34.000000000 -0400
36761 +++ linux-2.6.39.1/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-22 19:36:32.000000000 -0400
36762 @@ -239,7 +239,7 @@ static bool find_source_device(struct pc
36763 static int report_error_detected(struct pci_dev *dev, void *data)
36764 {
36765 pci_ers_result_t vote;
36766 - struct pci_error_handlers *err_handler;
36767 + const struct pci_error_handlers *err_handler;
36768 struct aer_broadcast_data *result_data;
36769 result_data = (struct aer_broadcast_data *) data;
36770
36771 @@ -273,7 +273,7 @@ static int report_error_detected(struct
36772 static int report_mmio_enabled(struct pci_dev *dev, void *data)
36773 {
36774 pci_ers_result_t vote;
36775 - struct pci_error_handlers *err_handler;
36776 + const struct pci_error_handlers *err_handler;
36777 struct aer_broadcast_data *result_data;
36778 result_data = (struct aer_broadcast_data *) data;
36779
36780 @@ -291,7 +291,7 @@ static int report_mmio_enabled(struct pc
36781 static int report_slot_reset(struct pci_dev *dev, void *data)
36782 {
36783 pci_ers_result_t vote;
36784 - struct pci_error_handlers *err_handler;
36785 + const struct pci_error_handlers *err_handler;
36786 struct aer_broadcast_data *result_data;
36787 result_data = (struct aer_broadcast_data *) data;
36788
36789 @@ -308,7 +308,7 @@ static int report_slot_reset(struct pci_
36790
36791 static int report_resume(struct pci_dev *dev, void *data)
36792 {
36793 - struct pci_error_handlers *err_handler;
36794 + const struct pci_error_handlers *err_handler;
36795
36796 dev->error_state = pci_channel_io_normal;
36797
36798 diff -urNp linux-2.6.39.1/drivers/pci/pcie/aer/aer_inject.c linux-2.6.39.1/drivers/pci/pcie/aer/aer_inject.c
36799 --- linux-2.6.39.1/drivers/pci/pcie/aer/aer_inject.c 2011-05-19 00:06:34.000000000 -0400
36800 +++ linux-2.6.39.1/drivers/pci/pcie/aer/aer_inject.c 2011-05-22 19:36:32.000000000 -0400
36801 @@ -64,7 +64,7 @@ struct aer_error {
36802 struct pci_bus_ops {
36803 struct list_head list;
36804 struct pci_bus *bus;
36805 - struct pci_ops *ops;
36806 + const struct pci_ops *ops;
36807 };
36808
36809 static LIST_HEAD(einjected);
36810 @@ -110,7 +110,7 @@ static struct aer_error *__find_aer_erro
36811 }
36812
36813 /* inject_lock must be held before calling */
36814 -static struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
36815 +static const struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
36816 {
36817 struct pci_bus_ops *bus_ops;
36818
36819 @@ -187,7 +187,7 @@ static int pci_read_aer(struct pci_bus *
36820 u32 *sim;
36821 struct aer_error *err;
36822 unsigned long flags;
36823 - struct pci_ops *ops;
36824 + const struct pci_ops *ops;
36825 int domain;
36826
36827 spin_lock_irqsave(&inject_lock, flags);
36828 @@ -219,7 +219,7 @@ int pci_write_aer(struct pci_bus *bus, u
36829 struct aer_error *err;
36830 unsigned long flags;
36831 int rw1cs;
36832 - struct pci_ops *ops;
36833 + const struct pci_ops *ops;
36834 int domain;
36835
36836 spin_lock_irqsave(&inject_lock, flags);
36837 @@ -254,7 +254,7 @@ static struct pci_ops pci_ops_aer = {
36838
36839 static void pci_bus_ops_init(struct pci_bus_ops *bus_ops,
36840 struct pci_bus *bus,
36841 - struct pci_ops *ops)
36842 + const struct pci_ops *ops)
36843 {
36844 INIT_LIST_HEAD(&bus_ops->list);
36845 bus_ops->bus = bus;
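Review bot: The hunk header still shows `static struct pci_ops pci_ops_aer = {` without `const`, and no hunk for this file touches that definition, so the injector's own ops table appears to stay writable while every pointer to `struct pci_ops` around it becomes const-qualified. If nothing writes to the table after initialisation, declaring it `static const struct pci_ops pci_ops_aer` would match the rest of the change. If it has to remain mutable, a short comment saying why would stop a later reader from treating it as an oversight. The definition itself lies outside the hunk, so this is inferred from the header context only.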
36846 @@ -263,7 +263,7 @@ static void pci_bus_ops_init(struct pci_
36847
36848 static int pci_bus_set_aer_ops(struct pci_bus *bus)
36849 {
36850 - struct pci_ops *ops;
36851 + const struct pci_ops *ops;
36852 struct pci_bus_ops *bus_ops;
36853 unsigned long flags;
36854
36855 diff -urNp linux-2.6.39.1/drivers/pci/pcie/aspm.c linux-2.6.39.1/drivers/pci/pcie/aspm.c
36856 --- linux-2.6.39.1/drivers/pci/pcie/aspm.c 2011-05-19 00:06:34.000000000 -0400
36857 +++ linux-2.6.39.1/drivers/pci/pcie/aspm.c 2011-05-22 19:36:32.000000000 -0400
36858 @@ -27,9 +27,9 @@
36859 #define MODULE_PARAM_PREFIX "pcie_aspm."
36860
36861 /* Note: those are not register definitions */
36862 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
36863 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
36864 -#define ASPM_STATE_L1 (4) /* L1 state */
36865 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
36866 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
36867 +#define ASPM_STATE_L1 (4U) /* L1 state */
36868 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
36869 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
36870
36871 diff -urNp linux-2.6.39.1/drivers/pci/pci.h linux-2.6.39.1/drivers/pci/pci.h
36872 --- linux-2.6.39.1/drivers/pci/pci.h 2011-05-19 00:06:34.000000000 -0400
36873 +++ linux-2.6.39.1/drivers/pci/pci.h 2011-05-22 19:36:32.000000000 -0400
36874 @@ -65,7 +65,7 @@ struct pci_platform_pm_ops {
36875 int (*run_wake)(struct pci_dev *dev, bool enable);
36876 };
36877
36878 -extern int pci_set_platform_pm(struct pci_platform_pm_ops *ops);
36879 +extern int pci_set_platform_pm(const struct pci_platform_pm_ops *ops);
36880 extern void pci_update_current_state(struct pci_dev *dev, pci_power_t state);
36881 extern void pci_disable_enabled_device(struct pci_dev *dev);
36882 extern int pci_finish_runtime_suspend(struct pci_dev *dev);
36883 diff -urNp linux-2.6.39.1/drivers/pci/probe.c linux-2.6.39.1/drivers/pci/probe.c
36884 --- linux-2.6.39.1/drivers/pci/probe.c 2011-05-19 00:06:34.000000000 -0400
36885 +++ linux-2.6.39.1/drivers/pci/probe.c 2011-05-22 19:36:32.000000000 -0400
36886 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
36887 return ret;
36888 }
36889
36890 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
36891 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
36892 struct device_attribute *attr,
36893 char *buf)
36894 {
36895 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
36896 }
36897
36898 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
36899 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
36900 struct device_attribute *attr,
36901 char *buf)
36902 {
36903 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
36904 u32 l, sz, mask;
36905 u16 orig_cmd;
36906
36907 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
36908 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
36909
36910 if (!dev->mmio_always_on) {
36911 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
36912 @@ -1407,7 +1407,7 @@ unsigned int __devinit pci_scan_child_bu
36913 }
36914
36915 struct pci_bus * pci_create_bus(struct device *parent,
36916 - int bus, struct pci_ops *ops, void *sysdata)
36917 + int bus, const struct pci_ops *ops, void *sysdata)
36918 {
36919 int error;
36920 struct pci_bus *b, *b2;
36921 @@ -1483,7 +1483,7 @@ err_out:
36922 }
36923
36924 struct pci_bus * __devinit pci_scan_bus_parented(struct device *parent,
36925 - int bus, struct pci_ops *ops, void *sysdata)
36926 + int bus, const struct pci_ops *ops, void *sysdata)
36927 {
36928 struct pci_bus *b;
36929
36930 diff -urNp linux-2.6.39.1/drivers/pci/proc.c linux-2.6.39.1/drivers/pci/proc.c
36931 --- linux-2.6.39.1/drivers/pci/proc.c 2011-05-19 00:06:34.000000000 -0400
36932 +++ linux-2.6.39.1/drivers/pci/proc.c 2011-05-22 19:41:37.000000000 -0400
36933 @@ -476,7 +476,16 @@ static const struct file_operations proc
36934 static int __init pci_proc_init(void)
36935 {
36936 struct pci_dev *dev = NULL;
36937 +
36938 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
36939 +#ifdef CONFIG_GRKERNSEC_PROC_USER
36940 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
36941 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36942 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
36943 +#endif
36944 +#else
36945 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
36946 +#endif
36947 proc_create("devices", 0, proc_bus_pci_dir,
36948 &proc_bus_pci_dev_operations);
36949 proc_initialized = 1;
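Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, no branch of the new conditional in pci_proc_init() assigns `proc_bus_pci_dir`. The `proc_create("devices", 0, proc_bus_pci_dir, ...)` that follows then runs with whatever the variable held before, presumably NULL, so the entry would not land under a restricted `bus/pci` directory. If Kconfig rules that combination out, say so in a comment; otherwise close the inner conditional with `#else` and `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` so a misconfiguration fails at build time. The result of `proc_mkdir_mode()` is also used unchecked, as `proc_mkdir()`'s was. The function body continues past the end of the hunk.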
36950 diff -urNp linux-2.6.39.1/drivers/pci/xen-pcifront.c linux-2.6.39.1/drivers/pci/xen-pcifront.c
36951 --- linux-2.6.39.1/drivers/pci/xen-pcifront.c 2011-05-19 00:06:34.000000000 -0400
36952 +++ linux-2.6.39.1/drivers/pci/xen-pcifront.c 2011-05-22 19:36:32.000000000 -0400
36953 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
36954 struct pcifront_sd *sd = bus->sysdata;
36955 struct pcifront_device *pdev = pcifront_get_pdev(sd);
36956
36957 + pax_track_stack();
36958 +
36959 if (verbose_request)
36960 dev_info(&pdev->xdev->dev,
36961 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
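Review bot: The `pax_track_stack();` call added here has no comment saying why this function was selected. The same applies to the calls added in pcifront_bus_write, pci_frontend_enable_msix, pci_frontend_disable_msix and pci_frontend_enable_msi in the following hunks. Each of those functions passes `&op` to `do_pci_op`, so the reason is presumably a sizeable on-stack request structure, but the declarations sit above the hunks and cannot be confirmed from the diff. A one-line comment at each call, for example `/* large on-stack op: let PaX record the stack depth used here */`, would keep the annotation from being dropped or copied blindly when these functions are next touched.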
36962 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
36963 struct pcifront_sd *sd = bus->sysdata;
36964 struct pcifront_device *pdev = pcifront_get_pdev(sd);
36965
36966 + pax_track_stack();
36967 +
36968 if (verbose_request)
36969 dev_info(&pdev->xdev->dev,
36970 "write dev=%04x:%02x:%02x.%01x - "
36971 @@ -236,7 +240,7 @@ static int pcifront_bus_write(struct pci
36972 return errno_to_pcibios_err(do_pci_op(pdev, &op));
36973 }
36974
36975 -struct pci_ops pcifront_bus_ops = {
36976 +const struct pci_ops pcifront_bus_ops = {
36977 .read = pcifront_bus_read,
36978 .write = pcifront_bus_write,
36979 };
36980 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
36981 struct pcifront_device *pdev = pcifront_get_pdev(sd);
36982 struct msi_desc *entry;
36983
36984 + pax_track_stack();
36985 +
36986 if (nvec > SH_INFO_MAX_VEC) {
36987 dev_err(&dev->dev, "too much vector for pci frontend: %x."
36988 " Increase SH_INFO_MAX_VEC.\n", nvec);
36989 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
36990 struct pcifront_sd *sd = dev->bus->sysdata;
36991 struct pcifront_device *pdev = pcifront_get_pdev(sd);
36992
36993 + pax_track_stack();
36994 +
36995 err = do_pci_op(pdev, &op);
36996
36997 /* What should do for error ? */
36998 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
36999 struct pcifront_sd *sd = dev->bus->sysdata;
37000 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37001
37002 + pax_track_stack();
37003 +
37004 err = do_pci_op(pdev, &op);
37005 if (likely(!err)) {
37006 vector[0] = op.value;
37007 @@ -368,7 +378,7 @@ static void pci_frontend_disable_msi(str
37008 printk(KERN_DEBUG "get fake response frombackend\n");
37009 }
37010
37011 -static struct xen_pci_frontend_ops pci_frontend_ops = {
37012 +static const struct xen_pci_frontend_ops pci_frontend_ops = {
37013 .enable_msi = pci_frontend_enable_msi,
37014 .disable_msi = pci_frontend_disable_msi,
37015 .enable_msix = pci_frontend_enable_msix,
37016 diff -urNp linux-2.6.39.1/drivers/pcmcia/at91_cf.c linux-2.6.39.1/drivers/pcmcia/at91_cf.c
37017 --- linux-2.6.39.1/drivers/pcmcia/at91_cf.c 2011-05-19 00:06:34.000000000 -0400
37018 +++ linux-2.6.39.1/drivers/pcmcia/at91_cf.c 2011-05-22 19:36:32.000000000 -0400
37019 @@ -203,7 +203,7 @@ at91_cf_set_mem_map(struct pcmcia_socket
37020 return 0;
37021 }
37022
37023 -static struct pccard_operations at91_cf_ops = {
37024 +static const struct pccard_operations at91_cf_ops = {
37025 .init = at91_cf_ss_init,
37026 .suspend = at91_cf_ss_suspend,
37027 .get_status = at91_cf_get_status,
37028 diff -urNp linux-2.6.39.1/drivers/pcmcia/bfin_cf_pcmcia.c linux-2.6.39.1/drivers/pcmcia/bfin_cf_pcmcia.c
37029 --- linux-2.6.39.1/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37030 +++ linux-2.6.39.1/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37031 @@ -184,7 +184,7 @@ bfin_cf_set_mem_map(struct pcmcia_socket
37032 return 0;
37033 }
37034
37035 -static struct pccard_operations bfin_cf_ops = {
37036 +static const struct pccard_operations bfin_cf_ops = {
37037 .init = bfin_cf_ss_init,
37038 .suspend = bfin_cf_ss_suspend,
37039 .get_status = bfin_cf_get_status,
37040 diff -urNp linux-2.6.39.1/drivers/pcmcia/db1xxx_ss.c linux-2.6.39.1/drivers/pcmcia/db1xxx_ss.c
37041 --- linux-2.6.39.1/drivers/pcmcia/db1xxx_ss.c 2011-05-19 00:06:34.000000000 -0400
37042 +++ linux-2.6.39.1/drivers/pcmcia/db1xxx_ss.c 2011-05-22 19:36:32.000000000 -0400
37043 @@ -384,7 +384,7 @@ static int au1x00_pcmcia_set_mem_map(str
37044 return 0;
37045 }
37046
37047 -static struct pccard_operations db1x_pcmcia_operations = {
37048 +static const struct pccard_operations db1x_pcmcia_operations = {
37049 .init = db1x_pcmcia_sock_init,
37050 .suspend = db1x_pcmcia_sock_suspend,
37051 .get_status = db1x_pcmcia_get_status,
37052 diff -urNp linux-2.6.39.1/drivers/pcmcia/electra_cf.c linux-2.6.39.1/drivers/pcmcia/electra_cf.c
37053 --- linux-2.6.39.1/drivers/pcmcia/electra_cf.c 2011-05-19 00:06:34.000000000 -0400
37054 +++ linux-2.6.39.1/drivers/pcmcia/electra_cf.c 2011-05-22 19:36:32.000000000 -0400
37055 @@ -173,7 +173,7 @@ static int electra_cf_set_mem_map(struct
37056 return 0;
37057 }
37058
37059 -static struct pccard_operations electra_cf_ops = {
37060 +static const struct pccard_operations electra_cf_ops = {
37061 .init = electra_cf_ss_init,
37062 .get_status = electra_cf_get_status,
37063 .set_socket = electra_cf_set_socket,
37064 diff -urNp linux-2.6.39.1/drivers/pcmcia/m32r_cfc.c linux-2.6.39.1/drivers/pcmcia/m32r_cfc.c
37065 --- linux-2.6.39.1/drivers/pcmcia/m32r_cfc.c 2011-05-19 00:06:34.000000000 -0400
37066 +++ linux-2.6.39.1/drivers/pcmcia/m32r_cfc.c 2011-05-22 19:36:32.000000000 -0400
37067 @@ -674,7 +674,7 @@ static int pcc_init(struct pcmcia_socket
37068 return 0;
37069 }
37070
37071 -static struct pccard_operations pcc_operations = {
37072 +static const struct pccard_operations pcc_operations = {
37073 .init = pcc_init,
37074 .get_status = pcc_get_status,
37075 .set_socket = pcc_set_socket,
37076 diff -urNp linux-2.6.39.1/drivers/pcmcia/m32r_pcc.c linux-2.6.39.1/drivers/pcmcia/m32r_pcc.c
37077 --- linux-2.6.39.1/drivers/pcmcia/m32r_pcc.c 2011-05-19 00:06:34.000000000 -0400
37078 +++ linux-2.6.39.1/drivers/pcmcia/m32r_pcc.c 2011-05-22 19:36:32.000000000 -0400
37079 @@ -652,7 +652,7 @@ static int pcc_init(struct pcmcia_socket
37080 return 0;
37081 }
37082
37083 -static struct pccard_operations pcc_operations = {
37084 +static const struct pccard_operations pcc_operations = {
37085 .init = pcc_init,
37086 .get_status = pcc_get_status,
37087 .set_socket = pcc_set_socket,
37088 diff -urNp linux-2.6.39.1/drivers/pcmcia/m8xx_pcmcia.c linux-2.6.39.1/drivers/pcmcia/m8xx_pcmcia.c
37089 --- linux-2.6.39.1/drivers/pcmcia/m8xx_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37090 +++ linux-2.6.39.1/drivers/pcmcia/m8xx_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37091 @@ -1139,7 +1139,7 @@ static int m8xx_sock_suspend(struct pcmc
37092 return m8xx_set_socket(sock, &dead_socket);
37093 }
37094
37095 -static struct pccard_operations m8xx_services = {
37096 +static const struct pccard_operations m8xx_services = {
37097 .init = m8xx_sock_init,
37098 .suspend = m8xx_sock_suspend,
37099 .get_status = m8xx_get_status,
37100 diff -urNp linux-2.6.39.1/drivers/pcmcia/omap_cf.c linux-2.6.39.1/drivers/pcmcia/omap_cf.c
37101 --- linux-2.6.39.1/drivers/pcmcia/omap_cf.c 2011-05-19 00:06:34.000000000 -0400
37102 +++ linux-2.6.39.1/drivers/pcmcia/omap_cf.c 2011-05-22 19:36:32.000000000 -0400
37103 @@ -185,7 +185,7 @@ omap_cf_set_mem_map(struct pcmcia_socket
37104 return 0;
37105 }
37106
37107 -static struct pccard_operations omap_cf_ops = {
37108 +static const struct pccard_operations omap_cf_ops = {
37109 .init = omap_cf_ss_init,
37110 .suspend = omap_cf_ss_suspend,
37111 .get_status = omap_cf_get_status,
37112 diff -urNp linux-2.6.39.1/drivers/pcmcia/rsrc_iodyn.c linux-2.6.39.1/drivers/pcmcia/rsrc_iodyn.c
37113 --- linux-2.6.39.1/drivers/pcmcia/rsrc_iodyn.c 2011-05-19 00:06:34.000000000 -0400
37114 +++ linux-2.6.39.1/drivers/pcmcia/rsrc_iodyn.c 2011-05-22 19:36:32.000000000 -0400
37115 @@ -161,7 +161,7 @@ static int iodyn_find_io(struct pcmcia_s
37116 }
37117
37118
37119 -struct pccard_resource_ops pccard_iodyn_ops = {
37120 +const struct pccard_resource_ops pccard_iodyn_ops = {
37121 .validate_mem = NULL,
37122 .find_io = iodyn_find_io,
37123 .find_mem = NULL,
37124 diff -urNp linux-2.6.39.1/drivers/pcmcia/rsrc_mgr.c linux-2.6.39.1/drivers/pcmcia/rsrc_mgr.c
37125 --- linux-2.6.39.1/drivers/pcmcia/rsrc_mgr.c 2011-05-19 00:06:34.000000000 -0400
37126 +++ linux-2.6.39.1/drivers/pcmcia/rsrc_mgr.c 2011-05-22 19:36:32.000000000 -0400
37127 @@ -57,7 +57,7 @@ static int static_find_io(struct pcmcia_
37128 }
37129
37130
37131 -struct pccard_resource_ops pccard_static_ops = {
37132 +const struct pccard_resource_ops pccard_static_ops = {
37133 .validate_mem = NULL,
37134 .find_io = static_find_io,
37135 .find_mem = NULL,
37136 diff -urNp linux-2.6.39.1/drivers/pcmcia/vrc4171_card.c linux-2.6.39.1/drivers/pcmcia/vrc4171_card.c
37137 --- linux-2.6.39.1/drivers/pcmcia/vrc4171_card.c 2011-05-19 00:06:34.000000000 -0400
37138 +++ linux-2.6.39.1/drivers/pcmcia/vrc4171_card.c 2011-05-22 19:36:32.000000000 -0400
37139 @@ -479,7 +479,7 @@ static int pccard_set_mem_map(struct pcm
37140 return 0;
37141 }
37142
37143 -static struct pccard_operations vrc4171_pccard_operations = {
37144 +static const struct pccard_operations vrc4171_pccard_operations = {
37145 .init = pccard_init,
37146 .get_status = pccard_get_status,
37147 .set_socket = pccard_set_socket,
37148 diff -urNp linux-2.6.39.1/drivers/pcmcia/vrc4173_cardu.c linux-2.6.39.1/drivers/pcmcia/vrc4173_cardu.c
37149 --- linux-2.6.39.1/drivers/pcmcia/vrc4173_cardu.c 2011-05-19 00:06:34.000000000 -0400
37150 +++ linux-2.6.39.1/drivers/pcmcia/vrc4173_cardu.c 2011-05-22 19:36:32.000000000 -0400
37151 @@ -384,7 +384,7 @@ static void cardu_proc_setup(unsigned in
37152 {
37153 }
37154
37155 -static struct pccard_operations cardu_operations = {
37156 +static const struct pccard_operations cardu_operations = {
37157 .init = cardu_init,
37158 .register_callback = cardu_register_callback,
37159 .inquire_socket = cardu_inquire_socket,
37160 diff -urNp linux-2.6.39.1/drivers/pcmcia/xxs1500_ss.c linux-2.6.39.1/drivers/pcmcia/xxs1500_ss.c
37161 --- linux-2.6.39.1/drivers/pcmcia/xxs1500_ss.c 2011-05-19 00:06:34.000000000 -0400
37162 +++ linux-2.6.39.1/drivers/pcmcia/xxs1500_ss.c 2011-05-22 19:36:32.000000000 -0400
37163 @@ -196,7 +196,7 @@ static int au1x00_pcmcia_set_mem_map(str
37164 return 0;
37165 }
37166
37167 -static struct pccard_operations xxs1500_pcmcia_operations = {
37168 +static const struct pccard_operations xxs1500_pcmcia_operations = {
37169 .init = xxs1500_pcmcia_sock_init,
37170 .suspend = xxs1500_pcmcia_sock_suspend,
37171 .get_status = xxs1500_pcmcia_get_status,
37172 diff -urNp linux-2.6.39.1/drivers/platform/x86/acerhdf.c linux-2.6.39.1/drivers/platform/x86/acerhdf.c
37173 --- linux-2.6.39.1/drivers/platform/x86/acerhdf.c 2011-05-19 00:06:34.000000000 -0400
37174 +++ linux-2.6.39.1/drivers/platform/x86/acerhdf.c 2011-05-22 19:36:32.000000000 -0400
37175 @@ -406,7 +406,7 @@ static int acerhdf_get_crit_temp(struct
37176 }
37177
37178 /* bind callback functions to thermalzone */
37179 -static struct thermal_zone_device_ops acerhdf_dev_ops = {
37180 +static const struct thermal_zone_device_ops acerhdf_dev_ops = {
37181 .bind = acerhdf_bind,
37182 .unbind = acerhdf_unbind,
37183 .get_temp = acerhdf_get_ec_temp,
37184 @@ -481,7 +481,7 @@ err_out:
37185 }
37186
37187 /* bind fan callbacks to fan device */
37188 -static struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37189 +static const struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37190 .get_max_state = acerhdf_get_max_state,
37191 .get_cur_state = acerhdf_get_cur_state,
37192 .set_cur_state = acerhdf_set_cur_state,
37193 diff -urNp linux-2.6.39.1/drivers/platform/x86/ideapad-laptop.c linux-2.6.39.1/drivers/platform/x86/ideapad-laptop.c
37194 --- linux-2.6.39.1/drivers/platform/x86/ideapad-laptop.c 2011-05-19 00:06:34.000000000 -0400
37195 +++ linux-2.6.39.1/drivers/platform/x86/ideapad-laptop.c 2011-05-22 19:36:32.000000000 -0400
37196 @@ -207,7 +207,7 @@ static int ideapad_rfk_set(void *data, b
37197 return write_ec_cmd(ideapad_handle, opcode, !blocked);
37198 }
37199
37200 -static struct rfkill_ops ideapad_rfk_ops = {
37201 +static const struct rfkill_ops ideapad_rfk_ops = {
37202 .set_block = ideapad_rfk_set,
37203 };
37204
37205 diff -urNp linux-2.6.39.1/drivers/platform/x86/intel_menlow.c linux-2.6.39.1/drivers/platform/x86/intel_menlow.c
37206 --- linux-2.6.39.1/drivers/platform/x86/intel_menlow.c 2011-05-19 00:06:34.000000000 -0400
37207 +++ linux-2.6.39.1/drivers/platform/x86/intel_menlow.c 2011-05-22 19:36:32.000000000 -0400
37208 @@ -143,7 +143,7 @@ static int memory_set_cur_bandwidth(stru
37209 return 0;
37210 }
37211
37212 -static struct thermal_cooling_device_ops memory_cooling_ops = {
37213 +static const struct thermal_cooling_device_ops memory_cooling_ops = {
37214 .get_max_state = memory_get_max_bandwidth,
37215 .get_cur_state = memory_get_cur_bandwidth,
37216 .set_cur_state = memory_set_cur_bandwidth,
37217 diff -urNp linux-2.6.39.1/drivers/platform/x86/intel_mid_thermal.c linux-2.6.39.1/drivers/platform/x86/intel_mid_thermal.c
37218 --- linux-2.6.39.1/drivers/platform/x86/intel_mid_thermal.c 2011-05-19 00:06:34.000000000 -0400
37219 +++ linux-2.6.39.1/drivers/platform/x86/intel_mid_thermal.c 2011-05-22 19:36:32.000000000 -0400
37220 @@ -458,7 +458,7 @@ static int read_curr_temp(struct thermal
37221 }
37222
37223 /* Can't be const */
37224 -static struct thermal_zone_device_ops tzd_ops = {
37225 +static const struct thermal_zone_device_ops tzd_ops = {
37226 .get_temp = read_curr_temp,
37227 };
37228
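Review bot: The context comment `/* Can't be const */` stays directly above `tzd_ops` while the declaration becomes `static const struct thermal_zone_device_ops`, so the new code contradicts its own comment. If the comment is stale, it should be deleted in the same change. If its original reason still holds (for instance a registration call that takes a non-const pointer, which is not visible in this hunk), then the qualifier is discarded at the call site or a later write would hit read-only data. Please resolve it one way and leave a comment that matches the declaration.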
37229 diff -urNp linux-2.6.39.1/drivers/platform/x86/samsung-laptop.c linux-2.6.39.1/drivers/platform/x86/samsung-laptop.c
37230 --- linux-2.6.39.1/drivers/platform/x86/samsung-laptop.c 2011-05-19 00:06:34.000000000 -0400
37231 +++ linux-2.6.39.1/drivers/platform/x86/samsung-laptop.c 2011-05-22 19:36:32.000000000 -0400
37232 @@ -419,7 +419,7 @@ static int rfkill_set(void *data, bool b
37233 return 0;
37234 }
37235
37236 -static struct rfkill_ops rfkill_ops = {
37237 +static const struct rfkill_ops rfkill_ops = {
37238 .set_block = rfkill_set,
37239 };
37240
37241 diff -urNp linux-2.6.39.1/drivers/pnp/pnpbios/bioscalls.c linux-2.6.39.1/drivers/pnp/pnpbios/bioscalls.c
37242 --- linux-2.6.39.1/drivers/pnp/pnpbios/bioscalls.c 2011-05-19 00:06:34.000000000 -0400
37243 +++ linux-2.6.39.1/drivers/pnp/pnpbios/bioscalls.c 2011-05-22 19:36:32.000000000 -0400
37244 @@ -59,7 +59,7 @@ do { \
37245 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37246 } while(0)
37247
37248 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37249 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37250 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37251
37252 /*
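Review bot: The flags literal passed to `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` without a comment, and a one-bit change in a magic constant is easy to mistake for a typo. Bit 0 of the access byte is the x86 descriptor "accessed" flag, and pre-setting it presumably spares the CPU from writing that bit back into the GDT on a segment load. That would matter once the table is read-only, which the `pax_open_kernel()` bracketing in the next hunks suggests. A comment such as `/* 0x93: present, DPL 0, data r/w, accessed bit pre-set so loading the selector never writes the GDT */` would record the intent next to the value.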
37253 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
37254
37255 cpu = get_cpu();
37256 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37257 +
37258 + pax_open_kernel();
37259 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37260 + pax_close_kernel();
37261
37262 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37263 spin_lock_irqsave(&pnp_bios_lock, flags);
37264 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
37265 :"memory");
37266 spin_unlock_irqrestore(&pnp_bios_lock, flags);
37267
37268 + pax_open_kernel();
37269 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37270 + pax_close_kernel();
37271 +
37272 put_cpu();
37273
37274 /* If we get here and this is set then the PnP BIOS faulted on us. */
37275 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
37276 return status;
37277 }
37278
37279 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
37280 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37281 {
37282 int i;
37283
37284 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
37285 pnp_bios_callpoint.offset = header->fields.pm16offset;
37286 pnp_bios_callpoint.segment = PNP_CS16;
37287
37288 + pax_open_kernel();
37289 +
37290 for_each_possible_cpu(i) {
37291 struct desc_struct *gdt = get_cpu_gdt_table(i);
37292 if (!gdt)
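Review bot: The `pax_open_kernel()` added before `for_each_possible_cpu` is only closed by the `pax_close_kernel()` in the next hunk, after the loop, so the writable window covers every iteration, including the `if (!gdt)` skip path. That is correct as written, but nothing ties the two calls together for a later editor, and an early `return` added inside the loop would leave the window open. A comment at the open call, for example `/* GDT entries are written for every CPU below; keep the matching pax_close_kernel() after the loop */`, would make the pairing explicit. The loop body continues outside this hunk.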
37293 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
37294 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37295 (unsigned long)__va(header->fields.pm16dseg));
37296 }
37297 +
37298 + pax_close_kernel();
37299 }
37300 diff -urNp linux-2.6.39.1/drivers/pnp/resource.c linux-2.6.39.1/drivers/pnp/resource.c
37301 --- linux-2.6.39.1/drivers/pnp/resource.c 2011-05-19 00:06:34.000000000 -0400
37302 +++ linux-2.6.39.1/drivers/pnp/resource.c 2011-05-22 19:36:32.000000000 -0400
37303 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37304 return 1;
37305
37306 /* check if the resource is valid */
37307 - if (*irq < 0 || *irq > 15)
37308 + if (*irq > 15)
37309 return 0;
37310
37311 /* check if the resource is reserved */
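Review bot: Dropping `*irq < 0` here, and `*dma < 0` in the pnp_check_dma hunk that follows, preserves behaviour only if the pointed-to type is unsigned. The declarations of `irq` and `dma` are outside both hunks, so the diff alone cannot confirm that. If they are unsigned, the remaining upper-bound test already rejects a wrapped negative value, and a comment such as `/* *irq is unsigned: a negative input wraps and fails the > 15 test */` would stop someone from re-adding the dead comparison. If either is signed, the lower-bound check must stay.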
37312 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37313 return 1;
37314
37315 /* check if the resource is valid */
37316 - if (*dma < 0 || *dma == 4 || *dma > 7)
37317 + if (*dma == 4 || *dma > 7)
37318 return 0;
37319
37320 /* check if the resource is reserved */
37321 diff -urNp linux-2.6.39.1/drivers/power/max8925_power.c linux-2.6.39.1/drivers/power/max8925_power.c
37322 --- linux-2.6.39.1/drivers/power/max8925_power.c 2011-05-19 00:06:34.000000000 -0400
37323 +++ linux-2.6.39.1/drivers/power/max8925_power.c 2011-05-22 19:36:32.000000000 -0400
37324 @@ -426,7 +426,7 @@ static __devinit int max8925_power_probe
37325 {
37326 struct max8925_chip *chip = dev_get_drvdata(pdev->dev.parent);
37327 struct max8925_platform_data *max8925_pdata;
37328 - struct max8925_power_pdata *pdata = NULL;
37329 + const struct max8925_power_pdata *pdata = NULL;
37330 struct max8925_power_info *info;
37331 int ret;
37332
37333 diff -urNp linux-2.6.39.1/drivers/regulator/core.c linux-2.6.39.1/drivers/regulator/core.c
37334 --- linux-2.6.39.1/drivers/regulator/core.c 2011-05-19 00:06:34.000000000 -0400
37335 +++ linux-2.6.39.1/drivers/regulator/core.c 2011-05-22 19:36:32.000000000 -0400
37336 @@ -2883,7 +2883,7 @@ core_initcall(regulator_init);
37337 static int __init regulator_init_complete(void)
37338 {
37339 struct regulator_dev *rdev;
37340 - struct regulator_ops *ops;
37341 + const struct regulator_ops *ops;
37342 struct regulation_constraints *c;
37343 int enabled, ret;
37344
37345 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-at32ap700x.c linux-2.6.39.1/drivers/rtc/rtc-at32ap700x.c
37346 --- linux-2.6.39.1/drivers/rtc/rtc-at32ap700x.c 2011-05-19 00:06:34.000000000 -0400
37347 +++ linux-2.6.39.1/drivers/rtc/rtc-at32ap700x.c 2011-05-22 19:36:32.000000000 -0400
37348 @@ -187,7 +187,7 @@ static irqreturn_t at32_rtc_interrupt(in
37349 return ret;
37350 }
37351
37352 -static struct rtc_class_ops at32_rtc_ops = {
37353 +static const struct rtc_class_ops at32_rtc_ops = {
37354 .read_time = at32_rtc_readtime,
37355 .set_time = at32_rtc_settime,
37356 .read_alarm = at32_rtc_readalarm,
37357 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-au1xxx.c linux-2.6.39.1/drivers/rtc/rtc-au1xxx.c
37358 --- linux-2.6.39.1/drivers/rtc/rtc-au1xxx.c 2011-05-19 00:06:34.000000000 -0400
37359 +++ linux-2.6.39.1/drivers/rtc/rtc-au1xxx.c 2011-05-22 19:36:32.000000000 -0400
37360 @@ -57,7 +57,7 @@ static int au1xtoy_rtc_set_time(struct d
37361 return 0;
37362 }
37363
37364 -static struct rtc_class_ops au1xtoy_rtc_ops = {
37365 +static const struct rtc_class_ops au1xtoy_rtc_ops = {
37366 .read_time = au1xtoy_rtc_read_time,
37367 .set_time = au1xtoy_rtc_set_time,
37368 };
37369 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-bfin.c linux-2.6.39.1/drivers/rtc/rtc-bfin.c
37370 --- linux-2.6.39.1/drivers/rtc/rtc-bfin.c 2011-05-19 00:06:34.000000000 -0400
37371 +++ linux-2.6.39.1/drivers/rtc/rtc-bfin.c 2011-05-22 19:36:32.000000000 -0400
37372 @@ -333,7 +333,7 @@ static int bfin_rtc_proc(struct device *
37373 #undef yesno
37374 }
37375
37376 -static struct rtc_class_ops bfin_rtc_ops = {
37377 +static const struct rtc_class_ops bfin_rtc_ops = {
37378 .read_time = bfin_rtc_read_time,
37379 .set_time = bfin_rtc_set_time,
37380 .read_alarm = bfin_rtc_read_alarm,
37381 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-coh901331.c linux-2.6.39.1/drivers/rtc/rtc-coh901331.c
37382 --- linux-2.6.39.1/drivers/rtc/rtc-coh901331.c 2011-05-19 00:06:34.000000000 -0400
37383 +++ linux-2.6.39.1/drivers/rtc/rtc-coh901331.c 2011-05-22 19:36:32.000000000 -0400
37384 @@ -142,7 +142,7 @@ static int coh901331_alarm_irq_enable(st
37385 return 0;
37386 }
37387
37388 -static struct rtc_class_ops coh901331_ops = {
37389 +static const struct rtc_class_ops coh901331_ops = {
37390 .read_time = coh901331_read_time,
37391 .set_mmss = coh901331_set_mmss,
37392 .read_alarm = coh901331_read_alarm,
37393 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-davinci.c linux-2.6.39.1/drivers/rtc/rtc-davinci.c
37394 --- linux-2.6.39.1/drivers/rtc/rtc-davinci.c 2011-05-19 00:06:34.000000000 -0400
37395 +++ linux-2.6.39.1/drivers/rtc/rtc-davinci.c 2011-05-22 19:36:32.000000000 -0400
37396 @@ -469,7 +469,7 @@ static int davinci_rtc_set_alarm(struct
37397 return 0;
37398 }
37399
37400 -static struct rtc_class_ops davinci_rtc_ops = {
37401 +static const struct rtc_class_ops davinci_rtc_ops = {
37402 .ioctl = davinci_rtc_ioctl,
37403 .read_time = davinci_rtc_read_time,
37404 .set_time = davinci_rtc_set_time,
37405 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-dev.c linux-2.6.39.1/drivers/rtc/rtc-dev.c
37406 --- linux-2.6.39.1/drivers/rtc/rtc-dev.c 2011-05-19 00:06:34.000000000 -0400
37407 +++ linux-2.6.39.1/drivers/rtc/rtc-dev.c 2011-05-22 19:41:37.000000000 -0400
37408 @@ -14,6 +14,7 @@
37409 #include <linux/module.h>
37410 #include <linux/rtc.h>
37411 #include <linux/sched.h>
37412 +#include <linux/grsecurity.h>
37413 #include "rtc-core.h"
37414
37415 static dev_t rtc_devt;
37416 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
37417 if (copy_from_user(&tm, uarg, sizeof(tm)))
37418 return -EFAULT;
37419
37420 + gr_log_timechange();
37421 +
37422 return rtc_set_time(rtc, &tm);
37423
37424 case RTC_PIE_ON:
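Review bot: `gr_log_timechange()` is called before `rtc_set_time()` and the result of the latter is not consulted, so an audit record is written even when the set fails and the clock is unchanged. If the intent is to record attempts, a comment like `/* audit the attempt; rtc_set_time() may still fail */` would make that explicit for anyone correlating logs with actual clock jumps. If only successful changes should be logged, the return value of `rtc_set_time(rtc, &tm)` needs to be captured and the log call made only when it is 0. Any privilege check for this ioctl case sits above the hunk and is not visible here.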
37425 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-dm355evm.c linux-2.6.39.1/drivers/rtc/rtc-dm355evm.c
37426 --- linux-2.6.39.1/drivers/rtc/rtc-dm355evm.c 2011-05-19 00:06:34.000000000 -0400
37427 +++ linux-2.6.39.1/drivers/rtc/rtc-dm355evm.c 2011-05-22 19:36:32.000000000 -0400
37428 @@ -115,7 +115,7 @@ static int dm355evm_rtc_set_time(struct
37429 return 0;
37430 }
37431
37432 -static struct rtc_class_ops dm355evm_rtc_ops = {
37433 +static const struct rtc_class_ops dm355evm_rtc_ops = {
37434 .read_time = dm355evm_rtc_read_time,
37435 .set_time = dm355evm_rtc_set_time,
37436 };
37437 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-ds1302.c linux-2.6.39.1/drivers/rtc/rtc-ds1302.c
37438 --- linux-2.6.39.1/drivers/rtc/rtc-ds1302.c 2011-05-19 00:06:34.000000000 -0400
37439 +++ linux-2.6.39.1/drivers/rtc/rtc-ds1302.c 2011-05-22 19:36:32.000000000 -0400
37440 @@ -199,7 +199,7 @@ static int ds1302_rtc_ioctl(struct devic
37441 return -ENOIOCTLCMD;
37442 }
37443
37444 -static struct rtc_class_ops ds1302_rtc_ops = {
37445 +static const struct rtc_class_ops ds1302_rtc_ops = {
37446 .read_time = ds1302_rtc_read_time,
37447 .set_time = ds1302_rtc_set_time,
37448 .ioctl = ds1302_rtc_ioctl,
37449 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-imxdi.c linux-2.6.39.1/drivers/rtc/rtc-imxdi.c
37450 --- linux-2.6.39.1/drivers/rtc/rtc-imxdi.c 2011-05-19 00:06:34.000000000 -0400
37451 +++ linux-2.6.39.1/drivers/rtc/rtc-imxdi.c 2011-05-22 19:36:32.000000000 -0400
37452 @@ -290,7 +290,7 @@ static int dryice_rtc_set_alarm(struct d
37453 return 0;
37454 }
37455
37456 -static struct rtc_class_ops dryice_rtc_ops = {
37457 +static const struct rtc_class_ops dryice_rtc_ops = {
37458 .read_time = dryice_rtc_read_time,
37459 .set_mmss = dryice_rtc_set_mmss,
37460 .alarm_irq_enable = dryice_rtc_alarm_irq_enable,
37461 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-jz4740.c linux-2.6.39.1/drivers/rtc/rtc-jz4740.c
37462 --- linux-2.6.39.1/drivers/rtc/rtc-jz4740.c 2011-05-19 00:06:34.000000000 -0400
37463 +++ linux-2.6.39.1/drivers/rtc/rtc-jz4740.c 2011-05-22 19:36:32.000000000 -0400
37464 @@ -174,7 +174,7 @@ static int jz4740_rtc_alarm_irq_enable(s
37465 return jz4740_rtc_ctrl_set_bits(rtc, JZ_RTC_CTRL_AF_IRQ, enable);
37466 }
37467
37468 -static struct rtc_class_ops jz4740_rtc_ops = {
37469 +static const struct rtc_class_ops jz4740_rtc_ops = {
37470 .read_time = jz4740_rtc_read_time,
37471 .set_mmss = jz4740_rtc_set_mmss,
37472 .read_alarm = jz4740_rtc_read_alarm,
37473 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-m41t80.c linux-2.6.39.1/drivers/rtc/rtc-m41t80.c
37474 --- linux-2.6.39.1/drivers/rtc/rtc-m41t80.c 2011-05-19 00:06:34.000000000 -0400
37475 +++ linux-2.6.39.1/drivers/rtc/rtc-m41t80.c 2011-05-22 19:36:32.000000000 -0400
37476 @@ -354,7 +354,7 @@ static int m41t80_rtc_read_alarm(struct
37477 return 0;
37478 }
37479
37480 -static struct rtc_class_ops m41t80_rtc_ops = {
37481 +static const struct rtc_class_ops m41t80_rtc_ops = {
37482 .read_time = m41t80_rtc_read_time,
37483 .set_time = m41t80_rtc_set_time,
37484 .read_alarm = m41t80_rtc_read_alarm,
37485 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-mxc.c linux-2.6.39.1/drivers/rtc/rtc-mxc.c
37486 --- linux-2.6.39.1/drivers/rtc/rtc-mxc.c 2011-05-19 00:06:34.000000000 -0400
37487 +++ linux-2.6.39.1/drivers/rtc/rtc-mxc.c 2011-05-22 19:36:32.000000000 -0400
37488 @@ -355,7 +355,7 @@ static int mxc_rtc_set_alarm(struct devi
37489 }
37490
37491 /* RTC layer */
37492 -static struct rtc_class_ops mxc_rtc_ops = {
37493 +static const struct rtc_class_ops mxc_rtc_ops = {
37494 .release = mxc_rtc_release,
37495 .read_time = mxc_rtc_read_time,
37496 .set_mmss = mxc_rtc_set_mmss,
37497 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-nuc900.c linux-2.6.39.1/drivers/rtc/rtc-nuc900.c
37498 --- linux-2.6.39.1/drivers/rtc/rtc-nuc900.c 2011-05-19 00:06:34.000000000 -0400
37499 +++ linux-2.6.39.1/drivers/rtc/rtc-nuc900.c 2011-05-22 19:36:32.000000000 -0400
37500 @@ -214,7 +214,7 @@ static int nuc900_rtc_set_alarm(struct d
37501 return 0;
37502 }
37503
37504 -static struct rtc_class_ops nuc900_rtc_ops = {
37505 +static const struct rtc_class_ops nuc900_rtc_ops = {
37506 .read_time = nuc900_rtc_read_time,
37507 .set_time = nuc900_rtc_set_time,
37508 .read_alarm = nuc900_rtc_read_alarm,
37509 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-omap.c linux-2.6.39.1/drivers/rtc/rtc-omap.c
37510 --- linux-2.6.39.1/drivers/rtc/rtc-omap.c 2011-05-19 00:06:34.000000000 -0400
37511 +++ linux-2.6.39.1/drivers/rtc/rtc-omap.c 2011-05-22 19:36:32.000000000 -0400
37512 @@ -274,7 +274,7 @@ static int omap_rtc_set_alarm(struct dev
37513 return 0;
37514 }
37515
37516 -static struct rtc_class_ops omap_rtc_ops = {
37517 +static const struct rtc_class_ops omap_rtc_ops = {
37518 .read_time = omap_rtc_read_time,
37519 .set_time = omap_rtc_set_time,
37520 .read_alarm = omap_rtc_read_alarm,
37521 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-pcf50633.c linux-2.6.39.1/drivers/rtc/rtc-pcf50633.c
37522 --- linux-2.6.39.1/drivers/rtc/rtc-pcf50633.c 2011-05-19 00:06:34.000000000 -0400
37523 +++ linux-2.6.39.1/drivers/rtc/rtc-pcf50633.c 2011-05-22 19:36:32.000000000 -0400
37524 @@ -238,7 +238,7 @@ static int pcf50633_rtc_set_alarm(struct
37525 return ret;
37526 }
37527
37528 -static struct rtc_class_ops pcf50633_rtc_ops = {
37529 +static const struct rtc_class_ops pcf50633_rtc_ops = {
37530 .read_time = pcf50633_rtc_read_time,
37531 .set_time = pcf50633_rtc_set_time,
37532 .read_alarm = pcf50633_rtc_read_alarm,
37533 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-pl031.c linux-2.6.39.1/drivers/rtc/rtc-pl031.c
37534 --- linux-2.6.39.1/drivers/rtc/rtc-pl031.c 2011-05-19 00:06:34.000000000 -0400
37535 +++ linux-2.6.39.1/drivers/rtc/rtc-pl031.c 2011-05-22 19:36:32.000000000 -0400
37536 @@ -374,7 +374,7 @@ err_req:
37537 }
37538
37539 /* Operations for the original ARM version */
37540 -static struct rtc_class_ops arm_pl031_ops = {
37541 +static const struct rtc_class_ops arm_pl031_ops = {
37542 .read_time = pl031_read_time,
37543 .set_time = pl031_set_time,
37544 .read_alarm = pl031_read_alarm,
37545 @@ -383,7 +383,7 @@ static struct rtc_class_ops arm_pl031_op
37546 };
37547
37548 /* The First ST derivative */
37549 -static struct rtc_class_ops stv1_pl031_ops = {
37550 +static const struct rtc_class_ops stv1_pl031_ops = {
37551 .read_time = pl031_read_time,
37552 .set_time = pl031_set_time,
37553 .read_alarm = pl031_read_alarm,
37554 @@ -392,7 +392,7 @@ static struct rtc_class_ops stv1_pl031_o
37555 };
37556
37557 /* And the second ST derivative */
37558 -static struct rtc_class_ops stv2_pl031_ops = {
37559 +static const struct rtc_class_ops stv2_pl031_ops = {
37560 .read_time = pl031_stv2_read_time,
37561 .set_time = pl031_stv2_set_time,
37562 .read_alarm = pl031_stv2_read_alarm,
37563 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-rx8025.c linux-2.6.39.1/drivers/rtc/rtc-rx8025.c
37564 --- linux-2.6.39.1/drivers/rtc/rtc-rx8025.c 2011-05-19 00:06:34.000000000 -0400
37565 +++ linux-2.6.39.1/drivers/rtc/rtc-rx8025.c 2011-05-22 19:36:32.000000000 -0400
37566 @@ -424,7 +424,7 @@ static int rx8025_alarm_irq_enable(struc
37567 return 0;
37568 }
37569
37570 -static struct rtc_class_ops rx8025_rtc_ops = {
37571 +static const struct rtc_class_ops rx8025_rtc_ops = {
37572 .read_time = rx8025_get_time,
37573 .set_time = rx8025_set_time,
37574 .read_alarm = rx8025_read_alarm,
37575 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-sh.c linux-2.6.39.1/drivers/rtc/rtc-sh.c
37576 --- linux-2.6.39.1/drivers/rtc/rtc-sh.c 2011-05-19 00:06:34.000000000 -0400
37577 +++ linux-2.6.39.1/drivers/rtc/rtc-sh.c 2011-05-22 19:36:32.000000000 -0400
37578 @@ -576,7 +576,7 @@ static int sh_rtc_set_alarm(struct devic
37579 return 0;
37580 }
37581
37582 -static struct rtc_class_ops sh_rtc_ops = {
37583 +static const struct rtc_class_ops sh_rtc_ops = {
37584 .read_time = sh_rtc_read_time,
37585 .set_time = sh_rtc_set_time,
37586 .read_alarm = sh_rtc_read_alarm,
37587 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-stmp3xxx.c linux-2.6.39.1/drivers/rtc/rtc-stmp3xxx.c
37588 --- linux-2.6.39.1/drivers/rtc/rtc-stmp3xxx.c 2011-05-19 00:06:34.000000000 -0400
37589 +++ linux-2.6.39.1/drivers/rtc/rtc-stmp3xxx.c 2011-05-22 19:36:32.000000000 -0400
37590 @@ -133,7 +133,7 @@ static int stmp3xxx_rtc_set_alarm(struct
37591 return 0;
37592 }
37593
37594 -static struct rtc_class_ops stmp3xxx_rtc_ops = {
37595 +static const struct rtc_class_ops stmp3xxx_rtc_ops = {
37596 .alarm_irq_enable =
37597 stmp3xxx_alarm_irq_enable,
37598 .read_time = stmp3xxx_rtc_gettime,
37599 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-tegra.c linux-2.6.39.1/drivers/rtc/rtc-tegra.c
37600 --- linux-2.6.39.1/drivers/rtc/rtc-tegra.c 2011-05-19 00:06:34.000000000 -0400
37601 +++ linux-2.6.39.1/drivers/rtc/rtc-tegra.c 2011-05-22 19:36:32.000000000 -0400
37602 @@ -294,7 +294,7 @@ static irqreturn_t tegra_rtc_irq_handler
37603 return IRQ_HANDLED;
37604 }
37605
37606 -static struct rtc_class_ops tegra_rtc_ops = {
37607 +static const struct rtc_class_ops tegra_rtc_ops = {
37608 .read_time = tegra_rtc_read_time,
37609 .set_time = tegra_rtc_set_time,
37610 .read_alarm = tegra_rtc_read_alarm,
37611 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-twl.c linux-2.6.39.1/drivers/rtc/rtc-twl.c
37612 --- linux-2.6.39.1/drivers/rtc/rtc-twl.c 2011-05-19 00:06:34.000000000 -0400
37613 +++ linux-2.6.39.1/drivers/rtc/rtc-twl.c 2011-05-22 19:36:32.000000000 -0400
37614 @@ -415,7 +415,7 @@ out:
37615 return ret;
37616 }
37617
37618 -static struct rtc_class_ops twl_rtc_ops = {
37619 +static const struct rtc_class_ops twl_rtc_ops = {
37620 .read_time = twl_rtc_read_time,
37621 .set_time = twl_rtc_set_time,
37622 .read_alarm = twl_rtc_read_alarm,
37623 diff -urNp linux-2.6.39.1/drivers/rtc/rtc-v3020.c linux-2.6.39.1/drivers/rtc/rtc-v3020.c
37624 --- linux-2.6.39.1/drivers/rtc/rtc-v3020.c 2011-05-19 00:06:34.000000000 -0400
37625 +++ linux-2.6.39.1/drivers/rtc/rtc-v3020.c 2011-05-22 19:36:32.000000000 -0400
37626 @@ -62,7 +62,7 @@ struct v3020 {
37627 /* GPIO access */
37628 struct v3020_gpio *gpio;
37629
37630 - struct v3020_chip_ops *ops;
37631 + const struct v3020_chip_ops *ops;
37632
37633 struct rtc_device *rtc;
37634 };
37635 @@ -100,7 +100,7 @@ static unsigned char v3020_mmio_read_bit
37636 return !!(readl(chip->ioaddress) & (1 << chip->leftshift));
37637 }
37638
37639 -static struct v3020_chip_ops v3020_mmio_ops = {
37640 +static const struct v3020_chip_ops v3020_mmio_ops = {
37641 .map_io = v3020_mmio_map,
37642 .unmap_io = v3020_mmio_unmap,
37643 .read_bit = v3020_mmio_read_bit,
37644 @@ -177,7 +177,7 @@ static unsigned char v3020_gpio_read_bit
37645 return bit;
37646 }
37647
37648 -static struct v3020_chip_ops v3020_gpio_ops = {
37649 +static const struct v3020_chip_ops v3020_gpio_ops = {
37650 .map_io = v3020_gpio_map,
37651 .unmap_io = v3020_gpio_unmap,
37652 .read_bit = v3020_gpio_read_bit,
37653 diff -urNp linux-2.6.39.1/drivers/s390/char/con3270.c linux-2.6.39.1/drivers/s390/char/con3270.c
37654 --- linux-2.6.39.1/drivers/s390/char/con3270.c 2011-05-19 00:06:34.000000000 -0400
37655 +++ linux-2.6.39.1/drivers/s390/char/con3270.c 2011-05-22 19:36:32.000000000 -0400
37656 @@ -28,7 +28,7 @@
37657 #define CON3270_OUTPUT_BUFFER_SIZE 1024
37658 #define CON3270_STRING_PAGES 4
37659
37660 -static struct raw3270_fn con3270_fn;
37661 +static const struct raw3270_fn con3270_fn;
37662
37663 /*
37664 * Main 3270 console view data structure.
37665 @@ -413,7 +413,7 @@ con3270_irq(struct con3270 *cp, struct r
37666 }
37667
37668 /* Console view to a 3270 device. */
37669 -static struct raw3270_fn con3270_fn = {
37670 +static const struct raw3270_fn con3270_fn = {
37671 .activate = con3270_activate,
37672 .deactivate = con3270_deactivate,
37673 .intv = (void *) con3270_irq
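Review bot: The `.intv` initializer still goes through a `(void *)` cast, so the compiler cannot check that `con3270_irq` matches the prototype of the `intv` member. Making the table `const` keeps the pointer from being overwritten, but it does not show that the pointer has the right type. In raw3270.c, `raw3270_init_irq` takes a `struct raw3270_view *` and is assigned with no cast, which suggests that is the expected first parameter. Giving `con3270_irq` that prototype and converting to `struct con3270 *` inside would allow `.intv = con3270_irq`. The same cast remains in the `fs3270_fn` and `tty3270_fn` tables changed in this patch; the member's declaration is not visible here, so the exact signature is inferred.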
37674 diff -urNp linux-2.6.39.1/drivers/s390/char/fs3270.c linux-2.6.39.1/drivers/s390/char/fs3270.c
37675 --- linux-2.6.39.1/drivers/s390/char/fs3270.c 2011-05-19 00:06:34.000000000 -0400
37676 +++ linux-2.6.39.1/drivers/s390/char/fs3270.c 2011-05-22 19:36:32.000000000 -0400
37677 @@ -24,7 +24,7 @@
37678 #include "raw3270.h"
37679 #include "ctrlchar.h"
37680
37681 -static struct raw3270_fn fs3270_fn;
37682 +static const struct raw3270_fn fs3270_fn;
37683
37684 struct fs3270 {
37685 struct raw3270_view view;
37686 @@ -413,7 +413,7 @@ fs3270_release(struct raw3270_view *view
37687 }
37688
37689 /* View to a 3270 device. Can be console, tty or fullscreen. */
37690 -static struct raw3270_fn fs3270_fn = {
37691 +static const struct raw3270_fn fs3270_fn = {
37692 .activate = fs3270_activate,
37693 .deactivate = fs3270_deactivate,
37694 .intv = (void *) fs3270_irq,
37695 diff -urNp linux-2.6.39.1/drivers/s390/char/raw3270.c linux-2.6.39.1/drivers/s390/char/raw3270.c
37696 --- linux-2.6.39.1/drivers/s390/char/raw3270.c 2011-05-19 00:06:34.000000000 -0400
37697 +++ linux-2.6.39.1/drivers/s390/char/raw3270.c 2011-05-22 19:36:32.000000000 -0400
37698 @@ -488,7 +488,7 @@ raw3270_init_irq(struct raw3270_view *vi
37699 return RAW3270_IO_DONE;
37700 }
37701
37702 -static struct raw3270_fn raw3270_init_fn = {
37703 +static const struct raw3270_fn raw3270_init_fn = {
37704 .intv = raw3270_init_irq
37705 };
37706
37707 diff -urNp linux-2.6.39.1/drivers/s390/char/tty3270.c linux-2.6.39.1/drivers/s390/char/tty3270.c
37708 --- linux-2.6.39.1/drivers/s390/char/tty3270.c 2011-05-19 00:06:34.000000000 -0400
37709 +++ linux-2.6.39.1/drivers/s390/char/tty3270.c 2011-05-22 19:36:32.000000000 -0400
37710 @@ -37,7 +37,7 @@
37711 struct tty_driver *tty3270_driver;
37712 static int tty3270_max_index;
37713
37714 -static struct raw3270_fn tty3270_fn;
37715 +static const struct raw3270_fn tty3270_fn;
37716
37717 struct tty3270_cell {
37718 unsigned char character;
37719 @@ -834,7 +834,7 @@ tty3270_del_views(void)
37720 }
37721 }
37722
37723 -static struct raw3270_fn tty3270_fn = {
37724 +static const struct raw3270_fn tty3270_fn = {
37725 .activate = tty3270_activate,
37726 .deactivate = tty3270_deactivate,
37727 .intv = (void *) tty3270_irq,
37728 diff -urNp linux-2.6.39.1/drivers/s390/cio/qdio_debug.c linux-2.6.39.1/drivers/s390/cio/qdio_debug.c
37729 --- linux-2.6.39.1/drivers/s390/cio/qdio_debug.c 2011-05-19 00:06:34.000000000 -0400
37730 +++ linux-2.6.39.1/drivers/s390/cio/qdio_debug.c 2011-05-22 19:36:32.000000000 -0400
37731 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
37732 filp->f_path.dentry->d_inode->i_private);
37733 }
37734
37735 -static struct file_operations debugfs_perf_fops = {
37736 +static const struct file_operations debugfs_perf_fops = {
37737 .owner = THIS_MODULE,
37738 .open = qperf_seq_open,
37739 .read = seq_read,
37740 diff -urNp linux-2.6.39.1/drivers/s390/crypto/zcrypt_cex2a.c linux-2.6.39.1/drivers/s390/crypto/zcrypt_cex2a.c
37741 --- linux-2.6.39.1/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-19 00:06:34.000000000 -0400
37742 +++ linux-2.6.39.1/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-22 19:36:32.000000000 -0400
37743 @@ -415,7 +415,7 @@ out_free:
37744 /**
37745 * The crypto operations for a CEX2A card.
37746 */
37747 -static struct zcrypt_ops zcrypt_cex2a_ops = {
37748 +static const struct zcrypt_ops zcrypt_cex2a_ops = {
37749 .rsa_modexpo = zcrypt_cex2a_modexpo,
37750 .rsa_modexpo_crt = zcrypt_cex2a_modexpo_crt,
37751 };
37752 diff -urNp linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcica.c linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcica.c
37753 --- linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcica.c 2011-05-19 00:06:34.000000000 -0400
37754 +++ linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcica.c 2011-05-22 19:36:32.000000000 -0400
37755 @@ -347,7 +347,7 @@ out_free:
37756 /**
37757 * The crypto operations for a PCICA card.
37758 */
37759 -static struct zcrypt_ops zcrypt_pcica_ops = {
37760 +static const struct zcrypt_ops zcrypt_pcica_ops = {
37761 .rsa_modexpo = zcrypt_pcica_modexpo,
37762 .rsa_modexpo_crt = zcrypt_pcica_modexpo_crt,
37763 };
37764 diff -urNp linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcicc.c linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcicc.c
37765 --- linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-19 00:06:34.000000000 -0400
37766 +++ linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-22 19:36:32.000000000 -0400
37767 @@ -553,7 +553,7 @@ out_free:
37768 /**
37769 * The crypto operations for a PCICC card.
37770 */
37771 -static struct zcrypt_ops zcrypt_pcicc_ops = {
37772 +static const struct zcrypt_ops zcrypt_pcicc_ops = {
37773 .rsa_modexpo = zcrypt_pcicc_modexpo,
37774 .rsa_modexpo_crt = zcrypt_pcicc_modexpo_crt,
37775 };
37776 diff -urNp linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcixcc.c linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcixcc.c
37777 --- linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-19 00:06:34.000000000 -0400
37778 +++ linux-2.6.39.1/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-22 19:36:32.000000000 -0400
37779 @@ -851,13 +851,13 @@ static long zcrypt_pcixcc_rng(struct zcr
37780 /**
37781 * The crypto operations for a PCIXCC/CEX2C card.
37782 */
37783 -static struct zcrypt_ops zcrypt_pcixcc_ops = {
37784 +static const struct zcrypt_ops zcrypt_pcixcc_ops = {
37785 .rsa_modexpo = zcrypt_pcixcc_modexpo,
37786 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
37787 .send_cprb = zcrypt_pcixcc_send_cprb,
37788 };
37789
37790 -static struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
37791 +static const struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
37792 .rsa_modexpo = zcrypt_pcixcc_modexpo,
37793 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
37794 .send_cprb = zcrypt_pcixcc_send_cprb,
37795 diff -urNp linux-2.6.39.1/drivers/s390/kvm/kvm_virtio.c linux-2.6.39.1/drivers/s390/kvm/kvm_virtio.c
37796 --- linux-2.6.39.1/drivers/s390/kvm/kvm_virtio.c 2011-05-19 00:06:34.000000000 -0400
37797 +++ linux-2.6.39.1/drivers/s390/kvm/kvm_virtio.c 2011-05-22 19:36:32.000000000 -0400
37798 @@ -266,7 +266,7 @@ error:
37799 /*
37800 * The config ops structure as defined by virtio config
37801 */
37802 -static struct virtio_config_ops kvm_vq_configspace_ops = {
37803 +static const struct virtio_config_ops kvm_vq_configspace_ops = {
37804 .get_features = kvm_get_features,
37805 .finalize_features = kvm_finalize_features,
37806 .get = kvm_get,
37807 diff -urNp linux-2.6.39.1/drivers/s390/net/qeth_core.h linux-2.6.39.1/drivers/s390/net/qeth_core.h
37808 --- linux-2.6.39.1/drivers/s390/net/qeth_core.h 2011-05-19 00:06:34.000000000 -0400
37809 +++ linux-2.6.39.1/drivers/s390/net/qeth_core.h 2011-05-22 19:36:32.000000000 -0400
37810 @@ -743,7 +743,7 @@ struct qeth_card {
37811 struct qeth_qdio_info qdio;
37812 struct qeth_perf_stats perf_stats;
37813 int read_or_write_problem;
37814 - struct qeth_osn_info osn_info;
37815 + const struct qeth_osn_info osn_info;
37816 struct qeth_discipline discipline;
37817 atomic_t force_alloc_skb;
37818 struct service_level qeth_service_level;
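Review bot: The `const` is applied to a member embedded by value in `struct qeth_card`, not to a pointer or a static table, so it cannot place anything in read-only memory and acts only as a compile-time restriction. Any code outside this hunk that fills in `osn_info` fields after the card is set up would then need to cast the qualifier away, which defeats it. If the aim is to protect the callbacks held in `struct qeth_osn_info`, a `const struct qeth_osn_info *osn_info;` pointing at a static table would achieve that. Otherwise leave the member writable and say so in a comment, e.g. `/* filled in at runtime, cannot be const */`. How the member is written is not visible in this hunk and should be checked first.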
37819 diff -urNp linux-2.6.39.1/drivers/scsi/53c700.c linux-2.6.39.1/drivers/scsi/53c700.c
37820 --- linux-2.6.39.1/drivers/scsi/53c700.c 2011-05-19 00:06:34.000000000 -0400
37821 +++ linux-2.6.39.1/drivers/scsi/53c700.c 2011-05-22 19:36:32.000000000 -0400
37822 @@ -2153,7 +2153,7 @@ EXPORT_SYMBOL(NCR_700_detect);
37823 EXPORT_SYMBOL(NCR_700_release);
37824 EXPORT_SYMBOL(NCR_700_intr);
37825
37826 -static struct spi_function_template NCR_700_transport_functions = {
37827 +static struct spi_function_template NCR_700_transport_functions = {
37828 .set_period = NCR_700_set_period,
37829 .show_period = 1,
37830 .set_offset = NCR_700_set_offset,
37831 diff -urNp linux-2.6.39.1/drivers/scsi/aacraid/commctrl.c linux-2.6.39.1/drivers/scsi/aacraid/commctrl.c
37832 --- linux-2.6.39.1/drivers/scsi/aacraid/commctrl.c 2011-05-19 00:06:34.000000000 -0400
37833 +++ linux-2.6.39.1/drivers/scsi/aacraid/commctrl.c 2011-05-22 19:36:32.000000000 -0400
37834 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
37835 u32 actual_fibsize64, actual_fibsize = 0;
37836 int i;
37837
37838 + pax_track_stack();
37839
37840 if (dev->in_reset) {
37841 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
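Review bot: The added `pax_track_stack();` call has no comment, so a reader of `aac_send_raw_srb` cannot tell why this function was chosen or when the call could be removed. A one-line comment above it would record that, e.g. `/* large stack frame: record stack depth for PaX stack clearing */`. The frame size is presumed from the call's placement, since most of the locals lie outside the hunk. The same applies to the other `pax_track_stack()` insertions in this part of the patch (bfad.c, bfa_fcs_lport.c, bfa_fcs_rport.c, BusLogic.c, dpt_i2o.c, eata.c, fcoe_ctlr.c, gdth.c, gdth_proc.c).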
37842 diff -urNp linux-2.6.39.1/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.39.1/drivers/scsi/aic94xx/aic94xx_init.c
37843 --- linux-2.6.39.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-19 00:06:34.000000000 -0400
37844 +++ linux-2.6.39.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-22 19:41:37.000000000 -0400
37845 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
37846 flash_error_table[i].reason);
37847 }
37848
37849 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
37850 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
37851 asd_show_update_bios, asd_store_update_bios);
37852
37853 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
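Review bot: Write access to `update_bios` is narrowed from everyone to the owner, but nothing next to the declaration records why, and the file mode is the only access control visible in this hunk. A short comment above `DEVICE_ATTR` would keep a later cleanup from widening it again, e.g. `/* owner-only write: the store handler updates the adapter flash */`. That description is inferred from the attribute name and the `flash_error_table` lookup in the show routine, so confirm it against `asd_store_update_bios`, which is outside the hunk. It is also worth checking whether the status text needs to stay readable by all users under `S_IRUGO`.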
37854 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfa_core.c linux-2.6.39.1/drivers/scsi/bfa/bfa_core.c
37855 --- linux-2.6.39.1/drivers/scsi/bfa/bfa_core.c 2011-05-19 00:06:34.000000000 -0400
37856 +++ linux-2.6.39.1/drivers/scsi/bfa/bfa_core.c 2011-05-22 19:36:32.000000000 -0400
37857 @@ -24,7 +24,7 @@ BFA_TRC_FILE(HAL, CORE);
37858 /*
37859 * BFA module list terminated by NULL
37860 */
37861 -static struct bfa_module_s *hal_mods[] = {
37862 +static const struct bfa_module_s *hal_mods[] = {
37863 &hal_mod_sgpg,
37864 &hal_mod_fcport,
37865 &hal_mod_fcxp,
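Review bot: The added `const` qualifies the `struct bfa_module_s` objects the entries point at, not the array, so `hal_mods[]` remains a writable table of pointers and an entry can still be redirected to another structure. To make the pointer table read-only as well, declare it `static const struct bfa_module_s * const hal_mods[] = {`. The initializer continues past the end of this hunk.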
37866 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfad.c linux-2.6.39.1/drivers/scsi/bfa/bfad.c
37867 --- linux-2.6.39.1/drivers/scsi/bfa/bfad.c 2011-05-19 00:06:34.000000000 -0400
37868 +++ linux-2.6.39.1/drivers/scsi/bfa/bfad.c 2011-05-22 19:36:32.000000000 -0400
37869 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
37870 struct bfad_vport_s *vport, *vport_new;
37871 struct bfa_fcs_driver_info_s driver_info;
37872
37873 + pax_track_stack();
37874 +
37875 /* Fill the driver_info info to fcs*/
37876 memset(&driver_info, 0, sizeof(driver_info));
37877 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
37878 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs.c linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs.c
37879 --- linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs.c 2011-05-19 00:06:34.000000000 -0400
37880 +++ linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs.c 2011-05-22 19:36:32.000000000 -0400
37881 @@ -70,7 +70,7 @@ bfa_fcs_attach(struct bfa_fcs_s *fcs, st
37882 bfa_boolean_t min_cfg)
37883 {
37884 int i;
37885 - struct bfa_fcs_mod_s *mod;
37886 + const struct bfa_fcs_mod_s *mod;
37887
37888 fcs->bfa = bfa;
37889 fcs->bfad = bfad;
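Review bot: The cursor `mod` becomes pointer-to-const in `bfa_fcs_attach`, `bfa_fcs_init` and `bfa_fcs_exit`, but none of this file's three hunks changes the declaration of the `fcs_modules` table they walk (it is referenced in the `bfa_fcs_init` loop). If that array is still declared without `const`, the function pointers in it stay in writable data and the qualifier on the locals adds no protection. Consider constifying the table in the same change, e.g. `static const struct bfa_fcs_mod_s fcs_modules[] = {`. Its definition is outside the visible hunks, so check its current form first. All three function bodies continue beyond their hunks.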
37890 @@ -93,7 +93,7 @@ void
37891 bfa_fcs_init(struct bfa_fcs_s *fcs)
37892 {
37893 int i, npbc_vports;
37894 - struct bfa_fcs_mod_s *mod;
37895 + const struct bfa_fcs_mod_s *mod;
37896 struct bfi_pbc_vport_s pbc_vports[BFI_PBC_MAX_VPORTS];
37897
37898 for (i = 0; i < sizeof(fcs_modules) / sizeof(fcs_modules[0]); i++) {
37899 @@ -140,7 +140,7 @@ bfa_fcs_driver_info_init(struct bfa_fcs_
37900 void
37901 bfa_fcs_exit(struct bfa_fcs_s *fcs)
37902 {
37903 - struct bfa_fcs_mod_s *mod;
37904 + const struct bfa_fcs_mod_s *mod;
37905 int nmods, i;
37906
37907 bfa_wc_init(&fcs->wc, bfa_fcs_exit_comp, fcs);
37908 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_lport.c
37909 --- linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-19 00:06:34.000000000 -0400
37910 +++ linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-22 19:36:32.000000000 -0400
37911 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
37912 u16 len, count;
37913 u16 templen;
37914
37915 + pax_track_stack();
37916 +
37917 /*
37918 * get hba attributes
37919 */
37920 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
37921 u8 count = 0;
37922 u16 templen;
37923
37924 + pax_track_stack();
37925 +
37926 /*
37927 * get port attributes
37928 */
37929 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_rport.c
37930 --- linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-19 00:06:34.000000000 -0400
37931 +++ linux-2.6.39.1/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-22 19:36:32.000000000 -0400
37932 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
37933 struct fc_rpsc_speed_info_s speeds;
37934 struct bfa_port_attr_s pport_attr;
37935
37936 + pax_track_stack();
37937 +
37938 bfa_trc(port->fcs, rx_fchs->s_id);
37939 bfa_trc(port->fcs, rx_fchs->d_id);
37940
37941 diff -urNp linux-2.6.39.1/drivers/scsi/bfa/bfa_modules.h linux-2.6.39.1/drivers/scsi/bfa/bfa_modules.h
37942 --- linux-2.6.39.1/drivers/scsi/bfa/bfa_modules.h 2011-05-19 00:06:34.000000000 -0400
37943 +++ linux-2.6.39.1/drivers/scsi/bfa/bfa_modules.h 2011-05-22 19:36:32.000000000 -0400
37944 @@ -68,8 +68,8 @@ enum {
37945 static void bfa_ ## __mod ## _stop(struct bfa_s *bfa); \
37946 static void bfa_ ## __mod ## _iocdisable(struct bfa_s *bfa); \
37947 \
37948 - extern struct bfa_module_s hal_mod_ ## __mod; \
37949 - struct bfa_module_s hal_mod_ ## __mod = { \
37950 + extern const struct bfa_module_s hal_mod_ ## __mod; \
37951 + const struct bfa_module_s hal_mod_ ## __mod = { \
37952 bfa_ ## __mod ## _meminfo, \
37953 bfa_ ## __mod ## _attach, \
37954 bfa_ ## __mod ## _detach, \
37955 @@ -116,12 +116,12 @@ struct bfa_s {
37956 };
37957
37958 extern bfa_boolean_t bfa_auto_recover;
37959 -extern struct bfa_module_s hal_mod_sgpg;
37960 -extern struct bfa_module_s hal_mod_fcport;
37961 -extern struct bfa_module_s hal_mod_fcxp;
37962 -extern struct bfa_module_s hal_mod_lps;
37963 -extern struct bfa_module_s hal_mod_uf;
37964 -extern struct bfa_module_s hal_mod_rport;
37965 -extern struct bfa_module_s hal_mod_fcpim;
37966 +extern const struct bfa_module_s hal_mod_sgpg;
37967 +extern const struct bfa_module_s hal_mod_fcport;
37968 +extern const struct bfa_module_s hal_mod_fcxp;
37969 +extern const struct bfa_module_s hal_mod_lps;
37970 +extern const struct bfa_module_s hal_mod_uf;
37971 +extern const struct bfa_module_s hal_mod_rport;
37972 +extern const struct bfa_module_s hal_mod_fcpim;
37973
37974 #endif /* __BFA_MODULES_H__ */
37975 diff -urNp linux-2.6.39.1/drivers/scsi/BusLogic.c linux-2.6.39.1/drivers/scsi/BusLogic.c
37976 --- linux-2.6.39.1/drivers/scsi/BusLogic.c 2011-05-19 00:06:34.000000000 -0400
37977 +++ linux-2.6.39.1/drivers/scsi/BusLogic.c 2011-05-22 19:36:32.000000000 -0400
37978 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
37979 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
37980 *PrototypeHostAdapter)
37981 {
37982 + pax_track_stack();
37983 +
37984 /*
37985 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
37986 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
37987 diff -urNp linux-2.6.39.1/drivers/scsi/dpt_i2o.c linux-2.6.39.1/drivers/scsi/dpt_i2o.c
37988 --- linux-2.6.39.1/drivers/scsi/dpt_i2o.c 2011-05-19 00:06:34.000000000 -0400
37989 +++ linux-2.6.39.1/drivers/scsi/dpt_i2o.c 2011-05-22 19:36:32.000000000 -0400
37990 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
37991 dma_addr_t addr;
37992 ulong flags = 0;
37993
37994 + pax_track_stack();
37995 +
37996 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
37997 // get user msg size in u32s
37998 if(get_user(size, &user_msg[0])){
37999 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38000 s32 rcode;
38001 dma_addr_t addr;
38002
38003 + pax_track_stack();
38004 +
38005 memset(msg, 0 , sizeof(msg));
38006 len = scsi_bufflen(cmd);
38007 direction = 0x00000000;
38008 diff -urNp linux-2.6.39.1/drivers/scsi/eata.c linux-2.6.39.1/drivers/scsi/eata.c
38009 --- linux-2.6.39.1/drivers/scsi/eata.c 2011-05-19 00:06:34.000000000 -0400
38010 +++ linux-2.6.39.1/drivers/scsi/eata.c 2011-05-22 19:36:32.000000000 -0400
38011 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38012 struct hostdata *ha;
38013 char name[16];
38014
38015 + pax_track_stack();
38016 +
38017 sprintf(name, "%s%d", driver_name, j);
38018
38019 if (!request_region(port_base, REGION_SIZE, driver_name)) {
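Review bot: The `sprintf(name, "%s%d", driver_name, j);` directly below the added call writes into the 16-byte `name` array with no bound. Whether it can overrun depends on the length of `driver_name` and the range of `j`, neither of which is visible in this hunk. Since the patch already touches this spot, a bounded form costs nothing: `snprintf(name, sizeof(name), "%s%d", driver_name, j);`. The body of `port_detect` starts and ends outside the hunk.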
38020 diff -urNp linux-2.6.39.1/drivers/scsi/esp_scsi.c linux-2.6.39.1/drivers/scsi/esp_scsi.c
38021 --- linux-2.6.39.1/drivers/scsi/esp_scsi.c 2011-05-19 00:06:34.000000000 -0400
38022 +++ linux-2.6.39.1/drivers/scsi/esp_scsi.c 2011-05-22 19:36:32.000000000 -0400
38023 @@ -2680,7 +2680,7 @@ static void esp_set_width(struct scsi_ta
38024 tp->flags |= ESP_TGT_CHECK_NEGO;
38025 }
38026
38027 -static struct spi_function_template esp_transport_ops = {
38028 +static const struct spi_function_template esp_transport_ops = {
38029 .set_offset = esp_set_offset,
38030 .show_offset = 1,
38031 .set_period = esp_set_period,
38032 diff -urNp linux-2.6.39.1/drivers/scsi/fcoe/fcoe.c linux-2.6.39.1/drivers/scsi/fcoe/fcoe.c
38033 --- linux-2.6.39.1/drivers/scsi/fcoe/fcoe.c 2011-05-19 00:06:34.000000000 -0400
38034 +++ linux-2.6.39.1/drivers/scsi/fcoe/fcoe.c 2011-05-22 19:36:32.000000000 -0400
38035 @@ -138,7 +138,7 @@ static int fcoe_vport_disable(struct fc_
38036 static void fcoe_set_vport_symbolic_name(struct fc_vport *);
38037 static void fcoe_set_port_id(struct fc_lport *, u32, struct fc_frame *);
38038
38039 -static struct libfc_function_template fcoe_libfc_fcn_templ = {
38040 +static const struct libfc_function_template fcoe_libfc_fcn_templ = {
38041 .frame_send = fcoe_xmit,
38042 .ddp_setup = fcoe_ddp_setup,
38043 .ddp_done = fcoe_ddp_done,
38044 diff -urNp linux-2.6.39.1/drivers/scsi/fcoe/fcoe_ctlr.c linux-2.6.39.1/drivers/scsi/fcoe/fcoe_ctlr.c
38045 --- linux-2.6.39.1/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-19 00:06:34.000000000 -0400
38046 +++ linux-2.6.39.1/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-22 19:36:32.000000000 -0400
38047 @@ -1912,7 +1912,7 @@ static void fcoe_ctlr_vn_rport_callback(
38048 mutex_unlock(&fip->ctlr_mutex);
38049 }
38050
38051 -static struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38052 +static const struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38053 .event_callback = fcoe_ctlr_vn_rport_callback,
38054 };
38055
38056 @@ -2458,6 +2458,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
38057 } buf;
38058 int rc;
38059
38060 + pax_track_stack();
38061 +
38062 fiph = (struct fip_header *)skb->data;
38063 sub = fiph->fip_subcode;
38064
38065 diff -urNp linux-2.6.39.1/drivers/scsi/fnic/fnic_main.c linux-2.6.39.1/drivers/scsi/fnic/fnic_main.c
38066 --- linux-2.6.39.1/drivers/scsi/fnic/fnic_main.c 2011-05-19 00:06:34.000000000 -0400
38067 +++ linux-2.6.39.1/drivers/scsi/fnic/fnic_main.c 2011-05-22 19:36:32.000000000 -0400
38068 @@ -69,7 +69,7 @@ module_param(fnic_log_level, int, S_IRUG
38069 MODULE_PARM_DESC(fnic_log_level, "bit mask of fnic logging levels");
38070
38071
38072 -static struct libfc_function_template fnic_transport_template = {
38073 +static const struct libfc_function_template fnic_transport_template = {
38074 .frame_send = fnic_send,
38075 .lport_set_port_id = fnic_set_port_id,
38076 .fcp_abort_io = fnic_empty_scsi_cleanup,
38077 diff -urNp linux-2.6.39.1/drivers/scsi/gdth.c linux-2.6.39.1/drivers/scsi/gdth.c
38078 --- linux-2.6.39.1/drivers/scsi/gdth.c 2011-05-19 00:06:34.000000000 -0400
38079 +++ linux-2.6.39.1/drivers/scsi/gdth.c 2011-05-22 19:36:32.000000000 -0400
38080 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
38081 unsigned long flags;
38082 gdth_ha_str *ha;
38083
38084 + pax_track_stack();
38085 +
38086 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38087 return -EFAULT;
38088 ha = gdth_find_ha(ldrv.ionode);
38089 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
38090 gdth_ha_str *ha;
38091 int rval;
38092
38093 + pax_track_stack();
38094 +
38095 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38096 res.number >= MAX_HDRIVES)
38097 return -EFAULT;
38098 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
38099 gdth_ha_str *ha;
38100 int rval;
38101
38102 + pax_track_stack();
38103 +
38104 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38105 return -EFAULT;
38106 ha = gdth_find_ha(gen.ionode);
38107 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
38108 int i;
38109 gdth_cmd_str gdtcmd;
38110 char cmnd[MAX_COMMAND_SIZE];
38111 +
38112 + pax_track_stack();
38113 +
38114 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38115
38116 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38117 diff -urNp linux-2.6.39.1/drivers/scsi/gdth_proc.c linux-2.6.39.1/drivers/scsi/gdth_proc.c
38118 --- linux-2.6.39.1/drivers/scsi/gdth_proc.c 2011-05-19 00:06:34.000000000 -0400
38119 +++ linux-2.6.39.1/drivers/scsi/gdth_proc.c 2011-05-22 19:36:32.000000000 -0400
38120 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
38121 u64 paddr;
38122
38123 char cmnd[MAX_COMMAND_SIZE];
38124 +
38125 + pax_track_stack();
38126 +
38127 memset(cmnd, 0xff, 12);
38128 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38129
38130 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
38131 gdth_hget_str *phg;
38132 char cmnd[MAX_COMMAND_SIZE];
38133
38134 + pax_track_stack();
38135 +
38136 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38137 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38138 if (!gdtcmd || !estr)
38139 diff -urNp linux-2.6.39.1/drivers/scsi/hosts.c linux-2.6.39.1/drivers/scsi/hosts.c
38140 --- linux-2.6.39.1/drivers/scsi/hosts.c 2011-05-19 00:06:34.000000000 -0400
38141 +++ linux-2.6.39.1/drivers/scsi/hosts.c 2011-05-22 19:36:32.000000000 -0400
38142 @@ -42,7 +42,7 @@
38143 #include "scsi_logging.h"
38144
38145
38146 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38147 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38148
38149
38150 static void scsi_host_cls_release(struct device *dev)
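Review bot: Switching `scsi_host_next_hn` to `atomic_unchecked_t` exempts the counter from overflow detection, yet nothing explains why wrapping is acceptable. This applies to the declaration here and to the `atomic_inc_return_unchecked()` call in `scsi_host_alloc` (second hunk). The existing trailing comment could record the reason, e.g. `/* host_no for next new host; an ID counter, not a reference count, so wrap is tolerated */`. Whether a wrapped counter could hand out a `host_no` that is still in use cannot be answered from these hunks and is worth confirming.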
38151 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38152 * subtract one because we increment first then return, but we need to
38153 * know what the next host number was before increment
38154 */
38155 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38156 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38157 shost->dma_channel = 0xff;
38158
38159 /* These three are default values which can be overridden */
38160 diff -urNp linux-2.6.39.1/drivers/scsi/hpsa.h linux-2.6.39.1/drivers/scsi/hpsa.h
38161 --- linux-2.6.39.1/drivers/scsi/hpsa.h 2011-05-19 00:06:34.000000000 -0400
38162 +++ linux-2.6.39.1/drivers/scsi/hpsa.h 2011-05-22 19:36:32.000000000 -0400
38163 @@ -347,7 +347,7 @@ static struct access_method SA5_access =
38164 SA5_completed,
38165 };
38166
38167 -static struct access_method SA5_performant_access = {
38168 +static const struct access_method SA5_performant_access = {
38169 SA5_submit_command,
38170 SA5_performant_intr_mask,
38171 SA5_fifo_full,
38172 diff -urNp linux-2.6.39.1/drivers/scsi/hptiop.c linux-2.6.39.1/drivers/scsi/hptiop.c
38173 --- linux-2.6.39.1/drivers/scsi/hptiop.c 2011-05-19 00:06:34.000000000 -0400
38174 +++ linux-2.6.39.1/drivers/scsi/hptiop.c 2011-05-22 19:36:32.000000000 -0400
38175 @@ -1226,7 +1226,7 @@ static void hptiop_remove(struct pci_dev
38176 scsi_host_put(host);
38177 }
38178
38179 -static struct hptiop_adapter_ops hptiop_itl_ops = {
38180 +static const struct hptiop_adapter_ops hptiop_itl_ops = {
38181 .iop_wait_ready = iop_wait_ready_itl,
38182 .internal_memalloc = NULL,
38183 .internal_memfree = NULL,
38184 @@ -1241,7 +1241,7 @@ static struct hptiop_adapter_ops hptiop_
38185 .post_req = hptiop_post_req_itl,
38186 };
38187
38188 -static struct hptiop_adapter_ops hptiop_mv_ops = {
38189 +static const struct hptiop_adapter_ops hptiop_mv_ops = {
38190 .iop_wait_ready = iop_wait_ready_mv,
38191 .internal_memalloc = hptiop_internal_memalloc_mv,
38192 .internal_memfree = hptiop_internal_memfree_mv,
38193 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvfc.c linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvfc.c
38194 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-19 00:06:34.000000000 -0400
38195 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-22 19:36:32.000000000 -0400
38196 @@ -4881,7 +4881,7 @@ static struct vio_device_id ibmvfc_devic
38197 };
38198 MODULE_DEVICE_TABLE(vio, ibmvfc_device_table);
38199
38200 -static struct dev_pm_ops ibmvfc_pm_ops = {
38201 +static const struct dev_pm_ops ibmvfc_pm_ops = {
38202 .resume = ibmvfc_resume
38203 };
38204
38205 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.c linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.c
38206 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-19 00:06:34.000000000 -0400
38207 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-22 19:36:32.000000000 -0400
38208 @@ -104,7 +104,7 @@ static struct scsi_transport_template *i
38209
38210 #define IBMVSCSI_VERSION "1.5.9"
38211
38212 -static struct ibmvscsi_ops *ibmvscsi_ops;
38213 +static const struct ibmvscsi_ops *ibmvscsi_ops;
38214
38215 MODULE_DESCRIPTION("IBM Virtual SCSI");
38216 MODULE_AUTHOR("Dave Boutcher");
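Review bot: In `static const struct ibmvscsi_ops *ibmvscsi_ops;` the added `const` qualifies the pointed-to table only; the pointer variable itself stays writable. The two tables it can refer to, `iseriesvscsi_ops` and `rpavscsi_ops`, are made const elsewhere in this patch, so the remaining writable link is this pointer; where it is assigned is not visible in the hunk. A comment such as `/* selected once at module init (TODO confirm); pointee is read-only, the pointer is not */` would keep a reader from assuming more protection than the change gives. The same holds for the `instancet` member changed in megaraid_sas.h.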
38217 @@ -2059,7 +2059,7 @@ static struct vio_device_id ibmvscsi_dev
38218 };
38219 MODULE_DEVICE_TABLE(vio, ibmvscsi_device_table);
38220
38221 -static struct dev_pm_ops ibmvscsi_pm_ops = {
38222 +static const struct dev_pm_ops ibmvscsi_pm_ops = {
38223 .resume = ibmvscsi_resume
38224 };
38225
38226 @@ -2075,7 +2075,7 @@ static struct vio_driver ibmvscsi_driver
38227 }
38228 };
38229
38230 -static struct srp_function_template ibmvscsi_transport_functions = {
38231 +static const struct srp_function_template ibmvscsi_transport_functions = {
38232 };
38233
38234 int __init ibmvscsi_module_init(void)
38235 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.h linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.h
38236 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-19 00:06:34.000000000 -0400
38237 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-22 19:36:32.000000000 -0400
38238 @@ -127,7 +127,7 @@ struct ibmvscsi_ops {
38239 int (*resume) (struct ibmvscsi_host_data *hostdata);
38240 };
38241
38242 -extern struct ibmvscsi_ops iseriesvscsi_ops;
38243 -extern struct ibmvscsi_ops rpavscsi_ops;
38244 +extern const struct ibmvscsi_ops iseriesvscsi_ops;
38245 +extern const struct ibmvscsi_ops rpavscsi_ops;
38246
38247 #endif /* IBMVSCSI_H */
38248 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvstgt.c linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvstgt.c
38249 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-19 00:06:34.000000000 -0400
38250 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-22 19:36:32.000000000 -0400
38251 @@ -951,7 +951,7 @@ static int get_system_info(void)
38252 return 0;
38253 }
38254
38255 -static struct srp_function_template ibmvstgt_transport_functions = {
38256 +static const struct srp_function_template ibmvstgt_transport_functions = {
38257 .tsk_mgmt_response = ibmvstgt_tsk_mgmt_response,
38258 .it_nexus_response = ibmvstgt_it_nexus_response,
38259 };
38260 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/iseries_vscsi.c linux-2.6.39.1/drivers/scsi/ibmvscsi/iseries_vscsi.c
38261 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38262 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38263 @@ -163,7 +163,7 @@ static int iseriesvscsi_resume(struct ib
38264 return 0;
38265 }
38266
38267 -struct ibmvscsi_ops iseriesvscsi_ops = {
38268 +const struct ibmvscsi_ops iseriesvscsi_ops = {
38269 .init_crq_queue = iseriesvscsi_init_crq_queue,
38270 .release_crq_queue = iseriesvscsi_release_crq_queue,
38271 .reset_crq_queue = iseriesvscsi_reset_crq_queue,
38272 diff -urNp linux-2.6.39.1/drivers/scsi/ibmvscsi/rpa_vscsi.c linux-2.6.39.1/drivers/scsi/ibmvscsi/rpa_vscsi.c
38273 --- linux-2.6.39.1/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38274 +++ linux-2.6.39.1/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38275 @@ -358,7 +358,7 @@ static int rpavscsi_resume(struct ibmvsc
38276 return 0;
38277 }
38278
38279 -struct ibmvscsi_ops rpavscsi_ops = {
38280 +const struct ibmvscsi_ops rpavscsi_ops = {
38281 .init_crq_queue = rpavscsi_init_crq_queue,
38282 .release_crq_queue = rpavscsi_release_crq_queue,
38283 .reset_crq_queue = rpavscsi_reset_crq_queue,
38284 diff -urNp linux-2.6.39.1/drivers/scsi/ipr.c linux-2.6.39.1/drivers/scsi/ipr.c
38285 --- linux-2.6.39.1/drivers/scsi/ipr.c 2011-05-19 00:06:34.000000000 -0400
38286 +++ linux-2.6.39.1/drivers/scsi/ipr.c 2011-05-22 19:36:32.000000000 -0400
38287 @@ -6210,7 +6210,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38288 return true;
38289 }
38290
38291 -static struct ata_port_operations ipr_sata_ops = {
38292 +static const struct ata_port_operations ipr_sata_ops = {
38293 .phy_reset = ipr_ata_phy_reset,
38294 .hardreset = ipr_sata_reset,
38295 .post_internal_cmd = ipr_ata_post_internal,
38296 diff -urNp linux-2.6.39.1/drivers/scsi/libfc/fc_exch.c linux-2.6.39.1/drivers/scsi/libfc/fc_exch.c
38297 --- linux-2.6.39.1/drivers/scsi/libfc/fc_exch.c 2011-05-19 00:06:34.000000000 -0400
38298 +++ linux-2.6.39.1/drivers/scsi/libfc/fc_exch.c 2011-05-22 19:36:32.000000000 -0400
38299 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
38300 * all together if not used XXX
38301 */
38302 struct {
38303 - atomic_t no_free_exch;
38304 - atomic_t no_free_exch_xid;
38305 - atomic_t xid_not_found;
38306 - atomic_t xid_busy;
38307 - atomic_t seq_not_found;
38308 - atomic_t non_bls_resp;
38309 + atomic_unchecked_t no_free_exch;
38310 + atomic_unchecked_t no_free_exch_xid;
38311 + atomic_unchecked_t xid_not_found;
38312 + atomic_unchecked_t xid_busy;
38313 + atomic_unchecked_t seq_not_found;
38314 + atomic_unchecked_t non_bls_resp;
38315 } stats;
38316 };
38317
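Review bot: The six `stats` members of struct fc_exch_mgr become `atomic_unchecked_t` with no comment stating that they are statistics only. Every use touched in this file's later hunks is a bare increment on an error or lookup-failure path, which supports the exemption, but any readers of these fields are outside the visible hunks. I would add `/* statistics only; may wrap, never used for lifetime or indexing decisions */` above the inner struct, so that a later use of one of these values in a decision gets questioned in review. The struct definition starts above the hunk.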
38318 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
38319 /* allocate memory for exchange */
38320 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38321 if (!ep) {
38322 - atomic_inc(&mp->stats.no_free_exch);
38323 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38324 goto out;
38325 }
38326 memset(ep, 0, sizeof(*ep));
38327 @@ -761,7 +761,7 @@ out:
38328 return ep;
38329 err:
38330 spin_unlock_bh(&pool->lock);
38331 - atomic_inc(&mp->stats.no_free_exch_xid);
38332 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38333 mempool_free(ep, mp->ep_pool);
38334 return NULL;
38335 }
38336 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38337 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38338 ep = fc_exch_find(mp, xid);
38339 if (!ep) {
38340 - atomic_inc(&mp->stats.xid_not_found);
38341 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38342 reject = FC_RJT_OX_ID;
38343 goto out;
38344 }
38345 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38346 ep = fc_exch_find(mp, xid);
38347 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38348 if (ep) {
38349 - atomic_inc(&mp->stats.xid_busy);
38350 + atomic_inc_unchecked(&mp->stats.xid_busy);
38351 reject = FC_RJT_RX_ID;
38352 goto rel;
38353 }
38354 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38355 }
38356 xid = ep->xid; /* get our XID */
38357 } else if (!ep) {
38358 - atomic_inc(&mp->stats.xid_not_found);
38359 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38360 reject = FC_RJT_RX_ID; /* XID not found */
38361 goto out;
38362 }
38363 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38364 } else {
38365 sp = &ep->seq;
38366 if (sp->id != fh->fh_seq_id) {
38367 - atomic_inc(&mp->stats.seq_not_found);
38368 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38369 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38370 goto rel;
38371 }
38372 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
38373
38374 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38375 if (!ep) {
38376 - atomic_inc(&mp->stats.xid_not_found);
38377 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38378 goto out;
38379 }
38380 if (ep->esb_stat & ESB_ST_COMPLETE) {
38381 - atomic_inc(&mp->stats.xid_not_found);
38382 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38383 goto rel;
38384 }
38385 if (ep->rxid == FC_XID_UNKNOWN)
38386 ep->rxid = ntohs(fh->fh_rx_id);
38387 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38388 - atomic_inc(&mp->stats.xid_not_found);
38389 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38390 goto rel;
38391 }
38392 if (ep->did != ntoh24(fh->fh_s_id) &&
38393 ep->did != FC_FID_FLOGI) {
38394 - atomic_inc(&mp->stats.xid_not_found);
38395 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38396 goto rel;
38397 }
38398 sof = fr_sof(fp);
38399 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
38400 sp->ssb_stat |= SSB_ST_RESP;
38401 sp->id = fh->fh_seq_id;
38402 } else if (sp->id != fh->fh_seq_id) {
38403 - atomic_inc(&mp->stats.seq_not_found);
38404 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38405 goto rel;
38406 }
38407
38408 @@ -1479,9 +1479,9 @@ static void fc_exch_recv_resp(struct fc_
38409 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38410
38411 if (!sp)
38412 - atomic_inc(&mp->stats.xid_not_found);
38413 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38414 else
38415 - atomic_inc(&mp->stats.non_bls_resp);
38416 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38417
38418 fc_frame_free(fp);
38419 }
38420 diff -urNp linux-2.6.39.1/drivers/scsi/libfc/fc_lport.c linux-2.6.39.1/drivers/scsi/libfc/fc_lport.c
38421 --- linux-2.6.39.1/drivers/scsi/libfc/fc_lport.c 2011-05-19 00:06:34.000000000 -0400
38422 +++ linux-2.6.39.1/drivers/scsi/libfc/fc_lport.c 2011-05-22 19:36:32.000000000 -0400
38423 @@ -1299,7 +1299,7 @@ static void fc_lport_enter_ns(struct fc_
38424 fc_lport_error(lport, fp);
38425 }
38426
38427 -static struct fc_rport_operations fc_lport_rport_ops = {
38428 +static const struct fc_rport_operations fc_lport_rport_ops = {
38429 .event_callback = fc_lport_rport_callback,
38430 };
38431
38432 diff -urNp linux-2.6.39.1/drivers/scsi/libfc/fc_rport.c linux-2.6.39.1/drivers/scsi/libfc/fc_rport.c
38433 --- linux-2.6.39.1/drivers/scsi/libfc/fc_rport.c 2011-05-19 00:06:34.000000000 -0400
38434 +++ linux-2.6.39.1/drivers/scsi/libfc/fc_rport.c 2011-05-22 19:36:32.000000000 -0400
38435 @@ -256,7 +256,7 @@ static void fc_rport_work(struct work_st
38436 struct fc_rport_libfc_priv *rpriv;
38437 enum fc_rport_event event;
38438 struct fc_lport *lport = rdata->local_port;
38439 - struct fc_rport_operations *rport_ops;
38440 + const struct fc_rport_operations *rport_ops;
38441 struct fc_rport_identifiers ids;
38442 struct fc_rport *rport;
38443 struct fc4_prov *prov;
38444 diff -urNp linux-2.6.39.1/drivers/scsi/libsas/sas_ata.c linux-2.6.39.1/drivers/scsi/libsas/sas_ata.c
38445 --- linux-2.6.39.1/drivers/scsi/libsas/sas_ata.c 2011-05-19 00:06:34.000000000 -0400
38446 +++ linux-2.6.39.1/drivers/scsi/libsas/sas_ata.c 2011-05-22 19:36:32.000000000 -0400
38447 @@ -307,14 +307,14 @@ static void sas_ata_post_internal(struct
38448 }
38449 }
38450
38451 -static struct ata_port_operations sas_sata_ops = {
38452 +static const struct ata_port_operations sas_sata_ops = {
38453 .prereset = ata_std_prereset,
38454 .softreset = NULL,
38455 .hardreset = sas_ata_hard_reset,
38456 .postreset = ata_std_postreset,
38457 .error_handler = ata_std_error_handler,
38458 .post_internal_cmd = sas_ata_post_internal,
38459 - .qc_defer = ata_std_qc_defer,
38460 + .qc_defer = ata_std_qc_defer,
38461 .qc_prep = ata_noop_qc_prep,
38462 .qc_issue = sas_ata_qc_issue,
38463 .qc_fill_rtf = sas_ata_qc_fill_rtf,
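Review bot: The `.qc_defer` line in `sas_sata_ops` is removed and re-added with what appears to be a whitespace difference only, mixed into a hunk whose purpose is adding `const`. Whitespace churn in a hardening patch makes each rebase onto a new kernel harder to audit; I would drop that line pair and keep the hunk to the one-line `const` change. The ncr53c8xx.c hunk further down looks like the same thing in isolation: its removed and added `ncr53c8xx_transport_functions` lines read identically here and no `const` is added, unlike the sibling templates, so it is worth confirming whether a constification was intended there. The initializer continues past the end of the hunk.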
38464 diff -urNp linux-2.6.39.1/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.39.1/drivers/scsi/lpfc/lpfc_debugfs.c
38465 --- linux-2.6.39.1/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-19 00:06:34.000000000 -0400
38466 +++ linux-2.6.39.1/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-22 19:36:32.000000000 -0400
38467 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
38468
38469 #include <linux/debugfs.h>
38470
38471 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38472 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38473 static unsigned long lpfc_debugfs_start_time = 0L;
38474
38475 /* iDiag */
38476 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38477 lpfc_debugfs_enable = 0;
38478
38479 len = 0;
38480 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38481 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38482 (lpfc_debugfs_max_disc_trc - 1);
38483 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38484 dtp = vport->disc_trc + i;
38485 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38486 lpfc_debugfs_enable = 0;
38487
38488 len = 0;
38489 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38490 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38491 (lpfc_debugfs_max_slow_ring_trc - 1);
38492 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38493 dtp = phba->slow_ring_trc + i;
38494 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38495 uint32_t *ptr;
38496 char buffer[1024];
38497
38498 + pax_track_stack();
38499 +
38500 off = 0;
38501 spin_lock_irq(&phba->hbalock);
38502
38503 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38504 !vport || !vport->disc_trc)
38505 return;
38506
38507 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38508 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38509 (lpfc_debugfs_max_disc_trc - 1);
38510 dtp = vport->disc_trc + index;
38511 dtp->fmt = fmt;
38512 dtp->data1 = data1;
38513 dtp->data2 = data2;
38514 dtp->data3 = data3;
38515 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38516 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38517 dtp->jif = jiffies;
38518 #endif
38519 return;
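Review bot: In lpfc_debugfs_disc_trc the slot index is the unchecked counter masked with `lpfc_debugfs_max_disc_trc - 1`, and nothing near the changed line says that the bound depends on that size being a power of two. With the counter now explicitly allowed to wrap, the mask is the only thing keeping `vport->disc_trc + index` inside the buffer; the place where the size is validated is not in the hunk. I would add `/* ring index: relies on lpfc_debugfs_max_disc_trc being a power of two */` above the assignment. The same comment fits lpfc_debugfs_slow_ring_trc in the next hunk and the two `atomic_read_unchecked` index computations earlier in this file.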
38520 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38521 !phba || !phba->slow_ring_trc)
38522 return;
38523
38524 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38525 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38526 (lpfc_debugfs_max_slow_ring_trc - 1);
38527 dtp = phba->slow_ring_trc + index;
38528 dtp->fmt = fmt;
38529 dtp->data1 = data1;
38530 dtp->data2 = data2;
38531 dtp->data3 = data3;
38532 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38533 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38534 dtp->jif = jiffies;
38535 #endif
38536 return;
38537 @@ -2145,7 +2147,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38538 "slow_ring buffer\n");
38539 goto debug_failed;
38540 }
38541 - atomic_set(&phba->slow_ring_trc_cnt, 0);
38542 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38543 memset(phba->slow_ring_trc, 0,
38544 (sizeof(struct lpfc_debugfs_trc) *
38545 lpfc_debugfs_max_slow_ring_trc));
38546 @@ -2191,7 +2193,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38547 "buffer\n");
38548 goto debug_failed;
38549 }
38550 - atomic_set(&vport->disc_trc_cnt, 0);
38551 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38552
38553 snprintf(name, sizeof(name), "discovery_trace");
38554 vport->debug_disc_trc =
38555 diff -urNp linux-2.6.39.1/drivers/scsi/lpfc/lpfc.h linux-2.6.39.1/drivers/scsi/lpfc/lpfc.h
38556 --- linux-2.6.39.1/drivers/scsi/lpfc/lpfc.h 2011-05-19 00:06:34.000000000 -0400
38557 +++ linux-2.6.39.1/drivers/scsi/lpfc/lpfc.h 2011-05-22 19:36:32.000000000 -0400
38558 @@ -419,7 +419,7 @@ struct lpfc_vport {
38559 struct dentry *debug_nodelist;
38560 struct dentry *vport_debugfs_root;
38561 struct lpfc_debugfs_trc *disc_trc;
38562 - atomic_t disc_trc_cnt;
38563 + atomic_unchecked_t disc_trc_cnt;
38564 #endif
38565 uint8_t stat_data_enabled;
38566 uint8_t stat_data_blocked;
38567 @@ -785,8 +785,8 @@ struct lpfc_hba {
38568 struct timer_list fabric_block_timer;
38569 unsigned long bit_flags;
38570 #define FABRIC_COMANDS_BLOCKED 0
38571 - atomic_t num_rsrc_err;
38572 - atomic_t num_cmd_success;
38573 + atomic_unchecked_t num_rsrc_err;
38574 + atomic_unchecked_t num_cmd_success;
38575 unsigned long last_rsrc_error_time;
38576 unsigned long last_ramp_down_time;
38577 unsigned long last_ramp_up_time;
38578 @@ -800,7 +800,7 @@ struct lpfc_hba {
38579 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
38580 struct dentry *debug_slow_ring_trc;
38581 struct lpfc_debugfs_trc *slow_ring_trc;
38582 - atomic_t slow_ring_trc_cnt;
38583 + atomic_unchecked_t slow_ring_trc_cnt;
38584 /* iDiag debugfs sub-directory */
38585 struct dentry *idiag_root;
38586 struct dentry *idiag_pci_cfg;
38587 diff -urNp linux-2.6.39.1/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.39.1/drivers/scsi/lpfc/lpfc_scsi.c
38588 --- linux-2.6.39.1/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-19 00:06:34.000000000 -0400
38589 +++ linux-2.6.39.1/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-22 19:36:32.000000000 -0400
38590 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
38591 uint32_t evt_posted;
38592
38593 spin_lock_irqsave(&phba->hbalock, flags);
38594 - atomic_inc(&phba->num_rsrc_err);
38595 + atomic_inc_unchecked(&phba->num_rsrc_err);
38596 phba->last_rsrc_error_time = jiffies;
38597
38598 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
38599 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
38600 unsigned long flags;
38601 struct lpfc_hba *phba = vport->phba;
38602 uint32_t evt_posted;
38603 - atomic_inc(&phba->num_cmd_success);
38604 + atomic_inc_unchecked(&phba->num_cmd_success);
38605
38606 if (vport->cfg_lun_queue_depth <= queue_depth)
38607 return;
38608 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38609 unsigned long num_rsrc_err, num_cmd_success;
38610 int i;
38611
38612 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
38613 - num_cmd_success = atomic_read(&phba->num_cmd_success);
38614 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
38615 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
38616
38617 vports = lpfc_create_vport_work_array(phba);
38618 if (vports != NULL)
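Review bot: In lpfc_ramp_down_queue_handler the two counters are read into `unsigned long` locals, so a counter that had wrapped to a negative value would be widened to a very large number here (assuming the unchecked read returns a signed int, as atomic_read does). Unlike the pure statistics converted elsewhere in this patch, these values are consumed by the ramp-down logic that follows outside the hunk, so the exemption from overflow checking deserves a stated reason. Both handlers reset the counters to 0, as the next two hunks show, which bounds them in practice; I would say so at the reads with `/* reset by the ramp handlers; not expected to approach INT_MAX */`.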
38619 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38620 }
38621 }
38622 lpfc_destroy_vport_work_array(phba, vports);
38623 - atomic_set(&phba->num_rsrc_err, 0);
38624 - atomic_set(&phba->num_cmd_success, 0);
38625 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
38626 + atomic_set_unchecked(&phba->num_cmd_success, 0);
38627 }
38628
38629 /**
38630 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
38631 }
38632 }
38633 lpfc_destroy_vport_work_array(phba, vports);
38634 - atomic_set(&phba->num_rsrc_err, 0);
38635 - atomic_set(&phba->num_cmd_success, 0);
38636 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
38637 + atomic_set_unchecked(&phba->num_cmd_success, 0);
38638 }
38639
38640 /**
38641 diff -urNp linux-2.6.39.1/drivers/scsi/mac_esp.c linux-2.6.39.1/drivers/scsi/mac_esp.c
38642 --- linux-2.6.39.1/drivers/scsi/mac_esp.c 2011-05-19 00:06:34.000000000 -0400
38643 +++ linux-2.6.39.1/drivers/scsi/mac_esp.c 2011-05-22 19:36:32.000000000 -0400
38644 @@ -473,7 +473,7 @@ static irqreturn_t mac_scsi_esp_intr(int
38645 return IRQ_HANDLED;
38646 }
38647
38648 -static struct esp_driver_ops mac_esp_ops = {
38649 +static const struct esp_driver_ops mac_esp_ops = {
38650 .esp_write8 = mac_esp_write8,
38651 .esp_read8 = mac_esp_read8,
38652 .map_single = mac_esp_map_single,
38653 diff -urNp linux-2.6.39.1/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.39.1/drivers/scsi/megaraid/megaraid_mbox.c
38654 --- linux-2.6.39.1/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-19 00:06:34.000000000 -0400
38655 +++ linux-2.6.39.1/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-22 19:36:32.000000000 -0400
38656 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
38657 int rval;
38658 int i;
38659
38660 + pax_track_stack();
38661 +
38662 // Allocate memory for the base list of scb for management module.
38663 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
38664
38665 diff -urNp linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_base.c
38666 --- linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-19 00:06:34.000000000 -0400
38667 +++ linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-22 19:36:32.000000000 -0400
38668 @@ -366,7 +366,7 @@ megasas_check_reset_xscale(struct megasa
38669 return 0;
38670 }
38671
38672 -static struct megasas_instance_template megasas_instance_template_xscale = {
38673 +static const struct megasas_instance_template megasas_instance_template_xscale = {
38674
38675 .fire_cmd = megasas_fire_cmd_xscale,
38676 .enable_intr = megasas_enable_intr_xscale,
38677 @@ -497,7 +497,7 @@ megasas_check_reset_ppc(struct megasas_i
38678 {
38679 return 0;
38680 }
38681 -static struct megasas_instance_template megasas_instance_template_ppc = {
38682 +static const struct megasas_instance_template megasas_instance_template_ppc = {
38683
38684 .fire_cmd = megasas_fire_cmd_ppc,
38685 .enable_intr = megasas_enable_intr_ppc,
38686 @@ -623,7 +623,7 @@ megasas_check_reset_skinny(struct megasa
38687 return 0;
38688 }
38689
38690 -static struct megasas_instance_template megasas_instance_template_skinny = {
38691 +static const struct megasas_instance_template megasas_instance_template_skinny = {
38692
38693 .fire_cmd = megasas_fire_cmd_skinny,
38694 .enable_intr = megasas_enable_intr_skinny,
38695 @@ -810,7 +810,7 @@ megasas_check_reset_gen2(struct megasas_
38696 return 0;
38697 }
38698
38699 -static struct megasas_instance_template megasas_instance_template_gen2 = {
38700 +static const struct megasas_instance_template megasas_instance_template_gen2 = {
38701
38702 .fire_cmd = megasas_fire_cmd_gen2,
38703 .enable_intr = megasas_enable_intr_gen2,
38704 @@ -834,7 +834,7 @@ static struct megasas_instance_template
38705 /*
38706 * Template added for TB (Fusion)
38707 */
38708 -extern struct megasas_instance_template megasas_instance_template_fusion;
38709 +extern const struct megasas_instance_template megasas_instance_template_fusion;
38710
38711 /**
38712 * megasas_issue_polled - Issues a polling command
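Review bot: The `extern const struct megasas_instance_template megasas_instance_template_fusion;` declaration lives in this .c file, so its qualifier has to be kept in step by hand with the definition changed in megaraid_sas_fusion.c. If only one side had been updated, the compiler would not necessarily see both and report the mismatch (whether megaraid_sas_fusion.c sees a common declaration is not visible here). Moving the declaration into megaraid_sas.h, which this patch already touches, would let both files be checked against it.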
38713 diff -urNp linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_fusion.c linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_fusion.c
38714 --- linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-19 00:06:34.000000000 -0400
38715 +++ linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-22 19:36:32.000000000 -0400
38716 @@ -2236,7 +2236,7 @@ void megasas_fusion_ocr_wq(struct work_s
38717 megasas_reset_fusion(instance->host);
38718 }
38719
38720 -struct megasas_instance_template megasas_instance_template_fusion = {
38721 +const struct megasas_instance_template megasas_instance_template_fusion = {
38722 .fire_cmd = megasas_fire_cmd_fusion,
38723 .enable_intr = megasas_enable_intr_fusion,
38724 .disable_intr = megasas_disable_intr_fusion,
38725 diff -urNp linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas.h linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas.h
38726 --- linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas.h 2011-05-19 00:06:34.000000000 -0400
38727 +++ linux-2.6.39.1/drivers/scsi/megaraid/megaraid_sas.h 2011-05-22 19:36:32.000000000 -0400
38728 @@ -1330,7 +1330,7 @@ struct megasas_instance {
38729 atomic_t fw_outstanding;
38730 atomic_t fw_reset_no_pci_access;
38731
38732 - struct megasas_instance_template *instancet;
38733 + const struct megasas_instance_template *instancet;
38734 struct tasklet_struct isr_tasklet;
38735 struct work_struct work_init;
38736
38737 diff -urNp linux-2.6.39.1/drivers/scsi/ncr53c8xx.c linux-2.6.39.1/drivers/scsi/ncr53c8xx.c
38738 --- linux-2.6.39.1/drivers/scsi/ncr53c8xx.c 2011-05-19 00:06:34.000000000 -0400
38739 +++ linux-2.6.39.1/drivers/scsi/ncr53c8xx.c 2011-05-22 19:36:32.000000000 -0400
38740 @@ -8606,7 +8606,7 @@ static void ncr53c8xx_get_signalling(str
38741 spi_signalling(shost) = type;
38742 }
38743
38744 -static struct spi_function_template ncr53c8xx_transport_functions = {
38745 +static struct spi_function_template ncr53c8xx_transport_functions = {
38746 .set_period = ncr53c8xx_set_period,
38747 .show_period = 1,
38748 .set_offset = ncr53c8xx_set_offset,
38749 diff -urNp linux-2.6.39.1/drivers/scsi/osd/osd_initiator.c linux-2.6.39.1/drivers/scsi/osd/osd_initiator.c
38750 --- linux-2.6.39.1/drivers/scsi/osd/osd_initiator.c 2011-05-19 00:06:34.000000000 -0400
38751 +++ linux-2.6.39.1/drivers/scsi/osd/osd_initiator.c 2011-05-22 19:36:32.000000000 -0400
38752 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
38753 int nelem = ARRAY_SIZE(get_attrs), a = 0;
38754 int ret;
38755
38756 + pax_track_stack();
38757 +
38758 or = osd_start_request(od, GFP_KERNEL);
38759 if (!or)
38760 return -ENOMEM;
38761 diff -urNp linux-2.6.39.1/drivers/scsi/pmcraid.c linux-2.6.39.1/drivers/scsi/pmcraid.c
38762 --- linux-2.6.39.1/drivers/scsi/pmcraid.c 2011-05-19 00:06:34.000000000 -0400
38763 +++ linux-2.6.39.1/drivers/scsi/pmcraid.c 2011-05-22 19:36:32.000000000 -0400
38764 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
38765 res->scsi_dev = scsi_dev;
38766 scsi_dev->hostdata = res;
38767 res->change_detected = 0;
38768 - atomic_set(&res->read_failures, 0);
38769 - atomic_set(&res->write_failures, 0);
38770 + atomic_set_unchecked(&res->read_failures, 0);
38771 + atomic_set_unchecked(&res->write_failures, 0);
38772 rc = 0;
38773 }
38774 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
38775 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
38776
38777 /* If this was a SCSI read/write command keep count of errors */
38778 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
38779 - atomic_inc(&res->read_failures);
38780 + atomic_inc_unchecked(&res->read_failures);
38781 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
38782 - atomic_inc(&res->write_failures);
38783 + atomic_inc_unchecked(&res->write_failures);
38784
38785 if (!RES_IS_GSCSI(res->cfg_entry) &&
38786 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
38787 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
38788 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
38789 * hrrq_id assigned here in queuecommand
38790 */
38791 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
38792 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
38793 pinstance->num_hrrq;
38794 cmd->cmd_done = pmcraid_io_done;
38795
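Review bot: In pmcraid_queuecommand_lck `hrrq_id` is computed as the unchecked counter `% pinstance->num_hrrq`, and once the counter wraps the result is only guaranteed to lie in `[0, num_hrrq)` if `num_hrrq` has an unsigned type. Its declaration is not in the hunk; with a signed type, a negative counter value would give a negative remainder. Converting before the reduction makes the bound independent of that: `ioarcb->hrrq_id = (u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq;`. The identical expression in pmcraid_ioctl_passthrough in the next hunk needs the same treatment.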
38796 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
38797 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
38798 * hrrq_id assigned here in queuecommand
38799 */
38800 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
38801 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
38802 pinstance->num_hrrq;
38803
38804 if (request_size) {
38805 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
38806
38807 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
38808 /* add resources only after host is added into system */
38809 - if (!atomic_read(&pinstance->expose_resources))
38810 + if (!atomic_read_unchecked(&pinstance->expose_resources))
38811 return;
38812
38813 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
38814 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
38815 init_waitqueue_head(&pinstance->reset_wait_q);
38816
38817 atomic_set(&pinstance->outstanding_cmds, 0);
38818 - atomic_set(&pinstance->last_message_id, 0);
38819 - atomic_set(&pinstance->expose_resources, 0);
38820 + atomic_set_unchecked(&pinstance->last_message_id, 0);
38821 + atomic_set_unchecked(&pinstance->expose_resources, 0);
38822
38823 INIT_LIST_HEAD(&pinstance->free_res_q);
38824 INIT_LIST_HEAD(&pinstance->used_res_q);
38825 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
38826 /* Schedule worker thread to handle CCN and take care of adding and
38827 * removing devices to OS
38828 */
38829 - atomic_set(&pinstance->expose_resources, 1);
38830 + atomic_set_unchecked(&pinstance->expose_resources, 1);
38831 schedule_work(&pinstance->worker_q);
38832 return rc;
38833
38834 diff -urNp linux-2.6.39.1/drivers/scsi/pmcraid.h linux-2.6.39.1/drivers/scsi/pmcraid.h
38835 --- linux-2.6.39.1/drivers/scsi/pmcraid.h 2011-05-19 00:06:34.000000000 -0400
38836 +++ linux-2.6.39.1/drivers/scsi/pmcraid.h 2011-05-22 19:36:32.000000000 -0400
38837 @@ -750,7 +750,7 @@ struct pmcraid_instance {
38838 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
38839
38840 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
38841 - atomic_t last_message_id;
38842 + atomic_unchecked_t last_message_id;
38843
38844 /* configuration table */
38845 struct pmcraid_config_table *cfg_table;
38846 @@ -779,7 +779,7 @@ struct pmcraid_instance {
38847 atomic_t outstanding_cmds;
38848
38849 /* should add/delete resources to mid-layer now ?*/
38850 - atomic_t expose_resources;
38851 + atomic_unchecked_t expose_resources;
38852
38853
38854
38855 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
38856 struct pmcraid_config_table_entry_ext cfg_entry_ext;
38857 };
38858 struct scsi_device *scsi_dev; /* Link scsi_device structure */
38859 - atomic_t read_failures; /* count of failed READ commands */
38860 - atomic_t write_failures; /* count of failed WRITE commands */
38861 + atomic_unchecked_t read_failures; /* count of failed READ commands */
38862 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
38863
38864 /* To indicate add/delete/modify during CCN */
38865 u8 change_detected;
38866 diff -urNp linux-2.6.39.1/drivers/scsi/qla2xxx/qla_os.c linux-2.6.39.1/drivers/scsi/qla2xxx/qla_os.c
38867 --- linux-2.6.39.1/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:04:14.000000000 -0400
38868 +++ linux-2.6.39.1/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:32:06.000000000 -0400
38869 @@ -4103,7 +4103,7 @@ static struct pci_driver qla2xxx_pci_dri
38870 .err_handler = &qla2xxx_err_handler,
38871 };
38872
38873 -static struct file_operations apidev_fops = {
38874 +static const struct file_operations apidev_fops = {
38875 .owner = THIS_MODULE,
38876 .llseek = noop_llseek,
38877 };
38878 diff -urNp linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_def.h
38879 --- linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_def.h 2011-05-19 00:06:34.000000000 -0400
38880 +++ linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_def.h 2011-05-22 19:36:32.000000000 -0400
38881 @@ -256,7 +256,7 @@ struct ddb_entry {
38882 atomic_t retry_relogin_timer; /* Min Time between relogins
38883 * (4000 only) */
38884 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
38885 - atomic_t relogin_retry_count; /* Num of times relogin has been
38886 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
38887 * retried */
38888
38889 uint16_t port;
38890 diff -urNp linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_init.c
38891 --- linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_init.c 2011-05-19 00:06:34.000000000 -0400
38892 +++ linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_init.c 2011-05-22 19:36:32.000000000 -0400
38893 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
38894 ddb_entry->fw_ddb_index = fw_ddb_index;
38895 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
38896 atomic_set(&ddb_entry->relogin_timer, 0);
38897 - atomic_set(&ddb_entry->relogin_retry_count, 0);
38898 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
38899 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
38900 list_add_tail(&ddb_entry->list, &ha->ddb_list);
38901 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
38902 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
38903 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
38904 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
38905 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
38906 - atomic_set(&ddb_entry->relogin_retry_count, 0);
38907 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
38908 atomic_set(&ddb_entry->relogin_timer, 0);
38909 clear_bit(DF_RELOGIN, &ddb_entry->flags);
38910 iscsi_unblock_session(ddb_entry->sess);
38911 diff -urNp linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_os.c
38912 --- linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_os.c 2011-05-19 00:06:34.000000000 -0400
38913 +++ linux-2.6.39.1/drivers/scsi/qla4xxx/ql4_os.c 2011-05-22 19:36:32.000000000 -0400
38914 @@ -802,13 +802,13 @@ static void qla4xxx_timer(struct scsi_ql
38915 ddb_entry->fw_ddb_device_state ==
38916 DDB_DS_SESSION_FAILED) {
38917 /* Reset retry relogin timer */
38918 - atomic_inc(&ddb_entry->relogin_retry_count);
38919 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
38920 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
38921 " timed out-retrying"
38922 " relogin (%d)\n",
38923 ha->host_no,
38924 ddb_entry->fw_ddb_index,
38925 - atomic_read(&ddb_entry->
38926 + atomic_read_unchecked(&ddb_entry->
38927 relogin_retry_count))
38928 );
38929 start_dpc++;
38930 diff -urNp linux-2.6.39.1/drivers/scsi/scsi.c linux-2.6.39.1/drivers/scsi/scsi.c
38931 --- linux-2.6.39.1/drivers/scsi/scsi.c 2011-05-19 00:06:34.000000000 -0400
38932 +++ linux-2.6.39.1/drivers/scsi/scsi.c 2011-05-22 19:36:32.000000000 -0400
38933 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
38934 unsigned long timeout;
38935 int rtn = 0;
38936
38937 - atomic_inc(&cmd->device->iorequest_cnt);
38938 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
38939
38940 /* check if the device is still usable */
38941 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
38942 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_debug.c linux-2.6.39.1/drivers/scsi/scsi_debug.c
38943 --- linux-2.6.39.1/drivers/scsi/scsi_debug.c 2011-05-19 00:06:34.000000000 -0400
38944 +++ linux-2.6.39.1/drivers/scsi/scsi_debug.c 2011-05-22 19:36:32.000000000 -0400
38945 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
38946 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
38947 unsigned char *cmd = (unsigned char *)scp->cmnd;
38948
38949 + pax_track_stack();
38950 +
38951 if ((errsts = check_readiness(scp, 1, devip)))
38952 return errsts;
38953 memset(arr, 0, sizeof(arr));
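Review bot: The added `pax_track_stack();` in resp_mode_select carries no comment saying why this function needs it, so a later maintainer cannot tell when it may be dropped or where else it belongs. Judging from the visible declarations, the reason is presumably the large on-stack buffer `arr[SDEBUG_MAX_MSELECT_SZ]`. A one-line comment above the call would record that, for example `/* large on-stack buffer: let PaX record the stack depth reached here */`. The same applies to the calls added in resp_log_sense, sym2_probe and pvscsi_setup_all_rings. All four function bodies continue outside their hunks.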
38954 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
38955 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
38956 unsigned char *cmd = (unsigned char *)scp->cmnd;
38957
38958 + pax_track_stack();
38959 +
38960 if ((errsts = check_readiness(scp, 1, devip)))
38961 return errsts;
38962 memset(arr, 0, sizeof(arr));
38963 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_lib.c linux-2.6.39.1/drivers/scsi/scsi_lib.c
38964 --- linux-2.6.39.1/drivers/scsi/scsi_lib.c 2011-05-19 00:06:34.000000000 -0400
38965 +++ linux-2.6.39.1/drivers/scsi/scsi_lib.c 2011-05-22 19:36:32.000000000 -0400
38966 @@ -1410,7 +1410,7 @@ static void scsi_kill_request(struct req
38967 shost = sdev->host;
38968 scsi_init_cmd_errh(cmd);
38969 cmd->result = DID_NO_CONNECT << 16;
38970 - atomic_inc(&cmd->device->iorequest_cnt);
38971 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
38972
38973 /*
38974 * SCSI request completion path will do scsi_device_unbusy(),
38975 @@ -1436,9 +1436,9 @@ static void scsi_softirq_done(struct req
38976
38977 INIT_LIST_HEAD(&cmd->eh_entry);
38978
38979 - atomic_inc(&cmd->device->iodone_cnt);
38980 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
38981 if (cmd->result)
38982 - atomic_inc(&cmd->device->ioerr_cnt);
38983 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
38984
38985 disposition = scsi_decide_disposition(cmd);
38986 if (disposition != SUCCESS &&
38987 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_sysfs.c linux-2.6.39.1/drivers/scsi/scsi_sysfs.c
38988 --- linux-2.6.39.1/drivers/scsi/scsi_sysfs.c 2011-05-19 00:06:34.000000000 -0400
38989 +++ linux-2.6.39.1/drivers/scsi/scsi_sysfs.c 2011-05-22 19:36:32.000000000 -0400
38990 @@ -621,7 +621,7 @@ show_iostat_##field(struct device *dev,
38991 char *buf) \
38992 { \
38993 struct scsi_device *sdev = to_scsi_device(dev); \
38994 - unsigned long long count = atomic_read(&sdev->field); \
38995 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
38996 return snprintf(buf, 20, "0x%llx\n", count); \
38997 } \
38998 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
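Review bot: In show_iostat_##field the counter is widened straight into `unsigned long long`, so if atomic_read_unchecked() returns a signed int as atomic_read() does, a wrapped counter is sign-extended. Wrapping is now explicitly permitted for iorequest_cnt, iodone_cnt and ioerr_cnt by the scsi.c and scsi_lib.c hunks of this patch. Once the value passes INT_MAX, sysfs would print `0xffffffff…` instead of the 32-bit count. Narrowing first keeps the output stable: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The macro starts above the hunk.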
38999 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_transport_fc.c linux-2.6.39.1/drivers/scsi/scsi_transport_fc.c
39000 --- linux-2.6.39.1/drivers/scsi/scsi_transport_fc.c 2011-05-19 00:06:34.000000000 -0400
39001 +++ linux-2.6.39.1/drivers/scsi/scsi_transport_fc.c 2011-05-22 19:36:32.000000000 -0400
39002 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
39003 * Netlink Infrastructure
39004 */
39005
39006 -static atomic_t fc_event_seq;
39007 +static atomic_unchecked_t fc_event_seq;
39008
39009 /**
39010 * fc_get_event_number - Obtain the next sequential FC event number
39011 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
39012 u32
39013 fc_get_event_number(void)
39014 {
39015 - return atomic_add_return(1, &fc_event_seq);
39016 + return atomic_add_return_unchecked(1, &fc_event_seq);
39017 }
39018 EXPORT_SYMBOL(fc_get_event_number);
39019
39020 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
39021 {
39022 int error;
39023
39024 - atomic_set(&fc_event_seq, 0);
39025 + atomic_set_unchecked(&fc_event_seq, 0);
39026
39027 error = transport_class_register(&fc_host_class);
39028 if (error)
39029 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
39030 char *cp;
39031
39032 *val = simple_strtoul(buf, &cp, 0);
39033 - if ((*cp && (*cp != '\n')) || (*val < 0))
39034 + if (*cp && (*cp != '\n'))
39035 return -EINVAL;
39036 /*
39037 * Check for overflow; dev_loss_tmo is u32
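Review bot: With the always-false `*val < 0` test removed, nothing in the visible lines of fc_str_to_dev_loss rejects input that contains no digits. simple_strtoul() then returns 0 and leaves `cp` at `buf`, so an empty or newline-only sysfs write is accepted as a timeout of 0. Adding the no-conversion case to the guard closes that: `if (cp == buf || (*cp && (*cp != '\n')))`. The overflow check and the rest of the function lie outside the hunk, so whether 0 is filtered later cannot be confirmed from here.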
39038 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_transport_iscsi.c linux-2.6.39.1/drivers/scsi/scsi_transport_iscsi.c
39039 --- linux-2.6.39.1/drivers/scsi/scsi_transport_iscsi.c 2011-05-19 00:06:34.000000000 -0400
39040 +++ linux-2.6.39.1/drivers/scsi/scsi_transport_iscsi.c 2011-05-22 19:36:32.000000000 -0400
39041 @@ -83,7 +83,7 @@ struct iscsi_internal {
39042 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39043 };
39044
39045 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39046 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39047 static struct workqueue_struct *iscsi_eh_timer_workq;
39048
39049 /*
39050 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
39051 int err;
39052
39053 ihost = shost->shost_data;
39054 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39055 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39056
39057 if (id == ISCSI_MAX_TARGET) {
39058 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
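Review bot: `session->sid` is now taken from a counter that is allowed to wrap silently, and the declaration hunk above describes it as the sysfs session id, so a wrapped value would repeat an id that may still belong to a live session. If uniqueness among live sessions is required, a bare counter is not enough and an id allocator would be the safer choice. If repeats are acceptable, that should be stated at the assignment, for example `/* sid may repeat after the counter wraps; not a refcount, so overflow is not trapped */`. The srp_rport_add hunk in scsi_transport_srp.c has the same shape: `id` goes into `dev_set_name(&rport->dev, "port-%d:%d", ...)`, where a wrapped value would presumably print as a negative number. Both functions continue outside their hunks.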
39059 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
39060 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39061 ISCSI_TRANSPORT_VERSION);
39062
39063 - atomic_set(&iscsi_session_nr, 0);
39064 + atomic_set_unchecked(&iscsi_session_nr, 0);
39065
39066 err = class_register(&iscsi_transport_class);
39067 if (err)
39068 diff -urNp linux-2.6.39.1/drivers/scsi/scsi_transport_srp.c linux-2.6.39.1/drivers/scsi/scsi_transport_srp.c
39069 --- linux-2.6.39.1/drivers/scsi/scsi_transport_srp.c 2011-05-19 00:06:34.000000000 -0400
39070 +++ linux-2.6.39.1/drivers/scsi/scsi_transport_srp.c 2011-05-22 19:36:32.000000000 -0400
39071 @@ -33,7 +33,7 @@
39072 #include "scsi_transport_srp_internal.h"
39073
39074 struct srp_host_attrs {
39075 - atomic_t next_port_id;
39076 + atomic_unchecked_t next_port_id;
39077 };
39078 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39079
39080 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39081 struct Scsi_Host *shost = dev_to_shost(dev);
39082 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39083
39084 - atomic_set(&srp_host->next_port_id, 0);
39085 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39086 return 0;
39087 }
39088
39089 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39090 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39091 rport->roles = ids->roles;
39092
39093 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39094 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39095 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39096
39097 transport_setup_device(&rport->dev);
39098 diff -urNp linux-2.6.39.1/drivers/scsi/sg.c linux-2.6.39.1/drivers/scsi/sg.c
39099 --- linux-2.6.39.1/drivers/scsi/sg.c 2011-05-19 00:06:34.000000000 -0400
39100 +++ linux-2.6.39.1/drivers/scsi/sg.c 2011-05-22 19:36:32.000000000 -0400
39101 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
39102 const struct file_operations * fops;
39103 };
39104
39105 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39106 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39107 {"allow_dio", &adio_fops},
39108 {"debug", &debug_fops},
39109 {"def_reserved_size", &dressz_fops},
39110 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
39111 {
39112 int k, mask;
39113 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39114 - struct sg_proc_leaf * leaf;
39115 + const struct sg_proc_leaf * leaf;
39116
39117 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39118 if (!sg_proc_sgp)
39119 diff -urNp linux-2.6.39.1/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.39.1/drivers/scsi/sym53c8xx_2/sym_glue.c
39120 --- linux-2.6.39.1/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-19 00:06:34.000000000 -0400
39121 +++ linux-2.6.39.1/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-22 19:36:32.000000000 -0400
39122 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
39123 int do_iounmap = 0;
39124 int do_disable_device = 1;
39125
39126 + pax_track_stack();
39127 +
39128 memset(&sym_dev, 0, sizeof(sym_dev));
39129 memset(&nvram, 0, sizeof(nvram));
39130 sym_dev.pdev = pdev;
39131 diff -urNp linux-2.6.39.1/drivers/scsi/vmw_pvscsi.c linux-2.6.39.1/drivers/scsi/vmw_pvscsi.c
39132 --- linux-2.6.39.1/drivers/scsi/vmw_pvscsi.c 2011-05-19 00:06:34.000000000 -0400
39133 +++ linux-2.6.39.1/drivers/scsi/vmw_pvscsi.c 2011-05-22 19:36:32.000000000 -0400
39134 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
39135 dma_addr_t base;
39136 unsigned i;
39137
39138 + pax_track_stack();
39139 +
39140 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
39141 cmd.reqRingNumPages = adapter->req_pages;
39142 cmd.cmpRingNumPages = adapter->cmp_pages;
39143 diff -urNp linux-2.6.39.1/drivers/sh/clk/cpg.c linux-2.6.39.1/drivers/sh/clk/cpg.c
39144 --- linux-2.6.39.1/drivers/sh/clk/cpg.c 2011-06-03 00:04:14.000000000 -0400
39145 +++ linux-2.6.39.1/drivers/sh/clk/cpg.c 2011-06-03 00:32:06.000000000 -0400
39146 @@ -26,7 +26,7 @@ static void sh_clk_mstp32_disable(struct
39147 clk->enable_reg);
39148 }
39149
39150 -static struct clk_ops sh_clk_mstp32_clk_ops = {
39151 +static const struct clk_ops sh_clk_mstp32_clk_ops = {
39152 .enable = sh_clk_mstp32_enable,
39153 .disable = sh_clk_mstp32_disable,
39154 .recalc = followparent_recalc,
39155 @@ -150,7 +150,7 @@ static void sh_clk_div6_disable(struct c
39156 __raw_writel(value, clk->enable_reg);
39157 }
39158
39159 -static struct clk_ops sh_clk_div6_clk_ops = {
39160 +static const struct clk_ops sh_clk_div6_clk_ops = {
39161 .recalc = sh_clk_div6_recalc,
39162 .round_rate = sh_clk_div_round_rate,
39163 .set_rate = sh_clk_div6_set_rate,
39164 @@ -158,7 +158,7 @@ static struct clk_ops sh_clk_div6_clk_op
39165 .disable = sh_clk_div6_disable,
39166 };
39167
39168 -static struct clk_ops sh_clk_div6_reparent_clk_ops = {
39169 +static const struct clk_ops sh_clk_div6_reparent_clk_ops = {
39170 .recalc = sh_clk_div6_recalc,
39171 .round_rate = sh_clk_div_round_rate,
39172 .set_rate = sh_clk_div6_set_rate,
39173 @@ -282,13 +282,13 @@ static void sh_clk_div4_disable(struct c
39174 __raw_writel(__raw_readl(clk->enable_reg) | (1 << 8), clk->enable_reg);
39175 }
39176
39177 -static struct clk_ops sh_clk_div4_clk_ops = {
39178 +static const struct clk_ops sh_clk_div4_clk_ops = {
39179 .recalc = sh_clk_div4_recalc,
39180 .set_rate = sh_clk_div4_set_rate,
39181 .round_rate = sh_clk_div_round_rate,
39182 };
39183
39184 -static struct clk_ops sh_clk_div4_enable_clk_ops = {
39185 +static const struct clk_ops sh_clk_div4_enable_clk_ops = {
39186 .recalc = sh_clk_div4_recalc,
39187 .set_rate = sh_clk_div4_set_rate,
39188 .round_rate = sh_clk_div_round_rate,
39189 @@ -296,7 +296,7 @@ static struct clk_ops sh_clk_div4_enable
39190 .disable = sh_clk_div4_disable,
39191 };
39192
39193 -static struct clk_ops sh_clk_div4_reparent_clk_ops = {
39194 +static const struct clk_ops sh_clk_div4_reparent_clk_ops = {
39195 .recalc = sh_clk_div4_recalc,
39196 .set_rate = sh_clk_div4_set_rate,
39197 .round_rate = sh_clk_div_round_rate,
39198 diff -urNp linux-2.6.39.1/drivers/spi/dw_spi.h linux-2.6.39.1/drivers/spi/dw_spi.h
39199 --- linux-2.6.39.1/drivers/spi/dw_spi.h 2011-05-19 00:06:34.000000000 -0400
39200 +++ linux-2.6.39.1/drivers/spi/dw_spi.h 2011-05-22 19:36:32.000000000 -0400
39201 @@ -151,7 +151,7 @@ struct dw_spi {
39202 int dma_chan_done;
39203 struct device *dma_dev;
39204 dma_addr_t dma_addr; /* phy address of the Data register */
39205 - struct dw_spi_dma_ops *dma_ops;
39206 + const struct dw_spi_dma_ops *dma_ops;
39207 void *dma_priv; /* platform relate info */
39208 struct pci_dev *dmac;
39209
39210 diff -urNp linux-2.6.39.1/drivers/spi/dw_spi_mid.c linux-2.6.39.1/drivers/spi/dw_spi_mid.c
39211 --- linux-2.6.39.1/drivers/spi/dw_spi_mid.c 2011-05-19 00:06:34.000000000 -0400
39212 +++ linux-2.6.39.1/drivers/spi/dw_spi_mid.c 2011-05-22 19:36:32.000000000 -0400
39213 @@ -180,7 +180,7 @@ static int mid_spi_dma_transfer(struct d
39214 return 0;
39215 }
39216
39217 -static struct dw_spi_dma_ops mid_dma_ops = {
39218 +static const struct dw_spi_dma_ops mid_dma_ops = {
39219 .dma_init = mid_spi_dma_init,
39220 .dma_exit = mid_spi_dma_exit,
39221 .dma_transfer = mid_spi_dma_transfer,
39222 diff -urNp linux-2.6.39.1/drivers/spi/spi.c linux-2.6.39.1/drivers/spi/spi.c
39223 --- linux-2.6.39.1/drivers/spi/spi.c 2011-05-19 00:06:34.000000000 -0400
39224 +++ linux-2.6.39.1/drivers/spi/spi.c 2011-05-22 19:36:32.000000000 -0400
39225 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
39226 EXPORT_SYMBOL_GPL(spi_bus_unlock);
39227
39228 /* portable code must never pass more than 32 bytes */
39229 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39230 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39231
39232 static u8 *buf;
39233
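Review bot: `max(32U,SMP_CACHE_BYTES)` only satisfies the kernel's type-checking max() when SMP_CACHE_BYTES is itself unsigned int on the architecture being built. Its definition is not in this hunk and is presumably per-architecture, so the literal's suffix may fix one configuration and warn on another. Naming the comparison type once avoids depending on that: `#define SPI_BUFSIZ max_t(unsigned int, 32, SMP_CACHE_BYTES)`.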
39234 diff -urNp linux-2.6.39.1/drivers/ssb/driver_pcicore.c linux-2.6.39.1/drivers/ssb/driver_pcicore.c
39235 --- linux-2.6.39.1/drivers/ssb/driver_pcicore.c 2011-05-19 00:06:34.000000000 -0400
39236 +++ linux-2.6.39.1/drivers/ssb/driver_pcicore.c 2011-05-22 19:36:32.000000000 -0400
39237 @@ -223,7 +223,7 @@ static int ssb_pcicore_write_config(stru
39238 return err ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
39239 }
39240
39241 -static struct pci_ops ssb_pcicore_pciops = {
39242 +static const struct pci_ops ssb_pcicore_pciops = {
39243 .read = ssb_pcicore_read_config,
39244 .write = ssb_pcicore_write_config,
39245 };
39246 diff -urNp linux-2.6.39.1/drivers/staging/ath6kl/os/linux/cfg80211.c linux-2.6.39.1/drivers/staging/ath6kl/os/linux/cfg80211.c
39247 --- linux-2.6.39.1/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39248 +++ linux-2.6.39.1/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39249 @@ -1391,8 +1391,7 @@ u32 cipher_suites[] = {
39250 WLAN_CIPHER_SUITE_CCMP,
39251 };
39252
39253 -static struct
39254 -cfg80211_ops ar6k_cfg80211_ops = {
39255 +static const struct cfg80211_ops ar6k_cfg80211_ops = {
39256 .change_virtual_intf = ar6k_cfg80211_change_iface,
39257 .add_virtual_intf = ar6k_cfg80211_add_virtual_intf,
39258 .del_virtual_intf = ar6k_cfg80211_del_virtual_intf,
39259 diff -urNp linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
39260 --- linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-19 00:06:34.000000000 -0400
39261 +++ linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-22 19:36:32.000000000 -0400
39262 @@ -857,14 +857,14 @@ static void dhd_op_if(dhd_if_t *ifp)
39263 free_netdev(ifp->net);
39264 }
39265 /* Allocate etherdev, including space for private structure */
39266 - ifp->net = alloc_etherdev(sizeof(dhd));
39267 + ifp->net = alloc_etherdev(sizeof(*dhd));
39268 if (!ifp->net) {
39269 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39270 ret = -ENOMEM;
39271 }
39272 if (ret == 0) {
39273 strcpy(ifp->net->name, ifp->name);
39274 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
39275 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
39276 err = dhd_net_attach(&dhd->pub, ifp->idx);
39277 if (err != 0) {
39278 DHD_ERROR(("%s: dhd_net_attach failed, "
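Review bot: After this change the netdev private area in dhd_op_if holds a byte copy of `*dhd` rather than the pointer, yet the very next statement still works on the original through `dhd_net_attach(&dhd->pub, ifp->idx)`. The two copies will therefore diverge as soon as either is modified. Any accessor elsewhere in the file that still reads the private area as a stored pointer (not visible in these hunks) would then treat the first bytes of the structure as a kernel address. If the old `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));` was deliberately storing the pointer, it should be kept and commented as such. Otherwise every reader of netdev_priv() has to be converted in the same patch and the separate allocation retired. The three dhd_attach hunks below make the same change, at `alloc_etherdev(sizeof(*dhd))` and at both `memcpy(netdev_priv(net), dhd, sizeof(*dhd));` lines.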
39279 @@ -1500,7 +1500,7 @@ static void dhd_ethtool_get_drvinfo(stru
39280 sprintf(info->bus_info, "%s", dev_name(&wl_cfg80211_get_sdio_func()->dev));
39281 }
39282
39283 -struct ethtool_ops dhd_ethtool_ops = {
39284 +const struct ethtool_ops dhd_ethtool_ops = {
39285 .get_drvinfo = dhd_ethtool_get_drvinfo
39286 };
39287
39288 @@ -1923,7 +1923,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39289 strcpy(nv_path, nvram_path);
39290
39291 /* Allocate etherdev, including space for private structure */
39292 - net = alloc_etherdev(sizeof(dhd));
39293 + net = alloc_etherdev(sizeof(*dhd));
39294 if (!net) {
39295 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39296 goto fail;
39297 @@ -1939,7 +1939,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39298 /*
39299 * Save the dhd_info into the priv
39300 */
39301 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39302 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39303
39304 /* Set network interface name if it was provided as module parameter */
39305 if (iface_name[0]) {
39306 @@ -2056,7 +2056,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39307 /*
39308 * Save the dhd_info into the priv
39309 */
39310 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39311 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39312
39313 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
39314 g_bus = bus;
39315 @@ -2206,7 +2206,7 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, cha
39316 return ret;
39317 }
39318
39319 -static struct net_device_ops dhd_ops_pri = {
39320 +static const struct net_device_ops dhd_ops_pri = {
39321 .ndo_open = dhd_open,
39322 .ndo_stop = dhd_stop,
39323 .ndo_get_stats = dhd_get_stats,
39324 diff -urNp linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c
39325 --- linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39326 +++ linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39327 @@ -2109,7 +2109,7 @@ wl_cfg80211_flush_pmksa(struct wiphy *wi
39328
39329 }
39330
39331 -static struct cfg80211_ops wl_cfg80211_ops = {
39332 +static const struct cfg80211_ops wl_cfg80211_ops = {
39333 .change_virtual_intf = wl_cfg80211_change_iface,
39334 .scan = wl_cfg80211_scan,
39335 .set_wiphy_params = wl_cfg80211_set_wiphy_params,
39336 diff -urNp linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c
39337 --- linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-19 00:06:34.000000000 -0400
39338 +++ linux-2.6.39.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-22 19:36:32.000000000 -0400
39339 @@ -495,7 +495,7 @@ wl_iw_get_range(struct net_device *dev,
39340 list = (wl_u32_list_t *) channels;
39341
39342 dwrq->length = sizeof(struct iw_range);
39343 - memset(range, 0, sizeof(range));
39344 + memset(range, 0, sizeof(*range));
39345
39346 range->min_nwid = range->max_nwid = 0;
39347
39348 diff -urNp linux-2.6.39.1/drivers/staging/comedi/comedi_fops.c linux-2.6.39.1/drivers/staging/comedi/comedi_fops.c
39349 --- linux-2.6.39.1/drivers/staging/comedi/comedi_fops.c 2011-05-19 00:06:34.000000000 -0400
39350 +++ linux-2.6.39.1/drivers/staging/comedi/comedi_fops.c 2011-05-22 19:36:32.000000000 -0400
39351 @@ -1445,7 +1445,7 @@ static void comedi_unmap(struct vm_area_
39352 mutex_unlock(&dev->mutex);
39353 }
39354
39355 -static struct vm_operations_struct comedi_vm_ops = {
39356 +static const struct vm_operations_struct comedi_vm_ops = {
39357 .close = comedi_unmap,
39358 };
39359
39360 diff -urNp linux-2.6.39.1/drivers/staging/cx25821/cx25821-alsa.c linux-2.6.39.1/drivers/staging/cx25821/cx25821-alsa.c
39361 --- linux-2.6.39.1/drivers/staging/cx25821/cx25821-alsa.c 2011-05-19 00:06:34.000000000 -0400
39362 +++ linux-2.6.39.1/drivers/staging/cx25821/cx25821-alsa.c 2011-05-22 19:36:32.000000000 -0400
39363 @@ -586,7 +586,7 @@ static struct page *snd_cx25821_page(str
39364 /*
39365 * operators
39366 */
39367 -static struct snd_pcm_ops snd_cx25821_pcm_ops = {
39368 +static const struct snd_pcm_ops snd_cx25821_pcm_ops = {
39369 .open = snd_cx25821_pcm_open,
39370 .close = snd_cx25821_close,
39371 .ioctl = snd_pcm_lib_ioctl,
39372 diff -urNp linux-2.6.39.1/drivers/staging/cx25821/cx25821-i2c.c linux-2.6.39.1/drivers/staging/cx25821/cx25821-i2c.c
39373 --- linux-2.6.39.1/drivers/staging/cx25821/cx25821-i2c.c 2011-05-19 00:06:34.000000000 -0400
39374 +++ linux-2.6.39.1/drivers/staging/cx25821/cx25821-i2c.c 2011-05-22 19:36:32.000000000 -0400
39375 @@ -282,7 +282,7 @@ static u32 cx25821_functionality(struct
39376 I2C_FUNC_SMBUS_READ_WORD_DATA | I2C_FUNC_SMBUS_WRITE_WORD_DATA;
39377 }
39378
39379 -static struct i2c_algorithm cx25821_i2c_algo_template = {
39380 +static const struct i2c_algorithm cx25821_i2c_algo_template = {
39381 .master_xfer = i2c_xfer,
39382 .functionality = cx25821_functionality,
39383 #ifdef NEED_ALGO_CONTROL
39384 diff -urNp linux-2.6.39.1/drivers/staging/et131x/et1310_tx.c linux-2.6.39.1/drivers/staging/et131x/et1310_tx.c
39385 --- linux-2.6.39.1/drivers/staging/et131x/et1310_tx.c 2011-05-19 00:06:34.000000000 -0400
39386 +++ linux-2.6.39.1/drivers/staging/et131x/et1310_tx.c 2011-05-22 19:36:32.000000000 -0400
39387 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
39388 struct net_device_stats *stats = &etdev->net_stats;
39389
39390 if (tcb->flags & fMP_DEST_BROAD)
39391 - atomic_inc(&etdev->Stats.brdcstxmt);
39392 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39393 else if (tcb->flags & fMP_DEST_MULTI)
39394 - atomic_inc(&etdev->Stats.multixmt);
39395 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39396 else
39397 - atomic_inc(&etdev->Stats.unixmt);
39398 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39399
39400 if (tcb->skb) {
39401 stats->tx_bytes += tcb->skb->len;
39402 diff -urNp linux-2.6.39.1/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.1/drivers/staging/et131x/et131x_adapter.h
39403 --- linux-2.6.39.1/drivers/staging/et131x/et131x_adapter.h 2011-05-19 00:06:34.000000000 -0400
39404 +++ linux-2.6.39.1/drivers/staging/et131x/et131x_adapter.h 2011-05-22 19:36:32.000000000 -0400
39405 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
39406 * operations
39407 */
39408 u32 unircv; /* # multicast packets received */
39409 - atomic_t unixmt; /* # multicast packets for Tx */
39410 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39411 u32 multircv; /* # multicast packets received */
39412 - atomic_t multixmt; /* # multicast packets for Tx */
39413 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39414 u32 brdcstrcv; /* # broadcast packets received */
39415 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39416 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39417 u32 norcvbuf; /* # Rx packets discarded */
39418 u32 noxmtbuf; /* # Tx packets discarded */
39419
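Review bot: The re-typed `unixmt` line keeps the comment `/* # multicast packets for Tx */`, which does not match how the field is used. In the et1310_tx.c hunk of this patch, `unixmt` is incremented on the branch taken when the frame is neither broadcast nor multicast. Since the line is being rewritten anyway, the comment could be corrected to `/* # unicast packets for Tx */`. The `unircv` context line above carries the same wording and would need the matching fix outside this change.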
39420 diff -urNp linux-2.6.39.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.39.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
39421 --- linux-2.6.39.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-19 00:06:34.000000000 -0400
39422 +++ linux-2.6.39.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-22 19:36:32.000000000 -0400
39423 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
39424 //
39425 // Table of entry-point routines for char device
39426 //
39427 -static struct file_operations ft1000fops =
39428 +static const struct file_operations ft1000fops =
39429 {
39430 .unlocked_ioctl = ft1000_ioctl,
39431 .poll = ft1000_poll_dev,
39432 diff -urNp linux-2.6.39.1/drivers/staging/generic_serial/rio/rio_linux.c linux-2.6.39.1/drivers/staging/generic_serial/rio/rio_linux.c
39433 --- linux-2.6.39.1/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-19 00:06:34.000000000 -0400
39434 +++ linux-2.6.39.1/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-22 19:36:32.000000000 -0400
39435 @@ -221,7 +221,7 @@ module_param(rio_poll, int, 0);
39436 module_param(rio_debug, int, 0644);
39437 module_param(rio_irqmask, long, 0);
39438
39439 -static struct real_driver rio_real_driver = {
39440 +static const struct real_driver rio_real_driver = {
39441 rio_disable_tx_interrupts,
39442 rio_enable_tx_interrupts,
39443 rio_disable_rx_interrupts,
39444 diff -urNp linux-2.6.39.1/drivers/staging/generic_serial/ser_a2232.c linux-2.6.39.1/drivers/staging/generic_serial/ser_a2232.c
39445 --- linux-2.6.39.1/drivers/staging/generic_serial/ser_a2232.c 2011-05-19 00:06:34.000000000 -0400
39446 +++ linux-2.6.39.1/drivers/staging/generic_serial/ser_a2232.c 2011-05-22 19:36:32.000000000 -0400
39447 @@ -144,7 +144,7 @@ static int a2232_open(struct tty_struct
39448 /*---------------------------------------------------------------------------
39449 * Interface from generic_serial.c back here
39450 *--------------------------------------------------------------------------*/
39451 -static struct real_driver a2232_real_driver = {
39452 +static const struct real_driver a2232_real_driver = {
39453 a2232_disable_tx_interrupts,
39454 a2232_enable_tx_interrupts,
39455 a2232_disable_rx_interrupts,
39456 diff -urNp linux-2.6.39.1/drivers/staging/generic_serial/sx.c linux-2.6.39.1/drivers/staging/generic_serial/sx.c
39457 --- linux-2.6.39.1/drivers/staging/generic_serial/sx.c 2011-05-19 00:06:34.000000000 -0400
39458 +++ linux-2.6.39.1/drivers/staging/generic_serial/sx.c 2011-05-22 19:36:32.000000000 -0400
39459 @@ -355,7 +355,7 @@ module_param(sx_irqmask, int, 0);
39460
39461 MODULE_LICENSE("GPL");
39462
39463 -static struct real_driver sx_real_driver = {
39464 +static const struct real_driver sx_real_driver = {
39465 sx_disable_tx_interrupts,
39466 sx_enable_tx_interrupts,
39467 sx_disable_rx_interrupts,
39468 diff -urNp linux-2.6.39.1/drivers/staging/generic_serial/vme_scc.c linux-2.6.39.1/drivers/staging/generic_serial/vme_scc.c
39469 --- linux-2.6.39.1/drivers/staging/generic_serial/vme_scc.c 2011-05-19 00:06:34.000000000 -0400
39470 +++ linux-2.6.39.1/drivers/staging/generic_serial/vme_scc.c 2011-05-22 19:36:32.000000000 -0400
39471 @@ -94,7 +94,7 @@ static struct scc_port scc_ports[2];
39472 * Interface from generic_serial.c back here
39473 *--------------------------------------------------------------------------*/
39474
39475 -static struct real_driver scc_real_driver = {
39476 +static const struct real_driver scc_real_driver = {
39477 scc_disable_tx_interrupts,
39478 scc_enable_tx_interrupts,
39479 scc_disable_rx_interrupts,
39480 diff -urNp linux-2.6.39.1/drivers/staging/gma500/psb_fb.c linux-2.6.39.1/drivers/staging/gma500/psb_fb.c
39481 --- linux-2.6.39.1/drivers/staging/gma500/psb_fb.c 2011-05-19 00:06:34.000000000 -0400
39482 +++ linux-2.6.39.1/drivers/staging/gma500/psb_fb.c 2011-05-22 19:36:32.000000000 -0400
39483 @@ -230,7 +230,7 @@ static void psbfb_vm_close(struct vm_are
39484 DRM_DEBUG("vm_close\n");
39485 }
39486
39487 -static struct vm_operations_struct psbfb_vm_ops = {
39488 +static const struct vm_operations_struct psbfb_vm_ops = {
39489 .fault = psbfb_vm_fault,
39490 .open = psbfb_vm_open,
39491 .close = psbfb_vm_close
39492 diff -urNp linux-2.6.39.1/drivers/staging/go7007/go7007-i2c.c linux-2.6.39.1/drivers/staging/go7007/go7007-i2c.c
39493 --- linux-2.6.39.1/drivers/staging/go7007/go7007-i2c.c 2011-05-19 00:06:34.000000000 -0400
39494 +++ linux-2.6.39.1/drivers/staging/go7007/go7007-i2c.c 2011-05-22 19:36:32.000000000 -0400
39495 @@ -198,7 +198,7 @@ static u32 go7007_functionality(struct i
39496 return I2C_FUNC_SMBUS_BYTE_DATA;
39497 }
39498
39499 -static struct i2c_algorithm go7007_algo = {
39500 +static const struct i2c_algorithm go7007_algo = {
39501 .smbus_xfer = go7007_smbus_xfer,
39502 .master_xfer = go7007_i2c_master_xfer,
39503 .functionality = go7007_functionality,
39504 diff -urNp linux-2.6.39.1/drivers/staging/go7007/go7007-usb.c linux-2.6.39.1/drivers/staging/go7007/go7007-usb.c
39505 --- linux-2.6.39.1/drivers/staging/go7007/go7007-usb.c 2011-05-19 00:06:34.000000000 -0400
39506 +++ linux-2.6.39.1/drivers/staging/go7007/go7007-usb.c 2011-05-22 19:36:32.000000000 -0400
39507 @@ -849,7 +849,7 @@ static int go7007_usb_send_firmware(stru
39508 &transferred, timeout);
39509 }
39510
39511 -static struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39512 +static const struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39513 .interface_reset = go7007_usb_interface_reset,
39514 .write_interrupt = go7007_usb_ezusb_write_interrupt,
39515 .read_interrupt = go7007_usb_read_interrupt,
39516 @@ -858,7 +858,7 @@ static struct go7007_hpi_ops go7007_usb_
39517 .send_firmware = go7007_usb_send_firmware,
39518 };
39519
39520 -static struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39521 +static const struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39522 .interface_reset = go7007_usb_interface_reset,
39523 .write_interrupt = go7007_usb_onboard_write_interrupt,
39524 .read_interrupt = go7007_usb_read_interrupt,
39525 @@ -950,7 +950,7 @@ static u32 go7007_usb_functionality(stru
39526 return (I2C_FUNC_SMBUS_EMUL) & ~I2C_FUNC_SMBUS_QUICK;
39527 }
39528
39529 -static struct i2c_algorithm go7007_usb_algo = {
39530 +static const struct i2c_algorithm go7007_usb_algo = {
39531 .master_xfer = go7007_usb_i2c_master_xfer,
39532 .functionality = go7007_usb_functionality,
39533 };
39534 diff -urNp linux-2.6.39.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.39.1/drivers/staging/go7007/go7007-v4l2.c
39535 --- linux-2.6.39.1/drivers/staging/go7007/go7007-v4l2.c 2011-05-19 00:06:34.000000000 -0400
39536 +++ linux-2.6.39.1/drivers/staging/go7007/go7007-v4l2.c 2011-05-22 19:36:32.000000000 -0400
39537 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
39538 return 0;
39539 }
39540
39541 -static struct vm_operations_struct go7007_vm_ops = {
39542 +static const struct vm_operations_struct go7007_vm_ops = {
39543 .open = go7007_vm_open,
39544 .close = go7007_vm_close,
39545 .fault = go7007_vm_fault,
39546 diff -urNp linux-2.6.39.1/drivers/staging/go7007/saa7134-go7007.c linux-2.6.39.1/drivers/staging/go7007/saa7134-go7007.c
39547 --- linux-2.6.39.1/drivers/staging/go7007/saa7134-go7007.c 2011-05-19 00:06:34.000000000 -0400
39548 +++ linux-2.6.39.1/drivers/staging/go7007/saa7134-go7007.c 2011-05-22 19:36:32.000000000 -0400
39549 @@ -421,7 +421,7 @@ static int saa7134_go7007_send_command(s
39550
39551 }
39552
39553 -static struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39554 +static const struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39555 .interface_reset = saa7134_go7007_interface_reset,
39556 .write_interrupt = saa7134_go7007_write_interrupt,
39557 .read_interrupt = saa7134_go7007_read_interrupt,
39558 diff -urNp linux-2.6.39.1/drivers/staging/go7007/snd-go7007.c linux-2.6.39.1/drivers/staging/go7007/snd-go7007.c
39559 --- linux-2.6.39.1/drivers/staging/go7007/snd-go7007.c 2011-05-19 00:06:34.000000000 -0400
39560 +++ linux-2.6.39.1/drivers/staging/go7007/snd-go7007.c 2011-05-22 19:36:32.000000000 -0400
39561 @@ -204,7 +204,7 @@ static struct page *go7007_snd_pcm_page(
39562 return vmalloc_to_page(substream->runtime->dma_area + offset);
39563 }
39564
39565 -static struct snd_pcm_ops go7007_snd_capture_ops = {
39566 +static const struct snd_pcm_ops go7007_snd_capture_ops = {
39567 .open = go7007_snd_capture_open,
39568 .close = go7007_snd_capture_close,
39569 .ioctl = snd_pcm_lib_ioctl,
39570 @@ -227,7 +227,7 @@ static int go7007_snd_free(struct snd_de
39571 return 0;
39572 }
39573
39574 -static struct snd_device_ops go7007_snd_device_ops = {
39575 +static const struct snd_device_ops go7007_snd_device_ops = {
39576 .dev_free = go7007_snd_free,
39577 };
39578
39579 diff -urNp linux-2.6.39.1/drivers/staging/hv/channel.c linux-2.6.39.1/drivers/staging/hv/channel.c
39580 --- linux-2.6.39.1/drivers/staging/hv/channel.c 2011-05-19 00:06:34.000000000 -0400
39581 +++ linux-2.6.39.1/drivers/staging/hv/channel.c 2011-05-22 19:36:32.000000000 -0400
39582 @@ -509,8 +509,8 @@ int vmbus_establish_gpadl(struct vmbus_c
39583 unsigned long flags;
39584 int ret = 0;
39585
39586 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
39587 - atomic_inc(&vmbus_connection.next_gpadl_handle);
39588 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
39589 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
39590
39591 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
39592 if (ret)
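Review bot: The handle is still taken with a separate read and increment in vmbus_establish_gpadl, so two callers running concurrently can read the same value before either increments it. Whether callers are serialised is not visible here, since the function body starts and ends outside the hunk. A single operation avoids the question: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;`. The `_unchecked` variant is consistent with the other ID counters converted in this patch.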
39593 diff -urNp linux-2.6.39.1/drivers/staging/hv/hv.c linux-2.6.39.1/drivers/staging/hv/hv.c
39594 --- linux-2.6.39.1/drivers/staging/hv/hv.c 2011-05-19 00:06:34.000000000 -0400
39595 +++ linux-2.6.39.1/drivers/staging/hv/hv.c 2011-05-22 19:36:32.000000000 -0400
39596 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
39597 u64 output_address = (output) ? virt_to_phys(output) : 0;
39598 u32 output_address_hi = output_address >> 32;
39599 u32 output_address_lo = output_address & 0xFFFFFFFF;
39600 - volatile void *hypercall_page = hv_context.hypercall_page;
39601 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
39602
39603 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
39604 control, input, output);
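Review bot: The new `ktva_ktla()` call in do_hypercall translates the hypercall page address with no comment saying why, and the helper is not defined in this file. Presumably it belongs to the patch's kernel-text address handling, but a reader of hv.c cannot tell whether the translation is a no-op on some configurations. I would add a one-line comment above the declaration, for example `/* translate the executable hypercall page address for the patched kernel text mapping */`, reworded once the exact reason is confirmed. The rest of do_hypercall is outside the hunk.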
39605 diff -urNp linux-2.6.39.1/drivers/staging/hv/rndis_filter.c linux-2.6.39.1/drivers/staging/hv/rndis_filter.c
39606 --- linux-2.6.39.1/drivers/staging/hv/rndis_filter.c 2011-05-19 00:06:34.000000000 -0400
39607 +++ linux-2.6.39.1/drivers/staging/hv/rndis_filter.c 2011-05-22 19:36:32.000000000 -0400
39608 @@ -49,7 +49,7 @@ struct rndis_device {
39609
39610 enum rndis_device_state state;
39611 u32 link_stat;
39612 - atomic_t new_req_id;
39613 + atomic_unchecked_t new_req_id;
39614
39615 spinlock_t request_lock;
39616 struct list_head req_list;
39617 @@ -144,7 +144,7 @@ static struct rndis_request *get_rndis_r
39618 * template
39619 */
39620 set = &rndis_msg->msg.set_req;
39621 - set->req_id = atomic_inc_return(&dev->new_req_id);
39622 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
39623
39624 /* Add to the request list */
39625 spin_lock_irqsave(&dev->request_lock, flags);
39626 @@ -709,7 +709,7 @@ static void rndis_filter_halt_device(str
39627
39628 /* Setup the rndis set */
39629 halt = &request->request_msg.msg.halt_req;
39630 - halt->req_id = atomic_inc_return(&dev->new_req_id);
39631 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
39632
39633 /* Ignore return since this msg is optional. */
39634 rndis_filter_send_request(dev, request);
39635 diff -urNp linux-2.6.39.1/drivers/staging/hv/vmbus_drv.c linux-2.6.39.1/drivers/staging/hv/vmbus_drv.c
39636 --- linux-2.6.39.1/drivers/staging/hv/vmbus_drv.c 2011-05-19 00:06:34.000000000 -0400
39637 +++ linux-2.6.39.1/drivers/staging/hv/vmbus_drv.c 2011-05-22 19:36:32.000000000 -0400
39638 @@ -661,14 +661,14 @@ int vmbus_child_device_register(struct h
39639 {
39640 int ret = 0;
39641
39642 - static atomic_t device_num = ATOMIC_INIT(0);
39643 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
39644
39645 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
39646 child_device_obj);
39647
39648 /* Set the device name. Otherwise, device_register() will fail. */
39649 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
39650 - atomic_inc_return(&device_num));
39651 + atomic_inc_return_unchecked(&device_num));
39652
39653 /* The new device belongs to this bus */
39654 child_device_obj->device.bus = &vmbus_drv.bus; /* device->dev.bus; */
39655 diff -urNp linux-2.6.39.1/drivers/staging/hv/vmbus_private.h linux-2.6.39.1/drivers/staging/hv/vmbus_private.h
39656 --- linux-2.6.39.1/drivers/staging/hv/vmbus_private.h 2011-05-19 00:06:34.000000000 -0400
39657 +++ linux-2.6.39.1/drivers/staging/hv/vmbus_private.h 2011-05-22 19:36:32.000000000 -0400
39658 @@ -58,7 +58,7 @@ enum vmbus_connect_state {
39659 struct vmbus_connection {
39660 enum vmbus_connect_state conn_state;
39661
39662 - atomic_t next_gpadl_handle;
39663 + atomic_unchecked_t next_gpadl_handle;
39664
39665 /*
39666 * Represents channel interrupts. Each bit position represents a
39667 diff -urNp linux-2.6.39.1/drivers/staging/iio/ring_generic.h linux-2.6.39.1/drivers/staging/iio/ring_generic.h
39668 --- linux-2.6.39.1/drivers/staging/iio/ring_generic.h 2011-05-19 00:06:34.000000000 -0400
39669 +++ linux-2.6.39.1/drivers/staging/iio/ring_generic.h 2011-05-25 16:55:27.000000000 -0400
39670 @@ -134,7 +134,7 @@ struct iio_ring_buffer {
39671 struct iio_handler access_handler;
39672 struct iio_event_interface ev_int;
39673 struct iio_shared_ev_pointer shared_ev_pointer;
39674 - struct iio_ring_access_funcs access;
39675 + struct iio_ring_access_funcs access;
39676 int (*preenable)(struct iio_dev *);
39677 int (*postenable)(struct iio_dev *);
39678 int (*predisable)(struct iio_dev *);
39679 diff -urNp linux-2.6.39.1/drivers/staging/intel_sst/intelmid_ctrl.c linux-2.6.39.1/drivers/staging/intel_sst/intelmid_ctrl.c
39680 --- linux-2.6.39.1/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-19 00:06:34.000000000 -0400
39681 +++ linux-2.6.39.1/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-22 19:36:32.000000000 -0400
39682 @@ -494,7 +494,7 @@ static int snd_intelmad_device_set(struc
39683 struct snd_intelmad *intelmaddata;
39684 struct snd_pmic_ops *scard_ops;
39685 int ret_val = 0, vendor, status;
39686 - struct intel_sst_pcm_control *pcm_control;
39687 + const struct intel_sst_pcm_control *pcm_control;
39688
39689 pr_debug("snd_intelmad_device_set called\n");
39690
39691 diff -urNp linux-2.6.39.1/drivers/staging/intel_sst/intel_sst_drv_interface.c linux-2.6.39.1/drivers/staging/intel_sst/intel_sst_drv_interface.c
39692 --- linux-2.6.39.1/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-19 00:06:34.000000000 -0400
39693 +++ linux-2.6.39.1/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-22 19:36:32.000000000 -0400
39694 @@ -470,7 +470,7 @@ int sst_device_control(int cmd, void *ar
39695 }
39696
39697
39698 -struct intel_sst_pcm_control pcm_ops = {
39699 +const struct intel_sst_pcm_control pcm_ops = {
39700 .open = sst_open_pcm_stream,
39701 .device_control = sst_device_control,
39702 .close = sst_close_pcm_stream,
39703 diff -urNp linux-2.6.39.1/drivers/staging/line6/capture.c linux-2.6.39.1/drivers/staging/line6/capture.c
39704 --- linux-2.6.39.1/drivers/staging/line6/capture.c 2011-05-19 00:06:34.000000000 -0400
39705 +++ linux-2.6.39.1/drivers/staging/line6/capture.c 2011-05-22 19:36:32.000000000 -0400
39706 @@ -378,7 +378,7 @@ snd_line6_capture_pointer(struct snd_pcm
39707 }
39708
39709 /* capture operators */
39710 -struct snd_pcm_ops snd_line6_capture_ops = {
39711 +const struct snd_pcm_ops snd_line6_capture_ops = {
39712 .open = snd_line6_capture_open,
39713 .close = snd_line6_capture_close,
39714 .ioctl = snd_pcm_lib_ioctl,
39715 diff -urNp linux-2.6.39.1/drivers/staging/line6/capture.h linux-2.6.39.1/drivers/staging/line6/capture.h
39716 --- linux-2.6.39.1/drivers/staging/line6/capture.h 2011-05-19 00:06:34.000000000 -0400
39717 +++ linux-2.6.39.1/drivers/staging/line6/capture.h 2011-05-22 19:36:32.000000000 -0400
39718 @@ -17,7 +17,7 @@
39719 #include "driver.h"
39720 #include "pcm.h"
39721
39722 -extern struct snd_pcm_ops snd_line6_capture_ops;
39723 +extern const struct snd_pcm_ops snd_line6_capture_ops;
39724
39725 extern void line6_capture_copy(struct snd_line6_pcm *line6pcm, char *fbuf,
39726 int fsize);
39727 diff -urNp linux-2.6.39.1/drivers/staging/line6/midi.c linux-2.6.39.1/drivers/staging/line6/midi.c
39728 --- linux-2.6.39.1/drivers/staging/line6/midi.c 2011-05-19 00:06:34.000000000 -0400
39729 +++ linux-2.6.39.1/drivers/staging/line6/midi.c 2011-05-22 19:36:32.000000000 -0400
39730 @@ -239,14 +239,14 @@ static void line6_midi_input_trigger(str
39731 line6->line6midi->substream_receive = 0;
39732 }
39733
39734 -static struct snd_rawmidi_ops line6_midi_output_ops = {
39735 +static const struct snd_rawmidi_ops line6_midi_output_ops = {
39736 .open = line6_midi_output_open,
39737 .close = line6_midi_output_close,
39738 .trigger = line6_midi_output_trigger,
39739 .drain = line6_midi_output_drain,
39740 };
39741
39742 -static struct snd_rawmidi_ops line6_midi_input_ops = {
39743 +static const struct snd_rawmidi_ops line6_midi_input_ops = {
39744 .open = line6_midi_input_open,
39745 .close = line6_midi_input_close,
39746 .trigger = line6_midi_input_trigger,
39747 @@ -373,7 +373,7 @@ static int snd_line6_midi_free(struct sn
39748 */
39749 int line6_init_midi(struct usb_line6 *line6)
39750 {
39751 - static struct snd_device_ops midi_ops = {
39752 + static const struct snd_device_ops midi_ops = {
39753 .dev_free = snd_line6_midi_free,
39754 };
39755
39756 diff -urNp linux-2.6.39.1/drivers/staging/line6/pcm.c linux-2.6.39.1/drivers/staging/line6/pcm.c
39757 --- linux-2.6.39.1/drivers/staging/line6/pcm.c 2011-05-19 00:06:34.000000000 -0400
39758 +++ linux-2.6.39.1/drivers/staging/line6/pcm.c 2011-05-22 19:36:32.000000000 -0400
39759 @@ -384,7 +384,7 @@ void line6_pcm_disconnect(struct snd_lin
39760 int line6_init_pcm(struct usb_line6 *line6,
39761 struct line6_pcm_properties *properties)
39762 {
39763 - static struct snd_device_ops pcm_ops = {
39764 + static const struct snd_device_ops pcm_ops = {
39765 .dev_free = snd_line6_pcm_free,
39766 };
39767
39768 diff -urNp linux-2.6.39.1/drivers/staging/line6/playback.c linux-2.6.39.1/drivers/staging/line6/playback.c
39769 --- linux-2.6.39.1/drivers/staging/line6/playback.c 2011-05-19 00:06:34.000000000 -0400
39770 +++ linux-2.6.39.1/drivers/staging/line6/playback.c 2011-05-22 19:36:32.000000000 -0400
39771 @@ -536,7 +536,7 @@ snd_line6_playback_pointer(struct snd_pc
39772 }
39773
39774 /* playback operators */
39775 -struct snd_pcm_ops snd_line6_playback_ops = {
39776 +const struct snd_pcm_ops snd_line6_playback_ops = {
39777 .open = snd_line6_playback_open,
39778 .close = snd_line6_playback_close,
39779 .ioctl = snd_pcm_lib_ioctl,
39780 diff -urNp linux-2.6.39.1/drivers/staging/line6/playback.h linux-2.6.39.1/drivers/staging/line6/playback.h
39781 --- linux-2.6.39.1/drivers/staging/line6/playback.h 2011-05-19 00:06:34.000000000 -0400
39782 +++ linux-2.6.39.1/drivers/staging/line6/playback.h 2011-05-22 19:36:32.000000000 -0400
39783 @@ -27,7 +27,7 @@
39784 */
39785 #define USE_CLEAR_BUFFER_WORKAROUND 1
39786
39787 -extern struct snd_pcm_ops snd_line6_playback_ops;
39788 +extern const struct snd_pcm_ops snd_line6_playback_ops;
39789
39790 extern int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm);
39791 extern int line6_submit_audio_out_all_urbs(struct snd_line6_pcm *line6pcm);
39792 diff -urNp linux-2.6.39.1/drivers/staging/msm/staging-devices.c linux-2.6.39.1/drivers/staging/msm/staging-devices.c
39793 --- linux-2.6.39.1/drivers/staging/msm/staging-devices.c 2011-05-19 00:06:34.000000000 -0400
39794 +++ linux-2.6.39.1/drivers/staging/msm/staging-devices.c 2011-05-22 19:36:32.000000000 -0400
39795 @@ -211,7 +211,7 @@ static int msm_fb_lcdc_gpio_config(int o
39796 }
39797
39798
39799 -static struct lcdc_platform_data lcdc_pdata = {
39800 +static const struct lcdc_platform_data lcdc_pdata = {
39801 .lcdc_gpio_config = msm_fb_lcdc_gpio_config,
39802 };
39803
39804 diff -urNp linux-2.6.39.1/drivers/staging/octeon/ethernet.c linux-2.6.39.1/drivers/staging/octeon/ethernet.c
39805 --- linux-2.6.39.1/drivers/staging/octeon/ethernet.c 2011-05-19 00:06:34.000000000 -0400
39806 +++ linux-2.6.39.1/drivers/staging/octeon/ethernet.c 2011-05-22 19:36:32.000000000 -0400
39807 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
39808 * since the RX tasklet also increments it.
39809 */
39810 #ifdef CONFIG_64BIT
39811 - atomic64_add(rx_status.dropped_packets,
39812 - (atomic64_t *)&priv->stats.rx_dropped);
39813 + atomic64_add_unchecked(rx_status.dropped_packets,
39814 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
39815 #else
39816 - atomic_add(rx_status.dropped_packets,
39817 - (atomic_t *)&priv->stats.rx_dropped);
39818 + atomic_add_unchecked(rx_status.dropped_packets,
39819 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
39820 #endif
39821 }
39822
39823 diff -urNp linux-2.6.39.1/drivers/staging/octeon/ethernet-rx.c linux-2.6.39.1/drivers/staging/octeon/ethernet-rx.c
39824 --- linux-2.6.39.1/drivers/staging/octeon/ethernet-rx.c 2011-05-19 00:06:34.000000000 -0400
39825 +++ linux-2.6.39.1/drivers/staging/octeon/ethernet-rx.c 2011-05-22 19:36:32.000000000 -0400
39826 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
39827 /* Increment RX stats for virtual ports */
39828 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
39829 #ifdef CONFIG_64BIT
39830 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
39831 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
39832 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
39833 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
39834 #else
39835 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
39836 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
39837 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
39838 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
39839 #endif
39840 }
39841 netif_receive_skb(skb);
39842 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
39843 dev->name);
39844 */
39845 #ifdef CONFIG_64BIT
39846 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
39847 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
39848 #else
39849 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
39850 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
39851 #endif
39852 dev_kfree_skb_irq(skb);
39853 }
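Review bot: The CONFIG_64BIT branch of this hunk calls `atomic64_unchecked_add`, while every other converted call in this file and in ethernet.c uses `atomic64_add_unchecked`. Unless a helper with the transposed name exists elsewhere, this is a build failure on 64-bit Octeon configurations. The line should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_napi_poll continues outside the hunk.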
39854 diff -urNp linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.c
39855 --- linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-19 00:06:34.000000000 -0400
39856 +++ linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-22 19:36:32.000000000 -0400
39857 @@ -43,7 +43,7 @@ module_param(noinit, int, 0444);
39858 static int useaa = 1;
39859 module_param(useaa, int, 0444);
39860
39861 -static struct dcon_platform_data *pdata;
39862 +static const struct dcon_platform_data *pdata;
39863
39864 /* I2C structures */
39865
39866 diff -urNp linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.h linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.h
39867 --- linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-19 00:06:34.000000000 -0400
39868 +++ linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-22 19:36:32.000000000 -0400
39869 @@ -92,11 +92,11 @@ struct dcon_platform_data {
39870 extern irqreturn_t dcon_interrupt(int irq, void *id);
39871
39872 #ifdef CONFIG_FB_OLPC_DCON_1
39873 -extern struct dcon_platform_data dcon_pdata_xo_1;
39874 +extern const struct dcon_platform_data dcon_pdata_xo_1;
39875 #endif
39876
39877 #ifdef CONFIG_FB_OLPC_DCON_1_5
39878 -extern struct dcon_platform_data dcon_pdata_xo_1_5;
39879 +extern const struct dcon_platform_data dcon_pdata_xo_1_5;
39880 #endif
39881
39882 #endif
39883 diff -urNp linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c
39884 --- linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-19 00:06:34.000000000 -0400
39885 +++ linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-22 19:36:32.000000000 -0400
39886 @@ -185,7 +185,7 @@ static u8 dcon_read_status_xo_1_5(void)
39887 return status;
39888 }
39889
39890 -struct dcon_platform_data dcon_pdata_xo_1_5 = {
39891 +const struct dcon_platform_data dcon_pdata_xo_1_5 = {
39892 .init = dcon_init_xo_1_5,
39893 .bus_stabilize_wiggle = dcon_wiggle_xo_1_5,
39894 .set_dconload = dcon_set_dconload_xo_1_5,
39895 diff -urNp linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c
39896 --- linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-19 00:06:34.000000000 -0400
39897 +++ linux-2.6.39.1/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-22 19:36:32.000000000 -0400
39898 @@ -196,7 +196,7 @@ static u8 dcon_read_status_xo_1(void)
39899 return status;
39900 }
39901
39902 -struct dcon_platform_data dcon_pdata_xo_1 = {
39903 +const struct dcon_platform_data dcon_pdata_xo_1 = {
39904 .init = dcon_init_xo_1,
39905 .bus_stabilize_wiggle = dcon_wiggle_xo_1,
39906 .set_dconload = dcon_set_dconload_1,
39907 diff -urNp linux-2.6.39.1/drivers/staging/phison/phison.c linux-2.6.39.1/drivers/staging/phison/phison.c
39908 --- linux-2.6.39.1/drivers/staging/phison/phison.c 2011-05-19 00:06:34.000000000 -0400
39909 +++ linux-2.6.39.1/drivers/staging/phison/phison.c 2011-05-22 19:36:32.000000000 -0400
39910 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
39911 ATA_BMDMA_SHT(DRV_NAME),
39912 };
39913
39914 -static struct ata_port_operations phison_ops = {
39915 +static const struct ata_port_operations phison_ops = {
39916 .inherits = &ata_bmdma_port_ops,
39917 .prereset = phison_pre_reset,
39918 };
39919 diff -urNp linux-2.6.39.1/drivers/staging/pohmelfs/inode.c linux-2.6.39.1/drivers/staging/pohmelfs/inode.c
39920 --- linux-2.6.39.1/drivers/staging/pohmelfs/inode.c 2011-05-19 00:06:34.000000000 -0400
39921 +++ linux-2.6.39.1/drivers/staging/pohmelfs/inode.c 2011-05-22 19:36:32.000000000 -0400
39922 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
39923 mutex_init(&psb->mcache_lock);
39924 psb->mcache_root = RB_ROOT;
39925 psb->mcache_timeout = msecs_to_jiffies(5000);
39926 - atomic_long_set(&psb->mcache_gen, 0);
39927 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
39928
39929 psb->trans_max_pages = 100;
39930
39931 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
39932 INIT_LIST_HEAD(&psb->crypto_ready_list);
39933 INIT_LIST_HEAD(&psb->crypto_active_list);
39934
39935 - atomic_set(&psb->trans_gen, 1);
39936 + atomic_set_unchecked(&psb->trans_gen, 1);
39937 atomic_long_set(&psb->total_inodes, 0);
39938
39939 mutex_init(&psb->state_lock);
39940 diff -urNp linux-2.6.39.1/drivers/staging/pohmelfs/mcache.c linux-2.6.39.1/drivers/staging/pohmelfs/mcache.c
39941 --- linux-2.6.39.1/drivers/staging/pohmelfs/mcache.c 2011-05-19 00:06:34.000000000 -0400
39942 +++ linux-2.6.39.1/drivers/staging/pohmelfs/mcache.c 2011-05-22 19:36:32.000000000 -0400
39943 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
39944 m->data = data;
39945 m->start = start;
39946 m->size = size;
39947 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
39948 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
39949
39950 mutex_lock(&psb->mcache_lock);
39951 err = pohmelfs_mcache_insert(psb, m);
39952 diff -urNp linux-2.6.39.1/drivers/staging/pohmelfs/netfs.h linux-2.6.39.1/drivers/staging/pohmelfs/netfs.h
39953 --- linux-2.6.39.1/drivers/staging/pohmelfs/netfs.h 2011-05-19 00:06:34.000000000 -0400
39954 +++ linux-2.6.39.1/drivers/staging/pohmelfs/netfs.h 2011-05-22 19:36:32.000000000 -0400
39955 @@ -571,14 +571,14 @@ struct pohmelfs_config;
39956 struct pohmelfs_sb {
39957 struct rb_root mcache_root;
39958 struct mutex mcache_lock;
39959 - atomic_long_t mcache_gen;
39960 + atomic_long_unchecked_t mcache_gen;
39961 unsigned long mcache_timeout;
39962
39963 unsigned int idx;
39964
39965 unsigned int trans_retries;
39966
39967 - atomic_t trans_gen;
39968 + atomic_unchecked_t trans_gen;
39969
39970 unsigned int crypto_attached_size;
39971 unsigned int crypto_align_size;
39972 diff -urNp linux-2.6.39.1/drivers/staging/pohmelfs/trans.c linux-2.6.39.1/drivers/staging/pohmelfs/trans.c
39973 --- linux-2.6.39.1/drivers/staging/pohmelfs/trans.c 2011-05-19 00:06:34.000000000 -0400
39974 +++ linux-2.6.39.1/drivers/staging/pohmelfs/trans.c 2011-05-22 19:36:32.000000000 -0400
39975 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
39976 int err;
39977 struct netfs_cmd *cmd = t->iovec.iov_base;
39978
39979 - t->gen = atomic_inc_return(&psb->trans_gen);
39980 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
39981
39982 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
39983 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
39984 diff -urNp linux-2.6.39.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.39.1/drivers/staging/rtl8192u/ieee80211/proc.c
39985 --- linux-2.6.39.1/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-19 00:06:34.000000000 -0400
39986 +++ linux-2.6.39.1/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-22 19:36:32.000000000 -0400
39987 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
39988 return 0;
39989 }
39990
39991 -static struct seq_operations crypto_seq_ops = {
39992 +static const struct seq_operations crypto_seq_ops = {
39993 .start = c_start,
39994 .next = c_next,
39995 .stop = c_stop,
39996 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
39997 return seq_open(file, &crypto_seq_ops);
39998 }
39999
40000 -static struct file_operations proc_crypto_ops = {
40001 +static const struct file_operations proc_crypto_ops = {
40002 .open = crypto_info_open,
40003 .read = seq_read,
40004 .llseek = seq_lseek,
40005 diff -urNp linux-2.6.39.1/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.1/drivers/staging/rtl8712/rtl871x_io.h
40006 --- linux-2.6.39.1/drivers/staging/rtl8712/rtl871x_io.h 2011-05-19 00:06:34.000000000 -0400
40007 +++ linux-2.6.39.1/drivers/staging/rtl8712/rtl871x_io.h 2011-05-22 19:36:32.000000000 -0400
40008 @@ -107,7 +107,7 @@ struct intf_hdl {
40009 void (*intf_hdl_unload)(u8 *priv);
40010 void (*intf_hdl_open)(u8 *priv);
40011 void (*intf_hdl_close)(u8 *priv);
40012 - struct _io_ops io_ops;
40013 + const struct _io_ops io_ops;
40014 };
40015
40016 struct reg_protocol_rd {
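Review bot: Qualifying `io_ops` as const while it stays embedded by value in `struct intf_hdl` means the member can only be set when the enclosing object is initialised. The code that fills in the callbacks is not in this hunk. If it writes them at run time through the member's address, it now has to discard the qualifier. The table also gains no write protection, because it lives inside a writable object. If that is how it is populated, leave the member non-const or change it to a pointer, `const struct _io_ops *io_ops;`, aimed at a static const table.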
40017 diff -urNp linux-2.6.39.1/drivers/staging/solo6x10/g723.c linux-2.6.39.1/drivers/staging/solo6x10/g723.c
40018 --- linux-2.6.39.1/drivers/staging/solo6x10/g723.c 2011-05-19 00:06:34.000000000 -0400
40019 +++ linux-2.6.39.1/drivers/staging/solo6x10/g723.c 2011-05-22 19:36:32.000000000 -0400
40020 @@ -237,7 +237,7 @@ static int snd_solo_pcm_copy(struct snd_
40021 return 0;
40022 }
40023
40024 -static struct snd_pcm_ops snd_solo_pcm_ops = {
40025 +static const struct snd_pcm_ops snd_solo_pcm_ops = {
40026 .open = snd_solo_pcm_open,
40027 .close = snd_solo_pcm_close,
40028 .ioctl = snd_pcm_lib_ioctl,
40029 @@ -334,7 +334,7 @@ static int solo_snd_pcm_init(struct solo
40030
40031 int solo_g723_init(struct solo_dev *solo_dev)
40032 {
40033 - static struct snd_device_ops ops = { NULL };
40034 + static const struct snd_device_ops ops = { NULL };
40035 struct snd_card *card;
40036 struct snd_kcontrol_new kctl;
40037 char name[32];
40038 diff -urNp linux-2.6.39.1/drivers/staging/spectra/ffsport.c linux-2.6.39.1/drivers/staging/spectra/ffsport.c
40039 --- linux-2.6.39.1/drivers/staging/spectra/ffsport.c 2011-05-19 00:06:34.000000000 -0400
40040 +++ linux-2.6.39.1/drivers/staging/spectra/ffsport.c 2011-05-22 19:36:32.000000000 -0400
40041 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
40042 return ret;
40043 }
40044
40045 -static struct block_device_operations GLOB_SBD_ops = {
40046 +static const struct block_device_operations GLOB_SBD_ops = {
40047 .owner = THIS_MODULE,
40048 .open = GLOB_SBD_open,
40049 .release = GLOB_SBD_release,
40050 diff -urNp linux-2.6.39.1/drivers/staging/tm6000/tm6000-alsa.c linux-2.6.39.1/drivers/staging/tm6000/tm6000-alsa.c
40051 --- linux-2.6.39.1/drivers/staging/tm6000/tm6000-alsa.c 2011-05-19 00:06:34.000000000 -0400
40052 +++ linux-2.6.39.1/drivers/staging/tm6000/tm6000-alsa.c 2011-05-22 19:36:32.000000000 -0400
40053 @@ -380,7 +380,7 @@ static snd_pcm_uframes_t snd_tm6000_poin
40054 /*
40055 * operators
40056 */
40057 -static struct snd_pcm_ops snd_tm6000_pcm_ops = {
40058 +static const struct snd_pcm_ops snd_tm6000_pcm_ops = {
40059 .open = snd_tm6000_pcm_open,
40060 .close = snd_tm6000_close,
40061 .ioctl = snd_pcm_lib_ioctl,
40062 diff -urNp linux-2.6.39.1/drivers/staging/tty/istallion.c linux-2.6.39.1/drivers/staging/tty/istallion.c
40063 --- linux-2.6.39.1/drivers/staging/tty/istallion.c 2011-05-19 00:06:34.000000000 -0400
40064 +++ linux-2.6.39.1/drivers/staging/tty/istallion.c 2011-05-22 20:49:07.000000000 -0400
40065 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
40066 * re-used for each stats call.
40067 */
40068 static comstats_t stli_comstats;
40069 -static combrd_t stli_brdstats;
40070 static struct asystats stli_cdkstats;
40071
40072 /*****************************************************************************/
40073 @@ -4003,6 +4002,7 @@ out:
40074
40075 static int stli_getbrdstats(combrd_t __user *bp)
40076 {
40077 + combrd_t stli_brdstats;
40078 struct stlibrd *brdp;
40079 unsigned int i;
40080
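Review bot: The new stack local `combrd_t stli_brdstats;` in stli_getbrdstats is declared uninitialised, where the file-scope buffer it replaces was zero-initialised static storage. The rest of the function is outside the hunk, so I cannot see whether every byte, padding included, is written before the structure is copied back through `bp`. If that is not guaranteed, add `memset(&stli_brdstats, 0, sizeof(stli_brdstats));` before the fields are filled. The local also keeps the `stli_` prefix of the global it replaces; a plain `brdstats` would make it clear that the buffer is now private to each call.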
40081 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
40082 struct stliport stli_dummyport;
40083 struct stliport *portp;
40084
40085 + pax_track_stack();
40086 +
40087 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
40088 return -EFAULT;
40089 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
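Review bot: `pax_track_stack();` is added to stli_getportstruct with no comment, so a later maintainer cannot tell which functions need the call or when it can be dropped. Judging by the visible locals, the reason is presumably the whole `struct stliport` held on the stack. I would put a short comment above the call, for example `/* large on-stack struct: record stack depth for PaX */`. The same applies to the stli_getbrdstruct hunk below and to stl_getportstruct in stallion.c. All three function bodies continue outside their hunks.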
40090 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
40091 struct stlibrd stli_dummybrd;
40092 struct stlibrd *brdp;
40093
40094 + pax_track_stack();
40095 +
40096 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
40097 return -EFAULT;
40098 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
40099 diff -urNp linux-2.6.39.1/drivers/staging/tty/stallion.c linux-2.6.39.1/drivers/staging/tty/stallion.c
40100 --- linux-2.6.39.1/drivers/staging/tty/stallion.c 2011-05-19 00:06:34.000000000 -0400
40101 +++ linux-2.6.39.1/drivers/staging/tty/stallion.c 2011-05-22 19:36:32.000000000 -0400
40102 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
40103 struct stlport stl_dummyport;
40104 struct stlport *portp;
40105
40106 + pax_track_stack();
40107 +
40108 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
40109 return -EFAULT;
40110 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
40111 diff -urNp linux-2.6.39.1/drivers/staging/usbip/vhci.h linux-2.6.39.1/drivers/staging/usbip/vhci.h
40112 --- linux-2.6.39.1/drivers/staging/usbip/vhci.h 2011-05-19 00:06:34.000000000 -0400
40113 +++ linux-2.6.39.1/drivers/staging/usbip/vhci.h 2011-05-22 19:36:32.000000000 -0400
40114 @@ -92,7 +92,7 @@ struct vhci_hcd {
40115 unsigned resuming:1;
40116 unsigned long re_timeout;
40117
40118 - atomic_t seqnum;
40119 + atomic_unchecked_t seqnum;
40120
40121 /*
40122 * NOTE:
40123 diff -urNp linux-2.6.39.1/drivers/staging/usbip/vhci_hcd.c linux-2.6.39.1/drivers/staging/usbip/vhci_hcd.c
40124 --- linux-2.6.39.1/drivers/staging/usbip/vhci_hcd.c 2011-05-19 00:06:34.000000000 -0400
40125 +++ linux-2.6.39.1/drivers/staging/usbip/vhci_hcd.c 2011-05-22 19:36:32.000000000 -0400
40126 @@ -536,7 +536,7 @@ static void vhci_tx_urb(struct urb *urb)
40127 return;
40128 }
40129
40130 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40131 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40132 if (priv->seqnum == 0xffff)
40133 usbip_uinfo("seqnum max\n");
40134
40135 @@ -795,7 +795,7 @@ static int vhci_urb_dequeue(struct usb_h
40136 return -ENOMEM;
40137 }
40138
40139 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40140 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40141 if (unlink->seqnum == 0xffff)
40142 usbip_uinfo("seqnum max\n");
40143
40144 @@ -992,7 +992,7 @@ static int vhci_start(struct usb_hcd *hc
40145 vdev->rhport = rhport;
40146 }
40147
40148 - atomic_set(&vhci->seqnum, 0);
40149 + atomic_set_unchecked(&vhci->seqnum, 0);
40150 spin_lock_init(&vhci->lock);
40151
40152
40153 diff -urNp linux-2.6.39.1/drivers/staging/usbip/vhci_rx.c linux-2.6.39.1/drivers/staging/usbip/vhci_rx.c
40154 --- linux-2.6.39.1/drivers/staging/usbip/vhci_rx.c 2011-05-19 00:06:34.000000000 -0400
40155 +++ linux-2.6.39.1/drivers/staging/usbip/vhci_rx.c 2011-05-22 19:36:32.000000000 -0400
40156 @@ -81,7 +81,7 @@ static void vhci_recv_ret_submit(struct
40157 usbip_uerr("cannot find a urb of seqnum %u\n",
40158 pdu->base.seqnum);
40159 usbip_uinfo("max seqnum %d\n",
40160 - atomic_read(&the_controller->seqnum));
40161 + atomic_read_unchecked(&the_controller->seqnum));
40162 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40163 return;
40164 }
40165 diff -urNp linux-2.6.39.1/drivers/staging/vme/devices/vme_user.c linux-2.6.39.1/drivers/staging/vme/devices/vme_user.c
40166 --- linux-2.6.39.1/drivers/staging/vme/devices/vme_user.c 2011-05-19 00:06:34.000000000 -0400
40167 +++ linux-2.6.39.1/drivers/staging/vme/devices/vme_user.c 2011-05-22 19:36:32.000000000 -0400
40168 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
40169 static int __devinit vme_user_probe(struct device *, int, int);
40170 static int __devexit vme_user_remove(struct device *, int, int);
40171
40172 -static struct file_operations vme_user_fops = {
40173 +static const struct file_operations vme_user_fops = {
40174 .open = vme_user_open,
40175 .release = vme_user_release,
40176 .read = vme_user_read,
40177 diff -urNp linux-2.6.39.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.39.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
40178 --- linux-2.6.39.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-19 00:06:34.000000000 -0400
40179 +++ linux-2.6.39.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-22 19:36:32.000000000 -0400
40180 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
40181
40182
40183 /*standard block device driver interface */
40184 -static struct block_device_operations cyasblkdev_bdops = {
40185 +static const struct block_device_operations cyasblkdev_bdops = {
40186 .open = cyasblkdev_blk_open,
40187 .release = cyasblkdev_blk_release,
40188 .ioctl = cyasblkdev_blk_ioctl,
40189 diff -urNp linux-2.6.39.1/drivers/staging/wlags49_h2/wl_netdev.c linux-2.6.39.1/drivers/staging/wlags49_h2/wl_netdev.c
40190 --- linux-2.6.39.1/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-19 00:06:34.000000000 -0400
40191 +++ linux-2.6.39.1/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-22 19:36:32.000000000 -0400
40192 @@ -474,7 +474,7 @@ static void wl_get_drvinfo(struct net_de
40193 }
40194 } // wl_get_drvinfo
40195
40196 -static struct ethtool_ops wl_ethtool_ops = {
40197 +static const struct ethtool_ops wl_ethtool_ops = {
40198 .get_drvinfo = wl_get_drvinfo,
40199 .get_link = ethtool_op_get_link,
40200 };
40201 diff -urNp linux-2.6.39.1/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.39.1/drivers/staging/wlan-ng/hfa384x_usb.c
40202 --- linux-2.6.39.1/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-19 00:06:34.000000000 -0400
40203 +++ linux-2.6.39.1/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-22 19:36:32.000000000 -0400
40204 @@ -671,7 +671,7 @@ struct usbctlx_cmd_completor {
40205 hfa384x_cmdresult_t *result;
40206 };
40207
40208 -static inline int usbctlx_cmd_completor_fn(struct usbctlx_completor *head)
40209 +static inline int usbctlx_cmd_completor_fn(const struct usbctlx_completor *head)
40210 {
40211 struct usbctlx_cmd_completor *complete;
40212
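Review bot: The `const` added to `head` does not carry through to the local `complete`, which is still declared as a non-const `struct usbctlx_cmd_completor *`, so the assignment that follows (outside this hunk) has to drop the qualifier again. The same holds for `usbctlx_rrid_completor_fn`, and in `usbctlx_rmem_completor_fn` the cast is visible: `usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;`. If the bodies only read the completor's own fields, declare the locals const too, e.g. `const usbctlx_rmem_completor_t *complete = (const usbctlx_rmem_completor_t *) head;`, so the compiler enforces what the new signature promises. All three function bodies continue outside their hunks.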
40213 @@ -705,7 +705,7 @@ struct usbctlx_rrid_completor {
40214 unsigned int riddatalen;
40215 };
40216
40217 -static int usbctlx_rrid_completor_fn(struct usbctlx_completor *head)
40218 +static int usbctlx_rrid_completor_fn(const struct usbctlx_completor *head)
40219 {
40220 struct usbctlx_rrid_completor *complete;
40221 hfa384x_rridresult_t rridresult;
40222 @@ -768,7 +768,7 @@ struct usbctlx_rmem_completor {
40223 };
40224 typedef struct usbctlx_rmem_completor usbctlx_rmem_completor_t;
40225
40226 -static int usbctlx_rmem_completor_fn(struct usbctlx_completor *head)
40227 +static int usbctlx_rmem_completor_fn(const struct usbctlx_completor *head)
40228 {
40229 usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;
40230
40231 diff -urNp linux-2.6.39.1/drivers/staging/zcache/tmem.c linux-2.6.39.1/drivers/staging/zcache/tmem.c
40232 --- linux-2.6.39.1/drivers/staging/zcache/tmem.c 2011-05-19 00:06:34.000000000 -0400
40233 +++ linux-2.6.39.1/drivers/staging/zcache/tmem.c 2011-05-22 19:36:32.000000000 -0400
40234 @@ -39,7 +39,7 @@
40235 * A tmem host implementation must use this function to register callbacks
40236 * for memory allocation.
40237 */
40238 -static struct tmem_hostops tmem_hostops;
40239 +static const struct tmem_hostops tmem_hostops;
40240
40241 static void tmem_objnode_tree_init(void);
40242
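Review bot: `static const struct tmem_hostops tmem_hostops;` has no initializer, so as a const object it cannot legitimately receive the callbacks that `tmem_register_hostops()` is documented to register. If that function's body (outside this hunk) still copies `*m` into it, the store targets a read-only object. The next hunk does the same to `tmem_pamops`, and `tmem_register_pamops(struct tmem_pamops *m)` keeps a non-const parameter while the zcache.c hunks make `zcache_hostops` and `zcache_pamops` const, so passing their addresses (presumably what zcache does) would discard the qualifier. Either leave these two file-scope copies writable, or hold a pointer instead, `static const struct tmem_hostops *tmem_hostops;`, with `const struct tmem_hostops *m` in the register functions.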
40243 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
40244 * A tmem host implementation must use this function to register
40245 * callbacks for a page-accessible memory (PAM) implementation
40246 */
40247 -static struct tmem_pamops tmem_pamops;
40248 +static const struct tmem_pamops tmem_pamops;
40249
40250 void tmem_register_pamops(struct tmem_pamops *m)
40251 {
40252 diff -urNp linux-2.6.39.1/drivers/staging/zcache/zcache.c linux-2.6.39.1/drivers/staging/zcache/zcache.c
40253 --- linux-2.6.39.1/drivers/staging/zcache/zcache.c 2011-05-19 00:06:34.000000000 -0400
40254 +++ linux-2.6.39.1/drivers/staging/zcache/zcache.c 2011-05-22 19:36:32.000000000 -0400
40255 @@ -882,7 +882,7 @@ static void zcache_obj_free(struct tmem_
40256 kmem_cache_free(zcache_obj_cache, obj);
40257 }
40258
40259 -static struct tmem_hostops zcache_hostops = {
40260 +static const struct tmem_hostops zcache_hostops = {
40261 .obj_alloc = zcache_obj_alloc,
40262 .obj_free = zcache_obj_free,
40263 .objnode_alloc = zcache_objnode_alloc,
40264 @@ -987,7 +987,7 @@ static void zcache_pampd_free(void *pamp
40265 }
40266 }
40267
40268 -static struct tmem_pamops zcache_pamops = {
40269 +static const struct tmem_pamops zcache_pamops = {
40270 .create = zcache_pampd_create,
40271 .get_data = zcache_pampd_get_data,
40272 .free = zcache_pampd_free,
40273 diff -urNp linux-2.6.39.1/drivers/target/target_core_alua.c linux-2.6.39.1/drivers/target/target_core_alua.c
40274 --- linux-2.6.39.1/drivers/target/target_core_alua.c 2011-05-19 00:06:34.000000000 -0400
40275 +++ linux-2.6.39.1/drivers/target/target_core_alua.c 2011-05-22 19:36:32.000000000 -0400
40276 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
40277 char path[ALUA_METADATA_PATH_LEN];
40278 int len;
40279
40280 + pax_track_stack();
40281 +
40282 memset(path, 0, ALUA_METADATA_PATH_LEN);
40283
40284 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
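Review bot: `pax_track_stack();` is inserted with no comment, so a reader cannot tell which local justifies it or when the call could be dropped; here it is presumably `char path[ALUA_METADATA_PATH_LEN]`. A one-line comment above the call, such as `/* large on-stack buffer (path[]): tracked for PAX_MEMORY_STACKLEAK */`, would record the reason. The same bare call is added in core_alua_update_tpg_secondary_metadata in the next hunk and in the target_core_cdb.c, target_core_configfs.c, target_core_pr.c, ixj.c and rocket.c hunks. The function body continues outside the hunk.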
40285 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
40286 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
40287 int len;
40288
40289 + pax_track_stack();
40290 +
40291 memset(path, 0, ALUA_METADATA_PATH_LEN);
40292 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
40293
40294 diff -urNp linux-2.6.39.1/drivers/target/target_core_cdb.c linux-2.6.39.1/drivers/target/target_core_cdb.c
40295 --- linux-2.6.39.1/drivers/target/target_core_cdb.c 2011-05-19 00:06:34.000000000 -0400
40296 +++ linux-2.6.39.1/drivers/target/target_core_cdb.c 2011-05-22 19:36:32.000000000 -0400
40297 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
40298 int length = 0;
40299 unsigned char buf[SE_MODE_PAGE_BUF];
40300
40301 + pax_track_stack();
40302 +
40303 memset(buf, 0, SE_MODE_PAGE_BUF);
40304
40305 switch (cdb[2] & 0x3f) {
40306 diff -urNp linux-2.6.39.1/drivers/target/target_core_configfs.c linux-2.6.39.1/drivers/target/target_core_configfs.c
40307 --- linux-2.6.39.1/drivers/target/target_core_configfs.c 2011-05-19 00:06:34.000000000 -0400
40308 +++ linux-2.6.39.1/drivers/target/target_core_configfs.c 2011-05-22 19:36:32.000000000 -0400
40309 @@ -1280,6 +1280,8 @@ static ssize_t target_core_dev_pr_show_a
40310 ssize_t len = 0;
40311 int reg_count = 0, prf_isid;
40312
40313 + pax_track_stack();
40314 +
40315 if (!(su_dev->se_dev_ptr))
40316 return -ENODEV;
40317
40318 @@ -2682,7 +2684,7 @@ static void target_core_alua_drop_tg_pt_
40319 config_item_put(item);
40320 }
40321
40322 -static struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40323 +static const struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40324 .make_group = &target_core_alua_create_tg_pt_gp,
40325 .drop_item = &target_core_alua_drop_tg_pt_gp,
40326 };
40327 @@ -2726,7 +2728,7 @@ static void target_core_stat_rmdir(
40328 return;
40329 }
40330
40331 -static struct configfs_group_operations target_core_stat_group_ops = {
40332 +static const struct configfs_group_operations target_core_stat_group_ops = {
40333 .make_group = &target_core_stat_mkdir,
40334 .drop_item = &target_core_stat_rmdir,
40335 };
40336 @@ -2939,7 +2941,7 @@ static void target_core_drop_subdev(
40337 mutex_unlock(&hba->hba_access_mutex);
40338 }
40339
40340 -static struct configfs_group_operations target_core_hba_group_ops = {
40341 +static const struct configfs_group_operations target_core_hba_group_ops = {
40342 .make_group = target_core_make_subdev,
40343 .drop_item = target_core_drop_subdev,
40344 };
40345 @@ -3117,7 +3119,7 @@ static void target_core_call_delhbafromt
40346 config_item_put(item);
40347 }
40348
40349 -static struct configfs_group_operations target_core_group_ops = {
40350 +static const struct configfs_group_operations target_core_group_ops = {
40351 .make_group = target_core_call_addhbatotarget,
40352 .drop_item = target_core_call_delhbafromtarget,
40353 };
40354 diff -urNp linux-2.6.39.1/drivers/target/target_core_fabric_configfs.c linux-2.6.39.1/drivers/target/target_core_fabric_configfs.c
40355 --- linux-2.6.39.1/drivers/target/target_core_fabric_configfs.c 2011-05-19 00:06:34.000000000 -0400
40356 +++ linux-2.6.39.1/drivers/target/target_core_fabric_configfs.c 2011-05-22 19:36:32.000000000 -0400
40357 @@ -1174,7 +1174,7 @@ static void target_fabric_drop_wwn(
40358 config_item_put(item);
40359 }
40360
40361 -static struct configfs_group_operations target_fabric_wwn_group_ops = {
40362 +static const struct configfs_group_operations target_fabric_wwn_group_ops = {
40363 .make_group = target_fabric_make_wwn,
40364 .drop_item = target_fabric_drop_wwn,
40365 };
40366 diff -urNp linux-2.6.39.1/drivers/target/target_core_pr.c linux-2.6.39.1/drivers/target/target_core_pr.c
40367 --- linux-2.6.39.1/drivers/target/target_core_pr.c 2011-05-19 00:06:34.000000000 -0400
40368 +++ linux-2.6.39.1/drivers/target/target_core_pr.c 2011-05-22 19:36:32.000000000 -0400
40369 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
40370 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
40371 u16 tpgt;
40372
40373 + pax_track_stack();
40374 +
40375 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
40376 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
40377 /*
40378 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
40379 ssize_t len = 0;
40380 int reg_count = 0;
40381
40382 + pax_track_stack();
40383 +
40384 memset(buf, 0, pr_aptpl_buf_len);
40385 /*
40386 * Called to clear metadata once APTPL has been deactivated.
40387 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
40388 char path[512];
40389 int ret;
40390
40391 + pax_track_stack();
40392 +
40393 memset(iov, 0, sizeof(struct iovec));
40394 memset(path, 0, 512);
40395
40396 diff -urNp linux-2.6.39.1/drivers/target/target_core_tmr.c linux-2.6.39.1/drivers/target/target_core_tmr.c
40397 --- linux-2.6.39.1/drivers/target/target_core_tmr.c 2011-06-03 00:04:14.000000000 -0400
40398 +++ linux-2.6.39.1/drivers/target/target_core_tmr.c 2011-06-03 00:32:07.000000000 -0400
40399 @@ -263,7 +263,7 @@ int core_tmr_lun_reset(
40400 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
40401 T_TASK(cmd)->t_task_cdbs,
40402 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40403 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40404 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40405 atomic_read(&T_TASK(cmd)->t_transport_active),
40406 atomic_read(&T_TASK(cmd)->t_transport_stop),
40407 atomic_read(&T_TASK(cmd)->t_transport_sent));
40408 @@ -305,7 +305,7 @@ int core_tmr_lun_reset(
40409 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
40410 " task: %p, t_fe_count: %d dev: %p\n", task,
40411 fe_count, dev);
40412 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40413 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40414 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
40415 flags);
40416 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40417 @@ -315,7 +315,7 @@ int core_tmr_lun_reset(
40418 }
40419 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
40420 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
40421 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40422 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40423 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
40424 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40425
40426 diff -urNp linux-2.6.39.1/drivers/target/target_core_transport.c linux-2.6.39.1/drivers/target/target_core_transport.c
40427 --- linux-2.6.39.1/drivers/target/target_core_transport.c 2011-06-03 00:04:14.000000000 -0400
40428 +++ linux-2.6.39.1/drivers/target/target_core_transport.c 2011-06-03 00:32:07.000000000 -0400
40429 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
40430
40431 dev->queue_depth = dev_limits->queue_depth;
40432 atomic_set(&dev->depth_left, dev->queue_depth);
40433 - atomic_set(&dev->dev_ordered_id, 0);
40434 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
40435
40436 se_dev_set_default_attribs(dev, dev_limits);
40437
40438 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
40439 * Used to determine when ORDERED commands should go from
40440 * Dormant to Active status.
40441 */
40442 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
40443 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
40444 smp_mb__after_atomic_inc();
40445 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
40446 cmd->se_ordered_id, cmd->sam_task_attr,
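Review bot: The move to `atomic_inc_return_unchecked()` on `dev_ordered_id` does not say why this counter is exempt from overflow checking; presumably it is a sequence id rather than a reference count and may wrap. Extending the existing comment with a line such as `* dev_ordered_id is an id counter, not a refcount, hence the _unchecked ops.` would record that decision. The same question arises for `t_task_cdbs_sent` and `t_transport_aborted` in the other hunks of this file and in target_core_tmr.c, where neighbouring fields such as `t_task_cdbs_left` keep the checked `atomic_read()`. The enclosing function starts and ends outside the hunk.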
40447 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
40448 " t_transport_active: %d t_transport_stop: %d"
40449 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
40450 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40451 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40452 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40453 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
40454 atomic_read(&T_TASK(cmd)->t_transport_active),
40455 atomic_read(&T_TASK(cmd)->t_transport_stop),
40456 @@ -2673,9 +2673,9 @@ check_depth:
40457 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
40458 atomic_set(&task->task_active, 1);
40459 atomic_set(&task->task_sent, 1);
40460 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
40461 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
40462
40463 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
40464 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
40465 T_TASK(cmd)->t_task_cdbs)
40466 atomic_set(&cmd->transport_sent, 1);
40467
40468 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
40469 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
40470 }
40471 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
40472 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
40473 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
40474 goto remove;
40475
40476 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
40477 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
40478 {
40479 int ret = 0;
40480
40481 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
40482 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
40483 if (!(send_status) ||
40484 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
40485 return 1;
40486 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
40487 */
40488 if (cmd->data_direction == DMA_TO_DEVICE) {
40489 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
40490 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
40491 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
40492 smp_mb__after_atomic_inc();
40493 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
40494 transport_new_cmd_failure(cmd);
40495 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
40496 CMD_TFO(cmd)->get_task_tag(cmd),
40497 T_TASK(cmd)->t_task_cdbs,
40498 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40499 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40500 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40501 atomic_read(&T_TASK(cmd)->t_transport_active),
40502 atomic_read(&T_TASK(cmd)->t_transport_stop),
40503 atomic_read(&T_TASK(cmd)->t_transport_sent));
40504 diff -urNp linux-2.6.39.1/drivers/telephony/ixj.c linux-2.6.39.1/drivers/telephony/ixj.c
40505 --- linux-2.6.39.1/drivers/telephony/ixj.c 2011-05-19 00:06:34.000000000 -0400
40506 +++ linux-2.6.39.1/drivers/telephony/ixj.c 2011-05-22 19:36:32.000000000 -0400
40507 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40508 bool mContinue;
40509 char *pIn, *pOut;
40510
40511 + pax_track_stack();
40512 +
40513 if (!SCI_Prepare(j))
40514 return 0;
40515
40516 diff -urNp linux-2.6.39.1/drivers/tty/hvc/hvc_console.h linux-2.6.39.1/drivers/tty/hvc/hvc_console.h
40517 --- linux-2.6.39.1/drivers/tty/hvc/hvc_console.h 2011-05-19 00:06:34.000000000 -0400
40518 +++ linux-2.6.39.1/drivers/tty/hvc/hvc_console.h 2011-05-22 19:36:32.000000000 -0400
40519 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
40520 /* register a vterm for hvc tty operation (module_init or hotplug add) */
40521 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
40522 const struct hv_ops *ops, int outbuf_size);
40523 +
40524 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
40525 extern int hvc_remove(struct hvc_struct *hp);
40526
40527 diff -urNp linux-2.6.39.1/drivers/tty/hvc/hvc_iucv.c linux-2.6.39.1/drivers/tty/hvc/hvc_iucv.c
40528 --- linux-2.6.39.1/drivers/tty/hvc/hvc_iucv.c 2011-05-19 00:06:34.000000000 -0400
40529 +++ linux-2.6.39.1/drivers/tty/hvc/hvc_iucv.c 2011-05-22 19:36:32.000000000 -0400
40530 @@ -1203,7 +1203,7 @@ static int param_get_vmidfilter(char *bu
40531
40532 #define param_check_vmidfilter(name, p) __param_check(name, p, void)
40533
40534 -static struct kernel_param_ops param_ops_vmidfilter = {
40535 +static const struct kernel_param_ops param_ops_vmidfilter = {
40536 .set = param_set_vmidfilter,
40537 .get = param_get_vmidfilter,
40538 };
40539 diff -urNp linux-2.6.39.1/drivers/tty/hvc/hvcs.c linux-2.6.39.1/drivers/tty/hvc/hvcs.c
40540 --- linux-2.6.39.1/drivers/tty/hvc/hvcs.c 2011-05-19 00:06:34.000000000 -0400
40541 +++ linux-2.6.39.1/drivers/tty/hvc/hvcs.c 2011-05-22 19:36:32.000000000 -0400
40542 @@ -83,6 +83,7 @@
40543 #include <asm/hvcserver.h>
40544 #include <asm/uaccess.h>
40545 #include <asm/vio.h>
40546 +#include <asm/local.h>
40547
40548 /*
40549 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
40550 @@ -270,7 +271,7 @@ struct hvcs_struct {
40551 unsigned int index;
40552
40553 struct tty_struct *tty;
40554 - int open_count;
40555 + local_t open_count;
40556
40557 /*
40558 * Used to tell the driver kernel_thread what operations need to take
40559 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
40560
40561 spin_lock_irqsave(&hvcsd->lock, flags);
40562
40563 - if (hvcsd->open_count > 0) {
40564 + if (local_read(&hvcsd->open_count) > 0) {
40565 spin_unlock_irqrestore(&hvcsd->lock, flags);
40566 printk(KERN_INFO "HVCS: vterm state unchanged. "
40567 "The hvcs device node is still in use.\n");
40568 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
40569 if ((retval = hvcs_partner_connect(hvcsd)))
40570 goto error_release;
40571
40572 - hvcsd->open_count = 1;
40573 + local_set(&hvcsd->open_count, 1);
40574 hvcsd->tty = tty;
40575 tty->driver_data = hvcsd;
40576
40577 @@ -1179,7 +1180,7 @@ fast_open:
40578
40579 spin_lock_irqsave(&hvcsd->lock, flags);
40580 kref_get(&hvcsd->kref);
40581 - hvcsd->open_count++;
40582 + local_inc(&hvcsd->open_count);
40583 hvcsd->todo_mask |= HVCS_SCHED_READ;
40584 spin_unlock_irqrestore(&hvcsd->lock, flags);
40585
40586 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
40587 hvcsd = tty->driver_data;
40588
40589 spin_lock_irqsave(&hvcsd->lock, flags);
40590 - if (--hvcsd->open_count == 0) {
40591 + if (local_dec_and_test(&hvcsd->open_count)) {
40592
40593 vio_disable_interrupts(hvcsd->vdev);
40594
40595 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
40596 free_irq(irq, hvcsd);
40597 kref_put(&hvcsd->kref, destroy_hvcs_struct);
40598 return;
40599 - } else if (hvcsd->open_count < 0) {
40600 + } else if (local_read(&hvcsd->open_count) < 0) {
40601 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
40602 " is missmanaged.\n",
40603 - hvcsd->vdev->unit_address, hvcsd->open_count);
40604 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
40605 }
40606
40607 spin_unlock_irqrestore(&hvcsd->lock, flags);
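Review bot: The printk format still reads `open_count: %d`, but the argument is now `local_read(&hvcsd->open_count)`, which yields a `long` on the usual local_t implementations (worth confirming for this architecture), so specifier and argument no longer match. Change the format to `"HVCS: vty-server@%X open_count: %ld"` or cast the argument to `int`. In the hvcs_hangup hunk, `temp_open_count = local_read(&hvcsd->open_count);` narrows the same way if `temp_open_count` is still an `int`; its declaration is outside the hunk.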
40608 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
40609
40610 spin_lock_irqsave(&hvcsd->lock, flags);
40611 /* Preserve this so that we know how many kref refs to put */
40612 - temp_open_count = hvcsd->open_count;
40613 + temp_open_count = local_read(&hvcsd->open_count);
40614
40615 /*
40616 * Don't kref put inside the spinlock because the destruction
40617 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
40618 hvcsd->tty->driver_data = NULL;
40619 hvcsd->tty = NULL;
40620
40621 - hvcsd->open_count = 0;
40622 + local_set(&hvcsd->open_count, 0);
40623
40624 /* This will drop any buffered data on the floor which is OK in a hangup
40625 * scenario. */
40626 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
40627 * the middle of a write operation? This is a crummy place to do this
40628 * but we want to keep it all in the spinlock.
40629 */
40630 - if (hvcsd->open_count <= 0) {
40631 + if (local_read(&hvcsd->open_count) <= 0) {
40632 spin_unlock_irqrestore(&hvcsd->lock, flags);
40633 return -ENODEV;
40634 }
40635 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
40636 {
40637 struct hvcs_struct *hvcsd = tty->driver_data;
40638
40639 - if (!hvcsd || hvcsd->open_count <= 0)
40640 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
40641 return 0;
40642
40643 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
40644 diff -urNp linux-2.6.39.1/drivers/tty/hvc/hvc_xen.c linux-2.6.39.1/drivers/tty/hvc/hvc_xen.c
40645 --- linux-2.6.39.1/drivers/tty/hvc/hvc_xen.c 2011-05-19 00:06:34.000000000 -0400
40646 +++ linux-2.6.39.1/drivers/tty/hvc/hvc_xen.c 2011-05-22 19:36:32.000000000 -0400
40647 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
40648 return recv;
40649 }
40650
40651 -static struct hv_ops domU_hvc_ops = {
40652 +static const struct hv_ops domU_hvc_ops = {
40653 .get_chars = domU_read_console,
40654 .put_chars = domU_write_console,
40655 .notifier_add = notifier_add_irq,
40656 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
40657 return len;
40658 }
40659
40660 -static struct hv_ops dom0_hvc_ops = {
40661 +static const struct hv_ops dom0_hvc_ops = {
40662 .get_chars = dom0_read_console,
40663 .put_chars = dom0_write_console,
40664 .notifier_add = notifier_add_irq,
40665 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
40666 static int __init xen_hvc_init(void)
40667 {
40668 struct hvc_struct *hp;
40669 - struct hv_ops *ops;
40670 + const struct hv_ops *ops;
40671
40672 if (!xen_pv_domain())
40673 return -ENODEV;
40674 @@ -205,7 +205,7 @@ static void __exit xen_hvc_fini(void)
40675
40676 static int xen_cons_init(void)
40677 {
40678 - struct hv_ops *ops;
40679 + const struct hv_ops *ops;
40680
40681 if (!xen_pv_domain())
40682 return 0;
40683 diff -urNp linux-2.6.39.1/drivers/tty/ipwireless/tty.c linux-2.6.39.1/drivers/tty/ipwireless/tty.c
40684 --- linux-2.6.39.1/drivers/tty/ipwireless/tty.c 2011-05-19 00:06:34.000000000 -0400
40685 +++ linux-2.6.39.1/drivers/tty/ipwireless/tty.c 2011-05-22 19:36:32.000000000 -0400
40686 @@ -29,6 +29,7 @@
40687 #include <linux/tty_driver.h>
40688 #include <linux/tty_flip.h>
40689 #include <linux/uaccess.h>
40690 +#include <asm/local.h>
40691
40692 #include "tty.h"
40693 #include "network.h"
40694 @@ -51,7 +52,7 @@ struct ipw_tty {
40695 int tty_type;
40696 struct ipw_network *network;
40697 struct tty_struct *linux_tty;
40698 - int open_count;
40699 + local_t open_count;
40700 unsigned int control_lines;
40701 struct mutex ipw_tty_mutex;
40702 int tx_bytes_queued;
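Review bot: `local_t open_count;` gets no comment on what protects it after the type change. local_t operations are atomic only with respect to the CPU they run on, so the counter still relies on `ipw_tty_mutex` for cross-CPU consistency. Several later hunks (ipw_write_room, ipw_chars_in_buffer, ipw_tiocmget, ipw_tiocmset, ipw_ioctl) call `local_read()` with no lock taken in the visible lines. I would add `/* guarded by ipw_tty_mutex; local_t is not SMP-atomic */` on the field so the new type is not mistaken for a lock-free counter. The struct definition continues outside the hunk.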
40703 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
40704 mutex_unlock(&tty->ipw_tty_mutex);
40705 return -ENODEV;
40706 }
40707 - if (tty->open_count == 0)
40708 + if (local_read(&tty->open_count) == 0)
40709 tty->tx_bytes_queued = 0;
40710
40711 - tty->open_count++;
40712 + local_inc(&tty->open_count);
40713
40714 tty->linux_tty = linux_tty;
40715 linux_tty->driver_data = tty;
40716 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
40717
40718 static void do_ipw_close(struct ipw_tty *tty)
40719 {
40720 - tty->open_count--;
40721 -
40722 - if (tty->open_count == 0) {
40723 + if (local_dec_return(&tty->open_count) == 0) {
40724 struct tty_struct *linux_tty = tty->linux_tty;
40725
40726 if (linux_tty != NULL) {
40727 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
40728 return;
40729
40730 mutex_lock(&tty->ipw_tty_mutex);
40731 - if (tty->open_count == 0) {
40732 + if (local_read(&tty->open_count) == 0) {
40733 mutex_unlock(&tty->ipw_tty_mutex);
40734 return;
40735 }
40736 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
40737 return;
40738 }
40739
40740 - if (!tty->open_count) {
40741 + if (!local_read(&tty->open_count)) {
40742 mutex_unlock(&tty->ipw_tty_mutex);
40743 return;
40744 }
40745 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
40746 return -ENODEV;
40747
40748 mutex_lock(&tty->ipw_tty_mutex);
40749 - if (!tty->open_count) {
40750 + if (!local_read(&tty->open_count)) {
40751 mutex_unlock(&tty->ipw_tty_mutex);
40752 return -EINVAL;
40753 }
40754 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
40755 if (!tty)
40756 return -ENODEV;
40757
40758 - if (!tty->open_count)
40759 + if (!local_read(&tty->open_count))
40760 return -EINVAL;
40761
40762 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
40763 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
40764 if (!tty)
40765 return 0;
40766
40767 - if (!tty->open_count)
40768 + if (!local_read(&tty->open_count))
40769 return 0;
40770
40771 return tty->tx_bytes_queued;
40772 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
40773 if (!tty)
40774 return -ENODEV;
40775
40776 - if (!tty->open_count)
40777 + if (!local_read(&tty->open_count))
40778 return -EINVAL;
40779
40780 return get_control_lines(tty);
40781 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
40782 if (!tty)
40783 return -ENODEV;
40784
40785 - if (!tty->open_count)
40786 + if (!local_read(&tty->open_count))
40787 return -EINVAL;
40788
40789 return set_control_lines(tty, set, clear);
40790 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
40791 if (!tty)
40792 return -ENODEV;
40793
40794 - if (!tty->open_count)
40795 + if (!local_read(&tty->open_count))
40796 return -EINVAL;
40797
40798 /* FIXME: Exactly how is the tty object locked here .. */
40799 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
40800 against a parallel ioctl etc */
40801 mutex_lock(&ttyj->ipw_tty_mutex);
40802 }
40803 - while (ttyj->open_count)
40804 + while (local_read(&ttyj->open_count))
40805 do_ipw_close(ttyj);
40806 ipwireless_disassociate_network_ttys(network,
40807 ttyj->channel_idx);
40808 diff -urNp linux-2.6.39.1/drivers/tty/mxser.c linux-2.6.39.1/drivers/tty/mxser.c
40809 --- linux-2.6.39.1/drivers/tty/mxser.c 2011-05-19 00:06:34.000000000 -0400
40810 +++ linux-2.6.39.1/drivers/tty/mxser.c 2011-05-22 19:36:32.000000000 -0400
40811 @@ -2340,7 +2340,7 @@ static const struct tty_operations mxser
40812 .get_icount = mxser_get_icount,
40813 };
40814
40815 -struct tty_port_operations mxser_port_ops = {
40816 +const struct tty_port_operations mxser_port_ops = {
40817 .carrier_raised = mxser_carrier_raised,
40818 .dtr_rts = mxser_dtr_rts,
40819 .activate = mxser_activate,
40820 diff -urNp linux-2.6.39.1/drivers/tty/n_gsm.c linux-2.6.39.1/drivers/tty/n_gsm.c
40821 --- linux-2.6.39.1/drivers/tty/n_gsm.c 2011-05-19 00:06:34.000000000 -0400
40822 +++ linux-2.6.39.1/drivers/tty/n_gsm.c 2011-05-22 19:36:32.000000000 -0400
40823 @@ -1588,7 +1588,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
40824 return NULL;
40825 spin_lock_init(&dlci->lock);
40826 dlci->fifo = &dlci->_fifo;
40827 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
40828 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
40829 kfree(dlci);
40830 return NULL;
40831 }
40832 diff -urNp linux-2.6.39.1/drivers/tty/n_tty.c linux-2.6.39.1/drivers/tty/n_tty.c
40833 --- linux-2.6.39.1/drivers/tty/n_tty.c 2011-05-19 00:06:34.000000000 -0400
40834 +++ linux-2.6.39.1/drivers/tty/n_tty.c 2011-05-22 19:36:32.000000000 -0400
40835 @@ -2122,6 +2122,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
40836 {
40837 *ops = tty_ldisc_N_TTY;
40838 ops->owner = NULL;
40839 - ops->refcount = ops->flags = 0;
40840 + atomic_set(&ops->refcount, 0);
40841 + ops->flags = 0;
40842 }
40843 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
40844 diff -urNp linux-2.6.39.1/drivers/tty/pty.c linux-2.6.39.1/drivers/tty/pty.c
40845 --- linux-2.6.39.1/drivers/tty/pty.c 2011-05-19 00:06:34.000000000 -0400
40846 +++ linux-2.6.39.1/drivers/tty/pty.c 2011-05-22 19:36:32.000000000 -0400
40847 @@ -699,7 +699,18 @@ out:
40848 return retval;
40849 }
40850
40851 -static struct file_operations ptmx_fops;
40852 +static const struct file_operations ptmx_fops = {
40853 + .llseek = no_llseek,
40854 + .read = tty_read,
40855 + .write = tty_write,
40856 + .poll = tty_poll,
40857 + .unlocked_ioctl = tty_ioctl,
40858 + .compat_ioctl = tty_compat_ioctl,
40859 + .open = ptmx_open,
40860 + .release = tty_release,
40861 + .fasync = tty_fasync,
40862 +};
40863 +
40864
40865 static void __init unix98_pty_init(void)
40866 {
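Review bot: The new `ptmx_fops` initializer hand-copies the handlers that `tty_default_fops(&ptmx_fops)` used to fill in at init time (removed in the next hunk), so it will silently drift if the default tty file operations ever gain or change a handler. A comment above the table, e.g. `/* static copy of the default tty fops with .open = ptmx_open; keep in sync */`, would flag the coupling. The hunk also leaves two blank lines after the closing `};`, and one of them can go.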
40867 @@ -752,10 +763,6 @@ static void __init unix98_pty_init(void)
40868
40869 register_sysctl_table(pty_root_table);
40870
40871 - /* Now create the /dev/ptmx special device */
40872 - tty_default_fops(&ptmx_fops);
40873 - ptmx_fops.open = ptmx_open;
40874 -
40875 cdev_init(&ptmx_cdev, &ptmx_fops);
40876 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
40877 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
40878 diff -urNp linux-2.6.39.1/drivers/tty/rocket.c linux-2.6.39.1/drivers/tty/rocket.c
40879 --- linux-2.6.39.1/drivers/tty/rocket.c 2011-05-19 00:06:34.000000000 -0400
40880 +++ linux-2.6.39.1/drivers/tty/rocket.c 2011-05-22 19:36:32.000000000 -0400
40881 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
40882 struct rocket_ports tmp;
40883 int board;
40884
40885 + pax_track_stack();
40886 +
40887 if (!retports)
40888 return -EFAULT;
40889 memset(&tmp, 0, sizeof (tmp));
40890 diff -urNp linux-2.6.39.1/drivers/tty/serial/21285.c linux-2.6.39.1/drivers/tty/serial/21285.c
40891 --- linux-2.6.39.1/drivers/tty/serial/21285.c 2011-05-19 00:06:34.000000000 -0400
40892 +++ linux-2.6.39.1/drivers/tty/serial/21285.c 2011-05-22 19:36:32.000000000 -0400
40893 @@ -340,7 +340,7 @@ static int serial21285_verify_port(struc
40894 return ret;
40895 }
40896
40897 -static struct uart_ops serial21285_ops = {
40898 +static const struct uart_ops serial21285_ops = {
40899 .tx_empty = serial21285_tx_empty,
40900 .get_mctrl = serial21285_get_mctrl,
40901 .set_mctrl = serial21285_set_mctrl,
40902 diff -urNp linux-2.6.39.1/drivers/tty/serial/8250.c linux-2.6.39.1/drivers/tty/serial/8250.c
40903 --- linux-2.6.39.1/drivers/tty/serial/8250.c 2011-05-19 00:06:34.000000000 -0400
40904 +++ linux-2.6.39.1/drivers/tty/serial/8250.c 2011-05-22 19:36:32.000000000 -0400
40905 @@ -2708,7 +2708,7 @@ serial8250_type(struct uart_port *port)
40906 return uart_config[type].name;
40907 }
40908
40909 -static struct uart_ops serial8250_pops = {
40910 +static const struct uart_ops serial8250_pops = {
40911 .tx_empty = serial8250_tx_empty,
40912 .set_mctrl = serial8250_set_mctrl,
40913 .get_mctrl = serial8250_get_mctrl,
40914 diff -urNp linux-2.6.39.1/drivers/tty/serial/altera_jtaguart.c linux-2.6.39.1/drivers/tty/serial/altera_jtaguart.c
40915 --- linux-2.6.39.1/drivers/tty/serial/altera_jtaguart.c 2011-05-19 00:06:34.000000000 -0400
40916 +++ linux-2.6.39.1/drivers/tty/serial/altera_jtaguart.c 2011-05-22 19:36:32.000000000 -0400
40917 @@ -281,7 +281,7 @@ static int altera_jtaguart_verify_port(s
40918 /*
40919 * Define the basic serial functions we support.
40920 */
40921 -static struct uart_ops altera_jtaguart_ops = {
40922 +static const struct uart_ops altera_jtaguart_ops = {
40923 .tx_empty = altera_jtaguart_tx_empty,
40924 .get_mctrl = altera_jtaguart_get_mctrl,
40925 .set_mctrl = altera_jtaguart_set_mctrl,
40926 diff -urNp linux-2.6.39.1/drivers/tty/serial/altera_uart.c linux-2.6.39.1/drivers/tty/serial/altera_uart.c
40927 --- linux-2.6.39.1/drivers/tty/serial/altera_uart.c 2011-05-19 00:06:34.000000000 -0400
40928 +++ linux-2.6.39.1/drivers/tty/serial/altera_uart.c 2011-05-22 19:36:32.000000000 -0400
40929 @@ -380,7 +380,7 @@ static int altera_uart_verify_port(struc
40930 /*
40931 * Define the basic serial functions we support.
40932 */
40933 -static struct uart_ops altera_uart_ops = {
40934 +static const struct uart_ops altera_uart_ops = {
40935 .tx_empty = altera_uart_tx_empty,
40936 .get_mctrl = altera_uart_get_mctrl,
40937 .set_mctrl = altera_uart_set_mctrl,
40938 diff -urNp linux-2.6.39.1/drivers/tty/serial/amba-pl010.c linux-2.6.39.1/drivers/tty/serial/amba-pl010.c
40939 --- linux-2.6.39.1/drivers/tty/serial/amba-pl010.c 2011-05-19 00:06:34.000000000 -0400
40940 +++ linux-2.6.39.1/drivers/tty/serial/amba-pl010.c 2011-05-22 19:36:32.000000000 -0400
40941 @@ -529,7 +529,7 @@ static int pl010_verify_port(struct uart
40942 return ret;
40943 }
40944
40945 -static struct uart_ops amba_pl010_pops = {
40946 +static const struct uart_ops amba_pl010_pops = {
40947 .tx_empty = pl010_tx_empty,
40948 .set_mctrl = pl010_set_mctrl,
40949 .get_mctrl = pl010_get_mctrl,
40950 diff -urNp linux-2.6.39.1/drivers/tty/serial/amba-pl011.c linux-2.6.39.1/drivers/tty/serial/amba-pl011.c
40951 --- linux-2.6.39.1/drivers/tty/serial/amba-pl011.c 2011-05-19 00:06:34.000000000 -0400
40952 +++ linux-2.6.39.1/drivers/tty/serial/amba-pl011.c 2011-05-22 19:36:32.000000000 -0400
40953 @@ -1581,7 +1581,7 @@ static int pl010_verify_port(struct uart
40954 return ret;
40955 }
40956
40957 -static struct uart_ops amba_pl011_pops = {
40958 +static const struct uart_ops amba_pl011_pops = {
40959 .tx_empty = pl01x_tx_empty,
40960 .set_mctrl = pl011_set_mctrl,
40961 .get_mctrl = pl01x_get_mctrl,
40962 diff -urNp linux-2.6.39.1/drivers/tty/serial/apbuart.c linux-2.6.39.1/drivers/tty/serial/apbuart.c
40963 --- linux-2.6.39.1/drivers/tty/serial/apbuart.c 2011-05-19 00:06:34.000000000 -0400
40964 +++ linux-2.6.39.1/drivers/tty/serial/apbuart.c 2011-05-22 19:36:32.000000000 -0400
40965 @@ -328,7 +328,7 @@ static int apbuart_verify_port(struct ua
40966 return ret;
40967 }
40968
40969 -static struct uart_ops grlib_apbuart_ops = {
40970 +static const struct uart_ops grlib_apbuart_ops = {
40971 .tx_empty = apbuart_tx_empty,
40972 .set_mctrl = apbuart_set_mctrl,
40973 .get_mctrl = apbuart_get_mctrl,
40974 diff -urNp linux-2.6.39.1/drivers/tty/serial/atmel_serial.c linux-2.6.39.1/drivers/tty/serial/atmel_serial.c
40975 --- linux-2.6.39.1/drivers/tty/serial/atmel_serial.c 2011-05-19 00:06:34.000000000 -0400
40976 +++ linux-2.6.39.1/drivers/tty/serial/atmel_serial.c 2011-05-22 19:36:32.000000000 -0400
40977 @@ -1382,7 +1382,7 @@ atmel_ioctl(struct uart_port *port, unsi
40978
40979
40980
40981 -static struct uart_ops atmel_pops = {
40982 +static const struct uart_ops atmel_pops = {
40983 .tx_empty = atmel_tx_empty,
40984 .set_mctrl = atmel_set_mctrl,
40985 .get_mctrl = atmel_get_mctrl,
40986 diff -urNp linux-2.6.39.1/drivers/tty/serial/bcm63xx_uart.c linux-2.6.39.1/drivers/tty/serial/bcm63xx_uart.c
40987 --- linux-2.6.39.1/drivers/tty/serial/bcm63xx_uart.c 2011-05-19 00:06:34.000000000 -0400
40988 +++ linux-2.6.39.1/drivers/tty/serial/bcm63xx_uart.c 2011-05-22 19:36:32.000000000 -0400
40989 @@ -636,7 +636,7 @@ static int bcm_uart_verify_port(struct u
40990 }
40991
40992 /* serial core callbacks */
40993 -static struct uart_ops bcm_uart_ops = {
40994 +static const struct uart_ops bcm_uart_ops = {
40995 .tx_empty = bcm_uart_tx_empty,
40996 .get_mctrl = bcm_uart_get_mctrl,
40997 .set_mctrl = bcm_uart_set_mctrl,
40998 diff -urNp linux-2.6.39.1/drivers/tty/serial/bfin_5xx.c linux-2.6.39.1/drivers/tty/serial/bfin_5xx.c
40999 --- linux-2.6.39.1/drivers/tty/serial/bfin_5xx.c 2011-05-19 00:06:34.000000000 -0400
41000 +++ linux-2.6.39.1/drivers/tty/serial/bfin_5xx.c 2011-05-22 19:36:32.000000000 -0400
41001 @@ -1036,7 +1036,7 @@ static int bfin_kgdboc_port_startup(stru
41002 }
41003 #endif
41004
41005 -static struct uart_ops bfin_serial_pops = {
41006 +static const struct uart_ops bfin_serial_pops = {
41007 .tx_empty = bfin_serial_tx_empty,
41008 .set_mctrl = bfin_serial_set_mctrl,
41009 .get_mctrl = bfin_serial_get_mctrl,
41010 diff -urNp linux-2.6.39.1/drivers/tty/serial/bfin_sport_uart.c linux-2.6.39.1/drivers/tty/serial/bfin_sport_uart.c
41011 --- linux-2.6.39.1/drivers/tty/serial/bfin_sport_uart.c 2011-05-19 00:06:34.000000000 -0400
41012 +++ linux-2.6.39.1/drivers/tty/serial/bfin_sport_uart.c 2011-05-22 19:36:32.000000000 -0400
41013 @@ -571,7 +571,7 @@ static void sport_set_termios(struct uar
41014 spin_unlock_irqrestore(&up->port.lock, flags);
41015 }
41016
41017 -struct uart_ops sport_uart_ops = {
41018 +const struct uart_ops sport_uart_ops = {
41019 .tx_empty = sport_tx_empty,
41020 .set_mctrl = sport_set_mctrl,
41021 .get_mctrl = sport_get_mctrl,
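Review bot: `sport_uart_ops` keeps external linkage after this change (`const struct uart_ops sport_uart_ops = {`, no `static`), unlike almost every other table constified in this directory. If a header or another translation unit still declares it without `const`, the declarations now conflict; if nothing outside the file refers to it, `static const struct uart_ops sport_uart_ops = {` would be the tighter form. Neither can be confirmed from this hunk, and the initializer continues past its end. The same applies to `serial_hsu_pops` (mfd.c), `serial_m3110_ops` (mrst_max3110.c) and `serial_pxa_pops` (pxa.c) further down.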
41022 diff -urNp linux-2.6.39.1/drivers/tty/serial/clps711x.c linux-2.6.39.1/drivers/tty/serial/clps711x.c
41023 --- linux-2.6.39.1/drivers/tty/serial/clps711x.c 2011-05-19 00:06:34.000000000 -0400
41024 +++ linux-2.6.39.1/drivers/tty/serial/clps711x.c 2011-05-22 19:36:32.000000000 -0400
41025 @@ -380,7 +380,7 @@ static int clps711xuart_request_port(str
41026 return 0;
41027 }
41028
41029 -static struct uart_ops clps711x_pops = {
41030 +static const struct uart_ops clps711x_pops = {
41031 .tx_empty = clps711xuart_tx_empty,
41032 .set_mctrl = clps711xuart_set_mctrl_null,
41033 .get_mctrl = clps711xuart_get_mctrl,
41034 diff -urNp linux-2.6.39.1/drivers/tty/serial/cpm_uart/cpm_uart_core.c linux-2.6.39.1/drivers/tty/serial/cpm_uart/cpm_uart_core.c
41035 --- linux-2.6.39.1/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-19 00:06:34.000000000 -0400
41036 +++ linux-2.6.39.1/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-22 19:36:32.000000000 -0400
41037 @@ -1099,7 +1099,7 @@ static void cpm_put_poll_char(struct uar
41038 }
41039 #endif /* CONFIG_CONSOLE_POLL */
41040
41041 -static struct uart_ops cpm_uart_pops = {
41042 +static const struct uart_ops cpm_uart_pops = {
41043 .tx_empty = cpm_uart_tx_empty,
41044 .set_mctrl = cpm_uart_set_mctrl,
41045 .get_mctrl = cpm_uart_get_mctrl,
41046 diff -urNp linux-2.6.39.1/drivers/tty/serial/dz.c linux-2.6.39.1/drivers/tty/serial/dz.c
41047 --- linux-2.6.39.1/drivers/tty/serial/dz.c 2011-05-19 00:06:34.000000000 -0400
41048 +++ linux-2.6.39.1/drivers/tty/serial/dz.c 2011-05-22 19:36:32.000000000 -0400
41049 @@ -746,7 +746,7 @@ static int dz_verify_port(struct uart_po
41050 return ret;
41051 }
41052
41053 -static struct uart_ops dz_ops = {
41054 +static const struct uart_ops dz_ops = {
41055 .tx_empty = dz_tx_empty,
41056 .get_mctrl = dz_get_mctrl,
41057 .set_mctrl = dz_set_mctrl,
41058 diff -urNp linux-2.6.39.1/drivers/tty/serial/imx.c linux-2.6.39.1/drivers/tty/serial/imx.c
41059 --- linux-2.6.39.1/drivers/tty/serial/imx.c 2011-05-19 00:06:34.000000000 -0400
41060 +++ linux-2.6.39.1/drivers/tty/serial/imx.c 2011-05-22 19:36:32.000000000 -0400
41061 @@ -1018,7 +1018,7 @@ imx_verify_port(struct uart_port *port,
41062 return ret;
41063 }
41064
41065 -static struct uart_ops imx_pops = {
41066 +static const struct uart_ops imx_pops = {
41067 .tx_empty = imx_tx_empty,
41068 .set_mctrl = imx_set_mctrl,
41069 .get_mctrl = imx_get_mctrl,
41070 diff -urNp linux-2.6.39.1/drivers/tty/serial/ioc3_serial.c linux-2.6.39.1/drivers/tty/serial/ioc3_serial.c
41071 --- linux-2.6.39.1/drivers/tty/serial/ioc3_serial.c 2011-05-19 00:06:34.000000000 -0400
41072 +++ linux-2.6.39.1/drivers/tty/serial/ioc3_serial.c 2011-05-22 19:36:32.000000000 -0400
41073 @@ -1874,7 +1874,7 @@ static int ic3_request_port(struct uart_
41074 }
41075
41076 /* Associate the uart functions above - given to serial core */
41077 -static struct uart_ops ioc3_ops = {
41078 +static const struct uart_ops ioc3_ops = {
41079 .tx_empty = ic3_tx_empty,
41080 .set_mctrl = ic3_set_mctrl,
41081 .get_mctrl = ic3_get_mctrl,
41082 diff -urNp linux-2.6.39.1/drivers/tty/serial/ioc4_serial.c linux-2.6.39.1/drivers/tty/serial/ioc4_serial.c
41083 --- linux-2.6.39.1/drivers/tty/serial/ioc4_serial.c 2011-05-19 00:06:34.000000000 -0400
41084 +++ linux-2.6.39.1/drivers/tty/serial/ioc4_serial.c 2011-05-22 19:36:32.000000000 -0400
41085 @@ -2593,7 +2593,7 @@ static int ic4_request_port(struct uart_
41086
41087 /* Associate the uart functions above - given to serial core */
41088
41089 -static struct uart_ops ioc4_ops = {
41090 +static const struct uart_ops ioc4_ops = {
41091 .tx_empty = ic4_tx_empty,
41092 .set_mctrl = ic4_set_mctrl,
41093 .get_mctrl = ic4_get_mctrl,
41094 diff -urNp linux-2.6.39.1/drivers/tty/serial/ip22zilog.c linux-2.6.39.1/drivers/tty/serial/ip22zilog.c
41095 --- linux-2.6.39.1/drivers/tty/serial/ip22zilog.c 2011-05-19 00:06:34.000000000 -0400
41096 +++ linux-2.6.39.1/drivers/tty/serial/ip22zilog.c 2011-05-22 19:36:32.000000000 -0400
41097 @@ -928,7 +928,7 @@ static int ip22zilog_verify_port(struct
41098 return -EINVAL;
41099 }
41100
41101 -static struct uart_ops ip22zilog_pops = {
41102 +static const struct uart_ops ip22zilog_pops = {
41103 .tx_empty = ip22zilog_tx_empty,
41104 .set_mctrl = ip22zilog_set_mctrl,
41105 .get_mctrl = ip22zilog_get_mctrl,
41106 diff -urNp linux-2.6.39.1/drivers/tty/serial/kgdboc.c linux-2.6.39.1/drivers/tty/serial/kgdboc.c
41107 --- linux-2.6.39.1/drivers/tty/serial/kgdboc.c 2011-05-19 00:06:34.000000000 -0400
41108 +++ linux-2.6.39.1/drivers/tty/serial/kgdboc.c 2011-05-22 19:36:32.000000000 -0400
41109 @@ -22,7 +22,7 @@
41110
41111 #define MAX_CONFIG_LEN 40
41112
41113 -static struct kgdb_io kgdboc_io_ops;
41114 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
41115
41116 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
41117 static int configured = -1;
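Review bot: The added comment on `kgdboc_io_ops` names configure_kgdboc() but not what that function does to the structure, so a reader must leave this hunk to learn why this one ops table stays writable while its siblings are constified. If the reason is a member that configure_kgdboc() assigns at runtime (not visible here), naming it would make the exception auditable, e.g. `/* cannot be const: configure_kgdboc() writes <member> at runtime */`. The same comment is repeated on the definition in the second hunk of this file and would want the same wording.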
41118 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
41119 kgdboc_restore_input();
41120 }
41121
41122 -static struct kgdb_io kgdboc_io_ops = {
41123 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
41124 .name = "kgdboc",
41125 .read_char = kgdboc_get_char,
41126 .write_char = kgdboc_put_char,
41127 diff -urNp linux-2.6.39.1/drivers/tty/serial/m32r_sio.c linux-2.6.39.1/drivers/tty/serial/m32r_sio.c
41128 --- linux-2.6.39.1/drivers/tty/serial/m32r_sio.c 2011-05-19 00:06:34.000000000 -0400
41129 +++ linux-2.6.39.1/drivers/tty/serial/m32r_sio.c 2011-05-22 19:36:32.000000000 -0400
41130 @@ -939,7 +939,7 @@ m32r_sio_type(struct uart_port *port)
41131 return uart_config[type].name;
41132 }
41133
41134 -static struct uart_ops m32r_sio_pops = {
41135 +static const struct uart_ops m32r_sio_pops = {
41136 .tx_empty = m32r_sio_tx_empty,
41137 .set_mctrl = m32r_sio_set_mctrl,
41138 .get_mctrl = m32r_sio_get_mctrl,
41139 diff -urNp linux-2.6.39.1/drivers/tty/serial/max3100.c linux-2.6.39.1/drivers/tty/serial/max3100.c
41140 --- linux-2.6.39.1/drivers/tty/serial/max3100.c 2011-05-19 00:06:34.000000000 -0400
41141 +++ linux-2.6.39.1/drivers/tty/serial/max3100.c 2011-05-22 19:36:32.000000000 -0400
41142 @@ -710,7 +710,7 @@ static void max3100_break_ctl(struct uar
41143 dev_dbg(&s->spi->dev, "%s\n", __func__);
41144 }
41145
41146 -static struct uart_ops max3100_ops = {
41147 +static const struct uart_ops max3100_ops = {
41148 .tx_empty = max3100_tx_empty,
41149 .set_mctrl = max3100_set_mctrl,
41150 .get_mctrl = max3100_get_mctrl,
41151 diff -urNp linux-2.6.39.1/drivers/tty/serial/max3107.c linux-2.6.39.1/drivers/tty/serial/max3107.c
41152 --- linux-2.6.39.1/drivers/tty/serial/max3107.c 2011-05-19 00:06:34.000000000 -0400
41153 +++ linux-2.6.39.1/drivers/tty/serial/max3107.c 2011-05-22 19:36:32.000000000 -0400
41154 @@ -910,7 +910,7 @@ static void max3107_break_ctl(struct uar
41155
41156
41157 /* Port functions */
41158 -static struct uart_ops max3107_ops = {
41159 +static const struct uart_ops max3107_ops = {
41160 .tx_empty = max3107_tx_empty,
41161 .set_mctrl = max3107_set_mctrl,
41162 .get_mctrl = max3107_get_mctrl,
41163 diff -urNp linux-2.6.39.1/drivers/tty/serial/mfd.c linux-2.6.39.1/drivers/tty/serial/mfd.c
41164 --- linux-2.6.39.1/drivers/tty/serial/mfd.c 2011-05-19 00:06:34.000000000 -0400
41165 +++ linux-2.6.39.1/drivers/tty/serial/mfd.c 2011-05-22 19:36:32.000000000 -0400
41166 @@ -1178,7 +1178,7 @@ static struct console serial_hsu_console
41167 };
41168 #endif
41169
41170 -struct uart_ops serial_hsu_pops = {
41171 +const struct uart_ops serial_hsu_pops = {
41172 .tx_empty = serial_hsu_tx_empty,
41173 .set_mctrl = serial_hsu_set_mctrl,
41174 .get_mctrl = serial_hsu_get_mctrl,
41175 diff -urNp linux-2.6.39.1/drivers/tty/serial/mpc52xx_uart.c linux-2.6.39.1/drivers/tty/serial/mpc52xx_uart.c
41176 --- linux-2.6.39.1/drivers/tty/serial/mpc52xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41177 +++ linux-2.6.39.1/drivers/tty/serial/mpc52xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41178 @@ -283,7 +283,7 @@ static irqreturn_t mpc52xx_psc_handle_ir
41179 return mpc5xxx_uart_process_int(port);
41180 }
41181
41182 -static struct psc_ops mpc52xx_psc_ops = {
41183 +static const struct psc_ops mpc52xx_psc_ops = {
41184 .fifo_init = mpc52xx_psc_fifo_init,
41185 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41186 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41187 @@ -304,7 +304,7 @@ static struct psc_ops mpc52xx_psc_ops =
41188 .handle_irq = mpc52xx_psc_handle_irq,
41189 };
41190
41191 -static struct psc_ops mpc5200b_psc_ops = {
41192 +static const struct psc_ops mpc5200b_psc_ops = {
41193 .fifo_init = mpc52xx_psc_fifo_init,
41194 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41195 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41196 @@ -571,7 +571,7 @@ static void mpc512x_psc_get_irq(struct u
41197 port->irq = psc_fifoc_irq;
41198 }
41199
41200 -static struct psc_ops mpc512x_psc_ops = {
41201 +static const struct psc_ops mpc512x_psc_ops = {
41202 .fifo_init = mpc512x_psc_fifo_init,
41203 .raw_rx_rdy = mpc512x_psc_raw_rx_rdy,
41204 .raw_tx_rdy = mpc512x_psc_raw_tx_rdy,
41205 @@ -596,7 +596,7 @@ static struct psc_ops mpc512x_psc_ops =
41206 };
41207 #endif
41208
41209 -static struct psc_ops *psc_ops;
41210 +static const struct psc_ops *psc_ops;
41211
41212 /* ======================================================================== */
41213 /* UART operations */
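Review bot: The new `static const struct psc_ops *psc_ops;` makes the pointed-to tables read-only, but the pointer variable itself is still an ordinary writable static, so every indirect call made through it is only as protected as that one word of data. If `psc_ops` is assigned only once during probe or init (the assignment is outside this hunk, so this needs confirming), the pointer could also be annotated, e.g. `static const struct psc_ops *psc_ops __read_only;`, assuming the patch set's `__read_only` annotation is available to this file and effective on this architecture. If the pointer really changes at runtime, a one-line comment saying so would document why it stays writable.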
41214 @@ -905,7 +905,7 @@ mpc52xx_uart_verify_port(struct uart_por
41215 }
41216
41217
41218 -static struct uart_ops mpc52xx_uart_ops = {
41219 +static const struct uart_ops mpc52xx_uart_ops = {
41220 .tx_empty = mpc52xx_uart_tx_empty,
41221 .set_mctrl = mpc52xx_uart_set_mctrl,
41222 .get_mctrl = mpc52xx_uart_get_mctrl,
41223 diff -urNp linux-2.6.39.1/drivers/tty/serial/mpsc.c linux-2.6.39.1/drivers/tty/serial/mpsc.c
41224 --- linux-2.6.39.1/drivers/tty/serial/mpsc.c 2011-05-19 00:06:34.000000000 -0400
41225 +++ linux-2.6.39.1/drivers/tty/serial/mpsc.c 2011-05-22 19:36:32.000000000 -0400
41226 @@ -1663,7 +1663,7 @@ static void mpsc_put_poll_char(struct ua
41227 }
41228 #endif
41229
41230 -static struct uart_ops mpsc_pops = {
41231 +static const struct uart_ops mpsc_pops = {
41232 .tx_empty = mpsc_tx_empty,
41233 .set_mctrl = mpsc_set_mctrl,
41234 .get_mctrl = mpsc_get_mctrl,
41235 diff -urNp linux-2.6.39.1/drivers/tty/serial/mrst_max3110.c linux-2.6.39.1/drivers/tty/serial/mrst_max3110.c
41236 --- linux-2.6.39.1/drivers/tty/serial/mrst_max3110.c 2011-05-19 00:06:34.000000000 -0400
41237 +++ linux-2.6.39.1/drivers/tty/serial/mrst_max3110.c 2011-05-22 19:36:32.000000000 -0400
41238 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
41239 int loop = 1, num, total = 0;
41240 u8 recv_buf[512], *pbuf;
41241
41242 + pax_track_stack();
41243 +
41244 pbuf = recv_buf;
41245 do {
41246 num = max3110_read_multi(max, pbuf);
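Review bot: The added `pax_track_stack();` in max3110_con_receive() carries no comment saying why this function is instrumented, and the only reason visible in the hunk is the 512-byte `recv_buf` declared just above it. A short comment would keep the call from being dropped or left behind when that buffer is resized or moved off the stack, e.g. `/* large frame (recv_buf[512]): let PaX track stack depth here */`. The function body continues past the end of this hunk, so other large locals cannot be ruled out from here.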
41247 @@ -726,7 +728,7 @@ static void serial_m3110_enable_ms(struc
41248 {
41249 }
41250
41251 -struct uart_ops serial_m3110_ops = {
41252 +const struct uart_ops serial_m3110_ops = {
41253 .tx_empty = serial_m3110_tx_empty,
41254 .set_mctrl = serial_m3110_set_mctrl,
41255 .get_mctrl = serial_m3110_get_mctrl,
41256 diff -urNp linux-2.6.39.1/drivers/tty/serial/msm_serial.c linux-2.6.39.1/drivers/tty/serial/msm_serial.c
41257 --- linux-2.6.39.1/drivers/tty/serial/msm_serial.c 2011-05-19 00:06:34.000000000 -0400
41258 +++ linux-2.6.39.1/drivers/tty/serial/msm_serial.c 2011-05-22 19:36:32.000000000 -0400
41259 @@ -702,7 +702,7 @@ static void msm_power(struct uart_port *
41260 }
41261 }
41262
41263 -static struct uart_ops msm_uart_pops = {
41264 +static const struct uart_ops msm_uart_pops = {
41265 .tx_empty = msm_tx_empty,
41266 .set_mctrl = msm_set_mctrl,
41267 .get_mctrl = msm_get_mctrl,
41268 diff -urNp linux-2.6.39.1/drivers/tty/serial/msm_serial_hs.c linux-2.6.39.1/drivers/tty/serial/msm_serial_hs.c
41269 --- linux-2.6.39.1/drivers/tty/serial/msm_serial_hs.c 2011-05-19 00:06:34.000000000 -0400
41270 +++ linux-2.6.39.1/drivers/tty/serial/msm_serial_hs.c 2011-05-22 19:36:32.000000000 -0400
41271 @@ -360,7 +360,7 @@ struct msm_hs_port {
41272 static struct msm_hs_port q_uart_port[UARTDM_NR];
41273 static struct platform_driver msm_serial_hs_platform_driver;
41274 static struct uart_driver msm_hs_driver;
41275 -static struct uart_ops msm_hs_ops;
41276 +static const struct uart_ops msm_hs_ops;
41277 static struct workqueue_struct *msm_hs_workqueue;
41278
41279 #define UARTDM_TO_MSM(uart_port) \
41280 @@ -1856,7 +1856,7 @@ static struct uart_driver msm_hs_driver
41281 .cons = 0,
41282 };
41283
41284 -static struct uart_ops msm_hs_ops = {
41285 +static const struct uart_ops msm_hs_ops = {
41286 .tx_empty = msm_hs_tx_empty,
41287 .set_mctrl = msm_hs_set_mctrl_locked,
41288 .get_mctrl = msm_hs_get_mctrl_locked,
41289 diff -urNp linux-2.6.39.1/drivers/tty/serial/mux.c linux-2.6.39.1/drivers/tty/serial/mux.c
41290 --- linux-2.6.39.1/drivers/tty/serial/mux.c 2011-05-19 00:06:34.000000000 -0400
41291 +++ linux-2.6.39.1/drivers/tty/serial/mux.c 2011-05-22 19:36:32.000000000 -0400
41292 @@ -442,7 +442,7 @@ static struct console mux_console = {
41293 #define MUX_CONSOLE NULL
41294 #endif
41295
41296 -static struct uart_ops mux_pops = {
41297 +static const struct uart_ops mux_pops = {
41298 .tx_empty = mux_tx_empty,
41299 .set_mctrl = mux_set_mctrl,
41300 .get_mctrl = mux_get_mctrl,
41301 diff -urNp linux-2.6.39.1/drivers/tty/serial/mxs-auart.c linux-2.6.39.1/drivers/tty/serial/mxs-auart.c
41302 --- linux-2.6.39.1/drivers/tty/serial/mxs-auart.c 2011-05-19 00:06:34.000000000 -0400
41303 +++ linux-2.6.39.1/drivers/tty/serial/mxs-auart.c 2011-05-22 19:36:32.000000000 -0400
41304 @@ -499,7 +499,7 @@ static void mxs_auart_enable_ms(struct u
41305 /* just empty */
41306 }
41307
41308 -static struct uart_ops mxs_auart_ops = {
41309 +static const struct uart_ops mxs_auart_ops = {
41310 .tx_empty = mxs_auart_tx_empty,
41311 .start_tx = mxs_auart_start_tx,
41312 .stop_tx = mxs_auart_stop_tx,
41313 diff -urNp linux-2.6.39.1/drivers/tty/serial/netx-serial.c linux-2.6.39.1/drivers/tty/serial/netx-serial.c
41314 --- linux-2.6.39.1/drivers/tty/serial/netx-serial.c 2011-05-19 00:06:34.000000000 -0400
41315 +++ linux-2.6.39.1/drivers/tty/serial/netx-serial.c 2011-05-22 19:36:32.000000000 -0400
41316 @@ -464,7 +464,7 @@ netx_verify_port(struct uart_port *port,
41317 return ret;
41318 }
41319
41320 -static struct uart_ops netx_pops = {
41321 +static const struct uart_ops netx_pops = {
41322 .tx_empty = netx_tx_empty,
41323 .set_mctrl = netx_set_mctrl,
41324 .get_mctrl = netx_get_mctrl,
41325 diff -urNp linux-2.6.39.1/drivers/tty/serial/nwpserial.c linux-2.6.39.1/drivers/tty/serial/nwpserial.c
41326 --- linux-2.6.39.1/drivers/tty/serial/nwpserial.c 2011-05-19 00:06:34.000000000 -0400
41327 +++ linux-2.6.39.1/drivers/tty/serial/nwpserial.c 2011-05-22 19:36:32.000000000 -0400
41328 @@ -303,7 +303,7 @@ static unsigned int nwpserial_tx_empty(s
41329 return ret & UART_LSR_TEMT ? TIOCSER_TEMT : 0;
41330 }
41331
41332 -static struct uart_ops nwpserial_pops = {
41333 +static const struct uart_ops nwpserial_pops = {
41334 .tx_empty = nwpserial_tx_empty,
41335 .set_mctrl = nwpserial_set_mctrl,
41336 .get_mctrl = nwpserial_get_mctrl,
41337 diff -urNp linux-2.6.39.1/drivers/tty/serial/omap-serial.c linux-2.6.39.1/drivers/tty/serial/omap-serial.c
41338 --- linux-2.6.39.1/drivers/tty/serial/omap-serial.c 2011-05-19 00:06:34.000000000 -0400
41339 +++ linux-2.6.39.1/drivers/tty/serial/omap-serial.c 2011-05-22 19:36:32.000000000 -0400
41340 @@ -1029,7 +1029,7 @@ static inline void serial_omap_add_conso
41341
41342 #endif
41343
41344 -static struct uart_ops serial_omap_pops = {
41345 +static const struct uart_ops serial_omap_pops = {
41346 .tx_empty = serial_omap_tx_empty,
41347 .set_mctrl = serial_omap_set_mctrl,
41348 .get_mctrl = serial_omap_get_mctrl,
41349 diff -urNp linux-2.6.39.1/drivers/tty/serial/pch_uart.c linux-2.6.39.1/drivers/tty/serial/pch_uart.c
41350 --- linux-2.6.39.1/drivers/tty/serial/pch_uart.c 2011-05-19 00:06:34.000000000 -0400
41351 +++ linux-2.6.39.1/drivers/tty/serial/pch_uart.c 2011-05-22 19:36:32.000000000 -0400
41352 @@ -1351,7 +1351,7 @@ static int pch_uart_verify_port(struct u
41353 return 0;
41354 }
41355
41356 -static struct uart_ops pch_uart_ops = {
41357 +static const struct uart_ops pch_uart_ops = {
41358 .tx_empty = pch_uart_tx_empty,
41359 .set_mctrl = pch_uart_set_mctrl,
41360 .get_mctrl = pch_uart_get_mctrl,
41361 diff -urNp linux-2.6.39.1/drivers/tty/serial/pmac_zilog.c linux-2.6.39.1/drivers/tty/serial/pmac_zilog.c
41362 --- linux-2.6.39.1/drivers/tty/serial/pmac_zilog.c 2011-05-19 00:06:34.000000000 -0400
41363 +++ linux-2.6.39.1/drivers/tty/serial/pmac_zilog.c 2011-05-22 19:36:32.000000000 -0400
41364 @@ -1427,7 +1427,7 @@ static void pmz_poll_put_char(struct uar
41365
41366 #endif /* CONFIG_CONSOLE_POLL */
41367
41368 -static struct uart_ops pmz_pops = {
41369 +static const struct uart_ops pmz_pops = {
41370 .tx_empty = pmz_tx_empty,
41371 .set_mctrl = pmz_set_mctrl,
41372 .get_mctrl = pmz_get_mctrl,
41373 diff -urNp linux-2.6.39.1/drivers/tty/serial/pnx8xxx_uart.c linux-2.6.39.1/drivers/tty/serial/pnx8xxx_uart.c
41374 --- linux-2.6.39.1/drivers/tty/serial/pnx8xxx_uart.c 2011-05-19 00:06:34.000000000 -0400
41375 +++ linux-2.6.39.1/drivers/tty/serial/pnx8xxx_uart.c 2011-05-22 19:36:32.000000000 -0400
41376 @@ -614,7 +614,7 @@ pnx8xxx_verify_port(struct uart_port *po
41377 return ret;
41378 }
41379
41380 -static struct uart_ops pnx8xxx_pops = {
41381 +static const struct uart_ops pnx8xxx_pops = {
41382 .tx_empty = pnx8xxx_tx_empty,
41383 .set_mctrl = pnx8xxx_set_mctrl,
41384 .get_mctrl = pnx8xxx_get_mctrl,
41385 diff -urNp linux-2.6.39.1/drivers/tty/serial/pxa.c linux-2.6.39.1/drivers/tty/serial/pxa.c
41386 --- linux-2.6.39.1/drivers/tty/serial/pxa.c 2011-05-19 00:06:34.000000000 -0400
41387 +++ linux-2.6.39.1/drivers/tty/serial/pxa.c 2011-05-22 19:36:32.000000000 -0400
41388 @@ -706,7 +706,7 @@ static struct console serial_pxa_console
41389 #define PXA_CONSOLE NULL
41390 #endif
41391
41392 -struct uart_ops serial_pxa_pops = {
41393 +const struct uart_ops serial_pxa_pops = {
41394 .tx_empty = serial_pxa_tx_empty,
41395 .set_mctrl = serial_pxa_set_mctrl,
41396 .get_mctrl = serial_pxa_get_mctrl,
41397 diff -urNp linux-2.6.39.1/drivers/tty/serial/sa1100.c linux-2.6.39.1/drivers/tty/serial/sa1100.c
41398 --- linux-2.6.39.1/drivers/tty/serial/sa1100.c 2011-05-19 00:06:34.000000000 -0400
41399 +++ linux-2.6.39.1/drivers/tty/serial/sa1100.c 2011-05-22 19:36:32.000000000 -0400
41400 @@ -577,7 +577,7 @@ sa1100_verify_port(struct uart_port *por
41401 return ret;
41402 }
41403
41404 -static struct uart_ops sa1100_pops = {
41405 +static const struct uart_ops sa1100_pops = {
41406 .tx_empty = sa1100_tx_empty,
41407 .set_mctrl = sa1100_set_mctrl,
41408 .get_mctrl = sa1100_get_mctrl,
41409 diff -urNp linux-2.6.39.1/drivers/tty/serial/samsung.c linux-2.6.39.1/drivers/tty/serial/samsung.c
41410 --- linux-2.6.39.1/drivers/tty/serial/samsung.c 2011-05-19 00:06:34.000000000 -0400
41411 +++ linux-2.6.39.1/drivers/tty/serial/samsung.c 2011-05-22 19:36:32.000000000 -0400
41412 @@ -860,7 +860,7 @@ static struct console s3c24xx_serial_con
41413 #define S3C24XX_SERIAL_CONSOLE NULL
41414 #endif
41415
41416 -static struct uart_ops s3c24xx_serial_ops = {
41417 +static const struct uart_ops s3c24xx_serial_ops = {
41418 .pm = s3c24xx_serial_pm,
41419 .tx_empty = s3c24xx_serial_tx_empty,
41420 .get_mctrl = s3c24xx_serial_get_mctrl,
41421 diff -urNp linux-2.6.39.1/drivers/tty/serial/sc26xx.c linux-2.6.39.1/drivers/tty/serial/sc26xx.c
41422 --- linux-2.6.39.1/drivers/tty/serial/sc26xx.c 2011-05-19 00:06:34.000000000 -0400
41423 +++ linux-2.6.39.1/drivers/tty/serial/sc26xx.c 2011-05-22 19:36:32.000000000 -0400
41424 @@ -515,7 +515,7 @@ static int sc26xx_verify_port(struct uar
41425 return -EINVAL;
41426 }
41427
41428 -static struct uart_ops sc26xx_ops = {
41429 +static const struct uart_ops sc26xx_ops = {
41430 .tx_empty = sc26xx_tx_empty,
41431 .set_mctrl = sc26xx_set_mctrl,
41432 .get_mctrl = sc26xx_get_mctrl,
41433 diff -urNp linux-2.6.39.1/drivers/tty/serial/serial_ks8695.c linux-2.6.39.1/drivers/tty/serial/serial_ks8695.c
41434 --- linux-2.6.39.1/drivers/tty/serial/serial_ks8695.c 2011-05-19 00:06:34.000000000 -0400
41435 +++ linux-2.6.39.1/drivers/tty/serial/serial_ks8695.c 2011-05-22 19:36:32.000000000 -0400
41436 @@ -528,7 +528,7 @@ static int ks8695uart_verify_port(struct
41437 return ret;
41438 }
41439
41440 -static struct uart_ops ks8695uart_pops = {
41441 +static const struct uart_ops ks8695uart_pops = {
41442 .tx_empty = ks8695uart_tx_empty,
41443 .set_mctrl = ks8695uart_set_mctrl,
41444 .get_mctrl = ks8695uart_get_mctrl,
41445 diff -urNp linux-2.6.39.1/drivers/tty/serial/serial_txx9.c linux-2.6.39.1/drivers/tty/serial/serial_txx9.c
41446 --- linux-2.6.39.1/drivers/tty/serial/serial_txx9.c 2011-05-19 00:06:34.000000000 -0400
41447 +++ linux-2.6.39.1/drivers/tty/serial/serial_txx9.c 2011-05-22 19:36:32.000000000 -0400
41448 @@ -857,7 +857,7 @@ serial_txx9_type(struct uart_port *port)
41449 return "txx9";
41450 }
41451
41452 -static struct uart_ops serial_txx9_pops = {
41453 +static const struct uart_ops serial_txx9_pops = {
41454 .tx_empty = serial_txx9_tx_empty,
41455 .set_mctrl = serial_txx9_set_mctrl,
41456 .get_mctrl = serial_txx9_get_mctrl,
41457 diff -urNp linux-2.6.39.1/drivers/tty/serial/sn_console.c linux-2.6.39.1/drivers/tty/serial/sn_console.c
41458 --- linux-2.6.39.1/drivers/tty/serial/sn_console.c 2011-05-19 00:06:34.000000000 -0400
41459 +++ linux-2.6.39.1/drivers/tty/serial/sn_console.c 2011-05-22 19:36:32.000000000 -0400
41460 @@ -388,7 +388,7 @@ static void snp_config_port(struct uart_
41461
41462 /* Associate the uart functions above - given to serial core */
41463
41464 -static struct uart_ops sn_console_ops = {
41465 +static const struct uart_ops sn_console_ops = {
41466 .tx_empty = snp_tx_empty,
41467 .set_mctrl = snp_set_mctrl,
41468 .get_mctrl = snp_get_mctrl,
41469 diff -urNp linux-2.6.39.1/drivers/tty/serial/sunhv.c linux-2.6.39.1/drivers/tty/serial/sunhv.c
41470 --- linux-2.6.39.1/drivers/tty/serial/sunhv.c 2011-05-19 00:06:34.000000000 -0400
41471 +++ linux-2.6.39.1/drivers/tty/serial/sunhv.c 2011-05-22 19:36:32.000000000 -0400
41472 @@ -168,12 +168,12 @@ struct sunhv_ops {
41473 int (*receive_chars)(struct uart_port *port, struct tty_struct *tty);
41474 };
41475
41476 -static struct sunhv_ops bychar_ops = {
41477 +static const struct sunhv_ops bychar_ops = {
41478 .transmit_chars = transmit_chars_putchar,
41479 .receive_chars = receive_chars_getchar,
41480 };
41481
41482 -static struct sunhv_ops bywrite_ops = {
41483 +static const struct sunhv_ops bywrite_ops = {
41484 .transmit_chars = transmit_chars_write,
41485 .receive_chars = receive_chars_read,
41486 };
41487 @@ -370,7 +370,7 @@ static int sunhv_verify_port(struct uart
41488 return -EINVAL;
41489 }
41490
41491 -static struct uart_ops sunhv_pops = {
41492 +static const struct uart_ops sunhv_pops = {
41493 .tx_empty = sunhv_tx_empty,
41494 .set_mctrl = sunhv_set_mctrl,
41495 .get_mctrl = sunhv_get_mctrl,
41496 diff -urNp linux-2.6.39.1/drivers/tty/serial/sunsab.c linux-2.6.39.1/drivers/tty/serial/sunsab.c
41497 --- linux-2.6.39.1/drivers/tty/serial/sunsab.c 2011-05-19 00:06:34.000000000 -0400
41498 +++ linux-2.6.39.1/drivers/tty/serial/sunsab.c 2011-05-22 19:36:32.000000000 -0400
41499 @@ -804,7 +804,7 @@ static int sunsab_verify_port(struct uar
41500 return -EINVAL;
41501 }
41502
41503 -static struct uart_ops sunsab_pops = {
41504 +static const struct uart_ops sunsab_pops = {
41505 .tx_empty = sunsab_tx_empty,
41506 .set_mctrl = sunsab_set_mctrl,
41507 .get_mctrl = sunsab_get_mctrl,
41508 diff -urNp linux-2.6.39.1/drivers/tty/serial/sunsu.c linux-2.6.39.1/drivers/tty/serial/sunsu.c
41509 --- linux-2.6.39.1/drivers/tty/serial/sunsu.c 2011-05-19 00:06:34.000000000 -0400
41510 +++ linux-2.6.39.1/drivers/tty/serial/sunsu.c 2011-05-22 19:36:32.000000000 -0400
41511 @@ -946,7 +946,7 @@ sunsu_type(struct uart_port *port)
41512 return uart_config[type].name;
41513 }
41514
41515 -static struct uart_ops sunsu_pops = {
41516 +static const struct uart_ops sunsu_pops = {
41517 .tx_empty = sunsu_tx_empty,
41518 .set_mctrl = sunsu_set_mctrl,
41519 .get_mctrl = sunsu_get_mctrl,
41520 diff -urNp linux-2.6.39.1/drivers/tty/serial/sunzilog.c linux-2.6.39.1/drivers/tty/serial/sunzilog.c
41521 --- linux-2.6.39.1/drivers/tty/serial/sunzilog.c 2011-05-19 00:06:34.000000000 -0400
41522 +++ linux-2.6.39.1/drivers/tty/serial/sunzilog.c 2011-05-22 19:36:32.000000000 -0400
41523 @@ -1042,7 +1042,7 @@ static void sunzilog_put_poll_char(struc
41524 }
41525 #endif /* CONFIG_CONSOLE_POLL */
41526
41527 -static struct uart_ops sunzilog_pops = {
41528 +static const struct uart_ops sunzilog_pops = {
41529 .tx_empty = sunzilog_tx_empty,
41530 .set_mctrl = sunzilog_set_mctrl,
41531 .get_mctrl = sunzilog_get_mctrl,
41532 diff -urNp linux-2.6.39.1/drivers/tty/serial/timbuart.c linux-2.6.39.1/drivers/tty/serial/timbuart.c
41533 --- linux-2.6.39.1/drivers/tty/serial/timbuart.c 2011-05-19 00:06:34.000000000 -0400
41534 +++ linux-2.6.39.1/drivers/tty/serial/timbuart.c 2011-05-22 19:36:32.000000000 -0400
41535 @@ -394,7 +394,7 @@ static int timbuart_verify_port(struct u
41536 return -EINVAL;
41537 }
41538
41539 -static struct uart_ops timbuart_ops = {
41540 +static const struct uart_ops timbuart_ops = {
41541 .tx_empty = timbuart_tx_empty,
41542 .set_mctrl = timbuart_set_mctrl,
41543 .get_mctrl = timbuart_get_mctrl,
41544 diff -urNp linux-2.6.39.1/drivers/tty/serial/uartlite.c linux-2.6.39.1/drivers/tty/serial/uartlite.c
41545 --- linux-2.6.39.1/drivers/tty/serial/uartlite.c 2011-05-19 00:06:34.000000000 -0400
41546 +++ linux-2.6.39.1/drivers/tty/serial/uartlite.c 2011-05-22 19:36:32.000000000 -0400
41547 @@ -331,7 +331,7 @@ static void ulite_put_poll_char(struct u
41548 }
41549 #endif
41550
41551 -static struct uart_ops ulite_ops = {
41552 +static const struct uart_ops ulite_ops = {
41553 .tx_empty = ulite_tx_empty,
41554 .set_mctrl = ulite_set_mctrl,
41555 .get_mctrl = ulite_get_mctrl,
41556 diff -urNp linux-2.6.39.1/drivers/tty/serial/ucc_uart.c linux-2.6.39.1/drivers/tty/serial/ucc_uart.c
41557 --- linux-2.6.39.1/drivers/tty/serial/ucc_uart.c 2011-05-19 00:06:34.000000000 -0400
41558 +++ linux-2.6.39.1/drivers/tty/serial/ucc_uart.c 2011-05-22 19:36:32.000000000 -0400
41559 @@ -1088,7 +1088,7 @@ static int qe_uart_verify_port(struct ua
41560 *
41561 * Details on these functions can be found in Documentation/serial/driver
41562 */
41563 -static struct uart_ops qe_uart_pops = {
41564 +static const struct uart_ops qe_uart_pops = {
41565 .tx_empty = qe_uart_tx_empty,
41566 .set_mctrl = qe_uart_set_mctrl,
41567 .get_mctrl = qe_uart_get_mctrl,
41568 diff -urNp linux-2.6.39.1/drivers/tty/serial/vr41xx_siu.c linux-2.6.39.1/drivers/tty/serial/vr41xx_siu.c
41569 --- linux-2.6.39.1/drivers/tty/serial/vr41xx_siu.c 2011-05-19 00:06:34.000000000 -0400
41570 +++ linux-2.6.39.1/drivers/tty/serial/vr41xx_siu.c 2011-05-22 19:36:32.000000000 -0400
41571 @@ -683,7 +683,7 @@ static int siu_verify_port(struct uart_p
41572 return 0;
41573 }
41574
41575 -static struct uart_ops siu_uart_ops = {
41576 +static const struct uart_ops siu_uart_ops = {
41577 .tx_empty = siu_tx_empty,
41578 .set_mctrl = siu_set_mctrl,
41579 .get_mctrl = siu_get_mctrl,
41580 diff -urNp linux-2.6.39.1/drivers/tty/serial/vt8500_serial.c linux-2.6.39.1/drivers/tty/serial/vt8500_serial.c
41581 --- linux-2.6.39.1/drivers/tty/serial/vt8500_serial.c 2011-05-19 00:06:34.000000000 -0400
41582 +++ linux-2.6.39.1/drivers/tty/serial/vt8500_serial.c 2011-05-22 19:36:32.000000000 -0400
41583 @@ -519,7 +519,7 @@ static struct console vt8500_console = {
41584 #define VT8500_CONSOLE NULL
41585 #endif
41586
41587 -static struct uart_ops vt8500_uart_pops = {
41588 +static const struct uart_ops vt8500_uart_pops = {
41589 .tx_empty = vt8500_tx_empty,
41590 .set_mctrl = vt8500_set_mctrl,
41591 .get_mctrl = vt8500_get_mctrl,
41592 diff -urNp linux-2.6.39.1/drivers/tty/serial/zs.c linux-2.6.39.1/drivers/tty/serial/zs.c
41593 --- linux-2.6.39.1/drivers/tty/serial/zs.c 2011-05-19 00:06:34.000000000 -0400
41594 +++ linux-2.6.39.1/drivers/tty/serial/zs.c 2011-05-22 19:36:32.000000000 -0400
41595 @@ -1044,7 +1044,7 @@ static int zs_verify_port(struct uart_po
41596 }
41597
41598
41599 -static struct uart_ops zs_ops = {
41600 +static const struct uart_ops zs_ops = {
41601 .tx_empty = zs_tx_empty,
41602 .set_mctrl = zs_set_mctrl,
41603 .get_mctrl = zs_get_mctrl,
41604 diff -urNp linux-2.6.39.1/drivers/tty/tty_io.c linux-2.6.39.1/drivers/tty/tty_io.c
41605 --- linux-2.6.39.1/drivers/tty/tty_io.c 2011-05-19 00:06:34.000000000 -0400
41606 +++ linux-2.6.39.1/drivers/tty/tty_io.c 2011-05-22 19:36:32.000000000 -0400
41607 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
41608 /* Spinlock to protect the tty->tty_files list */
41609 DEFINE_SPINLOCK(tty_files_lock);
41610
41611 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
41612 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
41613 ssize_t redirected_tty_write(struct file *, const char __user *,
41614 size_t, loff_t *);
41615 -static unsigned int tty_poll(struct file *, poll_table *);
41616 static int tty_open(struct inode *, struct file *);
41617 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
41618 -#ifdef CONFIG_COMPAT
41619 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
41620 - unsigned long arg);
41621 -#else
41622 -#define tty_compat_ioctl NULL
41623 -#endif
41624 static int __tty_fasync(int fd, struct file *filp, int on);
41625 -static int tty_fasync(int fd, struct file *filp, int on);
41626 static void release_tty(struct tty_struct *tty, int idx);
41627 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
41628 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
41629 @@ -937,7 +927,7 @@ EXPORT_SYMBOL(start_tty);
41630 * read calls may be outstanding in parallel.
41631 */
41632
41633 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
41634 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
41635 loff_t *ppos)
41636 {
41637 int i;
41638 @@ -963,6 +953,8 @@ static ssize_t tty_read(struct file *fil
41639 return i;
41640 }
41641
41642 +EXPORT_SYMBOL(tty_read);
41643 +
41644 void tty_write_unlock(struct tty_struct *tty)
41645 {
41646 mutex_unlock(&tty->atomic_write_lock);
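Review bot: `EXPORT_SYMBOL(tty_read)` here, and the matching exports added for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl in the later hunks of this file, open the tty file-operation entry points to every loadable module with no comment saying who is meant to call them. The neighbouring get_current_tty export in this file uses `EXPORT_SYMBOL_GPL`, and the same form would keep the new surface narrower: `EXPORT_SYMBOL_GPL(tty_read);`. Because the static forward declarations are removed in the first hunk, the now-global functions also need prototypes in a shared header; that header is not part of this file's hunks, so it should be checked. A one-line comment such as `/* exported so other tty code can reference these handlers from a const file_operations */` would record the intent, which I am inferring from the removal of tty_default_fops().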
41647 @@ -1112,7 +1104,7 @@ void tty_write_message(struct tty_struct
41648 * write method will not be invoked in parallel for each device.
41649 */
41650
41651 -static ssize_t tty_write(struct file *file, const char __user *buf,
41652 +ssize_t tty_write(struct file *file, const char __user *buf,
41653 size_t count, loff_t *ppos)
41654 {
41655 struct inode *inode = file->f_path.dentry->d_inode;
41656 @@ -1138,6 +1130,8 @@ static ssize_t tty_write(struct file *fi
41657 return ret;
41658 }
41659
41660 +EXPORT_SYMBOL(tty_write);
41661 +
41662 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
41663 size_t count, loff_t *ppos)
41664 {
41665 @@ -1777,6 +1771,8 @@ int tty_release(struct inode *inode, str
41666 return 0;
41667 }
41668
41669 +EXPORT_SYMBOL(tty_release);
41670 +
41671 /**
41672 * tty_open - open a tty device
41673 * @inode: inode of device file
41674 @@ -1968,7 +1964,7 @@ got_driver:
41675 * may be re-entered freely by other callers.
41676 */
41677
41678 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
41679 +unsigned int tty_poll(struct file *filp, poll_table *wait)
41680 {
41681 struct tty_struct *tty = file_tty(filp);
41682 struct tty_ldisc *ld;
41683 @@ -1984,6 +1980,8 @@ static unsigned int tty_poll(struct file
41684 return ret;
41685 }
41686
41687 +EXPORT_SYMBOL(tty_poll);
41688 +
41689 static int __tty_fasync(int fd, struct file *filp, int on)
41690 {
41691 struct tty_struct *tty = file_tty(filp);
41692 @@ -2025,7 +2023,7 @@ out:
41693 return retval;
41694 }
41695
41696 -static int tty_fasync(int fd, struct file *filp, int on)
41697 +int tty_fasync(int fd, struct file *filp, int on)
41698 {
41699 int retval;
41700 tty_lock();
41701 @@ -2034,6 +2032,8 @@ static int tty_fasync(int fd, struct fil
41702 return retval;
41703 }
41704
41705 +EXPORT_SYMBOL(tty_fasync);
41706 +
41707 /**
41708 * tiocsti - fake input character
41709 * @tty: tty to fake input into
41710 @@ -2695,8 +2695,10 @@ long tty_ioctl(struct file *file, unsign
41711 return retval;
41712 }
41713
41714 +EXPORT_SYMBOL(tty_ioctl);
41715 +
41716 #ifdef CONFIG_COMPAT
41717 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
41718 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
41719 unsigned long arg)
41720 {
41721 struct inode *inode = file->f_dentry->d_inode;
41722 @@ -2720,6 +2722,9 @@ static long tty_compat_ioctl(struct file
41723
41724 return retval;
41725 }
41726 +
41727 +EXPORT_SYMBOL(tty_compat_ioctl);
41728 +
41729 #endif
41730
41731 /*
41732 @@ -3198,11 +3203,6 @@ struct tty_struct *get_current_tty(void)
41733 }
41734 EXPORT_SYMBOL_GPL(get_current_tty);
41735
41736 -void tty_default_fops(struct file_operations *fops)
41737 -{
41738 - *fops = tty_fops;
41739 -}
41740 -
41741 /*
41742 * Initialize the console device. This is called *early*, so
41743 * we can't necessarily depend on lots of kernel help here.
41744 diff -urNp linux-2.6.39.1/drivers/tty/tty_ldisc.c linux-2.6.39.1/drivers/tty/tty_ldisc.c
41745 --- linux-2.6.39.1/drivers/tty/tty_ldisc.c 2011-05-19 00:06:34.000000000 -0400
41746 +++ linux-2.6.39.1/drivers/tty/tty_ldisc.c 2011-05-22 19:36:32.000000000 -0400
41747 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
41748 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
41749 struct tty_ldisc_ops *ldo = ld->ops;
41750
41751 - ldo->refcount--;
41752 + atomic_dec(&ldo->refcount);
41753 module_put(ldo->owner);
41754 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
41755
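Review bot: The switch to `atomic_dec(&ldo->refcount)` in put_ldisc() has no comment explaining why an atomic type is needed for a counter that is already updated under tty_ldisc_lock. The same holds for the atomic_set, atomic_read and atomic_dec calls in tty_register_ldisc(), tty_unregister_ldisc() and put_ldops(), which all sit inside a visible spin_lock_irqsave section. If the purpose is to get the patch's overflow-checked atomic_t rather than concurrency safety, which is my reading, a comment at the first use would say so: `/* atomic_t for overflow checking; tty_ldisc_lock still serialises updates */`. The field's declaration is outside this file, and any remaining plain `refcount` users elsewhere would need the same conversion.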
41756 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
41757 spin_lock_irqsave(&tty_ldisc_lock, flags);
41758 tty_ldiscs[disc] = new_ldisc;
41759 new_ldisc->num = disc;
41760 - new_ldisc->refcount = 0;
41761 + atomic_set(&new_ldisc->refcount, 0);
41762 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
41763
41764 return ret;
41765 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
41766 return -EINVAL;
41767
41768 spin_lock_irqsave(&tty_ldisc_lock, flags);
41769 - if (tty_ldiscs[disc]->refcount)
41770 + if (atomic_read(&tty_ldiscs[disc]->refcount))
41771 ret = -EBUSY;
41772 else
41773 tty_ldiscs[disc] = NULL;
41774 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
41775 if (ldops) {
41776 ret = ERR_PTR(-EAGAIN);
41777 if (try_module_get(ldops->owner)) {
41778 - ldops->refcount++;
41779 + atomic_inc(&ldops->refcount);
41780 ret = ldops;
41781 }
41782 }
41783 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
41784 unsigned long flags;
41785
41786 spin_lock_irqsave(&tty_ldisc_lock, flags);
41787 - ldops->refcount--;
41788 + atomic_dec(&ldops->refcount);
41789 module_put(ldops->owner);
41790 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
41791 }
41792 diff -urNp linux-2.6.39.1/drivers/tty/vt/keyboard.c linux-2.6.39.1/drivers/tty/vt/keyboard.c
41793 --- linux-2.6.39.1/drivers/tty/vt/keyboard.c 2011-05-19 00:06:34.000000000 -0400
41794 +++ linux-2.6.39.1/drivers/tty/vt/keyboard.c 2011-05-22 20:32:43.000000000 -0400
41795 @@ -658,6 +658,16 @@ static void k_spec(struct vc_data *vc, u
41796 kbd->kbdmode == VC_OFF) &&
41797 value != KVAL(K_SAK))
41798 return; /* SAK is allowed even in raw mode */
41799 +
41800 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
41801 + {
41802 + void *func = fn_handler[value];
41803 + if (func == fn_show_state || func == fn_show_ptregs ||
41804 + func == fn_show_mem)
41805 + return;
41806 + }
41807 +#endif
41808 +
41809 fn_handler[value](vc);
41810 }
41811
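Review bot: The new block in k_spec() stores a function pointer in `void *func` and returns silently for three handlers without saying why those three are filtered. Declaring it with the table's own element type, `fn_handler_fn *func = fn_handler[value];` (assuming that is the typedef keyboard.c uses for fn_handler), keeps the comparison type-checked instead of relying on the GNU C function-pointer-to-void conversion. A short comment would also help the next reader, for example `/* console keys that dump task state, registers or memory info stay disabled when /proc is restricted */`, if I read the config names correctly. The bounds check on `value` is not in this hunk, and the new index into fn_handler relies on it running first.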
41812 diff -urNp linux-2.6.39.1/drivers/tty/vt/vt.c linux-2.6.39.1/drivers/tty/vt/vt.c
41813 --- linux-2.6.39.1/drivers/tty/vt/vt.c 2011-05-19 00:06:34.000000000 -0400
41814 +++ linux-2.6.39.1/drivers/tty/vt/vt.c 2011-05-22 19:36:32.000000000 -0400
41815 @@ -261,7 +261,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
41816
41817 static void notify_write(struct vc_data *vc, unsigned int unicode)
41818 {
41819 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
41820 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
41821 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
41822 }
41823
41824 diff -urNp linux-2.6.39.1/drivers/tty/vt/vt_ioctl.c linux-2.6.39.1/drivers/tty/vt/vt_ioctl.c
41825 --- linux-2.6.39.1/drivers/tty/vt/vt_ioctl.c 2011-05-19 00:06:34.000000000 -0400
41826 +++ linux-2.6.39.1/drivers/tty/vt/vt_ioctl.c 2011-05-22 19:41:37.000000000 -0400
41827 @@ -209,9 +209,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
41828 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
41829 return -EFAULT;
41830
41831 - if (!capable(CAP_SYS_TTY_CONFIG))
41832 - perm = 0;
41833 -
41834 switch (cmd) {
41835 case KDGKBENT:
41836 key_map = key_maps[s];
41837 @@ -223,6 +220,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
41838 val = (i ? K_HOLE : K_NOSUCHMAP);
41839 return put_user(val, &user_kbe->kb_value);
41840 case KDSKBENT:
41841 + if (!capable(CAP_SYS_TTY_CONFIG))
41842 + perm = 0;
41843 +
41844 if (!perm)
41845 return -EPERM;
41846 if (!i && v == K_NOSUCHMAP) {
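Review bot: In the KDSKBENT case the capability result is written into `perm` only to be tested on the next line, which can be a single condition: `if (!perm || !capable(CAP_SYS_TTY_CONFIG))` followed by `return -EPERM;`. The KDSKBSENT case in do_kdgkb_ioctl() further down has the same two-step shape. Folding them also skips the capable() call when perm is already zero. Neither hunk says why the check moved out of the function prologue; a comment like `/* only the set path needs CAP_SYS_TTY_CONFIG, so lookups do not trigger a capability check */` would stop it being hoisted back. Both functions continue outside the hunks.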
41847 @@ -324,9 +324,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
41848 int i, j, k;
41849 int ret;
41850
41851 - if (!capable(CAP_SYS_TTY_CONFIG))
41852 - perm = 0;
41853 -
41854 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
41855 if (!kbs) {
41856 ret = -ENOMEM;
41857 @@ -360,6 +357,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
41858 kfree(kbs);
41859 return ((p && *p) ? -EOVERFLOW : 0);
41860 case KDSKBSENT:
41861 + if (!capable(CAP_SYS_TTY_CONFIG))
41862 + perm = 0;
41863 +
41864 if (!perm) {
41865 ret = -EPERM;
41866 goto reterr;
41867 diff -urNp linux-2.6.39.1/drivers/uio/uio.c linux-2.6.39.1/drivers/uio/uio.c
41868 --- linux-2.6.39.1/drivers/uio/uio.c 2011-05-19 00:06:34.000000000 -0400
41869 +++ linux-2.6.39.1/drivers/uio/uio.c 2011-05-22 19:36:32.000000000 -0400
41870 @@ -25,6 +25,7 @@
41871 #include <linux/kobject.h>
41872 #include <linux/cdev.h>
41873 #include <linux/uio_driver.h>
41874 +#include <asm/local.h>
41875
41876 #define UIO_MAX_DEVICES (1U << MINORBITS)
41877
41878 @@ -32,10 +33,10 @@ struct uio_device {
41879 struct module *owner;
41880 struct device *dev;
41881 int minor;
41882 - atomic_t event;
41883 + atomic_unchecked_t event;
41884 struct fasync_struct *async_queue;
41885 wait_queue_head_t wait;
41886 - int vma_count;
41887 + local_t vma_count;
41888 struct uio_info *info;
41889 struct kobject *map_dir;
41890 struct kobject *portio_dir;
41891 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
41892 struct device_attribute *attr, char *buf)
41893 {
41894 struct uio_device *idev = dev_get_drvdata(dev);
41895 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
41896 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
41897 }
41898
41899 static struct device_attribute uio_class_attributes[] = {
41900 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
41901 {
41902 struct uio_device *idev = info->uio_dev;
41903
41904 - atomic_inc(&idev->event);
41905 + atomic_inc_unchecked(&idev->event);
41906 wake_up_interruptible(&idev->wait);
41907 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
41908 }
41909 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
41910 }
41911
41912 listener->dev = idev;
41913 - listener->event_count = atomic_read(&idev->event);
41914 + listener->event_count = atomic_read_unchecked(&idev->event);
41915 filep->private_data = listener;
41916
41917 if (idev->info->open) {
41918 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
41919 return -EIO;
41920
41921 poll_wait(filep, &idev->wait, wait);
41922 - if (listener->event_count != atomic_read(&idev->event))
41923 + if (listener->event_count != atomic_read_unchecked(&idev->event))
41924 return POLLIN | POLLRDNORM;
41925 return 0;
41926 }
41927 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
41928 do {
41929 set_current_state(TASK_INTERRUPTIBLE);
41930
41931 - event_count = atomic_read(&idev->event);
41932 + event_count = atomic_read_unchecked(&idev->event);
41933 if (event_count != listener->event_count) {
41934 if (copy_to_user(buf, &event_count, count))
41935 retval = -EFAULT;
41936 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
41937 static void uio_vma_open(struct vm_area_struct *vma)
41938 {
41939 struct uio_device *idev = vma->vm_private_data;
41940 - idev->vma_count++;
41941 + local_inc(&idev->vma_count);
41942 }
41943
41944 static void uio_vma_close(struct vm_area_struct *vma)
41945 {
41946 struct uio_device *idev = vma->vm_private_data;
41947 - idev->vma_count--;
41948 + local_dec(&idev->vma_count);
41949 }
41950
41951 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
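Review bot: `local_inc(&idev->vma_count)` and `local_dec()` in uio_vma_open()/uio_vma_close() use a type whose operations are atomic only with respect to the CPU that owns the variable, while vma_count (changed to `local_t` in the struct uio_device hunk above) is a per-device field. Two processes mapping the same device can presumably run these callbacks on different CPUs, so updates can still be lost, as they could with the plain int. If the aim is a counter with defined behaviour, `atomic_t vma_count;` with `atomic_inc(&idev->vma_count);` and `atomic_dec(&idev->vma_count);` fits the data better and would make the added `#include <asm/local.h>` unnecessary. No reader of vma_count appears in these hunks, so whether a lost update matters in practice needs checking against the rest of uio.c.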
41952 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
41953 idev->owner = owner;
41954 idev->info = info;
41955 init_waitqueue_head(&idev->wait);
41956 - atomic_set(&idev->event, 0);
41957 + atomic_set_unchecked(&idev->event, 0);
41958
41959 ret = uio_get_minor(idev);
41960 if (ret)
41961 diff -urNp linux-2.6.39.1/drivers/usb/atm/cxacru.c linux-2.6.39.1/drivers/usb/atm/cxacru.c
41962 --- linux-2.6.39.1/drivers/usb/atm/cxacru.c 2011-05-19 00:06:34.000000000 -0400
41963 +++ linux-2.6.39.1/drivers/usb/atm/cxacru.c 2011-05-22 19:36:32.000000000 -0400
41964 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
41965 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
41966 if (ret < 2)
41967 return -EINVAL;
41968 - if (index < 0 || index > 0x7f)
41969 + if (index > 0x7f)
41970 return -EINVAL;
41971 pos += tmp;
41972
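Review bot: With `index < 0` removed, the lower bound on this sysfs-supplied index rests entirely on `index` being declared unsigned, and that declaration is outside the hunk. The `%x` conversion in the sscanf call above expects an unsigned int, so the removal is probably a dead-code cleanup, but it is worth confirming before relying on it. A comment on the remaining test would keep the assumption visible: `/* index is unsigned, so only the upper bound needs checking */`.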
41973 diff -urNp linux-2.6.39.1/drivers/usb/atm/usbatm.c linux-2.6.39.1/drivers/usb/atm/usbatm.c
41974 --- linux-2.6.39.1/drivers/usb/atm/usbatm.c 2011-05-19 00:06:34.000000000 -0400
41975 +++ linux-2.6.39.1/drivers/usb/atm/usbatm.c 2011-05-22 19:36:32.000000000 -0400
41976 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
41977 if (printk_ratelimit())
41978 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
41979 __func__, vpi, vci);
41980 - atomic_inc(&vcc->stats->rx_err);
41981 + atomic_inc_unchecked(&vcc->stats->rx_err);
41982 return;
41983 }
41984
41985 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
41986 if (length > ATM_MAX_AAL5_PDU) {
41987 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
41988 __func__, length, vcc);
41989 - atomic_inc(&vcc->stats->rx_err);
41990 + atomic_inc_unchecked(&vcc->stats->rx_err);
41991 goto out;
41992 }
41993
41994 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
41995 if (sarb->len < pdu_length) {
41996 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
41997 __func__, pdu_length, sarb->len, vcc);
41998 - atomic_inc(&vcc->stats->rx_err);
41999 + atomic_inc_unchecked(&vcc->stats->rx_err);
42000 goto out;
42001 }
42002
42003 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
42004 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
42005 __func__, vcc);
42006 - atomic_inc(&vcc->stats->rx_err);
42007 + atomic_inc_unchecked(&vcc->stats->rx_err);
42008 goto out;
42009 }
42010
42011 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
42012 if (printk_ratelimit())
42013 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
42014 __func__, length);
42015 - atomic_inc(&vcc->stats->rx_drop);
42016 + atomic_inc_unchecked(&vcc->stats->rx_drop);
42017 goto out;
42018 }
42019
42020 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
42021
42022 vcc->push(vcc, skb);
42023
42024 - atomic_inc(&vcc->stats->rx);
42025 + atomic_inc_unchecked(&vcc->stats->rx);
42026 out:
42027 skb_trim(sarb, 0);
42028 }
42029 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
42030 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
42031
42032 usbatm_pop(vcc, skb);
42033 - atomic_inc(&vcc->stats->tx);
42034 + atomic_inc_unchecked(&vcc->stats->tx);
42035
42036 skb = skb_dequeue(&instance->sndqueue);
42037 }
42038 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
42039 if (!left--)
42040 return sprintf(page,
42041 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
42042 - atomic_read(&atm_dev->stats.aal5.tx),
42043 - atomic_read(&atm_dev->stats.aal5.tx_err),
42044 - atomic_read(&atm_dev->stats.aal5.rx),
42045 - atomic_read(&atm_dev->stats.aal5.rx_err),
42046 - atomic_read(&atm_dev->stats.aal5.rx_drop));
42047 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
42048 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
42049 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
42050 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
42051 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
42052
42053 if (!left--) {
42054 if (instance->disconnected)
42055 diff -urNp linux-2.6.39.1/drivers/usb/core/devices.c linux-2.6.39.1/drivers/usb/core/devices.c
42056 --- linux-2.6.39.1/drivers/usb/core/devices.c 2011-05-19 00:06:34.000000000 -0400
42057 +++ linux-2.6.39.1/drivers/usb/core/devices.c 2011-05-22 19:36:32.000000000 -0400
42058 @@ -126,7 +126,7 @@ static const char *format_endpt =
42059 * time it gets called.
42060 */
42061 static struct device_connect_event {
42062 - atomic_t count;
42063 + atomic_unchecked_t count;
42064 wait_queue_head_t wait;
42065 } device_event = {
42066 .count = ATOMIC_INIT(1),
42067 @@ -164,7 +164,7 @@ static const struct class_info clas_info
42068
42069 void usbfs_conn_disc_event(void)
42070 {
42071 - atomic_add(2, &device_event.count);
42072 + atomic_add_unchecked(2, &device_event.count);
42073 wake_up(&device_event.wait);
42074 }
42075
42076 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
42077
42078 poll_wait(file, &device_event.wait, wait);
42079
42080 - event_count = atomic_read(&device_event.count);
42081 + event_count = atomic_read_unchecked(&device_event.count);
42082 if (file->f_version != event_count) {
42083 file->f_version = event_count;
42084 return POLLIN | POLLRDNORM;
42085 diff -urNp linux-2.6.39.1/drivers/usb/core/hcd.c linux-2.6.39.1/drivers/usb/core/hcd.c
42086 --- linux-2.6.39.1/drivers/usb/core/hcd.c 2011-06-03 00:04:14.000000000 -0400
42087 +++ linux-2.6.39.1/drivers/usb/core/hcd.c 2011-06-03 00:32:07.000000000 -0400
42088 @@ -2574,7 +2574,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
42089
42090 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
42091
42092 -struct usb_mon_operations *mon_ops;
42093 +const struct usb_mon_operations *mon_ops;
42094
42095 /*
42096 * The registration is unlocked.
42097 @@ -2584,7 +2584,7 @@ struct usb_mon_operations *mon_ops;
42098 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
42099 */
42100
42101 -int usb_mon_register (struct usb_mon_operations *ops)
42102 +int usb_mon_register (const struct usb_mon_operations *ops)
42103 {
42104
42105 if (mon_ops)
42106 diff -urNp linux-2.6.39.1/drivers/usb/core/message.c linux-2.6.39.1/drivers/usb/core/message.c
42107 --- linux-2.6.39.1/drivers/usb/core/message.c 2011-05-19 00:06:34.000000000 -0400
42108 +++ linux-2.6.39.1/drivers/usb/core/message.c 2011-05-22 19:36:32.000000000 -0400
42109 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
42110 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
42111 if (buf) {
42112 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
42113 - if (len > 0) {
42114 - smallbuf = kmalloc(++len, GFP_NOIO);
42115 + if (len++ > 0) {
42116 + smallbuf = kmalloc(len, GFP_NOIO);
42117 if (!smallbuf)
42118 return buf;
42119 memcpy(smallbuf, buf, len);
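Review bot: `if (len++ > 0)` in usb_cache_string() hides an increment inside the condition, so len is now bumped even when usb_string() returned zero or an error. Nothing in the hunk reads len on that path, so it looks harmless, but the side effect is easy to miss. Keeping the test pure and incrementing inside the branch says the same thing more plainly: `if (len > 0) {` then `len++;` then `smallbuf = kmalloc(len, GFP_NOIO);`. If the point of the change is to keep a side effect out of the kmalloc() argument, a comment saying so would help; the rest of the function is outside the hunk.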
42120 diff -urNp linux-2.6.39.1/drivers/usb/early/ehci-dbgp.c linux-2.6.39.1/drivers/usb/early/ehci-dbgp.c
42121 --- linux-2.6.39.1/drivers/usb/early/ehci-dbgp.c 2011-05-19 00:06:34.000000000 -0400
42122 +++ linux-2.6.39.1/drivers/usb/early/ehci-dbgp.c 2011-05-22 19:36:32.000000000 -0400
42123 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
42124 }
42125
42126 #ifdef CONFIG_KGDB
42127 -static struct kgdb_io kgdbdbgp_io_ops;
42128 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
42129 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
42130 #else
42131 #define dbgp_kgdb_mode (0)
42132 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
42133 early_dbgp_write(NULL, &chr, 1);
42134 }
42135
42136 -static struct kgdb_io kgdbdbgp_io_ops = {
42137 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
42138 .name = "kgdbdbgp",
42139 .read_char = kgdbdbgp_read_char,
42140 .write_char = kgdbdbgp_write_char,
42141 diff -urNp linux-2.6.39.1/drivers/usb/gadget/fsl_qe_udc.c linux-2.6.39.1/drivers/usb/gadget/fsl_qe_udc.c
42142 --- linux-2.6.39.1/drivers/usb/gadget/fsl_qe_udc.c 2011-05-19 00:06:34.000000000 -0400
42143 +++ linux-2.6.39.1/drivers/usb/gadget/fsl_qe_udc.c 2011-05-22 19:36:32.000000000 -0400
42144 @@ -1859,7 +1859,7 @@ out:
42145 return status;
42146 }
42147
42148 -static struct usb_ep_ops qe_ep_ops = {
42149 +static const struct usb_ep_ops qe_ep_ops = {
42150 .enable = qe_ep_enable,
42151 .disable = qe_ep_disable,
42152
42153 @@ -1928,7 +1928,7 @@ static int qe_pullup(struct usb_gadget *
42154 }
42155
42156 /* defined in usb_gadget.h */
42157 -static struct usb_gadget_ops qe_gadget_ops = {
42158 +static const struct usb_gadget_ops qe_gadget_ops = {
42159 .get_frame = qe_get_frame,
42160 .wakeup = qe_wakeup,
42161 /* .set_selfpowered = qe_set_selfpowered,*/ /* always selfpowered */
42162 diff -urNp linux-2.6.39.1/drivers/usb/gadget/fsl_udc_core.c linux-2.6.39.1/drivers/usb/gadget/fsl_udc_core.c
42163 --- linux-2.6.39.1/drivers/usb/gadget/fsl_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42164 +++ linux-2.6.39.1/drivers/usb/gadget/fsl_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42165 @@ -1003,7 +1003,7 @@ static void fsl_ep_fifo_flush(struct usb
42166 } while (fsl_readl(&dr_regs->endptstatus) & bits);
42167 }
42168
42169 -static struct usb_ep_ops fsl_ep_ops = {
42170 +static const struct usb_ep_ops fsl_ep_ops = {
42171 .enable = fsl_ep_enable,
42172 .disable = fsl_ep_disable,
42173
42174 @@ -1114,7 +1114,7 @@ static int fsl_pullup(struct usb_gadget
42175 }
42176
42177 /* defined in gadget.h */
42178 -static struct usb_gadget_ops fsl_gadget_ops = {
42179 +static const struct usb_gadget_ops fsl_gadget_ops = {
42180 .get_frame = fsl_get_frame,
42181 .wakeup = fsl_wakeup,
42182 /* .set_selfpowered = fsl_set_selfpowered, */ /* Always selfpowered */
42183 diff -urNp linux-2.6.39.1/drivers/usb/gadget/fusb300_udc.c linux-2.6.39.1/drivers/usb/gadget/fusb300_udc.c
42184 --- linux-2.6.39.1/drivers/usb/gadget/fusb300_udc.c 2011-05-19 00:06:34.000000000 -0400
42185 +++ linux-2.6.39.1/drivers/usb/gadget/fusb300_udc.c 2011-05-22 19:36:32.000000000 -0400
42186 @@ -527,7 +527,7 @@ static void fusb300_fifo_flush(struct us
42187 {
42188 }
42189
42190 -static struct usb_ep_ops fusb300_ep_ops = {
42191 +static const struct usb_ep_ops fusb300_ep_ops = {
42192 .enable = fusb300_enable,
42193 .disable = fusb300_disable,
42194
42195 @@ -1570,7 +1570,7 @@ static int fusb300_udc_pullup(struct usb
42196 return 0;
42197 }
42198
42199 -static struct usb_gadget_ops fusb300_gadget_ops = {
42200 +static const struct usb_gadget_ops fusb300_gadget_ops = {
42201 .pullup = fusb300_udc_pullup,
42202 };
42203
42204 diff -urNp linux-2.6.39.1/drivers/usb/gadget/goku_udc.c linux-2.6.39.1/drivers/usb/gadget/goku_udc.c
42205 --- linux-2.6.39.1/drivers/usb/gadget/goku_udc.c 2011-05-19 00:06:34.000000000 -0400
42206 +++ linux-2.6.39.1/drivers/usb/gadget/goku_udc.c 2011-05-22 19:36:32.000000000 -0400
42207 @@ -973,7 +973,7 @@ static void goku_fifo_flush(struct usb_e
42208 command(regs, COMMAND_FIFO_CLEAR, ep->num);
42209 }
42210
42211 -static struct usb_ep_ops goku_ep_ops = {
42212 +static const struct usb_ep_ops goku_ep_ops = {
42213 .enable = goku_ep_enable,
42214 .disable = goku_ep_disable,
42215
42216 diff -urNp linux-2.6.39.1/drivers/usb/gadget/imx_udc.c linux-2.6.39.1/drivers/usb/gadget/imx_udc.c
42217 --- linux-2.6.39.1/drivers/usb/gadget/imx_udc.c 2011-05-19 00:06:34.000000000 -0400
42218 +++ linux-2.6.39.1/drivers/usb/gadget/imx_udc.c 2011-05-22 19:36:32.000000000 -0400
42219 @@ -937,7 +937,7 @@ static void imx_ep_fifo_flush(struct usb
42220 local_irq_restore(flags);
42221 }
42222
42223 -static struct usb_ep_ops imx_ep_ops = {
42224 +static const struct usb_ep_ops imx_ep_ops = {
42225 .enable = imx_ep_enable,
42226 .disable = imx_ep_disable,
42227
42228 diff -urNp linux-2.6.39.1/drivers/usb/gadget/m66592-udc.c linux-2.6.39.1/drivers/usb/gadget/m66592-udc.c
42229 --- linux-2.6.39.1/drivers/usb/gadget/m66592-udc.c 2011-05-19 00:06:34.000000000 -0400
42230 +++ linux-2.6.39.1/drivers/usb/gadget/m66592-udc.c 2011-05-22 19:36:32.000000000 -0400
42231 @@ -1437,7 +1437,7 @@ static void m66592_fifo_flush(struct usb
42232 spin_unlock_irqrestore(&ep->m66592->lock, flags);
42233 }
42234
42235 -static struct usb_ep_ops m66592_ep_ops = {
42236 +static const struct usb_ep_ops m66592_ep_ops = {
42237 .enable = m66592_enable,
42238 .disable = m66592_disable,
42239
42240 @@ -1542,7 +1542,7 @@ static int m66592_get_frame(struct usb_g
42241 return m66592_read(m66592, M66592_FRMNUM) & 0x03FF;
42242 }
42243
42244 -static struct usb_gadget_ops m66592_gadget_ops = {
42245 +static const struct usb_gadget_ops m66592_gadget_ops = {
42246 .get_frame = m66592_get_frame,
42247 };
42248
42249 diff -urNp linux-2.6.39.1/drivers/usb/gadget/mv_udc_core.c linux-2.6.39.1/drivers/usb/gadget/mv_udc_core.c
42250 --- linux-2.6.39.1/drivers/usb/gadget/mv_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42251 +++ linux-2.6.39.1/drivers/usb/gadget/mv_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42252 @@ -972,7 +972,7 @@ static int mv_ep_set_wedge(struct usb_ep
42253 return mv_ep_set_halt_wedge(_ep, 1, 1);
42254 }
42255
42256 -static struct usb_ep_ops mv_ep_ops = {
42257 +static const struct usb_ep_ops mv_ep_ops = {
42258 .enable = mv_ep_enable,
42259 .disable = mv_ep_disable,
42260
42261 diff -urNp linux-2.6.39.1/drivers/usb/gadget/omap_udc.c linux-2.6.39.1/drivers/usb/gadget/omap_udc.c
42262 --- linux-2.6.39.1/drivers/usb/gadget/omap_udc.c 2011-05-19 00:06:34.000000000 -0400
42263 +++ linux-2.6.39.1/drivers/usb/gadget/omap_udc.c 2011-05-22 19:36:32.000000000 -0400
42264 @@ -1177,7 +1177,7 @@ done:
42265 return status;
42266 }
42267
42268 -static struct usb_ep_ops omap_ep_ops = {
42269 +static const struct usb_ep_ops omap_ep_ops = {
42270 .enable = omap_ep_enable,
42271 .disable = omap_ep_disable,
42272
42273 @@ -1374,7 +1374,7 @@ static int omap_pullup(struct usb_gadget
42274 return 0;
42275 }
42276
42277 -static struct usb_gadget_ops omap_gadget_ops = {
42278 +static const struct usb_gadget_ops omap_gadget_ops = {
42279 .get_frame = omap_get_frame,
42280 .wakeup = omap_wakeup,
42281 .set_selfpowered = omap_set_selfpowered,
42282 diff -urNp linux-2.6.39.1/drivers/usb/gadget/pxa25x_udc.c linux-2.6.39.1/drivers/usb/gadget/pxa25x_udc.c
42283 --- linux-2.6.39.1/drivers/usb/gadget/pxa25x_udc.c 2011-05-19 00:06:34.000000000 -0400
42284 +++ linux-2.6.39.1/drivers/usb/gadget/pxa25x_udc.c 2011-05-22 19:36:32.000000000 -0400
42285 @@ -896,7 +896,7 @@ static void pxa25x_ep_fifo_flush(struct
42286 }
42287
42288
42289 -static struct usb_ep_ops pxa25x_ep_ops = {
42290 +static const struct usb_ep_ops pxa25x_ep_ops = {
42291 .enable = pxa25x_ep_enable,
42292 .disable = pxa25x_ep_disable,
42293
42294 diff -urNp linux-2.6.39.1/drivers/usb/gadget/pxa27x_udc.c linux-2.6.39.1/drivers/usb/gadget/pxa27x_udc.c
42295 --- linux-2.6.39.1/drivers/usb/gadget/pxa27x_udc.c 2011-05-19 00:06:34.000000000 -0400
42296 +++ linux-2.6.39.1/drivers/usb/gadget/pxa27x_udc.c 2011-05-22 19:36:32.000000000 -0400
42297 @@ -1491,7 +1491,7 @@ static int pxa_ep_disable(struct usb_ep
42298 return 0;
42299 }
42300
42301 -static struct usb_ep_ops pxa_ep_ops = {
42302 +static const struct usb_ep_ops pxa_ep_ops = {
42303 .enable = pxa_ep_enable,
42304 .disable = pxa_ep_disable,
42305
42306 diff -urNp linux-2.6.39.1/drivers/usb/gadget/r8a66597-udc.c linux-2.6.39.1/drivers/usb/gadget/r8a66597-udc.c
42307 --- linux-2.6.39.1/drivers/usb/gadget/r8a66597-udc.c 2011-05-19 00:06:34.000000000 -0400
42308 +++ linux-2.6.39.1/drivers/usb/gadget/r8a66597-udc.c 2011-05-22 19:36:32.000000000 -0400
42309 @@ -1392,7 +1392,7 @@ static void r8a66597_fifo_flush(struct u
42310 spin_unlock_irqrestore(&ep->r8a66597->lock, flags);
42311 }
42312
42313 -static struct usb_ep_ops r8a66597_ep_ops = {
42314 +static const struct usb_ep_ops r8a66597_ep_ops = {
42315 .enable = r8a66597_enable,
42316 .disable = r8a66597_disable,
42317
42318 @@ -1497,7 +1497,7 @@ static int r8a66597_get_frame(struct usb
42319 return r8a66597_read(r8a66597, FRMNUM) & 0x03FF;
42320 }
42321
42322 -static struct usb_gadget_ops r8a66597_gadget_ops = {
42323 +static const struct usb_gadget_ops r8a66597_gadget_ops = {
42324 .get_frame = r8a66597_get_frame,
42325 };
42326
42327 diff -urNp linux-2.6.39.1/drivers/usb/gadget/s3c-hsotg.c linux-2.6.39.1/drivers/usb/gadget/s3c-hsotg.c
42328 --- linux-2.6.39.1/drivers/usb/gadget/s3c-hsotg.c 2011-05-19 00:06:34.000000000 -0400
42329 +++ linux-2.6.39.1/drivers/usb/gadget/s3c-hsotg.c 2011-05-22 19:36:32.000000000 -0400
42330 @@ -2461,7 +2461,7 @@ static int s3c_hsotg_ep_sethalt(struct u
42331 return 0;
42332 }
42333
42334 -static struct usb_ep_ops s3c_hsotg_ep_ops = {
42335 +static const struct usb_ep_ops s3c_hsotg_ep_ops = {
42336 .enable = s3c_hsotg_ep_enable,
42337 .disable = s3c_hsotg_ep_disable,
42338 .alloc_request = s3c_hsotg_ep_alloc_request,
42339 @@ -2725,7 +2725,7 @@ static int s3c_hsotg_gadget_getframe(str
42340 return s3c_hsotg_read_frameno(to_hsotg(gadget));
42341 }
42342
42343 -static struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42344 +static const struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42345 .get_frame = s3c_hsotg_gadget_getframe,
42346 };
42347
42348 diff -urNp linux-2.6.39.1/drivers/usb/gadget/uvc_queue.c linux-2.6.39.1/drivers/usb/gadget/uvc_queue.c
42349 --- linux-2.6.39.1/drivers/usb/gadget/uvc_queue.c 2011-05-19 00:06:34.000000000 -0400
42350 +++ linux-2.6.39.1/drivers/usb/gadget/uvc_queue.c 2011-05-22 19:36:32.000000000 -0400
42351 @@ -400,7 +400,7 @@ static void uvc_vm_close(struct vm_area_
42352 buffer->vma_use_count--;
42353 }
42354
42355 -static struct vm_operations_struct uvc_vm_ops = {
42356 +static const struct vm_operations_struct uvc_vm_ops = {
42357 .open = uvc_vm_open,
42358 .close = uvc_vm_close,
42359 };
42360 diff -urNp linux-2.6.39.1/drivers/usb/host/ehci-fsl.c linux-2.6.39.1/drivers/usb/host/ehci-fsl.c
42361 --- linux-2.6.39.1/drivers/usb/host/ehci-fsl.c 2011-05-19 00:06:34.000000000 -0400
42362 +++ linux-2.6.39.1/drivers/usb/host/ehci-fsl.c 2011-05-22 19:36:32.000000000 -0400
42363 @@ -380,7 +380,7 @@ static int ehci_fsl_drv_restore(struct d
42364 return 0;
42365 }
42366
42367 -static struct dev_pm_ops ehci_fsl_pm_ops = {
42368 +static const struct dev_pm_ops ehci_fsl_pm_ops = {
42369 .suspend = ehci_fsl_drv_suspend,
42370 .resume = ehci_fsl_drv_resume,
42371 .restore = ehci_fsl_drv_restore,
42372 diff -urNp linux-2.6.39.1/drivers/usb/host/xhci-mem.c linux-2.6.39.1/drivers/usb/host/xhci-mem.c
42373 --- linux-2.6.39.1/drivers/usb/host/xhci-mem.c 2011-06-03 00:04:14.000000000 -0400
42374 +++ linux-2.6.39.1/drivers/usb/host/xhci-mem.c 2011-06-03 00:32:07.000000000 -0400
42375 @@ -1670,6 +1670,8 @@ static int xhci_check_trb_in_td_math(str
42376 unsigned int num_tests;
42377 int i, ret;
42378
42379 + pax_track_stack();
42380 +
42381 num_tests = ARRAY_SIZE(simple_test_vector);
42382 for (i = 0; i < num_tests; i++) {
42383 ret = xhci_test_trb_in_td(xhci,
42384 diff -urNp linux-2.6.39.1/drivers/usb/mon/mon_main.c linux-2.6.39.1/drivers/usb/mon/mon_main.c
42385 --- linux-2.6.39.1/drivers/usb/mon/mon_main.c 2011-05-19 00:06:34.000000000 -0400
42386 +++ linux-2.6.39.1/drivers/usb/mon/mon_main.c 2011-05-22 19:36:32.000000000 -0400
42387 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
42388 /*
42389 * Ops
42390 */
42391 -static struct usb_mon_operations mon_ops_0 = {
42392 +static const struct usb_mon_operations mon_ops_0 = {
42393 .urb_submit = mon_submit,
42394 .urb_submit_error = mon_submit_error,
42395 .urb_complete = mon_complete,
42396 diff -urNp linux-2.6.39.1/drivers/usb/musb/cppi_dma.h linux-2.6.39.1/drivers/usb/musb/cppi_dma.h
42397 --- linux-2.6.39.1/drivers/usb/musb/cppi_dma.h 2011-05-19 00:06:34.000000000 -0400
42398 +++ linux-2.6.39.1/drivers/usb/musb/cppi_dma.h 2011-05-22 19:36:32.000000000 -0400
42399 @@ -113,7 +113,7 @@ struct cppi_channel {
42400
42401 /* CPPI DMA controller object */
42402 struct cppi {
42403 - struct dma_controller controller;
42404 + const struct dma_controller controller;
42405 struct musb *musb;
42406 void __iomem *mregs; /* Mentor regs */
42407 void __iomem *tibase; /* TI/CPPI regs */
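Review bot: `const struct dma_controller controller;` in `struct cppi` qualifies an embedded member rather than a pointer to a static ops table, so it does not place the callbacks in read-only memory; the member is as writable as the `struct cppi` that contains it. Any code that fills in `controller` at setup time now has to go through a cast; that code is outside this hunk, so this is inferred. `const struct file_operations misc_fops;` in `struct pxa3xx_gcu_priv` (drivers/video/pxa3xx-gcu.c, later in this patch) has the same shape. A comment on the member such as `/* const to catch stray writes only; filled in once at setup via a cast */` would record the intent.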
42408 diff -urNp linux-2.6.39.1/drivers/usb/otg/msm_otg.c linux-2.6.39.1/drivers/usb/otg/msm_otg.c
42409 --- linux-2.6.39.1/drivers/usb/otg/msm_otg.c 2011-05-19 00:06:34.000000000 -0400
42410 +++ linux-2.6.39.1/drivers/usb/otg/msm_otg.c 2011-05-22 19:36:32.000000000 -0400
42411 @@ -95,7 +95,7 @@ static int ulpi_write(struct otg_transce
42412 return 0;
42413 }
42414
42415 -static struct otg_io_access_ops msm_otg_io_ops = {
42416 +static const struct otg_io_access_ops msm_otg_io_ops = {
42417 .read = ulpi_read,
42418 .write = ulpi_write,
42419 };
42420 diff -urNp linux-2.6.39.1/drivers/usb/otg/ulpi_viewport.c linux-2.6.39.1/drivers/usb/otg/ulpi_viewport.c
42421 --- linux-2.6.39.1/drivers/usb/otg/ulpi_viewport.c 2011-05-19 00:06:34.000000000 -0400
42422 +++ linux-2.6.39.1/drivers/usb/otg/ulpi_viewport.c 2011-05-22 19:36:32.000000000 -0400
42423 @@ -74,7 +74,7 @@ static int ulpi_viewport_write(struct ot
42424 return ulpi_viewport_wait(view, ULPI_VIEW_RUN);
42425 }
42426
42427 -struct otg_io_access_ops ulpi_viewport_access_ops = {
42428 +const struct otg_io_access_ops ulpi_viewport_access_ops = {
42429 .read = ulpi_viewport_read,
42430 .write = ulpi_viewport_write,
42431 };
42432 diff -urNp linux-2.6.39.1/drivers/usb/serial/ftdi_sio.c linux-2.6.39.1/drivers/usb/serial/ftdi_sio.c
42433 --- linux-2.6.39.1/drivers/usb/serial/ftdi_sio.c 2011-06-03 00:04:14.000000000 -0400
42434 +++ linux-2.6.39.1/drivers/usb/serial/ftdi_sio.c 2011-06-03 00:32:07.000000000 -0400
42435 @@ -104,27 +104,27 @@ static int ftdi_stmclite_probe(struct
42436 static void ftdi_USB_UIRT_setup(struct ftdi_private *priv);
42437 static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv);
42438
42439 -static struct ftdi_sio_quirk ftdi_jtag_quirk = {
42440 +static const struct ftdi_sio_quirk ftdi_jtag_quirk = {
42441 .probe = ftdi_jtag_probe,
42442 };
42443
42444 -static struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42445 +static const struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42446 .probe = ftdi_mtxorb_hack_setup,
42447 };
42448
42449 -static struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42450 +static const struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42451 .probe = ftdi_NDI_device_setup,
42452 };
42453
42454 -static struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42455 +static const struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42456 .port_probe = ftdi_USB_UIRT_setup,
42457 };
42458
42459 -static struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42460 +static const struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42461 .port_probe = ftdi_HE_TIRA1_setup,
42462 };
42463
42464 -static struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42465 +static const struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42466 .probe = ftdi_stmclite_probe,
42467 };
42468
42469 diff -urNp linux-2.6.39.1/drivers/usb/wusbcore/wa-hc.h linux-2.6.39.1/drivers/usb/wusbcore/wa-hc.h
42470 --- linux-2.6.39.1/drivers/usb/wusbcore/wa-hc.h 2011-05-19 00:06:34.000000000 -0400
42471 +++ linux-2.6.39.1/drivers/usb/wusbcore/wa-hc.h 2011-05-22 19:36:32.000000000 -0400
42472 @@ -192,7 +192,7 @@ struct wahc {
42473 struct list_head xfer_delayed_list;
42474 spinlock_t xfer_list_lock;
42475 struct work_struct xfer_work;
42476 - atomic_t xfer_id_count;
42477 + atomic_unchecked_t xfer_id_count;
42478 };
42479
42480
42481 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
42482 INIT_LIST_HEAD(&wa->xfer_delayed_list);
42483 spin_lock_init(&wa->xfer_list_lock);
42484 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
42485 - atomic_set(&wa->xfer_id_count, 1);
42486 + atomic_set_unchecked(&wa->xfer_id_count, 1);
42487 }
42488
42489 /**
42490 diff -urNp linux-2.6.39.1/drivers/usb/wusbcore/wa-xfer.c linux-2.6.39.1/drivers/usb/wusbcore/wa-xfer.c
42491 --- linux-2.6.39.1/drivers/usb/wusbcore/wa-xfer.c 2011-05-19 00:06:34.000000000 -0400
42492 +++ linux-2.6.39.1/drivers/usb/wusbcore/wa-xfer.c 2011-05-22 19:36:32.000000000 -0400
42493 @@ -294,7 +294,7 @@ out:
42494 */
42495 static void wa_xfer_id_init(struct wa_xfer *xfer)
42496 {
42497 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
42498 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
42499 }
42500
42501 /*
42502 diff -urNp linux-2.6.39.1/drivers/vhost/vhost.c linux-2.6.39.1/drivers/vhost/vhost.c
42503 --- linux-2.6.39.1/drivers/vhost/vhost.c 2011-05-19 00:06:34.000000000 -0400
42504 +++ linux-2.6.39.1/drivers/vhost/vhost.c 2011-05-22 19:36:32.000000000 -0400
42505 @@ -580,7 +580,7 @@ static int init_used(struct vhost_virtqu
42506 return get_user(vq->last_used_idx, &used->idx);
42507 }
42508
42509 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
42510 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
42511 {
42512 struct file *eventfp, *filep = NULL,
42513 *pollstart = NULL, *pollstop = NULL;
42514 diff -urNp linux-2.6.39.1/drivers/video/backlight/corgi_lcd.c linux-2.6.39.1/drivers/video/backlight/corgi_lcd.c
42515 --- linux-2.6.39.1/drivers/video/backlight/corgi_lcd.c 2011-05-19 00:06:34.000000000 -0400
42516 +++ linux-2.6.39.1/drivers/video/backlight/corgi_lcd.c 2011-05-22 19:36:32.000000000 -0400
42517 @@ -383,7 +383,7 @@ static int corgi_lcd_get_power(struct lc
42518 return lcd->power;
42519 }
42520
42521 -static struct lcd_ops corgi_lcd_ops = {
42522 +static const struct lcd_ops corgi_lcd_ops = {
42523 .get_power = corgi_lcd_get_power,
42524 .set_power = corgi_lcd_set_power,
42525 .set_mode = corgi_lcd_set_mode,
42526 diff -urNp linux-2.6.39.1/drivers/video/backlight/cr_bllcd.c linux-2.6.39.1/drivers/video/backlight/cr_bllcd.c
42527 --- linux-2.6.39.1/drivers/video/backlight/cr_bllcd.c 2011-05-19 00:06:34.000000000 -0400
42528 +++ linux-2.6.39.1/drivers/video/backlight/cr_bllcd.c 2011-05-22 19:36:32.000000000 -0400
42529 @@ -165,7 +165,7 @@ static int cr_lcd_set_power(struct lcd_d
42530 return 0;
42531 }
42532
42533 -static struct lcd_ops cr_lcd_ops = {
42534 +static const struct lcd_ops cr_lcd_ops = {
42535 .set_power = cr_lcd_set_power,
42536 };
42537
42538 diff -urNp linux-2.6.39.1/drivers/video/backlight/ili9320.c linux-2.6.39.1/drivers/video/backlight/ili9320.c
42539 --- linux-2.6.39.1/drivers/video/backlight/ili9320.c 2011-05-19 00:06:34.000000000 -0400
42540 +++ linux-2.6.39.1/drivers/video/backlight/ili9320.c 2011-05-22 19:36:32.000000000 -0400
42541 @@ -166,7 +166,7 @@ static int ili9320_get_power(struct lcd_
42542 return lcd->power;
42543 }
42544
42545 -static struct lcd_ops ili9320_ops = {
42546 +static const struct lcd_ops ili9320_ops = {
42547 .get_power = ili9320_get_power,
42548 .set_power = ili9320_set_power,
42549 };
42550 diff -urNp linux-2.6.39.1/drivers/video/backlight/jornada720_lcd.c linux-2.6.39.1/drivers/video/backlight/jornada720_lcd.c
42551 --- linux-2.6.39.1/drivers/video/backlight/jornada720_lcd.c 2011-05-19 00:06:34.000000000 -0400
42552 +++ linux-2.6.39.1/drivers/video/backlight/jornada720_lcd.c 2011-05-22 19:36:32.000000000 -0400
42553 @@ -87,7 +87,7 @@ static int jornada_lcd_set_power(struct
42554 return 0;
42555 }
42556
42557 -static struct lcd_ops jornada_lcd_props = {
42558 +static const struct lcd_ops jornada_lcd_props = {
42559 .get_contrast = jornada_lcd_get_contrast,
42560 .set_contrast = jornada_lcd_set_contrast,
42561 .get_power = jornada_lcd_get_power,
42562 diff -urNp linux-2.6.39.1/drivers/video/backlight/l4f00242t03.c linux-2.6.39.1/drivers/video/backlight/l4f00242t03.c
42563 --- linux-2.6.39.1/drivers/video/backlight/l4f00242t03.c 2011-05-19 00:06:34.000000000 -0400
42564 +++ linux-2.6.39.1/drivers/video/backlight/l4f00242t03.c 2011-05-22 19:36:32.000000000 -0400
42565 @@ -149,7 +149,7 @@ static int l4f00242t03_lcd_power_set(str
42566 return 0;
42567 }
42568
42569 -static struct lcd_ops l4f_ops = {
42570 +static const struct lcd_ops l4f_ops = {
42571 .set_power = l4f00242t03_lcd_power_set,
42572 .get_power = l4f00242t03_lcd_power_get,
42573 };
42574 diff -urNp linux-2.6.39.1/drivers/video/backlight/lcd.c linux-2.6.39.1/drivers/video/backlight/lcd.c
42575 --- linux-2.6.39.1/drivers/video/backlight/lcd.c 2011-05-19 00:06:34.000000000 -0400
42576 +++ linux-2.6.39.1/drivers/video/backlight/lcd.c 2011-05-22 19:36:32.000000000 -0400
42577 @@ -192,7 +192,7 @@ static struct device_attribute lcd_devic
42578 * or a pointer to the newly allocated device.
42579 */
42580 struct lcd_device *lcd_device_register(const char *name, struct device *parent,
42581 - void *devdata, struct lcd_ops *ops)
42582 + void *devdata, const struct lcd_ops *ops)
42583 {
42584 struct lcd_device *new_ld;
42585 int rc;
42586 diff -urNp linux-2.6.39.1/drivers/video/backlight/ld9040.c linux-2.6.39.1/drivers/video/backlight/ld9040.c
42587 --- linux-2.6.39.1/drivers/video/backlight/ld9040.c 2011-05-19 00:06:34.000000000 -0400
42588 +++ linux-2.6.39.1/drivers/video/backlight/ld9040.c 2011-05-22 19:36:32.000000000 -0400
42589 @@ -651,7 +651,7 @@ static int ld9040_set_brightness(struct
42590 return ret;
42591 }
42592
42593 -static struct lcd_ops ld9040_lcd_ops = {
42594 +static const struct lcd_ops ld9040_lcd_ops = {
42595 .set_power = ld9040_set_power,
42596 .get_power = ld9040_get_power,
42597 };
42598 diff -urNp linux-2.6.39.1/drivers/video/backlight/lms283gf05.c linux-2.6.39.1/drivers/video/backlight/lms283gf05.c
42599 --- linux-2.6.39.1/drivers/video/backlight/lms283gf05.c 2011-05-19 00:06:34.000000000 -0400
42600 +++ linux-2.6.39.1/drivers/video/backlight/lms283gf05.c 2011-05-22 19:36:32.000000000 -0400
42601 @@ -144,7 +144,7 @@ static int lms283gf05_power_set(struct l
42602 return 0;
42603 }
42604
42605 -static struct lcd_ops lms_ops = {
42606 +static const struct lcd_ops lms_ops = {
42607 .set_power = lms283gf05_power_set,
42608 .get_power = NULL,
42609 };
42610 diff -urNp linux-2.6.39.1/drivers/video/backlight/ltv350qv.c linux-2.6.39.1/drivers/video/backlight/ltv350qv.c
42611 --- linux-2.6.39.1/drivers/video/backlight/ltv350qv.c 2011-05-19 00:06:34.000000000 -0400
42612 +++ linux-2.6.39.1/drivers/video/backlight/ltv350qv.c 2011-05-22 19:36:32.000000000 -0400
42613 @@ -221,7 +221,7 @@ static int ltv350qv_get_power(struct lcd
42614 return lcd->power;
42615 }
42616
42617 -static struct lcd_ops ltv_ops = {
42618 +static const struct lcd_ops ltv_ops = {
42619 .get_power = ltv350qv_get_power,
42620 .set_power = ltv350qv_set_power,
42621 };
42622 diff -urNp linux-2.6.39.1/drivers/video/backlight/platform_lcd.c linux-2.6.39.1/drivers/video/backlight/platform_lcd.c
42623 --- linux-2.6.39.1/drivers/video/backlight/platform_lcd.c 2011-05-19 00:06:34.000000000 -0400
42624 +++ linux-2.6.39.1/drivers/video/backlight/platform_lcd.c 2011-05-22 19:36:32.000000000 -0400
42625 @@ -66,7 +66,7 @@ static int platform_lcd_match(struct lcd
42626 return plcd->us->parent == info->device;
42627 }
42628
42629 -static struct lcd_ops platform_lcd_ops = {
42630 +static const struct lcd_ops platform_lcd_ops = {
42631 .get_power = platform_lcd_get_power,
42632 .set_power = platform_lcd_set_power,
42633 .check_fb = platform_lcd_match,
42634 diff -urNp linux-2.6.39.1/drivers/video/backlight/s6e63m0.c linux-2.6.39.1/drivers/video/backlight/s6e63m0.c
42635 --- linux-2.6.39.1/drivers/video/backlight/s6e63m0.c 2011-05-19 00:06:34.000000000 -0400
42636 +++ linux-2.6.39.1/drivers/video/backlight/s6e63m0.c 2011-05-22 19:36:32.000000000 -0400
42637 @@ -644,7 +644,7 @@ static int s6e63m0_set_brightness(struct
42638 return ret;
42639 }
42640
42641 -static struct lcd_ops s6e63m0_lcd_ops = {
42642 +static const struct lcd_ops s6e63m0_lcd_ops = {
42643 .set_power = s6e63m0_set_power,
42644 .get_power = s6e63m0_get_power,
42645 };
42646 diff -urNp linux-2.6.39.1/drivers/video/backlight/tdo24m.c linux-2.6.39.1/drivers/video/backlight/tdo24m.c
42647 --- linux-2.6.39.1/drivers/video/backlight/tdo24m.c 2011-05-19 00:06:34.000000000 -0400
42648 +++ linux-2.6.39.1/drivers/video/backlight/tdo24m.c 2011-05-22 19:36:32.000000000 -0400
42649 @@ -322,7 +322,7 @@ static int tdo24m_set_mode(struct lcd_de
42650 return lcd->adj_mode(lcd, mode);
42651 }
42652
42653 -static struct lcd_ops tdo24m_ops = {
42654 +static const struct lcd_ops tdo24m_ops = {
42655 .get_power = tdo24m_get_power,
42656 .set_power = tdo24m_set_power,
42657 .set_mode = tdo24m_set_mode,
42658 diff -urNp linux-2.6.39.1/drivers/video/backlight/tosa_lcd.c linux-2.6.39.1/drivers/video/backlight/tosa_lcd.c
42659 --- linux-2.6.39.1/drivers/video/backlight/tosa_lcd.c 2011-05-19 00:06:34.000000000 -0400
42660 +++ linux-2.6.39.1/drivers/video/backlight/tosa_lcd.c 2011-05-22 19:36:32.000000000 -0400
42661 @@ -163,7 +163,7 @@ static int tosa_lcd_set_mode(struct lcd_
42662 return 0;
42663 }
42664
42665 -static struct lcd_ops tosa_lcd_ops = {
42666 +static const struct lcd_ops tosa_lcd_ops = {
42667 .set_power = tosa_lcd_set_power,
42668 .get_power = tosa_lcd_get_power,
42669 .set_mode = tosa_lcd_set_mode,
42670 diff -urNp linux-2.6.39.1/drivers/video/bf537-lq035.c linux-2.6.39.1/drivers/video/bf537-lq035.c
42671 --- linux-2.6.39.1/drivers/video/bf537-lq035.c 2011-05-19 00:06:34.000000000 -0400
42672 +++ linux-2.6.39.1/drivers/video/bf537-lq035.c 2011-05-22 19:36:32.000000000 -0400
42673 @@ -682,7 +682,7 @@ static int bfin_lcd_check_fb(struct lcd_
42674 return 0;
42675 }
42676
42677 -static struct lcd_ops bfin_lcd_ops = {
42678 +static const struct lcd_ops bfin_lcd_ops = {
42679 .get_power = bfin_lcd_get_power,
42680 .set_power = bfin_lcd_set_power,
42681 .get_contrast = bfin_lcd_get_contrast,
42682 diff -urNp linux-2.6.39.1/drivers/video/bf54x-lq043fb.c linux-2.6.39.1/drivers/video/bf54x-lq043fb.c
42683 --- linux-2.6.39.1/drivers/video/bf54x-lq043fb.c 2011-05-19 00:06:34.000000000 -0400
42684 +++ linux-2.6.39.1/drivers/video/bf54x-lq043fb.c 2011-05-22 19:36:32.000000000 -0400
42685 @@ -467,7 +467,7 @@ static int bfin_lcd_check_fb(struct lcd_
42686 return 0;
42687 }
42688
42689 -static struct lcd_ops bfin_lcd_ops = {
42690 +static const struct lcd_ops bfin_lcd_ops = {
42691 .get_power = bfin_lcd_get_power,
42692 .set_power = bfin_lcd_set_power,
42693 .get_contrast = bfin_lcd_get_contrast,
42694 diff -urNp linux-2.6.39.1/drivers/video/bfin-t350mcqb-fb.c linux-2.6.39.1/drivers/video/bfin-t350mcqb-fb.c
42695 --- linux-2.6.39.1/drivers/video/bfin-t350mcqb-fb.c 2011-05-19 00:06:34.000000000 -0400
42696 +++ linux-2.6.39.1/drivers/video/bfin-t350mcqb-fb.c 2011-05-22 19:36:32.000000000 -0400
42697 @@ -387,7 +387,7 @@ static int bfin_lcd_check_fb(struct lcd_
42698 return 0;
42699 }
42700
42701 -static struct lcd_ops bfin_lcd_ops = {
42702 +static const struct lcd_ops bfin_lcd_ops = {
42703 .get_power = bfin_lcd_get_power,
42704 .set_power = bfin_lcd_set_power,
42705 .get_contrast = bfin_lcd_get_contrast,
42706 diff -urNp linux-2.6.39.1/drivers/video/fbcmap.c linux-2.6.39.1/drivers/video/fbcmap.c
42707 --- linux-2.6.39.1/drivers/video/fbcmap.c 2011-05-19 00:06:34.000000000 -0400
42708 +++ linux-2.6.39.1/drivers/video/fbcmap.c 2011-05-22 19:36:32.000000000 -0400
42709 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
42710 rc = -ENODEV;
42711 goto out;
42712 }
42713 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
42714 - !info->fbops->fb_setcmap)) {
42715 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
42716 rc = -EINVAL;
42717 goto out1;
42718 }
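Review bot: Dropping `cmap->start < 0` is only safe if `start` is an unsigned field, and nothing in this hunk shows its type or records why the lower-bound test is gone. A one-line comment above the remaining test, e.g. `/* cmap->start is unsigned, so there is no negative range to reject */`, would keep a later reader from assuming validation was lost. The same applies to the `con2fb.framebuffer < 0` test removed from do_fb_ioctl() in drivers/video/fbmem.c, where the value indexes `registered_fb[]` two lines later; if either field were ever signed, the check would have to come back. fb_set_user_cmap() continues outside the hunk.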
42719 diff -urNp linux-2.6.39.1/drivers/video/fbmem.c linux-2.6.39.1/drivers/video/fbmem.c
42720 --- linux-2.6.39.1/drivers/video/fbmem.c 2011-05-19 00:06:34.000000000 -0400
42721 +++ linux-2.6.39.1/drivers/video/fbmem.c 2011-05-22 19:36:32.000000000 -0400
42722 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
42723 image->dx += image->width + 8;
42724 }
42725 } else if (rotate == FB_ROTATE_UD) {
42726 - for (x = 0; x < num && image->dx >= 0; x++) {
42727 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
42728 info->fbops->fb_imageblit(info, image);
42729 image->dx -= image->width + 8;
42730 }
42731 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
42732 image->dy += image->height + 8;
42733 }
42734 } else if (rotate == FB_ROTATE_CCW) {
42735 - for (x = 0; x < num && image->dy >= 0; x++) {
42736 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
42737 info->fbops->fb_imageblit(info, image);
42738 image->dy -= image->height + 8;
42739 }
42740 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
42741 int flags = info->flags;
42742 int ret = 0;
42743
42744 + pax_track_stack();
42745 +
42746 if (var->activate & FB_ACTIVATE_INV_MODE) {
42747 struct fb_videomode mode1, mode2;
42748
42749 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
42750 void __user *argp = (void __user *)arg;
42751 long ret = 0;
42752
42753 + pax_track_stack();
42754 +
42755 switch (cmd) {
42756 case FBIOGET_VSCREENINFO:
42757 if (!lock_fb_info(info))
42758 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
42759 return -EFAULT;
42760 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
42761 return -EINVAL;
42762 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
42763 + if (con2fb.framebuffer >= FB_MAX)
42764 return -EINVAL;
42765 if (!registered_fb[con2fb.framebuffer])
42766 request_module("fb%d", con2fb.framebuffer);
42767 diff -urNp linux-2.6.39.1/drivers/video/geode/display_gx1.c linux-2.6.39.1/drivers/video/geode/display_gx1.c
42768 --- linux-2.6.39.1/drivers/video/geode/display_gx1.c 2011-05-19 00:06:34.000000000 -0400
42769 +++ linux-2.6.39.1/drivers/video/geode/display_gx1.c 2011-05-22 19:36:32.000000000 -0400
42770 @@ -208,7 +208,7 @@ static void gx1_set_hw_palette_reg(struc
42771 writel(val, par->dc_regs + DC_PAL_DATA);
42772 }
42773
42774 -struct geode_dc_ops gx1_dc_ops = {
42775 +const struct geode_dc_ops gx1_dc_ops = {
42776 .set_mode = gx1_set_mode,
42777 .set_palette_reg = gx1_set_hw_palette_reg,
42778 };
42779 diff -urNp linux-2.6.39.1/drivers/video/geode/display_gx1.h linux-2.6.39.1/drivers/video/geode/display_gx1.h
42780 --- linux-2.6.39.1/drivers/video/geode/display_gx1.h 2011-05-19 00:06:34.000000000 -0400
42781 +++ linux-2.6.39.1/drivers/video/geode/display_gx1.h 2011-05-22 19:36:32.000000000 -0400
42782 @@ -18,7 +18,7 @@
42783 unsigned gx1_gx_base(void);
42784 int gx1_frame_buffer_size(void);
42785
42786 -extern struct geode_dc_ops gx1_dc_ops;
42787 +extern const struct geode_dc_ops gx1_dc_ops;
42788
42789 /* GX1 configuration I/O registers */
42790
42791 diff -urNp linux-2.6.39.1/drivers/video/geode/geodefb.h linux-2.6.39.1/drivers/video/geode/geodefb.h
42792 --- linux-2.6.39.1/drivers/video/geode/geodefb.h 2011-05-19 00:06:34.000000000 -0400
42793 +++ linux-2.6.39.1/drivers/video/geode/geodefb.h 2011-05-22 19:36:32.000000000 -0400
42794 @@ -31,8 +31,8 @@ struct geodefb_par {
42795 int panel_y;
42796 void __iomem *dc_regs;
42797 void __iomem *vid_regs;
42798 - struct geode_dc_ops *dc_ops;
42799 - struct geode_vid_ops *vid_ops;
42800 + const struct geode_dc_ops *dc_ops;
42801 + const struct geode_vid_ops *vid_ops;
42802 };
42803
42804 #endif /* !__GEODEFB_H__ */
42805 diff -urNp linux-2.6.39.1/drivers/video/geode/video_cs5530.c linux-2.6.39.1/drivers/video/geode/video_cs5530.c
42806 --- linux-2.6.39.1/drivers/video/geode/video_cs5530.c 2011-05-19 00:06:34.000000000 -0400
42807 +++ linux-2.6.39.1/drivers/video/geode/video_cs5530.c 2011-05-22 19:36:32.000000000 -0400
42808 @@ -186,7 +186,7 @@ static int cs5530_blank_display(struct f
42809 return 0;
42810 }
42811
42812 -struct geode_vid_ops cs5530_vid_ops = {
42813 +const struct geode_vid_ops cs5530_vid_ops = {
42814 .set_dclk = cs5530_set_dclk_frequency,
42815 .configure_display = cs5530_configure_display,
42816 .blank_display = cs5530_blank_display,
42817 diff -urNp linux-2.6.39.1/drivers/video/geode/video_cs5530.h linux-2.6.39.1/drivers/video/geode/video_cs5530.h
42818 --- linux-2.6.39.1/drivers/video/geode/video_cs5530.h 2011-05-19 00:06:34.000000000 -0400
42819 +++ linux-2.6.39.1/drivers/video/geode/video_cs5530.h 2011-05-22 19:36:32.000000000 -0400
42820 @@ -15,7 +15,7 @@
42821 #ifndef __VIDEO_CS5530_H__
42822 #define __VIDEO_CS5530_H__
42823
42824 -extern struct geode_vid_ops cs5530_vid_ops;
42825 +extern const struct geode_vid_ops cs5530_vid_ops;
42826
42827 /* CS5530 Video device registers */
42828
42829 diff -urNp linux-2.6.39.1/drivers/video/i810/i810_accel.c linux-2.6.39.1/drivers/video/i810/i810_accel.c
42830 --- linux-2.6.39.1/drivers/video/i810/i810_accel.c 2011-05-19 00:06:34.000000000 -0400
42831 +++ linux-2.6.39.1/drivers/video/i810/i810_accel.c 2011-05-22 19:36:32.000000000 -0400
42832 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
42833 }
42834 }
42835 printk("ringbuffer lockup!!!\n");
42836 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
42837 i810_report_error(mmio);
42838 par->dev_flags |= LOCKUP;
42839 info->pixmap.scan_align = 1;
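Review bot: The added `printk` has no log level and no driver prefix, so the lockup diagnostics are logged at the default level and are hard to attribute in a shared kernel log. `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would address both. The declarations of `head`, `tail` and `space` are outside the hunk, so confirm they are unsigned 32-bit values to match `%u`. wait_for_space() starts above the hunk.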
42840 diff -urNp linux-2.6.39.1/drivers/video/matrox/matroxfb_base.c linux-2.6.39.1/drivers/video/matrox/matroxfb_base.c
42841 --- linux-2.6.39.1/drivers/video/matrox/matroxfb_base.c 2011-05-19 00:06:34.000000000 -0400
42842 +++ linux-2.6.39.1/drivers/video/matrox/matroxfb_base.c 2011-05-22 19:36:32.000000000 -0400
42843 @@ -1232,7 +1232,7 @@ static struct fb_ops matroxfb_ops = {
42844 #define RSText 0x7
42845 #define RSText8 0x8
42846 /* 9-F */
42847 -static struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
42848 +static const struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
42849 { { 0, 8, 0}, { 0, 8, 0}, { 0, 8, 0}, { 0, 0, 0}, 8 },
42850 { { 10, 5, 0}, { 5, 5, 0}, { 0, 5, 0}, { 15, 1, 0}, 16 },
42851 { { 11, 5, 0}, { 5, 6, 0}, { 0, 5, 0}, { 0, 0, 0}, 16 },
42852 diff -urNp linux-2.6.39.1/drivers/video/omap/lcd_ams_delta.c linux-2.6.39.1/drivers/video/omap/lcd_ams_delta.c
42853 --- linux-2.6.39.1/drivers/video/omap/lcd_ams_delta.c 2011-05-19 00:06:34.000000000 -0400
42854 +++ linux-2.6.39.1/drivers/video/omap/lcd_ams_delta.c 2011-05-22 19:36:32.000000000 -0400
42855 @@ -87,7 +87,7 @@ static int ams_delta_lcd_get_contrast(st
42856 return ams_delta_lcd & AMS_DELTA_MAX_CONTRAST;
42857 }
42858
42859 -static struct lcd_ops ams_delta_lcd_ops = {
42860 +static const struct lcd_ops ams_delta_lcd_ops = {
42861 .get_power = ams_delta_lcd_get_power,
42862 .set_power = ams_delta_lcd_set_power,
42863 .get_contrast = ams_delta_lcd_get_contrast,
42864 diff -urNp linux-2.6.39.1/drivers/video/pxa3xx-gcu.c linux-2.6.39.1/drivers/video/pxa3xx-gcu.c
42865 --- linux-2.6.39.1/drivers/video/pxa3xx-gcu.c 2011-05-19 00:06:34.000000000 -0400
42866 +++ linux-2.6.39.1/drivers/video/pxa3xx-gcu.c 2011-05-22 19:36:32.000000000 -0400
42867 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
42868 dma_addr_t shared_phys;
42869 struct resource *resource_mem;
42870 struct miscdevice misc_dev;
42871 - struct file_operations misc_fops;
42872 + const struct file_operations misc_fops;
42873 wait_queue_head_t wait_idle;
42874 wait_queue_head_t wait_free;
42875 spinlock_t spinlock;
42876 diff -urNp linux-2.6.39.1/drivers/video/sh_mobile_lcdcfb.c linux-2.6.39.1/drivers/video/sh_mobile_lcdcfb.c
42877 --- linux-2.6.39.1/drivers/video/sh_mobile_lcdcfb.c 2011-05-19 00:06:34.000000000 -0400
42878 +++ linux-2.6.39.1/drivers/video/sh_mobile_lcdcfb.c 2011-05-22 19:36:32.000000000 -0400
42879 @@ -245,7 +245,7 @@ static unsigned long lcdc_sys_read_data(
42880 return lcdc_read(ch->lcdc, _LDDRDR) & 0x3ffff;
42881 }
42882
42883 -struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
42884 +const struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
42885 lcdc_sys_write_index,
42886 lcdc_sys_write_data,
42887 lcdc_sys_read_data,
42888 diff -urNp linux-2.6.39.1/drivers/video/udlfb.c linux-2.6.39.1/drivers/video/udlfb.c
42889 --- linux-2.6.39.1/drivers/video/udlfb.c 2011-05-19 00:06:34.000000000 -0400
42890 +++ linux-2.6.39.1/drivers/video/udlfb.c 2011-05-22 19:36:32.000000000 -0400
42891 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
42892 dlfb_urb_completion(urb);
42893
42894 error:
42895 - atomic_add(bytes_sent, &dev->bytes_sent);
42896 - atomic_add(bytes_identical, &dev->bytes_identical);
42897 - atomic_add(width*height*2, &dev->bytes_rendered);
42898 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
42899 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
42900 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
42901 end_cycles = get_cycles();
42902 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
42903 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
42904 >> 10)), /* Kcycles */
42905 &dev->cpu_kcycles_used);
42906
42907 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
42908 dlfb_urb_completion(urb);
42909
42910 error:
42911 - atomic_add(bytes_sent, &dev->bytes_sent);
42912 - atomic_add(bytes_identical, &dev->bytes_identical);
42913 - atomic_add(bytes_rendered, &dev->bytes_rendered);
42914 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
42915 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
42916 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
42917 end_cycles = get_cycles();
42918 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
42919 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
42920 >> 10)), /* Kcycles */
42921 &dev->cpu_kcycles_used);
42922 }
42923 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
42924 struct fb_info *fb_info = dev_get_drvdata(fbdev);
42925 struct dlfb_data *dev = fb_info->par;
42926 return snprintf(buf, PAGE_SIZE, "%u\n",
42927 - atomic_read(&dev->bytes_rendered));
42928 + atomic_read_unchecked(&dev->bytes_rendered));
42929 }
42930
42931 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
42932 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
42933 struct fb_info *fb_info = dev_get_drvdata(fbdev);
42934 struct dlfb_data *dev = fb_info->par;
42935 return snprintf(buf, PAGE_SIZE, "%u\n",
42936 - atomic_read(&dev->bytes_identical));
42937 + atomic_read_unchecked(&dev->bytes_identical));
42938 }
42939
42940 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
42941 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
42942 struct fb_info *fb_info = dev_get_drvdata(fbdev);
42943 struct dlfb_data *dev = fb_info->par;
42944 return snprintf(buf, PAGE_SIZE, "%u\n",
42945 - atomic_read(&dev->bytes_sent));
42946 + atomic_read_unchecked(&dev->bytes_sent));
42947 }
42948
42949 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
42950 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
42951 struct fb_info *fb_info = dev_get_drvdata(fbdev);
42952 struct dlfb_data *dev = fb_info->par;
42953 return snprintf(buf, PAGE_SIZE, "%u\n",
42954 - atomic_read(&dev->cpu_kcycles_used));
42955 + atomic_read_unchecked(&dev->cpu_kcycles_used));
42956 }
42957
42958 static ssize_t edid_show(
42959 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
42960 struct fb_info *fb_info = dev_get_drvdata(fbdev);
42961 struct dlfb_data *dev = fb_info->par;
42962
42963 - atomic_set(&dev->bytes_rendered, 0);
42964 - atomic_set(&dev->bytes_identical, 0);
42965 - atomic_set(&dev->bytes_sent, 0);
42966 - atomic_set(&dev->cpu_kcycles_used, 0);
42967 + atomic_set_unchecked(&dev->bytes_rendered, 0);
42968 + atomic_set_unchecked(&dev->bytes_identical, 0);
42969 + atomic_set_unchecked(&dev->bytes_sent, 0);
42970 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
42971
42972 return count;
42973 }
42974 diff -urNp linux-2.6.39.1/drivers/video/uvesafb.c linux-2.6.39.1/drivers/video/uvesafb.c
42975 --- linux-2.6.39.1/drivers/video/uvesafb.c 2011-05-19 00:06:34.000000000 -0400
42976 +++ linux-2.6.39.1/drivers/video/uvesafb.c 2011-05-22 19:36:32.000000000 -0400
42977 @@ -19,6 +19,7 @@
42978 #include <linux/io.h>
42979 #include <linux/mutex.h>
42980 #include <linux/slab.h>
42981 +#include <linux/moduleloader.h>
42982 #include <video/edid.h>
42983 #include <video/uvesafb.h>
42984 #ifdef CONFIG_X86
42985 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
42986 NULL,
42987 };
42988
42989 - return call_usermodehelper(v86d_path, argv, envp, 1);
42990 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
42991 }
42992
42993 /*
42994 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
42995 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
42996 par->pmi_setpal = par->ypan = 0;
42997 } else {
42998 +
42999 +#ifdef CONFIG_PAX_KERNEXEC
43000 +#ifdef CONFIG_MODULES
43001 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43002 +#endif
43003 + if (!par->pmi_code) {
43004 + par->pmi_setpal = par->ypan = 0;
43005 + return 0;
43006 + }
43007 +#endif
43008 +
43009 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43010 + task->t.regs.edi);
43011 +
43012 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43013 + pax_open_kernel();
43014 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43015 + pax_close_kernel();
43016 +
43017 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43018 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43019 +#else
43020 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43021 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43022 +#endif
43023 +
43024 printk(KERN_INFO "uvesafb: protected mode interface info at "
43025 "%04x:%04x\n",
43026 (u16)task->t.regs.es, (u16)task->t.regs.edi);
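Review bot: In the KERNEXEC branch `par->pmi_start` and `par->pmi_pal` are computed from `par->pmi_base[1]` and `par->pmi_base[2]` without checking that those offsets fall inside the `(u16)task->t.regs.ecx` bytes that were allocated and copied into `par->pmi_code`. The table contents come from the helper's BIOS reply, so an offset at or past that length would leave the entry points outside the executable copy. Rejecting such a table before the `memcpy` and falling back to `pmi_setpal = ypan = 0`, as the allocation-failure path already does, closes that gap. uvesafb_vbe_getpmi() starts above and continues below the hunk, so the early `return 0` paths should also be checked against whatever follows the `else` block.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* entry offsets come from the BIOS table; keep them inside the copy */
		if (par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			module_free_exec(NULL, par->pmi_code);
			par->pmi_code = NULL;
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
		/* … unchanged: pax_open_kernel(), memcpy into pmi_code, pax_close_kernel(), pmi_start/pmi_pal … */
```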
43027 @@ -1821,6 +1844,11 @@ out:
43028 if (par->vbe_modes)
43029 kfree(par->vbe_modes);
43030
43031 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43032 + if (par->pmi_code)
43033 + module_free_exec(NULL, par->pmi_code);
43034 +#endif
43035 +
43036 framebuffer_release(info);
43037 return err;
43038 }
43039 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
43040 kfree(par->vbe_state_orig);
43041 if (par->vbe_state_saved)
43042 kfree(par->vbe_state_saved);
43043 +
43044 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43045 + if (par->pmi_code)
43046 + module_free_exec(NULL, par->pmi_code);
43047 +#endif
43048 +
43049 }
43050
43051 framebuffer_release(info);
43052 @@ -2013,7 +2047,7 @@ static int param_set_scroll(const char *
43053
43054 return 0;
43055 }
43056 -static struct kernel_param_ops param_ops_scroll = {
43057 +static const struct kernel_param_ops param_ops_scroll = {
43058 .set = param_set_scroll,
43059 };
43060 #define param_check_scroll(name, p) __param_check(name, p, void)
43061 diff -urNp linux-2.6.39.1/drivers/video/vesafb.c linux-2.6.39.1/drivers/video/vesafb.c
43062 --- linux-2.6.39.1/drivers/video/vesafb.c 2011-05-19 00:06:34.000000000 -0400
43063 +++ linux-2.6.39.1/drivers/video/vesafb.c 2011-05-22 19:36:32.000000000 -0400
43064 @@ -9,6 +9,7 @@
43065 */
43066
43067 #include <linux/module.h>
43068 +#include <linux/moduleloader.h>
43069 #include <linux/kernel.h>
43070 #include <linux/errno.h>
43071 #include <linux/string.h>
43072 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
43073 static int vram_total __initdata; /* Set total amount of memory */
43074 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43075 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43076 -static void (*pmi_start)(void) __read_mostly;
43077 -static void (*pmi_pal) (void) __read_mostly;
43078 +static void (*pmi_start)(void) __read_only;
43079 +static void (*pmi_pal) (void) __read_only;
43080 static int depth __read_mostly;
43081 static int vga_compat __read_mostly;
43082 /* --------------------------------------------------------------------- */
43083 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
43084 unsigned int size_vmode;
43085 unsigned int size_remap;
43086 unsigned int size_total;
43087 + void *pmi_code = NULL;
43088
43089 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43090 return -ENODEV;
43091 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
43092 size_remap = size_total;
43093 vesafb_fix.smem_len = size_remap;
43094
43095 -#ifndef __i386__
43096 - screen_info.vesapm_seg = 0;
43097 -#endif
43098 -
43099 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43100 printk(KERN_WARNING
43101 "vesafb: cannot reserve video memory at 0x%lx\n",
43102 @@ -306,9 +304,21 @@ static int __init vesafb_probe(struct pl
43103 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43104 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43105
43106 +#ifdef __i386__
43107 +
43108 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43109 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43110 + if (!pmi_code)
43111 +#elif !defined(CONFIG_PAX_KERNEXEC)
43112 + if (0)
43113 +#endif
43114 +
43115 +#endif
43116 + screen_info.vesapm_seg = 0;
43117 +
43118 if (screen_info.vesapm_seg) {
43119 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43120 - screen_info.vesapm_seg,screen_info.vesapm_off);
43121 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43122 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43123 }
43124
43125 if (screen_info.vesapm_seg < 0xc000)
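Review bot: The `screen_info.vesapm_seg = 0;` statement after the nested `#endif`s takes its controlling `if` from whichever preprocessor branch is compiled, so it is easy to misread as unconditional. As written it is unconditional off i386 and on i386 with KERNEXEC but without MODULES, guarded by `if (!pmi_code)` with MODULES and KERNEXEC, and dead under `if (0)` otherwise; a comment above `#ifdef __i386__` listing those cases would help. The allocation also happens before the `vesapm_seg < 0xc000` test, so when the interface is rejected there the executable buffer appears to stay allocated on the success path, since only the `err:` label frees it in the visible hunks. vesafb_probe continues outside the hunk.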
43126 @@ -316,9 +326,25 @@ static int __init vesafb_probe(struct pl
43127
43128 if (ypan || pmi_setpal) {
43129 unsigned short *pmi_base;
43130 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43131 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43132 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43133 +
43134 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43135 +
43136 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43137 + pax_open_kernel();
43138 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43139 +#else
43140 + pmi_code = pmi_base;
43141 +#endif
43142 +
43143 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43144 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43145 +
43146 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43147 + pmi_start = ktva_ktla(pmi_start);
43148 + pmi_pal = ktva_ktla(pmi_pal);
43149 + pax_close_kernel();
43150 +#endif
43151 +
43152 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43153 if (pmi_base[3]) {
43154 printk(KERN_INFO "vesafb: pmi: ports = ");
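Review bot: The entry offsets `pmi_base[1]` and `pmi_base[2]` are added to `pmi_code` without being compared with `screen_info.vesapm_size`, although the KERNEXEC branch allocates and copies only `vesapm_size` bytes. Both values come from firmware-provided data, so an offset at or past the size would leave `pmi_start`/`pmi_pal` pointing outside the executable copy. A guard before the assignments, such as `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size) ypan = pmi_setpal = 0;` with the assignments skipped in that case, would close this. The uvesafb hunk earlier in the patch computes `par->pmi_code + par->pmi_base[1]` the same way. The enclosing `if (ypan || pmi_setpal)` block continues outside the hunk.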
43155 @@ -487,6 +513,11 @@ static int __init vesafb_probe(struct pl
43156 info->node, info->fix.id);
43157 return 0;
43158 err:
43159 +
43160 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43161 + module_free_exec(NULL, pmi_code);
43162 +#endif
43163 +
43164 if (info->screen_base)
43165 iounmap(info->screen_base);
43166 framebuffer_release(info);
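Review bot: `module_free_exec(NULL, pmi_code)` under `err:` runs without a NULL test, while the two uvesafb hunks in this patch guard the same call with `if (par->pmi_code)`. `pmi_code` is initialised to NULL and stays NULL when `module_alloc_exec()` fails, and whether `module_free_exec()` accepts NULL is not visible here. For consistency the line could read `if (pmi_code) module_free_exec(NULL, pmi_code);`.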
43167 diff -urNp linux-2.6.39.1/drivers/virtio/virtio_balloon.c linux-2.6.39.1/drivers/virtio/virtio_balloon.c
43168 --- linux-2.6.39.1/drivers/virtio/virtio_balloon.c 2011-05-19 00:06:34.000000000 -0400
43169 +++ linux-2.6.39.1/drivers/virtio/virtio_balloon.c 2011-05-22 19:36:32.000000000 -0400
43170 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
43171 struct sysinfo i;
43172 int idx = 0;
43173
43174 + pax_track_stack();
43175 +
43176 all_vm_events(events);
43177 si_meminfo(&i);
43178
43179 diff -urNp linux-2.6.39.1/drivers/xen/gntalloc.c linux-2.6.39.1/drivers/xen/gntalloc.c
43180 --- linux-2.6.39.1/drivers/xen/gntalloc.c 2011-05-19 00:06:34.000000000 -0400
43181 +++ linux-2.6.39.1/drivers/xen/gntalloc.c 2011-05-22 19:36:32.000000000 -0400
43182 @@ -440,7 +440,7 @@ static void gntalloc_vma_close(struct vm
43183 spin_unlock(&gref_lock);
43184 }
43185
43186 -static struct vm_operations_struct gntalloc_vmops = {
43187 +static const struct vm_operations_struct gntalloc_vmops = {
43188 .close = gntalloc_vma_close,
43189 };
43190
43191 diff -urNp linux-2.6.39.1/drivers/xen/gntdev.c linux-2.6.39.1/drivers/xen/gntdev.c
43192 --- linux-2.6.39.1/drivers/xen/gntdev.c 2011-05-19 00:06:34.000000000 -0400
43193 +++ linux-2.6.39.1/drivers/xen/gntdev.c 2011-05-22 19:36:32.000000000 -0400
43194 @@ -340,7 +340,7 @@ static void gntdev_vma_close(struct vm_a
43195 gntdev_put_map(map);
43196 }
43197
43198 -static struct vm_operations_struct gntdev_vmops = {
43199 +static const struct vm_operations_struct gntdev_vmops = {
43200 .close = gntdev_vma_close,
43201 };
43202
43203 @@ -404,7 +404,7 @@ static void mn_release(struct mmu_notifi
43204 spin_unlock(&priv->lock);
43205 }
43206
43207 -struct mmu_notifier_ops gntdev_mmu_ops = {
43208 +const struct mmu_notifier_ops gntdev_mmu_ops = {
43209 .release = mn_release,
43210 .invalidate_page = mn_invl_page,
43211 .invalidate_range_start = mn_invl_range_start,
43212 diff -urNp linux-2.6.39.1/drivers/xen/xenfs/privcmd.c linux-2.6.39.1/drivers/xen/xenfs/privcmd.c
43213 --- linux-2.6.39.1/drivers/xen/xenfs/privcmd.c 2011-05-19 00:06:34.000000000 -0400
43214 +++ linux-2.6.39.1/drivers/xen/xenfs/privcmd.c 2011-05-22 19:36:32.000000000 -0400
43215 @@ -268,7 +268,7 @@ static int mmap_return_errors(void *data
43216 return put_user(*mfnp, st->user++);
43217 }
43218
43219 -static struct vm_operations_struct privcmd_vm_ops;
43220 +static const struct vm_operations_struct privcmd_vm_ops;
43221
43222 static long privcmd_ioctl_mmap_batch(void __user *udata)
43223 {
43224 @@ -369,7 +369,7 @@ static int privcmd_fault(struct vm_area_
43225 return VM_FAULT_SIGBUS;
43226 }
43227
43228 -static struct vm_operations_struct privcmd_vm_ops = {
43229 +static const struct vm_operations_struct privcmd_vm_ops = {
43230 .fault = privcmd_fault
43231 };
43232
43233 diff -urNp linux-2.6.39.1/fs/9p/vfs_inode.c linux-2.6.39.1/fs/9p/vfs_inode.c
43234 --- linux-2.6.39.1/fs/9p/vfs_inode.c 2011-05-19 00:06:34.000000000 -0400
43235 +++ linux-2.6.39.1/fs/9p/vfs_inode.c 2011-05-22 19:36:32.000000000 -0400
43236 @@ -1210,7 +1210,7 @@ static void *v9fs_vfs_follow_link(struct
43237 void
43238 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43239 {
43240 - char *s = nd_get_link(nd);
43241 + const char *s = nd_get_link(nd);
43242
43243 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43244 IS_ERR(s) ? "<error>" : s);
43245 diff -urNp linux-2.6.39.1/fs/aio.c linux-2.6.39.1/fs/aio.c
43246 --- linux-2.6.39.1/fs/aio.c 2011-05-19 00:06:34.000000000 -0400
43247 +++ linux-2.6.39.1/fs/aio.c 2011-06-03 01:00:34.000000000 -0400
43248 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
43249 size += sizeof(struct io_event) * nr_events;
43250 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43251
43252 - if (nr_pages < 0)
43253 + if (nr_pages <= 0)
43254 return -EINVAL;
43255
43256 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
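Review bot: The reason for widening the test to `nr_pages <= 0` is not recorded, and the condition alone does not explain it. With `nr_pages == 0` the expression two lines below, `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)`, would underflow before the division, so a comment such as `/* nr_pages == 0 would make the nr_events computation below wrap */` would document why zero is rejected. aio_setup_ring starts and ends outside the hunk, so the declared types of `size` and `nr_pages` are not visible here.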
43257 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
43258 struct aio_timeout to;
43259 int retry = 0;
43260
43261 + pax_track_stack();
43262 +
43263 /* needed to zero any padding within an entry (there shouldn't be
43264 * any, but C is fun!
43265 */
43266 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
43267 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
43268 {
43269 ssize_t ret;
43270 + struct iovec iovstack;
43271
43272 #ifdef CONFIG_COMPAT
43273 if (compat)
43274 ret = compat_rw_copy_check_uvector(type,
43275 (struct compat_iovec __user *)kiocb->ki_buf,
43276 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43277 + kiocb->ki_nbytes, 1, &iovstack,
43278 &kiocb->ki_iovec);
43279 else
43280 #endif
43281 ret = rw_copy_check_uvector(type,
43282 (struct iovec __user *)kiocb->ki_buf,
43283 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43284 + kiocb->ki_nbytes, 1, &iovstack,
43285 &kiocb->ki_iovec);
43286 if (ret < 0)
43287 goto out;
43288
43289 + if (kiocb->ki_iovec == &iovstack) {
43290 + kiocb->ki_inline_vec = iovstack;
43291 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
43292 + }
43293 kiocb->ki_nr_segs = kiocb->ki_nbytes;
43294 kiocb->ki_cur_seg = 0;
43295 /* ki_nbytes/left now reflect bytes instead of segs */
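Review bot: On the `ret < 0` path the function jumps to `out` before the new fix-up block runs, so `kiocb->ki_iovec` may be left pointing at the local `iovstack` after return. That depends on whether `rw_copy_check_uvector()` and `compat_rw_copy_check_uvector()` store the fast-buffer pointer on failure, which is not visible in this hunk; if they do, any later cleanup that compares `ki_iovec` with `&kiocb->ki_inline_vec` would see a stale stack address. Moving the `if (kiocb->ki_iovec == &iovstack)` block above `if (ret < 0)` would keep the pointer valid on both paths. A one-line comment on why the vector is staged in a stack `struct iovec` first would also help; the `out` label is outside the hunk.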
43296 diff -urNp linux-2.6.39.1/fs/attr.c linux-2.6.39.1/fs/attr.c
43297 --- linux-2.6.39.1/fs/attr.c 2011-05-19 00:06:34.000000000 -0400
43298 +++ linux-2.6.39.1/fs/attr.c 2011-05-22 19:41:37.000000000 -0400
43299 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
43300 unsigned long limit;
43301
43302 limit = rlimit(RLIMIT_FSIZE);
43303 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43304 if (limit != RLIM_INFINITY && offset > limit)
43305 goto out_sig;
43306 if (offset > inode->i_sb->s_maxbytes)
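Review bot: The cast `(unsigned long)offset` in the new `gr_learn_resource()` call can drop the upper bits on 32-bit builds if `offset` is a 64-bit `loff_t`; its declaration is outside the hunk. The limit check on the next line still uses the full `offset`, so enforcement is unaffected, but the value recorded for RLIMIT_FSIZE could be smaller than the size actually requested. Clamping instead of truncating, `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`, would keep the learned value conservative.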
43307 diff -urNp linux-2.6.39.1/fs/befs/linuxvfs.c linux-2.6.39.1/fs/befs/linuxvfs.c
43308 --- linux-2.6.39.1/fs/befs/linuxvfs.c 2011-05-19 00:06:34.000000000 -0400
43309 +++ linux-2.6.39.1/fs/befs/linuxvfs.c 2011-05-22 19:36:32.000000000 -0400
43310 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43311 {
43312 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43313 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43314 - char *link = nd_get_link(nd);
43315 + const char *link = nd_get_link(nd);
43316 if (!IS_ERR(link))
43317 kfree(link);
43318 }
43319 diff -urNp linux-2.6.39.1/fs/binfmt_aout.c linux-2.6.39.1/fs/binfmt_aout.c
43320 --- linux-2.6.39.1/fs/binfmt_aout.c 2011-05-19 00:06:34.000000000 -0400
43321 +++ linux-2.6.39.1/fs/binfmt_aout.c 2011-05-22 19:41:37.000000000 -0400
43322 @@ -16,6 +16,7 @@
43323 #include <linux/string.h>
43324 #include <linux/fs.h>
43325 #include <linux/file.h>
43326 +#include <linux/security.h>
43327 #include <linux/stat.h>
43328 #include <linux/fcntl.h>
43329 #include <linux/ptrace.h>
43330 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
43331 #endif
43332 # define START_STACK(u) ((void __user *)u.start_stack)
43333
43334 + memset(&dump, 0, sizeof(dump));
43335 +
43336 fs = get_fs();
43337 set_fs(KERNEL_DS);
43338 has_dumped = 1;
43339 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
43340
43341 /* If the size of the dump file exceeds the rlimit, then see what would happen
43342 if we wrote the stack, but not the data area. */
43343 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43344 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
43345 dump.u_dsize = 0;
43346
43347 /* Make sure we have enough room to write the stack and data areas. */
43348 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43349 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
43350 dump.u_ssize = 0;
43351
43352 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
43353 rlim = rlimit(RLIMIT_DATA);
43354 if (rlim >= RLIM_INFINITY)
43355 rlim = ~0;
43356 +
43357 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43358 if (ex.a_data + ex.a_bss > rlim)
43359 return -ENOMEM;
43360
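Review bot: The sum `ex.a_data + ex.a_bss` passed to `gr_learn_resource()` and compared with `rlim` is built from two header fields of the file being executed, and nothing in the hunk stops it from wrapping. If the fields are 32-bit unsigned (their declaration is not visible here), a wrapped sum would pass the limit test and also record a small learned value. Checking the parts separately avoids that: `if (ex.a_data > rlim || ex.a_bss > rlim - ex.a_data) return -ENOMEM;`. load_aout_binary continues outside the hunk.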
43361 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
43362 install_exec_creds(bprm);
43363 current->flags &= ~PF_FORKNOEXEC;
43364
43365 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43366 + current->mm->pax_flags = 0UL;
43367 +#endif
43368 +
43369 +#ifdef CONFIG_PAX_PAGEEXEC
43370 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43371 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43372 +
43373 +#ifdef CONFIG_PAX_EMUTRAMP
43374 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43375 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43376 +#endif
43377 +
43378 +#ifdef CONFIG_PAX_MPROTECT
43379 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43380 + current->mm->pax_flags |= MF_PAX_MPROTECT;
43381 +#endif
43382 +
43383 + }
43384 +#endif
43385 +
43386 if (N_MAGIC(ex) == OMAGIC) {
43387 unsigned long text_addr, map_size;
43388 loff_t pos;
43389 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
43390
43391 down_write(&current->mm->mmap_sem);
43392 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43393 - PROT_READ | PROT_WRITE | PROT_EXEC,
43394 + PROT_READ | PROT_WRITE,
43395 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43396 fd_offset + ex.a_text);
43397 up_write(&current->mm->mmap_sem);
43398 diff -urNp linux-2.6.39.1/fs/binfmt_elf.c linux-2.6.39.1/fs/binfmt_elf.c
43399 --- linux-2.6.39.1/fs/binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
43400 +++ linux-2.6.39.1/fs/binfmt_elf.c 2011-05-22 19:41:37.000000000 -0400
43401 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
43402 #define elf_core_dump NULL
43403 #endif
43404
43405 +#ifdef CONFIG_PAX_MPROTECT
43406 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43407 +#endif
43408 +
43409 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43410 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43411 #else
43412 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
43413 .load_binary = load_elf_binary,
43414 .load_shlib = load_elf_library,
43415 .core_dump = elf_core_dump,
43416 +
43417 +#ifdef CONFIG_PAX_MPROTECT
43418 + .handle_mprotect= elf_handle_mprotect,
43419 +#endif
43420 +
43421 .min_coredump = ELF_EXEC_PAGESIZE,
43422 };
43423
43424 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43425
43426 static int set_brk(unsigned long start, unsigned long end)
43427 {
43428 + unsigned long e = end;
43429 +
43430 start = ELF_PAGEALIGN(start);
43431 end = ELF_PAGEALIGN(end);
43432 if (end > start) {
43433 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43434 if (BAD_ADDR(addr))
43435 return addr;
43436 }
43437 - current->mm->start_brk = current->mm->brk = end;
43438 + current->mm->start_brk = current->mm->brk = e;
43439 return 0;
43440 }
43441
43442 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43443 elf_addr_t __user *u_rand_bytes;
43444 const char *k_platform = ELF_PLATFORM;
43445 const char *k_base_platform = ELF_BASE_PLATFORM;
43446 - unsigned char k_rand_bytes[16];
43447 + u32 k_rand_bytes[4];
43448 int items;
43449 elf_addr_t *elf_info;
43450 int ei_index = 0;
43451 const struct cred *cred = current_cred();
43452 struct vm_area_struct *vma;
43453 + unsigned long saved_auxv[AT_VECTOR_SIZE];
43454 +
43455 + pax_track_stack();
43456
43457 /*
43458 * In some cases (e.g. Hyper-Threading), we want to avoid L1
43459 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43460 * Generate 16 random bytes for userspace PRNG seeding.
43461 */
43462 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43463 - u_rand_bytes = (elf_addr_t __user *)
43464 - STACK_ALLOC(p, sizeof(k_rand_bytes));
43465 + srandom32(k_rand_bytes[0] ^ random32());
43466 + srandom32(k_rand_bytes[1] ^ random32());
43467 + srandom32(k_rand_bytes[2] ^ random32());
43468 + srandom32(k_rand_bytes[3] ^ random32());
43469 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
43470 + u_rand_bytes = (elf_addr_t __user *) p;
43471 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43472 return -EFAULT;
43473
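Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls are undocumented, and the same `k_rand_bytes` words are handed to the new process a few lines later by `__copy_to_user()`. A comment should say why the exec path reseeds the `random32()` generator and make clear that part of the seed input is visible to the process being started. The switch from `STACK_ALLOC` to `p = STACK_ROUND(p, sizeof(k_rand_bytes))` passes a byte count, and whether `STACK_ROUND` expects bytes or items, and where `p` ends up on an upward-growing stack, is not visible here; that should be confirmed and noted in a comment. The existing "Generate 16 random bytes" comment still matches `u32 k_rand_bytes[4]`.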
43474 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43475 return -EFAULT;
43476 current->mm->env_end = p;
43477
43478 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43479 +
43480 /* Put the elf_info on the stack in the right place. */
43481 sp = (elf_addr_t __user *)envp + 1;
43482 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43483 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43484 return -EFAULT;
43485 return 0;
43486 }
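Review bot: The new `memcpy()` into the local `saved_auxv[AT_VECTOR_SIZE]` relies on `ei_index` never exceeding the array, and nothing in this hunk asserts that. The array is declared `unsigned long` in an earlier hunk while the length is computed with `sizeof(elf_addr_t)`; declaring it `elf_addr_t saved_auxv[AT_VECTOR_SIZE];` and adding `BUG_ON(ei_index > AT_VECTOR_SIZE);` before the copy would make the bound explicit. A comment on why the vector is staged on the stack before `copy_to_user()` is also missing. The local shares its name with the `mm->saved_auxv` field read in fill_auxv_note, which makes the two easy to confuse.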
43487 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
43488 {
43489 struct elf_phdr *elf_phdata;
43490 struct elf_phdr *eppnt;
43491 - unsigned long load_addr = 0;
43492 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43493 int load_addr_set = 0;
43494 unsigned long last_bss = 0, elf_bss = 0;
43495 - unsigned long error = ~0UL;
43496 + unsigned long error = -EINVAL;
43497 unsigned long total_size;
43498 int retval, i, size;
43499
43500 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
43501 goto out_close;
43502 }
43503
43504 +#ifdef CONFIG_PAX_SEGMEXEC
43505 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43506 + pax_task_size = SEGMEXEC_TASK_SIZE;
43507 +#endif
43508 +
43509 eppnt = elf_phdata;
43510 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43511 if (eppnt->p_type == PT_LOAD) {
43512 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
43513 k = load_addr + eppnt->p_vaddr;
43514 if (BAD_ADDR(k) ||
43515 eppnt->p_filesz > eppnt->p_memsz ||
43516 - eppnt->p_memsz > TASK_SIZE ||
43517 - TASK_SIZE - eppnt->p_memsz < k) {
43518 + eppnt->p_memsz > pax_task_size ||
43519 + pax_task_size - eppnt->p_memsz < k) {
43520 error = -ENOMEM;
43521 goto out_close;
43522 }
43523 @@ -528,6 +553,193 @@ out:
43524 return error;
43525 }
43526
43527 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43528 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43529 +{
43530 + unsigned long pax_flags = 0UL;
43531 +
43532 +#ifdef CONFIG_PAX_PAGEEXEC
43533 + if (elf_phdata->p_flags & PF_PAGEEXEC)
43534 + pax_flags |= MF_PAX_PAGEEXEC;
43535 +#endif
43536 +
43537 +#ifdef CONFIG_PAX_SEGMEXEC
43538 + if (elf_phdata->p_flags & PF_SEGMEXEC)
43539 + pax_flags |= MF_PAX_SEGMEXEC;
43540 +#endif
43541 +
43542 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43543 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43544 + if ((__supported_pte_mask & _PAGE_NX))
43545 + pax_flags &= ~MF_PAX_SEGMEXEC;
43546 + else
43547 + pax_flags &= ~MF_PAX_PAGEEXEC;
43548 + }
43549 +#endif
43550 +
43551 +#ifdef CONFIG_PAX_EMUTRAMP
43552 + if (elf_phdata->p_flags & PF_EMUTRAMP)
43553 + pax_flags |= MF_PAX_EMUTRAMP;
43554 +#endif
43555 +
43556 +#ifdef CONFIG_PAX_MPROTECT
43557 + if (elf_phdata->p_flags & PF_MPROTECT)
43558 + pax_flags |= MF_PAX_MPROTECT;
43559 +#endif
43560 +
43561 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43562 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43563 + pax_flags |= MF_PAX_RANDMMAP;
43564 +#endif
43565 +
43566 + return pax_flags;
43567 +}
43568 +#endif
43569 +
43570 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43571 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
43572 +{
43573 + unsigned long pax_flags = 0UL;
43574 +
43575 +#ifdef CONFIG_PAX_PAGEEXEC
43576 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
43577 + pax_flags |= MF_PAX_PAGEEXEC;
43578 +#endif
43579 +
43580 +#ifdef CONFIG_PAX_SEGMEXEC
43581 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
43582 + pax_flags |= MF_PAX_SEGMEXEC;
43583 +#endif
43584 +
43585 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43586 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43587 + if ((__supported_pte_mask & _PAGE_NX))
43588 + pax_flags &= ~MF_PAX_SEGMEXEC;
43589 + else
43590 + pax_flags &= ~MF_PAX_PAGEEXEC;
43591 + }
43592 +#endif
43593 +
43594 +#ifdef CONFIG_PAX_EMUTRAMP
43595 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
43596 + pax_flags |= MF_PAX_EMUTRAMP;
43597 +#endif
43598 +
43599 +#ifdef CONFIG_PAX_MPROTECT
43600 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
43601 + pax_flags |= MF_PAX_MPROTECT;
43602 +#endif
43603 +
43604 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43605 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
43606 + pax_flags |= MF_PAX_RANDMMAP;
43607 +#endif
43608 +
43609 + return pax_flags;
43610 +}
43611 +#endif
43612 +
43613 +#ifdef CONFIG_PAX_EI_PAX
43614 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
43615 +{
43616 + unsigned long pax_flags = 0UL;
43617 +
43618 +#ifdef CONFIG_PAX_PAGEEXEC
43619 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
43620 + pax_flags |= MF_PAX_PAGEEXEC;
43621 +#endif
43622 +
43623 +#ifdef CONFIG_PAX_SEGMEXEC
43624 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
43625 + pax_flags |= MF_PAX_SEGMEXEC;
43626 +#endif
43627 +
43628 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43629 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43630 + if ((__supported_pte_mask & _PAGE_NX))
43631 + pax_flags &= ~MF_PAX_SEGMEXEC;
43632 + else
43633 + pax_flags &= ~MF_PAX_PAGEEXEC;
43634 + }
43635 +#endif
43636 +
43637 +#ifdef CONFIG_PAX_EMUTRAMP
43638 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
43639 + pax_flags |= MF_PAX_EMUTRAMP;
43640 +#endif
43641 +
43642 +#ifdef CONFIG_PAX_MPROTECT
43643 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
43644 + pax_flags |= MF_PAX_MPROTECT;
43645 +#endif
43646 +
43647 +#ifdef CONFIG_PAX_ASLR
43648 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
43649 + pax_flags |= MF_PAX_RANDMMAP;
43650 +#endif
43651 +
43652 + return pax_flags;
43653 +}
43654 +#endif
43655 +
43656 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
43657 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
43658 +{
43659 + unsigned long pax_flags = 0UL;
43660 +
43661 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43662 + unsigned long i;
43663 + int found_flags = 0;
43664 +#endif
43665 +
43666 +#ifdef CONFIG_PAX_EI_PAX
43667 + pax_flags = pax_parse_ei_pax(elf_ex);
43668 +#endif
43669 +
43670 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43671 + for (i = 0UL; i < elf_ex->e_phnum; i++)
43672 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
43673 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
43674 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
43675 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
43676 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
43677 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
43678 + return -EINVAL;
43679 +
43680 +#ifdef CONFIG_PAX_SOFTMODE
43681 + if (pax_softmode)
43682 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
43683 + else
43684 +#endif
43685 +
43686 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
43687 + found_flags = 1;
43688 + break;
43689 + }
43690 +#endif
43691 +
43692 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
43693 + if (found_flags == 0) {
43694 + struct elf_phdr phdr;
43695 + memset(&phdr, 0, sizeof(phdr));
43696 + phdr.p_flags = PF_NOEMUTRAMP;
43697 +#ifdef CONFIG_PAX_SOFTMODE
43698 + if (pax_softmode)
43699 + pax_flags = pax_parse_softmode(&phdr);
43700 + else
43701 +#endif
43702 + pax_flags = pax_parse_hardmode(&phdr);
43703 + }
43704 +#endif
43705 +
43706 + if (0 > pax_check_flags(&pax_flags))
43707 + return -EINVAL;
43708 +
43709 + current->mm->pax_flags = pax_flags;
43710 + return 0;
43711 +}
43712 +#endif
43713 +
43714 /*
43715 * These are the functions used to load ELF style executables and shared
43716 * libraries. There is no binary dependent code anywhere else.
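Review bot: The block that resolves PAGEEXEC against SEGMEXEC is repeated verbatim in pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax, so any change to the selection rule has to be made in three places. A small static helper under the same `#if` would keep the rule in one spot, as sketched below. Separately, pax_parse_elf_flags is declared `static long` but returns only 0 or -EINVAL, so `int` would match how load_elf_binary tests it. The `else` left dangling across `#ifdef CONFIG_PAX_SOFTMODE` inside the PT_PAX_FLAGS loop would be safer with a comment marking what it binds to.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/*
 * Only one non-exec method may be active: keep PAGEEXEC when _PAGE_NX is
 * present in __supported_pte_mask, otherwise keep SEGMEXEC.
 */
static unsigned long pax_pick_noexec_method(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	if (__supported_pte_mask & _PAGE_NX)
		return pax_flags & ~MF_PAX_SEGMEXEC;
	return pax_flags & ~MF_PAX_PAGEEXEC;
}
#endif

/* … unchanged: PAGEEXEC/SEGMEXEC flag tests in each pax_parse_* function … */

#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	pax_flags = pax_pick_noexec_method(pax_flags);
#endif

/* … unchanged: EMUTRAMP, MPROTECT and RANDMMAP handling … */
```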
43717 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
43718 {
43719 unsigned int random_variable = 0;
43720
43721 +#ifdef CONFIG_PAX_RANDUSTACK
43722 + if (randomize_va_space)
43723 + return stack_top - current->mm->delta_stack;
43724 +#endif
43725 +
43726 if ((current->flags & PF_RANDOMIZE) &&
43727 !(current->personality & ADDR_NO_RANDOMIZE)) {
43728 random_variable = get_random_int() & STACK_RND_MASK;
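Review bot: The early `return stack_top - current->mm->delta_stack;` under CONFIG_PAX_RANDUSTACK has no comment, and it bypasses the stock path below whenever `randomize_va_space` is set. The `PF_RANDOMIZE` and `ADDR_NO_RANDOMIZE` tests then no longer apply, and a task whose `delta_stack` is zero gets an unrandomised stack top. A comment such as `/* PaX: delta_stack is chosen at exec time and is zero when RANDMMAP is off for this binary */` would make the intent explicit. The rest of randomize_stack_top is outside the hunk.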
43729 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
43730 unsigned long load_addr = 0, load_bias = 0;
43731 int load_addr_set = 0;
43732 char * elf_interpreter = NULL;
43733 - unsigned long error;
43734 + unsigned long error = 0;
43735 struct elf_phdr *elf_ppnt, *elf_phdata;
43736 unsigned long elf_bss, elf_brk;
43737 int retval, i;
43738 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
43739 unsigned long start_code, end_code, start_data, end_data;
43740 unsigned long reloc_func_desc __maybe_unused = 0;
43741 int executable_stack = EXSTACK_DEFAULT;
43742 - unsigned long def_flags = 0;
43743 struct {
43744 struct elfhdr elf_ex;
43745 struct elfhdr interp_elf_ex;
43746 } *loc;
43747 + unsigned long pax_task_size = TASK_SIZE;
43748
43749 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
43750 if (!loc) {
43751 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
43752
43753 /* OK, This is the point of no return */
43754 current->flags &= ~PF_FORKNOEXEC;
43755 - current->mm->def_flags = def_flags;
43756 +
43757 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43758 + current->mm->pax_flags = 0UL;
43759 +#endif
43760 +
43761 +#ifdef CONFIG_PAX_DLRESOLVE
43762 + current->mm->call_dl_resolve = 0UL;
43763 +#endif
43764 +
43765 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43766 + current->mm->call_syscall = 0UL;
43767 +#endif
43768 +
43769 +#ifdef CONFIG_PAX_ASLR
43770 + current->mm->delta_mmap = 0UL;
43771 + current->mm->delta_stack = 0UL;
43772 +#endif
43773 +
43774 + current->mm->def_flags = 0;
43775 +
43776 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
43777 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
43778 + send_sig(SIGKILL, current, 0);
43779 + goto out_free_dentry;
43780 + }
43781 +#endif
43782 +
43783 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
43784 + pax_set_initial_flags(bprm);
43785 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
43786 + if (pax_set_initial_flags_func)
43787 + (pax_set_initial_flags_func)(bprm);
43788 +#endif
43789 +
43790 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43791 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
43792 + current->mm->context.user_cs_limit = PAGE_SIZE;
43793 + current->mm->def_flags |= VM_PAGEEXEC;
43794 + }
43795 +#endif
43796 +
43797 +#ifdef CONFIG_PAX_SEGMEXEC
43798 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
43799 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
43800 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
43801 + pax_task_size = SEGMEXEC_TASK_SIZE;
43802 + current->mm->def_flags |= VM_NOHUGEPAGE;
43803 + }
43804 +#endif
43805 +
43806 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
43807 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43808 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
43809 + put_cpu();
43810 + }
43811 +#endif
43812
43813 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
43814 may depend on the personality. */
43815 SET_PERSONALITY(loc->elf_ex);
43816 +
43817 +#ifdef CONFIG_PAX_ASLR
43818 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
43819 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
43820 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
43821 + }
43822 +#endif
43823 +
43824 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43825 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43826 + executable_stack = EXSTACK_DISABLE_X;
43827 + current->personality &= ~READ_IMPLIES_EXEC;
43828 + } else
43829 +#endif
43830 +
43831 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
43832 current->personality |= READ_IMPLIES_EXEC;
43833
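Review bot: The new failure branch after `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, whereas the SIGKILL path in a later hunk of this function sets `retval = -EINVAL` first. What `retval` holds at this point is not visible in the hunk, so the function may report success for an exec that was just killed. Adding `retval = -EINVAL;` before the `goto` would match the other path. The `} else` left open before `#endif` so that it binds to the following `if (elf_read_implies_exec(...))` would also be clearer with a comment saying so.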
43834 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
43835 #else
43836 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
43837 #endif
43838 +
43839 +#ifdef CONFIG_PAX_RANDMMAP
43840 + /* PaX: randomize base address at the default exe base if requested */
43841 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
43842 +#ifdef CONFIG_SPARC64
43843 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
43844 +#else
43845 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
43846 +#endif
43847 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
43848 + elf_flags |= MAP_FIXED;
43849 + }
43850 +#endif
43851 +
43852 }
43853
43854 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
43855 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
43856 * allowed task size. Note that p_filesz must always be
43857 * <= p_memsz so it is only necessary to check p_memsz.
43858 */
43859 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
43860 - elf_ppnt->p_memsz > TASK_SIZE ||
43861 - TASK_SIZE - elf_ppnt->p_memsz < k) {
43862 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
43863 + elf_ppnt->p_memsz > pax_task_size ||
43864 + pax_task_size - elf_ppnt->p_memsz < k) {
43865 /* set_brk can never work. Avoid overflows. */
43866 send_sig(SIGKILL, current, 0);
43867 retval = -EINVAL;
43868 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
43869 start_data += load_bias;
43870 end_data += load_bias;
43871
43872 +#ifdef CONFIG_PAX_RANDMMAP
43873 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
43874 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
43875 +#endif
43876 +
43877 /* Calling set_brk effectively mmaps the pages that we need
43878 * for the bss and break sections. We must do this before
43879 * mapping in the interpreter, to make sure it doesn't wind
43880 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
43881 goto out_free_dentry;
43882 }
43883 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
43884 - send_sig(SIGSEGV, current, 0);
43885 - retval = -EFAULT; /* Nobody gets to see this, but.. */
43886 - goto out_free_dentry;
43887 + /*
43888 + * This bss-zeroing can fail if the ELF
43889 + * file specifies odd protections. So
43890 + * we don't check the return value
43891 + */
43892 }
43893
43894 if (elf_interpreter) {
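Review bot: After this change the `if` around `padzero(elf_bss)` has a body holding only a comment, so the call survives purely as a side effect inside a condition wrapped in `unlikely()`. A plain statement says the same thing directly: `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail for odd segment protections; ignored */`. Because a failure is now silent, the comment should also state what ensures the tail of the last bss page does not keep stale contents in that case; nothing in the hunk shows it.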
43895 @@ -1090,7 +1398,7 @@ out:
43896 * Decide what to dump of a segment, part, all or none.
43897 */
43898 static unsigned long vma_dump_size(struct vm_area_struct *vma,
43899 - unsigned long mm_flags)
43900 + unsigned long mm_flags, long signr)
43901 {
43902 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
43903
43904 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
43905 if (vma->vm_file == NULL)
43906 return 0;
43907
43908 - if (FILTER(MAPPED_PRIVATE))
43909 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
43910 goto whole;
43911
43912 /*
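Review bot: The added `signr == SIGKILL ||` test sends file-backed mappings down the `whole` path regardless of the `MAPPED_PRIVATE` filter bit, and no comment says why SIGKILL is treated specially. This overrides the per-process dump filter and can place more mapped content in the core file than the filter requested, which matters wherever core files are collected or shared. A comment such as `/* dump file-backed mappings in full when the task died from SIGKILL, ignoring the dump filter */` together with the reason would help. vma_dump_size starts and ends outside the hunk.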
43913 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
43914 {
43915 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
43916 int i = 0;
43917 - do
43918 + do {
43919 i += 2;
43920 - while (auxv[i - 2] != AT_NULL);
43921 + } while (auxv[i - 2] != AT_NULL);
43922 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
43923 }
43924
43925 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
43926 }
43927
43928 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
43929 - unsigned long mm_flags)
43930 + struct coredump_params *cprm)
43931 {
43932 struct vm_area_struct *vma;
43933 size_t size = 0;
43934
43935 for (vma = first_vma(current, gate_vma); vma != NULL;
43936 vma = next_vma(vma, gate_vma))
43937 - size += vma_dump_size(vma, mm_flags);
43938 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
43939 return size;
43940 }
43941
43942 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
43943
43944 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
43945
43946 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
43947 + offset += elf_core_vma_data_size(gate_vma, cprm);
43948 offset += elf_core_extra_data_size();
43949 e_shoff = offset;
43950
43951 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
43952 offset = dataoff;
43953
43954 size += sizeof(*elf);
43955 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
43956 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
43957 goto end_coredump;
43958
43959 size += sizeof(*phdr4note);
43960 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
43961 if (size > cprm->limit
43962 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
43963 goto end_coredump;
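Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is pasted in front of every `size > cprm->limit` test, twice in this hunk and again in the hunks at -1997, -2030 and -2047. The page-loop copy has to pass `size + PAGE_SIZE` because the increment there happens inside the condition. Folding the increment, the learning call and the limit comparison into one small static helper would keep the three from drifting apart when another write is added. The sketch below assumes `size` is a `size_t`, which is declared outside these hunks, as is the rest of elf_core_dump.

```c
/* Account @add bytes against RLIMIT_CORE; returns true when the dump must stop. */
static bool core_limit_hit(struct coredump_params *cprm, size_t *size, size_t add)
{
	*size += add;
	gr_learn_resource(current, RLIMIT_CORE, *size, 1);
	return *size > cprm->limit;
}

/* … unchanged: elf_core_dump() setup … */
	if (core_limit_hit(cprm, &size, sizeof(*elf)) ||
	    !dump_write(cprm->file, elf, sizeof(*elf)))
		goto end_coredump;
/* … the remaining size checks follow the same pattern … */
```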
43964 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
43965 phdr.p_offset = offset;
43966 phdr.p_vaddr = vma->vm_start;
43967 phdr.p_paddr = 0;
43968 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
43969 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
43970 phdr.p_memsz = vma->vm_end - vma->vm_start;
43971 offset += phdr.p_filesz;
43972 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
43973 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
43974 phdr.p_align = ELF_EXEC_PAGESIZE;
43975
43976 size += sizeof(phdr);
43977 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
43978 if (size > cprm->limit
43979 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
43980 goto end_coredump;
43981 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
43982 unsigned long addr;
43983 unsigned long end;
43984
43985 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
43986 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
43987
43988 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
43989 struct page *page;
43990 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
43991 page = get_dump_page(addr);
43992 if (page) {
43993 void *kaddr = kmap(page);
43994 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
43995 stop = ((size += PAGE_SIZE) > cprm->limit) ||
43996 !dump_write(cprm->file, kaddr,
43997 PAGE_SIZE);
43998 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
43999
44000 if (e_phnum == PN_XNUM) {
44001 size += sizeof(*shdr4extnum);
44002 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44003 if (size > cprm->limit
44004 || !dump_write(cprm->file, shdr4extnum,
44005 sizeof(*shdr4extnum)))
44006 @@ -2067,6 +2380,97 @@ out:
44007
44008 #endif /* CONFIG_ELF_CORE */
44009
44010 +#ifdef CONFIG_PAX_MPROTECT
44011 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44012 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44013 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44014 + *
44015 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44016 + * basis because we want to allow the common case and not the special ones.
44017 + */
44018 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44019 +{
44020 + struct elfhdr elf_h;
44021 + struct elf_phdr elf_p;
44022 + unsigned long i;
44023 + unsigned long oldflags;
44024 + bool is_textrel_rw, is_textrel_rx, is_relro;
44025 +
44026 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44027 + return;
44028 +
44029 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44030 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44031 +
44032 +#ifdef CONFIG_PAX_ELFRELOCS
44033 + /* possible TEXTREL */
44034 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44035 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44036 +#else
44037 + is_textrel_rw = false;
44038 + is_textrel_rx = false;
44039 +#endif
44040 +
44041 + /* possible RELRO */
44042 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44043 +
44044 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44045 + return;
44046 +
44047 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44048 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44049 +
44050 +#ifdef CONFIG_PAX_ETEXECRELOCS
44051 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44052 +#else
44053 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44054 +#endif
44055 +
44056 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44057 + !elf_check_arch(&elf_h) ||
44058 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44059 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44060 + return;
44061 +
44062 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44063 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44064 + return;
44065 + switch (elf_p.p_type) {
44066 + case PT_DYNAMIC:
44067 + if (!is_textrel_rw && !is_textrel_rx)
44068 + continue;
44069 + i = 0UL;
44070 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44071 + elf_dyn dyn;
44072 +
44073 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44074 + return;
44075 + if (dyn.d_tag == DT_NULL)
44076 + return;
44077 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44078 + gr_log_textrel(vma);
44079 + if (is_textrel_rw)
44080 + vma->vm_flags |= VM_MAYWRITE;
44081 + else
44082 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44083 + vma->vm_flags &= ~VM_MAYWRITE;
44084 + return;
44085 + }
44086 + i++;
44087 + }
44088 + return;
44089 +
44090 + case PT_GNU_RELRO:
44091 + if (!is_relro)
44092 + continue;
44093 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44094 + vma->vm_flags &= ~VM_MAYWRITE;
44095 + return;
44096 + }
44097 + }
44098 +}
44099 +#endif
44100 +
44101 static int __init init_elf_binfmt(void)
44102 {
44103 return register_binfmt(&elf_format);
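Review bot: Inside `case PT_DYNAMIC:` of `elf_handle_mprotect`, the outer program-header index `i` is reset with `i = 0UL;` and reused to walk the dynamic entries. This is correct only because every path out of the inner `while` returns; a later edit that lets it `break` or fall through would silently restart or skip program headers. Use a separate index: declare `unsigned long i, j;`, write the walk as `for (j = 0UL; (j+1) * sizeof(elf_dyn) <= elf_p.p_filesz; j++) {`, read from `elf_p.p_offset + j*sizeof(dyn)`, and drop the trailing `i++`. Since this function decides whether `VM_MAYWRITE` is granted on or removed from a mapping, its control flow should be obvious at a glance.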
44104 diff -urNp linux-2.6.39.1/fs/binfmt_flat.c linux-2.6.39.1/fs/binfmt_flat.c
44105 --- linux-2.6.39.1/fs/binfmt_flat.c 2011-05-19 00:06:34.000000000 -0400
44106 +++ linux-2.6.39.1/fs/binfmt_flat.c 2011-05-22 19:36:32.000000000 -0400
44107 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
44108 realdatastart = (unsigned long) -ENOMEM;
44109 printk("Unable to allocate RAM for process data, errno %d\n",
44110 (int)-realdatastart);
44111 + down_write(&current->mm->mmap_sem);
44112 do_munmap(current->mm, textpos, text_len);
44113 + up_write(&current->mm->mmap_sem);
44114 ret = realdatastart;
44115 goto err;
44116 }
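Review bot: The error paths in load_flat_file now take `mmap_sem` for writing around `do_munmap()`, here and in the hunks at -591 and -661, but nothing at the call sites says why. The return value of `do_munmap()` is also still discarded. A one-line comment at the first site, e.g. `/* do_munmap() requires mmap_sem held for write */`, would record the locking rule this change restores. load_flat_file continues outside these hunks.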
44117 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
44118 }
44119 if (IS_ERR_VALUE(result)) {
44120 printk("Unable to read data+bss, errno %d\n", (int)-result);
44121 + down_write(&current->mm->mmap_sem);
44122 do_munmap(current->mm, textpos, text_len);
44123 do_munmap(current->mm, realdatastart, len);
44124 + up_write(&current->mm->mmap_sem);
44125 ret = result;
44126 goto err;
44127 }
44128 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
44129 }
44130 if (IS_ERR_VALUE(result)) {
44131 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44132 + down_write(&current->mm->mmap_sem);
44133 do_munmap(current->mm, textpos, text_len + data_len + extra +
44134 MAX_SHARED_LIBS * sizeof(unsigned long));
44135 + up_write(&current->mm->mmap_sem);
44136 ret = result;
44137 goto err;
44138 }
44139 diff -urNp linux-2.6.39.1/fs/bio.c linux-2.6.39.1/fs/bio.c
44140 --- linux-2.6.39.1/fs/bio.c 2011-05-19 00:06:34.000000000 -0400
44141 +++ linux-2.6.39.1/fs/bio.c 2011-05-22 19:36:32.000000000 -0400
44142 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
44143 const int read = bio_data_dir(bio) == READ;
44144 struct bio_map_data *bmd = bio->bi_private;
44145 int i;
44146 - char *p = bmd->sgvecs[0].iov_base;
44147 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
44148
44149 __bio_for_each_segment(bvec, bio, i, 0) {
44150 char *addr = page_address(bvec->bv_page);
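Review bot: `(__force char *)bmd->sgvecs[0].iov_base` silences the address-space check without stating why the pointer may be treated as a kernel address. A short comment such as `/* iov_base holds a kernel buffer on the bio_copy_kern path, not a user pointer */` would let a reviewer confirm the cast instead of trusting it. That invariant is an assumption drawn from the function name, since this hunk does not show where `sgvecs` is filled. bio_copy_kern_endio continues outside the hunk.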
44151 diff -urNp linux-2.6.39.1/fs/block_dev.c linux-2.6.39.1/fs/block_dev.c
44152 --- linux-2.6.39.1/fs/block_dev.c 2011-06-03 00:04:14.000000000 -0400
44153 +++ linux-2.6.39.1/fs/block_dev.c 2011-06-06 19:57:05.000000000 -0400
44154 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
44155 else if (bdev->bd_contains == bdev)
44156 return true; /* is a whole device which isn't held */
44157
44158 - else if (whole->bd_holder == bd_may_claim)
44159 + else if (whole->bd_holder == (void *)bd_may_claim)
44160 return true; /* is a partition of a device that is being partitioned */
44161 else if (whole->bd_holder != NULL)
44162 return false; /* is a partition of a held device */
44163 @@ -1272,8 +1272,8 @@ int blkdev_get(struct block_device *bdev
44164 * individual writeable reference is too fragile given the
44165 * way @mode is used in blkdev_get/put().
44166 */
44167 - if ((disk->flags & GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE) &&
44168 - !res && (mode & FMODE_WRITE) && !bdev->bd_write_holder) {
44169 + if (!res && (mode & FMODE_WRITE) && !bdev->bd_write_holder &&
44170 + (disk->flags & GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE)) {
44171 bdev->bd_write_holder = true;
44172 disk_block_events(disk);
44173 }
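Review bot: The reordered condition now tests `!res` before reading `disk->flags`, but nothing records that the order matters. Presumably `disk` must not be dereferenced when the open failed. Extend the existing block comment with a line such as `* Test !res first: disk is only looked at after a successful open.`, so a later tidy-up does not move the flag test back to the front. blkdev_get starts and ends outside this hunk.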
44174 diff -urNp linux-2.6.39.1/fs/btrfs/compression.c linux-2.6.39.1/fs/btrfs/compression.c
44175 --- linux-2.6.39.1/fs/btrfs/compression.c 2011-05-19 00:06:34.000000000 -0400
44176 +++ linux-2.6.39.1/fs/btrfs/compression.c 2011-05-22 19:36:32.000000000 -0400
44177 @@ -719,7 +719,7 @@ static int comp_num_workspace[BTRFS_COMP
44178 static atomic_t comp_alloc_workspace[BTRFS_COMPRESS_TYPES];
44179 static wait_queue_head_t comp_workspace_wait[BTRFS_COMPRESS_TYPES];
44180
44181 -struct btrfs_compress_op *btrfs_compress_op[] = {
44182 +const struct btrfs_compress_op *btrfs_compress_op[] = {
44183 &btrfs_zlib_compress,
44184 &btrfs_lzo_compress,
44185 };
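Review bot: `const struct btrfs_compress_op *btrfs_compress_op[]` makes the pointed-to ops constant but leaves the table of pointers itself writable, so an entry can still be redirected at run time. If nothing assigns to the array (not visible from this hunk), declare it `const struct btrfs_compress_op * const btrfs_compress_op[] = {`. The dispatch table then ends up read-only along with the ops structures it points to.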
44186 diff -urNp linux-2.6.39.1/fs/btrfs/compression.h linux-2.6.39.1/fs/btrfs/compression.h
44187 --- linux-2.6.39.1/fs/btrfs/compression.h 2011-05-19 00:06:34.000000000 -0400
44188 +++ linux-2.6.39.1/fs/btrfs/compression.h 2011-05-22 19:36:32.000000000 -0400
44189 @@ -77,7 +77,7 @@ struct btrfs_compress_op {
44190 size_t srclen, size_t destlen);
44191 };
44192
44193 -extern struct btrfs_compress_op btrfs_zlib_compress;
44194 -extern struct btrfs_compress_op btrfs_lzo_compress;
44195 +extern const struct btrfs_compress_op btrfs_zlib_compress;
44196 +extern const struct btrfs_compress_op btrfs_lzo_compress;
44197
44198 #endif
44199 diff -urNp linux-2.6.39.1/fs/btrfs/ctree.c linux-2.6.39.1/fs/btrfs/ctree.c
44200 --- linux-2.6.39.1/fs/btrfs/ctree.c 2011-05-19 00:06:34.000000000 -0400
44201 +++ linux-2.6.39.1/fs/btrfs/ctree.c 2011-05-22 19:36:32.000000000 -0400
44202 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44203 free_extent_buffer(buf);
44204 add_root_to_dirty_list(root);
44205 } else {
44206 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44207 - parent_start = parent->start;
44208 - else
44209 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44210 + if (parent)
44211 + parent_start = parent->start;
44212 + else
44213 + parent_start = 0;
44214 + } else
44215 parent_start = 0;
44216
44217 WARN_ON(trans->transid != btrfs_header_generation(parent));
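Review bot: The new `if (parent)` guard protects `parent->start`, but the very next statement, `WARN_ON(trans->transid != btrfs_header_generation(parent));`, still passes `parent` unchecked, apparently in the same `else` branch. If `parent` can be NULL here, as the guard implies, that call needs the same test, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. If it cannot be NULL, the guard is dead code and a comment should say so. __btrfs_cow_block continues outside the hunk.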
44218 @@ -3647,7 +3650,6 @@ setup_items_for_insert(struct btrfs_tran
44219
44220 ret = 0;
44221 if (slot == 0) {
44222 - struct btrfs_disk_key disk_key;
44223 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44224 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44225 }
44226 diff -urNp linux-2.6.39.1/fs/btrfs/disk-io.c linux-2.6.39.1/fs/btrfs/disk-io.c
44227 --- linux-2.6.39.1/fs/btrfs/disk-io.c 2011-05-19 00:06:34.000000000 -0400
44228 +++ linux-2.6.39.1/fs/btrfs/disk-io.c 2011-05-22 19:36:32.000000000 -0400
44229 @@ -42,7 +42,7 @@
44230 #include "tree-log.h"
44231 #include "free-space-cache.h"
44232
44233 -static struct extent_io_ops btree_extent_io_ops;
44234 +static const struct extent_io_ops btree_extent_io_ops;
44235 static void end_workqueue_fn(struct btrfs_work *work);
44236 static void free_fs_root(struct btrfs_root *root);
44237 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
44238 @@ -3070,7 +3070,7 @@ static int btrfs_cleanup_transaction(str
44239 return 0;
44240 }
44241
44242 -static struct extent_io_ops btree_extent_io_ops = {
44243 +static const struct extent_io_ops btree_extent_io_ops = {
44244 .write_cache_pages_lock_hook = btree_lock_page_hook,
44245 .readpage_end_io_hook = btree_readpage_end_io_hook,
44246 .submit_bio_hook = btree_submit_bio_hook,
44247 diff -urNp linux-2.6.39.1/fs/btrfs/extent_io.h linux-2.6.39.1/fs/btrfs/extent_io.h
44248 --- linux-2.6.39.1/fs/btrfs/extent_io.h 2011-05-19 00:06:34.000000000 -0400
44249 +++ linux-2.6.39.1/fs/btrfs/extent_io.h 2011-05-22 19:36:32.000000000 -0400
44250 @@ -56,36 +56,36 @@ typedef int (extent_submit_bio_hook_t)(s
44251 struct bio *bio, int mirror_num,
44252 unsigned long bio_flags, u64 bio_offset);
44253 struct extent_io_ops {
44254 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44255 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44256 u64 start, u64 end, int *page_started,
44257 unsigned long *nr_written);
44258 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44259 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44260 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44261 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44262 extent_submit_bio_hook_t *submit_bio_hook;
44263 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44264 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44265 size_t size, struct bio *bio,
44266 unsigned long bio_flags);
44267 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44268 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44269 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44270 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44271 u64 start, u64 end,
44272 struct extent_state *state);
44273 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44274 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44275 u64 start, u64 end,
44276 struct extent_state *state);
44277 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44278 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44279 struct extent_state *state);
44280 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44281 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44282 struct extent_state *state, int uptodate);
44283 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
44284 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
44285 int *bits);
44286 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44287 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44288 int *bits);
44289 - int (*merge_extent_hook)(struct inode *inode,
44290 + int (* const merge_extent_hook)(struct inode *inode,
44291 struct extent_state *new,
44292 struct extent_state *other);
44293 - int (*split_extent_hook)(struct inode *inode,
44294 + int (* const split_extent_hook)(struct inode *inode,
44295 struct extent_state *orig, u64 split);
44296 - int (*write_cache_pages_lock_hook)(struct page *page);
44297 + int (* const write_cache_pages_lock_hook)(struct page *page);
44298 };
44299
44300 struct extent_io_tree {
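Review bot: Every hook in `struct extent_io_ops` gains `* const` except `extent_submit_bio_hook_t *submit_bio_hook;`, which stays a plain pointer member. The two instances visible in this patch are both `static const struct extent_io_ops`, so the member is not writable there. For consistency, and for any instance that is not const, it should read `extent_submit_bio_hook_t * const submit_bio_hook;`.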
44301 @@ -95,7 +95,7 @@ struct extent_io_tree {
44302 u64 dirty_bytes;
44303 spinlock_t lock;
44304 spinlock_t buffer_lock;
44305 - struct extent_io_ops *ops;
44306 + const struct extent_io_ops *ops;
44307 };
44308
44309 struct extent_state {
44310 diff -urNp linux-2.6.39.1/fs/btrfs/free-space-cache.c linux-2.6.39.1/fs/btrfs/free-space-cache.c
44311 --- linux-2.6.39.1/fs/btrfs/free-space-cache.c 2011-05-19 00:06:34.000000000 -0400
44312 +++ linux-2.6.39.1/fs/btrfs/free-space-cache.c 2011-05-22 19:36:32.000000000 -0400
44313 @@ -1910,8 +1910,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44314 while(1) {
44315 if (entry->bytes < bytes ||
44316 (!entry->bitmap && entry->offset < min_start)) {
44317 - struct rb_node *node;
44318 -
44319 node = rb_next(&entry->offset_index);
44320 if (!node)
44321 break;
44322 @@ -1925,7 +1923,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44323 cluster, entry, bytes,
44324 min_start);
44325 if (ret == 0) {
44326 - struct rb_node *node;
44327 node = rb_next(&entry->offset_index);
44328 if (!node)
44329 break;
44330 diff -urNp linux-2.6.39.1/fs/btrfs/inode.c linux-2.6.39.1/fs/btrfs/inode.c
44331 --- linux-2.6.39.1/fs/btrfs/inode.c 2011-05-19 00:06:34.000000000 -0400
44332 +++ linux-2.6.39.1/fs/btrfs/inode.c 2011-05-22 20:42:42.000000000 -0400
44333 @@ -65,7 +65,7 @@ static const struct inode_operations btr
44334 static const struct address_space_operations btrfs_aops;
44335 static const struct address_space_operations btrfs_symlink_aops;
44336 static const struct file_operations btrfs_dir_file_operations;
44337 -static struct extent_io_ops btrfs_extent_io_ops;
44338 +static const struct extent_io_ops btrfs_extent_io_ops;
44339
44340 static struct kmem_cache *btrfs_inode_cachep;
44341 struct kmem_cache *btrfs_trans_handle_cachep;
44342 @@ -6947,7 +6947,7 @@ fail:
44343 return -ENOMEM;
44344 }
44345
44346 -static int btrfs_getattr(struct vfsmount *mnt,
44347 +int btrfs_getattr(struct vfsmount *mnt,
44348 struct dentry *dentry, struct kstat *stat)
44349 {
44350 struct inode *inode = dentry->d_inode;
44351 @@ -6959,6 +6959,14 @@ static int btrfs_getattr(struct vfsmount
44352 return 0;
44353 }
44354
44355 +EXPORT_SYMBOL(btrfs_getattr);
44356 +
44357 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
44358 +{
44359 + return BTRFS_I(inode)->root->anon_super.s_dev;
44360 +}
44361 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44362 +
44363 /*
44364 * If a file is moved, it will inherit the cow and compression flags of the new
44365 * directory.
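Review bot: `get_btrfs_dev_from_inode()` is added and exported with no comment and no prototype visible in this patch section. It walks `BTRFS_I(inode)->root->anon_super.s_dev` without stating what callers must guarantee about `inode`. Document the contract above it, e.g. `/* Return the s_dev of the root that @inode belongs to; @inode must be a btrfs inode with a valid root. */`, and declare it in a header shared with its caller. `btrfs_getattr` loses `static` in the previous hunk and is exported here, so the same header should declare it as well.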
44366 @@ -7488,7 +7496,7 @@ static const struct file_operations btrf
44367 .fsync = btrfs_sync_file,
44368 };
44369
44370 -static struct extent_io_ops btrfs_extent_io_ops = {
44371 +static const struct extent_io_ops btrfs_extent_io_ops = {
44372 .fill_delalloc = run_delalloc_range,
44373 .submit_bio_hook = btrfs_submit_bio_hook,
44374 .merge_bio_hook = btrfs_merge_bio_hook,
44375 diff -urNp linux-2.6.39.1/fs/btrfs/ioctl.c linux-2.6.39.1/fs/btrfs/ioctl.c
44376 --- linux-2.6.39.1/fs/btrfs/ioctl.c 2011-05-19 00:06:34.000000000 -0400
44377 +++ linux-2.6.39.1/fs/btrfs/ioctl.c 2011-05-22 19:41:37.000000000 -0400
44378 @@ -2361,9 +2361,12 @@ long btrfs_ioctl_space_info(struct btrfs
44379 for (i = 0; i < num_types; i++) {
44380 struct btrfs_space_info *tmp;
44381
44382 + /* Don't copy in more than we allocated */
44383 if (!slot_count)
44384 break;
44385
44386 + slot_count--;
44387 +
44388 info = NULL;
44389 rcu_read_lock();
44390 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
44391 @@ -2385,10 +2388,7 @@ long btrfs_ioctl_space_info(struct btrfs
44392 memcpy(dest, &space, sizeof(space));
44393 dest++;
44394 space_args.total_spaces++;
44395 - slot_count--;
44396 }
44397 - if (!slot_count)
44398 - break;
44399 }
44400 up_read(&info->groups_sem);
44401 }
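Review bot: With `slot_count--` and the inner `if (!slot_count) break;` removed from beside `memcpy(dest, &space, sizeof(space)); dest++;`, the copy is no longer bounded per entry. The count is now decremented once per type in the previous hunk instead. The loop enclosing the `memcpy` starts outside this hunk, but if it can copy more than one entry for a single type, `dest` can advance past the slots the buffer was sized for. Keep the accounting next to the write: retain `slot_count--;` after `space_args.total_spaces++;` and `if (!slot_count) break;` after that block, and drop the per-type `slot_count--;` added in the previous hunk. The check `if (!slot_count) break;` at the top of the outer loop can stay as the early exit.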
44402 diff -urNp linux-2.6.39.1/fs/btrfs/lzo.c linux-2.6.39.1/fs/btrfs/lzo.c
44403 --- linux-2.6.39.1/fs/btrfs/lzo.c 2011-05-19 00:06:34.000000000 -0400
44404 +++ linux-2.6.39.1/fs/btrfs/lzo.c 2011-05-22 19:36:32.000000000 -0400
44405 @@ -418,7 +418,7 @@ out:
44406 return ret;
44407 }
44408
44409 -struct btrfs_compress_op btrfs_lzo_compress = {
44410 +const struct btrfs_compress_op btrfs_lzo_compress = {
44411 .alloc_workspace = lzo_alloc_workspace,
44412 .free_workspace = lzo_free_workspace,
44413 .compress_pages = lzo_compress_pages,
44414 diff -urNp linux-2.6.39.1/fs/btrfs/relocation.c linux-2.6.39.1/fs/btrfs/relocation.c
44415 --- linux-2.6.39.1/fs/btrfs/relocation.c 2011-05-19 00:06:34.000000000 -0400
44416 +++ linux-2.6.39.1/fs/btrfs/relocation.c 2011-05-22 19:36:32.000000000 -0400
44417 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
44418 }
44419 spin_unlock(&rc->reloc_root_tree.lock);
44420
44421 - BUG_ON((struct btrfs_root *)node->data != root);
44422 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
44423
44424 if (!del) {
44425 spin_lock(&rc->reloc_root_tree.lock);
44426 diff -urNp linux-2.6.39.1/fs/btrfs/zlib.c linux-2.6.39.1/fs/btrfs/zlib.c
44427 --- linux-2.6.39.1/fs/btrfs/zlib.c 2011-05-19 00:06:34.000000000 -0400
44428 +++ linux-2.6.39.1/fs/btrfs/zlib.c 2011-05-22 19:36:32.000000000 -0400
44429 @@ -390,7 +390,7 @@ next:
44430 return ret;
44431 }
44432
44433 -struct btrfs_compress_op btrfs_zlib_compress = {
44434 +const struct btrfs_compress_op btrfs_zlib_compress = {
44435 .alloc_workspace = zlib_alloc_workspace,
44436 .free_workspace = zlib_free_workspace,
44437 .compress_pages = zlib_compress_pages,
44438 diff -urNp linux-2.6.39.1/fs/cachefiles/bind.c linux-2.6.39.1/fs/cachefiles/bind.c
44439 --- linux-2.6.39.1/fs/cachefiles/bind.c 2011-05-19 00:06:34.000000000 -0400
44440 +++ linux-2.6.39.1/fs/cachefiles/bind.c 2011-05-22 19:36:32.000000000 -0400
44441 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44442 args);
44443
44444 /* start by checking things over */
44445 - ASSERT(cache->fstop_percent >= 0 &&
44446 - cache->fstop_percent < cache->fcull_percent &&
44447 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
44448 cache->fcull_percent < cache->frun_percent &&
44449 cache->frun_percent < 100);
44450
44451 - ASSERT(cache->bstop_percent >= 0 &&
44452 - cache->bstop_percent < cache->bcull_percent &&
44453 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
44454 cache->bcull_percent < cache->brun_percent &&
44455 cache->brun_percent < 100);
44456
44457 diff -urNp linux-2.6.39.1/fs/cachefiles/daemon.c linux-2.6.39.1/fs/cachefiles/daemon.c
44458 --- linux-2.6.39.1/fs/cachefiles/daemon.c 2011-05-19 00:06:34.000000000 -0400
44459 +++ linux-2.6.39.1/fs/cachefiles/daemon.c 2011-05-22 19:36:32.000000000 -0400
44460 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
44461 if (n > buflen)
44462 return -EMSGSIZE;
44463
44464 - if (copy_to_user(_buffer, buffer, n) != 0)
44465 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
44466 return -EFAULT;
44467
44468 return n;
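Review bot: The added `n > sizeof(buffer)` test shares a branch with `copy_to_user()`, so an over-long length is reported as `-EFAULT`, the same code as a bad user pointer. The size check just above it returns `-EMSGSIZE`. Give the new test its own statement and errno so the two conditions can be told apart in logs. Add a comment as well that the comparison against `sizeof(buffer)` also rejects a negative `n` through conversion to an unsigned type, if `n` is signed (its declaration is outside the hunk). cachefiles_daemon_read continues outside the hunk.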
44469 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
44470 if (test_bit(CACHEFILES_DEAD, &cache->flags))
44471 return -EIO;
44472
44473 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
44474 + if (datalen > PAGE_SIZE - 1)
44475 return -EOPNOTSUPP;
44476
44477 /* drag the command string into the kernel so we can parse it */
44478 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
44479 if (args[0] != '%' || args[1] != '\0')
44480 return -EINVAL;
44481
44482 - if (fstop < 0 || fstop >= cache->fcull_percent)
44483 + if (fstop >= cache->fcull_percent)
44484 return cachefiles_daemon_range_error(cache, args);
44485
44486 cache->fstop_percent = fstop;
44487 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
44488 if (args[0] != '%' || args[1] != '\0')
44489 return -EINVAL;
44490
44491 - if (bstop < 0 || bstop >= cache->bcull_percent)
44492 + if (bstop >= cache->bcull_percent)
44493 return cachefiles_daemon_range_error(cache, args);
44494
44495 cache->bstop_percent = bstop;
44496 diff -urNp linux-2.6.39.1/fs/cachefiles/internal.h linux-2.6.39.1/fs/cachefiles/internal.h
44497 --- linux-2.6.39.1/fs/cachefiles/internal.h 2011-05-19 00:06:34.000000000 -0400
44498 +++ linux-2.6.39.1/fs/cachefiles/internal.h 2011-05-22 19:36:32.000000000 -0400
44499 @@ -57,7 +57,7 @@ struct cachefiles_cache {
44500 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44501 struct rb_root active_nodes; /* active nodes (can't be culled) */
44502 rwlock_t active_lock; /* lock for active_nodes */
44503 - atomic_t gravecounter; /* graveyard uniquifier */
44504 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44505 unsigned frun_percent; /* when to stop culling (% files) */
44506 unsigned fcull_percent; /* when to start culling (% files) */
44507 unsigned fstop_percent; /* when to stop allocating (% files) */
44508 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
44509 * proc.c
44510 */
44511 #ifdef CONFIG_CACHEFILES_HISTOGRAM
44512 -extern atomic_t cachefiles_lookup_histogram[HZ];
44513 -extern atomic_t cachefiles_mkdir_histogram[HZ];
44514 -extern atomic_t cachefiles_create_histogram[HZ];
44515 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44516 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44517 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44518
44519 extern int __init cachefiles_proc_init(void);
44520 extern void cachefiles_proc_cleanup(void);
44521 static inline
44522 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44523 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44524 {
44525 unsigned long jif = jiffies - start_jif;
44526 if (jif >= HZ)
44527 jif = HZ - 1;
44528 - atomic_inc(&histogram[jif]);
44529 + atomic_inc_unchecked(&histogram[jif]);
44530 }
44531
44532 #else
44533 diff -urNp linux-2.6.39.1/fs/cachefiles/namei.c linux-2.6.39.1/fs/cachefiles/namei.c
44534 --- linux-2.6.39.1/fs/cachefiles/namei.c 2011-05-19 00:06:34.000000000 -0400
44535 +++ linux-2.6.39.1/fs/cachefiles/namei.c 2011-05-22 19:36:32.000000000 -0400
44536 @@ -318,7 +318,7 @@ try_again:
44537 /* first step is to make up a grave dentry in the graveyard */
44538 sprintf(nbuffer, "%08x%08x",
44539 (uint32_t) get_seconds(),
44540 - (uint32_t) atomic_inc_return(&cache->gravecounter));
44541 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44542
44543 /* do the multiway lock magic */
44544 trap = lock_rename(cache->graveyard, dir);
44545 diff -urNp linux-2.6.39.1/fs/cachefiles/proc.c linux-2.6.39.1/fs/cachefiles/proc.c
44546 --- linux-2.6.39.1/fs/cachefiles/proc.c 2011-05-19 00:06:34.000000000 -0400
44547 +++ linux-2.6.39.1/fs/cachefiles/proc.c 2011-05-22 19:36:32.000000000 -0400
44548 @@ -14,9 +14,9 @@
44549 #include <linux/seq_file.h>
44550 #include "internal.h"
44551
44552 -atomic_t cachefiles_lookup_histogram[HZ];
44553 -atomic_t cachefiles_mkdir_histogram[HZ];
44554 -atomic_t cachefiles_create_histogram[HZ];
44555 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44556 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44557 +atomic_unchecked_t cachefiles_create_histogram[HZ];
44558
44559 /*
44560 * display the latency histogram
44561 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44562 return 0;
44563 default:
44564 index = (unsigned long) v - 3;
44565 - x = atomic_read(&cachefiles_lookup_histogram[index]);
44566 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
44567 - z = atomic_read(&cachefiles_create_histogram[index]);
44568 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44569 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44570 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44571 if (x == 0 && y == 0 && z == 0)
44572 return 0;
44573
44574 diff -urNp linux-2.6.39.1/fs/cachefiles/rdwr.c linux-2.6.39.1/fs/cachefiles/rdwr.c
44575 --- linux-2.6.39.1/fs/cachefiles/rdwr.c 2011-05-19 00:06:34.000000000 -0400
44576 +++ linux-2.6.39.1/fs/cachefiles/rdwr.c 2011-05-22 19:36:32.000000000 -0400
44577 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
44578 old_fs = get_fs();
44579 set_fs(KERNEL_DS);
44580 ret = file->f_op->write(
44581 - file, (const void __user *) data, len, &pos);
44582 + file, (__force const void __user *) data, len, &pos);
44583 set_fs(old_fs);
44584 kunmap(page);
44585 if (ret != len)
44586 diff -urNp linux-2.6.39.1/fs/ceph/addr.c linux-2.6.39.1/fs/ceph/addr.c
44587 --- linux-2.6.39.1/fs/ceph/addr.c 2011-05-19 00:06:34.000000000 -0400
44588 +++ linux-2.6.39.1/fs/ceph/addr.c 2011-05-22 19:36:32.000000000 -0400
44589 @@ -1164,7 +1164,7 @@ out:
44590 return ret;
44591 }
44592
44593 -static struct vm_operations_struct ceph_vmops = {
44594 +static const struct vm_operations_struct ceph_vmops = {
44595 .fault = filemap_fault,
44596 .page_mkwrite = ceph_page_mkwrite,
44597 };
44598 diff -urNp linux-2.6.39.1/fs/ceph/dir.c linux-2.6.39.1/fs/ceph/dir.c
44599 --- linux-2.6.39.1/fs/ceph/dir.c 2011-05-19 00:06:34.000000000 -0400
44600 +++ linux-2.6.39.1/fs/ceph/dir.c 2011-05-22 19:36:32.000000000 -0400
44601 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
44602 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
44603 struct ceph_mds_client *mdsc = fsc->mdsc;
44604 unsigned frag = fpos_frag(filp->f_pos);
44605 - int off = fpos_off(filp->f_pos);
44606 + unsigned int off = fpos_off(filp->f_pos);
44607 int err;
44608 u32 ftype;
44609 struct ceph_mds_reply_info_parsed *rinfo;
44610 @@ -360,7 +360,7 @@ more:
44611 rinfo = &fi->last_readdir->r_reply_info;
44612 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
44613 rinfo->dir_nr, off, fi->offset);
44614 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
44615 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
44616 u64 pos = ceph_make_fpos(frag, off);
44617 struct ceph_mds_reply_inode *in =
44618 rinfo->dir_in[off - fi->offset].in;
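Review bot: `off` becomes `unsigned int` in the previous hunk, but the `dout("readdir frag %x num %d off %d chunkoff %d\n", ...)` call just above the rewritten loop still prints it with `%d`. Change that conversion to `%u`. The new test `off >= fi->offset` also compares the unsigned `off` with `fi->offset`, whose type is not visible here. If that field is signed, the comparison is carried out in unsigned arithmetic and needs a matching type or an explicit cast with a comment. ceph_readdir continues outside both hunks.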
44619 diff -urNp linux-2.6.39.1/fs/cifs/cifs_debug.c linux-2.6.39.1/fs/cifs/cifs_debug.c
44620 --- linux-2.6.39.1/fs/cifs/cifs_debug.c 2011-05-19 00:06:34.000000000 -0400
44621 +++ linux-2.6.39.1/fs/cifs/cifs_debug.c 2011-05-22 19:36:32.000000000 -0400
44622 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
44623 tcon = list_entry(tmp3,
44624 struct cifsTconInfo,
44625 tcon_list);
44626 - atomic_set(&tcon->num_smbs_sent, 0);
44627 - atomic_set(&tcon->num_writes, 0);
44628 - atomic_set(&tcon->num_reads, 0);
44629 - atomic_set(&tcon->num_oplock_brks, 0);
44630 - atomic_set(&tcon->num_opens, 0);
44631 - atomic_set(&tcon->num_posixopens, 0);
44632 - atomic_set(&tcon->num_posixmkdirs, 0);
44633 - atomic_set(&tcon->num_closes, 0);
44634 - atomic_set(&tcon->num_deletes, 0);
44635 - atomic_set(&tcon->num_mkdirs, 0);
44636 - atomic_set(&tcon->num_rmdirs, 0);
44637 - atomic_set(&tcon->num_renames, 0);
44638 - atomic_set(&tcon->num_t2renames, 0);
44639 - atomic_set(&tcon->num_ffirst, 0);
44640 - atomic_set(&tcon->num_fnext, 0);
44641 - atomic_set(&tcon->num_fclose, 0);
44642 - atomic_set(&tcon->num_hardlinks, 0);
44643 - atomic_set(&tcon->num_symlinks, 0);
44644 - atomic_set(&tcon->num_locks, 0);
44645 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
44646 + atomic_set_unchecked(&tcon->num_writes, 0);
44647 + atomic_set_unchecked(&tcon->num_reads, 0);
44648 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
44649 + atomic_set_unchecked(&tcon->num_opens, 0);
44650 + atomic_set_unchecked(&tcon->num_posixopens, 0);
44651 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
44652 + atomic_set_unchecked(&tcon->num_closes, 0);
44653 + atomic_set_unchecked(&tcon->num_deletes, 0);
44654 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
44655 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
44656 + atomic_set_unchecked(&tcon->num_renames, 0);
44657 + atomic_set_unchecked(&tcon->num_t2renames, 0);
44658 + atomic_set_unchecked(&tcon->num_ffirst, 0);
44659 + atomic_set_unchecked(&tcon->num_fnext, 0);
44660 + atomic_set_unchecked(&tcon->num_fclose, 0);
44661 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
44662 + atomic_set_unchecked(&tcon->num_symlinks, 0);
44663 + atomic_set_unchecked(&tcon->num_locks, 0);
44664 }
44665 }
44666 }
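Review bot: The reset list converted here has no line for `num_flushes`, although the `cifs_stats_proc_show` hunk below prints it as `Flushes` and the `cifsglob.h` hunk declares it next to the other counters. A write to the stats file would leave that one counter untouched while zeroing the rest. If that is an oversight rather than intent, add `atomic_set_unchecked(&tcon->num_flushes, 0);` to the list. The enclosing function starts and ends outside the hunk, so a reset elsewhere cannot be ruled out from here.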
44667 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
44668 if (tcon->need_reconnect)
44669 seq_puts(m, "\tDISCONNECTED ");
44670 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
44671 - atomic_read(&tcon->num_smbs_sent),
44672 - atomic_read(&tcon->num_oplock_brks));
44673 + atomic_read_unchecked(&tcon->num_smbs_sent),
44674 + atomic_read_unchecked(&tcon->num_oplock_brks));
44675 seq_printf(m, "\nReads: %d Bytes: %lld",
44676 - atomic_read(&tcon->num_reads),
44677 + atomic_read_unchecked(&tcon->num_reads),
44678 (long long)(tcon->bytes_read));
44679 seq_printf(m, "\nWrites: %d Bytes: %lld",
44680 - atomic_read(&tcon->num_writes),
44681 + atomic_read_unchecked(&tcon->num_writes),
44682 (long long)(tcon->bytes_written));
44683 seq_printf(m, "\nFlushes: %d",
44684 - atomic_read(&tcon->num_flushes));
44685 + atomic_read_unchecked(&tcon->num_flushes));
44686 seq_printf(m, "\nLocks: %d HardLinks: %d "
44687 "Symlinks: %d",
44688 - atomic_read(&tcon->num_locks),
44689 - atomic_read(&tcon->num_hardlinks),
44690 - atomic_read(&tcon->num_symlinks));
44691 + atomic_read_unchecked(&tcon->num_locks),
44692 + atomic_read_unchecked(&tcon->num_hardlinks),
44693 + atomic_read_unchecked(&tcon->num_symlinks));
44694 seq_printf(m, "\nOpens: %d Closes: %d "
44695 "Deletes: %d",
44696 - atomic_read(&tcon->num_opens),
44697 - atomic_read(&tcon->num_closes),
44698 - atomic_read(&tcon->num_deletes));
44699 + atomic_read_unchecked(&tcon->num_opens),
44700 + atomic_read_unchecked(&tcon->num_closes),
44701 + atomic_read_unchecked(&tcon->num_deletes));
44702 seq_printf(m, "\nPosix Opens: %d "
44703 "Posix Mkdirs: %d",
44704 - atomic_read(&tcon->num_posixopens),
44705 - atomic_read(&tcon->num_posixmkdirs));
44706 + atomic_read_unchecked(&tcon->num_posixopens),
44707 + atomic_read_unchecked(&tcon->num_posixmkdirs));
44708 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
44709 - atomic_read(&tcon->num_mkdirs),
44710 - atomic_read(&tcon->num_rmdirs));
44711 + atomic_read_unchecked(&tcon->num_mkdirs),
44712 + atomic_read_unchecked(&tcon->num_rmdirs));
44713 seq_printf(m, "\nRenames: %d T2 Renames %d",
44714 - atomic_read(&tcon->num_renames),
44715 - atomic_read(&tcon->num_t2renames));
44716 + atomic_read_unchecked(&tcon->num_renames),
44717 + atomic_read_unchecked(&tcon->num_t2renames));
44718 seq_printf(m, "\nFindFirst: %d FNext %d "
44719 "FClose %d",
44720 - atomic_read(&tcon->num_ffirst),
44721 - atomic_read(&tcon->num_fnext),
44722 - atomic_read(&tcon->num_fclose));
44723 + atomic_read_unchecked(&tcon->num_ffirst),
44724 + atomic_read_unchecked(&tcon->num_fnext),
44725 + atomic_read_unchecked(&tcon->num_fclose));
44726 }
44727 }
44728 }
44729 diff -urNp linux-2.6.39.1/fs/cifs/cifsglob.h linux-2.6.39.1/fs/cifs/cifsglob.h
44730 --- linux-2.6.39.1/fs/cifs/cifsglob.h 2011-05-19 00:06:34.000000000 -0400
44731 +++ linux-2.6.39.1/fs/cifs/cifsglob.h 2011-05-22 19:36:32.000000000 -0400
44732 @@ -305,28 +305,28 @@ struct cifsTconInfo {
44733 __u16 Flags; /* optional support bits */
44734 enum statusEnum tidStatus;
44735 #ifdef CONFIG_CIFS_STATS
44736 - atomic_t num_smbs_sent;
44737 - atomic_t num_writes;
44738 - atomic_t num_reads;
44739 - atomic_t num_flushes;
44740 - atomic_t num_oplock_brks;
44741 - atomic_t num_opens;
44742 - atomic_t num_closes;
44743 - atomic_t num_deletes;
44744 - atomic_t num_mkdirs;
44745 - atomic_t num_posixopens;
44746 - atomic_t num_posixmkdirs;
44747 - atomic_t num_rmdirs;
44748 - atomic_t num_renames;
44749 - atomic_t num_t2renames;
44750 - atomic_t num_ffirst;
44751 - atomic_t num_fnext;
44752 - atomic_t num_fclose;
44753 - atomic_t num_hardlinks;
44754 - atomic_t num_symlinks;
44755 - atomic_t num_locks;
44756 - atomic_t num_acl_get;
44757 - atomic_t num_acl_set;
44758 + atomic_unchecked_t num_smbs_sent;
44759 + atomic_unchecked_t num_writes;
44760 + atomic_unchecked_t num_reads;
44761 + atomic_unchecked_t num_flushes;
44762 + atomic_unchecked_t num_oplock_brks;
44763 + atomic_unchecked_t num_opens;
44764 + atomic_unchecked_t num_closes;
44765 + atomic_unchecked_t num_deletes;
44766 + atomic_unchecked_t num_mkdirs;
44767 + atomic_unchecked_t num_posixopens;
44768 + atomic_unchecked_t num_posixmkdirs;
44769 + atomic_unchecked_t num_rmdirs;
44770 + atomic_unchecked_t num_renames;
44771 + atomic_unchecked_t num_t2renames;
44772 + atomic_unchecked_t num_ffirst;
44773 + atomic_unchecked_t num_fnext;
44774 + atomic_unchecked_t num_fclose;
44775 + atomic_unchecked_t num_hardlinks;
44776 + atomic_unchecked_t num_symlinks;
44777 + atomic_unchecked_t num_locks;
44778 + atomic_unchecked_t num_acl_get;
44779 + atomic_unchecked_t num_acl_set;
44780 #ifdef CONFIG_CIFS_STATS2
44781 unsigned long long time_writes;
44782 unsigned long long time_reads;
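Review bot: The conversion to `atomic_unchecked_t` carries no comment saying why these fields are allowed to wrap, and that matters because the unchecked type takes them out of the overflow detection applied to ordinary `atomic_t` counters elsewhere in this patch. A single line above the group would record the reasoning: `/* statistics only, never used as a reference count: wraparound is harmless */`. It also tells a later maintainer not to reuse one of these fields for lifetime tracking. The struct starts and ends outside the hunk.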
44783 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
44784 }
44785
44786 #ifdef CONFIG_CIFS_STATS
44787 -#define cifs_stats_inc atomic_inc
44788 +#define cifs_stats_inc atomic_inc_unchecked
44789
44790 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
44791 unsigned int bytes)
44792 diff -urNp linux-2.6.39.1/fs/cifs/link.c linux-2.6.39.1/fs/cifs/link.c
44793 --- linux-2.6.39.1/fs/cifs/link.c 2011-05-19 00:06:34.000000000 -0400
44794 +++ linux-2.6.39.1/fs/cifs/link.c 2011-05-22 19:36:32.000000000 -0400
44795 @@ -577,7 +577,7 @@ symlink_exit:
44796
44797 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
44798 {
44799 - char *p = nd_get_link(nd);
44800 + const char *p = nd_get_link(nd);
44801 if (!IS_ERR(p))
44802 kfree(p);
44803 }
44804 diff -urNp linux-2.6.39.1/fs/coda/cache.c linux-2.6.39.1/fs/coda/cache.c
44805 --- linux-2.6.39.1/fs/coda/cache.c 2011-05-19 00:06:34.000000000 -0400
44806 +++ linux-2.6.39.1/fs/coda/cache.c 2011-05-22 19:36:32.000000000 -0400
44807 @@ -24,7 +24,7 @@
44808 #include "coda_linux.h"
44809 #include "coda_cache.h"
44810
44811 -static atomic_t permission_epoch = ATOMIC_INIT(0);
44812 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
44813
44814 /* replace or extend an acl cache hit */
44815 void coda_cache_enter(struct inode *inode, int mask)
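Review bot: `permission_epoch` is not a statistic: the `coda_cache_check` hunk below accepts a cached permission when `c_cached_epoch` equals the current epoch, so making it `atomic_unchecked_t` means a wrapped counter is silently accepted in an access decision. That is probably fine because only equality is tested, but the trade-off should be written down at the declaration, e.g. `/* compared for equality only; a stale entry can match again only after a full counter wrap */`. The same conversion is applied in the `coda_cache_enter`, `coda_cache_clear_inode` and `coda_cache_clear_all` hunks.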
44816 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
44817 struct coda_inode_info *cii = ITOC(inode);
44818
44819 spin_lock(&cii->c_lock);
44820 - cii->c_cached_epoch = atomic_read(&permission_epoch);
44821 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
44822 if (cii->c_uid != current_fsuid()) {
44823 cii->c_uid = current_fsuid();
44824 cii->c_cached_perm = mask;
44825 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
44826 {
44827 struct coda_inode_info *cii = ITOC(inode);
44828 spin_lock(&cii->c_lock);
44829 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
44830 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
44831 spin_unlock(&cii->c_lock);
44832 }
44833
44834 /* remove all acl caches */
44835 void coda_cache_clear_all(struct super_block *sb)
44836 {
44837 - atomic_inc(&permission_epoch);
44838 + atomic_inc_unchecked(&permission_epoch);
44839 }
44840
44841
44842 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
44843 spin_lock(&cii->c_lock);
44844 hit = (mask & cii->c_cached_perm) == mask &&
44845 cii->c_uid == current_fsuid() &&
44846 - cii->c_cached_epoch == atomic_read(&permission_epoch);
44847 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
44848 spin_unlock(&cii->c_lock);
44849
44850 return hit;
44851 diff -urNp linux-2.6.39.1/fs/compat_binfmt_elf.c linux-2.6.39.1/fs/compat_binfmt_elf.c
44852 --- linux-2.6.39.1/fs/compat_binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
44853 +++ linux-2.6.39.1/fs/compat_binfmt_elf.c 2011-05-22 19:36:32.000000000 -0400
44854 @@ -30,11 +30,13 @@
44855 #undef elf_phdr
44856 #undef elf_shdr
44857 #undef elf_note
44858 +#undef elf_dyn
44859 #undef elf_addr_t
44860 #define elfhdr elf32_hdr
44861 #define elf_phdr elf32_phdr
44862 #define elf_shdr elf32_shdr
44863 #define elf_note elf32_note
44864 +#define elf_dyn Elf32_Dyn
44865 #define elf_addr_t Elf32_Addr
44866
44867 /*
44868 diff -urNp linux-2.6.39.1/fs/compat.c linux-2.6.39.1/fs/compat.c
44869 --- linux-2.6.39.1/fs/compat.c 2011-05-19 00:06:34.000000000 -0400
44870 +++ linux-2.6.39.1/fs/compat.c 2011-05-22 19:41:37.000000000 -0400
44871 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
44872 goto out;
44873
44874 ret = -EINVAL;
44875 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
44876 + if (nr_segs > UIO_MAXIOV)
44877 goto out;
44878 if (nr_segs > fast_segs) {
44879 ret = -ENOMEM;
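Review bot: Dropping `nr_segs < 0` is only safe if `nr_segs` has an unsigned type, and its declaration is in the function signature outside this hunk. If it is unsigned, the removed test was dead code and `nr_segs > UIO_MAXIOV` already rejects values that would have been negative. A short comment on the remaining test, `/* nr_segs is unsigned, so this also rejects "negative" counts */`, would keep a later signedness change from silently removing the lower bound on a user-controlled segment count.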
44880 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
44881
44882 struct compat_readdir_callback {
44883 struct compat_old_linux_dirent __user *dirent;
44884 + struct file * file;
44885 int result;
44886 };
44887
44888 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
44889 buf->result = -EOVERFLOW;
44890 return -EOVERFLOW;
44891 }
44892 +
44893 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44894 + return 0;
44895 +
44896 buf->result++;
44897 dirent = buf->dirent;
44898 if (!access_ok(VERIFY_WRITE, dirent,
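Review bot: The `gr_acl_handle_filldir` filter sits after the `-EOVERFLOW` return shown just above it, so an entry the policy is meant to hide can still end the listing with an error if it trips that earlier test (its condition is outside the hunk). Assuming a zero return from the hook means "hide this entry", moving the three added lines ahead of the overflow check keeps hidden entries from influencing what the caller observes. The `compat_filldir` hunk further down has the same ordering. The function starts and ends outside the hunk.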
44899 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
44900
44901 buf.result = 0;
44902 buf.dirent = dirent;
44903 + buf.file = file;
44904
44905 error = vfs_readdir(file, compat_fillonedir, &buf);
44906 if (buf.result)
44907 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
44908 struct compat_getdents_callback {
44909 struct compat_linux_dirent __user *current_dir;
44910 struct compat_linux_dirent __user *previous;
44911 + struct file * file;
44912 int count;
44913 int error;
44914 };
44915 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
44916 buf->error = -EOVERFLOW;
44917 return -EOVERFLOW;
44918 }
44919 +
44920 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44921 + return 0;
44922 +
44923 dirent = buf->previous;
44924 if (dirent) {
44925 if (__put_user(offset, &dirent->d_off))
44926 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
44927 buf.previous = NULL;
44928 buf.count = count;
44929 buf.error = 0;
44930 + buf.file = file;
44931
44932 error = vfs_readdir(file, compat_filldir, &buf);
44933 if (error >= 0)
44934 @@ -1006,6 +1018,7 @@ out:
44935 struct compat_getdents_callback64 {
44936 struct linux_dirent64 __user *current_dir;
44937 struct linux_dirent64 __user *previous;
44938 + struct file * file;
44939 int count;
44940 int error;
44941 };
44942 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
44943 buf->error = -EINVAL; /* only used if we fail.. */
44944 if (reclen > buf->count)
44945 return -EINVAL;
44946 +
44947 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44948 + return 0;
44949 +
44950 dirent = buf->previous;
44951
44952 if (dirent) {
44953 @@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
44954 buf.previous = NULL;
44955 buf.count = count;
44956 buf.error = 0;
44957 + buf.file = file;
44958
44959 error = vfs_readdir(file, compat_filldir64, &buf);
44960 if (error >= 0)
44961 @@ -1436,6 +1454,11 @@ int compat_do_execve(char * filename,
44962 compat_uptr_t __user *envp,
44963 struct pt_regs * regs)
44964 {
44965 +#ifdef CONFIG_GRKERNSEC
44966 + struct file *old_exec_file;
44967 + struct acl_subject_label *old_acl;
44968 + struct rlimit old_rlim[RLIM_NLIMITS];
44969 +#endif
44970 struct linux_binprm *bprm;
44971 struct file *file;
44972 struct files_struct *displaced;
44973 @@ -1472,6 +1495,19 @@ int compat_do_execve(char * filename,
44974 bprm->filename = filename;
44975 bprm->interp = filename;
44976
44977 + if (gr_process_user_ban()) {
44978 + retval = -EPERM;
44979 + goto out_file;
44980 + }
44981 +
44982 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
44983 + retval = -EAGAIN;
44984 + if (gr_handle_nproc())
44985 + goto out_file;
44986 + retval = -EACCES;
44987 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
44988 + goto out_file;
44989 +
44990 retval = bprm_mm_init(bprm);
44991 if (retval)
44992 goto out_file;
44993 @@ -1501,9 +1537,40 @@ int compat_do_execve(char * filename,
44994 if (retval < 0)
44995 goto out;
44996
44997 + if (!gr_tpe_allow(file)) {
44998 + retval = -EACCES;
44999 + goto out;
45000 + }
45001 +
45002 + if (gr_check_crash_exec(file)) {
45003 + retval = -EACCES;
45004 + goto out;
45005 + }
45006 +
45007 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45008 +
45009 + gr_handle_exec_args_compat(bprm, argv);
45010 +
45011 +#ifdef CONFIG_GRKERNSEC
45012 + old_acl = current->acl;
45013 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45014 + old_exec_file = current->exec_file;
45015 + get_file(file);
45016 + current->exec_file = file;
45017 +#endif
45018 +
45019 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45020 + bprm->unsafe & LSM_UNSAFE_SHARE);
45021 + if (retval < 0)
45022 + goto out_fail;
45023 +
45024 retval = search_binary_handler(bprm, regs);
45025 if (retval < 0)
45026 - goto out;
45027 + goto out_fail;
45028 +#ifdef CONFIG_GRKERNSEC
45029 + if (old_exec_file)
45030 + fput(old_exec_file);
45031 +#endif
45032
45033 /* execve succeeded */
45034 current->fs->in_exec = 0;
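Review bot: The `memcpy` that snapshots `current->signal->rlim` here, and the `memcpy` that writes it back under `out_fail` in the next hunk, run without any lock visible in these hunks. `signal->rlim` is shared by all threads of the group, so a limit changed by another thread between the snapshot and a failed exec would be silently overwritten by the restore. Taking the lock the rlimit writers use around both copies (presumably `task_lock(current->group_leader)`, to be confirmed against the setrlimit path) would close that window. The `do_execve` hunks in fs/exec.c carry the same pattern. The function starts and ends outside the hunk.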
45035 @@ -1514,6 +1581,14 @@ int compat_do_execve(char * filename,
45036 put_files_struct(displaced);
45037 return retval;
45038
45039 +out_fail:
45040 +#ifdef CONFIG_GRKERNSEC
45041 + current->acl = old_acl;
45042 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45043 + fput(current->exec_file);
45044 + current->exec_file = old_exec_file;
45045 +#endif
45046 +
45047 out:
45048 if (bprm->mm) {
45049 acct_arg_size(bprm, 0);
45050 @@ -1681,6 +1756,8 @@ int compat_core_sys_select(int n, compat
45051 struct fdtable *fdt;
45052 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45053
45054 + pax_track_stack();
45055 +
45056 if (n < 0)
45057 goto out_nofds;
45058
45059 diff -urNp linux-2.6.39.1/fs/compat_ioctl.c linux-2.6.39.1/fs/compat_ioctl.c
45060 --- linux-2.6.39.1/fs/compat_ioctl.c 2011-05-19 00:06:34.000000000 -0400
45061 +++ linux-2.6.39.1/fs/compat_ioctl.c 2011-05-22 19:36:32.000000000 -0400
45062 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
45063
45064 err = get_user(palp, &up->palette);
45065 err |= get_user(length, &up->length);
45066 + if (err)
45067 + return -EFAULT;
45068
45069 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45070 err = put_user(compat_ptr(palp), &up_native->palette);
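Review bot: The reason for the new early return is not stated, and it is easy to miss: the statement right after `compat_alloc_user_space()` assigns `err` afresh from `put_user()`, so a failure of either `get_user()` would otherwise be lost and `palp` would be forwarded without having been read successfully. A comment on the added check would make that explicit, `/* err is reassigned below, so fail before palp/length are consumed */`. The function starts and ends outside the hunk.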
45071 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
45072 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
45073 {
45074 unsigned int a, b;
45075 - a = *(unsigned int *)p;
45076 - b = *(unsigned int *)q;
45077 + a = *(const unsigned int *)p;
45078 + b = *(const unsigned int *)q;
45079 if (a > b)
45080 return 1;
45081 if (a < b)
45082 diff -urNp linux-2.6.39.1/fs/configfs/dir.c linux-2.6.39.1/fs/configfs/dir.c
45083 --- linux-2.6.39.1/fs/configfs/dir.c 2011-05-19 00:06:34.000000000 -0400
45084 +++ linux-2.6.39.1/fs/configfs/dir.c 2011-05-22 19:36:32.000000000 -0400
45085 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
45086 }
45087 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45088 struct configfs_dirent *next;
45089 - const char * name;
45090 + const unsigned char * name;
45091 + char d_name[sizeof(next->s_dentry->d_iname)];
45092 int len;
45093 struct inode *inode = NULL;
45094
45095 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
45096 continue;
45097
45098 name = configfs_get_name(next);
45099 - len = strlen(name);
45100 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45101 + len = next->s_dentry->d_name.len;
45102 + memcpy(d_name, name, len);
45103 + name = d_name;
45104 + } else
45105 + len = strlen(name);
45106
45107 /*
45108 * We'll have a dentry and an inode for
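Review bot: `memcpy(d_name, name, len)` copies `d_name.len` bytes into a stack buffer of `sizeof(d_iname)` bytes, and nothing in the hunk ties the two sizes together. The `name == next->s_dentry->d_iname` test suggests the name is stored inline and is therefore short, but the length is read separately from the pointer, so unless a lock taken outside this hunk excludes a concurrent name change the two can disagree. Making the bound local removes the dependency: `len = min_t(unsigned int, next->s_dentry->d_name.len, sizeof(d_name) - 1);`. The loop body continues outside the hunk.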
45109 diff -urNp linux-2.6.39.1/fs/configfs/file.c linux-2.6.39.1/fs/configfs/file.c
45110 --- linux-2.6.39.1/fs/configfs/file.c 2011-05-19 00:06:34.000000000 -0400
45111 +++ linux-2.6.39.1/fs/configfs/file.c 2011-05-22 19:36:32.000000000 -0400
45112 @@ -215,7 +215,7 @@ static int check_perm(struct inode * ino
45113 struct config_item *item = configfs_get_config_item(file->f_path.dentry->d_parent);
45114 struct configfs_attribute * attr = to_attr(file->f_path.dentry);
45115 struct configfs_buffer * buffer;
45116 - struct configfs_item_operations * ops = NULL;
45117 + struct configfs_item_operations *ops = NULL;
45118 int error = 0;
45119
45120 if (!item || !attr)
45121 diff -urNp linux-2.6.39.1/fs/configfs/item.c linux-2.6.39.1/fs/configfs/item.c
45122 --- linux-2.6.39.1/fs/configfs/item.c 2011-05-19 00:06:34.000000000 -0400
45123 +++ linux-2.6.39.1/fs/configfs/item.c 2011-05-22 19:36:32.000000000 -0400
45124 @@ -123,7 +123,7 @@ void config_item_init_type_name(struct c
45125 EXPORT_SYMBOL(config_item_init_type_name);
45126
45127 void config_group_init_type_name(struct config_group *group, const char *name,
45128 - struct config_item_type *type)
45129 + struct config_item_type *type)
45130 {
45131 config_item_set_name(&group->cg_item, name);
45132 group->cg_item.ci_type = type;
45133 diff -urNp linux-2.6.39.1/fs/dcache.c linux-2.6.39.1/fs/dcache.c
45134 --- linux-2.6.39.1/fs/dcache.c 2011-05-19 00:06:34.000000000 -0400
45135 +++ linux-2.6.39.1/fs/dcache.c 2011-05-22 19:36:32.000000000 -0400
45136 @@ -3069,7 +3069,7 @@ void __init vfs_caches_init(unsigned lon
45137 mempages -= reserve;
45138
45139 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45140 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45141 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45142
45143 dcache_init();
45144 inode_init();
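Review bot: `SLAB_USERCOPY` is added without a comment saying why this cache belongs on the usercopy whitelist. `names_cache` objects are `PATH_MAX` buffers, presumably the ones filled from user-supplied path names, so a note such as `/* path buffers are copied from userland; whitelisted for PAX_USERCOPY */` would show that the flag is deliberate. It would also remind a reader that the whole object is exposed to user copies, so nothing else should ever be stored in it.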
45145 diff -urNp linux-2.6.39.1/fs/dlm/lockspace.c linux-2.6.39.1/fs/dlm/lockspace.c
45146 --- linux-2.6.39.1/fs/dlm/lockspace.c 2011-05-19 00:06:34.000000000 -0400
45147 +++ linux-2.6.39.1/fs/dlm/lockspace.c 2011-05-22 19:36:32.000000000 -0400
45148 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
45149 return 0;
45150 }
45151
45152 -static struct kset_uevent_ops dlm_uevent_ops = {
45153 +static const struct kset_uevent_ops dlm_uevent_ops = {
45154 .uevent = dlm_uevent,
45155 };
45156
45157 diff -urNp linux-2.6.39.1/fs/ecryptfs/inode.c linux-2.6.39.1/fs/ecryptfs/inode.c
45158 --- linux-2.6.39.1/fs/ecryptfs/inode.c 2011-06-03 00:04:14.000000000 -0400
45159 +++ linux-2.6.39.1/fs/ecryptfs/inode.c 2011-06-03 00:32:07.000000000 -0400
45160 @@ -623,7 +623,7 @@ static int ecryptfs_readlink_lower(struc
45161 old_fs = get_fs();
45162 set_fs(get_ds());
45163 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45164 - (char __user *)lower_buf,
45165 + (__force char __user *)lower_buf,
45166 lower_bufsiz);
45167 set_fs(old_fs);
45168 if (rc < 0)
45169 @@ -669,7 +669,7 @@ static void *ecryptfs_follow_link(struct
45170 }
45171 old_fs = get_fs();
45172 set_fs(get_ds());
45173 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45174 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45175 set_fs(old_fs);
45176 if (rc < 0) {
45177 kfree(buf);
45178 @@ -684,7 +684,7 @@ out:
45179 static void
45180 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
45181 {
45182 - char *buf = nd_get_link(nd);
45183 + const char *buf = nd_get_link(nd);
45184 if (!IS_ERR(buf)) {
45185 /* Free the char* */
45186 kfree(buf);
45187 diff -urNp linux-2.6.39.1/fs/ecryptfs/miscdev.c linux-2.6.39.1/fs/ecryptfs/miscdev.c
45188 --- linux-2.6.39.1/fs/ecryptfs/miscdev.c 2011-05-19 00:06:34.000000000 -0400
45189 +++ linux-2.6.39.1/fs/ecryptfs/miscdev.c 2011-05-22 19:36:32.000000000 -0400
45190 @@ -328,7 +328,7 @@ check_list:
45191 goto out_unlock_msg_ctx;
45192 i = 5;
45193 if (msg_ctx->msg) {
45194 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
45195 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
45196 goto out_unlock_msg_ctx;
45197 i += packet_length_size;
45198 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
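Review bot: Folding the new bound into the `copy_to_user()` condition makes an internal inconsistency (`packet_length_size` larger than the `packet_length` buffer) leave through the same path as a user-space fault, and pushes the line well past 80 columns. Splitting it keeps the two cases apart: `if (packet_length_size > sizeof(packet_length))` followed by `goto out_unlock_msg_ctx;` on its own, ahead of the unchanged copy. What the return value holds at that label is decided outside the hunk, so check that the size failure cannot be reported as a successful read.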
45199 diff -urNp linux-2.6.39.1/fs/exec.c linux-2.6.39.1/fs/exec.c
45200 --- linux-2.6.39.1/fs/exec.c 2011-05-19 00:06:34.000000000 -0400
45201 +++ linux-2.6.39.1/fs/exec.c 2011-06-03 23:33:13.000000000 -0400
45202 @@ -55,12 +55,24 @@
45203 #include <linux/fs_struct.h>
45204 #include <linux/pipe_fs_i.h>
45205 #include <linux/oom.h>
45206 +#include <linux/random.h>
45207 +#include <linux/seq_file.h>
45208 +
45209 +#ifdef CONFIG_PAX_REFCOUNT
45210 +#include <linux/kallsyms.h>
45211 +#include <linux/kdebug.h>
45212 +#endif
45213
45214 #include <asm/uaccess.h>
45215 #include <asm/mmu_context.h>
45216 #include <asm/tlb.h>
45217 #include "internal.h"
45218
45219 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45220 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45221 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45222 +#endif
45223 +
45224 int core_uses_pid;
45225 char core_pattern[CORENAME_MAX_SIZE] = "core";
45226 unsigned int core_pipe_limit;
45227 @@ -70,7 +82,7 @@ struct core_name {
45228 char *corename;
45229 int used, size;
45230 };
45231 -static atomic_t call_count = ATOMIC_INIT(1);
45232 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
45233
45234 /* The maximal length of core_pattern is also specified in sysctl.c */
45235
45236 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
45237 char *tmp = getname(library);
45238 int error = PTR_ERR(tmp);
45239 static const struct open_flags uselib_flags = {
45240 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45241 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45242 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
45243 .intent = LOOKUP_OPEN
45244 };
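Review bot: `FMODE_GREXEC` is OR-ed into `.open_flag`, a field that otherwise holds `O_*` values, and its definition is not in this hunk. Confirm that the bit does not coincide with any `O_*` flag on every architecture and that it is masked off wherever file flags are reported back to user space. A `BUILD_BUG_ON` next to the definition that compares it against the `O_*` set would make the assumption checkable at build time. The `open_exec` hunk further down makes the same change.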
45245 @@ -190,18 +202,10 @@ struct page *get_arg_page(struct linux_b
45246 int write)
45247 {
45248 struct page *page;
45249 - int ret;
45250
45251 -#ifdef CONFIG_STACK_GROWSUP
45252 - if (write) {
45253 - ret = expand_stack_downwards(bprm->vma, pos);
45254 - if (ret < 0)
45255 - return NULL;
45256 - }
45257 -#endif
45258 - ret = get_user_pages(current, bprm->mm, pos,
45259 - 1, write, 1, &page, NULL);
45260 - if (ret <= 0)
45261 + if (0 > expand_stack_downwards(bprm->vma, pos))
45262 + return NULL;
45263 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45264 return NULL;
45265
45266 if (write) {
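Review bot: With the `#ifdef CONFIG_STACK_GROWSUP` and `if (write)` guards removed, `expand_stack_downwards()` now runs on every architecture and for read lookups as well, and nothing in the hunk says why. A comment stating the intent is needed, for example `/* grow the temporary stack vma to cover pos before pinning the page */` if that is the reason. The constant-first comparisons also depart from the surrounding style; `if (expand_stack_downwards(bprm->vma, pos) < 0)` reads more naturally. The function continues outside the hunk.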
45267 @@ -276,6 +280,11 @@ static int __bprm_mm_init(struct linux_b
45268 vma->vm_end = STACK_TOP_MAX;
45269 vma->vm_start = vma->vm_end - PAGE_SIZE;
45270 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
45271 +
45272 +#ifdef CONFIG_PAX_SEGMEXEC
45273 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45274 +#endif
45275 +
45276 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45277 INIT_LIST_HEAD(&vma->anon_vma_chain);
45278
45279 @@ -290,6 +299,12 @@ static int __bprm_mm_init(struct linux_b
45280 mm->stack_vm = mm->total_vm = 1;
45281 up_write(&mm->mmap_sem);
45282 bprm->p = vma->vm_end - sizeof(void *);
45283 +
45284 +#ifdef CONFIG_PAX_RANDUSTACK
45285 + if (randomize_va_space)
45286 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45287 +#endif
45288 +
45289 return 0;
45290 err:
45291 up_write(&mm->mmap_sem);
45292 @@ -525,7 +540,7 @@ int copy_strings_kernel(int argc, const
45293 int r;
45294 mm_segment_t oldfs = get_fs();
45295 set_fs(KERNEL_DS);
45296 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
45297 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
45298 set_fs(oldfs);
45299 return r;
45300 }
45301 @@ -555,7 +570,8 @@ static int shift_arg_pages(struct vm_are
45302 unsigned long new_end = old_end - shift;
45303 struct mmu_gather *tlb;
45304
45305 - BUG_ON(new_start > new_end);
45306 + if (new_start >= new_end || new_start < mmap_min_addr)
45307 + return -ENOMEM;
45308
45309 /*
45310 * ensure there are no vmas between where we want to go
45311 @@ -564,6 +580,10 @@ static int shift_arg_pages(struct vm_are
45312 if (vma != find_vma(mm, new_start))
45313 return -EFAULT;
45314
45315 +#ifdef CONFIG_PAX_SEGMEXEC
45316 + BUG_ON(pax_find_mirror_vma(vma));
45317 +#endif
45318 +
45319 /*
45320 * cover the whole range: [new_start, old_end)
45321 */
45322 @@ -644,10 +664,6 @@ int setup_arg_pages(struct linux_binprm
45323 stack_top = arch_align_stack(stack_top);
45324 stack_top = PAGE_ALIGN(stack_top);
45325
45326 - if (unlikely(stack_top < mmap_min_addr) ||
45327 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45328 - return -ENOMEM;
45329 -
45330 stack_shift = vma->vm_end - stack_top;
45331
45332 bprm->p -= stack_shift;
45333 @@ -659,8 +675,28 @@ int setup_arg_pages(struct linux_binprm
45334 bprm->exec -= stack_shift;
45335
45336 down_write(&mm->mmap_sem);
45337 +
45338 + /* Move stack pages down in memory. */
45339 + if (stack_shift) {
45340 + ret = shift_arg_pages(vma, stack_shift);
45341 + if (ret)
45342 + goto out_unlock;
45343 + }
45344 +
45345 vm_flags = VM_STACK_FLAGS;
45346
45347 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45348 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45349 + vm_flags &= ~VM_EXEC;
45350 +
45351 +#ifdef CONFIG_PAX_MPROTECT
45352 + if (mm->pax_flags & MF_PAX_MPROTECT)
45353 + vm_flags &= ~VM_MAYEXEC;
45354 +#endif
45355 +
45356 + }
45357 +#endif
45358 +
45359 /*
45360 * Adjust stack execute permissions; explicitly enable for
45361 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
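Review bot: The `mmap_min_addr` test that the previous hunk deletes from `setup_arg_pages` now lives only in `shift_arg_pages`, and the block added here calls that function only `if (stack_shift)`. When `stack_shift` is zero the lower-bound check is skipped altogether; whether the vma can extend below `mmap_min_addr` in that case depends on code outside these hunks. A check that does not depend on the shift, placed after the added block, would cover both paths: `if (vma->vm_start < mmap_min_addr) { ret = -ENOMEM; goto out_unlock; }`. The function starts and ends outside the hunk.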
45362 @@ -679,13 +715,6 @@ int setup_arg_pages(struct linux_binprm
45363 goto out_unlock;
45364 BUG_ON(prev != vma);
45365
45366 - /* Move stack pages down in memory. */
45367 - if (stack_shift) {
45368 - ret = shift_arg_pages(vma, stack_shift);
45369 - if (ret)
45370 - goto out_unlock;
45371 - }
45372 -
45373 /* mprotect_fixup is overkill to remove the temporary stack flags */
45374 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
45375
45376 @@ -725,7 +754,7 @@ struct file *open_exec(const char *name)
45377 struct file *file;
45378 int err;
45379 static const struct open_flags open_exec_flags = {
45380 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45381 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45382 .acc_mode = MAY_EXEC | MAY_OPEN,
45383 .intent = LOOKUP_OPEN
45384 };
45385 @@ -766,7 +795,7 @@ int kernel_read(struct file *file, loff_
45386 old_fs = get_fs();
45387 set_fs(get_ds());
45388 /* The cast to a user pointer is valid due to the set_fs() */
45389 - result = vfs_read(file, (void __user *)addr, count, &pos);
45390 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
45391 set_fs(old_fs);
45392 return result;
45393 }
45394 @@ -1188,7 +1217,7 @@ int check_unsafe_exec(struct linux_binpr
45395 }
45396 rcu_read_unlock();
45397
45398 - if (p->fs->users > n_fs) {
45399 + if (atomic_read(&p->fs->users) > n_fs) {
45400 bprm->unsafe |= LSM_UNSAFE_SHARE;
45401 } else {
45402 res = -EAGAIN;
45403 @@ -1384,6 +1413,11 @@ int do_execve(const char * filename,
45404 const char __user *const __user *envp,
45405 struct pt_regs * regs)
45406 {
45407 +#ifdef CONFIG_GRKERNSEC
45408 + struct file *old_exec_file;
45409 + struct acl_subject_label *old_acl;
45410 + struct rlimit old_rlim[RLIM_NLIMITS];
45411 +#endif
45412 struct linux_binprm *bprm;
45413 struct file *file;
45414 struct files_struct *displaced;
45415 @@ -1420,6 +1454,23 @@ int do_execve(const char * filename,
45416 bprm->filename = filename;
45417 bprm->interp = filename;
45418
45419 + if (gr_process_user_ban()) {
45420 + retval = -EPERM;
45421 + goto out_file;
45422 + }
45423 +
45424 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45425 +
45426 + if (gr_handle_nproc()) {
45427 + retval = -EAGAIN;
45428 + goto out_file;
45429 + }
45430 +
45431 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45432 + retval = -EACCES;
45433 + goto out_file;
45434 + }
45435 +
45436 retval = bprm_mm_init(bprm);
45437 if (retval)
45438 goto out_file;
45439 @@ -1449,9 +1500,40 @@ int do_execve(const char * filename,
45440 if (retval < 0)
45441 goto out;
45442
45443 + if (!gr_tpe_allow(file)) {
45444 + retval = -EACCES;
45445 + goto out;
45446 + }
45447 +
45448 + if (gr_check_crash_exec(file)) {
45449 + retval = -EACCES;
45450 + goto out;
45451 + }
45452 +
45453 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45454 +
45455 + gr_handle_exec_args(bprm, argv);
45456 +
45457 +#ifdef CONFIG_GRKERNSEC
45458 + old_acl = current->acl;
45459 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45460 + old_exec_file = current->exec_file;
45461 + get_file(file);
45462 + current->exec_file = file;
45463 +#endif
45464 +
45465 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45466 + bprm->unsafe & LSM_UNSAFE_SHARE);
45467 + if (retval < 0)
45468 + goto out_fail;
45469 +
45470 retval = search_binary_handler(bprm,regs);
45471 if (retval < 0)
45472 - goto out;
45473 + goto out_fail;
45474 +#ifdef CONFIG_GRKERNSEC
45475 + if (old_exec_file)
45476 + fput(old_exec_file);
45477 +#endif
45478
45479 /* execve succeeded */
45480 current->fs->in_exec = 0;
45481 @@ -1462,6 +1544,14 @@ int do_execve(const char * filename,
45482 put_files_struct(displaced);
45483 return retval;
45484
45485 +out_fail:
45486 +#ifdef CONFIG_GRKERNSEC
45487 + current->acl = old_acl;
45488 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45489 + fput(current->exec_file);
45490 + current->exec_file = old_exec_file;
45491 +#endif
45492 +
45493 out:
45494 if (bprm->mm) {
45495 acct_arg_size(bprm, 0);
45496 @@ -1507,7 +1597,7 @@ static int expand_corename(struct core_n
45497 {
45498 char *old_corename = cn->corename;
45499
45500 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
45501 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
45502 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45503
45504 if (!cn->corename) {
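Review bot: `call_count` is not a pure statistic: its value is multiplied by `CORENAME_MAX_SIZE`, stored in the `int` field `cn->size` and handed to `krealloc()`. Moving it to the unchecked variant removes overflow detection from a counter that sizes an allocation, and nothing visible in these hunks decrements or caps it. Either keep the checked type for this counter or bound the product before use, e.g. refuse the expansion when the incremented value exceeds `INT_MAX / CORENAME_MAX_SIZE`. The `format_corename` hunk below reads the same counter for its `kmalloc()` size.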
45505 @@ -1560,7 +1650,7 @@ static int format_corename(struct core_n
45506 int pid_in_pattern = 0;
45507 int err = 0;
45508
45509 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
45510 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
45511 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45512 cn->used = 0;
45513
45514 @@ -1648,6 +1738,219 @@ out:
45515 return ispipe;
45516 }
45517
45518 +int pax_check_flags(unsigned long *flags)
45519 +{
45520 + int retval = 0;
45521 +
45522 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45523 + if (*flags & MF_PAX_SEGMEXEC)
45524 + {
45525 + *flags &= ~MF_PAX_SEGMEXEC;
45526 + retval = -EINVAL;
45527 + }
45528 +#endif
45529 +
45530 + if ((*flags & MF_PAX_PAGEEXEC)
45531 +
45532 +#ifdef CONFIG_PAX_PAGEEXEC
45533 + && (*flags & MF_PAX_SEGMEXEC)
45534 +#endif
45535 +
45536 + )
45537 + {
45538 + *flags &= ~MF_PAX_PAGEEXEC;
45539 + retval = -EINVAL;
45540 + }
45541 +
45542 + if ((*flags & MF_PAX_MPROTECT)
45543 +
45544 +#ifdef CONFIG_PAX_MPROTECT
45545 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45546 +#endif
45547 +
45548 + )
45549 + {
45550 + *flags &= ~MF_PAX_MPROTECT;
45551 + retval = -EINVAL;
45552 + }
45553 +
45554 + if ((*flags & MF_PAX_EMUTRAMP)
45555 +
45556 +#ifdef CONFIG_PAX_EMUTRAMP
45557 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45558 +#endif
45559 +
45560 + )
45561 + {
45562 + *flags &= ~MF_PAX_EMUTRAMP;
45563 + retval = -EINVAL;
45564 + }
45565 +
45566 + return retval;
45567 +}
45568 +
45569 +EXPORT_SYMBOL(pax_check_flags);
45570 +
45571 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45572 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45573 +{
45574 + struct task_struct *tsk = current;
45575 + struct mm_struct *mm = current->mm;
45576 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
45577 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
45578 + char *path_exec = NULL;
45579 + char *path_fault = NULL;
45580 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
45581 +
45582 + if (buffer_exec && buffer_fault) {
45583 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
45584 +
45585 + down_read(&mm->mmap_sem);
45586 + vma = mm->mmap;
45587 + while (vma && (!vma_exec || !vma_fault)) {
45588 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
45589 + vma_exec = vma;
45590 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
45591 + vma_fault = vma;
45592 + vma = vma->vm_next;
45593 + }
45594 + if (vma_exec) {
45595 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
45596 + if (IS_ERR(path_exec))
45597 + path_exec = "<path too long>";
45598 + else {
45599 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
45600 + if (path_exec) {
45601 + *path_exec = 0;
45602 + path_exec = buffer_exec;
45603 + } else
45604 + path_exec = "<path too long>";
45605 + }
45606 + }
45607 + if (vma_fault) {
45608 + start = vma_fault->vm_start;
45609 + end = vma_fault->vm_end;
45610 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
45611 + if (vma_fault->vm_file) {
45612 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
45613 + if (IS_ERR(path_fault))
45614 + path_fault = "<path too long>";
45615 + else {
45616 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
45617 + if (path_fault) {
45618 + *path_fault = 0;
45619 + path_fault = buffer_fault;
45620 + } else
45621 + path_fault = "<path too long>";
45622 + }
45623 + } else
45624 + path_fault = "<anonymous mapping>";
45625 + }
45626 + up_read(&mm->mmap_sem);
45627 + }
45628 + if (tsk->signal->curr_ip)
45629 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
45630 + else
45631 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
45632 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
45633 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
45634 + task_uid(tsk), task_euid(tsk), pc, sp);
45635 + free_page((unsigned long)buffer_exec);
45636 + free_page((unsigned long)buffer_fault);
45637 + pax_report_insns(pc, sp);
45638 + do_coredump(SIGKILL, SIGKILL, regs);
45639 +}
45640 +#endif
45641 +
45642 +#ifdef CONFIG_PAX_REFCOUNT
45643 +void pax_report_refcount_overflow(struct pt_regs *regs)
45644 +{
45645 + if (current->signal->curr_ip)
45646 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45647 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
45648 + else
45649 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45650 + current->comm, task_pid_nr(current), current_uid(), current_euid());
45651 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
45652 + show_regs(regs);
45653 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
45654 +}
45655 +#endif
45656 +
45657 +#ifdef CONFIG_PAX_USERCOPY
45658 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
45659 +int object_is_on_stack(const void *obj, unsigned long len)
45660 +{
45661 + const void * const stack = task_stack_page(current);
45662 + const void * const stackend = stack + THREAD_SIZE;
45663 +
45664 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45665 + const void *frame = NULL;
45666 + const void *oldframe;
45667 +#endif
45668 +
45669 + if (obj + len < obj)
45670 + return -1;
45671 +
45672 + if (obj + len <= stack || stackend <= obj)
45673 + return 0;
45674 +
45675 + if (obj < stack || stackend < obj + len)
45676 + return -1;
45677 +
45678 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45679 + oldframe = __builtin_frame_address(1);
45680 + if (oldframe)
45681 + frame = __builtin_frame_address(2);
45682 + /*
45683 + low ----------------------------------------------> high
45684 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
45685 + ^----------------^
45686 + allow copies only within here
45687 + */
45688 + while (stack <= frame && frame < stackend) {
45689 + /* if obj + len extends past the last frame, this
45690 + check won't pass and the next frame will be 0,
45691 + causing us to bail out and correctly report
45692 + the copy as invalid
45693 + */
45694 + if (obj + len <= frame)
45695 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
45696 + oldframe = frame;
45697 + frame = *(const void * const *)frame;
45698 + }
45699 + return -1;
45700 +#else
45701 + return 1;
45702 +#endif
45703 +}
45704 +
45705 +
45706 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
45707 +{
45708 + if (current->signal->curr_ip)
45709 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45710 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45711 + else
45712 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45713 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45714 + dump_stack();
45715 + gr_handle_kernel_exploit();
45716 + do_group_exit(SIGKILL);
45717 +}
45718 +#endif
45719 +
45720 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
45721 +void pax_track_stack(void)
45722 +{
45723 + unsigned long sp = (unsigned long)&sp;
45724 + if (sp < current_thread_info()->lowest_stack &&
45725 + sp > (unsigned long)task_stack_page(current))
45726 + current_thread_info()->lowest_stack = sp;
45727 +}
45728 +EXPORT_SYMBOL(pax_track_stack);
45729 +#endif
45730 +
45731 static int zap_process(struct task_struct *start, int exit_code)
45732 {
45733 struct task_struct *t;
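Review bot: `pax_report_fault()` and `pax_report_refcount_overflow()` print `tsk->comm` / `current->comm` with a bare `%s`, although the two paths in the same report are first passed through `mangle_path()` to escape tab, newline and backslash. The task name is chosen by the task itself, so a name containing a newline can split the `PAX:` record, and log consumers that parse these alerts cannot rely on the fields after it. Escaping the name with the same character set before the `printk()`, or printing a copy with control characters replaced, would close the gap; at minimum add `/* comm is task-controlled and printed unescaped */` above the calls. `pax_report_usercopy()` does not print the name and is unaffected.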
45734 @@ -1858,17 +2161,17 @@ static void wait_for_dump_helpers(struct
45735 pipe = file->f_path.dentry->d_inode->i_pipe;
45736
45737 pipe_lock(pipe);
45738 - pipe->readers++;
45739 - pipe->writers--;
45740 + atomic_inc(&pipe->readers);
45741 + atomic_dec(&pipe->writers);
45742
45743 - while ((pipe->readers > 1) && (!signal_pending(current))) {
45744 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
45745 wake_up_interruptible_sync(&pipe->wait);
45746 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45747 pipe_wait(pipe);
45748 }
45749
45750 - pipe->readers--;
45751 - pipe->writers++;
45752 + atomic_dec(&pipe->readers);
45753 + atomic_inc(&pipe->writers);
45754 pipe_unlock(pipe);
45755
45756 }
45757 @@ -1929,7 +2232,7 @@ void do_coredump(long signr, int exit_co
45758 int retval = 0;
45759 int flag = 0;
45760 int ispipe;
45761 - static atomic_t core_dump_count = ATOMIC_INIT(0);
45762 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
45763 struct coredump_params cprm = {
45764 .signr = signr,
45765 .regs = regs,
45766 @@ -1944,6 +2247,9 @@ void do_coredump(long signr, int exit_co
45767
45768 audit_core_dumps(signr);
45769
45770 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
45771 + gr_handle_brute_attach(current, cprm.mm_flags);
45772 +
45773 binfmt = mm->binfmt;
45774 if (!binfmt || !binfmt->core_dump)
45775 goto fail;
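Review bot: The signal list that triggers `gr_handle_brute_attach()` is hard-coded with no comment, and it is not obvious why `SIGKILL` is in it or why `SIGABRT` is not. `SIGKILL` presumably covers `pax_report_fault()`, which calls `do_coredump(SIGKILL, SIGKILL, regs)` earlier in this file, while a process that terminates through an abort would not be counted by this test. A comment such as `/* crash signals counted for brute-force detection; SIGKILL comes from pax_report_fault() */` would make the choice reviewable. do_coredump's body continues outside the hunk.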
45776 @@ -1984,6 +2290,8 @@ void do_coredump(long signr, int exit_co
45777 goto fail_corename;
45778 }
45779
45780 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
45781 +
45782 if (ispipe) {
45783 int dump_count;
45784 char **helper_argv;
45785 @@ -2011,7 +2319,7 @@ void do_coredump(long signr, int exit_co
45786 }
45787 cprm.limit = RLIM_INFINITY;
45788
45789 - dump_count = atomic_inc_return(&core_dump_count);
45790 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
45791 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
45792 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
45793 task_tgid_vnr(current), current->comm);
45794 @@ -2081,7 +2389,7 @@ close_fail:
45795 filp_close(cprm.file, NULL);
45796 fail_dropcount:
45797 if (ispipe)
45798 - atomic_dec(&core_dump_count);
45799 + atomic_dec_unchecked(&core_dump_count);
45800 fail_unlock:
45801 kfree(cn.corename);
45802 fail_corename:
45803 diff -urNp linux-2.6.39.1/fs/ext2/balloc.c linux-2.6.39.1/fs/ext2/balloc.c
45804 --- linux-2.6.39.1/fs/ext2/balloc.c 2011-05-19 00:06:34.000000000 -0400
45805 +++ linux-2.6.39.1/fs/ext2/balloc.c 2011-05-22 19:41:37.000000000 -0400
45806 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
45807
45808 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
45809 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
45810 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
45811 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
45812 sbi->s_resuid != current_fsuid() &&
45813 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
45814 return 0;
45815 diff -urNp linux-2.6.39.1/fs/ext3/balloc.c linux-2.6.39.1/fs/ext3/balloc.c
45816 --- linux-2.6.39.1/fs/ext3/balloc.c 2011-05-19 00:06:34.000000000 -0400
45817 +++ linux-2.6.39.1/fs/ext3/balloc.c 2011-05-22 19:41:37.000000000 -0400
45818 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
45819
45820 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
45821 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
45822 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
45823 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
45824 sbi->s_resuid != current_fsuid() &&
45825 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
45826 return 0;
45827 diff -urNp linux-2.6.39.1/fs/ext4/balloc.c linux-2.6.39.1/fs/ext4/balloc.c
45828 --- linux-2.6.39.1/fs/ext4/balloc.c 2011-05-19 00:06:34.000000000 -0400
45829 +++ linux-2.6.39.1/fs/ext4/balloc.c 2011-05-22 19:41:37.000000000 -0400
45830 @@ -522,7 +522,7 @@ static int ext4_has_free_blocks(struct e
45831 /* Hm, nope. Are (enough) root reserved blocks available? */
45832 if (sbi->s_resuid == current_fsuid() ||
45833 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
45834 - capable(CAP_SYS_RESOURCE)) {
45835 + capable_nolog(CAP_SYS_RESOURCE)) {
45836 if (free_blocks >= (nblocks + dirty_blocks))
45837 return 1;
45838 }
45839 diff -urNp linux-2.6.39.1/fs/ext4/ext4.h linux-2.6.39.1/fs/ext4/ext4.h
45840 --- linux-2.6.39.1/fs/ext4/ext4.h 2011-06-03 00:04:14.000000000 -0400
45841 +++ linux-2.6.39.1/fs/ext4/ext4.h 2011-06-03 00:32:07.000000000 -0400
45842 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
45843 unsigned long s_mb_last_start;
45844
45845 /* stats for buddy allocator */
45846 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
45847 - atomic_t s_bal_success; /* we found long enough chunks */
45848 - atomic_t s_bal_allocated; /* in blocks */
45849 - atomic_t s_bal_ex_scanned; /* total extents scanned */
45850 - atomic_t s_bal_goals; /* goal hits */
45851 - atomic_t s_bal_breaks; /* too long searches */
45852 - atomic_t s_bal_2orders; /* 2^order hits */
45853 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
45854 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
45855 + atomic_unchecked_t s_bal_allocated; /* in blocks */
45856 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
45857 + atomic_unchecked_t s_bal_goals; /* goal hits */
45858 + atomic_unchecked_t s_bal_breaks; /* too long searches */
45859 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
45860 spinlock_t s_bal_lock;
45861 unsigned long s_mb_buddies_generated;
45862 unsigned long long s_mb_generation_time;
45863 - atomic_t s_mb_lost_chunks;
45864 - atomic_t s_mb_preallocated;
45865 - atomic_t s_mb_discarded;
45866 + atomic_unchecked_t s_mb_lost_chunks;
45867 + atomic_unchecked_t s_mb_preallocated;
45868 + atomic_unchecked_t s_mb_discarded;
45869 atomic_t s_lock_busy;
45870
45871 /* locality groups */
45872 diff -urNp linux-2.6.39.1/fs/ext4/mballoc.c linux-2.6.39.1/fs/ext4/mballoc.c
45873 --- linux-2.6.39.1/fs/ext4/mballoc.c 2011-06-03 00:04:14.000000000 -0400
45874 +++ linux-2.6.39.1/fs/ext4/mballoc.c 2011-06-03 00:32:07.000000000 -0400
45875 @@ -1853,7 +1853,7 @@ void ext4_mb_simple_scan_group(struct ex
45876 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
45877
45878 if (EXT4_SB(sb)->s_mb_stats)
45879 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
45880 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
45881
45882 break;
45883 }
45884 @@ -2147,7 +2147,7 @@ repeat:
45885 ac->ac_status = AC_STATUS_CONTINUE;
45886 ac->ac_flags |= EXT4_MB_HINT_FIRST;
45887 cr = 3;
45888 - atomic_inc(&sbi->s_mb_lost_chunks);
45889 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
45890 goto repeat;
45891 }
45892 }
45893 @@ -2190,6 +2190,8 @@ static int ext4_mb_seq_groups_show(struc
45894 ext4_grpblk_t counters[16];
45895 } sg;
45896
45897 + pax_track_stack();
45898 +
45899 group--;
45900 if (group == 0)
45901 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
45902 @@ -2613,25 +2615,25 @@ int ext4_mb_release(struct super_block *
45903 if (sbi->s_mb_stats) {
45904 printk(KERN_INFO
45905 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
45906 - atomic_read(&sbi->s_bal_allocated),
45907 - atomic_read(&sbi->s_bal_reqs),
45908 - atomic_read(&sbi->s_bal_success));
45909 + atomic_read_unchecked(&sbi->s_bal_allocated),
45910 + atomic_read_unchecked(&sbi->s_bal_reqs),
45911 + atomic_read_unchecked(&sbi->s_bal_success));
45912 printk(KERN_INFO
45913 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
45914 "%u 2^N hits, %u breaks, %u lost\n",
45915 - atomic_read(&sbi->s_bal_ex_scanned),
45916 - atomic_read(&sbi->s_bal_goals),
45917 - atomic_read(&sbi->s_bal_2orders),
45918 - atomic_read(&sbi->s_bal_breaks),
45919 - atomic_read(&sbi->s_mb_lost_chunks));
45920 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
45921 + atomic_read_unchecked(&sbi->s_bal_goals),
45922 + atomic_read_unchecked(&sbi->s_bal_2orders),
45923 + atomic_read_unchecked(&sbi->s_bal_breaks),
45924 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
45925 printk(KERN_INFO
45926 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
45927 sbi->s_mb_buddies_generated++,
45928 sbi->s_mb_generation_time);
45929 printk(KERN_INFO
45930 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
45931 - atomic_read(&sbi->s_mb_preallocated),
45932 - atomic_read(&sbi->s_mb_discarded));
45933 + atomic_read_unchecked(&sbi->s_mb_preallocated),
45934 + atomic_read_unchecked(&sbi->s_mb_discarded));
45935 }
45936
45937 free_percpu(sbi->s_locality_groups);
45938 @@ -3107,16 +3109,16 @@ static void ext4_mb_collect_stats(struct
45939 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
45940
45941 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
45942 - atomic_inc(&sbi->s_bal_reqs);
45943 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
45944 + atomic_inc_unchecked(&sbi->s_bal_reqs);
45945 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
45946 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
45947 - atomic_inc(&sbi->s_bal_success);
45948 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
45949 + atomic_inc_unchecked(&sbi->s_bal_success);
45950 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
45951 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
45952 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
45953 - atomic_inc(&sbi->s_bal_goals);
45954 + atomic_inc_unchecked(&sbi->s_bal_goals);
45955 if (ac->ac_found > sbi->s_mb_max_to_scan)
45956 - atomic_inc(&sbi->s_bal_breaks);
45957 + atomic_inc_unchecked(&sbi->s_bal_breaks);
45958 }
45959
45960 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
45961 @@ -3514,7 +3516,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
45962 trace_ext4_mb_new_inode_pa(ac, pa);
45963
45964 ext4_mb_use_inode_pa(ac, pa);
45965 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45966 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45967
45968 ei = EXT4_I(ac->ac_inode);
45969 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
45970 @@ -3574,7 +3576,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
45971 trace_ext4_mb_new_group_pa(ac, pa);
45972
45973 ext4_mb_use_group_pa(ac, pa);
45974 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45975 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45976
45977 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
45978 lg = ac->ac_lg;
45979 @@ -3661,7 +3663,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
45980 * from the bitmap and continue.
45981 */
45982 }
45983 - atomic_add(free, &sbi->s_mb_discarded);
45984 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
45985
45986 return err;
45987 }
45988 @@ -3679,7 +3681,7 @@ ext4_mb_release_group_pa(struct ext4_bud
45989 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
45990 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
45991 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
45992 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45993 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45994 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
45995
45996 return 0;
45997 diff -urNp linux-2.6.39.1/fs/fcntl.c linux-2.6.39.1/fs/fcntl.c
45998 --- linux-2.6.39.1/fs/fcntl.c 2011-05-19 00:06:34.000000000 -0400
45999 +++ linux-2.6.39.1/fs/fcntl.c 2011-05-22 20:45:50.000000000 -0400
46000 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
46001 if (err)
46002 return err;
46003
46004 + if (gr_handle_chroot_fowner(pid, type))
46005 + return -ENOENT;
46006 + if (gr_check_protected_task_fowner(pid, type))
46007 + return -EACCES;
46008 +
46009 f_modown(filp, pid, type, force);
46010 return 0;
46011 }
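Review bot: The two new checks in `__f_setown()` receive `pid` exactly as the caller passed it, and nothing in the hunk shows that `gr_handle_chroot_fowner()` or `gr_check_protected_task_fowner()` tolerate a NULL `pid`. Callers may pass NULL when the requested owner does not resolve to a live process; that is not visible here and should be confirmed against the callers and the helpers. The differing error codes, `-ENOENT` for the chroot case and `-EACCES` for the protected-task case, also deserve a one-line comment, for example `/* report an out-of-chroot owner as nonexistent rather than forbidden */`, if hiding the target's existence is the intent. The start of the function is outside the hunk.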
46012 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
46013 switch (cmd) {
46014 case F_DUPFD:
46015 case F_DUPFD_CLOEXEC:
46016 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46017 if (arg >= rlimit(RLIMIT_NOFILE))
46018 break;
46019 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
46020 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
46021 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
46022 * is defined as O_NONBLOCK on some platforms and not on others.
46023 */
46024 - BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46025 + BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46026 O_RDONLY | O_WRONLY | O_RDWR |
46027 O_CREAT | O_EXCL | O_NOCTTY |
46028 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
46029 __O_SYNC | O_DSYNC | FASYNC |
46030 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
46031 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
46032 - __FMODE_EXEC | O_PATH
46033 + __FMODE_EXEC | O_PATH | FMODE_GREXEC
46034 ));
46035
46036 fasync_cache = kmem_cache_create("fasync_cache",
46037 diff -urNp linux-2.6.39.1/fs/fifo.c linux-2.6.39.1/fs/fifo.c
46038 --- linux-2.6.39.1/fs/fifo.c 2011-05-19 00:06:34.000000000 -0400
46039 +++ linux-2.6.39.1/fs/fifo.c 2011-05-22 19:36:32.000000000 -0400
46040 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
46041 */
46042 filp->f_op = &read_pipefifo_fops;
46043 pipe->r_counter++;
46044 - if (pipe->readers++ == 0)
46045 + if (atomic_inc_return(&pipe->readers) == 1)
46046 wake_up_partner(inode);
46047
46048 - if (!pipe->writers) {
46049 + if (!atomic_read(&pipe->writers)) {
46050 if ((filp->f_flags & O_NONBLOCK)) {
46051 /* suppress POLLHUP until we have
46052 * seen a writer */
46053 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
46054 * errno=ENXIO when there is no process reading the FIFO.
46055 */
46056 ret = -ENXIO;
46057 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46058 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46059 goto err;
46060
46061 filp->f_op = &write_pipefifo_fops;
46062 pipe->w_counter++;
46063 - if (!pipe->writers++)
46064 + if (atomic_inc_return(&pipe->writers) == 1)
46065 wake_up_partner(inode);
46066
46067 - if (!pipe->readers) {
46068 + if (!atomic_read(&pipe->readers)) {
46069 wait_for_partner(inode, &pipe->r_counter);
46070 if (signal_pending(current))
46071 goto err_wr;
46072 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
46073 */
46074 filp->f_op = &rdwr_pipefifo_fops;
46075
46076 - pipe->readers++;
46077 - pipe->writers++;
46078 + atomic_inc(&pipe->readers);
46079 + atomic_inc(&pipe->writers);
46080 pipe->r_counter++;
46081 pipe->w_counter++;
46082 - if (pipe->readers == 1 || pipe->writers == 1)
46083 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46084 wake_up_partner(inode);
46085 break;
46086
46087 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
46088 return 0;
46089
46090 err_rd:
46091 - if (!--pipe->readers)
46092 + if (atomic_dec_and_test(&pipe->readers))
46093 wake_up_interruptible(&pipe->wait);
46094 ret = -ERESTARTSYS;
46095 goto err;
46096
46097 err_wr:
46098 - if (!--pipe->writers)
46099 + if (atomic_dec_and_test(&pipe->writers))
46100 wake_up_interruptible(&pipe->wait);
46101 ret = -ERESTARTSYS;
46102 goto err;
46103
46104 err:
46105 - if (!pipe->readers && !pipe->writers)
46106 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46107 free_pipe_info(inode);
46108
46109 err_nocleanup:
46110 diff -urNp linux-2.6.39.1/fs/file.c linux-2.6.39.1/fs/file.c
46111 --- linux-2.6.39.1/fs/file.c 2011-05-19 00:06:34.000000000 -0400
46112 +++ linux-2.6.39.1/fs/file.c 2011-05-22 19:41:37.000000000 -0400
46113 @@ -15,6 +15,7 @@
46114 #include <linux/slab.h>
46115 #include <linux/vmalloc.h>
46116 #include <linux/file.h>
46117 +#include <linux/security.h>
46118 #include <linux/fdtable.h>
46119 #include <linux/bitops.h>
46120 #include <linux/interrupt.h>
46121 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
46122 * N.B. For clone tasks sharing a files structure, this test
46123 * will limit the total number of files that can be opened.
46124 */
46125 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46126 if (nr >= rlimit(RLIMIT_NOFILE))
46127 return -EMFILE;
46128
46129 diff -urNp linux-2.6.39.1/fs/filesystems.c linux-2.6.39.1/fs/filesystems.c
46130 --- linux-2.6.39.1/fs/filesystems.c 2011-05-19 00:06:34.000000000 -0400
46131 +++ linux-2.6.39.1/fs/filesystems.c 2011-05-22 19:41:37.000000000 -0400
46132 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
46133 int len = dot ? dot - name : strlen(name);
46134
46135 fs = __get_fs_type(name, len);
46136 +
46137 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46138 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46139 +#else
46140 if (!fs && (request_module("%.*s", len, name) == 0))
46141 +#endif
46142 fs = __get_fs_type(name, len);
46143
46144 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
46145 diff -urNp linux-2.6.39.1/fs/fscache/cookie.c linux-2.6.39.1/fs/fscache/cookie.c
46146 --- linux-2.6.39.1/fs/fscache/cookie.c 2011-05-19 00:06:34.000000000 -0400
46147 +++ linux-2.6.39.1/fs/fscache/cookie.c 2011-05-22 19:36:32.000000000 -0400
46148 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46149 parent ? (char *) parent->def->name : "<no-parent>",
46150 def->name, netfs_data);
46151
46152 - fscache_stat(&fscache_n_acquires);
46153 + fscache_stat_unchecked(&fscache_n_acquires);
46154
46155 /* if there's no parent cookie, then we don't create one here either */
46156 if (!parent) {
46157 - fscache_stat(&fscache_n_acquires_null);
46158 + fscache_stat_unchecked(&fscache_n_acquires_null);
46159 _leave(" [no parent]");
46160 return NULL;
46161 }
46162 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46163 /* allocate and initialise a cookie */
46164 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46165 if (!cookie) {
46166 - fscache_stat(&fscache_n_acquires_oom);
46167 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46168 _leave(" [ENOMEM]");
46169 return NULL;
46170 }
46171 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46172
46173 switch (cookie->def->type) {
46174 case FSCACHE_COOKIE_TYPE_INDEX:
46175 - fscache_stat(&fscache_n_cookie_index);
46176 + fscache_stat_unchecked(&fscache_n_cookie_index);
46177 break;
46178 case FSCACHE_COOKIE_TYPE_DATAFILE:
46179 - fscache_stat(&fscache_n_cookie_data);
46180 + fscache_stat_unchecked(&fscache_n_cookie_data);
46181 break;
46182 default:
46183 - fscache_stat(&fscache_n_cookie_special);
46184 + fscache_stat_unchecked(&fscache_n_cookie_special);
46185 break;
46186 }
46187
46188 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46189 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46190 atomic_dec(&parent->n_children);
46191 __fscache_cookie_put(cookie);
46192 - fscache_stat(&fscache_n_acquires_nobufs);
46193 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46194 _leave(" = NULL");
46195 return NULL;
46196 }
46197 }
46198
46199 - fscache_stat(&fscache_n_acquires_ok);
46200 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46201 _leave(" = %p", cookie);
46202 return cookie;
46203 }
46204 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46205 cache = fscache_select_cache_for_object(cookie->parent);
46206 if (!cache) {
46207 up_read(&fscache_addremove_sem);
46208 - fscache_stat(&fscache_n_acquires_no_cache);
46209 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46210 _leave(" = -ENOMEDIUM [no cache]");
46211 return -ENOMEDIUM;
46212 }
46213 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46214 object = cache->ops->alloc_object(cache, cookie);
46215 fscache_stat_d(&fscache_n_cop_alloc_object);
46216 if (IS_ERR(object)) {
46217 - fscache_stat(&fscache_n_object_no_alloc);
46218 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46219 ret = PTR_ERR(object);
46220 goto error;
46221 }
46222
46223 - fscache_stat(&fscache_n_object_alloc);
46224 + fscache_stat_unchecked(&fscache_n_object_alloc);
46225
46226 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46227
46228 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46229 struct fscache_object *object;
46230 struct hlist_node *_p;
46231
46232 - fscache_stat(&fscache_n_updates);
46233 + fscache_stat_unchecked(&fscache_n_updates);
46234
46235 if (!cookie) {
46236 - fscache_stat(&fscache_n_updates_null);
46237 + fscache_stat_unchecked(&fscache_n_updates_null);
46238 _leave(" [no cookie]");
46239 return;
46240 }
46241 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46242 struct fscache_object *object;
46243 unsigned long event;
46244
46245 - fscache_stat(&fscache_n_relinquishes);
46246 + fscache_stat_unchecked(&fscache_n_relinquishes);
46247 if (retire)
46248 - fscache_stat(&fscache_n_relinquishes_retire);
46249 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46250
46251 if (!cookie) {
46252 - fscache_stat(&fscache_n_relinquishes_null);
46253 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
46254 _leave(" [no cookie]");
46255 return;
46256 }
46257 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46258
46259 /* wait for the cookie to finish being instantiated (or to fail) */
46260 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46261 - fscache_stat(&fscache_n_relinquishes_waitcrt);
46262 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46263 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46264 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46265 }
46266 diff -urNp linux-2.6.39.1/fs/fscache/internal.h linux-2.6.39.1/fs/fscache/internal.h
46267 --- linux-2.6.39.1/fs/fscache/internal.h 2011-05-19 00:06:34.000000000 -0400
46268 +++ linux-2.6.39.1/fs/fscache/internal.h 2011-05-22 19:36:32.000000000 -0400
46269 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
46270 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46271 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46272
46273 -extern atomic_t fscache_n_op_pend;
46274 -extern atomic_t fscache_n_op_run;
46275 -extern atomic_t fscache_n_op_enqueue;
46276 -extern atomic_t fscache_n_op_deferred_release;
46277 -extern atomic_t fscache_n_op_release;
46278 -extern atomic_t fscache_n_op_gc;
46279 -extern atomic_t fscache_n_op_cancelled;
46280 -extern atomic_t fscache_n_op_rejected;
46281 -
46282 -extern atomic_t fscache_n_attr_changed;
46283 -extern atomic_t fscache_n_attr_changed_ok;
46284 -extern atomic_t fscache_n_attr_changed_nobufs;
46285 -extern atomic_t fscache_n_attr_changed_nomem;
46286 -extern atomic_t fscache_n_attr_changed_calls;
46287 -
46288 -extern atomic_t fscache_n_allocs;
46289 -extern atomic_t fscache_n_allocs_ok;
46290 -extern atomic_t fscache_n_allocs_wait;
46291 -extern atomic_t fscache_n_allocs_nobufs;
46292 -extern atomic_t fscache_n_allocs_intr;
46293 -extern atomic_t fscache_n_allocs_object_dead;
46294 -extern atomic_t fscache_n_alloc_ops;
46295 -extern atomic_t fscache_n_alloc_op_waits;
46296 -
46297 -extern atomic_t fscache_n_retrievals;
46298 -extern atomic_t fscache_n_retrievals_ok;
46299 -extern atomic_t fscache_n_retrievals_wait;
46300 -extern atomic_t fscache_n_retrievals_nodata;
46301 -extern atomic_t fscache_n_retrievals_nobufs;
46302 -extern atomic_t fscache_n_retrievals_intr;
46303 -extern atomic_t fscache_n_retrievals_nomem;
46304 -extern atomic_t fscache_n_retrievals_object_dead;
46305 -extern atomic_t fscache_n_retrieval_ops;
46306 -extern atomic_t fscache_n_retrieval_op_waits;
46307 -
46308 -extern atomic_t fscache_n_stores;
46309 -extern atomic_t fscache_n_stores_ok;
46310 -extern atomic_t fscache_n_stores_again;
46311 -extern atomic_t fscache_n_stores_nobufs;
46312 -extern atomic_t fscache_n_stores_oom;
46313 -extern atomic_t fscache_n_store_ops;
46314 -extern atomic_t fscache_n_store_calls;
46315 -extern atomic_t fscache_n_store_pages;
46316 -extern atomic_t fscache_n_store_radix_deletes;
46317 -extern atomic_t fscache_n_store_pages_over_limit;
46318 -
46319 -extern atomic_t fscache_n_store_vmscan_not_storing;
46320 -extern atomic_t fscache_n_store_vmscan_gone;
46321 -extern atomic_t fscache_n_store_vmscan_busy;
46322 -extern atomic_t fscache_n_store_vmscan_cancelled;
46323 -
46324 -extern atomic_t fscache_n_marks;
46325 -extern atomic_t fscache_n_uncaches;
46326 -
46327 -extern atomic_t fscache_n_acquires;
46328 -extern atomic_t fscache_n_acquires_null;
46329 -extern atomic_t fscache_n_acquires_no_cache;
46330 -extern atomic_t fscache_n_acquires_ok;
46331 -extern atomic_t fscache_n_acquires_nobufs;
46332 -extern atomic_t fscache_n_acquires_oom;
46333 -
46334 -extern atomic_t fscache_n_updates;
46335 -extern atomic_t fscache_n_updates_null;
46336 -extern atomic_t fscache_n_updates_run;
46337 -
46338 -extern atomic_t fscache_n_relinquishes;
46339 -extern atomic_t fscache_n_relinquishes_null;
46340 -extern atomic_t fscache_n_relinquishes_waitcrt;
46341 -extern atomic_t fscache_n_relinquishes_retire;
46342 -
46343 -extern atomic_t fscache_n_cookie_index;
46344 -extern atomic_t fscache_n_cookie_data;
46345 -extern atomic_t fscache_n_cookie_special;
46346 -
46347 -extern atomic_t fscache_n_object_alloc;
46348 -extern atomic_t fscache_n_object_no_alloc;
46349 -extern atomic_t fscache_n_object_lookups;
46350 -extern atomic_t fscache_n_object_lookups_negative;
46351 -extern atomic_t fscache_n_object_lookups_positive;
46352 -extern atomic_t fscache_n_object_lookups_timed_out;
46353 -extern atomic_t fscache_n_object_created;
46354 -extern atomic_t fscache_n_object_avail;
46355 -extern atomic_t fscache_n_object_dead;
46356 -
46357 -extern atomic_t fscache_n_checkaux_none;
46358 -extern atomic_t fscache_n_checkaux_okay;
46359 -extern atomic_t fscache_n_checkaux_update;
46360 -extern atomic_t fscache_n_checkaux_obsolete;
46361 +extern atomic_unchecked_t fscache_n_op_pend;
46362 +extern atomic_unchecked_t fscache_n_op_run;
46363 +extern atomic_unchecked_t fscache_n_op_enqueue;
46364 +extern atomic_unchecked_t fscache_n_op_deferred_release;
46365 +extern atomic_unchecked_t fscache_n_op_release;
46366 +extern atomic_unchecked_t fscache_n_op_gc;
46367 +extern atomic_unchecked_t fscache_n_op_cancelled;
46368 +extern atomic_unchecked_t fscache_n_op_rejected;
46369 +
46370 +extern atomic_unchecked_t fscache_n_attr_changed;
46371 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
46372 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46373 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46374 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
46375 +
46376 +extern atomic_unchecked_t fscache_n_allocs;
46377 +extern atomic_unchecked_t fscache_n_allocs_ok;
46378 +extern atomic_unchecked_t fscache_n_allocs_wait;
46379 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
46380 +extern atomic_unchecked_t fscache_n_allocs_intr;
46381 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
46382 +extern atomic_unchecked_t fscache_n_alloc_ops;
46383 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
46384 +
46385 +extern atomic_unchecked_t fscache_n_retrievals;
46386 +extern atomic_unchecked_t fscache_n_retrievals_ok;
46387 +extern atomic_unchecked_t fscache_n_retrievals_wait;
46388 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
46389 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46390 +extern atomic_unchecked_t fscache_n_retrievals_intr;
46391 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
46392 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46393 +extern atomic_unchecked_t fscache_n_retrieval_ops;
46394 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46395 +
46396 +extern atomic_unchecked_t fscache_n_stores;
46397 +extern atomic_unchecked_t fscache_n_stores_ok;
46398 +extern atomic_unchecked_t fscache_n_stores_again;
46399 +extern atomic_unchecked_t fscache_n_stores_nobufs;
46400 +extern atomic_unchecked_t fscache_n_stores_oom;
46401 +extern atomic_unchecked_t fscache_n_store_ops;
46402 +extern atomic_unchecked_t fscache_n_store_calls;
46403 +extern atomic_unchecked_t fscache_n_store_pages;
46404 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
46405 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46406 +
46407 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46408 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46409 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46410 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46411 +
46412 +extern atomic_unchecked_t fscache_n_marks;
46413 +extern atomic_unchecked_t fscache_n_uncaches;
46414 +
46415 +extern atomic_unchecked_t fscache_n_acquires;
46416 +extern atomic_unchecked_t fscache_n_acquires_null;
46417 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
46418 +extern atomic_unchecked_t fscache_n_acquires_ok;
46419 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
46420 +extern atomic_unchecked_t fscache_n_acquires_oom;
46421 +
46422 +extern atomic_unchecked_t fscache_n_updates;
46423 +extern atomic_unchecked_t fscache_n_updates_null;
46424 +extern atomic_unchecked_t fscache_n_updates_run;
46425 +
46426 +extern atomic_unchecked_t fscache_n_relinquishes;
46427 +extern atomic_unchecked_t fscache_n_relinquishes_null;
46428 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46429 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
46430 +
46431 +extern atomic_unchecked_t fscache_n_cookie_index;
46432 +extern atomic_unchecked_t fscache_n_cookie_data;
46433 +extern atomic_unchecked_t fscache_n_cookie_special;
46434 +
46435 +extern atomic_unchecked_t fscache_n_object_alloc;
46436 +extern atomic_unchecked_t fscache_n_object_no_alloc;
46437 +extern atomic_unchecked_t fscache_n_object_lookups;
46438 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
46439 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
46440 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46441 +extern atomic_unchecked_t fscache_n_object_created;
46442 +extern atomic_unchecked_t fscache_n_object_avail;
46443 +extern atomic_unchecked_t fscache_n_object_dead;
46444 +
46445 +extern atomic_unchecked_t fscache_n_checkaux_none;
46446 +extern atomic_unchecked_t fscache_n_checkaux_okay;
46447 +extern atomic_unchecked_t fscache_n_checkaux_update;
46448 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46449
46450 extern atomic_t fscache_n_cop_alloc_object;
46451 extern atomic_t fscache_n_cop_lookup_object;
46452 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
46453 atomic_inc(stat);
46454 }
46455
46456 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46457 +{
46458 + atomic_inc_unchecked(stat);
46459 +}
46460 +
46461 static inline void fscache_stat_d(atomic_t *stat)
46462 {
46463 atomic_dec(stat);
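Review bot: The new `fscache_stat_unchecked()` at the top of this hunk has no comment saying when to choose it over `fscache_stat()`, and the two names differ only by a suffix. I would add above it something like `/* statistics-only counters: allowed to wrap, so they use the unchecked atomic type; never use this for a counter that guards an object's lifetime */`. The stub added in the following hunk, `#define fscache_stat_unchecked(stat) do {} while (0)`, discards its argument, so in that configuration (presumably the stats-disabled branch) a counter passed to the wrong helper is not diagnosed. The body of `fscache_stat_d()` continues past the end of this hunk.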
46464 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
46465
46466 #define __fscache_stat(stat) (NULL)
46467 #define fscache_stat(stat) do {} while (0)
46468 +#define fscache_stat_unchecked(stat) do {} while (0)
46469 #define fscache_stat_d(stat) do {} while (0)
46470 #endif
46471
46472 diff -urNp linux-2.6.39.1/fs/fscache/object.c linux-2.6.39.1/fs/fscache/object.c
46473 --- linux-2.6.39.1/fs/fscache/object.c 2011-05-19 00:06:34.000000000 -0400
46474 +++ linux-2.6.39.1/fs/fscache/object.c 2011-05-22 19:36:32.000000000 -0400
46475 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
46476 /* update the object metadata on disk */
46477 case FSCACHE_OBJECT_UPDATING:
46478 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46479 - fscache_stat(&fscache_n_updates_run);
46480 + fscache_stat_unchecked(&fscache_n_updates_run);
46481 fscache_stat(&fscache_n_cop_update_object);
46482 object->cache->ops->update_object(object);
46483 fscache_stat_d(&fscache_n_cop_update_object);
46484 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
46485 spin_lock(&object->lock);
46486 object->state = FSCACHE_OBJECT_DEAD;
46487 spin_unlock(&object->lock);
46488 - fscache_stat(&fscache_n_object_dead);
46489 + fscache_stat_unchecked(&fscache_n_object_dead);
46490 goto terminal_transit;
46491
46492 /* handle the parent cache of this object being withdrawn from
46493 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
46494 spin_lock(&object->lock);
46495 object->state = FSCACHE_OBJECT_DEAD;
46496 spin_unlock(&object->lock);
46497 - fscache_stat(&fscache_n_object_dead);
46498 + fscache_stat_unchecked(&fscache_n_object_dead);
46499 goto terminal_transit;
46500
46501 /* complain about the object being woken up once it is
46502 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
46503 parent->cookie->def->name, cookie->def->name,
46504 object->cache->tag->name);
46505
46506 - fscache_stat(&fscache_n_object_lookups);
46507 + fscache_stat_unchecked(&fscache_n_object_lookups);
46508 fscache_stat(&fscache_n_cop_lookup_object);
46509 ret = object->cache->ops->lookup_object(object);
46510 fscache_stat_d(&fscache_n_cop_lookup_object);
46511 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
46512 if (ret == -ETIMEDOUT) {
46513 /* probably stuck behind another object, so move this one to
46514 * the back of the queue */
46515 - fscache_stat(&fscache_n_object_lookups_timed_out);
46516 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46517 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46518 }
46519
46520 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
46521
46522 spin_lock(&object->lock);
46523 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46524 - fscache_stat(&fscache_n_object_lookups_negative);
46525 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46526
46527 /* transit here to allow write requests to begin stacking up
46528 * and read requests to begin returning ENODATA */
46529 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
46530 * result, in which case there may be data available */
46531 spin_lock(&object->lock);
46532 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46533 - fscache_stat(&fscache_n_object_lookups_positive);
46534 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46535
46536 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46537
46538 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
46539 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46540 } else {
46541 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46542 - fscache_stat(&fscache_n_object_created);
46543 + fscache_stat_unchecked(&fscache_n_object_created);
46544
46545 object->state = FSCACHE_OBJECT_AVAILABLE;
46546 spin_unlock(&object->lock);
46547 @@ -602,7 +602,7 @@ static void fscache_object_available(str
46548 fscache_enqueue_dependents(object);
46549
46550 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46551 - fscache_stat(&fscache_n_object_avail);
46552 + fscache_stat_unchecked(&fscache_n_object_avail);
46553
46554 _leave("");
46555 }
46556 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46557 enum fscache_checkaux result;
46558
46559 if (!object->cookie->def->check_aux) {
46560 - fscache_stat(&fscache_n_checkaux_none);
46561 + fscache_stat_unchecked(&fscache_n_checkaux_none);
46562 return FSCACHE_CHECKAUX_OKAY;
46563 }
46564
46565 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46566 switch (result) {
46567 /* entry okay as is */
46568 case FSCACHE_CHECKAUX_OKAY:
46569 - fscache_stat(&fscache_n_checkaux_okay);
46570 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
46571 break;
46572
46573 /* entry requires update */
46574 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46575 - fscache_stat(&fscache_n_checkaux_update);
46576 + fscache_stat_unchecked(&fscache_n_checkaux_update);
46577 break;
46578
46579 /* entry requires deletion */
46580 case FSCACHE_CHECKAUX_OBSOLETE:
46581 - fscache_stat(&fscache_n_checkaux_obsolete);
46582 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
46583 break;
46584
46585 default:
46586 diff -urNp linux-2.6.39.1/fs/fscache/operation.c linux-2.6.39.1/fs/fscache/operation.c
46587 --- linux-2.6.39.1/fs/fscache/operation.c 2011-05-19 00:06:34.000000000 -0400
46588 +++ linux-2.6.39.1/fs/fscache/operation.c 2011-05-22 19:36:32.000000000 -0400
46589 @@ -17,7 +17,7 @@
46590 #include <linux/slab.h>
46591 #include "internal.h"
46592
46593 -atomic_t fscache_op_debug_id;
46594 +atomic_unchecked_t fscache_op_debug_id;
46595 EXPORT_SYMBOL(fscache_op_debug_id);
46596
46597 /**
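Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, so retyping it to `atomic_unchecked_t` here only holds together if its `extern` declaration and every user change in the same patch. In this part of the patch only the `atomic_inc_return_unchecked(&fscache_op_debug_id)` call in `__fscache_write_page` is visible; the declaration and any other callers are not, so it is worth confirming that none still passes it to `atomic_inc_return()`. A one-line comment on the definition would record the intent, e.g. `/* debug ids only label trace output and may wrap; deliberately unchecked */`. That wording assumes the id is used only for the `OP%x` debug traces seen in the other hunks.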
46598 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
46599 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
46600 ASSERTCMP(atomic_read(&op->usage), >, 0);
46601
46602 - fscache_stat(&fscache_n_op_enqueue);
46603 + fscache_stat_unchecked(&fscache_n_op_enqueue);
46604 switch (op->flags & FSCACHE_OP_TYPE) {
46605 case FSCACHE_OP_ASYNC:
46606 _debug("queue async");
46607 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
46608 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
46609 if (op->processor)
46610 fscache_enqueue_operation(op);
46611 - fscache_stat(&fscache_n_op_run);
46612 + fscache_stat_unchecked(&fscache_n_op_run);
46613 }
46614
46615 /*
46616 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
46617 if (object->n_ops > 1) {
46618 atomic_inc(&op->usage);
46619 list_add_tail(&op->pend_link, &object->pending_ops);
46620 - fscache_stat(&fscache_n_op_pend);
46621 + fscache_stat_unchecked(&fscache_n_op_pend);
46622 } else if (!list_empty(&object->pending_ops)) {
46623 atomic_inc(&op->usage);
46624 list_add_tail(&op->pend_link, &object->pending_ops);
46625 - fscache_stat(&fscache_n_op_pend);
46626 + fscache_stat_unchecked(&fscache_n_op_pend);
46627 fscache_start_operations(object);
46628 } else {
46629 ASSERTCMP(object->n_in_progress, ==, 0);
46630 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
46631 object->n_exclusive++; /* reads and writes must wait */
46632 atomic_inc(&op->usage);
46633 list_add_tail(&op->pend_link, &object->pending_ops);
46634 - fscache_stat(&fscache_n_op_pend);
46635 + fscache_stat_unchecked(&fscache_n_op_pend);
46636 ret = 0;
46637 } else {
46638 /* not allowed to submit ops in any other state */
46639 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
46640 if (object->n_exclusive > 0) {
46641 atomic_inc(&op->usage);
46642 list_add_tail(&op->pend_link, &object->pending_ops);
46643 - fscache_stat(&fscache_n_op_pend);
46644 + fscache_stat_unchecked(&fscache_n_op_pend);
46645 } else if (!list_empty(&object->pending_ops)) {
46646 atomic_inc(&op->usage);
46647 list_add_tail(&op->pend_link, &object->pending_ops);
46648 - fscache_stat(&fscache_n_op_pend);
46649 + fscache_stat_unchecked(&fscache_n_op_pend);
46650 fscache_start_operations(object);
46651 } else {
46652 ASSERTCMP(object->n_exclusive, ==, 0);
46653 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
46654 object->n_ops++;
46655 atomic_inc(&op->usage);
46656 list_add_tail(&op->pend_link, &object->pending_ops);
46657 - fscache_stat(&fscache_n_op_pend);
46658 + fscache_stat_unchecked(&fscache_n_op_pend);
46659 ret = 0;
46660 } else if (object->state == FSCACHE_OBJECT_DYING ||
46661 object->state == FSCACHE_OBJECT_LC_DYING ||
46662 object->state == FSCACHE_OBJECT_WITHDRAWING) {
46663 - fscache_stat(&fscache_n_op_rejected);
46664 + fscache_stat_unchecked(&fscache_n_op_rejected);
46665 ret = -ENOBUFS;
46666 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
46667 fscache_report_unexpected_submission(object, op, ostate);
46668 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
46669
46670 ret = -EBUSY;
46671 if (!list_empty(&op->pend_link)) {
46672 - fscache_stat(&fscache_n_op_cancelled);
46673 + fscache_stat_unchecked(&fscache_n_op_cancelled);
46674 list_del_init(&op->pend_link);
46675 object->n_ops--;
46676 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
46677 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
46678 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
46679 BUG();
46680
46681 - fscache_stat(&fscache_n_op_release);
46682 + fscache_stat_unchecked(&fscache_n_op_release);
46683
46684 if (op->release) {
46685 op->release(op);
46686 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
46687 * lock, and defer it otherwise */
46688 if (!spin_trylock(&object->lock)) {
46689 _debug("defer put");
46690 - fscache_stat(&fscache_n_op_deferred_release);
46691 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
46692
46693 cache = object->cache;
46694 spin_lock(&cache->op_gc_list_lock);
46695 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
46696
46697 _debug("GC DEFERRED REL OBJ%x OP%x",
46698 object->debug_id, op->debug_id);
46699 - fscache_stat(&fscache_n_op_gc);
46700 + fscache_stat_unchecked(&fscache_n_op_gc);
46701
46702 ASSERTCMP(atomic_read(&op->usage), ==, 0);
46703
46704 diff -urNp linux-2.6.39.1/fs/fscache/page.c linux-2.6.39.1/fs/fscache/page.c
46705 --- linux-2.6.39.1/fs/fscache/page.c 2011-05-19 00:06:34.000000000 -0400
46706 +++ linux-2.6.39.1/fs/fscache/page.c 2011-05-22 19:36:32.000000000 -0400
46707 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
46708 val = radix_tree_lookup(&cookie->stores, page->index);
46709 if (!val) {
46710 rcu_read_unlock();
46711 - fscache_stat(&fscache_n_store_vmscan_not_storing);
46712 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
46713 __fscache_uncache_page(cookie, page);
46714 return true;
46715 }
46716 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
46717 spin_unlock(&cookie->stores_lock);
46718
46719 if (xpage) {
46720 - fscache_stat(&fscache_n_store_vmscan_cancelled);
46721 - fscache_stat(&fscache_n_store_radix_deletes);
46722 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
46723 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46724 ASSERTCMP(xpage, ==, page);
46725 } else {
46726 - fscache_stat(&fscache_n_store_vmscan_gone);
46727 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
46728 }
46729
46730 wake_up_bit(&cookie->flags, 0);
46731 @@ -107,7 +107,7 @@ page_busy:
46732 /* we might want to wait here, but that could deadlock the allocator as
46733 * the work threads writing to the cache may all end up sleeping
46734 * on memory allocation */
46735 - fscache_stat(&fscache_n_store_vmscan_busy);
46736 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
46737 return false;
46738 }
46739 EXPORT_SYMBOL(__fscache_maybe_release_page);
46740 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
46741 FSCACHE_COOKIE_STORING_TAG);
46742 if (!radix_tree_tag_get(&cookie->stores, page->index,
46743 FSCACHE_COOKIE_PENDING_TAG)) {
46744 - fscache_stat(&fscache_n_store_radix_deletes);
46745 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46746 xpage = radix_tree_delete(&cookie->stores, page->index);
46747 }
46748 spin_unlock(&cookie->stores_lock);
46749 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
46750
46751 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
46752
46753 - fscache_stat(&fscache_n_attr_changed_calls);
46754 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
46755
46756 if (fscache_object_is_active(object)) {
46757 fscache_set_op_state(op, "CallFS");
46758 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
46759
46760 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46761
46762 - fscache_stat(&fscache_n_attr_changed);
46763 + fscache_stat_unchecked(&fscache_n_attr_changed);
46764
46765 op = kzalloc(sizeof(*op), GFP_KERNEL);
46766 if (!op) {
46767 - fscache_stat(&fscache_n_attr_changed_nomem);
46768 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
46769 _leave(" = -ENOMEM");
46770 return -ENOMEM;
46771 }
46772 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
46773 if (fscache_submit_exclusive_op(object, op) < 0)
46774 goto nobufs;
46775 spin_unlock(&cookie->lock);
46776 - fscache_stat(&fscache_n_attr_changed_ok);
46777 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
46778 fscache_put_operation(op);
46779 _leave(" = 0");
46780 return 0;
46781 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
46782 nobufs:
46783 spin_unlock(&cookie->lock);
46784 kfree(op);
46785 - fscache_stat(&fscache_n_attr_changed_nobufs);
46786 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
46787 _leave(" = %d", -ENOBUFS);
46788 return -ENOBUFS;
46789 }
46790 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
46791 /* allocate a retrieval operation and attempt to submit it */
46792 op = kzalloc(sizeof(*op), GFP_NOIO);
46793 if (!op) {
46794 - fscache_stat(&fscache_n_retrievals_nomem);
46795 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46796 return NULL;
46797 }
46798
46799 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
46800 return 0;
46801 }
46802
46803 - fscache_stat(&fscache_n_retrievals_wait);
46804 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
46805
46806 jif = jiffies;
46807 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
46808 fscache_wait_bit_interruptible,
46809 TASK_INTERRUPTIBLE) != 0) {
46810 - fscache_stat(&fscache_n_retrievals_intr);
46811 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
46812 _leave(" = -ERESTARTSYS");
46813 return -ERESTARTSYS;
46814 }
46815 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
46816 */
46817 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
46818 struct fscache_retrieval *op,
46819 - atomic_t *stat_op_waits,
46820 - atomic_t *stat_object_dead)
46821 + atomic_unchecked_t *stat_op_waits,
46822 + atomic_unchecked_t *stat_object_dead)
46823 {
46824 int ret;
46825
46826 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
46827 goto check_if_dead;
46828
46829 _debug(">>> WT");
46830 - fscache_stat(stat_op_waits);
46831 + fscache_stat_unchecked(stat_op_waits);
46832 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
46833 fscache_wait_bit_interruptible,
46834 TASK_INTERRUPTIBLE) < 0) {
46835 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
46836
46837 check_if_dead:
46838 if (unlikely(fscache_object_is_dead(object))) {
46839 - fscache_stat(stat_object_dead);
46840 + fscache_stat_unchecked(stat_object_dead);
46841 return -ENOBUFS;
46842 }
46843 return 0;
46844 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
46845
46846 _enter("%p,%p,,,", cookie, page);
46847
46848 - fscache_stat(&fscache_n_retrievals);
46849 + fscache_stat_unchecked(&fscache_n_retrievals);
46850
46851 if (hlist_empty(&cookie->backing_objects))
46852 goto nobufs;
46853 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
46854 goto nobufs_unlock;
46855 spin_unlock(&cookie->lock);
46856
46857 - fscache_stat(&fscache_n_retrieval_ops);
46858 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
46859
46860 /* pin the netfs read context in case we need to do the actual netfs
46861 * read because we've encountered a cache read failure */
46862 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
46863
46864 error:
46865 if (ret == -ENOMEM)
46866 - fscache_stat(&fscache_n_retrievals_nomem);
46867 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46868 else if (ret == -ERESTARTSYS)
46869 - fscache_stat(&fscache_n_retrievals_intr);
46870 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
46871 else if (ret == -ENODATA)
46872 - fscache_stat(&fscache_n_retrievals_nodata);
46873 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
46874 else if (ret < 0)
46875 - fscache_stat(&fscache_n_retrievals_nobufs);
46876 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46877 else
46878 - fscache_stat(&fscache_n_retrievals_ok);
46879 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
46880
46881 fscache_put_retrieval(op);
46882 _leave(" = %d", ret);
46883 @@ -434,7 +434,7 @@ nobufs_unlock:
46884 spin_unlock(&cookie->lock);
46885 kfree(op);
46886 nobufs:
46887 - fscache_stat(&fscache_n_retrievals_nobufs);
46888 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46889 _leave(" = -ENOBUFS");
46890 return -ENOBUFS;
46891 }
46892 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
46893
46894 _enter("%p,,%d,,,", cookie, *nr_pages);
46895
46896 - fscache_stat(&fscache_n_retrievals);
46897 + fscache_stat_unchecked(&fscache_n_retrievals);
46898
46899 if (hlist_empty(&cookie->backing_objects))
46900 goto nobufs;
46901 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
46902 goto nobufs_unlock;
46903 spin_unlock(&cookie->lock);
46904
46905 - fscache_stat(&fscache_n_retrieval_ops);
46906 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
46907
46908 /* pin the netfs read context in case we need to do the actual netfs
46909 * read because we've encountered a cache read failure */
46910 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
46911
46912 error:
46913 if (ret == -ENOMEM)
46914 - fscache_stat(&fscache_n_retrievals_nomem);
46915 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46916 else if (ret == -ERESTARTSYS)
46917 - fscache_stat(&fscache_n_retrievals_intr);
46918 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
46919 else if (ret == -ENODATA)
46920 - fscache_stat(&fscache_n_retrievals_nodata);
46921 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
46922 else if (ret < 0)
46923 - fscache_stat(&fscache_n_retrievals_nobufs);
46924 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46925 else
46926 - fscache_stat(&fscache_n_retrievals_ok);
46927 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
46928
46929 fscache_put_retrieval(op);
46930 _leave(" = %d", ret);
46931 @@ -551,7 +551,7 @@ nobufs_unlock:
46932 spin_unlock(&cookie->lock);
46933 kfree(op);
46934 nobufs:
46935 - fscache_stat(&fscache_n_retrievals_nobufs);
46936 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46937 _leave(" = -ENOBUFS");
46938 return -ENOBUFS;
46939 }
46940 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
46941
46942 _enter("%p,%p,,,", cookie, page);
46943
46944 - fscache_stat(&fscache_n_allocs);
46945 + fscache_stat_unchecked(&fscache_n_allocs);
46946
46947 if (hlist_empty(&cookie->backing_objects))
46948 goto nobufs;
46949 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
46950 goto nobufs_unlock;
46951 spin_unlock(&cookie->lock);
46952
46953 - fscache_stat(&fscache_n_alloc_ops);
46954 + fscache_stat_unchecked(&fscache_n_alloc_ops);
46955
46956 ret = fscache_wait_for_retrieval_activation(
46957 object, op,
46958 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
46959
46960 error:
46961 if (ret == -ERESTARTSYS)
46962 - fscache_stat(&fscache_n_allocs_intr);
46963 + fscache_stat_unchecked(&fscache_n_allocs_intr);
46964 else if (ret < 0)
46965 - fscache_stat(&fscache_n_allocs_nobufs);
46966 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
46967 else
46968 - fscache_stat(&fscache_n_allocs_ok);
46969 + fscache_stat_unchecked(&fscache_n_allocs_ok);
46970
46971 fscache_put_retrieval(op);
46972 _leave(" = %d", ret);
46973 @@ -632,7 +632,7 @@ nobufs_unlock:
46974 spin_unlock(&cookie->lock);
46975 kfree(op);
46976 nobufs:
46977 - fscache_stat(&fscache_n_allocs_nobufs);
46978 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
46979 _leave(" = -ENOBUFS");
46980 return -ENOBUFS;
46981 }
46982 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
46983
46984 spin_lock(&cookie->stores_lock);
46985
46986 - fscache_stat(&fscache_n_store_calls);
46987 + fscache_stat_unchecked(&fscache_n_store_calls);
46988
46989 /* find a page to store */
46990 page = NULL;
46991 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
46992 page = results[0];
46993 _debug("gang %d [%lx]", n, page->index);
46994 if (page->index > op->store_limit) {
46995 - fscache_stat(&fscache_n_store_pages_over_limit);
46996 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
46997 goto superseded;
46998 }
46999
47000 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
47001 spin_unlock(&object->lock);
47002
47003 fscache_set_op_state(&op->op, "Store");
47004 - fscache_stat(&fscache_n_store_pages);
47005 + fscache_stat_unchecked(&fscache_n_store_pages);
47006 fscache_stat(&fscache_n_cop_write_page);
47007 ret = object->cache->ops->write_page(op, page);
47008 fscache_stat_d(&fscache_n_cop_write_page);
47009 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
47010 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47011 ASSERT(PageFsCache(page));
47012
47013 - fscache_stat(&fscache_n_stores);
47014 + fscache_stat_unchecked(&fscache_n_stores);
47015
47016 op = kzalloc(sizeof(*op), GFP_NOIO);
47017 if (!op)
47018 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
47019 spin_unlock(&cookie->stores_lock);
47020 spin_unlock(&object->lock);
47021
47022 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47023 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47024 op->store_limit = object->store_limit;
47025
47026 if (fscache_submit_op(object, &op->op) < 0)
47027 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
47028
47029 spin_unlock(&cookie->lock);
47030 radix_tree_preload_end();
47031 - fscache_stat(&fscache_n_store_ops);
47032 - fscache_stat(&fscache_n_stores_ok);
47033 + fscache_stat_unchecked(&fscache_n_store_ops);
47034 + fscache_stat_unchecked(&fscache_n_stores_ok);
47035
47036 /* the work queue now carries its own ref on the object */
47037 fscache_put_operation(&op->op);
47038 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
47039 return 0;
47040
47041 already_queued:
47042 - fscache_stat(&fscache_n_stores_again);
47043 + fscache_stat_unchecked(&fscache_n_stores_again);
47044 already_pending:
47045 spin_unlock(&cookie->stores_lock);
47046 spin_unlock(&object->lock);
47047 spin_unlock(&cookie->lock);
47048 radix_tree_preload_end();
47049 kfree(op);
47050 - fscache_stat(&fscache_n_stores_ok);
47051 + fscache_stat_unchecked(&fscache_n_stores_ok);
47052 _leave(" = 0");
47053 return 0;
47054
47055 @@ -864,14 +864,14 @@ nobufs:
47056 spin_unlock(&cookie->lock);
47057 radix_tree_preload_end();
47058 kfree(op);
47059 - fscache_stat(&fscache_n_stores_nobufs);
47060 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47061 _leave(" = -ENOBUFS");
47062 return -ENOBUFS;
47063
47064 nomem_free:
47065 kfree(op);
47066 nomem:
47067 - fscache_stat(&fscache_n_stores_oom);
47068 + fscache_stat_unchecked(&fscache_n_stores_oom);
47069 _leave(" = -ENOMEM");
47070 return -ENOMEM;
47071 }
47072 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
47073 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47074 ASSERTCMP(page, !=, NULL);
47075
47076 - fscache_stat(&fscache_n_uncaches);
47077 + fscache_stat_unchecked(&fscache_n_uncaches);
47078
47079 /* cache withdrawal may beat us to it */
47080 if (!PageFsCache(page))
47081 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
47082 unsigned long loop;
47083
47084 #ifdef CONFIG_FSCACHE_STATS
47085 - atomic_add(pagevec->nr, &fscache_n_marks);
47086 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47087 #endif
47088
47089 for (loop = 0; loop < pagevec->nr; loop++) {
47090 diff -urNp linux-2.6.39.1/fs/fscache/stats.c linux-2.6.39.1/fs/fscache/stats.c
47091 --- linux-2.6.39.1/fs/fscache/stats.c 2011-05-19 00:06:34.000000000 -0400
47092 +++ linux-2.6.39.1/fs/fscache/stats.c 2011-05-22 19:36:32.000000000 -0400
47093 @@ -18,95 +18,95 @@
47094 /*
47095 * operation counters
47096 */
47097 -atomic_t fscache_n_op_pend;
47098 -atomic_t fscache_n_op_run;
47099 -atomic_t fscache_n_op_enqueue;
47100 -atomic_t fscache_n_op_requeue;
47101 -atomic_t fscache_n_op_deferred_release;
47102 -atomic_t fscache_n_op_release;
47103 -atomic_t fscache_n_op_gc;
47104 -atomic_t fscache_n_op_cancelled;
47105 -atomic_t fscache_n_op_rejected;
47106 -
47107 -atomic_t fscache_n_attr_changed;
47108 -atomic_t fscache_n_attr_changed_ok;
47109 -atomic_t fscache_n_attr_changed_nobufs;
47110 -atomic_t fscache_n_attr_changed_nomem;
47111 -atomic_t fscache_n_attr_changed_calls;
47112 -
47113 -atomic_t fscache_n_allocs;
47114 -atomic_t fscache_n_allocs_ok;
47115 -atomic_t fscache_n_allocs_wait;
47116 -atomic_t fscache_n_allocs_nobufs;
47117 -atomic_t fscache_n_allocs_intr;
47118 -atomic_t fscache_n_allocs_object_dead;
47119 -atomic_t fscache_n_alloc_ops;
47120 -atomic_t fscache_n_alloc_op_waits;
47121 -
47122 -atomic_t fscache_n_retrievals;
47123 -atomic_t fscache_n_retrievals_ok;
47124 -atomic_t fscache_n_retrievals_wait;
47125 -atomic_t fscache_n_retrievals_nodata;
47126 -atomic_t fscache_n_retrievals_nobufs;
47127 -atomic_t fscache_n_retrievals_intr;
47128 -atomic_t fscache_n_retrievals_nomem;
47129 -atomic_t fscache_n_retrievals_object_dead;
47130 -atomic_t fscache_n_retrieval_ops;
47131 -atomic_t fscache_n_retrieval_op_waits;
47132 -
47133 -atomic_t fscache_n_stores;
47134 -atomic_t fscache_n_stores_ok;
47135 -atomic_t fscache_n_stores_again;
47136 -atomic_t fscache_n_stores_nobufs;
47137 -atomic_t fscache_n_stores_oom;
47138 -atomic_t fscache_n_store_ops;
47139 -atomic_t fscache_n_store_calls;
47140 -atomic_t fscache_n_store_pages;
47141 -atomic_t fscache_n_store_radix_deletes;
47142 -atomic_t fscache_n_store_pages_over_limit;
47143 -
47144 -atomic_t fscache_n_store_vmscan_not_storing;
47145 -atomic_t fscache_n_store_vmscan_gone;
47146 -atomic_t fscache_n_store_vmscan_busy;
47147 -atomic_t fscache_n_store_vmscan_cancelled;
47148 -
47149 -atomic_t fscache_n_marks;
47150 -atomic_t fscache_n_uncaches;
47151 -
47152 -atomic_t fscache_n_acquires;
47153 -atomic_t fscache_n_acquires_null;
47154 -atomic_t fscache_n_acquires_no_cache;
47155 -atomic_t fscache_n_acquires_ok;
47156 -atomic_t fscache_n_acquires_nobufs;
47157 -atomic_t fscache_n_acquires_oom;
47158 -
47159 -atomic_t fscache_n_updates;
47160 -atomic_t fscache_n_updates_null;
47161 -atomic_t fscache_n_updates_run;
47162 -
47163 -atomic_t fscache_n_relinquishes;
47164 -atomic_t fscache_n_relinquishes_null;
47165 -atomic_t fscache_n_relinquishes_waitcrt;
47166 -atomic_t fscache_n_relinquishes_retire;
47167 -
47168 -atomic_t fscache_n_cookie_index;
47169 -atomic_t fscache_n_cookie_data;
47170 -atomic_t fscache_n_cookie_special;
47171 -
47172 -atomic_t fscache_n_object_alloc;
47173 -atomic_t fscache_n_object_no_alloc;
47174 -atomic_t fscache_n_object_lookups;
47175 -atomic_t fscache_n_object_lookups_negative;
47176 -atomic_t fscache_n_object_lookups_positive;
47177 -atomic_t fscache_n_object_lookups_timed_out;
47178 -atomic_t fscache_n_object_created;
47179 -atomic_t fscache_n_object_avail;
47180 -atomic_t fscache_n_object_dead;
47181 -
47182 -atomic_t fscache_n_checkaux_none;
47183 -atomic_t fscache_n_checkaux_okay;
47184 -atomic_t fscache_n_checkaux_update;
47185 -atomic_t fscache_n_checkaux_obsolete;
47186 +atomic_unchecked_t fscache_n_op_pend;
47187 +atomic_unchecked_t fscache_n_op_run;
47188 +atomic_unchecked_t fscache_n_op_enqueue;
47189 +atomic_unchecked_t fscache_n_op_requeue;
47190 +atomic_unchecked_t fscache_n_op_deferred_release;
47191 +atomic_unchecked_t fscache_n_op_release;
47192 +atomic_unchecked_t fscache_n_op_gc;
47193 +atomic_unchecked_t fscache_n_op_cancelled;
47194 +atomic_unchecked_t fscache_n_op_rejected;
47195 +
47196 +atomic_unchecked_t fscache_n_attr_changed;
47197 +atomic_unchecked_t fscache_n_attr_changed_ok;
47198 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47199 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47200 +atomic_unchecked_t fscache_n_attr_changed_calls;
47201 +
47202 +atomic_unchecked_t fscache_n_allocs;
47203 +atomic_unchecked_t fscache_n_allocs_ok;
47204 +atomic_unchecked_t fscache_n_allocs_wait;
47205 +atomic_unchecked_t fscache_n_allocs_nobufs;
47206 +atomic_unchecked_t fscache_n_allocs_intr;
47207 +atomic_unchecked_t fscache_n_allocs_object_dead;
47208 +atomic_unchecked_t fscache_n_alloc_ops;
47209 +atomic_unchecked_t fscache_n_alloc_op_waits;
47210 +
47211 +atomic_unchecked_t fscache_n_retrievals;
47212 +atomic_unchecked_t fscache_n_retrievals_ok;
47213 +atomic_unchecked_t fscache_n_retrievals_wait;
47214 +atomic_unchecked_t fscache_n_retrievals_nodata;
47215 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47216 +atomic_unchecked_t fscache_n_retrievals_intr;
47217 +atomic_unchecked_t fscache_n_retrievals_nomem;
47218 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47219 +atomic_unchecked_t fscache_n_retrieval_ops;
47220 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47221 +
47222 +atomic_unchecked_t fscache_n_stores;
47223 +atomic_unchecked_t fscache_n_stores_ok;
47224 +atomic_unchecked_t fscache_n_stores_again;
47225 +atomic_unchecked_t fscache_n_stores_nobufs;
47226 +atomic_unchecked_t fscache_n_stores_oom;
47227 +atomic_unchecked_t fscache_n_store_ops;
47228 +atomic_unchecked_t fscache_n_store_calls;
47229 +atomic_unchecked_t fscache_n_store_pages;
47230 +atomic_unchecked_t fscache_n_store_radix_deletes;
47231 +atomic_unchecked_t fscache_n_store_pages_over_limit;
47232 +
47233 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47234 +atomic_unchecked_t fscache_n_store_vmscan_gone;
47235 +atomic_unchecked_t fscache_n_store_vmscan_busy;
47236 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47237 +
47238 +atomic_unchecked_t fscache_n_marks;
47239 +atomic_unchecked_t fscache_n_uncaches;
47240 +
47241 +atomic_unchecked_t fscache_n_acquires;
47242 +atomic_unchecked_t fscache_n_acquires_null;
47243 +atomic_unchecked_t fscache_n_acquires_no_cache;
47244 +atomic_unchecked_t fscache_n_acquires_ok;
47245 +atomic_unchecked_t fscache_n_acquires_nobufs;
47246 +atomic_unchecked_t fscache_n_acquires_oom;
47247 +
47248 +atomic_unchecked_t fscache_n_updates;
47249 +atomic_unchecked_t fscache_n_updates_null;
47250 +atomic_unchecked_t fscache_n_updates_run;
47251 +
47252 +atomic_unchecked_t fscache_n_relinquishes;
47253 +atomic_unchecked_t fscache_n_relinquishes_null;
47254 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47255 +atomic_unchecked_t fscache_n_relinquishes_retire;
47256 +
47257 +atomic_unchecked_t fscache_n_cookie_index;
47258 +atomic_unchecked_t fscache_n_cookie_data;
47259 +atomic_unchecked_t fscache_n_cookie_special;
47260 +
47261 +atomic_unchecked_t fscache_n_object_alloc;
47262 +atomic_unchecked_t fscache_n_object_no_alloc;
47263 +atomic_unchecked_t fscache_n_object_lookups;
47264 +atomic_unchecked_t fscache_n_object_lookups_negative;
47265 +atomic_unchecked_t fscache_n_object_lookups_positive;
47266 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
47267 +atomic_unchecked_t fscache_n_object_created;
47268 +atomic_unchecked_t fscache_n_object_avail;
47269 +atomic_unchecked_t fscache_n_object_dead;
47270 +
47271 +atomic_unchecked_t fscache_n_checkaux_none;
47272 +atomic_unchecked_t fscache_n_checkaux_okay;
47273 +atomic_unchecked_t fscache_n_checkaux_update;
47274 +atomic_unchecked_t fscache_n_checkaux_obsolete;
47275
47276 atomic_t fscache_n_cop_alloc_object;
47277 atomic_t fscache_n_cop_lookup_object;
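Review bot: The block of counters converted to `atomic_unchecked_t` at the top of this hunk has no comment explaining why these are exempt from overflow detection while the `fscache_n_cop_*` counters that follow stay `atomic_t`. A line above the block such as `/* statistics only, allowed to wrap; not reference counts */` would give the next contributor the rule for choosing the type. That they are pure statistics is inferred from their names and from `fscache_stats_show()` printing them with `%u` in the next hunk; the sites that modify them are outside this file section. The `shared_last_ino` conversion in the fs/inode.c hunk further down would benefit from the same kind of comment.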
47278 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47279 seq_puts(m, "FS-Cache statistics\n");
47280
47281 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47282 - atomic_read(&fscache_n_cookie_index),
47283 - atomic_read(&fscache_n_cookie_data),
47284 - atomic_read(&fscache_n_cookie_special));
47285 + atomic_read_unchecked(&fscache_n_cookie_index),
47286 + atomic_read_unchecked(&fscache_n_cookie_data),
47287 + atomic_read_unchecked(&fscache_n_cookie_special));
47288
47289 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47290 - atomic_read(&fscache_n_object_alloc),
47291 - atomic_read(&fscache_n_object_no_alloc),
47292 - atomic_read(&fscache_n_object_avail),
47293 - atomic_read(&fscache_n_object_dead));
47294 + atomic_read_unchecked(&fscache_n_object_alloc),
47295 + atomic_read_unchecked(&fscache_n_object_no_alloc),
47296 + atomic_read_unchecked(&fscache_n_object_avail),
47297 + atomic_read_unchecked(&fscache_n_object_dead));
47298 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47299 - atomic_read(&fscache_n_checkaux_none),
47300 - atomic_read(&fscache_n_checkaux_okay),
47301 - atomic_read(&fscache_n_checkaux_update),
47302 - atomic_read(&fscache_n_checkaux_obsolete));
47303 + atomic_read_unchecked(&fscache_n_checkaux_none),
47304 + atomic_read_unchecked(&fscache_n_checkaux_okay),
47305 + atomic_read_unchecked(&fscache_n_checkaux_update),
47306 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47307
47308 seq_printf(m, "Pages : mrk=%u unc=%u\n",
47309 - atomic_read(&fscache_n_marks),
47310 - atomic_read(&fscache_n_uncaches));
47311 + atomic_read_unchecked(&fscache_n_marks),
47312 + atomic_read_unchecked(&fscache_n_uncaches));
47313
47314 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47315 " oom=%u\n",
47316 - atomic_read(&fscache_n_acquires),
47317 - atomic_read(&fscache_n_acquires_null),
47318 - atomic_read(&fscache_n_acquires_no_cache),
47319 - atomic_read(&fscache_n_acquires_ok),
47320 - atomic_read(&fscache_n_acquires_nobufs),
47321 - atomic_read(&fscache_n_acquires_oom));
47322 + atomic_read_unchecked(&fscache_n_acquires),
47323 + atomic_read_unchecked(&fscache_n_acquires_null),
47324 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
47325 + atomic_read_unchecked(&fscache_n_acquires_ok),
47326 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
47327 + atomic_read_unchecked(&fscache_n_acquires_oom));
47328
47329 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47330 - atomic_read(&fscache_n_object_lookups),
47331 - atomic_read(&fscache_n_object_lookups_negative),
47332 - atomic_read(&fscache_n_object_lookups_positive),
47333 - atomic_read(&fscache_n_object_created),
47334 - atomic_read(&fscache_n_object_lookups_timed_out));
47335 + atomic_read_unchecked(&fscache_n_object_lookups),
47336 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
47337 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
47338 + atomic_read_unchecked(&fscache_n_object_created),
47339 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
47340
47341 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47342 - atomic_read(&fscache_n_updates),
47343 - atomic_read(&fscache_n_updates_null),
47344 - atomic_read(&fscache_n_updates_run));
47345 + atomic_read_unchecked(&fscache_n_updates),
47346 + atomic_read_unchecked(&fscache_n_updates_null),
47347 + atomic_read_unchecked(&fscache_n_updates_run));
47348
47349 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47350 - atomic_read(&fscache_n_relinquishes),
47351 - atomic_read(&fscache_n_relinquishes_null),
47352 - atomic_read(&fscache_n_relinquishes_waitcrt),
47353 - atomic_read(&fscache_n_relinquishes_retire));
47354 + atomic_read_unchecked(&fscache_n_relinquishes),
47355 + atomic_read_unchecked(&fscache_n_relinquishes_null),
47356 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47357 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
47358
47359 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47360 - atomic_read(&fscache_n_attr_changed),
47361 - atomic_read(&fscache_n_attr_changed_ok),
47362 - atomic_read(&fscache_n_attr_changed_nobufs),
47363 - atomic_read(&fscache_n_attr_changed_nomem),
47364 - atomic_read(&fscache_n_attr_changed_calls));
47365 + atomic_read_unchecked(&fscache_n_attr_changed),
47366 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
47367 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47368 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47369 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
47370
47371 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47372 - atomic_read(&fscache_n_allocs),
47373 - atomic_read(&fscache_n_allocs_ok),
47374 - atomic_read(&fscache_n_allocs_wait),
47375 - atomic_read(&fscache_n_allocs_nobufs),
47376 - atomic_read(&fscache_n_allocs_intr));
47377 + atomic_read_unchecked(&fscache_n_allocs),
47378 + atomic_read_unchecked(&fscache_n_allocs_ok),
47379 + atomic_read_unchecked(&fscache_n_allocs_wait),
47380 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
47381 + atomic_read_unchecked(&fscache_n_allocs_intr));
47382 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47383 - atomic_read(&fscache_n_alloc_ops),
47384 - atomic_read(&fscache_n_alloc_op_waits),
47385 - atomic_read(&fscache_n_allocs_object_dead));
47386 + atomic_read_unchecked(&fscache_n_alloc_ops),
47387 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
47388 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
47389
47390 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47391 " int=%u oom=%u\n",
47392 - atomic_read(&fscache_n_retrievals),
47393 - atomic_read(&fscache_n_retrievals_ok),
47394 - atomic_read(&fscache_n_retrievals_wait),
47395 - atomic_read(&fscache_n_retrievals_nodata),
47396 - atomic_read(&fscache_n_retrievals_nobufs),
47397 - atomic_read(&fscache_n_retrievals_intr),
47398 - atomic_read(&fscache_n_retrievals_nomem));
47399 + atomic_read_unchecked(&fscache_n_retrievals),
47400 + atomic_read_unchecked(&fscache_n_retrievals_ok),
47401 + atomic_read_unchecked(&fscache_n_retrievals_wait),
47402 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
47403 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47404 + atomic_read_unchecked(&fscache_n_retrievals_intr),
47405 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
47406 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47407 - atomic_read(&fscache_n_retrieval_ops),
47408 - atomic_read(&fscache_n_retrieval_op_waits),
47409 - atomic_read(&fscache_n_retrievals_object_dead));
47410 + atomic_read_unchecked(&fscache_n_retrieval_ops),
47411 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47412 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47413
47414 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47415 - atomic_read(&fscache_n_stores),
47416 - atomic_read(&fscache_n_stores_ok),
47417 - atomic_read(&fscache_n_stores_again),
47418 - atomic_read(&fscache_n_stores_nobufs),
47419 - atomic_read(&fscache_n_stores_oom));
47420 + atomic_read_unchecked(&fscache_n_stores),
47421 + atomic_read_unchecked(&fscache_n_stores_ok),
47422 + atomic_read_unchecked(&fscache_n_stores_again),
47423 + atomic_read_unchecked(&fscache_n_stores_nobufs),
47424 + atomic_read_unchecked(&fscache_n_stores_oom));
47425 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47426 - atomic_read(&fscache_n_store_ops),
47427 - atomic_read(&fscache_n_store_calls),
47428 - atomic_read(&fscache_n_store_pages),
47429 - atomic_read(&fscache_n_store_radix_deletes),
47430 - atomic_read(&fscache_n_store_pages_over_limit));
47431 + atomic_read_unchecked(&fscache_n_store_ops),
47432 + atomic_read_unchecked(&fscache_n_store_calls),
47433 + atomic_read_unchecked(&fscache_n_store_pages),
47434 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
47435 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47436
47437 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47438 - atomic_read(&fscache_n_store_vmscan_not_storing),
47439 - atomic_read(&fscache_n_store_vmscan_gone),
47440 - atomic_read(&fscache_n_store_vmscan_busy),
47441 - atomic_read(&fscache_n_store_vmscan_cancelled));
47442 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47443 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47444 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47445 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47446
47447 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47448 - atomic_read(&fscache_n_op_pend),
47449 - atomic_read(&fscache_n_op_run),
47450 - atomic_read(&fscache_n_op_enqueue),
47451 - atomic_read(&fscache_n_op_cancelled),
47452 - atomic_read(&fscache_n_op_rejected));
47453 + atomic_read_unchecked(&fscache_n_op_pend),
47454 + atomic_read_unchecked(&fscache_n_op_run),
47455 + atomic_read_unchecked(&fscache_n_op_enqueue),
47456 + atomic_read_unchecked(&fscache_n_op_cancelled),
47457 + atomic_read_unchecked(&fscache_n_op_rejected));
47458 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47459 - atomic_read(&fscache_n_op_deferred_release),
47460 - atomic_read(&fscache_n_op_release),
47461 - atomic_read(&fscache_n_op_gc));
47462 + atomic_read_unchecked(&fscache_n_op_deferred_release),
47463 + atomic_read_unchecked(&fscache_n_op_release),
47464 + atomic_read_unchecked(&fscache_n_op_gc));
47465
47466 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47467 atomic_read(&fscache_n_cop_alloc_object),
47468 diff -urNp linux-2.6.39.1/fs/fs_struct.c linux-2.6.39.1/fs/fs_struct.c
47469 --- linux-2.6.39.1/fs/fs_struct.c 2011-05-19 00:06:34.000000000 -0400
47470 +++ linux-2.6.39.1/fs/fs_struct.c 2011-05-22 19:41:37.000000000 -0400
47471 @@ -4,6 +4,7 @@
47472 #include <linux/path.h>
47473 #include <linux/slab.h>
47474 #include <linux/fs_struct.h>
47475 +#include <linux/grsecurity.h>
47476 #include "internal.h"
47477
47478 static inline void path_get_longterm(struct path *path)
47479 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
47480 old_root = fs->root;
47481 fs->root = *path;
47482 path_get_longterm(path);
47483 + gr_set_chroot_entries(current, path);
47484 write_seqcount_end(&fs->seq);
47485 spin_unlock(&fs->lock);
47486 if (old_root.dentry)
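Review bot: `gr_set_chroot_entries(current, path);` is called before `write_seqcount_end(&fs->seq)` and `spin_unlock(&fs->lock)`, so the helper runs in the locked section and must never sleep or allocate with a blocking flag. Its definition is not in this file section, so that cannot be confirmed from here; a comment at the call, e.g. `/* runs under fs->lock: must not sleep */`, would state the constraint where it is relied on. The calls added under a spinlock in `chroot_fs_refs()`, `exit_fs()`, `unshare_fs_struct()` and `daemonize_fs_struct()` below carry the same requirement. set_fs_root's body starts and ends outside the hunk.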
47487 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
47488 && fs->root.mnt == old_root->mnt) {
47489 path_get_longterm(new_root);
47490 fs->root = *new_root;
47491 + gr_set_chroot_entries(p, new_root);
47492 count++;
47493 }
47494 if (fs->pwd.dentry == old_root->dentry
47495 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
47496 spin_lock(&fs->lock);
47497 write_seqcount_begin(&fs->seq);
47498 tsk->fs = NULL;
47499 - kill = !--fs->users;
47500 + gr_clear_chroot_entries(tsk);
47501 + kill = !atomic_dec_return(&fs->users);
47502 write_seqcount_end(&fs->seq);
47503 spin_unlock(&fs->lock);
47504 task_unlock(tsk);
47505 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
47506 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
47507 /* We don't need to lock fs - think why ;-) */
47508 if (fs) {
47509 - fs->users = 1;
47510 + atomic_set(&fs->users, 1);
47511 fs->in_exec = 0;
47512 spin_lock_init(&fs->lock);
47513 seqcount_init(&fs->seq);
47514 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
47515 spin_lock(&old->lock);
47516 fs->root = old->root;
47517 path_get_longterm(&fs->root);
47518 + /* instead of calling gr_set_chroot_entries here,
47519 + we call it from every caller of this function
47520 + */
47521 fs->pwd = old->pwd;
47522 path_get_longterm(&fs->pwd);
47523 spin_unlock(&old->lock);
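Review bot: The comment added after `path_get_longterm(&fs->root);` makes every caller of `copy_fs_struct()` responsible for calling `gr_set_chroot_entries()`, but it sits mid-body where someone writing a new caller will not see it. Stating the obligation in a header comment above the function, e.g. `/* Callers must call gr_set_chroot_entries() for the task that receives the returned fs_struct. */`, would make the contract discoverable. Within this file only `unshare_fs_struct()` is visible doing so; the other callers are outside this section, so whether all of them comply cannot be checked here.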
47524 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
47525
47526 task_lock(current);
47527 spin_lock(&fs->lock);
47528 - kill = !--fs->users;
47529 + kill = !atomic_dec_return(&fs->users);
47530 current->fs = new_fs;
47531 + gr_set_chroot_entries(current, &new_fs->root);
47532 spin_unlock(&fs->lock);
47533 task_unlock(current);
47534
47535 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
47536
47537 /* to be mentioned only in INIT_TASK */
47538 struct fs_struct init_fs = {
47539 - .users = 1,
47540 + .users = ATOMIC_INIT(1),
47541 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
47542 .seq = SEQCNT_ZERO,
47543 .umask = 0022,
47544 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
47545 task_lock(current);
47546
47547 spin_lock(&init_fs.lock);
47548 - init_fs.users++;
47549 + atomic_inc(&init_fs.users);
47550 spin_unlock(&init_fs.lock);
47551
47552 spin_lock(&fs->lock);
47553 current->fs = &init_fs;
47554 - kill = !--fs->users;
47555 + gr_set_chroot_entries(current, &current->fs->root);
47556 + kill = !atomic_dec_return(&fs->users);
47557 spin_unlock(&fs->lock);
47558
47559 task_unlock(current);
47560 diff -urNp linux-2.6.39.1/fs/fuse/cuse.c linux-2.6.39.1/fs/fuse/cuse.c
47561 --- linux-2.6.39.1/fs/fuse/cuse.c 2011-05-19 00:06:34.000000000 -0400
47562 +++ linux-2.6.39.1/fs/fuse/cuse.c 2011-05-22 19:36:32.000000000 -0400
47563 @@ -538,8 +538,18 @@ static int cuse_channel_release(struct i
47564 return rc;
47565 }
47566
47567 -static struct file_operations cuse_channel_fops; /* initialized during init */
47568 -
47569 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
47570 + .owner = THIS_MODULE,
47571 + .llseek = no_llseek,
47572 + .read = do_sync_read,
47573 + .aio_read = fuse_dev_read,
47574 + .write = do_sync_write,
47575 + .aio_write = fuse_dev_write,
47576 + .poll = fuse_dev_poll,
47577 + .open = cuse_channel_open,
47578 + .release = cuse_channel_release,
47579 + .fasync = fuse_dev_fasync,
47580 +};
47581
47582 /**************************************************************************
47583 * Misc stuff and module initializatiion
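Review bot: The `/* initialized during init */` comment kept on the new `cuse_channel_fops` definition is no longer true, since the table is now a `const` static initializer and the run-time setup in `cuse_init()` is removed in the next hunk. The explicit member list also replaces a struct copy of `fuse_dev_operations`, so any member that table sets beyond the ones listed here is silently dropped for CUSE; `fuse_dev_splice_read()` and `fuse_dev_splice_write()` exist in dev.c, and if `fuse_dev_operations` wires them up (its initializer is cut off in the dev.c section), the channel loses splice support. I would replace the comment with `/* copy of fuse_dev_operations with CUSE open/release; keep in sync with fs/fuse/dev.c */` and either add the missing members or say why they are omitted.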
47584 @@ -585,12 +595,6 @@ static int __init cuse_init(void)
47585 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
47586 INIT_LIST_HEAD(&cuse_conntbl[i]);
47587
47588 - /* inherit and extend fuse_dev_operations */
47589 - cuse_channel_fops = fuse_dev_operations;
47590 - cuse_channel_fops.owner = THIS_MODULE;
47591 - cuse_channel_fops.open = cuse_channel_open;
47592 - cuse_channel_fops.release = cuse_channel_release;
47593 -
47594 cuse_class = class_create(THIS_MODULE, "cuse");
47595 if (IS_ERR(cuse_class))
47596 return PTR_ERR(cuse_class);
47597 diff -urNp linux-2.6.39.1/fs/fuse/dev.c linux-2.6.39.1/fs/fuse/dev.c
47598 --- linux-2.6.39.1/fs/fuse/dev.c 2011-05-19 00:06:34.000000000 -0400
47599 +++ linux-2.6.39.1/fs/fuse/dev.c 2011-05-22 19:36:32.000000000 -0400
47600 @@ -1181,7 +1181,7 @@ static ssize_t fuse_dev_do_read(struct f
47601 return err;
47602 }
47603
47604 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47605 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47606 unsigned long nr_segs, loff_t pos)
47607 {
47608 struct fuse_copy_state cs;
47609 @@ -1195,6 +1195,8 @@ static ssize_t fuse_dev_read(struct kioc
47610 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
47611 }
47612
47613 +EXPORT_SYMBOL_GPL(fuse_dev_read);
47614 +
47615 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
47616 struct pipe_buffer *buf)
47617 {
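Review bot: `EXPORT_SYMBOL_GPL(fuse_dev_read);` is separated from the closing brace of `fuse_dev_read()` by a blank line, whereas this file already places the export directly after the function (`EXPORT_SYMBOL_GPL(fuse_dev_release);` in a later hunk). Dropping the blank line keeps the export attached to its function; the same applies to the exports added for `fuse_dev_write`, `fuse_dev_poll` and `fuse_dev_fasync`. These four handlers also lose `static` and become GPL-exported only so that the CUSE table can name them, which widens the module's symbol surface; a short comment at each definition noting the CUSE user would explain why. fuse_dev_read's body starts outside this hunk.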
47618 @@ -1238,7 +1240,7 @@ static ssize_t fuse_dev_splice_read(stru
47619 ret = 0;
47620 pipe_lock(pipe);
47621
47622 - if (!pipe->readers) {
47623 + if (!atomic_read(&pipe->readers)) {
47624 send_sig(SIGPIPE, current, 0);
47625 if (!ret)
47626 ret = -EPIPE;
47627 @@ -1731,7 +1733,7 @@ static ssize_t fuse_dev_do_write(struct
47628 return err;
47629 }
47630
47631 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47632 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47633 unsigned long nr_segs, loff_t pos)
47634 {
47635 struct fuse_copy_state cs;
47636 @@ -1744,6 +1746,8 @@ static ssize_t fuse_dev_write(struct kio
47637 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
47638 }
47639
47640 +EXPORT_SYMBOL_GPL(fuse_dev_write);
47641 +
47642 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
47643 struct file *out, loff_t *ppos,
47644 size_t len, unsigned int flags)
47645 @@ -1822,7 +1826,7 @@ out:
47646 return ret;
47647 }
47648
47649 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
47650 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
47651 {
47652 unsigned mask = POLLOUT | POLLWRNORM;
47653 struct fuse_conn *fc = fuse_get_conn(file);
47654 @@ -1841,6 +1845,8 @@ static unsigned fuse_dev_poll(struct fil
47655 return mask;
47656 }
47657
47658 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
47659 +
47660 /*
47661 * Abort all requests on the given list (pending or processing)
47662 *
47663 @@ -1977,7 +1983,7 @@ int fuse_dev_release(struct inode *inode
47664 }
47665 EXPORT_SYMBOL_GPL(fuse_dev_release);
47666
47667 -static int fuse_dev_fasync(int fd, struct file *file, int on)
47668 +int fuse_dev_fasync(int fd, struct file *file, int on)
47669 {
47670 struct fuse_conn *fc = fuse_get_conn(file);
47671 if (!fc)
47672 @@ -1987,6 +1993,8 @@ static int fuse_dev_fasync(int fd, struc
47673 return fasync_helper(fd, file, on, &fc->fasync);
47674 }
47675
47676 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
47677 +
47678 const struct file_operations fuse_dev_operations = {
47679 .owner = THIS_MODULE,
47680 .llseek = no_llseek,
47681 diff -urNp linux-2.6.39.1/fs/fuse/dir.c linux-2.6.39.1/fs/fuse/dir.c
47682 --- linux-2.6.39.1/fs/fuse/dir.c 2011-05-19 00:06:34.000000000 -0400
47683 +++ linux-2.6.39.1/fs/fuse/dir.c 2011-05-22 19:36:32.000000000 -0400
47684 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
47685 return link;
47686 }
47687
47688 -static void free_link(char *link)
47689 +static void free_link(const char *link)
47690 {
47691 if (!IS_ERR(link))
47692 free_page((unsigned long) link);
47693 diff -urNp linux-2.6.39.1/fs/fuse/fuse_i.h linux-2.6.39.1/fs/fuse/fuse_i.h
47694 --- linux-2.6.39.1/fs/fuse/fuse_i.h 2011-05-19 00:06:34.000000000 -0400
47695 +++ linux-2.6.39.1/fs/fuse/fuse_i.h 2011-05-22 19:36:32.000000000 -0400
47696 @@ -540,6 +540,16 @@ extern const struct file_operations fuse
47697
47698 extern const struct dentry_operations fuse_dentry_operations;
47699
47700 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47701 + unsigned long nr_segs, loff_t pos);
47702 +
47703 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47704 + unsigned long nr_segs, loff_t pos);
47705 +
47706 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
47707 +
47708 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
47709 +
47710 /**
47711 * Inode to nodeid comparison.
47712 */
47713 diff -urNp linux-2.6.39.1/fs/gfs2/ops_inode.c linux-2.6.39.1/fs/gfs2/ops_inode.c
47714 --- linux-2.6.39.1/fs/gfs2/ops_inode.c 2011-05-19 00:06:34.000000000 -0400
47715 +++ linux-2.6.39.1/fs/gfs2/ops_inode.c 2011-05-22 19:36:32.000000000 -0400
47716 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
47717 unsigned int x;
47718 int error;
47719
47720 + pax_track_stack();
47721 +
47722 if (ndentry->d_inode) {
47723 nip = GFS2_I(ndentry->d_inode);
47724 if (ip == nip)
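Review bot: `pax_track_stack();` is inserted after the local declarations of `gfs2_rename()` with nothing saying why this function was singled out. Presumably the function has a large stack frame, but the declarations that would show it are mostly outside the hunk; a comment such as `/* large stack frame: track depth for PaX */` at the call would record the criterion. The same bare call is added in the hfsplus, jbd and jffs2 hunks below. gfs2_rename's body starts and ends outside the hunk.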
47725 @@ -1019,7 +1021,7 @@ out:
47726
47727 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
47728 {
47729 - char *s = nd_get_link(nd);
47730 + const char *s = nd_get_link(nd);
47731 if (!IS_ERR(s))
47732 kfree(s);
47733 }
47734 diff -urNp linux-2.6.39.1/fs/hfsplus/catalog.c linux-2.6.39.1/fs/hfsplus/catalog.c
47735 --- linux-2.6.39.1/fs/hfsplus/catalog.c 2011-05-19 00:06:34.000000000 -0400
47736 +++ linux-2.6.39.1/fs/hfsplus/catalog.c 2011-05-22 19:36:32.000000000 -0400
47737 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
47738 int err;
47739 u16 type;
47740
47741 + pax_track_stack();
47742 +
47743 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
47744 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
47745 if (err)
47746 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
47747 int entry_size;
47748 int err;
47749
47750 + pax_track_stack();
47751 +
47752 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
47753 str->name, cnid, inode->i_nlink);
47754 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
47755 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
47756 int entry_size, type;
47757 int err = 0;
47758
47759 + pax_track_stack();
47760 +
47761 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
47762 cnid, src_dir->i_ino, src_name->name,
47763 dst_dir->i_ino, dst_name->name);
47764 diff -urNp linux-2.6.39.1/fs/hfsplus/dir.c linux-2.6.39.1/fs/hfsplus/dir.c
47765 --- linux-2.6.39.1/fs/hfsplus/dir.c 2011-05-19 00:06:34.000000000 -0400
47766 +++ linux-2.6.39.1/fs/hfsplus/dir.c 2011-05-22 19:36:32.000000000 -0400
47767 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
47768 struct hfsplus_readdir_data *rd;
47769 u16 type;
47770
47771 + pax_track_stack();
47772 +
47773 if (filp->f_pos >= inode->i_size)
47774 return 0;
47775
47776 diff -urNp linux-2.6.39.1/fs/hfsplus/inode.c linux-2.6.39.1/fs/hfsplus/inode.c
47777 --- linux-2.6.39.1/fs/hfsplus/inode.c 2011-05-19 00:06:34.000000000 -0400
47778 +++ linux-2.6.39.1/fs/hfsplus/inode.c 2011-05-22 19:36:32.000000000 -0400
47779 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
47780 int res = 0;
47781 u16 type;
47782
47783 + pax_track_stack();
47784 +
47785 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
47786
47787 HFSPLUS_I(inode)->linkid = 0;
47788 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
47789 struct hfs_find_data fd;
47790 hfsplus_cat_entry entry;
47791
47792 + pax_track_stack();
47793 +
47794 if (HFSPLUS_IS_RSRC(inode))
47795 main_inode = HFSPLUS_I(inode)->rsrc_inode;
47796
47797 diff -urNp linux-2.6.39.1/fs/hfsplus/ioctl.c linux-2.6.39.1/fs/hfsplus/ioctl.c
47798 --- linux-2.6.39.1/fs/hfsplus/ioctl.c 2011-05-19 00:06:34.000000000 -0400
47799 +++ linux-2.6.39.1/fs/hfsplus/ioctl.c 2011-05-22 19:36:32.000000000 -0400
47800 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
47801 struct hfsplus_cat_file *file;
47802 int res;
47803
47804 + pax_track_stack();
47805 +
47806 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
47807 return -EOPNOTSUPP;
47808
47809 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
47810 struct hfsplus_cat_file *file;
47811 ssize_t res = 0;
47812
47813 + pax_track_stack();
47814 +
47815 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
47816 return -EOPNOTSUPP;
47817
47818 diff -urNp linux-2.6.39.1/fs/hfsplus/super.c linux-2.6.39.1/fs/hfsplus/super.c
47819 --- linux-2.6.39.1/fs/hfsplus/super.c 2011-05-19 00:06:34.000000000 -0400
47820 +++ linux-2.6.39.1/fs/hfsplus/super.c 2011-05-22 19:36:32.000000000 -0400
47821 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
47822 struct nls_table *nls = NULL;
47823 int err;
47824
47825 + pax_track_stack();
47826 +
47827 err = -EINVAL;
47828 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
47829 if (!sbi)
47830 diff -urNp linux-2.6.39.1/fs/hugetlbfs/inode.c linux-2.6.39.1/fs/hugetlbfs/inode.c
47831 --- linux-2.6.39.1/fs/hugetlbfs/inode.c 2011-05-19 00:06:34.000000000 -0400
47832 +++ linux-2.6.39.1/fs/hugetlbfs/inode.c 2011-05-22 19:41:37.000000000 -0400
47833 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
47834 .kill_sb = kill_litter_super,
47835 };
47836
47837 -static struct vfsmount *hugetlbfs_vfsmount;
47838 +struct vfsmount *hugetlbfs_vfsmount;
47839
47840 static int can_do_hugetlb_shm(void)
47841 {
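Review bot: `hugetlbfs_vfsmount` loses `static` here and becomes a writable kernel-wide symbol, yet nothing in this file section declares it in a header or says which code outside fs/hugetlbfs/inode.c reads it. A comment on the definition naming the consumer, plus an `extern` declaration in the header that consumer includes (not visible from this hunk, so it may already exist elsewhere in the patch), would keep the wider linkage intentional and type-checked.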
47842 diff -urNp linux-2.6.39.1/fs/inode.c linux-2.6.39.1/fs/inode.c
47843 --- linux-2.6.39.1/fs/inode.c 2011-05-19 00:06:34.000000000 -0400
47844 +++ linux-2.6.39.1/fs/inode.c 2011-05-22 19:36:32.000000000 -0400
47845 @@ -862,8 +862,8 @@ unsigned int get_next_ino(void)
47846
47847 #ifdef CONFIG_SMP
47848 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
47849 - static atomic_t shared_last_ino;
47850 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
47851 + static atomic_unchecked_t shared_last_ino;
47852 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
47853
47854 res = next - LAST_INO_BATCH;
47855 }
47856 diff -urNp linux-2.6.39.1/fs/jbd/checkpoint.c linux-2.6.39.1/fs/jbd/checkpoint.c
47857 --- linux-2.6.39.1/fs/jbd/checkpoint.c 2011-05-19 00:06:34.000000000 -0400
47858 +++ linux-2.6.39.1/fs/jbd/checkpoint.c 2011-05-22 19:36:32.000000000 -0400
47859 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
47860 tid_t this_tid;
47861 int result;
47862
47863 + pax_track_stack();
47864 +
47865 jbd_debug(1, "Start checkpoint\n");
47866
47867 /*
47868 diff -urNp linux-2.6.39.1/fs/jffs2/compr_rtime.c linux-2.6.39.1/fs/jffs2/compr_rtime.c
47869 --- linux-2.6.39.1/fs/jffs2/compr_rtime.c 2011-05-19 00:06:34.000000000 -0400
47870 +++ linux-2.6.39.1/fs/jffs2/compr_rtime.c 2011-05-22 19:36:32.000000000 -0400
47871 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
47872 int outpos = 0;
47873 int pos=0;
47874
47875 + pax_track_stack();
47876 +
47877 memset(positions,0,sizeof(positions));
47878
47879 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
47880 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
47881 int outpos = 0;
47882 int pos=0;
47883
47884 + pax_track_stack();
47885 +
47886 memset(positions,0,sizeof(positions));
47887
47888 while (outpos<destlen) {
47889 diff -urNp linux-2.6.39.1/fs/jffs2/compr_rubin.c linux-2.6.39.1/fs/jffs2/compr_rubin.c
47890 --- linux-2.6.39.1/fs/jffs2/compr_rubin.c 2011-05-19 00:06:34.000000000 -0400
47891 +++ linux-2.6.39.1/fs/jffs2/compr_rubin.c 2011-05-22 19:36:32.000000000 -0400
47892 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
47893 int ret;
47894 uint32_t mysrclen, mydstlen;
47895
47896 + pax_track_stack();
47897 +
47898 mysrclen = *sourcelen;
47899 mydstlen = *dstlen - 8;
47900
47901 diff -urNp linux-2.6.39.1/fs/jffs2/erase.c linux-2.6.39.1/fs/jffs2/erase.c
47902 --- linux-2.6.39.1/fs/jffs2/erase.c 2011-05-19 00:06:34.000000000 -0400
47903 +++ linux-2.6.39.1/fs/jffs2/erase.c 2011-05-22 19:36:32.000000000 -0400
47904 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
47905 struct jffs2_unknown_node marker = {
47906 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
47907 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
47908 - .totlen = cpu_to_je32(c->cleanmarker_size)
47909 + .totlen = cpu_to_je32(c->cleanmarker_size),
47910 + .hdr_crc = cpu_to_je32(0)
47911 };
47912
47913 jffs2_prealloc_raw_node_refs(c, jeb, 1);
47914 diff -urNp linux-2.6.39.1/fs/jffs2/wbuf.c linux-2.6.39.1/fs/jffs2/wbuf.c
47915 --- linux-2.6.39.1/fs/jffs2/wbuf.c 2011-05-19 00:06:34.000000000 -0400
47916 +++ linux-2.6.39.1/fs/jffs2/wbuf.c 2011-05-22 19:36:32.000000000 -0400
47917 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
47918 {
47919 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
47920 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
47921 - .totlen = constant_cpu_to_je32(8)
47922 + .totlen = constant_cpu_to_je32(8),
47923 + .hdr_crc = constant_cpu_to_je32(0)
47924 };
47925
47926 /*
47927 diff -urNp linux-2.6.39.1/fs/jffs2/xattr.c linux-2.6.39.1/fs/jffs2/xattr.c
47928 --- linux-2.6.39.1/fs/jffs2/xattr.c 2011-05-19 00:06:34.000000000 -0400
47929 +++ linux-2.6.39.1/fs/jffs2/xattr.c 2011-05-22 19:36:32.000000000 -0400
47930 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
47931
47932 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
47933
47934 + pax_track_stack();
47935 +
47936 /* Phase.1 : Merge same xref */
47937 for (i=0; i < XREF_TMPHASH_SIZE; i++)
47938 xref_tmphash[i] = NULL;
47939 diff -urNp linux-2.6.39.1/fs/jfs/super.c linux-2.6.39.1/fs/jfs/super.c
47940 --- linux-2.6.39.1/fs/jfs/super.c 2011-05-19 00:06:34.000000000 -0400
47941 +++ linux-2.6.39.1/fs/jfs/super.c 2011-06-07 18:07:24.000000000 -0400
47942 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
47943
47944 jfs_inode_cachep =
47945 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
47946 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
47947 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
47948 init_once);
47949 if (jfs_inode_cachep == NULL)
47950 return -ENOMEM;
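Review bot: `SLAB_USERCOPY` is added to the `jfs_ip` cache with no comment naming the member of `struct jfs_inode_info` that has to be copied to or from user space. The flag presumably exempts every object in this cache from the patch's user-copy checks, so the justification should sit next to it, e.g. `/* SLAB_USERCOPY: <member> is copied directly to user space */` with the actual member filled in. init_jfs_fs continues outside the hunk.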
47951 diff -urNp linux-2.6.39.1/fs/Kconfig.binfmt linux-2.6.39.1/fs/Kconfig.binfmt
47952 --- linux-2.6.39.1/fs/Kconfig.binfmt 2011-05-19 00:06:34.000000000 -0400
47953 +++ linux-2.6.39.1/fs/Kconfig.binfmt 2011-05-22 19:36:32.000000000 -0400
47954 @@ -86,7 +86,7 @@ config HAVE_AOUT
47955
47956 config BINFMT_AOUT
47957 tristate "Kernel support for a.out and ECOFF binaries"
47958 - depends on HAVE_AOUT
47959 + depends on HAVE_AOUT && BROKEN
47960 ---help---
47961 A.out (Assembler.OUTput) is a set of formats for libraries and
47962 executables used in the earliest versions of UNIX. Linux used
47963 diff -urNp linux-2.6.39.1/fs/libfs.c linux-2.6.39.1/fs/libfs.c
47964 --- linux-2.6.39.1/fs/libfs.c 2011-05-19 00:06:34.000000000 -0400
47965 +++ linux-2.6.39.1/fs/libfs.c 2011-05-22 19:36:32.000000000 -0400
47966 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
47967
47968 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
47969 struct dentry *next;
47970 + char d_name[sizeof(next->d_iname)];
47971 + const unsigned char *name;
47972 +
47973 next = list_entry(p, struct dentry, d_u.d_child);
47974 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
47975 if (!simple_positive(next)) {
47976 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
47977
47978 spin_unlock(&next->d_lock);
47979 spin_unlock(&dentry->d_lock);
47980 - if (filldir(dirent, next->d_name.name,
47981 + name = next->d_name.name;
47982 + if (name == next->d_iname) {
47983 + memcpy(d_name, name, next->d_name.len);
47984 + name = d_name;
47985 + }
47986 + if (filldir(dirent, name,
47987 next->d_name.len, filp->f_pos,
47988 next->d_inode->i_ino,
47989 dt_type(next->d_inode)) < 0)
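Review bot: The bounce copy `memcpy(d_name, name, next->d_name.len)` runs after `spin_unlock(&next->d_lock)`, so both the pointer comparison and the length are read without the dentry lock, and the length is not checked against `sizeof(d_name)`. If a rename could switch the dentry between its inline and external name at that point, the copy could run past the stack buffer. Presumably the directory mutex held by the readdir caller rules that out; if so, say it in a comment, or take the snapshot before the unlock. The loop and dcache_readdir itself extend outside both hunks.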
47990 diff -urNp linux-2.6.39.1/fs/lockd/clntproc.c linux-2.6.39.1/fs/lockd/clntproc.c
47991 --- linux-2.6.39.1/fs/lockd/clntproc.c 2011-05-19 00:06:34.000000000 -0400
47992 +++ linux-2.6.39.1/fs/lockd/clntproc.c 2011-05-22 19:36:32.000000000 -0400
47993 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
47994 /*
47995 * Cookie counter for NLM requests
47996 */
47997 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
47998 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
47999
48000 void nlmclnt_next_cookie(struct nlm_cookie *c)
48001 {
48002 - u32 cookie = atomic_inc_return(&nlm_cookie);
48003 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48004
48005 memcpy(c->data, &cookie, 4);
48006 c->len=4;
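Review bot: `nlm_cookie` is switched to `atomic_unchecked_t` without a comment saying that wrap-around of this counter is intended. The `_unchecked` variants presumably exempt the variable from the overflow detection the patch applies to ordinary `atomic_t`, so the exemption should be justified where it is made, e.g. `/* opaque request id, not a reference count; wrapping is harmless */`. The same applies to `nfs_attr_generation_counter` in fs/nfs/inode.c further down.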
48007 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48008 struct nlm_rqst reqst, *req;
48009 int status;
48010
48011 + pax_track_stack();
48012 +
48013 req = &reqst;
48014 memset(req, 0, sizeof(*req));
48015 locks_init_lock(&req->a_args.lock.fl);
48016 diff -urNp linux-2.6.39.1/fs/lockd/svc.c linux-2.6.39.1/fs/lockd/svc.c
48017 --- linux-2.6.39.1/fs/lockd/svc.c 2011-05-19 00:06:34.000000000 -0400
48018 +++ linux-2.6.39.1/fs/lockd/svc.c 2011-05-22 19:36:32.000000000 -0400
48019 @@ -41,7 +41,7 @@
48020
48021 static struct svc_program nlmsvc_program;
48022
48023 -struct nlmsvc_binding * nlmsvc_ops;
48024 +const struct nlmsvc_binding * nlmsvc_ops;
48025 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48026
48027 static DEFINE_MUTEX(nlmsvc_mutex);
48028 diff -urNp linux-2.6.39.1/fs/locks.c linux-2.6.39.1/fs/locks.c
48029 --- linux-2.6.39.1/fs/locks.c 2011-05-19 00:06:34.000000000 -0400
48030 +++ linux-2.6.39.1/fs/locks.c 2011-05-22 19:36:32.000000000 -0400
48031 @@ -2033,16 +2033,16 @@ void locks_remove_flock(struct file *fil
48032 return;
48033
48034 if (filp->f_op && filp->f_op->flock) {
48035 - struct file_lock fl = {
48036 + struct file_lock flock = {
48037 .fl_pid = current->tgid,
48038 .fl_file = filp,
48039 .fl_flags = FL_FLOCK,
48040 .fl_type = F_UNLCK,
48041 .fl_end = OFFSET_MAX,
48042 };
48043 - filp->f_op->flock(filp, F_SETLKW, &fl);
48044 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48045 - fl.fl_ops->fl_release_private(&fl);
48046 + filp->f_op->flock(filp, F_SETLKW, &flock);
48047 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48048 + flock.fl_ops->fl_release_private(&flock);
48049 }
48050
48051 lock_flocks();
48052 diff -urNp linux-2.6.39.1/fs/logfs/super.c linux-2.6.39.1/fs/logfs/super.c
48053 --- linux-2.6.39.1/fs/logfs/super.c 2011-05-19 00:06:34.000000000 -0400
48054 +++ linux-2.6.39.1/fs/logfs/super.c 2011-05-22 19:36:32.000000000 -0400
48055 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
48056 struct logfs_disk_super _ds1, *ds1 = &_ds1;
48057 int err, valid0, valid1;
48058
48059 + pax_track_stack();
48060 +
48061 /* read first superblock */
48062 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
48063 if (err)
48064 diff -urNp linux-2.6.39.1/fs/namei.c linux-2.6.39.1/fs/namei.c
48065 --- linux-2.6.39.1/fs/namei.c 2011-06-03 00:04:14.000000000 -0400
48066 +++ linux-2.6.39.1/fs/namei.c 2011-06-03 00:32:07.000000000 -0400
48067 @@ -237,20 +237,30 @@ int generic_permission(struct inode *ino
48068 return ret;
48069
48070 /*
48071 - * Read/write DACs are always overridable.
48072 - * Executable DACs are overridable if at least one exec bit is set.
48073 + * Searching includes executable on directories, else just read.
48074 */
48075 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48076 - if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48077 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48078 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
48079 +#ifdef CONFIG_GRKERNSEC
48080 + if (flags & IPERM_FLAG_RCU)
48081 + return -ECHILD;
48082 +#endif
48083 + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48084 return 0;
48085 + }
48086
48087 /*
48088 - * Searching includes executable on directories, else just read.
48089 + * Read/write DACs are always overridable.
48090 + * Executable DACs are overridable if at least one exec bit is set.
48091 */
48092 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48093 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
48094 - if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48095 + if (!(mask & MAY_EXEC) || execute_ok(inode)) {
48096 +#ifdef CONFIG_GRKERNSEC
48097 + if (flags & IPERM_FLAG_RCU)
48098 + return -ECHILD;
48099 +#endif
48100 + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48101 return 0;
48102 + }
48103
48104 return -EACCES;
48105 }
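Review bot: Both `#ifdef CONFIG_GRKERNSEC` blocks return `-ECHILD` whenever `IPERM_FLAG_RCU` is set, before `ns_capable()` is consulted, and no comment says why the capability check cannot run in RCU-walk mode. Presumably the patched `ns_capable()` may log and must not be called there; if that is the reason, state it once above the first block, e.g. `/* capability checks may log; fall back to ref-walk first */`. `flags` is not declared inside the hunk and generic_permission starts outside it. The same undocumented bail-out is added to exec_permission below.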
48106 @@ -626,6 +636,9 @@ static inline int handle_reval_path(stru
48107 struct dentry *dentry = nd->path.dentry;
48108 int status;
48109
48110 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48111 + return -ENOENT;
48112 +
48113 if (likely(!(nd->flags & LOOKUP_JUMPED)))
48114 return 0;
48115
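Review bot: The new early `return -ENOENT` for a hidden file leaves `nd->path` untouched, whereas the follow_link change later in this file calls `path_put(&nd->path)` before returning its error. If the other failure exits of handle_reval_path (outside this hunk) also drop the path, this one should match them with `path_put(&nd->path); return -ENOENT;`, otherwise a refused lookup would appear to leak a dentry and mount reference. Whether the caller releases the path on a non-zero return is not visible here and needs confirming.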
48116 @@ -671,9 +684,16 @@ static inline int exec_permission(struct
48117 if (ret == -ECHILD)
48118 return ret;
48119
48120 - if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
48121 - ns_capable(ns, CAP_DAC_READ_SEARCH))
48122 + if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
48123 goto ok;
48124 + else {
48125 +#ifdef CONFIG_GRKERNSEC
48126 + if (flags & IPERM_FLAG_RCU)
48127 + return -ECHILD;
48128 +#endif
48129 + if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
48130 + goto ok;
48131 + }
48132
48133 return ret;
48134 ok:
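Review bot: In the new `else` branch `ns_capable(ns, CAP_DAC_OVERRIDE)` is tested again right after `ns_capable_nolog(ns, CAP_DAC_OVERRIDE)` has returned false, which reads like dead code. If the second call exists only so that the denial is logged once `CAP_DAC_READ_SEARCH` has also failed, a comment should say so, e.g. `/* repeat with the logging variant so the denial is recorded */`. The `else` after `goto ok;` is redundant and can be dropped together with one level of indentation.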
48135 @@ -781,11 +801,19 @@ follow_link(struct path *link, struct na
48136 return error;
48137 }
48138
48139 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
48140 + dentry->d_inode, dentry, nd->path.mnt)) {
48141 + error = -EACCES;
48142 + *p = ERR_PTR(error); /* no ->put_link(), please */
48143 + path_put(&nd->path);
48144 + return error;
48145 + }
48146 +
48147 nd->last_type = LAST_BIND;
48148 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
48149 error = PTR_ERR(*p);
48150 if (!IS_ERR(*p)) {
48151 - char *s = nd_get_link(nd);
48152 + const char *s = nd_get_link(nd);
48153 error = 0;
48154 if (s)
48155 error = __vfs_follow_link(nd, s);
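Review bot: `dentry->d_parent->d_inode` is read for `gr_handle_follow_link()` without `d_lock` or a reference on the parent being taken in the hunk, so a concurrent rename could change `d_parent` while the check runs. If nothing outside the hunk pins the parent, fetch it with `dget_parent(dentry)` and `dput()` it after the check. follow_link starts outside the hunk, so the locking context has to be confirmed against the full function.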
48156 @@ -1697,6 +1725,9 @@ static int do_path_lookup(int dfd, const
48157 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
48158
48159 if (likely(!retval)) {
48160 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48161 + return -ENOENT;
48162 +
48163 if (unlikely(!audit_dummy_context())) {
48164 if (nd->path.dentry && nd->inode)
48165 audit_inode(name, nd->path.dentry);
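Review bot: `return -ENOENT` sits inside `if (likely(!retval))`, that is after path_lookupat() has succeeded and `nd->path` holds references, and nothing in the hunk drops them before the error is returned. Callers normally skip `path_put()` when a lookup reports failure, so a refused chroot lookup would appear to pin the dentry and mount; `path_put(&nd->path);` before the return would avoid that. The early return also bypasses the `audit_inode()` call just below, so a denied lookup is not audited here. do_path_lookup begins and ends outside the hunk.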
48166 @@ -2007,6 +2038,30 @@ int vfs_create(struct inode *dir, struct
48167 return error;
48168 }
48169
48170 +/*
48171 + * Note that while the flag value (low two bits) for sys_open means:
48172 + * 00 - read-only
48173 + * 01 - write-only
48174 + * 10 - read-write
48175 + * 11 - special
48176 + * it is changed into
48177 + * 00 - no permissions needed
48178 + * 01 - read-permission
48179 + * 10 - write-permission
48180 + * 11 - read-write
48181 + * for the internal routines (ie open_namei()/follow_link() etc)
48182 + * This is more logical, and also allows the 00 "no perm needed"
48183 + * to be used for symlinks (where the permissions are checked
48184 + * later).
48185 + *
48186 +*/
48187 +static inline int open_to_namei_flags(int flag)
48188 +{
48189 + if ((flag+1) & O_ACCMODE)
48190 + flag++;
48191 + return flag;
48192 +}
48193 +
48194 static int may_open(struct path *path, int acc_mode, int flag)
48195 {
48196 struct dentry *dentry = path->dentry;
48197 @@ -2059,7 +2114,27 @@ static int may_open(struct path *path, i
48198 /*
48199 * Ensure there are no outstanding leases on the file.
48200 */
48201 - return break_lease(inode, flag);
48202 + error = break_lease(inode, flag);
48203 +
48204 + if (error)
48205 + return error;
48206 +
48207 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48208 + error = -EPERM;
48209 + goto exit;
48210 + }
48211 +
48212 + if (gr_handle_rawio(inode)) {
48213 + error = -EPERM;
48214 + goto exit;
48215 + }
48216 +
48217 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
48218 + error = -EACCES;
48219 + goto exit;
48220 + }
48221 +exit:
48222 + return error;
48223 }
48224
48225 static int handle_truncate(struct file *filp)
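Review bot: The three grsecurity checks run only after `break_lease(inode, flag)` has succeeded, so an open that is then refused with `-EPERM` or `-EACCES` has already forced lease holders to give up their lease. Moving the policy checks ahead of `break_lease()` would keep a denied request free of side effects on other processes. The `goto exit` jumps are also unnecessary, because `exit:` is the next statement after the last check; plain `return -EPERM;` and `return -EACCES;` would read more directly. may_open starts outside the hunk.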
48226 @@ -2085,30 +2160,6 @@ static int handle_truncate(struct file *
48227 }
48228
48229 /*
48230 - * Note that while the flag value (low two bits) for sys_open means:
48231 - * 00 - read-only
48232 - * 01 - write-only
48233 - * 10 - read-write
48234 - * 11 - special
48235 - * it is changed into
48236 - * 00 - no permissions needed
48237 - * 01 - read-permission
48238 - * 10 - write-permission
48239 - * 11 - read-write
48240 - * for the internal routines (ie open_namei()/follow_link() etc)
48241 - * This is more logical, and also allows the 00 "no perm needed"
48242 - * to be used for symlinks (where the permissions are checked
48243 - * later).
48244 - *
48245 -*/
48246 -static inline int open_to_namei_flags(int flag)
48247 -{
48248 - if ((flag+1) & O_ACCMODE)
48249 - flag++;
48250 - return flag;
48251 -}
48252 -
48253 -/*
48254 * Handle the last step of open()
48255 */
48256 static struct file *do_last(struct nameidata *nd, struct path *path,
48257 @@ -2117,6 +2168,7 @@ static struct file *do_last(struct namei
48258 struct dentry *dir = nd->path.dentry;
48259 struct dentry *dentry;
48260 int open_flag = op->open_flag;
48261 + int flag = open_to_namei_flags(open_flag);
48262 int will_truncate = open_flag & O_TRUNC;
48263 int want_write = 0;
48264 int acc_mode = op->acc_mode;
48265 @@ -2212,6 +2264,12 @@ static struct file *do_last(struct namei
48266 /* Negative dentry, just create the file */
48267 if (!dentry->d_inode) {
48268 int mode = op->mode;
48269 +
48270 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
48271 + error = -EACCES;
48272 + goto exit_mutex_unlock;
48273 + }
48274 +
48275 if (!IS_POSIXACL(dir->d_inode))
48276 mode &= ~current_umask();
48277 /*
48278 @@ -2235,6 +2293,8 @@ static struct file *do_last(struct namei
48279 error = vfs_create(dir->d_inode, dentry, mode, nd);
48280 if (error)
48281 goto exit_mutex_unlock;
48282 + else
48283 + gr_handle_create(path->dentry, path->mnt);
48284 mutex_unlock(&dir->d_inode->i_mutex);
48285 dput(nd->path.dentry);
48286 nd->path.dentry = dentry;
48287 @@ -2244,6 +2304,14 @@ static struct file *do_last(struct namei
48288 /*
48289 * It already exists.
48290 */
48291 +
48292 + /* only check if O_CREAT is specified, all other checks need to go
48293 + into may_open */
48294 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
48295 + error = -EACCES;
48296 + goto exit_mutex_unlock;
48297 + }
48298 +
48299 mutex_unlock(&dir->d_inode->i_mutex);
48300 audit_inode(pathname, path->dentry);
48301
48302 @@ -2530,6 +2598,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48303 error = may_mknod(mode);
48304 if (error)
48305 goto out_dput;
48306 +
48307 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48308 + error = -EPERM;
48309 + goto out_dput;
48310 + }
48311 +
48312 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48313 + error = -EACCES;
48314 + goto out_dput;
48315 + }
48316 +
48317 error = mnt_want_write(nd.path.mnt);
48318 if (error)
48319 goto out_dput;
48320 @@ -2550,6 +2629,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48321 }
48322 out_drop_write:
48323 mnt_drop_write(nd.path.mnt);
48324 +
48325 + if (!error)
48326 + gr_handle_create(dentry, nd.path.mnt);
48327 out_dput:
48328 dput(dentry);
48329 out_unlock:
48330 @@ -2602,6 +2684,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48331 if (IS_ERR(dentry))
48332 goto out_unlock;
48333
48334 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48335 + error = -EACCES;
48336 + goto out_dput;
48337 + }
48338 +
48339 if (!IS_POSIXACL(nd.path.dentry->d_inode))
48340 mode &= ~current_umask();
48341 error = mnt_want_write(nd.path.mnt);
48342 @@ -2613,6 +2700,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48343 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48344 out_drop_write:
48345 mnt_drop_write(nd.path.mnt);
48346 +
48347 + if (!error)
48348 + gr_handle_create(dentry, nd.path.mnt);
48349 +
48350 out_dput:
48351 dput(dentry);
48352 out_unlock:
48353 @@ -2692,6 +2783,8 @@ static long do_rmdir(int dfd, const char
48354 char * name;
48355 struct dentry *dentry;
48356 struct nameidata nd;
48357 + ino_t saved_ino = 0;
48358 + dev_t saved_dev = 0;
48359
48360 error = user_path_parent(dfd, pathname, &nd, &name);
48361 if (error)
48362 @@ -2716,6 +2809,19 @@ static long do_rmdir(int dfd, const char
48363 error = PTR_ERR(dentry);
48364 if (IS_ERR(dentry))
48365 goto exit2;
48366 +
48367 + if (dentry->d_inode != NULL) {
48368 + if (dentry->d_inode->i_nlink <= 1) {
48369 + saved_ino = dentry->d_inode->i_ino;
48370 + saved_dev = gr_get_dev_from_dentry(dentry);
48371 + }
48372 +
48373 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48374 + error = -EACCES;
48375 + goto exit3;
48376 + }
48377 + }
48378 +
48379 error = mnt_want_write(nd.path.mnt);
48380 if (error)
48381 goto exit3;
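Review bot: `saved_ino` and `saved_dev` are recorded only when `dentry->d_inode->i_nlink <= 1`, a test that looks carried over from do_unlinkat. A directory usually has a link count of 2 or more (its own `.` plus the parent's entry), so on most filesystems the condition would be false and `gr_handle_delete()` would never fire after a successful rmdir. If the intent is to notify on every removed directory, capture the inode and device unconditionally inside the `d_inode != NULL` branch. do_rmdir begins and ends outside these hunks.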
48382 @@ -2723,6 +2829,8 @@ static long do_rmdir(int dfd, const char
48383 if (error)
48384 goto exit4;
48385 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48386 + if (!error && (saved_dev || saved_ino))
48387 + gr_handle_delete(saved_ino, saved_dev);
48388 exit4:
48389 mnt_drop_write(nd.path.mnt);
48390 exit3:
48391 @@ -2785,6 +2893,8 @@ static long do_unlinkat(int dfd, const c
48392 struct dentry *dentry;
48393 struct nameidata nd;
48394 struct inode *inode = NULL;
48395 + ino_t saved_ino = 0;
48396 + dev_t saved_dev = 0;
48397
48398 error = user_path_parent(dfd, pathname, &nd, &name);
48399 if (error)
48400 @@ -2804,8 +2914,17 @@ static long do_unlinkat(int dfd, const c
48401 if (nd.last.name[nd.last.len])
48402 goto slashes;
48403 inode = dentry->d_inode;
48404 - if (inode)
48405 + if (inode) {
48406 ihold(inode);
48407 + if (inode->i_nlink <= 1) {
48408 + saved_ino = inode->i_ino;
48409 + saved_dev = gr_get_dev_from_dentry(dentry);
48410 + }
48411 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48412 + error = -EACCES;
48413 + goto exit2;
48414 + }
48415 + }
48416 error = mnt_want_write(nd.path.mnt);
48417 if (error)
48418 goto exit2;
48419 @@ -2813,6 +2932,8 @@ static long do_unlinkat(int dfd, const c
48420 if (error)
48421 goto exit3;
48422 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48423 + if (!error && (saved_ino || saved_dev))
48424 + gr_handle_delete(saved_ino, saved_dev);
48425 exit3:
48426 mnt_drop_write(nd.path.mnt);
48427 exit2:
48428 @@ -2890,6 +3011,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48429 if (IS_ERR(dentry))
48430 goto out_unlock;
48431
48432 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48433 + error = -EACCES;
48434 + goto out_dput;
48435 + }
48436 +
48437 error = mnt_want_write(nd.path.mnt);
48438 if (error)
48439 goto out_dput;
48440 @@ -2897,6 +3023,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48441 if (error)
48442 goto out_drop_write;
48443 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48444 + if (!error)
48445 + gr_handle_create(dentry, nd.path.mnt);
48446 out_drop_write:
48447 mnt_drop_write(nd.path.mnt);
48448 out_dput:
48449 @@ -3005,6 +3133,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48450 error = PTR_ERR(new_dentry);
48451 if (IS_ERR(new_dentry))
48452 goto out_unlock;
48453 +
48454 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48455 + old_path.dentry->d_inode,
48456 + old_path.dentry->d_inode->i_mode, to)) {
48457 + error = -EACCES;
48458 + goto out_dput;
48459 + }
48460 +
48461 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48462 + old_path.dentry, old_path.mnt, to)) {
48463 + error = -EACCES;
48464 + goto out_dput;
48465 + }
48466 +
48467 error = mnt_want_write(nd.path.mnt);
48468 if (error)
48469 goto out_dput;
48470 @@ -3012,6 +3154,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48471 if (error)
48472 goto out_drop_write;
48473 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48474 + if (!error)
48475 + gr_handle_create(new_dentry, nd.path.mnt);
48476 out_drop_write:
48477 mnt_drop_write(nd.path.mnt);
48478 out_dput:
48479 @@ -3189,6 +3333,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48480 char *to;
48481 int error;
48482
48483 + pax_track_stack();
48484 +
48485 error = user_path_parent(olddfd, oldname, &oldnd, &from);
48486 if (error)
48487 goto exit;
48488 @@ -3245,6 +3391,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48489 if (new_dentry == trap)
48490 goto exit5;
48491
48492 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48493 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
48494 + to);
48495 + if (error)
48496 + goto exit5;
48497 +
48498 error = mnt_want_write(oldnd.path.mnt);
48499 if (error)
48500 goto exit5;
48501 @@ -3254,6 +3406,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48502 goto exit6;
48503 error = vfs_rename(old_dir->d_inode, old_dentry,
48504 new_dir->d_inode, new_dentry);
48505 + if (!error)
48506 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48507 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48508 exit6:
48509 mnt_drop_write(oldnd.path.mnt);
48510 exit5:
48511 @@ -3279,6 +3434,8 @@ SYSCALL_DEFINE2(rename, const char __use
48512
48513 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48514 {
48515 + char tmpbuf[64];
48516 + const char *newlink;
48517 int len;
48518
48519 len = PTR_ERR(link);
48520 @@ -3288,7 +3445,14 @@ int vfs_readlink(struct dentry *dentry,
48521 len = strlen(link);
48522 if (len > (unsigned) buflen)
48523 len = buflen;
48524 - if (copy_to_user(buffer, link, len))
48525 +
48526 + if (len < sizeof(tmpbuf)) {
48527 + memcpy(tmpbuf, link, len);
48528 + newlink = tmpbuf;
48529 + } else
48530 + newlink = link;
48531 +
48532 + if (copy_to_user(buffer, newlink, len))
48533 len = -EFAULT;
48534 out:
48535 return len;
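Review bot: `char tmpbuf[64]` and the `len < sizeof(tmpbuf)` branch carry no comment saying why short link targets are bounced through the stack while longer ones are still copied straight from `link`. Presumably short targets can live inside an object that the patch's user-copy checks would reject, but a reader cannot tell that from here, nor why 64 is the right cut-off. A named constant and a one-line comment would make the invariant checkable, e.g. `/* short targets may be stored inline in a non-whitelisted object; copy via the stack */`. The comparison mixes `int` with `size_t` and is safe only because `len` is non-negative at that point, as far as the visible lines show.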
48536 diff -urNp linux-2.6.39.1/fs/namespace.c linux-2.6.39.1/fs/namespace.c
48537 --- linux-2.6.39.1/fs/namespace.c 2011-05-19 00:06:34.000000000 -0400
48538 +++ linux-2.6.39.1/fs/namespace.c 2011-05-22 20:43:58.000000000 -0400
48539 @@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
48540 if (!(sb->s_flags & MS_RDONLY))
48541 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48542 up_write(&sb->s_umount);
48543 +
48544 + gr_log_remount(mnt->mnt_devname, retval);
48545 +
48546 return retval;
48547 }
48548
48549 @@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
48550 br_write_unlock(vfsmount_lock);
48551 up_write(&namespace_sem);
48552 release_mounts(&umount_list);
48553 +
48554 + gr_log_unmount(mnt->mnt_devname, retval);
48555 +
48556 return retval;
48557 }
48558
48559 @@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
48560 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
48561 MS_STRICTATIME);
48562
48563 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48564 + retval = -EPERM;
48565 + goto dput_out;
48566 + }
48567 +
48568 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48569 + retval = -EPERM;
48570 + goto dput_out;
48571 + }
48572 +
48573 if (flags & MS_REMOUNT)
48574 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48575 data_page);
48576 @@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
48577 dev_name, data_page);
48578 dput_out:
48579 path_put(&path);
48580 +
48581 + gr_log_mount(dev_name, dir_name, retval);
48582 +
48583 return retval;
48584 }
48585
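Review bot: `gr_log_mount(dev_name, dir_name, retval)` hands two caller-supplied strings to the logging hook, and the hunk does not show that either is checked first. `dev_name` can be NULL for some mount requests as far as I know, and both strings may contain control characters, so the helper (defined outside this view) has to tolerate NULL and escape what it prints; a comment at the call site or a guard such as `dev_name ? dev_name : "<none>"` would make that explicit. Because the call sits after `dput_out:`, failures that return before the path lookup are presumably not logged at all. do_mount continues outside the hunk.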
48586 @@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
48587 if (error)
48588 goto out2;
48589
48590 + if (gr_handle_chroot_pivot()) {
48591 + error = -EPERM;
48592 + goto out2;
48593 + }
48594 +
48595 get_fs_root(current->fs, &root);
48596 error = lock_mount(&old);
48597 if (error)
48598 diff -urNp linux-2.6.39.1/fs/ncpfs/dir.c linux-2.6.39.1/fs/ncpfs/dir.c
48599 --- linux-2.6.39.1/fs/ncpfs/dir.c 2011-05-19 00:06:34.000000000 -0400
48600 +++ linux-2.6.39.1/fs/ncpfs/dir.c 2011-05-22 19:36:32.000000000 -0400
48601 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
48602 int res, val = 0, len;
48603 __u8 __name[NCP_MAXPATHLEN + 1];
48604
48605 + pax_track_stack();
48606 +
48607 if (dentry == dentry->d_sb->s_root)
48608 return 1;
48609
48610 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
48611 int error, res, len;
48612 __u8 __name[NCP_MAXPATHLEN + 1];
48613
48614 + pax_track_stack();
48615 +
48616 error = -EIO;
48617 if (!ncp_conn_valid(server))
48618 goto finished;
48619 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
48620 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
48621 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
48622
48623 + pax_track_stack();
48624 +
48625 ncp_age_dentry(server, dentry);
48626 len = sizeof(__name);
48627 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
48628 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
48629 int error, len;
48630 __u8 __name[NCP_MAXPATHLEN + 1];
48631
48632 + pax_track_stack();
48633 +
48634 DPRINTK("ncp_mkdir: making %s/%s\n",
48635 dentry->d_parent->d_name.name, dentry->d_name.name);
48636
48637 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
48638 int old_len, new_len;
48639 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
48640
48641 + pax_track_stack();
48642 +
48643 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
48644 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
48645 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
48646 diff -urNp linux-2.6.39.1/fs/ncpfs/inode.c linux-2.6.39.1/fs/ncpfs/inode.c
48647 --- linux-2.6.39.1/fs/ncpfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48648 +++ linux-2.6.39.1/fs/ncpfs/inode.c 2011-05-22 19:36:32.000000000 -0400
48649 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
48650 #endif
48651 struct ncp_entry_info finfo;
48652
48653 + pax_track_stack();
48654 +
48655 data.wdog_pid = NULL;
48656 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
48657 if (!server)
48658 diff -urNp linux-2.6.39.1/fs/nfs/inode.c linux-2.6.39.1/fs/nfs/inode.c
48659 --- linux-2.6.39.1/fs/nfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48660 +++ linux-2.6.39.1/fs/nfs/inode.c 2011-05-22 19:36:32.000000000 -0400
48661 @@ -999,16 +999,16 @@ static int nfs_size_need_update(const st
48662 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
48663 }
48664
48665 -static atomic_long_t nfs_attr_generation_counter;
48666 +static atomic_long_unchecked_t nfs_attr_generation_counter;
48667
48668 static unsigned long nfs_read_attr_generation_counter(void)
48669 {
48670 - return atomic_long_read(&nfs_attr_generation_counter);
48671 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
48672 }
48673
48674 unsigned long nfs_inc_attr_generation_counter(void)
48675 {
48676 - return atomic_long_inc_return(&nfs_attr_generation_counter);
48677 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
48678 }
48679
48680 void nfs_fattr_init(struct nfs_fattr *fattr)
48681 diff -urNp linux-2.6.39.1/fs/nfs/nfs4proc.c linux-2.6.39.1/fs/nfs/nfs4proc.c
48682 --- linux-2.6.39.1/fs/nfs/nfs4proc.c 2011-06-03 00:04:14.000000000 -0400
48683 +++ linux-2.6.39.1/fs/nfs/nfs4proc.c 2011-06-03 00:32:07.000000000 -0400
48684 @@ -5845,14 +5845,14 @@ struct nfs4_state_recovery_ops nfs41_nog
48685 };
48686 #endif /* CONFIG_NFS_V4_1 */
48687
48688 -struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
48689 +const struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
48690 .sched_state_renewal = nfs4_proc_async_renew,
48691 .get_state_renewal_cred_locked = nfs4_get_renew_cred_locked,
48692 .renew_lease = nfs4_proc_renew,
48693 };
48694
48695 #if defined(CONFIG_NFS_V4_1)
48696 -struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
48697 +const struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
48698 .sched_state_renewal = nfs41_proc_async_sequence,
48699 .get_state_renewal_cred_locked = nfs4_get_machine_cred_locked,
48700 .renew_lease = nfs4_proc_sequence,
48701 diff -urNp linux-2.6.39.1/fs/nfsd/lockd.c linux-2.6.39.1/fs/nfsd/lockd.c
48702 --- linux-2.6.39.1/fs/nfsd/lockd.c 2011-05-19 00:06:34.000000000 -0400
48703 +++ linux-2.6.39.1/fs/nfsd/lockd.c 2011-05-22 19:36:32.000000000 -0400
48704 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
48705 fput(filp);
48706 }
48707
48708 -static struct nlmsvc_binding nfsd_nlm_ops = {
48709 +static const struct nlmsvc_binding nfsd_nlm_ops = {
48710 .fopen = nlm_fopen, /* open file for locking */
48711 .fclose = nlm_fclose, /* close file */
48712 };
48713 diff -urNp linux-2.6.39.1/fs/nfsd/nfs4state.c linux-2.6.39.1/fs/nfsd/nfs4state.c
48714 --- linux-2.6.39.1/fs/nfsd/nfs4state.c 2011-05-19 00:06:34.000000000 -0400
48715 +++ linux-2.6.39.1/fs/nfsd/nfs4state.c 2011-05-22 19:36:32.000000000 -0400
48716 @@ -3784,6 +3784,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
48717 unsigned int strhashval;
48718 int err;
48719
48720 + pax_track_stack();
48721 +
48722 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
48723 (long long) lock->lk_offset,
48724 (long long) lock->lk_length);
48725 diff -urNp linux-2.6.39.1/fs/nfsd/nfs4xdr.c linux-2.6.39.1/fs/nfsd/nfs4xdr.c
48726 --- linux-2.6.39.1/fs/nfsd/nfs4xdr.c 2011-05-19 00:06:34.000000000 -0400
48727 +++ linux-2.6.39.1/fs/nfsd/nfs4xdr.c 2011-05-22 19:36:32.000000000 -0400
48728 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
48729 .dentry = dentry,
48730 };
48731
48732 + pax_track_stack();
48733 +
48734 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
48735 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
48736 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
48737 diff -urNp linux-2.6.39.1/fs/nfsd/nfsctl.c linux-2.6.39.1/fs/nfsd/nfsctl.c
48738 --- linux-2.6.39.1/fs/nfsd/nfsctl.c 2011-05-19 00:06:34.000000000 -0400
48739 +++ linux-2.6.39.1/fs/nfsd/nfsctl.c 2011-05-22 19:36:32.000000000 -0400
48740 @@ -182,7 +182,7 @@ static int export_features_open(struct i
48741 return single_open(file, export_features_show, NULL);
48742 }
48743
48744 -static struct file_operations export_features_operations = {
48745 +static const struct file_operations export_features_operations = {
48746 .open = export_features_open,
48747 .read = seq_read,
48748 .llseek = seq_lseek,
48749 diff -urNp linux-2.6.39.1/fs/nfsd/vfs.c linux-2.6.39.1/fs/nfsd/vfs.c
48750 --- linux-2.6.39.1/fs/nfsd/vfs.c 2011-05-19 00:06:34.000000000 -0400
48751 +++ linux-2.6.39.1/fs/nfsd/vfs.c 2011-05-22 19:36:32.000000000 -0400
48752 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
48753 } else {
48754 oldfs = get_fs();
48755 set_fs(KERNEL_DS);
48756 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
48757 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
48758 set_fs(oldfs);
48759 }
48760
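Review bot: The `__force` cast only silences the address-space checker; what makes passing the kernel-resident `vec` as a `__user` pointer valid is the surrounding `set_fs(KERNEL_DS)` / `set_fs(oldfs)` pair, and that link is not stated anywhere. A short comment on the call, e.g. `/* vec is a kernel iovec; valid only inside the KERNEL_DS window */`, would keep a later edit from moving the call outside that window. The same applies to the `vfs_writev()` cast in nfsd_vfs_write and the `readlink()` cast in nfsd_readlink below.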
48761 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
48762
48763 /* Write the data. */
48764 oldfs = get_fs(); set_fs(KERNEL_DS);
48765 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
48766 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
48767 set_fs(oldfs);
48768 if (host_err < 0)
48769 goto out_nfserr;
48770 @@ -1525,7 +1525,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
48771 */
48772
48773 oldfs = get_fs(); set_fs(KERNEL_DS);
48774 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
48775 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
48776 set_fs(oldfs);
48777
48778 if (host_err < 0)
48779 diff -urNp linux-2.6.39.1/fs/nilfs2/segment.c linux-2.6.39.1/fs/nilfs2/segment.c
48780 --- linux-2.6.39.1/fs/nilfs2/segment.c 2011-05-19 00:06:34.000000000 -0400
48781 +++ linux-2.6.39.1/fs/nilfs2/segment.c 2011-05-22 19:36:32.000000000 -0400
48782 @@ -555,7 +555,7 @@ static void nilfs_write_file_node_binfo(
48783 *vblocknr = binfo->bi_v.bi_vblocknr;
48784 }
48785
48786 -static struct nilfs_sc_operations nilfs_sc_file_ops = {
48787 +static const struct nilfs_sc_operations nilfs_sc_file_ops = {
48788 .collect_data = nilfs_collect_file_data,
48789 .collect_node = nilfs_collect_file_node,
48790 .collect_bmap = nilfs_collect_file_bmap,
48791 @@ -604,7 +604,7 @@ static void nilfs_write_dat_node_binfo(s
48792 *binfo_dat = binfo->bi_dat;
48793 }
48794
48795 -static struct nilfs_sc_operations nilfs_sc_dat_ops = {
48796 +static const struct nilfs_sc_operations nilfs_sc_dat_ops = {
48797 .collect_data = nilfs_collect_dat_data,
48798 .collect_node = nilfs_collect_file_node,
48799 .collect_bmap = nilfs_collect_dat_bmap,
48800 @@ -612,7 +612,7 @@ static struct nilfs_sc_operations nilfs_
48801 .write_node_binfo = nilfs_write_dat_node_binfo,
48802 };
48803
48804 -static struct nilfs_sc_operations nilfs_sc_dsync_ops = {
48805 +static const struct nilfs_sc_operations nilfs_sc_dsync_ops = {
48806 .collect_data = nilfs_collect_file_data,
48807 .collect_node = NULL,
48808 .collect_bmap = NULL,
48809 @@ -971,7 +971,7 @@ static size_t nilfs_segctor_buffer_rest(
48810
48811 static int nilfs_segctor_scan_file(struct nilfs_sc_info *sci,
48812 struct inode *inode,
48813 - struct nilfs_sc_operations *sc_ops)
48814 + const struct nilfs_sc_operations *sc_ops)
48815 {
48816 LIST_HEAD(data_buffers);
48817 LIST_HEAD(node_buffers);
48818 @@ -1475,7 +1475,7 @@ nilfs_segctor_update_payload_blocknr(str
48819 sector_t blocknr;
48820 unsigned long nfinfo = segbuf->sb_sum.nfinfo;
48821 unsigned long nblocks = 0, ndatablk = 0;
48822 - struct nilfs_sc_operations *sc_op = NULL;
48823 + const struct nilfs_sc_operations *sc_op = NULL;
48824 struct nilfs_segsum_pointer ssp;
48825 struct nilfs_finfo *finfo = NULL;
48826 union nilfs_binfo binfo;
48827 diff -urNp linux-2.6.39.1/fs/notify/dnotify/dnotify.c linux-2.6.39.1/fs/notify/dnotify/dnotify.c
48828 --- linux-2.6.39.1/fs/notify/dnotify/dnotify.c 2011-05-19 00:06:34.000000000 -0400
48829 +++ linux-2.6.39.1/fs/notify/dnotify/dnotify.c 2011-05-22 19:36:32.000000000 -0400
48830 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
48831 kmem_cache_free(dnotify_mark_cache, dn_mark);
48832 }
48833
48834 -static struct fsnotify_ops dnotify_fsnotify_ops = {
48835 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
48836 .handle_event = dnotify_handle_event,
48837 .should_send_event = dnotify_should_send_event,
48838 .free_group_priv = NULL,
48839 diff -urNp linux-2.6.39.1/fs/notify/notification.c linux-2.6.39.1/fs/notify/notification.c
48840 --- linux-2.6.39.1/fs/notify/notification.c 2011-05-19 00:06:34.000000000 -0400
48841 +++ linux-2.6.39.1/fs/notify/notification.c 2011-05-22 19:36:32.000000000 -0400
48842 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
48843 * get set to 0 so it will never get 'freed'
48844 */
48845 static struct fsnotify_event *q_overflow_event;
48846 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
48847 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
48848
48849 /**
48850 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
48851 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
48852 */
48853 u32 fsnotify_get_cookie(void)
48854 {
48855 - return atomic_inc_return(&fsnotify_sync_cookie);
48856 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
48857 }
48858 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
48859
48860 diff -urNp linux-2.6.39.1/fs/ntfs/dir.c linux-2.6.39.1/fs/ntfs/dir.c
48861 --- linux-2.6.39.1/fs/ntfs/dir.c 2011-05-19 00:06:34.000000000 -0400
48862 +++ linux-2.6.39.1/fs/ntfs/dir.c 2011-05-22 19:36:32.000000000 -0400
48863 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
48864 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
48865 ~(s64)(ndir->itype.index.block_size - 1)));
48866 /* Bounds checks. */
48867 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
48868 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
48869 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
48870 "inode 0x%lx or driver bug.", vdir->i_ino);
48871 goto err_out;
48872 diff -urNp linux-2.6.39.1/fs/ntfs/file.c linux-2.6.39.1/fs/ntfs/file.c
48873 --- linux-2.6.39.1/fs/ntfs/file.c 2011-05-19 00:06:34.000000000 -0400
48874 +++ linux-2.6.39.1/fs/ntfs/file.c 2011-05-22 19:36:32.000000000 -0400
48875 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
48876 #endif /* NTFS_RW */
48877 };
48878
48879 -const struct file_operations ntfs_empty_file_ops = {};
48880 +const struct file_operations ntfs_empty_file_ops __read_only;
48881
48882 -const struct inode_operations ntfs_empty_inode_ops = {};
48883 +const struct inode_operations ntfs_empty_inode_ops __read_only;
48884 diff -urNp linux-2.6.39.1/fs/ocfs2/cluster/heartbeat.c linux-2.6.39.1/fs/ocfs2/cluster/heartbeat.c
48885 --- linux-2.6.39.1/fs/ocfs2/cluster/heartbeat.c 2011-05-19 00:06:34.000000000 -0400
48886 +++ linux-2.6.39.1/fs/ocfs2/cluster/heartbeat.c 2011-05-22 19:36:32.000000000 -0400
48887 @@ -2261,7 +2261,7 @@ static struct configfs_item_operations o
48888 .store_attribute = o2hb_heartbeat_group_store,
48889 };
48890
48891 -static struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
48892 +static const struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
48893 .make_item = o2hb_heartbeat_group_make_item,
48894 .drop_item = o2hb_heartbeat_group_drop_item,
48895 };
48896 diff -urNp linux-2.6.39.1/fs/ocfs2/cluster/nodemanager.c linux-2.6.39.1/fs/ocfs2/cluster/nodemanager.c
48897 --- linux-2.6.39.1/fs/ocfs2/cluster/nodemanager.c 2011-05-19 00:06:34.000000000 -0400
48898 +++ linux-2.6.39.1/fs/ocfs2/cluster/nodemanager.c 2011-05-22 19:36:32.000000000 -0400
48899 @@ -752,7 +752,7 @@ static void o2nm_node_group_drop_item(st
48900 config_item_put(item);
48901 }
48902
48903 -static struct configfs_group_operations o2nm_node_group_group_ops = {
48904 +static const struct configfs_group_operations o2nm_node_group_group_ops = {
48905 .make_item = o2nm_node_group_make_item,
48906 .drop_item = o2nm_node_group_drop_item,
48907 };
48908 @@ -869,7 +869,7 @@ static void o2nm_cluster_group_drop_item
48909 config_item_put(item);
48910 }
48911
48912 -static struct configfs_group_operations o2nm_cluster_group_group_ops = {
48913 +static const struct configfs_group_operations o2nm_cluster_group_group_ops = {
48914 .make_group = o2nm_cluster_group_make_group,
48915 .drop_item = o2nm_cluster_group_drop_item,
48916 };
48917 diff -urNp linux-2.6.39.1/fs/ocfs2/localalloc.c linux-2.6.39.1/fs/ocfs2/localalloc.c
48918 --- linux-2.6.39.1/fs/ocfs2/localalloc.c 2011-05-19 00:06:34.000000000 -0400
48919 +++ linux-2.6.39.1/fs/ocfs2/localalloc.c 2011-05-22 19:36:32.000000000 -0400
48920 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
48921 goto bail;
48922 }
48923
48924 - atomic_inc(&osb->alloc_stats.moves);
48925 + atomic_inc_unchecked(&osb->alloc_stats.moves);
48926
48927 bail:
48928 if (handle)
48929 diff -urNp linux-2.6.39.1/fs/ocfs2/namei.c linux-2.6.39.1/fs/ocfs2/namei.c
48930 --- linux-2.6.39.1/fs/ocfs2/namei.c 2011-05-19 00:06:34.000000000 -0400
48931 +++ linux-2.6.39.1/fs/ocfs2/namei.c 2011-05-22 19:36:32.000000000 -0400
48932 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
48933 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
48934 struct ocfs2_dir_lookup_result target_insert = { NULL, };
48935
48936 + pax_track_stack();
48937 +
48938 /* At some point it might be nice to break this function up a
48939 * bit. */
48940
48941 diff -urNp linux-2.6.39.1/fs/ocfs2/ocfs2.h linux-2.6.39.1/fs/ocfs2/ocfs2.h
48942 --- linux-2.6.39.1/fs/ocfs2/ocfs2.h 2011-05-19 00:06:34.000000000 -0400
48943 +++ linux-2.6.39.1/fs/ocfs2/ocfs2.h 2011-05-22 19:36:32.000000000 -0400
48944 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
48945
48946 struct ocfs2_alloc_stats
48947 {
48948 - atomic_t moves;
48949 - atomic_t local_data;
48950 - atomic_t bitmap_data;
48951 - atomic_t bg_allocs;
48952 - atomic_t bg_extends;
48953 + atomic_unchecked_t moves;
48954 + atomic_unchecked_t local_data;
48955 + atomic_unchecked_t bitmap_data;
48956 + atomic_unchecked_t bg_allocs;
48957 + atomic_unchecked_t bg_extends;
48958 };
48959
48960 enum ocfs2_local_alloc_state
48961 diff -urNp linux-2.6.39.1/fs/ocfs2/stackglue.h linux-2.6.39.1/fs/ocfs2/stackglue.h
48962 --- linux-2.6.39.1/fs/ocfs2/stackglue.h 2011-05-19 00:06:34.000000000 -0400
48963 +++ linux-2.6.39.1/fs/ocfs2/stackglue.h 2011-05-22 19:36:32.000000000 -0400
48964 @@ -221,13 +221,13 @@ struct ocfs2_stack_operations {
48965 };
48966
48967 /*
48968 - * Each stack plugin must describe itself by registering a
48969 + * Each stack plugin must describe itself by registerin const g a
48970 * ocfs2_stack_plugin structure. This is only seen by stackglue and the
48971 * stack driver.
48972 */
48973 struct ocfs2_stack_plugin {
48974 char *sp_name;
48975 - struct ocfs2_stack_operations *sp_ops;
48976 + const struct ocfs2_stack_operations *sp_ops;
48977 struct module *sp_owner;
48978
48979 /* These are managed by the stackglue code. */
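Review bot: The comment line added at the top of this hunk reads `registerin const g a`, so the constification pass appears to have edited the word "registering" inside the comment rather than only the `sp_ops` declaration below it. The comment should stay as `* Each stack plugin must describe itself by registering a`; the `const struct ocfs2_stack_operations *sp_ops;` change is unaffected. struct ocfs2_stack_plugin continues past the end of the hunk.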
48980 diff -urNp linux-2.6.39.1/fs/ocfs2/stack_o2cb.c linux-2.6.39.1/fs/ocfs2/stack_o2cb.c
48981 --- linux-2.6.39.1/fs/ocfs2/stack_o2cb.c 2011-05-19 00:06:34.000000000 -0400
48982 +++ linux-2.6.39.1/fs/ocfs2/stack_o2cb.c 2011-06-07 18:07:24.000000000 -0400
48983 @@ -358,7 +358,7 @@ static int o2cb_cluster_this_node(unsign
48984 return 0;
48985 }
48986
48987 -static struct ocfs2_stack_operations o2cb_stack_ops = {
48988 +static const struct ocfs2_stack_operations o2cb_stack_ops = {
48989 .connect = o2cb_cluster_connect,
48990 .disconnect = o2cb_cluster_disconnect,
48991 .this_node = o2cb_cluster_this_node,
48992 diff -urNp linux-2.6.39.1/fs/ocfs2/stack_user.c linux-2.6.39.1/fs/ocfs2/stack_user.c
48993 --- linux-2.6.39.1/fs/ocfs2/stack_user.c 2011-05-19 00:06:34.000000000 -0400
48994 +++ linux-2.6.39.1/fs/ocfs2/stack_user.c 2011-05-22 19:36:32.000000000 -0400
48995 @@ -399,7 +399,7 @@ static int ocfs2_control_do_setversion_m
48996 long major, minor;
48997 char *ptr = NULL;
48998 struct ocfs2_control_private *p = file->private_data;
48999 - struct ocfs2_protocol_version *max =
49000 + const struct ocfs2_protocol_version *max =
49001 &ocfs2_user_plugin.sp_max_proto;
49002
49003 if (ocfs2_control_get_handshake_state(file) !=
49004 @@ -861,7 +861,7 @@ static int user_cluster_this_node(unsign
49005 return 0;
49006 }
49007
49008 -static struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49009 +static const struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49010 .connect = user_cluster_connect,
49011 .disconnect = user_cluster_disconnect,
49012 .this_node = user_cluster_this_node,
49013 diff -urNp linux-2.6.39.1/fs/ocfs2/suballoc.c linux-2.6.39.1/fs/ocfs2/suballoc.c
49014 --- linux-2.6.39.1/fs/ocfs2/suballoc.c 2011-05-19 00:06:34.000000000 -0400
49015 +++ linux-2.6.39.1/fs/ocfs2/suballoc.c 2011-05-22 19:36:32.000000000 -0400
49016 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
49017 mlog_errno(status);
49018 goto bail;
49019 }
49020 - atomic_inc(&osb->alloc_stats.bg_extends);
49021 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49022
49023 /* You should never ask for this much metadata */
49024 BUG_ON(bits_wanted >
49025 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
49026 mlog_errno(status);
49027 goto bail;
49028 }
49029 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49030 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49031
49032 *suballoc_loc = res.sr_bg_blkno;
49033 *suballoc_bit_start = res.sr_bit_offset;
49034 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
49035 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
49036 res->sr_bits);
49037
49038 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49039 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49040
49041 BUG_ON(res->sr_bits != 1);
49042
49043 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
49044 mlog_errno(status);
49045 goto bail;
49046 }
49047 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49048 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49049
49050 BUG_ON(res.sr_bits != 1);
49051
49052 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
49053 cluster_start,
49054 num_clusters);
49055 if (!status)
49056 - atomic_inc(&osb->alloc_stats.local_data);
49057 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49058 } else {
49059 if (min_clusters > (osb->bitmap_cpg - 1)) {
49060 /* The only paths asking for contiguousness
49061 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
49062 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49063 res.sr_bg_blkno,
49064 res.sr_bit_offset);
49065 - atomic_inc(&osb->alloc_stats.bitmap_data);
49066 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49067 *num_clusters = res.sr_bits;
49068 }
49069 }
49070 diff -urNp linux-2.6.39.1/fs/ocfs2/super.c linux-2.6.39.1/fs/ocfs2/super.c
49071 --- linux-2.6.39.1/fs/ocfs2/super.c 2011-05-19 00:06:34.000000000 -0400
49072 +++ linux-2.6.39.1/fs/ocfs2/super.c 2011-05-22 19:36:32.000000000 -0400
49073 @@ -299,11 +299,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49074 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49075 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49076 "Stats",
49077 - atomic_read(&osb->alloc_stats.bitmap_data),
49078 - atomic_read(&osb->alloc_stats.local_data),
49079 - atomic_read(&osb->alloc_stats.bg_allocs),
49080 - atomic_read(&osb->alloc_stats.moves),
49081 - atomic_read(&osb->alloc_stats.bg_extends));
49082 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49083 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49084 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49085 + atomic_read_unchecked(&osb->alloc_stats.moves),
49086 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49087
49088 out += snprintf(buf + out, len - out,
49089 "%10s => State: %u Descriptor: %llu Size: %u bits "
49090 @@ -2111,11 +2111,11 @@ static int ocfs2_initialize_super(struct
49091 spin_lock_init(&osb->osb_xattr_lock);
49092 ocfs2_init_steal_slots(osb);
49093
49094 - atomic_set(&osb->alloc_stats.moves, 0);
49095 - atomic_set(&osb->alloc_stats.local_data, 0);
49096 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49097 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49098 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49099 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49100 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49101 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49102 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49103 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49104
49105 /* Copy the blockcheck stats from the superblock probe */
49106 osb->osb_ecc_stats = *stats;
49107 diff -urNp linux-2.6.39.1/fs/ocfs2/symlink.c linux-2.6.39.1/fs/ocfs2/symlink.c
49108 --- linux-2.6.39.1/fs/ocfs2/symlink.c 2011-05-19 00:06:34.000000000 -0400
49109 +++ linux-2.6.39.1/fs/ocfs2/symlink.c 2011-05-22 19:36:32.000000000 -0400
49110 @@ -142,7 +142,7 @@ bail:
49111
49112 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49113 {
49114 - char *link = nd_get_link(nd);
49115 + const char *link = nd_get_link(nd);
49116 if (!IS_ERR(link))
49117 kfree(link);
49118 }
49119 diff -urNp linux-2.6.39.1/fs/open.c linux-2.6.39.1/fs/open.c
49120 --- linux-2.6.39.1/fs/open.c 2011-05-19 00:06:34.000000000 -0400
49121 +++ linux-2.6.39.1/fs/open.c 2011-05-22 20:46:51.000000000 -0400
49122 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
49123 error = locks_verify_truncate(inode, NULL, length);
49124 if (!error)
49125 error = security_path_truncate(&path);
49126 +
49127 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49128 + error = -EACCES;
49129 +
49130 if (!error)
49131 error = do_truncate(path.dentry, length, 0, NULL);
49132
49133 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49134 if (__mnt_is_readonly(path.mnt))
49135 res = -EROFS;
49136
49137 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49138 + res = -EACCES;
49139 +
49140 out_path_release:
49141 path_put(&path);
49142 out:
49143 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49144 if (error)
49145 goto dput_and_out;
49146
49147 + gr_log_chdir(path.dentry, path.mnt);
49148 +
49149 set_fs_pwd(current->fs, &path);
49150
49151 dput_and_out:
49152 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49153 goto out_putf;
49154
49155 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
49156 +
49157 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49158 + error = -EPERM;
49159 +
49160 + if (!error)
49161 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49162 +
49163 if (!error)
49164 set_fs_pwd(current->fs, &file->f_path);
49165 out_putf:
49166 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
49167 if (error)
49168 goto dput_and_out;
49169
49170 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49171 + goto dput_and_out;
49172 +
49173 + if (gr_handle_chroot_caps(&path)) {
49174 + error = -ENOMEM;
49175 + goto dput_and_out;
49176 + }
49177 +
49178 set_fs_root(current->fs, &path);
49179 +
49180 + gr_handle_chroot_chdir(&path);
49181 +
49182 error = 0;
49183 dput_and_out:
49184 path_put(&path);
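Review bot: When `gr_handle_chroot_chroot()` refuses the request, the added `goto dput_and_out;` is taken with `error` still 0, because the preceding `if (error) goto dput_and_out;` has just established that it is zero. The root is left unchanged, but if the code after the label returns `error` (it lies outside the hunk), the caller is told that chroot() succeeded. Set the code before jumping, e.g. `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`. The `gr_handle_chroot_caps()` branch just below already sets an explicit error before its goto. The syscall body starts and ends outside the hunk.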
49185 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49186 err = mnt_want_write_file(file);
49187 if (err)
49188 goto out_putf;
49189 +
49190 mutex_lock(&inode->i_mutex);
49191 +
49192 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
49193 + err = -EACCES;
49194 + goto out_unlock;
49195 + }
49196 +
49197 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
49198 if (err)
49199 goto out_unlock;
49200 if (mode == (mode_t) -1)
49201 mode = inode->i_mode;
49202 +
49203 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
49204 + err = -EACCES;
49205 + goto out_unlock;
49206 + }
49207 +
49208 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49209 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49210 err = notify_change(dentry, &newattrs);
49211 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49212 error = mnt_want_write(path.mnt);
49213 if (error)
49214 goto dput_and_out;
49215 +
49216 mutex_lock(&inode->i_mutex);
49217 +
49218 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49219 + error = -EACCES;
49220 + goto out_unlock;
49221 + }
49222 +
49223 error = security_path_chmod(path.dentry, path.mnt, mode);
49224 if (error)
49225 goto out_unlock;
49226 if (mode == (mode_t) -1)
49227 mode = inode->i_mode;
49228 +
49229 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49230 + error = -EACCES;
49231 + goto out_unlock;
49232 + }
49233 +
49234 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49235 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49236 error = notify_change(path.dentry, &newattrs);
49237 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
49238 int error;
49239 struct iattr newattrs;
49240
49241 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
49242 + return -EACCES;
49243 +
49244 newattrs.ia_valid = ATTR_CTIME;
49245 if (user != (uid_t) -1) {
49246 newattrs.ia_valid |= ATTR_UID;
49247 @@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
49248 if (!IS_ERR(tmp)) {
49249 fd = get_unused_fd_flags(flags);
49250 if (fd >= 0) {
49251 - struct file *f = do_filp_open(dfd, tmp, &op, lookup);
49252 + struct file *f;
49253 + /* don't allow to be set by userland */
49254 + flags &= ~FMODE_GREXEC;
49255 + f = do_filp_open(dfd, tmp, &op, lookup);
49256 if (IS_ERR(f)) {
49257 put_unused_fd(fd);
49258 fd = PTR_ERR(f);
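Review bot: The added `flags &= ~FMODE_GREXEC;` cannot affect the open that follows, because `do_filp_open(dfd, tmp, &op, lookup)` does not take `flags` and `get_unused_fd_flags(flags)` has already consumed it two lines earlier. If `op` is built from `flags` earlier in do_sys_open, which starts outside this hunk, the userland-supplied bit is already in `op` by the time it is masked here. The mask belongs before the first use of `flags` in the function; where it stands it looks like a dead store, and the comment `/* don't allow to be set by userland */` promises more than the line delivers.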
49259 diff -urNp linux-2.6.39.1/fs/partitions/ldm.c linux-2.6.39.1/fs/partitions/ldm.c
49260 --- linux-2.6.39.1/fs/partitions/ldm.c 2011-06-03 00:04:14.000000000 -0400
49261 +++ linux-2.6.39.1/fs/partitions/ldm.c 2011-06-03 00:32:07.000000000 -0400
49262 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49263 ldm_error ("A VBLK claims to have %d parts.", num);
49264 return false;
49265 }
49266 +
49267 if (rec >= num) {
49268 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49269 return false;
49270 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49271 goto found;
49272 }
49273
49274 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49275 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49276 if (!f) {
49277 ldm_crit ("Out of memory.");
49278 return false;
49279 diff -urNp linux-2.6.39.1/fs/pipe.c linux-2.6.39.1/fs/pipe.c
49280 --- linux-2.6.39.1/fs/pipe.c 2011-05-19 00:06:34.000000000 -0400
49281 +++ linux-2.6.39.1/fs/pipe.c 2011-05-22 19:41:37.000000000 -0400
49282 @@ -420,9 +420,9 @@ redo:
49283 }
49284 if (bufs) /* More to do? */
49285 continue;
49286 - if (!pipe->writers)
49287 + if (!atomic_read(&pipe->writers))
49288 break;
49289 - if (!pipe->waiting_writers) {
49290 + if (!atomic_read(&pipe->waiting_writers)) {
49291 /* syscall merging: Usually we must not sleep
49292 * if O_NONBLOCK is set, or if we got some data.
49293 * But if a writer sleeps in kernel space, then
49294 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
49295 mutex_lock(&inode->i_mutex);
49296 pipe = inode->i_pipe;
49297
49298 - if (!pipe->readers) {
49299 + if (!atomic_read(&pipe->readers)) {
49300 send_sig(SIGPIPE, current, 0);
49301 ret = -EPIPE;
49302 goto out;
49303 @@ -530,7 +530,7 @@ redo1:
49304 for (;;) {
49305 int bufs;
49306
49307 - if (!pipe->readers) {
49308 + if (!atomic_read(&pipe->readers)) {
49309 send_sig(SIGPIPE, current, 0);
49310 if (!ret)
49311 ret = -EPIPE;
49312 @@ -616,9 +616,9 @@ redo2:
49313 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
49314 do_wakeup = 0;
49315 }
49316 - pipe->waiting_writers++;
49317 + atomic_inc(&pipe->waiting_writers);
49318 pipe_wait(pipe);
49319 - pipe->waiting_writers--;
49320 + atomic_dec(&pipe->waiting_writers);
49321 }
49322 out:
49323 mutex_unlock(&inode->i_mutex);
49324 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
49325 mask = 0;
49326 if (filp->f_mode & FMODE_READ) {
49327 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49328 - if (!pipe->writers && filp->f_version != pipe->w_counter)
49329 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49330 mask |= POLLHUP;
49331 }
49332
49333 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
49334 * Most Unices do not set POLLERR for FIFOs but on Linux they
49335 * behave exactly like pipes for poll().
49336 */
49337 - if (!pipe->readers)
49338 + if (!atomic_read(&pipe->readers))
49339 mask |= POLLERR;
49340 }
49341
49342 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
49343
49344 mutex_lock(&inode->i_mutex);
49345 pipe = inode->i_pipe;
49346 - pipe->readers -= decr;
49347 - pipe->writers -= decw;
49348 + atomic_sub(decr, &pipe->readers);
49349 + atomic_sub(decw, &pipe->writers);
49350
49351 - if (!pipe->readers && !pipe->writers) {
49352 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49353 free_pipe_info(inode);
49354 } else {
49355 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
49356 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
49357
49358 if (inode->i_pipe) {
49359 ret = 0;
49360 - inode->i_pipe->readers++;
49361 + atomic_inc(&inode->i_pipe->readers);
49362 }
49363
49364 mutex_unlock(&inode->i_mutex);
49365 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
49366
49367 if (inode->i_pipe) {
49368 ret = 0;
49369 - inode->i_pipe->writers++;
49370 + atomic_inc(&inode->i_pipe->writers);
49371 }
49372
49373 mutex_unlock(&inode->i_mutex);
49374 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
49375 if (inode->i_pipe) {
49376 ret = 0;
49377 if (filp->f_mode & FMODE_READ)
49378 - inode->i_pipe->readers++;
49379 + atomic_inc(&inode->i_pipe->readers);
49380 if (filp->f_mode & FMODE_WRITE)
49381 - inode->i_pipe->writers++;
49382 + atomic_inc(&inode->i_pipe->writers);
49383 }
49384
49385 mutex_unlock(&inode->i_mutex);
49386 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
49387 inode->i_pipe = NULL;
49388 }
49389
49390 -static struct vfsmount *pipe_mnt __read_mostly;
49391 +struct vfsmount *pipe_mnt __read_mostly;
49392
49393 /*
49394 * pipefs_dname() is called from d_path().
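Review bot: Dropping `static` gives `pipe_mnt` external linkage, but nothing in this hunk says which file outside fs/pipe.c needs it or where its `extern` declaration lives. A one-line comment above the definition, e.g. `/* not static: referenced outside fs/pipe.c; declared in <header placeholder> */`, would stop a later cleanup from re-adding `static` and would make the new consumer easy to find.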
49395 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
49396 goto fail_iput;
49397 inode->i_pipe = pipe;
49398
49399 - pipe->readers = pipe->writers = 1;
49400 + atomic_set(&pipe->readers, 1);
49401 + atomic_set(&pipe->writers, 1);
49402 inode->i_fop = &rdwr_pipefifo_fops;
49403
49404 /*
49405 diff -urNp linux-2.6.39.1/fs/proc/array.c linux-2.6.39.1/fs/proc/array.c
49406 --- linux-2.6.39.1/fs/proc/array.c 2011-05-19 00:06:34.000000000 -0400
49407 +++ linux-2.6.39.1/fs/proc/array.c 2011-05-22 19:41:37.000000000 -0400
49408 @@ -60,6 +60,7 @@
49409 #include <linux/tty.h>
49410 #include <linux/string.h>
49411 #include <linux/mman.h>
49412 +#include <linux/grsecurity.h>
49413 #include <linux/proc_fs.h>
49414 #include <linux/ioport.h>
49415 #include <linux/uaccess.h>
49416 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
49417 seq_putc(m, '\n');
49418 }
49419
49420 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49421 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
49422 +{
49423 + if (p->mm)
49424 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49425 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49426 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49427 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49428 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49429 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49430 + else
49431 + seq_printf(m, "PaX:\t-----\n");
49432 +}
49433 +#endif
49434 +
49435 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49436 struct pid *pid, struct task_struct *task)
49437 {
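Review bot: `task_pax()` tests `p->mm` and then dereferences it five more times with no reference held, and its caller in the next hunk passes `task` straight in. If the task can drop its mm concurrently (the hunk shows neither `task_lock()` nor `get_task_mm()`), the flags are read through a pointer that may already be NULL or freed. Taking a reference for the duration of the read avoids that; a sketch follows.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```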
49438 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
49439 task_cpus_allowed(m, task);
49440 cpuset_task_status_allowed(m, task);
49441 task_context_switch_counts(m, task);
49442 +
49443 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49444 + task_pax(m, task);
49445 +#endif
49446 +
49447 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49448 + task_grsec_rbac(m, task);
49449 +#endif
49450 +
49451 return 0;
49452 }
49453
49454 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49455 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49456 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49457 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49458 +#endif
49459 +
49460 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49461 struct pid *pid, struct task_struct *task, int whole)
49462 {
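Review bot: `PAX_RAND_FLAGS` uses its `_mm` argument four times without parentheses, and the identical definition is added again to fs/proc/base.c later in this patch. The uses visible here all pass the plain variable `mm`, so nothing breaks today, but the two copies can drift apart. Define it once in a shared header with the argument parenthesised, e.g. `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. do_task_stat begins at the end of this hunk and continues outside it.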
49463 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
49464 cputime_t cutime, cstime, utime, stime;
49465 cputime_t cgtime, gtime;
49466 unsigned long rsslim = 0;
49467 - char tcomm[sizeof(task->comm)];
49468 + char tcomm[sizeof(task->comm)] = { 0 };
49469 unsigned long flags;
49470
49471 + pax_track_stack();
49472 +
49473 state = *get_task_state(task);
49474 vsize = eip = esp = 0;
49475 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49476 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
49477 gtime = task->gtime;
49478 }
49479
49480 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49481 + if (PAX_RAND_FLAGS(mm)) {
49482 + eip = 0;
49483 + esp = 0;
49484 + wchan = 0;
49485 + }
49486 +#endif
49487 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49488 + wchan = 0;
49489 + eip =0;
49490 + esp =0;
49491 +#endif
49492 +
49493 /* scale priority and nice values from timeslices to -20..20 */
49494 /* to make it look like a "normal" Unix priority/nice value */
49495 priority = task_prio(task);
49496 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
49497 vsize,
49498 mm ? get_mm_rss(mm) : 0,
49499 rsslim,
49500 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49501 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49502 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49503 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49504 +#else
49505 mm ? (permitted ? mm->start_code : 1) : 0,
49506 mm ? (permitted ? mm->end_code : 1) : 0,
49507 (permitted && mm) ? mm->start_stack : 0,
49508 +#endif
49509 esp,
49510 eip,
49511 /* The signal information here is obsolete.
49512 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
49513
49514 return 0;
49515 }
49516 +
49517 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49518 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49519 +{
49520 + u32 curr_ip = 0;
49521 + unsigned long flags;
49522 +
49523 + if (lock_task_sighand(task, &flags)) {
49524 + curr_ip = task->signal->curr_ip;
49525 + unlock_task_sighand(task, &flags);
49526 + }
49527 +
49528 + return sprintf(buffer, "%pI4\n", &curr_ip);
49529 +}
49530 +#endif
49531 diff -urNp linux-2.6.39.1/fs/proc/base.c linux-2.6.39.1/fs/proc/base.c
49532 --- linux-2.6.39.1/fs/proc/base.c 2011-05-19 00:06:34.000000000 -0400
49533 +++ linux-2.6.39.1/fs/proc/base.c 2011-06-04 21:20:04.000000000 -0400
49534 @@ -104,6 +104,22 @@ struct pid_entry {
49535 union proc_op op;
49536 };
49537
49538 +struct getdents_callback {
49539 + struct linux_dirent __user * current_dir;
49540 + struct linux_dirent __user * previous;
49541 + struct file * file;
49542 + int count;
49543 + int error;
49544 +};
49545 +
49546 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49547 + loff_t offset, u64 ino, unsigned int d_type)
49548 +{
49549 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
49550 + buf->error = -EINVAL;
49551 + return 0;
49552 +}
49553 +
49554 #define NOD(NAME, MODE, IOP, FOP, OP) { \
49555 .name = (NAME), \
49556 .len = sizeof(NAME) - 1, \
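Review bot: `gr_fake_filldir()` casts the opaque `__buf` to the `struct getdents_callback` declared just above, which looks like a file-local copy of a layout owned elsewhere. If a readdir path ever hands this callback a differently shaped buffer, or the original definition changes, `buf->error = -EINVAL` writes at the wrong offset. Neither the struct nor the function says which definition it mirrors or which callers may install it. Add a comment such as `/* must match struct getdents_callback in <file placeholder>; only valid when the caller's buffer has that layout */`, or move the struct to a shared header.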
49557 @@ -206,6 +222,9 @@ static struct mm_struct *__check_mem_per
49558 if (task == current)
49559 return mm;
49560
49561 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49562 + return ERR_PTR(-EPERM);
49563 +
49564 /*
49565 * If current is actively ptrace'ing, and would also be
49566 * permitted to freshly attach with ptrace now, permit it.
49567 @@ -279,6 +298,9 @@ static int proc_pid_cmdline(struct task_
49568 if (!mm->arg_end)
49569 goto out_mm; /* Shh! No looking before we're done */
49570
49571 + if (gr_acl_handle_procpidmem(task))
49572 + goto out_mm;
49573 +
49574 len = mm->arg_end - mm->arg_start;
49575
49576 if (len > PAGE_SIZE)
49577 @@ -306,12 +328,28 @@ out:
49578 return res;
49579 }
49580
49581 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49582 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49583 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49584 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49585 +#endif
49586 +
49587 static int proc_pid_auxv(struct task_struct *task, char *buffer)
49588 {
49589 struct mm_struct *mm = mm_for_maps(task);
49590 int res = PTR_ERR(mm);
49591 if (mm && !IS_ERR(mm)) {
49592 unsigned int nwords = 0;
49593 +
49594 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49595 + /* allow if we're currently ptracing this task */
49596 + if (PAX_RAND_FLAGS(mm) &&
49597 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
49598 + mmput(mm);
49599 + return res;
49600 + }
49601 +#endif
49602 +
49603 do {
49604 nwords += 2;
49605 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
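Review bot: The early return added for the `PAX_RAND_FLAGS` case returns `res`, which at that point still holds `PTR_ERR(mm)` for a valid `mm`, since the branch is only entered when `!IS_ERR(mm)`. The caller therefore receives an integer derived from a kernel pointer instead of a length or an errno. Return an explicit value, `mmput(mm); return 0;`, or a negative errno if the denial should be visible to the reader. proc_pid_auxv continues past the end of the hunk.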
49606 @@ -325,7 +363,7 @@ static int proc_pid_auxv(struct task_str
49607 }
49608
49609
49610 -#ifdef CONFIG_KALLSYMS
49611 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49612 /*
49613 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
49614 * Returns the resolved symbol. If that fails, simply return the address.
49615 @@ -364,7 +402,7 @@ static void unlock_trace(struct task_str
49616 mutex_unlock(&task->signal->cred_guard_mutex);
49617 }
49618
49619 -#ifdef CONFIG_STACKTRACE
49620 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49621
49622 #define MAX_STACK_TRACE_DEPTH 64
49623
49624 @@ -555,7 +593,7 @@ static int proc_pid_limits(struct task_s
49625 return count;
49626 }
49627
49628 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49629 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49630 static int proc_pid_syscall(struct task_struct *task, char *buffer)
49631 {
49632 long nr;
49633 @@ -584,7 +622,7 @@ static int proc_pid_syscall(struct task_
49634 /************************************************************************/
49635
49636 /* permission checks */
49637 -static int proc_fd_access_allowed(struct inode *inode)
49638 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
49639 {
49640 struct task_struct *task;
49641 int allowed = 0;
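Review bot: The new `unsigned int log` parameter is a yes/no switch, and the call sites in the later hunks pass it as a bare `0` or `1` (`proc_fd_access_allowed(inode,0)`), which says nothing about what is being selected. Declaring it `bool log` and passing `false`/`true`, or adding a comment on the function such as `/* log: use ptrace_may_access_log() instead of ptrace_may_access() */`, makes the audit behaviour readable at the call. The function body continues in the next hunk.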
49642 @@ -594,7 +632,10 @@ static int proc_fd_access_allowed(struct
49643 */
49644 task = get_proc_task(inode);
49645 if (task) {
49646 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49647 + if (log)
49648 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
49649 + else
49650 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49651 put_task_struct(task);
49652 }
49653 return allowed;
49654 @@ -973,6 +1014,9 @@ static ssize_t environ_read(struct file
49655 if (!task)
49656 goto out_no_task;
49657
49658 + if (gr_acl_handle_procpidmem(task))
49659 + goto out;
49660 +
49661 ret = -ENOMEM;
49662 page = (char *)__get_free_page(GFP_TEMPORARY);
49663 if (!page)
49664 @@ -1660,7 +1704,7 @@ static void *proc_pid_follow_link(struct
49665 path_put(&nd->path);
49666
49667 /* Are we allowed to snoop on the tasks file descriptors? */
49668 - if (!proc_fd_access_allowed(inode))
49669 + if (!proc_fd_access_allowed(inode,0))
49670 goto out;
49671
49672 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
49673 @@ -1699,8 +1743,18 @@ static int proc_pid_readlink(struct dent
49674 struct path path;
49675
49676 /* Are we allowed to snoop on the tasks file descriptors? */
49677 - if (!proc_fd_access_allowed(inode))
49678 - goto out;
49679 + /* logging this is needed for learning on chromium to work properly,
49680 + but we don't want to flood the logs from 'ps' which does a readlink
49681 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
49682 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
49683 + */
49684 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
49685 + if (!proc_fd_access_allowed(inode,0))
49686 + goto out;
49687 + } else {
49688 + if (!proc_fd_access_allowed(inode,1))
49689 + goto out;
49690 + }
49691
49692 error = PROC_I(inode)->op.proc_get_link(inode, &path);
49693 if (error)
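Review bot: The exemption in proc_pid_readlink is keyed only on the dentry name being `2`, so every readlink of a link with that name takes the non-logging path, not just the ones issued by `ps`. That is a deliberate gap in the audit trail, and the comment should say so explicitly. The two branches differ only in the flag, so they can collapse to `log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by a single `if (!proc_fd_access_allowed(inode, log)) goto out;`. The function starts and ends outside the hunk.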
49694 @@ -1766,7 +1820,11 @@ static struct inode *proc_pid_make_inode
49695 rcu_read_lock();
49696 cred = __task_cred(task);
49697 inode->i_uid = cred->euid;
49698 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49699 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49700 +#else
49701 inode->i_gid = cred->egid;
49702 +#endif
49703 rcu_read_unlock();
49704 }
49705 security_task_to_inode(task, inode);
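Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` / `#else` pair around the gid assignment is repeated in pid_getattr and pid_revalidate, and again in proc_get_inode in fs/proc/inode.c. A single definition in a shared header, for example a macro that expands to `CONFIG_GRKERNSEC_PROC_GID` when the option is set and to its argument otherwise, would reduce each site to one line like `inode->i_gid = GR_PROC_GID(cred->egid);` (the name is only a suggestion) and keep the copies from drifting apart. proc_pid_make_inode's body continues outside the hunk.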
49706 @@ -1784,6 +1842,9 @@ static int pid_getattr(struct vfsmount *
49707 struct inode *inode = dentry->d_inode;
49708 struct task_struct *task;
49709 const struct cred *cred;
49710 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49711 + const struct cred *tmpcred = current_cred();
49712 +#endif
49713
49714 generic_fillattr(inode, stat);
49715
49716 @@ -1791,13 +1852,41 @@ static int pid_getattr(struct vfsmount *
49717 stat->uid = 0;
49718 stat->gid = 0;
49719 task = pid_task(proc_pid(inode), PIDTYPE_PID);
49720 +
49721 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
49722 + rcu_read_unlock();
49723 + return -ENOENT;
49724 + }
49725 +
49726 if (task) {
49727 + cred = __task_cred(task);
49728 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49729 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
49730 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49731 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
49732 +#endif
49733 + ) {
49734 +#endif
49735 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49736 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49737 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49738 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49739 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49740 +#endif
49741 task_dumpable(task)) {
49742 - cred = __task_cred(task);
49743 stat->uid = cred->euid;
49744 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49745 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
49746 +#else
49747 stat->gid = cred->egid;
49748 +#endif
49749 }
49750 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49751 + } else {
49752 + rcu_read_unlock();
49753 + return -ENOENT;
49754 + }
49755 +#endif
49756 }
49757 rcu_read_unlock();
49758 return 0;
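Review bot: The visibility test in pid_getattr opens `if (...) {` inside one `#if` block and closes it with `} else {` inside another, so the brace structure of the function differs per configuration and is hard to check by eye; show_smap in fs/proc/task_mmu.c uses the same split-brace pattern. proc_pid_readdir later open-codes the negation of the same uid/gid condition, so a small predicate that compiles to `true` when neither option is set would serve both places and let the body stay a plain `if`. The two `rcu_read_unlock(); return -ENOENT;` exits could then become one. The helper name below is a suggestion only.

```c
/* suggested helper; caller holds rcu_read_lock() */
static bool gr_proc_may_view(const struct cred *cred)
{
#if defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	const struct cred *tmpcred = current_cred();

	return !tmpcred->uid || tmpcred->uid == cred->uid ||
	       in_group_p(CONFIG_GRKERNSEC_PROC_GID);
#elif defined(CONFIG_GRKERNSEC_PROC_USER)
	const struct cred *tmpcred = current_cred();

	return !tmpcred->uid || tmpcred->uid == cred->uid;
#else
	return true;
#endif
}

/* … unchanged: generic_fillattr(), rcu_read_lock(), pid_task() lookup … */
	if (task) {
		cred = __task_cred(task);
		if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task) ||
		    !gr_proc_may_view(cred)) {
			rcu_read_unlock();
			return -ENOENT;
		}
		/* … unchanged: i_mode / task_dumpable() test and uid/gid assignment … */
```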
49759 @@ -1834,11 +1923,20 @@ static int pid_revalidate(struct dentry
49760
49761 if (task) {
49762 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49763 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49764 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49765 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49766 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49767 +#endif
49768 task_dumpable(task)) {
49769 rcu_read_lock();
49770 cred = __task_cred(task);
49771 inode->i_uid = cred->euid;
49772 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49773 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49774 +#else
49775 inode->i_gid = cred->egid;
49776 +#endif
49777 rcu_read_unlock();
49778 } else {
49779 inode->i_uid = 0;
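Review bot: The mode literals compared here, `S_IFDIR|S_IRUSR|S_IXUSR` and `S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP`, must match exactly what proc_pid_instantiate assigns to `inode->i_mode` in a later hunk, and the same list appears again in pid_getattr. If one site changes without the others, the comparison fails and a non-dumpable task's directory falls to the `else` branch that resets the owner to 0. Defining the per-configuration directory mode once, for example as a macro in a shared header used by all three functions, removes that coupling. The function starts outside the hunk.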
49780 @@ -1959,7 +2057,8 @@ static int proc_fd_info(struct inode *in
49781 int fd = proc_fd(inode);
49782
49783 if (task) {
49784 - files = get_files_struct(task);
49785 + if (!gr_acl_handle_procpidmem(task))
49786 + files = get_files_struct(task);
49787 put_task_struct(task);
49788 }
49789 if (files) {
49790 @@ -2219,15 +2318,25 @@ static const struct file_operations proc
49791 */
49792 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
49793 {
49794 + struct task_struct *task;
49795 int rv;
49796
49797 if (flags & IPERM_FLAG_RCU)
49798 return -ECHILD;
49799 rv = generic_permission(inode, mask, flags, NULL);
49800 - if (rv == 0)
49801 - return 0;
49802 +
49803 if (task_pid(current) == proc_pid(inode))
49804 rv = 0;
49805 +
49806 + task = get_proc_task(inode);
49807 + if (task == NULL)
49808 + return rv;
49809 +
49810 + if (gr_acl_handle_procpidmem(task))
49811 + rv = -EACCES;
49812 +
49813 + put_task_struct(task);
49814 +
49815 return rv;
49816 }
49817
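Review bot: Dropping the `if (rv == 0) return 0;` shortcut means every permission check on these inodes now takes and drops a task reference and calls `gr_acl_handle_procpidmem()`, and a denial there overrides both a successful `generic_permission()` and the self-access exemption on the line above it. That ordering is the point of the change but is not stated anywhere; a comment before `task = get_proc_task(inode);` such as `/* ACL check applies even when DAC or the self-access rule already allowed access */` would help. When `get_proc_task()` returns NULL the function returns the unfiltered `rv`, so it is worth confirming that a vanished task cannot reach a path where that matters.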
49818 @@ -2337,6 +2446,9 @@ static struct dentry *proc_pident_lookup
49819 if (!task)
49820 goto out_no_task;
49821
49822 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49823 + goto out;
49824 +
49825 /*
49826 * Yes, it does not scale. And it should not. Don't add
49827 * new entries into /proc/<tgid>/ without very good reasons.
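Review bot: The test `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)` is open-coded here and again in proc_pident_readdir, proc_pid_lookup, proc_pid_readdir and pid_getattr. Wrapping the pair in one inline helper would guarantee that all five entry points hide the same set of tasks, which matters because a task filtered from readdir but still reachable through lookup or getattr is only partly hidden. In this hunk the result returned on `goto out` is whatever `error` was initialised to outside the visible lines.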
49828 @@ -2381,6 +2493,9 @@ static int proc_pident_readdir(struct fi
49829 if (!task)
49830 goto out_no_task;
49831
49832 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49833 + goto out;
49834 +
49835 ret = 0;
49836 i = filp->f_pos;
49837 switch (i) {
49838 @@ -2651,7 +2766,7 @@ static void *proc_self_follow_link(struc
49839 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
49840 void *cookie)
49841 {
49842 - char *s = nd_get_link(nd);
49843 + const char *s = nd_get_link(nd);
49844 if (!IS_ERR(s))
49845 __putname(s);
49846 }
49847 @@ -2835,7 +2950,7 @@ static const struct pid_entry tgid_base_
49848 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
49849 #endif
49850 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
49851 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49852 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49853 INF("syscall", S_IRUGO, proc_pid_syscall),
49854 #endif
49855 INF("cmdline", S_IRUGO, proc_pid_cmdline),
49856 @@ -2860,10 +2975,10 @@ static const struct pid_entry tgid_base_
49857 #ifdef CONFIG_SECURITY
49858 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
49859 #endif
49860 -#ifdef CONFIG_KALLSYMS
49861 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49862 INF("wchan", S_IRUGO, proc_pid_wchan),
49863 #endif
49864 -#ifdef CONFIG_STACKTRACE
49865 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49866 ONE("stack", S_IRUGO, proc_pid_stack),
49867 #endif
49868 #ifdef CONFIG_SCHEDSTATS
49869 @@ -2894,6 +3009,9 @@ static const struct pid_entry tgid_base_
49870 #ifdef CONFIG_TASK_IO_ACCOUNTING
49871 INF("io", S_IRUGO, proc_tgid_io_accounting),
49872 #endif
49873 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49874 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
49875 +#endif
49876 };
49877
49878 static int proc_tgid_base_readdir(struct file * filp,
49879 @@ -3019,7 +3137,14 @@ static struct dentry *proc_pid_instantia
49880 if (!inode)
49881 goto out;
49882
49883 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49884 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
49885 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49886 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49887 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
49888 +#else
49889 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
49890 +#endif
49891 inode->i_op = &proc_tgid_base_inode_operations;
49892 inode->i_fop = &proc_tgid_base_operations;
49893 inode->i_flags|=S_IMMUTABLE;
49894 @@ -3061,7 +3186,11 @@ struct dentry *proc_pid_lookup(struct in
49895 if (!task)
49896 goto out;
49897
49898 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49899 + goto out_put_task;
49900 +
49901 result = proc_pid_instantiate(dir, dentry, task, NULL);
49902 +out_put_task:
49903 put_task_struct(task);
49904 out:
49905 return result;
49906 @@ -3126,6 +3255,11 @@ int proc_pid_readdir(struct file * filp,
49907 {
49908 unsigned int nr;
49909 struct task_struct *reaper;
49910 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49911 + const struct cred *tmpcred = current_cred();
49912 + const struct cred *itercred;
49913 +#endif
49914 + filldir_t __filldir = filldir;
49915 struct tgid_iter iter;
49916 struct pid_namespace *ns;
49917
49918 @@ -3149,8 +3283,27 @@ int proc_pid_readdir(struct file * filp,
49919 for (iter = next_tgid(ns, iter);
49920 iter.task;
49921 iter.tgid += 1, iter = next_tgid(ns, iter)) {
49922 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49923 + rcu_read_lock();
49924 + itercred = __task_cred(iter.task);
49925 +#endif
49926 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
49927 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49928 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
49929 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49930 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
49931 +#endif
49932 + )
49933 +#endif
49934 + )
49935 + __filldir = &gr_fake_filldir;
49936 + else
49937 + __filldir = filldir;
49938 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49939 + rcu_read_unlock();
49940 +#endif
49941 filp->f_pos = iter.tgid + TGID_OFFSET;
49942 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
49943 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
49944 put_task_struct(iter.task);
49945 goto out;
49946 }
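Review bot: Tasks that must stay hidden are still passed to `proc_pid_fill_cache()`, only with `gr_fake_filldir` substituted for the real callback, instead of being skipped. The reason is not visible in the hunk (it may be to keep `f_pos` handling identical for visible and hidden entries), so a short comment above `__filldir = &gr_fake_filldir;` explaining why the cache fill must still run would stop a later cleanup from removing it. The uid/gid condition here is the negation of the one in pid_getattr and currently has to be kept in sync with it by hand.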
49947 @@ -3177,7 +3330,7 @@ static const struct pid_entry tid_base_s
49948 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
49949 #endif
49950 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
49951 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49952 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49953 INF("syscall", S_IRUGO, proc_pid_syscall),
49954 #endif
49955 INF("cmdline", S_IRUGO, proc_pid_cmdline),
49956 @@ -3201,10 +3354,10 @@ static const struct pid_entry tid_base_s
49957 #ifdef CONFIG_SECURITY
49958 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
49959 #endif
49960 -#ifdef CONFIG_KALLSYMS
49961 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49962 INF("wchan", S_IRUGO, proc_pid_wchan),
49963 #endif
49964 -#ifdef CONFIG_STACKTRACE
49965 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49966 ONE("stack", S_IRUGO, proc_pid_stack),
49967 #endif
49968 #ifdef CONFIG_SCHEDSTATS
49969 diff -urNp linux-2.6.39.1/fs/proc/cmdline.c linux-2.6.39.1/fs/proc/cmdline.c
49970 --- linux-2.6.39.1/fs/proc/cmdline.c 2011-05-19 00:06:34.000000000 -0400
49971 +++ linux-2.6.39.1/fs/proc/cmdline.c 2011-05-22 19:41:37.000000000 -0400
49972 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
49973
49974 static int __init proc_cmdline_init(void)
49975 {
49976 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49977 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
49978 +#else
49979 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
49980 +#endif
49981 return 0;
49982 }
49983 module_init(proc_cmdline_init);
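Review bot: Selecting between `proc_create_grsec()` and `proc_create()` with an `#ifdef` at the call site is repeated in fs/proc/devices.c and will be needed for every further entry treated this way. If the header that declares `proc_create_grsec()` (not shown here) also provided a fallback such as `#define proc_create_grsec proc_create` when CONFIG_GRKERNSEC_PROC_ADD is off, each init function could make one unconditional call. The return value is ignored in both branches, as it was before the change.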
49984 diff -urNp linux-2.6.39.1/fs/proc/devices.c linux-2.6.39.1/fs/proc/devices.c
49985 --- linux-2.6.39.1/fs/proc/devices.c 2011-05-19 00:06:34.000000000 -0400
49986 +++ linux-2.6.39.1/fs/proc/devices.c 2011-05-22 19:41:37.000000000 -0400
49987 @@ -64,7 +64,11 @@ static const struct file_operations proc
49988
49989 static int __init proc_devices_init(void)
49990 {
49991 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49992 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
49993 +#else
49994 proc_create("devices", 0, NULL, &proc_devinfo_operations);
49995 +#endif
49996 return 0;
49997 }
49998 module_init(proc_devices_init);
49999 diff -urNp linux-2.6.39.1/fs/proc/inode.c linux-2.6.39.1/fs/proc/inode.c
50000 --- linux-2.6.39.1/fs/proc/inode.c 2011-05-19 00:06:34.000000000 -0400
50001 +++ linux-2.6.39.1/fs/proc/inode.c 2011-05-22 19:41:37.000000000 -0400
50002 @@ -433,7 +433,11 @@ struct inode *proc_get_inode(struct supe
50003 if (de->mode) {
50004 inode->i_mode = de->mode;
50005 inode->i_uid = de->uid;
50006 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50007 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50008 +#else
50009 inode->i_gid = de->gid;
50010 +#endif
50011 }
50012 if (de->size)
50013 inode->i_size = de->size;
50014 diff -urNp linux-2.6.39.1/fs/proc/internal.h linux-2.6.39.1/fs/proc/internal.h
50015 --- linux-2.6.39.1/fs/proc/internal.h 2011-05-19 00:06:34.000000000 -0400
50016 +++ linux-2.6.39.1/fs/proc/internal.h 2011-05-22 19:41:37.000000000 -0400
50017 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50018 struct pid *pid, struct task_struct *task);
50019 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50020 struct pid *pid, struct task_struct *task);
50021 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50022 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50023 +#endif
50024 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50025
50026 extern const struct file_operations proc_maps_operations;
50027 diff -urNp linux-2.6.39.1/fs/proc/Kconfig linux-2.6.39.1/fs/proc/Kconfig
50028 --- linux-2.6.39.1/fs/proc/Kconfig 2011-05-19 00:06:34.000000000 -0400
50029 +++ linux-2.6.39.1/fs/proc/Kconfig 2011-05-22 19:41:37.000000000 -0400
50030 @@ -30,12 +30,12 @@ config PROC_FS
50031
50032 config PROC_KCORE
50033 bool "/proc/kcore support" if !ARM
50034 - depends on PROC_FS && MMU
50035 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50036
50037 config PROC_VMCORE
50038 bool "/proc/vmcore support"
50039 - depends on PROC_FS && CRASH_DUMP
50040 - default y
50041 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50042 + default n
50043 help
50044 Exports the dump image of crashed kernel in ELF format.
50045
50046 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50047 limited in memory.
50048
50049 config PROC_PAGE_MONITOR
50050 - default y
50051 - depends on PROC_FS && MMU
50052 + default n
50053 + depends on PROC_FS && MMU && !GRKERNSEC
50054 bool "Enable /proc page monitoring" if EXPERT
50055 help
50056 Various /proc files exist to monitor process memory utilization:
50057 diff -urNp linux-2.6.39.1/fs/proc/kcore.c linux-2.6.39.1/fs/proc/kcore.c
50058 --- linux-2.6.39.1/fs/proc/kcore.c 2011-05-19 00:06:34.000000000 -0400
50059 +++ linux-2.6.39.1/fs/proc/kcore.c 2011-05-22 19:41:37.000000000 -0400
50060 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
50061 off_t offset = 0;
50062 struct kcore_list *m;
50063
50064 + pax_track_stack();
50065 +
50066 /* setup ELF header */
50067 elf = (struct elfhdr *) bufp;
50068 bufp += sizeof(struct elfhdr);
50069 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
50070 * the addresses in the elf_phdr on our list.
50071 */
50072 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50073 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50074 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50075 + if (tsz > buflen)
50076 tsz = buflen;
50077 -
50078 +
50079 while (buflen) {
50080 struct kcore_list *m;
50081
50082 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
50083 kfree(elf_buf);
50084 } else {
50085 if (kern_addr_valid(start)) {
50086 - unsigned long n;
50087 + char *elf_buf;
50088 + mm_segment_t oldfs;
50089
50090 - n = copy_to_user(buffer, (char *)start, tsz);
50091 - /*
50092 - * We cannot distingush between fault on source
50093 - * and fault on destination. When this happens
50094 - * we clear too and hope it will trigger the
50095 - * EFAULT again.
50096 - */
50097 - if (n) {
50098 - if (clear_user(buffer + tsz - n,
50099 - n))
50100 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50101 + if (!elf_buf)
50102 + return -ENOMEM;
50103 + oldfs = get_fs();
50104 + set_fs(KERNEL_DS);
50105 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50106 + set_fs(oldfs);
50107 + if (copy_to_user(buffer, elf_buf, tsz)) {
50108 + kfree(elf_buf);
50109 return -EFAULT;
50110 + }
50111 }
50112 + set_fs(oldfs);
50113 + kfree(elf_buf);
50114 } else {
50115 if (clear_user(buffer, tsz))
50116 return -EFAULT;
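Review bot: When `__copy_from_user()` reports a fault on the kernel source address, the new code frees the bounce buffer and falls through without writing anything to `buffer`, whereas the removed code cleared the unread part with `clear_user()`. Assuming the loop tail outside this hunk still advances by `tsz`, the reader is told it received bytes that were never stored. Zero-filling the user range on that path, as the `else` branch for invalid addresses already does, keeps the output well defined. The sketch also calls `set_fs(oldfs)` once and renames the buffer, since `elf_buf` is the name the header branch above uses for a different object.

```c
/* … unchanged: if (kern_addr_valid(start)) { … */
	char *bounce;
	mm_segment_t oldfs;
	unsigned long left, err;

	bounce = kmalloc(tsz, GFP_KERNEL);
	if (!bounce)
		return -ENOMEM;
	oldfs = get_fs();
	set_fs(KERNEL_DS);
	left = __copy_from_user(bounce, (const void __user *)start, tsz);
	set_fs(oldfs);
	if (left)
		err = clear_user(buffer, tsz);	/* source faulted: hand back zeroes */
	else
		err = copy_to_user(buffer, bounce, tsz);
	kfree(bounce);
	if (err)
		return -EFAULT;
/* … unchanged: else branch with clear_user(buffer, tsz) … */
```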
50117 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
50118
50119 static int open_kcore(struct inode *inode, struct file *filp)
50120 {
50121 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50122 + return -EPERM;
50123 +#endif
50124 if (!capable(CAP_SYS_RAWIO))
50125 return -EPERM;
50126 if (kcore_need_update)
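Review bot: With either option set, open_kcore() returns `-EPERM` on its first statement, and the capability check and update logic below it become unreachable code that is still compiled. The Kconfig hunk in this patch removes PROC_KCORE only for GRKERNSEC_PROC_ADD, so a kernel with GRKERNSEC_HIDESYM alone still builds this file and ends up with a kcore entry that can never be opened. Either add `&& !GRKERNSEC_HIDESYM` to the PROC_KCORE dependency, or put the remaining body under `#else` so the intent is explicit and no dead code is emitted.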
50127 diff -urNp linux-2.6.39.1/fs/proc/meminfo.c linux-2.6.39.1/fs/proc/meminfo.c
50128 --- linux-2.6.39.1/fs/proc/meminfo.c 2011-05-19 00:06:34.000000000 -0400
50129 +++ linux-2.6.39.1/fs/proc/meminfo.c 2011-05-22 19:36:32.000000000 -0400
50130 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50131 unsigned long pages[NR_LRU_LISTS];
50132 int lru;
50133
50134 + pax_track_stack();
50135 +
50136 /*
50137 * display in kilobytes.
50138 */
50139 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
50140 vmi.used >> 10,
50141 vmi.largest_chunk >> 10
50142 #ifdef CONFIG_MEMORY_FAILURE
50143 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50144 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50145 #endif
50146 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
50147 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
50148 diff -urNp linux-2.6.39.1/fs/proc/nommu.c linux-2.6.39.1/fs/proc/nommu.c
50149 --- linux-2.6.39.1/fs/proc/nommu.c 2011-05-19 00:06:34.000000000 -0400
50150 +++ linux-2.6.39.1/fs/proc/nommu.c 2011-05-22 19:36:32.000000000 -0400
50151 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
50152 if (len < 1)
50153 len = 1;
50154 seq_printf(m, "%*c", len, ' ');
50155 - seq_path(m, &file->f_path, "");
50156 + seq_path(m, &file->f_path, "\n\\");
50157 }
50158
50159 seq_putc(m, '\n');
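Review bot: The escape set passed to `seq_path()` changes from empty to `"\n\\"` with no comment saying why, here and in the matching hunks in fs/proc/task_mmu.c and fs/proc/task_nommu.c. Escaping the newline stops a file name from injecting what looks like an extra record into the output, and escaping the backslash as well keeps the encoding unambiguous, so a name containing a literal escape sequence cannot be mistaken for an escaped character. A comment such as `/* escape newline and backslash so a path cannot forge or alias output lines */` above the call would record that.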
50160 diff -urNp linux-2.6.39.1/fs/proc/proc_net.c linux-2.6.39.1/fs/proc/proc_net.c
50161 --- linux-2.6.39.1/fs/proc/proc_net.c 2011-05-19 00:06:34.000000000 -0400
50162 +++ linux-2.6.39.1/fs/proc/proc_net.c 2011-05-22 19:41:37.000000000 -0400
50163 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
50164 struct task_struct *task;
50165 struct nsproxy *ns;
50166 struct net *net = NULL;
50167 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50168 + const struct cred *cred = current_cred();
50169 +#endif
50170 +
50171 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50172 + if (cred->fsuid)
50173 + return net;
50174 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50175 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50176 + return net;
50177 +#endif
50178
50179 rcu_read_lock();
50180 task = pid_task(proc_pid(dir), PIDTYPE_PID);
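Review bot: get_proc_task_net() decides on `cred->fsuid`, while the equivalent restrictions added to pid_getattr and proc_pid_readdir in fs/proc/base.c compare `uid`. A process whose fsuid differs from its uid is therefore treated differently by the two sets of checks; if that is intended it deserves a comment, otherwise one field should be used throughout. Under CONFIG_GRKERNSEC_PROC_USER the function also returns NULL for every caller with a non-zero fsuid before it looks at `dir`, so a line such as `/* callers with a non-zero fsuid get no net namespace */` would make the early return self-explanatory.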
50181 diff -urNp linux-2.6.39.1/fs/proc/proc_sysctl.c linux-2.6.39.1/fs/proc/proc_sysctl.c
50182 --- linux-2.6.39.1/fs/proc/proc_sysctl.c 2011-05-19 00:06:34.000000000 -0400
50183 +++ linux-2.6.39.1/fs/proc/proc_sysctl.c 2011-05-22 19:41:37.000000000 -0400
50184 @@ -8,6 +8,8 @@
50185 #include <linux/namei.h>
50186 #include "internal.h"
50187
50188 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50189 +
50190 static const struct dentry_operations proc_sys_dentry_operations;
50191 static const struct file_operations proc_sys_file_operations;
50192 static const struct inode_operations proc_sys_inode_operations;
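Review bot: The prototype `extern __u32 gr_handle_sysctl(...)` is declared directly in this .c file, so nothing checks it against the definition if the signature changes. It belongs in a shared header; this file already includes `internal.h`, and the patch adds the `proc_pid_ipaddr` prototype there. The second argument is passed as `MAY_EXEC` in proc_sys_lookup and proc_sys_getattr but as a bare `0` in scan, and the result is used as a boolean although it is typed `__u32`. A comment on the declaration stating what `op` and the return value mean would cover both.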
50193 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
50194 if (!p)
50195 goto out;
50196
50197 + if (gr_handle_sysctl(p, MAY_EXEC))
50198 + goto out;
50199 +
50200 err = ERR_PTR(-ENOMEM);
50201 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50202 if (h)
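Review bot: The added `goto out` sits between the point where `p` may have been found through a second header `h` and the `if (h)` statement after `proc_sys_make_inode()` that, judging by the context lines, releases that header. If the `out` label (outside this hunk) only drops `head`, a denied lookup that matched via `h` leaves its reference held. Releasing it on the deny path, for example `if (gr_handle_sysctl(p, MAY_EXEC)) { if (h) sysctl_head_finish(h); goto out; }`, would close that; please confirm against the full function.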
50203 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
50204 if (*pos < file->f_pos)
50205 continue;
50206
50207 + if (gr_handle_sysctl(table, 0))
50208 + continue;
50209 +
50210 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50211 if (res)
50212 return res;
50213 @@ -358,6 +366,9 @@ static int proc_sys_getattr(struct vfsmo
50214 if (IS_ERR(head))
50215 return PTR_ERR(head);
50216
50217 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50218 + return -ENOENT;
50219 +
50220 generic_fillattr(inode, stat);
50221 if (table)
50222 stat->mode = (stat->mode & S_IFMT) | table->mode;
50223 diff -urNp linux-2.6.39.1/fs/proc/root.c linux-2.6.39.1/fs/proc/root.c
50224 --- linux-2.6.39.1/fs/proc/root.c 2011-05-19 00:06:34.000000000 -0400
50225 +++ linux-2.6.39.1/fs/proc/root.c 2011-05-22 19:41:37.000000000 -0400
50226 @@ -122,7 +122,15 @@ void __init proc_root_init(void)
50227 #ifdef CONFIG_PROC_DEVICETREE
50228 proc_device_tree_init();
50229 #endif
50230 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50231 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50232 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
50233 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50234 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
50235 +#endif
50236 +#else
50237 proc_mkdir("bus", NULL);
50238 +#endif
50239 proc_sys_init();
50240 }
50241
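Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` has no `#else` and proc_root_init() creates no `bus` directory at all. If Kconfig makes that combination impossible, which cannot be seen from this hunk, an `#else` with `#error` documents the assumption; otherwise add `#else` and `proc_mkdir("bus", NULL);` to the inner block. The return value of `proc_mkdir_mode()` is ignored, as that of `proc_mkdir()` was.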
50242 diff -urNp linux-2.6.39.1/fs/proc/task_mmu.c linux-2.6.39.1/fs/proc/task_mmu.c
50243 --- linux-2.6.39.1/fs/proc/task_mmu.c 2011-05-19 00:06:34.000000000 -0400
50244 +++ linux-2.6.39.1/fs/proc/task_mmu.c 2011-05-22 22:43:29.000000000 -0400
50245 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
50246 "VmExe:\t%8lu kB\n"
50247 "VmLib:\t%8lu kB\n"
50248 "VmPTE:\t%8lu kB\n"
50249 - "VmSwap:\t%8lu kB\n",
50250 - hiwater_vm << (PAGE_SHIFT-10),
50251 + "VmSwap:\t%8lu kB\n"
50252 +
50253 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50254 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50255 +#endif
50256 +
50257 + ,hiwater_vm << (PAGE_SHIFT-10),
50258 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50259 mm->locked_vm << (PAGE_SHIFT-10),
50260 hiwater_rss << (PAGE_SHIFT-10),
50261 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
50262 data << (PAGE_SHIFT-10),
50263 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50264 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
50265 - swap << (PAGE_SHIFT-10));
50266 + swap << (PAGE_SHIFT-10)
50267 +
50268 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50269 + , mm->context.user_cs_base, mm->context.user_cs_limit
50270 +#endif
50271 +
50272 + );
50273 }
50274
50275 unsigned long task_vsize(struct mm_struct *mm)
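Review bot: `mm->context.user_cs_base` and `mm->context.user_cs_limit` are printed for any reader of this file, while show_map_vma() and show_smap() later in the same patch zero addresses and sizes when `PAX_RAND_FLAGS(mm)` is true. If the code-segment limit tracks where executable mappings sit, as the name suggests, printing it unmasked gives back part of the layout information the other hunks hide. Masking it the same way would need the macro moved above task_mem(). The `%8lx` conversions in the previous hunk also assume both fields are `unsigned long`, which their declaration (not shown) should confirm.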
50276 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
50277 return ret;
50278 }
50279
50280 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50281 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50282 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50283 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50284 +#endif
50285 +
50286 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50287 {
50288 struct mm_struct *mm = vma->vm_mm;
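Review bot: This `PAX_RAND_FLAGS` definition is a copy of the one added to fs/proc/base.c earlier in the patch, so the two can drift apart silently. Defining it once in a header both files include (presumably fs/proc/internal.h) would fix that. The shared version should parenthesise its parameter, `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, since it is invoked with expressions such as `vma->vm_mm`. The macro also evaluates its argument several times, which is harmless for the current callers but worth a comment.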
50289 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
50290 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50291 }
50292
50293 - /* We don't show the stack guard page in /proc/maps */
50294 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50295 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
50296 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
50297 +#else
50298 start = vma->vm_start;
50299 - if (stack_guard_page_start(vma, start))
50300 - start += PAGE_SIZE;
50301 end = vma->vm_end;
50302 - if (stack_guard_page_end(vma, end))
50303 - end -= PAGE_SIZE;
50304 +#endif
50305
50306 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50307 start,
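Review bot: Removing the `stack_guard_page_start()`/`stack_guard_page_end()` adjustment applies in both branches of the new `#ifdef`, so the guard page is now included in the reported range even when CONFIG_GRKERNSEC_PROC_MEMMAP is off, and the comment that explained the old behaviour is deleted without a replacement. If that is intentional, say so in a comment above `start = vma->vm_start;`. Within the MEMMAP branch `PAX_RAND_FLAGS(mm)` is evaluated for `start`, for `end` and again for `pgoff` in the next hunk; testing it once into a local would make it obvious that all three fields are masked together.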
50308 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
50309 flags & VM_WRITE ? 'w' : '-',
50310 flags & VM_EXEC ? 'x' : '-',
50311 flags & VM_MAYSHARE ? 's' : 'p',
50312 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50313 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50314 +#else
50315 pgoff,
50316 +#endif
50317 MAJOR(dev), MINOR(dev), ino, &len);
50318
50319 /*
50320 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
50321 */
50322 if (file) {
50323 pad_len_spaces(m, len);
50324 - seq_path(m, &file->f_path, "\n");
50325 + seq_path(m, &file->f_path, "\n\\");
50326 } else {
50327 const char *name = arch_vma_name(vma);
50328 if (!name) {
50329 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
50330 if (vma->vm_start <= mm->brk &&
50331 vma->vm_end >= mm->start_brk) {
50332 name = "[heap]";
50333 - } else if (vma->vm_start <= mm->start_stack &&
50334 - vma->vm_end >= mm->start_stack) {
50335 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50336 + (vma->vm_start <= mm->start_stack &&
50337 + vma->vm_end >= mm->start_stack)) {
50338 name = "[stack]";
50339 }
50340 } else {
50341 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
50342 };
50343
50344 memset(&mss, 0, sizeof mss);
50345 - mss.vma = vma;
50346 - /* mmap_sem is held in m_start */
50347 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50348 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50349 -
50350 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50351 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50352 +#endif
50353 + mss.vma = vma;
50354 + /* mmap_sem is held in m_start */
50355 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50356 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50357 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50358 + }
50359 +#endif
50360 show_map_vma(m, vma);
50361
50362 seq_printf(m,
50363 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
50364 "KernelPageSize: %8lu kB\n"
50365 "MMUPageSize: %8lu kB\n"
50366 "Locked: %8lu kB\n",
50367 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50368 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50369 +#else
50370 (vma->vm_end - vma->vm_start) >> 10,
50371 +#endif
50372 mss.resident >> 10,
50373 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50374 mss.shared_clean >> 10,
50375 diff -urNp linux-2.6.39.1/fs/proc/task_nommu.c linux-2.6.39.1/fs/proc/task_nommu.c
50376 --- linux-2.6.39.1/fs/proc/task_nommu.c 2011-05-19 00:06:34.000000000 -0400
50377 +++ linux-2.6.39.1/fs/proc/task_nommu.c 2011-05-22 19:36:32.000000000 -0400
50378 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
50379 else
50380 bytes += kobjsize(mm);
50381
50382 - if (current->fs && current->fs->users > 1)
50383 + if (current->fs && atomic_read(&current->fs->users) > 1)
50384 sbytes += kobjsize(current->fs);
50385 else
50386 bytes += kobjsize(current->fs);
50387 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
50388
50389 if (file) {
50390 pad_len_spaces(m, len);
50391 - seq_path(m, &file->f_path, "");
50392 + seq_path(m, &file->f_path, "\n\\");
50393 } else if (mm) {
50394 if (vma->vm_start <= mm->start_stack &&
50395 vma->vm_end >= mm->start_stack) {
50396 diff -urNp linux-2.6.39.1/fs/quota/netlink.c linux-2.6.39.1/fs/quota/netlink.c
50397 --- linux-2.6.39.1/fs/quota/netlink.c 2011-05-19 00:06:34.000000000 -0400
50398 +++ linux-2.6.39.1/fs/quota/netlink.c 2011-05-22 19:36:32.000000000 -0400
50399 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
50400 void quota_send_warning(short type, unsigned int id, dev_t dev,
50401 const char warntype)
50402 {
50403 - static atomic_t seq;
50404 + static atomic_unchecked_t seq;
50405 struct sk_buff *skb;
50406 void *msg_head;
50407 int ret;
50408 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
50409 "VFS: Not enough memory to send quota warning.\n");
50410 return;
50411 }
50412 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
50413 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
50414 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
50415 if (!msg_head) {
50416 printk(KERN_ERR
50417 diff -urNp linux-2.6.39.1/fs/readdir.c linux-2.6.39.1/fs/readdir.c
50418 --- linux-2.6.39.1/fs/readdir.c 2011-05-19 00:06:34.000000000 -0400
50419 +++ linux-2.6.39.1/fs/readdir.c 2011-05-22 19:41:42.000000000 -0400
50420 @@ -17,6 +17,7 @@
50421 #include <linux/security.h>
50422 #include <linux/syscalls.h>
50423 #include <linux/unistd.h>
50424 +#include <linux/namei.h>
50425
50426 #include <asm/uaccess.h>
50427
50428 @@ -67,6 +68,7 @@ struct old_linux_dirent {
50429
50430 struct readdir_callback {
50431 struct old_linux_dirent __user * dirent;
50432 + struct file * file;
50433 int result;
50434 };
50435
50436 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50437 buf->result = -EOVERFLOW;
50438 return -EOVERFLOW;
50439 }
50440 +
50441 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50442 + return 0;
50443 +
50444 buf->result++;
50445 dirent = buf->dirent;
50446 if (!access_ok(VERIFY_WRITE, dirent,
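Review bot: `gr_acl_handle_filldir()` is consulted only after the `-EOVERFLOW` check, so an entry that the ACL system hides can still make the call fail with an error. filldir has the same order, and filldir64 runs the check after its `reclen > buf->count` test that returns `-EINVAL`. An error caused by an entry the caller is not supposed to see tells the caller that something is there; moving `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` to the top of each callback, before any size or overflow test, avoids that. The callbacks also depend on `buf->file` being set by every syscall that installs them, which the old_readdir, getdents and getdents64 hunks do.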
50447 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50448
50449 buf.result = 0;
50450 buf.dirent = dirent;
50451 + buf.file = file;
50452
50453 error = vfs_readdir(file, fillonedir, &buf);
50454 if (buf.result)
50455 @@ -142,6 +149,7 @@ struct linux_dirent {
50456 struct getdents_callback {
50457 struct linux_dirent __user * current_dir;
50458 struct linux_dirent __user * previous;
50459 + struct file * file;
50460 int count;
50461 int error;
50462 };
50463 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
50464 buf->error = -EOVERFLOW;
50465 return -EOVERFLOW;
50466 }
50467 +
50468 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50469 + return 0;
50470 +
50471 dirent = buf->previous;
50472 if (dirent) {
50473 if (__put_user(offset, &dirent->d_off))
50474 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50475 buf.previous = NULL;
50476 buf.count = count;
50477 buf.error = 0;
50478 + buf.file = file;
50479
50480 error = vfs_readdir(file, filldir, &buf);
50481 if (error >= 0)
50482 @@ -229,6 +242,7 @@ out:
50483 struct getdents_callback64 {
50484 struct linux_dirent64 __user * current_dir;
50485 struct linux_dirent64 __user * previous;
50486 + struct file *file;
50487 int count;
50488 int error;
50489 };
50490 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
50491 buf->error = -EINVAL; /* only used if we fail.. */
50492 if (reclen > buf->count)
50493 return -EINVAL;
50494 +
50495 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50496 + return 0;
50497 +
50498 dirent = buf->previous;
50499 if (dirent) {
50500 if (__put_user(offset, &dirent->d_off))
50501 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50502
50503 buf.current_dir = dirent;
50504 buf.previous = NULL;
50505 + buf.file = file;
50506 buf.count = count;
50507 buf.error = 0;
50508
50509 diff -urNp linux-2.6.39.1/fs/reiserfs/dir.c linux-2.6.39.1/fs/reiserfs/dir.c
50510 --- linux-2.6.39.1/fs/reiserfs/dir.c 2011-05-19 00:06:34.000000000 -0400
50511 +++ linux-2.6.39.1/fs/reiserfs/dir.c 2011-05-22 19:36:32.000000000 -0400
50512 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50513 struct reiserfs_dir_entry de;
50514 int ret = 0;
50515
50516 + pax_track_stack();
50517 +
50518 reiserfs_write_lock(inode->i_sb);
50519
50520 reiserfs_check_lock_depth(inode->i_sb, "readdir");
50521 diff -urNp linux-2.6.39.1/fs/reiserfs/do_balan.c linux-2.6.39.1/fs/reiserfs/do_balan.c
50522 --- linux-2.6.39.1/fs/reiserfs/do_balan.c 2011-05-19 00:06:34.000000000 -0400
50523 +++ linux-2.6.39.1/fs/reiserfs/do_balan.c 2011-05-22 19:36:32.000000000 -0400
50524 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
50525 return;
50526 }
50527
50528 - atomic_inc(&(fs_generation(tb->tb_sb)));
50529 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50530 do_balance_starts(tb);
50531
50532 /* balance leaf returns 0 except if combining L R and S into
50533 diff -urNp linux-2.6.39.1/fs/reiserfs/item_ops.c linux-2.6.39.1/fs/reiserfs/item_ops.c
50534 --- linux-2.6.39.1/fs/reiserfs/item_ops.c 2011-05-19 00:06:34.000000000 -0400
50535 +++ linux-2.6.39.1/fs/reiserfs/item_ops.c 2011-05-22 19:36:32.000000000 -0400
50536 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50537 vi->vi_index, vi->vi_type, vi->vi_ih);
50538 }
50539
50540 -static struct item_operations stat_data_ops = {
50541 +static const struct item_operations stat_data_ops = {
50542 .bytes_number = sd_bytes_number,
50543 .decrement_key = sd_decrement_key,
50544 .is_left_mergeable = sd_is_left_mergeable,
50545 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50546 vi->vi_index, vi->vi_type, vi->vi_ih);
50547 }
50548
50549 -static struct item_operations direct_ops = {
50550 +static const struct item_operations direct_ops = {
50551 .bytes_number = direct_bytes_number,
50552 .decrement_key = direct_decrement_key,
50553 .is_left_mergeable = direct_is_left_mergeable,
50554 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50555 vi->vi_index, vi->vi_type, vi->vi_ih);
50556 }
50557
50558 -static struct item_operations indirect_ops = {
50559 +static const struct item_operations indirect_ops = {
50560 .bytes_number = indirect_bytes_number,
50561 .decrement_key = indirect_decrement_key,
50562 .is_left_mergeable = indirect_is_left_mergeable,
50563 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50564 printk("\n");
50565 }
50566
50567 -static struct item_operations direntry_ops = {
50568 +static const struct item_operations direntry_ops = {
50569 .bytes_number = direntry_bytes_number,
50570 .decrement_key = direntry_decrement_key,
50571 .is_left_mergeable = direntry_is_left_mergeable,
50572 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
50573 "Invalid item type observed, run fsck ASAP");
50574 }
50575
50576 -static struct item_operations errcatch_ops = {
50577 +static const struct item_operations errcatch_ops = {
50578 errcatch_bytes_number,
50579 errcatch_decrement_key,
50580 errcatch_is_left_mergeable,
50581 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
50582 #error Item types must use disk-format assigned values.
50583 #endif
50584
50585 -struct item_operations *item_ops[TYPE_ANY + 1] = {
50586 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
50587 &stat_data_ops,
50588 &indirect_ops,
50589 &direct_ops,
50590 diff -urNp linux-2.6.39.1/fs/reiserfs/journal.c linux-2.6.39.1/fs/reiserfs/journal.c
50591 --- linux-2.6.39.1/fs/reiserfs/journal.c 2011-05-19 00:06:34.000000000 -0400
50592 +++ linux-2.6.39.1/fs/reiserfs/journal.c 2011-05-22 19:36:32.000000000 -0400
50593 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
50594 struct buffer_head *bh;
50595 int i, j;
50596
50597 + pax_track_stack();
50598 +
50599 bh = __getblk(dev, block, bufsize);
50600 if (buffer_uptodate(bh))
50601 return (bh);
50602 diff -urNp linux-2.6.39.1/fs/reiserfs/namei.c linux-2.6.39.1/fs/reiserfs/namei.c
50603 --- linux-2.6.39.1/fs/reiserfs/namei.c 2011-05-19 00:06:34.000000000 -0400
50604 +++ linux-2.6.39.1/fs/reiserfs/namei.c 2011-05-22 19:36:32.000000000 -0400
50605 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
50606 unsigned long savelink = 1;
50607 struct timespec ctime;
50608
50609 + pax_track_stack();
50610 +
50611 /* three balancings: (1) old name removal, (2) new name insertion
50612 and (3) maybe "save" link insertion
50613 stat data updates: (1) old directory,
50614 diff -urNp linux-2.6.39.1/fs/reiserfs/procfs.c linux-2.6.39.1/fs/reiserfs/procfs.c
50615 --- linux-2.6.39.1/fs/reiserfs/procfs.c 2011-05-19 00:06:34.000000000 -0400
50616 +++ linux-2.6.39.1/fs/reiserfs/procfs.c 2011-05-22 19:36:32.000000000 -0400
50617 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
50618 "SMALL_TAILS " : "NO_TAILS ",
50619 replay_only(sb) ? "REPLAY_ONLY " : "",
50620 convert_reiserfs(sb) ? "CONV " : "",
50621 - atomic_read(&r->s_generation_counter),
50622 + atomic_read_unchecked(&r->s_generation_counter),
50623 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
50624 SF(s_do_balance), SF(s_unneeded_left_neighbor),
50625 SF(s_good_search_by_key_reada), SF(s_bmaps),
50626 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
50627 struct journal_params *jp = &rs->s_v1.s_journal;
50628 char b[BDEVNAME_SIZE];
50629
50630 + pax_track_stack();
50631 +
50632 seq_printf(m, /* on-disk fields */
50633 "jp_journal_1st_block: \t%i\n"
50634 "jp_journal_dev: \t%s[%x]\n"
50635 diff -urNp linux-2.6.39.1/fs/reiserfs/stree.c linux-2.6.39.1/fs/reiserfs/stree.c
50636 --- linux-2.6.39.1/fs/reiserfs/stree.c 2011-05-19 00:06:34.000000000 -0400
50637 +++ linux-2.6.39.1/fs/reiserfs/stree.c 2011-05-22 19:36:32.000000000 -0400
50638 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
50639 int iter = 0;
50640 #endif
50641
50642 + pax_track_stack();
50643 +
50644 BUG_ON(!th->t_trans_id);
50645
50646 init_tb_struct(th, &s_del_balance, sb, path,
50647 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
50648 int retval;
50649 int quota_cut_bytes = 0;
50650
50651 + pax_track_stack();
50652 +
50653 BUG_ON(!th->t_trans_id);
50654
50655 le_key2cpu_key(&cpu_key, key);
50656 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
50657 int quota_cut_bytes;
50658 loff_t tail_pos = 0;
50659
50660 + pax_track_stack();
50661 +
50662 BUG_ON(!th->t_trans_id);
50663
50664 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
50665 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
50666 int retval;
50667 int fs_gen;
50668
50669 + pax_track_stack();
50670 +
50671 BUG_ON(!th->t_trans_id);
50672
50673 fs_gen = get_generation(inode->i_sb);
50674 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
50675 int fs_gen = 0;
50676 int quota_bytes = 0;
50677
50678 + pax_track_stack();
50679 +
50680 BUG_ON(!th->t_trans_id);
50681
50682 if (inode) { /* Do we count quotas for item? */
50683 diff -urNp linux-2.6.39.1/fs/reiserfs/super.c linux-2.6.39.1/fs/reiserfs/super.c
50684 --- linux-2.6.39.1/fs/reiserfs/super.c 2011-05-19 00:06:34.000000000 -0400
50685 +++ linux-2.6.39.1/fs/reiserfs/super.c 2011-05-22 19:36:32.000000000 -0400
50686 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
50687 {.option_name = NULL}
50688 };
50689
50690 + pax_track_stack();
50691 +
50692 *blocks = 0;
50693 if (!options || !*options)
50694 /* use default configuration: create tails, journaling on, no
50695 diff -urNp linux-2.6.39.1/fs/select.c linux-2.6.39.1/fs/select.c
50696 --- linux-2.6.39.1/fs/select.c 2011-05-19 00:06:34.000000000 -0400
50697 +++ linux-2.6.39.1/fs/select.c 2011-05-22 19:41:42.000000000 -0400
50698 @@ -20,6 +20,7 @@
50699 #include <linux/module.h>
50700 #include <linux/slab.h>
50701 #include <linux/poll.h>
50702 +#include <linux/security.h>
50703 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
50704 #include <linux/file.h>
50705 #include <linux/fdtable.h>
50706 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
50707 int retval, i, timed_out = 0;
50708 unsigned long slack = 0;
50709
50710 + pax_track_stack();
50711 +
50712 rcu_read_lock();
50713 retval = max_select_fd(n, fds);
50714 rcu_read_unlock();
50715 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
50716 /* Allocate small arguments on the stack to save memory and be faster */
50717 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
50718
50719 + pax_track_stack();
50720 +
50721 ret = -EINVAL;
50722 if (n < 0)
50723 goto out_nofds;
50724 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
50725 struct poll_list *walk = head;
50726 unsigned long todo = nfds;
50727
50728 + pax_track_stack();
50729 +
50730 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
50731 if (nfds > rlimit(RLIMIT_NOFILE))
50732 return -EINVAL;
50733
50734 diff -urNp linux-2.6.39.1/fs/seq_file.c linux-2.6.39.1/fs/seq_file.c
50735 --- linux-2.6.39.1/fs/seq_file.c 2011-05-19 00:06:34.000000000 -0400
50736 +++ linux-2.6.39.1/fs/seq_file.c 2011-05-22 19:36:32.000000000 -0400
50737 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
50738 return 0;
50739 }
50740 if (!m->buf) {
50741 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50742 + m->size = PAGE_SIZE;
50743 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50744 if (!m->buf)
50745 return -ENOMEM;
50746 }
50747 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
50748 Eoverflow:
50749 m->op->stop(m, p);
50750 kfree(m->buf);
50751 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
50752 + m->size <<= 1;
50753 + m->buf = kmalloc(m->size, GFP_KERNEL);
50754 return !m->buf ? -ENOMEM : -EAGAIN;
50755 }
50756
50757 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
50758 m->version = file->f_version;
50759 /* grab buffer if we didn't have one */
50760 if (!m->buf) {
50761 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50762 + m->size = PAGE_SIZE;
50763 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50764 if (!m->buf)
50765 goto Enomem;
50766 }
50767 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
50768 goto Fill;
50769 m->op->stop(m, p);
50770 kfree(m->buf);
50771 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
50772 + m->size <<= 1;
50773 + m->buf = kmalloc(m->size, GFP_KERNEL);
50774 if (!m->buf)
50775 goto Enomem;
50776 m->count = 0;
50777 diff -urNp linux-2.6.39.1/fs/splice.c linux-2.6.39.1/fs/splice.c
50778 --- linux-2.6.39.1/fs/splice.c 2011-05-19 00:06:34.000000000 -0400
50779 +++ linux-2.6.39.1/fs/splice.c 2011-05-22 19:36:32.000000000 -0400
50780 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
50781 pipe_lock(pipe);
50782
50783 for (;;) {
50784 - if (!pipe->readers) {
50785 + if (!atomic_read(&pipe->readers)) {
50786 send_sig(SIGPIPE, current, 0);
50787 if (!ret)
50788 ret = -EPIPE;
50789 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
50790 do_wakeup = 0;
50791 }
50792
50793 - pipe->waiting_writers++;
50794 + atomic_inc(&pipe->waiting_writers);
50795 pipe_wait(pipe);
50796 - pipe->waiting_writers--;
50797 + atomic_dec(&pipe->waiting_writers);
50798 }
50799
50800 pipe_unlock(pipe);
50801 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
50802 .spd_release = spd_release_page,
50803 };
50804
50805 + pax_track_stack();
50806 +
50807 if (splice_grow_spd(pipe, &spd))
50808 return -ENOMEM;
50809
50810 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
50811 old_fs = get_fs();
50812 set_fs(get_ds());
50813 /* The cast to a user pointer is valid due to the set_fs() */
50814 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
50815 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
50816 set_fs(old_fs);
50817
50818 return res;
50819 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
50820 old_fs = get_fs();
50821 set_fs(get_ds());
50822 /* The cast to a user pointer is valid due to the set_fs() */
50823 - res = vfs_write(file, (const char __user *)buf, count, &pos);
50824 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
50825 set_fs(old_fs);
50826
50827 return res;
50828 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
50829 .spd_release = spd_release_page,
50830 };
50831
50832 + pax_track_stack();
50833 +
50834 if (splice_grow_spd(pipe, &spd))
50835 return -ENOMEM;
50836
50837 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
50838 goto err;
50839
50840 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
50841 - vec[i].iov_base = (void __user *) page_address(page);
50842 + vec[i].iov_base = (__force void __user *) page_address(page);
50843 vec[i].iov_len = this_len;
50844 spd.pages[i] = page;
50845 spd.nr_pages++;
50846 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
50847 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
50848 {
50849 while (!pipe->nrbufs) {
50850 - if (!pipe->writers)
50851 + if (!atomic_read(&pipe->writers))
50852 return 0;
50853
50854 - if (!pipe->waiting_writers && sd->num_spliced)
50855 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
50856 return 0;
50857
50858 if (sd->flags & SPLICE_F_NONBLOCK)
50859 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
50860 * out of the pipe right after the splice_to_pipe(). So set
50861 * PIPE_READERS appropriately.
50862 */
50863 - pipe->readers = 1;
50864 + atomic_set(&pipe->readers, 1);
50865
50866 current->splice_pipe = pipe;
50867 }
50868 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
50869 };
50870 long ret;
50871
50872 + pax_track_stack();
50873 +
50874 pipe = get_pipe_info(file);
50875 if (!pipe)
50876 return -EBADF;
50877 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
50878 ret = -ERESTARTSYS;
50879 break;
50880 }
50881 - if (!pipe->writers)
50882 + if (!atomic_read(&pipe->writers))
50883 break;
50884 - if (!pipe->waiting_writers) {
50885 + if (!atomic_read(&pipe->waiting_writers)) {
50886 if (flags & SPLICE_F_NONBLOCK) {
50887 ret = -EAGAIN;
50888 break;
50889 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
50890 pipe_lock(pipe);
50891
50892 while (pipe->nrbufs >= pipe->buffers) {
50893 - if (!pipe->readers) {
50894 + if (!atomic_read(&pipe->readers)) {
50895 send_sig(SIGPIPE, current, 0);
50896 ret = -EPIPE;
50897 break;
50898 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
50899 ret = -ERESTARTSYS;
50900 break;
50901 }
50902 - pipe->waiting_writers++;
50903 + atomic_inc(&pipe->waiting_writers);
50904 pipe_wait(pipe);
50905 - pipe->waiting_writers--;
50906 + atomic_dec(&pipe->waiting_writers);
50907 }
50908
50909 pipe_unlock(pipe);
50910 @@ -1815,14 +1821,14 @@ retry:
50911 pipe_double_lock(ipipe, opipe);
50912
50913 do {
50914 - if (!opipe->readers) {
50915 + if (!atomic_read(&opipe->readers)) {
50916 send_sig(SIGPIPE, current, 0);
50917 if (!ret)
50918 ret = -EPIPE;
50919 break;
50920 }
50921
50922 - if (!ipipe->nrbufs && !ipipe->writers)
50923 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
50924 break;
50925
50926 /*
50927 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
50928 pipe_double_lock(ipipe, opipe);
50929
50930 do {
50931 - if (!opipe->readers) {
50932 + if (!atomic_read(&opipe->readers)) {
50933 send_sig(SIGPIPE, current, 0);
50934 if (!ret)
50935 ret = -EPIPE;
50936 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
50937 * return EAGAIN if we have the potential of some data in the
50938 * future, otherwise just return 0
50939 */
50940 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
50941 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
50942 ret = -EAGAIN;
50943
50944 pipe_unlock(ipipe);
50945 diff -urNp linux-2.6.39.1/fs/sysfs/file.c linux-2.6.39.1/fs/sysfs/file.c
50946 --- linux-2.6.39.1/fs/sysfs/file.c 2011-05-19 00:06:34.000000000 -0400
50947 +++ linux-2.6.39.1/fs/sysfs/file.c 2011-05-22 19:36:32.000000000 -0400
50948 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
50949
50950 struct sysfs_open_dirent {
50951 atomic_t refcnt;
50952 - atomic_t event;
50953 + atomic_unchecked_t event;
50954 wait_queue_head_t poll;
50955 struct list_head buffers; /* goes through sysfs_buffer.list */
50956 };
50957 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
50958 if (!sysfs_get_active(attr_sd))
50959 return -ENODEV;
50960
50961 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
50962 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
50963 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
50964
50965 sysfs_put_active(attr_sd);
50966 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
50967 return -ENOMEM;
50968
50969 atomic_set(&new_od->refcnt, 0);
50970 - atomic_set(&new_od->event, 1);
50971 + atomic_set_unchecked(&new_od->event, 1);
50972 init_waitqueue_head(&new_od->poll);
50973 INIT_LIST_HEAD(&new_od->buffers);
50974 goto retry;
50975 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
50976
50977 sysfs_put_active(attr_sd);
50978
50979 - if (buffer->event != atomic_read(&od->event))
50980 + if (buffer->event != atomic_read_unchecked(&od->event))
50981 goto trigger;
50982
50983 return DEFAULT_POLLMASK;
50984 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
50985
50986 od = sd->s_attr.open;
50987 if (od) {
50988 - atomic_inc(&od->event);
50989 + atomic_inc_unchecked(&od->event);
50990 wake_up_interruptible(&od->poll);
50991 }
50992
50993 diff -urNp linux-2.6.39.1/fs/sysfs/mount.c linux-2.6.39.1/fs/sysfs/mount.c
50994 --- linux-2.6.39.1/fs/sysfs/mount.c 2011-05-19 00:06:34.000000000 -0400
50995 +++ linux-2.6.39.1/fs/sysfs/mount.c 2011-05-22 19:41:42.000000000 -0400
50996 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
50997 .s_name = "",
50998 .s_count = ATOMIC_INIT(1),
50999 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
51000 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51001 + .s_mode = S_IFDIR | S_IRWXU,
51002 +#else
51003 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51004 +#endif
51005 .s_ino = 1,
51006 };
51007
51008 diff -urNp linux-2.6.39.1/fs/sysfs/symlink.c linux-2.6.39.1/fs/sysfs/symlink.c
51009 --- linux-2.6.39.1/fs/sysfs/symlink.c 2011-05-19 00:06:34.000000000 -0400
51010 +++ linux-2.6.39.1/fs/sysfs/symlink.c 2011-05-22 19:36:32.000000000 -0400
51011 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
51012
51013 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51014 {
51015 - char *page = nd_get_link(nd);
51016 + const char *page = nd_get_link(nd);
51017 if (!IS_ERR(page))
51018 free_page((unsigned long)page);
51019 }
51020 diff -urNp linux-2.6.39.1/fs/udf/inode.c linux-2.6.39.1/fs/udf/inode.c
51021 --- linux-2.6.39.1/fs/udf/inode.c 2011-05-19 00:06:34.000000000 -0400
51022 +++ linux-2.6.39.1/fs/udf/inode.c 2011-05-22 19:36:32.000000000 -0400
51023 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
51024 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51025 int lastblock = 0;
51026
51027 + pax_track_stack();
51028 +
51029 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51030 prev_epos.block = iinfo->i_location;
51031 prev_epos.bh = NULL;
51032 diff -urNp linux-2.6.39.1/fs/udf/misc.c linux-2.6.39.1/fs/udf/misc.c
51033 --- linux-2.6.39.1/fs/udf/misc.c 2011-05-19 00:06:34.000000000 -0400
51034 +++ linux-2.6.39.1/fs/udf/misc.c 2011-05-22 19:36:32.000000000 -0400
51035 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51036
51037 u8 udf_tag_checksum(const struct tag *t)
51038 {
51039 - u8 *data = (u8 *)t;
51040 + const u8 *data = (const u8 *)t;
51041 u8 checksum = 0;
51042 int i;
51043 for (i = 0; i < sizeof(struct tag); ++i)
51044 diff -urNp linux-2.6.39.1/fs/utimes.c linux-2.6.39.1/fs/utimes.c
51045 --- linux-2.6.39.1/fs/utimes.c 2011-05-19 00:06:34.000000000 -0400
51046 +++ linux-2.6.39.1/fs/utimes.c 2011-05-22 19:41:42.000000000 -0400
51047 @@ -1,6 +1,7 @@
51048 #include <linux/compiler.h>
51049 #include <linux/file.h>
51050 #include <linux/fs.h>
51051 +#include <linux/security.h>
51052 #include <linux/linkage.h>
51053 #include <linux/mount.h>
51054 #include <linux/namei.h>
51055 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51056 goto mnt_drop_write_and_out;
51057 }
51058 }
51059 +
51060 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51061 + error = -EACCES;
51062 + goto mnt_drop_write_and_out;
51063 + }
51064 +
51065 mutex_lock(&inode->i_mutex);
51066 error = notify_change(path->dentry, &newattrs);
51067 mutex_unlock(&inode->i_mutex);
51068 diff -urNp linux-2.6.39.1/fs/xattr_acl.c linux-2.6.39.1/fs/xattr_acl.c
51069 --- linux-2.6.39.1/fs/xattr_acl.c 2011-05-19 00:06:34.000000000 -0400
51070 +++ linux-2.6.39.1/fs/xattr_acl.c 2011-05-22 19:36:32.000000000 -0400
51071 @@ -17,8 +17,8 @@
51072 struct posix_acl *
51073 posix_acl_from_xattr(const void *value, size_t size)
51074 {
51075 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51076 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51077 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51078 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51079 int count;
51080 struct posix_acl *acl;
51081 struct posix_acl_entry *acl_e;
51082 diff -urNp linux-2.6.39.1/fs/xattr.c linux-2.6.39.1/fs/xattr.c
51083 --- linux-2.6.39.1/fs/xattr.c 2011-05-19 00:06:34.000000000 -0400
51084 +++ linux-2.6.39.1/fs/xattr.c 2011-05-22 19:41:42.000000000 -0400
51085 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
51086 * Extended attribute SET operations
51087 */
51088 static long
51089 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
51090 +setxattr(struct path *path, const char __user *name, const void __user *value,
51091 size_t size, int flags)
51092 {
51093 int error;
51094 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
51095 return PTR_ERR(kvalue);
51096 }
51097
51098 - error = vfs_setxattr(d, kname, kvalue, size, flags);
51099 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
51100 + error = -EACCES;
51101 + goto out;
51102 + }
51103 +
51104 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
51105 +out:
51106 kfree(kvalue);
51107 return error;
51108 }
51109 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
51110 return error;
51111 error = mnt_want_write(path.mnt);
51112 if (!error) {
51113 - error = setxattr(path.dentry, name, value, size, flags);
51114 + error = setxattr(&path, name, value, size, flags);
51115 mnt_drop_write(path.mnt);
51116 }
51117 path_put(&path);
51118 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
51119 return error;
51120 error = mnt_want_write(path.mnt);
51121 if (!error) {
51122 - error = setxattr(path.dentry, name, value, size, flags);
51123 + error = setxattr(&path, name, value, size, flags);
51124 mnt_drop_write(path.mnt);
51125 }
51126 path_put(&path);
51127 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
51128 const void __user *,value, size_t, size, int, flags)
51129 {
51130 struct file *f;
51131 - struct dentry *dentry;
51132 int error = -EBADF;
51133
51134 f = fget(fd);
51135 if (!f)
51136 return error;
51137 - dentry = f->f_path.dentry;
51138 - audit_inode(NULL, dentry);
51139 + audit_inode(NULL, f->f_path.dentry);
51140 error = mnt_want_write_file(f);
51141 if (!error) {
51142 - error = setxattr(dentry, name, value, size, flags);
51143 + error = setxattr(&f->f_path, name, value, size, flags);
51144 mnt_drop_write(f->f_path.mnt);
51145 }
51146 fput(f);
51147 diff -urNp linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl32.c
51148 --- linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-19 00:06:34.000000000 -0400
51149 +++ linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-22 19:41:42.000000000 -0400
51150 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
51151 xfs_fsop_geom_t fsgeo;
51152 int error;
51153
51154 + memset(&fsgeo, 0, sizeof(fsgeo));
51155 error = xfs_fs_geometry(mp, &fsgeo, 3);
51156 if (error)
51157 return -error;
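Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` carries no comment saying why it is needed, so it reads as redundant next to the `xfs_fs_geometry()` call that fills the same struct. Presumably the struct is later copied to user space (that copy is outside the hunk) and the geometry call may leave some fields or padding unwritten, which would otherwise expose stale kernel stack bytes. A comment such as `/* zero first: anything xfs_fs_geometry() leaves unset must not reach user space */` would keep the line from being removed later as dead code.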
51158 diff -urNp linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl.c
51159 --- linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-19 00:06:34.000000000 -0400
51160 +++ linux-2.6.39.1/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-22 19:36:32.000000000 -0400
51161 @@ -128,7 +128,7 @@ xfs_find_handle(
51162 }
51163
51164 error = -EFAULT;
51165 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51166 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51167 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51168 goto out_put;
51169
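Review bot: The new bound `hsize > sizeof handle` relies on an implicit conversion: if `hsize` is a signed int (its declaration is outside the hunk, but it is copied out as `__s32` on the following line), a negative value is rejected only because it becomes a large unsigned number in the comparison. Writing the test as `hsize < 0 || (size_t)hsize > sizeof(handle)` makes that intent visible and survives a later change of type. An oversized `hsize` is also reported as -EFAULT, the code for a bad user pointer, although it would be an internal sizing error; a one-line comment that the check prevents reading past `handle` would explain why it sits in this condition.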
51170 diff -urNp linux-2.6.39.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.39.1/fs/xfs/linux-2.6/xfs_iops.c
51171 --- linux-2.6.39.1/fs/xfs/linux-2.6/xfs_iops.c 2011-05-19 00:06:34.000000000 -0400
51172 +++ linux-2.6.39.1/fs/xfs/linux-2.6/xfs_iops.c 2011-05-22 19:36:32.000000000 -0400
51173 @@ -437,7 +437,7 @@ xfs_vn_put_link(
51174 struct nameidata *nd,
51175 void *p)
51176 {
51177 - char *s = nd_get_link(nd);
51178 + const char *s = nd_get_link(nd);
51179
51180 if (!IS_ERR(s))
51181 kfree(s);
51182 diff -urNp linux-2.6.39.1/fs/xfs/xfs_bmap.c linux-2.6.39.1/fs/xfs/xfs_bmap.c
51183 --- linux-2.6.39.1/fs/xfs/xfs_bmap.c 2011-05-19 00:06:34.000000000 -0400
51184 +++ linux-2.6.39.1/fs/xfs/xfs_bmap.c 2011-05-22 19:36:32.000000000 -0400
51185 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
51186 int nmap,
51187 int ret_nmap);
51188 #else
51189 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51190 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51191 #endif /* DEBUG */
51192
51193 STATIC int
51194 diff -urNp linux-2.6.39.1/fs/xfs/xfs_dir2.c linux-2.6.39.1/fs/xfs/xfs_dir2.c
51195 --- linux-2.6.39.1/fs/xfs/xfs_dir2.c 2011-05-19 00:06:34.000000000 -0400
51196 +++ linux-2.6.39.1/fs/xfs/xfs_dir2.c 2011-05-22 19:36:32.000000000 -0400
51197 @@ -85,7 +85,7 @@ xfs_ascii_ci_compname(
51198 return result;
51199 }
51200
51201 -static struct xfs_nameops xfs_ascii_ci_nameops = {
51202 +static const struct xfs_nameops xfs_ascii_ci_nameops = {
51203 .hashname = xfs_ascii_ci_hashname,
51204 .compname = xfs_ascii_ci_compname,
51205 };
51206 diff -urNp linux-2.6.39.1/fs/xfs/xfs_dir2_sf.c linux-2.6.39.1/fs/xfs/xfs_dir2_sf.c
51207 --- linux-2.6.39.1/fs/xfs/xfs_dir2_sf.c 2011-05-19 00:06:34.000000000 -0400
51208 +++ linux-2.6.39.1/fs/xfs/xfs_dir2_sf.c 2011-05-22 19:36:32.000000000 -0400
51209 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
51210 }
51211
51212 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51213 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51214 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51215 + char name[sfep->namelen];
51216 + memcpy(name, sfep->name, sfep->namelen);
51217 + if (filldir(dirent, name, sfep->namelen,
51218 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
51219 + *offset = off & 0x7fffffff;
51220 + return 0;
51221 + }
51222 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51223 off & 0x7fffffff, ino, DT_UNKNOWN)) {
51224 *offset = off & 0x7fffffff;
51225 return 0;
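Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack sized by an on-disk field, and the hunk does not say why inline names are copied at all. If `namelen` is an 8-bit field the size is bounded, but a fixed buffer such as `char name[MAXNAMELEN];` states the bound at the declaration and avoids the VLA; this assumes MAXNAMELEN covers every value `namelen` can hold, which should be confirmed. The two `filldir()` branches are otherwise identical, so selecting the name pointer first and calling `filldir()` once would remove the duplicated offset handling. A comment on the `if_inline_data` test should give the reason for the bounce copy, presumably that the inline fork lives inside the inode object and is not meant to be copied to user space directly. The enclosing loop in xfs_dir2_sf_getdents starts and ends outside the hunk.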
51226 diff -urNp linux-2.6.39.1/grsecurity/gracl_alloc.c linux-2.6.39.1/grsecurity/gracl_alloc.c
51227 --- linux-2.6.39.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
51228 +++ linux-2.6.39.1/grsecurity/gracl_alloc.c 2011-05-22 19:41:42.000000000 -0400
51229 @@ -0,0 +1,105 @@
51230 +#include <linux/kernel.h>
51231 +#include <linux/mm.h>
51232 +#include <linux/slab.h>
51233 +#include <linux/vmalloc.h>
51234 +#include <linux/gracl.h>
51235 +#include <linux/grsecurity.h>
51236 +
51237 +static unsigned long alloc_stack_next = 1;
51238 +static unsigned long alloc_stack_size = 1;
51239 +static void **alloc_stack;
51240 +
51241 +static __inline__ int
51242 +alloc_pop(void)
51243 +{
51244 + if (alloc_stack_next == 1)
51245 + return 0;
51246 +
51247 + kfree(alloc_stack[alloc_stack_next - 2]);
51248 +
51249 + alloc_stack_next--;
51250 +
51251 + return 1;
51252 +}
51253 +
51254 +static __inline__ int
51255 +alloc_push(void *buf)
51256 +{
51257 + if (alloc_stack_next >= alloc_stack_size)
51258 + return 1;
51259 +
51260 + alloc_stack[alloc_stack_next - 1] = buf;
51261 +
51262 + alloc_stack_next++;
51263 +
51264 + return 0;
51265 +}
51266 +
51267 +void *
51268 +acl_alloc(unsigned long len)
51269 +{
51270 + void *ret = NULL;
51271 +
51272 + if (!len || len > PAGE_SIZE)
51273 + goto out;
51274 +
51275 + ret = kmalloc(len, GFP_KERNEL);
51276 +
51277 + if (ret) {
51278 + if (alloc_push(ret)) {
51279 + kfree(ret);
51280 + ret = NULL;
51281 + }
51282 + }
51283 +
51284 +out:
51285 + return ret;
51286 +}
51287 +
51288 +void *
51289 +acl_alloc_num(unsigned long num, unsigned long len)
51290 +{
51291 + if (!len || (num > (PAGE_SIZE / len)))
51292 + return NULL;
51293 +
51294 + return acl_alloc(num * len);
51295 +}
51296 +
51297 +void
51298 +acl_free_all(void)
51299 +{
51300 + if (gr_acl_is_enabled() || !alloc_stack)
51301 + return;
51302 +
51303 + while (alloc_pop()) ;
51304 +
51305 + if (alloc_stack) {
51306 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
51307 + kfree(alloc_stack);
51308 + else
51309 + vfree(alloc_stack);
51310 + }
51311 +
51312 + alloc_stack = NULL;
51313 + alloc_stack_size = 1;
51314 + alloc_stack_next = 1;
51315 +
51316 + return;
51317 +}
51318 +
51319 +int
51320 +acl_alloc_stack_init(unsigned long size)
51321 +{
51322 + if ((size * sizeof (void *)) <= PAGE_SIZE)
51323 + alloc_stack =
51324 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
51325 + else
51326 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
51327 +
51328 + alloc_stack_size = size;
51329 +
51330 + if (!alloc_stack)
51331 + return 0;
51332 + else
51333 + return 1;
51334 +}
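Review bot: acl_alloc_stack_init() multiplies `size * sizeof (void *)` without an overflow check and stores `alloc_stack_size = size` even when the allocation fails. If `size` can be influenced by a loaded policy (the caller is not in this file), a wrapped product yields a small array while alloc_push() still accepts indexes up to `size`, so later pushes would write past the allocation. On the failure path alloc_push() would store through a NULL `alloc_stack` if a caller ignored the return value. Rejecting sizes whose byte count wraps, and publishing the capacity only after the array exists, keeps alloc_push() failing closed. acl_free_all() chooses kfree() or vfree() from the same product, so it depends on the same bound.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	/* refuse sizes whose byte count would wrap before reaching the allocator */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		alloc_stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		alloc_stack = vmalloc(size * sizeof (void *));

	if (!alloc_stack)
		return 0;

	/* publish the capacity only once the backing array exists */
	alloc_stack_size = size;
	return 1;
}
```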
51335 diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c
51336 --- linux-2.6.39.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
51337 +++ linux-2.6.39.1/grsecurity/gracl.c 2011-06-11 16:26:18.000000000 -0400
51338 @@ -0,0 +1,4109 @@
51339 +#include <linux/kernel.h>
51340 +#include <linux/module.h>
51341 +#include <linux/sched.h>
51342 +#include <linux/mm.h>
51343 +#include <linux/file.h>
51344 +#include <linux/fs.h>
51345 +#include <linux/namei.h>
51346 +#include <linux/mount.h>
51347 +#include <linux/tty.h>
51348 +#include <linux/proc_fs.h>
51349 +#include <linux/lglock.h>
51350 +#include <linux/slab.h>
51351 +#include <linux/vmalloc.h>
51352 +#include <linux/types.h>
51353 +#include <linux/sysctl.h>
51354 +#include <linux/netdevice.h>
51355 +#include <linux/ptrace.h>
51356 +#include <linux/gracl.h>
51357 +#include <linux/gralloc.h>
51358 +#include <linux/grsecurity.h>
51359 +#include <linux/grinternal.h>
51360 +#include <linux/pid_namespace.h>
51361 +#include <linux/fdtable.h>
51362 +#include <linux/percpu.h>
51363 +
51364 +#include <asm/uaccess.h>
51365 +#include <asm/errno.h>
51366 +#include <asm/mman.h>
51367 +
51368 +static struct acl_role_db acl_role_set;
51369 +static struct name_db name_set;
51370 +static struct inodev_db inodev_set;
51371 +
51372 +/* for keeping track of userspace pointers used for subjects, so we
51373 + can share references in the kernel as well
51374 +*/
51375 +
51376 +static struct path real_root;
51377 +
51378 +static struct acl_subj_map_db subj_map_set;
51379 +
51380 +static struct acl_role_label *default_role;
51381 +
51382 +static struct acl_role_label *role_list;
51383 +
51384 +static u16 acl_sp_role_value;
51385 +
51386 +extern char *gr_shared_page[4];
51387 +static DEFINE_MUTEX(gr_dev_mutex);
51388 +DEFINE_RWLOCK(gr_inode_lock);
51389 +
51390 +struct gr_arg *gr_usermode;
51391 +
51392 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
51393 +
51394 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
51395 +extern void gr_clear_learn_entries(void);
51396 +
51397 +#ifdef CONFIG_GRKERNSEC_RESLOG
51398 +extern void gr_log_resource(const struct task_struct *task,
51399 + const int res, const unsigned long wanted, const int gt);
51400 +#endif
51401 +
51402 +unsigned char *gr_system_salt;
51403 +unsigned char *gr_system_sum;
51404 +
51405 +static struct sprole_pw **acl_special_roles = NULL;
51406 +static __u16 num_sprole_pws = 0;
51407 +
51408 +static struct acl_role_label *kernel_role = NULL;
51409 +
51410 +static unsigned int gr_auth_attempts = 0;
51411 +static unsigned long gr_auth_expires = 0UL;
51412 +
51413 +#ifdef CONFIG_NET
51414 +extern struct vfsmount *sock_mnt;
51415 +#endif
51416 +
51417 +extern struct vfsmount *pipe_mnt;
51418 +extern struct vfsmount *shm_mnt;
51419 +#ifdef CONFIG_HUGETLBFS
51420 +extern struct vfsmount *hugetlbfs_vfsmount;
51421 +#endif
51422 +
51423 +static struct acl_object_label *fakefs_obj_rw;
51424 +static struct acl_object_label *fakefs_obj_rwx;
51425 +
51426 +extern int gr_init_uidset(void);
51427 +extern void gr_free_uidset(void);
51428 +extern void gr_remove_uid(uid_t uid);
51429 +extern int gr_find_uid(uid_t uid);
51430 +
51431 +DECLARE_BRLOCK(vfsmount_lock);
51432 +
51433 +__inline__ int
51434 +gr_acl_is_enabled(void)
51435 +{
51436 + return (gr_status & GR_READY);
51437 +}
51438 +
51439 +#ifdef CONFIG_BTRFS_FS
51440 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
51441 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
51442 +#endif
51443 +
51444 +static inline dev_t __get_dev(const struct dentry *dentry)
51445 +{
51446 +#ifdef CONFIG_BTRFS_FS
51447 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
51448 + return get_btrfs_dev_from_inode(dentry->d_inode);
51449 + else
51450 +#endif
51451 + return dentry->d_inode->i_sb->s_dev;
51452 +}
51453 +
51454 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
51455 +{
51456 + return __get_dev(dentry);
51457 +}
51458 +
51459 +static char gr_task_roletype_to_char(struct task_struct *task)
51460 +{
51461 + switch (task->role->roletype &
51462 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
51463 + GR_ROLE_SPECIAL)) {
51464 + case GR_ROLE_DEFAULT:
51465 + return 'D';
51466 + case GR_ROLE_USER:
51467 + return 'U';
51468 + case GR_ROLE_GROUP:
51469 + return 'G';
51470 + case GR_ROLE_SPECIAL:
51471 + return 'S';
51472 + }
51473 +
51474 + return 'X';
51475 +}
51476 +
51477 +char gr_roletype_to_char(void)
51478 +{
51479 + return gr_task_roletype_to_char(current);
51480 +}
51481 +
51482 +__inline__ int
51483 +gr_acl_tpe_check(void)
51484 +{
51485 + if (unlikely(!(gr_status & GR_READY)))
51486 + return 0;
51487 + if (current->role->roletype & GR_ROLE_TPE)
51488 + return 1;
51489 + else
51490 + return 0;
51491 +}
51492 +
51493 +int
51494 +gr_handle_rawio(const struct inode *inode)
51495 +{
51496 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51497 + if (inode && S_ISBLK(inode->i_mode) &&
51498 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
51499 + !capable(CAP_SYS_RAWIO))
51500 + return 1;
51501 +#endif
51502 + return 0;
51503 +}
51504 +
51505 +static int
51506 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
51507 +{
51508 + if (likely(lena != lenb))
51509 + return 0;
51510 +
51511 + return !memcmp(a, b, lena);
51512 +}
51513 +
51514 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
51515 +{
51516 + *buflen -= namelen;
51517 + if (*buflen < 0)
51518 + return -ENAMETOOLONG;
51519 + *buffer -= namelen;
51520 + memcpy(*buffer, str, namelen);
51521 + return 0;
51522 +}
51523 +
51524 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
51525 +{
51526 + return prepend(buffer, buflen, name->name, name->len);
51527 +}
51528 +
51529 +static int prepend_path(const struct path *path, struct path *root,
51530 + char **buffer, int *buflen)
51531 +{
51532 + struct dentry *dentry = path->dentry;
51533 + struct vfsmount *vfsmnt = path->mnt;
51534 + bool slash = false;
51535 + int error = 0;
51536 +
51537 + while (dentry != root->dentry || vfsmnt != root->mnt) {
51538 + struct dentry * parent;
51539 +
51540 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
51541 + /* Global root? */
51542 + if (vfsmnt->mnt_parent == vfsmnt) {
51543 + goto out;
51544 + }
51545 + dentry = vfsmnt->mnt_mountpoint;
51546 + vfsmnt = vfsmnt->mnt_parent;
51547 + continue;
51548 + }
51549 + parent = dentry->d_parent;
51550 + prefetch(parent);
51551 + spin_lock(&dentry->d_lock);
51552 + error = prepend_name(buffer, buflen, &dentry->d_name);
51553 + spin_unlock(&dentry->d_lock);
51554 + if (!error)
51555 + error = prepend(buffer, buflen, "/", 1);
51556 + if (error)
51557 + break;
51558 +
51559 + slash = true;
51560 + dentry = parent;
51561 + }
51562 +
51563 +out:
51564 + if (!error && !slash)
51565 + error = prepend(buffer, buflen, "/", 1);
51566 +
51567 + return error;
51568 +}
51569 +
51570 +/* this must be called with vfsmount_lock and rename_lock held */
51571 +
51572 +static char *__our_d_path(const struct path *path, struct path *root,
51573 + char *buf, int buflen)
51574 +{
51575 + char *res = buf + buflen;
51576 + int error;
51577 +
51578 + prepend(&res, &buflen, "\0", 1);
51579 + error = prepend_path(path, root, &res, &buflen);
51580 + if (error)
51581 + return ERR_PTR(error);
51582 +
51583 + return res;
51584 +}
51585 +
51586 +static char *
51587 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
51588 +{
51589 + char *retval;
51590 +
51591 + retval = __our_d_path(path, root, buf, buflen);
51592 + if (unlikely(IS_ERR(retval)))
51593 + retval = strcpy(buf, "<path too long>");
51594 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
51595 + retval[1] = '\0';
51596 +
51597 + return retval;
51598 +}
51599 +
51600 +static char *
51601 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
51602 + char *buf, int buflen)
51603 +{
51604 + struct path path;
51605 + char *res;
51606 +
51607 + path.dentry = (struct dentry *)dentry;
51608 + path.mnt = (struct vfsmount *)vfsmnt;
51609 +
51610 + /* we can use real_root.dentry, real_root.mnt, because this is only called
51611 + by the RBAC system */
51612 + res = gen_full_path(&path, &real_root, buf, buflen);
51613 +
51614 + return res;
51615 +}
51616 +
51617 +static char *
51618 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
51619 + char *buf, int buflen)
51620 +{
51621 + char *res;
51622 + struct path path;
51623 + struct path root;
51624 + struct task_struct *reaper = &init_task;
51625 +
51626 + path.dentry = (struct dentry *)dentry;
51627 + path.mnt = (struct vfsmount *)vfsmnt;
51628 +
51629 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
51630 + get_fs_root(reaper->fs, &root);
51631 +
51632 + write_seqlock(&rename_lock);
51633 + br_read_lock(vfsmount_lock);
51634 + res = gen_full_path(&path, &root, buf, buflen);
51635 + br_read_unlock(vfsmount_lock);
51636 + write_sequnlock(&rename_lock);
51637 +
51638 + path_put(&root);
51639 + return res;
51640 +}
51641 +
51642 +static char *
51643 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
51644 +{
51645 + char *ret;
51646 + write_seqlock(&rename_lock);
51647 + br_read_lock(vfsmount_lock);
51648 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
51649 + PAGE_SIZE);
51650 + br_read_unlock(vfsmount_lock);
51651 + write_sequnlock(&rename_lock);
51652 + return ret;
51653 +}
51654 +
51655 +char *
51656 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
51657 +{
51658 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
51659 + PAGE_SIZE);
51660 +}
51661 +
51662 +char *
51663 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
51664 +{
51665 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
51666 + PAGE_SIZE);
51667 +}
51668 +
51669 +char *
51670 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
51671 +{
51672 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
51673 + PAGE_SIZE);
51674 +}
51675 +
51676 +char *
51677 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
51678 +{
51679 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
51680 + PAGE_SIZE);
51681 +}
51682 +
51683 +char *
51684 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
51685 +{
51686 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
51687 + PAGE_SIZE);
51688 +}
51689 +
51690 +__inline__ __u32
51691 +to_gr_audit(const __u32 reqmode)
51692 +{
51693 + /* masks off auditable permission flags, then shifts them to create
51694 + auditing flags, and adds the special case of append auditing if
51695 + we're requesting write */
51696 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
51697 +}
51698 +
51699 +struct acl_subject_label *
51700 +lookup_subject_map(const struct acl_subject_label *userp)
51701 +{
51702 + unsigned int index = shash(userp, subj_map_set.s_size);
51703 + struct subject_map *match;
51704 +
51705 + match = subj_map_set.s_hash[index];
51706 +
51707 + while (match && match->user != userp)
51708 + match = match->next;
51709 +
51710 + if (match != NULL)
51711 + return match->kernel;
51712 + else
51713 + return NULL;
51714 +}
51715 +
51716 +static void
51717 +insert_subj_map_entry(struct subject_map *subjmap)
51718 +{
51719 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
51720 + struct subject_map **curr;
51721 +
51722 + subjmap->prev = NULL;
51723 +
51724 + curr = &subj_map_set.s_hash[index];
51725 + if (*curr != NULL)
51726 + (*curr)->prev = subjmap;
51727 +
51728 + subjmap->next = *curr;
51729 + *curr = subjmap;
51730 +
51731 + return;
51732 +}
51733 +
51734 +static struct acl_role_label *
51735 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
51736 + const gid_t gid)
51737 +{
51738 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
51739 + struct acl_role_label *match;
51740 + struct role_allowed_ip *ipp;
51741 + unsigned int x;
51742 + u32 curr_ip = task->signal->curr_ip;
51743 +
51744 + task->signal->saved_ip = curr_ip;
51745 +
51746 + match = acl_role_set.r_hash[index];
51747 +
51748 + while (match) {
51749 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
51750 + for (x = 0; x < match->domain_child_num; x++) {
51751 + if (match->domain_children[x] == uid)
51752 + goto found;
51753 + }
51754 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
51755 + break;
51756 + match = match->next;
51757 + }
51758 +found:
51759 + if (match == NULL) {
51760 + try_group:
51761 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
51762 + match = acl_role_set.r_hash[index];
51763 +
51764 + while (match) {
51765 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
51766 + for (x = 0; x < match->domain_child_num; x++) {
51767 + if (match->domain_children[x] == gid)
51768 + goto found2;
51769 + }
51770 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
51771 + break;
51772 + match = match->next;
51773 + }
51774 +found2:
51775 + if (match == NULL)
51776 + match = default_role;
51777 + if (match->allowed_ips == NULL)
51778 + return match;
51779 + else {
51780 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
51781 + if (likely
51782 + ((ntohl(curr_ip) & ipp->netmask) ==
51783 + (ntohl(ipp->addr) & ipp->netmask)))
51784 + return match;
51785 + }
51786 + match = default_role;
51787 + }
51788 + } else if (match->allowed_ips == NULL) {
51789 + return match;
51790 + } else {
51791 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
51792 + if (likely
51793 + ((ntohl(curr_ip) & ipp->netmask) ==
51794 + (ntohl(ipp->addr) & ipp->netmask)))
51795 + return match;
51796 + }
51797 + goto try_group;
51798 + }
51799 +
51800 + return match;
51801 +}
51802 +
51803 +struct acl_subject_label *
51804 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
51805 + const struct acl_role_label *role)
51806 +{
51807 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
51808 + struct acl_subject_label *match;
51809 +
51810 + match = role->subj_hash[index];
51811 +
51812 + while (match && (match->inode != ino || match->device != dev ||
51813 + (match->mode & GR_DELETED))) {
51814 + match = match->next;
51815 + }
51816 +
51817 + if (match && !(match->mode & GR_DELETED))
51818 + return match;
51819 + else
51820 + return NULL;
51821 +}
51822 +
51823 +struct acl_subject_label *
51824 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
51825 + const struct acl_role_label *role)
51826 +{
51827 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
51828 + struct acl_subject_label *match;
51829 +
51830 + match = role->subj_hash[index];
51831 +
51832 + while (match && (match->inode != ino || match->device != dev ||
51833 + !(match->mode & GR_DELETED))) {
51834 + match = match->next;
51835 + }
51836 +
51837 + if (match && (match->mode & GR_DELETED))
51838 + return match;
51839 + else
51840 + return NULL;
51841 +}
51842 +
51843 +static struct acl_object_label *
51844 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
51845 + const struct acl_subject_label *subj)
51846 +{
51847 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
51848 + struct acl_object_label *match;
51849 +
51850 + match = subj->obj_hash[index];
51851 +
51852 + while (match && (match->inode != ino || match->device != dev ||
51853 + (match->mode & GR_DELETED))) {
51854 + match = match->next;
51855 + }
51856 +
51857 + if (match && !(match->mode & GR_DELETED))
51858 + return match;
51859 + else
51860 + return NULL;
51861 +}
51862 +
51863 +static struct acl_object_label *
51864 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
51865 + const struct acl_subject_label *subj)
51866 +{
51867 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
51868 + struct acl_object_label *match;
51869 +
51870 + match = subj->obj_hash[index];
51871 +
51872 + while (match && (match->inode != ino || match->device != dev ||
51873 + !(match->mode & GR_DELETED))) {
51874 + match = match->next;
51875 + }
51876 +
51877 + if (match && (match->mode & GR_DELETED))
51878 + return match;
51879 +
51880 + match = subj->obj_hash[index];
51881 +
51882 + while (match && (match->inode != ino || match->device != dev ||
51883 + (match->mode & GR_DELETED))) {
51884 + match = match->next;
51885 + }
51886 +
51887 + if (match && !(match->mode & GR_DELETED))
51888 + return match;
51889 + else
51890 + return NULL;
51891 +}
51892 +
51893 +static struct name_entry *
51894 +lookup_name_entry(const char *name)
51895 +{
51896 + unsigned int len = strlen(name);
51897 + unsigned int key = full_name_hash(name, len);
51898 + unsigned int index = key % name_set.n_size;
51899 + struct name_entry *match;
51900 +
51901 + match = name_set.n_hash[index];
51902 +
51903 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
51904 + match = match->next;
51905 +
51906 + return match;
51907 +}
51908 +
51909 +static struct name_entry *
51910 +lookup_name_entry_create(const char *name)
51911 +{
51912 + unsigned int len = strlen(name);
51913 + unsigned int key = full_name_hash(name, len);
51914 + unsigned int index = key % name_set.n_size;
51915 + struct name_entry *match;
51916 +
51917 + match = name_set.n_hash[index];
51918 +
51919 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
51920 + !match->deleted))
51921 + match = match->next;
51922 +
51923 + if (match && match->deleted)
51924 + return match;
51925 +
51926 + match = name_set.n_hash[index];
51927 +
51928 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
51929 + match->deleted))
51930 + match = match->next;
51931 +
51932 + if (match && !match->deleted)
51933 + return match;
51934 + else
51935 + return NULL;
51936 +}
51937 +
51938 +static struct inodev_entry *
51939 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
51940 +{
51941 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
51942 + struct inodev_entry *match;
51943 +
51944 + match = inodev_set.i_hash[index];
51945 +
51946 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
51947 + match = match->next;
51948 +
51949 + return match;
51950 +}
51951 +
51952 +static void
51953 +insert_inodev_entry(struct inodev_entry *entry)
51954 +{
51955 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
51956 + inodev_set.i_size);
51957 + struct inodev_entry **curr;
51958 +
51959 + entry->prev = NULL;
51960 +
51961 + curr = &inodev_set.i_hash[index];
51962 + if (*curr != NULL)
51963 + (*curr)->prev = entry;
51964 +
51965 + entry->next = *curr;
51966 + *curr = entry;
51967 +
51968 + return;
51969 +}
51970 +
51971 +static void
51972 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
51973 +{
51974 + unsigned int index =
51975 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
51976 + struct acl_role_label **curr;
51977 + struct acl_role_label *tmp;
51978 +
51979 + curr = &acl_role_set.r_hash[index];
51980 +
51981 + /* if role was already inserted due to domains and already has
51982 + a role in the same bucket as it attached, then we need to
51983 + combine these two buckets
51984 + */
51985 + if (role->next) {
51986 + tmp = role->next;
51987 + while (tmp->next)
51988 + tmp = tmp->next;
51989 + tmp->next = *curr;
51990 + } else
51991 + role->next = *curr;
51992 + *curr = role;
51993 +
51994 + return;
51995 +}
51996 +
51997 +static void
51998 +insert_acl_role_label(struct acl_role_label *role)
51999 +{
52000 + int i;
52001 +
52002 + if (role_list == NULL) {
52003 + role_list = role;
52004 + role->prev = NULL;
52005 + } else {
52006 + role->prev = role_list;
52007 + role_list = role;
52008 + }
52009 +
52010 + /* used for hash chains */
52011 + role->next = NULL;
52012 +
52013 + if (role->roletype & GR_ROLE_DOMAIN) {
52014 + for (i = 0; i < role->domain_child_num; i++)
52015 + __insert_acl_role_label(role, role->domain_children[i]);
52016 + } else
52017 + __insert_acl_role_label(role, role->uidgid);
52018 +}
52019 +
52020 +static int
52021 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52022 +{
52023 + struct name_entry **curr, *nentry;
52024 + struct inodev_entry *ientry;
52025 + unsigned int len = strlen(name);
52026 + unsigned int key = full_name_hash(name, len);
52027 + unsigned int index = key % name_set.n_size;
52028 +
52029 + curr = &name_set.n_hash[index];
52030 +
52031 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52032 + curr = &((*curr)->next);
52033 +
52034 + if (*curr != NULL)
52035 + return 1;
52036 +
52037 + nentry = acl_alloc(sizeof (struct name_entry));
52038 + if (nentry == NULL)
52039 + return 0;
52040 + ientry = acl_alloc(sizeof (struct inodev_entry));
52041 + if (ientry == NULL)
52042 + return 0;
52043 + ientry->nentry = nentry;
52044 +
52045 + nentry->key = key;
52046 + nentry->name = name;
52047 + nentry->inode = inode;
52048 + nentry->device = device;
52049 + nentry->len = len;
52050 + nentry->deleted = deleted;
52051 +
52052 + nentry->prev = NULL;
52053 + curr = &name_set.n_hash[index];
52054 + if (*curr != NULL)
52055 + (*curr)->prev = nentry;
52056 + nentry->next = *curr;
52057 + *curr = nentry;
52058 +
52059 + /* insert us into the table searchable by inode/dev */
52060 + insert_inodev_entry(ientry);
52061 +
52062 + return 1;
52063 +}
52064 +
52065 +static void
52066 +insert_acl_obj_label(struct acl_object_label *obj,
52067 + struct acl_subject_label *subj)
52068 +{
52069 + unsigned int index =
52070 + fhash(obj->inode, obj->device, subj->obj_hash_size);
52071 + struct acl_object_label **curr;
52072 +
52073 +
52074 + obj->prev = NULL;
52075 +
52076 + curr = &subj->obj_hash[index];
52077 + if (*curr != NULL)
52078 + (*curr)->prev = obj;
52079 +
52080 + obj->next = *curr;
52081 + *curr = obj;
52082 +
52083 + return;
52084 +}
52085 +
52086 +static void
52087 +insert_acl_subj_label(struct acl_subject_label *obj,
52088 + struct acl_role_label *role)
52089 +{
52090 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52091 + struct acl_subject_label **curr;
52092 +
52093 + obj->prev = NULL;
52094 +
52095 + curr = &role->subj_hash[index];
52096 + if (*curr != NULL)
52097 + (*curr)->prev = obj;
52098 +
52099 + obj->next = *curr;
52100 + *curr = obj;
52101 +
52102 + return;
52103 +}
52104 +
52105 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52106 +
52107 +static void *
52108 +create_table(__u32 * len, int elementsize)
52109 +{
52110 + unsigned int table_sizes[] = {
52111 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52112 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52113 + 4194301, 8388593, 16777213, 33554393, 67108859
52114 + };
52115 + void *newtable = NULL;
52116 + unsigned int pwr = 0;
52117 +
52118 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52119 + table_sizes[pwr] <= *len)
52120 + pwr++;
52121 +
52122 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52123 + return newtable;
52124 +
52125 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52126 + newtable =
52127 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52128 + else
52129 + newtable = vmalloc(table_sizes[pwr] * elementsize);
52130 +
52131 + *len = table_sizes[pwr];
52132 +
52133 + return newtable;
52134 +}
52135 +
52136 +static int
52137 +init_variables(const struct gr_arg *arg)
52138 +{
52139 + struct task_struct *reaper = &init_task;
52140 + unsigned int stacksize;
52141 +
52142 + subj_map_set.s_size = arg->role_db.num_subjects;
52143 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
52144 + name_set.n_size = arg->role_db.num_objects;
52145 + inodev_set.i_size = arg->role_db.num_objects;
52146 +
52147 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
52148 + !name_set.n_size || !inodev_set.i_size)
52149 + return 1;
52150 +
52151 + if (!gr_init_uidset())
52152 + return 1;
52153 +
52154 + /* set up the stack that holds allocation info */
52155 +
52156 + stacksize = arg->role_db.num_pointers + 5;
52157 +
52158 + if (!acl_alloc_stack_init(stacksize))
52159 + return 1;
52160 +
52161 + /* grab reference for the real root dentry and vfsmount */
52162 + get_fs_root(reaper->fs, &real_root);
52163 +
52164 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52165 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
52166 +#endif
52167 +
52168 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
52169 + if (fakefs_obj_rw == NULL)
52170 + return 1;
52171 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
52172 +
52173 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
52174 + if (fakefs_obj_rwx == NULL)
52175 + return 1;
52176 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
52177 +
52178 + subj_map_set.s_hash =
52179 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
52180 + acl_role_set.r_hash =
52181 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
52182 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
52183 + inodev_set.i_hash =
52184 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
52185 +
52186 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
52187 + !name_set.n_hash || !inodev_set.i_hash)
52188 + return 1;
52189 +
52190 + memset(subj_map_set.s_hash, 0,
52191 + sizeof(struct subject_map *) * subj_map_set.s_size);
52192 + memset(acl_role_set.r_hash, 0,
52193 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
52194 + memset(name_set.n_hash, 0,
52195 + sizeof (struct name_entry *) * name_set.n_size);
52196 + memset(inodev_set.i_hash, 0,
52197 + sizeof (struct inodev_entry *) * inodev_set.i_size);
52198 +
52199 + return 0;
52200 +}
52201 +
52202 +/* free information not needed after startup
52203 + currently contains user->kernel pointer mappings for subjects
52204 +*/
52205 +
52206 +static void
52207 +free_init_variables(void)
52208 +{
52209 + __u32 i;
52210 +
52211 + if (subj_map_set.s_hash) {
52212 + for (i = 0; i < subj_map_set.s_size; i++) {
52213 + if (subj_map_set.s_hash[i]) {
52214 + kfree(subj_map_set.s_hash[i]);
52215 + subj_map_set.s_hash[i] = NULL;
52216 + }
52217 + }
52218 +
52219 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
52220 + PAGE_SIZE)
52221 + kfree(subj_map_set.s_hash);
52222 + else
52223 + vfree(subj_map_set.s_hash);
52224 + }
52225 +
52226 + return;
52227 +}
52228 +
52229 +static void
52230 +free_variables(void)
52231 +{
52232 + struct acl_subject_label *s;
52233 + struct acl_role_label *r;
52234 + struct task_struct *task, *task2;
52235 + unsigned int x;
52236 +
52237 + gr_clear_learn_entries();
52238 +
52239 + read_lock(&tasklist_lock);
52240 + do_each_thread(task2, task) {
52241 + task->acl_sp_role = 0;
52242 + task->acl_role_id = 0;
52243 + task->acl = NULL;
52244 + task->role = NULL;
52245 + } while_each_thread(task2, task);
52246 + read_unlock(&tasklist_lock);
52247 +
52248 + /* release the reference to the real root dentry and vfsmount */
52249 + path_put(&real_root);
52250 +
52251 + /* free all object hash tables */
52252 +
52253 + FOR_EACH_ROLE_START(r)
52254 + if (r->subj_hash == NULL)
52255 + goto next_role;
52256 + FOR_EACH_SUBJECT_START(r, s, x)
52257 + if (s->obj_hash == NULL)
52258 + break;
52259 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52260 + kfree(s->obj_hash);
52261 + else
52262 + vfree(s->obj_hash);
52263 + FOR_EACH_SUBJECT_END(s, x)
52264 + FOR_EACH_NESTED_SUBJECT_START(r, s)
52265 + if (s->obj_hash == NULL)
52266 + break;
52267 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52268 + kfree(s->obj_hash);
52269 + else
52270 + vfree(s->obj_hash);
52271 + FOR_EACH_NESTED_SUBJECT_END(s)
52272 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
52273 + kfree(r->subj_hash);
52274 + else
52275 + vfree(r->subj_hash);
52276 + r->subj_hash = NULL;
52277 +next_role:
52278 + FOR_EACH_ROLE_END(r)
52279 +
52280 + acl_free_all();
52281 +
52282 + if (acl_role_set.r_hash) {
52283 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
52284 + PAGE_SIZE)
52285 + kfree(acl_role_set.r_hash);
52286 + else
52287 + vfree(acl_role_set.r_hash);
52288 + }
52289 + if (name_set.n_hash) {
52290 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
52291 + PAGE_SIZE)
52292 + kfree(name_set.n_hash);
52293 + else
52294 + vfree(name_set.n_hash);
52295 + }
52296 +
52297 + if (inodev_set.i_hash) {
52298 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
52299 + PAGE_SIZE)
52300 + kfree(inodev_set.i_hash);
52301 + else
52302 + vfree(inodev_set.i_hash);
52303 + }
52304 +
52305 + gr_free_uidset();
52306 +
52307 + memset(&name_set, 0, sizeof (struct name_db));
52308 + memset(&inodev_set, 0, sizeof (struct inodev_db));
52309 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
52310 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
52311 +
52312 + default_role = NULL;
52313 + role_list = NULL;
52314 +
52315 + return;
52316 +}
52317 +
52318 +static __u32
52319 +count_user_objs(struct acl_object_label *userp)
52320 +{
52321 + struct acl_object_label o_tmp;
52322 + __u32 num = 0;
52323 +
52324 + while (userp) {
52325 + if (copy_from_user(&o_tmp, userp,
52326 + sizeof (struct acl_object_label)))
52327 + break;
52328 +
52329 + userp = o_tmp.prev;
52330 + num++;
52331 + }
52332 +
52333 + return num;
52334 +}
52335 +
52336 +static struct acl_subject_label *
52337 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
52338 +
52339 +static int
52340 +copy_user_glob(struct acl_object_label *obj)
52341 +{
52342 + struct acl_object_label *g_tmp, **guser;
52343 + unsigned int len;
52344 + char *tmp;
52345 +
52346 + if (obj->globbed == NULL)
52347 + return 0;
52348 +
52349 + guser = &obj->globbed;
52350 + while (*guser) {
52351 + g_tmp = (struct acl_object_label *)
52352 + acl_alloc(sizeof (struct acl_object_label));
52353 + if (g_tmp == NULL)
52354 + return -ENOMEM;
52355 +
52356 + if (copy_from_user(g_tmp, *guser,
52357 + sizeof (struct acl_object_label)))
52358 + return -EFAULT;
52359 +
52360 + len = strnlen_user(g_tmp->filename, PATH_MAX);
52361 +
52362 + if (!len || len >= PATH_MAX)
52363 + return -EINVAL;
52364 +
52365 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52366 + return -ENOMEM;
52367 +
52368 + if (copy_from_user(tmp, g_tmp->filename, len))
52369 + return -EFAULT;
52370 + tmp[len-1] = '\0';
52371 + g_tmp->filename = tmp;
52372 +
52373 + *guser = g_tmp;
52374 + guser = &(g_tmp->next);
52375 + }
52376 +
52377 + return 0;
52378 +}
52379 +
52380 +static int
52381 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
52382 + struct acl_role_label *role)
52383 +{
52384 + struct acl_object_label *o_tmp;
52385 + unsigned int len;
52386 + int ret;
52387 + char *tmp;
52388 +
52389 + while (userp) {
52390 + if ((o_tmp = (struct acl_object_label *)
52391 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
52392 + return -ENOMEM;
52393 +
52394 + if (copy_from_user(o_tmp, userp,
52395 + sizeof (struct acl_object_label)))
52396 + return -EFAULT;
52397 +
52398 + userp = o_tmp->prev;
52399 +
52400 + len = strnlen_user(o_tmp->filename, PATH_MAX);
52401 +
52402 + if (!len || len >= PATH_MAX)
52403 + return -EINVAL;
52404 +
52405 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52406 + return -ENOMEM;
52407 +
52408 + if (copy_from_user(tmp, o_tmp->filename, len))
52409 + return -EFAULT;
52410 + tmp[len-1] = '\0';
52411 + o_tmp->filename = tmp;
52412 +
52413 + insert_acl_obj_label(o_tmp, subj);
52414 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
52415 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
52416 + return -ENOMEM;
52417 +
52418 + ret = copy_user_glob(o_tmp);
52419 + if (ret)
52420 + return ret;
52421 +
52422 + if (o_tmp->nested) {
52423 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
52424 + if (IS_ERR(o_tmp->nested))
52425 + return PTR_ERR(o_tmp->nested);
52426 +
52427 + /* insert into nested subject list */
52428 + o_tmp->nested->next = role->hash->first;
52429 + role->hash->first = o_tmp->nested;
52430 + }
52431 + }
52432 +
52433 + return 0;
52434 +}
52435 +
52436 +static __u32
52437 +count_user_subjs(struct acl_subject_label *userp)
52438 +{
52439 + struct acl_subject_label s_tmp;
52440 + __u32 num = 0;
52441 +
52442 + while (userp) {
52443 + if (copy_from_user(&s_tmp, userp,
52444 + sizeof (struct acl_subject_label)))
52445 + break;
52446 +
52447 + userp = s_tmp.prev;
52448 + /* do not count nested subjects against this count, since
52449 + they are not included in the hash table, but are
52450 + attached to objects. We have already counted
52451 + the subjects in userspace for the allocation
52452 + stack
52453 + */
52454 + if (!(s_tmp.mode & GR_NESTED))
52455 + num++;
52456 + }
52457 +
52458 + return num;
52459 +}
52460 +
52461 +static int
52462 +copy_user_allowedips(struct acl_role_label *rolep)
52463 +{
52464 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
52465 +
52466 + ruserip = rolep->allowed_ips;
52467 +
52468 + while (ruserip) {
52469 + rlast = rtmp;
52470 +
52471 + if ((rtmp = (struct role_allowed_ip *)
52472 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
52473 + return -ENOMEM;
52474 +
52475 + if (copy_from_user(rtmp, ruserip,
52476 + sizeof (struct role_allowed_ip)))
52477 + return -EFAULT;
52478 +
52479 + ruserip = rtmp->prev;
52480 +
52481 + if (!rlast) {
52482 + rtmp->prev = NULL;
52483 + rolep->allowed_ips = rtmp;
52484 + } else {
52485 + rlast->next = rtmp;
52486 + rtmp->prev = rlast;
52487 + }
52488 +
52489 + if (!ruserip)
52490 + rtmp->next = NULL;
52491 + }
52492 +
52493 + return 0;
52494 +}
52495 +
52496 +static int
52497 +copy_user_transitions(struct acl_role_label *rolep)
52498 +{
52499 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
52500 +
52501 + unsigned int len;
52502 + char *tmp;
52503 +
52504 + rusertp = rolep->transitions;
52505 +
52506 + while (rusertp) {
52507 + rlast = rtmp;
52508 +
52509 + if ((rtmp = (struct role_transition *)
52510 + acl_alloc(sizeof (struct role_transition))) == NULL)
52511 + return -ENOMEM;
52512 +
52513 + if (copy_from_user(rtmp, rusertp,
52514 + sizeof (struct role_transition)))
52515 + return -EFAULT;
52516 +
52517 + rusertp = rtmp->prev;
52518 +
52519 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
52520 +
52521 + if (!len || len >= GR_SPROLE_LEN)
52522 + return -EINVAL;
52523 +
52524 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52525 + return -ENOMEM;
52526 +
52527 + if (copy_from_user(tmp, rtmp->rolename, len))
52528 + return -EFAULT;
52529 + tmp[len-1] = '\0';
52530 + rtmp->rolename = tmp;
52531 +
52532 + if (!rlast) {
52533 + rtmp->prev = NULL;
52534 + rolep->transitions = rtmp;
52535 + } else {
52536 + rlast->next = rtmp;
52537 + rtmp->prev = rlast;
52538 + }
52539 +
52540 + if (!rusertp)
52541 + rtmp->next = NULL;
52542 + }
52543 +
52544 + return 0;
52545 +}
52546 +
52547 +static struct acl_subject_label *
52548 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
52549 +{
52550 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
52551 + unsigned int len;
52552 + char *tmp;
52553 + __u32 num_objs;
52554 + struct acl_ip_label **i_tmp, *i_utmp2;
52555 + struct gr_hash_struct ghash;
52556 + struct subject_map *subjmap;
52557 + unsigned int i_num;
52558 + int err;
52559 +
52560 + s_tmp = lookup_subject_map(userp);
52561 +
52562 + /* we've already copied this subject into the kernel, just return
52563 + the reference to it, and don't copy it over again
52564 + */
52565 + if (s_tmp)
52566 + return(s_tmp);
52567 +
52568 + if ((s_tmp = (struct acl_subject_label *)
52569 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
52570 + return ERR_PTR(-ENOMEM);
52571 +
52572 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
52573 + if (subjmap == NULL)
52574 + return ERR_PTR(-ENOMEM);
52575 +
52576 + subjmap->user = userp;
52577 + subjmap->kernel = s_tmp;
52578 + insert_subj_map_entry(subjmap);
52579 +
52580 + if (copy_from_user(s_tmp, userp,
52581 + sizeof (struct acl_subject_label)))
52582 + return ERR_PTR(-EFAULT);
52583 +
52584 + len = strnlen_user(s_tmp->filename, PATH_MAX);
52585 +
52586 + if (!len || len >= PATH_MAX)
52587 + return ERR_PTR(-EINVAL);
52588 +
52589 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52590 + return ERR_PTR(-ENOMEM);
52591 +
52592 + if (copy_from_user(tmp, s_tmp->filename, len))
52593 + return ERR_PTR(-EFAULT);
52594 + tmp[len-1] = '\0';
52595 + s_tmp->filename = tmp;
52596 +
52597 + if (!strcmp(s_tmp->filename, "/"))
52598 + role->root_label = s_tmp;
52599 +
52600 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
52601 + return ERR_PTR(-EFAULT);
52602 +
52603 + /* copy user and group transition tables */
52604 +
52605 + if (s_tmp->user_trans_num) {
52606 + uid_t *uidlist;
52607 +
52608 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
52609 + if (uidlist == NULL)
52610 + return ERR_PTR(-ENOMEM);
52611 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
52612 + return ERR_PTR(-EFAULT);
52613 +
52614 + s_tmp->user_transitions = uidlist;
52615 + }
52616 +
52617 + if (s_tmp->group_trans_num) {
52618 + gid_t *gidlist;
52619 +
52620 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
52621 + if (gidlist == NULL)
52622 + return ERR_PTR(-ENOMEM);
52623 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
52624 + return ERR_PTR(-EFAULT);
52625 +
52626 + s_tmp->group_transitions = gidlist;
52627 + }
52628 +
52629 + /* set up object hash table */
52630 + num_objs = count_user_objs(ghash.first);
52631 +
52632 + s_tmp->obj_hash_size = num_objs;
52633 + s_tmp->obj_hash =
52634 + (struct acl_object_label **)
52635 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
52636 +
52637 + if (!s_tmp->obj_hash)
52638 + return ERR_PTR(-ENOMEM);
52639 +
52640 + memset(s_tmp->obj_hash, 0,
52641 + s_tmp->obj_hash_size *
52642 + sizeof (struct acl_object_label *));
52643 +
52644 + /* add in objects */
52645 + err = copy_user_objs(ghash.first, s_tmp, role);
52646 +
52647 + if (err)
52648 + return ERR_PTR(err);
52649 +
52650 + /* set pointer for parent subject */
52651 + if (s_tmp->parent_subject) {
52652 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
52653 +
52654 + if (IS_ERR(s_tmp2))
52655 + return s_tmp2;
52656 +
52657 + s_tmp->parent_subject = s_tmp2;
52658 + }
52659 +
52660 + /* add in ip acls */
52661 +
52662 + if (!s_tmp->ip_num) {
52663 + s_tmp->ips = NULL;
52664 + goto insert;
52665 + }
52666 +
52667 + i_tmp =
52668 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
52669 + sizeof (struct acl_ip_label *));
52670 +
52671 + if (!i_tmp)
52672 + return ERR_PTR(-ENOMEM);
52673 +
52674 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
52675 + *(i_tmp + i_num) =
52676 + (struct acl_ip_label *)
52677 + acl_alloc(sizeof (struct acl_ip_label));
52678 + if (!*(i_tmp + i_num))
52679 + return ERR_PTR(-ENOMEM);
52680 +
52681 + if (copy_from_user
52682 + (&i_utmp2, s_tmp->ips + i_num,
52683 + sizeof (struct acl_ip_label *)))
52684 + return ERR_PTR(-EFAULT);
52685 +
52686 + if (copy_from_user
52687 + (*(i_tmp + i_num), i_utmp2,
52688 + sizeof (struct acl_ip_label)))
52689 + return ERR_PTR(-EFAULT);
52690 +
52691 + if ((*(i_tmp + i_num))->iface == NULL)
52692 + continue;
52693 +
52694 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
52695 + if (!len || len >= IFNAMSIZ)
52696 + return ERR_PTR(-EINVAL);
52697 + tmp = acl_alloc(len);
52698 + if (tmp == NULL)
52699 + return ERR_PTR(-ENOMEM);
52700 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
52701 + return ERR_PTR(-EFAULT);
52702 + (*(i_tmp + i_num))->iface = tmp;
52703 + }
52704 +
52705 + s_tmp->ips = i_tmp;
52706 +
52707 +insert:
52708 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
52709 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
52710 + return ERR_PTR(-ENOMEM);
52711 +
52712 + return s_tmp;
52713 +}
52714 +
52715 +static int
52716 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
52717 +{
52718 + struct acl_subject_label s_pre;
52719 + struct acl_subject_label * ret;
52720 + int err;
52721 +
52722 + while (userp) {
52723 + if (copy_from_user(&s_pre, userp,
52724 + sizeof (struct acl_subject_label)))
52725 + return -EFAULT;
52726 +
52727 + /* do not add nested subjects here, add
52728 + while parsing objects
52729 + */
52730 +
52731 + if (s_pre.mode & GR_NESTED) {
52732 + userp = s_pre.prev;
52733 + continue;
52734 + }
52735 +
52736 + ret = do_copy_user_subj(userp, role);
52737 +
52738 + err = PTR_ERR(ret);
52739 + if (IS_ERR(ret))
52740 + return err;
52741 +
52742 + insert_acl_subj_label(ret, role);
52743 +
52744 + userp = s_pre.prev;
52745 + }
52746 +
52747 + return 0;
52748 +}
52749 +
52750 +static int
52751 +copy_user_acl(struct gr_arg *arg)
52752 +{
52753 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
52754 + struct sprole_pw *sptmp;
52755 + struct gr_hash_struct *ghash;
52756 + uid_t *domainlist;
52757 + unsigned int r_num;
52758 + unsigned int len;
52759 + char *tmp;
52760 + int err = 0;
52761 + __u16 i;
52762 + __u32 num_subjs;
52763 +
52764 + /* we need a default and kernel role */
52765 + if (arg->role_db.num_roles < 2)
52766 + return -EINVAL;
52767 +
52768 + /* copy special role authentication info from userspace */
52769 +
52770 + num_sprole_pws = arg->num_sprole_pws;
52771 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
52772 +
52773 + if (!acl_special_roles) {
52774 + err = -ENOMEM;
52775 + goto cleanup;
52776 + }
52777 +
52778 + for (i = 0; i < num_sprole_pws; i++) {
52779 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
52780 + if (!sptmp) {
52781 + err = -ENOMEM;
52782 + goto cleanup;
52783 + }
52784 + if (copy_from_user(sptmp, arg->sprole_pws + i,
52785 + sizeof (struct sprole_pw))) {
52786 + err = -EFAULT;
52787 + goto cleanup;
52788 + }
52789 +
52790 + len =
52791 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
52792 +
52793 + if (!len || len >= GR_SPROLE_LEN) {
52794 + err = -EINVAL;
52795 + goto cleanup;
52796 + }
52797 +
52798 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
52799 + err = -ENOMEM;
52800 + goto cleanup;
52801 + }
52802 +
52803 + if (copy_from_user(tmp, sptmp->rolename, len)) {
52804 + err = -EFAULT;
52805 + goto cleanup;
52806 + }
52807 + tmp[len-1] = '\0';
52808 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52809 + printk(KERN_ALERT "Copying special role %s\n", tmp);
52810 +#endif
52811 + sptmp->rolename = tmp;
52812 + acl_special_roles[i] = sptmp;
52813 + }
52814 +
52815 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
52816 +
52817 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
52818 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
52819 +
52820 + if (!r_tmp) {
52821 + err = -ENOMEM;
52822 + goto cleanup;
52823 + }
52824 +
52825 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
52826 + sizeof (struct acl_role_label *))) {
52827 + err = -EFAULT;
52828 + goto cleanup;
52829 + }
52830 +
52831 + if (copy_from_user(r_tmp, r_utmp2,
52832 + sizeof (struct acl_role_label))) {
52833 + err = -EFAULT;
52834 + goto cleanup;
52835 + }
52836 +
52837 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
52838 +
52839 + if (!len || len >= PATH_MAX) {
52840 + err = -EINVAL;
52841 + goto cleanup;
52842 + }
52843 +
52844 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
52845 + err = -ENOMEM;
52846 + goto cleanup;
52847 + }
52848 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
52849 + err = -EFAULT;
52850 + goto cleanup;
52851 + }
52852 + tmp[len-1] = '\0';
52853 + r_tmp->rolename = tmp;
52854 +
52855 + if (!strcmp(r_tmp->rolename, "default")
52856 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
52857 + default_role = r_tmp;
52858 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
52859 + kernel_role = r_tmp;
52860 + }
52861 +
52862 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
52863 + err = -ENOMEM;
52864 + goto cleanup;
52865 + }
52866 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
52867 + err = -EFAULT;
52868 + goto cleanup;
52869 + }
52870 +
52871 + r_tmp->hash = ghash;
52872 +
52873 + num_subjs = count_user_subjs(r_tmp->hash->first);
52874 +
52875 + r_tmp->subj_hash_size = num_subjs;
52876 + r_tmp->subj_hash =
52877 + (struct acl_subject_label **)
52878 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
52879 +
52880 + if (!r_tmp->subj_hash) {
52881 + err = -ENOMEM;
52882 + goto cleanup;
52883 + }
52884 +
52885 + err = copy_user_allowedips(r_tmp);
52886 + if (err)
52887 + goto cleanup;
52888 +
52889 + /* copy domain info */
52890 + if (r_tmp->domain_children != NULL) {
52891 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
52892 + if (domainlist == NULL) {
52893 + err = -ENOMEM;
52894 + goto cleanup;
52895 + }
52896 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
52897 + err = -EFAULT;
52898 + goto cleanup;
52899 + }
52900 + r_tmp->domain_children = domainlist;
52901 + }
52902 +
52903 + err = copy_user_transitions(r_tmp);
52904 + if (err)
52905 + goto cleanup;
52906 +
52907 + memset(r_tmp->subj_hash, 0,
52908 + r_tmp->subj_hash_size *
52909 + sizeof (struct acl_subject_label *));
52910 +
52911 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
52912 +
52913 + if (err)
52914 + goto cleanup;
52915 +
52916 + /* set nested subject list to null */
52917 + r_tmp->hash->first = NULL;
52918 +
52919 + insert_acl_role_label(r_tmp);
52920 + }
52921 +
52922 + goto return_err;
52923 + cleanup:
52924 + free_variables();
52925 + return_err:
52926 + return err;
52927 +
52928 +}
52929 +
52930 +static int
52931 +gracl_init(struct gr_arg *args)
52932 +{
52933 + int error = 0;
52934 +
52935 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
52936 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
52937 +
52938 + if (init_variables(args)) {
52939 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
52940 + error = -ENOMEM;
52941 + free_variables();
52942 + goto out;
52943 + }
52944 +
52945 + error = copy_user_acl(args);
52946 + free_init_variables();
52947 + if (error) {
52948 + free_variables();
52949 + goto out;
52950 + }
52951 +
52952 + if ((error = gr_set_acls(0))) {
52953 + free_variables();
52954 + goto out;
52955 + }
52956 +
52957 + pax_open_kernel();
52958 + gr_status |= GR_READY;
52959 + pax_close_kernel();
52960 +
52961 + out:
52962 + return error;
52963 +}
52964 +
52965 +/* derived from glibc fnmatch() 0: match, 1: no match*/
52966 +
52967 +static int
52968 +glob_match(const char *p, const char *n)
52969 +{
52970 + char c;
52971 +
52972 + while ((c = *p++) != '\0') {
52973 + switch (c) {
52974 + case '?':
52975 + if (*n == '\0')
52976 + return 1;
52977 + else if (*n == '/')
52978 + return 1;
52979 + break;
52980 + case '\\':
52981 + if (*n != c)
52982 + return 1;
52983 + break;
52984 + case '*':
52985 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
52986 + if (*n == '/')
52987 + return 1;
52988 + else if (c == '?') {
52989 + if (*n == '\0')
52990 + return 1;
52991 + else
52992 + ++n;
52993 + }
52994 + }
52995 + if (c == '\0') {
52996 + return 0;
52997 + } else {
52998 + const char *endp;
52999 +
53000 + if ((endp = strchr(n, '/')) == NULL)
53001 + endp = n + strlen(n);
53002 +
53003 + if (c == '[') {
53004 + for (--p; n < endp; ++n)
53005 + if (!glob_match(p, n))
53006 + return 0;
53007 + } else if (c == '/') {
53008 + while (*n != '\0' && *n != '/')
53009 + ++n;
53010 + if (*n == '/' && !glob_match(p, n + 1))
53011 + return 0;
53012 + } else {
53013 + for (--p; n < endp; ++n)
53014 + if (*n == c && !glob_match(p, n))
53015 + return 0;
53016 + }
53017 +
53018 + return 1;
53019 + }
53020 + case '[':
53021 + {
53022 + int not;
53023 + char cold;
53024 +
53025 + if (*n == '\0' || *n == '/')
53026 + return 1;
53027 +
53028 + not = (*p == '!' || *p == '^');
53029 + if (not)
53030 + ++p;
53031 +
53032 + c = *p++;
53033 + for (;;) {
53034 + unsigned char fn = (unsigned char)*n;
53035 +
53036 + if (c == '\0')
53037 + return 1;
53038 + else {
53039 + if (c == fn)
53040 + goto matched;
53041 + cold = c;
53042 + c = *p++;
53043 +
53044 + if (c == '-' && *p != ']') {
53045 + unsigned char cend = *p++;
53046 +
53047 + if (cend == '\0')
53048 + return 1;
53049 +
53050 + if (cold <= fn && fn <= cend)
53051 + goto matched;
53052 +
53053 + c = *p++;
53054 + }
53055 + }
53056 +
53057 + if (c == ']')
53058 + break;
53059 + }
53060 + if (!not)
53061 + return 1;
53062 + break;
53063 + matched:
53064 + while (c != ']') {
53065 + if (c == '\0')
53066 + return 1;
53067 +
53068 + c = *p++;
53069 + }
53070 + if (not)
53071 + return 1;
53072 + }
53073 + break;
53074 + default:
53075 + if (c != *n)
53076 + return 1;
53077 + }
53078 +
53079 + ++n;
53080 + }
53081 +
53082 + if (*n == '\0')
53083 + return 0;
53084 +
53085 + if (*n == '/')
53086 + return 0;
53087 +
53088 + return 1;
53089 +}
53090 +
53091 +static struct acl_object_label *
53092 +chk_glob_label(struct acl_object_label *globbed,
53093 + struct dentry *dentry, struct vfsmount *mnt, char **path)
53094 +{
53095 + struct acl_object_label *tmp;
53096 +
53097 + if (*path == NULL)
53098 + *path = gr_to_filename_nolock(dentry, mnt);
53099 +
53100 + tmp = globbed;
53101 +
53102 + while (tmp) {
53103 + if (!glob_match(tmp->filename, *path))
53104 + return tmp;
53105 + tmp = tmp->next;
53106 + }
53107 +
53108 + return NULL;
53109 +}
53110 +
53111 +static struct acl_object_label *
53112 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53113 + const ino_t curr_ino, const dev_t curr_dev,
53114 + const struct acl_subject_label *subj, char **path, const int checkglob)
53115 +{
53116 + struct acl_subject_label *tmpsubj;
53117 + struct acl_object_label *retval;
53118 + struct acl_object_label *retval2;
53119 +
53120 + tmpsubj = (struct acl_subject_label *) subj;
53121 + read_lock(&gr_inode_lock);
53122 + do {
53123 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53124 + if (retval) {
53125 + if (checkglob && retval->globbed) {
53126 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
53127 + (struct vfsmount *)orig_mnt, path);
53128 + if (retval2)
53129 + retval = retval2;
53130 + }
53131 + break;
53132 + }
53133 + } while ((tmpsubj = tmpsubj->parent_subject));
53134 + read_unlock(&gr_inode_lock);
53135 +
53136 + return retval;
53137 +}
53138 +
53139 +static __inline__ struct acl_object_label *
53140 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53141 + struct dentry *curr_dentry,
53142 + const struct acl_subject_label *subj, char **path, const int checkglob)
53143 +{
53144 + int newglob = checkglob;
53145 + ino_t inode;
53146 + dev_t device;
53147 +
53148 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
53149 + as we don't want a / * rule to match instead of the / object
53150 + don't do this for create lookups that call this function though, since they're looking up
53151 + on the parent and thus need globbing checks on all paths
53152 + */
53153 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
53154 + newglob = GR_NO_GLOB;
53155 +
53156 + spin_lock(&curr_dentry->d_lock);
53157 + inode = curr_dentry->d_inode->i_ino;
53158 + device = __get_dev(curr_dentry);
53159 + spin_unlock(&curr_dentry->d_lock);
53160 +
53161 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
53162 +}
53163 +
53164 +static struct acl_object_label *
53165 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53166 + const struct acl_subject_label *subj, char *path, const int checkglob)
53167 +{
53168 + struct dentry *dentry = (struct dentry *) l_dentry;
53169 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53170 + struct acl_object_label *retval;
53171 + struct dentry *parent;
53172 +
53173 + write_seqlock(&rename_lock);
53174 + br_read_lock(vfsmount_lock);
53175 +
53176 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
53177 +#ifdef CONFIG_NET
53178 + mnt == sock_mnt ||
53179 +#endif
53180 +#ifdef CONFIG_HUGETLBFS
53181 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
53182 +#endif
53183 + /* ignore Eric Biederman */
53184 + IS_PRIVATE(l_dentry->d_inode))) {
53185 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
53186 + goto out;
53187 + }
53188 +
53189 + for (;;) {
53190 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53191 + break;
53192 +
53193 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53194 + if (mnt->mnt_parent == mnt)
53195 + break;
53196 +
53197 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53198 + if (retval != NULL)
53199 + goto out;
53200 +
53201 + dentry = mnt->mnt_mountpoint;
53202 + mnt = mnt->mnt_parent;
53203 + continue;
53204 + }
53205 +
53206 + parent = dentry->d_parent;
53207 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53208 + if (retval != NULL)
53209 + goto out;
53210 +
53211 + dentry = parent;
53212 + }
53213 +
53214 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53215 +
53216 + /* real_root is pinned so we don't have to hold a reference */
53217 + if (retval == NULL)
53218 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
53219 +out:
53220 + br_read_unlock(vfsmount_lock);
53221 + write_sequnlock(&rename_lock);
53222 +
53223 + BUG_ON(retval == NULL);
53224 +
53225 + return retval;
53226 +}
53227 +
53228 +static __inline__ struct acl_object_label *
53229 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53230 + const struct acl_subject_label *subj)
53231 +{
53232 + char *path = NULL;
53233 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
53234 +}
53235 +
53236 +static __inline__ struct acl_object_label *
53237 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53238 + const struct acl_subject_label *subj)
53239 +{
53240 + char *path = NULL;
53241 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
53242 +}
53243 +
53244 +static __inline__ struct acl_object_label *
53245 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53246 + const struct acl_subject_label *subj, char *path)
53247 +{
53248 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
53249 +}
53250 +
53251 +static struct acl_subject_label *
53252 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53253 + const struct acl_role_label *role)
53254 +{
53255 + struct dentry *dentry = (struct dentry *) l_dentry;
53256 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53257 + struct acl_subject_label *retval;
53258 + struct dentry *parent;
53259 +
53260 + write_seqlock(&rename_lock);
53261 + br_read_lock(vfsmount_lock);
53262 +
53263 + for (;;) {
53264 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53265 + break;
53266 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53267 + if (mnt->mnt_parent == mnt)
53268 + break;
53269 +
53270 + spin_lock(&dentry->d_lock);
53271 + read_lock(&gr_inode_lock);
53272 + retval =
53273 + lookup_acl_subj_label(dentry->d_inode->i_ino,
53274 + __get_dev(dentry), role);
53275 + read_unlock(&gr_inode_lock);
53276 + spin_unlock(&dentry->d_lock);
53277 + if (retval != NULL)
53278 + goto out;
53279 +
53280 + dentry = mnt->mnt_mountpoint;
53281 + mnt = mnt->mnt_parent;
53282 + continue;
53283 + }
53284 +
53285 + spin_lock(&dentry->d_lock);
53286 + read_lock(&gr_inode_lock);
53287 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53288 + __get_dev(dentry), role);
53289 + read_unlock(&gr_inode_lock);
53290 + parent = dentry->d_parent;
53291 + spin_unlock(&dentry->d_lock);
53292 +
53293 + if (retval != NULL)
53294 + goto out;
53295 +
53296 + dentry = parent;
53297 + }
53298 +
53299 + spin_lock(&dentry->d_lock);
53300 + read_lock(&gr_inode_lock);
53301 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53302 + __get_dev(dentry), role);
53303 + read_unlock(&gr_inode_lock);
53304 + spin_unlock(&dentry->d_lock);
53305 +
53306 + if (unlikely(retval == NULL)) {
53307 + /* real_root is pinned, we don't need to hold a reference */
53308 + read_lock(&gr_inode_lock);
53309 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
53310 + __get_dev(real_root.dentry), role);
53311 + read_unlock(&gr_inode_lock);
53312 + }
53313 +out:
53314 + br_read_unlock(vfsmount_lock);
53315 + write_sequnlock(&rename_lock);
53316 +
53317 + BUG_ON(retval == NULL);
53318 +
53319 + return retval;
53320 +}
53321 +
53322 +static void
53323 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
53324 +{
53325 + struct task_struct *task = current;
53326 + const struct cred *cred = current_cred();
53327 +
53328 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53329 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53330 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53331 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
53332 +
53333 + return;
53334 +}
53335 +
53336 +static void
53337 +gr_log_learn_sysctl(const char *path, const __u32 mode)
53338 +{
53339 + struct task_struct *task = current;
53340 + const struct cred *cred = current_cred();
53341 +
53342 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53343 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53344 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53345 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
53346 +
53347 + return;
53348 +}
53349 +
53350 +static void
53351 +gr_log_learn_id_change(const char type, const unsigned int real,
53352 + const unsigned int effective, const unsigned int fs)
53353 +{
53354 + struct task_struct *task = current;
53355 + const struct cred *cred = current_cred();
53356 +
53357 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
53358 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53359 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53360 + type, real, effective, fs, &task->signal->saved_ip);
53361 +
53362 + return;
53363 +}
53364 +
53365 +__u32
53366 +gr_check_link(const struct dentry * new_dentry,
53367 + const struct dentry * parent_dentry,
53368 + const struct vfsmount * parent_mnt,
53369 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
53370 +{
53371 + struct acl_object_label *obj;
53372 + __u32 oldmode, newmode;
53373 + __u32 needmode;
53374 +
53375 + if (unlikely(!(gr_status & GR_READY)))
53376 + return (GR_CREATE | GR_LINK);
53377 +
53378 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
53379 + oldmode = obj->mode;
53380 +
53381 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53382 + oldmode |= (GR_CREATE | GR_LINK);
53383 +
53384 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
53385 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53386 + needmode |= GR_SETID | GR_AUDIT_SETID;
53387 +
53388 + newmode =
53389 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53390 + oldmode | needmode);
53391 +
53392 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
53393 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
53394 + GR_INHERIT | GR_AUDIT_INHERIT);
53395 +
53396 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
53397 + goto bad;
53398 +
53399 + if ((oldmode & needmode) != needmode)
53400 + goto bad;
53401 +
53402 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
53403 + if ((newmode & needmode) != needmode)
53404 + goto bad;
53405 +
53406 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
53407 + return newmode;
53408 +bad:
53409 + needmode = oldmode;
53410 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53411 + needmode |= GR_SETID;
53412 +
53413 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53414 + gr_log_learn(old_dentry, old_mnt, needmode);
53415 + return (GR_CREATE | GR_LINK);
53416 + } else if (newmode & GR_SUPPRESS)
53417 + return GR_SUPPRESS;
53418 + else
53419 + return 0;
53420 +}
53421 +
53422 +__u32
53423 +gr_search_file(const struct dentry * dentry, const __u32 mode,
53424 + const struct vfsmount * mnt)
53425 +{
53426 + __u32 retval = mode;
53427 + struct acl_subject_label *curracl;
53428 + struct acl_object_label *currobj;
53429 +
53430 + if (unlikely(!(gr_status & GR_READY)))
53431 + return (mode & ~GR_AUDITS);
53432 +
53433 + curracl = current->acl;
53434 +
53435 + currobj = chk_obj_label(dentry, mnt, curracl);
53436 + retval = currobj->mode & mode;
53437 +
53438 + /* if we're opening a specified transfer file for writing
53439 + (e.g. /dev/initctl), then transfer our role to init
53440 + */
53441 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
53442 + current->role->roletype & GR_ROLE_PERSIST)) {
53443 + struct task_struct *task = init_pid_ns.child_reaper;
53444 +
53445 + if (task->role != current->role) {
53446 + task->acl_sp_role = 0;
53447 + task->acl_role_id = current->acl_role_id;
53448 + task->role = current->role;
53449 + rcu_read_lock();
53450 + read_lock(&grsec_exec_file_lock);
53451 + gr_apply_subject_to_task(task);
53452 + read_unlock(&grsec_exec_file_lock);
53453 + rcu_read_unlock();
53454 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
53455 + }
53456 + }
53457 +
53458 + if (unlikely
53459 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
53460 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
53461 + __u32 new_mode = mode;
53462 +
53463 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53464 +
53465 + retval = new_mode;
53466 +
53467 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
53468 + new_mode |= GR_INHERIT;
53469 +
53470 + if (!(mode & GR_NOLEARN))
53471 + gr_log_learn(dentry, mnt, new_mode);
53472 + }
53473 +
53474 + return retval;
53475 +}
53476 +
53477 +__u32
53478 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
53479 + const struct vfsmount * mnt, const __u32 mode)
53480 +{
53481 + struct name_entry *match;
53482 + struct acl_object_label *matchpo;
53483 + struct acl_subject_label *curracl;
53484 + char *path;
53485 + __u32 retval;
53486 +
53487 + if (unlikely(!(gr_status & GR_READY)))
53488 + return (mode & ~GR_AUDITS);
53489 +
53490 + preempt_disable();
53491 + path = gr_to_filename_rbac(new_dentry, mnt);
53492 + match = lookup_name_entry_create(path);
53493 +
53494 + if (!match)
53495 + goto check_parent;
53496 +
53497 + curracl = current->acl;
53498 +
53499 + read_lock(&gr_inode_lock);
53500 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
53501 + read_unlock(&gr_inode_lock);
53502 +
53503 + if (matchpo) {
53504 + if ((matchpo->mode & mode) !=
53505 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
53506 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53507 + __u32 new_mode = mode;
53508 +
53509 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53510 +
53511 + gr_log_learn(new_dentry, mnt, new_mode);
53512 +
53513 + preempt_enable();
53514 + return new_mode;
53515 + }
53516 + preempt_enable();
53517 + return (matchpo->mode & mode);
53518 + }
53519 +
53520 + check_parent:
53521 + curracl = current->acl;
53522 +
53523 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
53524 + retval = matchpo->mode & mode;
53525 +
53526 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
53527 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
53528 + __u32 new_mode = mode;
53529 +
53530 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53531 +
53532 + gr_log_learn(new_dentry, mnt, new_mode);
53533 + preempt_enable();
53534 + return new_mode;
53535 + }
53536 +
53537 + preempt_enable();
53538 + return retval;
53539 +}
53540 +
53541 +int
53542 +gr_check_hidden_task(const struct task_struct *task)
53543 +{
53544 + if (unlikely(!(gr_status & GR_READY)))
53545 + return 0;
53546 +
53547 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
53548 + return 1;
53549 +
53550 + return 0;
53551 +}
53552 +
53553 +int
53554 +gr_check_protected_task(const struct task_struct *task)
53555 +{
53556 + if (unlikely(!(gr_status & GR_READY) || !task))
53557 + return 0;
53558 +
53559 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53560 + task->acl != current->acl)
53561 + return 1;
53562 +
53563 + return 0;
53564 +}
53565 +
53566 +int
53567 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53568 +{
53569 + struct task_struct *p;
53570 + int ret = 0;
53571 +
53572 + if (unlikely(!(gr_status & GR_READY) || !pid))
53573 + return ret;
53574 +
53575 + read_lock(&tasklist_lock);
53576 + do_each_pid_task(pid, type, p) {
53577 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53578 + p->acl != current->acl) {
53579 + ret = 1;
53580 + goto out;
53581 + }
53582 + } while_each_pid_task(pid, type, p);
53583 +out:
53584 + read_unlock(&tasklist_lock);
53585 +
53586 + return ret;
53587 +}
53588 +
53589 +void
53590 +gr_copy_label(struct task_struct *tsk)
53591 +{
53592 + tsk->signal->used_accept = 0;
53593 + tsk->acl_sp_role = 0;
53594 + tsk->acl_role_id = current->acl_role_id;
53595 + tsk->acl = current->acl;
53596 + tsk->role = current->role;
53597 + tsk->signal->curr_ip = current->signal->curr_ip;
53598 + tsk->signal->saved_ip = current->signal->saved_ip;
53599 + if (current->exec_file)
53600 + get_file(current->exec_file);
53601 + tsk->exec_file = current->exec_file;
53602 + tsk->is_writable = current->is_writable;
53603 + if (unlikely(current->signal->used_accept)) {
53604 + current->signal->curr_ip = 0;
53605 + current->signal->saved_ip = 0;
53606 + }
53607 +
53608 + return;
53609 +}
53610 +
53611 +static void
53612 +gr_set_proc_res(struct task_struct *task)
53613 +{
53614 + struct acl_subject_label *proc;
53615 + unsigned short i;
53616 +
53617 + proc = task->acl;
53618 +
53619 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
53620 + return;
53621 +
53622 + for (i = 0; i < RLIM_NLIMITS; i++) {
53623 + if (!(proc->resmask & (1 << i)))
53624 + continue;
53625 +
53626 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
53627 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
53628 + }
53629 +
53630 + return;
53631 +}
53632 +
53633 +extern int __gr_process_user_ban(struct user_struct *user);
53634 +
53635 +int
53636 +gr_check_user_change(int real, int effective, int fs)
53637 +{
53638 + unsigned int i;
53639 + __u16 num;
53640 + uid_t *uidlist;
53641 + int curuid;
53642 + int realok = 0;
53643 + int effectiveok = 0;
53644 + int fsok = 0;
53645 +
53646 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
53647 + struct user_struct *user;
53648 +
53649 + if (real == -1)
53650 + goto skipit;
53651 +
53652 + user = find_user(real);
53653 + if (user == NULL)
53654 + goto skipit;
53655 +
53656 + if (__gr_process_user_ban(user)) {
53657 + /* for find_user */
53658 + free_uid(user);
53659 + return 1;
53660 + }
53661 +
53662 + /* for find_user */
53663 + free_uid(user);
53664 +
53665 +skipit:
53666 +#endif
53667 +
53668 + if (unlikely(!(gr_status & GR_READY)))
53669 + return 0;
53670 +
53671 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53672 + gr_log_learn_id_change('u', real, effective, fs);
53673 +
53674 + num = current->acl->user_trans_num;
53675 + uidlist = current->acl->user_transitions;
53676 +
53677 + if (uidlist == NULL)
53678 + return 0;
53679 +
53680 + if (real == -1)
53681 + realok = 1;
53682 + if (effective == -1)
53683 + effectiveok = 1;
53684 + if (fs == -1)
53685 + fsok = 1;
53686 +
53687 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
53688 + for (i = 0; i < num; i++) {
53689 + curuid = (int)uidlist[i];
53690 + if (real == curuid)
53691 + realok = 1;
53692 + if (effective == curuid)
53693 + effectiveok = 1;
53694 + if (fs == curuid)
53695 + fsok = 1;
53696 + }
53697 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
53698 + for (i = 0; i < num; i++) {
53699 + curuid = (int)uidlist[i];
53700 + if (real == curuid)
53701 + break;
53702 + if (effective == curuid)
53703 + break;
53704 + if (fs == curuid)
53705 + break;
53706 + }
53707 + /* not in deny list */
53708 + if (i == num) {
53709 + realok = 1;
53710 + effectiveok = 1;
53711 + fsok = 1;
53712 + }
53713 + }
53714 +
53715 + if (realok && effectiveok && fsok)
53716 + return 0;
53717 + else {
53718 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
53719 + return 1;
53720 + }
53721 +}
53722 +
53723 +int
53724 +gr_check_group_change(int real, int effective, int fs)
53725 +{
53726 + unsigned int i;
53727 + __u16 num;
53728 + gid_t *gidlist;
53729 + int curgid;
53730 + int realok = 0;
53731 + int effectiveok = 0;
53732 + int fsok = 0;
53733 +
53734 + if (unlikely(!(gr_status & GR_READY)))
53735 + return 0;
53736 +
53737 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53738 + gr_log_learn_id_change('g', real, effective, fs);
53739 +
53740 + num = current->acl->group_trans_num;
53741 + gidlist = current->acl->group_transitions;
53742 +
53743 + if (gidlist == NULL)
53744 + return 0;
53745 +
53746 + if (real == -1)
53747 + realok = 1;
53748 + if (effective == -1)
53749 + effectiveok = 1;
53750 + if (fs == -1)
53751 + fsok = 1;
53752 +
53753 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
53754 + for (i = 0; i < num; i++) {
53755 + curgid = (int)gidlist[i];
53756 + if (real == curgid)
53757 + realok = 1;
53758 + if (effective == curgid)
53759 + effectiveok = 1;
53760 + if (fs == curgid)
53761 + fsok = 1;
53762 + }
53763 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
53764 + for (i = 0; i < num; i++) {
53765 + curgid = (int)gidlist[i];
53766 + if (real == curgid)
53767 + break;
53768 + if (effective == curgid)
53769 + break;
53770 + if (fs == curgid)
53771 + break;
53772 + }
53773 + /* not in deny list */
53774 + if (i == num) {
53775 + realok = 1;
53776 + effectiveok = 1;
53777 + fsok = 1;
53778 + }
53779 + }
53780 +
53781 + if (realok && effectiveok && fsok)
53782 + return 0;
53783 + else {
53784 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
53785 + return 1;
53786 + }
53787 +}
53788 +
53789 +void
53790 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
53791 +{
53792 + struct acl_role_label *role = task->role;
53793 + struct acl_subject_label *subj = NULL;
53794 + struct acl_object_label *obj;
53795 + struct file *filp;
53796 +
53797 + if (unlikely(!(gr_status & GR_READY)))
53798 + return;
53799 +
53800 + filp = task->exec_file;
53801 +
53802 + /* kernel process, we'll give them the kernel role */
53803 + if (unlikely(!filp)) {
53804 + task->role = kernel_role;
53805 + task->acl = kernel_role->root_label;
53806 + return;
53807 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
53808 + role = lookup_acl_role_label(task, uid, gid);
53809 +
53810 + /* perform subject lookup in possibly new role
53811 + we can use this result below in the case where role == task->role
53812 + */
53813 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
53814 +
53815 + /* if we changed uid/gid, but result in the same role
53816 + and are using inheritance, don't lose the inherited subject
53817 + if current subject is other than what normal lookup
53818 + would result in, we arrived via inheritance, don't
53819 + lose subject
53820 + */
53821 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
53822 + (subj == task->acl)))
53823 + task->acl = subj;
53824 +
53825 + task->role = role;
53826 +
53827 + task->is_writable = 0;
53828 +
53829 + /* ignore additional mmap checks for processes that are writable
53830 + by the default ACL */
53831 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
53832 + if (unlikely(obj->mode & GR_WRITE))
53833 + task->is_writable = 1;
53834 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
53835 + if (unlikely(obj->mode & GR_WRITE))
53836 + task->is_writable = 1;
53837 +
53838 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53839 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
53840 +#endif
53841 +
53842 + gr_set_proc_res(task);
53843 +
53844 + return;
53845 +}
53846 +
53847 +int
53848 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
53849 + const int unsafe_share)
53850 +{
53851 + struct task_struct *task = current;
53852 + struct acl_subject_label *newacl;
53853 + struct acl_object_label *obj;
53854 + __u32 retmode;
53855 +
53856 + if (unlikely(!(gr_status & GR_READY)))
53857 + return 0;
53858 +
53859 + newacl = chk_subj_label(dentry, mnt, task->role);
53860 +
53861 + task_lock(task);
53862 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
53863 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
53864 + !(task->role->roletype & GR_ROLE_GOD) &&
53865 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
53866 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
53867 + task_unlock(task);
53868 + if (unsafe_share)
53869 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
53870 + else
53871 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
53872 + return -EACCES;
53873 + }
53874 + task_unlock(task);
53875 +
53876 + obj = chk_obj_label(dentry, mnt, task->acl);
53877 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
53878 +
53879 + if (!(task->acl->mode & GR_INHERITLEARN) &&
53880 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
53881 + if (obj->nested)
53882 + task->acl = obj->nested;
53883 + else
53884 + task->acl = newacl;
53885 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
53886 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
53887 +
53888 + task->is_writable = 0;
53889 +
53890 + /* ignore additional mmap checks for processes that are writable
53891 + by the default ACL */
53892 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
53893 + if (unlikely(obj->mode & GR_WRITE))
53894 + task->is_writable = 1;
53895 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
53896 + if (unlikely(obj->mode & GR_WRITE))
53897 + task->is_writable = 1;
53898 +
53899 + gr_set_proc_res(task);
53900 +
53901 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53902 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
53903 +#endif
53904 + return 0;
53905 +}
53906 +
53907 +/* always called with valid inodev ptr */
53908 +static void
53909 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
53910 +{
53911 + struct acl_object_label *matchpo;
53912 + struct acl_subject_label *matchps;
53913 + struct acl_subject_label *subj;
53914 + struct acl_role_label *role;
53915 + unsigned int x;
53916 +
53917 + FOR_EACH_ROLE_START(role)
53918 + FOR_EACH_SUBJECT_START(role, subj, x)
53919 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
53920 + matchpo->mode |= GR_DELETED;
53921 + FOR_EACH_SUBJECT_END(subj,x)
53922 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
53923 + if (subj->inode == ino && subj->device == dev)
53924 + subj->mode |= GR_DELETED;
53925 + FOR_EACH_NESTED_SUBJECT_END(subj)
53926 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
53927 + matchps->mode |= GR_DELETED;
53928 + FOR_EACH_ROLE_END(role)
53929 +
53930 + inodev->nentry->deleted = 1;
53931 +
53932 + return;
53933 +}
53934 +
53935 +void
53936 +gr_handle_delete(const ino_t ino, const dev_t dev)
53937 +{
53938 + struct inodev_entry *inodev;
53939 +
53940 + if (unlikely(!(gr_status & GR_READY)))
53941 + return;
53942 +
53943 + write_lock(&gr_inode_lock);
53944 + inodev = lookup_inodev_entry(ino, dev);
53945 + if (inodev != NULL)
53946 + do_handle_delete(inodev, ino, dev);
53947 + write_unlock(&gr_inode_lock);
53948 +
53949 + return;
53950 +}
53951 +
53952 +static void
53953 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
53954 + const ino_t newinode, const dev_t newdevice,
53955 + struct acl_subject_label *subj)
53956 +{
53957 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
53958 + struct acl_object_label *match;
53959 +
53960 + match = subj->obj_hash[index];
53961 +
53962 + while (match && (match->inode != oldinode ||
53963 + match->device != olddevice ||
53964 + !(match->mode & GR_DELETED)))
53965 + match = match->next;
53966 +
53967 + if (match && (match->inode == oldinode)
53968 + && (match->device == olddevice)
53969 + && (match->mode & GR_DELETED)) {
53970 + if (match->prev == NULL) {
53971 + subj->obj_hash[index] = match->next;
53972 + if (match->next != NULL)
53973 + match->next->prev = NULL;
53974 + } else {
53975 + match->prev->next = match->next;
53976 + if (match->next != NULL)
53977 + match->next->prev = match->prev;
53978 + }
53979 + match->prev = NULL;
53980 + match->next = NULL;
53981 + match->inode = newinode;
53982 + match->device = newdevice;
53983 + match->mode &= ~GR_DELETED;
53984 +
53985 + insert_acl_obj_label(match, subj);
53986 + }
53987 +
53988 + return;
53989 +}
53990 +
53991 +static void
53992 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
53993 + const ino_t newinode, const dev_t newdevice,
53994 + struct acl_role_label *role)
53995 +{
53996 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
53997 + struct acl_subject_label *match;
53998 +
53999 + match = role->subj_hash[index];
54000 +
54001 + while (match && (match->inode != oldinode ||
54002 + match->device != olddevice ||
54003 + !(match->mode & GR_DELETED)))
54004 + match = match->next;
54005 +
54006 + if (match && (match->inode == oldinode)
54007 + && (match->device == olddevice)
54008 + && (match->mode & GR_DELETED)) {
54009 + if (match->prev == NULL) {
54010 + role->subj_hash[index] = match->next;
54011 + if (match->next != NULL)
54012 + match->next->prev = NULL;
54013 + } else {
54014 + match->prev->next = match->next;
54015 + if (match->next != NULL)
54016 + match->next->prev = match->prev;
54017 + }
54018 + match->prev = NULL;
54019 + match->next = NULL;
54020 + match->inode = newinode;
54021 + match->device = newdevice;
54022 + match->mode &= ~GR_DELETED;
54023 +
54024 + insert_acl_subj_label(match, role);
54025 + }
54026 +
54027 + return;
54028 +}
54029 +
54030 +static void
54031 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54032 + const ino_t newinode, const dev_t newdevice)
54033 +{
54034 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54035 + struct inodev_entry *match;
54036 +
54037 + match = inodev_set.i_hash[index];
54038 +
54039 + while (match && (match->nentry->inode != oldinode ||
54040 + match->nentry->device != olddevice || !match->nentry->deleted))
54041 + match = match->next;
54042 +
54043 + if (match && (match->nentry->inode == oldinode)
54044 + && (match->nentry->device == olddevice) &&
54045 + match->nentry->deleted) {
54046 + if (match->prev == NULL) {
54047 + inodev_set.i_hash[index] = match->next;
54048 + if (match->next != NULL)
54049 + match->next->prev = NULL;
54050 + } else {
54051 + match->prev->next = match->next;
54052 + if (match->next != NULL)
54053 + match->next->prev = match->prev;
54054 + }
54055 + match->prev = NULL;
54056 + match->next = NULL;
54057 + match->nentry->inode = newinode;
54058 + match->nentry->device = newdevice;
54059 + match->nentry->deleted = 0;
54060 +
54061 + insert_inodev_entry(match);
54062 + }
54063 +
54064 + return;
54065 +}
54066 +
54067 +static void
54068 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54069 + const struct vfsmount *mnt)
54070 +{
54071 + struct acl_subject_label *subj;
54072 + struct acl_role_label *role;
54073 + unsigned int x;
54074 + ino_t ino = dentry->d_inode->i_ino;
54075 + dev_t dev = __get_dev(dentry);
54076 +
54077 + FOR_EACH_ROLE_START(role)
54078 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
54079 +
54080 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54081 + if ((subj->inode == ino) && (subj->device == dev)) {
54082 + subj->inode = ino;
54083 + subj->device = dev;
54084 + }
54085 + FOR_EACH_NESTED_SUBJECT_END(subj)
54086 + FOR_EACH_SUBJECT_START(role, subj, x)
54087 + update_acl_obj_label(matchn->inode, matchn->device,
54088 + ino, dev, subj);
54089 + FOR_EACH_SUBJECT_END(subj,x)
54090 + FOR_EACH_ROLE_END(role)
54091 +
54092 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
54093 +
54094 + return;
54095 +}
54096 +
54097 +void
54098 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54099 +{
54100 + struct name_entry *matchn;
54101 +
54102 + if (unlikely(!(gr_status & GR_READY)))
54103 + return;
54104 +
54105 + preempt_disable();
54106 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54107 +
54108 + if (unlikely((unsigned long)matchn)) {
54109 + write_lock(&gr_inode_lock);
54110 + do_handle_create(matchn, dentry, mnt);
54111 + write_unlock(&gr_inode_lock);
54112 + }
54113 + preempt_enable();
54114 +
54115 + return;
54116 +}
54117 +
54118 +void
54119 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54120 + struct dentry *old_dentry,
54121 + struct dentry *new_dentry,
54122 + struct vfsmount *mnt, const __u8 replace)
54123 +{
54124 + struct name_entry *matchn;
54125 + struct inodev_entry *inodev;
54126 + ino_t old_ino = old_dentry->d_inode->i_ino;
54127 + dev_t old_dev = __get_dev(old_dentry);
54128 +
54129 + /* vfs_rename swaps the name and parent link for old_dentry and
54130 + new_dentry
54131 + at this point, old_dentry has the new name, parent link, and inode
54132 + for the renamed file
54133 + if a file is being replaced by a rename, new_dentry has the inode
54134 + and name for the replaced file
54135 + */
54136 +
54137 + if (unlikely(!(gr_status & GR_READY)))
54138 + return;
54139 +
54140 + preempt_disable();
54141 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
54142 +
54143 + /* we wouldn't have to check d_inode if it weren't for
54144 + NFS silly-renaming
54145 + */
54146 +
54147 + write_lock(&gr_inode_lock);
54148 + if (unlikely(replace && new_dentry->d_inode)) {
54149 + ino_t new_ino = new_dentry->d_inode->i_ino;
54150 + dev_t new_dev = __get_dev(new_dentry);
54151 +
54152 + inodev = lookup_inodev_entry(new_ino, new_dev);
54153 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
54154 + do_handle_delete(inodev, new_ino, new_dev);
54155 + }
54156 +
54157 + inodev = lookup_inodev_entry(old_ino, old_dev);
54158 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
54159 + do_handle_delete(inodev, old_ino, old_dev);
54160 +
54161 + if (unlikely((unsigned long)matchn))
54162 + do_handle_create(matchn, old_dentry, mnt);
54163 +
54164 + write_unlock(&gr_inode_lock);
54165 + preempt_enable();
54166 +
54167 + return;
54168 +}
54169 +
54170 +static int
54171 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
54172 + unsigned char **sum)
54173 +{
54174 + struct acl_role_label *r;
54175 + struct role_allowed_ip *ipp;
54176 + struct role_transition *trans;
54177 + unsigned int i;
54178 + int found = 0;
54179 + u32 curr_ip = current->signal->curr_ip;
54180 +
54181 + current->signal->saved_ip = curr_ip;
54182 +
54183 + /* check transition table */
54184 +
54185 + for (trans = current->role->transitions; trans; trans = trans->next) {
54186 + if (!strcmp(rolename, trans->rolename)) {
54187 + found = 1;
54188 + break;
54189 + }
54190 + }
54191 +
54192 + if (!found)
54193 + return 0;
54194 +
54195 + /* handle special roles that do not require authentication
54196 + and check ip */
54197 +
54198 + FOR_EACH_ROLE_START(r)
54199 + if (!strcmp(rolename, r->rolename) &&
54200 + (r->roletype & GR_ROLE_SPECIAL)) {
54201 + found = 0;
54202 + if (r->allowed_ips != NULL) {
54203 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
54204 + if ((ntohl(curr_ip) & ipp->netmask) ==
54205 + (ntohl(ipp->addr) & ipp->netmask))
54206 + found = 1;
54207 + }
54208 + } else
54209 + found = 2;
54210 + if (!found)
54211 + return 0;
54212 +
54213 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
54214 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
54215 + *salt = NULL;
54216 + *sum = NULL;
54217 + return 1;
54218 + }
54219 + }
54220 + FOR_EACH_ROLE_END(r)
54221 +
54222 + for (i = 0; i < num_sprole_pws; i++) {
54223 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
54224 + *salt = acl_special_roles[i]->salt;
54225 + *sum = acl_special_roles[i]->sum;
54226 + return 1;
54227 + }
54228 + }
54229 +
54230 + return 0;
54231 +}
54232 +
54233 +static void
54234 +assign_special_role(char *rolename)
54235 +{
54236 + struct acl_object_label *obj;
54237 + struct acl_role_label *r;
54238 + struct acl_role_label *assigned = NULL;
54239 + struct task_struct *tsk;
54240 + struct file *filp;
54241 +
54242 + FOR_EACH_ROLE_START(r)
54243 + if (!strcmp(rolename, r->rolename) &&
54244 + (r->roletype & GR_ROLE_SPECIAL)) {
54245 + assigned = r;
54246 + break;
54247 + }
54248 + FOR_EACH_ROLE_END(r)
54249 +
54250 + if (!assigned)
54251 + return;
54252 +
54253 + read_lock(&tasklist_lock);
54254 + read_lock(&grsec_exec_file_lock);
54255 +
54256 + tsk = current->real_parent;
54257 + if (tsk == NULL)
54258 + goto out_unlock;
54259 +
54260 + filp = tsk->exec_file;
54261 + if (filp == NULL)
54262 + goto out_unlock;
54263 +
54264 + tsk->is_writable = 0;
54265 +
54266 + tsk->acl_sp_role = 1;
54267 + tsk->acl_role_id = ++acl_sp_role_value;
54268 + tsk->role = assigned;
54269 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
54270 +
54271 + /* ignore additional mmap checks for processes that are writable
54272 + by the default ACL */
54273 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54274 + if (unlikely(obj->mode & GR_WRITE))
54275 + tsk->is_writable = 1;
54276 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
54277 + if (unlikely(obj->mode & GR_WRITE))
54278 + tsk->is_writable = 1;
54279 +
54280 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54281 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
54282 +#endif
54283 +
54284 +out_unlock:
54285 + read_unlock(&grsec_exec_file_lock);
54286 + read_unlock(&tasklist_lock);
54287 + return;
54288 +}
54289 +
54290 +int gr_check_secure_terminal(struct task_struct *task)
54291 +{
54292 + struct task_struct *p, *p2, *p3;
54293 + struct files_struct *files;
54294 + struct fdtable *fdt;
54295 + struct file *our_file = NULL, *file;
54296 + int i;
54297 +
54298 + if (task->signal->tty == NULL)
54299 + return 1;
54300 +
54301 + files = get_files_struct(task);
54302 + if (files != NULL) {
54303 + rcu_read_lock();
54304 + fdt = files_fdtable(files);
54305 + for (i=0; i < fdt->max_fds; i++) {
54306 + file = fcheck_files(files, i);
54307 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
54308 + get_file(file);
54309 + our_file = file;
54310 + }
54311 + }
54312 + rcu_read_unlock();
54313 + put_files_struct(files);
54314 + }
54315 +
54316 + if (our_file == NULL)
54317 + return 1;
54318 +
54319 + read_lock(&tasklist_lock);
54320 + do_each_thread(p2, p) {
54321 + files = get_files_struct(p);
54322 + if (files == NULL ||
54323 + (p->signal && p->signal->tty == task->signal->tty)) {
54324 + if (files != NULL)
54325 + put_files_struct(files);
54326 + continue;
54327 + }
54328 + rcu_read_lock();
54329 + fdt = files_fdtable(files);
54330 + for (i=0; i < fdt->max_fds; i++) {
54331 + file = fcheck_files(files, i);
54332 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
54333 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
54334 + p3 = task;
54335 + while (p3->pid > 0) {
54336 + if (p3 == p)
54337 + break;
54338 + p3 = p3->real_parent;
54339 + }
54340 + if (p3 == p)
54341 + break;
54342 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
54343 + gr_handle_alertkill(p);
54344 + rcu_read_unlock();
54345 + put_files_struct(files);
54346 + read_unlock(&tasklist_lock);
54347 + fput(our_file);
54348 + return 0;
54349 + }
54350 + }
54351 + rcu_read_unlock();
54352 + put_files_struct(files);
54353 + } while_each_thread(p2, p);
54354 + read_unlock(&tasklist_lock);
54355 +
54356 + fput(our_file);
54357 + return 1;
54358 +}
54359 +
54360 +ssize_t
54361 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
54362 +{
54363 + struct gr_arg_wrapper uwrap;
54364 + unsigned char *sprole_salt = NULL;
54365 + unsigned char *sprole_sum = NULL;
54366 + int error = sizeof (struct gr_arg_wrapper);
54367 + int error2 = 0;
54368 +
54369 + mutex_lock(&gr_dev_mutex);
54370 +
54371 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
54372 + error = -EPERM;
54373 + goto out;
54374 + }
54375 +
54376 + if (count != sizeof (struct gr_arg_wrapper)) {
54377 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
54378 + error = -EINVAL;
54379 + goto out;
54380 + }
54381 +
54382 +
54383 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
54384 + gr_auth_expires = 0;
54385 + gr_auth_attempts = 0;
54386 + }
54387 +
54388 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
54389 + error = -EFAULT;
54390 + goto out;
54391 + }
54392 +
54393 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
54394 + error = -EINVAL;
54395 + goto out;
54396 + }
54397 +
54398 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
54399 + error = -EFAULT;
54400 + goto out;
54401 + }
54402 +
54403 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54404 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54405 + time_after(gr_auth_expires, get_seconds())) {
54406 + error = -EBUSY;
54407 + goto out;
54408 + }
54409 +
54410 + /* if non-root trying to do anything other than use a special role,
54411 + do not attempt authentication, do not count towards authentication
54412 + locking
54413 + */
54414 +
54415 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
54416 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54417 + current_uid()) {
54418 + error = -EPERM;
54419 + goto out;
54420 + }
54421 +
54422 + /* ensure pw and special role name are null terminated */
54423 +
54424 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
54425 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
54426 +
54427 + /* Okay.
54428 + * We have our enough of the argument structure..(we have yet
54429 + * to copy_from_user the tables themselves) . Copy the tables
54430 + * only if we need them, i.e. for loading operations. */
54431 +
54432 + switch (gr_usermode->mode) {
54433 + case GR_STATUS:
54434 + if (gr_status & GR_READY) {
54435 + error = 1;
54436 + if (!gr_check_secure_terminal(current))
54437 + error = 3;
54438 + } else
54439 + error = 2;
54440 + goto out;
54441 + case GR_SHUTDOWN:
54442 + if ((gr_status & GR_READY)
54443 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54444 + pax_open_kernel();
54445 + gr_status &= ~GR_READY;
54446 + pax_close_kernel();
54447 +
54448 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
54449 + free_variables();
54450 + memset(gr_usermode, 0, sizeof (struct gr_arg));
54451 + memset(gr_system_salt, 0, GR_SALT_LEN);
54452 + memset(gr_system_sum, 0, GR_SHA_LEN);
54453 + } else if (gr_status & GR_READY) {
54454 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
54455 + error = -EPERM;
54456 + } else {
54457 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
54458 + error = -EAGAIN;
54459 + }
54460 + break;
54461 + case GR_ENABLE:
54462 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
54463 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
54464 + else {
54465 + if (gr_status & GR_READY)
54466 + error = -EAGAIN;
54467 + else
54468 + error = error2;
54469 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
54470 + }
54471 + break;
54472 + case GR_RELOAD:
54473 + if (!(gr_status & GR_READY)) {
54474 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
54475 + error = -EAGAIN;
54476 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54477 + preempt_disable();
54478 +
54479 + pax_open_kernel();
54480 + gr_status &= ~GR_READY;
54481 + pax_close_kernel();
54482 +
54483 + free_variables();
54484 + if (!(error2 = gracl_init(gr_usermode))) {
54485 + preempt_enable();
54486 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
54487 + } else {
54488 + preempt_enable();
54489 + error = error2;
54490 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54491 + }
54492 + } else {
54493 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54494 + error = -EPERM;
54495 + }
54496 + break;
54497 + case GR_SEGVMOD:
54498 + if (unlikely(!(gr_status & GR_READY))) {
54499 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
54500 + error = -EAGAIN;
54501 + break;
54502 + }
54503 +
54504 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54505 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
54506 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
54507 + struct acl_subject_label *segvacl;
54508 + segvacl =
54509 + lookup_acl_subj_label(gr_usermode->segv_inode,
54510 + gr_usermode->segv_device,
54511 + current->role);
54512 + if (segvacl) {
54513 + segvacl->crashes = 0;
54514 + segvacl->expires = 0;
54515 + }
54516 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
54517 + gr_remove_uid(gr_usermode->segv_uid);
54518 + }
54519 + } else {
54520 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
54521 + error = -EPERM;
54522 + }
54523 + break;
54524 + case GR_SPROLE:
54525 + case GR_SPROLEPAM:
54526 + if (unlikely(!(gr_status & GR_READY))) {
54527 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
54528 + error = -EAGAIN;
54529 + break;
54530 + }
54531 +
54532 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
54533 + current->role->expires = 0;
54534 + current->role->auth_attempts = 0;
54535 + }
54536 +
54537 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54538 + time_after(current->role->expires, get_seconds())) {
54539 + error = -EBUSY;
54540 + goto out;
54541 + }
54542 +
54543 + if (lookup_special_role_auth
54544 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
54545 + && ((!sprole_salt && !sprole_sum)
54546 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
54547 + char *p = "";
54548 + assign_special_role(gr_usermode->sp_role);
54549 + read_lock(&tasklist_lock);
54550 + if (current->real_parent)
54551 + p = current->real_parent->role->rolename;
54552 + read_unlock(&tasklist_lock);
54553 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
54554 + p, acl_sp_role_value);
54555 + } else {
54556 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
54557 + error = -EPERM;
54558 + if(!(current->role->auth_attempts++))
54559 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54560 +
54561 + goto out;
54562 + }
54563 + break;
54564 + case GR_UNSPROLE:
54565 + if (unlikely(!(gr_status & GR_READY))) {
54566 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
54567 + error = -EAGAIN;
54568 + break;
54569 + }
54570 +
54571 + if (current->role->roletype & GR_ROLE_SPECIAL) {
54572 + char *p = "";
54573 + int i = 0;
54574 +
54575 + read_lock(&tasklist_lock);
54576 + if (current->real_parent) {
54577 + p = current->real_parent->role->rolename;
54578 + i = current->real_parent->acl_role_id;
54579 + }
54580 + read_unlock(&tasklist_lock);
54581 +
54582 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
54583 + gr_set_acls(1);
54584 + } else {
54585 + error = -EPERM;
54586 + goto out;
54587 + }
54588 + break;
54589 + default:
54590 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
54591 + error = -EINVAL;
54592 + break;
54593 + }
54594 +
54595 + if (error != -EPERM)
54596 + goto out;
54597 +
54598 + if(!(gr_auth_attempts++))
54599 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54600 +
54601 + out:
54602 + mutex_unlock(&gr_dev_mutex);
54603 + return error;
54604 +}
54605 +
54606 +/* must be called with
54607 + rcu_read_lock();
54608 + read_lock(&tasklist_lock);
54609 + read_lock(&grsec_exec_file_lock);
54610 +*/
54611 +int gr_apply_subject_to_task(struct task_struct *task)
54612 +{
54613 + struct acl_object_label *obj;
54614 + char *tmpname;
54615 + struct acl_subject_label *tmpsubj;
54616 + struct file *filp;
54617 + struct name_entry *nmatch;
54618 +
54619 + filp = task->exec_file;
54620 + if (filp == NULL)
54621 + return 0;
54622 +
54623 + /* the following is to apply the correct subject
54624 + on binaries running when the RBAC system
54625 + is enabled, when the binaries have been
54626 + replaced or deleted since their execution
54627 + -----
54628 + when the RBAC system starts, the inode/dev
54629 + from exec_file will be one the RBAC system
54630 + is unaware of. It only knows the inode/dev
54631 + of the present file on disk, or the absence
54632 + of it.
54633 + */
54634 + preempt_disable();
54635 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
54636 +
54637 + nmatch = lookup_name_entry(tmpname);
54638 + preempt_enable();
54639 + tmpsubj = NULL;
54640 + if (nmatch) {
54641 + if (nmatch->deleted)
54642 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
54643 + else
54644 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
54645 + if (tmpsubj != NULL)
54646 + task->acl = tmpsubj;
54647 + }
54648 + if (tmpsubj == NULL)
54649 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
54650 + task->role);
54651 + if (task->acl) {
54652 + struct acl_subject_label *curr;
54653 + curr = task->acl;
54654 +
54655 + task->is_writable = 0;
54656 + /* ignore additional mmap checks for processes that are writable
54657 + by the default ACL */
54658 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54659 + if (unlikely(obj->mode & GR_WRITE))
54660 + task->is_writable = 1;
54661 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54662 + if (unlikely(obj->mode & GR_WRITE))
54663 + task->is_writable = 1;
54664 +
54665 + gr_set_proc_res(task);
54666 +
54667 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54668 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54669 +#endif
54670 + } else {
54671 + return 1;
54672 + }
54673 +
54674 + return 0;
54675 +}
54676 +
54677 +int
54678 +gr_set_acls(const int type)
54679 +{
54680 + struct task_struct *task, *task2;
54681 + struct acl_role_label *role = current->role;
54682 + __u16 acl_role_id = current->acl_role_id;
54683 + const struct cred *cred;
54684 + int ret;
54685 +
54686 + rcu_read_lock();
54687 + read_lock(&tasklist_lock);
54688 + read_lock(&grsec_exec_file_lock);
54689 + do_each_thread(task2, task) {
54690 + /* check to see if we're called from the exit handler,
54691 + if so, only replace ACLs that have inherited the admin
54692 + ACL */
54693 +
54694 + if (type && (task->role != role ||
54695 + task->acl_role_id != acl_role_id))
54696 + continue;
54697 +
54698 + task->acl_role_id = 0;
54699 + task->acl_sp_role = 0;
54700 +
54701 + if (task->exec_file) {
54702 + cred = __task_cred(task);
54703 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
54704 + ret = gr_apply_subject_to_task(task);
54705 + if (ret) {
54706 + read_unlock(&grsec_exec_file_lock);
54707 + read_unlock(&tasklist_lock);
54708 + rcu_read_unlock();
54709 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
54710 + return ret;
54711 + }
54712 + } else {
54713 + // it's a kernel process
54714 + task->role = kernel_role;
54715 + task->acl = kernel_role->root_label;
54716 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
54717 + task->acl->mode &= ~GR_PROCFIND;
54718 +#endif
54719 + }
54720 + } while_each_thread(task2, task);
54721 + read_unlock(&grsec_exec_file_lock);
54722 + read_unlock(&tasklist_lock);
54723 + rcu_read_unlock();
54724 +
54725 + return 0;
54726 +}
54727 +
54728 +void
54729 +gr_learn_resource(const struct task_struct *task,
54730 + const int res, const unsigned long wanted, const int gt)
54731 +{
54732 + struct acl_subject_label *acl;
54733 + const struct cred *cred;
54734 +
54735 + if (unlikely((gr_status & GR_READY) &&
54736 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
54737 + goto skip_reslog;
54738 +
54739 +#ifdef CONFIG_GRKERNSEC_RESLOG
54740 + gr_log_resource(task, res, wanted, gt);
54741 +#endif
54742 + skip_reslog:
54743 +
54744 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
54745 + return;
54746 +
54747 + acl = task->acl;
54748 +
54749 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
54750 + !(acl->resmask & (1 << (unsigned short) res))))
54751 + return;
54752 +
54753 + if (wanted >= acl->res[res].rlim_cur) {
54754 + unsigned long res_add;
54755 +
54756 + res_add = wanted;
54757 + switch (res) {
54758 + case RLIMIT_CPU:
54759 + res_add += GR_RLIM_CPU_BUMP;
54760 + break;
54761 + case RLIMIT_FSIZE:
54762 + res_add += GR_RLIM_FSIZE_BUMP;
54763 + break;
54764 + case RLIMIT_DATA:
54765 + res_add += GR_RLIM_DATA_BUMP;
54766 + break;
54767 + case RLIMIT_STACK:
54768 + res_add += GR_RLIM_STACK_BUMP;
54769 + break;
54770 + case RLIMIT_CORE:
54771 + res_add += GR_RLIM_CORE_BUMP;
54772 + break;
54773 + case RLIMIT_RSS:
54774 + res_add += GR_RLIM_RSS_BUMP;
54775 + break;
54776 + case RLIMIT_NPROC:
54777 + res_add += GR_RLIM_NPROC_BUMP;
54778 + break;
54779 + case RLIMIT_NOFILE:
54780 + res_add += GR_RLIM_NOFILE_BUMP;
54781 + break;
54782 + case RLIMIT_MEMLOCK:
54783 + res_add += GR_RLIM_MEMLOCK_BUMP;
54784 + break;
54785 + case RLIMIT_AS:
54786 + res_add += GR_RLIM_AS_BUMP;
54787 + break;
54788 + case RLIMIT_LOCKS:
54789 + res_add += GR_RLIM_LOCKS_BUMP;
54790 + break;
54791 + case RLIMIT_SIGPENDING:
54792 + res_add += GR_RLIM_SIGPENDING_BUMP;
54793 + break;
54794 + case RLIMIT_MSGQUEUE:
54795 + res_add += GR_RLIM_MSGQUEUE_BUMP;
54796 + break;
54797 + case RLIMIT_NICE:
54798 + res_add += GR_RLIM_NICE_BUMP;
54799 + break;
54800 + case RLIMIT_RTPRIO:
54801 + res_add += GR_RLIM_RTPRIO_BUMP;
54802 + break;
54803 + case RLIMIT_RTTIME:
54804 + res_add += GR_RLIM_RTTIME_BUMP;
54805 + break;
54806 + }
54807 +
54808 + acl->res[res].rlim_cur = res_add;
54809 +
54810 + if (wanted > acl->res[res].rlim_max)
54811 + acl->res[res].rlim_max = res_add;
54812 +
54813 + /* only log the subject filename, since resource logging is supported for
54814 + single-subject learning only */
54815 + rcu_read_lock();
54816 + cred = __task_cred(task);
54817 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
54818 + task->role->roletype, cred->uid, cred->gid, acl->filename,
54819 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
54820 + "", (unsigned long) res, &task->signal->saved_ip);
54821 + rcu_read_unlock();
54822 + }
54823 +
54824 + return;
54825 +}
54826 +
54827 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
54828 +void
54829 +pax_set_initial_flags(struct linux_binprm *bprm)
54830 +{
54831 + struct task_struct *task = current;
54832 + struct acl_subject_label *proc;
54833 + unsigned long flags;
54834 +
54835 + if (unlikely(!(gr_status & GR_READY)))
54836 + return;
54837 +
54838 + flags = pax_get_flags(task);
54839 +
54840 + proc = task->acl;
54841 +
54842 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
54843 + flags &= ~MF_PAX_PAGEEXEC;
54844 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
54845 + flags &= ~MF_PAX_SEGMEXEC;
54846 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
54847 + flags &= ~MF_PAX_RANDMMAP;
54848 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
54849 + flags &= ~MF_PAX_EMUTRAMP;
54850 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
54851 + flags &= ~MF_PAX_MPROTECT;
54852 +
54853 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
54854 + flags |= MF_PAX_PAGEEXEC;
54855 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
54856 + flags |= MF_PAX_SEGMEXEC;
54857 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
54858 + flags |= MF_PAX_RANDMMAP;
54859 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
54860 + flags |= MF_PAX_EMUTRAMP;
54861 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
54862 + flags |= MF_PAX_MPROTECT;
54863 +
54864 + pax_set_flags(task, flags);
54865 +
54866 + return;
54867 +}
54868 +#endif
54869 +
54870 +#ifdef CONFIG_SYSCTL
54871 +/* Eric Biederman likes breaking userland ABI and every inode-based security
54872 + system to save 35kb of memory */
54873 +
54874 +/* we modify the passed in filename, but adjust it back before returning */
54875 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
54876 +{
54877 + struct name_entry *nmatch;
54878 + char *p, *lastp = NULL;
54879 + struct acl_object_label *obj = NULL, *tmp;
54880 + struct acl_subject_label *tmpsubj;
54881 + char c = '\0';
54882 +
54883 + read_lock(&gr_inode_lock);
54884 +
54885 + p = name + len - 1;
54886 + do {
54887 + nmatch = lookup_name_entry(name);
54888 + if (lastp != NULL)
54889 + *lastp = c;
54890 +
54891 + if (nmatch == NULL)
54892 + goto next_component;
54893 + tmpsubj = current->acl;
54894 + do {
54895 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
54896 + if (obj != NULL) {
54897 + tmp = obj->globbed;
54898 + while (tmp) {
54899 + if (!glob_match(tmp->filename, name)) {
54900 + obj = tmp;
54901 + goto found_obj;
54902 + }
54903 + tmp = tmp->next;
54904 + }
54905 + goto found_obj;
54906 + }
54907 + } while ((tmpsubj = tmpsubj->parent_subject));
54908 +next_component:
54909 + /* end case */
54910 + if (p == name)
54911 + break;
54912 +
54913 + while (*p != '/')
54914 + p--;
54915 + if (p == name)
54916 + lastp = p + 1;
54917 + else {
54918 + lastp = p;
54919 + p--;
54920 + }
54921 + c = *lastp;
54922 + *lastp = '\0';
54923 + } while (1);
54924 +found_obj:
54925 + read_unlock(&gr_inode_lock);
54926 + /* obj returned will always be non-null */
54927 + return obj;
54928 +}
54929 +
54930 +/* returns 0 when allowing, non-zero on error
54931 + op of 0 is used for readdir, so we don't log the names of hidden files
54932 +*/
54933 +__u32
54934 +gr_handle_sysctl(const struct ctl_table *table, const int op)
54935 +{
54936 + struct ctl_table *tmp;
54937 + const char *proc_sys = "/proc/sys";
54938 + char *path;
54939 + struct acl_object_label *obj;
54940 + unsigned short len = 0, pos = 0, depth = 0, i;
54941 + __u32 err = 0;
54942 + __u32 mode = 0;
54943 +
54944 + if (unlikely(!(gr_status & GR_READY)))
54945 + return 0;
54946 +
54947 + /* for now, ignore operations on non-sysctl entries if it's not a
54948 + readdir*/
54949 + if (table->child != NULL && op != 0)
54950 + return 0;
54951 +
54952 + mode |= GR_FIND;
54953 + /* it's only a read if it's an entry, read on dirs is for readdir */
54954 + if (op & MAY_READ)
54955 + mode |= GR_READ;
54956 + if (op & MAY_WRITE)
54957 + mode |= GR_WRITE;
54958 +
54959 + preempt_disable();
54960 +
54961 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
54962 +
54963 + /* it's only a read/write if it's an actual entry, not a dir
54964 + (which are opened for readdir)
54965 + */
54966 +
54967 + /* convert the requested sysctl entry into a pathname */
54968 +
54969 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
54970 + len += strlen(tmp->procname);
54971 + len++;
54972 + depth++;
54973 + }
54974 +
54975 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
54976 + /* deny */
54977 + goto out;
54978 + }
54979 +
54980 + memset(path, 0, PAGE_SIZE);
54981 +
54982 + memcpy(path, proc_sys, strlen(proc_sys));
54983 +
54984 + pos += strlen(proc_sys);
54985 +
54986 + for (; depth > 0; depth--) {
54987 + path[pos] = '/';
54988 + pos++;
54989 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
54990 + if (depth == i) {
54991 + memcpy(path + pos, tmp->procname,
54992 + strlen(tmp->procname));
54993 + pos += strlen(tmp->procname);
54994 + }
54995 + i++;
54996 + }
54997 + }
54998 +
54999 + obj = gr_lookup_by_name(path, pos);
55000 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55001 +
55002 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55003 + ((err & mode) != mode))) {
55004 + __u32 new_mode = mode;
55005 +
55006 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55007 +
55008 + err = 0;
55009 + gr_log_learn_sysctl(path, new_mode);
55010 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55011 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55012 + err = -ENOENT;
55013 + } else if (!(err & GR_FIND)) {
55014 + err = -ENOENT;
55015 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55016 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55017 + path, (mode & GR_READ) ? " reading" : "",
55018 + (mode & GR_WRITE) ? " writing" : "");
55019 + err = -EACCES;
55020 + } else if ((err & mode) != mode) {
55021 + err = -EACCES;
55022 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55023 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55024 + path, (mode & GR_READ) ? " reading" : "",
55025 + (mode & GR_WRITE) ? " writing" : "");
55026 + err = 0;
55027 + } else
55028 + err = 0;
55029 +
55030 + out:
55031 + preempt_enable();
55032 +
55033 + return err;
55034 +}
55035 +#endif
55036 +
55037 +int
55038 +gr_handle_proc_ptrace(struct task_struct *task)
55039 +{
55040 + struct file *filp;
55041 + struct task_struct *tmp = task;
55042 + struct task_struct *curtemp = current;
55043 + __u32 retmode;
55044 +
55045 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55046 + if (unlikely(!(gr_status & GR_READY)))
55047 + return 0;
55048 +#endif
55049 +
55050 + read_lock(&tasklist_lock);
55051 + read_lock(&grsec_exec_file_lock);
55052 + filp = task->exec_file;
55053 +
55054 + while (tmp->pid > 0) {
55055 + if (tmp == curtemp)
55056 + break;
55057 + tmp = tmp->real_parent;
55058 + }
55059 +
55060 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55061 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55062 + read_unlock(&grsec_exec_file_lock);
55063 + read_unlock(&tasklist_lock);
55064 + return 1;
55065 + }
55066 +
55067 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55068 + if (!(gr_status & GR_READY)) {
55069 + read_unlock(&grsec_exec_file_lock);
55070 + read_unlock(&tasklist_lock);
55071 + return 0;
55072 + }
55073 +#endif
55074 +
55075 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55076 + read_unlock(&grsec_exec_file_lock);
55077 + read_unlock(&tasklist_lock);
55078 +
55079 + if (retmode & GR_NOPTRACE)
55080 + return 1;
55081 +
55082 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55083 + && (current->acl != task->acl || (current->acl != current->role->root_label
55084 + && current->pid != task->pid)))
55085 + return 1;
55086 +
55087 + return 0;
55088 +}
55089 +
55090 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55091 +{
55092 + if (unlikely(!(gr_status & GR_READY)))
55093 + return;
55094 +
55095 + if (!(current->role->roletype & GR_ROLE_GOD))
55096 + return;
55097 +
55098 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55099 + p->role->rolename, gr_task_roletype_to_char(p),
55100 + p->acl->filename);
55101 +}
55102 +
55103 +int
55104 +gr_handle_ptrace(struct task_struct *task, const long request)
55105 +{
55106 + struct task_struct *tmp = task;
55107 + struct task_struct *curtemp = current;
55108 + __u32 retmode;
55109 +
55110 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55111 + if (unlikely(!(gr_status & GR_READY)))
55112 + return 0;
55113 +#endif
55114 +
55115 + read_lock(&tasklist_lock);
55116 + while (tmp->pid > 0) {
55117 + if (tmp == curtemp)
55118 + break;
55119 + tmp = tmp->real_parent;
55120 + }
55121 +
55122 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55123 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
55124 + read_unlock(&tasklist_lock);
55125 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55126 + return 1;
55127 + }
55128 + read_unlock(&tasklist_lock);
55129 +
55130 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55131 + if (!(gr_status & GR_READY))
55132 + return 0;
55133 +#endif
55134 +
55135 + read_lock(&grsec_exec_file_lock);
55136 + if (unlikely(!task->exec_file)) {
55137 + read_unlock(&grsec_exec_file_lock);
55138 + return 0;
55139 + }
55140 +
55141 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
55142 + read_unlock(&grsec_exec_file_lock);
55143 +
55144 + if (retmode & GR_NOPTRACE) {
55145 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55146 + return 1;
55147 + }
55148 +
55149 + if (retmode & GR_PTRACERD) {
55150 + switch (request) {
55151 + case PTRACE_POKETEXT:
55152 + case PTRACE_POKEDATA:
55153 + case PTRACE_POKEUSR:
55154 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
55155 + case PTRACE_SETREGS:
55156 + case PTRACE_SETFPREGS:
55157 +#endif
55158 +#ifdef CONFIG_X86
55159 + case PTRACE_SETFPXREGS:
55160 +#endif
55161 +#ifdef CONFIG_ALTIVEC
55162 + case PTRACE_SETVRREGS:
55163 +#endif
55164 + return 1;
55165 + default:
55166 + return 0;
55167 + }
55168 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
55169 + !(current->role->roletype & GR_ROLE_GOD) &&
55170 + (current->acl != task->acl)) {
55171 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55172 + return 1;
55173 + }
55174 +
55175 + return 0;
55176 +}
55177 +
55178 +static int is_writable_mmap(const struct file *filp)
55179 +{
55180 + struct task_struct *task = current;
55181 + struct acl_object_label *obj, *obj2;
55182 +
55183 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
55184 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
55185 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55186 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
55187 + task->role->root_label);
55188 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
55189 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
55190 + return 1;
55191 + }
55192 + }
55193 + return 0;
55194 +}
55195 +
55196 +int
55197 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
55198 +{
55199 + __u32 mode;
55200 +
55201 + if (unlikely(!file || !(prot & PROT_EXEC)))
55202 + return 1;
55203 +
55204 + if (is_writable_mmap(file))
55205 + return 0;
55206 +
55207 + mode =
55208 + gr_search_file(file->f_path.dentry,
55209 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55210 + file->f_path.mnt);
55211 +
55212 + if (!gr_tpe_allow(file))
55213 + return 0;
55214 +
55215 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55216 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55217 + return 0;
55218 + } else if (unlikely(!(mode & GR_EXEC))) {
55219 + return 0;
55220 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55221 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55222 + return 1;
55223 + }
55224 +
55225 + return 1;
55226 +}
55227 +
55228 +int
55229 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55230 +{
55231 + __u32 mode;
55232 +
55233 + if (unlikely(!file || !(prot & PROT_EXEC)))
55234 + return 1;
55235 +
55236 + if (is_writable_mmap(file))
55237 + return 0;
55238 +
55239 + mode =
55240 + gr_search_file(file->f_path.dentry,
55241 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55242 + file->f_path.mnt);
55243 +
55244 + if (!gr_tpe_allow(file))
55245 + return 0;
55246 +
55247 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55248 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55249 + return 0;
55250 + } else if (unlikely(!(mode & GR_EXEC))) {
55251 + return 0;
55252 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55253 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55254 + return 1;
55255 + }
55256 +
55257 + return 1;
55258 +}
55259 +
55260 +void
55261 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55262 +{
55263 + unsigned long runtime;
55264 + unsigned long cputime;
55265 + unsigned int wday, cday;
55266 + __u8 whr, chr;
55267 + __u8 wmin, cmin;
55268 + __u8 wsec, csec;
55269 + struct timespec timeval;
55270 +
55271 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
55272 + !(task->acl->mode & GR_PROCACCT)))
55273 + return;
55274 +
55275 + do_posix_clock_monotonic_gettime(&timeval);
55276 + runtime = timeval.tv_sec - task->start_time.tv_sec;
55277 + wday = runtime / (3600 * 24);
55278 + runtime -= wday * (3600 * 24);
55279 + whr = runtime / 3600;
55280 + runtime -= whr * 3600;
55281 + wmin = runtime / 60;
55282 + runtime -= wmin * 60;
55283 + wsec = runtime;
55284 +
55285 + cputime = (task->utime + task->stime) / HZ;
55286 + cday = cputime / (3600 * 24);
55287 + cputime -= cday * (3600 * 24);
55288 + chr = cputime / 3600;
55289 + cputime -= chr * 3600;
55290 + cmin = cputime / 60;
55291 + cputime -= cmin * 60;
55292 + csec = cputime;
55293 +
55294 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
55295 +
55296 + return;
55297 +}
55298 +
55299 +void gr_set_kernel_label(struct task_struct *task)
55300 +{
55301 + if (gr_status & GR_READY) {
55302 + task->role = kernel_role;
55303 + task->acl = kernel_role->root_label;
55304 + }
55305 + return;
55306 +}
55307 +
55308 +#ifdef CONFIG_TASKSTATS
55309 +int gr_is_taskstats_denied(int pid)
55310 +{
55311 + struct task_struct *task;
55312 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55313 + const struct cred *cred;
55314 +#endif
55315 + int ret = 0;
55316 +
55317 + /* restrict taskstats viewing to un-chrooted root users
55318 + who have the 'view' subject flag if the RBAC system is enabled
55319 + */
55320 +
55321 + rcu_read_lock();
55322 + read_lock(&tasklist_lock);
55323 + task = find_task_by_vpid(pid);
55324 + if (task) {
55325 +#ifdef CONFIG_GRKERNSEC_CHROOT
55326 + if (proc_is_chrooted(task))
55327 + ret = -EACCES;
55328 +#endif
55329 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55330 + cred = __task_cred(task);
55331 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55332 + if (cred->uid != 0)
55333 + ret = -EACCES;
55334 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55335 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
55336 + ret = -EACCES;
55337 +#endif
55338 +#endif
55339 + if (gr_status & GR_READY) {
55340 + if (!(task->acl->mode & GR_VIEW))
55341 + ret = -EACCES;
55342 + }
55343 + } else
55344 + ret = -ENOENT;
55345 +
55346 + read_unlock(&tasklist_lock);
55347 + rcu_read_unlock();
55348 +
55349 + return ret;
55350 +}
55351 +#endif
55352 +
55353 +/* AUXV entries are filled via a descendant of search_binary_handler
55354 + after we've already applied the subject for the target
55355 +*/
55356 +int gr_acl_enable_at_secure(void)
55357 +{
55358 + if (unlikely(!(gr_status & GR_READY)))
55359 + return 0;
55360 +
55361 + if (current->acl->mode & GR_ATSECURE)
55362 + return 1;
55363 +
55364 + return 0;
55365 +}
55366 +
55367 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
55368 +{
55369 + struct task_struct *task = current;
55370 + struct dentry *dentry = file->f_path.dentry;
55371 + struct vfsmount *mnt = file->f_path.mnt;
55372 + struct acl_object_label *obj, *tmp;
55373 + struct acl_subject_label *subj;
55374 + unsigned int bufsize;
55375 + int is_not_root;
55376 + char *path;
55377 + dev_t dev = __get_dev(dentry);
55378 +
55379 + if (unlikely(!(gr_status & GR_READY)))
55380 + return 1;
55381 +
55382 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55383 + return 1;
55384 +
55385 + /* ignore Eric Biederman */
55386 + if (IS_PRIVATE(dentry->d_inode))
55387 + return 1;
55388 +
55389 + subj = task->acl;
55390 + do {
55391 + obj = lookup_acl_obj_label(ino, dev, subj);
55392 + if (obj != NULL)
55393 + return (obj->mode & GR_FIND) ? 1 : 0;
55394 + } while ((subj = subj->parent_subject));
55395 +
55396 + /* this is purely an optimization since we're looking for an object
55397 + for the directory we're doing a readdir on
55398 + if it's possible for any globbed object to match the entry we're
55399 + filling into the directory, then the object we find here will be
55400 + an anchor point with attached globbed objects
55401 + */
55402 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
55403 + if (obj->globbed == NULL)
55404 + return (obj->mode & GR_FIND) ? 1 : 0;
55405 +
55406 + is_not_root = ((obj->filename[0] == '/') &&
55407 + (obj->filename[1] == '\0')) ? 0 : 1;
55408 + bufsize = PAGE_SIZE - namelen - is_not_root;
55409 +
55410 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
55411 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
55412 + return 1;
55413 +
55414 + preempt_disable();
55415 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
55416 + bufsize);
55417 +
55418 + bufsize = strlen(path);
55419 +
55420 + /* if base is "/", don't append an additional slash */
55421 + if (is_not_root)
55422 + *(path + bufsize) = '/';
55423 + memcpy(path + bufsize + is_not_root, name, namelen);
55424 + *(path + bufsize + namelen + is_not_root) = '\0';
55425 +
55426 + tmp = obj->globbed;
55427 + while (tmp) {
55428 + if (!glob_match(tmp->filename, path)) {
55429 + preempt_enable();
55430 + return (tmp->mode & GR_FIND) ? 1 : 0;
55431 + }
55432 + tmp = tmp->next;
55433 + }
55434 + preempt_enable();
55435 + return (obj->mode & GR_FIND) ? 1 : 0;
55436 +}
55437 +
55438 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
55439 +EXPORT_SYMBOL(gr_acl_is_enabled);
55440 +#endif
55441 +EXPORT_SYMBOL(gr_learn_resource);
55442 +EXPORT_SYMBOL(gr_set_kernel_label);
55443 +#ifdef CONFIG_SECURITY
55444 +EXPORT_SYMBOL(gr_check_user_change);
55445 +EXPORT_SYMBOL(gr_check_group_change);
55446 +#endif
55447 +
55448 diff -urNp linux-2.6.39.1/grsecurity/gracl_cap.c linux-2.6.39.1/grsecurity/gracl_cap.c
55449 --- linux-2.6.39.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
55450 +++ linux-2.6.39.1/grsecurity/gracl_cap.c 2011-05-22 19:41:42.000000000 -0400
55451 @@ -0,0 +1,139 @@
55452 +#include <linux/kernel.h>
55453 +#include <linux/module.h>
55454 +#include <linux/sched.h>
55455 +#include <linux/gracl.h>
55456 +#include <linux/grsecurity.h>
55457 +#include <linux/grinternal.h>
55458 +
55459 +static const char *captab_log[] = {
55460 + "CAP_CHOWN",
55461 + "CAP_DAC_OVERRIDE",
55462 + "CAP_DAC_READ_SEARCH",
55463 + "CAP_FOWNER",
55464 + "CAP_FSETID",
55465 + "CAP_KILL",
55466 + "CAP_SETGID",
55467 + "CAP_SETUID",
55468 + "CAP_SETPCAP",
55469 + "CAP_LINUX_IMMUTABLE",
55470 + "CAP_NET_BIND_SERVICE",
55471 + "CAP_NET_BROADCAST",
55472 + "CAP_NET_ADMIN",
55473 + "CAP_NET_RAW",
55474 + "CAP_IPC_LOCK",
55475 + "CAP_IPC_OWNER",
55476 + "CAP_SYS_MODULE",
55477 + "CAP_SYS_RAWIO",
55478 + "CAP_SYS_CHROOT",
55479 + "CAP_SYS_PTRACE",
55480 + "CAP_SYS_PACCT",
55481 + "CAP_SYS_ADMIN",
55482 + "CAP_SYS_BOOT",
55483 + "CAP_SYS_NICE",
55484 + "CAP_SYS_RESOURCE",
55485 + "CAP_SYS_TIME",
55486 + "CAP_SYS_TTY_CONFIG",
55487 + "CAP_MKNOD",
55488 + "CAP_LEASE",
55489 + "CAP_AUDIT_WRITE",
55490 + "CAP_AUDIT_CONTROL",
55491 + "CAP_SETFCAP",
55492 + "CAP_MAC_OVERRIDE",
55493 + "CAP_MAC_ADMIN",
55494 + "CAP_SYSLOG"
55495 +};
55496 +
55497 +EXPORT_SYMBOL(gr_is_capable);
55498 +EXPORT_SYMBOL(gr_is_capable_nolog);
55499 +
55500 +int
55501 +gr_is_capable(const int cap)
55502 +{
55503 + struct task_struct *task = current;
55504 + const struct cred *cred = current_cred();
55505 + struct acl_subject_label *curracl;
55506 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55507 + kernel_cap_t cap_audit = __cap_empty_set;
55508 +
55509 + if (!gr_acl_is_enabled())
55510 + return 1;
55511 +
55512 + curracl = task->acl;
55513 +
55514 + cap_drop = curracl->cap_lower;
55515 + cap_mask = curracl->cap_mask;
55516 + cap_audit = curracl->cap_invert_audit;
55517 +
55518 + while ((curracl = curracl->parent_subject)) {
55519 + /* if the cap isn't specified in the current computed mask but is specified in the
55520 + current level subject, and is lowered in the current level subject, then add
55521 + it to the set of dropped capabilities
55522 + otherwise, add the current level subject's mask to the current computed mask
55523 + */
55524 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55525 + cap_raise(cap_mask, cap);
55526 + if (cap_raised(curracl->cap_lower, cap))
55527 + cap_raise(cap_drop, cap);
55528 + if (cap_raised(curracl->cap_invert_audit, cap))
55529 + cap_raise(cap_audit, cap);
55530 + }
55531 + }
55532 +
55533 + if (!cap_raised(cap_drop, cap)) {
55534 + if (cap_raised(cap_audit, cap))
55535 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
55536 + return 1;
55537 + }
55538 +
55539 + curracl = task->acl;
55540 +
55541 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
55542 + && cap_raised(cred->cap_effective, cap)) {
55543 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55544 + task->role->roletype, cred->uid,
55545 + cred->gid, task->exec_file ?
55546 + gr_to_filename(task->exec_file->f_path.dentry,
55547 + task->exec_file->f_path.mnt) : curracl->filename,
55548 + curracl->filename, 0UL,
55549 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
55550 + return 1;
55551 + }
55552 +
55553 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
55554 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
55555 + return 0;
55556 +}
55557 +
55558 +int
55559 +gr_is_capable_nolog(const int cap)
55560 +{
55561 + struct acl_subject_label *curracl;
55562 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55563 +
55564 + if (!gr_acl_is_enabled())
55565 + return 1;
55566 +
55567 + curracl = current->acl;
55568 +
55569 + cap_drop = curracl->cap_lower;
55570 + cap_mask = curracl->cap_mask;
55571 +
55572 + while ((curracl = curracl->parent_subject)) {
55573 + /* if the cap isn't specified in the current computed mask but is specified in the
55574 + current level subject, and is lowered in the current level subject, then add
55575 + it to the set of dropped capabilities
55576 + otherwise, add the current level subject's mask to the current computed mask
55577 + */
55578 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55579 + cap_raise(cap_mask, cap);
55580 + if (cap_raised(curracl->cap_lower, cap))
55581 + cap_raise(cap_drop, cap);
55582 + }
55583 + }
55584 +
55585 + if (!cap_raised(cap_drop, cap))
55586 + return 1;
55587 +
55588 + return 0;
55589 +}
55590 +
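Review bot: In gr_is_capable the audit branch calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` with no range check on `cap`, while the denial log at the end of the same function guards the index with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. If a caller ever passes a capability number the table does not list (for example after a capability is added to the kernel without extending captab_log), the audit path reads past the end of the array and hands a stray pointer to the logger. I would apply the same guard there, `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. Ideally `cap` would be validated once at the top of both gr_is_capable and gr_is_capable_nolog, since `cap_raised()` and `cap_raise()` are also applied to it unchecked. Whether out-of-range values can actually reach these functions depends on callers outside this hunk.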
55591 diff -urNp linux-2.6.39.1/grsecurity/gracl_fs.c linux-2.6.39.1/grsecurity/gracl_fs.c
55592 --- linux-2.6.39.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
55593 +++ linux-2.6.39.1/grsecurity/gracl_fs.c 2011-05-22 19:41:42.000000000 -0400
55594 @@ -0,0 +1,431 @@
55595 +#include <linux/kernel.h>
55596 +#include <linux/sched.h>
55597 +#include <linux/types.h>
55598 +#include <linux/fs.h>
55599 +#include <linux/file.h>
55600 +#include <linux/stat.h>
55601 +#include <linux/grsecurity.h>
55602 +#include <linux/grinternal.h>
55603 +#include <linux/gracl.h>
55604 +
55605 +__u32
55606 +gr_acl_handle_hidden_file(const struct dentry * dentry,
55607 + const struct vfsmount * mnt)
55608 +{
55609 + __u32 mode;
55610 +
55611 + if (unlikely(!dentry->d_inode))
55612 + return GR_FIND;
55613 +
55614 + mode =
55615 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
55616 +
55617 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
55618 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
55619 + return mode;
55620 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
55621 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
55622 + return 0;
55623 + } else if (unlikely(!(mode & GR_FIND)))
55624 + return 0;
55625 +
55626 + return GR_FIND;
55627 +}
55628 +
55629 +__u32
55630 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
55631 + const int fmode)
55632 +{
55633 + __u32 reqmode = GR_FIND;
55634 + __u32 mode;
55635 +
55636 + if (unlikely(!dentry->d_inode))
55637 + return reqmode;
55638 +
55639 + if (unlikely(fmode & O_APPEND))
55640 + reqmode |= GR_APPEND;
55641 + else if (unlikely(fmode & FMODE_WRITE))
55642 + reqmode |= GR_WRITE;
55643 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
55644 + reqmode |= GR_READ;
55645 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
55646 + reqmode &= ~GR_READ;
55647 + mode =
55648 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
55649 + mnt);
55650 +
55651 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55652 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
55653 + reqmode & GR_READ ? " reading" : "",
55654 + reqmode & GR_WRITE ? " writing" : reqmode &
55655 + GR_APPEND ? " appending" : "");
55656 + return reqmode;
55657 + } else
55658 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55659 + {
55660 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
55661 + reqmode & GR_READ ? " reading" : "",
55662 + reqmode & GR_WRITE ? " writing" : reqmode &
55663 + GR_APPEND ? " appending" : "");
55664 + return 0;
55665 + } else if (unlikely((mode & reqmode) != reqmode))
55666 + return 0;
55667 +
55668 + return reqmode;
55669 +}
55670 +
55671 +__u32
55672 +gr_acl_handle_creat(const struct dentry * dentry,
55673 + const struct dentry * p_dentry,
55674 + const struct vfsmount * p_mnt, const int fmode,
55675 + const int imode)
55676 +{
55677 + __u32 reqmode = GR_WRITE | GR_CREATE;
55678 + __u32 mode;
55679 +
55680 + if (unlikely(fmode & O_APPEND))
55681 + reqmode |= GR_APPEND;
55682 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
55683 + reqmode |= GR_READ;
55684 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
55685 + reqmode |= GR_SETID;
55686 +
55687 + mode =
55688 + gr_check_create(dentry, p_dentry, p_mnt,
55689 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
55690 +
55691 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55692 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
55693 + reqmode & GR_READ ? " reading" : "",
55694 + reqmode & GR_WRITE ? " writing" : reqmode &
55695 + GR_APPEND ? " appending" : "");
55696 + return reqmode;
55697 + } else
55698 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55699 + {
55700 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
55701 + reqmode & GR_READ ? " reading" : "",
55702 + reqmode & GR_WRITE ? " writing" : reqmode &
55703 + GR_APPEND ? " appending" : "");
55704 + return 0;
55705 + } else if (unlikely((mode & reqmode) != reqmode))
55706 + return 0;
55707 +
55708 + return reqmode;
55709 +}
55710 +
55711 +__u32
55712 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
55713 + const int fmode)
55714 +{
55715 + __u32 mode, reqmode = GR_FIND;
55716 +
55717 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
55718 + reqmode |= GR_EXEC;
55719 + if (fmode & S_IWOTH)
55720 + reqmode |= GR_WRITE;
55721 + if (fmode & S_IROTH)
55722 + reqmode |= GR_READ;
55723 +
55724 + mode =
55725 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
55726 + mnt);
55727 +
55728 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55729 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
55730 + reqmode & GR_READ ? " reading" : "",
55731 + reqmode & GR_WRITE ? " writing" : "",
55732 + reqmode & GR_EXEC ? " executing" : "");
55733 + return reqmode;
55734 + } else
55735 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55736 + {
55737 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
55738 + reqmode & GR_READ ? " reading" : "",
55739 + reqmode & GR_WRITE ? " writing" : "",
55740 + reqmode & GR_EXEC ? " executing" : "");
55741 + return 0;
55742 + } else if (unlikely((mode & reqmode) != reqmode))
55743 + return 0;
55744 +
55745 + return reqmode;
55746 +}
55747 +
55748 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
55749 +{
55750 + __u32 mode;
55751 +
55752 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
55753 +
55754 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
55755 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
55756 + return mode;
55757 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
55758 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
55759 + return 0;
55760 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
55761 + return 0;
55762 +
55763 + return (reqmode);
55764 +}
55765 +
55766 +__u32
55767 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
55768 +{
55769 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
55770 +}
55771 +
55772 +__u32
55773 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
55774 +{
55775 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
55776 +}
55777 +
55778 +__u32
55779 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
55780 +{
55781 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
55782 +}
55783 +
55784 +__u32
55785 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
55786 +{
55787 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
55788 +}
55789 +
55790 +__u32
55791 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
55792 + mode_t mode)
55793 +{
55794 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
55795 + return 1;
55796 +
55797 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
55798 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
55799 + GR_FCHMOD_ACL_MSG);
55800 + } else {
55801 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
55802 + }
55803 +}
55804 +
55805 +__u32
55806 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
55807 + mode_t mode)
55808 +{
55809 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
55810 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
55811 + GR_CHMOD_ACL_MSG);
55812 + } else {
55813 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
55814 + }
55815 +}
55816 +
55817 +__u32
55818 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
55819 +{
55820 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
55821 +}
55822 +
55823 +__u32
55824 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
55825 +{
55826 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
55827 +}
55828 +
55829 +__u32
55830 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
55831 +{
55832 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
55833 +}
55834 +
55835 +__u32
55836 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
55837 +{
55838 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
55839 + GR_UNIXCONNECT_ACL_MSG);
55840 +}
55841 +
55842 +/* hardlinks require at minimum create permission,
55843 + any additional privilege required is based on the
55844 + privilege of the file being linked to
55845 +*/
55846 +__u32
55847 +gr_acl_handle_link(const struct dentry * new_dentry,
55848 + const struct dentry * parent_dentry,
55849 + const struct vfsmount * parent_mnt,
55850 + const struct dentry * old_dentry,
55851 + const struct vfsmount * old_mnt, const char *to)
55852 +{
55853 + __u32 mode;
55854 + __u32 needmode = GR_CREATE | GR_LINK;
55855 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
55856 +
55857 + mode =
55858 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
55859 + old_mnt);
55860 +
55861 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
55862 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
55863 + return mode;
55864 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
55865 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
55866 + return 0;
55867 + } else if (unlikely((mode & needmode) != needmode))
55868 + return 0;
55869 +
55870 + return 1;
55871 +}
55872 +
55873 +__u32
55874 +gr_acl_handle_symlink(const struct dentry * new_dentry,
55875 + const struct dentry * parent_dentry,
55876 + const struct vfsmount * parent_mnt, const char *from)
55877 +{
55878 + __u32 needmode = GR_WRITE | GR_CREATE;
55879 + __u32 mode;
55880 +
55881 + mode =
55882 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
55883 + GR_CREATE | GR_AUDIT_CREATE |
55884 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
55885 +
55886 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
55887 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
55888 + return mode;
55889 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
55890 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
55891 + return 0;
55892 + } else if (unlikely((mode & needmode) != needmode))
55893 + return 0;
55894 +
55895 + return (GR_WRITE | GR_CREATE);
55896 +}
55897 +
55898 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
55899 +{
55900 + __u32 mode;
55901 +
55902 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
55903 +
55904 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
55905 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
55906 + return mode;
55907 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
55908 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
55909 + return 0;
55910 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
55911 + return 0;
55912 +
55913 + return (reqmode);
55914 +}
55915 +
55916 +__u32
55917 +gr_acl_handle_mknod(const struct dentry * new_dentry,
55918 + const struct dentry * parent_dentry,
55919 + const struct vfsmount * parent_mnt,
55920 + const int mode)
55921 +{
55922 + __u32 reqmode = GR_WRITE | GR_CREATE;
55923 + if (unlikely(mode & (S_ISUID | S_ISGID)))
55924 + reqmode |= GR_SETID;
55925 +
55926 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
55927 + reqmode, GR_MKNOD_ACL_MSG);
55928 +}
55929 +
55930 +__u32
55931 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
55932 + const struct dentry *parent_dentry,
55933 + const struct vfsmount *parent_mnt)
55934 +{
55935 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
55936 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
55937 +}
55938 +
55939 +#define RENAME_CHECK_SUCCESS(old, new) \
55940 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
55941 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
55942 +
55943 +int
55944 +gr_acl_handle_rename(struct dentry *new_dentry,
55945 + struct dentry *parent_dentry,
55946 + const struct vfsmount *parent_mnt,
55947 + struct dentry *old_dentry,
55948 + struct inode *old_parent_inode,
55949 + struct vfsmount *old_mnt, const char *newname)
55950 +{
55951 + __u32 comp1, comp2;
55952 + int error = 0;
55953 +
55954 + if (unlikely(!gr_acl_is_enabled()))
55955 + return 0;
55956 +
55957 + if (!new_dentry->d_inode) {
55958 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
55959 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
55960 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
55961 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
55962 + GR_DELETE | GR_AUDIT_DELETE |
55963 + GR_AUDIT_READ | GR_AUDIT_WRITE |
55964 + GR_SUPPRESS, old_mnt);
55965 + } else {
55966 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
55967 + GR_CREATE | GR_DELETE |
55968 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
55969 + GR_AUDIT_READ | GR_AUDIT_WRITE |
55970 + GR_SUPPRESS, parent_mnt);
55971 + comp2 =
55972 + gr_search_file(old_dentry,
55973 + GR_READ | GR_WRITE | GR_AUDIT_READ |
55974 + GR_DELETE | GR_AUDIT_DELETE |
55975 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
55976 + }
55977 +
55978 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
55979 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
55980 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
55981 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
55982 + && !(comp2 & GR_SUPPRESS)) {
55983 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
55984 + error = -EACCES;
55985 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
55986 + error = -EACCES;
55987 +
55988 + return error;
55989 +}
55990 +
55991 +void
55992 +gr_acl_handle_exit(void)
55993 +{
55994 + u16 id;
55995 + char *rolename;
55996 + struct file *exec_file;
55997 +
55998 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
55999 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56000 + id = current->acl_role_id;
56001 + rolename = current->role->rolename;
56002 + gr_set_acls(1);
56003 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56004 + }
56005 +
56006 + write_lock(&grsec_exec_file_lock);
56007 + exec_file = current->exec_file;
56008 + current->exec_file = NULL;
56009 + write_unlock(&grsec_exec_file_lock);
56010 +
56011 + if (exec_file)
56012 + fput(exec_file);
56013 +}
56014 +
56015 +int
56016 +gr_acl_handle_procpidmem(const struct task_struct *task)
56017 +{
56018 + if (unlikely(!gr_acl_is_enabled()))
56019 + return 0;
56020 +
56021 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56022 + return -EACCES;
56023 +
56024 + return 0;
56025 +}
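Review bot: In gr_acl_handle_symlink the audit branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than the full `needmode` (GR_WRITE | GR_CREATE), so a result carrying GR_WRITE and an audit bit but not GR_CREATE would be logged as a grant and returned non-zero. Every sibling handler in this file compares against the whole requested mask, including generic_fs_create_handler, which calls the same gr_check_create. Whether gr_check_create can return such a partial mask is not visible here, but the decision should not depend on it: `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`. Separately, gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file and gr_acl_handle_open have; if callers guarantee a positive dentry, a one-line comment saying so would help.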
56026 diff -urNp linux-2.6.39.1/grsecurity/gracl_ip.c linux-2.6.39.1/grsecurity/gracl_ip.c
56027 --- linux-2.6.39.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56028 +++ linux-2.6.39.1/grsecurity/gracl_ip.c 2011-05-22 22:47:31.000000000 -0400
56029 @@ -0,0 +1,381 @@
56030 +#include <linux/kernel.h>
56031 +#include <asm/uaccess.h>
56032 +#include <asm/errno.h>
56033 +#include <net/sock.h>
56034 +#include <linux/file.h>
56035 +#include <linux/fs.h>
56036 +#include <linux/net.h>
56037 +#include <linux/in.h>
56038 +#include <linux/skbuff.h>
56039 +#include <linux/ip.h>
56040 +#include <linux/udp.h>
56041 +#include <linux/types.h>
56042 +#include <linux/sched.h>
56043 +#include <linux/netdevice.h>
56044 +#include <linux/inetdevice.h>
56045 +#include <linux/gracl.h>
56046 +#include <linux/grsecurity.h>
56047 +#include <linux/grinternal.h>
56048 +
56049 +#define GR_BIND 0x01
56050 +#define GR_CONNECT 0x02
56051 +#define GR_INVERT 0x04
56052 +#define GR_BINDOVERRIDE 0x08
56053 +#define GR_CONNECTOVERRIDE 0x10
56054 +#define GR_SOCK_FAMILY 0x20
56055 +
56056 +static const char * gr_protocols[IPPROTO_MAX] = {
56057 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
56058 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
56059 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
56060 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
56061 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
56062 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
56063 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
56064 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
56065 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
56066 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
56067 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
56068 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
56069 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
56070 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
56071 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
56072 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
56073 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
56074 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
56075 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
56076 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
56077 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
56078 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
56079 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
56080 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
56081 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
56082 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
56083 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
56084 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
56085 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
56086 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
56087 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
56088 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
56089 + };
56090 +
56091 +static const char * gr_socktypes[SOCK_MAX] = {
56092 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
56093 + "unknown:7", "unknown:8", "unknown:9", "packet"
56094 + };
56095 +
56096 +static const char * gr_sockfamilies[AF_MAX+1] = {
56097 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
56098 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
56099 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
56100 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
56101 + };
56102 +
56103 +const char *
56104 +gr_proto_to_name(unsigned char proto)
56105 +{
56106 + return gr_protocols[proto];
56107 +}
56108 +
56109 +const char *
56110 +gr_socktype_to_name(unsigned char type)
56111 +{
56112 + return gr_socktypes[type];
56113 +}
56114 +
56115 +const char *
56116 +gr_sockfamily_to_name(unsigned char family)
56117 +{
56118 + return gr_sockfamilies[family];
56119 +}
56120 +
56121 +int
56122 +gr_search_socket(const int domain, const int type, const int protocol)
56123 +{
56124 + struct acl_subject_label *curr;
56125 + const struct cred *cred = current_cred();
56126 +
56127 + if (unlikely(!gr_acl_is_enabled()))
56128 + goto exit;
56129 +
56130 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
56131 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
56132 + goto exit; // let the kernel handle it
56133 +
56134 + curr = current->acl;
56135 +
56136 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
56137 + /* the family is allowed, if this is PF_INET allow it only if
56138 + the extra sock type/protocol checks pass */
56139 + if (domain == PF_INET)
56140 + goto inet_check;
56141 + goto exit;
56142 + } else {
56143 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56144 + __u32 fakeip = 0;
56145 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56146 + current->role->roletype, cred->uid,
56147 + cred->gid, current->exec_file ?
56148 + gr_to_filename(current->exec_file->f_path.dentry,
56149 + current->exec_file->f_path.mnt) :
56150 + curr->filename, curr->filename,
56151 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
56152 + &current->signal->saved_ip);
56153 + goto exit;
56154 + }
56155 + goto exit_fail;
56156 + }
56157 +
56158 +inet_check:
56159 + /* the rest of this checking is for IPv4 only */
56160 + if (!curr->ips)
56161 + goto exit;
56162 +
56163 + if ((curr->ip_type & (1 << type)) &&
56164 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
56165 + goto exit;
56166 +
56167 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56168 + /* we don't place acls on raw sockets , and sometimes
56169 + dgram/ip sockets are opened for ioctl and not
56170 + bind/connect, so we'll fake a bind learn log */
56171 + if (type == SOCK_RAW || type == SOCK_PACKET) {
56172 + __u32 fakeip = 0;
56173 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56174 + current->role->roletype, cred->uid,
56175 + cred->gid, current->exec_file ?
56176 + gr_to_filename(current->exec_file->f_path.dentry,
56177 + current->exec_file->f_path.mnt) :
56178 + curr->filename, curr->filename,
56179 + &fakeip, 0, type,
56180 + protocol, GR_CONNECT, &current->signal->saved_ip);
56181 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
56182 + __u32 fakeip = 0;
56183 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56184 + current->role->roletype, cred->uid,
56185 + cred->gid, current->exec_file ?
56186 + gr_to_filename(current->exec_file->f_path.dentry,
56187 + current->exec_file->f_path.mnt) :
56188 + curr->filename, curr->filename,
56189 + &fakeip, 0, type,
56190 + protocol, GR_BIND, &current->signal->saved_ip);
56191 + }
56192 + /* we'll log when they use connect or bind */
56193 + goto exit;
56194 + }
56195 +
56196 +exit_fail:
56197 + if (domain == PF_INET)
56198 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
56199 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
56200 + else
56201 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
56202 + gr_socktype_to_name(type), protocol);
56203 +
56204 + return 0;
56205 +exit:
56206 + return 1;
56207 +}
56208 +
56209 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
56210 +{
56211 + if ((ip->mode & mode) &&
56212 + (ip_port >= ip->low) &&
56213 + (ip_port <= ip->high) &&
56214 + ((ntohl(ip_addr) & our_netmask) ==
56215 + (ntohl(our_addr) & our_netmask))
56216 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
56217 + && (ip->type & (1 << type))) {
56218 + if (ip->mode & GR_INVERT)
56219 + return 2; // specifically denied
56220 + else
56221 + return 1; // allowed
56222 + }
56223 +
56224 + return 0; // not specifically allowed, may continue parsing
56225 +}
56226 +
56227 +static int
56228 +gr_search_connectbind(const int full_mode, struct sock *sk,
56229 + struct sockaddr_in *addr, const int type)
56230 +{
56231 + char iface[IFNAMSIZ] = {0};
56232 + struct acl_subject_label *curr;
56233 + struct acl_ip_label *ip;
56234 + struct inet_sock *isk;
56235 + struct net_device *dev;
56236 + struct in_device *idev;
56237 + unsigned long i;
56238 + int ret;
56239 + int mode = full_mode & (GR_BIND | GR_CONNECT);
56240 + __u32 ip_addr = 0;
56241 + __u32 our_addr;
56242 + __u32 our_netmask;
56243 + char *p;
56244 + __u16 ip_port = 0;
56245 + const struct cred *cred = current_cred();
56246 +
56247 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
56248 + return 0;
56249 +
56250 + curr = current->acl;
56251 + isk = inet_sk(sk);
56252 +
56253 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
56254 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
56255 + addr->sin_addr.s_addr = curr->inaddr_any_override;
56256 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
56257 + struct sockaddr_in saddr;
56258 + int err;
56259 +
56260 + saddr.sin_family = AF_INET;
56261 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
56262 + saddr.sin_port = isk->inet_sport;
56263 +
56264 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56265 + if (err)
56266 + return err;
56267 +
56268 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56269 + if (err)
56270 + return err;
56271 + }
56272 +
56273 + if (!curr->ips)
56274 + return 0;
56275 +
56276 + ip_addr = addr->sin_addr.s_addr;
56277 + ip_port = ntohs(addr->sin_port);
56278 +
56279 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56280 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56281 + current->role->roletype, cred->uid,
56282 + cred->gid, current->exec_file ?
56283 + gr_to_filename(current->exec_file->f_path.dentry,
56284 + current->exec_file->f_path.mnt) :
56285 + curr->filename, curr->filename,
56286 + &ip_addr, ip_port, type,
56287 + sk->sk_protocol, mode, &current->signal->saved_ip);
56288 + return 0;
56289 + }
56290 +
56291 + for (i = 0; i < curr->ip_num; i++) {
56292 + ip = *(curr->ips + i);
56293 + if (ip->iface != NULL) {
56294 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
56295 + p = strchr(iface, ':');
56296 + if (p != NULL)
56297 + *p = '\0';
56298 + dev = dev_get_by_name(sock_net(sk), iface);
56299 + if (dev == NULL)
56300 + continue;
56301 + idev = in_dev_get(dev);
56302 + if (idev == NULL) {
56303 + dev_put(dev);
56304 + continue;
56305 + }
56306 + rcu_read_lock();
56307 + for_ifa(idev) {
56308 + if (!strcmp(ip->iface, ifa->ifa_label)) {
56309 + our_addr = ifa->ifa_address;
56310 + our_netmask = 0xffffffff;
56311 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56312 + if (ret == 1) {
56313 + rcu_read_unlock();
56314 + in_dev_put(idev);
56315 + dev_put(dev);
56316 + return 0;
56317 + } else if (ret == 2) {
56318 + rcu_read_unlock();
56319 + in_dev_put(idev);
56320 + dev_put(dev);
56321 + goto denied;
56322 + }
56323 + }
56324 + } endfor_ifa(idev);
56325 + rcu_read_unlock();
56326 + in_dev_put(idev);
56327 + dev_put(dev);
56328 + } else {
56329 + our_addr = ip->addr;
56330 + our_netmask = ip->netmask;
56331 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56332 + if (ret == 1)
56333 + return 0;
56334 + else if (ret == 2)
56335 + goto denied;
56336 + }
56337 + }
56338 +
56339 +denied:
56340 + if (mode == GR_BIND)
56341 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56342 + else if (mode == GR_CONNECT)
56343 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56344 +
56345 + return -EACCES;
56346 +}
56347 +
56348 +int
56349 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
56350 +{
56351 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
56352 +}
56353 +
56354 +int
56355 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
56356 +{
56357 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
56358 +}
56359 +
56360 +int gr_search_listen(struct socket *sock)
56361 +{
56362 + struct sock *sk = sock->sk;
56363 + struct sockaddr_in addr;
56364 +
56365 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56366 + addr.sin_port = inet_sk(sk)->inet_sport;
56367 +
56368 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56369 +}
56370 +
56371 +int gr_search_accept(struct socket *sock)
56372 +{
56373 + struct sock *sk = sock->sk;
56374 + struct sockaddr_in addr;
56375 +
56376 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56377 + addr.sin_port = inet_sk(sk)->inet_sport;
56378 +
56379 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56380 +}
56381 +
56382 +int
56383 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
56384 +{
56385 + if (addr)
56386 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
56387 + else {
56388 + struct sockaddr_in sin;
56389 + const struct inet_sock *inet = inet_sk(sk);
56390 +
56391 + sin.sin_addr.s_addr = inet->inet_daddr;
56392 + sin.sin_port = inet->inet_dport;
56393 +
56394 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56395 + }
56396 +}
56397 +
56398 +int
56399 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
56400 +{
56401 + struct sockaddr_in sin;
56402 +
56403 + if (unlikely(skb->len < sizeof (struct udphdr)))
56404 + return 0; // skip this packet
56405 +
56406 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
56407 + sin.sin_port = udp_hdr(skb)->source;
56408 +
56409 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56410 +}
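Review bot: gr_socktype_to_name() and gr_sockfamily_to_name() index `gr_socktypes[SOCK_MAX]` and `gr_sockfamilies[AF_MAX+1]` with an `unsigned char` and no range check, so any value at or above the table size reads past the array. gr_search_socket range-checks domain, type and protocol before it logs, but the `denied:` path of gr_search_connectbind passes `sock->type` to gr_socktype_to_name() with no such check visible in this file. Bounding inside the helpers removes the dependency on callers, e.g. `return (type < SOCK_MAX) ? gr_socktypes[type] : "unknown";`, and likewise `family <= AF_MAX` for the family table. Slots past the last initializer in these tables are NULL, so if AF_MAX+1 exceeds the number of names listed the helper can hand a null pointer to the log formatter; the same fallback should cover a NULL entry.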
56411 diff -urNp linux-2.6.39.1/grsecurity/gracl_learn.c linux-2.6.39.1/grsecurity/gracl_learn.c
56412 --- linux-2.6.39.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
56413 +++ linux-2.6.39.1/grsecurity/gracl_learn.c 2011-05-22 22:47:45.000000000 -0400
56414 @@ -0,0 +1,210 @@
56415 +#include <linux/kernel.h>
56416 +#include <linux/mm.h>
56417 +#include <linux/sched.h>
56418 +#include <linux/poll.h>
56419 +#include <linux/string.h>
56420 +#include <linux/file.h>
56421 +#include <linux/types.h>
56422 +#include <linux/vmalloc.h>
56423 +#include <linux/grinternal.h>
56424 +
56425 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
56426 + size_t count, loff_t *ppos);
56427 +extern int gr_acl_is_enabled(void);
56428 +
56429 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
56430 +static int gr_learn_attached;
56431 +
56432 +/* use a 512k buffer */
56433 +#define LEARN_BUFFER_SIZE (512 * 1024)
56434 +
56435 +static DEFINE_SPINLOCK(gr_learn_lock);
56436 +static DEFINE_MUTEX(gr_learn_user_mutex);
56437 +
56438 +/* we need to maintain two buffers, so that the kernel context of grlearn
56439 + uses a semaphore around the userspace copying, and the other kernel contexts
56440 + use a spinlock when copying into the buffer, since they cannot sleep
56441 +*/
56442 +static char *learn_buffer;
56443 +static char *learn_buffer_user;
56444 +static int learn_buffer_len;
56445 +static int learn_buffer_user_len;
56446 +
56447 +static ssize_t
56448 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
56449 +{
56450 + DECLARE_WAITQUEUE(wait, current);
56451 + ssize_t retval = 0;
56452 +
56453 + add_wait_queue(&learn_wait, &wait);
56454 + set_current_state(TASK_INTERRUPTIBLE);
56455 + do {
56456 + mutex_lock(&gr_learn_user_mutex);
56457 + spin_lock(&gr_learn_lock);
56458 + if (learn_buffer_len)
56459 + break;
56460 + spin_unlock(&gr_learn_lock);
56461 + mutex_unlock(&gr_learn_user_mutex);
56462 + if (file->f_flags & O_NONBLOCK) {
56463 + retval = -EAGAIN;
56464 + goto out;
56465 + }
56466 + if (signal_pending(current)) {
56467 + retval = -ERESTARTSYS;
56468 + goto out;
56469 + }
56470 +
56471 + schedule();
56472 + } while (1);
56473 +
56474 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
56475 + learn_buffer_user_len = learn_buffer_len;
56476 + retval = learn_buffer_len;
56477 + learn_buffer_len = 0;
56478 +
56479 + spin_unlock(&gr_learn_lock);
56480 +
56481 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
56482 + retval = -EFAULT;
56483 +
56484 + mutex_unlock(&gr_learn_user_mutex);
56485 +out:
56486 + set_current_state(TASK_RUNNING);
56487 + remove_wait_queue(&learn_wait, &wait);
56488 + return retval;
56489 +}
56490 +
56491 +static unsigned int
56492 +poll_learn(struct file * file, poll_table * wait)
56493 +{
56494 + poll_wait(file, &learn_wait, wait);
56495 +
56496 + if (learn_buffer_len)
56497 + return (POLLIN | POLLRDNORM);
56498 +
56499 + return 0;
56500 +}
56501 +
56502 +void
56503 +gr_clear_learn_entries(void)
56504 +{
56505 + char *tmp;
56506 +
56507 + mutex_lock(&gr_learn_user_mutex);
56508 + if (learn_buffer != NULL) {
56509 + spin_lock(&gr_learn_lock);
56510 + tmp = learn_buffer;
56511 + learn_buffer = NULL;
56512 + spin_unlock(&gr_learn_lock);
56513 + vfree(learn_buffer);
56514 + }
56515 + if (learn_buffer_user != NULL) {
56516 + vfree(learn_buffer_user);
56517 + learn_buffer_user = NULL;
56518 + }
56519 + learn_buffer_len = 0;
56520 + mutex_unlock(&gr_learn_user_mutex);
56521 +
56522 + return;
56523 +}
56524 +
56525 +void
56526 +gr_add_learn_entry(const char *fmt, ...)
56527 +{
56528 + va_list args;
56529 + unsigned int len;
56530 +
56531 + if (!gr_learn_attached)
56532 + return;
56533 +
56534 + spin_lock(&gr_learn_lock);
56535 +
56536 + /* leave a gap at the end so we know when it's "full" but don't have to
56537 + compute the exact length of the string we're trying to append
56538 + */
56539 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
56540 + spin_unlock(&gr_learn_lock);
56541 + wake_up_interruptible(&learn_wait);
56542 + return;
56543 + }
56544 + if (learn_buffer == NULL) {
56545 + spin_unlock(&gr_learn_lock);
56546 + return;
56547 + }
56548 +
56549 + va_start(args, fmt);
56550 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
56551 + va_end(args);
56552 +
56553 + learn_buffer_len += len + 1;
56554 +
56555 + spin_unlock(&gr_learn_lock);
56556 + wake_up_interruptible(&learn_wait);
56557 +
56558 + return;
56559 +}
56560 +
56561 +static int
56562 +open_learn(struct inode *inode, struct file *file)
56563 +{
56564 + if (file->f_mode & FMODE_READ && gr_learn_attached)
56565 + return -EBUSY;
56566 + if (file->f_mode & FMODE_READ) {
56567 + int retval = 0;
56568 + mutex_lock(&gr_learn_user_mutex);
56569 + if (learn_buffer == NULL)
56570 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
56571 + if (learn_buffer_user == NULL)
56572 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
56573 + if (learn_buffer == NULL) {
56574 + retval = -ENOMEM;
56575 + goto out_error;
56576 + }
56577 + if (learn_buffer_user == NULL) {
56578 + retval = -ENOMEM;
56579 + goto out_error;
56580 + }
56581 + learn_buffer_len = 0;
56582 + learn_buffer_user_len = 0;
56583 + gr_learn_attached = 1;
56584 +out_error:
56585 + mutex_unlock(&gr_learn_user_mutex);
56586 + return retval;
56587 + }
56588 + return 0;
56589 +}
56590 +
56591 +static int
56592 +close_learn(struct inode *inode, struct file *file)
56593 +{
56594 + char *tmp;
56595 +
56596 + if (file->f_mode & FMODE_READ) {
56597 + mutex_lock(&gr_learn_user_mutex);
56598 + if (learn_buffer != NULL) {
56599 + spin_lock(&gr_learn_lock);
56600 + tmp = learn_buffer;
56601 + learn_buffer = NULL;
56602 + spin_unlock(&gr_learn_lock);
56603 + vfree(tmp);
56604 + }
56605 + if (learn_buffer_user != NULL) {
56606 + vfree(learn_buffer_user);
56607 + learn_buffer_user = NULL;
56608 + }
56609 + learn_buffer_len = 0;
56610 + learn_buffer_user_len = 0;
56611 + gr_learn_attached = 0;
56612 + mutex_unlock(&gr_learn_user_mutex);
56613 + }
56614 +
56615 + return 0;
56616 +}
56617 +
56618 +const struct file_operations grsec_fops = {
56619 + .read = read_learn,
56620 + .write = write_grsec_handler,
56621 + .open = open_learn,
56622 + .release = close_learn,
56623 + .poll = poll_learn,
56624 +};
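Review bot: `gr_clear_learn_entries()` saves the buffer pointer in `tmp`, sets `learn_buffer = NULL`, and then calls `vfree(learn_buffer)`, so it frees NULL and leaks the 512k vmalloc area whenever a buffer is present; the call should be `vfree(tmp);`, as `close_learn()` already does. The same function leaves `learn_buffer_user_len` untouched, while `close_learn()` resets it. Separately, `read_learn()` hands `learn_buffer_user_len` to `copy_to_user()` without comparing it with `count`, so a reader that passes a buffer smaller than the pending data gets more bytes written than it asked for. Clamping the copy to `count`, or failing the read when `count` is too small, would keep the read contract.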
56625 diff -urNp linux-2.6.39.1/grsecurity/gracl_res.c linux-2.6.39.1/grsecurity/gracl_res.c
56626 --- linux-2.6.39.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
56627 +++ linux-2.6.39.1/grsecurity/gracl_res.c 2011-05-22 19:41:42.000000000 -0400
56628 @@ -0,0 +1,68 @@
56629 +#include <linux/kernel.h>
56630 +#include <linux/sched.h>
56631 +#include <linux/gracl.h>
56632 +#include <linux/grinternal.h>
56633 +
56634 +static const char *restab_log[] = {
56635 + [RLIMIT_CPU] = "RLIMIT_CPU",
56636 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
56637 + [RLIMIT_DATA] = "RLIMIT_DATA",
56638 + [RLIMIT_STACK] = "RLIMIT_STACK",
56639 + [RLIMIT_CORE] = "RLIMIT_CORE",
56640 + [RLIMIT_RSS] = "RLIMIT_RSS",
56641 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
56642 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
56643 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
56644 + [RLIMIT_AS] = "RLIMIT_AS",
56645 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
56646 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
56647 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
56648 + [RLIMIT_NICE] = "RLIMIT_NICE",
56649 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
56650 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
56651 + [GR_CRASH_RES] = "RLIMIT_CRASH"
56652 +};
56653 +
56654 +void
56655 +gr_log_resource(const struct task_struct *task,
56656 + const int res, const unsigned long wanted, const int gt)
56657 +{
56658 + const struct cred *cred;
56659 + unsigned long rlim;
56660 +
56661 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
56662 + return;
56663 +
56664 + // not yet supported resource
56665 + if (unlikely(!restab_log[res]))
56666 + return;
56667 +
56668 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
56669 + rlim = task_rlimit_max(task, res);
56670 + else
56671 + rlim = task_rlimit(task, res);
56672 +
56673 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
56674 + return;
56675 +
56676 + rcu_read_lock();
56677 + cred = __task_cred(task);
56678 +
56679 + if (res == RLIMIT_NPROC &&
56680 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
56681 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
56682 + goto out_rcu_unlock;
56683 + else if (res == RLIMIT_MEMLOCK &&
56684 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
56685 + goto out_rcu_unlock;
56686 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
56687 + goto out_rcu_unlock;
56688 + rcu_read_unlock();
56689 +
56690 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
56691 +
56692 + return;
56693 +out_rcu_unlock:
56694 + rcu_read_unlock();
56695 + return;
56696 +}
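Review bot: `gr_log_resource()` indexes `restab_log[res]` before anything checks that `res` lies inside the table, so a negative or too-large value reads past the array; the `!restab_log[res]` test only covers holes inside it. A guard such as `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;` makes the lookup safe regardless of what the callers, which this hunk does not show, pass in. A one-line comment saying that `gt` selects between `wanted <= rlim` and `wanted < rlim` as the within-limit test would also help the next reader.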
56697 diff -urNp linux-2.6.39.1/grsecurity/gracl_segv.c linux-2.6.39.1/grsecurity/gracl_segv.c
56698 --- linux-2.6.39.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
56699 +++ linux-2.6.39.1/grsecurity/gracl_segv.c 2011-05-22 22:47:39.000000000 -0400
56700 @@ -0,0 +1,299 @@
56701 +#include <linux/kernel.h>
56702 +#include <linux/mm.h>
56703 +#include <asm/uaccess.h>
56704 +#include <asm/errno.h>
56705 +#include <asm/mman.h>
56706 +#include <net/sock.h>
56707 +#include <linux/file.h>
56708 +#include <linux/fs.h>
56709 +#include <linux/net.h>
56710 +#include <linux/in.h>
56711 +#include <linux/slab.h>
56712 +#include <linux/types.h>
56713 +#include <linux/sched.h>
56714 +#include <linux/timer.h>
56715 +#include <linux/gracl.h>
56716 +#include <linux/grsecurity.h>
56717 +#include <linux/grinternal.h>
56718 +
56719 +static struct crash_uid *uid_set;
56720 +static unsigned short uid_used;
56721 +static DEFINE_SPINLOCK(gr_uid_lock);
56722 +extern rwlock_t gr_inode_lock;
56723 +extern struct acl_subject_label *
56724 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
56725 + struct acl_role_label *role);
56726 +
56727 +#ifdef CONFIG_BTRFS_FS
56728 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
56729 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
56730 +#endif
56731 +
56732 +static inline dev_t __get_dev(const struct dentry *dentry)
56733 +{
56734 +#ifdef CONFIG_BTRFS_FS
56735 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
56736 + return get_btrfs_dev_from_inode(dentry->d_inode);
56737 + else
56738 +#endif
56739 + return dentry->d_inode->i_sb->s_dev;
56740 +}
56741 +
56742 +int
56743 +gr_init_uidset(void)
56744 +{
56745 + uid_set =
56746 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
56747 + uid_used = 0;
56748 +
56749 + return uid_set ? 1 : 0;
56750 +}
56751 +
56752 +void
56753 +gr_free_uidset(void)
56754 +{
56755 + if (uid_set)
56756 + kfree(uid_set);
56757 +
56758 + return;
56759 +}
56760 +
56761 +int
56762 +gr_find_uid(const uid_t uid)
56763 +{
56764 + struct crash_uid *tmp = uid_set;
56765 + uid_t buid;
56766 + int low = 0, high = uid_used - 1, mid;
56767 +
56768 + while (high >= low) {
56769 + mid = (low + high) >> 1;
56770 + buid = tmp[mid].uid;
56771 + if (buid == uid)
56772 + return mid;
56773 + if (buid > uid)
56774 + high = mid - 1;
56775 + if (buid < uid)
56776 + low = mid + 1;
56777 + }
56778 +
56779 + return -1;
56780 +}
56781 +
56782 +static __inline__ void
56783 +gr_insertsort(void)
56784 +{
56785 + unsigned short i, j;
56786 + struct crash_uid index;
56787 +
56788 + for (i = 1; i < uid_used; i++) {
56789 + index = uid_set[i];
56790 + j = i;
56791 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
56792 + uid_set[j] = uid_set[j - 1];
56793 + j--;
56794 + }
56795 + uid_set[j] = index;
56796 + }
56797 +
56798 + return;
56799 +}
56800 +
56801 +static __inline__ void
56802 +gr_insert_uid(const uid_t uid, const unsigned long expires)
56803 +{
56804 + int loc;
56805 +
56806 + if (uid_used == GR_UIDTABLE_MAX)
56807 + return;
56808 +
56809 + loc = gr_find_uid(uid);
56810 +
56811 + if (loc >= 0) {
56812 + uid_set[loc].expires = expires;
56813 + return;
56814 + }
56815 +
56816 + uid_set[uid_used].uid = uid;
56817 + uid_set[uid_used].expires = expires;
56818 + uid_used++;
56819 +
56820 + gr_insertsort();
56821 +
56822 + return;
56823 +}
56824 +
56825 +void
56826 +gr_remove_uid(const unsigned short loc)
56827 +{
56828 + unsigned short i;
56829 +
56830 + for (i = loc + 1; i < uid_used; i++)
56831 + uid_set[i - 1] = uid_set[i];
56832 +
56833 + uid_used--;
56834 +
56835 + return;
56836 +}
56837 +
56838 +int
56839 +gr_check_crash_uid(const uid_t uid)
56840 +{
56841 + int loc;
56842 + int ret = 0;
56843 +
56844 + if (unlikely(!gr_acl_is_enabled()))
56845 + return 0;
56846 +
56847 + spin_lock(&gr_uid_lock);
56848 + loc = gr_find_uid(uid);
56849 +
56850 + if (loc < 0)
56851 + goto out_unlock;
56852 +
56853 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
56854 + gr_remove_uid(loc);
56855 + else
56856 + ret = 1;
56857 +
56858 +out_unlock:
56859 + spin_unlock(&gr_uid_lock);
56860 + return ret;
56861 +}
56862 +
56863 +static __inline__ int
56864 +proc_is_setxid(const struct cred *cred)
56865 +{
56866 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
56867 + cred->uid != cred->fsuid)
56868 + return 1;
56869 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
56870 + cred->gid != cred->fsgid)
56871 + return 1;
56872 +
56873 + return 0;
56874 +}
56875 +
56876 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
56877 +
56878 +void
56879 +gr_handle_crash(struct task_struct *task, const int sig)
56880 +{
56881 + struct acl_subject_label *curr;
56882 + struct acl_subject_label *curr2;
56883 + struct task_struct *tsk, *tsk2;
56884 + const struct cred *cred;
56885 + const struct cred *cred2;
56886 +
56887 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
56888 + return;
56889 +
56890 + if (unlikely(!gr_acl_is_enabled()))
56891 + return;
56892 +
56893 + curr = task->acl;
56894 +
56895 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
56896 + return;
56897 +
56898 + if (time_before_eq(curr->expires, get_seconds())) {
56899 + curr->expires = 0;
56900 + curr->crashes = 0;
56901 + }
56902 +
56903 + curr->crashes++;
56904 +
56905 + if (!curr->expires)
56906 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
56907 +
56908 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
56909 + time_after(curr->expires, get_seconds())) {
56910 + rcu_read_lock();
56911 + cred = __task_cred(task);
56912 + if (cred->uid && proc_is_setxid(cred)) {
56913 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
56914 + spin_lock(&gr_uid_lock);
56915 + gr_insert_uid(cred->uid, curr->expires);
56916 + spin_unlock(&gr_uid_lock);
56917 + curr->expires = 0;
56918 + curr->crashes = 0;
56919 + read_lock(&tasklist_lock);
56920 + do_each_thread(tsk2, tsk) {
56921 + cred2 = __task_cred(tsk);
56922 + if (tsk != task && cred2->uid == cred->uid)
56923 + gr_fake_force_sig(SIGKILL, tsk);
56924 + } while_each_thread(tsk2, tsk);
56925 + read_unlock(&tasklist_lock);
56926 + } else {
56927 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
56928 + read_lock(&tasklist_lock);
56929 + do_each_thread(tsk2, tsk) {
56930 + if (likely(tsk != task)) {
56931 + curr2 = tsk->acl;
56932 +
56933 + if (curr2->device == curr->device &&
56934 + curr2->inode == curr->inode)
56935 + gr_fake_force_sig(SIGKILL, tsk);
56936 + }
56937 + } while_each_thread(tsk2, tsk);
56938 + read_unlock(&tasklist_lock);
56939 + }
56940 + rcu_read_unlock();
56941 + }
56942 +
56943 + return;
56944 +}
56945 +
56946 +int
56947 +gr_check_crash_exec(const struct file *filp)
56948 +{
56949 + struct acl_subject_label *curr;
56950 +
56951 + if (unlikely(!gr_acl_is_enabled()))
56952 + return 0;
56953 +
56954 + read_lock(&gr_inode_lock);
56955 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
56956 + __get_dev(filp->f_path.dentry),
56957 + current->role);
56958 + read_unlock(&gr_inode_lock);
56959 +
56960 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
56961 + (!curr->crashes && !curr->expires))
56962 + return 0;
56963 +
56964 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
56965 + time_after(curr->expires, get_seconds()))
56966 + return 1;
56967 + else if (time_before_eq(curr->expires, get_seconds())) {
56968 + curr->crashes = 0;
56969 + curr->expires = 0;
56970 + }
56971 +
56972 + return 0;
56973 +}
56974 +
56975 +void
56976 +gr_handle_alertkill(struct task_struct *task)
56977 +{
56978 + struct acl_subject_label *curracl;
56979 + __u32 curr_ip;
56980 + struct task_struct *p, *p2;
56981 +
56982 + if (unlikely(!gr_acl_is_enabled()))
56983 + return;
56984 +
56985 + curracl = task->acl;
56986 + curr_ip = task->signal->curr_ip;
56987 +
56988 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
56989 + read_lock(&tasklist_lock);
56990 + do_each_thread(p2, p) {
56991 + if (p->signal->curr_ip == curr_ip)
56992 + gr_fake_force_sig(SIGKILL, p);
56993 + } while_each_thread(p2, p);
56994 + read_unlock(&tasklist_lock);
56995 + } else if (curracl->mode & GR_KILLPROC)
56996 + gr_fake_force_sig(SIGKILL, task);
56997 +
56998 + return;
56999 +}
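Review bot: `gr_insert_uid()` returns as soon as `uid_used == GR_UIDTABLE_MAX`, before the `gr_find_uid()` lookup, so once the table is full a uid that is already listed does not get its `expires` refreshed and a new uid is dropped with no log entry, leaving the crash lockout silently unenforced for it. Moving the full-table test below the `if (loc >= 0)` branch fixes the refresh case, and a log call on the drop path would make the condition visible to operators. Expired entries are only removed in `gr_check_crash_uid()` when that same uid is looked up again, so stale entries can keep the table full; pruning expired entries before giving up would help. `gr_free_uidset()` could also set `uid_set = NULL` and `uid_used = 0` after `kfree()` so that a later `gr_find_uid()` cannot walk freed memory.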
57000 diff -urNp linux-2.6.39.1/grsecurity/gracl_shm.c linux-2.6.39.1/grsecurity/gracl_shm.c
57001 --- linux-2.6.39.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57002 +++ linux-2.6.39.1/grsecurity/gracl_shm.c 2011-05-22 19:41:42.000000000 -0400
57003 @@ -0,0 +1,40 @@
57004 +#include <linux/kernel.h>
57005 +#include <linux/mm.h>
57006 +#include <linux/sched.h>
57007 +#include <linux/file.h>
57008 +#include <linux/ipc.h>
57009 +#include <linux/gracl.h>
57010 +#include <linux/grsecurity.h>
57011 +#include <linux/grinternal.h>
57012 +
57013 +int
57014 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57015 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57016 +{
57017 + struct task_struct *task;
57018 +
57019 + if (!gr_acl_is_enabled())
57020 + return 1;
57021 +
57022 + rcu_read_lock();
57023 + read_lock(&tasklist_lock);
57024 +
57025 + task = find_task_by_vpid(shm_cprid);
57026 +
57027 + if (unlikely(!task))
57028 + task = find_task_by_vpid(shm_lapid);
57029 +
57030 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57031 + (task->pid == shm_lapid)) &&
57032 + (task->acl->mode & GR_PROTSHM) &&
57033 + (task->acl != current->acl))) {
57034 + read_unlock(&tasklist_lock);
57035 + rcu_read_unlock();
57036 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57037 + return 0;
57038 + }
57039 + read_unlock(&tasklist_lock);
57040 + rcu_read_unlock();
57041 +
57042 + return 1;
57043 +}
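Review bot: `gr_handle_shmat()` treats `shm_lapid` as a namespace-relative pid in `find_task_by_vpid(shm_lapid)` but compares it with the global `task->pid` in `(task->pid == shm_lapid)`; the two agree only in the initial pid namespace. Which side is wrong depends on how the caller records `shm_lapid`, which this hunk does not show; if it is a virtual pid the comparison would be `task_pid_vnr(task) == shm_lapid`. The function also deserves a header comment stating that it appears to return 1 to allow the attach and 0 to deny it, since other `gr_handle_*` helpers in this patch use 0 or a negative errno for those meanings.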
57044 diff -urNp linux-2.6.39.1/grsecurity/grsec_chdir.c linux-2.6.39.1/grsecurity/grsec_chdir.c
57045 --- linux-2.6.39.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57046 +++ linux-2.6.39.1/grsecurity/grsec_chdir.c 2011-05-22 19:41:42.000000000 -0400
57047 @@ -0,0 +1,19 @@
57048 +#include <linux/kernel.h>
57049 +#include <linux/sched.h>
57050 +#include <linux/fs.h>
57051 +#include <linux/file.h>
57052 +#include <linux/grsecurity.h>
57053 +#include <linux/grinternal.h>
57054 +
57055 +void
57056 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57057 +{
57058 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57059 + if ((grsec_enable_chdir && grsec_enable_group &&
57060 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57061 + !grsec_enable_group)) {
57062 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57063 + }
57064 +#endif
57065 + return;
57066 +}
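Review bot: The audit condition in `gr_log_chdir()` tests `grsec_enable_chdir` twice and is harder to read than it needs to be; it is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`. The trailing bare `return;` in a void function can go as well.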
57067 diff -urNp linux-2.6.39.1/grsecurity/grsec_chroot.c linux-2.6.39.1/grsecurity/grsec_chroot.c
57068 --- linux-2.6.39.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57069 +++ linux-2.6.39.1/grsecurity/grsec_chroot.c 2011-05-22 19:41:42.000000000 -0400
57070 @@ -0,0 +1,355 @@
57071 +#include <linux/kernel.h>
57072 +#include <linux/module.h>
57073 +#include <linux/sched.h>
57074 +#include <linux/file.h>
57075 +#include <linux/fs.h>
57076 +#include <linux/mount.h>
57077 +#include <linux/types.h>
57078 +#include <linux/pid_namespace.h>
57079 +#include <linux/grsecurity.h>
57080 +#include <linux/grinternal.h>
57081 +
57082 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
57083 +{
57084 +#ifdef CONFIG_GRKERNSEC
57085 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
57086 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
57087 + task->gr_is_chrooted = 1;
57088 + else
57089 + task->gr_is_chrooted = 0;
57090 +
57091 + task->gr_chroot_dentry = path->dentry;
57092 +#endif
57093 + return;
57094 +}
57095 +
57096 +void gr_clear_chroot_entries(struct task_struct *task)
57097 +{
57098 +#ifdef CONFIG_GRKERNSEC
57099 + task->gr_is_chrooted = 0;
57100 + task->gr_chroot_dentry = NULL;
57101 +#endif
57102 + return;
57103 +}
57104 +
57105 +int
57106 +gr_handle_chroot_unix(struct pid *pid)
57107 +{
57108 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57109 + struct task_struct *p;
57110 +
57111 + if (unlikely(!grsec_enable_chroot_unix))
57112 + return 1;
57113 +
57114 + if (likely(!proc_is_chrooted(current)))
57115 + return 1;
57116 +
57117 + rcu_read_lock();
57118 + read_lock(&tasklist_lock);
57119 + p = pid_task(pid, PIDTYPE_PID);
57120 + if (unlikely(p && !have_same_root(current, p))) {
57121 + read_unlock(&tasklist_lock);
57122 + rcu_read_unlock();
57123 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
57124 + return 0;
57125 + }
57126 + read_unlock(&tasklist_lock);
57127 + rcu_read_unlock();
57128 +#endif
57129 + return 1;
57130 +}
57131 +
57132 +int
57133 +gr_handle_chroot_nice(void)
57134 +{
57135 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57136 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
57137 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
57138 + return -EPERM;
57139 + }
57140 +#endif
57141 + return 0;
57142 +}
57143 +
57144 +int
57145 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
57146 +{
57147 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57148 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
57149 + && proc_is_chrooted(current)) {
57150 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
57151 + return -EACCES;
57152 + }
57153 +#endif
57154 + return 0;
57155 +}
57156 +
57157 +int
57158 +gr_handle_chroot_rawio(const struct inode *inode)
57159 +{
57160 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57161 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
57162 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
57163 + return 1;
57164 +#endif
57165 + return 0;
57166 +}
57167 +
57168 +int
57169 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
57170 +{
57171 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57172 + struct task_struct *p;
57173 + int ret = 0;
57174 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
57175 + return ret;
57176 +
57177 + read_lock(&tasklist_lock);
57178 + do_each_pid_task(pid, type, p) {
57179 + if (!have_same_root(current, p)) {
57180 + ret = 1;
57181 + goto out;
57182 + }
57183 + } while_each_pid_task(pid, type, p);
57184 +out:
57185 + read_unlock(&tasklist_lock);
57186 + return ret;
57187 +#endif
57188 + return 0;
57189 +}
57190 +
57191 +int
57192 +gr_pid_is_chrooted(struct task_struct *p)
57193 +{
57194 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57195 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
57196 + return 0;
57197 +
57198 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
57199 + !have_same_root(current, p)) {
57200 + return 1;
57201 + }
57202 +#endif
57203 + return 0;
57204 +}
57205 +
57206 +EXPORT_SYMBOL(gr_pid_is_chrooted);
57207 +
57208 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
57209 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
57210 +{
57211 + struct path path, currentroot;
57212 + int ret = 0;
57213 +
57214 + path.dentry = (struct dentry *)u_dentry;
57215 + path.mnt = (struct vfsmount *)u_mnt;
57216 + get_fs_root(current->fs, &currentroot);
57217 + if (path_is_under(&path, &currentroot))
57218 + ret = 1;
57219 + path_put(&currentroot);
57220 +
57221 + return ret;
57222 +}
57223 +#endif
57224 +
57225 +int
57226 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
57227 +{
57228 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57229 + if (!grsec_enable_chroot_fchdir)
57230 + return 1;
57231 +
57232 + if (!proc_is_chrooted(current))
57233 + return 1;
57234 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
57235 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
57236 + return 0;
57237 + }
57238 +#endif
57239 + return 1;
57240 +}
57241 +
57242 +int
57243 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57244 + const time_t shm_createtime)
57245 +{
57246 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57247 + struct pid *pid = NULL;
57248 + time_t starttime;
57249 +
57250 + if (unlikely(!grsec_enable_chroot_shmat))
57251 + return 1;
57252 +
57253 + if (likely(!proc_is_chrooted(current)))
57254 + return 1;
57255 +
57256 + rcu_read_lock();
57257 + read_lock(&tasklist_lock);
57258 +
57259 + pid = find_vpid(shm_cprid);
57260 + if (pid) {
57261 + struct task_struct *p;
57262 + p = pid_task(pid, PIDTYPE_PID);
57263 + if (p == NULL)
57264 + goto unlock;
57265 + starttime = p->start_time.tv_sec;
57266 + if (unlikely(!have_same_root(current, p) &&
57267 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
57268 + read_unlock(&tasklist_lock);
57269 + rcu_read_unlock();
57270 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57271 + return 0;
57272 + }
57273 + } else {
57274 + pid = find_vpid(shm_lapid);
57275 + if (pid) {
57276 + struct task_struct *p;
57277 + p = pid_task(pid, PIDTYPE_PID);
57278 + if (p == NULL)
57279 + goto unlock;
57280 + if (unlikely(!have_same_root(current, p))) {
57281 + read_unlock(&tasklist_lock);
57282 + rcu_read_unlock();
57283 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57284 + return 0;
57285 + }
57286 + }
57287 + }
57288 +unlock:
57289 + read_unlock(&tasklist_lock);
57290 + rcu_read_unlock();
57291 +#endif
57292 + return 1;
57293 +}
57294 +
57295 +void
57296 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
57297 +{
57298 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57299 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
57300 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
57301 +#endif
57302 + return;
57303 +}
57304 +
57305 +int
57306 +gr_handle_chroot_mknod(const struct dentry *dentry,
57307 + const struct vfsmount *mnt, const int mode)
57308 +{
57309 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57310 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
57311 + proc_is_chrooted(current)) {
57312 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
57313 + return -EPERM;
57314 + }
57315 +#endif
57316 + return 0;
57317 +}
57318 +
57319 +int
57320 +gr_handle_chroot_mount(const struct dentry *dentry,
57321 + const struct vfsmount *mnt, const char *dev_name)
57322 +{
57323 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57324 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
57325 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
57326 + return -EPERM;
57327 + }
57328 +#endif
57329 + return 0;
57330 +}
57331 +
57332 +int
57333 +gr_handle_chroot_pivot(void)
57334 +{
57335 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57336 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
57337 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
57338 + return -EPERM;
57339 + }
57340 +#endif
57341 + return 0;
57342 +}
57343 +
57344 +int
57345 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
57346 +{
57347 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57348 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
57349 + !gr_is_outside_chroot(dentry, mnt)) {
57350 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
57351 + return -EPERM;
57352 + }
57353 +#endif
57354 + return 0;
57355 +}
57356 +
57357 +int
57358 +gr_handle_chroot_caps(struct path *path)
57359 +{
57360 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57361 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
57362 + (init_task.fs->root.dentry != path->dentry) &&
57363 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
57364 +
57365 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
57366 + const struct cred *old = current_cred();
57367 + struct cred *new = prepare_creds();
57368 + if (new == NULL)
57369 + return 1;
57370 +
57371 + new->cap_permitted = cap_drop(old->cap_permitted,
57372 + chroot_caps);
57373 + new->cap_inheritable = cap_drop(old->cap_inheritable,
57374 + chroot_caps);
57375 + new->cap_effective = cap_drop(old->cap_effective,
57376 + chroot_caps);
57377 +
57378 + commit_creds(new);
57379 +
57380 + return 0;
57381 + }
57382 +#endif
57383 + return 0;
57384 +}
57385 +
57386 +int
57387 +gr_handle_chroot_sysctl(const int op)
57388 +{
57389 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57390 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
57391 + proc_is_chrooted(current))
57392 + return -EACCES;
57393 +#endif
57394 + return 0;
57395 +}
57396 +
57397 +void
57398 +gr_handle_chroot_chdir(struct path *path)
57399 +{
57400 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57401 + if (grsec_enable_chroot_chdir)
57402 + set_fs_pwd(current->fs, path);
57403 +#endif
57404 + return;
57405 +}
57406 +
57407 +int
57408 +gr_handle_chroot_chmod(const struct dentry *dentry,
57409 + const struct vfsmount *mnt, const int mode)
57410 +{
57411 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57412 + /* allow chmod +s on directories, but not files */
57413 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
57414 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
57415 + proc_is_chrooted(current)) {
57416 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
57417 + return -EPERM;
57418 + }
57419 +#endif
57420 + return 0;
57421 +}
57422 +
57423 +#ifdef CONFIG_SECURITY
57424 +EXPORT_SYMBOL(gr_handle_chroot_caps);
57425 +#endif
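Review bot: `gr_is_outside_chroot()` returns 1 when `path_is_under(&path, &currentroot)` succeeds, i.e. when the path is inside the caller's root, which is the opposite of what its name says. The callers `gr_chroot_fchdir()` and `gr_handle_chroot_chroot()` deny on `!gr_is_outside_chroot(...)`, so the checks work but read inverted. Since the function is not static and may be called from outside this hunk, I would at least add `/* returns 1 if the path is under current's root (inside the chroot), 0 if not */` above it. The hunk also mixes return conventions: `gr_handle_chroot_unix()` and `gr_chroot_fchdir()` appear to return 1 for allowed, `gr_handle_chroot_rawio()` appears to return 1 for denied, and most of the others return 0 or a negative errno. A short comment on each function stating its convention would keep call sites from getting one backwards.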
57426 diff -urNp linux-2.6.39.1/grsecurity/grsec_disabled.c linux-2.6.39.1/grsecurity/grsec_disabled.c
57427 --- linux-2.6.39.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
57428 +++ linux-2.6.39.1/grsecurity/grsec_disabled.c 2011-05-22 19:41:42.000000000 -0400
57429 @@ -0,0 +1,447 @@
57430 +#include <linux/kernel.h>
57431 +#include <linux/module.h>
57432 +#include <linux/sched.h>
57433 +#include <linux/file.h>
57434 +#include <linux/fs.h>
57435 +#include <linux/kdev_t.h>
57436 +#include <linux/net.h>
57437 +#include <linux/in.h>
57438 +#include <linux/ip.h>
57439 +#include <linux/skbuff.h>
57440 +#include <linux/sysctl.h>
57441 +
57442 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57443 +void
57444 +pax_set_initial_flags(struct linux_binprm *bprm)
57445 +{
57446 + return;
57447 +}
57448 +#endif
57449 +
57450 +#ifdef CONFIG_SYSCTL
57451 +__u32
57452 +gr_handle_sysctl(const struct ctl_table * table, const int op)
57453 +{
57454 + return 0;
57455 +}
57456 +#endif
57457 +
57458 +#ifdef CONFIG_TASKSTATS
57459 +int gr_is_taskstats_denied(int pid)
57460 +{
57461 + return 0;
57462 +}
57463 +#endif
57464 +
57465 +int
57466 +gr_acl_is_enabled(void)
57467 +{
57468 + return 0;
57469 +}
57470 +
57471 +int
57472 +gr_handle_rawio(const struct inode *inode)
57473 +{
57474 + return 0;
57475 +}
57476 +
57477 +void
57478 +gr_acl_handle_psacct(struct task_struct *task, const long code)
57479 +{
57480 + return;
57481 +}
57482 +
57483 +int
57484 +gr_handle_ptrace(struct task_struct *task, const long request)
57485 +{
57486 + return 0;
57487 +}
57488 +
57489 +int
57490 +gr_handle_proc_ptrace(struct task_struct *task)
57491 +{
57492 + return 0;
57493 +}
57494 +
57495 +void
57496 +gr_learn_resource(const struct task_struct *task,
57497 + const int res, const unsigned long wanted, const int gt)
57498 +{
57499 + return;
57500 +}
57501 +
57502 +int
57503 +gr_set_acls(const int type)
57504 +{
57505 + return 0;
57506 +}
57507 +
57508 +int
57509 +gr_check_hidden_task(const struct task_struct *tsk)
57510 +{
57511 + return 0;
57512 +}
57513 +
57514 +int
57515 +gr_check_protected_task(const struct task_struct *task)
57516 +{
57517 + return 0;
57518 +}
57519 +
57520 +int
57521 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
57522 +{
57523 + return 0;
57524 +}
57525 +
57526 +void
57527 +gr_copy_label(struct task_struct *tsk)
57528 +{
57529 + return;
57530 +}
57531 +
57532 +void
57533 +gr_set_pax_flags(struct task_struct *task)
57534 +{
57535 + return;
57536 +}
57537 +
57538 +int
57539 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
57540 + const int unsafe_share)
57541 +{
57542 + return 0;
57543 +}
57544 +
57545 +void
57546 +gr_handle_delete(const ino_t ino, const dev_t dev)
57547 +{
57548 + return;
57549 +}
57550 +
57551 +void
57552 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
57553 +{
57554 + return;
57555 +}
57556 +
57557 +void
57558 +gr_handle_crash(struct task_struct *task, const int sig)
57559 +{
57560 + return;
57561 +}
57562 +
57563 +int
57564 +gr_check_crash_exec(const struct file *filp)
57565 +{
57566 + return 0;
57567 +}
57568 +
57569 +int
57570 +gr_check_crash_uid(const uid_t uid)
57571 +{
57572 + return 0;
57573 +}
57574 +
57575 +void
57576 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
57577 + struct dentry *old_dentry,
57578 + struct dentry *new_dentry,
57579 + struct vfsmount *mnt, const __u8 replace)
57580 +{
57581 + return;
57582 +}
57583 +
57584 +int
57585 +gr_search_socket(const int family, const int type, const int protocol)
57586 +{
57587 + return 1;
57588 +}
57589 +
57590 +int
57591 +gr_search_connectbind(const int mode, const struct socket *sock,
57592 + const struct sockaddr_in *addr)
57593 +{
57594 + return 0;
57595 +}
57596 +
57597 +int
57598 +gr_is_capable(const int cap)
57599 +{
57600 + return 1;
57601 +}
57602 +
57603 +int
57604 +gr_is_capable_nolog(const int cap)
57605 +{
57606 + return 1;
57607 +}
57608 +
57609 +void
57610 +gr_handle_alertkill(struct task_struct *task)
57611 +{
57612 + return;
57613 +}
57614 +
57615 +__u32
57616 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
57617 +{
57618 + return 1;
57619 +}
57620 +
57621 +__u32
57622 +gr_acl_handle_hidden_file(const struct dentry * dentry,
57623 + const struct vfsmount * mnt)
57624 +{
57625 + return 1;
57626 +}
57627 +
57628 +__u32
57629 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
57630 + const int fmode)
57631 +{
57632 + return 1;
57633 +}
57634 +
57635 +__u32
57636 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
57637 +{
57638 + return 1;
57639 +}
57640 +
57641 +__u32
57642 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
57643 +{
57644 + return 1;
57645 +}
57646 +
57647 +int
57648 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
57649 + unsigned int *vm_flags)
57650 +{
57651 + return 1;
57652 +}
57653 +
57654 +__u32
57655 +gr_acl_handle_truncate(const struct dentry * dentry,
57656 + const struct vfsmount * mnt)
57657 +{
57658 + return 1;
57659 +}
57660 +
57661 +__u32
57662 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
57663 +{
57664 + return 1;
57665 +}
57666 +
57667 +__u32
57668 +gr_acl_handle_access(const struct dentry * dentry,
57669 + const struct vfsmount * mnt, const int fmode)
57670 +{
57671 + return 1;
57672 +}
57673 +
57674 +__u32
57675 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
57676 + mode_t mode)
57677 +{
57678 + return 1;
57679 +}
57680 +
57681 +__u32
57682 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
57683 + mode_t mode)
57684 +{
57685 + return 1;
57686 +}
57687 +
57688 +__u32
57689 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
57690 +{
57691 + return 1;
57692 +}
57693 +
57694 +__u32
57695 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
57696 +{
57697 + return 1;
57698 +}
57699 +
57700 +void
57701 +grsecurity_init(void)
57702 +{
57703 + return;
57704 +}
57705 +
57706 +__u32
57707 +gr_acl_handle_mknod(const struct dentry * new_dentry,
57708 + const struct dentry * parent_dentry,
57709 + const struct vfsmount * parent_mnt,
57710 + const int mode)
57711 +{
57712 + return 1;
57713 +}
57714 +
57715 +__u32
57716 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
57717 + const struct dentry * parent_dentry,
57718 + const struct vfsmount * parent_mnt)
57719 +{
57720 + return 1;
57721 +}
57722 +
57723 +__u32
57724 +gr_acl_handle_symlink(const struct dentry * new_dentry,
57725 + const struct dentry * parent_dentry,
57726 + const struct vfsmount * parent_mnt, const char *from)
57727 +{
57728 + return 1;
57729 +}
57730 +
57731 +__u32
57732 +gr_acl_handle_link(const struct dentry * new_dentry,
57733 + const struct dentry * parent_dentry,
57734 + const struct vfsmount * parent_mnt,
57735 + const struct dentry * old_dentry,
57736 + const struct vfsmount * old_mnt, const char *to)
57737 +{
57738 + return 1;
57739 +}
57740 +
57741 +int
57742 +gr_acl_handle_rename(const struct dentry *new_dentry,
57743 + const struct dentry *parent_dentry,
57744 + const struct vfsmount *parent_mnt,
57745 + const struct dentry *old_dentry,
57746 + const struct inode *old_parent_inode,
57747 + const struct vfsmount *old_mnt, const char *newname)
57748 +{
57749 + return 0;
57750 +}
57751 +
57752 +int
57753 +gr_acl_handle_filldir(const struct file *file, const char *name,
57754 + const int namelen, const ino_t ino)
57755 +{
57756 + return 1;
57757 +}
57758 +
57759 +int
57760 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57761 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57762 +{
57763 + return 1;
57764 +}
57765 +
57766 +int
57767 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
57768 +{
57769 + return 0;
57770 +}
57771 +
57772 +int
57773 +gr_search_accept(const struct socket *sock)
57774 +{
57775 + return 0;
57776 +}
57777 +
57778 +int
57779 +gr_search_listen(const struct socket *sock)
57780 +{
57781 + return 0;
57782 +}
57783 +
57784 +int
57785 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
57786 +{
57787 + return 0;
57788 +}
57789 +
57790 +__u32
57791 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
57792 +{
57793 + return 1;
57794 +}
57795 +
57796 +__u32
57797 +gr_acl_handle_creat(const struct dentry * dentry,
57798 + const struct dentry * p_dentry,
57799 + const struct vfsmount * p_mnt, const int fmode,
57800 + const int imode)
57801 +{
57802 + return 1;
57803 +}
57804 +
57805 +void
57806 +gr_acl_handle_exit(void)
57807 +{
57808 + return;
57809 +}
57810 +
57811 +int
57812 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
57813 +{
57814 + return 1;
57815 +}
57816 +
57817 +void
57818 +gr_set_role_label(const uid_t uid, const gid_t gid)
57819 +{
57820 + return;
57821 +}
57822 +
57823 +int
57824 +gr_acl_handle_procpidmem(const struct task_struct *task)
57825 +{
57826 + return 0;
57827 +}
57828 +
57829 +int
57830 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
57831 +{
57832 + return 0;
57833 +}
57834 +
57835 +int
57836 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
57837 +{
57838 + return 0;
57839 +}
57840 +
57841 +void
57842 +gr_set_kernel_label(struct task_struct *task)
57843 +{
57844 + return;
57845 +}
57846 +
57847 +int
57848 +gr_check_user_change(int real, int effective, int fs)
57849 +{
57850 + return 0;
57851 +}
57852 +
57853 +int
57854 +gr_check_group_change(int real, int effective, int fs)
57855 +{
57856 + return 0;
57857 +}
57858 +
57859 +int gr_acl_enable_at_secure(void)
57860 +{
57861 + return 0;
57862 +}
57863 +
57864 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
57865 +{
57866 + return dentry->d_inode->i_sb->s_dev;
57867 +}
57868 +
57869 +EXPORT_SYMBOL(gr_is_capable);
57870 +EXPORT_SYMBOL(gr_is_capable_nolog);
57871 +EXPORT_SYMBOL(gr_learn_resource);
57872 +EXPORT_SYMBOL(gr_set_kernel_label);
57873 +#ifdef CONFIG_SECURITY
57874 +EXPORT_SYMBOL(gr_check_user_change);
57875 +EXPORT_SYMBOL(gr_check_group_change);
57876 +#endif
57877 diff -urNp linux-2.6.39.1/grsecurity/grsec_exec.c linux-2.6.39.1/grsecurity/grsec_exec.c
57878 --- linux-2.6.39.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
57879 +++ linux-2.6.39.1/grsecurity/grsec_exec.c 2011-05-22 22:41:29.000000000 -0400
57880 @@ -0,0 +1,146 @@
57881 +#include <linux/kernel.h>
57882 +#include <linux/sched.h>
57883 +#include <linux/file.h>
57884 +#include <linux/binfmts.h>
57885 +#include <linux/fs.h>
57886 +#include <linux/types.h>
57887 +#include <linux/grdefs.h>
57888 +#include <linux/grinternal.h>
57889 +#include <linux/capability.h>
57890 +#include <linux/compat.h>
57891 +
57892 +#include <asm/uaccess.h>
57893 +
57894 +#ifdef CONFIG_GRKERNSEC_EXECLOG
57895 +static char gr_exec_arg_buf[132];
57896 +static DEFINE_MUTEX(gr_exec_arg_mutex);
57897 +#endif
57898 +
57899 +int
57900 +gr_handle_nproc(void)
57901 +{
57902 +#ifdef CONFIG_GRKERNSEC_EXECVE
57903 + const struct cred *cred = current_cred();
57904 + if (grsec_enable_execve && cred->user &&
57905 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
57906 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
57907 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
57908 + return -EAGAIN;
57909 + }
57910 +#endif
57911 + return 0;
57912 +}
57913 +
57914 +void
57915 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
57916 +{
57917 +#ifdef CONFIG_GRKERNSEC_EXECLOG
57918 + char *grarg = gr_exec_arg_buf;
57919 + unsigned int i, x, execlen = 0;
57920 + char c;
57921 +
57922 + if (!((grsec_enable_execlog && grsec_enable_group &&
57923 + in_group_p(grsec_audit_gid))
57924 + || (grsec_enable_execlog && !grsec_enable_group)))
57925 + return;
57926 +
57927 + mutex_lock(&gr_exec_arg_mutex);
57928 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
57929 +
57930 + if (unlikely(argv == NULL))
57931 + goto log;
57932 +
57933 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
57934 + const char __user *p;
57935 + unsigned int len;
57936 +
57937 + if (copy_from_user(&p, argv + i, sizeof(p)))
57938 + goto log;
57939 + if (!p)
57940 + goto log;
57941 + len = strnlen_user(p, 128 - execlen);
57942 + if (len > 128 - execlen)
57943 + len = 128 - execlen;
57944 + else if (len > 0)
57945 + len--;
57946 + if (copy_from_user(grarg + execlen, p, len))
57947 + goto log;
57948 +
57949 + /* rewrite unprintable characters */
57950 + for (x = 0; x < len; x++) {
57951 + c = *(grarg + execlen + x);
57952 + if (c < 32 || c > 126)
57953 + *(grarg + execlen + x) = ' ';
57954 + }
57955 +
57956 + execlen += len;
57957 + *(grarg + execlen) = ' ';
57958 + *(grarg + execlen + 1) = '\0';
57959 + execlen++;
57960 + }
57961 +
57962 + log:
57963 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
57964 + bprm->file->f_path.mnt, grarg);
57965 + mutex_unlock(&gr_exec_arg_mutex);
57966 +#endif
57967 + return;
57968 +}
57969 +
57970 +#ifdef CONFIG_COMPAT
57971 +void
57972 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
57973 +{
57974 +#ifdef CONFIG_GRKERNSEC_EXECLOG
57975 + char *grarg = gr_exec_arg_buf;
57976 + unsigned int i, x, execlen = 0;
57977 + char c;
57978 +
57979 + if (!((grsec_enable_execlog && grsec_enable_group &&
57980 + in_group_p(grsec_audit_gid))
57981 + || (grsec_enable_execlog && !grsec_enable_group)))
57982 + return;
57983 +
57984 + mutex_lock(&gr_exec_arg_mutex);
57985 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
57986 +
57987 + if (unlikely(argv == NULL))
57988 + goto log;
57989 +
57990 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
57991 + compat_uptr_t p;
57992 + unsigned int len;
57993 +
57994 + if (get_user(p, argv + i))
57995 + goto log;
57996 + len = strnlen_user(compat_ptr(p), 128 - execlen);
57997 + if (len > 128 - execlen)
57998 + len = 128 - execlen;
57999 + else if (len > 0)
58000 + len--;
58001 + else
58002 + goto log;
58003 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58004 + goto log;
58005 +
58006 + /* rewrite unprintable characters */
58007 + for (x = 0; x < len; x++) {
58008 + c = *(grarg + execlen + x);
58009 + if (c < 32 || c > 126)
58010 + *(grarg + execlen + x) = ' ';
58011 + }
58012 +
58013 + execlen += len;
58014 + *(grarg + execlen) = ' ';
58015 + *(grarg + execlen + 1) = '\0';
58016 + execlen++;
58017 + }
58018 +
58019 + log:
58020 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58021 + bprm->file->f_path.mnt, grarg);
58022 + mutex_unlock(&gr_exec_arg_mutex);
58023 +#endif
58024 + return;
58025 +}
58026 +#endif
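Review bot: In gr_handle_exec_args, a zero return from strnlen_user() (what it yields when the user string cannot be read) is not treated as a failure: the `else if (len > 0) len--;` branch has no final `else`, so the loop copies zero bytes, appends a space and moves on to the next argv slot. gr_handle_exec_args_compat handles the same case with `else goto log;` right after `len--;`, and the native variant should do the same so that an unreadable argument ends the audit record instead of padding it. The two bodies are otherwise near-identical, and both repeat the literal 128 against a 132-byte buffer; a named constant derived from `sizeof(gr_exec_arg_buf)` would keep the bound and the buffer from drifting apart.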
58027 diff -urNp linux-2.6.39.1/grsecurity/grsec_fifo.c linux-2.6.39.1/grsecurity/grsec_fifo.c
58028 --- linux-2.6.39.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
58029 +++ linux-2.6.39.1/grsecurity/grsec_fifo.c 2011-05-22 19:41:42.000000000 -0400
58030 @@ -0,0 +1,24 @@
58031 +#include <linux/kernel.h>
58032 +#include <linux/sched.h>
58033 +#include <linux/fs.h>
58034 +#include <linux/file.h>
58035 +#include <linux/grinternal.h>
58036 +
58037 +int
58038 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
58039 + const struct dentry *dir, const int flag, const int acc_mode)
58040 +{
58041 +#ifdef CONFIG_GRKERNSEC_FIFO
58042 + const struct cred *cred = current_cred();
58043 +
58044 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
58045 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
58046 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
58047 + (cred->fsuid != dentry->d_inode->i_uid)) {
58048 + if (!inode_permission(dentry->d_inode, acc_mode))
58049 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
58050 + return -EACCES;
58051 + }
58052 +#endif
58053 + return 0;
58054 +}
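Review bot: The nested `if (!inode_permission(dentry->d_inode, acc_mode))` in gr_handle_fifo reads like part of the access decision, but it only gates the log call; `return -EACCES` runs either way. A short comment would keep a later edit from bracing the two statements together, e.g. `/* log only when DAC would have allowed the open; deny regardless */`. The outer condition also dereferences `dentry->d_inode` and `dir->d_inode` without a NULL check, so it relies on the caller passing positive dentries; that contract is not visible in this hunk and is worth stating in a function comment.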
58055 diff -urNp linux-2.6.39.1/grsecurity/grsec_fork.c linux-2.6.39.1/grsecurity/grsec_fork.c
58056 --- linux-2.6.39.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
58057 +++ linux-2.6.39.1/grsecurity/grsec_fork.c 2011-05-22 19:41:42.000000000 -0400
58058 @@ -0,0 +1,23 @@
58059 +#include <linux/kernel.h>
58060 +#include <linux/sched.h>
58061 +#include <linux/grsecurity.h>
58062 +#include <linux/grinternal.h>
58063 +#include <linux/errno.h>
58064 +
58065 +void
58066 +gr_log_forkfail(const int retval)
58067 +{
58068 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58069 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
58070 + switch (retval) {
58071 + case -EAGAIN:
58072 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
58073 + break;
58074 + case -ENOMEM:
58075 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
58076 + break;
58077 + }
58078 + }
58079 +#endif
58080 + return;
58081 +}
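Review bot: The `retval == -EAGAIN || retval == -ENOMEM` test in gr_log_forkfail duplicates what the `switch` below it already decides, and the `switch` has no `default`. Either reduce the guard to `if (grsec_enable_forkfail)` and add `default: break;` to the switch, or keep the guard, drop the switch and pick the string once with `const char *err = (retval == -EAGAIN) ? "EAGAIN" : "ENOMEM";` followed by a single `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, err);`.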
58082 diff -urNp linux-2.6.39.1/grsecurity/grsec_init.c linux-2.6.39.1/grsecurity/grsec_init.c
58083 --- linux-2.6.39.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
58084 +++ linux-2.6.39.1/grsecurity/grsec_init.c 2011-05-22 22:47:15.000000000 -0400
58085 @@ -0,0 +1,269 @@
58086 +#include <linux/kernel.h>
58087 +#include <linux/sched.h>
58088 +#include <linux/mm.h>
58089 +#include <linux/gracl.h>
58090 +#include <linux/slab.h>
58091 +#include <linux/vmalloc.h>
58092 +#include <linux/percpu.h>
58093 +#include <linux/module.h>
58094 +
58095 +int grsec_enable_link;
58096 +int grsec_enable_dmesg;
58097 +int grsec_enable_harden_ptrace;
58098 +int grsec_enable_fifo;
58099 +int grsec_enable_execve;
58100 +int grsec_enable_execlog;
58101 +int grsec_enable_signal;
58102 +int grsec_enable_forkfail;
58103 +int grsec_enable_audit_ptrace;
58104 +int grsec_enable_time;
58105 +int grsec_enable_audit_textrel;
58106 +int grsec_enable_group;
58107 +int grsec_audit_gid;
58108 +int grsec_enable_chdir;
58109 +int grsec_enable_mount;
58110 +int grsec_enable_rofs;
58111 +int grsec_enable_chroot_findtask;
58112 +int grsec_enable_chroot_mount;
58113 +int grsec_enable_chroot_shmat;
58114 +int grsec_enable_chroot_fchdir;
58115 +int grsec_enable_chroot_double;
58116 +int grsec_enable_chroot_pivot;
58117 +int grsec_enable_chroot_chdir;
58118 +int grsec_enable_chroot_chmod;
58119 +int grsec_enable_chroot_mknod;
58120 +int grsec_enable_chroot_nice;
58121 +int grsec_enable_chroot_execlog;
58122 +int grsec_enable_chroot_caps;
58123 +int grsec_enable_chroot_sysctl;
58124 +int grsec_enable_chroot_unix;
58125 +int grsec_enable_tpe;
58126 +int grsec_tpe_gid;
58127 +int grsec_enable_blackhole;
58128 +#ifdef CONFIG_IPV6_MODULE
58129 +EXPORT_SYMBOL(grsec_enable_blackhole);
58130 +#endif
58131 +int grsec_lastack_retries;
58132 +int grsec_enable_tpe_all;
58133 +int grsec_enable_tpe_invert;
58134 +int grsec_enable_socket_all;
58135 +int grsec_socket_all_gid;
58136 +int grsec_enable_socket_client;
58137 +int grsec_socket_client_gid;
58138 +int grsec_enable_socket_server;
58139 +int grsec_socket_server_gid;
58140 +int grsec_resource_logging;
58141 +int grsec_disable_privio;
58142 +int grsec_enable_log_rwxmaps;
58143 +int grsec_lock;
58144 +
58145 +DEFINE_SPINLOCK(grsec_alert_lock);
58146 +unsigned long grsec_alert_wtime = 0;
58147 +unsigned long grsec_alert_fyet = 0;
58148 +
58149 +DEFINE_SPINLOCK(grsec_audit_lock);
58150 +
58151 +DEFINE_RWLOCK(grsec_exec_file_lock);
58152 +
58153 +char *gr_shared_page[4];
58154 +
58155 +char *gr_alert_log_fmt;
58156 +char *gr_audit_log_fmt;
58157 +char *gr_alert_log_buf;
58158 +char *gr_audit_log_buf;
58159 +
58160 +extern struct gr_arg *gr_usermode;
58161 +extern unsigned char *gr_system_salt;
58162 +extern unsigned char *gr_system_sum;
58163 +
58164 +void __init
58165 +grsecurity_init(void)
58166 +{
58167 + int j;
58168 + /* create the per-cpu shared pages */
58169 +
58170 +#ifdef CONFIG_X86
58171 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
58172 +#endif
58173 +
58174 + for (j = 0; j < 4; j++) {
58175 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
58176 + if (gr_shared_page[j] == NULL) {
58177 + panic("Unable to allocate grsecurity shared page");
58178 + return;
58179 + }
58180 + }
58181 +
58182 + /* allocate log buffers */
58183 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
58184 + if (!gr_alert_log_fmt) {
58185 + panic("Unable to allocate grsecurity alert log format buffer");
58186 + return;
58187 + }
58188 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
58189 + if (!gr_audit_log_fmt) {
58190 + panic("Unable to allocate grsecurity audit log format buffer");
58191 + return;
58192 + }
58193 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58194 + if (!gr_alert_log_buf) {
58195 + panic("Unable to allocate grsecurity alert log buffer");
58196 + return;
58197 + }
58198 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58199 + if (!gr_audit_log_buf) {
58200 + panic("Unable to allocate grsecurity audit log buffer");
58201 + return;
58202 + }
58203 +
58204 + /* allocate memory for authentication structure */
58205 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
58206 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
58207 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
58208 +
58209 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
58210 + panic("Unable to allocate grsecurity authentication structure");
58211 + return;
58212 + }
58213 +
58214 +
58215 +#ifdef CONFIG_GRKERNSEC_IO
58216 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
58217 + grsec_disable_privio = 1;
58218 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58219 + grsec_disable_privio = 1;
58220 +#else
58221 + grsec_disable_privio = 0;
58222 +#endif
58223 +#endif
58224 +
58225 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58226 + /* for backward compatibility, tpe_invert always defaults to on if
58227 + enabled in the kernel
58228 + */
58229 + grsec_enable_tpe_invert = 1;
58230 +#endif
58231 +
58232 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58233 +#ifndef CONFIG_GRKERNSEC_SYSCTL
58234 + grsec_lock = 1;
58235 +#endif
58236 +
58237 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58238 + grsec_enable_audit_textrel = 1;
58239 +#endif
58240 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58241 + grsec_enable_log_rwxmaps = 1;
58242 +#endif
58243 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58244 + grsec_enable_group = 1;
58245 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
58246 +#endif
58247 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58248 + grsec_enable_chdir = 1;
58249 +#endif
58250 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58251 + grsec_enable_harden_ptrace = 1;
58252 +#endif
58253 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58254 + grsec_enable_mount = 1;
58255 +#endif
58256 +#ifdef CONFIG_GRKERNSEC_LINK
58257 + grsec_enable_link = 1;
58258 +#endif
58259 +#ifdef CONFIG_GRKERNSEC_DMESG
58260 + grsec_enable_dmesg = 1;
58261 +#endif
58262 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58263 + grsec_enable_blackhole = 1;
58264 + grsec_lastack_retries = 4;
58265 +#endif
58266 +#ifdef CONFIG_GRKERNSEC_FIFO
58267 + grsec_enable_fifo = 1;
58268 +#endif
58269 +#ifdef CONFIG_GRKERNSEC_EXECVE
58270 + grsec_enable_execve = 1;
58271 +#endif
58272 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58273 + grsec_enable_execlog = 1;
58274 +#endif
58275 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58276 + grsec_enable_signal = 1;
58277 +#endif
58278 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58279 + grsec_enable_forkfail = 1;
58280 +#endif
58281 +#ifdef CONFIG_GRKERNSEC_TIME
58282 + grsec_enable_time = 1;
58283 +#endif
58284 +#ifdef CONFIG_GRKERNSEC_RESLOG
58285 + grsec_resource_logging = 1;
58286 +#endif
58287 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58288 + grsec_enable_chroot_findtask = 1;
58289 +#endif
58290 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58291 + grsec_enable_chroot_unix = 1;
58292 +#endif
58293 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58294 + grsec_enable_chroot_mount = 1;
58295 +#endif
58296 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58297 + grsec_enable_chroot_fchdir = 1;
58298 +#endif
58299 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58300 + grsec_enable_chroot_shmat = 1;
58301 +#endif
58302 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58303 + grsec_enable_audit_ptrace = 1;
58304 +#endif
58305 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58306 + grsec_enable_chroot_double = 1;
58307 +#endif
58308 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58309 + grsec_enable_chroot_pivot = 1;
58310 +#endif
58311 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58312 + grsec_enable_chroot_chdir = 1;
58313 +#endif
58314 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58315 + grsec_enable_chroot_chmod = 1;
58316 +#endif
58317 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58318 + grsec_enable_chroot_mknod = 1;
58319 +#endif
58320 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58321 + grsec_enable_chroot_nice = 1;
58322 +#endif
58323 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58324 + grsec_enable_chroot_execlog = 1;
58325 +#endif
58326 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58327 + grsec_enable_chroot_caps = 1;
58328 +#endif
58329 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58330 + grsec_enable_chroot_sysctl = 1;
58331 +#endif
58332 +#ifdef CONFIG_GRKERNSEC_TPE
58333 + grsec_enable_tpe = 1;
58334 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
58335 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58336 + grsec_enable_tpe_all = 1;
58337 +#endif
58338 +#endif
58339 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58340 + grsec_enable_socket_all = 1;
58341 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
58342 +#endif
58343 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58344 + grsec_enable_socket_client = 1;
58345 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
58346 +#endif
58347 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58348 + grsec_enable_socket_server = 1;
58349 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
58350 +#endif
58351 +#endif
58352 +
58353 + return;
58354 +}
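Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` under CONFIG_X86 in grsecurity_init has no explanation, and the comment directly above it, `/* create the per-cpu shared pages */`, belongs to the loop that follows. The address and length look like the BIOS data area keyboard buffer (an assumption; nothing in the hunk says so), in which case the intent is to wipe keystrokes typed before boot; a comment such as `/* clear BIOS keyboard buffer so pre-boot input (e.g. a boot password) does not stay in low memory */` and named constants for 0x41a and 36 would make that reviewable. Separately, every `return;` after `panic(...)` is unreachable and can go, and the three kmalloc() buffers for gr_usermode, gr_system_salt and gr_system_sum are not zeroed here, so any code that reads them before the first write should be checked (kzalloc would remove the question).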
58355 diff -urNp linux-2.6.39.1/grsecurity/grsec_link.c linux-2.6.39.1/grsecurity/grsec_link.c
58356 --- linux-2.6.39.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
58357 +++ linux-2.6.39.1/grsecurity/grsec_link.c 2011-05-22 19:41:42.000000000 -0400
58358 @@ -0,0 +1,43 @@
58359 +#include <linux/kernel.h>
58360 +#include <linux/sched.h>
58361 +#include <linux/fs.h>
58362 +#include <linux/file.h>
58363 +#include <linux/grinternal.h>
58364 +
58365 +int
58366 +gr_handle_follow_link(const struct inode *parent,
58367 + const struct inode *inode,
58368 + const struct dentry *dentry, const struct vfsmount *mnt)
58369 +{
58370 +#ifdef CONFIG_GRKERNSEC_LINK
58371 + const struct cred *cred = current_cred();
58372 +
58373 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
58374 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
58375 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
58376 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
58377 + return -EACCES;
58378 + }
58379 +#endif
58380 + return 0;
58381 +}
58382 +
58383 +int
58384 +gr_handle_hardlink(const struct dentry *dentry,
58385 + const struct vfsmount *mnt,
58386 + struct inode *inode, const int mode, const char *to)
58387 +{
58388 +#ifdef CONFIG_GRKERNSEC_LINK
58389 + const struct cred *cred = current_cred();
58390 +
58391 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
58392 + (!S_ISREG(mode) || (mode & S_ISUID) ||
58393 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
58394 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
58395 + !capable(CAP_FOWNER) && cred->uid) {
58396 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
58397 + return -EPERM;
58398 + }
58399 +#endif
58400 + return 0;
58401 +}
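Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts every uid-0 caller, including one that has dropped CAP_FOWNER, so for root the `!capable(CAP_FOWNER)` test just before it decides nothing. If the restriction is meant to follow capabilities, the uid test should be removed; if the root exemption is intended, say so in a comment, e.g. `/* uid 0 is exempt even without CAP_FOWNER */`. Putting the cheap `cred->uid` comparison ahead of `capable()` would also skip the capability lookup for callers that are exempt anyway. A one-line comment that a non-zero `inode_permission(inode, MAY_READ | MAY_WRITE)` means the caller lacks read/write access would make the middle of the condition easier to audit.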
58402 diff -urNp linux-2.6.39.1/grsecurity/grsec_log.c linux-2.6.39.1/grsecurity/grsec_log.c
58403 --- linux-2.6.39.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
58404 +++ linux-2.6.39.1/grsecurity/grsec_log.c 2011-05-22 19:41:42.000000000 -0400
58405 @@ -0,0 +1,310 @@
58406 +#include <linux/kernel.h>
58407 +#include <linux/sched.h>
58408 +#include <linux/file.h>
58409 +#include <linux/tty.h>
58410 +#include <linux/fs.h>
58411 +#include <linux/grinternal.h>
58412 +
58413 +#ifdef CONFIG_TREE_PREEMPT_RCU
58414 +#define DISABLE_PREEMPT() preempt_disable()
58415 +#define ENABLE_PREEMPT() preempt_enable()
58416 +#else
58417 +#define DISABLE_PREEMPT()
58418 +#define ENABLE_PREEMPT()
58419 +#endif
58420 +
58421 +#define BEGIN_LOCKS(x) \
58422 + DISABLE_PREEMPT(); \
58423 + rcu_read_lock(); \
58424 + read_lock(&tasklist_lock); \
58425 + read_lock(&grsec_exec_file_lock); \
58426 + if (x != GR_DO_AUDIT) \
58427 + spin_lock(&grsec_alert_lock); \
58428 + else \
58429 + spin_lock(&grsec_audit_lock)
58430 +
58431 +#define END_LOCKS(x) \
58432 + if (x != GR_DO_AUDIT) \
58433 + spin_unlock(&grsec_alert_lock); \
58434 + else \
58435 + spin_unlock(&grsec_audit_lock); \
58436 + read_unlock(&grsec_exec_file_lock); \
58437 + read_unlock(&tasklist_lock); \
58438 + rcu_read_unlock(); \
58439 + ENABLE_PREEMPT(); \
58440 + if (x == GR_DONT_AUDIT) \
58441 + gr_handle_alertkill(current)
58442 +
58443 +enum {
58444 + FLOODING,
58445 + NO_FLOODING
58446 +};
58447 +
58448 +extern char *gr_alert_log_fmt;
58449 +extern char *gr_audit_log_fmt;
58450 +extern char *gr_alert_log_buf;
58451 +extern char *gr_audit_log_buf;
58452 +
58453 +static int gr_log_start(int audit)
58454 +{
58455 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
58456 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
58457 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58458 +
58459 + if (audit == GR_DO_AUDIT)
58460 + goto set_fmt;
58461 +
58462 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
58463 + grsec_alert_wtime = jiffies;
58464 + grsec_alert_fyet = 0;
58465 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
58466 + grsec_alert_fyet++;
58467 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
58468 + grsec_alert_wtime = jiffies;
58469 + grsec_alert_fyet++;
58470 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
58471 + return FLOODING;
58472 + } else return FLOODING;
58473 +
58474 +set_fmt:
58475 + memset(buf, 0, PAGE_SIZE);
58476 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
58477 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
58478 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58479 + } else if (current->signal->curr_ip) {
58480 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
58481 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58482 + } else if (gr_acl_is_enabled()) {
58483 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
58484 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58485 + } else {
58486 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
58487 + strcpy(buf, fmt);
58488 + }
58489 +
58490 + return NO_FLOODING;
58491 +}
58492 +
58493 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58494 + __attribute__ ((format (printf, 2, 0)));
58495 +
58496 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58497 +{
58498 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58499 + unsigned int len = strlen(buf);
58500 +
58501 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58502 +
58503 + return;
58504 +}
58505 +
58506 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58507 + __attribute__ ((format (printf, 2, 3)));
58508 +
58509 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58510 +{
58511 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58512 + unsigned int len = strlen(buf);
58513 + va_list ap;
58514 +
58515 + va_start(ap, msg);
58516 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58517 + va_end(ap);
58518 +
58519 + return;
58520 +}
58521 +
58522 +static void gr_log_end(int audit)
58523 +{
58524 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58525 + unsigned int len = strlen(buf);
58526 +
58527 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
58528 + printk("%s\n", buf);
58529 +
58530 + return;
58531 +}
58532 +
58533 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
58534 +{
58535 + int logtype;
58536 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
58537 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
58538 + void *voidptr = NULL;
58539 + int num1 = 0, num2 = 0;
58540 + unsigned long ulong1 = 0, ulong2 = 0;
58541 + struct dentry *dentry = NULL;
58542 + struct vfsmount *mnt = NULL;
58543 + struct file *file = NULL;
58544 + struct task_struct *task = NULL;
58545 + const struct cred *cred, *pcred;
58546 + va_list ap;
58547 +
58548 + BEGIN_LOCKS(audit);
58549 + logtype = gr_log_start(audit);
58550 + if (logtype == FLOODING) {
58551 + END_LOCKS(audit);
58552 + return;
58553 + }
58554 + va_start(ap, argtypes);
58555 + switch (argtypes) {
58556 + case GR_TTYSNIFF:
58557 + task = va_arg(ap, struct task_struct *);
58558 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
58559 + break;
58560 + case GR_SYSCTL_HIDDEN:
58561 + str1 = va_arg(ap, char *);
58562 + gr_log_middle_varargs(audit, msg, result, str1);
58563 + break;
58564 + case GR_RBAC:
58565 + dentry = va_arg(ap, struct dentry *);
58566 + mnt = va_arg(ap, struct vfsmount *);
58567 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
58568 + break;
58569 + case GR_RBAC_STR:
58570 + dentry = va_arg(ap, struct dentry *);
58571 + mnt = va_arg(ap, struct vfsmount *);
58572 + str1 = va_arg(ap, char *);
58573 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
58574 + break;
58575 + case GR_STR_RBAC:
58576 + str1 = va_arg(ap, char *);
58577 + dentry = va_arg(ap, struct dentry *);
58578 + mnt = va_arg(ap, struct vfsmount *);
58579 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
58580 + break;
58581 + case GR_RBAC_MODE2:
58582 + dentry = va_arg(ap, struct dentry *);
58583 + mnt = va_arg(ap, struct vfsmount *);
58584 + str1 = va_arg(ap, char *);
58585 + str2 = va_arg(ap, char *);
58586 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
58587 + break;
58588 + case GR_RBAC_MODE3:
58589 + dentry = va_arg(ap, struct dentry *);
58590 + mnt = va_arg(ap, struct vfsmount *);
58591 + str1 = va_arg(ap, char *);
58592 + str2 = va_arg(ap, char *);
58593 + str3 = va_arg(ap, char *);
58594 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
58595 + break;
58596 + case GR_FILENAME:
58597 + dentry = va_arg(ap, struct dentry *);
58598 + mnt = va_arg(ap, struct vfsmount *);
58599 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
58600 + break;
58601 + case GR_STR_FILENAME:
58602 + str1 = va_arg(ap, char *);
58603 + dentry = va_arg(ap, struct dentry *);
58604 + mnt = va_arg(ap, struct vfsmount *);
58605 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
58606 + break;
58607 + case GR_FILENAME_STR:
58608 + dentry = va_arg(ap, struct dentry *);
58609 + mnt = va_arg(ap, struct vfsmount *);
58610 + str1 = va_arg(ap, char *);
58611 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
58612 + break;
58613 + case GR_FILENAME_TWO_INT:
58614 + dentry = va_arg(ap, struct dentry *);
58615 + mnt = va_arg(ap, struct vfsmount *);
58616 + num1 = va_arg(ap, int);
58617 + num2 = va_arg(ap, int);
58618 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
58619 + break;
58620 + case GR_FILENAME_TWO_INT_STR:
58621 + dentry = va_arg(ap, struct dentry *);
58622 + mnt = va_arg(ap, struct vfsmount *);
58623 + num1 = va_arg(ap, int);
58624 + num2 = va_arg(ap, int);
58625 + str1 = va_arg(ap, char *);
58626 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
58627 + break;
58628 + case GR_TEXTREL:
58629 + file = va_arg(ap, struct file *);
58630 + ulong1 = va_arg(ap, unsigned long);
58631 + ulong2 = va_arg(ap, unsigned long);
58632 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
58633 + break;
58634 + case GR_PTRACE:
58635 + task = va_arg(ap, struct task_struct *);
58636 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
58637 + break;
58638 + case GR_RESOURCE:
58639 + task = va_arg(ap, struct task_struct *);
58640 + cred = __task_cred(task);
58641 + pcred = __task_cred(task->real_parent);
58642 + ulong1 = va_arg(ap, unsigned long);
58643 + str1 = va_arg(ap, char *);
58644 + ulong2 = va_arg(ap, unsigned long);
58645 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58646 + break;
58647 + case GR_CAP:
58648 + task = va_arg(ap, struct task_struct *);
58649 + cred = __task_cred(task);
58650 + pcred = __task_cred(task->real_parent);
58651 + str1 = va_arg(ap, char *);
58652 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58653 + break;
58654 + case GR_SIG:
58655 + str1 = va_arg(ap, char *);
58656 + voidptr = va_arg(ap, void *);
58657 + gr_log_middle_varargs(audit, msg, str1, voidptr);
58658 + break;
58659 + case GR_SIG2:
58660 + task = va_arg(ap, struct task_struct *);
58661 + cred = __task_cred(task);
58662 + pcred = __task_cred(task->real_parent);
58663 + num1 = va_arg(ap, int);
58664 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58665 + break;
58666 + case GR_CRASH1:
58667 + task = va_arg(ap, struct task_struct *);
58668 + cred = __task_cred(task);
58669 + pcred = __task_cred(task->real_parent);
58670 + ulong1 = va_arg(ap, unsigned long);
58671 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
58672 + break;
58673 + case GR_CRASH2:
58674 + task = va_arg(ap, struct task_struct *);
58675 + cred = __task_cred(task);
58676 + pcred = __task_cred(task->real_parent);
58677 + ulong1 = va_arg(ap, unsigned long);
58678 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
58679 + break;
58680 + case GR_RWXMAP:
58681 + file = va_arg(ap, struct file *);
58682 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
58683 + break;
58684 + case GR_PSACCT:
58685 + {
58686 + unsigned int wday, cday;
58687 + __u8 whr, chr;
58688 + __u8 wmin, cmin;
58689 + __u8 wsec, csec;
58690 + char cur_tty[64] = { 0 };
58691 + char parent_tty[64] = { 0 };
58692 +
58693 + task = va_arg(ap, struct task_struct *);
58694 + wday = va_arg(ap, unsigned int);
58695 + cday = va_arg(ap, unsigned int);
58696 + whr = va_arg(ap, int);
58697 + chr = va_arg(ap, int);
58698 + wmin = va_arg(ap, int);
58699 + cmin = va_arg(ap, int);
58700 + wsec = va_arg(ap, int);
58701 + csec = va_arg(ap, int);
58702 + ulong1 = va_arg(ap, unsigned long);
58703 + cred = __task_cred(task);
58704 + pcred = __task_cred(task->real_parent);
58705 +
58706 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58707 + }
58708 + break;
58709 + default:
58710 + gr_log_middle(audit, msg, ap);
58711 + }
58712 + va_end(ap);
58713 + gr_log_end(audit);
58714 + END_LOCKS(audit);
58715 +}
58716 diff -urNp linux-2.6.39.1/grsecurity/grsec_mem.c linux-2.6.39.1/grsecurity/grsec_mem.c
58717 --- linux-2.6.39.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
58718 +++ linux-2.6.39.1/grsecurity/grsec_mem.c 2011-05-22 19:41:42.000000000 -0400
58719 @@ -0,0 +1,33 @@
58720 +#include <linux/kernel.h>
58721 +#include <linux/sched.h>
58722 +#include <linux/mm.h>
58723 +#include <linux/mman.h>
58724 +#include <linux/grinternal.h>
58725 +
58726 +void
58727 +gr_handle_ioperm(void)
58728 +{
58729 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
58730 + return;
58731 +}
58732 +
58733 +void
58734 +gr_handle_iopl(void)
58735 +{
58736 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
58737 + return;
58738 +}
58739 +
58740 +void
58741 +gr_handle_mem_readwrite(u64 from, u64 to)
58742 +{
58743 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
58744 + return;
58745 +}
58746 +
58747 +void
58748 +gr_handle_vm86(void)
58749 +{
58750 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
58751 + return;
58752 +}
58753 diff -urNp linux-2.6.39.1/grsecurity/grsec_mount.c linux-2.6.39.1/grsecurity/grsec_mount.c
58754 --- linux-2.6.39.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
58755 +++ linux-2.6.39.1/grsecurity/grsec_mount.c 2011-05-22 19:41:42.000000000 -0400
58756 @@ -0,0 +1,62 @@
58757 +#include <linux/kernel.h>
58758 +#include <linux/sched.h>
58759 +#include <linux/mount.h>
58760 +#include <linux/grsecurity.h>
58761 +#include <linux/grinternal.h>
58762 +
58763 +void
58764 +gr_log_remount(const char *devname, const int retval)
58765 +{
58766 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58767 + if (grsec_enable_mount && (retval >= 0))
58768 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
58769 +#endif
58770 + return;
58771 +}
58772 +
58773 +void
58774 +gr_log_unmount(const char *devname, const int retval)
58775 +{
58776 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58777 + if (grsec_enable_mount && (retval >= 0))
58778 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
58779 +#endif
58780 + return;
58781 +}
58782 +
58783 +void
58784 +gr_log_mount(const char *from, const char *to, const int retval)
58785 +{
58786 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58787 + if (grsec_enable_mount && (retval >= 0))
58788 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
58789 +#endif
58790 + return;
58791 +}
58792 +
58793 +int
58794 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
58795 +{
58796 +#ifdef CONFIG_GRKERNSEC_ROFS
58797 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
58798 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
58799 + return -EPERM;
58800 + } else
58801 + return 0;
58802 +#endif
58803 + return 0;
58804 +}
58805 +
58806 +int
58807 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
58808 +{
58809 +#ifdef CONFIG_GRKERNSEC_ROFS
58810 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
58811 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
58812 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
58813 + return -EPERM;
58814 + } else
58815 + return 0;
58816 +#endif
58817 + return 0;
58818 +}
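Review bot: `gr_log_mount` hands `from` and `to` to `gr_log_str_str` unchanged, while `gr_log_remount` and `gr_log_unmount` in the same file substitute `"none"` for a missing device name. If a caller can pass a NULL source here (the callers are outside this hunk), the audit record would carry whatever the format routine prints for a null string rather than the `none` token the sibling messages use, which makes mount records harder to parse consistently. Suggest `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. Separately, the trailing `return 0;` after `#endif` in both rofs handlers is unreachable when `CONFIG_GRKERNSEC_ROFS` is set, because both branches of the `if`/`else` already return; dropping the `else return 0;` would leave a single exit.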
58819 diff -urNp linux-2.6.39.1/grsecurity/grsec_pax.c linux-2.6.39.1/grsecurity/grsec_pax.c
58820 --- linux-2.6.39.1/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
58821 +++ linux-2.6.39.1/grsecurity/grsec_pax.c 2011-05-22 19:41:42.000000000 -0400
58822 @@ -0,0 +1,36 @@
58823 +#include <linux/kernel.h>
58824 +#include <linux/sched.h>
58825 +#include <linux/mm.h>
58826 +#include <linux/file.h>
58827 +#include <linux/grinternal.h>
58828 +#include <linux/grsecurity.h>
58829 +
58830 +void
58831 +gr_log_textrel(struct vm_area_struct * vma)
58832 +{
58833 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58834 + if (grsec_enable_audit_textrel)
58835 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
58836 +#endif
58837 + return;
58838 +}
58839 +
58840 +void
58841 +gr_log_rwxmmap(struct file *file)
58842 +{
58843 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58844 + if (grsec_enable_log_rwxmaps)
58845 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
58846 +#endif
58847 + return;
58848 +}
58849 +
58850 +void
58851 +gr_log_rwxmprotect(struct file *file)
58852 +{
58853 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58854 + if (grsec_enable_log_rwxmaps)
58855 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
58856 +#endif
58857 + return;
58858 +}
58859 diff -urNp linux-2.6.39.1/grsecurity/grsec_ptrace.c linux-2.6.39.1/grsecurity/grsec_ptrace.c
58860 --- linux-2.6.39.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
58861 +++ linux-2.6.39.1/grsecurity/grsec_ptrace.c 2011-05-22 19:41:42.000000000 -0400
58862 @@ -0,0 +1,14 @@
58863 +#include <linux/kernel.h>
58864 +#include <linux/sched.h>
58865 +#include <linux/grinternal.h>
58866 +#include <linux/grsecurity.h>
58867 +
58868 +void
58869 +gr_audit_ptrace(struct task_struct *task)
58870 +{
58871 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58872 + if (grsec_enable_audit_ptrace)
58873 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
58874 +#endif
58875 + return;
58876 +}
58877 diff -urNp linux-2.6.39.1/grsecurity/grsec_sig.c linux-2.6.39.1/grsecurity/grsec_sig.c
58878 --- linux-2.6.39.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
58879 +++ linux-2.6.39.1/grsecurity/grsec_sig.c 2011-05-22 19:41:42.000000000 -0400
58880 @@ -0,0 +1,203 @@
58881 +#include <linux/kernel.h>
58882 +#include <linux/sched.h>
58883 +#include <linux/delay.h>
58884 +#include <linux/grsecurity.h>
58885 +#include <linux/grinternal.h>
58886 +#include <linux/hardirq.h>
58887 +
58888 +char *signames[] = {
58889 + [SIGSEGV] = "Segmentation fault",
58890 + [SIGILL] = "Illegal instruction",
58891 + [SIGABRT] = "Abort",
58892 + [SIGBUS] = "Invalid alignment/Bus error"
58893 +};
58894 +
58895 +void
58896 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
58897 +{
58898 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58899 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
58900 + (sig == SIGABRT) || (sig == SIGBUS))) {
58901 + if (t->pid == current->pid) {
58902 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
58903 + } else {
58904 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
58905 + }
58906 + }
58907 +#endif
58908 + return;
58909 +}
58910 +
58911 +int
58912 +gr_handle_signal(const struct task_struct *p, const int sig)
58913 +{
58914 +#ifdef CONFIG_GRKERNSEC
58915 + if (current->pid > 1 && gr_check_protected_task(p)) {
58916 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
58917 + return -EPERM;
58918 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
58919 + return -EPERM;
58920 + }
58921 +#endif
58922 + return 0;
58923 +}
58924 +
58925 +#ifdef CONFIG_GRKERNSEC
58926 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
58927 +
58928 +int gr_fake_force_sig(int sig, struct task_struct *t)
58929 +{
58930 + unsigned long int flags;
58931 + int ret, blocked, ignored;
58932 + struct k_sigaction *action;
58933 +
58934 + spin_lock_irqsave(&t->sighand->siglock, flags);
58935 + action = &t->sighand->action[sig-1];
58936 + ignored = action->sa.sa_handler == SIG_IGN;
58937 + blocked = sigismember(&t->blocked, sig);
58938 + if (blocked || ignored) {
58939 + action->sa.sa_handler = SIG_DFL;
58940 + if (blocked) {
58941 + sigdelset(&t->blocked, sig);
58942 + recalc_sigpending_and_wake(t);
58943 + }
58944 + }
58945 + if (action->sa.sa_handler == SIG_DFL)
58946 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
58947 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
58948 +
58949 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
58950 +
58951 + return ret;
58952 +}
58953 +#endif
58954 +
58955 +#ifdef CONFIG_GRKERNSEC_BRUTE
58956 +#define GR_USER_BAN_TIME (15 * 60)
58957 +
58958 +static int __get_dumpable(unsigned long mm_flags)
58959 +{
58960 + int ret;
58961 +
58962 + ret = mm_flags & MMF_DUMPABLE_MASK;
58963 + return (ret >= 2) ? 2 : ret;
58964 +}
58965 +#endif
58966 +
58967 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
58968 +{
58969 +#ifdef CONFIG_GRKERNSEC_BRUTE
58970 + uid_t uid = 0;
58971 +
58972 + rcu_read_lock();
58973 + read_lock(&tasklist_lock);
58974 + read_lock(&grsec_exec_file_lock);
58975 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
58976 + p->real_parent->brute = 1;
58977 + else {
58978 + const struct cred *cred = __task_cred(p), *cred2;
58979 + struct task_struct *tsk, *tsk2;
58980 +
58981 + if (!__get_dumpable(mm_flags) && cred->uid) {
58982 + struct user_struct *user;
58983 +
58984 + uid = cred->uid;
58985 +
58986 + /* this is put upon execution past expiration */
58987 + user = find_user(uid);
58988 + if (user == NULL)
58989 + goto unlock;
58990 + user->banned = 1;
58991 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
58992 + if (user->ban_expires == ~0UL)
58993 + user->ban_expires--;
58994 +
58995 + do_each_thread(tsk2, tsk) {
58996 + cred2 = __task_cred(tsk);
58997 + if (tsk != p && cred2->uid == uid)
58998 + gr_fake_force_sig(SIGKILL, tsk);
58999 + } while_each_thread(tsk2, tsk);
59000 + }
59001 + }
59002 +unlock:
59003 + read_unlock(&grsec_exec_file_lock);
59004 + read_unlock(&tasklist_lock);
59005 + rcu_read_unlock();
59006 +
59007 + if (uid)
59008 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
59009 +
59010 +#endif
59011 + return;
59012 +}
59013 +
59014 +void gr_handle_brute_check(void)
59015 +{
59016 +#ifdef CONFIG_GRKERNSEC_BRUTE
59017 + if (current->brute)
59018 + msleep(30 * 1000);
59019 +#endif
59020 + return;
59021 +}
59022 +
59023 +void gr_handle_kernel_exploit(void)
59024 +{
59025 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
59026 + const struct cred *cred;
59027 + struct task_struct *tsk, *tsk2;
59028 + struct user_struct *user;
59029 + uid_t uid;
59030 +
59031 + if (in_irq() || in_serving_softirq() || in_nmi())
59032 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
59033 +
59034 + uid = current_uid();
59035 +
59036 + if (uid == 0)
59037 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
59038 + else {
59039 + /* kill all the processes of this user, hold a reference
59040 + to their creds struct, and prevent them from creating
59041 + another process until system reset
59042 + */
59043 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
59044 + /* we intentionally leak this ref */
59045 + user = get_uid(current->cred->user);
59046 + if (user) {
59047 + user->banned = 1;
59048 + user->ban_expires = ~0UL;
59049 + }
59050 +
59051 + read_lock(&tasklist_lock);
59052 + do_each_thread(tsk2, tsk) {
59053 + cred = __task_cred(tsk);
59054 + if (cred->uid == uid)
59055 + gr_fake_force_sig(SIGKILL, tsk);
59056 + } while_each_thread(tsk2, tsk);
59057 + read_unlock(&tasklist_lock);
59058 + }
59059 +#endif
59060 +}
59061 +
59062 +int __gr_process_user_ban(struct user_struct *user)
59063 +{
59064 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59065 + if (unlikely(user->banned)) {
59066 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
59067 + user->banned = 0;
59068 + user->ban_expires = 0;
59069 + free_uid(user);
59070 + } else
59071 + return -EPERM;
59072 + }
59073 +#endif
59074 + return 0;
59075 +}
59076 +
59077 +int gr_process_user_ban(void)
59078 +{
59079 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59080 + return __gr_process_user_ban(current->cred->user);
59081 +#endif
59082 + return 0;
59083 +}
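Review bot: `__gr_process_user_ban` clears an expired ban and calls `free_uid(user)` with no lock or atomic test around the `user->banned` check, so two tasks of the same user reaching it together after expiry can both pass the check and both drop a reference. `gr_handle_brute_attach` takes only one reference per ban (`find_user`), so the second put would release a reference the ban does not own, unless the callers, which are outside this hunk, serialise it. The opposite imbalance also looks possible: each call to `gr_handle_brute_attach` for a uid that is already banned takes a fresh `find_user` reference, while expiry puts only one. Tying the get to the 0-to-1 transition of `banned` and the put to the 1-to-0 transition, under a lock or an atomic exchange, would keep the `user_struct` count balanced.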
59084 diff -urNp linux-2.6.39.1/grsecurity/grsec_sock.c linux-2.6.39.1/grsecurity/grsec_sock.c
59085 --- linux-2.6.39.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
59086 +++ linux-2.6.39.1/grsecurity/grsec_sock.c 2011-05-22 20:29:21.000000000 -0400
59087 @@ -0,0 +1,244 @@
59088 +#include <linux/kernel.h>
59089 +#include <linux/module.h>
59090 +#include <linux/sched.h>
59091 +#include <linux/file.h>
59092 +#include <linux/net.h>
59093 +#include <linux/in.h>
59094 +#include <linux/ip.h>
59095 +#include <net/sock.h>
59096 +#include <net/inet_sock.h>
59097 +#include <linux/grsecurity.h>
59098 +#include <linux/grinternal.h>
59099 +#include <linux/gracl.h>
59100 +
59101 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
59102 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
59103 +
59104 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
59105 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
59106 +
59107 +#ifdef CONFIG_UNIX_MODULE
59108 +EXPORT_SYMBOL(gr_acl_handle_unix);
59109 +EXPORT_SYMBOL(gr_acl_handle_mknod);
59110 +EXPORT_SYMBOL(gr_handle_chroot_unix);
59111 +EXPORT_SYMBOL(gr_handle_create);
59112 +#endif
59113 +
59114 +#ifdef CONFIG_GRKERNSEC
59115 +#define gr_conn_table_size 32749
59116 +struct conn_table_entry {
59117 + struct conn_table_entry *next;
59118 + struct signal_struct *sig;
59119 +};
59120 +
59121 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
59122 +DEFINE_SPINLOCK(gr_conn_table_lock);
59123 +
59124 +extern const char * gr_socktype_to_name(unsigned char type);
59125 +extern const char * gr_proto_to_name(unsigned char proto);
59126 +extern const char * gr_sockfamily_to_name(unsigned char family);
59127 +
59128 +static __inline__ int
59129 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
59130 +{
59131 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
59132 +}
59133 +
59134 +static __inline__ int
59135 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
59136 + __u16 sport, __u16 dport)
59137 +{
59138 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
59139 + sig->gr_sport == sport && sig->gr_dport == dport))
59140 + return 1;
59141 + else
59142 + return 0;
59143 +}
59144 +
59145 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
59146 +{
59147 + struct conn_table_entry **match;
59148 + unsigned int index;
59149 +
59150 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59151 + sig->gr_sport, sig->gr_dport,
59152 + gr_conn_table_size);
59153 +
59154 + newent->sig = sig;
59155 +
59156 + match = &gr_conn_table[index];
59157 + newent->next = *match;
59158 + *match = newent;
59159 +
59160 + return;
59161 +}
59162 +
59163 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
59164 +{
59165 + struct conn_table_entry *match, *last = NULL;
59166 + unsigned int index;
59167 +
59168 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59169 + sig->gr_sport, sig->gr_dport,
59170 + gr_conn_table_size);
59171 +
59172 + match = gr_conn_table[index];
59173 + while (match && !conn_match(match->sig,
59174 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
59175 + sig->gr_dport)) {
59176 + last = match;
59177 + match = match->next;
59178 + }
59179 +
59180 + if (match) {
59181 + if (last)
59182 + last->next = match->next;
59183 + else
59184 + gr_conn_table[index] = NULL;
59185 + kfree(match);
59186 + }
59187 +
59188 + return;
59189 +}
59190 +
59191 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
59192 + __u16 sport, __u16 dport)
59193 +{
59194 + struct conn_table_entry *match;
59195 + unsigned int index;
59196 +
59197 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
59198 +
59199 + match = gr_conn_table[index];
59200 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
59201 + match = match->next;
59202 +
59203 + if (match)
59204 + return match->sig;
59205 + else
59206 + return NULL;
59207 +}
59208 +
59209 +#endif
59210 +
59211 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
59212 +{
59213 +#ifdef CONFIG_GRKERNSEC
59214 + struct signal_struct *sig = task->signal;
59215 + struct conn_table_entry *newent;
59216 +
59217 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
59218 + if (newent == NULL)
59219 + return;
59220 + /* no bh lock needed since we are called with bh disabled */
59221 + spin_lock(&gr_conn_table_lock);
59222 + gr_del_task_from_ip_table_nolock(sig);
59223 + sig->gr_saddr = inet->inet_rcv_saddr;
59224 + sig->gr_daddr = inet->inet_daddr;
59225 + sig->gr_sport = inet->inet_sport;
59226 + sig->gr_dport = inet->inet_dport;
59227 + gr_add_to_task_ip_table_nolock(sig, newent);
59228 + spin_unlock(&gr_conn_table_lock);
59229 +#endif
59230 + return;
59231 +}
59232 +
59233 +void gr_del_task_from_ip_table(struct task_struct *task)
59234 +{
59235 +#ifdef CONFIG_GRKERNSEC
59236 + spin_lock_bh(&gr_conn_table_lock);
59237 + gr_del_task_from_ip_table_nolock(task->signal);
59238 + spin_unlock_bh(&gr_conn_table_lock);
59239 +#endif
59240 + return;
59241 +}
59242 +
59243 +void
59244 +gr_attach_curr_ip(const struct sock *sk)
59245 +{
59246 +#ifdef CONFIG_GRKERNSEC
59247 + struct signal_struct *p, *set;
59248 + const struct inet_sock *inet = inet_sk(sk);
59249 +
59250 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
59251 + return;
59252 +
59253 + set = current->signal;
59254 +
59255 + spin_lock_bh(&gr_conn_table_lock);
59256 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
59257 + inet->inet_dport, inet->inet_sport);
59258 + if (unlikely(p != NULL)) {
59259 + set->curr_ip = p->curr_ip;
59260 + set->used_accept = 1;
59261 + gr_del_task_from_ip_table_nolock(p);
59262 + spin_unlock_bh(&gr_conn_table_lock);
59263 + return;
59264 + }
59265 + spin_unlock_bh(&gr_conn_table_lock);
59266 +
59267 + set->curr_ip = inet->inet_daddr;
59268 + set->used_accept = 1;
59269 +#endif
59270 + return;
59271 +}
59272 +
59273 +int
59274 +gr_handle_sock_all(const int family, const int type, const int protocol)
59275 +{
59276 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59277 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
59278 + (family != AF_UNIX)) {
59279 + if (family == AF_INET)
59280 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
59281 + else
59282 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
59283 + return -EACCES;
59284 + }
59285 +#endif
59286 + return 0;
59287 +}
59288 +
59289 +int
59290 +gr_handle_sock_server(const struct sockaddr *sck)
59291 +{
59292 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59293 + if (grsec_enable_socket_server &&
59294 + in_group_p(grsec_socket_server_gid) &&
59295 + sck && (sck->sa_family != AF_UNIX) &&
59296 + (sck->sa_family != AF_LOCAL)) {
59297 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59298 + return -EACCES;
59299 + }
59300 +#endif
59301 + return 0;
59302 +}
59303 +
59304 +int
59305 +gr_handle_sock_server_other(const struct sock *sck)
59306 +{
59307 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59308 + if (grsec_enable_socket_server &&
59309 + in_group_p(grsec_socket_server_gid) &&
59310 + sck && (sck->sk_family != AF_UNIX) &&
59311 + (sck->sk_family != AF_LOCAL)) {
59312 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59313 + return -EACCES;
59314 + }
59315 +#endif
59316 + return 0;
59317 +}
59318 +
59319 +int
59320 +gr_handle_sock_client(const struct sockaddr *sck)
59321 +{
59322 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59323 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
59324 + sck && (sck->sa_family != AF_UNIX) &&
59325 + (sck->sa_family != AF_LOCAL)) {
59326 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
59327 + return -EACCES;
59328 + }
59329 +#endif
59330 + return 0;
59331 +}
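Review bot: In `gr_del_task_from_ip_table_nolock`, removing the entry at the head of a bucket sets `gr_conn_table[index] = NULL`, which discards every entry chained behind it; `gr_add_to_task_ip_table_nolock` pushes new entries at the head, so buckets with more than one entry do occur on hash collisions. The dropped entries are never freed and `gr_lookup_task_ip_table` can no longer find them, so `gr_attach_curr_ip` falls back to the socket's `inet_daddr` for those connections and the source IP recorded in later log lines may be wrong. The head case should relink instead: `gr_conn_table[index] = match->next;`. Also, in `conn_hash` the term `dport << 16` is evaluated in `int` after promotion and can shift into the sign bit; casting first, `((__u32)dport << 16)`, keeps the arithmetic unsigned.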
59332 diff -urNp linux-2.6.39.1/grsecurity/grsec_sysctl.c linux-2.6.39.1/grsecurity/grsec_sysctl.c
59333 --- linux-2.6.39.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
59334 +++ linux-2.6.39.1/grsecurity/grsec_sysctl.c 2011-05-22 19:41:42.000000000 -0400
59335 @@ -0,0 +1,433 @@
59336 +#include <linux/kernel.h>
59337 +#include <linux/sched.h>
59338 +#include <linux/sysctl.h>
59339 +#include <linux/grsecurity.h>
59340 +#include <linux/grinternal.h>
59341 +
59342 +int
59343 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
59344 +{
59345 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59346 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
59347 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
59348 + return -EACCES;
59349 + }
59350 +#endif
59351 + return 0;
59352 +}
59353 +
59354 +#ifdef CONFIG_GRKERNSEC_ROFS
59355 +static int __maybe_unused one = 1;
59356 +#endif
59357 +
59358 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
59359 +struct ctl_table grsecurity_table[] = {
59360 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59361 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
59362 +#ifdef CONFIG_GRKERNSEC_IO
59363 + {
59364 + .procname = "disable_priv_io",
59365 + .data = &grsec_disable_privio,
59366 + .maxlen = sizeof(int),
59367 + .mode = 0600,
59368 + .proc_handler = &proc_dointvec,
59369 + },
59370 +#endif
59371 +#endif
59372 +#ifdef CONFIG_GRKERNSEC_LINK
59373 + {
59374 + .procname = "linking_restrictions",
59375 + .data = &grsec_enable_link,
59376 + .maxlen = sizeof(int),
59377 + .mode = 0600,
59378 + .proc_handler = &proc_dointvec,
59379 + },
59380 +#endif
59381 +#ifdef CONFIG_GRKERNSEC_FIFO
59382 + {
59383 + .procname = "fifo_restrictions",
59384 + .data = &grsec_enable_fifo,
59385 + .maxlen = sizeof(int),
59386 + .mode = 0600,
59387 + .proc_handler = &proc_dointvec,
59388 + },
59389 +#endif
59390 +#ifdef CONFIG_GRKERNSEC_EXECVE
59391 + {
59392 + .procname = "execve_limiting",
59393 + .data = &grsec_enable_execve,
59394 + .maxlen = sizeof(int),
59395 + .mode = 0600,
59396 + .proc_handler = &proc_dointvec,
59397 + },
59398 +#endif
59399 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59400 + {
59401 + .procname = "ip_blackhole",
59402 + .data = &grsec_enable_blackhole,
59403 + .maxlen = sizeof(int),
59404 + .mode = 0600,
59405 + .proc_handler = &proc_dointvec,
59406 + },
59407 + {
59408 + .procname = "lastack_retries",
59409 + .data = &grsec_lastack_retries,
59410 + .maxlen = sizeof(int),
59411 + .mode = 0600,
59412 + .proc_handler = &proc_dointvec,
59413 + },
59414 +#endif
59415 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59416 + {
59417 + .procname = "exec_logging",
59418 + .data = &grsec_enable_execlog,
59419 + .maxlen = sizeof(int),
59420 + .mode = 0600,
59421 + .proc_handler = &proc_dointvec,
59422 + },
59423 +#endif
59424 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59425 + {
59426 + .procname = "rwxmap_logging",
59427 + .data = &grsec_enable_log_rwxmaps,
59428 + .maxlen = sizeof(int),
59429 + .mode = 0600,
59430 + .proc_handler = &proc_dointvec,
59431 + },
59432 +#endif
59433 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59434 + {
59435 + .procname = "signal_logging",
59436 + .data = &grsec_enable_signal,
59437 + .maxlen = sizeof(int),
59438 + .mode = 0600,
59439 + .proc_handler = &proc_dointvec,
59440 + },
59441 +#endif
59442 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59443 + {
59444 + .procname = "forkfail_logging",
59445 + .data = &grsec_enable_forkfail,
59446 + .maxlen = sizeof(int),
59447 + .mode = 0600,
59448 + .proc_handler = &proc_dointvec,
59449 + },
59450 +#endif
59451 +#ifdef CONFIG_GRKERNSEC_TIME
59452 + {
59453 + .procname = "timechange_logging",
59454 + .data = &grsec_enable_time,
59455 + .maxlen = sizeof(int),
59456 + .mode = 0600,
59457 + .proc_handler = &proc_dointvec,
59458 + },
59459 +#endif
59460 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59461 + {
59462 + .procname = "chroot_deny_shmat",
59463 + .data = &grsec_enable_chroot_shmat,
59464 + .maxlen = sizeof(int),
59465 + .mode = 0600,
59466 + .proc_handler = &proc_dointvec,
59467 + },
59468 +#endif
59469 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59470 + {
59471 + .procname = "chroot_deny_unix",
59472 + .data = &grsec_enable_chroot_unix,
59473 + .maxlen = sizeof(int),
59474 + .mode = 0600,
59475 + .proc_handler = &proc_dointvec,
59476 + },
59477 +#endif
59478 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59479 + {
59480 + .procname = "chroot_deny_mount",
59481 + .data = &grsec_enable_chroot_mount,
59482 + .maxlen = sizeof(int),
59483 + .mode = 0600,
59484 + .proc_handler = &proc_dointvec,
59485 + },
59486 +#endif
59487 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59488 + {
59489 + .procname = "chroot_deny_fchdir",
59490 + .data = &grsec_enable_chroot_fchdir,
59491 + .maxlen = sizeof(int),
59492 + .mode = 0600,
59493 + .proc_handler = &proc_dointvec,
59494 + },
59495 +#endif
59496 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59497 + {
59498 + .procname = "chroot_deny_chroot",
59499 + .data = &grsec_enable_chroot_double,
59500 + .maxlen = sizeof(int),
59501 + .mode = 0600,
59502 + .proc_handler = &proc_dointvec,
59503 + },
59504 +#endif
59505 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59506 + {
59507 + .procname = "chroot_deny_pivot",
59508 + .data = &grsec_enable_chroot_pivot,
59509 + .maxlen = sizeof(int),
59510 + .mode = 0600,
59511 + .proc_handler = &proc_dointvec,
59512 + },
59513 +#endif
59514 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59515 + {
59516 + .procname = "chroot_enforce_chdir",
59517 + .data = &grsec_enable_chroot_chdir,
59518 + .maxlen = sizeof(int),
59519 + .mode = 0600,
59520 + .proc_handler = &proc_dointvec,
59521 + },
59522 +#endif
59523 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59524 + {
59525 + .procname = "chroot_deny_chmod",
59526 + .data = &grsec_enable_chroot_chmod,
59527 + .maxlen = sizeof(int),
59528 + .mode = 0600,
59529 + .proc_handler = &proc_dointvec,
59530 + },
59531 +#endif
59532 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59533 + {
59534 + .procname = "chroot_deny_mknod",
59535 + .data = &grsec_enable_chroot_mknod,
59536 + .maxlen = sizeof(int),
59537 + .mode = 0600,
59538 + .proc_handler = &proc_dointvec,
59539 + },
59540 +#endif
59541 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59542 + {
59543 + .procname = "chroot_restrict_nice",
59544 + .data = &grsec_enable_chroot_nice,
59545 + .maxlen = sizeof(int),
59546 + .mode = 0600,
59547 + .proc_handler = &proc_dointvec,
59548 + },
59549 +#endif
59550 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59551 + {
59552 + .procname = "chroot_execlog",
59553 + .data = &grsec_enable_chroot_execlog,
59554 + .maxlen = sizeof(int),
59555 + .mode = 0600,
59556 + .proc_handler = &proc_dointvec,
59557 + },
59558 +#endif
59559 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59560 + {
59561 + .procname = "chroot_caps",
59562 + .data = &grsec_enable_chroot_caps,
59563 + .maxlen = sizeof(int),
59564 + .mode = 0600,
59565 + .proc_handler = &proc_dointvec,
59566 + },
59567 +#endif
59568 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59569 + {
59570 + .procname = "chroot_deny_sysctl",
59571 + .data = &grsec_enable_chroot_sysctl,
59572 + .maxlen = sizeof(int),
59573 + .mode = 0600,
59574 + .proc_handler = &proc_dointvec,
59575 + },
59576 +#endif
59577 +#ifdef CONFIG_GRKERNSEC_TPE
59578 + {
59579 + .procname = "tpe",
59580 + .data = &grsec_enable_tpe,
59581 + .maxlen = sizeof(int),
59582 + .mode = 0600,
59583 + .proc_handler = &proc_dointvec,
59584 + },
59585 + {
59586 + .procname = "tpe_gid",
59587 + .data = &grsec_tpe_gid,
59588 + .maxlen = sizeof(int),
59589 + .mode = 0600,
59590 + .proc_handler = &proc_dointvec,
59591 + },
59592 +#endif
59593 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59594 + {
59595 + .procname = "tpe_invert",
59596 + .data = &grsec_enable_tpe_invert,
59597 + .maxlen = sizeof(int),
59598 + .mode = 0600,
59599 + .proc_handler = &proc_dointvec,
59600 + },
59601 +#endif
59602 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
59603 + {
59604 + .procname = "tpe_restrict_all",
59605 + .data = &grsec_enable_tpe_all,
59606 + .maxlen = sizeof(int),
59607 + .mode = 0600,
59608 + .proc_handler = &proc_dointvec,
59609 + },
59610 +#endif
59611 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59612 + {
59613 + .procname = "socket_all",
59614 + .data = &grsec_enable_socket_all,
59615 + .maxlen = sizeof(int),
59616 + .mode = 0600,
59617 + .proc_handler = &proc_dointvec,
59618 + },
59619 + {
59620 + .procname = "socket_all_gid",
59621 + .data = &grsec_socket_all_gid,
59622 + .maxlen = sizeof(int),
59623 + .mode = 0600,
59624 + .proc_handler = &proc_dointvec,
59625 + },
59626 +#endif
59627 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59628 + {
59629 + .procname = "socket_client",
59630 + .data = &grsec_enable_socket_client,
59631 + .maxlen = sizeof(int),
59632 + .mode = 0600,
59633 + .proc_handler = &proc_dointvec,
59634 + },
59635 + {
59636 + .procname = "socket_client_gid",
59637 + .data = &grsec_socket_client_gid,
59638 + .maxlen = sizeof(int),
59639 + .mode = 0600,
59640 + .proc_handler = &proc_dointvec,
59641 + },
59642 +#endif
59643 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59644 + {
59645 + .procname = "socket_server",
59646 + .data = &grsec_enable_socket_server,
59647 + .maxlen = sizeof(int),
59648 + .mode = 0600,
59649 + .proc_handler = &proc_dointvec,
59650 + },
59651 + {
59652 + .procname = "socket_server_gid",
59653 + .data = &grsec_socket_server_gid,
59654 + .maxlen = sizeof(int),
59655 + .mode = 0600,
59656 + .proc_handler = &proc_dointvec,
59657 + },
59658 +#endif
59659 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
59660 + {
59661 + .procname = "audit_group",
59662 + .data = &grsec_enable_group,
59663 + .maxlen = sizeof(int),
59664 + .mode = 0600,
59665 + .proc_handler = &proc_dointvec,
59666 + },
59667 + {
59668 + .procname = "audit_gid",
59669 + .data = &grsec_audit_gid,
59670 + .maxlen = sizeof(int),
59671 + .mode = 0600,
59672 + .proc_handler = &proc_dointvec,
59673 + },
59674 +#endif
59675 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59676 + {
59677 + .procname = "audit_chdir",
59678 + .data = &grsec_enable_chdir,
59679 + .maxlen = sizeof(int),
59680 + .mode = 0600,
59681 + .proc_handler = &proc_dointvec,
59682 + },
59683 +#endif
59684 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59685 + {
59686 + .procname = "audit_mount",
59687 + .data = &grsec_enable_mount,
59688 + .maxlen = sizeof(int),
59689 + .mode = 0600,
59690 + .proc_handler = &proc_dointvec,
59691 + },
59692 +#endif
59693 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59694 + {
59695 + .procname = "audit_textrel",
59696 + .data = &grsec_enable_audit_textrel,
59697 + .maxlen = sizeof(int),
59698 + .mode = 0600,
59699 + .proc_handler = &proc_dointvec,
59700 + },
59701 +#endif
59702 +#ifdef CONFIG_GRKERNSEC_DMESG
59703 + {
59704 + .procname = "dmesg",
59705 + .data = &grsec_enable_dmesg,
59706 + .maxlen = sizeof(int),
59707 + .mode = 0600,
59708 + .proc_handler = &proc_dointvec,
59709 + },
59710 +#endif
59711 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59712 + {
59713 + .procname = "chroot_findtask",
59714 + .data = &grsec_enable_chroot_findtask,
59715 + .maxlen = sizeof(int),
59716 + .mode = 0600,
59717 + .proc_handler = &proc_dointvec,
59718 + },
59719 +#endif
59720 +#ifdef CONFIG_GRKERNSEC_RESLOG
59721 + {
59722 + .procname = "resource_logging",
59723 + .data = &grsec_resource_logging,
59724 + .maxlen = sizeof(int),
59725 + .mode = 0600,
59726 + .proc_handler = &proc_dointvec,
59727 + },
59728 +#endif
59729 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59730 + {
59731 + .procname = "audit_ptrace",
59732 + .data = &grsec_enable_audit_ptrace,
59733 + .maxlen = sizeof(int),
59734 + .mode = 0600,
59735 + .proc_handler = &proc_dointvec,
59736 + },
59737 +#endif
59738 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
59739 + {
59740 + .procname = "harden_ptrace",
59741 + .data = &grsec_enable_harden_ptrace,
59742 + .maxlen = sizeof(int),
59743 + .mode = 0600,
59744 + .proc_handler = &proc_dointvec,
59745 + },
59746 +#endif
59747 + {
59748 + .procname = "grsec_lock",
59749 + .data = &grsec_lock,
59750 + .maxlen = sizeof(int),
59751 + .mode = 0600,
59752 + .proc_handler = &proc_dointvec,
59753 + },
59754 +#endif
59755 +#ifdef CONFIG_GRKERNSEC_ROFS
59756 + {
59757 + .procname = "romount_protect",
59758 + .data = &grsec_enable_rofs,
59759 + .maxlen = sizeof(int),
59760 + .mode = 0600,
59761 + .proc_handler = &proc_dointvec_minmax,
59762 + .extra1 = &one,
59763 + .extra2 = &one,
59764 + },
59765 +#endif
59766 + { }
59767 +};
59768 +#endif
59769 diff -urNp linux-2.6.39.1/grsecurity/grsec_time.c linux-2.6.39.1/grsecurity/grsec_time.c
59770 --- linux-2.6.39.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
59771 +++ linux-2.6.39.1/grsecurity/grsec_time.c 2011-05-22 19:41:42.000000000 -0400
59772 @@ -0,0 +1,16 @@
59773 +#include <linux/kernel.h>
59774 +#include <linux/sched.h>
59775 +#include <linux/grinternal.h>
59776 +#include <linux/module.h>
59777 +
59778 +void
59779 +gr_log_timechange(void)
59780 +{
59781 +#ifdef CONFIG_GRKERNSEC_TIME
59782 + if (grsec_enable_time)
59783 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
59784 +#endif
59785 + return;
59786 +}
59787 +
59788 +EXPORT_SYMBOL(gr_log_timechange);
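Review bot: gr_log_timechange() is exported to modules but has no comment stating its contract, and the bare `return;` at the end of a void function is redundant. I would add a header such as `/* Emit the GR_TIME_MSG audit record if CONFIG_GRKERNSEC_TIME is built in and grsec_enable_time is non-zero; otherwise a no-op. */` and drop the `return;`. The expected call sites are not visible in this hunk, so the comment should stay limited to what the body does.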
59789 diff -urNp linux-2.6.39.1/grsecurity/grsec_tpe.c linux-2.6.39.1/grsecurity/grsec_tpe.c
59790 --- linux-2.6.39.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
59791 +++ linux-2.6.39.1/grsecurity/grsec_tpe.c 2011-05-22 19:41:42.000000000 -0400
59792 @@ -0,0 +1,39 @@
59793 +#include <linux/kernel.h>
59794 +#include <linux/sched.h>
59795 +#include <linux/file.h>
59796 +#include <linux/fs.h>
59797 +#include <linux/grinternal.h>
59798 +
59799 +extern int gr_acl_tpe_check(void);
59800 +
59801 +int
59802 +gr_tpe_allow(const struct file *file)
59803 +{
59804 +#ifdef CONFIG_GRKERNSEC
59805 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
59806 + const struct cred *cred = current_cred();
59807 +
59808 + if (cred->uid && ((grsec_enable_tpe &&
59809 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59810 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
59811 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
59812 +#else
59813 + in_group_p(grsec_tpe_gid)
59814 +#endif
59815 + ) || gr_acl_tpe_check()) &&
59816 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
59817 + (inode->i_mode & S_IWOTH))))) {
59818 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
59819 + return 0;
59820 + }
59821 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
59822 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
59823 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
59824 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
59825 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
59826 + return 0;
59827 + }
59828 +#endif
59829 +#endif
59830 + return 1;
59831 +}
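Review bot: The parent directory is reached through `file->f_path.dentry->d_parent->d_inode` with no reference or lock taken. A concurrent rename could change or release the parent while its `i_uid` and `i_mode` are being read for the trust decision, and nothing in the hunk shows the caller preventing that. Pinning the parent closes the window: `struct dentry *parent = dget_parent(file->f_path.dentry);`, then read `parent->d_inode`, and call `dput(parent);` before each return. Separately, the `!inode->i_uid &&` term in the first condition is redundant after `inode->i_uid ||`. Hoisting the `#ifdef CONFIG_GRKERNSEC_TPE_INVERT` group test into a local variable would also make the allow/deny logic easier to audit.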
59832 diff -urNp linux-2.6.39.1/grsecurity/grsum.c linux-2.6.39.1/grsecurity/grsum.c
59833 --- linux-2.6.39.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
59834 +++ linux-2.6.39.1/grsecurity/grsum.c 2011-05-22 19:41:42.000000000 -0400
59835 @@ -0,0 +1,61 @@
59836 +#include <linux/err.h>
59837 +#include <linux/kernel.h>
59838 +#include <linux/sched.h>
59839 +#include <linux/mm.h>
59840 +#include <linux/scatterlist.h>
59841 +#include <linux/crypto.h>
59842 +#include <linux/gracl.h>
59843 +
59844 +
59845 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
59846 +#error "crypto and sha256 must be built into the kernel"
59847 +#endif
59848 +
59849 +int
59850 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
59851 +{
59852 + char *p;
59853 + struct crypto_hash *tfm;
59854 + struct hash_desc desc;
59855 + struct scatterlist sg;
59856 + unsigned char temp_sum[GR_SHA_LEN];
59857 + volatile int retval = 0;
59858 + volatile int dummy = 0;
59859 + unsigned int i;
59860 +
59861 + sg_init_table(&sg, 1);
59862 +
59863 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
59864 + if (IS_ERR(tfm)) {
59865 + /* should never happen, since sha256 should be built in */
59866 + return 1;
59867 + }
59868 +
59869 + desc.tfm = tfm;
59870 + desc.flags = 0;
59871 +
59872 + crypto_hash_init(&desc);
59873 +
59874 + p = salt;
59875 + sg_set_buf(&sg, p, GR_SALT_LEN);
59876 + crypto_hash_update(&desc, &sg, sg.length);
59877 +
59878 + p = entry->pw;
59879 + sg_set_buf(&sg, p, strlen(p));
59880 +
59881 + crypto_hash_update(&desc, &sg, sg.length);
59882 +
59883 + crypto_hash_final(&desc, temp_sum);
59884 +
59885 + memset(entry->pw, 0, GR_PW_LEN);
59886 +
59887 + for (i = 0; i < GR_SHA_LEN; i++)
59888 + if (sum[i] != temp_sum[i])
59889 + retval = 1;
59890 + else
59891 + dummy = 1; // waste a cycle
59892 +
59893 + crypto_free_hash(tfm);
59894 +
59895 + return retval;
59896 +}
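Review bot: chkpw() ignores the return values of crypto_hash_init(), crypto_hash_update() and crypto_hash_final(), so if any of them fails the loop compares `sum` against an uninitialised `temp_sum` rather than failing closed. The early `return 1` on IS_ERR(tfm) also leaves the cleartext `entry->pw` unwiped. `strlen(p)` relies on the password being NUL-terminated within GR_PW_LEN, which this hunk does not show, so `strnlen(p, GR_PW_LEN)` would be safer. The comparison loop still branches on each secret byte, and accumulating `sum[i] ^ temp_sum[i]` into one variable avoids the data-dependent branch without the `volatile`/`dummy` workaround. A sketch of the rewritten lines follows.

```c
	unsigned char temp_sum[GR_SHA_LEN] = { 0 };
	unsigned char diff = 0;
	int err;

	/* ... unchanged: sg_init_table, crypto_alloc_hash ... */
	if (IS_ERR(tfm)) {
		/* wipe the cleartext password on the failure path too */
		memset(entry->pw, 0, GR_PW_LEN);
		return 1;
	}

	/* ... unchanged: desc.tfm / desc.flags setup ... */
	err = crypto_hash_init(&desc);
	if (!err) {
		p = salt;
		sg_set_buf(&sg, p, GR_SALT_LEN);
		err = crypto_hash_update(&desc, &sg, sg.length);
	}
	if (!err) {
		p = entry->pw;
		/* bounded length: do not trust NUL termination of the buffer */
		sg_set_buf(&sg, p, strnlen(p, GR_PW_LEN));
		err = crypto_hash_update(&desc, &sg, sg.length);
	}
	if (!err)
		err = crypto_hash_final(&desc, temp_sum);

	memset(entry->pw, 0, GR_PW_LEN);

	/* fold every byte difference into one value, no per-byte branch */
	for (i = 0; i < GR_SHA_LEN; i++)
		diff |= sum[i] ^ temp_sum[i];

	crypto_free_hash(tfm);

	/* fail closed on any hashing error */
	return (err || diff) ? 1 : 0;
```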
59897 diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig
59898 --- linux-2.6.39.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
59899 +++ linux-2.6.39.1/grsecurity/Kconfig 2011-05-22 19:41:42.000000000 -0400
59900 @@ -0,0 +1,1045 @@
59901 +#
59902 +# grecurity configuration
59903 +#
59904 +
59905 +menu "Grsecurity"
59906 +
59907 +config GRKERNSEC
59908 + bool "Grsecurity"
59909 + select CRYPTO
59910 + select CRYPTO_SHA256
59911 + help
59912 + If you say Y here, you will be able to configure many features
59913 + that will enhance the security of your system. It is highly
59914 + recommended that you say Y here and read through the help
59915 + for each option so that you fully understand the features and
59916 + can evaluate their usefulness for your machine.
59917 +
59918 +choice
59919 + prompt "Security Level"
59920 + depends on GRKERNSEC
59921 + default GRKERNSEC_CUSTOM
59922 +
59923 +config GRKERNSEC_LOW
59924 + bool "Low"
59925 + select GRKERNSEC_LINK
59926 + select GRKERNSEC_FIFO
59927 + select GRKERNSEC_EXECVE
59928 + select GRKERNSEC_RANDNET
59929 + select GRKERNSEC_DMESG
59930 + select GRKERNSEC_CHROOT
59931 + select GRKERNSEC_CHROOT_CHDIR
59932 +
59933 + help
59934 + If you choose this option, several of the grsecurity options will
59935 + be enabled that will give you greater protection against a number
59936 + of attacks, while assuring that none of your software will have any
59937 + conflicts with the additional security measures. If you run a lot
59938 + of unusual software, or you are having problems with the higher
59939 + security levels, you should say Y here. With this option, the
59940 + following features are enabled:
59941 +
59942 + - Linking restrictions
59943 + - FIFO restrictions
59944 + - Enforcing RLIMIT_NPROC on execve
59945 + - Restricted dmesg
59946 + - Enforced chdir("/") on chroot
59947 + - Runtime module disabling
59948 +
59949 +config GRKERNSEC_MEDIUM
59950 + bool "Medium"
59951 + select PAX
59952 + select PAX_EI_PAX
59953 + select PAX_PT_PAX_FLAGS
59954 + select PAX_HAVE_ACL_FLAGS
59955 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
59956 + select GRKERNSEC_CHROOT
59957 + select GRKERNSEC_CHROOT_SYSCTL
59958 + select GRKERNSEC_LINK
59959 + select GRKERNSEC_FIFO
59960 + select GRKERNSEC_EXECVE
59961 + select GRKERNSEC_DMESG
59962 + select GRKERNSEC_RANDNET
59963 + select GRKERNSEC_FORKFAIL
59964 + select GRKERNSEC_TIME
59965 + select GRKERNSEC_SIGNAL
59966 + select GRKERNSEC_CHROOT
59967 + select GRKERNSEC_CHROOT_UNIX
59968 + select GRKERNSEC_CHROOT_MOUNT
59969 + select GRKERNSEC_CHROOT_PIVOT
59970 + select GRKERNSEC_CHROOT_DOUBLE
59971 + select GRKERNSEC_CHROOT_CHDIR
59972 + select GRKERNSEC_CHROOT_MKNOD
59973 + select GRKERNSEC_PROC
59974 + select GRKERNSEC_PROC_USERGROUP
59975 + select PAX_RANDUSTACK
59976 + select PAX_ASLR
59977 + select PAX_RANDMMAP
59978 + select PAX_REFCOUNT if (X86 || SPARC64)
59979 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
59980 +
59981 + help
59982 + If you say Y here, several features in addition to those included
59983 + in the low additional security level will be enabled. These
59984 + features provide even more security to your system, though in rare
59985 + cases they may be incompatible with very old or poorly written
59986 + software. If you enable this option, make sure that your auth
59987 + service (identd) is running as gid 1001. With this option,
59988 + the following features (in addition to those provided in the
59989 + low additional security level) will be enabled:
59990 +
59991 + - Failed fork logging
59992 + - Time change logging
59993 + - Signal logging
59994 + - Deny mounts in chroot
59995 + - Deny double chrooting
59996 + - Deny sysctl writes in chroot
59997 + - Deny mknod in chroot
59998 + - Deny access to abstract AF_UNIX sockets out of chroot
59999 + - Deny pivot_root in chroot
60000 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
60001 + - /proc restrictions with special GID set to 10 (usually wheel)
60002 + - Address Space Layout Randomization (ASLR)
60003 + - Prevent exploitation of most refcount overflows
60004 + - Bounds checking of copying between the kernel and userland
60005 +
60006 +config GRKERNSEC_HIGH
60007 + bool "High"
60008 + select GRKERNSEC_LINK
60009 + select GRKERNSEC_FIFO
60010 + select GRKERNSEC_EXECVE
60011 + select GRKERNSEC_DMESG
60012 + select GRKERNSEC_FORKFAIL
60013 + select GRKERNSEC_TIME
60014 + select GRKERNSEC_SIGNAL
60015 + select GRKERNSEC_CHROOT
60016 + select GRKERNSEC_CHROOT_SHMAT
60017 + select GRKERNSEC_CHROOT_UNIX
60018 + select GRKERNSEC_CHROOT_MOUNT
60019 + select GRKERNSEC_CHROOT_FCHDIR
60020 + select GRKERNSEC_CHROOT_PIVOT
60021 + select GRKERNSEC_CHROOT_DOUBLE
60022 + select GRKERNSEC_CHROOT_CHDIR
60023 + select GRKERNSEC_CHROOT_MKNOD
60024 + select GRKERNSEC_CHROOT_CAPS
60025 + select GRKERNSEC_CHROOT_SYSCTL
60026 + select GRKERNSEC_CHROOT_FINDTASK
60027 + select GRKERNSEC_SYSFS_RESTRICT
60028 + select GRKERNSEC_PROC
60029 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60030 + select GRKERNSEC_HIDESYM
60031 + select GRKERNSEC_BRUTE
60032 + select GRKERNSEC_PROC_USERGROUP
60033 + select GRKERNSEC_KMEM
60034 + select GRKERNSEC_RESLOG
60035 + select GRKERNSEC_RANDNET
60036 + select GRKERNSEC_PROC_ADD
60037 + select GRKERNSEC_CHROOT_CHMOD
60038 + select GRKERNSEC_CHROOT_NICE
60039 + select GRKERNSEC_AUDIT_MOUNT
60040 + select GRKERNSEC_MODHARDEN if (MODULES)
60041 + select GRKERNSEC_HARDEN_PTRACE
60042 + select GRKERNSEC_VM86 if (X86_32)
60043 + select GRKERNSEC_KERN_LOCKOUT if (X86)
60044 + select PAX
60045 + select PAX_RANDUSTACK
60046 + select PAX_ASLR
60047 + select PAX_RANDMMAP
60048 + select PAX_NOEXEC
60049 + select PAX_MPROTECT
60050 + select PAX_EI_PAX
60051 + select PAX_PT_PAX_FLAGS
60052 + select PAX_HAVE_ACL_FLAGS
60053 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
60054 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
60055 + select PAX_RANDKSTACK if (X86_TSC && X86)
60056 + select PAX_SEGMEXEC if (X86_32)
60057 + select PAX_PAGEEXEC
60058 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
60059 + select PAX_EMUTRAMP if (PARISC)
60060 + select PAX_EMUSIGRT if (PARISC)
60061 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
60062 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
60063 + select PAX_REFCOUNT if (X86 || SPARC64)
60064 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
60065 + help
60066 + If you say Y here, many of the features of grsecurity will be
60067 + enabled, which will protect you against many kinds of attacks
60068 + against your system. The heightened security comes at a cost
60069 + of an increased chance of incompatibilities with rare software
60070 + on your machine. Since this security level enables PaX, you should
60071 + view <http://pax.grsecurity.net> and read about the PaX
60072 + project. While you are there, download chpax and run it on
60073 + binaries that cause problems with PaX. Also remember that
60074 + since the /proc restrictions are enabled, you must run your
60075 + identd as gid 1001. This security level enables the following
60076 + features in addition to those listed in the low and medium
60077 + security levels:
60078 +
60079 + - Additional /proc restrictions
60080 + - Chmod restrictions in chroot
60081 + - No signals, ptrace, or viewing of processes outside of chroot
60082 + - Capability restrictions in chroot
60083 + - Deny fchdir out of chroot
60084 + - Priority restrictions in chroot
60085 + - Segmentation-based implementation of PaX
60086 + - Mprotect restrictions
60087 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
60088 + - Kernel stack randomization
60089 + - Mount/unmount/remount logging
60090 + - Kernel symbol hiding
60091 + - Prevention of memory exhaustion-based exploits
60092 + - Hardening of module auto-loading
60093 + - Ptrace restrictions
60094 + - Restricted vm86 mode
60095 + - Restricted sysfs/debugfs
60096 + - Active kernel exploit response
60097 +
60098 +config GRKERNSEC_CUSTOM
60099 + bool "Custom"
60100 + help
60101 + If you say Y here, you will be able to configure every grsecurity
60102 + option, which allows you to enable many more features that aren't
60103 + covered in the basic security levels. These additional features
60104 + include TPE, socket restrictions, and the sysctl system for
60105 + grsecurity. It is advised that you read through the help for
60106 + each option to determine its usefulness in your situation.
60107 +
60108 +endchoice
60109 +
60110 +menu "Address Space Protection"
60111 +depends on GRKERNSEC
60112 +
60113 +config GRKERNSEC_KMEM
60114 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
60115 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
60116 + help
60117 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
60118 + be written to via mmap or otherwise to modify the running kernel.
60119 + /dev/port will also not be allowed to be opened. If you have module
60120 + support disabled, enabling this will close up four ways that are
60121 + currently used to insert malicious code into the running kernel.
60122 + Even with all these features enabled, we still highly recommend that
60123 + you use the RBAC system, as it is still possible for an attacker to
60124 + modify the running kernel through privileged I/O granted by ioperm/iopl.
60125 + If you are not using XFree86, you may be able to stop this additional
60126 + case by enabling the 'Disable privileged I/O' option. Though nothing
60127 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
60128 + but only to video memory, which is the only writing we allow in this
60129 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
60130 + not be allowed to mprotect it with PROT_WRITE later.
60131 + It is highly recommended that you say Y here if you meet all the
60132 + conditions above.
60133 +
60134 +config GRKERNSEC_VM86
60135 + bool "Restrict VM86 mode"
60136 + depends on X86_32
60137 +
60138 + help
60139 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
60140 + make use of a special execution mode on 32bit x86 processors called
60141 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
60142 + video cards and will still work with this option enabled. The purpose
60143 + of the option is to prevent exploitation of emulation errors in
60144 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
60145 + Nearly all users should be able to enable this option.
60146 +
60147 +config GRKERNSEC_IO
60148 + bool "Disable privileged I/O"
60149 + depends on X86
60150 + select RTC_CLASS
60151 + select RTC_INTF_DEV
60152 + select RTC_DRV_CMOS
60153 +
60154 + help
60155 + If you say Y here, all ioperm and iopl calls will return an error.
60156 + Ioperm and iopl can be used to modify the running kernel.
60157 + Unfortunately, some programs need this access to operate properly,
60158 + the most notable of which are XFree86 and hwclock. hwclock can be
60159 + remedied by having RTC support in the kernel, so real-time
60160 + clock support is enabled if this option is enabled, to ensure
60161 + that hwclock operates correctly. XFree86 still will not
60162 + operate correctly with this option enabled, so DO NOT CHOOSE Y
60163 + IF YOU USE XFree86. If you use XFree86 and you still want to
60164 + protect your kernel against modification, use the RBAC system.
60165 +
60166 +config GRKERNSEC_PROC_MEMMAP
60167 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
60168 + default y if (PAX_NOEXEC || PAX_ASLR)
60169 + depends on PAX_NOEXEC || PAX_ASLR
60170 + help
60171 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
60172 + give no information about the addresses of its mappings if
60173 + PaX features that rely on random addresses are enabled on the task.
60174 + If you use PaX it is greatly recommended that you say Y here as it
60175 + closes up a hole that makes the full ASLR useless for suid
60176 + binaries.
60177 +
60178 +config GRKERNSEC_BRUTE
60179 + bool "Deter exploit bruteforcing"
60180 + help
60181 + If you say Y here, attempts to bruteforce exploits against forking
60182 + daemons such as apache or sshd, as well as against suid/sgid binaries
60183 + will be deterred. When a child of a forking daemon is killed by PaX
60184 + or crashes due to an illegal instruction or other suspicious signal,
60185 + the parent process will be delayed 30 seconds upon every subsequent
60186 + fork until the administrator is able to assess the situation and
60187 + restart the daemon.
60188 + In the suid/sgid case, the attempt is logged, the user has all their
60189 + processes terminated, and they are prevented from executing any further
60190 + processes for 15 minutes.
60191 + It is recommended that you also enable signal logging in the auditing
60192 + section so that logs are generated when a process triggers a suspicious
60193 + signal.
60194 +
60195 +config GRKERNSEC_MODHARDEN
60196 + bool "Harden module auto-loading"
60197 + depends on MODULES
60198 + help
60199 + If you say Y here, module auto-loading in response to use of some
60200 + feature implemented by an unloaded module will be restricted to
60201 + root users. Enabling this option helps defend against attacks
60202 + by unprivileged users who abuse the auto-loading behavior to
60203 + cause a vulnerable module to load that is then exploited.
60204 +
60205 + If this option prevents a legitimate use of auto-loading for a
60206 + non-root user, the administrator can execute modprobe manually
60207 + with the exact name of the module mentioned in the alert log.
60208 + Alternatively, the administrator can add the module to the list
60209 + of modules loaded at boot by modifying init scripts.
60210 +
60211 + Modification of init scripts will most likely be needed on
60212 + Ubuntu servers with encrypted home directory support enabled,
60213 + as the first non-root user logging in will cause the ecb(aes),
60214 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
60215 +
60216 +config GRKERNSEC_HIDESYM
60217 + bool "Hide kernel symbols"
60218 + help
60219 + If you say Y here, getting information on loaded modules, and
60220 + displaying all kernel symbols through a syscall will be restricted
60221 + to users with CAP_SYS_MODULE. For software compatibility reasons,
60222 + /proc/kallsyms will be restricted to the root user. The RBAC
60223 + system can hide that entry even from root.
60224 +
60225 + This option also prevents leaking of kernel addresses through
60226 + several /proc entries.
60227 +
60228 + Note that this option is only effective provided the following
60229 + conditions are met:
60230 + 1) The kernel using grsecurity is not precompiled by some distribution
60231 + 2) You have also enabled GRKERNSEC_DMESG
60232 + 3) You are using the RBAC system and hiding other files such as your
60233 + kernel image and System.map. Alternatively, enabling this option
60234 + causes the permissions on /boot, /lib/modules, and the kernel
60235 + source directory to change at compile time to prevent
60236 + reading by non-root users.
60237 + If the above conditions are met, this option will aid in providing a
60238 + useful protection against local kernel exploitation of overflows
60239 + and arbitrary read/write vulnerabilities.
60240 +
60241 +config GRKERNSEC_KERN_LOCKOUT
60242 + bool "Active kernel exploit response"
60243 + depends on X86
60244 + help
60245 + If you say Y here, when a PaX alert is triggered due to suspicious
60246 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
60247 + or an OOPs occurs due to bad memory accesses, instead of just
60248 + terminating the offending process (and potentially allowing
60249 + a subsequent exploit from the same user), we will take one of two
60250 + actions:
60251 + If the user was root, we will panic the system
60252 + If the user was non-root, we will log the attempt, terminate
60253 + all processes owned by the user, then prevent them from creating
60254 + any new processes until the system is restarted
60255 + This deters repeated kernel exploitation/bruteforcing attempts
60256 + and is useful for later forensics.
60257 +
60258 +endmenu
60259 +menu "Role Based Access Control Options"
60260 +depends on GRKERNSEC
60261 +
60262 +config GRKERNSEC_RBAC_DEBUG
60263 + bool
60264 +
60265 +config GRKERNSEC_NO_RBAC
60266 + bool "Disable RBAC system"
60267 + help
60268 + If you say Y here, the /dev/grsec device will be removed from the kernel,
60269 + preventing the RBAC system from being enabled. You should only say Y
60270 + here if you have no intention of using the RBAC system, so as to prevent
60271 + an attacker with root access from misusing the RBAC system to hide files
60272 + and processes when loadable module support and /dev/[k]mem have been
60273 + locked down.
60274 +
60275 +config GRKERNSEC_ACL_HIDEKERN
60276 + bool "Hide kernel processes"
60277 + help
60278 + If you say Y here, all kernel threads will be hidden to all
60279 + processes but those whose subject has the "view hidden processes"
60280 + flag.
60281 +
60282 +config GRKERNSEC_ACL_MAXTRIES
60283 + int "Maximum tries before password lockout"
60284 + default 3
60285 + help
60286 + This option enforces the maximum number of times a user can attempt
60287 + to authorize themselves with the grsecurity RBAC system before being
60288 + denied the ability to attempt authorization again for a specified time.
60289 + The lower the number, the harder it will be to brute-force a password.
60290 +
60291 +config GRKERNSEC_ACL_TIMEOUT
60292 + int "Time to wait after max password tries, in seconds"
60293 + default 30
60294 + help
60295 + This option specifies the time the user must wait after attempting to
60296 + authorize to the RBAC system with the maximum number of invalid
60297 + passwords. The higher the number, the harder it will be to brute-force
60298 + a password.
60299 +
60300 +endmenu
60301 +menu "Filesystem Protections"
60302 +depends on GRKERNSEC
60303 +
60304 +config GRKERNSEC_PROC
60305 + bool "Proc restrictions"
60306 + help
60307 + If you say Y here, the permissions of the /proc filesystem
60308 + will be altered to enhance system security and privacy. You MUST
60309 + choose either a user only restriction or a user and group restriction.
60310 + Depending upon the option you choose, you can either restrict users to
60311 + see only the processes they themselves run, or choose a group that can
60312 + view all processes and files normally restricted to root if you choose
60313 + the "restrict to user only" option. NOTE: If you're running identd as
60314 + a non-root user, you will have to run it as the group you specify here.
60315 +
60316 +config GRKERNSEC_PROC_USER
60317 + bool "Restrict /proc to user only"
60318 + depends on GRKERNSEC_PROC
60319 + help
60320 + If you say Y here, non-root users will only be able to view their own
60321 + processes, and restricts them from viewing network-related information,
60322 + and viewing kernel symbol and module information.
60323 +
60324 +config GRKERNSEC_PROC_USERGROUP
60325 + bool "Allow special group"
60326 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
60327 + help
60328 + If you say Y here, you will be able to select a group that will be
60329 + able to view all processes and network-related information. If you've
60330 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
60331 + remain hidden. This option is useful if you want to run identd as
60332 + a non-root user.
60333 +
60334 +config GRKERNSEC_PROC_GID
60335 + int "GID for special group"
60336 + depends on GRKERNSEC_PROC_USERGROUP
60337 + default 1001
60338 +
60339 +config GRKERNSEC_PROC_ADD
60340 + bool "Additional restrictions"
60341 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
60342 + help
60343 + If you say Y here, additional restrictions will be placed on
60344 + /proc that keep normal users from viewing device information and
60345 + slabinfo information that could be useful for exploits.
60346 +
60347 +config GRKERNSEC_LINK
60348 + bool "Linking restrictions"
60349 + help
60350 + If you say Y here, /tmp race exploits will be prevented, since users
60351 + will no longer be able to follow symlinks owned by other users in
60352 + world-writable +t directories (e.g. /tmp), unless the owner of the
60353 + symlink is the owner of the directory. users will also not be
60354 + able to hardlink to files they do not own. If the sysctl option is
60355 + enabled, a sysctl option with name "linking_restrictions" is created.
60356 +
60357 +config GRKERNSEC_FIFO
60358 + bool "FIFO restrictions"
60359 + help
60360 + If you say Y here, users will not be able to write to FIFOs they don't
60361 + own in world-writable +t directories (e.g. /tmp), unless the owner of
60362 + the FIFO is the same owner of the directory it's held in. If the sysctl
60363 + option is enabled, a sysctl option with name "fifo_restrictions" is
60364 + created.
60365 +
60366 +config GRKERNSEC_SYSFS_RESTRICT
60367 + bool "Sysfs/debugfs restriction"
60368 + depends on SYSFS
60369 + help
60370 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
60371 + any filesystem normally mounted under it (e.g. debugfs) will only
60372 + be accessible by root. These filesystems generally provide access
60373 + to hardware and debug information that isn't appropriate for unprivileged
60374 + users of the system. Sysfs and debugfs have also become a large source
60375 + of new vulnerabilities, ranging from infoleaks to local compromise.
60376 + There has been very little oversight with an eye toward security involved
60377 + in adding new exporters of information to these filesystems, so their
60378 + use is discouraged.
60379 + This option is equivalent to a chmod 0700 of the mount paths.
60380 +
60381 +config GRKERNSEC_ROFS
60382 + bool "Runtime read-only mount protection"
60383 + help
60384 + If you say Y here, a sysctl option with name "romount_protect" will
60385 + be created. By setting this option to 1 at runtime, filesystems
60386 + will be protected in the following ways:
60387 + * No new writable mounts will be allowed
60388 + * Existing read-only mounts won't be able to be remounted read/write
60389 + * Write operations will be denied on all block devices
60390 + This option acts independently of grsec_lock: once it is set to 1,
60391 + it cannot be turned off. Therefore, please be mindful of the resulting
60392 + behavior if this option is enabled in an init script on a read-only
60393 + filesystem. This feature is mainly intended for secure embedded systems.
60394 +
60395 +config GRKERNSEC_CHROOT
60396 + bool "Chroot jail restrictions"
60397 + help
60398 + If you say Y here, you will be able to choose several options that will
60399 + make breaking out of a chrooted jail much more difficult. If you
60400 + encounter no software incompatibilities with the following options, it
60401 + is recommended that you enable each one.
60402 +
60403 +config GRKERNSEC_CHROOT_MOUNT
60404 + bool "Deny mounts"
60405 + depends on GRKERNSEC_CHROOT
60406 + help
60407 + If you say Y here, processes inside a chroot will not be able to
60408 + mount or remount filesystems. If the sysctl option is enabled, a
60409 + sysctl option with name "chroot_deny_mount" is created.
60410 +
60411 +config GRKERNSEC_CHROOT_DOUBLE
60412 + bool "Deny double-chroots"
60413 + depends on GRKERNSEC_CHROOT
60414 + help
60415 + If you say Y here, processes inside a chroot will not be able to chroot
60416 + again outside the chroot. This is a widely used method of breaking
60417 + out of a chroot jail and should not be allowed. If the sysctl
60418 + option is enabled, a sysctl option with name
60419 + "chroot_deny_chroot" is created.
60420 +
60421 +config GRKERNSEC_CHROOT_PIVOT
60422 + bool "Deny pivot_root in chroot"
60423 + depends on GRKERNSEC_CHROOT
60424 + help
60425 + If you say Y here, processes inside a chroot will not be able to use
60426 + a function called pivot_root() that was introduced in Linux 2.3.41. It
60427 + works similar to chroot in that it changes the root filesystem. This
60428 + function could be misused in a chrooted process to attempt to break out
60429 + of the chroot, and therefore should not be allowed. If the sysctl
60430 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
60431 + created.
60432 +
60433 +config GRKERNSEC_CHROOT_CHDIR
60434 + bool "Enforce chdir(\"/\") on all chroots"
60435 + depends on GRKERNSEC_CHROOT
60436 + help
60437 + If you say Y here, the current working directory of all newly-chrooted
60438 + applications will be set to the the root directory of the chroot.
60439 + The man page on chroot(2) states:
60440 + Note that this call does not change the current working
60441 + directory, so that `.' can be outside the tree rooted at
60442 + `/'. In particular, the super-user can escape from a
60443 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
60444 +
60445 + It is recommended that you say Y here, since it's not known to break
60446 + any software. If the sysctl option is enabled, a sysctl option with
60447 + name "chroot_enforce_chdir" is created.
60448 +
60449 +config GRKERNSEC_CHROOT_CHMOD
60450 + bool "Deny (f)chmod +s"
60451 + depends on GRKERNSEC_CHROOT
60452 + help
60453 + If you say Y here, processes inside a chroot will not be able to chmod
60454 + or fchmod files to make them have suid or sgid bits. This protects
60455 + against another published method of breaking a chroot. If the sysctl
60456 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
60457 + created.
60458 +
60459 +config GRKERNSEC_CHROOT_FCHDIR
60460 + bool "Deny fchdir out of chroot"
60461 + depends on GRKERNSEC_CHROOT
60462 + help
60463 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
60464 + to a file descriptor of the chrooting process that points to a directory
60465 + outside the filesystem will be stopped. If the sysctl option
60466 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
60467 +
60468 +config GRKERNSEC_CHROOT_MKNOD
60469 + bool "Deny mknod"
60470 + depends on GRKERNSEC_CHROOT
60471 + help
60472 + If you say Y here, processes inside a chroot will not be allowed to
60473 + mknod. The problem with using mknod inside a chroot is that it
60474 + would allow an attacker to create a device entry that is the same
60475 + as one on the physical root of your system, which could range from
60476 + anything from the console device to a device for your harddrive (which
60477 + they could then use to wipe the drive or steal data). It is recommended
60478 + that you say Y here, unless you run into software incompatibilities.
60479 + If the sysctl option is enabled, a sysctl option with name
60480 + "chroot_deny_mknod" is created.
60481 +
60482 +config GRKERNSEC_CHROOT_SHMAT
60483 + bool "Deny shmat() out of chroot"
60484 + depends on GRKERNSEC_CHROOT
60485 + help
60486 + If you say Y here, processes inside a chroot will not be able to attach
60487 + to shared memory segments that were created outside of the chroot jail.
60488 + It is recommended that you say Y here. If the sysctl option is enabled,
60489 + a sysctl option with name "chroot_deny_shmat" is created.
60490 +
60491 +config GRKERNSEC_CHROOT_UNIX
60492 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
60493 + depends on GRKERNSEC_CHROOT
60494 + help
60495 + If you say Y here, processes inside a chroot will not be able to
60496 + connect to abstract (meaning not belonging to a filesystem) Unix
60497 + domain sockets that were bound outside of a chroot. It is recommended
60498 + that you say Y here. If the sysctl option is enabled, a sysctl option
60499 + with name "chroot_deny_unix" is created.
60500 +
60501 +config GRKERNSEC_CHROOT_FINDTASK
60502 + bool "Protect outside processes"
60503 + depends on GRKERNSEC_CHROOT
60504 + help
60505 + If you say Y here, processes inside a chroot will not be able to
60506 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60507 + getsid, or view any process outside of the chroot. If the sysctl
60508 + option is enabled, a sysctl option with name "chroot_findtask" is
60509 + created.
60510 +
60511 +config GRKERNSEC_CHROOT_NICE
60512 + bool "Restrict priority changes"
60513 + depends on GRKERNSEC_CHROOT
60514 + help
60515 + If you say Y here, processes inside a chroot will not be able to raise
60516 + the priority of processes in the chroot, or alter the priority of
60517 + processes outside the chroot. This provides more security than simply
60518 + removing CAP_SYS_NICE from the process' capability set. If the
60519 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60520 + is created.
60521 +
60522 +config GRKERNSEC_CHROOT_SYSCTL
60523 + bool "Deny sysctl writes"
60524 + depends on GRKERNSEC_CHROOT
60525 + help
60526 + If you say Y here, an attacker in a chroot will not be able to
60527 + write to sysctl entries, either by sysctl(2) or through a /proc
60528 + interface. It is strongly recommended that you say Y here. If the
60529 + sysctl option is enabled, a sysctl option with name
60530 + "chroot_deny_sysctl" is created.
60531 +
60532 +config GRKERNSEC_CHROOT_CAPS
60533 + bool "Capability restrictions"
60534 + depends on GRKERNSEC_CHROOT
60535 + help
60536 + If you say Y here, the capabilities on all root processes within a
60537 + chroot jail will be lowered to stop module insertion, raw i/o,
60538 + system and net admin tasks, rebooting the system, modifying immutable
60539 + files, modifying IPC owned by another, and changing the system time.
60540 + This is left an option because it can break some apps. Disable this
60541 + if your chrooted apps are having problems performing those kinds of
60542 + tasks. If the sysctl option is enabled, a sysctl option with
60543 + name "chroot_caps" is created.
60544 +
60545 +endmenu
60546 +menu "Kernel Auditing"
60547 +depends on GRKERNSEC
60548 +
60549 +config GRKERNSEC_AUDIT_GROUP
60550 + bool "Single group for auditing"
60551 + help
60552 + If you say Y here, the exec, chdir, and (un)mount logging features
60553 + will only operate on a group you specify. This option is recommended
60554 + if you only want to watch certain users instead of having a large
60555 + amount of logs from the entire system. If the sysctl option is enabled,
60556 + a sysctl option with name "audit_group" is created.
60557 +
60558 +config GRKERNSEC_AUDIT_GID
60559 + int "GID for auditing"
60560 + depends on GRKERNSEC_AUDIT_GROUP
60561 + default 1007
60562 +
60563 +config GRKERNSEC_EXECLOG
60564 + bool "Exec logging"
60565 + help
60566 + If you say Y here, all execve() calls will be logged (since the
60567 + other exec*() calls are frontends to execve(), all execution
60568 + will be logged). Useful for shell-servers that like to keep track
60569 + of their users. If the sysctl option is enabled, a sysctl option with
60570 + name "exec_logging" is created.
60571 + WARNING: This option when enabled will produce a LOT of logs, especially
60572 + on an active system.
60573 +
60574 +config GRKERNSEC_RESLOG
60575 + bool "Resource logging"
60576 + help
60577 + If you say Y here, all attempts to overstep resource limits will
60578 + be logged with the resource name, the requested size, and the current
60579 + limit. It is highly recommended that you say Y here. If the sysctl
60580 + option is enabled, a sysctl option with name "resource_logging" is
60581 + created. If the RBAC system is enabled, the sysctl value is ignored.
60582 +
60583 +config GRKERNSEC_CHROOT_EXECLOG
60584 + bool "Log execs within chroot"
60585 + help
60586 + If you say Y here, all executions inside a chroot jail will be logged
60587 + to syslog. This can cause a large amount of logs if certain
60588 + applications (eg. djb's daemontools) are installed on the system, and
60589 + is therefore left as an option. If the sysctl option is enabled, a
60590 + sysctl option with name "chroot_execlog" is created.
60591 +
60592 +config GRKERNSEC_AUDIT_PTRACE
60593 + bool "Ptrace logging"
60594 + help
60595 + If you say Y here, all attempts to attach to a process via ptrace
60596 + will be logged. If the sysctl option is enabled, a sysctl option
60597 + with name "audit_ptrace" is created.
60598 +
60599 +config GRKERNSEC_AUDIT_CHDIR
60600 + bool "Chdir logging"
60601 + help
60602 + If you say Y here, all chdir() calls will be logged. If the sysctl
60603 + option is enabled, a sysctl option with name "audit_chdir" is created.
60604 +
60605 +config GRKERNSEC_AUDIT_MOUNT
60606 + bool "(Un)Mount logging"
60607 + help
60608 + If you say Y here, all mounts and unmounts will be logged. If the
60609 + sysctl option is enabled, a sysctl option with name "audit_mount" is
60610 + created.
60611 +
60612 +config GRKERNSEC_SIGNAL
60613 + bool "Signal logging"
60614 + help
60615 + If you say Y here, certain important signals will be logged, such as
60616 + SIGSEGV, which will as a result inform you of when a error in a program
60617 + occurred, which in some cases could mean a possible exploit attempt.
60618 + If the sysctl option is enabled, a sysctl option with name
60619 + "signal_logging" is created.
60620 +
60621 +config GRKERNSEC_FORKFAIL
60622 + bool "Fork failure logging"
60623 + help
60624 + If you say Y here, all failed fork() attempts will be logged.
60625 + This could suggest a fork bomb, or someone attempting to overstep
60626 + their process limit. If the sysctl option is enabled, a sysctl option
60627 + with name "forkfail_logging" is created.
60628 +
60629 +config GRKERNSEC_TIME
60630 + bool "Time change logging"
60631 + help
60632 + If you say Y here, any changes of the system clock will be logged.
60633 + If the sysctl option is enabled, a sysctl option with name
60634 + "timechange_logging" is created.
60635 +
60636 +config GRKERNSEC_PROC_IPADDR
60637 + bool "/proc/<pid>/ipaddr support"
60638 + help
60639 + If you say Y here, a new entry will be added to each /proc/<pid>
60640 + directory that contains the IP address of the person using the task.
60641 + The IP is carried across local TCP and AF_UNIX stream sockets.
60642 + This information can be useful for IDS/IPSes to perform remote response
60643 + to a local attack. The entry is readable by only the owner of the
60644 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
60645 + the RBAC system), and thus does not create privacy concerns.
60646 +
60647 +config GRKERNSEC_RWXMAP_LOG
60648 + bool 'Denied RWX mmap/mprotect logging'
60649 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
60650 + help
60651 + If you say Y here, calls to mmap() and mprotect() with explicit
60652 + usage of PROT_WRITE and PROT_EXEC together will be logged when
60653 + denied by the PAX_MPROTECT feature. If the sysctl option is
60654 + enabled, a sysctl option with name "rwxmap_logging" is created.
60655 +
60656 +config GRKERNSEC_AUDIT_TEXTREL
60657 + bool 'ELF text relocations logging (READ HELP)'
60658 + depends on PAX_MPROTECT
60659 + help
60660 + If you say Y here, text relocations will be logged with the filename
60661 + of the offending library or binary. The purpose of the feature is
60662 + to help Linux distribution developers get rid of libraries and
60663 + binaries that need text relocations which hinder the future progress
60664 + of PaX. Only Linux distribution developers should say Y here, and
60665 + never on a production machine, as this option creates an information
60666 + leak that could aid an attacker in defeating the randomization of
60667 + a single memory region. If the sysctl option is enabled, a sysctl
60668 + option with name "audit_textrel" is created.
60669 +
60670 +endmenu
60671 +
60672 +menu "Executable Protections"
60673 +depends on GRKERNSEC
60674 +
60675 +config GRKERNSEC_EXECVE
60676 + bool "Enforce RLIMIT_NPROC on execs"
60677 + help
60678 + If you say Y here, users with a resource limit on processes will
60679 + have the value checked during execve() calls. The current system
60680 + only checks the system limit during fork() calls. If the sysctl option
60681 + is enabled, a sysctl option with name "execve_limiting" is created.
60682 +
60683 +config GRKERNSEC_DMESG
60684 + bool "Dmesg(8) restriction"
60685 + help
60686 + If you say Y here, non-root users will not be able to use dmesg(8)
60687 + to view up to the last 4kb of messages in the kernel's log buffer.
60688 + The kernel's log buffer often contains kernel addresses and other
60689 + identifying information useful to an attacker in fingerprinting a
60690 + system for a targeted exploit.
60691 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
60692 + created.
60693 +
60694 +config GRKERNSEC_HARDEN_PTRACE
60695 + bool "Deter ptrace-based process snooping"
60696 + help
60697 + If you say Y here, TTY sniffers and other malicious monitoring
60698 + programs implemented through ptrace will be defeated. If you
60699 + have been using the RBAC system, this option has already been
60700 + enabled for several years for all users, with the ability to make
60701 + fine-grained exceptions.
60702 +
60703 + This option only affects the ability of non-root users to ptrace
60704 + processes that are not a descendent of the ptracing process.
60705 + This means that strace ./binary and gdb ./binary will still work,
60706 + but attaching to arbitrary processes will not. If the sysctl
60707 + option is enabled, a sysctl option with name "harden_ptrace" is
60708 + created.
60709 +
60710 +config GRKERNSEC_TPE
60711 + bool "Trusted Path Execution (TPE)"
60712 + help
60713 + If you say Y here, you will be able to choose a gid to add to the
60714 + supplementary groups of users you want to mark as "untrusted."
60715 + These users will not be able to execute any files that are not in
60716 + root-owned directories writable only by root. If the sysctl option
60717 + is enabled, a sysctl option with name "tpe" is created.
60718 +
60719 +config GRKERNSEC_TPE_ALL
60720 + bool "Partially restrict all non-root users"
60721 + depends on GRKERNSEC_TPE
60722 + help
60723 + If you say Y here, all non-root users will be covered under
60724 + a weaker TPE restriction. This is separate from, and in addition to,
60725 + the main TPE options that you have selected elsewhere. Thus, if a
60726 + "trusted" GID is chosen, this restriction applies to even that GID.
60727 + Under this restriction, all non-root users will only be allowed to
60728 + execute files in directories they own that are not group or
60729 + world-writable, or in directories owned by root and writable only by
60730 + root. If the sysctl option is enabled, a sysctl option with name
60731 + "tpe_restrict_all" is created.
60732 +
60733 +config GRKERNSEC_TPE_INVERT
60734 + bool "Invert GID option"
60735 + depends on GRKERNSEC_TPE
60736 + help
60737 + If you say Y here, the group you specify in the TPE configuration will
60738 + decide what group TPE restrictions will be *disabled* for. This
60739 + option is useful if you want TPE restrictions to be applied to most
60740 + users on the system. If the sysctl option is enabled, a sysctl option
60741 + with name "tpe_invert" is created. Unlike other sysctl options, this
60742 + entry will default to on for backward-compatibility.
60743 +
60744 +config GRKERNSEC_TPE_GID
60745 + int "GID for untrusted users"
60746 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
60747 + default 1005
60748 + help
60749 + Setting this GID determines what group TPE restrictions will be
60750 + *enabled* for. If the sysctl option is enabled, a sysctl option
60751 + with name "tpe_gid" is created.
60752 +
60753 +config GRKERNSEC_TPE_GID
60754 + int "GID for trusted users"
60755 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
60756 + default 1005
60757 + help
60758 + Setting this GID determines what group TPE restrictions will be
60759 + *disabled* for. If the sysctl option is enabled, a sysctl option
60760 + with name "tpe_gid" is created.
60761 +
60762 +endmenu
60763 +menu "Network Protections"
60764 +depends on GRKERNSEC
60765 +
60766 +config GRKERNSEC_RANDNET
60767 + bool "Larger entropy pools"
60768 + help
60769 + If you say Y here, the entropy pools used for many features of Linux
60770 + and grsecurity will be doubled in size. Since several grsecurity
60771 + features use additional randomness, it is recommended that you say Y
60772 + here. Saying Y here has a similar effect as modifying
60773 + /proc/sys/kernel/random/poolsize.
60774 +
60775 +config GRKERNSEC_BLACKHOLE
60776 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
60777 + help
60778 + If you say Y here, neither TCP resets nor ICMP
60779 + destination-unreachable packets will be sent in response to packets
60780 + sent to ports for which no associated listening process exists.
60781 + This feature supports both IPV4 and IPV6 and exempts the
60782 + loopback interface from blackholing. Enabling this feature
60783 + makes a host more resilient to DoS attacks and reduces network
60784 + visibility against scanners.
60785 +
60786 + The blackhole feature as-implemented is equivalent to the FreeBSD
60787 + blackhole feature, as it prevents RST responses to all packets, not
60788 + just SYNs. Under most application behavior this causes no
60789 + problems, but applications (like haproxy) may not close certain
60790 + connections in a way that cleanly terminates them on the remote
60791 + end, leaving the remote host in LAST_ACK state. Because of this
60792 + side-effect and to prevent intentional LAST_ACK DoSes, this
60793 + feature also adds automatic mitigation against such attacks.
60794 + The mitigation drastically reduces the amount of time a socket
60795 + can spend in LAST_ACK state. If you're using haproxy and not
60796 + all servers it connects to have this option enabled, consider
60797 + disabling this feature on the haproxy host.
60798 +
60799 + If the sysctl option is enabled, two sysctl options with names
60800 + "ip_blackhole" and "lastack_retries" will be created.
60801 + While "ip_blackhole" takes the standard zero/non-zero on/off
60802 + toggle, "lastack_retries" uses the same kinds of values as
60803 + "tcp_retries1" and "tcp_retries2". The default value of 4
60804 + prevents a socket from lasting more than 45 seconds in LAST_ACK
60805 + state.
60806 +
60807 +config GRKERNSEC_SOCKET
60808 + bool "Socket restrictions"
60809 + help
60810 + If you say Y here, you will be able to choose from several options.
60811 + If you assign a GID on your system and add it to the supplementary
60812 + groups of users you want to restrict socket access to, this patch
60813 + will perform up to three things, based on the option(s) you choose.
60814 +
60815 +config GRKERNSEC_SOCKET_ALL
60816 + bool "Deny any sockets to group"
60817 + depends on GRKERNSEC_SOCKET
60818 + help
60819 + If you say Y here, you will be able to choose a GID of whose users will
60820 + be unable to connect to other hosts from your machine or run server
60821 + applications from your machine. If the sysctl option is enabled, a
60822 + sysctl option with name "socket_all" is created.
60823 +
60824 +config GRKERNSEC_SOCKET_ALL_GID
60825 + int "GID to deny all sockets for"
60826 + depends on GRKERNSEC_SOCKET_ALL
60827 + default 1004
60828 + help
60829 + Here you can choose the GID to disable socket access for. Remember to
60830 + add the users you want socket access disabled for to the GID
60831 + specified here. If the sysctl option is enabled, a sysctl option
60832 + with name "socket_all_gid" is created.
60833 +
60834 +config GRKERNSEC_SOCKET_CLIENT
60835 + bool "Deny client sockets to group"
60836 + depends on GRKERNSEC_SOCKET
60837 + help
60838 + If you say Y here, you will be able to choose a GID of whose users will
60839 + be unable to connect to other hosts from your machine, but will be
60840 + able to run servers. If this option is enabled, all users in the group
60841 + you specify will have to use passive mode when initiating ftp transfers
60842 + from the shell on your machine. If the sysctl option is enabled, a
60843 + sysctl option with name "socket_client" is created.
60844 +
60845 +config GRKERNSEC_SOCKET_CLIENT_GID
60846 + int "GID to deny client sockets for"
60847 + depends on GRKERNSEC_SOCKET_CLIENT
60848 + default 1003
60849 + help
60850 + Here you can choose the GID to disable client socket access for.
60851 + Remember to add the users you want client socket access disabled for to
60852 + the GID specified here. If the sysctl option is enabled, a sysctl
60853 + option with name "socket_client_gid" is created.
60854 +
60855 +config GRKERNSEC_SOCKET_SERVER
60856 + bool "Deny server sockets to group"
60857 + depends on GRKERNSEC_SOCKET
60858 + help
60859 + If you say Y here, you will be able to choose a GID of whose users will
60860 + be unable to run server applications from your machine. If the sysctl
60861 + option is enabled, a sysctl option with name "socket_server" is created.
60862 +
60863 +config GRKERNSEC_SOCKET_SERVER_GID
60864 + int "GID to deny server sockets for"
60865 + depends on GRKERNSEC_SOCKET_SERVER
60866 + default 1002
60867 + help
60868 + Here you can choose the GID to disable server socket access for.
60869 + Remember to add the users you want server socket access disabled for to
60870 + the GID specified here. If the sysctl option is enabled, a sysctl
60871 + option with name "socket_server_gid" is created.
60872 +
60873 +endmenu
60874 +menu "Sysctl support"
60875 +depends on GRKERNSEC && SYSCTL
60876 +
60877 +config GRKERNSEC_SYSCTL
60878 + bool "Sysctl support"
60879 + help
60880 + If you say Y here, you will be able to change the options that
60881 + grsecurity runs with at bootup, without having to recompile your
60882 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
60883 + to enable (1) or disable (0) various features. All the sysctl entries
60884 + are mutable until the "grsec_lock" entry is set to a non-zero value.
60885 + All features enabled in the kernel configuration are disabled at boot
60886 + if you do not say Y to the "Turn on features by default" option.
60887 + All options should be set at startup, and the grsec_lock entry should
60888 + be set to a non-zero value after all the options are set.
60889 + *THIS IS EXTREMELY IMPORTANT*
60890 +
60891 +config GRKERNSEC_SYSCTL_DISTRO
60892 + bool "Extra sysctl support for distro makers (READ HELP)"
60893 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
60894 + help
60895 + If you say Y here, additional sysctl options will be created
60896 + for features that affect processes running as root. Therefore,
60897 + it is critical when using this option that the grsec_lock entry be
60898 + enabled after boot. Only distros with prebuilt kernel packages
60899 + with this option enabled that can ensure grsec_lock is enabled
60900 + after boot should use this option.
60901 + *Failure to set grsec_lock after boot makes all grsec features
60902 + this option covers useless*
60903 +
60904 + Currently this option creates the following sysctl entries:
60905 + "Disable Privileged I/O": "disable_priv_io"
60906 +
60907 +config GRKERNSEC_SYSCTL_ON
60908 + bool "Turn on features by default"
60909 + depends on GRKERNSEC_SYSCTL
60910 + help
60911 + If you say Y here, instead of having all features enabled in the
60912 + kernel configuration disabled at boot time, the features will be
60913 + enabled at boot time. It is recommended you say Y here unless
60914 + there is some reason you would want all sysctl-tunable features to
60915 + be disabled by default. As mentioned elsewhere, it is important
60916 + to enable the grsec_lock entry once you have finished modifying
60917 + the sysctl entries.
60918 +
60919 +endmenu
60920 +menu "Logging Options"
60921 +depends on GRKERNSEC
60922 +
60923 +config GRKERNSEC_FLOODTIME
60924 + int "Seconds in between log messages (minimum)"
60925 + default 10
60926 + help
60927 + This option allows you to enforce the number of seconds between
60928 + grsecurity log messages. The default should be suitable for most
60929 + people, however, if you choose to change it, choose a value small enough
60930 + to allow informative logs to be produced, but large enough to
60931 + prevent flooding.
60932 +
60933 +config GRKERNSEC_FLOODBURST
60934 + int "Number of messages in a burst (maximum)"
60935 + default 4
60936 + help
60937 + This option allows you to choose the maximum number of messages allowed
60938 + within the flood time interval you chose in a separate option. The
60939 + default should be suitable for most people, however if you find that
60940 + many of your logs are being interpreted as flooding, you may want to
60941 + raise this value.
60942 +
60943 +endmenu
60944 +
60945 +endmenu
60946 diff -urNp linux-2.6.39.1/grsecurity/Makefile linux-2.6.39.1/grsecurity/Makefile
60947 --- linux-2.6.39.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
60948 +++ linux-2.6.39.1/grsecurity/Makefile 2011-05-24 20:26:54.000000000 -0400
60949 @@ -0,0 +1,33 @@
60950 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
60951 +# during 2001-2009 it has been completely redesigned by Brad Spengler
60952 +# into an RBAC system
60953 +#
60954 +# All code in this directory and various hooks inserted throughout the kernel
60955 +# are copyright Brad Spengler - Open Source Security, Inc., and released
60956 +# under the GPL v2 or higher
60957 +
60958 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
60959 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
60960 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
60961 +
60962 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
60963 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
60964 + gracl_learn.o grsec_log.o
60965 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
60966 +
60967 +ifdef CONFIG_NET
60968 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
60969 +endif
60970 +
60971 +ifndef CONFIG_GRKERNSEC
60972 +obj-y += grsec_disabled.o
60973 +endif
60974 +
60975 +ifdef CONFIG_GRKERNSEC_HIDESYM
60976 +extra-y := grsec_hidesym.o
60977 +$(obj)/grsec_hidesym.o:
60978 + @-chmod -f 500 /boot
60979 + @-chmod -f 500 /lib/modules
60980 + @-chmod -f 700 .
60981 + @echo ' grsec: protected kernel image paths'
60982 +endif
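Review bot: The `$(obj)/grsec_hidesym.o` rule changes permissions on the build host (`/boot`, `/lib/modules` and the current directory) as a side effect of compiling, and every failure is hidden by the `@-` prefix and `chmod -f`. A build run by an unprivileged user, or on a machine other than the one that will boot the kernel, still prints `grsec: protected kernel image paths` although nothing on the target system was protected. The recipe also never creates its target file, so it appears to rerun on every build. I would move the permission change to an install or packaging step and print the message only when the chmod calls succeed, or at least add a comment such as `# best effort: only effective when building as root on the host that runs this kernel`.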
60983 diff -urNp linux-2.6.39.1/include/acpi/acpi_drivers.h linux-2.6.39.1/include/acpi/acpi_drivers.h
60984 --- linux-2.6.39.1/include/acpi/acpi_drivers.h 2011-05-19 00:06:34.000000000 -0400
60985 +++ linux-2.6.39.1/include/acpi/acpi_drivers.h 2011-05-22 19:36:32.000000000 -0400
60986 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
60987 Dock Station
60988 -------------------------------------------------------------------------- */
60989 struct acpi_dock_ops {
60990 - acpi_notify_handler handler;
60991 - acpi_notify_handler uevent;
60992 + const acpi_notify_handler handler;
60993 + const acpi_notify_handler uevent;
60994 };
60995
60996 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
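Review bot: Qualifying the members themselves in `struct acpi_dock_ops` (`const acpi_notify_handler handler;`) is stricter than the `const struct acpi_dock_ops *ops` parameter change in the two later hunks of this file. Every instance must now be fully initialised at its definition and can no longer be filled in field by field or copied by assignment. That is fine if all users define their ops tables statically, but the users are not visible in this hunk, so it should be confirmed across the tree. A short comment on the struct, e.g. `/* members are const so dock ops stay read-only after initialisation */`, would record the intent.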
60997 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
60998 extern int register_dock_notifier(struct notifier_block *nb);
60999 extern void unregister_dock_notifier(struct notifier_block *nb);
61000 extern int register_hotplug_dock_device(acpi_handle handle,
61001 - struct acpi_dock_ops *ops,
61002 + const struct acpi_dock_ops *ops,
61003 void *context);
61004 extern void unregister_hotplug_dock_device(acpi_handle handle);
61005 #else
61006 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61007 {
61008 }
61009 static inline int register_hotplug_dock_device(acpi_handle handle,
61010 - struct acpi_dock_ops *ops,
61011 + const struct acpi_dock_ops *ops,
61012 void *context)
61013 {
61014 return -ENODEV;
61015 diff -urNp linux-2.6.39.1/include/acpi/processor.h linux-2.6.39.1/include/acpi/processor.h
61016 --- linux-2.6.39.1/include/acpi/processor.h 2011-05-19 00:06:34.000000000 -0400
61017 +++ linux-2.6.39.1/include/acpi/processor.h 2011-05-22 19:36:32.000000000 -0400
61018 @@ -344,7 +344,7 @@ extern struct cpuidle_driver acpi_idle_d
61019
61020 /* in processor_thermal.c */
61021 int acpi_processor_get_limit_info(struct acpi_processor *pr);
61022 -extern struct thermal_cooling_device_ops processor_cooling_ops;
61023 +extern const struct thermal_cooling_device_ops processor_cooling_ops;
61024 #ifdef CONFIG_CPU_FREQ
61025 void acpi_thermal_cpufreq_init(void);
61026 void acpi_thermal_cpufreq_exit(void);
61027 diff -urNp linux-2.6.39.1/include/asm-generic/atomic-long.h linux-2.6.39.1/include/asm-generic/atomic-long.h
61028 --- linux-2.6.39.1/include/asm-generic/atomic-long.h 2011-05-19 00:06:34.000000000 -0400
61029 +++ linux-2.6.39.1/include/asm-generic/atomic-long.h 2011-05-22 19:36:32.000000000 -0400
61030 @@ -22,6 +22,12 @@
61031
61032 typedef atomic64_t atomic_long_t;
61033
61034 +#ifdef CONFIG_PAX_REFCOUNT
61035 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
61036 +#else
61037 +typedef atomic64_t atomic_long_unchecked_t;
61038 +#endif
61039 +
61040 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61041
61042 static inline long atomic_long_read(atomic_long_t *l)
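Review bot: The new `atomic_long_unchecked_t` typedef has no comment saying what "unchecked" opts out of, and choosing it over `atomic_long_t` is a security decision. Judging by the `CONFIG_PAX_REFCOUNT` guard it presumably exempts the counter from overflow detection, so it belongs on statistics-style counters whose wrap-around is harmless and never on object reference counts. I would add above the `#ifdef` a line such as `/* *_unchecked_t: counter is allowed to wrap; never use for reference counts */`. The same applies to the 32-bit typedef added in the `@@ -140,6 +209,12 @@` hunk.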
61043 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61044 return (long)atomic64_read(v);
61045 }
61046
61047 +#ifdef CONFIG_PAX_REFCOUNT
61048 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61049 +{
61050 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61051 +
61052 + return (long)atomic64_read_unchecked(v);
61053 +}
61054 +#endif
61055 +
61056 static inline void atomic_long_set(atomic_long_t *l, long i)
61057 {
61058 atomic64_t *v = (atomic64_t *)l;
61059 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61060 atomic64_set(v, i);
61061 }
61062
61063 +#ifdef CONFIG_PAX_REFCOUNT
61064 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61065 +{
61066 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61067 +
61068 + atomic64_set_unchecked(v, i);
61069 +}
61070 +#endif
61071 +
61072 static inline void atomic_long_inc(atomic_long_t *l)
61073 {
61074 atomic64_t *v = (atomic64_t *)l;
61075 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61076 atomic64_inc(v);
61077 }
61078
61079 +#ifdef CONFIG_PAX_REFCOUNT
61080 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61081 +{
61082 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61083 +
61084 + atomic64_inc_unchecked(v);
61085 +}
61086 +#endif
61087 +
61088 static inline void atomic_long_dec(atomic_long_t *l)
61089 {
61090 atomic64_t *v = (atomic64_t *)l;
61091 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61092 atomic64_dec(v);
61093 }
61094
61095 +#ifdef CONFIG_PAX_REFCOUNT
61096 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61097 +{
61098 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61099 +
61100 + atomic64_dec_unchecked(v);
61101 +}
61102 +#endif
61103 +
61104 static inline void atomic_long_add(long i, atomic_long_t *l)
61105 {
61106 atomic64_t *v = (atomic64_t *)l;
61107 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61108 atomic64_add(i, v);
61109 }
61110
61111 +#ifdef CONFIG_PAX_REFCOUNT
61112 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61113 +{
61114 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61115 +
61116 + atomic64_add_unchecked(i, v);
61117 +}
61118 +#endif
61119 +
61120 static inline void atomic_long_sub(long i, atomic_long_t *l)
61121 {
61122 atomic64_t *v = (atomic64_t *)l;
61123 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
61124 atomic64_sub(i, v);
61125 }
61126
61127 +#ifdef CONFIG_PAX_REFCOUNT
61128 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61129 +{
61130 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61131 +
61132 + atomic64_sub_unchecked(i, v);
61133 +}
61134 +#endif
61135 +
61136 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61137 {
61138 atomic64_t *v = (atomic64_t *)l;
61139 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
61140 return (long)atomic64_inc_return(v);
61141 }
61142
61143 +#ifdef CONFIG_PAX_REFCOUNT
61144 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61145 +{
61146 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61147 +
61148 + return (long)atomic64_inc_return_unchecked(v);
61149 +}
61150 +#endif
61151 +
61152 static inline long atomic_long_dec_return(atomic_long_t *l)
61153 {
61154 atomic64_t *v = (atomic64_t *)l;
61155 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
61156
61157 typedef atomic_t atomic_long_t;
61158
61159 +#ifdef CONFIG_PAX_REFCOUNT
61160 +typedef atomic_unchecked_t atomic_long_unchecked_t;
61161 +#else
61162 +typedef atomic_t atomic_long_unchecked_t;
61163 +#endif
61164 +
61165 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61166 static inline long atomic_long_read(atomic_long_t *l)
61167 {
61168 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
61169 return (long)atomic_read(v);
61170 }
61171
61172 +#ifdef CONFIG_PAX_REFCOUNT
61173 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61174 +{
61175 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61176 +
61177 + return (long)atomic_read_unchecked(v);
61178 +}
61179 +#endif
61180 +
61181 static inline void atomic_long_set(atomic_long_t *l, long i)
61182 {
61183 atomic_t *v = (atomic_t *)l;
61184 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
61185 atomic_set(v, i);
61186 }
61187
61188 +#ifdef CONFIG_PAX_REFCOUNT
61189 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61190 +{
61191 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61192 +
61193 + atomic_set_unchecked(v, i);
61194 +}
61195 +#endif
61196 +
61197 static inline void atomic_long_inc(atomic_long_t *l)
61198 {
61199 atomic_t *v = (atomic_t *)l;
61200 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
61201 atomic_inc(v);
61202 }
61203
61204 +#ifdef CONFIG_PAX_REFCOUNT
61205 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61206 +{
61207 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61208 +
61209 + atomic_inc_unchecked(v);
61210 +}
61211 +#endif
61212 +
61213 static inline void atomic_long_dec(atomic_long_t *l)
61214 {
61215 atomic_t *v = (atomic_t *)l;
61216 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
61217 atomic_dec(v);
61218 }
61219
61220 +#ifdef CONFIG_PAX_REFCOUNT
61221 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61222 +{
61223 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61224 +
61225 + atomic_dec_unchecked(v);
61226 +}
61227 +#endif
61228 +
61229 static inline void atomic_long_add(long i, atomic_long_t *l)
61230 {
61231 atomic_t *v = (atomic_t *)l;
61232 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
61233 atomic_add(i, v);
61234 }
61235
61236 +#ifdef CONFIG_PAX_REFCOUNT
61237 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61238 +{
61239 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61240 +
61241 + atomic_add_unchecked(i, v);
61242 +}
61243 +#endif
61244 +
61245 static inline void atomic_long_sub(long i, atomic_long_t *l)
61246 {
61247 atomic_t *v = (atomic_t *)l;
61248 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
61249 atomic_sub(i, v);
61250 }
61251
61252 +#ifdef CONFIG_PAX_REFCOUNT
61253 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61254 +{
61255 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61256 +
61257 + atomic_sub_unchecked(i, v);
61258 +}
61259 +#endif
61260 +
61261 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61262 {
61263 atomic_t *v = (atomic_t *)l;
61264 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
61265 return (long)atomic_inc_return(v);
61266 }
61267
61268 +#ifdef CONFIG_PAX_REFCOUNT
61269 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61270 +{
61271 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61272 +
61273 + return (long)atomic_inc_return_unchecked(v);
61274 +}
61275 +#endif
61276 +
61277 static inline long atomic_long_dec_return(atomic_long_t *l)
61278 {
61279 atomic_t *v = (atomic_t *)l;
61280 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
61281
61282 #endif /* BITS_PER_LONG == 64 */
61283
61284 +#ifdef CONFIG_PAX_REFCOUNT
61285 +static inline void pax_refcount_needs_these_functions(void)
61286 +{
61287 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
61288 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61289 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61290 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61291 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61292 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61293 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61294 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61295 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61296 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61297 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61298 +
61299 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61300 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61301 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61302 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
61303 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61304 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61305 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61306 +}
61307 +#else
61308 +#define atomic_read_unchecked(v) atomic_read(v)
61309 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61310 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61311 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61312 +#define atomic_inc_unchecked(v) atomic_inc(v)
61313 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61314 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61315 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61316 +#define atomic_dec_unchecked(v) atomic_dec(v)
61317 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61318 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61319 +
61320 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
61321 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61322 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61323 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
61324 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61325 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61326 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61327 +#endif
61328 +
61329 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
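Review bot: `pax_refcount_needs_these_functions()` passes `NULL` to every `*_unchecked` accessor and has no comment, so nothing marks it as code that must never run. It looks like a build-time presence check: an architecture that enables `CONFIG_PAX_REFCOUNT` without providing one of these primitives fails to compile, whereas executing the body would dereference NULL. A comment such as `/* never called: forces a build error if an arch lacks an _unchecked primitive */` above the function would make that explicit. The `#else` branch would benefit from a one-line note too, saying that without the option the `_unchecked` names are plain aliases of the ordinary operations.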
61330 diff -urNp linux-2.6.39.1/include/asm-generic/cache.h linux-2.6.39.1/include/asm-generic/cache.h
61331 --- linux-2.6.39.1/include/asm-generic/cache.h 2011-05-19 00:06:34.000000000 -0400
61332 +++ linux-2.6.39.1/include/asm-generic/cache.h 2011-05-22 19:36:32.000000000 -0400
61333 @@ -6,7 +6,7 @@
61334 * cache lines need to provide their own cache.h.
61335 */
61336
61337 -#define L1_CACHE_SHIFT 5
61338 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61339 +#define L1_CACHE_SHIFT 5U
61340 +#define L1_CACHE_BYTES (1U << L1_CACHE_SHIFT)
61341
61342 #endif /* __ASM_GENERIC_CACHE_H */
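Review bot: Making `L1_CACHE_BYTES` an `unsigned int` changes how masks derived from it widen. `~(L1_CACHE_BYTES - 1)` is now a 32-bit unsigned value that zero-extends, so an open-coded `addr & ~(L1_CACHE_BYTES - 1)` on a 64-bit `unsigned long` would clear the upper 32 bits, where the old signed form sign-extended. The users of the macro are outside this hunk, so whether such a mask exists has to be checked. Defining it at `unsigned long` width, `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, as the patch does for `PMD_SIZE`, avoids the truncation.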
61343 diff -urNp linux-2.6.39.1/include/asm-generic/dma-mapping-common.h linux-2.6.39.1/include/asm-generic/dma-mapping-common.h
61344 --- linux-2.6.39.1/include/asm-generic/dma-mapping-common.h 2011-05-19 00:06:34.000000000 -0400
61345 +++ linux-2.6.39.1/include/asm-generic/dma-mapping-common.h 2011-05-22 19:36:32.000000000 -0400
61346 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61347 enum dma_data_direction dir,
61348 struct dma_attrs *attrs)
61349 {
61350 - struct dma_map_ops *ops = get_dma_ops(dev);
61351 + const struct dma_map_ops *ops = get_dma_ops(dev);
61352 dma_addr_t addr;
61353
61354 kmemcheck_mark_initialized(ptr, size);
61355 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61356 enum dma_data_direction dir,
61357 struct dma_attrs *attrs)
61358 {
61359 - struct dma_map_ops *ops = get_dma_ops(dev);
61360 + const struct dma_map_ops *ops = get_dma_ops(dev);
61361
61362 BUG_ON(!valid_dma_direction(dir));
61363 if (ops->unmap_page)
61364 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61365 int nents, enum dma_data_direction dir,
61366 struct dma_attrs *attrs)
61367 {
61368 - struct dma_map_ops *ops = get_dma_ops(dev);
61369 + const struct dma_map_ops *ops = get_dma_ops(dev);
61370 int i, ents;
61371 struct scatterlist *s;
61372
61373 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61374 int nents, enum dma_data_direction dir,
61375 struct dma_attrs *attrs)
61376 {
61377 - struct dma_map_ops *ops = get_dma_ops(dev);
61378 + const struct dma_map_ops *ops = get_dma_ops(dev);
61379
61380 BUG_ON(!valid_dma_direction(dir));
61381 debug_dma_unmap_sg(dev, sg, nents, dir);
61382 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61383 size_t offset, size_t size,
61384 enum dma_data_direction dir)
61385 {
61386 - struct dma_map_ops *ops = get_dma_ops(dev);
61387 + const struct dma_map_ops *ops = get_dma_ops(dev);
61388 dma_addr_t addr;
61389
61390 kmemcheck_mark_initialized(page_address(page) + offset, size);
61391 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61392 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61393 size_t size, enum dma_data_direction dir)
61394 {
61395 - struct dma_map_ops *ops = get_dma_ops(dev);
61396 + const struct dma_map_ops *ops = get_dma_ops(dev);
61397
61398 BUG_ON(!valid_dma_direction(dir));
61399 if (ops->unmap_page)
61400 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61401 size_t size,
61402 enum dma_data_direction dir)
61403 {
61404 - struct dma_map_ops *ops = get_dma_ops(dev);
61405 + const struct dma_map_ops *ops = get_dma_ops(dev);
61406
61407 BUG_ON(!valid_dma_direction(dir));
61408 if (ops->sync_single_for_cpu)
61409 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61410 dma_addr_t addr, size_t size,
61411 enum dma_data_direction dir)
61412 {
61413 - struct dma_map_ops *ops = get_dma_ops(dev);
61414 + const struct dma_map_ops *ops = get_dma_ops(dev);
61415
61416 BUG_ON(!valid_dma_direction(dir));
61417 if (ops->sync_single_for_device)
61418 @@ -139,7 +139,7 @@ static inline void
61419 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61420 int nelems, enum dma_data_direction dir)
61421 {
61422 - struct dma_map_ops *ops = get_dma_ops(dev);
61423 + const struct dma_map_ops *ops = get_dma_ops(dev);
61424
61425 BUG_ON(!valid_dma_direction(dir));
61426 if (ops->sync_sg_for_cpu)
61427 @@ -151,7 +151,7 @@ static inline void
61428 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61429 int nelems, enum dma_data_direction dir)
61430 {
61431 - struct dma_map_ops *ops = get_dma_ops(dev);
61432 + const struct dma_map_ops *ops = get_dma_ops(dev);
61433
61434 BUG_ON(!valid_dma_direction(dir));
61435 if (ops->sync_sg_for_device)
61436 diff -urNp linux-2.6.39.1/include/asm-generic/int-l64.h linux-2.6.39.1/include/asm-generic/int-l64.h
61437 --- linux-2.6.39.1/include/asm-generic/int-l64.h 2011-05-19 00:06:34.000000000 -0400
61438 +++ linux-2.6.39.1/include/asm-generic/int-l64.h 2011-05-22 19:36:32.000000000 -0400
61439 @@ -46,6 +46,8 @@ typedef unsigned int u32;
61440 typedef signed long s64;
61441 typedef unsigned long u64;
61442
61443 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61444 +
61445 #define S8_C(x) x
61446 #define U8_C(x) x ## U
61447 #define S16_C(x) x
61448 diff -urNp linux-2.6.39.1/include/asm-generic/int-ll64.h linux-2.6.39.1/include/asm-generic/int-ll64.h
61449 --- linux-2.6.39.1/include/asm-generic/int-ll64.h 2011-05-19 00:06:34.000000000 -0400
61450 +++ linux-2.6.39.1/include/asm-generic/int-ll64.h 2011-05-22 19:36:32.000000000 -0400
61451 @@ -51,6 +51,8 @@ typedef unsigned int u32;
61452 typedef signed long long s64;
61453 typedef unsigned long long u64;
61454
61455 +typedef unsigned long long intoverflow_t;
61456 +
61457 #define S8_C(x) x
61458 #define U8_C(x) x ## U
61459 #define S16_C(x) x
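Review bot: `intoverflow_t` is `unsigned long long` here, which is wider than `unsigned long` only on 32-bit builds. If a 64-bit architecture takes its kernel types from int-ll64.h, the type is no wider than `size_t`, and a check that widens a size and compares it with `ULONG_MAX` can never fire. The users of the type are outside this hunk, so the intended use is inferred from the name and from the 128-bit `mode(TI)` definition added to int-l64.h. Both typedefs should carry a comment stating the required width, and a `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long))` at a use site would catch a mismatch at build time.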
61460 diff -urNp linux-2.6.39.1/include/asm-generic/kmap_types.h linux-2.6.39.1/include/asm-generic/kmap_types.h
61461 --- linux-2.6.39.1/include/asm-generic/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
61462 +++ linux-2.6.39.1/include/asm-generic/kmap_types.h 2011-05-22 19:36:32.000000000 -0400
61463 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
61464 KMAP_D(17) KM_NMI,
61465 KMAP_D(18) KM_NMI_PTE,
61466 KMAP_D(19) KM_KDB,
61467 +KMAP_D(20) KM_CLEARPAGE,
61468 /*
61469 * Remember to update debug_kmap_atomic() when adding new kmap types!
61470 */
61471 -KMAP_D(20) KM_TYPE_NR
61472 +KMAP_D(21) KM_TYPE_NR
61473 };
61474
61475 #undef KMAP_D
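Review bot: The comment kept in this hunk says to update `debug_kmap_atomic()` whenever a kmap type is added, and `KM_CLEARPAGE` is added here as slot 20. Whether the patch also updates `debug_kmap_atomic()` is not visible from this hunk and should be confirmed. A short comment on the new entry naming its user and the context it may be taken from would also help, since the neighbouring slots are tied to specific contexts (IRQ, NMI, KDB).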
61476 diff -urNp linux-2.6.39.1/include/asm-generic/pgtable.h linux-2.6.39.1/include/asm-generic/pgtable.h
61477 --- linux-2.6.39.1/include/asm-generic/pgtable.h 2011-05-19 00:06:34.000000000 -0400
61478 +++ linux-2.6.39.1/include/asm-generic/pgtable.h 2011-05-22 19:36:32.000000000 -0400
61479 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
61480 #endif /* __HAVE_ARCH_PMD_WRITE */
61481 #endif
61482
61483 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61484 +static inline unsigned long pax_open_kernel(void) { return 0; }
61485 +#endif
61486 +
61487 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61488 +static inline unsigned long pax_close_kernel(void) { return 0; }
61489 +#endif
61490 +
61491 #endif /* !__ASSEMBLY__ */
61492
61493 #endif /* _ASM_GENERIC_PGTABLE_H */
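Review bot: The fallback `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 and do nothing, and neither has a comment describing the contract. On an architecture that defines neither `__HAVE_ARCH_PAX_*` macro, a reader cannot tell what the returned `unsigned long` means or that the pair presumably brackets writes to otherwise write-protected kernel data. I would add above the first stub `/* no-op fallback for architectures without write-protected kernel data; calls must be paired */`, with the wording confirmed against an architecture implementation.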
61494 diff -urNp linux-2.6.39.1/include/asm-generic/pgtable-nopmd.h linux-2.6.39.1/include/asm-generic/pgtable-nopmd.h
61495 --- linux-2.6.39.1/include/asm-generic/pgtable-nopmd.h 2011-05-19 00:06:34.000000000 -0400
61496 +++ linux-2.6.39.1/include/asm-generic/pgtable-nopmd.h 2011-05-22 19:36:32.000000000 -0400
61497 @@ -1,14 +1,19 @@
61498 #ifndef _PGTABLE_NOPMD_H
61499 #define _PGTABLE_NOPMD_H
61500
61501 -#ifndef __ASSEMBLY__
61502 -
61503 #include <asm-generic/pgtable-nopud.h>
61504
61505 -struct mm_struct;
61506 -
61507 #define __PAGETABLE_PMD_FOLDED
61508
61509 +#define PMD_SHIFT PUD_SHIFT
61510 +#define PTRS_PER_PMD 1
61511 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61512 +#define PMD_MASK (~(PMD_SIZE-1))
61513 +
61514 +#ifndef __ASSEMBLY__
61515 +
61516 +struct mm_struct;
61517 +
61518 /*
61519 * Having the pmd type consist of a pud gets the size right, and allows
61520 * us to conceptually access the pud entry that this pmd is folded into
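Review bot: `PMD_SIZE` now expands `_AC(1,UL)`, but the hunk adds no include that defines `_AC`. The only include is `<asm-generic/pgtable-nopud.h>`, whose first hunk makes the same change to `PUD_SIZE` and also adds none. Both headers therefore depend on every includer, C or assembly, having pulled in `<linux/const.h>` beforehand. Adding `#include <linux/const.h>` at the top of pgtable-nopud.h would make them self-contained now that the constants are visible under `__ASSEMBLY__`.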
61521 @@ -16,11 +21,6 @@ struct mm_struct;
61522 */
61523 typedef struct { pud_t pud; } pmd_t;
61524
61525 -#define PMD_SHIFT PUD_SHIFT
61526 -#define PTRS_PER_PMD 1
61527 -#define PMD_SIZE (1UL << PMD_SHIFT)
61528 -#define PMD_MASK (~(PMD_SIZE-1))
61529 -
61530 /*
61531 * The "pud_xxx()" functions here are trivial for a folded two-level
61532 * setup: the pmd is never bad, and a pmd always exists (as it's folded
61533 diff -urNp linux-2.6.39.1/include/asm-generic/pgtable-nopud.h linux-2.6.39.1/include/asm-generic/pgtable-nopud.h
61534 --- linux-2.6.39.1/include/asm-generic/pgtable-nopud.h 2011-05-19 00:06:34.000000000 -0400
61535 +++ linux-2.6.39.1/include/asm-generic/pgtable-nopud.h 2011-05-22 19:36:32.000000000 -0400
61536 @@ -1,10 +1,15 @@
61537 #ifndef _PGTABLE_NOPUD_H
61538 #define _PGTABLE_NOPUD_H
61539
61540 -#ifndef __ASSEMBLY__
61541 -
61542 #define __PAGETABLE_PUD_FOLDED
61543
61544 +#define PUD_SHIFT PGDIR_SHIFT
61545 +#define PTRS_PER_PUD 1
61546 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61547 +#define PUD_MASK (~(PUD_SIZE-1))
61548 +
61549 +#ifndef __ASSEMBLY__
61550 +
61551 /*
61552 * Having the pud type consist of a pgd gets the size right, and allows
61553 * us to conceptually access the pgd entry that this pud is folded into
61554 @@ -12,11 +17,6 @@
61555 */
61556 typedef struct { pgd_t pgd; } pud_t;
61557
61558 -#define PUD_SHIFT PGDIR_SHIFT
61559 -#define PTRS_PER_PUD 1
61560 -#define PUD_SIZE (1UL << PUD_SHIFT)
61561 -#define PUD_MASK (~(PUD_SIZE-1))
61562 -
61563 /*
61564 * The "pgd_xxx()" functions here are trivial for a folded two-level
61565 * setup: the pud is never bad, and a pud always exists (as it's folded
61566 diff -urNp linux-2.6.39.1/include/asm-generic/vmlinux.lds.h linux-2.6.39.1/include/asm-generic/vmlinux.lds.h
61567 --- linux-2.6.39.1/include/asm-generic/vmlinux.lds.h 2011-05-19 00:06:34.000000000 -0400
61568 +++ linux-2.6.39.1/include/asm-generic/vmlinux.lds.h 2011-05-22 19:36:32.000000000 -0400
61569 @@ -213,6 +213,7 @@
61570 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61571 VMLINUX_SYMBOL(__start_rodata) = .; \
61572 *(.rodata) *(.rodata.*) \
61573 + *(.data..read_only) \
61574 *(__vermagic) /* Kernel version magic */ \
61575 . = ALIGN(8); \
61576 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
61577 @@ -707,14 +708,15 @@
61578 * section in the linker script will go there too. @phdr should have
61579 * a leading colon.
61580 *
61581 - * Note that this macros defines __per_cpu_load as an absolute symbol.
61582 + * Note that this macros defines per_cpu_load as an absolute symbol.
61583 * If there is no need to put the percpu section at a predetermined
61584 * address, use PERCPU().
61585 */
61586 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
61587 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
61588 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
61589 + per_cpu_load = .; \
61590 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
61591 - LOAD_OFFSET) { \
61592 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
61593 VMLINUX_SYMBOL(__per_cpu_start) = .; \
61594 *(.data..percpu..first) \
61595 . = ALIGN(PAGE_SIZE); \
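Review bot: `per_cpu_load = .;` is assigned as a bare name, while the `AT(...)` expression on the next line and the location assignment in the following hunk read it back as `VMLINUX_SYMBOL(per_cpu_load)`. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, the definition and its two references would name different symbols. Either wrap the assignment, `VMLINUX_SYMBOL(per_cpu_load) = .;`, or drop the wrapper from both uses. The reworded comment now says the macro defines `per_cpu_load`, but `__per_cpu_load` is still defined inside the section as `. + per_cpu_load`; the comment should name both symbols and say why the second is computed as a sum.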
61596 @@ -726,7 +728,7 @@
61597 *(.data..percpu..shared_aligned) \
61598 VMLINUX_SYMBOL(__per_cpu_end) = .; \
61599 } phdr \
61600 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
61601 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
61602
61603 /**
61604 * PERCPU - define output section for percpu area, simple version
61605 diff -urNp linux-2.6.39.1/include/drm/drmP.h linux-2.6.39.1/include/drm/drmP.h
61606 --- linux-2.6.39.1/include/drm/drmP.h 2011-05-19 00:06:34.000000000 -0400
61607 +++ linux-2.6.39.1/include/drm/drmP.h 2011-05-22 19:41:42.000000000 -0400
61608 @@ -73,6 +73,7 @@
61609 #include <linux/workqueue.h>
61610 #include <linux/poll.h>
61611 #include <asm/pgalloc.h>
61612 +#include <asm/local.h>
61613 #include "drm.h"
61614
61615 #include <linux/idr.h>
61616 @@ -908,7 +909,7 @@ struct drm_driver {
61617 uint32_t handle);
61618
61619 /* Driver private ops for this object */
61620 - struct vm_operations_struct *gem_vm_ops;
61621 + const struct vm_operations_struct *gem_vm_ops;
61622
61623 int major;
61624 int minor;
61625 @@ -1023,7 +1024,7 @@ struct drm_device {
61626
61627 /** \name Usage Counters */
61628 /*@{ */
61629 - int open_count; /**< Outstanding files open */
61630 + local_t open_count; /**< Outstanding files open */
61631 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
61632 atomic_t vma_count; /**< Outstanding vma areas open */
61633 int buf_use; /**< Buffers in use -- cannot alloc */
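Review bot: `open_count` becomes a `local_t`, whose operations are only guaranteed atomic with respect to the CPU they run on. A device-wide open counter can be updated from any CPU, so this is safe only if every access is serialized by a lock, and that locking is not visible in this hunk. If serialization is not guaranteed, `atomic_t` is the type with cross-CPU semantics. Either way the field comment should name the lock, e.g. `/**< Outstanding files open, protected by <lock> */`.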
61634 @@ -1034,7 +1035,7 @@ struct drm_device {
61635 /*@{ */
61636 unsigned long counters;
61637 enum drm_stat_type types[15];
61638 - atomic_t counts[15];
61639 + atomic_unchecked_t counts[15];
61640 /*@} */
61641
61642 struct list_head filelist;
61643 diff -urNp linux-2.6.39.1/include/linux/a.out.h linux-2.6.39.1/include/linux/a.out.h
61644 --- linux-2.6.39.1/include/linux/a.out.h 2011-05-19 00:06:34.000000000 -0400
61645 +++ linux-2.6.39.1/include/linux/a.out.h 2011-05-22 19:36:32.000000000 -0400
61646 @@ -39,6 +39,14 @@ enum machine_type {
61647 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
61648 };
61649
61650 +/* Constants for the N_FLAGS field */
61651 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
61652 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
61653 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
61654 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
61655 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
61656 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
61657 +
61658 #if !defined (N_MAGIC)
61659 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
61660 #endif
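Review bot: Value 16 is left as a commented-out `F_PAX_RANDEXEC` define, so it is unclear whether the bit is retired or free for reuse. Saying so in words, `/* 16: formerly F_PAX_RANDEXEC, reserved */`, is safer than dead code; that the bit is meant to stay reserved is my assumption and needs confirming. The block comment could also say which tool sets these bits in `N_FLAGS`, since nothing in the hunk shows where they are written.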
61661 diff -urNp linux-2.6.39.1/include/linux/atmdev.h linux-2.6.39.1/include/linux/atmdev.h
61662 --- linux-2.6.39.1/include/linux/atmdev.h 2011-05-19 00:06:34.000000000 -0400
61663 +++ linux-2.6.39.1/include/linux/atmdev.h 2011-05-22 19:36:32.000000000 -0400
61664 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
61665 #endif
61666
61667 struct k_atm_aal_stats {
61668 -#define __HANDLE_ITEM(i) atomic_t i
61669 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
61670 __AAL_STAT_ITEMS
61671 #undef __HANDLE_ITEM
61672 };
61673 diff -urNp linux-2.6.39.1/include/linux/binfmts.h linux-2.6.39.1/include/linux/binfmts.h
61674 --- linux-2.6.39.1/include/linux/binfmts.h 2011-05-19 00:06:34.000000000 -0400
61675 +++ linux-2.6.39.1/include/linux/binfmts.h 2011-05-22 19:36:32.000000000 -0400
61676 @@ -92,6 +92,7 @@ struct linux_binfmt {
61677 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
61678 int (*load_shlib)(struct file *);
61679 int (*core_dump)(struct coredump_params *cprm);
61680 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
61681 unsigned long min_coredump; /* minimal dump size */
61682 };
61683
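Review bot: `handle_mprotect` is added to `struct linux_binfmt` without a comment, and any binary format that does not set it leaves the pointer NULL. The call sites are outside this hunk; each needs a NULL check before the indirect call, along the lines of `if (fmt->handle_mprotect) fmt->handle_mprotect(vma, newflags);`. A comment on the member, `/* optional; called when a mapping's protection flags change */`, would make the contract visible, with the wording confirmed against the caller.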
61684 diff -urNp linux-2.6.39.1/include/linux/blkdev.h linux-2.6.39.1/include/linux/blkdev.h
61685 --- linux-2.6.39.1/include/linux/blkdev.h 2011-06-03 00:04:14.000000000 -0400
61686 +++ linux-2.6.39.1/include/linux/blkdev.h 2011-06-03 00:32:08.000000000 -0400
61687 @@ -1292,22 +1292,22 @@ queue_max_integrity_segments(struct requ
61688 #endif /* CONFIG_BLK_DEV_INTEGRITY */
61689
61690 struct block_device_operations {
61691 - int (*open) (struct block_device *, fmode_t);
61692 - int (*release) (struct gendisk *, fmode_t);
61693 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61694 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61695 - int (*direct_access) (struct block_device *, sector_t,
61696 + int (* const open) (struct block_device *, fmode_t);
61697 + int (* const release) (struct gendisk *, fmode_t);
61698 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61699 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61700 + int (* const direct_access) (struct block_device *, sector_t,
61701 void **, unsigned long *);
61702 - unsigned int (*check_events) (struct gendisk *disk,
61703 + unsigned int (* const check_events) (struct gendisk *disk,
61704 unsigned int clearing);
61705 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
61706 - int (*media_changed) (struct gendisk *);
61707 - void (*unlock_native_capacity) (struct gendisk *);
61708 - int (*revalidate_disk) (struct gendisk *);
61709 - int (*getgeo)(struct block_device *, struct hd_geometry *);
61710 + int (* const media_changed) (struct gendisk *);
61711 + void (* const unlock_native_capacity) (struct gendisk *);
61712 + int (* const revalidate_disk) (struct gendisk *);
61713 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
61714 /* this callback is with swap_lock and sometimes page table lock held */
61715 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
61716 - struct module *owner;
61717 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
61718 + struct module * const owner;
61719 };
61720
61721 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
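Review bot: Qualifying every member as `const`, rather than declaring the instances `const`, means a `struct block_device_operations` can no longer be assigned or filled in after its initializer, including a copy made to override a single callback. Drivers outside this hunk that build the table at run time will stop compiling. That is presumably the intent, but it deserves a comment above the struct, e.g. `/* members are const: every instance must be fully initialized at definition */`.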
61722 diff -urNp linux-2.6.39.1/include/linux/blktrace_api.h linux-2.6.39.1/include/linux/blktrace_api.h
61723 --- linux-2.6.39.1/include/linux/blktrace_api.h 2011-05-19 00:06:34.000000000 -0400
61724 +++ linux-2.6.39.1/include/linux/blktrace_api.h 2011-05-22 19:36:32.000000000 -0400
61725 @@ -161,7 +161,7 @@ struct blk_trace {
61726 struct dentry *dir;
61727 struct dentry *dropped_file;
61728 struct dentry *msg_file;
61729 - atomic_t dropped;
61730 + atomic_unchecked_t dropped;
61731 };
61732
61733 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
61734 diff -urNp linux-2.6.39.1/include/linux/byteorder/little_endian.h linux-2.6.39.1/include/linux/byteorder/little_endian.h
61735 --- linux-2.6.39.1/include/linux/byteorder/little_endian.h 2011-05-19 00:06:34.000000000 -0400
61736 +++ linux-2.6.39.1/include/linux/byteorder/little_endian.h 2011-05-22 19:36:32.000000000 -0400
61737 @@ -42,51 +42,51 @@
61738
61739 static inline __le64 __cpu_to_le64p(const __u64 *p)
61740 {
61741 - return (__force __le64)*p;
61742 + return (__force const __le64)*p;
61743 }
61744 static inline __u64 __le64_to_cpup(const __le64 *p)
61745 {
61746 - return (__force __u64)*p;
61747 + return (__force const __u64)*p;
61748 }
61749 static inline __le32 __cpu_to_le32p(const __u32 *p)
61750 {
61751 - return (__force __le32)*p;
61752 + return (__force const __le32)*p;
61753 }
61754 static inline __u32 __le32_to_cpup(const __le32 *p)
61755 {
61756 - return (__force __u32)*p;
61757 + return (__force const __u32)*p;
61758 }
61759 static inline __le16 __cpu_to_le16p(const __u16 *p)
61760 {
61761 - return (__force __le16)*p;
61762 + return (__force const __le16)*p;
61763 }
61764 static inline __u16 __le16_to_cpup(const __le16 *p)
61765 {
61766 - return (__force __u16)*p;
61767 + return (__force const __u16)*p;
61768 }
61769 static inline __be64 __cpu_to_be64p(const __u64 *p)
61770 {
61771 - return (__force __be64)__swab64p(p);
61772 + return (__force const __be64)__swab64p(p);
61773 }
61774 static inline __u64 __be64_to_cpup(const __be64 *p)
61775 {
61776 - return __swab64p((__u64 *)p);
61777 + return __swab64p((const __u64 *)p);
61778 }
61779 static inline __be32 __cpu_to_be32p(const __u32 *p)
61780 {
61781 - return (__force __be32)__swab32p(p);
61782 + return (__force const __be32)__swab32p(p);
61783 }
61784 static inline __u32 __be32_to_cpup(const __be32 *p)
61785 {
61786 - return __swab32p((__u32 *)p);
61787 + return __swab32p((const __u32 *)p);
61788 }
61789 static inline __be16 __cpu_to_be16p(const __u16 *p)
61790 {
61791 - return (__force __be16)__swab16p(p);
61792 + return (__force const __be16)__swab16p(p);
61793 }
61794 static inline __u16 __be16_to_cpup(const __be16 *p)
61795 {
61796 - return __swab16p((__u16 *)p);
61797 + return __swab16p((const __u16 *)p);
61798 }
61799 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
61800 #define __le64_to_cpus(x) do { (void)(x); } while (0)
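Review bot: The `const` added to the value casts, for example `(__force const __le64)*p`, has no effect, because a cast yields an rvalue and qualifiers on the cast type are discarded. Only the three pointer casts in `__be64_to_cpup()`, `__be32_to_cpup()` and `__be16_to_cpup()` change anything: `(const __u64 *)p` and its siblings no longer strip `const` from the argument. I would keep those three and leave the value casts as `(__force __le64)*p`, which keeps the diff against upstream smaller.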
61801 diff -urNp linux-2.6.39.1/include/linux/cache.h linux-2.6.39.1/include/linux/cache.h
61802 --- linux-2.6.39.1/include/linux/cache.h 2011-05-19 00:06:34.000000000 -0400
61803 +++ linux-2.6.39.1/include/linux/cache.h 2011-05-22 19:36:32.000000000 -0400
61804 @@ -16,6 +16,10 @@
61805 #define __read_mostly
61806 #endif
61807
61808 +#ifndef __read_only
61809 +#define __read_only __read_mostly
61810 +#endif
61811 +
61812 #ifndef ____cacheline_aligned
61813 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
61814 #endif
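Review bot: The fallback `#define __read_only __read_mostly` silently downgrades the annotation. On an architecture that does not supply its own `__read_only`, data tagged with it stays writable and only gains a placement hint. Anyone auditing which objects are write-protected needs to know that, so I would add `/* fallback: placement hint only, no write protection on this architecture */` above the define.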
61815 diff -urNp linux-2.6.39.1/include/linux/capability.h linux-2.6.39.1/include/linux/capability.h
61816 --- linux-2.6.39.1/include/linux/capability.h 2011-05-19 00:06:34.000000000 -0400
61817 +++ linux-2.6.39.1/include/linux/capability.h 2011-05-22 21:02:47.000000000 -0400
61818 @@ -547,6 +547,9 @@ extern bool capable(int cap);
61819 extern bool ns_capable(struct user_namespace *ns, int cap);
61820 extern bool task_ns_capable(struct task_struct *t, int cap);
61821 extern bool nsown_capable(int cap);
61822 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
61823 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
61824 +extern bool capable_nolog(int cap);
61825
61826 /* audit system wants to get cap info from files as well */
61827 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
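Review bot: The three `*_nolog` declarations are added without a comment saying how they differ from `capable()`, `ns_capable()` and `task_ns_capable()`. The suffix suggests the check is made without producing a log record. If so, every use hides a capability decision from whoever reviews those logs, and the header should say when that is acceptable. Suggested comment: `/* same checks as above but no log entry is generated; for probing checks only */`, to be confirmed against the definitions, which are outside this hunk.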
61828 diff -urNp linux-2.6.39.1/include/linux/compiler-gcc4.h linux-2.6.39.1/include/linux/compiler-gcc4.h
61829 --- linux-2.6.39.1/include/linux/compiler-gcc4.h 2011-05-19 00:06:34.000000000 -0400
61830 +++ linux-2.6.39.1/include/linux/compiler-gcc4.h 2011-05-22 19:36:32.000000000 -0400
61831 @@ -46,6 +46,11 @@
61832 #define __noclone __attribute__((__noclone__))
61833
61834 #endif
61835 +
61836 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
61837 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
61838 +#define __bos0(ptr) __bos((ptr), 0)
61839 +#define __bos1(ptr) __bos((ptr), 1)
61840 #endif
61841
61842 #if __GNUC_MINOR__ > 0
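Review bot: `__alloc_size` is spelled `__attribute((alloc_size(...)))`, while the neighbouring `__noclone` line uses the reserved spellings `__attribute__((__noclone__))`. The unreserved attribute name can be clobbered by any `alloc_size` macro in an including file; `#define __alloc_size(...) __attribute__((__alloc_size__(__VA_ARGS__)))` avoids that and matches the rest of the file. The enclosing `#if` that decides which GCC minor versions see these macros opens outside the hunk, so check that it admits only compilers that know the attribute.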
61843 diff -urNp linux-2.6.39.1/include/linux/compiler.h linux-2.6.39.1/include/linux/compiler.h
61844 --- linux-2.6.39.1/include/linux/compiler.h 2011-05-19 00:06:34.000000000 -0400
61845 +++ linux-2.6.39.1/include/linux/compiler.h 2011-05-22 19:36:32.000000000 -0400
61846 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
61847 #define __cold
61848 #endif
61849
61850 +#ifndef __alloc_size
61851 +#define __alloc_size
61852 +#endif
61853 +
61854 +#ifndef __bos
61855 +#define __bos
61856 +#endif
61857 +
61858 +#ifndef __bos0
61859 +#define __bos0
61860 +#endif
61861 +
61862 +#ifndef __bos1
61863 +#define __bos1
61864 +#endif
61865 +
61866 /* Simple shorthand for a section definition */
61867 #ifndef __section
61868 # define __section(S) __attribute__ ((__section__(#S)))
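Review bot: The fallbacks for `__alloc_size`, `__bos`, `__bos0` and `__bos1` are object-like macros with empty bodies, but the compiler-gcc4.h definitions in this same patch are function-like. On a compiler that takes the fallback, `__bos0(p)` would expand to `(p)`, the pointer itself rather than a size, and `__alloc_size(1)` would leave `(1)` in the declaration. Function-like fallbacks keep the call sites valid; `(size_t)-1` is what `__builtin_object_size` reports for an unknown size with types 0 and 1, so a bounds check built on it would simply never fire. Whether any non-gcc4 build reaches these call sites is not visible here.

```c
/* … unchanged: each definition keeps its #ifndef/#endif guard … */
#define __alloc_size(...)
#define __bos(ptr, arg) ((size_t)-1)
#define __bos0(ptr) __bos((ptr), 0)
#define __bos1(ptr) __bos((ptr), 1)
```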
61869 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
61870 * use is to mediate communication between process-level code and irq/NMI
61871 * handlers, all running on the same CPU.
61872 */
61873 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
61874 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
61875 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
61876
61877 #endif /* __LINUX_COMPILER_H */
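Review bot: `ACCESS_ONCE()` now yields a const-qualified lvalue, but the visible tail of the comment block above it (the block starts outside this hunk) does not say that the macro has become read-only. Add a closing sentence to that comment, for example `ACCESS_ONCE() is for loads only; stores must use ACCESS_ONCE_RW().`, so that a failed build on an assignment points the author to the right macro rather than to a cast that removes the qualifier.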
61878 diff -urNp linux-2.6.39.1/include/linux/concap.h linux-2.6.39.1/include/linux/concap.h
61879 --- linux-2.6.39.1/include/linux/concap.h 2011-05-19 00:06:34.000000000 -0400
61880 +++ linux-2.6.39.1/include/linux/concap.h 2011-05-22 19:36:32.000000000 -0400
61881 @@ -30,7 +30,7 @@ struct concap_device_ops;
61882 struct concap_proto{
61883 struct net_device *net_dev; /* net device using our service */
61884 struct concap_device_ops *dops; /* callbacks provided by device */
61885 - struct concap_proto_ops *pops; /* callbacks provided by us */
61886 + const struct concap_proto_ops *pops; /* callbacks provided by us */
61887 spinlock_t lock;
61888 int flags;
61889 void *proto_data; /* protocol specific private data, to
61890 diff -urNp linux-2.6.39.1/include/linux/configfs.h linux-2.6.39.1/include/linux/configfs.h
61891 --- linux-2.6.39.1/include/linux/configfs.h 2011-05-19 00:06:34.000000000 -0400
61892 +++ linux-2.6.39.1/include/linux/configfs.h 2011-05-22 19:36:32.000000000 -0400
61893 @@ -82,7 +82,7 @@ extern void config_item_put(struct confi
61894 struct config_item_type {
61895 struct module *ct_owner;
61896 struct configfs_item_operations *ct_item_ops;
61897 - struct configfs_group_operations *ct_group_ops;
61898 + const struct configfs_group_operations *ct_group_ops;
61899 struct configfs_attribute **ct_attrs;
61900 };
61901
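Review bot: Only `ct_group_ops` becomes a pointer to const; `ct_item_ops` on the line above keeps its mutable type, so one of the two callback tables reachable from `config_item_type` can still be declared in writable memory. If `ct_item_ops` was left alone because some user fills its table at runtime, say so in a comment; otherwise `const struct configfs_item_operations *ct_item_ops;` would make the struct consistent. The users of the field are outside this hunk.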
61902 diff -urNp linux-2.6.39.1/include/linux/cpuset.h linux-2.6.39.1/include/linux/cpuset.h
61903 --- linux-2.6.39.1/include/linux/cpuset.h 2011-05-19 00:06:34.000000000 -0400
61904 +++ linux-2.6.39.1/include/linux/cpuset.h 2011-05-22 19:36:32.000000000 -0400
61905 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
61906 * nodemask.
61907 */
61908 smp_mb();
61909 - --ACCESS_ONCE(current->mems_allowed_change_disable);
61910 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
61911 }
61912
61913 static inline void set_mems_allowed(nodemask_t nodemask)
61914 diff -urNp linux-2.6.39.1/include/linux/dca.h linux-2.6.39.1/include/linux/dca.h
61915 --- linux-2.6.39.1/include/linux/dca.h 2011-05-19 00:06:34.000000000 -0400
61916 +++ linux-2.6.39.1/include/linux/dca.h 2011-05-22 19:36:32.000000000 -0400
61917 @@ -34,7 +34,7 @@ void dca_unregister_notify(struct notifi
61918
61919 struct dca_provider {
61920 struct list_head node;
61921 - struct dca_ops *ops;
61922 + const struct dca_ops *ops;
61923 struct device *cd;
61924 int id;
61925 };
61926 @@ -53,7 +53,7 @@ struct dca_ops {
61927 int (*dev_managed) (struct dca_provider *, struct device *);
61928 };
61929
61930 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size);
61931 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size);
61932 void free_dca_provider(struct dca_provider *dca);
61933 int register_dca_provider(struct dca_provider *dca, struct device *dev);
61934 void unregister_dca_provider(struct dca_provider *dca, struct device *dev);
61935 diff -urNp linux-2.6.39.1/include/linux/decompress/mm.h linux-2.6.39.1/include/linux/decompress/mm.h
61936 --- linux-2.6.39.1/include/linux/decompress/mm.h 2011-05-19 00:06:34.000000000 -0400
61937 +++ linux-2.6.39.1/include/linux/decompress/mm.h 2011-05-22 19:36:33.000000000 -0400
61938 @@ -77,7 +77,7 @@ static void free(void *where)
61939 * warnings when not needed (indeed large_malloc / large_free are not
61940 * needed by inflate */
61941
61942 -#define malloc(a) kmalloc(a, GFP_KERNEL)
61943 +#define malloc(a) kmalloc((a), GFP_KERNEL)
61944 #define free(a) kfree(a)
61945
61946 #define large_malloc(a) vmalloc(a)
61947 diff -urNp linux-2.6.39.1/include/linux/dma-mapping.h linux-2.6.39.1/include/linux/dma-mapping.h
61948 --- linux-2.6.39.1/include/linux/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
61949 +++ linux-2.6.39.1/include/linux/dma-mapping.h 2011-05-22 19:36:33.000000000 -0400
61950 @@ -16,40 +16,40 @@ enum dma_data_direction {
61951 };
61952
61953 struct dma_map_ops {
61954 - void* (*alloc_coherent)(struct device *dev, size_t size,
61955 + void* (* const alloc_coherent)(struct device *dev, size_t size,
61956 dma_addr_t *dma_handle, gfp_t gfp);
61957 - void (*free_coherent)(struct device *dev, size_t size,
61958 + void (* const free_coherent)(struct device *dev, size_t size,
61959 void *vaddr, dma_addr_t dma_handle);
61960 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
61961 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
61962 unsigned long offset, size_t size,
61963 enum dma_data_direction dir,
61964 struct dma_attrs *attrs);
61965 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
61966 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
61967 size_t size, enum dma_data_direction dir,
61968 struct dma_attrs *attrs);
61969 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
61970 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
61971 int nents, enum dma_data_direction dir,
61972 struct dma_attrs *attrs);
61973 - void (*unmap_sg)(struct device *dev,
61974 + void (* const unmap_sg)(struct device *dev,
61975 struct scatterlist *sg, int nents,
61976 enum dma_data_direction dir,
61977 struct dma_attrs *attrs);
61978 - void (*sync_single_for_cpu)(struct device *dev,
61979 + void (* const sync_single_for_cpu)(struct device *dev,
61980 dma_addr_t dma_handle, size_t size,
61981 enum dma_data_direction dir);
61982 - void (*sync_single_for_device)(struct device *dev,
61983 + void (* const sync_single_for_device)(struct device *dev,
61984 dma_addr_t dma_handle, size_t size,
61985 enum dma_data_direction dir);
61986 - void (*sync_sg_for_cpu)(struct device *dev,
61987 + void (* const sync_sg_for_cpu)(struct device *dev,
61988 struct scatterlist *sg, int nents,
61989 enum dma_data_direction dir);
61990 - void (*sync_sg_for_device)(struct device *dev,
61991 + void (* const sync_sg_for_device)(struct device *dev,
61992 struct scatterlist *sg, int nents,
61993 enum dma_data_direction dir);
61994 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
61995 - int (*dma_supported)(struct device *dev, u64 mask);
61996 - int (*set_dma_mask)(struct device *dev, u64 mask);
61997 - int is_phys;
61998 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
61999 + int (* const dma_supported)(struct device *dev, u64 mask);
62000 + int (* set_dma_mask)(struct device *dev, u64 mask);
62001 + const int is_phys;
62002 };
62003
62004 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
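Review bot: `set_dma_mask` is the one callback in `struct dma_map_ops` that does not get `* const` (it is written `(* set_dma_mask)`, with a leftover space), and nothing says why. If it is left writable on purpose because some platform assigns it after the table is built, record that next to the member, e.g. `/* not const: assigned at runtime, see <caller> */`; if it is an oversight, make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like its neighbours. A single writable slot in an otherwise constant ops table is the member a later reader will question first.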
62005 diff -urNp linux-2.6.39.1/include/linux/elf.h linux-2.6.39.1/include/linux/elf.h
62006 --- linux-2.6.39.1/include/linux/elf.h 2011-05-19 00:06:34.000000000 -0400
62007 +++ linux-2.6.39.1/include/linux/elf.h 2011-05-22 19:36:33.000000000 -0400
62008 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62009 #define PT_GNU_EH_FRAME 0x6474e550
62010
62011 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62012 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62013 +
62014 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62015 +
62016 +/* Constants for the e_flags field */
62017 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62018 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62019 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62020 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62021 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62022 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62023
62024 /*
62025 * Extended Numbering
62026 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
62027 #define DT_DEBUG 21
62028 #define DT_TEXTREL 22
62029 #define DT_JMPREL 23
62030 +#define DT_FLAGS 30
62031 + #define DF_TEXTREL 0x00000004
62032 #define DT_ENCODING 32
62033 #define OLD_DT_LOOS 0x60000000
62034 #define DT_LOOS 0x6000000d
62035 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
62036 #define PF_W 0x2
62037 #define PF_X 0x1
62038
62039 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62040 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62041 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62042 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62043 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62044 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62045 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62046 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62047 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62048 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62049 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62050 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62051 +
62052 typedef struct elf32_phdr{
62053 Elf32_Word p_type;
62054 Elf32_Off p_offset;
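Review bot: The `PF_*` bits added above `elf32_phdr` come as a separate enable and disable bit per feature, but no comment says what a program header with both bits of a pair set, or neither, means. Since these flags select memory-protection features per binary, the precedence belongs next to the definitions rather than only in the parser, e.g. `/* per feature: enable and disable are mutually exclusive; neither set = system default (confirm against the flag parser) */`. The code that consumes the flags is not in this hunk.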
62055 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
62056 #define EI_OSABI 7
62057 #define EI_PAD 8
62058
62059 +#define EI_PAX 14
62060 +
62061 #define ELFMAG0 0x7f /* EI_MAG */
62062 #define ELFMAG1 'E'
62063 #define ELFMAG2 'L'
62064 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
62065 #define elf_note elf32_note
62066 #define elf_addr_t Elf32_Off
62067 #define Elf_Half Elf32_Half
62068 +#define elf_dyn Elf32_Dyn
62069
62070 #else
62071
62072 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
62073 #define elf_note elf64_note
62074 #define elf_addr_t Elf64_Off
62075 #define Elf_Half Elf64_Half
62076 +#define elf_dyn Elf64_Dyn
62077
62078 #endif
62079
62080 diff -urNp linux-2.6.39.1/include/linux/enclosure.h linux-2.6.39.1/include/linux/enclosure.h
62081 --- linux-2.6.39.1/include/linux/enclosure.h 2011-05-19 00:06:34.000000000 -0400
62082 +++ linux-2.6.39.1/include/linux/enclosure.h 2011-05-22 19:36:33.000000000 -0400
62083 @@ -98,7 +98,7 @@ struct enclosure_device {
62084 void *scratch;
62085 struct list_head node;
62086 struct device edev;
62087 - struct enclosure_component_callbacks *cb;
62088 + const struct enclosure_component_callbacks *cb;
62089 int components;
62090 struct enclosure_component component[0];
62091 };
62092 diff -urNp linux-2.6.39.1/include/linux/fscache-cache.h linux-2.6.39.1/include/linux/fscache-cache.h
62093 --- linux-2.6.39.1/include/linux/fscache-cache.h 2011-05-19 00:06:34.000000000 -0400
62094 +++ linux-2.6.39.1/include/linux/fscache-cache.h 2011-05-22 19:36:33.000000000 -0400
62095 @@ -113,7 +113,7 @@ struct fscache_operation {
62096 #endif
62097 };
62098
62099 -extern atomic_t fscache_op_debug_id;
62100 +extern atomic_unchecked_t fscache_op_debug_id;
62101 extern void fscache_op_work_func(struct work_struct *work);
62102
62103 extern void fscache_enqueue_operation(struct fscache_operation *);
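Review bot: `fscache_op_debug_id` switches to `atomic_unchecked_t` with no comment giving the reason, and the same holds for the `atomic_inc_return_unchecked()` call in the next hunk and for `sync_io` in the include/linux/genhd.h hunk. The type is defined outside this chunk; by its name it opts the counter out of an overflow check that plain `atomic_t` receives, which is only safe for counters whose wraparound is harmless. A short comment at each conversion, e.g. `/* debug id only, may wrap; not a reference count */`, lets a later reader verify that no lifetime-tracking counter was exempted by mistake.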
62104 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
62105 {
62106 INIT_WORK(&op->work, fscache_op_work_func);
62107 atomic_set(&op->usage, 1);
62108 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62109 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62110 op->processor = processor;
62111 op->release = release;
62112 INIT_LIST_HEAD(&op->pend_link);
62113 diff -urNp linux-2.6.39.1/include/linux/fs.h linux-2.6.39.1/include/linux/fs.h
62114 --- linux-2.6.39.1/include/linux/fs.h 2011-05-19 00:06:34.000000000 -0400
62115 +++ linux-2.6.39.1/include/linux/fs.h 2011-05-22 19:41:42.000000000 -0400
62116 @@ -108,6 +108,11 @@ struct inodes_stat_t {
62117 /* File was opened by fanotify and shouldn't generate fanotify events */
62118 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
62119
62120 +/* Hack for grsec so as not to require read permission simply to execute
62121 + * a binary
62122 + */
62123 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62124 +
62125 /*
62126 * The below are the various read and write types that we support. Some of
62127 * them include behavioral modifiers that send information down to the
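Review bot: The comment on `FMODE_GREXEC` calls it a hack but does not say who may set the bit or where it is tested. A mode bit that waives the read-permission requirement should be documented as kernel-internal, e.g. `/* internal: set by the exec path only; must never be derived from userspace open flags */`, once that is confirmed against the code that sets it, which is outside this hunk. It is also worth noting that `0x2000000` has to stay clear of the other `FMODE_*` values, of which only `FMODE_NONOTIFY` is visible here.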
62128 @@ -575,41 +580,41 @@ typedef int (*read_actor_t)(read_descrip
62129 unsigned long, unsigned long);
62130
62131 struct address_space_operations {
62132 - int (*writepage)(struct page *page, struct writeback_control *wbc);
62133 - int (*readpage)(struct file *, struct page *);
62134 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
62135 + int (* const readpage)(struct file *, struct page *);
62136
62137 /* Write back some dirty pages from this mapping. */
62138 - int (*writepages)(struct address_space *, struct writeback_control *);
62139 + int (* const writepages)(struct address_space *, struct writeback_control *);
62140
62141 /* Set a page dirty. Return true if this dirtied it */
62142 - int (*set_page_dirty)(struct page *page);
62143 + int (* const set_page_dirty)(struct page *page);
62144
62145 - int (*readpages)(struct file *filp, struct address_space *mapping,
62146 + int (* const readpages)(struct file *filp, struct address_space *mapping,
62147 struct list_head *pages, unsigned nr_pages);
62148
62149 - int (*write_begin)(struct file *, struct address_space *mapping,
62150 + int (* const write_begin)(struct file *, struct address_space *mapping,
62151 loff_t pos, unsigned len, unsigned flags,
62152 struct page **pagep, void **fsdata);
62153 - int (*write_end)(struct file *, struct address_space *mapping,
62154 + int (* const write_end)(struct file *, struct address_space *mapping,
62155 loff_t pos, unsigned len, unsigned copied,
62156 struct page *page, void *fsdata);
62157
62158 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62159 - sector_t (*bmap)(struct address_space *, sector_t);
62160 - void (*invalidatepage) (struct page *, unsigned long);
62161 - int (*releasepage) (struct page *, gfp_t);
62162 - void (*freepage)(struct page *);
62163 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62164 + sector_t (* const bmap)(struct address_space *, sector_t);
62165 + void (* const invalidatepage) (struct page *, unsigned long);
62166 + int (* const releasepage) (struct page *, gfp_t);
62167 + void (* const freepage)(struct page *);
62168 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62169 loff_t offset, unsigned long nr_segs);
62170 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62171 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62172 void **, unsigned long *);
62173 /* migrate the contents of a page to the specified target */
62174 - int (*migratepage) (struct address_space *,
62175 + int (* const migratepage) (struct address_space *,
62176 struct page *, struct page *);
62177 - int (*launder_page) (struct page *);
62178 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62179 + int (* const launder_page) (struct page *);
62180 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62181 unsigned long);
62182 - int (*error_remove_page)(struct address_space *, struct page *);
62183 + int (* const error_remove_page)(struct address_space *, struct page *);
62184 };
62185
62186 extern const struct address_space_operations empty_aops;
62187 @@ -1060,17 +1065,17 @@ static inline int file_check_writeable(s
62188 typedef struct files_struct *fl_owner_t;
62189
62190 struct file_lock_operations {
62191 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62192 - void (*fl_release_private)(struct file_lock *);
62193 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62194 + void (* const fl_release_private)(struct file_lock *);
62195 };
62196
62197 struct lock_manager_operations {
62198 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62199 - void (*fl_notify)(struct file_lock *); /* unblock callback */
62200 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62201 - void (*fl_release_private)(struct file_lock *);
62202 - void (*fl_break)(struct file_lock *);
62203 - int (*fl_change)(struct file_lock **, int);
62204 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62205 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
62206 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62207 + void (* const fl_release_private)(struct file_lock *);
62208 + void (* const fl_break)(struct file_lock *);
62209 + int (* const fl_change)(struct file_lock **, int);
62210 };
62211
62212 struct lock_manager {
62213 @@ -1611,31 +1616,31 @@ extern ssize_t vfs_writev(struct file *,
62214 unsigned long, loff_t *);
62215
62216 struct super_operations {
62217 - struct inode *(*alloc_inode)(struct super_block *sb);
62218 - void (*destroy_inode)(struct inode *);
62219 + struct inode *(* const alloc_inode)(struct super_block *sb);
62220 + void (* const destroy_inode)(struct inode *);
62221
62222 - void (*dirty_inode) (struct inode *);
62223 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
62224 - int (*drop_inode) (struct inode *);
62225 - void (*evict_inode) (struct inode *);
62226 - void (*put_super) (struct super_block *);
62227 - void (*write_super) (struct super_block *);
62228 - int (*sync_fs)(struct super_block *sb, int wait);
62229 - int (*freeze_fs) (struct super_block *);
62230 - int (*unfreeze_fs) (struct super_block *);
62231 - int (*statfs) (struct dentry *, struct kstatfs *);
62232 - int (*remount_fs) (struct super_block *, int *, char *);
62233 - void (*umount_begin) (struct super_block *);
62234 -
62235 - int (*show_options)(struct seq_file *, struct vfsmount *);
62236 - int (*show_devname)(struct seq_file *, struct vfsmount *);
62237 - int (*show_path)(struct seq_file *, struct vfsmount *);
62238 - int (*show_stats)(struct seq_file *, struct vfsmount *);
62239 + void (* const dirty_inode) (struct inode *);
62240 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
62241 + int (* const drop_inode) (struct inode *);
62242 + void (* const evict_inode) (struct inode *);
62243 + void (* const put_super) (struct super_block *);
62244 + void (* const write_super) (struct super_block *);
62245 + int (* const sync_fs)(struct super_block *sb, int wait);
62246 + int (* const freeze_fs) (struct super_block *);
62247 + int (* const unfreeze_fs) (struct super_block *);
62248 + int (* const statfs) (struct dentry *, struct kstatfs *);
62249 + int (* const remount_fs) (struct super_block *, int *, char *);
62250 + void (* const umount_begin) (struct super_block *);
62251 +
62252 + int (* const show_options)(struct seq_file *, struct vfsmount *);
62253 + int (* const show_devname)(struct seq_file *, struct vfsmount *);
62254 + int (* const show_path)(struct seq_file *, struct vfsmount *);
62255 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
62256 #ifdef CONFIG_QUOTA
62257 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62258 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62259 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62260 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62261 #endif
62262 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62263 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62264 };
62265
62266 /*
62267 diff -urNp linux-2.6.39.1/include/linux/fs_struct.h linux-2.6.39.1/include/linux/fs_struct.h
62268 --- linux-2.6.39.1/include/linux/fs_struct.h 2011-05-19 00:06:34.000000000 -0400
62269 +++ linux-2.6.39.1/include/linux/fs_struct.h 2011-05-22 19:36:33.000000000 -0400
62270 @@ -6,7 +6,7 @@
62271 #include <linux/seqlock.h>
62272
62273 struct fs_struct {
62274 - int users;
62275 + atomic_t users;
62276 spinlock_t lock;
62277 seqcount_t seq;
62278 int umask;
62279 diff -urNp linux-2.6.39.1/include/linux/ftrace_event.h linux-2.6.39.1/include/linux/ftrace_event.h
62280 --- linux-2.6.39.1/include/linux/ftrace_event.h 2011-05-19 00:06:34.000000000 -0400
62281 +++ linux-2.6.39.1/include/linux/ftrace_event.h 2011-05-22 19:36:33.000000000 -0400
62282 @@ -235,7 +235,7 @@ extern int trace_define_field(struct ftr
62283 extern int trace_add_event_call(struct ftrace_event_call *call);
62284 extern void trace_remove_event_call(struct ftrace_event_call *call);
62285
62286 -#define is_signed_type(type) (((type)(-1)) < 0)
62287 +#define is_signed_type(type) (((type)(-1)) < (type)1)
62288
62289 int trace_set_clr_event(const char *system, const char *event, int set);
62290
62291 diff -urNp linux-2.6.39.1/include/linux/ftrace.h linux-2.6.39.1/include/linux/ftrace.h
62292 --- linux-2.6.39.1/include/linux/ftrace.h 2011-05-19 00:06:34.000000000 -0400
62293 +++ linux-2.6.39.1/include/linux/ftrace.h 2011-05-22 19:36:33.000000000 -0400
62294 @@ -140,7 +140,7 @@ extern void
62295 unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
62296 void *data);
62297 extern void
62298 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops);
62299 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops);
62300 extern void unregister_ftrace_function_probe_all(char *glob);
62301
62302 extern int ftrace_text_reserved(void *start, void *end);
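Review bot: `unregister_ftrace_function_probe_func()` now takes `const struct ftrace_probe_ops *ops`, while `unregister_ftrace_function_probe()` declared just above it in the same hunk still takes a non-const pointer. A caller holding a const ops table can then use one unregister function but not the other without casting the qualifier away. Unless the three-argument form writes through `ops` (its definition is not visible here), give it the same qualifier: `unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,`.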
62303 diff -urNp linux-2.6.39.1/include/linux/genhd.h linux-2.6.39.1/include/linux/genhd.h
62304 --- linux-2.6.39.1/include/linux/genhd.h 2011-06-03 00:04:14.000000000 -0400
62305 +++ linux-2.6.39.1/include/linux/genhd.h 2011-06-03 00:32:08.000000000 -0400
62306 @@ -184,7 +184,7 @@ struct gendisk {
62307 struct kobject *slave_dir;
62308
62309 struct timer_rand_state *random;
62310 - atomic_t sync_io; /* RAID */
62311 + atomic_unchecked_t sync_io; /* RAID */
62312 struct disk_events *ev;
62313 #ifdef CONFIG_BLK_DEV_INTEGRITY
62314 struct blk_integrity *integrity;
62315 diff -urNp linux-2.6.39.1/include/linux/gracl.h linux-2.6.39.1/include/linux/gracl.h
62316 --- linux-2.6.39.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62317 +++ linux-2.6.39.1/include/linux/gracl.h 2011-05-22 19:41:42.000000000 -0400
62318 @@ -0,0 +1,317 @@
62319 +#ifndef GR_ACL_H
62320 +#define GR_ACL_H
62321 +
62322 +#include <linux/grdefs.h>
62323 +#include <linux/resource.h>
62324 +#include <linux/capability.h>
62325 +#include <linux/dcache.h>
62326 +#include <asm/resource.h>
62327 +
62328 +/* Major status information */
62329 +
62330 +#define GR_VERSION "grsecurity 2.2.2"
62331 +#define GRSECURITY_VERSION 0x2202
62332 +
62333 +enum {
62334 + GR_SHUTDOWN = 0,
62335 + GR_ENABLE = 1,
62336 + GR_SPROLE = 2,
62337 + GR_RELOAD = 3,
62338 + GR_SEGVMOD = 4,
62339 + GR_STATUS = 5,
62340 + GR_UNSPROLE = 6,
62341 + GR_PASSSET = 7,
62342 + GR_SPROLEPAM = 8,
62343 +};
62344 +
62345 +/* Password setup definitions
62346 + * kernel/grhash.c */
62347 +enum {
62348 + GR_PW_LEN = 128,
62349 + GR_SALT_LEN = 16,
62350 + GR_SHA_LEN = 32,
62351 +};
62352 +
62353 +enum {
62354 + GR_SPROLE_LEN = 64,
62355 +};
62356 +
62357 +enum {
62358 + GR_NO_GLOB = 0,
62359 + GR_REG_GLOB,
62360 + GR_CREATE_GLOB
62361 +};
62362 +
62363 +#define GR_NLIMITS 32
62364 +
62365 +/* Begin Data Structures */
62366 +
62367 +struct sprole_pw {
62368 + unsigned char *rolename;
62369 + unsigned char salt[GR_SALT_LEN];
62370 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62371 +};
62372 +
62373 +struct name_entry {
62374 + __u32 key;
62375 + ino_t inode;
62376 + dev_t device;
62377 + char *name;
62378 + __u16 len;
62379 + __u8 deleted;
62380 + struct name_entry *prev;
62381 + struct name_entry *next;
62382 +};
62383 +
62384 +struct inodev_entry {
62385 + struct name_entry *nentry;
62386 + struct inodev_entry *prev;
62387 + struct inodev_entry *next;
62388 +};
62389 +
62390 +struct acl_role_db {
62391 + struct acl_role_label **r_hash;
62392 + __u32 r_size;
62393 +};
62394 +
62395 +struct inodev_db {
62396 + struct inodev_entry **i_hash;
62397 + __u32 i_size;
62398 +};
62399 +
62400 +struct name_db {
62401 + struct name_entry **n_hash;
62402 + __u32 n_size;
62403 +};
62404 +
62405 +struct crash_uid {
62406 + uid_t uid;
62407 + unsigned long expires;
62408 +};
62409 +
62410 +struct gr_hash_struct {
62411 + void **table;
62412 + void **nametable;
62413 + void *first;
62414 + __u32 table_size;
62415 + __u32 used_size;
62416 + int type;
62417 +};
62418 +
62419 +/* Userspace Grsecurity ACL data structures */
62420 +
62421 +struct acl_subject_label {
62422 + char *filename;
62423 + ino_t inode;
62424 + dev_t device;
62425 + __u32 mode;
62426 + kernel_cap_t cap_mask;
62427 + kernel_cap_t cap_lower;
62428 + kernel_cap_t cap_invert_audit;
62429 +
62430 + struct rlimit res[GR_NLIMITS];
62431 + __u32 resmask;
62432 +
62433 + __u8 user_trans_type;
62434 + __u8 group_trans_type;
62435 + uid_t *user_transitions;
62436 + gid_t *group_transitions;
62437 + __u16 user_trans_num;
62438 + __u16 group_trans_num;
62439 +
62440 + __u32 sock_families[2];
62441 + __u32 ip_proto[8];
62442 + __u32 ip_type;
62443 + struct acl_ip_label **ips;
62444 + __u32 ip_num;
62445 + __u32 inaddr_any_override;
62446 +
62447 + __u32 crashes;
62448 + unsigned long expires;
62449 +
62450 + struct acl_subject_label *parent_subject;
62451 + struct gr_hash_struct *hash;
62452 + struct acl_subject_label *prev;
62453 + struct acl_subject_label *next;
62454 +
62455 + struct acl_object_label **obj_hash;
62456 + __u32 obj_hash_size;
62457 + __u16 pax_flags;
62458 +};
62459 +
62460 +struct role_allowed_ip {
62461 + __u32 addr;
62462 + __u32 netmask;
62463 +
62464 + struct role_allowed_ip *prev;
62465 + struct role_allowed_ip *next;
62466 +};
62467 +
62468 +struct role_transition {
62469 + char *rolename;
62470 +
62471 + struct role_transition *prev;
62472 + struct role_transition *next;
62473 +};
62474 +
62475 +struct acl_role_label {
62476 + char *rolename;
62477 + uid_t uidgid;
62478 + __u16 roletype;
62479 +
62480 + __u16 auth_attempts;
62481 + unsigned long expires;
62482 +
62483 + struct acl_subject_label *root_label;
62484 + struct gr_hash_struct *hash;
62485 +
62486 + struct acl_role_label *prev;
62487 + struct acl_role_label *next;
62488 +
62489 + struct role_transition *transitions;
62490 + struct role_allowed_ip *allowed_ips;
62491 + uid_t *domain_children;
62492 + __u16 domain_child_num;
62493 +
62494 + struct acl_subject_label **subj_hash;
62495 + __u32 subj_hash_size;
62496 +};
62497 +
62498 +struct user_acl_role_db {
62499 + struct acl_role_label **r_table;
62500 + __u32 num_pointers; /* Number of allocations to track */
62501 + __u32 num_roles; /* Number of roles */
62502 + __u32 num_domain_children; /* Number of domain children */
62503 + __u32 num_subjects; /* Number of subjects */
62504 + __u32 num_objects; /* Number of objects */
62505 +};
62506 +
62507 +struct acl_object_label {
62508 + char *filename;
62509 + ino_t inode;
62510 + dev_t device;
62511 + __u32 mode;
62512 +
62513 + struct acl_subject_label *nested;
62514 + struct acl_object_label *globbed;
62515 +
62516 + /* next two structures not used */
62517 +
62518 + struct acl_object_label *prev;
62519 + struct acl_object_label *next;
62520 +};
62521 +
62522 +struct acl_ip_label {
62523 + char *iface;
62524 + __u32 addr;
62525 + __u32 netmask;
62526 + __u16 low, high;
62527 + __u8 mode;
62528 + __u32 type;
62529 + __u32 proto[8];
62530 +
62531 + /* next two structures not used */
62532 +
62533 + struct acl_ip_label *prev;
62534 + struct acl_ip_label *next;
62535 +};
62536 +
62537 +struct gr_arg {
62538 + struct user_acl_role_db role_db;
62539 + unsigned char pw[GR_PW_LEN];
62540 + unsigned char salt[GR_SALT_LEN];
62541 + unsigned char sum[GR_SHA_LEN];
62542 + unsigned char sp_role[GR_SPROLE_LEN];
62543 + struct sprole_pw *sprole_pws;
62544 + dev_t segv_device;
62545 + ino_t segv_inode;
62546 + uid_t segv_uid;
62547 + __u16 num_sprole_pws;
62548 + __u16 mode;
62549 +};
62550 +
62551 +struct gr_arg_wrapper {
62552 + struct gr_arg *arg;
62553 + __u32 version;
62554 + __u32 size;
62555 +};
62556 +
62557 +struct subject_map {
62558 + struct acl_subject_label *user;
62559 + struct acl_subject_label *kernel;
62560 + struct subject_map *prev;
62561 + struct subject_map *next;
62562 +};
62563 +
62564 +struct acl_subj_map_db {
62565 + struct subject_map **s_hash;
62566 + __u32 s_size;
62567 +};
62568 +
62569 +/* End Data Structures Section */
62570 +
62571 +/* Hash functions generated by empirical testing by Brad Spengler
62572 + Makes good use of the low bits of the inode. Generally 0-1 times
62573 + in loop for successful match. 0-3 for unsuccessful match.
62574 + Shift/add algorithm with modulus of table size and an XOR*/
62575 +
62576 +static __inline__ unsigned int
62577 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
62578 +{
62579 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
62580 +}
62581 +
62582 + static __inline__ unsigned int
62583 +shash(const struct acl_subject_label *userp, const unsigned int sz)
62584 +{
62585 + return ((const unsigned long)userp % sz);
62586 +}
62587 +
62588 +static __inline__ unsigned int
62589 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
62590 +{
62591 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
62592 +}
62593 +
62594 +static __inline__ unsigned int
62595 +nhash(const char *name, const __u16 len, const unsigned int sz)
62596 +{
62597 + return full_name_hash((const unsigned char *)name, len) % sz;
62598 +}
62599 +
62600 +#define FOR_EACH_ROLE_START(role) \
62601 + role = role_list; \
62602 + while (role) {
62603 +
62604 +#define FOR_EACH_ROLE_END(role) \
62605 + role = role->prev; \
62606 + }
62607 +
62608 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
62609 + subj = NULL; \
62610 + iter = 0; \
62611 + while (iter < role->subj_hash_size) { \
62612 + if (subj == NULL) \
62613 + subj = role->subj_hash[iter]; \
62614 + if (subj == NULL) { \
62615 + iter++; \
62616 + continue; \
62617 + }
62618 +
62619 +#define FOR_EACH_SUBJECT_END(subj,iter) \
62620 + subj = subj->next; \
62621 + if (subj == NULL) \
62622 + iter++; \
62623 + }
62624 +
62625 +
62626 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
62627 + subj = role->hash->first; \
62628 + while (subj != NULL) {
62629 +
62630 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
62631 + subj = subj->next; \
62632 + }
62633 +
62634 +#endif
62635 +
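Review bot: `rhash()` shifts by `16 + type` and every hash helper ends in `% sz`, so a `type` of 16 or more (with a 32-bit `uid_t`) or a table size of zero is undefined behaviour, and nothing in the header states those preconditions. The table sizes sit in structures the header itself labels as userspace ACL data, and `type` is presumably a role's `roletype`, so the limits should be documented at the function, e.g. `/* callers must pass type < 16 and sz != 0 */`, and enforced where the tables are loaded; that code is outside this hunk. Two smaller points: the `FOR_EACH_*_START` macros use their arguments unparenthesised and open a brace that only the matching `_END` macro closes, which deserves a comment, and the line before `shash()` has a stray space after the `+`.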
62636 diff -urNp linux-2.6.39.1/include/linux/gralloc.h linux-2.6.39.1/include/linux/gralloc.h
62637 --- linux-2.6.39.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
62638 +++ linux-2.6.39.1/include/linux/gralloc.h 2011-05-22 19:41:42.000000000 -0400
62639 @@ -0,0 +1,9 @@
62640 +#ifndef __GRALLOC_H
62641 +#define __GRALLOC_H
62642 +
62643 +void acl_free_all(void);
62644 +int acl_alloc_stack_init(unsigned long size);
62645 +void *acl_alloc(unsigned long len);
62646 +void *acl_alloc_num(unsigned long num, unsigned long len);
62647 +
62648 +#endif
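Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` takes a count and an element size, but nothing in this header says whether the product `num * len` is checked for overflow or what either allocator returns on failure. The implementation is outside this hunk, so the contract has to be confirmed there. Once confirmed, I would state it above the prototypes, for example `/* acl_alloc*() return NULL on failure; acl_alloc_num() rejects num * len overflow */`. The return convention of `acl_alloc_stack_init()` (an `int`) should be documented the same way, since callers sizing the pool from a policy loaded from userspace depend on it.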
62649 diff -urNp linux-2.6.39.1/include/linux/grdefs.h linux-2.6.39.1/include/linux/grdefs.h
62650 --- linux-2.6.39.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
62651 +++ linux-2.6.39.1/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
62652 @@ -0,0 +1,140 @@
62653 +#ifndef GRDEFS_H
62654 +#define GRDEFS_H
62655 +
62656 +/* Begin grsecurity status declarations */
62657 +
62658 +enum {
62659 + GR_READY = 0x01,
62660 + GR_STATUS_INIT = 0x00 // disabled state
62661 +};
62662 +
62663 +/* Begin ACL declarations */
62664 +
62665 +/* Role flags */
62666 +
62667 +enum {
62668 + GR_ROLE_USER = 0x0001,
62669 + GR_ROLE_GROUP = 0x0002,
62670 + GR_ROLE_DEFAULT = 0x0004,
62671 + GR_ROLE_SPECIAL = 0x0008,
62672 + GR_ROLE_AUTH = 0x0010,
62673 + GR_ROLE_NOPW = 0x0020,
62674 + GR_ROLE_GOD = 0x0040,
62675 + GR_ROLE_LEARN = 0x0080,
62676 + GR_ROLE_TPE = 0x0100,
62677 + GR_ROLE_DOMAIN = 0x0200,
62678 + GR_ROLE_PAM = 0x0400,
62679 + GR_ROLE_PERSIST = 0x0800
62680 +};
62681 +
62682 +/* ACL Subject and Object mode flags */
62683 +enum {
62684 + GR_DELETED = 0x80000000
62685 +};
62686 +
62687 +/* ACL Object-only mode flags */
62688 +enum {
62689 + GR_READ = 0x00000001,
62690 + GR_APPEND = 0x00000002,
62691 + GR_WRITE = 0x00000004,
62692 + GR_EXEC = 0x00000008,
62693 + GR_FIND = 0x00000010,
62694 + GR_INHERIT = 0x00000020,
62695 + GR_SETID = 0x00000040,
62696 + GR_CREATE = 0x00000080,
62697 + GR_DELETE = 0x00000100,
62698 + GR_LINK = 0x00000200,
62699 + GR_AUDIT_READ = 0x00000400,
62700 + GR_AUDIT_APPEND = 0x00000800,
62701 + GR_AUDIT_WRITE = 0x00001000,
62702 + GR_AUDIT_EXEC = 0x00002000,
62703 + GR_AUDIT_FIND = 0x00004000,
62704 + GR_AUDIT_INHERIT= 0x00008000,
62705 + GR_AUDIT_SETID = 0x00010000,
62706 + GR_AUDIT_CREATE = 0x00020000,
62707 + GR_AUDIT_DELETE = 0x00040000,
62708 + GR_AUDIT_LINK = 0x00080000,
62709 + GR_PTRACERD = 0x00100000,
62710 + GR_NOPTRACE = 0x00200000,
62711 + GR_SUPPRESS = 0x00400000,
62712 + GR_NOLEARN = 0x00800000,
62713 + GR_INIT_TRANSFER= 0x01000000
62714 +};
62715 +
62716 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
62717 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
62718 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
62719 +
62720 +/* ACL subject-only mode flags */
62721 +enum {
62722 + GR_KILL = 0x00000001,
62723 + GR_VIEW = 0x00000002,
62724 + GR_PROTECTED = 0x00000004,
62725 + GR_LEARN = 0x00000008,
62726 + GR_OVERRIDE = 0x00000010,
62727 + /* just a placeholder, this mode is only used in userspace */
62728 + GR_DUMMY = 0x00000020,
62729 + GR_PROTSHM = 0x00000040,
62730 + GR_KILLPROC = 0x00000080,
62731 + GR_KILLIPPROC = 0x00000100,
62732 + /* just a placeholder, this mode is only used in userspace */
62733 + GR_NOTROJAN = 0x00000200,
62734 + GR_PROTPROCFD = 0x00000400,
62735 + GR_PROCACCT = 0x00000800,
62736 + GR_RELAXPTRACE = 0x00001000,
62737 + GR_NESTED = 0x00002000,
62738 + GR_INHERITLEARN = 0x00004000,
62739 + GR_PROCFIND = 0x00008000,
62740 + GR_POVERRIDE = 0x00010000,
62741 + GR_KERNELAUTH = 0x00020000,
62742 + GR_ATSECURE = 0x00040000,
62743 + GR_SHMEXEC = 0x00080000
62744 +};
62745 +
62746 +enum {
62747 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
62748 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
62749 + GR_PAX_ENABLE_MPROTECT = 0x0004,
62750 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
62751 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
62752 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
62753 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
62754 + GR_PAX_DISABLE_MPROTECT = 0x0400,
62755 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
62756 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
62757 +};
62758 +
62759 +enum {
62760 + GR_ID_USER = 0x01,
62761 + GR_ID_GROUP = 0x02,
62762 +};
62763 +
62764 +enum {
62765 + GR_ID_ALLOW = 0x01,
62766 + GR_ID_DENY = 0x02,
62767 +};
62768 +
62769 +#define GR_CRASH_RES 31
62770 +#define GR_UIDTABLE_MAX 500
62771 +
62772 +/* begin resource learning section */
62773 +enum {
62774 + GR_RLIM_CPU_BUMP = 60,
62775 + GR_RLIM_FSIZE_BUMP = 50000,
62776 + GR_RLIM_DATA_BUMP = 10000,
62777 + GR_RLIM_STACK_BUMP = 1000,
62778 + GR_RLIM_CORE_BUMP = 10000,
62779 + GR_RLIM_RSS_BUMP = 500000,
62780 + GR_RLIM_NPROC_BUMP = 1,
62781 + GR_RLIM_NOFILE_BUMP = 5,
62782 + GR_RLIM_MEMLOCK_BUMP = 50000,
62783 + GR_RLIM_AS_BUMP = 500000,
62784 + GR_RLIM_LOCKS_BUMP = 2,
62785 + GR_RLIM_SIGPENDING_BUMP = 5,
62786 + GR_RLIM_MSGQUEUE_BUMP = 10000,
62787 + GR_RLIM_NICE_BUMP = 1,
62788 + GR_RLIM_RTPRIO_BUMP = 1,
62789 + GR_RLIM_RTTIME_BUMP = 1000000
62790 +};
62791 +
62792 +#endif
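Review bot: `GR_DELETED = 0x80000000` in the "ACL Subject and Object mode flags" enum does not fit in an `int`, which ISO C before C23 requires of an enumerator value, so it compiles only through the GCC extension that widens the enum. The flag is presumably ORed into 32-bit mode words, so a typed constant would state the intent without relying on that extension: `#define GR_DELETED 0x80000000U`. The object-only and subject-only enums also reuse the same bit values (`GR_READ` and `GR_KILL` are both `0x00000001`), and anonymous enums give no type separation. A one-line comment on each enum naming the field it may be tested against would help prevent an object flag being checked against a subject mode.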
62793 diff -urNp linux-2.6.39.1/include/linux/grinternal.h linux-2.6.39.1/include/linux/grinternal.h
62794 --- linux-2.6.39.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
62795 +++ linux-2.6.39.1/include/linux/grinternal.h 2011-05-22 19:41:42.000000000 -0400
62796 @@ -0,0 +1,219 @@
62797 +#ifndef __GRINTERNAL_H
62798 +#define __GRINTERNAL_H
62799 +
62800 +#ifdef CONFIG_GRKERNSEC
62801 +
62802 +#include <linux/fs.h>
62803 +#include <linux/mnt_namespace.h>
62804 +#include <linux/nsproxy.h>
62805 +#include <linux/gracl.h>
62806 +#include <linux/grdefs.h>
62807 +#include <linux/grmsg.h>
62808 +
62809 +void gr_add_learn_entry(const char *fmt, ...)
62810 + __attribute__ ((format (printf, 1, 2)));
62811 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
62812 + const struct vfsmount *mnt);
62813 +__u32 gr_check_create(const struct dentry *new_dentry,
62814 + const struct dentry *parent,
62815 + const struct vfsmount *mnt, const __u32 mode);
62816 +int gr_check_protected_task(const struct task_struct *task);
62817 +__u32 to_gr_audit(const __u32 reqmode);
62818 +int gr_set_acls(const int type);
62819 +int gr_apply_subject_to_task(struct task_struct *task);
62820 +int gr_acl_is_enabled(void);
62821 +char gr_roletype_to_char(void);
62822 +
62823 +void gr_handle_alertkill(struct task_struct *task);
62824 +char *gr_to_filename(const struct dentry *dentry,
62825 + const struct vfsmount *mnt);
62826 +char *gr_to_filename1(const struct dentry *dentry,
62827 + const struct vfsmount *mnt);
62828 +char *gr_to_filename2(const struct dentry *dentry,
62829 + const struct vfsmount *mnt);
62830 +char *gr_to_filename3(const struct dentry *dentry,
62831 + const struct vfsmount *mnt);
62832 +
62833 +extern int grsec_enable_harden_ptrace;
62834 +extern int grsec_enable_link;
62835 +extern int grsec_enable_fifo;
62836 +extern int grsec_enable_execve;
62837 +extern int grsec_enable_shm;
62838 +extern int grsec_enable_execlog;
62839 +extern int grsec_enable_signal;
62840 +extern int grsec_enable_audit_ptrace;
62841 +extern int grsec_enable_forkfail;
62842 +extern int grsec_enable_time;
62843 +extern int grsec_enable_rofs;
62844 +extern int grsec_enable_chroot_shmat;
62845 +extern int grsec_enable_chroot_findtask;
62846 +extern int grsec_enable_chroot_mount;
62847 +extern int grsec_enable_chroot_double;
62848 +extern int grsec_enable_chroot_pivot;
62849 +extern int grsec_enable_chroot_chdir;
62850 +extern int grsec_enable_chroot_chmod;
62851 +extern int grsec_enable_chroot_mknod;
62852 +extern int grsec_enable_chroot_fchdir;
62853 +extern int grsec_enable_chroot_nice;
62854 +extern int grsec_enable_chroot_execlog;
62855 +extern int grsec_enable_chroot_caps;
62856 +extern int grsec_enable_chroot_sysctl;
62857 +extern int grsec_enable_chroot_unix;
62858 +extern int grsec_enable_tpe;
62859 +extern int grsec_tpe_gid;
62860 +extern int grsec_enable_tpe_all;
62861 +extern int grsec_enable_tpe_invert;
62862 +extern int grsec_enable_socket_all;
62863 +extern int grsec_socket_all_gid;
62864 +extern int grsec_enable_socket_client;
62865 +extern int grsec_socket_client_gid;
62866 +extern int grsec_enable_socket_server;
62867 +extern int grsec_socket_server_gid;
62868 +extern int grsec_audit_gid;
62869 +extern int grsec_enable_group;
62870 +extern int grsec_enable_audit_textrel;
62871 +extern int grsec_enable_log_rwxmaps;
62872 +extern int grsec_enable_mount;
62873 +extern int grsec_enable_chdir;
62874 +extern int grsec_resource_logging;
62875 +extern int grsec_enable_blackhole;
62876 +extern int grsec_lastack_retries;
62877 +extern int grsec_lock;
62878 +
62879 +extern spinlock_t grsec_alert_lock;
62880 +extern unsigned long grsec_alert_wtime;
62881 +extern unsigned long grsec_alert_fyet;
62882 +
62883 +extern spinlock_t grsec_audit_lock;
62884 +
62885 +extern rwlock_t grsec_exec_file_lock;
62886 +
62887 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
62888 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
62889 + (tsk)->exec_file->f_vfsmnt) : "/")
62890 +
62891 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
62892 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
62893 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
62894 +
62895 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
62896 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
62897 + (tsk)->exec_file->f_vfsmnt) : "/")
62898 +
62899 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
62900 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
62901 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
62902 +
62903 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
62904 +
62905 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
62906 +
62907 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
62908 + (task)->pid, (cred)->uid, \
62909 + (cred)->euid, (cred)->gid, (cred)->egid, \
62910 + gr_parent_task_fullpath(task), \
62911 + (task)->real_parent->comm, (task)->real_parent->pid, \
62912 + (pcred)->uid, (pcred)->euid, \
62913 + (pcred)->gid, (pcred)->egid
62914 +
62915 +#define GR_CHROOT_CAPS {{ \
62916 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
62917 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
62918 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
62919 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
62920 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
62921 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
62922 +
62923 +#define security_learn(normal_msg,args...) \
62924 +({ \
62925 + read_lock(&grsec_exec_file_lock); \
62926 + gr_add_learn_entry(normal_msg "\n", ## args); \
62927 + read_unlock(&grsec_exec_file_lock); \
62928 +})
62929 +
62930 +enum {
62931 + GR_DO_AUDIT,
62932 + GR_DONT_AUDIT,
62933 + /* used for non-audit messages that we shouldn't kill the task on */
62934 + GR_DONT_AUDIT_GOOD
62935 +};
62936 +
62937 +enum {
62938 + GR_TTYSNIFF,
62939 + GR_RBAC,
62940 + GR_RBAC_STR,
62941 + GR_STR_RBAC,
62942 + GR_RBAC_MODE2,
62943 + GR_RBAC_MODE3,
62944 + GR_FILENAME,
62945 + GR_SYSCTL_HIDDEN,
62946 + GR_NOARGS,
62947 + GR_ONE_INT,
62948 + GR_ONE_INT_TWO_STR,
62949 + GR_ONE_STR,
62950 + GR_STR_INT,
62951 + GR_TWO_STR_INT,
62952 + GR_TWO_INT,
62953 + GR_TWO_U64,
62954 + GR_THREE_INT,
62955 + GR_FIVE_INT_TWO_STR,
62956 + GR_TWO_STR,
62957 + GR_THREE_STR,
62958 + GR_FOUR_STR,
62959 + GR_STR_FILENAME,
62960 + GR_FILENAME_STR,
62961 + GR_FILENAME_TWO_INT,
62962 + GR_FILENAME_TWO_INT_STR,
62963 + GR_TEXTREL,
62964 + GR_PTRACE,
62965 + GR_RESOURCE,
62966 + GR_CAP,
62967 + GR_SIG,
62968 + GR_SIG2,
62969 + GR_CRASH1,
62970 + GR_CRASH2,
62971 + GR_PSACCT,
62972 + GR_RWXMAP
62973 +};
62974 +
62975 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
62976 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
62977 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
62978 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
62979 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
62980 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
62981 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
62982 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
62983 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
62984 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
62985 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
62986 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
62987 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
62988 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
62989 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
62990 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
62991 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
62992 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
62993 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
62994 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
62995 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
62996 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
62997 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
62998 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
62999 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63000 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63001 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63002 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63003 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63004 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63005 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63006 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63007 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63008 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63009 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63010 +
63011 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63012 +
63013 +#endif
63014 +
63015 +#endif
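Review bot: `gr_log_int5_str2` is tagged `GR_FIVE_INT_TWO_STR` but forwards only `num1, num2, str1, str2`. Unlike `gr_add_learn_entry` at the top of the header, `gr_log_varargs` carries no `format` attribute, so the compiler cannot check that the variadic arguments match what the tag or the message's conversions expect. The body of `gr_log_varargs` is outside this hunk; if it pulls five integers for that tag, its `va_arg` reads would run past what the caller supplied. I would rename the tag and macro to match the real argument list, or add a comment above the argtypes enum listing the exact variadic types each tag consumes, e.g. `/* GR_FIVE_INT_TWO_STR: int, int, char *, char * */` once that is confirmed against the implementation.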
63016 diff -urNp linux-2.6.39.1/include/linux/grmsg.h linux-2.6.39.1/include/linux/grmsg.h
63017 --- linux-2.6.39.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63018 +++ linux-2.6.39.1/include/linux/grmsg.h 2011-05-22 19:41:42.000000000 -0400
63019 @@ -0,0 +1,108 @@
63020 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63021 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63022 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63023 +#define GR_STOPMOD_MSG "denied modification of module state by "
63024 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63025 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63026 +#define GR_IOPERM_MSG "denied use of ioperm() by "
63027 +#define GR_IOPL_MSG "denied use of iopl() by "
63028 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63029 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63030 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63031 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63032 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63033 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63034 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63035 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63036 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63037 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63038 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63039 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63040 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63041 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63042 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63043 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63044 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63045 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63046 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63047 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63048 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63049 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63050 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63051 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63052 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63053 +#define GR_NPROC_MSG "denied overstep of process limit by "
63054 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63055 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63056 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63057 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63058 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63059 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63060 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63061 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63062 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63063 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63064 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63065 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63066 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63067 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63068 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63069 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63070 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63071 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63072 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63073 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63074 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63075 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63076 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63077 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63078 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63079 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63080 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63081 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63082 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63083 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63084 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63085 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63086 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63087 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63088 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63089 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63090 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63091 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63092 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63093 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
63094 +#define GR_NICE_CHROOT_MSG "denied priority change by "
63095 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63096 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63097 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63098 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63099 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63100 +#define GR_TIME_MSG "time set by "
63101 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63102 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63103 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63104 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63105 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63106 +#define GR_BIND_MSG "denied bind() by "
63107 +#define GR_CONNECT_MSG "denied connect() by "
63108 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63109 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63110 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63111 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63112 +#define GR_CAP_ACL_MSG "use of %s denied for "
63113 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63114 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63115 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63116 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63117 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63118 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63119 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63120 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63121 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63122 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63123 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63124 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63125 +#define GR_VM86_MSG "denied use of vm86 by "
63126 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63127 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
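Review bot: `GR_TEXTREL_AUDIT_MSG` prints the file name with a bare `%s`, whereas the other path-bearing messages in this header cap the field with a precision (`%.950s`, `%.480s`). The name is presumably a path chosen by whoever placed the file, and the size of the log buffer is not visible here, so an over-long name could truncate the subject details appended after ` by `. I would bound it like the rest: `#define GR_TEXTREL_AUDIT_MSG "text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. Separately, this header has no include guard, unlike the other new gr headers in this patch.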
63128 diff -urNp linux-2.6.39.1/include/linux/grsecurity.h linux-2.6.39.1/include/linux/grsecurity.h
63129 --- linux-2.6.39.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63130 +++ linux-2.6.39.1/include/linux/grsecurity.h 2011-05-22 19:41:42.000000000 -0400
63131 @@ -0,0 +1,212 @@
63132 +#ifndef GR_SECURITY_H
63133 +#define GR_SECURITY_H
63134 +#include <linux/fs.h>
63135 +#include <linux/fs_struct.h>
63136 +#include <linux/binfmts.h>
63137 +#include <linux/gracl.h>
63138 +#include <linux/compat.h>
63139 +
63140 +/* notify of brain-dead configs */
63141 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63142 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63143 +#endif
63144 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63145 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63146 +#endif
63147 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63148 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63149 +#endif
63150 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63151 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63152 +#endif
63153 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63154 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
63155 +#endif
63156 +
63157 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63158 +void gr_handle_brute_check(void);
63159 +void gr_handle_kernel_exploit(void);
63160 +int gr_process_user_ban(void);
63161 +
63162 +char gr_roletype_to_char(void);
63163 +
63164 +int gr_acl_enable_at_secure(void);
63165 +
63166 +int gr_check_user_change(int real, int effective, int fs);
63167 +int gr_check_group_change(int real, int effective, int fs);
63168 +
63169 +void gr_del_task_from_ip_table(struct task_struct *p);
63170 +
63171 +int gr_pid_is_chrooted(struct task_struct *p);
63172 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63173 +int gr_handle_chroot_nice(void);
63174 +int gr_handle_chroot_sysctl(const int op);
63175 +int gr_handle_chroot_setpriority(struct task_struct *p,
63176 + const int niceval);
63177 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63178 +int gr_handle_chroot_chroot(const struct dentry *dentry,
63179 + const struct vfsmount *mnt);
63180 +int gr_handle_chroot_caps(struct path *path);
63181 +void gr_handle_chroot_chdir(struct path *path);
63182 +int gr_handle_chroot_chmod(const struct dentry *dentry,
63183 + const struct vfsmount *mnt, const int mode);
63184 +int gr_handle_chroot_mknod(const struct dentry *dentry,
63185 + const struct vfsmount *mnt, const int mode);
63186 +int gr_handle_chroot_mount(const struct dentry *dentry,
63187 + const struct vfsmount *mnt,
63188 + const char *dev_name);
63189 +int gr_handle_chroot_pivot(void);
63190 +int gr_handle_chroot_unix(struct pid *pid);
63191 +
63192 +int gr_handle_rawio(const struct inode *inode);
63193 +int gr_handle_nproc(void);
63194 +
63195 +void gr_handle_ioperm(void);
63196 +void gr_handle_iopl(void);
63197 +
63198 +int gr_tpe_allow(const struct file *file);
63199 +
63200 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63201 +void gr_clear_chroot_entries(struct task_struct *task);
63202 +
63203 +void gr_log_forkfail(const int retval);
63204 +void gr_log_timechange(void);
63205 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63206 +void gr_log_chdir(const struct dentry *dentry,
63207 + const struct vfsmount *mnt);
63208 +void gr_log_chroot_exec(const struct dentry *dentry,
63209 + const struct vfsmount *mnt);
63210 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63211 +#ifdef CONFIG_COMPAT
63212 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63213 +#endif
63214 +void gr_log_remount(const char *devname, const int retval);
63215 +void gr_log_unmount(const char *devname, const int retval);
63216 +void gr_log_mount(const char *from, const char *to, const int retval);
63217 +void gr_log_textrel(struct vm_area_struct *vma);
63218 +void gr_log_rwxmmap(struct file *file);
63219 +void gr_log_rwxmprotect(struct file *file);
63220 +
63221 +int gr_handle_follow_link(const struct inode *parent,
63222 + const struct inode *inode,
63223 + const struct dentry *dentry,
63224 + const struct vfsmount *mnt);
63225 +int gr_handle_fifo(const struct dentry *dentry,
63226 + const struct vfsmount *mnt,
63227 + const struct dentry *dir, const int flag,
63228 + const int acc_mode);
63229 +int gr_handle_hardlink(const struct dentry *dentry,
63230 + const struct vfsmount *mnt,
63231 + struct inode *inode,
63232 + const int mode, const char *to);
63233 +
63234 +int gr_is_capable(const int cap);
63235 +int gr_is_capable_nolog(const int cap);
63236 +void gr_learn_resource(const struct task_struct *task, const int limit,
63237 + const unsigned long wanted, const int gt);
63238 +void gr_copy_label(struct task_struct *tsk);
63239 +void gr_handle_crash(struct task_struct *task, const int sig);
63240 +int gr_handle_signal(const struct task_struct *p, const int sig);
63241 +int gr_check_crash_uid(const uid_t uid);
63242 +int gr_check_protected_task(const struct task_struct *task);
63243 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63244 +int gr_acl_handle_mmap(const struct file *file,
63245 + const unsigned long prot);
63246 +int gr_acl_handle_mprotect(const struct file *file,
63247 + const unsigned long prot);
63248 +int gr_check_hidden_task(const struct task_struct *tsk);
63249 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63250 + const struct vfsmount *mnt);
63251 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
63252 + const struct vfsmount *mnt);
63253 +__u32 gr_acl_handle_access(const struct dentry *dentry,
63254 + const struct vfsmount *mnt, const int fmode);
63255 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63256 + const struct vfsmount *mnt, mode_t mode);
63257 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63258 + const struct vfsmount *mnt, mode_t mode);
63259 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
63260 + const struct vfsmount *mnt);
63261 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63262 + const struct vfsmount *mnt);
63263 +int gr_handle_ptrace(struct task_struct *task, const long request);
63264 +int gr_handle_proc_ptrace(struct task_struct *task);
63265 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
63266 + const struct vfsmount *mnt);
63267 +int gr_check_crash_exec(const struct file *filp);
63268 +int gr_acl_is_enabled(void);
63269 +void gr_set_kernel_label(struct task_struct *task);
63270 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
63271 + const gid_t gid);
63272 +int gr_set_proc_label(const struct dentry *dentry,
63273 + const struct vfsmount *mnt,
63274 + const int unsafe_share);
63275 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63276 + const struct vfsmount *mnt);
63277 +__u32 gr_acl_handle_open(const struct dentry *dentry,
63278 + const struct vfsmount *mnt, const int fmode);
63279 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
63280 + const struct dentry *p_dentry,
63281 + const struct vfsmount *p_mnt, const int fmode,
63282 + const int imode);
63283 +void gr_handle_create(const struct dentry *dentry,
63284 + const struct vfsmount *mnt);
63285 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63286 + const struct dentry *parent_dentry,
63287 + const struct vfsmount *parent_mnt,
63288 + const int mode);
63289 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63290 + const struct dentry *parent_dentry,
63291 + const struct vfsmount *parent_mnt);
63292 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63293 + const struct vfsmount *mnt);
63294 +void gr_handle_delete(const ino_t ino, const dev_t dev);
63295 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63296 + const struct vfsmount *mnt);
63297 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63298 + const struct dentry *parent_dentry,
63299 + const struct vfsmount *parent_mnt,
63300 + const char *from);
63301 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63302 + const struct dentry *parent_dentry,
63303 + const struct vfsmount *parent_mnt,
63304 + const struct dentry *old_dentry,
63305 + const struct vfsmount *old_mnt, const char *to);
63306 +int gr_acl_handle_rename(struct dentry *new_dentry,
63307 + struct dentry *parent_dentry,
63308 + const struct vfsmount *parent_mnt,
63309 + struct dentry *old_dentry,
63310 + struct inode *old_parent_inode,
63311 + struct vfsmount *old_mnt, const char *newname);
63312 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63313 + struct dentry *old_dentry,
63314 + struct dentry *new_dentry,
63315 + struct vfsmount *mnt, const __u8 replace);
63316 +__u32 gr_check_link(const struct dentry *new_dentry,
63317 + const struct dentry *parent_dentry,
63318 + const struct vfsmount *parent_mnt,
63319 + const struct dentry *old_dentry,
63320 + const struct vfsmount *old_mnt);
63321 +int gr_acl_handle_filldir(const struct file *file, const char *name,
63322 + const unsigned int namelen, const ino_t ino);
63323 +
63324 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
63325 + const struct vfsmount *mnt);
63326 +void gr_acl_handle_exit(void);
63327 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
63328 +int gr_acl_handle_procpidmem(const struct task_struct *task);
63329 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63330 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63331 +void gr_audit_ptrace(struct task_struct *task);
63332 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63333 +
63334 +#ifdef CONFIG_GRKERNSEC
63335 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63336 +void gr_handle_vm86(void);
63337 +void gr_handle_mem_readwrite(u64 from, u64 to);
63338 +
63339 +extern int grsec_enable_dmesg;
63340 +extern int grsec_disable_privio;
63341 +#endif
63342 +
63343 +#endif
63344 diff -urNp linux-2.6.39.1/include/linux/grsock.h linux-2.6.39.1/include/linux/grsock.h
63345 --- linux-2.6.39.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
63346 +++ linux-2.6.39.1/include/linux/grsock.h 2011-05-22 19:41:42.000000000 -0400
63347 @@ -0,0 +1,19 @@
63348 +#ifndef __GRSOCK_H
63349 +#define __GRSOCK_H
63350 +
63351 +extern void gr_attach_curr_ip(const struct sock *sk);
63352 +extern int gr_handle_sock_all(const int family, const int type,
63353 + const int protocol);
63354 +extern int gr_handle_sock_server(const struct sockaddr *sck);
63355 +extern int gr_handle_sock_server_other(const struct sock *sck);
63356 +extern int gr_handle_sock_client(const struct sockaddr *sck);
63357 +extern int gr_search_connect(struct socket * sock,
63358 + struct sockaddr_in * addr);
63359 +extern int gr_search_bind(struct socket * sock,
63360 + struct sockaddr_in * addr);
63361 +extern int gr_search_listen(struct socket * sock);
63362 +extern int gr_search_accept(struct socket * sock);
63363 +extern int gr_search_socket(const int domain, const int type,
63364 + const int protocol);
63365 +
63366 +#endif
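Review bot: The new header grsock.h is not self-contained: every prototype from `gr_attach_curr_ip` to `gr_search_socket` that takes a pointer names `struct sock`, `struct socket`, `struct sockaddr` or `struct sockaddr_in` without a forward declaration or an include. An includer that has not already pulled in the socket headers would get struct types scoped to the prototype, and "declared inside parameter list" or incompatible-pointer warnings. Adding `struct sock; struct socket;` and `struct sockaddr; struct sockaddr_in;` after the guard would fix that. The `extern` keyword and the `struct socket * sock` spacing also differ from the grsecurity prototypes in the header just above this file, which use neither.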
63367 diff -urNp linux-2.6.39.1/include/linux/highmem.h linux-2.6.39.1/include/linux/highmem.h
63368 --- linux-2.6.39.1/include/linux/highmem.h 2011-05-19 00:06:34.000000000 -0400
63369 +++ linux-2.6.39.1/include/linux/highmem.h 2011-05-22 19:36:33.000000000 -0400
63370 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
63371 kunmap_atomic(kaddr, KM_USER0);
63372 }
63373
63374 +static inline void sanitize_highpage(struct page *page)
63375 +{
63376 + void *kaddr;
63377 + unsigned long flags;
63378 +
63379 + local_irq_save(flags);
63380 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
63381 + clear_page(kaddr);
63382 + kunmap_atomic(kaddr, KM_CLEARPAGE);
63383 + local_irq_restore(flags);
63384 +}
63385 +
63386 static inline void zero_user_segments(struct page *page,
63387 unsigned start1, unsigned end1,
63388 unsigned start2, unsigned end2)
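Review bot: `sanitize_highpage()` has no comment saying how it differs from `clear_highpage()`, whose visible tail just above unmaps with `KM_USER0` and does not touch interrupt state. The new function saves and disables local interrupts and maps through a separate `KM_CLEARPAGE` slot, presumably so it can run in contexts where `KM_USER0` may already be in use. That calling-context contract should be written down, for example `/* like clear_highpage(), but uses its own kmap slot with IRQs off so it is safe from any context */` once confirmed. `KM_CLEARPAGE` is not defined in this hunk, so it is worth checking that the slot is added for every architecture that builds this header.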
63389 diff -urNp linux-2.6.39.1/include/linux/i2o.h linux-2.6.39.1/include/linux/i2o.h
63390 --- linux-2.6.39.1/include/linux/i2o.h 2011-05-19 00:06:34.000000000 -0400
63391 +++ linux-2.6.39.1/include/linux/i2o.h 2011-05-22 19:36:33.000000000 -0400
63392 @@ -564,7 +564,7 @@ struct i2o_controller {
63393 struct i2o_device *exec; /* Executive */
63394 #if BITS_PER_LONG == 64
63395 spinlock_t context_list_lock; /* lock for context_list */
63396 - atomic_t context_list_counter; /* needed for unique contexts */
63397 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63398 struct list_head context_list; /* list of context id's
63399 and pointers */
63400 #endif
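Review bot: `context_list_counter` keeps the comment "needed for unique contexts", yet the hunk moves it to `atomic_unchecked_t`, which by its name is the variant exempt from overflow checking. If the counter can wrap, two entries could presumably be given the same context value. The code that increments it is outside this hunk, so that needs checking there. A short remark next to the field, such as `/* unchecked: wrap is harmless because ... */` with the actual reason filled in, would record why the exemption is safe. `struct i2o_controller` begins and ends outside the hunk.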
63401 diff -urNp linux-2.6.39.1/include/linux/if_phonet.h linux-2.6.39.1/include/linux/if_phonet.h
63402 --- linux-2.6.39.1/include/linux/if_phonet.h 2011-05-19 00:06:34.000000000 -0400
63403 +++ linux-2.6.39.1/include/linux/if_phonet.h 2011-05-22 19:36:33.000000000 -0400
63404 @@ -13,7 +13,7 @@
63405 #define PHONET_DEV_MTU PHONET_MAX_MTU
63406
63407 #ifdef __KERNEL__
63408 -extern struct header_ops phonet_header_ops;
63409 +extern const struct header_ops phonet_header_ops;
63410 #endif
63411
63412 #endif
63413 diff -urNp linux-2.6.39.1/include/linux/init.h linux-2.6.39.1/include/linux/init.h
63414 --- linux-2.6.39.1/include/linux/init.h 2011-05-19 00:06:34.000000000 -0400
63415 +++ linux-2.6.39.1/include/linux/init.h 2011-05-22 19:36:33.000000000 -0400
63416 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
63417
63418 /* Each module must use one module_init(). */
63419 #define module_init(initfn) \
63420 - static inline initcall_t __inittest(void) \
63421 + static inline __used initcall_t __inittest(void) \
63422 { return initfn; } \
63423 int init_module(void) __attribute__((alias(#initfn)));
63424
63425 /* This is only required if you want to be unloadable. */
63426 #define module_exit(exitfn) \
63427 - static inline exitcall_t __exittest(void) \
63428 + static inline __used exitcall_t __exittest(void) \
63429 { return exitfn; } \
63430 void cleanup_module(void) __attribute__((alias(#exitfn)));
63431
63432 diff -urNp linux-2.6.39.1/include/linux/init_task.h linux-2.6.39.1/include/linux/init_task.h
63433 --- linux-2.6.39.1/include/linux/init_task.h 2011-05-19 00:06:34.000000000 -0400
63434 +++ linux-2.6.39.1/include/linux/init_task.h 2011-05-22 19:36:33.000000000 -0400
63435 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
63436 #define INIT_IDS
63437 #endif
63438
63439 +#ifdef CONFIG_X86
63440 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63441 +#else
63442 +#define INIT_TASK_THREAD_INFO
63443 +#endif
63444 +
63445 /*
63446 * Because of the reduced scope of CAP_SETPCAP when filesystem
63447 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
63448 @@ -163,6 +169,7 @@ extern struct cred init_cred;
63449 RCU_INIT_POINTER(.cred, &init_cred), \
63450 .comm = "swapper", \
63451 .thread = INIT_THREAD, \
63452 + INIT_TASK_THREAD_INFO \
63453 .fs = &init_fs, \
63454 .files = &init_files, \
63455 .signal = &init_signals, \
63456 diff -urNp linux-2.6.39.1/include/linux/interrupt.h linux-2.6.39.1/include/linux/interrupt.h
63457 --- linux-2.6.39.1/include/linux/interrupt.h 2011-05-19 00:06:34.000000000 -0400
63458 +++ linux-2.6.39.1/include/linux/interrupt.h 2011-05-22 19:36:33.000000000 -0400
63459 @@ -422,7 +422,7 @@ enum
63460 /* map softirq index to softirq name. update 'softirq_to_name' in
63461 * kernel/softirq.c when adding a new softirq.
63462 */
63463 -extern char *softirq_to_name[NR_SOFTIRQS];
63464 +extern const char * const softirq_to_name[NR_SOFTIRQS];
63465
63466 /* softirq mask and active fields moved to irq_cpustat_t in
63467 * asm/hardirq.h to get better cache usage. KAO
63468 @@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63469
63470 struct softirq_action
63471 {
63472 - void (*action)(struct softirq_action *);
63473 + void (*action)(void);
63474 };
63475
63476 asmlinkage void do_softirq(void);
63477 asmlinkage void __do_softirq(void);
63478 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63479 +extern void open_softirq(int nr, void (*action)(void));
63480 extern void softirq_init(void);
63481 static inline void __raise_softirq_irqoff(unsigned int nr)
63482 {
63483 diff -urNp linux-2.6.39.1/include/linux/iommu.h linux-2.6.39.1/include/linux/iommu.h
63484 --- linux-2.6.39.1/include/linux/iommu.h 2011-05-19 00:06:34.000000000 -0400
63485 +++ linux-2.6.39.1/include/linux/iommu.h 2011-05-22 19:36:33.000000000 -0400
63486 @@ -49,7 +49,7 @@ struct iommu_ops {
63487
63488 #ifdef CONFIG_IOMMU_API
63489
63490 -extern void register_iommu(struct iommu_ops *ops);
63491 +extern void register_iommu(const struct iommu_ops *ops);
63492 extern bool iommu_found(void);
63493 extern struct iommu_domain *iommu_domain_alloc(void);
63494 extern void iommu_domain_free(struct iommu_domain *domain);
63495 diff -urNp linux-2.6.39.1/include/linux/ipmi.h linux-2.6.39.1/include/linux/ipmi.h
63496 --- linux-2.6.39.1/include/linux/ipmi.h 2011-05-19 00:06:34.000000000 -0400
63497 +++ linux-2.6.39.1/include/linux/ipmi.h 2011-05-22 19:36:33.000000000 -0400
63498 @@ -282,7 +282,7 @@ struct ipmi_user_hndl {
63499
63500 /* Create a new user of the IPMI layer on the given interface number. */
63501 int ipmi_create_user(unsigned int if_num,
63502 - struct ipmi_user_hndl *handler,
63503 + const struct ipmi_user_hndl *handler,
63504 void *handler_data,
63505 ipmi_user_t *user);
63506
63507 diff -urNp linux-2.6.39.1/include/linux/kallsyms.h linux-2.6.39.1/include/linux/kallsyms.h
63508 --- linux-2.6.39.1/include/linux/kallsyms.h 2011-05-19 00:06:34.000000000 -0400
63509 +++ linux-2.6.39.1/include/linux/kallsyms.h 2011-05-22 22:52:54.000000000 -0400
63510 @@ -15,7 +15,8 @@
63511
63512 struct module;
63513
63514 -#ifdef CONFIG_KALLSYMS
63515 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63516 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63517 /* Lookup the address for a symbol. Returns 0 if not found. */
63518 unsigned long kallsyms_lookup_name(const char *name);
63519
63520 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
63521 /* Stupid that this does nothing, but I didn't create this mess. */
63522 #define __print_symbol(fmt, addr)
63523 #endif /*CONFIG_KALLSYMS*/
63524 +#else /* when included by kallsyms.c, vsnprintf.c, or
63525 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63526 +extern void __print_symbol(const char *fmt, unsigned long address);
63527 +extern int sprint_backtrace(char *buffer, unsigned long address);
63528 +extern int sprint_symbol(char *buffer, unsigned long address);
63529 +const char *kallsyms_lookup(unsigned long addr,
63530 + unsigned long *symbolsize,
63531 + unsigned long *offset,
63532 + char **modname, char *namebuf);
63533 +#endif
63534
63535 /* This macro allows us to keep printk typechecking */
63536 static void __check_printsym_format(const char *fmt, ...)
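Review bot: The `#endif` added at the end of this hunk has no trailing comment, and the existing `#endif /*CONFIG_KALLSYMS*/` directly above the new `#else` now closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` from the previous hunk, so its label is stale. With two nested conditionals I would label both, e.g. `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The `#else` branch declares only `__print_symbol`, `sprint_backtrace`, `sprint_symbol` and `kallsyms_lookup`. If the three files named in its comment use anything else from this header they would get no prototype, which is worth confirming against those files.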
63537 diff -urNp linux-2.6.39.1/include/linux/kgdb.h linux-2.6.39.1/include/linux/kgdb.h
63538 --- linux-2.6.39.1/include/linux/kgdb.h 2011-05-19 00:06:34.000000000 -0400
63539 +++ linux-2.6.39.1/include/linux/kgdb.h 2011-05-22 19:36:33.000000000 -0400
63540 @@ -53,7 +53,7 @@ extern int kgdb_connected;
63541 extern int kgdb_io_module_registered;
63542
63543 extern atomic_t kgdb_setting_breakpoint;
63544 -extern atomic_t kgdb_cpu_doing_single_step;
63545 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63546
63547 extern struct task_struct *kgdb_usethread;
63548 extern struct task_struct *kgdb_contthread;
63549 @@ -269,22 +269,22 @@ struct kgdb_arch {
63550 */
63551 struct kgdb_io {
63552 const char *name;
63553 - int (*read_char) (void);
63554 - void (*write_char) (u8);
63555 - void (*flush) (void);
63556 - int (*init) (void);
63557 - void (*pre_exception) (void);
63558 - void (*post_exception) (void);
63559 + int (* const read_char) (void);
63560 + void (* const write_char) (u8);
63561 + void (* const flush) (void);
63562 + int (* const init) (void);
63563 + void (* const pre_exception) (void);
63564 + void (* const post_exception) (void);
63565 int is_console;
63566 };
63567
63568 -extern struct kgdb_arch arch_kgdb_ops;
63569 +extern const struct kgdb_arch arch_kgdb_ops;
63570
63571 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
63572
63573 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
63574 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
63575 -extern struct kgdb_io *dbg_io_ops;
63576 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
63577 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
63578 +extern const struct kgdb_io *dbg_io_ops;
63579
63580 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
63581 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
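Review bot: Qualifying each callback in `struct kgdb_io` as `(* const ...)` is redundant with the `const struct kgdb_io *` now used by `kgdb_register_io_module`, `kgdb_unregister_io_module` and `dbg_io_ops` in the same hunk. It also means an instance can no longer be filled in at run time or copied by assignment. `is_console` stays writable in the type, but code that writes it through `dbg_io_ops` would stop compiling. A comment on the struct such as `/* instances must be statically initialised; all users take const pointers */` would state the new contract. The same member-level `const` appears on `fopen` and `fclose` in `struct nlmsvc_binding` in lockd/bind.h.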
63582 diff -urNp linux-2.6.39.1/include/linux/kmod.h linux-2.6.39.1/include/linux/kmod.h
63583 --- linux-2.6.39.1/include/linux/kmod.h 2011-05-19 00:06:34.000000000 -0400
63584 +++ linux-2.6.39.1/include/linux/kmod.h 2011-05-22 19:41:42.000000000 -0400
63585 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
63586 * usually useless though. */
63587 extern int __request_module(bool wait, const char *name, ...) \
63588 __attribute__((format(printf, 2, 3)));
63589 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
63590 + __attribute__((format(printf, 3, 4)));
63591 #define request_module(mod...) __request_module(true, mod)
63592 #define request_module_nowait(mod...) __request_module(false, mod)
63593 #define try_then_request_module(x, mod...) \
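Review bot: `___request_module` differs from `__request_module` on the lines above by a single underscore and carries no comment, so the two are easy to confuse at call sites and in review. The extra `param_name` argument is `char *` rather than `const char *`. If the callee does not write through it (its body is not in this hunk), the prototype should read `extern int ___request_module(bool wait, const char *param_name, const char *name, ...)`. A one-line comment stating what `param_name` is used for and who may call this variant would also help.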
63594 diff -urNp linux-2.6.39.1/include/linux/kvm_host.h linux-2.6.39.1/include/linux/kvm_host.h
63595 --- linux-2.6.39.1/include/linux/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
63596 +++ linux-2.6.39.1/include/linux/kvm_host.h 2011-05-22 19:36:33.000000000 -0400
63597 @@ -302,7 +302,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
63598 void vcpu_load(struct kvm_vcpu *vcpu);
63599 void vcpu_put(struct kvm_vcpu *vcpu);
63600
63601 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
63602 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
63603 struct module *module);
63604 void kvm_exit(void);
63605
63606 @@ -442,7 +442,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
63607 struct kvm_guest_debug *dbg);
63608 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
63609
63610 -int kvm_arch_init(void *opaque);
63611 +int kvm_arch_init(const void *opaque);
63612 void kvm_arch_exit(void);
63613
63614 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
63615 diff -urNp linux-2.6.39.1/include/linux/lapb.h linux-2.6.39.1/include/linux/lapb.h
63616 --- linux-2.6.39.1/include/linux/lapb.h 2011-05-19 00:06:34.000000000 -0400
63617 +++ linux-2.6.39.1/include/linux/lapb.h 2011-05-22 19:36:33.000000000 -0400
63618 @@ -44,7 +44,7 @@ struct lapb_parms_struct {
63619 unsigned int mode;
63620 };
63621
63622 -extern int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks);
63623 +extern int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks);
63624 extern int lapb_unregister(struct net_device *dev);
63625 extern int lapb_getparms(struct net_device *dev, struct lapb_parms_struct *parms);
63626 extern int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms);
63627 diff -urNp linux-2.6.39.1/include/linux/lcd.h linux-2.6.39.1/include/linux/lcd.h
63628 --- linux-2.6.39.1/include/linux/lcd.h 2011-05-19 00:06:34.000000000 -0400
63629 +++ linux-2.6.39.1/include/linux/lcd.h 2011-05-22 19:36:33.000000000 -0400
63630 @@ -60,7 +60,7 @@ struct lcd_device {
63631 points to something in the body of that driver, it is also invalid. */
63632 struct mutex ops_lock;
63633 /* If this is NULL, the backing module is unloaded */
63634 - struct lcd_ops *ops;
63635 + const struct lcd_ops *ops;
63636 /* Serialise access to set_power method */
63637 struct mutex update_lock;
63638 /* The framebuffer notifier block */
63639 @@ -101,7 +101,7 @@ static inline void lcd_set_power(struct
63640 }
63641
63642 extern struct lcd_device *lcd_device_register(const char *name,
63643 - struct device *parent, void *devdata, struct lcd_ops *ops);
63644 + struct device *parent, void *devdata, const struct lcd_ops *ops);
63645 extern void lcd_device_unregister(struct lcd_device *ld);
63646
63647 #define to_lcd_device(obj) container_of(obj, struct lcd_device, dev)
63648 diff -urNp linux-2.6.39.1/include/linux/libata.h linux-2.6.39.1/include/linux/libata.h
63649 --- linux-2.6.39.1/include/linux/libata.h 2011-05-19 00:06:34.000000000 -0400
63650 +++ linux-2.6.39.1/include/linux/libata.h 2011-05-22 19:36:33.000000000 -0400
63651 @@ -524,11 +524,11 @@ struct ata_ioports {
63652
63653 struct ata_host {
63654 spinlock_t lock;
63655 - struct device *dev;
63656 + struct device *dev;
63657 void __iomem * const *iomap;
63658 unsigned int n_ports;
63659 void *private_data;
63660 - struct ata_port_operations *ops;
63661 + const struct ata_port_operations *ops;
63662 unsigned long flags;
63663
63664 struct mutex eh_mutex;
63665 @@ -719,7 +719,7 @@ struct ata_link {
63666
63667 struct ata_port {
63668 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
63669 - struct ata_port_operations *ops;
63670 + const struct ata_port_operations *ops;
63671 spinlock_t *lock;
63672 /* Flags owned by the EH context. Only EH should touch these once the
63673 port is active */
63674 @@ -907,7 +907,7 @@ struct ata_port_info {
63675 unsigned long pio_mask;
63676 unsigned long mwdma_mask;
63677 unsigned long udma_mask;
63678 - struct ata_port_operations *port_ops;
63679 + const struct ata_port_operations *port_ops;
63680 void *private_data;
63681 };
63682
63683 @@ -931,7 +931,7 @@ extern const unsigned long sata_deb_timi
63684 extern const unsigned long sata_deb_timing_hotplug[];
63685 extern const unsigned long sata_deb_timing_long[];
63686
63687 -extern struct ata_port_operations ata_dummy_port_ops;
63688 +extern const struct ata_port_operations ata_dummy_port_ops;
63689 extern const struct ata_port_info ata_dummy_port_info;
63690
63691 static inline const unsigned long *
63692 @@ -977,7 +977,7 @@ extern int ata_host_activate(struct ata_
63693 struct scsi_host_template *sht);
63694 extern void ata_host_detach(struct ata_host *host);
63695 extern void ata_host_init(struct ata_host *, struct device *,
63696 - unsigned long, struct ata_port_operations *);
63697 + unsigned long, const struct ata_port_operations *);
63698 extern int ata_scsi_detect(struct scsi_host_template *sht);
63699 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
63700 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
63701 diff -urNp linux-2.6.39.1/include/linux/lockd/bind.h linux-2.6.39.1/include/linux/lockd/bind.h
63702 --- linux-2.6.39.1/include/linux/lockd/bind.h 2011-05-19 00:06:34.000000000 -0400
63703 +++ linux-2.6.39.1/include/linux/lockd/bind.h 2011-05-22 19:36:33.000000000 -0400
63704 @@ -23,13 +23,13 @@ struct svc_rqst;
63705 * This is the set of functions for lockd->nfsd communication
63706 */
63707 struct nlmsvc_binding {
63708 - __be32 (*fopen)(struct svc_rqst *,
63709 + __be32 (* const fopen)(struct svc_rqst *,
63710 struct nfs_fh *,
63711 struct file **);
63712 - void (*fclose)(struct file *);
63713 + void (* const fclose)(struct file *);
63714 };
63715
63716 -extern struct nlmsvc_binding * nlmsvc_ops;
63717 +extern const struct nlmsvc_binding * nlmsvc_ops;
63718
63719 /*
63720 * Similar to nfs_client_initdata, but without the NFS-specific
63721 diff -urNp linux-2.6.39.1/include/linux/mfd/abx500.h linux-2.6.39.1/include/linux/mfd/abx500.h
63722 --- linux-2.6.39.1/include/linux/mfd/abx500.h 2011-05-19 00:06:34.000000000 -0400
63723 +++ linux-2.6.39.1/include/linux/mfd/abx500.h 2011-05-22 19:36:33.000000000 -0400
63724 @@ -227,6 +227,6 @@ struct abx500_ops {
63725 int (*startup_irq_enabled) (struct device *, unsigned int);
63726 };
63727
63728 -int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
63729 +int abx500_register_ops(struct device *core_dev, const struct abx500_ops *ops);
63730 void abx500_remove_ops(struct device *dev);
63731 #endif
63732 diff -urNp linux-2.6.39.1/include/linux/mm.h linux-2.6.39.1/include/linux/mm.h
63733 --- linux-2.6.39.1/include/linux/mm.h 2011-05-19 00:06:34.000000000 -0400
63734 +++ linux-2.6.39.1/include/linux/mm.h 2011-05-22 19:36:33.000000000 -0400
63735 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
63736
63737 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
63738 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
63739 +
63740 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63741 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
63742 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
63743 +#else
63744 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
63745 +#endif
63746 +
63747 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
63748 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
63749
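Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` the bit `0x20000000` is given to `VM_PAGEEXEC` and `VM_SAO` becomes `0`, but the copied comment "Strong Access Ordering (powerpc)" does not say that the bit is being reused. A zero flag makes every `vm_flags & VM_SAO` test false and every `|= VM_SAO` a no-op. That is only correct if no x86-32 code depends on the flag, as the "(powerpc)" remark suggests. I would change the comment on the zero definition to something like `/* unused on x86-32; bit 0x20000000 is reused for VM_PAGEEXEC */`.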
63750 @@ -1010,34 +1017,6 @@ int set_page_dirty(struct page *page);
63751 int set_page_dirty_lock(struct page *page);
63752 int clear_page_dirty_for_io(struct page *page);
63753
63754 -/* Is the vma a continuation of the stack vma above it? */
63755 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
63756 -{
63757 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
63758 -}
63759 -
63760 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
63761 - unsigned long addr)
63762 -{
63763 - return (vma->vm_flags & VM_GROWSDOWN) &&
63764 - (vma->vm_start == addr) &&
63765 - !vma_growsdown(vma->vm_prev, addr);
63766 -}
63767 -
63768 -/* Is the vma a continuation of the stack vma below it? */
63769 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
63770 -{
63771 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
63772 -}
63773 -
63774 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
63775 - unsigned long addr)
63776 -{
63777 - return (vma->vm_flags & VM_GROWSUP) &&
63778 - (vma->vm_end == addr) &&
63779 - !vma_growsup(vma->vm_next, addr);
63780 -}
63781 -
63782 extern unsigned long move_page_tables(struct vm_area_struct *vma,
63783 unsigned long old_addr, struct vm_area_struct *new_vma,
63784 unsigned long new_addr, unsigned long len);
63785 @@ -1189,6 +1168,15 @@ struct shrinker {
63786 extern void register_shrinker(struct shrinker *);
63787 extern void unregister_shrinker(struct shrinker *);
63788
63789 +#ifdef CONFIG_MMU
63790 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
63791 +#else
63792 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
63793 +{
63794 + return __pgprot(0);
63795 +}
63796 +#endif
63797 +
63798 int vma_wants_writenotify(struct vm_area_struct *vma);
63799
63800 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
63801 @@ -1476,6 +1464,7 @@ out:
63802 }
63803
63804 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
63805 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
63806
63807 extern unsigned long do_brk(unsigned long, unsigned long);
63808
63809 @@ -1532,6 +1521,10 @@ extern struct vm_area_struct * find_vma(
63810 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
63811 struct vm_area_struct **pprev);
63812
63813 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
63814 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
63815 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
63816 +
63817 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
63818 NULL if none. Assume start_addr < end_addr. */
63819 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
63820 @@ -1548,15 +1541,6 @@ static inline unsigned long vma_pages(st
63821 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
63822 }
63823
63824 -#ifdef CONFIG_MMU
63825 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
63826 -#else
63827 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
63828 -{
63829 - return __pgprot(0);
63830 -}
63831 -#endif
63832 -
63833 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
63834 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
63835 unsigned long pfn, unsigned long size, pgprot_t);
63836 @@ -1668,7 +1652,7 @@ extern int unpoison_memory(unsigned long
63837 extern int sysctl_memory_failure_early_kill;
63838 extern int sysctl_memory_failure_recovery;
63839 extern void shake_page(struct page *p, int access);
63840 -extern atomic_long_t mce_bad_pages;
63841 +extern atomic_long_unchecked_t mce_bad_pages;
63842 extern int soft_offline_page(struct page *page, int flags);
63843
63844 extern void dump_page(struct page *page);
63845 @@ -1682,5 +1666,11 @@ extern void copy_user_huge_page(struct p
63846 unsigned int pages_per_huge_page);
63847 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
63848
63849 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
63850 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
63851 +#else
63852 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
63853 +#endif
63854 +
63855 #endif /* __KERNEL__ */
63856 #endif /* _LINUX_MM_H */
63857 diff -urNp linux-2.6.39.1/include/linux/mm_types.h linux-2.6.39.1/include/linux/mm_types.h
63858 --- linux-2.6.39.1/include/linux/mm_types.h 2011-05-19 00:06:34.000000000 -0400
63859 +++ linux-2.6.39.1/include/linux/mm_types.h 2011-05-22 19:36:33.000000000 -0400
63860 @@ -183,6 +183,8 @@ struct vm_area_struct {
63861 #ifdef CONFIG_NUMA
63862 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
63863 #endif
63864 +
63865 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
63866 };
63867
63868 struct core_thread {
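Review bot: `vm_mirror` is added to `struct vm_area_struct` without any `#ifdef`, whereas the PaX fields added to `struct mm_struct` in the next hunk are each guarded by a `CONFIG_PAX_*` option. As written, every VMA grows by one pointer even in kernels built without the feature that uses mirroring. If that is intentional, for example to avoid conditionals at the use sites, the field comment should say so, e.g. `/* PaX: mirror vma or NULL; present in all configs */`. `struct vm_area_struct` begins outside the hunk.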
63869 @@ -317,6 +319,24 @@ struct mm_struct {
63870 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
63871 pgtable_t pmd_huge_pte; /* protected by page_table_lock */
63872 #endif
63873 +
63874 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
63875 + unsigned long pax_flags;
63876 +#endif
63877 +
63878 +#ifdef CONFIG_PAX_DLRESOLVE
63879 + unsigned long call_dl_resolve;
63880 +#endif
63881 +
63882 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
63883 + unsigned long call_syscall;
63884 +#endif
63885 +
63886 +#ifdef CONFIG_PAX_ASLR
63887 + unsigned long delta_mmap; /* randomized offset */
63888 + unsigned long delta_stack; /* randomized offset */
63889 +#endif
63890 +
63891 };
63892
63893 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
63894 diff -urNp linux-2.6.39.1/include/linux/mmu_notifier.h linux-2.6.39.1/include/linux/mmu_notifier.h
63895 --- linux-2.6.39.1/include/linux/mmu_notifier.h 2011-05-19 00:06:34.000000000 -0400
63896 +++ linux-2.6.39.1/include/linux/mmu_notifier.h 2011-05-22 19:36:33.000000000 -0400
63897 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
63898 */
63899 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
63900 ({ \
63901 - pte_t __pte; \
63902 + pte_t ___pte; \
63903 struct vm_area_struct *___vma = __vma; \
63904 unsigned long ___address = __address; \
63905 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
63906 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
63907 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
63908 - __pte; \
63909 + ___pte; \
63910 })
63911
63912 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
63913 diff -urNp linux-2.6.39.1/include/linux/mmzone.h linux-2.6.39.1/include/linux/mmzone.h
63914 --- linux-2.6.39.1/include/linux/mmzone.h 2011-05-19 00:06:34.000000000 -0400
63915 +++ linux-2.6.39.1/include/linux/mmzone.h 2011-05-22 19:36:33.000000000 -0400
63916 @@ -355,7 +355,7 @@ struct zone {
63917 unsigned long flags; /* zone flags, see below */
63918
63919 /* Zone statistics */
63920 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63921 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63922
63923 /*
63924 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
63925 diff -urNp linux-2.6.39.1/include/linux/mod_devicetable.h linux-2.6.39.1/include/linux/mod_devicetable.h
63926 --- linux-2.6.39.1/include/linux/mod_devicetable.h 2011-05-19 00:06:34.000000000 -0400
63927 +++ linux-2.6.39.1/include/linux/mod_devicetable.h 2011-05-22 19:36:33.000000000 -0400
63928 @@ -12,7 +12,7 @@
63929 typedef unsigned long kernel_ulong_t;
63930 #endif
63931
63932 -#define PCI_ANY_ID (~0)
63933 +#define PCI_ANY_ID ((__u16)~0)
63934
63935 struct pci_device_id {
63936 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
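Review bot: `PCI_ANY_ID` is narrowed to `(__u16)~0` while the `vendor, device` members on the last line of this hunk are `__u32`, so the wildcard stored in a device table changes from 0xffffffff to 0x0000ffff. Comparisons written against the macro stay consistent. Anything that compares these fields with a literal `~0` or `-1`, or that was built against the old header, would no longer see a wildcard, and that cannot be checked from this hunk. A comment on the define, e.g. `/* 16-bit wildcard stored in 32-bit id fields; always compare against PCI_ANY_ID, never ~0 */`, would make the new value explicit.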
63937 @@ -131,7 +131,7 @@ struct usb_device_id {
63938 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
63939 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
63940
63941 -#define HID_ANY_ID (~0)
63942 +#define HID_ANY_ID (~0U)
63943
63944 struct hid_device_id {
63945 __u16 bus;
63946 diff -urNp linux-2.6.39.1/include/linux/module.h linux-2.6.39.1/include/linux/module.h
63947 --- linux-2.6.39.1/include/linux/module.h 2011-05-19 00:06:34.000000000 -0400
63948 +++ linux-2.6.39.1/include/linux/module.h 2011-05-22 19:36:33.000000000 -0400
63949 @@ -324,19 +324,16 @@ struct module
63950 int (*init)(void);
63951
63952 /* If this is non-NULL, vfree after init() returns */
63953 - void *module_init;
63954 + void *module_init_rx, *module_init_rw;
63955
63956 /* Here is the actual code + data, vfree'd on unload. */
63957 - void *module_core;
63958 + void *module_core_rx, *module_core_rw;
63959
63960 /* Here are the sizes of the init and core sections */
63961 - unsigned int init_size, core_size;
63962 + unsigned int init_size_rw, core_size_rw;
63963
63964 /* The size of the executable code in each section. */
63965 - unsigned int init_text_size, core_text_size;
63966 -
63967 - /* Size of RO sections of the module (text+rodata) */
63968 - unsigned int init_ro_size, core_ro_size;
63969 + unsigned int init_size_rx, core_size_rx;
63970
63971 /* Arch-specific module values */
63972 struct mod_arch_specific arch;
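Review bot: The comments kept above the renamed fields no longer describe them. "Here are the sizes of the init and core sections" now sits over `init_size_rw, core_size_rw`, and "The size of the executable code in each section" over `init_size_rx, core_size_rx`. Judging by the names and by `within_module_core()` in the next hunk, each region is now split into an rx and an rw part with its own base pointer and size. The comments should say which part each field covers, e.g. `/* Sizes of the rw parts of the init and core regions */` and `/* Sizes of the rx parts of the init and core regions */`. `struct module` begins and ends outside the hunk.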
63973 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
63974 bool is_module_percpu_address(unsigned long addr);
63975 bool is_module_text_address(unsigned long addr);
63976
63977 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
63978 +{
63979 +
63980 +#ifdef CONFIG_PAX_KERNEXEC
63981 + if (ktla_ktva(addr) >= (unsigned long)start &&
63982 + ktla_ktva(addr) < (unsigned long)start + size)
63983 + return 1;
63984 +#endif
63985 +
63986 + return ((void *)addr >= start && (void *)addr < start + size);
63987 +}
63988 +
63989 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
63990 +{
63991 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
63992 +}
63993 +
63994 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
63995 +{
63996 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
63997 +}
63998 +
63999 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64000 +{
64001 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64002 +}
64003 +
64004 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64005 +{
64006 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64007 +}
64008 +
64009 static inline int within_module_core(unsigned long addr, struct module *mod)
64010 {
64011 - return (unsigned long)mod->module_core <= addr &&
64012 - addr < (unsigned long)mod->module_core + mod->core_size;
64013 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64014 }
64015
64016 static inline int within_module_init(unsigned long addr, struct module *mod)
64017 {
64018 - return (unsigned long)mod->module_init <= addr &&
64019 - addr < (unsigned long)mod->module_init + mod->init_size;
64020 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64021 }
64022
64023 /* Search for module by name: must hold module_mutex. */
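Review bot: `within_module_range()` applies the `ktla_ktva()` alias test to every range, including the `_rw` ranges passed in by `within_module_core_rw()` and `within_module_init_rw()`. `ktla_ktva()` is not defined in this hunk; if the translation is only meaningful for executable mappings, the writable-range helpers could report true for an address that merely aliases into them, so the alias test may belong in the `_rx` wrappers only. The two tests are also written in different forms (integer compare versus `void *` arithmetic); the final line reads more consistently as `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`. A one-line comment such as `/* also accept the KERNEXEC alias of addr */` above the `#ifdef` would explain why two comparisons exist.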
64024 diff -urNp linux-2.6.39.1/include/linux/moduleloader.h linux-2.6.39.1/include/linux/moduleloader.h
64025 --- linux-2.6.39.1/include/linux/moduleloader.h 2011-05-19 00:06:34.000000000 -0400
64026 +++ linux-2.6.39.1/include/linux/moduleloader.h 2011-05-22 19:36:33.000000000 -0400
64027 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64028 sections. Returns NULL on failure. */
64029 void *module_alloc(unsigned long size);
64030
64031 +#ifdef CONFIG_PAX_KERNEXEC
64032 +void *module_alloc_exec(unsigned long size);
64033 +#else
64034 +#define module_alloc_exec(x) module_alloc(x)
64035 +#endif
64036 +
64037 /* Free memory returned from module_alloc. */
64038 void module_free(struct module *mod, void *module_region);
64039
64040 +#ifdef CONFIG_PAX_KERNEXEC
64041 +void module_free_exec(struct module *mod, void *module_region);
64042 +#else
64043 +#define module_free_exec(x, y) module_free((x), (y))
64044 +#endif
64045 +
64046 /* Apply the given relocation to the (simplified) ELF. Return -error
64047 or 0. */
64048 int apply_relocate(Elf_Shdr *sechdrs,
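Review bot: Neither new declaration says which allocator pairs with which release function, and a region obtained from `module_alloc_exec()` but passed to plain `module_free()` would be easy to write by mistake. Suggested comments are `/* Allocate memory for module code; release with module_free_exec(). */` and `/* Free memory returned from module_alloc_exec(). */`. The two fallback macros are also parenthesized differently (`module_alloc(x)` versus `module_free((x), (y))`); `static inline` wrappers would give the non-KERNEXEC build the same type checking as the real prototypes.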
64049 diff -urNp linux-2.6.39.1/include/linux/moduleparam.h linux-2.6.39.1/include/linux/moduleparam.h
64050 --- linux-2.6.39.1/include/linux/moduleparam.h 2011-05-19 00:06:34.000000000 -0400
64051 +++ linux-2.6.39.1/include/linux/moduleparam.h 2011-05-22 19:36:33.000000000 -0400
64052 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
64053 * @len is usually just sizeof(string).
64054 */
64055 #define module_param_string(name, string, len, perm) \
64056 - static const struct kparam_string __param_string_##name \
64057 + static const struct kparam_string __param_string_##name __used \
64058 = { len, string }; \
64059 __module_param_call(MODULE_PARAM_PREFIX, name, \
64060 &param_ops_string, \
64061 @@ -285,48 +285,48 @@ static inline void destroy_params(const
64062 #define __param_check(name, p, type) \
64063 static inline type *__check_##name(void) { return(p); }
64064
64065 -extern struct kernel_param_ops param_ops_byte;
64066 +extern const struct kernel_param_ops param_ops_byte;
64067 extern int param_set_byte(const char *val, const struct kernel_param *kp);
64068 extern int param_get_byte(char *buffer, const struct kernel_param *kp);
64069 #define param_check_byte(name, p) __param_check(name, p, unsigned char)
64070
64071 -extern struct kernel_param_ops param_ops_short;
64072 +extern const struct kernel_param_ops param_ops_short;
64073 extern int param_set_short(const char *val, const struct kernel_param *kp);
64074 extern int param_get_short(char *buffer, const struct kernel_param *kp);
64075 #define param_check_short(name, p) __param_check(name, p, short)
64076
64077 -extern struct kernel_param_ops param_ops_ushort;
64078 +extern const struct kernel_param_ops param_ops_ushort;
64079 extern int param_set_ushort(const char *val, const struct kernel_param *kp);
64080 extern int param_get_ushort(char *buffer, const struct kernel_param *kp);
64081 #define param_check_ushort(name, p) __param_check(name, p, unsigned short)
64082
64083 -extern struct kernel_param_ops param_ops_int;
64084 +extern const struct kernel_param_ops param_ops_int;
64085 extern int param_set_int(const char *val, const struct kernel_param *kp);
64086 extern int param_get_int(char *buffer, const struct kernel_param *kp);
64087 #define param_check_int(name, p) __param_check(name, p, int)
64088
64089 -extern struct kernel_param_ops param_ops_uint;
64090 +extern const struct kernel_param_ops param_ops_uint;
64091 extern int param_set_uint(const char *val, const struct kernel_param *kp);
64092 extern int param_get_uint(char *buffer, const struct kernel_param *kp);
64093 #define param_check_uint(name, p) __param_check(name, p, unsigned int)
64094
64095 -extern struct kernel_param_ops param_ops_long;
64096 +extern const struct kernel_param_ops param_ops_long;
64097 extern int param_set_long(const char *val, const struct kernel_param *kp);
64098 extern int param_get_long(char *buffer, const struct kernel_param *kp);
64099 #define param_check_long(name, p) __param_check(name, p, long)
64100
64101 -extern struct kernel_param_ops param_ops_ulong;
64102 +extern const struct kernel_param_ops param_ops_ulong;
64103 extern int param_set_ulong(const char *val, const struct kernel_param *kp);
64104 extern int param_get_ulong(char *buffer, const struct kernel_param *kp);
64105 #define param_check_ulong(name, p) __param_check(name, p, unsigned long)
64106
64107 -extern struct kernel_param_ops param_ops_charp;
64108 +extern const struct kernel_param_ops param_ops_charp;
64109 extern int param_set_charp(const char *val, const struct kernel_param *kp);
64110 extern int param_get_charp(char *buffer, const struct kernel_param *kp);
64111 #define param_check_charp(name, p) __param_check(name, p, char *)
64112
64113 /* For historical reasons "bool" parameters can be (unsigned) "int". */
64114 -extern struct kernel_param_ops param_ops_bool;
64115 +extern const struct kernel_param_ops param_ops_bool;
64116 extern int param_set_bool(const char *val, const struct kernel_param *kp);
64117 extern int param_get_bool(char *buffer, const struct kernel_param *kp);
64118 #define param_check_bool(name, p) \
64119 @@ -337,7 +337,7 @@ extern int param_get_bool(char *buffer,
64120 !__same_type((p), int *)); \
64121 }
64122
64123 -extern struct kernel_param_ops param_ops_invbool;
64124 +extern const struct kernel_param_ops param_ops_invbool;
64125 extern int param_set_invbool(const char *val, const struct kernel_param *kp);
64126 extern int param_get_invbool(char *buffer, const struct kernel_param *kp);
64127 #define param_check_invbool(name, p) __param_check(name, p, bool)
64128 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
64129 * module_param_named() for why this might be necessary.
64130 */
64131 #define module_param_array_named(name, array, type, nump, perm) \
64132 - static const struct kparam_array __param_arr_##name \
64133 + static const struct kparam_array __param_arr_##name __used \
64134 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
64135 sizeof(array[0]), array }; \
64136 __module_param_call(MODULE_PARAM_PREFIX, name, \
64137 @@ -379,9 +379,9 @@ extern int param_get_invbool(char *buffe
64138 __same_type(array[0], bool), perm); \
64139 __MODULE_PARM_TYPE(name, "array of " #type)
64140
64141 -extern struct kernel_param_ops param_array_ops;
64142 +extern const struct kernel_param_ops param_array_ops;
64143
64144 -extern struct kernel_param_ops param_ops_string;
64145 +extern const struct kernel_param_ops param_ops_string;
64146 extern int param_set_copystring(const char *val, const struct kernel_param *);
64147 extern int param_get_string(char *buffer, const struct kernel_param *kp);
64148
64149 diff -urNp linux-2.6.39.1/include/linux/mutex.h linux-2.6.39.1/include/linux/mutex.h
64150 --- linux-2.6.39.1/include/linux/mutex.h 2011-05-19 00:06:34.000000000 -0400
64151 +++ linux-2.6.39.1/include/linux/mutex.h 2011-05-22 19:36:33.000000000 -0400
64152 @@ -51,7 +51,7 @@ struct mutex {
64153 spinlock_t wait_lock;
64154 struct list_head wait_list;
64155 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64156 - struct thread_info *owner;
64157 + struct task_struct *owner;
64158 #endif
64159 #ifdef CONFIG_DEBUG_MUTEXES
64160 const char *name;
64161 diff -urNp linux-2.6.39.1/include/linux/namei.h linux-2.6.39.1/include/linux/namei.h
64162 --- linux-2.6.39.1/include/linux/namei.h 2011-05-19 00:06:34.000000000 -0400
64163 +++ linux-2.6.39.1/include/linux/namei.h 2011-05-22 19:36:33.000000000 -0400
64164 @@ -24,7 +24,7 @@ struct nameidata {
64165 unsigned seq;
64166 int last_type;
64167 unsigned depth;
64168 - char *saved_names[MAX_NESTED_LINKS + 1];
64169 + const char *saved_names[MAX_NESTED_LINKS + 1];
64170
64171 /* Intent data */
64172 union {
64173 @@ -91,12 +91,12 @@ extern int follow_up(struct path *);
64174 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64175 extern void unlock_rename(struct dentry *, struct dentry *);
64176
64177 -static inline void nd_set_link(struct nameidata *nd, char *path)
64178 +static inline void nd_set_link(struct nameidata *nd, const char *path)
64179 {
64180 nd->saved_names[nd->depth] = path;
64181 }
64182
64183 -static inline char *nd_get_link(struct nameidata *nd)
64184 +static inline const char *nd_get_link(const struct nameidata *nd)
64185 {
64186 return nd->saved_names[nd->depth];
64187 }
64188 diff -urNp linux-2.6.39.1/include/linux/netfilter/xt_gradm.h linux-2.6.39.1/include/linux/netfilter/xt_gradm.h
64189 --- linux-2.6.39.1/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64190 +++ linux-2.6.39.1/include/linux/netfilter/xt_gradm.h 2011-05-22 19:41:42.000000000 -0400
64191 @@ -0,0 +1,9 @@
64192 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
64193 +#define _LINUX_NETFILTER_XT_GRADM_H 1
64194 +
64195 +struct xt_gradm_mtinfo {
64196 + __u16 flags;
64197 + __u16 invflags;
64198 +};
64199 +
64200 +#endif
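Review bot: The new header uses `__u16` but includes nothing, so it only compiles when the includer has already pulled in the type definitions. Add `#include <linux/types.h>` after the include guard so the header is self-contained. The two fields also have no description; a short comment on what bits `flags` and `invflags` carry would help anyone writing the matching userspace side.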
64201 diff -urNp linux-2.6.39.1/include/linux/oprofile.h linux-2.6.39.1/include/linux/oprofile.h
64202 --- linux-2.6.39.1/include/linux/oprofile.h 2011-05-19 00:06:34.000000000 -0400
64203 +++ linux-2.6.39.1/include/linux/oprofile.h 2011-05-22 19:36:33.000000000 -0400
64204 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
64205 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64206 char const * name, ulong * val);
64207
64208 -/** Create a file for read-only access to an atomic_t. */
64209 +/** Create a file for read-only access to an atomic_unchecked_t. */
64210 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64211 - char const * name, atomic_t * val);
64212 + char const * name, atomic_unchecked_t * val);
64213
64214 /** create a directory */
64215 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64216 diff -urNp linux-2.6.39.1/include/linux/padata.h linux-2.6.39.1/include/linux/padata.h
64217 --- linux-2.6.39.1/include/linux/padata.h 2011-05-19 00:06:34.000000000 -0400
64218 +++ linux-2.6.39.1/include/linux/padata.h 2011-05-22 19:36:33.000000000 -0400
64219 @@ -129,7 +129,7 @@ struct parallel_data {
64220 struct padata_instance *pinst;
64221 struct padata_parallel_queue __percpu *pqueue;
64222 struct padata_serial_queue __percpu *squeue;
64223 - atomic_t seq_nr;
64224 + atomic_unchecked_t seq_nr;
64225 atomic_t reorder_objects;
64226 atomic_t refcnt;
64227 unsigned int max_seq_nr;
64228 diff -urNp linux-2.6.39.1/include/linux/pci.h linux-2.6.39.1/include/linux/pci.h
64229 --- linux-2.6.39.1/include/linux/pci.h 2011-05-19 00:06:34.000000000 -0400
64230 +++ linux-2.6.39.1/include/linux/pci.h 2011-05-22 19:36:33.000000000 -0400
64231 @@ -411,7 +411,7 @@ struct pci_bus {
64232 struct resource *resource[PCI_BRIDGE_RESOURCE_NUM];
64233 struct list_head resources; /* address space routed to this bus */
64234
64235 - struct pci_ops *ops; /* configuration access functions */
64236 + const struct pci_ops *ops; /* configuration access functions */
64237 void *sysdata; /* hook for sys-specific extension */
64238 struct proc_dir_entry *procdir; /* directory entry in /proc/bus/pci */
64239
64240 @@ -550,7 +550,7 @@ struct pci_driver {
64241 int (*resume_early) (struct pci_dev *dev);
64242 int (*resume) (struct pci_dev *dev); /* Device woken up */
64243 void (*shutdown) (struct pci_dev *dev);
64244 - struct pci_error_handlers *err_handler;
64245 + const struct pci_error_handlers *err_handler;
64246 struct device_driver driver;
64247 struct pci_dynids dynids;
64248 };
64249 @@ -639,7 +639,7 @@ void pcibios_scan_specific_bus(int busn)
64250 extern struct pci_bus *pci_find_bus(int domain, int busnr);
64251 void pci_bus_add_devices(const struct pci_bus *bus);
64252 struct pci_bus *pci_scan_bus_parented(struct device *parent, int bus,
64253 - struct pci_ops *ops, void *sysdata);
64254 + const struct pci_ops *ops, void *sysdata);
64255 static inline struct pci_bus * __devinit pci_scan_bus(int bus, struct pci_ops *ops,
64256 void *sysdata)
64257 {
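Review bot: `pci_scan_bus_parented()` now takes `const struct pci_ops *ops`, but the inline wrapper `pci_scan_bus()` directly below it still declares `struct pci_ops *ops`. A caller holding a const ops table can therefore use the underlying function but not the wrapper without a cast. The wrapper's signature should change too: `static inline struct pci_bus * __devinit pci_scan_bus(int bus, const struct pci_ops *ops,`. The body of pci_scan_bus continues outside this hunk.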
64258 @@ -650,7 +650,7 @@ static inline struct pci_bus * __devinit
64259 return root_bus;
64260 }
64261 struct pci_bus *pci_create_bus(struct device *parent, int bus,
64262 - struct pci_ops *ops, void *sysdata);
64263 + const struct pci_ops *ops, void *sysdata);
64264 struct pci_bus *pci_add_new_bus(struct pci_bus *parent, struct pci_dev *dev,
64265 int busnr);
64266 void pcie_update_link_speed(struct pci_bus *bus, u16 link_status);
64267 @@ -727,7 +727,7 @@ int pci_bus_write_config_word(struct pci
64268 int where, u16 val);
64269 int pci_bus_write_config_dword(struct pci_bus *bus, unsigned int devfn,
64270 int where, u32 val);
64271 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops);
64272 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops);
64273
64274 static inline int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val)
64275 {
64276 diff -urNp linux-2.6.39.1/include/linux/perf_event.h linux-2.6.39.1/include/linux/perf_event.h
64277 --- linux-2.6.39.1/include/linux/perf_event.h 2011-05-19 00:06:34.000000000 -0400
64278 +++ linux-2.6.39.1/include/linux/perf_event.h 2011-05-22 19:36:33.000000000 -0400
64279 @@ -759,8 +759,8 @@ struct perf_event {
64280
64281 enum perf_event_active_state state;
64282 unsigned int attach_state;
64283 - local64_t count;
64284 - atomic64_t child_count;
64285 + local64_t count; /* PaX: fix it one day */
64286 + atomic64_unchecked_t child_count;
64287
64288 /*
64289 * These are the total time in nanoseconds that the event
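Review bot: The added comment `/* PaX: fix it one day */` on `count` does not say what is to be fixed. From the neighbouring change of `child_count` to `atomic64_unchecked_t`, the intent is presumably that `count` should also get a wrap-tolerant type once one exists for `local64_t`. The comment should state that, e.g. `/* PaX: no unchecked local64_t variant yet; counter is expected to wrap */`, adjusted to whatever the real intent is. struct perf_event begins and ends outside the hunk.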
64290 @@ -811,8 +811,8 @@ struct perf_event {
64291 * These accumulate total time (in nanoseconds) that children
64292 * events have been enabled and running, respectively.
64293 */
64294 - atomic64_t child_total_time_enabled;
64295 - atomic64_t child_total_time_running;
64296 + atomic64_unchecked_t child_total_time_enabled;
64297 + atomic64_unchecked_t child_total_time_running;
64298
64299 /*
64300 * Protect attach/detach and child_list:
64301 @@ -1090,9 +1090,9 @@ void perf_event_task_sched_out(struct ta
64302 }
64303
64304 extern void perf_event_mmap(struct vm_area_struct *vma);
64305 -extern struct perf_guest_info_callbacks *perf_guest_cbs;
64306 -extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64307 -extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64308 +extern const struct perf_guest_info_callbacks *perf_guest_cbs;
64309 +extern int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64310 +extern int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64311
64312 extern void perf_event_comm(struct task_struct *tsk);
64313 extern void perf_event_fork(struct task_struct *tsk);
64314 diff -urNp linux-2.6.39.1/include/linux/pipe_fs_i.h linux-2.6.39.1/include/linux/pipe_fs_i.h
64315 --- linux-2.6.39.1/include/linux/pipe_fs_i.h 2011-05-19 00:06:34.000000000 -0400
64316 +++ linux-2.6.39.1/include/linux/pipe_fs_i.h 2011-05-22 19:36:33.000000000 -0400
64317 @@ -46,9 +46,9 @@ struct pipe_buffer {
64318 struct pipe_inode_info {
64319 wait_queue_head_t wait;
64320 unsigned int nrbufs, curbuf, buffers;
64321 - unsigned int readers;
64322 - unsigned int writers;
64323 - unsigned int waiting_writers;
64324 + atomic_t readers;
64325 + atomic_t writers;
64326 + atomic_t waiting_writers;
64327 unsigned int r_counter;
64328 unsigned int w_counter;
64329 struct page *tmp_page;
64330 diff -urNp linux-2.6.39.1/include/linux/pm.h linux-2.6.39.1/include/linux/pm.h
64331 --- linux-2.6.39.1/include/linux/pm.h 2011-05-19 00:06:34.000000000 -0400
64332 +++ linux-2.6.39.1/include/linux/pm.h 2011-05-22 19:36:33.000000000 -0400
64333 @@ -268,7 +268,7 @@ const struct dev_pm_ops name = { \
64334 * runtime PM, make the pm member point to generic_subsys_pm_ops.
64335 */
64336 #ifdef CONFIG_PM
64337 -extern struct dev_pm_ops generic_subsys_pm_ops;
64338 +extern const struct dev_pm_ops generic_subsys_pm_ops;
64339 #define GENERIC_SUBSYS_PM_OPS (&generic_subsys_pm_ops)
64340 #else
64341 #define GENERIC_SUBSYS_PM_OPS NULL
64342 @@ -471,7 +471,7 @@ extern void update_pm_runtime_accounting
64343 * subsystem-level and driver-level callbacks.
64344 */
64345 struct dev_power_domain {
64346 - struct dev_pm_ops ops;
64347 + const struct dev_pm_ops ops;
64348 };
64349
64350 /*
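Review bot: `const struct dev_pm_ops ops` makes the embedded member const by value, so a `struct dev_power_domain` can now only be filled in by an initializer. Any code that builds one at run time, by assigning individual `ops` callbacks or by copying the struct, would stop compiling; no such user is visible in this hunk, so this needs checking against the callers. A comment on the member would record the constraint: `/* const: set by static initializer only, never assigned at run time */`.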
64351 diff -urNp linux-2.6.39.1/include/linux/pm_runtime.h linux-2.6.39.1/include/linux/pm_runtime.h
64352 --- linux-2.6.39.1/include/linux/pm_runtime.h 2011-05-19 00:06:34.000000000 -0400
64353 +++ linux-2.6.39.1/include/linux/pm_runtime.h 2011-05-22 19:36:33.000000000 -0400
64354 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
64355
64356 static inline void pm_runtime_mark_last_busy(struct device *dev)
64357 {
64358 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
64359 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
64360 }
64361
64362 #else /* !CONFIG_PM_RUNTIME */
64363 diff -urNp linux-2.6.39.1/include/linux/poison.h linux-2.6.39.1/include/linux/poison.h
64364 --- linux-2.6.39.1/include/linux/poison.h 2011-05-19 00:06:34.000000000 -0400
64365 +++ linux-2.6.39.1/include/linux/poison.h 2011-05-22 19:36:33.000000000 -0400
64366 @@ -19,8 +19,8 @@
64367 * under normal circumstances, used to verify that nobody uses
64368 * non-initialized list entries.
64369 */
64370 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64371 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64372 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64373 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64374
64375 /********** include/linux/timer.h **********/
64376 /*
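Review bot: On a 64-bit build `(long)0xFFFFFF01` zero-extends, because the literal has type `unsigned int`; the poison pointer is then 0x00000000FFFFFF01, in the low 4 GiB, rather than at the top of the address space as it is on 32-bit. The new definitions also drop `POISON_POINTER_DELTA`, so any configured offset no longer applies. A poison value is only useful if dereferencing it is guaranteed to fault, and that may not hold on architectures where low addresses belong to user space. If a high address is intended everywhere, `((void *) (long)(int)0xFFFFFF01)` sign-extends; either way a comment should state which address range the value is meant to land in.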
64377 diff -urNp linux-2.6.39.1/include/linux/posix-timers.h linux-2.6.39.1/include/linux/posix-timers.h
64378 --- linux-2.6.39.1/include/linux/posix-timers.h 2011-05-19 00:06:34.000000000 -0400
64379 +++ linux-2.6.39.1/include/linux/posix-timers.h 2011-05-22 19:36:33.000000000 -0400
64380 @@ -102,10 +102,10 @@ struct k_clock {
64381 struct itimerspec * cur_setting);
64382 };
64383
64384 -extern struct k_clock clock_posix_cpu;
64385 -extern struct k_clock clock_posix_dynamic;
64386 +extern const struct k_clock clock_posix_cpu;
64387 +extern const struct k_clock clock_posix_dynamic;
64388
64389 -void posix_timers_register_clock(const clockid_t clock_id, struct k_clock *new_clock);
64390 +void posix_timers_register_clock(const clockid_t clock_id, const struct k_clock *new_clock);
64391
64392 /* function to call to trigger timer event */
64393 int posix_timer_event(struct k_itimer *timr, int si_private);
64394 diff -urNp linux-2.6.39.1/include/linux/proc_fs.h linux-2.6.39.1/include/linux/proc_fs.h
64395 --- linux-2.6.39.1/include/linux/proc_fs.h 2011-05-19 00:06:34.000000000 -0400
64396 +++ linux-2.6.39.1/include/linux/proc_fs.h 2011-05-22 19:41:42.000000000 -0400
64397 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64398 return proc_create_data(name, mode, parent, proc_fops, NULL);
64399 }
64400
64401 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64402 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64403 +{
64404 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64405 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64406 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64407 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64408 +#else
64409 + return proc_create_data(name, mode, parent, proc_fops, NULL);
64410 +#endif
64411 +}
64412 +
64413 +
64414 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64415 mode_t mode, struct proc_dir_entry *base,
64416 read_proc_t *read_proc, void * data)
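Review bot: `proc_create_grsec()` silently ignores its `mode` argument when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, because the first two branches pass fixed `S_IRUSR` and `S_IRUSR | S_IRGRP`. A caller that needs owner-write, or that passes a stricter mode, gets something different without any indication. The override should be documented above the function, e.g. `/* Like proc_create(), but with GRKERNSEC_PROC_USER/USERGROUP the entry is forced to owner-read (or owner+group-read) and @mode is ignored. */`. The hunk also adds two blank lines after the function where the file uses one.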
64417 diff -urNp linux-2.6.39.1/include/linux/ptrace.h linux-2.6.39.1/include/linux/ptrace.h
64418 --- linux-2.6.39.1/include/linux/ptrace.h 2011-05-19 00:06:34.000000000 -0400
64419 +++ linux-2.6.39.1/include/linux/ptrace.h 2011-05-22 19:41:42.000000000 -0400
64420 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
64421 extern void exit_ptrace(struct task_struct *tracer);
64422 #define PTRACE_MODE_READ 1
64423 #define PTRACE_MODE_ATTACH 2
64424 -/* Returns 0 on success, -errno on denial. */
64425 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64426 /* Returns true on success, false on denial. */
64427 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64428 +/* Returns true on success, false on denial. */
64429 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64430
64431 static inline int ptrace_reparented(struct task_struct *child)
64432 {
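Review bot: The comment added for `ptrace_may_access_log()` is a copy of the one on `ptrace_may_access()` and does not say how the two differ. Judging by the name, the new function presumably records denials, and callers need to know that to choose between them. Something like `/* As ptrace_may_access(), but a denial is also logged. */` would do, with the wording confirmed against the definition, which is outside this hunk. The hunk also removes the `__ptrace_may_access()` declaration, so any remaining user of it outside this file will fail to build.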
64433 diff -urNp linux-2.6.39.1/include/linux/random.h linux-2.6.39.1/include/linux/random.h
64434 --- linux-2.6.39.1/include/linux/random.h 2011-05-19 00:06:34.000000000 -0400
64435 +++ linux-2.6.39.1/include/linux/random.h 2011-05-22 19:36:33.000000000 -0400
64436 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
64437
64438 u32 prandom32(struct rnd_state *);
64439
64440 +static inline unsigned long pax_get_random_long(void)
64441 +{
64442 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64443 +}
64444 +
64445 /*
64446 * Handle minimum values for seeds
64447 */
64448 static inline u32 __seed(u32 x, u32 m)
64449 {
64450 - return (x < m) ? x + m : x;
64451 + return (x <= m) ? x + m + 1 : x;
64452 }
64453
64454 /**
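Review bot: `pax_get_random_long()` builds its value from two `random32()` calls, which is the seedable pseudo-random generator declared next to `srandom32()` and `prandom32()` in this header. Its callers are outside the hunk; if any of them use the result for address-layout randomization, the output is only as unpredictable as that generator's state. In that case `get_random_bytes(&val, sizeof(val))` would be the stronger source. The choice should at least be documented on the function, e.g. `/* NOTE: backed by random32(), not the entropy pool */`.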
64455 diff -urNp linux-2.6.39.1/include/linux/reboot.h linux-2.6.39.1/include/linux/reboot.h
64456 --- linux-2.6.39.1/include/linux/reboot.h 2011-05-19 00:06:34.000000000 -0400
64457 +++ linux-2.6.39.1/include/linux/reboot.h 2011-05-22 19:36:33.000000000 -0400
64458 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64459 * Architecture-specific implementations of sys_reboot commands.
64460 */
64461
64462 -extern void machine_restart(char *cmd);
64463 -extern void machine_halt(void);
64464 -extern void machine_power_off(void);
64465 +extern void machine_restart(char *cmd) __noreturn;
64466 +extern void machine_halt(void) __noreturn;
64467 +extern void machine_power_off(void) __noreturn;
64468
64469 extern void machine_shutdown(void);
64470 struct pt_regs;
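Review bot: `__noreturn` on `machine_restart()`, `machine_halt()` and `machine_power_off()` is a promise to the compiler, and the definitions it applies to are per-architecture and not part of this hunk. If any implementation can fall off the end (for example when no power-off handler is registered), the behaviour is undefined and code placed after the call may be discarded. Each definition should end in an unconditional halt loop or `BUG()`, with a comment here such as `/* must not return: every arch implementation ends in a halt loop */`. The same applies to the `kernel_restart`/`kernel_halt`/`kernel_power_off` hunk and the `emergency_restart` hunk that follow.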
64471 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64472 */
64473
64474 extern void kernel_restart_prepare(char *cmd);
64475 -extern void kernel_restart(char *cmd);
64476 -extern void kernel_halt(void);
64477 -extern void kernel_power_off(void);
64478 +extern void kernel_restart(char *cmd) __noreturn;
64479 +extern void kernel_halt(void) __noreturn;
64480 +extern void kernel_power_off(void) __noreturn;
64481
64482 extern int C_A_D; /* for sysctl */
64483 void ctrl_alt_del(void);
64484 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
64485 * Emergency restart, callable from an interrupt handler.
64486 */
64487
64488 -extern void emergency_restart(void);
64489 +extern void emergency_restart(void) __noreturn;
64490 #include <asm/emergency-restart.h>
64491
64492 #endif
64493 diff -urNp linux-2.6.39.1/include/linux/reiserfs_fs.h linux-2.6.39.1/include/linux/reiserfs_fs.h
64494 --- linux-2.6.39.1/include/linux/reiserfs_fs.h 2011-05-19 00:06:34.000000000 -0400
64495 +++ linux-2.6.39.1/include/linux/reiserfs_fs.h 2011-05-22 19:36:33.000000000 -0400
64496 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
64497 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64498
64499 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64500 -#define get_generation(s) atomic_read (&fs_generation(s))
64501 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64502 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64503 #define __fs_changed(gen,s) (gen != get_generation (s))
64504 #define fs_changed(gen,s) \
64505 @@ -1618,24 +1618,24 @@ static inline struct super_block *sb_fro
64506 */
64507
64508 struct item_operations {
64509 - int (*bytes_number) (struct item_head * ih, int block_size);
64510 - void (*decrement_key) (struct cpu_key *);
64511 - int (*is_left_mergeable) (struct reiserfs_key * ih,
64512 + int (* const bytes_number) (struct item_head * ih, int block_size);
64513 + void (* const decrement_key) (struct cpu_key *);
64514 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
64515 unsigned long bsize);
64516 - void (*print_item) (struct item_head *, char *item);
64517 - void (*check_item) (struct item_head *, char *item);
64518 + void (* const print_item) (struct item_head *, char *item);
64519 + void (* const check_item) (struct item_head *, char *item);
64520
64521 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64522 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64523 int is_affected, int insert_size);
64524 - int (*check_left) (struct virtual_item * vi, int free,
64525 + int (* const check_left) (struct virtual_item * vi, int free,
64526 int start_skip, int end_skip);
64527 - int (*check_right) (struct virtual_item * vi, int free);
64528 - int (*part_size) (struct virtual_item * vi, int from, int to);
64529 - int (*unit_num) (struct virtual_item * vi);
64530 - void (*print_vi) (struct virtual_item * vi);
64531 + int (* const check_right) (struct virtual_item * vi, int free);
64532 + int (* const part_size) (struct virtual_item * vi, int from, int to);
64533 + int (* const unit_num) (struct virtual_item * vi);
64534 + void (* const print_vi) (struct virtual_item * vi);
64535 };
64536
64537 -extern struct item_operations *item_ops[TYPE_ANY + 1];
64538 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64539
64540 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64541 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
64542 diff -urNp linux-2.6.39.1/include/linux/reiserfs_fs_sb.h linux-2.6.39.1/include/linux/reiserfs_fs_sb.h
64543 --- linux-2.6.39.1/include/linux/reiserfs_fs_sb.h 2011-05-19 00:06:34.000000000 -0400
64544 +++ linux-2.6.39.1/include/linux/reiserfs_fs_sb.h 2011-05-22 19:36:33.000000000 -0400
64545 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
64546 /* Comment? -Hans */
64547 wait_queue_head_t s_wait;
64548 /* To be obsoleted soon by per buffer seals.. -Hans */
64549 - atomic_t s_generation_counter; // increased by one every time the
64550 + atomic_unchecked_t s_generation_counter; // increased by one every time the
64551 // tree gets re-balanced
64552 unsigned long s_properties; /* File system properties. Currently holds
64553 on-disk FS format */
64554 diff -urNp linux-2.6.39.1/include/linux/rmap.h linux-2.6.39.1/include/linux/rmap.h
64555 --- linux-2.6.39.1/include/linux/rmap.h 2011-05-19 00:06:34.000000000 -0400
64556 +++ linux-2.6.39.1/include/linux/rmap.h 2011-05-22 19:36:33.000000000 -0400
64557 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
64558 void anon_vma_init(void); /* create anon_vma_cachep */
64559 int anon_vma_prepare(struct vm_area_struct *);
64560 void unlink_anon_vmas(struct vm_area_struct *);
64561 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
64562 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
64563 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
64564 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
64565 void __anon_vma_link(struct vm_area_struct *);
64566
64567 static inline void anon_vma_merge(struct vm_area_struct *vma,
64568 diff -urNp linux-2.6.39.1/include/linux/sched.h linux-2.6.39.1/include/linux/sched.h
64569 --- linux-2.6.39.1/include/linux/sched.h 2011-05-19 00:06:34.000000000 -0400
64570 +++ linux-2.6.39.1/include/linux/sched.h 2011-06-03 23:34:26.000000000 -0400
64571 @@ -100,6 +100,7 @@ struct bio_list;
64572 struct fs_struct;
64573 struct perf_event_context;
64574 struct blk_plug;
64575 +struct linux_binprm;
64576
64577 /*
64578 * List of flags we want to share for kernel threads,
64579 @@ -360,7 +361,7 @@ extern signed long schedule_timeout_inte
64580 extern signed long schedule_timeout_killable(signed long timeout);
64581 extern signed long schedule_timeout_uninterruptible(signed long timeout);
64582 asmlinkage void schedule(void);
64583 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
64584 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
64585
64586 struct nsproxy;
64587 struct user_namespace;
64588 @@ -381,10 +382,13 @@ struct user_namespace;
64589 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
64590
64591 extern int sysctl_max_map_count;
64592 +extern unsigned long sysctl_heap_stack_gap;
64593
64594 #include <linux/aio.h>
64595
64596 #ifdef CONFIG_MMU
64597 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
64598 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
64599 extern void arch_pick_mmap_layout(struct mm_struct *mm);
64600 extern unsigned long
64601 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
64602 @@ -629,6 +633,17 @@ struct signal_struct {
64603 #ifdef CONFIG_TASKSTATS
64604 struct taskstats *stats;
64605 #endif
64606 +
64607 +#ifdef CONFIG_GRKERNSEC
64608 + u32 curr_ip;
64609 + u32 saved_ip;
64610 + u32 gr_saddr;
64611 + u32 gr_daddr;
64612 + u16 gr_sport;
64613 + u16 gr_dport;
64614 + u8 used_accept:1;
64615 +#endif
64616 +
64617 #ifdef CONFIG_AUDIT
64618 unsigned audit_tty;
64619 struct tty_audit_buf *tty_audit_buf;
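Review bot: The seven fields added to `signal_struct` under `CONFIG_GRKERNSEC` carry no comments, so their meaning and byte order have to be guessed from names. If `curr_ip`, `saved_ip`, `gr_saddr` and `gr_daddr` hold peer addresses for logging, as the names suggest, `u32` can represent only IPv4 and an IPv6 connection would have nothing meaningful to record. A comment per group would help, e.g. `/* IPv4 address of the remote peer this task is acting for (network byte order?) */`, adjusted to the real semantics. The comments should also say what sets and clears `used_accept`; signal_struct begins and ends outside the hunk.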
64620 @@ -701,6 +716,11 @@ struct user_struct {
64621 struct key *session_keyring; /* UID's default session keyring */
64622 #endif
64623
64624 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
64625 + unsigned int banned;
64626 + unsigned long ban_expires;
64627 +#endif
64628 +
64629 /* Hash table maintenance information */
64630 struct hlist_node uidhash_node;
64631 uid_t uid;
64632 @@ -1310,8 +1330,8 @@ struct task_struct {
64633 struct list_head thread_group;
64634
64635 struct completion *vfork_done; /* for vfork() */
64636 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
64637 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64638 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
64639 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64640
64641 cputime_t utime, stime, utimescaled, stimescaled;
64642 cputime_t gtime;
64643 @@ -1327,13 +1347,6 @@ struct task_struct {
64644 struct task_cputime cputime_expires;
64645 struct list_head cpu_timers[3];
64646
64647 -/* process credentials */
64648 - const struct cred __rcu *real_cred; /* objective and real subjective task
64649 - * credentials (COW) */
64650 - const struct cred __rcu *cred; /* effective (overridable) subjective task
64651 - * credentials (COW) */
64652 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64653 -
64654 char comm[TASK_COMM_LEN]; /* executable name excluding path
64655 - access with [gs]et_task_comm (which lock
64656 it with task_lock())
64657 @@ -1350,8 +1363,16 @@ struct task_struct {
64658 #endif
64659 /* CPU-specific state of this task */
64660 struct thread_struct thread;
64661 +/* thread_info moved to task_struct */
64662 +#ifdef CONFIG_X86
64663 + struct thread_info tinfo;
64664 +#endif
64665 /* filesystem information */
64666 struct fs_struct *fs;
64667 +
64668 + const struct cred __rcu *cred; /* effective (overridable) subjective task
64669 + * credentials (COW) */
64670 +
64671 /* open file information */
64672 struct files_struct *files;
64673 /* namespaces */
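Review bot: `cred` is re-added here next to `fs`, while `real_cred` and `replacement_session_keyring` are moved to a different spot by the hunk at `-1398,6`, and nothing explains why the two credential pointers are now kept apart. The `/* process credentials */` heading travels with `real_cred` only, so `cred` ends up between the filesystem and open-file comments with no heading of its own. If the separation is intentional, presumably so the two pointers are no longer adjacent in memory, a comment above `cred` such as `/* kept apart from real_cred on purpose: <reason> */` would stop a later cleanup from regrouping them. struct task_struct starts and ends outside this hunk.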
64674 @@ -1398,6 +1419,11 @@ struct task_struct {
64675 struct rt_mutex_waiter *pi_blocked_on;
64676 #endif
64677
64678 +/* process credentials */
64679 + const struct cred __rcu *real_cred; /* objective and real subjective task
64680 + * credentials (COW) */
64681 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64682 +
64683 #ifdef CONFIG_DEBUG_MUTEXES
64684 /* mutex deadlock detection */
64685 struct mutex_waiter *blocked_on;
64686 @@ -1508,6 +1534,21 @@ struct task_struct {
64687 unsigned long default_timer_slack_ns;
64688
64689 struct list_head *scm_work_list;
64690 +
64691 +#ifdef CONFIG_GRKERNSEC
64692 + /* grsecurity */
64693 + struct dentry *gr_chroot_dentry;
64694 + struct acl_subject_label *acl;
64695 + struct acl_role_label *role;
64696 + struct file *exec_file;
64697 + u16 acl_role_id;
64698 + /* is this the task that authenticated to the special role */
64699 + u8 acl_sp_role;
64700 + u8 is_writable;
64701 + u8 brute;
64702 + u8 gr_is_chrooted;
64703 +#endif
64704 +
64705 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
64706 /* Index of current stored address in ret_stack */
64707 int curr_ret_stack;
64708 @@ -1542,6 +1583,57 @@ struct task_struct {
64709 #endif
64710 };
64711
64712 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
64713 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
64714 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
64715 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
64716 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
64717 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
64718 +
64719 +#ifdef CONFIG_PAX_SOFTMODE
64720 +extern unsigned int pax_softmode;
64721 +#endif
64722 +
64723 +extern int pax_check_flags(unsigned long *);
64724 +
64725 +/* if tsk != current then task_lock must be held on it */
64726 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64727 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
64728 +{
64729 + if (likely(tsk->mm))
64730 + return tsk->mm->pax_flags;
64731 + else
64732 + return 0UL;
64733 +}
64734 +
64735 +/* if tsk != current then task_lock must be held on it */
64736 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
64737 +{
64738 + if (likely(tsk->mm)) {
64739 + tsk->mm->pax_flags = flags;
64740 + return 0;
64741 + }
64742 + return -EINVAL;
64743 +}
64744 +#endif
64745 +
64746 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
64747 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
64748 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
64749 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
64750 +#endif
64751 +
64752 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
64753 +void pax_report_insns(void *pc, void *sp);
64754 +void pax_report_refcount_overflow(struct pt_regs *regs);
64755 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
64756 +
64757 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
64758 +extern void pax_track_stack(void);
64759 +#else
64760 +static inline void pax_track_stack(void) {}
64761 +#endif
64762 +
64763 /* Future-safe accessor for struct task_struct's cpus_allowed. */
64764 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
64765
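Review bot: `pax_set_flags()` returns `-EINVAL` when `tsk->mm` is NULL, but nothing makes a caller look at the result, so a failed attempt to apply protection flags can go unnoticed. Declaring it as `static inline long __must_check pax_set_flags(struct task_struct *tsk, unsigned long flags)` lets the compiler flag ignored results. The first `task_lock` comment also sits above the `#if`, so it is left describing nothing when neither `CONFIG_PAX_NOEXEC` nor `CONFIG_PAX_ASLR` is set; moving it below the `#if` line keeps it attached to `pax_get_flags()`.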
64766 @@ -2009,7 +2101,9 @@ void yield(void);
64767 extern struct exec_domain default_exec_domain;
64768
64769 union thread_union {
64770 +#ifndef CONFIG_X86
64771 struct thread_info thread_info;
64772 +#endif
64773 unsigned long stack[THREAD_SIZE/sizeof(long)];
64774 };
64775
64776 @@ -2179,7 +2273,7 @@ extern void __cleanup_sighand(struct sig
64777 extern void exit_itimers(struct signal_struct *);
64778 extern void flush_itimer_signals(void);
64779
64780 -extern NORET_TYPE void do_group_exit(int);
64781 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
64782
64783 extern void daemonize(const char *, ...);
64784 extern int allow_signal(int);
64785 @@ -2320,13 +2414,17 @@ static inline unsigned long *end_of_stac
64786
64787 #endif
64788
64789 -static inline int object_is_on_stack(void *obj)
64790 +static inline int object_starts_on_stack(void *obj)
64791 {
64792 - void *stack = task_stack_page(current);
64793 + const void *stack = task_stack_page(current);
64794
64795 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
64796 }
64797
64798 +#ifdef CONFIG_PAX_USERCOPY
64799 +extern int object_is_on_stack(const void *obj, unsigned long len);
64800 +#endif
64801 +
64802 extern void thread_info_cache_init(void);
64803
64804 #ifdef CONFIG_DEBUG_STACK_USAGE
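Review bot: The name `object_is_on_stack` is reused for a function with a different signature, `(const void *obj, unsigned long len)`, and it is declared only under `CONFIG_PAX_USERCOPY`. A one-argument caller that was not renamed to `object_starts_on_stack()` therefore fails to build with that option and has no declaration at all without it. The new prototype also has no comment saying what its `int` result means for an object that lies only partly on the stack, so a short comment listing the return values is needed. Separately, `object_starts_on_stack()` only compares `obj`, so its parameter could be `const void *obj` to match the `const void *stack` local.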
64805 diff -urNp linux-2.6.39.1/include/linux/screen_info.h linux-2.6.39.1/include/linux/screen_info.h
64806 --- linux-2.6.39.1/include/linux/screen_info.h 2011-05-19 00:06:34.000000000 -0400
64807 +++ linux-2.6.39.1/include/linux/screen_info.h 2011-05-22 19:36:33.000000000 -0400
64808 @@ -43,7 +43,8 @@ struct screen_info {
64809 __u16 pages; /* 0x32 */
64810 __u16 vesa_attributes; /* 0x34 */
64811 __u32 capabilities; /* 0x36 */
64812 - __u8 _reserved[6]; /* 0x3a */
64813 + __u16 vesapm_size; /* 0x3a */
64814 + __u8 _reserved[4]; /* 0x3c */
64815 } __attribute__((packed));
64816
64817 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
64818 diff -urNp linux-2.6.39.1/include/linux/security.h linux-2.6.39.1/include/linux/security.h
64819 --- linux-2.6.39.1/include/linux/security.h 2011-05-19 00:06:34.000000000 -0400
64820 +++ linux-2.6.39.1/include/linux/security.h 2011-05-22 19:41:42.000000000 -0400
64821 @@ -36,6 +36,7 @@
64822 #include <linux/key.h>
64823 #include <linux/xfrm.h>
64824 #include <linux/slab.h>
64825 +#include <linux/grsecurity.h>
64826 #include <net/flow.h>
64827
64828 /* Maximum number of letters for an LSM name string */
64829 diff -urNp linux-2.6.39.1/include/linux/shm.h linux-2.6.39.1/include/linux/shm.h
64830 --- linux-2.6.39.1/include/linux/shm.h 2011-05-19 00:06:34.000000000 -0400
64831 +++ linux-2.6.39.1/include/linux/shm.h 2011-05-22 19:41:42.000000000 -0400
64832 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
64833 pid_t shm_cprid;
64834 pid_t shm_lprid;
64835 struct user_struct *mlock_user;
64836 +#ifdef CONFIG_GRKERNSEC
64837 + time_t shm_createtime;
64838 + pid_t shm_lapid;
64839 +#endif
64840 };
64841
64842 /* shm_mode upper byte flags */
64843 diff -urNp linux-2.6.39.1/include/linux/skbuff.h linux-2.6.39.1/include/linux/skbuff.h
64844 --- linux-2.6.39.1/include/linux/skbuff.h 2011-05-19 00:06:34.000000000 -0400
64845 +++ linux-2.6.39.1/include/linux/skbuff.h 2011-05-22 19:36:33.000000000 -0400
64846 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
64847 */
64848 static inline int skb_queue_empty(const struct sk_buff_head *list)
64849 {
64850 - return list->next == (struct sk_buff *)list;
64851 + return list->next == (const struct sk_buff *)list;
64852 }
64853
64854 /**
64855 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
64856 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
64857 const struct sk_buff *skb)
64858 {
64859 - return skb->next == (struct sk_buff *)list;
64860 + return skb->next == (const struct sk_buff *)list;
64861 }
64862
64863 /**
64864 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
64865 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
64866 const struct sk_buff *skb)
64867 {
64868 - return skb->prev == (struct sk_buff *)list;
64869 + return skb->prev == (const struct sk_buff *)list;
64870 }
64871
64872 /**
64873 @@ -1435,7 +1435,7 @@ static inline int pskb_network_may_pull(
64874 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
64875 */
64876 #ifndef NET_SKB_PAD
64877 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
64878 +#define NET_SKB_PAD max(_AC(32,U), L1_CACHE_BYTES)
64879 #endif
64880
64881 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
64882 diff -urNp linux-2.6.39.1/include/linux/slab_def.h linux-2.6.39.1/include/linux/slab_def.h
64883 --- linux-2.6.39.1/include/linux/slab_def.h 2011-05-19 00:06:34.000000000 -0400
64884 +++ linux-2.6.39.1/include/linux/slab_def.h 2011-05-22 19:36:33.000000000 -0400
64885 @@ -96,10 +96,10 @@ struct kmem_cache {
64886 unsigned long node_allocs;
64887 unsigned long node_frees;
64888 unsigned long node_overflow;
64889 - atomic_t allochit;
64890 - atomic_t allocmiss;
64891 - atomic_t freehit;
64892 - atomic_t freemiss;
64893 + atomic_unchecked_t allochit;
64894 + atomic_unchecked_t allocmiss;
64895 + atomic_unchecked_t freehit;
64896 + atomic_unchecked_t freemiss;
64897
64898 /*
64899 * If debugging is enabled, then the allocator can add additional
64900 diff -urNp linux-2.6.39.1/include/linux/slab.h linux-2.6.39.1/include/linux/slab.h
64901 --- linux-2.6.39.1/include/linux/slab.h 2011-05-19 00:06:34.000000000 -0400
64902 +++ linux-2.6.39.1/include/linux/slab.h 2011-05-23 17:07:00.000000000 -0400
64903 @@ -11,12 +11,20 @@
64904
64905 #include <linux/gfp.h>
64906 #include <linux/types.h>
64907 +#include <linux/err.h>
64908
64909 /*
64910 * Flags to pass to kmem_cache_create().
64911 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
64912 */
64913 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
64914 +
64915 +#ifdef CONFIG_PAX_USERCOPY
64916 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
64917 +#else
64918 +#define SLAB_USERCOPY 0x00000000UL
64919 +#endif
64920 +
64921 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
64922 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
64923 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
64924 @@ -87,10 +95,13 @@
64925 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
64926 * Both make kfree a no-op.
64927 */
64928 -#define ZERO_SIZE_PTR ((void *)16)
64929 +#define ZERO_SIZE_PTR \
64930 +({ \
64931 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
64932 + (void *)(-MAX_ERRNO-1L); \
64933 +})
64934
64935 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
64936 - (unsigned long)ZERO_SIZE_PTR)
64937 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
64938
64939 /*
64940 * struct kmem_cache related prototypes
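Review bot: The comment above these macros still describes only NULL and `ZERO_SIZE_PTR`, but the rewritten `ZERO_OR_NULL_PTR()` relies on unsigned wrap-around and is true for NULL and for every value from `ZERO_SIZE_PTR` upward. With `ZERO_SIZE_PTR` at `-MAX_ERRNO-1`, that range appears to include the `ERR_PTR()` encodings, which looks intended but is not said anywhere. I would add `/* true for NULL (x - 1 wraps) and for any address >= ZERO_SIZE_PTR */` above `ZERO_OR_NULL_PTR`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer appear where a constant expression is required, such as a static initializer. The comment block these macros belong to starts outside the hunk.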
64941 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void
64942 void kfree(const void *);
64943 void kzfree(const void *);
64944 size_t ksize(const void *);
64945 +void check_object_size(const void *ptr, unsigned long n, bool to);
64946
64947 /*
64948 * Allocator specific definitions. These are mainly used to establish optimized
64949 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
64950
64951 void __init kmem_cache_init_late(void);
64952
64953 +#define kmalloc(x, y) \
64954 +({ \
64955 + void *___retval; \
64956 + intoverflow_t ___x = (intoverflow_t)x; \
64957 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
64958 + ___retval = NULL; \
64959 + else \
64960 + ___retval = kmalloc((size_t)___x, (y)); \
64961 + ___retval; \
64962 +})
64963 +
64964 +#define kmalloc_node(x, y, z) \
64965 +({ \
64966 + void *___retval; \
64967 + intoverflow_t ___x = (intoverflow_t)x; \
64968 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
64969 + ___retval = NULL; \
64970 + else \
64971 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
64972 + ___retval; \
64973 +})
64974 +
64975 +#define kzalloc(x, y) \
64976 +({ \
64977 + void *___retval; \
64978 + intoverflow_t ___x = (intoverflow_t)x; \
64979 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
64980 + ___retval = NULL; \
64981 + else \
64982 + ___retval = kzalloc((size_t)___x, (y)); \
64983 + ___retval; \
64984 +})
64985 +
64986 +#define __krealloc(x, y, z) \
64987 +({ \
64988 + void *___retval; \
64989 + intoverflow_t ___y = (intoverflow_t)y; \
64990 + if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
64991 + ___retval = NULL; \
64992 + else \
64993 + ___retval = __krealloc((x), (size_t)___y, (z)); \
64994 + ___retval; \
64995 +})
64996 +
64997 +#define krealloc(x, y, z) \
64998 +({ \
64999 + void *___retval; \
65000 + intoverflow_t ___y = (intoverflow_t)y; \
65001 + if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
65002 + ___retval = NULL; \
65003 + else \
65004 + ___retval = krealloc((x), (size_t)___y, (z)); \
65005 + ___retval; \
65006 +})
65007 +
65008 #endif /* _LINUX_SLAB_H */
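Review bot: In all five wrappers the size argument is cast without parentheses, `(intoverflow_t)x`, which reads like a macro-hygiene bug but is presumably deliberate. For a call like `kmalloc(n * size, ...)` the cast binds to `n`, so the product is evaluated in the wider type and the `> ULONG_MAX` test can see the overflow. This only helps when the first operand of the outermost expression is the one widened; for an argument shaped like `a + n * size` the product is still computed in its original type. A comment above the first macro, for example `/* x is intentionally not parenthesised: the cast must bind to the first operand so the size is computed as intoverflow_t */`, would keep someone from "fixing" it. `intoverflow_t` is defined outside this hunk, so whether the check can fire on 64-bit builds cannot be judged from here.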
65009 diff -urNp linux-2.6.39.1/include/linux/slub_def.h linux-2.6.39.1/include/linux/slub_def.h
65010 --- linux-2.6.39.1/include/linux/slub_def.h 2011-05-19 00:06:34.000000000 -0400
65011 +++ linux-2.6.39.1/include/linux/slub_def.h 2011-05-22 19:36:33.000000000 -0400
65012 @@ -84,7 +84,7 @@ struct kmem_cache {
65013 struct kmem_cache_order_objects max;
65014 struct kmem_cache_order_objects min;
65015 gfp_t allocflags; /* gfp flags to use on each alloc */
65016 - int refcount; /* Refcount for slab cache destroy */
65017 + atomic_t refcount; /* Refcount for slab cache destroy */
65018 void (*ctor)(void *);
65019 int inuse; /* Offset to metadata */
65020 int align; /* Alignment */
65021 diff -urNp linux-2.6.39.1/include/linux/sonet.h linux-2.6.39.1/include/linux/sonet.h
65022 --- linux-2.6.39.1/include/linux/sonet.h 2011-05-19 00:06:34.000000000 -0400
65023 +++ linux-2.6.39.1/include/linux/sonet.h 2011-05-22 19:36:33.000000000 -0400
65024 @@ -61,7 +61,7 @@ struct sonet_stats {
65025 #include <asm/atomic.h>
65026
65027 struct k_sonet_stats {
65028 -#define __HANDLE_ITEM(i) atomic_t i
65029 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
65030 __SONET_ITEMS
65031 #undef __HANDLE_ITEM
65032 };
65033 diff -urNp linux-2.6.39.1/include/linux/ssb/ssb_driver_gige.h linux-2.6.39.1/include/linux/ssb/ssb_driver_gige.h
65034 --- linux-2.6.39.1/include/linux/ssb/ssb_driver_gige.h 2011-05-19 00:06:34.000000000 -0400
65035 +++ linux-2.6.39.1/include/linux/ssb/ssb_driver_gige.h 2011-05-22 19:36:33.000000000 -0400
65036 @@ -44,7 +44,7 @@ struct ssb_gige {
65037
65038 /* The PCI controller device. */
65039 struct pci_controller pci_controller;
65040 - struct pci_ops pci_ops;
65041 + const struct pci_ops pci_ops;
65042 struct resource mem_resource;
65043 struct resource io_resource;
65044 };
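Review bot: Qualifying the embedded member as `const struct pci_ops pci_ops;` does not place the function pointers in read-only memory, because they live in whatever storage holds `struct ssb_gige`. If that struct is allocated at run time, which this hunk does not show, the table stays writable and the code that fills it has to cast the qualifier away. A pointer to a static table, `const struct pci_ops *pci_ops;`, would give the protection the qualifier suggests, at the cost of adjusting the users of the member. The same pattern appears for `ulpi_ops` in include/linux/usb/intel_mid_otg.h.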
65045 diff -urNp linux-2.6.39.1/include/linux/sunrpc/clnt.h linux-2.6.39.1/include/linux/sunrpc/clnt.h
65046 --- linux-2.6.39.1/include/linux/sunrpc/clnt.h 2011-05-19 00:06:34.000000000 -0400
65047 +++ linux-2.6.39.1/include/linux/sunrpc/clnt.h 2011-05-22 19:36:33.000000000 -0400
65048 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
65049 {
65050 switch (sap->sa_family) {
65051 case AF_INET:
65052 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
65053 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65054 case AF_INET6:
65055 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65056 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65057 }
65058 return 0;
65059 }
65060 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
65061 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65062 const struct sockaddr *src)
65063 {
65064 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65065 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65066 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65067
65068 dsin->sin_family = ssin->sin_family;
65069 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
65070 if (sa->sa_family != AF_INET6)
65071 return 0;
65072
65073 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65074 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65075 }
65076
65077 #endif /* __KERNEL__ */
65078 diff -urNp linux-2.6.39.1/include/linux/sunrpc/svc_rdma.h linux-2.6.39.1/include/linux/sunrpc/svc_rdma.h
65079 --- linux-2.6.39.1/include/linux/sunrpc/svc_rdma.h 2011-05-19 00:06:34.000000000 -0400
65080 +++ linux-2.6.39.1/include/linux/sunrpc/svc_rdma.h 2011-05-22 19:36:33.000000000 -0400
65081 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65082 extern unsigned int svcrdma_max_requests;
65083 extern unsigned int svcrdma_max_req_size;
65084
65085 -extern atomic_t rdma_stat_recv;
65086 -extern atomic_t rdma_stat_read;
65087 -extern atomic_t rdma_stat_write;
65088 -extern atomic_t rdma_stat_sq_starve;
65089 -extern atomic_t rdma_stat_rq_starve;
65090 -extern atomic_t rdma_stat_rq_poll;
65091 -extern atomic_t rdma_stat_rq_prod;
65092 -extern atomic_t rdma_stat_sq_poll;
65093 -extern atomic_t rdma_stat_sq_prod;
65094 +extern atomic_unchecked_t rdma_stat_recv;
65095 +extern atomic_unchecked_t rdma_stat_read;
65096 +extern atomic_unchecked_t rdma_stat_write;
65097 +extern atomic_unchecked_t rdma_stat_sq_starve;
65098 +extern atomic_unchecked_t rdma_stat_rq_starve;
65099 +extern atomic_unchecked_t rdma_stat_rq_poll;
65100 +extern atomic_unchecked_t rdma_stat_rq_prod;
65101 +extern atomic_unchecked_t rdma_stat_sq_poll;
65102 +extern atomic_unchecked_t rdma_stat_sq_prod;
65103
65104 #define RPCRDMA_VERSION 1
65105
65106 diff -urNp linux-2.6.39.1/include/linux/suspend.h linux-2.6.39.1/include/linux/suspend.h
65107 --- linux-2.6.39.1/include/linux/suspend.h 2011-05-19 00:06:34.000000000 -0400
65108 +++ linux-2.6.39.1/include/linux/suspend.h 2011-05-22 19:36:33.000000000 -0400
65109 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
65110 * which require special recovery actions in that situation.
65111 */
65112 struct platform_suspend_ops {
65113 - int (*valid)(suspend_state_t state);
65114 - int (*begin)(suspend_state_t state);
65115 - int (*prepare)(void);
65116 - int (*prepare_late)(void);
65117 - int (*enter)(suspend_state_t state);
65118 - void (*wake)(void);
65119 - void (*finish)(void);
65120 - void (*end)(void);
65121 - void (*recover)(void);
65122 + int (* const valid)(suspend_state_t state);
65123 + int (* const begin)(suspend_state_t state);
65124 + int (* const prepare)(void);
65125 + int (* const prepare_late)(void);
65126 + int (* const enter)(suspend_state_t state);
65127 + void (* const wake)(void);
65128 + void (* const finish)(void);
65129 + void (* const end)(void);
65130 + void (* const recover)(void);
65131 };
65132
65133 #ifdef CONFIG_SUSPEND
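Review bot: Making every member `* const`, rather than declaring the instances `const`, means a `struct platform_suspend_ops` can no longer be assigned or filled in member by member, only initialised in one go. Platform code that sets up its ops at run time will stop compiling, and the kernel-doc above the struct does not mention the restriction. A line in that comment such as `* All members are const: define instances with a static designated initialiser.` would make the rule visible. The same applies to `platform_hibernation_ops` in the next hunk and to `sysfs_ops` in include/linux/sysfs.h. The struct comment starts outside this hunk.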
65134 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
65135 * platforms which require special recovery actions in that situation.
65136 */
65137 struct platform_hibernation_ops {
65138 - int (*begin)(void);
65139 - void (*end)(void);
65140 - int (*pre_snapshot)(void);
65141 - void (*finish)(void);
65142 - int (*prepare)(void);
65143 - int (*enter)(void);
65144 - void (*leave)(void);
65145 - int (*pre_restore)(void);
65146 - void (*restore_cleanup)(void);
65147 - void (*recover)(void);
65148 + int (* const begin)(void);
65149 + void (* const end)(void);
65150 + int (* const pre_snapshot)(void);
65151 + void (* const finish)(void);
65152 + int (* const prepare)(void);
65153 + int (* const enter)(void);
65154 + void (* const leave)(void);
65155 + int (* const pre_restore)(void);
65156 + void (* const restore_cleanup)(void);
65157 + void (* const recover)(void);
65158 };
65159
65160 #ifdef CONFIG_HIBERNATION
65161 diff -urNp linux-2.6.39.1/include/linux/sysctl.h linux-2.6.39.1/include/linux/sysctl.h
65162 --- linux-2.6.39.1/include/linux/sysctl.h 2011-05-19 00:06:34.000000000 -0400
65163 +++ linux-2.6.39.1/include/linux/sysctl.h 2011-05-22 19:41:42.000000000 -0400
65164 @@ -155,7 +155,11 @@ enum
65165 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65166 };
65167
65168 -
65169 +#ifdef CONFIG_PAX_SOFTMODE
65170 +enum {
65171 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65172 +};
65173 +#endif
65174
65175 /* CTL_VM names: */
65176 enum
65177 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
65178
65179 extern int proc_dostring(struct ctl_table *, int,
65180 void __user *, size_t *, loff_t *);
65181 +extern int proc_dostring_modpriv(struct ctl_table *, int,
65182 + void __user *, size_t *, loff_t *);
65183 extern int proc_dointvec(struct ctl_table *, int,
65184 void __user *, size_t *, loff_t *);
65185 extern int proc_dointvec_minmax(struct ctl_table *, int,
65186 diff -urNp linux-2.6.39.1/include/linux/sysfs.h linux-2.6.39.1/include/linux/sysfs.h
65187 --- linux-2.6.39.1/include/linux/sysfs.h 2011-05-19 00:06:34.000000000 -0400
65188 +++ linux-2.6.39.1/include/linux/sysfs.h 2011-05-22 19:36:33.000000000 -0400
65189 @@ -110,8 +110,8 @@ struct bin_attribute {
65190 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
65191
65192 struct sysfs_ops {
65193 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
65194 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65195 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65196 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65197 };
65198
65199 struct sysfs_dirent;
65200 diff -urNp linux-2.6.39.1/include/linux/tty.h linux-2.6.39.1/include/linux/tty.h
65201 --- linux-2.6.39.1/include/linux/tty.h 2011-05-19 00:06:34.000000000 -0400
65202 +++ linux-2.6.39.1/include/linux/tty.h 2011-05-22 19:36:33.000000000 -0400
65203 @@ -13,6 +13,7 @@
65204 #include <linux/tty_driver.h>
65205 #include <linux/tty_ldisc.h>
65206 #include <linux/mutex.h>
65207 +#include <linux/poll.h>
65208
65209 #include <asm/system.h>
65210
65211 @@ -466,7 +467,6 @@ extern int tty_perform_flush(struct tty_
65212 extern dev_t tty_devnum(struct tty_struct *tty);
65213 extern void proc_clear_tty(struct task_struct *p);
65214 extern struct tty_struct *get_current_tty(void);
65215 -extern void tty_default_fops(struct file_operations *fops);
65216 extern struct tty_struct *alloc_tty_struct(void);
65217 extern int tty_add_file(struct tty_struct *tty, struct file *file);
65218 extern void free_tty_struct(struct tty_struct *tty);
65219 @@ -529,6 +529,18 @@ extern void tty_ldisc_begin(void);
65220 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65221 extern void tty_ldisc_enable(struct tty_struct *tty);
65222
65223 +/* tty_io.c */
65224 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
65225 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
65226 +extern unsigned int tty_poll(struct file *, poll_table *);
65227 +#ifdef CONFIG_COMPAT
65228 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
65229 + unsigned long arg);
65230 +#else
65231 +#define tty_compat_ioctl NULL
65232 +#endif
65233 +extern int tty_release(struct inode *, struct file *);
65234 +extern int tty_fasync(int fd, struct file *filp, int on);
65235
65236 /* n_tty.c */
65237 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
65238 diff -urNp linux-2.6.39.1/include/linux/tty_ldisc.h linux-2.6.39.1/include/linux/tty_ldisc.h
65239 --- linux-2.6.39.1/include/linux/tty_ldisc.h 2011-05-19 00:06:34.000000000 -0400
65240 +++ linux-2.6.39.1/include/linux/tty_ldisc.h 2011-05-22 19:36:33.000000000 -0400
65241 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
65242
65243 struct module *owner;
65244
65245 - int refcount;
65246 + atomic_t refcount;
65247 };
65248
65249 struct tty_ldisc {
65250 diff -urNp linux-2.6.39.1/include/linux/types.h linux-2.6.39.1/include/linux/types.h
65251 --- linux-2.6.39.1/include/linux/types.h 2011-05-19 00:06:34.000000000 -0400
65252 +++ linux-2.6.39.1/include/linux/types.h 2011-05-22 19:36:33.000000000 -0400
65253 @@ -213,10 +213,26 @@ typedef struct {
65254 int counter;
65255 } atomic_t;
65256
65257 +#ifdef CONFIG_PAX_REFCOUNT
65258 +typedef struct {
65259 + int counter;
65260 +} atomic_unchecked_t;
65261 +#else
65262 +typedef atomic_t atomic_unchecked_t;
65263 +#endif
65264 +
65265 #ifdef CONFIG_64BIT
65266 typedef struct {
65267 long counter;
65268 } atomic64_t;
65269 +
65270 +#ifdef CONFIG_PAX_REFCOUNT
65271 +typedef struct {
65272 + long counter;
65273 +} atomic64_unchecked_t;
65274 +#else
65275 +typedef atomic64_t atomic64_unchecked_t;
65276 +#endif
65277 #endif
65278
65279 struct list_head {
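Review bot: `atomic_unchecked_t` is introduced without a comment saying when it may be used in place of `atomic_t`. Judging by the conversions elsewhere in this patch (slab hit/miss counters, the RDMA and SONET statistics), it is meant for counters whose wrap-around is harmless, while `atomic_t` presumably keeps overflow checking under `CONFIG_PAX_REFCOUNT`. That rule belongs next to the typedef, for example `/* for statistics and other counters that may wrap; never for reference counts */`. Without `CONFIG_PAX_REFCOUNT` the type is a plain alias, so passing an `atomic_unchecked_t` to an `atomic_t` interface only fails to compile in builds that enable the option. The same holds for `atomic64_unchecked_t`.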
65280 diff -urNp linux-2.6.39.1/include/linux/uaccess.h linux-2.6.39.1/include/linux/uaccess.h
65281 --- linux-2.6.39.1/include/linux/uaccess.h 2011-05-19 00:06:34.000000000 -0400
65282 +++ linux-2.6.39.1/include/linux/uaccess.h 2011-05-22 19:36:33.000000000 -0400
65283 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65284 long ret; \
65285 mm_segment_t old_fs = get_fs(); \
65286 \
65287 - set_fs(KERNEL_DS); \
65288 pagefault_disable(); \
65289 + set_fs(KERNEL_DS); \
65290 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65291 - pagefault_enable(); \
65292 set_fs(old_fs); \
65293 + pagefault_enable(); \
65294 ret; \
65295 })
65296
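Review bot: The reordering puts `set_fs(KERNEL_DS)` strictly inside the `pagefault_disable()`/`pagefault_enable()` pair, but the macro has no comment saying that this nesting is required or why. Without one, a later cleanup can swap the calls back without anyone noticing. A line before `pagefault_disable()` such as `/* keep KERNEL_DS strictly inside the pagefault-disabled region: <reason> */`, with the trailing `\` the macro needs, would record the constraint. The macro body starts outside this hunk.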
65297 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
65298 * Safely read from address @src to the buffer at @dst. If a kernel fault
65299 * happens, handle that and return -EFAULT.
65300 */
65301 -extern long probe_kernel_read(void *dst, void *src, size_t size);
65302 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
65303 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
65304 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
65305
65306 /*
65307 * probe_kernel_write(): safely attempt to write to a location
65308 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
65309 * Safely write to address @dst from the buffer at @src. If a kernel fault
65310 * happens, handle that and return -EFAULT.
65311 */
65312 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
65313 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
65314 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
65315 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
65316
65317 #endif /* __LINUX_UACCESS_H__ */
65318 diff -urNp linux-2.6.39.1/include/linux/unaligned/access_ok.h linux-2.6.39.1/include/linux/unaligned/access_ok.h
65319 --- linux-2.6.39.1/include/linux/unaligned/access_ok.h 2011-05-19 00:06:34.000000000 -0400
65320 +++ linux-2.6.39.1/include/linux/unaligned/access_ok.h 2011-05-22 19:36:33.000000000 -0400
65321 @@ -6,32 +6,32 @@
65322
65323 static inline u16 get_unaligned_le16(const void *p)
65324 {
65325 - return le16_to_cpup((__le16 *)p);
65326 + return le16_to_cpup((const __le16 *)p);
65327 }
65328
65329 static inline u32 get_unaligned_le32(const void *p)
65330 {
65331 - return le32_to_cpup((__le32 *)p);
65332 + return le32_to_cpup((const __le32 *)p);
65333 }
65334
65335 static inline u64 get_unaligned_le64(const void *p)
65336 {
65337 - return le64_to_cpup((__le64 *)p);
65338 + return le64_to_cpup((const __le64 *)p);
65339 }
65340
65341 static inline u16 get_unaligned_be16(const void *p)
65342 {
65343 - return be16_to_cpup((__be16 *)p);
65344 + return be16_to_cpup((const __be16 *)p);
65345 }
65346
65347 static inline u32 get_unaligned_be32(const void *p)
65348 {
65349 - return be32_to_cpup((__be32 *)p);
65350 + return be32_to_cpup((const __be32 *)p);
65351 }
65352
65353 static inline u64 get_unaligned_be64(const void *p)
65354 {
65355 - return be64_to_cpup((__be64 *)p);
65356 + return be64_to_cpup((const __be64 *)p);
65357 }
65358
65359 static inline void put_unaligned_le16(u16 val, void *p)
65360 diff -urNp linux-2.6.39.1/include/linux/usb/hcd.h linux-2.6.39.1/include/linux/usb/hcd.h
65361 --- linux-2.6.39.1/include/linux/usb/hcd.h 2011-05-19 00:06:34.000000000 -0400
65362 +++ linux-2.6.39.1/include/linux/usb/hcd.h 2011-05-22 19:36:33.000000000 -0400
65363 @@ -615,7 +615,7 @@ struct usb_mon_operations {
65364 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
65365 };
65366
65367 -extern struct usb_mon_operations *mon_ops;
65368 +extern const struct usb_mon_operations *mon_ops;
65369
65370 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
65371 {
65372 @@ -637,7 +637,7 @@ static inline void usbmon_urb_complete(s
65373 (*mon_ops->urb_complete)(bus, urb, status);
65374 }
65375
65376 -int usb_mon_register(struct usb_mon_operations *ops);
65377 +int usb_mon_register(const struct usb_mon_operations *ops);
65378 void usb_mon_deregister(void);
65379
65380 #else
65381 diff -urNp linux-2.6.39.1/include/linux/usb/intel_mid_otg.h linux-2.6.39.1/include/linux/usb/intel_mid_otg.h
65382 --- linux-2.6.39.1/include/linux/usb/intel_mid_otg.h 2011-05-19 00:06:34.000000000 -0400
65383 +++ linux-2.6.39.1/include/linux/usb/intel_mid_otg.h 2011-05-22 19:36:33.000000000 -0400
65384 @@ -115,7 +115,7 @@ struct intel_mid_otg_xceiv {
65385 void __iomem *base;
65386
65387 /* ops to access ulpi */
65388 - struct iotg_ulpi_access_ops ulpi_ops;
65389 + const struct iotg_ulpi_access_ops ulpi_ops;
65390
65391 /* atomic notifier for interrupt context */
65392 struct atomic_notifier_head iotg_notifier;
65393 diff -urNp linux-2.6.39.1/include/linux/usb/ulpi.h linux-2.6.39.1/include/linux/usb/ulpi.h
65394 --- linux-2.6.39.1/include/linux/usb/ulpi.h 2011-05-19 00:06:34.000000000 -0400
65395 +++ linux-2.6.39.1/include/linux/usb/ulpi.h 2011-05-22 19:36:33.000000000 -0400
65396 @@ -186,7 +186,7 @@ struct otg_transceiver *otg_ulpi_create(
65397
65398 #ifdef CONFIG_USB_ULPI_VIEWPORT
65399 /* access ops for controllers with a viewport register */
65400 -extern struct otg_io_access_ops ulpi_viewport_access_ops;
65401 +extern const struct otg_io_access_ops ulpi_viewport_access_ops;
65402 #endif
65403
65404 #endif /* __LINUX_USB_ULPI_H */
65405 diff -urNp linux-2.6.39.1/include/linux/vga_switcheroo.h linux-2.6.39.1/include/linux/vga_switcheroo.h
65406 --- linux-2.6.39.1/include/linux/vga_switcheroo.h 2011-05-19 00:06:34.000000000 -0400
65407 +++ linux-2.6.39.1/include/linux/vga_switcheroo.h 2011-05-22 19:36:33.000000000 -0400
65408 @@ -39,7 +39,7 @@ int vga_switcheroo_register_client(struc
65409 void vga_switcheroo_client_fb_set(struct pci_dev *dev,
65410 struct fb_info *info);
65411
65412 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler);
65413 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler);
65414 void vga_switcheroo_unregister_handler(void);
65415
65416 int vga_switcheroo_process_delayed_switch(void);
65417 @@ -52,7 +52,7 @@ static inline int vga_switcheroo_registe
65418 void (*reprobe)(struct pci_dev *dev),
65419 bool (*can_switch)(struct pci_dev *dev)) { return 0; }
65420 static inline void vga_switcheroo_client_fb_set(struct pci_dev *dev, struct fb_info *info) {}
65421 -static inline int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler) { return 0; }
65422 +static inline int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler) { return 0; }
65423 static inline void vga_switcheroo_unregister_handler(void) {}
65424 static inline int vga_switcheroo_process_delayed_switch(void) { return 0; }
65425
65426 diff -urNp linux-2.6.39.1/include/linux/virtio.h linux-2.6.39.1/include/linux/virtio.h
65427 --- linux-2.6.39.1/include/linux/virtio.h 2011-05-19 00:06:34.000000000 -0400
65428 +++ linux-2.6.39.1/include/linux/virtio.h 2011-05-22 19:36:33.000000000 -0400
65429 @@ -102,7 +102,7 @@ struct virtio_device {
65430 int index;
65431 struct device dev;
65432 struct virtio_device_id id;
65433 - struct virtio_config_ops *config;
65434 + const struct virtio_config_ops *config;
65435 struct list_head vqs;
65436 /* Note that this is a Linux set_bit-style bitmap. */
65437 unsigned long features[1];
65438 diff -urNp linux-2.6.39.1/include/linux/vmalloc.h linux-2.6.39.1/include/linux/vmalloc.h
65439 --- linux-2.6.39.1/include/linux/vmalloc.h 2011-05-19 00:06:34.000000000 -0400
65440 +++ linux-2.6.39.1/include/linux/vmalloc.h 2011-05-22 19:36:33.000000000 -0400
65441 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65442 #define VM_MAP 0x00000004 /* vmap()ed pages */
65443 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65444 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65445 +
65446 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65447 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65448 +#endif
65449 +
65450 /* bits [20..32] reserved for arch specific ioremap internals */
65451
65452 /*
65453 @@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
65454 # endif
65455 #endif
65456
65457 +#define vmalloc(x) \
65458 +({ \
65459 + void *___retval; \
65460 + intoverflow_t ___x = (intoverflow_t)x; \
65461 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65462 + ___retval = NULL; \
65463 + else \
65464 + ___retval = vmalloc((unsigned long)___x); \
65465 + ___retval; \
65466 +})
65467 +
65468 +#define vzalloc(x) \
65469 +({ \
65470 + void *___retval; \
65471 + intoverflow_t ___x = (intoverflow_t)x; \
65472 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
65473 + ___retval = NULL; \
65474 + else \
65475 + ___retval = vzalloc((unsigned long)___x); \
65476 + ___retval; \
65477 +})
65478 +
65479 +#define __vmalloc(x, y, z) \
65480 +({ \
65481 + void *___retval; \
65482 + intoverflow_t ___x = (intoverflow_t)x; \
65483 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65484 + ___retval = NULL; \
65485 + else \
65486 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65487 + ___retval; \
65488 +})
65489 +
65490 +#define vmalloc_user(x) \
65491 +({ \
65492 + void *___retval; \
65493 + intoverflow_t ___x = (intoverflow_t)x; \
65494 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65495 + ___retval = NULL; \
65496 + else \
65497 + ___retval = vmalloc_user((unsigned long)___x); \
65498 + ___retval; \
65499 +})
65500 +
65501 +#define vmalloc_exec(x) \
65502 +({ \
65503 + void *___retval; \
65504 + intoverflow_t ___x = (intoverflow_t)x; \
65505 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65506 + ___retval = NULL; \
65507 + else \
65508 + ___retval = vmalloc_exec((unsigned long)___x); \
65509 + ___retval; \
65510 +})
65511 +
65512 +#define vmalloc_node(x, y) \
65513 +({ \
65514 + void *___retval; \
65515 + intoverflow_t ___x = (intoverflow_t)x; \
65516 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65517 + ___retval = NULL; \
65518 + else \
65519 + ___retval = vmalloc_node((unsigned long)___x, (y));\
65520 + ___retval; \
65521 +})
65522 +
65523 +#define vzalloc_node(x, y) \
65524 +({ \
65525 + void *___retval; \
65526 + intoverflow_t ___x = (intoverflow_t)x; \
65527 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
65528 + ___retval = NULL; \
65529 + else \
65530 + ___retval = vzalloc_node((unsigned long)___x, (y));\
65531 + ___retval; \
65532 +})
65533 +
65534 +#define vmalloc_32(x) \
65535 +({ \
65536 + void *___retval; \
65537 + intoverflow_t ___x = (intoverflow_t)x; \
65538 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65539 + ___retval = NULL; \
65540 + else \
65541 + ___retval = vmalloc_32((unsigned long)___x); \
65542 + ___retval; \
65543 +})
65544 +
65545 +#define vmalloc_32_user(x) \
65546 +({ \
65547 +void *___retval; \
65548 + intoverflow_t ___x = (intoverflow_t)x; \
65549 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
65550 + ___retval = NULL; \
65551 + else \
65552 + ___retval = vmalloc_32_user((unsigned long)___x);\
65553 + ___retval; \
65554 +})
65555 +
65556 #endif /* _LINUX_VMALLOC_H */
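Review bot: The cast in `intoverflow_t ___x = (intoverflow_t)x;` leaves `x` unparenthesized in all nine wrappers, and nothing in the header says whether that is intended. It looks deliberate (with `vmalloc(n * size)` the cast widens `n`, so the product is computed in `intoverflow_t` and can exceed `ULONG_MAX` instead of wrapping), but only the leftmost operand is widened: in `vmalloc(hdr + n * size)` the product is still computed in its native width and a wrap there goes unnoticed. A comment above the first macro would record both facts, for example `/* x is deliberately not parenthesized: the cast must bind to the first operand so the size expression is evaluated in intoverflow_t; put the multiplication first */`. The check can only fire where `intoverflow_t` is wider than `unsigned long`; its definition is outside this hunk, so confirm what it is on 64-bit configurations. `vmalloc_32_user` also has its `void *___retval;` line at column 0, unlike the other eight.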
65557 diff -urNp linux-2.6.39.1/include/linux/vmstat.h linux-2.6.39.1/include/linux/vmstat.h
65558 --- linux-2.6.39.1/include/linux/vmstat.h 2011-05-19 00:06:34.000000000 -0400
65559 +++ linux-2.6.39.1/include/linux/vmstat.h 2011-05-22 19:36:33.000000000 -0400
65560 @@ -147,18 +147,18 @@ static inline void vm_events_fold_cpu(in
65561 /*
65562 * Zone based page accounting with per cpu differentials.
65563 */
65564 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65565 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65566
65567 static inline void zone_page_state_add(long x, struct zone *zone,
65568 enum zone_stat_item item)
65569 {
65570 - atomic_long_add(x, &zone->vm_stat[item]);
65571 - atomic_long_add(x, &vm_stat[item]);
65572 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
65573 + atomic_long_add_unchecked(x, &vm_stat[item]);
65574 }
65575
65576 static inline unsigned long global_page_state(enum zone_stat_item item)
65577 {
65578 - long x = atomic_long_read(&vm_stat[item]);
65579 + long x = atomic_long_read_unchecked(&vm_stat[item]);
65580 #ifdef CONFIG_SMP
65581 if (x < 0)
65582 x = 0;
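Review bot: Switching `vm_stat` to `atomic_long_unchecked_t` opts these counters out of the overflow detection that the plain atomic types presumably get elsewhere in this patch, and the declaration carries no comment saying why that is safe. For a statistics counter the reason is short, e.g. `/* statistics only, never used as a reference count: wrap-around is harmless */` above the `extern` line. The same one-line justification is missing from the other `atomic_unchecked_t` conversions in this part of the patch (v4l2-device.h, cfctrl.h, flow.h, inetpeer.h, ip_vs.h, af_iucv.h, netns/ipv4.h, sock.h, xfrm.h, scsi_device.h, ymfpci.h, target_core_base.h), where a reader has to infer from names such as `genid`, `ip_id_count` or `sk_drops` that none of them guards an object lifetime. `conn_flags` in ip_vs.h and `t_transport_aborted` in target_core_base.h deserve a second look because they read as flags rather than counters. `global_page_state` continues outside this hunk.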
65583 @@ -169,7 +169,7 @@ static inline unsigned long global_page_
65584 static inline unsigned long zone_page_state(struct zone *zone,
65585 enum zone_stat_item item)
65586 {
65587 - long x = atomic_long_read(&zone->vm_stat[item]);
65588 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65589 #ifdef CONFIG_SMP
65590 if (x < 0)
65591 x = 0;
65592 @@ -186,7 +186,7 @@ static inline unsigned long zone_page_st
65593 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
65594 enum zone_stat_item item)
65595 {
65596 - long x = atomic_long_read(&zone->vm_stat[item]);
65597 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65598
65599 #ifdef CONFIG_SMP
65600 int cpu;
65601 @@ -280,8 +280,8 @@ static inline void __mod_zone_page_state
65602
65603 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
65604 {
65605 - atomic_long_inc(&zone->vm_stat[item]);
65606 - atomic_long_inc(&vm_stat[item]);
65607 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
65608 + atomic_long_inc_unchecked(&vm_stat[item]);
65609 }
65610
65611 static inline void __inc_zone_page_state(struct page *page,
65612 @@ -292,8 +292,8 @@ static inline void __inc_zone_page_state
65613
65614 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
65615 {
65616 - atomic_long_dec(&zone->vm_stat[item]);
65617 - atomic_long_dec(&vm_stat[item]);
65618 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
65619 + atomic_long_dec_unchecked(&vm_stat[item]);
65620 }
65621
65622 static inline void __dec_zone_page_state(struct page *page,
65623 diff -urNp linux-2.6.39.1/include/media/saa7146_vv.h linux-2.6.39.1/include/media/saa7146_vv.h
65624 --- linux-2.6.39.1/include/media/saa7146_vv.h 2011-05-19 00:06:34.000000000 -0400
65625 +++ linux-2.6.39.1/include/media/saa7146_vv.h 2011-05-22 19:36:33.000000000 -0400
65626 @@ -202,13 +202,13 @@ void saa7146_set_gpio(struct saa7146_dev
65627
65628 /* from saa7146_video.c */
65629 extern const struct v4l2_ioctl_ops saa7146_video_ioctl_ops;
65630 -extern struct saa7146_use_ops saa7146_video_uops;
65631 +extern const struct saa7146_use_ops saa7146_video_uops;
65632 int saa7146_start_preview(struct saa7146_fh *fh);
65633 int saa7146_stop_preview(struct saa7146_fh *fh);
65634 long saa7146_video_do_ioctl(struct file *file, unsigned int cmd, void *arg);
65635
65636 /* from saa7146_vbi.c */
65637 -extern struct saa7146_use_ops saa7146_vbi_uops;
65638 +extern const struct saa7146_use_ops saa7146_vbi_uops;
65639
65640 /* resource management functions */
65641 int saa7146_res_get(struct saa7146_fh *fh, unsigned int bit);
65642 diff -urNp linux-2.6.39.1/include/media/v4l2-device.h linux-2.6.39.1/include/media/v4l2-device.h
65643 --- linux-2.6.39.1/include/media/v4l2-device.h 2011-05-19 00:06:34.000000000 -0400
65644 +++ linux-2.6.39.1/include/media/v4l2-device.h 2011-05-22 19:36:33.000000000 -0400
65645 @@ -95,7 +95,7 @@ int __must_check v4l2_device_register(st
65646 this function returns 0. If the name ends with a digit (e.g. cx18),
65647 then the name will be set to cx18-0 since cx180 looks really odd. */
65648 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
65649 - atomic_t *instance);
65650 + atomic_unchecked_t *instance);
65651
65652 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
65653 Since the parent disappears this ensures that v4l2_dev doesn't have an
65654 diff -urNp linux-2.6.39.1/include/net/caif/cfctrl.h linux-2.6.39.1/include/net/caif/cfctrl.h
65655 --- linux-2.6.39.1/include/net/caif/cfctrl.h 2011-05-19 00:06:34.000000000 -0400
65656 +++ linux-2.6.39.1/include/net/caif/cfctrl.h 2011-05-22 19:36:33.000000000 -0400
65657 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
65658 struct cfctrl {
65659 struct cfsrvl serv;
65660 struct cfctrl_rsp res;
65661 - atomic_t req_seq_no;
65662 - atomic_t rsp_seq_no;
65663 + atomic_unchecked_t req_seq_no;
65664 + atomic_unchecked_t rsp_seq_no;
65665 struct list_head list;
65666 /* Protects from simultaneous access to first_req list */
65667 spinlock_t info_list_lock;
65668 diff -urNp linux-2.6.39.1/include/net/flow.h linux-2.6.39.1/include/net/flow.h
65669 --- linux-2.6.39.1/include/net/flow.h 2011-05-19 00:06:34.000000000 -0400
65670 +++ linux-2.6.39.1/include/net/flow.h 2011-05-22 19:36:33.000000000 -0400
65671 @@ -167,6 +167,6 @@ extern struct flow_cache_object *flow_ca
65672 u8 dir, flow_resolve_t resolver, void *ctx);
65673
65674 extern void flow_cache_flush(void);
65675 -extern atomic_t flow_cache_genid;
65676 +extern atomic_unchecked_t flow_cache_genid;
65677
65678 #endif
65679 diff -urNp linux-2.6.39.1/include/net/inetpeer.h linux-2.6.39.1/include/net/inetpeer.h
65680 --- linux-2.6.39.1/include/net/inetpeer.h 2011-05-19 00:06:34.000000000 -0400
65681 +++ linux-2.6.39.1/include/net/inetpeer.h 2011-05-22 19:36:33.000000000 -0400
65682 @@ -43,8 +43,8 @@ struct inet_peer {
65683 */
65684 union {
65685 struct {
65686 - atomic_t rid; /* Frag reception counter */
65687 - atomic_t ip_id_count; /* IP ID for the next packet */
65688 + atomic_unchecked_t rid; /* Frag reception counter */
65689 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
65690 __u32 tcp_ts;
65691 __u32 tcp_ts_stamp;
65692 u32 metrics[RTAX_MAX];
65693 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
65694 {
65695 more++;
65696 inet_peer_refcheck(p);
65697 - return atomic_add_return(more, &p->ip_id_count) - more;
65698 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
65699 }
65700
65701 #endif /* _NET_INETPEER_H */
65702 diff -urNp linux-2.6.39.1/include/net/ip_fib.h linux-2.6.39.1/include/net/ip_fib.h
65703 --- linux-2.6.39.1/include/net/ip_fib.h 2011-05-19 00:06:34.000000000 -0400
65704 +++ linux-2.6.39.1/include/net/ip_fib.h 2011-05-22 19:36:33.000000000 -0400
65705 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
65706
65707 #define FIB_RES_SADDR(net, res) \
65708 ((FIB_RES_NH(res).nh_saddr_genid == \
65709 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
65710 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
65711 FIB_RES_NH(res).nh_saddr : \
65712 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
65713 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
65714 diff -urNp linux-2.6.39.1/include/net/ip_vs.h linux-2.6.39.1/include/net/ip_vs.h
65715 --- linux-2.6.39.1/include/net/ip_vs.h 2011-05-19 00:06:34.000000000 -0400
65716 +++ linux-2.6.39.1/include/net/ip_vs.h 2011-05-22 19:36:33.000000000 -0400
65717 @@ -512,7 +512,7 @@ struct ip_vs_conn {
65718 struct ip_vs_conn *control; /* Master control connection */
65719 atomic_t n_control; /* Number of controlled ones */
65720 struct ip_vs_dest *dest; /* real server */
65721 - atomic_t in_pkts; /* incoming packet counter */
65722 + atomic_unchecked_t in_pkts; /* incoming packet counter */
65723
65724 /* packet transmitter for different forwarding methods. If it
65725 mangles the packet, it must return NF_DROP or better NF_STOLEN,
65726 @@ -650,7 +650,7 @@ struct ip_vs_dest {
65727 __be16 port; /* port number of the server */
65728 union nf_inet_addr addr; /* IP address of the server */
65729 volatile unsigned flags; /* dest status flags */
65730 - atomic_t conn_flags; /* flags to copy to conn */
65731 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
65732 atomic_t weight; /* server weight */
65733
65734 atomic_t refcnt; /* reference counter */
65735 diff -urNp linux-2.6.39.1/include/net/irda/ircomm_tty.h linux-2.6.39.1/include/net/irda/ircomm_tty.h
65736 --- linux-2.6.39.1/include/net/irda/ircomm_tty.h 2011-05-19 00:06:34.000000000 -0400
65737 +++ linux-2.6.39.1/include/net/irda/ircomm_tty.h 2011-05-22 19:36:33.000000000 -0400
65738 @@ -35,6 +35,7 @@
65739 #include <linux/termios.h>
65740 #include <linux/timer.h>
65741 #include <linux/tty.h> /* struct tty_struct */
65742 +#include <asm/local.h>
65743
65744 #include <net/irda/irias_object.h>
65745 #include <net/irda/ircomm_core.h>
65746 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
65747 unsigned short close_delay;
65748 unsigned short closing_wait; /* time to wait before closing */
65749
65750 - int open_count;
65751 - int blocked_open; /* # of blocked opens */
65752 + local_t open_count;
65753 + local_t blocked_open; /* # of blocked opens */
65754
65755 /* Protect concurent access to :
65756 * o self->open_count
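Review bot: `open_count` and `blocked_open` become `local_t`, but the comment that follows still lists `self->open_count` as a field protected against concurrent access, and `local_t` operations are atomic only with respect to the CPU they run on. The type change therefore does not replace that protection, and every plain read or write of the two fields has to become a `local_read()`/`local_inc()`/`local_dec()` call; those users are outside this hunk. I would state this at the declaration: `local_t open_count; /* local_*() accessors only; still covered by the lock described below */`. The struct and the comment block both continue past the end of the hunk.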
65757 diff -urNp linux-2.6.39.1/include/net/iucv/af_iucv.h linux-2.6.39.1/include/net/iucv/af_iucv.h
65758 --- linux-2.6.39.1/include/net/iucv/af_iucv.h 2011-05-19 00:06:34.000000000 -0400
65759 +++ linux-2.6.39.1/include/net/iucv/af_iucv.h 2011-05-22 19:36:33.000000000 -0400
65760 @@ -87,7 +87,7 @@ struct iucv_sock {
65761 struct iucv_sock_list {
65762 struct hlist_head head;
65763 rwlock_t lock;
65764 - atomic_t autobind_name;
65765 + atomic_unchecked_t autobind_name;
65766 };
65767
65768 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
65769 diff -urNp linux-2.6.39.1/include/net/neighbour.h linux-2.6.39.1/include/net/neighbour.h
65770 --- linux-2.6.39.1/include/net/neighbour.h 2011-05-19 00:06:34.000000000 -0400
65771 +++ linux-2.6.39.1/include/net/neighbour.h 2011-05-22 19:36:33.000000000 -0400
65772 @@ -118,12 +118,12 @@ struct neighbour {
65773
65774 struct neigh_ops {
65775 int family;
65776 - void (*solicit)(struct neighbour *, struct sk_buff*);
65777 - void (*error_report)(struct neighbour *, struct sk_buff*);
65778 - int (*output)(struct sk_buff*);
65779 - int (*connected_output)(struct sk_buff*);
65780 - int (*hh_output)(struct sk_buff*);
65781 - int (*queue_xmit)(struct sk_buff*);
65782 + void (* const solicit)(struct neighbour *, struct sk_buff*);
65783 + void (* const error_report)(struct neighbour *, struct sk_buff*);
65784 + int (* const output)(struct sk_buff*);
65785 + int (* const connected_output)(struct sk_buff*);
65786 + int (* const hh_output)(struct sk_buff*);
65787 + int (* const queue_xmit)(struct sk_buff*);
65788 };
65789
65790 struct pneigh_entry {
65791 diff -urNp linux-2.6.39.1/include/net/netfilter/nf_conntrack_ecache.h linux-2.6.39.1/include/net/netfilter/nf_conntrack_ecache.h
65792 --- linux-2.6.39.1/include/net/netfilter/nf_conntrack_ecache.h 2011-05-19 00:06:34.000000000 -0400
65793 +++ linux-2.6.39.1/include/net/netfilter/nf_conntrack_ecache.h 2011-05-22 19:36:33.000000000 -0400
65794 @@ -95,7 +95,7 @@ nf_conntrack_eventmask_report(unsigned i
65795 int report)
65796 {
65797 int ret = 0;
65798 - struct nf_ct_event_notifier *notify;
65799 + const struct nf_ct_event_notifier *notify;
65800 struct nf_conntrack_ecache *e;
65801
65802 rcu_read_lock();
65803 @@ -174,7 +174,7 @@ nf_ct_expect_event_report(enum ip_conntr
65804 u32 pid,
65805 int report)
65806 {
65807 - struct nf_exp_event_notifier *notify;
65808 + const struct nf_exp_event_notifier *notify;
65809 struct nf_conntrack_ecache *e;
65810
65811 rcu_read_lock();
65812 diff -urNp linux-2.6.39.1/include/net/netlink.h linux-2.6.39.1/include/net/netlink.h
65813 --- linux-2.6.39.1/include/net/netlink.h 2011-05-19 00:06:34.000000000 -0400
65814 +++ linux-2.6.39.1/include/net/netlink.h 2011-05-22 19:36:33.000000000 -0400
65815 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
65816 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
65817 {
65818 if (mark)
65819 - skb_trim(skb, (unsigned char *) mark - skb->data);
65820 + skb_trim(skb, (const unsigned char *) mark - skb->data);
65821 }
65822
65823 /**
65824 diff -urNp linux-2.6.39.1/include/net/netns/ipv4.h linux-2.6.39.1/include/net/netns/ipv4.h
65825 --- linux-2.6.39.1/include/net/netns/ipv4.h 2011-05-19 00:06:34.000000000 -0400
65826 +++ linux-2.6.39.1/include/net/netns/ipv4.h 2011-05-22 19:36:33.000000000 -0400
65827 @@ -54,8 +54,8 @@ struct netns_ipv4 {
65828 int sysctl_rt_cache_rebuild_count;
65829 int current_rt_cache_rebuild_count;
65830
65831 - atomic_t rt_genid;
65832 - atomic_t dev_addr_genid;
65833 + atomic_unchecked_t rt_genid;
65834 + atomic_unchecked_t dev_addr_genid;
65835
65836 #ifdef CONFIG_IP_MROUTE
65837 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
65838 diff -urNp linux-2.6.39.1/include/net/sctp/sctp.h linux-2.6.39.1/include/net/sctp/sctp.h
65839 --- linux-2.6.39.1/include/net/sctp/sctp.h 2011-05-19 00:06:34.000000000 -0400
65840 +++ linux-2.6.39.1/include/net/sctp/sctp.h 2011-05-22 19:36:33.000000000 -0400
65841 @@ -316,9 +316,9 @@ do { \
65842
65843 #else /* SCTP_DEBUG */
65844
65845 -#define SCTP_DEBUG_PRINTK(whatever...)
65846 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
65847 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
65848 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
65849 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
65850 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
65851 #define SCTP_ENABLE_DEBUG
65852 #define SCTP_DISABLE_DEBUG
65853 #define SCTP_ASSERT(expr, str, func)
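Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing, so the empty-statement problem fixed for the three `SCTP_DEBUG_PRINTK*` macros remains for them: `if (cond) SCTP_ASSERT(...);` leaves an empty `if` body that compilers warn about and that can hide a missing brace. Giving them the same body keeps the branch consistent, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`. Check how the two flag macros are written and used in the `SCTP_DEBUG` branch before changing them, since that branch starts before this hunk.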
65854 diff -urNp linux-2.6.39.1/include/net/sock.h linux-2.6.39.1/include/net/sock.h
65855 --- linux-2.6.39.1/include/net/sock.h 2011-05-19 00:06:34.000000000 -0400
65856 +++ linux-2.6.39.1/include/net/sock.h 2011-05-22 19:36:33.000000000 -0400
65857 @@ -277,7 +277,7 @@ struct sock {
65858 #ifdef CONFIG_RPS
65859 __u32 sk_rxhash;
65860 #endif
65861 - atomic_t sk_drops;
65862 + atomic_unchecked_t sk_drops;
65863 int sk_rcvbuf;
65864
65865 struct sk_filter __rcu *sk_filter;
65866 diff -urNp linux-2.6.39.1/include/net/tcp.h linux-2.6.39.1/include/net/tcp.h
65867 --- linux-2.6.39.1/include/net/tcp.h 2011-05-19 00:06:34.000000000 -0400
65868 +++ linux-2.6.39.1/include/net/tcp.h 2011-05-22 19:36:33.000000000 -0400
65869 @@ -1374,7 +1374,7 @@ enum tcp_seq_states {
65870 struct tcp_seq_afinfo {
65871 char *name;
65872 sa_family_t family;
65873 - struct file_operations seq_fops;
65874 + struct file_operations seq_fops; /* cannot be const */
65875 struct seq_operations seq_ops;
65876 };
65877
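Review bot: The new `/* cannot be const */` comment on `seq_fops` records the decision but not the reason, which is what the next person trying to constify this table needs. Presumably the members are filled in when the afinfo is registered; if so, `/* cannot be const: members are assigned at registration time */` says it, and the same wording applies to the identical comment added to `struct udp_seq_afinfo` in udp.h. `seq_ops` directly below is just as writable and carries no marker at all.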
65878 diff -urNp linux-2.6.39.1/include/net/udp.h linux-2.6.39.1/include/net/udp.h
65879 --- linux-2.6.39.1/include/net/udp.h 2011-05-19 00:06:34.000000000 -0400
65880 +++ linux-2.6.39.1/include/net/udp.h 2011-05-22 19:36:33.000000000 -0400
65881 @@ -234,7 +234,7 @@ struct udp_seq_afinfo {
65882 char *name;
65883 sa_family_t family;
65884 struct udp_table *udp_table;
65885 - struct file_operations seq_fops;
65886 + struct file_operations seq_fops; /* cannot be const */
65887 struct seq_operations seq_ops;
65888 };
65889
65890 diff -urNp linux-2.6.39.1/include/net/xfrm.h linux-2.6.39.1/include/net/xfrm.h
65891 --- linux-2.6.39.1/include/net/xfrm.h 2011-05-19 00:06:34.000000000 -0400
65892 +++ linux-2.6.39.1/include/net/xfrm.h 2011-05-22 19:36:33.000000000 -0400
65893 @@ -505,7 +505,7 @@ struct xfrm_policy {
65894 struct timer_list timer;
65895
65896 struct flow_cache_object flo;
65897 - atomic_t genid;
65898 + atomic_unchecked_t genid;
65899 u32 priority;
65900 u32 index;
65901 struct xfrm_mark mark;
65902 diff -urNp linux-2.6.39.1/include/pcmcia/ss.h linux-2.6.39.1/include/pcmcia/ss.h
65903 --- linux-2.6.39.1/include/pcmcia/ss.h 2011-05-19 00:06:34.000000000 -0400
65904 +++ linux-2.6.39.1/include/pcmcia/ss.h 2011-05-22 19:36:33.000000000 -0400
65905 @@ -241,9 +241,9 @@ struct pcmcia_socket {
65906 * "select PCCARD_NONSTATIC" in Kconfig.
65907 *
65908 */
65909 -extern struct pccard_resource_ops pccard_static_ops;
65910 +extern const struct pccard_resource_ops pccard_static_ops;
65911 #if defined(CONFIG_PCMCIA) || defined(CONFIG_PCMCIA_MODULE)
65912 -extern struct pccard_resource_ops pccard_iodyn_ops;
65913 +extern const struct pccard_resource_ops pccard_iodyn_ops;
65914 extern struct pccard_resource_ops pccard_nonstatic_ops;
65915 #else
65916 /* If PCMCIA is not used, but only CARDBUS, these functions are not used
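Review bot: `pccard_nonstatic_ops` stays a writable `struct pccard_resource_ops` while its two siblings become `const`, and nothing says whether that is an oversight or a requirement. If it can be constified, the line should read `extern const struct pccard_resource_ops pccard_nonstatic_ops;`; if it cannot, mark it the way tcp.h does in this patch and give the reason in the comment. The definitions of all three tables, and the pointer in `struct pcmcia_socket` that stores them, are outside this hunk and must carry the same qualifier.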
65917 diff -urNp linux-2.6.39.1/include/rdma/ib_verbs.h linux-2.6.39.1/include/rdma/ib_verbs.h
65918 --- linux-2.6.39.1/include/rdma/ib_verbs.h 2011-05-19 00:06:34.000000000 -0400
65919 +++ linux-2.6.39.1/include/rdma/ib_verbs.h 2011-05-22 19:36:33.000000000 -0400
65920 @@ -1149,7 +1149,7 @@ struct ib_device {
65921 struct ib_mad *in_mad,
65922 struct ib_mad *out_mad);
65923
65924 - struct ib_dma_mapping_ops *dma_ops;
65925 + const struct ib_dma_mapping_ops *dma_ops;
65926
65927 struct module *owner;
65928 struct device dev;
65929 diff -urNp linux-2.6.39.1/include/scsi/libfc.h linux-2.6.39.1/include/scsi/libfc.h
65930 --- linux-2.6.39.1/include/scsi/libfc.h 2011-05-19 00:06:34.000000000 -0400
65931 +++ linux-2.6.39.1/include/scsi/libfc.h 2011-05-22 19:36:33.000000000 -0400
65932 @@ -202,7 +202,7 @@ struct fc_rport_priv {
65933 struct mutex rp_mutex;
65934 struct delayed_work retry_work;
65935 enum fc_rport_event event;
65936 - struct fc_rport_operations *ops;
65937 + const struct fc_rport_operations *ops;
65938 struct list_head peers;
65939 struct work_struct event_work;
65940 u32 supported_classes;
65941 diff -urNp linux-2.6.39.1/include/scsi/scsi_device.h linux-2.6.39.1/include/scsi/scsi_device.h
65942 --- linux-2.6.39.1/include/scsi/scsi_device.h 2011-05-19 00:06:34.000000000 -0400
65943 +++ linux-2.6.39.1/include/scsi/scsi_device.h 2011-05-22 19:36:33.000000000 -0400
65944 @@ -161,9 +161,9 @@ struct scsi_device {
65945 unsigned int max_device_blocked; /* what device_blocked counts down from */
65946 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
65947
65948 - atomic_t iorequest_cnt;
65949 - atomic_t iodone_cnt;
65950 - atomic_t ioerr_cnt;
65951 + atomic_unchecked_t iorequest_cnt;
65952 + atomic_unchecked_t iodone_cnt;
65953 + atomic_unchecked_t ioerr_cnt;
65954
65955 struct device sdev_gendev,
65956 sdev_dev;
65957 diff -urNp linux-2.6.39.1/include/sound/ac97_codec.h linux-2.6.39.1/include/sound/ac97_codec.h
65958 --- linux-2.6.39.1/include/sound/ac97_codec.h 2011-05-19 00:06:34.000000000 -0400
65959 +++ linux-2.6.39.1/include/sound/ac97_codec.h 2011-05-22 19:36:33.000000000 -0400
65960 @@ -424,15 +424,15 @@
65961 struct snd_ac97;
65962
65963 struct snd_ac97_build_ops {
65964 - int (*build_3d) (struct snd_ac97 *ac97);
65965 - int (*build_specific) (struct snd_ac97 *ac97);
65966 - int (*build_spdif) (struct snd_ac97 *ac97);
65967 - int (*build_post_spdif) (struct snd_ac97 *ac97);
65968 + int (* const build_3d) (struct snd_ac97 *ac97);
65969 + int (* const build_specific) (struct snd_ac97 *ac97);
65970 + int (* const build_spdif) (struct snd_ac97 *ac97);
65971 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
65972 #ifdef CONFIG_PM
65973 - void (*suspend) (struct snd_ac97 *ac97);
65974 - void (*resume) (struct snd_ac97 *ac97);
65975 + void (* const suspend) (struct snd_ac97 *ac97);
65976 + void (* const resume) (struct snd_ac97 *ac97);
65977 #endif
65978 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
65979 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
65980 };
65981
65982 struct snd_ac97_bus_ops {
65983 @@ -446,7 +446,7 @@ struct snd_ac97_bus_ops {
65984
65985 struct snd_ac97_bus {
65986 /* -- lowlevel (hardware) driver specific -- */
65987 - struct snd_ac97_bus_ops *ops;
65988 + const struct snd_ac97_bus_ops *ops;
65989 void *private_data;
65990 void (*private_free) (struct snd_ac97_bus *bus);
65991 /* --- */
65992 @@ -556,7 +556,7 @@ static inline int ac97_can_spdif(struct
65993
65994 /* functions */
65995 /* create new AC97 bus */
65996 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
65997 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
65998 void *private_data, struct snd_ac97_bus **rbus);
65999 /* create mixer controls */
66000 int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
66001 diff -urNp linux-2.6.39.1/include/sound/core.h linux-2.6.39.1/include/sound/core.h
66002 --- linux-2.6.39.1/include/sound/core.h 2011-05-19 00:06:34.000000000 -0400
66003 +++ linux-2.6.39.1/include/sound/core.h 2011-05-22 19:36:33.000000000 -0400
66004 @@ -88,7 +88,7 @@ struct snd_device {
66005 snd_device_state_t state; /* state of the device */
66006 snd_device_type_t type; /* device type */
66007 void *device_data; /* device structure */
66008 - struct snd_device_ops *ops; /* operations */
66009 + const struct snd_device_ops *ops; /* operations */
66010 };
66011
66012 #define snd_device(n) list_entry(n, struct snd_device, list)
66013 @@ -301,7 +301,7 @@ int snd_card_file_remove(struct snd_card
66014 /* device.c */
66015
66016 int snd_device_new(struct snd_card *card, snd_device_type_t type,
66017 - void *device_data, struct snd_device_ops *ops);
66018 + void *device_data, const struct snd_device_ops *ops);
66019 int snd_device_register(struct snd_card *card, void *device_data);
66020 int snd_device_register_all(struct snd_card *card);
66021 int snd_device_disconnect(struct snd_card *card, void *device_data);
66022 diff -urNp linux-2.6.39.1/include/sound/pcm.h linux-2.6.39.1/include/sound/pcm.h
66023 --- linux-2.6.39.1/include/sound/pcm.h 2011-05-19 00:06:34.000000000 -0400
66024 +++ linux-2.6.39.1/include/sound/pcm.h 2011-05-22 19:36:33.000000000 -0400
66025 @@ -379,7 +379,7 @@ struct snd_pcm_substream {
66026 unsigned int dma_buf_id;
66027 size_t dma_max;
66028 /* -- hardware operations -- */
66029 - struct snd_pcm_ops *ops;
66030 + const struct snd_pcm_ops *ops;
66031 /* -- runtime information -- */
66032 struct snd_pcm_runtime *runtime;
66033 /* -- timer section -- */
66034 @@ -845,7 +845,7 @@ const unsigned char *snd_pcm_format_sile
66035 int snd_pcm_format_set_silence(snd_pcm_format_t format, void *buf, unsigned int frames);
66036 snd_pcm_format_t snd_pcm_build_linear_format(int width, int unsignd, int big_endian);
66037
66038 -void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, struct snd_pcm_ops *ops);
66039 +void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, const struct snd_pcm_ops *ops);
66040 void snd_pcm_set_sync(struct snd_pcm_substream *substream);
66041 int snd_pcm_lib_interleave_len(struct snd_pcm_substream *substream);
66042 int snd_pcm_lib_ioctl(struct snd_pcm_substream *substream,
66043 diff -urNp linux-2.6.39.1/include/sound/rawmidi.h linux-2.6.39.1/include/sound/rawmidi.h
66044 --- linux-2.6.39.1/include/sound/rawmidi.h 2011-05-19 00:06:34.000000000 -0400
66045 +++ linux-2.6.39.1/include/sound/rawmidi.h 2011-05-22 19:36:33.000000000 -0400
66046 @@ -100,7 +100,7 @@ struct snd_rawmidi_substream {
66047 struct snd_rawmidi_runtime *runtime;
66048 struct pid *pid;
66049 /* hardware layer */
66050 - struct snd_rawmidi_ops *ops;
66051 + const struct snd_rawmidi_ops *ops;
66052 };
66053
66054 struct snd_rawmidi_file {
66055 @@ -127,7 +127,7 @@ struct snd_rawmidi {
66056 int ossreg;
66057 #endif
66058
66059 - struct snd_rawmidi_global_ops *ops;
66060 + const struct snd_rawmidi_global_ops *ops;
66061
66062 struct snd_rawmidi_str streams[2];
66063
66064 @@ -151,7 +151,7 @@ int snd_rawmidi_new(struct snd_card *car
66065 int output_count, int input_count,
66066 struct snd_rawmidi **rmidi);
66067 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
66068 - struct snd_rawmidi_ops *ops);
66069 + const struct snd_rawmidi_ops *ops);
66070
66071 /* callbacks */
66072
66073 diff -urNp linux-2.6.39.1/include/sound/seq_device.h linux-2.6.39.1/include/sound/seq_device.h
66074 --- linux-2.6.39.1/include/sound/seq_device.h 2011-05-19 00:06:34.000000000 -0400
66075 +++ linux-2.6.39.1/include/sound/seq_device.h 2011-05-22 19:36:33.000000000 -0400
66076 @@ -69,7 +69,7 @@ struct snd_seq_dev_ops {
66077 */
66078 void snd_seq_device_load_drivers(void);
66079 int snd_seq_device_new(struct snd_card *card, int device, char *id, int argsize, struct snd_seq_device **result);
66080 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry, int argsize);
66081 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry, int argsize);
66082 int snd_seq_device_unregister_driver(char *id);
66083
66084 #define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
66085 diff -urNp linux-2.6.39.1/include/sound/snd_wavefront.h linux-2.6.39.1/include/sound/snd_wavefront.h
66086 --- linux-2.6.39.1/include/sound/snd_wavefront.h 2011-05-19 00:06:34.000000000 -0400
66087 +++ linux-2.6.39.1/include/sound/snd_wavefront.h 2011-05-22 19:36:33.000000000 -0400
66088 @@ -37,8 +37,8 @@ struct _snd_wavefront_midi {
66089 #define MPU_ACK 0xFE
66090 #define UART_MODE_ON 0x3F
66091
66092 -extern struct snd_rawmidi_ops snd_wavefront_midi_output;
66093 -extern struct snd_rawmidi_ops snd_wavefront_midi_input;
66094 +extern const struct snd_rawmidi_ops snd_wavefront_midi_output;
66095 +extern const struct snd_rawmidi_ops snd_wavefront_midi_input;
66096
66097 extern void snd_wavefront_midi_enable_virtual (snd_wavefront_card_t *);
66098 extern void snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *);
66099 diff -urNp linux-2.6.39.1/include/sound/soc.h linux-2.6.39.1/include/sound/soc.h
66100 --- linux-2.6.39.1/include/sound/soc.h 2011-05-19 00:06:34.000000000 -0400
66101 +++ linux-2.6.39.1/include/sound/soc.h 2011-05-22 19:36:33.000000000 -0400
66102 @@ -245,7 +245,7 @@ struct snd_soc_jack_gpio;
66103
66104 typedef int (*hw_write_t)(void *,const char* ,int);
66105
66106 -extern struct snd_ac97_bus_ops soc_ac97_ops;
66107 +extern const struct snd_ac97_bus_ops soc_ac97_ops;
66108
66109 enum snd_soc_control_type {
66110 SND_SOC_CUSTOM,
66111 diff -urNp linux-2.6.39.1/include/sound/ymfpci.h linux-2.6.39.1/include/sound/ymfpci.h
66112 --- linux-2.6.39.1/include/sound/ymfpci.h 2011-05-19 00:06:34.000000000 -0400
66113 +++ linux-2.6.39.1/include/sound/ymfpci.h 2011-05-22 19:36:33.000000000 -0400
66114 @@ -358,7 +358,7 @@ struct snd_ymfpci {
66115 spinlock_t reg_lock;
66116 spinlock_t voice_lock;
66117 wait_queue_head_t interrupt_sleep;
66118 - atomic_t interrupt_sleep_count;
66119 + atomic_unchecked_t interrupt_sleep_count;
66120 struct snd_info_entry *proc_entry;
66121 const struct firmware *dsp_microcode;
66122 const struct firmware *controller_microcode;
66123 diff -urNp linux-2.6.39.1/include/target/target_core_base.h linux-2.6.39.1/include/target/target_core_base.h
66124 --- linux-2.6.39.1/include/target/target_core_base.h 2011-06-03 00:04:14.000000000 -0400
66125 +++ linux-2.6.39.1/include/target/target_core_base.h 2011-06-03 00:32:08.000000000 -0400
66126 @@ -432,8 +432,8 @@ struct se_transport_task {
66127 atomic_t t_task_cdbs_left;
66128 atomic_t t_task_cdbs_ex_left;
66129 atomic_t t_task_cdbs_timeout_left;
66130 - atomic_t t_task_cdbs_sent;
66131 - atomic_t t_transport_aborted;
66132 + atomic_unchecked_t t_task_cdbs_sent;
66133 + atomic_unchecked_t t_transport_aborted;
66134 atomic_t t_transport_active;
66135 atomic_t t_transport_complete;
66136 atomic_t t_transport_queue_active;
66137 @@ -774,7 +774,7 @@ struct se_device {
66138 atomic_t active_cmds;
66139 atomic_t simple_cmds;
66140 atomic_t depth_left;
66141 - atomic_t dev_ordered_id;
66142 + atomic_unchecked_t dev_ordered_id;
66143 atomic_t dev_tur_active;
66144 atomic_t execute_tasks;
66145 atomic_t dev_status_thr_count;
66146 diff -urNp linux-2.6.39.1/include/trace/events/irq.h linux-2.6.39.1/include/trace/events/irq.h
66147 --- linux-2.6.39.1/include/trace/events/irq.h 2011-05-19 00:06:34.000000000 -0400
66148 +++ linux-2.6.39.1/include/trace/events/irq.h 2011-05-22 19:36:33.000000000 -0400
66149 @@ -36,7 +36,7 @@ struct softirq_action;
66150 */
66151 TRACE_EVENT(irq_handler_entry,
66152
66153 - TP_PROTO(int irq, struct irqaction *action),
66154 + TP_PROTO(int irq, const struct irqaction *action),
66155
66156 TP_ARGS(irq, action),
66157
66158 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
66159 */
66160 TRACE_EVENT(irq_handler_exit,
66161
66162 - TP_PROTO(int irq, struct irqaction *action, int ret),
66163 + TP_PROTO(int irq, const struct irqaction *action, int ret),
66164
66165 TP_ARGS(irq, action, ret),
66166
66167 diff -urNp linux-2.6.39.1/include/video/udlfb.h linux-2.6.39.1/include/video/udlfb.h
66168 --- linux-2.6.39.1/include/video/udlfb.h 2011-05-19 00:06:34.000000000 -0400
66169 +++ linux-2.6.39.1/include/video/udlfb.h 2011-05-22 19:36:33.000000000 -0400
66170 @@ -51,10 +51,10 @@ struct dlfb_data {
66171 int base8;
66172 u32 pseudo_palette[256];
66173 /* blit-only rendering path metrics, exposed through sysfs */
66174 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66175 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
66176 - atomic_t bytes_sent; /* to usb, after compression including overhead */
66177 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
66178 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66179 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
66180 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
66181 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
66182 };
66183
66184 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
66185 diff -urNp linux-2.6.39.1/include/video/uvesafb.h linux-2.6.39.1/include/video/uvesafb.h
66186 --- linux-2.6.39.1/include/video/uvesafb.h 2011-05-19 00:06:34.000000000 -0400
66187 +++ linux-2.6.39.1/include/video/uvesafb.h 2011-05-22 19:36:33.000000000 -0400
66188 @@ -177,6 +177,7 @@ struct uvesafb_par {
66189 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66190 u8 pmi_setpal; /* PMI for palette changes */
66191 u16 *pmi_base; /* protected mode interface location */
66192 + u8 *pmi_code; /* protected mode code location */
66193 void *pmi_start;
66194 void *pmi_pal;
66195 u8 *vbe_state_orig; /*
66196 diff -urNp linux-2.6.39.1/init/do_mounts.c linux-2.6.39.1/init/do_mounts.c
66197 --- linux-2.6.39.1/init/do_mounts.c 2011-05-19 00:06:34.000000000 -0400
66198 +++ linux-2.6.39.1/init/do_mounts.c 2011-05-22 19:36:33.000000000 -0400
66199 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
66200
66201 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66202 {
66203 - int err = sys_mount(name, "/root", fs, flags, data);
66204 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66205 if (err)
66206 return err;
66207
66208 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
66209 va_start(args, fmt);
66210 vsprintf(buf, fmt, args);
66211 va_end(args);
66212 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66213 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66214 if (fd >= 0) {
66215 sys_ioctl(fd, FDEJECT, 0);
66216 sys_close(fd);
66217 }
66218 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66219 - fd = sys_open("/dev/console", O_RDWR, 0);
66220 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
66221 if (fd >= 0) {
66222 sys_ioctl(fd, TCGETS, (long)&termios);
66223 termios.c_lflag &= ~ICANON;
66224 sys_ioctl(fd, TCSETSF, (long)&termios);
66225 - sys_read(fd, &c, 1);
66226 + sys_read(fd, (char __user *)&c, 1);
66227 termios.c_lflag |= ICANON;
66228 sys_ioctl(fd, TCSETSF, (long)&termios);
66229 sys_close(fd);
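Review bot: The casts added in this hunk are inconsistent: `(char __user *)"/dev/root"` and `(char __user *)&c` omit `__force`, while the `/dev/console` call between them uses `(__force const char __user *)`. Without `__force` sparse is still expected to report the kernel-to-user address-space change, which is the warning the rest of this patch silences. I would write them as `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. change_floppy() starts and ends outside the hunk.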
66230 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
66231 mount_root();
66232 out:
66233 devtmpfs_mount("dev");
66234 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66235 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66236 sys_chroot((const char __user __force *)".");
66237 }
66238 diff -urNp linux-2.6.39.1/init/do_mounts.h linux-2.6.39.1/init/do_mounts.h
66239 --- linux-2.6.39.1/init/do_mounts.h 2011-05-19 00:06:34.000000000 -0400
66240 +++ linux-2.6.39.1/init/do_mounts.h 2011-05-22 19:36:33.000000000 -0400
66241 @@ -15,15 +15,15 @@ extern int root_mountflags;
66242
66243 static inline int create_dev(char *name, dev_t dev)
66244 {
66245 - sys_unlink(name);
66246 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66247 + sys_unlink((__force char __user *)name);
66248 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
66249 }
66250
66251 #if BITS_PER_LONG == 32
66252 static inline u32 bstat(char *name)
66253 {
66254 struct stat64 stat;
66255 - if (sys_stat64(name, &stat) != 0)
66256 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
66257 return 0;
66258 if (!S_ISBLK(stat.st_mode))
66259 return 0;
66260 diff -urNp linux-2.6.39.1/init/do_mounts_initrd.c linux-2.6.39.1/init/do_mounts_initrd.c
66261 --- linux-2.6.39.1/init/do_mounts_initrd.c 2011-05-19 00:06:34.000000000 -0400
66262 +++ linux-2.6.39.1/init/do_mounts_initrd.c 2011-05-22 19:36:33.000000000 -0400
66263 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
66264 create_dev("/dev/root.old", Root_RAM0);
66265 /* mount initrd on rootfs' /root */
66266 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66267 - sys_mkdir("/old", 0700);
66268 - root_fd = sys_open("/", 0, 0);
66269 - old_fd = sys_open("/old", 0, 0);
66270 + sys_mkdir((__force const char __user *)"/old", 0700);
66271 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
66272 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
66273 /* move initrd over / and chdir/chroot in initrd root */
66274 - sys_chdir("/root");
66275 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66276 - sys_chroot(".");
66277 + sys_chdir((__force const char __user *)"/root");
66278 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66279 + sys_chroot((__force const char __user *)".");
66280
66281 /*
66282 * In case that a resume from disk is carried out by linuxrc or one of
66283 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
66284
66285 /* move initrd to rootfs' /old */
66286 sys_fchdir(old_fd);
66287 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
66288 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
66289 /* switch root and cwd back to / of rootfs */
66290 sys_fchdir(root_fd);
66291 - sys_chroot(".");
66292 + sys_chroot((__force const char __user *)".");
66293 sys_close(old_fd);
66294 sys_close(root_fd);
66295
66296 if (new_decode_dev(real_root_dev) == Root_RAM0) {
66297 - sys_chdir("/old");
66298 + sys_chdir((__force const char __user *)"/old");
66299 return;
66300 }
66301
66302 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
66303 mount_root();
66304
66305 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66306 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66307 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
66308 if (!error)
66309 printk("okay\n");
66310 else {
66311 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
66312 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
66313 if (error == -ENOENT)
66314 printk("/initrd does not exist. Ignored.\n");
66315 else
66316 printk("failed\n");
66317 printk(KERN_NOTICE "Unmounting old root\n");
66318 - sys_umount("/old", MNT_DETACH);
66319 + sys_umount((__force char __user *)"/old", MNT_DETACH);
66320 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66321 if (fd < 0) {
66322 error = fd;
66323 @@ -116,11 +116,11 @@ int __init initrd_load(void)
66324 * mounted in the normal path.
66325 */
66326 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66327 - sys_unlink("/initrd.image");
66328 + sys_unlink((__force const char __user *)"/initrd.image");
66329 handle_initrd();
66330 return 1;
66331 }
66332 }
66333 - sys_unlink("/initrd.image");
66334 + sys_unlink((__force const char __user *)"/initrd.image");
66335 return 0;
66336 }
66337 diff -urNp linux-2.6.39.1/init/do_mounts_md.c linux-2.6.39.1/init/do_mounts_md.c
66338 --- linux-2.6.39.1/init/do_mounts_md.c 2011-05-19 00:06:34.000000000 -0400
66339 +++ linux-2.6.39.1/init/do_mounts_md.c 2011-05-22 19:36:33.000000000 -0400
66340 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66341 partitioned ? "_d" : "", minor,
66342 md_setup_args[ent].device_names);
66343
66344 - fd = sys_open(name, 0, 0);
66345 + fd = sys_open((__force char __user *)name, 0, 0);
66346 if (fd < 0) {
66347 printk(KERN_ERR "md: open failed - cannot start "
66348 "array %s\n", name);
66349 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66350 * array without it
66351 */
66352 sys_close(fd);
66353 - fd = sys_open(name, 0, 0);
66354 + fd = sys_open((__force char __user *)name, 0, 0);
66355 sys_ioctl(fd, BLKRRPART, 0);
66356 }
66357 sys_close(fd);
66358 diff -urNp linux-2.6.39.1/init/initramfs.c linux-2.6.39.1/init/initramfs.c
66359 --- linux-2.6.39.1/init/initramfs.c 2011-05-19 00:06:34.000000000 -0400
66360 +++ linux-2.6.39.1/init/initramfs.c 2011-05-22 19:36:33.000000000 -0400
66361 @@ -74,7 +74,7 @@ static void __init free_hash(void)
66362 }
66363 }
66364
66365 -static long __init do_utime(char __user *filename, time_t mtime)
66366 +static long __init do_utime(__force char __user *filename, time_t mtime)
66367 {
66368 struct timespec t[2];
66369
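Review bot: `__force` is attached to the parameter declaration of do_utime(), where there is no conversion for it to apply to; as far as I know the annotation is meant for cast expressions. Every call site changed in this file already casts with `(__force char __user *)`, so the prototype can stay `static long __init do_utime(char __user *filename, time_t mtime)`. A one-line comment on the function saying that callers pass kernel buffers during early boot would explain why all of them need the forced cast. The body of do_utime() continues outside the hunk.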
66370 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
66371 struct dir_entry *de, *tmp;
66372 list_for_each_entry_safe(de, tmp, &dir_list, list) {
66373 list_del(&de->list);
66374 - do_utime(de->name, de->mtime);
66375 + do_utime((__force char __user *)de->name, de->mtime);
66376 kfree(de->name);
66377 kfree(de);
66378 }
66379 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
66380 if (nlink >= 2) {
66381 char *old = find_link(major, minor, ino, mode, collected);
66382 if (old)
66383 - return (sys_link(old, collected) < 0) ? -1 : 1;
66384 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
66385 }
66386 return 0;
66387 }
66388 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
66389 {
66390 struct stat st;
66391
66392 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66393 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
66394 if (S_ISDIR(st.st_mode))
66395 - sys_rmdir(path);
66396 + sys_rmdir((__force char __user *)path);
66397 else
66398 - sys_unlink(path);
66399 + sys_unlink((__force char __user *)path);
66400 }
66401 }
66402
66403 @@ -305,7 +305,7 @@ static int __init do_name(void)
66404 int openflags = O_WRONLY|O_CREAT;
66405 if (ml != 1)
66406 openflags |= O_TRUNC;
66407 - wfd = sys_open(collected, openflags, mode);
66408 + wfd = sys_open((__force char __user *)collected, openflags, mode);
66409
66410 if (wfd >= 0) {
66411 sys_fchown(wfd, uid, gid);
66412 @@ -317,17 +317,17 @@ static int __init do_name(void)
66413 }
66414 }
66415 } else if (S_ISDIR(mode)) {
66416 - sys_mkdir(collected, mode);
66417 - sys_chown(collected, uid, gid);
66418 - sys_chmod(collected, mode);
66419 + sys_mkdir((__force char __user *)collected, mode);
66420 + sys_chown((__force char __user *)collected, uid, gid);
66421 + sys_chmod((__force char __user *)collected, mode);
66422 dir_add(collected, mtime);
66423 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66424 S_ISFIFO(mode) || S_ISSOCK(mode)) {
66425 if (maybe_link() == 0) {
66426 - sys_mknod(collected, mode, rdev);
66427 - sys_chown(collected, uid, gid);
66428 - sys_chmod(collected, mode);
66429 - do_utime(collected, mtime);
66430 + sys_mknod((__force char __user *)collected, mode, rdev);
66431 + sys_chown((__force char __user *)collected, uid, gid);
66432 + sys_chmod((__force char __user *)collected, mode);
66433 + do_utime((__force char __user *)collected, mtime);
66434 }
66435 }
66436 return 0;
66437 @@ -336,15 +336,15 @@ static int __init do_name(void)
66438 static int __init do_copy(void)
66439 {
66440 if (count >= body_len) {
66441 - sys_write(wfd, victim, body_len);
66442 + sys_write(wfd, (__force char __user *)victim, body_len);
66443 sys_close(wfd);
66444 - do_utime(vcollected, mtime);
66445 + do_utime((__force char __user *)vcollected, mtime);
66446 kfree(vcollected);
66447 eat(body_len);
66448 state = SkipIt;
66449 return 0;
66450 } else {
66451 - sys_write(wfd, victim, count);
66452 + sys_write(wfd, (__force char __user *)victim, count);
66453 body_len -= count;
66454 eat(count);
66455 return 1;
66456 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
66457 {
66458 collected[N_ALIGN(name_len) + body_len] = '\0';
66459 clean_path(collected, 0);
66460 - sys_symlink(collected + N_ALIGN(name_len), collected);
66461 - sys_lchown(collected, uid, gid);
66462 - do_utime(collected, mtime);
66463 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
66464 + sys_lchown((__force char __user *)collected, uid, gid);
66465 + do_utime((__force char __user *)collected, mtime);
66466 state = SkipIt;
66467 next_state = Reset;
66468 return 0;
66469 diff -urNp linux-2.6.39.1/init/Kconfig linux-2.6.39.1/init/Kconfig
66470 --- linux-2.6.39.1/init/Kconfig 2011-05-19 00:06:34.000000000 -0400
66471 +++ linux-2.6.39.1/init/Kconfig 2011-05-22 19:36:33.000000000 -0400
66472 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
66473
66474 config COMPAT_BRK
66475 bool "Disable heap randomization"
66476 - default y
66477 + default n
66478 help
66479 Randomizing heap placement makes heap exploits harder, but it
66480 also breaks ancient binaries (including anything libc5 based).
66481 diff -urNp linux-2.6.39.1/init/main.c linux-2.6.39.1/init/main.c
66482 --- linux-2.6.39.1/init/main.c 2011-06-03 00:04:14.000000000 -0400
66483 +++ linux-2.6.39.1/init/main.c 2011-06-03 00:32:08.000000000 -0400
66484 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
66485 extern void tc_init(void);
66486 #endif
66487
66488 +extern void grsecurity_init(void);
66489 +
66490 /*
66491 * Debug helper: via this flag we know that we are in 'early bootup code'
66492 * where only the boot processor is running with IRQ disabled. This means
66493 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
66494
66495 __setup("reset_devices", set_reset_devices);
66496
66497 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66498 +extern char pax_enter_kernel_user[];
66499 +extern char pax_exit_kernel_user[];
66500 +extern pgdval_t clone_pgd_mask;
66501 +#endif
66502 +
66503 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66504 +static int __init setup_pax_nouderef(char *str)
66505 +{
66506 +#ifdef CONFIG_X86_32
66507 + unsigned int cpu;
66508 + struct desc_struct *gdt;
66509 +
66510 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
66511 + gdt = get_cpu_gdt_table(cpu);
66512 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66513 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66514 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66515 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66516 + }
66517 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66518 +#else
66519 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66520 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66521 + clone_pgd_mask = ~(pgdval_t)0UL;
66522 +#endif
66523 +
66524 + return 0;
66525 +}
66526 +early_param("pax_nouderef", setup_pax_nouderef);
66527 +#endif
66528 +
66529 +#ifdef CONFIG_PAX_SOFTMODE
66530 +unsigned int pax_softmode;
66531 +
66532 +static int __init setup_pax_softmode(char *str)
66533 +{
66534 + get_option(&str, &pax_softmode);
66535 + return 1;
66536 +}
66537 +__setup("pax_softmode=", setup_pax_softmode);
66538 +#endif
66539 +
66540 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66541 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66542 static const char *panic_later, *panic_param;
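Review bot: setup_pax_nouderef() switches UDEREF off from the kernel command line without writing anything to the boot log, so nothing in dmesg records that the protection is inactive on that boot; a `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` would make that auditable. The x86_64 branch needs a comment: the single byte 0xc3 copied over pax_enter_kernel_user and pax_exit_kernel_user is the x86 `ret` opcode, presumably so that both stubs return at once, and clone_pgd_mask is set to all ones. In setup_pax_softmode(), pax_softmode is `unsigned int` while get_option() takes an `int *`, and its return value is ignored, so a malformed `pax_softmode=` argument is accepted with no diagnostic.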
66543 @@ -663,6 +708,7 @@ int __init_or_module do_one_initcall(ini
66544 {
66545 int count = preempt_count();
66546 int ret;
66547 + const char *msg1 = "", *msg2 = "";
66548
66549 if (initcall_debug)
66550 ret = do_one_initcall_debug(fn);
66551 @@ -675,15 +721,15 @@ int __init_or_module do_one_initcall(ini
66552 sprintf(msgbuf, "error code %d ", ret);
66553
66554 if (preempt_count() != count) {
66555 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
66556 + msg1 = " preemption imbalance";
66557 preempt_count() = count;
66558 }
66559 if (irqs_disabled()) {
66560 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
66561 + msg2 = " disabled interrupts";
66562 local_irq_enable();
66563 }
66564 - if (msgbuf[0]) {
66565 - printk("initcall %pF returned with %s\n", fn, msgbuf);
66566 + if (msgbuf[0] || *msg1 || *msg2) {
66567 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
66568 }
66569
66570 return ret;
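Review bot: The rewritten message no longer spaces its parts consistently: `msgbuf` is filled with `"error code %d "` (trailing space) and `msg1`/`msg2` each start with a space, so the printk emits two spaces between the parts, and also after "with" when `msgbuf` is empty. Dropping the leading space from the two literals and putting the separators in the format, `printk("initcall %pF returned with %s%s %s\n", ...)`, or trimming the trailing space in the sprintf() format, keeps the log line stable for anyone grepping boot logs. A short comment on why strlcat() into `msgbuf` was replaced would also help, since the hunk does not say. do_one_initcall() starts outside this hunk.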
66571 @@ -801,7 +847,7 @@ static int __init kernel_init(void * unu
66572 do_basic_setup();
66573
66574 /* Open the /dev/console on the rootfs, this should never fail */
66575 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
66576 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
66577 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
66578
66579 (void) sys_dup(0);
66580 @@ -814,11 +860,13 @@ static int __init kernel_init(void * unu
66581 if (!ramdisk_execute_command)
66582 ramdisk_execute_command = "/init";
66583
66584 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
66585 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
66586 ramdisk_execute_command = NULL;
66587 prepare_namespace();
66588 }
66589
66590 + grsecurity_init();
66591 +
66592 /*
66593 * Ok, we have completed the initial bootup, and
66594 * we're essentially up and running. Get rid of the
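Review bot: grsecurity_init() is called unconditionally in kernel_init() and is declared only by a bare `extern void grsecurity_init(void);` near the top of init/main.c (first hunk of this file), whereas the hooks added to ipc/shm.c in this patch sit inside `#ifdef CONFIG_GRKERNSEC`. Whether a definition exists when that option is off is not visible here, so the link-time assumption should be stated. Moving the prototype into a grsecurity header with a static inline no-op for the disabled case would let the compiler check the signature and remove the assumption. kernel_init() continues outside the hunk.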
66595 diff -urNp linux-2.6.39.1/ipc/mqueue.c linux-2.6.39.1/ipc/mqueue.c
66596 --- linux-2.6.39.1/ipc/mqueue.c 2011-05-19 00:06:34.000000000 -0400
66597 +++ linux-2.6.39.1/ipc/mqueue.c 2011-05-22 19:41:42.000000000 -0400
66598 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
66599 mq_bytes = (mq_msg_tblsz +
66600 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
66601
66602 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
66603 spin_lock(&mq_lock);
66604 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
66605 u->mq_bytes + mq_bytes >
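Review bot: The sum handed to gr_learn_resource() is computed before `spin_lock(&mq_lock);` and before the wrap-around test on the next line (`u->mq_bytes + mq_bytes < u->mq_bytes`), so the learned RLIMIT_MSGQUEUE figure can be based on a value of `u->mq_bytes` that is read without the lock that presumably protects it, and on a sum that has already overflowed. Moving the call below the lock, or passing a sum that has first been checked for wrap, would keep the learned value consistent with what the limit check sees. Whether gr_learn_resource() may run under a spinlock is not visible here and needs confirming. mqueue_get_inode() starts and ends outside the hunk.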
66606 diff -urNp linux-2.6.39.1/ipc/sem.c linux-2.6.39.1/ipc/sem.c
66607 --- linux-2.6.39.1/ipc/sem.c 2011-05-19 00:06:34.000000000 -0400
66608 +++ linux-2.6.39.1/ipc/sem.c 2011-05-22 19:36:33.000000000 -0400
66609 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
66610 int nsems;
66611 struct list_head tasks;
66612
66613 + pax_track_stack();
66614 +
66615 sma = sem_lock_check(ns, semid);
66616 if (IS_ERR(sma))
66617 return PTR_ERR(sma);
66618 @@ -1301,6 +1303,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
66619 struct ipc_namespace *ns;
66620 struct list_head tasks;
66621
66622 + pax_track_stack();
66623 +
66624 ns = current->nsproxy->ipc_ns;
66625
66626 if (nsops < 1 || semid < 0)
66627 diff -urNp linux-2.6.39.1/ipc/shm.c linux-2.6.39.1/ipc/shm.c
66628 --- linux-2.6.39.1/ipc/shm.c 2011-05-19 00:06:34.000000000 -0400
66629 +++ linux-2.6.39.1/ipc/shm.c 2011-05-22 19:41:42.000000000 -0400
66630 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
66631 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
66632 #endif
66633
66634 +#ifdef CONFIG_GRKERNSEC
66635 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66636 + const time_t shm_createtime, const uid_t cuid,
66637 + const int shmid);
66638 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66639 + const time_t shm_createtime);
66640 +#endif
66641 +
66642 void shm_init_ns(struct ipc_namespace *ns)
66643 {
66644 ns->shm_ctlmax = SHMMAX;
66645 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
66646 shp->shm_lprid = 0;
66647 shp->shm_atim = shp->shm_dtim = 0;
66648 shp->shm_ctim = get_seconds();
66649 +#ifdef CONFIG_GRKERNSEC
66650 + {
66651 + struct timespec timeval;
66652 + do_posix_clock_monotonic_gettime(&timeval);
66653 +
66654 + shp->shm_createtime = timeval.tv_sec;
66655 + }
66656 +#endif
66657 shp->shm_segsz = size;
66658 shp->shm_nattch = 0;
66659 shp->shm_file = file;
66660 @@ -762,8 +778,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
66661 case SHM_LOCK:
66662 case SHM_UNLOCK:
66663 {
66664 - struct file *uninitialized_var(shm_file);
66665 -
66666 lru_add_drain_all(); /* drain pagevecs to lru lists */
66667
66668 shp = shm_lock_check(ns, shmid);
66669 @@ -896,9 +910,21 @@ long do_shmat(int shmid, char __user *sh
66670 if (err)
66671 goto out_unlock;
66672
66673 +#ifdef CONFIG_GRKERNSEC
66674 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
66675 + shp->shm_perm.cuid, shmid) ||
66676 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
66677 + err = -EACCES;
66678 + goto out_unlock;
66679 + }
66680 +#endif
66681 +
66682 path = shp->shm_file->f_path;
66683 path_get(&path);
66684 shp->shm_nattch++;
66685 +#ifdef CONFIG_GRKERNSEC
66686 + shp->shm_lapid = current->pid;
66687 +#endif
66688 size = i_size_read(path.dentry->d_inode);
66689 shm_unlock(shp);
66690
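Review bot: The denial path added before `path = shp->shm_file->f_path;` has no comment, so a reader of do_shmat() cannot tell why an attach that passed the checks above is refused with -EACCES. A short comment would do, something like `/* grsecurity policy: may refuse the attach based on the segment's creator pid, last attacher pid and creation time */`, with the exact rule confirmed against the implementation. The same goes for `shp->shm_lapid = current->pid;`, which records the attacher for the next call. The two prototypes are declared with `extern` inside ipc/shm.c (first hunk of this file) rather than in a shared header, so a signature change in the implementation would not be caught by the compiler. do_shmat() starts and ends outside the hunk.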
66691 diff -urNp linux-2.6.39.1/kernel/acct.c linux-2.6.39.1/kernel/acct.c
66692 --- linux-2.6.39.1/kernel/acct.c 2011-05-19 00:06:34.000000000 -0400
66693 +++ linux-2.6.39.1/kernel/acct.c 2011-05-22 19:36:33.000000000 -0400
66694 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
66695 */
66696 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
66697 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
66698 - file->f_op->write(file, (char *)&ac,
66699 + file->f_op->write(file, (__force char __user *)&ac,
66700 sizeof(acct_t), &file->f_pos);
66701 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
66702 set_fs(fs);
66703 diff -urNp linux-2.6.39.1/kernel/audit.c linux-2.6.39.1/kernel/audit.c
66704 --- linux-2.6.39.1/kernel/audit.c 2011-05-19 00:06:34.000000000 -0400
66705 +++ linux-2.6.39.1/kernel/audit.c 2011-05-22 19:36:33.000000000 -0400
66706 @@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
66707 3) suppressed due to audit_rate_limit
66708 4) suppressed due to audit_backlog_limit
66709 */
66710 -static atomic_t audit_lost = ATOMIC_INIT(0);
66711 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
66712
66713 /* The netlink socket. */
66714 static struct sock *audit_sock;
66715 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
66716 unsigned long now;
66717 int print;
66718
66719 - atomic_inc(&audit_lost);
66720 + atomic_inc_unchecked(&audit_lost);
66721
66722 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
66723
66724 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
66725 printk(KERN_WARNING
66726 "audit: audit_lost=%d audit_rate_limit=%d "
66727 "audit_backlog_limit=%d\n",
66728 - atomic_read(&audit_lost),
66729 + atomic_read_unchecked(&audit_lost),
66730 audit_rate_limit,
66731 audit_backlog_limit);
66732 audit_panic(message);
66733 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
66734 status_set.pid = audit_pid;
66735 status_set.rate_limit = audit_rate_limit;
66736 status_set.backlog_limit = audit_backlog_limit;
66737 - status_set.lost = atomic_read(&audit_lost);
66738 + status_set.lost = atomic_read_unchecked(&audit_lost);
66739 status_set.backlog = skb_queue_len(&audit_skb_queue);
66740 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
66741 &status_set, sizeof(status_set));
66742 diff -urNp linux-2.6.39.1/kernel/auditsc.c linux-2.6.39.1/kernel/auditsc.c
66743 --- linux-2.6.39.1/kernel/auditsc.c 2011-05-19 00:06:34.000000000 -0400
66744 +++ linux-2.6.39.1/kernel/auditsc.c 2011-05-22 19:36:33.000000000 -0400
66745 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
66746 }
66747
66748 /* global counter which is incremented every time something logs in */
66749 -static atomic_t session_id = ATOMIC_INIT(0);
66750 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
66751
66752 /**
66753 * audit_set_loginuid - set a task's audit_context loginuid
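Review bot: Changing `session_id` to atomic_unchecked_t needs a comment, because this counter produces the audit session id in audit_set_loginuid() (next hunk) and the _unchecked type, as I read it, opts the variable out of the overflow detection applied to plain atomic_t. Session ids will therefore wrap and repeat silently once the counter overflows, which matters to anyone correlating audit records by session over a long uptime. If the wrap is accepted, say so next to the declaration, e.g. `/* not a reference count: wrap-around is tolerated, ids may repeat after 2^32 logins */`.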
66754 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
66755 */
66756 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
66757 {
66758 - unsigned int sessionid = atomic_inc_return(&session_id);
66759 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
66760 struct audit_context *context = task->audit_context;
66761
66762 if (context && context->in_syscall) {
66763 diff -urNp linux-2.6.39.1/kernel/capability.c linux-2.6.39.1/kernel/capability.c
66764 --- linux-2.6.39.1/kernel/capability.c 2011-05-19 00:06:34.000000000 -0400
66765 +++ linux-2.6.39.1/kernel/capability.c 2011-05-22 21:02:23.000000000 -0400
66766 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
66767 * before modification is attempted and the application
66768 * fails.
66769 */
66770 + if (tocopy > ARRAY_SIZE(kdata))
66771 + return -EFAULT;
66772 +
66773 if (copy_to_user(dataptr, kdata, tocopy
66774 * sizeof(struct __user_cap_data_struct))) {
66775 return -EFAULT;
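Review bot: The new bound on `tocopy` is not explained, and the comment directly above it still talks only about silently dropping the upper capabilities. A line such as `/* never copy more elements than kdata[] holds, whatever header version tocopy came from */` would state the invariant; where `tocopy` is set lies outside this hunk. The check compares element counts, which matches the `tocopy * sizeof(struct __user_cap_data_struct)` length used by copy_to_user() just below. Returning -EFAULT for an internal size mismatch is indistinguishable from a bad user pointer, so a WARN_ON_ONCE() alongside it would make the condition visible if it ever fires.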
66776 @@ -378,7 +381,7 @@ bool ns_capable(struct user_namespace *n
66777 BUG();
66778 }
66779
66780 - if (security_capable(ns, current_cred(), cap) == 0) {
66781 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
66782 current->flags |= PF_SUPERPRIV;
66783 return true;
66784 }
66785 @@ -386,6 +389,27 @@ bool ns_capable(struct user_namespace *n
66786 }
66787 EXPORT_SYMBOL(ns_capable);
66788
66789 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
66790 +{
66791 + if (unlikely(!cap_valid(cap))) {
66792 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
66793 + BUG();
66794 + }
66795 +
66796 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
66797 + current->flags |= PF_SUPERPRIV;
66798 + return true;
66799 + }
66800 + return false;
66801 +}
66802 +EXPORT_SYMBOL(ns_capable_nolog);
66803 +
66804 +bool capable_nolog(int cap)
66805 +{
66806 + return ns_capable_nolog(&init_user_ns, cap);
66807 +}
66808 +EXPORT_SYMBOL(capable_nolog);
66809 +
66810 /**
66811 * task_ns_capable - Determine whether current task has a superior
66812 * capability targeted at a specific task's user namespace.
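Review bot: ns_capable_nolog() and capable_nolog() are exported without kernel-doc, unlike the functions around them, and task_ns_capable_nolog() in the next hunk has the same gap; each needs a comment saying how it differs from its logging counterpart. From the visible code the only difference is that gr_is_capable_nolog() is called instead of gr_is_capable(). The BUG message was copied unchanged and still reads "capable() called with invalid cap=%u", which names the wrong function in a crash log and prints the `int cap` with `%u`; I would use `printk(KERN_CRIT "ns_capable_nolog() called with invalid cap=%d\n", cap);`. The body otherwise duplicates ns_capable(), so a shared static helper taking the grsecurity predicate would keep the two from drifting apart.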
66813 @@ -400,6 +424,12 @@ bool task_ns_capable(struct task_struct
66814 }
66815 EXPORT_SYMBOL(task_ns_capable);
66816
66817 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
66818 +{
66819 + return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
66820 +}
66821 +EXPORT_SYMBOL(task_ns_capable_nolog);
66822 +
66823 /**
66824 * nsown_capable - Check superior capability to one's own user_ns
66825 * @cap: The capability in question
66826 diff -urNp linux-2.6.39.1/kernel/cgroup.c linux-2.6.39.1/kernel/cgroup.c
66827 --- linux-2.6.39.1/kernel/cgroup.c 2011-05-19 00:06:34.000000000 -0400
66828 +++ linux-2.6.39.1/kernel/cgroup.c 2011-05-22 19:36:33.000000000 -0400
66829 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
66830 struct hlist_head *hhead;
66831 struct cg_cgroup_link *link;
66832
66833 + pax_track_stack();
66834 +
66835 /* First see if we already have a cgroup group that matches
66836 * the desired set */
66837 read_lock(&css_set_lock);
66838 diff -urNp linux-2.6.39.1/kernel/compat.c linux-2.6.39.1/kernel/compat.c
66839 --- linux-2.6.39.1/kernel/compat.c 2011-05-19 00:06:34.000000000 -0400
66840 +++ linux-2.6.39.1/kernel/compat.c 2011-05-22 19:41:42.000000000 -0400
66841 @@ -13,6 +13,7 @@
66842
66843 #include <linux/linkage.h>
66844 #include <linux/compat.h>
66845 +#include <linux/module.h>
66846 #include <linux/errno.h>
66847 #include <linux/time.h>
66848 #include <linux/signal.h>
66849 diff -urNp linux-2.6.39.1/kernel/configs.c linux-2.6.39.1/kernel/configs.c
66850 --- linux-2.6.39.1/kernel/configs.c 2011-05-19 00:06:34.000000000 -0400
66851 +++ linux-2.6.39.1/kernel/configs.c 2011-05-22 19:41:42.000000000 -0400
66852 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
66853 struct proc_dir_entry *entry;
66854
66855 /* create the current config file */
66856 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
66857 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
66858 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
66859 + &ikconfig_file_ops);
66860 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
66861 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
66862 + &ikconfig_file_ops);
66863 +#endif
66864 +#else
66865 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
66866 &ikconfig_file_ops);
66867 +#endif
66868 +
66869 if (!entry)
66870 return -ENOMEM;
66871
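Review bot: `entry` is left unassigned when CONFIG_GRKERNSEC_PROC_ADD is set but none of CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_HIDESYM and CONFIG_GRKERNSEC_PROC_USERGROUP is, because the inner `#if`/`#elif` has no `#else`; `if (!entry)` would then test an uninitialised pointer and /proc/config.gz would not be created. Kconfig dependencies may exclude that combination, but nothing in this hunk enforces it. Adding `#else` followed by `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before the inner `#endif` turns the assumption into a build-time check. ikconfig_init() continues outside the hunk.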
66872 diff -urNp linux-2.6.39.1/kernel/cred.c linux-2.6.39.1/kernel/cred.c
66873 --- linux-2.6.39.1/kernel/cred.c 2011-05-19 00:06:34.000000000 -0400
66874 +++ linux-2.6.39.1/kernel/cred.c 2011-05-22 19:41:42.000000000 -0400
66875 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
66876 */
66877 void __put_cred(struct cred *cred)
66878 {
66879 + pax_track_stack();
66880 +
66881 kdebug("__put_cred(%p{%d,%d})", cred,
66882 atomic_read(&cred->usage),
66883 read_cred_subscribers(cred));
66884 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
66885 {
66886 struct cred *cred;
66887
66888 + pax_track_stack();
66889 +
66890 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
66891 atomic_read(&tsk->cred->usage),
66892 read_cred_subscribers(tsk->cred));
66893 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
66894 {
66895 const struct cred *cred;
66896
66897 + pax_track_stack();
66898 +
66899 rcu_read_lock();
66900
66901 do {
66902 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
66903 {
66904 struct cred *new;
66905
66906 + pax_track_stack();
66907 +
66908 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
66909 if (!new)
66910 return NULL;
66911 @@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
66912 const struct cred *old;
66913 struct cred *new;
66914
66915 + pax_track_stack();
66916 +
66917 validate_process_creds();
66918
66919 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
66920 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
66921 struct thread_group_cred *tgcred = NULL;
66922 struct cred *new;
66923
66924 + pax_track_stack();
66925 +
66926 #ifdef CONFIG_KEYS
66927 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
66928 if (!tgcred)
66929 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
66930 struct cred *new;
66931 int ret;
66932
66933 + pax_track_stack();
66934 +
66935 if (
66936 #ifdef CONFIG_KEYS
66937 !p->cred->thread_keyring &&
66938 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
66939 struct task_struct *task = current;
66940 const struct cred *old = task->real_cred;
66941
66942 + pax_track_stack();
66943 +
66944 kdebug("commit_creds(%p{%d,%d})", new,
66945 atomic_read(&new->usage),
66946 read_cred_subscribers(new));
66947 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
66948
66949 get_cred(new); /* we will require a ref for the subj creds too */
66950
66951 + gr_set_role_label(task, new->uid, new->gid);
66952 +
66953 /* dumpability changes */
66954 if (old->euid != new->euid ||
66955 old->egid != new->egid ||
66956 @@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
66957 */
66958 void abort_creds(struct cred *new)
66959 {
66960 + pax_track_stack();
66961 +
66962 kdebug("abort_creds(%p{%d,%d})", new,
66963 atomic_read(&new->usage),
66964 read_cred_subscribers(new));
66965 @@ -574,6 +594,8 @@ const struct cred *override_creds(const
66966 {
66967 const struct cred *old = current->cred;
66968
66969 + pax_track_stack();
66970 +
66971 kdebug("override_creds(%p{%d,%d})", new,
66972 atomic_read(&new->usage),
66973 read_cred_subscribers(new));
66974 @@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
66975 {
66976 const struct cred *override = current->cred;
66977
66978 + pax_track_stack();
66979 +
66980 kdebug("revert_creds(%p{%d,%d})", old,
66981 atomic_read(&old->usage),
66982 read_cred_subscribers(old));
66983 @@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
66984 const struct cred *old;
66985 struct cred *new;
66986
66987 + pax_track_stack();
66988 +
66989 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
66990 if (!new)
66991 return NULL;
66992 @@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
66993 */
66994 int set_security_override(struct cred *new, u32 secid)
66995 {
66996 + pax_track_stack();
66997 +
66998 return security_kernel_act_as(new, secid);
66999 }
67000 EXPORT_SYMBOL(set_security_override);
67001 @@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
67002 u32 secid;
67003 int ret;
67004
67005 + pax_track_stack();
67006 +
67007 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67008 if (ret < 0)
67009 return ret;
67010 diff -urNp linux-2.6.39.1/kernel/debug/debug_core.c linux-2.6.39.1/kernel/debug/debug_core.c
67011 --- linux-2.6.39.1/kernel/debug/debug_core.c 2011-05-19 00:06:34.000000000 -0400
67012 +++ linux-2.6.39.1/kernel/debug/debug_core.c 2011-05-22 19:36:33.000000000 -0400
67013 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
67014 /* Guard for recursive entry */
67015 static int exception_level;
67016
67017 -struct kgdb_io *dbg_io_ops;
67018 +const struct kgdb_io *dbg_io_ops;
67019 static DEFINE_SPINLOCK(kgdb_registration_lock);
67020
67021 /* kgdb console driver is loaded */
67022 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
67023 */
67024 static atomic_t masters_in_kgdb;
67025 static atomic_t slaves_in_kgdb;
67026 -static atomic_t kgdb_break_tasklet_var;
67027 +static atomic_unchecked_t kgdb_break_tasklet_var;
67028 atomic_t kgdb_setting_breakpoint;
67029
67030 struct task_struct *kgdb_usethread;
67031 @@ -129,7 +129,7 @@ int kgdb_single_step;
67032 static pid_t kgdb_sstep_pid;
67033
67034 /* to keep track of the CPU which is doing the single stepping*/
67035 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67036 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67037
67038 /*
67039 * If you are debugging a problem where roundup (the collection of
67040 @@ -542,7 +542,7 @@ return_normal:
67041 * kernel will only try for the value of sstep_tries before
67042 * giving up and continuing on.
67043 */
67044 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67045 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67046 (kgdb_info[cpu].task &&
67047 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
67048 atomic_set(&kgdb_active, -1);
67049 @@ -636,8 +636,8 @@ cpu_master_loop:
67050 }
67051
67052 kgdb_restore:
67053 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
67054 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
67055 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
67056 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
67057 if (kgdb_info[sstep_cpu].task)
67058 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
67059 else
67060 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
67061 static void kgdb_tasklet_bpt(unsigned long ing)
67062 {
67063 kgdb_breakpoint();
67064 - atomic_set(&kgdb_break_tasklet_var, 0);
67065 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
67066 }
67067
67068 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
67069
67070 void kgdb_schedule_breakpoint(void)
67071 {
67072 - if (atomic_read(&kgdb_break_tasklet_var) ||
67073 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
67074 atomic_read(&kgdb_active) != -1 ||
67075 atomic_read(&kgdb_setting_breakpoint))
67076 return;
67077 - atomic_inc(&kgdb_break_tasklet_var);
67078 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
67079 tasklet_schedule(&kgdb_tasklet_breakpoint);
67080 }
67081 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
67082 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
67083 *
67084 * Register it with the KGDB core.
67085 */
67086 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
67087 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
67088 {
67089 int err;
67090
67091 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67092 *
67093 * Unregister it with the KGDB core.
67094 */
67095 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
67096 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
67097 {
67098 BUG_ON(kgdb_connected);
67099
67100 diff -urNp linux-2.6.39.1/kernel/debug/kdb/kdb_main.c linux-2.6.39.1/kernel/debug/kdb/kdb_main.c
67101 --- linux-2.6.39.1/kernel/debug/kdb/kdb_main.c 2011-05-19 00:06:34.000000000 -0400
67102 +++ linux-2.6.39.1/kernel/debug/kdb/kdb_main.c 2011-05-22 19:36:33.000000000 -0400
67103 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
67104 list_for_each_entry(mod, kdb_modules, list) {
67105
67106 kdb_printf("%-20s%8u 0x%p ", mod->name,
67107 - mod->core_size, (void *)mod);
67108 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
67109 #ifdef CONFIG_MODULE_UNLOAD
67110 kdb_printf("%4d ", module_refcount(mod));
67111 #endif
67112 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
67113 kdb_printf(" (Loading)");
67114 else
67115 kdb_printf(" (Live)");
67116 - kdb_printf(" 0x%p", mod->module_core);
67117 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67118
67119 #ifdef CONFIG_MODULE_UNLOAD
67120 {
67121 diff -urNp linux-2.6.39.1/kernel/exit.c linux-2.6.39.1/kernel/exit.c
67122 --- linux-2.6.39.1/kernel/exit.c 2011-05-19 00:06:34.000000000 -0400
67123 +++ linux-2.6.39.1/kernel/exit.c 2011-05-22 20:02:30.000000000 -0400
67124 @@ -57,6 +57,10 @@
67125 #include <asm/pgtable.h>
67126 #include <asm/mmu_context.h>
67127
67128 +#ifdef CONFIG_GRKERNSEC
67129 +extern rwlock_t grsec_exec_file_lock;
67130 +#endif
67131 +
67132 static void exit_mm(struct task_struct * tsk);
67133
67134 static void __unhash_process(struct task_struct *p, bool group_dead)
67135 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
67136 struct task_struct *leader;
67137 int zap_leader;
67138 repeat:
67139 + gr_del_task_from_ip_table(p);
67140 +
67141 tracehook_prepare_release_task(p);
67142 /* don't need to get the RCU readlock here - the process is dead and
67143 * can't be modifying its own credentials. But shut RCU-lockdep up */
67144 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
67145 {
67146 write_lock_irq(&tasklist_lock);
67147
67148 +#ifdef CONFIG_GRKERNSEC
67149 + write_lock(&grsec_exec_file_lock);
67150 + if (current->exec_file) {
67151 + fput(current->exec_file);
67152 + current->exec_file = NULL;
67153 + }
67154 + write_unlock(&grsec_exec_file_lock);
67155 +#endif
67156 +
67157 ptrace_unlink(current);
67158 /* Reparent to init */
67159 current->real_parent = current->parent = kthreadd_task;
67160 list_move_tail(&current->sibling, &current->real_parent->children);
67161
67162 + gr_set_kernel_label(current);
67163 +
67164 /* Set the exit signal to SIGCHLD so we signal init on exit */
67165 current->exit_signal = SIGCHLD;
67166
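Review bot: fput() is called here while both tasklist_lock (taken with write_lock_irq at the top of the hunk) and grsec_exec_file_lock are held. If it drops the last reference, the file's release path runs with interrupts disabled inside two spinning locks, and that path may sleep. The identical block in the daemonize() hunk below calls fput() under grsec_exec_file_lock. Detaching the pointer under the lock and calling fput() once no lock is held avoids this, and a small shared helper would keep the two duplicated sites in step. In reparent_to_kthreadd the release of tasklist_lock is outside this hunk, so the deferred fput() would have to follow that unlock; the sketch shows the daemonize() form.

```c
#ifdef CONFIG_GRKERNSEC
	/* struct file *old_exec_file; goes with the function's other locals */
	write_lock(&grsec_exec_file_lock);
	old_exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (old_exec_file)
		fput(old_exec_file);	/* may release the file; no lock held here */
#endif
```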
67167 @@ -394,7 +411,7 @@ int allow_signal(int sig)
67168 * know it'll be handled, so that they don't get converted to
67169 * SIGKILL or just silently dropped.
67170 */
67171 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67172 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67173 recalc_sigpending();
67174 spin_unlock_irq(&current->sighand->siglock);
67175 return 0;
67176 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
67177 vsnprintf(current->comm, sizeof(current->comm), name, args);
67178 va_end(args);
67179
67180 +#ifdef CONFIG_GRKERNSEC
67181 + write_lock(&grsec_exec_file_lock);
67182 + if (current->exec_file) {
67183 + fput(current->exec_file);
67184 + current->exec_file = NULL;
67185 + }
67186 + write_unlock(&grsec_exec_file_lock);
67187 +#endif
67188 +
67189 + gr_set_kernel_label(current);
67190 +
67191 /*
67192 * If we were started as result of loading a module, close all of the
67193 * user space pages. We don't need them, and if we didn't close them
67194 @@ -905,15 +933,8 @@ NORET_TYPE void do_exit(long code)
67195 struct task_struct *tsk = current;
67196 int group_dead;
67197
67198 - profile_task_exit(tsk);
67199 -
67200 - WARN_ON(atomic_read(&tsk->fs_excl));
67201 - WARN_ON(blk_needs_flush_plug(tsk));
67202 -
67203 if (unlikely(in_interrupt()))
67204 panic("Aiee, killing interrupt handler!");
67205 - if (unlikely(!tsk->pid))
67206 - panic("Attempted to kill the idle task!");
67207
67208 /*
67209 * If do_exit is called because this processes oopsed, it's possible
67210 @@ -924,6 +945,14 @@ NORET_TYPE void do_exit(long code)
67211 */
67212 set_fs(USER_DS);
67213
67214 + profile_task_exit(tsk);
67215 +
67216 + WARN_ON(atomic_read(&tsk->fs_excl));
67217 + WARN_ON(blk_needs_flush_plug(tsk));
67218 +
67219 + if (unlikely(!tsk->pid))
67220 + panic("Attempted to kill the idle task!");
67221 +
67222 tracehook_report_exit(&code);
67223
67224 validate_creds_for_do_exit(tsk);
67225 @@ -984,6 +1013,9 @@ NORET_TYPE void do_exit(long code)
67226 tsk->exit_code = code;
67227 taskstats_exit(tsk, group_dead);
67228
67229 + gr_acl_handle_psacct(tsk, code);
67230 + gr_acl_handle_exit();
67231 +
67232 exit_mm(tsk);
67233
67234 if (group_dead)
67235 diff -urNp linux-2.6.39.1/kernel/fork.c linux-2.6.39.1/kernel/fork.c
67236 --- linux-2.6.39.1/kernel/fork.c 2011-05-19 00:06:34.000000000 -0400
67237 +++ linux-2.6.39.1/kernel/fork.c 2011-05-22 19:41:42.000000000 -0400
67238 @@ -287,7 +287,7 @@ static struct task_struct *dup_task_stru
67239 *stackend = STACK_END_MAGIC; /* for overflow detection */
67240
67241 #ifdef CONFIG_CC_STACKPROTECTOR
67242 - tsk->stack_canary = get_random_int();
67243 + tsk->stack_canary = pax_get_random_long();
67244 #endif
67245
67246 /* One for us, one for whoever does the "release_task()" (usually parent) */
67247 @@ -309,13 +309,78 @@ out:
67248 }
67249
67250 #ifdef CONFIG_MMU
67251 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
67252 +{
67253 + struct vm_area_struct *tmp;
67254 + unsigned long charge;
67255 + struct mempolicy *pol;
67256 + struct file *file;
67257 +
67258 + charge = 0;
67259 + if (mpnt->vm_flags & VM_ACCOUNT) {
67260 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67261 + if (security_vm_enough_memory(len))
67262 + goto fail_nomem;
67263 + charge = len;
67264 + }
67265 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67266 + if (!tmp)
67267 + goto fail_nomem;
67268 + *tmp = *mpnt;
67269 + tmp->vm_mm = mm;
67270 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
67271 + pol = mpol_dup(vma_policy(mpnt));
67272 + if (IS_ERR(pol))
67273 + goto fail_nomem_policy;
67274 + vma_set_policy(tmp, pol);
67275 + if (anon_vma_fork(tmp, mpnt))
67276 + goto fail_nomem_anon_vma_fork;
67277 + tmp->vm_flags &= ~VM_LOCKED;
67278 + tmp->vm_next = tmp->vm_prev = NULL;
67279 + tmp->vm_mirror = NULL;
67280 + file = tmp->vm_file;
67281 + if (file) {
67282 + struct inode *inode = file->f_path.dentry->d_inode;
67283 + struct address_space *mapping = file->f_mapping;
67284 +
67285 + get_file(file);
67286 + if (tmp->vm_flags & VM_DENYWRITE)
67287 + atomic_dec(&inode->i_writecount);
67288 + spin_lock(&mapping->i_mmap_lock);
67289 + if (tmp->vm_flags & VM_SHARED)
67290 + mapping->i_mmap_writable++;
67291 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
67292 + flush_dcache_mmap_lock(mapping);
67293 + /* insert tmp into the share list, just after mpnt */
67294 + vma_prio_tree_add(tmp, mpnt);
67295 + flush_dcache_mmap_unlock(mapping);
67296 + spin_unlock(&mapping->i_mmap_lock);
67297 + }
67298 +
67299 + /*
67300 + * Clear hugetlb-related page reserves for children. This only
67301 + * affects MAP_PRIVATE mappings. Faults generated by the child
67302 + * are not guaranteed to succeed, even if read-only
67303 + */
67304 + if (is_vm_hugetlb_page(tmp))
67305 + reset_vma_resv_huge_pages(tmp);
67306 +
67307 + return tmp;
67308 +
67309 +fail_nomem_anon_vma_fork:
67310 + mpol_put(pol);
67311 +fail_nomem_policy:
67312 + kmem_cache_free(vm_area_cachep, tmp);
67313 +fail_nomem:
67314 + vm_unacct_memory(charge);
67315 + return NULL;
67316 +}
67317 +
67318 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
67319 {
67320 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
67321 struct rb_node **rb_link, *rb_parent;
67322 int retval;
67323 - unsigned long charge;
67324 - struct mempolicy *pol;
67325
67326 down_write(&oldmm->mmap_sem);
67327 flush_cache_dup_mm(oldmm);
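Review bot: In the new dup_vma(), `unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;` narrows a page count computed from unsigned long addresses, while `charge`, which receives it, is unsigned long. On a 64-bit build a large enough VM_ACCOUNT mapping would be accounted with a truncated count. The line is carried over from the code removed from dup_mmap, but the extraction is a natural place to fix it: `unsigned long len = vma_pages(mpnt);` uses the helper dup_mmap already calls for the VM_DONTCOPY case. A short header comment saying that dup_vma returns NULL on every failure after undoing the charge, and that the caller maps NULL to -ENOMEM, would also help. dup_mmap's body continues outside the hunk.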
67328 @@ -327,8 +392,8 @@ static int dup_mmap(struct mm_struct *mm
67329 mm->locked_vm = 0;
67330 mm->mmap = NULL;
67331 mm->mmap_cache = NULL;
67332 - mm->free_area_cache = oldmm->mmap_base;
67333 - mm->cached_hole_size = ~0UL;
67334 + mm->free_area_cache = oldmm->free_area_cache;
67335 + mm->cached_hole_size = oldmm->cached_hole_size;
67336 mm->map_count = 0;
67337 cpumask_clear(mm_cpumask(mm));
67338 mm->mm_rb = RB_ROOT;
67339 @@ -344,8 +409,6 @@ static int dup_mmap(struct mm_struct *mm
67340
67341 prev = NULL;
67342 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
67343 - struct file *file;
67344 -
67345 if (mpnt->vm_flags & VM_DONTCOPY) {
67346 long pages = vma_pages(mpnt);
67347 mm->total_vm -= pages;
67348 @@ -353,56 +416,13 @@ static int dup_mmap(struct mm_struct *mm
67349 -pages);
67350 continue;
67351 }
67352 - charge = 0;
67353 - if (mpnt->vm_flags & VM_ACCOUNT) {
67354 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67355 - if (security_vm_enough_memory(len))
67356 - goto fail_nomem;
67357 - charge = len;
67358 - }
67359 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67360 - if (!tmp)
67361 - goto fail_nomem;
67362 - *tmp = *mpnt;
67363 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
67364 - pol = mpol_dup(vma_policy(mpnt));
67365 - retval = PTR_ERR(pol);
67366 - if (IS_ERR(pol))
67367 - goto fail_nomem_policy;
67368 - vma_set_policy(tmp, pol);
67369 - tmp->vm_mm = mm;
67370 - if (anon_vma_fork(tmp, mpnt))
67371 - goto fail_nomem_anon_vma_fork;
67372 - tmp->vm_flags &= ~VM_LOCKED;
67373 - tmp->vm_next = tmp->vm_prev = NULL;
67374 - file = tmp->vm_file;
67375 - if (file) {
67376 - struct inode *inode = file->f_path.dentry->d_inode;
67377 - struct address_space *mapping = file->f_mapping;
67378 -
67379 - get_file(file);
67380 - if (tmp->vm_flags & VM_DENYWRITE)
67381 - atomic_dec(&inode->i_writecount);
67382 - spin_lock(&mapping->i_mmap_lock);
67383 - if (tmp->vm_flags & VM_SHARED)
67384 - mapping->i_mmap_writable++;
67385 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
67386 - flush_dcache_mmap_lock(mapping);
67387 - /* insert tmp into the share list, just after mpnt */
67388 - vma_prio_tree_add(tmp, mpnt);
67389 - flush_dcache_mmap_unlock(mapping);
67390 - spin_unlock(&mapping->i_mmap_lock);
67391 + tmp = dup_vma(mm, mpnt);
67392 + if (!tmp) {
67393 + retval = -ENOMEM;
67394 + goto out;
67395 }
67396
67397 /*
67398 - * Clear hugetlb-related page reserves for children. This only
67399 - * affects MAP_PRIVATE mappings. Faults generated by the child
67400 - * are not guaranteed to succeed, even if read-only
67401 - */
67402 - if (is_vm_hugetlb_page(tmp))
67403 - reset_vma_resv_huge_pages(tmp);
67404 -
67405 - /*
67406 * Link in the new vma and copy the page table entries.
67407 */
67408 *pprev = tmp;
67409 @@ -423,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm
67410 if (retval)
67411 goto out;
67412 }
67413 +
67414 +#ifdef CONFIG_PAX_SEGMEXEC
67415 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67416 + struct vm_area_struct *mpnt_m;
67417 +
67418 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67419 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67420 +
67421 + if (!mpnt->vm_mirror)
67422 + continue;
67423 +
67424 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67425 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67426 + mpnt->vm_mirror = mpnt_m;
67427 + } else {
67428 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67429 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67430 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67431 + mpnt->vm_mirror->vm_mirror = mpnt;
67432 + }
67433 + }
67434 + BUG_ON(mpnt_m);
67435 + }
67436 +#endif
67437 +
67438 /* a new mm has just been created */
67439 arch_dup_mmap(oldmm, mm);
67440 retval = 0;
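Review bot: The mirror fix-up loop walks oldmm->mmap and mm->mmap in lockstep, but the copy loop earlier in dup_mmap skips VM_DONTCOPY vmas with `continue`, so the child list is shorter whenever the parent holds such a mapping. In that case the walk pairs unrelated vmas and ends in the `BUG_ON(!mpnt_m || ...)` check, unless SEGMEXEC tasks can never have a VM_DONTCOPY vma, which nothing in this hunk shows. Advancing mpnt_m only for vmas that were actually copied keeps the two lists aligned. How a skipped vma's own mirror should be treated is not visible here and needs checking against the SEGMEXEC mmap code.

```c
		for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) {
			/* not copied by the loop above, so mm has no counterpart */
			if (mpnt->vm_flags & VM_DONTCOPY)
				continue;

			/* … unchanged: BUG_ON consistency check … */

			if (mpnt->vm_mirror) {
				/* … unchanged: relink mirrors for the lower and upper half … */
			}
			mpnt_m = mpnt_m->vm_next;
		}
```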
67441 @@ -431,14 +476,6 @@ out:
67442 flush_tlb_mm(oldmm);
67443 up_write(&oldmm->mmap_sem);
67444 return retval;
67445 -fail_nomem_anon_vma_fork:
67446 - mpol_put(pol);
67447 -fail_nomem_policy:
67448 - kmem_cache_free(vm_area_cachep, tmp);
67449 -fail_nomem:
67450 - retval = -ENOMEM;
67451 - vm_unacct_memory(charge);
67452 - goto out;
67453 }
67454
67455 static inline int mm_alloc_pgd(struct mm_struct * mm)
67456 @@ -785,13 +822,14 @@ static int copy_fs(unsigned long clone_f
67457 spin_unlock(&fs->lock);
67458 return -EAGAIN;
67459 }
67460 - fs->users++;
67461 + atomic_inc(&fs->users);
67462 spin_unlock(&fs->lock);
67463 return 0;
67464 }
67465 tsk->fs = copy_fs_struct(fs);
67466 if (!tsk->fs)
67467 return -ENOMEM;
67468 + gr_set_chroot_entries(tsk, &tsk->fs->root);
67469 return 0;
67470 }
67471
67472 @@ -1049,10 +1087,13 @@ static struct task_struct *copy_process(
67473 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67474 #endif
67475 retval = -EAGAIN;
67476 +
67477 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67478 +
67479 if (atomic_read(&p->real_cred->user->processes) >=
67480 task_rlimit(p, RLIMIT_NPROC)) {
67481 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67482 - p->real_cred->user != INIT_USER)
67483 + if (p->real_cred->user != INIT_USER &&
67484 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
67485 goto bad_fork_free;
67486 }
67487
67488 @@ -1200,6 +1241,8 @@ static struct task_struct *copy_process(
67489 goto bad_fork_free_pid;
67490 }
67491
67492 + gr_copy_label(p);
67493 +
67494 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67495 /*
67496 * Clear TID on mm_release()?
67497 @@ -1360,6 +1403,8 @@ bad_fork_cleanup_count:
67498 bad_fork_free:
67499 free_task(p);
67500 fork_out:
67501 + gr_log_forkfail(retval);
67502 +
67503 return ERR_PTR(retval);
67504 }
67505
67506 @@ -1448,6 +1493,8 @@ long do_fork(unsigned long clone_flags,
67507 if (clone_flags & CLONE_PARENT_SETTID)
67508 put_user(nr, parent_tidptr);
67509
67510 + gr_handle_brute_check();
67511 +
67512 if (clone_flags & CLONE_VFORK) {
67513 p->vfork_done = &vfork;
67514 init_completion(&vfork);
67515 @@ -1549,7 +1596,7 @@ static int unshare_fs(unsigned long unsh
67516 return 0;
67517
67518 /* don't need lock here; in the worst case we'll do useless copy */
67519 - if (fs->users == 1)
67520 + if (atomic_read(&fs->users) == 1)
67521 return 0;
67522
67523 *new_fsp = copy_fs_struct(fs);
67524 @@ -1636,7 +1683,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67525 fs = current->fs;
67526 spin_lock(&fs->lock);
67527 current->fs = new_fs;
67528 - if (--fs->users)
67529 + gr_set_chroot_entries(current, &current->fs->root);
67530 + if (atomic_dec_return(&fs->users))
67531 new_fs = NULL;
67532 else
67533 new_fs = fs;
67534 diff -urNp linux-2.6.39.1/kernel/futex.c linux-2.6.39.1/kernel/futex.c
67535 --- linux-2.6.39.1/kernel/futex.c 2011-05-19 00:06:34.000000000 -0400
67536 +++ linux-2.6.39.1/kernel/futex.c 2011-05-22 22:41:57.000000000 -0400
67537 @@ -54,6 +54,7 @@
67538 #include <linux/mount.h>
67539 #include <linux/pagemap.h>
67540 #include <linux/syscalls.h>
67541 +#include <linux/ptrace.h>
67542 #include <linux/signal.h>
67543 #include <linux/module.h>
67544 #include <linux/magic.h>
67545 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67546 struct page *page, *page_head;
67547 int err;
67548
67549 +#ifdef CONFIG_PAX_SEGMEXEC
67550 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
67551 + return -EFAULT;
67552 +#endif
67553 +
67554 /*
67555 * The futex address must be "naturally" aligned.
67556 */
67557 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
67558 struct futex_q q = futex_q_init;
67559 int ret;
67560
67561 + pax_track_stack();
67562 +
67563 if (!bitset)
67564 return -EINVAL;
67565 q.bitset = bitset;
67566 @@ -2229,6 +2237,8 @@ static int futex_wait_requeue_pi(u32 __u
67567 struct futex_q q = futex_q_init;
67568 int res, ret;
67569
67570 + pax_track_stack();
67571 +
67572 if (!bitset)
67573 return -EINVAL;
67574
67575 @@ -2401,7 +2411,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67576 {
67577 struct robust_list_head __user *head;
67578 unsigned long ret;
67579 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67580 const struct cred *cred = current_cred(), *pcred;
67581 +#endif
67582
67583 if (!futex_cmpxchg_enabled)
67584 return -ENOSYS;
67585 @@ -2417,6 +2429,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67586 if (!p)
67587 goto err_unlock;
67588 ret = -EPERM;
67589 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67590 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
67591 + goto err_unlock;
67592 +#else
67593 pcred = __task_cred(p);
67594 /* If victim is in different user_ns, then uids are not
67595 comparable, so we must have CAP_SYS_PTRACE */
67596 @@ -2431,6 +2447,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67597 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
67598 goto err_unlock;
67599 ok:
67600 +#endif
67601 head = p->robust_list;
67602 rcu_read_unlock();
67603 }
67604 @@ -2682,6 +2699,7 @@ static int __init futex_init(void)
67605 {
67606 u32 curval;
67607 int i;
67608 + mm_segment_t oldfs;
67609
67610 /*
67611 * This will fail and we want it. Some arch implementations do
67612 @@ -2693,8 +2711,11 @@ static int __init futex_init(void)
67613 * implementation, the non-functional ones will return
67614 * -ENOSYS.
67615 */
67616 + oldfs = get_fs();
67617 + set_fs(USER_DS);
67618 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
67619 futex_cmpxchg_enabled = 1;
67620 + set_fs(oldfs);
67621
67622 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
67623 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
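Review bot: The added `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the cmpxchg_futex_value_locked() probe has no comment, and the existing comment above it only says that the call is expected to fail. Presumably the probe has to run with the user address limit so that the NULL access is treated as a user access and returns -EFAULT; if that is the reason, it should be recorded, e.g. `/* probe as a user access so the NULL pointer faults */`. futex_init's body continues outside the hunk.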
67624 diff -urNp linux-2.6.39.1/kernel/futex_compat.c linux-2.6.39.1/kernel/futex_compat.c
67625 --- linux-2.6.39.1/kernel/futex_compat.c 2011-05-19 00:06:34.000000000 -0400
67626 +++ linux-2.6.39.1/kernel/futex_compat.c 2011-05-22 22:42:09.000000000 -0400
67627 @@ -10,6 +10,7 @@
67628 #include <linux/compat.h>
67629 #include <linux/nsproxy.h>
67630 #include <linux/futex.h>
67631 +#include <linux/ptrace.h>
67632
67633 #include <asm/uaccess.h>
67634
67635 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
67636 {
67637 struct compat_robust_list_head __user *head;
67638 unsigned long ret;
67639 - const struct cred *cred = current_cred(), *pcred;
67640 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67641 + const struct cred *cred = current_cred();
67642 + const struct cred *pcred;
67643 +#endif
67644
67645 if (!futex_cmpxchg_enabled)
67646 return -ENOSYS;
67647 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
67648 if (!p)
67649 goto err_unlock;
67650 ret = -EPERM;
67651 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67652 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
67653 + goto err_unlock;
67654 +#else
67655 pcred = __task_cred(p);
67656 /* If victim is in different user_ns, then uids are not
67657 comparable, so we must have CAP_SYS_PTRACE */
67658 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
67659 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
67660 goto err_unlock;
67661 ok:
67662 +#endif
67663 head = p->compat_robust_list;
67664 rcu_read_unlock();
67665 }
67666 diff -urNp linux-2.6.39.1/kernel/gcov/base.c linux-2.6.39.1/kernel/gcov/base.c
67667 --- linux-2.6.39.1/kernel/gcov/base.c 2011-05-19 00:06:34.000000000 -0400
67668 +++ linux-2.6.39.1/kernel/gcov/base.c 2011-05-22 19:36:33.000000000 -0400
67669 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
67670 }
67671
67672 #ifdef CONFIG_MODULES
67673 -static inline int within(void *addr, void *start, unsigned long size)
67674 -{
67675 - return ((addr >= start) && (addr < start + size));
67676 -}
67677 -
67678 /* Update list and generate events when modules are unloaded. */
67679 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
67680 void *data)
67681 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
67682 prev = NULL;
67683 /* Remove entries located in module from linked list. */
67684 for (info = gcov_info_head; info; info = info->next) {
67685 - if (within(info, mod->module_core, mod->core_size)) {
67686 + if (within_module_core_rw((unsigned long)info, mod)) {
67687 if (prev)
67688 prev->next = info->next;
67689 else
67690 diff -urNp linux-2.6.39.1/kernel/hrtimer.c linux-2.6.39.1/kernel/hrtimer.c
67691 --- linux-2.6.39.1/kernel/hrtimer.c 2011-05-19 00:06:34.000000000 -0400
67692 +++ linux-2.6.39.1/kernel/hrtimer.c 2011-05-22 19:36:33.000000000 -0400
67693 @@ -1383,7 +1383,7 @@ void hrtimer_peek_ahead_timers(void)
67694 local_irq_restore(flags);
67695 }
67696
67697 -static void run_hrtimer_softirq(struct softirq_action *h)
67698 +static void run_hrtimer_softirq(void)
67699 {
67700 hrtimer_peek_ahead_timers();
67701 }
67702 diff -urNp linux-2.6.39.1/kernel/irq/manage.c linux-2.6.39.1/kernel/irq/manage.c
67703 --- linux-2.6.39.1/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
67704 +++ linux-2.6.39.1/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
67705 @@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
67706 struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
67707 int ret = 0;
67708
67709 + if (!desc)
67710 + return -EINVAL;
67711 +
67712 /* wakeup-capable irqs can be shared between drivers that
67713 * don't need to have the same sleep mode behaviors.
67714 */
67715 diff -urNp linux-2.6.39.1/kernel/jump_label.c linux-2.6.39.1/kernel/jump_label.c
67716 --- linux-2.6.39.1/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
67717 +++ linux-2.6.39.1/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
67718 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
67719 mutex_unlock(&jump_label_mutex);
67720 }
67721
67722 +static void jump_label_swap(void *a, void *b, int size)
67723 +{
67724 + struct jump_entry t;
67725 +
67726 + t = *(struct jump_entry *)a;
67727 + pax_open_kernel();
67728 + *(struct jump_entry *)a = *(struct jump_entry *)b;
67729 + *(struct jump_entry *)b = t;
67730 + pax_close_kernel();
67731 +}
67732 +
67733 static int jump_label_cmp(const void *a, const void *b)
67734 {
67735 const struct jump_entry *jea = a;
67736 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
67737
67738 size = (((unsigned long)stop - (unsigned long)start)
67739 / sizeof(struct jump_entry));
67740 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
67741 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
67742 }
67743
67744 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
67745 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
67746 count = e_module->nr_entries;
67747 iter = e_module->table;
67748 while (count--) {
67749 - if (within_module_init(iter->code, mod))
67750 + if (within_module_init(iter->code, mod)) {
67751 + pax_open_kernel();
67752 iter->key = 0;
67753 + pax_close_kernel();
67754 + }
67755 iter++;
67756 }
67757 }
67758 diff -urNp linux-2.6.39.1/kernel/kallsyms.c linux-2.6.39.1/kernel/kallsyms.c
67759 --- linux-2.6.39.1/kernel/kallsyms.c 2011-05-19 00:06:34.000000000 -0400
67760 +++ linux-2.6.39.1/kernel/kallsyms.c 2011-05-22 19:41:42.000000000 -0400
67761 @@ -11,6 +11,9 @@
67762 * Changed the compression method from stem compression to "table lookup"
67763 * compression (see scripts/kallsyms.c for a more complete description)
67764 */
67765 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67766 +#define __INCLUDED_BY_HIDESYM 1
67767 +#endif
67768 #include <linux/kallsyms.h>
67769 #include <linux/module.h>
67770 #include <linux/init.h>
67771 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
67772
67773 static inline int is_kernel_inittext(unsigned long addr)
67774 {
67775 + if (system_state != SYSTEM_BOOTING)
67776 + return 0;
67777 +
67778 if (addr >= (unsigned long)_sinittext
67779 && addr <= (unsigned long)_einittext)
67780 return 1;
67781 return 0;
67782 }
67783
67784 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67785 +#ifdef CONFIG_MODULES
67786 +static inline int is_module_text(unsigned long addr)
67787 +{
67788 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
67789 + return 1;
67790 +
67791 + addr = ktla_ktva(addr);
67792 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
67793 +}
67794 +#else
67795 +static inline int is_module_text(unsigned long addr)
67796 +{
67797 + return 0;
67798 +}
67799 +#endif
67800 +#endif
67801 +
67802 static inline int is_kernel_text(unsigned long addr)
67803 {
67804 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
67805 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
67806
67807 static inline int is_kernel(unsigned long addr)
67808 {
67809 +
67810 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67811 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
67812 + return 1;
67813 +
67814 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
67815 +#else
67816 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
67817 +#endif
67818 +
67819 return 1;
67820 return in_gate_area_no_mm(addr);
67821 }
67822
67823 static int is_ksym_addr(unsigned long addr)
67824 {
67825 +
67826 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67827 + if (is_module_text(addr))
67828 + return 0;
67829 +#endif
67830 +
67831 if (all_var)
67832 return is_kernel(addr);
67833
67834 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
67835
67836 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
67837 {
67838 - iter->name[0] = '\0';
67839 iter->nameoff = get_symbol_offset(new_pos);
67840 iter->pos = new_pos;
67841 }
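Review bot: `reset_iter()` no longer clears `iter->name`, and the only replacement visible in this patch is the switch to `kzalloc()` in `kallsyms_open()` two hunks below, which covers the first call only. If `reset_iter()` is also reached on a later seek (its other callers are outside this hunk), `name` keeps the previous symbol until the iterator refills it, and `s_show()` decides whether to print based on `iter->name[0]`. Either keep the clear, or add a comment such as `/* name is zeroed at allocation and rewritten before s_show() reads it */` once that has been verified.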
67842 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
67843 {
67844 struct kallsym_iter *iter = m->private;
67845
67846 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67847 + if (current_uid())
67848 + return 0;
67849 +#endif
67850 +
67851 /* Some debugging symbols have no name. Ignore them. */
67852 if (!iter->name[0])
67853 return 0;
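Review bot: The HIDESYM test in `s_show()` looks at the uid of whichever task is reading, not the task that opened the file, so the decision follows the descriptor to any later reader. Making the decision once in `kallsyms_open()`, storing it in the iterator and testing the stored value here would tie it to the opener. The check also returns 0 for every record, so a non-root reader gets an empty file rather than an error. If that is intended, a comment such as `/* non-root readers see an empty file */` would document it. `s_show()` continues outside this hunk.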
67854 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
67855 struct kallsym_iter *iter;
67856 int ret;
67857
67858 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
67859 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
67860 if (!iter)
67861 return -ENOMEM;
67862 reset_iter(iter, 0);
67863 diff -urNp linux-2.6.39.1/kernel/kmod.c linux-2.6.39.1/kernel/kmod.c
67864 --- linux-2.6.39.1/kernel/kmod.c 2011-05-19 00:06:34.000000000 -0400
67865 +++ linux-2.6.39.1/kernel/kmod.c 2011-05-22 19:41:42.000000000 -0400
67866 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
67867 * If module auto-loading support is disabled then this function
67868 * becomes a no-operation.
67869 */
67870 -int __request_module(bool wait, const char *fmt, ...)
67871 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
67872 {
67873 - va_list args;
67874 char module_name[MODULE_NAME_LEN];
67875 unsigned int max_modprobes;
67876 int ret;
67877 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
67878 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
67879 static char *envp[] = { "HOME=/",
67880 "TERM=linux",
67881 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
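Review bot: `module_param` is added to `argv` without a comment, and the final call in `__request_module()` further down passes NULL for it, which ends the array one slot before the explicit `NULL` terminator. That is valid but surprising to read. A comment on the initialiser such as `/* module_param may be NULL, in which case argv ends after module_name */` would make it clear. The names `__request_module`, `___request_module` and `____request_module` differ only in underscore count, so a distinct name for the `va_list` worker would also reduce mistakes. The function body continues outside this hunk.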
67882 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
67883 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
67884 static int kmod_loop_msg;
67885
67886 - va_start(args, fmt);
67887 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
67888 - va_end(args);
67889 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
67890 if (ret >= MODULE_NAME_LEN)
67891 return -ENAMETOOLONG;
67892
67893 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
67894 if (ret)
67895 return ret;
67896
67897 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67898 + if (!current_uid()) {
67899 + /* hack to workaround consolekit/udisks stupidity */
67900 + read_lock(&tasklist_lock);
67901 + if (!strcmp(current->comm, "mount") &&
67902 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
67903 + read_unlock(&tasklist_lock);
67904 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
67905 + return -EPERM;
67906 + }
67907 + read_unlock(&tasklist_lock);
67908 + }
67909 +#endif
67910 +
67911 /* If modprobe needs a service that is in a module, we get a recursive
67912 * loop. Limit the number of running kmod threads to max_threads/2 or
67913 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
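Review bot: The udisks rule identifies processes by `current->comm` and `current->real_parent->comm`, which are names a task can set for itself, so the match can miss the intended caller or hit an unrelated one. The existing comment already calls it a hack. I would extend it to say the test is a compatibility heuristic and not an identity check, e.g. `/* comm-based heuristic only; must not be relied on as an access decision */`. The enclosing function starts and ends outside this hunk.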
67914 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
67915 atomic_dec(&kmod_concurrent);
67916 return ret;
67917 }
67918 +
67919 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
67920 +{
67921 + va_list args;
67922 + int ret;
67923 +
67924 + va_start(args, fmt);
67925 + ret = ____request_module(wait, module_param, fmt, args);
67926 + va_end(args);
67927 +
67928 + return ret;
67929 +}
67930 +
67931 +int __request_module(bool wait, const char *fmt, ...)
67932 +{
67933 + va_list args;
67934 + int ret;
67935 +
67936 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67937 + if (current_uid()) {
67938 + char module_param[MODULE_NAME_LEN];
67939 +
67940 + memset(module_param, 0, sizeof(module_param));
67941 +
67942 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
67943 +
67944 + va_start(args, fmt);
67945 + ret = ____request_module(wait, module_param, fmt, args);
67946 + va_end(args);
67947 +
67948 + return ret;
67949 + }
67950 +#endif
67951 +
67952 + va_start(args, fmt);
67953 + ret = ____request_module(wait, NULL, fmt, args);
67954 + va_end(args);
67955 +
67956 + return ret;
67957 +}
67958 +
67959 EXPORT_SYMBOL(__request_module);
67960 #endif /* CONFIG_MODULES */
67961
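Review bot: In `__request_module()` the `memset()` of `module_param` followed by `snprintf(..., sizeof(module_param) - 1, ...)` is doubly defensive, because `snprintf()` always NUL-terminates within the size it is given. The pair can be reduced to `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());`. The marker only has an effect if the user-space modprobe passes it on unchanged to the module load, where `load_module()` looks for it, so a comment stating that dependency belongs here. The `va_start`/`va_end` sequence is also written out three times in this hunk. Choosing `module_param` first and making a single call would remove the duplication.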
67962 diff -urNp linux-2.6.39.1/kernel/kprobes.c linux-2.6.39.1/kernel/kprobes.c
67963 --- linux-2.6.39.1/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
67964 +++ linux-2.6.39.1/kernel/kprobes.c 2011-05-22 19:36:33.000000000 -0400
67965 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
67966 * kernel image and loaded module images reside. This is required
67967 * so x86_64 can correctly handle the %rip-relative fixups.
67968 */
67969 - kip->insns = module_alloc(PAGE_SIZE);
67970 + kip->insns = module_alloc_exec(PAGE_SIZE);
67971 if (!kip->insns) {
67972 kfree(kip);
67973 return NULL;
67974 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
67975 */
67976 if (!list_is_singular(&kip->list)) {
67977 list_del(&kip->list);
67978 - module_free(NULL, kip->insns);
67979 + module_free_exec(NULL, kip->insns);
67980 kfree(kip);
67981 }
67982 return 1;
67983 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
67984 {
67985 int i, err = 0;
67986 unsigned long offset = 0, size = 0;
67987 - char *modname, namebuf[128];
67988 + char *modname, namebuf[KSYM_NAME_LEN];
67989 const char *symbol_name;
67990 void *addr;
67991 struct kprobe_blackpoint *kb;
67992 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
67993 const char *sym = NULL;
67994 unsigned int i = *(loff_t *) v;
67995 unsigned long offset = 0;
67996 - char *modname, namebuf[128];
67997 + char *modname, namebuf[KSYM_NAME_LEN];
67998
67999 head = &kprobe_table[i];
68000 preempt_disable();
68001 diff -urNp linux-2.6.39.1/kernel/lockdep.c linux-2.6.39.1/kernel/lockdep.c
68002 --- linux-2.6.39.1/kernel/lockdep.c 2011-05-19 00:06:34.000000000 -0400
68003 +++ linux-2.6.39.1/kernel/lockdep.c 2011-05-22 19:36:33.000000000 -0400
68004 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
68005 end = (unsigned long) &_end,
68006 addr = (unsigned long) obj;
68007
68008 +#ifdef CONFIG_PAX_KERNEXEC
68009 + start = ktla_ktva(start);
68010 +#endif
68011 +
68012 /*
68013 * static variable?
68014 */
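Review bot: This translation is guarded by `CONFIG_PAX_KERNEXEC` alone, while the kallsyms.c hunks in the same patch guard their `ktla_ktva()` calls with `defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`. If `ktla_ktva()` is an identity mapping on the other configurations the difference is harmless, but that is not visible here. A comment saying why only `start` is translated and `end` is left alone would make the range test readable. `static_obj()` starts and ends outside this hunk.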
68015 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
68016 if (!static_obj(lock->key)) {
68017 debug_locks_off();
68018 printk("INFO: trying to register non-static key.\n");
68019 + printk("lock:%pS key:%pS.\n", lock, lock->key);
68020 printk("the code is fine but needs lockdep annotation.\n");
68021 printk("turning off the locking correctness validator.\n");
68022 dump_stack();
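Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key)` runs on the path where the key is not a static object, so `%pS` will most likely fall back to printing raw kernel addresses. That sits uneasily with the symbol-hiding options this patch adds elsewhere if the kernel log is readable by unprivileged users. Consider printing it only in debug builds, or add a comment saying the disclosure is accepted because the validator is being switched off. The enclosing function continues outside this hunk.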
68023 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
68024 if (!class)
68025 return 0;
68026 }
68027 - atomic_inc((atomic_t *)&class->ops);
68028 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
68029 if (very_verbose(class)) {
68030 printk("\nacquire class [%p] %s", class->key, class->name);
68031 if (class->name_version > 1)
68032 diff -urNp linux-2.6.39.1/kernel/lockdep_proc.c linux-2.6.39.1/kernel/lockdep_proc.c
68033 --- linux-2.6.39.1/kernel/lockdep_proc.c 2011-05-19 00:06:34.000000000 -0400
68034 +++ linux-2.6.39.1/kernel/lockdep_proc.c 2011-05-22 19:36:33.000000000 -0400
68035 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68036
68037 static void print_name(struct seq_file *m, struct lock_class *class)
68038 {
68039 - char str[128];
68040 + char str[KSYM_NAME_LEN];
68041 const char *name = class->name;
68042
68043 if (!name) {
68044 diff -urNp linux-2.6.39.1/kernel/module.c linux-2.6.39.1/kernel/module.c
68045 --- linux-2.6.39.1/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
68046 +++ linux-2.6.39.1/kernel/module.c 2011-05-22 19:41:42.000000000 -0400
68047 @@ -57,6 +57,7 @@
68048 #include <linux/kmemleak.h>
68049 #include <linux/jump_label.h>
68050 #include <linux/pfn.h>
68051 +#include <linux/grsecurity.h>
68052
68053 #define CREATE_TRACE_POINTS
68054 #include <trace/events/module.h>
68055 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
68056
68057 /* Bounds of module allocation, for speeding __module_address.
68058 * Protected by module_mutex. */
68059 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68060 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68061 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68062
68063 int register_module_notifier(struct notifier_block * nb)
68064 {
68065 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
68066 return true;
68067
68068 list_for_each_entry_rcu(mod, &modules, list) {
68069 - struct symsearch arr[] = {
68070 + struct symsearch modarr[] = {
68071 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68072 NOT_GPL_ONLY, false },
68073 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68074 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
68075 #endif
68076 };
68077
68078 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68079 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68080 return true;
68081 }
68082 return false;
68083 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
68084 static int percpu_modalloc(struct module *mod,
68085 unsigned long size, unsigned long align)
68086 {
68087 - if (align > PAGE_SIZE) {
68088 + if (align-1 >= PAGE_SIZE) {
68089 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68090 mod->name, align, PAGE_SIZE);
68091 align = PAGE_SIZE;
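Review bot: The new test `align-1 >= PAGE_SIZE` relies on unsigned wrap-around so that `align == 0` is caught as well as `align > PAGE_SIZE`, and nothing in the code says so. Please add a comment such as `/* align - 1 wraps for align == 0, so a zero alignment is clamped too */`. The warning text still reads "alignment %li > %li", which is misleading when it reports 0; wording it as an invalid alignment would match the new condition. The function continues past this hunk.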
68092 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
68093 */
68094 #ifdef CONFIG_SYSFS
68095
68096 -#ifdef CONFIG_KALLSYMS
68097 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68098 static inline bool sect_empty(const Elf_Shdr *sect)
68099 {
68100 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
68101 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
68102 {
68103 unsigned long total_pages;
68104
68105 - if (mod->module_core == module_region) {
68106 + if (mod->module_core_rx == module_region) {
68107 /* Set core as NX+RW */
68108 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
68109 - set_memory_nx((unsigned long)mod->module_core, total_pages);
68110 - set_memory_rw((unsigned long)mod->module_core, total_pages);
68111 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
68112 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
68113 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
68114
68115 - } else if (mod->module_init == module_region) {
68116 + } else if (mod->module_init_rx == module_region) {
68117 /* Set init as NX+RW */
68118 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
68119 - set_memory_nx((unsigned long)mod->module_init, total_pages);
68120 - set_memory_rw((unsigned long)mod->module_init, total_pages);
68121 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
68122 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
68123 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
68124 }
68125 }
68126
68127 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
68128
68129 mutex_lock(&module_mutex);
68130 list_for_each_entry_rcu(mod, &modules, list) {
68131 - if ((mod->module_core) && (mod->core_text_size)) {
68132 - set_page_attributes(mod->module_core,
68133 - mod->module_core + mod->core_text_size,
68134 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68135 + set_page_attributes(mod->module_core_rx,
68136 + mod->module_core_rx + mod->core_size_rx,
68137 set_memory_rw);
68138 }
68139 - if ((mod->module_init) && (mod->init_text_size)) {
68140 - set_page_attributes(mod->module_init,
68141 - mod->module_init + mod->init_text_size,
68142 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68143 + set_page_attributes(mod->module_init_rx,
68144 + mod->module_init_rx + mod->init_size_rx,
68145 set_memory_rw);
68146 }
68147 }
68148 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
68149
68150 mutex_lock(&module_mutex);
68151 list_for_each_entry_rcu(mod, &modules, list) {
68152 - if ((mod->module_core) && (mod->core_text_size)) {
68153 - set_page_attributes(mod->module_core,
68154 - mod->module_core + mod->core_text_size,
68155 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68156 + set_page_attributes(mod->module_core_rx,
68157 + mod->module_core_rx + mod->core_size_rx,
68158 set_memory_ro);
68159 }
68160 - if ((mod->module_init) && (mod->init_text_size)) {
68161 - set_page_attributes(mod->module_init,
68162 - mod->module_init + mod->init_text_size,
68163 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68164 + set_page_attributes(mod->module_init_rx,
68165 + mod->module_init_rx + mod->init_size_rx,
68166 set_memory_ro);
68167 }
68168 }
68169 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
68170 destroy_params(mod->kp, mod->num_kp);
68171
68172 /* This may be NULL, but that's OK */
68173 - unset_section_ro_nx(mod, mod->module_init);
68174 - module_free(mod, mod->module_init);
68175 + unset_section_ro_nx(mod, mod->module_init_rx);
68176 + module_free(mod, mod->module_init_rw);
68177 + module_free_exec(mod, mod->module_init_rx);
68178 kfree(mod->args);
68179 percpu_modfree(mod);
68180
68181 /* Free lock-classes: */
68182 - lockdep_free_key_range(mod->module_core, mod->core_size);
68183 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68184 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68185
68186 /* Finally, free the core (containing the module structure) */
68187 - unset_section_ro_nx(mod, mod->module_core);
68188 - module_free(mod, mod->module_core);
68189 + unset_section_ro_nx(mod, mod->module_core_rx);
68190 + module_free_exec(mod, mod->module_core_rx);
68191 + module_free(mod, mod->module_core_rw);
68192
68193 #ifdef CONFIG_MPU
68194 update_protections(current->mm);
68195 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
68196 unsigned int i;
68197 int ret = 0;
68198 const struct kernel_symbol *ksym;
68199 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68200 + int is_fs_load = 0;
68201 + int register_filesystem_found = 0;
68202 + char *p;
68203 +
68204 + p = strstr(mod->args, "grsec_modharden_fs");
68205 + if (p) {
68206 + char *endptr = p + strlen("grsec_modharden_fs");
68207 + /* copy \0 as well */
68208 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68209 + is_fs_load = 1;
68210 + }
68211 +#endif
68212
68213 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
68214 const char *name = info->strtab + sym[i].st_name;
68215
68216 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68217 + /* it's a real shame this will never get ripped and copied
68218 + upstream! ;(
68219 + */
68220 + if (is_fs_load && !strcmp(name, "register_filesystem"))
68221 + register_filesystem_found = 1;
68222 +#endif
68223 +
68224 switch (sym[i].st_shndx) {
68225 case SHN_COMMON:
68226 /* We compiled with -fno-common. These are not
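Review bot: The `register_filesystem` test runs at the top of the loop, before the `switch` on `st_shndx`, so it matches any symbol-table entry with that name, not only an undefined symbol the module imports from the kernel. Moving the `strcmp()` into the case that resolves undefined symbols (the `resolve_symbol_wait()` path in the next hunk) would restrict it to real imports. Separately, `simplify_symbols()` now edits `mod->args` in place and depends on `load_module()` having copied the arguments earlier, which a later hunk arranges. A comment at the `strstr()` noting both the side effect and the ordering requirement would help. The function continues outside this hunk.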
68227 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
68228 ksym = resolve_symbol_wait(mod, info, name);
68229 /* Ok if resolved. */
68230 if (ksym && !IS_ERR(ksym)) {
68231 + pax_open_kernel();
68232 sym[i].st_value = ksym->value;
68233 + pax_close_kernel();
68234 break;
68235 }
68236
68237 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
68238 secbase = (unsigned long)mod_percpu(mod);
68239 else
68240 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
68241 + pax_open_kernel();
68242 sym[i].st_value += secbase;
68243 + pax_close_kernel();
68244 break;
68245 }
68246 }
68247
68248 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68249 + if (is_fs_load && !register_filesystem_found) {
68250 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68251 + ret = -EPERM;
68252 + }
68253 +#endif
68254 +
68255 return ret;
68256 }
68257
68258 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
68259 || s->sh_entsize != ~0UL
68260 || strstarts(sname, ".init"))
68261 continue;
68262 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68263 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68264 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68265 + else
68266 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68267 DEBUGP("\t%s\n", name);
68268 }
68269 - switch (m) {
68270 - case 0: /* executable */
68271 - mod->core_size = debug_align(mod->core_size);
68272 - mod->core_text_size = mod->core_size;
68273 - break;
68274 - case 1: /* RO: text and ro-data */
68275 - mod->core_size = debug_align(mod->core_size);
68276 - mod->core_ro_size = mod->core_size;
68277 - break;
68278 - case 3: /* whole core */
68279 - mod->core_size = debug_align(mod->core_size);
68280 - break;
68281 - }
68282 }
68283
68284 DEBUGP("Init section allocation order:\n");
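Review bot: The placement rule `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop in the next hunk, and twice more in `move_module()`, and all four copies must agree or a section is copied to a different region than it was sized for. A single helper, for example `static bool sect_is_rw(const Elf_Shdr *s)`, used at all four sites would remove that risk. In `move_module()` the `!SHF_ALLOC` half can never be true, because that loop has already skipped sections without `SHF_ALLOC`. The hunk also drops the `debug_align()` calls, so it is worth stating in a comment whether the rx and rw sizes are still expected to be page-aligned. `layout_sections()` starts outside this hunk.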
68285 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
68286 || s->sh_entsize != ~0UL
68287 || !strstarts(sname, ".init"))
68288 continue;
68289 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68290 - | INIT_OFFSET_MASK);
68291 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68292 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68293 + else
68294 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68295 + s->sh_entsize |= INIT_OFFSET_MASK;
68296 DEBUGP("\t%s\n", sname);
68297 }
68298 - switch (m) {
68299 - case 0: /* executable */
68300 - mod->init_size = debug_align(mod->init_size);
68301 - mod->init_text_size = mod->init_size;
68302 - break;
68303 - case 1: /* RO: text and ro-data */
68304 - mod->init_size = debug_align(mod->init_size);
68305 - mod->init_ro_size = mod->init_size;
68306 - break;
68307 - case 3: /* whole init */
68308 - mod->init_size = debug_align(mod->init_size);
68309 - break;
68310 - }
68311 }
68312 }
68313
68314 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
68315
68316 /* Put symbol section at end of init part of module. */
68317 symsect->sh_flags |= SHF_ALLOC;
68318 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68319 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68320 info->index.sym) | INIT_OFFSET_MASK;
68321 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
68322
68323 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
68324 }
68325
68326 /* Append room for core symbols at end of core part. */
68327 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68328 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
68329 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68330 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
68331
68332 /* Put string table section at end of init part of module. */
68333 strsect->sh_flags |= SHF_ALLOC;
68334 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68335 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68336 info->index.str) | INIT_OFFSET_MASK;
68337 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
68338
68339 /* Append room for core symbols' strings at end of core part. */
68340 - info->stroffs = mod->core_size;
68341 + info->stroffs = mod->core_size_rx;
68342 __set_bit(0, info->strmap);
68343 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
68344 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
68345 }
68346
68347 static void add_kallsyms(struct module *mod, const struct load_info *info)
68348 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
68349 /* Make sure we get permanent strtab: don't use info->strtab. */
68350 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
68351
68352 + pax_open_kernel();
68353 +
68354 /* Set types up while we still have access to sections. */
68355 for (i = 0; i < mod->num_symtab; i++)
68356 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
68357
68358 - mod->core_symtab = dst = mod->module_core + info->symoffs;
68359 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
68360 src = mod->symtab;
68361 *dst = *src;
68362 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68363 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
68364 }
68365 mod->core_num_syms = ndst;
68366
68367 - mod->core_strtab = s = mod->module_core + info->stroffs;
68368 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
68369 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
68370 if (test_bit(i, info->strmap))
68371 *++s = mod->strtab[i];
68372 +
68373 + pax_close_kernel();
68374 }
68375 #else
68376 static inline void layout_symtab(struct module *mod, struct load_info *info)
68377 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
68378 ddebug_remove_module(debug->modname);
68379 }
68380
68381 -static void *module_alloc_update_bounds(unsigned long size)
68382 +static void *module_alloc_update_bounds_rw(unsigned long size)
68383 {
68384 void *ret = module_alloc(size);
68385
68386 if (ret) {
68387 mutex_lock(&module_mutex);
68388 /* Update module bounds. */
68389 - if ((unsigned long)ret < module_addr_min)
68390 - module_addr_min = (unsigned long)ret;
68391 - if ((unsigned long)ret + size > module_addr_max)
68392 - module_addr_max = (unsigned long)ret + size;
68393 + if ((unsigned long)ret < module_addr_min_rw)
68394 + module_addr_min_rw = (unsigned long)ret;
68395 + if ((unsigned long)ret + size > module_addr_max_rw)
68396 + module_addr_max_rw = (unsigned long)ret + size;
68397 + mutex_unlock(&module_mutex);
68398 + }
68399 + return ret;
68400 +}
68401 +
68402 +static void *module_alloc_update_bounds_rx(unsigned long size)
68403 +{
68404 + void *ret = module_alloc_exec(size);
68405 +
68406 + if (ret) {
68407 + mutex_lock(&module_mutex);
68408 + /* Update module bounds. */
68409 + if ((unsigned long)ret < module_addr_min_rx)
68410 + module_addr_min_rx = (unsigned long)ret;
68411 + if ((unsigned long)ret + size > module_addr_max_rx)
68412 + module_addr_max_rx = (unsigned long)ret + size;
68413 mutex_unlock(&module_mutex);
68414 }
68415 return ret;
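Review bot: `module_alloc_update_bounds_rw()` and `module_alloc_update_bounds_rx()` are line-for-line copies that differ only in the allocator called and the pair of bounds updated, so a fix to one can easily be missed in the other. I would factor the locked min/max update into one helper that takes pointers to the bounds, as sketched below for the rw variant. The rx variant is the same with `module_alloc_exec()` and the `_rx` bounds. Its closing brace lies outside this hunk.

```c
/* Widen [*min, *max) to include the new allocation; takes module_mutex. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	if (ret)
		module_update_bounds(ret, size,
				     &module_addr_min_rw, &module_addr_max_rw);
	return ret;
}
```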
68416 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
68417 void *ptr;
68418
68419 /* Do the allocs. */
68420 - ptr = module_alloc_update_bounds(mod->core_size);
68421 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68422 /*
68423 * The pointer to this block is stored in the module structure
68424 * which is inside the block. Just mark it as not being a
68425 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
68426 if (!ptr)
68427 return -ENOMEM;
68428
68429 - memset(ptr, 0, mod->core_size);
68430 - mod->module_core = ptr;
68431 + memset(ptr, 0, mod->core_size_rw);
68432 + mod->module_core_rw = ptr;
68433
68434 - ptr = module_alloc_update_bounds(mod->init_size);
68435 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68436 /*
68437 * The pointer to this block is stored in the module structure
68438 * which is inside the block. This block doesn't need to be
68439 * scanned as it contains data and code that will be freed
68440 * after the module is initialized.
68441 */
68442 - kmemleak_ignore(ptr);
68443 - if (!ptr && mod->init_size) {
68444 - module_free(mod, mod->module_core);
68445 + kmemleak_not_leak(ptr);
68446 + if (!ptr && mod->init_size_rw) {
68447 + module_free(mod, mod->module_core_rw);
68448 return -ENOMEM;
68449 }
68450 - memset(ptr, 0, mod->init_size);
68451 - mod->module_init = ptr;
68452 + memset(ptr, 0, mod->init_size_rw);
68453 + mod->module_init_rw = ptr;
68454 +
68455 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68456 + kmemleak_not_leak(ptr);
68457 + if (!ptr) {
68458 + module_free(mod, mod->module_init_rw);
68459 + module_free(mod, mod->module_core_rw);
68460 + return -ENOMEM;
68461 + }
68462 +
68463 + pax_open_kernel();
68464 + memset(ptr, 0, mod->core_size_rx);
68465 + pax_close_kernel();
68466 + mod->module_core_rx = ptr;
68467 +
68468 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68469 + kmemleak_not_leak(ptr);
68470 + if (!ptr && mod->init_size_rx) {
68471 + module_free_exec(mod, mod->module_core_rx);
68472 + module_free(mod, mod->module_init_rw);
68473 + module_free(mod, mod->module_core_rw);
68474 + return -ENOMEM;
68475 + }
68476 +
68477 + pax_open_kernel();
68478 + memset(ptr, 0, mod->init_size_rx);
68479 + pax_close_kernel();
68480 + mod->module_init_rx = ptr;
68481
68482 /* Transfer each section which specifies SHF_ALLOC */
68483 DEBUGP("final section addresses:\n");
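Review bot: The retained comment above the init allocation still says the block "doesn't need to be scanned", but the call under it changes from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which only suppresses the leak report and leaves the block scanned. Either the comment or the call should be adjusted so they agree, and the two new rx allocations should get the same one-line explanation. The three failure branches also repeat a growing list of `module_free()` and `module_free_exec()` calls. A single unwind ladder with labels would be harder to get wrong when a fifth region is added. `move_module()` begins before this hunk.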
68484 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
68485 if (!(shdr->sh_flags & SHF_ALLOC))
68486 continue;
68487
68488 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
68489 - dest = mod->module_init
68490 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68491 - else
68492 - dest = mod->module_core + shdr->sh_entsize;
68493 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
68494 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68495 + dest = mod->module_init_rw
68496 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68497 + else
68498 + dest = mod->module_init_rx
68499 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68500 + } else {
68501 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68502 + dest = mod->module_core_rw + shdr->sh_entsize;
68503 + else
68504 + dest = mod->module_core_rx + shdr->sh_entsize;
68505 + }
68506 +
68507 + if (shdr->sh_type != SHT_NOBITS) {
68508 +
68509 +#ifdef CONFIG_PAX_KERNEXEC
68510 +#ifdef CONFIG_X86_64
68511 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
68512 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68513 +#endif
68514 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
68515 + pax_open_kernel();
68516 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68517 + pax_close_kernel();
68518 + } else
68519 +#endif
68520
68521 - if (shdr->sh_type != SHT_NOBITS)
68522 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68523 + }
68524 /* Update sh_addr to point to copy in image. */
68525 - shdr->sh_addr = (unsigned long)dest;
68526 +
68527 +#ifdef CONFIG_PAX_KERNEXEC
68528 + if (shdr->sh_flags & SHF_EXECINSTR)
68529 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
68530 + else
68531 +#endif
68532 +
68533 + shdr->sh_addr = (unsigned long)dest;
68534 DEBUGP("\t0x%lx %s\n",
68535 shdr->sh_addr, info->secstrings + shdr->sh_name);
68536 }
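Review bot: For a section with both `SHF_WRITE` and `SHF_EXECINSTR`, the x86_64 branch calls `set_memory_x()` on `dest`, which by the rule just above lies in the rw allocation, so whole pages of writable memory become executable, along with any other data sharing those pages. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` also ignores the offset of `dest` within its page, so it may not cover exactly the pages the section occupies. At minimum this needs a comment stating that such sections deliberately end up writable and executable. Refusing them, or giving them their own page-aligned range, would be the stricter option. The `} else` left dangling across `#endif` before the plain `memcpy()` is also fragile and would read better as an explicit `if`/`else` inside one `#ifdef`.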
68537 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
68538 * Do it before processing of module parameters, so the module
68539 * can provide parameter accessor functions of its own.
68540 */
68541 - if (mod->module_init)
68542 - flush_icache_range((unsigned long)mod->module_init,
68543 - (unsigned long)mod->module_init
68544 - + mod->init_size);
68545 - flush_icache_range((unsigned long)mod->module_core,
68546 - (unsigned long)mod->module_core + mod->core_size);
68547 + if (mod->module_init_rx)
68548 + flush_icache_range((unsigned long)mod->module_init_rx,
68549 + (unsigned long)mod->module_init_rx
68550 + + mod->init_size_rx);
68551 + flush_icache_range((unsigned long)mod->module_core_rx,
68552 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
68553
68554 set_fs(old_fs);
68555 }
68556 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
68557 {
68558 kfree(info->strmap);
68559 percpu_modfree(mod);
68560 - module_free(mod, mod->module_init);
68561 - module_free(mod, mod->module_core);
68562 + module_free_exec(mod, mod->module_init_rx);
68563 + module_free_exec(mod, mod->module_core_rx);
68564 + module_free(mod, mod->module_init_rw);
68565 + module_free(mod, mod->module_core_rw);
68566 }
68567
68568 static int post_relocation(struct module *mod, const struct load_info *info)
68569 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
68570 if (err)
68571 goto free_unload;
68572
68573 + /* Now copy in args */
68574 + mod->args = strndup_user(uargs, ~0UL >> 1);
68575 + if (IS_ERR(mod->args)) {
68576 + err = PTR_ERR(mod->args);
68577 + goto free_unload;
68578 + }
68579 +
68580 /* Set up MODINFO_ATTR fields */
68581 setup_modinfo(mod, &info);
68582
68583 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68584 + {
68585 + char *p, *p2;
68586 +
68587 + if (strstr(mod->args, "grsec_modharden_netdev")) {
68588 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
68589 + err = -EPERM;
68590 + goto free_modinfo;
68591 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
68592 + p += strlen("grsec_modharden_normal");
68593 + p2 = strstr(p, "_");
68594 + if (p2) {
68595 + *p2 = '\0';
68596 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
68597 + *p2 = '_';
68598 + }
68599 + err = -EPERM;
68600 + goto free_modinfo;
68601 + }
68602 + }
68603 +#endif
68604 +
68605 /* Fix up syms, so that st_value is a pointer to location. */
68606 err = simplify_symbols(mod, &info);
68607 if (err < 0)
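Review bot: Both marker tests use `strstr()` over the whole of `mod->args`, which is the caller-supplied argument string from `strndup_user()`. A module whose legitimate parameters contain that text anywhere, for instance inside a value, is therefore refused with `-EPERM`. Matching the marker only as a whole space-separated token would avoid this false denial. The netdev message also lacks the trailing newline that the uid message has, so it can run into the next log line; it should end with `... instead.\n"`. In the uid branch `strstr(p, "_")` can be `strchr(p, '_')`. `load_module()` extends beyond this hunk on both sides.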
68608 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
68609
68610 flush_module_icache(mod);
68611
68612 - /* Now copy in args */
68613 - mod->args = strndup_user(uargs, ~0UL >> 1);
68614 - if (IS_ERR(mod->args)) {
68615 - err = PTR_ERR(mod->args);
68616 - goto free_arch_cleanup;
68617 - }
68618 -
68619 /* Mark state as coming so strong_try_module_get() ignores us. */
68620 mod->state = MODULE_STATE_COMING;
68621
68622 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
68623 unlock:
68624 mutex_unlock(&module_mutex);
68625 synchronize_sched();
68626 - kfree(mod->args);
68627 - free_arch_cleanup:
68628 module_arch_cleanup(mod);
68629 free_modinfo:
68630 free_modinfo(mod);
68631 + kfree(mod->args);
68632 free_unload:
68633 module_unload_free(mod);
68634 free_module:
68635 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
68636 MODULE_STATE_COMING, mod);
68637
68638 /* Set RO and NX regions for core */
68639 - set_section_ro_nx(mod->module_core,
68640 - mod->core_text_size,
68641 - mod->core_ro_size,
68642 - mod->core_size);
68643 + set_section_ro_nx(mod->module_core_rx,
68644 + mod->core_size_rx,
68645 + mod->core_size_rx,
68646 + mod->core_size_rx);
68647
68648 /* Set RO and NX regions for init */
68649 - set_section_ro_nx(mod->module_init,
68650 - mod->init_text_size,
68651 - mod->init_ro_size,
68652 - mod->init_size);
68653 + set_section_ro_nx(mod->module_init_rx,
68654 + mod->init_size_rx,
68655 + mod->init_size_rx,
68656 + mod->init_size_rx);
68657
68658 do_mod_ctors(mod);
68659 /* Start the module */
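Review bot: Both `set_section_ro_nx()` calls now pass the rx size for the text, read-only and total arguments, so there is no range left between the end of text and the end of the region. If the helper still applies NX from `text_size` to `total_size` (its body is not in this hunk), read-only data and the symbol and string tables that `layout_symtab()` places in the rx region stay executable. The rw regions are not passed to the helper at all, so their NX state presumably comes from `module_alloc()`. A comment here stating both assumptions would let a reader check the W^X property without tracing the allocators.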
68660 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
68661 mod->symtab = mod->core_symtab;
68662 mod->strtab = mod->core_strtab;
68663 #endif
68664 - unset_section_ro_nx(mod, mod->module_init);
68665 - module_free(mod, mod->module_init);
68666 - mod->module_init = NULL;
68667 - mod->init_size = 0;
68668 - mod->init_text_size = 0;
68669 + unset_section_ro_nx(mod, mod->module_init_rx);
68670 + module_free(mod, mod->module_init_rw);
68671 + module_free_exec(mod, mod->module_init_rx);
68672 + mod->module_init_rw = NULL;
68673 + mod->module_init_rx = NULL;
68674 + mod->init_size_rw = 0;
68675 + mod->init_size_rx = 0;
68676 mutex_unlock(&module_mutex);
68677
68678 return 0;
68679 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
68680 unsigned long nextval;
68681
68682 /* At worse, next value is at end of module */
68683 - if (within_module_init(addr, mod))
68684 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
68685 + if (within_module_init_rx(addr, mod))
68686 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
68687 + else if (within_module_init_rw(addr, mod))
68688 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
68689 + else if (within_module_core_rx(addr, mod))
68690 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
68691 + else if (within_module_core_rw(addr, mod))
68692 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
68693 else
68694 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
68695 + return NULL;
68696
68697 /* Scan for closest preceding symbol, and next symbol. (ELF
68698 starts real symbols at 1). */
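Review bot: The new `return NULL` in the final `else` makes get_ksymbol() give up when addr is in none of the module's four regions, where the old code fell back to the end of core text. The comment above the chain ("At worse, next value is at end of module") does not cover that exit. I would add `/* addr is outside every region of this module: nothing to resolve */` on the `return NULL` line and reword the leading comment to say that nextval is the end of whichever region contains addr. The function body continues outside the hunk, so how callers treat a NULL result has to be confirmed there.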
68699 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
68700 char buf[8];
68701
68702 seq_printf(m, "%s %u",
68703 - mod->name, mod->init_size + mod->core_size);
68704 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
68705 print_unload_info(m, mod);
68706
68707 /* Informative for users. */
68708 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
68709 mod->state == MODULE_STATE_COMING ? "Loading":
68710 "Live");
68711 /* Used by oprofile and other similar tools. */
68712 - seq_printf(m, " 0x%pK", mod->module_core);
68713 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
68714
68715 /* Taints info */
68716 if (mod->taints)
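Review bot: The `seq_printf(m, " 0x%pK 0x%pK", ...)` line adds a second address column to every /proc/modules record, and the comment above it still says the field is "Used by oprofile and other similar tools". A parser that expects one address, or that reads the token after the address as the taint string, will misread the new layout. The format change should be stated next to the call, for example `/* two columns: core rx base, then core rw base */`, and noted for userspace consumers. m_show() starts and ends outside this hunk.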
68717 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
68718
68719 static int __init proc_modules_init(void)
68720 {
68721 +#ifndef CONFIG_GRKERNSEC_HIDESYM
68722 +#ifdef CONFIG_GRKERNSEC_PROC_USER
68723 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68724 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
68725 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
68726 +#else
68727 proc_create("modules", 0, NULL, &proc_modules_operations);
68728 +#endif
68729 +#else
68730 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68731 +#endif
68732 return 0;
68733 }
68734 module_init(proc_modules_init);
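Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` ladder in proc_modules_init() repeats the identical `proc_create("modules", S_IRUSR, ...)` call in two branches, which makes it easy to change one and forget the other. A flat chain reads more directly: `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)` for the S_IRUSR call, then `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, then `#else`. A one-line comment stating that the mode restricts who can read the module list and load addresses would also help, since the hunk does not say why the mode differs per option.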
68735 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
68736 {
68737 struct module *mod;
68738
68739 - if (addr < module_addr_min || addr > module_addr_max)
68740 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
68741 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
68742 return NULL;
68743
68744 list_for_each_entry_rcu(mod, &modules, list)
68745 - if (within_module_core(addr, mod)
68746 - || within_module_init(addr, mod))
68747 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
68748 return mod;
68749 return NULL;
68750 }
68751 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
68752 */
68753 struct module *__module_text_address(unsigned long addr)
68754 {
68755 - struct module *mod = __module_address(addr);
68756 + struct module *mod;
68757 +
68758 +#ifdef CONFIG_X86_32
68759 + addr = ktla_ktva(addr);
68760 +#endif
68761 +
68762 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
68763 + return NULL;
68764 +
68765 + mod = __module_address(addr);
68766 +
68767 if (mod) {
68768 /* Make sure it's within the text section. */
68769 - if (!within(addr, mod->module_init, mod->init_text_size)
68770 - && !within(addr, mod->module_core, mod->core_text_size))
68771 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
68772 mod = NULL;
68773 }
68774 return mod;
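Review bot: The `addr = ktla_ktva(addr);` line under CONFIG_X86_32 rewrites the caller's address before every later comparison in __module_text_address(), and the hunk carries no comment on what the translation is for. The helper is defined outside this hunk, so a reader cannot tell here whether the rx bounds and `within_module_*_rx()` expect the translated or the original form. I would add a comment such as `/* rx bounds are kept in the translated form on x86-32; convert before comparing (confirm) */`. It is also worth saying that the explicit `module_addr_min_rx`/`module_addr_max_rx` test is a deliberate early exit, since __module_address() repeats a wider range check. The closing brace of the function is outside the hunk.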
68775 diff -urNp linux-2.6.39.1/kernel/mutex.c linux-2.6.39.1/kernel/mutex.c
68776 --- linux-2.6.39.1/kernel/mutex.c 2011-05-19 00:06:34.000000000 -0400
68777 +++ linux-2.6.39.1/kernel/mutex.c 2011-05-22 19:36:33.000000000 -0400
68778 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
68779 */
68780
68781 for (;;) {
68782 - struct thread_info *owner;
68783 + struct task_struct *owner;
68784
68785 /*
68786 * If we own the BKL, then don't spin. The owner of
68787 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
68788 spin_lock_mutex(&lock->wait_lock, flags);
68789
68790 debug_mutex_lock_common(lock, &waiter);
68791 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
68792 + debug_mutex_add_waiter(lock, &waiter, task);
68793
68794 /* add waiting tasks to the end of the waitqueue (FIFO): */
68795 list_add_tail(&waiter.list, &lock->wait_list);
68796 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
68797 * TASK_UNINTERRUPTIBLE case.)
68798 */
68799 if (unlikely(signal_pending_state(state, task))) {
68800 - mutex_remove_waiter(lock, &waiter,
68801 - task_thread_info(task));
68802 + mutex_remove_waiter(lock, &waiter, task);
68803 mutex_release(&lock->dep_map, 1, ip);
68804 spin_unlock_mutex(&lock->wait_lock, flags);
68805
68806 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
68807 done:
68808 lock_acquired(&lock->dep_map, ip);
68809 /* got the lock - rejoice! */
68810 - mutex_remove_waiter(lock, &waiter, current_thread_info());
68811 + mutex_remove_waiter(lock, &waiter, task);
68812 mutex_set_owner(lock);
68813
68814 /* set it to 0 if there are no waiters left: */
68815 diff -urNp linux-2.6.39.1/kernel/mutex-debug.c linux-2.6.39.1/kernel/mutex-debug.c
68816 --- linux-2.6.39.1/kernel/mutex-debug.c 2011-05-19 00:06:34.000000000 -0400
68817 +++ linux-2.6.39.1/kernel/mutex-debug.c 2011-05-22 19:36:33.000000000 -0400
68818 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
68819 }
68820
68821 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68822 - struct thread_info *ti)
68823 + struct task_struct *task)
68824 {
68825 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
68826
68827 /* Mark the current thread as blocked on the lock: */
68828 - ti->task->blocked_on = waiter;
68829 + task->blocked_on = waiter;
68830 }
68831
68832 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68833 - struct thread_info *ti)
68834 + struct task_struct *task)
68835 {
68836 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
68837 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
68838 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
68839 - ti->task->blocked_on = NULL;
68840 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
68841 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
68842 + task->blocked_on = NULL;
68843
68844 list_del_init(&waiter->list);
68845 waiter->task = NULL;
68846 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
68847 return;
68848
68849 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
68850 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
68851 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
68852 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
68853 mutex_clear_owner(lock);
68854 }
68855 diff -urNp linux-2.6.39.1/kernel/mutex-debug.h linux-2.6.39.1/kernel/mutex-debug.h
68856 --- linux-2.6.39.1/kernel/mutex-debug.h 2011-05-19 00:06:34.000000000 -0400
68857 +++ linux-2.6.39.1/kernel/mutex-debug.h 2011-05-22 19:36:33.000000000 -0400
68858 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
68859 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
68860 extern void debug_mutex_add_waiter(struct mutex *lock,
68861 struct mutex_waiter *waiter,
68862 - struct thread_info *ti);
68863 + struct task_struct *task);
68864 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68865 - struct thread_info *ti);
68866 + struct task_struct *task);
68867 extern void debug_mutex_unlock(struct mutex *lock);
68868 extern void debug_mutex_init(struct mutex *lock, const char *name,
68869 struct lock_class_key *key);
68870
68871 static inline void mutex_set_owner(struct mutex *lock)
68872 {
68873 - lock->owner = current_thread_info();
68874 + lock->owner = current;
68875 }
68876
68877 static inline void mutex_clear_owner(struct mutex *lock)
68878 diff -urNp linux-2.6.39.1/kernel/mutex.h linux-2.6.39.1/kernel/mutex.h
68879 --- linux-2.6.39.1/kernel/mutex.h 2011-05-19 00:06:34.000000000 -0400
68880 +++ linux-2.6.39.1/kernel/mutex.h 2011-05-22 19:36:33.000000000 -0400
68881 @@ -19,7 +19,7 @@
68882 #ifdef CONFIG_SMP
68883 static inline void mutex_set_owner(struct mutex *lock)
68884 {
68885 - lock->owner = current_thread_info();
68886 + lock->owner = current;
68887 }
68888
68889 static inline void mutex_clear_owner(struct mutex *lock)
68890 diff -urNp linux-2.6.39.1/kernel/padata.c linux-2.6.39.1/kernel/padata.c
68891 --- linux-2.6.39.1/kernel/padata.c 2011-05-19 00:06:34.000000000 -0400
68892 +++ linux-2.6.39.1/kernel/padata.c 2011-05-22 19:36:33.000000000 -0400
68893 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
68894 padata->pd = pd;
68895 padata->cb_cpu = cb_cpu;
68896
68897 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
68898 - atomic_set(&pd->seq_nr, -1);
68899 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
68900 + atomic_set_unchecked(&pd->seq_nr, -1);
68901
68902 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
68903 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
68904
68905 target_cpu = padata_cpu_hash(padata);
68906 queue = per_cpu_ptr(pd->pqueue, target_cpu);
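Review bot: The conversion of `pd->seq_nr` to `atomic_read_unchecked()`, `atomic_set_unchecked()` and `atomic_inc_return_unchecked()` gives no reason why this counter is exempt from overflow checking. From the visible lines it is a sequence number that is reset to -1 when it reaches `pd->max_seq_nr`, not a reference count, which is presumably the justification. `reorder_objects` and `refcnt` in the next hunk stay on the checked API. A comment such as `/* seq_nr is a wrapping sequence number, not a refcount */` would record that decision for anyone auditing the unchecked users later. The same applies to the `_unchecked` conversions in the kernel/perf_event.c and kernel/profile.c hunks below.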
68907 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
68908 padata_init_pqueues(pd);
68909 padata_init_squeues(pd);
68910 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
68911 - atomic_set(&pd->seq_nr, -1);
68912 + atomic_set_unchecked(&pd->seq_nr, -1);
68913 atomic_set(&pd->reorder_objects, 0);
68914 atomic_set(&pd->refcnt, 0);
68915 pd->pinst = pinst;
68916 diff -urNp linux-2.6.39.1/kernel/panic.c linux-2.6.39.1/kernel/panic.c
68917 --- linux-2.6.39.1/kernel/panic.c 2011-05-19 00:06:34.000000000 -0400
68918 +++ linux-2.6.39.1/kernel/panic.c 2011-05-22 19:41:42.000000000 -0400
68919 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
68920 const char *board;
68921
68922 printk(KERN_WARNING "------------[ cut here ]------------\n");
68923 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
68924 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
68925 board = dmi_get_system_info(DMI_PRODUCT_NAME);
68926 if (board)
68927 printk(KERN_WARNING "Hardware name: %s\n", board);
68928 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
68929 */
68930 void __stack_chk_fail(void)
68931 {
68932 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
68933 + dump_stack();
68934 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
68935 __builtin_return_address(0));
68936 }
68937 EXPORT_SYMBOL(__stack_chk_fail);
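Review bot: The added `dump_stack();` in __stack_chk_fail() walks a stack that the canary check has just reported as corrupted, and the hunk does not say that the resulting trace is best effort. If panic() in this tree already prints a trace under a debug option (not visible here), the output is also duplicated. I would add a comment above the call, for example `/* best effort: the frame is known to be corrupt, so the trace may be incomplete or wrong */`, so that whoever reads the log does not treat the backtrace as authoritative.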
68938 diff -urNp linux-2.6.39.1/kernel/params.c linux-2.6.39.1/kernel/params.c
68939 --- linux-2.6.39.1/kernel/params.c 2011-05-19 00:06:34.000000000 -0400
68940 +++ linux-2.6.39.1/kernel/params.c 2011-05-22 19:36:33.000000000 -0400
68941 @@ -234,7 +234,7 @@ int parse_args(const char *name,
68942 { \
68943 return sprintf(buffer, format, *((type *)kp->arg)); \
68944 } \
68945 - struct kernel_param_ops param_ops_##name = { \
68946 + const struct kernel_param_ops param_ops_##name = { \
68947 .set = param_set_##name, \
68948 .get = param_get_##name, \
68949 }; \
68950 @@ -286,7 +286,7 @@ static void param_free_charp(void *arg)
68951 maybe_kfree_parameter(*((char **)arg));
68952 }
68953
68954 -struct kernel_param_ops param_ops_charp = {
68955 +const struct kernel_param_ops param_ops_charp = {
68956 .set = param_set_charp,
68957 .get = param_get_charp,
68958 .free = param_free_charp,
68959 @@ -334,7 +334,7 @@ int param_get_bool(char *buffer, const s
68960 }
68961 EXPORT_SYMBOL(param_get_bool);
68962
68963 -struct kernel_param_ops param_ops_bool = {
68964 +const struct kernel_param_ops param_ops_bool = {
68965 .set = param_set_bool,
68966 .get = param_get_bool,
68967 };
68968 @@ -362,7 +362,7 @@ int param_get_invbool(char *buffer, cons
68969 }
68970 EXPORT_SYMBOL(param_get_invbool);
68971
68972 -struct kernel_param_ops param_ops_invbool = {
68973 +const struct kernel_param_ops param_ops_invbool = {
68974 .set = param_set_invbool,
68975 .get = param_get_invbool,
68976 };
68977 @@ -460,7 +460,7 @@ static void param_array_free(void *arg)
68978 arr->ops->free(arr->elem + arr->elemsize * i);
68979 }
68980
68981 -struct kernel_param_ops param_array_ops = {
68982 +const struct kernel_param_ops param_array_ops = {
68983 .set = param_array_set,
68984 .get = param_array_get,
68985 .free = param_array_free,
68986 @@ -488,7 +488,7 @@ int param_get_string(char *buffer, const
68987 }
68988 EXPORT_SYMBOL(param_get_string);
68989
68990 -struct kernel_param_ops param_ops_string = {
68991 +const struct kernel_param_ops param_ops_string = {
68992 .set = param_set_copystring,
68993 .get = param_get_string,
68994 };
68995 diff -urNp linux-2.6.39.1/kernel/perf_event.c linux-2.6.39.1/kernel/perf_event.c
68996 --- linux-2.6.39.1/kernel/perf_event.c 2011-05-19 00:06:34.000000000 -0400
68997 +++ linux-2.6.39.1/kernel/perf_event.c 2011-05-22 19:36:33.000000000 -0400
68998 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
68999 return 0;
69000 }
69001
69002 -static atomic64_t perf_event_id;
69003 +static atomic64_unchecked_t perf_event_id;
69004
69005 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
69006 enum event_type_t event_type);
69007 @@ -2496,7 +2496,7 @@ static void __perf_event_read(void *info
69008
69009 static inline u64 perf_event_count(struct perf_event *event)
69010 {
69011 - return local64_read(&event->count) + atomic64_read(&event->child_count);
69012 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
69013 }
69014
69015 static u64 perf_event_read(struct perf_event *event)
69016 @@ -3031,9 +3031,9 @@ u64 perf_event_read_value(struct perf_ev
69017 mutex_lock(&event->child_mutex);
69018 total += perf_event_read(event);
69019 *enabled += event->total_time_enabled +
69020 - atomic64_read(&event->child_total_time_enabled);
69021 + atomic64_read_unchecked(&event->child_total_time_enabled);
69022 *running += event->total_time_running +
69023 - atomic64_read(&event->child_total_time_running);
69024 + atomic64_read_unchecked(&event->child_total_time_running);
69025
69026 list_for_each_entry(child, &event->child_list, child_list) {
69027 total += perf_event_read(child);
69028 @@ -3396,10 +3396,10 @@ void perf_event_update_userpage(struct p
69029 userpg->offset -= local64_read(&event->hw.prev_count);
69030
69031 userpg->time_enabled = event->total_time_enabled +
69032 - atomic64_read(&event->child_total_time_enabled);
69033 + atomic64_read_unchecked(&event->child_total_time_enabled);
69034
69035 userpg->time_running = event->total_time_running +
69036 - atomic64_read(&event->child_total_time_running);
69037 + atomic64_read_unchecked(&event->child_total_time_running);
69038
69039 barrier();
69040 ++userpg->lock;
69041 @@ -3884,16 +3884,16 @@ static void perf_pending_event(struct ir
69042 * Later on, we might change it to a list if there is
69043 * another virtualization implementation supporting the callbacks.
69044 */
69045 -struct perf_guest_info_callbacks *perf_guest_cbs;
69046 +const struct perf_guest_info_callbacks *perf_guest_cbs;
69047
69048 -int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69049 +int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69050 {
69051 perf_guest_cbs = cbs;
69052 return 0;
69053 }
69054 EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
69055
69056 -int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69057 +int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69058 {
69059 perf_guest_cbs = NULL;
69060 return 0;
69061 @@ -4196,11 +4196,11 @@ static void perf_output_read_one(struct
69062 values[n++] = perf_event_count(event);
69063 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69064 values[n++] = enabled +
69065 - atomic64_read(&event->child_total_time_enabled);
69066 + atomic64_read_unchecked(&event->child_total_time_enabled);
69067 }
69068 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69069 values[n++] = running +
69070 - atomic64_read(&event->child_total_time_running);
69071 + atomic64_read_unchecked(&event->child_total_time_running);
69072 }
69073 if (read_format & PERF_FORMAT_ID)
69074 values[n++] = primary_event_id(event);
69075 @@ -6201,7 +6201,7 @@ perf_event_alloc(struct perf_event_attr
69076 event->parent = parent_event;
69077
69078 event->ns = get_pid_ns(current->nsproxy->pid_ns);
69079 - event->id = atomic64_inc_return(&perf_event_id);
69080 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
69081
69082 event->state = PERF_EVENT_STATE_INACTIVE;
69083
69084 @@ -6724,10 +6724,10 @@ static void sync_child_event(struct perf
69085 /*
69086 * Add back the child's count to the parent's count:
69087 */
69088 - atomic64_add(child_val, &parent_event->child_count);
69089 - atomic64_add(child_event->total_time_enabled,
69090 + atomic64_add_unchecked(child_val, &parent_event->child_count);
69091 + atomic64_add_unchecked(child_event->total_time_enabled,
69092 &parent_event->child_total_time_enabled);
69093 - atomic64_add(child_event->total_time_running,
69094 + atomic64_add_unchecked(child_event->total_time_running,
69095 &parent_event->child_total_time_running);
69096
69097 /*
69098 diff -urNp linux-2.6.39.1/kernel/pid.c linux-2.6.39.1/kernel/pid.c
69099 --- linux-2.6.39.1/kernel/pid.c 2011-05-19 00:06:34.000000000 -0400
69100 +++ linux-2.6.39.1/kernel/pid.c 2011-05-22 19:41:42.000000000 -0400
69101 @@ -33,6 +33,7 @@
69102 #include <linux/rculist.h>
69103 #include <linux/bootmem.h>
69104 #include <linux/hash.h>
69105 +#include <linux/security.h>
69106 #include <linux/pid_namespace.h>
69107 #include <linux/init_task.h>
69108 #include <linux/syscalls.h>
69109 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69110
69111 int pid_max = PID_MAX_DEFAULT;
69112
69113 -#define RESERVED_PIDS 300
69114 +#define RESERVED_PIDS 500
69115
69116 int pid_max_min = RESERVED_PIDS + 1;
69117 int pid_max_max = PID_MAX_LIMIT;
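Review bot: `RESERVED_PIDS` changes from 300 to 500 without a comment, and the context line `int pid_max_min = RESERVED_PIDS + 1;` shows that the change also moves `pid_max_min` to 501. If `pid_max_min` is the lower bound accepted for the pid_max tunable (its use is outside this hunk), a configuration that sets pid_max between 301 and 500 stops being valid. A comment on the define, for example `/* pids below this are not reused after wrap; also sets pid_max_min */`, plus a line in the change description giving the reason for 500, would make the side effect visible.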
69118 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
69119 */
69120 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69121 {
69122 + struct task_struct *task;
69123 +
69124 rcu_lockdep_assert(rcu_read_lock_held());
69125 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69126 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69127 +
69128 + if (gr_pid_is_chrooted(task))
69129 + return NULL;
69130 +
69131 + return task;
69132 }
69133
69134 struct task_struct *find_task_by_vpid(pid_t vnr)
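Review bot: `gr_pid_is_chrooted(task)` receives whatever pid_task() returned, and that can be NULL when no task matches `nr`. The old one-line body simply passed that NULL back to the caller. Whether gr_pid_is_chrooted() tolerates a NULL argument cannot be seen from this hunk, so the call site should not depend on it: `if (task && gr_pid_is_chrooted(task))`. A comment stating that a task hidden by the chroot policy is reported exactly like a nonexistent pid would document the intended behaviour for callers.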
69135 diff -urNp linux-2.6.39.1/kernel/posix-cpu-timers.c linux-2.6.39.1/kernel/posix-cpu-timers.c
69136 --- linux-2.6.39.1/kernel/posix-cpu-timers.c 2011-05-19 00:06:34.000000000 -0400
69137 +++ linux-2.6.39.1/kernel/posix-cpu-timers.c 2011-05-22 19:41:42.000000000 -0400
69138 @@ -6,6 +6,7 @@
69139 #include <linux/posix-timers.h>
69140 #include <linux/errno.h>
69141 #include <linux/math64.h>
69142 +#include <linux/security.h>
69143 #include <asm/uaccess.h>
69144 #include <linux/kernel_stat.h>
69145 #include <trace/events/timer.h>
69146 @@ -1590,7 +1591,7 @@ static int thread_cpu_timer_create(struc
69147 return posix_cpu_timer_create(timer);
69148 }
69149
69150 -struct k_clock clock_posix_cpu = {
69151 +const struct k_clock clock_posix_cpu = {
69152 .clock_getres = posix_cpu_clock_getres,
69153 .clock_set = posix_cpu_clock_set,
69154 .clock_get = posix_cpu_clock_get,
69155 @@ -1604,14 +1605,14 @@ struct k_clock clock_posix_cpu = {
69156
69157 static __init int init_posix_cpu_timers(void)
69158 {
69159 - struct k_clock process = {
69160 + const struct k_clock process = {
69161 .clock_getres = process_cpu_clock_getres,
69162 .clock_get = process_cpu_clock_get,
69163 .timer_create = process_cpu_timer_create,
69164 .nsleep = process_cpu_nsleep,
69165 .nsleep_restart = process_cpu_nsleep_restart,
69166 };
69167 - struct k_clock thread = {
69168 + const struct k_clock thread = {
69169 .clock_getres = thread_cpu_clock_getres,
69170 .clock_get = thread_cpu_clock_get,
69171 .timer_create = thread_cpu_timer_create,
69172 diff -urNp linux-2.6.39.1/kernel/posix-timers.c linux-2.6.39.1/kernel/posix-timers.c
69173 --- linux-2.6.39.1/kernel/posix-timers.c 2011-05-19 00:06:34.000000000 -0400
69174 +++ linux-2.6.39.1/kernel/posix-timers.c 2011-05-22 20:13:41.000000000 -0400
69175 @@ -43,6 +43,7 @@
69176 #include <linux/idr.h>
69177 #include <linux/posix-clock.h>
69178 #include <linux/posix-timers.h>
69179 +#include <linux/grsecurity.h>
69180 #include <linux/syscalls.h>
69181 #include <linux/wait.h>
69182 #include <linux/workqueue.h>
69183 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
69184 */
69185 static __init int init_posix_timers(void)
69186 {
69187 - struct k_clock clock_realtime = {
69188 + const struct k_clock clock_realtime = {
69189 .clock_getres = hrtimer_get_res,
69190 .clock_get = posix_clock_realtime_get,
69191 .clock_set = posix_clock_realtime_set,
69192 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
69193 .timer_get = common_timer_get,
69194 .timer_del = common_timer_del,
69195 };
69196 - struct k_clock clock_monotonic = {
69197 + const struct k_clock clock_monotonic = {
69198 .clock_getres = hrtimer_get_res,
69199 .clock_get = posix_ktime_get_ts,
69200 .nsleep = common_nsleep,
69201 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
69202 .timer_get = common_timer_get,
69203 .timer_del = common_timer_del,
69204 };
69205 - struct k_clock clock_monotonic_raw = {
69206 + const struct k_clock clock_monotonic_raw = {
69207 .clock_getres = hrtimer_get_res,
69208 .clock_get = posix_get_monotonic_raw,
69209 };
69210 - struct k_clock clock_realtime_coarse = {
69211 + const struct k_clock clock_realtime_coarse = {
69212 .clock_getres = posix_get_coarse_res,
69213 .clock_get = posix_get_realtime_coarse,
69214 };
69215 - struct k_clock clock_monotonic_coarse = {
69216 + const struct k_clock clock_monotonic_coarse = {
69217 .clock_getres = posix_get_coarse_res,
69218 .clock_get = posix_get_monotonic_coarse,
69219 };
69220 - struct k_clock clock_boottime = {
69221 + const struct k_clock clock_boottime = {
69222 .clock_getres = hrtimer_get_res,
69223 .clock_get = posix_get_boottime,
69224 .nsleep = common_nsleep,
69225 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
69226 .timer_del = common_timer_del,
69227 };
69228
69229 + pax_track_stack();
69230 +
69231 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
69232 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
69233 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
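Review bot: The `pax_track_stack();` call is added to init_posix_timers() without any comment, and its definition is not in this hunk. The likely reason is the six `struct k_clock` locals declared above it, which make this frame unusually large, but a reader should not have to guess. I would add `/* large frame: six k_clock initialisers live on the stack here */` above the call. The function's remaining register calls and its return are outside the hunk.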
69234 @@ -454,7 +457,7 @@ static struct pid *good_sigevent(sigeven
69235 }
69236
69237 void posix_timers_register_clock(const clockid_t clock_id,
69238 - struct k_clock *new_clock)
69239 + const struct k_clock *new_clock)
69240 {
69241 if ((unsigned) clock_id >= MAX_CLOCKS) {
69242 printk(KERN_WARNING "POSIX clock register failed for clock_id %d\n",
69243 @@ -506,7 +509,7 @@ static void release_posix_timer(struct k
69244 kmem_cache_free(posix_timers_cache, tmr);
69245 }
69246
69247 -static struct k_clock *clockid_to_kclock(const clockid_t id)
69248 +static const struct k_clock *clockid_to_kclock(const clockid_t id)
69249 {
69250 if (id < 0)
69251 return (id & CLOCKFD_MASK) == CLOCKFD ?
69252 @@ -529,7 +532,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
69253 struct sigevent __user *, timer_event_spec,
69254 timer_t __user *, created_timer_id)
69255 {
69256 - struct k_clock *kc = clockid_to_kclock(which_clock);
69257 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69258 struct k_itimer *new_timer;
69259 int error, new_timer_id;
69260 sigevent_t event;
69261 @@ -714,7 +717,7 @@ SYSCALL_DEFINE2(timer_gettime, timer_t,
69262 {
69263 struct itimerspec cur_setting;
69264 struct k_itimer *timr;
69265 - struct k_clock *kc;
69266 + const struct k_clock *kc;
69267 unsigned long flags;
69268 int ret = 0;
69269
69270 @@ -822,7 +825,7 @@ SYSCALL_DEFINE4(timer_settime, timer_t,
69271 int error = 0;
69272 unsigned long flag;
69273 struct itimerspec *rtn = old_setting ? &old_spec : NULL;
69274 - struct k_clock *kc;
69275 + const struct k_clock *kc;
69276
69277 if (!new_setting)
69278 return -EINVAL;
69279 @@ -868,7 +871,7 @@ static int common_timer_del(struct k_iti
69280
69281 static inline int timer_delete_hook(struct k_itimer *timer)
69282 {
69283 - struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69284 + const struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69285
69286 if (WARN_ON_ONCE(!kc || !kc->timer_del))
69287 return -EINVAL;
69288 @@ -947,7 +950,7 @@ void exit_itimers(struct signal_struct *
69289 SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
69290 const struct timespec __user *, tp)
69291 {
69292 - struct k_clock *kc = clockid_to_kclock(which_clock);
69293 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69294 struct timespec new_tp;
69295
69296 if (!kc || !kc->clock_set)
69297 @@ -956,13 +959,20 @@ SYSCALL_DEFINE2(clock_settime, const clo
69298 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69299 return -EFAULT;
69300
69301 + /* only the CLOCK_REALTIME clock can be set, all other clocks
69302 + have their clock_set fptr set to a nosettime dummy function
69303 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69304 + call common_clock_set, which calls do_sys_settimeofday, which
69305 + we hook
69306 + */
69307 +
69308 return kc->clock_set(which_clock, &new_tp);
69309 }
69310
69311 SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,
69312 struct timespec __user *,tp)
69313 {
69314 - struct k_clock *kc = clockid_to_kclock(which_clock);
69315 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69316 struct timespec kernel_tp;
69317 int error;
69318
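Review bot: The comment added before `return kc->clock_set(which_clock, &new_tp);` does not match the code shown on this page. It says CLOCK_REALTIME has a NULL `clock_set` pointer that leads to common_clock_set, but the init_posix_timers() context earlier in this file shows `.clock_set = posix_clock_realtime_set` for `clock_realtime`, and the `if (!kc || !kc->clock_set)` test just above means a NULL pointer never reaches this call. The comment reads as if it was carried over from an older kernel layout. It should be rewritten along the lines of `/* only CLOCK_REALTIME provides clock_set (posix_clock_realtime_set); the settime hook sits below that call, confirm the path */`, after checking where the hook is actually reached in this tree.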
69319 @@ -980,7 +990,7 @@ SYSCALL_DEFINE2(clock_gettime, const clo
69320 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
69321 struct timex __user *, utx)
69322 {
69323 - struct k_clock *kc = clockid_to_kclock(which_clock);
69324 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69325 struct timex ktx;
69326 int err;
69327
69328 @@ -1003,7 +1013,7 @@ SYSCALL_DEFINE2(clock_adjtime, const clo
69329 SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,
69330 struct timespec __user *, tp)
69331 {
69332 - struct k_clock *kc = clockid_to_kclock(which_clock);
69333 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69334 struct timespec rtn_tp;
69335 int error;
69336
69337 @@ -1033,7 +1043,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69338 const struct timespec __user *, rqtp,
69339 struct timespec __user *, rmtp)
69340 {
69341 - struct k_clock *kc = clockid_to_kclock(which_clock);
69342 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69343 struct timespec t;
69344
69345 if (!kc)
69346 @@ -1057,7 +1067,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69347 long clock_nanosleep_restart(struct restart_block *restart_block)
69348 {
69349 clockid_t which_clock = restart_block->nanosleep.index;
69350 - struct k_clock *kc = clockid_to_kclock(which_clock);
69351 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69352
69353 if (WARN_ON_ONCE(!kc || !kc->nsleep_restart))
69354 return -EINVAL;
69355 diff -urNp linux-2.6.39.1/kernel/power/poweroff.c linux-2.6.39.1/kernel/power/poweroff.c
69356 --- linux-2.6.39.1/kernel/power/poweroff.c 2011-05-19 00:06:34.000000000 -0400
69357 +++ linux-2.6.39.1/kernel/power/poweroff.c 2011-05-22 19:36:33.000000000 -0400
69358 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69359 .enable_mask = SYSRQ_ENABLE_BOOT,
69360 };
69361
69362 -static int pm_sysrq_init(void)
69363 +static int __init pm_sysrq_init(void)
69364 {
69365 register_sysrq_key('o', &sysrq_poweroff_op);
69366 return 0;
69367 diff -urNp linux-2.6.39.1/kernel/power/process.c linux-2.6.39.1/kernel/power/process.c
69368 --- linux-2.6.39.1/kernel/power/process.c 2011-05-19 00:06:34.000000000 -0400
69369 +++ linux-2.6.39.1/kernel/power/process.c 2011-05-22 19:36:33.000000000 -0400
69370 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
69371 u64 elapsed_csecs64;
69372 unsigned int elapsed_csecs;
69373 bool wakeup = false;
69374 + bool timedout = false;
69375
69376 do_gettimeofday(&start);
69377
69378 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
69379
69380 while (true) {
69381 todo = 0;
69382 + if (time_after(jiffies, end_time))
69383 + timedout = true;
69384 read_lock(&tasklist_lock);
69385 do_each_thread(g, p) {
69386 if (frozen(p) || !freezable(p))
69387 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
69388 * try_to_stop() after schedule() in ptrace/signal
69389 * stop sees TIF_FREEZE.
69390 */
69391 - if (!task_is_stopped_or_traced(p) &&
69392 - !freezer_should_skip(p))
69393 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69394 todo++;
69395 + if (timedout) {
69396 + printk(KERN_ERR "Task refusing to freeze:\n");
69397 + sched_show_task(p);
69398 + }
69399 + }
69400 } while_each_thread(g, p);
69401 read_unlock(&tasklist_lock);
69402
69403 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
69404 todo += wq_busy;
69405 }
69406
69407 - if (!todo || time_after(jiffies, end_time))
69408 + if (!todo || timedout)
69409 break;
69410
69411 if (pm_wakeup_pending()) {
69412 diff -urNp linux-2.6.39.1/kernel/printk.c linux-2.6.39.1/kernel/printk.c
69413 --- linux-2.6.39.1/kernel/printk.c 2011-05-19 00:06:34.000000000 -0400
69414 +++ linux-2.6.39.1/kernel/printk.c 2011-05-22 19:41:42.000000000 -0400
69415 @@ -284,12 +284,17 @@ static int check_syslog_permissions(int
69416 if (from_file && type != SYSLOG_ACTION_OPEN)
69417 return 0;
69418
69419 +#ifdef CONFIG_GRKERNSEC_DMESG
69420 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
69421 + return -EPERM;
69422 +#endif
69423 +
69424 if (syslog_action_restricted(type)) {
69425 if (capable(CAP_SYSLOG))
69426 return 0;
69427 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
69428 if (capable(CAP_SYS_ADMIN)) {
69429 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
69430 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
69431 "but no CAP_SYSLOG (deprecated).\n");
69432 return 0;
69433 }
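Review bot: The new `CONFIG_GRKERNSEC_DMESG` test sits before `syslog_action_restricted(type)`, so when `grsec_enable_dmesg` is set it returns -EPERM for every syslog action type, not only the restricted ones, and the hunk has no comment stating that this is intended. It also mixes `capable(CAP_SYSLOG)` with `capable_nolog(CAP_SYS_ADMIN)` without explaining why only the second check is silent. I would add a comment above the block, for example `/* with dmesg restriction on, every action needs CAP_SYSLOG or CAP_SYS_ADMIN; the CAP_SYS_ADMIN probe is not logged */`. The switch from `WARN_ONCE` to `printk_once` further down deserves a short mention as well, since it drops the backtrace from the deprecation message. check_syslog_permissions() begins outside the hunk.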
69434 diff -urNp linux-2.6.39.1/kernel/profile.c linux-2.6.39.1/kernel/profile.c
69435 --- linux-2.6.39.1/kernel/profile.c 2011-05-19 00:06:34.000000000 -0400
69436 +++ linux-2.6.39.1/kernel/profile.c 2011-05-22 19:36:33.000000000 -0400
69437 @@ -39,7 +39,7 @@ struct profile_hit {
69438 /* Oprofile timer tick hook */
69439 static int (*timer_hook)(struct pt_regs *) __read_mostly;
69440
69441 -static atomic_t *prof_buffer;
69442 +static atomic_unchecked_t *prof_buffer;
69443 static unsigned long prof_len, prof_shift;
69444
69445 int prof_on __read_mostly;
69446 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69447 hits[i].pc = 0;
69448 continue;
69449 }
69450 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69451 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69452 hits[i].hits = hits[i].pc = 0;
69453 }
69454 }
69455 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69456 * Add the current hit(s) and flush the write-queue out
69457 * to the global buffer:
69458 */
69459 - atomic_add(nr_hits, &prof_buffer[pc]);
69460 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69461 for (i = 0; i < NR_PROFILE_HIT; ++i) {
69462 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69463 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69464 hits[i].pc = hits[i].hits = 0;
69465 }
69466 out:
69467 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69468 if (prof_on != type || !prof_buffer)
69469 return;
69470 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69471 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69472 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69473 }
69474 #endif /* !CONFIG_SMP */
69475 EXPORT_SYMBOL_GPL(profile_hits);
69476 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69477 return -EFAULT;
69478 buf++; p++; count--; read++;
69479 }
69480 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69481 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69482 if (copy_to_user(buf, (void *)pnt, count))
69483 return -EFAULT;
69484 read += count;
69485 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69486 }
69487 #endif
69488 profile_discard_flip_buffers();
69489 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69490 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69491 return count;
69492 }
69493
69494 diff -urNp linux-2.6.39.1/kernel/ptrace.c linux-2.6.39.1/kernel/ptrace.c
69495 --- linux-2.6.39.1/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
69496 +++ linux-2.6.39.1/kernel/ptrace.c 2011-05-23 17:07:00.000000000 -0400
69497 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69498 return ret;
69499 }
69500
69501 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69502 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69503 + unsigned int log)
69504 {
69505 const struct cred *cred = current_cred(), *tcred;
69506
69507 @@ -143,7 +144,8 @@ int __ptrace_may_access(struct task_stru
69508 cred->gid == tcred->sgid &&
69509 cred->gid == tcred->gid))
69510 goto ok;
69511 - if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
69512 + if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
69513 + (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
69514 goto ok;
69515 rcu_read_unlock();
69516 return -EPERM;
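Review bot: The capability test is spelled out twice with `log` selecting the branch, which is hard to read and easy to break on a later edit. `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))` expresses the same condition once. The `!dumpable` check in the next hunk repeats the pattern with `task_ns_capable`/`task_ns_capable_nolog` and would read better the same way. Since `log` is only tested for truth, `bool` would document it better than `unsigned int`. __ptrace_may_access begins and ends outside this hunk.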
69517 @@ -152,7 +154,9 @@ ok:
69518 smp_rmb();
69519 if (task->mm)
69520 dumpable = get_dumpable(task->mm);
69521 - if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
69522 + if (!dumpable &&
69523 + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
69524 + (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
69525 return -EPERM;
69526
69527 return security_ptrace_access_check(task, mode);
69528 @@ -162,7 +166,16 @@ bool ptrace_may_access(struct task_struc
69529 {
69530 int err;
69531 task_lock(task);
69532 - err = __ptrace_may_access(task, mode);
69533 + err = __ptrace_may_access(task, mode, 0);
69534 + task_unlock(task);
69535 + return !err;
69536 +}
69537 +
69538 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
69539 +{
69540 + int err;
69541 + task_lock(task);
69542 + err = __ptrace_may_access(task, mode, 1);
69543 task_unlock(task);
69544 return !err;
69545 }
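Review bot: ptrace_may_access_log() is added without any comment saying when a caller should prefer it over ptrace_may_access(), and the two bodies differ only in the final argument. From the earlier hunks the flag appears to select between `ns_capable()` and `ns_capable_nolog()`. A one-line comment above the new function would help, for example `/* like ptrace_may_access(), but uses the logging capability checks */`, with the wording confirmed against what the non-_nolog helpers actually record. The signature of ptrace_may_access is above the hunk.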
69546 @@ -189,7 +202,7 @@ static int ptrace_attach(struct task_str
69547 goto out;
69548
69549 task_lock(task);
69550 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
69551 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
69552 task_unlock(task);
69553 if (retval)
69554 goto unlock_creds;
69555 @@ -202,7 +215,7 @@ static int ptrace_attach(struct task_str
69556 goto unlock_tasklist;
69557
69558 task->ptrace = PT_PTRACED;
69559 - if (task_ns_capable(task, CAP_SYS_PTRACE))
69560 + if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
69561 task->ptrace |= PT_PTRACE_CAP;
69562
69563 __ptrace_link(task, current);
69564 @@ -362,6 +375,8 @@ int ptrace_readdata(struct task_struct *
69565 {
69566 int copied = 0;
69567
69568 + pax_track_stack();
69569 +
69570 while (len > 0) {
69571 char buf[128];
69572 int this_len, retval;
69573 @@ -373,7 +388,7 @@ int ptrace_readdata(struct task_struct *
69574 break;
69575 return -EIO;
69576 }
69577 - if (copy_to_user(dst, buf, retval))
69578 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
69579 return -EFAULT;
69580 copied += retval;
69581 src += retval;
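Review bot: The new bound `retval > sizeof(buf)` compares an `int` (declared as `int this_len, retval;` in the previous hunk) with a `size_t`, so a negative `retval` is rejected only because it converts to a very large unsigned value. Stating the intent, `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`, keeps the guard correct if someone later "fixes" the sign-compare warning, and makes clear that it protects the 128-byte stack buffer from being over-read into user space. A short comment that this is a defensive check on the length returned by the read above the hunk would also help. ptrace_readdata continues past this hunk.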
69582 @@ -387,6 +402,8 @@ int ptrace_writedata(struct task_struct
69583 {
69584 int copied = 0;
69585
69586 + pax_track_stack();
69587 +
69588 while (len > 0) {
69589 char buf[128];
69590 int this_len, retval;
69591 @@ -569,9 +586,11 @@ int ptrace_request(struct task_struct *c
69592 {
69593 int ret = -EIO;
69594 siginfo_t siginfo;
69595 - void __user *datavp = (void __user *) data;
69596 + void __user *datavp = (__force void __user *) data;
69597 unsigned long __user *datalp = datavp;
69598
69599 + pax_track_stack();
69600 +
69601 switch (request) {
69602 case PTRACE_PEEKTEXT:
69603 case PTRACE_PEEKDATA:
69604 @@ -717,14 +736,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
69605 goto out;
69606 }
69607
69608 + if (gr_handle_ptrace(child, request)) {
69609 + ret = -EPERM;
69610 + goto out_put_task_struct;
69611 + }
69612 +
69613 if (request == PTRACE_ATTACH) {
69614 ret = ptrace_attach(child);
69615 /*
69616 * Some architectures need to do book-keeping after
69617 * a ptrace attach.
69618 */
69619 - if (!ret)
69620 + if (!ret) {
69621 arch_ptrace_attach(child);
69622 + gr_audit_ptrace(child);
69623 + }
69624 goto out_put_task_struct;
69625 }
69626
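Review bot: The `gr_handle_ptrace()` gate and the `gr_audit_ptrace()` call are pasted identically into compat_sys_ptrace in the last hunk of this file, so the native and compat entry points can drift apart if only one is edited later. A mismatch would leave one ABI without the policy check. At minimum add `/* keep in sync with compat_sys_ptrace() */` above the `gr_handle_ptrace()` test and the mirror comment in the compat path; a small static helper wrapping the check would be sturdier. The syscall body starts and ends outside this hunk.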
69627 @@ -749,7 +775,7 @@ int generic_ptrace_peekdata(struct task_
69628 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
69629 if (copied != sizeof(tmp))
69630 return -EIO;
69631 - return put_user(tmp, (unsigned long __user *)data);
69632 + return put_user(tmp, (__force unsigned long __user *)data);
69633 }
69634
69635 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
69636 @@ -772,6 +798,8 @@ int compat_ptrace_request(struct task_st
69637 siginfo_t siginfo;
69638 int ret;
69639
69640 + pax_track_stack();
69641 +
69642 switch (request) {
69643 case PTRACE_PEEKTEXT:
69644 case PTRACE_PEEKDATA:
69645 @@ -859,14 +887,21 @@ asmlinkage long compat_sys_ptrace(compat
69646 goto out;
69647 }
69648
69649 + if (gr_handle_ptrace(child, request)) {
69650 + ret = -EPERM;
69651 + goto out_put_task_struct;
69652 + }
69653 +
69654 if (request == PTRACE_ATTACH) {
69655 ret = ptrace_attach(child);
69656 /*
69657 * Some architectures need to do book-keeping after
69658 * a ptrace attach.
69659 */
69660 - if (!ret)
69661 + if (!ret) {
69662 arch_ptrace_attach(child);
69663 + gr_audit_ptrace(child);
69664 + }
69665 goto out_put_task_struct;
69666 }
69667
69668 diff -urNp linux-2.6.39.1/kernel/rcutorture.c linux-2.6.39.1/kernel/rcutorture.c
69669 --- linux-2.6.39.1/kernel/rcutorture.c 2011-05-19 00:06:34.000000000 -0400
69670 +++ linux-2.6.39.1/kernel/rcutorture.c 2011-05-22 19:36:33.000000000 -0400
69671 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
69672 { 0 };
69673 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
69674 { 0 };
69675 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69676 -static atomic_t n_rcu_torture_alloc;
69677 -static atomic_t n_rcu_torture_alloc_fail;
69678 -static atomic_t n_rcu_torture_free;
69679 -static atomic_t n_rcu_torture_mberror;
69680 -static atomic_t n_rcu_torture_error;
69681 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69682 +static atomic_unchecked_t n_rcu_torture_alloc;
69683 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
69684 +static atomic_unchecked_t n_rcu_torture_free;
69685 +static atomic_unchecked_t n_rcu_torture_mberror;
69686 +static atomic_unchecked_t n_rcu_torture_error;
69687 static long n_rcu_torture_boost_ktrerror;
69688 static long n_rcu_torture_boost_rterror;
69689 static long n_rcu_torture_boost_allocerror;
69690 @@ -225,11 +225,11 @@ rcu_torture_alloc(void)
69691
69692 spin_lock_bh(&rcu_torture_lock);
69693 if (list_empty(&rcu_torture_freelist)) {
69694 - atomic_inc(&n_rcu_torture_alloc_fail);
69695 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
69696 spin_unlock_bh(&rcu_torture_lock);
69697 return NULL;
69698 }
69699 - atomic_inc(&n_rcu_torture_alloc);
69700 + atomic_inc_unchecked(&n_rcu_torture_alloc);
69701 p = rcu_torture_freelist.next;
69702 list_del_init(p);
69703 spin_unlock_bh(&rcu_torture_lock);
69704 @@ -242,7 +242,7 @@ rcu_torture_alloc(void)
69705 static void
69706 rcu_torture_free(struct rcu_torture *p)
69707 {
69708 - atomic_inc(&n_rcu_torture_free);
69709 + atomic_inc_unchecked(&n_rcu_torture_free);
69710 spin_lock_bh(&rcu_torture_lock);
69711 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
69712 spin_unlock_bh(&rcu_torture_lock);
69713 @@ -362,7 +362,7 @@ rcu_torture_cb(struct rcu_head *p)
69714 i = rp->rtort_pipe_count;
69715 if (i > RCU_TORTURE_PIPE_LEN)
69716 i = RCU_TORTURE_PIPE_LEN;
69717 - atomic_inc(&rcu_torture_wcount[i]);
69718 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69719 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69720 rp->rtort_mbtest = 0;
69721 rcu_torture_free(rp);
69722 @@ -409,7 +409,7 @@ static void rcu_sync_torture_deferred_fr
69723 i = rp->rtort_pipe_count;
69724 if (i > RCU_TORTURE_PIPE_LEN)
69725 i = RCU_TORTURE_PIPE_LEN;
69726 - atomic_inc(&rcu_torture_wcount[i]);
69727 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69728 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69729 rp->rtort_mbtest = 0;
69730 list_del(&rp->rtort_free);
69731 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
69732 i = old_rp->rtort_pipe_count;
69733 if (i > RCU_TORTURE_PIPE_LEN)
69734 i = RCU_TORTURE_PIPE_LEN;
69735 - atomic_inc(&rcu_torture_wcount[i]);
69736 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69737 old_rp->rtort_pipe_count++;
69738 cur_ops->deferred_free(old_rp);
69739 }
69740 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
69741 return;
69742 }
69743 if (p->rtort_mbtest == 0)
69744 - atomic_inc(&n_rcu_torture_mberror);
69745 + atomic_inc_unchecked(&n_rcu_torture_mberror);
69746 spin_lock(&rand_lock);
69747 cur_ops->read_delay(&rand);
69748 n_rcu_torture_timers++;
69749 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
69750 continue;
69751 }
69752 if (p->rtort_mbtest == 0)
69753 - atomic_inc(&n_rcu_torture_mberror);
69754 + atomic_inc_unchecked(&n_rcu_torture_mberror);
69755 cur_ops->read_delay(&rand);
69756 preempt_disable();
69757 pipe_count = p->rtort_pipe_count;
69758 @@ -1072,10 +1072,10 @@ rcu_torture_printk(char *page)
69759 rcu_torture_current,
69760 rcu_torture_current_version,
69761 list_empty(&rcu_torture_freelist),
69762 - atomic_read(&n_rcu_torture_alloc),
69763 - atomic_read(&n_rcu_torture_alloc_fail),
69764 - atomic_read(&n_rcu_torture_free),
69765 - atomic_read(&n_rcu_torture_mberror),
69766 + atomic_read_unchecked(&n_rcu_torture_alloc),
69767 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
69768 + atomic_read_unchecked(&n_rcu_torture_free),
69769 + atomic_read_unchecked(&n_rcu_torture_mberror),
69770 n_rcu_torture_boost_ktrerror,
69771 n_rcu_torture_boost_rterror,
69772 n_rcu_torture_boost_allocerror,
69773 @@ -1083,7 +1083,7 @@ rcu_torture_printk(char *page)
69774 n_rcu_torture_boost_failure,
69775 n_rcu_torture_boosts,
69776 n_rcu_torture_timers);
69777 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
69778 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
69779 n_rcu_torture_boost_ktrerror != 0 ||
69780 n_rcu_torture_boost_rterror != 0 ||
69781 n_rcu_torture_boost_allocerror != 0 ||
69782 @@ -1093,7 +1093,7 @@ rcu_torture_printk(char *page)
69783 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
69784 if (i > 1) {
69785 cnt += sprintf(&page[cnt], "!!! ");
69786 - atomic_inc(&n_rcu_torture_error);
69787 + atomic_inc_unchecked(&n_rcu_torture_error);
69788 WARN_ON_ONCE(1);
69789 }
69790 cnt += sprintf(&page[cnt], "Reader Pipe: ");
69791 @@ -1107,7 +1107,7 @@ rcu_torture_printk(char *page)
69792 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
69793 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
69794 cnt += sprintf(&page[cnt], " %d",
69795 - atomic_read(&rcu_torture_wcount[i]));
69796 + atomic_read_unchecked(&rcu_torture_wcount[i]));
69797 }
69798 cnt += sprintf(&page[cnt], "\n");
69799 if (cur_ops->stats)
69800 @@ -1415,7 +1415,7 @@ rcu_torture_cleanup(void)
69801
69802 if (cur_ops->cleanup)
69803 cur_ops->cleanup();
69804 - if (atomic_read(&n_rcu_torture_error))
69805 + if (atomic_read_unchecked(&n_rcu_torture_error))
69806 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
69807 else
69808 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
69809 @@ -1479,11 +1479,11 @@ rcu_torture_init(void)
69810
69811 rcu_torture_current = NULL;
69812 rcu_torture_current_version = 0;
69813 - atomic_set(&n_rcu_torture_alloc, 0);
69814 - atomic_set(&n_rcu_torture_alloc_fail, 0);
69815 - atomic_set(&n_rcu_torture_free, 0);
69816 - atomic_set(&n_rcu_torture_mberror, 0);
69817 - atomic_set(&n_rcu_torture_error, 0);
69818 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
69819 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
69820 + atomic_set_unchecked(&n_rcu_torture_free, 0);
69821 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
69822 + atomic_set_unchecked(&n_rcu_torture_error, 0);
69823 n_rcu_torture_boost_ktrerror = 0;
69824 n_rcu_torture_boost_rterror = 0;
69825 n_rcu_torture_boost_allocerror = 0;
69826 @@ -1491,7 +1491,7 @@ rcu_torture_init(void)
69827 n_rcu_torture_boost_failure = 0;
69828 n_rcu_torture_boosts = 0;
69829 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
69830 - atomic_set(&rcu_torture_wcount[i], 0);
69831 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
69832 for_each_possible_cpu(cpu) {
69833 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
69834 per_cpu(rcu_torture_count, cpu)[i] = 0;
69835 diff -urNp linux-2.6.39.1/kernel/rcutree.c linux-2.6.39.1/kernel/rcutree.c
69836 --- linux-2.6.39.1/kernel/rcutree.c 2011-05-19 00:06:34.000000000 -0400
69837 +++ linux-2.6.39.1/kernel/rcutree.c 2011-05-22 19:36:33.000000000 -0400
69838 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
69839 /*
69840 * Do softirq processing for the current CPU.
69841 */
69842 -static void rcu_process_callbacks(struct softirq_action *unused)
69843 +static void rcu_process_callbacks(void)
69844 {
69845 /*
69846 * Memory references from any prior RCU read-side critical sections
69847 diff -urNp linux-2.6.39.1/kernel/rcutree_plugin.h linux-2.6.39.1/kernel/rcutree_plugin.h
69848 --- linux-2.6.39.1/kernel/rcutree_plugin.h 2011-05-19 00:06:34.000000000 -0400
69849 +++ linux-2.6.39.1/kernel/rcutree_plugin.h 2011-05-22 19:36:33.000000000 -0400
69850 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
69851
69852 /* Clean up and exit. */
69853 smp_mb(); /* ensure expedited GP seen before counter increment. */
69854 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
69855 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
69856 unlock_mb_ret:
69857 mutex_unlock(&sync_rcu_preempt_exp_mutex);
69858 mb_ret:
69859 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
69860
69861 #else /* #ifndef CONFIG_SMP */
69862
69863 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
69864 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
69865 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
69866 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
69867
69868 static int synchronize_sched_expedited_cpu_stop(void *data)
69869 {
69870 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
69871 int firstsnap, s, snap, trycount = 0;
69872
69873 /* Note that atomic_inc_return() implies full memory barrier. */
69874 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
69875 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
69876 get_online_cpus();
69877
69878 /*
69879 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
69880 }
69881
69882 /* Check to see if someone else did our work for us. */
69883 - s = atomic_read(&sync_sched_expedited_done);
69884 + s = atomic_read_unchecked(&sync_sched_expedited_done);
69885 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
69886 smp_mb(); /* ensure test happens before caller kfree */
69887 return;
69888 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
69889 * grace period works for us.
69890 */
69891 get_online_cpus();
69892 - snap = atomic_read(&sync_sched_expedited_started) - 1;
69893 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
69894 smp_mb(); /* ensure read is before try_stop_cpus(). */
69895 }
69896
69897 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
69898 * than we did beat us to the punch.
69899 */
69900 do {
69901 - s = atomic_read(&sync_sched_expedited_done);
69902 + s = atomic_read_unchecked(&sync_sched_expedited_done);
69903 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
69904 smp_mb(); /* ensure test happens before caller kfree */
69905 break;
69906 }
69907 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
69908 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
69909
69910 put_online_cpus();
69911 }
69912 diff -urNp linux-2.6.39.1/kernel/relay.c linux-2.6.39.1/kernel/relay.c
69913 --- linux-2.6.39.1/kernel/relay.c 2011-05-19 00:06:34.000000000 -0400
69914 +++ linux-2.6.39.1/kernel/relay.c 2011-05-22 19:36:33.000000000 -0400
69915 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
69916 };
69917 ssize_t ret;
69918
69919 + pax_track_stack();
69920 +
69921 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
69922 return 0;
69923 if (splice_grow_spd(pipe, &spd))
69924 diff -urNp linux-2.6.39.1/kernel/resource.c linux-2.6.39.1/kernel/resource.c
69925 --- linux-2.6.39.1/kernel/resource.c 2011-05-19 00:06:34.000000000 -0400
69926 +++ linux-2.6.39.1/kernel/resource.c 2011-05-22 19:41:42.000000000 -0400
69927 @@ -133,8 +133,18 @@ static const struct file_operations proc
69928
69929 static int __init ioresources_init(void)
69930 {
69931 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
69932 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69933 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
69934 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
69935 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69936 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
69937 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
69938 +#endif
69939 +#else
69940 proc_create("ioports", 0, NULL, &proc_ioports_operations);
69941 proc_create("iomem", 0, NULL, &proc_iomem_operations);
69942 +#endif
69943 return 0;
69944 }
69945 __initcall(ioresources_init);
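Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP defined, the inner `#ifdef`/`#elif` has no fallback, so ioresources_init() creates neither /proc/ioports nor /proc/iomem and still returns 0. Kconfig dependencies may rule that combination out, but nothing here says so. An inner `#else` that either fails the build (`#error` with a message naming the two options) or falls back to the `S_IRUSR` pair would make the behaviour explicit. A one-line comment that the restricted modes exist to keep the physical memory layout away from unprivileged readers would also help the next maintainer.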
69946 diff -urNp linux-2.6.39.1/kernel/rtmutex-tester.c linux-2.6.39.1/kernel/rtmutex-tester.c
69947 --- linux-2.6.39.1/kernel/rtmutex-tester.c 2011-05-19 00:06:34.000000000 -0400
69948 +++ linux-2.6.39.1/kernel/rtmutex-tester.c 2011-05-22 19:36:33.000000000 -0400
69949 @@ -20,7 +20,7 @@
69950 #define MAX_RT_TEST_MUTEXES 8
69951
69952 static spinlock_t rttest_lock;
69953 -static atomic_t rttest_event;
69954 +static atomic_unchecked_t rttest_event;
69955
69956 struct test_thread_data {
69957 int opcode;
69958 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
69959
69960 case RTTEST_LOCKCONT:
69961 td->mutexes[td->opdata] = 1;
69962 - td->event = atomic_add_return(1, &rttest_event);
69963 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69964 return 0;
69965
69966 case RTTEST_RESET:
69967 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
69968 return 0;
69969
69970 case RTTEST_RESETEVENT:
69971 - atomic_set(&rttest_event, 0);
69972 + atomic_set_unchecked(&rttest_event, 0);
69973 return 0;
69974
69975 default:
69976 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
69977 return ret;
69978
69979 td->mutexes[id] = 1;
69980 - td->event = atomic_add_return(1, &rttest_event);
69981 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69982 rt_mutex_lock(&mutexes[id]);
69983 - td->event = atomic_add_return(1, &rttest_event);
69984 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69985 td->mutexes[id] = 4;
69986 return 0;
69987
69988 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
69989 return ret;
69990
69991 td->mutexes[id] = 1;
69992 - td->event = atomic_add_return(1, &rttest_event);
69993 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69994 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
69995 - td->event = atomic_add_return(1, &rttest_event);
69996 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69997 td->mutexes[id] = ret ? 0 : 4;
69998 return ret ? -EINTR : 0;
69999
70000 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
70001 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70002 return ret;
70003
70004 - td->event = atomic_add_return(1, &rttest_event);
70005 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70006 rt_mutex_unlock(&mutexes[id]);
70007 - td->event = atomic_add_return(1, &rttest_event);
70008 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70009 td->mutexes[id] = 0;
70010 return 0;
70011
70012 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
70013 break;
70014
70015 td->mutexes[dat] = 2;
70016 - td->event = atomic_add_return(1, &rttest_event);
70017 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70018 break;
70019
70020 default:
70021 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
70022 return;
70023
70024 td->mutexes[dat] = 3;
70025 - td->event = atomic_add_return(1, &rttest_event);
70026 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70027 break;
70028
70029 case RTTEST_LOCKNOWAIT:
70030 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
70031 return;
70032
70033 td->mutexes[dat] = 1;
70034 - td->event = atomic_add_return(1, &rttest_event);
70035 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70036 return;
70037
70038 default:
70039 diff -urNp linux-2.6.39.1/kernel/sched_autogroup.c linux-2.6.39.1/kernel/sched_autogroup.c
70040 --- linux-2.6.39.1/kernel/sched_autogroup.c 2011-05-19 00:06:34.000000000 -0400
70041 +++ linux-2.6.39.1/kernel/sched_autogroup.c 2011-05-22 19:36:33.000000000 -0400
70042 @@ -7,7 +7,7 @@
70043
70044 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
70045 static struct autogroup autogroup_default;
70046 -static atomic_t autogroup_seq_nr;
70047 +static atomic_unchecked_t autogroup_seq_nr;
70048
70049 static void __init autogroup_init(struct task_struct *init_task)
70050 {
70051 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
70052
70053 kref_init(&ag->kref);
70054 init_rwsem(&ag->lock);
70055 - ag->id = atomic_inc_return(&autogroup_seq_nr);
70056 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
70057 ag->tg = tg;
70058 #ifdef CONFIG_RT_GROUP_SCHED
70059 /*
70060 diff -urNp linux-2.6.39.1/kernel/sched.c linux-2.6.39.1/kernel/sched.c
70061 --- linux-2.6.39.1/kernel/sched.c 2011-05-19 00:06:34.000000000 -0400
70062 +++ linux-2.6.39.1/kernel/sched.c 2011-05-23 17:07:00.000000000 -0400
70063 @@ -4078,6 +4078,8 @@ asmlinkage void __sched schedule(void)
70064 struct rq *rq;
70065 int cpu;
70066
70067 + pax_track_stack();
70068 +
70069 need_resched:
70070 preempt_disable();
70071 cpu = smp_processor_id();
70072 @@ -4165,7 +4167,7 @@ EXPORT_SYMBOL(schedule);
70073 * Look out! "owner" is an entirely speculative pointer
70074 * access and not reliable.
70075 */
70076 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70077 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70078 {
70079 unsigned int cpu;
70080 struct rq *rq;
70081 @@ -4179,10 +4181,10 @@ int mutex_spin_on_owner(struct mutex *lo
70082 * DEBUG_PAGEALLOC could have unmapped it if
70083 * the mutex owner just released it and exited.
70084 */
70085 - if (probe_kernel_address(&owner->cpu, cpu))
70086 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70087 return 0;
70088 #else
70089 - cpu = owner->cpu;
70090 + cpu = task_thread_info(owner)->cpu;
70091 #endif
70092
70093 /*
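Review bot: `&task_thread_info(owner)->cpu` must evaluate task_thread_info(owner) before probe_kernel_address() runs. If that accessor reads a field of `owner` (the generic definition is `(task)->stack`), the speculative pointer is dereferenced unguarded in exactly the DEBUG_PAGEALLOC case the comment above warns about. Before this change the probed address was derived from `owner` by pointer arithmetic alone. Probing the intermediate load as well, e.g. `probe_kernel_address(&owner->stack, ti) || probe_kernel_address(&ti->cpu, cpu)`, would keep both reads guarded; adjust to however this tree defines task_thread_info(). The function starts and ends outside this hunk.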
70094 @@ -4219,7 +4221,7 @@ int mutex_spin_on_owner(struct mutex *lo
70095 /*
70096 * Is that owner really running on that cpu?
70097 */
70098 - if (task_thread_info(rq->curr) != owner || need_resched())
70099 + if (rq->curr != owner || need_resched())
70100 return 0;
70101
70102 arch_mutex_cpu_relax();
70103 @@ -4778,6 +4780,8 @@ int can_nice(const struct task_struct *p
70104 /* convert nice value [19,-20] to rlimit style value [1,40] */
70105 int nice_rlim = 20 - nice;
70106
70107 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70108 +
70109 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
70110 capable(CAP_SYS_NICE));
70111 }
70112 @@ -4811,7 +4815,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70113 if (nice > 19)
70114 nice = 19;
70115
70116 - if (increment < 0 && !can_nice(current, nice))
70117 + if (increment < 0 && (!can_nice(current, nice) ||
70118 + gr_handle_chroot_nice()))
70119 return -EPERM;
70120
70121 retval = security_task_setnice(current, nice);
70122 @@ -4957,6 +4962,7 @@ recheck:
70123 unsigned long rlim_rtprio =
70124 task_rlimit(p, RLIMIT_RTPRIO);
70125
70126 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
70127 /* can't set/change the rt policy */
70128 if (policy != p->policy && !rlim_rtprio)
70129 return -EPERM;
70130 @@ -7164,7 +7170,7 @@ static void init_sched_groups_power(int
70131 long power;
70132 int weight;
70133
70134 - WARN_ON(!sd || !sd->groups);
70135 + BUG_ON(!sd || !sd->groups);
70136
70137 if (cpu != group_first_cpu(sd->groups))
70138 return;
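Review bot: Replacing `WARN_ON(!sd || !sd->groups)` with `BUG_ON` makes a missing sched domain fatal, and nothing records why. The following statement dereferences `sd->groups`, so refusing to continue into a NULL dereference is a defensible hardening choice. However, `if (WARN_ON(!sd || !sd->groups)) return;` would avoid the dereference without halting the machine. If halting is the intent, a comment such as `/* never continue into a NULL sd dereference */` would say so. init_sched_groups_power continues beyond this hunk.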
70139 diff -urNp linux-2.6.39.1/kernel/sched_fair.c linux-2.6.39.1/kernel/sched_fair.c
70140 --- linux-2.6.39.1/kernel/sched_fair.c 2011-05-19 00:06:34.000000000 -0400
70141 +++ linux-2.6.39.1/kernel/sched_fair.c 2011-05-22 19:36:33.000000000 -0400
70142 @@ -3999,7 +3999,7 @@ static void nohz_idle_balance(int this_c
70143 * run_rebalance_domains is triggered when needed from the scheduler tick.
70144 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
70145 */
70146 -static void run_rebalance_domains(struct softirq_action *h)
70147 +static void run_rebalance_domains(void)
70148 {
70149 int this_cpu = smp_processor_id();
70150 struct rq *this_rq = cpu_rq(this_cpu);
70151 diff -urNp linux-2.6.39.1/kernel/signal.c linux-2.6.39.1/kernel/signal.c
70152 --- linux-2.6.39.1/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
70153 +++ linux-2.6.39.1/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
70154 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
70155
70156 int print_fatal_signals __read_mostly;
70157
70158 -static void __user *sig_handler(struct task_struct *t, int sig)
70159 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
70160 {
70161 return t->sighand->action[sig - 1].sa.sa_handler;
70162 }
70163
70164 -static int sig_handler_ignored(void __user *handler, int sig)
70165 +static int sig_handler_ignored(__sighandler_t handler, int sig)
70166 {
70167 /* Is it explicitly or implicitly ignored? */
70168 return handler == SIG_IGN ||
70169 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
70170 static int sig_task_ignored(struct task_struct *t, int sig,
70171 int from_ancestor_ns)
70172 {
70173 - void __user *handler;
70174 + __sighandler_t handler;
70175
70176 handler = sig_handler(t, sig);
70177
70178 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
70179 atomic_inc(&user->sigpending);
70180 rcu_read_unlock();
70181
70182 + if (!override_rlimit)
70183 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70184 +
70185 if (override_rlimit ||
70186 atomic_read(&user->sigpending) <=
70187 task_rlimit(t, RLIMIT_SIGPENDING)) {
70188 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
70189
70190 int unhandled_signal(struct task_struct *tsk, int sig)
70191 {
70192 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70193 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70194 if (is_global_init(tsk))
70195 return 1;
70196 if (handler != SIG_IGN && handler != SIG_DFL)
70197 @@ -693,6 +696,9 @@ static int check_kill_permission(int sig
70198 }
70199 }
70200
70201 + if (gr_handle_signal(t, sig))
70202 + return -EPERM;
70203 +
70204 return security_task_kill(t, info, sig, 0);
70205 }
70206
70207 @@ -1041,7 +1047,7 @@ __group_send_sig_info(int sig, struct si
70208 return send_signal(sig, info, p, 1);
70209 }
70210
70211 -static int
70212 +int
70213 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70214 {
70215 return send_signal(sig, info, t, 0);
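Review bot: specific_send_sig_info() loses `static` here without gaining a comment on its locking contract. The caller visible in this file section, force_sig_info(), invokes it between `spin_lock_irqsave(&t->sighand->siglock, flags)` and the matching unlock, so new external callers presumably need to hold the siglock too. Adding `/* caller must hold t->sighand->siglock */` above the definition would state that, to be confirmed against send_signal(). The new users also need a prototype in a header, which is not part of this hunk.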
70216 @@ -1078,6 +1084,7 @@ force_sig_info(int sig, struct siginfo *
70217 unsigned long int flags;
70218 int ret, blocked, ignored;
70219 struct k_sigaction *action;
70220 + int is_unhandled = 0;
70221
70222 spin_lock_irqsave(&t->sighand->siglock, flags);
70223 action = &t->sighand->action[sig-1];
70224 @@ -1092,9 +1099,18 @@ force_sig_info(int sig, struct siginfo *
70225 }
70226 if (action->sa.sa_handler == SIG_DFL)
70227 t->signal->flags &= ~SIGNAL_UNKILLABLE;
70228 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70229 + is_unhandled = 1;
70230 ret = specific_send_sig_info(sig, info, t);
70231 spin_unlock_irqrestore(&t->sighand->siglock, flags);
70232
70233 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
70234 + normal operation */
70235 + if (is_unhandled) {
70236 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70237 + gr_handle_crash(t, sig);
70238 + }
70239 +
70240 return ret;
70241 }
70242
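Review bot: `info->si_addr` is handed to gr_log_signal() for every signal number, but si_addr is a union member that is only meaningful for fault-type signals. For other signals the same bytes hold different siginfo fields and would be logged as if they were an address. The same expression appears in the group_send_sig_info hunk that follows, where signals sent by kill() are the common case. Unless gr_log_signal() filters on `sig` itself (not visible here), gate the argument on the signal number, e.g. pass si_addr only when `sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGFPE` and NULL otherwise. force_sig_info starts above this hunk.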
70243 @@ -1153,8 +1169,11 @@ int group_send_sig_info(int sig, struct
70244 ret = check_kill_permission(sig, info, p);
70245 rcu_read_unlock();
70246
70247 - if (!ret && sig)
70248 + if (!ret && sig) {
70249 ret = do_send_sig_info(sig, info, p, true);
70250 + if (!ret)
70251 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70252 + }
70253
70254 return ret;
70255 }
70256 @@ -1718,6 +1737,8 @@ void ptrace_notify(int exit_code)
70257 {
70258 siginfo_t info;
70259
70260 + pax_track_stack();
70261 +
70262 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70263
70264 memset(&info, 0, sizeof info);
70265 diff -urNp linux-2.6.39.1/kernel/smp.c linux-2.6.39.1/kernel/smp.c
70266 --- linux-2.6.39.1/kernel/smp.c 2011-05-19 00:06:34.000000000 -0400
70267 +++ linux-2.6.39.1/kernel/smp.c 2011-05-22 19:36:33.000000000 -0400
70268 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
70269 }
70270 EXPORT_SYMBOL(smp_call_function);
70271
70272 -void ipi_call_lock(void)
70273 +void ipi_call_lock(void) __acquires(call_function.lock)
70274 {
70275 raw_spin_lock(&call_function.lock);
70276 }
70277
70278 -void ipi_call_unlock(void)
70279 +void ipi_call_unlock(void) __releases(call_function.lock)
70280 {
70281 raw_spin_unlock(&call_function.lock);
70282 }
70283
70284 -void ipi_call_lock_irq(void)
70285 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
70286 {
70287 raw_spin_lock_irq(&call_function.lock);
70288 }
70289
70290 -void ipi_call_unlock_irq(void)
70291 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
70292 {
70293 raw_spin_unlock_irq(&call_function.lock);
70294 }
70295 diff -urNp linux-2.6.39.1/kernel/softirq.c linux-2.6.39.1/kernel/softirq.c
70296 --- linux-2.6.39.1/kernel/softirq.c 2011-05-19 00:06:34.000000000 -0400
70297 +++ linux-2.6.39.1/kernel/softirq.c 2011-05-22 19:36:33.000000000 -0400
70298 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70299
70300 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70301
70302 -char *softirq_to_name[NR_SOFTIRQS] = {
70303 +const char * const softirq_to_name[NR_SOFTIRQS] = {
70304 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70305 "TASKLET", "SCHED", "HRTIMER", "RCU"
70306 };
70307 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70308
70309 asmlinkage void __do_softirq(void)
70310 {
70311 - struct softirq_action *h;
70312 + const struct softirq_action *h;
70313 __u32 pending;
70314 int max_restart = MAX_SOFTIRQ_RESTART;
70315 int cpu;
70316 @@ -235,7 +235,7 @@ restart:
70317 kstat_incr_softirqs_this_cpu(vec_nr);
70318
70319 trace_softirq_entry(vec_nr);
70320 - h->action(h);
70321 + h->action();
70322 trace_softirq_exit(vec_nr);
70323 if (unlikely(prev_count != preempt_count())) {
70324 printk(KERN_ERR "huh, entered softirq %u %s %p"
70325 @@ -377,7 +377,7 @@ void raise_softirq(unsigned int nr)
70326 local_irq_restore(flags);
70327 }
70328
70329 -void open_softirq(int nr, void (*action)(struct softirq_action *))
70330 +void open_softirq(int nr, void (*action)(void))
70331 {
70332 softirq_vec[nr].action = action;
70333 }
70334 @@ -433,7 +433,7 @@ void __tasklet_hi_schedule_first(struct
70335
70336 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70337
70338 -static void tasklet_action(struct softirq_action *a)
70339 +static void tasklet_action(void)
70340 {
70341 struct tasklet_struct *list;
70342
70343 @@ -468,7 +468,7 @@ static void tasklet_action(struct softir
70344 }
70345 }
70346
70347 -static void tasklet_hi_action(struct softirq_action *a)
70348 +static void tasklet_hi_action(void)
70349 {
70350 struct tasklet_struct *list;
70351
70352 diff -urNp linux-2.6.39.1/kernel/sys.c linux-2.6.39.1/kernel/sys.c
70353 --- linux-2.6.39.1/kernel/sys.c 2011-05-19 00:06:34.000000000 -0400
70354 +++ linux-2.6.39.1/kernel/sys.c 2011-05-22 21:08:10.000000000 -0400
70355 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
70356 error = -EACCES;
70357 goto out;
70358 }
70359 +
70360 + if (gr_handle_chroot_setpriority(p, niceval)) {
70361 + error = -EACCES;
70362 + goto out;
70363 + }
70364 +
70365 no_nice = security_task_setnice(p, niceval);
70366 if (no_nice) {
70367 error = no_nice;
70368 @@ -538,6 +544,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70369 goto error;
70370 }
70371
70372 + if (gr_check_group_change(new->gid, new->egid, -1))
70373 + goto error;
70374 +
70375 if (rgid != (gid_t) -1 ||
70376 (egid != (gid_t) -1 && egid != old->gid))
70377 new->sgid = new->egid;
70378 @@ -567,6 +576,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70379 old = current_cred();
70380
70381 retval = -EPERM;
70382 +
70383 + if (gr_check_group_change(gid, gid, gid))
70384 + goto error;
70385 +
70386 if (nsown_capable(CAP_SETGID))
70387 new->gid = new->egid = new->sgid = new->fsgid = gid;
70388 else if (gid == old->gid || gid == old->sgid)
70389 @@ -647,6 +660,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70390 goto error;
70391 }
70392
70393 + if (gr_check_user_change(new->uid, new->euid, -1))
70394 + goto error;
70395 +
70396 if (new->uid != old->uid) {
70397 retval = set_user(new);
70398 if (retval < 0)
70399 @@ -691,6 +707,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70400 old = current_cred();
70401
70402 retval = -EPERM;
70403 +
70404 + if (gr_check_crash_uid(uid))
70405 + goto error;
70406 + if (gr_check_user_change(uid, uid, uid))
70407 + goto error;
70408 +
70409 if (nsown_capable(CAP_SETUID)) {
70410 new->suid = new->uid = uid;
70411 if (uid != old->uid) {
70412 @@ -745,6 +767,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70413 goto error;
70414 }
70415
70416 + if (gr_check_user_change(ruid, euid, -1))
70417 + goto error;
70418 +
70419 if (ruid != (uid_t) -1) {
70420 new->uid = ruid;
70421 if (ruid != old->uid) {
70422 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70423 goto error;
70424 }
70425
70426 + if (gr_check_group_change(rgid, egid, -1))
70427 + goto error;
70428 +
70429 if (rgid != (gid_t) -1)
70430 new->gid = rgid;
70431 if (egid != (gid_t) -1)
70432 @@ -855,6 +883,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70433 old = current_cred();
70434 old_fsuid = old->fsuid;
70435
70436 + if (gr_check_user_change(-1, -1, uid))
70437 + goto error;
70438 +
70439 if (uid == old->uid || uid == old->euid ||
70440 uid == old->suid || uid == old->fsuid ||
70441 nsown_capable(CAP_SETUID)) {
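Review bot: The added `gr_check_user_change(-1, -1, uid)` runs before the `uid == old->uid || ... || nsown_capable(CAP_SETUID)` test, while the matching `gr_check_group_change(-1, -1, gid)` in the setfsgid hunk further down sits inside that test. If the hook logs or counts denials (its body is not visible here), setfsuid would report requests that the stock permission check rejects anyway, and the two syscalls would audit differently. Making the call the first statement inside the `if` block, as setfsgid does, keeps them parallel: `if (gr_check_user_change(-1, -1, uid)) goto error;`. The body of setfsuid starts and ends outside this hunk.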
70442 @@ -865,6 +896,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70443 }
70444 }
70445
70446 +error:
70447 abort_creds(new);
70448 return old_fsuid;
70449
70450 @@ -891,12 +923,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70451 if (gid == old->gid || gid == old->egid ||
70452 gid == old->sgid || gid == old->fsgid ||
70453 nsown_capable(CAP_SETGID)) {
70454 + if (gr_check_group_change(-1, -1, gid))
70455 + goto error;
70456 +
70457 if (gid != old_fsgid) {
70458 new->fsgid = gid;
70459 goto change_okay;
70460 }
70461 }
70462
70463 +error:
70464 abort_creds(new);
70465 return old_fsgid;
70466
70467 @@ -1643,7 +1679,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70468 error = get_dumpable(me->mm);
70469 break;
70470 case PR_SET_DUMPABLE:
70471 - if (arg2 < 0 || arg2 > 1) {
70472 + if (arg2 > 1) {
70473 error = -EINVAL;
70474 break;
70475 }
70476 diff -urNp linux-2.6.39.1/kernel/sysctl.c linux-2.6.39.1/kernel/sysctl.c
70477 --- linux-2.6.39.1/kernel/sysctl.c 2011-05-19 00:06:34.000000000 -0400
70478 +++ linux-2.6.39.1/kernel/sysctl.c 2011-05-22 20:23:10.000000000 -0400
70479 @@ -84,6 +84,13 @@
70480
70481
70482 #if defined(CONFIG_SYSCTL)
70483 +#include <linux/grsecurity.h>
70484 +#include <linux/grinternal.h>
70485 +
70486 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70487 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70488 + const int op);
70489 +extern int gr_handle_chroot_sysctl(const int op);
70490
70491 /* External variables not in a header file. */
70492 extern int sysctl_overcommit_memory;
70493 @@ -196,6 +203,7 @@ static int sysrq_sysctl_handler(ctl_tabl
70494 }
70495
70496 #endif
70497 +extern struct ctl_table grsecurity_table[];
70498
70499 static struct ctl_table root_table[];
70500 static struct ctl_table_root sysctl_table_root;
70501 @@ -225,6 +233,20 @@ extern struct ctl_table epoll_table[];
70502 int sysctl_legacy_va_layout;
70503 #endif
70504
70505 +#ifdef CONFIG_PAX_SOFTMODE
70506 +static ctl_table pax_table[] = {
70507 + {
70508 + .procname = "softmode",
70509 + .data = &pax_softmode,
70510 + .maxlen = sizeof(unsigned int),
70511 + .mode = 0600,
70512 + .proc_handler = &proc_dointvec,
70513 + },
70514 +
70515 + { }
70516 +};
70517 +#endif
70518 +
70519 /* The default sysctl tables: */
70520
70521 static struct ctl_table root_table[] = {
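Review bot: The `softmode` entry uses `proc_dointvec` with no bounds, so any integer a privileged writer supplies is stored in `pax_softmode`. If the variable is meant as an on/off switch (its declaration and readers are not in this hunk), range-limit it the way other entries in this file do: `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`. `.maxlen = sizeof(unsigned int)` paired with an int handler also suggests the variable is unsigned, which is worth confirming. A one-line comment above `pax_table` stating what the knob switches would help an auditor, since going by its name it changes enforcement mode at runtime.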
70522 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
70523 #endif
70524
70525 static struct ctl_table kern_table[] = {
70526 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
70527 + {
70528 + .procname = "grsecurity",
70529 + .mode = 0500,
70530 + .child = grsecurity_table,
70531 + },
70532 +#endif
70533 +
70534 +#ifdef CONFIG_PAX_SOFTMODE
70535 + {
70536 + .procname = "pax",
70537 + .mode = 0500,
70538 + .child = pax_table,
70539 + },
70540 +#endif
70541 +
70542 {
70543 .procname = "sched_child_runs_first",
70544 .data = &sysctl_sched_child_runs_first,
70545 @@ -545,7 +583,7 @@ static struct ctl_table kern_table[] = {
70546 .data = &modprobe_path,
70547 .maxlen = KMOD_PATH_LEN,
70548 .mode = 0644,
70549 - .proc_handler = proc_dostring,
70550 + .proc_handler = proc_dostring_modpriv,
70551 },
70552 {
70553 .procname = "modules_disabled",
70554 @@ -707,16 +745,20 @@ static struct ctl_table kern_table[] = {
70555 .extra1 = &zero,
70556 .extra2 = &one,
70557 },
70558 +#endif
70559 {
70560 .procname = "kptr_restrict",
70561 .data = &kptr_restrict,
70562 .maxlen = sizeof(int),
70563 .mode = 0644,
70564 .proc_handler = proc_dmesg_restrict,
70565 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70566 + .extra1 = &two,
70567 +#else
70568 .extra1 = &zero,
70569 +#endif
70570 .extra2 = &two,
70571 },
70572 -#endif
70573 {
70574 .procname = "ngroups_max",
70575 .data = &ngroups_max,
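Review bot: Under CONFIG_GRKERNSEC_HIDESYM both `.extra1` and `.extra2` point at `two`, which pins the accepted range to the single value 2, and without a comment a reader will take this for a typo. This assumes `proc_dmesg_restrict` applies them as min/max, which is not visible here. A comment on the added line would settle it: `/* HIDESYM: kptr_restrict is fixed at 2; writes of 0 or 1 are rejected */`. The `#endif` that moves from below the entry to above it also takes `kptr_restrict` out of a conditional block whose opening `#if` is outside the hunk, so it is worth confirming the entry is meant to exist in every configuration.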
70576 @@ -1189,6 +1231,13 @@ static struct ctl_table vm_table[] = {
70577 .proc_handler = proc_dointvec_minmax,
70578 .extra1 = &zero,
70579 },
70580 + {
70581 + .procname = "heap_stack_gap",
70582 + .data = &sysctl_heap_stack_gap,
70583 + .maxlen = sizeof(sysctl_heap_stack_gap),
70584 + .mode = 0644,
70585 + .proc_handler = proc_doulongvec_minmax,
70586 + },
70587 #else
70588 {
70589 .procname = "nr_trim_pages",
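Review bot: The new `heap_stack_gap` entry is handled by `proc_doulongvec_minmax` but sets neither `.extra1` nor `.extra2`, so any unsigned long can be written through a 0644 file, including 0. If a zero or very small gap defeats the purpose of the setting, give it a floor via `.extra1`. The consumer of `sysctl_heap_stack_gap` is not in this hunk, so this is inferred from the name. A short comment stating the unit (bytes or pages) would also help whoever tunes it.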
70590 @@ -1698,6 +1747,17 @@ static int test_perm(int mode, int op)
70591 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
70592 {
70593 int mode;
70594 + int error;
70595 +
70596 + if (table->parent != NULL && table->parent->procname != NULL &&
70597 + table->procname != NULL &&
70598 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
70599 + return -EACCES;
70600 + if (gr_handle_chroot_sysctl(op))
70601 + return -EACCES;
70602 + error = gr_handle_sysctl(table, op);
70603 + if (error)
70604 + return error;
70605
70606 if (root->permissions)
70607 mode = root->permissions(root, current->nsproxy, table);
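Review bot: `gr_handle_sysctl()` is declared a few hunks up as returning `__u32`, yet its result is stored in `int error` and returned from `sysctl_perm()` as an errno. That only works if the hook returns 0 or a negative errno squeezed through an unsigned type, which the prototype hides. Declaring it `int` like its two siblings, or documenting the return convention next to the `extern`, removes the guesswork. Separately, the three `gr_` prototypes are written by hand in sysctl.c right after `#include <linux/grinternal.h>`; keeping them in that header would let the compiler check each definition against its use. `sysctl_perm()` continues past the end of this hunk.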
70608 @@ -2102,6 +2162,16 @@ int proc_dostring(struct ctl_table *tabl
70609 buffer, lenp, ppos);
70610 }
70611
70612 +int proc_dostring_modpriv(struct ctl_table *table, int write,
70613 + void __user *buffer, size_t *lenp, loff_t *ppos)
70614 +{
70615 + if (write && !capable(CAP_SYS_MODULE))
70616 + return -EPERM;
70617 +
70618 + return _proc_do_string(table->data, table->maxlen, write,
70619 + buffer, lenp, ppos);
70620 +}
70621 +
70622 static size_t proc_skip_spaces(char **buf)
70623 {
70624 size_t ret;
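Review bot: `proc_dostring_modpriv()` has no comment saying why a string handler needs CAP_SYS_MODULE, and the only user visible in this patch section is `modprobe_path`, whose mode stays 0644. Suggest a header comment such as `/* like proc_dostring(), but writes require CAP_SYS_MODULE because the string controls module loading */`. It is also worth stating that the capability is checked on the writing task at write time, not at open, so readers know which credentials the check applies to.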
70625 @@ -2207,6 +2277,8 @@ static int proc_put_long(void __user **b
70626 len = strlen(tmp);
70627 if (len > *size)
70628 len = *size;
70629 + if (len > sizeof(tmp))
70630 + len = sizeof(tmp);
70631 if (copy_to_user(*buf, tmp, len))
70632 return -EFAULT;
70633 *size -= len;
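Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` can only take effect if `strlen(tmp)` has already run past the buffer, because `len` comes from `strlen(tmp)` two lines above. If the aim is to bound the `copy_to_user()` length against an over-long result, the bound belongs where `tmp` is filled, which is outside this hunk; here it acts after any overread has happened. If it is kept as belt-and-braces, say so: `/* defensive: never copy more than the local buffer holds */`. `tmp`'s declaration is not visible, so its size and how it is written are assumed.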
70634 @@ -2523,8 +2595,11 @@ static int __do_proc_doulongvec_minmax(v
70635 *i = val;
70636 } else {
70637 val = convdiv * (*i) / convmul;
70638 - if (!first)
70639 + if (!first) {
70640 err = proc_put_char(&buffer, &left, '\t');
70641 + if (err)
70642 + break;
70643 + }
70644 err = proc_put_long(&buffer, &left, val, false);
70645 if (err)
70646 break;
70647 @@ -2919,6 +2994,12 @@ int proc_dostring(struct ctl_table *tabl
70648 return -ENOSYS;
70649 }
70650
70651 +int proc_dostring_modpriv(struct ctl_table *table, int write,
70652 + void __user *buffer, size_t *lenp, loff_t *ppos)
70653 +{
70654 + return -ENOSYS;
70655 +}
70656 +
70657 int proc_dointvec(struct ctl_table *table, int write,
70658 void __user *buffer, size_t *lenp, loff_t *ppos)
70659 {
70660 @@ -2975,6 +3056,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
70661 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
70662 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
70663 EXPORT_SYMBOL(proc_dostring);
70664 +EXPORT_SYMBOL(proc_dostring_modpriv);
70665 EXPORT_SYMBOL(proc_doulongvec_minmax);
70666 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
70667 EXPORT_SYMBOL(register_sysctl_table);
70668 diff -urNp linux-2.6.39.1/kernel/sysctl_check.c linux-2.6.39.1/kernel/sysctl_check.c
70669 --- linux-2.6.39.1/kernel/sysctl_check.c 2011-05-19 00:06:34.000000000 -0400
70670 +++ linux-2.6.39.1/kernel/sysctl_check.c 2011-05-22 19:41:42.000000000 -0400
70671 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
70672 set_fail(&fail, table, "Directory with extra2");
70673 } else {
70674 if ((table->proc_handler == proc_dostring) ||
70675 + (table->proc_handler == proc_dostring_modpriv) ||
70676 (table->proc_handler == proc_dointvec) ||
70677 (table->proc_handler == proc_dointvec_minmax) ||
70678 (table->proc_handler == proc_dointvec_jiffies) ||
70679 diff -urNp linux-2.6.39.1/kernel/taskstats.c linux-2.6.39.1/kernel/taskstats.c
70680 --- linux-2.6.39.1/kernel/taskstats.c 2011-05-19 00:06:34.000000000 -0400
70681 +++ linux-2.6.39.1/kernel/taskstats.c 2011-05-22 19:41:42.000000000 -0400
70682 @@ -27,9 +27,12 @@
70683 #include <linux/cgroup.h>
70684 #include <linux/fs.h>
70685 #include <linux/file.h>
70686 +#include <linux/grsecurity.h>
70687 #include <net/genetlink.h>
70688 #include <asm/atomic.h>
70689
70690 +extern int gr_is_taskstats_denied(int pid);
70691 +
70692 /*
70693 * Maximum length of a cpumask that can be specified in
70694 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
70695 @@ -549,6 +552,9 @@ err:
70696
70697 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
70698 {
70699 + if (gr_is_taskstats_denied(current->pid))
70700 + return -EACCES;
70701 +
70702 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
70703 return cmd_attr_register_cpumask(info);
70704 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
70705 diff -urNp linux-2.6.39.1/kernel/time/posix-clock.c linux-2.6.39.1/kernel/time/posix-clock.c
70706 --- linux-2.6.39.1/kernel/time/posix-clock.c 2011-05-19 00:06:34.000000000 -0400
70707 +++ linux-2.6.39.1/kernel/time/posix-clock.c 2011-05-22 19:36:33.000000000 -0400
70708 @@ -433,7 +433,7 @@ static int pc_timer_settime(struct k_iti
70709 return err;
70710 }
70711
70712 -struct k_clock clock_posix_dynamic = {
70713 +const struct k_clock clock_posix_dynamic = {
70714 .clock_getres = pc_clock_getres,
70715 .clock_set = pc_clock_settime,
70716 .clock_get = pc_clock_gettime,
70717 diff -urNp linux-2.6.39.1/kernel/time/tick-broadcast.c linux-2.6.39.1/kernel/time/tick-broadcast.c
70718 --- linux-2.6.39.1/kernel/time/tick-broadcast.c 2011-05-19 00:06:34.000000000 -0400
70719 +++ linux-2.6.39.1/kernel/time/tick-broadcast.c 2011-05-22 19:36:33.000000000 -0400
70720 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
70721 * then clear the broadcast bit.
70722 */
70723 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
70724 - int cpu = smp_processor_id();
70725 + cpu = smp_processor_id();
70726
70727 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
70728 tick_broadcast_clear_oneshot(cpu);
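Review bot: Dropping the `int` turns the block-local `cpu` into an assignment to an outer `cpu` declared outside this hunk, presumably a parameter of `tick_device_uses_broadcast()`, whose signature is truncated in the hunk header. That removes the shadowing, but it also overwrites the caller-supplied value for the rest of the function, so any later read of `cpu` would see `smp_processor_id()` instead. Renaming the local keeps both values intact: `int this_cpu = smp_processor_id();`, with the two calls below taking `this_cpu`.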
70729 diff -urNp linux-2.6.39.1/kernel/time/timekeeping.c linux-2.6.39.1/kernel/time/timekeeping.c
70730 --- linux-2.6.39.1/kernel/time/timekeeping.c 2011-05-19 00:06:34.000000000 -0400
70731 +++ linux-2.6.39.1/kernel/time/timekeeping.c 2011-05-22 20:40:50.000000000 -0400
70732 @@ -14,6 +14,7 @@
70733 #include <linux/init.h>
70734 #include <linux/mm.h>
70735 #include <linux/sched.h>
70736 +#include <linux/grsecurity.h>
70737 #include <linux/syscore_ops.h>
70738 #include <linux/clocksource.h>
70739 #include <linux/jiffies.h>
70740 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
70741 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
70742 return -EINVAL;
70743
70744 + gr_log_timechange();
70745 +
70746 write_seqlock_irqsave(&xtime_lock, flags);
70747
70748 timekeeping_forward_now();
70749 diff -urNp linux-2.6.39.1/kernel/time/timer_list.c linux-2.6.39.1/kernel/time/timer_list.c
70750 --- linux-2.6.39.1/kernel/time/timer_list.c 2011-05-19 00:06:34.000000000 -0400
70751 +++ linux-2.6.39.1/kernel/time/timer_list.c 2011-05-22 19:41:42.000000000 -0400
70752 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
70753
70754 static void print_name_offset(struct seq_file *m, void *sym)
70755 {
70756 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70757 + SEQ_printf(m, "<%p>", NULL);
70758 +#else
70759 char symname[KSYM_NAME_LEN];
70760
70761 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
70762 SEQ_printf(m, "<%pK>", sym);
70763 else
70764 SEQ_printf(m, "%s", symname);
70765 +#endif
70766 }
70767
70768 static void
70769 @@ -112,7 +116,11 @@ next_one:
70770 static void
70771 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
70772 {
70773 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70774 + SEQ_printf(m, " .base: %p\n", NULL);
70775 +#else
70776 SEQ_printf(m, " .base: %pK\n", base);
70777 +#endif
70778 SEQ_printf(m, " .index: %d\n",
70779 base->index);
70780 SEQ_printf(m, " .resolution: %Lu nsecs\n",
70781 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
70782 {
70783 struct proc_dir_entry *pe;
70784
70785 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70786 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
70787 +#else
70788 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
70789 +#endif
70790 if (!pe)
70791 return -ENOMEM;
70792 return 0;
70793 diff -urNp linux-2.6.39.1/kernel/time/timer_stats.c linux-2.6.39.1/kernel/time/timer_stats.c
70794 --- linux-2.6.39.1/kernel/time/timer_stats.c 2011-05-19 00:06:34.000000000 -0400
70795 +++ linux-2.6.39.1/kernel/time/timer_stats.c 2011-05-22 19:41:42.000000000 -0400
70796 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
70797 static unsigned long nr_entries;
70798 static struct entry entries[MAX_ENTRIES];
70799
70800 -static atomic_t overflow_count;
70801 +static atomic_unchecked_t overflow_count;
70802
70803 /*
70804 * The entries are in a hash-table, for fast lookup:
70805 @@ -140,7 +140,7 @@ static void reset_entries(void)
70806 nr_entries = 0;
70807 memset(entries, 0, sizeof(entries));
70808 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
70809 - atomic_set(&overflow_count, 0);
70810 + atomic_set_unchecked(&overflow_count, 0);
70811 }
70812
70813 static struct entry *alloc_entry(void)
70814 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
70815 if (likely(entry))
70816 entry->count++;
70817 else
70818 - atomic_inc(&overflow_count);
70819 + atomic_inc_unchecked(&overflow_count);
70820
70821 out_unlock:
70822 raw_spin_unlock_irqrestore(lock, flags);
70823 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
70824
70825 static void print_name_offset(struct seq_file *m, unsigned long addr)
70826 {
70827 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70828 + seq_printf(m, "<%p>", NULL);
70829 +#else
70830 char symname[KSYM_NAME_LEN];
70831
70832 if (lookup_symbol_name(addr, symname) < 0)
70833 seq_printf(m, "<%p>", (void *)addr);
70834 else
70835 seq_printf(m, "%s", symname);
70836 +#endif
70837 }
70838
70839 static int tstats_show(struct seq_file *m, void *v)
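Review bot: With CONFIG_GRKERNSEC_HIDESYM off, the `#else` branch still prints the raw address with `"<%p>"`, whereas the same-named function in timer_list.c earlier in this patch uses `"<%pK>"`, which honours `kptr_restrict`. Since this hunk already touches the function for address hiding, the fallback could become `seq_printf(m, "<%pK>", (void *)addr);` so the two files agree. That matters because the next hunk still creates `timer_stats` with mode 0644 when CONFIG_GRKERNSEC_PROC_ADD is not set.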
70840 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
70841
70842 seq_puts(m, "Timer Stats Version: v0.2\n");
70843 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
70844 - if (atomic_read(&overflow_count))
70845 + if (atomic_read_unchecked(&overflow_count))
70846 seq_printf(m, "Overflow: %d entries\n",
70847 - atomic_read(&overflow_count));
70848 + atomic_read_unchecked(&overflow_count));
70849
70850 for (i = 0; i < nr_entries; i++) {
70851 entry = entries + i;
70852 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
70853 {
70854 struct proc_dir_entry *pe;
70855
70856 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70857 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
70858 +#else
70859 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
70860 +#endif
70861 if (!pe)
70862 return -ENOMEM;
70863 return 0;
70864 diff -urNp linux-2.6.39.1/kernel/time.c linux-2.6.39.1/kernel/time.c
70865 --- linux-2.6.39.1/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
70866 +++ linux-2.6.39.1/kernel/time.c 2011-05-22 19:41:42.000000000 -0400
70867 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
70868 return error;
70869
70870 if (tz) {
70871 + /* we log in do_settimeofday called below, so don't log twice
70872 + */
70873 + if (!tv)
70874 + gr_log_timechange();
70875 +
70876 /* SMP safe, global irq locking makes it work. */
70877 sys_tz = *tz;
70878 update_vsyscall_tz();
70879 diff -urNp linux-2.6.39.1/kernel/timer.c linux-2.6.39.1/kernel/timer.c
70880 --- linux-2.6.39.1/kernel/timer.c 2011-05-19 00:06:34.000000000 -0400
70881 +++ linux-2.6.39.1/kernel/timer.c 2011-05-22 19:36:33.000000000 -0400
70882 @@ -1305,7 +1305,7 @@ void update_process_times(int user_tick)
70883 /*
70884 * This function runs timers and the timer-tq in bottom half context.
70885 */
70886 -static void run_timer_softirq(struct softirq_action *h)
70887 +static void run_timer_softirq(void)
70888 {
70889 struct tvec_base *base = __this_cpu_read(tvec_bases);
70890
70891 diff -urNp linux-2.6.39.1/kernel/trace/blktrace.c linux-2.6.39.1/kernel/trace/blktrace.c
70892 --- linux-2.6.39.1/kernel/trace/blktrace.c 2011-05-19 00:06:34.000000000 -0400
70893 +++ linux-2.6.39.1/kernel/trace/blktrace.c 2011-05-22 19:36:33.000000000 -0400
70894 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
70895 struct blk_trace *bt = filp->private_data;
70896 char buf[16];
70897
70898 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
70899 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
70900
70901 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
70902 }
70903 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
70904 return 1;
70905
70906 bt = buf->chan->private_data;
70907 - atomic_inc(&bt->dropped);
70908 + atomic_inc_unchecked(&bt->dropped);
70909 return 0;
70910 }
70911
70912 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
70913
70914 bt->dir = dir;
70915 bt->dev = dev;
70916 - atomic_set(&bt->dropped, 0);
70917 + atomic_set_unchecked(&bt->dropped, 0);
70918
70919 ret = -EIO;
70920 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
70921 diff -urNp linux-2.6.39.1/kernel/trace/ftrace.c linux-2.6.39.1/kernel/trace/ftrace.c
70922 --- linux-2.6.39.1/kernel/trace/ftrace.c 2011-06-03 00:04:14.000000000 -0400
70923 +++ linux-2.6.39.1/kernel/trace/ftrace.c 2011-06-03 00:32:08.000000000 -0400
70924 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
70925
70926 ip = rec->ip;
70927
70928 + ret = ftrace_arch_code_modify_prepare();
70929 + FTRACE_WARN_ON(ret);
70930 + if (ret)
70931 + return 0;
70932 +
70933 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
70934 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
70935 if (ret) {
70936 ftrace_bug(ret, ip);
70937 rec->flags |= FTRACE_FL_FAILED;
70938 - return 0;
70939 }
70940 - return 1;
70941 + return ret ? 0 : 1;
70942 }
70943
70944 /*
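Review bot: `ftrace_arch_code_modify_post_process()` is called only as the argument of `FTRACE_WARN_ON(...)`, so a call that must always run sits inside what reads as an assertion. The prepare call a few lines earlier does it the clearer way, assigning to `ret` first and warning second. The same shape works here with a separate local: `int post = ftrace_arch_code_modify_post_process();` followed by `FTRACE_WARN_ON(post);`. Note also that a prepare failure returns 0 without `ftrace_bug()` or setting `FTRACE_FL_FAILED`, unlike the `ftrace_make_nop()` failure path; if callers rely on that flag (not visible here), the record is left unmarked. The function starts outside this hunk.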
70945 @@ -2011,7 +2016,7 @@ static void ftrace_free_entry_rcu(struct
70946
70947 int
70948 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
70949 - void *data)
70950 + void *data)
70951 {
70952 struct ftrace_func_probe *entry;
70953 struct ftrace_page *pg;
70954 @@ -2083,7 +2088,7 @@ enum {
70955 };
70956
70957 static void
70958 -__unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
70959 +__unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,
70960 void *data, int flags)
70961 {
70962 struct ftrace_func_probe *entry;
70963 @@ -2144,7 +2149,7 @@ unregister_ftrace_function_probe(char *g
70964 }
70965
70966 void
70967 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops)
70968 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops)
70969 {
70970 __unregister_ftrace_function_probe(glob, ops, NULL, PROBE_TEST_FUNC);
70971 }
70972 diff -urNp linux-2.6.39.1/kernel/trace/trace.c linux-2.6.39.1/kernel/trace/trace.c
70973 --- linux-2.6.39.1/kernel/trace/trace.c 2011-05-19 00:06:34.000000000 -0400
70974 +++ linux-2.6.39.1/kernel/trace/trace.c 2011-05-22 19:36:33.000000000 -0400
70975 @@ -3330,6 +3330,8 @@ static ssize_t tracing_splice_read_pipe(
70976 size_t rem;
70977 unsigned int i;
70978
70979 + pax_track_stack();
70980 +
70981 if (splice_grow_spd(pipe, &spd))
70982 return -ENOMEM;
70983
70984 @@ -3813,6 +3815,8 @@ tracing_buffers_splice_read(struct file
70985 int entries, size, i;
70986 size_t ret;
70987
70988 + pax_track_stack();
70989 +
70990 if (splice_grow_spd(pipe, &spd))
70991 return -ENOMEM;
70992
70993 @@ -3981,10 +3985,9 @@ static const struct file_operations trac
70994 };
70995 #endif
70996
70997 -static struct dentry *d_tracer;
70998 -
70999 struct dentry *tracing_init_dentry(void)
71000 {
71001 + static struct dentry *d_tracer;
71002 static int once;
71003
71004 if (d_tracer)
71005 @@ -4004,10 +4007,9 @@ struct dentry *tracing_init_dentry(void)
71006 return d_tracer;
71007 }
71008
71009 -static struct dentry *d_percpu;
71010 -
71011 struct dentry *tracing_dentry_percpu(void)
71012 {
71013 + static struct dentry *d_percpu;
71014 static int once;
71015 struct dentry *d_tracer;
71016
71017 diff -urNp linux-2.6.39.1/kernel/trace/trace_events.c linux-2.6.39.1/kernel/trace/trace_events.c
71018 --- linux-2.6.39.1/kernel/trace/trace_events.c 2011-05-19 00:06:34.000000000 -0400
71019 +++ linux-2.6.39.1/kernel/trace/trace_events.c 2011-05-22 19:36:33.000000000 -0400
71020 @@ -1241,10 +1241,10 @@ static LIST_HEAD(ftrace_module_file_list
71021 struct ftrace_module_file_ops {
71022 struct list_head list;
71023 struct module *mod;
71024 - struct file_operations id;
71025 - struct file_operations enable;
71026 - struct file_operations format;
71027 - struct file_operations filter;
71028 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
71029 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
71030 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
71031 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
71032 };
71033
71034 static struct ftrace_module_file_ops *
71035 diff -urNp linux-2.6.39.1/kernel/trace/trace_functions.c linux-2.6.39.1/kernel/trace/trace_functions.c
71036 --- linux-2.6.39.1/kernel/trace/trace_functions.c 2011-05-19 00:06:34.000000000 -0400
71037 +++ linux-2.6.39.1/kernel/trace/trace_functions.c 2011-05-22 19:36:33.000000000 -0400
71038 @@ -308,7 +308,7 @@ ftrace_trace_onoff_print(struct seq_file
71039 static int
71040 ftrace_trace_onoff_unreg(char *glob, char *cmd, char *param)
71041 {
71042 - struct ftrace_probe_ops *ops;
71043 + const struct ftrace_probe_ops *ops;
71044
71045 /* we register both traceon and traceoff to this callback */
71046 if (strcmp(cmd, "traceon") == 0)
71047 diff -urNp linux-2.6.39.1/kernel/trace/trace_mmiotrace.c linux-2.6.39.1/kernel/trace/trace_mmiotrace.c
71048 --- linux-2.6.39.1/kernel/trace/trace_mmiotrace.c 2011-05-19 00:06:34.000000000 -0400
71049 +++ linux-2.6.39.1/kernel/trace/trace_mmiotrace.c 2011-05-22 19:36:33.000000000 -0400
71050 @@ -24,7 +24,7 @@ struct header_iter {
71051 static struct trace_array *mmio_trace_array;
71052 static bool overrun_detected;
71053 static unsigned long prev_overruns;
71054 -static atomic_t dropped_count;
71055 +static atomic_unchecked_t dropped_count;
71056
71057 static void mmio_reset_data(struct trace_array *tr)
71058 {
71059 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
71060
71061 static unsigned long count_overruns(struct trace_iterator *iter)
71062 {
71063 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
71064 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71065 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71066
71067 if (over > prev_overruns)
71068 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
71069 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71070 sizeof(*entry), 0, pc);
71071 if (!event) {
71072 - atomic_inc(&dropped_count);
71073 + atomic_inc_unchecked(&dropped_count);
71074 return;
71075 }
71076 entry = ring_buffer_event_data(event);
71077 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
71078 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71079 sizeof(*entry), 0, pc);
71080 if (!event) {
71081 - atomic_inc(&dropped_count);
71082 + atomic_inc_unchecked(&dropped_count);
71083 return;
71084 }
71085 entry = ring_buffer_event_data(event);
71086 diff -urNp linux-2.6.39.1/kernel/trace/trace_output.c linux-2.6.39.1/kernel/trace/trace_output.c
71087 --- linux-2.6.39.1/kernel/trace/trace_output.c 2011-05-19 00:06:34.000000000 -0400
71088 +++ linux-2.6.39.1/kernel/trace/trace_output.c 2011-05-22 19:36:33.000000000 -0400
71089 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
71090
71091 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71092 if (!IS_ERR(p)) {
71093 - p = mangle_path(s->buffer + s->len, p, "\n");
71094 + p = mangle_path(s->buffer + s->len, p, "\n\\");
71095 if (p) {
71096 s->len = p - s->buffer;
71097 return 1;
71098 diff -urNp linux-2.6.39.1/kernel/trace/trace_stack.c linux-2.6.39.1/kernel/trace/trace_stack.c
71099 --- linux-2.6.39.1/kernel/trace/trace_stack.c 2011-05-19 00:06:34.000000000 -0400
71100 +++ linux-2.6.39.1/kernel/trace/trace_stack.c 2011-05-22 19:36:33.000000000 -0400
71101 @@ -50,7 +50,7 @@ static inline void check_stack(void)
71102 return;
71103
71104 /* we do not handle interrupt stacks yet */
71105 - if (!object_is_on_stack(&this_size))
71106 + if (!object_starts_on_stack(&this_size))
71107 return;
71108
71109 local_irq_save(flags);
71110 diff -urNp linux-2.6.39.1/kernel/trace/trace_workqueue.c linux-2.6.39.1/kernel/trace/trace_workqueue.c
71111 --- linux-2.6.39.1/kernel/trace/trace_workqueue.c 2011-05-19 00:06:34.000000000 -0400
71112 +++ linux-2.6.39.1/kernel/trace/trace_workqueue.c 2011-05-22 19:36:33.000000000 -0400
71113 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
71114 int cpu;
71115 pid_t pid;
71116 /* Can be inserted from interrupt or user context, need to be atomic */
71117 - atomic_t inserted;
71118 + atomic_unchecked_t inserted;
71119 /*
71120 * Don't need to be atomic, works are serialized in a single workqueue thread
71121 * on a single CPU.
71122 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
71123 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71124 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71125 if (node->pid == wq_thread->pid) {
71126 - atomic_inc(&node->inserted);
71127 + atomic_inc_unchecked(&node->inserted);
71128 goto found;
71129 }
71130 }
71131 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
71132 tsk = get_pid_task(pid, PIDTYPE_PID);
71133 if (tsk) {
71134 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71135 - atomic_read(&cws->inserted), cws->executed,
71136 + atomic_read_unchecked(&cws->inserted), cws->executed,
71137 tsk->comm);
71138 put_task_struct(tsk);
71139 }
71140 diff -urNp linux-2.6.39.1/lib/bug.c linux-2.6.39.1/lib/bug.c
71141 --- linux-2.6.39.1/lib/bug.c 2011-05-19 00:06:34.000000000 -0400
71142 +++ linux-2.6.39.1/lib/bug.c 2011-05-22 19:36:33.000000000 -0400
71143 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
71144 return BUG_TRAP_TYPE_NONE;
71145
71146 bug = find_bug(bugaddr);
71147 + if (!bug)
71148 + return BUG_TRAP_TYPE_NONE;
71149
71150 file = NULL;
71151 line = 0;
71152 diff -urNp linux-2.6.39.1/lib/debugobjects.c linux-2.6.39.1/lib/debugobjects.c
71153 --- linux-2.6.39.1/lib/debugobjects.c 2011-05-19 00:06:34.000000000 -0400
71154 +++ linux-2.6.39.1/lib/debugobjects.c 2011-05-22 19:36:33.000000000 -0400
71155 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
71156 if (limit > 4)
71157 return;
71158
71159 - is_on_stack = object_is_on_stack(addr);
71160 + is_on_stack = object_starts_on_stack(addr);
71161 if (is_on_stack == onstack)
71162 return;
71163
71164 diff -urNp linux-2.6.39.1/lib/dma-debug.c linux-2.6.39.1/lib/dma-debug.c
71165 --- linux-2.6.39.1/lib/dma-debug.c 2011-05-19 00:06:34.000000000 -0400
71166 +++ linux-2.6.39.1/lib/dma-debug.c 2011-05-22 19:36:33.000000000 -0400
71167 @@ -862,7 +862,7 @@ out:
71168
71169 static void check_for_stack(struct device *dev, void *addr)
71170 {
71171 - if (object_is_on_stack(addr))
71172 + if (object_starts_on_stack(addr))
71173 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71174 "stack [addr=%p]\n", addr);
71175 }
71176 diff -urNp linux-2.6.39.1/lib/inflate.c linux-2.6.39.1/lib/inflate.c
71177 --- linux-2.6.39.1/lib/inflate.c 2011-05-19 00:06:34.000000000 -0400
71178 +++ linux-2.6.39.1/lib/inflate.c 2011-05-22 19:36:33.000000000 -0400
71179 @@ -269,7 +269,7 @@ static void free(void *where)
71180 malloc_ptr = free_mem_ptr;
71181 }
71182 #else
71183 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71184 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71185 #define free(a) kfree(a)
71186 #endif
71187
71188 diff -urNp linux-2.6.39.1/lib/Kconfig.debug linux-2.6.39.1/lib/Kconfig.debug
71189 --- linux-2.6.39.1/lib/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
71190 +++ linux-2.6.39.1/lib/Kconfig.debug 2011-05-22 19:41:42.000000000 -0400
71191 @@ -1078,6 +1078,7 @@ config LATENCYTOP
71192 depends on DEBUG_KERNEL
71193 depends on STACKTRACE_SUPPORT
71194 depends on PROC_FS
71195 + depends on !GRKERNSEC_HIDESYM
71196 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
71197 select KALLSYMS
71198 select KALLSYMS_ALL
71199 diff -urNp linux-2.6.39.1/lib/kref.c linux-2.6.39.1/lib/kref.c
71200 --- linux-2.6.39.1/lib/kref.c 2011-05-19 00:06:34.000000000 -0400
71201 +++ linux-2.6.39.1/lib/kref.c 2011-05-22 19:36:33.000000000 -0400
71202 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
71203 */
71204 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71205 {
71206 - WARN_ON(release == NULL);
71207 + BUG_ON(release == NULL);
71208 WARN_ON(release == (void (*)(struct kref *))kfree);
71209
71210 if (atomic_dec_and_test(&kref->refcount)) {
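Review bot: The new `BUG_ON(release == NULL);` has no comment saying why a NULL callback must now halt the kernel while the `kfree` misuse on the next line still only warns. The rest of kref_put is outside the hunk, so it is an inference that `release` is invoked once the count reaches zero. If so, a one-line comment such as `/* a NULL release would be called on the final put: stop here rather than jump through a NULL pointer */` would record the intent. Any caller that passes NULL on purpose turns from a log line into a crash, which is worth stating in the changelog.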
71211 diff -urNp linux-2.6.39.1/lib/radix-tree.c linux-2.6.39.1/lib/radix-tree.c
71212 --- linux-2.6.39.1/lib/radix-tree.c 2011-05-19 00:06:34.000000000 -0400
71213 +++ linux-2.6.39.1/lib/radix-tree.c 2011-05-22 19:36:33.000000000 -0400
71214 @@ -80,7 +80,7 @@ struct radix_tree_preload {
71215 int nr;
71216 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71217 };
71218 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71219 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71220
71221 static inline void *ptr_to_indirect(void *ptr)
71222 {
71223 diff -urNp linux-2.6.39.1/lib/vsprintf.c linux-2.6.39.1/lib/vsprintf.c
71224 --- linux-2.6.39.1/lib/vsprintf.c 2011-05-19 00:06:34.000000000 -0400
71225 +++ linux-2.6.39.1/lib/vsprintf.c 2011-05-22 20:54:59.000000000 -0400
71226 @@ -16,6 +16,9 @@
71227 * - scnprintf and vscnprintf
71228 */
71229
71230 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71231 +#define __INCLUDED_BY_HIDESYM 1
71232 +#endif
71233 #include <stdarg.h>
71234 #include <linux/module.h>
71235 #include <linux/types.h>
71236 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
71237 char sym[KSYM_SYMBOL_LEN];
71238 if (ext == 'B')
71239 sprint_backtrace(sym, value);
71240 - else if (ext != 'f' && ext != 's')
71241 + else if (ext != 'f' && ext != 's' && ext != 'a')
71242 sprint_symbol(sym, value);
71243 else
71244 kallsyms_lookup(value, NULL, NULL, NULL, sym);
71245 @@ -797,7 +800,11 @@ char *uuid_string(char *buf, char *end,
71246 return string(buf, end, uuid, spec);
71247 }
71248
71249 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71250 +int kptr_restrict __read_mostly = 2;
71251 +#else
71252 int kptr_restrict __read_mostly;
71253 +#endif
71254
71255 /*
71256 * Show a '%p' thing. A kernel extension is that the '%p' is followed
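Review bot: The literal `2` in `int kptr_restrict __read_mostly = 2;` is undocumented, and it only sets the initial value. A comment such as `/* 2: %pK output is zeroed for every reader, privileged or not */` would explain the choice. Whether the value can be lowered again at runtime depends on the sysctl handler, which is not in this hunk. If HIDESYM is meant to be non-negotiable, that handler is where the guarantee has to be enforced.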
71257 @@ -811,6 +818,8 @@ int kptr_restrict __read_mostly;
71258 * - 'S' For symbolic direct pointers with offset
71259 * - 's' For symbolic direct pointers without offset
71260 * - 'B' For backtraced symbolic direct pointers with offset
71261 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71262 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71263 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
71264 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
71265 * - 'M' For a 6-byte MAC address, it prints the address in the
71266 @@ -855,12 +864,12 @@ char *pointer(const char *fmt, char *buf
71267 {
71268 if (!ptr && *fmt != 'K') {
71269 /*
71270 - * Print (null) with the same width as a pointer so it makes
71271 + * Print (nil) with the same width as a pointer so it makes
71272 * tabular output look nice.
71273 */
71274 if (spec.field_width == -1)
71275 spec.field_width = 2 * sizeof(void *);
71276 - return string(buf, end, "(null)", spec);
71277 + return string(buf, end, "(nil)", spec);
71278 }
71279
71280 switch (*fmt) {
71281 @@ -870,6 +879,13 @@ char *pointer(const char *fmt, char *buf
71282 /* Fallthrough */
71283 case 'S':
71284 case 's':
71285 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71286 + break;
71287 +#else
71288 + return symbol_string(buf, end, ptr, spec, *fmt);
71289 +#endif
71290 + case 'A':
71291 + case 'a':
71292 case 'B':
71293 return symbol_string(buf, end, ptr, spec, *fmt);
71294 case 'R':
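Review bot: With CONFIG_GRKERNSEC_HIDESYM set, `case 'S'`/`case 's'` (and whatever falls through into them above the hunk) now `break` out of the switch instead of returning, so the output depends on the code after the switch, which is not visible here. If that code formats the raw pointer value, the withheld symbol name is replaced by an exact address, which discloses more than the name did. This should be confirmed and recorded next to the `break`, e.g. `/* symbol lookup withheld; value is handled after the switch */`. Splitting case labels with `#ifdef`/`#else` inside the switch is also hard to follow; a small helper that says whether symbol resolution is allowed for `*fmt` would keep the switch linear.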
71295 @@ -1632,11 +1648,11 @@ int bstr_printf(char *buf, size_t size,
71296 typeof(type) value; \
71297 if (sizeof(type) == 8) { \
71298 args = PTR_ALIGN(args, sizeof(u32)); \
71299 - *(u32 *)&value = *(u32 *)args; \
71300 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71301 + *(u32 *)&value = *(const u32 *)args; \
71302 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71303 } else { \
71304 args = PTR_ALIGN(args, sizeof(type)); \
71305 - value = *(typeof(type) *)args; \
71306 + value = *(const typeof(type) *)args; \
71307 } \
71308 args += sizeof(type); \
71309 value; \
71310 @@ -1699,7 +1715,7 @@ int bstr_printf(char *buf, size_t size,
71311 case FORMAT_TYPE_STR: {
71312 const char *str_arg = args;
71313 args += strlen(str_arg) + 1;
71314 - str = string(str, end, (char *)str_arg, spec);
71315 + str = string(str, end, str_arg, spec);
71316 break;
71317 }
71318
71319 diff -urNp linux-2.6.39.1/localversion-grsec linux-2.6.39.1/localversion-grsec
71320 --- linux-2.6.39.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71321 +++ linux-2.6.39.1/localversion-grsec 2011-05-22 19:41:42.000000000 -0400
71322 @@ -0,0 +1 @@
71323 +-grsec
71324 diff -urNp linux-2.6.39.1/Makefile linux-2.6.39.1/Makefile
71325 --- linux-2.6.39.1/Makefile 2011-06-03 00:04:13.000000000 -0400
71326 +++ linux-2.6.39.1/Makefile 2011-06-04 17:40:47.000000000 -0400
71327 @@ -237,8 +237,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71328
71329 HOSTCC = gcc
71330 HOSTCXX = g++
71331 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
71332 -HOSTCXXFLAGS = -O2
71333 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
71334 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
71335 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
71336
71337 # Decide whether to build built-in, modular, or both.
71338 # Normally, just do built-in.
71339 @@ -356,10 +357,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
71340 KBUILD_CPPFLAGS := -D__KERNEL__
71341
71342 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71343 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
71344 -fno-strict-aliasing -fno-common \
71345 -Werror-implicit-function-declaration \
71346 -Wno-format-security \
71347 -fno-delete-null-pointer-checks
71348 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
71349 KBUILD_AFLAGS_KERNEL :=
71350 KBUILD_CFLAGS_KERNEL :=
71351 KBUILD_AFLAGS := -D__ASSEMBLY__
71352 @@ -685,7 +688,7 @@ export mod_strip_cmd
71353
71354
71355 ifeq ($(KBUILD_EXTMOD),)
71356 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71357 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71358
71359 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71360 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71361 @@ -931,7 +934,19 @@ include/config/kernel.release: include/c
71362 # version.h and scripts_basic is processed / created.
71363
71364 # Listed in dependency order
71365 -PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3
71366 +PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3 pax-plugin
71367 +
71368 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71369 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
71370 +endif
71371 +pax-plugin:
71372 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
71373 + $(Q)$(MAKE) $(build)=tools/gcc
71374 +else
71375 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71376 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
71377 +endif
71378 +endif
71379
71380 # prepare3 is used to check if we are building in a separate output directory,
71381 # and if so do:
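Review bot: The plugin flags are gated on `cc-ifversion, -ge, 0405` alone, which tests the compiler version and not whether that gcc was built with plugin support or has its plugin headers installed. On such a toolchain `pax_plugin` is still present in KBUILD_CFLAGS, so the `pax-plugin` target goes on to build tools/gcc and the warning branch is never reached. The fallback itself is only an `echo` in the middle of the build output, so a kernel configured with PAX_MEMORY_STACKLEAK can be produced with the weaker protection without the builder noticing. A parse-time `$(warning ...)`, or an `$(error ...)` if the weaker build should not be allowed, would be harder to miss.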
71382 @@ -947,7 +962,7 @@ ifneq ($(KBUILD_SRC),)
71383 endif
71384
71385 # prepare2 creates a makefile if using a separate output directory
71386 -prepare2: prepare3 outputmakefile
71387 +prepare2: prepare3 outputmakefile pax-plugin
71388
71389 prepare1: prepare2 include/linux/version.h include/generated/utsrelease.h \
71390 include/config/auto.conf
71391 diff -urNp linux-2.6.39.1/mm/filemap.c linux-2.6.39.1/mm/filemap.c
71392 --- linux-2.6.39.1/mm/filemap.c 2011-05-19 00:06:34.000000000 -0400
71393 +++ linux-2.6.39.1/mm/filemap.c 2011-05-22 19:41:42.000000000 -0400
71394 @@ -1724,7 +1724,7 @@ int generic_file_mmap(struct file * file
71395 struct address_space *mapping = file->f_mapping;
71396
71397 if (!mapping->a_ops->readpage)
71398 - return -ENOEXEC;
71399 + return -ENODEV;
71400 file_accessed(file);
71401 vma->vm_ops = &generic_file_vm_ops;
71402 vma->vm_flags |= VM_CAN_NONLINEAR;
71403 @@ -2120,6 +2120,7 @@ inline int generic_write_checks(struct f
71404 *pos = i_size_read(inode);
71405
71406 if (limit != RLIM_INFINITY) {
71407 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71408 if (*pos >= limit) {
71409 send_sig(SIGXFSZ, current, 0);
71410 return -EFBIG;
71411 diff -urNp linux-2.6.39.1/mm/fremap.c linux-2.6.39.1/mm/fremap.c
71412 --- linux-2.6.39.1/mm/fremap.c 2011-05-19 00:06:34.000000000 -0400
71413 +++ linux-2.6.39.1/mm/fremap.c 2011-05-22 19:36:33.000000000 -0400
71414 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71415 retry:
71416 vma = find_vma(mm, start);
71417
71418 +#ifdef CONFIG_PAX_SEGMEXEC
71419 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71420 + goto out;
71421 +#endif
71422 +
71423 /*
71424 * Make sure the vma is shared, that it supports prefaulting,
71425 * and that the remapped range is valid and fully within
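Review bot: The new SEGMEXEC check jumps to `out` without assigning an error code, so the value returned is whatever the function's result variable holds at `retry:`, and that assignment is outside the hunk. A comment stating the intended errno and the reason would help, for example `/* SEGMEXEC: executable mappings have a mirror, refuse nonlinear remapping */`. The reason given there is inferred from the other SEGMEXEC hunks and should be confirmed by the author. Because the check sits after the `retry:` label it is re-evaluated on every retry, which looks intended.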
71426 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71427 /*
71428 * drop PG_Mlocked flag for over-mapped range
71429 */
71430 - unsigned int saved_flags = vma->vm_flags;
71431 + unsigned long saved_flags = vma->vm_flags;
71432 munlock_vma_pages_range(vma, start, start + size);
71433 vma->vm_flags = saved_flags;
71434 }
71435 diff -urNp linux-2.6.39.1/mm/highmem.c linux-2.6.39.1/mm/highmem.c
71436 --- linux-2.6.39.1/mm/highmem.c 2011-05-19 00:06:34.000000000 -0400
71437 +++ linux-2.6.39.1/mm/highmem.c 2011-05-22 19:36:33.000000000 -0400
71438 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
71439 * So no dangers, even with speculative execution.
71440 */
71441 page = pte_page(pkmap_page_table[i]);
71442 + pax_open_kernel();
71443 pte_clear(&init_mm, (unsigned long)page_address(page),
71444 &pkmap_page_table[i]);
71445 -
71446 + pax_close_kernel();
71447 set_page_address(page, NULL);
71448 need_flush = 1;
71449 }
71450 @@ -186,9 +187,11 @@ start:
71451 }
71452 }
71453 vaddr = PKMAP_ADDR(last_pkmap_nr);
71454 +
71455 + pax_open_kernel();
71456 set_pte_at(&init_mm, vaddr,
71457 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71458 -
71459 + pax_close_kernel();
71460 pkmap_count[last_pkmap_nr] = 1;
71461 set_page_address(page, (void *)vaddr);
71462
71463 diff -urNp linux-2.6.39.1/mm/huge_memory.c linux-2.6.39.1/mm/huge_memory.c
71464 --- linux-2.6.39.1/mm/huge_memory.c 2011-05-19 00:06:34.000000000 -0400
71465 +++ linux-2.6.39.1/mm/huge_memory.c 2011-05-22 19:36:33.000000000 -0400
71466 @@ -702,7 +702,7 @@ out:
71467 * run pte_offset_map on the pmd, if an huge pmd could
71468 * materialize from under us from a different thread.
71469 */
71470 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
71471 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
71472 return VM_FAULT_OOM;
71473 /* if an huge pmd materialized from under us just retry later */
71474 if (unlikely(pmd_trans_huge(*pmd)))
71475 diff -urNp linux-2.6.39.1/mm/hugetlb.c linux-2.6.39.1/mm/hugetlb.c
71476 --- linux-2.6.39.1/mm/hugetlb.c 2011-05-19 00:06:34.000000000 -0400
71477 +++ linux-2.6.39.1/mm/hugetlb.c 2011-05-22 19:36:33.000000000 -0400
71478 @@ -2331,6 +2331,27 @@ static int unmap_ref_private(struct mm_s
71479 return 1;
71480 }
71481
71482 +#ifdef CONFIG_PAX_SEGMEXEC
71483 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71484 +{
71485 + struct mm_struct *mm = vma->vm_mm;
71486 + struct vm_area_struct *vma_m;
71487 + unsigned long address_m;
71488 + pte_t *ptep_m;
71489 +
71490 + vma_m = pax_find_mirror_vma(vma);
71491 + if (!vma_m)
71492 + return;
71493 +
71494 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71495 + address_m = address + SEGMEXEC_TASK_SIZE;
71496 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71497 + get_page(page_m);
71498 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
71499 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71500 +}
71501 +#endif
71502 +
71503 /*
71504 * Hugetlb_cow() should be called with page lock of the original hugepage held.
71505 */
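Review bot: `pax_mirror_huge_pte()` passes the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` straight to `set_huge_pte_at()` without checking it for NULL. The helper relies on a caller having allocated the mirror entry beforehand, which cannot be seen from inside the function. A `BUG_ON(!ptep_m);` after the lookup, or a comment naming that precondition, would make the dependency explicit. The lookup also masks the address with `HPAGE_MASK` while `hugepage_add_anon_rmap()` and `set_huge_pte_at()` receive the unmasked `address_m`; using one aligned value for all three would be clearer.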
71506 @@ -2432,6 +2453,11 @@ retry_avoidcopy:
71507 make_huge_pte(vma, new_page, 1));
71508 page_remove_rmap(old_page);
71509 hugepage_add_new_anon_rmap(new_page, vma, address);
71510 +
71511 +#ifdef CONFIG_PAX_SEGMEXEC
71512 + pax_mirror_huge_pte(vma, address, new_page);
71513 +#endif
71514 +
71515 /* Make the old page be freed below */
71516 new_page = old_page;
71517 mmu_notifier_invalidate_range_end(mm,
71518 @@ -2583,6 +2609,10 @@ retry:
71519 && (vma->vm_flags & VM_SHARED)));
71520 set_huge_pte_at(mm, address, ptep, new_pte);
71521
71522 +#ifdef CONFIG_PAX_SEGMEXEC
71523 + pax_mirror_huge_pte(vma, address, page);
71524 +#endif
71525 +
71526 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71527 /* Optimization, do the COW without a second fault */
71528 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71529 @@ -2612,6 +2642,10 @@ int hugetlb_fault(struct mm_struct *mm,
71530 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71531 struct hstate *h = hstate_vma(vma);
71532
71533 +#ifdef CONFIG_PAX_SEGMEXEC
71534 + struct vm_area_struct *vma_m;
71535 +#endif
71536 +
71537 ptep = huge_pte_offset(mm, address);
71538 if (ptep) {
71539 entry = huge_ptep_get(ptep);
71540 @@ -2623,6 +2657,26 @@ int hugetlb_fault(struct mm_struct *mm,
71541 VM_FAULT_SET_HINDEX(h - hstates);
71542 }
71543
71544 +#ifdef CONFIG_PAX_SEGMEXEC
71545 + vma_m = pax_find_mirror_vma(vma);
71546 + if (vma_m) {
71547 + unsigned long address_m;
71548 +
71549 + if (vma->vm_start > vma_m->vm_start) {
71550 + address_m = address;
71551 + address -= SEGMEXEC_TASK_SIZE;
71552 + vma = vma_m;
71553 + h = hstate_vma(vma);
71554 + } else
71555 + address_m = address + SEGMEXEC_TASK_SIZE;
71556 +
71557 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
71558 + return VM_FAULT_OOM;
71559 + address_m &= HPAGE_MASK;
71560 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
71561 + }
71562 +#endif
71563 +
71564 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
71565 if (!ptep)
71566 return VM_FAULT_OOM;
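Review bot: The mirror entry is allocated with `huge_page_size(h)`, but the range handed to `unmap_hugepage_range()` is computed with the fixed `HPAGE_MASK` and `HPAGE_SIZE`. These agree only while the vma uses the default huge page size; `address_m &= huge_page_mask(h);` and `address_m + huge_page_size(h)` would keep the two calls consistent. In both branches `vma` ends up as the lower mapping while `address_m` lies in the mirror range. That deserves a short comment, since the callee is given a vma that does not contain the address.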
71567 diff -urNp linux-2.6.39.1/mm/Kconfig linux-2.6.39.1/mm/Kconfig
71568 --- linux-2.6.39.1/mm/Kconfig 2011-05-19 00:06:34.000000000 -0400
71569 +++ linux-2.6.39.1/mm/Kconfig 2011-05-22 19:41:42.000000000 -0400
71570 @@ -240,7 +240,7 @@ config KSM
71571 config DEFAULT_MMAP_MIN_ADDR
71572 int "Low address space to protect from user allocation"
71573 depends on MMU
71574 - default 4096
71575 + default 65536
71576 help
71577 This is the portion of low virtual memory which should be protected
71578 from userspace allocation. Keeping a user from writing to low pages
71579 diff -urNp linux-2.6.39.1/mm/kmemleak.c linux-2.6.39.1/mm/kmemleak.c
71580 --- linux-2.6.39.1/mm/kmemleak.c 2011-06-03 00:04:14.000000000 -0400
71581 +++ linux-2.6.39.1/mm/kmemleak.c 2011-06-03 00:32:08.000000000 -0400
71582 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
71583
71584 for (i = 0; i < object->trace_len; i++) {
71585 void *ptr = (void *)object->trace[i];
71586 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
71587 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
71588 }
71589 }
71590
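Review bot: The format string `" [<%p>] %pA\n"` still prints the raw address through plain `%p`, right next to the symbol that was switched to the HIDESYM-approved `%pA`. In the hunks shown here only the symbol specifiers are restricted, so the numeric address appears to be emitted unchanged. If this file is meant to be trusted with full addresses, a comment should say so. If readers of this output do not need the address, dropping it or printing it with `%pK` would limit what is exposed.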
71591 diff -urNp linux-2.6.39.1/mm/maccess.c linux-2.6.39.1/mm/maccess.c
71592 --- linux-2.6.39.1/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
71593 +++ linux-2.6.39.1/mm/maccess.c 2011-05-22 19:36:33.000000000 -0400
71594 @@ -15,10 +15,10 @@
71595 * happens, handle that and return -EFAULT.
71596 */
71597
71598 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
71599 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
71600 __attribute__((alias("__probe_kernel_read")));
71601
71602 -long __probe_kernel_read(void *dst, void *src, size_t size)
71603 +long __probe_kernel_read(void *dst, const void *src, size_t size)
71604 {
71605 long ret;
71606 mm_segment_t old_fs = get_fs();
71607 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
71608 * Safely write to address @dst from the buffer at @src. If a kernel fault
71609 * happens, handle that and return -EFAULT.
71610 */
71611 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
71612 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
71613 __attribute__((alias("__probe_kernel_write")));
71614
71615 -long __probe_kernel_write(void *dst, void *src, size_t size)
71616 +long __probe_kernel_write(void *dst, const void *src, size_t size)
71617 {
71618 long ret;
71619 mm_segment_t old_fs = get_fs();
71620 diff -urNp linux-2.6.39.1/mm/madvise.c linux-2.6.39.1/mm/madvise.c
71621 --- linux-2.6.39.1/mm/madvise.c 2011-05-19 00:06:34.000000000 -0400
71622 +++ linux-2.6.39.1/mm/madvise.c 2011-05-22 19:36:33.000000000 -0400
71623 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
71624 pgoff_t pgoff;
71625 unsigned long new_flags = vma->vm_flags;
71626
71627 +#ifdef CONFIG_PAX_SEGMEXEC
71628 + struct vm_area_struct *vma_m;
71629 +#endif
71630 +
71631 switch (behavior) {
71632 case MADV_NORMAL:
71633 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71634 @@ -110,6 +114,13 @@ success:
71635 /*
71636 * vm_flags is protected by the mmap_sem held in write mode.
71637 */
71638 +
71639 +#ifdef CONFIG_PAX_SEGMEXEC
71640 + vma_m = pax_find_mirror_vma(vma);
71641 + if (vma_m)
71642 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71643 +#endif
71644 +
71645 vma->vm_flags = new_flags;
71646
71647 out:
71648 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
71649 struct vm_area_struct ** prev,
71650 unsigned long start, unsigned long end)
71651 {
71652 +
71653 +#ifdef CONFIG_PAX_SEGMEXEC
71654 + struct vm_area_struct *vma_m;
71655 +#endif
71656 +
71657 *prev = vma;
71658 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
71659 return -EINVAL;
71660 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
71661 zap_page_range(vma, start, end - start, &details);
71662 } else
71663 zap_page_range(vma, start, end - start, NULL);
71664 +
71665 +#ifdef CONFIG_PAX_SEGMEXEC
71666 + vma_m = pax_find_mirror_vma(vma);
71667 + if (vma_m) {
71668 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
71669 + struct zap_details details = {
71670 + .nonlinear_vma = vma_m,
71671 + .last_index = ULONG_MAX,
71672 + };
71673 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
71674 + } else
71675 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
71676 + }
71677 +#endif
71678 +
71679 return 0;
71680 }
71681
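Review bot: Both added `zap_page_range()` calls pass `vma` together with `start + SEGMEXEC_TASK_SIZE`, a range that belongs to `vma_m`, and the nonlinear test reads `vma->vm_flags` while `details.nonlinear_vma` is `vma_m`. Whether the callee still reaches the mirror when started from the lower vma depends on code outside this hunk. Passing `vma_m` would state the intent directly; otherwise a comment should say why the lower vma is used. The part of madvise_dontneed above the hunk is only partly visible.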
71682 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
71683 if (end < start)
71684 goto out;
71685
71686 +#ifdef CONFIG_PAX_SEGMEXEC
71687 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71688 + if (end > SEGMEXEC_TASK_SIZE)
71689 + goto out;
71690 + } else
71691 +#endif
71692 +
71693 + if (end > TASK_SIZE)
71694 + goto out;
71695 +
71696 error = 0;
71697 if (end == start)
71698 goto out;
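Review bot: The `} else` left open before `#endif` binds to the `if (end > TASK_SIZE)` two lines further down, across the preprocessor directive and a blank line. Any statement later inserted between `#endif` and that `if` silently becomes the else-branch when SEGMEXEC is configured. Computing the limit first and testing it once, as sketched below, avoids the construct; the declaration would go with the syscall's other locals, which are outside the hunk. The do_swap_page hunk in mm/memory.c uses the same pattern, with an `if` left open before `#endif` in front of `unlock_page(page);`.

```c
	unsigned long limit = TASK_SIZE;	/* declared with the other locals */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > limit)
		goto out;
	/* … unchanged: error = 0 and the end == start check … */
```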
71699 diff -urNp linux-2.6.39.1/mm/memory.c linux-2.6.39.1/mm/memory.c
71700 --- linux-2.6.39.1/mm/memory.c 2011-05-19 00:06:34.000000000 -0400
71701 +++ linux-2.6.39.1/mm/memory.c 2011-05-22 19:36:33.000000000 -0400
71702 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
71703 return;
71704
71705 pmd = pmd_offset(pud, start);
71706 +
71707 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
71708 pud_clear(pud);
71709 pmd_free_tlb(tlb, pmd, start);
71710 +#endif
71711 +
71712 }
71713
71714 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
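Review bot: In free_pmd_range the `pmd = pmd_offset(pud, start);` assignment is left outside the new `#if`, so with CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD both set the value is computed and never used. The free_pud_range hunk below puts its `pud_offset()` call inside the guard; moving `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` above the `pmd_offset()` line would make the two functions consistent. Neither guard has a comment saying why the upper-level entry must not be cleared in that configuration. Something like `/* per-CPU PGD: the upper-level entry stays in place */` would help, with the wording to be confirmed by the author.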
71715 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
71716 if (end - 1 > ceiling - 1)
71717 return;
71718
71719 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
71720 pud = pud_offset(pgd, start);
71721 pgd_clear(pgd);
71722 pud_free_tlb(tlb, pud, start);
71723 +#endif
71724 +
71725 }
71726
71727 /*
71728 @@ -1410,12 +1417,6 @@ no_page_table:
71729 return page;
71730 }
71731
71732 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
71733 -{
71734 - return stack_guard_page_start(vma, addr) ||
71735 - stack_guard_page_end(vma, addr+PAGE_SIZE);
71736 -}
71737 -
71738 /**
71739 * __get_user_pages() - pin user pages in memory
71740 * @tsk: task_struct of target task
71741 @@ -1488,10 +1489,10 @@ int __get_user_pages(struct task_struct
71742 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
71743 i = 0;
71744
71745 - do {
71746 + while (nr_pages) {
71747 struct vm_area_struct *vma;
71748
71749 - vma = find_extend_vma(mm, start);
71750 + vma = find_vma(mm, start);
71751 if (!vma && in_gate_area(mm, start)) {
71752 unsigned long pg = start & PAGE_MASK;
71753 pgd_t *pgd;
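Review bot: Replacing `find_extend_vma()` with `find_vma()` means the returned vma may begin above `start`, and the check that rejects this (`start < vma->vm_start`) only arrives in the following hunk, after the gate-area branch. A comment at the lookup such as `/* no implicit stack expansion; a vma above start is rejected below */` would tie the two together. Turning `do { … } while (nr_pages)` into `while (nr_pages)` also makes a call with `nr_pages == 0` return 0 without looking up any vma, a behaviour change worth a line in the changelog. The loop body continues outside the hunk.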
71754 @@ -1539,7 +1540,7 @@ int __get_user_pages(struct task_struct
71755 goto next_page;
71756 }
71757
71758 - if (!vma ||
71759 + if (!vma || start < vma->vm_start ||
71760 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
71761 !(vm_flags & vma->vm_flags))
71762 return i ? : -EFAULT;
71763 @@ -1566,11 +1567,6 @@ int __get_user_pages(struct task_struct
71764 int ret;
71765 unsigned int fault_flags = 0;
71766
71767 - /* For mlock, just skip the stack guard page. */
71768 - if (foll_flags & FOLL_MLOCK) {
71769 - if (stack_guard_page(vma, start))
71770 - goto next_page;
71771 - }
71772 if (foll_flags & FOLL_WRITE)
71773 fault_flags |= FAULT_FLAG_WRITE;
71774 if (nonblocking)
71775 @@ -1644,7 +1640,7 @@ next_page:
71776 start += PAGE_SIZE;
71777 nr_pages--;
71778 } while (nr_pages && start < vma->vm_end);
71779 - } while (nr_pages);
71780 + }
71781 return i;
71782 }
71783 EXPORT_SYMBOL(__get_user_pages);
71784 @@ -1795,6 +1791,10 @@ static int insert_page(struct vm_area_st
71785 page_add_file_rmap(page);
71786 set_pte_at(mm, addr, pte, mk_pte(page, prot));
71787
71788 +#ifdef CONFIG_PAX_SEGMEXEC
71789 + pax_mirror_file_pte(vma, addr, page, ptl);
71790 +#endif
71791 +
71792 retval = 0;
71793 pte_unmap_unlock(pte, ptl);
71794 return retval;
71795 @@ -1829,10 +1829,22 @@ out:
71796 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
71797 struct page *page)
71798 {
71799 +
71800 +#ifdef CONFIG_PAX_SEGMEXEC
71801 + struct vm_area_struct *vma_m;
71802 +#endif
71803 +
71804 if (addr < vma->vm_start || addr >= vma->vm_end)
71805 return -EFAULT;
71806 if (!page_count(page))
71807 return -EINVAL;
71808 +
71809 +#ifdef CONFIG_PAX_SEGMEXEC
71810 + vma_m = pax_find_mirror_vma(vma);
71811 + if (vma_m)
71812 + vma_m->vm_flags |= VM_INSERTPAGE;
71813 +#endif
71814 +
71815 vma->vm_flags |= VM_INSERTPAGE;
71816 return insert_page(vma, addr, page, vma->vm_page_prot);
71817 }
71818 @@ -1918,6 +1930,7 @@ int vm_insert_mixed(struct vm_area_struc
71819 unsigned long pfn)
71820 {
71821 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
71822 + BUG_ON(vma->vm_mirror);
71823
71824 if (addr < vma->vm_start || addr >= vma->vm_end)
71825 return -EFAULT;
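Review bot: `BUG_ON(vma->vm_mirror);` is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, unlike the other mirror accesses in this file's hunks, which go through `pax_find_mirror_vma()` under the guard. It compiles only if `vm_mirror` is declared unconditionally in the vma structure, which is not visible here. A comment such as `/* mixed maps have no mirror handling */` would also say why a mirrored vma is treated as fatal instead of being rejected with an error return.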
71826 @@ -2233,6 +2246,186 @@ static inline void cow_user_page(struct
71827 copy_user_highpage(dst, src, va, vma);
71828 }
71829
71830 +#ifdef CONFIG_PAX_SEGMEXEC
71831 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
71832 +{
71833 + struct mm_struct *mm = vma->vm_mm;
71834 + spinlock_t *ptl;
71835 + pte_t *pte, entry;
71836 +
71837 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
71838 + entry = *pte;
71839 + if (!pte_present(entry)) {
71840 + if (!pte_none(entry)) {
71841 + BUG_ON(pte_file(entry));
71842 + free_swap_and_cache(pte_to_swp_entry(entry));
71843 + pte_clear_not_present_full(mm, address, pte, 0);
71844 + }
71845 + } else {
71846 + struct page *page;
71847 +
71848 + flush_cache_page(vma, address, pte_pfn(entry));
71849 + entry = ptep_clear_flush(vma, address, pte);
71850 + BUG_ON(pte_dirty(entry));
71851 + page = vm_normal_page(vma, address, entry);
71852 + if (page) {
71853 + update_hiwater_rss(mm);
71854 + if (PageAnon(page))
71855 + dec_mm_counter_fast(mm, MM_ANONPAGES);
71856 + else
71857 + dec_mm_counter_fast(mm, MM_FILEPAGES);
71858 + page_remove_rmap(page);
71859 + page_cache_release(page);
71860 + }
71861 + }
71862 + pte_unmap_unlock(pte, ptl);
71863 +}
71864 +
71865 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
71866 + *
71867 + * the ptl of the lower mapped page is held on entry and is not released on exit
71868 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
71869 + */
71870 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71871 +{
71872 + struct mm_struct *mm = vma->vm_mm;
71873 + unsigned long address_m;
71874 + spinlock_t *ptl_m;
71875 + struct vm_area_struct *vma_m;
71876 + pmd_t *pmd_m;
71877 + pte_t *pte_m, entry_m;
71878 +
71879 + BUG_ON(!page_m || !PageAnon(page_m));
71880 +
71881 + vma_m = pax_find_mirror_vma(vma);
71882 + if (!vma_m)
71883 + return;
71884 +
71885 + BUG_ON(!PageLocked(page_m));
71886 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71887 + address_m = address + SEGMEXEC_TASK_SIZE;
71888 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71889 + pte_m = pte_offset_map(pmd_m, address_m);
71890 + ptl_m = pte_lockptr(mm, pmd_m);
71891 + if (ptl != ptl_m) {
71892 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71893 + if (!pte_none(*pte_m))
71894 + goto out;
71895 + }
71896 +
71897 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71898 + page_cache_get(page_m);
71899 + page_add_anon_rmap(page_m, vma_m, address_m);
71900 + inc_mm_counter_fast(mm, MM_ANONPAGES);
71901 + set_pte_at(mm, address_m, pte_m, entry_m);
71902 + update_mmu_cache(vma_m, address_m, entry_m);
71903 +out:
71904 + if (ptl != ptl_m)
71905 + spin_unlock(ptl_m);
71906 + pte_unmap(pte_m);
71907 + unlock_page(page_m);
71908 +}
71909 +
71910 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71911 +{
71912 + struct mm_struct *mm = vma->vm_mm;
71913 + unsigned long address_m;
71914 + spinlock_t *ptl_m;
71915 + struct vm_area_struct *vma_m;
71916 + pmd_t *pmd_m;
71917 + pte_t *pte_m, entry_m;
71918 +
71919 + BUG_ON(!page_m || PageAnon(page_m));
71920 +
71921 + vma_m = pax_find_mirror_vma(vma);
71922 + if (!vma_m)
71923 + return;
71924 +
71925 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71926 + address_m = address + SEGMEXEC_TASK_SIZE;
71927 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71928 + pte_m = pte_offset_map(pmd_m, address_m);
71929 + ptl_m = pte_lockptr(mm, pmd_m);
71930 + if (ptl != ptl_m) {
71931 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71932 + if (!pte_none(*pte_m))
71933 + goto out;
71934 + }
71935 +
71936 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71937 + page_cache_get(page_m);
71938 + page_add_file_rmap(page_m);
71939 + inc_mm_counter_fast(mm, MM_FILEPAGES);
71940 + set_pte_at(mm, address_m, pte_m, entry_m);
71941 + update_mmu_cache(vma_m, address_m, entry_m);
71942 +out:
71943 + if (ptl != ptl_m)
71944 + spin_unlock(ptl_m);
71945 + pte_unmap(pte_m);
71946 +}
71947 +
71948 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
71949 +{
71950 + struct mm_struct *mm = vma->vm_mm;
71951 + unsigned long address_m;
71952 + spinlock_t *ptl_m;
71953 + struct vm_area_struct *vma_m;
71954 + pmd_t *pmd_m;
71955 + pte_t *pte_m, entry_m;
71956 +
71957 + vma_m = pax_find_mirror_vma(vma);
71958 + if (!vma_m)
71959 + return;
71960 +
71961 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71962 + address_m = address + SEGMEXEC_TASK_SIZE;
71963 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71964 + pte_m = pte_offset_map(pmd_m, address_m);
71965 + ptl_m = pte_lockptr(mm, pmd_m);
71966 + if (ptl != ptl_m) {
71967 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71968 + if (!pte_none(*pte_m))
71969 + goto out;
71970 + }
71971 +
71972 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
71973 + set_pte_at(mm, address_m, pte_m, entry_m);
71974 +out:
71975 + if (ptl != ptl_m)
71976 + spin_unlock(ptl_m);
71977 + pte_unmap(pte_m);
71978 +}
71979 +
71980 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
71981 +{
71982 + struct page *page_m;
71983 + pte_t entry;
71984 +
71985 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
71986 + goto out;
71987 +
71988 + entry = *pte;
71989 + page_m = vm_normal_page(vma, address, entry);
71990 + if (!page_m)
71991 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
71992 + else if (PageAnon(page_m)) {
71993 + if (pax_find_mirror_vma(vma)) {
71994 + pte_unmap_unlock(pte, ptl);
71995 + lock_page(page_m);
71996 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
71997 + if (pte_same(entry, *pte))
71998 + pax_mirror_anon_pte(vma, address, page_m, ptl);
71999 + else
72000 + unlock_page(page_m);
72001 + }
72002 + } else
72003 + pax_mirror_file_pte(vma, address, page_m, ptl);
72004 +
72005 +out:
72006 + pte_unmap_unlock(pte, ptl);
72007 +}
72008 +#endif
72009 +
72010 /*
72011 * This routine handles present pages, when users try to write
72012 * to a shared page. It is done by copying the page to a new address
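Review bot: The comment above pax_mirror_anon_pte() documents the ptl but not the page lock, which is the less obvious half of the contract. The function returns early without unlocking when there is no mirror, asserts `PageLocked(page_m)` once a mirror is found, and calls `unlock_page(page_m)` on the way out. So callers must lock the page only when `pax_find_mirror_vma()` succeeds and must not unlock it afterwards. Adding a line such as `page_m must be locked on entry if the vma has a mirror and is unlocked on exit` would make the call sites checkable. Separately, the three pax_mirror_*_pte() helpers repeat the same lookup-and-lock sequence, and the `pte_none(*pte_m)` test runs only when `ptl != ptl_m`; the comment should state whether an occupied mirror entry may be overwritten when both locks are the same.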
72013 @@ -2444,6 +2637,12 @@ gotten:
72014 */
72015 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72016 if (likely(pte_same(*page_table, orig_pte))) {
72017 +
72018 +#ifdef CONFIG_PAX_SEGMEXEC
72019 + if (pax_find_mirror_vma(vma))
72020 + BUG_ON(!trylock_page(new_page));
72021 +#endif
72022 +
72023 if (old_page) {
72024 if (!PageAnon(old_page)) {
72025 dec_mm_counter_fast(mm, MM_FILEPAGES);
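Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition, a required side effect, inside an assertion macro. The code is correct only as long as BUG_ON always evaluates its argument, and a reader looking for where the page gets locked will not look inside an assertion. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the behaviour and makes the lock visible. The same construct appears in the do_anonymous_page hunk as `BUG_ON(!trylock_page(page));`.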
72026 @@ -2495,6 +2694,10 @@ gotten:
72027 page_remove_rmap(old_page);
72028 }
72029
72030 +#ifdef CONFIG_PAX_SEGMEXEC
72031 + pax_mirror_anon_pte(vma, address, new_page, ptl);
72032 +#endif
72033 +
72034 /* Free the old page.. */
72035 new_page = old_page;
72036 ret |= VM_FAULT_WRITE;
72037 @@ -2905,6 +3108,11 @@ static int do_swap_page(struct mm_struct
72038 swap_free(entry);
72039 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72040 try_to_free_swap(page);
72041 +
72042 +#ifdef CONFIG_PAX_SEGMEXEC
72043 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72044 +#endif
72045 +
72046 unlock_page(page);
72047 if (swapcache) {
72048 /*
72049 @@ -2928,6 +3136,11 @@ static int do_swap_page(struct mm_struct
72050
72051 /* No need to invalidate - it was non-present before */
72052 update_mmu_cache(vma, address, page_table);
72053 +
72054 +#ifdef CONFIG_PAX_SEGMEXEC
72055 + pax_mirror_anon_pte(vma, address, page, ptl);
72056 +#endif
72057 +
72058 unlock:
72059 pte_unmap_unlock(page_table, ptl);
72060 out:
72061 @@ -2947,40 +3160,6 @@ out_release:
72062 }
72063
72064 /*
72065 - * This is like a special single-page "expand_{down|up}wards()",
72066 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
72067 - * doesn't hit another vma.
72068 - */
72069 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72070 -{
72071 - address &= PAGE_MASK;
72072 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72073 - struct vm_area_struct *prev = vma->vm_prev;
72074 -
72075 - /*
72076 - * Is there a mapping abutting this one below?
72077 - *
72078 - * That's only ok if it's the same stack mapping
72079 - * that has gotten split..
72080 - */
72081 - if (prev && prev->vm_end == address)
72082 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72083 -
72084 - expand_stack(vma, address - PAGE_SIZE);
72085 - }
72086 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72087 - struct vm_area_struct *next = vma->vm_next;
72088 -
72089 - /* As VM_GROWSDOWN but s/below/above/ */
72090 - if (next && next->vm_start == address + PAGE_SIZE)
72091 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72092 -
72093 - expand_upwards(vma, address + PAGE_SIZE);
72094 - }
72095 - return 0;
72096 -}
72097 -
72098 -/*
72099 * We enter with non-exclusive mmap_sem (to exclude vma changes,
72100 * but allow concurrent faults), and pte mapped but not yet locked.
72101 * We return with mmap_sem still held, but pte unmapped and unlocked.
72102 @@ -2989,27 +3168,23 @@ static int do_anonymous_page(struct mm_s
72103 unsigned long address, pte_t *page_table, pmd_t *pmd,
72104 unsigned int flags)
72105 {
72106 - struct page *page;
72107 + struct page *page = NULL;
72108 spinlock_t *ptl;
72109 pte_t entry;
72110
72111 - pte_unmap(page_table);
72112 -
72113 - /* Check if we need to add a guard page to the stack */
72114 - if (check_stack_guard_page(vma, address) < 0)
72115 - return VM_FAULT_SIGBUS;
72116 -
72117 - /* Use the zero-page for reads */
72118 if (!(flags & FAULT_FLAG_WRITE)) {
72119 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72120 vma->vm_page_prot));
72121 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72122 + ptl = pte_lockptr(mm, pmd);
72123 + spin_lock(ptl);
72124 if (!pte_none(*page_table))
72125 goto unlock;
72126 goto setpte;
72127 }
72128
72129 /* Allocate our own private page. */
72130 + pte_unmap(page_table);
72131 +
72132 if (unlikely(anon_vma_prepare(vma)))
72133 goto oom;
72134 page = alloc_zeroed_user_highpage_movable(vma, address);
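Review bot: `page` is now initialised to NULL, and the only reason visible in the patch is the `if (page)` test added at `setpte:` in a later hunk, which skips pax_mirror_anon_pte() on the zero-page path; the declaration should say so, e.g. `/* stays NULL on the read (zero-page) path */`. The patch also deletes the `/* Use the zero-page for reads */` comment although the branch it described is kept, so that line should stay. With the entry `pte_unmap(page_table)` gone, the read path takes the lock through `pte_lockptr()` and `spin_lock()` and therefore relies on the caller's mapping of `page_table` still being valid, which deserves a one-line comment as well. The function body continues outside the hunk.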
72135 @@ -3028,6 +3203,11 @@ static int do_anonymous_page(struct mm_s
72136 if (!pte_none(*page_table))
72137 goto release;
72138
72139 +#ifdef CONFIG_PAX_SEGMEXEC
72140 + if (pax_find_mirror_vma(vma))
72141 + BUG_ON(!trylock_page(page));
72142 +#endif
72143 +
72144 inc_mm_counter_fast(mm, MM_ANONPAGES);
72145 page_add_new_anon_rmap(page, vma, address);
72146 setpte:
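Review bot: `BUG_ON(!trylock_page(page));` puts the lock acquisition inside an assertion macro, so the page lock this path depends on is taken only as a by-product of evaluating the BUG_ON argument. Writing it as `if (!trylock_page(page))` followed by `BUG();` keeps the side effect in ordinary code and does not depend on how BUG_ON treats its argument in a given configuration, which cannot be checked from this hunk. The same form is used in the __do_fault() hunk below and, as `BUG_ON(pax_mirror_vma(vma_m, vma));`, in mmap_region() in mm/mmap.c. do_anonymous_page() starts and ends outside the hunk.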
72147 @@ -3035,6 +3215,12 @@ setpte:
72148
72149 /* No need to invalidate - it was non-present before */
72150 update_mmu_cache(vma, address, page_table);
72151 +
72152 +#ifdef CONFIG_PAX_SEGMEXEC
72153 + if (page)
72154 + pax_mirror_anon_pte(vma, address, page, ptl);
72155 +#endif
72156 +
72157 unlock:
72158 pte_unmap_unlock(page_table, ptl);
72159 return 0;
72160 @@ -3172,6 +3358,12 @@ static int __do_fault(struct mm_struct *
72161 */
72162 /* Only go through if we didn't race with anybody else... */
72163 if (likely(pte_same(*page_table, orig_pte))) {
72164 +
72165 +#ifdef CONFIG_PAX_SEGMEXEC
72166 + if (anon && pax_find_mirror_vma(vma))
72167 + BUG_ON(!trylock_page(page));
72168 +#endif
72169 +
72170 flush_icache_page(vma, page);
72171 entry = mk_pte(page, vma->vm_page_prot);
72172 if (flags & FAULT_FLAG_WRITE)
72173 @@ -3191,6 +3383,14 @@ static int __do_fault(struct mm_struct *
72174
72175 /* no need to invalidate: a not-present page won't be cached */
72176 update_mmu_cache(vma, address, page_table);
72177 +
72178 +#ifdef CONFIG_PAX_SEGMEXEC
72179 + if (anon)
72180 + pax_mirror_anon_pte(vma, address, page, ptl);
72181 + else
72182 + pax_mirror_file_pte(vma, address, page, ptl);
72183 +#endif
72184 +
72185 } else {
72186 if (charged)
72187 mem_cgroup_uncharge_page(page);
72188 @@ -3338,6 +3538,12 @@ int handle_pte_fault(struct mm_struct *m
72189 if (flags & FAULT_FLAG_WRITE)
72190 flush_tlb_fix_spurious_fault(vma, address);
72191 }
72192 +
72193 +#ifdef CONFIG_PAX_SEGMEXEC
72194 + pax_mirror_pte(vma, address, pte, pmd, ptl);
72195 + return 0;
72196 +#endif
72197 +
72198 unlock:
72199 pte_unmap_unlock(pte, ptl);
72200 return 0;
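Review bot: With CONFIG_PAX_SEGMEXEC set, the added `return 0;` leaves handle_pte_fault() without reaching `pte_unmap_unlock(pte, ptl)`, so the fall-through path relies on pax_mirror_pte() to unmap and unlock, while every `goto unlock` path still releases the lock itself. That contract is not stated in the hunk and pax_mirror_pte() is defined elsewhere. Once confirmed, a comment such as `/* pax_mirror_pte() unmaps pte and drops ptl */` above the call would stop a later edit from inserting code between the call and the label on the assumption that the lock is still held. The function starts outside the hunk.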
72201 @@ -3354,6 +3560,10 @@ int handle_mm_fault(struct mm_struct *mm
72202 pmd_t *pmd;
72203 pte_t *pte;
72204
72205 +#ifdef CONFIG_PAX_SEGMEXEC
72206 + struct vm_area_struct *vma_m;
72207 +#endif
72208 +
72209 __set_current_state(TASK_RUNNING);
72210
72211 count_vm_event(PGFAULT);
72212 @@ -3364,6 +3574,34 @@ int handle_mm_fault(struct mm_struct *mm
72213 if (unlikely(is_vm_hugetlb_page(vma)))
72214 return hugetlb_fault(mm, vma, address, flags);
72215
72216 +#ifdef CONFIG_PAX_SEGMEXEC
72217 + vma_m = pax_find_mirror_vma(vma);
72218 + if (vma_m) {
72219 + unsigned long address_m;
72220 + pgd_t *pgd_m;
72221 + pud_t *pud_m;
72222 + pmd_t *pmd_m;
72223 +
72224 + if (vma->vm_start > vma_m->vm_start) {
72225 + address_m = address;
72226 + address -= SEGMEXEC_TASK_SIZE;
72227 + vma = vma_m;
72228 + } else
72229 + address_m = address + SEGMEXEC_TASK_SIZE;
72230 +
72231 + pgd_m = pgd_offset(mm, address_m);
72232 + pud_m = pud_alloc(mm, pgd_m, address_m);
72233 + if (!pud_m)
72234 + return VM_FAULT_OOM;
72235 + pmd_m = pmd_alloc(mm, pud_m, address_m);
72236 + if (!pmd_m)
72237 + return VM_FAULT_OOM;
72238 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
72239 + return VM_FAULT_OOM;
72240 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72241 + }
72242 +#endif
72243 +
72244 pgd = pgd_offset(mm, address);
72245 pud = pud_alloc(mm, pgd, address);
72246 if (!pud)
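Review bot: In the branch taken when `vma->vm_start > vma_m->vm_start`, `vma` is replaced by `vma_m` but `vma_m` itself is left unchanged, so the later `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receive the lower vma together with an address in the upper range. In the `else` branch the same calls get a vma that does contain `address_m`. If the asymmetry is intended (the callee is not visible here), a one-line comment should say so; otherwise swap the two pointers through a temporary so that `vma_m` always names the vma covering `address_m`. The `if` arm is braced and the `else` arm is not, which kernel style asks to make uniform. handle_mm_fault() starts and ends outside the hunk.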
72247 @@ -3393,7 +3631,7 @@ int handle_mm_fault(struct mm_struct *mm
72248 * run pte_offset_map on the pmd, if an huge pmd could
72249 * materialize from under us from a different thread.
72250 */
72251 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
72252 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
72253 return VM_FAULT_OOM;
72254 /* if an huge pmd materialized from under us just retry later */
72255 if (unlikely(pmd_trans_huge(*pmd)))
72256 @@ -3497,7 +3735,7 @@ static int __init gate_vma_init(void)
72257 gate_vma.vm_start = FIXADDR_USER_START;
72258 gate_vma.vm_end = FIXADDR_USER_END;
72259 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72260 - gate_vma.vm_page_prot = __P101;
72261 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72262 /*
72263 * Make sure the vDSO gets into every core dump.
72264 * Dumping its contents makes post-mortem fully interpretable later
72265 diff -urNp linux-2.6.39.1/mm/memory-failure.c linux-2.6.39.1/mm/memory-failure.c
72266 --- linux-2.6.39.1/mm/memory-failure.c 2011-05-19 00:06:34.000000000 -0400
72267 +++ linux-2.6.39.1/mm/memory-failure.c 2011-05-22 19:36:33.000000000 -0400
72268 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
72269
72270 int sysctl_memory_failure_recovery __read_mostly = 1;
72271
72272 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72273 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72274
72275 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
72276
72277 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
72278 }
72279
72280 nr_pages = 1 << compound_trans_order(hpage);
72281 - atomic_long_add(nr_pages, &mce_bad_pages);
72282 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
72283
72284 /*
72285 * We need/can do nothing about count=0 pages.
72286 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
72287 if (!PageHWPoison(hpage)
72288 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
72289 || (p != hpage && TestSetPageHWPoison(hpage))) {
72290 - atomic_long_sub(nr_pages, &mce_bad_pages);
72291 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72292 return 0;
72293 }
72294 set_page_hwpoison_huge_page(hpage);
72295 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
72296 }
72297 if (hwpoison_filter(p)) {
72298 if (TestClearPageHWPoison(p))
72299 - atomic_long_sub(nr_pages, &mce_bad_pages);
72300 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72301 unlock_page(hpage);
72302 put_page(hpage);
72303 return 0;
72304 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
72305 return 0;
72306 }
72307 if (TestClearPageHWPoison(p))
72308 - atomic_long_sub(nr_pages, &mce_bad_pages);
72309 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72310 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
72311 return 0;
72312 }
72313 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
72314 */
72315 if (TestClearPageHWPoison(page)) {
72316 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
72317 - atomic_long_sub(nr_pages, &mce_bad_pages);
72318 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72319 freeit = 1;
72320 if (PageHuge(page))
72321 clear_page_hwpoison_huge_page(page);
72322 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
72323 }
72324 done:
72325 if (!PageHWPoison(hpage))
72326 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
72327 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
72328 set_page_hwpoison_huge_page(hpage);
72329 dequeue_hwpoisoned_huge_page(hpage);
72330 /* keep elevated page count for bad page */
72331 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
72332 return ret;
72333
72334 done:
72335 - atomic_long_add(1, &mce_bad_pages);
72336 + atomic_long_add_unchecked(1, &mce_bad_pages);
72337 SetPageHWPoison(page);
72338 /* keep elevated page count for bad page */
72339 return ret;
72340 diff -urNp linux-2.6.39.1/mm/mempolicy.c linux-2.6.39.1/mm/mempolicy.c
72341 --- linux-2.6.39.1/mm/mempolicy.c 2011-05-19 00:06:34.000000000 -0400
72342 +++ linux-2.6.39.1/mm/mempolicy.c 2011-05-22 19:41:42.000000000 -0400
72343 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
72344 unsigned long vmstart;
72345 unsigned long vmend;
72346
72347 +#ifdef CONFIG_PAX_SEGMEXEC
72348 + struct vm_area_struct *vma_m;
72349 +#endif
72350 +
72351 vma = find_vma_prev(mm, start, &prev);
72352 if (!vma || vma->vm_start > start)
72353 return -EFAULT;
72354 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
72355 err = policy_vma(vma, new_pol);
72356 if (err)
72357 goto out;
72358 +
72359 +#ifdef CONFIG_PAX_SEGMEXEC
72360 + vma_m = pax_find_mirror_vma(vma);
72361 + if (vma_m) {
72362 + err = policy_vma(vma_m, new_pol);
72363 + if (err)
72364 + goto out;
72365 + }
72366 +#endif
72367 +
72368 }
72369
72370 out:
72371 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
72372
72373 if (end < start)
72374 return -EINVAL;
72375 +
72376 +#ifdef CONFIG_PAX_SEGMEXEC
72377 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72378 + if (end > SEGMEXEC_TASK_SIZE)
72379 + return -EINVAL;
72380 + } else
72381 +#endif
72382 +
72383 + if (end > TASK_SIZE)
72384 + return -EINVAL;
72385 +
72386 if (end == start)
72387 return 0;
72388
72389 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72390 if (!mm)
72391 goto out;
72392
72393 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72394 + if (mm != current->mm &&
72395 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72396 + err = -EPERM;
72397 + goto out;
72398 + }
72399 +#endif
72400 +
72401 /*
72402 * Check if this process has the right to modify the specified
72403 * process. The right exists if the process has administrative
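Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` depends on `&` binding tighter than `||` and reads the field twice; `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` expresses the same condition as a single mask. The block is also placed ahead of the permission check, so it ends in -EPERM before the `capable(CAP_SYS_NICE)` test in the next hunk and a privileged caller is refused too. A short comment stating that this ordering is deliberate would keep it from being read as a mistake. The identical block is added to move_pages() in mm/migrate.c.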
72404 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72405 rcu_read_lock();
72406 tcred = __task_cred(task);
72407 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72408 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72409 - !capable(CAP_SYS_NICE)) {
72410 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72411 rcu_read_unlock();
72412 err = -EPERM;
72413 goto out;
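Review bot: Dropping `cred->uid != tcred->uid` from the condition means a caller is no longer admitted merely because its real uid equals the target's real uid, but the comment block that introduces this check (it begins in the previous hunk and is only partly visible) is not touched by the patch. If that comment still lists the same-userid case, it should be reworded to the three comparisons that remain: euid against suid, euid against uid, and uid against suid. The same edit is made to move_pages() in mm/migrate.c.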
72414 @@ -2634,7 +2666,7 @@ int show_numa_map(struct seq_file *m, vo
72415
72416 if (file) {
72417 seq_printf(m, " file=");
72418 - seq_path(m, &file->f_path, "\n\t= ");
72419 + seq_path(m, &file->f_path, "\n\t\\= ");
72420 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72421 seq_printf(m, " heap");
72422 } else if (vma->vm_start <= mm->start_stack &&
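Review bot: The escape set passed to seq_path() changes from `"\n\t= "` to `"\n\t\\= "`, i.e. a backslash joins the characters that get escaped, presumably so that a backslash in a file name cannot be confused with an escape sequence produced by seq_path() itself when this output is parsed. The call site carries no comment, and the doubled backslash is easy to read as a typo. Once the intent is confirmed, `/* escape backslash too, so escaped output stays unambiguous */` above the call would record it. show_numa_map() starts and ends outside the hunk.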
72423 diff -urNp linux-2.6.39.1/mm/migrate.c linux-2.6.39.1/mm/migrate.c
72424 --- linux-2.6.39.1/mm/migrate.c 2011-05-19 00:06:34.000000000 -0400
72425 +++ linux-2.6.39.1/mm/migrate.c 2011-05-22 19:41:42.000000000 -0400
72426 @@ -1133,6 +1133,8 @@ static int do_pages_move(struct mm_struc
72427 unsigned long chunk_start;
72428 int err;
72429
72430 + pax_track_stack();
72431 +
72432 task_nodes = cpuset_mems_allowed(task);
72433
72434 err = -ENOMEM;
72435 @@ -1317,6 +1319,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72436 if (!mm)
72437 return -EINVAL;
72438
72439 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72440 + if (mm != current->mm &&
72441 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72442 + err = -EPERM;
72443 + goto out;
72444 + }
72445 +#endif
72446 +
72447 /*
72448 * Check if this process has the right to modify the specified
72449 * process. The right exists if the process has administrative
72450 @@ -1326,8 +1336,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72451 rcu_read_lock();
72452 tcred = __task_cred(task);
72453 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72454 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72455 - !capable(CAP_SYS_NICE)) {
72456 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72457 rcu_read_unlock();
72458 err = -EPERM;
72459 goto out;
72460 diff -urNp linux-2.6.39.1/mm/mlock.c linux-2.6.39.1/mm/mlock.c
72461 --- linux-2.6.39.1/mm/mlock.c 2011-05-19 00:06:34.000000000 -0400
72462 +++ linux-2.6.39.1/mm/mlock.c 2011-05-22 19:41:42.000000000 -0400
72463 @@ -13,6 +13,7 @@
72464 #include <linux/pagemap.h>
72465 #include <linux/mempolicy.h>
72466 #include <linux/syscalls.h>
72467 +#include <linux/security.h>
72468 #include <linux/sched.h>
72469 #include <linux/module.h>
72470 #include <linux/rmap.h>
72471 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
72472 return -EINVAL;
72473 if (end == start)
72474 return 0;
72475 + if (end > TASK_SIZE)
72476 + return -EINVAL;
72477 +
72478 vma = find_vma_prev(current->mm, start, &prev);
72479 if (!vma || vma->vm_start > start)
72480 return -ENOMEM;
72481 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
72482 for (nstart = start ; ; ) {
72483 unsigned int newflags;
72484
72485 +#ifdef CONFIG_PAX_SEGMEXEC
72486 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72487 + break;
72488 +#endif
72489 +
72490 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72491
72492 newflags = vma->vm_flags | VM_LOCKED;
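Review bot: When a SEGMEXEC task's range reaches a vma at or above SEGMEXEC_TASK_SIZE, the added `break` leaves the loop with whatever the error variable holds at that moment, whereas do_mbind() in mm/mempolicy.c rejects the equivalent range up front with -EINVAL, and the range check added to do_mlock() in the previous hunk compares `end` only with TASK_SIZE. If stopping silently is intended, a comment should say that addresses from SEGMEXEC_TASK_SIZE upward are skipped on purpose; otherwise an early `end > SEGMEXEC_TASK_SIZE` rejection as in do_mbind() would make the two paths agree. do_mlockall() receives the same `break` in a later hunk. The loop body continues outside the hunk.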
72493 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72494 lock_limit >>= PAGE_SHIFT;
72495
72496 /* check against resource limits */
72497 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72498 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72499 error = do_mlock(start, len, 1);
72500 up_write(&current->mm->mmap_sem);
72501 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72502 static int do_mlockall(int flags)
72503 {
72504 struct vm_area_struct * vma, * prev = NULL;
72505 - unsigned int def_flags = 0;
72506
72507 if (flags & MCL_FUTURE)
72508 - def_flags = VM_LOCKED;
72509 - current->mm->def_flags = def_flags;
72510 + current->mm->def_flags |= VM_LOCKED;
72511 + else
72512 + current->mm->def_flags &= ~VM_LOCKED;
72513 if (flags == MCL_FUTURE)
72514 goto out;
72515
72516 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72517 - unsigned int newflags;
72518 + unsigned long newflags;
72519 +
72520 +#ifdef CONFIG_PAX_SEGMEXEC
72521 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72522 + break;
72523 +#endif
72524
72525 + BUG_ON(vma->vm_end > TASK_SIZE);
72526 newflags = vma->vm_flags | VM_LOCKED;
72527 if (!(flags & MCL_CURRENT))
72528 newflags &= ~VM_LOCKED;
72529 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
72530 lock_limit >>= PAGE_SHIFT;
72531
72532 ret = -ENOMEM;
72533 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
72534 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72535 capable(CAP_IPC_LOCK))
72536 ret = do_mlockall(flags);
72537 diff -urNp linux-2.6.39.1/mm/mmap.c linux-2.6.39.1/mm/mmap.c
72538 --- linux-2.6.39.1/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
72539 +++ linux-2.6.39.1/mm/mmap.c 2011-05-22 19:41:42.000000000 -0400
72540 @@ -46,6 +46,16 @@
72541 #define arch_rebalance_pgtables(addr, len) (addr)
72542 #endif
72543
72544 +static inline void verify_mm_writelocked(struct mm_struct *mm)
72545 +{
72546 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72547 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72548 + up_read(&mm->mmap_sem);
72549 + BUG();
72550 + }
72551 +#endif
72552 +}
72553 +
72554 static void unmap_region(struct mm_struct *mm,
72555 struct vm_area_struct *vma, struct vm_area_struct *prev,
72556 unsigned long start, unsigned long end);
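Review bot: verify_mm_writelocked() is added without a comment, and what it proves is narrower than its name: a failed `down_read_trylock()` shows that `mmap_sem` cannot currently be read-locked, not that the current task is the writer. A header such as `/* BUG() unless mmap_sem is write-held; cannot tell whether current is the holder */` would keep callers from treating it as an ownership check. The check is compiled in whenever CONFIG_PAX is defined and ends in BUG() rather than a warning, so any caller that reaches it without the write lock held halts the kernel; that deserves a mention in the same comment.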
72557 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
72558 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72559 *
72560 */
72561 -pgprot_t protection_map[16] = {
72562 +pgprot_t protection_map[16] __read_only = {
72563 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72564 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72565 };
72566
72567 pgprot_t vm_get_page_prot(unsigned long vm_flags)
72568 {
72569 - return __pgprot(pgprot_val(protection_map[vm_flags &
72570 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
72571 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
72572 pgprot_val(arch_vm_get_page_prot(vm_flags)));
72573 +
72574 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72575 + if (!(__supported_pte_mask & _PAGE_NX) &&
72576 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72577 + (vm_flags & (VM_READ | VM_WRITE)))
72578 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72579 +#endif
72580 +
72581 + return prot;
72582 }
72583 EXPORT_SYMBOL(vm_get_page_prot);
72584
72585 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
72586 int sysctl_overcommit_ratio = 50; /* default is 50% */
72587 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
72588 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
72589 struct percpu_counter vm_committed_as;
72590
72591 /*
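Review bot: `sysctl_heap_stack_gap` is added without the trailing comment that the overcommit sysctls above it carry, and neither the unit nor the meaning of `64*1024` is stated. check_heap_stack_gap(), added later in this file, compares the value with differences between addresses, so it is a byte count. A comment on the declaration such as `/* bytes kept free next to a stack vma */` would match the surrounding style and tell an administrator what the tunable controls.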
72592 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
72593 struct vm_area_struct *next = vma->vm_next;
72594
72595 might_sleep();
72596 + BUG_ON(vma->vm_mirror);
72597 if (vma->vm_ops && vma->vm_ops->close)
72598 vma->vm_ops->close(vma);
72599 if (vma->vm_file) {
72600 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
72601 * not page aligned -Ram Gupta
72602 */
72603 rlim = rlimit(RLIMIT_DATA);
72604 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
72605 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
72606 (mm->end_data - mm->start_data) > rlim)
72607 goto out;
72608 @@ -719,6 +741,12 @@ static int
72609 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72610 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72611 {
72612 +
72613 +#ifdef CONFIG_PAX_SEGMEXEC
72614 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72615 + return 0;
72616 +#endif
72617 +
72618 if (is_mergeable_vma(vma, file, vm_flags) &&
72619 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72620 if (vma->vm_pgoff == vm_pgoff)
72621 @@ -738,6 +766,12 @@ static int
72622 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72623 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72624 {
72625 +
72626 +#ifdef CONFIG_PAX_SEGMEXEC
72627 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72628 + return 0;
72629 +#endif
72630 +
72631 if (is_mergeable_vma(vma, file, vm_flags) &&
72632 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72633 pgoff_t vm_pglen;
72634 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
72635 struct vm_area_struct *vma_merge(struct mm_struct *mm,
72636 struct vm_area_struct *prev, unsigned long addr,
72637 unsigned long end, unsigned long vm_flags,
72638 - struct anon_vma *anon_vma, struct file *file,
72639 + struct anon_vma *anon_vma, struct file *file,
72640 pgoff_t pgoff, struct mempolicy *policy)
72641 {
72642 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72643 struct vm_area_struct *area, *next;
72644 int err;
72645
72646 +#ifdef CONFIG_PAX_SEGMEXEC
72647 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72648 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72649 +
72650 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72651 +#endif
72652 +
72653 /*
72654 * We later require that vma->vm_flags == vm_flags,
72655 * so this tests vma->vm_flags & VM_SPECIAL, too.
72656 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
72657 if (next && next->vm_end == end) /* cases 6, 7, 8 */
72658 next = next->vm_next;
72659
72660 +#ifdef CONFIG_PAX_SEGMEXEC
72661 + if (prev)
72662 + prev_m = pax_find_mirror_vma(prev);
72663 + if (area)
72664 + area_m = pax_find_mirror_vma(area);
72665 + if (next)
72666 + next_m = pax_find_mirror_vma(next);
72667 +#endif
72668 +
72669 /*
72670 * Can it merge with the predecessor?
72671 */
72672 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
72673 /* cases 1, 6 */
72674 err = vma_adjust(prev, prev->vm_start,
72675 next->vm_end, prev->vm_pgoff, NULL);
72676 - } else /* cases 2, 5, 7 */
72677 +
72678 +#ifdef CONFIG_PAX_SEGMEXEC
72679 + if (!err && prev_m)
72680 + err = vma_adjust(prev_m, prev_m->vm_start,
72681 + next_m->vm_end, prev_m->vm_pgoff, NULL);
72682 +#endif
72683 +
72684 + } else { /* cases 2, 5, 7 */
72685 err = vma_adjust(prev, prev->vm_start,
72686 end, prev->vm_pgoff, NULL);
72687 +
72688 +#ifdef CONFIG_PAX_SEGMEXEC
72689 + if (!err && prev_m)
72690 + err = vma_adjust(prev_m, prev_m->vm_start,
72691 + end_m, prev_m->vm_pgoff, NULL);
72692 +#endif
72693 +
72694 + }
72695 if (err)
72696 return NULL;
72697 khugepaged_enter_vma_merge(prev);
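Review bot: The mirror adjustment for cases 1 and 6 is guarded by `prev_m` alone, yet it dereferences `next_m->vm_end`; other call sites in this patch test the result of pax_find_mirror_vma() for NULL, so the code relies on an unstated invariant that a mergeable `next` is mirrored whenever `prev` is. Asserting it next to the lookup, e.g. `BUG_ON(prev_m && next && !next_m);`, or at least stating it in a comment, would turn a possible NULL dereference into a diagnosable failure. Separately, when the first vma_adjust() succeeds and the mirror call fails, the function returns NULL with `prev` already resized, which needs a comment explaining why that cannot happen or how the two ranges are brought back in step. The next hunk has the same shape for cases 3 and 8, where `area_m` is tested and `next_m` is dereferenced. vma_merge() starts and ends outside the hunk.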
72698 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
72699 mpol_equal(policy, vma_policy(next)) &&
72700 can_vma_merge_before(next, vm_flags,
72701 anon_vma, file, pgoff+pglen)) {
72702 - if (prev && addr < prev->vm_end) /* case 4 */
72703 + if (prev && addr < prev->vm_end) { /* case 4 */
72704 err = vma_adjust(prev, prev->vm_start,
72705 addr, prev->vm_pgoff, NULL);
72706 - else /* cases 3, 8 */
72707 +
72708 +#ifdef CONFIG_PAX_SEGMEXEC
72709 + if (!err && prev_m)
72710 + err = vma_adjust(prev_m, prev_m->vm_start,
72711 + addr_m, prev_m->vm_pgoff, NULL);
72712 +#endif
72713 +
72714 + } else { /* cases 3, 8 */
72715 err = vma_adjust(area, addr, next->vm_end,
72716 next->vm_pgoff - pglen, NULL);
72717 +
72718 +#ifdef CONFIG_PAX_SEGMEXEC
72719 + if (!err && area_m)
72720 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
72721 + next_m->vm_pgoff - pglen, NULL);
72722 +#endif
72723 +
72724 + }
72725 if (err)
72726 return NULL;
72727 khugepaged_enter_vma_merge(area);
72728 @@ -958,14 +1038,11 @@ none:
72729 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72730 struct file *file, long pages)
72731 {
72732 - const unsigned long stack_flags
72733 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72734 -
72735 if (file) {
72736 mm->shared_vm += pages;
72737 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
72738 mm->exec_vm += pages;
72739 - } else if (flags & stack_flags)
72740 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
72741 mm->stack_vm += pages;
72742 if (flags & (VM_RESERVED|VM_IO))
72743 mm->reserved_vm += pages;
72744 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
72745 * (the exception is when the underlying filesystem is noexec
72746 * mounted, in which case we dont add PROT_EXEC.)
72747 */
72748 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
72749 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
72750 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
72751 prot |= PROT_EXEC;
72752
72753 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
72754 /* Obtain the address to map to. we verify (or select) it and ensure
72755 * that it represents a valid section of the address space.
72756 */
72757 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
72758 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
72759 if (addr & ~PAGE_MASK)
72760 return addr;
72761
72762 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
72763 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
72764 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
72765
72766 +#ifdef CONFIG_PAX_MPROTECT
72767 + if (mm->pax_flags & MF_PAX_MPROTECT) {
72768 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
72769 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
72770 + gr_log_rwxmmap(file);
72771 +
72772 +#ifdef CONFIG_PAX_EMUPLT
72773 + vm_flags &= ~VM_EXEC;
72774 +#else
72775 + return -EPERM;
72776 +#endif
72777 +
72778 + }
72779 +
72780 + if (!(vm_flags & VM_EXEC))
72781 + vm_flags &= ~VM_MAYEXEC;
72782 +#else
72783 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
72784 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
72785 +#endif
72786 + else
72787 + vm_flags &= ~VM_MAYWRITE;
72788 + }
72789 +#endif
72790 +
72791 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72792 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
72793 + vm_flags &= ~VM_PAGEEXEC;
72794 +#endif
72795 +
72796 if (flags & MAP_LOCKED)
72797 if (!can_do_mlock())
72798 return -EPERM;
72799 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
72800 locked += mm->locked_vm;
72801 lock_limit = rlimit(RLIMIT_MEMLOCK);
72802 lock_limit >>= PAGE_SHIFT;
72803 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72804 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
72805 return -EAGAIN;
72806 }
72807 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
72808 if (error)
72809 return error;
72810
72811 + if (!gr_acl_handle_mmap(file, prot))
72812 + return -EACCES;
72813 +
72814 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
72815 }
72816 EXPORT_SYMBOL(do_mmap_pgoff);
72817 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
72818 */
72819 int vma_wants_writenotify(struct vm_area_struct *vma)
72820 {
72821 - unsigned int vm_flags = vma->vm_flags;
72822 + unsigned long vm_flags = vma->vm_flags;
72823
72824 /* If it was private or non-writable, the write bit is already clear */
72825 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
72826 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
72827 return 0;
72828
72829 /* The backer wishes to know when pages are first written to? */
72830 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
72831 unsigned long charged = 0;
72832 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
72833
72834 +#ifdef CONFIG_PAX_SEGMEXEC
72835 + struct vm_area_struct *vma_m = NULL;
72836 +#endif
72837 +
72838 + /*
72839 + * mm->mmap_sem is required to protect against another thread
72840 + * changing the mappings in case we sleep.
72841 + */
72842 + verify_mm_writelocked(mm);
72843 +
72844 /* Clear old maps */
72845 error = -ENOMEM;
72846 -munmap_back:
72847 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72848 if (vma && vma->vm_start < addr + len) {
72849 if (do_munmap(mm, addr, len))
72850 return -ENOMEM;
72851 - goto munmap_back;
72852 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72853 + BUG_ON(vma && vma->vm_start < addr + len);
72854 }
72855
72856 /* Check against address space limit. */
72857 @@ -1295,6 +1416,16 @@ munmap_back:
72858 goto unacct_error;
72859 }
72860
72861 +#ifdef CONFIG_PAX_SEGMEXEC
72862 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72863 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72864 + if (!vma_m) {
72865 + error = -ENOMEM;
72866 + goto free_vma;
72867 + }
72868 + }
72869 +#endif
72870 +
72871 vma->vm_mm = mm;
72872 vma->vm_start = addr;
72873 vma->vm_end = addr + len;
72874 @@ -1318,6 +1449,19 @@ munmap_back:
72875 error = file->f_op->mmap(file, vma);
72876 if (error)
72877 goto unmap_and_free_vma;
72878 +
72879 +#ifdef CONFIG_PAX_SEGMEXEC
72880 + if (vma_m && (vm_flags & VM_EXECUTABLE))
72881 + added_exe_file_vma(mm);
72882 +#endif
72883 +
72884 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72885 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72886 + vma->vm_flags |= VM_PAGEEXEC;
72887 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
72888 + }
72889 +#endif
72890 +
72891 if (vm_flags & VM_EXECUTABLE)
72892 added_exe_file_vma(mm);
72893
72894 @@ -1353,6 +1497,11 @@ munmap_back:
72895 vma_link(mm, vma, prev, rb_link, rb_parent);
72896 file = vma->vm_file;
72897
72898 +#ifdef CONFIG_PAX_SEGMEXEC
72899 + if (vma_m)
72900 + BUG_ON(pax_mirror_vma(vma_m, vma));
72901 +#endif
72902 +
72903 /* Once vma denies write, undo our temporary denial count */
72904 if (correct_wcount)
72905 atomic_inc(&inode->i_writecount);
72906 @@ -1361,6 +1510,7 @@ out:
72907
72908 mm->total_vm += len >> PAGE_SHIFT;
72909 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
72910 + track_exec_limit(mm, addr, addr + len, vm_flags);
72911 if (vm_flags & VM_LOCKED) {
72912 if (!mlock_vma_pages_range(vma, addr, addr + len))
72913 mm->locked_vm += (len >> PAGE_SHIFT);
72914 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
72915 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
72916 charged = 0;
72917 free_vma:
72918 +
72919 +#ifdef CONFIG_PAX_SEGMEXEC
72920 + if (vma_m)
72921 + kmem_cache_free(vm_area_cachep, vma_m);
72922 +#endif
72923 +
72924 kmem_cache_free(vm_area_cachep, vma);
72925 unacct_error:
72926 if (charged)
72927 @@ -1385,6 +1541,44 @@ unacct_error:
72928 return error;
72929 }
72930
72931 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
72932 +{
72933 + if (!vma) {
72934 +#ifdef CONFIG_STACK_GROWSUP
72935 + if (addr > sysctl_heap_stack_gap)
72936 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
72937 + else
72938 + vma = find_vma(current->mm, 0);
72939 + if (vma && (vma->vm_flags & VM_GROWSUP))
72940 + return false;
72941 +#endif
72942 + return true;
72943 + }
72944 +
72945 + if (addr + len > vma->vm_start)
72946 + return false;
72947 +
72948 + if (vma->vm_flags & VM_GROWSDOWN)
72949 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
72950 +#ifdef CONFIG_STACK_GROWSUP
72951 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
72952 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
72953 +#endif
72954 +
72955 + return true;
72956 +}
72957 +
72958 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
72959 +{
72960 + if (vma->vm_start < len)
72961 + return -ENOMEM;
72962 + if (!(vma->vm_flags & VM_GROWSDOWN))
72963 + return vma->vm_start - len;
72964 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
72965 + return vma->vm_start - len - sysctl_heap_stack_gap;
72966 + return -ENOMEM;
72967 +}
72968 +
72969 /* Get an address range which is currently unmapped.
72970 * For shmat() with addr=0.
72971 *
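Review bot: The two stack-gap comparisons in check_heap_stack_gap() point in opposite directions: next to a VM_GROWSDOWN vma the function returns true when `sysctl_heap_stack_gap <= vma->vm_start - addr - len`, i.e. when enough room is left, but under CONFIG_STACK_GROWSUP it returns true when `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, i.e. when the candidate lies within the gap above an upward-growing stack. Unless that is deliberate, the second test should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions also lack a header comment: check_heap_stack_gap() should state that true means the range may be used, and skip_heap_stack_gap() that it returns -ENOMEM through its `unsigned long` result, which callers have to recognise as an error value rather than an address.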
72972 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
72973 if (flags & MAP_FIXED)
72974 return addr;
72975
72976 +#ifdef CONFIG_PAX_RANDMMAP
72977 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72978 +#endif
72979 +
72980 if (addr) {
72981 addr = PAGE_ALIGN(addr);
72982 - vma = find_vma(mm, addr);
72983 - if (TASK_SIZE - len >= addr &&
72984 - (!vma || addr + len <= vma->vm_start))
72985 - return addr;
72986 + if (TASK_SIZE - len >= addr) {
72987 + vma = find_vma(mm, addr);
72988 + if (check_heap_stack_gap(vma, addr, len))
72989 + return addr;
72990 + }
72991 }
72992 if (len > mm->cached_hole_size) {
72993 - start_addr = addr = mm->free_area_cache;
72994 + start_addr = addr = mm->free_area_cache;
72995 } else {
72996 - start_addr = addr = TASK_UNMAPPED_BASE;
72997 - mm->cached_hole_size = 0;
72998 + start_addr = addr = mm->mmap_base;
72999 + mm->cached_hole_size = 0;
73000 }
73001
73002 full_search:
73003 @@ -1433,34 +1632,40 @@ full_search:
73004 * Start a new search - just in case we missed
73005 * some holes.
73006 */
73007 - if (start_addr != TASK_UNMAPPED_BASE) {
73008 - addr = TASK_UNMAPPED_BASE;
73009 - start_addr = addr;
73010 + if (start_addr != mm->mmap_base) {
73011 + start_addr = addr = mm->mmap_base;
73012 mm->cached_hole_size = 0;
73013 goto full_search;
73014 }
73015 return -ENOMEM;
73016 }
73017 - if (!vma || addr + len <= vma->vm_start) {
73018 - /*
73019 - * Remember the place where we stopped the search:
73020 - */
73021 - mm->free_area_cache = addr + len;
73022 - return addr;
73023 - }
73024 + if (check_heap_stack_gap(vma, addr, len))
73025 + break;
73026 if (addr + mm->cached_hole_size < vma->vm_start)
73027 mm->cached_hole_size = vma->vm_start - addr;
73028 addr = vma->vm_end;
73029 }
73030 +
73031 + /*
73032 + * Remember the place where we stopped the search:
73033 + */
73034 + mm->free_area_cache = addr + len;
73035 + return addr;
73036 }
73037 #endif
73038
73039 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73040 {
73041 +
73042 +#ifdef CONFIG_PAX_SEGMEXEC
73043 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73044 + return;
73045 +#endif
73046 +
73047 /*
73048 * Is this a new hole at the lowest possible address?
73049 */
73050 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73051 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73052 mm->free_area_cache = addr;
73053 mm->cached_hole_size = ~0UL;
73054 }
73055 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
73056 {
73057 struct vm_area_struct *vma;
73058 struct mm_struct *mm = current->mm;
73059 - unsigned long addr = addr0;
73060 + unsigned long base = mm->mmap_base, addr = addr0;
73061
73062 /* requested length too big for entire address space */
73063 if (len > TASK_SIZE)
73064 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
73065 if (flags & MAP_FIXED)
73066 return addr;
73067
73068 +#ifdef CONFIG_PAX_RANDMMAP
73069 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73070 +#endif
73071 +
73072 /* requesting a specific address */
73073 if (addr) {
73074 addr = PAGE_ALIGN(addr);
73075 - vma = find_vma(mm, addr);
73076 - if (TASK_SIZE - len >= addr &&
73077 - (!vma || addr + len <= vma->vm_start))
73078 - return addr;
73079 + if (TASK_SIZE - len >= addr) {
73080 + vma = find_vma(mm, addr);
73081 + if (check_heap_stack_gap(vma, addr, len))
73082 + return addr;
73083 + }
73084 }
73085
73086 /* check if free_area_cache is useful for us */
73087 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
73088 /* make sure it can fit in the remaining address space */
73089 if (addr > len) {
73090 vma = find_vma(mm, addr-len);
73091 - if (!vma || addr <= vma->vm_start)
73092 + if (check_heap_stack_gap(vma, addr - len, len))
73093 /* remember the address as a hint for next time */
73094 return (mm->free_area_cache = addr-len);
73095 }
73096 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
73097 * return with success:
73098 */
73099 vma = find_vma(mm, addr);
73100 - if (!vma || addr+len <= vma->vm_start)
73101 + if (check_heap_stack_gap(vma, addr, len))
73102 /* remember the address as a hint for next time */
73103 return (mm->free_area_cache = addr);
73104
73105 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
73106 mm->cached_hole_size = vma->vm_start - addr;
73107
73108 /* try just below the current vma->vm_start */
73109 - addr = vma->vm_start-len;
73110 - } while (len < vma->vm_start);
73111 + addr = skip_heap_stack_gap(vma, len);
73112 + } while (!IS_ERR_VALUE(addr));
73113
73114 bottomup:
73115 /*
73116 @@ -1544,13 +1754,21 @@ bottomup:
73117 * can happen with large stack limits and large mmap()
73118 * allocations.
73119 */
73120 + mm->mmap_base = TASK_UNMAPPED_BASE;
73121 +
73122 +#ifdef CONFIG_PAX_RANDMMAP
73123 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73124 + mm->mmap_base += mm->delta_mmap;
73125 +#endif
73126 +
73127 + mm->free_area_cache = mm->mmap_base;
73128 mm->cached_hole_size = ~0UL;
73129 - mm->free_area_cache = TASK_UNMAPPED_BASE;
73130 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73131 /*
73132 * Restore the topdown base:
73133 */
73134 - mm->free_area_cache = mm->mmap_base;
73135 + mm->mmap_base = base;
73136 + mm->free_area_cache = base;
73137 mm->cached_hole_size = ~0UL;
73138
73139 return addr;
73140 @@ -1559,6 +1777,12 @@ bottomup:
73141
73142 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73143 {
73144 +
73145 +#ifdef CONFIG_PAX_SEGMEXEC
73146 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73147 + return;
73148 +#endif
73149 +
73150 /*
73151 * Is this a new hole at the highest possible address?
73152 */
73153 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
73154 mm->free_area_cache = addr;
73155
73156 /* dont allow allocations above current base */
73157 - if (mm->free_area_cache > mm->mmap_base)
73158 + if (mm->free_area_cache > mm->mmap_base) {
73159 mm->free_area_cache = mm->mmap_base;
73160 + mm->cached_hole_size = ~0UL;
73161 + }
73162 }
73163
73164 unsigned long
73165 @@ -1675,6 +1901,28 @@ out:
73166 return prev ? prev->vm_next : vma;
73167 }
73168
73169 +#ifdef CONFIG_PAX_SEGMEXEC
73170 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73171 +{
73172 + struct vm_area_struct *vma_m;
73173 +
73174 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73175 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73176 + BUG_ON(vma->vm_mirror);
73177 + return NULL;
73178 + }
73179 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73180 + vma_m = vma->vm_mirror;
73181 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73182 + BUG_ON(vma->vm_file != vma_m->vm_file);
73183 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73184 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
73185 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
73186 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73187 + return vma_m;
73188 +}
73189 +#endif
73190 +
73191 /*
73192 * Verify that the stack growth is acceptable and
73193 * update accounting. This is shared with both the
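Review bot: The anon_vma assertion in pax_find_mirror_vma, `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)`, dereferences `->root` on both sides whenever the two pointers differ, so a state where exactly one of them is NULL faults inside the assertion instead of being reported by it. Checking that case first, e.g. `BUG_ON(!vma->anon_vma != !vma_m->anon_vma);` ahead of the root comparison, keeps the diagnostic meaningful. The function also has no header comment; one stating that it returns NULL for a VMA without a mirror and otherwise asserts that the pair agrees on file, size, page offset and the unmasked flags would help readers of the callers in the later hunks.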
73194 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
73195 return -ENOMEM;
73196
73197 /* Stack limit test */
73198 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
73199 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
73200 return -ENOMEM;
73201
73202 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
73203 locked = mm->locked_vm + grow;
73204 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
73205 limit >>= PAGE_SHIFT;
73206 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73207 if (locked > limit && !capable(CAP_IPC_LOCK))
73208 return -ENOMEM;
73209 }
73210 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
73211 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73212 * vma is the last one with address > vma->vm_end. Have to extend vma.
73213 */
73214 +#ifndef CONFIG_IA64
73215 +static
73216 +#endif
73217 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73218 {
73219 int error;
73220 + bool locknext;
73221
73222 if (!(vma->vm_flags & VM_GROWSUP))
73223 return -EFAULT;
73224
73225 + /* Also guard against wrapping around to address 0. */
73226 + if (address < PAGE_ALIGN(address+1))
73227 + address = PAGE_ALIGN(address+1);
73228 + else
73229 + return -ENOMEM;
73230 +
73231 /*
73232 * We must make sure the anon_vma is allocated
73233 * so that the anon_vma locking is not a noop.
73234 */
73235 if (unlikely(anon_vma_prepare(vma)))
73236 return -ENOMEM;
73237 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73238 + if (locknext && anon_vma_prepare(vma->vm_next))
73239 + return -ENOMEM;
73240 vma_lock_anon_vma(vma);
73241 + if (locknext)
73242 + vma_lock_anon_vma(vma->vm_next);
73243
73244 /*
73245 * vma->vm_start/vm_end cannot change under us because the caller
73246 * is required to hold the mmap_sem in read mode. We need the
73247 - * anon_vma lock to serialize against concurrent expand_stacks.
73248 - * Also guard against wrapping around to address 0.
73249 + * anon_vma locks to serialize against concurrent expand_stacks
73250 + * and expand_upwards.
73251 */
73252 - if (address < PAGE_ALIGN(address+4))
73253 - address = PAGE_ALIGN(address+4);
73254 - else {
73255 - vma_unlock_anon_vma(vma);
73256 - return -ENOMEM;
73257 - }
73258 error = 0;
73259
73260 /* Somebody else might have raced and expanded it already */
73261 - if (address > vma->vm_end) {
73262 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73263 + error = -ENOMEM;
73264 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73265 unsigned long size, grow;
73266
73267 size = address - vma->vm_start;
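Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction that only means "distance to the next VMA" while `address <= vma->vm_next->vm_start`; if a caller ever passed an address beyond that, the difference wraps, the test passes, and with `locknext` false the `else if` accepts the expansion. Callers presumably guarantee the ordering, but making it explicit costs one comparison: `vma->vm_next->vm_start < address || vma->vm_next->vm_start - address < sysctl_heap_stack_gap`. The expand_downwards hunk has the mirrored form `address - prev->vm_end`. The retained comment "Somebody else might have raced and expanded it already" now sits above the gap test rather than the race test, and the order in which the two anon_vma locks are taken (lower VMA first, as in expand_downwards) deserves a line in the locking comment. expand_upwards continues after the hunk.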
73268 @@ -1776,6 +2037,8 @@ int expand_upwards(struct vm_area_struct
73269 }
73270 }
73271 }
73272 + if (locknext)
73273 + vma_unlock_anon_vma(vma->vm_next);
73274 vma_unlock_anon_vma(vma);
73275 khugepaged_enter_vma_merge(vma);
73276 return error;
73277 @@ -1789,6 +2052,8 @@ static int expand_downwards(struct vm_ar
73278 unsigned long address)
73279 {
73280 int error;
73281 + bool lockprev = false;
73282 + struct vm_area_struct *prev;
73283
73284 /*
73285 * We must make sure the anon_vma is allocated
73286 @@ -1802,6 +2067,15 @@ static int expand_downwards(struct vm_ar
73287 if (error)
73288 return error;
73289
73290 + prev = vma->vm_prev;
73291 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73292 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73293 +#endif
73294 + if (lockprev && anon_vma_prepare(prev))
73295 + return -ENOMEM;
73296 + if (lockprev)
73297 + vma_lock_anon_vma(prev);
73298 +
73299 vma_lock_anon_vma(vma);
73300
73301 /*
73302 @@ -1811,9 +2085,17 @@ static int expand_downwards(struct vm_ar
73303 */
73304
73305 /* Somebody else might have raced and expanded it already */
73306 - if (address < vma->vm_start) {
73307 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73308 + error = -ENOMEM;
73309 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73310 unsigned long size, grow;
73311
73312 +#ifdef CONFIG_PAX_SEGMEXEC
73313 + struct vm_area_struct *vma_m;
73314 +
73315 + vma_m = pax_find_mirror_vma(vma);
73316 +#endif
73317 +
73318 size = vma->vm_end - address;
73319 grow = (vma->vm_start - address) >> PAGE_SHIFT;
73320
73321 @@ -1823,11 +2105,22 @@ static int expand_downwards(struct vm_ar
73322 if (!error) {
73323 vma->vm_start = address;
73324 vma->vm_pgoff -= grow;
73325 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73326 +
73327 +#ifdef CONFIG_PAX_SEGMEXEC
73328 + if (vma_m) {
73329 + vma_m->vm_start -= grow << PAGE_SHIFT;
73330 + vma_m->vm_pgoff -= grow;
73331 + }
73332 +#endif
73333 +
73334 perf_event_mmap(vma);
73335 }
73336 }
73337 }
73338 vma_unlock_anon_vma(vma);
73339 + if (lockprev)
73340 + vma_unlock_anon_vma(prev);
73341 khugepaged_enter_vma_merge(vma);
73342 return error;
73343 }
73344 @@ -1902,6 +2195,13 @@ static void remove_vma_list(struct mm_st
73345 do {
73346 long nrpages = vma_pages(vma);
73347
73348 +#ifdef CONFIG_PAX_SEGMEXEC
73349 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73350 + vma = remove_vma(vma);
73351 + continue;
73352 + }
73353 +#endif
73354 +
73355 mm->total_vm -= nrpages;
73356 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73357 vma = remove_vma(vma);
73358 @@ -1947,6 +2247,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73359 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73360 vma->vm_prev = NULL;
73361 do {
73362 +
73363 +#ifdef CONFIG_PAX_SEGMEXEC
73364 + if (vma->vm_mirror) {
73365 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73366 + vma->vm_mirror->vm_mirror = NULL;
73367 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
73368 + vma->vm_mirror = NULL;
73369 + }
73370 +#endif
73371 +
73372 rb_erase(&vma->vm_rb, &mm->mm_rb);
73373 mm->map_count--;
73374 tail_vma = vma;
73375 @@ -1975,14 +2285,33 @@ static int __split_vma(struct mm_struct
73376 struct vm_area_struct *new;
73377 int err = -ENOMEM;
73378
73379 +#ifdef CONFIG_PAX_SEGMEXEC
73380 + struct vm_area_struct *vma_m, *new_m = NULL;
73381 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73382 +#endif
73383 +
73384 if (is_vm_hugetlb_page(vma) && (addr &
73385 ~(huge_page_mask(hstate_vma(vma)))))
73386 return -EINVAL;
73387
73388 +#ifdef CONFIG_PAX_SEGMEXEC
73389 + vma_m = pax_find_mirror_vma(vma);
73390 +#endif
73391 +
73392 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73393 if (!new)
73394 goto out_err;
73395
73396 +#ifdef CONFIG_PAX_SEGMEXEC
73397 + if (vma_m) {
73398 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73399 + if (!new_m) {
73400 + kmem_cache_free(vm_area_cachep, new);
73401 + goto out_err;
73402 + }
73403 + }
73404 +#endif
73405 +
73406 /* most fields are the same, copy all, and then fixup */
73407 *new = *vma;
73408
73409 @@ -1995,6 +2324,22 @@ static int __split_vma(struct mm_struct
73410 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73411 }
73412
73413 +#ifdef CONFIG_PAX_SEGMEXEC
73414 + if (vma_m) {
73415 + *new_m = *vma_m;
73416 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
73417 + new_m->vm_mirror = new;
73418 + new->vm_mirror = new_m;
73419 +
73420 + if (new_below)
73421 + new_m->vm_end = addr_m;
73422 + else {
73423 + new_m->vm_start = addr_m;
73424 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73425 + }
73426 + }
73427 +#endif
73428 +
73429 pol = mpol_dup(vma_policy(vma));
73430 if (IS_ERR(pol)) {
73431 err = PTR_ERR(pol);
73432 @@ -2020,6 +2365,42 @@ static int __split_vma(struct mm_struct
73433 else
73434 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73435
73436 +#ifdef CONFIG_PAX_SEGMEXEC
73437 + if (!err && vma_m) {
73438 + if (anon_vma_clone(new_m, vma_m))
73439 + goto out_free_mpol;
73440 +
73441 + mpol_get(pol);
73442 + vma_set_policy(new_m, pol);
73443 +
73444 + if (new_m->vm_file) {
73445 + get_file(new_m->vm_file);
73446 + if (vma_m->vm_flags & VM_EXECUTABLE)
73447 + added_exe_file_vma(mm);
73448 + }
73449 +
73450 + if (new_m->vm_ops && new_m->vm_ops->open)
73451 + new_m->vm_ops->open(new_m);
73452 +
73453 + if (new_below)
73454 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73455 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73456 + else
73457 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73458 +
73459 + if (err) {
73460 + if (new_m->vm_ops && new_m->vm_ops->close)
73461 + new_m->vm_ops->close(new_m);
73462 + if (new_m->vm_file) {
73463 + if (vma_m->vm_flags & VM_EXECUTABLE)
73464 + removed_exe_file_vma(mm);
73465 + fput(new_m->vm_file);
73466 + }
73467 + mpol_put(pol);
73468 + }
73469 + }
73470 +#endif
73471 +
73472 /* Success. */
73473 if (!err)
73474 return 0;
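Review bot: In the SEGMEXEC block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is reached only when `err` is 0, so a failed clone jumps to the cleanup labels with `err` still 0 and __split_vma reports success while the labels in the next hunk free both `new_m` and `new`. By then the preceding `vma_adjust(..., new)` has already succeeded, so `new` appears to be freed while still inserted in the mm, and its file reference and `vm_ops->open` are not undone on this path. At minimum the result should be recorded, `err = anon_vma_clone(new_m, vma_m); if (err) goto out_free_mpol;`, and the clone is better done before the first vma_adjust so that every failure happens while `new` is still private. The `if (err)` branch after the mirror's vma_adjust falls into the same cleanup with `new` already inserted. __split_vma starts before this hunk and ends after it.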
73475 @@ -2032,10 +2413,18 @@ static int __split_vma(struct mm_struct
73476 removed_exe_file_vma(mm);
73477 fput(new->vm_file);
73478 }
73479 - unlink_anon_vmas(new);
73480 out_free_mpol:
73481 mpol_put(pol);
73482 out_free_vma:
73483 +
73484 +#ifdef CONFIG_PAX_SEGMEXEC
73485 + if (new_m) {
73486 + unlink_anon_vmas(new_m);
73487 + kmem_cache_free(vm_area_cachep, new_m);
73488 + }
73489 +#endif
73490 +
73491 + unlink_anon_vmas(new);
73492 kmem_cache_free(vm_area_cachep, new);
73493 out_err:
73494 return err;
73495 @@ -2048,6 +2437,15 @@ static int __split_vma(struct mm_struct
73496 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
73497 unsigned long addr, int new_below)
73498 {
73499 +
73500 +#ifdef CONFIG_PAX_SEGMEXEC
73501 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73502 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
73503 + if (mm->map_count >= sysctl_max_map_count-1)
73504 + return -ENOMEM;
73505 + } else
73506 +#endif
73507 +
73508 if (mm->map_count >= sysctl_max_map_count)
73509 return -ENOMEM;
73510
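Review bot: The SEGMEXEC branch ends in `} else` immediately before `#endif`, so the unchanged `if (mm->map_count >= sysctl_max_map_count)` two lines below is its else-body only when the option is enabled, a pairing that is easy to break with a later edit. The `sysctl_max_map_count-1` bound also has no explanation; a comment such as `/* a split may also create a mirror vma, so reserve one extra slot */` would document it, assuming that is the reason. The mprotect syscall hunk in mm/mprotect.c uses the same `} else` / `#endif` shape ahead of `if (end > TASK_SIZE)`. split_vma continues after the hunk.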
73511 @@ -2059,11 +2457,30 @@ int split_vma(struct mm_struct *mm, stru
73512 * work. This now handles partial unmappings.
73513 * Jeremy Fitzhardinge <jeremy@goop.org>
73514 */
73515 +#ifdef CONFIG_PAX_SEGMEXEC
73516 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73517 +{
73518 + int ret = __do_munmap(mm, start, len);
73519 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73520 + return ret;
73521 +
73522 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73523 +}
73524 +
73525 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73526 +#else
73527 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73528 +#endif
73529 {
73530 unsigned long end;
73531 struct vm_area_struct *vma, *prev, *last;
73532
73533 + /*
73534 + * mm->mmap_sem is required to protect against another thread
73535 + * changing the mappings in case we sleep.
73536 + */
73537 + verify_mm_writelocked(mm);
73538 +
73539 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73540 return -EINVAL;
73541
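Review bot: The new do_munmap wrapper calls `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` only after the first unmap has succeeded, so an error from the second call is returned with the primary range already gone and its mirror possibly still mapped. The wrapper does not bound `start` and `len` against SEGMEXEC_TASK_SIZE itself; the munmap syscall hunk adds that check, but other callers, such as the do_brk call visible later, rely on validation that is not shown here. A comment on the wrapper stating the precondition and the partial-failure behaviour would help, for example `/* caller guarantees start + len <= SEGMEXEC_TASK_SIZE; the mirror range is unmapped second */`. The body of __do_munmap continues outside the hunk.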
73542 @@ -2137,6 +2554,8 @@ int do_munmap(struct mm_struct *mm, unsi
73543 /* Fix up all other VM information */
73544 remove_vma_list(mm, vma);
73545
73546 + track_exec_limit(mm, start, end, 0UL);
73547 +
73548 return 0;
73549 }
73550
73551 @@ -2149,22 +2568,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
73552
73553 profile_munmap(addr);
73554
73555 +#ifdef CONFIG_PAX_SEGMEXEC
73556 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73557 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73558 + return -EINVAL;
73559 +#endif
73560 +
73561 down_write(&mm->mmap_sem);
73562 ret = do_munmap(mm, addr, len);
73563 up_write(&mm->mmap_sem);
73564 return ret;
73565 }
73566
73567 -static inline void verify_mm_writelocked(struct mm_struct *mm)
73568 -{
73569 -#ifdef CONFIG_DEBUG_VM
73570 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73571 - WARN_ON(1);
73572 - up_read(&mm->mmap_sem);
73573 - }
73574 -#endif
73575 -}
73576 -
73577 /*
73578 * this is really a simplified "do_mmap". it only handles
73579 * anonymous maps. eventually we may be able to do some
73580 @@ -2178,6 +2593,7 @@ unsigned long do_brk(unsigned long addr,
73581 struct rb_node ** rb_link, * rb_parent;
73582 pgoff_t pgoff = addr >> PAGE_SHIFT;
73583 int error;
73584 + unsigned long charged;
73585
73586 len = PAGE_ALIGN(len);
73587 if (!len)
73588 @@ -2189,16 +2605,30 @@ unsigned long do_brk(unsigned long addr,
73589
73590 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73591
73592 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73593 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73594 + flags &= ~VM_EXEC;
73595 +
73596 +#ifdef CONFIG_PAX_MPROTECT
73597 + if (mm->pax_flags & MF_PAX_MPROTECT)
73598 + flags &= ~VM_MAYEXEC;
73599 +#endif
73600 +
73601 + }
73602 +#endif
73603 +
73604 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
73605 if (error & ~PAGE_MASK)
73606 return error;
73607
73608 + charged = len >> PAGE_SHIFT;
73609 +
73610 /*
73611 * mlock MCL_FUTURE?
73612 */
73613 if (mm->def_flags & VM_LOCKED) {
73614 unsigned long locked, lock_limit;
73615 - locked = len >> PAGE_SHIFT;
73616 + locked = charged;
73617 locked += mm->locked_vm;
73618 lock_limit = rlimit(RLIMIT_MEMLOCK);
73619 lock_limit >>= PAGE_SHIFT;
73620 @@ -2215,22 +2645,22 @@ unsigned long do_brk(unsigned long addr,
73621 /*
73622 * Clear old maps. this also does some error checking for us
73623 */
73624 - munmap_back:
73625 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73626 if (vma && vma->vm_start < addr + len) {
73627 if (do_munmap(mm, addr, len))
73628 return -ENOMEM;
73629 - goto munmap_back;
73630 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73631 + BUG_ON(vma && vma->vm_start < addr + len);
73632 }
73633
73634 /* Check against address space limits *after* clearing old maps... */
73635 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73636 + if (!may_expand_vm(mm, charged))
73637 return -ENOMEM;
73638
73639 if (mm->map_count > sysctl_max_map_count)
73640 return -ENOMEM;
73641
73642 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
73643 + if (security_vm_enough_memory(charged))
73644 return -ENOMEM;
73645
73646 /* Can we just expand an old private anonymous mapping? */
73647 @@ -2244,7 +2674,7 @@ unsigned long do_brk(unsigned long addr,
73648 */
73649 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73650 if (!vma) {
73651 - vm_unacct_memory(len >> PAGE_SHIFT);
73652 + vm_unacct_memory(charged);
73653 return -ENOMEM;
73654 }
73655
73656 @@ -2258,11 +2688,12 @@ unsigned long do_brk(unsigned long addr,
73657 vma_link(mm, vma, prev, rb_link, rb_parent);
73658 out:
73659 perf_event_mmap(vma);
73660 - mm->total_vm += len >> PAGE_SHIFT;
73661 + mm->total_vm += charged;
73662 if (flags & VM_LOCKED) {
73663 if (!mlock_vma_pages_range(vma, addr, addr + len))
73664 - mm->locked_vm += (len >> PAGE_SHIFT);
73665 + mm->locked_vm += charged;
73666 }
73667 + track_exec_limit(mm, addr, addr + len, flags);
73668 return addr;
73669 }
73670
73671 @@ -2309,8 +2740,10 @@ void exit_mmap(struct mm_struct *mm)
73672 * Walk the list again, actually closing and freeing it,
73673 * with preemption enabled, without holding any MM locks.
73674 */
73675 - while (vma)
73676 + while (vma) {
73677 + vma->vm_mirror = NULL;
73678 vma = remove_vma(vma);
73679 + }
73680
73681 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73682 }
73683 @@ -2324,6 +2757,13 @@ int insert_vm_struct(struct mm_struct *
73684 struct vm_area_struct * __vma, * prev;
73685 struct rb_node ** rb_link, * rb_parent;
73686
73687 +#ifdef CONFIG_PAX_SEGMEXEC
73688 + struct vm_area_struct *vma_m = NULL;
73689 +#endif
73690 +
73691 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
73692 + return -EPERM;
73693 +
73694 /*
73695 * The vm_pgoff of a purely anonymous vma should be irrelevant
73696 * until its first write fault, when page's anon_vma and index
73697 @@ -2346,7 +2786,22 @@ int insert_vm_struct(struct mm_struct *
73698 if ((vma->vm_flags & VM_ACCOUNT) &&
73699 security_vm_enough_memory_mm(mm, vma_pages(vma)))
73700 return -ENOMEM;
73701 +
73702 +#ifdef CONFIG_PAX_SEGMEXEC
73703 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73704 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73705 + if (!vma_m)
73706 + return -ENOMEM;
73707 + }
73708 +#endif
73709 +
73710 vma_link(mm, vma, prev, rb_link, rb_parent);
73711 +
73712 +#ifdef CONFIG_PAX_SEGMEXEC
73713 + if (vma_m)
73714 + BUG_ON(pax_mirror_vma(vma_m, vma));
73715 +#endif
73716 +
73717 return 0;
73718 }
73719
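Review bot: The new `return -ENOMEM` taken when `kmem_cache_zalloc` for `vma_m` fails sits after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has succeeded, so for a VM_ACCOUNT mapping the charge made by that call is not released on this path. Allocating `vma_m` before the accounting test, or adding `vm_unacct_memory(vma_pages(vma));` ahead of the return when VM_ACCOUNT is set, keeps the commit accounting balanced. Separately, `BUG_ON(pax_mirror_vma(vma_m, vma))` turns the -ENOMEM that pax_mirror_vma returns when anon_vma_clone fails into a kernel BUG, although the cause is only memory pressure. insert_vm_struct starts before the hunk.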
73720 @@ -2364,6 +2819,8 @@ struct vm_area_struct *copy_vma(struct v
73721 struct rb_node **rb_link, *rb_parent;
73722 struct mempolicy *pol;
73723
73724 + BUG_ON(vma->vm_mirror);
73725 +
73726 /*
73727 * If anonymous vma has not yet been faulted, update new pgoff
73728 * to match new location, to increase its chance of merging.
73729 @@ -2413,6 +2870,39 @@ struct vm_area_struct *copy_vma(struct v
73730 kmem_cache_free(vm_area_cachep, new_vma);
73731 return NULL;
73732 }
73733 +
73734 +#ifdef CONFIG_PAX_SEGMEXEC
73735 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
73736 +{
73737 + struct vm_area_struct *prev_m;
73738 + struct rb_node **rb_link_m, *rb_parent_m;
73739 + struct mempolicy *pol_m;
73740 +
73741 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
73742 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
73743 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
73744 + *vma_m = *vma;
73745 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
73746 + if (anon_vma_clone(vma_m, vma))
73747 + return -ENOMEM;
73748 + pol_m = vma_policy(vma_m);
73749 + mpol_get(pol_m);
73750 + vma_set_policy(vma_m, pol_m);
73751 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
73752 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
73753 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
73754 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
73755 + if (vma_m->vm_file)
73756 + get_file(vma_m->vm_file);
73757 + if (vma_m->vm_ops && vma_m->vm_ops->open)
73758 + vma_m->vm_ops->open(vma_m);
73759 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
73760 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
73761 + vma_m->vm_mirror = vma;
73762 + vma->vm_mirror = vma_m;
73763 + return 0;
73764 +}
73765 +#endif
73766
73767 /*
73768 * Return true if the calling process may expand its vm space by the passed
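Review bot: pax_mirror_vma returns -ENOMEM when `anon_vma_clone(vma_m, vma)` fails but leaves `vma_m`, which every visible caller allocates with kmem_cache_zalloc, untouched, and the mprotect_fixup hunk in mm/mprotect.c goes to `fail` on that error without a visible `kmem_cache_free(vm_area_cachep, vma_m)`. Either the function should free `vma_m` on failure or a header comment should say that the caller keeps ownership until 0 is returned, e.g. `/* on error vma_m is not linked and remains owned by the caller */`. The result of `find_vma_prepare` for the mirror range is also ignored, so the function assumes nothing is mapped at `vma->vm_start + SEGMEXEC_TASK_SIZE`; an assertion or a comment naming who guarantees that would match the style of the rest of the function.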
73769 @@ -2424,7 +2914,7 @@ int may_expand_vm(struct mm_struct *mm,
73770 unsigned long lim;
73771
73772 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
73773 -
73774 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
73775 if (cur + npages > lim)
73776 return 0;
73777 return 1;
73778 @@ -2495,6 +2985,22 @@ int install_special_mapping(struct mm_st
73779 vma->vm_start = addr;
73780 vma->vm_end = addr + len;
73781
73782 +#ifdef CONFIG_PAX_MPROTECT
73783 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73784 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73785 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
73786 + return -EPERM;
73787 + if (!(vm_flags & VM_EXEC))
73788 + vm_flags &= ~VM_MAYEXEC;
73789 +#else
73790 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73791 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73792 +#endif
73793 + else
73794 + vm_flags &= ~VM_MAYWRITE;
73795 + }
73796 +#endif
73797 +
73798 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
73799 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73800
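Review bot: The `return -EPERM` added for a request with both VM_WRITE and VM_EXEC is taken after `vma` is already being populated in the context lines above (`vma->vm_start = addr;`), so unless the allocation is released elsewhere the VMA is leaked on every rejected request. The check reads only `mm->pax_flags` and `vm_flags`, so it can move ahead of the allocation, or the return can be preceded by `kmem_cache_free(vm_area_cachep, vma);`. The trailing `else vm_flags &= ~VM_MAYWRITE;` pairs with a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, which deserves a one-line comment on each branch. install_special_mapping starts before the hunk and continues after it.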
73801 diff -urNp linux-2.6.39.1/mm/mprotect.c linux-2.6.39.1/mm/mprotect.c
73802 --- linux-2.6.39.1/mm/mprotect.c 2011-05-19 00:06:34.000000000 -0400
73803 +++ linux-2.6.39.1/mm/mprotect.c 2011-05-22 19:41:42.000000000 -0400
73804 @@ -23,10 +23,16 @@
73805 #include <linux/mmu_notifier.h>
73806 #include <linux/migrate.h>
73807 #include <linux/perf_event.h>
73808 +
73809 +#ifdef CONFIG_PAX_MPROTECT
73810 +#include <linux/elf.h>
73811 +#endif
73812 +
73813 #include <asm/uaccess.h>
73814 #include <asm/pgtable.h>
73815 #include <asm/cacheflush.h>
73816 #include <asm/tlbflush.h>
73817 +#include <asm/mmu_context.h>
73818
73819 #ifndef pgprot_modify
73820 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
73821 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
73822 flush_tlb_range(vma, start, end);
73823 }
73824
73825 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73826 +/* called while holding the mmap semaphor for writing except stack expansion */
73827 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
73828 +{
73829 + unsigned long oldlimit, newlimit = 0UL;
73830 +
73831 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
73832 + return;
73833 +
73834 + spin_lock(&mm->page_table_lock);
73835 + oldlimit = mm->context.user_cs_limit;
73836 + if ((prot & VM_EXEC) && oldlimit < end)
73837 + /* USER_CS limit moved up */
73838 + newlimit = end;
73839 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
73840 + /* USER_CS limit moved down */
73841 + newlimit = start;
73842 +
73843 + if (newlimit) {
73844 + mm->context.user_cs_limit = newlimit;
73845 +
73846 +#ifdef CONFIG_SMP
73847 + wmb();
73848 + cpus_clear(mm->context.cpu_user_cs_mask);
73849 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
73850 +#endif
73851 +
73852 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
73853 + }
73854 + spin_unlock(&mm->page_table_lock);
73855 + if (newlimit == end) {
73856 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
73857 +
73858 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
73859 + if (is_vm_hugetlb_page(vma))
73860 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
73861 + else
73862 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
73863 + }
73864 +}
73865 +#endif
73866 +
73867 int
73868 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
73869 unsigned long start, unsigned long end, unsigned long newflags)
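Review bot: The comment on track_exec_limit says it runs with the mmap semaphore held for writing "except stack expansion", but it does not say what protects the `find_vma(mm, oldlimit)` walk and the `change_protection` calls in that case, which run after `page_table_lock` has been dropped. The expand_downwards hunk in mm/mmap.c calls it with the anon_vma lock held, and the comment in expand_upwards states that stack expansion holds mmap_sem only in read mode, so the comment should name the lock the list walk relies on there. A `newlimit` of 0 doubles as "no change", so lowering the limit for a range with `start == 0` is skipped; a remark on that sentinel would help too. The multi-line `for` body with its `if`/`else` would be safer with braces.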
73870 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
73871 int error;
73872 int dirty_accountable = 0;
73873
73874 +#ifdef CONFIG_PAX_SEGMEXEC
73875 + struct vm_area_struct *vma_m = NULL;
73876 + unsigned long start_m, end_m;
73877 +
73878 + start_m = start + SEGMEXEC_TASK_SIZE;
73879 + end_m = end + SEGMEXEC_TASK_SIZE;
73880 +#endif
73881 +
73882 if (newflags == oldflags) {
73883 *pprev = vma;
73884 return 0;
73885 }
73886
73887 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
73888 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
73889 +
73890 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
73891 + return -ENOMEM;
73892 +
73893 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
73894 + return -ENOMEM;
73895 + }
73896 +
73897 /*
73898 * If we make a private mapping writable we increase our commit;
73899 * but (without finer accounting) cannot reduce our commit if we
73900 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
73901 }
73902 }
73903
73904 +#ifdef CONFIG_PAX_SEGMEXEC
73905 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
73906 + if (start != vma->vm_start) {
73907 + error = split_vma(mm, vma, start, 1);
73908 + if (error)
73909 + goto fail;
73910 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
73911 + *pprev = (*pprev)->vm_next;
73912 + }
73913 +
73914 + if (end != vma->vm_end) {
73915 + error = split_vma(mm, vma, end, 0);
73916 + if (error)
73917 + goto fail;
73918 + }
73919 +
73920 + if (pax_find_mirror_vma(vma)) {
73921 + error = __do_munmap(mm, start_m, end_m - start_m);
73922 + if (error)
73923 + goto fail;
73924 + } else {
73925 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73926 + if (!vma_m) {
73927 + error = -ENOMEM;
73928 + goto fail;
73929 + }
73930 + vma->vm_flags = newflags;
73931 + error = pax_mirror_vma(vma_m, vma);
73932 + if (error) {
73933 + vma->vm_flags = oldflags;
73934 + goto fail;
73935 + }
73936 + }
73937 + }
73938 +#endif
73939 +
73940 /*
73941 * First try to merge with previous and/or next vma.
73942 */
73943 @@ -204,9 +306,21 @@ success:
73944 * vm_flags and vm_page_prot are protected by the mmap_sem
73945 * held in write mode.
73946 */
73947 +
73948 +#ifdef CONFIG_PAX_SEGMEXEC
73949 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
73950 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
73951 +#endif
73952 +
73953 vma->vm_flags = newflags;
73954 +
73955 +#ifdef CONFIG_PAX_MPROTECT
73956 + if (mm->binfmt && mm->binfmt->handle_mprotect)
73957 + mm->binfmt->handle_mprotect(vma, newflags);
73958 +#endif
73959 +
73960 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
73961 - vm_get_page_prot(newflags));
73962 + vm_get_page_prot(vma->vm_flags));
73963
73964 if (vma_wants_writenotify(vma)) {
73965 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
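Review bot: After this change `vma->vm_page_prot` is derived from `vma->vm_flags`, so that whatever `mm->binfmt->handle_mprotect(vma, newflags)` did to the flags is honoured, but the unchanged write-notify line right below still uses `vm_get_page_prot(newflags & ~VM_SHARED)` and would drop such an adjustment. If the hook can alter `vma->vm_flags`, as the switch away from `newflags` suggests, that line should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. The SEGMEXEC statement `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` also dereferences the result of a helper that returns NULL for a VMA it considers unmirrored; a short comment on why a mirror must exist at this point would help. mprotect_fixup starts before the hunk and continues after it.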
73966 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73967 end = start + len;
73968 if (end <= start)
73969 return -ENOMEM;
73970 +
73971 +#ifdef CONFIG_PAX_SEGMEXEC
73972 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73973 + if (end > SEGMEXEC_TASK_SIZE)
73974 + return -EINVAL;
73975 + } else
73976 +#endif
73977 +
73978 + if (end > TASK_SIZE)
73979 + return -EINVAL;
73980 +
73981 if (!arch_validate_prot(prot))
73982 return -EINVAL;
73983
73984 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73985 /*
73986 * Does the application expect PROT_READ to imply PROT_EXEC:
73987 */
73988 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73989 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73990 prot |= PROT_EXEC;
73991
73992 vm_flags = calc_vm_prot_bits(prot);
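Review bot: The comment kept above the changed condition still says only that PROT_READ implies PROT_EXEC, but the new test `prot & (PROT_READ | PROT_WRITE)` also turns a write-only request into an executable one when READ_IMPLIES_EXEC is set. Update the comment to match, e.g. `/* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC: */`. It should also say why PROT_WRITE was added, since the hunk gives no reason and the change widens what becomes executable for such personalities.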
73993 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73994 if (start > vma->vm_start)
73995 prev = vma;
73996
73997 +#ifdef CONFIG_PAX_MPROTECT
73998 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
73999 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
74000 +#endif
74001 +
74002 for (nstart = start ; ; ) {
74003 unsigned long newflags;
74004
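Review bot: The added `handle_mprotect(vma, vm_flags)` call sits before the `for (nstart = start ; ; )` loop, so it runs once, on the first VMA of the range only, and before the VM_MAY* permission test inside the loop. mprotect_fixup() in this patch calls the same hook again with `newflags`. Nothing here says why the first VMA needs the early call or whether later VMAs of a multi-VMA range are meant to skip it. A comment such as `/* let the binfmt hook see the first vma before its VM_MAY* bits are checked below */` would record the intent, if that is the intent; the hook's body is not visible in this part of the patch.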
74005 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74006
74007 /* newflags >> 4 shift VM_MAY% in place of VM_% */
74008 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74009 + if (prot & (PROT_WRITE | PROT_EXEC))
74010 + gr_log_rwxmprotect(vma->vm_file);
74011 +
74012 + error = -EACCES;
74013 + goto out;
74014 + }
74015 +
74016 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74017 error = -EACCES;
74018 goto out;
74019 }
74020 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74021 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74022 if (error)
74023 goto out;
74024 +
74025 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
74026 +
74027 nstart = tmp;
74028
74029 if (nstart < prev->vm_end)
74030 diff -urNp linux-2.6.39.1/mm/mremap.c linux-2.6.39.1/mm/mremap.c
74031 --- linux-2.6.39.1/mm/mremap.c 2011-05-19 00:06:34.000000000 -0400
74032 +++ linux-2.6.39.1/mm/mremap.c 2011-05-22 19:36:33.000000000 -0400
74033 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
74034 continue;
74035 pte = ptep_clear_flush(vma, old_addr, old_pte);
74036 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74037 +
74038 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74039 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74040 + pte = pte_exprotect(pte);
74041 +#endif
74042 +
74043 set_pte_at(mm, new_addr, new_pte, pte);
74044 }
74045
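Review bot: The CONFIG_ARCH_TRACK_EXEC_LIMIT condition added to move_ptes() packs three facts into one uncommented line. They are no NX support in `__supported_pte_mask`, a destination VMA with VM_PAGEEXEC set, and VM_EXEC clear. Suggest a comment above the `if`, e.g. `/* PAGEEXEC without hardware NX: a pte moved into a non-executable vma must stay exec-protected */`. move_ptes() begins and ends outside this hunk.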
74046 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
74047 if (is_vm_hugetlb_page(vma))
74048 goto Einval;
74049
74050 +#ifdef CONFIG_PAX_SEGMEXEC
74051 + if (pax_find_mirror_vma(vma))
74052 + goto Einval;
74053 +#endif
74054 +
74055 /* We can't remap across vm area boundaries */
74056 if (old_len > vma->vm_end - addr)
74057 goto Efault;
74058 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
74059 unsigned long ret = -EINVAL;
74060 unsigned long charged = 0;
74061 unsigned long map_flags;
74062 + unsigned long pax_task_size = TASK_SIZE;
74063
74064 if (new_addr & ~PAGE_MASK)
74065 goto out;
74066
74067 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74068 +#ifdef CONFIG_PAX_SEGMEXEC
74069 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74070 + pax_task_size = SEGMEXEC_TASK_SIZE;
74071 +#endif
74072 +
74073 + pax_task_size -= PAGE_SIZE;
74074 +
74075 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74076 goto out;
74077
74078 /* Check if the location we're moving into overlaps the
74079 * old location at all, and fail if it does.
74080 */
74081 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
74082 - goto out;
74083 -
74084 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
74085 + if (addr + old_len > new_addr && new_addr + new_len > addr)
74086 goto out;
74087
74088 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
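Review bot: The rewritten bound in mremap_to() still compares `new_len` with `TASK_SIZE` while the address is compared with `pax_task_size - new_len`; for a `new_len` between the two limits the unsigned subtraction wraps and the second test can no longer fail. do_mremap() in a later hunk checks `new_len > pax_task_size` before calling in, which appears to cover it today, but the helper should not depend on its caller: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The `pax_task_size -= PAGE_SIZE;` line also deserves a one-line comment saying what the reserved page is for. mremap_to() continues outside this hunk.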
74089 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
74090 struct vm_area_struct *vma;
74091 unsigned long ret = -EINVAL;
74092 unsigned long charged = 0;
74093 + unsigned long pax_task_size = TASK_SIZE;
74094
74095 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74096 goto out;
74097 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
74098 if (!new_len)
74099 goto out;
74100
74101 +#ifdef CONFIG_PAX_SEGMEXEC
74102 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74103 + pax_task_size = SEGMEXEC_TASK_SIZE;
74104 +#endif
74105 +
74106 + pax_task_size -= PAGE_SIZE;
74107 +
74108 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74109 + old_len > pax_task_size || addr > pax_task_size-old_len)
74110 + goto out;
74111 +
74112 if (flags & MREMAP_FIXED) {
74113 if (flags & MREMAP_MAYMOVE)
74114 ret = mremap_to(addr, old_len, new_addr, new_len);
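Review bot: The added range test runs before the `flags & MREMAP_FIXED` dispatch and never looks at `flags`, so `addr > pax_task_size-new_len` fails the call whenever growing in place would cross the limit, including MREMAP_MAYMOVE requests that could be satisfied by relocating the mapping. If that stricter behaviour is intended, say so above the test, e.g. `/* both the old and the resized range must end below the task limit, even if the mapping will be moved */`. The lines that derive `pax_task_size` are a copy of those added to mremap_to(); a small static helper would keep the two from diverging. do_mremap() begins and ends outside this hunk.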
74115 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
74116 addr + new_len);
74117 }
74118 ret = addr;
74119 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74120 goto out;
74121 }
74122 }
74123 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
74124 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74125 if (ret)
74126 goto out;
74127 +
74128 + map_flags = vma->vm_flags;
74129 ret = move_vma(vma, addr, old_len, new_len, new_addr);
74130 + if (!(ret & ~PAGE_MASK)) {
74131 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74132 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74133 + }
74134 }
74135 out:
74136 if (ret & ~PAGE_MASK)
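Review bot: `map_flags = vma->vm_flags;` is taken before move_vma() with no comment on why the flags are copied rather than read from `vma` afterwards; presumably `vma` may no longer be valid once the move has happened. A line such as `/* snapshot vm_flags: vma must not be dereferenced after move_vma() */` would keep a later cleanup from undoing it. `map_flags` is not declared in this hunk; if it is the variable that carries MAP_* flags earlier in the block, a separately named local for the VM_* value would read better.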
74137 diff -urNp linux-2.6.39.1/mm/nobootmem.c linux-2.6.39.1/mm/nobootmem.c
74138 --- linux-2.6.39.1/mm/nobootmem.c 2011-05-19 00:06:34.000000000 -0400
74139 +++ linux-2.6.39.1/mm/nobootmem.c 2011-05-22 19:36:33.000000000 -0400
74140 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
74141 unsigned long __init free_all_memory_core_early(int nodeid)
74142 {
74143 int i;
74144 - u64 start, end;
74145 + u64 start, end, startrange, endrange;
74146 unsigned long count = 0;
74147 - struct range *range = NULL;
74148 + struct range *range = NULL, rangerange = { 0, 0 };
74149 int nr_range;
74150
74151 nr_range = get_free_all_memory_range(&range, nodeid);
74152 + startrange = __pa(range) >> PAGE_SHIFT;
74153 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
74154
74155 for (i = 0; i < nr_range; i++) {
74156 start = range[i].start;
74157 end = range[i].end;
74158 + if (start <= endrange && startrange < end) {
74159 + BUG_ON(rangerange.start | rangerange.end);
74160 + rangerange = range[i];
74161 + continue;
74162 + }
74163 count += end - start;
74164 __free_pages_memory(start, end);
74165 }
74166 + start = rangerange.start;
74167 + end = rangerange.end;
74168 + count += end - start;
74169 + __free_pages_memory(start, end);
74170
74171 return count;
74172 }
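Review bot: The deferred free after the loop runs unconditionally, so when no entry overlaps the pages holding `range[]` it calls `__free_pages_memory(0, 0)` on the zero-initialised `rangerange`. That is probably a no-op, but the intent is clearer with a guard around the four trailing lines, `if (rangerange.end > rangerange.start) { ... }`. The hunk also needs a comment on the purpose: the entry covering the `range` array itself is skipped in the loop and freed last, presumably so the array is not handed back to the allocator while it is still being read.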
74173 diff -urNp linux-2.6.39.1/mm/nommu.c linux-2.6.39.1/mm/nommu.c
74174 --- linux-2.6.39.1/mm/nommu.c 2011-05-19 00:06:34.000000000 -0400
74175 +++ linux-2.6.39.1/mm/nommu.c 2011-05-22 19:36:33.000000000 -0400
74176 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74177 int sysctl_overcommit_ratio = 50; /* default is 50% */
74178 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74179 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74180 -int heap_stack_gap = 0;
74181
74182 atomic_long_t mmap_pages_allocated;
74183
74184 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
74185 EXPORT_SYMBOL(find_vma);
74186
74187 /*
74188 - * find a VMA
74189 - * - we don't extend stack VMAs under NOMMU conditions
74190 - */
74191 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74192 -{
74193 - return find_vma(mm, addr);
74194 -}
74195 -
74196 -/*
74197 * expand a stack to a given address
74198 * - not supported under NOMMU conditions
74199 */
74200 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
74201
74202 /* most fields are the same, copy all, and then fixup */
74203 *new = *vma;
74204 + INIT_LIST_HEAD(&new->anon_vma_chain);
74205 *region = *vma->vm_region;
74206 new->vm_region = region;
74207
74208 diff -urNp linux-2.6.39.1/mm/page_alloc.c linux-2.6.39.1/mm/page_alloc.c
74209 --- linux-2.6.39.1/mm/page_alloc.c 2011-06-03 00:04:14.000000000 -0400
74210 +++ linux-2.6.39.1/mm/page_alloc.c 2011-06-03 00:32:08.000000000 -0400
74211 @@ -650,6 +650,10 @@ static bool free_pages_prepare(struct pa
74212 int i;
74213 int bad = 0;
74214
74215 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74216 + unsigned long index = 1UL << order;
74217 +#endif
74218 +
74219 trace_mm_page_free_direct(page, order);
74220 kmemcheck_free_shadow(page, order);
74221
74222 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
74223 debug_check_no_obj_freed(page_address(page),
74224 PAGE_SIZE << order);
74225 }
74226 +
74227 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74228 + for (; index; --index)
74229 + sanitize_highpage(page + index - 1);
74230 +#endif
74231 +
74232 arch_free_page(page, order);
74233 kernel_map_pages(page, 1 << order, 0);
74234
74235 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
74236 arch_alloc_page(page, order);
74237 kernel_map_pages(page, 1 << order, 1);
74238
74239 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
74240 if (gfp_flags & __GFP_ZERO)
74241 prep_zero_page(page, order, gfp_flags);
74242 +#endif
74243
74244 if (order && (gfp_flags & __GFP_COMP))
74245 prep_compound_page(page, order);
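Review bot: Compiling out the `__GFP_ZERO` handling under CONFIG_PAX_MEMORY_SANITIZE makes every zeroing allocation depend on the page having been cleared at free time by the `sanitize_highpage()` loop added to free_pages_prepare(). That holds only if sanitize_highpage() writes zeroes and every page reaches the free lists through that path; neither is visible in this hunk. Record the invariant where the zeroing is removed, e.g. `/* pages are cleared on free in free_pages_prepare(), so __GFP_ZERO has nothing left to do */`. Without it, a later change to the sanitising value or a new free path could silently hand non-zero pages to `__GFP_ZERO` callers.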
74246 @@ -2504,6 +2516,8 @@ void __show_free_areas(unsigned int filt
74247 int cpu;
74248 struct zone *zone;
74249
74250 + pax_track_stack();
74251 +
74252 for_each_populated_zone(zone) {
74253 if (skip_free_areas_zone(filter, zone))
74254 continue;
74255 diff -urNp linux-2.6.39.1/mm/percpu.c linux-2.6.39.1/mm/percpu.c
74256 --- linux-2.6.39.1/mm/percpu.c 2011-05-19 00:06:34.000000000 -0400
74257 +++ linux-2.6.39.1/mm/percpu.c 2011-05-22 19:36:33.000000000 -0400
74258 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
74259 static unsigned int pcpu_last_unit_cpu __read_mostly;
74260
74261 /* the address of the first chunk which starts with the kernel static area */
74262 -void *pcpu_base_addr __read_mostly;
74263 +void *pcpu_base_addr __read_only;
74264 EXPORT_SYMBOL_GPL(pcpu_base_addr);
74265
74266 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74267 diff -urNp linux-2.6.39.1/mm/rmap.c linux-2.6.39.1/mm/rmap.c
74268 --- linux-2.6.39.1/mm/rmap.c 2011-05-19 00:06:34.000000000 -0400
74269 +++ linux-2.6.39.1/mm/rmap.c 2011-05-22 19:36:33.000000000 -0400
74270 @@ -131,6 +131,10 @@ int anon_vma_prepare(struct vm_area_stru
74271 struct anon_vma *anon_vma = vma->anon_vma;
74272 struct anon_vma_chain *avc;
74273
74274 +#ifdef CONFIG_PAX_SEGMEXEC
74275 + struct anon_vma_chain *avc_m = NULL;
74276 +#endif
74277 +
74278 might_sleep();
74279 if (unlikely(!anon_vma)) {
74280 struct mm_struct *mm = vma->vm_mm;
74281 @@ -140,6 +144,12 @@ int anon_vma_prepare(struct vm_area_stru
74282 if (!avc)
74283 goto out_enomem;
74284
74285 +#ifdef CONFIG_PAX_SEGMEXEC
74286 + avc_m = anon_vma_chain_alloc();
74287 + if (!avc_m)
74288 + goto out_enomem_free_avc;
74289 +#endif
74290 +
74291 anon_vma = find_mergeable_anon_vma(vma);
74292 allocated = NULL;
74293 if (!anon_vma) {
74294 @@ -153,6 +163,21 @@ int anon_vma_prepare(struct vm_area_stru
74295 /* page_table_lock to protect against threads */
74296 spin_lock(&mm->page_table_lock);
74297 if (likely(!vma->anon_vma)) {
74298 +
74299 +#ifdef CONFIG_PAX_SEGMEXEC
74300 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74301 +
74302 + if (vma_m) {
74303 + BUG_ON(vma_m->anon_vma);
74304 + vma_m->anon_vma = anon_vma;
74305 + avc_m->anon_vma = anon_vma;
74306 + avc_m->vma = vma;
74307 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
74308 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
74309 + avc_m = NULL;
74310 + }
74311 +#endif
74312 +
74313 vma->anon_vma = anon_vma;
74314 avc->anon_vma = anon_vma;
74315 avc->vma = vma;
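Review bot: In the SEGMEXEC block `avc_m->vma = vma;` stores the primary VMA in the chain entry that is then linked onto `vma_m->anon_vma_chain`, so the entry's `vma` field does not name the VMA whose list it is on. The entry for the primary VMA just below sets `avc->vma = vma`, which suggests the mirror entry was meant to be `avc_m->vma = vma_m;`. If pointing at the primary VMA is deliberate it needs a comment, because code that follows `same_anon_vma` entries to their `vma` would otherwise never reach the mirror. anon_vma_prepare() starts and ends outside this hunk.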
74316 @@ -166,12 +191,24 @@ int anon_vma_prepare(struct vm_area_stru
74317
74318 if (unlikely(allocated))
74319 put_anon_vma(allocated);
74320 +
74321 +#ifdef CONFIG_PAX_SEGMEXEC
74322 + if (unlikely(avc_m))
74323 + anon_vma_chain_free(avc_m);
74324 +#endif
74325 +
74326 if (unlikely(avc))
74327 anon_vma_chain_free(avc);
74328 }
74329 return 0;
74330
74331 out_enomem_free_avc:
74332 +
74333 +#ifdef CONFIG_PAX_SEGMEXEC
74334 + if (avc_m)
74335 + anon_vma_chain_free(avc_m);
74336 +#endif
74337 +
74338 anon_vma_chain_free(avc);
74339 out_enomem:
74340 return -ENOMEM;
74341 @@ -198,7 +235,7 @@ static void anon_vma_chain_link(struct v
74342 * Attach the anon_vmas from src to dst.
74343 * Returns 0 on success, -ENOMEM on failure.
74344 */
74345 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
74346 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
74347 {
74348 struct anon_vma_chain *avc, *pavc;
74349
74350 @@ -220,7 +257,7 @@ int anon_vma_clone(struct vm_area_struct
74351 * the corresponding VMA in the parent process is attached to.
74352 * Returns 0 on success, non-zero on failure.
74353 */
74354 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
74355 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
74356 {
74357 struct anon_vma_chain *avc;
74358 struct anon_vma *anon_vma;
74359 diff -urNp linux-2.6.39.1/mm/shmem.c linux-2.6.39.1/mm/shmem.c
74360 --- linux-2.6.39.1/mm/shmem.c 2011-06-03 00:04:14.000000000 -0400
74361 +++ linux-2.6.39.1/mm/shmem.c 2011-06-03 00:32:08.000000000 -0400
74362 @@ -31,7 +31,7 @@
74363 #include <linux/percpu_counter.h>
74364 #include <linux/swap.h>
74365
74366 -static struct vfsmount *shm_mnt;
74367 +struct vfsmount *shm_mnt;
74368
74369 #ifdef CONFIG_SHMEM
74370 /*
74371 @@ -1087,6 +1087,8 @@ static int shmem_writepage(struct page *
74372 goto unlock;
74373 }
74374 entry = shmem_swp_entry(info, index, NULL);
74375 + if (!entry)
74376 + goto unlock;
74377 if (entry->val) {
74378 /*
74379 * The more uptodate page coming down from a stacked
74380 @@ -1158,6 +1160,8 @@ static struct page *shmem_swapin(swp_ent
74381 struct vm_area_struct pvma;
74382 struct page *page;
74383
74384 + pax_track_stack();
74385 +
74386 spol = mpol_cond_copy(&mpol,
74387 mpol_shared_policy_lookup(&info->policy, idx));
74388
74389 @@ -2014,7 +2018,7 @@ static int shmem_symlink(struct inode *d
74390
74391 info = SHMEM_I(inode);
74392 inode->i_size = len-1;
74393 - if (len <= (char *)inode - (char *)info) {
74394 + if (len <= (char *)inode - (char *)info && len <= 64) {
74395 /* do it inline */
74396 memcpy(info, symname, len);
74397 inode->i_op = &shmem_symlink_inline_operations;
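Review bot: The added `len <= 64` bound on the inline-symlink path is a bare number with no stated relation to any structure size. The existing test `(char *)inode - (char *)info` already limits the copy to the space in front of the embedded inode, so the reason for a tighter limit should be written down. Give the value a name (for example a `#define` next to the other shmem constants) and a comment saying which part of the info structure the inline target may occupy. Otherwise the limit will drift if that layout changes.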
74398 @@ -2362,8 +2366,7 @@ int shmem_fill_super(struct super_block
74399 int err = -ENOMEM;
74400
74401 /* Round up to L1_CACHE_BYTES to resist false sharing */
74402 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74403 - L1_CACHE_BYTES), GFP_KERNEL);
74404 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74405 if (!sbinfo)
74406 return -ENOMEM;
74407
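Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`, and the kernel's `max()` macro complains when its two arguments have different types. This builds cleanly only if `L1_CACHE_BYTES` has been given a matching unsigned type elsewhere in the patch, which is not visible here. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type and does not depend on that.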
74408 diff -urNp linux-2.6.39.1/mm/slab.c linux-2.6.39.1/mm/slab.c
74409 --- linux-2.6.39.1/mm/slab.c 2011-05-19 00:06:34.000000000 -0400
74410 +++ linux-2.6.39.1/mm/slab.c 2011-05-22 19:41:42.000000000 -0400
74411 @@ -150,7 +150,7 @@
74412
74413 /* Legal flag mask for kmem_cache_create(). */
74414 #if DEBUG
74415 -# define CREATE_MASK (SLAB_RED_ZONE | \
74416 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74417 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74418 SLAB_CACHE_DMA | \
74419 SLAB_STORE_USER | \
74420 @@ -158,7 +158,7 @@
74421 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74422 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74423 #else
74424 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74425 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74426 SLAB_CACHE_DMA | \
74427 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74428 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74429 @@ -287,7 +287,7 @@ struct kmem_list3 {
74430 * Need this for bootstrapping a per node allocator.
74431 */
74432 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74433 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74434 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74435 #define CACHE_CACHE 0
74436 #define SIZE_AC MAX_NUMNODES
74437 #define SIZE_L3 (2 * MAX_NUMNODES)
74438 @@ -388,10 +388,10 @@ static void kmem_list3_init(struct kmem_
74439 if ((x)->max_freeable < i) \
74440 (x)->max_freeable = i; \
74441 } while (0)
74442 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74443 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74444 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74445 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74446 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74447 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74448 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74449 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74450 #else
74451 #define STATS_INC_ACTIVE(x) do { } while (0)
74452 #define STATS_DEC_ACTIVE(x) do { } while (0)
74453 @@ -537,7 +537,7 @@ static inline void *index_to_obj(struct
74454 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74455 */
74456 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74457 - const struct slab *slab, void *obj)
74458 + const struct slab *slab, const void *obj)
74459 {
74460 u32 offset = (obj - slab->s_mem);
74461 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74462 @@ -563,7 +563,7 @@ struct cache_names {
74463 static struct cache_names __initdata cache_names[] = {
74464 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
74465 #include <linux/kmalloc_sizes.h>
74466 - {NULL,}
74467 + {NULL}
74468 #undef CACHE
74469 };
74470
74471 @@ -1529,7 +1529,7 @@ void __init kmem_cache_init(void)
74472 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74473 sizes[INDEX_AC].cs_size,
74474 ARCH_KMALLOC_MINALIGN,
74475 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74476 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74477 NULL);
74478
74479 if (INDEX_AC != INDEX_L3) {
74480 @@ -1537,7 +1537,7 @@ void __init kmem_cache_init(void)
74481 kmem_cache_create(names[INDEX_L3].name,
74482 sizes[INDEX_L3].cs_size,
74483 ARCH_KMALLOC_MINALIGN,
74484 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74485 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74486 NULL);
74487 }
74488
74489 @@ -1555,7 +1555,7 @@ void __init kmem_cache_init(void)
74490 sizes->cs_cachep = kmem_cache_create(names->name,
74491 sizes->cs_size,
74492 ARCH_KMALLOC_MINALIGN,
74493 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74494 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74495 NULL);
74496 }
74497 #ifdef CONFIG_ZONE_DMA
74498 @@ -4270,10 +4270,10 @@ static int s_show(struct seq_file *m, vo
74499 }
74500 /* cpu stats */
74501 {
74502 - unsigned long allochit = atomic_read(&cachep->allochit);
74503 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
74504 - unsigned long freehit = atomic_read(&cachep->freehit);
74505 - unsigned long freemiss = atomic_read(&cachep->freemiss);
74506 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
74507 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
74508 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
74509 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
74510
74511 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
74512 allochit, allocmiss, freehit, freemiss);
74513 @@ -4530,15 +4530,66 @@ static const struct file_operations proc
74514
74515 static int __init slab_proc_init(void)
74516 {
74517 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
74518 + mode_t gr_mode = S_IRUGO;
74519 +
74520 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
74521 + gr_mode = S_IRUSR;
74522 +#endif
74523 +
74524 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
74525 #ifdef CONFIG_DEBUG_SLAB_LEAK
74526 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
74527 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
74528 #endif
74529 return 0;
74530 }
74531 module_init(slab_proc_init);
74532 #endif
74533
74534 +void check_object_size(const void *ptr, unsigned long n, bool to)
74535 +{
74536 +
74537 +#ifdef CONFIG_PAX_USERCOPY
74538 + struct page *page;
74539 + struct kmem_cache *cachep = NULL;
74540 + struct slab *slabp;
74541 + unsigned int objnr;
74542 + unsigned long offset;
74543 +
74544 + if (!n)
74545 + return;
74546 +
74547 + if (ZERO_OR_NULL_PTR(ptr))
74548 + goto report;
74549 +
74550 + if (!virt_addr_valid(ptr))
74551 + return;
74552 +
74553 + page = virt_to_head_page(ptr);
74554 +
74555 + if (!PageSlab(page)) {
74556 + if (object_is_on_stack(ptr, n) == -1)
74557 + goto report;
74558 + return;
74559 + }
74560 +
74561 + cachep = page_get_cache(page);
74562 + if (!(cachep->flags & SLAB_USERCOPY))
74563 + goto report;
74564 +
74565 + slabp = page_get_slab(page);
74566 + objnr = obj_to_index(cachep, slabp, ptr);
74567 + BUG_ON(objnr >= cachep->num);
74568 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
74569 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
74570 + return;
74571 +
74572 +report:
74573 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
74574 +#endif
74575 +
74576 +}
74577 +EXPORT_SYMBOL(check_object_size);
74578 +
74579 /**
74580 * ksize - get the actual amount of memory allocated for a given object
74581 * @objp: Pointer to the object
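Review bot: check_object_size() is exported without a kernel-doc comment, and its contract is not obvious from the body: it returns silently when the copy is acceptable, calls pax_report_usercopy() otherwise, and only forwards `to` to the report. The early `if (!virt_addr_valid(ptr)) return;` means a pointer outside the linear mapping is accepted with no size check, and a non-slab page is only tested against the stack; both limits should be written down so callers do not assume full coverage. The same applies to the slob and slub copies of the function later in the patch. Suggest a kernel-doc block naming `@ptr`, `@n` and `@to` and listing the three outcomes (not checked, accepted, reported).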
74582 diff -urNp linux-2.6.39.1/mm/slob.c linux-2.6.39.1/mm/slob.c
74583 --- linux-2.6.39.1/mm/slob.c 2011-05-19 00:06:34.000000000 -0400
74584 +++ linux-2.6.39.1/mm/slob.c 2011-05-22 19:36:33.000000000 -0400
74585 @@ -29,7 +29,7 @@
74586 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
74587 * alloc_pages() directly, allocating compound pages so the page order
74588 * does not have to be separately tracked, and also stores the exact
74589 - * allocation size in page->private so that it can be used to accurately
74590 + * allocation size in slob_page->size so that it can be used to accurately
74591 * provide ksize(). These objects are detected in kfree() because slob_page()
74592 * is false for them.
74593 *
74594 @@ -58,6 +58,7 @@
74595 */
74596
74597 #include <linux/kernel.h>
74598 +#include <linux/sched.h>
74599 #include <linux/slab.h>
74600 #include <linux/mm.h>
74601 #include <linux/swap.h> /* struct reclaim_state */
74602 @@ -102,7 +103,8 @@ struct slob_page {
74603 unsigned long flags; /* mandatory */
74604 atomic_t _count; /* mandatory */
74605 slobidx_t units; /* free units left in page */
74606 - unsigned long pad[2];
74607 + unsigned long pad[1];
74608 + unsigned long size; /* size when >=PAGE_SIZE */
74609 slob_t *free; /* first free slob_t in page */
74610 struct list_head list; /* linked list of free pages */
74611 };
74612 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
74613 */
74614 static inline int is_slob_page(struct slob_page *sp)
74615 {
74616 - return PageSlab((struct page *)sp);
74617 + return PageSlab((struct page *)sp) && !sp->size;
74618 }
74619
74620 static inline void set_slob_page(struct slob_page *sp)
74621 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
74622
74623 static inline struct slob_page *slob_page(const void *addr)
74624 {
74625 - return (struct slob_page *)virt_to_page(addr);
74626 + return (struct slob_page *)virt_to_head_page(addr);
74627 }
74628
74629 /*
74630 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
74631 /*
74632 * Return the size of a slob block.
74633 */
74634 -static slobidx_t slob_units(slob_t *s)
74635 +static slobidx_t slob_units(const slob_t *s)
74636 {
74637 if (s->units > 0)
74638 return s->units;
74639 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
74640 /*
74641 * Return the next free slob block pointer after this one.
74642 */
74643 -static slob_t *slob_next(slob_t *s)
74644 +static slob_t *slob_next(const slob_t *s)
74645 {
74646 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
74647 slobidx_t next;
74648 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
74649 /*
74650 * Returns true if s is the last free block in its page.
74651 */
74652 -static int slob_last(slob_t *s)
74653 +static int slob_last(const slob_t *s)
74654 {
74655 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
74656 }
74657 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
74658 if (!page)
74659 return NULL;
74660
74661 + set_slob_page(page);
74662 return page_address(page);
74663 }
74664
74665 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
74666 if (!b)
74667 return NULL;
74668 sp = slob_page(b);
74669 - set_slob_page(sp);
74670
74671 spin_lock_irqsave(&slob_lock, flags);
74672 sp->units = SLOB_UNITS(PAGE_SIZE);
74673 sp->free = b;
74674 + sp->size = 0;
74675 INIT_LIST_HEAD(&sp->list);
74676 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
74677 set_slob_page_free(sp, slob_list);
74678 @@ -476,10 +479,9 @@ out:
74679 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
74680 */
74681
74682 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74683 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
74684 {
74685 - unsigned int *m;
74686 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74687 + slob_t *m;
74688 void *ret;
74689
74690 lockdep_trace_alloc(gfp);
74691 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
74692
74693 if (!m)
74694 return NULL;
74695 - *m = size;
74696 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
74697 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
74698 + m[0].units = size;
74699 + m[1].units = align;
74700 ret = (void *)m + align;
74701
74702 trace_kmalloc_node(_RET_IP_, ret,
74703 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
74704 gfp |= __GFP_COMP;
74705 ret = slob_new_pages(gfp, order, node);
74706 if (ret) {
74707 - struct page *page;
74708 - page = virt_to_page(ret);
74709 - page->private = size;
74710 + struct slob_page *sp;
74711 + sp = slob_page(ret);
74712 + sp->size = size;
74713 }
74714
74715 trace_kmalloc_node(_RET_IP_, ret,
74716 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
74717 kmemleak_alloc(ret, size, 1, gfp);
74718 return ret;
74719 }
74720 +
74721 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74722 +{
74723 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74724 +
74725 + return __kmalloc_node_align(size, gfp, node, align);
74726 +}
74727 EXPORT_SYMBOL(__kmalloc_node);
74728
74729 void kfree(const void *block)
74730 @@ -531,13 +543,81 @@ void kfree(const void *block)
74731 sp = slob_page(block);
74732 if (is_slob_page(sp)) {
74733 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74734 - unsigned int *m = (unsigned int *)(block - align);
74735 - slob_free(m, *m + align);
74736 - } else
74737 + slob_t *m = (slob_t *)(block - align);
74738 + slob_free(m, m[0].units + align);
74739 + } else {
74740 + clear_slob_page(sp);
74741 + free_slob_page(sp);
74742 + sp->size = 0;
74743 put_page(&sp->page);
74744 + }
74745 }
74746 EXPORT_SYMBOL(kfree);
74747
74748 +void check_object_size(const void *ptr, unsigned long n, bool to)
74749 +{
74750 +
74751 +#ifdef CONFIG_PAX_USERCOPY
74752 + struct slob_page *sp;
74753 + const slob_t *free;
74754 + const void *base;
74755 +
74756 + if (!n)
74757 + return;
74758 +
74759 + if (ZERO_OR_NULL_PTR(ptr))
74760 + goto report;
74761 +
74762 + if (!virt_addr_valid(ptr))
74763 + return;
74764 +
74765 + sp = slob_page(ptr);
74766 + if (!PageSlab((struct page*)sp)) {
74767 + if (object_is_on_stack(ptr, n) == -1)
74768 + goto report;
74769 + return;
74770 + }
74771 +
74772 + if (sp->size) {
74773 + base = page_address(&sp->page);
74774 + if (base <= ptr && n <= sp->size - (ptr - base))
74775 + return;
74776 + goto report;
74777 + }
74778 +
74779 + /* some tricky double walking to find the chunk */
74780 + base = (void *)((unsigned long)ptr & PAGE_MASK);
74781 + free = sp->free;
74782 +
74783 + while (!slob_last(free) && (void *)free <= ptr) {
74784 + base = free + slob_units(free);
74785 + free = slob_next(free);
74786 + }
74787 +
74788 + while (base < (void *)free) {
74789 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
74790 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
74791 + int offset;
74792 +
74793 + if (ptr < base + align)
74794 + goto report;
74795 +
74796 + offset = ptr - base - align;
74797 + if (offset < m) {
74798 + if (n <= m - offset)
74799 + return;
74800 + goto report;
74801 + }
74802 + base += size;
74803 + }
74804 +
74805 +report:
74806 + pax_report_usercopy(ptr, n, to, NULL);
74807 +#endif
74808 +
74809 +}
74810 +EXPORT_SYMBOL(check_object_size);
74811 +
74812 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
74813 size_t ksize(const void *block)
74814 {
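Review bot: The slob check_object_size() explains its core with only `/* some tricky double walking to find the chunk */`, which does not say what the two loops establish. As far as the code shows, the first loop follows the page's free list until it reaches the last free block or one above `ptr`, leaving `base` at the end of the preceding free block. The second loop walks the allocated chunks from `base` using the size/align pair that __kmalloc_node_align() stores in `m[0]` and `m[1]`. Spell that out in the comment, together with the assumption that every allocated chunk on the page carries that header. `offset` and `size` are `int` while `n` is `unsigned long`, so a short remark that `offset < m` is established before `m - offset` is compared with `n` would help too.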
74815 @@ -550,10 +630,10 @@ size_t ksize(const void *block)
74816 sp = slob_page(block);
74817 if (is_slob_page(sp)) {
74818 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74819 - unsigned int *m = (unsigned int *)(block - align);
74820 - return SLOB_UNITS(*m) * SLOB_UNIT;
74821 + slob_t *m = (slob_t *)(block - align);
74822 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
74823 } else
74824 - return sp->page.private;
74825 + return sp->size;
74826 }
74827 EXPORT_SYMBOL(ksize);
74828
74829 @@ -608,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
74830 {
74831 void *b;
74832
74833 +#ifdef CONFIG_PAX_USERCOPY
74834 + b = __kmalloc_node_align(c->size, flags, node, c->align);
74835 +#else
74836 if (c->size < PAGE_SIZE) {
74837 b = slob_alloc(c->size, flags, c->align, node);
74838 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74839 SLOB_UNITS(c->size) * SLOB_UNIT,
74840 flags, node);
74841 } else {
74842 + struct slob_page *sp;
74843 +
74844 b = slob_new_pages(flags, get_order(c->size), node);
74845 + sp = slob_page(b);
74846 + sp->size = c->size;
74847 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74848 PAGE_SIZE << get_order(c->size),
74849 flags, node);
74850 }
74851 +#endif
74852
74853 if (c->ctor)
74854 c->ctor(b);
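Review bot: In the non-PAX_USERCOPY `else` branch the result of slob_new_pages() is passed to slob_page() and written through (`sp->size = c->size`) without a NULL check, although slob_new_pages() returns NULL when the page allocation fails. __kmalloc_node_align() in this same patch guards the identical store with `if (ret)`. Do the same here: `if (b) { sp = slob_page(b); sp->size = c->size; }`. kmem_cache_alloc_node() starts and ends outside this hunk.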
74855 @@ -630,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
74856
74857 static void __kmem_cache_free(void *b, int size)
74858 {
74859 - if (size < PAGE_SIZE)
74860 + struct slob_page *sp = slob_page(b);
74861 +
74862 + if (is_slob_page(sp))
74863 slob_free(b, size);
74864 - else
74865 + else {
74866 + clear_slob_page(sp);
74867 + free_slob_page(sp);
74868 + sp->size = 0;
74869 slob_free_pages(b, get_order(size));
74870 + }
74871 }
74872
74873 static void kmem_rcu_free(struct rcu_head *head)
74874 @@ -646,14 +740,23 @@ static void kmem_rcu_free(struct rcu_hea
74875
74876 void kmem_cache_free(struct kmem_cache *c, void *b)
74877 {
74878 + int size = c->size;
74879 +
74880 +#ifdef CONFIG_PAX_USERCOPY
74881 + if (size + c->align < PAGE_SIZE) {
74882 + size += c->align;
74883 + b -= c->align;
74884 + }
74885 +#endif
74886 +
74887 kmemleak_free_recursive(b, c->flags);
74888 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
74889 struct slob_rcu *slob_rcu;
74890 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
74891 - slob_rcu->size = c->size;
74892 + slob_rcu = b + (size - sizeof(struct slob_rcu));
74893 + slob_rcu->size = size;
74894 call_rcu(&slob_rcu->head, kmem_rcu_free);
74895 } else {
74896 - __kmem_cache_free(b, c->size);
74897 + __kmem_cache_free(b, size);
74898 }
74899
74900 trace_kmem_cache_free(_RET_IP_, b);
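Review bot: Under CONFIG_PAX_USERCOPY `b -= c->align` is applied before `kmemleak_free_recursive(b, c->flags)` and `trace_kmem_cache_free(_RET_IP_, b)`, so both receive the header address rather than the object pointer the caller passed. __kmalloc_node_align() registers the object with `kmemleak_alloc(ret, ...)` where `ret` is the pointer after the header, so the free side no longer matches the allocation side. Keep `b` untouched for kmemleak and tracing and apply the adjustment to a separate local used only for the slob_rcu and `__kmem_cache_free()` paths. The function's closing lines are outside this hunk.

```c
	void *chunk = b;	/* start of the slob chunk, header included */
	/* … unchanged: #ifdef CONFIG_PAX_USERCOPY size test, size += c->align … */
		chunk -= c->align;
	/* … unchanged: kmemleak_free_recursive(b, c->flags) … */
		slob_rcu = chunk + (size - sizeof(struct slob_rcu));
	/* … unchanged: slob_rcu->size = size; call_rcu(...) … */
		__kmem_cache_free(chunk, size);
	/* … unchanged: trace_kmem_cache_free(_RET_IP_, b) … */
```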
74901 diff -urNp linux-2.6.39.1/mm/slub.c linux-2.6.39.1/mm/slub.c
74902 --- linux-2.6.39.1/mm/slub.c 2011-06-03 00:04:14.000000000 -0400
74903 +++ linux-2.6.39.1/mm/slub.c 2011-06-03 00:32:08.000000000 -0400
74904 @@ -431,7 +431,7 @@ static void print_track(const char *s, s
74905 if (!t->addr)
74906 return;
74907
74908 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
74909 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
74910 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
74911 }
74912
74913 @@ -2183,6 +2183,8 @@ void kmem_cache_free(struct kmem_cache *
74914
74915 page = virt_to_head_page(x);
74916
74917 + BUG_ON(!PageSlab(page));
74918 +
74919 slab_free(s, page, x, _RET_IP_);
74920
74921 trace_kmem_cache_free(_RET_IP_, x);
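Review bot: The new `BUG_ON(!PageSlab(page))` rejects frees of non-slab memory but still lets an object that belongs to a different cache through to slab_free(). Since the page records its cache (`page->slab`, as read by check_object_size() later in this file), the check could also confirm ownership: `BUG_ON(!PageSlab(page) || page->slab != s);`. This assumes merged caches share one kmem_cache pointer so that aliases still compare equal; confirm that against find_mergeable() before adopting it. kmem_cache_free() starts outside the hunk.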
74922 @@ -2216,7 +2218,7 @@ static int slub_min_objects;
74923 * Merge control. If this is set then no merging of slab caches will occur.
74924 * (Could be removed. This was introduced to pacify the merge skeptics.)
74925 */
74926 -static int slub_nomerge;
74927 +static int slub_nomerge = 1;
74928
74929 /*
74930 * Calculate the order of allocation given an slab object size.
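Review bot: The comment above `slub_nomerge` still reads "(Could be removed. This was introduced to pacify the merge skeptics.)", which no longer matches a default of 1. With merging off, caches of equal size stay separate, so a stale or overflowing object of one type does not share a slab with an unrelated type; the comment should state that rationale, e.g. `/* default on: keep unrelated object types in separate slabs */`. If the only boot-time handler for this variable sets it to 1 (the handler is outside this hunk), merging can no longer be re-enabled at boot, which is also worth documenting.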
74931 @@ -2644,7 +2646,7 @@ static int kmem_cache_open(struct kmem_c
74932 * list to avoid pounding the page allocator excessively.
74933 */
74934 set_min_partial(s, ilog2(s->size));
74935 - s->refcount = 1;
74936 + atomic_set(&s->refcount, 1);
74937 #ifdef CONFIG_NUMA
74938 s->remote_node_defrag_ratio = 1000;
74939 #endif
74940 @@ -2750,8 +2752,7 @@ static inline int kmem_cache_close(struc
74941 void kmem_cache_destroy(struct kmem_cache *s)
74942 {
74943 down_write(&slub_lock);
74944 - s->refcount--;
74945 - if (!s->refcount) {
74946 + if (atomic_dec_and_test(&s->refcount)) {
74947 list_del(&s->list);
74948 if (kmem_cache_close(s)) {
74949 printk(KERN_ERR "SLUB %s: %s called for cache that "
74950 @@ -2961,6 +2962,46 @@ void *__kmalloc_node(size_t size, gfp_t
74951 EXPORT_SYMBOL(__kmalloc_node);
74952 #endif
74953
74954 +void check_object_size(const void *ptr, unsigned long n, bool to)
74955 +{
74956 +
74957 +#ifdef CONFIG_PAX_USERCOPY
74958 + struct page *page;
74959 + struct kmem_cache *s = NULL;
74960 + unsigned long offset;
74961 +
74962 + if (!n)
74963 + return;
74964 +
74965 + if (ZERO_OR_NULL_PTR(ptr))
74966 + goto report;
74967 +
74968 + if (!virt_addr_valid(ptr))
74969 + return;
74970 +
74971 + page = virt_to_head_page(ptr);
74972 +
74973 + if (!PageSlab(page)) {
74974 + if (object_is_on_stack(ptr, n) == -1)
74975 + goto report;
74976 + return;
74977 + }
74978 +
74979 + s = page->slab;
74980 + if (!(s->flags & SLAB_USERCOPY))
74981 + goto report;
74982 +
74983 + offset = (ptr - page_address(page)) % s->size;
74984 + if (offset <= s->objsize && n <= s->objsize - offset)
74985 + return;
74986 +
74987 +report:
74988 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
74989 +#endif
74990 +
74991 +}
74992 +EXPORT_SYMBOL(check_object_size);
74993 +
74994 size_t ksize(const void *object)
74995 {
74996 struct page *page;
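Review bot: check_object_size() is exported but has no kernel-doc, and several of its accept paths are not obvious from the code. A pointer that fails `virt_addr_valid()` returns without any check, and a non-slab page is rejected only when `object_is_on_stack(ptr, n)` returns -1, so other non-slab memory is accepted with no bounds test. A header comment should list what is enforced (non-NULL pointer, a SLAB_USERCOPY cache, `n` within one object's `objsize`) and what is deliberately left unchecked. The literal `-1` deserves a named constant or a comment saying what that return value means, since object_is_on_stack() is defined outside this hunk. The comment should also mention that the body is empty when CONFIG_PAX_USERCOPY is unset.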
74997 @@ -3205,7 +3246,7 @@ static void __init kmem_cache_bootstrap_
74998 int node;
74999
75000 list_add(&s->list, &slab_caches);
75001 - s->refcount = -1;
75002 + atomic_set(&s->refcount, -1);
75003
75004 for_each_node_state(node, N_NORMAL_MEMORY) {
75005 struct kmem_cache_node *n = get_node(s, node);
75006 @@ -3322,17 +3363,17 @@ void __init kmem_cache_init(void)
75007
75008 /* Caches that are not of the two-to-the-power-of size */
75009 if (KMALLOC_MIN_SIZE <= 32) {
75010 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
75011 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
75012 caches++;
75013 }
75014
75015 if (KMALLOC_MIN_SIZE <= 64) {
75016 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
75017 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
75018 caches++;
75019 }
75020
75021 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75022 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
75023 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
75024 caches++;
75025 }
75026
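Review bot: Passing SLAB_USERCOPY to every general-purpose kmalloc cache (the kmalloc-96 and kmalloc-192 calls and the power-of-two loop) means the flag test in check_object_size() never rejects kmalloc memory, so only the per-object bounds check applies there. A one-line comment would record that this is intentional, e.g. `/* kmalloc buffers are legitimately used for user copies; rely on the objsize bounds check */`. kmem_cache_init() starts and ends outside this hunk.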
75027 @@ -3400,7 +3441,7 @@ static int slab_unmergeable(struct kmem_
75028 /*
75029 * We may have set a slab to be unmergeable during bootstrap.
75030 */
75031 - if (s->refcount < 0)
75032 + if (atomic_read(&s->refcount) < 0)
75033 return 1;
75034
75035 return 0;
75036 @@ -3459,7 +3500,7 @@ struct kmem_cache *kmem_cache_create(con
75037 down_write(&slub_lock);
75038 s = find_mergeable(size, align, flags, name, ctor);
75039 if (s) {
75040 - s->refcount++;
75041 + atomic_inc(&s->refcount);
75042 /*
75043 * Adjust the object sizes so that we clear
75044 * the complete object on kzalloc.
75045 @@ -3468,7 +3509,7 @@ struct kmem_cache *kmem_cache_create(con
75046 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
75047
75048 if (sysfs_slab_alias(s, name)) {
75049 - s->refcount--;
75050 + atomic_dec(&s->refcount);
75051 goto err;
75052 }
75053 up_write(&slub_lock);
75054 @@ -4201,7 +4242,7 @@ SLAB_ATTR_RO(ctor);
75055
75056 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75057 {
75058 - return sprintf(buf, "%d\n", s->refcount - 1);
75059 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75060 }
75061 SLAB_ATTR_RO(aliases);
75062
75063 @@ -4945,7 +4986,13 @@ static const struct file_operations proc
75064
75065 static int __init slab_proc_init(void)
75066 {
75067 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75068 + mode_t gr_mode = S_IRUGO;
75069 +
75070 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75071 + gr_mode = S_IRUSR;
75072 +#endif
75073 +
75074 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75075 return 0;
75076 }
75077 module_init(slab_proc_init);
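Review bot: The `gr_mode` local with its `#ifdef CONFIG_GRKERNSEC_PROC_ADD` override is repeated verbatim in setup_vmstat() in mm/vmstat.c later in this patch; a single shared definition would keep the restricted mode in one place. A header could define one macro that expands to `S_IRUSR` or `S_IRUGO` depending on the option, and this call would become `proc_create("slabinfo", GR_PROC_MODE, NULL, &proc_slabinfo_operations);`. `GR_PROC_MODE` is a name constructed for this note, not one the patch defines.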
75078 diff -urNp linux-2.6.39.1/mm/swapfile.c linux-2.6.39.1/mm/swapfile.c
75079 --- linux-2.6.39.1/mm/swapfile.c 2011-05-19 00:06:34.000000000 -0400
75080 +++ linux-2.6.39.1/mm/swapfile.c 2011-05-22 19:36:33.000000000 -0400
75081 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
75082
75083 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
75084 /* Activity counter to indicate that a swapon or swapoff has occurred */
75085 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
75086 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
75087
75088 static inline unsigned char swap_count(unsigned char ent)
75089 {
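Review bot: `proc_poll_event` is switched to `atomic_unchecked_t` without a comment saying why it is exempt from the checked atomic type; `atomic_unchecked_t` is defined outside this chunk and is presumably the variant that skips the patch's overflow detection. The visible users only increment it on swapon/swapoff and compare it for inequality in swaps_poll(), so wraparound looks harmless. A comment at the declaration such as `/* event counter, compared only for inequality; may wrap */` would let a reader audit the exemption. The same applies to the other `_unchecked` conversions in this part of the patch: vm_stat in mm/vmstat.c, the ATM statistics counters, the batman-adv sequence numbers and the caif debugfs counters.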
75090 @@ -1669,7 +1669,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
75091 }
75092 filp_close(swap_file, NULL);
75093 err = 0;
75094 - atomic_inc(&proc_poll_event);
75095 + atomic_inc_unchecked(&proc_poll_event);
75096 wake_up_interruptible(&proc_poll_wait);
75097
75098 out_dput:
75099 @@ -1690,8 +1690,8 @@ static unsigned swaps_poll(struct file *
75100
75101 poll_wait(file, &proc_poll_wait, wait);
75102
75103 - if (s->event != atomic_read(&proc_poll_event)) {
75104 - s->event = atomic_read(&proc_poll_event);
75105 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
75106 + s->event = atomic_read_unchecked(&proc_poll_event);
75107 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
75108 }
75109
75110 @@ -1797,7 +1797,7 @@ static int swaps_open(struct inode *inod
75111 }
75112
75113 s->seq.private = s;
75114 - s->event = atomic_read(&proc_poll_event);
75115 + s->event = atomic_read_unchecked(&proc_poll_event);
75116 return ret;
75117 }
75118
75119 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
75120 (p->flags & SWP_DISCARDABLE) ? "D" : "");
75121
75122 mutex_unlock(&swapon_mutex);
75123 - atomic_inc(&proc_poll_event);
75124 + atomic_inc_unchecked(&proc_poll_event);
75125 wake_up_interruptible(&proc_poll_wait);
75126
75127 if (S_ISREG(inode->i_mode))
75128 diff -urNp linux-2.6.39.1/mm/util.c linux-2.6.39.1/mm/util.c
75129 --- linux-2.6.39.1/mm/util.c 2011-05-19 00:06:34.000000000 -0400
75130 +++ linux-2.6.39.1/mm/util.c 2011-05-23 17:07:00.000000000 -0400
75131 @@ -112,6 +112,7 @@ EXPORT_SYMBOL(memdup_user);
75132 * allocated buffer. Use this if you don't want to free the buffer immediately
75133 * like, for example, with RCU.
75134 */
75135 +#undef __krealloc
75136 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
75137 {
75138 void *ret;
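Review bot: `#undef __krealloc` is placed directly before the definition with no comment, so a reader cannot tell which header turns the name into a macro or why the real function must still exist. A comment such as `/* wrapped by a macro in a header; undo it so the out-of-line function can be defined and exported */` would help, worded to match the actual wrapper, which is not visible here. The same bare `#undef` recurs for krealloc in the next hunk and for __vmalloc, vmalloc, vzalloc, vmalloc_user, vmalloc_node, vzalloc_node, vmalloc_exec, vmalloc_32 and vmalloc_32_user in mm/vmalloc.c.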
75139 @@ -145,6 +146,7 @@ EXPORT_SYMBOL(__krealloc);
75140 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
75141 * %NULL pointer, the object pointed to is freed.
75142 */
75143 +#undef krealloc
75144 void *krealloc(const void *p, size_t new_size, gfp_t flags)
75145 {
75146 void *ret;
75147 @@ -219,6 +221,12 @@ EXPORT_SYMBOL(strndup_user);
75148 void arch_pick_mmap_layout(struct mm_struct *mm)
75149 {
75150 mm->mmap_base = TASK_UNMAPPED_BASE;
75151 +
75152 +#ifdef CONFIG_PAX_RANDMMAP
75153 + if (mm->pax_flags & MF_PAX_RANDMMAP)
75154 + mm->mmap_base += mm->delta_mmap;
75155 +#endif
75156 +
75157 mm->get_unmapped_area = arch_get_unmapped_area;
75158 mm->unmap_area = arch_unmap_area;
75159 }
75160 diff -urNp linux-2.6.39.1/mm/vmalloc.c linux-2.6.39.1/mm/vmalloc.c
75161 --- linux-2.6.39.1/mm/vmalloc.c 2011-05-19 00:06:34.000000000 -0400
75162 +++ linux-2.6.39.1/mm/vmalloc.c 2011-05-22 19:36:33.000000000 -0400
75163 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75164
75165 pte = pte_offset_kernel(pmd, addr);
75166 do {
75167 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75168 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75169 +
75170 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75171 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75172 + BUG_ON(!pte_exec(*pte));
75173 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75174 + continue;
75175 + }
75176 +#endif
75177 +
75178 + {
75179 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75180 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75181 + }
75182 } while (pte++, addr += PAGE_SIZE, addr != end);
75183 }
75184
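Review bot: The new KERNEXEC branch in vunmap_pte_range() changes what unmapping means for the module exec range, and nothing explains why. Instead of clearing the PTE it rewrites it to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)`. A comment should state the invariant, which appears to be that PTEs between MODULES_EXEC_VADDR and MODULES_EXEC_END always stay present and executable, and that vmap_pte_range() therefore skips its `pte_none()` test for executable mappings. The function starts outside the hunk.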
75185 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75186 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75187 {
75188 pte_t *pte;
75189 + int ret = -ENOMEM;
75190
75191 /*
75192 * nr is a running index into the array which helps higher level
75193 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
75194 pte = pte_alloc_kernel(pmd, addr);
75195 if (!pte)
75196 return -ENOMEM;
75197 +
75198 + pax_open_kernel();
75199 do {
75200 struct page *page = pages[*nr];
75201
75202 - if (WARN_ON(!pte_none(*pte)))
75203 - return -EBUSY;
75204 - if (WARN_ON(!page))
75205 - return -ENOMEM;
75206 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75207 + if (pgprot_val(prot) & _PAGE_NX)
75208 +#endif
75209 +
75210 + if (WARN_ON(!pte_none(*pte))) {
75211 + ret = -EBUSY;
75212 + goto out;
75213 + }
75214 + if (WARN_ON(!page)) {
75215 + ret = -ENOMEM;
75216 + goto out;
75217 + }
75218 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75219 (*nr)++;
75220 } while (pte++, addr += PAGE_SIZE, addr != end);
75221 - return 0;
75222 + ret = 0;
75223 +out:
75224 + pax_close_kernel();
75225 + return ret;
75226 }
75227
75228 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
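Review bot: The added `if (pgprot_val(prot) & _PAGE_NX)` has no braces and is separated from the statement it guards by `#endif` and a blank line, so it is easy to miss that it covers only the `WARN_ON(!pte_none(*pte))` block and not the `!page` check. Wrapping the guarded statement in an explicit block that exists in both configurations removes the ambiguity, as shown below. The same brace-less conditional across a preprocessor boundary appears in vmalloc_to_page() (`if (!pud_large(*pud))`, `if (!pmd_large(*pmd))`) and as a dangling `else` before `#endif` in __vmalloc_node_range(). Separately, the initialiser in `int ret = -ENOMEM;` is never read, since every path to `out:` assigns `ret` first.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
		if (pgprot_val(prot) & _PAGE_NX)
#endif
		{
			/* only this check is conditional; the !page check below always runs */
			if (WARN_ON(!pte_none(*pte))) {
				ret = -EBUSY;
				goto out;
			}
		}
		/* … unchanged: !page check, set_pte_at(), (*nr)++ … */
```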
75229 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
75230 * and fall back on vmalloc() if that fails. Others
75231 * just put it in the vmalloc space.
75232 */
75233 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75234 +#ifdef CONFIG_MODULES
75235 +#ifdef MODULES_VADDR
75236 unsigned long addr = (unsigned long)x;
75237 if (addr >= MODULES_VADDR && addr < MODULES_END)
75238 return 1;
75239 #endif
75240 +
75241 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75242 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75243 + return 1;
75244 +#endif
75245 +
75246 +#endif
75247 +
75248 return is_vmalloc_addr(x);
75249 }
75250
75251 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
75252
75253 if (!pgd_none(*pgd)) {
75254 pud_t *pud = pud_offset(pgd, addr);
75255 +#ifdef CONFIG_X86
75256 + if (!pud_large(*pud))
75257 +#endif
75258 if (!pud_none(*pud)) {
75259 pmd_t *pmd = pmd_offset(pud, addr);
75260 +#ifdef CONFIG_X86
75261 + if (!pmd_large(*pmd))
75262 +#endif
75263 if (!pmd_none(*pmd)) {
75264 pte_t *ptep, pte;
75265
75266 @@ -1296,6 +1336,16 @@ static struct vm_struct *__get_vm_area_n
75267 struct vm_struct *area;
75268
75269 BUG_ON(in_interrupt());
75270 +
75271 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75272 + if (flags & VM_KERNEXEC) {
75273 + if (start != VMALLOC_START || end != VMALLOC_END)
75274 + return NULL;
75275 + start = (unsigned long)MODULES_EXEC_VADDR;
75276 + end = (unsigned long)MODULES_EXEC_END;
75277 + }
75278 +#endif
75279 +
75280 if (flags & VM_IOREMAP) {
75281 int bit = fls(size);
75282
75283 @@ -1514,6 +1564,11 @@ void *vmap(struct page **pages, unsigned
75284 if (count > totalram_pages)
75285 return NULL;
75286
75287 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75288 + if (!(pgprot_val(prot) & _PAGE_NX))
75289 + flags |= VM_KERNEXEC;
75290 +#endif
75291 +
75292 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75293 __builtin_return_address(0));
75294 if (!area)
75295 @@ -1610,6 +1665,13 @@ void *__vmalloc_node_range(unsigned long
75296 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75297 return NULL;
75298
75299 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75300 + if (!(pgprot_val(prot) & _PAGE_NX))
75301 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75302 + node, gfp_mask, caller);
75303 + else
75304 +#endif
75305 +
75306 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
75307 gfp_mask, caller);
75308
75309 @@ -1649,6 +1711,7 @@ static void *__vmalloc_node(unsigned lon
75310 gfp_mask, prot, node, caller);
75311 }
75312
75313 +#undef __vmalloc
75314 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75315 {
75316 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
75317 @@ -1672,6 +1735,7 @@ static inline void *__vmalloc_node_flags
75318 * For tight control over page level allocator and protection flags
75319 * use __vmalloc() instead.
75320 */
75321 +#undef vmalloc
75322 void *vmalloc(unsigned long size)
75323 {
75324 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
75325 @@ -1688,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc);
75326 * For tight control over page level allocator and protection flags
75327 * use __vmalloc() instead.
75328 */
75329 +#undef vzalloc
75330 void *vzalloc(unsigned long size)
75331 {
75332 return __vmalloc_node_flags(size, -1,
75333 @@ -1702,6 +1767,7 @@ EXPORT_SYMBOL(vzalloc);
75334 * The resulting memory area is zeroed so it can be mapped to userspace
75335 * without leaking data.
75336 */
75337 +#undef vmalloc_user
75338 void *vmalloc_user(unsigned long size)
75339 {
75340 struct vm_struct *area;
75341 @@ -1729,6 +1795,7 @@ EXPORT_SYMBOL(vmalloc_user);
75342 * For tight control over page level allocator and protection flags
75343 * use __vmalloc() instead.
75344 */
75345 +#undef vmalloc_node
75346 void *vmalloc_node(unsigned long size, int node)
75347 {
75348 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75349 @@ -1748,6 +1815,7 @@ EXPORT_SYMBOL(vmalloc_node);
75350 * For tight control over page level allocator and protection flags
75351 * use __vmalloc_node() instead.
75352 */
75353 +#undef vzalloc_node
75354 void *vzalloc_node(unsigned long size, int node)
75355 {
75356 return __vmalloc_node_flags(size, node,
75357 @@ -1770,10 +1838,10 @@ EXPORT_SYMBOL(vzalloc_node);
75358 * For tight control over page level allocator and protection flags
75359 * use __vmalloc() instead.
75360 */
75361 -
75362 +#undef vmalloc_exec
75363 void *vmalloc_exec(unsigned long size)
75364 {
75365 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75366 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75367 -1, __builtin_return_address(0));
75368 }
75369
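Review bot: vmalloc_exec() now passes `__GFP_ZERO`, but the kernel-doc above the function (partly visible as context) is not updated to say the returned area is zeroed. A zero-filled executable area never exposes stale page contents, and callers may come to rely on that, so it should be documented with a sentence such as `The allocated area is zero-filled.` in the comment block. The doc comment starts outside the hunk.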
75370 @@ -1792,6 +1860,7 @@ void *vmalloc_exec(unsigned long size)
75371 * Allocate enough 32bit PA addressable pages to cover @size from the
75372 * page level allocator and map them into contiguous kernel virtual space.
75373 */
75374 +#undef vmalloc_32
75375 void *vmalloc_32(unsigned long size)
75376 {
75377 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75378 @@ -1806,6 +1875,7 @@ EXPORT_SYMBOL(vmalloc_32);
75379 * The resulting memory area is 32bit addressable and zeroed so it can be
75380 * mapped to userspace without leaking data.
75381 */
75382 +#undef vmalloc_32_user
75383 void *vmalloc_32_user(unsigned long size)
75384 {
75385 struct vm_struct *area;
75386 @@ -2068,6 +2138,8 @@ int remap_vmalloc_range(struct vm_area_s
75387 unsigned long uaddr = vma->vm_start;
75388 unsigned long usize = vma->vm_end - vma->vm_start;
75389
75390 + BUG_ON(vma->vm_mirror);
75391 +
75392 if ((PAGE_SIZE-1) & (unsigned long)addr)
75393 return -EINVAL;
75394
75395 diff -urNp linux-2.6.39.1/mm/vmstat.c linux-2.6.39.1/mm/vmstat.c
75396 --- linux-2.6.39.1/mm/vmstat.c 2011-05-19 00:06:34.000000000 -0400
75397 +++ linux-2.6.39.1/mm/vmstat.c 2011-05-22 19:41:42.000000000 -0400
75398 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
75399 *
75400 * vm_stat contains the global counters
75401 */
75402 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75403 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75404 EXPORT_SYMBOL(vm_stat);
75405
75406 #ifdef CONFIG_SMP
75407 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
75408 v = p->vm_stat_diff[i];
75409 p->vm_stat_diff[i] = 0;
75410 local_irq_restore(flags);
75411 - atomic_long_add(v, &zone->vm_stat[i]);
75412 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75413 global_diff[i] += v;
75414 #ifdef CONFIG_NUMA
75415 /* 3 seconds idle till flush */
75416 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
75417
75418 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75419 if (global_diff[i])
75420 - atomic_long_add(global_diff[i], &vm_stat[i]);
75421 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75422 }
75423
75424 #endif
75425 @@ -1205,10 +1205,20 @@ static int __init setup_vmstat(void)
75426 start_cpu_timer(cpu);
75427 #endif
75428 #ifdef CONFIG_PROC_FS
75429 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
75430 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
75431 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
75432 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
75433 + {
75434 + mode_t gr_mode = S_IRUGO;
75435 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75436 + gr_mode = S_IRUSR;
75437 +#endif
75438 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
75439 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
75440 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
75441 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
75442 +#else
75443 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
75444 +#endif
75445 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
75446 + }
75447 #endif
75448 return 0;
75449 }
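Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the vmstat entry is created with `gr_mode | S_IRGRP`, but nothing in this hunk sets the entry's group, so the extra bit grants read access to whatever group proc_create() assigns by default. If the configured proc group is applied elsewhere in the patch, a comment here should point to it; if it is not, the group bit does not reach the intended users. When CONFIG_GRKERNSEC_PROC_ADD is unset, `gr_mode` is already `S_IRUGO` and the `| S_IRGRP` is a no-op, which also deserves a short comment. setup_vmstat() starts outside the hunk.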
75450 diff -urNp linux-2.6.39.1/net/8021q/vlan.c linux-2.6.39.1/net/8021q/vlan.c
75451 --- linux-2.6.39.1/net/8021q/vlan.c 2011-05-19 00:06:34.000000000 -0400
75452 +++ linux-2.6.39.1/net/8021q/vlan.c 2011-05-22 19:36:33.000000000 -0400
75453 @@ -592,8 +592,7 @@ static int vlan_ioctl_handler(struct net
75454 err = -EPERM;
75455 if (!capable(CAP_NET_ADMIN))
75456 break;
75457 - if ((args.u.name_type >= 0) &&
75458 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
75459 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
75460 struct vlan_net *vn;
75461
75462 vn = net_generic(net, vlan_net_id);
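Review bot: Dropping the `args.u.name_type >= 0` test is behaviour-preserving only if `name_type` is an unsigned field; its declaration is outside this hunk. If it is unsigned, the removed comparison was always true and the remaining `< VLAN_NAME_TYPE_HIGHEST` test is sufficient; if it were ever signed, negative values would now pass the range check. Making the assumption explicit keeps the check safe against a later type change, for example `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`.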
75463 diff -urNp linux-2.6.39.1/net/atm/atm_misc.c linux-2.6.39.1/net/atm/atm_misc.c
75464 --- linux-2.6.39.1/net/atm/atm_misc.c 2011-05-19 00:06:34.000000000 -0400
75465 +++ linux-2.6.39.1/net/atm/atm_misc.c 2011-05-22 19:36:33.000000000 -0400
75466 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
75467 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
75468 return 1;
75469 atm_return(vcc, truesize);
75470 - atomic_inc(&vcc->stats->rx_drop);
75471 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75472 return 0;
75473 }
75474 EXPORT_SYMBOL(atm_charge);
75475 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
75476 }
75477 }
75478 atm_return(vcc, guess);
75479 - atomic_inc(&vcc->stats->rx_drop);
75480 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75481 return NULL;
75482 }
75483 EXPORT_SYMBOL(atm_alloc_charge);
75484 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
75485
75486 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
75487 {
75488 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75489 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75490 __SONET_ITEMS
75491 #undef __HANDLE_ITEM
75492 }
75493 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
75494
75495 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
75496 {
75497 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75498 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
75499 __SONET_ITEMS
75500 #undef __HANDLE_ITEM
75501 }
75502 diff -urNp linux-2.6.39.1/net/atm/mpoa_caches.c linux-2.6.39.1/net/atm/mpoa_caches.c
75503 --- linux-2.6.39.1/net/atm/mpoa_caches.c 2011-05-19 00:06:34.000000000 -0400
75504 +++ linux-2.6.39.1/net/atm/mpoa_caches.c 2011-05-22 19:36:33.000000000 -0400
75505 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
75506 struct timeval now;
75507 struct k_message msg;
75508
75509 + pax_track_stack();
75510 +
75511 do_gettimeofday(&now);
75512
75513 read_lock_bh(&client->ingress_lock);
75514 diff -urNp linux-2.6.39.1/net/atm/proc.c linux-2.6.39.1/net/atm/proc.c
75515 --- linux-2.6.39.1/net/atm/proc.c 2011-05-19 00:06:34.000000000 -0400
75516 +++ linux-2.6.39.1/net/atm/proc.c 2011-05-22 19:41:42.000000000 -0400
75517 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
75518 const struct k_atm_aal_stats *stats)
75519 {
75520 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
75521 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
75522 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
75523 - atomic_read(&stats->rx_drop));
75524 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
75525 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
75526 + atomic_read_unchecked(&stats->rx_drop));
75527 }
75528
75529 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
75530 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
75531 {
75532 struct sock *sk = sk_atm(vcc);
75533
75534 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75535 + seq_printf(seq, "%p ", NULL);
75536 +#else
75537 seq_printf(seq, "%p ", vcc);
75538 +#endif
75539 +
75540 if (!vcc->dev)
75541 seq_printf(seq, "Unassigned ");
75542 else
75543 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
75544 {
75545 if (!vcc->dev)
75546 seq_printf(seq, sizeof(void *) == 4 ?
75547 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75548 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
75549 +#else
75550 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
75551 +#endif
75552 else
75553 seq_printf(seq, "%3d %3d %5d ",
75554 vcc->dev->number, vcc->vpi, vcc->vci);
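Review bot: In svc_info() the `#ifdef CONFIG_GRKERNSEC_HIDESYM` splits a single seq_printf() call in the middle of its argument list and duplicates both format strings, which is hard to read and easy to break when the format changes. Selecting the printed pointer once keeps the call intact: declare a local that is `NULL` under CONFIG_GRKERNSEC_HIDESYM and `vcc` otherwise, then pass `"N/A@%p%10s" : "N/A@%p%2s", shown, "");` unconditionally (`shown` is a name made up for this note). The same local would serve the `seq_printf(seq, "%p ", ...)` pair in vcc_info() in the previous hunk. Both functions continue outside their hunks.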
75555 diff -urNp linux-2.6.39.1/net/atm/resources.c linux-2.6.39.1/net/atm/resources.c
75556 --- linux-2.6.39.1/net/atm/resources.c 2011-05-19 00:06:34.000000000 -0400
75557 +++ linux-2.6.39.1/net/atm/resources.c 2011-05-22 19:36:33.000000000 -0400
75558 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
75559 static void copy_aal_stats(struct k_atm_aal_stats *from,
75560 struct atm_aal_stats *to)
75561 {
75562 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75563 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75564 __AAL_STAT_ITEMS
75565 #undef __HANDLE_ITEM
75566 }
75567 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
75568 static void subtract_aal_stats(struct k_atm_aal_stats *from,
75569 struct atm_aal_stats *to)
75570 {
75571 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75572 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
75573 __AAL_STAT_ITEMS
75574 #undef __HANDLE_ITEM
75575 }
75576 diff -urNp linux-2.6.39.1/net/batman-adv/hard-interface.c linux-2.6.39.1/net/batman-adv/hard-interface.c
75577 --- linux-2.6.39.1/net/batman-adv/hard-interface.c 2011-05-19 00:06:34.000000000 -0400
75578 +++ linux-2.6.39.1/net/batman-adv/hard-interface.c 2011-05-22 19:36:33.000000000 -0400
75579 @@ -339,8 +339,8 @@ int hardif_enable_interface(struct hard_
75580 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
75581 dev_add_pack(&hard_iface->batman_adv_ptype);
75582
75583 - atomic_set(&hard_iface->seqno, 1);
75584 - atomic_set(&hard_iface->frag_seqno, 1);
75585 + atomic_set_unchecked(&hard_iface->seqno, 1);
75586 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
75587 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
75588 hard_iface->net_dev->name);
75589
75590 diff -urNp linux-2.6.39.1/net/batman-adv/routing.c linux-2.6.39.1/net/batman-adv/routing.c
75591 --- linux-2.6.39.1/net/batman-adv/routing.c 2011-05-19 00:06:34.000000000 -0400
75592 +++ linux-2.6.39.1/net/batman-adv/routing.c 2011-05-22 19:36:33.000000000 -0400
75593 @@ -625,7 +625,7 @@ void receive_bat_packet(struct ethhdr *e
75594 return;
75595
75596 /* could be changed by schedule_own_packet() */
75597 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
75598 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
75599
75600 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
75601
75602 diff -urNp linux-2.6.39.1/net/batman-adv/send.c linux-2.6.39.1/net/batman-adv/send.c
75603 --- linux-2.6.39.1/net/batman-adv/send.c 2011-05-19 00:06:34.000000000 -0400
75604 +++ linux-2.6.39.1/net/batman-adv/send.c 2011-05-22 19:36:33.000000000 -0400
75605 @@ -277,7 +277,7 @@ void schedule_own_packet(struct hard_ifa
75606
75607 /* change sequence number to network order */
75608 batman_packet->seqno =
75609 - htonl((uint32_t)atomic_read(&hard_iface->seqno));
75610 + htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
75611
75612 if (vis_server == VIS_TYPE_SERVER_SYNC)
75613 batman_packet->flags |= VIS_SERVER;
75614 @@ -291,7 +291,7 @@ void schedule_own_packet(struct hard_ifa
75615 else
75616 batman_packet->gw_flags = 0;
75617
75618 - atomic_inc(&hard_iface->seqno);
75619 + atomic_inc_unchecked(&hard_iface->seqno);
75620
75621 slide_own_bcast_window(hard_iface);
75622 send_time = own_send_time(bat_priv);
75623 diff -urNp linux-2.6.39.1/net/batman-adv/soft-interface.c linux-2.6.39.1/net/batman-adv/soft-interface.c
75624 --- linux-2.6.39.1/net/batman-adv/soft-interface.c 2011-05-19 00:06:34.000000000 -0400
75625 +++ linux-2.6.39.1/net/batman-adv/soft-interface.c 2011-05-22 19:36:33.000000000 -0400
75626 @@ -386,7 +386,7 @@ int interface_tx(struct sk_buff *skb, st
75627
75628 /* set broadcast sequence number */
75629 bcast_packet->seqno =
75630 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
75631 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
75632
75633 add_bcast_packet_to_list(bat_priv, skb);
75634
75635 @@ -579,7 +579,7 @@ struct net_device *softif_create(char *n
75636 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
75637
75638 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
75639 - atomic_set(&bat_priv->bcast_seqno, 1);
75640 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
75641 atomic_set(&bat_priv->hna_local_changed, 0);
75642
75643 bat_priv->primary_if = NULL;
75644 diff -urNp linux-2.6.39.1/net/batman-adv/types.h linux-2.6.39.1/net/batman-adv/types.h
75645 --- linux-2.6.39.1/net/batman-adv/types.h 2011-05-19 00:06:34.000000000 -0400
75646 +++ linux-2.6.39.1/net/batman-adv/types.h 2011-05-22 19:36:33.000000000 -0400
75647 @@ -38,8 +38,8 @@ struct hard_iface {
75648 int16_t if_num;
75649 char if_status;
75650 struct net_device *net_dev;
75651 - atomic_t seqno;
75652 - atomic_t frag_seqno;
75653 + atomic_unchecked_t seqno;
75654 + atomic_unchecked_t frag_seqno;
75655 unsigned char *packet_buff;
75656 int packet_len;
75657 struct kobject *hardif_obj;
75658 @@ -141,7 +141,7 @@ struct bat_priv {
75659 atomic_t orig_interval; /* uint */
75660 atomic_t hop_penalty; /* uint */
75661 atomic_t log_level; /* uint */
75662 - atomic_t bcast_seqno;
75663 + atomic_unchecked_t bcast_seqno;
75664 atomic_t bcast_queue_left;
75665 atomic_t batman_queue_left;
75666 char num_ifaces;
75667 diff -urNp linux-2.6.39.1/net/batman-adv/unicast.c linux-2.6.39.1/net/batman-adv/unicast.c
75668 --- linux-2.6.39.1/net/batman-adv/unicast.c 2011-05-19 00:06:34.000000000 -0400
75669 +++ linux-2.6.39.1/net/batman-adv/unicast.c 2011-05-22 19:36:33.000000000 -0400
75670 @@ -263,7 +263,7 @@ int frag_send_skb(struct sk_buff *skb, s
75671 frag1->flags = UNI_FRAG_HEAD | large_tail;
75672 frag2->flags = large_tail;
75673
75674 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
75675 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
75676 frag1->seqno = htons(seqno - 1);
75677 frag2->seqno = htons(seqno);
75678
75679 diff -urNp linux-2.6.39.1/net/bluetooth/l2cap_sock.c linux-2.6.39.1/net/bluetooth/l2cap_sock.c
75680 --- linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
75681 +++ linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
75682 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
75683 break;
75684 }
75685
75686 + memset(&cinfo, 0, sizeof(cinfo));
75687 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
75688 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
75689
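Review bot: The added `memset(&cinfo, 0, sizeof(cinfo));` has no comment, and without one it looks redundant because the next two statements assign the visible fields. Presumably `cinfo` is later copied to user space (that code is outside the hunk), in which case the memset is what keeps padding and unassigned bytes of the stack structure from being disclosed. A comment such as `/* clear padding: the whole struct is copied to user space below */` would stop it being removed as dead code. The same applies to the identical line added in rfcomm_sock_getsockopt_old() in net/bluetooth/rfcomm/sock.c.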
75690 diff -urNp linux-2.6.39.1/net/bluetooth/rfcomm/sock.c linux-2.6.39.1/net/bluetooth/rfcomm/sock.c
75691 --- linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
75692 +++ linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
75693 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
75694
75695 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
75696
75697 + memset(&cinfo, 0, sizeof(cinfo));
75698 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
75699 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
75700
75701 diff -urNp linux-2.6.39.1/net/bridge/br_multicast.c linux-2.6.39.1/net/bridge/br_multicast.c
75702 --- linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
75703 +++ linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400
75704 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
75705 nexthdr = ip6h->nexthdr;
75706 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
75707
75708 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
75709 + if (nexthdr != IPPROTO_ICMPV6)
75710 return 0;
75711
75712 /* Okay, we found ICMPv6 header */
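Review bot: After this change the return value of ipv6_skip_exthdr() is no longer tested for failure before `offset` is used. Removing `offset < 0` is harmless only if `offset` is declared unsigned (the declaration is outside the hunk), and in that case a failure return is still stored and then relied on to be filtered by the `nexthdr != IPPROTO_ICMPV6` test. Declaring `offset` as `int` and keeping the original `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)` would handle the error explicitly. At minimum a comment should say why the error return cannot reach the code below.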
75713 diff -urNp linux-2.6.39.1/net/bridge/netfilter/ebtables.c linux-2.6.39.1/net/bridge/netfilter/ebtables.c
75714 --- linux-2.6.39.1/net/bridge/netfilter/ebtables.c 2011-05-19 00:06:34.000000000 -0400
75715 +++ linux-2.6.39.1/net/bridge/netfilter/ebtables.c 2011-05-22 19:36:33.000000000 -0400
75716 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
75717 tmp.valid_hooks = t->table->valid_hooks;
75718 }
75719 mutex_unlock(&ebt_mutex);
75720 - if (copy_to_user(user, &tmp, *len) != 0){
75721 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
75722 BUGPRINT("c2u Didn't work\n");
75723 ret = -EFAULT;
75724 break;
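Review bot: The new `*len > sizeof(tmp)` test shares the copy_to_user() failure branch, so an oversized length is reported as `-EFAULT` with the message "c2u Didn't work" even though no copy was attempted. A separate test before the copy would make the two failures distinguishable: `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }`. If `*len` is a signed int (its declaration is outside the hunk), a negative value converts to a large unsigned value in this comparison and is rejected as well, which is the desired outcome and worth a short comment.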
75725 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
75726 int ret;
75727 void __user *pos;
75728
75729 + pax_track_stack();
75730 +
75731 memset(&tinfo, 0, sizeof(tinfo));
75732
75733 if (cmd == EBT_SO_GET_ENTRIES) {
75734 diff -urNp linux-2.6.39.1/net/caif/caif_socket.c linux-2.6.39.1/net/caif/caif_socket.c
75735 --- linux-2.6.39.1/net/caif/caif_socket.c 2011-05-19 00:06:34.000000000 -0400
75736 +++ linux-2.6.39.1/net/caif/caif_socket.c 2011-05-22 19:36:33.000000000 -0400
75737 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
75738 #ifdef CONFIG_DEBUG_FS
75739 struct debug_fs_counter {
75740 atomic_t caif_nr_socks;
75741 - atomic_t num_connect_req;
75742 - atomic_t num_connect_resp;
75743 - atomic_t num_connect_fail_resp;
75744 - atomic_t num_disconnect;
75745 - atomic_t num_remote_shutdown_ind;
75746 - atomic_t num_tx_flow_off_ind;
75747 - atomic_t num_tx_flow_on_ind;
75748 - atomic_t num_rx_flow_off;
75749 - atomic_t num_rx_flow_on;
75750 + atomic_unchecked_t num_connect_req;
75751 + atomic_unchecked_t num_connect_resp;
75752 + atomic_unchecked_t num_connect_fail_resp;
75753 + atomic_unchecked_t num_disconnect;
75754 + atomic_unchecked_t num_remote_shutdown_ind;
75755 + atomic_unchecked_t num_tx_flow_off_ind;
75756 + atomic_unchecked_t num_tx_flow_on_ind;
75757 + atomic_unchecked_t num_rx_flow_off;
75758 + atomic_unchecked_t num_rx_flow_on;
75759 };
75760 static struct debug_fs_counter cnt;
75761 #define dbfs_atomic_inc(v) atomic_inc(v)
75762 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
75763 #define dbfs_atomic_dec(v) atomic_dec(v)
75764 #else
75765 #define dbfs_atomic_inc(v)
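Review bot: `dbfs_atomic_inc_unchecked` is defined only in the `CONFIG_DEBUG_FS` branch; the hunk grows by exactly one line (18 old, 19 new), so the `#else` branch that begins at the end of the hunk gets no empty counterpart. Every call site converted in the later hunks of this file (`caif_queue_rcv_skb`, `caif_ctrl_cb`, `caif_check_flow_release`, `caif_connect`, `caif_release`) would then reference an undeclared function and an undeclared `cnt` when debugfs is disabled. Adding `#define dbfs_atomic_inc_unchecked(v)` next to the existing empty `#define dbfs_atomic_inc(v)` keeps that configuration building. The rest of the `#else` branch lies outside the hunk.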
75766 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
75767 atomic_read(&cf_sk->sk.sk_rmem_alloc),
75768 sk_rcvbuf_lowwater(cf_sk));
75769 set_rx_flow_off(cf_sk);
75770 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
75771 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
75772 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
75773 }
75774
75775 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
75776 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
75777 set_rx_flow_off(cf_sk);
75778 pr_debug("sending flow OFF due to rmem_schedule\n");
75779 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
75780 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
75781 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
75782 }
75783 skb->dev = NULL;
75784 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
75785 switch (flow) {
75786 case CAIF_CTRLCMD_FLOW_ON_IND:
75787 /* OK from modem to start sending again */
75788 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
75789 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
75790 set_tx_flow_on(cf_sk);
75791 cf_sk->sk.sk_state_change(&cf_sk->sk);
75792 break;
75793
75794 case CAIF_CTRLCMD_FLOW_OFF_IND:
75795 /* Modem asks us to shut up */
75796 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
75797 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
75798 set_tx_flow_off(cf_sk);
75799 cf_sk->sk.sk_state_change(&cf_sk->sk);
75800 break;
75801
75802 case CAIF_CTRLCMD_INIT_RSP:
75803 /* We're now connected */
75804 - dbfs_atomic_inc(&cnt.num_connect_resp);
75805 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
75806 cf_sk->sk.sk_state = CAIF_CONNECTED;
75807 set_tx_flow_on(cf_sk);
75808 cf_sk->sk.sk_state_change(&cf_sk->sk);
75809 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
75810
75811 case CAIF_CTRLCMD_INIT_FAIL_RSP:
75812 /* Connect request failed */
75813 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
75814 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
75815 cf_sk->sk.sk_err = ECONNREFUSED;
75816 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
75817 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
75818 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
75819
75820 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
75821 /* Modem has closed this connection, or device is down. */
75822 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
75823 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
75824 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
75825 cf_sk->sk.sk_err = ECONNRESET;
75826 set_rx_flow_on(cf_sk);
75827 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
75828 return;
75829
75830 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
75831 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
75832 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
75833 set_rx_flow_on(cf_sk);
75834 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
75835 }
75836 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
75837 /*ifindex = id of the interface.*/
75838 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
75839
75840 - dbfs_atomic_inc(&cnt.num_connect_req);
75841 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
75842 cf_sk->layer.receive = caif_sktrecv_cb;
75843 err = caif_connect_client(&cf_sk->conn_req,
75844 &cf_sk->layer, &ifindex, &headroom, &tailroom);
75845 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
75846 spin_unlock(&sk->sk_receive_queue.lock);
75847 sock->sk = NULL;
75848
75849 - dbfs_atomic_inc(&cnt.num_disconnect);
75850 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
75851
75852 if (cf_sk->debugfs_socket_dir != NULL)
75853 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
75854 diff -urNp linux-2.6.39.1/net/caif/cfctrl.c linux-2.6.39.1/net/caif/cfctrl.c
75855 --- linux-2.6.39.1/net/caif/cfctrl.c 2011-05-19 00:06:34.000000000 -0400
75856 +++ linux-2.6.39.1/net/caif/cfctrl.c 2011-05-22 19:36:33.000000000 -0400
75857 @@ -9,6 +9,7 @@
75858 #include <linux/stddef.h>
75859 #include <linux/spinlock.h>
75860 #include <linux/slab.h>
75861 +#include <linux/sched.h>
75862 #include <net/caif/caif_layer.h>
75863 #include <net/caif/cfpkt.h>
75864 #include <net/caif/cfctrl.h>
75865 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
75866 dev_info.id = 0xff;
75867 memset(this, 0, sizeof(*this));
75868 cfsrvl_init(&this->serv, 0, &dev_info, false);
75869 - atomic_set(&this->req_seq_no, 1);
75870 - atomic_set(&this->rsp_seq_no, 1);
75871 + atomic_set_unchecked(&this->req_seq_no, 1);
75872 + atomic_set_unchecked(&this->rsp_seq_no, 1);
75873 this->serv.layer.receive = cfctrl_recv;
75874 sprintf(this->serv.layer.name, "ctrl");
75875 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
75876 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
75877 struct cfctrl_request_info *req)
75878 {
75879 spin_lock(&ctrl->info_list_lock);
75880 - atomic_inc(&ctrl->req_seq_no);
75881 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
75882 + atomic_inc_unchecked(&ctrl->req_seq_no);
75883 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
75884 list_add_tail(&req->list, &ctrl->list);
75885 spin_unlock(&ctrl->info_list_lock);
75886 }
75887 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
75888 if (p != first)
75889 pr_warn("Requests are not received in order\n");
75890
75891 - atomic_set(&ctrl->rsp_seq_no,
75892 + atomic_set_unchecked(&ctrl->rsp_seq_no,
75893 p->sequence_no);
75894 list_del(&p->list);
75895 goto out;
75896 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
75897 struct cfctrl *cfctrl = container_obj(layer);
75898 struct cfctrl_request_info rsp, *req;
75899
75900 + pax_track_stack();
75901
75902 cfpkt_extr_head(pkt, &cmdrsp, 1);
75903 cmd = cmdrsp & CFCTRL_CMD_MASK;
75904 diff -urNp linux-2.6.39.1/net/can/bcm.c linux-2.6.39.1/net/can/bcm.c
75905 --- linux-2.6.39.1/net/can/bcm.c 2011-05-19 00:06:34.000000000 -0400
75906 +++ linux-2.6.39.1/net/can/bcm.c 2011-05-22 19:41:42.000000000 -0400
75907 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
75908 struct bcm_sock *bo = bcm_sk(sk);
75909 struct bcm_op *op;
75910
75911 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75912 + seq_printf(m, ">>> socket %p", NULL);
75913 + seq_printf(m, " / sk %p", NULL);
75914 + seq_printf(m, " / bo %p", NULL);
75915 +#else
75916 seq_printf(m, ">>> socket %p", sk->sk_socket);
75917 seq_printf(m, " / sk %p", sk);
75918 seq_printf(m, " / bo %p", bo);
75919 +#endif
75920 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
75921 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
75922 seq_printf(m, " <<<\n");
75923 diff -urNp linux-2.6.39.1/net/core/datagram.c linux-2.6.39.1/net/core/datagram.c
75924 --- linux-2.6.39.1/net/core/datagram.c 2011-05-19 00:06:34.000000000 -0400
75925 +++ linux-2.6.39.1/net/core/datagram.c 2011-05-22 19:36:33.000000000 -0400
75926 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
75927 }
75928
75929 kfree_skb(skb);
75930 - atomic_inc(&sk->sk_drops);
75931 + atomic_inc_unchecked(&sk->sk_drops);
75932 sk_mem_reclaim_partial(sk);
75933
75934 return err;
75935 diff -urNp linux-2.6.39.1/net/core/dev.c linux-2.6.39.1/net/core/dev.c
75936 --- linux-2.6.39.1/net/core/dev.c 2011-06-03 00:04:14.000000000 -0400
75937 +++ linux-2.6.39.1/net/core/dev.c 2011-06-03 00:32:08.000000000 -0400
75938 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
75939 if (no_module && capable(CAP_NET_ADMIN))
75940 no_module = request_module("netdev-%s", name);
75941 if (no_module && capable(CAP_SYS_MODULE)) {
75942 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
75943 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
75944 +#else
75945 if (!request_module("%s", name))
75946 pr_err("Loading kernel module for a network device "
75947 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
75948 "instead\n", name);
75949 +#endif
75950 }
75951 }
75952 EXPORT_SYMBOL(dev_load);
75953 @@ -1957,7 +1961,7 @@ struct dev_gso_cb {
75954
75955 static void dev_gso_skb_destructor(struct sk_buff *skb)
75956 {
75957 - struct dev_gso_cb *cb;
75958 + const struct dev_gso_cb *cb;
75959
75960 do {
75961 struct sk_buff *nskb = skb->next;
75962 @@ -2901,7 +2905,7 @@ int netif_rx_ni(struct sk_buff *skb)
75963 }
75964 EXPORT_SYMBOL(netif_rx_ni);
75965
75966 -static void net_tx_action(struct softirq_action *h)
75967 +static void net_tx_action(void)
75968 {
75969 struct softnet_data *sd = &__get_cpu_var(softnet_data);
75970
75971 @@ -3765,7 +3769,7 @@ void netif_napi_del(struct napi_struct *
75972 }
75973 EXPORT_SYMBOL(netif_napi_del);
75974
75975 -static void net_rx_action(struct softirq_action *h)
75976 +static void net_rx_action(void)
75977 {
75978 struct softnet_data *sd = &__get_cpu_var(softnet_data);
75979 unsigned long time_limit = jiffies + 2;
75980 diff -urNp linux-2.6.39.1/net/core/flow.c linux-2.6.39.1/net/core/flow.c
75981 --- linux-2.6.39.1/net/core/flow.c 2011-05-19 00:06:34.000000000 -0400
75982 +++ linux-2.6.39.1/net/core/flow.c 2011-05-22 19:36:34.000000000 -0400
75983 @@ -60,7 +60,7 @@ struct flow_cache {
75984 struct timer_list rnd_timer;
75985 };
75986
75987 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
75988 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
75989 EXPORT_SYMBOL(flow_cache_genid);
75990 static struct flow_cache flow_cache_global;
75991 static struct kmem_cache *flow_cachep __read_mostly;
75992 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
75993
75994 static int flow_entry_valid(struct flow_cache_entry *fle)
75995 {
75996 - if (atomic_read(&flow_cache_genid) != fle->genid)
75997 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
75998 return 0;
75999 if (fle->object && !fle->object->ops->check(fle->object))
76000 return 0;
76001 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
76002 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
76003 fcp->hash_count++;
76004 }
76005 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
76006 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
76007 flo = fle->object;
76008 if (!flo)
76009 goto ret_object;
76010 @@ -274,7 +274,7 @@ nocache:
76011 }
76012 flo = resolver(net, key, family, dir, flo, ctx);
76013 if (fle) {
76014 - fle->genid = atomic_read(&flow_cache_genid);
76015 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
76016 if (!IS_ERR(flo))
76017 fle->object = flo;
76018 else
76019 diff -urNp linux-2.6.39.1/net/core/skbuff.c linux-2.6.39.1/net/core/skbuff.c
76020 --- linux-2.6.39.1/net/core/skbuff.c 2011-06-03 00:04:14.000000000 -0400
76021 +++ linux-2.6.39.1/net/core/skbuff.c 2011-06-03 00:32:08.000000000 -0400
76022 @@ -1542,6 +1542,8 @@ int skb_splice_bits(struct sk_buff *skb,
76023 struct sock *sk = skb->sk;
76024 int ret = 0;
76025
76026 + pax_track_stack();
76027 +
76028 if (splice_grow_spd(pipe, &spd))
76029 return -ENOMEM;
76030
76031 diff -urNp linux-2.6.39.1/net/core/sock.c linux-2.6.39.1/net/core/sock.c
76032 --- linux-2.6.39.1/net/core/sock.c 2011-05-19 00:06:34.000000000 -0400
76033 +++ linux-2.6.39.1/net/core/sock.c 2011-05-22 19:36:34.000000000 -0400
76034 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76035 */
76036 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
76037 (unsigned)sk->sk_rcvbuf) {
76038 - atomic_inc(&sk->sk_drops);
76039 + atomic_inc_unchecked(&sk->sk_drops);
76040 return -ENOMEM;
76041 }
76042
76043 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76044 return err;
76045
76046 if (!sk_rmem_schedule(sk, skb->truesize)) {
76047 - atomic_inc(&sk->sk_drops);
76048 + atomic_inc_unchecked(&sk->sk_drops);
76049 return -ENOBUFS;
76050 }
76051
76052 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76053 skb_dst_force(skb);
76054
76055 spin_lock_irqsave(&list->lock, flags);
76056 - skb->dropcount = atomic_read(&sk->sk_drops);
76057 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
76058 __skb_queue_tail(list, skb);
76059 spin_unlock_irqrestore(&list->lock, flags);
76060
76061 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
76062 skb->dev = NULL;
76063
76064 if (sk_rcvqueues_full(sk, skb)) {
76065 - atomic_inc(&sk->sk_drops);
76066 + atomic_inc_unchecked(&sk->sk_drops);
76067 goto discard_and_relse;
76068 }
76069 if (nested)
76070 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
76071 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
76072 } else if (sk_add_backlog(sk, skb)) {
76073 bh_unlock_sock(sk);
76074 - atomic_inc(&sk->sk_drops);
76075 + atomic_inc_unchecked(&sk->sk_drops);
76076 goto discard_and_relse;
76077 }
76078
76079 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
76080 return -ENOTCONN;
76081 if (lv < len)
76082 return -EINVAL;
76083 - if (copy_to_user(optval, address, len))
76084 + if (len > sizeof(address) || copy_to_user(optval, address, len))
76085 return -EFAULT;
76086 goto lenout;
76087 }
76088 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
76089
76090 if (len > lv)
76091 len = lv;
76092 - if (copy_to_user(optval, &v, len))
76093 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
76094 return -EFAULT;
76095 lenout:
76096 if (put_user(len, optlen))
76097 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
76098 */
76099 smp_wmb();
76100 atomic_set(&sk->sk_refcnt, 1);
76101 - atomic_set(&sk->sk_drops, 0);
76102 + atomic_set_unchecked(&sk->sk_drops, 0);
76103 }
76104 EXPORT_SYMBOL(sock_init_data);
76105
76106 diff -urNp linux-2.6.39.1/net/decnet/sysctl_net_decnet.c linux-2.6.39.1/net/decnet/sysctl_net_decnet.c
76107 --- linux-2.6.39.1/net/decnet/sysctl_net_decnet.c 2011-05-19 00:06:34.000000000 -0400
76108 +++ linux-2.6.39.1/net/decnet/sysctl_net_decnet.c 2011-05-22 19:36:34.000000000 -0400
76109 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
76110
76111 if (len > *lenp) len = *lenp;
76112
76113 - if (copy_to_user(buffer, addr, len))
76114 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
76115 return -EFAULT;
76116
76117 *lenp = len;
76118 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
76119
76120 if (len > *lenp) len = *lenp;
76121
76122 - if (copy_to_user(buffer, devname, len))
76123 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
76124 return -EFAULT;
76125
76126 *lenp = len;
76127 diff -urNp linux-2.6.39.1/net/econet/Kconfig linux-2.6.39.1/net/econet/Kconfig
76128 --- linux-2.6.39.1/net/econet/Kconfig 2011-05-19 00:06:34.000000000 -0400
76129 +++ linux-2.6.39.1/net/econet/Kconfig 2011-05-22 19:41:42.000000000 -0400
76130 @@ -4,7 +4,7 @@
76131
76132 config ECONET
76133 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76134 - depends on EXPERIMENTAL && INET
76135 + depends on EXPERIMENTAL && INET && BROKEN
76136 ---help---
76137 Econet is a fairly old and slow networking protocol mainly used by
76138 Acorn computers to access file and print servers. It uses native
76139 diff -urNp linux-2.6.39.1/net/ipv4/fib_frontend.c linux-2.6.39.1/net/ipv4/fib_frontend.c
76140 --- linux-2.6.39.1/net/ipv4/fib_frontend.c 2011-05-19 00:06:34.000000000 -0400
76141 +++ linux-2.6.39.1/net/ipv4/fib_frontend.c 2011-05-22 19:36:34.000000000 -0400
76142 @@ -968,12 +968,12 @@ static int fib_inetaddr_event(struct not
76143 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76144 fib_sync_up(dev);
76145 #endif
76146 - atomic_inc(&net->ipv4.dev_addr_genid);
76147 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76148 rt_cache_flush(dev_net(dev), -1);
76149 break;
76150 case NETDEV_DOWN:
76151 fib_del_ifaddr(ifa, NULL);
76152 - atomic_inc(&net->ipv4.dev_addr_genid);
76153 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76154 if (ifa->ifa_dev->ifa_list == NULL) {
76155 /* Last address was deleted from this interface.
76156 * Disable IP.
76157 @@ -1009,7 +1009,7 @@ static int fib_netdev_event(struct notif
76158 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76159 fib_sync_up(dev);
76160 #endif
76161 - atomic_inc(&net->ipv4.dev_addr_genid);
76162 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76163 rt_cache_flush(dev_net(dev), -1);
76164 break;
76165 case NETDEV_DOWN:
76166 diff -urNp linux-2.6.39.1/net/ipv4/fib_semantics.c linux-2.6.39.1/net/ipv4/fib_semantics.c
76167 --- linux-2.6.39.1/net/ipv4/fib_semantics.c 2011-05-19 00:06:34.000000000 -0400
76168 +++ linux-2.6.39.1/net/ipv4/fib_semantics.c 2011-05-22 19:36:34.000000000 -0400
76169 @@ -701,7 +701,7 @@ __be32 fib_info_update_nh_saddr(struct n
76170 nh->nh_saddr = inet_select_addr(nh->nh_dev,
76171 nh->nh_gw,
76172 nh->nh_parent->fib_scope);
76173 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
76174 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
76175
76176 return nh->nh_saddr;
76177 }
76178 diff -urNp linux-2.6.39.1/net/ipv4/inet_diag.c linux-2.6.39.1/net/ipv4/inet_diag.c
76179 --- linux-2.6.39.1/net/ipv4/inet_diag.c 2011-05-19 00:06:34.000000000 -0400
76180 +++ linux-2.6.39.1/net/ipv4/inet_diag.c 2011-05-22 19:41:42.000000000 -0400
76181 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
76182 r->idiag_retrans = 0;
76183
76184 r->id.idiag_if = sk->sk_bound_dev_if;
76185 +
76186 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76187 + r->id.idiag_cookie[0] = 0;
76188 + r->id.idiag_cookie[1] = 0;
76189 +#else
76190 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76191 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76192 +#endif
76193
76194 r->id.idiag_sport = inet->inet_sport;
76195 r->id.idiag_dport = inet->inet_dport;
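Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the cookie is reported as 0 with no comment explaining the trade-off, and 0 is not the `INET_DIAG_NOCOOKIE` value that `inet_diag_get_exact` treats as "no cookie" in a later hunk of this file. That hunk also compiles the cookie comparison out, so an exact lookup can no longer answer -ESTALE when the socket found is not the one the caller saw earlier. This looks intended, because the comparison would otherwise confirm or refute a caller-supplied address, but it should be written down. A comment such as `/* HIDESYM: the cookie is the socket address; report none and skip the -ESTALE match */` at each site would do, and filling in `INET_DIAG_NOCOOKIE` instead of 0 would keep the reported value consistent with the sentinel. The same applies to the `inet_twsk_diag_fill` and `inet_diag_fill_req` hunks.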
76196 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
76197 r->idiag_family = tw->tw_family;
76198 r->idiag_retrans = 0;
76199 r->id.idiag_if = tw->tw_bound_dev_if;
76200 +
76201 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76202 + r->id.idiag_cookie[0] = 0;
76203 + r->id.idiag_cookie[1] = 0;
76204 +#else
76205 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76206 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76207 +#endif
76208 +
76209 r->id.idiag_sport = tw->tw_sport;
76210 r->id.idiag_dport = tw->tw_dport;
76211 r->id.idiag_src[0] = tw->tw_rcv_saddr;
76212 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
76213 if (sk == NULL)
76214 goto unlock;
76215
76216 +#ifndef CONFIG_GRKERNSEC_HIDESYM
76217 err = -ESTALE;
76218 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76219 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76220 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76221 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76222 goto out;
76223 +#endif
76224
76225 err = -ENOMEM;
76226 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
76227 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
76228 r->idiag_retrans = req->retrans;
76229
76230 r->id.idiag_if = sk->sk_bound_dev_if;
76231 +
76232 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76233 + r->id.idiag_cookie[0] = 0;
76234 + r->id.idiag_cookie[1] = 0;
76235 +#else
76236 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76237 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76238 +#endif
76239
76240 tmo = req->expires - jiffies;
76241 if (tmo < 0)
76242 diff -urNp linux-2.6.39.1/net/ipv4/inet_hashtables.c linux-2.6.39.1/net/ipv4/inet_hashtables.c
76243 --- linux-2.6.39.1/net/ipv4/inet_hashtables.c 2011-05-19 00:06:34.000000000 -0400
76244 +++ linux-2.6.39.1/net/ipv4/inet_hashtables.c 2011-05-22 19:41:42.000000000 -0400
76245 @@ -18,11 +18,14 @@
76246 #include <linux/sched.h>
76247 #include <linux/slab.h>
76248 #include <linux/wait.h>
76249 +#include <linux/security.h>
76250
76251 #include <net/inet_connection_sock.h>
76252 #include <net/inet_hashtables.h>
76253 #include <net/ip.h>
76254
76255 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76256 +
76257 /*
76258 * Allocate and initialize a new local port bind bucket.
76259 * The bindhash mutex for snum's hash chain must be held here.
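Review bot: The prototype for `gr_update_task_in_ip_table` is written as a local `extern` in this .c file, so the compiler cannot check it against the definition; it belongs in a header included by both the definition and this caller. The hunk already adds `<linux/security.h>`, which might be a suitable home, though where the helper is defined is not visible from here. The same pattern recurs for `grsec_enable_blackhole` in the tcp_ipv4.c and tcp_minisocks.c hunks and for `grsec_lastack_retries` in tcp_timer.c.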
76260 @@ -529,6 +532,8 @@ ok:
76261 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
76262 spin_unlock(&head->lock);
76263
76264 + gr_update_task_in_ip_table(current, inet_sk(sk));
76265 +
76266 if (tw) {
76267 inet_twsk_deschedule(tw, death_row);
76268 while (twrefcnt) {
76269 diff -urNp linux-2.6.39.1/net/ipv4/inetpeer.c linux-2.6.39.1/net/ipv4/inetpeer.c
76270 --- linux-2.6.39.1/net/ipv4/inetpeer.c 2011-05-19 00:06:34.000000000 -0400
76271 +++ linux-2.6.39.1/net/ipv4/inetpeer.c 2011-05-22 19:36:34.000000000 -0400
76272 @@ -467,6 +467,8 @@ struct inet_peer *inet_getpeer(struct in
76273 unsigned int sequence;
76274 int invalidated;
76275
76276 + pax_track_stack();
76277 +
76278 /* Look up for the address quickly, lockless.
76279 * Because of a concurrent writer, we might not find an existing entry.
76280 */
76281 @@ -504,8 +506,8 @@ struct inet_peer *inet_getpeer(struct in
76282 if (p) {
76283 p->daddr = *daddr;
76284 atomic_set(&p->refcnt, 1);
76285 - atomic_set(&p->rid, 0);
76286 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76287 + atomic_set_unchecked(&p->rid, 0);
76288 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76289 p->tcp_ts_stamp = 0;
76290 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
76291 p->rate_tokens = 0;
76292 diff -urNp linux-2.6.39.1/net/ipv4/ip_fragment.c linux-2.6.39.1/net/ipv4/ip_fragment.c
76293 --- linux-2.6.39.1/net/ipv4/ip_fragment.c 2011-05-19 00:06:34.000000000 -0400
76294 +++ linux-2.6.39.1/net/ipv4/ip_fragment.c 2011-05-22 19:36:34.000000000 -0400
76295 @@ -297,7 +297,7 @@ static inline int ip_frag_too_far(struct
76296 return 0;
76297
76298 start = qp->rid;
76299 - end = atomic_inc_return(&peer->rid);
76300 + end = atomic_inc_return_unchecked(&peer->rid);
76301 qp->rid = end;
76302
76303 rc = qp->q.fragments && (end - start) > max;
76304 diff -urNp linux-2.6.39.1/net/ipv4/ip_sockglue.c linux-2.6.39.1/net/ipv4/ip_sockglue.c
76305 --- linux-2.6.39.1/net/ipv4/ip_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76306 +++ linux-2.6.39.1/net/ipv4/ip_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76307 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
76308 int val;
76309 int len;
76310
76311 + pax_track_stack();
76312 +
76313 if (level != SOL_IP)
76314 return -EOPNOTSUPP;
76315
76316 diff -urNp linux-2.6.39.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
76317 --- linux-2.6.39.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-19 00:06:34.000000000 -0400
76318 +++ linux-2.6.39.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-22 19:36:34.000000000 -0400
76319 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
76320
76321 *len = 0;
76322
76323 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76324 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76325 if (*octets == NULL) {
76326 if (net_ratelimit())
76327 pr_notice("OOM in bsalg (%d)\n", __LINE__);
76328 diff -urNp linux-2.6.39.1/net/ipv4/raw.c linux-2.6.39.1/net/ipv4/raw.c
76329 --- linux-2.6.39.1/net/ipv4/raw.c 2011-05-19 00:06:34.000000000 -0400
76330 +++ linux-2.6.39.1/net/ipv4/raw.c 2011-05-22 19:41:42.000000000 -0400
76331 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
76332 int raw_rcv(struct sock *sk, struct sk_buff *skb)
76333 {
76334 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76335 - atomic_inc(&sk->sk_drops);
76336 + atomic_inc_unchecked(&sk->sk_drops);
76337 kfree_skb(skb);
76338 return NET_RX_DROP;
76339 }
76340 @@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
76341
76342 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76343 {
76344 + struct icmp_filter filter;
76345 +
76346 if (optlen > sizeof(struct icmp_filter))
76347 optlen = sizeof(struct icmp_filter);
76348 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76349 + if (copy_from_user(&filter, optval, optlen))
76350 return -EFAULT;
76351 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
76352 return 0;
76353 }
76354
76355 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76356 {
76357 + struct icmp_filter filter;
76358 int len, ret = -EFAULT;
76359
76360 if (get_user(len, optlen))
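Review bot: `raw_seticmpfilter` now reads `optlen` bytes from user space into the uninitialised local `filter` and then stores all `sizeof(filter)` bytes into the socket. A call with `optlen` smaller than `sizeof(struct icmp_filter)` therefore writes leftover kernel stack bytes into `raw_sk(sk)->filter`, from where the get path can return them to user space. The old code changed only the first `optlen` bytes of the socket's filter. Either seed the local first, `struct icmp_filter filter = raw_sk(sk)->filter;`, or copy back only what was read, `memcpy(&raw_sk(sk)->filter, &filter, optlen);`. `raw_geticmpfilter` begins in this hunk and continues in the next one.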
76361 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
76362 if (len > sizeof(struct icmp_filter))
76363 len = sizeof(struct icmp_filter);
76364 ret = -EFAULT;
76365 + memcpy(&filter, &raw_sk(sk)->filter, len);
76366 if (put_user(len, optlen) ||
76367 - copy_to_user(optval, &raw_sk(sk)->filter, len))
76368 + copy_to_user(optval, &filter, len))
76369 goto out;
76370 ret = 0;
76371 out: return ret;
76372 @@ -978,7 +983,13 @@ static void raw_sock_seq_show(struct seq
76373 sk_wmem_alloc_get(sp),
76374 sk_rmem_alloc_get(sp),
76375 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76376 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76377 + atomic_read(&sp->sk_refcnt),
76378 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76379 + NULL,
76380 +#else
76381 + sp,
76382 +#endif
76383 + atomic_read_unchecked(&sp->sk_drops));
76384 }
76385
76386 static int raw_seq_show(struct seq_file *seq, void *v)
76387 diff -urNp linux-2.6.39.1/net/ipv4/route.c linux-2.6.39.1/net/ipv4/route.c
76388 --- linux-2.6.39.1/net/ipv4/route.c 2011-05-19 00:06:34.000000000 -0400
76389 +++ linux-2.6.39.1/net/ipv4/route.c 2011-05-22 19:36:34.000000000 -0400
76390 @@ -303,7 +303,7 @@ static inline unsigned int rt_hash(__be3
76391
76392 static inline int rt_genid(struct net *net)
76393 {
76394 - return atomic_read(&net->ipv4.rt_genid);
76395 + return atomic_read_unchecked(&net->ipv4.rt_genid);
76396 }
76397
76398 #ifdef CONFIG_PROC_FS
76399 @@ -831,7 +831,7 @@ static void rt_cache_invalidate(struct n
76400 unsigned char shuffle;
76401
76402 get_random_bytes(&shuffle, sizeof(shuffle));
76403 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76404 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76405 }
76406
76407 /*
76408 @@ -2835,7 +2835,7 @@ static int rt_fill_info(struct net *net,
76409 rt->peer->pmtu_expires - jiffies : 0;
76410 if (rt->peer) {
76411 inet_peer_refcheck(rt->peer);
76412 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
76413 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
76414 if (rt->peer->tcp_ts_stamp) {
76415 ts = rt->peer->tcp_ts;
76416 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
76417 diff -urNp linux-2.6.39.1/net/ipv4/tcp.c linux-2.6.39.1/net/ipv4/tcp.c
76418 --- linux-2.6.39.1/net/ipv4/tcp.c 2011-05-19 00:06:34.000000000 -0400
76419 +++ linux-2.6.39.1/net/ipv4/tcp.c 2011-05-22 19:36:34.000000000 -0400
76420 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
76421 int val;
76422 int err = 0;
76423
76424 + pax_track_stack();
76425 +
76426 /* These are data/string values, all the others are ints */
76427 switch (optname) {
76428 case TCP_CONGESTION: {
76429 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
76430 struct tcp_sock *tp = tcp_sk(sk);
76431 int val, len;
76432
76433 + pax_track_stack();
76434 +
76435 if (get_user(len, optlen))
76436 return -EFAULT;
76437
76438 diff -urNp linux-2.6.39.1/net/ipv4/tcp_ipv4.c linux-2.6.39.1/net/ipv4/tcp_ipv4.c
76439 --- linux-2.6.39.1/net/ipv4/tcp_ipv4.c 2011-05-19 00:06:34.000000000 -0400
76440 +++ linux-2.6.39.1/net/ipv4/tcp_ipv4.c 2011-05-22 19:41:42.000000000 -0400
76441 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
76442 int sysctl_tcp_low_latency __read_mostly;
76443 EXPORT_SYMBOL(sysctl_tcp_low_latency);
76444
76445 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76446 +extern int grsec_enable_blackhole;
76447 +#endif
76448
76449 #ifdef CONFIG_TCP_MD5SIG
76450 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
76451 @@ -1594,6 +1597,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
76452 return 0;
76453
76454 reset:
76455 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76456 + if (!grsec_enable_blackhole)
76457 +#endif
76458 tcp_v4_send_reset(rsk, skb);
76459 discard:
76460 kfree_skb(skb);
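Review bot: The brace-less `if (!grsec_enable_blackhole)` sits inside the `#ifdef` but governs the `tcp_v4_send_reset()` line outside it, so the guarded statement is whichever line happens to follow `#endif`. A statement inserted between the two would silently change what the blackhole switch suppresses, and only in one configuration. Giving the flag a fallback where it is declared, `#define grsec_enable_blackhole 0` when the option is off, would allow a plain `if (!grsec_enable_blackhole)` with the call as its braced body in both builds. A one-line comment that the RST is withheld on purpose is also missing. The same construct is used at `no_tcp_socket` in this file and at `embryonic_reset` in tcp_minisocks.c.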
76461 @@ -1656,12 +1662,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
76462 TCP_SKB_CB(skb)->sacked = 0;
76463
76464 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76465 - if (!sk)
76466 + if (!sk) {
76467 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76468 + ret = 1;
76469 +#endif
76470 goto no_tcp_socket;
76471 -
76472 + }
76473 process:
76474 - if (sk->sk_state == TCP_TIME_WAIT)
76475 + if (sk->sk_state == TCP_TIME_WAIT) {
76476 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76477 + ret = 2;
76478 +#endif
76479 goto do_time_wait;
76480 + }
76481
76482 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
76483 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
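Review bot: `ret` is borrowed as a marker with the bare values 1 and 2, and nothing in the hunk says what they mean. Only `ret == 1` is tested, in the `no_tcp_socket` hunk further down, where it keeps resets flowing on loopback when no socket matched; the value 2 set for TIME_WAIT is not read in any visible line. A dedicated local or named constants, plus a comment like `/* 1: no socket found, 2: TIME_WAIT; read at no_tcp_socket */`, would make the coupling explicit. `ret` is declared outside the hunk, so whether it is initialised on the other paths into `no_tcp_socket` cannot be checked from here.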
76484 @@ -1711,6 +1724,10 @@ no_tcp_socket:
76485 bad_packet:
76486 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
76487 } else {
76488 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76489 + if (!grsec_enable_blackhole || (ret == 1 &&
76490 + (skb->dev->flags & IFF_LOOPBACK)))
76491 +#endif
76492 tcp_v4_send_reset(NULL, skb);
76493 }
76494
76495 @@ -2374,7 +2391,11 @@ static void get_openreq4(struct sock *sk
76496 0, /* non standard timer */
76497 0, /* open_requests have no inode */
76498 atomic_read(&sk->sk_refcnt),
76499 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76500 + NULL,
76501 +#else
76502 req,
76503 +#endif
76504 len);
76505 }
76506
76507 @@ -2424,7 +2445,12 @@ static void get_tcp4_sock(struct sock *s
76508 sock_i_uid(sk),
76509 icsk->icsk_probes_out,
76510 sock_i_ino(sk),
76511 - atomic_read(&sk->sk_refcnt), sk,
76512 + atomic_read(&sk->sk_refcnt),
76513 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76514 + NULL,
76515 +#else
76516 + sk,
76517 +#endif
76518 jiffies_to_clock_t(icsk->icsk_rto),
76519 jiffies_to_clock_t(icsk->icsk_ack.ato),
76520 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
76521 @@ -2452,7 +2478,13 @@ static void get_timewait4_sock(struct in
76522 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
76523 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
76524 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
76525 - atomic_read(&tw->tw_refcnt), tw, len);
76526 + atomic_read(&tw->tw_refcnt),
76527 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76528 + NULL,
76529 +#else
76530 + tw,
76531 +#endif
76532 + len);
76533 }
76534
76535 #define TMPSZ 150
76536 diff -urNp linux-2.6.39.1/net/ipv4/tcp_minisocks.c linux-2.6.39.1/net/ipv4/tcp_minisocks.c
76537 --- linux-2.6.39.1/net/ipv4/tcp_minisocks.c 2011-05-19 00:06:34.000000000 -0400
76538 +++ linux-2.6.39.1/net/ipv4/tcp_minisocks.c 2011-05-22 19:41:42.000000000 -0400
76539 @@ -27,6 +27,10 @@
76540 #include <net/inet_common.h>
76541 #include <net/xfrm.h>
76542
76543 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76544 +extern int grsec_enable_blackhole;
76545 +#endif
76546 +
76547 int sysctl_tcp_syncookies __read_mostly = 1;
76548 EXPORT_SYMBOL(sysctl_tcp_syncookies);
76549
76550 @@ -745,6 +749,10 @@ listen_overflow:
76551
76552 embryonic_reset:
76553 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
76554 +
76555 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76556 + if (!grsec_enable_blackhole)
76557 +#endif
76558 if (!(flg & TCP_FLAG_RST))
76559 req->rsk_ops->send_reset(sk, skb);
76560
76561 diff -urNp linux-2.6.39.1/net/ipv4/tcp_output.c linux-2.6.39.1/net/ipv4/tcp_output.c
76562 --- linux-2.6.39.1/net/ipv4/tcp_output.c 2011-05-19 00:06:34.000000000 -0400
76563 +++ linux-2.6.39.1/net/ipv4/tcp_output.c 2011-05-22 19:36:34.000000000 -0400
76564 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
76565 int mss;
76566 int s_data_desired = 0;
76567
76568 + pax_track_stack();
76569 +
76570 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
76571 s_data_desired = cvp->s_data_desired;
76572 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
76573 diff -urNp linux-2.6.39.1/net/ipv4/tcp_probe.c linux-2.6.39.1/net/ipv4/tcp_probe.c
76574 --- linux-2.6.39.1/net/ipv4/tcp_probe.c 2011-05-19 00:06:34.000000000 -0400
76575 +++ linux-2.6.39.1/net/ipv4/tcp_probe.c 2011-05-22 19:36:34.000000000 -0400
76576 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
76577 if (cnt + width >= len)
76578 break;
76579
76580 - if (copy_to_user(buf + cnt, tbuf, width))
76581 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
76582 return -EFAULT;
76583 cnt += width;
76584 }
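Review bot: The new bound `width > sizeof tbuf` depends on an implicit conversion if `width` is a signed int (its declaration is outside the hunk): a negative value would be converted to a large unsigned one and rejected, which is the safe outcome but not obvious from the line itself. A short comment would record the intent, for example `/* width is the formatter's return value; never read past the on-stack tbuf */`. The same check is added as `p > sizeof(pb)` in rate_control_pid_events_read in net/mac80211/rc80211_pid_debugfs.c and would benefit from the same comment. tcpprobe_read continues outside this hunk.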
76585 diff -urNp linux-2.6.39.1/net/ipv4/tcp_timer.c linux-2.6.39.1/net/ipv4/tcp_timer.c
76586 --- linux-2.6.39.1/net/ipv4/tcp_timer.c 2011-05-19 00:06:34.000000000 -0400
76587 +++ linux-2.6.39.1/net/ipv4/tcp_timer.c 2011-05-22 19:41:42.000000000 -0400
76588 @@ -22,6 +22,10 @@
76589 #include <linux/gfp.h>
76590 #include <net/tcp.h>
76591
76592 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76593 +extern int grsec_lastack_retries;
76594 +#endif
76595 +
76596 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
76597 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
76598 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
76599 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
76600 }
76601 }
76602
76603 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76604 + if ((sk->sk_state == TCP_LAST_ACK) &&
76605 + (grsec_lastack_retries > 0) &&
76606 + (grsec_lastack_retries < retry_until))
76607 + retry_until = grsec_lastack_retries;
76608 +#endif
76609 +
76610 if (retransmits_timed_out(sk, retry_until,
76611 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
76612 /* Has it gone just too far? */
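Review bot: `grsec_lastack_retries` is read three times across the added condition and assignment, so if it can change at runtime (it is declared as a plain `extern int`; its definition is not on this page) the value stored in `retry_until` need not be the one that passed the `> 0` test. Reading it once, e.g. `int lastack = ACCESS_ONCE(grsec_lastack_retries);`, and using `lastack` in both the test and the assignment closes that gap. A one-line comment stating that the cap applies only to sockets in LAST_ACK would also help the next reader. tcp_write_timeout starts and ends outside this hunk.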
76613 diff -urNp linux-2.6.39.1/net/ipv4/udp.c linux-2.6.39.1/net/ipv4/udp.c
76614 --- linux-2.6.39.1/net/ipv4/udp.c 2011-05-19 00:06:34.000000000 -0400
76615 +++ linux-2.6.39.1/net/ipv4/udp.c 2011-05-22 19:41:42.000000000 -0400
76616 @@ -86,6 +86,7 @@
76617 #include <linux/types.h>
76618 #include <linux/fcntl.h>
76619 #include <linux/module.h>
76620 +#include <linux/security.h>
76621 #include <linux/socket.h>
76622 #include <linux/sockios.h>
76623 #include <linux/igmp.h>
76624 @@ -107,6 +108,10 @@
76625 #include <net/xfrm.h>
76626 #include "udp_impl.h"
76627
76628 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76629 +extern int grsec_enable_blackhole;
76630 +#endif
76631 +
76632 struct udp_table udp_table __read_mostly;
76633 EXPORT_SYMBOL(udp_table);
76634
76635 @@ -564,6 +569,9 @@ found:
76636 return s;
76637 }
76638
76639 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
76640 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
76641 +
76642 /*
76643 * This routine is called by the ICMP module when it gets some
76644 * sort of error condition. If err < 0 then the socket should
76645 @@ -853,9 +861,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
76646 dport = usin->sin_port;
76647 if (dport == 0)
76648 return -EINVAL;
76649 +
76650 + err = gr_search_udp_sendmsg(sk, usin);
76651 + if (err)
76652 + return err;
76653 } else {
76654 if (sk->sk_state != TCP_ESTABLISHED)
76655 return -EDESTADDRREQ;
76656 +
76657 + err = gr_search_udp_sendmsg(sk, NULL);
76658 + if (err)
76659 + return err;
76660 +
76661 daddr = inet->inet_daddr;
76662 dport = inet->inet_dport;
76663 /* Open fast path for connected socket.
76664 @@ -1090,7 +1107,7 @@ static unsigned int first_packet_length(
76665 udp_lib_checksum_complete(skb)) {
76666 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
76667 IS_UDPLITE(sk));
76668 - atomic_inc(&sk->sk_drops);
76669 + atomic_inc_unchecked(&sk->sk_drops);
76670 __skb_unlink(skb, rcvq);
76671 __skb_queue_tail(&list_kill, skb);
76672 }
76673 @@ -1176,6 +1193,10 @@ try_again:
76674 if (!skb)
76675 goto out;
76676
76677 + err = gr_search_udp_recvmsg(sk, skb);
76678 + if (err)
76679 + goto out_free;
76680 +
76681 ulen = skb->len - sizeof(struct udphdr);
76682 if (len > ulen)
76683 len = ulen;
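Review bot: On the new denial path (`if (err) goto out_free;`) nothing in this hunk increments `sk->sk_drops` or a UDP MIB counter, so datagrams rejected by `gr_search_udp_recvmsg` may not show up in the socket's drop statistics unless that function records them itself, which is not visible here. If that is the case, adding `atomic_inc_unchecked(&sk->sk_drops);` before the `goto` would keep policy drops observable alongside the other drop paths this patch touches. The `out_free` label and the rest of the function lie outside this hunk, so what happens to the skb there should be confirmed as well.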
76684 @@ -1472,7 +1493,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
76685
76686 drop:
76687 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
76688 - atomic_inc(&sk->sk_drops);
76689 + atomic_inc_unchecked(&sk->sk_drops);
76690 kfree_skb(skb);
76691 return -1;
76692 }
76693 @@ -1491,7 +1512,7 @@ static void flush_stack(struct sock **st
76694 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
76695
76696 if (!skb1) {
76697 - atomic_inc(&sk->sk_drops);
76698 + atomic_inc_unchecked(&sk->sk_drops);
76699 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
76700 IS_UDPLITE(sk));
76701 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
76702 @@ -1660,6 +1681,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
76703 goto csum_error;
76704
76705 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
76706 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76707 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
76708 +#endif
76709 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
76710
76711 /*
76712 @@ -2087,8 +2111,13 @@ static void udp4_format_sock(struct sock
76713 sk_wmem_alloc_get(sp),
76714 sk_rmem_alloc_get(sp),
76715 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76716 - atomic_read(&sp->sk_refcnt), sp,
76717 - atomic_read(&sp->sk_drops), len);
76718 + atomic_read(&sp->sk_refcnt),
76719 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76720 + NULL,
76721 +#else
76722 + sp,
76723 +#endif
76724 + atomic_read_unchecked(&sp->sk_drops), len);
76725 }
76726
76727 int udp4_seq_show(struct seq_file *seq, void *v)
76728 diff -urNp linux-2.6.39.1/net/ipv6/inet6_connection_sock.c linux-2.6.39.1/net/ipv6/inet6_connection_sock.c
76729 --- linux-2.6.39.1/net/ipv6/inet6_connection_sock.c 2011-05-19 00:06:34.000000000 -0400
76730 +++ linux-2.6.39.1/net/ipv6/inet6_connection_sock.c 2011-05-22 19:36:34.000000000 -0400
76731 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
76732 #ifdef CONFIG_XFRM
76733 {
76734 struct rt6_info *rt = (struct rt6_info *)dst;
76735 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
76736 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
76737 }
76738 #endif
76739 }
76740 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
76741 #ifdef CONFIG_XFRM
76742 if (dst) {
76743 struct rt6_info *rt = (struct rt6_info *)dst;
76744 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
76745 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
76746 __sk_dst_reset(sk);
76747 dst = NULL;
76748 }
76749 diff -urNp linux-2.6.39.1/net/ipv6/ipv6_sockglue.c linux-2.6.39.1/net/ipv6/ipv6_sockglue.c
76750 --- linux-2.6.39.1/net/ipv6/ipv6_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76751 +++ linux-2.6.39.1/net/ipv6/ipv6_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76752 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
76753 int val, valbool;
76754 int retv = -ENOPROTOOPT;
76755
76756 + pax_track_stack();
76757 +
76758 if (optval == NULL)
76759 val=0;
76760 else {
76761 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
76762 int len;
76763 int val;
76764
76765 + pax_track_stack();
76766 +
76767 if (ip6_mroute_opt(optname))
76768 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
76769
76770 diff -urNp linux-2.6.39.1/net/ipv6/raw.c linux-2.6.39.1/net/ipv6/raw.c
76771 --- linux-2.6.39.1/net/ipv6/raw.c 2011-05-19 00:06:34.000000000 -0400
76772 +++ linux-2.6.39.1/net/ipv6/raw.c 2011-05-22 19:41:42.000000000 -0400
76773 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
76774 {
76775 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
76776 skb_checksum_complete(skb)) {
76777 - atomic_inc(&sk->sk_drops);
76778 + atomic_inc_unchecked(&sk->sk_drops);
76779 kfree_skb(skb);
76780 return NET_RX_DROP;
76781 }
76782 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
76783 struct raw6_sock *rp = raw6_sk(sk);
76784
76785 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
76786 - atomic_inc(&sk->sk_drops);
76787 + atomic_inc_unchecked(&sk->sk_drops);
76788 kfree_skb(skb);
76789 return NET_RX_DROP;
76790 }
76791 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
76792
76793 if (inet->hdrincl) {
76794 if (skb_checksum_complete(skb)) {
76795 - atomic_inc(&sk->sk_drops);
76796 + atomic_inc_unchecked(&sk->sk_drops);
76797 kfree_skb(skb);
76798 return NET_RX_DROP;
76799 }
76800 @@ -601,7 +601,7 @@ out:
76801 return err;
76802 }
76803
76804 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
76805 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
76806 struct flowi6 *fl6, struct dst_entry **dstp,
76807 unsigned int flags)
76808 {
76809 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
76810 u16 proto;
76811 int err;
76812
76813 + pax_track_stack();
76814 +
76815 /* Rough check on arithmetic overflow,
76816 better check is made in ip6_append_data().
76817 */
76818 @@ -909,12 +911,15 @@ do_confirm:
76819 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
76820 char __user *optval, int optlen)
76821 {
76822 + struct icmp6_filter filter;
76823 +
76824 switch (optname) {
76825 case ICMPV6_FILTER:
76826 if (optlen > sizeof(struct icmp6_filter))
76827 optlen = sizeof(struct icmp6_filter);
76828 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
76829 + if (copy_from_user(&filter, optval, optlen))
76830 return -EFAULT;
76831 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
76832 return 0;
76833 default:
76834 return -ENOPROTOOPT;
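Review bot: The new on-stack `struct icmp6_filter filter` has no comment explaining why user data is staged there instead of being copied straight into `raw6_sk(sk)->filter`, so a later cleanup could reasonably fold the two copies back into one. I would add above the declaration something like `/* stage on the stack so copy_from_user() never writes into the socket object directly */`. It is also worth noting in that comment that only the first `optlen` bytes of `filter` are initialised, which is safe because the `memcpy` copies exactly `optlen` bytes. The mirrored change in rawv6_geticmpfilter in the next two hunks deserves the same comment.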
76835 @@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
76836 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
76837 char __user *optval, int __user *optlen)
76838 {
76839 + struct icmp6_filter filter;
76840 int len;
76841
76842 switch (optname) {
76843 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
76844 len = sizeof(struct icmp6_filter);
76845 if (put_user(len, optlen))
76846 return -EFAULT;
76847 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
76848 + memcpy(&filter, &raw6_sk(sk)->filter, len);
76849 + if (copy_to_user(optval, &filter, len))
76850 return -EFAULT;
76851 return 0;
76852 default:
76853 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
76854 0, 0L, 0,
76855 sock_i_uid(sp), 0,
76856 sock_i_ino(sp),
76857 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76858 + atomic_read(&sp->sk_refcnt),
76859 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76860 + NULL,
76861 +#else
76862 + sp,
76863 +#endif
76864 + atomic_read_unchecked(&sp->sk_drops));
76865 }
76866
76867 static int raw6_seq_show(struct seq_file *seq, void *v)
76868 diff -urNp linux-2.6.39.1/net/ipv6/tcp_ipv6.c linux-2.6.39.1/net/ipv6/tcp_ipv6.c
76869 --- linux-2.6.39.1/net/ipv6/tcp_ipv6.c 2011-05-19 00:06:34.000000000 -0400
76870 +++ linux-2.6.39.1/net/ipv6/tcp_ipv6.c 2011-05-22 19:41:42.000000000 -0400
76871 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
76872 }
76873 #endif
76874
76875 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76876 +extern int grsec_enable_blackhole;
76877 +#endif
76878 +
76879 static void tcp_v6_hash(struct sock *sk)
76880 {
76881 if (sk->sk_state != TCP_CLOSE) {
76882 @@ -1660,6 +1664,9 @@ static int tcp_v6_do_rcv(struct sock *sk
76883 return 0;
76884
76885 reset:
76886 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76887 + if (!grsec_enable_blackhole)
76888 +#endif
76889 tcp_v6_send_reset(sk, skb);
76890 discard:
76891 if (opt_skb)
76892 @@ -1739,12 +1746,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
76893 TCP_SKB_CB(skb)->sacked = 0;
76894
76895 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76896 - if (!sk)
76897 + if (!sk) {
76898 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76899 + ret = 1;
76900 +#endif
76901 goto no_tcp_socket;
76902 + }
76903
76904 process:
76905 - if (sk->sk_state == TCP_TIME_WAIT)
76906 + if (sk->sk_state == TCP_TIME_WAIT) {
76907 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76908 + ret = 2;
76909 +#endif
76910 goto do_time_wait;
76911 + }
76912
76913 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
76914 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
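Review bot: `ret = 1` and `ret = 2` reuse the function's return-value variable as a marker for how `no_tcp_socket` is reached, and the only later test is `ret == 1` in the hunk at `no_tcp_socket:`. Bare numbers make that coupling easy to break if someone later assigns `ret` for its normal purpose between these points. A comment at each assignment would help, e.g. `ret = 1; /* no socket: RST on loopback still allowed when blackholing */`, or a dedicated local with named values. Whether `ret` holds a defined value on every other path into `no_tcp_socket` cannot be seen here, since tcp_v6_rcv starts and ends outside this hunk.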
76915 @@ -1792,6 +1807,10 @@ no_tcp_socket:
76916 bad_packet:
76917 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
76918 } else {
76919 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76920 + if (!grsec_enable_blackhole || (ret == 1 &&
76921 + (skb->dev->flags & IFF_LOOPBACK)))
76922 +#endif
76923 tcp_v6_send_reset(NULL, skb);
76924 }
76925
76926 @@ -2052,7 +2071,13 @@ static void get_openreq6(struct seq_file
76927 uid,
76928 0, /* non standard timer */
76929 0, /* open_requests have no inode */
76930 - 0, req);
76931 + 0,
76932 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76933 + NULL
76934 +#else
76935 + req
76936 +#endif
76937 + );
76938 }
76939
76940 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
76941 @@ -2102,7 +2127,12 @@ static void get_tcp6_sock(struct seq_fil
76942 sock_i_uid(sp),
76943 icsk->icsk_probes_out,
76944 sock_i_ino(sp),
76945 - atomic_read(&sp->sk_refcnt), sp,
76946 + atomic_read(&sp->sk_refcnt),
76947 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76948 + NULL,
76949 +#else
76950 + sp,
76951 +#endif
76952 jiffies_to_clock_t(icsk->icsk_rto),
76953 jiffies_to_clock_t(icsk->icsk_ack.ato),
76954 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
76955 @@ -2137,7 +2167,13 @@ static void get_timewait6_sock(struct se
76956 dest->s6_addr32[2], dest->s6_addr32[3], destp,
76957 tw->tw_substate, 0, 0,
76958 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
76959 - atomic_read(&tw->tw_refcnt), tw);
76960 + atomic_read(&tw->tw_refcnt),
76961 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76962 + NULL
76963 +#else
76964 + tw
76965 +#endif
76966 + );
76967 }
76968
76969 static int tcp6_seq_show(struct seq_file *seq, void *v)
76970 diff -urNp linux-2.6.39.1/net/ipv6/udp.c linux-2.6.39.1/net/ipv6/udp.c
76971 --- linux-2.6.39.1/net/ipv6/udp.c 2011-05-19 00:06:34.000000000 -0400
76972 +++ linux-2.6.39.1/net/ipv6/udp.c 2011-05-22 19:41:42.000000000 -0400
76973 @@ -50,6 +50,10 @@
76974 #include <linux/seq_file.h>
76975 #include "udp_impl.h"
76976
76977 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76978 +extern int grsec_enable_blackhole;
76979 +#endif
76980 +
76981 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
76982 {
76983 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
76984 @@ -545,7 +549,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
76985
76986 return 0;
76987 drop:
76988 - atomic_inc(&sk->sk_drops);
76989 + atomic_inc_unchecked(&sk->sk_drops);
76990 drop_no_sk_drops_inc:
76991 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
76992 kfree_skb(skb);
76993 @@ -621,7 +625,7 @@ static void flush_stack(struct sock **st
76994 continue;
76995 }
76996 drop:
76997 - atomic_inc(&sk->sk_drops);
76998 + atomic_inc_unchecked(&sk->sk_drops);
76999 UDP6_INC_STATS_BH(sock_net(sk),
77000 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
77001 UDP6_INC_STATS_BH(sock_net(sk),
77002 @@ -776,6 +780,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77003 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77004 proto == IPPROTO_UDPLITE);
77005
77006 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77007 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77008 +#endif
77009 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
77010
77011 kfree_skb(skb);
77012 @@ -792,7 +799,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77013 if (!sock_owned_by_user(sk))
77014 udpv6_queue_rcv_skb(sk, skb);
77015 else if (sk_add_backlog(sk, skb)) {
77016 - atomic_inc(&sk->sk_drops);
77017 + atomic_inc_unchecked(&sk->sk_drops);
77018 bh_unlock_sock(sk);
77019 sock_put(sk);
77020 goto discard;
77021 @@ -1403,8 +1410,13 @@ static void udp6_sock_seq_show(struct se
77022 0, 0L, 0,
77023 sock_i_uid(sp), 0,
77024 sock_i_ino(sp),
77025 - atomic_read(&sp->sk_refcnt), sp,
77026 - atomic_read(&sp->sk_drops));
77027 + atomic_read(&sp->sk_refcnt),
77028 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77029 + NULL,
77030 +#else
77031 + sp,
77032 +#endif
77033 + atomic_read_unchecked(&sp->sk_drops));
77034 }
77035
77036 int udp6_seq_show(struct seq_file *seq, void *v)
77037 diff -urNp linux-2.6.39.1/net/irda/ircomm/ircomm_tty.c linux-2.6.39.1/net/irda/ircomm/ircomm_tty.c
77038 --- linux-2.6.39.1/net/irda/ircomm/ircomm_tty.c 2011-05-19 00:06:34.000000000 -0400
77039 +++ linux-2.6.39.1/net/irda/ircomm/ircomm_tty.c 2011-05-22 19:36:34.000000000 -0400
77040 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
77041 add_wait_queue(&self->open_wait, &wait);
77042
77043 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77044 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77045 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77046
77047 /* As far as I can see, we protect open_count - Jean II */
77048 spin_lock_irqsave(&self->spinlock, flags);
77049 if (!tty_hung_up_p(filp)) {
77050 extra_count = 1;
77051 - self->open_count--;
77052 + local_dec(&self->open_count);
77053 }
77054 spin_unlock_irqrestore(&self->spinlock, flags);
77055 - self->blocked_open++;
77056 + local_inc(&self->blocked_open);
77057
77058 while (1) {
77059 if (tty->termios->c_cflag & CBAUD) {
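Review bot: `local_read()` returns `long` in the kernel's local_t API, but the format strings that now receive it still use `%d`, which is a format/argument mismatch on 64-bit builds. Either change the conversion to `%ld` or cast the argument, e.g. `(int)local_read(&self->open_count)`. The same applies to the other IRDA_DEBUG calls in ircomm_tty_block_til_ready and ircomm_tty_open, to the IRDA_DEBUG and IRDA_ERROR calls in ircomm_tty_close, and to `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info, all in later hunks of this file. The field's type change itself is not on this page; I am assuming `open_count` becomes `local_t` here as it does in the mac80211 hunk.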
77060 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
77061 }
77062
77063 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77064 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77065 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77066
77067 schedule();
77068 }
77069 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
77070 if (extra_count) {
77071 /* ++ is not atomic, so this should be protected - Jean II */
77072 spin_lock_irqsave(&self->spinlock, flags);
77073 - self->open_count++;
77074 + local_inc(&self->open_count);
77075 spin_unlock_irqrestore(&self->spinlock, flags);
77076 }
77077 - self->blocked_open--;
77078 + local_dec(&self->blocked_open);
77079
77080 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77081 - __FILE__,__LINE__, tty->driver->name, self->open_count);
77082 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77083
77084 if (!retval)
77085 self->flags |= ASYNC_NORMAL_ACTIVE;
77086 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
77087 }
77088 /* ++ is not atomic, so this should be protected - Jean II */
77089 spin_lock_irqsave(&self->spinlock, flags);
77090 - self->open_count++;
77091 + local_inc(&self->open_count);
77092
77093 tty->driver_data = self;
77094 self->tty = tty;
77095 spin_unlock_irqrestore(&self->spinlock, flags);
77096
77097 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77098 - self->line, self->open_count);
77099 + self->line, local_read(&self->open_count));
77100
77101 /* Not really used by us, but lets do it anyway */
77102 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77103 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
77104 return;
77105 }
77106
77107 - if ((tty->count == 1) && (self->open_count != 1)) {
77108 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77109 /*
77110 * Uh, oh. tty->count is 1, which means that the tty
77111 * structure will be freed. state->count should always
77112 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
77113 */
77114 IRDA_DEBUG(0, "%s(), bad serial port count; "
77115 "tty->count is 1, state->count is %d\n", __func__ ,
77116 - self->open_count);
77117 - self->open_count = 1;
77118 + local_read(&self->open_count));
77119 + local_set(&self->open_count, 1);
77120 }
77121
77122 - if (--self->open_count < 0) {
77123 + if (local_dec_return(&self->open_count) < 0) {
77124 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77125 - __func__, self->line, self->open_count);
77126 - self->open_count = 0;
77127 + __func__, self->line, local_read(&self->open_count));
77128 + local_set(&self->open_count, 0);
77129 }
77130 - if (self->open_count) {
77131 + if (local_read(&self->open_count)) {
77132 spin_unlock_irqrestore(&self->spinlock, flags);
77133
77134 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77135 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
77136 tty->closing = 0;
77137 self->tty = NULL;
77138
77139 - if (self->blocked_open) {
77140 + if (local_read(&self->blocked_open)) {
77141 if (self->close_delay)
77142 schedule_timeout_interruptible(self->close_delay);
77143 wake_up_interruptible(&self->open_wait);
77144 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
77145 spin_lock_irqsave(&self->spinlock, flags);
77146 self->flags &= ~ASYNC_NORMAL_ACTIVE;
77147 self->tty = NULL;
77148 - self->open_count = 0;
77149 + local_set(&self->open_count, 0);
77150 spin_unlock_irqrestore(&self->spinlock, flags);
77151
77152 wake_up_interruptible(&self->open_wait);
77153 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
77154 seq_putc(m, '\n');
77155
77156 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77157 - seq_printf(m, "Open count: %d\n", self->open_count);
77158 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77159 seq_printf(m, "Max data size: %d\n", self->max_data_size);
77160 seq_printf(m, "Max header size: %d\n", self->max_header_size);
77161
77162 diff -urNp linux-2.6.39.1/net/iucv/af_iucv.c linux-2.6.39.1/net/iucv/af_iucv.c
77163 --- linux-2.6.39.1/net/iucv/af_iucv.c 2011-05-19 00:06:34.000000000 -0400
77164 +++ linux-2.6.39.1/net/iucv/af_iucv.c 2011-05-22 19:36:34.000000000 -0400
77165 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
77166
77167 write_lock_bh(&iucv_sk_list.lock);
77168
77169 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77170 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77171 while (__iucv_get_sock_by_name(name)) {
77172 sprintf(name, "%08x",
77173 - atomic_inc_return(&iucv_sk_list.autobind_name));
77174 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77175 }
77176
77177 write_unlock_bh(&iucv_sk_list.lock);
77178 diff -urNp linux-2.6.39.1/net/key/af_key.c linux-2.6.39.1/net/key/af_key.c
77179 --- linux-2.6.39.1/net/key/af_key.c 2011-05-19 00:06:34.000000000 -0400
77180 +++ linux-2.6.39.1/net/key/af_key.c 2011-05-22 19:41:42.000000000 -0400
77181 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
77182 struct xfrm_migrate m[XFRM_MAX_DEPTH];
77183 struct xfrm_kmaddress k;
77184
77185 + pax_track_stack();
77186 +
77187 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77188 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77189 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77190 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
77191 static u32 get_acqseq(void)
77192 {
77193 u32 res;
77194 - static atomic_t acqseq;
77195 + static atomic_unchecked_t acqseq;
77196
77197 do {
77198 - res = atomic_inc_return(&acqseq);
77199 + res = atomic_inc_return_unchecked(&acqseq);
77200 } while (!res);
77201 return res;
77202 }
77203 @@ -3657,7 +3659,11 @@ static int pfkey_seq_show(struct seq_fil
77204 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77205 else
77206 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77207 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77208 + NULL,
77209 +#else
77210 s,
77211 +#endif
77212 atomic_read(&s->sk_refcnt),
77213 sk_rmem_alloc_get(s),
77214 sk_wmem_alloc_get(s),
77215 diff -urNp linux-2.6.39.1/net/l2tp/l2tp_ip.c linux-2.6.39.1/net/l2tp/l2tp_ip.c
77216 --- linux-2.6.39.1/net/l2tp/l2tp_ip.c 2011-05-19 00:06:34.000000000 -0400
77217 +++ linux-2.6.39.1/net/l2tp/l2tp_ip.c 2011-05-22 19:36:34.000000000 -0400
77218 @@ -625,7 +625,7 @@ static struct inet_protosw l2tp_ip_proto
77219 .no_check = 0,
77220 };
77221
77222 -static struct net_protocol l2tp_ip_protocol __read_mostly = {
77223 +static const struct net_protocol l2tp_ip_protocol = {
77224 .handler = l2tp_ip_recv,
77225 };
77226
77227 diff -urNp linux-2.6.39.1/net/lapb/lapb_iface.c linux-2.6.39.1/net/lapb/lapb_iface.c
77228 --- linux-2.6.39.1/net/lapb/lapb_iface.c 2011-05-19 00:06:34.000000000 -0400
77229 +++ linux-2.6.39.1/net/lapb/lapb_iface.c 2011-05-22 19:36:34.000000000 -0400
77230 @@ -138,8 +138,7 @@ static struct lapb_cb *lapb_create_cb(vo
77231 out:
77232 return lapb;
77233 }
77234 -
77235 -int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks)
77236 +int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks)
77237 {
77238 struct lapb_cb *lapb;
77239 int rc = LAPB_BADTOKEN;
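Review bot: The hunk removes the blank line that separated the end of lapb_create_cb from lapb_register, so the new definition now starts directly after the closing brace. That whitespace change is unrelated to the `const struct lapb_register_struct *callbacks` change and makes the patch noisier to rebase. I would keep the blank line and change only the signature. lapb_register's body continues outside this hunk.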
77240 diff -urNp linux-2.6.39.1/net/mac80211/cfg.c linux-2.6.39.1/net/mac80211/cfg.c
77241 --- linux-2.6.39.1/net/mac80211/cfg.c 2011-06-03 00:04:14.000000000 -0400
77242 +++ linux-2.6.39.1/net/mac80211/cfg.c 2011-06-03 00:32:08.000000000 -0400
77243 @@ -2031,7 +2031,7 @@ static void ieee80211_get_ringparam(stru
77244 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
77245 }
77246
77247 -struct cfg80211_ops mac80211_config_ops = {
77248 +const struct cfg80211_ops mac80211_config_ops = {
77249 .add_virtual_intf = ieee80211_add_iface,
77250 .del_virtual_intf = ieee80211_del_iface,
77251 .change_virtual_intf = ieee80211_change_iface,
77252 diff -urNp linux-2.6.39.1/net/mac80211/cfg.h linux-2.6.39.1/net/mac80211/cfg.h
77253 --- linux-2.6.39.1/net/mac80211/cfg.h 2011-05-19 00:06:34.000000000 -0400
77254 +++ linux-2.6.39.1/net/mac80211/cfg.h 2011-05-22 19:36:34.000000000 -0400
77255 @@ -4,6 +4,6 @@
77256 #ifndef __CFG_H
77257 #define __CFG_H
77258
77259 -extern struct cfg80211_ops mac80211_config_ops;
77260 +extern const struct cfg80211_ops mac80211_config_ops;
77261
77262 #endif /* __CFG_H */
77263 diff -urNp linux-2.6.39.1/net/mac80211/debugfs_sta.c linux-2.6.39.1/net/mac80211/debugfs_sta.c
77264 --- linux-2.6.39.1/net/mac80211/debugfs_sta.c 2011-05-19 00:06:34.000000000 -0400
77265 +++ linux-2.6.39.1/net/mac80211/debugfs_sta.c 2011-05-22 19:36:34.000000000 -0400
77266 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
77267 struct tid_ampdu_rx *tid_rx;
77268 struct tid_ampdu_tx *tid_tx;
77269
77270 + pax_track_stack();
77271 +
77272 rcu_read_lock();
77273
77274 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
77275 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
77276 struct sta_info *sta = file->private_data;
77277 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
77278
77279 + pax_track_stack();
77280 +
77281 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
77282 htc->ht_supported ? "" : "not ");
77283 if (htc->ht_supported) {
77284 diff -urNp linux-2.6.39.1/net/mac80211/ieee80211_i.h linux-2.6.39.1/net/mac80211/ieee80211_i.h
77285 --- linux-2.6.39.1/net/mac80211/ieee80211_i.h 2011-05-19 00:06:34.000000000 -0400
77286 +++ linux-2.6.39.1/net/mac80211/ieee80211_i.h 2011-05-22 19:36:34.000000000 -0400
77287 @@ -27,6 +27,7 @@
77288 #include <net/ieee80211_radiotap.h>
77289 #include <net/cfg80211.h>
77290 #include <net/mac80211.h>
77291 +#include <asm/local.h>
77292 #include "key.h"
77293 #include "sta_info.h"
77294
77295 @@ -714,7 +715,7 @@ struct ieee80211_local {
77296 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77297 spinlock_t queue_stop_reason_lock;
77298
77299 - int open_count;
77300 + local_t open_count;
77301 int monitors, cooked_mntrs;
77302 /* number of interfaces with corresponding FIF_ flags */
77303 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
77304 diff -urNp linux-2.6.39.1/net/mac80211/iface.c linux-2.6.39.1/net/mac80211/iface.c
77305 --- linux-2.6.39.1/net/mac80211/iface.c 2011-05-19 00:06:34.000000000 -0400
77306 +++ linux-2.6.39.1/net/mac80211/iface.c 2011-05-22 19:36:34.000000000 -0400
77307 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
77308 break;
77309 }
77310
77311 - if (local->open_count == 0) {
77312 + if (local_read(&local->open_count) == 0) {
77313 res = drv_start(local);
77314 if (res)
77315 goto err_del_bss;
77316 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
77317 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
77318
77319 if (!is_valid_ether_addr(dev->dev_addr)) {
77320 - if (!local->open_count)
77321 + if (!local_read(&local->open_count))
77322 drv_stop(local);
77323 return -EADDRNOTAVAIL;
77324 }
77325 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
77326 mutex_unlock(&local->mtx);
77327
77328 if (coming_up)
77329 - local->open_count++;
77330 + local_inc(&local->open_count);
77331
77332 if (hw_reconf_flags) {
77333 ieee80211_hw_config(local, hw_reconf_flags);
77334 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
77335 err_del_interface:
77336 drv_remove_interface(local, &sdata->vif);
77337 err_stop:
77338 - if (!local->open_count)
77339 + if (!local_read(&local->open_count))
77340 drv_stop(local);
77341 err_del_bss:
77342 sdata->bss = NULL;
77343 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
77344 }
77345
77346 if (going_down)
77347 - local->open_count--;
77348 + local_dec(&local->open_count);
77349
77350 switch (sdata->vif.type) {
77351 case NL80211_IFTYPE_AP_VLAN:
77352 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
77353
77354 ieee80211_recalc_ps(local, -1);
77355
77356 - if (local->open_count == 0) {
77357 + if (local_read(&local->open_count) == 0) {
77358 if (local->ops->napi_poll)
77359 napi_disable(&local->napi);
77360 ieee80211_clear_tx_pending(local);
77361 diff -urNp linux-2.6.39.1/net/mac80211/main.c linux-2.6.39.1/net/mac80211/main.c
77362 --- linux-2.6.39.1/net/mac80211/main.c 2011-05-19 00:06:34.000000000 -0400
77363 +++ linux-2.6.39.1/net/mac80211/main.c 2011-05-22 19:36:34.000000000 -0400
77364 @@ -215,7 +215,7 @@ int ieee80211_hw_config(struct ieee80211
77365 local->hw.conf.power_level = power;
77366 }
77367
77368 - if (changed && local->open_count) {
77369 + if (changed && local_read(&local->open_count)) {
77370 ret = drv_config(local, changed);
77371 /*
77372 * Goal:
77373 diff -urNp linux-2.6.39.1/net/mac80211/mlme.c linux-2.6.39.1/net/mac80211/mlme.c
77374 --- linux-2.6.39.1/net/mac80211/mlme.c 2011-06-03 00:04:14.000000000 -0400
77375 +++ linux-2.6.39.1/net/mac80211/mlme.c 2011-06-03 00:32:08.000000000 -0400
77376 @@ -1431,6 +1431,8 @@ static bool ieee80211_assoc_success(stru
77377 bool have_higher_than_11mbit = false;
77378 u16 ap_ht_cap_flags;
77379
77380 + pax_track_stack();
77381 +
77382 /* AssocResp and ReassocResp have identical structure */
77383
77384 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
77385 diff -urNp linux-2.6.39.1/net/mac80211/pm.c linux-2.6.39.1/net/mac80211/pm.c
77386 --- linux-2.6.39.1/net/mac80211/pm.c 2011-05-19 00:06:34.000000000 -0400
77387 +++ linux-2.6.39.1/net/mac80211/pm.c 2011-05-22 19:36:34.000000000 -0400
77388 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
77389 }
77390
77391 /* stop hardware - this must stop RX */
77392 - if (local->open_count)
77393 + if (local_read(&local->open_count))
77394 ieee80211_stop_device(local);
77395
77396 local->suspended = true;
77397 diff -urNp linux-2.6.39.1/net/mac80211/rate.c linux-2.6.39.1/net/mac80211/rate.c
77398 --- linux-2.6.39.1/net/mac80211/rate.c 2011-05-19 00:06:34.000000000 -0400
77399 +++ linux-2.6.39.1/net/mac80211/rate.c 2011-05-22 19:36:34.000000000 -0400
77400 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77401
77402 ASSERT_RTNL();
77403
77404 - if (local->open_count)
77405 + if (local_read(&local->open_count))
77406 return -EBUSY;
77407
77408 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
77409 diff -urNp linux-2.6.39.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.39.1/net/mac80211/rc80211_pid_debugfs.c
77410 --- linux-2.6.39.1/net/mac80211/rc80211_pid_debugfs.c 2011-05-19 00:06:34.000000000 -0400
77411 +++ linux-2.6.39.1/net/mac80211/rc80211_pid_debugfs.c 2011-05-22 19:36:34.000000000 -0400
77412 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
77413
77414 spin_unlock_irqrestore(&events->lock, status);
77415
77416 - if (copy_to_user(buf, pb, p))
77417 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
77418 return -EFAULT;
77419
77420 return p;
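Review bot: The added `p > sizeof(pb)` guard on the `copy_to_user()` line reports an internal length overrun as `-EFAULT`, which a caller reads as a bad user pointer, and it carries no comment saying why `p` could exceed the buffer. How `p` and `pb` are produced is outside the hunk; if `p` accumulates `snprintf()` return values, as seems likely, it can exceed the buffer on truncation, and the guard is what keeps adjacent stack bytes from being copied out. I would add `/* p may exceed pb on truncation; never copy past the buffer */` above the check and consider clamping `p` where it is computed instead of failing the read. The function body starts before the hunk.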
77421 diff -urNp linux-2.6.39.1/net/mac80211/util.c linux-2.6.39.1/net/mac80211/util.c
77422 --- linux-2.6.39.1/net/mac80211/util.c 2011-05-19 00:06:34.000000000 -0400
77423 +++ linux-2.6.39.1/net/mac80211/util.c 2011-05-22 19:36:34.000000000 -0400
77424 @@ -1129,7 +1129,7 @@ int ieee80211_reconfig(struct ieee80211_
77425 local->resuming = true;
77426
77427 /* restart hardware */
77428 - if (local->open_count) {
77429 + if (local_read(&local->open_count)) {
77430 /*
77431 * Upon resume hardware can sometimes be goofy due to
77432 * various platform / driver / bus issues, so restarting
77433 diff -urNp linux-2.6.39.1/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.39.1/net/netfilter/ipvs/ip_vs_conn.c
77434 --- linux-2.6.39.1/net/netfilter/ipvs/ip_vs_conn.c 2011-05-19 00:06:34.000000000 -0400
77435 +++ linux-2.6.39.1/net/netfilter/ipvs/ip_vs_conn.c 2011-05-22 19:36:34.000000000 -0400
77436 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77437 /* Increase the refcnt counter of the dest */
77438 atomic_inc(&dest->refcnt);
77439
77440 - conn_flags = atomic_read(&dest->conn_flags);
77441 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
77442 if (cp->protocol != IPPROTO_UDP)
77443 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
77444 /* Bind with the destination and its corresponding transmitter */
77445 @@ -861,7 +861,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
77446 atomic_set(&cp->refcnt, 1);
77447
77448 atomic_set(&cp->n_control, 0);
77449 - atomic_set(&cp->in_pkts, 0);
77450 + atomic_set_unchecked(&cp->in_pkts, 0);
77451
77452 atomic_inc(&ipvs->conn_count);
77453 if (flags & IP_VS_CONN_F_NO_CPORT)
77454 @@ -1141,7 +1141,7 @@ static inline int todrop_entry(struct ip
77455
77456 /* Don't drop the entry if its number of incoming packets is not
77457 located in [0, 8] */
77458 - i = atomic_read(&cp->in_pkts);
77459 + i = atomic_read_unchecked(&cp->in_pkts);
77460 if (i > 8 || i < 0) return 0;
77461
77462 if (!todrop_rate[i]) return 0;
77463 diff -urNp linux-2.6.39.1/net/netfilter/ipvs/ip_vs_core.c linux-2.6.39.1/net/netfilter/ipvs/ip_vs_core.c
77464 --- linux-2.6.39.1/net/netfilter/ipvs/ip_vs_core.c 2011-05-19 00:06:34.000000000 -0400
77465 +++ linux-2.6.39.1/net/netfilter/ipvs/ip_vs_core.c 2011-05-22 19:36:34.000000000 -0400
77466 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
77467 ret = cp->packet_xmit(skb, cp, pd->pp);
77468 /* do not touch skb anymore */
77469
77470 - atomic_inc(&cp->in_pkts);
77471 + atomic_inc_unchecked(&cp->in_pkts);
77472 ip_vs_conn_put(cp);
77473 return ret;
77474 }
77475 @@ -1633,7 +1633,7 @@ ip_vs_in(unsigned int hooknum, struct sk
77476 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
77477 pkts = sysctl_sync_threshold(ipvs);
77478 else
77479 - pkts = atomic_add_return(1, &cp->in_pkts);
77480 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77481
77482 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
77483 cp->protocol == IPPROTO_SCTP) {
77484 diff -urNp linux-2.6.39.1/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.39.1/net/netfilter/ipvs/ip_vs_ctl.c
77485 --- linux-2.6.39.1/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-19 00:06:34.000000000 -0400
77486 +++ linux-2.6.39.1/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-22 19:36:34.000000000 -0400
77487 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
77488 ip_vs_rs_hash(ipvs, dest);
77489 write_unlock_bh(&ipvs->rs_lock);
77490 }
77491 - atomic_set(&dest->conn_flags, conn_flags);
77492 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
77493
77494 /* bind the service */
77495 if (!dest->svc) {
77496 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
77497 " %-7s %-6d %-10d %-10d\n",
77498 &dest->addr.in6,
77499 ntohs(dest->port),
77500 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77501 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77502 atomic_read(&dest->weight),
77503 atomic_read(&dest->activeconns),
77504 atomic_read(&dest->inactconns));
77505 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
77506 "%-7s %-6d %-10d %-10d\n",
77507 ntohl(dest->addr.ip),
77508 ntohs(dest->port),
77509 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77510 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77511 atomic_read(&dest->weight),
77512 atomic_read(&dest->activeconns),
77513 atomic_read(&dest->inactconns));
77514 @@ -2287,6 +2287,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
77515 struct ip_vs_dest_user *udest_compat;
77516 struct ip_vs_dest_user_kern udest;
77517
77518 + pax_track_stack();
77519 +
77520 if (!capable(CAP_NET_ADMIN))
77521 return -EPERM;
77522
77523 @@ -2501,7 +2503,7 @@ __ip_vs_get_dest_entries(struct net *net
77524
77525 entry.addr = dest->addr.ip;
77526 entry.port = dest->port;
77527 - entry.conn_flags = atomic_read(&dest->conn_flags);
77528 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
77529 entry.weight = atomic_read(&dest->weight);
77530 entry.u_threshold = dest->u_threshold;
77531 entry.l_threshold = dest->l_threshold;
77532 @@ -3029,7 +3031,7 @@ static int ip_vs_genl_fill_dest(struct s
77533 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
77534
77535 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
77536 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77537 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77538 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
77539 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
77540 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
77541 diff -urNp linux-2.6.39.1/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.39.1/net/netfilter/ipvs/ip_vs_sync.c
77542 --- linux-2.6.39.1/net/netfilter/ipvs/ip_vs_sync.c 2011-05-19 00:06:34.000000000 -0400
77543 +++ linux-2.6.39.1/net/netfilter/ipvs/ip_vs_sync.c 2011-05-22 19:36:34.000000000 -0400
77544 @@ -648,7 +648,7 @@ control:
77545 * i.e only increment in_pkts for Templates.
77546 */
77547 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
77548 - int pkts = atomic_add_return(1, &cp->in_pkts);
77549 + int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77550
77551 if (pkts % sysctl_sync_period(ipvs) != 1)
77552 return;
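Review bot: The `pkts % sysctl_sync_period(ipvs) != 1` test two lines below the changed line does not cope with the wrap that `atomic_add_return_unchecked()` now explicitly allows. `pkts` is an `int`, so once `in_pkts` wraps negative the remainder is never 1 and every template packet takes the early `return` until the counter is positive again. Doing the arithmetic unsigned would keep the period regular, e.g. `if ((unsigned int)pkts % sysctl_sync_period(ipvs) != 1)`, assuming the period is always positive (its definition is not in the hunk). The enclosing function starts and ends outside the hunk.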
77553 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
77554
77555 if (opt)
77556 memcpy(&cp->in_seq, opt, sizeof(*opt));
77557 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
77558 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
77559 cp->state = state;
77560 cp->old_state = cp->state;
77561 /*
77562 diff -urNp linux-2.6.39.1/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.39.1/net/netfilter/ipvs/ip_vs_xmit.c
77563 --- linux-2.6.39.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-19 00:06:34.000000000 -0400
77564 +++ linux-2.6.39.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-22 19:36:34.000000000 -0400
77565 @@ -1127,7 +1127,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
77566 else
77567 rc = NF_ACCEPT;
77568 /* do not touch skb anymore */
77569 - atomic_inc(&cp->in_pkts);
77570 + atomic_inc_unchecked(&cp->in_pkts);
77571 goto out;
77572 }
77573
77574 @@ -1245,7 +1245,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
77575 else
77576 rc = NF_ACCEPT;
77577 /* do not touch skb anymore */
77578 - atomic_inc(&cp->in_pkts);
77579 + atomic_inc_unchecked(&cp->in_pkts);
77580 goto out;
77581 }
77582
77583 diff -urNp linux-2.6.39.1/net/netfilter/Kconfig linux-2.6.39.1/net/netfilter/Kconfig
77584 --- linux-2.6.39.1/net/netfilter/Kconfig 2011-05-19 00:06:34.000000000 -0400
77585 +++ linux-2.6.39.1/net/netfilter/Kconfig 2011-05-22 19:41:42.000000000 -0400
77586 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
77587
77588 To compile it as a module, choose M here. If unsure, say N.
77589
77590 +config NETFILTER_XT_MATCH_GRADM
77591 + tristate '"gradm" match support'
77592 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
77593 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
77594 + ---help---
77595 + The gradm match allows to match on grsecurity RBAC being enabled.
77596 + It is useful when iptables rules are applied early on bootup to
77597 + prevent connections to the machine (except from a trusted host)
77598 + while the RBAC system is disabled.
77599 +
77600 config NETFILTER_XT_MATCH_HASHLIMIT
77601 tristate '"hashlimit" match support'
77602 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
77603 diff -urNp linux-2.6.39.1/net/netfilter/Makefile linux-2.6.39.1/net/netfilter/Makefile
77604 --- linux-2.6.39.1/net/netfilter/Makefile 2011-05-19 00:06:34.000000000 -0400
77605 +++ linux-2.6.39.1/net/netfilter/Makefile 2011-05-22 20:40:16.000000000 -0400
77606 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
77607 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
77608 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
77609 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
77610 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
77611 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
77612 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
77613 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
77614 diff -urNp linux-2.6.39.1/net/netfilter/nfnetlink_log.c linux-2.6.39.1/net/netfilter/nfnetlink_log.c
77615 --- linux-2.6.39.1/net/netfilter/nfnetlink_log.c 2011-05-19 00:06:34.000000000 -0400
77616 +++ linux-2.6.39.1/net/netfilter/nfnetlink_log.c 2011-05-22 19:36:35.000000000 -0400
77617 @@ -70,7 +70,7 @@ struct nfulnl_instance {
77618 };
77619
77620 static DEFINE_SPINLOCK(instances_lock);
77621 -static atomic_t global_seq;
77622 +static atomic_unchecked_t global_seq;
77623
77624 #define INSTANCE_BUCKETS 16
77625 static struct hlist_head instance_table[INSTANCE_BUCKETS];
77626 @@ -506,7 +506,7 @@ __build_packet_message(struct nfulnl_ins
77627 /* global sequence number */
77628 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
77629 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
77630 - htonl(atomic_inc_return(&global_seq)));
77631 + htonl(atomic_inc_return_unchecked(&global_seq)));
77632
77633 if (data_len) {
77634 struct nlattr *nla;
77635 diff -urNp linux-2.6.39.1/net/netfilter/nfnetlink_queue.c linux-2.6.39.1/net/netfilter/nfnetlink_queue.c
77636 --- linux-2.6.39.1/net/netfilter/nfnetlink_queue.c 2011-05-19 00:06:34.000000000 -0400
77637 +++ linux-2.6.39.1/net/netfilter/nfnetlink_queue.c 2011-05-22 19:36:35.000000000 -0400
77638 @@ -58,7 +58,7 @@ struct nfqnl_instance {
77639 */
77640 spinlock_t lock;
77641 unsigned int queue_total;
77642 - atomic_t id_sequence; /* 'sequence' of pkt ids */
77643 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
77644 struct list_head queue_list; /* packets in queue */
77645 };
77646
77647 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
77648 nfmsg->version = NFNETLINK_V0;
77649 nfmsg->res_id = htons(queue->queue_num);
77650
77651 - entry->id = atomic_inc_return(&queue->id_sequence);
77652 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
77653 pmsg.packet_id = htonl(entry->id);
77654 pmsg.hw_protocol = entskb->protocol;
77655 pmsg.hook = entry->hook;
77656 @@ -869,7 +869,7 @@ static int seq_show(struct seq_file *s,
77657 inst->peer_pid, inst->queue_total,
77658 inst->copy_mode, inst->copy_range,
77659 inst->queue_dropped, inst->queue_user_dropped,
77660 - atomic_read(&inst->id_sequence), 1);
77661 + atomic_read_unchecked(&inst->id_sequence), 1);
77662 }
77663
77664 static const struct seq_operations nfqnl_seq_ops = {
77665 diff -urNp linux-2.6.39.1/net/netfilter/xt_gradm.c linux-2.6.39.1/net/netfilter/xt_gradm.c
77666 --- linux-2.6.39.1/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
77667 +++ linux-2.6.39.1/net/netfilter/xt_gradm.c 2011-05-22 19:41:42.000000000 -0400
77668 @@ -0,0 +1,51 @@
77669 +/*
77670 + * gradm match for netfilter
77671 + * Copyright © Zbigniew Krzystolik, 2010
77672 + *
77673 + * This program is free software; you can redistribute it and/or modify
77674 + * it under the terms of the GNU General Public License; either version
77675 + * 2 or 3 as published by the Free Software Foundation.
77676 + */
77677 +#include <linux/module.h>
77678 +#include <linux/moduleparam.h>
77679 +#include <linux/skbuff.h>
77680 +#include <linux/netfilter/x_tables.h>
77681 +#include <linux/grsecurity.h>
77682 +#include <linux/netfilter/xt_gradm.h>
77683 +
77684 +static bool
77685 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
77686 +{
77687 + const struct xt_gradm_mtinfo *info = par->matchinfo;
77688 + bool retval = false;
77689 + if (gr_acl_is_enabled())
77690 + retval = true;
77691 + return retval ^ info->invflags;
77692 +}
77693 +
77694 +static struct xt_match gradm_mt_reg __read_mostly = {
77695 + .name = "gradm",
77696 + .revision = 0,
77697 + .family = NFPROTO_UNSPEC,
77698 + .match = gradm_mt,
77699 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
77700 + .me = THIS_MODULE,
77701 +};
77702 +
77703 +static int __init gradm_mt_init(void)
77704 +{
77705 + return xt_register_match(&gradm_mt_reg);
77706 +}
77707 +
77708 +static void __exit gradm_mt_exit(void)
77709 +{
77710 + xt_unregister_match(&gradm_mt_reg);
77711 +}
77712 +
77713 +module_init(gradm_mt_init);
77714 +module_exit(gradm_mt_exit);
77715 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
77716 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
77717 +MODULE_LICENSE("GPL");
77718 +MODULE_ALIAS("ipt_gradm");
77719 +MODULE_ALIAS("ip6t_gradm");
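Review bot: `gradm_mt()` XORs a bool with the raw `info->invflags` value, and the registration has no `.checkentry`, so nothing restricts `invflags` to 0 or 1. The field's type is declared in `xt_gradm.h`, outside this hunk; if it is wider than one bit, any value with a bit other than bit 0 set makes the expression non-zero whatever `gr_acl_is_enabled()` returns, and the rule then matches every packet regardless of RBAC state. Normalising at the use site closes that: `return retval ^ !!info->invflags;`, and a `.checkentry` that returns `-EINVAL` for values above 1 would reject such a rule when it is loaded. `gradm_mt()` also has no comment stating that the match ignores the packet and reflects global RBAC state only.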
77720 diff -urNp linux-2.6.39.1/net/netfilter/xt_statistic.c linux-2.6.39.1/net/netfilter/xt_statistic.c
77721 --- linux-2.6.39.1/net/netfilter/xt_statistic.c 2011-05-19 00:06:34.000000000 -0400
77722 +++ linux-2.6.39.1/net/netfilter/xt_statistic.c 2011-05-22 19:36:35.000000000 -0400
77723 @@ -18,7 +18,7 @@
77724 #include <linux/netfilter/x_tables.h>
77725
77726 struct xt_statistic_priv {
77727 - atomic_t count;
77728 + atomic_unchecked_t count;
77729 } ____cacheline_aligned_in_smp;
77730
77731 MODULE_LICENSE("GPL");
77732 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
77733 break;
77734 case XT_STATISTIC_MODE_NTH:
77735 do {
77736 - oval = atomic_read(&info->master->count);
77737 + oval = atomic_read_unchecked(&info->master->count);
77738 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
77739 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
77740 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
77741 if (nval == 0)
77742 ret = !ret;
77743 break;
77744 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
77745 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
77746 if (info->master == NULL)
77747 return -ENOMEM;
77748 - atomic_set(&info->master->count, info->u.nth.count);
77749 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
77750
77751 return 0;
77752 }
77753 diff -urNp linux-2.6.39.1/net/netlink/af_netlink.c linux-2.6.39.1/net/netlink/af_netlink.c
77754 --- linux-2.6.39.1/net/netlink/af_netlink.c 2011-05-19 00:06:34.000000000 -0400
77755 +++ linux-2.6.39.1/net/netlink/af_netlink.c 2011-05-22 19:41:42.000000000 -0400
77756 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
77757 sk->sk_error_report(sk);
77758 }
77759 }
77760 - atomic_inc(&sk->sk_drops);
77761 + atomic_inc_unchecked(&sk->sk_drops);
77762 }
77763
77764 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
77765 @@ -1992,15 +1992,23 @@ static int netlink_seq_show(struct seq_f
77766 struct netlink_sock *nlk = nlk_sk(s);
77767
77768 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
77769 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77770 + NULL,
77771 +#else
77772 s,
77773 +#endif
77774 s->sk_protocol,
77775 nlk->pid,
77776 nlk->groups ? (u32)nlk->groups[0] : 0,
77777 sk_rmem_alloc_get(s),
77778 sk_wmem_alloc_get(s),
77779 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77780 + NULL,
77781 +#else
77782 nlk->cb,
77783 +#endif
77784 atomic_read(&s->sk_refcnt),
77785 - atomic_read(&s->sk_drops),
77786 + atomic_read_unchecked(&s->sk_drops),
77787 sock_i_ino(s)
77788 );
77789
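Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / value / `#endif` sequence is written out twice inside this `seq_printf()` argument list, and again in the `packet_seq_show()` and `pn_sock_seq_show()` hunks further down. A single helper macro, defined once under that config symbol and expanding to `NULL` or to its argument, would keep each call site to one line and make it harder to miss an argument when a format string gains another `%p`. It is also worth a comment that with the option set the socket-address column is the same in every row, so tools that key on that column can no longer tell entries apart.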
77790 diff -urNp linux-2.6.39.1/net/netrom/af_netrom.c linux-2.6.39.1/net/netrom/af_netrom.c
77791 --- linux-2.6.39.1/net/netrom/af_netrom.c 2011-05-19 00:06:34.000000000 -0400
77792 +++ linux-2.6.39.1/net/netrom/af_netrom.c 2011-05-22 19:41:42.000000000 -0400
77793 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
77794 struct sock *sk = sock->sk;
77795 struct nr_sock *nr = nr_sk(sk);
77796
77797 + memset(sax, 0, sizeof(*sax));
77798 lock_sock(sk);
77799 if (peer != 0) {
77800 if (sk->sk_state != TCP_ESTABLISHED) {
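Review bot: The added `memset(sax, 0, sizeof(*sax));` has no comment explaining that it exists to keep uninitialised bytes of the address structure from reaching the caller. I would add `/* zero the whole address: unset fields and padding must not leak to user space */` above it, since the second hunk removes the now-redundant `sax25_ndigis = 0` and a later cleanup could mistake the memset for dead code. Where `sax` points and how the result is copied out are outside the hunk, so the size used here should be confirmed against the buffer the caller provides.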
77801 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
77802 *uaddr_len = sizeof(struct full_sockaddr_ax25);
77803 } else {
77804 sax->fsa_ax25.sax25_family = AF_NETROM;
77805 - sax->fsa_ax25.sax25_ndigis = 0;
77806 sax->fsa_ax25.sax25_call = nr->source_addr;
77807 *uaddr_len = sizeof(struct sockaddr_ax25);
77808 }
77809 diff -urNp linux-2.6.39.1/net/packet/af_packet.c linux-2.6.39.1/net/packet/af_packet.c
77810 --- linux-2.6.39.1/net/packet/af_packet.c 2011-05-19 00:06:34.000000000 -0400
77811 +++ linux-2.6.39.1/net/packet/af_packet.c 2011-05-22 19:41:42.000000000 -0400
77812 @@ -647,14 +647,14 @@ static int packet_rcv(struct sk_buff *sk
77813
77814 spin_lock(&sk->sk_receive_queue.lock);
77815 po->stats.tp_packets++;
77816 - skb->dropcount = atomic_read(&sk->sk_drops);
77817 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
77818 __skb_queue_tail(&sk->sk_receive_queue, skb);
77819 spin_unlock(&sk->sk_receive_queue.lock);
77820 sk->sk_data_ready(sk, skb->len);
77821 return 0;
77822
77823 drop_n_acct:
77824 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
77825 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
77826
77827 drop_n_restore:
77828 if (skb_head != skb->data && skb_shared(skb)) {
77829 @@ -2157,7 +2157,7 @@ static int packet_getsockopt(struct sock
77830 case PACKET_HDRLEN:
77831 if (len > sizeof(int))
77832 len = sizeof(int);
77833 - if (copy_from_user(&val, optval, len))
77834 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
77835 return -EFAULT;
77836 switch (val) {
77837 case TPACKET_V1:
77838 @@ -2195,7 +2195,7 @@ static int packet_getsockopt(struct sock
77839
77840 if (put_user(len, optlen))
77841 return -EFAULT;
77842 - if (copy_to_user(optval, data, len))
77843 + if (len > sizeof(st) || copy_to_user(optval, data, len))
77844 return -EFAULT;
77845 return 0;
77846 }
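Review bot: The new guard compares `len` with `sizeof(st)` while the copy reads from `data`, so it bounds the length by the largest candidate rather than by the object actually copied. Where `data` is assigned is outside the hunk; if it can point at something smaller than `st`, the check alone does not prevent reading past that object and the per-option clamps remain the real protection. A comment such as `/* upper bound only: each case above must clamp len to its own object */` would make that explicit. In the previous hunk the added `len > sizeof(val)` follows a clamp of `len` to `sizeof(int)`, so it looks redundant unless `val` is narrower than `int`, and both checks return `-EFAULT` for what is a length error.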
77847 @@ -2707,7 +2707,11 @@ static int packet_seq_show(struct seq_fi
77848
77849 seq_printf(seq,
77850 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
77851 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77852 + NULL,
77853 +#else
77854 s,
77855 +#endif
77856 atomic_read(&s->sk_refcnt),
77857 s->sk_type,
77858 ntohs(po->num),
77859 diff -urNp linux-2.6.39.1/net/phonet/af_phonet.c linux-2.6.39.1/net/phonet/af_phonet.c
77860 --- linux-2.6.39.1/net/phonet/af_phonet.c 2011-05-19 00:06:34.000000000 -0400
77861 +++ linux-2.6.39.1/net/phonet/af_phonet.c 2011-05-22 19:41:42.000000000 -0400
77862 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
77863 {
77864 struct phonet_protocol *pp;
77865
77866 - if (protocol >= PHONET_NPROTO)
77867 + if (protocol < 0 || protocol >= PHONET_NPROTO)
77868 return NULL;
77869
77870 rcu_read_lock();
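Review bot: The `protocol < 0` test added here and in the `phonet_proto_register()` hunk below patches the signed index at each use; declaring the parameter `unsigned int` would make the existing `>= PHONET_NPROTO` comparison sufficient. The parameter declarations are outside both hunks, so this assumes `protocol` is a plain `int`. Any other function in the file that indexes the protocol table with the same value would need the same guard and is not visible here.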
77871 @@ -149,7 +149,7 @@ static int pn_header_parse(const struct
77872 return 1;
77873 }
77874
77875 -struct header_ops phonet_header_ops = {
77876 +const struct header_ops phonet_header_ops = {
77877 .create = pn_header_create,
77878 .parse = pn_header_parse,
77879 };
77880 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
77881 {
77882 int err = 0;
77883
77884 - if (protocol >= PHONET_NPROTO)
77885 + if (protocol < 0 || protocol >= PHONET_NPROTO)
77886 return -EINVAL;
77887
77888 err = proto_register(pp->prot, 1);
77889 diff -urNp linux-2.6.39.1/net/phonet/pep.c linux-2.6.39.1/net/phonet/pep.c
77890 --- linux-2.6.39.1/net/phonet/pep.c 2011-05-19 00:06:34.000000000 -0400
77891 +++ linux-2.6.39.1/net/phonet/pep.c 2011-05-22 19:36:35.000000000 -0400
77892 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk,
77893
77894 case PNS_PEP_CTRL_REQ:
77895 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
77896 - atomic_inc(&sk->sk_drops);
77897 + atomic_inc_unchecked(&sk->sk_drops);
77898 break;
77899 }
77900 __skb_pull(skb, 4);
77901 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk,
77902 }
77903
77904 if (pn->rx_credits == 0) {
77905 - atomic_inc(&sk->sk_drops);
77906 + atomic_inc_unchecked(&sk->sk_drops);
77907 err = -ENOBUFS;
77908 break;
77909 }
77910 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
77911 }
77912
77913 if (pn->rx_credits == 0) {
77914 - atomic_inc(&sk->sk_drops);
77915 + atomic_inc_unchecked(&sk->sk_drops);
77916 err = NET_RX_DROP;
77917 break;
77918 }
77919 diff -urNp linux-2.6.39.1/net/phonet/socket.c linux-2.6.39.1/net/phonet/socket.c
77920 --- linux-2.6.39.1/net/phonet/socket.c 2011-05-19 00:06:34.000000000 -0400
77921 +++ linux-2.6.39.1/net/phonet/socket.c 2011-05-22 20:39:26.000000000 -0400
77922 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_f
77923 pn->resource, sk->sk_state,
77924 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
77925 sock_i_uid(sk), sock_i_ino(sk),
77926 - atomic_read(&sk->sk_refcnt), sk,
77927 - atomic_read(&sk->sk_drops), &len);
77928 + atomic_read(&sk->sk_refcnt),
77929 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77930 + NULL,
77931 +#else
77932 + sk,
77933 +#endif
77934 + atomic_read_unchecked(&sk->sk_drops), &len);
77935 }
77936 seq_printf(seq, "%*s\n", 127 - len, "");
77937 return 0;
77938 diff -urNp linux-2.6.39.1/net/rds/cong.c linux-2.6.39.1/net/rds/cong.c
77939 --- linux-2.6.39.1/net/rds/cong.c 2011-05-19 00:06:34.000000000 -0400
77940 +++ linux-2.6.39.1/net/rds/cong.c 2011-05-22 19:36:35.000000000 -0400
77941 @@ -77,7 +77,7 @@
77942 * finds that the saved generation number is smaller than the global generation
77943 * number, it wakes up the process.
77944 */
77945 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
77946 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
77947
77948 /*
77949 * Congestion monitoring
77950 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
77951 rdsdebug("waking map %p for %pI4\n",
77952 map, &map->m_addr);
77953 rds_stats_inc(s_cong_update_received);
77954 - atomic_inc(&rds_cong_generation);
77955 + atomic_inc_unchecked(&rds_cong_generation);
77956 if (waitqueue_active(&map->m_waitq))
77957 wake_up(&map->m_waitq);
77958 if (waitqueue_active(&rds_poll_waitq))
77959 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
77960
77961 int rds_cong_updated_since(unsigned long *recent)
77962 {
77963 - unsigned long gen = atomic_read(&rds_cong_generation);
77964 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
77965
77966 if (likely(*recent == gen))
77967 return 0;
77968 diff -urNp linux-2.6.39.1/net/rds/ib_cm.c linux-2.6.39.1/net/rds/ib_cm.c
77969 --- linux-2.6.39.1/net/rds/ib_cm.c 2011-05-19 00:06:34.000000000 -0400
77970 +++ linux-2.6.39.1/net/rds/ib_cm.c 2011-05-22 19:36:35.000000000 -0400
77971 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
77972 /* Clear the ACK state */
77973 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
77974 #ifdef KERNEL_HAS_ATOMIC64
77975 - atomic64_set(&ic->i_ack_next, 0);
77976 + atomic64_set_unchecked(&ic->i_ack_next, 0);
77977 #else
77978 ic->i_ack_next = 0;
77979 #endif
77980 diff -urNp linux-2.6.39.1/net/rds/ib.h linux-2.6.39.1/net/rds/ib.h
77981 --- linux-2.6.39.1/net/rds/ib.h 2011-05-19 00:06:34.000000000 -0400
77982 +++ linux-2.6.39.1/net/rds/ib.h 2011-05-22 19:36:35.000000000 -0400
77983 @@ -127,7 +127,7 @@ struct rds_ib_connection {
77984 /* sending acks */
77985 unsigned long i_ack_flags;
77986 #ifdef KERNEL_HAS_ATOMIC64
77987 - atomic64_t i_ack_next; /* next ACK to send */
77988 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
77989 #else
77990 spinlock_t i_ack_lock; /* protect i_ack_next */
77991 u64 i_ack_next; /* next ACK to send */
77992 diff -urNp linux-2.6.39.1/net/rds/ib_recv.c linux-2.6.39.1/net/rds/ib_recv.c
77993 --- linux-2.6.39.1/net/rds/ib_recv.c 2011-05-19 00:06:34.000000000 -0400
77994 +++ linux-2.6.39.1/net/rds/ib_recv.c 2011-05-22 19:36:35.000000000 -0400
77995 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
77996 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
77997 int ack_required)
77998 {
77999 - atomic64_set(&ic->i_ack_next, seq);
78000 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78001 if (ack_required) {
78002 smp_mb__before_clear_bit();
78003 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78004 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78005 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78006 smp_mb__after_clear_bit();
78007
78008 - return atomic64_read(&ic->i_ack_next);
78009 + return atomic64_read_unchecked(&ic->i_ack_next);
78010 }
78011 #endif
78012
78013 diff -urNp linux-2.6.39.1/net/rds/iw_cm.c linux-2.6.39.1/net/rds/iw_cm.c
78014 --- linux-2.6.39.1/net/rds/iw_cm.c 2011-05-19 00:06:34.000000000 -0400
78015 +++ linux-2.6.39.1/net/rds/iw_cm.c 2011-05-22 19:36:35.000000000 -0400
78016 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
78017 /* Clear the ACK state */
78018 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78019 #ifdef KERNEL_HAS_ATOMIC64
78020 - atomic64_set(&ic->i_ack_next, 0);
78021 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78022 #else
78023 ic->i_ack_next = 0;
78024 #endif
78025 diff -urNp linux-2.6.39.1/net/rds/iw.h linux-2.6.39.1/net/rds/iw.h
78026 --- linux-2.6.39.1/net/rds/iw.h 2011-05-19 00:06:34.000000000 -0400
78027 +++ linux-2.6.39.1/net/rds/iw.h 2011-05-22 19:36:35.000000000 -0400
78028 @@ -133,7 +133,7 @@ struct rds_iw_connection {
78029 /* sending acks */
78030 unsigned long i_ack_flags;
78031 #ifdef KERNEL_HAS_ATOMIC64
78032 - atomic64_t i_ack_next; /* next ACK to send */
78033 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78034 #else
78035 spinlock_t i_ack_lock; /* protect i_ack_next */
78036 u64 i_ack_next; /* next ACK to send */
78037 diff -urNp linux-2.6.39.1/net/rds/iw_rdma.c linux-2.6.39.1/net/rds/iw_rdma.c
78038 --- linux-2.6.39.1/net/rds/iw_rdma.c 2011-05-19 00:06:34.000000000 -0400
78039 +++ linux-2.6.39.1/net/rds/iw_rdma.c 2011-05-22 19:36:35.000000000 -0400
78040 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78041 struct rdma_cm_id *pcm_id;
78042 int rc;
78043
78044 + pax_track_stack();
78045 +
78046 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78047 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78048
78049 diff -urNp linux-2.6.39.1/net/rds/iw_recv.c linux-2.6.39.1/net/rds/iw_recv.c
78050 --- linux-2.6.39.1/net/rds/iw_recv.c 2011-05-19 00:06:34.000000000 -0400
78051 +++ linux-2.6.39.1/net/rds/iw_recv.c 2011-05-22 19:36:35.000000000 -0400
78052 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78053 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
78054 int ack_required)
78055 {
78056 - atomic64_set(&ic->i_ack_next, seq);
78057 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78058 if (ack_required) {
78059 smp_mb__before_clear_bit();
78060 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78061 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78062 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78063 smp_mb__after_clear_bit();
78064
78065 - return atomic64_read(&ic->i_ack_next);
78066 + return atomic64_read_unchecked(&ic->i_ack_next);
78067 }
78068 #endif
78069
78070 diff -urNp linux-2.6.39.1/net/rxrpc/af_rxrpc.c linux-2.6.39.1/net/rxrpc/af_rxrpc.c
78071 --- linux-2.6.39.1/net/rxrpc/af_rxrpc.c 2011-05-19 00:06:34.000000000 -0400
78072 +++ linux-2.6.39.1/net/rxrpc/af_rxrpc.c 2011-05-22 19:36:35.000000000 -0400
78073 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
78074 __be32 rxrpc_epoch;
78075
78076 /* current debugging ID */
78077 -atomic_t rxrpc_debug_id;
78078 +atomic_unchecked_t rxrpc_debug_id;
78079
78080 /* count of skbs currently in use */
78081 atomic_t rxrpc_n_skbs;
78082 diff -urNp linux-2.6.39.1/net/rxrpc/ar-ack.c linux-2.6.39.1/net/rxrpc/ar-ack.c
78083 --- linux-2.6.39.1/net/rxrpc/ar-ack.c 2011-05-19 00:06:34.000000000 -0400
78084 +++ linux-2.6.39.1/net/rxrpc/ar-ack.c 2011-05-22 19:36:35.000000000 -0400
78085 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
78086
78087 _enter("{%d,%d,%d,%d},",
78088 call->acks_hard, call->acks_unacked,
78089 - atomic_read(&call->sequence),
78090 + atomic_read_unchecked(&call->sequence),
78091 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78092
78093 stop = 0;
78094 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
78095
78096 /* each Tx packet has a new serial number */
78097 sp->hdr.serial =
78098 - htonl(atomic_inc_return(&call->conn->serial));
78099 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
78100
78101 hdr = (struct rxrpc_header *) txb->head;
78102 hdr->serial = sp->hdr.serial;
78103 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
78104 */
78105 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78106 {
78107 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78108 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78109 }
78110
78111 /*
78112 @@ -631,7 +631,7 @@ process_further:
78113
78114 latest = ntohl(sp->hdr.serial);
78115 hard = ntohl(ack.firstPacket);
78116 - tx = atomic_read(&call->sequence);
78117 + tx = atomic_read_unchecked(&call->sequence);
78118
78119 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78120 latest,
78121 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
78122 u32 abort_code = RX_PROTOCOL_ERROR;
78123 u8 *acks = NULL;
78124
78125 + pax_track_stack();
78126 +
78127 //printk("\n--------------------\n");
78128 _enter("{%d,%s,%lx} [%lu]",
78129 call->debug_id, rxrpc_call_states[call->state], call->events,
78130 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
78131 goto maybe_reschedule;
78132
78133 send_ACK_with_skew:
78134 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78135 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78136 ntohl(ack.serial));
78137 send_ACK:
78138 mtu = call->conn->trans->peer->if_mtu;
78139 @@ -1175,7 +1177,7 @@ send_ACK:
78140 ackinfo.rxMTU = htonl(5692);
78141 ackinfo.jumbo_max = htonl(4);
78142
78143 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78144 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78145 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78146 ntohl(hdr.serial),
78147 ntohs(ack.maxSkew),
78148 @@ -1193,7 +1195,7 @@ send_ACK:
78149 send_message:
78150 _debug("send message");
78151
78152 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78153 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78154 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78155 send_message_2:
78156
78157 diff -urNp linux-2.6.39.1/net/rxrpc/ar-call.c linux-2.6.39.1/net/rxrpc/ar-call.c
78158 --- linux-2.6.39.1/net/rxrpc/ar-call.c 2011-05-19 00:06:34.000000000 -0400
78159 +++ linux-2.6.39.1/net/rxrpc/ar-call.c 2011-05-22 19:36:35.000000000 -0400
78160 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78161 spin_lock_init(&call->lock);
78162 rwlock_init(&call->state_lock);
78163 atomic_set(&call->usage, 1);
78164 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78165 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78166 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78167
78168 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78169 diff -urNp linux-2.6.39.1/net/rxrpc/ar-connection.c linux-2.6.39.1/net/rxrpc/ar-connection.c
78170 --- linux-2.6.39.1/net/rxrpc/ar-connection.c 2011-05-19 00:06:34.000000000 -0400
78171 +++ linux-2.6.39.1/net/rxrpc/ar-connection.c 2011-05-22 19:36:35.000000000 -0400
78172 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
78173 rwlock_init(&conn->lock);
78174 spin_lock_init(&conn->state_lock);
78175 atomic_set(&conn->usage, 1);
78176 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78177 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78178 conn->avail_calls = RXRPC_MAXCALLS;
78179 conn->size_align = 4;
78180 conn->header_size = sizeof(struct rxrpc_header);
78181 diff -urNp linux-2.6.39.1/net/rxrpc/ar-connevent.c linux-2.6.39.1/net/rxrpc/ar-connevent.c
78182 --- linux-2.6.39.1/net/rxrpc/ar-connevent.c 2011-05-19 00:06:34.000000000 -0400
78183 +++ linux-2.6.39.1/net/rxrpc/ar-connevent.c 2011-05-22 19:36:35.000000000 -0400
78184 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78185
78186 len = iov[0].iov_len + iov[1].iov_len;
78187
78188 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78189 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78190 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78191
78192 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78193 diff -urNp linux-2.6.39.1/net/rxrpc/ar-input.c linux-2.6.39.1/net/rxrpc/ar-input.c
78194 --- linux-2.6.39.1/net/rxrpc/ar-input.c 2011-05-19 00:06:34.000000000 -0400
78195 +++ linux-2.6.39.1/net/rxrpc/ar-input.c 2011-05-22 19:36:35.000000000 -0400
78196 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
78197 /* track the latest serial number on this connection for ACK packet
78198 * information */
78199 serial = ntohl(sp->hdr.serial);
78200 - hi_serial = atomic_read(&call->conn->hi_serial);
78201 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78202 while (serial > hi_serial)
78203 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78204 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78205 serial);
78206
78207 /* request ACK generation for any ACK or DATA packet that requests
78208 diff -urNp linux-2.6.39.1/net/rxrpc/ar-internal.h linux-2.6.39.1/net/rxrpc/ar-internal.h
78209 --- linux-2.6.39.1/net/rxrpc/ar-internal.h 2011-05-19 00:06:34.000000000 -0400
78210 +++ linux-2.6.39.1/net/rxrpc/ar-internal.h 2011-05-22 19:36:35.000000000 -0400
78211 @@ -272,8 +272,8 @@ struct rxrpc_connection {
78212 int error; /* error code for local abort */
78213 int debug_id; /* debug ID for printks */
78214 unsigned call_counter; /* call ID counter */
78215 - atomic_t serial; /* packet serial number counter */
78216 - atomic_t hi_serial; /* highest serial number received */
78217 + atomic_unchecked_t serial; /* packet serial number counter */
78218 + atomic_unchecked_t hi_serial; /* highest serial number received */
78219 u8 avail_calls; /* number of calls available */
78220 u8 size_align; /* data size alignment (for security) */
78221 u8 header_size; /* rxrpc + security header size */
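Review bot: The comments on `serial` and `hi_serial` do not say why these two counters become `atomic_unchecked_t` while `usage` in struct rxrpc_call (next hunk) stays `atomic_t`. Judging from the hunks on this page, the unchecked type is given to values that are expected to wrap (packet serials, sequence numbers, debug ids) and not to reference counts. Saying so on the field, e.g. `/* packet serial number counter; wraps by design, not a refcount */`, would stop a later reader from converting a real refcount by analogy. The same applies to `sequence` and to `rxrpc_debug_id` in the following hunks; both struct bodies extend outside their hunks.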
78222 @@ -346,7 +346,7 @@ struct rxrpc_call {
78223 spinlock_t lock;
78224 rwlock_t state_lock; /* lock for state transition */
78225 atomic_t usage;
78226 - atomic_t sequence; /* Tx data packet sequence counter */
78227 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78228 u32 abort_code; /* local/remote abort code */
78229 enum { /* current state of call */
78230 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78231 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78232 */
78233 extern atomic_t rxrpc_n_skbs;
78234 extern __be32 rxrpc_epoch;
78235 -extern atomic_t rxrpc_debug_id;
78236 +extern atomic_unchecked_t rxrpc_debug_id;
78237 extern struct workqueue_struct *rxrpc_workqueue;
78238
78239 /*
78240 diff -urNp linux-2.6.39.1/net/rxrpc/ar-local.c linux-2.6.39.1/net/rxrpc/ar-local.c
78241 --- linux-2.6.39.1/net/rxrpc/ar-local.c 2011-05-19 00:06:34.000000000 -0400
78242 +++ linux-2.6.39.1/net/rxrpc/ar-local.c 2011-05-22 19:36:35.000000000 -0400
78243 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78244 spin_lock_init(&local->lock);
78245 rwlock_init(&local->services_lock);
78246 atomic_set(&local->usage, 1);
78247 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78248 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78249 memcpy(&local->srx, srx, sizeof(*srx));
78250 }
78251
78252 diff -urNp linux-2.6.39.1/net/rxrpc/ar-output.c linux-2.6.39.1/net/rxrpc/ar-output.c
78253 --- linux-2.6.39.1/net/rxrpc/ar-output.c 2011-05-19 00:06:34.000000000 -0400
78254 +++ linux-2.6.39.1/net/rxrpc/ar-output.c 2011-05-22 19:36:35.000000000 -0400
78255 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
78256 sp->hdr.cid = call->cid;
78257 sp->hdr.callNumber = call->call_id;
78258 sp->hdr.seq =
78259 - htonl(atomic_inc_return(&call->sequence));
78260 + htonl(atomic_inc_return_unchecked(&call->sequence));
78261 sp->hdr.serial =
78262 - htonl(atomic_inc_return(&conn->serial));
78263 + htonl(atomic_inc_return_unchecked(&conn->serial));
78264 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78265 sp->hdr.userStatus = 0;
78266 sp->hdr.securityIndex = conn->security_ix;
78267 diff -urNp linux-2.6.39.1/net/rxrpc/ar-peer.c linux-2.6.39.1/net/rxrpc/ar-peer.c
78268 --- linux-2.6.39.1/net/rxrpc/ar-peer.c 2011-05-19 00:06:34.000000000 -0400
78269 +++ linux-2.6.39.1/net/rxrpc/ar-peer.c 2011-05-22 19:36:35.000000000 -0400
78270 @@ -71,7 +71,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78271 INIT_LIST_HEAD(&peer->error_targets);
78272 spin_lock_init(&peer->lock);
78273 atomic_set(&peer->usage, 1);
78274 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78275 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78276 memcpy(&peer->srx, srx, sizeof(*srx));
78277
78278 rxrpc_assess_MTU_size(peer);
78279 diff -urNp linux-2.6.39.1/net/rxrpc/ar-proc.c linux-2.6.39.1/net/rxrpc/ar-proc.c
78280 --- linux-2.6.39.1/net/rxrpc/ar-proc.c 2011-05-19 00:06:34.000000000 -0400
78281 +++ linux-2.6.39.1/net/rxrpc/ar-proc.c 2011-05-22 19:36:35.000000000 -0400
78282 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78283 atomic_read(&conn->usage),
78284 rxrpc_conn_states[conn->state],
78285 key_serial(conn->key),
78286 - atomic_read(&conn->serial),
78287 - atomic_read(&conn->hi_serial));
78288 + atomic_read_unchecked(&conn->serial),
78289 + atomic_read_unchecked(&conn->hi_serial));
78290
78291 return 0;
78292 }
78293 diff -urNp linux-2.6.39.1/net/rxrpc/ar-transport.c linux-2.6.39.1/net/rxrpc/ar-transport.c
78294 --- linux-2.6.39.1/net/rxrpc/ar-transport.c 2011-05-19 00:06:34.000000000 -0400
78295 +++ linux-2.6.39.1/net/rxrpc/ar-transport.c 2011-05-22 19:36:35.000000000 -0400
78296 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
78297 spin_lock_init(&trans->client_lock);
78298 rwlock_init(&trans->conn_lock);
78299 atomic_set(&trans->usage, 1);
78300 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78301 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78302
78303 if (peer->srx.transport.family == AF_INET) {
78304 switch (peer->srx.transport_type) {
78305 diff -urNp linux-2.6.39.1/net/rxrpc/rxkad.c linux-2.6.39.1/net/rxrpc/rxkad.c
78306 --- linux-2.6.39.1/net/rxrpc/rxkad.c 2011-05-19 00:06:34.000000000 -0400
78307 +++ linux-2.6.39.1/net/rxrpc/rxkad.c 2011-05-22 19:36:35.000000000 -0400
78308 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
78309 u16 check;
78310 int nsg;
78311
78312 + pax_track_stack();
78313 +
78314 sp = rxrpc_skb(skb);
78315
78316 _enter("");
78317 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
78318 u16 check;
78319 int nsg;
78320
78321 + pax_track_stack();
78322 +
78323 _enter("");
78324
78325 sp = rxrpc_skb(skb);
78326 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
78327
78328 len = iov[0].iov_len + iov[1].iov_len;
78329
78330 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78331 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78332 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78333
78334 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78335 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
78336
78337 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78338
78339 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
78340 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78341 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78342
78343 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78344 diff -urNp linux-2.6.39.1/net/sched/em_meta.c linux-2.6.39.1/net/sched/em_meta.c
78345 --- linux-2.6.39.1/net/sched/em_meta.c 2011-05-19 00:06:34.000000000 -0400
78346 +++ linux-2.6.39.1/net/sched/em_meta.c 2011-05-22 19:36:35.000000000 -0400
78347 @@ -832,7 +832,7 @@ static int em_meta_dump(struct sk_buff *
78348 {
78349 struct meta_match *meta = (struct meta_match *) em->data;
78350 struct tcf_meta_hdr hdr;
78351 - struct meta_type_ops *ops;
78352 + const struct meta_type_ops *ops;
78353
78354 memset(&hdr, 0, sizeof(hdr));
78355 memcpy(&hdr.left, &meta->lvalue.hdr, sizeof(hdr.left));
78356 diff -urNp linux-2.6.39.1/net/sctp/proc.c linux-2.6.39.1/net/sctp/proc.c
78357 --- linux-2.6.39.1/net/sctp/proc.c 2011-05-19 00:06:34.000000000 -0400
78358 +++ linux-2.6.39.1/net/sctp/proc.c 2011-05-22 19:41:42.000000000 -0400
78359 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
78360 sctp_for_each_hentry(epb, node, &head->chain) {
78361 ep = sctp_ep(epb);
78362 sk = epb->sk;
78363 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78364 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78365 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78366 + NULL, NULL,
78367 +#else
78368 + ep, sk,
78369 +#endif
78370 sctp_sk(sk)->type, sk->sk_state, hash,
78371 epb->bind_addr.port,
78372 sock_i_uid(sk), sock_i_ino(sk));
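Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside the seq_printf() argument list, and the same construct is repeated in sctp_assocs_seq_show in the next hunk and in unix_seq_show in net/unix/af_unix.c. A single helper that yields either the pointer or NULL would keep each format string next to its arguments and make it harder to miss a `%p` when a column is added. With NULL passed, the two `%8p` columns no longer hold an address-shaped token (presumably a placeholder is printed instead), so I would add `/* HIDESYM: pointer columns are deliberately blanked */` for anyone who parses this proc file. sctp_eps_seq_show starts and ends outside the hunk.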
78373 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
78374 seq_printf(seq,
78375 "%8p %8p %-3d %-3d %-2d %-4d "
78376 "%4d %8d %8d %7d %5lu %-5d %5d ",
78377 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78378 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78379 + NULL, NULL,
78380 +#else
78381 + assoc, sk,
78382 +#endif
78383 + sctp_sk(sk)->type, sk->sk_state,
78384 assoc->state, hash,
78385 assoc->assoc_id,
78386 assoc->sndbuf_used,
78387 diff -urNp linux-2.6.39.1/net/sctp/socket.c linux-2.6.39.1/net/sctp/socket.c
78388 --- linux-2.6.39.1/net/sctp/socket.c 2011-05-19 00:06:34.000000000 -0400
78389 +++ linux-2.6.39.1/net/sctp/socket.c 2011-05-22 19:36:35.000000000 -0400
78390 @@ -4433,7 +4433,7 @@ static int sctp_getsockopt_peer_addrs(st
78391 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
78392 if (space_left < addrlen)
78393 return -ENOMEM;
78394 - if (copy_to_user(to, &temp, addrlen))
78395 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
78396 return -EFAULT;
78397 to += addrlen;
78398 cnt++;
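Review bot: The added `addrlen > sizeof(temp)` test returns -EFAULT, the same value as a failed copy_to_user(), so an address family that reports an oversized sockaddr_len cannot be told apart from a bad user pointer. The bound itself is the right guard against reading past `temp`; I would give it a comment such as `/* never copy more than the on-stack bounce buffer holds */`, and state why -EFAULT was chosen for a kernel-side inconsistency. The `len > sizeof str_buf` test added to read_reset_stat in net/sunrpc/xprtrdma/svc_rdma.c has the same shape. There it also depends on `len` being converted to an unsigned type for the comparison, which deserves a comment if `len` is a signed int (its declaration is outside that hunk).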
78399 diff -urNp linux-2.6.39.1/net/socket.c linux-2.6.39.1/net/socket.c
78400 --- linux-2.6.39.1/net/socket.c 2011-06-03 00:04:14.000000000 -0400
78401 +++ linux-2.6.39.1/net/socket.c 2011-06-03 00:32:08.000000000 -0400
78402 @@ -88,6 +88,7 @@
78403 #include <linux/nsproxy.h>
78404 #include <linux/magic.h>
78405 #include <linux/slab.h>
78406 +#include <linux/in.h>
78407
78408 #include <asm/uaccess.h>
78409 #include <asm/unistd.h>
78410 @@ -105,6 +106,8 @@
78411 #include <linux/sockios.h>
78412 #include <linux/atalk.h>
78413
78414 +#include <linux/grsock.h>
78415 +
78416 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
78417 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
78418 unsigned long nr_segs, loff_t pos);
78419 @@ -330,7 +333,7 @@ static struct dentry *sockfs_mount(struc
78420 &sockfs_dentry_operations, SOCKFS_MAGIC);
78421 }
78422
78423 -static struct vfsmount *sock_mnt __read_mostly;
78424 +struct vfsmount *sock_mnt __read_mostly;
78425
78426 static struct file_system_type sock_fs_type = {
78427 .name = "sockfs",
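Review bot: Dropping `static` gives `sock_mnt` external linkage, but the hunk adds neither a declaration nor a comment naming the intended user. Presumably the consumer is the code behind the newly included `<linux/grsock.h>`; if so, the `extern` belongs in that header, and `/* non-static: also referenced by the grsecurity socket checks */` above the definition would document the widened scope.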
78428 @@ -1179,6 +1182,8 @@ int __sock_create(struct net *net, int f
78429 return -EAFNOSUPPORT;
78430 if (type < 0 || type >= SOCK_MAX)
78431 return -EINVAL;
78432 + if (protocol < 0)
78433 + return -EINVAL;
78434
78435 /* Compatibility.
78436
78437 @@ -1311,6 +1316,16 @@ SYSCALL_DEFINE3(socket, int, family, int
78438 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
78439 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
78440
78441 + if(!gr_search_socket(family, type, protocol)) {
78442 + retval = -EACCES;
78443 + goto out;
78444 + }
78445 +
78446 + if (gr_handle_sock_all(family, type, protocol)) {
78447 + retval = -EACCES;
78448 + goto out;
78449 + }
78450 +
78451 retval = sock_create(family, type, protocol, &sock);
78452 if (retval < 0)
78453 goto out;
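Review bot: The two checks added before sock_create() use opposite conventions, and nothing at the call site says so: `gr_search_socket()` denies when it returns zero, while `gr_handle_sock_all()` denies when it returns non-zero. A one-line comment on each (`/* returns 0 when the request is denied */`, `/* returns non-zero when the request is denied */`) would make the inverted tests reviewable without opening the callees, which are not on this page. `if(!gr_search_socket(` should also read `if (!gr_search_socket(` to match the surrounding style.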
78454 @@ -1423,6 +1438,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78455 if (sock) {
78456 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
78457 if (err >= 0) {
78458 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
78459 + err = -EACCES;
78460 + goto error;
78461 + }
78462 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
78463 + if (err)
78464 + goto error;
78465 +
78466 err = security_socket_bind(sock,
78467 (struct sockaddr *)&address,
78468 addrlen);
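Review bot: `gr_search_bind()` receives `&address` cast to `struct sockaddr_in *` with neither `addrlen` nor an address-family test at the call site, and `gr_handle_sock_server()` gets no length either. `address` is a stack buffer (presumably a `struct sockaddr_storage`, as in the connect hunk) that move_addr_to_kernel() fills only up to the caller-supplied `addrlen`. For a short or non-AF_INET address the hooks would therefore read fields user space never wrote, unless they check family and length themselves; their bodies are not on this page. I would pass `addrlen` through to both hooks, and until then add `/* gr hooks must test sa_family and must not read past addrlen */` above the calls. The connect hunk below makes the same cast for `gr_search_connect()`.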
78469 @@ -1431,6 +1454,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78470 (struct sockaddr *)
78471 &address, addrlen);
78472 }
78473 +error:
78474 fput_light(sock->file, fput_needed);
78475 }
78476 return err;
78477 @@ -1454,10 +1478,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
78478 if ((unsigned)backlog > somaxconn)
78479 backlog = somaxconn;
78480
78481 + if (gr_handle_sock_server_other(sock->sk)) {
78482 + err = -EPERM;
78483 + goto error;
78484 + }
78485 +
78486 + err = gr_search_listen(sock);
78487 + if (err)
78488 + goto error;
78489 +
78490 err = security_socket_listen(sock, backlog);
78491 if (!err)
78492 err = sock->ops->listen(sock, backlog);
78493
78494 +error:
78495 fput_light(sock->file, fput_needed);
78496 }
78497 return err;
78498 @@ -1501,6 +1535,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78499 newsock->type = sock->type;
78500 newsock->ops = sock->ops;
78501
78502 + if (gr_handle_sock_server_other(sock->sk)) {
78503 + err = -EPERM;
78504 + sock_release(newsock);
78505 + goto out_put;
78506 + }
78507 +
78508 + err = gr_search_accept(sock);
78509 + if (err) {
78510 + sock_release(newsock);
78511 + goto out_put;
78512 + }
78513 +
78514 /*
78515 * We don't need try_module_get here, as the listening socket (sock)
78516 * has the protocol module (sock->ops->owner) held.
78517 @@ -1539,6 +1585,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78518 fd_install(newfd, newfile);
78519 err = newfd;
78520
78521 + gr_attach_curr_ip(newsock->sk);
78522 +
78523 out_put:
78524 fput_light(sock->file, fput_needed);
78525 out:
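Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the new descriptor is already visible to every thread sharing the file table. If one of them closes `newfd` immediately, the last file reference can be dropped and `newsock` released before this line dereferences it. Moving the call up so that `gr_attach_curr_ip(newsock->sk);` precedes `fd_install(newfd, newfile);` keeps the socket privately owned while it is touched. accept4's body starts outside the hunk.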
78526 @@ -1571,6 +1619,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78527 int, addrlen)
78528 {
78529 struct socket *sock;
78530 + struct sockaddr *sck;
78531 struct sockaddr_storage address;
78532 int err, fput_needed;
78533
78534 @@ -1581,6 +1630,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78535 if (err < 0)
78536 goto out_put;
78537
78538 + sck = (struct sockaddr *)&address;
78539 +
78540 + if (gr_handle_sock_client(sck)) {
78541 + err = -EACCES;
78542 + goto out_put;
78543 + }
78544 +
78545 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
78546 + if (err)
78547 + goto out_put;
78548 +
78549 err =
78550 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
78551 if (err)
78552 @@ -1882,6 +1942,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
78553 int err, ctl_len, iov_size, total_len;
78554 int fput_needed;
78555
78556 + pax_track_stack();
78557 +
78558 err = -EFAULT;
78559 if (MSG_CMSG_COMPAT & flags) {
78560 if (get_compat_msghdr(&msg_sys, msg_compat))
78561 diff -urNp linux-2.6.39.1/net/sunrpc/sched.c linux-2.6.39.1/net/sunrpc/sched.c
78562 --- linux-2.6.39.1/net/sunrpc/sched.c 2011-05-19 00:06:34.000000000 -0400
78563 +++ linux-2.6.39.1/net/sunrpc/sched.c 2011-05-22 19:36:35.000000000 -0400
78564 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
78565 #ifdef RPC_DEBUG
78566 static void rpc_task_set_debuginfo(struct rpc_task *task)
78567 {
78568 - static atomic_t rpc_pid;
78569 + static atomic_unchecked_t rpc_pid;
78570
78571 - task->tk_pid = atomic_inc_return(&rpc_pid);
78572 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
78573 }
78574 #else
78575 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
78576 diff -urNp linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma.c
78577 --- linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-19 00:06:34.000000000 -0400
78578 +++ linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-22 19:36:35.000000000 -0400
78579 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
78580 static unsigned int min_max_inline = 4096;
78581 static unsigned int max_max_inline = 65536;
78582
78583 -atomic_t rdma_stat_recv;
78584 -atomic_t rdma_stat_read;
78585 -atomic_t rdma_stat_write;
78586 -atomic_t rdma_stat_sq_starve;
78587 -atomic_t rdma_stat_rq_starve;
78588 -atomic_t rdma_stat_rq_poll;
78589 -atomic_t rdma_stat_rq_prod;
78590 -atomic_t rdma_stat_sq_poll;
78591 -atomic_t rdma_stat_sq_prod;
78592 +atomic_unchecked_t rdma_stat_recv;
78593 +atomic_unchecked_t rdma_stat_read;
78594 +atomic_unchecked_t rdma_stat_write;
78595 +atomic_unchecked_t rdma_stat_sq_starve;
78596 +atomic_unchecked_t rdma_stat_rq_starve;
78597 +atomic_unchecked_t rdma_stat_rq_poll;
78598 +atomic_unchecked_t rdma_stat_rq_prod;
78599 +atomic_unchecked_t rdma_stat_sq_poll;
78600 +atomic_unchecked_t rdma_stat_sq_prod;
78601
78602 /* Temporary NFS request map and context caches */
78603 struct kmem_cache *svc_rdma_map_cachep;
78604 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
78605 len -= *ppos;
78606 if (len > *lenp)
78607 len = *lenp;
78608 - if (len && copy_to_user(buffer, str_buf, len))
78609 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
78610 return -EFAULT;
78611 *lenp = len;
78612 *ppos += len;
78613 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
78614 {
78615 .procname = "rdma_stat_read",
78616 .data = &rdma_stat_read,
78617 - .maxlen = sizeof(atomic_t),
78618 + .maxlen = sizeof(atomic_unchecked_t),
78619 .mode = 0644,
78620 .proc_handler = read_reset_stat,
78621 },
78622 {
78623 .procname = "rdma_stat_recv",
78624 .data = &rdma_stat_recv,
78625 - .maxlen = sizeof(atomic_t),
78626 + .maxlen = sizeof(atomic_unchecked_t),
78627 .mode = 0644,
78628 .proc_handler = read_reset_stat,
78629 },
78630 {
78631 .procname = "rdma_stat_write",
78632 .data = &rdma_stat_write,
78633 - .maxlen = sizeof(atomic_t),
78634 + .maxlen = sizeof(atomic_unchecked_t),
78635 .mode = 0644,
78636 .proc_handler = read_reset_stat,
78637 },
78638 {
78639 .procname = "rdma_stat_sq_starve",
78640 .data = &rdma_stat_sq_starve,
78641 - .maxlen = sizeof(atomic_t),
78642 + .maxlen = sizeof(atomic_unchecked_t),
78643 .mode = 0644,
78644 .proc_handler = read_reset_stat,
78645 },
78646 {
78647 .procname = "rdma_stat_rq_starve",
78648 .data = &rdma_stat_rq_starve,
78649 - .maxlen = sizeof(atomic_t),
78650 + .maxlen = sizeof(atomic_unchecked_t),
78651 .mode = 0644,
78652 .proc_handler = read_reset_stat,
78653 },
78654 {
78655 .procname = "rdma_stat_rq_poll",
78656 .data = &rdma_stat_rq_poll,
78657 - .maxlen = sizeof(atomic_t),
78658 + .maxlen = sizeof(atomic_unchecked_t),
78659 .mode = 0644,
78660 .proc_handler = read_reset_stat,
78661 },
78662 {
78663 .procname = "rdma_stat_rq_prod",
78664 .data = &rdma_stat_rq_prod,
78665 - .maxlen = sizeof(atomic_t),
78666 + .maxlen = sizeof(atomic_unchecked_t),
78667 .mode = 0644,
78668 .proc_handler = read_reset_stat,
78669 },
78670 {
78671 .procname = "rdma_stat_sq_poll",
78672 .data = &rdma_stat_sq_poll,
78673 - .maxlen = sizeof(atomic_t),
78674 + .maxlen = sizeof(atomic_unchecked_t),
78675 .mode = 0644,
78676 .proc_handler = read_reset_stat,
78677 },
78678 {
78679 .procname = "rdma_stat_sq_prod",
78680 .data = &rdma_stat_sq_prod,
78681 - .maxlen = sizeof(atomic_t),
78682 + .maxlen = sizeof(atomic_unchecked_t),
78683 .mode = 0644,
78684 .proc_handler = read_reset_stat,
78685 },
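Review bot: Every counter entry now sets `.maxlen = sizeof(atomic_unchecked_t)` but still routes through `read_reset_stat`, and the only hunk in this file that touches that handler changes its copy_to_user() test, not how the counter is read or reset. If the untouched part still treats `table->data` as `atomic_t *` (it is not on this page), the objects and their accessors now disagree in type; this compiles through the `void *` but leaves the conversion half done. I would switch the handler's local to `atomic_unchecked_t *` and use the `_unchecked` accessors in the same patch. The table initialiser begins and ends outside the hunk.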
78686 diff -urNp linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
78687 --- linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-19 00:06:34.000000000 -0400
78688 +++ linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-22 19:36:35.000000000 -0400
78689 @@ -499,7 +499,7 @@ next_sge:
78690 svc_rdma_put_context(ctxt, 0);
78691 goto out;
78692 }
78693 - atomic_inc(&rdma_stat_read);
78694 + atomic_inc_unchecked(&rdma_stat_read);
78695
78696 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
78697 chl_map->ch[ch_no].count -= read_wr.num_sge;
78698 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78699 dto_q);
78700 list_del_init(&ctxt->dto_q);
78701 } else {
78702 - atomic_inc(&rdma_stat_rq_starve);
78703 + atomic_inc_unchecked(&rdma_stat_rq_starve);
78704 clear_bit(XPT_DATA, &xprt->xpt_flags);
78705 ctxt = NULL;
78706 }
78707 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78708 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
78709 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
78710 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
78711 - atomic_inc(&rdma_stat_recv);
78712 + atomic_inc_unchecked(&rdma_stat_recv);
78713
78714 /* Build up the XDR from the receive buffers. */
78715 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
78716 diff -urNp linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c
78717 --- linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-19 00:06:34.000000000 -0400
78718 +++ linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-22 19:36:35.000000000 -0400
78719 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
78720 write_wr.wr.rdma.remote_addr = to;
78721
78722 /* Post It */
78723 - atomic_inc(&rdma_stat_write);
78724 + atomic_inc_unchecked(&rdma_stat_write);
78725 if (svc_rdma_send(xprt, &write_wr))
78726 goto err;
78727 return 0;
78728 diff -urNp linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_transport.c
78729 --- linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-19 00:06:34.000000000 -0400
78730 +++ linux-2.6.39.1/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-22 19:36:35.000000000 -0400
78731 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
78732 return;
78733
78734 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
78735 - atomic_inc(&rdma_stat_rq_poll);
78736 + atomic_inc_unchecked(&rdma_stat_rq_poll);
78737
78738 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
78739 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
78740 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
78741 }
78742
78743 if (ctxt)
78744 - atomic_inc(&rdma_stat_rq_prod);
78745 + atomic_inc_unchecked(&rdma_stat_rq_prod);
78746
78747 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
78748 /*
78749 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
78750 return;
78751
78752 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
78753 - atomic_inc(&rdma_stat_sq_poll);
78754 + atomic_inc_unchecked(&rdma_stat_sq_poll);
78755 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
78756 if (wc.status != IB_WC_SUCCESS)
78757 /* Close the transport */
78758 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
78759 }
78760
78761 if (ctxt)
78762 - atomic_inc(&rdma_stat_sq_prod);
78763 + atomic_inc_unchecked(&rdma_stat_sq_prod);
78764 }
78765
78766 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
78767 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
78768 spin_lock_bh(&xprt->sc_lock);
78769 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
78770 spin_unlock_bh(&xprt->sc_lock);
78771 - atomic_inc(&rdma_stat_sq_starve);
78772 + atomic_inc_unchecked(&rdma_stat_sq_starve);
78773
78774 /* See if we can opportunistically reap SQ WR to make room */
78775 sq_cq_reap(xprt);
78776 diff -urNp linux-2.6.39.1/net/sysctl_net.c linux-2.6.39.1/net/sysctl_net.c
78777 --- linux-2.6.39.1/net/sysctl_net.c 2011-05-19 00:06:34.000000000 -0400
78778 +++ linux-2.6.39.1/net/sysctl_net.c 2011-05-22 19:41:42.000000000 -0400
78779 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
78780 struct ctl_table *table)
78781 {
78782 /* Allow network administrator to have same access as root. */
78783 - if (capable(CAP_NET_ADMIN)) {
78784 + if (capable_nolog(CAP_NET_ADMIN)) {
78785 int mode = (table->mode >> 6) & 7;
78786 return (mode << 6) | (mode << 3) | mode;
78787 }
78788 diff -urNp linux-2.6.39.1/net/unix/af_unix.c linux-2.6.39.1/net/unix/af_unix.c
78789 --- linux-2.6.39.1/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -0400
78790 +++ linux-2.6.39.1/net/unix/af_unix.c 2011-05-22 19:41:42.000000000 -0400
78791 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
78792 err = -ECONNREFUSED;
78793 if (!S_ISSOCK(inode->i_mode))
78794 goto put_fail;
78795 +
78796 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
78797 + err = -EACCES;
78798 + goto put_fail;
78799 + }
78800 +
78801 u = unix_find_socket_byinode(inode);
78802 if (!u)
78803 goto put_fail;
78804 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
78805 if (u) {
78806 struct dentry *dentry;
78807 dentry = unix_sk(u)->dentry;
78808 +
78809 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
78810 + err = -EPERM;
78811 + sock_put(u);
78812 + goto fail;
78813 + }
78814 +
78815 if (dentry)
78816 touch_atime(unix_sk(u)->mnt, dentry);
78817 } else
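Review bot: `u->sk_peer_pid` is read for `gr_handle_chroot_unix()` with no lock visible in the hunk, while the unix_bind hunk further down replaces the same field with `put_pid()` followed by `get_pid()`. If any path can swap the peer pid of a socket that is already findable while this lookup runs, the reader could pick up a pid whose reference was just dropped. Reading it under `unix_state_lock(u)` would close that window; at minimum add a comment such as `/* sk_peer_pid is stable here because ... */` naming what keeps it alive. Separately, this branch returns -EPERM while the `gr_acl_handle_unix()` check in the previous hunk returns -EACCES for what looks like the same kind of denial.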
78818 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
78819 err = security_path_mknod(&nd.path, dentry, mode, 0);
78820 if (err)
78821 goto out_mknod_drop_write;
78822 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
78823 + err = -EACCES;
78824 + goto out_mknod_drop_write;
78825 + }
78826 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
78827 out_mknod_drop_write:
78828 mnt_drop_write(nd.path.mnt);
78829 if (err)
78830 goto out_mknod_dput;
78831 +
78832 + gr_handle_create(dentry, nd.path.mnt);
78833 +
78834 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
78835 dput(nd.path.dentry);
78836 nd.path.dentry = dentry;
78837 @@ -894,6 +914,11 @@ out_mknod_drop_write:
78838 goto out_unlock;
78839 }
78840
78841 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
78842 + put_pid(sk->sk_peer_pid);
78843 + sk->sk_peer_pid = get_pid(task_tgid(current));
78844 +#endif
78845 +
78846 list = &unix_socket_table[addr->hash];
78847 } else {
78848 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
78849 @@ -2255,7 +2280,11 @@ static int unix_seq_show(struct seq_file
78850 unix_state_lock(s);
78851
78852 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
78853 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78854 + NULL,
78855 +#else
78856 s,
78857 +#endif
78858 atomic_read(&s->sk_refcnt),
78859 0,
78860 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
78861 diff -urNp linux-2.6.39.1/net/wireless/wext-core.c linux-2.6.39.1/net/wireless/wext-core.c
78862 --- linux-2.6.39.1/net/wireless/wext-core.c 2011-05-19 00:06:34.000000000 -0400
78863 +++ linux-2.6.39.1/net/wireless/wext-core.c 2011-05-22 19:36:35.000000000 -0400
78864 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
78865 */
78866
78867 /* Support for very large requests */
78868 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
78869 - (user_length > descr->max_tokens)) {
78870 + if (user_length > descr->max_tokens) {
78871 /* Allow userspace to GET more than max so
78872 * we can support any size GET requests.
78873 * There is still a limit : -ENOMEM.
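Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, the branch under "Support for very large requests" is taken for every descriptor whose `user_length` exceeds `max_tokens`, yet the retained comment still reads as if oversized GETs were a special case. I would reword it along the lines of `/* any GET may exceed max_tokens; the buffer is then sized from user_length and limited only by allocation failure */`. It should also mention that the next hunk drops the code forcing `iwp->length = descr->max_tokens`, since the two changes only make sense together. The branch body lies outside the hunk, so what it does with `user_length` is presumed from the comment.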
78874 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
78875 }
78876 }
78877
78878 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
78879 - /*
78880 - * If this is a GET, but not NOMAX, it means that the extra
78881 - * data is not bounded by userspace, but by max_tokens. Thus
78882 - * set the length to max_tokens. This matches the extra data
78883 - * allocation.
78884 - * The driver should fill it with the number of tokens it
78885 - * provided, and it may check iwp->length rather than having
78886 - * knowledge of max_tokens. If the driver doesn't change the
78887 - * iwp->length, this ioctl just copies back max_token tokens
78888 - * filled with zeroes. Hopefully the driver isn't claiming
78889 - * them to be valid data.
78890 - */
78891 - iwp->length = descr->max_tokens;
78892 - }
78893 -
78894 err = handler(dev, info, (union iwreq_data *) iwp, extra);
78895
78896 iwp->length += essid_compat;
78897 diff -urNp linux-2.6.39.1/net/xfrm/xfrm_policy.c linux-2.6.39.1/net/xfrm/xfrm_policy.c
78898 --- linux-2.6.39.1/net/xfrm/xfrm_policy.c 2011-05-19 00:06:34.000000000 -0400
78899 +++ linux-2.6.39.1/net/xfrm/xfrm_policy.c 2011-05-22 19:36:35.000000000 -0400
78900 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
78901 {
78902 policy->walk.dead = 1;
78903
78904 - atomic_inc(&policy->genid);
78905 + atomic_inc_unchecked(&policy->genid);
78906
78907 if (del_timer(&policy->timer))
78908 xfrm_pol_put(policy);
78909 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
78910 hlist_add_head(&policy->bydst, chain);
78911 xfrm_pol_hold(policy);
78912 net->xfrm.policy_count[dir]++;
78913 - atomic_inc(&flow_cache_genid);
78914 + atomic_inc_unchecked(&flow_cache_genid);
78915 if (delpol)
78916 __xfrm_policy_unlink(delpol, dir);
78917 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
78918 @@ -1527,7 +1527,7 @@ free_dst:
78919 goto out;
78920 }
78921
78922 -static int inline
78923 +static inline int
78924 xfrm_dst_alloc_copy(void **target, const void *src, int size)
78925 {
78926 if (!*target) {
78927 @@ -1539,7 +1539,7 @@ xfrm_dst_alloc_copy(void **target, const
78928 return 0;
78929 }
78930
78931 -static int inline
78932 +static inline int
78933 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
78934 {
78935 #ifdef CONFIG_XFRM_SUB_POLICY
78936 @@ -1551,7 +1551,7 @@ xfrm_dst_update_parent(struct dst_entry
78937 #endif
78938 }
78939
78940 -static int inline
78941 +static inline int
78942 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
78943 {
78944 #ifdef CONFIG_XFRM_SUB_POLICY
78945 @@ -1645,7 +1645,7 @@ xfrm_resolve_and_create_bundle(struct xf
78946
78947 xdst->num_pols = num_pols;
78948 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
78949 - xdst->policy_genid = atomic_read(&pols[0]->genid);
78950 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
78951
78952 return xdst;
78953 }
78954 @@ -2332,7 +2332,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
78955 if (xdst->xfrm_genid != dst->xfrm->genid)
78956 return 0;
78957 if (xdst->num_pols > 0 &&
78958 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
78959 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
78960 return 0;
78961
78962 mtu = dst_mtu(dst->child);
78963 @@ -2860,7 +2860,7 @@ static int xfrm_policy_migrate(struct xf
78964 sizeof(pol->xfrm_vec[i].saddr));
78965 pol->xfrm_vec[i].encap_family = mp->new_family;
78966 /* flush bundles */
78967 - atomic_inc(&pol->genid);
78968 + atomic_inc_unchecked(&pol->genid);
78969 }
78970 }
78971
78972 diff -urNp linux-2.6.39.1/net/xfrm/xfrm_user.c linux-2.6.39.1/net/xfrm/xfrm_user.c
78973 --- linux-2.6.39.1/net/xfrm/xfrm_user.c 2011-05-19 00:06:34.000000000 -0400
78974 +++ linux-2.6.39.1/net/xfrm/xfrm_user.c 2011-05-22 19:36:35.000000000 -0400
78975 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
78976 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
78977 int i;
78978
78979 + pax_track_stack();
78980 +
78981 if (xp->xfrm_nr == 0)
78982 return 0;
78983
78984 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
78985 int err;
78986 int n = 0;
78987
78988 + pax_track_stack();
78989 +
78990 if (attrs[XFRMA_MIGRATE] == NULL)
78991 return -EINVAL;
78992
78993 diff -urNp linux-2.6.39.1/scripts/basic/fixdep.c linux-2.6.39.1/scripts/basic/fixdep.c
78994 --- linux-2.6.39.1/scripts/basic/fixdep.c 2011-05-19 00:06:34.000000000 -0400
78995 +++ linux-2.6.39.1/scripts/basic/fixdep.c 2011-05-22 19:36:35.000000000 -0400
78996 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
78997
78998 static void parse_config_file(const char *map, size_t len)
78999 {
79000 - const int *end = (const int *) (map + len);
79001 + const unsigned int *end = (const unsigned int *) (map + len);
79002 /* start at +1, so that p can never be < map */
79003 - const int *m = (const int *) map + 1;
79004 + const unsigned int *m = (const unsigned int *) map + 1;
79005 const char *p, *q;
79006
79007 for (; m < end; m++) {
79008 @@ -405,7 +405,7 @@ static void print_deps(void)
79009 static void traps(void)
79010 {
79011 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79012 - int *p = (int *)test;
79013 + unsigned int *p = (unsigned int *)test;
79014
79015 if (*p != INT_CONF) {
79016 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79017 diff -urNp linux-2.6.39.1/scripts/dtc/flattree.c linux-2.6.39.1/scripts/dtc/flattree.c
79018 --- linux-2.6.39.1/scripts/dtc/flattree.c 2011-05-19 00:06:34.000000000 -0400
79019 +++ linux-2.6.39.1/scripts/dtc/flattree.c 2011-05-22 19:36:35.000000000 -0400
79020 @@ -104,7 +104,7 @@ static void bin_emit_property(void *e, s
79021 bin_emit_cell(e, FDT_PROP);
79022 }
79023
79024 -static struct emitter bin_emitter = {
79025 +static const struct emitter bin_emitter = {
79026 .cell = bin_emit_cell,
79027 .string = bin_emit_string,
79028 .align = bin_emit_align,
79029 @@ -230,7 +230,7 @@ static void asm_emit_property(void *e, s
79030 asm_emit_cell(e, FDT_PROP);
79031 }
79032
79033 -static struct emitter asm_emitter = {
79034 +static const struct emitter asm_emitter = {
79035 .cell = asm_emit_cell,
79036 .string = asm_emit_string,
79037 .align = asm_emit_align,
79038 diff -urNp linux-2.6.39.1/scripts/Makefile.build linux-2.6.39.1/scripts/Makefile.build
79039 --- linux-2.6.39.1/scripts/Makefile.build 2011-05-19 00:06:34.000000000 -0400
79040 +++ linux-2.6.39.1/scripts/Makefile.build 2011-06-03 01:15:00.000000000 -0400
79041 @@ -93,7 +93,7 @@ endif
79042 endif
79043
79044 # Do not include host rules unless needed
79045 -ifneq ($(hostprogs-y)$(hostprogs-m),)
79046 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79047 include scripts/Makefile.host
79048 endif
79049
79050 diff -urNp linux-2.6.39.1/scripts/Makefile.clean linux-2.6.39.1/scripts/Makefile.clean
79051 --- linux-2.6.39.1/scripts/Makefile.clean 2011-05-19 00:06:34.000000000 -0400
79052 +++ linux-2.6.39.1/scripts/Makefile.clean 2011-06-03 01:16:02.000000000 -0400
79053 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79054 __clean-files := $(extra-y) $(always) \
79055 $(targets) $(clean-files) \
79056 $(host-progs) \
79057 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79058 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79059 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79060
79061 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
79062
79063 diff -urNp linux-2.6.39.1/scripts/Makefile.host linux-2.6.39.1/scripts/Makefile.host
79064 --- linux-2.6.39.1/scripts/Makefile.host 2011-05-19 00:06:34.000000000 -0400
79065 +++ linux-2.6.39.1/scripts/Makefile.host 2011-06-03 01:17:12.000000000 -0400
79066 @@ -31,6 +31,7 @@
79067 # Note: Shared libraries consisting of C++ files are not supported
79068
79069 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79070 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79071
79072 # C code
79073 # Executables compiled from a single .c file
79074 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79075 # Shared libaries (only .c supported)
79076 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79077 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79078 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79079 # Remove .so files from "xxx-objs"
79080 host-cobjs := $(filter-out %.so,$(host-cobjs))
79081
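Review bot: `$(filter %.so, $(__hostlibs))` silently drops any `hostlibs-y`/`hostlibs-m` entry that does not end in `.so`, so a misspelled entry produces no rule and no diagnostic, while Makefile.build and Makefile.clean (earlier hunks) still treat the variable as non-empty. The header comment of this file describes the supported `hostprogs` forms but nothing is added for the new variable. I would document it next to the existing shared-library note, e.g. `# hostlibs-y := foo.so  (entries must end in .so; anything else is ignored)`. Since `+=` appends a second sorted list, a `.so` named both in an `-objs` list and in `hostlibs-y` would appear twice in `host-cshlib`; `host-cshlib := $(sort $(host-cshlib) $(filter %.so, $(__hostlibs)))` avoids that.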
79082 diff -urNp linux-2.6.39.1/scripts/mod/file2alias.c linux-2.6.39.1/scripts/mod/file2alias.c
79083 --- linux-2.6.39.1/scripts/mod/file2alias.c 2011-05-19 00:06:34.000000000 -0400
79084 +++ linux-2.6.39.1/scripts/mod/file2alias.c 2011-05-22 19:36:35.000000000 -0400
79085 @@ -72,7 +72,7 @@ static void device_id_check(const char *
79086 unsigned long size, unsigned long id_size,
79087 void *symval)
79088 {
79089 - int i;
79090 + unsigned int i;
79091
79092 if (size % id_size || size < id_size) {
79093 if (cross_build != 0)
79094 @@ -102,7 +102,7 @@ static void device_id_check(const char *
79095 /* USB is special because the bcdDevice can be matched against a numeric range */
79096 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79097 static void do_usb_entry(struct usb_device_id *id,
79098 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79099 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79100 unsigned char range_lo, unsigned char range_hi,
79101 unsigned char max, struct module *mod)
79102 {
79103 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
79104 for (i = 0; i < count; i++) {
79105 const char *id = (char *)devs[i].id;
79106 char acpi_id[sizeof(devs[0].id)];
79107 - int j;
79108 + unsigned int j;
79109
79110 buf_printf(&mod->dev_table_buf,
79111 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79112 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
79113
79114 for (j = 0; j < PNP_MAX_DEVICES; j++) {
79115 const char *id = (char *)card->devs[j].id;
79116 - int i2, j2;
79117 + unsigned int i2, j2;
79118 int dup = 0;
79119
79120 if (!id[0])
79121 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
79122 /* add an individual alias for every device entry */
79123 if (!dup) {
79124 char acpi_id[sizeof(card->devs[0].id)];
79125 - int k;
79126 + unsigned int k;
79127
79128 buf_printf(&mod->dev_table_buf,
79129 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79130 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
79131 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79132 char *alias)
79133 {
79134 - int i, j;
79135 + unsigned int i, j;
79136
79137 sprintf(alias, "dmi*");
79138
79139 diff -urNp linux-2.6.39.1/scripts/mod/modpost.c linux-2.6.39.1/scripts/mod/modpost.c
79140 --- linux-2.6.39.1/scripts/mod/modpost.c 2011-05-19 00:06:34.000000000 -0400
79141 +++ linux-2.6.39.1/scripts/mod/modpost.c 2011-05-22 19:36:35.000000000 -0400
79142 @@ -896,6 +896,7 @@ enum mismatch {
79143 ANY_INIT_TO_ANY_EXIT,
79144 ANY_EXIT_TO_ANY_INIT,
79145 EXPORT_TO_INIT_EXIT,
79146 + DATA_TO_TEXT
79147 };
79148
79149 struct sectioncheck {
79150 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
79151 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79152 .mismatch = EXPORT_TO_INIT_EXIT,
79153 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
79154 +},
79155 +/* Do not reference code from writable data */
79156 +{
79157 + .fromsec = { DATA_SECTIONS, NULL },
79158 + .tosec = { TEXT_SECTIONS, NULL },
79159 + .mismatch = DATA_TO_TEXT
79160 }
79161 };
79162
79163 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
79164 continue;
79165 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79166 continue;
79167 - if (sym->st_value == addr)
79168 - return sym;
79169 /* Find a symbol nearby - addr are maybe negative */
79170 d = sym->st_value - addr;
79171 + if (d == 0)
79172 + return sym;
79173 if (d < 0)
79174 d = addr - sym->st_value;
79175 if (d < distance) {
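Review bot: The exact-match test now goes through `d`, so it is only as wide as `d`, whereas the removed line compared `sym->st_value == addr` directly. `d` is declared outside this hunk; if it is narrower than `st_value` (a 32-bit signed type against a 64-bit ELF address, say), a difference that is a multiple of 2^32 truncates to 0 and a non-matching symbol is returned as an exact hit. If the aim was to avoid a signed/unsigned comparison, keeping the direct comparison with `addr` cast to the type of `st_value` preserves the full-width test. Either way, a comment stating the assumed width of `d` would make the intent checkable.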
79176 @@ -1408,6 +1415,14 @@ static void report_sec_mismatch(const ch
79177 tosym, prl_to, prl_to, tosym);
79178 free(prl_to);
79179 break;
79180 + case DATA_TO_TEXT:
79181 +/*
79182 + fprintf(stderr,
79183 + "The variable %s references\n"
79184 + "the %s %s%s%s\n",
79185 + fromsym, to, sec2annotation(tosec), tosym, to_p);
79186 +*/
79187 + break;
79188 }
79189 fprintf(stderr, "\n");
79190 }
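Review bot: The `DATA_TO_TEXT` case ships with its message inside a `/* ... */` block, so the case only executes `break` while the `fprintf(stderr, "\n")` after the switch still runs. Combined with the new `sectioncheck` entry in the earlier hunk, which matches every `DATA_SECTIONS` to `TEXT_SECTIONS` reference and sets no `.symbol_white_list`, each match likely produces output with no explanation; what is printed before the switch is outside this hunk. I would delete the dead block and leave a plain comment such as `/* DATA_TO_TEXT: matched but intentionally not reported yet */`. If the message is enabled later, note that the preceding case frees its `sec2annotation()` result (`free(prl_to)`), which the commented-out call does not.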
79191 @@ -1731,7 +1746,7 @@ void __attribute__((format(printf, 2, 3)
79192 va_end(ap);
79193 }
79194
79195 -void buf_write(struct buffer *buf, const char *s, int len)
79196 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
79197 {
79198 if (buf->size - buf->pos < len) {
79199 buf->size += len + SZ;
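Review bot: With `len`, `pos` and `size` all unsigned after this patch (see the `struct buffer` change in modpost.h), `buf->size += len + SZ` wraps silently for a very large `len`, and any caller that still computes a negative `int` length now passes it in as a huge value. The rest of buf_write is outside the hunk, but if the buffer is then reallocated to `buf->size` and `len` bytes are copied, a wrapped size means an undersized allocation. A guard before the addition, e.g. `if (len > UINT_MAX - SZ || buf->size > UINT_MAX - SZ - len) exit(1);` (with `<limits.h>` if it is not already included), makes the failure explicit. The `buf->size - buf->pos` test likewise relies on `pos <= size` always holding, which deserves a comment.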
79200 @@ -1943,7 +1958,7 @@ static void write_if_changed(struct buff
79201 if (fstat(fileno(file), &st) < 0)
79202 goto close_write;
79203
79204 - if (st.st_size != b->pos)
79205 + if (st.st_size != (off_t)b->pos)
79206 goto close_write;
79207
79208 tmp = NOFAIL(malloc(b->pos));
79209 diff -urNp linux-2.6.39.1/scripts/mod/modpost.h linux-2.6.39.1/scripts/mod/modpost.h
79210 --- linux-2.6.39.1/scripts/mod/modpost.h 2011-05-19 00:06:34.000000000 -0400
79211 +++ linux-2.6.39.1/scripts/mod/modpost.h 2011-05-22 19:36:35.000000000 -0400
79212 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79213
79214 struct buffer {
79215 char *p;
79216 - int pos;
79217 - int size;
79218 + unsigned int pos;
79219 + unsigned int size;
79220 };
79221
79222 void __attribute__((format(printf, 2, 3)))
79223 buf_printf(struct buffer *buf, const char *fmt, ...);
79224
79225 void
79226 -buf_write(struct buffer *buf, const char *s, int len);
79227 +buf_write(struct buffer *buf, const char *s, unsigned int len);
79228
79229 struct module {
79230 struct module *next;
79231 diff -urNp linux-2.6.39.1/scripts/mod/sumversion.c linux-2.6.39.1/scripts/mod/sumversion.c
79232 --- linux-2.6.39.1/scripts/mod/sumversion.c 2011-05-19 00:06:34.000000000 -0400
79233 +++ linux-2.6.39.1/scripts/mod/sumversion.c 2011-05-22 19:36:35.000000000 -0400
79234 @@ -470,7 +470,7 @@ static void write_version(const char *fi
79235 goto out;
79236 }
79237
79238 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79239 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79240 warn("writing sum in %s failed: %s\n",
79241 filename, strerror(errno));
79242 goto out;
79243 diff -urNp linux-2.6.39.1/scripts/pnmtologo.c linux-2.6.39.1/scripts/pnmtologo.c
79244 --- linux-2.6.39.1/scripts/pnmtologo.c 2011-05-19 00:06:34.000000000 -0400
79245 +++ linux-2.6.39.1/scripts/pnmtologo.c 2011-05-22 19:36:35.000000000 -0400
79246 @@ -237,14 +237,14 @@ static void write_header(void)
79247 fprintf(out, " * Linux logo %s\n", logoname);
79248 fputs(" */\n\n", out);
79249 fputs("#include <linux/linux_logo.h>\n\n", out);
79250 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79251 + fprintf(out, "static unsigned char %s_data[] = {\n",
79252 logoname);
79253 }
79254
79255 static void write_footer(void)
79256 {
79257 fputs("\n};\n\n", out);
79258 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79259 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
79260 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79261 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79262 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
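Review bot: Dropping `__initdata` leaves the generated `%s_data[]` array (and `%s_clut[]` in the write_logo_clut224 hunk below) as plain `static unsigned char`, so the logo bytes now sit in writable data for the kernel's lifetime instead of being discarded after init. If the pointer fields of `struct linux_logo` are const-qualified, which is not visible here, emitting `static const unsigned char %s_data[] = {` would place them in read-only data. A short comment in write_header saying why the init annotations were removed would also help, since the cost is resident memory.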
79263 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79264 fputs("\n};\n\n", out);
79265
79266 /* write logo clut */
79267 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79268 + fprintf(out, "static unsigned char %s_clut[] = {\n",
79269 logoname);
79270 write_hex_cnt = 0;
79271 for (i = 0; i < logo_clutsize; i++) {
79272 diff -urNp linux-2.6.39.1/security/apparmor/lsm.c linux-2.6.39.1/security/apparmor/lsm.c
79273 --- linux-2.6.39.1/security/apparmor/lsm.c 2011-06-03 00:04:14.000000000 -0400
79274 +++ linux-2.6.39.1/security/apparmor/lsm.c 2011-06-03 00:32:08.000000000 -0400
79275 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
79276 return error;
79277 }
79278
79279 -static struct security_operations apparmor_ops = {
79280 +static struct security_operations apparmor_ops __read_only = {
79281 .name = "apparmor",
79282
79283 .ptrace_access_check = apparmor_ptrace_access_check,
79284 @@ -672,7 +672,7 @@ static struct security_operations apparm
79285 static int param_set_aabool(const char *val, const struct kernel_param *kp);
79286 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
79287 #define param_check_aabool(name, p) __param_check(name, p, int)
79288 -static struct kernel_param_ops param_ops_aabool = {
79289 +static const struct kernel_param_ops param_ops_aabool = {
79290 .set = param_set_aabool,
79291 .get = param_get_aabool
79292 };
79293 @@ -680,7 +680,7 @@ static struct kernel_param_ops param_ops
79294 static int param_set_aauint(const char *val, const struct kernel_param *kp);
79295 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
79296 #define param_check_aauint(name, p) __param_check(name, p, int)
79297 -static struct kernel_param_ops param_ops_aauint = {
79298 +static const struct kernel_param_ops param_ops_aauint = {
79299 .set = param_set_aauint,
79300 .get = param_get_aauint
79301 };
79302 @@ -688,7 +688,7 @@ static struct kernel_param_ops param_ops
79303 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
79304 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
79305 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
79306 -static struct kernel_param_ops param_ops_aalockpolicy = {
79307 +static const struct kernel_param_ops param_ops_aalockpolicy = {
79308 .set = param_set_aalockpolicy,
79309 .get = param_get_aalockpolicy
79310 };
79311 diff -urNp linux-2.6.39.1/security/commoncap.c linux-2.6.39.1/security/commoncap.c
79312 --- linux-2.6.39.1/security/commoncap.c 2011-05-19 00:06:34.000000000 -0400
79313 +++ linux-2.6.39.1/security/commoncap.c 2011-05-22 20:28:59.000000000 -0400
79314 @@ -28,6 +28,7 @@
79315 #include <linux/prctl.h>
79316 #include <linux/securebits.h>
79317 #include <linux/user_namespace.h>
79318 +#include <net/sock.h>
79319
79320 /*
79321 * If a non-root user executes a setuid-root binary in
79322 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
79323
79324 int cap_netlink_recv(struct sk_buff *skb, int cap)
79325 {
79326 - if (!cap_raised(current_cap(), cap))
79327 + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
79328 return -EPERM;
79329 return 0;
79330 }
79331 @@ -580,6 +581,9 @@ int cap_bprm_secureexec(struct linux_bin
79332 {
79333 const struct cred *cred = current_cred();
79334
79335 + if (gr_acl_enable_at_secure())
79336 + return 1;
79337 +
79338 if (cred->uid != 0) {
79339 if (bprm->cap_effective)
79340 return 1;
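Review bot: The added early `return 1` has no comment, and it changes the hook's result for every caller before the uid and capability checks below are reached. A reader of commoncap.c cannot tell from here what `gr_acl_enable_at_secure()` tests or where it is declared; the only include this patch adds to the file is `<net/sock.h>`. I would add something like `/* RBAC policy may force secure-exec handling regardless of uid or capabilities */` above the check, adjusted to whatever the helper actually does. cap_bprm_secureexec continues past the end of this hunk.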
79341 diff -urNp linux-2.6.39.1/security/integrity/ima/ima_api.c linux-2.6.39.1/security/integrity/ima/ima_api.c
79342 --- linux-2.6.39.1/security/integrity/ima/ima_api.c 2011-05-19 00:06:34.000000000 -0400
79343 +++ linux-2.6.39.1/security/integrity/ima/ima_api.c 2011-05-22 19:36:35.000000000 -0400
79344 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
79345 int result;
79346
79347 /* can overflow, only indicator */
79348 - atomic_long_inc(&ima_htable.violations);
79349 + atomic_long_inc_unchecked(&ima_htable.violations);
79350
79351 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
79352 if (!entry) {
79353 diff -urNp linux-2.6.39.1/security/integrity/ima/ima_fs.c linux-2.6.39.1/security/integrity/ima/ima_fs.c
79354 --- linux-2.6.39.1/security/integrity/ima/ima_fs.c 2011-05-19 00:06:34.000000000 -0400
79355 +++ linux-2.6.39.1/security/integrity/ima/ima_fs.c 2011-05-22 19:36:35.000000000 -0400
79356 @@ -28,12 +28,12 @@
79357 static int valid_policy = 1;
79358 #define TMPBUFLEN 12
79359 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
79360 - loff_t *ppos, atomic_long_t *val)
79361 + loff_t *ppos, atomic_long_unchecked_t *val)
79362 {
79363 char tmpbuf[TMPBUFLEN];
79364 ssize_t len;
79365
79366 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
79367 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
79368 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
79369 }
79370
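Review bot: `TMPBUFLEN` is 12, but `"%li\n"` of a 64-bit `long` can need up to 21 characters plus the terminator. `scnprintf` keeps the write in bounds, so the effect is silently truncated output that loses digits and the trailing newline. That case matters more now that the counter is explicitly allowed to wrap and can therefore take any value, including negative ones. Sizing the buffer for the widest `long`, e.g. `#define TMPBUFLEN 22`, removes the truncation.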
79371 diff -urNp linux-2.6.39.1/security/integrity/ima/ima.h linux-2.6.39.1/security/integrity/ima/ima.h
79372 --- linux-2.6.39.1/security/integrity/ima/ima.h 2011-05-19 00:06:34.000000000 -0400
79373 +++ linux-2.6.39.1/security/integrity/ima/ima.h 2011-05-22 19:36:35.000000000 -0400
79374 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
79375 extern spinlock_t ima_queue_lock;
79376
79377 struct ima_h_table {
79378 - atomic_long_t len; /* number of stored measurements in the list */
79379 - atomic_long_t violations;
79380 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79381 + atomic_long_unchecked_t violations;
79382 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79383 };
79384 extern struct ima_h_table ima_htable;
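Review bot: `len` is documented as the number of stored measurements, yet nothing here says why it may skip overflow checking. `violations` at least has the "can overflow, only indicator" comment at its increment in ima_api.c. In the hunks shown, `len` is only incremented in ima_add_digest_entry and both fields are read through ima_show_htable_value; if that is the full set of uses, a comment on the struct such as `/* statistics only, never used as reference counts; wrapping is tolerated */` would state the reasoning where the type is declared.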
79385 diff -urNp linux-2.6.39.1/security/integrity/ima/ima_queue.c linux-2.6.39.1/security/integrity/ima/ima_queue.c
79386 --- linux-2.6.39.1/security/integrity/ima/ima_queue.c 2011-05-19 00:06:34.000000000 -0400
79387 +++ linux-2.6.39.1/security/integrity/ima/ima_queue.c 2011-05-22 19:36:35.000000000 -0400
79388 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
79389 INIT_LIST_HEAD(&qe->later);
79390 list_add_tail_rcu(&qe->later, &ima_measurements);
79391
79392 - atomic_long_inc(&ima_htable.len);
79393 + atomic_long_inc_unchecked(&ima_htable.len);
79394 key = ima_hash_key(entry->digest);
79395 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79396 return 0;
79397 diff -urNp linux-2.6.39.1/security/Kconfig linux-2.6.39.1/security/Kconfig
79398 --- linux-2.6.39.1/security/Kconfig 2011-05-19 00:06:34.000000000 -0400
79399 +++ linux-2.6.39.1/security/Kconfig 2011-06-03 01:13:26.000000000 -0400
79400 @@ -4,6 +4,554 @@
79401
79402 menu "Security options"
79403
79404 +source grsecurity/Kconfig
79405 +
79406 +menu "PaX"
79407 +
79408 + config ARCH_TRACK_EXEC_LIMIT
79409 + bool
79410 +
79411 + config PAX_PER_CPU_PGD
79412 + bool
79413 +
79414 + config TASK_SIZE_MAX_SHIFT
79415 + int
79416 + depends on X86_64
79417 + default 47 if !PAX_PER_CPU_PGD
79418 + default 42 if PAX_PER_CPU_PGD
79419 +
79420 + config PAX_ENABLE_PAE
79421 + bool
79422 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79423 +
79424 +config PAX
79425 + bool "Enable various PaX features"
79426 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79427 + help
79428 + This allows you to enable various PaX features. PaX adds
79429 + intrusion prevention mechanisms to the kernel that reduce
79430 + the risks posed by exploitable memory corruption bugs.
79431 +
79432 +menu "PaX Control"
79433 + depends on PAX
79434 +
79435 +config PAX_SOFTMODE
79436 + bool 'Support soft mode'
79437 + select PAX_PT_PAX_FLAGS
79438 + help
79439 + Enabling this option will allow you to run PaX in soft mode, that
79440 + is, PaX features will not be enforced by default, only on executables
79441 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
79442 + is the only way to mark executables for soft mode use.
79443 +
79444 + Soft mode can be activated by using the "pax_softmode=1" kernel command
79445 + line option on boot. Furthermore you can control various PaX features
79446 + at runtime via the entries in /proc/sys/kernel/pax.
79447 +
79448 +config PAX_EI_PAX
79449 + bool 'Use legacy ELF header marking'
79450 + help
79451 + Enabling this option will allow you to control PaX features on
79452 + a per executable basis via the 'chpax' utility available at
79453 + http://pax.grsecurity.net/. The control flags will be read from
79454 + an otherwise reserved part of the ELF header. This marking has
79455 + numerous drawbacks (no support for soft-mode, toolchain does not
79456 + know about the non-standard use of the ELF header) therefore it
79457 + has been deprecated in favour of PT_PAX_FLAGS support.
79458 +
79459 + Note that if you enable PT_PAX_FLAGS marking support as well,
79460 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
79461 +
79462 +config PAX_PT_PAX_FLAGS
79463 + bool 'Use ELF program header marking'
79464 + help
79465 + Enabling this option will allow you to control PaX features on
79466 + a per executable basis via the 'paxctl' utility available at
79467 + http://pax.grsecurity.net/. The control flags will be read from
79468 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
79469 + has the benefits of supporting both soft mode and being fully
79470 + integrated into the toolchain (the binutils patch is available
79471 + from http://pax.grsecurity.net).
79472 +
79473 + If your toolchain does not support PT_PAX_FLAGS markings,
79474 + you can create one in most cases with 'paxctl -C'.
79475 +
79476 + Note that if you enable the legacy EI_PAX marking support as well,
79477 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
79478 +
79479 +choice
79480 + prompt 'MAC system integration'
79481 + default PAX_HAVE_ACL_FLAGS
79482 + help
79483 + Mandatory Access Control systems have the option of controlling
79484 + PaX flags on a per executable basis, choose the method supported
79485 + by your particular system.
79486 +
79487 + - "none": if your MAC system does not interact with PaX,
79488 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
79489 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
79490 +
79491 + NOTE: this option is for developers/integrators only.
79492 +
79493 + config PAX_NO_ACL_FLAGS
79494 + bool 'none'
79495 +
79496 + config PAX_HAVE_ACL_FLAGS
79497 + bool 'direct'
79498 +
79499 + config PAX_HOOK_ACL_FLAGS
79500 + bool 'hook'
79501 +endchoice
79502 +
79503 +endmenu
79504 +
79505 +menu "Non-executable pages"
79506 + depends on PAX
79507 +
79508 +config PAX_NOEXEC
79509 + bool "Enforce non-executable pages"
79510 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
79511 + help
79512 + By design some architectures do not allow for protecting memory
79513 + pages against execution or even if they do, Linux does not make
79514 + use of this feature. In practice this means that if a page is
79515 + readable (such as the stack or heap) it is also executable.
79516 +
79517 + There is a well known exploit technique that makes use of this
79518 + fact and a common programming mistake where an attacker can
79519 + introduce code of his choice somewhere in the attacked program's
79520 + memory (typically the stack or the heap) and then execute it.
79521 +
79522 + If the attacked program was running with different (typically
79523 + higher) privileges than that of the attacker, then he can elevate
79524 + his own privilege level (e.g. get a root shell, write to files for
79525 + which he does not have write access to, etc).
79526 +
79527 + Enabling this option will let you choose from various features
79528 + that prevent the injection and execution of 'foreign' code in
79529 + a program.
79530 +
79531 + This will also break programs that rely on the old behaviour and
79532 + expect that dynamically allocated memory via the malloc() family
79533 + of functions is executable (which it is not). Notable examples
79534 + are the XFree86 4.x server, the java runtime and wine.
79535 +
79536 +config PAX_PAGEEXEC
79537 + bool "Paging based non-executable pages"
79538 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
79539 + select S390_SWITCH_AMODE if S390
79540 + select S390_EXEC_PROTECT if S390
79541 + select ARCH_TRACK_EXEC_LIMIT if X86_32
79542 + help
79543 + This implementation is based on the paging feature of the CPU.
79544 + On i386 without hardware non-executable bit support there is a
79545 + variable but usually low performance impact, however on Intel's
79546 + P4 core based CPUs it is very high so you should not enable this
79547 + for kernels meant to be used on such CPUs.
79548 +
79549 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
79550 + with hardware non-executable bit support there is no performance
79551 + impact, on ppc the impact is negligible.
79552 +
79553 + Note that several architectures require various emulations due to
79554 + badly designed userland ABIs, this will cause a performance impact
79555 + but will disappear as soon as userland is fixed. For example, ppc
79556 + userland MUST have been built with secure-plt by a recent toolchain.
79557 +
79558 +config PAX_SEGMEXEC
79559 + bool "Segmentation based non-executable pages"
79560 + depends on PAX_NOEXEC && X86_32
79561 + help
79562 + This implementation is based on the segmentation feature of the
79563 + CPU and has a very small performance impact, however applications
79564 + will be limited to a 1.5 GB address space instead of the normal
79565 + 3 GB.
79566 +
79567 +config PAX_EMUTRAMP
79568 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
79569 + default y if PARISC
79570 + help
79571 + There are some programs and libraries that for one reason or
79572 + another attempt to execute special small code snippets from
79573 + non-executable memory pages. Most notable examples are the
79574 + signal handler return code generated by the kernel itself and
79575 + the GCC trampolines.
79576 +
79577 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
79578 + such programs will no longer work under your kernel.
79579 +
79580 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
79581 + utilities to enable trampoline emulation for the affected programs
79582 + yet still have the protection provided by the non-executable pages.
79583 +
79584 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
79585 + your system will not even boot.
79586 +
79587 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
79588 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
79589 + for the affected files.
79590 +
79591 + NOTE: enabling this feature *may* open up a loophole in the
79592 + protection provided by non-executable pages that an attacker
79593 + could abuse. Therefore the best solution is to not have any
79594 + files on your system that would require this option. This can
79595 + be achieved by not using libc5 (which relies on the kernel
79596 + signal handler return code) and not using or rewriting programs
79597 + that make use of the nested function implementation of GCC.
79598 + Skilled users can just fix GCC itself so that it implements
79599 + nested function calls in a way that does not interfere with PaX.
79600 +
79601 +config PAX_EMUSIGRT
79602 + bool "Automatically emulate sigreturn trampolines"
79603 + depends on PAX_EMUTRAMP && PARISC
79604 + default y
79605 + help
79606 + Enabling this option will have the kernel automatically detect
79607 + and emulate signal return trampolines executing on the stack
79608 + that would otherwise lead to task termination.
79609 +
79610 + This solution is intended as a temporary one for users with
79611 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
79612 + Modula-3 runtime, etc) or executables linked to such, basically
79613 + everything that does not specify its own SA_RESTORER function in
79614 + normal executable memory like glibc 2.1+ does.
79615 +
79616 + On parisc you MUST enable this option, otherwise your system will
79617 + not even boot.
79618 +
79619 + NOTE: this feature cannot be disabled on a per executable basis
79620 + and since it *does* open up a loophole in the protection provided
79621 + by non-executable pages, the best solution is to not have any
79622 + files on your system that would require this option.
79623 +
79624 +config PAX_MPROTECT
79625 + bool "Restrict mprotect()"
79626 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
79627 + help
79628 + Enabling this option will prevent programs from
79629 + - changing the executable status of memory pages that were
79630 + not originally created as executable,
79631 + - making read-only executable pages writable again,
79632 + - creating executable pages from anonymous memory,
79633 + - making read-only-after-relocations (RELRO) data pages writable again.
79634 +
79635 + You should say Y here to complete the protection provided by
79636 + the enforcement of non-executable pages.
79637 +
79638 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79639 + this feature on a per file basis.
79640 +
79641 +config PAX_MPROTECT_COMPAT
79642 + bool "Use legacy/compat protection demoting (read help)"
79643 + depends on PAX_MPROTECT
79644 + default n
79645 + help
79646 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
79647 + by sending the proper error code to the application. For some broken
79648 + userland, this can cause problems with Python or other applications. The
79649 + current implementation however allows for applications like clamav to
79650 + detect if JIT compilation/execution is allowed and to fall back gracefully
79651 + to an interpreter-based mode if it does not. While we encourage everyone
79652 + to use the current implementation as-is and push upstream to fix broken
79653 + userland (note that the RWX logging option can assist with this), in some
79654 + environments this may not be possible. Having to disable MPROTECT
79655 + completely on certain binaries reduces the security benefit of PaX,
79656 + so this option is provided for those environments to revert to the old
79657 + behavior.
79658 +
79659 +config PAX_ELFRELOCS
79660 + bool "Allow ELF text relocations (read help)"
79661 + depends on PAX_MPROTECT
79662 + default n
79663 + help
79664 + Non-executable pages and mprotect() restrictions are effective
79665 + in preventing the introduction of new executable code into an
79666 + attacked task's address space. There remain only two venues
79667 + for this kind of attack: if the attacker can execute already
79668 + existing code in the attacked task then he can either have it
79669 + create and mmap() a file containing his code or have it mmap()
79670 + an already existing ELF library that does not have position
79671 + independent code in it and use mprotect() on it to make it
79672 + writable and copy his code there. While protecting against
79673 + the former approach is beyond PaX, the latter can be prevented
79674 + by having only PIC ELF libraries on one's system (which do not
79675 + need to relocate their code). If you are sure this is your case,
79676 + as is the case with all modern Linux distributions, then leave
79677 + this option disabled. You should say 'n' here.
79678 +
79679 +config PAX_ETEXECRELOCS
79680 + bool "Allow ELF ET_EXEC text relocations"
79681 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
79682 + select PAX_ELFRELOCS
79683 + default y
79684 + help
79685 + On some architectures there are incorrectly created applications
79686 + that require text relocations and would not work without enabling
79687 + this option. If you are an alpha, ia64 or parisc user, you should
79688 + enable this option and disable it once you have made sure that
79689 + none of your applications need it.
79690 +
79691 +config PAX_EMUPLT
79692 + bool "Automatically emulate ELF PLT"
79693 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
79694 + default y
79695 + help
79696 + Enabling this option will have the kernel automatically detect
79697 + and emulate the Procedure Linkage Table entries in ELF files.
79698 + On some architectures such entries are in writable memory, and
79699 + become non-executable leading to task termination. Therefore
79700 + it is mandatory that you enable this option on alpha, parisc,
79701 + sparc and sparc64, otherwise your system would not even boot.
79702 +
79703 + NOTE: this feature *does* open up a loophole in the protection
79704 + provided by the non-executable pages, therefore the proper
79705 + solution is to modify the toolchain to produce a PLT that does
79706 + not need to be writable.
79707 +
79708 +config PAX_DLRESOLVE
79709 + bool 'Emulate old glibc resolver stub'
79710 + depends on PAX_EMUPLT && SPARC
79711 + default n
79712 + help
79713 + This option is needed if userland has an old glibc (before 2.4)
79714 + that puts a 'save' instruction into the runtime generated resolver
79715 + stub that needs special emulation.
79716 +
79717 +config PAX_KERNEXEC
79718 + bool "Enforce non-executable kernel pages"
79719 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
79720 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
79721 + help
79722 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
79723 + that is, enabling this option will make it harder to inject
79724 + and execute 'foreign' code in kernel memory itself.
79725 +
79726 + Note that on x86_64 kernels there is a known regression when
79727 + this feature and KVM/VMX are both enabled in the host kernel.
79728 +
79729 +config PAX_KERNEXEC_MODULE_TEXT
79730 + int "Minimum amount of memory reserved for module code"
79731 + default "4"
79732 + depends on PAX_KERNEXEC && X86_32 && MODULES
79733 + help
79734 + Due to implementation details the kernel must reserve a fixed
79735 + amount of memory for module code at compile time that cannot be
79736 + changed at runtime. Here you can specify the minimum amount
79737 + in MB that will be reserved. Due to the same implementation
79738 + details this size will always be rounded up to the next 2/4 MB
79739 + boundary (depends on PAE) so the actually available memory for
79740 + module code will usually be more than this minimum.
79741 +
79742 + The default 4 MB should be enough for most users but if you have
79743 + an excessive number of modules (e.g., most distribution configs
79744 + compile many drivers as modules) or use huge modules such as
79745 + nvidia's kernel driver, you will need to adjust this amount.
79746 + A good rule of thumb is to look at your currently loaded kernel
79747 + modules and add up their sizes.
79748 +
79749 +endmenu
79750 +
79751 +menu "Address Space Layout Randomization"
79752 + depends on PAX
79753 +
79754 +config PAX_ASLR
79755 + bool "Address Space Layout Randomization"
79756 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
79757 + help
79758 + Many if not most exploit techniques rely on the knowledge of
79759 + certain addresses in the attacked program. The following options
79760 + will allow the kernel to apply a certain amount of randomization
79761 + to specific parts of the program thereby forcing an attacker to
79762 + guess them in most cases. Any failed guess will most likely crash
79763 + the attacked program which allows the kernel to detect such attempts
79764 + and react on them. PaX itself provides no reaction mechanisms,
79765 + instead it is strongly encouraged that you make use of Nergal's
79766 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
79767 + (http://www.grsecurity.net/) built-in crash detection features or
79768 + develop one yourself.
79769 +
79770 + By saying Y here you can choose to randomize the following areas:
79771 + - top of the task's kernel stack
79772 + - top of the task's userland stack
79773 + - base address for mmap() requests that do not specify one
79774 + (this includes all libraries)
79775 + - base address of the main executable
79776 +
79777 + It is strongly recommended to say Y here as address space layout
79778 + randomization has negligible impact on performance yet it provides
79779 + a very effective protection.
79780 +
79781 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79782 + this feature on a per file basis.
79783 +
79784 +config PAX_RANDKSTACK
79785 + bool "Randomize kernel stack base"
79786 + depends on PAX_ASLR && X86_TSC && X86
79787 + help
79788 + By saying Y here the kernel will randomize every task's kernel
79789 + stack on every system call. This will not only force an attacker
79790 + to guess it but also prevent him from making use of possible
79791 + leaked information about it.
79792 +
79793 + Since the kernel stack is a rather scarce resource, randomization
79794 + may cause unexpected stack overflows, therefore you should very
79795 + carefully test your system. Note that once enabled in the kernel
79796 + configuration, this feature cannot be disabled on a per file basis.
79797 +
79798 +config PAX_RANDUSTACK
79799 + bool "Randomize user stack base"
79800 + depends on PAX_ASLR
79801 + help
79802 + By saying Y here the kernel will randomize every task's userland
79803 + stack. The randomization is done in two steps where the second
79804 + one may apply a big amount of shift to the top of the stack and
79805 + cause problems for programs that want to use lots of memory (more
79806 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
79807 + For this reason the second step can be controlled by 'chpax' or
79808 + 'paxctl' on a per file basis.
79809 +
79810 +config PAX_RANDMMAP
79811 + bool "Randomize mmap() base"
79812 + depends on PAX_ASLR
79813 + help
79814 + By saying Y here the kernel will use a randomized base address for
79815 + mmap() requests that do not specify one themselves. As a result
79816 + all dynamically loaded libraries will appear at random addresses
79817 + and therefore be harder to exploit by a technique where an attacker
79818 + attempts to execute library code for his purposes (e.g. spawn a
79819 + shell from an exploited program that is running at an elevated
79820 + privilege level).
79821 +
79822 + Furthermore, if a program is relinked as a dynamic ELF file, its
79823 + base address will be randomized as well, completing the full
79824 + randomization of the address space layout. Attacking such programs
79825 + becomes a guess game. You can find an example of doing this at
79826 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
79827 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
79828 +
79829 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
79830 + feature on a per file basis.
79831 +
79832 +endmenu
79833 +
79834 +menu "Miscellaneous hardening features"
79835 +
79836 +config PAX_MEMORY_SANITIZE
79837 + bool "Sanitize all freed memory"
79838 + help
79839 + By saying Y here the kernel will erase memory pages as soon as they
79840 + are freed. This in turn reduces the lifetime of data stored in the
79841 + pages, making it less likely that sensitive information such as
79842 + passwords, cryptographic secrets, etc stay in memory for too long.
79843 +
79844 + This is especially useful for programs whose runtime is short, long
79845 + lived processes and the kernel itself benefit from this as long as
79846 + they operate on whole memory pages and ensure timely freeing of pages
79847 + that may hold sensitive information.
79848 +
79849 + The tradeoff is performance impact, on a single CPU system kernel
79850 + compilation sees a 3% slowdown, other systems and workloads may vary
79851 + and you are advised to test this feature on your expected workload
79852 + before deploying it.
79853 +
79854 + Note that this feature does not protect data stored in live pages,
79855 + e.g., process memory swapped to disk may stay there for a long time.
79856 +
79857 +config PAX_MEMORY_STACKLEAK
79858 + bool "Sanitize kernel stack"
79859 + depends on X86
79860 + help
79861 + By saying Y here the kernel will erase the kernel stack before it
79862 + returns from a system call. This in turn reduces the information
79863 + that a kernel stack leak bug can reveal.
79864 +
79865 + Note that such a bug can still leak information that was put on
79866 + the stack by the current system call (the one eventually triggering
79867 + the bug) but traces of earlier system calls on the kernel stack
79868 + cannot leak anymore.
79869 +
79870 + The tradeoff is performance impact: on a single CPU system kernel
79871 + compilation sees a 1% slowdown, other systems and workloads may vary
79872 + and you are advised to test this feature on your expected workload
79873 + before deploying it.
79874 +
79875 + Note: full support for this feature requires gcc with plugin support
79876 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
79877 + is not supported). Using older gcc versions means that functions
79878 + with large enough stack frames may leave uninitialized memory behind
79879 + that may be exposed to a later syscall leaking the stack.
79880 +
79881 +config PAX_MEMORY_UDEREF
79882 + bool "Prevent invalid userland pointer dereference"
79883 + depends on X86 && !UML_X86 && !XEN
79884 + select PAX_PER_CPU_PGD if X86_64
79885 + help
79886 + By saying Y here the kernel will be prevented from dereferencing
79887 + userland pointers in contexts where the kernel expects only kernel
79888 + pointers. This is both a useful runtime debugging feature and a
79889 + security measure that prevents exploiting a class of kernel bugs.
79890 +
79891 + The tradeoff is that some virtualization solutions may experience
79892 + a huge slowdown and therefore you should not enable this feature
79893 + for kernels meant to run in such environments. Whether a given VM
79894 + solution is affected or not is best determined by simply trying it
79895 + out, the performance impact will be obvious right on boot as this
79896 + mechanism engages from very early on. A good rule of thumb is that
79897 + VMs running on CPUs without hardware virtualization support (i.e.,
79898 + the majority of IA-32 CPUs) will likely experience the slowdown.
79899 +
79900 +config PAX_REFCOUNT
79901 + bool "Prevent various kernel object reference counter overflows"
79902 + depends on GRKERNSEC && (X86 || SPARC64)
79903 + help
79904 + By saying Y here the kernel will detect and prevent overflowing
79905 + various (but not all) kinds of object reference counters. Such
79906 + overflows can normally occur due to bugs only and are often, if
79907 + not always, exploitable.
79908 +
79909 + The tradeoff is that data structures protected by an overflowed
79910 + refcount will never be freed and therefore will leak memory. Note
79911 + that this leak also happens even without this protection but in
79912 + that case the overflow can eventually trigger the freeing of the
79913 + data structure while it is still being used elsewhere, resulting
79914 + in the exploitable situation that this feature prevents.
79915 +
79916 + Since this has a negligible performance impact, you should enable
79917 + this feature.
79918 +
79919 +config PAX_USERCOPY
79920 + bool "Harden heap object copies between kernel and userland"
79921 + depends on X86 || PPC || SPARC
79922 + depends on GRKERNSEC && (SLAB || SLUB)
79923 + help
79924 + By saying Y here the kernel will enforce the size of heap objects
79925 + when they are copied in either direction between the kernel and
79926 + userland, even if only a part of the heap object is copied.
79927 +
79928 + Specifically, this checking prevents information leaking from the
79929 + kernel heap during kernel to userland copies (if the kernel heap
79930 + object is otherwise fully initialized) and prevents kernel heap
79931 + overflows during userland to kernel copies.
79932 +
79933 + Note that the current implementation provides the strictest bounds
79934 + checks for the SLUB allocator.
79935 +
79936 + Enabling this option also enables per-slab cache protection against
79937 + data in a given cache being copied into/out of via userland
79938 + accessors. Though the whitelist of regions will be reduced over
79939 + time, it notably protects important data structures like task structs.
79940 +
79941 + If frame pointers are enabled on x86, this option will also restrict
79942 + copies into and out of the kernel stack to local variables within a
79943 + single frame.
79944 +
79945 + Since this has a negligible performance impact, you should enable
79946 + this feature.
79947 +
79948 +endmenu
79949 +
79950 +endmenu
79951 +
79952 config KEYS
79953 bool "Enable access key retention support"
79954 help
79955 @@ -167,7 +715,7 @@ config INTEL_TXT
79956 config LSM_MMAP_MIN_ADDR
79957 int "Low address space for LSM to protect from user allocation"
79958 depends on SECURITY && SECURITY_SELINUX
79959 - default 65536
79960 + default 32768
79961 help
79962 This is the portion of low virtual memory which should be protected
79963 from userspace allocation. Keeping a user from writing to low pages
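Review bot: The new `default 32768` halves the low-address range that SELinux-enabled kernels keep away from user mappings, and it does so on every architecture without stating a reason. If the smaller value is only needed where the address space is tight, a conditional default keeps the wider guard elsewhere, for example `default 32768 if ARM` followed by `default 65536`. Which architectures actually need the lower value is not shown in the hunk and would have to be confirmed. The help text continues outside the hunk and may also need updating to match the new value.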
79964 diff -urNp linux-2.6.39.1/security/keys/keyring.c linux-2.6.39.1/security/keys/keyring.c
79965 --- linux-2.6.39.1/security/keys/keyring.c 2011-05-19 00:06:34.000000000 -0400
79966 +++ linux-2.6.39.1/security/keys/keyring.c 2011-05-22 19:36:35.000000000 -0400
79967 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
79968 ret = -EFAULT;
79969
79970 for (loop = 0; loop < klist->nkeys; loop++) {
79971 + key_serial_t serial;
79972 key = klist->keys[loop];
79973 + serial = key->serial;
79974
79975 tmp = sizeof(key_serial_t);
79976 if (tmp > buflen)
79977 tmp = buflen;
79978
79979 - if (copy_to_user(buffer,
79980 - &key->serial,
79981 - tmp) != 0)
79982 + if (copy_to_user(buffer, &serial, tmp))
79983 goto error;
79984
79985 buflen -= tmp;
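Review bot: Nothing at the new `serial` local explains why the value is bounced through the stack before `copy_to_user()`, so a later cleanup could easily fold it back into `&key->serial`. A one-line comment at the assignment would preserve the intent, e.g. `/* copy from a stack local so copy_to_user() never reads from the key object directly */`. The motivation is presumably the heap-object size checking described under PAX_USERCOPY in this patch; that should be confirmed and named in the comment. `keyring_read` starts and ends outside the hunk.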
79986 diff -urNp linux-2.6.39.1/security/min_addr.c linux-2.6.39.1/security/min_addr.c
79987 --- linux-2.6.39.1/security/min_addr.c 2011-05-19 00:06:34.000000000 -0400
79988 +++ linux-2.6.39.1/security/min_addr.c 2011-05-22 19:41:42.000000000 -0400
79989 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
79990 */
79991 static void update_mmap_min_addr(void)
79992 {
79993 +#ifndef SPARC
79994 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
79995 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
79996 mmap_min_addr = dac_mmap_min_addr;
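Review bot: `#ifndef SPARC` tests a macro that Kconfig does not generate, because configuration symbols reach C code as `CONFIG_`-prefixed names. Unless something outside this hunk defines `SPARC`, the guard is always true and the body is still compiled on sparc. If the intent is to skip the update on that architecture, the line should read `#ifndef CONFIG_SPARC`, with the `#endif` added in the next hunk annotated to match (`#endif /* !CONFIG_SPARC */`). With the guard effective, `update_mmap_min_addr()` compiles to an empty function there and `mmap_min_addr` keeps its initial value, so a comment stating why that is wanted would help. The function body continues into the following hunk.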
79997 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
79998 #else
79999 mmap_min_addr = dac_mmap_min_addr;
80000 #endif
80001 +#endif
80002 }
80003
80004 /*
80005 diff -urNp linux-2.6.39.1/security/security.c linux-2.6.39.1/security/security.c
80006 --- linux-2.6.39.1/security/security.c 2011-05-19 00:06:34.000000000 -0400
80007 +++ linux-2.6.39.1/security/security.c 2011-05-22 19:41:42.000000000 -0400
80008 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
80009 /* things that live in capability.c */
80010 extern void __init security_fixup_ops(struct security_operations *ops);
80011
80012 -static struct security_operations *security_ops;
80013 -static struct security_operations default_security_ops = {
80014 +static struct security_operations *security_ops __read_only;
80015 +static struct security_operations default_security_ops __read_only = {
80016 .name = "default",
80017 };
80018
80019 @@ -67,7 +67,9 @@ int __init security_init(void)
80020
80021 void reset_security_ops(void)
80022 {
80023 + pax_open_kernel();
80024 security_ops = &default_security_ops;
80025 + pax_close_kernel();
80026 }
80027
80028 /* Save user chosen LSM */
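Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair in `reset_security_ops()` has no comment tying it to the `__read_only` annotation that the previous hunk adds to `security_ops`. A short comment such as `/* security_ops is __read_only: open a write window for this single store */` would make the dependency explicit. Any other runtime (non-`__init`) store to `security_ops`, or to the ops tables this patch marks `__read_only`, needs the same bracket. Those sites are outside the hunk and worth checking.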
80029 diff -urNp linux-2.6.39.1/security/selinux/hooks.c linux-2.6.39.1/security/selinux/hooks.c
80030 --- linux-2.6.39.1/security/selinux/hooks.c 2011-05-19 00:06:34.000000000 -0400
80031 +++ linux-2.6.39.1/security/selinux/hooks.c 2011-05-22 19:41:42.000000000 -0400
80032 @@ -93,7 +93,6 @@
80033 #define NUM_SEL_MNT_OPTS 5
80034
80035 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
80036 -extern struct security_operations *security_ops;
80037
80038 /* SECMARK reference count */
80039 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
80040 @@ -5431,7 +5430,7 @@ static int selinux_key_getsecurity(struc
80041
80042 #endif
80043
80044 -static struct security_operations selinux_ops = {
80045 +static struct security_operations selinux_ops __read_only = {
80046 .name = "selinux",
80047
80048 .ptrace_access_check = selinux_ptrace_access_check,
80049 diff -urNp linux-2.6.39.1/security/selinux/include/xfrm.h linux-2.6.39.1/security/selinux/include/xfrm.h
80050 --- linux-2.6.39.1/security/selinux/include/xfrm.h 2011-05-19 00:06:34.000000000 -0400
80051 +++ linux-2.6.39.1/security/selinux/include/xfrm.h 2011-05-22 19:36:35.000000000 -0400
80052 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80053
80054 static inline void selinux_xfrm_notify_policyload(void)
80055 {
80056 - atomic_inc(&flow_cache_genid);
80057 + atomic_inc_unchecked(&flow_cache_genid);
80058 }
80059 #else
80060 static inline int selinux_xfrm_enabled(void)
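Review bot: `atomic_inc_unchecked()` opts `flow_cache_genid` out of the reference-counter overflow detection this patch describes under PAX_REFCOUNT, and the call site does not say why that is safe. A comment on the line would document it, e.g. `/* generation counter, not a refcount: wrap-around is harmless */`. That wording assumes the value is only ever compared for equality, which should be confirmed. The declaration of `flow_cache_genid` is outside this hunk and has to use the matching unchecked atomic type for this call to compile.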
80061 diff -urNp linux-2.6.39.1/security/selinux/ss/services.c linux-2.6.39.1/security/selinux/ss/services.c
80062 --- linux-2.6.39.1/security/selinux/ss/services.c 2011-05-19 00:06:34.000000000 -0400
80063 +++ linux-2.6.39.1/security/selinux/ss/services.c 2011-05-22 19:36:35.000000000 -0400
80064 @@ -1806,6 +1806,8 @@ int security_load_policy(void *data, siz
80065 int rc = 0;
80066 struct policy_file file = { data, len }, *fp = &file;
80067
80068 + pax_track_stack();
80069 +
80070 if (!ss_initialized) {
80071 avtab_cache_init();
80072 rc = policydb_read(&policydb, fp);
80073 diff -urNp linux-2.6.39.1/security/smack/smack_lsm.c linux-2.6.39.1/security/smack/smack_lsm.c
80074 --- linux-2.6.39.1/security/smack/smack_lsm.c 2011-05-19 00:06:34.000000000 -0400
80075 +++ linux-2.6.39.1/security/smack/smack_lsm.c 2011-05-22 19:36:35.000000000 -0400
80076 @@ -3386,7 +3386,7 @@ static int smack_inode_getsecctx(struct
80077 return 0;
80078 }
80079
80080 -struct security_operations smack_ops = {
80081 +struct security_operations smack_ops __read_only = {
80082 .name = "smack",
80083
80084 .ptrace_access_check = smack_ptrace_access_check,
80085 diff -urNp linux-2.6.39.1/security/tomoyo/tomoyo.c linux-2.6.39.1/security/tomoyo/tomoyo.c
80086 --- linux-2.6.39.1/security/tomoyo/tomoyo.c 2011-05-19 00:06:34.000000000 -0400
80087 +++ linux-2.6.39.1/security/tomoyo/tomoyo.c 2011-05-22 19:36:35.000000000 -0400
80088 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
80089 * tomoyo_security_ops is a "struct security_operations" which is used for
80090 * registering TOMOYO.
80091 */
80092 -static struct security_operations tomoyo_security_ops = {
80093 +static struct security_operations tomoyo_security_ops __read_only = {
80094 .name = "tomoyo",
80095 .cred_alloc_blank = tomoyo_cred_alloc_blank,
80096 .cred_prepare = tomoyo_cred_prepare,
80097 diff -urNp linux-2.6.39.1/sound/aoa/aoa.h linux-2.6.39.1/sound/aoa/aoa.h
80098 --- linux-2.6.39.1/sound/aoa/aoa.h 2011-05-19 00:06:34.000000000 -0400
80099 +++ linux-2.6.39.1/sound/aoa/aoa.h 2011-05-22 19:36:35.000000000 -0400
80100 @@ -122,8 +122,8 @@ extern struct snd_card *aoa_get_card(voi
80101 extern int aoa_snd_ctl_add(struct snd_kcontrol* control);
80102
80103 /* GPIO stuff */
80104 -extern struct gpio_methods *pmf_gpio_methods;
80105 -extern struct gpio_methods *ftr_gpio_methods;
80106 +extern const struct gpio_methods *pmf_gpio_methods;
80107 +extern const struct gpio_methods *ftr_gpio_methods;
80108 /* extern struct gpio_methods *map_gpio_methods; */
80109
80110 #endif /* __AOA_H */
80111 diff -urNp linux-2.6.39.1/sound/aoa/codecs/onyx.c linux-2.6.39.1/sound/aoa/codecs/onyx.c
80112 --- linux-2.6.39.1/sound/aoa/codecs/onyx.c 2011-05-19 00:06:34.000000000 -0400
80113 +++ linux-2.6.39.1/sound/aoa/codecs/onyx.c 2011-05-22 19:36:35.000000000 -0400
80114 @@ -54,7 +54,7 @@ struct onyx {
80115 spdif_locked:1,
80116 analog_locked:1,
80117 original_mute:2;
80118 - int open_count;
80119 + local_t open_count;
80120 struct codec_info *codec_info;
80121
80122 /* mutex serializes concurrent access to the device
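Review bot: `open_count` becomes a `local_t` with no comment explaining the choice, yet both updates in the following hunks (`local_inc()` in `onyx_open`, `local_dec_and_test()` in `onyx_close`) already run under `onyx->mutex`. The type is therefore not needed for atomicity, and a field comment should state what it is for, e.g. `/* local_t so increments go through the checked counter helpers */` if that is the intent. Any read or initialisation of `open_count` outside these hunks must also move to `local_read()` / `local_set()`, since a `local_t` cannot be used as a plain `int`. `struct onyx` starts and ends outside the hunk.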
80123 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
80124 struct onyx *onyx = cii->codec_data;
80125
80126 mutex_lock(&onyx->mutex);
80127 - onyx->open_count++;
80128 + local_inc(&onyx->open_count);
80129 mutex_unlock(&onyx->mutex);
80130
80131 return 0;
80132 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
80133 struct onyx *onyx = cii->codec_data;
80134
80135 mutex_lock(&onyx->mutex);
80136 - onyx->open_count--;
80137 - if (!onyx->open_count)
80138 + if (local_dec_and_test(&onyx->open_count))
80139 onyx->spdif_locked = onyx->analog_locked = 0;
80140 mutex_unlock(&onyx->mutex);
80141
80142 diff -urNp linux-2.6.39.1/sound/aoa/codecs/onyx.h linux-2.6.39.1/sound/aoa/codecs/onyx.h
80143 --- linux-2.6.39.1/sound/aoa/codecs/onyx.h 2011-05-19 00:06:34.000000000 -0400
80144 +++ linux-2.6.39.1/sound/aoa/codecs/onyx.h 2011-05-22 19:36:35.000000000 -0400
80145 @@ -11,6 +11,7 @@
80146 #include <linux/i2c.h>
80147 #include <asm/pmac_low_i2c.h>
80148 #include <asm/prom.h>
80149 +#include <asm/local.h>
80150
80151 /* PCM3052 register definitions */
80152
80153 diff -urNp linux-2.6.39.1/sound/arm/aaci.c linux-2.6.39.1/sound/arm/aaci.c
80154 --- linux-2.6.39.1/sound/arm/aaci.c 2011-05-19 00:06:34.000000000 -0400
80155 +++ linux-2.6.39.1/sound/arm/aaci.c 2011-05-22 19:36:35.000000000 -0400
80156 @@ -635,7 +635,7 @@ static int aaci_pcm_playback_trigger(str
80157 return ret;
80158 }
80159
80160 -static struct snd_pcm_ops aaci_playback_ops = {
80161 +static const struct snd_pcm_ops aaci_playback_ops = {
80162 .open = aaci_pcm_open,
80163 .close = aaci_pcm_close,
80164 .ioctl = snd_pcm_lib_ioctl,
80165 @@ -738,7 +738,7 @@ static int aaci_pcm_capture_prepare(stru
80166 return 0;
80167 }
80168
80169 -static struct snd_pcm_ops aaci_capture_ops = {
80170 +static const struct snd_pcm_ops aaci_capture_ops = {
80171 .open = aaci_pcm_open,
80172 .close = aaci_pcm_close,
80173 .ioctl = snd_pcm_lib_ioctl,
80174 @@ -827,7 +827,7 @@ static struct ac97_pcm ac97_defs[] __dev
80175 }
80176 };
80177
80178 -static struct snd_ac97_bus_ops aaci_bus_ops = {
80179 +static const struct snd_ac97_bus_ops aaci_bus_ops = {
80180 .write = aaci_ac97_write,
80181 .read = aaci_ac97_read,
80182 };
80183 diff -urNp linux-2.6.39.1/sound/arm/pxa2xx-ac97.c linux-2.6.39.1/sound/arm/pxa2xx-ac97.c
80184 --- linux-2.6.39.1/sound/arm/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
80185 +++ linux-2.6.39.1/sound/arm/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
80186 @@ -34,7 +34,7 @@ static void pxa2xx_ac97_reset(struct snd
80187 pxa2xx_ac97_finish_reset(ac97);
80188 }
80189
80190 -static struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80191 +static const struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80192 .read = pxa2xx_ac97_read,
80193 .write = pxa2xx_ac97_write,
80194 .reset = pxa2xx_ac97_reset,
80195 diff -urNp linux-2.6.39.1/sound/atmel/abdac.c linux-2.6.39.1/sound/atmel/abdac.c
80196 --- linux-2.6.39.1/sound/atmel/abdac.c 2011-05-19 00:06:34.000000000 -0400
80197 +++ linux-2.6.39.1/sound/atmel/abdac.c 2011-05-22 19:36:35.000000000 -0400
80198 @@ -297,7 +297,7 @@ static irqreturn_t abdac_interrupt(int i
80199 return IRQ_HANDLED;
80200 }
80201
80202 -static struct snd_pcm_ops atmel_abdac_ops = {
80203 +static const struct snd_pcm_ops atmel_abdac_ops = {
80204 .open = atmel_abdac_open,
80205 .close = atmel_abdac_close,
80206 .ioctl = snd_pcm_lib_ioctl,
80207 diff -urNp linux-2.6.39.1/sound/atmel/ac97c.c linux-2.6.39.1/sound/atmel/ac97c.c
80208 --- linux-2.6.39.1/sound/atmel/ac97c.c 2011-05-19 00:06:34.000000000 -0400
80209 +++ linux-2.6.39.1/sound/atmel/ac97c.c 2011-05-22 19:36:35.000000000 -0400
80210 @@ -626,7 +626,7 @@ atmel_ac97c_capture_pointer(struct snd_p
80211 return frames;
80212 }
80213
80214 -static struct snd_pcm_ops atmel_ac97_playback_ops = {
80215 +static const struct snd_pcm_ops atmel_ac97_playback_ops = {
80216 .open = atmel_ac97c_playback_open,
80217 .close = atmel_ac97c_playback_close,
80218 .ioctl = snd_pcm_lib_ioctl,
80219 @@ -637,7 +637,7 @@ static struct snd_pcm_ops atmel_ac97_pla
80220 .pointer = atmel_ac97c_playback_pointer,
80221 };
80222
80223 -static struct snd_pcm_ops atmel_ac97_capture_ops = {
80224 +static const struct snd_pcm_ops atmel_ac97_capture_ops = {
80225 .open = atmel_ac97c_capture_open,
80226 .close = atmel_ac97c_capture_close,
80227 .ioctl = snd_pcm_lib_ioctl,
80228 @@ -909,7 +909,7 @@ static int __devinit atmel_ac97c_probe(s
80229 struct resource *regs;
80230 struct ac97c_platform_data *pdata;
80231 struct clk *pclk;
80232 - static struct snd_ac97_bus_ops ops = {
80233 + static const struct snd_ac97_bus_ops ops = {
80234 .write = atmel_ac97c_write,
80235 .read = atmel_ac97c_read,
80236 };
80237 diff -urNp linux-2.6.39.1/sound/core/control.c linux-2.6.39.1/sound/core/control.c
80238 --- linux-2.6.39.1/sound/core/control.c 2011-05-19 00:06:34.000000000 -0400
80239 +++ linux-2.6.39.1/sound/core/control.c 2011-05-22 19:36:35.000000000 -0400
80240 @@ -1520,7 +1520,7 @@ static int snd_ctl_dev_free(struct snd_d
80241 */
80242 int snd_ctl_create(struct snd_card *card)
80243 {
80244 - static struct snd_device_ops ops = {
80245 + static const struct snd_device_ops ops = {
80246 .dev_free = snd_ctl_dev_free,
80247 .dev_register = snd_ctl_dev_register,
80248 .dev_disconnect = snd_ctl_dev_disconnect,
80249 diff -urNp linux-2.6.39.1/sound/core/device.c linux-2.6.39.1/sound/core/device.c
80250 --- linux-2.6.39.1/sound/core/device.c 2011-05-19 00:06:34.000000000 -0400
80251 +++ linux-2.6.39.1/sound/core/device.c 2011-05-22 19:36:35.000000000 -0400
80252 @@ -41,7 +41,7 @@
80253 * Returns zero if successful, or a negative error code on failure.
80254 */
80255 int snd_device_new(struct snd_card *card, snd_device_type_t type,
80256 - void *device_data, struct snd_device_ops *ops)
80257 + void *device_data, const struct snd_device_ops *ops)
80258 {
80259 struct snd_device *dev;
80260
80261 diff -urNp linux-2.6.39.1/sound/core/hwdep.c linux-2.6.39.1/sound/core/hwdep.c
80262 --- linux-2.6.39.1/sound/core/hwdep.c 2011-05-19 00:06:34.000000000 -0400
80263 +++ linux-2.6.39.1/sound/core/hwdep.c 2011-05-22 19:36:35.000000000 -0400
80264 @@ -348,7 +348,7 @@ int snd_hwdep_new(struct snd_card *card,
80265 {
80266 struct snd_hwdep *hwdep;
80267 int err;
80268 - static struct snd_device_ops ops = {
80269 + static const struct snd_device_ops ops = {
80270 .dev_free = snd_hwdep_dev_free,
80271 .dev_register = snd_hwdep_dev_register,
80272 .dev_disconnect = snd_hwdep_dev_disconnect,
80273 diff -urNp linux-2.6.39.1/sound/core/info.c linux-2.6.39.1/sound/core/info.c
80274 --- linux-2.6.39.1/sound/core/info.c 2011-05-19 00:06:34.000000000 -0400
80275 +++ linux-2.6.39.1/sound/core/info.c 2011-05-22 19:36:35.000000000 -0400
80276 @@ -897,7 +897,7 @@ static int snd_info_dev_register_entry(s
80277 int snd_card_proc_new(struct snd_card *card, const char *name,
80278 struct snd_info_entry **entryp)
80279 {
80280 - static struct snd_device_ops ops = {
80281 + static const struct snd_device_ops ops = {
80282 .dev_free = snd_info_dev_free_entry,
80283 .dev_register = snd_info_dev_register_entry,
80284 /* disconnect is done via snd_info_card_disconnect() */
80285 diff -urNp linux-2.6.39.1/sound/core/jack.c linux-2.6.39.1/sound/core/jack.c
80286 --- linux-2.6.39.1/sound/core/jack.c 2011-05-19 00:06:34.000000000 -0400
80287 +++ linux-2.6.39.1/sound/core/jack.c 2011-05-22 19:36:35.000000000 -0400
80288 @@ -105,7 +105,7 @@ int snd_jack_new(struct snd_card *card,
80289 struct snd_jack *jack;
80290 int err;
80291 int i;
80292 - static struct snd_device_ops ops = {
80293 + static const struct snd_device_ops ops = {
80294 .dev_free = snd_jack_dev_free,
80295 .dev_register = snd_jack_dev_register,
80296 };
80297 diff -urNp linux-2.6.39.1/sound/core/pcm.c linux-2.6.39.1/sound/core/pcm.c
80298 --- linux-2.6.39.1/sound/core/pcm.c 2011-05-19 00:06:34.000000000 -0400
80299 +++ linux-2.6.39.1/sound/core/pcm.c 2011-05-22 19:36:35.000000000 -0400
80300 @@ -717,7 +717,7 @@ int snd_pcm_new(struct snd_card *card, c
80301 {
80302 struct snd_pcm *pcm;
80303 int err;
80304 - static struct snd_device_ops ops = {
80305 + static const struct snd_device_ops ops = {
80306 .dev_free = snd_pcm_dev_free,
80307 .dev_register = snd_pcm_dev_register,
80308 .dev_disconnect = snd_pcm_dev_disconnect,
80309 diff -urNp linux-2.6.39.1/sound/core/pcm_lib.c linux-2.6.39.1/sound/core/pcm_lib.c
80310 --- linux-2.6.39.1/sound/core/pcm_lib.c 2011-05-19 00:06:34.000000000 -0400
80311 +++ linux-2.6.39.1/sound/core/pcm_lib.c 2011-05-22 19:36:35.000000000 -0400
80312 @@ -505,7 +505,7 @@ int snd_pcm_update_hw_ptr(struct snd_pcm
80313 *
80314 * Sets the given PCM operators to the pcm instance.
80315 */
80316 -void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, struct snd_pcm_ops *ops)
80317 +void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, const struct snd_pcm_ops *ops)
80318 {
80319 struct snd_pcm_str *stream = &pcm->streams[direction];
80320 struct snd_pcm_substream *substream;
80321 diff -urNp linux-2.6.39.1/sound/core/pcm_native.c linux-2.6.39.1/sound/core/pcm_native.c
80322 --- linux-2.6.39.1/sound/core/pcm_native.c 2011-05-19 00:06:34.000000000 -0400
80323 +++ linux-2.6.39.1/sound/core/pcm_native.c 2011-05-22 19:36:35.000000000 -0400
80324 @@ -702,7 +702,7 @@ struct action_ops {
80325 * Note: the stream state might be changed also on failure
80326 * Note2: call with calling stream lock + link lock
80327 */
80328 -static int snd_pcm_action_group(struct action_ops *ops,
80329 +static int snd_pcm_action_group(const struct action_ops *ops,
80330 struct snd_pcm_substream *substream,
80331 int state, int do_lock)
80332 {
80333 @@ -751,7 +751,7 @@ static int snd_pcm_action_group(struct a
80334 /*
80335 * Note: call with stream lock
80336 */
80337 -static int snd_pcm_action_single(struct action_ops *ops,
80338 +static int snd_pcm_action_single(const struct action_ops *ops,
80339 struct snd_pcm_substream *substream,
80340 int state)
80341 {
80342 @@ -771,7 +771,7 @@ static int snd_pcm_action_single(struct
80343 /*
80344 * Note: call with stream lock
80345 */
80346 -static int snd_pcm_action(struct action_ops *ops,
80347 +static int snd_pcm_action(const struct action_ops *ops,
80348 struct snd_pcm_substream *substream,
80349 int state)
80350 {
80351 @@ -794,7 +794,7 @@ static int snd_pcm_action(struct action_
80352 /*
80353 * Note: don't use any locks before
80354 */
80355 -static int snd_pcm_action_lock_irq(struct action_ops *ops,
80356 +static int snd_pcm_action_lock_irq(const struct action_ops *ops,
80357 struct snd_pcm_substream *substream,
80358 int state)
80359 {
80360 @@ -818,7 +818,7 @@ static int snd_pcm_action_lock_irq(struc
80361
80362 /*
80363 */
80364 -static int snd_pcm_action_nonatomic(struct action_ops *ops,
80365 +static int snd_pcm_action_nonatomic(const struct action_ops *ops,
80366 struct snd_pcm_substream *substream,
80367 int state)
80368 {
80369 @@ -877,7 +877,7 @@ static void snd_pcm_post_start(struct sn
80370 &runtime->trigger_tstamp);
80371 }
80372
80373 -static struct action_ops snd_pcm_action_start = {
80374 +static const struct action_ops snd_pcm_action_start = {
80375 .pre_action = snd_pcm_pre_start,
80376 .do_action = snd_pcm_do_start,
80377 .undo_action = snd_pcm_undo_start,
80378 @@ -928,7 +928,7 @@ static void snd_pcm_post_stop(struct snd
80379 wake_up(&runtime->tsleep);
80380 }
80381
80382 -static struct action_ops snd_pcm_action_stop = {
80383 +static const struct action_ops snd_pcm_action_stop = {
80384 .pre_action = snd_pcm_pre_stop,
80385 .do_action = snd_pcm_do_stop,
80386 .post_action = snd_pcm_post_stop
80387 @@ -1025,7 +1025,7 @@ static void snd_pcm_post_pause(struct sn
80388 }
80389 }
80390
80391 -static struct action_ops snd_pcm_action_pause = {
80392 +static const struct action_ops snd_pcm_action_pause = {
80393 .pre_action = snd_pcm_pre_pause,
80394 .do_action = snd_pcm_do_pause,
80395 .undo_action = snd_pcm_undo_pause,
80396 @@ -1076,7 +1076,7 @@ static void snd_pcm_post_suspend(struct
80397 wake_up(&runtime->tsleep);
80398 }
80399
80400 -static struct action_ops snd_pcm_action_suspend = {
80401 +static const struct action_ops snd_pcm_action_suspend = {
80402 .pre_action = snd_pcm_pre_suspend,
80403 .do_action = snd_pcm_do_suspend,
80404 .post_action = snd_pcm_post_suspend
80405 @@ -1175,7 +1175,7 @@ static void snd_pcm_post_resume(struct s
80406 runtime->status->state = runtime->status->suspended_state;
80407 }
80408
80409 -static struct action_ops snd_pcm_action_resume = {
80410 +static const struct action_ops snd_pcm_action_resume = {
80411 .pre_action = snd_pcm_pre_resume,
80412 .do_action = snd_pcm_do_resume,
80413 .undo_action = snd_pcm_undo_resume,
80414 @@ -1278,7 +1278,7 @@ static void snd_pcm_post_reset(struct sn
80415 snd_pcm_playback_silence(substream, ULONG_MAX);
80416 }
80417
80418 -static struct action_ops snd_pcm_action_reset = {
80419 +static const struct action_ops snd_pcm_action_reset = {
80420 .pre_action = snd_pcm_pre_reset,
80421 .do_action = snd_pcm_do_reset,
80422 .post_action = snd_pcm_post_reset
80423 @@ -1322,7 +1322,7 @@ static void snd_pcm_post_prepare(struct
80424 runtime->status->state = SNDRV_PCM_STATE_PREPARED;
80425 }
80426
80427 -static struct action_ops snd_pcm_action_prepare = {
80428 +static const struct action_ops snd_pcm_action_prepare = {
80429 .pre_action = snd_pcm_pre_prepare,
80430 .do_action = snd_pcm_do_prepare,
80431 .post_action = snd_pcm_post_prepare
80432 @@ -1397,7 +1397,7 @@ static void snd_pcm_post_drain_init(stru
80433 {
80434 }
80435
80436 -static struct action_ops snd_pcm_action_drain_init = {
80437 +static const struct action_ops snd_pcm_action_drain_init = {
80438 .pre_action = snd_pcm_pre_drain_init,
80439 .do_action = snd_pcm_do_drain_init,
80440 .post_action = snd_pcm_post_drain_init
80441 diff -urNp linux-2.6.39.1/sound/core/rawmidi.c linux-2.6.39.1/sound/core/rawmidi.c
80442 --- linux-2.6.39.1/sound/core/rawmidi.c 2011-05-19 00:06:34.000000000 -0400
80443 +++ linux-2.6.39.1/sound/core/rawmidi.c 2011-05-22 19:36:35.000000000 -0400
80444 @@ -1449,7 +1449,7 @@ int snd_rawmidi_new(struct snd_card *car
80445 {
80446 struct snd_rawmidi *rmidi;
80447 int err;
80448 - static struct snd_device_ops ops = {
80449 + static const struct snd_device_ops ops = {
80450 .dev_free = snd_rawmidi_dev_free,
80451 .dev_register = snd_rawmidi_dev_register,
80452 .dev_disconnect = snd_rawmidi_dev_disconnect,
80453 @@ -1654,7 +1654,7 @@ static int snd_rawmidi_dev_disconnect(st
80454 * Sets the rawmidi operators for the given stream direction.
80455 */
80456 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
80457 - struct snd_rawmidi_ops *ops)
80458 + const struct snd_rawmidi_ops *ops)
80459 {
80460 struct snd_rawmidi_substream *substream;
80461
80462 diff -urNp linux-2.6.39.1/sound/core/seq/seq_device.c linux-2.6.39.1/sound/core/seq/seq_device.c
80463 --- linux-2.6.39.1/sound/core/seq/seq_device.c 2011-05-19 00:06:34.000000000 -0400
80464 +++ linux-2.6.39.1/sound/core/seq/seq_device.c 2011-05-22 19:36:35.000000000 -0400
80465 @@ -178,7 +178,7 @@ int snd_seq_device_new(struct snd_card *
80466 struct snd_seq_device *dev;
80467 struct ops_list *ops;
80468 int err;
80469 - static struct snd_device_ops dops = {
80470 + static const struct snd_device_ops dops = {
80471 .dev_free = snd_seq_device_dev_free,
80472 .dev_register = snd_seq_device_dev_register,
80473 .dev_disconnect = snd_seq_device_dev_disconnect,
80474 @@ -307,7 +307,7 @@ static int snd_seq_device_dev_disconnect
80475 * id = driver id
80476 * entry = driver operators - duplicated to each instance
80477 */
80478 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
80479 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry,
80480 int argsize)
80481 {
80482 struct ops_list *ops;
80483 diff -urNp linux-2.6.39.1/sound/core/seq/seq_midi.c linux-2.6.39.1/sound/core/seq/seq_midi.c
80484 --- linux-2.6.39.1/sound/core/seq/seq_midi.c 2011-05-19 00:06:34.000000000 -0400
80485 +++ linux-2.6.39.1/sound/core/seq/seq_midi.c 2011-05-22 19:36:35.000000000 -0400
80486 @@ -461,7 +461,7 @@ snd_seq_midisynth_unregister_port(struct
80487
80488 static int __init alsa_seq_midi_init(void)
80489 {
80490 - static struct snd_seq_dev_ops ops = {
80491 + static const struct snd_seq_dev_ops ops = {
80492 snd_seq_midisynth_register_port,
80493 snd_seq_midisynth_unregister_port,
80494 };
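Review bot: The `ops` initializer in alsa_seq_midi_init is positional, so which callback ends up in which member depends on the declaration order of `struct snd_seq_dev_ops`, which this hunk does not show. Designated initializers make the binding explicit and match the other ops tables this patch touches: `.init_device = snd_seq_midisynth_register_port,` and `.free_device = snd_seq_midisynth_unregister_port,`. The function body continues outside the hunk.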
80495 diff -urNp linux-2.6.39.1/sound/core/seq/seq_virmidi.c linux-2.6.39.1/sound/core/seq/seq_virmidi.c
80496 --- linux-2.6.39.1/sound/core/seq/seq_virmidi.c 2011-05-19 00:06:34.000000000 -0400
80497 +++ linux-2.6.39.1/sound/core/seq/seq_virmidi.c 2011-05-22 19:36:35.000000000 -0400
80498 @@ -337,13 +337,13 @@ static int snd_virmidi_unuse(void *priva
80499 * Register functions
80500 */
80501
80502 -static struct snd_rawmidi_ops snd_virmidi_input_ops = {
80503 +static const struct snd_rawmidi_ops snd_virmidi_input_ops = {
80504 .open = snd_virmidi_input_open,
80505 .close = snd_virmidi_input_close,
80506 .trigger = snd_virmidi_input_trigger,
80507 };
80508
80509 -static struct snd_rawmidi_ops snd_virmidi_output_ops = {
80510 +static const struct snd_rawmidi_ops snd_virmidi_output_ops = {
80511 .open = snd_virmidi_output_open,
80512 .close = snd_virmidi_output_close,
80513 .trigger = snd_virmidi_output_trigger,
80514 @@ -467,7 +467,7 @@ static int snd_virmidi_dev_unregister(st
80515 /*
80516 *
80517 */
80518 -static struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
80519 +static const struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
80520 .dev_register = snd_virmidi_dev_register,
80521 .dev_unregister = snd_virmidi_dev_unregister,
80522 };
80523 diff -urNp linux-2.6.39.1/sound/core/timer.c linux-2.6.39.1/sound/core/timer.c
80524 --- linux-2.6.39.1/sound/core/timer.c 2011-05-19 00:06:34.000000000 -0400
80525 +++ linux-2.6.39.1/sound/core/timer.c 2011-05-22 19:36:35.000000000 -0400
80526 @@ -756,7 +756,7 @@ int snd_timer_new(struct snd_card *card,
80527 {
80528 struct snd_timer *timer;
80529 int err;
80530 - static struct snd_device_ops ops = {
80531 + static const struct snd_device_ops ops = {
80532 .dev_free = snd_timer_dev_free,
80533 .dev_register = snd_timer_dev_register,
80534 .dev_disconnect = snd_timer_dev_disconnect,
80535 diff -urNp linux-2.6.39.1/sound/drivers/aloop.c linux-2.6.39.1/sound/drivers/aloop.c
80536 --- linux-2.6.39.1/sound/drivers/aloop.c 2011-05-19 00:06:34.000000000 -0400
80537 +++ linux-2.6.39.1/sound/drivers/aloop.c 2011-05-22 19:36:35.000000000 -0400
80538 @@ -731,7 +731,7 @@ static int loopback_close(struct snd_pcm
80539 return 0;
80540 }
80541
80542 -static struct snd_pcm_ops loopback_playback_ops = {
80543 +static const struct snd_pcm_ops loopback_playback_ops = {
80544 .open = loopback_open,
80545 .close = loopback_close,
80546 .ioctl = snd_pcm_lib_ioctl,
80547 @@ -742,7 +742,7 @@ static struct snd_pcm_ops loopback_playb
80548 .pointer = loopback_pointer,
80549 };
80550
80551 -static struct snd_pcm_ops loopback_capture_ops = {
80552 +static const struct snd_pcm_ops loopback_capture_ops = {
80553 .open = loopback_open,
80554 .close = loopback_close,
80555 .ioctl = snd_pcm_lib_ioctl,
80556 diff -urNp linux-2.6.39.1/sound/drivers/dummy.c linux-2.6.39.1/sound/drivers/dummy.c
80557 --- linux-2.6.39.1/sound/drivers/dummy.c 2011-05-19 00:06:34.000000000 -0400
80558 +++ linux-2.6.39.1/sound/drivers/dummy.c 2011-05-22 19:36:35.000000000 -0400
80559 @@ -350,7 +350,7 @@ static void dummy_systimer_free(struct s
80560 kfree(substream->runtime->private_data);
80561 }
80562
80563 -static struct dummy_timer_ops dummy_systimer_ops = {
80564 +static const struct dummy_timer_ops dummy_systimer_ops = {
80565 .create = dummy_systimer_create,
80566 .free = dummy_systimer_free,
80567 .prepare = dummy_systimer_prepare,
80568 @@ -474,7 +474,7 @@ static void dummy_hrtimer_free(struct sn
80569 kfree(dpcm);
80570 }
80571
80572 -static struct dummy_timer_ops dummy_hrtimer_ops = {
80573 +static const struct dummy_timer_ops dummy_hrtimer_ops = {
80574 .create = dummy_hrtimer_create,
80575 .free = dummy_hrtimer_free,
80576 .prepare = dummy_hrtimer_prepare,
80577 @@ -660,7 +660,7 @@ static struct page *dummy_pcm_page(struc
80578 return virt_to_page(dummy_page[substream->stream]); /* the same page */
80579 }
80580
80581 -static struct snd_pcm_ops dummy_pcm_ops = {
80582 +static const struct snd_pcm_ops dummy_pcm_ops = {
80583 .open = dummy_pcm_open,
80584 .close = dummy_pcm_close,
80585 .ioctl = snd_pcm_lib_ioctl,
80586 @@ -671,7 +671,7 @@ static struct snd_pcm_ops dummy_pcm_ops
80587 .pointer = dummy_pcm_pointer,
80588 };
80589
80590 -static struct snd_pcm_ops dummy_pcm_ops_no_buf = {
80591 +static const struct snd_pcm_ops dummy_pcm_ops_no_buf = {
80592 .open = dummy_pcm_open,
80593 .close = dummy_pcm_close,
80594 .ioctl = snd_pcm_lib_ioctl,
80595 @@ -689,7 +689,7 @@ static int __devinit snd_card_dummy_pcm(
80596 int substreams)
80597 {
80598 struct snd_pcm *pcm;
80599 - struct snd_pcm_ops *ops;
80600 + const struct snd_pcm_ops *ops;
80601 int err;
80602
80603 err = snd_pcm_new(dummy->card, "Dummy PCM", device,
80604 diff -urNp linux-2.6.39.1/sound/drivers/ml403-ac97cr.c linux-2.6.39.1/sound/drivers/ml403-ac97cr.c
80605 --- linux-2.6.39.1/sound/drivers/ml403-ac97cr.c 2011-05-19 00:06:34.000000000 -0400
80606 +++ linux-2.6.39.1/sound/drivers/ml403-ac97cr.c 2011-05-22 19:36:35.000000000 -0400
80607 @@ -759,7 +759,7 @@ static int snd_ml403_ac97cr_capture_clos
80608 return 0;
80609 }
80610
80611 -static struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
80612 +static const struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
80613 .open = snd_ml403_ac97cr_playback_open,
80614 .close = snd_ml403_ac97cr_playback_close,
80615 .ioctl = snd_pcm_lib_ioctl,
80616 @@ -770,7 +770,7 @@ static struct snd_pcm_ops snd_ml403_ac97
80617 .pointer = snd_ml403_ac97cr_pcm_pointer,
80618 };
80619
80620 -static struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
80621 +static const struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
80622 .open = snd_ml403_ac97cr_capture_open,
80623 .close = snd_ml403_ac97cr_capture_close,
80624 .ioctl = snd_pcm_lib_ioctl,
80625 @@ -1114,7 +1114,7 @@ snd_ml403_ac97cr_create(struct snd_card
80626 {
80627 struct snd_ml403_ac97cr *ml403_ac97cr;
80628 int err;
80629 - static struct snd_device_ops ops = {
80630 + static const struct snd_device_ops ops = {
80631 .dev_free = snd_ml403_ac97cr_dev_free,
80632 };
80633 struct resource *resource;
80634 @@ -1210,7 +1210,7 @@ snd_ml403_ac97cr_mixer(struct snd_ml403_
80635 struct snd_ac97_bus *bus;
80636 struct snd_ac97_template ac97;
80637 int err;
80638 - static struct snd_ac97_bus_ops ops = {
80639 + static const struct snd_ac97_bus_ops ops = {
80640 .write = snd_ml403_ac97cr_codec_write,
80641 .read = snd_ml403_ac97cr_codec_read,
80642 };
80643 diff -urNp linux-2.6.39.1/sound/drivers/mtpav.c linux-2.6.39.1/sound/drivers/mtpav.c
80644 --- linux-2.6.39.1/sound/drivers/mtpav.c 2011-05-19 00:06:34.000000000 -0400
80645 +++ linux-2.6.39.1/sound/drivers/mtpav.c 2011-05-22 19:36:35.000000000 -0400
80646 @@ -601,13 +601,13 @@ static int __devinit snd_mtpav_get_ISA(s
80647 /*
80648 */
80649
80650 -static struct snd_rawmidi_ops snd_mtpav_output = {
80651 +static const struct snd_rawmidi_ops snd_mtpav_output = {
80652 .open = snd_mtpav_output_open,
80653 .close = snd_mtpav_output_close,
80654 .trigger = snd_mtpav_output_trigger,
80655 };
80656
80657 -static struct snd_rawmidi_ops snd_mtpav_input = {
80658 +static const struct snd_rawmidi_ops snd_mtpav_input = {
80659 .open = snd_mtpav_input_open,
80660 .close = snd_mtpav_input_close,
80661 .trigger = snd_mtpav_input_trigger,
80662 diff -urNp linux-2.6.39.1/sound/drivers/mts64.c linux-2.6.39.1/sound/drivers/mts64.c
80663 --- linux-2.6.39.1/sound/drivers/mts64.c 2011-05-19 00:06:34.000000000 -0400
80664 +++ linux-2.6.39.1/sound/drivers/mts64.c 2011-05-22 19:36:35.000000000 -0400
80665 @@ -28,6 +28,7 @@
80666 #include <sound/initval.h>
80667 #include <sound/rawmidi.h>
80668 #include <sound/control.h>
80669 +#include <asm/local.h>
80670
80671 #define CARD_NAME "Miditerminal 4140"
80672 #define DRIVER_NAME "MTS64"
80673 @@ -66,7 +67,7 @@ struct mts64 {
80674 struct pardevice *pardev;
80675 int pardev_claimed;
80676
80677 - int open_count;
80678 + local_t open_count;
80679 int current_midi_output_port;
80680 int current_midi_input_port;
80681 u8 mode[MTS64_NUM_INPUT_PORTS];
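Review bot: `local_t open_count` in `struct mts64` uses a type whose operations are atomic only with respect to the CPU executing them, yet the counter sits in a per-device structure that the open and close callbacks in the later hunks update. If the counter is meant to stay consistent when open and close run on different CPUs, `atomic_t open_count;` with `atomic_read`/`atomic_inc`/`atomic_dec_return` would be the matching type. The patch's reason for picking `local_t` is not visible here. The same field change is made to `struct portman` in sound/drivers/portman2x4.c, where no use of the counter is shown.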
80682 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
80683 {
80684 struct mts64 *mts = substream->rmidi->private_data;
80685
80686 - if (mts->open_count == 0) {
80687 + if (local_read(&mts->open_count) == 0) {
80688 /* We don't need a spinlock here, because this is just called
80689 if the device has not been opened before.
80690 So there aren't any IRQs from the device */
80691 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
80692
80693 msleep(50);
80694 }
80695 - ++(mts->open_count);
80696 + local_inc(&mts->open_count);
80697
80698 return 0;
80699 }
80700 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
80701 struct mts64 *mts = substream->rmidi->private_data;
80702 unsigned long flags;
80703
80704 - --(mts->open_count);
80705 - if (mts->open_count == 0) {
80706 + if (local_dec_return(&mts->open_count) == 0) {
80707 /* We need the spinlock_irqsave here because we can still
80708 have IRQs at this point */
80709 spin_lock_irqsave(&mts->lock, flags);
80710 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
80711
80712 msleep(500);
80713
80714 - } else if (mts->open_count < 0)
80715 - mts->open_count = 0;
80716 + } else if (local_read(&mts->open_count) < 0)
80717 + local_set(&mts->open_count, 0);
80718
80719 return 0;
80720 }
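Review bot: The `else if` branch re-reads the counter with `local_read()` even though `local_dec_return()` in the previous hunk already produced the new value, so the clamp to zero acts on a second, separate read followed by a `local_set()`. Keeping the returned value in a local avoids that: `long cnt = local_dec_return(&mts->open_count);`, then `if (cnt == 0) {` and `} else if (cnt < 0)`. A negative count means close ran more often than open, which is probably worth a `WARN_ON_ONCE(cnt < 0)` rather than a silent reset. snd_mts64_rawmidi_close spans this hunk and the one before it.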
80721 @@ -760,13 +760,13 @@ static void snd_mts64_rawmidi_input_trig
80722 spin_unlock_irqrestore(&mts->lock, flags);
80723 }
80724
80725 -static struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
80726 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
80727 .open = snd_mts64_rawmidi_open,
80728 .close = snd_mts64_rawmidi_close,
80729 .trigger = snd_mts64_rawmidi_output_trigger
80730 };
80731
80732 -static struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
80733 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
80734 .open = snd_mts64_rawmidi_open,
80735 .close = snd_mts64_rawmidi_close,
80736 .trigger = snd_mts64_rawmidi_input_trigger
80737 diff -urNp linux-2.6.39.1/sound/drivers/pcsp/pcsp.c linux-2.6.39.1/sound/drivers/pcsp/pcsp.c
80738 --- linux-2.6.39.1/sound/drivers/pcsp/pcsp.c 2011-05-19 00:06:34.000000000 -0400
80739 +++ linux-2.6.39.1/sound/drivers/pcsp/pcsp.c 2011-05-22 19:36:35.000000000 -0400
80740 @@ -41,7 +41,7 @@ struct snd_pcsp pcsp_chip;
80741
80742 static int __devinit snd_pcsp_create(struct snd_card *card)
80743 {
80744 - static struct snd_device_ops ops = { };
80745 + static const struct snd_device_ops ops = { };
80746 struct timespec tp;
80747 int err;
80748 int div, min_div, order;
80749 diff -urNp linux-2.6.39.1/sound/drivers/pcsp/pcsp_lib.c linux-2.6.39.1/sound/drivers/pcsp/pcsp_lib.c
80750 --- linux-2.6.39.1/sound/drivers/pcsp/pcsp_lib.c 2011-05-19 00:06:34.000000000 -0400
80751 +++ linux-2.6.39.1/sound/drivers/pcsp/pcsp_lib.c 2011-05-22 19:36:35.000000000 -0400
80752 @@ -323,7 +323,7 @@ static int snd_pcsp_playback_open(struct
80753 return 0;
80754 }
80755
80756 -static struct snd_pcm_ops snd_pcsp_playback_ops = {
80757 +static const struct snd_pcm_ops snd_pcsp_playback_ops = {
80758 .open = snd_pcsp_playback_open,
80759 .close = snd_pcsp_playback_close,
80760 .ioctl = snd_pcm_lib_ioctl,
80761 diff -urNp linux-2.6.39.1/sound/drivers/portman2x4.c linux-2.6.39.1/sound/drivers/portman2x4.c
80762 --- linux-2.6.39.1/sound/drivers/portman2x4.c 2011-05-19 00:06:34.000000000 -0400
80763 +++ linux-2.6.39.1/sound/drivers/portman2x4.c 2011-05-22 19:36:35.000000000 -0400
80764 @@ -47,6 +47,7 @@
80765 #include <sound/initval.h>
80766 #include <sound/rawmidi.h>
80767 #include <sound/control.h>
80768 +#include <asm/local.h>
80769
80770 #define CARD_NAME "Portman 2x4"
80771 #define DRIVER_NAME "portman"
80772 @@ -84,7 +85,7 @@ struct portman {
80773 struct pardevice *pardev;
80774 int pardev_claimed;
80775
80776 - int open_count;
80777 + local_t open_count;
80778 int mode[PORTMAN_NUM_INPUT_PORTS];
80779 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
80780 };
80781 @@ -547,13 +548,13 @@ static void snd_portman_midi_output_trig
80782 spin_unlock_irqrestore(&pm->reg_lock, flags);
80783 }
80784
80785 -static struct snd_rawmidi_ops snd_portman_midi_output = {
80786 +static const struct snd_rawmidi_ops snd_portman_midi_output = {
80787 .open = snd_portman_midi_open,
80788 .close = snd_portman_midi_close,
80789 .trigger = snd_portman_midi_output_trigger,
80790 };
80791
80792 -static struct snd_rawmidi_ops snd_portman_midi_input = {
80793 +static const struct snd_rawmidi_ops snd_portman_midi_input = {
80794 .open = snd_portman_midi_open,
80795 .close = snd_portman_midi_close,
80796 .trigger = snd_portman_midi_input_trigger,
80797 diff -urNp linux-2.6.39.1/sound/drivers/serial-u16550.c linux-2.6.39.1/sound/drivers/serial-u16550.c
80798 --- linux-2.6.39.1/sound/drivers/serial-u16550.c 2011-05-19 00:06:34.000000000 -0400
80799 +++ linux-2.6.39.1/sound/drivers/serial-u16550.c 2011-05-22 19:36:35.000000000 -0400
80800 @@ -754,15 +754,13 @@ static void snd_uart16550_output_trigger
80801 snd_uart16550_output_write(substream);
80802 }
80803
80804 -static struct snd_rawmidi_ops snd_uart16550_output =
80805 -{
80806 +static const struct snd_rawmidi_ops snd_uart16550_output = {
80807 .open = snd_uart16550_output_open,
80808 .close = snd_uart16550_output_close,
80809 .trigger = snd_uart16550_output_trigger,
80810 };
80811
80812 -static struct snd_rawmidi_ops snd_uart16550_input =
80813 -{
80814 +static const struct snd_rawmidi_ops snd_uart16550_input = {
80815 .open = snd_uart16550_input_open,
80816 .close = snd_uart16550_input_close,
80817 .trigger = snd_uart16550_input_trigger,
80818 @@ -792,7 +790,7 @@ static int __devinit snd_uart16550_creat
80819 int droponfull,
80820 struct snd_uart16550 **ruart)
80821 {
80822 - static struct snd_device_ops ops = {
80823 + static const struct snd_device_ops ops = {
80824 .dev_free = snd_uart16550_dev_free,
80825 };
80826 struct snd_uart16550 *uart;
80827 diff -urNp linux-2.6.39.1/sound/drivers/vx/vx_pcm.c linux-2.6.39.1/sound/drivers/vx/vx_pcm.c
80828 --- linux-2.6.39.1/sound/drivers/vx/vx_pcm.c 2011-05-19 00:06:34.000000000 -0400
80829 +++ linux-2.6.39.1/sound/drivers/vx/vx_pcm.c 2011-05-22 19:36:35.000000000 -0400
80830 @@ -895,7 +895,7 @@ static int vx_pcm_prepare(struct snd_pcm
80831 /*
80832 * operators for PCM playback
80833 */
80834 -static struct snd_pcm_ops vx_pcm_playback_ops = {
80835 +static const struct snd_pcm_ops vx_pcm_playback_ops = {
80836 .open = vx_pcm_playback_open,
80837 .close = vx_pcm_playback_close,
80838 .ioctl = snd_pcm_lib_ioctl,
80839 @@ -1116,7 +1116,7 @@ static snd_pcm_uframes_t vx_pcm_capture_
80840 /*
80841 * operators for PCM capture
80842 */
80843 -static struct snd_pcm_ops vx_pcm_capture_ops = {
80844 +static const struct snd_pcm_ops vx_pcm_capture_ops = {
80845 .open = vx_pcm_capture_open,
80846 .close = vx_pcm_capture_close,
80847 .ioctl = snd_pcm_lib_ioctl,
80848 diff -urNp linux-2.6.39.1/sound/firewire/amdtp.c linux-2.6.39.1/sound/firewire/amdtp.c
80849 --- linux-2.6.39.1/sound/firewire/amdtp.c 2011-05-19 00:06:34.000000000 -0400
80850 +++ linux-2.6.39.1/sound/firewire/amdtp.c 2011-05-22 19:36:35.000000000 -0400
80851 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
80852 ptr = s->pcm_buffer_pointer + data_blocks;
80853 if (ptr >= pcm->runtime->buffer_size)
80854 ptr -= pcm->runtime->buffer_size;
80855 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
80856 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
80857
80858 s->pcm_period_pointer += data_blocks;
80859 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
80860 @@ -510,7 +510,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
80861 */
80862 void amdtp_out_stream_update(struct amdtp_out_stream *s)
80863 {
80864 - ACCESS_ONCE(s->source_node_id_field) =
80865 + ACCESS_ONCE_RW(s->source_node_id_field) =
80866 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
80867 }
80868 EXPORT_SYMBOL(amdtp_out_stream_update);
80869 diff -urNp linux-2.6.39.1/sound/firewire/amdtp.h linux-2.6.39.1/sound/firewire/amdtp.h
80870 --- linux-2.6.39.1/sound/firewire/amdtp.h 2011-05-19 00:06:34.000000000 -0400
80871 +++ linux-2.6.39.1/sound/firewire/amdtp.h 2011-05-22 19:36:35.000000000 -0400
80872 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
80873 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
80874 struct snd_pcm_substream *pcm)
80875 {
80876 - ACCESS_ONCE(s->pcm) = pcm;
80877 + ACCESS_ONCE_RW(s->pcm) = pcm;
80878 }
80879
80880 /**
80881 diff -urNp linux-2.6.39.1/sound/i2c/i2c.c linux-2.6.39.1/sound/i2c/i2c.c
80882 --- linux-2.6.39.1/sound/i2c/i2c.c 2011-05-19 00:06:34.000000000 -0400
80883 +++ linux-2.6.39.1/sound/i2c/i2c.c 2011-05-22 19:36:35.000000000 -0400
80884 @@ -80,7 +80,7 @@ int snd_i2c_bus_create(struct snd_card *
80885 {
80886 struct snd_i2c_bus *bus;
80887 int err;
80888 - static struct snd_device_ops ops = {
80889 + static const struct snd_device_ops ops = {
80890 .dev_free = snd_i2c_bus_dev_free,
80891 };
80892
80893 diff -urNp linux-2.6.39.1/sound/i2c/other/ak4113.c linux-2.6.39.1/sound/i2c/other/ak4113.c
80894 --- linux-2.6.39.1/sound/i2c/other/ak4113.c 2011-05-19 00:06:34.000000000 -0400
80895 +++ linux-2.6.39.1/sound/i2c/other/ak4113.c 2011-05-22 19:36:35.000000000 -0400
80896 @@ -75,7 +75,7 @@ int snd_ak4113_create(struct snd_card *c
80897 struct ak4113 *chip;
80898 int err = 0;
80899 unsigned char reg;
80900 - static struct snd_device_ops ops = {
80901 + static const struct snd_device_ops ops = {
80902 .dev_free = snd_ak4113_dev_free,
80903 };
80904
80905 diff -urNp linux-2.6.39.1/sound/i2c/other/ak4114.c linux-2.6.39.1/sound/i2c/other/ak4114.c
80906 --- linux-2.6.39.1/sound/i2c/other/ak4114.c 2011-05-19 00:06:34.000000000 -0400
80907 +++ linux-2.6.39.1/sound/i2c/other/ak4114.c 2011-05-22 19:36:35.000000000 -0400
80908 @@ -86,7 +86,7 @@ int snd_ak4114_create(struct snd_card *c
80909 struct ak4114 *chip;
80910 int err = 0;
80911 unsigned char reg;
80912 - static struct snd_device_ops ops = {
80913 + static const struct snd_device_ops ops = {
80914 .dev_free = snd_ak4114_dev_free,
80915 };
80916
80917 diff -urNp linux-2.6.39.1/sound/i2c/other/ak4117.c linux-2.6.39.1/sound/i2c/other/ak4117.c
80918 --- linux-2.6.39.1/sound/i2c/other/ak4117.c 2011-05-19 00:06:34.000000000 -0400
80919 +++ linux-2.6.39.1/sound/i2c/other/ak4117.c 2011-05-22 19:36:35.000000000 -0400
80920 @@ -78,7 +78,7 @@ int snd_ak4117_create(struct snd_card *c
80921 struct ak4117 *chip;
80922 int err = 0;
80923 unsigned char reg;
80924 - static struct snd_device_ops ops = {
80925 + static const struct snd_device_ops ops = {
80926 .dev_free = snd_ak4117_dev_free,
80927 };
80928
80929 diff -urNp linux-2.6.39.1/sound/isa/ad1816a/ad1816a_lib.c linux-2.6.39.1/sound/isa/ad1816a/ad1816a_lib.c
80930 --- linux-2.6.39.1/sound/isa/ad1816a/ad1816a_lib.c 2011-05-19 00:06:34.000000000 -0400
80931 +++ linux-2.6.39.1/sound/isa/ad1816a/ad1816a_lib.c 2011-05-22 19:36:35.000000000 -0400
80932 @@ -575,7 +575,7 @@ int __devinit snd_ad1816a_create(struct
80933 unsigned long port, int irq, int dma1, int dma2,
80934 struct snd_ad1816a **rchip)
80935 {
80936 - static struct snd_device_ops ops = {
80937 + static const struct snd_device_ops ops = {
80938 .dev_free = snd_ad1816a_dev_free,
80939 };
80940 int error;
80941 diff -urNp linux-2.6.39.1/sound/isa/es1688/es1688_lib.c linux-2.6.39.1/sound/isa/es1688/es1688_lib.c
80942 --- linux-2.6.39.1/sound/isa/es1688/es1688_lib.c 2011-05-19 00:06:34.000000000 -0400
80943 +++ linux-2.6.39.1/sound/isa/es1688/es1688_lib.c 2011-05-22 19:36:35.000000000 -0400
80944 @@ -646,7 +646,7 @@ int snd_es1688_create(struct snd_card *c
80945 int dma8,
80946 unsigned short hardware)
80947 {
80948 - static struct snd_device_ops ops = {
80949 + static const struct snd_device_ops ops = {
80950 .dev_free = snd_es1688_dev_free,
80951 };
80952
80953 diff -urNp linux-2.6.39.1/sound/isa/es18xx.c linux-2.6.39.1/sound/isa/es18xx.c
80954 --- linux-2.6.39.1/sound/isa/es18xx.c 2011-05-19 00:06:34.000000000 -0400
80955 +++ linux-2.6.39.1/sound/isa/es18xx.c 2011-05-22 19:36:35.000000000 -0400
80956 @@ -1658,7 +1658,7 @@ static int __devinit snd_es18xx_probe(st
80957 return snd_es18xx_initialize(chip, mpu_port, fm_port);
80958 }
80959
80960 -static struct snd_pcm_ops snd_es18xx_playback_ops = {
80961 +static const struct snd_pcm_ops snd_es18xx_playback_ops = {
80962 .open = snd_es18xx_playback_open,
80963 .close = snd_es18xx_playback_close,
80964 .ioctl = snd_pcm_lib_ioctl,
80965 @@ -1669,7 +1669,7 @@ static struct snd_pcm_ops snd_es18xx_pla
80966 .pointer = snd_es18xx_playback_pointer,
80967 };
80968
80969 -static struct snd_pcm_ops snd_es18xx_capture_ops = {
80970 +static const struct snd_pcm_ops snd_es18xx_capture_ops = {
80971 .open = snd_es18xx_capture_open,
80972 .close = snd_es18xx_capture_close,
80973 .ioctl = snd_pcm_lib_ioctl,
80974 @@ -1784,7 +1784,7 @@ static int __devinit snd_es18xx_new_devi
80975 int irq, int dma1, int dma2)
80976 {
80977 struct snd_es18xx *chip = card->private_data;
80978 - static struct snd_device_ops ops = {
80979 + static const struct snd_device_ops ops = {
80980 .dev_free = snd_es18xx_dev_free,
80981 };
80982 int err;
80983 diff -urNp linux-2.6.39.1/sound/isa/gus/gus_main.c linux-2.6.39.1/sound/isa/gus/gus_main.c
80984 --- linux-2.6.39.1/sound/isa/gus/gus_main.c 2011-05-19 00:06:34.000000000 -0400
80985 +++ linux-2.6.39.1/sound/isa/gus/gus_main.c 2011-05-22 19:36:35.000000000 -0400
80986 @@ -139,7 +139,7 @@ int snd_gus_create(struct snd_card *card
80987 {
80988 struct snd_gus_card *gus;
80989 int err;
80990 - static struct snd_device_ops ops = {
80991 + static const struct snd_device_ops ops = {
80992 .dev_free = snd_gus_dev_free,
80993 };
80994
80995 diff -urNp linux-2.6.39.1/sound/isa/msnd/msnd.c linux-2.6.39.1/sound/isa/msnd/msnd.c
80996 --- linux-2.6.39.1/sound/isa/msnd/msnd.c 2011-05-19 00:06:34.000000000 -0400
80997 +++ linux-2.6.39.1/sound/isa/msnd/msnd.c 2011-05-22 19:36:35.000000000 -0400
80998 @@ -570,7 +570,7 @@ snd_msnd_playback_pointer(struct snd_pcm
80999 }
81000
81001
81002 -static struct snd_pcm_ops snd_msnd_playback_ops = {
81003 +static const struct snd_pcm_ops snd_msnd_playback_ops = {
81004 .open = snd_msnd_playback_open,
81005 .close = snd_msnd_playback_close,
81006 .ioctl = snd_pcm_lib_ioctl,
81007 @@ -667,7 +667,7 @@ static int snd_msnd_capture_hw_params(st
81008 }
81009
81010
81011 -static struct snd_pcm_ops snd_msnd_capture_ops = {
81012 +static const struct snd_pcm_ops snd_msnd_capture_ops = {
81013 .open = snd_msnd_capture_open,
81014 .close = snd_msnd_capture_close,
81015 .ioctl = snd_pcm_lib_ioctl,
81016 diff -urNp linux-2.6.39.1/sound/isa/msnd/msnd_midi.c linux-2.6.39.1/sound/isa/msnd/msnd_midi.c
81017 --- linux-2.6.39.1/sound/isa/msnd/msnd_midi.c 2011-05-19 00:06:34.000000000 -0400
81018 +++ linux-2.6.39.1/sound/isa/msnd/msnd_midi.c 2011-05-22 19:36:35.000000000 -0400
81019 @@ -141,7 +141,7 @@ void snd_msndmidi_input_read(void *mpuv)
81020 }
81021 EXPORT_SYMBOL(snd_msndmidi_input_read);
81022
81023 -static struct snd_rawmidi_ops snd_msndmidi_input = {
81024 +static const struct snd_rawmidi_ops snd_msndmidi_input = {
81025 .open = snd_msndmidi_input_open,
81026 .close = snd_msndmidi_input_close,
81027 .trigger = snd_msndmidi_input_trigger,
81028 diff -urNp linux-2.6.39.1/sound/isa/msnd/msnd_pinnacle.c linux-2.6.39.1/sound/isa/msnd/msnd_pinnacle.c
81029 --- linux-2.6.39.1/sound/isa/msnd/msnd_pinnacle.c 2011-05-19 00:06:34.000000000 -0400
81030 +++ linux-2.6.39.1/sound/isa/msnd/msnd_pinnacle.c 2011-05-22 19:36:35.000000000 -0400
81031 @@ -539,7 +539,7 @@ static int __devinit snd_msnd_attach(str
81032 {
81033 struct snd_msnd *chip = card->private_data;
81034 int err;
81035 - static struct snd_device_ops ops = {
81036 + static const struct snd_device_ops ops = {
81037 .dev_free = snd_msnd_dev_free,
81038 };
81039
81040 diff -urNp linux-2.6.39.1/sound/isa/sb/emu8000.c linux-2.6.39.1/sound/isa/sb/emu8000.c
81041 --- linux-2.6.39.1/sound/isa/sb/emu8000.c 2011-05-19 00:06:34.000000000 -0400
81042 +++ linux-2.6.39.1/sound/isa/sb/emu8000.c 2011-05-22 19:36:35.000000000 -0400
81043 @@ -1079,7 +1079,7 @@ snd_emu8000_new(struct snd_card *card, i
81044 struct snd_seq_device *awe;
81045 struct snd_emu8000 *hw;
81046 int err;
81047 - static struct snd_device_ops ops = {
81048 + static const struct snd_device_ops ops = {
81049 .dev_free = snd_emu8000_dev_free,
81050 };
81051
81052 diff -urNp linux-2.6.39.1/sound/isa/sb/emu8000_pcm.c linux-2.6.39.1/sound/isa/sb/emu8000_pcm.c
81053 --- linux-2.6.39.1/sound/isa/sb/emu8000_pcm.c 2011-05-19 00:06:34.000000000 -0400
81054 +++ linux-2.6.39.1/sound/isa/sb/emu8000_pcm.c 2011-05-22 19:36:35.000000000 -0400
81055 @@ -667,7 +667,7 @@ static snd_pcm_uframes_t emu8k_pcm_point
81056 }
81057
81058
81059 -static struct snd_pcm_ops emu8k_pcm_ops = {
81060 +static const struct snd_pcm_ops emu8k_pcm_ops = {
81061 .open = emu8k_pcm_open,
81062 .close = emu8k_pcm_close,
81063 .ioctl = snd_pcm_lib_ioctl,
81064 diff -urNp linux-2.6.39.1/sound/isa/sb/sb_common.c linux-2.6.39.1/sound/isa/sb/sb_common.c
81065 --- linux-2.6.39.1/sound/isa/sb/sb_common.c 2011-05-19 00:06:34.000000000 -0400
81066 +++ linux-2.6.39.1/sound/isa/sb/sb_common.c 2011-05-22 19:36:35.000000000 -0400
81067 @@ -218,7 +218,7 @@ int snd_sbdsp_create(struct snd_card *ca
81068 {
81069 struct snd_sb *chip;
81070 int err;
81071 - static struct snd_device_ops ops = {
81072 + static const struct snd_device_ops ops = {
81073 .dev_free = snd_sbdsp_dev_free,
81074 };
81075
81076 diff -urNp linux-2.6.39.1/sound/isa/wavefront/wavefront_midi.c linux-2.6.39.1/sound/isa/wavefront/wavefront_midi.c
81077 --- linux-2.6.39.1/sound/isa/wavefront/wavefront_midi.c 2011-05-19 00:06:34.000000000 -0400
81078 +++ linux-2.6.39.1/sound/isa/wavefront/wavefront_midi.c 2011-05-22 19:36:35.000000000 -0400
81079 @@ -561,14 +561,14 @@ snd_wavefront_midi_start (snd_wavefront_
81080 return 0;
81081 }
81082
81083 -struct snd_rawmidi_ops snd_wavefront_midi_output =
81084 +const struct snd_rawmidi_ops snd_wavefront_midi_output =
81085 {
81086 .open = snd_wavefront_midi_output_open,
81087 .close = snd_wavefront_midi_output_close,
81088 .trigger = snd_wavefront_midi_output_trigger,
81089 };
81090
81091 -struct snd_rawmidi_ops snd_wavefront_midi_input =
81092 +const struct snd_rawmidi_ops snd_wavefront_midi_input =
81093 {
81094 .open = snd_wavefront_midi_input_open,
81095 .close = snd_wavefront_midi_input_close,
81096 diff -urNp linux-2.6.39.1/sound/isa/wss/wss_lib.c linux-2.6.39.1/sound/isa/wss/wss_lib.c
81097 --- linux-2.6.39.1/sound/isa/wss/wss_lib.c 2011-05-19 00:06:34.000000000 -0400
81098 +++ linux-2.6.39.1/sound/isa/wss/wss_lib.c 2011-05-22 19:36:35.000000000 -0400
81099 @@ -1801,7 +1801,7 @@ int snd_wss_create(struct snd_card *card
81100 unsigned short hwshare,
81101 struct snd_wss **rchip)
81102 {
81103 - static struct snd_device_ops ops = {
81104 + static const struct snd_device_ops ops = {
81105 .dev_free = snd_wss_dev_free,
81106 };
81107 struct snd_wss *chip;
81108 diff -urNp linux-2.6.39.1/sound/mips/au1x00.c linux-2.6.39.1/sound/mips/au1x00.c
81109 --- linux-2.6.39.1/sound/mips/au1x00.c 2011-05-19 00:06:34.000000000 -0400
81110 +++ linux-2.6.39.1/sound/mips/au1x00.c 2011-05-22 19:36:35.000000000 -0400
81111 @@ -416,7 +416,7 @@ snd_au1000_pointer(struct snd_pcm_substr
81112 return bytes_to_frames(runtime,location);
81113 }
81114
81115 -static struct snd_pcm_ops snd_card_au1000_playback_ops = {
81116 +static const struct snd_pcm_ops snd_card_au1000_playback_ops = {
81117 .open = snd_au1000_playback_open,
81118 .close = snd_au1000_playback_close,
81119 .ioctl = snd_pcm_lib_ioctl,
81120 @@ -427,7 +427,7 @@ static struct snd_pcm_ops snd_card_au100
81121 .pointer = snd_au1000_pointer,
81122 };
81123
81124 -static struct snd_pcm_ops snd_card_au1000_capture_ops = {
81125 +static const struct snd_pcm_ops snd_card_au1000_capture_ops = {
81126 .open = snd_au1000_capture_open,
81127 .close = snd_au1000_capture_close,
81128 .ioctl = snd_pcm_lib_ioctl,
81129 @@ -557,7 +557,7 @@ snd_au1000_ac97_new(struct snd_au1000 *a
81130 int err;
81131 struct snd_ac97_bus *pbus;
81132 struct snd_ac97_template ac97;
81133 - static struct snd_ac97_bus_ops ops = {
81134 + static const struct snd_ac97_bus_ops ops = {
81135 .write = snd_au1000_ac97_write,
81136 .read = snd_au1000_ac97_read,
81137 };
81138 diff -urNp linux-2.6.39.1/sound/mips/hal2.c linux-2.6.39.1/sound/mips/hal2.c
81139 --- linux-2.6.39.1/sound/mips/hal2.c 2011-05-19 00:06:34.000000000 -0400
81140 +++ linux-2.6.39.1/sound/mips/hal2.c 2011-05-22 19:36:35.000000000 -0400
81141 @@ -708,7 +708,7 @@ static int hal2_capture_ack(struct snd_p
81142 return 0;
81143 }
81144
81145 -static struct snd_pcm_ops hal2_playback_ops = {
81146 +static const struct snd_pcm_ops hal2_playback_ops = {
81147 .open = hal2_playback_open,
81148 .close = hal2_playback_close,
81149 .ioctl = snd_pcm_lib_ioctl,
81150 @@ -720,7 +720,7 @@ static struct snd_pcm_ops hal2_playback_
81151 .ack = hal2_playback_ack,
81152 };
81153
81154 -static struct snd_pcm_ops hal2_capture_ops = {
81155 +static const struct snd_pcm_ops hal2_capture_ops = {
81156 .open = hal2_capture_open,
81157 .close = hal2_capture_close,
81158 .ioctl = snd_pcm_lib_ioctl,
81159 @@ -766,7 +766,7 @@ static int hal2_dev_free(struct snd_devi
81160 return 0;
81161 }
81162
81163 -static struct snd_device_ops hal2_ops = {
81164 +static const struct snd_device_ops hal2_ops = {
81165 .dev_free = hal2_dev_free,
81166 };
81167
81168 diff -urNp linux-2.6.39.1/sound/mips/sgio2audio.c linux-2.6.39.1/sound/mips/sgio2audio.c
81169 --- linux-2.6.39.1/sound/mips/sgio2audio.c 2011-05-19 00:06:34.000000000 -0400
81170 +++ linux-2.6.39.1/sound/mips/sgio2audio.c 2011-05-22 19:36:35.000000000 -0400
81171 @@ -681,7 +681,7 @@ snd_sgio2audio_pcm_pointer(struct snd_pc
81172 }
81173
81174 /* operators */
81175 -static struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81176 +static const struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81177 .open = snd_sgio2audio_playback1_open,
81178 .close = snd_sgio2audio_pcm_close,
81179 .ioctl = snd_pcm_lib_ioctl,
81180 @@ -694,7 +694,7 @@ static struct snd_pcm_ops snd_sgio2audio
81181 .mmap = snd_pcm_lib_mmap_vmalloc,
81182 };
81183
81184 -static struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81185 +static const struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81186 .open = snd_sgio2audio_playback2_open,
81187 .close = snd_sgio2audio_pcm_close,
81188 .ioctl = snd_pcm_lib_ioctl,
81189 @@ -707,7 +707,7 @@ static struct snd_pcm_ops snd_sgio2audio
81190 .mmap = snd_pcm_lib_mmap_vmalloc,
81191 };
81192
81193 -static struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81194 +static const struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81195 .open = snd_sgio2audio_capture_open,
81196 .close = snd_sgio2audio_pcm_close,
81197 .ioctl = snd_pcm_lib_ioctl,
81198 @@ -829,7 +829,7 @@ static int snd_sgio2audio_dev_free(struc
81199 return snd_sgio2audio_free(chip);
81200 }
81201
81202 -static struct snd_device_ops ops = {
81203 +static const struct snd_device_ops ops = {
81204 .dev_free = snd_sgio2audio_dev_free,
81205 };
81206
81207 diff -urNp linux-2.6.39.1/sound/oss/ac97_codec.c linux-2.6.39.1/sound/oss/ac97_codec.c
81208 --- linux-2.6.39.1/sound/oss/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81209 +++ linux-2.6.39.1/sound/oss/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81210 @@ -99,23 +99,23 @@ static int generic_digital_control(struc
81211 * operations yet
81212 */
81213
81214 -static struct ac97_ops null_ops = { NULL, NULL, NULL };
81215 -static struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81216 -static struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81217 -static struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81218 -static struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81219 -static struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81220 -static struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81221 -static struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81222 -static struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81223 -static struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81224 -static struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81225 -static struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81226 -static struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81227 -static struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81228 -static struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81229 -static struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81230 -static struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81231 +static const struct ac97_ops null_ops = { NULL, NULL, NULL };
81232 +static const struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81233 +static const struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81234 +static const struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81235 +static const struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81236 +static const struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81237 +static const struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81238 +static const struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81239 +static const struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81240 +static const struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81241 +static const struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81242 +static const struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81243 +static const struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81244 +static const struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81245 +static const struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81246 +static const struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81247 +static const struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81248
81249 /* sorted by vendor/device id */
81250 static const struct {
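Review bot: All seventeen `ac97_ops` tables rewritten in this hunk keep positional initialisers such as `{ NULL, eapd_control, NULL }`, so which callback lands in which slot depends on the member order of `struct ac97_ops`, which is not visible here. Since every line is being touched anyway, designated initialisers would make the now read-only tables self-describing and robust against a member reorder; the member names have to come from the struct definition. Separately, the table that begins on the last context line presumably stores pointers to these objects, so its pointer member would need to be `const struct ac97_ops *` too. That declaration is outside the hunk.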
81251 diff -urNp linux-2.6.39.1/sound/oss/sb_audio.c linux-2.6.39.1/sound/oss/sb_audio.c
81252 --- linux-2.6.39.1/sound/oss/sb_audio.c 2011-05-19 00:06:34.000000000 -0400
81253 +++ linux-2.6.39.1/sound/oss/sb_audio.c 2011-05-22 19:36:35.000000000 -0400
81254 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81255 buf16 = (signed short *)(localbuf + localoffs);
81256 while (c)
81257 {
81258 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81259 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81260 if (copy_from_user(lbuf8,
81261 userbuf+useroffs + p,
81262 locallen))
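Review bot: The `(unsigned)c` cast on the clamp line changes what a negative `c` does, assuming `c` is a signed int, and nothing on the line says so. Before the change a negative value failed the `>=` test and became the `copy_from_user()` length; now it compares as a large unsigned value and is clamped to `LBUFCOPYSIZE`. A comment would keep the cast from being removed later as redundant: `/* compare unsigned so a negative c is clamped, not used as the copy length */`. The loop condition `while (c)` still admits a negative count, and how `c` is computed and decremented is outside this hunk. If it can go negative, rejecting `c <= 0` before the loop would be clearer than relying on the clamp.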
81263 diff -urNp linux-2.6.39.1/sound/oss/swarm_cs4297a.c linux-2.6.39.1/sound/oss/swarm_cs4297a.c
81264 --- linux-2.6.39.1/sound/oss/swarm_cs4297a.c 2011-05-19 00:06:34.000000000 -0400
81265 +++ linux-2.6.39.1/sound/oss/swarm_cs4297a.c 2011-05-22 19:36:35.000000000 -0400
81266 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
81267 {
81268 struct cs4297a_state *s;
81269 u32 pwr, id;
81270 - mm_segment_t fs;
81271 int rval;
81272 #ifndef CONFIG_BCM_CS4297A_CSWARM
81273 u64 cfg;
81274 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
81275 if (!rval) {
81276 char *sb1250_duart_present;
81277
81278 +#if 0
81279 + mm_segment_t fs;
81280 fs = get_fs();
81281 set_fs(KERNEL_DS);
81282 -#if 0
81283 val = SOUND_MASK_LINE;
81284 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
81285 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
81286 val = initvol[i].vol;
81287 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
81288 }
81289 + set_fs(fs);
81290 // cs4297a_write_ac97(s, 0x18, 0x0808);
81291 #else
81292 // cs4297a_write_ac97(s, 0x5e, 0x180);
81293 cs4297a_write_ac97(s, 0x02, 0x0808);
81294 cs4297a_write_ac97(s, 0x18, 0x0808);
81295 #endif
81296 - set_fs(fs);
81297
81298 list_add(&s->list, &cs4297a_devs);
81299
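Review bot: After this hunk the `get_fs()` / `set_fs(KERNEL_DS)` / `set_fs(fs)` sequence exists only inside the `#if 0` branch, with nothing to explain why the address-limit override was needed. The live `#else` path, which only calls `cs4297a_write_ac97()`, no longer widens the limit. Either delete the disabled branch or document the dependency above `fs = get_fs();`, for example `/* KERNEL_DS only because mixer_ioctl() is handed &val, a kernel address */`. That reading of `mixer_ioctl()` is inferred from the `(unsigned long) &val` argument and should be confirmed. `cs4297a_init()` starts and ends outside the hunk, and the first hunk of this file only drops the declaration that became unused.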
81300 diff -urNp linux-2.6.39.1/sound/parisc/harmony.c linux-2.6.39.1/sound/parisc/harmony.c
81301 --- linux-2.6.39.1/sound/parisc/harmony.c 2011-05-19 00:06:34.000000000 -0400
81302 +++ linux-2.6.39.1/sound/parisc/harmony.c 2011-05-22 19:36:35.000000000 -0400
81303 @@ -596,7 +596,7 @@ snd_harmony_hw_free(struct snd_pcm_subst
81304 return snd_pcm_lib_free_pages(ss);
81305 }
81306
81307 -static struct snd_pcm_ops snd_harmony_playback_ops = {
81308 +static const struct snd_pcm_ops snd_harmony_playback_ops = {
81309 .open = snd_harmony_playback_open,
81310 .close = snd_harmony_playback_close,
81311 .ioctl = snd_pcm_lib_ioctl,
81312 @@ -607,7 +607,7 @@ static struct snd_pcm_ops snd_harmony_pl
81313 .pointer = snd_harmony_playback_pointer,
81314 };
81315
81316 -static struct snd_pcm_ops snd_harmony_capture_ops = {
81317 +static const struct snd_pcm_ops snd_harmony_capture_ops = {
81318 .open = snd_harmony_capture_open,
81319 .close = snd_harmony_capture_close,
81320 .ioctl = snd_pcm_lib_ioctl,
81321 @@ -922,7 +922,7 @@ snd_harmony_create(struct snd_card *card
81322 {
81323 int err;
81324 struct snd_harmony *h;
81325 - static struct snd_device_ops ops = {
81326 + static const struct snd_device_ops ops = {
81327 .dev_free = snd_harmony_dev_free,
81328 };
81329
81330 diff -urNp linux-2.6.39.1/sound/pci/ac97/ac97_codec.c linux-2.6.39.1/sound/pci/ac97/ac97_codec.c
81331 --- linux-2.6.39.1/sound/pci/ac97/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81332 +++ linux-2.6.39.1/sound/pci/ac97/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81333 @@ -1910,12 +1910,12 @@ static int ac97_reset_wait(struct snd_ac
81334 *
81335 * Returns zero if successful, or a negative error code on failure.
81336 */
81337 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
81338 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
81339 void *private_data, struct snd_ac97_bus **rbus)
81340 {
81341 int err;
81342 struct snd_ac97_bus *bus;
81343 - static struct snd_device_ops dev_ops = {
81344 + static const struct snd_device_ops dev_ops = {
81345 .dev_free = snd_ac97_bus_dev_free,
81346 };
81347
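Review bot: The new `const struct snd_ac97_bus_ops *ops` parameter of `snd_ac97_bus()` has to be stored somewhere in the body, which continues outside this hunk. If the bus structure's ops member is still a plain `struct snd_ac97_bus_ops *`, that assignment drops the qualifier and the read-only guarantee ends there. The header prototype must change with the definition as well. Otherwise the callers in this patch that now pass `static const` tables (au1x00.c, ad1889.c, ali5451.c, als300.c, atiixp.c, atiixp_modem.c, azt3328.c, ca0106_main.c) would get a discarded-qualifier diagnostic.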
81348 @@ -2015,7 +2015,7 @@ int snd_ac97_mixer(struct snd_ac97_bus *
81349 unsigned long end_time;
81350 unsigned int reg;
81351 const struct ac97_codec_id *pid;
81352 - static struct snd_device_ops ops = {
81353 + static const struct snd_device_ops ops = {
81354 .dev_free = snd_ac97_dev_free,
81355 .dev_register = snd_ac97_dev_register,
81356 .dev_disconnect = snd_ac97_dev_disconnect,
81357 diff -urNp linux-2.6.39.1/sound/pci/ad1889.c linux-2.6.39.1/sound/pci/ad1889.c
81358 --- linux-2.6.39.1/sound/pci/ad1889.c 2011-05-19 00:06:34.000000000 -0400
81359 +++ linux-2.6.39.1/sound/pci/ad1889.c 2011-05-22 19:36:35.000000000 -0400
81360 @@ -574,7 +574,7 @@ snd_ad1889_capture_pointer(struct snd_pc
81361 return bytes_to_frames(ss->runtime, ptr);
81362 }
81363
81364 -static struct snd_pcm_ops snd_ad1889_playback_ops = {
81365 +static const struct snd_pcm_ops snd_ad1889_playback_ops = {
81366 .open = snd_ad1889_playback_open,
81367 .close = snd_ad1889_playback_close,
81368 .ioctl = snd_pcm_lib_ioctl,
81369 @@ -585,7 +585,7 @@ static struct snd_pcm_ops snd_ad1889_pla
81370 .pointer = snd_ad1889_playback_pointer,
81371 };
81372
81373 -static struct snd_pcm_ops snd_ad1889_capture_ops = {
81374 +static const struct snd_pcm_ops snd_ad1889_capture_ops = {
81375 .open = snd_ad1889_capture_open,
81376 .close = snd_ad1889_capture_close,
81377 .ioctl = snd_pcm_lib_ioctl,
81378 @@ -809,7 +809,7 @@ snd_ad1889_ac97_init(struct snd_ad1889 *
81379 {
81380 int err;
81381 struct snd_ac97_template ac97;
81382 - static struct snd_ac97_bus_ops ops = {
81383 + static const struct snd_ac97_bus_ops ops = {
81384 .write = snd_ad1889_ac97_write,
81385 .read = snd_ad1889_ac97_read,
81386 };
81387 @@ -899,7 +899,7 @@ snd_ad1889_create(struct snd_card *card,
81388 int err;
81389
81390 struct snd_ad1889 *chip;
81391 - static struct snd_device_ops ops = {
81392 + static const struct snd_device_ops ops = {
81393 .dev_free = snd_ad1889_dev_free,
81394 };
81395
81396 diff -urNp linux-2.6.39.1/sound/pci/ak4531_codec.c linux-2.6.39.1/sound/pci/ak4531_codec.c
81397 --- linux-2.6.39.1/sound/pci/ak4531_codec.c 2011-05-19 00:06:34.000000000 -0400
81398 +++ linux-2.6.39.1/sound/pci/ak4531_codec.c 2011-05-22 19:36:35.000000000 -0400
81399 @@ -389,7 +389,7 @@ int __devinit snd_ak4531_mixer(struct sn
81400 unsigned int idx;
81401 int err;
81402 struct snd_ak4531 *ak4531;
81403 - static struct snd_device_ops ops = {
81404 + static const struct snd_device_ops ops = {
81405 .dev_free = snd_ak4531_dev_free,
81406 };
81407
81408 diff -urNp linux-2.6.39.1/sound/pci/ali5451/ali5451.c linux-2.6.39.1/sound/pci/ali5451/ali5451.c
81409 --- linux-2.6.39.1/sound/pci/ali5451/ali5451.c 2011-05-19 00:06:34.000000000 -0400
81410 +++ linux-2.6.39.1/sound/pci/ali5451/ali5451.c 2011-05-22 19:36:35.000000000 -0400
81411 @@ -1847,7 +1847,7 @@ static int __devinit snd_ali_mixer(struc
81412 struct snd_ac97_template ac97;
81413 unsigned int idx;
81414 int i, err;
81415 - static struct snd_ac97_bus_ops ops = {
81416 + static const struct snd_ac97_bus_ops ops = {
81417 .write = snd_ali_codec_write,
81418 .read = snd_ali_codec_read,
81419 };
81420 @@ -2114,7 +2114,7 @@ static int __devinit snd_ali_create(stru
81421 struct snd_ali *codec;
81422 int i, err;
81423 unsigned short cmdw;
81424 - static struct snd_device_ops ops = {
81425 + static const struct snd_device_ops ops = {
81426 .dev_free = snd_ali_dev_free,
81427 };
81428
81429 diff -urNp linux-2.6.39.1/sound/pci/als300.c linux-2.6.39.1/sound/pci/als300.c
81430 --- linux-2.6.39.1/sound/pci/als300.c 2011-05-19 00:06:34.000000000 -0400
81431 +++ linux-2.6.39.1/sound/pci/als300.c 2011-05-22 19:36:35.000000000 -0400
81432 @@ -319,7 +319,7 @@ static int snd_als300_ac97(struct snd_al
81433 struct snd_ac97_bus *bus;
81434 struct snd_ac97_template ac97;
81435 int err;
81436 - static struct snd_ac97_bus_ops ops = {
81437 + static const struct snd_ac97_bus_ops ops = {
81438 .write = snd_als300_ac97_write,
81439 .read = snd_als300_ac97_read,
81440 };
81441 @@ -589,7 +589,7 @@ static snd_pcm_uframes_t snd_als300_poin
81442 return bytes_to_frames(substream->runtime, current_ptr);
81443 }
81444
81445 -static struct snd_pcm_ops snd_als300_playback_ops = {
81446 +static const struct snd_pcm_ops snd_als300_playback_ops = {
81447 .open = snd_als300_playback_open,
81448 .close = snd_als300_playback_close,
81449 .ioctl = snd_pcm_lib_ioctl,
81450 @@ -600,7 +600,7 @@ static struct snd_pcm_ops snd_als300_pla
81451 .pointer = snd_als300_pointer,
81452 };
81453
81454 -static struct snd_pcm_ops snd_als300_capture_ops = {
81455 +static const struct snd_pcm_ops snd_als300_capture_ops = {
81456 .open = snd_als300_capture_open,
81457 .close = snd_als300_capture_close,
81458 .ioctl = snd_pcm_lib_ioctl,
81459 @@ -680,7 +680,7 @@ static int __devinit snd_als300_create(s
81460 void *irq_handler;
81461 int err;
81462
81463 - static struct snd_device_ops ops = {
81464 + static const struct snd_device_ops ops = {
81465 .dev_free = snd_als300_dev_free,
81466 };
81467 *rchip = NULL;
81468 diff -urNp linux-2.6.39.1/sound/pci/als4000.c linux-2.6.39.1/sound/pci/als4000.c
81469 --- linux-2.6.39.1/sound/pci/als4000.c 2011-05-19 00:06:34.000000000 -0400
81470 +++ linux-2.6.39.1/sound/pci/als4000.c 2011-05-22 19:36:35.000000000 -0400
81471 @@ -672,7 +672,7 @@ static int snd_als4000_capture_close(str
81472
81473 /******************************************************************/
81474
81475 -static struct snd_pcm_ops snd_als4000_playback_ops = {
81476 +static const struct snd_pcm_ops snd_als4000_playback_ops = {
81477 .open = snd_als4000_playback_open,
81478 .close = snd_als4000_playback_close,
81479 .ioctl = snd_pcm_lib_ioctl,
81480 @@ -683,7 +683,7 @@ static struct snd_pcm_ops snd_als4000_pl
81481 .pointer = snd_als4000_playback_pointer
81482 };
81483
81484 -static struct snd_pcm_ops snd_als4000_capture_ops = {
81485 +static const struct snd_pcm_ops snd_als4000_capture_ops = {
81486 .open = snd_als4000_capture_open,
81487 .close = snd_als4000_capture_close,
81488 .ioctl = snd_pcm_lib_ioctl,
81489 diff -urNp linux-2.6.39.1/sound/pci/asihpi/asihpi.c linux-2.6.39.1/sound/pci/asihpi/asihpi.c
81490 --- linux-2.6.39.1/sound/pci/asihpi/asihpi.c 2011-05-19 00:06:34.000000000 -0400
81491 +++ linux-2.6.39.1/sound/pci/asihpi/asihpi.c 2011-05-22 19:36:35.000000000 -0400
81492 @@ -1067,7 +1067,7 @@ static int snd_card_asihpi_playback_sile
81493 return 0;
81494 }
81495
81496 -static struct snd_pcm_ops snd_card_asihpi_playback_ops = {
81497 +static const struct snd_pcm_ops snd_card_asihpi_playback_ops = {
81498 .open = snd_card_asihpi_playback_open,
81499 .close = snd_card_asihpi_playback_close,
81500 .ioctl = snd_card_asihpi_playback_ioctl,
81501 @@ -1080,7 +1080,7 @@ static struct snd_pcm_ops snd_card_asihp
81502 .silence = snd_card_asihpi_playback_silence,
81503 };
81504
81505 -static struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
81506 +static const struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
81507 .open = snd_card_asihpi_playback_open,
81508 .close = snd_card_asihpi_playback_close,
81509 .ioctl = snd_card_asihpi_playback_ioctl,
81510 @@ -1268,7 +1268,7 @@ static int snd_card_asihpi_capture_copy(
81511 return 0;
81512 }
81513
81514 -static struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
81515 +static const struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
81516 .open = snd_card_asihpi_capture_open,
81517 .close = snd_card_asihpi_capture_close,
81518 .ioctl = snd_card_asihpi_capture_ioctl,
81519 @@ -1279,7 +1279,7 @@ static struct snd_pcm_ops snd_card_asihp
81520 .pointer = snd_card_asihpi_capture_pointer,
81521 };
81522
81523 -static struct snd_pcm_ops snd_card_asihpi_capture_ops = {
81524 +static const struct snd_pcm_ops snd_card_asihpi_capture_ops = {
81525 .open = snd_card_asihpi_capture_open,
81526 .close = snd_card_asihpi_capture_close,
81527 .ioctl = snd_card_asihpi_capture_ioctl,
81528 diff -urNp linux-2.6.39.1/sound/pci/atiixp.c linux-2.6.39.1/sound/pci/atiixp.c
81529 --- linux-2.6.39.1/sound/pci/atiixp.c 2011-05-19 00:06:34.000000000 -0400
81530 +++ linux-2.6.39.1/sound/pci/atiixp.c 2011-05-22 19:36:35.000000000 -0400
81531 @@ -1148,7 +1148,7 @@ static int snd_atiixp_spdif_close(struct
81532 }
81533
81534 /* AC97 playback */
81535 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
81536 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
81537 .open = snd_atiixp_playback_open,
81538 .close = snd_atiixp_playback_close,
81539 .ioctl = snd_pcm_lib_ioctl,
81540 @@ -1160,7 +1160,7 @@ static struct snd_pcm_ops snd_atiixp_pla
81541 };
81542
81543 /* AC97 capture */
81544 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
81545 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
81546 .open = snd_atiixp_capture_open,
81547 .close = snd_atiixp_capture_close,
81548 .ioctl = snd_pcm_lib_ioctl,
81549 @@ -1172,7 +1172,7 @@ static struct snd_pcm_ops snd_atiixp_cap
81550 };
81551
81552 /* SPDIF playback */
81553 -static struct snd_pcm_ops snd_atiixp_spdif_ops = {
81554 +static const struct snd_pcm_ops snd_atiixp_spdif_ops = {
81555 .open = snd_atiixp_spdif_open,
81556 .close = snd_atiixp_spdif_close,
81557 .ioctl = snd_pcm_lib_ioctl,
81558 @@ -1410,7 +1410,7 @@ static int __devinit snd_atiixp_mixer_ne
81559 struct snd_ac97_template ac97;
81560 int i, err;
81561 int codec_count;
81562 - static struct snd_ac97_bus_ops ops = {
81563 + static const struct snd_ac97_bus_ops ops = {
81564 .write = snd_atiixp_ac97_write,
81565 .read = snd_atiixp_ac97_read,
81566 };
81567 @@ -1590,7 +1590,7 @@ static int __devinit snd_atiixp_create(s
81568 struct pci_dev *pci,
81569 struct atiixp **r_chip)
81570 {
81571 - static struct snd_device_ops ops = {
81572 + static const struct snd_device_ops ops = {
81573 .dev_free = snd_atiixp_dev_free,
81574 };
81575 struct atiixp *chip;
81576 diff -urNp linux-2.6.39.1/sound/pci/atiixp_modem.c linux-2.6.39.1/sound/pci/atiixp_modem.c
81577 --- linux-2.6.39.1/sound/pci/atiixp_modem.c 2011-05-19 00:06:34.000000000 -0400
81578 +++ linux-2.6.39.1/sound/pci/atiixp_modem.c 2011-05-22 19:36:35.000000000 -0400
81579 @@ -947,7 +947,7 @@ static int snd_atiixp_capture_close(stru
81580
81581
81582 /* AC97 playback */
81583 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
81584 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
81585 .open = snd_atiixp_playback_open,
81586 .close = snd_atiixp_playback_close,
81587 .ioctl = snd_pcm_lib_ioctl,
81588 @@ -959,7 +959,7 @@ static struct snd_pcm_ops snd_atiixp_pla
81589 };
81590
81591 /* AC97 capture */
81592 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
81593 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
81594 .open = snd_atiixp_capture_open,
81595 .close = snd_atiixp_capture_close,
81596 .ioctl = snd_pcm_lib_ioctl,
81597 @@ -1067,7 +1067,7 @@ static int __devinit snd_atiixp_mixer_ne
81598 struct snd_ac97_template ac97;
81599 int i, err;
81600 int codec_count;
81601 - static struct snd_ac97_bus_ops ops = {
81602 + static const struct snd_ac97_bus_ops ops = {
81603 .write = snd_atiixp_ac97_write,
81604 .read = snd_atiixp_ac97_read,
81605 };
81606 @@ -1226,7 +1226,7 @@ static int __devinit snd_atiixp_create(s
81607 struct pci_dev *pci,
81608 struct atiixp_modem **r_chip)
81609 {
81610 - static struct snd_device_ops ops = {
81611 + static const struct snd_device_ops ops = {
81612 .dev_free = snd_atiixp_dev_free,
81613 };
81614 struct atiixp_modem *chip;
81615 diff -urNp linux-2.6.39.1/sound/pci/au88x0/au88x0_pcm.c linux-2.6.39.1/sound/pci/au88x0/au88x0_pcm.c
81616 --- linux-2.6.39.1/sound/pci/au88x0/au88x0_pcm.c 2011-05-19 00:06:34.000000000 -0400
81617 +++ linux-2.6.39.1/sound/pci/au88x0/au88x0_pcm.c 2011-05-22 19:36:35.000000000 -0400
81618 @@ -409,7 +409,7 @@ static snd_pcm_uframes_t snd_vortex_pcm_
81619 }
81620
81621 /* operators */
81622 -static struct snd_pcm_ops snd_vortex_playback_ops = {
81623 +static const struct snd_pcm_ops snd_vortex_playback_ops = {
81624 .open = snd_vortex_pcm_open,
81625 .close = snd_vortex_pcm_close,
81626 .ioctl = snd_pcm_lib_ioctl,
81627 diff -urNp linux-2.6.39.1/sound/pci/aw2/aw2-alsa.c linux-2.6.39.1/sound/pci/aw2/aw2-alsa.c
81628 --- linux-2.6.39.1/sound/pci/aw2/aw2-alsa.c 2011-05-19 00:06:34.000000000 -0400
81629 +++ linux-2.6.39.1/sound/pci/aw2/aw2-alsa.c 2011-05-22 19:36:35.000000000 -0400
81630 @@ -178,7 +178,7 @@ static struct pci_driver driver = {
81631 };
81632
81633 /* operators for playback PCM alsa interface */
81634 -static struct snd_pcm_ops snd_aw2_playback_ops = {
81635 +static const struct snd_pcm_ops snd_aw2_playback_ops = {
81636 .open = snd_aw2_pcm_playback_open,
81637 .close = snd_aw2_pcm_playback_close,
81638 .ioctl = snd_pcm_lib_ioctl,
81639 @@ -190,7 +190,7 @@ static struct snd_pcm_ops snd_aw2_playba
81640 };
81641
81642 /* operators for capture PCM alsa interface */
81643 -static struct snd_pcm_ops snd_aw2_capture_ops = {
81644 +static const struct snd_pcm_ops snd_aw2_capture_ops = {
81645 .open = snd_aw2_pcm_capture_open,
81646 .close = snd_aw2_pcm_capture_close,
81647 .ioctl = snd_pcm_lib_ioctl,
81648 @@ -263,7 +263,7 @@ static int __devinit snd_aw2_create(stru
81649 {
81650 struct aw2 *chip;
81651 int err;
81652 - static struct snd_device_ops ops = {
81653 + static const struct snd_device_ops ops = {
81654 .dev_free = snd_aw2_dev_free,
81655 };
81656
81657 diff -urNp linux-2.6.39.1/sound/pci/azt3328.c linux-2.6.39.1/sound/pci/azt3328.c
81658 --- linux-2.6.39.1/sound/pci/azt3328.c 2011-05-19 00:06:34.000000000 -0400
81659 +++ linux-2.6.39.1/sound/pci/azt3328.c 2011-05-22 19:36:35.000000000 -0400
81660 @@ -822,7 +822,7 @@ snd_azf3328_mixer_new(struct snd_azf3328
81661 {
81662 struct snd_ac97_bus *bus;
81663 struct snd_ac97_template ac97;
81664 - static struct snd_ac97_bus_ops ops = {
81665 + static const struct snd_ac97_bus_ops ops = {
81666 .write = snd_azf3328_mixer_ac97_write,
81667 .read = snd_azf3328_mixer_ac97_read,
81668 };
81669 @@ -2179,7 +2179,7 @@ snd_azf3328_pcm_close(struct snd_pcm_sub
81670
81671 /******************************************************************/
81672
81673 -static struct snd_pcm_ops snd_azf3328_playback_ops = {
81674 +static const struct snd_pcm_ops snd_azf3328_playback_ops = {
81675 .open = snd_azf3328_pcm_playback_open,
81676 .close = snd_azf3328_pcm_close,
81677 .ioctl = snd_pcm_lib_ioctl,
81678 @@ -2190,7 +2190,7 @@ static struct snd_pcm_ops snd_azf3328_pl
81679 .pointer = snd_azf3328_pcm_pointer
81680 };
81681
81682 -static struct snd_pcm_ops snd_azf3328_capture_ops = {
81683 +static const struct snd_pcm_ops snd_azf3328_capture_ops = {
81684 .open = snd_azf3328_pcm_capture_open,
81685 .close = snd_azf3328_pcm_close,
81686 .ioctl = snd_pcm_lib_ioctl,
81687 @@ -2201,7 +2201,7 @@ static struct snd_pcm_ops snd_azf3328_ca
81688 .pointer = snd_azf3328_pcm_pointer
81689 };
81690
81691 -static struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
81692 +static const struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
81693 .open = snd_azf3328_pcm_i2s_out_open,
81694 .close = snd_azf3328_pcm_close,
81695 .ioctl = snd_pcm_lib_ioctl,
81696 @@ -2497,7 +2497,7 @@ snd_azf3328_create(struct snd_card *card
81697 {
81698 struct snd_azf3328 *chip;
81699 int err;
81700 - static struct snd_device_ops ops = {
81701 + static const struct snd_device_ops ops = {
81702 .dev_free = snd_azf3328_dev_free,
81703 };
81704 u8 dma_init;
81705 diff -urNp linux-2.6.39.1/sound/pci/bt87x.c linux-2.6.39.1/sound/pci/bt87x.c
81706 --- linux-2.6.39.1/sound/pci/bt87x.c 2011-05-19 00:06:34.000000000 -0400
81707 +++ linux-2.6.39.1/sound/pci/bt87x.c 2011-05-22 19:36:35.000000000 -0400
81708 @@ -542,7 +542,7 @@ static snd_pcm_uframes_t snd_bt87x_point
81709 return (snd_pcm_uframes_t)bytes_to_frames(runtime, chip->current_line * chip->line_bytes);
81710 }
81711
81712 -static struct snd_pcm_ops snd_bt87x_pcm_ops = {
81713 +static const struct snd_pcm_ops snd_bt87x_pcm_ops = {
81714 .open = snd_bt87x_pcm_open,
81715 .close = snd_bt87x_close,
81716 .ioctl = snd_pcm_lib_ioctl,
81717 @@ -720,7 +720,7 @@ static int __devinit snd_bt87x_create(st
81718 {
81719 struct snd_bt87x *chip;
81720 int err;
81721 - static struct snd_device_ops ops = {
81722 + static const struct snd_device_ops ops = {
81723 .dev_free = snd_bt87x_dev_free
81724 };
81725
81726 diff -urNp linux-2.6.39.1/sound/pci/ca0106/ca0106_main.c linux-2.6.39.1/sound/pci/ca0106/ca0106_main.c
81727 --- linux-2.6.39.1/sound/pci/ca0106/ca0106_main.c 2011-05-19 00:06:34.000000000 -0400
81728 +++ linux-2.6.39.1/sound/pci/ca0106/ca0106_main.c 2011-05-22 19:36:35.000000000 -0400
81729 @@ -1103,7 +1103,7 @@ snd_ca0106_pcm_pointer_capture(struct sn
81730 }
81731
81732 /* operators */
81733 -static struct snd_pcm_ops snd_ca0106_playback_front_ops = {
81734 +static const struct snd_pcm_ops snd_ca0106_playback_front_ops = {
81735 .open = snd_ca0106_pcm_open_playback_front,
81736 .close = snd_ca0106_pcm_close_playback,
81737 .ioctl = snd_pcm_lib_ioctl,
81738 @@ -1114,7 +1114,7 @@ static struct snd_pcm_ops snd_ca0106_pla
81739 .pointer = snd_ca0106_pcm_pointer_playback,
81740 };
81741
81742 -static struct snd_pcm_ops snd_ca0106_capture_0_ops = {
81743 +static const struct snd_pcm_ops snd_ca0106_capture_0_ops = {
81744 .open = snd_ca0106_pcm_open_0_capture,
81745 .close = snd_ca0106_pcm_close_capture,
81746 .ioctl = snd_pcm_lib_ioctl,
81747 @@ -1125,7 +1125,7 @@ static struct snd_pcm_ops snd_ca0106_cap
81748 .pointer = snd_ca0106_pcm_pointer_capture,
81749 };
81750
81751 -static struct snd_pcm_ops snd_ca0106_capture_1_ops = {
81752 +static const struct snd_pcm_ops snd_ca0106_capture_1_ops = {
81753 .open = snd_ca0106_pcm_open_1_capture,
81754 .close = snd_ca0106_pcm_close_capture,
81755 .ioctl = snd_pcm_lib_ioctl,
81756 @@ -1136,7 +1136,7 @@ static struct snd_pcm_ops snd_ca0106_cap
81757 .pointer = snd_ca0106_pcm_pointer_capture,
81758 };
81759
81760 -static struct snd_pcm_ops snd_ca0106_capture_2_ops = {
81761 +static const struct snd_pcm_ops snd_ca0106_capture_2_ops = {
81762 .open = snd_ca0106_pcm_open_2_capture,
81763 .close = snd_ca0106_pcm_close_capture,
81764 .ioctl = snd_pcm_lib_ioctl,
81765 @@ -1147,7 +1147,7 @@ static struct snd_pcm_ops snd_ca0106_cap
81766 .pointer = snd_ca0106_pcm_pointer_capture,
81767 };
81768
81769 -static struct snd_pcm_ops snd_ca0106_capture_3_ops = {
81770 +static const struct snd_pcm_ops snd_ca0106_capture_3_ops = {
81771 .open = snd_ca0106_pcm_open_3_capture,
81772 .close = snd_ca0106_pcm_close_capture,
81773 .ioctl = snd_pcm_lib_ioctl,
81774 @@ -1158,7 +1158,7 @@ static struct snd_pcm_ops snd_ca0106_cap
81775 .pointer = snd_ca0106_pcm_pointer_capture,
81776 };
81777
81778 -static struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
81779 +static const struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
81780 .open = snd_ca0106_pcm_open_playback_center_lfe,
81781 .close = snd_ca0106_pcm_close_playback,
81782 .ioctl = snd_pcm_lib_ioctl,
81783 @@ -1169,7 +1169,7 @@ static struct snd_pcm_ops snd_ca0106_pla
81784 .pointer = snd_ca0106_pcm_pointer_playback,
81785 };
81786
81787 -static struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
81788 +static const struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
81789 .open = snd_ca0106_pcm_open_playback_unknown,
81790 .close = snd_ca0106_pcm_close_playback,
81791 .ioctl = snd_pcm_lib_ioctl,
81792 @@ -1180,7 +1180,7 @@ static struct snd_pcm_ops snd_ca0106_pla
81793 .pointer = snd_ca0106_pcm_pointer_playback,
81794 };
81795
81796 -static struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
81797 +static const struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
81798 .open = snd_ca0106_pcm_open_playback_rear,
81799 .close = snd_ca0106_pcm_close_playback,
81800 .ioctl = snd_pcm_lib_ioctl,
81801 @@ -1223,7 +1223,7 @@ static int snd_ca0106_ac97(struct snd_ca
81802 struct snd_ac97_bus *pbus;
81803 struct snd_ac97_template ac97;
81804 int err;
81805 - static struct snd_ac97_bus_ops ops = {
81806 + static const struct snd_ac97_bus_ops ops = {
81807 .write = snd_ca0106_ac97_write,
81808 .read = snd_ca0106_ac97_read,
81809 };
81810 @@ -1629,7 +1629,7 @@ static int __devinit snd_ca0106_create(i
81811 struct snd_ca0106 *chip;
81812 struct snd_ca0106_details *c;
81813 int err;
81814 - static struct snd_device_ops ops = {
81815 + static const struct snd_device_ops ops = {
81816 .dev_free = snd_ca0106_dev_free,
81817 };
81818
81819 diff -urNp linux-2.6.39.1/sound/pci/ca0106/ca_midi.c linux-2.6.39.1/sound/pci/ca0106/ca_midi.c
81820 --- linux-2.6.39.1/sound/pci/ca0106/ca_midi.c 2011-05-19 00:06:34.000000000 -0400
81821 +++ linux-2.6.39.1/sound/pci/ca0106/ca_midi.c 2011-05-22 19:36:35.000000000 -0400
81822 @@ -255,15 +255,13 @@ static void ca_midi_output_trigger(struc
81823 }
81824 }
81825
81826 -static struct snd_rawmidi_ops ca_midi_output =
81827 -{
81828 +static const struct snd_rawmidi_ops ca_midi_output = {
81829 .open = ca_midi_output_open,
81830 .close = ca_midi_output_close,
81831 .trigger = ca_midi_output_trigger,
81832 };
81833
81834 -static struct snd_rawmidi_ops ca_midi_input =
81835 -{
81836 +static const struct snd_rawmidi_ops ca_midi_input = {
81837 .open = ca_midi_input_open,
81838 .close = ca_midi_input_close,
81839 .trigger = ca_midi_input_trigger,
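Review bot: Besides adding `const`, both declarations in this hunk move the opening brace onto the declaration line, whereas the equivalent hunk for `sound/isa/wavefront/wavefront_midi.c` leaves the brace where it was. Mixing a formatting change into a qualifier-only patch makes the hunk harder to audit and more likely to conflict when the patch is rebased. Keeping the original layout, `static const struct snd_rawmidi_ops ca_midi_output =` with `{` on its own line, would reduce each table to a one-line change. The initialiser of `ca_midi_input` runs past the end of the hunk.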
81840 diff -urNp linux-2.6.39.1/sound/pci/cmipci.c linux-2.6.39.1/sound/pci/cmipci.c
81841 --- linux-2.6.39.1/sound/pci/cmipci.c 2011-05-19 00:06:34.000000000 -0400
81842 +++ linux-2.6.39.1/sound/pci/cmipci.c 2011-05-22 19:36:35.000000000 -0400
81843 @@ -1838,7 +1838,7 @@ static int snd_cmipci_capture_spdif_clos
81844 /*
81845 */
81846
81847 -static struct snd_pcm_ops snd_cmipci_playback_ops = {
81848 +static const struct snd_pcm_ops snd_cmipci_playback_ops = {
81849 .open = snd_cmipci_playback_open,
81850 .close = snd_cmipci_playback_close,
81851 .ioctl = snd_pcm_lib_ioctl,
81852 @@ -1849,7 +1849,7 @@ static struct snd_pcm_ops snd_cmipci_pla
81853 .pointer = snd_cmipci_playback_pointer,
81854 };
81855
81856 -static struct snd_pcm_ops snd_cmipci_capture_ops = {
81857 +static const struct snd_pcm_ops snd_cmipci_capture_ops = {
81858 .open = snd_cmipci_capture_open,
81859 .close = snd_cmipci_capture_close,
81860 .ioctl = snd_pcm_lib_ioctl,
81861 @@ -1860,7 +1860,7 @@ static struct snd_pcm_ops snd_cmipci_cap
81862 .pointer = snd_cmipci_capture_pointer,
81863 };
81864
81865 -static struct snd_pcm_ops snd_cmipci_playback2_ops = {
81866 +static const struct snd_pcm_ops snd_cmipci_playback2_ops = {
81867 .open = snd_cmipci_playback2_open,
81868 .close = snd_cmipci_playback2_close,
81869 .ioctl = snd_pcm_lib_ioctl,
81870 @@ -1871,7 +1871,7 @@ static struct snd_pcm_ops snd_cmipci_pla
81871 .pointer = snd_cmipci_capture_pointer, /* channel B */
81872 };
81873
81874 -static struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
81875 +static const struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
81876 .open = snd_cmipci_playback_spdif_open,
81877 .close = snd_cmipci_playback_spdif_close,
81878 .ioctl = snd_pcm_lib_ioctl,
81879 @@ -1882,7 +1882,7 @@ static struct snd_pcm_ops snd_cmipci_pla
81880 .pointer = snd_cmipci_playback_pointer,
81881 };
81882
81883 -static struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
81884 +static const struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
81885 .open = snd_cmipci_capture_spdif_open,
81886 .close = snd_cmipci_capture_spdif_close,
81887 .ioctl = snd_pcm_lib_ioctl,
81888 @@ -3011,7 +3011,7 @@ static int __devinit snd_cmipci_create(s
81889 {
81890 struct cmipci *cm;
81891 int err;
81892 - static struct snd_device_ops ops = {
81893 + static const struct snd_device_ops ops = {
81894 .dev_free = snd_cmipci_dev_free,
81895 };
81896 unsigned int val;
81897 diff -urNp linux-2.6.39.1/sound/pci/cs4281.c linux-2.6.39.1/sound/pci/cs4281.c
81898 --- linux-2.6.39.1/sound/pci/cs4281.c 2011-05-19 00:06:34.000000000 -0400
81899 +++ linux-2.6.39.1/sound/pci/cs4281.c 2011-05-22 19:36:35.000000000 -0400
81900 @@ -947,7 +947,7 @@ static int snd_cs4281_capture_close(stru
81901 return 0;
81902 }
81903
81904 -static struct snd_pcm_ops snd_cs4281_playback_ops = {
81905 +static const struct snd_pcm_ops snd_cs4281_playback_ops = {
81906 .open = snd_cs4281_playback_open,
81907 .close = snd_cs4281_playback_close,
81908 .ioctl = snd_pcm_lib_ioctl,
81909 @@ -958,7 +958,7 @@ static struct snd_pcm_ops snd_cs4281_pla
81910 .pointer = snd_cs4281_pointer,
81911 };
81912
81913 -static struct snd_pcm_ops snd_cs4281_capture_ops = {
81914 +static const struct snd_pcm_ops snd_cs4281_capture_ops = {
81915 .open = snd_cs4281_capture_open,
81916 .close = snd_cs4281_capture_close,
81917 .ioctl = snd_pcm_lib_ioctl,
81918 @@ -1098,7 +1098,7 @@ static int __devinit snd_cs4281_mixer(st
81919 struct snd_card *card = chip->card;
81920 struct snd_ac97_template ac97;
81921 int err;
81922 - static struct snd_ac97_bus_ops ops = {
81923 + static const struct snd_ac97_bus_ops ops = {
81924 .write = snd_cs4281_ac97_write,
81925 .read = snd_cs4281_ac97_read,
81926 };
81927 @@ -1343,7 +1343,7 @@ static int __devinit snd_cs4281_create(s
81928 struct cs4281 *chip;
81929 unsigned int tmp;
81930 int err;
81931 - static struct snd_device_ops ops = {
81932 + static const struct snd_device_ops ops = {
81933 .dev_free = snd_cs4281_dev_free,
81934 };
81935
81936 @@ -1765,15 +1765,13 @@ static void snd_cs4281_midi_output_trigg
81937 spin_unlock_irqrestore(&chip->reg_lock, flags);
81938 }
81939
81940 -static struct snd_rawmidi_ops snd_cs4281_midi_output =
81941 -{
81942 +static const struct snd_rawmidi_ops snd_cs4281_midi_output = {
81943 .open = snd_cs4281_midi_output_open,
81944 .close = snd_cs4281_midi_output_close,
81945 .trigger = snd_cs4281_midi_output_trigger,
81946 };
81947
81948 -static struct snd_rawmidi_ops snd_cs4281_midi_input =
81949 -{
81950 +static const struct snd_rawmidi_ops snd_cs4281_midi_input = {
81951 .open = snd_cs4281_midi_input_open,
81952 .close = snd_cs4281_midi_input_close,
81953 .trigger = snd_cs4281_midi_input_trigger,
81954 diff -urNp linux-2.6.39.1/sound/pci/cs46xx/cs46xx_lib.c linux-2.6.39.1/sound/pci/cs46xx/cs46xx_lib.c
81955 --- linux-2.6.39.1/sound/pci/cs46xx/cs46xx_lib.c 2011-05-19 00:06:34.000000000 -0400
81956 +++ linux-2.6.39.1/sound/pci/cs46xx/cs46xx_lib.c 2011-05-22 19:36:35.000000000 -0400
81957 @@ -3722,7 +3722,7 @@ int __devinit snd_cs46xx_create(struct s
81958 struct snd_cs46xx_region *region;
81959 struct cs_card_type *cp;
81960 u16 ss_card, ss_vendor;
81961 - static struct snd_device_ops ops = {
81962 + static const struct snd_device_ops ops = {
81963 .dev_free = snd_cs46xx_dev_free,
81964 };
81965
81966 diff -urNp linux-2.6.39.1/sound/pci/cs5530.c linux-2.6.39.1/sound/pci/cs5530.c
81967 --- linux-2.6.39.1/sound/pci/cs5530.c 2011-05-19 00:06:34.000000000 -0400
81968 +++ linux-2.6.39.1/sound/pci/cs5530.c 2011-05-22 19:36:35.000000000 -0400
81969 @@ -107,7 +107,7 @@ static int __devinit snd_cs5530_create(s
81970 void __iomem *mem;
81971 int err;
81972
81973 - static struct snd_device_ops ops = {
81974 + static const struct snd_device_ops ops = {
81975 .dev_free = snd_cs5530_dev_free,
81976 };
81977 *rchip = NULL;
81978 diff -urNp linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio.c linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio.c
81979 --- linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio.c 2011-05-19 00:06:34.000000000 -0400
81980 +++ linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio.c 2011-05-22 19:36:35.000000000 -0400
81981 @@ -150,7 +150,7 @@ static int __devinit snd_cs5535audio_mix
81982 struct snd_ac97_bus *pbus;
81983 struct snd_ac97_template ac97;
81984 int err;
81985 - static struct snd_ac97_bus_ops ops = {
81986 + static const struct snd_ac97_bus_ops ops = {
81987 .write = snd_cs5535audio_ac97_codec_write,
81988 .read = snd_cs5535audio_ac97_codec_read,
81989 };
81990 @@ -277,7 +277,7 @@ static int __devinit snd_cs5535audio_cre
81991 struct cs5535audio *cs5535au;
81992
81993 int err;
81994 - static struct snd_device_ops ops = {
81995 + static const struct snd_device_ops ops = {
81996 .dev_free = snd_cs5535audio_dev_free,
81997 };
81998
81999 diff -urNp linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio_pcm.c linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio_pcm.c
82000 --- linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-19 00:06:34.000000000 -0400
82001 +++ linux-2.6.39.1/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-22 19:36:35.000000000 -0400
82002 @@ -380,7 +380,7 @@ static int snd_cs5535audio_capture_prepa
82003 substream->runtime->rate);
82004 }
82005
82006 -static struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82007 +static const struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82008 .open = snd_cs5535audio_playback_open,
82009 .close = snd_cs5535audio_playback_close,
82010 .ioctl = snd_pcm_lib_ioctl,
82011 @@ -391,7 +391,7 @@ static struct snd_pcm_ops snd_cs5535audi
82012 .pointer = snd_cs5535audio_pcm_pointer,
82013 };
82014
82015 -static struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82016 +static const struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82017 .open = snd_cs5535audio_capture_open,
82018 .close = snd_cs5535audio_capture_close,
82019 .ioctl = snd_pcm_lib_ioctl,
82020 diff -urNp linux-2.6.39.1/sound/pci/ctxfi/ctpcm.c linux-2.6.39.1/sound/pci/ctxfi/ctpcm.c
82021 --- linux-2.6.39.1/sound/pci/ctxfi/ctpcm.c 2011-05-19 00:06:34.000000000 -0400
82022 +++ linux-2.6.39.1/sound/pci/ctxfi/ctpcm.c 2011-05-22 19:36:35.000000000 -0400
82023 @@ -370,7 +370,7 @@ ct_pcm_capture_pointer(struct snd_pcm_su
82024 }
82025
82026 /* PCM operators for playback */
82027 -static struct snd_pcm_ops ct_pcm_playback_ops = {
82028 +static const struct snd_pcm_ops ct_pcm_playback_ops = {
82029 .open = ct_pcm_playback_open,
82030 .close = ct_pcm_playback_close,
82031 .ioctl = snd_pcm_lib_ioctl,
82032 @@ -383,7 +383,7 @@ static struct snd_pcm_ops ct_pcm_playbac
82033 };
82034
82035 /* PCM operators for capture */
82036 -static struct snd_pcm_ops ct_pcm_capture_ops = {
82037 +static const struct snd_pcm_ops ct_pcm_capture_ops = {
82038 .open = ct_pcm_capture_open,
82039 .close = ct_pcm_capture_close,
82040 .ioctl = snd_pcm_lib_ioctl,
82041 diff -urNp linux-2.6.39.1/sound/pci/echoaudio/echoaudio.c linux-2.6.39.1/sound/pci/echoaudio/echoaudio.c
82042 --- linux-2.6.39.1/sound/pci/echoaudio/echoaudio.c 2011-05-19 00:06:34.000000000 -0400
82043 +++ linux-2.6.39.1/sound/pci/echoaudio/echoaudio.c 2011-05-22 19:36:35.000000000 -0400
82044 @@ -831,7 +831,7 @@ static snd_pcm_uframes_t pcm_pointer(str
82045
82046
82047 /* pcm *_ops structures */
82048 -static struct snd_pcm_ops analog_playback_ops = {
82049 +static const struct snd_pcm_ops analog_playback_ops = {
82050 .open = pcm_analog_out_open,
82051 .close = pcm_close,
82052 .ioctl = snd_pcm_lib_ioctl,
82053 @@ -842,7 +842,7 @@ static struct snd_pcm_ops analog_playbac
82054 .pointer = pcm_pointer,
82055 .page = snd_pcm_sgbuf_ops_page,
82056 };
82057 -static struct snd_pcm_ops analog_capture_ops = {
82058 +static const struct snd_pcm_ops analog_capture_ops = {
82059 .open = pcm_analog_in_open,
82060 .close = pcm_close,
82061 .ioctl = snd_pcm_lib_ioctl,
82062 @@ -855,7 +855,7 @@ static struct snd_pcm_ops analog_capture
82063 };
82064 #ifdef ECHOCARD_HAS_DIGITAL_IO
82065 #ifndef ECHOCARD_HAS_VMIXER
82066 -static struct snd_pcm_ops digital_playback_ops = {
82067 +static const struct snd_pcm_ops digital_playback_ops = {
82068 .open = pcm_digital_out_open,
82069 .close = pcm_close,
82070 .ioctl = snd_pcm_lib_ioctl,
82071 @@ -867,7 +867,7 @@ static struct snd_pcm_ops digital_playba
82072 .page = snd_pcm_sgbuf_ops_page,
82073 };
82074 #endif /* !ECHOCARD_HAS_VMIXER */
82075 -static struct snd_pcm_ops digital_capture_ops = {
82076 +static const struct snd_pcm_ops digital_capture_ops = {
82077 .open = pcm_digital_in_open,
82078 .close = pcm_close,
82079 .ioctl = snd_pcm_lib_ioctl,
82080 @@ -1945,7 +1945,7 @@ static __devinit int snd_echo_create(str
82081 struct echoaudio *chip;
82082 int err;
82083 size_t sz;
82084 - static struct snd_device_ops ops = {
82085 + static const struct snd_device_ops ops = {
82086 .dev_free = snd_echo_dev_free,
82087 };
82088
82089 diff -urNp linux-2.6.39.1/sound/pci/echoaudio/midi.c linux-2.6.39.1/sound/pci/echoaudio/midi.c
82090 --- linux-2.6.39.1/sound/pci/echoaudio/midi.c 2011-05-19 00:06:34.000000000 -0400
82091 +++ linux-2.6.39.1/sound/pci/echoaudio/midi.c 2011-05-22 19:36:35.000000000 -0400
82092 @@ -292,13 +292,13 @@ static int snd_echo_midi_output_close(st
82093
82094
82095
82096 -static struct snd_rawmidi_ops snd_echo_midi_input = {
82097 +static const struct snd_rawmidi_ops snd_echo_midi_input = {
82098 .open = snd_echo_midi_input_open,
82099 .close = snd_echo_midi_input_close,
82100 .trigger = snd_echo_midi_input_trigger,
82101 };
82102
82103 -static struct snd_rawmidi_ops snd_echo_midi_output = {
82104 +static const struct snd_rawmidi_ops snd_echo_midi_output = {
82105 .open = snd_echo_midi_output_open,
82106 .close = snd_echo_midi_output_close,
82107 .trigger = snd_echo_midi_output_trigger,
82108 diff -urNp linux-2.6.39.1/sound/pci/emu10k1/emu10k1_main.c linux-2.6.39.1/sound/pci/emu10k1/emu10k1_main.c
82109 --- linux-2.6.39.1/sound/pci/emu10k1/emu10k1_main.c 2011-05-19 00:06:34.000000000 -0400
82110 +++ linux-2.6.39.1/sound/pci/emu10k1/emu10k1_main.c 2011-05-22 19:36:35.000000000 -0400
82111 @@ -1722,7 +1722,7 @@ int __devinit snd_emu10k1_create(struct
82112 int is_audigy;
82113 unsigned int silent_page;
82114 const struct snd_emu_chip_details *c;
82115 - static struct snd_device_ops ops = {
82116 + static const struct snd_device_ops ops = {
82117 .dev_free = snd_emu10k1_dev_free,
82118 };
82119
82120 diff -urNp linux-2.6.39.1/sound/pci/emu10k1/emu10k1x.c linux-2.6.39.1/sound/pci/emu10k1/emu10k1x.c
82121 --- linux-2.6.39.1/sound/pci/emu10k1/emu10k1x.c 2011-05-19 00:06:34.000000000 -0400
82122 +++ linux-2.6.39.1/sound/pci/emu10k1/emu10k1x.c 2011-05-22 19:36:35.000000000 -0400
82123 @@ -543,7 +543,7 @@ snd_emu10k1x_pcm_pointer(struct snd_pcm_
82124 }
82125
82126 /* operators */
82127 -static struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82128 +static const struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82129 .open = snd_emu10k1x_playback_open,
82130 .close = snd_emu10k1x_playback_close,
82131 .ioctl = snd_pcm_lib_ioctl,
82132 @@ -689,7 +689,7 @@ snd_emu10k1x_pcm_pointer_capture(struct
82133 return ptr;
82134 }
82135
82136 -static struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82137 +static const struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82138 .open = snd_emu10k1x_pcm_open_capture,
82139 .close = snd_emu10k1x_pcm_close_capture,
82140 .ioctl = snd_pcm_lib_ioctl,
82141 @@ -731,7 +731,7 @@ static int snd_emu10k1x_ac97(struct emu1
82142 struct snd_ac97_bus *pbus;
82143 struct snd_ac97_template ac97;
82144 int err;
82145 - static struct snd_ac97_bus_ops ops = {
82146 + static const struct snd_ac97_bus_ops ops = {
82147 .write = snd_emu10k1x_ac97_write,
82148 .read = snd_emu10k1x_ac97_read,
82149 };
82150 @@ -888,7 +888,7 @@ static int __devinit snd_emu10k1x_create
82151 struct emu10k1x *chip;
82152 int err;
82153 int ch;
82154 - static struct snd_device_ops ops = {
82155 + static const struct snd_device_ops ops = {
82156 .dev_free = snd_emu10k1x_dev_free,
82157 };
82158
82159 @@ -1465,15 +1465,13 @@ static void snd_emu10k1x_midi_output_tri
82160
82161 */
82162
82163 -static struct snd_rawmidi_ops snd_emu10k1x_midi_output =
82164 -{
82165 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_output = {
82166 .open = snd_emu10k1x_midi_output_open,
82167 .close = snd_emu10k1x_midi_output_close,
82168 .trigger = snd_emu10k1x_midi_output_trigger,
82169 };
82170
82171 -static struct snd_rawmidi_ops snd_emu10k1x_midi_input =
82172 -{
82173 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_input = {
82174 .open = snd_emu10k1x_midi_input_open,
82175 .close = snd_emu10k1x_midi_input_close,
82176 .trigger = snd_emu10k1x_midi_input_trigger,
82177 diff -urNp linux-2.6.39.1/sound/pci/emu10k1/p16v.c linux-2.6.39.1/sound/pci/emu10k1/p16v.c
82178 --- linux-2.6.39.1/sound/pci/emu10k1/p16v.c 2011-05-19 00:06:34.000000000 -0400
82179 +++ linux-2.6.39.1/sound/pci/emu10k1/p16v.c 2011-05-22 19:36:35.000000000 -0400
82180 @@ -601,7 +601,7 @@ snd_p16v_pcm_pointer_capture(struct snd_
82181 }
82182
82183 /* operators */
82184 -static struct snd_pcm_ops snd_p16v_playback_front_ops = {
82185 +static const struct snd_pcm_ops snd_p16v_playback_front_ops = {
82186 .open = snd_p16v_pcm_open_playback_front,
82187 .close = snd_p16v_pcm_close_playback,
82188 .ioctl = snd_pcm_lib_ioctl,
82189 @@ -612,7 +612,7 @@ static struct snd_pcm_ops snd_p16v_playb
82190 .pointer = snd_p16v_pcm_pointer_playback,
82191 };
82192
82193 -static struct snd_pcm_ops snd_p16v_capture_ops = {
82194 +static const struct snd_pcm_ops snd_p16v_capture_ops = {
82195 .open = snd_p16v_pcm_open_capture,
82196 .close = snd_p16v_pcm_close_capture,
82197 .ioctl = snd_pcm_lib_ioctl,
82198 diff -urNp linux-2.6.39.1/sound/pci/ens1370.c linux-2.6.39.1/sound/pci/ens1370.c
82199 --- linux-2.6.39.1/sound/pci/ens1370.c 2011-05-19 00:06:34.000000000 -0400
82200 +++ linux-2.6.39.1/sound/pci/ens1370.c 2011-05-22 19:36:35.000000000 -0400
82201 @@ -1225,7 +1225,7 @@ static int snd_ensoniq_capture_close(str
82202 return 0;
82203 }
82204
82205 -static struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82206 +static const struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82207 .open = snd_ensoniq_playback1_open,
82208 .close = snd_ensoniq_playback1_close,
82209 .ioctl = snd_pcm_lib_ioctl,
82210 @@ -1236,7 +1236,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82211 .pointer = snd_ensoniq_playback1_pointer,
82212 };
82213
82214 -static struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82215 +static const struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82216 .open = snd_ensoniq_playback2_open,
82217 .close = snd_ensoniq_playback2_close,
82218 .ioctl = snd_pcm_lib_ioctl,
82219 @@ -1247,7 +1247,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82220 .pointer = snd_ensoniq_playback2_pointer,
82221 };
82222
82223 -static struct snd_pcm_ops snd_ensoniq_capture_ops = {
82224 +static const struct snd_pcm_ops snd_ensoniq_capture_ops = {
82225 .open = snd_ensoniq_capture_open,
82226 .close = snd_ensoniq_capture_close,
82227 .ioctl = snd_pcm_lib_ioctl,
82228 @@ -1633,7 +1633,7 @@ static int __devinit snd_ensoniq_1371_mi
82229 struct snd_ac97_bus *pbus;
82230 struct snd_ac97_template ac97;
82231 int err;
82232 - static struct snd_ac97_bus_ops ops = {
82233 + static const struct snd_ac97_bus_ops ops = {
82234 .write = snd_es1371_codec_write,
82235 .read = snd_es1371_codec_read,
82236 .wait = snd_es1371_codec_wait,
82237 @@ -2096,7 +2096,7 @@ static int __devinit snd_ensoniq_create(
82238 {
82239 struct ensoniq *ensoniq;
82240 int err;
82241 - static struct snd_device_ops ops = {
82242 + static const struct snd_device_ops ops = {
82243 .dev_free = snd_ensoniq_dev_free,
82244 };
82245
82246 @@ -2331,15 +2331,13 @@ static void snd_ensoniq_midi_output_trig
82247 spin_unlock_irqrestore(&ensoniq->reg_lock, flags);
82248 }
82249
82250 -static struct snd_rawmidi_ops snd_ensoniq_midi_output =
82251 -{
82252 +static const struct snd_rawmidi_ops snd_ensoniq_midi_output = {
82253 .open = snd_ensoniq_midi_output_open,
82254 .close = snd_ensoniq_midi_output_close,
82255 .trigger = snd_ensoniq_midi_output_trigger,
82256 };
82257
82258 -static struct snd_rawmidi_ops snd_ensoniq_midi_input =
82259 -{
82260 +static const struct snd_rawmidi_ops snd_ensoniq_midi_input = {
82261 .open = snd_ensoniq_midi_input_open,
82262 .close = snd_ensoniq_midi_input_close,
82263 .trigger = snd_ensoniq_midi_input_trigger,
82264 diff -urNp linux-2.6.39.1/sound/pci/es1938.c linux-2.6.39.1/sound/pci/es1938.c
82265 --- linux-2.6.39.1/sound/pci/es1938.c 2011-05-19 00:06:34.000000000 -0400
82266 +++ linux-2.6.39.1/sound/pci/es1938.c 2011-05-22 19:36:35.000000000 -0400
82267 @@ -1004,7 +1004,7 @@ static int snd_es1938_playback_close(str
82268 return 0;
82269 }
82270
82271 -static struct snd_pcm_ops snd_es1938_playback_ops = {
82272 +static const struct snd_pcm_ops snd_es1938_playback_ops = {
82273 .open = snd_es1938_playback_open,
82274 .close = snd_es1938_playback_close,
82275 .ioctl = snd_pcm_lib_ioctl,
82276 @@ -1015,7 +1015,7 @@ static struct snd_pcm_ops snd_es1938_pla
82277 .pointer = snd_es1938_playback_pointer,
82278 };
82279
82280 -static struct snd_pcm_ops snd_es1938_capture_ops = {
82281 +static const struct snd_pcm_ops snd_es1938_capture_ops = {
82282 .open = snd_es1938_capture_open,
82283 .close = snd_es1938_capture_close,
82284 .ioctl = snd_pcm_lib_ioctl,
82285 @@ -1598,7 +1598,7 @@ static int __devinit snd_es1938_create(s
82286 {
82287 struct es1938 *chip;
82288 int err;
82289 - static struct snd_device_ops ops = {
82290 + static const struct snd_device_ops ops = {
82291 .dev_free = snd_es1938_dev_free,
82292 };
82293
82294 diff -urNp linux-2.6.39.1/sound/pci/es1968.c linux-2.6.39.1/sound/pci/es1968.c
82295 --- linux-2.6.39.1/sound/pci/es1968.c 2011-05-19 00:06:34.000000000 -0400
82296 +++ linux-2.6.39.1/sound/pci/es1968.c 2011-05-22 19:36:35.000000000 -0400
82297 @@ -1682,7 +1682,7 @@ static int snd_es1968_capture_close(stru
82298 return 0;
82299 }
82300
82301 -static struct snd_pcm_ops snd_es1968_playback_ops = {
82302 +static const struct snd_pcm_ops snd_es1968_playback_ops = {
82303 .open = snd_es1968_playback_open,
82304 .close = snd_es1968_playback_close,
82305 .ioctl = snd_pcm_lib_ioctl,
82306 @@ -1693,7 +1693,7 @@ static struct snd_pcm_ops snd_es1968_pla
82307 .pointer = snd_es1968_pcm_pointer,
82308 };
82309
82310 -static struct snd_pcm_ops snd_es1968_capture_ops = {
82311 +static const struct snd_pcm_ops snd_es1968_capture_ops = {
82312 .open = snd_es1968_capture_open,
82313 .close = snd_es1968_capture_close,
82314 .ioctl = snd_pcm_lib_ioctl,
82315 @@ -2053,7 +2053,7 @@ snd_es1968_mixer(struct es1968 *chip)
82316 struct snd_ctl_elem_id elem_id;
82317 #endif
82318 int err;
82319 - static struct snd_ac97_bus_ops ops = {
82320 + static const struct snd_ac97_bus_ops ops = {
82321 .write = snd_es1968_ac97_write,
82322 .read = snd_es1968_ac97_read,
82323 };
82324 @@ -2627,7 +2627,7 @@ static int __devinit snd_es1968_create(s
82325 int do_pm,
82326 struct es1968 **chip_ret)
82327 {
82328 - static struct snd_device_ops ops = {
82329 + static const struct snd_device_ops ops = {
82330 .dev_free = snd_es1968_dev_free,
82331 };
82332 struct es1968 *chip;
82333 diff -urNp linux-2.6.39.1/sound/pci/fm801.c linux-2.6.39.1/sound/pci/fm801.c
82334 --- linux-2.6.39.1/sound/pci/fm801.c 2011-05-19 00:06:34.000000000 -0400
82335 +++ linux-2.6.39.1/sound/pci/fm801.c 2011-05-22 19:36:35.000000000 -0400
82336 @@ -662,7 +662,7 @@ static int snd_fm801_capture_close(struc
82337 return 0;
82338 }
82339
82340 -static struct snd_pcm_ops snd_fm801_playback_ops = {
82341 +static const struct snd_pcm_ops snd_fm801_playback_ops = {
82342 .open = snd_fm801_playback_open,
82343 .close = snd_fm801_playback_close,
82344 .ioctl = snd_pcm_lib_ioctl,
82345 @@ -673,7 +673,7 @@ static struct snd_pcm_ops snd_fm801_play
82346 .pointer = snd_fm801_playback_pointer,
82347 };
82348
82349 -static struct snd_pcm_ops snd_fm801_capture_ops = {
82350 +static const struct snd_pcm_ops snd_fm801_capture_ops = {
82351 .open = snd_fm801_capture_open,
82352 .close = snd_fm801_capture_close,
82353 .ioctl = snd_pcm_lib_ioctl,
82354 @@ -1236,7 +1236,7 @@ static int __devinit snd_fm801_mixer(str
82355 struct snd_ac97_template ac97;
82356 unsigned int i;
82357 int err;
82358 - static struct snd_ac97_bus_ops ops = {
82359 + static const struct snd_ac97_bus_ops ops = {
82360 .write = snd_fm801_codec_write,
82361 .read = snd_fm801_codec_read,
82362 };
82363 @@ -1396,7 +1396,7 @@ static int __devinit snd_fm801_create(st
82364 {
82365 struct fm801 *chip;
82366 int err;
82367 - static struct snd_device_ops ops = {
82368 + static const struct snd_device_ops ops = {
82369 .dev_free = snd_fm801_dev_free,
82370 };
82371
82372 diff -urNp linux-2.6.39.1/sound/pci/hda/hda_generic.c linux-2.6.39.1/sound/pci/hda/hda_generic.c
82373 --- linux-2.6.39.1/sound/pci/hda/hda_generic.c 2011-05-19 00:06:34.000000000 -0400
82374 +++ linux-2.6.39.1/sound/pci/hda/hda_generic.c 2011-05-22 19:36:35.000000000 -0400
82375 @@ -1038,7 +1038,7 @@ static int generic_check_power_status(st
82376
82377 /*
82378 */
82379 -static struct hda_codec_ops generic_patch_ops = {
82380 +static const struct hda_codec_ops generic_patch_ops = {
82381 .build_controls = build_generic_controls,
82382 .build_pcms = build_generic_pcms,
82383 .free = snd_hda_generic_free,
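Review bot: `generic_patch_ops` is now read-only, but the hunk does not show how the codec consumes it, and a comment on the table should say what the const actually covers. If the codec core keeps its own by-value copy (an assignment such as `codec->patch_ops = generic_patch_ops;`, not visible here, to be confirmed), the function pointers called at runtime live in the writable codec object and are not protected by this change. I would add `/* const template; the copy held by the codec (if any) remains writable */` above the declaration. The same applies to the `hda_codec_ops` hunks in patch_ca0110.c, patch_cirrus.c, patch_cmedia.c, patch_conexant.c, patch_hdmi.c, patch_realtek.c, patch_si3054.c, patch_sigmatel.c and patch_via.c; the initializer continues past the end of the hunk.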
82384 diff -urNp linux-2.6.39.1/sound/pci/hda/hda_intel.c linux-2.6.39.1/sound/pci/hda/hda_intel.c
82385 --- linux-2.6.39.1/sound/pci/hda/hda_intel.c 2011-06-03 00:04:14.000000000 -0400
82386 +++ linux-2.6.39.1/sound/pci/hda/hda_intel.c 2011-06-03 00:32:08.000000000 -0400
82387 @@ -2459,7 +2459,7 @@ static int __devinit azx_create(struct s
82388 struct azx *chip;
82389 int i, err;
82390 unsigned short gcap;
82391 - static struct snd_device_ops ops = {
82392 + static const struct snd_device_ops ops = {
82393 .dev_free = azx_dev_free,
82394 };
82395
82396 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_ca0110.c linux-2.6.39.1/sound/pci/hda/patch_ca0110.c
82397 --- linux-2.6.39.1/sound/pci/hda/patch_ca0110.c 2011-05-19 00:06:34.000000000 -0400
82398 +++ linux-2.6.39.1/sound/pci/hda/patch_ca0110.c 2011-05-22 19:36:35.000000000 -0400
82399 @@ -389,7 +389,7 @@ static void ca0110_free(struct hda_codec
82400 kfree(codec->spec);
82401 }
82402
82403 -static struct hda_codec_ops ca0110_patch_ops = {
82404 +static const struct hda_codec_ops ca0110_patch_ops = {
82405 .build_controls = ca0110_build_controls,
82406 .build_pcms = ca0110_build_pcms,
82407 .init = ca0110_init,
82408 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_cirrus.c linux-2.6.39.1/sound/pci/hda/patch_cirrus.c
82409 --- linux-2.6.39.1/sound/pci/hda/patch_cirrus.c 2011-05-19 00:06:34.000000000 -0400
82410 +++ linux-2.6.39.1/sound/pci/hda/patch_cirrus.c 2011-05-22 19:36:35.000000000 -0400
82411 @@ -1126,7 +1126,7 @@ static void cs_unsol_event(struct hda_co
82412 }
82413 }
82414
82415 -static struct hda_codec_ops cs_patch_ops = {
82416 +static const struct hda_codec_ops cs_patch_ops = {
82417 .build_controls = cs_build_controls,
82418 .build_pcms = cs_build_pcms,
82419 .init = cs_init,
82420 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_cmedia.c linux-2.6.39.1/sound/pci/hda/patch_cmedia.c
82421 --- linux-2.6.39.1/sound/pci/hda/patch_cmedia.c 2011-05-19 00:06:34.000000000 -0400
82422 +++ linux-2.6.39.1/sound/pci/hda/patch_cmedia.c 2011-05-22 19:36:35.000000000 -0400
82423 @@ -624,7 +624,7 @@ static struct snd_pci_quirk cmi9880_cfg_
82424 {} /* terminator */
82425 };
82426
82427 -static struct hda_codec_ops cmi9880_patch_ops = {
82428 +static const struct hda_codec_ops cmi9880_patch_ops = {
82429 .build_controls = cmi9880_build_controls,
82430 .build_pcms = cmi9880_build_pcms,
82431 .init = cmi9880_init,
82432 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_conexant.c linux-2.6.39.1/sound/pci/hda/patch_conexant.c
82433 --- linux-2.6.39.1/sound/pci/hda/patch_conexant.c 2011-06-03 00:04:14.000000000 -0400
82434 +++ linux-2.6.39.1/sound/pci/hda/patch_conexant.c 2011-06-03 00:32:08.000000000 -0400
82435 @@ -546,7 +546,7 @@ static int conexant_suspend(struct hda_c
82436 }
82437 #endif
82438
82439 -static struct hda_codec_ops conexant_patch_ops = {
82440 +static const struct hda_codec_ops conexant_patch_ops = {
82441 .build_controls = conexant_build_controls,
82442 .build_pcms = conexant_build_pcms,
82443 .init = conexant_init,
82444 @@ -3792,7 +3792,7 @@ static int cx_auto_build_controls(struct
82445 return conexant_build_controls(codec);
82446 }
82447
82448 -static struct hda_codec_ops cx_auto_patch_ops = {
82449 +static const struct hda_codec_ops cx_auto_patch_ops = {
82450 .build_controls = cx_auto_build_controls,
82451 .build_pcms = conexant_build_pcms,
82452 .init = cx_auto_init,
82453 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_hdmi.c linux-2.6.39.1/sound/pci/hda/patch_hdmi.c
82454 --- linux-2.6.39.1/sound/pci/hda/patch_hdmi.c 2011-05-19 00:06:34.000000000 -0400
82455 +++ linux-2.6.39.1/sound/pci/hda/patch_hdmi.c 2011-05-22 19:36:35.000000000 -0400
82456 @@ -1124,7 +1124,7 @@ static void generic_hdmi_free(struct hda
82457 kfree(spec);
82458 }
82459
82460 -static struct hda_codec_ops generic_hdmi_patch_ops = {
82461 +static const struct hda_codec_ops generic_hdmi_patch_ops = {
82462 .init = generic_hdmi_init,
82463 .free = generic_hdmi_free,
82464 .build_pcms = generic_hdmi_build_pcms,
82465 @@ -1465,14 +1465,14 @@ static struct hda_pcm_stream nvhdmi_pcm_
82466 },
82467 };
82468
82469 -static struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
82470 +static const struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
82471 .build_controls = generic_hdmi_build_controls,
82472 .build_pcms = generic_hdmi_build_pcms,
82473 .init = nvhdmi_7x_init,
82474 .free = generic_hdmi_free,
82475 };
82476
82477 -static struct hda_codec_ops nvhdmi_patch_ops_2ch = {
82478 +static const struct hda_codec_ops nvhdmi_patch_ops_2ch = {
82479 .build_controls = generic_hdmi_build_controls,
82480 .build_pcms = generic_hdmi_build_pcms,
82481 .init = nvhdmi_7x_init,
82482 @@ -1599,7 +1599,7 @@ static int atihdmi_init(struct hda_codec
82483 return 0;
82484 }
82485
82486 -static struct hda_codec_ops atihdmi_patch_ops = {
82487 +static const struct hda_codec_ops atihdmi_patch_ops = {
82488 .build_controls = generic_hdmi_build_controls,
82489 .build_pcms = generic_hdmi_build_pcms,
82490 .init = atihdmi_init,
82491 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_realtek.c linux-2.6.39.1/sound/pci/hda/patch_realtek.c
82492 --- linux-2.6.39.1/sound/pci/hda/patch_realtek.c 2011-05-19 00:06:34.000000000 -0400
82493 +++ linux-2.6.39.1/sound/pci/hda/patch_realtek.c 2011-05-22 19:36:35.000000000 -0400
82494 @@ -4273,7 +4273,7 @@ static int alc_resume(struct hda_codec *
82495
82496 /*
82497 */
82498 -static struct hda_codec_ops alc_patch_ops = {
82499 +static const struct hda_codec_ops alc_patch_ops = {
82500 .build_controls = alc_build_controls,
82501 .build_pcms = alc_build_pcms,
82502 .init = alc_init,
82503 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_si3054.c linux-2.6.39.1/sound/pci/hda/patch_si3054.c
82504 --- linux-2.6.39.1/sound/pci/hda/patch_si3054.c 2011-05-19 00:06:34.000000000 -0400
82505 +++ linux-2.6.39.1/sound/pci/hda/patch_si3054.c 2011-05-22 19:36:35.000000000 -0400
82506 @@ -263,7 +263,7 @@ static void si3054_free(struct hda_codec
82507 /*
82508 */
82509
82510 -static struct hda_codec_ops si3054_patch_ops = {
82511 +static const struct hda_codec_ops si3054_patch_ops = {
82512 .build_controls = si3054_build_controls,
82513 .build_pcms = si3054_build_pcms,
82514 .init = si3054_init,
82515 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_sigmatel.c linux-2.6.39.1/sound/pci/hda/patch_sigmatel.c
82516 --- linux-2.6.39.1/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:04:14.000000000 -0400
82517 +++ linux-2.6.39.1/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:32:08.000000000 -0400
82518 @@ -4968,7 +4968,7 @@ static int stac92xx_suspend(struct hda_c
82519 }
82520 #endif
82521
82522 -static struct hda_codec_ops stac92xx_patch_ops = {
82523 +static const struct hda_codec_ops stac92xx_patch_ops = {
82524 .build_controls = stac92xx_build_controls,
82525 .build_pcms = stac92xx_build_pcms,
82526 .init = stac92xx_init,
82527 diff -urNp linux-2.6.39.1/sound/pci/hda/patch_via.c linux-2.6.39.1/sound/pci/hda/patch_via.c
82528 --- linux-2.6.39.1/sound/pci/hda/patch_via.c 2011-05-19 00:06:34.000000000 -0400
82529 +++ linux-2.6.39.1/sound/pci/hda/patch_via.c 2011-05-22 19:36:35.000000000 -0400
82530 @@ -2254,7 +2254,7 @@ static int via_check_power_status(struct
82531
82532 /*
82533 */
82534 -static struct hda_codec_ops via_patch_ops = {
82535 +static const struct hda_codec_ops via_patch_ops = {
82536 .build_controls = via_build_controls,
82537 .build_pcms = via_build_pcms,
82538 .init = via_init,
82539 diff -urNp linux-2.6.39.1/sound/pci/ice1712/ice1712.c linux-2.6.39.1/sound/pci/ice1712/ice1712.c
82540 --- linux-2.6.39.1/sound/pci/ice1712/ice1712.c 2011-05-19 00:06:34.000000000 -0400
82541 +++ linux-2.6.39.1/sound/pci/ice1712/ice1712.c 2011-05-22 19:36:35.000000000 -0400
82542 @@ -2541,7 +2541,7 @@ static int __devinit snd_ice1712_create(
82543 {
82544 struct snd_ice1712 *ice;
82545 int err;
82546 - static struct snd_device_ops ops = {
82547 + static const struct snd_device_ops ops = {
82548 .dev_free = snd_ice1712_dev_free,
82549 };
82550
82551 diff -urNp linux-2.6.39.1/sound/pci/ice1712/ice1724.c linux-2.6.39.1/sound/pci/ice1712/ice1724.c
82552 --- linux-2.6.39.1/sound/pci/ice1712/ice1724.c 2011-05-19 00:06:34.000000000 -0400
82553 +++ linux-2.6.39.1/sound/pci/ice1712/ice1724.c 2011-05-22 19:36:35.000000000 -0400
82554 @@ -367,7 +367,7 @@ static void vt1724_midi_output_drain(str
82555 } while (time_after(timeout, jiffies));
82556 }
82557
82558 -static struct snd_rawmidi_ops vt1724_midi_output_ops = {
82559 +static const struct snd_rawmidi_ops vt1724_midi_output_ops = {
82560 .open = vt1724_midi_output_open,
82561 .close = vt1724_midi_output_close,
82562 .trigger = vt1724_midi_output_trigger,
82563 @@ -402,7 +402,7 @@ static void vt1724_midi_input_trigger(st
82564 spin_unlock_irqrestore(&ice->reg_lock, flags);
82565 }
82566
82567 -static struct snd_rawmidi_ops vt1724_midi_input_ops = {
82568 +static const struct snd_rawmidi_ops vt1724_midi_input_ops = {
82569 .open = vt1724_midi_input_open,
82570 .close = vt1724_midi_input_close,
82571 .trigger = vt1724_midi_input_trigger,
82572 @@ -2463,7 +2463,7 @@ static int __devinit snd_vt1724_create(s
82573 {
82574 struct snd_ice1712 *ice;
82575 int err;
82576 - static struct snd_device_ops ops = {
82577 + static const struct snd_device_ops ops = {
82578 .dev_free = snd_vt1724_dev_free,
82579 };
82580
82581 diff -urNp linux-2.6.39.1/sound/pci/intel8x0.c linux-2.6.39.1/sound/pci/intel8x0.c
82582 --- linux-2.6.39.1/sound/pci/intel8x0.c 2011-05-19 00:06:34.000000000 -0400
82583 +++ linux-2.6.39.1/sound/pci/intel8x0.c 2011-05-22 19:36:35.000000000 -0400
82584 @@ -2152,12 +2152,12 @@ static int __devinit snd_intel8x0_mixer(
82585 int err;
82586 unsigned int i, codecs;
82587 unsigned int glob_sta = 0;
82588 - struct snd_ac97_bus_ops *ops;
82589 - static struct snd_ac97_bus_ops standard_bus_ops = {
82590 + const struct snd_ac97_bus_ops *ops;
82591 + static const struct snd_ac97_bus_ops standard_bus_ops = {
82592 .write = snd_intel8x0_codec_write,
82593 .read = snd_intel8x0_codec_read,
82594 };
82595 - static struct snd_ac97_bus_ops ali_bus_ops = {
82596 + static const struct snd_ac97_bus_ops ali_bus_ops = {
82597 .write = snd_intel8x0_ali_codec_write,
82598 .read = snd_intel8x0_ali_codec_read,
82599 };
82600 @@ -2921,7 +2921,7 @@ static int __devinit snd_intel8x0_create
82601 unsigned int i;
82602 unsigned int int_sta_masks;
82603 struct ichdev *ichdev;
82604 - static struct snd_device_ops ops = {
82605 + static const struct snd_device_ops ops = {
82606 .dev_free = snd_intel8x0_dev_free,
82607 };
82608
82609 diff -urNp linux-2.6.39.1/sound/pci/intel8x0m.c linux-2.6.39.1/sound/pci/intel8x0m.c
82610 --- linux-2.6.39.1/sound/pci/intel8x0m.c 2011-05-19 00:06:34.000000000 -0400
82611 +++ linux-2.6.39.1/sound/pci/intel8x0m.c 2011-05-22 19:36:35.000000000 -0400
82612 @@ -826,7 +826,7 @@ static int __devinit snd_intel8x0m_mixer
82613 struct snd_ac97 *x97;
82614 int err;
82615 unsigned int glob_sta = 0;
82616 - static struct snd_ac97_bus_ops ops = {
82617 + static const struct snd_ac97_bus_ops ops = {
82618 .write = snd_intel8x0m_codec_write,
82619 .read = snd_intel8x0m_codec_read,
82620 };
82621 @@ -1116,7 +1116,7 @@ static int __devinit snd_intel8x0m_creat
82622 unsigned int i;
82623 unsigned int int_sta_masks;
82624 struct ichdev *ichdev;
82625 - static struct snd_device_ops ops = {
82626 + static const struct snd_device_ops ops = {
82627 .dev_free = snd_intel8x0m_dev_free,
82628 };
82629 static struct ich_reg_info intel_regs[2] = {
82630 @@ -1265,7 +1265,7 @@ static struct shortname_table {
82631 { 0x5455, "ALi M5455" },
82632 { 0x746d, "AMD AMD8111" },
82633 #endif
82634 - { 0 },
82635 + { 0, },
82636 };
82637
82638 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
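Review bot: The terminator change from `{ 0 }` to `{ 0, }` has no effect in C, since both forms zero-initialise the remaining member, and it is unrelated to the constification in the rest of this file. If the aim is to make the sentinel explicit, and assuming the second member is a string pointer as the entries above suggest, `{ 0, NULL },` says so directly. Otherwise the line is better left untouched to keep the patch minimal. The table begins above the hunk.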
82639 diff -urNp linux-2.6.39.1/sound/pci/korg1212/korg1212.c linux-2.6.39.1/sound/pci/korg1212/korg1212.c
82640 --- linux-2.6.39.1/sound/pci/korg1212/korg1212.c 2011-05-19 00:06:34.000000000 -0400
82641 +++ linux-2.6.39.1/sound/pci/korg1212/korg1212.c 2011-05-22 19:36:35.000000000 -0400
82642 @@ -1682,7 +1682,7 @@ static int snd_korg1212_capture_copy(str
82643 return snd_korg1212_copy_to(korg1212, dst, pos, count, 0, korg1212->channels * 2);
82644 }
82645
82646 -static struct snd_pcm_ops snd_korg1212_playback_ops = {
82647 +static const struct snd_pcm_ops snd_korg1212_playback_ops = {
82648 .open = snd_korg1212_playback_open,
82649 .close = snd_korg1212_playback_close,
82650 .ioctl = snd_korg1212_ioctl,
82651 @@ -1694,7 +1694,7 @@ static struct snd_pcm_ops snd_korg1212_p
82652 .silence = snd_korg1212_playback_silence,
82653 };
82654
82655 -static struct snd_pcm_ops snd_korg1212_capture_ops = {
82656 +static const struct snd_pcm_ops snd_korg1212_capture_ops = {
82657 .open = snd_korg1212_capture_open,
82658 .close = snd_korg1212_capture_close,
82659 .ioctl = snd_korg1212_ioctl,
82660 @@ -2164,7 +2164,7 @@ static int __devinit snd_korg1212_create
82661 struct snd_korg1212 * korg1212;
82662 const struct firmware *dsp_code;
82663
82664 - static struct snd_device_ops ops = {
82665 + static const struct snd_device_ops ops = {
82666 .dev_free = snd_korg1212_dev_free,
82667 };
82668
82669 diff -urNp linux-2.6.39.1/sound/pci/maestro3.c linux-2.6.39.1/sound/pci/maestro3.c
82670 --- linux-2.6.39.1/sound/pci/maestro3.c 2011-05-19 00:06:34.000000000 -0400
82671 +++ linux-2.6.39.1/sound/pci/maestro3.c 2011-05-22 19:36:35.000000000 -0400
82672 @@ -1926,7 +1926,7 @@ snd_m3_capture_close(struct snd_pcm_subs
82673 * create pcm instance
82674 */
82675
82676 -static struct snd_pcm_ops snd_m3_playback_ops = {
82677 +static const struct snd_pcm_ops snd_m3_playback_ops = {
82678 .open = snd_m3_playback_open,
82679 .close = snd_m3_playback_close,
82680 .ioctl = snd_pcm_lib_ioctl,
82681 @@ -1937,7 +1937,7 @@ static struct snd_pcm_ops snd_m3_playbac
82682 .pointer = snd_m3_pcm_pointer,
82683 };
82684
82685 -static struct snd_pcm_ops snd_m3_capture_ops = {
82686 +static const struct snd_pcm_ops snd_m3_capture_ops = {
82687 .open = snd_m3_capture_open,
82688 .close = snd_m3_capture_close,
82689 .ioctl = snd_pcm_lib_ioctl,
82690 @@ -2150,7 +2150,7 @@ static int __devinit snd_m3_mixer(struct
82691 struct snd_ctl_elem_id elem_id;
82692 #endif
82693 int err;
82694 - static struct snd_ac97_bus_ops ops = {
82695 + static const struct snd_ac97_bus_ops ops = {
82696 .write = snd_m3_ac97_write,
82697 .read = snd_m3_ac97_read,
82698 };
82699 @@ -2643,7 +2643,7 @@ snd_m3_create(struct snd_card *card, str
82700 struct snd_m3 *chip;
82701 int i, err;
82702 const struct snd_pci_quirk *quirk;
82703 - static struct snd_device_ops ops = {
82704 + static const struct snd_device_ops ops = {
82705 .dev_free = snd_m3_dev_free,
82706 };
82707
82708 diff -urNp linux-2.6.39.1/sound/pci/mixart/mixart.c linux-2.6.39.1/sound/pci/mixart/mixart.c
82709 --- linux-2.6.39.1/sound/pci/mixart/mixart.c 2011-05-19 00:06:34.000000000 -0400
82710 +++ linux-2.6.39.1/sound/pci/mixart/mixart.c 2011-05-22 19:36:35.000000000 -0400
82711 @@ -887,7 +887,7 @@ static snd_pcm_uframes_t snd_mixart_stre
82712
82713
82714
82715 -static struct snd_pcm_ops snd_mixart_playback_ops = {
82716 +static const struct snd_pcm_ops snd_mixart_playback_ops = {
82717 .open = snd_mixart_playback_open,
82718 .close = snd_mixart_close,
82719 .ioctl = snd_pcm_lib_ioctl,
82720 @@ -898,7 +898,7 @@ static struct snd_pcm_ops snd_mixart_pla
82721 .pointer = snd_mixart_stream_pointer,
82722 };
82723
82724 -static struct snd_pcm_ops snd_mixart_capture_ops = {
82725 +static const struct snd_pcm_ops snd_mixart_capture_ops = {
82726 .open = snd_mixart_capture_open,
82727 .close = snd_mixart_close,
82728 .ioctl = snd_pcm_lib_ioctl,
82729 @@ -1008,7 +1008,7 @@ static int __devinit snd_mixart_create(s
82730 {
82731 int err;
82732 struct snd_mixart *chip;
82733 - static struct snd_device_ops ops = {
82734 + static const struct snd_device_ops ops = {
82735 .dev_free = snd_mixart_chip_dev_free,
82736 };
82737
82738 diff -urNp linux-2.6.39.1/sound/pci/nm256/nm256.c linux-2.6.39.1/sound/pci/nm256/nm256.c
82739 --- linux-2.6.39.1/sound/pci/nm256/nm256.c 2011-05-19 00:06:34.000000000 -0400
82740 +++ linux-2.6.39.1/sound/pci/nm256/nm256.c 2011-05-22 19:36:35.000000000 -0400
82741 @@ -899,7 +899,7 @@ snd_nm256_capture_close(struct snd_pcm_s
82742 /*
82743 * create a pcm instance
82744 */
82745 -static struct snd_pcm_ops snd_nm256_playback_ops = {
82746 +static const struct snd_pcm_ops snd_nm256_playback_ops = {
82747 .open = snd_nm256_playback_open,
82748 .close = snd_nm256_playback_close,
82749 .ioctl = snd_pcm_lib_ioctl,
82750 @@ -914,7 +914,7 @@ static struct snd_pcm_ops snd_nm256_play
82751 .mmap = snd_pcm_lib_mmap_iomem,
82752 };
82753
82754 -static struct snd_pcm_ops snd_nm256_capture_ops = {
82755 +static const struct snd_pcm_ops snd_nm256_capture_ops = {
82756 .open = snd_nm256_capture_open,
82757 .close = snd_nm256_capture_close,
82758 .ioctl = snd_pcm_lib_ioctl,
82759 @@ -1301,7 +1301,7 @@ snd_nm256_mixer(struct nm256 *chip)
82760 struct snd_ac97_bus *pbus;
82761 struct snd_ac97_template ac97;
82762 int err;
82763 - static struct snd_ac97_bus_ops ops = {
82764 + static const struct snd_ac97_bus_ops ops = {
82765 .reset = snd_nm256_ac97_reset,
82766 .write = snd_nm256_ac97_write,
82767 .read = snd_nm256_ac97_read,
82768 @@ -1471,7 +1471,7 @@ snd_nm256_create(struct snd_card *card,
82769 {
82770 struct nm256 *chip;
82771 int err, pval;
82772 - static struct snd_device_ops ops = {
82773 + static const struct snd_device_ops ops = {
82774 .dev_free = snd_nm256_dev_free,
82775 };
82776 u32 addr;
82777 diff -urNp linux-2.6.39.1/sound/pci/oxygen/oxygen_pcm.c linux-2.6.39.1/sound/pci/oxygen/oxygen_pcm.c
82778 --- linux-2.6.39.1/sound/pci/oxygen/oxygen_pcm.c 2011-05-19 00:06:34.000000000 -0400
82779 +++ linux-2.6.39.1/sound/pci/oxygen/oxygen_pcm.c 2011-05-22 19:36:35.000000000 -0400
82780 @@ -606,7 +606,7 @@ static snd_pcm_uframes_t oxygen_pointer(
82781 return bytes_to_frames(runtime, curr_addr - (u32)runtime->dma_addr);
82782 }
82783
82784 -static struct snd_pcm_ops oxygen_rec_a_ops = {
82785 +static const struct snd_pcm_ops oxygen_rec_a_ops = {
82786 .open = oxygen_rec_a_open,
82787 .close = oxygen_close,
82788 .ioctl = snd_pcm_lib_ioctl,
82789 @@ -617,7 +617,7 @@ static struct snd_pcm_ops oxygen_rec_a_o
82790 .pointer = oxygen_pointer,
82791 };
82792
82793 -static struct snd_pcm_ops oxygen_rec_b_ops = {
82794 +static const struct snd_pcm_ops oxygen_rec_b_ops = {
82795 .open = oxygen_rec_b_open,
82796 .close = oxygen_close,
82797 .ioctl = snd_pcm_lib_ioctl,
82798 @@ -628,7 +628,7 @@ static struct snd_pcm_ops oxygen_rec_b_o
82799 .pointer = oxygen_pointer,
82800 };
82801
82802 -static struct snd_pcm_ops oxygen_rec_c_ops = {
82803 +static const struct snd_pcm_ops oxygen_rec_c_ops = {
82804 .open = oxygen_rec_c_open,
82805 .close = oxygen_close,
82806 .ioctl = snd_pcm_lib_ioctl,
82807 @@ -639,7 +639,7 @@ static struct snd_pcm_ops oxygen_rec_c_o
82808 .pointer = oxygen_pointer,
82809 };
82810
82811 -static struct snd_pcm_ops oxygen_spdif_ops = {
82812 +static const struct snd_pcm_ops oxygen_spdif_ops = {
82813 .open = oxygen_spdif_open,
82814 .close = oxygen_close,
82815 .ioctl = snd_pcm_lib_ioctl,
82816 @@ -650,7 +650,7 @@ static struct snd_pcm_ops oxygen_spdif_o
82817 .pointer = oxygen_pointer,
82818 };
82819
82820 -static struct snd_pcm_ops oxygen_multich_ops = {
82821 +static const struct snd_pcm_ops oxygen_multich_ops = {
82822 .open = oxygen_multich_open,
82823 .close = oxygen_close,
82824 .ioctl = snd_pcm_lib_ioctl,
82825 @@ -661,7 +661,7 @@ static struct snd_pcm_ops oxygen_multich
82826 .pointer = oxygen_pointer,
82827 };
82828
82829 -static struct snd_pcm_ops oxygen_ac97_ops = {
82830 +static const struct snd_pcm_ops oxygen_ac97_ops = {
82831 .open = oxygen_ac97_open,
82832 .close = oxygen_close,
82833 .ioctl = snd_pcm_lib_ioctl,
82834 diff -urNp linux-2.6.39.1/sound/pci/pcxhr/pcxhr.c linux-2.6.39.1/sound/pci/pcxhr/pcxhr.c
82835 --- linux-2.6.39.1/sound/pci/pcxhr/pcxhr.c 2011-05-19 00:06:34.000000000 -0400
82836 +++ linux-2.6.39.1/sound/pci/pcxhr/pcxhr.c 2011-05-22 19:36:35.000000000 -0400
82837 @@ -1121,7 +1121,7 @@ static snd_pcm_uframes_t pcxhr_stream_po
82838 }
82839
82840
82841 -static struct snd_pcm_ops pcxhr_ops = {
82842 +static const struct snd_pcm_ops pcxhr_ops = {
82843 .open = pcxhr_open,
82844 .close = pcxhr_close,
82845 .ioctl = snd_pcm_lib_ioctl,
82846 @@ -1184,7 +1184,7 @@ static int __devinit pcxhr_create(struct
82847 {
82848 int err;
82849 struct snd_pcxhr *chip;
82850 - static struct snd_device_ops ops = {
82851 + static const struct snd_device_ops ops = {
82852 .dev_free = pcxhr_chip_dev_free,
82853 };
82854
82855 diff -urNp linux-2.6.39.1/sound/pci/riptide/riptide.c linux-2.6.39.1/sound/pci/riptide/riptide.c
82856 --- linux-2.6.39.1/sound/pci/riptide/riptide.c 2011-05-19 00:06:34.000000000 -0400
82857 +++ linux-2.6.39.1/sound/pci/riptide/riptide.c 2011-05-22 19:36:35.000000000 -0400
82858 @@ -1675,7 +1675,7 @@ static int snd_riptide_capture_close(str
82859 return 0;
82860 }
82861
82862 -static struct snd_pcm_ops snd_riptide_playback_ops = {
82863 +static const struct snd_pcm_ops snd_riptide_playback_ops = {
82864 .open = snd_riptide_playback_open,
82865 .close = snd_riptide_playback_close,
82866 .ioctl = snd_pcm_lib_ioctl,
82867 @@ -1686,7 +1686,7 @@ static struct snd_pcm_ops snd_riptide_pl
82868 .trigger = snd_riptide_trigger,
82869 .pointer = snd_riptide_pointer,
82870 };
82871 -static struct snd_pcm_ops snd_riptide_capture_ops = {
82872 +static const struct snd_pcm_ops snd_riptide_capture_ops = {
82873 .open = snd_riptide_capture_open,
82874 .close = snd_riptide_capture_close,
82875 .ioctl = snd_pcm_lib_ioctl,
82876 @@ -1857,7 +1857,7 @@ snd_riptide_create(struct snd_card *card
82877 struct snd_riptide *chip;
82878 struct riptideport *hwport;
82879 int err;
82880 - static struct snd_device_ops ops = {
82881 + static const struct snd_device_ops ops = {
82882 .dev_free = snd_riptide_dev_free,
82883 };
82884
82885 @@ -1999,7 +1999,7 @@ static int __devinit snd_riptide_mixer(s
82886 struct snd_ac97_bus *pbus;
82887 struct snd_ac97_template ac97;
82888 int err = 0;
82889 - static struct snd_ac97_bus_ops ops = {
82890 + static const struct snd_ac97_bus_ops ops = {
82891 .write = snd_riptide_codec_write,
82892 .read = snd_riptide_codec_read,
82893 };
82894 diff -urNp linux-2.6.39.1/sound/pci/rme32.c linux-2.6.39.1/sound/pci/rme32.c
82895 --- linux-2.6.39.1/sound/pci/rme32.c 2011-05-19 00:06:34.000000000 -0400
82896 +++ linux-2.6.39.1/sound/pci/rme32.c 2011-05-22 19:36:35.000000000 -0400
82897 @@ -1197,7 +1197,7 @@ snd_rme32_capture_fd_pointer(struct snd_
82898 }
82899
82900 /* for halfduplex mode */
82901 -static struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
82902 +static const struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
82903 .open = snd_rme32_playback_spdif_open,
82904 .close = snd_rme32_playback_close,
82905 .ioctl = snd_pcm_lib_ioctl,
82906 @@ -1211,7 +1211,7 @@ static struct snd_pcm_ops snd_rme32_play
82907 .mmap = snd_pcm_lib_mmap_iomem,
82908 };
82909
82910 -static struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
82911 +static const struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
82912 .open = snd_rme32_capture_spdif_open,
82913 .close = snd_rme32_capture_close,
82914 .ioctl = snd_pcm_lib_ioctl,
82915 @@ -1224,7 +1224,7 @@ static struct snd_pcm_ops snd_rme32_capt
82916 .mmap = snd_pcm_lib_mmap_iomem,
82917 };
82918
82919 -static struct snd_pcm_ops snd_rme32_playback_adat_ops = {
82920 +static const struct snd_pcm_ops snd_rme32_playback_adat_ops = {
82921 .open = snd_rme32_playback_adat_open,
82922 .close = snd_rme32_playback_close,
82923 .ioctl = snd_pcm_lib_ioctl,
82924 @@ -1237,7 +1237,7 @@ static struct snd_pcm_ops snd_rme32_play
82925 .mmap = snd_pcm_lib_mmap_iomem,
82926 };
82927
82928 -static struct snd_pcm_ops snd_rme32_capture_adat_ops = {
82929 +static const struct snd_pcm_ops snd_rme32_capture_adat_ops = {
82930 .open = snd_rme32_capture_adat_open,
82931 .close = snd_rme32_capture_close,
82932 .ioctl = snd_pcm_lib_ioctl,
82933 @@ -1250,7 +1250,7 @@ static struct snd_pcm_ops snd_rme32_capt
82934 };
82935
82936 /* for fullduplex mode */
82937 -static struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
82938 +static const struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
82939 .open = snd_rme32_playback_spdif_open,
82940 .close = snd_rme32_playback_close,
82941 .ioctl = snd_pcm_lib_ioctl,
82942 @@ -1262,7 +1262,7 @@ static struct snd_pcm_ops snd_rme32_play
82943 .ack = snd_rme32_playback_fd_ack,
82944 };
82945
82946 -static struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
82947 +static const struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
82948 .open = snd_rme32_capture_spdif_open,
82949 .close = snd_rme32_capture_close,
82950 .ioctl = snd_pcm_lib_ioctl,
82951 @@ -1274,7 +1274,7 @@ static struct snd_pcm_ops snd_rme32_capt
82952 .ack = snd_rme32_capture_fd_ack,
82953 };
82954
82955 -static struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
82956 +static const struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
82957 .open = snd_rme32_playback_adat_open,
82958 .close = snd_rme32_playback_close,
82959 .ioctl = snd_pcm_lib_ioctl,
82960 @@ -1285,7 +1285,7 @@ static struct snd_pcm_ops snd_rme32_play
82961 .ack = snd_rme32_playback_fd_ack,
82962 };
82963
82964 -static struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
82965 +static const struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
82966 .open = snd_rme32_capture_adat_open,
82967 .close = snd_rme32_capture_close,
82968 .ioctl = snd_pcm_lib_ioctl,
82969 diff -urNp linux-2.6.39.1/sound/pci/rme9652/hdsp.c linux-2.6.39.1/sound/pci/rme9652/hdsp.c
82970 --- linux-2.6.39.1/sound/pci/rme9652/hdsp.c 2011-05-19 00:06:34.000000000 -0400
82971 +++ linux-2.6.39.1/sound/pci/rme9652/hdsp.c 2011-05-22 19:36:35.000000000 -0400
82972 @@ -1469,15 +1469,13 @@ static int snd_hdsp_midi_output_close(st
82973 return 0;
82974 }
82975
82976 -static struct snd_rawmidi_ops snd_hdsp_midi_output =
82977 -{
82978 +static const struct snd_rawmidi_ops snd_hdsp_midi_output = {
82979 .open = snd_hdsp_midi_output_open,
82980 .close = snd_hdsp_midi_output_close,
82981 .trigger = snd_hdsp_midi_output_trigger,
82982 };
82983
82984 -static struct snd_rawmidi_ops snd_hdsp_midi_input =
82985 -{
82986 +static const struct snd_rawmidi_ops snd_hdsp_midi_input = {
82987 .open = snd_hdsp_midi_input_open,
82988 .close = snd_hdsp_midi_input_close,
82989 .trigger = snd_hdsp_midi_input_trigger,
82990 @@ -5135,7 +5133,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
82991 return 0;
82992 }
82993
82994 -static struct snd_pcm_ops snd_hdsp_playback_ops = {
82995 +static const struct snd_pcm_ops snd_hdsp_playback_ops = {
82996 .open = snd_hdsp_playback_open,
82997 .close = snd_hdsp_playback_release,
82998 .ioctl = snd_hdsp_ioctl,
82999 @@ -5147,7 +5145,7 @@ static struct snd_pcm_ops snd_hdsp_playb
83000 .silence = snd_hdsp_hw_silence,
83001 };
83002
83003 -static struct snd_pcm_ops snd_hdsp_capture_ops = {
83004 +static const struct snd_pcm_ops snd_hdsp_capture_ops = {
83005 .open = snd_hdsp_capture_open,
83006 .close = snd_hdsp_capture_release,
83007 .ioctl = snd_hdsp_ioctl,
83008 diff -urNp linux-2.6.39.1/sound/pci/rme9652/hdspm.c linux-2.6.39.1/sound/pci/rme9652/hdspm.c
83009 --- linux-2.6.39.1/sound/pci/rme9652/hdspm.c 2011-05-19 00:06:34.000000000 -0400
83010 +++ linux-2.6.39.1/sound/pci/rme9652/hdspm.c 2011-05-22 19:36:35.000000000 -0400
83011 @@ -1773,15 +1773,13 @@ static int snd_hdspm_midi_output_close(s
83012 return 0;
83013 }
83014
83015 -static struct snd_rawmidi_ops snd_hdspm_midi_output =
83016 -{
83017 +static const struct snd_rawmidi_ops snd_hdspm_midi_output = {
83018 .open = snd_hdspm_midi_output_open,
83019 .close = snd_hdspm_midi_output_close,
83020 .trigger = snd_hdspm_midi_output_trigger,
83021 };
83022
83023 -static struct snd_rawmidi_ops snd_hdspm_midi_input =
83024 -{
83025 +static const struct snd_rawmidi_ops snd_hdspm_midi_input = {
83026 .open = snd_hdspm_midi_input_open,
83027 .close = snd_hdspm_midi_input_close,
83028 .trigger = snd_hdspm_midi_input_trigger,
83029 @@ -6172,7 +6170,7 @@ static int snd_hdspm_hwdep_ioctl(struct
83030 return 0;
83031 }
83032
83033 -static struct snd_pcm_ops snd_hdspm_playback_ops = {
83034 +static const struct snd_pcm_ops snd_hdspm_playback_ops = {
83035 .open = snd_hdspm_playback_open,
83036 .close = snd_hdspm_playback_release,
83037 .ioctl = snd_hdspm_ioctl,
83038 @@ -6184,7 +6182,7 @@ static struct snd_pcm_ops snd_hdspm_play
83039 .page = snd_pcm_sgbuf_ops_page,
83040 };
83041
83042 -static struct snd_pcm_ops snd_hdspm_capture_ops = {
83043 +static const struct snd_pcm_ops snd_hdspm_capture_ops = {
83044 .open = snd_hdspm_capture_open,
83045 .close = snd_hdspm_capture_release,
83046 .ioctl = snd_hdspm_ioctl,
83047 diff -urNp linux-2.6.39.1/sound/pci/rme9652/rme9652.c linux-2.6.39.1/sound/pci/rme9652/rme9652.c
83048 --- linux-2.6.39.1/sound/pci/rme9652/rme9652.c 2011-05-19 00:06:34.000000000 -0400
83049 +++ linux-2.6.39.1/sound/pci/rme9652/rme9652.c 2011-05-22 19:36:35.000000000 -0400
83050 @@ -2391,7 +2391,7 @@ static int snd_rme9652_capture_release(s
83051 return 0;
83052 }
83053
83054 -static struct snd_pcm_ops snd_rme9652_playback_ops = {
83055 +static const struct snd_pcm_ops snd_rme9652_playback_ops = {
83056 .open = snd_rme9652_playback_open,
83057 .close = snd_rme9652_playback_release,
83058 .ioctl = snd_rme9652_ioctl,
83059 @@ -2403,7 +2403,7 @@ static struct snd_pcm_ops snd_rme9652_pl
83060 .silence = snd_rme9652_hw_silence,
83061 };
83062
83063 -static struct snd_pcm_ops snd_rme9652_capture_ops = {
83064 +static const struct snd_pcm_ops snd_rme9652_capture_ops = {
83065 .open = snd_rme9652_capture_open,
83066 .close = snd_rme9652_capture_release,
83067 .ioctl = snd_rme9652_ioctl,
83068 diff -urNp linux-2.6.39.1/sound/pci/rme96.c linux-2.6.39.1/sound/pci/rme96.c
83069 --- linux-2.6.39.1/sound/pci/rme96.c 2011-05-19 00:06:34.000000000 -0400
83070 +++ linux-2.6.39.1/sound/pci/rme96.c 2011-05-22 19:36:35.000000000 -0400
83071 @@ -1447,7 +1447,7 @@ snd_rme96_capture_pointer(struct snd_pcm
83072 return snd_rme96_capture_ptr(rme96);
83073 }
83074
83075 -static struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83076 +static const struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83077 .open = snd_rme96_playback_spdif_open,
83078 .close = snd_rme96_playback_close,
83079 .ioctl = snd_pcm_lib_ioctl,
83080 @@ -1460,7 +1460,7 @@ static struct snd_pcm_ops snd_rme96_play
83081 .mmap = snd_pcm_lib_mmap_iomem,
83082 };
83083
83084 -static struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83085 +static const struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83086 .open = snd_rme96_capture_spdif_open,
83087 .close = snd_rme96_capture_close,
83088 .ioctl = snd_pcm_lib_ioctl,
83089 @@ -1472,7 +1472,7 @@ static struct snd_pcm_ops snd_rme96_capt
83090 .mmap = snd_pcm_lib_mmap_iomem,
83091 };
83092
83093 -static struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83094 +static const struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83095 .open = snd_rme96_playback_adat_open,
83096 .close = snd_rme96_playback_close,
83097 .ioctl = snd_pcm_lib_ioctl,
83098 @@ -1485,7 +1485,7 @@ static struct snd_pcm_ops snd_rme96_play
83099 .mmap = snd_pcm_lib_mmap_iomem,
83100 };
83101
83102 -static struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83103 +static const struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83104 .open = snd_rme96_capture_adat_open,
83105 .close = snd_rme96_capture_close,
83106 .ioctl = snd_pcm_lib_ioctl,
83107 diff -urNp linux-2.6.39.1/sound/pci/sis7019.c linux-2.6.39.1/sound/pci/sis7019.c
83108 --- linux-2.6.39.1/sound/pci/sis7019.c 2011-05-19 00:06:34.000000000 -0400
83109 +++ linux-2.6.39.1/sound/pci/sis7019.c 2011-05-22 19:36:35.000000000 -0400
83110 @@ -1011,7 +1011,7 @@ static int __devinit sis_mixer_create(st
83111 {
83112 struct snd_ac97_bus *bus;
83113 struct snd_ac97_template ac97;
83114 - static struct snd_ac97_bus_ops ops = {
83115 + static const struct snd_ac97_bus_ops ops = {
83116 .write = sis_ac97_write,
83117 .read = sis_ac97_read,
83118 };
83119 @@ -1293,7 +1293,7 @@ static int __devinit sis_chip_create(str
83120 {
83121 struct sis7019 *sis = card->private_data;
83122 struct voice *voice;
83123 - static struct snd_device_ops ops = {
83124 + static const struct snd_device_ops ops = {
83125 .dev_free = sis_dev_free,
83126 };
83127 int rc;
83128 diff -urNp linux-2.6.39.1/sound/pci/sonicvibes.c linux-2.6.39.1/sound/pci/sonicvibes.c
83129 --- linux-2.6.39.1/sound/pci/sonicvibes.c 2011-05-19 00:06:34.000000000 -0400
83130 +++ linux-2.6.39.1/sound/pci/sonicvibes.c 2011-05-22 19:36:35.000000000 -0400
83131 @@ -855,7 +855,7 @@ static int snd_sonicvibes_capture_close(
83132 return 0;
83133 }
83134
83135 -static struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83136 +static const struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83137 .open = snd_sonicvibes_playback_open,
83138 .close = snd_sonicvibes_playback_close,
83139 .ioctl = snd_pcm_lib_ioctl,
83140 @@ -866,7 +866,7 @@ static struct snd_pcm_ops snd_sonicvibes
83141 .pointer = snd_sonicvibes_playback_pointer,
83142 };
83143
83144 -static struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83145 +static const struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83146 .open = snd_sonicvibes_capture_open,
83147 .close = snd_sonicvibes_capture_close,
83148 .ioctl = snd_pcm_lib_ioctl,
83149 @@ -1255,7 +1255,7 @@ static int __devinit snd_sonicvibes_crea
83150 struct sonicvibes *sonic;
83151 unsigned int dmaa, dmac;
83152 int err;
83153 - static struct snd_device_ops ops = {
83154 + static const struct snd_device_ops ops = {
83155 .dev_free = snd_sonicvibes_dev_free,
83156 };
83157
83158 diff -urNp linux-2.6.39.1/sound/pci/trident/trident_main.c linux-2.6.39.1/sound/pci/trident/trident_main.c
83159 --- linux-2.6.39.1/sound/pci/trident/trident_main.c 2011-05-19 00:06:34.000000000 -0400
83160 +++ linux-2.6.39.1/sound/pci/trident/trident_main.c 2011-05-22 19:36:35.000000000 -0400
83161 @@ -3549,7 +3549,7 @@ int __devinit snd_trident_create(struct
83162 int i, err;
83163 struct snd_trident_voice *voice;
83164 struct snd_trident_pcm_mixer *tmix;
83165 - static struct snd_device_ops ops = {
83166 + static const struct snd_device_ops ops = {
83167 .dev_free = snd_trident_dev_free,
83168 };
83169
83170 diff -urNp linux-2.6.39.1/sound/pci/via82xx.c linux-2.6.39.1/sound/pci/via82xx.c
83171 --- linux-2.6.39.1/sound/pci/via82xx.c 2011-05-19 00:06:34.000000000 -0400
83172 +++ linux-2.6.39.1/sound/pci/via82xx.c 2011-05-22 19:36:35.000000000 -0400
83173 @@ -1352,7 +1352,7 @@ static int snd_via8233_playback_close(st
83174
83175
83176 /* via686 playback callbacks */
83177 -static struct snd_pcm_ops snd_via686_playback_ops = {
83178 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83179 .open = snd_via686_playback_open,
83180 .close = snd_via82xx_pcm_close,
83181 .ioctl = snd_pcm_lib_ioctl,
83182 @@ -1365,7 +1365,7 @@ static struct snd_pcm_ops snd_via686_pla
83183 };
83184
83185 /* via686 capture callbacks */
83186 -static struct snd_pcm_ops snd_via686_capture_ops = {
83187 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83188 .open = snd_via82xx_capture_open,
83189 .close = snd_via82xx_pcm_close,
83190 .ioctl = snd_pcm_lib_ioctl,
83191 @@ -1378,7 +1378,7 @@ static struct snd_pcm_ops snd_via686_cap
83192 };
83193
83194 /* via823x DSX playback callbacks */
83195 -static struct snd_pcm_ops snd_via8233_playback_ops = {
83196 +static const struct snd_pcm_ops snd_via8233_playback_ops = {
83197 .open = snd_via8233_playback_open,
83198 .close = snd_via8233_playback_close,
83199 .ioctl = snd_pcm_lib_ioctl,
83200 @@ -1391,7 +1391,7 @@ static struct snd_pcm_ops snd_via8233_pl
83201 };
83202
83203 /* via823x multi-channel playback callbacks */
83204 -static struct snd_pcm_ops snd_via8233_multi_ops = {
83205 +static const struct snd_pcm_ops snd_via8233_multi_ops = {
83206 .open = snd_via8233_multi_open,
83207 .close = snd_via82xx_pcm_close,
83208 .ioctl = snd_pcm_lib_ioctl,
83209 @@ -1404,7 +1404,7 @@ static struct snd_pcm_ops snd_via8233_mu
83210 };
83211
83212 /* via823x capture callbacks */
83213 -static struct snd_pcm_ops snd_via8233_capture_ops = {
83214 +static const struct snd_pcm_ops snd_via8233_capture_ops = {
83215 .open = snd_via82xx_capture_open,
83216 .close = snd_via82xx_pcm_close,
83217 .ioctl = snd_pcm_lib_ioctl,
83218 @@ -1868,7 +1868,7 @@ static int __devinit snd_via82xx_mixer_n
83219 {
83220 struct snd_ac97_template ac97;
83221 int err;
83222 - static struct snd_ac97_bus_ops ops = {
83223 + static const struct snd_ac97_bus_ops ops = {
83224 .write = snd_via82xx_codec_write,
83225 .read = snd_via82xx_codec_read,
83226 .wait = snd_via82xx_codec_wait,
83227 @@ -2340,7 +2340,7 @@ static int __devinit snd_via82xx_create(
83228 {
83229 struct via82xx *chip;
83230 int err;
83231 - static struct snd_device_ops ops = {
83232 + static const struct snd_device_ops ops = {
83233 .dev_free = snd_via82xx_dev_free,
83234 };
83235
83236 diff -urNp linux-2.6.39.1/sound/pci/via82xx_modem.c linux-2.6.39.1/sound/pci/via82xx_modem.c
83237 --- linux-2.6.39.1/sound/pci/via82xx_modem.c 2011-05-19 00:06:34.000000000 -0400
83238 +++ linux-2.6.39.1/sound/pci/via82xx_modem.c 2011-05-22 19:36:35.000000000 -0400
83239 @@ -799,7 +799,7 @@ static int snd_via82xx_pcm_close(struct
83240
83241
83242 /* via686 playback callbacks */
83243 -static struct snd_pcm_ops snd_via686_playback_ops = {
83244 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83245 .open = snd_via82xx_playback_open,
83246 .close = snd_via82xx_pcm_close,
83247 .ioctl = snd_pcm_lib_ioctl,
83248 @@ -812,7 +812,7 @@ static struct snd_pcm_ops snd_via686_pla
83249 };
83250
83251 /* via686 capture callbacks */
83252 -static struct snd_pcm_ops snd_via686_capture_ops = {
83253 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83254 .open = snd_via82xx_capture_open,
83255 .close = snd_via82xx_pcm_close,
83256 .ioctl = snd_pcm_lib_ioctl,
83257 @@ -889,7 +889,7 @@ static int __devinit snd_via82xx_mixer_n
83258 {
83259 struct snd_ac97_template ac97;
83260 int err;
83261 - static struct snd_ac97_bus_ops ops = {
83262 + static const struct snd_ac97_bus_ops ops = {
83263 .write = snd_via82xx_codec_write,
83264 .read = snd_via82xx_codec_read,
83265 .wait = snd_via82xx_codec_wait,
83266 @@ -1105,7 +1105,7 @@ static int __devinit snd_via82xx_create(
83267 {
83268 struct via82xx_modem *chip;
83269 int err;
83270 - static struct snd_device_ops ops = {
83271 + static const struct snd_device_ops ops = {
83272 .dev_free = snd_via82xx_dev_free,
83273 };
83274
83275 diff -urNp linux-2.6.39.1/sound/pci/vx222/vx222.c linux-2.6.39.1/sound/pci/vx222/vx222.c
83276 --- linux-2.6.39.1/sound/pci/vx222/vx222.c 2011-05-19 00:06:34.000000000 -0400
83277 +++ linux-2.6.39.1/sound/pci/vx222/vx222.c 2011-05-22 19:36:35.000000000 -0400
83278 @@ -141,7 +141,7 @@ static int __devinit snd_vx222_create(st
83279 struct vx_core *chip;
83280 struct snd_vx222 *vx;
83281 int i, err;
83282 - static struct snd_device_ops ops = {
83283 + static const struct snd_device_ops ops = {
83284 .dev_free = snd_vx222_dev_free,
83285 };
83286 struct snd_vx_ops *vx_ops;
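Review bot: `struct snd_vx_ops *vx_ops;` on the line after the new `static const` table is still a pointer to a mutable ops structure, so the hardware-callback tables it selects are presumably left writable while the `dev_free` table next to it becomes read-only. If the `snd_vx_ops` tables are never modified after initialisation (not visible here), the declaration could become `const struct snd_vx_ops *vx_ops;`, together with the tables themselves and the prototype of whatever consumes the pointer. snd_vx222_create() continues outside the hunk.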
83287 diff -urNp linux-2.6.39.1/sound/pci/ymfpci/ymfpci_main.c linux-2.6.39.1/sound/pci/ymfpci/ymfpci_main.c
83288 --- linux-2.6.39.1/sound/pci/ymfpci/ymfpci_main.c 2011-05-19 00:06:34.000000000 -0400
83289 +++ linux-2.6.39.1/sound/pci/ymfpci/ymfpci_main.c 2011-05-22 19:36:35.000000000 -0400
83290 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
83291 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
83292 break;
83293 }
83294 - if (atomic_read(&chip->interrupt_sleep_count)) {
83295 - atomic_set(&chip->interrupt_sleep_count, 0);
83296 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83297 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83298 wake_up(&chip->interrupt_sleep);
83299 }
83300 __end:
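Review bot: The switch to `atomic_read_unchecked()` and `atomic_set_unchecked()` opts `interrupt_sleep_count` out of the overflow detection that PaX's reference-counter protection applies to plain `atomic_t`, and nothing in the hunk records why that is acceptable. A short comment at the first use, e.g. `/* sleeper count used only as a wake-up flag, not a reference count; overflow checking not needed */`, would document the decision; the same applies to the hunks at -787, -825 and -2363 in this file. The calls also require the field to be declared `atomic_unchecked_t` in the chip structure, which is defined outside this file section and should be confirmed. snd_ymfpci_hw_stop() starts above the hunk.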
83301 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
83302 continue;
83303 init_waitqueue_entry(&wait, current);
83304 add_wait_queue(&chip->interrupt_sleep, &wait);
83305 - atomic_inc(&chip->interrupt_sleep_count);
83306 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
83307 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
83308 remove_wait_queue(&chip->interrupt_sleep, &wait);
83309 }
83310 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
83311 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
83312 spin_unlock(&chip->reg_lock);
83313
83314 - if (atomic_read(&chip->interrupt_sleep_count)) {
83315 - atomic_set(&chip->interrupt_sleep_count, 0);
83316 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83317 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83318 wake_up(&chip->interrupt_sleep);
83319 }
83320 }
83321 @@ -2344,7 +2344,7 @@ int __devinit snd_ymfpci_create(struct s
83322 {
83323 struct snd_ymfpci *chip;
83324 int err;
83325 - static struct snd_device_ops ops = {
83326 + static const struct snd_device_ops ops = {
83327 .dev_free = snd_ymfpci_dev_free,
83328 };
83329
83330 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
83331 spin_lock_init(&chip->reg_lock);
83332 spin_lock_init(&chip->voice_lock);
83333 init_waitqueue_head(&chip->interrupt_sleep);
83334 - atomic_set(&chip->interrupt_sleep_count, 0);
83335 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83336 chip->card = card;
83337 chip->pci = pci;
83338 chip->irq = -1;
83339 diff -urNp linux-2.6.39.1/sound/pcmcia/pdaudiocf/pdaudiocf.c linux-2.6.39.1/sound/pcmcia/pdaudiocf/pdaudiocf.c
83340 --- linux-2.6.39.1/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-19 00:06:34.000000000 -0400
83341 +++ linux-2.6.39.1/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-22 19:36:35.000000000 -0400
83342 @@ -94,7 +94,7 @@ static int snd_pdacf_probe(struct pcmcia
83343 int i, err;
83344 struct snd_pdacf *pdacf;
83345 struct snd_card *card;
83346 - static struct snd_device_ops ops = {
83347 + static const struct snd_device_ops ops = {
83348 .dev_free = snd_pdacf_dev_free,
83349 };
83350
83351 diff -urNp linux-2.6.39.1/sound/pcmcia/vx/vxpocket.c linux-2.6.39.1/sound/pcmcia/vx/vxpocket.c
83352 --- linux-2.6.39.1/sound/pcmcia/vx/vxpocket.c 2011-05-19 00:06:34.000000000 -0400
83353 +++ linux-2.6.39.1/sound/pcmcia/vx/vxpocket.c 2011-05-22 19:36:35.000000000 -0400
83354 @@ -137,7 +137,7 @@ static int snd_vxpocket_new(struct snd_c
83355 {
83356 struct vx_core *chip;
83357 struct snd_vxpocket *vxp;
83358 - static struct snd_device_ops ops = {
83359 + static const struct snd_device_ops ops = {
83360 .dev_free = snd_vxpocket_dev_free,
83361 };
83362 int err;
83363 diff -urNp linux-2.6.39.1/sound/ppc/pmac.c linux-2.6.39.1/sound/ppc/pmac.c
83364 --- linux-2.6.39.1/sound/ppc/pmac.c 2011-05-19 00:06:34.000000000 -0400
83365 +++ linux-2.6.39.1/sound/ppc/pmac.c 2011-05-22 19:36:35.000000000 -0400
83366 @@ -1186,7 +1186,7 @@ int __devinit snd_pmac_new(struct snd_ca
83367 int i, err;
83368 unsigned int irq;
83369 unsigned long ctrl_addr, txdma_addr, rxdma_addr;
83370 - static struct snd_device_ops ops = {
83371 + static const struct snd_device_ops ops = {
83372 .dev_free = snd_pmac_dev_free,
83373 };
83374
83375 diff -urNp linux-2.6.39.1/sound/ppc/snd_ps3.c linux-2.6.39.1/sound/ppc/snd_ps3.c
83376 --- linux-2.6.39.1/sound/ppc/snd_ps3.c 2011-05-19 00:06:34.000000000 -0400
83377 +++ linux-2.6.39.1/sound/ppc/snd_ps3.c 2011-05-22 19:36:35.000000000 -0400
83378 @@ -773,7 +773,7 @@ static struct snd_kcontrol_new spdif_ctl
83379 },
83380 };
83381
83382 -static struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83383 +static const struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83384 .open = snd_ps3_pcm_open,
83385 .close = snd_ps3_pcm_close,
83386 .ioctl = snd_pcm_lib_ioctl,
83387 diff -urNp linux-2.6.39.1/sound/sh/aica.c linux-2.6.39.1/sound/sh/aica.c
83388 --- linux-2.6.39.1/sound/sh/aica.c 2011-05-19 00:06:34.000000000 -0400
83389 +++ linux-2.6.39.1/sound/sh/aica.c 2011-05-22 19:36:35.000000000 -0400
83390 @@ -441,7 +441,7 @@ static unsigned long snd_aicapcm_pcm_poi
83391 return readl(AICA_CONTROL_CHANNEL_SAMPLE_NUMBER);
83392 }
83393
83394 -static struct snd_pcm_ops snd_aicapcm_playback_ops = {
83395 +static const struct snd_pcm_ops snd_aicapcm_playback_ops = {
83396 .open = snd_aicapcm_pcm_open,
83397 .close = snd_aicapcm_pcm_close,
83398 .ioctl = snd_pcm_lib_ioctl,
83399 diff -urNp linux-2.6.39.1/sound/sh/sh_dac_audio.c linux-2.6.39.1/sound/sh/sh_dac_audio.c
83400 --- linux-2.6.39.1/sound/sh/sh_dac_audio.c 2011-05-19 00:06:34.000000000 -0400
83401 +++ linux-2.6.39.1/sound/sh/sh_dac_audio.c 2011-05-22 19:36:35.000000000 -0400
83402 @@ -246,7 +246,7 @@ snd_pcm_uframes_t snd_sh_dac_pcm_pointer
83403 }
83404
83405 /* pcm ops */
83406 -static struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83407 +static const struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83408 .open = snd_sh_dac_pcm_open,
83409 .close = snd_sh_dac_pcm_close,
83410 .ioctl = snd_pcm_lib_ioctl,
83411 @@ -352,7 +352,7 @@ static int __devinit snd_sh_dac_create(s
83412 struct snd_sh_dac *chip;
83413 int err;
83414
83415 - static struct snd_device_ops ops = {
83416 + static const struct snd_device_ops ops = {
83417 .dev_free = snd_sh_dac_dev_free,
83418 };
83419
83420 diff -urNp linux-2.6.39.1/sound/soc/atmel/atmel-pcm.c linux-2.6.39.1/sound/soc/atmel/atmel-pcm.c
83421 --- linux-2.6.39.1/sound/soc/atmel/atmel-pcm.c 2011-05-19 00:06:34.000000000 -0400
83422 +++ linux-2.6.39.1/sound/soc/atmel/atmel-pcm.c 2011-05-22 19:36:35.000000000 -0400
83423 @@ -346,7 +346,7 @@ static int atmel_pcm_mmap(struct snd_pcm
83424 vma->vm_end - vma->vm_start, vma->vm_page_prot);
83425 }
83426
83427 -static struct snd_pcm_ops atmel_pcm_ops = {
83428 +static const struct snd_pcm_ops atmel_pcm_ops = {
83429 .open = atmel_pcm_open,
83430 .close = atmel_pcm_close,
83431 .ioctl = snd_pcm_lib_ioctl,
83432 diff -urNp linux-2.6.39.1/sound/soc/atmel/playpaq_wm8510.c linux-2.6.39.1/sound/soc/atmel/playpaq_wm8510.c
83433 --- linux-2.6.39.1/sound/soc/atmel/playpaq_wm8510.c 2011-05-19 00:06:34.000000000 -0400
83434 +++ linux-2.6.39.1/sound/soc/atmel/playpaq_wm8510.c 2011-05-22 19:36:35.000000000 -0400
83435 @@ -289,7 +289,7 @@ static int playpaq_wm8510_hw_params(stru
83436
83437
83438
83439 -static struct snd_soc_ops playpaq_wm8510_ops = {
83440 +static const struct snd_soc_ops playpaq_wm8510_ops = {
83441 .hw_params = playpaq_wm8510_hw_params,
83442 };
83443
83444 diff -urNp linux-2.6.39.1/sound/soc/atmel/sam9g20_wm8731.c linux-2.6.39.1/sound/soc/atmel/sam9g20_wm8731.c
83445 --- linux-2.6.39.1/sound/soc/atmel/sam9g20_wm8731.c 2011-05-19 00:06:34.000000000 -0400
83446 +++ linux-2.6.39.1/sound/soc/atmel/sam9g20_wm8731.c 2011-05-22 19:36:35.000000000 -0400
83447 @@ -87,7 +87,7 @@ static int at91sam9g20ek_hw_params(struc
83448 return 0;
83449 }
83450
83451 -static struct snd_soc_ops at91sam9g20ek_ops = {
83452 +static const struct snd_soc_ops at91sam9g20ek_ops = {
83453 .hw_params = at91sam9g20ek_hw_params,
83454 };
83455
83456 diff -urNp linux-2.6.39.1/sound/soc/atmel/snd-soc-afeb9260.c linux-2.6.39.1/sound/soc/atmel/snd-soc-afeb9260.c
83457 --- linux-2.6.39.1/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-19 00:06:34.000000000 -0400
83458 +++ linux-2.6.39.1/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-22 19:36:35.000000000 -0400
83459 @@ -81,7 +81,7 @@ static int afeb9260_hw_params(struct snd
83460 return err;
83461 }
83462
83463 -static struct snd_soc_ops afeb9260_ops = {
83464 +static const struct snd_soc_ops afeb9260_ops = {
83465 .hw_params = afeb9260_hw_params,
83466 };
83467
83468 diff -urNp linux-2.6.39.1/sound/soc/au1x/db1200.c linux-2.6.39.1/sound/soc/au1x/db1200.c
83469 --- linux-2.6.39.1/sound/soc/au1x/db1200.c 2011-05-19 00:06:34.000000000 -0400
83470 +++ linux-2.6.39.1/sound/soc/au1x/db1200.c 2011-05-22 19:36:35.000000000 -0400
83471 @@ -67,7 +67,7 @@ out:
83472 return ret;
83473 }
83474
83475 -static struct snd_soc_ops db1200_i2s_wm8731_ops = {
83476 +static const struct snd_soc_ops db1200_i2s_wm8731_ops = {
83477 .startup = db1200_i2s_startup,
83478 };
83479
83480 diff -urNp linux-2.6.39.1/sound/soc/au1x/dbdma2.c linux-2.6.39.1/sound/soc/au1x/dbdma2.c
83481 --- linux-2.6.39.1/sound/soc/au1x/dbdma2.c 2011-05-19 00:06:34.000000000 -0400
83482 +++ linux-2.6.39.1/sound/soc/au1x/dbdma2.c 2011-05-22 19:36:35.000000000 -0400
83483 @@ -303,7 +303,7 @@ static int au1xpsc_pcm_close(struct snd_
83484 return 0;
83485 }
83486
83487 -static struct snd_pcm_ops au1xpsc_pcm_ops = {
83488 +static const struct snd_pcm_ops au1xpsc_pcm_ops = {
83489 .open = au1xpsc_pcm_open,
83490 .close = au1xpsc_pcm_close,
83491 .ioctl = snd_pcm_lib_ioctl,
83492 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.c
83493 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
83494 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
83495 @@ -244,7 +244,7 @@ static void bf5xx_ac97_cold_reset(struct
83496 #endif
83497 }
83498
83499 -struct snd_ac97_bus_ops soc_ac97_ops = {
83500 +const struct snd_ac97_bus_ops soc_ac97_ops = {
83501 .read = bf5xx_ac97_read,
83502 .write = bf5xx_ac97_write,
83503 .warm_reset = bf5xx_ac97_warm_reset,
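Review bot: `soc_ac97_ops` has external linkage, so adding `const` to the definition here requires the same qualifier on its `extern` declaration in whichever header exports it. That declaration is not in this section, and a mismatch there is a conflicting-types compile error rather than a warning. The same holds for the `soc_ac97_ops` definition in ep93xx-ac97.c further down. It is worth confirming that the shared declaration is updated in the same patch, e.g. `extern const struct snd_ac97_bus_ops soc_ac97_ops;`.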
83504 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.h linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.h
83505 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
83506 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
83507 @@ -9,7 +9,7 @@
83508 #ifndef _BF5XX_AC97_H
83509 #define _BF5XX_AC97_H
83510
83511 -extern struct snd_ac97_bus_ops bf5xx_ac97_ops;
83512 +extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;
83513 extern struct snd_ac97 *ac97;
83514 /* Frame format in memory, only support stereo currently */
83515 struct ac97_frame {
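Review bot: The declaration `extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;` names a symbol that the bf5xx-ac97.c section above does not define; the table there is called `soc_ac97_ops`. If no `bf5xx_ac97_ops` definition exists elsewhere (not visible from this page), the declaration is stale and the added `const` protects nothing, so removing the line would be cleaner than qualifying it. If a definition does exist, it needs the same `const`.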
83516 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97-pcm.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97-pcm.c
83517 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-19 00:06:34.000000000 -0400
83518 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-22 19:36:35.000000000 -0400
83519 @@ -297,7 +297,7 @@ static int bf5xx_pcm_copy(struct snd_pcm
83520 }
83521 #endif
83522
83523 -static struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
83524 +static const struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
83525 .open = bf5xx_pcm_open,
83526 .ioctl = snd_pcm_lib_ioctl,
83527 .hw_params = bf5xx_pcm_hw_params,
83528 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1836.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1836.c
83529 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-19 00:06:34.000000000 -0400
83530 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-22 19:36:35.000000000 -0400
83531 @@ -74,7 +74,7 @@ static int bf5xx_ad1836_hw_params(struct
83532 return 0;
83533 }
83534
83535 -static struct snd_soc_ops bf5xx_ad1836_ops = {
83536 +static const struct snd_soc_ops bf5xx_ad1836_ops = {
83537 .startup = bf5xx_ad1836_startup,
83538 .hw_params = bf5xx_ad1836_hw_params,
83539 };
83540 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad193x.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad193x.c
83541 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-19 00:06:34.000000000 -0400
83542 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-22 19:36:35.000000000 -0400
83543 @@ -88,7 +88,7 @@ static int bf5xx_ad193x_hw_params(struct
83544 return 0;
83545 }
83546
83547 -static struct snd_soc_ops bf5xx_ad193x_ops = {
83548 +static const struct snd_soc_ops bf5xx_ad193x_ops = {
83549 .startup = bf5xx_ad193x_startup,
83550 .hw_params = bf5xx_ad193x_hw_params,
83551 };
83552 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1980.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1980.c
83553 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-19 00:06:34.000000000 -0400
83554 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-22 19:36:35.000000000 -0400
83555 @@ -63,7 +63,7 @@ static int bf5xx_board_startup(struct sn
83556 return 0;
83557 }
83558
83559 -static struct snd_soc_ops bf5xx_board_ops = {
83560 +static const struct snd_soc_ops bf5xx_board_ops = {
83561 .startup = bf5xx_board_startup,
83562 };
83563
83564 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad73311.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad73311.c
83565 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-19 00:06:34.000000000 -0400
83566 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-22 19:36:35.000000000 -0400
83567 @@ -175,7 +175,7 @@ static int bf5xx_ad73311_hw_params(struc
83568 }
83569
83570
83571 -static struct snd_soc_ops bf5xx_ad73311_ops = {
83572 +static const struct snd_soc_ops bf5xx_ad73311_ops = {
83573 .startup = bf5xx_ad73311_startup,
83574 .hw_params = bf5xx_ad73311_hw_params,
83575 };
83576 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-i2s-pcm.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-i2s-pcm.c
83577 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-19 00:06:34.000000000 -0400
83578 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-22 19:36:35.000000000 -0400
83579 @@ -183,7 +183,7 @@ static int bf5xx_pcm_mmap(struct snd_pcm
83580 return 0 ;
83581 }
83582
83583 -static struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
83584 +static const struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
83585 .open = bf5xx_pcm_open,
83586 .ioctl = snd_pcm_lib_ioctl,
83587 .hw_params = bf5xx_pcm_hw_params,
83588 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-ssm2602.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-ssm2602.c
83589 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-19 00:06:34.000000000 -0400
83590 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-22 19:36:35.000000000 -0400
83591 @@ -108,7 +108,7 @@ static int bf5xx_ssm2602_hw_params(struc
83592 return 0;
83593 }
83594
83595 -static struct snd_soc_ops bf5xx_ssm2602_ops = {
83596 +static const struct snd_soc_ops bf5xx_ssm2602_ops = {
83597 .startup = bf5xx_ssm2602_startup,
83598 .hw_params = bf5xx_ssm2602_hw_params,
83599 };
83600 diff -urNp linux-2.6.39.1/sound/soc/blackfin/bf5xx-tdm-pcm.c linux-2.6.39.1/sound/soc/blackfin/bf5xx-tdm-pcm.c
83601 --- linux-2.6.39.1/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-19 00:06:34.000000000 -0400
83602 +++ linux-2.6.39.1/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-22 19:36:35.000000000 -0400
83603 @@ -220,7 +220,7 @@ static int bf5xx_pcm_silence(struct snd_
83604 }
83605
83606
83607 -struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
83608 +const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
83609 .open = bf5xx_pcm_open,
83610 .ioctl = snd_pcm_lib_ioctl,
83611 .hw_params = bf5xx_pcm_hw_params,
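Review bot: `bf5xx_pcm_tdm_ops` is defined without `static`, unlike the sibling tables `bf5xx_pcm_i2s_ops` and `bf5xx_pcm_ac97_ops` in the neighbouring file sections. If nothing outside bf5xx-tdm-pcm.c refers to it (its users are not visible here), `static const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {` keeps the symbol out of the global namespace. If something does refer to it, that `extern` declaration has to gain `const` as well.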
83612 diff -urNp linux-2.6.39.1/sound/soc/davinci/davinci-evm.c linux-2.6.39.1/sound/soc/davinci/davinci-evm.c
83613 --- linux-2.6.39.1/sound/soc/davinci/davinci-evm.c 2011-05-19 00:06:34.000000000 -0400
83614 +++ linux-2.6.39.1/sound/soc/davinci/davinci-evm.c 2011-05-22 19:36:35.000000000 -0400
83615 @@ -88,11 +88,11 @@ static int evm_spdif_hw_params(struct sn
83616 return snd_soc_dai_set_fmt(cpu_dai, AUDIO_FORMAT);
83617 }
83618
83619 -static struct snd_soc_ops evm_ops = {
83620 +static const struct snd_soc_ops evm_ops = {
83621 .hw_params = evm_hw_params,
83622 };
83623
83624 -static struct snd_soc_ops evm_spdif_ops = {
83625 +static const struct snd_soc_ops evm_spdif_ops = {
83626 .hw_params = evm_spdif_hw_params,
83627 };
83628
83629 diff -urNp linux-2.6.39.1/sound/soc/davinci/davinci-pcm.c linux-2.6.39.1/sound/soc/davinci/davinci-pcm.c
83630 --- linux-2.6.39.1/sound/soc/davinci/davinci-pcm.c 2011-05-19 00:06:34.000000000 -0400
83631 +++ linux-2.6.39.1/sound/soc/davinci/davinci-pcm.c 2011-05-22 19:36:35.000000000 -0400
83632 @@ -748,7 +748,7 @@ static int davinci_pcm_mmap(struct snd_p
83633 runtime->dma_bytes);
83634 }
83635
83636 -static struct snd_pcm_ops davinci_pcm_ops = {
83637 +static const struct snd_pcm_ops davinci_pcm_ops = {
83638 .open = davinci_pcm_open,
83639 .close = davinci_pcm_close,
83640 .ioctl = snd_pcm_lib_ioctl,
83641 diff -urNp linux-2.6.39.1/sound/soc/davinci/davinci-sffsdr.c linux-2.6.39.1/sound/soc/davinci/davinci-sffsdr.c
83642 --- linux-2.6.39.1/sound/soc/davinci/davinci-sffsdr.c 2011-05-19 00:06:34.000000000 -0400
83643 +++ linux-2.6.39.1/sound/soc/davinci/davinci-sffsdr.c 2011-05-22 19:36:35.000000000 -0400
83644 @@ -75,7 +75,7 @@ static int sffsdr_hw_params(struct snd_p
83645 #endif
83646 }
83647
83648 -static struct snd_soc_ops sffsdr_ops = {
83649 +static const struct snd_soc_ops sffsdr_ops = {
83650 .hw_params = sffsdr_hw_params,
83651 };
83652
83653 diff -urNp linux-2.6.39.1/sound/soc/ep93xx/edb93xx.c linux-2.6.39.1/sound/soc/ep93xx/edb93xx.c
83654 --- linux-2.6.39.1/sound/soc/ep93xx/edb93xx.c 2011-05-19 00:06:34.000000000 -0400
83655 +++ linux-2.6.39.1/sound/soc/ep93xx/edb93xx.c 2011-05-22 19:36:35.000000000 -0400
83656 @@ -74,7 +74,7 @@ static int edb93xx_hw_params(struct snd_
83657 SND_SOC_CLOCK_OUT);
83658 }
83659
83660 -static struct snd_soc_ops edb93xx_ops = {
83661 +static const struct snd_soc_ops edb93xx_ops = {
83662 .hw_params = edb93xx_hw_params,
83663 };
83664
83665 diff -urNp linux-2.6.39.1/sound/soc/ep93xx/ep93xx-ac97.c linux-2.6.39.1/sound/soc/ep93xx/ep93xx-ac97.c
83666 --- linux-2.6.39.1/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
83667 +++ linux-2.6.39.1/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
83668 @@ -239,7 +239,7 @@ static irqreturn_t ep93xx_ac97_interrupt
83669 return IRQ_HANDLED;
83670 }
83671
83672 -struct snd_ac97_bus_ops soc_ac97_ops = {
83673 +const struct snd_ac97_bus_ops soc_ac97_ops = {
83674 .read = ep93xx_ac97_read,
83675 .write = ep93xx_ac97_write,
83676 .reset = ep93xx_ac97_cold_reset,
83677 diff -urNp linux-2.6.39.1/sound/soc/ep93xx/ep93xx-pcm.c linux-2.6.39.1/sound/soc/ep93xx/ep93xx-pcm.c
83678 --- linux-2.6.39.1/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-19 00:06:34.000000000 -0400
83679 +++ linux-2.6.39.1/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-22 19:36:35.000000000 -0400
83680 @@ -216,7 +216,7 @@ static int ep93xx_pcm_mmap(struct snd_pc
83681 runtime->dma_bytes);
83682 }
83683
83684 -static struct snd_pcm_ops ep93xx_pcm_ops = {
83685 +static const struct snd_pcm_ops ep93xx_pcm_ops = {
83686 .open = ep93xx_pcm_open,
83687 .close = ep93xx_pcm_close,
83688 .ioctl = snd_pcm_lib_ioctl,
83689 diff -urNp linux-2.6.39.1/sound/soc/ep93xx/snappercl15.c linux-2.6.39.1/sound/soc/ep93xx/snappercl15.c
83690 --- linux-2.6.39.1/sound/soc/ep93xx/snappercl15.c 2011-05-19 00:06:34.000000000 -0400
83691 +++ linux-2.6.39.1/sound/soc/ep93xx/snappercl15.c 2011-05-22 19:36:35.000000000 -0400
83692 @@ -55,7 +55,7 @@ static int snappercl15_hw_params(struct
83693 return 0;
83694 }
83695
83696 -static struct snd_soc_ops snappercl15_ops = {
83697 +static const struct snd_soc_ops snappercl15_ops = {
83698 .hw_params = snappercl15_hw_params,
83699 };
83700
83701 diff -urNp linux-2.6.39.1/sound/soc/fsl/fsl_dma.c linux-2.6.39.1/sound/soc/fsl/fsl_dma.c
83702 --- linux-2.6.39.1/sound/soc/fsl/fsl_dma.c 2011-05-19 00:06:34.000000000 -0400
83703 +++ linux-2.6.39.1/sound/soc/fsl/fsl_dma.c 2011-05-22 19:36:35.000000000 -0400
83704 @@ -887,7 +887,7 @@ static struct device_node *find_ssi_node
83705 return NULL;
83706 }
83707
83708 -static struct snd_pcm_ops fsl_dma_ops = {
83709 +static const struct snd_pcm_ops fsl_dma_ops = {
83710 .open = fsl_dma_open,
83711 .close = fsl_dma_close,
83712 .ioctl = snd_pcm_lib_ioctl,
83713 diff -urNp linux-2.6.39.1/sound/soc/fsl/mpc8610_hpcd.c linux-2.6.39.1/sound/soc/fsl/mpc8610_hpcd.c
83714 --- linux-2.6.39.1/sound/soc/fsl/mpc8610_hpcd.c 2011-05-19 00:06:34.000000000 -0400
83715 +++ linux-2.6.39.1/sound/soc/fsl/mpc8610_hpcd.c 2011-05-22 19:36:35.000000000 -0400
83716 @@ -175,7 +175,7 @@ static int mpc8610_hpcd_machine_remove(s
83717 /**
83718 * mpc8610_hpcd_ops: ASoC machine driver operations
83719 */
83720 -static struct snd_soc_ops mpc8610_hpcd_ops = {
83721 +static const struct snd_soc_ops mpc8610_hpcd_ops = {
83722 .startup = mpc8610_hpcd_startup,
83723 };
83724
83725 diff -urNp linux-2.6.39.1/sound/soc/fsl/p1022_ds.c linux-2.6.39.1/sound/soc/fsl/p1022_ds.c
83726 --- linux-2.6.39.1/sound/soc/fsl/p1022_ds.c 2011-05-19 00:06:34.000000000 -0400
83727 +++ linux-2.6.39.1/sound/soc/fsl/p1022_ds.c 2011-05-22 19:36:35.000000000 -0400
83728 @@ -185,7 +185,7 @@ static int p1022_ds_machine_remove(struc
83729 /**
83730 * p1022_ds_ops: ASoC machine driver operations
83731 */
83732 -static struct snd_soc_ops p1022_ds_ops = {
83733 +static const struct snd_soc_ops p1022_ds_ops = {
83734 .startup = p1022_ds_startup,
83735 };
83736
83737 diff -urNp linux-2.6.39.1/sound/soc/imx/eukrea-tlv320.c linux-2.6.39.1/sound/soc/imx/eukrea-tlv320.c
83738 --- linux-2.6.39.1/sound/soc/imx/eukrea-tlv320.c 2011-05-19 00:06:34.000000000 -0400
83739 +++ linux-2.6.39.1/sound/soc/imx/eukrea-tlv320.c 2011-05-22 19:36:35.000000000 -0400
83740 @@ -71,7 +71,7 @@ static int eukrea_tlv320_hw_params(struc
83741 return 0;
83742 }
83743
83744 -static struct snd_soc_ops eukrea_tlv320_snd_ops = {
83745 +static const struct snd_soc_ops eukrea_tlv320_snd_ops = {
83746 .hw_params = eukrea_tlv320_hw_params,
83747 };
83748
83749 diff -urNp linux-2.6.39.1/sound/soc/imx/imx-pcm-dma-mx2.c linux-2.6.39.1/sound/soc/imx/imx-pcm-dma-mx2.c
83750 --- linux-2.6.39.1/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-19 00:06:34.000000000 -0400
83751 +++ linux-2.6.39.1/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-22 19:36:35.000000000 -0400
83752 @@ -283,7 +283,7 @@ static int snd_imx_close(struct snd_pcm_
83753 return 0;
83754 }
83755
83756 -static struct snd_pcm_ops imx_pcm_ops = {
83757 +static const struct snd_pcm_ops imx_pcm_ops = {
83758 .open = snd_imx_open,
83759 .close = snd_imx_close,
83760 .ioctl = snd_pcm_lib_ioctl,
83761 diff -urNp linux-2.6.39.1/sound/soc/imx/imx-pcm-fiq.c linux-2.6.39.1/sound/soc/imx/imx-pcm-fiq.c
83762 --- linux-2.6.39.1/sound/soc/imx/imx-pcm-fiq.c 2011-05-19 00:06:34.000000000 -0400
83763 +++ linux-2.6.39.1/sound/soc/imx/imx-pcm-fiq.c 2011-05-22 19:36:35.000000000 -0400
83764 @@ -225,7 +225,7 @@ static int snd_imx_close(struct snd_pcm_
83765 return 0;
83766 }
83767
83768 -static struct snd_pcm_ops imx_pcm_ops = {
83769 +static const struct snd_pcm_ops imx_pcm_ops = {
83770 .open = snd_imx_open,
83771 .close = snd_imx_close,
83772 .ioctl = snd_pcm_lib_ioctl,
83773 diff -urNp linux-2.6.39.1/sound/soc/imx/mx27vis-aic32x4.c linux-2.6.39.1/sound/soc/imx/mx27vis-aic32x4.c
83774 --- linux-2.6.39.1/sound/soc/imx/mx27vis-aic32x4.c 2011-05-19 00:06:34.000000000 -0400
83775 +++ linux-2.6.39.1/sound/soc/imx/mx27vis-aic32x4.c 2011-05-22 19:36:35.000000000 -0400
83776 @@ -70,7 +70,7 @@ static int mx27vis_aic32x4_hw_params(str
83777 return 0;
83778 }
83779
83780 -static struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
83781 +static const struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
83782 .hw_params = mx27vis_aic32x4_hw_params,
83783 };
83784
83785 diff -urNp linux-2.6.39.1/sound/soc/imx/phycore-ac97.c linux-2.6.39.1/sound/soc/imx/phycore-ac97.c
83786 --- linux-2.6.39.1/sound/soc/imx/phycore-ac97.c 2011-05-19 00:06:34.000000000 -0400
83787 +++ linux-2.6.39.1/sound/soc/imx/phycore-ac97.c 2011-05-22 19:36:35.000000000 -0400
83788 @@ -21,7 +21,7 @@
83789
83790 static struct snd_soc_card imx_phycore;
83791
83792 -static struct snd_soc_ops imx_phycore_hifi_ops = {
83793 +static const struct snd_soc_ops imx_phycore_hifi_ops = {
83794 };
83795
83796 static struct snd_soc_dai_link imx_phycore_dai_ac97[] = {
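Review bot: `imx_phycore_hifi_ops` is initialised with empty braces and so holds no callbacks at all; now that it is const it can never gain any at run time. Either say so with a comment such as `/* no machine-level callbacks needed */`, or drop the table and leave the link's `.ops` unset if the ASoC core accepts a NULL `ops` pointer (to be confirmed; the core is not shown here).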
83797 diff -urNp linux-2.6.39.1/sound/soc/imx/wm1133-ev1.c linux-2.6.39.1/sound/soc/imx/wm1133-ev1.c
83798 --- linux-2.6.39.1/sound/soc/imx/wm1133-ev1.c 2011-05-19 00:06:34.000000000 -0400
83799 +++ linux-2.6.39.1/sound/soc/imx/wm1133-ev1.c 2011-05-22 19:36:35.000000000 -0400
83800 @@ -149,7 +149,7 @@ static int wm1133_ev1_hw_params(struct s
83801 return 0;
83802 }
83803
83804 -static struct snd_soc_ops wm1133_ev1_ops = {
83805 +static const struct snd_soc_ops wm1133_ev1_ops = {
83806 .hw_params = wm1133_ev1_hw_params,
83807 };
83808
83809 diff -urNp linux-2.6.39.1/sound/soc/jz4740/jz4740-pcm.c linux-2.6.39.1/sound/soc/jz4740/jz4740-pcm.c
83810 --- linux-2.6.39.1/sound/soc/jz4740/jz4740-pcm.c 2011-05-19 00:06:34.000000000 -0400
83811 +++ linux-2.6.39.1/sound/soc/jz4740/jz4740-pcm.c 2011-05-22 19:36:35.000000000 -0400
83812 @@ -244,7 +244,7 @@ static int jz4740_pcm_mmap(struct snd_pc
83813 vma->vm_end - vma->vm_start, vma->vm_page_prot);
83814 }
83815
83816 -static struct snd_pcm_ops jz4740_pcm_ops = {
83817 +static const struct snd_pcm_ops jz4740_pcm_ops = {
83818 .open = jz4740_pcm_open,
83819 .close = jz4740_pcm_close,
83820 .ioctl = snd_pcm_lib_ioctl,
83821 diff -urNp linux-2.6.39.1/sound/soc/kirkwood/kirkwood-openrd.c linux-2.6.39.1/sound/soc/kirkwood/kirkwood-openrd.c
83822 --- linux-2.6.39.1/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-19 00:06:34.000000000 -0400
83823 +++ linux-2.6.39.1/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-22 19:36:35.000000000 -0400
83824 @@ -56,7 +56,7 @@ static int openrd_client_hw_params(struc
83825
83826 }
83827
83828 -static struct snd_soc_ops openrd_client_ops = {
83829 +static const struct snd_soc_ops openrd_client_ops = {
83830 .hw_params = openrd_client_hw_params,
83831 };
83832
83833 diff -urNp linux-2.6.39.1/sound/soc/kirkwood/kirkwood-t5325.c linux-2.6.39.1/sound/soc/kirkwood/kirkwood-t5325.c
83834 --- linux-2.6.39.1/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-19 00:06:34.000000000 -0400
83835 +++ linux-2.6.39.1/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-22 19:36:35.000000000 -0400
83836 @@ -44,7 +44,7 @@ static int t5325_hw_params(struct snd_pc
83837
83838 }
83839
83840 -static struct snd_soc_ops t5325_ops = {
83841 +static const struct snd_soc_ops t5325_ops = {
83842 .hw_params = t5325_hw_params,
83843 };
83844
83845 diff -urNp linux-2.6.39.1/sound/soc/mid-x86/sst_platform.c linux-2.6.39.1/sound/soc/mid-x86/sst_platform.c
83846 --- linux-2.6.39.1/sound/soc/mid-x86/sst_platform.c 2011-05-19 00:06:34.000000000 -0400
83847 +++ linux-2.6.39.1/sound/soc/mid-x86/sst_platform.c 2011-05-22 19:36:35.000000000 -0400
83848 @@ -381,7 +381,7 @@ static int sst_platform_pcm_hw_free(stru
83849 return snd_pcm_lib_free_pages(substream);
83850 }
83851
83852 -static struct snd_pcm_ops sst_platform_ops = {
83853 +static const struct snd_pcm_ops sst_platform_ops = {
83854 .open = sst_platform_open,
83855 .close = sst_platform_close,
83856 .ioctl = snd_pcm_lib_ioctl,
83857 diff -urNp linux-2.6.39.1/sound/soc/nuc900/nuc900-pcm.c linux-2.6.39.1/sound/soc/nuc900/nuc900-pcm.c
83858 --- linux-2.6.39.1/sound/soc/nuc900/nuc900-pcm.c 2011-05-19 00:06:34.000000000 -0400
83859 +++ linux-2.6.39.1/sound/soc/nuc900/nuc900-pcm.c 2011-05-22 19:36:35.000000000 -0400
83860 @@ -297,7 +297,7 @@ static int nuc900_dma_mmap(struct snd_pc
83861 runtime->dma_bytes);
83862 }
83863
83864 -static struct snd_pcm_ops nuc900_dma_ops = {
83865 +static const struct snd_pcm_ops nuc900_dma_ops = {
83866 .open = nuc900_dma_open,
83867 .close = nuc900_dma_close,
83868 .ioctl = snd_pcm_lib_ioctl,
83869 diff -urNp linux-2.6.39.1/sound/soc/omap/am3517evm.c linux-2.6.39.1/sound/soc/omap/am3517evm.c
83870 --- linux-2.6.39.1/sound/soc/omap/am3517evm.c 2011-05-19 00:06:34.000000000 -0400
83871 +++ linux-2.6.39.1/sound/soc/omap/am3517evm.c 2011-05-22 19:36:35.000000000 -0400
83872 @@ -88,7 +88,7 @@ static int am3517evm_hw_params(struct sn
83873 return 0;
83874 }
83875
83876 -static struct snd_soc_ops am3517evm_ops = {
83877 +static const struct snd_soc_ops am3517evm_ops = {
83878 .hw_params = am3517evm_hw_params,
83879 };
83880
83881 diff -urNp linux-2.6.39.1/sound/soc/omap/ams-delta.c linux-2.6.39.1/sound/soc/omap/ams-delta.c
83882 --- linux-2.6.39.1/sound/soc/omap/ams-delta.c 2011-05-19 00:06:34.000000000 -0400
83883 +++ linux-2.6.39.1/sound/soc/omap/ams-delta.c 2011-05-22 19:36:35.000000000 -0400
83884 @@ -420,7 +420,7 @@ static int ams_delta_hw_params(struct sn
83885 SND_SOC_DAIFMT_CBM_CFM);
83886 }
83887
83888 -static struct snd_soc_ops ams_delta_ops = {
83889 +static const struct snd_soc_ops ams_delta_ops = {
83890 .hw_params = ams_delta_hw_params,
83891 };
83892
83893 diff -urNp linux-2.6.39.1/sound/soc/omap/igep0020.c linux-2.6.39.1/sound/soc/omap/igep0020.c
83894 --- linux-2.6.39.1/sound/soc/omap/igep0020.c 2011-05-19 00:06:34.000000000 -0400
83895 +++ linux-2.6.39.1/sound/soc/omap/igep0020.c 2011-05-22 19:36:35.000000000 -0400
83896 @@ -72,7 +72,7 @@ static int igep2_hw_params(struct snd_pc
83897 return 0;
83898 }
83899
83900 -static struct snd_soc_ops igep2_ops = {
83901 +static const struct snd_soc_ops igep2_ops = {
83902 .hw_params = igep2_hw_params,
83903 };
83904
83905 diff -urNp linux-2.6.39.1/sound/soc/omap/n810.c linux-2.6.39.1/sound/soc/omap/n810.c
83906 --- linux-2.6.39.1/sound/soc/omap/n810.c 2011-05-19 00:06:34.000000000 -0400
83907 +++ linux-2.6.39.1/sound/soc/omap/n810.c 2011-05-22 19:36:35.000000000 -0400
83908 @@ -141,7 +141,7 @@ static int n810_hw_params(struct snd_pcm
83909 return err;
83910 }
83911
83912 -static struct snd_soc_ops n810_ops = {
83913 +static const struct snd_soc_ops n810_ops = {
83914 .startup = n810_startup,
83915 .hw_params = n810_hw_params,
83916 .shutdown = n810_shutdown,
83917 diff -urNp linux-2.6.39.1/sound/soc/omap/omap2evm.c linux-2.6.39.1/sound/soc/omap/omap2evm.c
83918 --- linux-2.6.39.1/sound/soc/omap/omap2evm.c 2011-05-19 00:06:34.000000000 -0400
83919 +++ linux-2.6.39.1/sound/soc/omap/omap2evm.c 2011-05-22 19:36:35.000000000 -0400
83920 @@ -74,7 +74,7 @@ static int omap2evm_hw_params(struct snd
83921 return 0;
83922 }
83923
83924 -static struct snd_soc_ops omap2evm_ops = {
83925 +static const struct snd_soc_ops omap2evm_ops = {
83926 .hw_params = omap2evm_hw_params,
83927 };
83928
83929 diff -urNp linux-2.6.39.1/sound/soc/omap/omap3beagle.c linux-2.6.39.1/sound/soc/omap/omap3beagle.c
83930 --- linux-2.6.39.1/sound/soc/omap/omap3beagle.c 2011-05-19 00:06:34.000000000 -0400
83931 +++ linux-2.6.39.1/sound/soc/omap/omap3beagle.c 2011-05-22 19:36:35.000000000 -0400
83932 @@ -82,7 +82,7 @@ static int omap3beagle_hw_params(struct
83933 return 0;
83934 }
83935
83936 -static struct snd_soc_ops omap3beagle_ops = {
83937 +static const struct snd_soc_ops omap3beagle_ops = {
83938 .hw_params = omap3beagle_hw_params,
83939 };
83940
83941 diff -urNp linux-2.6.39.1/sound/soc/omap/omap3evm.c linux-2.6.39.1/sound/soc/omap/omap3evm.c
83942 --- linux-2.6.39.1/sound/soc/omap/omap3evm.c 2011-05-19 00:06:34.000000000 -0400
83943 +++ linux-2.6.39.1/sound/soc/omap/omap3evm.c 2011-05-22 19:36:35.000000000 -0400
83944 @@ -70,7 +70,7 @@ static int omap3evm_hw_params(struct snd
83945 return 0;
83946 }
83947
83948 -static struct snd_soc_ops omap3evm_ops = {
83949 +static const struct snd_soc_ops omap3evm_ops = {
83950 .hw_params = omap3evm_hw_params,
83951 };
83952
83953 diff -urNp linux-2.6.39.1/sound/soc/omap/omap3pandora.c linux-2.6.39.1/sound/soc/omap/omap3pandora.c
83954 --- linux-2.6.39.1/sound/soc/omap/omap3pandora.c 2011-05-19 00:06:34.000000000 -0400
83955 +++ linux-2.6.39.1/sound/soc/omap/omap3pandora.c 2011-05-22 19:36:35.000000000 -0400
83956 @@ -218,7 +218,7 @@ static int omap3pandora_in_init(struct s
83957 return snd_soc_dapm_sync(dapm);
83958 }
83959
83960 -static struct snd_soc_ops omap3pandora_ops = {
83961 +static const struct snd_soc_ops omap3pandora_ops = {
83962 .hw_params = omap3pandora_hw_params,
83963 };
83964
83965 diff -urNp linux-2.6.39.1/sound/soc/omap/omap-pcm.c linux-2.6.39.1/sound/soc/omap/omap-pcm.c
83966 --- linux-2.6.39.1/sound/soc/omap/omap-pcm.c 2011-05-19 00:06:34.000000000 -0400
83967 +++ linux-2.6.39.1/sound/soc/omap/omap-pcm.c 2011-05-22 19:36:35.000000000 -0400
83968 @@ -311,7 +311,7 @@ static int omap_pcm_mmap(struct snd_pcm_
83969 runtime->dma_bytes);
83970 }
83971
83972 -static struct snd_pcm_ops omap_pcm_ops = {
83973 +static const struct snd_pcm_ops omap_pcm_ops = {
83974 .open = omap_pcm_open,
83975 .close = omap_pcm_close,
83976 .ioctl = snd_pcm_lib_ioctl,
83977 diff -urNp linux-2.6.39.1/sound/soc/omap/osk5912.c linux-2.6.39.1/sound/soc/omap/osk5912.c
83978 --- linux-2.6.39.1/sound/soc/omap/osk5912.c 2011-05-19 00:06:34.000000000 -0400
83979 +++ linux-2.6.39.1/sound/soc/omap/osk5912.c 2011-05-22 19:36:35.000000000 -0400
83980 @@ -90,7 +90,7 @@ static int osk_hw_params(struct snd_pcm_
83981 return err;
83982 }
83983
83984 -static struct snd_soc_ops osk_ops = {
83985 +static const struct snd_soc_ops osk_ops = {
83986 .startup = osk_startup,
83987 .hw_params = osk_hw_params,
83988 .shutdown = osk_shutdown,
83989 diff -urNp linux-2.6.39.1/sound/soc/omap/overo.c linux-2.6.39.1/sound/soc/omap/overo.c
83990 --- linux-2.6.39.1/sound/soc/omap/overo.c 2011-05-19 00:06:34.000000000 -0400
83991 +++ linux-2.6.39.1/sound/soc/omap/overo.c 2011-05-22 19:36:35.000000000 -0400
83992 @@ -72,7 +72,7 @@ static int overo_hw_params(struct snd_pc
83993 return 0;
83994 }
83995
83996 -static struct snd_soc_ops overo_ops = {
83997 +static const struct snd_soc_ops overo_ops = {
83998 .hw_params = overo_hw_params,
83999 };
84000
84001 diff -urNp linux-2.6.39.1/sound/soc/omap/rx51.c linux-2.6.39.1/sound/soc/omap/rx51.c
84002 --- linux-2.6.39.1/sound/soc/omap/rx51.c 2011-05-19 00:06:34.000000000 -0400
84003 +++ linux-2.6.39.1/sound/soc/omap/rx51.c 2011-05-22 19:36:35.000000000 -0400
84004 @@ -139,7 +139,7 @@ static int rx51_hw_params(struct snd_pcm
84005 SND_SOC_CLOCK_IN);
84006 }
84007
84008 -static struct snd_soc_ops rx51_ops = {
84009 +static const struct snd_soc_ops rx51_ops = {
84010 .startup = rx51_startup,
84011 .hw_params = rx51_hw_params,
84012 };
84013 diff -urNp linux-2.6.39.1/sound/soc/omap/sdp3430.c linux-2.6.39.1/sound/soc/omap/sdp3430.c
84014 --- linux-2.6.39.1/sound/soc/omap/sdp3430.c 2011-05-19 00:06:34.000000000 -0400
84015 +++ linux-2.6.39.1/sound/soc/omap/sdp3430.c 2011-05-22 19:36:35.000000000 -0400
84016 @@ -87,7 +87,7 @@ static int sdp3430_hw_params(struct snd_
84017 return 0;
84018 }
84019
84020 -static struct snd_soc_ops sdp3430_ops = {
84021 +static const struct snd_soc_ops sdp3430_ops = {
84022 .hw_params = sdp3430_hw_params,
84023 };
84024
84025 @@ -130,7 +130,7 @@ static int sdp3430_hw_voice_params(struc
84026 return 0;
84027 }
84028
84029 -static struct snd_soc_ops sdp3430_voice_ops = {
84030 +static const struct snd_soc_ops sdp3430_voice_ops = {
84031 .hw_params = sdp3430_hw_voice_params,
84032 };
84033
84034 diff -urNp linux-2.6.39.1/sound/soc/omap/sdp4430.c linux-2.6.39.1/sound/soc/omap/sdp4430.c
84035 --- linux-2.6.39.1/sound/soc/omap/sdp4430.c 2011-05-19 00:06:34.000000000 -0400
84036 +++ linux-2.6.39.1/sound/soc/omap/sdp4430.c 2011-05-22 19:36:35.000000000 -0400
84037 @@ -62,7 +62,7 @@ static int sdp4430_hw_params(struct snd_
84038 return ret;
84039 }
84040
84041 -static struct snd_soc_ops sdp4430_ops = {
84042 +static const struct snd_soc_ops sdp4430_ops = {
84043 .hw_params = sdp4430_hw_params,
84044 };
84045
84046 diff -urNp linux-2.6.39.1/sound/soc/omap/zoom2.c linux-2.6.39.1/sound/soc/omap/zoom2.c
84047 --- linux-2.6.39.1/sound/soc/omap/zoom2.c 2011-05-19 00:06:34.000000000 -0400
84048 +++ linux-2.6.39.1/sound/soc/omap/zoom2.c 2011-05-22 19:36:35.000000000 -0400
84049 @@ -78,7 +78,7 @@ static int zoom2_hw_params(struct snd_pc
84050 return 0;
84051 }
84052
84053 -static struct snd_soc_ops zoom2_ops = {
84054 +static const struct snd_soc_ops zoom2_ops = {
84055 .hw_params = zoom2_hw_params,
84056 };
84057
84058 @@ -121,7 +121,7 @@ static int zoom2_hw_voice_params(struct
84059 return 0;
84060 }
84061
84062 -static struct snd_soc_ops zoom2_voice_ops = {
84063 +static const struct snd_soc_ops zoom2_voice_ops = {
84064 .hw_params = zoom2_hw_voice_params,
84065 };
84066
84067 diff -urNp linux-2.6.39.1/sound/soc/pxa/corgi.c linux-2.6.39.1/sound/soc/pxa/corgi.c
84068 --- linux-2.6.39.1/sound/soc/pxa/corgi.c 2011-05-19 00:06:34.000000000 -0400
84069 +++ linux-2.6.39.1/sound/soc/pxa/corgi.c 2011-05-22 19:36:35.000000000 -0400
84070 @@ -169,7 +169,7 @@ static int corgi_hw_params(struct snd_pc
84071 return 0;
84072 }
84073
84074 -static struct snd_soc_ops corgi_ops = {
84075 +static const struct snd_soc_ops corgi_ops = {
84076 .startup = corgi_startup,
84077 .hw_params = corgi_hw_params,
84078 .shutdown = corgi_shutdown,
84079 diff -urNp linux-2.6.39.1/sound/soc/pxa/imote2.c linux-2.6.39.1/sound/soc/pxa/imote2.c
84080 --- linux-2.6.39.1/sound/soc/pxa/imote2.c 2011-05-19 00:06:34.000000000 -0400
84081 +++ linux-2.6.39.1/sound/soc/pxa/imote2.c 2011-05-22 19:36:35.000000000 -0400
84082 @@ -56,7 +56,7 @@ static int imote2_asoc_hw_params(struct
84083 return ret;
84084 }
84085
84086 -static struct snd_soc_ops imote2_asoc_ops = {
84087 +static const struct snd_soc_ops imote2_asoc_ops = {
84088 .hw_params = imote2_asoc_hw_params,
84089 };
84090
84091 diff -urNp linux-2.6.39.1/sound/soc/pxa/magician.c linux-2.6.39.1/sound/soc/pxa/magician.c
84092 --- linux-2.6.39.1/sound/soc/pxa/magician.c 2011-05-19 00:06:34.000000000 -0400
84093 +++ linux-2.6.39.1/sound/soc/pxa/magician.c 2011-05-22 19:36:35.000000000 -0400
84094 @@ -258,12 +258,12 @@ static int magician_capture_hw_params(st
84095 return 0;
84096 }
84097
84098 -static struct snd_soc_ops magician_capture_ops = {
84099 +static const struct snd_soc_ops magician_capture_ops = {
84100 .startup = magician_startup,
84101 .hw_params = magician_capture_hw_params,
84102 };
84103
84104 -static struct snd_soc_ops magician_playback_ops = {
84105 +static const struct snd_soc_ops magician_playback_ops = {
84106 .startup = magician_startup,
84107 .hw_params = magician_playback_hw_params,
84108 };
84109 diff -urNp linux-2.6.39.1/sound/soc/pxa/mioa701_wm9713.c linux-2.6.39.1/sound/soc/pxa/mioa701_wm9713.c
84110 --- linux-2.6.39.1/sound/soc/pxa/mioa701_wm9713.c 2011-05-19 00:06:34.000000000 -0400
84111 +++ linux-2.6.39.1/sound/soc/pxa/mioa701_wm9713.c 2011-05-22 19:36:35.000000000 -0400
84112 @@ -156,7 +156,7 @@ static int mioa701_wm9713_init(struct sn
84113 return 0;
84114 }
84115
84116 -static struct snd_soc_ops mioa701_ops;
84117 +static const struct snd_soc_ops mioa701_ops;
84118
84119 static struct snd_soc_dai_link mioa701_dai[] = {
84120 {
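Review bot: `static const struct snd_soc_ops mioa701_ops;` is a tentative definition with no initializer, and the hunk does not show whether a full definition follows later in the file. If one does, it has to carry the same `const` or the two declarations conflict; if none does, the table is all-NULL and a short comment such as `/* no callbacks: every op stays NULL */` would make that intent explicit. The `mioa701_dai[]` initializer that follows starts at the end of the hunk and is not visible.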
84121 diff -urNp linux-2.6.39.1/sound/soc/pxa/poodle.c linux-2.6.39.1/sound/soc/pxa/poodle.c
84122 --- linux-2.6.39.1/sound/soc/pxa/poodle.c 2011-05-19 00:06:34.000000000 -0400
84123 +++ linux-2.6.39.1/sound/soc/pxa/poodle.c 2011-05-22 19:36:35.000000000 -0400
84124 @@ -148,7 +148,7 @@ static int poodle_hw_params(struct snd_p
84125 return 0;
84126 }
84127
84128 -static struct snd_soc_ops poodle_ops = {
84129 +static const struct snd_soc_ops poodle_ops = {
84130 .startup = poodle_startup,
84131 .hw_params = poodle_hw_params,
84132 .shutdown = poodle_shutdown,
84133 diff -urNp linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.c linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.c
84134 --- linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84135 +++ linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84136 @@ -40,7 +40,7 @@ static void pxa2xx_ac97_cold_reset(struc
84137 pxa2xx_ac97_finish_reset(ac97);
84138 }
84139
84140 -struct snd_ac97_bus_ops soc_ac97_ops = {
84141 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84142 .read = pxa2xx_ac97_read,
84143 .write = pxa2xx_ac97_write,
84144 .warm_reset = pxa2xx_ac97_warm_reset,
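Review bot: The definition of `soc_ac97_ops` becomes `const` here, but its `extern` declaration is not among the visible hunks; the header hunk that follows for pxa2xx-ac97.h changes `pxa2xx_ac97_ops`, which is a different name. Unless the shared declaration is updated to `extern const struct snd_ac97_bus_ops soc_ac97_ops;` elsewhere in the patch, the definition and the declaration disagree on qualifiers. The same symbol is constified again in sound/soc/sh/hac.c, so both definitions depend on that one declaration. The initializer continues past the end of the hunk.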
84145 diff -urNp linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.h linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.h
84146 --- linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84147 +++ linux-2.6.39.1/sound/soc/pxa/pxa2xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84148 @@ -15,6 +15,6 @@
84149 #define PXA2XX_DAI_AC97_MIC 2
84150
84151 /* platform data */
84152 -extern struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84153 +extern const struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84154
84155 #endif
84156 diff -urNp linux-2.6.39.1/sound/soc/pxa/raumfeld.c linux-2.6.39.1/sound/soc/pxa/raumfeld.c
84157 --- linux-2.6.39.1/sound/soc/pxa/raumfeld.c 2011-06-03 00:04:14.000000000 -0400
84158 +++ linux-2.6.39.1/sound/soc/pxa/raumfeld.c 2011-06-03 00:32:09.000000000 -0400
84159 @@ -145,7 +145,7 @@ static int raumfeld_cs4270_hw_params(str
84160 return 0;
84161 }
84162
84163 -static struct snd_soc_ops raumfeld_cs4270_ops = {
84164 +static const struct snd_soc_ops raumfeld_cs4270_ops = {
84165 .startup = raumfeld_cs4270_startup,
84166 .shutdown = raumfeld_cs4270_shutdown,
84167 .hw_params = raumfeld_cs4270_hw_params,
84168 @@ -221,7 +221,7 @@ static int raumfeld_ak4104_hw_params(str
84169 return 0;
84170 }
84171
84172 -static struct snd_soc_ops raumfeld_ak4104_ops = {
84173 +static const struct snd_soc_ops raumfeld_ak4104_ops = {
84174 .hw_params = raumfeld_ak4104_hw_params,
84175 };
84176
84177 diff -urNp linux-2.6.39.1/sound/soc/pxa/saarb.c linux-2.6.39.1/sound/soc/pxa/saarb.c
84178 --- linux-2.6.39.1/sound/soc/pxa/saarb.c 2011-05-19 00:06:34.000000000 -0400
84179 +++ linux-2.6.39.1/sound/soc/pxa/saarb.c 2011-05-22 19:36:35.000000000 -0400
84180 @@ -106,7 +106,7 @@ static int saarb_i2s_hw_params(struct sn
84181 return ret;
84182 }
84183
84184 -static struct snd_soc_ops saarb_i2s_ops = {
84185 +static const struct snd_soc_ops saarb_i2s_ops = {
84186 .hw_params = saarb_i2s_hw_params,
84187 };
84188
84189 diff -urNp linux-2.6.39.1/sound/soc/pxa/spitz.c linux-2.6.39.1/sound/soc/pxa/spitz.c
84190 --- linux-2.6.39.1/sound/soc/pxa/spitz.c 2011-05-19 00:06:34.000000000 -0400
84191 +++ linux-2.6.39.1/sound/soc/pxa/spitz.c 2011-05-22 19:36:35.000000000 -0400
84192 @@ -169,7 +169,7 @@ static int spitz_hw_params(struct snd_pc
84193 return 0;
84194 }
84195
84196 -static struct snd_soc_ops spitz_ops = {
84197 +static const struct snd_soc_ops spitz_ops = {
84198 .startup = spitz_startup,
84199 .hw_params = spitz_hw_params,
84200 };
84201 diff -urNp linux-2.6.39.1/sound/soc/pxa/tavorevb3.c linux-2.6.39.1/sound/soc/pxa/tavorevb3.c
84202 --- linux-2.6.39.1/sound/soc/pxa/tavorevb3.c 2011-05-19 00:06:34.000000000 -0400
84203 +++ linux-2.6.39.1/sound/soc/pxa/tavorevb3.c 2011-05-22 19:36:35.000000000 -0400
84204 @@ -106,7 +106,7 @@ static int evb3_i2s_hw_params(struct snd
84205 return ret;
84206 }
84207
84208 -static struct snd_soc_ops evb3_i2s_ops = {
84209 +static const struct snd_soc_ops evb3_i2s_ops = {
84210 .hw_params = evb3_i2s_hw_params,
84211 };
84212
84213 diff -urNp linux-2.6.39.1/sound/soc/pxa/tosa.c linux-2.6.39.1/sound/soc/pxa/tosa.c
84214 --- linux-2.6.39.1/sound/soc/pxa/tosa.c 2011-05-19 00:06:34.000000000 -0400
84215 +++ linux-2.6.39.1/sound/soc/pxa/tosa.c 2011-05-22 19:36:35.000000000 -0400
84216 @@ -92,7 +92,7 @@ static int tosa_startup(struct snd_pcm_s
84217 return 0;
84218 }
84219
84220 -static struct snd_soc_ops tosa_ops = {
84221 +static const struct snd_soc_ops tosa_ops = {
84222 .startup = tosa_startup,
84223 };
84224
84225 diff -urNp linux-2.6.39.1/sound/soc/pxa/z2.c linux-2.6.39.1/sound/soc/pxa/z2.c
84226 --- linux-2.6.39.1/sound/soc/pxa/z2.c 2011-05-19 00:06:34.000000000 -0400
84227 +++ linux-2.6.39.1/sound/soc/pxa/z2.c 2011-05-22 19:36:35.000000000 -0400
84228 @@ -187,7 +187,7 @@ err:
84229 return ret;
84230 }
84231
84232 -static struct snd_soc_ops z2_ops = {
84233 +static const struct snd_soc_ops z2_ops = {
84234 .hw_params = z2_hw_params,
84235 };
84236
84237 diff -urNp linux-2.6.39.1/sound/soc/pxa/zylonite.c linux-2.6.39.1/sound/soc/pxa/zylonite.c
84238 --- linux-2.6.39.1/sound/soc/pxa/zylonite.c 2011-05-19 00:06:34.000000000 -0400
84239 +++ linux-2.6.39.1/sound/soc/pxa/zylonite.c 2011-05-22 19:36:35.000000000 -0400
84240 @@ -156,7 +156,7 @@ static int zylonite_voice_hw_params(stru
84241 return 0;
84242 }
84243
84244 -static struct snd_soc_ops zylonite_voice_ops = {
84245 +static const struct snd_soc_ops zylonite_voice_ops = {
84246 .hw_params = zylonite_voice_hw_params,
84247 };
84248
84249 diff -urNp linux-2.6.39.1/sound/soc/s6000/s6000-pcm.c linux-2.6.39.1/sound/soc/s6000/s6000-pcm.c
84250 --- linux-2.6.39.1/sound/soc/s6000/s6000-pcm.c 2011-05-19 00:06:34.000000000 -0400
84251 +++ linux-2.6.39.1/sound/soc/s6000/s6000-pcm.c 2011-05-22 19:36:35.000000000 -0400
84252 @@ -420,7 +420,7 @@ static int s6000_pcm_hw_free(struct snd_
84253 return snd_pcm_lib_free_pages(substream);
84254 }
84255
84256 -static struct snd_pcm_ops s6000_pcm_ops = {
84257 +static const struct snd_pcm_ops s6000_pcm_ops = {
84258 .open = s6000_pcm_open,
84259 .close = s6000_pcm_close,
84260 .ioctl = snd_pcm_lib_ioctl,
84261 diff -urNp linux-2.6.39.1/sound/soc/s6000/s6105-ipcam.c linux-2.6.39.1/sound/soc/s6000/s6105-ipcam.c
84262 --- linux-2.6.39.1/sound/soc/s6000/s6105-ipcam.c 2011-05-19 00:06:34.000000000 -0400
84263 +++ linux-2.6.39.1/sound/soc/s6000/s6105-ipcam.c 2011-05-22 19:36:35.000000000 -0400
84264 @@ -55,7 +55,7 @@ static int s6105_hw_params(struct snd_pc
84265 return 0;
84266 }
84267
84268 -static struct snd_soc_ops s6105_ops = {
84269 +static const struct snd_soc_ops s6105_ops = {
84270 .hw_params = s6105_hw_params,
84271 };
84272
84273 diff -urNp linux-2.6.39.1/sound/soc/samsung/goni_wm8994.c linux-2.6.39.1/sound/soc/samsung/goni_wm8994.c
84274 --- linux-2.6.39.1/sound/soc/samsung/goni_wm8994.c 2011-05-19 00:06:34.000000000 -0400
84275 +++ linux-2.6.39.1/sound/soc/samsung/goni_wm8994.c 2011-05-22 19:36:35.000000000 -0400
84276 @@ -176,7 +176,7 @@ static int goni_hifi_hw_params(struct sn
84277 return 0;
84278 }
84279
84280 -static struct snd_soc_ops goni_hifi_ops = {
84281 +static const struct snd_soc_ops goni_hifi_ops = {
84282 .hw_params = goni_hifi_hw_params,
84283 };
84284
84285 @@ -227,7 +227,7 @@ static struct snd_soc_dai_driver voice_d
84286 .formats = SNDRV_PCM_FMTBIT_S16_LE,},
84287 };
84288
84289 -static struct snd_soc_ops goni_voice_ops = {
84290 +static const struct snd_soc_ops goni_voice_ops = {
84291 .hw_params = goni_voice_hw_params,
84292 };
84293
84294 diff -urNp linux-2.6.39.1/sound/soc/samsung/h1940_uda1380.c linux-2.6.39.1/sound/soc/samsung/h1940_uda1380.c
84295 --- linux-2.6.39.1/sound/soc/samsung/h1940_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84296 +++ linux-2.6.39.1/sound/soc/samsung/h1940_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84297 @@ -136,7 +136,7 @@ static int h1940_hw_params(struct snd_pc
84298 return 0;
84299 }
84300
84301 -static struct snd_soc_ops h1940_ops = {
84302 +static const struct snd_soc_ops h1940_ops = {
84303 .startup = h1940_startup,
84304 .hw_params = h1940_hw_params,
84305 };
84306 diff -urNp linux-2.6.39.1/sound/soc/samsung/jive_wm8750.c linux-2.6.39.1/sound/soc/samsung/jive_wm8750.c
84307 --- linux-2.6.39.1/sound/soc/samsung/jive_wm8750.c 2011-05-19 00:06:34.000000000 -0400
84308 +++ linux-2.6.39.1/sound/soc/samsung/jive_wm8750.c 2011-05-22 19:36:35.000000000 -0400
84309 @@ -92,7 +92,7 @@ static int jive_hw_params(struct snd_pcm
84310 return 0;
84311 }
84312
84313 -static struct snd_soc_ops jive_ops = {
84314 +static const struct snd_soc_ops jive_ops = {
84315 .hw_params = jive_hw_params,
84316 };
84317
84318 diff -urNp linux-2.6.39.1/sound/soc/samsung/neo1973_wm8753.c linux-2.6.39.1/sound/soc/samsung/neo1973_wm8753.c
84319 --- linux-2.6.39.1/sound/soc/samsung/neo1973_wm8753.c 2011-05-19 00:06:34.000000000 -0400
84320 +++ linux-2.6.39.1/sound/soc/samsung/neo1973_wm8753.c 2011-05-22 19:36:35.000000000 -0400
84321 @@ -128,7 +128,7 @@ static int neo1973_hifi_hw_free(struct s
84322 /*
84323 * Neo1973 WM8753 HiFi DAI opserations.
84324 */
84325 -static struct snd_soc_ops neo1973_hifi_ops = {
84326 +static const struct snd_soc_ops neo1973_hifi_ops = {
84327 .hw_params = neo1973_hifi_hw_params,
84328 .hw_free = neo1973_hifi_hw_free,
84329 };
84330 @@ -187,7 +187,7 @@ static int neo1973_voice_hw_free(struct
84331 return snd_soc_dai_set_pll(codec_dai, WM8753_PLL2, 0, 0, 0);
84332 }
84333
84334 -static struct snd_soc_ops neo1973_voice_ops = {
84335 +static const struct snd_soc_ops neo1973_voice_ops = {
84336 .hw_params = neo1973_voice_hw_params,
84337 .hw_free = neo1973_voice_hw_free,
84338 };
84339 diff -urNp linux-2.6.39.1/sound/soc/samsung/rx1950_uda1380.c linux-2.6.39.1/sound/soc/samsung/rx1950_uda1380.c
84340 --- linux-2.6.39.1/sound/soc/samsung/rx1950_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84341 +++ linux-2.6.39.1/sound/soc/samsung/rx1950_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84342 @@ -70,7 +70,7 @@ static struct snd_soc_jack_gpio hp_jack_
84343 },
84344 };
84345
84346 -static struct snd_soc_ops rx1950_ops = {
84347 +static const struct snd_soc_ops rx1950_ops = {
84348 .startup = rx1950_startup,
84349 .hw_params = rx1950_hw_params,
84350 };
84351 diff -urNp linux-2.6.39.1/sound/soc/samsung/s3c24xx_simtec.c linux-2.6.39.1/sound/soc/samsung/s3c24xx_simtec.c
84352 --- linux-2.6.39.1/sound/soc/samsung/s3c24xx_simtec.c 2011-05-19 00:06:34.000000000 -0400
84353 +++ linux-2.6.39.1/sound/soc/samsung/s3c24xx_simtec.c 2011-05-22 19:36:35.000000000 -0400
84354 @@ -228,7 +228,7 @@ static int simtec_call_startup(struct s3
84355 return 0;
84356 }
84357
84358 -static struct snd_soc_ops simtec_snd_ops = {
84359 +static const struct snd_soc_ops simtec_snd_ops = {
84360 .hw_params = simtec_hw_params,
84361 };
84362
84363 diff -urNp linux-2.6.39.1/sound/soc/samsung/s3c24xx_uda134x.c linux-2.6.39.1/sound/soc/samsung/s3c24xx_uda134x.c
84364 --- linux-2.6.39.1/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-19 00:06:34.000000000 -0400
84365 +++ linux-2.6.39.1/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-22 19:36:35.000000000 -0400
84366 @@ -210,7 +210,7 @@ static int s3c24xx_uda134x_hw_params(str
84367 return 0;
84368 }
84369
84370 -static struct snd_soc_ops s3c24xx_uda134x_ops = {
84371 +static const struct snd_soc_ops s3c24xx_uda134x_ops = {
84372 .startup = s3c24xx_uda134x_startup,
84373 .shutdown = s3c24xx_uda134x_shutdown,
84374 .hw_params = s3c24xx_uda134x_hw_params,
84375 diff -urNp linux-2.6.39.1/sound/soc/samsung/smartq_wm8987.c linux-2.6.39.1/sound/soc/samsung/smartq_wm8987.c
84376 --- linux-2.6.39.1/sound/soc/samsung/smartq_wm8987.c 2011-05-19 00:06:34.000000000 -0400
84377 +++ linux-2.6.39.1/sound/soc/samsung/smartq_wm8987.c 2011-05-22 19:36:35.000000000 -0400
84378 @@ -92,7 +92,7 @@ static int smartq_hifi_hw_params(struct
84379 /*
84380 * SmartQ WM8987 HiFi DAI operations.
84381 */
84382 -static struct snd_soc_ops smartq_hifi_ops = {
84383 +static const struct snd_soc_ops smartq_hifi_ops = {
84384 .hw_params = smartq_hifi_hw_params,
84385 };
84386
84387 diff -urNp linux-2.6.39.1/sound/soc/samsung/smdk_spdif.c linux-2.6.39.1/sound/soc/samsung/smdk_spdif.c
84388 --- linux-2.6.39.1/sound/soc/samsung/smdk_spdif.c 2011-05-19 00:06:34.000000000 -0400
84389 +++ linux-2.6.39.1/sound/soc/samsung/smdk_spdif.c 2011-05-22 19:36:35.000000000 -0400
84390 @@ -143,7 +143,7 @@ static int smdk_hw_params(struct snd_pcm
84391 return ret;
84392 }
84393
84394 -static struct snd_soc_ops smdk_spdif_ops = {
84395 +static const struct snd_soc_ops smdk_spdif_ops = {
84396 .hw_params = smdk_hw_params,
84397 };
84398
84399 diff -urNp linux-2.6.39.1/sound/soc/samsung/smdk_wm8580.c linux-2.6.39.1/sound/soc/samsung/smdk_wm8580.c
84400 --- linux-2.6.39.1/sound/soc/samsung/smdk_wm8580.c 2011-05-19 00:06:34.000000000 -0400
84401 +++ linux-2.6.39.1/sound/soc/samsung/smdk_wm8580.c 2011-05-22 19:36:35.000000000 -0400
84402 @@ -114,7 +114,7 @@ static int smdk_hw_params(struct snd_pcm
84403 /*
84404 * SMDK WM8580 DAI operations.
84405 */
84406 -static struct snd_soc_ops smdk_ops = {
84407 +static const struct snd_soc_ops smdk_ops = {
84408 .hw_params = smdk_hw_params,
84409 };
84410
84411 diff -urNp linux-2.6.39.1/sound/soc/sh/dma-sh7760.c linux-2.6.39.1/sound/soc/sh/dma-sh7760.c
84412 --- linux-2.6.39.1/sound/soc/sh/dma-sh7760.c 2011-05-19 00:06:34.000000000 -0400
84413 +++ linux-2.6.39.1/sound/soc/sh/dma-sh7760.c 2011-05-22 19:36:35.000000000 -0400
84414 @@ -311,7 +311,7 @@ static snd_pcm_uframes_t camelot_pos(str
84415 return bytes_to_frames(runtime, pos);
84416 }
84417
84418 -static struct snd_pcm_ops camelot_pcm_ops = {
84419 +static const struct snd_pcm_ops camelot_pcm_ops = {
84420 .open = camelot_pcm_open,
84421 .close = camelot_pcm_close,
84422 .ioctl = snd_pcm_lib_ioctl,
84423 diff -urNp linux-2.6.39.1/sound/soc/sh/hac.c linux-2.6.39.1/sound/soc/sh/hac.c
84424 --- linux-2.6.39.1/sound/soc/sh/hac.c 2011-05-19 00:06:34.000000000 -0400
84425 +++ linux-2.6.39.1/sound/soc/sh/hac.c 2011-05-22 19:36:35.000000000 -0400
84426 @@ -227,7 +227,7 @@ static void hac_ac97_coldrst(struct snd_
84427 hac_ac97_warmrst(ac97);
84428 }
84429
84430 -struct snd_ac97_bus_ops soc_ac97_ops = {
84431 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84432 .read = hac_ac97_read,
84433 .write = hac_ac97_write,
84434 .reset = hac_ac97_coldrst,
84435 diff -urNp linux-2.6.39.1/sound/soc/sh/migor.c linux-2.6.39.1/sound/soc/sh/migor.c
84436 --- linux-2.6.39.1/sound/soc/sh/migor.c 2011-05-19 00:06:34.000000000 -0400
84437 +++ linux-2.6.39.1/sound/soc/sh/migor.c 2011-05-22 19:36:35.000000000 -0400
84438 @@ -108,7 +108,7 @@ static int migor_hw_free(struct snd_pcm_
84439 return 0;
84440 }
84441
84442 -static struct snd_soc_ops migor_dai_ops = {
84443 +static const struct snd_soc_ops migor_dai_ops = {
84444 .hw_params = migor_hw_params,
84445 .hw_free = migor_hw_free,
84446 };
84447 diff -urNp linux-2.6.39.1/sound/soc/sh/siu_pcm.c linux-2.6.39.1/sound/soc/sh/siu_pcm.c
84448 --- linux-2.6.39.1/sound/soc/sh/siu_pcm.c 2011-05-19 00:06:34.000000000 -0400
84449 +++ linux-2.6.39.1/sound/soc/sh/siu_pcm.c 2011-05-22 19:36:35.000000000 -0400
84450 @@ -597,7 +597,7 @@ static void siu_pcm_free(struct snd_pcm
84451 dev_dbg(pcm->card->dev, "%s\n", __func__);
84452 }
84453
84454 -static struct snd_pcm_ops siu_pcm_ops = {
84455 +static const struct snd_pcm_ops siu_pcm_ops = {
84456 .open = siu_pcm_open,
84457 .close = siu_pcm_close,
84458 .ioctl = snd_pcm_lib_ioctl,
84459 diff -urNp linux-2.6.39.1/sound/soc/tegra/harmony.c linux-2.6.39.1/sound/soc/tegra/harmony.c
84460 --- linux-2.6.39.1/sound/soc/tegra/harmony.c 2011-05-19 00:06:34.000000000 -0400
84461 +++ linux-2.6.39.1/sound/soc/tegra/harmony.c 2011-05-22 19:36:35.000000000 -0400
84462 @@ -126,7 +126,7 @@ static int harmony_asoc_hw_params(struct
84463 return 0;
84464 }
84465
84466 -static struct snd_soc_ops harmony_asoc_ops = {
84467 +static const struct snd_soc_ops harmony_asoc_ops = {
84468 .hw_params = harmony_asoc_hw_params,
84469 };
84470
84471 diff -urNp linux-2.6.39.1/sound/soc/tegra/tegra_pcm.c linux-2.6.39.1/sound/soc/tegra/tegra_pcm.c
84472 --- linux-2.6.39.1/sound/soc/tegra/tegra_pcm.c 2011-05-19 00:06:34.000000000 -0400
84473 +++ linux-2.6.39.1/sound/soc/tegra/tegra_pcm.c 2011-05-22 19:36:36.000000000 -0400
84474 @@ -277,7 +277,7 @@ static int tegra_pcm_mmap(struct snd_pcm
84475 runtime->dma_bytes);
84476 }
84477
84478 -static struct snd_pcm_ops tegra_pcm_ops = {
84479 +static const struct snd_pcm_ops tegra_pcm_ops = {
84480 .open = tegra_pcm_open,
84481 .close = tegra_pcm_close,
84482 .ioctl = snd_pcm_lib_ioctl,
84483 diff -urNp linux-2.6.39.1/sound/soc/txx9/txx9aclc.c linux-2.6.39.1/sound/soc/txx9/txx9aclc.c
84484 --- linux-2.6.39.1/sound/soc/txx9/txx9aclc.c 2011-05-19 00:06:34.000000000 -0400
84485 +++ linux-2.6.39.1/sound/soc/txx9/txx9aclc.c 2011-05-22 19:36:36.000000000 -0400
84486 @@ -272,7 +272,7 @@ static int txx9aclc_pcm_close(struct snd
84487 return 0;
84488 }
84489
84490 -static struct snd_pcm_ops txx9aclc_pcm_ops = {
84491 +static const struct snd_pcm_ops txx9aclc_pcm_ops = {
84492 .open = txx9aclc_pcm_open,
84493 .close = txx9aclc_pcm_close,
84494 .ioctl = snd_pcm_lib_ioctl,
84495 diff -urNp linux-2.6.39.1/sound/sparc/amd7930.c linux-2.6.39.1/sound/sparc/amd7930.c
84496 --- linux-2.6.39.1/sound/sparc/amd7930.c 2011-05-19 00:06:34.000000000 -0400
84497 +++ linux-2.6.39.1/sound/sparc/amd7930.c 2011-05-22 19:36:36.000000000 -0400
84498 @@ -733,7 +733,7 @@ static int snd_amd7930_hw_free(struct sn
84499 return snd_pcm_lib_free_pages(substream);
84500 }
84501
84502 -static struct snd_pcm_ops snd_amd7930_playback_ops = {
84503 +static const struct snd_pcm_ops snd_amd7930_playback_ops = {
84504 .open = snd_amd7930_playback_open,
84505 .close = snd_amd7930_playback_close,
84506 .ioctl = snd_pcm_lib_ioctl,
84507 @@ -744,7 +744,7 @@ static struct snd_pcm_ops snd_amd7930_pl
84508 .pointer = snd_amd7930_playback_pointer,
84509 };
84510
84511 -static struct snd_pcm_ops snd_amd7930_capture_ops = {
84512 +static const struct snd_pcm_ops snd_amd7930_capture_ops = {
84513 .open = snd_amd7930_capture_open,
84514 .close = snd_amd7930_capture_close,
84515 .ioctl = snd_pcm_lib_ioctl,
84516 @@ -929,7 +929,7 @@ static int snd_amd7930_dev_free(struct s
84517 return snd_amd7930_free(amd);
84518 }
84519
84520 -static struct snd_device_ops snd_amd7930_dev_ops = {
84521 +static const struct snd_device_ops snd_amd7930_dev_ops = {
84522 .dev_free = snd_amd7930_dev_free,
84523 };
84524
84525 diff -urNp linux-2.6.39.1/sound/sparc/cs4231.c linux-2.6.39.1/sound/sparc/cs4231.c
84526 --- linux-2.6.39.1/sound/sparc/cs4231.c 2011-05-19 00:06:34.000000000 -0400
84527 +++ linux-2.6.39.1/sound/sparc/cs4231.c 2011-05-22 19:36:36.000000000 -0400
84528 @@ -1196,7 +1196,7 @@ static int snd_cs4231_capture_close(stru
84529 * XXX the audio AUXIO register...
84530 */
84531
84532 -static struct snd_pcm_ops snd_cs4231_playback_ops = {
84533 +static const struct snd_pcm_ops snd_cs4231_playback_ops = {
84534 .open = snd_cs4231_playback_open,
84535 .close = snd_cs4231_playback_close,
84536 .ioctl = snd_pcm_lib_ioctl,
84537 @@ -1207,7 +1207,7 @@ static struct snd_pcm_ops snd_cs4231_pla
84538 .pointer = snd_cs4231_playback_pointer,
84539 };
84540
84541 -static struct snd_pcm_ops snd_cs4231_capture_ops = {
84542 +static const struct snd_pcm_ops snd_cs4231_capture_ops = {
84543 .open = snd_cs4231_capture_open,
84544 .close = snd_cs4231_capture_close,
84545 .ioctl = snd_pcm_lib_ioctl,
84546 @@ -1789,7 +1789,7 @@ static int snd_cs4231_sbus_dev_free(stru
84547 return snd_cs4231_sbus_free(cp);
84548 }
84549
84550 -static struct snd_device_ops snd_cs4231_sbus_dev_ops = {
84551 +static const struct snd_device_ops snd_cs4231_sbus_dev_ops = {
84552 .dev_free = snd_cs4231_sbus_dev_free,
84553 };
84554
84555 @@ -1955,7 +1955,7 @@ static int snd_cs4231_ebus_dev_free(stru
84556 return snd_cs4231_ebus_free(cp);
84557 }
84558
84559 -static struct snd_device_ops snd_cs4231_ebus_dev_ops = {
84560 +static const struct snd_device_ops snd_cs4231_ebus_dev_ops = {
84561 .dev_free = snd_cs4231_ebus_dev_free,
84562 };
84563
84564 diff -urNp linux-2.6.39.1/sound/sparc/dbri.c linux-2.6.39.1/sound/sparc/dbri.c
84565 --- linux-2.6.39.1/sound/sparc/dbri.c 2011-05-19 00:06:34.000000000 -0400
84566 +++ linux-2.6.39.1/sound/sparc/dbri.c 2011-05-22 19:36:36.000000000 -0400
84567 @@ -2205,7 +2205,7 @@ static snd_pcm_uframes_t snd_dbri_pointe
84568 return ret;
84569 }
84570
84571 -static struct snd_pcm_ops snd_dbri_ops = {
84572 +static const struct snd_pcm_ops snd_dbri_ops = {
84573 .open = snd_dbri_open,
84574 .close = snd_dbri_close,
84575 .ioctl = snd_pcm_lib_ioctl,
84576 diff -urNp linux-2.6.39.1/sound/spi/at73c213.c linux-2.6.39.1/sound/spi/at73c213.c
84577 --- linux-2.6.39.1/sound/spi/at73c213.c 2011-05-19 00:06:34.000000000 -0400
84578 +++ linux-2.6.39.1/sound/spi/at73c213.c 2011-05-22 19:36:36.000000000 -0400
84579 @@ -319,7 +319,7 @@ snd_at73c213_pcm_pointer(struct snd_pcm_
84580 return pos;
84581 }
84582
84583 -static struct snd_pcm_ops at73c213_playback_ops = {
84584 +static const struct snd_pcm_ops at73c213_playback_ops = {
84585 .open = snd_at73c213_pcm_open,
84586 .close = snd_at73c213_pcm_close,
84587 .ioctl = snd_pcm_lib_ioctl,
84588 @@ -882,7 +882,7 @@ static int snd_at73c213_dev_free(struct
84589 static int __devinit snd_at73c213_dev_init(struct snd_card *card,
84590 struct spi_device *spi)
84591 {
84592 - static struct snd_device_ops ops = {
84593 + static const struct snd_device_ops ops = {
84594 .dev_free = snd_at73c213_dev_free,
84595 };
84596 struct snd_at73c213 *chip = get_chip(card);
84597 diff -urNp linux-2.6.39.1/sound/usb/6fire/midi.c linux-2.6.39.1/sound/usb/6fire/midi.c
84598 --- linux-2.6.39.1/sound/usb/6fire/midi.c 2011-05-19 00:06:34.000000000 -0400
84599 +++ linux-2.6.39.1/sound/usb/6fire/midi.c 2011-05-22 19:36:36.000000000 -0400
84600 @@ -134,14 +134,14 @@ static void usb6fire_midi_in_trigger(
84601 spin_unlock_irqrestore(&rt->in_lock, flags);
84602 }
84603
84604 -static struct snd_rawmidi_ops out_ops = {
84605 +static const struct snd_rawmidi_ops out_ops = {
84606 .open = usb6fire_midi_out_open,
84607 .close = usb6fire_midi_out_close,
84608 .trigger = usb6fire_midi_out_trigger,
84609 .drain = usb6fire_midi_out_drain
84610 };
84611
84612 -static struct snd_rawmidi_ops in_ops = {
84613 +static const struct snd_rawmidi_ops in_ops = {
84614 .open = usb6fire_midi_in_open,
84615 .close = usb6fire_midi_in_close,
84616 .trigger = usb6fire_midi_in_trigger
84617 diff -urNp linux-2.6.39.1/sound/usb/caiaq/audio.c linux-2.6.39.1/sound/usb/caiaq/audio.c
84618 --- linux-2.6.39.1/sound/usb/caiaq/audio.c 2011-05-19 00:06:34.000000000 -0400
84619 +++ linux-2.6.39.1/sound/usb/caiaq/audio.c 2011-05-22 19:36:36.000000000 -0400
84620 @@ -322,7 +322,7 @@ snd_usb_caiaq_pcm_pointer(struct snd_pcm
84621 }
84622
84623 /* operators for both playback and capture */
84624 -static struct snd_pcm_ops snd_usb_caiaq_ops = {
84625 +static const struct snd_pcm_ops snd_usb_caiaq_ops = {
84626 .open = snd_usb_caiaq_substream_open,
84627 .close = snd_usb_caiaq_substream_close,
84628 .ioctl = snd_pcm_lib_ioctl,
84629 diff -urNp linux-2.6.39.1/sound/usb/caiaq/midi.c linux-2.6.39.1/sound/usb/caiaq/midi.c
84630 --- linux-2.6.39.1/sound/usb/caiaq/midi.c 2011-05-19 00:06:34.000000000 -0400
84631 +++ linux-2.6.39.1/sound/usb/caiaq/midi.c 2011-05-22 19:36:36.000000000 -0400
84632 @@ -100,15 +100,13 @@ static void snd_usb_caiaq_midi_output_tr
84633 }
84634
84635
84636 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_output =
84637 -{
84638 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output = {
84639 .open = snd_usb_caiaq_midi_output_open,
84640 .close = snd_usb_caiaq_midi_output_close,
84641 .trigger = snd_usb_caiaq_midi_output_trigger,
84642 };
84643
84644 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_input =
84645 -{
84646 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_input = {
84647 .open = snd_usb_caiaq_midi_input_open,
84648 .close = snd_usb_caiaq_midi_input_close,
84649 .trigger = snd_usb_caiaq_midi_input_trigger,
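Review bot: Both tables in this hunk move the opening brace onto the declaration line as well as adding `const`, which mixes a formatting change into a hardening change. Keeping the original layout, `static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output =` with `{` on its own line, makes each table a one-line change and leaves less to conflict when the patch is carried to a newer base. The `snd_usX2Y_pcm_ops` hunk in sound/usb/usx2y/usbusx2yaudio.c does the same. The second initializer continues past the end of the hunk.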
84650 diff -urNp linux-2.6.39.1/sound/usb/card.c linux-2.6.39.1/sound/usb/card.c
84651 --- linux-2.6.39.1/sound/usb/card.c 2011-05-19 00:06:34.000000000 -0400
84652 +++ linux-2.6.39.1/sound/usb/card.c 2011-05-22 19:36:36.000000000 -0400
84653 @@ -305,7 +305,7 @@ static int snd_usb_audio_create(struct u
84654 struct snd_usb_audio *chip;
84655 int err, len;
84656 char component[14];
84657 - static struct snd_device_ops ops = {
84658 + static const struct snd_device_ops ops = {
84659 .dev_free = snd_usb_audio_dev_free,
84660 };
84661
84662 diff -urNp linux-2.6.39.1/sound/usb/midi.c linux-2.6.39.1/sound/usb/midi.c
84663 --- linux-2.6.39.1/sound/usb/midi.c 2011-05-19 00:06:34.000000000 -0400
84664 +++ linux-2.6.39.1/sound/usb/midi.c 2011-05-22 19:36:36.000000000 -0400
84665 @@ -1146,14 +1146,14 @@ static void snd_usbmidi_input_trigger(st
84666 clear_bit(substream->number, &umidi->input_triggered);
84667 }
84668
84669 -static struct snd_rawmidi_ops snd_usbmidi_output_ops = {
84670 +static const struct snd_rawmidi_ops snd_usbmidi_output_ops = {
84671 .open = snd_usbmidi_output_open,
84672 .close = snd_usbmidi_output_close,
84673 .trigger = snd_usbmidi_output_trigger,
84674 .drain = snd_usbmidi_output_drain,
84675 };
84676
84677 -static struct snd_rawmidi_ops snd_usbmidi_input_ops = {
84678 +static const struct snd_rawmidi_ops snd_usbmidi_input_ops = {
84679 .open = snd_usbmidi_input_open,
84680 .close = snd_usbmidi_input_close,
84681 .trigger = snd_usbmidi_input_trigger
84682 diff -urNp linux-2.6.39.1/sound/usb/misc/ua101.c linux-2.6.39.1/sound/usb/misc/ua101.c
84683 --- linux-2.6.39.1/sound/usb/misc/ua101.c 2011-05-19 00:06:34.000000000 -0400
84684 +++ linux-2.6.39.1/sound/usb/misc/ua101.c 2011-05-22 19:36:36.000000000 -0400
84685 @@ -886,7 +886,7 @@ static snd_pcm_uframes_t playback_pcm_po
84686 return ua101_pcm_pointer(ua, &ua->playback);
84687 }
84688
84689 -static struct snd_pcm_ops capture_pcm_ops = {
84690 +static const struct snd_pcm_ops capture_pcm_ops = {
84691 .open = capture_pcm_open,
84692 .close = capture_pcm_close,
84693 .ioctl = snd_pcm_lib_ioctl,
84694 @@ -899,7 +899,7 @@ static struct snd_pcm_ops capture_pcm_op
84695 .mmap = snd_pcm_lib_mmap_vmalloc,
84696 };
84697
84698 -static struct snd_pcm_ops playback_pcm_ops = {
84699 +static const struct snd_pcm_ops playback_pcm_ops = {
84700 .open = playback_pcm_open,
84701 .close = playback_pcm_close,
84702 .ioctl = snd_pcm_lib_ioctl,
84703 diff -urNp linux-2.6.39.1/sound/usb/mixer.c linux-2.6.39.1/sound/usb/mixer.c
84704 --- linux-2.6.39.1/sound/usb/mixer.c 2011-05-19 00:06:34.000000000 -0400
84705 +++ linux-2.6.39.1/sound/usb/mixer.c 2011-05-22 19:36:36.000000000 -0400
84706 @@ -2201,7 +2201,7 @@ static int snd_usb_mixer_status_create(s
84707 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
84708 int ignore_error)
84709 {
84710 - static struct snd_device_ops dev_ops = {
84711 + static const struct snd_device_ops dev_ops = {
84712 .dev_free = snd_usb_mixer_dev_free
84713 };
84714 struct usb_mixer_interface *mixer;
84715 diff -urNp linux-2.6.39.1/sound/usb/pcm.c linux-2.6.39.1/sound/usb/pcm.c
84716 --- linux-2.6.39.1/sound/usb/pcm.c 2011-05-19 00:06:34.000000000 -0400
84717 +++ linux-2.6.39.1/sound/usb/pcm.c 2011-05-22 19:36:36.000000000 -0400
84718 @@ -844,7 +844,7 @@ static int snd_usb_capture_close(struct
84719 return snd_usb_pcm_close(substream, SNDRV_PCM_STREAM_CAPTURE);
84720 }
84721
84722 -static struct snd_pcm_ops snd_usb_playback_ops = {
84723 +static const struct snd_pcm_ops snd_usb_playback_ops = {
84724 .open = snd_usb_playback_open,
84725 .close = snd_usb_playback_close,
84726 .ioctl = snd_pcm_lib_ioctl,
84727 @@ -857,7 +857,7 @@ static struct snd_pcm_ops snd_usb_playba
84728 .mmap = snd_pcm_lib_mmap_vmalloc,
84729 };
84730
84731 -static struct snd_pcm_ops snd_usb_capture_ops = {
84732 +static const struct snd_pcm_ops snd_usb_capture_ops = {
84733 .open = snd_usb_capture_open,
84734 .close = snd_usb_capture_close,
84735 .ioctl = snd_pcm_lib_ioctl,
84736 diff -urNp linux-2.6.39.1/sound/usb/usx2y/usbusx2yaudio.c linux-2.6.39.1/sound/usb/usx2y/usbusx2yaudio.c
84737 --- linux-2.6.39.1/sound/usb/usx2y/usbusx2yaudio.c 2011-05-19 00:06:34.000000000 -0400
84738 +++ linux-2.6.39.1/sound/usb/usx2y/usbusx2yaudio.c 2011-05-22 19:36:36.000000000 -0400
84739 @@ -919,8 +919,7 @@ static int snd_usX2Y_pcm_close(struct sn
84740 }
84741
84742
84743 -static struct snd_pcm_ops snd_usX2Y_pcm_ops =
84744 -{
84745 +static const struct snd_pcm_ops snd_usX2Y_pcm_ops = {
84746 .open = snd_usX2Y_pcm_open,
84747 .close = snd_usX2Y_pcm_close,
84748 .ioctl = snd_pcm_lib_ioctl,
84749 diff -urNp linux-2.6.39.1/tools/gcc/Makefile linux-2.6.39.1/tools/gcc/Makefile
84750 --- linux-2.6.39.1/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
84751 +++ linux-2.6.39.1/tools/gcc/Makefile 2011-06-03 01:19:01.000000000 -0400
84752 @@ -0,0 +1,11 @@
84753 +#CC := gcc
84754 +#PLUGIN_SOURCE_FILES := pax_plugin.c
84755 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
84756 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
84757 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
84758 +
84759 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
84760 +
84761 +hostlibs-y := pax_plugin.so
84762 +always := $(hostlibs-y)
84763 +pax_plugin-objs := pax_plugin.o
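Review bot: `GCCPLUGINS_DIR` is taken from `$(HOSTCC) -print-file-name=plugin`, so the plugin is built against the host compiler's plugin headers. If the gcc that later loads `pax_plugin.so` is a different one (a cross build, or `CC` pointing at another version), the `plugin_default_version_check()` call in pax_plugin.c would presumably reject it and the build would fail. Where the plugin is handed to the compiler is not visible in this hunk, so confirm; if it is loaded by `$(CC)`, the lookup should be `GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)`. The four commented-out lines (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) look like leftovers from a standalone build and can be dropped.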
84764 diff -urNp linux-2.6.39.1/tools/gcc/pax_plugin.c linux-2.6.39.1/tools/gcc/pax_plugin.c
84765 --- linux-2.6.39.1/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
84766 +++ linux-2.6.39.1/tools/gcc/pax_plugin.c 2011-06-03 23:14:36.000000000 -0400
84767 @@ -0,0 +1,242 @@
84768 +/*
84769 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
84770 + * Licensed under the GPL v2
84771 + *
84772 + * Note: the choice of the license means that the compilation process is
84773 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
84774 + * but for the kernel it doesn't matter since it doesn't link against
84775 + * any of the gcc libraries
84776 + *
84777 + * gcc plugin to help implement various PaX features
84778 + *
84779 + * - track lowest stack pointer
84780 + *
84781 + * TODO:
84782 + * - initialize all local variables
84783 + *
84784 + * BUGS:
84785 + */
84786 +#include "gcc-plugin.h"
84787 +#include "plugin-version.h"
84788 +#include "config.h"
84789 +#include "system.h"
84790 +#include "coretypes.h"
84791 +#include "tm.h"
84792 +#include "toplev.h"
84793 +#include "basic-block.h"
84794 +#include "gimple.h"
84795 +//#include "expr.h" where are you...
84796 +#include "diagnostic.h"
84797 +#include "rtl.h"
84798 +#include "emit-rtl.h"
84799 +#include "function.h"
84800 +#include "tree.h"
84801 +#include "tree-pass.h"
84802 +#include "intl.h"
84803 +
84804 +int plugin_is_GPL_compatible;
84805 +
84806 +static int track_frame_size = -1;
84807 +static const char track_function[] = "pax_track_stack";
84808 +static bool init_locals;
84809 +
84810 +static struct plugin_info pax_plugin_info = {
84811 + .version = "201106030000",
84812 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
84813 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
84814 +};
84815 +
84816 +static bool gate_pax_track_stack(void);
84817 +static unsigned int execute_pax_tree_instrument(void);
84818 +static unsigned int execute_pax_final(void);
84819 +
84820 +static struct gimple_opt_pass pax_tree_instrument_pass = {
84821 + .pass = {
84822 + .type = GIMPLE_PASS,
84823 + .name = "pax_tree_instrument",
84824 + .gate = gate_pax_track_stack,
84825 + .execute = execute_pax_tree_instrument,
84826 + .sub = NULL,
84827 + .next = NULL,
84828 + .static_pass_number = 0,
84829 + .tv_id = TV_NONE,
84830 + .properties_required = PROP_gimple_leh | PROP_cfg,
84831 + .properties_provided = 0,
84832 + .properties_destroyed = 0,
84833 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
84834 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
84835 + }
84836 +};
84837 +
84838 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
84839 + .pass = {
84840 + .type = RTL_PASS,
84841 + .name = "pax_final",
84842 + .gate = gate_pax_track_stack,
84843 + .execute = execute_pax_final,
84844 + .sub = NULL,
84845 + .next = NULL,
84846 + .static_pass_number = 0,
84847 + .tv_id = TV_NONE,
84848 + .properties_required = 0,
84849 + .properties_provided = 0,
84850 + .properties_destroyed = 0,
84851 + .todo_flags_start = 0,
84852 + .todo_flags_finish = 0
84853 + }
84854 +};
84855 +
84856 +static bool gate_pax_track_stack(void)
84857 +{
84858 + return track_frame_size >= 0;
84859 +}
84860 +
84861 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
84862 +{
84863 + gimple call;
84864 + tree decl, type;
84865 +
84866 + // insert call to void pax_track_stack(void)
84867 + type = build_function_type_list(void_type_node, NULL_TREE);
84868 + decl = build_fn_decl(track_function, type);
84869 + DECL_ASSEMBLER_NAME(decl); // for LTO
84870 + call = gimple_build_call(decl, 0);
84871 + if (before)
84872 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
84873 + else
84874 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
84875 +}
84876 +
84877 +static unsigned int execute_pax_tree_instrument(void)
84878 +{
84879 + basic_block bb;
84880 + gimple_stmt_iterator gsi;
84881 +
84882 + // 1. loop through BBs and GIMPLE statements
84883 + FOR_EACH_BB(bb) {
84884 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
84885 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
84886 + tree decl;
84887 + gimple stmt = gsi_stmt(gsi);
84888 +
84889 + if (!is_gimple_call(stmt))
84890 + continue;
84891 + decl = gimple_call_fndecl(stmt);
84892 + if (!decl)
84893 + continue;
84894 + if (TREE_CODE(decl) != FUNCTION_DECL)
84895 + continue;
84896 + if (!DECL_BUILT_IN(decl))
84897 + continue;
84898 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
84899 + continue;
84900 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
84901 + continue;
84902 +
84903 + // 2. insert track call after each __builtin_alloca call
84904 + pax_add_instrumentation(&gsi, false);
84905 +// print_node(stderr, "pax", decl, 4);
84906 + }
84907 + }
84908 +
84909 + // 3. insert track call at the beginning
84910 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
84911 + gsi = gsi_start_bb(bb);
84912 + pax_add_instrumentation(&gsi, true);
84913 +
84914 + return 0;
84915 +}
84916 +
84917 +static unsigned int execute_pax_final(void)
84918 +{
84919 + rtx insn;
84920 +
84921 + if (cfun->calls_alloca)
84922 + return 0;
84923 +
84924 + // 1. find pax_track_stack calls
84925 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
84926 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
84927 + rtx body;
84928 +
84929 + if (!CALL_P(insn))
84930 + continue;
84931 + body = PATTERN(insn);
84932 + if (GET_CODE(body) != CALL)
84933 + continue;
84934 + body = XEXP(body, 0);
84935 + if (GET_CODE(body) != MEM)
84936 + continue;
84937 + body = XEXP(body, 0);
84938 + if (GET_CODE(body) != SYMBOL_REF)
84939 + continue;
84940 + if (strcmp(XSTR(body, 0), track_function))
84941 + continue;
84942 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
84943 + // 2. delete call if function frame is not big enough
84944 + if (get_frame_size() >= track_frame_size)
84945 + continue;
84946 + delete_insn_and_edges(insn);
84947 + }
84948 +
84949 +// print_simple_rtl(stderr, get_insns());
84950 +// print_rtl(stderr, get_insns());
84951 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
84952 +
84953 + return 0;
84954 +}
84955 +
84956 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
84957 +{
84958 + const char * const plugin_name = plugin_info->base_name;
84959 + const int argc = plugin_info->argc;
84960 + const struct plugin_argument * const argv = plugin_info->argv;
84961 + int i;
84962 + struct register_pass_info pax_tree_instrument_pass_info = {
84963 + .pass = &pax_tree_instrument_pass.pass,
84964 +// .reference_pass_name = "tree_profile",
84965 + .reference_pass_name = "optimized",
84966 + .ref_pass_instance_number = 0,
84967 + .pos_op = PASS_POS_INSERT_AFTER
84968 + };
84969 + struct register_pass_info pax_final_pass_info = {
84970 + .pass = &pax_final_rtl_opt_pass.pass,
84971 + .reference_pass_name = "final",
84972 + .ref_pass_instance_number = 0,
84973 + .pos_op = PASS_POS_INSERT_BEFORE
84974 + };
84975 +
84976 + if (!plugin_default_version_check(version, &gcc_version)) {
84977 + error(G_("incompatible gcc/plugin versions"));
84978 + return 1;
84979 + }
84980 +
84981 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
84982 +
84983 + for (i = 0; i < argc; ++i) {
84984 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
84985 + if (!argv[i].value) {
84986 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
84987 + continue;
84988 + }
84989 + track_frame_size = atoi(argv[i].value);
84990 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
84991 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
84992 + continue;
84993 + }
84994 + if (!strcmp(argv[i].key, "initialize-locals")) {
84995 + if (argv[i].value) {
84996 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
84997 + continue;
84998 + }
84999 + init_locals = true;
85000 + continue;
85001 + }
85002 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85003 + }
85004 +
85005 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
85006 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
85007 +
85008 + return 0;
85009 +}
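Review bot: In `plugin_init`, the `track-lowest-sp` value is parsed with `atoi()` and only its first character is checked, so `track-lowest-sp=100x` is accepted as 100 and a value beyond `int` range is undefined in `atoi()`; a mistyped threshold silently changes which functions keep their `pax_track_stack` call. Parsing with `strtol()` and rejecting trailing characters and out-of-range values, as in the excerpt below, closes that. Separately, `initialize-locals` sets `init_locals`, which nothing in this file reads, so the option is accepted with no effect and no diagnostic; until the TODO is implemented it would be safer to reject it. In `execute_pax_final` the loop advances with `NEXT_INSN(insn)` after `delete_insn_and_edges(insn)`; reading the successor before the delete (`next = NEXT_INSN(insn);`) would not depend on the deleted insn keeping its link. The message `unkown option` should read `unknown option`.

```c
		if (!strcmp(argv[i].key, "track-lowest-sp")) {
			char *end;
			long size;

			// … unchanged: missing-value check …
			errno = 0;
			size = strtol(argv[i].value, &end, 10);
			if (argv[i].value[0] < '0' || argv[i].value[0] > '9' ||
			    *end != '\0' || errno == ERANGE || size > INT_MAX) {
				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
				continue;
			}
			track_frame_size = (int)size;
			continue;
		}
```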
85010 Binary files linux-2.6.39.1/tools/gcc/pax_plugin.so and linux-2.6.39.1/tools/gcc/pax_plugin.so differ
85011 diff -urNp linux-2.6.39.1/tools/perf/builtin-lock.c linux-2.6.39.1/tools/perf/builtin-lock.c
85012 --- linux-2.6.39.1/tools/perf/builtin-lock.c 2011-05-19 00:06:34.000000000 -0400
85013 +++ linux-2.6.39.1/tools/perf/builtin-lock.c 2011-05-22 19:36:36.000000000 -0400
85014 @@ -635,14 +635,14 @@ end:
85015
85016 /* lock oriented handlers */
85017 /* TODO: handlers for CPU oriented, thread oriented */
85018 -static struct trace_lock_handler report_lock_ops = {
85019 +static const struct trace_lock_handler report_lock_ops = {
85020 .acquire_event = report_lock_acquire_event,
85021 .acquired_event = report_lock_acquired_event,
85022 .contended_event = report_lock_contended_event,
85023 .release_event = report_lock_release_event,
85024 };
85025
85026 -static struct trace_lock_handler *trace_handler;
85027 +static const struct trace_lock_handler *trace_handler;
85028
85029 static void
85030 process_lock_acquire_event(void *data,
85031 diff -urNp linux-2.6.39.1/tools/perf/builtin-sched.c linux-2.6.39.1/tools/perf/builtin-sched.c
85032 --- linux-2.6.39.1/tools/perf/builtin-sched.c 2011-05-19 00:06:34.000000000 -0400
85033 +++ linux-2.6.39.1/tools/perf/builtin-sched.c 2011-05-22 19:36:36.000000000 -0400
85034 @@ -845,7 +845,7 @@ replay_fork_event(struct trace_fork_even
85035 register_pid(fork_event->child_pid, fork_event->child_comm);
85036 }
85037
85038 -static struct trace_sched_handler replay_ops = {
85039 +static const struct trace_sched_handler replay_ops = {
85040 .wakeup_event = replay_wakeup_event,
85041 .switch_event = replay_switch_event,
85042 .fork_event = replay_fork_event,
85043 @@ -1183,7 +1183,7 @@ latency_migrate_task_event(struct trace_
85044 nr_unordered_timestamps++;
85045 }
85046
85047 -static struct trace_sched_handler lat_ops = {
85048 +static const struct trace_sched_handler lat_ops = {
85049 .wakeup_event = latency_wakeup_event,
85050 .switch_event = latency_switch_event,
85051 .runtime_event = latency_runtime_event,
85052 @@ -1353,7 +1353,7 @@ static void sort_lat(void)
85053 }
85054 }
85055
85056 -static struct trace_sched_handler *trace_handler;
85057 +static const struct trace_sched_handler *trace_handler;
85058
85059 static void
85060 process_sched_wakeup_event(void *data, struct perf_session *session,
85061 @@ -1719,7 +1719,7 @@ static void __cmd_lat(void)
85062
85063 }
85064
85065 -static struct trace_sched_handler map_ops = {
85066 +static const struct trace_sched_handler map_ops = {
85067 .wakeup_event = NULL,
85068 .switch_event = map_switch_event,
85069 .runtime_event = NULL,
85070 diff -urNp linux-2.6.39.1/usr/gen_init_cpio.c linux-2.6.39.1/usr/gen_init_cpio.c
85071 --- linux-2.6.39.1/usr/gen_init_cpio.c 2011-05-19 00:06:34.000000000 -0400
85072 +++ linux-2.6.39.1/usr/gen_init_cpio.c 2011-05-22 19:36:36.000000000 -0400
85073 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
85074 int retval;
85075 int rc = -1;
85076 int namesize;
85077 - int i;
85078 + unsigned int i;
85079
85080 mode |= S_IFREG;
85081
85082 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
85083 *env_var = *expanded = '\0';
85084 strncat(env_var, start + 2, end - start - 2);
85085 strncat(expanded, new_location, start - new_location);
85086 - strncat(expanded, getenv(env_var), PATH_MAX);
85087 - strncat(expanded, end + 1, PATH_MAX);
85088 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
85089 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
85090 strncpy(new_location, expanded, PATH_MAX);
85091 + new_location[PATH_MAX] = 0;
85092 } else
85093 break;
85094 }
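Review bot: The rewritten `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded))` still passes the result of `getenv()` straight to `strncat()`, and `getenv()` returns NULL when the variable is unset, which is undefined behaviour here. Fetch the value first and substitute an empty string (or fail the expansion): `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` and the new bounds are only correct if `expanded` and `new_location` hold at least `PATH_MAX + 1` bytes; their declarations, like the rest of `cpio_replace_env`, are outside this hunk and should be checked.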
85095 diff -urNp linux-2.6.39.1/virt/kvm/kvm_main.c linux-2.6.39.1/virt/kvm/kvm_main.c
85096 --- linux-2.6.39.1/virt/kvm/kvm_main.c 2011-05-19 00:06:34.000000000 -0400
85097 +++ linux-2.6.39.1/virt/kvm/kvm_main.c 2011-05-22 19:36:36.000000000 -0400
85098 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
85099
85100 static cpumask_var_t cpus_hardware_enabled;
85101 static int kvm_usage_count = 0;
85102 -static atomic_t hardware_enable_failed;
85103 +static atomic_unchecked_t hardware_enable_failed;
85104
85105 struct kmem_cache *kvm_vcpu_cache;
85106 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
85107 @@ -1594,7 +1594,7 @@ static int kvm_vcpu_release(struct inode
85108 return 0;
85109 }
85110
85111 -static struct file_operations kvm_vcpu_fops = {
85112 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
85113 .release = kvm_vcpu_release,
85114 .unlocked_ioctl = kvm_vcpu_ioctl,
85115 .compat_ioctl = kvm_vcpu_ioctl,
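Review bot: The added `/* cannot be const */` on `kvm_vcpu_fops` (and the same comment on `kvm_vm_fops` and `kvm_chardev_ops` in the two following hunks) does not say why, which leaves the next constification pass to rediscover the reason. If it is that a field such as `.owner` is assigned at run time — the assignment is not visible in these hunks, so confirm — the comment should name it, for example `/* cannot be const: .owner is set in kvm_init() */`. These tables are the kind of function-pointer structure the rest of the patch moves to read-only memory, so each exception deserves a stated reason.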
85116 @@ -2063,7 +2063,7 @@ static int kvm_vm_mmap(struct file *file
85117 return 0;
85118 }
85119
85120 -static struct file_operations kvm_vm_fops = {
85121 +static struct file_operations kvm_vm_fops = { /* cannot be const */
85122 .release = kvm_vm_release,
85123 .unlocked_ioctl = kvm_vm_ioctl,
85124 #ifdef CONFIG_COMPAT
85125 @@ -2161,7 +2161,7 @@ out:
85126 return r;
85127 }
85128
85129 -static struct file_operations kvm_chardev_ops = {
85130 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
85131 .unlocked_ioctl = kvm_dev_ioctl,
85132 .compat_ioctl = kvm_dev_ioctl,
85133 .llseek = noop_llseek,
85134 @@ -2187,7 +2187,7 @@ static void hardware_enable_nolock(void
85135
85136 if (r) {
85137 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
85138 - atomic_inc(&hardware_enable_failed);
85139 + atomic_inc_unchecked(&hardware_enable_failed);
85140 printk(KERN_INFO "kvm: enabling virtualization on "
85141 "CPU%d failed\n", cpu);
85142 }
85143 @@ -2241,10 +2241,10 @@ static int hardware_enable_all(void)
85144
85145 kvm_usage_count++;
85146 if (kvm_usage_count == 1) {
85147 - atomic_set(&hardware_enable_failed, 0);
85148 + atomic_set_unchecked(&hardware_enable_failed, 0);
85149 on_each_cpu(hardware_enable_nolock, NULL, 1);
85150
85151 - if (atomic_read(&hardware_enable_failed)) {
85152 + if (atomic_read_unchecked(&hardware_enable_failed)) {
85153 hardware_disable_all_nolock();
85154 r = -EBUSY;
85155 }
85156 @@ -2509,7 +2509,7 @@ static void kvm_sched_out(struct preempt
85157 kvm_arch_vcpu_put(vcpu);
85158 }
85159
85160 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85161 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85162 struct module *module)
85163 {
85164 int r;
85165 @@ -2572,7 +2572,7 @@ int kvm_init(void *opaque, unsigned vcpu
85166 if (!vcpu_align)
85167 vcpu_align = __alignof__(struct kvm_vcpu);
85168 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
85169 - 0, NULL);
85170 + SLAB_USERCOPY, NULL);
85171 if (!kvm_vcpu_cache) {
85172 r = -ENOMEM;
85173 goto out_free_3;
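Review bot: `SLAB_USERCOPY` is added to the `kvm_vcpu` cache without a comment saying which copy to or from user space needs it. The flag is set per cache, so, assuming it acts as a usercopy whitelist as its name suggests, every field of each vcpu object becomes an acceptable source or target rather than only the part the ioctl paths touch. A short comment above the `kmem_cache_create()` call naming those paths would let a reviewer judge whether the exemption can later be narrowed or dropped, for instance by copying through a bounce buffer. The body of `kvm_init` continues outside the hunk.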