]> git.ipfire.org Git - thirdparty/grsecurity-scrape.git/blob - test/grsecurity-2.2.2-2.6.39.2-201106292104.patch
Auto commit, 1 new patch{es}.
1 diff -urNp linux-2.6.39.2/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.2/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.39.2/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3 +++ linux-2.6.39.2/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4 @@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
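Review bot: `const struct dma_map_ops *dma_ops` makes the ops table read-only through this pointer, but the exported `dma_ops` variable itself stays writable, so the pointer that `get_dma_ops()` returns can still be retargeted at run time. If nothing reassigns it after initialisation (not visible from these hunks), declare it `extern const struct dma_map_ops * const dma_ops;` here and match that in the definitions in `pci_iommu.c` and `pci-noop.c`. Otherwise a one-line comment on the declaration naming the code that is expected to write the pointer would help.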
16 diff -urNp linux-2.6.39.2/arch/alpha/include/asm/elf.h linux-2.6.39.2/arch/alpha/include/asm/elf.h
17 --- linux-2.6.39.2/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
18 +++ linux-2.6.39.2/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.39.2/arch/alpha/include/asm/pgtable.h linux-2.6.39.2/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.39.2/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
35 +++ linux-2.6.39.2/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_apecs.c linux-2.6.39.2/arch/alpha/kernel/core_apecs.c
55 --- linux-2.6.39.2/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400
56 +++ linux-2.6.39.2/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400
57 @@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus,
58 return PCIBIOS_SUCCESSFUL;
59 }
60
61 -struct pci_ops apecs_pci_ops =
62 +const struct pci_ops apecs_pci_ops =
63 {
64 .read = apecs_read_config,
65 .write = apecs_write_config,
66 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_cia.c linux-2.6.39.2/arch/alpha/kernel/core_cia.c
67 --- linux-2.6.39.2/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400
68 +++ linux-2.6.39.2/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400
69 @@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un
70 return PCIBIOS_SUCCESSFUL;
71 }
72
73 -struct pci_ops cia_pci_ops =
74 +const struct pci_ops cia_pci_ops =
75 {
76 .read = cia_read_config,
77 .write = cia_write_config,
78 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_irongate.c linux-2.6.39.2/arch/alpha/kernel/core_irongate.c
79 --- linux-2.6.39.2/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400
80 +++ linux-2.6.39.2/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400
81 @@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu
82 return PCIBIOS_SUCCESSFUL;
83 }
84
85 -struct pci_ops irongate_pci_ops =
86 +const struct pci_ops irongate_pci_ops =
87 {
88 .read = irongate_read_config,
89 .write = irongate_write_config,
90 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_lca.c linux-2.6.39.2/arch/alpha/kernel/core_lca.c
91 --- linux-2.6.39.2/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400
92 +++ linux-2.6.39.2/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400
93 @@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un
94 return PCIBIOS_SUCCESSFUL;
95 }
96
97 -struct pci_ops lca_pci_ops =
98 +const struct pci_ops lca_pci_ops =
99 {
100 .read = lca_read_config,
101 .write = lca_write_config,
102 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_marvel.c linux-2.6.39.2/arch/alpha/kernel/core_marvel.c
103 --- linux-2.6.39.2/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400
104 +++ linux-2.6.39.2/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400
105 @@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus,
106 return PCIBIOS_SUCCESSFUL;
107 }
108
109 -struct pci_ops marvel_pci_ops =
110 +const struct pci_ops marvel_pci_ops =
111 {
112 .read = marvel_read_config,
113 .write = marvel_write_config,
114 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.2/arch/alpha/kernel/core_mcpcia.c
115 --- linux-2.6.39.2/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400
116 +++ linux-2.6.39.2/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400
117 @@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus,
118 return PCIBIOS_SUCCESSFUL;
119 }
120
121 -struct pci_ops mcpcia_pci_ops =
122 +const struct pci_ops mcpcia_pci_ops =
123 {
124 .read = mcpcia_read_config,
125 .write = mcpcia_write_config,
126 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_polaris.c linux-2.6.39.2/arch/alpha/kernel/core_polaris.c
127 --- linux-2.6.39.2/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400
128 +++ linux-2.6.39.2/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400
129 @@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus
130 return PCIBIOS_SUCCESSFUL;
131 }
132
133 -struct pci_ops polaris_pci_ops =
134 +const struct pci_ops polaris_pci_ops =
135 {
136 .read = polaris_read_config,
137 .write = polaris_write_config,
138 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_t2.c linux-2.6.39.2/arch/alpha/kernel/core_t2.c
139 --- linux-2.6.39.2/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400
140 +++ linux-2.6.39.2/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400
141 @@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns
142 return PCIBIOS_SUCCESSFUL;
143 }
144
145 -struct pci_ops t2_pci_ops =
146 +const struct pci_ops t2_pci_ops =
147 {
148 .read = t2_read_config,
149 .write = t2_write_config,
150 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_titan.c linux-2.6.39.2/arch/alpha/kernel/core_titan.c
151 --- linux-2.6.39.2/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400
152 +++ linux-2.6.39.2/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400
153 @@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus,
154 return PCIBIOS_SUCCESSFUL;
155 }
156
157 -struct pci_ops titan_pci_ops =
158 +const struct pci_ops titan_pci_ops =
159 {
160 .read = titan_read_config,
161 .write = titan_write_config,
162 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_tsunami.c linux-2.6.39.2/arch/alpha/kernel/core_tsunami.c
163 --- linux-2.6.39.2/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400
164 +++ linux-2.6.39.2/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400
165 @@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus
166 return PCIBIOS_SUCCESSFUL;
167 }
168
169 -struct pci_ops tsunami_pci_ops =
170 +const struct pci_ops tsunami_pci_ops =
171 {
172 .read = tsunami_read_config,
173 .write = tsunami_write_config,
174 diff -urNp linux-2.6.39.2/arch/alpha/kernel/core_wildfire.c linux-2.6.39.2/arch/alpha/kernel/core_wildfire.c
175 --- linux-2.6.39.2/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400
176 +++ linux-2.6.39.2/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400
177 @@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu
178 return PCIBIOS_SUCCESSFUL;
179 }
180
181 -struct pci_ops wildfire_pci_ops =
182 +const struct pci_ops wildfire_pci_ops =
183 {
184 .read = wildfire_read_config,
185 .write = wildfire_write_config,
186 diff -urNp linux-2.6.39.2/arch/alpha/kernel/module.c linux-2.6.39.2/arch/alpha/kernel/module.c
187 --- linux-2.6.39.2/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
188 +++ linux-2.6.39.2/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
189 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
190
191 /* The small sections were sorted to the end of the segment.
192 The following should definitely cover them. */
193 - gp = (u64)me->module_core + me->core_size - 0x8000;
194 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
195 got = sechdrs[me->arch.gotsecindex].sh_addr;
196
197 for (i = 0; i < n; i++) {
198 diff -urNp linux-2.6.39.2/arch/alpha/kernel/osf_sys.c linux-2.6.39.2/arch/alpha/kernel/osf_sys.c
199 --- linux-2.6.39.2/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
200 +++ linux-2.6.39.2/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
201 @@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
202 return -EFAULT;
203
204 len = namelen;
205 - if (namelen > 32)
206 + if (len > 32)
207 len = 32;
208
209 down_read(&uts_sem);
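Review bot: The clamp `if (len > 32)` bounds the copy only if `len` has an unsigned type; its declaration is above this hunk and should be confirmed. With a signed `len`, a negative `namelen` would still pass the test unclamped. A comment on the assignment would record the intent, e.g. `/* len is unsigned: a negative namelen converts to a large value and is clamped to 32 */`. The syscall body starts and ends outside the hunk.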
210 @@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
211 down_read(&uts_sem);
212 res = sysinfo_table[offset];
213 len = strlen(res)+1;
214 - if (len > count)
215 + if ((unsigned long)len > (unsigned long)count)
216 len = count;
217 if (copy_to_user(buf, res, len))
218 err = -EFAULT;
219 @@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
220 return 1;
221
222 case GSI_GET_HWRPB:
223 - if (nbytes < sizeof(*hwrpb))
224 + if (nbytes > sizeof(*hwrpb))
225 return -EINVAL;
226 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
227 return -EFAULT;
228 @@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
229 {
230 struct rusage r;
231 long ret, err;
232 + unsigned int status = 0;
233 mm_segment_t old_fs;
234
235 if (!ur)
236 @@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
237 old_fs = get_fs();
238
239 set_fs (KERNEL_DS);
240 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
241 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
242 + (struct rusage __user *) &r);
243 set_fs (old_fs);
244
245 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
246 return -EFAULT;
247
248 err = 0;
249 + err |= put_user(status, ustatus);
250 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
251 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
252 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
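Review bot: `err |= put_user(status, ustatus);` runs unconditionally, so a caller that passes a NULL `ustatus` together with a non-NULL `ur` now gets a fault recorded in `err`, where the old code handed `ustatus` straight to `sys_wait4()`. It also stores a status when `sys_wait4()` returned an error. Consider `if (ustatus) err |= put_user(status, ustatus);` and skipping the copy-out when `ret < 0`. How `err` and `ret` are combined is below the hunk, so confirm against the return path.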
253 @@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
254 /* At this point: (!vma || addr < vma->vm_end). */
255 if (limit - len < addr)
256 return -ENOMEM;
257 - if (!vma || addr + len <= vma->vm_start)
258 + if (check_heap_stack_gap(vma, addr, len))
259 return addr;
260 addr = vma->vm_end;
261 vma = vma->vm_next;
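Review bot: The explicit `!vma` test is removed from this condition while the next line still dereferences `vma->vm_end`, so the loop is only safe if `check_heap_stack_gap()` returns non-zero for a NULL `vma`. Its definition is not in this hunk; please confirm that contract and state it here, e.g. `/* check_heap_stack_gap() returns true for vma == NULL */`. The enclosing loop in `arch_get_unmapped_area_1()` starts and ends outside the hunk.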
262 @@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
263 merely specific addresses, but regions of memory -- perhaps
264 this feature should be incorporated into all ports? */
265
266 +#ifdef CONFIG_PAX_RANDMMAP
267 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
268 +#endif
269 +
270 if (addr) {
271 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
272 if (addr != (unsigned long) -ENOMEM)
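Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own; it silently governs the following `if (addr) {` across a blank line, which is easy to break when either statement is edited. A comment would make the coupling explicit, e.g. `/* PaX: with RANDMMAP the caller's address hint is skipped; this test guards the if (addr) block below */`. Dropping the blank line after `#endif` would also keep the two statements visually together.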
273 @@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
274 }
275
276 /* Next, try allocating at TASK_UNMAPPED_BASE. */
277 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
278 - len, limit);
279 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
280 +
281 if (addr != (unsigned long) -ENOMEM)
282 return addr;
283
284 diff -urNp linux-2.6.39.2/arch/alpha/kernel/pci_iommu.c linux-2.6.39.2/arch/alpha/kernel/pci_iommu.c
285 --- linux-2.6.39.2/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400
286 +++ linux-2.6.39.2/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400
287 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
288 return 0;
289 }
290
291 -struct dma_map_ops alpha_pci_ops = {
292 +const struct dma_map_ops alpha_pci_ops = {
293 .alloc_coherent = alpha_pci_alloc_coherent,
294 .free_coherent = alpha_pci_free_coherent,
295 .map_page = alpha_pci_map_page,
296 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
297 .set_dma_mask = alpha_pci_set_mask,
298 };
299
300 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
301 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
302 EXPORT_SYMBOL(dma_ops);
303 diff -urNp linux-2.6.39.2/arch/alpha/kernel/pci-noop.c linux-2.6.39.2/arch/alpha/kernel/pci-noop.c
304 --- linux-2.6.39.2/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400
305 +++ linux-2.6.39.2/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400
306 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
307 return 0;
308 }
309
310 -struct dma_map_ops alpha_noop_ops = {
311 +const struct dma_map_ops alpha_noop_ops = {
312 .alloc_coherent = alpha_noop_alloc_coherent,
313 .free_coherent = alpha_noop_free_coherent,
314 .map_page = alpha_noop_map_page,
315 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
316 .set_dma_mask = alpha_noop_set_mask,
317 };
318
319 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
320 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
321 EXPORT_SYMBOL(dma_ops);
322
323 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
324 diff -urNp linux-2.6.39.2/arch/alpha/kernel/proto.h linux-2.6.39.2/arch/alpha/kernel/proto.h
325 --- linux-2.6.39.2/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400
326 +++ linux-2.6.39.2/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400
327 @@ -17,14 +17,14 @@ struct pci_dev;
328 struct pci_controller;
329
330 /* core_apecs.c */
331 -extern struct pci_ops apecs_pci_ops;
332 +extern const struct pci_ops apecs_pci_ops;
333 extern void apecs_init_arch(void);
334 extern void apecs_pci_clr_err(void);
335 extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr);
336 extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
337
338 /* core_cia.c */
339 -extern struct pci_ops cia_pci_ops;
340 +extern const struct pci_ops cia_pci_ops;
341 extern void cia_init_pci(void);
342 extern void cia_init_arch(void);
343 extern void pyxis_init_arch(void);
344 @@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l
345 extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
346
347 /* core_irongate.c */
348 -extern struct pci_ops irongate_pci_ops;
349 +extern const struct pci_ops irongate_pci_ops;
350 extern int irongate_pci_clr_err(void);
351 extern void irongate_init_arch(void);
352 #define irongate_pci_tbi ((void *)0)
353
354 /* core_lca.c */
355 -extern struct pci_ops lca_pci_ops;
356 +extern const struct pci_ops lca_pci_ops;
357 extern void lca_init_arch(void);
358 extern void lca_machine_check(unsigned long vector, unsigned long la_ptr);
359 extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
360
361 /* core_marvel.c */
362 -extern struct pci_ops marvel_pci_ops;
363 +extern const struct pci_ops marvel_pci_ops;
364 extern void marvel_init_arch(void);
365 extern void marvel_kill_arch(int);
366 extern void marvel_machine_check(unsigned long, unsigned long);
367 @@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 *
368 void io7_clear_errors(struct io7 *io7);
369
370 /* core_mcpcia.c */
371 -extern struct pci_ops mcpcia_pci_ops;
372 +extern const struct pci_ops mcpcia_pci_ops;
373 extern void mcpcia_init_arch(void);
374 extern void mcpcia_init_hoses(void);
375 extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr);
376 extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
377
378 /* core_polaris.c */
379 -extern struct pci_ops polaris_pci_ops;
380 +extern const struct pci_ops polaris_pci_ops;
381 extern int polaris_read_config_dword(struct pci_dev *, int, u32 *);
382 extern int polaris_write_config_dword(struct pci_dev *, int, u32);
383 extern void polaris_init_arch(void);
384 @@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign
385 #define polaris_pci_tbi ((void *)0)
386
387 /* core_t2.c */
388 -extern struct pci_ops t2_pci_ops;
389 +extern const struct pci_ops t2_pci_ops;
390 extern void t2_init_arch(void);
391 extern void t2_kill_arch(int);
392 extern void t2_machine_check(unsigned long vector, unsigned long la_ptr);
393 extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
394
395 /* core_titan.c */
396 -extern struct pci_ops titan_pci_ops;
397 +extern const struct pci_ops titan_pci_ops;
398 extern void titan_init_arch(void);
399 extern void titan_kill_arch(int);
400 extern void titan_machine_check(unsigned long, unsigned long);
401 @@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con
402 extern struct _alpha_agp_info *titan_agp_info(void);
403
404 /* core_tsunami.c */
405 -extern struct pci_ops tsunami_pci_ops;
406 +extern const struct pci_ops tsunami_pci_ops;
407 extern void tsunami_init_arch(void);
408 extern void tsunami_kill_arch(int);
409 extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr);
410 extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
411
412 /* core_wildfire.c */
413 -extern struct pci_ops wildfire_pci_ops;
414 +extern const struct pci_ops wildfire_pci_ops;
415 extern void wildfire_init_arch(void);
416 extern void wildfire_kill_arch(int);
417 extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr);
418 diff -urNp linux-2.6.39.2/arch/alpha/mm/fault.c linux-2.6.39.2/arch/alpha/mm/fault.c
419 --- linux-2.6.39.2/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
420 +++ linux-2.6.39.2/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
421 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
422 __reload_thread(pcb);
423 }
424
425 +#ifdef CONFIG_PAX_PAGEEXEC
426 +/*
427 + * PaX: decide what to do with offenders (regs->pc = fault address)
428 + *
429 + * returns 1 when task should be killed
430 + * 2 when patched PLT trampoline was detected
431 + * 3 when unpatched PLT trampoline was detected
432 + */
433 +static int pax_handle_fetch_fault(struct pt_regs *regs)
434 +{
435 +
436 +#ifdef CONFIG_PAX_EMUPLT
437 + int err;
438 +
439 + do { /* PaX: patched PLT emulation #1 */
440 + unsigned int ldah, ldq, jmp;
441 +
442 + err = get_user(ldah, (unsigned int *)regs->pc);
443 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
444 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
445 +
446 + if (err)
447 + break;
448 +
449 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
450 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
451 + jmp == 0x6BFB0000U)
452 + {
453 + unsigned long r27, addr;
454 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
455 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
456 +
457 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
458 + err = get_user(r27, (unsigned long *)addr);
459 + if (err)
460 + break;
461 +
462 + regs->r27 = r27;
463 + regs->pc = r27;
464 + return 2;
465 + }
466 + } while (0);
467 +
468 + do { /* PaX: patched PLT emulation #2 */
469 + unsigned int ldah, lda, br;
470 +
471 + err = get_user(ldah, (unsigned int *)regs->pc);
472 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
473 + err |= get_user(br, (unsigned int *)(regs->pc+8));
474 +
475 + if (err)
476 + break;
477 +
478 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
479 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
480 + (br & 0xFFE00000U) == 0xC3E00000U)
481 + {
482 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
483 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
484 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
485 +
486 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
487 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
488 + return 2;
489 + }
490 + } while (0);
491 +
492 + do { /* PaX: unpatched PLT emulation */
493 + unsigned int br;
494 +
495 + err = get_user(br, (unsigned int *)regs->pc);
496 +
497 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
498 + unsigned int br2, ldq, nop, jmp;
499 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
500 +
501 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
502 + err = get_user(br2, (unsigned int *)addr);
503 + err |= get_user(ldq, (unsigned int *)(addr+4));
504 + err |= get_user(nop, (unsigned int *)(addr+8));
505 + err |= get_user(jmp, (unsigned int *)(addr+12));
506 + err |= get_user(resolver, (unsigned long *)(addr+16));
507 +
508 + if (err)
509 + break;
510 +
511 + if (br2 == 0xC3600000U &&
512 + ldq == 0xA77B000CU &&
513 + nop == 0x47FF041FU &&
514 + jmp == 0x6B7B0000U)
515 + {
516 + regs->r28 = regs->pc+4;
517 + regs->r27 = addr+16;
518 + regs->pc = resolver;
519 + return 3;
520 + }
521 + }
522 + } while (0);
523 +#endif
524 +
525 + return 1;
526 +}
527 +
528 +void pax_report_insns(void *pc, void *sp)
529 +{
530 + unsigned long i;
531 +
532 + printk(KERN_ERR "PAX: bytes at PC: ");
533 + for (i = 0; i < 5; i++) {
534 + unsigned int c;
535 + if (get_user(c, (unsigned int *)pc+i))
536 + printk(KERN_CONT "???????? ");
537 + else
538 + printk(KERN_CONT "%08x ", c);
539 + }
540 + printk("\n");
541 +}
542 +#endif
543
544 /*
545 * This routine handles page faults. It determines the address,
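Review bot: Every `get_user()` in `pax_handle_fetch_fault()` and `pax_report_insns()` casts `regs->pc`, `addr` or `pc` to a plain pointer type, dropping the `__user` annotation that sparse relies on to check user-pointer handling; write `(unsigned int __user *)regs->pc` and `(unsigned long __user *)addr` instead. The instruction masks such as `0x277B0000U` and `0x6BFB0000U` are compared without naming the encoding they stand for; a short comment per pattern (the local names `ldah`, `ldq`, `jmp` suggest the intended instructions) would let a reviewer check them against the ISA. `pax_report_insns()` never uses `sp`, and its final `printk("\n")` lacks the `KERN_CONT` that the other continuation lines carry.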
546 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
547 good_area:
548 si_code = SEGV_ACCERR;
549 if (cause < 0) {
550 - if (!(vma->vm_flags & VM_EXEC))
551 + if (!(vma->vm_flags & VM_EXEC)) {
552 +
553 +#ifdef CONFIG_PAX_PAGEEXEC
554 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
555 + goto bad_area;
556 +
557 + up_read(&mm->mmap_sem);
558 + switch (pax_handle_fetch_fault(regs)) {
559 +
560 +#ifdef CONFIG_PAX_EMUPLT
561 + case 2:
562 + case 3:
563 + return;
564 +#endif
565 +
566 + }
567 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
568 + do_group_exit(SIGKILL);
569 +#else
570 goto bad_area;
571 +#endif
572 +
573 + }
574 } else if (!cause) {
575 /* Allow reads even for write-only mappings */
576 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
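Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default` and, when `CONFIG_PAX_EMUPLT` is off, no cases at all, so the kill path for return value 1 is reached only by falling out of an empty switch. Add `default: break;` with a comment such as `/* 1: not a PLT trampoline, report and kill */` so that all three documented return values are visible here. `do_page_fault()` starts and ends outside the hunk.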
577 diff -urNp linux-2.6.39.2/arch/arm/common/it8152.c linux-2.6.39.2/arch/arm/common/it8152.c
578 --- linux-2.6.39.2/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400
579 +++ linux-2.6.39.2/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400
580 @@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc
581 return PCIBIOS_SUCCESSFUL;
582 }
583
584 -static struct pci_ops it8152_ops = {
585 +static const struct pci_ops it8152_ops = {
586 .read = it8152_pci_read_config,
587 .write = it8152_pci_write_config,
588 };
589 diff -urNp linux-2.6.39.2/arch/arm/common/via82c505.c linux-2.6.39.2/arch/arm/common/via82c505.c
590 --- linux-2.6.39.2/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400
591 +++ linux-2.6.39.2/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400
592 @@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b
593 return PCIBIOS_SUCCESSFUL;
594 }
595
596 -static struct pci_ops via82c505_ops = {
597 +static const struct pci_ops via82c505_ops = {
598 .read = via82c505_read_config,
599 .write = via82c505_write_config,
600 };
601 diff -urNp linux-2.6.39.2/arch/arm/include/asm/cacheflush.h linux-2.6.39.2/arch/arm/include/asm/cacheflush.h
602 --- linux-2.6.39.2/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
603 +++ linux-2.6.39.2/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
604 @@ -115,7 +115,7 @@ struct cpu_cache_fns {
605 */
606 #ifdef MULTI_CACHE
607
608 -extern struct cpu_cache_fns cpu_cache;
609 +extern const struct cpu_cache_fns cpu_cache;
610
611 #define __cpuc_flush_icache_all cpu_cache.flush_icache_all
612 #define __cpuc_flush_kern_all cpu_cache.flush_kern_all
613 diff -urNp linux-2.6.39.2/arch/arm/include/asm/elf.h linux-2.6.39.2/arch/arm/include/asm/elf.h
614 --- linux-2.6.39.2/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
615 +++ linux-2.6.39.2/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
616 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
617 the loader. We need to make sure that it is out of the way of the program
618 that it will "exec", and that there is sufficient room for the brk. */
619
620 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
621 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
622 +
623 +#ifdef CONFIG_PAX_ASLR
624 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
625 +
626 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
627 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
628 +#endif
629
630 /* When the program starts, a1 contains a pointer to a function to be
631 registered with atexit, as per the SVR4 ABI. A value of 0 means we
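Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT`, an exact match, so a 32-bit task whose personality word also carries a flag bit would get the 10-bit value rather than 16. If that is not intended, compare the masked value, `personality(current->personality) == PER_LINUX_32BIT`; if it is intended, a comment saying so would help. The reordering to `(TASK_SIZE / 3 * 2)` also deserves a one-line comment on why the multiplication was moved after the division.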
632 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
633 extern void elf_set_personality(const struct elf32_hdr *);
634 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
635
636 -struct mm_struct;
637 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
638 -#define arch_randomize_brk arch_randomize_brk
639 -
640 extern int vectors_user_mapping(void);
641 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
642 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
643 diff -urNp linux-2.6.39.2/arch/arm/include/asm/kmap_types.h linux-2.6.39.2/arch/arm/include/asm/kmap_types.h
644 --- linux-2.6.39.2/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
645 +++ linux-2.6.39.2/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
646 @@ -21,6 +21,7 @@ enum km_type {
647 KM_L1_CACHE,
648 KM_L2_CACHE,
649 KM_KDB,
650 + KM_CLEARPAGE,
651 KM_TYPE_NR
652 };
653
654 diff -urNp linux-2.6.39.2/arch/arm/include/asm/outercache.h linux-2.6.39.2/arch/arm/include/asm/outercache.h
655 --- linux-2.6.39.2/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400
656 +++ linux-2.6.39.2/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400
657 @@ -38,7 +38,7 @@ struct outer_cache_fns {
658
659 #ifdef CONFIG_OUTER_CACHE
660
661 -extern struct outer_cache_fns outer_cache;
662 +extern const struct outer_cache_fns outer_cache;
663
664 static inline void outer_inv_range(phys_addr_t start, phys_addr_t end)
665 {
666 diff -urNp linux-2.6.39.2/arch/arm/include/asm/page.h linux-2.6.39.2/arch/arm/include/asm/page.h
667 --- linux-2.6.39.2/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
668 +++ linux-2.6.39.2/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
669 @@ -126,7 +126,7 @@ struct cpu_user_fns {
670 };
671
672 #ifdef MULTI_USER
673 -extern struct cpu_user_fns cpu_user;
674 +extern const struct cpu_user_fns cpu_user;
675
676 #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage
677 #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage
678 diff -urNp linux-2.6.39.2/arch/arm/include/asm/uaccess.h linux-2.6.39.2/arch/arm/include/asm/uaccess.h
679 --- linux-2.6.39.2/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
680 +++ linux-2.6.39.2/arch/arm/include/asm/uaccess.h 2011-06-29 21:04:12.000000000 -0400
681 @@ -22,6 +22,8 @@
682 #define VERIFY_READ 0
683 #define VERIFY_WRITE 1
684
685 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
686 +
687 /*
688 * The exception table consists of pairs of addresses: the first is the
689 * address of an instruction that is allowed to fault, and the second is
690 @@ -387,8 +389,23 @@ do { \
691
692
693 #ifdef CONFIG_MMU
694 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
695 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
696 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
697 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
698 +
699 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
700 +{
701 + if (!__builtin_constant_p(n))
702 + check_object_size(to, n, false);
703 + return ___copy_from_user(to, from, n);
704 +}
705 +
706 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
707 +{
708 + if (!__builtin_constant_p(n))
709 + check_object_size(from, n, true);
710 + return ___copy_to_user(to, from, n);
711 +}
712 +
713 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
714 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
715 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
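Review bot: The new inline `__copy_from_user()` and `__copy_to_user()` call `check_object_size()` only when `n` is not a compile-time constant, and nothing in the hunk says why constant sizes are exempt or what the `bool to` argument means. Add a comment above the wrappers stating both, and noting that the real copy routines are now the triple-underscore `___copy_from_user`/`___copy_to_user`, which differ from the wrappers by a single character. `check_object_size()` is declared unconditionally earlier in this file, so its definition has to exist in every configuration that builds this header; that is not visible here.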
716 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
717
718 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
719 {
720 + if ((long)n < 0)
721 + return n;
722 +
723 if (access_ok(VERIFY_READ, from, n))
724 n = __copy_from_user(to, from, n);
725 else /* security hole - plug it */
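Review bot: The early `if ((long)n < 0) return n;` in `copy_from_user()` returns before the `access_ok()` failure branch marked `/* security hole - plug it */`, so for such sizes the destination buffer is left untouched and the caller must honour the non-zero return. That looks like the right trade-off for a length with the top bit set, but it should be stated: `/* a length with the sign bit set is a caller bug: copy nothing and report n bytes uncopied */`. The same check is added to `copy_to_user()` in the next hunk; both function bodies continue outside their hunks.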
726 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
727
728 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
729 {
730 + if ((long)n < 0)
731 + return n;
732 +
733 if (access_ok(VERIFY_WRITE, to, n))
734 n = __copy_to_user(to, from, n);
735 return n;
736 diff -urNp linux-2.6.39.2/arch/arm/kernel/kgdb.c linux-2.6.39.2/arch/arm/kernel/kgdb.c
737 --- linux-2.6.39.2/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
738 +++ linux-2.6.39.2/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
739 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
740 * and we handle the normal undef case within the do_undefinstr
741 * handler.
742 */
743 -struct kgdb_arch arch_kgdb_ops = {
744 +const struct kgdb_arch arch_kgdb_ops = {
745 #ifndef __ARMEB__
746 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
747 #else /* ! __ARMEB__ */
748 diff -urNp linux-2.6.39.2/arch/arm/kernel/process.c linux-2.6.39.2/arch/arm/kernel/process.c
749 --- linux-2.6.39.2/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
750 +++ linux-2.6.39.2/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
751 @@ -28,7 +28,6 @@
752 #include <linux/tick.h>
753 #include <linux/utsname.h>
754 #include <linux/uaccess.h>
755 -#include <linux/random.h>
756 #include <linux/hw_breakpoint.h>
757
758 #include <asm/cacheflush.h>
759 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
760 return 0;
761 }
762
763 -unsigned long arch_randomize_brk(struct mm_struct *mm)
764 -{
765 - unsigned long range_end = mm->brk + 0x02000000;
766 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
767 -}
768 -
769 #ifdef CONFIG_MMU
770 /*
771 * The vectors page is always readable from user space for the
772 diff -urNp linux-2.6.39.2/arch/arm/kernel/traps.c linux-2.6.39.2/arch/arm/kernel/traps.c
773 --- linux-2.6.39.2/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
774 +++ linux-2.6.39.2/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400
775 @@ -258,6 +258,8 @@ static int __die(const char *str, int er
776
777 static DEFINE_SPINLOCK(die_lock);
778
779 +extern void gr_handle_kernel_exploit(void);
780 +
781 /*
782 * This function is protected against re-entrancy.
783 */
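Review bot: The `extern void gr_handle_kernel_exploit(void);` prototype is declared directly in traps.c rather than taken from a header shared with the definition, so a later change to the function's signature would not be caught at compile time. Moving the declaration into a header that both this file and the defining file include lets the compiler check it. If it has to stay local, a comment such as `/* defined in <defining source file>; keep prototype in sync */` would at least point the reader to the definition.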
784 @@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs
785 panic("Fatal exception in interrupt");
786 if (panic_on_oops)
787 panic("Fatal exception");
788 +
789 + gr_handle_kernel_exploit();
790 +
791 if (ret != NOTIFY_STOP)
792 do_exit(SIGSEGV);
793 }
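Review bot: `gr_handle_kernel_exploit()` is called before the `if (ret != NOTIFY_STOP)` test, so it also runs when a die notifier has claimed the event and the task will not be killed. What the handler does is not visible here, but if it acts against the current user or process, calling it only on the path that reaches `do_exit(SIGSEGV)` would avoid reacting to oopses that a debugger or another notifier has already handled: `if (ret != NOTIFY_STOP) { gr_handle_kernel_exploit(); do_exit(SIGSEGV); }`. A one-line comment stating whether `die_lock` is still held at this point would also help, since the start of die() is outside the hunk.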
794 diff -urNp linux-2.6.39.2/arch/arm/lib/copy_from_user.S linux-2.6.39.2/arch/arm/lib/copy_from_user.S
795 --- linux-2.6.39.2/arch/arm/lib/copy_from_user.S 2011-05-19 00:06:34.000000000 -0400
796 +++ linux-2.6.39.2/arch/arm/lib/copy_from_user.S 2011-06-29 20:58:18.000000000 -0400
797 @@ -16,7 +16,7 @@
798 /*
799 * Prototype:
800 *
801 - * size_t __copy_from_user(void *to, const void *from, size_t n)
802 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
803 *
804 * Purpose:
805 *
806 @@ -84,11 +84,11 @@
807
808 .text
809
810 -ENTRY(__copy_from_user)
811 +ENTRY(___copy_from_user)
812
813 #include "copy_template.S"
814
815 -ENDPROC(__copy_from_user)
816 +ENDPROC(___copy_from_user)
817
818 .pushsection .fixup,"ax"
819 .align 0
820 diff -urNp linux-2.6.39.2/arch/arm/lib/copy_to_user.S linux-2.6.39.2/arch/arm/lib/copy_to_user.S
821 --- linux-2.6.39.2/arch/arm/lib/copy_to_user.S 2011-05-19 00:06:34.000000000 -0400
822 +++ linux-2.6.39.2/arch/arm/lib/copy_to_user.S 2011-06-29 20:59:20.000000000 -0400
823 @@ -16,7 +16,7 @@
824 /*
825 * Prototype:
826 *
827 - * size_t __copy_to_user(void *to, const void *from, size_t n)
828 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
829 *
830 * Purpose:
831 *
832 @@ -88,11 +88,11 @@
833 .text
834
835 ENTRY(__copy_to_user_std)
836 -WEAK(__copy_to_user)
837 +WEAK(___copy_to_user)
838
839 #include "copy_template.S"
840
841 -ENDPROC(__copy_to_user)
842 +ENDPROC(___copy_to_user)
843 ENDPROC(__copy_to_user_std)
844
845 .pushsection .fixup,"ax"
846 diff -urNp linux-2.6.39.2/arch/arm/lib/uaccess.S linux-2.6.39.2/arch/arm/lib/uaccess.S
847 --- linux-2.6.39.2/arch/arm/lib/uaccess.S 2011-05-19 00:06:34.000000000 -0400
848 +++ linux-2.6.39.2/arch/arm/lib/uaccess.S 2011-06-29 20:59:01.000000000 -0400
849 @@ -20,7 +20,7 @@
850
851 #define PAGE_SHIFT 12
852
853 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
854 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
855 * Purpose : copy a block to user memory from kernel memory
856 * Params : to - user memory
857 * : from - kernel memory
858 @@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
859 sub r2, r2, ip
860 b .Lc2u_dest_aligned
861
862 -ENTRY(__copy_to_user)
863 +ENTRY(___copy_to_user)
864 stmfd sp!, {r2, r4 - r7, lr}
865 cmp r2, #4
866 blt .Lc2u_not_enough
867 @@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
868 ldrgtb r3, [r1], #0
869 USER( T(strgtb) r3, [r0], #1) @ May fault
870 b .Lc2u_finished
871 -ENDPROC(__copy_to_user)
872 +ENDPROC(___copy_to_user)
873
874 .pushsection .fixup,"ax"
875 .align 0
876 9001: ldmfd sp!, {r0, r4 - r7, pc}
877 .popsection
878
879 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
880 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
881 * Purpose : copy a block from user memory to kernel memory
882 * Params : to - kernel memory
883 * : from - user memory
884 @@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
885 sub r2, r2, ip
886 b .Lcfu_dest_aligned
887
888 -ENTRY(__copy_from_user)
889 +ENTRY(___copy_from_user)
890 stmfd sp!, {r0, r2, r4 - r7, lr}
891 cmp r2, #4
892 blt .Lcfu_not_enough
893 @@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
894 USER( T(ldrgtb) r3, [r1], #1) @ May fault
895 strgtb r3, [r0], #1
896 b .Lcfu_finished
897 -ENDPROC(__copy_from_user)
898 +ENDPROC(___copy_from_user)
899
900 .pushsection .fixup,"ax"
901 .align 0
902 diff -urNp linux-2.6.39.2/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.39.2/arch/arm/lib/uaccess_with_memcpy.c
903 --- linux-2.6.39.2/arch/arm/lib/uaccess_with_memcpy.c 2011-05-19 00:06:34.000000000 -0400
904 +++ linux-2.6.39.2/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:59:55.000000000 -0400
905 @@ -103,7 +103,7 @@ out:
906 }
907
908 unsigned long
909 -__copy_to_user(void __user *to, const void *from, unsigned long n)
910 +___copy_to_user(void __user *to, const void *from, unsigned long n)
911 {
912 /*
913 * This test is stubbed out of the main function above to keep
914 diff -urNp linux-2.6.39.2/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.2/arch/arm/mach-cns3xxx/pcie.c
915 --- linux-2.6.39.2/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
916 +++ linux-2.6.39.2/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
917 @@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str
918 return 1;
919 }
920
921 -static struct pci_ops cns3xxx_pcie_ops = {
922 +static const struct pci_ops cns3xxx_pcie_ops = {
923 .read = cns3xxx_pci_read_config,
924 .write = cns3xxx_pci_write_config,
925 };
926 diff -urNp linux-2.6.39.2/arch/arm/mach-dove/pcie.c linux-2.6.39.2/arch/arm/mach-dove/pcie.c
927 --- linux-2.6.39.2/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400
928 +++ linux-2.6.39.2/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400
929 @@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus *
930 return ret;
931 }
932
933 -static struct pci_ops pcie_ops = {
934 +static const struct pci_ops pcie_ops = {
935 .read = pcie_rd_conf,
936 .write = pcie_wr_conf,
937 };
938 diff -urNp linux-2.6.39.2/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.2/arch/arm/mach-footbridge/dc21285.c
939 --- linux-2.6.39.2/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400
940 +++ linux-2.6.39.2/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400
941 @@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus
942 return PCIBIOS_SUCCESSFUL;
943 }
944
945 -static struct pci_ops dc21285_ops = {
946 +static const struct pci_ops dc21285_ops = {
947 .read = dc21285_read_config,
948 .write = dc21285_write_config,
949 };
950 diff -urNp linux-2.6.39.2/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.2/arch/arm/mach-integrator/pci_v3.c
951 --- linux-2.6.39.2/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400
952 +++ linux-2.6.39.2/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400
953 @@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu
954 return PCIBIOS_SUCCESSFUL;
955 }
956
957 -static struct pci_ops pci_v3_ops = {
958 +static const struct pci_ops pci_v3_ops = {
959 .read = v3_read_config,
960 .write = v3_write_config,
961 };
962 diff -urNp linux-2.6.39.2/arch/arm/mach-iop13xx/pci.c linux-2.6.39.2/arch/arm/mach-iop13xx/pci.c
963 --- linux-2.6.39.2/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400
964 +++ linux-2.6.39.2/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400
965 @@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus
966 return PCIBIOS_SUCCESSFUL;
967 }
968
969 -static struct pci_ops iop13xx_atux_ops = {
970 +static const struct pci_ops iop13xx_atux_ops = {
971 .read = iop13xx_atux_read_config,
972 .write = iop13xx_atux_write_config,
973 };
974 @@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus
975 return PCIBIOS_SUCCESSFUL;
976 }
977
978 -static struct pci_ops iop13xx_atue_ops = {
979 +static const struct pci_ops iop13xx_atue_ops = {
980 .read = iop13xx_atue_read_config,
981 .write = iop13xx_atue_write_config,
982 };
983 diff -urNp linux-2.6.39.2/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.2/arch/arm/mach-ixp2000/enp2611.c
984 --- linux-2.6.39.2/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400
985 +++ linux-2.6.39.2/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400
986 @@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru
987 return PCIBIOS_DEVICE_NOT_FOUND;
988 }
989
990 -static struct pci_ops enp2611_pci_ops = {
991 +static const struct pci_ops enp2611_pci_ops = {
992 .read = enp2611_pci_read_config,
993 .write = enp2611_pci_write_config
994 };
995 diff -urNp linux-2.6.39.2/arch/arm/mach-ixp2000/pci.c linux-2.6.39.2/arch/arm/mach-ixp2000/pci.c
996 --- linux-2.6.39.2/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400
997 +++ linux-2.6.39.2/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400
998 @@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_
999 }
1000
1001
1002 -static struct pci_ops ixp2000_pci_ops = {
1003 +static const struct pci_ops ixp2000_pci_ops = {
1004 .read = ixp2000_pci_read_config,
1005 .write = ixp2000_pci_write_config
1006 };
1007 diff -urNp linux-2.6.39.2/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.2/arch/arm/mach-ixp23xx/pci.c
1008 --- linux-2.6.39.2/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400
1009 +++ linux-2.6.39.2/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400
1010 @@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru
1011 return PCIBIOS_SUCCESSFUL;
1012 }
1013
1014 -struct pci_ops ixp23xx_pci_ops = {
1015 +const struct pci_ops ixp23xx_pci_ops = {
1016 .read = ixp23xx_pci_read_config,
1017 .write = ixp23xx_pci_write_config,
1018 };
1019 diff -urNp linux-2.6.39.2/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.2/arch/arm/mach-ixp4xx/common-pci.c
1020 --- linux-2.6.39.2/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400
1021 +++ linux-2.6.39.2/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400
1022 @@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc
1023 return PCIBIOS_SUCCESSFUL;
1024 }
1025
1026 -struct pci_ops ixp4xx_ops = {
1027 +const struct pci_ops ixp4xx_ops = {
1028 .read = ixp4xx_pci_read_config,
1029 .write = ixp4xx_pci_write_config,
1030 };
1031 diff -urNp linux-2.6.39.2/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.2/arch/arm/mach-kirkwood/pcie.c
1032 --- linux-2.6.39.2/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400
1033 +++ linux-2.6.39.2/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400
1034 @@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus *
1035 return ret;
1036 }
1037
1038 -static struct pci_ops pcie_ops = {
1039 +static const struct pci_ops pcie_ops = {
1040 .read = pcie_rd_conf,
1041 .write = pcie_wr_conf,
1042 };
1043 diff -urNp linux-2.6.39.2/arch/arm/mach-ks8695/pci.c linux-2.6.39.2/arch/arm/mach-ks8695/pci.c
1044 --- linux-2.6.39.2/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400
1045 +++ linux-2.6.39.2/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400
1046 @@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int
1047 __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD);
1048 }
1049
1050 -static struct pci_ops ks8695_pci_ops = {
1051 +static const struct pci_ops ks8695_pci_ops = {
1052 .read = ks8695_pci_readconfig,
1053 .write = ks8695_pci_writeconfig,
1054 };
1055 diff -urNp linux-2.6.39.2/arch/arm/mach-mmp/clock.c linux-2.6.39.2/arch/arm/mach-mmp/clock.c
1056 --- linux-2.6.39.2/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400
1057 +++ linux-2.6.39.2/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400
1058 @@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk
1059 __raw_writel(0, clk->clk_rst);
1060 }
1061
1062 -struct clkops apbc_clk_ops = {
1063 +const struct clkops apbc_clk_ops = {
1064 .enable = apbc_clk_enable,
1065 .disable = apbc_clk_disable,
1066 };
1067 @@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk
1068 __raw_writel(0, clk->clk_rst);
1069 }
1070
1071 -struct clkops apmu_clk_ops = {
1072 +const struct clkops apmu_clk_ops = {
1073 .enable = apmu_clk_enable,
1074 .disable = apmu_clk_disable,
1075 };
1076 diff -urNp linux-2.6.39.2/arch/arm/mach-msm/iommu.c linux-2.6.39.2/arch/arm/mach-msm/iommu.c
1077 --- linux-2.6.39.2/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400
1078 +++ linux-2.6.39.2/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400
1079 @@ -669,7 +669,7 @@ fail:
1080 return 0;
1081 }
1082
1083 -static struct iommu_ops msm_iommu_ops = {
1084 +static const struct iommu_ops msm_iommu_ops = {
1085 .domain_init = msm_iommu_domain_init,
1086 .domain_destroy = msm_iommu_domain_destroy,
1087 .attach_dev = msm_iommu_attach_dev,
1088 diff -urNp linux-2.6.39.2/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.2/arch/arm/mach-msm/last_radio_log.c
1089 --- linux-2.6.39.2/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400
1090 +++ linux-2.6.39.2/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400
1091 @@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc
1092 }
1093
1094 static struct file_operations last_radio_log_fops = {
1095 + /* cannot be const, see msm_init_last_radio_log */
1096 .read = last_radio_log_read,
1097 .llseek = default_llseek,
1098 };
1099 diff -urNp linux-2.6.39.2/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.2/arch/arm/mach-mv78xx0/pcie.c
1100 --- linux-2.6.39.2/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400
1101 +++ linux-2.6.39.2/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400
1102 @@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus *
1103 return ret;
1104 }
1105
1106 -static struct pci_ops pcie_ops = {
1107 +static const struct pci_ops pcie_ops = {
1108 .read = pcie_rd_conf,
1109 .write = pcie_wr_conf,
1110 };
1111 diff -urNp linux-2.6.39.2/arch/arm/mach-orion5x/pci.c linux-2.6.39.2/arch/arm/mach-orion5x/pci.c
1112 --- linux-2.6.39.2/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400
1113 +++ linux-2.6.39.2/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400
1114 @@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus *
1115 return ret;
1116 }
1117
1118 -static struct pci_ops pcie_ops = {
1119 +static const struct pci_ops pcie_ops = {
1120 .read = pcie_rd_conf,
1121 .write = pcie_wr_conf,
1122 };
1123 @@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc
1124 PCI_FUNC(devfn), where, size, val);
1125 }
1126
1127 -static struct pci_ops pci_ops = {
1128 +static const struct pci_ops pci_ops = {
1129 .read = orion5x_pci_rd_conf,
1130 .write = orion5x_pci_wr_conf,
1131 };
1132 diff -urNp linux-2.6.39.2/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.2/arch/arm/mach-sa1100/pci-nanoengine.c
1133 --- linux-2.6.39.2/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400
1134 +++ linux-2.6.39.2/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400
1135 @@ -117,7 +117,7 @@ static int nanoengine_write_config(struc
1136 return PCIBIOS_SUCCESSFUL;
1137 }
1138
1139 -static struct pci_ops pci_nano_ops = {
1140 +static const struct pci_ops pci_nano_ops = {
1141 .read = nanoengine_read_config,
1142 .write = nanoengine_write_config,
1143 };
1144 diff -urNp linux-2.6.39.2/arch/arm/mach-tegra/pcie.c linux-2.6.39.2/arch/arm/mach-tegra/pcie.c
1145 --- linux-2.6.39.2/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400
1146 +++ linux-2.6.39.2/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400
1147 @@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct
1148 return PCIBIOS_SUCCESSFUL;
1149 }
1150
1151 -static struct pci_ops tegra_pcie_ops = {
1152 +static const struct pci_ops tegra_pcie_ops = {
1153 .read = tegra_pcie_read_conf,
1154 .write = tegra_pcie_write_conf,
1155 };
1156 diff -urNp linux-2.6.39.2/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.2/arch/arm/mach-ux500/mbox-db5500.c
1157 --- linux-2.6.39.2/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400
1158 +++ linux-2.6.39.2/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400
1159 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
1160 return sprintf(buf, "0x%X\n", mbox_value);
1161 }
1162
1163 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1164 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1165
1166 static int mbox_show(struct seq_file *s, void *data)
1167 {
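Review bot: Only the write bit is narrowed on this line; `fifo` stays world-readable through `S_IRUGO`. The visible tail of mbox_read_fifo only formats `mbox_value`, but the start of that function is outside the hunk, so if the read path touches the hardware FIFO it may be worth restricting too, e.g. `S_IWUSR | S_IRUSR`. A short comment above the DEVICE_ATTR line recording why group/other write was dropped would help keep the mode from being widened again later.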
1168 diff -urNp linux-2.6.39.2/arch/arm/mach-versatile/pci.c linux-2.6.39.2/arch/arm/mach-versatile/pci.c
1169 --- linux-2.6.39.2/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400
1170 +++ linux-2.6.39.2/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400
1171 @@ -165,7 +165,7 @@ static int versatile_write_config(struct
1172 return PCIBIOS_SUCCESSFUL;
1173 }
1174
1175 -static struct pci_ops pci_versatile_ops = {
1176 +static const struct pci_ops pci_versatile_ops = {
1177 .read = versatile_read_config,
1178 .write = versatile_write_config,
1179 };
1180 diff -urNp linux-2.6.39.2/arch/arm/mm/fault.c linux-2.6.39.2/arch/arm/mm/fault.c
1181 --- linux-2.6.39.2/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1182 +++ linux-2.6.39.2/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1183 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
1184 }
1185 #endif
1186
1187 +#ifdef CONFIG_PAX_PAGEEXEC
1188 + if (fsr & FSR_LNX_PF) {
1189 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1190 + do_group_exit(SIGKILL);
1191 + }
1192 +#endif
1193 +
1194 tsk->thread.address = addr;
1195 tsk->thread.error_code = fsr;
1196 tsk->thread.trap_no = 14;
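Review bot: The `if (fsr & FSR_LNX_PF)` branch kills the thread group on every prefetch fault that reaches __do_user_fault, without testing the per-task flag; the avr32 fault handler later in this patch wraps the same report in `if (mm->pax_flags & MF_PAX_PAGEEXEC)`. If tasks can run with PAGEEXEC disabled on ARM, the condition should probably be `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC))`, otherwise those tasks lose normal SIGSEGV delivery for instruction-fetch faults. Whether `tsk->mm` is the right handle here is an assumption, because the start of the function is outside the hunk.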
1197 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
1198 }
1199 #endif /* CONFIG_MMU */
1200
1201 +#ifdef CONFIG_PAX_PAGEEXEC
1202 +void pax_report_insns(void *pc, void *sp)
1203 +{
1204 + long i;
1205 +
1206 + printk(KERN_ERR "PAX: bytes at PC: ");
1207 + for (i = 0; i < 20; i++) {
1208 + unsigned char c;
1209 + if (get_user(c, (__force unsigned char __user *)pc+i))
1210 + printk(KERN_CONT "?? ");
1211 + else
1212 + printk(KERN_CONT "%02x ", c);
1213 + }
1214 + printk("\n");
1215 +
1216 + printk(KERN_ERR "PAX: bytes at SP-4: ");
1217 + for (i = -1; i < 20; i++) {
1218 + unsigned long c;
1219 + if (get_user(c, (__force unsigned long __user *)sp+i))
1220 + printk(KERN_CONT "???????? ");
1221 + else
1222 + printk(KERN_CONT "%08lx ", c);
1223 + }
1224 + printk("\n");
1225 +}
1226 +#endif
1227 +
1228 /*
1229 * First Level Translation Fault Handler
1230 *
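Review bot: pax_report_insns has no header comment, and its `void *pc, void *sp` parameters hide the fact that both are user-space addresses (they are only ever read through get_user() after a `__force ... __user` cast). I would add `/* Dump 20 bytes at the faulting user PC and 21 words starting one word below the user SP; unreadable locations print as '?' */` and give the repeated `20` a name. The two terminating `printk("\n")` calls also lack the `KERN_CONT` used on the rest of each line; `printk(KERN_CONT "\n");` would be consistent.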
1231 diff -urNp linux-2.6.39.2/arch/arm/mm/mmap.c linux-2.6.39.2/arch/arm/mm/mmap.c
1232 --- linux-2.6.39.2/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
1233 +++ linux-2.6.39.2/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
1234 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
1235 if (len > TASK_SIZE)
1236 return -ENOMEM;
1237
1238 +#ifdef CONFIG_PAX_RANDMMAP
1239 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1240 +#endif
1241 +
1242 if (addr) {
1243 if (do_align)
1244 addr = COLOUR_ALIGN(addr, pgoff);
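Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block adds an `if` with no body of its own, which silently attaches to the `if (addr) {` statement after the added blank line. It compiles as intended, but anyone inserting a statement between `#endif` and `if (addr)` would change what the RANDMMAP test guards without noticing. A comment on the conditional, e.g. `/* with RANDMMAP the caller's address hint is ignored: this guards the if (addr) block below */`, together with dropping the blank line, would make the coupling visible. The guarded block continues into the next hunk.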
1245 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
1246 addr = PAGE_ALIGN(addr);
1247
1248 vma = find_vma(mm, addr);
1249 - if (TASK_SIZE - len >= addr &&
1250 - (!vma || addr + len <= vma->vm_start))
1251 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1252 return addr;
1253 }
1254 if (len > mm->cached_hole_size) {
1255 - start_addr = addr = mm->free_area_cache;
1256 + start_addr = addr = mm->free_area_cache;
1257 } else {
1258 - start_addr = addr = TASK_UNMAPPED_BASE;
1259 - mm->cached_hole_size = 0;
1260 + start_addr = addr = mm->mmap_base;
1261 + mm->cached_hole_size = 0;
1262 }
1263 /* 8 bits of randomness in 20 address space bits */
1264 if ((current->flags & PF_RANDOMIZE) &&
1265 @@ -100,14 +103,14 @@ full_search:
1266 * Start a new search - just in case we missed
1267 * some holes.
1268 */
1269 - if (start_addr != TASK_UNMAPPED_BASE) {
1270 - start_addr = addr = TASK_UNMAPPED_BASE;
1271 + if (start_addr != mm->mmap_base) {
1272 + start_addr = addr = mm->mmap_base;
1273 mm->cached_hole_size = 0;
1274 goto full_search;
1275 }
1276 return -ENOMEM;
1277 }
1278 - if (!vma || addr + len <= vma->vm_start) {
1279 + if (check_heap_stack_gap(vma, addr, len)) {
1280 /*
1281 * Remember the place where we stopped the search:
1282 */
1283 diff -urNp linux-2.6.39.2/arch/arm/plat-iop/pci.c linux-2.6.39.2/arch/arm/plat-iop/pci.c
1284 --- linux-2.6.39.2/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400
1285 +++ linux-2.6.39.2/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400
1286 @@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus,
1287 return PCIBIOS_SUCCESSFUL;
1288 }
1289
1290 -static struct pci_ops iop3xx_ops = {
1291 +static const struct pci_ops iop3xx_ops = {
1292 .read = iop3xx_read_config,
1293 .write = iop3xx_write_config,
1294 };
1295 diff -urNp linux-2.6.39.2/arch/avr32/include/asm/elf.h linux-2.6.39.2/arch/avr32/include/asm/elf.h
1296 --- linux-2.6.39.2/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1297 +++ linux-2.6.39.2/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1298 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
1299 the loader. We need to make sure that it is out of the way of the program
1300 that it will "exec", and that there is sufficient room for the brk. */
1301
1302 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1303 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1304
1305 +#ifdef CONFIG_PAX_ASLR
1306 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1307 +
1308 +#define PAX_DELTA_MMAP_LEN 15
1309 +#define PAX_DELTA_STACK_LEN 15
1310 +#endif
1311
1312 /* This yields a mask that user programs can use to figure out what
1313 instruction set this CPU supports. This could be done in user space,
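Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` is unexplained. It presumably keeps the intermediate `2 * TASK_SIZE` from wrapping, but the value of TASK_SIZE is not visible here. A comment such as `/* divide before multiplying so the intermediate cannot overflow */` would record the reason. The new `PAX_ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values are bare numbers as well; a line stating their unit (presumably a count of randomised address bits for the two LEN macros, to be confirmed) would help whoever tunes them.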
1314 diff -urNp linux-2.6.39.2/arch/avr32/include/asm/kmap_types.h linux-2.6.39.2/arch/avr32/include/asm/kmap_types.h
1315 --- linux-2.6.39.2/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1316 +++ linux-2.6.39.2/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1317 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1318 D(11) KM_IRQ1,
1319 D(12) KM_SOFTIRQ0,
1320 D(13) KM_SOFTIRQ1,
1321 -D(14) KM_TYPE_NR
1322 +D(14) KM_CLEARPAGE,
1323 +D(15) KM_TYPE_NR
1324 };
1325
1326 #undef D
1327 diff -urNp linux-2.6.39.2/arch/avr32/mm/fault.c linux-2.6.39.2/arch/avr32/mm/fault.c
1328 --- linux-2.6.39.2/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1329 +++ linux-2.6.39.2/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1330 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1331
1332 int exception_trace = 1;
1333
1334 +#ifdef CONFIG_PAX_PAGEEXEC
1335 +void pax_report_insns(void *pc, void *sp)
1336 +{
1337 + unsigned long i;
1338 +
1339 + printk(KERN_ERR "PAX: bytes at PC: ");
1340 + for (i = 0; i < 20; i++) {
1341 + unsigned char c;
1342 + if (get_user(c, (unsigned char *)pc+i))
1343 + printk(KERN_CONT "???????? ");
1344 + else
1345 + printk(KERN_CONT "%02x ", c);
1346 + }
1347 + printk("\n");
1348 +}
1349 +#endif
1350 +
1351 /*
1352 * This routine handles page faults. It determines the address and the
1353 * problem, and then passes it off to one of the appropriate routines.
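Review bot: The failure branch prints `"???????? "` (eight characters) for a single unreadable byte, while the success branch prints two hex digits with `"%02x "`; the ARM version of this function in the same patch uses `"?? "`. Changing it to `printk(KERN_CONT "?? ");` keeps the dump aligned and the two architectures consistent. The get_user() argument also lacks the `(__force unsigned char __user *)` cast that the ARM version applies. Finally, `sp` is accepted but never read here, which a short comment on the function should state.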
1354 @@ -156,6 +173,16 @@ bad_area:
1355 up_read(&mm->mmap_sem);
1356
1357 if (user_mode(regs)) {
1358 +
1359 +#ifdef CONFIG_PAX_PAGEEXEC
1360 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1361 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1362 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1363 + do_group_exit(SIGKILL);
1364 + }
1365 + }
1366 +#endif
1367 +
1368 if (exception_trace && printk_ratelimit())
1369 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1370 "sp %08lx ecr %lu\n",
1371 diff -urNp linux-2.6.39.2/arch/blackfin/kernel/kgdb.c linux-2.6.39.2/arch/blackfin/kernel/kgdb.c
1372 --- linux-2.6.39.2/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1373 +++ linux-2.6.39.2/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1374 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
1375 return -1; /* this means that we do not want to exit from the handler */
1376 }
1377
1378 -struct kgdb_arch arch_kgdb_ops = {
1379 +const struct kgdb_arch arch_kgdb_ops = {
1380 .gdb_bpt_instr = {0xa1},
1381 .flags = KGDB_HW_BREAKPOINT,
1382 .set_hw_breakpoint = bfin_set_hw_break,
1383 diff -urNp linux-2.6.39.2/arch/blackfin/mm/maccess.c linux-2.6.39.2/arch/blackfin/mm/maccess.c
1384 --- linux-2.6.39.2/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
1385 +++ linux-2.6.39.2/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
1386 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
1387 return bfin_mem_access_type(addr, size);
1388 }
1389
1390 -long probe_kernel_read(void *dst, void *src, size_t size)
1391 +long probe_kernel_read(void *dst, const void *src, size_t size)
1392 {
1393 unsigned long lsrc = (unsigned long)src;
1394 int mem_type;
1395 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
1396 return -EFAULT;
1397 }
1398
1399 -long probe_kernel_write(void *dst, void *src, size_t size)
1400 +long probe_kernel_write(void *dst, const void *src, size_t size)
1401 {
1402 unsigned long ldst = (unsigned long)dst;
1403 int mem_type;
1404 diff -urNp linux-2.6.39.2/arch/frv/include/asm/kmap_types.h linux-2.6.39.2/arch/frv/include/asm/kmap_types.h
1405 --- linux-2.6.39.2/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1406 +++ linux-2.6.39.2/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1407 @@ -23,6 +23,7 @@ enum km_type {
1408 KM_IRQ1,
1409 KM_SOFTIRQ0,
1410 KM_SOFTIRQ1,
1411 + KM_CLEARPAGE,
1412 KM_TYPE_NR
1413 };
1414
1415 diff -urNp linux-2.6.39.2/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.2/arch/frv/mb93090-mb00/pci-frv.h
1416 --- linux-2.6.39.2/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400
1417 +++ linux-2.6.39.2/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400
1418 @@ -34,7 +34,7 @@ void pcibios_resource_survey(void);
1419
1420 extern int __nongpreldata pcibios_last_bus;
1421 extern struct pci_bus *__nongpreldata pci_root_bus;
1422 -extern struct pci_ops *__nongpreldata pci_root_ops;
1423 +extern const struct pci_ops *__nongpreldata pci_root_ops;
1424
1425 /* pci-irq.c */
1426 extern unsigned int pcibios_irq_mask;
1427 diff -urNp linux-2.6.39.2/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.2/arch/frv/mb93090-mb00/pci-vdk.c
1428 --- linux-2.6.39.2/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400
1429 +++ linux-2.6.39.2/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400
1430 @@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe =
1431
1432 int __nongpreldata pcibios_last_bus = -1;
1433 struct pci_bus *__nongpreldata pci_root_bus;
1434 -struct pci_ops *__nongpreldata pci_root_ops;
1435 +const struct pci_ops *__nongpreldata pci_root_ops;
1436
1437 /*
1438 * The accessible PCI window does not cover the entire CPU address space, but
1439 @@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p
1440 return PCIBIOS_SUCCESSFUL;
1441 }
1442
1443 -static struct pci_ops pci_direct_frv = {
1444 +static const struct pci_ops pci_direct_frv = {
1445 pci_frv_read_config,
1446 pci_frv_write_config,
1447 };
1448 @@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci
1449
1450 int __init pcibios_init(void)
1451 {
1452 - struct pci_ops *dir = NULL;
1453 + const struct pci_ops *dir = NULL;
1454
1455 if (!mb93090_mb00_detected)
1456 return -ENXIO;
1457 diff -urNp linux-2.6.39.2/arch/frv/mm/elf-fdpic.c linux-2.6.39.2/arch/frv/mm/elf-fdpic.c
1458 --- linux-2.6.39.2/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400
1459 +++ linux-2.6.39.2/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400
1460 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1461 if (addr) {
1462 addr = PAGE_ALIGN(addr);
1463 vma = find_vma(current->mm, addr);
1464 - if (TASK_SIZE - len >= addr &&
1465 - (!vma || addr + len <= vma->vm_start))
1466 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1467 goto success;
1468 }
1469
1470 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1471 for (; vma; vma = vma->vm_next) {
1472 if (addr > limit)
1473 break;
1474 - if (addr + len <= vma->vm_start)
1475 + if (check_heap_stack_gap(vma, addr, len))
1476 goto success;
1477 addr = vma->vm_end;
1478 }
1479 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1480 for (; vma; vma = vma->vm_next) {
1481 if (addr > limit)
1482 break;
1483 - if (addr + len <= vma->vm_start)
1484 + if (check_heap_stack_gap(vma, addr, len))
1485 goto success;
1486 addr = vma->vm_end;
1487 }
1488 diff -urNp linux-2.6.39.2/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.2/arch/ia64/hp/common/hwsw_iommu.c
1489 --- linux-2.6.39.2/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400
1490 +++ linux-2.6.39.2/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400
1491 @@ -17,7 +17,7 @@
1492 #include <linux/swiotlb.h>
1493 #include <asm/machvec.h>
1494
1495 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1496 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1497
1498 /* swiotlb declarations & definitions: */
1499 extern int swiotlb_late_init_with_default_size (size_t size);
1500 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1501 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1502 }
1503
1504 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1505 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1506 {
1507 if (use_swiotlb(dev))
1508 return &swiotlb_dma_ops;
1509 diff -urNp linux-2.6.39.2/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.2/arch/ia64/hp/common/sba_iommu.c
1510 --- linux-2.6.39.2/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400
1511 +++ linux-2.6.39.2/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400
1512 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1513 },
1514 };
1515
1516 -extern struct dma_map_ops swiotlb_dma_ops;
1517 +extern const struct dma_map_ops swiotlb_dma_ops;
1518
1519 static int __init
1520 sba_init(void)
1521 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1522
1523 __setup("sbapagesize=",sba_page_override);
1524
1525 -struct dma_map_ops sba_dma_ops = {
1526 +const struct dma_map_ops sba_dma_ops = {
1527 .alloc_coherent = sba_alloc_coherent,
1528 .free_coherent = sba_free_coherent,
1529 .map_page = sba_map_page,
1530 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.2/arch/ia64/include/asm/dma-mapping.h
1531 --- linux-2.6.39.2/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1532 +++ linux-2.6.39.2/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1533 @@ -14,7 +14,7 @@
1534
1535 #define DMA_ERROR_CODE 0
1536
1537 -extern struct dma_map_ops *dma_ops;
1538 +extern const struct dma_map_ops *dma_ops;
1539 extern struct ia64_machine_vector ia64_mv;
1540 extern void set_iommu_machvec(void);
1541
1542 @@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d
1543 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1544 dma_addr_t *daddr, gfp_t gfp)
1545 {
1546 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1547 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1548 void *caddr;
1549
1550 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1551 @@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s
1552 static inline void dma_free_coherent(struct device *dev, size_t size,
1553 void *caddr, dma_addr_t daddr)
1554 {
1555 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1556 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1557 debug_dma_free_coherent(dev, size, caddr, daddr);
1558 ops->free_coherent(dev, size, caddr, daddr);
1559 }
1560 @@ -51,13 +51,13 @@ static inline void dma_free_coherent(str
1561
1562 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1563 {
1564 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1565 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1566 return ops->mapping_error(dev, daddr);
1567 }
1568
1569 static inline int dma_supported(struct device *dev, u64 mask)
1570 {
1571 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1572 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1573 return ops->dma_supported(dev, mask);
1574 }
1575
1576 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/elf.h linux-2.6.39.2/arch/ia64/include/asm/elf.h
1577 --- linux-2.6.39.2/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1578 +++ linux-2.6.39.2/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1579 @@ -42,6 +42,13 @@
1580 */
1581 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1582
1583 +#ifdef CONFIG_PAX_ASLR
1584 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1585 +
1586 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1587 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1588 +#endif
1589 +
1590 #define PT_IA_64_UNWIND 0x70000001
1591
1592 /* IA-64 relocations: */
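Review bot: The 32-bit test in the three added macros compares the whole of `current->personality` with `PER_LINUX32`, so a task whose personality word also carries flag bits would presumably fail the comparison and get the 64-bit base and delta lengths. If that is not intended, mask the flags off first, e.g. `personality(current->personality) == PER_LINUX32`. The expression `3*PAGE_SHIFT - 13` also needs a short comment saying what bit width it is meant to yield for each supported page size, since the reasoning is not recoverable from the hunk.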
1593 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/machvec.h linux-2.6.39.2/arch/ia64/include/asm/machvec.h
1594 --- linux-2.6.39.2/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400
1595 +++ linux-2.6.39.2/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400
1596 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1597 /* DMA-mapping interface: */
1598 typedef void ia64_mv_dma_init (void);
1599 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1600 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1601 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1602
1603 /*
1604 * WARNING: The legacy I/O space is _architected_. Platforms are
1605 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1606 # endif /* CONFIG_IA64_GENERIC */
1607
1608 extern void swiotlb_dma_init(void);
1609 -extern struct dma_map_ops *dma_get_ops(struct device *);
1610 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1611
1612 /*
1613 * Define default versions so we can extend machvec for new platforms without having
1614 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/pgtable.h linux-2.6.39.2/arch/ia64/include/asm/pgtable.h
1615 --- linux-2.6.39.2/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
1616 +++ linux-2.6.39.2/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
1617 @@ -12,7 +12,7 @@
1618 * David Mosberger-Tang <davidm@hpl.hp.com>
1619 */
1620
1621 -
1622 +#include <linux/const.h>
1623 #include <asm/mman.h>
1624 #include <asm/page.h>
1625 #include <asm/processor.h>
1626 @@ -143,6 +143,17 @@
1627 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1628 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1629 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1630 +
1631 +#ifdef CONFIG_PAX_PAGEEXEC
1632 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1633 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1634 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1635 +#else
1636 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1637 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1638 +# define PAGE_COPY_NOEXEC PAGE_COPY
1639 +#endif
1640 +
1641 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1642 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1643 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
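Review bot: In the added `CONFIG_PAX_PAGEEXEC` block, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` are spelled out with exactly the bits that `PAGE_READONLY` and `PAGE_COPY` have in the context lines just above, so both branches of the `#ifdef` expand to the same value for those two names. A comment would make that intent explicit, for example `/* ia64 access rights already separate R/RW from RX/RWX, so the NOEXEC variants are aliases kept for the generic PaX code */`; the wording is inferred and should be confirmed. `PAGE_SHARED` is defined outside the hunk, so the same cannot be checked for `PAGE_SHARED_NOEXEC` from here.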
1644 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/spinlock.h linux-2.6.39.2/arch/ia64/include/asm/spinlock.h
1645 --- linux-2.6.39.2/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
1646 +++ linux-2.6.39.2/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
1647 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1648 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1649
1650 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1651 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1652 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1653 }
1654
1655 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1656 diff -urNp linux-2.6.39.2/arch/ia64/include/asm/uaccess.h linux-2.6.39.2/arch/ia64/include/asm/uaccess.h
1657 --- linux-2.6.39.2/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
1658 +++ linux-2.6.39.2/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
1659 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1660 const void *__cu_from = (from); \
1661 long __cu_len = (n); \
1662 \
1663 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1664 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1665 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1666 __cu_len; \
1667 })
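Review bot: When the added length guard fails, the macro still evaluates to the unmodified `__cu_len`, so a negative `n` comes back to the caller as a negative "bytes not copied" count. Callers that only test for non-zero are unaffected, but any that compute `n - ret` would see a nonsensical result, so the contract deserves a comment above the condition, e.g. `/* lengths <= 0 or > INT_MAX are refused before __access_ok(); n is returned unchanged as the uncopied count */`. The same applies to the second hunk of this file, where the rejected path also leaves the kernel destination buffer untouched. Both macro definitions start outside their hunks, so whether a header providing `INT_MAX` is already included cannot be confirmed here.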
1668 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1669 long __cu_len = (n); \
1670 \
1671 __chk_user_ptr(__cu_from); \
1672 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1673 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1674 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1675 __cu_len; \
1676 })
1677 diff -urNp linux-2.6.39.2/arch/ia64/kernel/dma-mapping.c linux-2.6.39.2/arch/ia64/kernel/dma-mapping.c
1678 --- linux-2.6.39.2/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400
1679 +++ linux-2.6.39.2/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400
1680 @@ -3,7 +3,7 @@
1681 /* Set this to 1 if there is a HW IOMMU in the system */
1682 int iommu_detected __read_mostly;
1683
1684 -struct dma_map_ops *dma_ops;
1685 +const struct dma_map_ops *dma_ops;
1686 EXPORT_SYMBOL(dma_ops);
1687
1688 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
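Review bot: The `const` added to `dma_ops` here qualifies the pointed-to operations table, not the pointer, so the exported variable itself remains writable and can still be redirected at run time. That is probably unavoidable if the pointer is assigned during platform setup, but it should be stated so readers do not overestimate what the change protects, e.g. `/* const ops table; the pointer is still writable and is set at init */`. The same holds for the other `const struct dma_map_ops *` globals changed in this patch, such as `octeon_pci_dma_map_ops` and `pci_dma_ops` in the microblaze PCI code.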
1689 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1690 }
1691 fs_initcall(dma_init);
1692
1693 -struct dma_map_ops *dma_get_ops(struct device *dev)
1694 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1695 {
1696 return dma_ops;
1697 }
1698 diff -urNp linux-2.6.39.2/arch/ia64/kernel/module.c linux-2.6.39.2/arch/ia64/kernel/module.c
1699 --- linux-2.6.39.2/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
1700 +++ linux-2.6.39.2/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
1701 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1702 void
1703 module_free (struct module *mod, void *module_region)
1704 {
1705 - if (mod && mod->arch.init_unw_table &&
1706 - module_region == mod->module_init) {
1707 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1708 unw_remove_unwind_table(mod->arch.init_unw_table);
1709 mod->arch.init_unw_table = NULL;
1710 }
1711 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1712 }
1713
1714 static inline int
1715 +in_init_rx (const struct module *mod, uint64_t addr)
1716 +{
1717 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1718 +}
1719 +
1720 +static inline int
1721 +in_init_rw (const struct module *mod, uint64_t addr)
1722 +{
1723 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1724 +}
1725 +
1726 +static inline int
1727 in_init (const struct module *mod, uint64_t addr)
1728 {
1729 - return addr - (uint64_t) mod->module_init < mod->init_size;
1730 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1731 +}
1732 +
1733 +static inline int
1734 +in_core_rx (const struct module *mod, uint64_t addr)
1735 +{
1736 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1737 +}
1738 +
1739 +static inline int
1740 +in_core_rw (const struct module *mod, uint64_t addr)
1741 +{
1742 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1743 }
1744
1745 static inline int
1746 in_core (const struct module *mod, uint64_t addr)
1747 {
1748 - return addr - (uint64_t) mod->module_core < mod->core_size;
1749 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1750 }
1751
1752 static inline int
1753 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1754 break;
1755
1756 case RV_BDREL:
1757 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1758 + if (in_init_rx(mod, val))
1759 + val -= (uint64_t) mod->module_init_rx;
1760 + else if (in_init_rw(mod, val))
1761 + val -= (uint64_t) mod->module_init_rw;
1762 + else if (in_core_rx(mod, val))
1763 + val -= (uint64_t) mod->module_core_rx;
1764 + else if (in_core_rw(mod, val))
1765 + val -= (uint64_t) mod->module_core_rw;
1766 break;
1767
1768 case RV_LTV:
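Review bot: The new `RV_BDREL` chain has no final `else`, so a value that lies in none of the four init/core regions now leaves the switch unmodified. The removed line always subtracted a base, defaulting to `module_core`. An out-of-range value is arguably a malformed relocation, so it is better to reject it explicitly than to pass it on silently. A closing branch such as `else return -ENOEXEC;` would do that, assuming this matches the error convention `do_reloc` uses elsewhere; the function body extends beyond the hunk, so that needs checking.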
1769 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1770 * addresses have been selected...
1771 */
1772 uint64_t gp;
1773 - if (mod->core_size > MAX_LTOFF)
1774 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1775 /*
1776 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1777 * at the end of the module.
1778 */
1779 - gp = mod->core_size - MAX_LTOFF / 2;
1780 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1781 else
1782 - gp = mod->core_size / 2;
1783 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1784 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1785 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1786 mod->arch.gp = gp;
1787 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1788 }
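Review bot: The gp computation now derives an offset from `core_size_rx + core_size_rw` but adds it to `module_core_rx` alone, which is only valid if the RW part is laid out directly after the RX part in one contiguous mapping. Nothing in the hunk establishes that layout, and if the two regions are ever allocated separately the resulting gp would point outside the module. Please state the assumption next to the calculation, e.g. `/* relies on module_core_rw following module_core_rx contiguously */`, or assert it. The existing comment about `SHF_ARCH_SMALL` being allocated at the end of the module should be rechecked against the split layout as well.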
1789 diff -urNp linux-2.6.39.2/arch/ia64/kernel/pci-dma.c linux-2.6.39.2/arch/ia64/kernel/pci-dma.c
1790 --- linux-2.6.39.2/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
1791 +++ linux-2.6.39.2/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
1792 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1793 .dma_mask = &fallback_dev.coherent_dma_mask,
1794 };
1795
1796 -extern struct dma_map_ops intel_dma_ops;
1797 +extern const struct dma_map_ops intel_dma_ops;
1798
1799 static int __init pci_iommu_init(void)
1800 {
1801 diff -urNp linux-2.6.39.2/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.2/arch/ia64/kernel/pci-swiotlb.c
1802 --- linux-2.6.39.2/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
1803 +++ linux-2.6.39.2/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
1804 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1805 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1806 }
1807
1808 -struct dma_map_ops swiotlb_dma_ops = {
1809 +const struct dma_map_ops swiotlb_dma_ops = {
1810 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1811 .free_coherent = swiotlb_free_coherent,
1812 .map_page = swiotlb_map_page,
1813 diff -urNp linux-2.6.39.2/arch/ia64/kernel/sys_ia64.c linux-2.6.39.2/arch/ia64/kernel/sys_ia64.c
1814 --- linux-2.6.39.2/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400
1815 +++ linux-2.6.39.2/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400
1816 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1817 if (REGION_NUMBER(addr) == RGN_HPAGE)
1818 addr = 0;
1819 #endif
1820 +
1821 +#ifdef CONFIG_PAX_RANDMMAP
1822 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1823 + addr = mm->free_area_cache;
1824 + else
1825 +#endif
1826 +
1827 if (!addr)
1828 addr = mm->free_area_cache;
1829
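Review bot: The added `CONFIG_PAX_RANDMMAP` block ends in a bare `else` that binds to the `if (!addr)` following the `#endif`, with a blank line in between, which is easy to break when either side is edited later. Bracing the added statement and dropping the dangling `else` is safer, or at least mark it with `else /* falls into the if (!addr) below */`. With the flag set the caller's address hint is overwritten unconditionally by `mm->free_area_cache`, which deserves a one-line comment saying that hints are deliberately ignored under RANDMMAP. The function begins before the hunk.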
1830 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1831 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1832 /* At this point: (!vma || addr < vma->vm_end). */
1833 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1834 - if (start_addr != TASK_UNMAPPED_BASE) {
1835 + if (start_addr != mm->mmap_base) {
1836 /* Start a new search --- just in case we missed some holes. */
1837 - addr = TASK_UNMAPPED_BASE;
1838 + addr = mm->mmap_base;
1839 goto full_search;
1840 }
1841 return -ENOMEM;
1842 }
1843 - if (!vma || addr + len <= vma->vm_start) {
1844 + if (check_heap_stack_gap(vma, addr, len)) {
1845 /* Remember the address where we stopped this search: */
1846 mm->free_area_cache = addr + len;
1847 return addr;
1848 diff -urNp linux-2.6.39.2/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.2/arch/ia64/kernel/vmlinux.lds.S
1849 --- linux-2.6.39.2/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
1850 +++ linux-2.6.39.2/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
1851 @@ -199,7 +199,7 @@ SECTIONS {
1852 /* Per-cpu data: */
1853 . = ALIGN(PERCPU_PAGE_SIZE);
1854 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1855 - __phys_per_cpu_start = __per_cpu_load;
1856 + __phys_per_cpu_start = per_cpu_load;
1857 /*
1858 * ensure percpu data fits
1859 * into percpu page size
1860 diff -urNp linux-2.6.39.2/arch/ia64/mm/fault.c linux-2.6.39.2/arch/ia64/mm/fault.c
1861 --- linux-2.6.39.2/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1862 +++ linux-2.6.39.2/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1863 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1864 return pte_present(pte);
1865 }
1866
1867 +#ifdef CONFIG_PAX_PAGEEXEC
1868 +void pax_report_insns(void *pc, void *sp)
1869 +{
1870 + unsigned long i;
1871 +
1872 + printk(KERN_ERR "PAX: bytes at PC: ");
1873 + for (i = 0; i < 8; i++) {
1874 + unsigned int c;
1875 + if (get_user(c, (unsigned int *)pc+i))
1876 + printk(KERN_CONT "???????? ");
1877 + else
1878 + printk(KERN_CONT "%08x ", c);
1879 + }
1880 + printk("\n");
1881 +}
1882 +#endif
1883 +
1884 void __kprobes
1885 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1886 {
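Review bot: In the added `pax_report_insns`, the closing `printk("\n")` carries no `KERN_CONT`, unlike the other continuation calls in the loop, so the newline may be emitted as a separate default-level message; `printk(KERN_CONT "\n");` keeps the line together. The pointer passed to `get_user` is cast without the user-space annotation, and `(unsigned int __user *)pc + i` would keep sparse quiet and make the trust boundary visible. The `sp` parameter is unused here, and a short comment that it exists only to match the common prototype would save readers from looking for a missing stack dump.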
1887 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1888 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1889 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1890
1891 - if ((vma->vm_flags & mask) != mask)
1892 + if ((vma->vm_flags & mask) != mask) {
1893 +
1894 +#ifdef CONFIG_PAX_PAGEEXEC
1895 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1896 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1897 + goto bad_area;
1898 +
1899 + up_read(&mm->mmap_sem);
1900 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1901 + do_group_exit(SIGKILL);
1902 + }
1903 +#endif
1904 +
1905 goto bad_area;
1906
1907 + }
1908 +
1909 /*
1910 * If for any reason at all we couldn't handle the fault, make
1911 * sure we exit gracefully rather than endlessly redo the
1912 diff -urNp linux-2.6.39.2/arch/ia64/mm/hugetlbpage.c linux-2.6.39.2/arch/ia64/mm/hugetlbpage.c
1913 --- linux-2.6.39.2/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
1914 +++ linux-2.6.39.2/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
1915 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1916 /* At this point: (!vmm || addr < vmm->vm_end). */
1917 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1918 return -ENOMEM;
1919 - if (!vmm || (addr + len) <= vmm->vm_start)
1920 + if (check_heap_stack_gap(vmm, addr, len))
1921 return addr;
1922 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1923 }
1924 diff -urNp linux-2.6.39.2/arch/ia64/mm/init.c linux-2.6.39.2/arch/ia64/mm/init.c
1925 --- linux-2.6.39.2/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400
1926 +++ linux-2.6.39.2/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400
1927 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1928 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1929 vma->vm_end = vma->vm_start + PAGE_SIZE;
1930 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1931 +
1932 +#ifdef CONFIG_PAX_PAGEEXEC
1933 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1934 + vma->vm_flags &= ~VM_EXEC;
1935 +
1936 +#ifdef CONFIG_PAX_MPROTECT
1937 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1938 + vma->vm_flags &= ~VM_MAYEXEC;
1939 +#endif
1940 +
1941 + }
1942 +#endif
1943 +
1944 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1945 down_write(&current->mm->mmap_sem);
1946 if (insert_vm_struct(current->mm, vma)) {
1947 diff -urNp linux-2.6.39.2/arch/ia64/pci/pci.c linux-2.6.39.2/arch/ia64/pci/pci.c
1948 --- linux-2.6.39.2/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
1949 +++ linux-2.6.39.2/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400
1950 @@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus
1951 devfn, where, size, value);
1952 }
1953
1954 -struct pci_ops pci_root_ops = {
1955 +const struct pci_ops pci_root_ops = {
1956 .read = pci_read,
1957 .write = pci_write,
1958 };
1959 diff -urNp linux-2.6.39.2/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.2/arch/ia64/sn/pci/pci_dma.c
1960 --- linux-2.6.39.2/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400
1961 +++ linux-2.6.39.2/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400
1962 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1963 return ret;
1964 }
1965
1966 -static struct dma_map_ops sn_dma_ops = {
1967 +static const struct dma_map_ops sn_dma_ops = {
1968 .alloc_coherent = sn_dma_alloc_coherent,
1969 .free_coherent = sn_dma_free_coherent,
1970 .map_page = sn_dma_map_page,
1971 diff -urNp linux-2.6.39.2/arch/m32r/lib/usercopy.c linux-2.6.39.2/arch/m32r/lib/usercopy.c
1972 --- linux-2.6.39.2/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400
1973 +++ linux-2.6.39.2/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400
1974 @@ -14,6 +14,9 @@
1975 unsigned long
1976 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1977 {
1978 + if ((long)n < 0)
1979 + return n;
1980 +
1981 prefetch(from);
1982 if (access_ok(VERIFY_WRITE, to, n))
1983 __copy_user(to,from,n);
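Review bot: The added `(long)n < 0` test has no comment, and its intent, catching a negative length that was converted to `unsigned long`, is not obvious from the cast alone. Something like `/* a length with the sign bit set is a converted negative value: copy nothing and report all n bytes as uncopied */` above the check would document it, and the same comment fits the identical check in the second hunk. In `__generic_copy_from_user` the early return also skips whatever the function does on an `access_ok` failure, which is outside the hunk, so confirm that callers do not depend on that path for this case.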
1984 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1985 unsigned long
1986 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1987 {
1988 + if ((long)n < 0)
1989 + return n;
1990 +
1991 prefetchw(to);
1992 if (access_ok(VERIFY_READ, from, n))
1993 __copy_user_zeroing(to,from,n);
1994 diff -urNp linux-2.6.39.2/arch/microblaze/include/asm/device.h linux-2.6.39.2/arch/microblaze/include/asm/device.h
1995 --- linux-2.6.39.2/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
1996 +++ linux-2.6.39.2/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
1997 @@ -13,7 +13,7 @@ struct device_node;
1998
1999 struct dev_archdata {
2000 /* DMA operations on that device */
2001 - struct dma_map_ops *dma_ops;
2002 + const struct dma_map_ops *dma_ops;
2003 void *dma_data;
2004 };
2005
2006 diff -urNp linux-2.6.39.2/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.2/arch/microblaze/include/asm/dma-mapping.h
2007 --- linux-2.6.39.2/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2008 +++ linux-2.6.39.2/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2009 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
2010 return 0xfffffffful;
2011 }
2012
2013 -extern struct dma_map_ops *dma_ops;
2014 +extern const struct dma_map_ops *dma_ops;
2015
2016 /*
2017 * Available generic sets of operations
2018 */
2019 -extern struct dma_map_ops dma_direct_ops;
2020 +extern const struct dma_map_ops dma_direct_ops;
2021
2022 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2023 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2024 {
2025 /* We don't handle the NULL dev case for ISA for now. We could
2026 * do it via an out of line call but it is not needed for now. The
2027 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
2028 return dev->archdata.dma_ops;
2029 }
2030
2031 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2032 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2033 {
2034 dev->archdata.dma_ops = ops;
2035 }
2036
2037 static inline int dma_supported(struct device *dev, u64 mask)
2038 {
2039 - struct dma_map_ops *ops = get_dma_ops(dev);
2040 + const struct dma_map_ops *ops = get_dma_ops(dev);
2041
2042 if (unlikely(!ops))
2043 return 0;
2044 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
2045
2046 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2047 {
2048 - struct dma_map_ops *ops = get_dma_ops(dev);
2049 + const struct dma_map_ops *ops = get_dma_ops(dev);
2050
2051 if (unlikely(ops == NULL))
2052 return -EIO;
2053 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
2054
2055 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2056 {
2057 - struct dma_map_ops *ops = get_dma_ops(dev);
2058 + const struct dma_map_ops *ops = get_dma_ops(dev);
2059 if (ops->mapping_error)
2060 return ops->mapping_error(dev, dma_addr);
2061
2062 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
2063 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2064 dma_addr_t *dma_handle, gfp_t flag)
2065 {
2066 - struct dma_map_ops *ops = get_dma_ops(dev);
2067 + const struct dma_map_ops *ops = get_dma_ops(dev);
2068 void *memory;
2069
2070 BUG_ON(!ops);
2071 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
2072 static inline void dma_free_coherent(struct device *dev, size_t size,
2073 void *cpu_addr, dma_addr_t dma_handle)
2074 {
2075 - struct dma_map_ops *ops = get_dma_ops(dev);
2076 + const struct dma_map_ops *ops = get_dma_ops(dev);
2077
2078 BUG_ON(!ops);
2079 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
2080 diff -urNp linux-2.6.39.2/arch/microblaze/include/asm/pci.h linux-2.6.39.2/arch/microblaze/include/asm/pci.h
2081 --- linux-2.6.39.2/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
2082 +++ linux-2.6.39.2/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
2083 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
2084 }
2085
2086 #ifdef CONFIG_PCI
2087 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2088 -extern struct dma_map_ops *get_pci_dma_ops(void);
2089 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2090 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2091 #else /* CONFIG_PCI */
2092 #define set_pci_dma_ops(d)
2093 #define get_pci_dma_ops() NULL
2094 diff -urNp linux-2.6.39.2/arch/microblaze/kernel/dma.c linux-2.6.39.2/arch/microblaze/kernel/dma.c
2095 --- linux-2.6.39.2/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
2096 +++ linux-2.6.39.2/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
2097 @@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page
2098 __dma_sync_page(dma_address, 0 , size, direction);
2099 }
2100
2101 -struct dma_map_ops dma_direct_ops = {
2102 +const struct dma_map_ops dma_direct_ops = {
2103 .alloc_coherent = dma_direct_alloc_coherent,
2104 .free_coherent = dma_direct_free_coherent,
2105 .map_sg = dma_direct_map_sg,
2106 diff -urNp linux-2.6.39.2/arch/microblaze/kernel/kgdb.c linux-2.6.39.2/arch/microblaze/kernel/kgdb.c
2107 --- linux-2.6.39.2/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2108 +++ linux-2.6.39.2/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2109 @@ -141,7 +141,7 @@ void kgdb_arch_exit(void)
2110 /*
2111 * Global data
2112 */
2113 -struct kgdb_arch arch_kgdb_ops = {
2114 +const struct kgdb_arch arch_kgdb_ops = {
2115 #ifdef __MICROBLAZEEL__
2116 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
2117 #else
2118 diff -urNp linux-2.6.39.2/arch/microblaze/pci/indirect_pci.c linux-2.6.39.2/arch/microblaze/pci/indirect_pci.c
2119 --- linux-2.6.39.2/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
2120 +++ linux-2.6.39.2/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
2121 @@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu
2122 return PCIBIOS_SUCCESSFUL;
2123 }
2124
2125 -static struct pci_ops indirect_pci_ops = {
2126 +static const struct pci_ops indirect_pci_ops = {
2127 .read = indirect_read_config,
2128 .write = indirect_write_config,
2129 };
2130 diff -urNp linux-2.6.39.2/arch/microblaze/pci/pci-common.c linux-2.6.39.2/arch/microblaze/pci/pci-common.c
2131 --- linux-2.6.39.2/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400
2132 +++ linux-2.6.39.2/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400
2133 @@ -48,14 +48,14 @@ resource_size_t isa_mem_base;
2134 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
2135 unsigned int pci_flags;
2136
2137 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2138 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2139
2140 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2141 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2142 {
2143 pci_dma_ops = dma_ops;
2144 }
2145
2146 -struct dma_map_ops *get_pci_dma_ops(void)
2147 +const struct dma_map_ops *get_pci_dma_ops(void)
2148 {
2149 return pci_dma_ops;
2150 }
2151 @@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u
2152 return PCIBIOS_DEVICE_NOT_FOUND;
2153 }
2154
2155 -static struct pci_ops null_pci_ops = {
2156 +static const struct pci_ops null_pci_ops = {
2157 .read = null_read_config,
2158 .write = null_write_config,
2159 };
2160 diff -urNp linux-2.6.39.2/arch/mips/alchemy/common/pci.c linux-2.6.39.2/arch/mips/alchemy/common/pci.c
2161 --- linux-2.6.39.2/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2162 +++ linux-2.6.39.2/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2163 @@ -51,7 +51,7 @@ static struct resource pci_mem_resource
2164 .flags = IORESOURCE_MEM
2165 };
2166
2167 -extern struct pci_ops au1x_pci_ops;
2168 +extern const struct pci_ops au1x_pci_ops;
2169
2170 static struct pci_controller au1x_controller = {
2171 .pci_ops = &au1x_pci_ops,
2172 diff -urNp linux-2.6.39.2/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.2/arch/mips/cavium-octeon/dma-octeon.c
2173 --- linux-2.6.39.2/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400
2174 +++ linux-2.6.39.2/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400
2175 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
2176 }
2177
2178 struct octeon_dma_map_ops {
2179 - struct dma_map_ops dma_map_ops;
2180 + const struct dma_map_ops dma_map_ops;
2181 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
2182 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
2183 };
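Review bot: Marking the embedded `dma_map_ops` member `const` inside `struct octeon_dma_map_ops` does not by itself place the function-pointer table in read-only memory. The objects of this type are what end up in a data section, and the next hunk's header suggests at least one is declared `static struct octeon_dma_map_ops` without `const`. If the goal is a non-writable ops table, the instances themselves need to be `static const struct octeon_dma_map_ops ...`, provided nothing assigns to their other members at run time. The instance definitions are outside this hunk, so this needs checking against the full file.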
2184 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
2185 },
2186 };
2187
2188 -struct dma_map_ops *octeon_pci_dma_map_ops;
2189 +const struct dma_map_ops *octeon_pci_dma_map_ops;
2190
2191 void __init octeon_pci_dma_init(void)
2192 {
2193 diff -urNp linux-2.6.39.2/arch/mips/cobalt/pci.c linux-2.6.39.2/arch/mips/cobalt/pci.c
2194 --- linux-2.6.39.2/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400
2195 +++ linux-2.6.39.2/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400
2196 @@ -14,7 +14,7 @@
2197
2198 #include <asm/gt64120.h>
2199
2200 -extern struct pci_ops gt64xxx_pci0_ops;
2201 +extern const struct pci_ops gt64xxx_pci0_ops;
2202
2203 static struct resource cobalt_mem_resource = {
2204 .start = GT_DEF_PCI0_MEM0_BASE,
2205 diff -urNp linux-2.6.39.2/arch/mips/include/asm/device.h linux-2.6.39.2/arch/mips/include/asm/device.h
2206 --- linux-2.6.39.2/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2207 +++ linux-2.6.39.2/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2208 @@ -10,7 +10,7 @@ struct dma_map_ops;
2209
2210 struct dev_archdata {
2211 /* DMA operations on that device */
2212 - struct dma_map_ops *dma_ops;
2213 + const struct dma_map_ops *dma_ops;
2214 };
2215
2216 struct pdev_archdata {
2217 diff -urNp linux-2.6.39.2/arch/mips/include/asm/dma-mapping.h linux-2.6.39.2/arch/mips/include/asm/dma-mapping.h
2218 --- linux-2.6.39.2/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2219 +++ linux-2.6.39.2/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2220 @@ -9,9 +9,9 @@
2221 #include <dma-coherence.h>
2222 #endif
2223
2224 -extern struct dma_map_ops *mips_dma_map_ops;
2225 +extern const struct dma_map_ops *mips_dma_map_ops;
2226
2227 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2228 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2229 {
2230 if (dev && dev->archdata.dma_ops)
2231 return dev->archdata.dma_ops;
2232 @@ -33,13 +33,13 @@ static inline void dma_mark_clean(void *
2233
2234 static inline int dma_supported(struct device *dev, u64 mask)
2235 {
2236 - struct dma_map_ops *ops = get_dma_ops(dev);
2237 + const struct dma_map_ops *ops = get_dma_ops(dev);
2238 return ops->dma_supported(dev, mask);
2239 }
2240
2241 static inline int dma_mapping_error(struct device *dev, u64 mask)
2242 {
2243 - struct dma_map_ops *ops = get_dma_ops(dev);
2244 + const struct dma_map_ops *ops = get_dma_ops(dev);
2245 return ops->mapping_error(dev, mask);
2246 }
2247
2248 @@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s
2249 dma_addr_t *dma_handle, gfp_t gfp)
2250 {
2251 void *ret;
2252 - struct dma_map_ops *ops = get_dma_ops(dev);
2253 + const struct dma_map_ops *ops = get_dma_ops(dev);
2254
2255 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
2256
2257 @@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s
2258 static inline void dma_free_coherent(struct device *dev, size_t size,
2259 void *vaddr, dma_addr_t dma_handle)
2260 {
2261 - struct dma_map_ops *ops = get_dma_ops(dev);
2262 + const struct dma_map_ops *ops = get_dma_ops(dev);
2263
2264 ops->free_coherent(dev, size, vaddr, dma_handle);
2265
2266 diff -urNp linux-2.6.39.2/arch/mips/include/asm/elf.h linux-2.6.39.2/arch/mips/include/asm/elf.h
2267 --- linux-2.6.39.2/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2268 +++ linux-2.6.39.2/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2269 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
2270 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2271 #endif
2272
2273 +#ifdef CONFIG_PAX_ASLR
2274 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2275 +
2276 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2277 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2278 +#endif
2279 +
2280 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2281 struct linux_binprm;
2282 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
2283 int uses_interp);
2284
2285 -struct mm_struct;
2286 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2287 -#define arch_randomize_brk arch_randomize_brk
2288 -
2289 #endif /* _ASM_ELF_H */
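Review bot: Both arms of the conditional in the added `PAX_ELF_ET_DYN_BASE` are the same constant, so the `TASK_IS_32BIT_ADDR` test has no effect, and the same expression appears again in the `binfmt_elfn32.c` hunk. Either write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`, or add a comment that the ternary is kept only for symmetry with the two `PAX_DELTA_*_LEN` macros. The hunk also removes the `arch_randomize_brk` declaration and its self-define, and a line in the surrounding comment saying where brk randomisation is handled instead would keep readers from assuming it was dropped by accident.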
2290 diff -urNp linux-2.6.39.2/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.2/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
2291 --- linux-2.6.39.2/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400
2292 +++ linux-2.6.39.2/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400
2293 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
2294 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
2295
2296 struct dma_map_ops;
2297 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
2298 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
2299 extern char *octeon_swiotlb;
2300
2301 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
2302 diff -urNp linux-2.6.39.2/arch/mips/include/asm/page.h linux-2.6.39.2/arch/mips/include/asm/page.h
2303 --- linux-2.6.39.2/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
2304 +++ linux-2.6.39.2/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
2305 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2306 #ifdef CONFIG_CPU_MIPS32
2307 typedef struct { unsigned long pte_low, pte_high; } pte_t;
2308 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2309 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2310 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2311 #else
2312 typedef struct { unsigned long long pte; } pte_t;
2313 #define pte_val(x) ((x).pte)
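Review bot: With the `(unsigned long long)` cast dropped, `(x) >> 32` in the new `__pte(x)` is evaluated in the type of `x`, and a shift by 32 is undefined whenever that type is only 32 bits wide, as `unsigned long` is on a MIPS32 build. The callers are not visible in this hunk, so it cannot be confirmed that every argument is already a 64-bit value. Unless the cast was removed for a reason recorded elsewhere, keeping the widening is the safer form: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`. If it has to go, a comment stating that `x` must be 64 bits wide is needed. The surrounding `#ifdef CONFIG_CPU_MIPS32` block continues outside the hunk.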
2314 diff -urNp linux-2.6.39.2/arch/mips/include/asm/pci/bridge.h linux-2.6.39.2/arch/mips/include/asm/pci/bridge.h
2315 --- linux-2.6.39.2/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400
2316 +++ linux-2.6.39.2/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400
2317 @@ -849,6 +849,6 @@ struct bridge_controller {
2318 extern void register_bridge_irq(unsigned int irq);
2319 extern int request_bridge_irq(struct bridge_controller *bc);
2320
2321 -extern struct pci_ops bridge_pci_ops;
2322 +extern const struct pci_ops bridge_pci_ops;
2323
2324 #endif /* _ASM_PCI_BRIDGE_H */
2325 diff -urNp linux-2.6.39.2/arch/mips/include/asm/system.h linux-2.6.39.2/arch/mips/include/asm/system.h
2326 --- linux-2.6.39.2/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
2327 +++ linux-2.6.39.2/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
2328 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2329 */
2330 #define __ARCH_WANT_UNLOCKED_CTXSW
2331
2332 -extern unsigned long arch_align_stack(unsigned long sp);
2333 +#define arch_align_stack(x) ((x) & ~0xfUL)
2334
2335 #endif /* _ASM_SYSTEM_H */
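Review bot: The new `arch_align_stack(x)` macro hard-codes a 16-byte mask with no comment, whereas the function it replaces (removed in the kernel/process.c hunk) used `ALMASK` and carried a comment on the ABI alignment requirement. A one-line comment would keep that knowledge next to the constant: `/* 16-byte alignment satisfies both the 32-bit (8-byte) and 64-bit (16-byte) ABI */`. The expansion itself parenthesizes its argument and evaluates it once, so it needs no change.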
2336 diff -urNp linux-2.6.39.2/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.2/arch/mips/kernel/binfmt_elfn32.c
2337 --- linux-2.6.39.2/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400
2338 +++ linux-2.6.39.2/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400
2339 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2340 #undef ELF_ET_DYN_BASE
2341 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2342
2343 +#ifdef CONFIG_PAX_ASLR
2344 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2345 +
2346 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2347 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2348 +#endif
2349 +
2350 #include <asm/processor.h>
2351 #include <linux/module.h>
2352 #include <linux/elfcore.h>
2353 diff -urNp linux-2.6.39.2/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.2/arch/mips/kernel/binfmt_elfo32.c
2354 --- linux-2.6.39.2/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400
2355 +++ linux-2.6.39.2/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400
2356 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2357 #undef ELF_ET_DYN_BASE
2358 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2359
2360 +#ifdef CONFIG_PAX_ASLR
2361 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2362 +
2363 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2364 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2365 +#endif
2366 +
2367 #include <asm/processor.h>
2368
2369 /*
2370 diff -urNp linux-2.6.39.2/arch/mips/kernel/kgdb.c linux-2.6.39.2/arch/mips/kernel/kgdb.c
2371 --- linux-2.6.39.2/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2372 +++ linux-2.6.39.2/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2373 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
2374 return -1;
2375 }
2376
2377 -struct kgdb_arch arch_kgdb_ops;
2378 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
2379
2380 /*
2381 * We use kgdb_early_setup so that functions we need to call now don't
2382 diff -urNp linux-2.6.39.2/arch/mips/kernel/process.c linux-2.6.39.2/arch/mips/kernel/process.c
2383 --- linux-2.6.39.2/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
2384 +++ linux-2.6.39.2/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
2385 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
2386 out:
2387 return pc;
2388 }
2389 -
2390 -/*
2391 - * Don't forget that the stack pointer must be aligned on a 8 bytes
2392 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2393 - */
2394 -unsigned long arch_align_stack(unsigned long sp)
2395 -{
2396 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2397 - sp -= get_random_int() & ~PAGE_MASK;
2398 -
2399 - return sp & ALMASK;
2400 -}
2401 diff -urNp linux-2.6.39.2/arch/mips/kernel/syscall.c linux-2.6.39.2/arch/mips/kernel/syscall.c
2402 --- linux-2.6.39.2/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400
2403 +++ linux-2.6.39.2/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400
2404 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
2405 do_color_align = 0;
2406 if (filp || (flags & MAP_SHARED))
2407 do_color_align = 1;
2408 +
2409 +#ifdef CONFIG_PAX_RANDMMAP
2410 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2411 +#endif
2412 +
2413 if (addr) {
2414 if (do_color_align)
2415 addr = COLOUR_ALIGN(addr, pgoff);
2416 else
2417 addr = PAGE_ALIGN(addr);
2418 vmm = find_vma(current->mm, addr);
2419 - if (task_size - len >= addr &&
2420 - (!vmm || addr + len <= vmm->vm_start))
2421 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2422 return addr;
2423 }
2424 addr = current->mm->mmap_base;
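Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block adds a brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the following `if (addr) {` statement, separated from it by `#endif` and a blank line. Any statement later inserted between the two would silently become the guarded body instead. A comment on the guard, for example `/* with RANDMMAP the address hint is ignored; this guards the if (addr) block below */`, or folding the test into the `if (addr)` condition would make the dependency explicit. `check_heap_stack_gap()` is not defined in this hunk, so whether it accepts a NULL `vmm` as the replaced `!vmm ||` test did cannot be confirmed here; the second hunk of this file relies on the same behaviour. The body of `arch_get_unmapped_area` starts and ends outside the hunk.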
2425 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
2426 /* At this point: (!vmm || addr < vmm->vm_end). */
2427 if (task_size - len < addr)
2428 return -ENOMEM;
2429 - if (!vmm || addr + len <= vmm->vm_start)
2430 + if (check_heap_stack_gap(vmm, addr, len))
2431 return addr;
2432 addr = vmm->vm_end;
2433 if (do_color_align)
2434 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
2435 mm->unmap_area = arch_unmap_area;
2436 }
2437
2438 -static inline unsigned long brk_rnd(void)
2439 -{
2440 - unsigned long rnd = get_random_int();
2441 -
2442 - rnd = rnd << PAGE_SHIFT;
2443 - /* 8MB for 32bit, 256MB for 64bit */
2444 - if (TASK_IS_32BIT_ADDR)
2445 - rnd = rnd & 0x7ffffful;
2446 - else
2447 - rnd = rnd & 0xffffffful;
2448 -
2449 - return rnd;
2450 -}
2451 -
2452 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2453 -{
2454 - unsigned long base = mm->brk;
2455 - unsigned long ret;
2456 -
2457 - ret = PAGE_ALIGN(base + brk_rnd());
2458 -
2459 - if (ret < mm->brk)
2460 - return mm->brk;
2461 -
2462 - return ret;
2463 -}
2464 -
2465 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
2466 unsigned long, prot, unsigned long, flags, unsigned long,
2467 fd, off_t, offset)
2468 diff -urNp linux-2.6.39.2/arch/mips/mm/dma-default.c linux-2.6.39.2/arch/mips/mm/dma-default.c
2469 --- linux-2.6.39.2/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400
2470 +++ linux-2.6.39.2/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400
2471 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
2472
2473 EXPORT_SYMBOL(dma_cache_sync);
2474
2475 -static struct dma_map_ops mips_default_dma_map_ops = {
2476 +static const struct dma_map_ops mips_default_dma_map_ops = {
2477 .alloc_coherent = mips_dma_alloc_coherent,
2478 .free_coherent = mips_dma_free_coherent,
2479 .map_page = mips_dma_map_page,
2480 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
2481 .dma_supported = mips_dma_supported
2482 };
2483
2484 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2485 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2486 EXPORT_SYMBOL(mips_dma_map_ops);
2487
2488 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
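Review bot: `mips_dma_map_ops` in this hunk remains a writable, exported pointer, because `const struct dma_map_ops *` makes only the table it points to read-only. If nothing reassigns it after initialisation, `const struct dma_map_ops * const mips_dma_map_ops = &mips_default_dma_map_ops;` would extend the protection to the pointer as well. Whether platform code assigns to it is not visible here. If it must stay mutable, a comment next to the definition should say which code updates it.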
2489 diff -urNp linux-2.6.39.2/arch/mips/mm/fault.c linux-2.6.39.2/arch/mips/mm/fault.c
2490 --- linux-2.6.39.2/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
2491 +++ linux-2.6.39.2/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
2492 @@ -28,6 +28,23 @@
2493 #include <asm/highmem.h> /* For VMALLOC_END */
2494 #include <linux/kdebug.h>
2495
2496 +#ifdef CONFIG_PAX_PAGEEXEC
2497 +void pax_report_insns(void *pc, void *sp)
2498 +{
2499 + unsigned long i;
2500 +
2501 + printk(KERN_ERR "PAX: bytes at PC: ");
2502 + for (i = 0; i < 5; i++) {
2503 + unsigned int c;
2504 + if (get_user(c, (unsigned int *)pc+i))
2505 + printk(KERN_CONT "???????? ");
2506 + else
2507 + printk(KERN_CONT "%08x ", c);
2508 + }
2509 + printk("\n");
2510 +}
2511 +#endif
2512 +
2513 /*
2514 * This routine handles page faults. It determines the address,
2515 * and the problem, and then passes it off to one of the appropriate
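Review bot: In `pax_report_insns` the pointer handed to `get_user()` is cast as `(unsigned int *)pc+i` without the `__user` address-space annotation, so sparse cannot check the access; `get_user(c, (unsigned int __user *)pc + i)` states that this is a user-space read. The `sp` parameter is never used in the body. The closing `printk("\n")` has no `KERN_CONT`, unlike the other continuation calls, so `printk(KERN_CONT "\n");` would be consistent. A short header comment saying that the function logs five instruction words starting at the faulting PC, printing `????????` for words that cannot be read, would document the hard-coded 5.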
2516 diff -urNp linux-2.6.39.2/arch/mips/mti-malta/malta-pci.c linux-2.6.39.2/arch/mips/mti-malta/malta-pci.c
2517 --- linux-2.6.39.2/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400
2518 +++ linux-2.6.39.2/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400
2519 @@ -64,9 +64,9 @@ static struct resource msc_io_resource =
2520 .flags = IORESOURCE_IO,
2521 };
2522
2523 -extern struct pci_ops bonito64_pci_ops;
2524 -extern struct pci_ops gt64xxx_pci0_ops;
2525 -extern struct pci_ops msc_pci_ops;
2526 +extern const struct pci_ops bonito64_pci_ops;
2527 +extern const struct pci_ops gt64xxx_pci0_ops;
2528 +extern const struct pci_ops msc_pci_ops;
2529
2530 static struct pci_controller bonito64_controller = {
2531 .pci_ops = &bonito64_pci_ops,
2532 diff -urNp linux-2.6.39.2/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.2/arch/mips/nxp/pnx8550/common/pci.c
2533 --- linux-2.6.39.2/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2534 +++ linux-2.6.39.2/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2535 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2536 .flags = IORESOURCE_MEM
2537 };
2538
2539 -extern struct pci_ops pnx8550_pci_ops;
2540 +extern const struct pci_ops pnx8550_pci_ops;
2541
2542 static struct pci_controller pnx8550_controller = {
2543 .pci_ops = &pnx8550_pci_ops,
2544 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-au1000.c linux-2.6.39.2/arch/mips/pci/ops-au1000.c
2545 --- linux-2.6.39.2/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400
2546 +++ linux-2.6.39.2/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400
2547 @@ -302,7 +302,7 @@ static int config_write(struct pci_bus *
2548 }
2549 }
2550
2551 -struct pci_ops au1x_pci_ops = {
2552 +const struct pci_ops au1x_pci_ops = {
2553 config_read,
2554 config_write
2555 };
2556 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.2/arch/mips/pci/ops-bcm63xx.c
2557 --- linux-2.6.39.2/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400
2558 +++ linux-2.6.39.2/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400
2559 @@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_
2560 where, size, val);
2561 }
2562
2563 -struct pci_ops bcm63xx_pci_ops = {
2564 +const struct pci_ops bcm63xx_pci_ops = {
2565 .read = bcm63xx_pci_read,
2566 .write = bcm63xx_pci_write
2567 };
2568 @@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b
2569 return PCIBIOS_DEVICE_NOT_FOUND;
2570 }
2571
2572 -struct pci_ops bcm63xx_cb_ops = {
2573 +const struct pci_ops bcm63xx_cb_ops = {
2574 .read = bcm63xx_cb_read,
2575 .write = bcm63xx_cb_write,
2576 };
2577 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-bonito64.c linux-2.6.39.2/arch/mips/pci/ops-bonito64.c
2578 --- linux-2.6.39.2/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400
2579 +++ linux-2.6.39.2/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400
2580 @@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct
2581 return PCIBIOS_SUCCESSFUL;
2582 }
2583
2584 -struct pci_ops bonito64_pci_ops = {
2585 +const struct pci_ops bonito64_pci_ops = {
2586 .read = bonito64_pcibios_read,
2587 .write = bonito64_pcibios_write
2588 };
2589 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-bridge.c linux-2.6.39.2/arch/mips/pci/ops-bridge.c
2590 --- linux-2.6.39.2/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400
2591 +++ linux-2.6.39.2/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400
2592 @@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b
2593 return pci_conf0_write_config(bus, devfn, where, size, value);
2594 }
2595
2596 -struct pci_ops bridge_pci_ops = {
2597 +const struct pci_ops bridge_pci_ops = {
2598 .read = pci_read_config,
2599 .write = pci_write_config,
2600 };
2601 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-emma2rh.c linux-2.6.39.2/arch/mips/pci/ops-emma2rh.c
2602 --- linux-2.6.39.2/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2603 +++ linux-2.6.39.2/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2604 @@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b
2605 return PCIBIOS_SUCCESSFUL;
2606 }
2607
2608 -struct pci_ops emma2rh_pci_ops = {
2609 +const struct pci_ops emma2rh_pci_ops = {
2610 .read = pci_config_read,
2611 .write = pci_config_write,
2612 };
2613 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.2/arch/mips/pci/ops-gt64xxx_pci0.c
2614 --- linux-2.6.39.2/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400
2615 +++ linux-2.6.39.2/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400
2616 @@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st
2617 return PCIBIOS_SUCCESSFUL;
2618 }
2619
2620 -struct pci_ops gt64xxx_pci0_ops = {
2621 +const struct pci_ops gt64xxx_pci0_ops = {
2622 .read = gt64xxx_pci0_pcibios_read,
2623 .write = gt64xxx_pci0_pcibios_write
2624 };
2625 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-loongson2.c linux-2.6.39.2/arch/mips/pci/ops-loongson2.c
2626 --- linux-2.6.39.2/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400
2627 +++ linux-2.6.39.2/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400
2628 @@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct
2629 return PCIBIOS_SUCCESSFUL;
2630 }
2631
2632 -struct pci_ops loongson_pci_ops = {
2633 +const struct pci_ops loongson_pci_ops = {
2634 .read = loongson_pcibios_read,
2635 .write = loongson_pcibios_write
2636 };
2637 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-mace.c linux-2.6.39.2/arch/mips/pci/ops-mace.c
2638 --- linux-2.6.39.2/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400
2639 +++ linux-2.6.39.2/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400
2640 @@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu
2641 return PCIBIOS_SUCCESSFUL;
2642 }
2643
2644 -struct pci_ops mace_pci_ops = {
2645 +const struct pci_ops mace_pci_ops = {
2646 .read = mace_pci_read_config,
2647 .write = mace_pci_write_config,
2648 };
2649 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-msc.c linux-2.6.39.2/arch/mips/pci/ops-msc.c
2650 --- linux-2.6.39.2/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400
2651 +++ linux-2.6.39.2/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400
2652 @@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_
2653 return PCIBIOS_SUCCESSFUL;
2654 }
2655
2656 -struct pci_ops msc_pci_ops = {
2657 +const struct pci_ops msc_pci_ops = {
2658 .read = msc_pcibios_read,
2659 .write = msc_pcibios_write
2660 };
2661 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-nile4.c linux-2.6.39.2/arch/mips/pci/ops-nile4.c
2662 --- linux-2.6.39.2/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400
2663 +++ linux-2.6.39.2/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400
2664 @@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc
2665 return PCIBIOS_SUCCESSFUL;
2666 }
2667
2668 -struct pci_ops nile4_pci_ops = {
2669 +const struct pci_ops nile4_pci_ops = {
2670 .read = nile4_pcibios_read,
2671 .write = nile4_pcibios_write,
2672 };
2673 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.2/arch/mips/pci/ops-pmcmsp.c
2674 --- linux-2.6.39.2/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
2675 +++ linux-2.6.39.2/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400
2676 @@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus
2677 * write - function for Linux to generate PCI Configuration writes.
2678 *
2679 ****************************************************************************/
2680 -struct pci_ops msp_pci_ops = {
2681 +const struct pci_ops msp_pci_ops = {
2682 .read = msp_pcibios_read_config,
2683 .write = msp_pcibios_write_config
2684 };
2685 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-pnx8550.c linux-2.6.39.2/arch/mips/pci/ops-pnx8550.c
2686 --- linux-2.6.39.2/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400
2687 +++ linux-2.6.39.2/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400
2688 @@ -276,7 +276,7 @@ static int config_write(struct pci_bus *
2689 }
2690 }
2691
2692 -struct pci_ops pnx8550_pci_ops = {
2693 +const struct pci_ops pnx8550_pci_ops = {
2694 config_read,
2695 config_write
2696 };
2697 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-rc32434.c linux-2.6.39.2/arch/mips/pci/ops-rc32434.c
2698 --- linux-2.6.39.2/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2699 +++ linux-2.6.39.2/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2700 @@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b
2701 }
2702 }
2703
2704 -struct pci_ops rc32434_pci_ops = {
2705 +const struct pci_ops rc32434_pci_ops = {
2706 .read = pci_config_read,
2707 .write = pci_config_write,
2708 };
2709 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-sni.c linux-2.6.39.2/arch/mips/pci/ops-sni.c
2710 --- linux-2.6.39.2/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400
2711 +++ linux-2.6.39.2/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400
2712 @@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b
2713 return 0;
2714 }
2715
2716 -struct pci_ops sni_pcimt_ops = {
2717 +const struct pci_ops sni_pcimt_ops = {
2718 .read = pcimt_read,
2719 .write = pcimt_write,
2720 };
2721 @@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu
2722 }
2723
2724
2725 -struct pci_ops sni_pcit_ops = {
2726 +const struct pci_ops sni_pcit_ops = {
2727 .read = pcit_read,
2728 .write = pcit_write,
2729 };
2730 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-titan.c linux-2.6.39.2/arch/mips/pci/ops-titan.c
2731 --- linux-2.6.39.2/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400
2732 +++ linux-2.6.39.2/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400
2733 @@ -105,7 +105,7 @@ static int titan_write_config(struct pci
2734 /*
2735 * Titan PCI structure
2736 */
2737 -struct pci_ops titan_pci_ops = {
2738 +const struct pci_ops titan_pci_ops = {
2739 titan_read_config,
2740 titan_write_config,
2741 };
2742 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-titan-ht.c linux-2.6.39.2/arch/mips/pci/ops-titan-ht.c
2743 --- linux-2.6.39.2/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400
2744 +++ linux-2.6.39.2/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400
2745 @@ -118,7 +118,7 @@ static int titan_ht_config_write(struct
2746 return PCIBIOS_SUCCESSFUL;
2747 }
2748
2749 -struct pci_ops titan_ht_pci_ops = {
2750 +const struct pci_ops titan_ht_pci_ops = {
2751 .read = titan_ht_config_read,
2752 .write = titan_ht_config_write,
2753 };
2754 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-tx3927.c linux-2.6.39.2/arch/mips/pci/ops-tx3927.c
2755 --- linux-2.6.39.2/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400
2756 +++ linux-2.6.39.2/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400
2757 @@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc
2758 return check_abort();
2759 }
2760
2761 -static struct pci_ops tx3927_pci_ops = {
2762 +static const struct pci_ops tx3927_pci_ops = {
2763 .read = tx3927_pci_read_config,
2764 .write = tx3927_pci_write_config,
2765 };
2766 diff -urNp linux-2.6.39.2/arch/mips/pci/ops-vr41xx.c linux-2.6.39.2/arch/mips/pci/ops-vr41xx.c
2767 --- linux-2.6.39.2/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2768 +++ linux-2.6.39.2/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2769 @@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b
2770 return PCIBIOS_SUCCESSFUL;
2771 }
2772
2773 -struct pci_ops vr41xx_pci_ops = {
2774 +const struct pci_ops vr41xx_pci_ops = {
2775 .read = pci_config_read,
2776 .write = pci_config_write,
2777 };
2778 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-bcm1480.c linux-2.6.39.2/arch/mips/pci/pci-bcm1480.c
2779 --- linux-2.6.39.2/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400
2780 +++ linux-2.6.39.2/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400
2781 @@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct
2782 return PCIBIOS_SUCCESSFUL;
2783 }
2784
2785 -struct pci_ops bcm1480_pci_ops = {
2786 +const struct pci_ops bcm1480_pci_ops = {
2787 bcm1480_pcibios_read,
2788 bcm1480_pcibios_write,
2789 };
2790 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.2/arch/mips/pci/pci-bcm1480ht.c
2791 --- linux-2.6.39.2/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400
2792 +++ linux-2.6.39.2/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400
2793 @@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v
2794 return 0;
2795 }
2796
2797 -struct pci_ops bcm1480ht_pci_ops = {
2798 +const struct pci_ops bcm1480ht_pci_ops = {
2799 .read = bcm1480ht_pcibios_read,
2800 .write = bcm1480ht_pcibios_write,
2801 };
2802 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.2/arch/mips/pci/pci-bcm63xx.h
2803 --- linux-2.6.39.2/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400
2804 +++ linux-2.6.39.2/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400
2805 @@ -16,8 +16,8 @@
2806 /*
2807 * defined in ops-bcm63xx.c
2808 */
2809 -extern struct pci_ops bcm63xx_pci_ops;
2810 -extern struct pci_ops bcm63xx_cb_ops;
2811 +extern const struct pci_ops bcm63xx_pci_ops;
2812 +extern const struct pci_ops bcm63xx_cb_ops;
2813
2814 /*
2815 * defined in pci-bcm63xx.c
2816 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-emma2rh.c linux-2.6.39.2/arch/mips/pci/pci-emma2rh.c
2817 --- linux-2.6.39.2/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2818 +++ linux-2.6.39.2/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2819 @@ -43,7 +43,7 @@ static struct resource pci_mem_resource
2820 .flags = IORESOURCE_MEM,
2821 };
2822
2823 -extern struct pci_ops emma2rh_pci_ops;
2824 +extern const struct pci_ops emma2rh_pci_ops;
2825
2826 static struct pci_controller emma2rh_pci_controller = {
2827 .pci_ops = &emma2rh_pci_ops,
2828 diff -urNp linux-2.6.39.2/arch/mips/pci/pcie-octeon.c linux-2.6.39.2/arch/mips/pci/pcie-octeon.c
2829 --- linux-2.6.39.2/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400
2830 +++ linux-2.6.39.2/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400
2831 @@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str
2832 return octeon_pcie_write_config(1, bus, devfn, reg, size, val);
2833 }
2834
2835 -static struct pci_ops octeon_pcie0_ops = {
2836 +static const struct pci_ops octeon_pcie0_ops = {
2837 octeon_pcie0_read_config,
2838 octeon_pcie0_write_config,
2839 };
2840 @@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie
2841 .io_resource = &octeon_pcie0_io_resource,
2842 };
2843
2844 -static struct pci_ops octeon_pcie1_ops = {
2845 +static const struct pci_ops octeon_pcie1_ops = {
2846 octeon_pcie1_read_config,
2847 octeon_pcie1_write_config,
2848 };
2849 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-ip27.c linux-2.6.39.2/arch/mips/pci/pci-ip27.c
2850 --- linux-2.6.39.2/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400
2851 +++ linux-2.6.39.2/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400
2852 @@ -39,7 +39,7 @@ static struct bridge_controller bridges[
2853 struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2854 int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2855
2856 -extern struct pci_ops bridge_pci_ops;
2857 +extern const struct pci_ops bridge_pci_ops;
2858
2859 int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid)
2860 {
2861 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-ip32.c linux-2.6.39.2/arch/mips/pci/pci-ip32.c
2862 --- linux-2.6.39.2/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400
2863 +++ linux-2.6.39.2/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400
2864 @@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq
2865 }
2866
2867
2868 -extern struct pci_ops mace_pci_ops;
2869 +extern const struct pci_ops mace_pci_ops;
2870 #ifdef CONFIG_64BIT
2871 static struct resource mace_pci_mem_resource = {
2872 .name = "SGI O2 PCI MEM",
2873 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-lasat.c linux-2.6.39.2/arch/mips/pci/pci-lasat.c
2874 --- linux-2.6.39.2/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400
2875 +++ linux-2.6.39.2/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400
2876 @@ -14,8 +14,8 @@
2877
2878 #include <irq.h>
2879
2880 -extern struct pci_ops nile4_pci_ops;
2881 -extern struct pci_ops gt64xxx_pci0_ops;
2882 +extern const struct pci_ops nile4_pci_ops;
2883 +extern const struct pci_ops gt64xxx_pci0_ops;
2884 static struct resource lasat_pci_mem_resource = {
2885 .name = "LASAT PCI MEM",
2886 .start = 0x18000000,
2887 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-octeon.c linux-2.6.39.2/arch/mips/pci/pci-octeon.c
2888 --- linux-2.6.39.2/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400
2889 +++ linux-2.6.39.2/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400
2890 @@ -334,7 +334,7 @@ static int octeon_write_config(struct pc
2891 }
2892
2893
2894 -static struct pci_ops octeon_pci_ops = {
2895 +static const struct pci_ops octeon_pci_ops = {
2896 octeon_read_config,
2897 octeon_write_config,
2898 };
2899 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-rc32434.c linux-2.6.39.2/arch/mips/pci/pci-rc32434.c
2900 --- linux-2.6.39.2/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2901 +++ linux-2.6.39.2/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2902 @@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i
2903 .flags = IORESOURCE_IO,
2904 };
2905
2906 -extern struct pci_ops rc32434_pci_ops;
2907 +extern const struct pci_ops rc32434_pci_ops;
2908
2909 #define PCI_MEM1_START PCI_ADDR_START
2910 #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1)
2911 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-sb1250.c linux-2.6.39.2/arch/mips/pci/pci-sb1250.c
2912 --- linux-2.6.39.2/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400
2913 +++ linux-2.6.39.2/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400
2914 @@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p
2915 return PCIBIOS_SUCCESSFUL;
2916 }
2917
2918 -struct pci_ops sb1250_pci_ops = {
2919 +const struct pci_ops sb1250_pci_ops = {
2920 .read = sb1250_pcibios_read,
2921 .write = sb1250_pcibios_write,
2922 };
2923 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-vr41xx.c linux-2.6.39.2/arch/mips/pci/pci-vr41xx.c
2924 --- linux-2.6.39.2/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2925 +++ linux-2.6.39.2/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2926 @@ -36,7 +36,7 @@
2927
2928 #include "pci-vr41xx.h"
2929
2930 -extern struct pci_ops vr41xx_pci_ops;
2931 +extern const struct pci_ops vr41xx_pci_ops;
2932
2933 static void __iomem *pciu_base;
2934
2935 diff -urNp linux-2.6.39.2/arch/mips/pci/pci-yosemite.c linux-2.6.39.2/arch/mips/pci/pci-yosemite.c
2936 --- linux-2.6.39.2/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400
2937 +++ linux-2.6.39.2/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400
2938 @@ -11,7 +11,7 @@
2939 #include <linux/pci.h>
2940 #include <asm/titan_dep.h>
2941
2942 -extern struct pci_ops titan_pci_ops;
2943 +extern const struct pci_ops titan_pci_ops;
2944
2945 static struct resource py_mem_resource = {
2946 .start = 0xe0000000UL,
2947 diff -urNp linux-2.6.39.2/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.2/arch/mips/pmc-sierra/yosemite/ht.c
2948 --- linux-2.6.39.2/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400
2949 +++ linux-2.6.39.2/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400
2950 @@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v
2951 return start;
2952 }
2953
2954 -struct pci_ops titan_pci_ops = {
2955 +const struct pci_ops titan_pci_ops = {
2956 titan_ht_config_read_byte,
2957 titan_ht_config_read_word,
2958 titan_ht_config_read_dword,
2959 diff -urNp linux-2.6.39.2/arch/mips/pnx8550/common/pci.c linux-2.6.39.2/arch/mips/pnx8550/common/pci.c
2960 --- linux-2.6.39.2/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2961 +++ linux-2.6.39.2/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2962 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2963 .flags = IORESOURCE_MEM
2964 };
2965
2966 -extern struct pci_ops pnx8550_pci_ops;
2967 +extern const struct pci_ops pnx8550_pci_ops;
2968
2969 static struct pci_controller pnx8550_controller = {
2970 .pci_ops = &pnx8550_pci_ops,
2971 diff -urNp linux-2.6.39.2/arch/mips/sni/pcimt.c linux-2.6.39.2/arch/mips/sni/pcimt.c
2972 --- linux-2.6.39.2/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400
2973 +++ linux-2.6.39.2/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400
2974 @@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in
2975 request_resource(&sni_mem_resource, pcimt_mem_resources + i);
2976 }
2977
2978 -extern struct pci_ops sni_pcimt_ops;
2979 +extern const struct pci_ops sni_pcimt_ops;
2980
2981 static struct pci_controller sni_controller = {
2982 .pci_ops = &sni_pcimt_ops,
2983 diff -urNp linux-2.6.39.2/arch/mips/sni/pcit.c linux-2.6.39.2/arch/mips/sni/pcit.c
2984 --- linux-2.6.39.2/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400
2985 +++ linux-2.6.39.2/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400
2986 @@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini
2987 }
2988
2989
2990 -extern struct pci_ops sni_pcit_ops;
2991 +extern const struct pci_ops sni_pcit_ops;
2992
2993 static struct pci_controller sni_pcit_controller = {
2994 .pci_ops = &sni_pcit_ops,
2995 diff -urNp linux-2.6.39.2/arch/mips/wrppmc/pci.c linux-2.6.39.2/arch/mips/wrppmc/pci.c
2996 --- linux-2.6.39.2/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400
2997 +++ linux-2.6.39.2/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400
2998 @@ -14,7 +14,7 @@
2999
3000 #include <asm/gt64120.h>
3001
3002 -extern struct pci_ops gt64xxx_pci0_ops;
3003 +extern const struct pci_ops gt64xxx_pci0_ops;
3004
3005 static struct resource pci0_io_resource = {
3006 .name = "pci_0 io",
3007 diff -urNp linux-2.6.39.2/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.2/arch/mn10300/unit-asb2305/pci-asb2305.h
3008 --- linux-2.6.39.2/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400
3009 +++ linux-2.6.39.2/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400
3010 @@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void
3011
3012 extern int pcibios_last_bus;
3013 extern struct pci_bus *pci_root_bus;
3014 -extern struct pci_ops *pci_root_ops;
3015 +extern const struct pci_ops *pci_root_ops;
3016
3017 extern struct irq_routing_table *pcibios_get_irq_routing_table(void);
3018 extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq);
3019 diff -urNp linux-2.6.39.2/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.2/arch/mn10300/unit-asb2305/pci.c
3020 --- linux-2.6.39.2/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400
3021 +++ linux-2.6.39.2/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400
3022 @@ -24,7 +24,7 @@ unsigned int pci_probe = 1;
3023
3024 int pcibios_last_bus = -1;
3025 struct pci_bus *pci_root_bus;
3026 -struct pci_ops *pci_root_ops;
3027 +const struct pci_ops *pci_root_ops;
3028
3029 /*
3030 * The accessible PCI window does not cover the entire CPU address space, but
3031 @@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct
3032 }
3033 }
3034
3035 -static struct pci_ops pci_direct_ampci = {
3036 +static const struct pci_ops pci_direct_ampci = {
3037 pci_ampci_read_config,
3038 pci_ampci_write_config,
3039 };
3040 @@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci =
3041 * This should be close to trivial, but it isn't, because there are buggy
3042 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
3043 */
3044 -static int __init pci_sanity_check(struct pci_ops *o)
3045 +static int __init pci_sanity_check(const struct pci_ops *o)
3046 {
3047 struct pci_bus bus; /* Fake bus and device */
3048 u32 x;
3049 diff -urNp linux-2.6.39.2/arch/parisc/include/asm/elf.h linux-2.6.39.2/arch/parisc/include/asm/elf.h
3050 --- linux-2.6.39.2/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3051 +++ linux-2.6.39.2/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3052 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
3053
3054 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
3055
3056 +#ifdef CONFIG_PAX_ASLR
3057 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3058 +
3059 +#define PAX_DELTA_MMAP_LEN 16
3060 +#define PAX_DELTA_STACK_LEN 16
3061 +#endif
3062 +
3063 /* This yields a mask that user programs can use to figure out what
3064 instruction set this CPU supports. This could be done in user space,
3065 but it's not easy, and we've already done it here. */
3066 diff -urNp linux-2.6.39.2/arch/parisc/include/asm/pgtable.h linux-2.6.39.2/arch/parisc/include/asm/pgtable.h
3067 --- linux-2.6.39.2/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3068 +++ linux-2.6.39.2/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3069 @@ -207,6 +207,17 @@ struct vm_area_struct;
3070 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
3071 #define PAGE_COPY PAGE_EXECREAD
3072 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
3073 +
3074 +#ifdef CONFIG_PAX_PAGEEXEC
3075 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
3076 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3077 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3078 +#else
3079 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3080 +# define PAGE_COPY_NOEXEC PAGE_COPY
3081 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3082 +#endif
3083 +
3084 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
3085 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
3086 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
3087 diff -urNp linux-2.6.39.2/arch/parisc/kernel/module.c linux-2.6.39.2/arch/parisc/kernel/module.c
3088 --- linux-2.6.39.2/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3089 +++ linux-2.6.39.2/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3090 @@ -96,16 +96,38 @@
3091
3092 /* three functions to determine where in the module core
3093 * or init pieces the location is */
3094 +static inline int in_init_rx(struct module *me, void *loc)
3095 +{
3096 + return (loc >= me->module_init_rx &&
3097 + loc < (me->module_init_rx + me->init_size_rx));
3098 +}
3099 +
3100 +static inline int in_init_rw(struct module *me, void *loc)
3101 +{
3102 + return (loc >= me->module_init_rw &&
3103 + loc < (me->module_init_rw + me->init_size_rw));
3104 +}
3105 +
3106 static inline int in_init(struct module *me, void *loc)
3107 {
3108 - return (loc >= me->module_init &&
3109 - loc <= (me->module_init + me->init_size));
3110 + return in_init_rx(me, loc) || in_init_rw(me, loc);
3111 +}
3112 +
3113 +static inline int in_core_rx(struct module *me, void *loc)
3114 +{
3115 + return (loc >= me->module_core_rx &&
3116 + loc < (me->module_core_rx + me->core_size_rx));
3117 +}
3118 +
3119 +static inline int in_core_rw(struct module *me, void *loc)
3120 +{
3121 + return (loc >= me->module_core_rw &&
3122 + loc < (me->module_core_rw + me->core_size_rw));
3123 }
3124
3125 static inline int in_core(struct module *me, void *loc)
3126 {
3127 - return (loc >= me->module_core &&
3128 - loc <= (me->module_core + me->core_size));
3129 + return in_core_rx(me, loc) || in_core_rw(me, loc);
3130 }
3131
3132 static inline int in_local(struct module *me, void *loc)
3133 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
3134 }
3135
3136 /* align things a bit */
3137 - me->core_size = ALIGN(me->core_size, 16);
3138 - me->arch.got_offset = me->core_size;
3139 - me->core_size += gots * sizeof(struct got_entry);
3140 -
3141 - me->core_size = ALIGN(me->core_size, 16);
3142 - me->arch.fdesc_offset = me->core_size;
3143 - me->core_size += fdescs * sizeof(Elf_Fdesc);
3144 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3145 + me->arch.got_offset = me->core_size_rw;
3146 + me->core_size_rw += gots * sizeof(struct got_entry);
3147 +
3148 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3149 + me->arch.fdesc_offset = me->core_size_rw;
3150 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
3151
3152 me->arch.got_max = gots;
3153 me->arch.fdesc_max = fdescs;
3154 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
3155
3156 BUG_ON(value == 0);
3157
3158 - got = me->module_core + me->arch.got_offset;
3159 + got = me->module_core_rw + me->arch.got_offset;
3160 for (i = 0; got[i].addr; i++)
3161 if (got[i].addr == value)
3162 goto out;
3163 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
3164 #ifdef CONFIG_64BIT
3165 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
3166 {
3167 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
3168 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
3169
3170 if (!value) {
3171 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
3172 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
3173
3174 /* Create new one */
3175 fdesc->addr = value;
3176 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3177 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3178 return (Elf_Addr)fdesc;
3179 }
3180 #endif /* CONFIG_64BIT */
3181 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
3182
3183 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
3184 end = table + sechdrs[me->arch.unwind_section].sh_size;
3185 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3186 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3187
3188 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
3189 me->arch.unwind_section, table, end, gp);
3190 diff -urNp linux-2.6.39.2/arch/parisc/kernel/sys_parisc.c linux-2.6.39.2/arch/parisc/kernel/sys_parisc.c
3191 --- linux-2.6.39.2/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400
3192 +++ linux-2.6.39.2/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400
3193 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
3194 /* At this point: (!vma || addr < vma->vm_end). */
3195 if (TASK_SIZE - len < addr)
3196 return -ENOMEM;
3197 - if (!vma || addr + len <= vma->vm_start)
3198 + if (check_heap_stack_gap(vma, addr, len))
3199 return addr;
3200 addr = vma->vm_end;
3201 }
3202 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
3203 /* At this point: (!vma || addr < vma->vm_end). */
3204 if (TASK_SIZE - len < addr)
3205 return -ENOMEM;
3206 - if (!vma || addr + len <= vma->vm_start)
3207 + if (check_heap_stack_gap(vma, addr, len))
3208 return addr;
3209 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
3210 if (addr < vma->vm_end) /* handle wraparound */
3211 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
3212 if (flags & MAP_FIXED)
3213 return addr;
3214 if (!addr)
3215 - addr = TASK_UNMAPPED_BASE;
3216 + addr = current->mm->mmap_base;
3217
3218 if (filp) {
3219 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
3220 diff -urNp linux-2.6.39.2/arch/parisc/kernel/traps.c linux-2.6.39.2/arch/parisc/kernel/traps.c
3221 --- linux-2.6.39.2/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
3222 +++ linux-2.6.39.2/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
3223 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
3224
3225 down_read(&current->mm->mmap_sem);
3226 vma = find_vma(current->mm,regs->iaoq[0]);
3227 - if (vma && (regs->iaoq[0] >= vma->vm_start)
3228 - && (vma->vm_flags & VM_EXEC)) {
3229 -
3230 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
3231 fault_address = regs->iaoq[0];
3232 fault_space = regs->iasq[0];
3233
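Review bot: The `vma->vm_flags & VM_EXEC` test is dropped here for every build, not only under `CONFIG_PAX_PAGEEXEC`, and nothing in the hunk records why. Judging from the fault.c changes in the same patch, the intent appears to be that fetches from non-executable mappings now reach the page-fault path, where `parisc_acctyp()` maps code 7 to `VM_EXEC` and `pax_handle_fetch_fault()` decides the outcome; that is inferred, not shown here. A short comment on the new condition, for example `/* non-exec vmas are passed on too; the fault handler checks VM_EXEC */`, would make this explicit. If the existing comment above this block still explains the removed test, it should be updated to match. The enclosing function starts and ends outside the hunk.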
3234 diff -urNp linux-2.6.39.2/arch/parisc/mm/fault.c linux-2.6.39.2/arch/parisc/mm/fault.c
3235 --- linux-2.6.39.2/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
3236 +++ linux-2.6.39.2/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
3237 @@ -15,6 +15,7 @@
3238 #include <linux/sched.h>
3239 #include <linux/interrupt.h>
3240 #include <linux/module.h>
3241 +#include <linux/unistd.h>
3242
3243 #include <asm/uaccess.h>
3244 #include <asm/traps.h>
3245 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
3246 static unsigned long
3247 parisc_acctyp(unsigned long code, unsigned int inst)
3248 {
3249 - if (code == 6 || code == 16)
3250 + if (code == 6 || code == 7 || code == 16)
3251 return VM_EXEC;
3252
3253 switch (inst & 0xf0000000) {
3254 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
3255 }
3256 #endif
3257
3258 +#ifdef CONFIG_PAX_PAGEEXEC
3259 +/*
3260 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
3261 + *
3262 + * returns 1 when task should be killed
3263 + * 2 when rt_sigreturn trampoline was detected
3264 + * 3 when unpatched PLT trampoline was detected
3265 + */
3266 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3267 +{
3268 +
3269 +#ifdef CONFIG_PAX_EMUPLT
3270 + int err;
3271 +
3272 + do { /* PaX: unpatched PLT emulation */
3273 + unsigned int bl, depwi;
3274 +
3275 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
3276 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
3277 +
3278 + if (err)
3279 + break;
3280 +
3281 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
3282 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
3283 +
3284 + err = get_user(ldw, (unsigned int *)addr);
3285 + err |= get_user(bv, (unsigned int *)(addr+4));
3286 + err |= get_user(ldw2, (unsigned int *)(addr+8));
3287 +
3288 + if (err)
3289 + break;
3290 +
3291 + if (ldw == 0x0E801096U &&
3292 + bv == 0xEAC0C000U &&
3293 + ldw2 == 0x0E881095U)
3294 + {
3295 + unsigned int resolver, map;
3296 +
3297 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
3298 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
3299 + if (err)
3300 + break;
3301 +
3302 + regs->gr[20] = instruction_pointer(regs)+8;
3303 + regs->gr[21] = map;
3304 + regs->gr[22] = resolver;
3305 + regs->iaoq[0] = resolver | 3UL;
3306 + regs->iaoq[1] = regs->iaoq[0] + 4;
3307 + return 3;
3308 + }
3309 + }
3310 + } while (0);
3311 +#endif
3312 +
3313 +#ifdef CONFIG_PAX_EMUTRAMP
3314 +
3315 +#ifndef CONFIG_PAX_EMUSIGRT
3316 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3317 + return 1;
3318 +#endif
3319 +
3320 + do { /* PaX: rt_sigreturn emulation */
3321 + unsigned int ldi1, ldi2, bel, nop;
3322 +
3323 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
3324 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
3325 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
3326 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
3327 +
3328 + if (err)
3329 + break;
3330 +
3331 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
3332 + ldi2 == 0x3414015AU &&
3333 + bel == 0xE4008200U &&
3334 + nop == 0x08000240U)
3335 + {
3336 + regs->gr[25] = (ldi1 & 2) >> 1;
3337 + regs->gr[20] = __NR_rt_sigreturn;
3338 + regs->gr[31] = regs->iaoq[1] + 16;
3339 + regs->sr[0] = regs->iasq[1];
3340 + regs->iaoq[0] = 0x100UL;
3341 + regs->iaoq[1] = regs->iaoq[0] + 4;
3342 + regs->iasq[0] = regs->sr[2];
3343 + regs->iasq[1] = regs->sr[2];
3344 + return 2;
3345 + }
3346 + } while (0);
3347 +#endif
3348 +
3349 + return 1;
3350 +}
3351 +
3352 +void pax_report_insns(void *pc, void *sp)
3353 +{
3354 + unsigned long i;
3355 +
3356 + printk(KERN_ERR "PAX: bytes at PC: ");
3357 + for (i = 0; i < 5; i++) {
3358 + unsigned int c;
3359 + if (get_user(c, (unsigned int *)pc+i))
3360 + printk(KERN_CONT "???????? ");
3361 + else
3362 + printk(KERN_CONT "%08x ", c);
3363 + }
3364 + printk("\n");
3365 +}
3366 +#endif
3367 +
3368 int fixup_exception(struct pt_regs *regs)
3369 {
3370 const struct exception_table_entry *fix;
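Review bot: `int err;` in `pax_handle_fetch_fault()` is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block but is also assigned in the `#ifdef CONFIG_PAX_EMUTRAMP` block, so a configuration with EMUTRAMP enabled and EMUPLT disabled would not compile unless Kconfig rules that combination out. Moving the declaration above the first `#ifdef`, or guarding it with `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, removes the dependency. In the PLT branch, `addr` is an `unsigned int` that is later cast to a pointer, which truncates the address where `unsigned long` is wider; `unsigned long addr = instruction_pointer(regs)-12;` avoids that. The closing `printk("\n");` in `pax_report_insns()` has no `KERN_CONT`, unlike the fragments before it.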
3371 @@ -192,8 +303,33 @@ good_area:
3372
3373 acc_type = parisc_acctyp(code,regs->iir);
3374
3375 - if ((vma->vm_flags & acc_type) != acc_type)
3376 + if ((vma->vm_flags & acc_type) != acc_type) {
3377 +
3378 +#ifdef CONFIG_PAX_PAGEEXEC
3379 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
3380 + (address & ~3UL) == instruction_pointer(regs))
3381 + {
3382 + up_read(&mm->mmap_sem);
3383 + switch (pax_handle_fetch_fault(regs)) {
3384 +
3385 +#ifdef CONFIG_PAX_EMUPLT
3386 + case 3:
3387 + return;
3388 +#endif
3389 +
3390 +#ifdef CONFIG_PAX_EMUTRAMP
3391 + case 2:
3392 + return;
3393 +#endif
3394 +
3395 + }
3396 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
3397 + do_group_exit(SIGKILL);
3398 + }
3399 +#endif
3400 +
3401 goto bad_area;
3402 + }
3403
3404 /*
3405 * If for any reason at all we couldn't handle the fault, make
3406 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/device.h linux-2.6.39.2/arch/powerpc/include/asm/device.h
3407 --- linux-2.6.39.2/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
3408 +++ linux-2.6.39.2/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
3409 @@ -17,7 +17,7 @@ struct device_node;
3410 */
3411 struct dev_archdata {
3412 /* DMA operations on that device */
3413 - struct dma_map_ops *dma_ops;
3414 + const struct dma_map_ops *dma_ops;
3415
3416 /*
3417 * When an iommu is in use, dma_data is used as a ptr to the base of the
3418 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.2/arch/powerpc/include/asm/dma-mapping.h
3419 --- linux-2.6.39.2/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3420 +++ linux-2.6.39.2/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
3421 @@ -67,12 +67,13 @@ static inline unsigned long device_to_ma
3422 /*
3423 * Available generic sets of operations
3424 */
3425 +/* cannot be const */
3426 #ifdef CONFIG_PPC64
3427 -extern struct dma_map_ops dma_iommu_ops;
3428 +extern const struct dma_map_ops dma_iommu_ops;
3429 #endif
3430 -extern struct dma_map_ops dma_direct_ops;
3431 +extern const struct dma_map_ops dma_direct_ops;
3432
3433 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3434 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3435 {
3436 /* We don't handle the NULL dev case for ISA for now. We could
3437 * do it via an out of line call but it is not needed for now. The
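Review bot: The new `/* cannot be const */` comment sits directly above a declaration that this same hunk changes to `extern const struct dma_map_ops dma_iommu_ops;`. The definition in the dma-iommu.c hunk of this patch stays `struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */`. If dma-iommu.c sees this header, the two disagree on the qualifier and the build should fail with conflicting types. Even if it does not, callers would treat as read-only an object that the comment says is modified at run time. Keeping `extern struct dma_map_ops dma_iommu_ops;` here and moving the comment onto that line, inside the `#ifdef CONFIG_PPC64`, would make the header, the definition and the comment agree.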
3438 @@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm
3439 return dev->archdata.dma_ops;
3440 }
3441
3442 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
3443 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
3444 {
3445 dev->archdata.dma_ops = ops;
3446 }
3447 @@ -119,7 +120,7 @@ static inline void set_dma_offset(struct
3448
3449 static inline int dma_supported(struct device *dev, u64 mask)
3450 {
3451 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3452 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3453
3454 if (unlikely(dma_ops == NULL))
3455 return 0;
3456 @@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d
3457 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3458 dma_addr_t *dma_handle, gfp_t flag)
3459 {
3460 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3461 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3462 void *cpu_addr;
3463
3464 BUG_ON(!dma_ops);
3465 @@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s
3466 static inline void dma_free_coherent(struct device *dev, size_t size,
3467 void *cpu_addr, dma_addr_t dma_handle)
3468 {
3469 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3470 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3471
3472 BUG_ON(!dma_ops);
3473
3474 @@ -159,7 +160,7 @@ static inline void dma_free_coherent(str
3475
3476 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3477 {
3478 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3479 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3480
3481 if (dma_ops->mapping_error)
3482 return dma_ops->mapping_error(dev, dma_addr);
3483 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/elf.h linux-2.6.39.2/arch/powerpc/include/asm/elf.h
3484 --- linux-2.6.39.2/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3485 +++ linux-2.6.39.2/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3486 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
3487 the loader. We need to make sure that it is out of the way of the program
3488 that it will "exec", and that there is sufficient room for the brk. */
3489
3490 -extern unsigned long randomize_et_dyn(unsigned long base);
3491 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
3492 +#define ELF_ET_DYN_BASE (0x20000000)
3493 +
3494 +#ifdef CONFIG_PAX_ASLR
3495 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
3496 +
3497 +#ifdef __powerpc64__
3498 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
3499 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
3500 +#else
3501 +#define PAX_DELTA_MMAP_LEN 15
3502 +#define PAX_DELTA_STACK_LEN 15
3503 +#endif
3504 +#endif
3505
3506 /*
3507 * Our registers are always unsigned longs, whether we're a 32 bit
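Review bot: With `CONFIG_PAX_ASLR` disabled, `ELF_ET_DYN_BASE` is left at a fixed `0x20000000`, because the `randomize_et_dyn()` call is removed unconditionally while its PaX replacement sits behind the `#ifdef`. The next hunk in this file drops the `arch_randomize_brk` hook the same way, and the system.h hunk turns `arch_align_stack()` into a plain alignment mask. Whether another part of the patch compensates is not visible from here. If kernels built without PAX_ASLR are meant to keep the stock randomisation, the old definition belongs in an `#else` branch, e.g. `#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))`. Otherwise a comment stating that powerpc address randomisation now depends on PAX_ASLR would make the trade-off explicit.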
3508 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
3509 (0x7ff >> (PAGE_SHIFT - 12)) : \
3510 (0x3ffff >> (PAGE_SHIFT - 12)))
3511
3512 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3513 -#define arch_randomize_brk arch_randomize_brk
3514 -
3515 #endif /* __KERNEL__ */
3516
3517 /*
3518 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/iommu.h linux-2.6.39.2/arch/powerpc/include/asm/iommu.h
3519 --- linux-2.6.39.2/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
3520 +++ linux-2.6.39.2/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
3521 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
3522 extern void iommu_init_early_dart(void);
3523 extern void iommu_init_early_pasemi(void);
3524
3525 +/* dma-iommu.c */
3526 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
3527 +
3528 #ifdef CONFIG_PCI
3529 extern void pci_iommu_init(void);
3530 extern void pci_direct_iommu_init(void);
3531 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.2/arch/powerpc/include/asm/kmap_types.h
3532 --- linux-2.6.39.2/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
3533 +++ linux-2.6.39.2/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
3534 @@ -27,6 +27,7 @@ enum km_type {
3535 KM_PPC_SYNC_PAGE,
3536 KM_PPC_SYNC_ICACHE,
3537 KM_KDB,
3538 + KM_CLEARPAGE,
3539 KM_TYPE_NR
3540 };
3541
3542 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/page_64.h linux-2.6.39.2/arch/powerpc/include/asm/page_64.h
3543 --- linux-2.6.39.2/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400
3544 +++ linux-2.6.39.2/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400
3545 @@ -172,15 +172,18 @@ do { \
3546 * stack by default, so in the absence of a PT_GNU_STACK program header
3547 * we turn execute permission off.
3548 */
3549 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3550 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3551 +#define VM_STACK_DEFAULT_FLAGS32 \
3552 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3553 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3554
3555 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3556 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3557
3558 +#ifndef CONFIG_PAX_PAGEEXEC
3559 #define VM_STACK_DEFAULT_FLAGS \
3560 (is_32bit_task() ? \
3561 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
3562 +#endif
3563
3564 #include <asm-generic/getorder.h>
3565
3566 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/page.h linux-2.6.39.2/arch/powerpc/include/asm/page.h
3567 --- linux-2.6.39.2/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
3568 +++ linux-2.6.39.2/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
3569 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
3570 * and needs to be executable. This means the whole heap ends
3571 * up being executable.
3572 */
3573 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3574 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3575 +#define VM_DATA_DEFAULT_FLAGS32 \
3576 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3577 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3578
3579 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3580 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3581 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
3582 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
3583 #endif
3584
3585 +#define ktla_ktva(addr) (addr)
3586 +#define ktva_ktla(addr) (addr)
3587 +
3588 #ifndef __ASSEMBLY__
3589
3590 #undef STRICT_MM_TYPECHECKS
3591 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/pci.h linux-2.6.39.2/arch/powerpc/include/asm/pci.h
3592 --- linux-2.6.39.2/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
3593 +++ linux-2.6.39.2/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
3594 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
3595 }
3596
3597 #ifdef CONFIG_PCI
3598 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
3599 -extern struct dma_map_ops *get_pci_dma_ops(void);
3600 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
3601 +extern const struct dma_map_ops *get_pci_dma_ops(void);
3602 #else /* CONFIG_PCI */
3603 #define set_pci_dma_ops(d)
3604 #define get_pci_dma_ops() NULL
3605 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/pgtable.h linux-2.6.39.2/arch/powerpc/include/asm/pgtable.h
3606 --- linux-2.6.39.2/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3607 +++ linux-2.6.39.2/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3608 @@ -2,6 +2,7 @@
3609 #define _ASM_POWERPC_PGTABLE_H
3610 #ifdef __KERNEL__
3611
3612 +#include <linux/const.h>
3613 #ifndef __ASSEMBLY__
3614 #include <asm/processor.h> /* For TASK_SIZE */
3615 #include <asm/mmu.h>
3616 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.2/arch/powerpc/include/asm/pte-hash32.h
3617 --- linux-2.6.39.2/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400
3618 +++ linux-2.6.39.2/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400
3619 @@ -21,6 +21,7 @@
3620 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
3621 #define _PAGE_USER 0x004 /* usermode access allowed */
3622 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
3623 +#define _PAGE_EXEC _PAGE_GUARDED
3624 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
3625 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
3626 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
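Review bot: `_PAGE_EXEC` is the only define in this block without a trailing comment, and aliasing it to `_PAGE_GUARDED` is not self-explanatory. The name reads as "executable", while the reg.h hunk in this patch describes the matching fault bit as `fetch from guarded storage`, so the bit appears to mark pages whose instruction fetch should fault; that polarity is inferred and should be confirmed by the author. A comment in the style of its neighbours, such as `/* PaX: shares the G bit, see DSISR_GUARDED */`, would help, along with a note on what this means for mappings that are guarded for I/O reasons.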
3627 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/reg.h linux-2.6.39.2/arch/powerpc/include/asm/reg.h
3628 --- linux-2.6.39.2/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400
3629 +++ linux-2.6.39.2/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400
3630 @@ -201,6 +201,7 @@
3631 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
3632 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
3633 #define DSISR_NOHPTE 0x40000000 /* no translation found */
3634 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
3635 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
3636 #define DSISR_ISSTORE 0x02000000 /* access was a store */
3637 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
3638 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.2/arch/powerpc/include/asm/swiotlb.h
3639 --- linux-2.6.39.2/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400
3640 +++ linux-2.6.39.2/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400
3641 @@ -13,7 +13,7 @@
3642
3643 #include <linux/swiotlb.h>
3644
3645 -extern struct dma_map_ops swiotlb_dma_ops;
3646 +extern const struct dma_map_ops swiotlb_dma_ops;
3647
3648 static inline void dma_mark_clean(void *addr, size_t size) {}
3649
3650 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/system.h linux-2.6.39.2/arch/powerpc/include/asm/system.h
3651 --- linux-2.6.39.2/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
3652 +++ linux-2.6.39.2/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
3653 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3654 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3655 #endif
3656
3657 -extern unsigned long arch_align_stack(unsigned long sp);
3658 +#define arch_align_stack(x) ((x) & ~0xfUL)
3659
3660 /* Used in very early kernel initialization. */
3661 extern unsigned long reloc_offset(void);
3662 diff -urNp linux-2.6.39.2/arch/powerpc/include/asm/uaccess.h linux-2.6.39.2/arch/powerpc/include/asm/uaccess.h
3663 --- linux-2.6.39.2/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
3664 +++ linux-2.6.39.2/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
3665 @@ -13,6 +13,8 @@
3666 #define VERIFY_READ 0
3667 #define VERIFY_WRITE 1
3668
3669 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3670 +
3671 /*
3672 * The fs value determines whether argument validity checking should be
3673 * performed or not. If get_fs() == USER_DS, checking is performed, with
3674 @@ -327,52 +329,6 @@ do { \
3675 extern unsigned long __copy_tofrom_user(void __user *to,
3676 const void __user *from, unsigned long size);
3677
3678 -#ifndef __powerpc64__
3679 -
3680 -static inline unsigned long copy_from_user(void *to,
3681 - const void __user *from, unsigned long n)
3682 -{
3683 - unsigned long over;
3684 -
3685 - if (access_ok(VERIFY_READ, from, n))
3686 - return __copy_tofrom_user((__force void __user *)to, from, n);
3687 - if ((unsigned long)from < TASK_SIZE) {
3688 - over = (unsigned long)from + n - TASK_SIZE;
3689 - return __copy_tofrom_user((__force void __user *)to, from,
3690 - n - over) + over;
3691 - }
3692 - return n;
3693 -}
3694 -
3695 -static inline unsigned long copy_to_user(void __user *to,
3696 - const void *from, unsigned long n)
3697 -{
3698 - unsigned long over;
3699 -
3700 - if (access_ok(VERIFY_WRITE, to, n))
3701 - return __copy_tofrom_user(to, (__force void __user *)from, n);
3702 - if ((unsigned long)to < TASK_SIZE) {
3703 - over = (unsigned long)to + n - TASK_SIZE;
3704 - return __copy_tofrom_user(to, (__force void __user *)from,
3705 - n - over) + over;
3706 - }
3707 - return n;
3708 -}
3709 -
3710 -#else /* __powerpc64__ */
3711 -
3712 -#define __copy_in_user(to, from, size) \
3713 - __copy_tofrom_user((to), (from), (size))
3714 -
3715 -extern unsigned long copy_from_user(void *to, const void __user *from,
3716 - unsigned long n);
3717 -extern unsigned long copy_to_user(void __user *to, const void *from,
3718 - unsigned long n);
3719 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
3720 - unsigned long n);
3721 -
3722 -#endif /* __powerpc64__ */
3723 -
3724 static inline unsigned long __copy_from_user_inatomic(void *to,
3725 const void __user *from, unsigned long n)
3726 {
3727 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3728 if (ret == 0)
3729 return 0;
3730 }
3731 +
3732 + if (!__builtin_constant_p(n))
3733 + check_object_size(to, n, false);
3734 +
3735 return __copy_tofrom_user((__force void __user *)to, from, n);
3736 }
3737
3738 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3739 if (ret == 0)
3740 return 0;
3741 }
3742 +
3743 + if (!__builtin_constant_p(n))
3744 + check_object_size(from, n, true);
3745 +
3746 return __copy_tofrom_user(to, (__force const void __user *)from, n);
3747 }
3748
3749 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3750 return __copy_to_user_inatomic(to, from, size);
3751 }
3752
3753 +#ifndef __powerpc64__
3754 +
3755 +static inline unsigned long __must_check copy_from_user(void *to,
3756 + const void __user *from, unsigned long n)
3757 +{
3758 + unsigned long over;
3759 +
3760 + if ((long)n < 0)
3761 + return n;
3762 +
3763 + if (access_ok(VERIFY_READ, from, n)) {
3764 + if (!__builtin_constant_p(n))
3765 + check_object_size(to, n, false);
3766 + return __copy_tofrom_user((__force void __user *)to, from, n);
3767 + }
3768 + if ((unsigned long)from < TASK_SIZE) {
3769 + over = (unsigned long)from + n - TASK_SIZE;
3770 + if (!__builtin_constant_p(n - over))
3771 + check_object_size(to, n - over, false);
3772 + return __copy_tofrom_user((__force void __user *)to, from,
3773 + n - over) + over;
3774 + }
3775 + return n;
3776 +}
3777 +
3778 +static inline unsigned long __must_check copy_to_user(void __user *to,
3779 + const void *from, unsigned long n)
3780 +{
3781 + unsigned long over;
3782 +
3783 + if ((long)n < 0)
3784 + return n;
3785 +
3786 + if (access_ok(VERIFY_WRITE, to, n)) {
3787 + if (!__builtin_constant_p(n))
3788 + check_object_size(from, n, true);
3789 + return __copy_tofrom_user(to, (__force void __user *)from, n);
3790 + }
3791 + if ((unsigned long)to < TASK_SIZE) {
3792 + over = (unsigned long)to + n - TASK_SIZE;
3793 + if (!__builtin_constant_p(n))
3794 + check_object_size(from, n - over, true);
3795 + return __copy_tofrom_user(to, (__force void __user *)from,
3796 + n - over) + over;
3797 + }
3798 + return n;
3799 +}
3800 +
3801 +#else /* __powerpc64__ */
3802 +
3803 +#define __copy_in_user(to, from, size) \
3804 + __copy_tofrom_user((to), (from), (size))
3805 +
3806 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3807 +{
3808 + if ((long)n < 0 || n > INT_MAX)
3809 + return n;
3810 +
3811 + if (!__builtin_constant_p(n))
3812 + check_object_size(to, n, false);
3813 +
3814 + if (likely(access_ok(VERIFY_READ, from, n)))
3815 + n = __copy_from_user(to, from, n);
3816 + else
3817 + memset(to, 0, n);
3818 + return n;
3819 +}
3820 +
3821 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3822 +{
3823 + if ((long)n < 0 || n > INT_MAX)
3824 + return n;
3825 +
3826 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
3827 + if (!__builtin_constant_p(n))
3828 + check_object_size(from, n, true);
3829 + n = __copy_to_user(to, from, n);
3830 + }
3831 + return n;
3832 +}
3833 +
3834 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
3835 + unsigned long n);
3836 +
3837 +#endif /* __powerpc64__ */
3838 +
3839 extern unsigned long __clear_user(void __user *addr, unsigned long size);
3840
3841 static inline unsigned long clear_user(void __user *addr, unsigned long size)
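Review bot: The 32-bit `copy_from_user()` added here returns `n` on a failed `access_ok()` without touching `to`, whereas the 64-bit variant in the same hunk does `memset(to, 0, n)`. A caller that mishandles the return value on 32-bit therefore keeps whatever was in the destination buffer. Adding `memset(to, 0, n);` before the final `return n;` would align the two, and the partial-copy branch could likewise zero the `over` bytes it skips. Separately, the partial-copy branch of the 32-bit `copy_to_user()` tests `__builtin_constant_p(n)` where `copy_from_user()` tests `__builtin_constant_p(n - over)`; one form should be used in both. The 64-bit wrappers call `check_object_size()` and then `__copy_from_user()`/`__copy_to_user()`, which appear to reach the `_inatomic` helpers that this patch also instruments, so the object check likely runs twice on that path.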
3842 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/dma.c linux-2.6.39.2/arch/powerpc/kernel/dma.c
3843 --- linux-2.6.39.2/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
3844 +++ linux-2.6.39.2/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
3845 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
3846 }
3847 #endif
3848
3849 -struct dma_map_ops dma_direct_ops = {
3850 +const struct dma_map_ops dma_direct_ops = {
3851 .alloc_coherent = dma_direct_alloc_coherent,
3852 .free_coherent = dma_direct_free_coherent,
3853 .map_sg = dma_direct_map_sg,
3854 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
3855
3856 int dma_set_mask(struct device *dev, u64 dma_mask)
3857 {
3858 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3859 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3860
3861 if (ppc_md.dma_set_mask)
3862 return ppc_md.dma_set_mask(dev, dma_mask);
3863 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.2/arch/powerpc/kernel/dma-iommu.c
3864 --- linux-2.6.39.2/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400
3865 +++ linux-2.6.39.2/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400
3866 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3867 }
3868
3869 /* We support DMA to/from any memory page via the iommu */
3870 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3871 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
3872 {
3873 struct iommu_table *tbl = get_iommu_table_base(dev);
3874
3875 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
3876 return 1;
3877 }
3878
3879 -struct dma_map_ops dma_iommu_ops = {
3880 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
3881 .alloc_coherent = dma_iommu_alloc_coherent,
3882 .free_coherent = dma_iommu_free_coherent,
3883 .map_sg = dma_iommu_map_sg,
3884 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.2/arch/powerpc/kernel/dma-swiotlb.c
3885 --- linux-2.6.39.2/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
3886 +++ linux-2.6.39.2/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
3887 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3888 * map_page, and unmap_page on highmem, use normal dma_ops
3889 * for everything else.
3890 */
3891 -struct dma_map_ops swiotlb_dma_ops = {
3892 +const struct dma_map_ops swiotlb_dma_ops = {
3893 .alloc_coherent = dma_direct_alloc_coherent,
3894 .free_coherent = dma_direct_free_coherent,
3895 .map_sg = swiotlb_map_sg_attrs,
3896 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.2/arch/powerpc/kernel/exceptions-64e.S
3897 --- linux-2.6.39.2/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400
3898 +++ linux-2.6.39.2/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400
3899 @@ -495,6 +495,7 @@ storage_fault_common:
3900 std r14,_DAR(r1)
3901 std r15,_DSISR(r1)
3902 addi r3,r1,STACK_FRAME_OVERHEAD
3903 + bl .save_nvgprs
3904 mr r4,r14
3905 mr r5,r15
3906 ld r14,PACA_EXGEN+EX_R14(r13)
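Review bot: The move of `bl .save_nvgprs` ahead of the fault handler is not explained, and it places the register save on every storage fault instead of only on the bad-fault path at label `1:`. A comment at the new call would help, for example `/* save non-volatile GPRs before the fault handler so it sees a complete register frame */`. I am inferring that reason from the PaX fetch-fault reporting added to arch/powerpc/mm/fault.c in this patch, so please confirm it. The same reordering is made at `handle_page_fault` in exceptions-64s.S, and the handler call for this file sits between the two hunks and is not shown.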
3907 @@ -504,8 +505,7 @@ storage_fault_common:
3908 cmpdi r3,0
3909 bne- 1f
3910 b .ret_from_except_lite
3911 -1: bl .save_nvgprs
3912 - mr r5,r3
3913 +1: mr r5,r3
3914 addi r3,r1,STACK_FRAME_OVERHEAD
3915 ld r4,_DAR(r1)
3916 bl .bad_page_fault
3917 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.2/arch/powerpc/kernel/exceptions-64s.S
3918 --- linux-2.6.39.2/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400
3919 +++ linux-2.6.39.2/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400
3920 @@ -848,10 +848,10 @@ handle_page_fault:
3921 11: ld r4,_DAR(r1)
3922 ld r5,_DSISR(r1)
3923 addi r3,r1,STACK_FRAME_OVERHEAD
3924 + bl .save_nvgprs
3925 bl .do_page_fault
3926 cmpdi r3,0
3927 beq+ 13f
3928 - bl .save_nvgprs
3929 mr r5,r3
3930 addi r3,r1,STACK_FRAME_OVERHEAD
3931 lwz r4,_DAR(r1)
3932 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/ibmebus.c linux-2.6.39.2/arch/powerpc/kernel/ibmebus.c
3933 --- linux-2.6.39.2/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400
3934 +++ linux-2.6.39.2/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400
3935 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
3936 return 1;
3937 }
3938
3939 -static struct dma_map_ops ibmebus_dma_ops = {
3940 +static const struct dma_map_ops ibmebus_dma_ops = {
3941 .alloc_coherent = ibmebus_alloc_coherent,
3942 .free_coherent = ibmebus_free_coherent,
3943 .map_sg = ibmebus_map_sg,
3944 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/kgdb.c linux-2.6.39.2/arch/powerpc/kernel/kgdb.c
3945 --- linux-2.6.39.2/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
3946 +++ linux-2.6.39.2/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
3947 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
3948 /*
3949 * Global data
3950 */
3951 -struct kgdb_arch arch_kgdb_ops = {
3952 +const struct kgdb_arch arch_kgdb_ops = {
3953 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3954 };
3955
3956 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/module_32.c linux-2.6.39.2/arch/powerpc/kernel/module_32.c
3957 --- linux-2.6.39.2/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400
3958 +++ linux-2.6.39.2/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400
3959 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3960 me->arch.core_plt_section = i;
3961 }
3962 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3963 - printk("Module doesn't contain .plt or .init.plt sections.\n");
3964 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3965 return -ENOEXEC;
3966 }
3967
3968 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3969
3970 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3971 /* Init, or core PLT? */
3972 - if (location >= mod->module_core
3973 - && location < mod->module_core + mod->core_size)
3974 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3975 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3976 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3977 - else
3978 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3979 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3980 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3981 + else {
3982 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3983 + return ~0UL;
3984 + }
3985
3986 /* Find this entry, or if that fails, the next avail. entry */
3987 while (entry->jump[0]) {
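Review bot: The new `return ~0UL;` error path uses the function's `uint32_t` return value as a sentinel, and nothing in this hunk shows a caller checking for it. The callers of do_plt_call are outside the hunk; if they feed the result straight into the relocation, a `location` that matches none of the four ranges would yield a relocation against 0xffffffff rather than a load failure, so the call site should reject it, e.g. `if (value == ~0U) return -ENOEXEC;` (variable name illustrative). Writing the sentinel as `~0U` would also match the declared return type. The body of do_plt_call continues past the end of the hunk.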
3988 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/module.c linux-2.6.39.2/arch/powerpc/kernel/module.c
3989 --- linux-2.6.39.2/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3990 +++ linux-2.6.39.2/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3991 @@ -31,11 +31,24 @@
3992
3993 LIST_HEAD(module_bug_list);
3994
3995 +#ifdef CONFIG_PAX_KERNEXEC
3996 void *module_alloc(unsigned long size)
3997 {
3998 if (size == 0)
3999 return NULL;
4000
4001 + return vmalloc(size);
4002 +}
4003 +
4004 +void *module_alloc_exec(unsigned long size)
4005 +#else
4006 +void *module_alloc(unsigned long size)
4007 +#endif
4008 +
4009 +{
4010 + if (size == 0)
4011 + return NULL;
4012 +
4013 return vmalloc_exec(size);
4014 }
4015
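Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block splices two different function headers onto one shared body, so the `return vmalloc_exec(size);` body belongs to `module_alloc_exec` in one configuration and to `module_alloc` in the other, which is easy to misread. A comment above the block would make the intent explicit, for example `/* KERNEXEC: module_alloc() hands out non-executable memory; executable memory comes only from module_alloc_exec() */`. Alternatively, move the `vmalloc_exec` body into a static helper and let each configuration define its public function separately, so that every definition has its own header and braces.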
4016 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
4017 vfree(module_region);
4018 }
4019
4020 +#ifdef CONFIG_PAX_KERNEXEC
4021 +void module_free_exec(struct module *mod, void *module_region)
4022 +{
4023 + module_free(mod, module_region);
4024 +}
4025 +#endif
4026 +
4027 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
4028 const Elf_Shdr *sechdrs,
4029 const char *name)
4030 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/pci-common.c linux-2.6.39.2/arch/powerpc/kernel/pci-common.c
4031 --- linux-2.6.39.2/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400
4032 +++ linux-2.6.39.2/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400
4033 @@ -53,14 +53,14 @@ resource_size_t isa_mem_base;
4034 unsigned int ppc_pci_flags = 0;
4035
4036
4037 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4038 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4039
4040 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
4041 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
4042 {
4043 pci_dma_ops = dma_ops;
4044 }
4045
4046 -struct dma_map_ops *get_pci_dma_ops(void)
4047 +const struct dma_map_ops *get_pci_dma_ops(void)
4048 {
4049 return pci_dma_ops;
4050 }
4051 @@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u
4052 return PCIBIOS_DEVICE_NOT_FOUND;
4053 }
4054
4055 -static struct pci_ops null_pci_ops =
4056 +static const struct pci_ops null_pci_ops =
4057 {
4058 .read = null_read_config,
4059 .write = null_write_config,
4060 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/process.c linux-2.6.39.2/arch/powerpc/kernel/process.c
4061 --- linux-2.6.39.2/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4062 +++ linux-2.6.39.2/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400
4063 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
4064 * Lookup NIP late so we have the best change of getting the
4065 * above info out without failing
4066 */
4067 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
4068 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
4069 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
4070 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
4071 #endif
4072 show_stack(current, (unsigned long *) regs->gpr[1]);
4073 if (!user_mode(regs))
4074 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
4075 newsp = stack[0];
4076 ip = stack[STACK_FRAME_LR_SAVE];
4077 if (!firstframe || ip != lr) {
4078 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
4079 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
4080 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4081 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
4082 - printk(" (%pS)",
4083 + printk(" (%pA)",
4084 (void *)current->ret_stack[curr_frame].ret);
4085 curr_frame--;
4086 }
4087 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
4088 struct pt_regs *regs = (struct pt_regs *)
4089 (sp + STACK_FRAME_OVERHEAD);
4090 lr = regs->link;
4091 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
4092 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
4093 regs->trap, (void *)regs->nip, (void *)lr);
4094 firstframe = 1;
4095 }
4096 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
4097 }
4098
4099 #endif /* THREAD_SHIFT < PAGE_SHIFT */
4100 -
4101 -unsigned long arch_align_stack(unsigned long sp)
4102 -{
4103 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4104 - sp -= get_random_int() & ~PAGE_MASK;
4105 - return sp & ~0xf;
4106 -}
4107 -
4108 -static inline unsigned long brk_rnd(void)
4109 -{
4110 - unsigned long rnd = 0;
4111 -
4112 - /* 8MB for 32bit, 1GB for 64bit */
4113 - if (is_32bit_task())
4114 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
4115 - else
4116 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
4117 -
4118 - return rnd << PAGE_SHIFT;
4119 -}
4120 -
4121 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4122 -{
4123 - unsigned long base = mm->brk;
4124 - unsigned long ret;
4125 -
4126 -#ifdef CONFIG_PPC_STD_MMU_64
4127 - /*
4128 - * If we are using 1TB segments and we are allowed to randomise
4129 - * the heap, we can put it above 1TB so it is backed by a 1TB
4130 - * segment. Otherwise the heap will be in the bottom 1TB
4131 - * which always uses 256MB segments and this may result in a
4132 - * performance penalty.
4133 - */
4134 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
4135 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
4136 -#endif
4137 -
4138 - ret = PAGE_ALIGN(base + brk_rnd());
4139 -
4140 - if (ret < mm->brk)
4141 - return mm->brk;
4142 -
4143 - return ret;
4144 -}
4145 -
4146 -unsigned long randomize_et_dyn(unsigned long base)
4147 -{
4148 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4149 -
4150 - if (ret < base)
4151 - return base;
4152 -
4153 - return ret;
4154 -}
4155 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.2/arch/powerpc/kernel/rtas_pci.c
4156 --- linux-2.6.39.2/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400
4157 +++ linux-2.6.39.2/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400
4158 @@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct
4159 return PCIBIOS_DEVICE_NOT_FOUND;
4160 }
4161
4162 -static struct pci_ops rtas_pci_ops = {
4163 +static const struct pci_ops rtas_pci_ops = {
4164 .read = rtas_pci_read_config,
4165 .write = rtas_pci_write_config,
4166 };
4167 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/signal_32.c linux-2.6.39.2/arch/powerpc/kernel/signal_32.c
4168 --- linux-2.6.39.2/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400
4169 +++ linux-2.6.39.2/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400
4170 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
4171 /* Save user registers on the stack */
4172 frame = &rt_sf->uc.uc_mcontext;
4173 addr = frame;
4174 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
4175 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4176 if (save_user_regs(regs, frame, 0, 1))
4177 goto badframe;
4178 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
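Review bot: The "no vDSO" marker changes from 0 to the bare literal `~0UL`, repeated here, in handle_rt_signal64 in signal_64.c and in arch_setup_additional_pages in vdso.c, with no name or comment tying the three together. A shared definition such as `#define VDSO_BASE_UNSET (~0UL)` (name illustrative) next to the `vdso_base` field would let the tests read `!= VDSO_BASE_UNSET` and give one place to explain why 0 no longer serves as the marker. Any other reader of `context.vdso_base` that still tests for non-zero would now treat the unset value as a valid base; none is visible in this part of the patch, so it is worth checking for before merging. handle_rt_signal32 extends beyond this hunk.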
4179 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/signal_64.c linux-2.6.39.2/arch/powerpc/kernel/signal_64.c
4180 --- linux-2.6.39.2/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400
4181 +++ linux-2.6.39.2/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400
4182 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
4183 current->thread.fpscr.val = 0;
4184
4185 /* Set up to return from userspace. */
4186 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
4187 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4188 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
4189 } else {
4190 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
4191 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/traps.c linux-2.6.39.2/arch/powerpc/kernel/traps.c
4192 --- linux-2.6.39.2/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
4193 +++ linux-2.6.39.2/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400
4194 @@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void)
4195 static inline void pmac_backlight_unblank(void) { }
4196 #endif
4197
4198 +extern void gr_handle_kernel_exploit(void);
4199 +
4200 int die(const char *str, struct pt_regs *regs, long err)
4201 {
4202 static struct {
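Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c, so the compiler cannot check this prototype against the definition if the two ever drift apart. Putting the prototype in a header that both the defining file and traps.c include would give that check. The call added in the next hunk sits after the `panic_on_oops` test and before `oops_exit()`; a one-line comment there saying what the hook does on an oops would help, since nothing in this file describes it.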
4203 @@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs
4204 if (panic_on_oops)
4205 panic("Fatal exception");
4206
4207 + gr_handle_kernel_exploit();
4208 +
4209 oops_exit();
4210 do_exit(err);
4211
4212 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/vdso.c linux-2.6.39.2/arch/powerpc/kernel/vdso.c
4213 --- linux-2.6.39.2/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
4214 +++ linux-2.6.39.2/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
4215 @@ -36,6 +36,7 @@
4216 #include <asm/firmware.h>
4217 #include <asm/vdso.h>
4218 #include <asm/vdso_datapage.h>
4219 +#include <asm/mman.h>
4220
4221 #include "setup.h"
4222
4223 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
4224 vdso_base = VDSO32_MBASE;
4225 #endif
4226
4227 - current->mm->context.vdso_base = 0;
4228 + current->mm->context.vdso_base = ~0UL;
4229
4230 /* vDSO has a problem and was disabled, just don't "enable" it for the
4231 * process
4232 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
4233 vdso_base = get_unmapped_area(NULL, vdso_base,
4234 (vdso_pages << PAGE_SHIFT) +
4235 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
4236 - 0, 0);
4237 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
4238 if (IS_ERR_VALUE(vdso_base)) {
4239 rc = vdso_base;
4240 goto fail_mmapsem;
4241 diff -urNp linux-2.6.39.2/arch/powerpc/kernel/vio.c linux-2.6.39.2/arch/powerpc/kernel/vio.c
4242 --- linux-2.6.39.2/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400
4243 +++ linux-2.6.39.2/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400
4244 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
4245 return dma_iommu_ops.dma_supported(dev, mask);
4246 }
4247
4248 -struct dma_map_ops vio_dma_mapping_ops = {
4249 +const struct dma_map_ops vio_dma_mapping_ops = {
4250 .alloc_coherent = vio_dma_iommu_alloc_coherent,
4251 .free_coherent = vio_dma_iommu_free_coherent,
4252 .map_sg = vio_dma_iommu_map_sg,
4253 .unmap_sg = vio_dma_iommu_unmap_sg,
4254 + .dma_supported = dma_iommu_dma_supported,
4255 .map_page = vio_dma_iommu_map_page,
4256 .unmap_page = vio_dma_iommu_unmap_page,
4257 .dma_supported = vio_dma_iommu_dma_supported,
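Review bot: The added `.dma_supported = dma_iommu_dma_supported,` has no effect, because the initializer still ends with `.dma_supported = vio_dma_iommu_dma_supported,` and the last designated initializer for a member wins (GCC reports this under -Woverride-init). Drop whichever of the two lines is not meant; as written, `dma_iommu_dma_supported` lost its `static` in dma-iommu.c for a reference that is never used. The wrapper in the context lines still calls `dma_iommu_ops.dma_supported(dev, mask)` through the table that this patch leaves writable, so if the aim is to stop depending on that table the wrapper should call `dma_iommu_dma_supported(dev, mask)` directly. The closing brace of the initializer is outside the hunk.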
4258 diff -urNp linux-2.6.39.2/arch/powerpc/lib/usercopy_64.c linux-2.6.39.2/arch/powerpc/lib/usercopy_64.c
4259 --- linux-2.6.39.2/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
4260 +++ linux-2.6.39.2/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
4261 @@ -9,22 +9,6 @@
4262 #include <linux/module.h>
4263 #include <asm/uaccess.h>
4264
4265 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4266 -{
4267 - if (likely(access_ok(VERIFY_READ, from, n)))
4268 - n = __copy_from_user(to, from, n);
4269 - else
4270 - memset(to, 0, n);
4271 - return n;
4272 -}
4273 -
4274 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4275 -{
4276 - if (likely(access_ok(VERIFY_WRITE, to, n)))
4277 - n = __copy_to_user(to, from, n);
4278 - return n;
4279 -}
4280 -
4281 unsigned long copy_in_user(void __user *to, const void __user *from,
4282 unsigned long n)
4283 {
4284 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
4285 return n;
4286 }
4287
4288 -EXPORT_SYMBOL(copy_from_user);
4289 -EXPORT_SYMBOL(copy_to_user);
4290 EXPORT_SYMBOL(copy_in_user);
4291
4292 diff -urNp linux-2.6.39.2/arch/powerpc/mm/fault.c linux-2.6.39.2/arch/powerpc/mm/fault.c
4293 --- linux-2.6.39.2/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
4294 +++ linux-2.6.39.2/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
4295 @@ -31,6 +31,10 @@
4296 #include <linux/kdebug.h>
4297 #include <linux/perf_event.h>
4298 #include <linux/magic.h>
4299 +#include <linux/slab.h>
4300 +#include <linux/pagemap.h>
4301 +#include <linux/compiler.h>
4302 +#include <linux/unistd.h>
4303
4304 #include <asm/firmware.h>
4305 #include <asm/page.h>
4306 @@ -42,6 +46,7 @@
4307 #include <asm/tlbflush.h>
4308 #include <asm/siginfo.h>
4309 #include <mm/mmu_decl.h>
4310 +#include <asm/ptrace.h>
4311
4312 #ifdef CONFIG_KPROBES
4313 static inline int notify_page_fault(struct pt_regs *regs)
4314 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
4315 }
4316 #endif
4317
4318 +#ifdef CONFIG_PAX_PAGEEXEC
4319 +/*
4320 + * PaX: decide what to do with offenders (regs->nip = fault address)
4321 + *
4322 + * returns 1 when task should be killed
4323 + */
4324 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4325 +{
4326 + return 1;
4327 +}
4328 +
4329 +void pax_report_insns(void *pc, void *sp)
4330 +{
4331 + unsigned long i;
4332 +
4333 + printk(KERN_ERR "PAX: bytes at PC: ");
4334 + for (i = 0; i < 5; i++) {
4335 + unsigned int c;
4336 + if (get_user(c, (unsigned int __user *)pc+i))
4337 + printk(KERN_CONT "???????? ");
4338 + else
4339 + printk(KERN_CONT "%08x ", c);
4340 + }
4341 + printk("\n");
4342 +}
4343 +#endif
4344 +
4345 /*
4346 * Check whether the instruction at regs->nip is a store using
4347 * an update addressing form which will update r1.
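Review bot: `pax_report_insns()` accepts `sp` but never uses it, and the closing `printk("\n")` lacks the `KERN_CONT` that the other continuation lines carry, so the newline may be logged as a separate record at the default level. Suggest `printk(KERN_CONT "\n");` and a doc comment stating that the function prints five 32-bit words starting at `pc`, read with get_user(), and prints `????????` for any word it cannot read. `pax_handle_fetch_fault()` returns 1 unconditionally; its header comment could say that this architecture has no emulation cases, which is why the result is fixed.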
4348 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
4349 * indicate errors in DSISR but can validly be set in SRR1.
4350 */
4351 if (trap == 0x400)
4352 - error_code &= 0x48200000;
4353 + error_code &= 0x58200000;
4354 else
4355 is_write = error_code & DSISR_ISSTORE;
4356 #else
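Review bot: The new mask `0x58200000` is an unexplained literal; the only bit added over `0x48200000` is `0x10000000`, which a later hunk in this file spells `DSISR_GUARDED`. Writing the line as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit is now preserved for the 0x400 trap. A short comment saying that the bit is kept so the later `is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))` test can see it would also help; that reading is inferred from the later hunk, so confirm it against the SRR1 definition. The enclosing function extends beyond the hunk.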
4357 @@ -258,7 +290,7 @@ good_area:
4358 * "undefined". Of those that can be set, this is the only
4359 * one which seems bad.
4360 */
4361 - if (error_code & 0x10000000)
4362 + if (error_code & DSISR_GUARDED)
4363 /* Guarded storage error. */
4364 goto bad_area;
4365 #endif /* CONFIG_8xx */
4366 @@ -273,7 +305,7 @@ good_area:
4367 * processors use the same I/D cache coherency mechanism
4368 * as embedded.
4369 */
4370 - if (error_code & DSISR_PROTFAULT)
4371 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
4372 goto bad_area;
4373 #endif /* CONFIG_PPC_STD_MMU */
4374
4375 @@ -342,6 +374,23 @@ bad_area:
4376 bad_area_nosemaphore:
4377 /* User mode accesses cause a SIGSEGV */
4378 if (user_mode(regs)) {
4379 +
4380 +#ifdef CONFIG_PAX_PAGEEXEC
4381 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4382 +#ifdef CONFIG_PPC_STD_MMU
4383 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
4384 +#else
4385 + if (is_exec && regs->nip == address) {
4386 +#endif
4387 + switch (pax_handle_fetch_fault(regs)) {
4388 + }
4389 +
4390 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
4391 + do_group_exit(SIGKILL);
4392 + }
4393 + }
4394 +#endif
4395 +
4396 _exception(SIGSEGV, regs, code, address);
4397 return 0;
4398 }
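Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the return value documented earlier in this file as "returns 1 when task should be killed" is discarded and the task is reported and killed on every path. If unconditional termination is intended on powerpc, call the handler without the switch and add `/* no emulation cases on powerpc: always report and kill */`; otherwise test the result with `if (pax_handle_fetch_fault(regs) == 1)`. The `#ifdef CONFIG_PPC_STD_MMU` split also opens the same `if (...) {` on two alternative lines, which is easy to unbalance; computing the condition into a local variable first would keep the braces in one place. The enclosing function starts outside this hunk.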
4399 diff -urNp linux-2.6.39.2/arch/powerpc/mm/mmap_64.c linux-2.6.39.2/arch/powerpc/mm/mmap_64.c
4400 --- linux-2.6.39.2/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400
4401 +++ linux-2.6.39.2/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400
4402 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
4403 */
4404 if (mmap_is_legacy()) {
4405 mm->mmap_base = TASK_UNMAPPED_BASE;
4406 +
4407 +#ifdef CONFIG_PAX_RANDMMAP
4408 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4409 + mm->mmap_base += mm->delta_mmap;
4410 +#endif
4411 +
4412 mm->get_unmapped_area = arch_get_unmapped_area;
4413 mm->unmap_area = arch_unmap_area;
4414 } else {
4415 mm->mmap_base = mmap_base();
4416 +
4417 +#ifdef CONFIG_PAX_RANDMMAP
4418 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4419 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4420 +#endif
4421 +
4422 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4423 mm->unmap_area = arch_unmap_area_topdown;
4424 }
4425 diff -urNp linux-2.6.39.2/arch/powerpc/mm/slice.c linux-2.6.39.2/arch/powerpc/mm/slice.c
4426 --- linux-2.6.39.2/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400
4427 +++ linux-2.6.39.2/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400
4428 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
4429 if ((mm->task_size - len) < addr)
4430 return 0;
4431 vma = find_vma(mm, addr);
4432 - return (!vma || (addr + len) <= vma->vm_start);
4433 + return check_heap_stack_gap(vma, addr, len);
4434 }
4435
4436 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
4437 @@ -256,7 +256,7 @@ full_search:
4438 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
4439 continue;
4440 }
4441 - if (!vma || addr + len <= vma->vm_start) {
4442 + if (check_heap_stack_gap(vma, addr, len)) {
4443 /*
4444 * Remember the place where we stopped the search:
4445 */
4446 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
4447 }
4448 }
4449
4450 - addr = mm->mmap_base;
4451 - while (addr > len) {
4452 + if (mm->mmap_base < len)
4453 + addr = -ENOMEM;
4454 + else
4455 + addr = mm->mmap_base - len;
4456 +
4457 + while (!IS_ERR_VALUE(addr)) {
4458 /* Go down by chunk size */
4459 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
4460 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
4461
4462 /* Check for hit with different page size */
4463 mask = slice_range_to_mask(addr, len);
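Review bot: After this change the top of the loop only re-aligns `addr` (`addr = _ALIGN_DOWN(addr, 1ul << pshift);`) and no longer subtracts `len`, so every iteration depends on something later in the body to move `addr` downwards. The rest of the loop is outside the hunk; if the "different page size" check that follows `slice_range_to_mask()` skips ahead with `continue`, an already aligned `addr` would be re-tested unchanged and the loop would not terminate. Each such path should step `addr` down before continuing, or the step should live in the loop header. Termination also relies on `skip_heap_stack_gap()`, used in a later hunk and defined elsewhere, yielding an error value once no lower address exists, which deserves a comment at the `while (!IS_ERR_VALUE(addr))` line.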
4464 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
4465 * return with success:
4466 */
4467 vma = find_vma(mm, addr);
4468 - if (!vma || (addr + len) <= vma->vm_start) {
4469 + if (check_heap_stack_gap(vma, addr, len)) {
4470 /* remember the address as a hint for next time */
4471 if (use_cache)
4472 mm->free_area_cache = addr;
4473 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
4474 mm->cached_hole_size = vma->vm_start - addr;
4475
4476 /* try just below the current vma->vm_start */
4477 - addr = vma->vm_start;
4478 + addr = skip_heap_stack_gap(vma, len);
4479 }
4480
4481 /*
4482 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
4483 if (fixed && addr > (mm->task_size - len))
4484 return -EINVAL;
4485
4486 +#ifdef CONFIG_PAX_RANDMMAP
4487 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
4488 + addr = 0;
4489 +#endif
4490 +
4491 /* If hint, make sure it matches our alignment restrictions */
4492 if (!fixed && addr) {
4493 addr = _ALIGN_UP(addr, 1ul << pshift);
4494 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.2/arch/powerpc/platforms/52xx/efika.c
4495 --- linux-2.6.39.2/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400
4496 +++ linux-2.6.39.2/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400
4497 @@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_
4498 return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
4499 }
4500
4501 -static struct pci_ops rtas_pci_ops = {
4502 +static const struct pci_ops rtas_pci_ops = {
4503 .read = rtas_read_config,
4504 .write = rtas_write_config,
4505 };
4506 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_pci.c
4507 --- linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400
4508 +++ linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400
4509 @@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config(
4510 return PCIBIOS_SUCCESSFUL;
4511 }
4512
4513 -static struct pci_ops celleb_fake_pci_ops = {
4514 +static const struct pci_ops celleb_fake_pci_ops = {
4515 .read = celleb_fake_pci_read_config,
4516 .write = celleb_fake_pci_write_config,
4517 };
4518 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_epci.c
4519 --- linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400
4520 +++ linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400
4521 @@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru
4522 return celleb_epci_check_abort(hose, addr);
4523 }
4524
4525 -struct pci_ops celleb_epci_ops = {
4526 +const struct pci_ops celleb_epci_ops = {
4527 .read = celleb_epci_read_config,
4528 .write = celleb_epci_write_config,
4529 };
4530 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_pciex.c
4531 --- linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400
4532 +++ linux-2.6.39.2/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400
4533 @@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct
4534 return PCIBIOS_SUCCESSFUL;
4535 }
4536
4537 -static struct pci_ops scc_pciex_pci_ops = {
4538 +static const struct pci_ops scc_pciex_pci_ops = {
4539 scc_pciex_read_config,
4540 scc_pciex_write_config,
4541 };
4542 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.2/arch/powerpc/platforms/cell/iommu.c
4543 --- linux-2.6.39.2/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400
4544 +++ linux-2.6.39.2/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400
4545 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
4546
4547 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
4548
4549 -struct dma_map_ops dma_iommu_fixed_ops = {
4550 +const struct dma_map_ops dma_iommu_fixed_ops = {
4551 .alloc_coherent = dma_fixed_alloc_coherent,
4552 .free_coherent = dma_fixed_free_coherent,
4553 .map_sg = dma_fixed_map_sg,
4554 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.2/arch/powerpc/platforms/chrp/pci.c
4555 --- linux-2.6.39.2/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400
4556 +++ linux-2.6.39.2/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400
4557 @@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus
4558 return PCIBIOS_SUCCESSFUL;
4559 }
4560
4561 -static struct pci_ops gg2_pci_ops =
4562 +static const struct pci_ops gg2_pci_ops =
4563 {
4564 .read = gg2_read_config,
4565 .write = gg2_write_config,
4566 @@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu
4567 return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL;
4568 }
4569
4570 -static struct pci_ops rtas_pci_ops =
4571 +static const struct pci_ops rtas_pci_ops =
4572 {
4573 .read = rtas_read_config,
4574 .write = rtas_write_config,
4575 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.2/arch/powerpc/platforms/iseries/pci.c
4576 --- linux-2.6.39.2/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400
4577 +++ linux-2.6.39.2/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400
4578 @@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru
4579 return 0;
4580 }
4581
4582 -static struct pci_ops iSeries_pci_ops = {
4583 +static const struct pci_ops iSeries_pci_ops = {
4584 .read = iSeries_pci_read_config,
4585 .write = iSeries_pci_write_config
4586 };
4587 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/maple/pci.c linux-2.6.39.2/arch/powerpc/platforms/maple/pci.c
4588 --- linux-2.6.39.2/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400
4589 +++ linux-2.6.39.2/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400
4590 @@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc
4591 return PCIBIOS_SUCCESSFUL;
4592 }
4593
4594 -static struct pci_ops u3_agp_pci_ops =
4595 +static const struct pci_ops u3_agp_pci_ops =
4596 {
4597 .read = u3_agp_read_config,
4598 .write = u3_agp_write_config,
4599 @@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci
4600 return PCIBIOS_SUCCESSFUL;
4601 }
4602
4603 -static struct pci_ops u3_ht_pci_ops =
4604 +static const struct pci_ops u3_ht_pci_ops =
4605 {
4606 .read = u3_ht_read_config,
4607 .write = u3_ht_write_config,
4608 @@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p
4609 return PCIBIOS_SUCCESSFUL;
4610 }
4611
4612 -static struct pci_ops u4_pcie_pci_ops =
4613 +static const struct pci_ops u4_pcie_pci_ops =
4614 {
4615 .read = u4_pcie_read_config,
4616 .write = u4_pcie_write_config,
4617 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.2/arch/powerpc/platforms/pasemi/pci.c
4618 --- linux-2.6.39.2/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400
4619 +++ linux-2.6.39.2/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400
4620 @@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc
4621 return PCIBIOS_SUCCESSFUL;
4622 }
4623
4624 -static struct pci_ops pa_pxp_ops = {
4625 +static const struct pci_ops pa_pxp_ops = {
4626 .read = pa_pxp_read_config,
4627 .write = pa_pxp_write_config,
4628 };
4629 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.2/arch/powerpc/platforms/powermac/pci.c
4630 --- linux-2.6.39.2/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400
4631 +++ linux-2.6.39.2/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400
4632 @@ -218,7 +218,7 @@ static int macrisc_write_config(struct p
4633 return PCIBIOS_SUCCESSFUL;
4634 }
4635
4636 -static struct pci_ops macrisc_pci_ops =
4637 +static const struct pci_ops macrisc_pci_ops =
4638 {
4639 .read = macrisc_read_config,
4640 .write = macrisc_write_config,
4641 @@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus,
4642 return macrisc_write_config(bus, devfn, offset, len, val);
4643 }
4644
4645 -static struct pci_ops chaos_pci_ops =
4646 +static const struct pci_ops chaos_pci_ops =
4647 {
4648 .read = chaos_read_config,
4649 .write = chaos_write_config,
4650 diff -urNp linux-2.6.39.2/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.2/arch/powerpc/platforms/ps3/system-bus.c
4651 --- linux-2.6.39.2/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400
4652 +++ linux-2.6.39.2/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400
4653 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
4654 return mask >= DMA_BIT_MASK(32);
4655 }
4656
4657 -static struct dma_map_ops ps3_sb_dma_ops = {
4658 +static const struct dma_map_ops ps3_sb_dma_ops = {
4659 .alloc_coherent = ps3_alloc_coherent,
4660 .free_coherent = ps3_free_coherent,
4661 .map_sg = ps3_sb_map_sg,
4662 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
4663 .unmap_page = ps3_unmap_page,
4664 };
4665
4666 -static struct dma_map_ops ps3_ioc0_dma_ops = {
4667 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
4668 .alloc_coherent = ps3_alloc_coherent,
4669 .free_coherent = ps3_free_coherent,
4670 .map_sg = ps3_ioc0_map_sg,
4671 diff -urNp linux-2.6.39.2/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.2/arch/powerpc/sysdev/fsl_pci.c
4672 --- linux-2.6.39.2/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400
4673 +++ linux-2.6.39.2/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400
4674 @@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str
4675 return PCIBIOS_SUCCESSFUL;
4676 }
4677
4678 -static struct pci_ops mpc83xx_pcie_ops = {
4679 +static const struct pci_ops mpc83xx_pcie_ops = {
4680 .read = mpc83xx_pcie_read_config,
4681 .write = mpc83xx_pcie_write_config,
4682 };
4683 diff -urNp linux-2.6.39.2/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.2/arch/powerpc/sysdev/indirect_pci.c
4684 --- linux-2.6.39.2/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
4685 +++ linux-2.6.39.2/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
4686 @@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu
4687 return PCIBIOS_SUCCESSFUL;
4688 }
4689
4690 -static struct pci_ops indirect_pci_ops =
4691 +static const struct pci_ops indirect_pci_ops =
4692 {
4693 .read = indirect_read_config,
4694 .write = indirect_write_config,
4695 diff -urNp linux-2.6.39.2/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.2/arch/powerpc/sysdev/ppc4xx_pci.c
4696 --- linux-2.6.39.2/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400
4697 +++ linux-2.6.39.2/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400
4698 @@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str
4699 return PCIBIOS_SUCCESSFUL;
4700 }
4701
4702 -static struct pci_ops ppc4xx_pciex_pci_ops =
4703 +static const struct pci_ops ppc4xx_pciex_pci_ops =
4704 {
4705 .read = ppc4xx_pciex_read_config,
4706 .write = ppc4xx_pciex_write_config,
4707 diff -urNp linux-2.6.39.2/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.2/arch/powerpc/sysdev/tsi108_pci.c
4708 --- linux-2.6.39.2/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400
4709 +++ linux-2.6.39.2/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400
4710 @@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void)
4711 tsi108_clear_pci_error(tsi108_pci_cfg_phys);
4712 }
4713
4714 -static struct pci_ops tsi108_direct_pci_ops = {
4715 +static const struct pci_ops tsi108_direct_pci_ops = {
4716 .read = tsi108_direct_read_config,
4717 .write = tsi108_direct_write_config,
4718 };
4719 diff -urNp linux-2.6.39.2/arch/s390/include/asm/elf.h linux-2.6.39.2/arch/s390/include/asm/elf.h
4720 --- linux-2.6.39.2/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
4721 +++ linux-2.6.39.2/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
4722 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
4723 the loader. We need to make sure that it is out of the way of the program
4724 that it will "exec", and that there is sufficient room for the brk. */
4725
4726 -extern unsigned long randomize_et_dyn(unsigned long base);
4727 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
4728 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4729 +
4730 +#ifdef CONFIG_PAX_ASLR
4731 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4732 +
4733 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4734 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4735 +#endif
4736
4737 /* This yields a mask that user programs can use to figure out what
4738 instruction set this CPU supports. */
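Review bot: With CONFIG_PAX_ASLR disabled, `ELF_ET_DYN_BASE` is left as the fixed `STACK_TOP / 3 * 2`, because the upstream `randomize_et_dyn()` call is removed unconditionally while the PaX replacements sit inside `#ifdef CONFIG_PAX_ASLR`. The same holds for the `arch_randomize_brk` declaration dropped in the next hunk of this file and for the function bodies deleted from arch/s390/kernel/process.c. If builds without PaX ASLR are meant to stay supported, the upstream declarations could be kept in an `#else` branch; otherwise a comment such as `/* upstream randomize_et_dyn() dropped: ET_DYN randomization is provided only under CONFIG_PAX_ASLR */` would record the intent. The `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values also need a comment stating their unit, which cannot be confirmed from this hunk.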
4739 @@ -222,7 +228,4 @@ struct linux_binprm;
4740 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
4741 int arch_setup_additional_pages(struct linux_binprm *, int);
4742
4743 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
4744 -#define arch_randomize_brk arch_randomize_brk
4745 -
4746 #endif
4747 diff -urNp linux-2.6.39.2/arch/s390/include/asm/system.h linux-2.6.39.2/arch/s390/include/asm/system.h
4748 --- linux-2.6.39.2/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4749 +++ linux-2.6.39.2/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4750 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
4751 extern void (*_machine_halt)(void);
4752 extern void (*_machine_power_off)(void);
4753
4754 -extern unsigned long arch_align_stack(unsigned long sp);
4755 +#define arch_align_stack(x) ((x) & ~0xfUL)
4756
4757 static inline int tprot(unsigned long addr)
4758 {
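Review bot: Replacing the `arch_align_stack()` prototype with a function-like macro drops the type check on the argument; a `static inline` would keep the same behaviour with a typed parameter, e.g. `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }`. The arch/score/include/asm/system.h hunk makes the same substitution with `#define arch_align_stack(x) (x)`. A short comment that the per-call stack randomization formerly done here (see the body removed from arch/s390/kernel/process.c) is now expected to come from elsewhere would also help; where it comes from is not visible in this hunk.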
4759 diff -urNp linux-2.6.39.2/arch/s390/include/asm/uaccess.h linux-2.6.39.2/arch/s390/include/asm/uaccess.h
4760 --- linux-2.6.39.2/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
4761 +++ linux-2.6.39.2/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
4762 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
4763 copy_to_user(void __user *to, const void *from, unsigned long n)
4764 {
4765 might_fault();
4766 +
4767 + if ((long)n < 0)
4768 + return n;
4769 +
4770 if (access_ok(VERIFY_WRITE, to, n))
4771 n = __copy_to_user(to, from, n);
4772 return n;
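Review bot: `__copy_to_user()` gets no equivalent of the new length guard: the three hunks in this file add `if ((long)n < 0) return n;` to `copy_to_user()`, `__copy_from_user()` and `copy_from_user()` only. A caller that does its own `access_ok()` and then calls `__copy_to_user()` directly with a length whose sign bit is set is therefore not covered, as far as this file section shows. If that is deliberate, it should be stated; otherwise the same two lines belong at the top of `__copy_to_user()`. Each check would also benefit from a comment such as `/* a length with the sign bit set is a negative value converted to unsigned long: refuse it and report nothing copied */`.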
4773 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
4774 static inline unsigned long __must_check
4775 __copy_from_user(void *to, const void __user *from, unsigned long n)
4776 {
4777 + if ((long)n < 0)
4778 + return n;
4779 +
4780 if (__builtin_constant_p(n) && (n <= 256))
4781 return uaccess.copy_from_user_small(n, from, to);
4782 else
4783 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
4784 unsigned int sz = __compiletime_object_size(to);
4785
4786 might_fault();
4787 +
4788 + if ((long)n < 0)
4789 + return n;
4790 +
4791 if (unlikely(sz != -1 && sz < n)) {
4792 copy_from_user_overflow();
4793 return n;
4794 diff -urNp linux-2.6.39.2/arch/s390/Kconfig linux-2.6.39.2/arch/s390/Kconfig
4795 --- linux-2.6.39.2/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400
4796 +++ linux-2.6.39.2/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400
4797 @@ -234,11 +234,9 @@ config S390_EXEC_PROTECT
4798 prompt "Data execute protection"
4799 help
4800 This option allows to enable a buffer overflow protection for user
4801 - space programs and it also selects the addressing mode option above.
4802 - The kernel parameter noexec=on will enable this feature and also
4803 - switch the addressing modes, default is disabled. Enabling this (via
4804 - kernel parameter) on machines earlier than IBM System z9 this will
4805 - reduce system performance.
4806 + space programs.
4807 + Enabling this (via kernel parameter) on machines earlier than IBM
4808 + System z9 this will reduce system performance.
4809
4810 comment "Code generation options"
4811
4812 diff -urNp linux-2.6.39.2/arch/s390/kernel/module.c linux-2.6.39.2/arch/s390/kernel/module.c
4813 --- linux-2.6.39.2/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4814 +++ linux-2.6.39.2/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4815 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4816
4817 /* Increase core size by size of got & plt and set start
4818 offsets for got and plt. */
4819 - me->core_size = ALIGN(me->core_size, 4);
4820 - me->arch.got_offset = me->core_size;
4821 - me->core_size += me->arch.got_size;
4822 - me->arch.plt_offset = me->core_size;
4823 - me->core_size += me->arch.plt_size;
4824 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4825 + me->arch.got_offset = me->core_size_rw;
4826 + me->core_size_rw += me->arch.got_size;
4827 + me->arch.plt_offset = me->core_size_rx;
4828 + me->core_size_rx += me->arch.plt_size;
4829 return 0;
4830 }
4831
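Review bot: `me->arch.plt_offset` is taken from `me->core_size_rx` without aligning it first, whereas the GOT side keeps the `ALIGN(..., 4)`. Before the split the PLT followed the aligned GOT, and a later hunk writes PLT entries through an `unsigned int *ip`. Unless `core_size_rx` is guaranteed to be aligned by code outside this hunk, add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment. The retained comment "Increase core size by size of got & plt" is also stale and should say that the GOT is placed in the rw region and the PLT in the rx region.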
4832 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4833 if (info->got_initialized == 0) {
4834 Elf_Addr *gotent;
4835
4836 - gotent = me->module_core + me->arch.got_offset +
4837 + gotent = me->module_core_rw + me->arch.got_offset +
4838 info->got_offset;
4839 *gotent = val;
4840 info->got_initialized = 1;
4841 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4842 else if (r_type == R_390_GOTENT ||
4843 r_type == R_390_GOTPLTENT)
4844 *(unsigned int *) loc =
4845 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4846 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4847 else if (r_type == R_390_GOT64 ||
4848 r_type == R_390_GOTPLT64)
4849 *(unsigned long *) loc = val;
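Review bot: The `R_390_GOTENT`/`R_390_GOTPLTENT` store truncates `(val + (Elf_Addr) me->module_core_rw - loc) >> 1` to `unsigned int` with no range check visible in this hunk. Now that the GOT lives in `module_core_rw` rather than in the same region as `loc`, the distance is no longer bounded by the size of a single module mapping. The `R_390_GOTPC`/`R_390_GOTPCDBL` hunk further down has the same shape. If the allocator guarantees that the rw and rx regions are close enough, a comment stating that guarantee would do; otherwise a range test like the one the PLT16DBL/PLT32DBL case already applies to `val - loc` is worth adding. `apply_rela()` starts and ends outside the hunk.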
4850 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4851 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4852 if (info->plt_initialized == 0) {
4853 unsigned int *ip;
4854 - ip = me->module_core + me->arch.plt_offset +
4855 + ip = me->module_core_rx + me->arch.plt_offset +
4856 info->plt_offset;
4857 #ifndef CONFIG_64BIT
4858 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
4859 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4860 val - loc + 0xffffUL < 0x1ffffeUL) ||
4861 (r_type == R_390_PLT32DBL &&
4862 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4863 - val = (Elf_Addr) me->module_core +
4864 + val = (Elf_Addr) me->module_core_rx +
4865 me->arch.plt_offset +
4866 info->plt_offset;
4867 val += rela->r_addend - loc;
4868 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4869 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4870 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4871 val = val + rela->r_addend -
4872 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4873 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4874 if (r_type == R_390_GOTOFF16)
4875 *(unsigned short *) loc = val;
4876 else if (r_type == R_390_GOTOFF32)
4877 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4878 break;
4879 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4880 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4881 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4882 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4883 rela->r_addend - loc;
4884 if (r_type == R_390_GOTPC)
4885 *(unsigned int *) loc = val;
4886 diff -urNp linux-2.6.39.2/arch/s390/kernel/process.c linux-2.6.39.2/arch/s390/kernel/process.c
4887 --- linux-2.6.39.2/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4888 +++ linux-2.6.39.2/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4889 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
4890 }
4891 return 0;
4892 }
4893 -
4894 -unsigned long arch_align_stack(unsigned long sp)
4895 -{
4896 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4897 - sp -= get_random_int() & ~PAGE_MASK;
4898 - return sp & ~0xf;
4899 -}
4900 -
4901 -static inline unsigned long brk_rnd(void)
4902 -{
4903 - /* 8MB for 32bit, 1GB for 64bit */
4904 - if (is_32bit_task())
4905 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
4906 - else
4907 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
4908 -}
4909 -
4910 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4911 -{
4912 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
4913 -
4914 - if (ret < mm->brk)
4915 - return mm->brk;
4916 - return ret;
4917 -}
4918 -
4919 -unsigned long randomize_et_dyn(unsigned long base)
4920 -{
4921 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4922 -
4923 - if (!(current->flags & PF_RANDOMIZE))
4924 - return base;
4925 - if (ret < base)
4926 - return base;
4927 - return ret;
4928 -}
4929 diff -urNp linux-2.6.39.2/arch/s390/kernel/setup.c linux-2.6.39.2/arch/s390/kernel/setup.c
4930 --- linux-2.6.39.2/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400
4931 +++ linux-2.6.39.2/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400
4932 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
4933 }
4934 early_param("mem", early_parse_mem);
4935
4936 -unsigned int user_mode = HOME_SPACE_MODE;
4937 +unsigned int user_mode = SECONDARY_SPACE_MODE;
4938 EXPORT_SYMBOL_GPL(user_mode);
4939
4940 static int set_amode_and_uaccess(unsigned long user_amode,
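Review bot: `user_mode` now defaults to `SECONDARY_SPACE_MODE` for every build, while the later hunks in this file delete the `switch_amode` and `noexec` early parameters. The removed `noexec` parser was guarded by `#ifdef CONFIG_S390_EXEC_PROTECT`, and the new default is not. The help text edited in arch/s390/Kconfig still says the feature is enabled "via kernel parameter" and costs performance on machines earlier than System z9, so the documentation and the behaviour no longer match. A comment on the initializer would fix that, e.g. `/* secondary space is the default; only user_mode= can override it */`, assuming `early_parse_user_mode()` is the one remaining override.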
4941 @@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne
4942 }
4943 }
4944
4945 -/*
4946 - * Switch kernel/user addressing modes?
4947 - */
4948 -static int __init early_parse_switch_amode(char *p)
4949 -{
4950 - if (user_mode != SECONDARY_SPACE_MODE)
4951 - user_mode = PRIMARY_SPACE_MODE;
4952 - return 0;
4953 -}
4954 -early_param("switch_amode", early_parse_switch_amode);
4955 -
4956 static int __init early_parse_user_mode(char *p)
4957 {
4958 if (p && strcmp(p, "primary") == 0)
4959 @@ -327,20 +316,6 @@ static int __init early_parse_user_mode(
4960 }
4961 early_param("user_mode", early_parse_user_mode);
4962
4963 -#ifdef CONFIG_S390_EXEC_PROTECT
4964 -/*
4965 - * Enable execute protection?
4966 - */
4967 -static int __init early_parse_noexec(char *p)
4968 -{
4969 - if (!strncmp(p, "off", 3))
4970 - return 0;
4971 - user_mode = SECONDARY_SPACE_MODE;
4972 - return 0;
4973 -}
4974 -early_param("noexec", early_parse_noexec);
4975 -#endif /* CONFIG_S390_EXEC_PROTECT */
4976 -
4977 static void setup_addressing_mode(void)
4978 {
4979 if (user_mode == SECONDARY_SPACE_MODE) {
4980 diff -urNp linux-2.6.39.2/arch/s390/mm/maccess.c linux-2.6.39.2/arch/s390/mm/maccess.c
4981 --- linux-2.6.39.2/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
4982 +++ linux-2.6.39.2/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
4983 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
4984 return rc ? rc : count;
4985 }
4986
4987 -long probe_kernel_write(void *dst, void *src, size_t size)
4988 +long probe_kernel_write(void *dst, const void *src, size_t size)
4989 {
4990 long copied = 0;
4991
4992 diff -urNp linux-2.6.39.2/arch/s390/mm/mmap.c linux-2.6.39.2/arch/s390/mm/mmap.c
4993 --- linux-2.6.39.2/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
4994 +++ linux-2.6.39.2/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
4995 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
4996 */
4997 if (mmap_is_legacy()) {
4998 mm->mmap_base = TASK_UNMAPPED_BASE;
4999 +
5000 +#ifdef CONFIG_PAX_RANDMMAP
5001 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5002 + mm->mmap_base += mm->delta_mmap;
5003 +#endif
5004 +
5005 mm->get_unmapped_area = arch_get_unmapped_area;
5006 mm->unmap_area = arch_unmap_area;
5007 } else {
5008 mm->mmap_base = mmap_base();
5009 +
5010 +#ifdef CONFIG_PAX_RANDMMAP
5011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5012 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5013 +#endif
5014 +
5015 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5016 mm->unmap_area = arch_unmap_area_topdown;
5017 }
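Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` has no lower bound, so the result depends on `mmap_base()` always exceeding the sum of the two deltas. Both `mmap_base()` and the code that sets the deltas are outside this hunk; if that invariant holds for 31-bit tasks as well, a comment saying so would make it checkable. The identical `#ifdef CONFIG_PAX_RANDMMAP` blocks are repeated in the second hunk of this file (the `s390_get_unmapped_area` variant), so a small `static inline` helper taking `mm` and a direction flag would keep the two copies from drifting apart. `arch_pick_mmap_layout()` starts and ends outside the hunk.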
5018 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
5019 */
5020 if (mmap_is_legacy()) {
5021 mm->mmap_base = TASK_UNMAPPED_BASE;
5022 +
5023 +#ifdef CONFIG_PAX_RANDMMAP
5024 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5025 + mm->mmap_base += mm->delta_mmap;
5026 +#endif
5027 +
5028 mm->get_unmapped_area = s390_get_unmapped_area;
5029 mm->unmap_area = arch_unmap_area;
5030 } else {
5031 mm->mmap_base = mmap_base();
5032 +
5033 +#ifdef CONFIG_PAX_RANDMMAP
5034 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5035 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5036 +#endif
5037 +
5038 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
5039 mm->unmap_area = arch_unmap_area_topdown;
5040 }
5041 diff -urNp linux-2.6.39.2/arch/score/include/asm/system.h linux-2.6.39.2/arch/score/include/asm/system.h
5042 --- linux-2.6.39.2/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
5043 +++ linux-2.6.39.2/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
5044 @@ -17,7 +17,7 @@ do { \
5045 #define finish_arch_switch(prev) do {} while (0)
5046
5047 typedef void (*vi_handler_t)(void);
5048 -extern unsigned long arch_align_stack(unsigned long sp);
5049 +#define arch_align_stack(x) (x)
5050
5051 #define mb() barrier()
5052 #define rmb() barrier()
5053 diff -urNp linux-2.6.39.2/arch/score/kernel/process.c linux-2.6.39.2/arch/score/kernel/process.c
5054 --- linux-2.6.39.2/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
5055 +++ linux-2.6.39.2/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
5056 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
5057
5058 return task_pt_regs(task)->cp0_epc;
5059 }
5060 -
5061 -unsigned long arch_align_stack(unsigned long sp)
5062 -{
5063 - return sp;
5064 -}
5065 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.2/arch/sh/drivers/pci/ops-dreamcast.c
5066 --- linux-2.6.39.2/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400
5067 +++ linux-2.6.39.2/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400
5068 @@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus
5069 return PCIBIOS_SUCCESSFUL;
5070 }
5071
5072 -struct pci_ops gapspci_pci_ops = {
5073 +const struct pci_ops gapspci_pci_ops = {
5074 .read = gapspci_read,
5075 .write = gapspci_write,
5076 };
5077 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.2/arch/sh/drivers/pci/ops-sh4.c
5078 --- linux-2.6.39.2/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400
5079 +++ linux-2.6.39.2/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400
5080 @@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus
5081 return PCIBIOS_SUCCESSFUL;
5082 }
5083
5084 -struct pci_ops sh4_pci_ops = {
5085 +const struct pci_ops sh4_pci_ops = {
5086 .read = sh4_pci_read,
5087 .write = sh4_pci_write,
5088 };
5089 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.2/arch/sh/drivers/pci/ops-sh5.c
5090 --- linux-2.6.39.2/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400
5091 +++ linux-2.6.39.2/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400
5092 @@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus *
5093 return PCIBIOS_SUCCESSFUL;
5094 }
5095
5096 -struct pci_ops sh5_pci_ops = {
5097 +const struct pci_ops sh5_pci_ops = {
5098 .read = sh5pci_read,
5099 .write = sh5pci_write,
5100 };
5101 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.2/arch/sh/drivers/pci/ops-sh7786.c
5102 --- linux-2.6.39.2/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5103 +++ linux-2.6.39.2/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5104 @@ -165,7 +165,7 @@ out:
5105 return ret;
5106 }
5107
5108 -struct pci_ops sh7786_pci_ops = {
5109 +const struct pci_ops sh7786_pci_ops = {
5110 .read = sh7786_pcie_read,
5111 .write = sh7786_pcie_write,
5112 };
5113 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.2/arch/sh/drivers/pci/pcie-sh7786.c
5114 --- linux-2.6.39.2/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5115 +++ linux-2.6.39.2/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5116 @@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou
5117 },
5118 };
5119
5120 -extern struct pci_ops sh7786_pci_ops;
5121 +extern const struct pci_ops sh7786_pci_ops;
5122
5123 #define DEFINE_CONTROLLER(start, idx) \
5124 { \
5125 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.2/arch/sh/drivers/pci/pci-sh4.h
5126 --- linux-2.6.39.2/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400
5127 +++ linux-2.6.39.2/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400
5128 @@ -161,7 +161,7 @@
5129 #define SH4_PCIPDR 0x220 /* Port IO Data Register */
5130
5131 /* arch/sh/kernel/drivers/pci/ops-sh4.c */
5132 -extern struct pci_ops sh4_pci_ops;
5133 +extern const struct pci_ops sh4_pci_ops;
5134 int pci_fixup_pcic(struct pci_channel *chan);
5135
5136 struct sh4_pci_address_space {
5137 diff -urNp linux-2.6.39.2/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.2/arch/sh/drivers/pci/pci-sh5.h
5138 --- linux-2.6.39.2/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400
5139 +++ linux-2.6.39.2/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400
5140 @@ -105,6 +105,6 @@ extern unsigned long pcicr_virt;
5141 #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5142 #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5143
5144 -extern struct pci_ops sh5_pci_ops;
5145 +extern const struct pci_ops sh5_pci_ops;
5146
5147 #endif /* __PCI_SH5_H */
5148 diff -urNp linux-2.6.39.2/arch/sh/include/asm/dma-mapping.h linux-2.6.39.2/arch/sh/include/asm/dma-mapping.h
5149 --- linux-2.6.39.2/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5150 +++ linux-2.6.39.2/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5151 @@ -1,10 +1,10 @@
5152 #ifndef __ASM_SH_DMA_MAPPING_H
5153 #define __ASM_SH_DMA_MAPPING_H
5154
5155 -extern struct dma_map_ops *dma_ops;
5156 +extern const struct dma_map_ops *dma_ops;
5157 extern void no_iommu_init(void);
5158
5159 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5160 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5161 {
5162 return dma_ops;
5163 }
5164 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
5165
5166 static inline int dma_supported(struct device *dev, u64 mask)
5167 {
5168 - struct dma_map_ops *ops = get_dma_ops(dev);
5169 + const struct dma_map_ops *ops = get_dma_ops(dev);
5170
5171 if (ops->dma_supported)
5172 return ops->dma_supported(dev, mask);
5173 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
5174
5175 static inline int dma_set_mask(struct device *dev, u64 mask)
5176 {
5177 - struct dma_map_ops *ops = get_dma_ops(dev);
5178 + const struct dma_map_ops *ops = get_dma_ops(dev);
5179
5180 if (!dev->dma_mask || !dma_supported(dev, mask))
5181 return -EIO;
5182 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
5183
5184 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
5185 {
5186 - struct dma_map_ops *ops = get_dma_ops(dev);
5187 + const struct dma_map_ops *ops = get_dma_ops(dev);
5188
5189 if (ops->mapping_error)
5190 return ops->mapping_error(dev, dma_addr);
5191 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
5192 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5193 dma_addr_t *dma_handle, gfp_t gfp)
5194 {
5195 - struct dma_map_ops *ops = get_dma_ops(dev);
5196 + const struct dma_map_ops *ops = get_dma_ops(dev);
5197 void *memory;
5198
5199 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
5200 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
5201 static inline void dma_free_coherent(struct device *dev, size_t size,
5202 void *vaddr, dma_addr_t dma_handle)
5203 {
5204 - struct dma_map_ops *ops = get_dma_ops(dev);
5205 + const struct dma_map_ops *ops = get_dma_ops(dev);
5206
5207 if (dma_release_from_coherent(dev, get_order(size), vaddr))
5208 return;
5209 diff -urNp linux-2.6.39.2/arch/sh/kernel/dma-nommu.c linux-2.6.39.2/arch/sh/kernel/dma-nommu.c
5210 --- linux-2.6.39.2/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400
5211 +++ linux-2.6.39.2/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400
5212 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
5213 }
5214 #endif
5215
5216 -struct dma_map_ops nommu_dma_ops = {
5217 +const struct dma_map_ops nommu_dma_ops = {
5218 .alloc_coherent = dma_generic_alloc_coherent,
5219 .free_coherent = dma_generic_free_coherent,
5220 .map_page = nommu_map_page,
5221 diff -urNp linux-2.6.39.2/arch/sh/kernel/kgdb.c linux-2.6.39.2/arch/sh/kernel/kgdb.c
5222 --- linux-2.6.39.2/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
5223 +++ linux-2.6.39.2/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
5224 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
5225 unregister_die_notifier(&kgdb_notifier);
5226 }
5227
5228 -struct kgdb_arch arch_kgdb_ops = {
5229 +const struct kgdb_arch arch_kgdb_ops = {
5230 /* Breakpoint instruction: trapa #0x3c */
5231 #ifdef CONFIG_CPU_LITTLE_ENDIAN
5232 .gdb_bpt_instr = { 0x3c, 0xc3 },
5233 diff -urNp linux-2.6.39.2/arch/sh/mm/consistent.c linux-2.6.39.2/arch/sh/mm/consistent.c
5234 --- linux-2.6.39.2/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400
5235 +++ linux-2.6.39.2/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400
5236 @@ -22,7 +22,7 @@
5237
5238 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
5239
5240 -struct dma_map_ops *dma_ops;
5241 +const struct dma_map_ops *dma_ops;
5242 EXPORT_SYMBOL(dma_ops);
5243
5244 static int __init dma_init(void)
5245 diff -urNp linux-2.6.39.2/arch/sh/mm/mmap.c linux-2.6.39.2/arch/sh/mm/mmap.c
5246 --- linux-2.6.39.2/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5247 +++ linux-2.6.39.2/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5248 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
5249 addr = PAGE_ALIGN(addr);
5250
5251 vma = find_vma(mm, addr);
5252 - if (TASK_SIZE - len >= addr &&
5253 - (!vma || addr + len <= vma->vm_start))
5254 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5255 return addr;
5256 }
5257
5258 @@ -106,7 +105,7 @@ full_search:
5259 }
5260 return -ENOMEM;
5261 }
5262 - if (likely(!vma || addr + len <= vma->vm_start)) {
5263 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5264 /*
5265 * Remember the place where we stopped the search:
5266 */
5267 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
5268 addr = PAGE_ALIGN(addr);
5269
5270 vma = find_vma(mm, addr);
5271 - if (TASK_SIZE - len >= addr &&
5272 - (!vma || addr + len <= vma->vm_start))
5273 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5274 return addr;
5275 }
5276
5277 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
5278 /* make sure it can fit in the remaining address space */
5279 if (likely(addr > len)) {
5280 vma = find_vma(mm, addr-len);
5281 - if (!vma || addr <= vma->vm_start) {
5282 + if (check_heap_stack_gap(vma, addr - len, len)) {
5283 /* remember the address as a hint for next time */
5284 return (mm->free_area_cache = addr-len);
5285 }
5286 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
5287 if (unlikely(mm->mmap_base < len))
5288 goto bottomup;
5289
5290 - addr = mm->mmap_base-len;
5291 - if (do_colour_align)
5292 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5293 + addr = mm->mmap_base - len;
5294
5295 do {
5296 + if (do_colour_align)
5297 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5298 /*
5299 * Lookup failure means no vma is above this address,
5300 * else if new region fits below vma->vm_start,
5301 * return with success:
5302 */
5303 vma = find_vma(mm, addr);
5304 - if (likely(!vma || addr+len <= vma->vm_start)) {
5305 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5306 /* remember the address as a hint for next time */
5307 return (mm->free_area_cache = addr);
5308 }
5309 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
5310 mm->cached_hole_size = vma->vm_start - addr;
5311
5312 /* try just below the current vma->vm_start */
5313 - addr = vma->vm_start-len;
5314 - if (do_colour_align)
5315 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5316 - } while (likely(len < vma->vm_start));
5317 + addr = skip_heap_stack_gap(vma, len);
5318 + } while (!IS_ERR_VALUE(addr));
5319
5320 bottomup:
5321 /*
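Review bot: Loop termination now rests entirely on `skip_heap_stack_gap()`, which is not defined in this file section. The removed condition `len < vma->vm_start` ruled out the underflow of `vma->vm_start - len` directly, and the new `while (!IS_ERR_VALUE(addr))` does so only if the helper returns an error-range value when there is no room below `vma`. A comment on the `while` line would record that contract, e.g. `/* skip_heap_stack_gap() yields an error value once nothing fits below vma */`, to be confirmed against the helper. The previous hunk moves `COLOUR_ALIGN_DOWN` to the top of the loop body, so the aligned-down address is what `check_heap_stack_gap()` sees on each pass, which is worth a one-line comment there too. `arch_get_unmapped_area_topdown()` starts and ends outside the hunk.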
5322 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/atomic_64.h linux-2.6.39.2/arch/sparc/include/asm/atomic_64.h
5323 --- linux-2.6.39.2/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400
5324 +++ linux-2.6.39.2/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400
5325 @@ -14,18 +14,40 @@
5326 #define ATOMIC64_INIT(i) { (i) }
5327
5328 #define atomic_read(v) (*(volatile int *)&(v)->counter)
5329 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5330 +{
5331 + return v->counter;
5332 +}
5333 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
5334 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5335 +{
5336 + return v->counter;
5337 +}
5338
5339 #define atomic_set(v, i) (((v)->counter) = i)
5340 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5341 +{
5342 + v->counter = i;
5343 +}
5344 #define atomic64_set(v, i) (((v)->counter) = i)
5345 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5346 +{
5347 + v->counter = i;
5348 +}
5349
5350 extern void atomic_add(int, atomic_t *);
5351 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
5352 extern void atomic64_add(long, atomic64_t *);
5353 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
5354 extern void atomic_sub(int, atomic_t *);
5355 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
5356 extern void atomic64_sub(long, atomic64_t *);
5357 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
5358
5359 extern int atomic_add_ret(int, atomic_t *);
5360 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
5361 extern long atomic64_add_ret(long, atomic64_t *);
5362 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
5363 extern int atomic_sub_ret(int, atomic_t *);
5364 extern long atomic64_sub_ret(long, atomic64_t *);
5365
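Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, while the `atomic_read()`/`atomic64_read()` macros next to them go through a `volatile` cast. Unless `atomic_unchecked_t` declares `counter` as volatile (its definition is not in this hunk), the compiler may merge or hoist repeated unchecked reads in a polling loop. Matching the checked form would be `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;`. The `_unchecked` setters are plain stores like the macros they mirror, so they need no change.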
5366 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
5367 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
5368
5369 #define atomic_inc_return(v) atomic_add_ret(1, v)
5370 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5371 +{
5372 + return atomic_add_ret_unchecked(1, v);
5373 +}
5374 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
5375 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
5376 +{
5377 + return atomic64_add_ret_unchecked(1, v);
5378 +}
5379
5380 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
5381 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
5382
5383 #define atomic_add_return(i, v) atomic_add_ret(i, v)
5384 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5385 +{
5386 + return atomic_add_ret_unchecked(i, v);
5387 +}
5388 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
5389
5390 /*
5391 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
5392 * other cases.
5393 */
5394 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5395 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
5396 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
5397
5398 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
5399 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
5400 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
5401
5402 #define atomic_inc(v) atomic_add(1, v)
5403 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5404 +{
5405 + atomic_add_unchecked(1, v);
5406 +}
5407 #define atomic64_inc(v) atomic64_add(1, v)
5408 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
5409 +{
5410 + atomic64_add_unchecked(1, v);
5411 +}
5412
5413 #define atomic_dec(v) atomic_sub(1, v)
5414 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
5415 +{
5416 + atomic_sub_unchecked(1, v);
5417 +}
5418 #define atomic64_dec(v) atomic64_sub(1, v)
5419 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
5420 +{
5421 + atomic64_sub_unchecked(1, v);
5422 +}
5423
5424 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
5425 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
5426
5427 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5428 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5429 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
5430 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
5431
5432 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5433 {
5434 - int c, old;
5435 + int c, old, new;
5436 c = atomic_read(v);
5437 for (;;) {
5438 - if (unlikely(c == (u)))
5439 + if (unlikely(c == u))
5440 break;
5441 - old = atomic_cmpxchg((v), c, c + (a));
5442 +
5443 + asm volatile("addcc %2, %0, %0\n"
5444 +
5445 +#ifdef CONFIG_PAX_REFCOUNT
5446 + "tvs %%icc, 6\n"
5447 +#endif
5448 +
5449 + : "=r" (new)
5450 + : "0" (c), "ir" (a)
5451 + : "cc");
5452 +
5453 + old = atomic_cmpxchg(v, c, new);
5454 if (likely(old == c))
5455 break;
5456 c = old;
5457 }
5458 - return c != (u);
5459 + return c != u;
5460 }
5461
5462 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
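Review bot: The trap number in `tvs %%icc, 6` inside atomic_add_unless is a bare literal with no comment, and the same literal recurs as `tvs %%xcc, 6` in atomic64_add_unless in the next hunk. Nothing in this header says what software trap 6 does; presumably a handler elsewhere in the patch treats it as a reference-counter overflow, but that is not visible here. I would add `/* trap on signed overflow so that a wrapped sum is caught before the cmpxchg */` above each `#ifdef CONFIG_PAX_REFCOUNT`. The comment should also mention that the `addcc` asm replaces the plain `c + (a)` even when the option is off, since only the `tvs` line is conditional.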
5463 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
5464
5465 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
5466 {
5467 - long c, old;
5468 + long c, old, new;
5469 c = atomic64_read(v);
5470 for (;;) {
5471 - if (unlikely(c == (u)))
5472 + if (unlikely(c == u))
5473 break;
5474 - old = atomic64_cmpxchg((v), c, c + (a));
5475 +
5476 + asm volatile("addcc %2, %0, %0\n"
5477 +
5478 +#ifdef CONFIG_PAX_REFCOUNT
5479 + "tvs %%xcc, 6\n"
5480 +#endif
5481 +
5482 + : "=r" (new)
5483 + : "0" (c), "ir" (a)
5484 + : "cc");
5485 +
5486 + old = atomic64_cmpxchg(v, c, new);
5487 if (likely(old == c))
5488 break;
5489 c = old;
5490 }
5491 - return c != (u);
5492 + return c != u;
5493 }
5494
5495 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
5496 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/cache.h linux-2.6.39.2/arch/sparc/include/asm/cache.h
5497 --- linux-2.6.39.2/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
5498 +++ linux-2.6.39.2/arch/sparc/include/asm/cache.h 2011-05-22 19:36:30.000000000 -0400
5499 @@ -10,7 +10,7 @@
5500 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
5501
5502 #define L1_CACHE_SHIFT 5
5503 -#define L1_CACHE_BYTES 32
5504 +#define L1_CACHE_BYTES 32U
5505
5506 #ifdef CONFIG_SPARC32
5507 #define SMP_CACHE_BYTES_SHIFT 5
5508 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.2/arch/sparc/include/asm/dma-mapping.h
5509 --- linux-2.6.39.2/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5510 +++ linux-2.6.39.2/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5511 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
5512 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
5513 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
5514
5515 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
5516 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
5517 extern struct bus_type pci_bus_type;
5518
5519 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5520 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5521 {
5522 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
5523 if (dev->bus == &pci_bus_type)
5524 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
5525 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5526 dma_addr_t *dma_handle, gfp_t flag)
5527 {
5528 - struct dma_map_ops *ops = get_dma_ops(dev);
5529 + const struct dma_map_ops *ops = get_dma_ops(dev);
5530 void *cpu_addr;
5531
5532 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
5533 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
5534 static inline void dma_free_coherent(struct device *dev, size_t size,
5535 void *cpu_addr, dma_addr_t dma_handle)
5536 {
5537 - struct dma_map_ops *ops = get_dma_ops(dev);
5538 + const struct dma_map_ops *ops = get_dma_ops(dev);
5539
5540 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
5541 ops->free_coherent(dev, size, cpu_addr, dma_handle);
5542 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/elf_32.h linux-2.6.39.2/arch/sparc/include/asm/elf_32.h
5543 --- linux-2.6.39.2/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400
5544 +++ linux-2.6.39.2/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400
5545 @@ -114,6 +114,13 @@ typedef struct {
5546
5547 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
5548
5549 +#ifdef CONFIG_PAX_ASLR
5550 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5551 +
5552 +#define PAX_DELTA_MMAP_LEN 16
5553 +#define PAX_DELTA_STACK_LEN 16
5554 +#endif
5555 +
5556 /* This yields a mask that user programs can use to figure out what
5557 instruction set this cpu supports. This can NOT be done in userspace
5558 on Sparc. */
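Review bot: The new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` defines carry no comment saying what unit they are in, here and in the elf_64.h hunk that follows. They look like counts of randomised address bits, but the header states neither that nor the granularity they apply at. In elf_64.h the 32-bit and 64-bit values also differ (14/28 and 15/29) without explanation. A line such as `/* number of random bits applied to the mmap / stack base */` above the defines would let a reader check the entropy against the address-space size; confirm the wording against the code that consumes these macros.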
5559 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/elf_64.h linux-2.6.39.2/arch/sparc/include/asm/elf_64.h
5560 --- linux-2.6.39.2/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400
5561 +++ linux-2.6.39.2/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400
5562 @@ -162,6 +162,12 @@ typedef struct {
5563 #define ELF_ET_DYN_BASE 0x0000010000000000UL
5564 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
5565
5566 +#ifdef CONFIG_PAX_ASLR
5567 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
5568 +
5569 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
5570 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
5571 +#endif
5572
5573 /* This yields a mask that user programs can use to figure out what
5574 instruction set this cpu supports. */
5575 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.2/arch/sparc/include/asm/pgtable_32.h
5576 --- linux-2.6.39.2/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
5577 +++ linux-2.6.39.2/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
5578 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
5579 BTFIXUPDEF_INT(page_none)
5580 BTFIXUPDEF_INT(page_copy)
5581 BTFIXUPDEF_INT(page_readonly)
5582 +
5583 +#ifdef CONFIG_PAX_PAGEEXEC
5584 +BTFIXUPDEF_INT(page_shared_noexec)
5585 +BTFIXUPDEF_INT(page_copy_noexec)
5586 +BTFIXUPDEF_INT(page_readonly_noexec)
5587 +#endif
5588 +
5589 BTFIXUPDEF_INT(page_kernel)
5590
5591 #define PMD_SHIFT SUN4C_PMD_SHIFT
5592 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
5593 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
5594 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
5595
5596 +#ifdef CONFIG_PAX_PAGEEXEC
5597 +extern pgprot_t PAGE_SHARED_NOEXEC;
5598 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
5599 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
5600 +#else
5601 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
5602 +# define PAGE_COPY_NOEXEC PAGE_COPY
5603 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
5604 +#endif
5605 +
5606 extern unsigned long page_kernel;
5607
5608 #ifdef MODULE
5609 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.2/arch/sparc/include/asm/pgtsrmmu.h
5610 --- linux-2.6.39.2/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400
5611 +++ linux-2.6.39.2/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400
5612 @@ -115,6 +115,13 @@
5613 SRMMU_EXEC | SRMMU_REF)
5614 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
5615 SRMMU_EXEC | SRMMU_REF)
5616 +
5617 +#ifdef CONFIG_PAX_PAGEEXEC
5618 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
5619 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5620 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5621 +#endif
5622 +
5623 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
5624 SRMMU_DIRTY | SRMMU_REF)
5625
5626 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.2/arch/sparc/include/asm/spinlock_64.h
5627 --- linux-2.6.39.2/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400
5628 +++ linux-2.6.39.2/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400
5629 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
5630
5631 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
5632
5633 -static void inline arch_read_lock(arch_rwlock_t *lock)
5634 +static inline void arch_read_lock(arch_rwlock_t *lock)
5635 {
5636 unsigned long tmp1, tmp2;
5637
5638 __asm__ __volatile__ (
5639 "1: ldsw [%2], %0\n"
5640 " brlz,pn %0, 2f\n"
5641 -"4: add %0, 1, %1\n"
5642 +"4: addcc %0, 1, %1\n"
5643 +
5644 +#ifdef CONFIG_PAX_REFCOUNT
5645 +" tvs %%icc, 6\n"
5646 +#endif
5647 +
5648 " cas [%2], %0, %1\n"
5649 " cmp %0, %1\n"
5650 " bne,pn %%icc, 1b\n"
5651 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
5652 " .previous"
5653 : "=&r" (tmp1), "=&r" (tmp2)
5654 : "r" (lock)
5655 - : "memory");
5656 + : "memory", "cc");
5657 }
5658
5659 -static int inline arch_read_trylock(arch_rwlock_t *lock)
5660 +static inline int arch_read_trylock(arch_rwlock_t *lock)
5661 {
5662 int tmp1, tmp2;
5663
5664 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
5665 "1: ldsw [%2], %0\n"
5666 " brlz,a,pn %0, 2f\n"
5667 " mov 0, %0\n"
5668 -" add %0, 1, %1\n"
5669 +" addcc %0, 1, %1\n"
5670 +
5671 +#ifdef CONFIG_PAX_REFCOUNT
5672 +" tvs %%icc, 6\n"
5673 +#endif
5674 +
5675 " cas [%2], %0, %1\n"
5676 " cmp %0, %1\n"
5677 " bne,pn %%icc, 1b\n"
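Review bot: The clobber list of arch_read_trylock is not touched by this hunk, although the asm now uses `addcc` and `tvs` and therefore depends on the condition codes at a new point. arch_read_lock gets `"cc"` added in the hunk above, but arch_read_unlock, which receives the same `subcc`/`tvs` change in the next hunk, still shows `: "memory");` as a context line. For consistency both remaining lists should read `: "memory", "cc");`. The end of the trylock asm statement lies between hunks, so its current list is inferred from the absence of a change.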
5678 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
5679 return tmp1;
5680 }
5681
5682 -static void inline arch_read_unlock(arch_rwlock_t *lock)
5683 +static inline void arch_read_unlock(arch_rwlock_t *lock)
5684 {
5685 unsigned long tmp1, tmp2;
5686
5687 __asm__ __volatile__(
5688 "1: lduw [%2], %0\n"
5689 -" sub %0, 1, %1\n"
5690 +" subcc %0, 1, %1\n"
5691 +
5692 +#ifdef CONFIG_PAX_REFCOUNT
5693 +" tvs %%icc, 6\n"
5694 +#endif
5695 +
5696 " cas [%2], %0, %1\n"
5697 " cmp %0, %1\n"
5698 " bne,pn %%xcc, 1b\n"
5699 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
5700 : "memory");
5701 }
5702
5703 -static void inline arch_write_lock(arch_rwlock_t *lock)
5704 +static inline void arch_write_lock(arch_rwlock_t *lock)
5705 {
5706 unsigned long mask, tmp1, tmp2;
5707
5708 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
5709 : "memory");
5710 }
5711
5712 -static void inline arch_write_unlock(arch_rwlock_t *lock)
5713 +static inline void arch_write_unlock(arch_rwlock_t *lock)
5714 {
5715 __asm__ __volatile__(
5716 " stw %%g0, [%0]"
5717 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
5718 : "memory");
5719 }
5720
5721 -static int inline arch_write_trylock(arch_rwlock_t *lock)
5722 +static inline int arch_write_trylock(arch_rwlock_t *lock)
5723 {
5724 unsigned long mask, tmp1, tmp2, result;
5725
5726 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.2/arch/sparc/include/asm/thread_info_32.h
5727 --- linux-2.6.39.2/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400
5728 +++ linux-2.6.39.2/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400
5729 @@ -50,6 +50,8 @@ struct thread_info {
5730 unsigned long w_saved;
5731
5732 struct restart_block restart_block;
5733 +
5734 + unsigned long lowest_stack;
5735 };
5736
5737 /*
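Review bot: The new `lowest_stack` member is added without a comment and without a config guard, here and in the thread_info_64.h hunk that follows. Going by the name it tracks the lowest stack address reached, but the header should say so and name the feature that maintains it, for example `/* lowest stack address seen so far; TODO confirm against the code that updates it */`. struct thread_info begins outside both hunks. If assembly code addresses its fields by fixed offsets, which is not visible here, the placement before `fpregs` in the 64-bit struct should be checked against them.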
5738 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.2/arch/sparc/include/asm/thread_info_64.h
5739 --- linux-2.6.39.2/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400
5740 +++ linux-2.6.39.2/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400
5741 @@ -63,6 +63,8 @@ struct thread_info {
5742 struct pt_regs *kern_una_regs;
5743 unsigned int kern_una_insn;
5744
5745 + unsigned long lowest_stack;
5746 +
5747 unsigned long fpregs[0] __attribute__ ((aligned(64)));
5748 };
5749
5750 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.2/arch/sparc/include/asm/uaccess_32.h
5751 --- linux-2.6.39.2/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
5752 +++ linux-2.6.39.2/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
5753 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
5754
5755 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
5756 {
5757 - if (n && __access_ok((unsigned long) to, n))
5758 + if ((long)n < 0)
5759 + return n;
5760 +
5761 + if (n && __access_ok((unsigned long) to, n)) {
5762 + if (!__builtin_constant_p(n))
5763 + check_object_size(from, n, true);
5764 return __copy_user(to, (__force void __user *) from, n);
5765 - else
5766 + } else
5767 return n;
5768 }
5769
5770 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
5771 {
5772 + if ((long)n < 0)
5773 + return n;
5774 +
5775 + if (!__builtin_constant_p(n))
5776 + check_object_size(from, n, true);
5777 +
5778 return __copy_user(to, (__force void __user *) from, n);
5779 }
5780
5781 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
5782 {
5783 - if (n && __access_ok((unsigned long) from, n))
5784 + if ((long)n < 0)
5785 + return n;
5786 +
5787 + if (n && __access_ok((unsigned long) from, n)) {
5788 + if (!__builtin_constant_p(n))
5789 + check_object_size(to, n, false);
5790 return __copy_user((__force void __user *) to, from, n);
5791 - else
5792 + } else
5793 return n;
5794 }
5795
5796 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
5797 {
5798 + if ((long)n < 0)
5799 + return n;
5800 +
5801 return __copy_user((__force void __user *) to, from, n);
5802 }
5803
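Review bot: __copy_from_user is the only one of the four helpers in this hunk that does not call check_object_size; it gains the `(long)n < 0` test and then goes straight to __copy_user. copy_from_user checks its destination with `check_object_size(to, n, false)` and __copy_to_user checks its source, so callers that use the double-underscore variant skip the kernel-object bounds check on the write side. Unless the omission is deliberate, add `if (!__builtin_constant_p(n))` followed by `check_object_size(to, n, false);` before the __copy_user call. If it is deliberate, a one-line comment saying why would prevent the question.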
5804 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.2/arch/sparc/include/asm/uaccess_64.h
5805 --- linux-2.6.39.2/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
5806 +++ linux-2.6.39.2/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
5807 @@ -10,6 +10,7 @@
5808 #include <linux/compiler.h>
5809 #include <linux/string.h>
5810 #include <linux/thread_info.h>
5811 +#include <linux/kernel.h>
5812 #include <asm/asi.h>
5813 #include <asm/system.h>
5814 #include <asm/spitfire.h>
5815 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
5816 static inline unsigned long __must_check
5817 copy_from_user(void *to, const void __user *from, unsigned long size)
5818 {
5819 - unsigned long ret = ___copy_from_user(to, from, size);
5820 + unsigned long ret;
5821
5822 + if ((long)size < 0 || size > INT_MAX)
5823 + return size;
5824 +
5825 + if (!__builtin_constant_p(size))
5826 + check_object_size(to, size, false);
5827 +
5828 + ret = ___copy_from_user(to, from, size);
5829 if (unlikely(ret))
5830 ret = copy_from_user_fixup(to, from, size);
5831
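Review bot: In copy_from_user the first half of `(long)size < 0 || size > INT_MAX` is redundant. size is an unsigned long and this is the 64-bit header, so any value that is negative as a long is already greater than INT_MAX. `if (size > INT_MAX)` expresses the same bound, and the copy_to_user hunk below has the identical line. A short comment on why INT_MAX is the cap would help, since the 32-bit header only rejects sizes with the top bit set. The function body continues past the end of the hunk.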
5832 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
5833 static inline unsigned long __must_check
5834 copy_to_user(void __user *to, const void *from, unsigned long size)
5835 {
5836 - unsigned long ret = ___copy_to_user(to, from, size);
5837 + unsigned long ret;
5838 +
5839 + if ((long)size < 0 || size > INT_MAX)
5840 + return size;
5841 +
5842 + if (!__builtin_constant_p(size))
5843 + check_object_size(from, size, true);
5844
5845 + ret = ___copy_to_user(to, from, size);
5846 if (unlikely(ret))
5847 ret = copy_to_user_fixup(to, from, size);
5848 return ret;
5849 diff -urNp linux-2.6.39.2/arch/sparc/include/asm/uaccess.h linux-2.6.39.2/arch/sparc/include/asm/uaccess.h
5850 --- linux-2.6.39.2/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
5851 +++ linux-2.6.39.2/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
5852 @@ -1,5 +1,13 @@
5853 #ifndef ___ASM_SPARC_UACCESS_H
5854 #define ___ASM_SPARC_UACCESS_H
5855 +
5856 +#ifdef __KERNEL__
5857 +#ifndef __ASSEMBLY__
5858 +#include <linux/types.h>
5859 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
5860 +#endif
5861 +#endif
5862 +
5863 #if defined(__sparc__) && defined(__arch64__)
5864 #include <asm/uaccess_64.h>
5865 #else
5866 diff -urNp linux-2.6.39.2/arch/sparc/kernel/iommu.c linux-2.6.39.2/arch/sparc/kernel/iommu.c
5867 --- linux-2.6.39.2/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400
5868 +++ linux-2.6.39.2/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400
5869 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5870 spin_unlock_irqrestore(&iommu->lock, flags);
5871 }
5872
5873 -static struct dma_map_ops sun4u_dma_ops = {
5874 +static const struct dma_map_ops sun4u_dma_ops = {
5875 .alloc_coherent = dma_4u_alloc_coherent,
5876 .free_coherent = dma_4u_free_coherent,
5877 .map_page = dma_4u_map_page,
5878 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
5879 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5880 };
5881
5882 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5883 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5884 EXPORT_SYMBOL(dma_ops);
5885
5886 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
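Review bot: Making sun4u_dma_ops const protects the table's function pointers, but the exported `dma_ops` defined on the changed line is a writable pointer to const, so the indirection itself is not covered by this change. Whether it is reassigned after boot is not visible in this hunk. I would document the intent at the definition, for example `/* table is read-only; the pointer stays writable because <reason> */`. If it turns out to be set only once during init, that is worth stating as well.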
5887 diff -urNp linux-2.6.39.2/arch/sparc/kernel/ioport.c linux-2.6.39.2/arch/sparc/kernel/ioport.c
5888 --- linux-2.6.39.2/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
5889 +++ linux-2.6.39.2/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400
5890 @@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru
5891 BUG();
5892 }
5893
5894 -struct dma_map_ops sbus_dma_ops = {
5895 +const struct dma_map_ops sbus_dma_ops = {
5896 .alloc_coherent = sbus_alloc_coherent,
5897 .free_coherent = sbus_free_coherent,
5898 .map_page = sbus_map_page,
5899 @@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str
5900 }
5901 }
5902
5903 -struct dma_map_ops pci32_dma_ops = {
5904 +const struct dma_map_ops pci32_dma_ops = {
5905 .alloc_coherent = pci32_alloc_coherent,
5906 .free_coherent = pci32_free_coherent,
5907 .map_page = pci32_map_page,
5908 diff -urNp linux-2.6.39.2/arch/sparc/kernel/kgdb_32.c linux-2.6.39.2/arch/sparc/kernel/kgdb_32.c
5909 --- linux-2.6.39.2/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400
5910 +++ linux-2.6.39.2/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400
5911 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5912 regs->npc = regs->pc + 4;
5913 }
5914
5915 -struct kgdb_arch arch_kgdb_ops = {
5916 +const struct kgdb_arch arch_kgdb_ops = {
5917 /* Breakpoint instruction: ta 0x7d */
5918 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5919 };
5920 diff -urNp linux-2.6.39.2/arch/sparc/kernel/kgdb_64.c linux-2.6.39.2/arch/sparc/kernel/kgdb_64.c
5921 --- linux-2.6.39.2/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400
5922 +++ linux-2.6.39.2/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400
5923 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5924 regs->tnpc = regs->tpc + 4;
5925 }
5926
5927 -struct kgdb_arch arch_kgdb_ops = {
5928 +const struct kgdb_arch arch_kgdb_ops = {
5929 /* Breakpoint instruction: ta 0x72 */
5930 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5931 };
5932 diff -urNp linux-2.6.39.2/arch/sparc/kernel/Makefile linux-2.6.39.2/arch/sparc/kernel/Makefile
5933 --- linux-2.6.39.2/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400
5934 +++ linux-2.6.39.2/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400
5935 @@ -3,7 +3,7 @@
5936 #
5937
5938 asflags-y := -ansi
5939 -ccflags-y := -Werror
5940 +#ccflags-y := -Werror
5941
5942 extra-y := head_$(BITS).o
5943 extra-y += init_task.o
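Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for everything built from arch/sparc/kernel and leaves a dead line with no explanation. Presumably the const-qualification changes elsewhere in this patch produce warnings here. Discarded-qualifier warnings are exactly what would point at a place that still writes to a table that is now const, so silencing them directory-wide loses a useful check. At minimum add a comment such as `# -Werror disabled: <which warnings, which files>`, and prefer fixing or narrowing the offending files over disabling the flag.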
5944 diff -urNp linux-2.6.39.2/arch/sparc/kernel/pcic.c linux-2.6.39.2/arch/sparc/kernel/pcic.c
5945 --- linux-2.6.39.2/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400
5946 +++ linux-2.6.39.2/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400
5947 @@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_
5948 return -EINVAL;
5949 }
5950
5951 -static struct pci_ops pcic_ops = {
5952 +static const struct pci_ops pcic_ops = {
5953 .read = pcic_read_config,
5954 .write = pcic_write_config,
5955 };
5956 diff -urNp linux-2.6.39.2/arch/sparc/kernel/pci_common.c linux-2.6.39.2/arch/sparc/kernel/pci_common.c
5957 --- linux-2.6.39.2/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400
5958 +++ linux-2.6.39.2/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400
5959 @@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc
5960 return PCIBIOS_SUCCESSFUL;
5961 }
5962
5963 -struct pci_ops sun4u_pci_ops = {
5964 +const struct pci_ops sun4u_pci_ops = {
5965 .read = sun4u_read_pci_cfg,
5966 .write = sun4u_write_pci_cfg,
5967 };
5968 @@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc
5969 return PCIBIOS_SUCCESSFUL;
5970 }
5971
5972 -struct pci_ops sun4v_pci_ops = {
5973 +const struct pci_ops sun4v_pci_ops = {
5974 .read = sun4v_read_pci_cfg,
5975 .write = sun4v_write_pci_cfg,
5976 };
5977 diff -urNp linux-2.6.39.2/arch/sparc/kernel/pci_impl.h linux-2.6.39.2/arch/sparc/kernel/pci_impl.h
5978 --- linux-2.6.39.2/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400
5979 +++ linux-2.6.39.2/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400
5980 @@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr,
5981 extern void pci_config_write16(u16 *addr, u16 val);
5982 extern void pci_config_write32(u32 *addr, u32 val);
5983
5984 -extern struct pci_ops sun4u_pci_ops;
5985 -extern struct pci_ops sun4v_pci_ops;
5986 +extern const struct pci_ops sun4u_pci_ops;
5987 +extern const struct pci_ops sun4v_pci_ops;
5988
5989 extern volatile int pci_poke_in_progress;
5990 extern volatile int pci_poke_cpu;
5991 diff -urNp linux-2.6.39.2/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.2/arch/sparc/kernel/pci_sun4v.c
5992 --- linux-2.6.39.2/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400
5993 +++ linux-2.6.39.2/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400
5994 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
5995 spin_unlock_irqrestore(&iommu->lock, flags);
5996 }
5997
5998 -static struct dma_map_ops sun4v_dma_ops = {
5999 +static const struct dma_map_ops sun4v_dma_ops = {
6000 .alloc_coherent = dma_4v_alloc_coherent,
6001 .free_coherent = dma_4v_free_coherent,
6002 .map_page = dma_4v_map_page,
6003 diff -urNp linux-2.6.39.2/arch/sparc/kernel/process_32.c linux-2.6.39.2/arch/sparc/kernel/process_32.c
6004 --- linux-2.6.39.2/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
6005 +++ linux-2.6.39.2/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400
6006 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
6007 rw->ins[4], rw->ins[5],
6008 rw->ins[6],
6009 rw->ins[7]);
6010 - printk("%pS\n", (void *) rw->ins[7]);
6011 + printk("%pA\n", (void *) rw->ins[7]);
6012 rw = (struct reg_window32 *) rw->ins[6];
6013 }
6014 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
6015 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
6016
6017 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
6018 r->psr, r->pc, r->npc, r->y, print_tainted());
6019 - printk("PC: <%pS>\n", (void *) r->pc);
6020 + printk("PC: <%pA>\n", (void *) r->pc);
6021 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6022 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
6023 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
6024 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6025 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
6026 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
6027 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
6028 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
6029
6030 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6031 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
6032 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
6033 rw = (struct reg_window32 *) fp;
6034 pc = rw->ins[7];
6035 printk("[%08lx : ", pc);
6036 - printk("%pS ] ", (void *) pc);
6037 + printk("%pA ] ", (void *) pc);
6038 fp = rw->ins[6];
6039 } while (++count < 16);
6040 printk("\n");
6041 diff -urNp linux-2.6.39.2/arch/sparc/kernel/process_64.c linux-2.6.39.2/arch/sparc/kernel/process_64.c
6042 --- linux-2.6.39.2/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
6043 +++ linux-2.6.39.2/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400
6044 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
6045 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
6046 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
6047 if (regs->tstate & TSTATE_PRIV)
6048 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
6049 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
6050 }
6051
6052 void show_regs(struct pt_regs *regs)
6053 {
6054 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
6055 regs->tpc, regs->tnpc, regs->y, print_tainted());
6056 - printk("TPC: <%pS>\n", (void *) regs->tpc);
6057 + printk("TPC: <%pA>\n", (void *) regs->tpc);
6058 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
6059 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
6060 regs->u_regs[3]);
6061 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
6062 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
6063 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
6064 regs->u_regs[15]);
6065 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
6066 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
6067 show_regwindow(regs);
6068 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
6069 }
6070 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
6071 ((tp && tp->task) ? tp->task->pid : -1));
6072
6073 if (gp->tstate & TSTATE_PRIV) {
6074 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
6075 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
6076 (void *) gp->tpc,
6077 (void *) gp->o7,
6078 (void *) gp->i7,
6079 diff -urNp linux-2.6.39.2/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.2/arch/sparc/kernel/sys_sparc_32.c
6080 --- linux-2.6.39.2/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400
6081 +++ linux-2.6.39.2/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400
6082 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
6083 if (ARCH_SUN4C && len > 0x20000000)
6084 return -ENOMEM;
6085 if (!addr)
6086 - addr = TASK_UNMAPPED_BASE;
6087 + addr = current->mm->mmap_base;
6088
6089 if (flags & MAP_SHARED)
6090 addr = COLOUR_ALIGN(addr);
6091 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
6092 }
6093 if (TASK_SIZE - PAGE_SIZE - len < addr)
6094 return -ENOMEM;
6095 - if (!vmm || addr + len <= vmm->vm_start)
6096 + if (check_heap_stack_gap(vmm, addr, len))
6097 return addr;
6098 addr = vmm->vm_end;
6099 if (flags & MAP_SHARED)
6100 diff -urNp linux-2.6.39.2/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.2/arch/sparc/kernel/sys_sparc_64.c
6101 --- linux-2.6.39.2/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400
6102 +++ linux-2.6.39.2/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400
6103 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
6104 /* We do not accept a shared mapping if it would violate
6105 * cache aliasing constraints.
6106 */
6107 - if ((flags & MAP_SHARED) &&
6108 + if ((filp || (flags & MAP_SHARED)) &&
6109 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6110 return -EINVAL;
6111 return addr;
6112 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
6113 if (filp || (flags & MAP_SHARED))
6114 do_color_align = 1;
6115
6116 +#ifdef CONFIG_PAX_RANDMMAP
6117 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
6118 +#endif
6119 +
6120 if (addr) {
6121 if (do_color_align)
6122 addr = COLOUR_ALIGN(addr, pgoff);
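Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and no body of its own; it takes the following `if (addr) {` block as its body across an `#endif` and a blank line. That is easy to break by inserting a statement in between, and the intent is not stated. I would drop the blank line and add `/* RANDMMAP: ignore the caller's address hint; this test guards the if (addr) block below */`. The hint path of arch_get_unmapped_area_topdown (hunk @@ -236,8) shows no equivalent test in its visible lines, so confirm whether that difference is intended. arch_get_unmapped_area starts outside this hunk.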
6123 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
6124 addr = PAGE_ALIGN(addr);
6125
6126 vma = find_vma(mm, addr);
6127 - if (task_size - len >= addr &&
6128 - (!vma || addr + len <= vma->vm_start))
6129 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6130 return addr;
6131 }
6132
6133 if (len > mm->cached_hole_size) {
6134 - start_addr = addr = mm->free_area_cache;
6135 + start_addr = addr = mm->free_area_cache;
6136 } else {
6137 - start_addr = addr = TASK_UNMAPPED_BASE;
6138 + start_addr = addr = mm->mmap_base;
6139 mm->cached_hole_size = 0;
6140 }
6141
6142 @@ -174,14 +177,14 @@ full_search:
6143 vma = find_vma(mm, VA_EXCLUDE_END);
6144 }
6145 if (unlikely(task_size < addr)) {
6146 - if (start_addr != TASK_UNMAPPED_BASE) {
6147 - start_addr = addr = TASK_UNMAPPED_BASE;
6148 + if (start_addr != mm->mmap_base) {
6149 + start_addr = addr = mm->mmap_base;
6150 mm->cached_hole_size = 0;
6151 goto full_search;
6152 }
6153 return -ENOMEM;
6154 }
6155 - if (likely(!vma || addr + len <= vma->vm_start)) {
6156 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6157 /*
6158 * Remember the place where we stopped the search:
6159 */
6160 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
6161 /* We do not accept a shared mapping if it would violate
6162 * cache aliasing constraints.
6163 */
6164 - if ((flags & MAP_SHARED) &&
6165 + if ((filp || (flags & MAP_SHARED)) &&
6166 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6167 return -EINVAL;
6168 return addr;
6169 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
6170 addr = PAGE_ALIGN(addr);
6171
6172 vma = find_vma(mm, addr);
6173 - if (task_size - len >= addr &&
6174 - (!vma || addr + len <= vma->vm_start))
6175 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6176 return addr;
6177 }
6178
6179 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
6180 /* make sure it can fit in the remaining address space */
6181 if (likely(addr > len)) {
6182 vma = find_vma(mm, addr-len);
6183 - if (!vma || addr <= vma->vm_start) {
6184 + if (check_heap_stack_gap(vma, addr - len, len)) {
6185 /* remember the address as a hint for next time */
6186 return (mm->free_area_cache = addr-len);
6187 }
6188 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
6189 if (unlikely(mm->mmap_base < len))
6190 goto bottomup;
6191
6192 - addr = mm->mmap_base-len;
6193 - if (do_color_align)
6194 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6195 + addr = mm->mmap_base - len;
6196
6197 do {
6198 + if (do_color_align)
6199 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6200 /*
6201 * Lookup failure means no vma is above this address,
6202 * else if new region fits below vma->vm_start,
6203 * return with success:
6204 */
6205 vma = find_vma(mm, addr);
6206 - if (likely(!vma || addr+len <= vma->vm_start)) {
6207 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6208 /* remember the address as a hint for next time */
6209 return (mm->free_area_cache = addr);
6210 }
6211 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
6212 mm->cached_hole_size = vma->vm_start - addr;
6213
6214 /* try just below the current vma->vm_start */
6215 - addr = vma->vm_start-len;
6216 - if (do_color_align)
6217 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6218 - } while (likely(len < vma->vm_start));
6219 + addr = skip_heap_stack_gap(vma, len);
6220 + } while (!IS_ERR_VALUE(addr));
6221
6222 bottomup:
6223 /*
6224 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
6225 gap == RLIM_INFINITY ||
6226 sysctl_legacy_va_layout) {
6227 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
6228 +
6229 +#ifdef CONFIG_PAX_RANDMMAP
6230 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6231 + mm->mmap_base += mm->delta_mmap;
6232 +#endif
6233 +
6234 mm->get_unmapped_area = arch_get_unmapped_area;
6235 mm->unmap_area = arch_unmap_area;
6236 } else {
6237 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
6238 gap = (task_size / 6 * 5);
6239
6240 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
6241 +
6242 +#ifdef CONFIG_PAX_RANDMMAP
6243 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6244 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
6245 +#endif
6246 +
6247 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
6248 mm->unmap_area = arch_unmap_area_topdown;
6249 }
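Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied to `PAGE_ALIGN(task_size - gap - random_factor)` with no lower-bound check. The result is only sane if both deltas are always small relative to `task_size - gap`, and their sizes are set outside this hunk. If that bound is not enforced where they are assigned, a guard belongs here; otherwise a comment stating the bound would do. The previous hunk adds `delta_mmap` on top of `random_factor` in the legacy branch, so a comment should say that the two randomisations are meant to stack. arch_pick_mmap_layout starts outside the hunk.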
6250 diff -urNp linux-2.6.39.2/arch/sparc/kernel/traps_32.c linux-2.6.39.2/arch/sparc/kernel/traps_32.c
6251 --- linux-2.6.39.2/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
6252 +++ linux-2.6.39.2/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400
6253 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
6254 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
6255 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
6256
6257 +extern void gr_handle_kernel_exploit(void);
6258 +
6259 void die_if_kernel(char *str, struct pt_regs *regs)
6260 {
6261 static int die_counter;
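Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, and the same line is repeated in the traps_64.c hunk ahead of its `die_if_kernel`. A prototype kept in one shared header would be checked against the definition by the compiler, and a signature change could not silently diverge between the two trap files. The call is also unconditional, so the symbol has to exist in every configuration; the declaration should carry a comment saying which option provides it, since that is not visible here.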
6262 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
6263 count++ < 30 &&
6264 (((unsigned long) rw) >= PAGE_OFFSET) &&
6265 !(((unsigned long) rw) & 0x7)) {
6266 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
6267 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
6268 (void *) rw->ins[7]);
6269 rw = (struct reg_window32 *)rw->ins[6];
6270 }
6271 }
6272 printk("Instruction DUMP:");
6273 instruction_dump ((unsigned long *) regs->pc);
6274 - if(regs->psr & PSR_PS)
6275 + if(regs->psr & PSR_PS) {
6276 + gr_handle_kernel_exploit();
6277 do_exit(SIGKILL);
6278 + }
6279 do_exit(SIGSEGV);
6280 }
6281
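Review bot: The `%pS` to `%pA` change at `printk("Caller[%08lx]: %pA\n", ...)` relies on a pointer conversion that these hunks do not define; it presumably comes from a vsprintf change elsewhere in the patch. The same substitution recurs in the traps_64.c, unaligned_64.c and fault_64.c hunks. If `%pA` is not handled, the symbol name would be missing from oops output, so the dependency is worth a single comment at the first use, such as `/* %pA: grsecurity symbol format, see lib/vsprintf.c */`; that path is a guess and needs confirming. die_if_kernel starts outside the hunk.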
6282 diff -urNp linux-2.6.39.2/arch/sparc/kernel/traps_64.c linux-2.6.39.2/arch/sparc/kernel/traps_64.c
6283 --- linux-2.6.39.2/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
6284 +++ linux-2.6.39.2/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400
6285 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
6286 i + 1,
6287 p->trapstack[i].tstate, p->trapstack[i].tpc,
6288 p->trapstack[i].tnpc, p->trapstack[i].tt);
6289 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
6290 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
6291 }
6292 }
6293
6294 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
6295
6296 lvl -= 0x100;
6297 if (regs->tstate & TSTATE_PRIV) {
6298 +
6299 +#ifdef CONFIG_PAX_REFCOUNT
6300 + if (lvl == 6)
6301 + pax_report_refcount_overflow(regs);
6302 +#endif
6303 +
6304 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
6305 die_if_kernel(buffer, regs);
6306 }
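Review bot: `if (lvl == 6)` hard-codes the software trap number that the `tvs %icc, 6` and `tvs %xcc, 6` instructions in the atomic_64.S hunks raise, so the C and assembly sides are coupled only by a bare literal. A named constant shared by both (for instance `#define PAX_REFCOUNT_TRAP 6` in a header included from the .S file; the name is a suggestion) would keep them in sync. The same literal appears in the bad_trap_tl1 hunk that follows. bad_trap starts outside the hunk.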
6307 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
6308 void bad_trap_tl1(struct pt_regs *regs, long lvl)
6309 {
6310 char buffer[32];
6311 -
6312 +
6313 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
6314 0, lvl, SIGTRAP) == NOTIFY_STOP)
6315 return;
6316
6317 +#ifdef CONFIG_PAX_REFCOUNT
6318 + if (lvl == 6)
6319 + pax_report_refcount_overflow(regs);
6320 +#endif
6321 +
6322 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
6323
6324 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
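Review bot: In bad_trap the `lvl == 6` comparison runs after `lvl -= 0x100`, whereas bad_trap_tl1 compares `lvl` exactly as it was passed in, with no such adjustment visible. Whether the tl>0 entry path passes the same numbering cannot be told from this hunk, so it should be confirmed that the check can actually match there. A comment like `/* lvl here is <raw|adjusted> trap type, see caller */` would record the answer. The `-`/`+` pair on the blank line after `char buffer[32];` changes only whitespace and could be dropped.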
6325 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
6326 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
6327 printk("%s" "ERROR(%d): ",
6328 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
6329 - printk("TPC<%pS>\n", (void *) regs->tpc);
6330 + printk("TPC<%pA>\n", (void *) regs->tpc);
6331 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
6332 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
6333 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
6334 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
6335 smp_processor_id(),
6336 (type & 0x1) ? 'I' : 'D',
6337 regs->tpc);
6338 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
6339 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
6340 panic("Irrecoverable Cheetah+ parity error.");
6341 }
6342
6343 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
6344 smp_processor_id(),
6345 (type & 0x1) ? 'I' : 'D',
6346 regs->tpc);
6347 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
6348 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
6349 }
6350
6351 struct sun4v_error_entry {
6352 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
6353
6354 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
6355 regs->tpc, tl);
6356 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
6357 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
6358 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6359 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
6360 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
6361 (void *) regs->u_regs[UREG_I7]);
6362 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
6363 "pte[%lx] error[%lx]\n",
6364 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
6365
6366 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
6367 regs->tpc, tl);
6368 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
6369 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
6370 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6371 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
6372 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
6373 (void *) regs->u_regs[UREG_I7]);
6374 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
6375 "pte[%lx] error[%lx]\n",
6376 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
6377 fp = (unsigned long)sf->fp + STACK_BIAS;
6378 }
6379
6380 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6381 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6382 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6383 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
6384 int index = tsk->curr_ret_stack;
6385 if (tsk->ret_stack && index >= graph) {
6386 pc = tsk->ret_stack[index - graph].ret;
6387 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6388 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6389 graph++;
6390 }
6391 }
6392 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
6393 return (struct reg_window *) (fp + STACK_BIAS);
6394 }
6395
6396 +extern void gr_handle_kernel_exploit(void);
6397 +
6398 void die_if_kernel(char *str, struct pt_regs *regs)
6399 {
6400 static int die_counter;
6401 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
6402 while (rw &&
6403 count++ < 30 &&
6404 kstack_valid(tp, (unsigned long) rw)) {
6405 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
6406 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
6407 (void *) rw->ins[7]);
6408
6409 rw = kernel_stack_up(rw);
6410 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
6411 }
6412 user_instruction_dump ((unsigned int __user *) regs->tpc);
6413 }
6414 - if (regs->tstate & TSTATE_PRIV)
6415 + if (regs->tstate & TSTATE_PRIV) {
6416 + gr_handle_kernel_exploit();
6417 do_exit(SIGKILL);
6418 + }
6419 do_exit(SIGSEGV);
6420 }
6421 EXPORT_SYMBOL(die_if_kernel);
6422 diff -urNp linux-2.6.39.2/arch/sparc/kernel/unaligned_64.c linux-2.6.39.2/arch/sparc/kernel/unaligned_64.c
6423 --- linux-2.6.39.2/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
6424 +++ linux-2.6.39.2/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
6425 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
6426 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
6427
6428 if (__ratelimit(&ratelimit)) {
6429 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
6430 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
6431 regs->tpc, (void *) regs->tpc);
6432 }
6433 }
6434 diff -urNp linux-2.6.39.2/arch/sparc/lib/atomic_64.S linux-2.6.39.2/arch/sparc/lib/atomic_64.S
6435 --- linux-2.6.39.2/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400
6436 +++ linux-2.6.39.2/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400
6437 @@ -18,7 +18,12 @@
6438 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
6439 BACKOFF_SETUP(%o2)
6440 1: lduw [%o1], %g1
6441 - add %g1, %o0, %g7
6442 + addcc %g1, %o0, %g7
6443 +
6444 +#ifdef CONFIG_PAX_REFCOUNT
6445 + tvs %icc, 6
6446 +#endif
6447 +
6448 cas [%o1], %g1, %g7
6449 cmp %g1, %g7
6450 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
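Review bot: The new `addcc` / `tvs %icc, 6` pair in atomic_add has no comment explaining that the trap fires on signed overflow before the `cas` can store the sum. Something like `/* PaX REFCOUNT: trap on signed overflow before cas publishes the new value */` above the `#ifdef` would make the ordering requirement explicit. `addcc` sits outside the `#ifdef`, so it replaces `add` even when CONFIG_PAX_REFCOUNT is off; that looks harmless because `cmp` rewrites the condition codes, but a note would confirm it is intended. The same applies to atomic_sub, atomic_add_ret, atomic_sub_ret and the atomic64_* routines in the later hunks.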
6451 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
6452 2: BACKOFF_SPIN(%o2, %o3, 1b)
6453 .size atomic_add, .-atomic_add
6454
6455 + .globl atomic_add_unchecked
6456 + .type atomic_add_unchecked,#function
6457 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6458 + BACKOFF_SETUP(%o2)
6459 +1: lduw [%o1], %g1
6460 + add %g1, %o0, %g7
6461 + cas [%o1], %g1, %g7
6462 + cmp %g1, %g7
6463 + bne,pn %icc, 2f
6464 + nop
6465 + retl
6466 + nop
6467 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6468 + .size atomic_add_unchecked, .-atomic_add_unchecked
6469 +
6470 .globl atomic_sub
6471 .type atomic_sub,#function
6472 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6473 BACKOFF_SETUP(%o2)
6474 1: lduw [%o1], %g1
6475 - sub %g1, %o0, %g7
6476 + subcc %g1, %o0, %g7
6477 +
6478 +#ifdef CONFIG_PAX_REFCOUNT
6479 + tvs %icc, 6
6480 +#endif
6481 +
6482 cas [%o1], %g1, %g7
6483 cmp %g1, %g7
6484 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
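Review bot: atomic_add_unchecked retries with `bne,pn %icc, 2f`, while the checked routines beside it branch through `BACKOFF_LABEL(2f, 1b)`. The backoff macros are defined outside this page; if `BACKOFF_LABEL` picks the `1b` target and `BACKOFF_SPIN` expands to nothing in some configuration, the bare `2f` would land on a label with no code after it. Using `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` would match the existing routines. The same pattern is in atomic_sub_unchecked, atomic_add_ret_unchecked and the three atomic64_*_unchecked routines in the following hunks.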
6485 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
6486 2: BACKOFF_SPIN(%o2, %o3, 1b)
6487 .size atomic_sub, .-atomic_sub
6488
6489 + .globl atomic_sub_unchecked
6490 + .type atomic_sub_unchecked,#function
6491 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6492 + BACKOFF_SETUP(%o2)
6493 +1: lduw [%o1], %g1
6494 + sub %g1, %o0, %g7
6495 + cas [%o1], %g1, %g7
6496 + cmp %g1, %g7
6497 + bne,pn %icc, 2f
6498 + nop
6499 + retl
6500 + nop
6501 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6502 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
6503 +
6504 .globl atomic_add_ret
6505 .type atomic_add_ret,#function
6506 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6507 BACKOFF_SETUP(%o2)
6508 1: lduw [%o1], %g1
6509 - add %g1, %o0, %g7
6510 + addcc %g1, %o0, %g7
6511 +
6512 +#ifdef CONFIG_PAX_REFCOUNT
6513 + tvs %icc, 6
6514 +#endif
6515 +
6516 cas [%o1], %g1, %g7
6517 cmp %g1, %g7
6518 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6519 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
6520 2: BACKOFF_SPIN(%o2, %o3, 1b)
6521 .size atomic_add_ret, .-atomic_add_ret
6522
6523 + .globl atomic_add_ret_unchecked
6524 + .type atomic_add_ret_unchecked,#function
6525 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6526 + BACKOFF_SETUP(%o2)
6527 +1: lduw [%o1], %g1
6528 + addcc %g1, %o0, %g7
6529 + cas [%o1], %g1, %g7
6530 + cmp %g1, %g7
6531 + bne,pn %icc, 2f
6532 + add %g7, %o0, %g7
6533 + sra %g7, 0, %o0
6534 + retl
6535 + nop
6536 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6537 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
6538 +
6539 .globl atomic_sub_ret
6540 .type atomic_sub_ret,#function
6541 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6542 BACKOFF_SETUP(%o2)
6543 1: lduw [%o1], %g1
6544 - sub %g1, %o0, %g7
6545 + subcc %g1, %o0, %g7
6546 +
6547 +#ifdef CONFIG_PAX_REFCOUNT
6548 + tvs %icc, 6
6549 +#endif
6550 +
6551 cas [%o1], %g1, %g7
6552 cmp %g1, %g7
6553 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
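Review bot: atomic_add_ret_unchecked uses `addcc %g1, %o0, %g7` even though nothing in the routine reads the condition codes before `cmp` overwrites them, and atomic_add_unchecked in the earlier hunk uses plain `add`. Writing `add %g1, %o0, %g7` would make clear that this variant deliberately has no overflow check. atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the later hunks use `addcc`/`subcc` in the same way.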
6554 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
6555 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
6556 BACKOFF_SETUP(%o2)
6557 1: ldx [%o1], %g1
6558 - add %g1, %o0, %g7
6559 + addcc %g1, %o0, %g7
6560 +
6561 +#ifdef CONFIG_PAX_REFCOUNT
6562 + tvs %xcc, 6
6563 +#endif
6564 +
6565 casx [%o1], %g1, %g7
6566 cmp %g1, %g7
6567 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6568 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
6569 2: BACKOFF_SPIN(%o2, %o3, 1b)
6570 .size atomic64_add, .-atomic64_add
6571
6572 + .globl atomic64_add_unchecked
6573 + .type atomic64_add_unchecked,#function
6574 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6575 + BACKOFF_SETUP(%o2)
6576 +1: ldx [%o1], %g1
6577 + addcc %g1, %o0, %g7
6578 + casx [%o1], %g1, %g7
6579 + cmp %g1, %g7
6580 + bne,pn %xcc, 2f
6581 + nop
6582 + retl
6583 + nop
6584 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6585 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
6586 +
6587 .globl atomic64_sub
6588 .type atomic64_sub,#function
6589 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6590 BACKOFF_SETUP(%o2)
6591 1: ldx [%o1], %g1
6592 - sub %g1, %o0, %g7
6593 + subcc %g1, %o0, %g7
6594 +
6595 +#ifdef CONFIG_PAX_REFCOUNT
6596 + tvs %xcc, 6
6597 +#endif
6598 +
6599 casx [%o1], %g1, %g7
6600 cmp %g1, %g7
6601 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6602 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
6603 2: BACKOFF_SPIN(%o2, %o3, 1b)
6604 .size atomic64_sub, .-atomic64_sub
6605
6606 + .globl atomic64_sub_unchecked
6607 + .type atomic64_sub_unchecked,#function
6608 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6609 + BACKOFF_SETUP(%o2)
6610 +1: ldx [%o1], %g1
6611 + subcc %g1, %o0, %g7
6612 + casx [%o1], %g1, %g7
6613 + cmp %g1, %g7
6614 + bne,pn %xcc, 2f
6615 + nop
6616 + retl
6617 + nop
6618 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6619 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
6620 +
6621 .globl atomic64_add_ret
6622 .type atomic64_add_ret,#function
6623 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6624 BACKOFF_SETUP(%o2)
6625 1: ldx [%o1], %g1
6626 - add %g1, %o0, %g7
6627 + addcc %g1, %o0, %g7
6628 +
6629 +#ifdef CONFIG_PAX_REFCOUNT
6630 + tvs %xcc, 6
6631 +#endif
6632 +
6633 casx [%o1], %g1, %g7
6634 cmp %g1, %g7
6635 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6636 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
6637 2: BACKOFF_SPIN(%o2, %o3, 1b)
6638 .size atomic64_add_ret, .-atomic64_add_ret
6639
6640 + .globl atomic64_add_ret_unchecked
6641 + .type atomic64_add_ret_unchecked,#function
6642 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6643 + BACKOFF_SETUP(%o2)
6644 +1: ldx [%o1], %g1
6645 + addcc %g1, %o0, %g7
6646 + casx [%o1], %g1, %g7
6647 + cmp %g1, %g7
6648 + bne,pn %xcc, 2f
6649 + add %g7, %o0, %g7
6650 + mov %g7, %o0
6651 + retl
6652 + nop
6653 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6654 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
6655 +
6656 .globl atomic64_sub_ret
6657 .type atomic64_sub_ret,#function
6658 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6659 BACKOFF_SETUP(%o2)
6660 1: ldx [%o1], %g1
6661 - sub %g1, %o0, %g7
6662 + subcc %g1, %o0, %g7
6663 +
6664 +#ifdef CONFIG_PAX_REFCOUNT
6665 + tvs %xcc, 6
6666 +#endif
6667 +
6668 casx [%o1], %g1, %g7
6669 cmp %g1, %g7
6670 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6671 diff -urNp linux-2.6.39.2/arch/sparc/lib/ksyms.c linux-2.6.39.2/arch/sparc/lib/ksyms.c
6672 --- linux-2.6.39.2/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400
6673 +++ linux-2.6.39.2/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400
6674 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
6675
6676 /* Atomic counter implementation. */
6677 EXPORT_SYMBOL(atomic_add);
6678 +EXPORT_SYMBOL(atomic_add_unchecked);
6679 EXPORT_SYMBOL(atomic_add_ret);
6680 EXPORT_SYMBOL(atomic_sub);
6681 +EXPORT_SYMBOL(atomic_sub_unchecked);
6682 EXPORT_SYMBOL(atomic_sub_ret);
6683 EXPORT_SYMBOL(atomic64_add);
6684 +EXPORT_SYMBOL(atomic64_add_unchecked);
6685 EXPORT_SYMBOL(atomic64_add_ret);
6686 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
6687 EXPORT_SYMBOL(atomic64_sub);
6688 +EXPORT_SYMBOL(atomic64_sub_unchecked);
6689 EXPORT_SYMBOL(atomic64_sub_ret);
6690
6691 /* Atomic bit operations. */
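Review bot: The export list adds `atomic64_add_ret_unchecked` but not `atomic_add_ret_unchecked`, although the atomic_64.S hunks define both as `.globl`. If any modular code reaches the 32-bit variant it would fail to link at module load. Unless the omission is deliberate, add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`. No `*_sub_ret_unchecked` routines are defined in the visible assembly, so their absence here is consistent.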
6692 diff -urNp linux-2.6.39.2/arch/sparc/lib/Makefile linux-2.6.39.2/arch/sparc/lib/Makefile
6693 --- linux-2.6.39.2/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400
6694 +++ linux-2.6.39.2/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400
6695 @@ -2,7 +2,7 @@
6696 #
6697
6698 asflags-y := -ansi -DST_DIV0=0x02
6699 -ccflags-y := -Werror
6700 +#ccflags-y := -Werror
6701
6702 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
6703 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
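Review bot: `ccflags-y := -Werror` is disabled by commenting it out, with no reason given, so new warnings in arch/sparc/lib will no longer fail the build. If the patch introduces warnings that cannot be fixed, say which ones in a comment, e.g. `# -Werror disabled: <reason>`. Otherwise remove the line rather than leaving dead configuration behind.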
6704 diff -urNp linux-2.6.39.2/arch/sparc/Makefile linux-2.6.39.2/arch/sparc/Makefile
6705 --- linux-2.6.39.2/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400
6706 +++ linux-2.6.39.2/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400
6707 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
6708 # Export what is needed by arch/sparc/boot/Makefile
6709 export VMLINUX_INIT VMLINUX_MAIN
6710 VMLINUX_INIT := $(head-y) $(init-y)
6711 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
6712 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
6713 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
6714 VMLINUX_MAIN += $(drivers-y) $(net-y)
6715
6716 diff -urNp linux-2.6.39.2/arch/sparc/mm/fault_32.c linux-2.6.39.2/arch/sparc/mm/fault_32.c
6717 --- linux-2.6.39.2/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400
6718 +++ linux-2.6.39.2/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400
6719 @@ -22,6 +22,9 @@
6720 #include <linux/interrupt.h>
6721 #include <linux/module.h>
6722 #include <linux/kdebug.h>
6723 +#include <linux/slab.h>
6724 +#include <linux/pagemap.h>
6725 +#include <linux/compiler.h>
6726
6727 #include <asm/system.h>
6728 #include <asm/page.h>
6729 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
6730 return safe_compute_effective_address(regs, insn);
6731 }
6732
6733 +#ifdef CONFIG_PAX_PAGEEXEC
6734 +#ifdef CONFIG_PAX_DLRESOLVE
6735 +static void pax_emuplt_close(struct vm_area_struct *vma)
6736 +{
6737 + vma->vm_mm->call_dl_resolve = 0UL;
6738 +}
6739 +
6740 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6741 +{
6742 + unsigned int *kaddr;
6743 +
6744 + vmf->page = alloc_page(GFP_HIGHUSER);
6745 + if (!vmf->page)
6746 + return VM_FAULT_OOM;
6747 +
6748 + kaddr = kmap(vmf->page);
6749 + memset(kaddr, 0, PAGE_SIZE);
6750 + kaddr[0] = 0x9DE3BFA8U; /* save */
6751 + flush_dcache_page(vmf->page);
6752 + kunmap(vmf->page);
6753 + return VM_FAULT_MAJOR;
6754 +}
6755 +
6756 +static const struct vm_operations_struct pax_vm_ops = {
6757 + .close = pax_emuplt_close,
6758 + .fault = pax_emuplt_fault
6759 +};
6760 +
6761 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6762 +{
6763 + int ret;
6764 +
6765 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6766 + vma->vm_mm = current->mm;
6767 + vma->vm_start = addr;
6768 + vma->vm_end = addr + PAGE_SIZE;
6769 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6770 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6771 + vma->vm_ops = &pax_vm_ops;
6772 +
6773 + ret = insert_vm_struct(current->mm, vma);
6774 + if (ret)
6775 + return ret;
6776 +
6777 + ++current->mm->total_vm;
6778 + return 0;
6779 +}
6780 +#endif
6781 +
6782 +/*
6783 + * PaX: decide what to do with offenders (regs->pc = fault address)
6784 + *
6785 + * returns 1 when task should be killed
6786 + * 2 when patched PLT trampoline was detected
6787 + * 3 when unpatched PLT trampoline was detected
6788 + */
6789 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6790 +{
6791 +
6792 +#ifdef CONFIG_PAX_EMUPLT
6793 + int err;
6794 +
6795 + do { /* PaX: patched PLT emulation #1 */
6796 + unsigned int sethi1, sethi2, jmpl;
6797 +
6798 + err = get_user(sethi1, (unsigned int *)regs->pc);
6799 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
6800 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
6801 +
6802 + if (err)
6803 + break;
6804 +
6805 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6806 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6807 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6808 + {
6809 + unsigned int addr;
6810 +
6811 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6812 + addr = regs->u_regs[UREG_G1];
6813 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6814 + regs->pc = addr;
6815 + regs->npc = addr+4;
6816 + return 2;
6817 + }
6818 + } while (0);
6819 +
6820 + { /* PaX: patched PLT emulation #2 */
6821 + unsigned int ba;
6822 +
6823 + err = get_user(ba, (unsigned int *)regs->pc);
6824 +
6825 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6826 + unsigned int addr;
6827 +
6828 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6829 + regs->pc = addr;
6830 + regs->npc = addr+4;
6831 + return 2;
6832 + }
6833 + }
6834 +
6835 + do { /* PaX: patched PLT emulation #3 */
6836 + unsigned int sethi, jmpl, nop;
6837 +
6838 + err = get_user(sethi, (unsigned int *)regs->pc);
6839 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6840 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6841 +
6842 + if (err)
6843 + break;
6844 +
6845 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6846 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6847 + nop == 0x01000000U)
6848 + {
6849 + unsigned int addr;
6850 +
6851 + addr = (sethi & 0x003FFFFFU) << 10;
6852 + regs->u_regs[UREG_G1] = addr;
6853 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6854 + regs->pc = addr;
6855 + regs->npc = addr+4;
6856 + return 2;
6857 + }
6858 + } while (0);
6859 +
6860 + do { /* PaX: unpatched PLT emulation step 1 */
6861 + unsigned int sethi, ba, nop;
6862 +
6863 + err = get_user(sethi, (unsigned int *)regs->pc);
6864 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
6865 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6866 +
6867 + if (err)
6868 + break;
6869 +
6870 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6871 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6872 + nop == 0x01000000U)
6873 + {
6874 + unsigned int addr, save, call;
6875 +
6876 + if ((ba & 0xFFC00000U) == 0x30800000U)
6877 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6878 + else
6879 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6880 +
6881 + err = get_user(save, (unsigned int *)addr);
6882 + err |= get_user(call, (unsigned int *)(addr+4));
6883 + err |= get_user(nop, (unsigned int *)(addr+8));
6884 + if (err)
6885 + break;
6886 +
6887 +#ifdef CONFIG_PAX_DLRESOLVE
6888 + if (save == 0x9DE3BFA8U &&
6889 + (call & 0xC0000000U) == 0x40000000U &&
6890 + nop == 0x01000000U)
6891 + {
6892 + struct vm_area_struct *vma;
6893 + unsigned long call_dl_resolve;
6894 +
6895 + down_read(&current->mm->mmap_sem);
6896 + call_dl_resolve = current->mm->call_dl_resolve;
6897 + up_read(&current->mm->mmap_sem);
6898 + if (likely(call_dl_resolve))
6899 + goto emulate;
6900 +
6901 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6902 +
6903 + down_write(&current->mm->mmap_sem);
6904 + if (current->mm->call_dl_resolve) {
6905 + call_dl_resolve = current->mm->call_dl_resolve;
6906 + up_write(&current->mm->mmap_sem);
6907 + if (vma)
6908 + kmem_cache_free(vm_area_cachep, vma);
6909 + goto emulate;
6910 + }
6911 +
6912 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6913 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6914 + up_write(&current->mm->mmap_sem);
6915 + if (vma)
6916 + kmem_cache_free(vm_area_cachep, vma);
6917 + return 1;
6918 + }
6919 +
6920 + if (pax_insert_vma(vma, call_dl_resolve)) {
6921 + up_write(&current->mm->mmap_sem);
6922 + kmem_cache_free(vm_area_cachep, vma);
6923 + return 1;
6924 + }
6925 +
6926 + current->mm->call_dl_resolve = call_dl_resolve;
6927 + up_write(&current->mm->mmap_sem);
6928 +
6929 +emulate:
6930 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6931 + regs->pc = call_dl_resolve;
6932 + regs->npc = addr+4;
6933 + return 3;
6934 + }
6935 +#endif
6936 +
6937 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6938 + if ((save & 0xFFC00000U) == 0x05000000U &&
6939 + (call & 0xFFFFE000U) == 0x85C0A000U &&
6940 + nop == 0x01000000U)
6941 + {
6942 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6943 + regs->u_regs[UREG_G2] = addr + 4;
6944 + addr = (save & 0x003FFFFFU) << 10;
6945 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6946 + regs->pc = addr;
6947 + regs->npc = addr+4;
6948 + return 3;
6949 + }
6950 + }
6951 + } while (0);
6952 +
6953 + do { /* PaX: unpatched PLT emulation step 2 */
6954 + unsigned int save, call, nop;
6955 +
6956 + err = get_user(save, (unsigned int *)(regs->pc-4));
6957 + err |= get_user(call, (unsigned int *)regs->pc);
6958 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
6959 + if (err)
6960 + break;
6961 +
6962 + if (save == 0x9DE3BFA8U &&
6963 + (call & 0xC0000000U) == 0x40000000U &&
6964 + nop == 0x01000000U)
6965 + {
6966 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6967 +
6968 + regs->u_regs[UREG_RETPC] = regs->pc;
6969 + regs->pc = dl_resolve;
6970 + regs->npc = dl_resolve+4;
6971 + return 3;
6972 + }
6973 + } while (0);
6974 +#endif
6975 +
6976 + return 1;
6977 +}
6978 +
6979 +void pax_report_insns(void *pc, void *sp)
6980 +{
6981 + unsigned long i;
6982 +
6983 + printk(KERN_ERR "PAX: bytes at PC: ");
6984 + for (i = 0; i < 8; i++) {
6985 + unsigned int c;
6986 + if (get_user(c, (unsigned int *)pc+i))
6987 + printk(KERN_CONT "???????? ");
6988 + else
6989 + printk(KERN_CONT "%08x ", c);
6990 + }
6991 + printk("\n");
6992 +}
6993 +#endif
6994 +
6995 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
6996 int text_fault)
6997 {
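Review bot: Every `get_user()` in pax_handle_fetch_fault and pax_report_insns casts the user address to a plain `unsigned int *`, e.g. `get_user(sethi1, (unsigned int *)regs->pc)`, so sparse cannot check that these pointers are only used through user accessors. Writing `(unsigned int __user *)regs->pc` would match the annotated cast visible in the traps_64.c context line `user_instruction_dump ((unsigned int __user *) regs->tpc)`. The fault_64.c hunk repeats the unannotated casts. Separately, `pax_report_insns(void *pc, void *sp)` never uses `sp` in the body shown; a comment should say whether the parameter is kept for a common prototype. The added functions are complete in this hunk, while do_fault_siginfo continues outside it.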
6998 @@ -281,6 +546,24 @@ good_area:
6999 if(!(vma->vm_flags & VM_WRITE))
7000 goto bad_area;
7001 } else {
7002 +
7003 +#ifdef CONFIG_PAX_PAGEEXEC
7004 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
7005 + up_read(&mm->mmap_sem);
7006 + switch (pax_handle_fetch_fault(regs)) {
7007 +
7008 +#ifdef CONFIG_PAX_EMUPLT
7009 + case 2:
7010 + case 3:
7011 + return;
7012 +#endif
7013 +
7014 + }
7015 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
7016 + do_group_exit(SIGKILL);
7017 + }
7018 +#endif
7019 +
7020 /* Allow reads even for write-only mappings */
7021 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
7022 goto bad_area;
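Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default`, and with CONFIG_PAX_EMUPLT disabled its body is empty, so the kill path for return value 1 is only implied by falling out of the switch. Adding `default: break; /* 1: not a PLT trampoline, report and kill */` would state the intent and avoid an empty-switch warning. A short comment on `up_read(&mm->mmap_sem);` would also help, since the handler in the previous hunk takes `mmap_sem` itself. The enclosing fault handler starts and ends outside the hunk.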
7023 diff -urNp linux-2.6.39.2/arch/sparc/mm/fault_64.c linux-2.6.39.2/arch/sparc/mm/fault_64.c
7024 --- linux-2.6.39.2/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400
7025 +++ linux-2.6.39.2/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400
7026 @@ -21,6 +21,9 @@
7027 #include <linux/kprobes.h>
7028 #include <linux/kdebug.h>
7029 #include <linux/percpu.h>
7030 +#include <linux/slab.h>
7031 +#include <linux/pagemap.h>
7032 +#include <linux/compiler.h>
7033
7034 #include <asm/page.h>
7035 #include <asm/pgtable.h>
7036 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
7037 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
7038 regs->tpc);
7039 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
7040 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
7041 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
7042 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
7043 dump_stack();
7044 unhandled_fault(regs->tpc, current, regs);
7045 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
7046 show_regs(regs);
7047 }
7048
7049 +#ifdef CONFIG_PAX_PAGEEXEC
7050 +#ifdef CONFIG_PAX_DLRESOLVE
7051 +static void pax_emuplt_close(struct vm_area_struct *vma)
7052 +{
7053 + vma->vm_mm->call_dl_resolve = 0UL;
7054 +}
7055 +
7056 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
7057 +{
7058 + unsigned int *kaddr;
7059 +
7060 + vmf->page = alloc_page(GFP_HIGHUSER);
7061 + if (!vmf->page)
7062 + return VM_FAULT_OOM;
7063 +
7064 + kaddr = kmap(vmf->page);
7065 + memset(kaddr, 0, PAGE_SIZE);
7066 + kaddr[0] = 0x9DE3BFA8U; /* save */
7067 + flush_dcache_page(vmf->page);
7068 + kunmap(vmf->page);
7069 + return VM_FAULT_MAJOR;
7070 +}
7071 +
7072 +static const struct vm_operations_struct pax_vm_ops = {
7073 + .close = pax_emuplt_close,
7074 + .fault = pax_emuplt_fault
7075 +};
7076 +
7077 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
7078 +{
7079 + int ret;
7080 +
7081 + INIT_LIST_HEAD(&vma->anon_vma_chain);
7082 + vma->vm_mm = current->mm;
7083 + vma->vm_start = addr;
7084 + vma->vm_end = addr + PAGE_SIZE;
7085 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
7086 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
7087 + vma->vm_ops = &pax_vm_ops;
7088 +
7089 + ret = insert_vm_struct(current->mm, vma);
7090 + if (ret)
7091 + return ret;
7092 +
7093 + ++current->mm->total_vm;
7094 + return 0;
7095 +}
7096 +#endif
7097 +
7098 +/*
7099 + * PaX: decide what to do with offenders (regs->tpc = fault address)
7100 + *
7101 + * returns 1 when task should be killed
7102 + * 2 when patched PLT trampoline was detected
7103 + * 3 when unpatched PLT trampoline was detected
7104 + */
7105 +static int pax_handle_fetch_fault(struct pt_regs *regs)
7106 +{
7107 +
7108 +#ifdef CONFIG_PAX_EMUPLT
7109 + int err;
7110 +
7111 + do { /* PaX: patched PLT emulation #1 */
7112 + unsigned int sethi1, sethi2, jmpl;
7113 +
7114 + err = get_user(sethi1, (unsigned int *)regs->tpc);
7115 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
7116 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
7117 +
7118 + if (err)
7119 + break;
7120 +
7121 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
7122 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
7123 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
7124 + {
7125 + unsigned long addr;
7126 +
7127 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
7128 + addr = regs->u_regs[UREG_G1];
7129 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7130 +
7131 + if (test_thread_flag(TIF_32BIT))
7132 + addr &= 0xFFFFFFFFUL;
7133 +
7134 + regs->tpc = addr;
7135 + regs->tnpc = addr+4;
7136 + return 2;
7137 + }
7138 + } while (0);
7139 +
7140 + { /* PaX: patched PLT emulation #2 */
7141 + unsigned int ba;
7142 +
7143 + err = get_user(ba, (unsigned int *)regs->tpc);
7144 +
7145 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
7146 + unsigned long addr;
7147 +
7148 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7149 +
7150 + if (test_thread_flag(TIF_32BIT))
7151 + addr &= 0xFFFFFFFFUL;
7152 +
7153 + regs->tpc = addr;
7154 + regs->tnpc = addr+4;
7155 + return 2;
7156 + }
7157 + }
7158 +
7159 + do { /* PaX: patched PLT emulation #3 */
7160 + unsigned int sethi, jmpl, nop;
7161 +
7162 + err = get_user(sethi, (unsigned int *)regs->tpc);
7163 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
7164 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7165 +
7166 + if (err)
7167 + break;
7168 +
7169 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7170 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
7171 + nop == 0x01000000U)
7172 + {
7173 + unsigned long addr;
7174 +
7175 + addr = (sethi & 0x003FFFFFU) << 10;
7176 + regs->u_regs[UREG_G1] = addr;
7177 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7178 +
7179 + if (test_thread_flag(TIF_32BIT))
7180 + addr &= 0xFFFFFFFFUL;
7181 +
7182 + regs->tpc = addr;
7183 + regs->tnpc = addr+4;
7184 + return 2;
7185 + }
7186 + } while (0);
7187 +
7188 + do { /* PaX: patched PLT emulation #4 */
7189 + unsigned int sethi, mov1, call, mov2;
7190 +
7191 + err = get_user(sethi, (unsigned int *)regs->tpc);
7192 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
7193 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
7194 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
7195 +
7196 + if (err)
7197 + break;
7198 +
7199 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7200 + mov1 == 0x8210000FU &&
7201 + (call & 0xC0000000U) == 0x40000000U &&
7202 + mov2 == 0x9E100001U)
7203 + {
7204 + unsigned long addr;
7205 +
7206 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
7207 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7208 +
7209 + if (test_thread_flag(TIF_32BIT))
7210 + addr &= 0xFFFFFFFFUL;
7211 +
7212 + regs->tpc = addr;
7213 + regs->tnpc = addr+4;
7214 + return 2;
7215 + }
7216 + } while (0);
7217 +
7218 + do { /* PaX: patched PLT emulation #5 */
7219 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
7220 +
7221 + err = get_user(sethi, (unsigned int *)regs->tpc);
7222 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7223 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7224 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
7225 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
7226 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
7227 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
7228 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
7229 +
7230 + if (err)
7231 + break;
7232 +
7233 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7234 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7235 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7236 + (or1 & 0xFFFFE000U) == 0x82106000U &&
7237 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7238 + sllx == 0x83287020U &&
7239 + jmpl == 0x81C04005U &&
7240 + nop == 0x01000000U)
7241 + {
7242 + unsigned long addr;
7243 +
7244 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7245 + regs->u_regs[UREG_G1] <<= 32;
7246 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7247 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7248 + regs->tpc = addr;
7249 + regs->tnpc = addr+4;
7250 + return 2;
7251 + }
7252 + } while (0);
7253 +
7254 + do { /* PaX: patched PLT emulation #6 */
7255 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
7256 +
7257 + err = get_user(sethi, (unsigned int *)regs->tpc);
7258 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7259 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7260 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
7261 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
7262 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
7263 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
7264 +
7265 + if (err)
7266 + break;
7267 +
7268 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7269 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7270 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7271 + sllx == 0x83287020U &&
7272 + (or & 0xFFFFE000U) == 0x8A116000U &&
7273 + jmpl == 0x81C04005U &&
7274 + nop == 0x01000000U)
7275 + {
7276 + unsigned long addr;
7277 +
7278 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
7279 + regs->u_regs[UREG_G1] <<= 32;
7280 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
7281 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7282 + regs->tpc = addr;
7283 + regs->tnpc = addr+4;
7284 + return 2;
7285 + }
7286 + } while (0);
7287 +
7288 + do { /* PaX: unpatched PLT emulation step 1 */
7289 + unsigned int sethi, ba, nop;
7290 +
7291 + err = get_user(sethi, (unsigned int *)regs->tpc);
7292 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7293 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7294 +
7295 + if (err)
7296 + break;
7297 +
7298 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7299 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
7300 + nop == 0x01000000U)
7301 + {
7302 + unsigned long addr;
7303 + unsigned int save, call;
7304 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
7305 +
7306 + if ((ba & 0xFFC00000U) == 0x30800000U)
7307 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7308 + else
7309 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7310 +
7311 + if (test_thread_flag(TIF_32BIT))
7312 + addr &= 0xFFFFFFFFUL;
7313 +
7314 + err = get_user(save, (unsigned int *)addr);
7315 + err |= get_user(call, (unsigned int *)(addr+4));
7316 + err |= get_user(nop, (unsigned int *)(addr+8));
7317 + if (err)
7318 + break;
7319 +
7320 +#ifdef CONFIG_PAX_DLRESOLVE
7321 + if (save == 0x9DE3BFA8U &&
7322 + (call & 0xC0000000U) == 0x40000000U &&
7323 + nop == 0x01000000U)
7324 + {
7325 + struct vm_area_struct *vma;
7326 + unsigned long call_dl_resolve;
7327 +
7328 + down_read(&current->mm->mmap_sem);
7329 + call_dl_resolve = current->mm->call_dl_resolve;
7330 + up_read(&current->mm->mmap_sem);
7331 + if (likely(call_dl_resolve))
7332 + goto emulate;
7333 +
7334 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
7335 +
7336 + down_write(&current->mm->mmap_sem);
7337 + if (current->mm->call_dl_resolve) {
7338 + call_dl_resolve = current->mm->call_dl_resolve;
7339 + up_write(&current->mm->mmap_sem);
7340 + if (vma)
7341 + kmem_cache_free(vm_area_cachep, vma);
7342 + goto emulate;
7343 + }
7344 +
7345 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
7346 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
7347 + up_write(&current->mm->mmap_sem);
7348 + if (vma)
7349 + kmem_cache_free(vm_area_cachep, vma);
7350 + return 1;
7351 + }
7352 +
7353 + if (pax_insert_vma(vma, call_dl_resolve)) {
7354 + up_write(&current->mm->mmap_sem);
7355 + kmem_cache_free(vm_area_cachep, vma);
7356 + return 1;
7357 + }
7358 +
7359 + current->mm->call_dl_resolve = call_dl_resolve;
7360 + up_write(&current->mm->mmap_sem);
7361 +
7362 +emulate:
7363 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7364 + regs->tpc = call_dl_resolve;
7365 + regs->tnpc = addr+4;
7366 + return 3;
7367 + }
7368 +#endif
7369 +
7370 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
7371 + if ((save & 0xFFC00000U) == 0x05000000U &&
7372 + (call & 0xFFFFE000U) == 0x85C0A000U &&
7373 + nop == 0x01000000U)
7374 + {
7375 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7376 + regs->u_regs[UREG_G2] = addr + 4;
7377 + addr = (save & 0x003FFFFFU) << 10;
7378 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7379 +
7380 + if (test_thread_flag(TIF_32BIT))
7381 + addr &= 0xFFFFFFFFUL;
7382 +
7383 + regs->tpc = addr;
7384 + regs->tnpc = addr+4;
7385 + return 3;
7386 + }
7387 +
7388 + /* PaX: 64-bit PLT stub */
7389 + err = get_user(sethi1, (unsigned int *)addr);
7390 + err |= get_user(sethi2, (unsigned int *)(addr+4));
7391 + err |= get_user(or1, (unsigned int *)(addr+8));
7392 + err |= get_user(or2, (unsigned int *)(addr+12));
7393 + err |= get_user(sllx, (unsigned int *)(addr+16));
7394 + err |= get_user(add, (unsigned int *)(addr+20));
7395 + err |= get_user(jmpl, (unsigned int *)(addr+24));
7396 + err |= get_user(nop, (unsigned int *)(addr+28));
7397 + if (err)
7398 + break;
7399 +
7400 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
7401 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7402 + (or1 & 0xFFFFE000U) == 0x88112000U &&
7403 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7404 + sllx == 0x89293020U &&
7405 + add == 0x8A010005U &&
7406 + jmpl == 0x89C14000U &&
7407 + nop == 0x01000000U)
7408 + {
7409 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7410 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7411 + regs->u_regs[UREG_G4] <<= 32;
7412 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7413 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
7414 + regs->u_regs[UREG_G4] = addr + 24;
7415 + addr = regs->u_regs[UREG_G5];
7416 + regs->tpc = addr;
7417 + regs->tnpc = addr+4;
7418 + return 3;
7419 + }
7420 + }
7421 + } while (0);
7422 +
7423 +#ifdef CONFIG_PAX_DLRESOLVE
7424 + do { /* PaX: unpatched PLT emulation step 2 */
7425 + unsigned int save, call, nop;
7426 +
7427 + err = get_user(save, (unsigned int *)(regs->tpc-4));
7428 + err |= get_user(call, (unsigned int *)regs->tpc);
7429 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
7430 + if (err)
7431 + break;
7432 +
7433 + if (save == 0x9DE3BFA8U &&
7434 + (call & 0xC0000000U) == 0x40000000U &&
7435 + nop == 0x01000000U)
7436 + {
7437 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7438 +
7439 + if (test_thread_flag(TIF_32BIT))
7440 + dl_resolve &= 0xFFFFFFFFUL;
7441 +
7442 + regs->u_regs[UREG_RETPC] = regs->tpc;
7443 + regs->tpc = dl_resolve;
7444 + regs->tnpc = dl_resolve+4;
7445 + return 3;
7446 + }
7447 + } while (0);
7448 +#endif
7449 +
7450 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
7451 + unsigned int sethi, ba, nop;
7452 +
7453 + err = get_user(sethi, (unsigned int *)regs->tpc);
7454 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7455 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7456 +
7457 + if (err)
7458 + break;
7459 +
7460 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7461 + (ba & 0xFFF00000U) == 0x30600000U &&
7462 + nop == 0x01000000U)
7463 + {
7464 + unsigned long addr;
7465 +
7466 + addr = (sethi & 0x003FFFFFU) << 10;
7467 + regs->u_regs[UREG_G1] = addr;
7468 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7469 +
7470 + if (test_thread_flag(TIF_32BIT))
7471 + addr &= 0xFFFFFFFFUL;
7472 +
7473 + regs->tpc = addr;
7474 + regs->tnpc = addr+4;
7475 + return 2;
7476 + }
7477 + } while (0);
7478 +
7479 +#endif
7480 +
7481 + return 1;
7482 +}
7483 +
7484 +void pax_report_insns(void *pc, void *sp)
7485 +{
7486 + unsigned long i;
7487 +
7488 + printk(KERN_ERR "PAX: bytes at PC: ");
7489 + for (i = 0; i < 8; i++) {
7490 + unsigned int c;
7491 + if (get_user(c, (unsigned int *)pc+i))
7492 + printk(KERN_CONT "???????? ");
7493 + else
7494 + printk(KERN_CONT "%08x ", c);
7495 + }
7496 + printk("\n");
7497 +}
7498 +#endif
7499 +
7500 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
7501 {
7502 struct mm_struct *mm = current->mm;
7503 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
7504 if (!vma)
7505 goto bad_area;
7506
7507 +#ifdef CONFIG_PAX_PAGEEXEC
7508 + /* PaX: detect ITLB misses on non-exec pages */
7509 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
7510 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
7511 + {
7512 + if (address != regs->tpc)
7513 + goto good_area;
7514 +
7515 + up_read(&mm->mmap_sem);
7516 + switch (pax_handle_fetch_fault(regs)) {
7517 +
7518 +#ifdef CONFIG_PAX_EMUPLT
7519 + case 2:
7520 + case 3:
7521 + return;
7522 +#endif
7523 +
7524 + }
7525 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
7526 + do_group_exit(SIGKILL);
7527 + }
7528 +#endif
7529 +
7530 /* Pure DTLB misses do not tell us whether the fault causing
7531 * load/store/atomic was a write or not, it only says that there
7532 * was no match. So in such a case we (carefully) read the
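Review bot: The `switch (pax_handle_fetch_fault(regs))` in the added PAGEEXEC block dispatches on bare `2` and `3`, and with CONFIG_PAX_EMUPLT off the switch body is empty, so the codes are unexplained at the call site. In the handler body visible above this hunk (presumably pax_handle_fetch_fault), 2 is returned after a patched PLT stub is emulated, 3 after an unpatched one, and 1 when nothing matched. I would add a comment above the cases, e.g. `/* 2/3: PLT stub emulated, regs->tpc/tnpc already point at the target; anything else is a real exec violation */`, or name the codes with an enum shared with the handler. A second one-line comment should say that `mmap_sem` is dropped first because the handler takes it itself on the CONFIG_PAX_DLRESOLVE path. do_sparc64_fault's body continues outside the hunk.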
7533 diff -urNp linux-2.6.39.2/arch/sparc/mm/hugetlbpage.c linux-2.6.39.2/arch/sparc/mm/hugetlbpage.c
7534 --- linux-2.6.39.2/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
7535 +++ linux-2.6.39.2/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
7536 @@ -68,7 +68,7 @@ full_search:
7537 }
7538 return -ENOMEM;
7539 }
7540 - if (likely(!vma || addr + len <= vma->vm_start)) {
7541 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7542 /*
7543 * Remember the place where we stopped the search:
7544 */
7545 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
7546 /* make sure it can fit in the remaining address space */
7547 if (likely(addr > len)) {
7548 vma = find_vma(mm, addr-len);
7549 - if (!vma || addr <= vma->vm_start) {
7550 + if (check_heap_stack_gap(vma, addr - len, len)) {
7551 /* remember the address as a hint for next time */
7552 return (mm->free_area_cache = addr-len);
7553 }
7554 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
7555 if (unlikely(mm->mmap_base < len))
7556 goto bottomup;
7557
7558 - addr = (mm->mmap_base-len) & HPAGE_MASK;
7559 + addr = mm->mmap_base - len;
7560
7561 do {
7562 + addr &= HPAGE_MASK;
7563 /*
7564 * Lookup failure means no vma is above this address,
7565 * else if new region fits below vma->vm_start,
7566 * return with success:
7567 */
7568 vma = find_vma(mm, addr);
7569 - if (likely(!vma || addr+len <= vma->vm_start)) {
7570 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7571 /* remember the address as a hint for next time */
7572 return (mm->free_area_cache = addr);
7573 }
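Review bot: Moving `addr &= HPAGE_MASK` to the top of the `do` loop is not explained here. The reason only shows in the next hunk, where the next candidate comes from `skip_heap_stack_gap(vma, len)` instead of the old `(vma->vm_start-len) & HPAGE_MASK`. Presumably that helper returns an address that is not huge-page aligned (it is defined outside this part of the patch), so the mask has to be re-applied after the `IS_ERR_VALUE` test. A comment on the mask line such as `/* candidates from skip_heap_stack_gap() are not huge-page aligned */` would record that. The loop body spans this hunk and the following one.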
7574 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
7575 mm->cached_hole_size = vma->vm_start - addr;
7576
7577 /* try just below the current vma->vm_start */
7578 - addr = (vma->vm_start-len) & HPAGE_MASK;
7579 - } while (likely(len < vma->vm_start));
7580 + addr = skip_heap_stack_gap(vma, len);
7581 + } while (!IS_ERR_VALUE(addr));
7582
7583 bottomup:
7584 /*
7585 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
7586 if (addr) {
7587 addr = ALIGN(addr, HPAGE_SIZE);
7588 vma = find_vma(mm, addr);
7589 - if (task_size - len >= addr &&
7590 - (!vma || addr + len <= vma->vm_start))
7591 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
7592 return addr;
7593 }
7594 if (mm->get_unmapped_area == arch_get_unmapped_area)
7595 diff -urNp linux-2.6.39.2/arch/sparc/mm/init_32.c linux-2.6.39.2/arch/sparc/mm/init_32.c
7596 --- linux-2.6.39.2/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
7597 +++ linux-2.6.39.2/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
7598 @@ -318,6 +318,9 @@ extern void device_scan(void);
7599 pgprot_t PAGE_SHARED __read_mostly;
7600 EXPORT_SYMBOL(PAGE_SHARED);
7601
7602 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
7603 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
7604 +
7605 void __init paging_init(void)
7606 {
7607 switch(sparc_cpu_model) {
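Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, and the next hunk uses the `*_NOEXEC` values in `protection_map[]` unconditionally, but the srmmu.c hunk of this patch assigns `PAGE_SHARED_NOEXEC` only under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the sparc32 pgtable header (not in this part of the patch) maps the `*_NOEXEC` names back to the plain ones when the option is off, a non-PAGEEXEC build would fill `protection_map[10]` and `[11]` from a zero-initialised `pgprot_t`. If the header does alias them, this definition and `EXPORT_SYMBOL` would instead duplicate `PAGE_SHARED`. Either way, wrapping the two added lines in the same `#ifdef CONFIG_PAX_PAGEEXEC` keeps the definition and its initialisation under one condition.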
7608 @@ -346,17 +349,17 @@ void __init paging_init(void)
7609
7610 /* Initialize the protection map with non-constant, MMU dependent values. */
7611 protection_map[0] = PAGE_NONE;
7612 - protection_map[1] = PAGE_READONLY;
7613 - protection_map[2] = PAGE_COPY;
7614 - protection_map[3] = PAGE_COPY;
7615 + protection_map[1] = PAGE_READONLY_NOEXEC;
7616 + protection_map[2] = PAGE_COPY_NOEXEC;
7617 + protection_map[3] = PAGE_COPY_NOEXEC;
7618 protection_map[4] = PAGE_READONLY;
7619 protection_map[5] = PAGE_READONLY;
7620 protection_map[6] = PAGE_COPY;
7621 protection_map[7] = PAGE_COPY;
7622 protection_map[8] = PAGE_NONE;
7623 - protection_map[9] = PAGE_READONLY;
7624 - protection_map[10] = PAGE_SHARED;
7625 - protection_map[11] = PAGE_SHARED;
7626 + protection_map[9] = PAGE_READONLY_NOEXEC;
7627 + protection_map[10] = PAGE_SHARED_NOEXEC;
7628 + protection_map[11] = PAGE_SHARED_NOEXEC;
7629 protection_map[12] = PAGE_READONLY;
7630 protection_map[13] = PAGE_READONLY;
7631 protection_map[14] = PAGE_SHARED;
7632 diff -urNp linux-2.6.39.2/arch/sparc/mm/Makefile linux-2.6.39.2/arch/sparc/mm/Makefile
7633 --- linux-2.6.39.2/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400
7634 +++ linux-2.6.39.2/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400
7635 @@ -2,7 +2,7 @@
7636 #
7637
7638 asflags-y := -ansi
7639 -ccflags-y := -Werror
7640 +#ccflags-y := -Werror
7641
7642 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
7643 obj-y += fault_$(BITS).o
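Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/mm, not only for the code this patch touches, and the dead line carries no explanation. If a specific warning from the patched fault handlers is the reason, say so next to the line, e.g. `# -Werror disabled: <warning introduced by the PaX changes>`. Better still, fix that warning and keep the flag, so later regressions in this directory still fail the build.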
7644 diff -urNp linux-2.6.39.2/arch/sparc/mm/srmmu.c linux-2.6.39.2/arch/sparc/mm/srmmu.c
7645 --- linux-2.6.39.2/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400
7646 +++ linux-2.6.39.2/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400
7647 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
7648 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
7649 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
7650 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
7651 +
7652 +#ifdef CONFIG_PAX_PAGEEXEC
7653 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
7654 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
7655 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
7656 +#endif
7657 +
7658 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
7659 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
7660
7661 diff -urNp linux-2.6.39.2/arch/tile/kernel/pci.c linux-2.6.39.2/arch/tile/kernel/pci.c
7662 --- linux-2.6.39.2/arch/tile/kernel/pci.c 2011-06-25 12:55:22.000000000 -0400
7663 +++ linux-2.6.39.2/arch/tile/kernel/pci.c 2011-06-25 13:00:25.000000000 -0400
7664 @@ -60,7 +60,7 @@ int __write_once tile_plx_gen1;
7665 static struct pci_controller controllers[TILE_NUM_PCIE];
7666 static int num_controllers;
7667
7668 -static struct pci_ops tile_cfg_ops;
7669 +static const struct pci_ops tile_cfg_ops;
7670
7671
7672 /*
7673 @@ -563,7 +563,7 @@ static int __devinit tile_cfg_write(stru
7674 }
7675
7676
7677 -static struct pci_ops tile_cfg_ops = {
7678 +static const struct pci_ops tile_cfg_ops = {
7679 .read = tile_cfg_read,
7680 .write = tile_cfg_write,
7681 };
7682 diff -urNp linux-2.6.39.2/arch/um/include/asm/kmap_types.h linux-2.6.39.2/arch/um/include/asm/kmap_types.h
7683 --- linux-2.6.39.2/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
7684 +++ linux-2.6.39.2/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
7685 @@ -23,6 +23,7 @@ enum km_type {
7686 KM_IRQ1,
7687 KM_SOFTIRQ0,
7688 KM_SOFTIRQ1,
7689 + KM_CLEARPAGE,
7690 KM_TYPE_NR
7691 };
7692
7693 diff -urNp linux-2.6.39.2/arch/um/include/asm/page.h linux-2.6.39.2/arch/um/include/asm/page.h
7694 --- linux-2.6.39.2/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
7695 +++ linux-2.6.39.2/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
7696 @@ -14,6 +14,9 @@
7697 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
7698 #define PAGE_MASK (~(PAGE_SIZE-1))
7699
7700 +#define ktla_ktva(addr) (addr)
7701 +#define ktva_ktla(addr) (addr)
7702 +
7703 #ifndef __ASSEMBLY__
7704
7705 struct page;
7706 diff -urNp linux-2.6.39.2/arch/um/kernel/process.c linux-2.6.39.2/arch/um/kernel/process.c
7707 --- linux-2.6.39.2/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
7708 +++ linux-2.6.39.2/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
7709 @@ -404,22 +404,6 @@ int singlestepping(void * t)
7710 return 2;
7711 }
7712
7713 -/*
7714 - * Only x86 and x86_64 have an arch_align_stack().
7715 - * All other arches have "#define arch_align_stack(x) (x)"
7716 - * in their asm/system.h
7717 - * As this is included in UML from asm-um/system-generic.h,
7718 - * we can use it to behave as the subarch does.
7719 - */
7720 -#ifndef arch_align_stack
7721 -unsigned long arch_align_stack(unsigned long sp)
7722 -{
7723 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7724 - sp -= get_random_int() % 8192;
7725 - return sp & ~0xf;
7726 -}
7727 -#endif
7728 -
7729 unsigned long get_wchan(struct task_struct *p)
7730 {
7731 unsigned long stack_page, sp, ip;
7732 diff -urNp linux-2.6.39.2/arch/um/sys-i386/syscalls.c linux-2.6.39.2/arch/um/sys-i386/syscalls.c
7733 --- linux-2.6.39.2/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400
7734 +++ linux-2.6.39.2/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400
7735 @@ -11,6 +11,21 @@
7736 #include "asm/uaccess.h"
7737 #include "asm/unistd.h"
7738
7739 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7740 +{
7741 + unsigned long pax_task_size = TASK_SIZE;
7742 +
7743 +#ifdef CONFIG_PAX_SEGMEXEC
7744 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7745 + pax_task_size = SEGMEXEC_TASK_SIZE;
7746 +#endif
7747 +
7748 + if (len > pax_task_size || addr > pax_task_size - len)
7749 + return -EINVAL;
7750 +
7751 + return 0;
7752 +}
7753 +
7754 /*
7755 * The prototype on i386 is:
7756 *
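Review bot: `i386_mmap_check()` has no comment and never reads its `flags` argument. The order of the two tests matters: `len > pax_task_size` has to be rejected first so that `pax_task_size - len` cannot wrap, which is worth stating, e.g. `/* len is checked first so that pax_task_size - len cannot underflow */`. A short header comment should also say that the limit shrinks to `SEGMEXEC_TASK_SIZE` for tasks with `MF_PAX_SEGMEXEC`. If `flags` is accepted only to match the arch hook's signature, the comment should say that too.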
7757 diff -urNp linux-2.6.39.2/arch/unicore32/kernel/pci.c linux-2.6.39.2/arch/unicore32/kernel/pci.c
7758 --- linux-2.6.39.2/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7759 +++ linux-2.6.39.2/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7760 @@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u
7761 return PCIBIOS_SUCCESSFUL;
7762 }
7763
7764 -struct pci_ops pci_puv3_ops = {
7765 +const struct pci_ops pci_puv3_ops = {
7766 .read = puv3_read_config,
7767 .write = puv3_write_config,
7768 };
7769 diff -urNp linux-2.6.39.2/arch/x86/boot/bitops.h linux-2.6.39.2/arch/x86/boot/bitops.h
7770 --- linux-2.6.39.2/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400
7771 +++ linux-2.6.39.2/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400
7772 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7773 u8 v;
7774 const u32 *p = (const u32 *)addr;
7775
7776 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7777 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7778 return v;
7779 }
7780
7781 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7782
7783 static inline void set_bit(int nr, void *addr)
7784 {
7785 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7786 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7787 }
7788
7789 #endif /* BOOT_BITOPS_H */
7790 diff -urNp linux-2.6.39.2/arch/x86/boot/boot.h linux-2.6.39.2/arch/x86/boot/boot.h
7791 --- linux-2.6.39.2/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400
7792 +++ linux-2.6.39.2/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400
7793 @@ -85,7 +85,7 @@ static inline void io_delay(void)
7794 static inline u16 ds(void)
7795 {
7796 u16 seg;
7797 - asm("movw %%ds,%0" : "=rm" (seg));
7798 + asm volatile("movw %%ds,%0" : "=rm" (seg));
7799 return seg;
7800 }
7801
7802 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
7803 static inline int memcmp(const void *s1, const void *s2, size_t len)
7804 {
7805 u8 diff;
7806 - asm("repe; cmpsb; setnz %0"
7807 + asm volatile("repe; cmpsb; setnz %0"
7808 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7809 return diff;
7810 }
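Review bot: Adding `volatile` to the `repe; cmpsb` asm in `memcmp()` stops the compiler from dropping or merging the statement, but the asm still does not declare that it reads the buffers behind `s1` and `s2`; its operands are only the two pointers and the count. Without a `"memory"` clobber (or memory input operands) the compiler may keep an earlier store to either buffer pending across the asm. I would end the operand list with the clobber: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. Separately, with `len == 0` the `repe` prefix executes no compare, so `setnz` reports whatever ZF held before; callers that can pass zero would need a guard.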
7811 diff -urNp linux-2.6.39.2/arch/x86/boot/compressed/head_32.S linux-2.6.39.2/arch/x86/boot/compressed/head_32.S
7812 --- linux-2.6.39.2/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400
7813 +++ linux-2.6.39.2/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400
7814 @@ -76,7 +76,7 @@ ENTRY(startup_32)
7815 notl %eax
7816 andl %eax, %ebx
7817 #else
7818 - movl $LOAD_PHYSICAL_ADDR, %ebx
7819 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7820 #endif
7821
7822 /* Target address to relocate to for decompression */
7823 @@ -162,7 +162,7 @@ relocated:
7824 * and where it was actually loaded.
7825 */
7826 movl %ebp, %ebx
7827 - subl $LOAD_PHYSICAL_ADDR, %ebx
7828 + subl $____LOAD_PHYSICAL_ADDR, %ebx
7829 jz 2f /* Nothing to be done if loaded at compiled addr. */
7830 /*
7831 * Process relocations.
7832 @@ -170,8 +170,7 @@ relocated:
7833
7834 1: subl $4, %edi
7835 movl (%edi), %ecx
7836 - testl %ecx, %ecx
7837 - jz 2f
7838 + jecxz 2f
7839 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7840 jmp 1b
7841 2:
7842 diff -urNp linux-2.6.39.2/arch/x86/boot/compressed/head_64.S linux-2.6.39.2/arch/x86/boot/compressed/head_64.S
7843 --- linux-2.6.39.2/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400
7844 +++ linux-2.6.39.2/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400
7845 @@ -91,7 +91,7 @@ ENTRY(startup_32)
7846 notl %eax
7847 andl %eax, %ebx
7848 #else
7849 - movl $LOAD_PHYSICAL_ADDR, %ebx
7850 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7851 #endif
7852
7853 /* Target address to relocate to for decompression */
7854 @@ -233,7 +233,7 @@ ENTRY(startup_64)
7855 notq %rax
7856 andq %rax, %rbp
7857 #else
7858 - movq $LOAD_PHYSICAL_ADDR, %rbp
7859 + movq $____LOAD_PHYSICAL_ADDR, %rbp
7860 #endif
7861
7862 /* Target address to relocate to for decompression */
7863 diff -urNp linux-2.6.39.2/arch/x86/boot/compressed/misc.c linux-2.6.39.2/arch/x86/boot/compressed/misc.c
7864 --- linux-2.6.39.2/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400
7865 +++ linux-2.6.39.2/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400
7866 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
7867 case PT_LOAD:
7868 #ifdef CONFIG_RELOCATABLE
7869 dest = output;
7870 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7871 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7872 #else
7873 dest = (void *)(phdr->p_paddr);
7874 #endif
7875 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
7876 error("Destination address too large");
7877 #endif
7878 #ifndef CONFIG_RELOCATABLE
7879 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7880 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7881 error("Wrong destination address");
7882 #endif
7883
7884 diff -urNp linux-2.6.39.2/arch/x86/boot/compressed/relocs.c linux-2.6.39.2/arch/x86/boot/compressed/relocs.c
7885 --- linux-2.6.39.2/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400
7886 +++ linux-2.6.39.2/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400
7887 @@ -13,8 +13,11 @@
7888
7889 static void die(char *fmt, ...);
7890
7891 +#include "../../../../include/generated/autoconf.h"
7892 +
7893 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7894 static Elf32_Ehdr ehdr;
7895 +static Elf32_Phdr *phdr;
7896 static unsigned long reloc_count, reloc_idx;
7897 static unsigned long *relocs;
7898
7899 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
7900 }
7901 }
7902
7903 +static void read_phdrs(FILE *fp)
7904 +{
7905 + unsigned int i;
7906 +
7907 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7908 + if (!phdr) {
7909 + die("Unable to allocate %d program headers\n",
7910 + ehdr.e_phnum);
7911 + }
7912 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7913 + die("Seek to %d failed: %s\n",
7914 + ehdr.e_phoff, strerror(errno));
7915 + }
7916 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7917 + die("Cannot read ELF program headers: %s\n",
7918 + strerror(errno));
7919 + }
7920 + for(i = 0; i < ehdr.e_phnum; i++) {
7921 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7922 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7923 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7924 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7925 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7926 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7927 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7928 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7929 + }
7930 +
7931 +}
7932 +
7933 static void read_shdrs(FILE *fp)
7934 {
7935 - int i;
7936 + unsigned int i;
7937 Elf32_Shdr shdr;
7938
7939 secs = calloc(ehdr.e_shnum, sizeof(struct section));
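Review bot: In `read_phdrs()` two failure paths can report the wrong cause. A short `fread` is reported through `strerror(errno)`, but `fread` leaves `errno` untouched at end-of-file, so a truncated image prints an unrelated message. `calloc(0, …)` may also return NULL, so an image with `e_phnum == 0` would die with "Unable to allocate". Guarding the allocation test as `if (!phdr && ehdr.e_phnum)` and printing a fixed short-read text when `feof(fp)` is set would make both messages trustworthy. `ehdr.e_phoff` is an unsigned 32-bit ELF field, so `%u` matches it better than `%d` in the seek message.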
7940 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
7941
7942 static void read_strtabs(FILE *fp)
7943 {
7944 - int i;
7945 + unsigned int i;
7946 for (i = 0; i < ehdr.e_shnum; i++) {
7947 struct section *sec = &secs[i];
7948 if (sec->shdr.sh_type != SHT_STRTAB) {
7949 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
7950
7951 static void read_symtabs(FILE *fp)
7952 {
7953 - int i,j;
7954 + unsigned int i,j;
7955 for (i = 0; i < ehdr.e_shnum; i++) {
7956 struct section *sec = &secs[i];
7957 if (sec->shdr.sh_type != SHT_SYMTAB) {
7958 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
7959
7960 static void read_relocs(FILE *fp)
7961 {
7962 - int i,j;
7963 + unsigned int i,j;
7964 + uint32_t base;
7965 +
7966 for (i = 0; i < ehdr.e_shnum; i++) {
7967 struct section *sec = &secs[i];
7968 if (sec->shdr.sh_type != SHT_REL) {
7969 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
7970 die("Cannot read symbol table: %s\n",
7971 strerror(errno));
7972 }
7973 + base = 0;
7974 + for (j = 0; j < ehdr.e_phnum; j++) {
7975 + if (phdr[j].p_type != PT_LOAD )
7976 + continue;
7977 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7978 + continue;
7979 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7980 + break;
7981 + }
7982 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7983 Elf32_Rel *rel = &sec->reltab[j];
7984 - rel->r_offset = elf32_to_cpu(rel->r_offset);
7985 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
7986 rel->r_info = elf32_to_cpu(rel->r_info);
7987 }
7988 }
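Review bot: The new `base` lookup in `read_relocs()` silently leaves `base = 0` when no `PT_LOAD` segment contains the target section, so those relocation offsets stay unadjusted with no diagnostic. If a miss is not expected, a `die()` after the loop would make it visible. Nothing explains the adjustment either; judging from the expression alone, a comment such as `/* shift r_offset by CONFIG_PAGE_OFFSET plus the segment's p_paddr - p_vaddr delta */` would fit. The range test reads `secs[sec->shdr.sh_info].shdr.sh_offset` twice on one very long line, which a local `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` would shorten. The function starts in the previous hunk and continues past this one.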
7989 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
7990
7991 static void print_absolute_symbols(void)
7992 {
7993 - int i;
7994 + unsigned int i;
7995 printf("Absolute symbols\n");
7996 printf(" Num: Value Size Type Bind Visibility Name\n");
7997 for (i = 0; i < ehdr.e_shnum; i++) {
7998 struct section *sec = &secs[i];
7999 char *sym_strtab;
8000 Elf32_Sym *sh_symtab;
8001 - int j;
8002 + unsigned int j;
8003
8004 if (sec->shdr.sh_type != SHT_SYMTAB) {
8005 continue;
8006 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
8007
8008 static void print_absolute_relocs(void)
8009 {
8010 - int i, printed = 0;
8011 + unsigned int i, printed = 0;
8012
8013 for (i = 0; i < ehdr.e_shnum; i++) {
8014 struct section *sec = &secs[i];
8015 struct section *sec_applies, *sec_symtab;
8016 char *sym_strtab;
8017 Elf32_Sym *sh_symtab;
8018 - int j;
8019 + unsigned int j;
8020 if (sec->shdr.sh_type != SHT_REL) {
8021 continue;
8022 }
8023 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
8024
8025 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
8026 {
8027 - int i;
8028 + unsigned int i;
8029 /* Walk through the relocations */
8030 for (i = 0; i < ehdr.e_shnum; i++) {
8031 char *sym_strtab;
8032 Elf32_Sym *sh_symtab;
8033 struct section *sec_applies, *sec_symtab;
8034 - int j;
8035 + unsigned int j;
8036 struct section *sec = &secs[i];
8037
8038 if (sec->shdr.sh_type != SHT_REL) {
8039 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
8040 !is_rel_reloc(sym_name(sym_strtab, sym))) {
8041 continue;
8042 }
8043 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
8044 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
8045 + continue;
8046 +
8047 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
8048 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
8049 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
8050 + continue;
8051 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
8052 + continue;
8053 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
8054 + continue;
8055 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
8056 + continue;
8057 +#endif
8058 +
8059 switch (r_type) {
8060 case R_386_NONE:
8061 case R_386_PC32:
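Review bot: The added skip rules in `walk_relocs()` call `sec_name(sym->st_shndx)` up to five times per relocation and mix `!strcmp(...)` with bare `strcmp(...)`, so the equal/not-equal sense of each rule is hard to read. Hoisting `const char *secname = sec_name(sym->st_shndx);` once and writing the negative tests as `strcmp(...) != 0` would make each rule read as "section is X and symbol is (not) Y". The `.module.text`/`_etext` rule is the only one that skips on a symbol match rather than a mismatch; the comment should say why. The loop body begins outside this hunk.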
8062 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
8063
8064 static void emit_relocs(int as_text)
8065 {
8066 - int i;
8067 + unsigned int i;
8068 /* Count how many relocations I have and allocate space for them. */
8069 reloc_count = 0;
8070 walk_relocs(count_reloc);
8071 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
8072 fname, strerror(errno));
8073 }
8074 read_ehdr(fp);
8075 + read_phdrs(fp);
8076 read_shdrs(fp);
8077 read_strtabs(fp);
8078 read_symtabs(fp);
8079 diff -urNp linux-2.6.39.2/arch/x86/boot/cpucheck.c linux-2.6.39.2/arch/x86/boot/cpucheck.c
8080 --- linux-2.6.39.2/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400
8081 +++ linux-2.6.39.2/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400
8082 @@ -74,7 +74,7 @@ static int has_fpu(void)
8083 u16 fcw = -1, fsw = -1;
8084 u32 cr0;
8085
8086 - asm("movl %%cr0,%0" : "=r" (cr0));
8087 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
8088 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
8089 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
8090 asm volatile("movl %0,%%cr0" : : "r" (cr0));
8091 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
8092 {
8093 u32 f0, f1;
8094
8095 - asm("pushfl ; "
8096 + asm volatile("pushfl ; "
8097 "pushfl ; "
8098 "popl %0 ; "
8099 "movl %0,%1 ; "
8100 @@ -115,7 +115,7 @@ static void get_flags(void)
8101 set_bit(X86_FEATURE_FPU, cpu.flags);
8102
8103 if (has_eflag(X86_EFLAGS_ID)) {
8104 - asm("cpuid"
8105 + asm volatile("cpuid"
8106 : "=a" (max_intel_level),
8107 "=b" (cpu_vendor[0]),
8108 "=d" (cpu_vendor[1]),
8109 @@ -124,7 +124,7 @@ static void get_flags(void)
8110
8111 if (max_intel_level >= 0x00000001 &&
8112 max_intel_level <= 0x0000ffff) {
8113 - asm("cpuid"
8114 + asm volatile("cpuid"
8115 : "=a" (tfms),
8116 "=c" (cpu.flags[4]),
8117 "=d" (cpu.flags[0])
8118 @@ -136,7 +136,7 @@ static void get_flags(void)
8119 cpu.model += ((tfms >> 16) & 0xf) << 4;
8120 }
8121
8122 - asm("cpuid"
8123 + asm volatile("cpuid"
8124 : "=a" (max_amd_level)
8125 : "a" (0x80000000)
8126 : "ebx", "ecx", "edx");
8127 @@ -144,7 +144,7 @@ static void get_flags(void)
8128 if (max_amd_level >= 0x80000001 &&
8129 max_amd_level <= 0x8000ffff) {
8130 u32 eax = 0x80000001;
8131 - asm("cpuid"
8132 + asm volatile("cpuid"
8133 : "+a" (eax),
8134 "=c" (cpu.flags[6]),
8135 "=d" (cpu.flags[1])
8136 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8137 u32 ecx = MSR_K7_HWCR;
8138 u32 eax, edx;
8139
8140 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8141 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8142 eax &= ~(1 << 15);
8143 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8144 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8145
8146 get_flags(); /* Make sure it really did something */
8147 err = check_flags();
8148 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8149 u32 ecx = MSR_VIA_FCR;
8150 u32 eax, edx;
8151
8152 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8153 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8154 eax |= (1<<1)|(1<<7);
8155 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8156 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8157
8158 set_bit(X86_FEATURE_CX8, cpu.flags);
8159 err = check_flags();
8160 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
8161 u32 eax, edx;
8162 u32 level = 1;
8163
8164 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8165 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8166 - asm("cpuid"
8167 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8168 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8169 + asm volatile("cpuid"
8170 : "+a" (level), "=d" (cpu.flags[0])
8171 : : "ecx", "ebx");
8172 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8173 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8174
8175 err = check_flags();
8176 }
8177 diff -urNp linux-2.6.39.2/arch/x86/boot/header.S linux-2.6.39.2/arch/x86/boot/header.S
8178 --- linux-2.6.39.2/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400
8179 +++ linux-2.6.39.2/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400
8180 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
8181 # single linked list of
8182 # struct setup_data
8183
8184 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
8185 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
8186
8187 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
8188 #define VO_INIT_SIZE (VO__end - VO__text)
8189 diff -urNp linux-2.6.39.2/arch/x86/boot/memory.c linux-2.6.39.2/arch/x86/boot/memory.c
8190 --- linux-2.6.39.2/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400
8191 +++ linux-2.6.39.2/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400
8192 @@ -19,7 +19,7 @@
8193
8194 static int detect_memory_e820(void)
8195 {
8196 - int count = 0;
8197 + unsigned int count = 0;
8198 struct biosregs ireg, oreg;
8199 struct e820entry *desc = boot_params.e820_map;
8200 static struct e820entry buf; /* static so it is zeroed */
8201 diff -urNp linux-2.6.39.2/arch/x86/boot/video.c linux-2.6.39.2/arch/x86/boot/video.c
8202 --- linux-2.6.39.2/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400
8203 +++ linux-2.6.39.2/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400
8204 @@ -96,7 +96,7 @@ static void store_mode_params(void)
8205 static unsigned int get_entry(void)
8206 {
8207 char entry_buf[4];
8208 - int i, len = 0;
8209 + unsigned int i, len = 0;
8210 int key;
8211 unsigned int v;
8212
8213 diff -urNp linux-2.6.39.2/arch/x86/boot/video-vesa.c linux-2.6.39.2/arch/x86/boot/video-vesa.c
8214 --- linux-2.6.39.2/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400
8215 +++ linux-2.6.39.2/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400
8216 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
8217
8218 boot_params.screen_info.vesapm_seg = oreg.es;
8219 boot_params.screen_info.vesapm_off = oreg.di;
8220 + boot_params.screen_info.vesapm_size = oreg.cx;
8221 }
8222
8223 /*
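Review bot: `vesapm_size` is filled from `oreg.cx` with no comment on what the value is or how far it can be trusted. It is supplied by firmware, so whichever code later uses it as a length should bound it before use; that consumer is not in this hunk. A comment such as `/* size of the PM interface block as reported by the BIOS in CX; untrusted */` would help. vesa_store_pm_info starts outside the hunk, so any status check on the BIOS call is not visible here.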
8224 diff -urNp linux-2.6.39.2/arch/x86/ia32/ia32_aout.c linux-2.6.39.2/arch/x86/ia32/ia32_aout.c
8225 --- linux-2.6.39.2/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400
8226 +++ linux-2.6.39.2/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400
8227 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
8228 unsigned long dump_start, dump_size;
8229 struct user32 dump;
8230
8231 + memset(&dump, 0, sizeof(dump));
8232 +
8233 fs = get_fs();
8234 set_fs(KERNEL_DS);
8235 has_dumped = 1;
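Review bot: The added `memset(&dump, 0, sizeof(dump))` has no comment saying what it protects against. `dump` is an on-stack `struct user32`, so any field or padding byte the later code leaves unset would otherwise carry stale kernel stack contents. Presumably the struct is then written to the core file, though that part of aout_core_dump is outside the hunk. Suggest `/* clear padding and unset fields so no kernel stack bytes leak into the dump */` above the call.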
8236 diff -urNp linux-2.6.39.2/arch/x86/ia32/ia32entry.S linux-2.6.39.2/arch/x86/ia32/ia32entry.S
8237 --- linux-2.6.39.2/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400
8238 +++ linux-2.6.39.2/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400
8239 @@ -13,6 +13,7 @@
8240 #include <asm/thread_info.h>
8241 #include <asm/segment.h>
8242 #include <asm/irqflags.h>
8243 +#include <asm/pgtable.h>
8244 #include <linux/linkage.h>
8245
8246 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
8247 @@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
8248 ENDPROC(native_irq_enable_sysexit)
8249 #endif
8250
8251 + .macro pax_enter_kernel_user
8252 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8253 + call pax_enter_kernel_user
8254 +#endif
8255 + .endm
8256 +
8257 + .macro pax_exit_kernel_user
8258 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8259 + call pax_exit_kernel_user
8260 +#endif
8261 +#ifdef CONFIG_PAX_RANDKSTACK
8262 + pushq %rax
8263 + call pax_randomize_kstack
8264 + popq %rax
8265 +#endif
8266 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8267 + call pax_erase_kstack
8268 +#endif
8269 + .endm
8270 +
8271 + .macro pax_erase_kstack
8272 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8273 + call pax_erase_kstack
8274 +#endif
8275 + .endm
8276 +
8277 /*
8278 * 32bit SYSENTER instruction entry.
8279 *
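Review bot: The three macros carry no comment on which registers they clobber or under which options they expand to nothing. `pax_exit_kernel_user` saves only %rax around `pax_randomize_kstack` and nothing around the calls to `pax_exit_kernel_user` and `pax_erase_kstack`, so it relies on those routines preserving every other live register; their definitions are not in this hunk. A header comment stating that contract should be added and checked against the callees. The macros also share their names with the functions they call, which assembles because the name is only an operand there, but deserves a word in the same comment.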
8280 @@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
8281 CFI_REGISTER rsp,rbp
8282 SWAPGS_UNSAFE_STACK
8283 movq PER_CPU_VAR(kernel_stack), %rsp
8284 - addq $(KERNEL_STACK_OFFSET),%rsp
8285 + pax_enter_kernel_user
8286 /*
8287 * No need to follow this irqs on/off section: the syscall
8288 * disabled irqs, here we enable it straight after entry:
8289 @@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
8290 CFI_REL_OFFSET rsp,0
8291 pushfq_cfi
8292 /*CFI_REL_OFFSET rflags,0*/
8293 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
8294 + GET_THREAD_INFO(%r10)
8295 + movl TI_sysenter_return(%r10), %r10d
8296 CFI_REGISTER rip,r10
8297 pushq_cfi $__USER32_CS
8298 /*CFI_REL_OFFSET cs,0*/
8299 @@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
8300 SAVE_ARGS 0,0,1
8301 /* no need to do an access_ok check here because rbp has been
8302 32bit zero extended */
8303 +
8304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8305 + mov $PAX_USER_SHADOW_BASE,%r10
8306 + add %r10,%rbp
8307 +#endif
8308 +
8309 1: movl (%rbp),%ebp
8310 .section __ex_table,"a"
8311 .quad 1b,ia32_badarg
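Review bot: The UDEREF block rebases the user pointer by PAX_USER_SHADOW_BASE using %r10 as scratch, and neither the clobber nor the dependency on the comment just above it is written down. The rebased address relies on %rbp having been zero-extended from 32 bits, which is what the existing "no need to do an access_ok check" comment says. That comment should be extended to cover the add, e.g. `/* UDEREF: read userland through the shadow mapping; clobbers %r10 */`. In the ia32_cstar_target hunk the same sequence leaves %r8 rebased after the load, whereas %rbp here is overwritten by it; whether %r8 is read again afterwards is not visible.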
8312 @@ -168,6 +202,7 @@ sysenter_dispatch:
8313 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8314 jnz sysexit_audit
8315 sysexit_from_sys_call:
8316 + pax_exit_kernel_user
8317 andl $~TS_COMPAT,TI_status(%r10)
8318 /* clear IF, that popfq doesn't enable interrupts early */
8319 andl $~0x200,EFLAGS-R11(%rsp)
8320 @@ -194,6 +229,9 @@ sysexit_from_sys_call:
8321 movl %eax,%esi /* 2nd arg: syscall number */
8322 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
8323 call audit_syscall_entry
8324 +
8325 + pax_erase_kstack
8326 +
8327 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
8328 cmpq $(IA32_NR_syscalls-1),%rax
8329 ja ia32_badsys
8330 @@ -246,6 +284,9 @@ sysenter_tracesys:
8331 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
8332 movq %rsp,%rdi /* &pt_regs -> arg1 */
8333 call syscall_trace_enter
8334 +
8335 + pax_erase_kstack
8336 +
8337 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8338 RESTORE_REST
8339 cmpq $(IA32_NR_syscalls-1),%rax
8340 @@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
8341 ENTRY(ia32_cstar_target)
8342 CFI_STARTPROC32 simple
8343 CFI_SIGNAL_FRAME
8344 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
8345 + CFI_DEF_CFA rsp,0
8346 CFI_REGISTER rip,rcx
8347 /*CFI_REGISTER rflags,r11*/
8348 SWAPGS_UNSAFE_STACK
8349 movl %esp,%r8d
8350 CFI_REGISTER rsp,r8
8351 movq PER_CPU_VAR(kernel_stack),%rsp
8352 +
8353 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8354 + pax_enter_kernel_user
8355 +#endif
8356 +
8357 /*
8358 * No need to follow this irqs on/off section: the syscall
8359 * disabled irqs and here we enable it straight after entry:
8360 */
8361 ENABLE_INTERRUPTS(CLBR_NONE)
8362 - SAVE_ARGS 8,1,1
8363 + SAVE_ARGS 8*6,1,1
8364 movl %eax,%eax /* zero extension */
8365 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
8366 movq %rcx,RIP-ARGOFFSET(%rsp)
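Review bot: `pax_enter_kernel_user` is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF` here, although the macro already expands to nothing without that option and the ia32_sysenter_target and ia32_syscall call sites use it bare. Dropping the outer `#ifdef`/`#endif` would make the three entry points consistent. Separately, `CFI_DEF_CFA rsp,0` and `SAVE_ARGS 8*6,1,1` replace values that were tied to KERNEL_STACK_OFFSET. A short comment on where the `8*6` comes from (presumably the old 8 plus the former offset) would save the reader the arithmetic.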
8367 @@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
8368 /* no need to do an access_ok check here because r8 has been
8369 32bit zero extended */
8370 /* hardware stack frame is complete now */
8371 +
8372 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8373 + mov $PAX_USER_SHADOW_BASE,%r10
8374 + add %r10,%r8
8375 +#endif
8376 +
8377 1: movl (%r8),%r9d
8378 .section __ex_table,"a"
8379 .quad 1b,ia32_badarg
8380 @@ -327,6 +379,7 @@ cstar_dispatch:
8381 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8382 jnz sysretl_audit
8383 sysretl_from_sys_call:
8384 + pax_exit_kernel_user
8385 andl $~TS_COMPAT,TI_status(%r10)
8386 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
8387 movl RIP-ARGOFFSET(%rsp),%ecx
8388 @@ -364,6 +417,9 @@ cstar_tracesys:
8389 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8390 movq %rsp,%rdi /* &pt_regs -> arg1 */
8391 call syscall_trace_enter
8392 +
8393 + pax_erase_kstack
8394 +
8395 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
8396 RESTORE_REST
8397 xchgl %ebp,%r9d
8398 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
8399 CFI_REL_OFFSET rip,RIP-RIP
8400 PARAVIRT_ADJUST_EXCEPTION_FRAME
8401 SWAPGS
8402 + pax_enter_kernel_user
8403 /*
8404 * No need to follow this irqs on/off section: the syscall
8405 * disabled irqs and here we enable it straight after entry:
8406 @@ -441,6 +498,9 @@ ia32_tracesys:
8407 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8408 movq %rsp,%rdi /* &pt_regs -> arg1 */
8409 call syscall_trace_enter
8410 +
8411 + pax_erase_kstack
8412 +
8413 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8414 RESTORE_REST
8415 cmpq $(IA32_NR_syscalls-1),%rax
8416 diff -urNp linux-2.6.39.2/arch/x86/ia32/ia32_signal.c linux-2.6.39.2/arch/x86/ia32/ia32_signal.c
8417 --- linux-2.6.39.2/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400
8418 +++ linux-2.6.39.2/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400
8419 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
8420 sp -= frame_size;
8421 /* Align the stack pointer according to the i386 ABI,
8422 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
8423 - sp = ((sp + 4) & -16ul) - 4;
8424 + sp = ((sp - 12) & -16ul) - 4;
8425 return (void __user *) sp;
8426 }
8427
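Review bot: The new expression `((sp - 12) & -16ul) - 4` satisfies the same alignment rule as the old one but always lands exactly 16 bytes lower, and the comment above it still explains only the alignment. A reader cannot tell from the hunk why the extra 16 bytes are reserved. Please extend the comment with the reason, along the lines of `... and keep one further 16-byte slot free below the old position`, with the actual motivation filled in. get_sigframe starts outside the hunk.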
8428 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
8429 * These are actually not used anymore, but left because some
8430 * gdb versions depend on them as a marker.
8431 */
8432 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8433 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8434 } put_user_catch(err);
8435
8436 if (err)
8437 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
8438 0xb8,
8439 __NR_ia32_rt_sigreturn,
8440 0x80cd,
8441 - 0,
8442 + 0
8443 };
8444
8445 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
8446 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
8447
8448 if (ka->sa.sa_flags & SA_RESTORER)
8449 restorer = ka->sa.sa_restorer;
8450 + else if (current->mm->context.vdso)
8451 + /* Return stub is in 32bit vsyscall page */
8452 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
8453 else
8454 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
8455 - rt_sigreturn);
8456 + restorer = &frame->retcode;
8457 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
8458
8459 /*
8460 * Not actually used anymore, but left because some gdb
8461 * versions need it.
8462 */
8463 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8464 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8465 } put_user_catch(err);
8466
8467 if (err)
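Review bot: The comment kept above the final `put_user_ex` ("Not actually used anymore, but left because some gdb versions need it") is no longer true after this change. The new `else` branch sets `restorer = &frame->retcode`, so when no vDSO is mapped the on-stack stub becomes the real signal return path. The comment should say so, e.g. `/* Fallback return stub when no vDSO is mapped; some gdb versions also use it as a marker. */`. That fallback executes code from the user stack, so it only works where the stack is executable or the stub is handled specially; nothing in the hunk shows which, and a note on that would help.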
8468 diff -urNp linux-2.6.39.2/arch/x86/include/asm/alternative.h linux-2.6.39.2/arch/x86/include/asm/alternative.h
8469 --- linux-2.6.39.2/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400
8470 +++ linux-2.6.39.2/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400
8471 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
8472 ".section .discard,\"aw\",@progbits\n" \
8473 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
8474 ".previous\n" \
8475 - ".section .altinstr_replacement, \"ax\"\n" \
8476 + ".section .altinstr_replacement, \"a\"\n" \
8477 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8478 ".previous"
8479
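Review bot: Changing `.altinstr_replacement` from `"ax"` to `"a"` is not explained anywhere in the macro. The replacement bytes are presumably only copied over the original instructions and never run in place, which is why the section need not be executable; a comment stating that would stop someone from restoring the `x` flag later. Any other place that opens the same section (assembly-side macros, if present) has to use the same flags, otherwise the assembler will complain about changed section attributes; those sites are not visible here. The macro starts outside the hunk.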
8480 diff -urNp linux-2.6.39.2/arch/x86/include/asm/apm.h linux-2.6.39.2/arch/x86/include/asm/apm.h
8481 --- linux-2.6.39.2/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400
8482 +++ linux-2.6.39.2/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400
8483 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8484 __asm__ __volatile__(APM_DO_ZERO_SEGS
8485 "pushl %%edi\n\t"
8486 "pushl %%ebp\n\t"
8487 - "lcall *%%cs:apm_bios_entry\n\t"
8488 + "lcall *%%ss:apm_bios_entry\n\t"
8489 "setc %%al\n\t"
8490 "popl %%ebp\n\t"
8491 "popl %%edi\n\t"
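Review bot: The segment override on the far call changes from `%%cs` to `%%ss` without a comment, here and in the apm_bios_call_simple_asm hunk below. `apm_bios_entry` is data, and APM_DO_ZERO_SEGS (by its name) clears the ordinary data segment registers first, so %ss is presumably the one remaining selector that reaches kernel data when the code segment no longer does. Please record that next to the instruction, e.g. `/* read the entry point through %ss: data segments are zeroed and %cs may not map kernel data */`. Both functions start outside their hunks.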
8492 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8493 __asm__ __volatile__(APM_DO_ZERO_SEGS
8494 "pushl %%edi\n\t"
8495 "pushl %%ebp\n\t"
8496 - "lcall *%%cs:apm_bios_entry\n\t"
8497 + "lcall *%%ss:apm_bios_entry\n\t"
8498 "setc %%bl\n\t"
8499 "popl %%ebp\n\t"
8500 "popl %%edi\n\t"
8501 diff -urNp linux-2.6.39.2/arch/x86/include/asm/atomic64_32.h linux-2.6.39.2/arch/x86/include/asm/atomic64_32.h
8502 --- linux-2.6.39.2/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400
8503 +++ linux-2.6.39.2/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400
8504 @@ -12,6 +12,14 @@ typedef struct {
8505 u64 __aligned(8) counter;
8506 } atomic64_t;
8507
8508 +#ifdef CONFIG_PAX_REFCOUNT
8509 +typedef struct {
8510 + u64 __aligned(8) counter;
8511 +} atomic64_unchecked_t;
8512 +#else
8513 +typedef atomic64_t atomic64_unchecked_t;
8514 +#endif
8515 +
8516 #define ATOMIC64_INIT(val) { (val) }
8517
8518 #ifdef CONFIG_X86_CMPXCHG64
8519 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
8520 }
8521
8522 /**
8523 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
8524 + * @p: pointer to type atomic64_unchecked_t
8525 + * @o: expected value
8526 + * @n: new value
8527 + *
8528 + * Atomically sets @v to @n if it was equal to @o and returns
8529 + * the old value.
8530 + */
8531 +
8532 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
8533 +{
8534 + return cmpxchg64(&v->counter, o, n);
8535 +}
8536 +
8537 +/**
8538 * atomic64_xchg - xchg atomic64 variable
8539 * @v: pointer to type atomic64_t
8540 * @n: value to assign
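Review bot: The kernel-doc for atomic64_cmpxchg_unchecked names the pointer `@p` while the parameter is `v`, and the description itself refers to `@v`. The line should read `@v: pointer to type atomic64_unchecked_t`. The atomic64_set_unchecked hunk below has the same kind of mismatch: it documents `@n: value to assign` but the parameter is `i`, so that line should be `@i: value to assign`.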
8541 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
8542 }
8543
8544 /**
8545 + * atomic64_set_unchecked - set atomic64 variable
8546 + * @v: pointer to type atomic64_unchecked_t
8547 + * @n: value to assign
8548 + *
8549 + * Atomically sets the value of @v to @n.
8550 + */
8551 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
8552 +{
8553 + unsigned high = (unsigned)(i >> 32);
8554 + unsigned low = (unsigned)i;
8555 + asm volatile(ATOMIC64_ALTERNATIVE(set)
8556 + : "+b" (low), "+c" (high)
8557 + : "S" (v)
8558 + : "eax", "edx", "memory"
8559 + );
8560 +}
8561 +
8562 +/**
8563 * atomic64_read - read atomic64 variable
8564 * @v: pointer to type atomic64_t
8565 *
8566 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
8567 }
8568
8569 /**
8570 + * atomic64_read_unchecked - read atomic64 variable
8571 + * @v: pointer to type atomic64_unchecked_t
8572 + *
8573 + * Atomically reads the value of @v and returns it.
8574 + */
8575 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
8576 +{
8577 + long long r;
8578 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
8579 + : "=A" (r), "+c" (v)
8580 + : : "memory"
8581 + );
8582 + return r;
8583 + }
8584 +
8585 +/**
8586 * atomic64_add_return - add and return
8587 * @i: integer value to add
8588 * @v: pointer to type atomic64_t
8589 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
8590 return i;
8591 }
8592
8593 +/**
8594 + * atomic64_add_return_unchecked - add and return
8595 + * @i: integer value to add
8596 + * @v: pointer to type atomic64_unchecked_t
8597 + *
8598 + * Atomically adds @i to @v and returns @i + *@v
8599 + */
8600 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
8601 +{
8602 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
8603 + : "+A" (i), "+c" (v)
8604 + : : "memory"
8605 + );
8606 + return i;
8607 +}
8608 +
8609 /*
8610 * Other variants with different arithmetic operators:
8611 */
8612 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
8613 return a;
8614 }
8615
8616 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8617 +{
8618 + long long a;
8619 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
8620 + : "=A" (a)
8621 + : "S" (v)
8622 + : "memory", "ecx"
8623 + );
8624 + return a;
8625 +}
8626 +
8627 static inline long long atomic64_dec_return(atomic64_t *v)
8628 {
8629 long long a;
8630 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
8631 }
8632
8633 /**
8634 + * atomic64_add_unchecked - add integer to atomic64 variable
8635 + * @i: integer value to add
8636 + * @v: pointer to type atomic64_unchecked_t
8637 + *
8638 + * Atomically adds @i to @v.
8639 + */
8640 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
8641 +{
8642 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
8643 + : "+A" (i), "+c" (v)
8644 + : : "memory"
8645 + );
8646 + return i;
8647 +}
8648 +
8649 +/**
8650 * atomic64_sub - subtract the atomic64 variable
8651 * @i: integer value to subtract
8652 * @v: pointer to type atomic64_t
8653 diff -urNp linux-2.6.39.2/arch/x86/include/asm/atomic64_64.h linux-2.6.39.2/arch/x86/include/asm/atomic64_64.h
8654 --- linux-2.6.39.2/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400
8655 +++ linux-2.6.39.2/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400
8656 @@ -18,7 +18,19 @@
8657 */
8658 static inline long atomic64_read(const atomic64_t *v)
8659 {
8660 - return (*(volatile long *)&(v)->counter);
8661 + return (*(volatile const long *)&(v)->counter);
8662 +}
8663 +
8664 +/**
8665 + * atomic64_read_unchecked - read atomic64 variable
8666 + * @v: pointer of type atomic64_unchecked_t
8667 + *
8668 + * Atomically reads the value of @v.
8669 + * Doesn't imply a read memory barrier.
8670 + */
8671 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8672 +{
8673 + return (*(volatile const long *)&(v)->counter);
8674 }
8675
8676 /**
8677 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
8678 }
8679
8680 /**
8681 + * atomic64_set_unchecked - set atomic64 variable
8682 + * @v: pointer to type atomic64_unchecked_t
8683 + * @i: required value
8684 + *
8685 + * Atomically sets the value of @v to @i.
8686 + */
8687 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8688 +{
8689 + v->counter = i;
8690 +}
8691 +
8692 +/**
8693 * atomic64_add - add integer to atomic64 variable
8694 * @i: integer value to add
8695 * @v: pointer to type atomic64_t
8696 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
8697 */
8698 static inline void atomic64_add(long i, atomic64_t *v)
8699 {
8700 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8701 +
8702 +#ifdef CONFIG_PAX_REFCOUNT
8703 + "jno 0f\n"
8704 + LOCK_PREFIX "subq %1,%0\n"
8705 + "int $4\n0:\n"
8706 + _ASM_EXTABLE(0b, 0b)
8707 +#endif
8708 +
8709 + : "=m" (v->counter)
8710 + : "er" (i), "m" (v->counter));
8711 +}
8712 +
8713 +/**
8714 + * atomic64_add_unchecked - add integer to atomic64 variable
8715 + * @i: integer value to add
8716 + * @v: pointer to type atomic64_unchecked_t
8717 + *
8718 + * Atomically adds @i to @v.
8719 + */
8720 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8721 +{
8722 asm volatile(LOCK_PREFIX "addq %1,%0"
8723 : "=m" (v->counter)
8724 : "er" (i), "m" (v->counter));
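Review bot: With CONFIG_PAX_REFCOUNT the kernel-doc above atomic64_add ("Atomically adds @i to @v") no longer describes the whole behaviour. On signed overflow (the `jno` is not taken) the add is undone by a second, separate locked `subq` and `int $4` is raised, so the counter holds the wrapped value for a short window that other CPUs can observe. Please state this in the comment, e.g. `With CONFIG_PAX_REFCOUNT a signed overflow is reverted by a separate locked operation and reported through the overflow exception.` The same applies to the atomic64_sub, atomic64_sub_and_test, atomic64_inc, atomic64_dec, atomic64_dec_and_test, atomic64_inc_and_test and atomic64_add_negative hunks in this file and to the matching hunks in atomic.h.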
8725 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
8726 */
8727 static inline void atomic64_sub(long i, atomic64_t *v)
8728 {
8729 - asm volatile(LOCK_PREFIX "subq %1,%0"
8730 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8731 +
8732 +#ifdef CONFIG_PAX_REFCOUNT
8733 + "jno 0f\n"
8734 + LOCK_PREFIX "addq %1,%0\n"
8735 + "int $4\n0:\n"
8736 + _ASM_EXTABLE(0b, 0b)
8737 +#endif
8738 +
8739 + : "=m" (v->counter)
8740 + : "er" (i), "m" (v->counter));
8741 +}
8742 +
8743 +/**
8744 + * atomic64_sub_unchecked - subtract the atomic64 variable
8745 + * @i: integer value to subtract
8746 + * @v: pointer to type atomic64_unchecked_t
8747 + *
8748 + * Atomically subtracts @i from @v.
8749 + */
8750 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
8751 +{
8752 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8753 : "=m" (v->counter)
8754 : "er" (i), "m" (v->counter));
8755 }
8756 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
8757 {
8758 unsigned char c;
8759
8760 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8761 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8762 +
8763 +#ifdef CONFIG_PAX_REFCOUNT
8764 + "jno 0f\n"
8765 + LOCK_PREFIX "addq %2,%0\n"
8766 + "int $4\n0:\n"
8767 + _ASM_EXTABLE(0b, 0b)
8768 +#endif
8769 +
8770 + "sete %1\n"
8771 : "=m" (v->counter), "=qm" (c)
8772 : "er" (i), "m" (v->counter) : "memory");
8773 return c;
8774 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
8775 */
8776 static inline void atomic64_inc(atomic64_t *v)
8777 {
8778 + asm volatile(LOCK_PREFIX "incq %0\n"
8779 +
8780 +#ifdef CONFIG_PAX_REFCOUNT
8781 + "jno 0f\n"
8782 + LOCK_PREFIX "decq %0\n"
8783 + "int $4\n0:\n"
8784 + _ASM_EXTABLE(0b, 0b)
8785 +#endif
8786 +
8787 + : "=m" (v->counter)
8788 + : "m" (v->counter));
8789 +}
8790 +
8791 +/**
8792 + * atomic64_inc_unchecked - increment atomic64 variable
8793 + * @v: pointer to type atomic64_unchecked_t
8794 + *
8795 + * Atomically increments @v by 1.
8796 + */
8797 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8798 +{
8799 asm volatile(LOCK_PREFIX "incq %0"
8800 : "=m" (v->counter)
8801 : "m" (v->counter));
8802 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
8803 */
8804 static inline void atomic64_dec(atomic64_t *v)
8805 {
8806 - asm volatile(LOCK_PREFIX "decq %0"
8807 + asm volatile(LOCK_PREFIX "decq %0\n"
8808 +
8809 +#ifdef CONFIG_PAX_REFCOUNT
8810 + "jno 0f\n"
8811 + LOCK_PREFIX "incq %0\n"
8812 + "int $4\n0:\n"
8813 + _ASM_EXTABLE(0b, 0b)
8814 +#endif
8815 +
8816 + : "=m" (v->counter)
8817 + : "m" (v->counter));
8818 +}
8819 +
8820 +/**
8821 + * atomic64_dec_unchecked - decrement atomic64 variable
8822 + * @v: pointer to type atomic64_t
8823 + *
8824 + * Atomically decrements @v by 1.
8825 + */
8826 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8827 +{
8828 + asm volatile(LOCK_PREFIX "decq %0\n"
8829 : "=m" (v->counter)
8830 : "m" (v->counter));
8831 }
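Review bot: The kernel-doc for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *`; the line should read `@v: pointer to type atomic64_unchecked_t`. The distinction matters to readers because the unchecked type is the one exempt from the overflow check added to atomic64_dec just above. The unchecked asm string also ends in a stray newline (`"decq %0\n"`), which is harmless but differs from atomic64_inc_unchecked.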
8832 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
8833 {
8834 unsigned char c;
8835
8836 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8837 + asm volatile(LOCK_PREFIX "decq %0\n"
8838 +
8839 +#ifdef CONFIG_PAX_REFCOUNT
8840 + "jno 0f\n"
8841 + LOCK_PREFIX "incq %0\n"
8842 + "int $4\n0:\n"
8843 + _ASM_EXTABLE(0b, 0b)
8844 +#endif
8845 +
8846 + "sete %1\n"
8847 : "=m" (v->counter), "=qm" (c)
8848 : "m" (v->counter) : "memory");
8849 return c != 0;
8850 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
8851 {
8852 unsigned char c;
8853
8854 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8855 + asm volatile(LOCK_PREFIX "incq %0\n"
8856 +
8857 +#ifdef CONFIG_PAX_REFCOUNT
8858 + "jno 0f\n"
8859 + LOCK_PREFIX "decq %0\n"
8860 + "int $4\n0:\n"
8861 + _ASM_EXTABLE(0b, 0b)
8862 +#endif
8863 +
8864 + "sete %1\n"
8865 : "=m" (v->counter), "=qm" (c)
8866 : "m" (v->counter) : "memory");
8867 return c != 0;
8868 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
8869 {
8870 unsigned char c;
8871
8872 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8873 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8874 +
8875 +#ifdef CONFIG_PAX_REFCOUNT
8876 + "jno 0f\n"
8877 + LOCK_PREFIX "subq %2,%0\n"
8878 + "int $4\n0:\n"
8879 + _ASM_EXTABLE(0b, 0b)
8880 +#endif
8881 +
8882 + "sets %1\n"
8883 : "=m" (v->counter), "=qm" (c)
8884 : "er" (i), "m" (v->counter) : "memory");
8885 return c;
8886 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
8887 static inline long atomic64_add_return(long i, atomic64_t *v)
8888 {
8889 long __i = i;
8890 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8891 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8892 +
8893 +#ifdef CONFIG_PAX_REFCOUNT
8894 + "jno 0f\n"
8895 + "movq %0, %1\n"
8896 + "int $4\n0:\n"
8897 + _ASM_EXTABLE(0b, 0b)
8898 +#endif
8899 +
8900 + : "+r" (i), "+m" (v->counter)
8901 + : : "memory");
8902 + return i + __i;
8903 +}
8904 +
8905 +/**
8906 + * atomic64_add_return_unchecked - add and return
8907 + * @i: integer value to add
8908 + * @v: pointer to type atomic64_unchecked_t
8909 + *
8910 + * Atomically adds @i to @v and returns @i + @v
8911 + */
8912 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8913 +{
8914 + long __i = i;
8915 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8916 : "+r" (i), "+m" (v->counter)
8917 : : "memory");
8918 return i + __i;
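Review bot: The overflow path in atomic64_add_return undoes the `xaddq` with a plain `movq %0, %1`, not with a locked inverse operation as atomic64_add and atomic64_sub do. `%0` holds the value `xaddq` read, so any update another CPU makes between the two instructions is overwritten with that stale value. If this is accepted because the path ends in `int $4`, a comment should say so; otherwise the undo needs a locked subtract of the original addend, which means passing `__i` in as an extra operand. The function also still returns `i + __i`, the wrapped sum, on that path.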
8919 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
8920 }
8921
8922 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8923 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8924 +{
8925 + return atomic64_add_return_unchecked(1, v);
8926 +}
8927 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8928
8929 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8930 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
8931 return cmpxchg(&v->counter, old, new);
8932 }
8933
8934 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8935 +{
8936 + return cmpxchg(&v->counter, old, new);
8937 +}
8938 +
8939 static inline long atomic64_xchg(atomic64_t *v, long new)
8940 {
8941 return xchg(&v->counter, new);
8942 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
8943 */
8944 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8945 {
8946 - long c, old;
8947 + long c, old, new;
8948 c = atomic64_read(v);
8949 for (;;) {
8950 - if (unlikely(c == (u)))
8951 + if (unlikely(c == u))
8952 break;
8953 - old = atomic64_cmpxchg((v), c, c + (a));
8954 +
8955 + asm volatile("add %2,%0\n"
8956 +
8957 +#ifdef CONFIG_PAX_REFCOUNT
8958 + "jno 0f\n"
8959 + "sub %2,%0\n"
8960 + "int $4\n0:\n"
8961 + _ASM_EXTABLE(0b, 0b)
8962 +#endif
8963 +
8964 + : "=r" (new)
8965 + : "0" (c), "ir" (a));
8966 +
8967 + old = atomic64_cmpxchg(v, c, new);
8968 if (likely(old == c))
8969 break;
8970 c = old;
8971 }
8972 - return c != (u);
8973 + return c != u;
8974 }
8975
8976 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
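Review bot: The new asm in atomic64_add_unless takes the addend as `"ir" (a)`, while every other 64-bit add in this file uses `"er"`. `"i"` admits any constant, including one that does not fit a sign-extended 32-bit immediate, which the 64-bit `add` cannot encode; the operand should be `"er" (a)`. Separately, on the overflow path `sub %2,%0` makes `new` equal to `c`, so the following cmpxchg succeeds without changing the counter. If execution resumes after `int $4` (the trap handler is not in this hunk), the function then returns non-zero as though the add had been applied, which deserves either a comment or an explicit return on that path.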
8977 diff -urNp linux-2.6.39.2/arch/x86/include/asm/atomic.h linux-2.6.39.2/arch/x86/include/asm/atomic.h
8978 --- linux-2.6.39.2/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400
8979 +++ linux-2.6.39.2/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400
8980 @@ -22,7 +22,18 @@
8981 */
8982 static inline int atomic_read(const atomic_t *v)
8983 {
8984 - return (*(volatile int *)&(v)->counter);
8985 + return (*(volatile const int *)&(v)->counter);
8986 +}
8987 +
8988 +/**
8989 + * atomic_read_unchecked - read atomic variable
8990 + * @v: pointer of type atomic_unchecked_t
8991 + *
8992 + * Atomically reads the value of @v.
8993 + */
8994 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
8995 +{
8996 + return (*(volatile const int *)&(v)->counter);
8997 }
8998
8999 /**
9000 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
9001 }
9002
9003 /**
9004 + * atomic_set_unchecked - set atomic variable
9005 + * @v: pointer of type atomic_unchecked_t
9006 + * @i: required value
9007 + *
9008 + * Atomically sets the value of @v to @i.
9009 + */
9010 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
9011 +{
9012 + v->counter = i;
9013 +}
9014 +
9015 +/**
9016 * atomic_add - add integer to atomic variable
9017 * @i: integer value to add
9018 * @v: pointer of type atomic_t
9019 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
9020 */
9021 static inline void atomic_add(int i, atomic_t *v)
9022 {
9023 - asm volatile(LOCK_PREFIX "addl %1,%0"
9024 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9025 +
9026 +#ifdef CONFIG_PAX_REFCOUNT
9027 + "jno 0f\n"
9028 + LOCK_PREFIX "subl %1,%0\n"
9029 + "int $4\n0:\n"
9030 + _ASM_EXTABLE(0b, 0b)
9031 +#endif
9032 +
9033 + : "+m" (v->counter)
9034 + : "ir" (i));
9035 +}
9036 +
9037 +/**
9038 + * atomic_add_unchecked - add integer to atomic variable
9039 + * @i: integer value to add
9040 + * @v: pointer of type atomic_unchecked_t
9041 + *
9042 + * Atomically adds @i to @v.
9043 + */
9044 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
9045 +{
9046 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9047 : "+m" (v->counter)
9048 : "ir" (i));
9049 }
9050 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
9051 */
9052 static inline void atomic_sub(int i, atomic_t *v)
9053 {
9054 - asm volatile(LOCK_PREFIX "subl %1,%0"
9055 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9056 +
9057 +#ifdef CONFIG_PAX_REFCOUNT
9058 + "jno 0f\n"
9059 + LOCK_PREFIX "addl %1,%0\n"
9060 + "int $4\n0:\n"
9061 + _ASM_EXTABLE(0b, 0b)
9062 +#endif
9063 +
9064 + : "+m" (v->counter)
9065 + : "ir" (i));
9066 +}
9067 +
9068 +/**
9069 + * atomic_sub_unchecked - subtract integer from atomic variable
9070 + * @i: integer value to subtract
9071 + * @v: pointer of type atomic_unchecked_t
9072 + *
9073 + * Atomically subtracts @i from @v.
9074 + */
9075 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
9076 +{
9077 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9078 : "+m" (v->counter)
9079 : "ir" (i));
9080 }
9081 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
9082 {
9083 unsigned char c;
9084
9085 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
9086 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
9087 +
9088 +#ifdef CONFIG_PAX_REFCOUNT
9089 + "jno 0f\n"
9090 + LOCK_PREFIX "addl %2,%0\n"
9091 + "int $4\n0:\n"
9092 + _ASM_EXTABLE(0b, 0b)
9093 +#endif
9094 +
9095 + "sete %1\n"
9096 : "+m" (v->counter), "=qm" (c)
9097 : "ir" (i) : "memory");
9098 return c;
9099 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
9100 */
9101 static inline void atomic_inc(atomic_t *v)
9102 {
9103 - asm volatile(LOCK_PREFIX "incl %0"
9104 + asm volatile(LOCK_PREFIX "incl %0\n"
9105 +
9106 +#ifdef CONFIG_PAX_REFCOUNT
9107 + "jno 0f\n"
9108 + LOCK_PREFIX "decl %0\n"
9109 + "int $4\n0:\n"
9110 + _ASM_EXTABLE(0b, 0b)
9111 +#endif
9112 +
9113 + : "+m" (v->counter));
9114 +}
9115 +
9116 +/**
9117 + * atomic_inc_unchecked - increment atomic variable
9118 + * @v: pointer of type atomic_unchecked_t
9119 + *
9120 + * Atomically increments @v by 1.
9121 + */
9122 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
9123 +{
9124 + asm volatile(LOCK_PREFIX "incl %0\n"
9125 : "+m" (v->counter));
9126 }
9127
9128 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
9129 */
9130 static inline void atomic_dec(atomic_t *v)
9131 {
9132 - asm volatile(LOCK_PREFIX "decl %0"
9133 + asm volatile(LOCK_PREFIX "decl %0\n"
9134 +
9135 +#ifdef CONFIG_PAX_REFCOUNT
9136 + "jno 0f\n"
9137 + LOCK_PREFIX "incl %0\n"
9138 + "int $4\n0:\n"
9139 + _ASM_EXTABLE(0b, 0b)
9140 +#endif
9141 +
9142 + : "+m" (v->counter));
9143 +}
9144 +
9145 +/**
9146 + * atomic_dec_unchecked - decrement atomic variable
9147 + * @v: pointer of type atomic_unchecked_t
9148 + *
9149 + * Atomically decrements @v by 1.
9150 + */
9151 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
9152 +{
9153 + asm volatile(LOCK_PREFIX "decl %0\n"
9154 : "+m" (v->counter));
9155 }
9156
9157 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
9158 {
9159 unsigned char c;
9160
9161 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
9162 + asm volatile(LOCK_PREFIX "decl %0\n"
9163 +
9164 +#ifdef CONFIG_PAX_REFCOUNT
9165 + "jno 0f\n"
9166 + LOCK_PREFIX "incl %0\n"
9167 + "int $4\n0:\n"
9168 + _ASM_EXTABLE(0b, 0b)
9169 +#endif
9170 +
9171 + "sete %1\n"
9172 : "+m" (v->counter), "=qm" (c)
9173 : : "memory");
9174 return c != 0;
9175 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
9176 {
9177 unsigned char c;
9178
9179 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
9180 + asm volatile(LOCK_PREFIX "incl %0\n"
9181 +
9182 +#ifdef CONFIG_PAX_REFCOUNT
9183 + "jno 0f\n"
9184 + LOCK_PREFIX "decl %0\n"
9185 + "int $4\n0:\n"
9186 + _ASM_EXTABLE(0b, 0b)
9187 +#endif
9188 +
9189 + "sete %1\n"
9190 + : "+m" (v->counter), "=qm" (c)
9191 + : : "memory");
9192 + return c != 0;
9193 +}
9194 +
9195 +/**
9196 + * atomic_inc_and_test_unchecked - increment and test
9197 + * @v: pointer of type atomic_unchecked_t
9198 + *
9199 + * Atomically increments @v by 1
9200 + * and returns true if the result is zero, or false for all
9201 + * other cases.
9202 + */
9203 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
9204 +{
9205 + unsigned char c;
9206 +
9207 + asm volatile(LOCK_PREFIX "incl %0\n"
9208 + "sete %1\n"
9209 : "+m" (v->counter), "=qm" (c)
9210 : : "memory");
9211 return c != 0;
9212 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
9213 {
9214 unsigned char c;
9215
9216 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
9217 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
9218 +
9219 +#ifdef CONFIG_PAX_REFCOUNT
9220 + "jno 0f\n"
9221 + LOCK_PREFIX "subl %2,%0\n"
9222 + "int $4\n0:\n"
9223 + _ASM_EXTABLE(0b, 0b)
9224 +#endif
9225 +
9226 + "sets %1\n"
9227 : "+m" (v->counter), "=qm" (c)
9228 : "ir" (i) : "memory");
9229 return c;
9230 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
9231 #endif
9232 /* Modern 486+ processor */
9233 __i = i;
9234 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
9235 +
9236 +#ifdef CONFIG_PAX_REFCOUNT
9237 + "jno 0f\n"
9238 + "movl %0, %1\n"
9239 + "int $4\n0:\n"
9240 + _ASM_EXTABLE(0b, 0b)
9241 +#endif
9242 +
9243 + : "+r" (i), "+m" (v->counter)
9244 + : : "memory");
9245 + return i + __i;
9246 +
9247 +#ifdef CONFIG_M386
9248 +no_xadd: /* Legacy 386 processor */
9249 + local_irq_save(flags);
9250 + __i = atomic_read(v);
9251 + atomic_set(v, i + __i);
9252 + local_irq_restore(flags);
9253 + return i + __i;
9254 +#endif
9255 +}
9256 +
9257 +/**
9258 + * atomic_add_return_unchecked - add integer and return
9259 + * @v: pointer of type atomic_unchecked_t
9260 + * @i: integer value to add
9261 + *
9262 + * Atomically adds @i to @v and returns @i + @v
9263 + */
9264 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
9265 +{
9266 + int __i;
9267 +#ifdef CONFIG_M386
9268 + unsigned long flags;
9269 + if (unlikely(boot_cpu_data.x86 <= 3))
9270 + goto no_xadd;
9271 +#endif
9272 + /* Modern 486+ processor */
9273 + __i = i;
9274 asm volatile(LOCK_PREFIX "xaddl %0, %1"
9275 : "+r" (i), "+m" (v->counter)
9276 : : "memory");
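Review bot: The overflow undo in the checked atomic_add_return is a plain `movl %0, %1`, whereas every other checked operation in this file reverts with a LOCK-prefixed inverse instruction. After `xaddl` the register holds the old counter value, so the store writes that value back unconditionally and would discard any update another CPU made between the two instructions. Passing the saved `__i` as an extra input operand and undoing with a locked `subl` would keep the revert atomic like the others. Separately, the CONFIG_M386 `no_xadd` path computes `i + __i` with no overflow check at all, so the protection is absent there. The function begins above the hunk.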
9277 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
9278 }
9279
9280 #define atomic_inc_return(v) (atomic_add_return(1, v))
9281 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
9282 +{
9283 + return atomic_add_return_unchecked(1, v);
9284 +}
9285 #define atomic_dec_return(v) (atomic_sub_return(1, v))
9286
9287 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
9288 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
9289 return cmpxchg(&v->counter, old, new);
9290 }
9291
9292 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9293 +{
9294 + return cmpxchg(&v->counter, old, new);
9295 +}
9296 +
9297 static inline int atomic_xchg(atomic_t *v, int new)
9298 {
9299 return xchg(&v->counter, new);
9300 }
9301
9302 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9303 +{
9304 + return xchg(&v->counter, new);
9305 +}
9306 +
9307 /**
9308 * atomic_add_unless - add unless the number is already a given value
9309 * @v: pointer of type atomic_t
9310 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
9311 */
9312 static inline int atomic_add_unless(atomic_t *v, int a, int u)
9313 {
9314 - int c, old;
9315 + int c, old, new;
9316 c = atomic_read(v);
9317 for (;;) {
9318 - if (unlikely(c == (u)))
9319 + if (unlikely(c == u))
9320 break;
9321 - old = atomic_cmpxchg((v), c, c + (a));
9322 +
9323 + asm volatile("addl %2,%0\n"
9324 +
9325 +#ifdef CONFIG_PAX_REFCOUNT
9326 + "jno 0f\n"
9327 + "subl %2,%0\n"
9328 + "int $4\n0:\n"
9329 + _ASM_EXTABLE(0b, 0b)
9330 +#endif
9331 +
9332 + : "=r" (new)
9333 + : "0" (c), "ir" (a));
9334 +
9335 + old = atomic_cmpxchg(v, c, new);
9336 if (likely(old == c))
9337 break;
9338 c = old;
9339 }
9340 - return c != (u);
9341 + return c != u;
9342 }
9343
9344 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
9345
9346 +/**
9347 + * atomic_inc_not_zero_hint - increment if not null
9348 + * @v: pointer of type atomic_t
9349 + * @hint: probable value of the atomic before the increment
9350 + *
9351 + * This version of atomic_inc_not_zero() gives a hint of probable
9352 + * value of the atomic. This helps processor to not read the memory
9353 + * before doing the atomic read/modify/write cycle, lowering
9354 + * number of bus transactions on some arches.
9355 + *
9356 + * Returns: 0 if increment was not done, 1 otherwise.
9357 + */
9358 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
9359 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
9360 +{
9361 + int val, c = hint, new;
9362 +
9363 + /* sanity test, should be removed by compiler if hint is a constant */
9364 + if (!hint)
9365 + return atomic_inc_not_zero(v);
9366 +
9367 + do {
9368 + asm volatile("incl %0\n"
9369 +
9370 +#ifdef CONFIG_PAX_REFCOUNT
9371 + "jno 0f\n"
9372 + "decl %0\n"
9373 + "int $4\n0:\n"
9374 + _ASM_EXTABLE(0b, 0b)
9375 +#endif
9376 +
9377 + : "=r" (new)
9378 + : "0" (c));
9379 +
9380 + val = atomic_cmpxchg(v, c, new);
9381 + if (val == c)
9382 + return 1;
9383 + c = val;
9384 + } while (c);
9385 +
9386 + return 0;
9387 +}
9388 +
9389 /*
9390 * atomic_dec_if_positive - decrement by 1 if old value positive
9391 * @v: pointer of type atomic_t
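Review bot: When the register-local `addl %2,%0` in atomic_add_unless overflows, the undo leaves `new` equal to `c`, so `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function still returns `c != u`, i.e. it reports that the add was performed. atomic_inc_not_zero_hint behaves the same way and returns 1. Callers that treat a non-zero return as "reference taken" will go on to use an object whose count was not raised, so whether this is safe depends on what the overflow handler does to the task, which is not visible on this page. At minimum the kernel-doc should state it, e.g. `/* on overflow the counter is left unchanged but the call still reports success */`.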
9392 diff -urNp linux-2.6.39.2/arch/x86/include/asm/bitops.h linux-2.6.39.2/arch/x86/include/asm/bitops.h
9393 --- linux-2.6.39.2/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400
9394 +++ linux-2.6.39.2/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400
9395 @@ -38,7 +38,7 @@
9396 * a mask operation on a byte.
9397 */
9398 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9399 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9400 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9401 #define CONST_MASK(nr) (1 << ((nr) & 7))
9402
9403 /**
9404 diff -urNp linux-2.6.39.2/arch/x86/include/asm/boot.h linux-2.6.39.2/arch/x86/include/asm/boot.h
9405 --- linux-2.6.39.2/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400
9406 +++ linux-2.6.39.2/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400
9407 @@ -11,10 +11,15 @@
9408 #include <asm/pgtable_types.h>
9409
9410 /* Physical address where kernel should be loaded. */
9411 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9412 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9413 + (CONFIG_PHYSICAL_ALIGN - 1)) \
9414 & ~(CONFIG_PHYSICAL_ALIGN - 1))
9415
9416 +#ifndef __ASSEMBLY__
9417 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
9418 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9419 +#endif
9420 +
9421 /* Minimum kernel alignment, as a power of two */
9422 #ifdef CONFIG_X86_64
9423 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
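Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__`, so any assembly source or linker script that includes this header and still uses the old name loses its definition and must switch to `____LOAD_PHYSICAL_ADDR`; the hunk does not show that those users were converted. The two spellings differ only in the number of leading underscores, and the C one is now a run-time symbol address rather than a compile-time constant, which matters wherever it was used in a constant expression. A comment would make the split explicit, e.g. `/* ____LOAD_PHYSICAL_ADDR: build-time constant; LOAD_PHYSICAL_ADDR: address of a linker-provided symbol, C only */`.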
9424 diff -urNp linux-2.6.39.2/arch/x86/include/asm/cacheflush.h linux-2.6.39.2/arch/x86/include/asm/cacheflush.h
9425 --- linux-2.6.39.2/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
9426 +++ linux-2.6.39.2/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
9427 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
9428 unsigned long pg_flags = pg->flags & _PGMT_MASK;
9429
9430 if (pg_flags == _PGMT_DEFAULT)
9431 - return -1;
9432 + return ~0UL;
9433 else if (pg_flags == _PGMT_WC)
9434 return _PAGE_CACHE_WC;
9435 else if (pg_flags == _PGMT_UC_MINUS)
9436 diff -urNp linux-2.6.39.2/arch/x86/include/asm/cache.h linux-2.6.39.2/arch/x86/include/asm/cache.h
9437 --- linux-2.6.39.2/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
9438 +++ linux-2.6.39.2/arch/x86/include/asm/cache.h 2011-05-22 19:36:30.000000000 -0400
9439 @@ -5,12 +5,13 @@
9440
9441 /* L1 cache line size */
9442 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9443 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9444 +#define L1_CACHE_BYTES (_AC(1,U) << L1_CACHE_SHIFT)
9445
9446 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9447 +#define __read_only __attribute__((__section__(".data..read_only")))
9448
9449 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
9450 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
9451 +#define INTERNODE_CACHE_BYTES (_AC(1,U) << INTERNODE_CACHE_SHIFT)
9452
9453 #ifdef CONFIG_X86_VSMP
9454 #ifdef CONFIG_SMP
9455 diff -urNp linux-2.6.39.2/arch/x86/include/asm/checksum_32.h linux-2.6.39.2/arch/x86/include/asm/checksum_32.h
9456 --- linux-2.6.39.2/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400
9457 +++ linux-2.6.39.2/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400
9458 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9459 int len, __wsum sum,
9460 int *src_err_ptr, int *dst_err_ptr);
9461
9462 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9463 + int len, __wsum sum,
9464 + int *src_err_ptr, int *dst_err_ptr);
9465 +
9466 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9467 + int len, __wsum sum,
9468 + int *src_err_ptr, int *dst_err_ptr);
9469 +
9470 /*
9471 * Note: when you get a NULL pointer exception here this means someone
9472 * passed in an incorrect kernel address to one of these functions.
9473 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9474 int *err_ptr)
9475 {
9476 might_sleep();
9477 - return csum_partial_copy_generic((__force void *)src, dst,
9478 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
9479 len, sum, err_ptr, NULL);
9480 }
9481
9482 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9483 {
9484 might_sleep();
9485 if (access_ok(VERIFY_WRITE, dst, len))
9486 - return csum_partial_copy_generic(src, (__force void *)dst,
9487 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9488 len, sum, NULL, err_ptr);
9489
9490 if (len)
9491 diff -urNp linux-2.6.39.2/arch/x86/include/asm/cpufeature.h linux-2.6.39.2/arch/x86/include/asm/cpufeature.h
9492 --- linux-2.6.39.2/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400
9493 +++ linux-2.6.39.2/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400
9494 @@ -351,7 +351,7 @@ static __always_inline __pure bool __sta
9495 ".section .discard,\"aw\",@progbits\n"
9496 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
9497 ".previous\n"
9498 - ".section .altinstr_replacement,\"ax\"\n"
9499 + ".section .altinstr_replacement,\"a\"\n"
9500 "3: movb $1,%0\n"
9501 "4:\n"
9502 ".previous\n"
9503 diff -urNp linux-2.6.39.2/arch/x86/include/asm/desc_defs.h linux-2.6.39.2/arch/x86/include/asm/desc_defs.h
9504 --- linux-2.6.39.2/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400
9505 +++ linux-2.6.39.2/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400
9506 @@ -31,6 +31,12 @@ struct desc_struct {
9507 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9508 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9509 };
9510 + struct {
9511 + u16 offset_low;
9512 + u16 seg;
9513 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9514 + unsigned offset_high: 16;
9515 + } gate;
9516 };
9517 } __attribute__((packed));
9518
9519 diff -urNp linux-2.6.39.2/arch/x86/include/asm/desc.h linux-2.6.39.2/arch/x86/include/asm/desc.h
9520 --- linux-2.6.39.2/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400
9521 +++ linux-2.6.39.2/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400
9522 @@ -4,6 +4,7 @@
9523 #include <asm/desc_defs.h>
9524 #include <asm/ldt.h>
9525 #include <asm/mmu.h>
9526 +#include <asm/pgtable.h>
9527 #include <linux/smp.h>
9528
9529 static inline void fill_ldt(struct desc_struct *desc,
9530 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9531 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9532 desc->type = (info->read_exec_only ^ 1) << 1;
9533 desc->type |= info->contents << 2;
9534 + desc->type |= info->seg_not_present ^ 1;
9535 desc->s = 1;
9536 desc->dpl = 0x3;
9537 desc->p = info->seg_not_present ^ 1;
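Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the descriptor's accessed bit, for every present segment, but it carries no comment and reads like a duplicate of the `desc->p` assignment below it. Presumably the bit is pre-set so that the CPU never has to write it back into a descriptor table that this patch maps read-only; that should be confirmed and stated, e.g. `/* pre-set the accessed bit so loading the segment never writes the descriptor */`. fill_ldt begins above the hunk.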
9538 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9539 }
9540
9541 extern struct desc_ptr idt_descr;
9542 -extern gate_desc idt_table[];
9543 -
9544 -struct gdt_page {
9545 - struct desc_struct gdt[GDT_ENTRIES];
9546 -} __attribute__((aligned(PAGE_SIZE)));
9547 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9548 +extern gate_desc idt_table[256];
9549
9550 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9551 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9552 {
9553 - return per_cpu(gdt_page, cpu).gdt;
9554 + return cpu_gdt_table[cpu];
9555 }
9556
9557 #ifdef CONFIG_X86_64
9558 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9559 unsigned long base, unsigned dpl, unsigned flags,
9560 unsigned short seg)
9561 {
9562 - gate->a = (seg << 16) | (base & 0xffff);
9563 - gate->b = (base & 0xffff0000) |
9564 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9565 + gate->gate.offset_low = base;
9566 + gate->gate.seg = seg;
9567 + gate->gate.reserved = 0;
9568 + gate->gate.type = type;
9569 + gate->gate.s = 0;
9570 + gate->gate.dpl = dpl;
9571 + gate->gate.p = 1;
9572 + gate->gate.offset_high = base >> 16;
9573 }
9574
9575 #endif
9576 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9577 static inline void native_write_idt_entry(gate_desc *idt, int entry,
9578 const gate_desc *gate)
9579 {
9580 + pax_open_kernel();
9581 memcpy(&idt[entry], gate, sizeof(*gate));
9582 + pax_close_kernel();
9583 }
9584
9585 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9586 const void *desc)
9587 {
9588 + pax_open_kernel();
9589 memcpy(&ldt[entry], desc, 8);
9590 + pax_close_kernel();
9591 }
9592
9593 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
9594 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9595 size = sizeof(struct desc_struct);
9596 break;
9597 }
9598 +
9599 + pax_open_kernel();
9600 memcpy(&gdt[entry], desc, size);
9601 + pax_close_kernel();
9602 }
9603
9604 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9605 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9606
9607 static inline void native_load_tr_desc(void)
9608 {
9609 + pax_open_kernel();
9610 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9611 + pax_close_kernel();
9612 }
9613
9614 static inline void native_load_gdt(const struct desc_ptr *dtr)
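Review bot: native_load_tr_desc now brackets `ltr` with pax_open_kernel()/pax_close_kernel(), which is surprising for what looks like a register load unless the reader knows that `ltr` marks the TSS descriptor busy and therefore writes to the GDT. A one-line comment, `/* ltr sets the busy bit in the GDT's TSS descriptor */`, would explain the window. The same applies to the pairs added around the memcpy calls in native_write_idt_entry, native_write_ldt_entry and native_write_gdt_entry and around the loop in native_load_tls: each is a window in which kernel write protection is presumably lifted. It helps to say what is being written in each window and to keep the bracketed region as small as it is here.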
9615 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9616 unsigned int i;
9617 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9618
9619 + pax_open_kernel();
9620 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9621 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9622 + pax_close_kernel();
9623 }
9624
9625 #define _LDT_empty(info) \
9626 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9627 desc->limit = (limit >> 16) & 0xf;
9628 }
9629
9630 -static inline void _set_gate(int gate, unsigned type, void *addr,
9631 +static inline void _set_gate(int gate, unsigned type, const void *addr,
9632 unsigned dpl, unsigned ist, unsigned seg)
9633 {
9634 gate_desc s;
9635 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9636 * Pentium F0 0F bugfix can have resulted in the mapped
9637 * IDT being write-protected.
9638 */
9639 -static inline void set_intr_gate(unsigned int n, void *addr)
9640 +static inline void set_intr_gate(unsigned int n, const void *addr)
9641 {
9642 BUG_ON((unsigned)n > 0xFF);
9643 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9644 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9645 /*
9646 * This routine sets up an interrupt gate at directory privilege level 3.
9647 */
9648 -static inline void set_system_intr_gate(unsigned int n, void *addr)
9649 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
9650 {
9651 BUG_ON((unsigned)n > 0xFF);
9652 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9653 }
9654
9655 -static inline void set_system_trap_gate(unsigned int n, void *addr)
9656 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
9657 {
9658 BUG_ON((unsigned)n > 0xFF);
9659 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9660 }
9661
9662 -static inline void set_trap_gate(unsigned int n, void *addr)
9663 +static inline void set_trap_gate(unsigned int n, const void *addr)
9664 {
9665 BUG_ON((unsigned)n > 0xFF);
9666 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9667 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9668 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9669 {
9670 BUG_ON((unsigned)n > 0xFF);
9671 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9672 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9673 }
9674
9675 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9676 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9677 {
9678 BUG_ON((unsigned)n > 0xFF);
9679 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9680 }
9681
9682 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9683 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9684 {
9685 BUG_ON((unsigned)n > 0xFF);
9686 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9687 }
9688
9689 +#ifdef CONFIG_X86_32
9690 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9691 +{
9692 + struct desc_struct d;
9693 +
9694 + if (likely(limit))
9695 + limit = (limit - 1UL) >> PAGE_SHIFT;
9696 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
9697 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9698 +}
9699 +#endif
9700 +
9701 #endif /* _ASM_X86_DESC_H */
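Review bot: set_user_cs passes the bare constants `0xFB` and `0xC` to pack_descriptor, and nothing in the hunk says what they encode. Assuming the usual x86 descriptor layout, a comment such as `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4 KiB granularity, 32-bit */` would let a reader check them. Also, when `limit` is 0 the `likely(limit)` branch is skipped and a limit field of 0 is written with what appears to be page granularity, which describes a one-page segment rather than an empty one. If that is the intended meaning of a zero limit it should be stated in a comment.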
9702 diff -urNp linux-2.6.39.2/arch/x86/include/asm/device.h linux-2.6.39.2/arch/x86/include/asm/device.h
9703 --- linux-2.6.39.2/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
9704 +++ linux-2.6.39.2/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
9705 @@ -6,7 +6,7 @@ struct dev_archdata {
9706 void *acpi_handle;
9707 #endif
9708 #ifdef CONFIG_X86_64
9709 -struct dma_map_ops *dma_ops;
9710 + const struct dma_map_ops *dma_ops;
9711 #endif
9712 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
9713 void *iommu; /* hook for IOMMU specific extension */
9714 diff -urNp linux-2.6.39.2/arch/x86/include/asm/dma-mapping.h linux-2.6.39.2/arch/x86/include/asm/dma-mapping.h
9715 --- linux-2.6.39.2/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
9716 +++ linux-2.6.39.2/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
9717 @@ -26,9 +26,9 @@ extern int iommu_merge;
9718 extern struct device x86_dma_fallback_dev;
9719 extern int panic_on_overflow;
9720
9721 -extern struct dma_map_ops *dma_ops;
9722 +extern const struct dma_map_ops *dma_ops;
9723
9724 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9725 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9726 {
9727 #ifdef CONFIG_X86_32
9728 return dma_ops;
9729 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
9730 /* Make sure we keep the same behaviour */
9731 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9732 {
9733 - struct dma_map_ops *ops = get_dma_ops(dev);
9734 + const struct dma_map_ops *ops = get_dma_ops(dev);
9735 if (ops->mapping_error)
9736 return ops->mapping_error(dev, dma_addr);
9737
9738 @@ -115,7 +115,7 @@ static inline void *
9739 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9740 gfp_t gfp)
9741 {
9742 - struct dma_map_ops *ops = get_dma_ops(dev);
9743 + const struct dma_map_ops *ops = get_dma_ops(dev);
9744 void *memory;
9745
9746 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9747 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
9748 static inline void dma_free_coherent(struct device *dev, size_t size,
9749 void *vaddr, dma_addr_t bus)
9750 {
9751 - struct dma_map_ops *ops = get_dma_ops(dev);
9752 + const struct dma_map_ops *ops = get_dma_ops(dev);
9753
9754 WARN_ON(irqs_disabled()); /* for portability */
9755
9756 diff -urNp linux-2.6.39.2/arch/x86/include/asm/e820.h linux-2.6.39.2/arch/x86/include/asm/e820.h
9757 --- linux-2.6.39.2/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400
9758 +++ linux-2.6.39.2/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400
9759 @@ -69,7 +69,7 @@ struct e820map {
9760 #define ISA_START_ADDRESS 0xa0000
9761 #define ISA_END_ADDRESS 0x100000
9762
9763 -#define BIOS_BEGIN 0x000a0000
9764 +#define BIOS_BEGIN 0x000c0000
9765 #define BIOS_END 0x00100000
9766
9767 #define BIOS_ROM_BASE 0xffe00000
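Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no comment, while ISA_START_ADDRESS a few lines up stays at 0xa0000, so two constants that used to describe the same lower bound now disagree silently. Every user of BIOS_BEGIN (none are on this page) will stop treating 0xa0000-0xbffff as part of the BIOS area. A comment such as `/* excludes the legacy video range 0xa0000-0xbffff */` would record that the difference is deliberate.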
9768 diff -urNp linux-2.6.39.2/arch/x86/include/asm/elf.h linux-2.6.39.2/arch/x86/include/asm/elf.h
9769 --- linux-2.6.39.2/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
9770 +++ linux-2.6.39.2/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
9771 @@ -237,7 +237,25 @@ extern int force_personality32;
9772 the loader. We need to make sure that it is out of the way of the program
9773 that it will "exec", and that there is sufficient room for the brk. */
9774
9775 +#ifdef CONFIG_PAX_SEGMEXEC
9776 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9777 +#else
9778 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9779 +#endif
9780 +
9781 +#ifdef CONFIG_PAX_ASLR
9782 +#ifdef CONFIG_X86_32
9783 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9784 +
9785 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9786 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9787 +#else
9788 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
9789 +
9790 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9791 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9792 +#endif
9793 +#endif
9794
9795 /* This yields a mask that user programs can use to figure out what
9796 instruction set this CPU supports. This could be done in user space,
9797 @@ -291,8 +309,7 @@ do { \
9798 #define ARCH_DLINFO \
9799 do { \
9800 if (vdso_enabled) \
9801 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9802 - (unsigned long)current->mm->context.vdso); \
9803 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
9804 } while (0)
9805
9806 #define AT_SYSINFO 32
9807 @@ -303,7 +320,7 @@ do { \
9808
9809 #endif /* !CONFIG_X86_32 */
9810
9811 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9812 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9813
9814 #define VDSO_ENTRY \
9815 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9816 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
9817 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9818 #define compat_arch_setup_additional_pages syscall32_setup_pages
9819
9820 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9821 -#define arch_randomize_brk arch_randomize_brk
9822 -
9823 #endif /* _ASM_X86_ELF_H */
9824 diff -urNp linux-2.6.39.2/arch/x86/include/asm/emergency-restart.h linux-2.6.39.2/arch/x86/include/asm/emergency-restart.h
9825 --- linux-2.6.39.2/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400
9826 +++ linux-2.6.39.2/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400
9827 @@ -15,6 +15,6 @@ enum reboot_type {
9828
9829 extern enum reboot_type reboot_type;
9830
9831 -extern void machine_emergency_restart(void);
9832 +extern void machine_emergency_restart(void) __noreturn;
9833
9834 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9835 diff -urNp linux-2.6.39.2/arch/x86/include/asm/futex.h linux-2.6.39.2/arch/x86/include/asm/futex.h
9836 --- linux-2.6.39.2/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400
9837 +++ linux-2.6.39.2/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400
9838 @@ -12,16 +12,18 @@
9839 #include <asm/system.h>
9840
9841 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9842 + typecheck(u32 *, uaddr); \
9843 asm volatile("1:\t" insn "\n" \
9844 "2:\t.section .fixup,\"ax\"\n" \
9845 "3:\tmov\t%3, %1\n" \
9846 "\tjmp\t2b\n" \
9847 "\t.previous\n" \
9848 _ASM_EXTABLE(1b, 3b) \
9849 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9850 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
9851 : "i" (-EFAULT), "0" (oparg), "1" (0))
9852
9853 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9854 + typecheck(u32 *, uaddr); \
9855 asm volatile("1:\tmovl %2, %0\n" \
9856 "\tmovl\t%0, %3\n" \
9857 "\t" insn "\n" \
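Review bot: Adding `typecheck(u32 *, uaddr);` as a separate statement in front of the `asm volatile` turns __futex_atomic_op1 and __futex_atomic_op2 into two-statement macros, so an unbraced `if (x) __futex_atomic_op1(...)` would guard only the typecheck. The call sites visible further down are `case` bodies, so nothing breaks today, but wrapping each macro body in `do { ... } while (0)` removes the hazard. The new `*(u32 *)____m(uaddr)` operand also casts the result back to a plain `u32 *` with no comment on what ____m() does to the pointer; its definition is not on this page. __futex_atomic_op2 continues past the end of this hunk.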
9858 @@ -34,7 +36,7 @@
9859 _ASM_EXTABLE(1b, 4b) \
9860 _ASM_EXTABLE(2b, 4b) \
9861 : "=&a" (oldval), "=&r" (ret), \
9862 - "+m" (*uaddr), "=&r" (tem) \
9863 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
9864 : "r" (oparg), "i" (-EFAULT), "1" (0))
9865
9866 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9867 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9868
9869 switch (op) {
9870 case FUTEX_OP_SET:
9871 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9872 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9873 break;
9874 case FUTEX_OP_ADD:
9875 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9876 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9877 uaddr, oparg);
9878 break;
9879 case FUTEX_OP_OR:
9880 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
9881 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9882 return -EFAULT;
9883
9884 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
9885 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
9886 "2:\t.section .fixup, \"ax\"\n"
9887 "3:\tmov %3, %0\n"
9888 "\tjmp 2b\n"
9889 "\t.previous\n"
9890 _ASM_EXTABLE(1b, 3b)
9891 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
9892 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9893 : "i" (-EFAULT), "r" (newval), "1" (oldval)
9894 : "memory"
9895 );
9896 diff -urNp linux-2.6.39.2/arch/x86/include/asm/hw_irq.h linux-2.6.39.2/arch/x86/include/asm/hw_irq.h
9897 --- linux-2.6.39.2/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400
9898 +++ linux-2.6.39.2/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400
9899 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
9900 extern void enable_IO_APIC(void);
9901
9902 /* Statistics */
9903 -extern atomic_t irq_err_count;
9904 -extern atomic_t irq_mis_count;
9905 +extern atomic_unchecked_t irq_err_count;
9906 +extern atomic_unchecked_t irq_mis_count;
9907
9908 /* EISA */
9909 extern void eisa_set_level_irq(unsigned int irq);
9910 diff -urNp linux-2.6.39.2/arch/x86/include/asm/i387.h linux-2.6.39.2/arch/x86/include/asm/i387.h
9911 --- linux-2.6.39.2/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400
9912 +++ linux-2.6.39.2/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400
9913 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
9914 {
9915 int err;
9916
9917 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9918 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9919 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9920 +#endif
9921 +
9922 /* See comment in fxsave() below. */
9923 #ifdef CONFIG_AS_FXSAVEQ
9924 asm volatile("1: fxrstorq %[fx]\n\t"
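Review bot: The three-line block that adds PAX_USER_SHADOW_BASE to `fx` when it lies below that base is duplicated verbatim in the fxsave_user hunk that follows, and neither copy says why a low pointer is shifted. A small static inline helper shared by both would remove the duplication and give one place for a comment, e.g. `/* UDEREF on x86-64: access userland through its shadow mapping */` (wording to be confirmed against the UDEREF definition, which is not on this page). The two copies already differ in annotation: this one casts through plain `void *` while fxsave_user uses `void __user *`, and it is worth checking that the difference is intended. fxrstor_checking begins above the hunk.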
9925 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
9926 {
9927 int err;
9928
9929 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9930 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9931 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9932 +#endif
9933 +
9934 /*
9935 * Clear the bytes not touched by the fxsave and reserved
9936 * for the SW usage.
9937 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
9938 #endif /* CONFIG_X86_64 */
9939
9940 /* We need a safe address that is cheap to find and that is already
9941 - in L1 during context switch. The best choices are unfortunately
9942 - different for UP and SMP */
9943 -#ifdef CONFIG_SMP
9944 -#define safe_address (__per_cpu_offset[0])
9945 -#else
9946 -#define safe_address (kstat_cpu(0).cpustat.user)
9947 -#endif
9948 + in L1 during context switch. */
9949 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9950
9951 /*
9952 * These must be called with preempt disabled
9953 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
9954 struct thread_info *me = current_thread_info();
9955 preempt_disable();
9956 if (me->status & TS_USEDFPU)
9957 - __save_init_fpu(me->task);
9958 + __save_init_fpu(current);
9959 else
9960 clts();
9961 }
9962 diff -urNp linux-2.6.39.2/arch/x86/include/asm/io.h linux-2.6.39.2/arch/x86/include/asm/io.h
9963 --- linux-2.6.39.2/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400
9964 +++ linux-2.6.39.2/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400
9965 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
9966
9967 #include <linux/vmalloc.h>
9968
9969 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9970 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9971 +{
9972 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9973 +}
9974 +
9975 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9976 +{
9977 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9978 +}
9979 +
9980 /*
9981 * Convert a virtual cached pointer to an uncached pointer
9982 */
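Review bot: The sum `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range() is computed in unsigned long and can wrap for a large addr or count, in which case the shifted result is a small page number that passes the `x86_phys_bits` bound; `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() has the same shape. An explicit wrap test ahead of each return, such as `if (addr + count + PAGE_SIZE - 1 < addr) return 0;` and `if (pfn + (count >> PAGE_SHIFT) < pfn) return 0;`, would reject those ranges. On a 32-bit build the shifted sum appears unable to reach a limit derived from 32 or more physical bits at all, so the wrap test would be the only effective check there; that depends on the callers, which are outside this hunk.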
9983 diff -urNp linux-2.6.39.2/arch/x86/include/asm/iommu.h linux-2.6.39.2/arch/x86/include/asm/iommu.h
9984 --- linux-2.6.39.2/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
9985 +++ linux-2.6.39.2/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
9986 @@ -1,7 +1,7 @@
9987 #ifndef _ASM_X86_IOMMU_H
9988 #define _ASM_X86_IOMMU_H
9989
9990 -extern struct dma_map_ops nommu_dma_ops;
9991 +extern const struct dma_map_ops nommu_dma_ops;
9992 extern int force_iommu, no_iommu;
9993 extern int iommu_detected;
9994 extern int iommu_pass_through;
9995 diff -urNp linux-2.6.39.2/arch/x86/include/asm/irqflags.h linux-2.6.39.2/arch/x86/include/asm/irqflags.h
9996 --- linux-2.6.39.2/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400
9997 +++ linux-2.6.39.2/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400
9998 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
9999 sti; \
10000 sysexit
10001
10002 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
10003 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
10004 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
10005 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
10006 +
10007 #else
10008 #define INTERRUPT_RETURN iret
10009 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
10010 diff -urNp linux-2.6.39.2/arch/x86/include/asm/kprobes.h linux-2.6.39.2/arch/x86/include/asm/kprobes.h
10011 --- linux-2.6.39.2/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400
10012 +++ linux-2.6.39.2/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400
10013 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
10014 #define RELATIVEJUMP_SIZE 5
10015 #define RELATIVECALL_OPCODE 0xe8
10016 #define RELATIVE_ADDR_SIZE 4
10017 -#define MAX_STACK_SIZE 64
10018 -#define MIN_STACK_SIZE(ADDR) \
10019 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
10020 - THREAD_SIZE - (unsigned long)(ADDR))) \
10021 - ? (MAX_STACK_SIZE) \
10022 - : (((unsigned long)current_thread_info()) + \
10023 - THREAD_SIZE - (unsigned long)(ADDR)))
10024 +#define MAX_STACK_SIZE 64UL
10025 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
10026
10027 #define flush_insn_slot(p) do { } while (0)
10028
10029 diff -urNp linux-2.6.39.2/arch/x86/include/asm/kvm_host.h linux-2.6.39.2/arch/x86/include/asm/kvm_host.h
10030 --- linux-2.6.39.2/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
10031 +++ linux-2.6.39.2/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400
10032 @@ -419,7 +419,7 @@ struct kvm_arch {
10033 unsigned int n_used_mmu_pages;
10034 unsigned int n_requested_mmu_pages;
10035 unsigned int n_max_mmu_pages;
10036 - atomic_t invlpg_counter;
10037 + atomic_unchecked_t invlpg_counter;
10038 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
10039 /*
10040 * Hash table of struct kvm_mmu_page.
10041 @@ -599,7 +599,7 @@ struct kvm_arch_async_pf {
10042 bool direct_map;
10043 };
10044
10045 -extern struct kvm_x86_ops *kvm_x86_ops;
10046 +extern const struct kvm_x86_ops *kvm_x86_ops;
10047
10048 int kvm_mmu_module_init(void);
10049 void kvm_mmu_module_exit(void);
10050 diff -urNp linux-2.6.39.2/arch/x86/include/asm/local.h linux-2.6.39.2/arch/x86/include/asm/local.h
10051 --- linux-2.6.39.2/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400
10052 +++ linux-2.6.39.2/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400
10053 @@ -18,26 +18,58 @@ typedef struct {
10054
10055 static inline void local_inc(local_t *l)
10056 {
10057 - asm volatile(_ASM_INC "%0"
10058 + asm volatile(_ASM_INC "%0\n"
10059 +
10060 +#ifdef CONFIG_PAX_REFCOUNT
10061 + "jno 0f\n"
10062 + _ASM_DEC "%0\n"
10063 + "int $4\n0:\n"
10064 + _ASM_EXTABLE(0b, 0b)
10065 +#endif
10066 +
10067 : "+m" (l->a.counter));
10068 }
10069
10070 static inline void local_dec(local_t *l)
10071 {
10072 - asm volatile(_ASM_DEC "%0"
10073 + asm volatile(_ASM_DEC "%0\n"
10074 +
10075 +#ifdef CONFIG_PAX_REFCOUNT
10076 + "jno 0f\n"
10077 + _ASM_INC "%0\n"
10078 + "int $4\n0:\n"
10079 + _ASM_EXTABLE(0b, 0b)
10080 +#endif
10081 +
10082 : "+m" (l->a.counter));
10083 }
10084
10085 static inline void local_add(long i, local_t *l)
10086 {
10087 - asm volatile(_ASM_ADD "%1,%0"
10088 + asm volatile(_ASM_ADD "%1,%0\n"
10089 +
10090 +#ifdef CONFIG_PAX_REFCOUNT
10091 + "jno 0f\n"
10092 + _ASM_SUB "%1,%0\n"
10093 + "int $4\n0:\n"
10094 + _ASM_EXTABLE(0b, 0b)
10095 +#endif
10096 +
10097 : "+m" (l->a.counter)
10098 : "ir" (i));
10099 }
10100
10101 static inline void local_sub(long i, local_t *l)
10102 {
10103 - asm volatile(_ASM_SUB "%1,%0"
10104 + asm volatile(_ASM_SUB "%1,%0\n"
10105 +
10106 +#ifdef CONFIG_PAX_REFCOUNT
10107 + "jno 0f\n"
10108 + _ASM_ADD "%1,%0\n"
10109 + "int $4\n0:\n"
10110 + _ASM_EXTABLE(0b, 0b)
10111 +#endif
10112 +
10113 : "+m" (l->a.counter)
10114 : "ir" (i));
10115 }
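Review bot: The overflow check added to local_inc(), local_dec(), local_add() and local_sub() is the same `jno 0f` / undo / `int $4` / `_ASM_EXTABLE(0b, 0b)` sequence pasted into each asm statement without a comment, and it recurs in every later hunk of this file. A single macro taking the undo instruction as its argument would keep the copies from drifting apart, and a one-line comment such as `/* PAX_REFCOUNT: on signed overflow undo the update and raise the overflow exception */` would say what the sequence is for. The undo is a second instruction, so the counter briefly holds the overflowed value; whether that window matters to local_t users is not visible here.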
10116 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
10117 {
10118 unsigned char c;
10119
10120 - asm volatile(_ASM_SUB "%2,%0; sete %1"
10121 + asm volatile(_ASM_SUB "%2,%0\n"
10122 +
10123 +#ifdef CONFIG_PAX_REFCOUNT
10124 + "jno 0f\n"
10125 + _ASM_ADD "%2,%0\n"
10126 + "int $4\n0:\n"
10127 + _ASM_EXTABLE(0b, 0b)
10128 +#endif
10129 +
10130 + "sete %1\n"
10131 : "+m" (l->a.counter), "=qm" (c)
10132 : "ir" (i) : "memory");
10133 return c;
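Review bot: With CONFIG_PAX_REFCOUNT the `sete %1` in local_sub_and_test() reads flags from two different instructions depending on the path: the `_ASM_SUB` when `jno` is taken, but the undoing `_ASM_ADD` once the overflow branch resumes at label 0. On the overflow path the result byte therefore describes the restored counter rather than the subtraction, assuming the `int $4` handler returns with the saved flags intact, which this hunk does not show. A comment at the `sete` saying which of the two is intended would help; the same applies to the `sete`/`sets` lines in local_dec_and_test(), local_inc_and_test() and local_add_negative() in the following hunks. The function's signature is above the hunk.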
10134 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
10135 {
10136 unsigned char c;
10137
10138 - asm volatile(_ASM_DEC "%0; sete %1"
10139 + asm volatile(_ASM_DEC "%0\n"
10140 +
10141 +#ifdef CONFIG_PAX_REFCOUNT
10142 + "jno 0f\n"
10143 + _ASM_INC "%0\n"
10144 + "int $4\n0:\n"
10145 + _ASM_EXTABLE(0b, 0b)
10146 +#endif
10147 +
10148 + "sete %1\n"
10149 : "+m" (l->a.counter), "=qm" (c)
10150 : : "memory");
10151 return c != 0;
10152 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
10153 {
10154 unsigned char c;
10155
10156 - asm volatile(_ASM_INC "%0; sete %1"
10157 + asm volatile(_ASM_INC "%0\n"
10158 +
10159 +#ifdef CONFIG_PAX_REFCOUNT
10160 + "jno 0f\n"
10161 + _ASM_DEC "%0\n"
10162 + "int $4\n0:\n"
10163 + _ASM_EXTABLE(0b, 0b)
10164 +#endif
10165 +
10166 + "sete %1\n"
10167 : "+m" (l->a.counter), "=qm" (c)
10168 : : "memory");
10169 return c != 0;
10170 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
10171 {
10172 unsigned char c;
10173
10174 - asm volatile(_ASM_ADD "%2,%0; sets %1"
10175 + asm volatile(_ASM_ADD "%2,%0\n"
10176 +
10177 +#ifdef CONFIG_PAX_REFCOUNT
10178 + "jno 0f\n"
10179 + _ASM_SUB "%2,%0\n"
10180 + "int $4\n0:\n"
10181 + _ASM_EXTABLE(0b, 0b)
10182 +#endif
10183 +
10184 + "sets %1\n"
10185 : "+m" (l->a.counter), "=qm" (c)
10186 : "ir" (i) : "memory");
10187 return c;
10188 @@ -133,7 +201,15 @@ static inline long local_add_return(long
10189 #endif
10190 /* Modern 486+ processor */
10191 __i = i;
10192 - asm volatile(_ASM_XADD "%0, %1;"
10193 + asm volatile(_ASM_XADD "%0, %1\n"
10194 +
10195 +#ifdef CONFIG_PAX_REFCOUNT
10196 + "jno 0f\n"
10197 + _ASM_MOV "%0,%1\n"
10198 + "int $4\n0:\n"
10199 + _ASM_EXTABLE(0b, 0b)
10200 +#endif
10201 +
10202 : "+r" (i), "+m" (l->a.counter)
10203 : : "memory");
10204 return i + __i;
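Review bot: On the overflow path local_add_return() still returns `i + __i`, the wrapped sum, although `_ASM_MOV "%0,%1"` has just written the pre-add value back to the counter, so the caller receives a value the counter does not hold. The rollback is also a plain store issued after the `xadd`, so an update that lands between the two instructions (from an interrupt on the same CPU, for instance) would be overwritten. A comment should state why both are acceptable, or the overflow path should be made to yield a defined result. How the `int $4` handler treats the task is not visible here, and the function begins above the hunk.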
10205 diff -urNp linux-2.6.39.2/arch/x86/include/asm/mce.h linux-2.6.39.2/arch/x86/include/asm/mce.h
10206 --- linux-2.6.39.2/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400
10207 +++ linux-2.6.39.2/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400
10208 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
10209 void mce_notify_process(void);
10210
10211 DECLARE_PER_CPU(struct mce, injectm);
10212 -extern struct file_operations mce_chrdev_ops;
10213 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
10214
10215 /*
10216 * Exception handler
10217 diff -urNp linux-2.6.39.2/arch/x86/include/asm/microcode.h linux-2.6.39.2/arch/x86/include/asm/microcode.h
10218 --- linux-2.6.39.2/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400
10219 +++ linux-2.6.39.2/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400
10220 @@ -12,13 +12,13 @@ struct device;
10221 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
10222
10223 struct microcode_ops {
10224 - enum ucode_state (*request_microcode_user) (int cpu,
10225 + enum ucode_state (* const request_microcode_user) (int cpu,
10226 const void __user *buf, size_t size);
10227
10228 - enum ucode_state (*request_microcode_fw) (int cpu,
10229 + enum ucode_state (* const request_microcode_fw) (int cpu,
10230 struct device *device);
10231
10232 - void (*microcode_fini_cpu) (int cpu);
10233 + void (* const microcode_fini_cpu) (int cpu);
10234
10235 /*
10236 * The generic 'microcode_core' part guarantees that
10237 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
10238 extern struct ucode_cpu_info ucode_cpu_info[];
10239
10240 #ifdef CONFIG_MICROCODE_INTEL
10241 -extern struct microcode_ops * __init init_intel_microcode(void);
10242 +extern const struct microcode_ops * __init init_intel_microcode(void);
10243 #else
10244 -static inline struct microcode_ops * __init init_intel_microcode(void)
10245 +static inline const struct microcode_ops * __init init_intel_microcode(void)
10246 {
10247 return NULL;
10248 }
10249 #endif /* CONFIG_MICROCODE_INTEL */
10250
10251 #ifdef CONFIG_MICROCODE_AMD
10252 -extern struct microcode_ops * __init init_amd_microcode(void);
10253 +extern const struct microcode_ops * __init init_amd_microcode(void);
10254
10255 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
10256 {
10257 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
10258 }
10259
10260 #else
10261 -static inline struct microcode_ops * __init init_amd_microcode(void)
10262 +static inline const struct microcode_ops * __init init_amd_microcode(void)
10263 {
10264 return NULL;
10265 }
10266 diff -urNp linux-2.6.39.2/arch/x86/include/asm/mman.h linux-2.6.39.2/arch/x86/include/asm/mman.h
10267 --- linux-2.6.39.2/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400
10268 +++ linux-2.6.39.2/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400
10269 @@ -5,4 +5,14 @@
10270
10271 #include <asm-generic/mman.h>
10272
10273 +#ifdef __KERNEL__
10274 +#ifndef __ASSEMBLY__
10275 +#ifdef CONFIG_X86_32
10276 +#define arch_mmap_check i386_mmap_check
10277 +int i386_mmap_check(unsigned long addr, unsigned long len,
10278 + unsigned long flags);
10279 +#endif
10280 +#endif
10281 +#endif
10282 +
10283 #endif /* _ASM_X86_MMAN_H */
10284 diff -urNp linux-2.6.39.2/arch/x86/include/asm/mmu_context.h linux-2.6.39.2/arch/x86/include/asm/mmu_context.h
10285 --- linux-2.6.39.2/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400
10286 +++ linux-2.6.39.2/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400
10287 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
10288
10289 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10290 {
10291 +
10292 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10293 + unsigned int i;
10294 + pgd_t *pgd;
10295 +
10296 + pax_open_kernel();
10297 + pgd = get_cpu_pgd(smp_processor_id());
10298 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10299 + if (paravirt_enabled())
10300 + set_pgd(pgd+i, native_make_pgd(0));
10301 + else
10302 + pgd[i] = native_make_pgd(0);
10303 + pax_close_kernel();
10304 +#endif
10305 +
10306 #ifdef CONFIG_SMP
10307 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10308 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
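Review bot: The `for` loop added to enter_lazy_tlb() has an unbraced `if`/`else` as its body and calls `paravirt_enabled()` on every iteration, although nothing inside the loop can change the answer. Bracing the loop body and testing `paravirt_enabled()` once before the loop would read more safely and make later edits less error-prone. The block also needs a one-line comment saying that it zeroes the slots from `USER_PGD_PTRS` up to `2 * USER_PGD_PTRS` in this CPU's PGD and why, since nothing else in the function explains why entering lazy-TLB mode writes page tables. The rest of the function body lies below the hunk.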
10309 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
10310 struct task_struct *tsk)
10311 {
10312 unsigned cpu = smp_processor_id();
10313 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
10314 + int tlbstate = TLBSTATE_OK;
10315 +#endif
10316
10317 if (likely(prev != next)) {
10318 #ifdef CONFIG_SMP
10319 +#ifdef CONFIG_X86_32
10320 + tlbstate = percpu_read(cpu_tlbstate.state);
10321 +#endif
10322 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10323 percpu_write(cpu_tlbstate.active_mm, next);
10324 #endif
10325 cpumask_set_cpu(cpu, mm_cpumask(next));
10326
10327 /* Re-load page tables */
10328 +#ifdef CONFIG_PAX_PER_CPU_PGD
10329 + pax_open_kernel();
10330 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10331 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10332 + pax_close_kernel();
10333 + load_cr3(get_cpu_pgd(cpu));
10334 +#else
10335 load_cr3(next->pgd);
10336 +#endif
10337
10338 /* stop flush ipis for the previous mm */
10339 cpumask_clear_cpu(cpu, mm_cpumask(prev));
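Review bot: `tlbstate` is declared and assigned whenever CONFIG_X86_32 and CONFIG_SMP are set, but its only read, the `else if (unlikely(tlbstate != TLBSTATE_OK))` added further down switch_mm(), is additionally guarded by CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC. A 32-bit SMP build with neither option is left with a variable that is set and never used. Guarding the declaration and the `tlbstate = percpu_read(cpu_tlbstate.state);` assignment with the same condition as the read would keep the three in step. switch_mm() starts above this hunk and continues below it.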
10340 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
10341 */
10342 if (unlikely(prev->context.ldt != next->context.ldt))
10343 load_LDT_nolock(&next->context);
10344 - }
10345 +
10346 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10347 + if (!(__supported_pte_mask & _PAGE_NX)) {
10348 + smp_mb__before_clear_bit();
10349 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10350 + smp_mb__after_clear_bit();
10351 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10352 + }
10353 +#endif
10354 +
10355 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10356 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10357 + prev->context.user_cs_limit != next->context.user_cs_limit))
10358 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10359 #ifdef CONFIG_SMP
10360 + else if (unlikely(tlbstate != TLBSTATE_OK))
10361 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10362 +#endif
10363 +#endif
10364 +
10365 + }
10366 else {
10367 +
10368 +#ifdef CONFIG_PAX_PER_CPU_PGD
10369 + pax_open_kernel();
10370 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10371 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10372 + pax_close_kernel();
10373 + load_cr3(get_cpu_pgd(cpu));
10374 +#endif
10375 +
10376 +#ifdef CONFIG_SMP
10377 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10378 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10379
10380 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
10381 * tlb flush IPI delivery. We must reload CR3
10382 * to make sure to use no freed page tables.
10383 */
10384 +
10385 +#ifndef CONFIG_PAX_PER_CPU_PGD
10386 load_cr3(next->pgd);
10387 +#endif
10388 +
10389 load_LDT_nolock(&next->context);
10390 +
10391 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10392 + if (!(__supported_pte_mask & _PAGE_NX))
10393 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10394 +#endif
10395 +
10396 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10397 +#ifdef CONFIG_PAX_PAGEEXEC
10398 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
10399 +#endif
10400 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10401 +#endif
10402 +
10403 }
10404 - }
10405 #endif
10406 + }
10407 }
10408
10409 #define activate_mm(prev, next) \
10410 diff -urNp linux-2.6.39.2/arch/x86/include/asm/mmu.h linux-2.6.39.2/arch/x86/include/asm/mmu.h
10411 --- linux-2.6.39.2/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400
10412 +++ linux-2.6.39.2/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400
10413 @@ -9,10 +9,22 @@
10414 * we put the segment information here.
10415 */
10416 typedef struct {
10417 - void *ldt;
10418 + struct desc_struct *ldt;
10419 int size;
10420 struct mutex lock;
10421 - void *vdso;
10422 + unsigned long vdso;
10423 +
10424 +#ifdef CONFIG_X86_32
10425 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10426 + unsigned long user_cs_base;
10427 + unsigned long user_cs_limit;
10428 +
10429 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10430 + cpumask_t cpu_user_cs_mask;
10431 +#endif
10432 +
10433 +#endif
10434 +#endif
10435
10436 #ifdef CONFIG_X86_64
10437 /* True if mm supports a task running in 32 bit compatibility mode. */
10438 diff -urNp linux-2.6.39.2/arch/x86/include/asm/module.h linux-2.6.39.2/arch/x86/include/asm/module.h
10439 --- linux-2.6.39.2/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400
10440 +++ linux-2.6.39.2/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400
10441 @@ -5,6 +5,7 @@
10442
10443 #ifdef CONFIG_X86_64
10444 /* X86_64 does not define MODULE_PROC_FAMILY */
10445 +#define MODULE_PROC_FAMILY ""
10446 #elif defined CONFIG_M386
10447 #define MODULE_PROC_FAMILY "386 "
10448 #elif defined CONFIG_M486
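Review bot: The context comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is contradicted by the line this hunk adds directly beneath it, which defines the macro as an empty string. The comment should change with the code, for example `/* X86_64 has no processor-family tag; defined empty so MODULE_ARCH_VERMAGIC can concatenate it */`. The `#elif` chain continues below the hunk.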
10449 @@ -59,8 +60,30 @@
10450 #error unknown processor family
10451 #endif
10452
10453 -#ifdef CONFIG_X86_32
10454 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
10455 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10456 +#define MODULE_PAX_UDEREF "UDEREF "
10457 +#else
10458 +#define MODULE_PAX_UDEREF ""
10459 +#endif
10460 +
10461 +#ifdef CONFIG_PAX_KERNEXEC
10462 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
10463 +#else
10464 +#define MODULE_PAX_KERNEXEC ""
10465 #endif
10466
10467 +#ifdef CONFIG_PAX_REFCOUNT
10468 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
10469 +#else
10470 +#define MODULE_PAX_REFCOUNT ""
10471 +#endif
10472 +
10473 +#ifdef CONFIG_GRKERNSEC
10474 +#define MODULE_GRSEC "GRSECURITY "
10475 +#else
10476 +#define MODULE_GRSEC ""
10477 +#endif
10478 +
10479 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
10480 +
10481 #endif /* _ASM_X86_MODULE_H */
10482 diff -urNp linux-2.6.39.2/arch/x86/include/asm/page_64_types.h linux-2.6.39.2/arch/x86/include/asm/page_64_types.h
10483 --- linux-2.6.39.2/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400
10484 +++ linux-2.6.39.2/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400
10485 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10486
10487 /* duplicated to the one in bootmem.h */
10488 extern unsigned long max_pfn;
10489 -extern unsigned long phys_base;
10490 +extern const unsigned long phys_base;
10491
10492 extern unsigned long __phys_addr(unsigned long);
10493 #define __phys_reloc_hide(x) (x)
10494 diff -urNp linux-2.6.39.2/arch/x86/include/asm/paravirt.h linux-2.6.39.2/arch/x86/include/asm/paravirt.h
10495 --- linux-2.6.39.2/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400
10496 +++ linux-2.6.39.2/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400
10497 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
10498 pv_mmu_ops.set_fixmap(idx, phys, flags);
10499 }
10500
10501 +#ifdef CONFIG_PAX_KERNEXEC
10502 +static inline unsigned long pax_open_kernel(void)
10503 +{
10504 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10505 +}
10506 +
10507 +static inline unsigned long pax_close_kernel(void)
10508 +{
10509 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10510 +}
10511 +#else
10512 +static inline unsigned long pax_open_kernel(void) { return 0; }
10513 +static inline unsigned long pax_close_kernel(void) { return 0; }
10514 +#endif
10515 +
10516 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10517
10518 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
10519 @@ -955,7 +970,7 @@ extern void default_banner(void);
10520
10521 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10522 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10523 -#define PARA_INDIRECT(addr) *%cs:addr
10524 +#define PARA_INDIRECT(addr) *%ss:addr
10525 #endif
10526
10527 #define INTERRUPT_RETURN \
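Review bot: Switching the override in `PARA_INDIRECT` from `%cs` to `%ss` changes the segment through which every indirect paravirt call and jump in the assembly paths fetches its target, and the hunk gives no reason for it. A comment on the define should state the requirement; presumably the ops tables are data and `%cs` is not guaranteed to address them at the same offset under KERNEXEC, but that is inferred rather than shown here and needs confirming by the author. The conditional block this define sits in starts above the hunk.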
10528 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
10529 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10530 CLBR_NONE, \
10531 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10532 +
10533 +#define GET_CR0_INTO_RDI \
10534 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10535 + mov %rax,%rdi
10536 +
10537 +#define SET_RDI_INTO_CR0 \
10538 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10539 +
10540 +#define GET_CR3_INTO_RDI \
10541 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10542 + mov %rax,%rdi
10543 +
10544 +#define SET_RDI_INTO_CR3 \
10545 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10546 +
10547 #endif /* CONFIG_X86_32 */
10548
10549 #endif /* __ASSEMBLY__ */
10550 diff -urNp linux-2.6.39.2/arch/x86/include/asm/paravirt_types.h linux-2.6.39.2/arch/x86/include/asm/paravirt_types.h
10551 --- linux-2.6.39.2/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400
10552 +++ linux-2.6.39.2/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400
10553 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
10554 an mfn. We can tell which is which from the index. */
10555 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10556 phys_addr_t phys, pgprot_t flags);
10557 +
10558 +#ifdef CONFIG_PAX_KERNEXEC
10559 + unsigned long (*pax_open_kernel)(void);
10560 + unsigned long (*pax_close_kernel)(void);
10561 +#endif
10562 +
10563 };
10564
10565 struct arch_spinlock;
10566 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pci_x86.h linux-2.6.39.2/arch/x86/include/asm/pci_x86.h
10567 --- linux-2.6.39.2/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400
10568 +++ linux-2.6.39.2/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400
10569 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
10570 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10571
10572 struct pci_raw_ops {
10573 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10574 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10575 int reg, int len, u32 *val);
10576 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10577 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10578 int reg, int len, u32 val);
10579 };
10580
10581 -extern struct pci_raw_ops *raw_pci_ops;
10582 -extern struct pci_raw_ops *raw_pci_ext_ops;
10583 +extern const struct pci_raw_ops *raw_pci_ops;
10584 +extern const struct pci_raw_ops *raw_pci_ext_ops;
10585
10586 -extern struct pci_raw_ops pci_direct_conf1;
10587 +extern const struct pci_raw_ops pci_direct_conf1;
10588 extern bool port_cf9_safe;
10589
10590 /* arch_initcall level */
10591 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgalloc.h linux-2.6.39.2/arch/x86/include/asm/pgalloc.h
10592 --- linux-2.6.39.2/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400
10593 +++ linux-2.6.39.2/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400
10594 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10595 pmd_t *pmd, pte_t *pte)
10596 {
10597 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10598 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10599 +}
10600 +
10601 +static inline void pmd_populate_user(struct mm_struct *mm,
10602 + pmd_t *pmd, pte_t *pte)
10603 +{
10604 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10605 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10606 }
10607
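Review bot: pmd_populate_kernel() and the new pmd_populate_user() now differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`, and neither has a comment saying which callers must use which. Because the difference is whether the entry carries the user bit, a line above each, such as `/* kernel page tables: no _PAGE_USER */` and `/* page tables backing user mappings: _PAGE_TABLE includes _PAGE_USER */`, would make a wrong choice visible in review. The two bodies are otherwise identical and could share one helper that takes the flag value; the signature of pmd_populate_kernel() starts above the hunk.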
10608 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.2/arch/x86/include/asm/pgtable-2level.h
10609 --- linux-2.6.39.2/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400
10610 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400
10611 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10612
10613 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10614 {
10615 + pax_open_kernel();
10616 *pmdp = pmd;
10617 + pax_close_kernel();
10618 }
10619
10620 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10621 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable_32.h linux-2.6.39.2/arch/x86/include/asm/pgtable_32.h
10622 --- linux-2.6.39.2/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
10623 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
10624 @@ -25,9 +25,6 @@
10625 struct mm_struct;
10626 struct vm_area_struct;
10627
10628 -extern pgd_t swapper_pg_dir[1024];
10629 -extern pgd_t initial_page_table[1024];
10630 -
10631 static inline void pgtable_cache_init(void) { }
10632 static inline void check_pgt_cache(void) { }
10633 void paging_init(void);
10634 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
10635 # include <asm/pgtable-2level.h>
10636 #endif
10637
10638 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10639 +extern pgd_t initial_page_table[PTRS_PER_PGD];
10640 +#ifdef CONFIG_X86_PAE
10641 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10642 +#endif
10643 +
10644 #if defined(CONFIG_HIGHPTE)
10645 #define pte_offset_map(dir, address) \
10646 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
10647 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
10648 /* Clear a kernel PTE and flush it from the TLB */
10649 #define kpte_clear_flush(ptep, vaddr) \
10650 do { \
10651 + pax_open_kernel(); \
10652 pte_clear(&init_mm, (vaddr), (ptep)); \
10653 + pax_close_kernel(); \
10654 __flush_tlb_one((vaddr)); \
10655 } while (0)
10656
10657 @@ -74,6 +79,9 @@ do { \
10658
10659 #endif /* !__ASSEMBLY__ */
10660
10661 +#define HAVE_ARCH_UNMAPPED_AREA
10662 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10663 +
10664 /*
10665 * kern_addr_valid() is (1) for FLATMEM and (0) for
10666 * SPARSEMEM and DISCONTIGMEM
10667 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.2/arch/x86/include/asm/pgtable_32_types.h
10668 --- linux-2.6.39.2/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400
10669 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400
10670 @@ -8,7 +8,7 @@
10671 */
10672 #ifdef CONFIG_X86_PAE
10673 # include <asm/pgtable-3level_types.h>
10674 -# define PMD_SIZE (1UL << PMD_SHIFT)
10675 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10676 # define PMD_MASK (~(PMD_SIZE - 1))
10677 #else
10678 # include <asm/pgtable-2level_types.h>
10679 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10680 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10681 #endif
10682
10683 +#ifdef CONFIG_PAX_KERNEXEC
10684 +#ifndef __ASSEMBLY__
10685 +extern unsigned char MODULES_EXEC_VADDR[];
10686 +extern unsigned char MODULES_EXEC_END[];
10687 +#endif
10688 +#include <asm/boot.h>
10689 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10690 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10691 +#else
10692 +#define ktla_ktva(addr) (addr)
10693 +#define ktva_ktla(addr) (addr)
10694 +#endif
10695 +
10696 #define MODULES_VADDR VMALLOC_START
10697 #define MODULES_END VMALLOC_END
10698 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
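Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` in the CONFIG_PAX_KERNEXEC branch expand `addr` without parentheses, so an argument containing an operator of lower precedence than `+` or `-` (a conditional or a shift, for example) is regrouped by the expansion. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A short comment spelling out what the two address forms are would help as well, since the abbreviations are not explained anywhere in this file section.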
10699 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.2/arch/x86/include/asm/pgtable-3level.h
10700 --- linux-2.6.39.2/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400
10701 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400
10702 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10703
10704 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10705 {
10706 + pax_open_kernel();
10707 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10708 + pax_close_kernel();
10709 }
10710
10711 static inline void native_set_pud(pud_t *pudp, pud_t pud)
10712 {
10713 + pax_open_kernel();
10714 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10715 + pax_close_kernel();
10716 }
10717
10718 /*
10719 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable_64.h linux-2.6.39.2/arch/x86/include/asm/pgtable_64.h
10720 --- linux-2.6.39.2/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400
10721 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400
10722 @@ -16,10 +16,13 @@
10723
10724 extern pud_t level3_kernel_pgt[512];
10725 extern pud_t level3_ident_pgt[512];
10726 +extern pud_t level3_vmalloc_pgt[512];
10727 +extern pud_t level3_vmemmap_pgt[512];
10728 +extern pud_t level2_vmemmap_pgt[512];
10729 extern pmd_t level2_kernel_pgt[512];
10730 extern pmd_t level2_fixmap_pgt[512];
10731 -extern pmd_t level2_ident_pgt[512];
10732 -extern pgd_t init_level4_pgt[];
10733 +extern pmd_t level2_ident_pgt[512*2];
10734 +extern pgd_t init_level4_pgt[512];
10735
10736 #define swapper_pg_dir init_level4_pgt
10737
10738 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
10739
10740 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10741 {
10742 + pax_open_kernel();
10743 *pmdp = pmd;
10744 + pax_close_kernel();
10745 }
10746
10747 static inline void native_pmd_clear(pmd_t *pmd)
10748 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
10749
10750 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10751 {
10752 + pax_open_kernel();
10753 *pgdp = pgd;
10754 + pax_close_kernel();
10755 }
10756
10757 static inline void native_pgd_clear(pgd_t *pgd)
10758 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.2/arch/x86/include/asm/pgtable_64_types.h
10759 --- linux-2.6.39.2/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400
10760 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400
10761 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10762 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10763 #define MODULES_END _AC(0xffffffffff000000, UL)
10764 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10765 +#define MODULES_EXEC_VADDR MODULES_VADDR
10766 +#define MODULES_EXEC_END MODULES_END
10767 +
10768 +#define ktla_ktva(addr) (addr)
10769 +#define ktva_ktla(addr) (addr)
10770
10771 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10772 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable.h linux-2.6.39.2/arch/x86/include/asm/pgtable.h
10773 --- linux-2.6.39.2/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
10774 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
10775 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
10776
10777 #define arch_end_context_switch(prev) do {} while(0)
10778
10779 +#define pax_open_kernel() native_pax_open_kernel()
10780 +#define pax_close_kernel() native_pax_close_kernel()
10781 #endif /* CONFIG_PARAVIRT */
10782
10783 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10784 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10785 +
10786 +#ifdef CONFIG_PAX_KERNEXEC
10787 +static inline unsigned long native_pax_open_kernel(void)
10788 +{
10789 + unsigned long cr0;
10790 +
10791 + preempt_disable();
10792 + barrier();
10793 + cr0 = read_cr0() ^ X86_CR0_WP;
10794 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10795 + write_cr0(cr0);
10796 + return cr0 ^ X86_CR0_WP;
10797 +}
10798 +
10799 +static inline unsigned long native_pax_close_kernel(void)
10800 +{
10801 + unsigned long cr0;
10802 +
10803 + cr0 = read_cr0() ^ X86_CR0_WP;
10804 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10805 + write_cr0(cr0);
10806 + barrier();
10807 + preempt_enable_no_resched();
10808 + return cr0 ^ X86_CR0_WP;
10809 +}
10810 +#else
10811 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10812 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10813 +#endif
10814 +
10815 /*
10816 * The following only work if pte_present() is true.
10817 * Undefined behaviour if not..
10818 */
10819 +static inline int pte_user(pte_t pte)
10820 +{
10821 + return pte_val(pte) & _PAGE_USER;
10822 +}
10823 +
10824 static inline int pte_dirty(pte_t pte)
10825 {
10826 return pte_flags(pte) & _PAGE_DIRTY;
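Review bot: `native_pax_open_kernel()` clears CR0.WP with only `preempt_disable()` around it, so as far as this hunk shows interrupts stay enabled and a handler that runs between open and close executes with write protection off; a handler that itself called `pax_open_kernel()` would hit the `BUG_ON`, because WP is already clear. Neither helper carries a comment, so the pairing and non-nesting rules are implicit. I would add above the pair `/* Toggle CR0.WP around a short write to read-only kernel data. Calls must be strictly paired and never nested; preemption is off in between, interrupts are not. */`. Separately, the new `pte_user()` reads `pte_val(pte)` while its neighbour `pte_dirty()` uses `pte_flags(pte)`; `return pte_flags(pte) & _PAGE_USER;` would match the file's style, assuming both accessors agree on the flag bits.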
10827 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
10828 return pte_clear_flags(pte, _PAGE_RW);
10829 }
10830
10831 +static inline pte_t pte_mkread(pte_t pte)
10832 +{
10833 + return __pte(pte_val(pte) | _PAGE_USER);
10834 +}
10835 +
10836 static inline pte_t pte_mkexec(pte_t pte)
10837 {
10838 - return pte_clear_flags(pte, _PAGE_NX);
10839 +#ifdef CONFIG_X86_PAE
10840 + if (__supported_pte_mask & _PAGE_NX)
10841 + return pte_clear_flags(pte, _PAGE_NX);
10842 + else
10843 +#endif
10844 + return pte_set_flags(pte, _PAGE_USER);
10845 +}
10846 +
10847 +static inline pte_t pte_exprotect(pte_t pte)
10848 +{
10849 +#ifdef CONFIG_X86_PAE
10850 + if (__supported_pte_mask & _PAGE_NX)
10851 + return pte_set_flags(pte, _PAGE_NX);
10852 + else
10853 +#endif
10854 + return pte_clear_flags(pte, _PAGE_USER);
10855 }
10856
10857 static inline pte_t pte_mkdirty(pte_t pte)
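Review bot: In `pte_mkexec()` and `pte_exprotect()` the `else` sits inside `#ifdef CONFIG_X86_PAE` and binds to a `return` outside it, which is easy to break when either branch is edited; a plain `if (...) return ...;` followed by the fallback `return` behaves the same and needs no dangling `else`. The fallback makes the exec permission depend on `_PAGE_USER` when NX is not in `__supported_pte_mask`, and nothing in the hunk says so; a comment such as `/* no hardware NX: _PAGE_USER stands in for the exec permission */` would help, if that is indeed the intent. `pte_mkread()` builds its value with `__pte(pte_val(pte) | _PAGE_USER)` where the other helpers use `pte_set_flags()`, so `return pte_set_flags(pte, _PAGE_USER);` would be consistent.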
10858 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
10859 #endif
10860
10861 #ifndef __ASSEMBLY__
10862 +
10863 +#ifdef CONFIG_PAX_PER_CPU_PGD
10864 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10865 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10866 +{
10867 + return cpu_pgd[cpu];
10868 +}
10869 +#endif
10870 +
10871 #include <linux/mm_types.h>
10872
10873 static inline int pte_none(pte_t pte)
10874 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
10875
10876 static inline int pgd_bad(pgd_t pgd)
10877 {
10878 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10879 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10880 }
10881
10882 static inline int pgd_none(pgd_t pgd)
10883 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
10884 * pgd_offset() returns a (pgd_t *)
10885 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10886 */
10887 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10888 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10889 +
10890 +#ifdef CONFIG_PAX_PER_CPU_PGD
10891 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10892 +#endif
10893 +
10894 /*
10895 * a shortcut which implies the use of the kernel's pgd, instead
10896 * of a process's
10897 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
10898 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10899 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10900
10901 +#ifdef CONFIG_X86_32
10902 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10903 +#else
10904 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10905 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10906 +
10907 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10908 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10909 +#else
10910 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10911 +#endif
10912 +
10913 +#endif
10914 +
10915 #ifndef __ASSEMBLY__
10916
10917 extern int direct_gbpages;
10918 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
10919 * dst and src can be on the same page, but the range must not overlap,
10920 * and must not cross a page boundary.
10921 */
10922 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10923 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10924 {
10925 - memcpy(dst, src, count * sizeof(pgd_t));
10926 + pax_open_kernel();
10927 + while (count--)
10928 + *dst++ = *src++;
10929 + pax_close_kernel();
10930 }
10931
10932 +#ifdef CONFIG_PAX_PER_CPU_PGD
10933 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10934 +#endif
10935 +
10936 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10937 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10938 +#else
10939 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10940 +#endif
10941
10942 #include <asm-generic/pgtable.h>
10943 #endif /* __ASSEMBLY__ */
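Review bot: The copy loop in `clone_pgd_range()` is `while (count--)` on a signed `int`, so a zero count is fine but a negative one keeps writing through `dst` until the counter wraps, and it does so between `pax_open_kernel()` and `pax_close_kernel()`. `while (count-- > 0)` bounds it at no cost. The reason `memcpy()` was replaced by an element-wise loop is not stated anywhere in the hunk; a one-line comment would keep a later cleanup from switching it back.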
10944 diff -urNp linux-2.6.39.2/arch/x86/include/asm/pgtable_types.h linux-2.6.39.2/arch/x86/include/asm/pgtable_types.h
10945 --- linux-2.6.39.2/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400
10946 +++ linux-2.6.39.2/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400
10947 @@ -16,13 +16,12 @@
10948 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10949 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10950 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10951 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10952 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10953 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10954 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10955 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10956 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10957 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10958 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
10959 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10960 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
10961 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10962
10963 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10964 @@ -40,7 +39,6 @@
10965 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10966 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10967 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10968 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10969 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10970 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10971 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10972 @@ -57,8 +55,10 @@
10973
10974 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10975 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10976 -#else
10977 +#elif defined(CONFIG_KMEMCHECK)
10978 #define _PAGE_NX (_AT(pteval_t, 0))
10979 +#else
10980 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10981 #endif
10982
10983 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
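Review bot: The new `#else` branch defines `_PAGE_NX` as bit `_PAGE_BIT_HIDDEN` on builds that have neither 64-bit/PAE nor kmemcheck, so the same name is the hardware NX bit in one configuration and a software-only bit in another, and no comment says so. The `#elif defined(CONFIG_KMEMCHECK)` case is presumably there because kmemcheck already owns that bit (`_PAGE_BIT_HIDDEN` is annotated "hidden by kmemcheck" earlier in this file). I would add `/* no hardware NX here: reuse the kmemcheck software bit as a software-only NX marker */` above the last `#define`.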
10984 @@ -96,6 +96,9 @@
10985 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10986 _PAGE_ACCESSED)
10987
10988 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
10989 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
10990 +
10991 #define __PAGE_KERNEL_EXEC \
10992 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
10993 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
10994 @@ -106,8 +109,8 @@
10995 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
10996 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
10997 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
10998 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
10999 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
11000 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
11001 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
11002 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
11003 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
11004 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
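Review bot: `__PAGE_KERNEL_VSYSCALL_NOCACHE` now repeats the flag list instead of building on `__PAGE_KERNEL_VSYSCALL` as the removed line did, so the two definitions can drift apart. `#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)` expands to the same bits. The switch from `__PAGE_KERNEL_RX` to `__PAGE_KERNEL_RO` also deserves a comment, since whether the vsyscall page stays executable depends on how `__PAGE_KERNEL_RO` is defined outside this hunk.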
11005 @@ -166,8 +169,8 @@
11006 * bits are combined, this will alow user to access the high address mapped
11007 * VDSO in the presence of CONFIG_COMPAT_VDSO
11008 */
11009 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
11010 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
11011 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11012 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11013 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
11014 #endif
11015
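Review bot: The context comment just above these defines still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, but `PDE_IDENT_ATTR` no longer carries USER, so that sentence looks stale; the comment starts outside the hunk, so this is judged from its two visible lines only. Either update it or state next to the defines that the mapping is now supervisor-only, e.g. `/* early identity mapping: no USER bit at either level */`. With both values equal to `0x063`, defining `PDE_IDENT_ATTR` as `PTE_IDENT_ATTR` would also make the intended equality explicit.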
11016 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
11017 {
11018 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
11019 }
11020 +#endif
11021
11022 +#if PAGETABLE_LEVELS == 3
11023 +#include <asm-generic/pgtable-nopud.h>
11024 +#endif
11025 +
11026 +#if PAGETABLE_LEVELS == 2
11027 +#include <asm-generic/pgtable-nopmd.h>
11028 +#endif
11029 +
11030 +#ifndef __ASSEMBLY__
11031 #if PAGETABLE_LEVELS > 3
11032 typedef struct { pudval_t pud; } pud_t;
11033
11034 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
11035 return pud.pud;
11036 }
11037 #else
11038 -#include <asm-generic/pgtable-nopud.h>
11039 -
11040 static inline pudval_t native_pud_val(pud_t pud)
11041 {
11042 return native_pgd_val(pud.pgd);
11043 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
11044 return pmd.pmd;
11045 }
11046 #else
11047 -#include <asm-generic/pgtable-nopmd.h>
11048 -
11049 static inline pmdval_t native_pmd_val(pmd_t pmd)
11050 {
11051 return native_pgd_val(pmd.pud.pgd);
11052 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
11053
11054 extern pteval_t __supported_pte_mask;
11055 extern void set_nx(void);
11056 -extern int nx_enabled;
11057
11058 #define pgprot_writecombine pgprot_writecombine
11059 extern pgprot_t pgprot_writecombine(pgprot_t prot);
11060 diff -urNp linux-2.6.39.2/arch/x86/include/asm/processor.h linux-2.6.39.2/arch/x86/include/asm/processor.h
11061 --- linux-2.6.39.2/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400
11062 +++ linux-2.6.39.2/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400
11063 @@ -266,7 +266,7 @@ struct tss_struct {
11064
11065 } ____cacheline_aligned;
11066
11067 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
11068 +extern struct tss_struct init_tss[NR_CPUS];
11069
11070 /*
11071 * Save the original ist values for checking stack pointers during debugging
11072 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
11073 */
11074 #define TASK_SIZE PAGE_OFFSET
11075 #define TASK_SIZE_MAX TASK_SIZE
11076 +
11077 +#ifdef CONFIG_PAX_SEGMEXEC
11078 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
11079 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
11080 +#else
11081 #define STACK_TOP TASK_SIZE
11082 -#define STACK_TOP_MAX STACK_TOP
11083 +#endif
11084 +
11085 +#define STACK_TOP_MAX TASK_SIZE
11086
11087 #define INIT_THREAD { \
11088 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11089 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11090 .vm86_info = NULL, \
11091 .sysenter_cs = __KERNEL_CS, \
11092 .io_bitmap_ptr = NULL, \
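Review bot: The `- 8` added to `.sp0` in `INIT_THREAD` is an unexplained literal, and the same adjustment is repeated in `INIT_TSS` in the next hunk and as `- 16` in the 64-bit `INIT_THREAD`/`INIT_TSS` further down. One named constant per architecture (placeholder name: `KERNEL_STACK_TOP_RESERVE`) with a single comment on why the bytes are reserved would keep the four sites in step. Separately, `STACK_TOP` under CONFIG_PAX_SEGMEXEC dereferences `current->mm` unconditionally; if the macro can be evaluated where `current->mm` is NULL that is a fault, which the callers outside this hunk would have to rule out.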
11093 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
11094 */
11095 #define INIT_TSS { \
11096 .x86_tss = { \
11097 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11098 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11099 .ss0 = __KERNEL_DS, \
11100 .ss1 = __KERNEL_CS, \
11101 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
11102 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
11103 extern unsigned long thread_saved_pc(struct task_struct *tsk);
11104
11105 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
11106 -#define KSTK_TOP(info) \
11107 -({ \
11108 - unsigned long *__ptr = (unsigned long *)(info); \
11109 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
11110 -})
11111 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
11112
11113 /*
11114 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
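Review bot: `KSTK_TOP(info)` used to work on any pointer to the base of the stack area; it now requires `info` to be the `tinfo` member of a `task_struct`, and a caller that still passes a stack-page pointer would get an address computed from the wrong base. The argument is also passed to `container_of()` unparenthesised. The context comment "The below -8 is to reserve 8 bytes on top of the ring0 stack", which begins on the last line of this hunk and continues outside it, refers to a subtraction that the next hunk removes from `task_pt_regs()`, so it should be reworded to say the reserve is now folded into `thread.sp0`.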
11115 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
11116 #define task_pt_regs(task) \
11117 ({ \
11118 struct pt_regs *__regs__; \
11119 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
11120 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
11121 __regs__ - 1; \
11122 })
11123
11124 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
11125 /*
11126 * User space process size. 47bits minus one guard page.
11127 */
11128 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
11129 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
11130
11131 /* This decides where the kernel will search for a free chunk of vm
11132 * space during mmap's.
11133 */
11134 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
11135 - 0xc0000000 : 0xFFFFe000)
11136 + 0xc0000000 : 0xFFFFf000)
11137
11138 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
11139 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
11140 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
11141 #define STACK_TOP_MAX TASK_SIZE_MAX
11142
11143 #define INIT_THREAD { \
11144 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11145 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11146 }
11147
11148 #define INIT_TSS { \
11149 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11150 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11151 }
11152
11153 /*
11154 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
11155 */
11156 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
11157
11158 +#ifdef CONFIG_PAX_SEGMEXEC
11159 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
11160 +#endif
11161 +
11162 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
11163
11164 /* Get/set a process' ability to use the timestamp counter instruction */
11165 diff -urNp linux-2.6.39.2/arch/x86/include/asm/ptrace.h linux-2.6.39.2/arch/x86/include/asm/ptrace.h
11166 --- linux-2.6.39.2/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400
11167 +++ linux-2.6.39.2/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400
11168 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
11169 }
11170
11171 /*
11172 - * user_mode_vm(regs) determines whether a register set came from user mode.
11173 + * user_mode(regs) determines whether a register set came from user mode.
11174 * This is true if V8086 mode was enabled OR if the register set was from
11175 * protected mode with RPL-3 CS value. This tricky test checks that with
11176 * one comparison. Many places in the kernel can bypass this full check
11177 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
11178 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
11179 + * be used.
11180 */
11181 -static inline int user_mode(struct pt_regs *regs)
11182 +static inline int user_mode_novm(struct pt_regs *regs)
11183 {
11184 #ifdef CONFIG_X86_32
11185 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
11186 #else
11187 - return !!(regs->cs & 3);
11188 + return !!(regs->cs & SEGMENT_RPL_MASK);
11189 #endif
11190 }
11191
11192 -static inline int user_mode_vm(struct pt_regs *regs)
11193 +static inline int user_mode(struct pt_regs *regs)
11194 {
11195 #ifdef CONFIG_X86_32
11196 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
11197 USER_RPL;
11198 #else
11199 - return user_mode(regs);
11200 + return user_mode_novm(regs);
11201 #endif
11202 }
11203
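Review bot: The block comment was reworded to describe `user_mode(regs)`, but it still sits directly above `user_mode_novm()`, and `user_mode()` itself has no comment. Because the name `user_mode` survives while its meaning changes to the full check (RPL or V8086), a reader needs that stated on the function: move the comment down to `user_mode()` and give `user_mode_novm()` its own line, e.g. `/* RPL test only; the caller must already have ruled out V8086 mode */`.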
11204 diff -urNp linux-2.6.39.2/arch/x86/include/asm/reboot.h linux-2.6.39.2/arch/x86/include/asm/reboot.h
11205 --- linux-2.6.39.2/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400
11206 +++ linux-2.6.39.2/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400
11207 @@ -6,19 +6,19 @@
11208 struct pt_regs;
11209
11210 struct machine_ops {
11211 - void (*restart)(char *cmd);
11212 - void (*halt)(void);
11213 - void (*power_off)(void);
11214 + void (* __noreturn restart)(char *cmd);
11215 + void (* __noreturn halt)(void);
11216 + void (* __noreturn power_off)(void);
11217 void (*shutdown)(void);
11218 void (*crash_shutdown)(struct pt_regs *);
11219 - void (*emergency_restart)(void);
11220 + void (* __noreturn emergency_restart)(void);
11221 };
11222
11223 extern struct machine_ops machine_ops;
11224
11225 void native_machine_crash_shutdown(struct pt_regs *regs);
11226 void native_machine_shutdown(void);
11227 -void machine_real_restart(unsigned int type);
11228 +void machine_real_restart(unsigned int type) __noreturn;
11229 /* These must match dispatch_table in reboot_32.S */
11230 #define MRR_BIOS 0
11231 #define MRR_APM 1
11232 diff -urNp linux-2.6.39.2/arch/x86/include/asm/rwsem.h linux-2.6.39.2/arch/x86/include/asm/rwsem.h
11233 --- linux-2.6.39.2/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400
11234 +++ linux-2.6.39.2/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400
11235 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
11236 {
11237 asm volatile("# beginning down_read\n\t"
11238 LOCK_PREFIX _ASM_INC "(%1)\n\t"
11239 +
11240 +#ifdef CONFIG_PAX_REFCOUNT
11241 + "jno 0f\n"
11242 + LOCK_PREFIX _ASM_DEC "(%1)\n"
11243 + "int $4\n0:\n"
11244 + _ASM_EXTABLE(0b, 0b)
11245 +#endif
11246 +
11247 /* adds 0x00000001 */
11248 " jns 1f\n"
11249 " call call_rwsem_down_read_failed\n"
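Review bot: The CONFIG_PAX_REFCOUNT sequence added here (`jno 0f`, an undo instruction, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into every rwsem primitive in this file and again into the rwlock helpers in spinlock.h, differing only in the undo instruction. A single macro taking the undo instruction as its argument would remove the repetition and give one place for the missing comment, e.g. `/* on signed overflow: undo the update and trap via int $4; the extable entry presumably tells the handler where to resume */`. The asm statement of `__down_read()` continues past the end of this hunk.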
11250 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
11251 "1:\n\t"
11252 " mov %1,%2\n\t"
11253 " add %3,%2\n\t"
11254 +
11255 +#ifdef CONFIG_PAX_REFCOUNT
11256 + "jno 0f\n"
11257 + "sub %3,%2\n"
11258 + "int $4\n0:\n"
11259 + _ASM_EXTABLE(0b, 0b)
11260 +#endif
11261 +
11262 " jle 2f\n\t"
11263 LOCK_PREFIX " cmpxchg %2,%0\n\t"
11264 " jnz 1b\n\t"
11265 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
11266 long tmp;
11267 asm volatile("# beginning down_write\n\t"
11268 LOCK_PREFIX " xadd %1,(%2)\n\t"
11269 +
11270 +#ifdef CONFIG_PAX_REFCOUNT
11271 + "jno 0f\n"
11272 + "mov %1,(%2)\n"
11273 + "int $4\n0:\n"
11274 + _ASM_EXTABLE(0b, 0b)
11275 +#endif
11276 +
11277 /* adds 0xffff0001, returns the old value */
11278 " test %1,%1\n\t"
11279 /* was the count 0 before? */
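Review bot: The overflow undo after `LOCK_PREFIX " xadd %1,(%2)"` is a plain `mov %1,(%2)`, which stores the old value back without a lock prefix and is not atomic with the `xadd`; an update made by another CPU in between would be overwritten. The inc/add variants in this file undo with a locked inverse operation instead. The same `mov` undo appears in `__up_read()`, `__up_write()` and `rwsem_atomic_update()`. If the `int $4` handler never lets the task continue this may not matter in practice, but that handler is outside the hunk, so the assumption should be written down in a comment here.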
11280 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
11281 long tmp;
11282 asm volatile("# beginning __up_read\n\t"
11283 LOCK_PREFIX " xadd %1,(%2)\n\t"
11284 +
11285 +#ifdef CONFIG_PAX_REFCOUNT
11286 + "jno 0f\n"
11287 + "mov %1,(%2)\n"
11288 + "int $4\n0:\n"
11289 + _ASM_EXTABLE(0b, 0b)
11290 +#endif
11291 +
11292 /* subtracts 1, returns the old value */
11293 " jns 1f\n\t"
11294 " call call_rwsem_wake\n" /* expects old value in %edx */
11295 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
11296 long tmp;
11297 asm volatile("# beginning __up_write\n\t"
11298 LOCK_PREFIX " xadd %1,(%2)\n\t"
11299 +
11300 +#ifdef CONFIG_PAX_REFCOUNT
11301 + "jno 0f\n"
11302 + "mov %1,(%2)\n"
11303 + "int $4\n0:\n"
11304 + _ASM_EXTABLE(0b, 0b)
11305 +#endif
11306 +
11307 /* subtracts 0xffff0001, returns the old value */
11308 " jns 1f\n\t"
11309 " call call_rwsem_wake\n" /* expects old value in %edx */
11310 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
11311 {
11312 asm volatile("# beginning __downgrade_write\n\t"
11313 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11314 +
11315 +#ifdef CONFIG_PAX_REFCOUNT
11316 + "jno 0f\n"
11317 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11318 + "int $4\n0:\n"
11319 + _ASM_EXTABLE(0b, 0b)
11320 +#endif
11321 +
11322 /*
11323 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11324 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11325 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
11326 */
11327 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
11328 {
11329 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11330 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11331 +
11332 +#ifdef CONFIG_PAX_REFCOUNT
11333 + "jno 0f\n"
11334 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
11335 + "int $4\n0:\n"
11336 + _ASM_EXTABLE(0b, 0b)
11337 +#endif
11338 +
11339 : "+m" (sem->count)
11340 : "er" (delta));
11341 }
11342 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
11343 {
11344 long tmp = delta;
11345
11346 - asm volatile(LOCK_PREFIX "xadd %0,%1"
11347 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11348 +
11349 +#ifdef CONFIG_PAX_REFCOUNT
11350 + "jno 0f\n"
11351 + "mov %0,%1\n"
11352 + "int $4\n0:\n"
11353 + _ASM_EXTABLE(0b, 0b)
11354 +#endif
11355 +
11356 : "+r" (tmp), "+m" (sem->count)
11357 : : "memory");
11358
11359 diff -urNp linux-2.6.39.2/arch/x86/include/asm/segment.h linux-2.6.39.2/arch/x86/include/asm/segment.h
11360 --- linux-2.6.39.2/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400
11361 +++ linux-2.6.39.2/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400
11362 @@ -64,8 +64,8 @@
11363 * 26 - ESPFIX small SS
11364 * 27 - per-cpu [ offset to per-cpu data area ]
11365 * 28 - stack_canary-20 [ for stack protector ]
11366 - * 29 - unused
11367 - * 30 - unused
11368 + * 29 - PCI BIOS CS
11369 + * 30 - PCI BIOS DS
11370 * 31 - TSS for double fault handler
11371 */
11372 #define GDT_ENTRY_TLS_MIN 6
11373 @@ -79,6 +79,8 @@
11374
11375 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
11376
11377 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11378 +
11379 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
11380
11381 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
11382 @@ -104,6 +106,12 @@
11383 #define __KERNEL_STACK_CANARY 0
11384 #endif
11385
11386 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
11387 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11388 +
11389 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
11390 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11391 +
11392 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11393
11394 /*
11395 @@ -141,7 +149,7 @@
11396 */
11397
11398 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11399 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11400 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11401
11402
11403 #else
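Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands `x` twice where the old form expanded it once, so an argument with side effects is now evaluated twice. The comment above it still says PNP_CS32 and PNP_CS16 "must be consecutive", which the explicit two-way comparison no longer relies on. A `static inline` taking the selector by value would avoid the double evaluation, provided the macro is not used from assembly; otherwise update the comment and note the double expansion there.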
11404 @@ -165,6 +173,8 @@
11405 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11406 #define __USER32_DS __USER_DS
11407
11408 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11409 +
11410 #define GDT_ENTRY_TSS 8 /* needs two entries */
11411 #define GDT_ENTRY_LDT 10 /* needs two entries */
11412 #define GDT_ENTRY_TLS_MIN 12
11413 @@ -185,6 +195,7 @@
11414 #endif
11415
11416 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
11417 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
11418 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
11419 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
11420 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
11421 diff -urNp linux-2.6.39.2/arch/x86/include/asm/smp.h linux-2.6.39.2/arch/x86/include/asm/smp.h
11422 --- linux-2.6.39.2/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400
11423 +++ linux-2.6.39.2/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400
11424 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
11425 /* cpus sharing the last level cache: */
11426 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
11427 DECLARE_PER_CPU(u16, cpu_llc_id);
11428 -DECLARE_PER_CPU(int, cpu_number);
11429 +DECLARE_PER_CPU(unsigned int, cpu_number);
11430
11431 static inline struct cpumask *cpu_sibling_mask(int cpu)
11432 {
11433 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
11434 extern int safe_smp_processor_id(void);
11435
11436 #elif defined(CONFIG_X86_64_SMP)
11437 -#define raw_smp_processor_id() (percpu_read(cpu_number))
11438 -
11439 -#define stack_smp_processor_id() \
11440 -({ \
11441 - struct thread_info *ti; \
11442 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11443 - ti->cpu; \
11444 -})
11445 +#define raw_smp_processor_id() (percpu_read(cpu_number))
11446 +#define stack_smp_processor_id() raw_smp_processor_id()
11447 #define safe_smp_processor_id() smp_processor_id()
11448
11449 #endif
11450 diff -urNp linux-2.6.39.2/arch/x86/include/asm/spinlock.h linux-2.6.39.2/arch/x86/include/asm/spinlock.h
11451 --- linux-2.6.39.2/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
11452 +++ linux-2.6.39.2/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
11453 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
11454 static inline void arch_read_lock(arch_rwlock_t *rw)
11455 {
11456 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11457 +
11458 +#ifdef CONFIG_PAX_REFCOUNT
11459 + "jno 0f\n"
11460 + LOCK_PREFIX " addl $1,(%0)\n"
11461 + "int $4\n0:\n"
11462 + _ASM_EXTABLE(0b, 0b)
11463 +#endif
11464 +
11465 "jns 1f\n"
11466 "call __read_lock_failed\n\t"
11467 "1:\n"
11468 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
11469 static inline void arch_write_lock(arch_rwlock_t *rw)
11470 {
11471 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11472 +
11473 +#ifdef CONFIG_PAX_REFCOUNT
11474 + "jno 0f\n"
11475 + LOCK_PREFIX " addl %1,(%0)\n"
11476 + "int $4\n0:\n"
11477 + _ASM_EXTABLE(0b, 0b)
11478 +#endif
11479 +
11480 "jz 1f\n"
11481 "call __write_lock_failed\n\t"
11482 "1:\n"
11483 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
11484
11485 static inline void arch_read_unlock(arch_rwlock_t *rw)
11486 {
11487 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11488 + asm volatile(LOCK_PREFIX "incl %0\n"
11489 +
11490 +#ifdef CONFIG_PAX_REFCOUNT
11491 + "jno 0f\n"
11492 + LOCK_PREFIX "decl %0\n"
11493 + "int $4\n0:\n"
11494 + _ASM_EXTABLE(0b, 0b)
11495 +#endif
11496 +
11497 + :"+m" (rw->lock) : : "memory");
11498 }
11499
11500 static inline void arch_write_unlock(arch_rwlock_t *rw)
11501 {
11502 - asm volatile(LOCK_PREFIX "addl %1, %0"
11503 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
11504 +
11505 +#ifdef CONFIG_PAX_REFCOUNT
11506 + "jno 0f\n"
11507 + LOCK_PREFIX "subl %1, %0\n"
11508 + "int $4\n0:\n"
11509 + _ASM_EXTABLE(0b, 0b)
11510 +#endif
11511 +
11512 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11513 }
11514
11515 diff -urNp linux-2.6.39.2/arch/x86/include/asm/stackprotector.h linux-2.6.39.2/arch/x86/include/asm/stackprotector.h
11516 --- linux-2.6.39.2/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400
11517 +++ linux-2.6.39.2/arch/x86/include/asm/stackprotector.h 2011-05-22 19:36:30.000000000 -0400
11518 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11519
11520 static inline void load_stack_canary_segment(void)
11521 {
11522 -#ifdef CONFIG_X86_32
11523 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11524 asm volatile ("mov %0, %%gs" : : "r" (0));
11525 #endif
11526 }
11527 diff -urNp linux-2.6.39.2/arch/x86/include/asm/stacktrace.h linux-2.6.39.2/arch/x86/include/asm/stacktrace.h
11528 --- linux-2.6.39.2/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400
11529 +++ linux-2.6.39.2/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400
11530 @@ -11,28 +11,20 @@
11531
11532 extern int kstack_depth_to_print;
11533
11534 -struct thread_info;
11535 +struct task_struct;
11536 struct stacktrace_ops;
11537
11538 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
11539 - unsigned long *stack,
11540 - unsigned long bp,
11541 - const struct stacktrace_ops *ops,
11542 - void *data,
11543 - unsigned long *end,
11544 - int *graph);
11545 -
11546 -extern unsigned long
11547 -print_context_stack(struct thread_info *tinfo,
11548 - unsigned long *stack, unsigned long bp,
11549 - const struct stacktrace_ops *ops, void *data,
11550 - unsigned long *end, int *graph);
11551 -
11552 -extern unsigned long
11553 -print_context_stack_bp(struct thread_info *tinfo,
11554 - unsigned long *stack, unsigned long bp,
11555 - const struct stacktrace_ops *ops, void *data,
11556 - unsigned long *end, int *graph);
11557 +typedef unsigned long walk_stack_t(struct task_struct *task,
11558 + void *stack_start,
11559 + unsigned long *stack,
11560 + unsigned long bp,
11561 + const struct stacktrace_ops *ops,
11562 + void *data,
11563 + unsigned long *end,
11564 + int *graph);
11565 +
11566 +extern walk_stack_t print_context_stack;
11567 +extern walk_stack_t print_context_stack_bp;
11568
11569 /* Generic stack tracer with callbacks */
11570
11571 @@ -43,7 +35,7 @@ struct stacktrace_ops {
11572 void (*address)(void *data, unsigned long address, int reliable);
11573 /* On negative return stop dumping */
11574 int (*stack)(void *data, char *name);
11575 - walk_stack_t walk_stack;
11576 + walk_stack_t *walk_stack;
11577 };
11578
11579 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
11580 diff -urNp linux-2.6.39.2/arch/x86/include/asm/system.h linux-2.6.39.2/arch/x86/include/asm/system.h
11581 --- linux-2.6.39.2/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
11582 +++ linux-2.6.39.2/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
11583 @@ -129,7 +129,7 @@ do { \
11584 "call __switch_to\n\t" \
11585 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11586 __switch_canary \
11587 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
11588 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11589 "movq %%rax,%%rdi\n\t" \
11590 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11591 "jnz ret_from_fork\n\t" \
11592 @@ -140,7 +140,7 @@ do { \
11593 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11594 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11595 [_tif_fork] "i" (_TIF_FORK), \
11596 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
11597 + [thread_info] "m" (current_tinfo), \
11598 [current_task] "m" (current_task) \
11599 __switch_canary_iparam \
11600 : "memory", "cc" __EXTRA_CLOBBER)
11601 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11602 {
11603 unsigned long __limit;
11604 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11605 - return __limit + 1;
11606 + return __limit;
11607 }
11608
11609 static inline void native_clts(void)
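Review bot: `get_limit()` now returns the raw `lsll` result, i.e. the last valid offset, instead of that value plus one, and neither the name nor the signature tells callers about the change. With the old `+ 1` a limit of all ones wrapped to 0 on 32-bit, which may be why it was dropped, but any caller that still treats the result as a length is now off by one. A comment such as `/* returns the segment limit (last valid offset), not the segment size */` belongs on the function; its signature line is outside the hunk.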
11610 @@ -340,12 +340,12 @@ void enable_hlt(void);
11611
11612 void cpu_idle_wait(void);
11613
11614 -extern unsigned long arch_align_stack(unsigned long sp);
11615 +#define arch_align_stack(x) ((x) & ~0xfUL)
11616 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11617
11618 void default_idle(void);
11619
11620 -void stop_this_cpu(void *dummy);
11621 +void stop_this_cpu(void *dummy) __noreturn;
11622
11623 /*
11624 * Force strict CPU ordering.
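Review bot: `arch_align_stack` goes from an extern function to the macro `((x) & ~0xfUL)`, which drops the prototype's type checking and accepts any integer expression. `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the behaviour and the type. If the removed function did more than align (its body is not part of this file section), a comment should say where that work happens now.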
11625 diff -urNp linux-2.6.39.2/arch/x86/include/asm/thread_info.h linux-2.6.39.2/arch/x86/include/asm/thread_info.h
11626 --- linux-2.6.39.2/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400
11627 +++ linux-2.6.39.2/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400
11628 @@ -10,6 +10,7 @@
11629 #include <linux/compiler.h>
11630 #include <asm/page.h>
11631 #include <asm/types.h>
11632 +#include <asm/percpu.h>
11633
11634 /*
11635 * low level task data that entry.S needs immediate access to
11636 @@ -24,7 +25,6 @@ struct exec_domain;
11637 #include <asm/atomic.h>
11638
11639 struct thread_info {
11640 - struct task_struct *task; /* main task structure */
11641 struct exec_domain *exec_domain; /* execution domain */
11642 __u32 flags; /* low level flags */
11643 __u32 status; /* thread synchronous flags */
11644 @@ -34,18 +34,12 @@ struct thread_info {
11645 mm_segment_t addr_limit;
11646 struct restart_block restart_block;
11647 void __user *sysenter_return;
11648 -#ifdef CONFIG_X86_32
11649 - unsigned long previous_esp; /* ESP of the previous stack in
11650 - case of nested (IRQ) stacks
11651 - */
11652 - __u8 supervisor_stack[0];
11653 -#endif
11654 + unsigned long lowest_stack;
11655 int uaccess_err;
11656 };
11657
11658 -#define INIT_THREAD_INFO(tsk) \
11659 +#define INIT_THREAD_INFO \
11660 { \
11661 - .task = &tsk, \
11662 .exec_domain = &default_exec_domain, \
11663 .flags = 0, \
11664 .cpu = 0, \
11665 @@ -56,7 +50,7 @@ struct thread_info {
11666 }, \
11667 }
11668
11669 -#define init_thread_info (init_thread_union.thread_info)
11670 +#define init_thread_info (init_thread_union.stack)
11671 #define init_stack (init_thread_union.stack)
11672
11673 #else /* !__ASSEMBLY__ */
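Review bot: `init_thread_info` and `init_stack` now expand to the same expression, `init_thread_union.stack`, so `init_thread_info` no longer names the `thread_info` member and code written as `init_thread_info.<field>` would, as far as the visible lines show, stop compiling. If nothing references the macro after this patch, deleting it is clearer than aliasing it to the stack; if something does, a comment should say why the stack member is the right object.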
11674 @@ -170,6 +164,23 @@ struct thread_info {
11675 ret; \
11676 })
11677
11678 +#ifdef __ASSEMBLY__
11679 +/* how to get the thread information struct from ASM */
11680 +#define GET_THREAD_INFO(reg) \
11681 + mov PER_CPU_VAR(current_tinfo), reg
11682 +
11683 +/* use this one if reg already contains %esp */
11684 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11685 +#else
11686 +/* how to get the thread information struct from C */
11687 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11688 +
11689 +static __always_inline struct thread_info *current_thread_info(void)
11690 +{
11691 + return percpu_read_stable(current_tinfo);
11692 +}
11693 +#endif
11694 +
11695 #ifdef CONFIG_X86_32
11696
11697 #define STACK_WARN (THREAD_SIZE/8)
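Review bot: The comment kept above `GET_THREAD_INFO_WITH_ESP(reg)` ("use this one if reg already contains %esp") no longer matches the macro. It now expands to `GET_THREAD_INFO(reg)`, which overwrites `reg` with the per-cpu `current_tinfo` value and never uses the stack pointer the caller loaded. I would replace the comment with something like `/* kept for existing callers: reg is overwritten, its previous %esp value is not used */`. The C-side `current_thread_info()` would also benefit from a one-line comment saying that it no longer derives the pointer from the stack address.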
11698 @@ -180,35 +191,13 @@ struct thread_info {
11699 */
11700 #ifndef __ASSEMBLY__
11701
11702 -
11703 /* how to get the current stack pointer from C */
11704 register unsigned long current_stack_pointer asm("esp") __used;
11705
11706 -/* how to get the thread information struct from C */
11707 -static inline struct thread_info *current_thread_info(void)
11708 -{
11709 - return (struct thread_info *)
11710 - (current_stack_pointer & ~(THREAD_SIZE - 1));
11711 -}
11712 -
11713 -#else /* !__ASSEMBLY__ */
11714 -
11715 -/* how to get the thread information struct from ASM */
11716 -#define GET_THREAD_INFO(reg) \
11717 - movl $-THREAD_SIZE, reg; \
11718 - andl %esp, reg
11719 -
11720 -/* use this one if reg already contains %esp */
11721 -#define GET_THREAD_INFO_WITH_ESP(reg) \
11722 - andl $-THREAD_SIZE, reg
11723 -
11724 #endif
11725
11726 #else /* X86_32 */
11727
11728 -#include <asm/percpu.h>
11729 -#define KERNEL_STACK_OFFSET (5*8)
11730 -
11731 /*
11732 * macros/functions for gaining access to the thread information structure
11733 * preempt_count needs to be 1 initially, until the scheduler is functional.
11734 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
11735 #ifndef __ASSEMBLY__
11736 DECLARE_PER_CPU(unsigned long, kernel_stack);
11737
11738 -static inline struct thread_info *current_thread_info(void)
11739 -{
11740 - struct thread_info *ti;
11741 - ti = (void *)(percpu_read_stable(kernel_stack) +
11742 - KERNEL_STACK_OFFSET - THREAD_SIZE);
11743 - return ti;
11744 -}
11745 -
11746 -#else /* !__ASSEMBLY__ */
11747 -
11748 -/* how to get the thread information struct from ASM */
11749 -#define GET_THREAD_INFO(reg) \
11750 - movq PER_CPU_VAR(kernel_stack),reg ; \
11751 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11752 -
11753 +/* how to get the current stack pointer from C */
11754 +register unsigned long current_stack_pointer asm("rsp") __used;
11755 #endif
11756
11757 #endif /* !X86_32 */
11758 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
11759 extern void free_thread_info(struct thread_info *ti);
11760 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11761 #define arch_task_cache_init arch_task_cache_init
11762 +
11763 +#define __HAVE_THREAD_FUNCTIONS
11764 +#define task_thread_info(task) (&(task)->tinfo)
11765 +#define task_stack_page(task) ((task)->stack)
11766 +#define setup_thread_stack(p, org) do {} while (0)
11767 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11768 +
11769 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11770 +extern struct task_struct *alloc_task_struct_node(int node);
11771 +extern void free_task_struct(struct task_struct *);
11772 +
11773 #endif
11774 #endif /* _ASM_X86_THREAD_INFO_H */
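Review bot: The new `end_of_stack(p)` returns `(unsigned long *)task_stack_page(p) + 1`, and nothing in the hunk says why the first word of the stack page is skipped now that `thread_info` is reached through `(task)->tinfo`. `setup_thread_stack()` likewise becomes an empty statement without explanation. A short comment above the `__HAVE_THREAD_FUNCTIONS` block should state that `thread_info` is embedded in `task_struct`, so there is nothing to copy onto the new stack, and what the `+ 1` offset is reserved for.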
11775 diff -urNp linux-2.6.39.2/arch/x86/include/asm/uaccess_32.h linux-2.6.39.2/arch/x86/include/asm/uaccess_32.h
11776 --- linux-2.6.39.2/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
11777 +++ linux-2.6.39.2/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
11778 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11779 static __always_inline unsigned long __must_check
11780 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11781 {
11782 + pax_track_stack();
11783 +
11784 + if ((long)n < 0)
11785 + return n;
11786 +
11787 if (__builtin_constant_p(n)) {
11788 unsigned long ret;
11789
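Review bot: The added guard `if ((long)n < 0) return n;` in `__copy_to_user_inatomic()` has no comment, and its contract is not obvious. It rejects any length with the top bit set and reports all `n` bytes as uncopied. The same guard is added in the later hunks for `__copy_from_user_inatomic()`, `__copy_from_user()`, `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()`, and as `(int)size < 0` in uaccess_64.h. I would put `/* a length above LONG_MAX is almost certainly a negative value converted to unsigned: copy nothing and report it all as uncopied */` at the first occurrence. It is also worth a word on why `pax_track_stack()` is called here and in `__copy_from_user()` but not in the other variants; the function bodies continue outside the hunks, so this may be covered elsewhere.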
11790 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11791 return ret;
11792 }
11793 }
11794 + if (!__builtin_constant_p(n))
11795 + check_object_size(from, n, true);
11796 return __copy_to_user_ll(to, from, n);
11797 }
11798
11799 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11800 __copy_to_user(void __user *to, const void *from, unsigned long n)
11801 {
11802 might_fault();
11803 +
11804 return __copy_to_user_inatomic(to, from, n);
11805 }
11806
11807 static __always_inline unsigned long
11808 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11809 {
11810 + if ((long)n < 0)
11811 + return n;
11812 +
11813 /* Avoid zeroing the tail if the copy fails..
11814 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11815 * but as the zeroing behaviour is only significant when n is not
11816 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11817 __copy_from_user(void *to, const void __user *from, unsigned long n)
11818 {
11819 might_fault();
11820 +
11821 + pax_track_stack();
11822 +
11823 + if ((long)n < 0)
11824 + return n;
11825 +
11826 if (__builtin_constant_p(n)) {
11827 unsigned long ret;
11828
11829 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11830 return ret;
11831 }
11832 }
11833 + if (!__builtin_constant_p(n))
11834 + check_object_size(to, n, false);
11835 return __copy_from_user_ll(to, from, n);
11836 }
11837
11838 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11839 const void __user *from, unsigned long n)
11840 {
11841 might_fault();
11842 +
11843 + if ((long)n < 0)
11844 + return n;
11845 +
11846 if (__builtin_constant_p(n)) {
11847 unsigned long ret;
11848
11849 @@ -182,15 +205,19 @@ static __always_inline unsigned long
11850 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11851 unsigned long n)
11852 {
11853 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11854 -}
11855 + if ((long)n < 0)
11856 + return n;
11857
11858 -unsigned long __must_check copy_to_user(void __user *to,
11859 - const void *from, unsigned long n);
11860 -unsigned long __must_check _copy_from_user(void *to,
11861 - const void __user *from,
11862 - unsigned long n);
11863 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11864 +}
11865
11866 +extern void copy_to_user_overflow(void)
11867 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11868 + __compiletime_error("copy_to_user() buffer size is not provably correct")
11869 +#else
11870 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
11871 +#endif
11872 +;
11873
11874 extern void copy_from_user_overflow(void)
11875 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11876 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
11877 #endif
11878 ;
11879
11880 -static inline unsigned long __must_check copy_from_user(void *to,
11881 - const void __user *from,
11882 - unsigned long n)
11883 +/**
11884 + * copy_to_user: - Copy a block of data into user space.
11885 + * @to: Destination address, in user space.
11886 + * @from: Source address, in kernel space.
11887 + * @n: Number of bytes to copy.
11888 + *
11889 + * Context: User context only. This function may sleep.
11890 + *
11891 + * Copy data from kernel space to user space.
11892 + *
11893 + * Returns number of bytes that could not be copied.
11894 + * On success, this will be zero.
11895 + */
11896 +static inline unsigned long __must_check
11897 +copy_to_user(void __user *to, const void *from, unsigned long n)
11898 +{
11899 + int sz = __compiletime_object_size(from);
11900 +
11901 + if (unlikely(sz != -1 && sz < n))
11902 + copy_to_user_overflow();
11903 + else if (access_ok(VERIFY_WRITE, to, n))
11904 + n = __copy_to_user(to, from, n);
11905 + return n;
11906 +}
11907 +
11908 +/**
11909 + * copy_from_user: - Copy a block of data from user space.
11910 + * @to: Destination address, in kernel space.
11911 + * @from: Source address, in user space.
11912 + * @n: Number of bytes to copy.
11913 + *
11914 + * Context: User context only. This function may sleep.
11915 + *
11916 + * Copy data from user space to kernel space.
11917 + *
11918 + * Returns number of bytes that could not be copied.
11919 + * On success, this will be zero.
11920 + *
11921 + * If some data could not be copied, this function will pad the copied
11922 + * data to the requested size using zero bytes.
11923 + */
11924 +static inline unsigned long __must_check
11925 +copy_from_user(void *to, const void __user *from, unsigned long n)
11926 {
11927 int sz = __compiletime_object_size(to);
11928
11929 - if (likely(sz == -1 || sz >= n))
11930 - n = _copy_from_user(to, from, n);
11931 - else
11932 + if (unlikely(sz != -1 && sz < n))
11933 copy_from_user_overflow();
11934 -
11935 + else if (access_ok(VERIFY_READ, from, n))
11936 + n = __copy_from_user(to, from, n);
11937 + else if ((long)n > 0) {
11938 + if (!__builtin_constant_p(n))
11939 + check_object_size(to, n, false);
11940 + memset(to, 0, n);
11941 + }
11942 return n;
11943 }
11944
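Review bot: The kerneldoc added for `copy_from_user()` promises that the destination is padded with zero bytes whenever data could not be copied, but the first branch does not do that. When `sz != -1 && sz < n` it calls `copy_from_user_overflow()` and returns `n` with `to` untouched, and the same holds for a failed `access_ok()` with `(long)n <= 0`. Either narrow the comment to the cases that are actually zeroed, or clear the known-size object on the overflow path with `memset(to, 0, sz);` before returning, so that a caller that mishandles the return value does not go on to use stale kernel memory. The comparison `sz < n` mixes `int` and `unsigned long`; it is safe only because `sz != -1` is tested first, which deserves a short comment.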
11945 diff -urNp linux-2.6.39.2/arch/x86/include/asm/uaccess_64.h linux-2.6.39.2/arch/x86/include/asm/uaccess_64.h
11946 --- linux-2.6.39.2/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
11947 +++ linux-2.6.39.2/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
11948 @@ -11,6 +11,9 @@
11949 #include <asm/alternative.h>
11950 #include <asm/cpufeature.h>
11951 #include <asm/page.h>
11952 +#include <asm/pgtable.h>
11953 +
11954 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11955
11956 /*
11957 * Copy To/From Userspace
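Review bot: The `set_fs(x)` macro added here appears to duplicate the definition in uaccess.h, whose `#else` branch (everything except 32-bit UDEREF) carries the identical body. An identical redefinition compiles, but the two copies must now be kept in step, and a later change to only one of them becomes a redefinition error. If the copy is needed because of include ordering, say so in a comment; otherwise drop it and rely on uaccess.h.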
11958 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
11959 return ret;
11960 }
11961
11962 -__must_check unsigned long
11963 -_copy_to_user(void __user *to, const void *from, unsigned len);
11964 -__must_check unsigned long
11965 -_copy_from_user(void *to, const void __user *from, unsigned len);
11966 +static __always_inline __must_check unsigned long
11967 +__copy_to_user(void __user *to, const void *from, unsigned len);
11968 +static __always_inline __must_check unsigned long
11969 +__copy_from_user(void *to, const void __user *from, unsigned len);
11970 __must_check unsigned long
11971 copy_in_user(void __user *to, const void __user *from, unsigned len);
11972
11973 static inline unsigned long __must_check copy_from_user(void *to,
11974 const void __user *from,
11975 - unsigned long n)
11976 + unsigned n)
11977 {
11978 - int sz = __compiletime_object_size(to);
11979 -
11980 might_fault();
11981 - if (likely(sz == -1 || sz >= n))
11982 - n = _copy_from_user(to, from, n);
11983 -#ifdef CONFIG_DEBUG_VM
11984 - else
11985 - WARN(1, "Buffer overflow detected!\n");
11986 -#endif
11987 +
11988 + if (access_ok(VERIFY_READ, from, n))
11989 + n = __copy_from_user(to, from, n);
11990 + else if ((int)n > 0) {
11991 + if (!__builtin_constant_p(n))
11992 + check_object_size(to, n, false);
11993 + memset(to, 0, n);
11994 + }
11995 return n;
11996 }
11997
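Review bot: Declaring the length as `unsigned n` in `copy_from_user()` means a 64-bit length is truncated at the call boundary, before `access_ok()` and the `(int)n > 0` test ever see it. The old code also narrowed when it called `_copy_from_user()`, so the truncation is not new, but the hardening checks added here now run on the truncated value and cannot notice an oversized request. I would keep `unsigned long n` in the signature and reject out-of-range lengths explicitly with `if (n > INT_MAX) return n;` ahead of the `access_ok()` call. Whether any caller really passes such a length cannot be told from this hunk.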
11998 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
11999 {
12000 might_fault();
12001
12002 - return _copy_to_user(dst, src, size);
12003 + if (access_ok(VERIFY_WRITE, dst, size))
12004 + size = __copy_to_user(dst, src, size);
12005 + return size;
12006 }
12007
12008 static __always_inline __must_check
12009 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
12010 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
12011 {
12012 - int ret = 0;
12013 + int sz = __compiletime_object_size(dst);
12014 + unsigned ret = 0;
12015
12016 might_fault();
12017 - if (!__builtin_constant_p(size))
12018 - return copy_user_generic(dst, (__force void *)src, size);
12019 +
12020 + pax_track_stack();
12021 +
12022 + if ((int)size < 0)
12023 + return size;
12024 +
12025 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12026 + if (!__access_ok(VERIFY_READ, src, size))
12027 + return size;
12028 +#endif
12029 +
12030 + if (unlikely(sz != -1 && sz < size)) {
12031 +#ifdef CONFIG_DEBUG_VM
12032 + WARN(1, "Buffer overflow detected!\n");
12033 +#endif
12034 + return size;
12035 + }
12036 +
12037 + if (!__builtin_constant_p(size)) {
12038 + check_object_size(dst, size, false);
12039 +
12040 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12041 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12042 + src += PAX_USER_SHADOW_BASE;
12043 +#endif
12044 +
12045 + return copy_user_generic(dst, (__force const void *)src, size);
12046 + }
12047 switch (size) {
12048 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
12049 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
12050 ret, "b", "b", "=q", 1);
12051 return ret;
12052 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
12053 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
12054 ret, "w", "w", "=r", 2);
12055 return ret;
12056 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
12057 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
12058 ret, "l", "k", "=r", 4);
12059 return ret;
12060 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
12061 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12062 ret, "q", "", "=r", 8);
12063 return ret;
12064 case 10:
12065 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12066 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12067 ret, "q", "", "=r", 10);
12068 if (unlikely(ret))
12069 return ret;
12070 __get_user_asm(*(u16 *)(8 + (char *)dst),
12071 - (u16 __user *)(8 + (char __user *)src),
12072 + (const u16 __user *)(8 + (const char __user *)src),
12073 ret, "w", "w", "=r", 2);
12074 return ret;
12075 case 16:
12076 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12077 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12078 ret, "q", "", "=r", 16);
12079 if (unlikely(ret))
12080 return ret;
12081 __get_user_asm(*(u64 *)(8 + (char *)dst),
12082 - (u64 __user *)(8 + (char __user *)src),
12083 + (const u64 __user *)(8 + (const char __user *)src),
12084 ret, "q", "", "=r", 8);
12085 return ret;
12086 default:
12087 - return copy_user_generic(dst, (__force void *)src, size);
12088 +
12089 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12090 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12091 + src += PAX_USER_SHADOW_BASE;
12092 +#endif
12093 +
12094 + return copy_user_generic(dst, (__force const void *)src, size);
12095 }
12096 }
12097
12098 static __always_inline __must_check
12099 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
12100 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
12101 {
12102 - int ret = 0;
12103 + int sz = __compiletime_object_size(src);
12104 + unsigned ret = 0;
12105
12106 might_fault();
12107 - if (!__builtin_constant_p(size))
12108 +
12109 + pax_track_stack();
12110 +
12111 + if ((int)size < 0)
12112 + return size;
12113 +
12114 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12115 + if (!__access_ok(VERIFY_WRITE, dst, size))
12116 + return size;
12117 +#endif
12118 +
12119 + if (unlikely(sz != -1 && sz < size)) {
12120 +#ifdef CONFIG_DEBUG_VM
12121 + WARN(1, "Buffer overflow detected!\n");
12122 +#endif
12123 + return size;
12124 + }
12125 +
12126 + if (!__builtin_constant_p(size)) {
12127 + check_object_size(src, size, true);
12128 +
12129 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12130 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12131 + dst += PAX_USER_SHADOW_BASE;
12132 +#endif
12133 +
12134 return copy_user_generic((__force void *)dst, src, size);
12135 + }
12136 switch (size) {
12137 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
12138 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
12139 ret, "b", "b", "iq", 1);
12140 return ret;
12141 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
12142 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
12143 ret, "w", "w", "ir", 2);
12144 return ret;
12145 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
12146 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
12147 ret, "l", "k", "ir", 4);
12148 return ret;
12149 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
12150 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12151 ret, "q", "", "er", 8);
12152 return ret;
12153 case 10:
12154 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12155 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12156 ret, "q", "", "er", 10);
12157 if (unlikely(ret))
12158 return ret;
12159 asm("":::"memory");
12160 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
12161 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
12162 ret, "w", "w", "ir", 2);
12163 return ret;
12164 case 16:
12165 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12166 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12167 ret, "q", "", "er", 16);
12168 if (unlikely(ret))
12169 return ret;
12170 asm("":::"memory");
12171 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
12172 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
12173 ret, "q", "", "er", 8);
12174 return ret;
12175 default:
12176 +
12177 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12178 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12179 + dst += PAX_USER_SHADOW_BASE;
12180 +#endif
12181 +
12182 return copy_user_generic((__force void *)dst, src, size);
12183 }
12184 }
12185
12186 static __always_inline __must_check
12187 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12188 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12189 {
12190 - int ret = 0;
12191 + unsigned ret = 0;
12192
12193 might_fault();
12194 - if (!__builtin_constant_p(size))
12195 +
12196 + if ((int)size < 0)
12197 + return size;
12198 +
12199 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12200 + if (!__access_ok(VERIFY_READ, src, size))
12201 + return size;
12202 + if (!__access_ok(VERIFY_WRITE, dst, size))
12203 + return size;
12204 +#endif
12205 +
12206 + if (!__builtin_constant_p(size)) {
12207 +
12208 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12209 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12210 + src += PAX_USER_SHADOW_BASE;
12211 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12212 + dst += PAX_USER_SHADOW_BASE;
12213 +#endif
12214 +
12215 return copy_user_generic((__force void *)dst,
12216 - (__force void *)src, size);
12217 + (__force const void *)src, size);
12218 + }
12219 switch (size) {
12220 case 1: {
12221 u8 tmp;
12222 - __get_user_asm(tmp, (u8 __user *)src,
12223 + __get_user_asm(tmp, (const u8 __user *)src,
12224 ret, "b", "b", "=q", 1);
12225 if (likely(!ret))
12226 __put_user_asm(tmp, (u8 __user *)dst,
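Review bot: The UDEREF rebasing `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is written out twice in each of `__copy_from_user()`, `__copy_to_user()` and `__copy_in_user()`, once in the non-constant branch and once under `default:`. It is repeated in the later hunks for the `default:` case of `__copy_in_user()` and the two `_inatomic` helpers, and in xsave.h. The `____m()` macro added in uaccess.h encodes the same rule a further time. A single static inline helper that takes and returns a `__user` pointer would keep these copies from drifting apart, since one missed site means a copy that skips the shadow mapping. The fixed-size `case` arms do no rebasing of their own and seem to rely on `__m()` for it; a one-line comment at the `switch` would make that dependency visible. `__copy_in_user()` continues past the end of this hunk.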
12227 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
12228 }
12229 case 2: {
12230 u16 tmp;
12231 - __get_user_asm(tmp, (u16 __user *)src,
12232 + __get_user_asm(tmp, (const u16 __user *)src,
12233 ret, "w", "w", "=r", 2);
12234 if (likely(!ret))
12235 __put_user_asm(tmp, (u16 __user *)dst,
12236 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
12237
12238 case 4: {
12239 u32 tmp;
12240 - __get_user_asm(tmp, (u32 __user *)src,
12241 + __get_user_asm(tmp, (const u32 __user *)src,
12242 ret, "l", "k", "=r", 4);
12243 if (likely(!ret))
12244 __put_user_asm(tmp, (u32 __user *)dst,
12245 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
12246 }
12247 case 8: {
12248 u64 tmp;
12249 - __get_user_asm(tmp, (u64 __user *)src,
12250 + __get_user_asm(tmp, (const u64 __user *)src,
12251 ret, "q", "", "=r", 8);
12252 if (likely(!ret))
12253 __put_user_asm(tmp, (u64 __user *)dst,
12254 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
12255 return ret;
12256 }
12257 default:
12258 +
12259 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12260 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12261 + src += PAX_USER_SHADOW_BASE;
12262 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12263 + dst += PAX_USER_SHADOW_BASE;
12264 +#endif
12265 +
12266 return copy_user_generic((__force void *)dst,
12267 - (__force void *)src, size);
12268 + (__force const void *)src, size);
12269 }
12270 }
12271
12272 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
12273 static __must_check __always_inline int
12274 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12275 {
12276 + pax_track_stack();
12277 +
12278 + if ((int)size < 0)
12279 + return size;
12280 +
12281 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12282 + if (!__access_ok(VERIFY_READ, src, size))
12283 + return size;
12284 +
12285 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12286 + src += PAX_USER_SHADOW_BASE;
12287 +#endif
12288 +
12289 return copy_user_generic(dst, (__force const void *)src, size);
12290 }
12291
12292 -static __must_check __always_inline int
12293 +static __must_check __always_inline unsigned long
12294 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12295 {
12296 + if ((int)size < 0)
12297 + return size;
12298 +
12299 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12300 + if (!__access_ok(VERIFY_WRITE, dst, size))
12301 + return size;
12302 +
12303 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12304 + dst += PAX_USER_SHADOW_BASE;
12305 +#endif
12306 +
12307 return copy_user_generic((__force void *)dst, src, size);
12308 }
12309
12310 -extern long __copy_user_nocache(void *dst, const void __user *src,
12311 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12312 unsigned size, int zerorest);
12313
12314 -static inline int
12315 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12316 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12317 {
12318 might_sleep();
12319 +
12320 + if ((int)size < 0)
12321 + return size;
12322 +
12323 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12324 + if (!__access_ok(VERIFY_READ, src, size))
12325 + return size;
12326 +#endif
12327 +
12328 return __copy_user_nocache(dst, src, size, 1);
12329 }
12330
12331 -static inline int
12332 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12333 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12334 unsigned size)
12335 {
12336 + if ((int)size < 0)
12337 + return size;
12338 +
12339 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12340 + if (!__access_ok(VERIFY_READ, src, size))
12341 + return size;
12342 +#endif
12343 +
12344 return __copy_user_nocache(dst, src, size, 0);
12345 }
12346
12347 -unsigned long
12348 +extern unsigned long
12349 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12350
12351 #endif /* _ASM_X86_UACCESS_64_H */
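Review bot: `__copy_from_user_inatomic()` keeps its `int` return type while the new `(int)size < 0` guard returns `size`, so that path hands the caller a negative number. `__copy_to_user_inatomic()` directly below was switched to `unsigned long` for the same guard. Callers that only test for non-zero are unaffected, but anything that treats the result as a count of uncopied bytes would be misled. Declaring it `static __must_check __always_inline unsigned long` brings it in line with its siblings in this hunk. Separately, the two `_nocache` helpers check `__access_ok()` under UDEREF but do not rebase `src`; presumably `__copy_user_nocache()` does that itself, which would be worth a comment.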
12352 diff -urNp linux-2.6.39.2/arch/x86/include/asm/uaccess.h linux-2.6.39.2/arch/x86/include/asm/uaccess.h
12353 --- linux-2.6.39.2/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400
12354 +++ linux-2.6.39.2/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400
12355 @@ -8,12 +8,15 @@
12356 #include <linux/thread_info.h>
12357 #include <linux/prefetch.h>
12358 #include <linux/string.h>
12359 +#include <linux/sched.h>
12360 #include <asm/asm.h>
12361 #include <asm/page.h>
12362
12363 #define VERIFY_READ 0
12364 #define VERIFY_WRITE 1
12365
12366 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
12367 +
12368 /*
12369 * The fs value determines whether argument validity checking should be
12370 * performed or not. If get_fs() == USER_DS, checking is performed, with
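Review bot: The new prototype `check_object_size(const void *ptr, unsigned long n, bool to)` is declared without any description, and the meaning of `to` has to be reverse-engineered from the call sites. Those pass `true` with the kernel source buffer on copy-to-user paths and `false` with the kernel destination on copy-from-user paths. I would add a comment such as `/* validate that the kernel object at ptr really spans n bytes; to is true when the data is being copied out to user space */`. What happens on a failed check is not visible on this page and should be stated there as well.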
12371 @@ -29,7 +32,12 @@
12372
12373 #define get_ds() (KERNEL_DS)
12374 #define get_fs() (current_thread_info()->addr_limit)
12375 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12376 +void __set_fs(mm_segment_t x);
12377 +void set_fs(mm_segment_t x);
12378 +#else
12379 #define set_fs(x) (current_thread_info()->addr_limit = (x))
12380 +#endif
12381
12382 #define segment_eq(a, b) ((a).seg == (b).seg)
12383
12384 @@ -77,7 +85,33 @@
12385 * checks that the pointer is in the user space range - after calling
12386 * this function, memory access functions may still return -EFAULT.
12387 */
12388 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12389 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12390 +#define access_ok(type, addr, size) \
12391 +({ \
12392 + long __size = size; \
12393 + unsigned long __addr = (unsigned long)addr; \
12394 + unsigned long __addr_ao = __addr & PAGE_MASK; \
12395 + unsigned long __end_ao = __addr + __size - 1; \
12396 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
12397 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
12398 + while(__addr_ao <= __end_ao) { \
12399 + char __c_ao; \
12400 + __addr_ao += PAGE_SIZE; \
12401 + if (__size > PAGE_SIZE) \
12402 + cond_resched(); \
12403 + if (__get_user(__c_ao, (char __user *)__addr)) \
12404 + break; \
12405 + if (type != VERIFY_WRITE) { \
12406 + __addr = __addr_ao; \
12407 + continue; \
12408 + } \
12409 + if (__put_user(__c_ao, (char __user *)__addr)) \
12410 + break; \
12411 + __addr = __addr_ao; \
12412 + } \
12413 + } \
12414 + __ret_ao; \
12415 +})
12416
12417 /*
12418 * The exception table consists of pairs of addresses: the first is the
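Review bot: The rewritten `access_ok()` uses its arguments unparenthesized, and `(unsigned long)addr` is the risky one. For a call such as `access_ok(type, p + i, len)` with `p` pointing to a type wider than one byte, the cast binds to `p` alone and `i` is added as bytes, so the range check runs on a lower address than the one later accessed. The lines should read `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. Beyond that, the macro is no longer a pure range check: it reads a byte from each page spanned, writes it back for `VERIFY_WRITE`, and may call `cond_resched()`. The comment kept above it still describes only a range check and should say that it can now fault, sleep and touch user memory. The result `__ret_ao` is not changed when one of those probes fails, which also deserves a sentence.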
12419 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
12420 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
12421 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
12422
12423 -
12424 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12425 +#define __copyuser_seg "gs;"
12426 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
12427 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
12428 +#else
12429 +#define __copyuser_seg
12430 +#define __COPYUSER_SET_ES
12431 +#define __COPYUSER_RESTORE_ES
12432 +#endif
12433
12434 #ifdef CONFIG_X86_32
12435 #define __put_user_asm_u64(x, addr, err, errret) \
12436 - asm volatile("1: movl %%eax,0(%2)\n" \
12437 - "2: movl %%edx,4(%2)\n" \
12438 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
12439 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
12440 "3:\n" \
12441 ".section .fixup,\"ax\"\n" \
12442 "4: movl %3,%0\n" \
12443 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
12444 : "A" (x), "r" (addr), "i" (errret), "0" (err))
12445
12446 #define __put_user_asm_ex_u64(x, addr) \
12447 - asm volatile("1: movl %%eax,0(%1)\n" \
12448 - "2: movl %%edx,4(%1)\n" \
12449 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
12450 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
12451 "3:\n" \
12452 _ASM_EXTABLE(1b, 2b - 1b) \
12453 _ASM_EXTABLE(2b, 3b - 2b) \
12454 @@ -374,7 +416,7 @@ do { \
12455 } while (0)
12456
12457 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12458 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
12459 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
12460 "2:\n" \
12461 ".section .fixup,\"ax\"\n" \
12462 "3: mov %3,%0\n" \
12463 @@ -382,7 +424,7 @@ do { \
12464 " jmp 2b\n" \
12465 ".previous\n" \
12466 _ASM_EXTABLE(1b, 3b) \
12467 - : "=r" (err), ltype(x) \
12468 + : "=r" (err), ltype (x) \
12469 : "m" (__m(addr)), "i" (errret), "0" (err))
12470
12471 #define __get_user_size_ex(x, ptr, size) \
12472 @@ -407,7 +449,7 @@ do { \
12473 } while (0)
12474
12475 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
12476 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
12477 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
12478 "2:\n" \
12479 _ASM_EXTABLE(1b, 2b - 1b) \
12480 : ltype(x) : "m" (__m(addr)))
12481 @@ -424,13 +466,24 @@ do { \
12482 int __gu_err; \
12483 unsigned long __gu_val; \
12484 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
12485 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
12486 + (x) = (__typeof__(*(ptr)))__gu_val; \
12487 __gu_err; \
12488 })
12489
12490 /* FIXME: this hack is definitely wrong -AK */
12491 struct __large_struct { unsigned long buf[100]; };
12492 -#define __m(x) (*(struct __large_struct __user *)(x))
12493 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12494 +#define ____m(x) \
12495 +({ \
12496 + unsigned long ____x = (unsigned long)(x); \
12497 + if (____x < PAX_USER_SHADOW_BASE) \
12498 + ____x += PAX_USER_SHADOW_BASE; \
12499 + (void __user *)____x; \
12500 +})
12501 +#else
12502 +#define ____m(x) (x)
12503 +#endif
12504 +#define __m(x) (*(struct __large_struct __user *)____m(x))
12505
12506 /*
12507 * Tell gcc we read from memory instead of writing: this is because
12508 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
12509 * aliasing issues.
12510 */
12511 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12512 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
12513 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
12514 "2:\n" \
12515 ".section .fixup,\"ax\"\n" \
12516 "3: mov %3,%0\n" \
12517 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
12518 ".previous\n" \
12519 _ASM_EXTABLE(1b, 3b) \
12520 : "=r"(err) \
12521 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
12522 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
12523
12524 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
12525 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
12526 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
12527 "2:\n" \
12528 _ASM_EXTABLE(1b, 2b - 1b) \
12529 : : ltype(x), "m" (__m(addr)))
12530 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
12531 * On error, the variable @x is set to zero.
12532 */
12533
12534 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12535 +#define __get_user(x, ptr) get_user((x), (ptr))
12536 +#else
12537 #define __get_user(x, ptr) \
12538 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
12539 +#endif
12540
12541 /**
12542 * __put_user: - Write a simple value into user space, with less checking.
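Review bot: With 64-bit UDEREF, `__get_user(x, ptr)` now expands to `get_user((x), (ptr))`, and the next hunk does the same for `__put_user`. The kerneldoc for these macros still describes them as the variants "with less checking", which is no longer true for that configuration. A reader tuning a loop that already called `access_ok()` would not expect the full check on every element. I would add a line above each `#if` such as `/* UDEREF on x86_64: the unchecked form is routed through the checked one so the shadow-base handling always applies */`. The new `access_ok()` macro itself calls `__get_user()` and `__put_user()`, so that interaction is worth mentioning in the same comment.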
12543 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
12544 * Returns zero on success, or -EFAULT on error.
12545 */
12546
12547 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12548 +#define __put_user(x, ptr) put_user((x), (ptr))
12549 +#else
12550 #define __put_user(x, ptr) \
12551 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12552 +#endif
12553
12554 #define __get_user_unaligned __get_user
12555 #define __put_user_unaligned __put_user
12556 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12557 #define get_user_ex(x, ptr) do { \
12558 unsigned long __gue_val; \
12559 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12560 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
12561 + (x) = (__typeof__(*(ptr)))__gue_val; \
12562 } while (0)
12563
12564 #ifdef CONFIG_X86_WP_WORKS_OK
12565 @@ -567,6 +628,7 @@ extern struct movsl_mask {
12566
12567 #define ARCH_HAS_NOCACHE_UACCESS 1
12568
12569 +#define ARCH_HAS_SORT_EXTABLE
12570 #ifdef CONFIG_X86_32
12571 # include "uaccess_32.h"
12572 #else
12573 diff -urNp linux-2.6.39.2/arch/x86/include/asm/vgtod.h linux-2.6.39.2/arch/x86/include/asm/vgtod.h
12574 --- linux-2.6.39.2/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400
12575 +++ linux-2.6.39.2/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400
12576 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12577 int sysctl_enabled;
12578 struct timezone sys_tz;
12579 struct { /* extract of a clocksource struct */
12580 + char name[8];
12581 cycle_t (*vread)(void);
12582 cycle_t cycle_last;
12583 cycle_t mask;
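Review bot: The new `char name[8];` field has a bare magic size and no comment on what fills it. The code that writes it is outside this hunk, so it cannot be confirmed here that the copy is bounded to `sizeof` the field and always NUL-terminated. I would document the field, for example `/* clocksource name, truncated; always NUL-terminated */`, and have the writer use a size-taking copy keyed to `sizeof(...name)`. It is also worth checking that inserting a field ahead of `vread` does not disturb any code that depends on this struct's layout.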
12584 diff -urNp linux-2.6.39.2/arch/x86/include/asm/vsyscall.h linux-2.6.39.2/arch/x86/include/asm/vsyscall.h
12585 --- linux-2.6.39.2/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400
12586 +++ linux-2.6.39.2/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400
12587 @@ -15,9 +15,10 @@ enum vsyscall_num {
12588
12589 #ifdef __KERNEL__
12590 #include <linux/seqlock.h>
12591 +#include <linux/getcpu.h>
12592 +#include <linux/time.h>
12593
12594 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12595 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12596
12597 /* Definitions for CONFIG_GENERIC_TIME definitions */
12598 #define __section_vsyscall_gtod_data __attribute__ \
12599 @@ -31,7 +32,6 @@ enum vsyscall_num {
12600 #define VGETCPU_LSL 2
12601
12602 extern int __vgetcpu_mode;
12603 -extern volatile unsigned long __jiffies;
12604
12605 /* kernel space (writeable) */
12606 extern int vgetcpu_mode;
12607 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12608
12609 extern void map_vsyscall(void);
12610
12611 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12612 +extern time_t vtime(time_t *t);
12613 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12614 #endif /* __KERNEL__ */
12615
12616 #endif /* _ASM_X86_VSYSCALL_H */
12617 diff -urNp linux-2.6.39.2/arch/x86/include/asm/xen/pci.h linux-2.6.39.2/arch/x86/include/asm/xen/pci.h
12618 --- linux-2.6.39.2/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400
12619 +++ linux-2.6.39.2/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400
12620 @@ -33,7 +33,7 @@ struct xen_pci_frontend_ops {
12621 void (*disable_msix)(struct pci_dev *dev);
12622 };
12623
12624 -extern struct xen_pci_frontend_ops *xen_pci_frontend;
12625 +extern const struct xen_pci_frontend_ops *xen_pci_frontend;
12626
12627 static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev,
12628 int vectors[])
12629 diff -urNp linux-2.6.39.2/arch/x86/include/asm/xsave.h linux-2.6.39.2/arch/x86/include/asm/xsave.h
12630 --- linux-2.6.39.2/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400
12631 +++ linux-2.6.39.2/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400
12632 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
12633 {
12634 int err;
12635
12636 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12637 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12638 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12639 +#endif
12640 +
12641 /*
12642 * Clear the xsave header first, so that reserved fields are
12643 * initialized to zero.
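Review bot: Nothing in `xsave_user()` explains why a pointer below `PAX_USER_SHADOW_BASE` is shifted up by that constant, and the same block is open-coded again in `xrestore_user()` in the next hunk. A pointer at or above the base is used unchanged, so this code relies on the caller having validated the range; that check is not visible here and should be named in a comment. I would add something like `/* UDEREF: reach userland through its shadow mapping; caller has done access_ok() */` (the reason is inferred, please confirm) and move the rebasing into one shared helper. The arithmetic on `void __user *` is a GNU extension, and both function bodies continue outside their hunks.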
12644 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
12645 u32 lmask = mask;
12646 u32 hmask = mask >> 32;
12647
12648 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12649 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12650 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12651 +#endif
12652 +
12653 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12654 "2:\n"
12655 ".section .fixup,\"ax\"\n"
12656 diff -urNp linux-2.6.39.2/arch/x86/Kconfig linux-2.6.39.2/arch/x86/Kconfig
12657 --- linux-2.6.39.2/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400
12658 +++ linux-2.6.39.2/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400
12659 @@ -224,7 +224,7 @@ config X86_HT
12660
12661 config X86_32_LAZY_GS
12662 def_bool y
12663 - depends on X86_32 && !CC_STACKPROTECTOR
12664 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12665
12666 config ARCH_HWEIGHT_CFLAGS
12667 string
12668 @@ -1022,7 +1022,7 @@ choice
12669
12670 config NOHIGHMEM
12671 bool "off"
12672 - depends on !X86_NUMAQ
12673 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12674 ---help---
12675 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12676 However, the address space of 32-bit x86 processors is only 4
12677 @@ -1059,7 +1059,7 @@ config NOHIGHMEM
12678
12679 config HIGHMEM4G
12680 bool "4GB"
12681 - depends on !X86_NUMAQ
12682 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12683 ---help---
12684 Select this if you have a 32-bit processor and between 1 and 4
12685 gigabytes of physical RAM.
12686 @@ -1113,7 +1113,7 @@ config PAGE_OFFSET
12687 hex
12688 default 0xB0000000 if VMSPLIT_3G_OPT
12689 default 0x80000000 if VMSPLIT_2G
12690 - default 0x78000000 if VMSPLIT_2G_OPT
12691 + default 0x70000000 if VMSPLIT_2G_OPT
12692 default 0x40000000 if VMSPLIT_1G
12693 default 0xC0000000
12694 depends on X86_32
12695 @@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED
12696
12697 config EFI
12698 bool "EFI runtime service support"
12699 - depends on ACPI
12700 + depends on ACPI && !PAX_KERNEXEC
12701 ---help---
12702 This enables the kernel to use EFI runtime services that are
12703 available (such as the EFI variable services).
12704 @@ -1487,6 +1487,7 @@ config SECCOMP
12705
12706 config CC_STACKPROTECTOR
12707 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12708 + depends on X86_64 || !PAX_MEMORY_UDEREF
12709 ---help---
12710 This option turns on the -fstack-protector GCC feature. This
12711 feature puts, at the beginning of functions, a canary value on
12712 @@ -1544,6 +1545,7 @@ config KEXEC_JUMP
12713 config PHYSICAL_START
12714 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
12715 default "0x1000000"
12716 + range 0x400000 0x40000000
12717 ---help---
12718 This gives the physical address where the kernel is loaded.
12719
12720 @@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS
12721 config PHYSICAL_ALIGN
12722 hex "Alignment value to which kernel should be aligned" if X86_32
12723 default "0x1000000"
12724 + range 0x400000 0x1000000 if PAX_KERNEXEC
12725 range 0x2000 0x1000000
12726 ---help---
12727 This value puts the alignment restrictions on physical address
12728 @@ -1638,9 +1641,10 @@ config HOTPLUG_CPU
12729 Say N if you want to disable CPU hotplug.
12730
12731 config COMPAT_VDSO
12732 - def_bool y
12733 + def_bool n
12734 prompt "Compat VDSO support"
12735 depends on X86_32 || IA32_EMULATION
12736 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12737 ---help---
12738 Map the 32-bit VDSO to the predictable old-style address too.
12739
12740 diff -urNp linux-2.6.39.2/arch/x86/Kconfig.cpu linux-2.6.39.2/arch/x86/Kconfig.cpu
12741 --- linux-2.6.39.2/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400
12742 +++ linux-2.6.39.2/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400
12743 @@ -334,7 +334,7 @@ config X86_PPRO_FENCE
12744
12745 config X86_F00F_BUG
12746 def_bool y
12747 - depends on M586MMX || M586TSC || M586 || M486 || M386
12748 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12749
12750 config X86_INVD_BUG
12751 def_bool y
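Review bot: Adding `&& !PAX_KERNEXEC` switches the F00F workaround off for M586MMX/M586TSC/M586/M486/M386 builds whenever KERNEXEC is selected, and nothing tells the person configuring the kernel that this trade-off is being made. On processors that actually have the erratum, the condition the workaround guards against is no longer mitigated. I would state it above the entry, e.g. `# the F00F workaround cannot be combined with PAX_KERNEXEC`, or make PAX_KERNEXEC depend on a CPU selection that does not need the workaround. The reason for the incompatibility is not visible in this hunk.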
12752 @@ -358,7 +358,7 @@ config X86_POPAD_OK
12753
12754 config X86_ALIGNMENT_16
12755 def_bool y
12756 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12757 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12758
12759 config X86_INTEL_USERCOPY
12760 def_bool y
12761 @@ -404,7 +404,7 @@ config X86_CMPXCHG64
12762 # generates cmov.
12763 config X86_CMOV
12764 def_bool y
12765 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12766 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12767
12768 config X86_MINIMUM_CPU_FAMILY
12769 int
12770 diff -urNp linux-2.6.39.2/arch/x86/Kconfig.debug linux-2.6.39.2/arch/x86/Kconfig.debug
12771 --- linux-2.6.39.2/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
12772 +++ linux-2.6.39.2/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400
12773 @@ -101,7 +101,7 @@ config X86_PTDUMP
12774 config DEBUG_RODATA
12775 bool "Write protect kernel read-only data structures"
12776 default y
12777 - depends on DEBUG_KERNEL
12778 + depends on DEBUG_KERNEL && BROKEN
12779 ---help---
12780 Mark the kernel read-only data as write-protected in the pagetables,
12781 in order to catch accidental (and incorrect) writes to such const
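Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable in every configuration, including kernels built from this tree with no PaX option enabled, and the next hunk does the same to DEBUG_SET_MODULE_RONX with `depends on MODULES && BROKEN`. If the intent is that KERNEXEC supersedes these options, tying the dependency to it (`depends on DEBUG_KERNEL && !PAX_KERNEXEC` and `depends on MODULES && !PAX_KERNEXEC`) would keep write-protected read-only data and RO/NX module mappings for builds that leave KERNEXEC off. If the upstream code paths really conflict with other parts of this patch, the help text should say so, so that nobody assumes the protection is still available.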
12782 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
12783
12784 config DEBUG_SET_MODULE_RONX
12785 bool "Set loadable kernel module data as NX and text as RO"
12786 - depends on MODULES
12787 + depends on MODULES && BROKEN
12788 ---help---
12789 This option helps catch unintended modifications to loadable
12790 kernel module's text and read-only data. It also prevents execution
12791 diff -urNp linux-2.6.39.2/arch/x86/kernel/acpi/sleep.c linux-2.6.39.2/arch/x86/kernel/acpi/sleep.c
12792 --- linux-2.6.39.2/arch/x86/kernel/acpi/sleep.c 2011-05-19 00:06:34.000000000 -0400
12793 +++ linux-2.6.39.2/arch/x86/kernel/acpi/sleep.c 2011-05-22 19:36:30.000000000 -0400
12794 @@ -88,8 +88,12 @@ int acpi_suspend_lowlevel(void)
12795 header->trampoline_segment = trampoline_address() >> 4;
12796 #ifdef CONFIG_SMP
12797 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12798 +
12799 + pax_open_kernel();
12800 early_gdt_descr.address =
12801 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12802 + pax_close_kernel();
12803 +
12804 initial_gs = per_cpu_offset(smp_processor_id());
12805 #endif
12806 initial_code = (unsigned long)wakeup_long64;
12807 diff -urNp linux-2.6.39.2/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.2/arch/x86/kernel/acpi/wakeup_32.S
12808 --- linux-2.6.39.2/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400
12809 +++ linux-2.6.39.2/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400
12810 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12811 # and restore the stack ... but you need gdt for this to work
12812 movl saved_context_esp, %esp
12813
12814 - movl %cs:saved_magic, %eax
12815 - cmpl $0x12345678, %eax
12816 + cmpl $0x12345678, saved_magic
12817 jne bogus_magic
12818
12819 # jump to place where we left off
12820 - movl saved_eip, %eax
12821 - jmp *%eax
12822 + jmp *(saved_eip)
12823
12824 bogus_magic:
12825 jmp bogus_magic
12826 diff -urNp linux-2.6.39.2/arch/x86/kernel/alternative.c linux-2.6.39.2/arch/x86/kernel/alternative.c
12827 --- linux-2.6.39.2/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400
12828 +++ linux-2.6.39.2/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400
12829 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
12830 if (!*poff || ptr < text || ptr >= text_end)
12831 continue;
12832 /* turn DS segment override prefix into lock prefix */
12833 - if (*ptr == 0x3e)
12834 + if (*ktla_ktva(ptr) == 0x3e)
12835 text_poke(ptr, ((unsigned char []){0xf0}), 1);
12836 };
12837 mutex_unlock(&text_mutex);
12838 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
12839 if (!*poff || ptr < text || ptr >= text_end)
12840 continue;
12841 /* turn lock prefix into DS segment override prefix */
12842 - if (*ptr == 0xf0)
12843 + if (*ktla_ktva(ptr) == 0xf0)
12844 text_poke(ptr, ((unsigned char []){0x3E}), 1);
12845 };
12846 mutex_unlock(&text_mutex);
12847 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
12848
12849 BUG_ON(p->len > MAX_PATCH_LEN);
12850 /* prep the buffer with the original instructions */
12851 - memcpy(insnbuf, p->instr, p->len);
12852 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12853 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12854 (unsigned long)p->instr, p->len);
12855
12856 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
12857 if (smp_alt_once)
12858 free_init_pages("SMP alternatives",
12859 (unsigned long)__smp_locks,
12860 - (unsigned long)__smp_locks_end);
12861 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12862
12863 restart_nmi();
12864 }
12865 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
12866 * instructions. And on the local CPU you need to be protected again NMI or MCE
12867 * handlers seeing an inconsistent instruction while you patch.
12868 */
12869 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
12870 +void *__kprobes text_poke_early(void *addr, const void *opcode,
12871 size_t len)
12872 {
12873 unsigned long flags;
12874 local_irq_save(flags);
12875 - memcpy(addr, opcode, len);
12876 +
12877 + pax_open_kernel();
12878 + memcpy(ktla_ktva(addr), opcode, len);
12879 sync_core();
12880 + pax_close_kernel();
12881 +
12882 local_irq_restore(flags);
12883 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12884 that causes hangs on some VIA CPUs. */
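Review bot: Moving `text_poke_early()` from `__init_or_module` to `__kprobes` keeps it resident after boot (the next hunk calls it from `text_poke()`), but the name and the comment above it still describe an early-boot helper. Only the tail of that comment is visible in this hunk; it should be updated to say that this is now the runtime write path as well. It should also state that the store happens with interrupts disabled, inside the `pax_open_kernel()`/`pax_close_kernel()` window. That window currently covers only the `memcpy()` and `sync_core()`, and the comment should record that it must stay that small.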
12885 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
12886 */
12887 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12888 {
12889 - unsigned long flags;
12890 - char *vaddr;
12891 + unsigned char *vaddr = ktla_ktva(addr);
12892 struct page *pages[2];
12893 - int i;
12894 + size_t i;
12895
12896 if (!core_kernel_text((unsigned long)addr)) {
12897 - pages[0] = vmalloc_to_page(addr);
12898 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12899 + pages[0] = vmalloc_to_page(vaddr);
12900 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12901 } else {
12902 - pages[0] = virt_to_page(addr);
12903 + pages[0] = virt_to_page(vaddr);
12904 WARN_ON(!PageReserved(pages[0]));
12905 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12906 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12907 }
12908 BUG_ON(!pages[0]);
12909 - local_irq_save(flags);
12910 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12911 - if (pages[1])
12912 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12913 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12914 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12915 - clear_fixmap(FIX_TEXT_POKE0);
12916 - if (pages[1])
12917 - clear_fixmap(FIX_TEXT_POKE1);
12918 - local_flush_tlb();
12919 - sync_core();
12920 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12921 - that causes hangs on some VIA CPUs. */
12922 + text_poke_early(addr, opcode, len);
12923 for (i = 0; i < len; i++)
12924 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12925 - local_irq_restore(flags);
12926 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12927 return addr;
12928 }
12929
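Review bot: With the fixmap path removed, `pages[1]` is still looked up in both branches but never read, and `pages[0]` only feeds the `WARN_ON`/`BUG_ON` checks. The two `pages[1] = ...` assignments and the second array slot can be dropped, leaving a single `struct page *page`. Separately, the byte-compare loop now runs after `text_poke_early()` has already called `local_irq_restore()`, whereas the removed code verified the bytes before re-enabling interrupts. If that ordering is intentional, it should be recorded in the comment above the function, which starts outside this hunk.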
12930 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
12931 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
12932
12933 #ifdef CONFIG_X86_64
12934 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12935 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12936 #else
12937 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12938 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12939 #endif
12940
12941 void __init arch_init_ideal_nop5(void)
12942 diff -urNp linux-2.6.39.2/arch/x86/kernel/amd_iommu.c linux-2.6.39.2/arch/x86/kernel/amd_iommu.c
12943 --- linux-2.6.39.2/arch/x86/kernel/amd_iommu.c 2011-06-25 12:55:22.000000000 -0400
12944 +++ linux-2.6.39.2/arch/x86/kernel/amd_iommu.c 2011-06-25 13:00:25.000000000 -0400
12945 @@ -49,7 +49,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc
12946 */
12947 static struct protection_domain *pt_domain;
12948
12949 -static struct iommu_ops amd_iommu_ops;
12950 +static const struct iommu_ops amd_iommu_ops;
12951
12952 /*
12953 * general struct to manage commands send to an IOMMU
12954 @@ -2307,7 +2307,7 @@ static void prealloc_protection_domains(
12955 }
12956 }
12957
12958 -static struct dma_map_ops amd_iommu_dma_ops = {
12959 +static const struct dma_map_ops amd_iommu_dma_ops = {
12960 .alloc_coherent = alloc_coherent,
12961 .free_coherent = free_coherent,
12962 .map_page = map_page,
12963 @@ -2624,7 +2624,7 @@ static int amd_iommu_domain_has_cap(stru
12964 return 0;
12965 }
12966
12967 -static struct iommu_ops amd_iommu_ops = {
12968 +static const struct iommu_ops amd_iommu_ops = {
12969 .domain_init = amd_iommu_domain_init,
12970 .domain_destroy = amd_iommu_domain_destroy,
12971 .attach_dev = amd_iommu_attach_device,
12972 diff -urNp linux-2.6.39.2/arch/x86/kernel/apic/apic.c linux-2.6.39.2/arch/x86/kernel/apic/apic.c
12973 --- linux-2.6.39.2/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400
12974 +++ linux-2.6.39.2/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400
12975 @@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs
12976 apic_write(APIC_ESR, 0);
12977 v1 = apic_read(APIC_ESR);
12978 ack_APIC_irq();
12979 - atomic_inc(&irq_err_count);
12980 + atomic_inc_unchecked(&irq_err_count);
12981
12982 /*
12983 * Here is what the APIC error bits mean:
12984 @@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo
12985 u16 *bios_cpu_apicid;
12986 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12987
12988 + pax_track_stack();
12989 +
12990 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12991 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12992
12993 diff -urNp linux-2.6.39.2/arch/x86/kernel/apic/io_apic.c linux-2.6.39.2/arch/x86/kernel/apic/io_apic.c
12994 --- linux-2.6.39.2/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400
12995 +++ linux-2.6.39.2/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400
12996 @@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12997 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12998 GFP_ATOMIC);
12999 if (!ioapic_entries)
13000 - return 0;
13001 + return NULL;
13002
13003 for (apic = 0; apic < nr_ioapics; apic++) {
13004 ioapic_entries[apic] =
13005 @@ -640,7 +640,7 @@ nomem:
13006 kfree(ioapic_entries[apic]);
13007 kfree(ioapic_entries);
13008
13009 - return 0;
13010 + return NULL;
13011 }
13012
13013 /*
13014 @@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
13015 }
13016 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
13017
13018 -void lock_vector_lock(void)
13019 +void lock_vector_lock(void) __acquires(vector_lock)
13020 {
13021 /* Used to the online set of cpus does not change
13022 * during assign_irq_vector.
13023 @@ -1048,7 +1048,7 @@ void lock_vector_lock(void)
13024 raw_spin_lock(&vector_lock);
13025 }
13026
13027 -void unlock_vector_lock(void)
13028 +void unlock_vector_lock(void) __releases(vector_lock)
13029 {
13030 raw_spin_unlock(&vector_lock);
13031 }
13032 @@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat
13033 ack_APIC_irq();
13034 }
13035
13036 -atomic_t irq_mis_count;
13037 +atomic_unchecked_t irq_mis_count;
13038
13039 /*
13040 * IO-APIC versions below 0x20 don't support EOI register.
13041 @@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da
13042 * at the cpu.
13043 */
13044 if (!(v & (1 << (i & 0x1f)))) {
13045 - atomic_inc(&irq_mis_count);
13046 + atomic_inc_unchecked(&irq_mis_count);
13047
13048 eoi_ioapic_irq(irq, cfg);
13049 }
13050 diff -urNp linux-2.6.39.2/arch/x86/kernel/apm_32.c linux-2.6.39.2/arch/x86/kernel/apm_32.c
13051 --- linux-2.6.39.2/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400
13052 +++ linux-2.6.39.2/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400
13053 @@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex);
13054 * This is for buggy BIOS's that refer to (real mode) segment 0x40
13055 * even though they are called in protected mode.
13056 */
13057 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
13058 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
13059 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
13060
13061 static const char driver_version[] = "1.16ac"; /* no spaces */
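Review bot: The descriptor flags change from `0x4092` to `0x4093` in the same line that adds `const`, and no comment explains the extra bit. Bit 0 of the type field is the accessed flag; presumably it is pre-set so the CPU never has to write it back into a descriptor table that is kept read-only, but that reasoning should be written down. I would add `/* accessed bit pre-set so loading the segment does not write to the GDT */` next to the initializer. The opening of the existing comment above the definition is outside this hunk.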
13062 @@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call)
13063 BUG_ON(cpu != 0);
13064 gdt = get_cpu_gdt_table(cpu);
13065 save_desc_40 = gdt[0x40 / 8];
13066 +
13067 + pax_open_kernel();
13068 gdt[0x40 / 8] = bad_bios_desc;
13069 + pax_close_kernel();
13070
13071 apm_irq_save(flags);
13072 APM_DO_SAVE_SEGS;
13073 @@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call)
13074 &call->esi);
13075 APM_DO_RESTORE_SEGS;
13076 apm_irq_restore(flags);
13077 +
13078 + pax_open_kernel();
13079 gdt[0x40 / 8] = save_desc_40;
13080 + pax_close_kernel();
13081 +
13082 put_cpu();
13083
13084 return call->eax & 0xff;
13085 @@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void
13086 BUG_ON(cpu != 0);
13087 gdt = get_cpu_gdt_table(cpu);
13088 save_desc_40 = gdt[0x40 / 8];
13089 +
13090 + pax_open_kernel();
13091 gdt[0x40 / 8] = bad_bios_desc;
13092 + pax_close_kernel();
13093
13094 apm_irq_save(flags);
13095 APM_DO_SAVE_SEGS;
13096 @@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void
13097 &call->eax);
13098 APM_DO_RESTORE_SEGS;
13099 apm_irq_restore(flags);
13100 +
13101 + pax_open_kernel();
13102 gdt[0x40 / 8] = save_desc_40;
13103 + pax_close_kernel();
13104 +
13105 put_cpu();
13106 return error;
13107 }
13108 @@ -2351,12 +2365,15 @@ static int __init apm_init(void)
13109 * code to that CPU.
13110 */
13111 gdt = get_cpu_gdt_table(0);
13112 +
13113 + pax_open_kernel();
13114 set_desc_base(&gdt[APM_CS >> 3],
13115 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
13116 set_desc_base(&gdt[APM_CS_16 >> 3],
13117 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
13118 set_desc_base(&gdt[APM_DS >> 3],
13119 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
13120 + pax_close_kernel();
13121
13122 proc_create("apm", 0, NULL, &apm_file_ops);
13123
13124 diff -urNp linux-2.6.39.2/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.2/arch/x86/kernel/asm-offsets_64.c
13125 --- linux-2.6.39.2/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400
13126 +++ linux-2.6.39.2/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400
13127 @@ -69,6 +69,7 @@ int main(void)
13128 BLANK();
13129 #undef ENTRY
13130
13131 + DEFINE(TSS_size, sizeof(struct tss_struct));
13132 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
13133 BLANK();
13134
13135 diff -urNp linux-2.6.39.2/arch/x86/kernel/asm-offsets.c linux-2.6.39.2/arch/x86/kernel/asm-offsets.c
13136 --- linux-2.6.39.2/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400
13137 +++ linux-2.6.39.2/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400
13138 @@ -33,6 +33,8 @@ void common(void) {
13139 OFFSET(TI_status, thread_info, status);
13140 OFFSET(TI_addr_limit, thread_info, addr_limit);
13141 OFFSET(TI_preempt_count, thread_info, preempt_count);
13142 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
13143 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13144
13145 BLANK();
13146 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
13147 @@ -53,8 +55,26 @@ void common(void) {
13148 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13149 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13150 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
13151 +
13152 +#ifdef CONFIG_PAX_KERNEXEC
13153 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13154 +#endif
13155 +
13156 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13157 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
13158 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
13159 +#ifdef CONFIG_X86_64
13160 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
13161 +#endif
13162 #endif
13163
13164 +#endif
13165 +
13166 + BLANK();
13167 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13168 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
13169 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13170 +
13171 #ifdef CONFIG_XEN
13172 BLANK();
13173 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
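Review bot: The added blocks nest conditionals and close them with bare `#endif` lines, so the pairing cannot be checked from the hunk alone. The pre-existing context `#endif` now closes `CONFIG_PAX_MEMORY_UDEREF`, while the new `+#endif` after it closes a block that was opened outside this hunk. I would label them: `#endif /* CONFIG_X86_64 */`, `#endif /* CONFIG_PAX_MEMORY_UDEREF */`, and a trailing comment naming the outer condition on the last one. `common()` starts and ends outside the hunk.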
13174 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/amd.c linux-2.6.39.2/arch/x86/kernel/cpu/amd.c
13175 --- linux-2.6.39.2/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400
13176 +++ linux-2.6.39.2/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400
13177 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
13178 unsigned int size)
13179 {
13180 /* AMD errata T13 (order #21922) */
13181 - if ((c->x86 == 6)) {
13182 + if (c->x86 == 6) {
13183 /* Duron Rev A0 */
13184 if (c->x86_model == 3 && c->x86_mask == 0)
13185 size = 64;
13186 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/common.c linux-2.6.39.2/arch/x86/kernel/cpu/common.c
13187 --- linux-2.6.39.2/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400
13188 +++ linux-2.6.39.2/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400
13189 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
13190
13191 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
13192
13193 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
13194 -#ifdef CONFIG_X86_64
13195 - /*
13196 - * We need valid kernel segments for data and code in long mode too
13197 - * IRET will check the segment types kkeil 2000/10/28
13198 - * Also sysret mandates a special GDT layout
13199 - *
13200 - * TLS descriptors are currently at a different place compared to i386.
13201 - * Hopefully nobody expects them at a fixed place (Wine?)
13202 - */
13203 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
13204 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
13205 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
13206 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
13207 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
13208 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
13209 -#else
13210 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
13211 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13212 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
13213 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
13214 - /*
13215 - * Segments used for calling PnP BIOS have byte granularity.
13216 - * They code segments and data segments have fixed 64k limits,
13217 - * the transfer segment sizes are set at run time.
13218 - */
13219 - /* 32-bit code */
13220 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13221 - /* 16-bit code */
13222 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13223 - /* 16-bit data */
13224 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
13225 - /* 16-bit data */
13226 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
13227 - /* 16-bit data */
13228 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
13229 - /*
13230 - * The APM segments have byte granularity and their bases
13231 - * are set at run time. All have 64k limits.
13232 - */
13233 - /* 32-bit code */
13234 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13235 - /* 16-bit code */
13236 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13237 - /* data */
13238 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13239 -
13240 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13241 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13242 - GDT_STACK_CANARY_INIT
13243 -#endif
13244 -} };
13245 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13246 -
13247 static int __init x86_xsave_setup(char *s)
13248 {
13249 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
13250 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
13251 {
13252 struct desc_ptr gdt_descr;
13253
13254 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13255 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13256 gdt_descr.size = GDT_SIZE - 1;
13257 load_gdt(&gdt_descr);
13258 /* Reload the per-cpu base */
13259 @@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc
13260 /* Filter out anything that depends on CPUID levels we don't have */
13261 filter_cpuid_features(c, true);
13262
13263 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13264 + setup_clear_cpu_cap(X86_FEATURE_SEP);
13265 +#endif
13266 +
13267 /* If the model name is still unset, do table lookup. */
13268 if (!c->x86_model_id[0]) {
13269 const char *p;
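Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP)` hides the SEP capability under three PaX configurations without a word on why, and the `#if` condition is long enough that a later edit could easily change its meaning. A short comment above the block would fix that, e.g. `/* SYSENTER cannot be used with the segment setup of SEGMEXEC, KERNEXEC or 32-bit UDEREF */`. That reason is my inference and should be confirmed against the rest of the patch. The body of `identify_cpu()` extends beyond this hunk on both sides.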
13270 @@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha
13271 }
13272 __setup("clearcpuid=", setup_disablecpuid);
13273
13274 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13275 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
13276 +
13277 #ifdef CONFIG_X86_64
13278 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13279
13280 @@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13281 EXPORT_PER_CPU_SYMBOL(current_task);
13282
13283 DEFINE_PER_CPU(unsigned long, kernel_stack) =
13284 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13285 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13286 EXPORT_PER_CPU_SYMBOL(kernel_stack);
13287
13288 DEFINE_PER_CPU(char *, irq_stack_ptr) =
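Review bot: Replacing `KERNEL_STACK_OFFSET` with the literal `16` leaves an unexplained magic number in the initial `kernel_stack` value. If the macro is still defined or used elsewhere after this patch (not visible here), the two can drift apart without any build error. I would keep a named constant and change its definition instead. If the macro is removed, the line should carry a comment such as `/* 16: space reserved at the top of the stack, keep in sync with the entry code */`, with the exact meaning confirmed against the rest of the patch.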
13289 @@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str
13290 {
13291 memset(regs, 0, sizeof(struct pt_regs));
13292 regs->fs = __KERNEL_PERCPU;
13293 - regs->gs = __KERNEL_STACK_CANARY;
13294 + savesegment(gs, regs->gs);
13295
13296 return regs;
13297 }
13298 @@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void)
13299 int i;
13300
13301 cpu = stack_smp_processor_id();
13302 - t = &per_cpu(init_tss, cpu);
13303 + t = init_tss + cpu;
13304 oist = &per_cpu(orig_ist, cpu);
13305
13306 #ifdef CONFIG_NUMA
13307 @@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void)
13308 switch_to_new_gdt(cpu);
13309 loadsegment(fs, 0);
13310
13311 - load_idt((const struct desc_ptr *)&idt_descr);
13312 + load_idt(&idt_descr);
13313
13314 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13315 syscall_init();
13316 @@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void)
13317 wrmsrl(MSR_KERNEL_GS_BASE, 0);
13318 barrier();
13319
13320 - x86_configure_nx();
13321 if (cpu != 0)
13322 enable_x2apic();
13323
13324 @@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void)
13325 {
13326 int cpu = smp_processor_id();
13327 struct task_struct *curr = current;
13328 - struct tss_struct *t = &per_cpu(init_tss, cpu);
13329 + struct tss_struct *t = init_tss + cpu;
13330 struct thread_struct *thread = &curr->thread;
13331
13332 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13333 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/intel.c linux-2.6.39.2/arch/x86/kernel/cpu/intel.c
13334 --- linux-2.6.39.2/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400
13335 +++ linux-2.6.39.2/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400
13336 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
13337 * Update the IDT descriptor and reload the IDT so that
13338 * it uses the read-only mapped virtual address.
13339 */
13340 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13341 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13342 load_idt(&idt_descr);
13343 }
13344 #endif
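Review bot: This hunk casts the value stored in `idt_descr.address` to `struct desc_struct *`, while arch/x86/kernel/cpu/common.c in the same patch assigns `(unsigned long)get_cpu_gdt_table(cpu)` to `gdt_descr.address` and initialises `idt_descr` with `(unsigned long) idt_table`. If all of these are `struct desc_ptr` with a single field type (the definition is not visible here), one of the two forms is an implicit pointer/integer conversion and will at least produce a warning. Use the cast that matches the field type after this patch; if the field remains an integer, the original `idt_descr.address = fix_to_virt(FIX_F00F_IDT);` needs no cast at all.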
13345 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/Makefile linux-2.6.39.2/arch/x86/kernel/cpu/Makefile
13346 --- linux-2.6.39.2/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400
13347 +++ linux-2.6.39.2/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400
13348 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
13349 CFLAGS_REMOVE_perf_event.o = -pg
13350 endif
13351
13352 -# Make sure load_percpu_segment has no stackprotector
13353 -nostackp := $(call cc-option, -fno-stack-protector)
13354 -CFLAGS_common.o := $(nostackp)
13355 -
13356 obj-y := intel_cacheinfo.o scattered.o topology.o
13357 obj-y += proc.o capflags.o powerflags.o common.o
13358 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
13359 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.2/arch/x86/kernel/cpu/mcheck/mce.c
13360 --- linux-2.6.39.2/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400
13361 +++ linux-2.6.39.2/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400
13362 @@ -46,6 +46,7 @@
13363 #include <asm/ipi.h>
13364 #include <asm/mce.h>
13365 #include <asm/msr.h>
13366 +#include <asm/local.h>
13367
13368 #include "mce-internal.h"
13369
13370 @@ -220,7 +221,7 @@ static void print_mce(struct mce *m)
13371 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13372 m->cs, m->ip);
13373
13374 - if (m->cs == __KERNEL_CS)
13375 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13376 print_symbol("{%s}", m->ip);
13377 pr_cont("\n");
13378 }
13379 @@ -244,10 +245,10 @@ static void print_mce(struct mce *m)
13380
13381 #define PANIC_TIMEOUT 5 /* 5 seconds */
13382
13383 -static atomic_t mce_paniced;
13384 +static atomic_unchecked_t mce_paniced;
13385
13386 static int fake_panic;
13387 -static atomic_t mce_fake_paniced;
13388 +static atomic_unchecked_t mce_fake_paniced;
13389
13390 /* Panic in progress. Enable interrupts and wait for final IPI */
13391 static void wait_for_panic(void)
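Review bot: `mce_paniced` and `mce_fake_paniced` become `atomic_unchecked_t` with no comment saying why overflow checking is unwanted for them. Their uses in `mce_panic`, `mce_timed_out` and `mce_reset` (the following hunks) suggest first-CPU-wins latches rather than reference counts, which is presumably the reason. Since each `_unchecked` conversion opts a counter out of a hardening check, record that at the declarations, e.g. `/* panic latch, not a reference count */`.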
13392 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
13393 /*
13394 * Make sure only one CPU runs in machine check panic
13395 */
13396 - if (atomic_inc_return(&mce_paniced) > 1)
13397 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13398 wait_for_panic();
13399 barrier();
13400
13401 @@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct
13402 console_verbose();
13403 } else {
13404 /* Don't log too much for fake panic */
13405 - if (atomic_inc_return(&mce_fake_paniced) > 1)
13406 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13407 return;
13408 }
13409 /* First print corrected ones that are still unlogged */
13410 @@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t)
13411 * might have been modified by someone else.
13412 */
13413 rmb();
13414 - if (atomic_read(&mce_paniced))
13415 + if (atomic_read_unchecked(&mce_paniced))
13416 wait_for_panic();
13417 if (!monarch_timeout)
13418 goto out;
13419 @@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp
13420 */
13421
13422 static DEFINE_SPINLOCK(mce_state_lock);
13423 -static int open_count; /* #times opened */
13424 +static local_t open_count; /* #times opened */
13425 static int open_exclu; /* already open exclusive? */
13426
13427 static int mce_open(struct inode *inode, struct file *file)
13428 {
13429 spin_lock(&mce_state_lock);
13430
13431 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13432 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13433 spin_unlock(&mce_state_lock);
13434
13435 return -EBUSY;
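Review bot: `open_count` becomes a `local_t`, a type whose operations are atomic only with respect to the current CPU, yet it is a single global counter that `mce_open` and `mce_release` can touch from any CPU. Correctness therefore still rests entirely on `mce_state_lock`, which is held around the accesses in this hunk and the next two; the type change alone does not make the counter safe. A comment at the declaration, e.g. `/* protected by mce_state_lock; local_t presumably chosen for its overflow checking */`, would keep a reader from assuming lock-free use is fine. `mce_open` continues outside this hunk.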
13436 @@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode,
13437
13438 if (file->f_flags & O_EXCL)
13439 open_exclu = 1;
13440 - open_count++;
13441 + local_inc(&open_count);
13442
13443 spin_unlock(&mce_state_lock);
13444
13445 @@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino
13446 {
13447 spin_lock(&mce_state_lock);
13448
13449 - open_count--;
13450 + local_dec(&open_count);
13451 open_exclu = 0;
13452
13453 spin_unlock(&mce_state_lock);
13454 @@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void)
13455 static void mce_reset(void)
13456 {
13457 cpu_missing = 0;
13458 - atomic_set(&mce_fake_paniced, 0);
13459 + atomic_set_unchecked(&mce_fake_paniced, 0);
13460 atomic_set(&mce_executing, 0);
13461 atomic_set(&mce_callin, 0);
13462 atomic_set(&global_nwo, 0);
13463 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/main.c
13464 --- linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400
13465 +++ linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400
13466 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
13467 u64 size_or_mask, size_and_mask;
13468 static bool mtrr_aps_delayed_init;
13469
13470 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13471 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13472
13473 const struct mtrr_ops *mtrr_if;
13474
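Review bot: Marking `mtrr_ops[]` as `__read_only` is only correct if every store into the array happens before the section is write-protected, or inside whatever window the patch provides for writing protected data. The code that fills the array is not part of this hunk, so that cannot be confirmed here; a registration that runs after protection is enabled would fault. A comment at the declaration naming the writer and when it runs would make the invariant reviewable.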
13475 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/mtrr.h
13476 --- linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400
13477 +++ linux-2.6.39.2/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400
13478 @@ -12,19 +12,19 @@
13479 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
13480
13481 struct mtrr_ops {
13482 - u32 vendor;
13483 - u32 use_intel_if;
13484 - void (*set)(unsigned int reg, unsigned long base,
13485 + const u32 vendor;
13486 + const u32 use_intel_if;
13487 + void (* const set)(unsigned int reg, unsigned long base,
13488 unsigned long size, mtrr_type type);
13489 - void (*set_all)(void);
13490 + void (* const set_all)(void);
13491
13492 - void (*get)(unsigned int reg, unsigned long *base,
13493 + void (* const get)(unsigned int reg, unsigned long *base,
13494 unsigned long *size, mtrr_type *type);
13495 - int (*get_free_region)(unsigned long base, unsigned long size,
13496 + int (* const get_free_region)(unsigned long base, unsigned long size,
13497 int replace_reg);
13498 - int (*validate_add_page)(unsigned long base, unsigned long size,
13499 + int (* const validate_add_page)(unsigned long base, unsigned long size,
13500 unsigned int type);
13501 - int (*have_wrcomb)(void);
13502 + int (* const have_wrcomb)(void);
13503 };
13504
13505 extern int generic_get_free_region(unsigned long base, unsigned long size,
13506 diff -urNp linux-2.6.39.2/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.2/arch/x86/kernel/cpu/perf_event.c
13507 --- linux-2.6.39.2/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400
13508 +++ linux-2.6.39.2/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400
13509 @@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp
13510 int i, j, w, wmax, num = 0;
13511 struct hw_perf_event *hwc;
13512
13513 + pax_track_stack();
13514 +
13515 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
13516
13517 for (i = 0; i < n; i++) {
13518 @@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai
13519 break;
13520
13521 perf_callchain_store(entry, frame.return_address);
13522 - fp = frame.next_frame;
13523 + fp = (__force const void __user *)frame.next_frame;
13524 }
13525 }
13526
13527 diff -urNp linux-2.6.39.2/arch/x86/kernel/crash.c linux-2.6.39.2/arch/x86/kernel/crash.c
13528 --- linux-2.6.39.2/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400
13529 +++ linux-2.6.39.2/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400
13530 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
13531 regs = args->regs;
13532
13533 #ifdef CONFIG_X86_32
13534 - if (!user_mode_vm(regs)) {
13535 + if (!user_mode(regs)) {
13536 crash_fixup_ss_esp(&fixed_regs, regs);
13537 regs = &fixed_regs;
13538 }
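Review bot: `user_mode(regs)` replaces `user_mode_vm(regs)` here, and in mainline x86-32 only the `_vm` variant also treats a vm86 frame (X86_EFLAGS_VM set) as user mode. Unless `user_mode()` is redefined elsewhere in this patch to include that check, a vm86 register frame would take the kernel-mode branch and be handed to `crash_fixup_ss_esp()`. The same substitution appears in `show_registers`, `__die` and `die`; a short comment at one of them pointing to the redefinition would make the equivalence checkable. `kdump_nmi_callback` starts and ends outside this hunk.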
13539 diff -urNp linux-2.6.39.2/arch/x86/kernel/doublefault_32.c linux-2.6.39.2/arch/x86/kernel/doublefault_32.c
13540 --- linux-2.6.39.2/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400
13541 +++ linux-2.6.39.2/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400
13542 @@ -11,7 +11,7 @@
13543
13544 #define DOUBLEFAULT_STACKSIZE (1024)
13545 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13546 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13547 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13548
13549 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13550
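Review bot: The `-2` added to `STACK_START` is an unexplained magic number: the initial stack pointer of the double-fault task now sits two `unsigned long` slots below the end of `doublefault_stack`, and nothing in the hunk says what those slots are reserved for. A comment on the define, e.g. `/* top two words stay unused: REASON */` with the actual reason filled in, or a named constant, would keep a later cleanup from reverting it.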
13551 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13552 unsigned long gdt, tss;
13553
13554 store_gdt(&gdt_desc);
13555 - gdt = gdt_desc.address;
13556 + gdt = (unsigned long)gdt_desc.address;
13557
13558 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13559
13560 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13561 /* 0x2 bit is always set */
13562 .flags = X86_EFLAGS_SF | 0x2,
13563 .sp = STACK_START,
13564 - .es = __USER_DS,
13565 + .es = __KERNEL_DS,
13566 .cs = __KERNEL_CS,
13567 .ss = __KERNEL_DS,
13568 - .ds = __USER_DS,
13569 + .ds = __KERNEL_DS,
13570 .fs = __KERNEL_PERCPU,
13571
13572 .__cr3 = __pa_nodebug(swapper_pg_dir),
13573 diff -urNp linux-2.6.39.2/arch/x86/kernel/dumpstack_32.c linux-2.6.39.2/arch/x86/kernel/dumpstack_32.c
13574 --- linux-2.6.39.2/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400
13575 +++ linux-2.6.39.2/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400
13576 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
13577 bp = stack_frame(task, regs);
13578
13579 for (;;) {
13580 - struct thread_info *context;
13581 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13582
13583 - context = (struct thread_info *)
13584 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13585 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
13586 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13587
13588 - stack = (unsigned long *)context->previous_esp;
13589 - if (!stack)
13590 + if (stack_start == task_stack_page(task))
13591 break;
13592 + stack = *(unsigned long **)stack_start;
13593 if (ops->stack(data, "IRQ") < 0)
13594 break;
13595 touch_nmi_watchdog();
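Review bot: The loop in `dump_trace` no longer checks the linked stack pointer before using it: the old code stopped on `if (!stack)`, while the new code loads `stack = *(unsigned long **)stack_start;` and keeps going until `stack_start` equals `task_stack_page(task)`. If the first word of a non-task stack is zero or stale, a later iteration masks and dereferences that value inside the oops path, where a second fault is costly. Keeping the guard right after the load, `if (!stack) break;`, preserves the old termination condition. The hunk also relies on every IRQ stack storing the previous stack pointer in its first word, which deserves a comment; the function begins and ends outside this hunk.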
13596 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
13597 * When in-kernel, we also print out the stack and code at the
13598 * time of the fault..
13599 */
13600 - if (!user_mode_vm(regs)) {
13601 + if (!user_mode(regs)) {
13602 unsigned int code_prologue = code_bytes * 43 / 64;
13603 unsigned int code_len = code_bytes;
13604 unsigned char c;
13605 u8 *ip;
13606 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13607
13608 printk(KERN_EMERG "Stack:\n");
13609 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
13610
13611 printk(KERN_EMERG "Code: ");
13612
13613 - ip = (u8 *)regs->ip - code_prologue;
13614 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13615 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13616 /* try starting at IP */
13617 - ip = (u8 *)regs->ip;
13618 + ip = (u8 *)regs->ip + cs_base;
13619 code_len = code_len - code_prologue + 1;
13620 }
13621 for (i = 0; i < code_len; i++, ip++) {
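Review bot: `cs_base` is fetched with `(0xffff & regs->cs) >> 3` used directly as an index into the current CPU's GDT, without checking the selector's table-indicator bit or the index against the table size. In kernel mode `regs->cs` should always be a GDT selector, so this is presumably fine, but the oops path is where saved register state is least trustworthy; a range check that falls back to a base of 0 would be cheap. The expression `(u8 *)regs->ip + cs_base` is also written three times across this hunk and the next and could be computed once into a local. `show_registers` begins and ends outside the hunk.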
13622 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
13623 printk(" Bad EIP value.");
13624 break;
13625 }
13626 - if (ip == (u8 *)regs->ip)
13627 + if (ip == (u8 *)regs->ip + cs_base)
13628 printk("<%02x> ", c);
13629 else
13630 printk("%02x ", c);
13631 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
13632 {
13633 unsigned short ud2;
13634
13635 + ip = ktla_ktva(ip);
13636 if (ip < PAGE_OFFSET)
13637 return 0;
13638 if (probe_kernel_address((unsigned short *)ip, ud2))
13639 diff -urNp linux-2.6.39.2/arch/x86/kernel/dumpstack_64.c linux-2.6.39.2/arch/x86/kernel/dumpstack_64.c
13640 --- linux-2.6.39.2/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400
13641 +++ linux-2.6.39.2/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400
13642 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
13643 unsigned long *irq_stack_end =
13644 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13645 unsigned used = 0;
13646 - struct thread_info *tinfo;
13647 int graph = 0;
13648 unsigned long dummy;
13649 + void *stack_start;
13650
13651 if (!task)
13652 task = current;
13653 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
13654 * current stack address. If the stacks consist of nested
13655 * exceptions
13656 */
13657 - tinfo = task_thread_info(task);
13658 for (;;) {
13659 char *id;
13660 unsigned long *estack_end;
13661 +
13662 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13663 &used, &id);
13664
13665 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
13666 if (ops->stack(data, id) < 0)
13667 break;
13668
13669 - bp = ops->walk_stack(tinfo, stack, bp, ops,
13670 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13671 data, estack_end, &graph);
13672 ops->stack(data, "<EOE>");
13673 /*
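Review bot: `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on an `unsigned long *` (see the declaration in the preceding hunk's context), so it steps back `EXCEPTION_STKSZ` elements rather than bytes and the `stack_start` argument lands well below the exception stack. It appears harmless today because `valid_stack_ptr()` tests only `end` when that argument is non-NULL, but any later consumer of `stack_start` would get a wrong bound. Casting first, `(void *)estack_end - EXCEPTION_STKSZ`, yields the byte offset that was presumably intended. `dump_trace` starts and ends outside this hunk.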
13674 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
13675 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
13676 if (ops->stack(data, "IRQ") < 0)
13677 break;
13678 - bp = ops->walk_stack(tinfo, stack, bp,
13679 + bp = ops->walk_stack(task, irq_stack, stack, bp,
13680 ops, data, irq_stack_end, &graph);
13681 /*
13682 * We link to the next stack (which would be
13683 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
13684 /*
13685 * This handles the process stack:
13686 */
13687 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13688 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13689 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13690 put_cpu();
13691 }
13692 EXPORT_SYMBOL(dump_trace);
13693 diff -urNp linux-2.6.39.2/arch/x86/kernel/dumpstack.c linux-2.6.39.2/arch/x86/kernel/dumpstack.c
13694 --- linux-2.6.39.2/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400
13695 +++ linux-2.6.39.2/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400
13696 @@ -2,6 +2,9 @@
13697 * Copyright (C) 1991, 1992 Linus Torvalds
13698 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13699 */
13700 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13701 +#define __INCLUDED_BY_HIDESYM 1
13702 +#endif
13703 #include <linux/kallsyms.h>
13704 #include <linux/kprobes.h>
13705 #include <linux/uaccess.h>
13706 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
13707 static void
13708 print_ftrace_graph_addr(unsigned long addr, void *data,
13709 const struct stacktrace_ops *ops,
13710 - struct thread_info *tinfo, int *graph)
13711 + struct task_struct *task, int *graph)
13712 {
13713 - struct task_struct *task = tinfo->task;
13714 unsigned long ret_addr;
13715 int index = task->curr_ret_stack;
13716
13717 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
13718 static inline void
13719 print_ftrace_graph_addr(unsigned long addr, void *data,
13720 const struct stacktrace_ops *ops,
13721 - struct thread_info *tinfo, int *graph)
13722 + struct task_struct *task, int *graph)
13723 { }
13724 #endif
13725
13726 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
13727 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13728 */
13729
13730 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13731 - void *p, unsigned int size, void *end)
13732 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13733 {
13734 - void *t = tinfo;
13735 if (end) {
13736 if (p < end && p >= (end-THREAD_SIZE))
13737 return 1;
13738 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
13739 }
13740
13741 unsigned long
13742 -print_context_stack(struct thread_info *tinfo,
13743 +print_context_stack(struct task_struct *task, void *stack_start,
13744 unsigned long *stack, unsigned long bp,
13745 const struct stacktrace_ops *ops, void *data,
13746 unsigned long *end, int *graph)
13747 {
13748 struct stack_frame *frame = (struct stack_frame *)bp;
13749
13750 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13751 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13752 unsigned long addr;
13753
13754 addr = *stack;
13755 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
13756 } else {
13757 ops->address(data, addr, 0);
13758 }
13759 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13760 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13761 }
13762 stack++;
13763 }
13764 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
13765 EXPORT_SYMBOL_GPL(print_context_stack);
13766
13767 unsigned long
13768 -print_context_stack_bp(struct thread_info *tinfo,
13769 +print_context_stack_bp(struct task_struct *task, void *stack_start,
13770 unsigned long *stack, unsigned long bp,
13771 const struct stacktrace_ops *ops, void *data,
13772 unsigned long *end, int *graph)
13773 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
13774 struct stack_frame *frame = (struct stack_frame *)bp;
13775 unsigned long *ret_addr = &frame->return_address;
13776
13777 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
13778 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
13779 unsigned long addr = *ret_addr;
13780
13781 if (!__kernel_text_address(addr))
13782 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
13783 ops->address(data, addr, 1);
13784 frame = frame->next_frame;
13785 ret_addr = &frame->return_address;
13786 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13787 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13788 }
13789
13790 return (unsigned long)frame;
13791 @@ -202,7 +202,7 @@ void dump_stack(void)
13792
13793 bp = stack_frame(current, NULL);
13794 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13795 - current->pid, current->comm, print_tainted(),
13796 + task_pid_nr(current), current->comm, print_tainted(),
13797 init_utsname()->release,
13798 (int)strcspn(init_utsname()->version, " "),
13799 init_utsname()->version);
13800 @@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void)
13801 }
13802 EXPORT_SYMBOL_GPL(oops_begin);
13803
13804 +extern void gr_handle_kernel_exploit(void);
13805 +
13806 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13807 {
13808 if (regs && kexec_should_crash(current))
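Review bot: `gr_handle_kernel_exploit()` is declared with a local `extern` in this .c file rather than through a header, so the compiler cannot check this prototype against the definition if either one changes. Moving the declaration into a header that both the defining file and this file include would close that gap. `oops_end` begins in this hunk and continues outside it.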
13809 @@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl
13810 panic("Fatal exception in interrupt");
13811 if (panic_on_oops)
13812 panic("Fatal exception");
13813 - do_exit(signr);
13814 +
13815 + gr_handle_kernel_exploit();
13816 +
13817 + do_group_exit(signr);
13818 }
13819
13820 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
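Review bot: `do_exit(signr)` becomes `do_group_exit(signr)`, so every oops that does not panic now ends the whole thread group instead of only the faulting task, and `gr_handle_kernel_exploit()` runs before it on all such oopses; the code says nothing about either. A comment above the two calls stating the intended policy would document this departure from mainline behaviour, for example `/* treat a surviving oops as a possible exploit attempt: notify grsecurity, then end all threads of the group */` if that is the intent. `oops_end` starts outside this hunk.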
13821 @@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str
13822
13823 show_registers(regs);
13824 #ifdef CONFIG_X86_32
13825 - if (user_mode_vm(regs)) {
13826 + if (user_mode(regs)) {
13827 sp = regs->sp;
13828 ss = regs->ss & 0xffff;
13829 } else {
13830 @@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs
13831 unsigned long flags = oops_begin();
13832 int sig = SIGSEGV;
13833
13834 - if (!user_mode_vm(regs))
13835 + if (!user_mode(regs))
13836 report_bug(regs->ip, regs);
13837
13838 if (__die(str, regs, err))
13839 diff -urNp linux-2.6.39.2/arch/x86/kernel/early_printk.c linux-2.6.39.2/arch/x86/kernel/early_printk.c
13840 --- linux-2.6.39.2/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400
13841 +++ linux-2.6.39.2/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400
13842 @@ -7,6 +7,7 @@
13843 #include <linux/pci_regs.h>
13844 #include <linux/pci_ids.h>
13845 #include <linux/errno.h>
13846 +#include <linux/sched.h>
13847 #include <asm/io.h>
13848 #include <asm/processor.h>
13849 #include <asm/fcntl.h>
13850 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
13851 int n;
13852 va_list ap;
13853
13854 + pax_track_stack();
13855 +
13856 va_start(ap, fmt);
13857 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13858 early_console->write(early_console, buf, n);
13859 diff -urNp linux-2.6.39.2/arch/x86/kernel/entry_32.S linux-2.6.39.2/arch/x86/kernel/entry_32.S
13860 --- linux-2.6.39.2/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400
13861 +++ linux-2.6.39.2/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400
13862 @@ -185,13 +185,146 @@
13863 /*CFI_REL_OFFSET gs, PT_GS*/
13864 .endm
13865 .macro SET_KERNEL_GS reg
13866 +
13867 +#ifdef CONFIG_CC_STACKPROTECTOR
13868 movl $(__KERNEL_STACK_CANARY), \reg
13869 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13870 + movl $(__USER_DS), \reg
13871 +#else
13872 + xorl \reg, \reg
13873 +#endif
13874 +
13875 movl \reg, %gs
13876 .endm
13877
13878 #endif /* CONFIG_X86_32_LAZY_GS */
13879
13880 -.macro SAVE_ALL
13881 +.macro pax_enter_kernel
13882 +#ifdef CONFIG_PAX_KERNEXEC
13883 + call pax_enter_kernel
13884 +#endif
13885 +.endm
13886 +
13887 +.macro pax_exit_kernel
13888 +#ifdef CONFIG_PAX_KERNEXEC
13889 + call pax_exit_kernel
13890 +#endif
13891 +.endm
13892 +
13893 +#ifdef CONFIG_PAX_KERNEXEC
13894 +ENTRY(pax_enter_kernel)
13895 +#ifdef CONFIG_PARAVIRT
13896 + pushl %eax
13897 + pushl %ecx
13898 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13899 + mov %eax, %esi
13900 +#else
13901 + mov %cr0, %esi
13902 +#endif
13903 + bts $16, %esi
13904 + jnc 1f
13905 + mov %cs, %esi
13906 + cmp $__KERNEL_CS, %esi
13907 + jz 3f
13908 + ljmp $__KERNEL_CS, $3f
13909 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13910 +2:
13911 +#ifdef CONFIG_PARAVIRT
13912 + mov %esi, %eax
13913 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13914 +#else
13915 + mov %esi, %cr0
13916 +#endif
13917 +3:
13918 +#ifdef CONFIG_PARAVIRT
13919 + popl %ecx
13920 + popl %eax
13921 +#endif
13922 + ret
13923 +ENDPROC(pax_enter_kernel)
13924 +
13925 +ENTRY(pax_exit_kernel)
13926 +#ifdef CONFIG_PARAVIRT
13927 + pushl %eax
13928 + pushl %ecx
13929 +#endif
13930 + mov %cs, %esi
13931 + cmp $__KERNEXEC_KERNEL_CS, %esi
13932 + jnz 2f
13933 +#ifdef CONFIG_PARAVIRT
13934 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13935 + mov %eax, %esi
13936 +#else
13937 + mov %cr0, %esi
13938 +#endif
13939 + btr $16, %esi
13940 + ljmp $__KERNEL_CS, $1f
13941 +1:
13942 +#ifdef CONFIG_PARAVIRT
13943 + mov %esi, %eax
13944 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13945 +#else
13946 + mov %esi, %cr0
13947 +#endif
13948 +2:
13949 +#ifdef CONFIG_PARAVIRT
13950 + popl %ecx
13951 + popl %eax
13952 +#endif
13953 + ret
13954 +ENDPROC(pax_exit_kernel)
13955 +#endif
13956 +
13957 +.macro pax_erase_kstack
13958 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13959 + call pax_erase_kstack
13960 +#endif
13961 +.endm
13962 +
13963 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13964 +/*
13965 + * ebp: thread_info
13966 + * ecx, edx: can be clobbered
13967 + */
13968 +ENTRY(pax_erase_kstack)
13969 + pushl %edi
13970 + pushl %eax
13971 +
13972 + mov TI_lowest_stack(%ebp), %edi
13973 + mov $-0xBEEF, %eax
13974 + std
13975 +
13976 +1: mov %edi, %ecx
13977 + and $THREAD_SIZE_asm - 1, %ecx
13978 + shr $2, %ecx
13979 + repne scasl
13980 + jecxz 2f
13981 +
13982 + cmp $2*16, %ecx
13983 + jc 2f
13984 +
13985 + mov $2*16, %ecx
13986 + repe scasl
13987 + jecxz 2f
13988 + jne 1b
13989 +
13990 +2: cld
13991 + mov %esp, %ecx
13992 + sub %edi, %ecx
13993 + shr $2, %ecx
13994 + rep stosl
13995 +
13996 + mov TI_task_thread_sp0(%ebp), %edi
13997 + sub $128, %edi
13998 + mov %edi, TI_lowest_stack(%ebp)
13999 +
14000 + popl %eax
14001 + popl %edi
14002 + ret
14003 +ENDPROC(pax_erase_kstack)
14004 +#endif
14005 +
14006 +.macro __SAVE_ALL _DS
14007 cld
14008 PUSH_GS
14009 pushl_cfi %fs
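Review bot: `pax_enter_kernel` and `pax_exit_kernel` use `%esi` as scratch without saving it, and only `pax_erase_kstack` carries a comment stating its register contract. The call sites visible in this patch run after the register frame is saved or before it is restored, so the clobber looks intentional, but it is an undocumented precondition for any new caller. A header comment in the style of the one on `pax_erase_kstack`, e.g. `/* clobbers %esi; call only while the saved frame holds the live value */`, would fix that. The constants in `pax_erase_kstack` (`$-0xBEEF`, `$2*16`, `$128`) likewise deserve names or a line each for the poison value, the run length scanned for and the offset kept below `sp0`.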
14010 @@ -214,7 +347,7 @@
14011 CFI_REL_OFFSET ecx, 0
14012 pushl_cfi %ebx
14013 CFI_REL_OFFSET ebx, 0
14014 - movl $(__USER_DS), %edx
14015 + movl $\_DS, %edx
14016 movl %edx, %ds
14017 movl %edx, %es
14018 movl $(__KERNEL_PERCPU), %edx
14019 @@ -222,6 +355,15 @@
14020 SET_KERNEL_GS %edx
14021 .endm
14022
14023 +.macro SAVE_ALL
14024 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
14025 + __SAVE_ALL __KERNEL_DS
14026 + pax_enter_kernel
14027 +#else
14028 + __SAVE_ALL __USER_DS
14029 +#endif
14030 +.endm
14031 +
14032 .macro RESTORE_INT_REGS
14033 popl_cfi %ebx
14034 CFI_RESTORE ebx
14035 @@ -332,7 +474,15 @@ check_userspace:
14036 movb PT_CS(%esp), %al
14037 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
14038 cmpl $USER_RPL, %eax
14039 +
14040 +#ifdef CONFIG_PAX_KERNEXEC
14041 + jae resume_userspace
14042 +
14043 + PAX_EXIT_KERNEL
14044 + jmp resume_kernel
14045 +#else
14046 jb resume_kernel # not returning to v8086 or userspace
14047 +#endif
14048
14049 ENTRY(resume_userspace)
14050 LOCKDEP_SYS_EXIT
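Review bot: This call site spells the macro `PAX_EXIT_KERNEL`, while the `.macro` definition earlier in the file and the two NMI call sites use lowercase `pax_exit_kernel`. It assembles only if the assembler matches macro names case-insensitively or an uppercase definition exists elsewhere in the patch; neither is visible here. Writing `pax_exit_kernel` keeps the file consistent and makes every use findable with one search.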
14051 @@ -344,7 +494,7 @@ ENTRY(resume_userspace)
14052 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
14053 # int/exception return?
14054 jne work_pending
14055 - jmp restore_all
14056 + jmp restore_all_pax
14057 END(ret_from_exception)
14058
14059 #ifdef CONFIG_PREEMPT
14060 @@ -394,23 +544,34 @@ sysenter_past_esp:
14061 /*CFI_REL_OFFSET cs, 0*/
14062 /*
14063 * Push current_thread_info()->sysenter_return to the stack.
14064 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
14065 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
14066 */
14067 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
14068 + pushl_cfi $0
14069 CFI_REL_OFFSET eip, 0
14070
14071 pushl_cfi %eax
14072 SAVE_ALL
14073 + GET_THREAD_INFO(%ebp)
14074 + movl TI_sysenter_return(%ebp),%ebp
14075 + movl %ebp,PT_EIP(%esp)
14076 ENABLE_INTERRUPTS(CLBR_NONE)
14077
14078 /*
14079 * Load the potential sixth argument from user stack.
14080 * Careful about security.
14081 */
14082 + movl PT_OLDESP(%esp),%ebp
14083 +
14084 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14085 + mov PT_OLDSS(%esp),%ds
14086 +1: movl %ds:(%ebp),%ebp
14087 + push %ss
14088 + pop %ds
14089 +#else
14090 cmpl $__PAGE_OFFSET-3,%ebp
14091 jae syscall_fault
14092 1: movl (%ebp),%ebp
14093 +#endif
14094 +
14095 movl %ebp,PT_EBP(%esp)
14096 .section __ex_table,"a"
14097 .align 4
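Review bot: Under CONFIG_PAX_MEMORY_UDEREF the explicit range check `cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault` is dropped, and the sixth-argument load at `1:` is bounded only by the limit of whatever selector sits in `PT_OLDSS`. That is sound only if the slot always holds a selector whose limit excludes kernel addresses on this path, and the hunk does not show where the slot is written. The surviving comment "Careful about security" should state that invariant, e.g. `# UDEREF: the %ds segment limit replaces the __PAGE_OFFSET check`. The enclosing entry path starts and ends outside this hunk.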
14098 @@ -433,12 +594,23 @@ sysenter_do_call:
14099 testl $_TIF_ALLWORK_MASK, %ecx
14100 jne sysexit_audit
14101 sysenter_exit:
14102 +
14103 +#ifdef CONFIG_PAX_RANDKSTACK
14104 + pushl_cfi %eax
14105 + call pax_randomize_kstack
14106 + popl_cfi %eax
14107 +#endif
14108 +
14109 + pax_erase_kstack
14110 +
14111 /* if something modifies registers it must also disable sysexit */
14112 movl PT_EIP(%esp), %edx
14113 movl PT_OLDESP(%esp), %ecx
14114 xorl %ebp,%ebp
14115 TRACE_IRQS_ON
14116 1: mov PT_FS(%esp), %fs
14117 +2: mov PT_DS(%esp), %ds
14118 +3: mov PT_ES(%esp), %es
14119 PTGS_TO_GS
14120 ENABLE_INTERRUPTS_SYSEXIT
14121
14122 @@ -455,6 +627,9 @@ sysenter_audit:
14123 movl %eax,%edx /* 2nd arg: syscall number */
14124 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14125 call audit_syscall_entry
14126 +
14127 + pax_erase_kstack
14128 +
14129 pushl_cfi %ebx
14130 movl PT_EAX(%esp),%eax /* reload syscall number */
14131 jmp sysenter_do_call
14132 @@ -481,11 +656,17 @@ sysexit_audit:
14133
14134 CFI_ENDPROC
14135 .pushsection .fixup,"ax"
14136 -2: movl $0,PT_FS(%esp)
14137 +4: movl $0,PT_FS(%esp)
14138 + jmp 1b
14139 +5: movl $0,PT_DS(%esp)
14140 + jmp 1b
14141 +6: movl $0,PT_ES(%esp)
14142 jmp 1b
14143 .section __ex_table,"a"
14144 .align 4
14145 - .long 1b,2b
14146 + .long 1b,4b
14147 + .long 2b,5b
14148 + .long 3b,6b
14149 .popsection
14150 PTGS_TO_GS_EX
14151 ENDPROC(ia32_sysenter_target)
14152 @@ -518,6 +699,14 @@ syscall_exit:
14153 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14154 jne syscall_exit_work
14155
14156 +restore_all_pax:
14157 +
14158 +#ifdef CONFIG_PAX_RANDKSTACK
14159 + call pax_randomize_kstack
14160 +#endif
14161 +
14162 + pax_erase_kstack
14163 +
14164 restore_all:
14165 TRACE_IRQS_IRET
14166 restore_all_notrace:
14167 @@ -577,14 +766,21 @@ ldt_ss:
14168 * compensating for the offset by changing to the ESPFIX segment with
14169 * a base address that matches for the difference.
14170 */
14171 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
14172 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
14173 mov %esp, %edx /* load kernel esp */
14174 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14175 mov %dx, %ax /* eax: new kernel esp */
14176 sub %eax, %edx /* offset (low word is 0) */
14177 +#ifdef CONFIG_SMP
14178 + movl PER_CPU_VAR(cpu_number), %ebx
14179 + shll $PAGE_SHIFT_asm, %ebx
14180 + addl $cpu_gdt_table, %ebx
14181 +#else
14182 + movl $cpu_gdt_table, %ebx
14183 +#endif
14184 shr $16, %edx
14185 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
14186 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
14187 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
14188 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
14189 pushl_cfi $__ESPFIX_SS
14190 pushl_cfi %eax /* new kernel esp */
14191 /* Disable interrupts, but do not irqtrace this section: we
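Review bot: `GDT_ESPFIX_SS` now expands to an `(%ebx)`-relative operand, so every use silently requires `%ebx` to hold this CPU's GDT base, and the four-instruction sequence that computes it is duplicated here and in `FIXUP_ESPFIX_STACK`. Neither the `#define` nor that macro documents the new `%ebx` clobber, and `shll $PAGE_SHIFT_asm` bakes in the assumption that each CPU's table occupies exactly one page of `cpu_gdt_table`. Wrapping the computation in one small macro with a comment stating both facts would remove the duplication and make the register contract explicit.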
14192 @@ -613,29 +809,23 @@ work_resched:
14193 movl TI_flags(%ebp), %ecx
14194 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14195 # than syscall tracing?
14196 - jz restore_all
14197 + jz restore_all_pax
14198 testb $_TIF_NEED_RESCHED, %cl
14199 jnz work_resched
14200
14201 work_notifysig: # deal with pending signals and
14202 # notify-resume requests
14203 + movl %esp, %eax
14204 #ifdef CONFIG_VM86
14205 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14206 - movl %esp, %eax
14207 - jne work_notifysig_v86 # returning to kernel-space or
14208 + jz 1f # returning to kernel-space or
14209 # vm86-space
14210 - xorl %edx, %edx
14211 - call do_notify_resume
14212 - jmp resume_userspace_sig
14213
14214 - ALIGN
14215 -work_notifysig_v86:
14216 pushl_cfi %ecx # save ti_flags for do_notify_resume
14217 call save_v86_state # %eax contains pt_regs pointer
14218 popl_cfi %ecx
14219 movl %eax, %esp
14220 -#else
14221 - movl %esp, %eax
14222 +1:
14223 #endif
14224 xorl %edx, %edx
14225 call do_notify_resume
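Review bot: The comment `# returning to kernel-space or vm86-space` was written for the old `jne work_notifysig_v86` and now sits on `jz 1f`, the branch taken when X86_EFLAGS_VM is clear, so it reads as describing the opposite case. It should be reworded for the new sense, e.g. `jz 1f # not returning to vm86-space`. The restructuring itself merges the two `do_notify_resume` calls into one, which is why the comment is the only thing left pointing the wrong way.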
14226 @@ -648,6 +838,9 @@ syscall_trace_entry:
14227 movl $-ENOSYS,PT_EAX(%esp)
14228 movl %esp, %eax
14229 call syscall_trace_enter
14230 +
14231 + pax_erase_kstack
14232 +
14233 /* What it returned is what we'll actually use. */
14234 cmpl $(nr_syscalls), %eax
14235 jnae syscall_call
14236 @@ -670,6 +863,10 @@ END(syscall_exit_work)
14237
14238 RING0_INT_FRAME # can't unwind into user space anyway
14239 syscall_fault:
14240 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14241 + push %ss
14242 + pop %ds
14243 +#endif
14244 GET_THREAD_INFO(%ebp)
14245 movl $-EFAULT,PT_EAX(%esp)
14246 jmp resume_userspace
14247 @@ -752,6 +949,36 @@ ptregs_clone:
14248 CFI_ENDPROC
14249 ENDPROC(ptregs_clone)
14250
14251 + ALIGN;
14252 +ENTRY(kernel_execve)
14253 + CFI_STARTPROC
14254 + pushl_cfi %ebp
14255 + sub $PT_OLDSS+4,%esp
14256 + pushl_cfi %edi
14257 + pushl_cfi %ecx
14258 + pushl_cfi %eax
14259 + lea 3*4(%esp),%edi
14260 + mov $PT_OLDSS/4+1,%ecx
14261 + xorl %eax,%eax
14262 + rep stosl
14263 + popl_cfi %eax
14264 + popl_cfi %ecx
14265 + popl_cfi %edi
14266 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14267 + pushl_cfi %esp
14268 + call sys_execve
14269 + add $4,%esp
14270 + CFI_ADJUST_CFA_OFFSET -4
14271 + GET_THREAD_INFO(%ebp)
14272 + test %eax,%eax
14273 + jz syscall_exit
14274 + add $PT_OLDSS+4,%esp
14275 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
14276 + popl_cfi %ebp
14277 + ret
14278 + CFI_ENDPROC
14279 +ENDPROC(kernel_execve)
14280 +
14281 .macro FIXUP_ESPFIX_STACK
14282 /*
14283 * Switch back for ESPFIX stack to the normal zerobased stack
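Review bot: In `kernel_execve` the `sub $PT_OLDSS+4,%esp` that reserves the register frame has no CFI adjustment, while the matching `add $PT_OLDSS+4,%esp` is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`, so the unwind information is off by the frame size for the body of the routine. Adding `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` directly after the `sub` balances it. The routine also has no header comment; one stating that it builds a zeroed register frame on the kernel stack, sets only the saved EFLAGS to `X86_EFLAGS_IF`, and leaves through `syscall_exit` when `sys_execve` returns 0 would help the next reader.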
14284 @@ -761,8 +988,15 @@ ENDPROC(ptregs_clone)
14285 * normal stack and adjusts ESP with the matching offset.
14286 */
14287 /* fixup the stack */
14288 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
14289 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
14290 +#ifdef CONFIG_SMP
14291 + movl PER_CPU_VAR(cpu_number), %ebx
14292 + shll $PAGE_SHIFT_asm, %ebx
14293 + addl $cpu_gdt_table, %ebx
14294 +#else
14295 + movl $cpu_gdt_table, %ebx
14296 +#endif
14297 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
14298 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
14299 shl $16, %eax
14300 addl %esp, %eax /* the adjusted stack pointer */
14301 pushl_cfi $__KERNEL_DS
14302 @@ -1213,7 +1447,6 @@ return_to_handler:
14303 jmp *%ecx
14304 #endif
14305
14306 -.section .rodata,"a"
14307 #include "syscall_table_32.S"
14308
14309 syscall_table_size=(.-sys_call_table)
14310 @@ -1259,9 +1492,12 @@ error_code:
14311 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14312 REG_TO_PTGS %ecx
14313 SET_KERNEL_GS %ecx
14314 - movl $(__USER_DS), %ecx
14315 + movl $(__KERNEL_DS), %ecx
14316 movl %ecx, %ds
14317 movl %ecx, %es
14318 +
14319 + pax_enter_kernel
14320 +
14321 TRACE_IRQS_OFF
14322 movl %esp,%eax # pt_regs pointer
14323 call *%edi
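Review bot: `error_code` now loads `__KERNEL_DS` into `%ds`/`%es` unconditionally, whereas the new `SAVE_ALL` selects `__KERNEL_DS` only when one of CONFIG_PAX_KERNEXEC, PAGEEXEC, SEGMEXEC or MEMORY_UDEREF is set and keeps `__USER_DS` otherwise. With none of those options enabled the two entry paths therefore run with different data selectors; that may be benign, but the asymmetry is undocumented. Either guard this load with the same `#if` as `SAVE_ALL` or add a comment explaining why the exception path differs. The `doublefault_tss` initializer makes the same unconditional switch.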
14324 @@ -1346,6 +1582,9 @@ nmi_stack_correct:
14325 xorl %edx,%edx # zero error code
14326 movl %esp,%eax # pt_regs pointer
14327 call do_nmi
14328 +
14329 + pax_exit_kernel
14330 +
14331 jmp restore_all_notrace
14332 CFI_ENDPROC
14333
14334 @@ -1382,6 +1621,9 @@ nmi_espfix_stack:
14335 FIXUP_ESPFIX_STACK # %eax == %esp
14336 xorl %edx,%edx # zero error code
14337 call do_nmi
14338 +
14339 + pax_exit_kernel
14340 +
14341 RESTORE_REGS
14342 lss 12+4(%esp), %esp # back to espfix stack
14343 CFI_ADJUST_CFA_OFFSET -24
14344 diff -urNp linux-2.6.39.2/arch/x86/kernel/entry_64.S linux-2.6.39.2/arch/x86/kernel/entry_64.S
14345 --- linux-2.6.39.2/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400
14346 +++ linux-2.6.39.2/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400
14347 @@ -53,6 +53,7 @@
14348 #include <asm/paravirt.h>
14349 #include <asm/ftrace.h>
14350 #include <asm/percpu.h>
14351 +#include <asm/pgtable.h>
14352
14353 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14354 #include <linux/elf-em.h>
14355 @@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
14356 ENDPROC(native_usergs_sysret64)
14357 #endif /* CONFIG_PARAVIRT */
14358
14359 + .macro ljmpq sel, off
14360 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14361 + .byte 0x48; ljmp *1234f(%rip)
14362 + .pushsection .rodata
14363 + .align 16
14364 + 1234: .quad \off; .word \sel
14365 + .popsection
14366 +#else
14367 + pushq $\sel
14368 + pushq $\off
14369 + lretq
14370 +#endif
14371 + .endm
14372 +
14373 + .macro pax_enter_kernel
14374 +#ifdef CONFIG_PAX_KERNEXEC
14375 + call pax_enter_kernel
14376 +#endif
14377 + .endm
14378 +
14379 + .macro pax_exit_kernel
14380 +#ifdef CONFIG_PAX_KERNEXEC
14381 + call pax_exit_kernel
14382 +#endif
14383 + .endm
14384 +
14385 +#ifdef CONFIG_PAX_KERNEXEC
14386 +ENTRY(pax_enter_kernel)
14387 + pushq %rdi
14388 +
14389 +#ifdef CONFIG_PARAVIRT
14390 + PV_SAVE_REGS(CLBR_RDI)
14391 +#endif
14392 +
14393 + GET_CR0_INTO_RDI
14394 + bts $16,%rdi
14395 + jnc 1f
14396 + mov %cs,%edi
14397 + cmp $__KERNEL_CS,%edi
14398 + jz 3f
14399 + ljmpq __KERNEL_CS,3f
14400 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14401 +2: SET_RDI_INTO_CR0
14402 +3:
14403 +
14404 +#ifdef CONFIG_PARAVIRT
14405 + PV_RESTORE_REGS(CLBR_RDI)
14406 +#endif
14407 +
14408 + popq %rdi
14409 + retq
14410 +ENDPROC(pax_enter_kernel)
14411 +
14412 +ENTRY(pax_exit_kernel)
14413 + pushq %rdi
14414 +
14415 +#ifdef CONFIG_PARAVIRT
14416 + PV_SAVE_REGS(CLBR_RDI)
14417 +#endif
14418 +
14419 + mov %cs,%rdi
14420 + cmp $__KERNEXEC_KERNEL_CS,%edi
14421 + jnz 2f
14422 + GET_CR0_INTO_RDI
14423 + btr $16,%rdi
14424 + ljmpq __KERNEL_CS,1f
14425 +1: SET_RDI_INTO_CR0
14426 +2:
14427 +
14428 +#ifdef CONFIG_PARAVIRT
14429 + PV_RESTORE_REGS(CLBR_RDI);
14430 +#endif
14431 +
14432 + popq %rdi
14433 + retq
14434 +ENDPROC(pax_exit_kernel)
14435 +#endif
14436 +
14437 + .macro pax_enter_kernel_user
14438 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14439 + call pax_enter_kernel_user
14440 +#endif
14441 + .endm
14442 +
14443 + .macro pax_exit_kernel_user
14444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14445 + call pax_exit_kernel_user
14446 +#endif
14447 +#ifdef CONFIG_PAX_RANDKSTACK
14448 + push %rax
14449 + call pax_randomize_kstack
14450 + pop %rax
14451 +#endif
14452 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14453 + call pax_erase_kstack
14454 +#endif
14455 + .endm
14456 +
14457 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14458 +ENTRY(pax_enter_kernel_user)
14459 + pushq %rdi
14460 + pushq %rbx
14461 +
14462 +#ifdef CONFIG_PARAVIRT
14463 + PV_SAVE_REGS(CLBR_RDI)
14464 +#endif
14465 +
14466 + GET_CR3_INTO_RDI
14467 + mov %rdi,%rbx
14468 + add $__START_KERNEL_map,%rbx
14469 + sub phys_base(%rip),%rbx
14470 +
14471 +#ifdef CONFIG_PARAVIRT
14472 + pushq %rdi
14473 + cmpl $0, pv_info+PARAVIRT_enabled
14474 + jz 1f
14475 + i = 0
14476 + .rept USER_PGD_PTRS
14477 + mov i*8(%rbx),%rsi
14478 + mov $0,%sil
14479 + lea i*8(%rbx),%rdi
14480 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14481 + i = i + 1
14482 + .endr
14483 + jmp 2f
14484 +1:
14485 +#endif
14486 +
14487 + i = 0
14488 + .rept USER_PGD_PTRS
14489 + movb $0,i*8(%rbx)
14490 + i = i + 1
14491 + .endr
14492 +
14493 +#ifdef CONFIG_PARAVIRT
14494 +2: popq %rdi
14495 +#endif
14496 + SET_RDI_INTO_CR3
14497 +
14498 +#ifdef CONFIG_PAX_KERNEXEC
14499 + GET_CR0_INTO_RDI
14500 + bts $16,%rdi
14501 + SET_RDI_INTO_CR0
14502 +#endif
14503 +
14504 +#ifdef CONFIG_PARAVIRT
14505 + PV_RESTORE_REGS(CLBR_RDI)
14506 +#endif
14507 +
14508 + popq %rbx
14509 + popq %rdi
14510 + retq
14511 +ENDPROC(pax_enter_kernel_user)
14512 +
14513 +ENTRY(pax_exit_kernel_user)
14514 + push %rdi
14515 +
14516 +#ifdef CONFIG_PARAVIRT
14517 + pushq %rbx
14518 + PV_SAVE_REGS(CLBR_RDI)
14519 +#endif
14520 +
14521 +#ifdef CONFIG_PAX_KERNEXEC
14522 + GET_CR0_INTO_RDI
14523 + btr $16,%rdi
14524 + SET_RDI_INTO_CR0
14525 +#endif
14526 +
14527 + GET_CR3_INTO_RDI
14528 + add $__START_KERNEL_map,%rdi
14529 + sub phys_base(%rip),%rdi
14530 +
14531 +#ifdef CONFIG_PARAVIRT
14532 + cmpl $0, pv_info+PARAVIRT_enabled
14533 + jz 1f
14534 + mov %rdi,%rbx
14535 + i = 0
14536 + .rept USER_PGD_PTRS
14537 + mov i*8(%rbx),%rsi
14538 + mov $0x67,%sil
14539 + lea i*8(%rbx),%rdi
14540 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14541 + i = i + 1
14542 + .endr
14543 + jmp 2f
14544 +1:
14545 +#endif
14546 +
14547 + i = 0
14548 + .rept USER_PGD_PTRS
14549 + movb $0x67,i*8(%rdi)
14550 + i = i + 1
14551 + .endr
14552 +
14553 +#ifdef CONFIG_PARAVIRT
14554 +2: PV_RESTORE_REGS(CLBR_RDI)
14555 + popq %rbx
14556 +#endif
14557 +
14558 + popq %rdi
14559 + retq
14560 +ENDPROC(pax_exit_kernel_user)
14561 +#endif
14562 +
14563 + .macro pax_erase_kstack
14564 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14565 + call pax_erase_kstack
14566 +#endif
14567 + .endm
14568 +
14569 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14570 +/*
14571 + * r10: thread_info
14572 + * rcx, rdx: can be clobbered
14573 + */
14574 +ENTRY(pax_erase_kstack)
14575 + pushq %rdi
14576 + pushq %rax
14577 +
14578 + GET_THREAD_INFO(%r10)
14579 + mov TI_lowest_stack(%r10), %rdi
14580 + mov $-0xBEEF, %rax
14581 + std
14582 +
14583 +1: mov %edi, %ecx
14584 + and $THREAD_SIZE_asm - 1, %ecx
14585 + shr $3, %ecx
14586 + repne scasq
14587 + jecxz 2f
14588 +
14589 + cmp $2*8, %ecx
14590 + jc 2f
14591 +
14592 + mov $2*8, %ecx
14593 + repe scasq
14594 + jecxz 2f
14595 + jne 1b
14596 +
14597 +2: cld
14598 + mov %esp, %ecx
14599 + sub %edi, %ecx
14600 + shr $3, %ecx
14601 + rep stosq
14602 +
14603 + mov TI_task_thread_sp0(%r10), %rdi
14604 + sub $256, %rdi
14605 + mov %rdi, TI_lowest_stack(%r10)
14606 +
14607 + popq %rax
14608 + popq %rdi
14609 + ret
14610 +ENDPROC(pax_erase_kstack)
14611 +#endif
14612
14613 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14614 #ifdef CONFIG_TRACE_IRQFLAGS
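Review bot: The header comment on pax_erase_kstack lists `r10: thread_info` as if it were an input, but the routine loads it itself with `GET_THREAD_INFO(%r10)`; %rdx, listed as clobbered, is never touched in the body, while %rcx is. I would reword it to `/* clobbers r10 (reloaded with thread_info) and rcx; preserves rax and rdi; DF is set for the downward scan and cleared before the fill */`, so that users of the `pax_exit_kernel_user` macro know which registers to reload. Separately, the bare `$16` in the `bts`/`btr` on the CR0 value and the `$0x67` written into the PGD entries each deserve a comment, e.g. `/* CR0.WP */` and `/* looks like the _PAGE_TABLE flag byte, confirm */`.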
14615 @@ -318,7 +572,7 @@ ENTRY(save_args)
14616 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
14617 movq_cfi rbp, 8 /* push %rbp */
14618 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14619 - testl $3, CS(%rdi)
14620 + testb $3, CS(%rdi)
14621 je 1f
14622 SWAPGS
14623 /*
14624 @@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
14625
14626 RESTORE_REST
14627
14628 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14629 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14630 je int_ret_from_sys_call
14631
14632 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14633 @@ -455,7 +709,7 @@ END(ret_from_fork)
14634 ENTRY(system_call)
14635 CFI_STARTPROC simple
14636 CFI_SIGNAL_FRAME
14637 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14638 + CFI_DEF_CFA rsp,0
14639 CFI_REGISTER rip,rcx
14640 /*CFI_REGISTER rflags,r11*/
14641 SWAPGS_UNSAFE_STACK
14642 @@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
14643
14644 movq %rsp,PER_CPU_VAR(old_rsp)
14645 movq PER_CPU_VAR(kernel_stack),%rsp
14646 + pax_enter_kernel_user
14647 /*
14648 * No need to follow this irqs off/on section - it's straight
14649 * and short:
14650 */
14651 ENABLE_INTERRUPTS(CLBR_NONE)
14652 - SAVE_ARGS 8,1
14653 + SAVE_ARGS 8*6,1
14654 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14655 movq %rcx,RIP-ARGOFFSET(%rsp)
14656 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14657 @@ -502,6 +757,7 @@ sysret_check:
14658 andl %edi,%edx
14659 jnz sysret_careful
14660 CFI_REMEMBER_STATE
14661 + pax_exit_kernel_user
14662 /*
14663 * sysretq will re-enable interrupts:
14664 */
14665 @@ -560,6 +816,9 @@ auditsys:
14666 movq %rax,%rsi /* 2nd arg: syscall number */
14667 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14668 call audit_syscall_entry
14669 +
14670 + pax_erase_kstack
14671 +
14672 LOAD_ARGS 0 /* reload call-clobbered registers */
14673 jmp system_call_fastpath
14674
14675 @@ -590,6 +849,9 @@ tracesys:
14676 FIXUP_TOP_OF_STACK %rdi
14677 movq %rsp,%rdi
14678 call syscall_trace_enter
14679 +
14680 + pax_erase_kstack
14681 +
14682 /*
14683 * Reload arg registers from stack in case ptrace changed them.
14684 * We don't reload %rax because syscall_trace_enter() returned
14685 @@ -611,7 +873,7 @@ tracesys:
14686 GLOBAL(int_ret_from_sys_call)
14687 DISABLE_INTERRUPTS(CLBR_NONE)
14688 TRACE_IRQS_OFF
14689 - testl $3,CS-ARGOFFSET(%rsp)
14690 + testb $3,CS-ARGOFFSET(%rsp)
14691 je retint_restore_args
14692 movl $_TIF_ALLWORK_MASK,%edi
14693 /* edi: mask to check */
14694 @@ -793,6 +1055,16 @@ END(interrupt)
14695 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
14696 call save_args
14697 PARTIAL_FRAME 0
14698 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14699 + testb $3, CS(%rdi)
14700 + jnz 1f
14701 + pax_enter_kernel
14702 + jmp 2f
14703 +1: pax_enter_kernel_user
14704 +2:
14705 +#else
14706 + pax_enter_kernel
14707 +#endif
14708 call \func
14709 .endm
14710
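Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` dispatch added here is repeated verbatim in six more hunks below (the five `ENTRY(\sym)` hunks and the `ENTRY(nmi)` hunk), differing only in the saved-CS operand (`CS(%rdi)` here, `CS(%rsp)` elsewhere). Seven copies of an entry-path privilege check are easy to let drift apart. I would fold it into one macro, defined beside the `pax_enter_kernel_user` macro and taking the CS operand as its argument, and replace each copy with a single invocation. The surrounding macro body starts and ends outside this hunk.

```asm
	.macro pax_enter_kernel_from cs
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs		/* RPL of the saved CS: non-zero means entry from user mode */
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* … unchanged: call save_args, PARTIAL_FRAME 0 … */
	pax_enter_kernel_from CS(%rdi)
	call \func
```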
14711 @@ -825,7 +1097,7 @@ ret_from_intr:
14712 CFI_ADJUST_CFA_OFFSET -8
14713 exit_intr:
14714 GET_THREAD_INFO(%rcx)
14715 - testl $3,CS-ARGOFFSET(%rsp)
14716 + testb $3,CS-ARGOFFSET(%rsp)
14717 je retint_kernel
14718
14719 /* Interrupt came from user space */
14720 @@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
14721 * The iretq could re-enable interrupts:
14722 */
14723 DISABLE_INTERRUPTS(CLBR_ANY)
14724 + pax_exit_kernel_user
14725 TRACE_IRQS_IRETQ
14726 SWAPGS
14727 jmp restore_args
14728
14729 retint_restore_args: /* return to kernel space */
14730 DISABLE_INTERRUPTS(CLBR_ANY)
14731 + pax_exit_kernel
14732 /*
14733 * The iretq could re-enable interrupts:
14734 */
14735 @@ -1027,6 +1301,16 @@ ENTRY(\sym)
14736 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14737 call error_entry
14738 DEFAULT_FRAME 0
14739 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14740 + testb $3, CS(%rsp)
14741 + jnz 1f
14742 + pax_enter_kernel
14743 + jmp 2f
14744 +1: pax_enter_kernel_user
14745 +2:
14746 +#else
14747 + pax_enter_kernel
14748 +#endif
14749 movq %rsp,%rdi /* pt_regs pointer */
14750 xorl %esi,%esi /* no error code */
14751 call \do_sym
14752 @@ -1044,6 +1328,16 @@ ENTRY(\sym)
14753 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14754 call save_paranoid
14755 TRACE_IRQS_OFF
14756 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14757 + testb $3, CS(%rsp)
14758 + jnz 1f
14759 + pax_enter_kernel
14760 + jmp 2f
14761 +1: pax_enter_kernel_user
14762 +2:
14763 +#else
14764 + pax_enter_kernel
14765 +#endif
14766 movq %rsp,%rdi /* pt_regs pointer */
14767 xorl %esi,%esi /* no error code */
14768 call \do_sym
14769 @@ -1052,7 +1346,7 @@ ENTRY(\sym)
14770 END(\sym)
14771 .endm
14772
14773 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
14774 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
14775 .macro paranoidzeroentry_ist sym do_sym ist
14776 ENTRY(\sym)
14777 INTR_FRAME
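Review bot: `INIT_TSS_IST(x)` now expands to an `(%r12)`-relative operand, so every use silently requires %r12 to hold this CPU's TSS address; the next hunk sets that up with `imul`/`lea` just before the `subq`. I would document the requirement on the define itself, e.g. `/* requires %r12 = this CPU's init_tss; %r12 is callee-saved, so it survives the call to \do_sym */`. The body of paranoidzeroentry_ist continues outside this hunk.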
14778 @@ -1062,8 +1356,24 @@ ENTRY(\sym)
14779 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14780 call save_paranoid
14781 TRACE_IRQS_OFF
14782 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14783 + testb $3, CS(%rsp)
14784 + jnz 1f
14785 + pax_enter_kernel
14786 + jmp 2f
14787 +1: pax_enter_kernel_user
14788 +2:
14789 +#else
14790 + pax_enter_kernel
14791 +#endif
14792 movq %rsp,%rdi /* pt_regs pointer */
14793 xorl %esi,%esi /* no error code */
14794 +#ifdef CONFIG_SMP
14795 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
14796 + lea init_tss(%r12), %r12
14797 +#else
14798 + lea init_tss(%rip), %r12
14799 +#endif
14800 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14801 call \do_sym
14802 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14803 @@ -1080,6 +1390,16 @@ ENTRY(\sym)
14804 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14805 call error_entry
14806 DEFAULT_FRAME 0
14807 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14808 + testb $3, CS(%rsp)
14809 + jnz 1f
14810 + pax_enter_kernel
14811 + jmp 2f
14812 +1: pax_enter_kernel_user
14813 +2:
14814 +#else
14815 + pax_enter_kernel
14816 +#endif
14817 movq %rsp,%rdi /* pt_regs pointer */
14818 movq ORIG_RAX(%rsp),%rsi /* get error code */
14819 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14820 @@ -1099,6 +1419,16 @@ ENTRY(\sym)
14821 call save_paranoid
14822 DEFAULT_FRAME 0
14823 TRACE_IRQS_OFF
14824 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14825 + testb $3, CS(%rsp)
14826 + jnz 1f
14827 + pax_enter_kernel
14828 + jmp 2f
14829 +1: pax_enter_kernel_user
14830 +2:
14831 +#else
14832 + pax_enter_kernel
14833 +#endif
14834 movq %rsp,%rdi /* pt_regs pointer */
14835 movq ORIG_RAX(%rsp),%rsi /* get error code */
14836 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14837 @@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
14838 TRACE_IRQS_OFF
14839 testl %ebx,%ebx /* swapgs needed? */
14840 jnz paranoid_restore
14841 - testl $3,CS(%rsp)
14842 + testb $3,CS(%rsp)
14843 jnz paranoid_userspace
14844 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14845 + pax_exit_kernel
14846 + TRACE_IRQS_IRETQ 0
14847 + SWAPGS_UNSAFE_STACK
14848 + RESTORE_ALL 8
14849 + jmp irq_return
14850 +#endif
14851 paranoid_swapgs:
14852 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14853 + pax_exit_kernel_user
14854 +#else
14855 + pax_exit_kernel
14856 +#endif
14857 TRACE_IRQS_IRETQ 0
14858 SWAPGS_UNSAFE_STACK
14859 RESTORE_ALL 8
14860 jmp irq_return
14861 paranoid_restore:
14862 + pax_exit_kernel
14863 TRACE_IRQS_IRETQ 0
14864 RESTORE_ALL 8
14865 jmp irq_return
14866 @@ -1426,7 +1769,7 @@ ENTRY(error_entry)
14867 movq_cfi r14, R14+8
14868 movq_cfi r15, R15+8
14869 xorl %ebx,%ebx
14870 - testl $3,CS+8(%rsp)
14871 + testb $3,CS+8(%rsp)
14872 je error_kernelspace
14873 error_swapgs:
14874 SWAPGS
14875 @@ -1490,6 +1833,16 @@ ENTRY(nmi)
14876 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14877 call save_paranoid
14878 DEFAULT_FRAME 0
14879 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14880 + testb $3, CS(%rsp)
14881 + jnz 1f
14882 + pax_enter_kernel
14883 + jmp 2f
14884 +1: pax_enter_kernel_user
14885 +2:
14886 +#else
14887 + pax_enter_kernel
14888 +#endif
14889 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14890 movq %rsp,%rdi
14891 movq $-1,%rsi
14892 @@ -1500,11 +1853,25 @@ ENTRY(nmi)
14893 DISABLE_INTERRUPTS(CLBR_NONE)
14894 testl %ebx,%ebx /* swapgs needed? */
14895 jnz nmi_restore
14896 - testl $3,CS(%rsp)
14897 + testb $3,CS(%rsp)
14898 jnz nmi_userspace
14899 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14900 + pax_exit_kernel
14901 + SWAPGS_UNSAFE_STACK
14902 + RESTORE_ALL 8
14903 + jmp irq_return
14904 +#endif
14905 nmi_swapgs:
14906 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14907 + pax_exit_kernel_user
14908 +#else
14909 + pax_exit_kernel
14910 +#endif
14911 SWAPGS_UNSAFE_STACK
14912 + RESTORE_ALL 8
14913 + jmp irq_return
14914 nmi_restore:
14915 + pax_exit_kernel
14916 RESTORE_ALL 8
14917 jmp irq_return
14918 nmi_userspace:
14919 diff -urNp linux-2.6.39.2/arch/x86/kernel/ftrace.c linux-2.6.39.2/arch/x86/kernel/ftrace.c
14920 --- linux-2.6.39.2/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400
14921 +++ linux-2.6.39.2/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400
14922 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
14923 static void *mod_code_newcode; /* holds the text to write to the IP */
14924
14925 static unsigned nmi_wait_count;
14926 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14927 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14928
14929 int ftrace_arch_read_dyn_info(char *buf, int size)
14930 {
14931 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14932
14933 r = snprintf(buf, size, "%u %u",
14934 nmi_wait_count,
14935 - atomic_read(&nmi_update_count));
14936 + atomic_read_unchecked(&nmi_update_count));
14937 return r;
14938 }
14939
14940 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
14941
14942 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14943 smp_rmb();
14944 + pax_open_kernel();
14945 ftrace_mod_code();
14946 - atomic_inc(&nmi_update_count);
14947 + pax_close_kernel();
14948 + atomic_inc_unchecked(&nmi_update_count);
14949 }
14950 /* Must have previous changes seen before executions */
14951 smp_mb();
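Review bot: The new `pax_open_kernel()` / `pax_close_kernel()` pair is called from NMI context, and nothing here says whether the helpers may nest with a write window already opened by the interrupted code; their definitions are outside this hunk. A one-line comment before `pax_open_kernel();` would record the assumption, for example `/* NMI path: helpers must leave the interrupted context's write-protect state unchanged on close */`. ftrace_nmi_enter starts before this hunk.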
14952 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
14953 {
14954 unsigned char replaced[MCOUNT_INSN_SIZE];
14955
14956 + ip = ktla_ktva(ip);
14957 +
14958 /*
14959 * Note: Due to modules and __init, code can
14960 * disappear and change, we need to protect against faulting
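Review bot: `ip = ktla_ktva(ip);` rewrites the parameter in place without explanation, so the rest of ftrace_modify_code (which continues past this hunk) works on a translated address while callers still hold the original one. The same translation is added in ftrace_mod_jmp and on the memcpy source in ftrace_update_ftrace_func. A comment at each site would help, e.g. `/* translate the text address before reading/patching it; presumably an identity mapping without KERNEXEC, confirm */`.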
14961 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
14962 unsigned char old[MCOUNT_INSN_SIZE], *new;
14963 int ret;
14964
14965 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
14966 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
14967 new = ftrace_call_replace(ip, (unsigned long)func);
14968 ret = ftrace_modify_code(ip, old, new);
14969
14970 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
14971 {
14972 unsigned char code[MCOUNT_INSN_SIZE];
14973
14974 + ip = ktla_ktva(ip);
14975 +
14976 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
14977 return -EFAULT;
14978
14979 diff -urNp linux-2.6.39.2/arch/x86/kernel/head32.c linux-2.6.39.2/arch/x86/kernel/head32.c
14980 --- linux-2.6.39.2/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400
14981 +++ linux-2.6.39.2/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400
14982 @@ -19,6 +19,7 @@
14983 #include <asm/io_apic.h>
14984 #include <asm/bios_ebda.h>
14985 #include <asm/tlbflush.h>
14986 +#include <asm/boot.h>
14987
14988 static void __init i386_default_early_setup(void)
14989 {
14990 @@ -34,7 +35,7 @@ void __init i386_start_kernel(void)
14991 {
14992 memblock_init();
14993
14994 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14995 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14996
14997 #ifdef CONFIG_BLK_DEV_INITRD
14998 /* Reserve INITRD */
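Review bot: The start of the reserved range changes from the symbol-derived `__pa_symbol(&_text)` to the build-time constant `LOAD_PHYSICAL_ADDR` unconditionally, not only under CONFIG_PAX_KERNEXEC. If this tree can still be built relocatable and is loaded above the configured address, the range would begin below the real image and cover more than "TEXT DATA BSS". Whether that configuration is reachable depends on Kconfig constraints not shown here. I would add a comment stating why the constant is correct, e.g. `/* image starts at the configured load address; _text may not be its first byte with KERNEXEC, confirm against the linker script */`, or keep the old expression in an `#else` branch. i386_start_kernel continues past this hunk.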
14999 diff -urNp linux-2.6.39.2/arch/x86/kernel/head_32.S linux-2.6.39.2/arch/x86/kernel/head_32.S
15000 --- linux-2.6.39.2/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400
15001 +++ linux-2.6.39.2/arch/x86/kernel/head_32.S 2011-05-22 19:36:30.000000000 -0400
15002 @@ -25,6 +25,12 @@
15003 /* Physical address */
15004 #define pa(X) ((X) - __PAGE_OFFSET)
15005
15006 +#ifdef CONFIG_PAX_KERNEXEC
15007 +#define ta(X) (X)
15008 +#else
15009 +#define ta(X) ((X) - __PAGE_OFFSET)
15010 +#endif
15011 +
15012 /*
15013 * References to members of the new_cpu_data structure.
15014 */
15015 @@ -54,11 +60,7 @@
15016 * and small than max_low_pfn, otherwise will waste some page table entries
15017 */
15018
15019 -#if PTRS_PER_PMD > 1
15020 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15021 -#else
15022 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15023 -#endif
15024 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15025
15026 /* Number of possible pages in the lowmem region */
15027 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
15028 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15029 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15030
15031 /*
15032 + * Real beginning of normal "text" segment
15033 + */
15034 +ENTRY(stext)
15035 +ENTRY(_stext)
15036 +
15037 +/*
15038 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15039 * %esi points to the real-mode code as a 32-bit pointer.
15040 * CS and DS must be 4 GB flat segments, but we don't depend on
15041 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15042 * can.
15043 */
15044 __HEAD
15045 +
15046 +#ifdef CONFIG_PAX_KERNEXEC
15047 + jmp startup_32
15048 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15049 +.fill PAGE_SIZE-5,1,0xcc
15050 +#endif
15051 +
15052 ENTRY(startup_32)
15053 movl pa(stack_start),%ecx
15054
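Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes the length of the preceding `jmp startup_32` as 5 bytes. If the assembler ever picks a different encoding, the int3 guard region changes size and startup_32 shifts off its intended one-page offset without any diagnostic. At minimum the constant should be explained with `/* 5 == size of jmp rel32 */`. If the section start is page-aligned, `.balign PAGE_SIZE, 0xcc` after the jump would derive the padding instead of assuming it. startup_32's body continues outside this hunk.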
15055 @@ -105,6 +120,57 @@ ENTRY(startup_32)
15056 2:
15057 leal -__PAGE_OFFSET(%ecx),%esp
15058
15059 +#ifdef CONFIG_SMP
15060 + movl $pa(cpu_gdt_table),%edi
15061 + movl $__per_cpu_load,%eax
15062 + movw %ax,__KERNEL_PERCPU + 2(%edi)
15063 + rorl $16,%eax
15064 + movb %al,__KERNEL_PERCPU + 4(%edi)
15065 + movb %ah,__KERNEL_PERCPU + 7(%edi)
15066 + movl $__per_cpu_end - 1,%eax
15067 + subl $__per_cpu_start,%eax
15068 + movw %ax,__KERNEL_PERCPU + 0(%edi)
15069 +#endif
15070 +
15071 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15072 + movl $NR_CPUS,%ecx
15073 + movl $pa(cpu_gdt_table),%edi
15074 +1:
15075 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15076 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15077 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15078 + addl $PAGE_SIZE_asm,%edi
15079 + loop 1b
15080 +#endif
15081 +
15082 +#ifdef CONFIG_PAX_KERNEXEC
15083 + movl $pa(boot_gdt),%edi
15084 + movl $__LOAD_PHYSICAL_ADDR,%eax
15085 + movw %ax,__BOOT_CS + 2(%edi)
15086 + rorl $16,%eax
15087 + movb %al,__BOOT_CS + 4(%edi)
15088 + movb %ah,__BOOT_CS + 7(%edi)
15089 + rorl $16,%eax
15090 +
15091 + ljmp $(__BOOT_CS),$1f
15092 +1:
15093 +
15094 + movl $NR_CPUS,%ecx
15095 + movl $pa(cpu_gdt_table),%edi
15096 + addl $__PAGE_OFFSET,%eax
15097 +1:
15098 + movw %ax,__KERNEL_CS + 2(%edi)
15099 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15100 + rorl $16,%eax
15101 + movb %al,__KERNEL_CS + 4(%edi)
15102 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15103 + movb %ah,__KERNEL_CS + 7(%edi)
15104 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15105 + rorl $16,%eax
15106 + addl $PAGE_SIZE_asm,%edi
15107 + loop 1b
15108 +#endif
15109 +
15110 /*
15111 * Clear BSS first so that there are no surprises...
15112 */
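Review bot: In the CONFIG_PAX_MEMORY_UDEREF loop the three `movl` immediates keep only `(__PAGE_OFFSET-1) & 0xf0000000` for limit bits 19:16 and rewrite just the high dword of each descriptor. The low 16 limit bits therefore stay at whatever cpu_gdt_table holds, which is `ffff` in the table added later in this file. The resulting limit equals `__PAGE_OFFSET-1` only when __PAGE_OFFSET is 256 MB-aligned; with any other split the user segments would extend past the intended boundary. Unless Kconfig already excludes such splits (not visible here), a build-time guard beside the loop would pin the assumption: `#if __PAGE_OFFSET & 0x0fffffff` / `#error "UDEREF segment limits need a 256MB-aligned __PAGE_OFFSET"` / `#endif`. The access bytes `97`, `fb` and `f3` inside the immediates would also benefit from a one-line comment each.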
15113 @@ -195,8 +261,11 @@ ENTRY(startup_32)
15114 movl %eax, pa(max_pfn_mapped)
15115
15116 /* Do early initialization of the fixmap area */
15117 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15118 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
15119 +#ifdef CONFIG_COMPAT_VDSO
15120 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
15121 +#else
15122 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
15123 +#endif
15124 #else /* Not PAE */
15125
15126 page_pde_offset = (__PAGE_OFFSET >> 20);
15127 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15128 movl %eax, pa(max_pfn_mapped)
15129
15130 /* Do early initialization of the fixmap area */
15131 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15132 - movl %eax,pa(initial_page_table+0xffc)
15133 +#ifdef CONFIG_COMPAT_VDSO
15134 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
15135 +#else
15136 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
15137 +#endif
15138 #endif
15139
15140 #ifdef CONFIG_PARAVIRT
15141 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15142 cmpl $num_subarch_entries, %eax
15143 jae bad_subarch
15144
15145 - movl pa(subarch_entries)(,%eax,4), %eax
15146 - subl $__PAGE_OFFSET, %eax
15147 - jmp *%eax
15148 + jmp *pa(subarch_entries)(,%eax,4)
15149
15150 bad_subarch:
15151 WEAK(lguest_entry)
15152 @@ -255,10 +325,10 @@ WEAK(xen_entry)
15153 __INITDATA
15154
15155 subarch_entries:
15156 - .long default_entry /* normal x86/PC */
15157 - .long lguest_entry /* lguest hypervisor */
15158 - .long xen_entry /* Xen hypervisor */
15159 - .long default_entry /* Moorestown MID */
15160 + .long ta(default_entry) /* normal x86/PC */
15161 + .long ta(lguest_entry) /* lguest hypervisor */
15162 + .long ta(xen_entry) /* Xen hypervisor */
15163 + .long ta(default_entry) /* Moorestown MID */
15164 num_subarch_entries = (. - subarch_entries) / 4
15165 .previous
15166 #else
15167 @@ -312,6 +382,7 @@ default_entry:
15168 orl %edx,%eax
15169 movl %eax,%cr4
15170
15171 +#ifdef CONFIG_X86_PAE
15172 testb $X86_CR4_PAE, %al # check if PAE is enabled
15173 jz 6f
15174
15175 @@ -340,6 +411,9 @@ default_entry:
15176 /* Make changes effective */
15177 wrmsr
15178
15179 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15180 +#endif
15181 +
15182 6:
15183
15184 /*
15185 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
15186 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15187 movl %eax,%ss # after changing gdt.
15188
15189 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15190 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15191 movl %eax,%ds
15192 movl %eax,%es
15193
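Review bot: The replacement line `# movl $(__KERNEL_DS),%eax` leaves a commented-out instruction where the old load was, so `movl %eax,%ds` and `movl %eax,%es` now silently depend on %eax still holding __KERNEL_DS from the `%ss` reload two lines up. I would delete the dead instruction and state the dependency instead: `/* %eax still holds __KERNEL_DS from the %ss reload: DS/ES get the kernel segment */`.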
15194 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
15195 */
15196 cmpb $0,ready
15197 jne 1f
15198 - movl $gdt_page,%eax
15199 + movl $cpu_gdt_table,%eax
15200 movl $stack_canary,%ecx
15201 +#ifdef CONFIG_SMP
15202 + addl $__per_cpu_load,%ecx
15203 +#endif
15204 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15205 shrl $16, %ecx
15206 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15207 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15208 1:
15209 -#endif
15210 movl $(__KERNEL_STACK_CANARY),%eax
15211 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15212 + movl $(__USER_DS),%eax
15213 +#else
15214 + xorl %eax,%eax
15215 +#endif
15216 movl %eax,%gs
15217
15218 xorl %eax,%eax # Clear LDT
15219 @@ -558,22 +639,22 @@ early_page_fault:
15220 jmp early_fault
15221
15222 early_fault:
15223 - cld
15224 #ifdef CONFIG_PRINTK
15225 + cmpl $1,%ss:early_recursion_flag
15226 + je hlt_loop
15227 + incl %ss:early_recursion_flag
15228 + cld
15229 pusha
15230 movl $(__KERNEL_DS),%eax
15231 movl %eax,%ds
15232 movl %eax,%es
15233 - cmpl $2,early_recursion_flag
15234 - je hlt_loop
15235 - incl early_recursion_flag
15236 movl %cr2,%eax
15237 pushl %eax
15238 pushl %edx /* trapno */
15239 pushl $fault_msg
15240 call printk
15241 +; call dump_stack
15242 #endif
15243 - call dump_stack
15244 hlt_loop:
15245 hlt
15246 jmp hlt_loop
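Review bot: The line `; call dump_stack` is not commented out. GNU as on x86 treats `;` as a statement separator, and the ljmpq macro in entry_64.S in this same patch relies on that in `.byte 0x48; ljmp *1234f(%rip)`. dump_stack is therefore still called, now only under CONFIG_PRINTK. If the call is meant to be disabled, delete the line or write `/* call dump_stack */`; if it is meant to stay, drop the `;`. early_fault also now halts at `cmpl $1` while ignore_int in the next hunk keeps `$2`, and a short comment on why the thresholds differ would help.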
15247 @@ -581,8 +662,11 @@ hlt_loop:
15248 /* This is the default interrupt "handler" :-) */
15249 ALIGN
15250 ignore_int:
15251 - cld
15252 #ifdef CONFIG_PRINTK
15253 + cmpl $2,%ss:early_recursion_flag
15254 + je hlt_loop
15255 + incl %ss:early_recursion_flag
15256 + cld
15257 pushl %eax
15258 pushl %ecx
15259 pushl %edx
15260 @@ -591,9 +675,6 @@ ignore_int:
15261 movl $(__KERNEL_DS),%eax
15262 movl %eax,%ds
15263 movl %eax,%es
15264 - cmpl $2,early_recursion_flag
15265 - je hlt_loop
15266 - incl early_recursion_flag
15267 pushl 16(%esp)
15268 pushl 24(%esp)
15269 pushl 32(%esp)
15270 @@ -622,29 +703,43 @@ ENTRY(initial_code)
15271 /*
15272 * BSS section
15273 */
15274 -__PAGE_ALIGNED_BSS
15275 - .align PAGE_SIZE
15276 #ifdef CONFIG_X86_PAE
15277 +.section .initial_pg_pmd,"a",@progbits
15278 initial_pg_pmd:
15279 .fill 1024*KPMDS,4,0
15280 #else
15281 +.section .initial_page_table,"a",@progbits
15282 ENTRY(initial_page_table)
15283 .fill 1024,4,0
15284 #endif
15285 +.section .initial_pg_fixmap,"a",@progbits
15286 initial_pg_fixmap:
15287 .fill 1024,4,0
15288 +.section .empty_zero_page,"a",@progbits
15289 ENTRY(empty_zero_page)
15290 .fill 4096,1,0
15291 +.section .swapper_pg_dir,"a",@progbits
15292 ENTRY(swapper_pg_dir)
15293 +#ifdef CONFIG_X86_PAE
15294 + .fill 4,8,0
15295 +#else
15296 .fill 1024,4,0
15297 +#endif
15298 +
15299 +/*
15300 + * The IDT has to be page-aligned to simplify the Pentium
15301 + * F0 0F bug workaround.. We have a special link segment
15302 + * for this.
15303 + */
15304 +.section .idt,"a",@progbits
15305 +ENTRY(idt_table)
15306 + .fill 256,8,0
15307
15308 /*
15309 * This starts the data section.
15310 */
15311 #ifdef CONFIG_X86_PAE
15312 -__PAGE_ALIGNED_DATA
15313 - /* Page-aligned for the benefit of paravirt? */
15314 - .align PAGE_SIZE
15315 +.section .initial_page_table,"a",@progbits
15316 ENTRY(initial_page_table)
15317 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15318 # if KPMDS == 3
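Review bot: The tables under the `BSS section` comment are now emitted into `"a",@progbits` sections, so that comment is stale. The explicit `.align PAGE_SIZE` is gone as well, which leaves the page alignment of initial_page_table, swapper_pg_dir and idt_table to the linker script, and that script is not part of this hunk. I would update the comment to say where alignment is enforced, e.g. `/* page tables and IDT: one section each, page alignment comes from the linker script */`, after checking that the script really provides it. The PAE initial_page_table definition continues past this hunk.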
15319 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
15320 # error "Kernel PMDs should be 1, 2 or 3"
15321 # endif
15322 .align PAGE_SIZE /* needs to be page-sized too */
15323 +
15324 +#ifdef CONFIG_PAX_PER_CPU_PGD
15325 +ENTRY(cpu_pgd)
15326 + .rept NR_CPUS
15327 + .fill 4,8,0
15328 + .endr
15329 +#endif
15330 +
15331 #endif
15332
15333 .data
15334 .balign 4
15335 ENTRY(stack_start)
15336 - .long init_thread_union+THREAD_SIZE
15337 + .long init_thread_union+THREAD_SIZE-8
15338 +
15339 +ready: .byte 0
15340
15341 +.section .rodata,"a",@progbits
15342 early_recursion_flag:
15343 .long 0
15344
15345 -ready: .byte 0
15346 -
15347 int_msg:
15348 .asciz "Unknown interrupt or fault at: %p %p %p\n"
15349
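Review bot: `early_recursion_flag` now sits after `.section .rodata,"a",@progbits`, yet early_fault and ignore_int both modify it with `incl %ss:early_recursion_flag`. That works only while .rodata is still mapped writable. If ignore_int can run after read-only protection is applied (not determinable from this hunk), the increment itself would fault inside the handler. Keeping the counter in `.data` beside `ready: .byte 0` and moving the `.section .rodata` line down to just above `int_msg:` would keep the strings read-only without making the counter unwritable.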
15350 @@ -707,7 +811,7 @@ fault_msg:
15351 .word 0 # 32 bit align gdt_desc.address
15352 boot_gdt_descr:
15353 .word __BOOT_DS+7
15354 - .long boot_gdt - __PAGE_OFFSET
15355 + .long pa(boot_gdt)
15356
15357 .word 0 # 32-bit align idt_desc.address
15358 idt_descr:
15359 @@ -718,7 +822,7 @@ idt_descr:
15360 .word 0 # 32 bit align gdt_desc.address
15361 ENTRY(early_gdt_descr)
15362 .word GDT_ENTRIES*8-1
15363 - .long gdt_page /* Overwritten for secondary CPUs */
15364 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15365
15366 /*
15367 * The boot_gdt must mirror the equivalent in setup.S and is
15368 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
15369 .align L1_CACHE_BYTES
15370 ENTRY(boot_gdt)
15371 .fill GDT_ENTRY_BOOT_CS,8,0
15372 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15373 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15374 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15375 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15376 +
15377 + .align PAGE_SIZE_asm
15378 +ENTRY(cpu_gdt_table)
15379 + .rept NR_CPUS
15380 + .quad 0x0000000000000000 /* NULL descriptor */
15381 + .quad 0x0000000000000000 /* 0x0b reserved */
15382 + .quad 0x0000000000000000 /* 0x13 reserved */
15383 + .quad 0x0000000000000000 /* 0x1b reserved */
15384 +
15385 +#ifdef CONFIG_PAX_KERNEXEC
15386 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15387 +#else
15388 + .quad 0x0000000000000000 /* 0x20 unused */
15389 +#endif
15390 +
15391 + .quad 0x0000000000000000 /* 0x28 unused */
15392 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15393 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15394 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15395 + .quad 0x0000000000000000 /* 0x4b reserved */
15396 + .quad 0x0000000000000000 /* 0x53 reserved */
15397 + .quad 0x0000000000000000 /* 0x5b reserved */
15398 +
15399 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15400 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15401 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15402 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15403 +
15404 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15405 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15406 +
15407 + /*
15408 + * Segments used for calling PnP BIOS have byte granularity.
15409 + * The code segments and data segments have fixed 64k limits,
15410 + * the transfer segment sizes are set at run time.
15411 + */
15412 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15413 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15414 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15415 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15416 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15417 +
15418 + /*
15419 + * The APM segments have byte granularity and their bases
15420 + * are set at run time. All have 64k limits.
15421 + */
15422 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15423 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15424 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15425 +
15426 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15427 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15428 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
15429 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15430 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15431 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15432 +
15433 + /* Be sure this is zeroed to avoid false validations in Xen */
15434 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15435 + .endr
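Review bot: Every present code and data descriptor in cpu_gdt_table, and the two boot_gdt entries changed just above it, has the Accessed bit pre-set (`9b`/`93`/`fb`/`f3`/`91` where the old boot_gdt used `9a`/`92`), but nothing says why. Presumably this is so the CPU never has to write the bit back into a GDT page that may be mapped read-only. If so, a comment above `ENTRY(cpu_gdt_table)` such as `/* Accessed bit pre-set: the GDT may be read-only, so the CPU must not need to update it */` would stop a later cleanup from reverting the values. The leading `0x60`, `0x73`, … in the per-entry comments are selector values rather than byte offsets, which is worth stating once.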
15436 diff -urNp linux-2.6.39.2/arch/x86/kernel/head_64.S linux-2.6.39.2/arch/x86/kernel/head_64.S
15437 --- linux-2.6.39.2/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400
15438 +++ linux-2.6.39.2/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400
15439 @@ -19,6 +19,7 @@
15440 #include <asm/cache.h>
15441 #include <asm/processor-flags.h>
15442 #include <asm/percpu.h>
15443 +#include <asm/cpufeature.h>
15444
15445 #ifdef CONFIG_PARAVIRT
15446 #include <asm/asm-offsets.h>
15447 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15448 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15449 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15450 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15451 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15452 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15453 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15454 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15455
15456 .text
15457 __HEAD
15458 @@ -85,35 +90,22 @@ startup_64:
15459 */
15460 addq %rbp, init_level4_pgt + 0(%rip)
15461 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15462 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15463 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15464 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15465
15466 addq %rbp, level3_ident_pgt + 0(%rip)
15467 +#ifndef CONFIG_XEN
15468 + addq %rbp, level3_ident_pgt + 8(%rip)
15469 +#endif
15470
15471 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15472 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15473 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15474
15475 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15476 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15477 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15478
15479 - /* Add an Identity mapping if I am above 1G */
15480 - leaq _text(%rip), %rdi
15481 - andq $PMD_PAGE_MASK, %rdi
15482 -
15483 - movq %rdi, %rax
15484 - shrq $PUD_SHIFT, %rax
15485 - andq $(PTRS_PER_PUD - 1), %rax
15486 - jz ident_complete
15487 -
15488 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15489 - leaq level3_ident_pgt(%rip), %rbx
15490 - movq %rdx, 0(%rbx, %rax, 8)
15491 -
15492 - movq %rdi, %rax
15493 - shrq $PMD_SHIFT, %rax
15494 - andq $(PTRS_PER_PMD - 1), %rax
15495 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15496 - leaq level2_spare_pgt(%rip), %rbx
15497 - movq %rdx, 0(%rbx, %rax, 8)
15498 -ident_complete:
15499 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15500 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15501
15502 /*
15503 * Fixup the kernel text+data virtual addresses. Note that
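Review bot: With the "Add an Identity mapping if I am above 1G" block removed from startup_64, nothing in this hunk maps the kernel's own load address any more; the only identity coverage left is the static table, which the later level2_ident_pgt hunk sizes at `2*PTRS_PER_PMD` entries (the first 2G). A kernel loaded at a physical address above 2G would then appear to have no identity mapping when the early page tables are switched in, though the surrounding range checks are outside this hunk. If that limit is intended, a comment here such as `/* identity map is static and covers only the first 2G; higher load addresses are not supported */`, or an explicit compare that branches to `bad_address`, would make the restriction visible. startup_64 continues outside the hunk.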
15504 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
15505 * after the boot processor executes this code.
15506 */
15507
15508 - /* Enable PAE mode and PGE */
15509 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15510 + /* Enable PAE mode and PSE/PGE */
15511 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15512 movq %rax, %cr4
15513
15514 /* Setup early boot stage 4 level pagetables. */
15515 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
15516 movl $MSR_EFER, %ecx
15517 rdmsr
15518 btsl $_EFER_SCE, %eax /* Enable System Call */
15519 - btl $20,%edi /* No Execute supported? */
15520 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15521 jnc 1f
15522 btsl $_EFER_NX, %eax
15523 + leaq init_level4_pgt(%rip), %rdi
15524 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15525 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15526 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15527 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
15528 1: wrmsr /* Make changes effective */
15529
15530 /* Setup cr0 */
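Review bot: `btl $(X86_FEATURE_NX & 31),%edi` discards the word index of the feature constant, so it tests the right bit only while %edi holds the CPUID word that X86_FEATURE_NX belongs to; the instruction that loads %edi is outside this hunk. A comment such as `/* assumes %edi = CPUID 0x80000001 EDX, loaded earlier */` would pin that assumption. The added `leaq init_level4_pgt(%rip), %rdi` then overwrites the CPUID result, which is fine only if nothing after label `1:` reads %edi again. That is worth confirming, since this path runs on every CPU that enters secondary_startup_64.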
15531 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
15532 bad_address:
15533 jmp bad_address
15534
15535 - .section ".init.text","ax"
15536 + __INIT
15537 #ifdef CONFIG_EARLY_PRINTK
15538 .globl early_idt_handlers
15539 early_idt_handlers:
15540 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
15541 #endif /* EARLY_PRINTK */
15542 1: hlt
15543 jmp 1b
15544 + .previous
15545
15546 #ifdef CONFIG_EARLY_PRINTK
15547 + __INITDATA
15548 early_recursion_flag:
15549 .long 0
15550 + .previous
15551
15552 + .section .rodata,"a",@progbits
15553 early_idt_msg:
15554 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15555 early_idt_ripmsg:
15556 .asciz "RIP %s\n"
15557 -#endif /* CONFIG_EARLY_PRINTK */
15558 .previous
15559 +#endif /* CONFIG_EARLY_PRINTK */
15560
15561 + .section .rodata,"a",@progbits
15562 #define NEXT_PAGE(name) \
15563 .balign PAGE_SIZE; \
15564 ENTRY(name)
15565 @@ -338,7 +340,6 @@ ENTRY(name)
15566 i = i + 1 ; \
15567 .endr
15568
15569 - .data
15570 /*
15571 * This default setting generates an ident mapping at address 0x100000
15572 * and a mapping for the kernel that precisely maps virtual address
15573 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
15574 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15575 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15576 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15577 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15578 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15579 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15580 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15581 .org init_level4_pgt + L4_START_KERNEL*8, 0
15582 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15583 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15584
15585 +#ifdef CONFIG_PAX_PER_CPU_PGD
15586 +NEXT_PAGE(cpu_pgd)
15587 + .rept NR_CPUS
15588 + .fill 512,8,0
15589 + .endr
15590 +#endif
15591 +
15592 NEXT_PAGE(level3_ident_pgt)
15593 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15594 +#ifdef CONFIG_XEN
15595 .fill 511,8,0
15596 +#else
15597 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15598 + .fill 510,8,0
15599 +#endif
15600 +
15601 +NEXT_PAGE(level3_vmalloc_pgt)
15602 + .fill 512,8,0
15603 +
15604 +NEXT_PAGE(level3_vmemmap_pgt)
15605 + .fill L3_VMEMMAP_START,8,0
15606 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15607
15608 NEXT_PAGE(level3_kernel_pgt)
15609 .fill L3_START_KERNEL,8,0
15610 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
15611 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15612 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15613
15614 +NEXT_PAGE(level2_vmemmap_pgt)
15615 + .fill 512,8,0
15616 +
15617 NEXT_PAGE(level2_fixmap_pgt)
15618 - .fill 506,8,0
15619 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15620 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15621 - .fill 5,8,0
15622 + .fill 507,8,0
15623 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15624 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15625 + .fill 4,8,0
15626
15627 -NEXT_PAGE(level1_fixmap_pgt)
15628 +NEXT_PAGE(level1_vsyscall_pgt)
15629 .fill 512,8,0
15630
15631 -NEXT_PAGE(level2_ident_pgt)
15632 - /* Since I easily can, map the first 1G.
15633 + /* Since I easily can, map the first 2G.
15634 * Don't set NX because code runs from these pages.
15635 */
15636 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15637 +NEXT_PAGE(level2_ident_pgt)
15638 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15639
15640 NEXT_PAGE(level2_kernel_pgt)
15641 /*
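Review bot: The new level2_fixmap_pgt layout leaves entry 506 empty, yet the startup_64 hunk earlier in this file still applies `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)`. Here `.fill 507,8,0` zeroes indices 0 to 506 and the only populated slot is 507 (level1_vsyscall_pgt). If %rbp is the relocation delta, as the surrounding fixups suggest, a relocated kernel would turn the empty slot into a non-zero, non-present value that later page-table code may treat as a bad entry rather than an empty one. Either drop the 506 fixup or, if another table is meant to sit at 506, add its `.quad` here; as far as these hunks show, only the 507 fixup has a matching entry.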
15642 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
15643 * If you want to increase this then increase MODULES_VADDR
15644 * too.)
15645 */
15646 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15647 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15648 -
15649 -NEXT_PAGE(level2_spare_pgt)
15650 - .fill 512, 8, 0
15651 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15652
15653 #undef PMDS
15654 #undef NEXT_PAGE
15655
15656 - .data
15657 + .align PAGE_SIZE
15658 +ENTRY(cpu_gdt_table)
15659 + .rept NR_CPUS
15660 + .quad 0x0000000000000000 /* NULL descriptor */
15661 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15662 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15663 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15664 + .quad 0x00cffb000000ffff /* __USER32_CS */
15665 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15666 + .quad 0x00affb000000ffff /* __USER_CS */
15667 +
15668 +#ifdef CONFIG_PAX_KERNEXEC
15669 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15670 +#else
15671 + .quad 0x0 /* unused */
15672 +#endif
15673 +
15674 + .quad 0,0 /* TSS */
15675 + .quad 0,0 /* LDT */
15676 + .quad 0,0,0 /* three TLS descriptors */
15677 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15678 + /* asm/segment.h:GDT_ENTRIES must match this */
15679 +
15680 + /* zero the remaining page */
15681 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15682 + .endr
15683 +
15684 .align 16
15685 .globl early_gdt_descr
15686 early_gdt_descr:
15687 .word GDT_ENTRIES*8-1
15688 early_gdt_descr_base:
15689 - .quad INIT_PER_CPU_VAR(gdt_page)
15690 + .quad cpu_gdt_table
15691
15692 ENTRY(phys_base)
15693 /* This must match the first entry in level2_kernel_pgt */
15694 .quad 0x0000000000000000
15695
15696 #include "../../x86/xen/xen-head.S"
15697 -
15698 - .section .bss, "aw", @nobits
15699 +
15700 + .section .rodata,"a",@progbits
15701 .align L1_CACHE_BYTES
15702 ENTRY(idt_table)
15703 - .skip IDT_ENTRIES * 16
15704 + .fill 512,8,0
15705
15706 __PAGE_ALIGNED_BSS
15707 .align PAGE_SIZE
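Review bot: `.fill 512,8,0` for idt_table replaces `.skip IDT_ENTRIES * 16` with a bare count, so the table size no longer follows IDT_ENTRIES if that constant changes. `.fill IDT_ENTRIES*2,8,0` reserves the same number of bytes and keeps the link to the constant. Because the table now lives in `.rodata` instead of `.bss`, its writers are presumably expected to bracket updates with `pax_open_kernel()` / `pax_close_kernel()`. Those writers are not in this file, so a one-line comment at the definition saying so would help.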
15708 diff -urNp linux-2.6.39.2/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.2/arch/x86/kernel/i386_ksyms_32.c
15709 --- linux-2.6.39.2/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400
15710 +++ linux-2.6.39.2/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400
15711 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15712 EXPORT_SYMBOL(cmpxchg8b_emu);
15713 #endif
15714
15715 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15716 +
15717 /* Networking helper routines. */
15718 EXPORT_SYMBOL(csum_partial_copy_generic);
15719 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15720 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15721
15722 EXPORT_SYMBOL(__get_user_1);
15723 EXPORT_SYMBOL(__get_user_2);
15724 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15725
15726 EXPORT_SYMBOL(csum_partial);
15727 EXPORT_SYMBOL(empty_zero_page);
15728 +
15729 +#ifdef CONFIG_PAX_KERNEXEC
15730 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15731 +#endif
15732 diff -urNp linux-2.6.39.2/arch/x86/kernel/i8259.c linux-2.6.39.2/arch/x86/kernel/i8259.c
15733 --- linux-2.6.39.2/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400
15734 +++ linux-2.6.39.2/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400
15735 @@ -210,7 +210,7 @@ spurious_8259A_irq:
15736 "spurious 8259A interrupt: IRQ%d.\n", irq);
15737 spurious_irq_mask |= irqmask;
15738 }
15739 - atomic_inc(&irq_err_count);
15740 + atomic_inc_unchecked(&irq_err_count);
15741 /*
15742 * Theoretically we do not have to handle this IRQ,
15743 * but in Linux this does not cause problems and is
15744 diff -urNp linux-2.6.39.2/arch/x86/kernel/init_task.c linux-2.6.39.2/arch/x86/kernel/init_task.c
15745 --- linux-2.6.39.2/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400
15746 +++ linux-2.6.39.2/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400
15747 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15748 * way process stacks are handled. This is done by having a special
15749 * "init_task" linker map entry..
15750 */
15751 -union thread_union init_thread_union __init_task_data =
15752 - { INIT_THREAD_INFO(init_task) };
15753 +union thread_union init_thread_union __init_task_data;
15754
15755 /*
15756 * Initial task structure.
15757 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15758 * section. Since TSS's are completely CPU-local, we want them
15759 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15760 */
15761 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15762 -
15763 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15764 +EXPORT_SYMBOL(init_tss);
15765 diff -urNp linux-2.6.39.2/arch/x86/kernel/ioport.c linux-2.6.39.2/arch/x86/kernel/ioport.c
15766 --- linux-2.6.39.2/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
15767 +++ linux-2.6.39.2/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400
15768 @@ -6,6 +6,7 @@
15769 #include <linux/sched.h>
15770 #include <linux/kernel.h>
15771 #include <linux/capability.h>
15772 +#include <linux/security.h>
15773 #include <linux/errno.h>
15774 #include <linux/types.h>
15775 #include <linux/ioport.h>
15776 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
15777
15778 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15779 return -EINVAL;
15780 +#ifdef CONFIG_GRKERNSEC_IO
15781 + if (turn_on && grsec_disable_privio) {
15782 + gr_handle_ioperm();
15783 + return -EPERM;
15784 + }
15785 +#endif
15786 if (turn_on && !capable(CAP_SYS_RAWIO))
15787 return -EPERM;
15788
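Review bot: The `grsec_disable_privio` test sits in front of `capable(CAP_SYS_RAWIO)`, so with the switch set `gr_handle_ioperm()` runs for every caller, including ones that would have been refused anyway for lacking the capability; the sys_iopl hunk further down has the same shape with `gr_handle_iopl()`. If that ordering is deliberate, say so in a comment, e.g. `/* checked before capable() so every attempt is reported, privileged or not */`. The handler's body is not in this file, so it is worth confirming that it is rate-limited, since each repeated call from an unprivileged process would otherwise produce an event. sys_ioperm's body continues outside the hunk.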
15789 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
15790 * because the ->io_bitmap_max value must match the bitmap
15791 * contents:
15792 */
15793 - tss = &per_cpu(init_tss, get_cpu());
15794 + tss = init_tss + get_cpu();
15795
15796 if (turn_on)
15797 bitmap_clear(t->io_bitmap_ptr, from, num);
15798 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
15799 return -EINVAL;
15800 /* Trying to gain more privileges? */
15801 if (level > old) {
15802 +#ifdef CONFIG_GRKERNSEC_IO
15803 + if (grsec_disable_privio) {
15804 + gr_handle_iopl();
15805 + return -EPERM;
15806 + }
15807 +#endif
15808 if (!capable(CAP_SYS_RAWIO))
15809 return -EPERM;
15810 }
15811 diff -urNp linux-2.6.39.2/arch/x86/kernel/irq_32.c linux-2.6.39.2/arch/x86/kernel/irq_32.c
15812 --- linux-2.6.39.2/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400
15813 +++ linux-2.6.39.2/arch/x86/kernel/irq_32.c 2011-05-22 19:36:30.000000000 -0400
15814 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
15815 __asm__ __volatile__("andl %%esp,%0" :
15816 "=r" (sp) : "0" (THREAD_SIZE - 1));
15817
15818 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15819 + return sp < STACK_WARN;
15820 }
15821
15822 static void print_stack_overflow(void)
15823 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
15824 * per-CPU IRQ handling contexts (thread information and stack)
15825 */
15826 union irq_ctx {
15827 - struct thread_info tinfo;
15828 - u32 stack[THREAD_SIZE/sizeof(u32)];
15829 + unsigned long previous_esp;
15830 + u32 stack[THREAD_SIZE/sizeof(u32)];
15831 } __attribute__((aligned(THREAD_SIZE)));
15832
15833 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15834 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
15835 static inline int
15836 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15837 {
15838 - union irq_ctx *curctx, *irqctx;
15839 + union irq_ctx *irqctx;
15840 u32 *isp, arg1, arg2;
15841
15842 - curctx = (union irq_ctx *) current_thread_info();
15843 irqctx = __this_cpu_read(hardirq_ctx);
15844
15845 /*
15846 @@ -87,21 +86,17 @@ execute_on_irq_stack(int overflow, struc
15847 * handler) we can't do that and just have to keep using the
15848 * current stack (which is the irq stack already after all)
15849 */
15850 - if (unlikely(curctx == irqctx))
15851 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15852 return 0;
15853
15854 /* build the stack frame on the IRQ stack */
15855 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15856 - irqctx->tinfo.task = curctx->tinfo.task;
15857 - irqctx->tinfo.previous_esp = current_stack_pointer;
15858 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15859 + irqctx->previous_esp = current_stack_pointer;
15860 + add_preempt_count(HARDIRQ_OFFSET);
15861
15862 - /*
15863 - * Copy the softirq bits in preempt_count so that the
15864 - * softirq checks work in the hardirq context.
15865 - */
15866 - irqctx->tinfo.preempt_count =
15867 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15868 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15869 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15870 + __set_fs(MAKE_MM_SEG(0));
15871 +#endif
15872
15873 if (unlikely(overflow))
15874 call_on_stack(print_stack_overflow, isp);
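Review bot: The on-IRQ-stack test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` subtracts two `void *` values, which is a GNU extension and yields a signed difference. It rejects a stack pointer below `irqctx` only if THREAD_SIZE has an unsigned type, so that the negative difference converts to a large value; THREAD_SIZE's definition is not visible here. Spelling the intent out removes that dependency: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. execute_on_irq_stack starts and ends outside this hunk.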
15875 @@ -113,6 +108,12 @@ execute_on_irq_stack(int overflow, struc
15876 : "0" (irq), "1" (desc), "2" (isp),
15877 "D" (desc->handle_irq)
15878 : "memory", "cc", "ecx");
15879 +
15880 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15881 + __set_fs(current_thread_info()->addr_limit);
15882 +#endif
15883 +
15884 + sub_preempt_count(HARDIRQ_OFFSET);
15885 return 1;
15886 }
15887
15888 @@ -121,29 +122,11 @@ execute_on_irq_stack(int overflow, struc
15889 */
15890 void __cpuinit irq_ctx_init(int cpu)
15891 {
15892 - union irq_ctx *irqctx;
15893 -
15894 if (per_cpu(hardirq_ctx, cpu))
15895 return;
15896
15897 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15898 - THREAD_FLAGS,
15899 - THREAD_ORDER));
15900 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15901 - irqctx->tinfo.cpu = cpu;
15902 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15903 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15904 -
15905 - per_cpu(hardirq_ctx, cpu) = irqctx;
15906 -
15907 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15908 - THREAD_FLAGS,
15909 - THREAD_ORDER));
15910 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15911 - irqctx->tinfo.cpu = cpu;
15912 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15913 -
15914 - per_cpu(softirq_ctx, cpu) = irqctx;
15915 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15916 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15917
15918 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15919 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
15920 @@ -152,7 +135,6 @@ void __cpuinit irq_ctx_init(int cpu)
15921 asmlinkage void do_softirq(void)
15922 {
15923 unsigned long flags;
15924 - struct thread_info *curctx;
15925 union irq_ctx *irqctx;
15926 u32 *isp;
15927
15928 @@ -162,15 +144,22 @@ asmlinkage void do_softirq(void)
15929 local_irq_save(flags);
15930
15931 if (local_softirq_pending()) {
15932 - curctx = current_thread_info();
15933 irqctx = __this_cpu_read(softirq_ctx);
15934 - irqctx->tinfo.task = curctx->task;
15935 - irqctx->tinfo.previous_esp = current_stack_pointer;
15936 + irqctx->previous_esp = current_stack_pointer;
15937
15938 /* build the stack frame on the softirq stack */
15939 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15940 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15941 +
15942 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15943 + __set_fs(MAKE_MM_SEG(0));
15944 +#endif
15945
15946 call_on_stack(__do_softirq, isp);
15947 +
15948 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15949 + __set_fs(current_thread_info()->addr_limit);
15950 +#endif
15951 +
15952 /*
15953 * Shouldn't happen, we returned above if in_interrupt():
15954 */
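Review bot: `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8)` lowers the initial softirq stack pointer by an unexplained 8 bytes, and the same constant appears in execute_on_irq_stack in the earlier hunk. A comment stating what the two reserved words at the top of the IRQ stack are for, or a named constant shared by both sites, would keep the two in step. The `__set_fs(MAKE_MM_SEG(0))` / `__set_fs(current_thread_info()->addr_limit)` pair around `call_on_stack()` also deserves a line such as `/* run with addr_limit 0, as the old irqctx->tinfo did; restore the task's limit afterwards */`. do_softirq continues outside the hunk.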
15955 diff -urNp linux-2.6.39.2/arch/x86/kernel/irq.c linux-2.6.39.2/arch/x86/kernel/irq.c
15956 --- linux-2.6.39.2/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400
15957 +++ linux-2.6.39.2/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400
15958 @@ -17,7 +17,7 @@
15959 #include <asm/mce.h>
15960 #include <asm/hw_irq.h>
15961
15962 -atomic_t irq_err_count;
15963 +atomic_unchecked_t irq_err_count;
15964
15965 /* Function pointer for generic interrupt vector handling */
15966 void (*x86_platform_ipi_callback)(void) = NULL;
15967 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
15968 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
15969 seq_printf(p, " Machine check polls\n");
15970 #endif
15971 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
15972 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
15973 #if defined(CONFIG_X86_IO_APIC)
15974 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
15975 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
15976 #endif
15977 return 0;
15978 }
15979 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
15980
15981 u64 arch_irq_stat(void)
15982 {
15983 - u64 sum = atomic_read(&irq_err_count);
15984 + u64 sum = atomic_read_unchecked(&irq_err_count);
15985
15986 #ifdef CONFIG_X86_IO_APIC
15987 - sum += atomic_read(&irq_mis_count);
15988 + sum += atomic_read_unchecked(&irq_mis_count);
15989 #endif
15990 return sum;
15991 }
15992 diff -urNp linux-2.6.39.2/arch/x86/kernel/kgdb.c linux-2.6.39.2/arch/x86/kernel/kgdb.c
15993 --- linux-2.6.39.2/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
15994 +++ linux-2.6.39.2/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
15995 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
15996 #ifdef CONFIG_X86_32
15997 switch (regno) {
15998 case GDB_SS:
15999 - if (!user_mode_vm(regs))
16000 + if (!user_mode(regs))
16001 *(unsigned long *)mem = __KERNEL_DS;
16002 break;
16003 case GDB_SP:
16004 - if (!user_mode_vm(regs))
16005 + if (!user_mode(regs))
16006 *(unsigned long *)mem = kernel_stack_pointer(regs);
16007 break;
16008 case GDB_GS:
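Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in the GDB_SS and GDB_SP cases is safe only if `user_mode()` has been redefined elsewhere in this patch to also recognise vm86 frames; in the unpatched 32-bit kernel the plain macro looks only at the CS privilege bits. That definition is not visible in this file's hunks, and the kprobe_exceptions_notify hunk in kprobes.c makes the same substitution. Without the redefinition, a vm86 frame would be treated as kernel mode and `kernel_stack_pointer(regs)` reported for it. A comment such as `/* user_mode() covers vm86 here, see its definition */` would record the dependency. dbg_get_reg continues outside the hunk.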
16009 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
16010 case 'k':
16011 /* clear the trace bit */
16012 linux_regs->flags &= ~X86_EFLAGS_TF;
16013 - atomic_set(&kgdb_cpu_doing_single_step, -1);
16014 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16015
16016 /* set the trace bit if we're stepping */
16017 if (remcomInBuffer[0] == 's') {
16018 linux_regs->flags |= X86_EFLAGS_TF;
16019 - atomic_set(&kgdb_cpu_doing_single_step,
16020 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16021 raw_smp_processor_id());
16022 }
16023
16024 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
16025 return NOTIFY_DONE;
16026
16027 case DIE_DEBUG:
16028 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
16029 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
16030 if (user_mode(regs))
16031 return single_step_cont(regs, args);
16032 break;
16033 @@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
16034 regs->ip = ip;
16035 }
16036
16037 -struct kgdb_arch arch_kgdb_ops = {
16038 +const struct kgdb_arch arch_kgdb_ops = {
16039 /* Breakpoint instruction: */
16040 .gdb_bpt_instr = { 0xcc },
16041 .flags = KGDB_HW_BREAKPOINT,
16042 diff -urNp linux-2.6.39.2/arch/x86/kernel/kprobes.c linux-2.6.39.2/arch/x86/kernel/kprobes.c
16043 --- linux-2.6.39.2/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
16044 +++ linux-2.6.39.2/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400
16045 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
16046 } __attribute__((packed)) *insn;
16047
16048 insn = (struct __arch_relative_insn *)from;
16049 +
16050 + pax_open_kernel();
16051 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
16052 insn->op = op;
16053 + pax_close_kernel();
16054 }
16055
16056 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
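Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around the two stores to `insn` carries no comment saying why this buffer needs kernel write protection lifted, and the same bracket is added without explanation in both __copy_instruction hunks below. A line such as `/* 'from' may point into write-protected kernel memory under KERNEXEC */` would tell the next reader what is being written; that wording is inferred from the config names elsewhere in the patch and should be confirmed against the helpers' definitions. Keeping only the stores themselves inside the bracket, as done here, is the right shape and worth stating as the rule for the other sites.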
16057 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
16058 kprobe_opcode_t opcode;
16059 kprobe_opcode_t *orig_opcodes = opcodes;
16060
16061 - if (search_exception_tables((unsigned long)opcodes))
16062 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16063 return 0; /* Page fault may occur on this address. */
16064
16065 retry:
16066 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
16067 }
16068 }
16069 insn_get_length(&insn);
16070 + pax_open_kernel();
16071 memcpy(dest, insn.kaddr, insn.length);
16072 + pax_close_kernel();
16073
16074 #ifdef CONFIG_X86_64
16075 if (insn_rip_relative(&insn)) {
16076 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
16077 (u8 *) dest;
16078 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
16079 disp = (u8 *) dest + insn_offset_displacement(&insn);
16080 + pax_open_kernel();
16081 *(s32 *) disp = (s32) newdisp;
16082 + pax_close_kernel();
16083 }
16084 #endif
16085 return insn.length;
16086 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
16087 */
16088 __copy_instruction(p->ainsn.insn, p->addr, 0);
16089
16090 - if (can_boost(p->addr))
16091 + if (can_boost(ktla_ktva(p->addr)))
16092 p->ainsn.boostable = 0;
16093 else
16094 p->ainsn.boostable = -1;
16095
16096 - p->opcode = *p->addr;
16097 + p->opcode = *(ktla_ktva(p->addr));
16098 }
16099
16100 int __kprobes arch_prepare_kprobe(struct kprobe *p)
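Review bot: `can_boost(ktla_ktva(p->addr))` and `*(ktla_ktva(p->addr))` pass a `kprobe_opcode_t *` straight into `ktla_ktva()` and use the result as a pointer, whereas the kprobe_handler hunk writes `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)` and the setup_singlestep hunks cast to `unsigned long` first. Whether the uncast form yields the intended address depends on how `ktla_ktva()` is defined, which is not shown here. If the macro adds a byte offset, arithmetic on a typed pointer would scale it by the element size. Using one form throughout, e.g. `p->opcode = *(kprobe_opcode_t *)ktla_ktva((unsigned long)p->addr);`, removes the ambiguity. arch_copy_kprobe starts outside the hunk.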
16101 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
16102 * nor set current_kprobe, because it doesn't use single
16103 * stepping.
16104 */
16105 - regs->ip = (unsigned long)p->ainsn.insn;
16106 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16107 preempt_enable_no_resched();
16108 return;
16109 }
16110 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
16111 if (p->opcode == BREAKPOINT_INSTRUCTION)
16112 regs->ip = (unsigned long)p->addr;
16113 else
16114 - regs->ip = (unsigned long)p->ainsn.insn;
16115 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16116 }
16117
16118 /*
16119 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
16120 setup_singlestep(p, regs, kcb, 0);
16121 return 1;
16122 }
16123 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
16124 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16125 /*
16126 * The breakpoint instruction was removed right
16127 * after we hit it. Another cpu has removed
16128 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
16129 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16130 {
16131 unsigned long *tos = stack_addr(regs);
16132 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16133 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16134 unsigned long orig_ip = (unsigned long)p->addr;
16135 kprobe_opcode_t *insn = p->ainsn.insn;
16136
16137 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
16138 struct die_args *args = data;
16139 int ret = NOTIFY_DONE;
16140
16141 - if (args->regs && user_mode_vm(args->regs))
16142 + if (args->regs && user_mode(args->regs))
16143 return ret;
16144
16145 switch (val) {
16146 @@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr
16147 * Verify if the address gap is in 2GB range, because this uses
16148 * a relative jump.
16149 */
16150 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
16151 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
16152 if (abs(rel) > 0x7fffffff)
16153 return -ERANGE;
16154
16155 @@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr
16156 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
16157
16158 /* Set probe function call */
16159 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
16160 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
16161
16162 /* Set returning jmp instruction at the tail of out-of-line buffer */
16163 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
16164 - (u8 *)op->kp.addr + op->optinsn.size);
16165 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
16166
16167 flush_icache_range((unsigned long) buf,
16168 (unsigned long) buf + TMPL_END_IDX +
16169 @@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr
16170 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
16171
16172 /* Backup instructions which will be replaced by jump address */
16173 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
16174 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
16175 RELATIVE_ADDR_SIZE);
16176
16177 insn_buf[0] = RELATIVEJUMP_OPCODE;
16178 diff -urNp linux-2.6.39.2/arch/x86/kernel/ldt.c linux-2.6.39.2/arch/x86/kernel/ldt.c
16179 --- linux-2.6.39.2/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400
16180 +++ linux-2.6.39.2/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400
16181 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
16182 if (reload) {
16183 #ifdef CONFIG_SMP
16184 preempt_disable();
16185 - load_LDT(pc);
16186 + load_LDT_nolock(pc);
16187 if (!cpumask_equal(mm_cpumask(current->mm),
16188 cpumask_of(smp_processor_id())))
16189 smp_call_function(flush_ldt, current->mm, 1);
16190 preempt_enable();
16191 #else
16192 - load_LDT(pc);
16193 + load_LDT_nolock(pc);
16194 #endif
16195 }
16196 if (oldsize) {
16197 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
16198 return err;
16199
16200 for (i = 0; i < old->size; i++)
16201 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16202 + write_ldt_entry(new->ldt, i, old->ldt + i);
16203 return 0;
16204 }
16205
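Review bot: `old->ldt + i` is a correct stride only if `ldt` is now a pointer to an 8-byte descriptor type; the old expression `old->ldt + i * LDT_ENTRY_SIZE` implies it was a byte-granular pointer, and the type change is not in this file's hunks. If the field were still `void *`, this loop would copy entries from overlapping one-byte offsets. A `BUILD_BUG_ON(sizeof(*old->ldt) != LDT_ENTRY_SIZE);` ahead of the loop would turn that assumption into a compile-time check. copy_ldt starts outside the hunk.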
16206 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
16207 retval = copy_ldt(&mm->context, &old_mm->context);
16208 mutex_unlock(&old_mm->context.lock);
16209 }
16210 +
16211 + if (tsk == current) {
16212 + mm->context.vdso = 0;
16213 +
16214 +#ifdef CONFIG_X86_32
16215 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16216 + mm->context.user_cs_base = 0UL;
16217 + mm->context.user_cs_limit = ~0UL;
16218 +
16219 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16220 + cpus_clear(mm->context.cpu_user_cs_mask);
16221 +#endif
16222 +
16223 +#endif
16224 +#endif
16225 +
16226 + }
16227 +
16228 return retval;
16229 }
16230
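Review bot: The new `if (tsk == current)` block resets `mm->context.vdso` and the `user_cs_*` fields without saying which callers reach init_new_context with the current task, or why the fields are left alone otherwise. A comment above the block, for example `/* fresh mm for the current task: start with no vdso and an unrestricted user CS */`, would document the intent; that wording is a guess from the assignments and needs confirming. The block also runs when `retval` is already negative from `copy_ldt()`, which looks harmless but is worth a note. init_new_context starts outside the hunk.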
16231 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
16232 }
16233 }
16234
16235 +#ifdef CONFIG_PAX_SEGMEXEC
16236 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16237 + error = -EINVAL;
16238 + goto out_unlock;
16239 + }
16240 +#endif
16241 +
16242 fill_ldt(&ldt, &ldt_info);
16243 if (oldmode)
16244 ldt.avl = 0;
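Review bot: The SEGMEXEC check rejects any entry whose `ldt_info.contents` has `MODIFY_LDT_CONTENTS_CODE` set, but nothing here says why user-installed code segments are refused or why the result is `-EINVAL` rather than `-EPERM`. A comment such as `/* SEGMEXEC relies on the user code segment limit; do not let a task install its own code segment */` would record the reasoning; this is inferred from the feature name and should be confirmed. The check also jumps to `out_unlock`, a label defined outside this hunk, so it is worth confirming that no allocation made earlier in write_ldt is left behind on that path.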
16245 diff -urNp linux-2.6.39.2/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.2/arch/x86/kernel/machine_kexec_32.c
16246 --- linux-2.6.39.2/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400
16247 +++ linux-2.6.39.2/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400
16248 @@ -27,7 +27,7 @@
16249 #include <asm/cacheflush.h>
16250 #include <asm/debugreg.h>
16251
16252 -static void set_idt(void *newidt, __u16 limit)
16253 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16254 {
16255 struct desc_ptr curidt;
16256
16257 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
16258 }
16259
16260
16261 -static void set_gdt(void *newgdt, __u16 limit)
16262 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16263 {
16264 struct desc_ptr curgdt;
16265
16266 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16267 }
16268
16269 control_page = page_address(image->control_code_page);
16270 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16271 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16272
16273 relocate_kernel_ptr = control_page;
16274 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16275 diff -urNp linux-2.6.39.2/arch/x86/kernel/microcode_amd.c linux-2.6.39.2/arch/x86/kernel/microcode_amd.c
16276 --- linux-2.6.39.2/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400
16277 +++ linux-2.6.39.2/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400
16278 @@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c
16279 uci->mc = NULL;
16280 }
16281
16282 -static struct microcode_ops microcode_amd_ops = {
16283 +static const struct microcode_ops microcode_amd_ops = {
16284 .request_microcode_user = request_microcode_user,
16285 .request_microcode_fw = request_microcode_amd,
16286 .collect_cpu_info = collect_cpu_info_amd,
16287 @@ -347,7 +347,7 @@ static struct microcode_ops microcode_am
16288 .microcode_fini_cpu = microcode_fini_cpu_amd,
16289 };
16290
16291 -struct microcode_ops * __init init_amd_microcode(void)
16292 +const struct microcode_ops * __init init_amd_microcode(void)
16293 {
16294 return &microcode_amd_ops;
16295 }
16296 diff -urNp linux-2.6.39.2/arch/x86/kernel/microcode_core.c linux-2.6.39.2/arch/x86/kernel/microcode_core.c
16297 --- linux-2.6.39.2/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400
16298 +++ linux-2.6.39.2/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400
16299 @@ -93,7 +93,7 @@ MODULE_LICENSE("GPL");
16300
16301 #define MICROCODE_VERSION "2.00"
16302
16303 -static struct microcode_ops *microcode_ops;
16304 +static const struct microcode_ops *microcode_ops;
16305
16306 /*
16307 * Synchronization.
16308 diff -urNp linux-2.6.39.2/arch/x86/kernel/microcode_intel.c linux-2.6.39.2/arch/x86/kernel/microcode_intel.c
16309 --- linux-2.6.39.2/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400
16310 +++ linux-2.6.39.2/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400
16311 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
16312
16313 static int get_ucode_user(void *to, const void *from, size_t n)
16314 {
16315 - return copy_from_user(to, from, n);
16316 + return copy_from_user(to, (__force const void __user *)from, n);
16317 }
16318
16319 static enum ucode_state
16320 request_microcode_user(int cpu, const void __user *buf, size_t size)
16321 {
16322 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16323 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
16324 }
16325
16326 static void microcode_fini_cpu(int cpu)
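Review bot: The two `__force` casts in `get_ucode_user()` and `request_microcode_user()` silence the address-space annotation check without recording why that is safe. As far as the hunk shows, the user pointer is cast to a plain `void *` only so it can pass through `generic_load_microcode()`, and it is cast back to `__user` inside the callback before `copy_from_user()`. A comment would keep a later change from dereferencing it directly, for example `/* buf is a user pointer carried opaquely; it is only ever read via get_ucode_user() */`. Whether `generic_load_microcode()` touches the pointer itself is not visible here.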
16327 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
16328 uci->mc = NULL;
16329 }
16330
16331 -static struct microcode_ops microcode_intel_ops = {
16332 +static const struct microcode_ops microcode_intel_ops = {
16333 .request_microcode_user = request_microcode_user,
16334 .request_microcode_fw = request_microcode_fw,
16335 .collect_cpu_info = collect_cpu_info,
16336 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
16337 .microcode_fini_cpu = microcode_fini_cpu,
16338 };
16339
16340 -struct microcode_ops * __init init_intel_microcode(void)
16341 +const struct microcode_ops * __init init_intel_microcode(void)
16342 {
16343 return &microcode_intel_ops;
16344 }
16345 diff -urNp linux-2.6.39.2/arch/x86/kernel/module.c linux-2.6.39.2/arch/x86/kernel/module.c
16346 --- linux-2.6.39.2/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
16347 +++ linux-2.6.39.2/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
16348 @@ -35,21 +35,66 @@
16349 #define DEBUGP(fmt...)
16350 #endif
16351
16352 -void *module_alloc(unsigned long size)
16353 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
16354 {
16355 if (PAGE_ALIGN(size) > MODULES_LEN)
16356 return NULL;
16357 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
16358 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
16359 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
16360 -1, __builtin_return_address(0));
16361 }
16362
16363 +void *module_alloc(unsigned long size)
16364 +{
16365 +
16366 +#ifdef CONFIG_PAX_KERNEXEC
16367 + return __module_alloc(size, PAGE_KERNEL);
16368 +#else
16369 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16370 +#endif
16371 +
16372 +}
16373 +
16374 /* Free memory returned from module_alloc */
16375 void module_free(struct module *mod, void *module_region)
16376 {
16377 vfree(module_region);
16378 }
16379
16380 +#ifdef CONFIG_PAX_KERNEXEC
16381 +#ifdef CONFIG_X86_32
16382 +void *module_alloc_exec(unsigned long size)
16383 +{
16384 + struct vm_struct *area;
16385 +
16386 + if (size == 0)
16387 + return NULL;
16388 +
16389 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16390 + return area ? area->addr : NULL;
16391 +}
16392 +EXPORT_SYMBOL(module_alloc_exec);
16393 +
16394 +void module_free_exec(struct module *mod, void *module_region)
16395 +{
16396 + vunmap(module_region);
16397 +}
16398 +EXPORT_SYMBOL(module_free_exec);
16399 +#else
16400 +void module_free_exec(struct module *mod, void *module_region)
16401 +{
16402 + module_free(mod, module_region);
16403 +}
16404 +EXPORT_SYMBOL(module_free_exec);
16405 +
16406 +void *module_alloc_exec(unsigned long size)
16407 +{
16408 + return __module_alloc(size, PAGE_KERNEL_RX);
16409 +}
16410 +EXPORT_SYMBOL(module_alloc_exec);
16411 +#endif
16412 +#endif
16413 +
16414 /* We don't need anything special. */
16415 int module_frob_arch_sections(Elf_Ehdr *hdr,
16416 Elf_Shdr *sechdrs,
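Review bot: Nothing in this hunk says which free routine pairs with which allocator, and the pairing differs by configuration. On X86_32, `module_alloc_exec()` takes its region from `__get_vm_area()` and `module_free_exec()` releases it with `vunmap()`, while the 64-bit variant pairs `__module_alloc()` with `module_free()`, which calls `vfree()`. I would add a comment above each pair, e.g. `/* Regions from module_alloc_exec() must be released with module_free_exec(), never module_free(). */`, and a one-line note on `module_alloc()` that with KERNEXEC it now returns non-executable `PAGE_KERNEL` memory. The 32-bit allocator also rejects only `size == 0`, whereas `__module_alloc()` checks `PAGE_ALIGN(size) > MODULES_LEN`; presumably `__get_vm_area()` fails cleanly when the range is too small, but that is worth confirming.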
16417 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16418 unsigned int i;
16419 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16420 Elf32_Sym *sym;
16421 - uint32_t *location;
16422 + uint32_t *plocation, location;
16423
16424 DEBUGP("Applying relocate section %u to %u\n", relsec,
16425 sechdrs[relsec].sh_info);
16426 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16427 /* This is where to make the change */
16428 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16429 - + rel[i].r_offset;
16430 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16431 + location = (uint32_t)plocation;
16432 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16433 + plocation = ktla_ktva((void *)plocation);
16434 /* This is the symbol it is referring to. Note that all
16435 undefined symbols have been resolved. */
16436 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
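Review bot: `plocation` is built from `sh_addr + rel[i].r_offset` with no visible check that `r_offset` lies inside the target section, and the next hunk writes through it between `pax_open_kernel()` and `pax_close_kernel()`. With the write window open, an out-of-range offset would modify write-protected memory instead of faulting, so I would bound it first, e.g. `if (rel[i].r_offset > sechdrs[sechdrs[relsec].sh_info].sh_size - sizeof(uint32_t)) return -ENOEXEC;` (this assumes the section is at least four bytes long). The generic loader may already validate relocation entries before `apply_relocate()` runs; that cannot be seen here, as the function starts and ends outside the hunk.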
16437 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16438 switch (ELF32_R_TYPE(rel[i].r_info)) {
16439 case R_386_32:
16440 /* We add the value into the location given */
16441 - *location += sym->st_value;
16442 + pax_open_kernel();
16443 + *plocation += sym->st_value;
16444 + pax_close_kernel();
16445 break;
16446 case R_386_PC32:
16447 /* Add the value, subtract its postition */
16448 - *location += sym->st_value - (uint32_t)location;
16449 + pax_open_kernel();
16450 + *plocation += sym->st_value - location;
16451 + pax_close_kernel();
16452 break;
16453 default:
16454 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16455 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16456 case R_X86_64_NONE:
16457 break;
16458 case R_X86_64_64:
16459 + pax_open_kernel();
16460 *(u64 *)loc = val;
16461 + pax_close_kernel();
16462 break;
16463 case R_X86_64_32:
16464 + pax_open_kernel();
16465 *(u32 *)loc = val;
16466 + pax_close_kernel();
16467 if (val != *(u32 *)loc)
16468 goto overflow;
16469 break;
16470 case R_X86_64_32S:
16471 + pax_open_kernel();
16472 *(s32 *)loc = val;
16473 + pax_close_kernel();
16474 if ((s64)val != *(s32 *)loc)
16475 goto overflow;
16476 break;
16477 case R_X86_64_PC32:
16478 val -= (u64)loc;
16479 + pax_open_kernel();
16480 *(u32 *)loc = val;
16481 + pax_close_kernel();
16482 +
16483 #if 0
16484 if ((s64)val != *(s32 *)loc)
16485 goto overflow;
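Review bot: For `R_X86_64_32` and `R_X86_64_32S` the overflow test still runs after the store, so a truncated value has already been written through the opened write window by the time `goto overflow` rejects the relocation. Checking the value before opening the window avoids touching the target at all on failure: `if (val != (u32)val) goto overflow;` for the unsigned case and `if ((s64)val != (s32)val) goto overflow;` for the signed one. The four identical open/store/close triplets would also read better as one small static helper, which removes the chance of an unmatched `pax_open_kernel()`. The `overflow` label and the start of `apply_relocate_add` are outside the hunk.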
16486 diff -urNp linux-2.6.39.2/arch/x86/kernel/paravirt.c linux-2.6.39.2/arch/x86/kernel/paravirt.c
16487 --- linux-2.6.39.2/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400
16488 +++ linux-2.6.39.2/arch/x86/kernel/paravirt.c 2011-05-22 19:36:30.000000000 -0400
16489 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16490 * corresponding structure. */
16491 static void *get_call_destination(u8 type)
16492 {
16493 - struct paravirt_patch_template tmpl = {
16494 + const struct paravirt_patch_template tmpl = {
16495 .pv_init_ops = pv_init_ops,
16496 .pv_time_ops = pv_time_ops,
16497 .pv_cpu_ops = pv_cpu_ops,
16498 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
16499 .pv_lock_ops = pv_lock_ops,
16500 #endif
16501 };
16502 +
16503 + pax_track_stack();
16504 +
16505 return *((void **)&tmpl + type);
16506 }
16507
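Review bot: `tmpl` is now `const`, but the return statement still reads it through `(void **)&tmpl`, which casts the qualifier away. The read itself is harmless, yet the cast undoes the qualifier and would warn under `-Wcast-qual`; `return *((void * const *)&tmpl + type);` keeps the access read-only. `type` is used as an index with no range check in the visible lines, so a comment stating what the callers guarantee would help as well. The declaration of `tmpl` is in the preceding hunk.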
16508 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
16509 if (opfunc == NULL)
16510 /* If there's no function, patch it with a ud2a (BUG) */
16511 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16512 - else if (opfunc == _paravirt_nop)
16513 + else if (opfunc == (void *)_paravirt_nop)
16514 /* If the operation is a nop, then nop the callsite */
16515 ret = paravirt_patch_nop();
16516
16517 /* identity functions just return their single argument */
16518 - else if (opfunc == _paravirt_ident_32)
16519 + else if (opfunc == (void *)_paravirt_ident_32)
16520 ret = paravirt_patch_ident_32(insnbuf, len);
16521 - else if (opfunc == _paravirt_ident_64)
16522 + else if (opfunc == (void *)_paravirt_ident_64)
16523 ret = paravirt_patch_ident_64(insnbuf, len);
16524
16525 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16526 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
16527 if (insn_len > len || start == NULL)
16528 insn_len = len;
16529 else
16530 - memcpy(insnbuf, start, insn_len);
16531 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16532
16533 return insn_len;
16534 }
16535 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
16536 preempt_enable();
16537 }
16538
16539 -struct pv_info pv_info = {
16540 +struct pv_info pv_info __read_only = {
16541 .name = "bare hardware",
16542 .paravirt_enabled = 0,
16543 .kernel_rpl = 0,
16544 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16545 };
16546
16547 -struct pv_init_ops pv_init_ops = {
16548 +struct pv_init_ops pv_init_ops __read_only = {
16549 .patch = native_patch,
16550 };
16551
16552 -struct pv_time_ops pv_time_ops = {
16553 +struct pv_time_ops pv_time_ops __read_only = {
16554 .sched_clock = native_sched_clock,
16555 };
16556
16557 -struct pv_irq_ops pv_irq_ops = {
16558 +struct pv_irq_ops pv_irq_ops __read_only = {
16559 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16560 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16561 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
16562 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
16563 #endif
16564 };
16565
16566 -struct pv_cpu_ops pv_cpu_ops = {
16567 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16568 .cpuid = native_cpuid,
16569 .get_debugreg = native_get_debugreg,
16570 .set_debugreg = native_set_debugreg,
16571 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
16572 .end_context_switch = paravirt_nop,
16573 };
16574
16575 -struct pv_apic_ops pv_apic_ops = {
16576 +struct pv_apic_ops pv_apic_ops __read_only = {
16577 #ifdef CONFIG_X86_LOCAL_APIC
16578 .startup_ipi_hook = paravirt_nop,
16579 #endif
16580 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
16581 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16582 #endif
16583
16584 -struct pv_mmu_ops pv_mmu_ops = {
16585 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16586
16587 .read_cr2 = native_read_cr2,
16588 .write_cr2 = native_write_cr2,
16589 @@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16590 },
16591
16592 .set_fixmap = native_set_fixmap,
16593 +
16594 +#ifdef CONFIG_PAX_KERNEXEC
16595 + .pax_open_kernel = native_pax_open_kernel,
16596 + .pax_close_kernel = native_pax_close_kernel,
16597 +#endif
16598 +
16599 };
16600
16601 EXPORT_SYMBOL_GPL(pv_time_ops);
16602 diff -urNp linux-2.6.39.2/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.2/arch/x86/kernel/paravirt-spinlocks.c
16603 --- linux-2.6.39.2/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400
16604 +++ linux-2.6.39.2/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400
16605 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
16606 arch_spin_lock(lock);
16607 }
16608
16609 -struct pv_lock_ops pv_lock_ops = {
16610 +struct pv_lock_ops pv_lock_ops __read_only = {
16611 #ifdef CONFIG_SMP
16612 .spin_is_locked = __ticket_spin_is_locked,
16613 .spin_is_contended = __ticket_spin_is_contended,
16614 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.2/arch/x86/kernel/pci-calgary_64.c
16615 --- linux-2.6.39.2/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400
16616 +++ linux-2.6.39.2/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400
16617 @@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru
16618 static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl);
16619 static void get_tce_space_from_tar(void);
16620
16621 -static struct cal_chipset_ops calgary_chip_ops = {
16622 +static const struct cal_chipset_ops calgary_chip_ops = {
16623 .handle_quirks = calgary_handle_quirks,
16624 .tce_cache_blast = calgary_tce_cache_blast,
16625 .dump_error_regs = calgary_dump_error_regs
16626 };
16627
16628 -static struct cal_chipset_ops calioc2_chip_ops = {
16629 +static const struct cal_chipset_ops calioc2_chip_ops = {
16630 .handle_quirks = calioc2_handle_quirks,
16631 .tce_cache_blast = calioc2_tce_cache_blast,
16632 .dump_error_regs = calioc2_dump_error_regs
16633 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
16634 free_pages((unsigned long)vaddr, get_order(size));
16635 }
16636
16637 -static struct dma_map_ops calgary_dma_ops = {
16638 +static const struct dma_map_ops calgary_dma_ops = {
16639 .alloc_coherent = calgary_alloc_coherent,
16640 .free_coherent = calgary_free_coherent,
16641 .map_sg = calgary_map_sg,
16642 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-dma.c linux-2.6.39.2/arch/x86/kernel/pci-dma.c
16643 --- linux-2.6.39.2/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
16644 +++ linux-2.6.39.2/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
16645 @@ -16,7 +16,7 @@
16646
16647 static int forbid_dac __read_mostly;
16648
16649 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
16650 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
16651 EXPORT_SYMBOL(dma_ops);
16652
16653 static int iommu_sac_force __read_mostly;
16654 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
16655
16656 int dma_supported(struct device *dev, u64 mask)
16657 {
16658 - struct dma_map_ops *ops = get_dma_ops(dev);
16659 + const struct dma_map_ops *ops = get_dma_ops(dev);
16660
16661 #ifdef CONFIG_PCI
16662 if (mask > 0xffffffff && forbid_dac > 0) {
16663 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-gart_64.c linux-2.6.39.2/arch/x86/kernel/pci-gart_64.c
16664 --- linux-2.6.39.2/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400
16665 +++ linux-2.6.39.2/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400
16666 @@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a
16667 return -1;
16668 }
16669
16670 -static struct dma_map_ops gart_dma_ops = {
16671 +static const struct dma_map_ops gart_dma_ops = {
16672 .map_sg = gart_map_sg,
16673 .unmap_sg = gart_unmap_sg,
16674 .map_page = gart_map_page,
16675 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.2/arch/x86/kernel/pci-iommu_table.c
16676 --- linux-2.6.39.2/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400
16677 +++ linux-2.6.39.2/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400
16678 @@ -2,7 +2,7 @@
16679 #include <asm/iommu_table.h>
16680 #include <linux/string.h>
16681 #include <linux/kallsyms.h>
16682 -
16683 +#include <linux/sched.h>
16684
16685 #define DEBUG 1
16686
16687 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
16688 char sym_p[KSYM_SYMBOL_LEN];
16689 char sym_q[KSYM_SYMBOL_LEN];
16690
16691 + pax_track_stack();
16692 +
16693 /* Simple cyclic dependency checker. */
16694 for (p = start; p < finish; p++) {
16695 q = find_dependents_of(start, finish, p);
16696 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-nommu.c linux-2.6.39.2/arch/x86/kernel/pci-nommu.c
16697 --- linux-2.6.39.2/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400
16698 +++ linux-2.6.39.2/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400
16699 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
16700 flush_write_buffers();
16701 }
16702
16703 -struct dma_map_ops nommu_dma_ops = {
16704 +const struct dma_map_ops nommu_dma_ops = {
16705 .alloc_coherent = dma_generic_alloc_coherent,
16706 .free_coherent = nommu_free_coherent,
16707 .map_sg = nommu_map_sg,
16708 diff -urNp linux-2.6.39.2/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.2/arch/x86/kernel/pci-swiotlb.c
16709 --- linux-2.6.39.2/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
16710 +++ linux-2.6.39.2/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
16711 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
16712 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16713 }
16714
16715 -static struct dma_map_ops swiotlb_dma_ops = {
16716 +static const struct dma_map_ops swiotlb_dma_ops = {
16717 .mapping_error = swiotlb_dma_mapping_error,
16718 .alloc_coherent = x86_swiotlb_alloc_coherent,
16719 .free_coherent = swiotlb_free_coherent,
16720 diff -urNp linux-2.6.39.2/arch/x86/kernel/process_32.c linux-2.6.39.2/arch/x86/kernel/process_32.c
16721 --- linux-2.6.39.2/arch/x86/kernel/process_32.c 2011-06-25 12:55:22.000000000 -0400
16722 +++ linux-2.6.39.2/arch/x86/kernel/process_32.c 2011-06-25 13:00:25.000000000 -0400
16723 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
16724 unsigned long thread_saved_pc(struct task_struct *tsk)
16725 {
16726 return ((unsigned long *)tsk->thread.sp)[3];
16727 +//XXX return tsk->thread.eip;
16728 }
16729
16730 #ifndef CONFIG_SMP
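Review bot: The added line `//XXX return tsk->thread.eip;` is commented-out code placed after the `return`, so it neither runs nor explains anything. It also names `thread.eip`, while the `copy_thread` hunk in this same file assigns `p->thread.ip`, so it does not look like a drop-in alternative. Either drop the line or replace it with a real comment on the open question, e.g. `/* XXX: depends on the saved frame layout at thread.sp; revisit if the switch frame changes */`.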
16731 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
16732 unsigned long sp;
16733 unsigned short ss, gs;
16734
16735 - if (user_mode_vm(regs)) {
16736 + if (user_mode(regs)) {
16737 sp = regs->sp;
16738 ss = regs->ss & 0xffff;
16739 - gs = get_user_gs(regs);
16740 } else {
16741 sp = kernel_stack_pointer(regs);
16742 savesegment(ss, ss);
16743 - savesegment(gs, gs);
16744 }
16745 + gs = get_user_gs(regs);
16746
16747 show_regs_common();
16748
16749 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
16750 struct task_struct *tsk;
16751 int err;
16752
16753 - childregs = task_pt_regs(p);
16754 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16755 *childregs = *regs;
16756 childregs->ax = 0;
16757 childregs->sp = sp;
16758
16759 p->thread.sp = (unsigned long) childregs;
16760 p->thread.sp0 = (unsigned long) (childregs+1);
16761 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16762
16763 p->thread.ip = (unsigned long) ret_from_fork;
16764
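Review bot: The literal `8` subtracted when computing `childregs` is unexplained. The same kind of reserved gap reappears as `16` in the process_64.c `copy_thread` hunk and as `THREAD_SIZE-16-sizeof(u64)` in its `get_wchan` hunk. These values presumably have to agree with wherever `sp0` and the stack top are set up, so a single named constant would keep them from drifting apart; the removed 64-bit code used `KERNEL_STACK_OFFSET` in a similar role. Something like `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - KERNEL_STACK_RESERVE;` with a comment on what occupies the reserved bytes would do (the constant name is a placeholder). `copy_thread` continues outside the hunk.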
16765 @@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
16766 struct thread_struct *prev = &prev_p->thread,
16767 *next = &next_p->thread;
16768 int cpu = smp_processor_id();
16769 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16770 + struct tss_struct *tss = init_tss + cpu;
16771 bool preload_fpu;
16772
16773 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16774 @@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
16775 */
16776 lazy_save_gs(prev->gs);
16777
16778 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16779 + __set_fs(task_thread_info(next_p)->addr_limit);
16780 +#endif
16781 +
16782 /*
16783 * Load the per-thread Thread-Local Storage descriptor.
16784 */
16785 @@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
16786 */
16787 arch_end_context_switch(next_p);
16788
16789 + percpu_write(current_task, next_p);
16790 + percpu_write(current_tinfo, &next_p->tinfo);
16791 +
16792 if (preload_fpu)
16793 __math_state_restore();
16794
16795 @@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
16796 if (prev->gs | next->gs)
16797 lazy_load_gs(next->gs);
16798
16799 - percpu_write(current_task, next_p);
16800 -
16801 return prev_p;
16802 }
16803
16804 @@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
16805 } while (count++ < 16);
16806 return 0;
16807 }
16808 -
16809 diff -urNp linux-2.6.39.2/arch/x86/kernel/process_64.c linux-2.6.39.2/arch/x86/kernel/process_64.c
16810 --- linux-2.6.39.2/arch/x86/kernel/process_64.c 2011-06-25 12:55:22.000000000 -0400
16811 +++ linux-2.6.39.2/arch/x86/kernel/process_64.c 2011-06-25 13:00:25.000000000 -0400
16812 @@ -87,7 +87,7 @@ static void __exit_idle(void)
16813 void exit_idle(void)
16814 {
16815 /* idle loop has pid 0 */
16816 - if (current->pid)
16817 + if (task_pid_nr(current))
16818 return;
16819 __exit_idle();
16820 }
16821 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
16822 struct pt_regs *childregs;
16823 struct task_struct *me = current;
16824
16825 - childregs = ((struct pt_regs *)
16826 - (THREAD_SIZE + task_stack_page(p))) - 1;
16827 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16828 *childregs = *regs;
16829
16830 childregs->ax = 0;
16831 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
16832 p->thread.sp = (unsigned long) childregs;
16833 p->thread.sp0 = (unsigned long) (childregs+1);
16834 p->thread.usersp = me->thread.usersp;
16835 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16836
16837 set_tsk_thread_flag(p, TIF_FORK);
16838
16839 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
16840 struct thread_struct *prev = &prev_p->thread;
16841 struct thread_struct *next = &next_p->thread;
16842 int cpu = smp_processor_id();
16843 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16844 + struct tss_struct *tss = init_tss + cpu;
16845 unsigned fsindex, gsindex;
16846 bool preload_fpu;
16847
16848 @@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
16849 prev->usersp = percpu_read(old_rsp);
16850 percpu_write(old_rsp, next->usersp);
16851 percpu_write(current_task, next_p);
16852 + percpu_write(current_tinfo, &next_p->tinfo);
16853
16854 - percpu_write(kernel_stack,
16855 - (unsigned long)task_stack_page(next_p) +
16856 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16857 + percpu_write(kernel_stack, next->sp0);
16858
16859 /*
16860 * Now maybe reload the debug registers and handle I/O bitmaps
16861 @@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
16862 if (!p || p == current || p->state == TASK_RUNNING)
16863 return 0;
16864 stack = (unsigned long)task_stack_page(p);
16865 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16866 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16867 return 0;
16868 fp = *(u64 *)(p->thread.sp);
16869 do {
16870 - if (fp < (unsigned long)stack ||
16871 - fp >= (unsigned long)stack+THREAD_SIZE)
16872 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16873 return 0;
16874 ip = *(u64 *)(fp+8);
16875 if (!in_sched_functions(ip))
16876 diff -urNp linux-2.6.39.2/arch/x86/kernel/process.c linux-2.6.39.2/arch/x86/kernel/process.c
16877 --- linux-2.6.39.2/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
16878 +++ linux-2.6.39.2/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
16879 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
16880
16881 void free_thread_info(struct thread_info *ti)
16882 {
16883 - free_thread_xstate(ti->task);
16884 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16885 }
16886
16887 +static struct kmem_cache *task_struct_cachep;
16888 +
16889 void arch_task_cache_init(void)
16890 {
16891 - task_xstate_cachep =
16892 - kmem_cache_create("task_xstate", xstate_size,
16893 + /* create a slab on which task_structs can be allocated */
16894 + task_struct_cachep =
16895 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16896 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16897 +
16898 + task_xstate_cachep =
16899 + kmem_cache_create("task_xstate", xstate_size,
16900 __alignof__(union thread_xstate),
16901 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16902 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16903 +}
16904 +
16905 +struct task_struct *alloc_task_struct_node(int node)
16906 +{
16907 + return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
16908 +}
16909 +
16910 +void free_task_struct(struct task_struct *task)
16911 +{
16912 + free_thread_xstate(task);
16913 + kmem_cache_free(task_struct_cachep, task);
16914 }
16915
16916 /*
16917 @@ -70,7 +87,7 @@ void exit_thread(void)
16918 unsigned long *bp = t->io_bitmap_ptr;
16919
16920 if (bp) {
16921 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16922 + struct tss_struct *tss = init_tss + get_cpu();
16923
16924 t->io_bitmap_ptr = NULL;
16925 clear_thread_flag(TIF_IO_BITMAP);
16926 @@ -106,7 +123,7 @@ void show_regs_common(void)
16927
16928 printk(KERN_CONT "\n");
16929 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
16930 - current->pid, current->comm, print_tainted(),
16931 + task_pid_nr(current), current->comm, print_tainted(),
16932 init_utsname()->release,
16933 (int)strcspn(init_utsname()->version, " "),
16934 init_utsname()->version);
16935 @@ -120,6 +137,9 @@ void flush_thread(void)
16936 {
16937 struct task_struct *tsk = current;
16938
16939 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16940 + loadsegment(gs, 0);
16941 +#endif
16942 flush_ptrace_hw_breakpoint(tsk);
16943 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
16944 /*
16945 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
16946 regs.di = (unsigned long) arg;
16947
16948 #ifdef CONFIG_X86_32
16949 - regs.ds = __USER_DS;
16950 - regs.es = __USER_DS;
16951 + regs.ds = __KERNEL_DS;
16952 + regs.es = __KERNEL_DS;
16953 regs.fs = __KERNEL_PERCPU;
16954 - regs.gs = __KERNEL_STACK_CANARY;
16955 + savesegment(gs, regs.gs);
16956 #else
16957 regs.ss = __KERNEL_DS;
16958 #endif
16959 @@ -401,7 +421,7 @@ void default_idle(void)
16960 EXPORT_SYMBOL(default_idle);
16961 #endif
16962
16963 -void stop_this_cpu(void *dummy)
16964 +__noreturn void stop_this_cpu(void *dummy)
16965 {
16966 local_irq_disable();
16967 /*
16968 @@ -665,16 +685,34 @@ static int __init idle_setup(char *str)
16969 }
16970 early_param("idle", idle_setup);
16971
16972 -unsigned long arch_align_stack(unsigned long sp)
16973 +#ifdef CONFIG_PAX_RANDKSTACK
16974 +asmlinkage void pax_randomize_kstack(void)
16975 {
16976 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
16977 - sp -= get_random_int() % 8192;
16978 - return sp & ~0xf;
16979 -}
16980 + struct thread_struct *thread = &current->thread;
16981 + unsigned long time;
16982
16983 -unsigned long arch_randomize_brk(struct mm_struct *mm)
16984 -{
16985 - unsigned long range_end = mm->brk + 0x02000000;
16986 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
16987 -}
16988 + if (!randomize_va_space)
16989 + return;
16990 +
16991 + rdtscl(time);
16992 +
16993 + /* P4 seems to return a 0 LSB, ignore it */
16994 +#ifdef CONFIG_MPENTIUM4
16995 + time &= 0x3EUL;
16996 + time <<= 2;
16997 +#elif defined(CONFIG_X86_64)
16998 + time &= 0xFUL;
16999 + time <<= 4;
17000 +#else
17001 + time &= 0x1FUL;
17002 + time <<= 3;
17003 +#endif
17004 +
17005 + thread->sp0 ^= time;
17006 + load_sp0(init_tss + smp_processor_id(), thread);
17007
17008 +#ifdef CONFIG_X86_64
17009 + percpu_write(kernel_stack, thread->sp0);
17010 +#endif
17011 +}
17012 +#endif
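Review bot: `pax_randomize_kstack()` has no comment describing how much randomness it provides or where it comes from. The offset is taken from the low bits of `rdtscl()` (four or five bits after masking, shifted left) and XORed into `thread->sp0`. That makes it a small, timing-derived perturbation rather than output from the kernel RNG, and a header comment should say so to stop it being treated as a strong guarantee. The comment `/* P4 seems to return a 0 LSB, ignore it */` sits above the whole `#ifdef` chain but describes only the `CONFIG_MPENTIUM4` branch and should move inside it. The function also calls `smp_processor_id()` and writes per-CPU state, so the expected calling context (presumably with preemption disabled) deserves a line too.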
17013 diff -urNp linux-2.6.39.2/arch/x86/kernel/ptrace.c linux-2.6.39.2/arch/x86/kernel/ptrace.c
17014 --- linux-2.6.39.2/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
17015 +++ linux-2.6.39.2/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400
17016 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
17017 unsigned long addr, unsigned long data)
17018 {
17019 int ret;
17020 - unsigned long __user *datap = (unsigned long __user *)data;
17021 + unsigned long __user *datap = (__force unsigned long __user *)data;
17022
17023 switch (request) {
17024 /* read the word at location addr in the USER area. */
17025 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
17026 if ((int) addr < 0)
17027 return -EIO;
17028 ret = do_get_thread_area(child, addr,
17029 - (struct user_desc __user *)data);
17030 + (__force struct user_desc __user *) data);
17031 break;
17032
17033 case PTRACE_SET_THREAD_AREA:
17034 if ((int) addr < 0)
17035 return -EIO;
17036 ret = do_set_thread_area(child, addr,
17037 - (struct user_desc __user *)data, 0);
17038 + (__force struct user_desc __user *) data, 0);
17039 break;
17040 #endif
17041
17042 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
17043 memset(info, 0, sizeof(*info));
17044 info->si_signo = SIGTRAP;
17045 info->si_code = si_code;
17046 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
17047 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
17048 }
17049
17050 void user_single_step_siginfo(struct task_struct *tsk,
17051 @@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts
17052 * We must return the syscall number to actually look up in the table.
17053 * This can be -1L to skip running any syscall at all.
17054 */
17055 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
17056 +long syscall_trace_enter(struct pt_regs *regs)
17057 {
17058 long ret = 0;
17059
17060 @@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru
17061 return ret ?: regs->orig_ax;
17062 }
17063
17064 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
17065 +void syscall_trace_leave(struct pt_regs *regs)
17066 {
17067 bool step;
17068
17069 diff -urNp linux-2.6.39.2/arch/x86/kernel/pvclock.c linux-2.6.39.2/arch/x86/kernel/pvclock.c
17070 --- linux-2.6.39.2/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400
17071 +++ linux-2.6.39.2/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400
17072 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
17073 return pv_tsc_khz;
17074 }
17075
17076 -static atomic64_t last_value = ATOMIC64_INIT(0);
17077 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
17078
17079 void pvclock_resume(void)
17080 {
17081 - atomic64_set(&last_value, 0);
17082 + atomic64_set_unchecked(&last_value, 0);
17083 }
17084
17085 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
17086 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
17087 * updating at the same time, and one of them could be slightly behind,
17088 * making the assumption that last_value always go forward fail to hold.
17089 */
17090 - last = atomic64_read(&last_value);
17091 + last = atomic64_read_unchecked(&last_value);
17092 do {
17093 if (ret < last)
17094 return last;
17095 - last = atomic64_cmpxchg(&last_value, last, ret);
17096 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
17097 } while (unlikely(last != ret));
17098
17099 return ret;
17100 diff -urNp linux-2.6.39.2/arch/x86/kernel/reboot.c linux-2.6.39.2/arch/x86/kernel/reboot.c
17101 --- linux-2.6.39.2/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400
17102 +++ linux-2.6.39.2/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400
17103 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
17104 EXPORT_SYMBOL(pm_power_off);
17105
17106 static const struct desc_ptr no_idt = {};
17107 -static int reboot_mode;
17108 +static unsigned short reboot_mode;
17109 enum reboot_type reboot_type = BOOT_KBD;
17110 int reboot_force;
17111
17112 @@ -307,13 +307,17 @@ core_initcall(reboot_init);
17113 extern const unsigned char machine_real_restart_asm[];
17114 extern const u64 machine_real_restart_gdt[3];
17115
17116 -void machine_real_restart(unsigned int type)
17117 +__noreturn void machine_real_restart(unsigned int type)
17118 {
17119 void *restart_va;
17120 unsigned long restart_pa;
17121 - void (*restart_lowmem)(unsigned int);
17122 + void (* __noreturn restart_lowmem)(unsigned int);
17123 u64 *lowmem_gdt;
17124
17125 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17126 + struct desc_struct *gdt;
17127 +#endif
17128 +
17129 local_irq_disable();
17130
17131 /* Write zero to CMOS register number 0x0f, which the BIOS POST
17132 @@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t
17133 boot)". This seems like a fairly standard thing that gets set by
17134 REBOOT.COM programs, and the previous reset routine did this
17135 too. */
17136 - *((unsigned short *)0x472) = reboot_mode;
17137 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17138
17139 /* Patch the GDT in the low memory trampoline */
17140 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
17141
17142 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
17143 restart_pa = virt_to_phys(restart_va);
17144 - restart_lowmem = (void (*)(unsigned int))restart_pa;
17145 + restart_lowmem = (void *)restart_pa;
17146
17147 /* GDT[0]: GDT self-pointer */
17148 lowmem_gdt[0] =
17149 @@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t
17150 GDT_ENTRY(0x009b, restart_pa, 0xffff);
17151
17152 /* Jump to the identity-mapped low memory code */
17153 +
17154 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17155 + gdt = get_cpu_gdt_table(smp_processor_id());
17156 + pax_open_kernel();
17157 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17158 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
17159 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
17160 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
17161 +#endif
17162 +#ifdef CONFIG_PAX_KERNEXEC
17163 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
17164 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
17165 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
17166 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
17167 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
17168 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
17169 +#endif
17170 + pax_close_kernel();
17171 +#endif
17172 +
17173 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17174 + asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
17175 + unreachable();
17176 +#else
17177 restart_lowmem(type);
17178 +#endif
17179 +
17180 }
17181 #ifdef CONFIG_APM_MODULE
17182 EXPORT_SYMBOL(machine_real_restart);
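Review bot: In the `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` branch, `restart_lowmem` is passed to `push %0; push %1; lret` through an `"rm"` constraint, so the compiler may choose an %esp-relative memory operand for the second push after the first push has already moved %esp. In that case the wrong word would be pushed as the lret target. Forcing a register avoids the hazard: `asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "r" (restart_lowmem), "a" (type));`. Whether a frame pointer hides this in practice depends on the build configuration, which the hunk does not show. machine_real_restart() begins in an earlier hunk.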
17183 @@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f
17184 {
17185 }
17186
17187 -static void native_machine_emergency_restart(void)
17188 +__noreturn static void native_machine_emergency_restart(void)
17189 {
17190 int i;
17191
17192 @@ -593,13 +623,13 @@ void native_machine_shutdown(void)
17193 #endif
17194 }
17195
17196 -static void __machine_emergency_restart(int emergency)
17197 +static __noreturn void __machine_emergency_restart(int emergency)
17198 {
17199 reboot_emergency = emergency;
17200 machine_ops.emergency_restart();
17201 }
17202
17203 -static void native_machine_restart(char *__unused)
17204 +static __noreturn void native_machine_restart(char *__unused)
17205 {
17206 printk("machine restart\n");
17207
17208 @@ -608,7 +638,7 @@ static void native_machine_restart(char
17209 __machine_emergency_restart(0);
17210 }
17211
17212 -static void native_machine_halt(void)
17213 +static __noreturn void native_machine_halt(void)
17214 {
17215 /* stop other cpus and apics */
17216 machine_shutdown();
17217 @@ -619,7 +649,7 @@ static void native_machine_halt(void)
17218 stop_this_cpu(NULL);
17219 }
17220
17221 -static void native_machine_power_off(void)
17222 +__noreturn static void native_machine_power_off(void)
17223 {
17224 if (pm_power_off) {
17225 if (!reboot_force)
17226 @@ -628,6 +658,7 @@ static void native_machine_power_off(voi
17227 }
17228 /* a fallback in case there is no PM info available */
17229 tboot_shutdown(TB_SHUTDOWN_HALT);
17230 + unreachable();
17231 }
17232
17233 struct machine_ops machine_ops = {
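Review bot: The added `unreachable();` after `tboot_shutdown(TB_SHUTDOWN_HALT);` can in fact be reached, because tboot_shutdown() returns early on `if (!tboot_enabled()) return;` (visible in the tboot.c hunk `@@ -218,7 +218,7 @@`). Since native_machine_power_off() is also marked `__noreturn` in the `@@ -619,7 +649,7 @@` hunk, falling off the end here is undefined behaviour whenever tboot is disabled and the `pm_power_off` path does not power the machine off. An explicit stop that the compiler can see never returns would be safer, for example `for (;;) halt();` in place of `unreachable();`. The function body starts in the previous hunk.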
17234 diff -urNp linux-2.6.39.2/arch/x86/kernel/setup.c linux-2.6.39.2/arch/x86/kernel/setup.c
17235 --- linux-2.6.39.2/arch/x86/kernel/setup.c 2011-06-25 12:55:22.000000000 -0400
17236 +++ linux-2.6.39.2/arch/x86/kernel/setup.c 2011-06-25 13:00:25.000000000 -0400
17237 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
17238 * area (640->1Mb) as ram even though it is not.
17239 * take them out.
17240 */
17241 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
17242 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
17243 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
17244 }
17245
17246 @@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p)
17247
17248 if (!boot_params.hdr.root_flags)
17249 root_mountflags &= ~MS_RDONLY;
17250 - init_mm.start_code = (unsigned long) _text;
17251 - init_mm.end_code = (unsigned long) _etext;
17252 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17253 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17254 init_mm.end_data = (unsigned long) _edata;
17255 init_mm.brk = _brk_end;
17256
17257 - code_resource.start = virt_to_phys(_text);
17258 - code_resource.end = virt_to_phys(_etext)-1;
17259 - data_resource.start = virt_to_phys(_etext);
17260 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17261 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17262 + data_resource.start = virt_to_phys(_sdata);
17263 data_resource.end = virt_to_phys(_edata)-1;
17264 bss_resource.start = virt_to_phys(&__bss_start);
17265 bss_resource.end = virt_to_phys(&__bss_stop)-1;
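Review bot: `data_resource.start` is now taken from `_sdata` instead of `_etext`, so anything between `_etext` and `_sdata` is no longer covered by either the code or the data resource, and nothing in the hunk says why. A one-line comment above the assignment, for example `/* text and data need not be contiguous here, so the data resource starts at _sdata */` (wording for the author to confirm), would record the intent. Separately, `ktla_ktva()` is given an `unsigned long` in the `init_mm` lines but a bare symbol in the `code_resource` lines; that only works if `ktla_ktva` is a type-agnostic macro, which is not visible here. setup_arch() extends beyond this hunk.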
17266 diff -urNp linux-2.6.39.2/arch/x86/kernel/setup_percpu.c linux-2.6.39.2/arch/x86/kernel/setup_percpu.c
17267 --- linux-2.6.39.2/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400
17268 +++ linux-2.6.39.2/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400
17269 @@ -21,19 +21,17 @@
17270 #include <asm/cpu.h>
17271 #include <asm/stackprotector.h>
17272
17273 -DEFINE_PER_CPU(int, cpu_number);
17274 +#ifdef CONFIG_SMP
17275 +DEFINE_PER_CPU(unsigned int, cpu_number);
17276 EXPORT_PER_CPU_SYMBOL(cpu_number);
17277 +#endif
17278
17279 -#ifdef CONFIG_X86_64
17280 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17281 -#else
17282 -#define BOOT_PERCPU_OFFSET 0
17283 -#endif
17284
17285 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17286 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17287
17288 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17289 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17290 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17291 };
17292 EXPORT_SYMBOL(__per_cpu_offset);
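Review bot: `__per_cpu_offset` is moved to `__read_only`, yet setup_per_cpu_areas() in this same file still assigns `per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];` (context line in the `@@ -207,6 +205,11 @@` hunk), which presumably expands to an element of this array. That is only valid while the read-only section is still writable during early boot, and the ordering requirement is not written down anywhere in the hunk. A comment on the definition such as `/* written once by setup_per_cpu_areas(), before read-only data is write-protected */` would make it explicit. The new `#ifdef CONFIG_SMP` around `cpu_number` also deserves a word, since the later `per_cpu(cpu_number, cpu) = cpu;` is not guarded the same way.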
17293 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
17294 {
17295 #ifdef CONFIG_X86_32
17296 struct desc_struct gdt;
17297 + unsigned long base = per_cpu_offset(cpu);
17298
17299 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17300 - 0x2 | DESCTYPE_S, 0x8);
17301 - gdt.s = 1;
17302 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17303 + 0x83 | DESCTYPE_S, 0xC);
17304 write_gdt_entry(get_cpu_gdt_table(cpu),
17305 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17306 #endif
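Review bot: The per-cpu descriptor is now built from bare constants, `0x83 | DESCTYPE_S` and `0xC`, and the limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` quietly assumes `base` is below `VMALLOC_END`. A comment would spare the next reader a trip to the manual: `/* present, DPL 0, read/write data, accessed; 4K granularity, 32-bit; segment ends at VMALLOC_END */`. If `base` could ever be at or above `VMALLOC_END`, the subtraction wraps and the limit becomes far larger than intended, so an assertion such as `BUG_ON(base >= VMALLOC_END);` before `pack_descriptor()` may be worth adding. setup_percpu_segment() starts outside this hunk.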
17307 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
17308 /* alrighty, percpu areas up and running */
17309 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17310 for_each_possible_cpu(cpu) {
17311 +#ifdef CONFIG_CC_STACKPROTECTOR
17312 +#ifdef CONFIG_X86_32
17313 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17314 +#endif
17315 +#endif
17316 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17317 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17318 per_cpu(cpu_number, cpu) = cpu;
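Review bot: The saved `canary` is read for every CPU here but written back only under `if (!cpu)` in the `@@ -247,6 +250,12 @@` hunk, and neither place explains why the boot CPU's value has to be carried across. A comment at the declaration, for example `/* keep the boot CPU's canary across the switch to its final per-cpu area */` (presumed intent, to be confirmed), would help. The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pairs in both hunks could be a single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`, the form this patch already uses in reboot.c.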
17319 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
17320 */
17321 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
17322 #endif
17323 +#ifdef CONFIG_CC_STACKPROTECTOR
17324 +#ifdef CONFIG_X86_32
17325 + if (!cpu)
17326 + per_cpu(stack_canary.canary, cpu) = canary;
17327 +#endif
17328 +#endif
17329 /*
17330 * Up to this point, the boot CPU has been using .init.data
17331 * area. Reload any changed state for the boot CPU.
17332 diff -urNp linux-2.6.39.2/arch/x86/kernel/signal.c linux-2.6.39.2/arch/x86/kernel/signal.c
17333 --- linux-2.6.39.2/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
17334 +++ linux-2.6.39.2/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
17335 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
17336 * Align the stack pointer according to the i386 ABI,
17337 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17338 */
17339 - sp = ((sp + 4) & -16ul) - 4;
17340 + sp = ((sp - 12) & -16ul) - 4;
17341 #else /* !CONFIG_X86_32 */
17342 sp = round_down(sp, 16) - 8;
17343 #endif
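Review bot: The new expression `((sp - 12) & -16ul) - 4` satisfies the same `((sp + 4) & 15) == 0` invariant as the old one but always yields a value exactly 16 bytes lower, and the comment above it was not updated to say why the extra room is wanted. A sentence appended to the existing comment, such as `* The frame is additionally kept at least 16 bytes below the incoming sp.` followed by the reason, would keep the comment in step with the code. align_sigframe() starts outside this hunk.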
17344 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
17345 * Return an always-bogus address instead so we will die with SIGSEGV.
17346 */
17347 if (onsigstack && !likely(on_sig_stack(sp)))
17348 - return (void __user *)-1L;
17349 + return (__force void __user *)-1L;
17350
17351 /* save i387 state */
17352 if (used_math() && save_i387_xstate(*fpstate) < 0)
17353 - return (void __user *)-1L;
17354 + return (__force void __user *)-1L;
17355
17356 return (void __user *)sp;
17357 }
17358 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
17359 }
17360
17361 if (current->mm->context.vdso)
17362 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17363 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17364 else
17365 - restorer = &frame->retcode;
17366 + restorer = (void __user *)&frame->retcode;
17367 if (ka->sa.sa_flags & SA_RESTORER)
17368 restorer = ka->sa.sa_restorer;
17369
17370 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
17371 * reasons and because gdb uses it as a signature to notice
17372 * signal handler stack frames.
17373 */
17374 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17375 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17376
17377 if (err)
17378 return -EFAULT;
17379 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
17380 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17381
17382 /* Set up to return from userspace. */
17383 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17384 + if (current->mm->context.vdso)
17385 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17386 + else
17387 + restorer = (void __user *)&frame->retcode;
17388 if (ka->sa.sa_flags & SA_RESTORER)
17389 restorer = ka->sa.sa_restorer;
17390 put_user_ex(restorer, &frame->pretcode);
17391 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
17392 * reasons and because gdb uses it as a signature to notice
17393 * signal handler stack frames.
17394 */
17395 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17396 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17397 } put_user_catch(err);
17398
17399 if (err)
17400 @@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re
17401 int signr;
17402 sigset_t *oldset;
17403
17404 + pax_track_stack();
17405 +
17406 /*
17407 * We want the common case to go fast, which is why we may in certain
17408 * cases get here from kernel mode. Just return without doing anything
17409 @@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re
17410 * X86_32: vm86 regs switched out by assembly code before reaching
17411 * here, so testing against kernel CS suffices.
17412 */
17413 - if (!user_mode(regs))
17414 + if (!user_mode_novm(regs))
17415 return;
17416
17417 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
17418 diff -urNp linux-2.6.39.2/arch/x86/kernel/smpboot.c linux-2.6.39.2/arch/x86/kernel/smpboot.c
17419 --- linux-2.6.39.2/arch/x86/kernel/smpboot.c 2011-06-25 12:55:22.000000000 -0400
17420 +++ linux-2.6.39.2/arch/x86/kernel/smpboot.c 2011-06-25 13:00:25.000000000 -0400
17421 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
17422 set_idle_for_cpu(cpu, c_idle.idle);
17423 do_rest:
17424 per_cpu(current_task, cpu) = c_idle.idle;
17425 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17426 #ifdef CONFIG_X86_32
17427 /* Stack for startup_32 can be just as for start_secondary onwards */
17428 irq_ctx_init(cpu);
17429 #else
17430 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17431 initial_gs = per_cpu_offset(cpu);
17432 - per_cpu(kernel_stack, cpu) =
17433 - (unsigned long)task_stack_page(c_idle.idle) -
17434 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17435 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17436 #endif
17437 +
17438 + pax_open_kernel();
17439 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17440 + pax_close_kernel();
17441 +
17442 initial_code = (unsigned long)start_secondary;
17443 stack_start = c_idle.idle->thread.sp;
17444
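Review bot: The `kernel_stack` initialisation now hard-codes `- 16 + THREAD_SIZE` where the removed lines used `KERNEL_STACK_OFFSET`. If any other site still derives the stack top from that macro (not visible in this hunk), the two can drift apart unnoticed. Keeping a named constant, or at least adding a comment such as `/* 16 == reserved space at the top of the kernel stack; must match the entry code */`, would make the dependency explicit. do_boot_cpu() extends beyond this hunk.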
17445 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
17446
17447 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17448
17449 +#ifdef CONFIG_PAX_PER_CPU_PGD
17450 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17451 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17452 + KERNEL_PGD_PTRS);
17453 +#endif
17454 +
17455 err = do_boot_cpu(apicid, cpu);
17456 if (err) {
17457 pr_debug("do_boot_cpu failed %d\n", err);
17458 diff -urNp linux-2.6.39.2/arch/x86/kernel/step.c linux-2.6.39.2/arch/x86/kernel/step.c
17459 --- linux-2.6.39.2/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400
17460 +++ linux-2.6.39.2/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400
17461 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17462 struct desc_struct *desc;
17463 unsigned long base;
17464
17465 - seg &= ~7UL;
17466 + seg >>= 3;
17467
17468 mutex_lock(&child->mm->context.lock);
17469 - if (unlikely((seg >> 3) >= child->mm->context.size))
17470 + if (unlikely(seg >= child->mm->context.size))
17471 addr = -1L; /* bogus selector, access would fault */
17472 else {
17473 desc = child->mm->context.ldt + seg;
17474 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17475 addr += base;
17476 }
17477 mutex_unlock(&child->mm->context.lock);
17478 - }
17479 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17480 + addr = ktla_ktva(addr);
17481
17482 return addr;
17483 }
17484 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17485 unsigned char opcode[15];
17486 unsigned long addr = convert_ip_to_linear(child, regs);
17487
17488 + if (addr == -EINVAL)
17489 + return 0;
17490 +
17491 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17492 for (i = 0; i < copied; i++) {
17493 switch (opcode[i]) {
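Review bot: The added guard tests `addr == -EINVAL`, but the only failure value visible in convert_ip_to_linear() is `addr = -1L; /* bogus selector, access would fault */` in the `@@ -27,10 +27,10 @@` hunk, so the check does not match it. Unless some path outside these hunks returns `-EINVAL`, the guard should read `if (addr == -1L) return 0;`. A named sentinel shared by both functions would be better still. is_setting_trap_flag() continues past this hunk.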
17494 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17495
17496 #ifdef CONFIG_X86_64
17497 case 0x40 ... 0x4f:
17498 - if (regs->cs != __USER_CS)
17499 + if ((regs->cs & 0xffff) != __USER_CS)
17500 /* 32-bit mode: register increment */
17501 return 0;
17502 /* 64-bit mode: REX prefix */
17503 diff -urNp linux-2.6.39.2/arch/x86/kernel/syscall_table_32.S linux-2.6.39.2/arch/x86/kernel/syscall_table_32.S
17504 --- linux-2.6.39.2/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400
17505 +++ linux-2.6.39.2/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400
17506 @@ -1,3 +1,4 @@
17507 +.section .rodata,"a",@progbits
17508 ENTRY(sys_call_table)
17509 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17510 .long sys_exit
17511 diff -urNp linux-2.6.39.2/arch/x86/kernel/sys_i386_32.c linux-2.6.39.2/arch/x86/kernel/sys_i386_32.c
17512 --- linux-2.6.39.2/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400
17513 +++ linux-2.6.39.2/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400
17514 @@ -24,17 +24,224 @@
17515
17516 #include <asm/syscalls.h>
17517
17518 -/*
17519 - * Do a system call from kernel instead of calling sys_execve so we
17520 - * end up with proper pt_regs.
17521 - */
17522 -int kernel_execve(const char *filename,
17523 - const char *const argv[],
17524 - const char *const envp[])
17525 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17526 {
17527 - long __res;
17528 - asm volatile ("int $0x80"
17529 - : "=a" (__res)
17530 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
17531 - return __res;
17532 + unsigned long pax_task_size = TASK_SIZE;
17533 +
17534 +#ifdef CONFIG_PAX_SEGMEXEC
17535 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17536 + pax_task_size = SEGMEXEC_TASK_SIZE;
17537 +#endif
17538 +
17539 + if (len > pax_task_size || addr > pax_task_size - len)
17540 + return -EINVAL;
17541 +
17542 + return 0;
17543 +}
17544 +
17545 +unsigned long
17546 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17547 + unsigned long len, unsigned long pgoff, unsigned long flags)
17548 +{
17549 + struct mm_struct *mm = current->mm;
17550 + struct vm_area_struct *vma;
17551 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17552 +
17553 +#ifdef CONFIG_PAX_SEGMEXEC
17554 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17555 + pax_task_size = SEGMEXEC_TASK_SIZE;
17556 +#endif
17557 +
17558 + pax_task_size -= PAGE_SIZE;
17559 +
17560 + if (len > pax_task_size)
17561 + return -ENOMEM;
17562 +
17563 + if (flags & MAP_FIXED)
17564 + return addr;
17565 +
17566 +#ifdef CONFIG_PAX_RANDMMAP
17567 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17568 +#endif
17569 +
17570 + if (addr) {
17571 + addr = PAGE_ALIGN(addr);
17572 + if (pax_task_size - len >= addr) {
17573 + vma = find_vma(mm, addr);
17574 + if (check_heap_stack_gap(vma, addr, len))
17575 + return addr;
17576 + }
17577 + }
17578 + if (len > mm->cached_hole_size) {
17579 + start_addr = addr = mm->free_area_cache;
17580 + } else {
17581 + start_addr = addr = mm->mmap_base;
17582 + mm->cached_hole_size = 0;
17583 + }
17584 +
17585 +#ifdef CONFIG_PAX_PAGEEXEC
17586 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17587 + start_addr = 0x00110000UL;
17588 +
17589 +#ifdef CONFIG_PAX_RANDMMAP
17590 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17591 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17592 +#endif
17593 +
17594 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17595 + start_addr = addr = mm->mmap_base;
17596 + else
17597 + addr = start_addr;
17598 + }
17599 +#endif
17600 +
17601 +full_search:
17602 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17603 + /* At this point: (!vma || addr < vma->vm_end). */
17604 + if (pax_task_size - len < addr) {
17605 + /*
17606 + * Start a new search - just in case we missed
17607 + * some holes.
17608 + */
17609 + if (start_addr != mm->mmap_base) {
17610 + start_addr = addr = mm->mmap_base;
17611 + mm->cached_hole_size = 0;
17612 + goto full_search;
17613 + }
17614 + return -ENOMEM;
17615 + }
17616 + if (check_heap_stack_gap(vma, addr, len))
17617 + break;
17618 + if (addr + mm->cached_hole_size < vma->vm_start)
17619 + mm->cached_hole_size = vma->vm_start - addr;
17620 + addr = vma->vm_end;
17621 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17622 + start_addr = addr = mm->mmap_base;
17623 + mm->cached_hole_size = 0;
17624 + goto full_search;
17625 + }
17626 + }
17627 +
17628 + /*
17629 + * Remember the place where we stopped the search:
17630 + */
17631 + mm->free_area_cache = addr + len;
17632 + return addr;
17633 +}
17634 +
17635 +unsigned long
17636 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17637 + const unsigned long len, const unsigned long pgoff,
17638 + const unsigned long flags)
17639 +{
17640 + struct vm_area_struct *vma;
17641 + struct mm_struct *mm = current->mm;
17642 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17643 +
17644 +#ifdef CONFIG_PAX_SEGMEXEC
17645 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17646 + pax_task_size = SEGMEXEC_TASK_SIZE;
17647 +#endif
17648 +
17649 + pax_task_size -= PAGE_SIZE;
17650 +
17651 + /* requested length too big for entire address space */
17652 + if (len > pax_task_size)
17653 + return -ENOMEM;
17654 +
17655 + if (flags & MAP_FIXED)
17656 + return addr;
17657 +
17658 +#ifdef CONFIG_PAX_PAGEEXEC
17659 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17660 + goto bottomup;
17661 +#endif
17662 +
17663 +#ifdef CONFIG_PAX_RANDMMAP
17664 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17665 +#endif
17666 +
17667 + /* requesting a specific address */
17668 + if (addr) {
17669 + addr = PAGE_ALIGN(addr);
17670 + if (pax_task_size - len >= addr) {
17671 + vma = find_vma(mm, addr);
17672 + if (check_heap_stack_gap(vma, addr, len))
17673 + return addr;
17674 + }
17675 + }
17676 +
17677 + /* check if free_area_cache is useful for us */
17678 + if (len <= mm->cached_hole_size) {
17679 + mm->cached_hole_size = 0;
17680 + mm->free_area_cache = mm->mmap_base;
17681 + }
17682 +
17683 + /* either no address requested or can't fit in requested address hole */
17684 + addr = mm->free_area_cache;
17685 +
17686 + /* make sure it can fit in the remaining address space */
17687 + if (addr > len) {
17688 + vma = find_vma(mm, addr-len);
17689 + if (check_heap_stack_gap(vma, addr - len, len))
17690 + /* remember the address as a hint for next time */
17691 + return (mm->free_area_cache = addr-len);
17692 + }
17693 +
17694 + if (mm->mmap_base < len)
17695 + goto bottomup;
17696 +
17697 + addr = mm->mmap_base-len;
17698 +
17699 + do {
17700 + /*
17701 + * Lookup failure means no vma is above this address,
17702 + * else if new region fits below vma->vm_start,
17703 + * return with success:
17704 + */
17705 + vma = find_vma(mm, addr);
17706 + if (check_heap_stack_gap(vma, addr, len))
17707 + /* remember the address as a hint for next time */
17708 + return (mm->free_area_cache = addr);
17709 +
17710 + /* remember the largest hole we saw so far */
17711 + if (addr + mm->cached_hole_size < vma->vm_start)
17712 + mm->cached_hole_size = vma->vm_start - addr;
17713 +
17714 + /* try just below the current vma->vm_start */
17715 + addr = skip_heap_stack_gap(vma, len);
17716 + } while (!IS_ERR_VALUE(addr));
17717 +
17718 +bottomup:
17719 + /*
17720 + * A failed mmap() very likely causes application failure,
17721 + * so fall back to the bottom-up function here. This scenario
17722 + * can happen with large stack limits and large mmap()
17723 + * allocations.
17724 + */
17725 +
17726 +#ifdef CONFIG_PAX_SEGMEXEC
17727 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17728 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17729 + else
17730 +#endif
17731 +
17732 + mm->mmap_base = TASK_UNMAPPED_BASE;
17733 +
17734 +#ifdef CONFIG_PAX_RANDMMAP
17735 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17736 + mm->mmap_base += mm->delta_mmap;
17737 +#endif
17738 +
17739 + mm->free_area_cache = mm->mmap_base;
17740 + mm->cached_hole_size = ~0UL;
17741 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17742 + /*
17743 + * Restore the topdown base:
17744 + */
17745 + mm->mmap_base = base;
17746 + mm->free_area_cache = base;
17747 + mm->cached_hole_size = ~0UL;
17748 +
17749 + return addr;
17750 }
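Review bot: In both new functions the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines leave an `if` with no body of its own, so it governs the `if (addr) {` block that follows after a blank line (and a comment, in the top-down variant). Any statement later inserted between the `#endif` and that block would silently become the guarded statement, and the address hint would then be honoured even with RANDMMAP set. An explicit flag, as in the fence below, keeps the behaviour without the dangling conditional. The same construct appears in the sys_x86_64.c hunks `@@ -69,16 +69,19 @@` and `@@ -141,13 +144,18 @@`. `i386_mmap_check()` also never uses its `flags` parameter, which deserves a short comment.

```c
	unsigned long start_addr, pax_task_size = TASK_SIZE;
	int use_hint = addr != 0;

	/* … unchanged: SEGMEXEC task size, length check, MAP_FIXED return … */

#ifdef CONFIG_PAX_RANDMMAP
	/* under RANDMMAP the caller's address hint is not honoured */
	if (mm->pax_flags & MF_PAX_RANDMMAP)
		use_hint = 0;
#endif

	if (use_hint) {
		addr = PAGE_ALIGN(addr);
		/* … unchanged: range check, find_vma(), check_heap_stack_gap() … */
	}
```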
17751 diff -urNp linux-2.6.39.2/arch/x86/kernel/sys_x86_64.c linux-2.6.39.2/arch/x86/kernel/sys_x86_64.c
17752 --- linux-2.6.39.2/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400
17753 +++ linux-2.6.39.2/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400
17754 @@ -32,8 +32,8 @@ out:
17755 return error;
17756 }
17757
17758 -static void find_start_end(unsigned long flags, unsigned long *begin,
17759 - unsigned long *end)
17760 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17761 + unsigned long *begin, unsigned long *end)
17762 {
17763 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17764 unsigned long new_begin;
17765 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17766 *begin = new_begin;
17767 }
17768 } else {
17769 - *begin = TASK_UNMAPPED_BASE;
17770 + *begin = mm->mmap_base;
17771 *end = TASK_SIZE;
17772 }
17773 }
17774 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17775 if (flags & MAP_FIXED)
17776 return addr;
17777
17778 - find_start_end(flags, &begin, &end);
17779 + find_start_end(mm, flags, &begin, &end);
17780
17781 if (len > end)
17782 return -ENOMEM;
17783
17784 +#ifdef CONFIG_PAX_RANDMMAP
17785 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17786 +#endif
17787 +
17788 if (addr) {
17789 addr = PAGE_ALIGN(addr);
17790 vma = find_vma(mm, addr);
17791 - if (end - len >= addr &&
17792 - (!vma || addr + len <= vma->vm_start))
17793 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17794 return addr;
17795 }
17796 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17797 @@ -106,7 +109,7 @@ full_search:
17798 }
17799 return -ENOMEM;
17800 }
17801 - if (!vma || addr + len <= vma->vm_start) {
17802 + if (check_heap_stack_gap(vma, addr, len)) {
17803 /*
17804 * Remember the place where we stopped the search:
17805 */
17806 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17807 {
17808 struct vm_area_struct *vma;
17809 struct mm_struct *mm = current->mm;
17810 - unsigned long addr = addr0;
17811 + unsigned long base = mm->mmap_base, addr = addr0;
17812
17813 /* requested length too big for entire address space */
17814 if (len > TASK_SIZE)
17815 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17816 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17817 goto bottomup;
17818
17819 +#ifdef CONFIG_PAX_RANDMMAP
17820 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17821 +#endif
17822 +
17823 /* requesting a specific address */
17824 if (addr) {
17825 addr = PAGE_ALIGN(addr);
17826 - vma = find_vma(mm, addr);
17827 - if (TASK_SIZE - len >= addr &&
17828 - (!vma || addr + len <= vma->vm_start))
17829 - return addr;
17830 + if (TASK_SIZE - len >= addr) {
17831 + vma = find_vma(mm, addr);
17832 + if (check_heap_stack_gap(vma, addr, len))
17833 + return addr;
17834 + }
17835 }
17836
17837 /* check if free_area_cache is useful for us */
17838 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17839 /* make sure it can fit in the remaining address space */
17840 if (addr > len) {
17841 vma = find_vma(mm, addr-len);
17842 - if (!vma || addr <= vma->vm_start)
17843 + if (check_heap_stack_gap(vma, addr - len, len))
17844 /* remember the address as a hint for next time */
17845 return mm->free_area_cache = addr-len;
17846 }
17847 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17848 * return with success:
17849 */
17850 vma = find_vma(mm, addr);
17851 - if (!vma || addr+len <= vma->vm_start)
17852 + if (check_heap_stack_gap(vma, addr, len))
17853 /* remember the address as a hint for next time */
17854 return mm->free_area_cache = addr;
17855
17856 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17857 mm->cached_hole_size = vma->vm_start - addr;
17858
17859 /* try just below the current vma->vm_start */
17860 - addr = vma->vm_start-len;
17861 - } while (len < vma->vm_start);
17862 + addr = skip_heap_stack_gap(vma, len);
17863 + } while (!IS_ERR_VALUE(addr));
17864
17865 bottomup:
17866 /*
17867 @@ -198,13 +206,21 @@ bottomup:
17868 * can happen with large stack limits and large mmap()
17869 * allocations.
17870 */
17871 + mm->mmap_base = TASK_UNMAPPED_BASE;
17872 +
17873 +#ifdef CONFIG_PAX_RANDMMAP
17874 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17875 + mm->mmap_base += mm->delta_mmap;
17876 +#endif
17877 +
17878 + mm->free_area_cache = mm->mmap_base;
17879 mm->cached_hole_size = ~0UL;
17880 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17881 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17882 /*
17883 * Restore the topdown base:
17884 */
17885 - mm->free_area_cache = mm->mmap_base;
17886 + mm->mmap_base = base;
17887 + mm->free_area_cache = base;
17888 mm->cached_hole_size = ~0UL;
17889
17890 return addr;
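Review bot: The fallback path now overwrites `mm->mmap_base` itself before calling arch_get_unmapped_area() and restores it from `base` afterwards, so any reader of `mm->mmap_base` in between sees the bottom-up value. That is safe only if the caller holds the mm's mmap semaphore for writing across the whole call, which this hunk does not show. A comment above the first assignment, such as `/* mmap_base is borrowed for the bottom-up search; caller must hold mmap_sem for writing */`, would record the assumption. The new arch_get_unmapped_area_topdown() in sys_i386_32.c uses the same pattern, and the function here begins in an earlier hunk.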
17891 diff -urNp linux-2.6.39.2/arch/x86/kernel/tboot.c linux-2.6.39.2/arch/x86/kernel/tboot.c
17892 --- linux-2.6.39.2/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400
17893 +++ linux-2.6.39.2/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400
17894 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
17895
17896 void tboot_shutdown(u32 shutdown_type)
17897 {
17898 - void (*shutdown)(void);
17899 + void (* __noreturn shutdown)(void);
17900
17901 if (!tboot_enabled())
17902 return;
17903 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
17904
17905 switch_to_tboot_pt();
17906
17907 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17908 + shutdown = (void *)tboot->shutdown_entry;
17909 shutdown();
17910
17911 /* should not reach here */
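Review bot: The new assignment `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast that the removed line had. If `shutdown_entry` is a 32-bit field (its declaration is not in this hunk), this becomes an integer-to-pointer cast of a different size on x86_64 and will draw a compiler warning. `shutdown = (void *)(unsigned long)tboot->shutdown_entry;` keeps the widening explicit. tboot_shutdown() starts in the previous hunk.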
17912 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17913 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17914 }
17915
17916 -static atomic_t ap_wfs_count;
17917 +static atomic_unchecked_t ap_wfs_count;
17918
17919 static int tboot_wait_for_aps(int num_aps)
17920 {
17921 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
17922 {
17923 switch (action) {
17924 case CPU_DYING:
17925 - atomic_inc(&ap_wfs_count);
17926 + atomic_inc_unchecked(&ap_wfs_count);
17927 if (num_online_cpus() == 1)
17928 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17929 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17930 return NOTIFY_BAD;
17931 break;
17932 }
17933 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
17934
17935 tboot_create_trampoline();
17936
17937 - atomic_set(&ap_wfs_count, 0);
17938 + atomic_set_unchecked(&ap_wfs_count, 0);
17939 register_hotcpu_notifier(&tboot_cpu_notifier);
17940 return 0;
17941 }
17942 diff -urNp linux-2.6.39.2/arch/x86/kernel/time.c linux-2.6.39.2/arch/x86/kernel/time.c
17943 --- linux-2.6.39.2/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
17944 +++ linux-2.6.39.2/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400
17945 @@ -22,17 +22,13 @@
17946 #include <asm/hpet.h>
17947 #include <asm/time.h>
17948
17949 -#ifdef CONFIG_X86_64
17950 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17951 -#endif
17952 -
17953 unsigned long profile_pc(struct pt_regs *regs)
17954 {
17955 unsigned long pc = instruction_pointer(regs);
17956
17957 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
17958 + if (!user_mode(regs) && in_lock_functions(pc)) {
17959 #ifdef CONFIG_FRAME_POINTER
17960 - return *(unsigned long *)(regs->bp + sizeof(long));
17961 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
17962 #else
17963 unsigned long *sp =
17964 (unsigned long *)kernel_stack_pointer(regs);
17965 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
17966 * or above a saved flags. Eflags has bits 22-31 zero,
17967 * kernel addresses don't.
17968 */
17969 +
17970 +#ifdef CONFIG_PAX_KERNEXEC
17971 + return ktla_ktva(sp[0]);
17972 +#else
17973 if (sp[0] >> 22)
17974 return sp[0];
17975 if (sp[1] >> 22)
17976 return sp[1];
17977 #endif
17978 +
17979 +#endif
17980 }
17981 return pc;
17982 }
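Review bot: Under `CONFIG_PAX_KERNEXEC` the function now returns `ktla_ktva(sp[0])` unconditionally, while the comment just above still says the return address is either at the stack pointer or above a saved flags word. If the `>> 22` test cannot be used with KERNEXEC's text addresses, the branch should say so, for example `/* KERNEXEC: the eflags heuristic below does not apply to these text addresses */` (reason to be confirmed by the author). Otherwise the saved-flags case ends up reported as a PC. profile_pc() begins in the previous hunk.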
17983 diff -urNp linux-2.6.39.2/arch/x86/kernel/tls.c linux-2.6.39.2/arch/x86/kernel/tls.c
17984 --- linux-2.6.39.2/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400
17985 +++ linux-2.6.39.2/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400
17986 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
17987 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
17988 return -EINVAL;
17989
17990 +#ifdef CONFIG_PAX_SEGMEXEC
17991 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
17992 + return -EINVAL;
17993 +#endif
17994 +
17995 set_tls_desc(p, idx, &info, 1);
17996
17997 return 0;
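Review bot: The new SEGMEXEC check dereferences `p->mm` without testing it, and it carries no comment explaining why code-type descriptors are refused. If do_set_thread_area() can ever be reached for a task that has no mm (the callers are not visible here), `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` would be the defensive form. A comment such as `/* SEGMEXEC: do not let a TLS slot hold a code descriptor */` would document the restriction. The function starts outside this hunk.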
17998 diff -urNp linux-2.6.39.2/arch/x86/kernel/trampoline_32.S linux-2.6.39.2/arch/x86/kernel/trampoline_32.S
17999 --- linux-2.6.39.2/arch/x86/kernel/trampoline_32.S 2011-05-19 00:06:34.000000000 -0400
18000 +++ linux-2.6.39.2/arch/x86/kernel/trampoline_32.S 2011-05-22 19:36:30.000000000 -0400
18001 @@ -32,6 +32,12 @@
18002 #include <asm/segment.h>
18003 #include <asm/page_types.h>
18004
18005 +#ifdef CONFIG_PAX_KERNEXEC
18006 +#define ta(X) (X)
18007 +#else
18008 +#define ta(X) ((X) - __PAGE_OFFSET)
18009 +#endif
18010 +
18011 #ifdef CONFIG_SMP
18012
18013 .section ".x86_trampoline","a"
18014 @@ -62,7 +68,7 @@ r_base = .
18015 inc %ax # protected mode (PE) bit
18016 lmsw %ax # into protected mode
18017 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18018 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18019 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
18020
18021 # These need to be in the same 64K segment as the above;
18022 # hence we don't use the boot_gdt_descr defined in head.S
18023 diff -urNp linux-2.6.39.2/arch/x86/kernel/trampoline_64.S linux-2.6.39.2/arch/x86/kernel/trampoline_64.S
18024 --- linux-2.6.39.2/arch/x86/kernel/trampoline_64.S 2011-05-19 00:06:34.000000000 -0400
18025 +++ linux-2.6.39.2/arch/x86/kernel/trampoline_64.S 2011-05-22 19:36:30.000000000 -0400
18026 @@ -90,7 +90,7 @@ startup_32:
18027 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18028 movl %eax, %ds
18029
18030 - movl $X86_CR4_PAE, %eax
18031 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18032 movl %eax, %cr4 # Enable PAE mode
18033
18034 # Setup trampoline 4 level pagetables
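Review bot: The context comment on the `movl %eax, %cr4` line still reads `# Enable PAE mode`, but the value loaded now also sets PSE and PGE. Please update it to something like `# Enable PSE, PAE and PGE`. A note on why global and large pages are wanted this early in the trampoline would also help, as the hunk gives no reason. startup_32 continues outside the hunk.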
18035 @@ -138,7 +138,7 @@ tidt:
18036 # so the kernel can live anywhere
18037 .balign 4
18038 tgdt:
18039 - .short tgdt_end - tgdt # gdt limit
18040 + .short tgdt_end - tgdt - 1 # gdt limit
18041 .long tgdt - r_base
18042 .short 0
18043 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18044 diff -urNp linux-2.6.39.2/arch/x86/kernel/traps.c linux-2.6.39.2/arch/x86/kernel/traps.c
18045 --- linux-2.6.39.2/arch/x86/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
18046 +++ linux-2.6.39.2/arch/x86/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
18047 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
18048
18049 /* Do we ignore FPU interrupts ? */
18050 char ignore_fpu_irq;
18051 -
18052 -/*
18053 - * The IDT has to be page-aligned to simplify the Pentium
18054 - * F0 0F bug workaround.
18055 - */
18056 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18057 #endif
18058
18059 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18060 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
18061 }
18062
18063 static void __kprobes
18064 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18065 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18066 long error_code, siginfo_t *info)
18067 {
18068 struct task_struct *tsk = current;
18069
18070 #ifdef CONFIG_X86_32
18071 - if (regs->flags & X86_VM_MASK) {
18072 + if (v8086_mode(regs)) {
18073 /*
18074 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18075 * On nmi (interrupt 2), do_trap should not be called.
18076 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
18077 }
18078 #endif
18079
18080 - if (!user_mode(regs))
18081 + if (!user_mode_novm(regs))
18082 goto kernel_trap;
18083
18084 #ifdef CONFIG_X86_32
18085 @@ -157,7 +151,7 @@ trap_signal:
18086 printk_ratelimit()) {
18087 printk(KERN_INFO
18088 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18089 - tsk->comm, tsk->pid, str,
18090 + tsk->comm, task_pid_nr(tsk), str,
18091 regs->ip, regs->sp, error_code);
18092 print_vma_addr(" in ", regs->ip);
18093 printk("\n");
18094 @@ -174,8 +168,20 @@ kernel_trap:
18095 if (!fixup_exception(regs)) {
18096 tsk->thread.error_code = error_code;
18097 tsk->thread.trap_no = trapnr;
18098 +
18099 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18100 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18101 + str = "PAX: suspicious stack segment fault";
18102 +#endif
18103 +
18104 die(str, regs, error_code);
18105 }
18106 +
18107 +#ifdef CONFIG_PAX_REFCOUNT
18108 + if (trapnr == 4)
18109 + pax_report_refcount_overflow(regs);
18110 +#endif
18111 +
18112 return;
18113
18114 #ifdef CONFIG_X86_32
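Review bot: The two added tests use bare vector numbers, `trapnr == 12` and `trapnr == 4`, and the selector comparison against `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` is written out here and again in the gp_in_kernel hunk. A comment on each number (`/* 12: stack segment fault */`, `/* 4: overflow trap, presumably raised by the refcount check */`) and a small inline helper for the selector test would keep the two sites from drifting apart. `pax_report_refcount_overflow()` also sits after the `if (!fixup_exception(regs))` block, so it is reached on the path where the fixup succeeded; if that is intended it deserves a comment. do_trap starts and ends outside the hunk.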
18115 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
18116 conditional_sti(regs);
18117
18118 #ifdef CONFIG_X86_32
18119 - if (regs->flags & X86_VM_MASK)
18120 + if (v8086_mode(regs))
18121 goto gp_in_vm86;
18122 #endif
18123
18124 tsk = current;
18125 - if (!user_mode(regs))
18126 + if (!user_mode_novm(regs))
18127 goto gp_in_kernel;
18128
18129 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18130 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18131 + struct mm_struct *mm = tsk->mm;
18132 + unsigned long limit;
18133 +
18134 + down_write(&mm->mmap_sem);
18135 + limit = mm->context.user_cs_limit;
18136 + if (limit < TASK_SIZE) {
18137 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18138 + up_write(&mm->mmap_sem);
18139 + return;
18140 + }
18141 + up_write(&mm->mmap_sem);
18142 + }
18143 +#endif
18144 +
18145 tsk->thread.error_code = error_code;
18146 tsk->thread.trap_no = 13;
18147
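Review bot: The early `return` after `track_exec_limit()` has no comment, and it resumes the task without recording `error_code`/`trap_no` or raising a signal. It presumably relies on track_exec_limit() raising `user_cs_limit` so that the retried instruction no longer faults. If the limit is ever left below TASK_SIZE the task would take the same fault again. A comment such as `/* CS limit was stale: widen it and let the instruction retry */` would record the intent, and a check that the limit really changed before returning would rule out a repeat fault. do_general_protection starts and ends outside the hunk.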
18148 @@ -304,6 +326,13 @@ gp_in_kernel:
18149 if (notify_die(DIE_GPF, "general protection fault", regs,
18150 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18151 return;
18152 +
18153 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18154 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18155 + die("PAX: suspicious general protection fault", regs, error_code);
18156 + else
18157 +#endif
18158 +
18159 die("general protection fault", regs, error_code);
18160 }
18161
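Review bot: The added `else` is left dangling across `#endif` and a blank line, so the unconditional `die("general protection fault", ...)` below becomes its body only when the KERNEXEC block is compiled in. A statement inserted between the two later would silently change which call the `else` governs. Selecting the message first is safer: declare `const char *msg = "general protection fault";`, assign `msg = "PAX: suspicious general protection fault";` inside the `#if`, and finish with a single `die(msg, regs, error_code);`. The enclosing function starts outside the hunk.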
18162 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
18163 /* It's safe to allow irq's after DR6 has been saved */
18164 preempt_conditional_sti(regs);
18165
18166 - if (regs->flags & X86_VM_MASK) {
18167 + if (v8086_mode(regs)) {
18168 handle_vm86_trap((struct kernel_vm86_regs *) regs,
18169 error_code, 1);
18170 preempt_conditional_cli(regs);
18171 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
18172 * We already checked v86 mode above, so we can check for kernel mode
18173 * by just checking the CPL of CS.
18174 */
18175 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
18176 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
18177 tsk->thread.debugreg6 &= ~DR_STEP;
18178 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
18179 regs->flags &= ~X86_EFLAGS_TF;
18180 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
18181 return;
18182 conditional_sti(regs);
18183
18184 - if (!user_mode_vm(regs))
18185 + if (!user_mode(regs))
18186 {
18187 if (!fixup_exception(regs)) {
18188 task->thread.error_code = error_code;
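Review bot: This hunk replaces `user_mode_vm(regs)` with `user_mode(regs)`, while the other hunks in this file replace `user_mode(regs)` with `user_mode_novm(regs)`. Together that implies the patch redefines `user_mode()` to include the vm86 check. The definitions are not in this file, so that is inferred. Because the name then means something different from mainline, code carried over from upstream that calls `user_mode()` changes behaviour without any visible diff. A comment at the macro definitions stating the new meaning of each name would make that reviewable. math_error continues outside the hunk.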
18189 @@ -723,7 +752,7 @@ asmlinkage void __attribute__((weak)) sm
18190 void __math_state_restore(void)
18191 {
18192 struct thread_info *thread = current_thread_info();
18193 - struct task_struct *tsk = thread->task;
18194 + struct task_struct *tsk = current;
18195
18196 /*
18197 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18198 @@ -750,8 +779,7 @@ void __math_state_restore(void)
18199 */
18200 asmlinkage void math_state_restore(void)
18201 {
18202 - struct thread_info *thread = current_thread_info();
18203 - struct task_struct *tsk = thread->task;
18204 + struct task_struct *tsk = current;
18205
18206 if (!tsk_used_math(tsk)) {
18207 local_irq_enable();
18208 diff -urNp linux-2.6.39.2/arch/x86/kernel/vm86_32.c linux-2.6.39.2/arch/x86/kernel/vm86_32.c
18209 --- linux-2.6.39.2/arch/x86/kernel/vm86_32.c 2011-05-19 00:06:34.000000000 -0400
18210 +++ linux-2.6.39.2/arch/x86/kernel/vm86_32.c 2011-05-22 19:41:32.000000000 -0400
18211 @@ -41,6 +41,7 @@
18212 #include <linux/ptrace.h>
18213 #include <linux/audit.h>
18214 #include <linux/stddef.h>
18215 +#include <linux/grsecurity.h>
18216
18217 #include <asm/uaccess.h>
18218 #include <asm/io.h>
18219 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18220 do_exit(SIGSEGV);
18221 }
18222
18223 - tss = &per_cpu(init_tss, get_cpu());
18224 + tss = init_tss + get_cpu();
18225 current->thread.sp0 = current->thread.saved_sp0;
18226 current->thread.sysenter_cs = __KERNEL_CS;
18227 load_sp0(tss, &current->thread);
18228 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
18229 struct task_struct *tsk;
18230 int tmp, ret = -EPERM;
18231
18232 +#ifdef CONFIG_GRKERNSEC_VM86
18233 + if (!capable(CAP_SYS_RAWIO)) {
18234 + gr_handle_vm86();
18235 + goto out;
18236 + }
18237 +#endif
18238 +
18239 tsk = current;
18240 if (tsk->thread.saved_sp0)
18241 goto out;
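Review bot: The capability gate added to sys_vm86old relies on the initialiser `ret = -EPERM` for its return value, whereas the same gate added to sys_vm86 in the next hunk sets `ret = -EPERM;` explicitly. Setting it explicitly here too (`gr_handle_vm86(); ret = -EPERM; goto out;`) keeps the denial from changing if the initialiser is ever edited. A one-line comment on why CAP_SYS_RAWIO is the capability required for vm86 would also help whoever audits the policy later. Both function bodies continue outside their hunks.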
18242 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
18243 int tmp, ret;
18244 struct vm86plus_struct __user *v86;
18245
18246 +#ifdef CONFIG_GRKERNSEC_VM86
18247 + if (!capable(CAP_SYS_RAWIO)) {
18248 + gr_handle_vm86();
18249 + ret = -EPERM;
18250 + goto out;
18251 + }
18252 +#endif
18253 +
18254 tsk = current;
18255 switch (cmd) {
18256 case VM86_REQUEST_IRQ:
18257 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18258 tsk->thread.saved_fs = info->regs32->fs;
18259 tsk->thread.saved_gs = get_user_gs(info->regs32);
18260
18261 - tss = &per_cpu(init_tss, get_cpu());
18262 + tss = init_tss + get_cpu();
18263 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18264 if (cpu_has_sep)
18265 tsk->thread.sysenter_cs = 0;
18266 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18267 goto cannot_handle;
18268 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18269 goto cannot_handle;
18270 - intr_ptr = (unsigned long __user *) (i << 2);
18271 + intr_ptr = (__force unsigned long __user *) (i << 2);
18272 if (get_user(segoffs, intr_ptr))
18273 goto cannot_handle;
18274 if ((segoffs >> 16) == BIOSSEG)
18275 diff -urNp linux-2.6.39.2/arch/x86/kernel/vmlinux.lds.S linux-2.6.39.2/arch/x86/kernel/vmlinux.lds.S
18276 --- linux-2.6.39.2/arch/x86/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
18277 +++ linux-2.6.39.2/arch/x86/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
18278 @@ -26,6 +26,13 @@
18279 #include <asm/page_types.h>
18280 #include <asm/cache.h>
18281 #include <asm/boot.h>
18282 +#include <asm/segment.h>
18283 +
18284 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18285 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18286 +#else
18287 +#define __KERNEL_TEXT_OFFSET 0
18288 +#endif
18289
18290 #undef i386 /* in case the preprocessor is a 32bit one */
18291
18292 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18293 #ifdef CONFIG_X86_32
18294 OUTPUT_ARCH(i386)
18295 ENTRY(phys_startup_32)
18296 -jiffies = jiffies_64;
18297 #else
18298 OUTPUT_ARCH(i386:x86-64)
18299 ENTRY(phys_startup_64)
18300 -jiffies_64 = jiffies;
18301 #endif
18302
18303 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18304 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
18305
18306 PHDRS {
18307 text PT_LOAD FLAGS(5); /* R_E */
18308 +#ifdef CONFIG_X86_32
18309 + module PT_LOAD FLAGS(5); /* R_E */
18310 +#endif
18311 +#ifdef CONFIG_XEN
18312 + rodata PT_LOAD FLAGS(5); /* R_E */
18313 +#else
18314 + rodata PT_LOAD FLAGS(4); /* R__ */
18315 +#endif
18316 data PT_LOAD FLAGS(6); /* RW_ */
18317 #ifdef CONFIG_X86_64
18318 user PT_LOAD FLAGS(5); /* R_E */
18319 +#endif
18320 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18321 #ifdef CONFIG_SMP
18322 percpu PT_LOAD FLAGS(6); /* RW_ */
18323 #endif
18324 + text.init PT_LOAD FLAGS(5); /* R_E */
18325 + text.exit PT_LOAD FLAGS(5); /* R_E */
18326 init PT_LOAD FLAGS(7); /* RWE */
18327 -#endif
18328 note PT_NOTE FLAGS(0); /* ___ */
18329 }
18330
18331 SECTIONS
18332 {
18333 #ifdef CONFIG_X86_32
18334 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18335 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18336 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18337 #else
18338 - . = __START_KERNEL;
18339 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18340 + . = __START_KERNEL;
18341 #endif
18342
18343 /* Text and read-only data */
18344 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18345 - _text = .;
18346 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18347 /* bootstrapping code */
18348 +#ifdef CONFIG_X86_32
18349 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18350 +#else
18351 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18352 +#endif
18353 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18354 + _text = .;
18355 HEAD_TEXT
18356 #ifdef CONFIG_X86_32
18357 . = ALIGN(PAGE_SIZE);
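Review bot: The new `rodata` program header is `FLAGS(5)` (read and execute) under CONFIG_XEN and `FLAGS(4)` otherwise, with no comment on why read-only data has to be executable on Xen. The `init` header also keeps `FLAGS(7); /* RWE */` although init and exit text now have their own `text.init` and `text.exit` headers. Please add a comment above `#ifdef CONFIG_XEN` giving the reason, and state whether `init` still needs the execute bit after this split. The SECTIONS block continues outside the hunk.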
18358 @@ -109,13 +129,47 @@ SECTIONS
18359 IRQENTRY_TEXT
18360 *(.fixup)
18361 *(.gnu.warning)
18362 - /* End of text section */
18363 - _etext = .;
18364 } :text = 0x9090
18365
18366 - NOTES :text :note
18367 + . += __KERNEL_TEXT_OFFSET;
18368 +
18369 +#ifdef CONFIG_X86_32
18370 + . = ALIGN(PAGE_SIZE);
18371 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18372 +
18373 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18374 + MODULES_EXEC_VADDR = .;
18375 + BYTE(0)
18376 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18377 + . = ALIGN(HPAGE_SIZE);
18378 + MODULES_EXEC_END = . - 1;
18379 +#endif
18380 +
18381 + } :module
18382 +#endif
18383 +
18384 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18385 + /* End of text section */
18386 + _etext = . - __KERNEL_TEXT_OFFSET;
18387 + }
18388
18389 - EXCEPTION_TABLE(16) :text = 0x9090
18390 +#ifdef CONFIG_X86_32
18391 + . = ALIGN(PAGE_SIZE);
18392 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18393 + *(.idt)
18394 + . = ALIGN(PAGE_SIZE);
18395 + *(.empty_zero_page)
18396 + *(.initial_pg_fixmap)
18397 + *(.initial_pg_pmd)
18398 + *(.initial_page_table)
18399 + *(.swapper_pg_dir)
18400 + } :rodata
18401 +#endif
18402 +
18403 + . = ALIGN(PAGE_SIZE);
18404 + NOTES :rodata :note
18405 +
18406 + EXCEPTION_TABLE(16) :rodata
18407
18408 #if defined(CONFIG_DEBUG_RODATA)
18409 /* .text should occupy whole number of pages */
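Review bot: The `.module.text` block reserves space inside the image with `BYTE(0)` and a location-counter bump, but nothing documents the `BYTE(0)`, the unit of `CONFIG_PAX_KERNEXEC_MODULE_TEXT`, or that `MODULES_EXEC_END` is an inclusive end address. A comment such as `/* reserve CONFIG_PAX_KERNEXEC_MODULE_TEXT MiB for module text; BYTE(0) presumably keeps the otherwise empty section from being dropped; MODULES_EXEC_END is the last byte */` would cover all three, with the BYTE(0) reason confirmed by the author. The surrounding `.text` and `.text.end` sections are only partly visible in this hunk.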
18410 @@ -127,16 +181,20 @@ SECTIONS
18411
18412 /* Data */
18413 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18414 +
18415 +#ifdef CONFIG_PAX_KERNEXEC
18416 + . = ALIGN(HPAGE_SIZE);
18417 +#else
18418 + . = ALIGN(PAGE_SIZE);
18419 +#endif
18420 +
18421 /* Start of data section */
18422 _sdata = .;
18423
18424 /* init_task */
18425 INIT_TASK_DATA(THREAD_SIZE)
18426
18427 -#ifdef CONFIG_X86_32
18428 - /* 32 bit has nosave before _edata */
18429 NOSAVE_DATA
18430 -#endif
18431
18432 PAGE_ALIGNED_DATA(PAGE_SIZE)
18433
18434 @@ -145,6 +203,8 @@ SECTIONS
18435 DATA_DATA
18436 CONSTRUCTORS
18437
18438 + jiffies = jiffies_64;
18439 +
18440 /* rarely changed data like cpu maps */
18441 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
18442
18443 @@ -199,12 +259,6 @@ SECTIONS
18444 }
18445 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18446
18447 - . = ALIGN(L1_CACHE_BYTES);
18448 - .jiffies : AT(VLOAD(.jiffies)) {
18449 - *(.jiffies)
18450 - }
18451 - jiffies = VVIRT(.jiffies);
18452 -
18453 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18454 *(.vsyscall_3)
18455 }
18456 @@ -220,12 +274,19 @@ SECTIONS
18457 #endif /* CONFIG_X86_64 */
18458
18459 /* Init code and data - will be freed after init */
18460 - . = ALIGN(PAGE_SIZE);
18461 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18462 + BYTE(0)
18463 +
18464 +#ifdef CONFIG_PAX_KERNEXEC
18465 + . = ALIGN(HPAGE_SIZE);
18466 +#else
18467 + . = ALIGN(PAGE_SIZE);
18468 +#endif
18469 +
18470 __init_begin = .; /* paired with __init_end */
18471 - }
18472 + } :init.begin
18473
18474 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18475 +#ifdef CONFIG_SMP
18476 /*
18477 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18478 * output PHDR, so the next output section - .init.text - should
18479 @@ -234,12 +295,27 @@ SECTIONS
18480 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
18481 #endif
18482
18483 - INIT_TEXT_SECTION(PAGE_SIZE)
18484 -#ifdef CONFIG_X86_64
18485 - :init
18486 -#endif
18487 + . = ALIGN(PAGE_SIZE);
18488 + init_begin = .;
18489 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18490 + VMLINUX_SYMBOL(_sinittext) = .;
18491 + INIT_TEXT
18492 + VMLINUX_SYMBOL(_einittext) = .;
18493 + . = ALIGN(PAGE_SIZE);
18494 + } :text.init
18495
18496 - INIT_DATA_SECTION(16)
18497 + /*
18498 + * .exit.text is discard at runtime, not link time, to deal with
18499 + * references from .altinstructions and .eh_frame
18500 + */
18501 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18502 + EXIT_TEXT
18503 + . = ALIGN(16);
18504 + } :text.exit
18505 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18506 +
18507 + . = ALIGN(PAGE_SIZE);
18508 + INIT_DATA_SECTION(16) :init
18509
18510 /*
18511 * Code and data for a variety of lowlevel trampolines, to be
18512 @@ -306,19 +382,12 @@ SECTIONS
18513 }
18514
18515 . = ALIGN(8);
18516 - /*
18517 - * .exit.text is discard at runtime, not link time, to deal with
18518 - * references from .altinstructions and .eh_frame
18519 - */
18520 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18521 - EXIT_TEXT
18522 - }
18523
18524 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18525 EXIT_DATA
18526 }
18527
18528 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18529 +#ifndef CONFIG_SMP
18530 PERCPU(INTERNODE_CACHE_BYTES, PAGE_SIZE)
18531 #endif
18532
18533 @@ -337,16 +406,10 @@ SECTIONS
18534 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
18535 __smp_locks = .;
18536 *(.smp_locks)
18537 - . = ALIGN(PAGE_SIZE);
18538 __smp_locks_end = .;
18539 + . = ALIGN(PAGE_SIZE);
18540 }
18541
18542 -#ifdef CONFIG_X86_64
18543 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18544 - NOSAVE_DATA
18545 - }
18546 -#endif
18547 -
18548 /* BSS */
18549 . = ALIGN(PAGE_SIZE);
18550 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18551 @@ -362,6 +425,7 @@ SECTIONS
18552 __brk_base = .;
18553 . += 64 * 1024; /* 64k alignment slop space */
18554 *(.brk_reservation) /* areas brk users have reserved */
18555 + . = ALIGN(HPAGE_SIZE);
18556 __brk_limit = .;
18557 }
18558
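Review bot: `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is unconditional, while the same alignment in the `.data` and `.init.begin` hunks is guarded by `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback. As written every configuration pads the brk area to a huge-page boundary. If the padding is only needed for KERNEXEC, wrap it the same way as the other two sites. If it is needed everywhere, a comment saying why would stop someone from later "fixing" the inconsistency.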
18559 @@ -388,13 +452,12 @@ SECTIONS
18560 * for the boot processor.
18561 */
18562 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
18563 -INIT_PER_CPU(gdt_page);
18564 INIT_PER_CPU(irq_stack_union);
18565
18566 /*
18567 * Build-time check on the image size:
18568 */
18569 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18570 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18571 "kernel image bigger than KERNEL_IMAGE_SIZE");
18572
18573 #ifdef CONFIG_SMP
18574 diff -urNp linux-2.6.39.2/arch/x86/kernel/vsyscall_64.c linux-2.6.39.2/arch/x86/kernel/vsyscall_64.c
18575 --- linux-2.6.39.2/arch/x86/kernel/vsyscall_64.c 2011-05-19 00:06:34.000000000 -0400
18576 +++ linux-2.6.39.2/arch/x86/kernel/vsyscall_64.c 2011-05-22 19:36:30.000000000 -0400
18577 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18578
18579 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18580 /* copy vsyscall data */
18581 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18582 vsyscall_gtod_data.clock.vread = clock->vread;
18583 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18584 vsyscall_gtod_data.clock.mask = clock->mask;
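Review bot: The added `strlcpy()` is only correct if `vsyscall_gtod_data.clock.name` is a char array, because `sizeof vsyscall_gtod_data.clock.name` would be the pointer size if the member were a `const char *`. The declaration is not in this hunk, so it needs to be part of the same patch and is worth checking. The copy also runs inside the `write_seqlock_irqsave()` section on every update_vsyscall() call, although the name presumably changes only when the clocksource is switched. Kernel style would write `sizeof(vsyscall_gtod_data.clock.name)`, and a comment on what reads the copied name would explain why it is kept here. update_vsyscall continues outside the hunk.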
18585 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18586 We do this here because otherwise user space would do it on
18587 its own in a likely inferior way (no access to jiffies).
18588 If you don't like it pass NULL. */
18589 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18590 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18591 p = tcache->blob[1];
18592 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18593 /* Load per CPU data from RDTSCP */
18594 diff -urNp linux-2.6.39.2/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.39.2/arch/x86/kernel/x8664_ksyms_64.c
18595 --- linux-2.6.39.2/arch/x86/kernel/x8664_ksyms_64.c 2011-05-19 00:06:34.000000000 -0400
18596 +++ linux-2.6.39.2/arch/x86/kernel/x8664_ksyms_64.c 2011-05-22 19:36:30.000000000 -0400
18597 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
18598 EXPORT_SYMBOL(copy_user_generic_string);
18599 EXPORT_SYMBOL(copy_user_generic_unrolled);
18600 EXPORT_SYMBOL(__copy_user_nocache);
18601 -EXPORT_SYMBOL(_copy_from_user);
18602 -EXPORT_SYMBOL(_copy_to_user);
18603
18604 EXPORT_SYMBOL(copy_page);
18605 EXPORT_SYMBOL(clear_page);
18606 diff -urNp linux-2.6.39.2/arch/x86/kernel/xsave.c linux-2.6.39.2/arch/x86/kernel/xsave.c
18607 --- linux-2.6.39.2/arch/x86/kernel/xsave.c 2011-05-19 00:06:34.000000000 -0400
18608 +++ linux-2.6.39.2/arch/x86/kernel/xsave.c 2011-05-22 19:36:30.000000000 -0400
18609 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
18610 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18611 return -EINVAL;
18612
18613 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18614 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18615 fx_sw_user->extended_size -
18616 FP_XSTATE_MAGIC2_SIZE));
18617 if (err)
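Review bot: The `__get_user()` touched here reads at `fpstate + fx_sw_user->extended_size - FP_XSTATE_MAGIC2_SIZE`, and the visible check bounds `xstate_size` by `extended_size` but puts no upper bound on `extended_size` itself. `__get_user()` performs no range check of its own, so the read depends on a caller having validated a range that covers `extended_size`, which this hunk does not show. The added `__user` annotations are correct. Alongside them, either use `get_user()` for this one read or add a comment naming the `access_ok()` call that covers it. check_for_xstate starts and ends outside the hunk.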
18618 @@ -267,7 +267,7 @@ fx_only:
18619 * the other extended state.
18620 */
18621 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18622 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18623 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18624 }
18625
18626 /*
18627 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
18628 if (use_xsave())
18629 err = restore_user_xstate(buf);
18630 else
18631 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18632 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18633 buf);
18634 if (unlikely(err)) {
18635 /*
18636 diff -urNp linux-2.6.39.2/arch/x86/kvm/emulate.c linux-2.6.39.2/arch/x86/kvm/emulate.c
18637 --- linux-2.6.39.2/arch/x86/kvm/emulate.c 2011-05-19 00:06:34.000000000 -0400
18638 +++ linux-2.6.39.2/arch/x86/kvm/emulate.c 2011-05-22 19:36:30.000000000 -0400
18639 @@ -89,7 +89,7 @@
18640 #define Src2ImmByte (2<<29)
18641 #define Src2One (3<<29)
18642 #define Src2Imm (4<<29)
18643 -#define Src2Mask (7<<29)
18644 +#define Src2Mask (7U<<29)
18645
18646 #define X2(x...) x, x
18647 #define X3(x...) X2(x), x
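Review bot: Only `Src2Mask` receives the unsigned suffix, but the context line `#define Src2Imm (4<<29)` just above it also shifts into bit 31 of a signed int, which is undefined behaviour in C for the same reason as `7<<29`. Giving the whole group the suffix keeps the definitions consistent, for example `#define Src2Imm (4U<<29)` and likewise for the other `Src2*` values. The rest of the flag definitions are outside the hunk.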
18648 @@ -190,6 +190,7 @@ struct group_dual {
18649
18650 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
18651 do { \
18652 + unsigned long _tmp; \
18653 __asm__ __volatile__ ( \
18654 _PRE_EFLAGS("0", "4", "2") \
18655 _op _suffix " %"_x"3,%1; " \
18656 @@ -203,8 +204,6 @@ struct group_dual {
18657 /* Raw emulation: instruction has two explicit operands. */
18658 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18659 do { \
18660 - unsigned long _tmp; \
18661 - \
18662 switch ((_dst).bytes) { \
18663 case 2: \
18664 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
18665 @@ -220,7 +219,6 @@ struct group_dual {
18666
18667 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18668 do { \
18669 - unsigned long _tmp; \
18670 switch ((_dst).bytes) { \
18671 case 1: \
18672 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
18673 diff -urNp linux-2.6.39.2/arch/x86/kvm/lapic.c linux-2.6.39.2/arch/x86/kvm/lapic.c
18674 --- linux-2.6.39.2/arch/x86/kvm/lapic.c 2011-05-19 00:06:34.000000000 -0400
18675 +++ linux-2.6.39.2/arch/x86/kvm/lapic.c 2011-05-22 19:36:30.000000000 -0400
18676 @@ -53,7 +53,7 @@
18677 #define APIC_BUS_CYCLE_NS 1
18678
18679 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18680 -#define apic_debug(fmt, arg...)
18681 +#define apic_debug(fmt, arg...) do {} while (0)
18682
18683 #define APIC_LVT_NUM 6
18684 /* 14 is the version for Xeon and Pentium 8.4.8*/
18685 diff -urNp linux-2.6.39.2/arch/x86/kvm/mmu.c linux-2.6.39.2/arch/x86/kvm/mmu.c
18686 --- linux-2.6.39.2/arch/x86/kvm/mmu.c 2011-05-19 00:06:34.000000000 -0400
18687 +++ linux-2.6.39.2/arch/x86/kvm/mmu.c 2011-05-22 19:36:30.000000000 -0400
18688 @@ -3240,7 +3240,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18689
18690 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
18691
18692 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
18693 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
18694
18695 /*
18696 * Assume that the pte write on a page table of the same type
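Review bot: `invlpg_counter` is moved to the `_unchecked` accessors here, in the second hunk of this file and in paging_tmpl.h, with no comment on why it is safe to exempt it from overflow detection. From the visible uses the counter is only incremented and compared for inequality against an earlier snapshot, so wrap-around looks harmless. That reasoning belongs next to the field, for example `/* change counter, compared for inequality only; wrap is harmless */`. The matching change of the field's declared type is not in these hunks and has to be in the same patch.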
18697 @@ -3275,7 +3275,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18698 smp_rmb();
18699
18700 spin_lock(&vcpu->kvm->mmu_lock);
18701 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18702 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18703 gentry = 0;
18704 kvm_mmu_free_some_pages(vcpu);
18705 ++vcpu->kvm->stat.mmu_pte_write;
18706 diff -urNp linux-2.6.39.2/arch/x86/kvm/paging_tmpl.h linux-2.6.39.2/arch/x86/kvm/paging_tmpl.h
18707 --- linux-2.6.39.2/arch/x86/kvm/paging_tmpl.h 2011-05-19 00:06:34.000000000 -0400
18708 +++ linux-2.6.39.2/arch/x86/kvm/paging_tmpl.h 2011-05-22 19:36:30.000000000 -0400
18709 @@ -552,6 +552,8 @@ static int FNAME(page_fault)(struct kvm_
18710 unsigned long mmu_seq;
18711 bool map_writable;
18712
18713 + pax_track_stack();
18714 +
18715 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18716
18717 r = mmu_topup_memory_caches(vcpu);
18718 @@ -672,7 +674,7 @@ static void FNAME(invlpg)(struct kvm_vcp
18719 if (need_flush)
18720 kvm_flush_remote_tlbs(vcpu->kvm);
18721
18722 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
18723 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
18724
18725 spin_unlock(&vcpu->kvm->mmu_lock);
18726
18727 diff -urNp linux-2.6.39.2/arch/x86/kvm/svm.c linux-2.6.39.2/arch/x86/kvm/svm.c
18728 --- linux-2.6.39.2/arch/x86/kvm/svm.c 2011-05-19 00:06:34.000000000 -0400
18729 +++ linux-2.6.39.2/arch/x86/kvm/svm.c 2011-05-22 19:36:30.000000000 -0400
18730 @@ -3278,7 +3278,11 @@ static void reload_tss(struct kvm_vcpu *
18731 int cpu = raw_smp_processor_id();
18732
18733 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
18734 +
18735 + pax_open_kernel();
18736 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
18737 + pax_close_kernel();
18738 +
18739 load_TR_desc();
18740 }
18741
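Review bot: The calling context required by the `pax_open_kernel()`/`pax_close_kernel()` pair is not documented, even though the window is kept to a single store. The svm_vcpu_run hunk below shows `reload_tss(vcpu)` immediately before `local_irq_disable()`, which suggests the window can be entered with interrupts enabled. Whether pax_open_kernel() itself deals with that is not visible in this file. A comment on reload_tss such as `/* briefly makes the GDT writable; see pax_open_kernel() for context requirements */` would record the assumption.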
18742 @@ -3656,6 +3660,10 @@ static void svm_vcpu_run(struct kvm_vcpu
18743 #endif
18744 #endif
18745
18746 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18747 + __set_fs(current_thread_info()->addr_limit);
18748 +#endif
18749 +
18750 reload_tss(vcpu);
18751
18752 local_irq_disable();
18753 @@ -3871,7 +3879,7 @@ static void svm_fpu_deactivate(struct kv
18754 update_cr0_intercept(svm);
18755 }
18756
18757 -static struct kvm_x86_ops svm_x86_ops = {
18758 +static const struct kvm_x86_ops svm_x86_ops = {
18759 .cpu_has_kvm_support = has_svm,
18760 .disabled_by_bios = is_disabled,
18761 .hardware_setup = svm_hardware_setup,
18762 diff -urNp linux-2.6.39.2/arch/x86/kvm/vmx.c linux-2.6.39.2/arch/x86/kvm/vmx.c
18763 --- linux-2.6.39.2/arch/x86/kvm/vmx.c 2011-05-19 00:06:34.000000000 -0400
18764 +++ linux-2.6.39.2/arch/x86/kvm/vmx.c 2011-05-22 19:36:30.000000000 -0400
18765 @@ -725,7 +725,11 @@ static void reload_tss(void)
18766 struct desc_struct *descs;
18767
18768 descs = (void *)gdt->address;
18769 +
18770 + pax_open_kernel();
18771 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18772 + pax_close_kernel();
18773 +
18774 load_TR_desc();
18775 }
18776
18777 @@ -1648,8 +1652,11 @@ static __init int hardware_setup(void)
18778 if (!cpu_has_vmx_flexpriority())
18779 flexpriority_enabled = 0;
18780
18781 - if (!cpu_has_vmx_tpr_shadow())
18782 - kvm_x86_ops->update_cr8_intercept = NULL;
18783 + if (!cpu_has_vmx_tpr_shadow()) {
18784 + pax_open_kernel();
18785 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18786 + pax_close_kernel();
18787 + }
18788
18789 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18790 kvm_disable_largepages();
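Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast into a table that this patch declares `const` (`vmx_x86_ops` in the last hunk of this file, presumably the object `kvm_x86_ops` points to here). Modifying an object defined const is undefined behaviour in C whatever the page permissions are, and the compiler may assume the member never changes. It would be cleaner to leave the table immutable and test `cpu_has_vmx_tpr_shadow()` inside the hook or at its call site. If the write stays, add a comment that it is deliberate and happens only during init. hardware_setup starts and ends outside the hunk.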
18791 @@ -2693,7 +2700,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18792 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
18793
18794 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18795 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18796 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18797 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18798 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18799 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
18800 @@ -4068,6 +4075,12 @@ static void __noclone vmx_vcpu_run(struc
18801 "jmp .Lkvm_vmx_return \n\t"
18802 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18803 ".Lkvm_vmx_return: "
18804 +
18805 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18806 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18807 + ".Lkvm_vmx_return2: "
18808 +#endif
18809 +
18810 /* Save guest registers, load host registers, keep flags */
18811 "mov %0, %c[wordsize](%%"R"sp) \n\t"
18812 "pop %0 \n\t"
18813 @@ -4116,6 +4129,11 @@ static void __noclone vmx_vcpu_run(struc
18814 #endif
18815 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
18816 [wordsize]"i"(sizeof(ulong))
18817 +
18818 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18819 + ,[cs]"i"(__KERNEL_CS)
18820 +#endif
18821 +
18822 : "cc", "memory"
18823 , R"ax", R"bx", R"di", R"si"
18824 #ifdef CONFIG_X86_64
18825 @@ -4130,7 +4148,16 @@ static void __noclone vmx_vcpu_run(struc
18826
18827 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
18828
18829 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18830 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18831 +
18832 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18833 + loadsegment(fs, __KERNEL_PERCPU);
18834 +#endif
18835 +
18836 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18837 + __set_fs(current_thread_info()->addr_limit);
18838 +#endif
18839 +
18840 vmx->launched = 1;
18841
18842 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
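Review bot: The reload after VM exit now uses `__KERNEL_DS` instead of `__USER_DS` and also reloads `%ss`, and two conditional fix-ups follow it, but none of this carries a comment. A reader cannot tell from here why the host data segments must be kernel selectors, or why `%fs` and the address limit need restoring only on 32-bit. Suggest a comment above the asm, for example `/* restore the host segment state KERNEXEC/UDEREF expect before touching per-cpu or user memory */`, with the wording confirmed by the author. vmx_vcpu_run starts and ends outside the hunk.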
18843 @@ -4368,7 +4395,7 @@ static void vmx_set_supported_cpuid(u32
18844 {
18845 }
18846
18847 -static struct kvm_x86_ops vmx_x86_ops = {
18848 +static const struct kvm_x86_ops vmx_x86_ops = {
18849 .cpu_has_kvm_support = cpu_has_kvm_support,
18850 .disabled_by_bios = vmx_disabled_by_bios,
18851 .hardware_setup = hardware_setup,
18852 diff -urNp linux-2.6.39.2/arch/x86/kvm/x86.c linux-2.6.39.2/arch/x86/kvm/x86.c
18853 --- linux-2.6.39.2/arch/x86/kvm/x86.c 2011-05-19 00:06:34.000000000 -0400
18854 +++ linux-2.6.39.2/arch/x86/kvm/x86.c 2011-05-22 19:36:30.000000000 -0400
18855 @@ -94,7 +94,7 @@ static void update_cr8_intercept(struct
18856 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18857 struct kvm_cpuid_entry2 __user *entries);
18858
18859 -struct kvm_x86_ops *kvm_x86_ops;
18860 +const struct kvm_x86_ops *kvm_x86_ops;
18861 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18862
18863 int ignore_msrs = 0;
18864 @@ -2050,6 +2050,8 @@ long kvm_arch_dev_ioctl(struct file *fil
18865 if (n < msr_list.nmsrs)
18866 goto out;
18867 r = -EFAULT;
18868 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
18869 + goto out;
18870 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
18871 num_msrs_to_save * sizeof(u32)))
18872 goto out;
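Review bot: The new bound check reuses `r = -EFAULT`, so a mismatch between `num_msrs_to_save` and the size of `msrs_to_save` is reported to userspace as a bad pointer. Both values are kernel-internal, so the condition can only be true through a kernel bug, and it would be easier to diagnose if it were loud: `if (WARN_ON(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))`. A comment that this is a defensive check on internal state, not on user input, would also help. kvm_arch_dev_ioctl starts and ends outside the hunk.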
18873 @@ -2217,15 +2219,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18874 struct kvm_cpuid2 *cpuid,
18875 struct kvm_cpuid_entry2 __user *entries)
18876 {
18877 - int r;
18878 + int r, i;
18879
18880 r = -E2BIG;
18881 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18882 goto out;
18883 r = -EFAULT;
18884 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18885 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18886 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18887 goto out;
18888 + for (i = 0; i < cpuid->nent; ++i) {
18889 + struct kvm_cpuid_entry2 cpuid_entry;
18890 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18891 + goto out;
18892 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18893 + }
18894 vcpu->arch.cpuid_nent = cpuid->nent;
18895 kvm_apic_set_version(vcpu);
18896 kvm_x86_ops->cpuid_update(vcpu);
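Review bot: The per-entry loop compares `int i` with `cpuid->nent`, which is an unsigned field, so the index should be declared to match (`u32 i;`). A fault part-way through the loop also leaves `vcpu->arch.cpuid_entries` holding a mix of new and old entries while `cpuid_nent` keeps its old value; that partial-update behaviour should at least be documented. Neither this loop nor the mirrored one in the kvm_vcpu_ioctl_get_cpuid2 hunk says why a single bulk copy was replaced by `access_ok()` plus per-entry `__copy_*_user()`. A comment such as `/* copy entry by entry through a bounce buffer so each copy has a constant size */` would record the reason once the author confirms it. The function ends outside the hunk.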
18897 @@ -2240,15 +2247,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18898 struct kvm_cpuid2 *cpuid,
18899 struct kvm_cpuid_entry2 __user *entries)
18900 {
18901 - int r;
18902 + int r, i;
18903
18904 r = -E2BIG;
18905 if (cpuid->nent < vcpu->arch.cpuid_nent)
18906 goto out;
18907 r = -EFAULT;
18908 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18909 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18910 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18911 goto out;
18912 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18913 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18914 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18915 + goto out;
18916 + }
18917 return 0;
18918
18919 out:
18920 @@ -2526,7 +2537,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18921 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18922 struct kvm_interrupt *irq)
18923 {
18924 - if (irq->irq < 0 || irq->irq >= 256)
18925 + if (irq->irq >= 256)
18926 return -EINVAL;
18927 if (irqchip_in_kernel(vcpu->kvm))
18928 return -ENXIO;
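Review bot: Dropping the `irq->irq < 0` test is only correct while `irq->irq` is an unsigned field, and the hunk does not show its declaration. If it is unsigned, as I would expect for this ioctl structure, a short comment on the remaining test would stop the lower bound being "restored" or the field type being changed without thought, e.g. `/* irq->irq is unsigned: only the upper bound needs checking */`. The function body continues outside the hunk.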
18929 @@ -4672,7 +4683,7 @@ static unsigned long kvm_get_guest_ip(vo
18930 return ip;
18931 }
18932
18933 -static struct perf_guest_info_callbacks kvm_guest_cbs = {
18934 +static const struct perf_guest_info_callbacks kvm_guest_cbs = {
18935 .is_in_guest = kvm_is_in_guest,
18936 .is_user_mode = kvm_is_user_mode,
18937 .get_guest_ip = kvm_get_guest_ip,
18938 @@ -4690,10 +4701,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
18939 }
18940 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
18941
18942 -int kvm_arch_init(void *opaque)
18943 +int kvm_arch_init(const void *opaque)
18944 {
18945 int r;
18946 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
18947 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
18948
18949 if (kvm_x86_ops) {
18950 printk(KERN_ERR "kvm: already loaded the other module\n");
18951 diff -urNp linux-2.6.39.2/arch/x86/lib/atomic64_32.c linux-2.6.39.2/arch/x86/lib/atomic64_32.c
18952 --- linux-2.6.39.2/arch/x86/lib/atomic64_32.c 2011-05-19 00:06:34.000000000 -0400
18953 +++ linux-2.6.39.2/arch/x86/lib/atomic64_32.c 2011-05-22 19:36:30.000000000 -0400
18954 @@ -8,18 +8,30 @@
18955
18956 long long atomic64_read_cx8(long long, const atomic64_t *v);
18957 EXPORT_SYMBOL(atomic64_read_cx8);
18958 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
18959 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
18960 long long atomic64_set_cx8(long long, const atomic64_t *v);
18961 EXPORT_SYMBOL(atomic64_set_cx8);
18962 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
18963 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
18964 long long atomic64_xchg_cx8(long long, unsigned high);
18965 EXPORT_SYMBOL(atomic64_xchg_cx8);
18966 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
18967 EXPORT_SYMBOL(atomic64_add_return_cx8);
18968 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18969 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
18970 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
18971 EXPORT_SYMBOL(atomic64_sub_return_cx8);
18972 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18973 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
18974 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
18975 EXPORT_SYMBOL(atomic64_inc_return_cx8);
18976 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18977 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
18978 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
18979 EXPORT_SYMBOL(atomic64_dec_return_cx8);
18980 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
18981 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
18982 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
18983 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
18984 int atomic64_inc_not_zero_cx8(atomic64_t *v);
18985 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
18986 #ifndef CONFIG_X86_CMPXCHG64
18987 long long atomic64_read_386(long long, const atomic64_t *v);
18988 EXPORT_SYMBOL(atomic64_read_386);
18989 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
18990 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
18991 long long atomic64_set_386(long long, const atomic64_t *v);
18992 EXPORT_SYMBOL(atomic64_set_386);
18993 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
18994 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
18995 long long atomic64_xchg_386(long long, unsigned high);
18996 EXPORT_SYMBOL(atomic64_xchg_386);
18997 long long atomic64_add_return_386(long long a, atomic64_t *v);
18998 EXPORT_SYMBOL(atomic64_add_return_386);
18999 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19000 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
19001 long long atomic64_sub_return_386(long long a, atomic64_t *v);
19002 EXPORT_SYMBOL(atomic64_sub_return_386);
19003 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19004 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
19005 long long atomic64_inc_return_386(long long a, atomic64_t *v);
19006 EXPORT_SYMBOL(atomic64_inc_return_386);
19007 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19008 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
19009 long long atomic64_dec_return_386(long long a, atomic64_t *v);
19010 EXPORT_SYMBOL(atomic64_dec_return_386);
19011 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19012 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
19013 long long atomic64_add_386(long long a, atomic64_t *v);
19014 EXPORT_SYMBOL(atomic64_add_386);
19015 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
19016 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
19017 long long atomic64_sub_386(long long a, atomic64_t *v);
19018 EXPORT_SYMBOL(atomic64_sub_386);
19019 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
19020 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
19021 long long atomic64_inc_386(long long a, atomic64_t *v);
19022 EXPORT_SYMBOL(atomic64_inc_386);
19023 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
19024 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
19025 long long atomic64_dec_386(long long a, atomic64_t *v);
19026 EXPORT_SYMBOL(atomic64_dec_386);
19027 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
19028 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
19029 long long atomic64_dec_if_positive_386(atomic64_t *v);
19030 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
19031 int atomic64_inc_not_zero_386(atomic64_t *v);
19032 diff -urNp linux-2.6.39.2/arch/x86/lib/atomic64_386_32.S linux-2.6.39.2/arch/x86/lib/atomic64_386_32.S
19033 --- linux-2.6.39.2/arch/x86/lib/atomic64_386_32.S 2011-05-19 00:06:34.000000000 -0400
19034 +++ linux-2.6.39.2/arch/x86/lib/atomic64_386_32.S 2011-05-22 19:36:30.000000000 -0400
19035 @@ -48,6 +48,10 @@ BEGIN(read)
19036 movl (v), %eax
19037 movl 4(v), %edx
19038 RET_ENDP
19039 +BEGIN(read_unchecked)
19040 + movl (v), %eax
19041 + movl 4(v), %edx
19042 +RET_ENDP
19043 #undef v
19044
19045 #define v %esi
19046 @@ -55,6 +59,10 @@ BEGIN(set)
19047 movl %ebx, (v)
19048 movl %ecx, 4(v)
19049 RET_ENDP
19050 +BEGIN(set_unchecked)
19051 + movl %ebx, (v)
19052 + movl %ecx, 4(v)
19053 +RET_ENDP
19054 #undef v
19055
19056 #define v %esi
19057 @@ -70,6 +78,20 @@ RET_ENDP
19058 BEGIN(add)
19059 addl %eax, (v)
19060 adcl %edx, 4(v)
19061 +
19062 +#ifdef CONFIG_PAX_REFCOUNT
19063 + jno 0f
19064 + subl %eax, (v)
19065 + sbbl %edx, 4(v)
19066 + int $4
19067 +0:
19068 + _ASM_EXTABLE(0b, 0b)
19069 +#endif
19070 +
19071 +RET_ENDP
19072 +BEGIN(add_unchecked)
19073 + addl %eax, (v)
19074 + adcl %edx, 4(v)
19075 RET_ENDP
19076 #undef v
19077
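Review bot: The CONFIG_PAX_REFCOUNT block added to `add` has no comment, and `_ASM_EXTABLE(0b, 0b)` with the same label as both fault and fixup address is not self-explanatory. My reading is that a signed overflow is undone and then reported through `int $4`, with the table entry letting the handler resume at `0:`; this should be confirmed against the overflow handler, which is outside this hunk. A comment such as `/* signed overflow: undo the update, raise #OF, resume at 0: */` would record that. The `sub`, `inc` and `dec` hunks below repeat the sequence, and the `*_return` hunks use the `into` / `_ASM_EXTABLE(1234b, 2f)` form that skips the store instead; each would benefit from the same one-line explanation.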
19078 @@ -77,6 +99,24 @@ RET_ENDP
19079 BEGIN(add_return)
19080 addl (v), %eax
19081 adcl 4(v), %edx
19082 +
19083 +#ifdef CONFIG_PAX_REFCOUNT
19084 + into
19085 +1234:
19086 + _ASM_EXTABLE(1234b, 2f)
19087 +#endif
19088 +
19089 + movl %eax, (v)
19090 + movl %edx, 4(v)
19091 +
19092 +#ifdef CONFIG_PAX_REFCOUNT
19093 +2:
19094 +#endif
19095 +
19096 +RET_ENDP
19097 +BEGIN(add_return_unchecked)
19098 + addl (v), %eax
19099 + adcl 4(v), %edx
19100 movl %eax, (v)
19101 movl %edx, 4(v)
19102 RET_ENDP
19103 @@ -86,6 +126,20 @@ RET_ENDP
19104 BEGIN(sub)
19105 subl %eax, (v)
19106 sbbl %edx, 4(v)
19107 +
19108 +#ifdef CONFIG_PAX_REFCOUNT
19109 + jno 0f
19110 + addl %eax, (v)
19111 + adcl %edx, 4(v)
19112 + int $4
19113 +0:
19114 + _ASM_EXTABLE(0b, 0b)
19115 +#endif
19116 +
19117 +RET_ENDP
19118 +BEGIN(sub_unchecked)
19119 + subl %eax, (v)
19120 + sbbl %edx, 4(v)
19121 RET_ENDP
19122 #undef v
19123
19124 @@ -96,6 +150,27 @@ BEGIN(sub_return)
19125 sbbl $0, %edx
19126 addl (v), %eax
19127 adcl 4(v), %edx
19128 +
19129 +#ifdef CONFIG_PAX_REFCOUNT
19130 + into
19131 +1234:
19132 + _ASM_EXTABLE(1234b, 2f)
19133 +#endif
19134 +
19135 + movl %eax, (v)
19136 + movl %edx, 4(v)
19137 +
19138 +#ifdef CONFIG_PAX_REFCOUNT
19139 +2:
19140 +#endif
19141 +
19142 +RET_ENDP
19143 +BEGIN(sub_return_unchecked)
19144 + negl %edx
19145 + negl %eax
19146 + sbbl $0, %edx
19147 + addl (v), %eax
19148 + adcl 4(v), %edx
19149 movl %eax, (v)
19150 movl %edx, 4(v)
19151 RET_ENDP
19152 @@ -105,6 +180,20 @@ RET_ENDP
19153 BEGIN(inc)
19154 addl $1, (v)
19155 adcl $0, 4(v)
19156 +
19157 +#ifdef CONFIG_PAX_REFCOUNT
19158 + jno 0f
19159 + subl $1, (v)
19160 + sbbl $0, 4(v)
19161 + int $4
19162 +0:
19163 + _ASM_EXTABLE(0b, 0b)
19164 +#endif
19165 +
19166 +RET_ENDP
19167 +BEGIN(inc_unchecked)
19168 + addl $1, (v)
19169 + adcl $0, 4(v)
19170 RET_ENDP
19171 #undef v
19172
19173 @@ -114,6 +203,26 @@ BEGIN(inc_return)
19174 movl 4(v), %edx
19175 addl $1, %eax
19176 adcl $0, %edx
19177 +
19178 +#ifdef CONFIG_PAX_REFCOUNT
19179 + into
19180 +1234:
19181 + _ASM_EXTABLE(1234b, 2f)
19182 +#endif
19183 +
19184 + movl %eax, (v)
19185 + movl %edx, 4(v)
19186 +
19187 +#ifdef CONFIG_PAX_REFCOUNT
19188 +2:
19189 +#endif
19190 +
19191 +RET_ENDP
19192 +BEGIN(inc_return_unchecked)
19193 + movl (v), %eax
19194 + movl 4(v), %edx
19195 + addl $1, %eax
19196 + adcl $0, %edx
19197 movl %eax, (v)
19198 movl %edx, 4(v)
19199 RET_ENDP
19200 @@ -123,6 +232,20 @@ RET_ENDP
19201 BEGIN(dec)
19202 subl $1, (v)
19203 sbbl $0, 4(v)
19204 +
19205 +#ifdef CONFIG_PAX_REFCOUNT
19206 + jno 0f
19207 + addl $1, (v)
19208 + adcl $0, 4(v)
19209 + int $4
19210 +0:
19211 + _ASM_EXTABLE(0b, 0b)
19212 +#endif
19213 +
19214 +RET_ENDP
19215 +BEGIN(dec_unchecked)
19216 + subl $1, (v)
19217 + sbbl $0, 4(v)
19218 RET_ENDP
19219 #undef v
19220
19221 @@ -132,6 +255,26 @@ BEGIN(dec_return)
19222 movl 4(v), %edx
19223 subl $1, %eax
19224 sbbl $0, %edx
19225 +
19226 +#ifdef CONFIG_PAX_REFCOUNT
19227 + into
19228 +1234:
19229 + _ASM_EXTABLE(1234b, 2f)
19230 +#endif
19231 +
19232 + movl %eax, (v)
19233 + movl %edx, 4(v)
19234 +
19235 +#ifdef CONFIG_PAX_REFCOUNT
19236 +2:
19237 +#endif
19238 +
19239 +RET_ENDP
19240 +BEGIN(dec_return_unchecked)
19241 + movl (v), %eax
19242 + movl 4(v), %edx
19243 + subl $1, %eax
19244 + sbbl $0, %edx
19245 movl %eax, (v)
19246 movl %edx, 4(v)
19247 RET_ENDP
19248 @@ -143,6 +286,13 @@ BEGIN(add_unless)
19249 adcl %edx, %edi
19250 addl (v), %eax
19251 adcl 4(v), %edx
19252 +
19253 +#ifdef CONFIG_PAX_REFCOUNT
19254 + into
19255 +1234:
19256 + _ASM_EXTABLE(1234b, 2f)
19257 +#endif
19258 +
19259 cmpl %eax, %esi
19260 je 3f
19261 1:
19262 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
19263 1:
19264 addl $1, %eax
19265 adcl $0, %edx
19266 +
19267 +#ifdef CONFIG_PAX_REFCOUNT
19268 + into
19269 +1234:
19270 + _ASM_EXTABLE(1234b, 2f)
19271 +#endif
19272 +
19273 movl %eax, (v)
19274 movl %edx, 4(v)
19275 movl $1, %eax
19276 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
19277 movl 4(v), %edx
19278 subl $1, %eax
19279 sbbl $0, %edx
19280 +
19281 +#ifdef CONFIG_PAX_REFCOUNT
19282 + into
19283 +1234:
19284 + _ASM_EXTABLE(1234b, 1f)
19285 +#endif
19286 +
19287 js 1f
19288 movl %eax, (v)
19289 movl %edx, 4(v)
19290 diff -urNp linux-2.6.39.2/arch/x86/lib/atomic64_cx8_32.S linux-2.6.39.2/arch/x86/lib/atomic64_cx8_32.S
19291 --- linux-2.6.39.2/arch/x86/lib/atomic64_cx8_32.S 2011-05-19 00:06:34.000000000 -0400
19292 +++ linux-2.6.39.2/arch/x86/lib/atomic64_cx8_32.S 2011-05-22 19:36:30.000000000 -0400
19293 @@ -39,6 +39,14 @@ ENTRY(atomic64_read_cx8)
19294 CFI_ENDPROC
19295 ENDPROC(atomic64_read_cx8)
19296
19297 +ENTRY(atomic64_read_unchecked_cx8)
19298 + CFI_STARTPROC
19299 +
19300 + read64 %ecx
19301 + ret
19302 + CFI_ENDPROC
19303 +ENDPROC(atomic64_read_unchecked_cx8)
19304 +
19305 ENTRY(atomic64_set_cx8)
19306 CFI_STARTPROC
19307
19308 @@ -52,6 +60,19 @@ ENTRY(atomic64_set_cx8)
19309 CFI_ENDPROC
19310 ENDPROC(atomic64_set_cx8)
19311
19312 +ENTRY(atomic64_set_unchecked_cx8)
19313 + CFI_STARTPROC
19314 +
19315 +1:
19316 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
19317 + * are atomic on 586 and newer */
19318 + cmpxchg8b (%esi)
19319 + jne 1b
19320 +
19321 + ret
19322 + CFI_ENDPROC
19323 +ENDPROC(atomic64_set_unchecked_cx8)
19324 +
19325 ENTRY(atomic64_xchg_cx8)
19326 CFI_STARTPROC
19327
19328 @@ -66,8 +87,8 @@ ENTRY(atomic64_xchg_cx8)
19329 CFI_ENDPROC
19330 ENDPROC(atomic64_xchg_cx8)
19331
19332 -.macro addsub_return func ins insc
19333 -ENTRY(atomic64_\func\()_return_cx8)
19334 +.macro addsub_return func ins insc unchecked=""
19335 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19336 CFI_STARTPROC
19337 SAVE ebp
19338 SAVE ebx
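Review bot: `addsub_return` declares its new optional parameter as `unchecked=""`, while `incdec_return` in the next hunk declares it as a bare `unchecked`, and both are invoked with and without the fourth argument. As far as I know both forms leave `\unchecked` blank for `.ifb` when the argument is omitted, so this is a consistency point rather than a bug. Using one spelling in both macros, for example `.macro incdec_return func ins insc unchecked=""`, would make it clear that the two are meant to behave alike. The macro body continues outside this hunk.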
19339 @@ -84,27 +105,43 @@ ENTRY(atomic64_\func\()_return_cx8)
19340 movl %edx, %ecx
19341 \ins\()l %esi, %ebx
19342 \insc\()l %edi, %ecx
19343 +
19344 +.ifb \unchecked
19345 +#ifdef CONFIG_PAX_REFCOUNT
19346 + into
19347 +2:
19348 + _ASM_EXTABLE(2b, 3f)
19349 +#endif
19350 +.endif
19351 +
19352 LOCK_PREFIX
19353 cmpxchg8b (%ebp)
19354 jne 1b
19355 -
19356 -10:
19357 movl %ebx, %eax
19358 movl %ecx, %edx
19359 +
19360 +.ifb \unchecked
19361 +#ifdef CONFIG_PAX_REFCOUNT
19362 +3:
19363 +#endif
19364 +.endif
19365 +
19366 RESTORE edi
19367 RESTORE esi
19368 RESTORE ebx
19369 RESTORE ebp
19370 ret
19371 CFI_ENDPROC
19372 -ENDPROC(atomic64_\func\()_return_cx8)
19373 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19374 .endm
19375
19376 addsub_return add add adc
19377 addsub_return sub sub sbb
19378 +addsub_return add add adc _unchecked
19379 +addsub_return sub sub sbb _unchecked
19380
19381 -.macro incdec_return func ins insc
19382 -ENTRY(atomic64_\func\()_return_cx8)
19383 +.macro incdec_return func ins insc unchecked
19384 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19385 CFI_STARTPROC
19386 SAVE ebx
19387
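Review bot: On overflow the checked `addsub_return` expansion resumes at label `3:`, which sits after `movl %ebx, %eax` / `movl %ecx, %edx`, so the result registers are not loaded with the computed value on that path. The checked `add_return` in atomic64_386_32.S skips only the store and leaves the sum in %eax:%edx. If a caller can still observe the return value after the overflow trap has been handled, the two back ends would disagree. A comment at `3:` stating what is returned, e.g. `/* overflow: counter untouched, result registers not updated */`, would settle the contract. `incdec_return` in the following hunk has the same layout, and the macro body starts outside this hunk.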
19388 @@ -114,21 +151,38 @@ ENTRY(atomic64_\func\()_return_cx8)
19389 movl %edx, %ecx
19390 \ins\()l $1, %ebx
19391 \insc\()l $0, %ecx
19392 +
19393 +.ifb \unchecked
19394 +#ifdef CONFIG_PAX_REFCOUNT
19395 + into
19396 +2:
19397 + _ASM_EXTABLE(2b, 3f)
19398 +#endif
19399 +.endif
19400 +
19401 LOCK_PREFIX
19402 cmpxchg8b (%esi)
19403 jne 1b
19404
19405 -10:
19406 movl %ebx, %eax
19407 movl %ecx, %edx
19408 +
19409 +.ifb \unchecked
19410 +#ifdef CONFIG_PAX_REFCOUNT
19411 +3:
19412 +#endif
19413 +.endif
19414 +
19415 RESTORE ebx
19416 ret
19417 CFI_ENDPROC
19418 -ENDPROC(atomic64_\func\()_return_cx8)
19419 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19420 .endm
19421
19422 incdec_return inc add adc
19423 incdec_return dec sub sbb
19424 +incdec_return inc add adc _unchecked
19425 +incdec_return dec sub sbb _unchecked
19426
19427 ENTRY(atomic64_dec_if_positive_cx8)
19428 CFI_STARTPROC
19429 @@ -140,6 +194,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
19430 movl %edx, %ecx
19431 subl $1, %ebx
19432 sbb $0, %ecx
19433 +
19434 +#ifdef CONFIG_PAX_REFCOUNT
19435 + into
19436 +1234:
19437 + _ASM_EXTABLE(1234b, 2f)
19438 +#endif
19439 +
19440 js 2f
19441 LOCK_PREFIX
19442 cmpxchg8b (%esi)
19443 @@ -174,6 +235,13 @@ ENTRY(atomic64_add_unless_cx8)
19444 movl %edx, %ecx
19445 addl %esi, %ebx
19446 adcl %edi, %ecx
19447 +
19448 +#ifdef CONFIG_PAX_REFCOUNT
19449 + into
19450 +1234:
19451 + _ASM_EXTABLE(1234b, 3f)
19452 +#endif
19453 +
19454 LOCK_PREFIX
19455 cmpxchg8b (%ebp)
19456 jne 1b
19457 @@ -206,6 +274,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
19458 movl %edx, %ecx
19459 addl $1, %ebx
19460 adcl $0, %ecx
19461 +
19462 +#ifdef CONFIG_PAX_REFCOUNT
19463 + into
19464 +1234:
19465 + _ASM_EXTABLE(1234b, 3f)
19466 +#endif
19467 +
19468 LOCK_PREFIX
19469 cmpxchg8b (%esi)
19470 jne 1b
19471 diff -urNp linux-2.6.39.2/arch/x86/lib/checksum_32.S linux-2.6.39.2/arch/x86/lib/checksum_32.S
19472 --- linux-2.6.39.2/arch/x86/lib/checksum_32.S 2011-05-19 00:06:34.000000000 -0400
19473 +++ linux-2.6.39.2/arch/x86/lib/checksum_32.S 2011-05-22 19:36:30.000000000 -0400
19474 @@ -28,7 +28,8 @@
19475 #include <linux/linkage.h>
19476 #include <asm/dwarf2.h>
19477 #include <asm/errno.h>
19478 -
19479 +#include <asm/segment.h>
19480 +
19481 /*
19482 * computes a partial checksum, e.g. for TCP/UDP fragments
19483 */
19484 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
19485
19486 #define ARGBASE 16
19487 #define FP 12
19488 -
19489 -ENTRY(csum_partial_copy_generic)
19490 +
19491 +ENTRY(csum_partial_copy_generic_to_user)
19492 CFI_STARTPROC
19493 +
19494 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19495 + pushl_cfi %gs
19496 + popl_cfi %es
19497 + jmp csum_partial_copy_generic
19498 +#endif
19499 +
19500 +ENTRY(csum_partial_copy_generic_from_user)
19501 +
19502 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19503 + pushl_cfi %gs
19504 + popl_cfi %ds
19505 +#endif
19506 +
19507 +ENTRY(csum_partial_copy_generic)
19508 subl $4,%esp
19509 CFI_ADJUST_CFA_OFFSET 4
19510 pushl_cfi %edi
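Review bot: Three entry points now fall through into one body, but only `csum_partial_copy_generic_to_user` is closed with ENDPROC (in the later `@@ -424,26 +444,43 @@` hunk). `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` therefore get no closing annotation that I can see, which affects symbol size and type information. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing one would fix that, if the linkage macros allow nested ranges. The fall-through itself also deserves a comment, e.g. `/* to_user: %es = user segment; from_user: %ds = user segment; plain entry: both untouched */`. The PentiumII/PPro variant further down has the same structure.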
19511 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
19512 jmp 4f
19513 SRC(1: movw (%esi), %bx )
19514 addl $2, %esi
19515 -DST( movw %bx, (%edi) )
19516 +DST( movw %bx, %es:(%edi) )
19517 addl $2, %edi
19518 addw %bx, %ax
19519 adcl $0, %eax
19520 @@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
19521 SRC(1: movl (%esi), %ebx )
19522 SRC( movl 4(%esi), %edx )
19523 adcl %ebx, %eax
19524 -DST( movl %ebx, (%edi) )
19525 +DST( movl %ebx, %es:(%edi) )
19526 adcl %edx, %eax
19527 -DST( movl %edx, 4(%edi) )
19528 +DST( movl %edx, %es:4(%edi) )
19529
19530 SRC( movl 8(%esi), %ebx )
19531 SRC( movl 12(%esi), %edx )
19532 adcl %ebx, %eax
19533 -DST( movl %ebx, 8(%edi) )
19534 +DST( movl %ebx, %es:8(%edi) )
19535 adcl %edx, %eax
19536 -DST( movl %edx, 12(%edi) )
19537 +DST( movl %edx, %es:12(%edi) )
19538
19539 SRC( movl 16(%esi), %ebx )
19540 SRC( movl 20(%esi), %edx )
19541 adcl %ebx, %eax
19542 -DST( movl %ebx, 16(%edi) )
19543 +DST( movl %ebx, %es:16(%edi) )
19544 adcl %edx, %eax
19545 -DST( movl %edx, 20(%edi) )
19546 +DST( movl %edx, %es:20(%edi) )
19547
19548 SRC( movl 24(%esi), %ebx )
19549 SRC( movl 28(%esi), %edx )
19550 adcl %ebx, %eax
19551 -DST( movl %ebx, 24(%edi) )
19552 +DST( movl %ebx, %es:24(%edi) )
19553 adcl %edx, %eax
19554 -DST( movl %edx, 28(%edi) )
19555 +DST( movl %edx, %es:28(%edi) )
19556
19557 lea 32(%esi), %esi
19558 lea 32(%edi), %edi
19559 @@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
19560 shrl $2, %edx # This clears CF
19561 SRC(3: movl (%esi), %ebx )
19562 adcl %ebx, %eax
19563 -DST( movl %ebx, (%edi) )
19564 +DST( movl %ebx, %es:(%edi) )
19565 lea 4(%esi), %esi
19566 lea 4(%edi), %edi
19567 dec %edx
19568 @@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
19569 jb 5f
19570 SRC( movw (%esi), %cx )
19571 leal 2(%esi), %esi
19572 -DST( movw %cx, (%edi) )
19573 +DST( movw %cx, %es:(%edi) )
19574 leal 2(%edi), %edi
19575 je 6f
19576 shll $16,%ecx
19577 SRC(5: movb (%esi), %cl )
19578 -DST( movb %cl, (%edi) )
19579 +DST( movb %cl, %es:(%edi) )
19580 6: addl %ecx, %eax
19581 adcl $0, %eax
19582 7:
19583 @@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
19584
19585 6001:
19586 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19587 - movl $-EFAULT, (%ebx)
19588 + movl $-EFAULT, %ss:(%ebx)
19589
19590 # zero the complete destination - computing the rest
19591 # is too much work
19592 @@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
19593
19594 6002:
19595 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19596 - movl $-EFAULT,(%ebx)
19597 + movl $-EFAULT,%ss:(%ebx)
19598 jmp 5000b
19599
19600 .previous
19601
19602 + pushl_cfi %ss
19603 + popl_cfi %ds
19604 + pushl_cfi %ss
19605 + popl_cfi %es
19606 popl_cfi %ebx
19607 CFI_RESTORE ebx
19608 popl_cfi %esi
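Review bot: The `pushl_cfi %ss` / `popl_cfi %ds` / `pushl_cfi %ss` / `popl_cfi %es` sequence added before the register pops is unconditional here. The matching restore in the PentiumII/PPro variant further down is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The entry points only load %ds or %es from %gs under that option, so without it this variant reloads both segment registers from %ss for no visible reason. Guarding it the same way, with `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl_cfi %ss` and `#endif` after `popl_cfi %es`, would make the two variants agree. The function body starts outside this hunk.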
19609 @@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
19610 popl_cfi %ecx # equivalent to addl $4,%esp
19611 ret
19612 CFI_ENDPROC
19613 -ENDPROC(csum_partial_copy_generic)
19614 +ENDPROC(csum_partial_copy_generic_to_user)
19615
19616 #else
19617
19618 /* Version for PentiumII/PPro */
19619
19620 #define ROUND1(x) \
19621 + nop; nop; nop; \
19622 SRC(movl x(%esi), %ebx ) ; \
19623 addl %ebx, %eax ; \
19624 - DST(movl %ebx, x(%edi) ) ;
19625 + DST(movl %ebx, %es:x(%edi)) ;
19626
19627 #define ROUND(x) \
19628 + nop; nop; nop; \
19629 SRC(movl x(%esi), %ebx ) ; \
19630 adcl %ebx, %eax ; \
19631 - DST(movl %ebx, x(%edi) ) ;
19632 + DST(movl %ebx, %es:x(%edi)) ;
19633
19634 #define ARGBASE 12
19635 -
19636 -ENTRY(csum_partial_copy_generic)
19637 +
19638 +ENTRY(csum_partial_copy_generic_to_user)
19639 CFI_STARTPROC
19640 +
19641 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19642 + pushl_cfi %gs
19643 + popl_cfi %es
19644 + jmp csum_partial_copy_generic
19645 +#endif
19646 +
19647 +ENTRY(csum_partial_copy_generic_from_user)
19648 +
19649 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19650 + pushl_cfi %gs
19651 + popl_cfi %ds
19652 +#endif
19653 +
19654 +ENTRY(csum_partial_copy_generic)
19655 pushl_cfi %ebx
19656 CFI_REL_OFFSET ebx, 0
19657 pushl_cfi %edi
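Review bot: The three `nop`s added to ROUND1 and ROUND, together with the `lea 3f(%ebx,%ebx,2), %ebx` change in the next hunk, alter the per-ROUND size that the computed `jmp *%ebx` presumably depends on. Nothing in the hunk records that size assumption. The padding is also emitted whether or not CONFIG_PAX_MEMORY_UDEREF is set, because the `%es:` override on the DST store is unconditional. A comment above the macros stating the expected encoded size of one ROUND and that the `lea` scale must match it would make a later edit to either place much less likely to break the jump silently. The body of the routine continues outside this hunk.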
19658 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
19659 subl %ebx, %edi
19660 lea -1(%esi),%edx
19661 andl $-32,%edx
19662 - lea 3f(%ebx,%ebx), %ebx
19663 + lea 3f(%ebx,%ebx,2), %ebx
19664 testl %esi, %esi
19665 jmp *%ebx
19666 1: addl $64,%esi
19667 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
19668 jb 5f
19669 SRC( movw (%esi), %dx )
19670 leal 2(%esi), %esi
19671 -DST( movw %dx, (%edi) )
19672 +DST( movw %dx, %es:(%edi) )
19673 leal 2(%edi), %edi
19674 je 6f
19675 shll $16,%edx
19676 5:
19677 SRC( movb (%esi), %dl )
19678 -DST( movb %dl, (%edi) )
19679 +DST( movb %dl, %es:(%edi) )
19680 6: addl %edx, %eax
19681 adcl $0, %eax
19682 7:
19683 .section .fixup, "ax"
19684 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19685 - movl $-EFAULT, (%ebx)
19686 + movl $-EFAULT, %ss:(%ebx)
19687 # zero the complete destination (computing the rest is too much work)
19688 movl ARGBASE+8(%esp),%edi # dst
19689 movl ARGBASE+12(%esp),%ecx # len
19690 @@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
19691 rep; stosb
19692 jmp 7b
19693 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19694 - movl $-EFAULT, (%ebx)
19695 + movl $-EFAULT, %ss:(%ebx)
19696 jmp 7b
19697 .previous
19698
19699 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19700 + pushl_cfi %ss
19701 + popl_cfi %ds
19702 + pushl_cfi %ss
19703 + popl_cfi %es
19704 +#endif
19705 +
19706 popl_cfi %esi
19707 CFI_RESTORE esi
19708 popl_cfi %edi
19709 @@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
19710 CFI_RESTORE ebx
19711 ret
19712 CFI_ENDPROC
19713 -ENDPROC(csum_partial_copy_generic)
19714 +ENDPROC(csum_partial_copy_generic_to_user)
19715
19716 #undef ROUND
19717 #undef ROUND1
19718 diff -urNp linux-2.6.39.2/arch/x86/lib/clear_page_64.S linux-2.6.39.2/arch/x86/lib/clear_page_64.S
19719 --- linux-2.6.39.2/arch/x86/lib/clear_page_64.S 2011-05-19 00:06:34.000000000 -0400
19720 +++ linux-2.6.39.2/arch/x86/lib/clear_page_64.S 2011-05-22 19:36:30.000000000 -0400
19721 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19722
19723 #include <asm/cpufeature.h>
19724
19725 - .section .altinstr_replacement,"ax"
19726 + .section .altinstr_replacement,"a"
19727 1: .byte 0xeb /* jmp <disp8> */
19728 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19729 2:
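Review bot: The flags of `.altinstr_replacement` change from `"ax"` to `"a"` with no comment on why the replacement bytes no longer need to be executable. If the intent is that these bytes are only ever copied over the original instruction and never run in place, a short comment next to the directive would keep someone from restoring the `x` flag later, e.g. `/* replacement is copied over the original, never executed in place */`. The same change is made in copy_page_64.S and in the ALTERNATIVE_JUMP macro of copy_user_64.S, so the comment belongs there too.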
19730 diff -urNp linux-2.6.39.2/arch/x86/lib/copy_page_64.S linux-2.6.39.2/arch/x86/lib/copy_page_64.S
19731 --- linux-2.6.39.2/arch/x86/lib/copy_page_64.S 2011-05-19 00:06:34.000000000 -0400
19732 +++ linux-2.6.39.2/arch/x86/lib/copy_page_64.S 2011-05-22 19:36:30.000000000 -0400
19733 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19734
19735 #include <asm/cpufeature.h>
19736
19737 - .section .altinstr_replacement,"ax"
19738 + .section .altinstr_replacement,"a"
19739 1: .byte 0xeb /* jmp <disp8> */
19740 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19741 2:
19742 diff -urNp linux-2.6.39.2/arch/x86/lib/copy_user_64.S linux-2.6.39.2/arch/x86/lib/copy_user_64.S
19743 --- linux-2.6.39.2/arch/x86/lib/copy_user_64.S 2011-06-03 00:04:13.000000000 -0400
19744 +++ linux-2.6.39.2/arch/x86/lib/copy_user_64.S 2011-06-03 00:32:05.000000000 -0400
19745 @@ -15,13 +15,14 @@
19746 #include <asm/asm-offsets.h>
19747 #include <asm/thread_info.h>
19748 #include <asm/cpufeature.h>
19749 +#include <asm/pgtable.h>
19750
19751 .macro ALTERNATIVE_JUMP feature,orig,alt
19752 0:
19753 .byte 0xe9 /* 32bit jump */
19754 .long \orig-1f /* by default jump to orig */
19755 1:
19756 - .section .altinstr_replacement,"ax"
19757 + .section .altinstr_replacement,"a"
19758 2: .byte 0xe9 /* near jump with 32bit immediate */
19759 .long \alt-1b /* offset */ /* or alternatively to alt */
19760 .previous
19761 @@ -64,37 +65,13 @@
19762 #endif
19763 .endm
19764
19765 -/* Standard copy_to_user with segment limit checking */
19766 -ENTRY(_copy_to_user)
19767 - CFI_STARTPROC
19768 - GET_THREAD_INFO(%rax)
19769 - movq %rdi,%rcx
19770 - addq %rdx,%rcx
19771 - jc bad_to_user
19772 - cmpq TI_addr_limit(%rax),%rcx
19773 - ja bad_to_user
19774 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19775 - CFI_ENDPROC
19776 -ENDPROC(_copy_to_user)
19777 -
19778 -/* Standard copy_from_user with segment limit checking */
19779 -ENTRY(_copy_from_user)
19780 - CFI_STARTPROC
19781 - GET_THREAD_INFO(%rax)
19782 - movq %rsi,%rcx
19783 - addq %rdx,%rcx
19784 - jc bad_from_user
19785 - cmpq TI_addr_limit(%rax),%rcx
19786 - ja bad_from_user
19787 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19788 - CFI_ENDPROC
19789 -ENDPROC(_copy_from_user)
19790 -
19791 .section .fixup,"ax"
19792 /* must zero dest */
19793 ENTRY(bad_from_user)
19794 bad_from_user:
19795 CFI_STARTPROC
19796 + testl %edx,%edx
19797 + js bad_to_user
19798 movl %edx,%ecx
19799 xorl %eax,%eax
19800 rep
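Review bot: The `testl %edx,%edx` / `js bad_to_user` guard added to bad_from_user carries no comment. It is not obvious from the hunk why a count with the top bit set should skip the zeroing that the `/* must zero dest */` path otherwise performs. A line such as `/* count has the sign bit set: do not zero, just return it */` would record the intent, if that reading is right. The same hunk deletes the `_copy_to_user` and `_copy_from_user` entry points together with their TI_addr_limit range checks, and the replacements are not in this file section. It is worth confirming that every remaining path into copy_user_generic_* still performs an equivalent check; bad_from_user itself continues outside the hunk.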
19801 diff -urNp linux-2.6.39.2/arch/x86/lib/copy_user_nocache_64.S linux-2.6.39.2/arch/x86/lib/copy_user_nocache_64.S
19802 --- linux-2.6.39.2/arch/x86/lib/copy_user_nocache_64.S 2011-05-19 00:06:34.000000000 -0400
19803 +++ linux-2.6.39.2/arch/x86/lib/copy_user_nocache_64.S 2011-05-22 19:36:30.000000000 -0400
19804 @@ -14,6 +14,7 @@
19805 #include <asm/current.h>
19806 #include <asm/asm-offsets.h>
19807 #include <asm/thread_info.h>
19808 +#include <asm/pgtable.h>
19809
19810 .macro ALIGN_DESTINATION
19811 #ifdef FIX_ALIGNMENT
19812 @@ -50,6 +51,15 @@
19813 */
19814 ENTRY(__copy_user_nocache)
19815 CFI_STARTPROC
19816 +
19817 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19818 + mov $PAX_USER_SHADOW_BASE,%rcx
19819 + cmp %rcx,%rsi
19820 + jae 1f
19821 + add %rcx,%rsi
19822 +1:
19823 +#endif
19824 +
19825 cmpl $8,%edx
19826 jb 20f /* less then 8 bytes, go to byte copy loop */
19827 ALIGN_DESTINATION
19828 diff -urNp linux-2.6.39.2/arch/x86/lib/csum-wrappers_64.c linux-2.6.39.2/arch/x86/lib/csum-wrappers_64.c
19829 --- linux-2.6.39.2/arch/x86/lib/csum-wrappers_64.c 2011-05-19 00:06:34.000000000 -0400
19830 +++ linux-2.6.39.2/arch/x86/lib/csum-wrappers_64.c 2011-05-22 19:36:30.000000000 -0400
19831 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19832 len -= 2;
19833 }
19834 }
19835 +
19836 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19837 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19838 + src += PAX_USER_SHADOW_BASE;
19839 +#endif
19840 +
19841 isum = csum_partial_copy_generic((__force const void *)src,
19842 dst, len, isum, errp, NULL);
19843 if (unlikely(*errp))
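Review bot: The rebase added before csum_partial_copy_generic adjusts `src` only when it is below PAX_USER_SHADOW_BASE and passes any larger value through unchanged. It therefore relies on the range having been validated earlier in csum_partial_copy_from_user, which starts outside this hunk. A comment such as `/* src was range-checked above; map it into the UDEREF shadow area */` would make that dependency explicit, with the wording to be confirmed against the check actually performed. The csum_partial_copy_to_user hunk below open-codes the same test for `dst`, and a small shared helper would keep the two in step.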
19844 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19845 }
19846
19847 *errp = 0;
19848 +
19849 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19850 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19851 + dst += PAX_USER_SHADOW_BASE;
19852 +#endif
19853 +
19854 return csum_partial_copy_generic(src, (void __force *)dst,
19855 len, isum, NULL, errp);
19856 }
19857 diff -urNp linux-2.6.39.2/arch/x86/lib/getuser.S linux-2.6.39.2/arch/x86/lib/getuser.S
19858 --- linux-2.6.39.2/arch/x86/lib/getuser.S 2011-05-19 00:06:34.000000000 -0400
19859 +++ linux-2.6.39.2/arch/x86/lib/getuser.S 2011-05-22 19:36:30.000000000 -0400
19860 @@ -33,14 +33,35 @@
19861 #include <asm/asm-offsets.h>
19862 #include <asm/thread_info.h>
19863 #include <asm/asm.h>
19864 +#include <asm/segment.h>
19865 +#include <asm/pgtable.h>
19866 +
19867 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19868 +#define __copyuser_seg gs;
19869 +#else
19870 +#define __copyuser_seg
19871 +#endif
19872
19873 .text
19874 ENTRY(__get_user_1)
19875 CFI_STARTPROC
19876 +
19877 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19878 GET_THREAD_INFO(%_ASM_DX)
19879 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19880 jae bad_get_user
19881 -1: movzb (%_ASM_AX),%edx
19882 +
19883 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19884 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19885 + cmp %_ASM_DX,%_ASM_AX
19886 + jae 1234f
19887 + add %_ASM_DX,%_ASM_AX
19888 +1234:
19889 +#endif
19890 +
19891 +#endif
19892 +
19893 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19894 xor %eax,%eax
19895 ret
19896 CFI_ENDPROC
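Review bot: The five-line PAX_USER_SHADOW_BASE rebase (`mov` / `cmp` / `jae 1234f` / `add` / `1234:`) is pasted into __get_user_1 here and again into __get_user_2, __get_user_4 and __get_user_8 in the following hunks. Each copy sits inside nested `#if` blocks whose two bare `#endif` lines do not say which condition they close. Defining the sequence once as an assembler macro that expands to nothing when the option is off would remove the inner `#if` from every accessor and leave a single place to audit. The macro name below is only a suggestion. __get_user_1's ENDPROC lies outside this hunk.

```asm
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
/* map a userland address in %_ASM_AX into the UDEREF shadow area */
.macro uderef_rebase_ax
	mov $PAX_USER_SHADOW_BASE,%_ASM_DX
	cmp %_ASM_DX,%_ASM_AX
	jae 1234f
	add %_ASM_DX,%_ASM_AX
1234:
.endm
#else
.macro uderef_rebase_ax
.endm
#endif

/* … unchanged: addr_limit check in __get_user_1 … */
	uderef_rebase_ax
1:	__copyuser_seg movzb (%_ASM_AX),%edx
```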
19897 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19898 ENTRY(__get_user_2)
19899 CFI_STARTPROC
19900 add $1,%_ASM_AX
19901 +
19902 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19903 jc bad_get_user
19904 GET_THREAD_INFO(%_ASM_DX)
19905 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19906 jae bad_get_user
19907 -2: movzwl -1(%_ASM_AX),%edx
19908 +
19909 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19910 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19911 + cmp %_ASM_DX,%_ASM_AX
19912 + jae 1234f
19913 + add %_ASM_DX,%_ASM_AX
19914 +1234:
19915 +#endif
19916 +
19917 +#endif
19918 +
19919 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19920 xor %eax,%eax
19921 ret
19922 CFI_ENDPROC
19923 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19924 ENTRY(__get_user_4)
19925 CFI_STARTPROC
19926 add $3,%_ASM_AX
19927 +
19928 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19929 jc bad_get_user
19930 GET_THREAD_INFO(%_ASM_DX)
19931 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19932 jae bad_get_user
19933 -3: mov -3(%_ASM_AX),%edx
19934 +
19935 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19936 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19937 + cmp %_ASM_DX,%_ASM_AX
19938 + jae 1234f
19939 + add %_ASM_DX,%_ASM_AX
19940 +1234:
19941 +#endif
19942 +
19943 +#endif
19944 +
19945 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
19946 xor %eax,%eax
19947 ret
19948 CFI_ENDPROC
19949 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
19950 GET_THREAD_INFO(%_ASM_DX)
19951 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19952 jae bad_get_user
19953 +
19954 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19955 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19956 + cmp %_ASM_DX,%_ASM_AX
19957 + jae 1234f
19958 + add %_ASM_DX,%_ASM_AX
19959 +1234:
19960 +#endif
19961 +
19962 4: movq -7(%_ASM_AX),%_ASM_DX
19963 xor %eax,%eax
19964 ret
19965 diff -urNp linux-2.6.39.2/arch/x86/lib/insn.c linux-2.6.39.2/arch/x86/lib/insn.c
19966 --- linux-2.6.39.2/arch/x86/lib/insn.c 2011-05-19 00:06:34.000000000 -0400
19967 +++ linux-2.6.39.2/arch/x86/lib/insn.c 2011-05-22 19:36:30.000000000 -0400
19968 @@ -21,6 +21,11 @@
19969 #include <linux/string.h>
19970 #include <asm/inat.h>
19971 #include <asm/insn.h>
19972 +#ifdef __KERNEL__
19973 +#include <asm/pgtable_types.h>
19974 +#else
19975 +#define ktla_ktva(addr) addr
19976 +#endif
19977
19978 #define get_next(t, insn) \
19979 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
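Review bot: The fallback `#define ktla_ktva(addr) addr` expands its argument without parentheses, so an expression argument could bind differently here than with the kernel definition. `#define ktla_ktva(addr) (addr)` is the safer form. The `#ifdef __KERNEL__` split also deserves a one-line comment saying that the file is built outside the kernel as well, which is what the `#else` branch implies, e.g. `/* userspace build: no kernel text remapping, identity mapping */`.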
19980 @@ -40,8 +45,8 @@
19981 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
19982 {
19983 memset(insn, 0, sizeof(*insn));
19984 - insn->kaddr = kaddr;
19985 - insn->next_byte = kaddr;
19986 + insn->kaddr = ktla_ktva(kaddr);
19987 + insn->next_byte = ktla_ktva(kaddr);
19988 insn->x86_64 = x86_64 ? 1 : 0;
19989 insn->opnd_bytes = 4;
19990 if (x86_64)
19991 diff -urNp linux-2.6.39.2/arch/x86/lib/mmx_32.c linux-2.6.39.2/arch/x86/lib/mmx_32.c
19992 --- linux-2.6.39.2/arch/x86/lib/mmx_32.c 2011-05-19 00:06:34.000000000 -0400
19993 +++ linux-2.6.39.2/arch/x86/lib/mmx_32.c 2011-05-22 19:36:30.000000000 -0400
19994 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
19995 {
19996 void *p;
19997 int i;
19998 + unsigned long cr0;
19999
20000 if (unlikely(in_interrupt()))
20001 return __memcpy(to, from, len);
20002 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
20003 kernel_fpu_begin();
20004
20005 __asm__ __volatile__ (
20006 - "1: prefetch (%0)\n" /* This set is 28 bytes */
20007 - " prefetch 64(%0)\n"
20008 - " prefetch 128(%0)\n"
20009 - " prefetch 192(%0)\n"
20010 - " prefetch 256(%0)\n"
20011 + "1: prefetch (%1)\n" /* This set is 28 bytes */
20012 + " prefetch 64(%1)\n"
20013 + " prefetch 128(%1)\n"
20014 + " prefetch 192(%1)\n"
20015 + " prefetch 256(%1)\n"
20016 "2: \n"
20017 ".section .fixup, \"ax\"\n"
20018 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20019 + "3: \n"
20020 +
20021 +#ifdef CONFIG_PAX_KERNEXEC
20022 + " movl %%cr0, %0\n"
20023 + " movl %0, %%eax\n"
20024 + " andl $0xFFFEFFFF, %%eax\n"
20025 + " movl %%eax, %%cr0\n"
20026 +#endif
20027 +
20028 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20029 +
20030 +#ifdef CONFIG_PAX_KERNEXEC
20031 + " movl %0, %%cr0\n"
20032 +#endif
20033 +
20034 " jmp 2b\n"
20035 ".previous\n"
20036 _ASM_EXTABLE(1b, 3b)
20037 - : : "r" (from));
20038 + : "=&r" (cr0) : "r" (from) : "ax");
20039
20040 for ( ; i > 5; i--) {
20041 __asm__ __volatile__ (
20042 - "1: prefetch 320(%0)\n"
20043 - "2: movq (%0), %%mm0\n"
20044 - " movq 8(%0), %%mm1\n"
20045 - " movq 16(%0), %%mm2\n"
20046 - " movq 24(%0), %%mm3\n"
20047 - " movq %%mm0, (%1)\n"
20048 - " movq %%mm1, 8(%1)\n"
20049 - " movq %%mm2, 16(%1)\n"
20050 - " movq %%mm3, 24(%1)\n"
20051 - " movq 32(%0), %%mm0\n"
20052 - " movq 40(%0), %%mm1\n"
20053 - " movq 48(%0), %%mm2\n"
20054 - " movq 56(%0), %%mm3\n"
20055 - " movq %%mm0, 32(%1)\n"
20056 - " movq %%mm1, 40(%1)\n"
20057 - " movq %%mm2, 48(%1)\n"
20058 - " movq %%mm3, 56(%1)\n"
20059 + "1: prefetch 320(%1)\n"
20060 + "2: movq (%1), %%mm0\n"
20061 + " movq 8(%1), %%mm1\n"
20062 + " movq 16(%1), %%mm2\n"
20063 + " movq 24(%1), %%mm3\n"
20064 + " movq %%mm0, (%2)\n"
20065 + " movq %%mm1, 8(%2)\n"
20066 + " movq %%mm2, 16(%2)\n"
20067 + " movq %%mm3, 24(%2)\n"
20068 + " movq 32(%1), %%mm0\n"
20069 + " movq 40(%1), %%mm1\n"
20070 + " movq 48(%1), %%mm2\n"
20071 + " movq 56(%1), %%mm3\n"
20072 + " movq %%mm0, 32(%2)\n"
20073 + " movq %%mm1, 40(%2)\n"
20074 + " movq %%mm2, 48(%2)\n"
20075 + " movq %%mm3, 56(%2)\n"
20076 ".section .fixup, \"ax\"\n"
20077 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20078 + "3:\n"
20079 +
20080 +#ifdef CONFIG_PAX_KERNEXEC
20081 + " movl %%cr0, %0\n"
20082 + " movl %0, %%eax\n"
20083 + " andl $0xFFFEFFFF, %%eax\n"
20084 + " movl %%eax, %%cr0\n"
20085 +#endif
20086 +
20087 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20088 +
20089 +#ifdef CONFIG_PAX_KERNEXEC
20090 + " movl %0, %%cr0\n"
20091 +#endif
20092 +
20093 " jmp 2b\n"
20094 ".previous\n"
20095 _ASM_EXTABLE(1b, 3b)
20096 - : : "r" (from), "r" (to) : "memory");
20097 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20098
20099 from += 64;
20100 to += 64;
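Review bot: The fixup paths at both `3:` labels clear a CR0 bit with the bare mask `$0xFFFEFFFF` and nothing says which bit or why; it is bit 16, write-protect, presumably dropped so the `movw ..., 1b` patch of the prefetch can write to read-only kernel text. A comment in front of each KERNEXEC block, `/* clear CR0.WP so the fixup can rewrite the prefetch at 1b; restored right after */`, and deriving the mask from `X86_CR0_WP` where the headers in scope provide it, would make that reviewable. The window runs with write protection off and the hunk shows no interrupt disabling around it (only `kernel_fpu_begin()` before the asm), so the comment should state what keeps that window safe. The `"=&r" (cr0)` output and the `"ax"` clobber are added unconditionally, so builds without CONFIG_PAX_KERNEXEC reserve two registers the template never touches. The same open-coded sequence recurs in both `fast_copy_page` hunks that follow.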
20101 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
20102 static void fast_copy_page(void *to, void *from)
20103 {
20104 int i;
20105 + unsigned long cr0;
20106
20107 kernel_fpu_begin();
20108
20109 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
20110 * but that is for later. -AV
20111 */
20112 __asm__ __volatile__(
20113 - "1: prefetch (%0)\n"
20114 - " prefetch 64(%0)\n"
20115 - " prefetch 128(%0)\n"
20116 - " prefetch 192(%0)\n"
20117 - " prefetch 256(%0)\n"
20118 + "1: prefetch (%1)\n"
20119 + " prefetch 64(%1)\n"
20120 + " prefetch 128(%1)\n"
20121 + " prefetch 192(%1)\n"
20122 + " prefetch 256(%1)\n"
20123 "2: \n"
20124 ".section .fixup, \"ax\"\n"
20125 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20126 + "3: \n"
20127 +
20128 +#ifdef CONFIG_PAX_KERNEXEC
20129 + " movl %%cr0, %0\n"
20130 + " movl %0, %%eax\n"
20131 + " andl $0xFFFEFFFF, %%eax\n"
20132 + " movl %%eax, %%cr0\n"
20133 +#endif
20134 +
20135 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20136 +
20137 +#ifdef CONFIG_PAX_KERNEXEC
20138 + " movl %0, %%cr0\n"
20139 +#endif
20140 +
20141 " jmp 2b\n"
20142 ".previous\n"
20143 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20144 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20145
20146 for (i = 0; i < (4096-320)/64; i++) {
20147 __asm__ __volatile__ (
20148 - "1: prefetch 320(%0)\n"
20149 - "2: movq (%0), %%mm0\n"
20150 - " movntq %%mm0, (%1)\n"
20151 - " movq 8(%0), %%mm1\n"
20152 - " movntq %%mm1, 8(%1)\n"
20153 - " movq 16(%0), %%mm2\n"
20154 - " movntq %%mm2, 16(%1)\n"
20155 - " movq 24(%0), %%mm3\n"
20156 - " movntq %%mm3, 24(%1)\n"
20157 - " movq 32(%0), %%mm4\n"
20158 - " movntq %%mm4, 32(%1)\n"
20159 - " movq 40(%0), %%mm5\n"
20160 - " movntq %%mm5, 40(%1)\n"
20161 - " movq 48(%0), %%mm6\n"
20162 - " movntq %%mm6, 48(%1)\n"
20163 - " movq 56(%0), %%mm7\n"
20164 - " movntq %%mm7, 56(%1)\n"
20165 + "1: prefetch 320(%1)\n"
20166 + "2: movq (%1), %%mm0\n"
20167 + " movntq %%mm0, (%2)\n"
20168 + " movq 8(%1), %%mm1\n"
20169 + " movntq %%mm1, 8(%2)\n"
20170 + " movq 16(%1), %%mm2\n"
20171 + " movntq %%mm2, 16(%2)\n"
20172 + " movq 24(%1), %%mm3\n"
20173 + " movntq %%mm3, 24(%2)\n"
20174 + " movq 32(%1), %%mm4\n"
20175 + " movntq %%mm4, 32(%2)\n"
20176 + " movq 40(%1), %%mm5\n"
20177 + " movntq %%mm5, 40(%2)\n"
20178 + " movq 48(%1), %%mm6\n"
20179 + " movntq %%mm6, 48(%2)\n"
20180 + " movq 56(%1), %%mm7\n"
20181 + " movntq %%mm7, 56(%2)\n"
20182 ".section .fixup, \"ax\"\n"
20183 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20184 + "3:\n"
20185 +
20186 +#ifdef CONFIG_PAX_KERNEXEC
20187 + " movl %%cr0, %0\n"
20188 + " movl %0, %%eax\n"
20189 + " andl $0xFFFEFFFF, %%eax\n"
20190 + " movl %%eax, %%cr0\n"
20191 +#endif
20192 +
20193 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20194 +
20195 +#ifdef CONFIG_PAX_KERNEXEC
20196 + " movl %0, %%cr0\n"
20197 +#endif
20198 +
20199 " jmp 2b\n"
20200 ".previous\n"
20201 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
20202 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20203
20204 from += 64;
20205 to += 64;
20206 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
20207 static void fast_copy_page(void *to, void *from)
20208 {
20209 int i;
20210 + unsigned long cr0;
20211
20212 kernel_fpu_begin();
20213
20214 __asm__ __volatile__ (
20215 - "1: prefetch (%0)\n"
20216 - " prefetch 64(%0)\n"
20217 - " prefetch 128(%0)\n"
20218 - " prefetch 192(%0)\n"
20219 - " prefetch 256(%0)\n"
20220 + "1: prefetch (%1)\n"
20221 + " prefetch 64(%1)\n"
20222 + " prefetch 128(%1)\n"
20223 + " prefetch 192(%1)\n"
20224 + " prefetch 256(%1)\n"
20225 "2: \n"
20226 ".section .fixup, \"ax\"\n"
20227 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20228 + "3: \n"
20229 +
20230 +#ifdef CONFIG_PAX_KERNEXEC
20231 + " movl %%cr0, %0\n"
20232 + " movl %0, %%eax\n"
20233 + " andl $0xFFFEFFFF, %%eax\n"
20234 + " movl %%eax, %%cr0\n"
20235 +#endif
20236 +
20237 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20238 +
20239 +#ifdef CONFIG_PAX_KERNEXEC
20240 + " movl %0, %%cr0\n"
20241 +#endif
20242 +
20243 " jmp 2b\n"
20244 ".previous\n"
20245 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20246 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20247
20248 for (i = 0; i < 4096/64; i++) {
20249 __asm__ __volatile__ (
20250 - "1: prefetch 320(%0)\n"
20251 - "2: movq (%0), %%mm0\n"
20252 - " movq 8(%0), %%mm1\n"
20253 - " movq 16(%0), %%mm2\n"
20254 - " movq 24(%0), %%mm3\n"
20255 - " movq %%mm0, (%1)\n"
20256 - " movq %%mm1, 8(%1)\n"
20257 - " movq %%mm2, 16(%1)\n"
20258 - " movq %%mm3, 24(%1)\n"
20259 - " movq 32(%0), %%mm0\n"
20260 - " movq 40(%0), %%mm1\n"
20261 - " movq 48(%0), %%mm2\n"
20262 - " movq 56(%0), %%mm3\n"
20263 - " movq %%mm0, 32(%1)\n"
20264 - " movq %%mm1, 40(%1)\n"
20265 - " movq %%mm2, 48(%1)\n"
20266 - " movq %%mm3, 56(%1)\n"
20267 + "1: prefetch 320(%1)\n"
20268 + "2: movq (%1), %%mm0\n"
20269 + " movq 8(%1), %%mm1\n"
20270 + " movq 16(%1), %%mm2\n"
20271 + " movq 24(%1), %%mm3\n"
20272 + " movq %%mm0, (%2)\n"
20273 + " movq %%mm1, 8(%2)\n"
20274 + " movq %%mm2, 16(%2)\n"
20275 + " movq %%mm3, 24(%2)\n"
20276 + " movq 32(%1), %%mm0\n"
20277 + " movq 40(%1), %%mm1\n"
20278 + " movq 48(%1), %%mm2\n"
20279 + " movq 56(%1), %%mm3\n"
20280 + " movq %%mm0, 32(%2)\n"
20281 + " movq %%mm1, 40(%2)\n"
20282 + " movq %%mm2, 48(%2)\n"
20283 + " movq %%mm3, 56(%2)\n"
20284 ".section .fixup, \"ax\"\n"
20285 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20286 + "3:\n"
20287 +
20288 +#ifdef CONFIG_PAX_KERNEXEC
20289 + " movl %%cr0, %0\n"
20290 + " movl %0, %%eax\n"
20291 + " andl $0xFFFEFFFF, %%eax\n"
20292 + " movl %%eax, %%cr0\n"
20293 +#endif
20294 +
20295 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20296 +
20297 +#ifdef CONFIG_PAX_KERNEXEC
20298 + " movl %0, %%cr0\n"
20299 +#endif
20300 +
20301 " jmp 2b\n"
20302 ".previous\n"
20303 _ASM_EXTABLE(1b, 3b)
20304 - : : "r" (from), "r" (to) : "memory");
20305 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20306
20307 from += 64;
20308 to += 64;
20309 diff -urNp linux-2.6.39.2/arch/x86/lib/putuser.S linux-2.6.39.2/arch/x86/lib/putuser.S
20310 --- linux-2.6.39.2/arch/x86/lib/putuser.S 2011-05-19 00:06:34.000000000 -0400
20311 +++ linux-2.6.39.2/arch/x86/lib/putuser.S 2011-05-22 19:36:30.000000000 -0400
20312 @@ -15,7 +15,8 @@
20313 #include <asm/thread_info.h>
20314 #include <asm/errno.h>
20315 #include <asm/asm.h>
20316 -
20317 +#include <asm/segment.h>
20318 +#include <asm/pgtable.h>
20319
20320 /*
20321 * __put_user_X
20322 @@ -29,52 +30,119 @@
20323 * as they get called from within inline assembly.
20324 */
20325
20326 -#define ENTER CFI_STARTPROC ; \
20327 - GET_THREAD_INFO(%_ASM_BX)
20328 +#define ENTER CFI_STARTPROC
20329 #define EXIT ret ; \
20330 CFI_ENDPROC
20331
20332 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20333 +#define _DEST %_ASM_CX,%_ASM_BX
20334 +#else
20335 +#define _DEST %_ASM_CX
20336 +#endif
20337 +
20338 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20339 +#define __copyuser_seg gs;
20340 +#else
20341 +#define __copyuser_seg
20342 +#endif
20343 +
20344 .text
20345 ENTRY(__put_user_1)
20346 ENTER
20347 +
20348 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20349 + GET_THREAD_INFO(%_ASM_BX)
20350 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20351 jae bad_put_user
20352 -1: movb %al,(%_ASM_CX)
20353 +
20354 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20355 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20356 + cmp %_ASM_BX,%_ASM_CX
20357 + jb 1234f
20358 + xor %ebx,%ebx
20359 +1234:
20360 +#endif
20361 +
20362 +#endif
20363 +
20364 +1: __copyuser_seg movb %al,(_DEST)
20365 xor %eax,%eax
20366 EXIT
20367 ENDPROC(__put_user_1)
20368
20369 ENTRY(__put_user_2)
20370 ENTER
20371 +
20372 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20373 + GET_THREAD_INFO(%_ASM_BX)
20374 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20375 sub $1,%_ASM_BX
20376 cmp %_ASM_BX,%_ASM_CX
20377 jae bad_put_user
20378 -2: movw %ax,(%_ASM_CX)
20379 +
20380 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20381 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20382 + cmp %_ASM_BX,%_ASM_CX
20383 + jb 1234f
20384 + xor %ebx,%ebx
20385 +1234:
20386 +#endif
20387 +
20388 +#endif
20389 +
20390 +2: __copyuser_seg movw %ax,(_DEST)
20391 xor %eax,%eax
20392 EXIT
20393 ENDPROC(__put_user_2)
20394
20395 ENTRY(__put_user_4)
20396 ENTER
20397 +
20398 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20399 + GET_THREAD_INFO(%_ASM_BX)
20400 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20401 sub $3,%_ASM_BX
20402 cmp %_ASM_BX,%_ASM_CX
20403 jae bad_put_user
20404 -3: movl %eax,(%_ASM_CX)
20405 +
20406 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20407 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20408 + cmp %_ASM_BX,%_ASM_CX
20409 + jb 1234f
20410 + xor %ebx,%ebx
20411 +1234:
20412 +#endif
20413 +
20414 +#endif
20415 +
20416 +3: __copyuser_seg movl %eax,(_DEST)
20417 xor %eax,%eax
20418 EXIT
20419 ENDPROC(__put_user_4)
20420
20421 ENTRY(__put_user_8)
20422 ENTER
20423 +
20424 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20425 + GET_THREAD_INFO(%_ASM_BX)
20426 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20427 sub $7,%_ASM_BX
20428 cmp %_ASM_BX,%_ASM_CX
20429 jae bad_put_user
20430 -4: mov %_ASM_AX,(%_ASM_CX)
20431 +
20432 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20433 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20434 + cmp %_ASM_BX,%_ASM_CX
20435 + jb 1234f
20436 + xor %ebx,%ebx
20437 +1234:
20438 +#endif
20439 +
20440 +#endif
20441 +
20442 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20443 #ifdef CONFIG_X86_32
20444 -5: movl %edx,4(%_ASM_CX)
20445 +5: __copyuser_seg movl %edx,4(_DEST)
20446 #endif
20447 xor %eax,%eax
20448 EXIT
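Review bot: On 32-bit builds with CONFIG_PAX_MEMORY_UDEREF the `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` guard compiles out the `TI_addr_limit` comparison and `jae bad_put_user` in all four entry points, leaving the `gs;` prefix from `__copyuser_seg` as the only constraint on the store. That makes the content of `%gs` (loaded by `__set_fs` in usercopy_32.c of this patch) a hard security invariant of these routines, and it deserves a comment at the guard, e.g. `/* i386 UDEREF: addr_limit is not checked here; the access is constrained by the segment in %gs */`. Separately, the five-line `PAX_USER_SHADOW_BASE` sequence is pasted four times with the same `1234` label; an assembler macro would keep the copies from drifting apart. `__put_user_8` ends outside the hunk.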
20449 diff -urNp linux-2.6.39.2/arch/x86/lib/usercopy_32.c linux-2.6.39.2/arch/x86/lib/usercopy_32.c
20450 --- linux-2.6.39.2/arch/x86/lib/usercopy_32.c 2011-05-19 00:06:34.000000000 -0400
20451 +++ linux-2.6.39.2/arch/x86/lib/usercopy_32.c 2011-05-22 19:36:30.000000000 -0400
20452 @@ -43,7 +43,7 @@ do { \
20453 __asm__ __volatile__( \
20454 " testl %1,%1\n" \
20455 " jz 2f\n" \
20456 - "0: lodsb\n" \
20457 + "0: "__copyuser_seg"lodsb\n" \
20458 " stosb\n" \
20459 " testb %%al,%%al\n" \
20460 " jz 1f\n" \
20461 @@ -128,10 +128,12 @@ do { \
20462 int __d0; \
20463 might_fault(); \
20464 __asm__ __volatile__( \
20465 + __COPYUSER_SET_ES \
20466 "0: rep; stosl\n" \
20467 " movl %2,%0\n" \
20468 "1: rep; stosb\n" \
20469 "2:\n" \
20470 + __COPYUSER_RESTORE_ES \
20471 ".section .fixup,\"ax\"\n" \
20472 "3: lea 0(%2,%0,4),%0\n" \
20473 " jmp 2b\n" \
20474 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20475 might_fault();
20476
20477 __asm__ __volatile__(
20478 + __COPYUSER_SET_ES
20479 " testl %0, %0\n"
20480 " jz 3f\n"
20481 " andl %0,%%ecx\n"
20482 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20483 " subl %%ecx,%0\n"
20484 " addl %0,%%eax\n"
20485 "1:\n"
20486 + __COPYUSER_RESTORE_ES
20487 ".section .fixup,\"ax\"\n"
20488 "2: xorl %%eax,%%eax\n"
20489 " jmp 1b\n"
20490 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20491
20492 #ifdef CONFIG_X86_INTEL_USERCOPY
20493 static unsigned long
20494 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20495 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20496 {
20497 int d0, d1;
20498 __asm__ __volatile__(
20499 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20500 " .align 2,0x90\n"
20501 "3: movl 0(%4), %%eax\n"
20502 "4: movl 4(%4), %%edx\n"
20503 - "5: movl %%eax, 0(%3)\n"
20504 - "6: movl %%edx, 4(%3)\n"
20505 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20506 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20507 "7: movl 8(%4), %%eax\n"
20508 "8: movl 12(%4),%%edx\n"
20509 - "9: movl %%eax, 8(%3)\n"
20510 - "10: movl %%edx, 12(%3)\n"
20511 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20512 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20513 "11: movl 16(%4), %%eax\n"
20514 "12: movl 20(%4), %%edx\n"
20515 - "13: movl %%eax, 16(%3)\n"
20516 - "14: movl %%edx, 20(%3)\n"
20517 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20518 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20519 "15: movl 24(%4), %%eax\n"
20520 "16: movl 28(%4), %%edx\n"
20521 - "17: movl %%eax, 24(%3)\n"
20522 - "18: movl %%edx, 28(%3)\n"
20523 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20524 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20525 "19: movl 32(%4), %%eax\n"
20526 "20: movl 36(%4), %%edx\n"
20527 - "21: movl %%eax, 32(%3)\n"
20528 - "22: movl %%edx, 36(%3)\n"
20529 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20530 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20531 "23: movl 40(%4), %%eax\n"
20532 "24: movl 44(%4), %%edx\n"
20533 - "25: movl %%eax, 40(%3)\n"
20534 - "26: movl %%edx, 44(%3)\n"
20535 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20536 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20537 "27: movl 48(%4), %%eax\n"
20538 "28: movl 52(%4), %%edx\n"
20539 - "29: movl %%eax, 48(%3)\n"
20540 - "30: movl %%edx, 52(%3)\n"
20541 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20542 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20543 "31: movl 56(%4), %%eax\n"
20544 "32: movl 60(%4), %%edx\n"
20545 - "33: movl %%eax, 56(%3)\n"
20546 - "34: movl %%edx, 60(%3)\n"
20547 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20548 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20549 " addl $-64, %0\n"
20550 " addl $64, %4\n"
20551 " addl $64, %3\n"
20552 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20553 " shrl $2, %0\n"
20554 " andl $3, %%eax\n"
20555 " cld\n"
20556 + __COPYUSER_SET_ES
20557 "99: rep; movsl\n"
20558 "36: movl %%eax, %0\n"
20559 "37: rep; movsb\n"
20560 "100:\n"
20561 + __COPYUSER_RESTORE_ES
20562 + ".section .fixup,\"ax\"\n"
20563 + "101: lea 0(%%eax,%0,4),%0\n"
20564 + " jmp 100b\n"
20565 + ".previous\n"
20566 + ".section __ex_table,\"a\"\n"
20567 + " .align 4\n"
20568 + " .long 1b,100b\n"
20569 + " .long 2b,100b\n"
20570 + " .long 3b,100b\n"
20571 + " .long 4b,100b\n"
20572 + " .long 5b,100b\n"
20573 + " .long 6b,100b\n"
20574 + " .long 7b,100b\n"
20575 + " .long 8b,100b\n"
20576 + " .long 9b,100b\n"
20577 + " .long 10b,100b\n"
20578 + " .long 11b,100b\n"
20579 + " .long 12b,100b\n"
20580 + " .long 13b,100b\n"
20581 + " .long 14b,100b\n"
20582 + " .long 15b,100b\n"
20583 + " .long 16b,100b\n"
20584 + " .long 17b,100b\n"
20585 + " .long 18b,100b\n"
20586 + " .long 19b,100b\n"
20587 + " .long 20b,100b\n"
20588 + " .long 21b,100b\n"
20589 + " .long 22b,100b\n"
20590 + " .long 23b,100b\n"
20591 + " .long 24b,100b\n"
20592 + " .long 25b,100b\n"
20593 + " .long 26b,100b\n"
20594 + " .long 27b,100b\n"
20595 + " .long 28b,100b\n"
20596 + " .long 29b,100b\n"
20597 + " .long 30b,100b\n"
20598 + " .long 31b,100b\n"
20599 + " .long 32b,100b\n"
20600 + " .long 33b,100b\n"
20601 + " .long 34b,100b\n"
20602 + " .long 35b,100b\n"
20603 + " .long 36b,100b\n"
20604 + " .long 37b,100b\n"
20605 + " .long 99b,101b\n"
20606 + ".previous"
20607 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20608 + : "1"(to), "2"(from), "0"(size)
20609 + : "eax", "edx", "memory");
20610 + return size;
20611 +}
20612 +
20613 +static unsigned long
20614 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20615 +{
20616 + int d0, d1;
20617 + __asm__ __volatile__(
20618 + " .align 2,0x90\n"
20619 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20620 + " cmpl $67, %0\n"
20621 + " jbe 3f\n"
20622 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20623 + " .align 2,0x90\n"
20624 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20625 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20626 + "5: movl %%eax, 0(%3)\n"
20627 + "6: movl %%edx, 4(%3)\n"
20628 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20629 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20630 + "9: movl %%eax, 8(%3)\n"
20631 + "10: movl %%edx, 12(%3)\n"
20632 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20633 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20634 + "13: movl %%eax, 16(%3)\n"
20635 + "14: movl %%edx, 20(%3)\n"
20636 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20637 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20638 + "17: movl %%eax, 24(%3)\n"
20639 + "18: movl %%edx, 28(%3)\n"
20640 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20641 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20642 + "21: movl %%eax, 32(%3)\n"
20643 + "22: movl %%edx, 36(%3)\n"
20644 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20645 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20646 + "25: movl %%eax, 40(%3)\n"
20647 + "26: movl %%edx, 44(%3)\n"
20648 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20649 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20650 + "29: movl %%eax, 48(%3)\n"
20651 + "30: movl %%edx, 52(%3)\n"
20652 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20653 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20654 + "33: movl %%eax, 56(%3)\n"
20655 + "34: movl %%edx, 60(%3)\n"
20656 + " addl $-64, %0\n"
20657 + " addl $64, %4\n"
20658 + " addl $64, %3\n"
20659 + " cmpl $63, %0\n"
20660 + " ja 1b\n"
20661 + "35: movl %0, %%eax\n"
20662 + " shrl $2, %0\n"
20663 + " andl $3, %%eax\n"
20664 + " cld\n"
20665 + "99: rep; "__copyuser_seg" movsl\n"
20666 + "36: movl %%eax, %0\n"
20667 + "37: rep; "__copyuser_seg" movsb\n"
20668 + "100:\n"
20669 ".section .fixup,\"ax\"\n"
20670 "101: lea 0(%%eax,%0,4),%0\n"
20671 " jmp 100b\n"
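Review bot: In `__generic_copy_to_user_intel` the exception-table entries for labels 1 to 37 all resume at `100b`, which now sits directly in front of `__COPYUSER_RESTORE_ES`, while `__COPYUSER_SET_ES` is only executed after the unrolled loop, just before `99:`. A fault inside the loop (labels 1 to 34) therefore runs the restore fragment without a matching set. That is harmless only if the restore macro reloads %es unconditionally rather than popping a value saved by the set macro; both macros are defined outside this hunk, so this should be confirmed and recorded next to `100:`, e.g. `/* RESTORE_ES must be safe without a prior SET_ES: loop faults land here */`. The new `__generic_copy_from_user_intel` has no such pairing, because it puts the `__copyuser_seg` prefix on the reads instead.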
20672 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20673 int d0, d1;
20674 __asm__ __volatile__(
20675 " .align 2,0x90\n"
20676 - "0: movl 32(%4), %%eax\n"
20677 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20678 " cmpl $67, %0\n"
20679 " jbe 2f\n"
20680 - "1: movl 64(%4), %%eax\n"
20681 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20682 " .align 2,0x90\n"
20683 - "2: movl 0(%4), %%eax\n"
20684 - "21: movl 4(%4), %%edx\n"
20685 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20686 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20687 " movl %%eax, 0(%3)\n"
20688 " movl %%edx, 4(%3)\n"
20689 - "3: movl 8(%4), %%eax\n"
20690 - "31: movl 12(%4),%%edx\n"
20691 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20692 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20693 " movl %%eax, 8(%3)\n"
20694 " movl %%edx, 12(%3)\n"
20695 - "4: movl 16(%4), %%eax\n"
20696 - "41: movl 20(%4), %%edx\n"
20697 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20698 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20699 " movl %%eax, 16(%3)\n"
20700 " movl %%edx, 20(%3)\n"
20701 - "10: movl 24(%4), %%eax\n"
20702 - "51: movl 28(%4), %%edx\n"
20703 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20704 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20705 " movl %%eax, 24(%3)\n"
20706 " movl %%edx, 28(%3)\n"
20707 - "11: movl 32(%4), %%eax\n"
20708 - "61: movl 36(%4), %%edx\n"
20709 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20710 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20711 " movl %%eax, 32(%3)\n"
20712 " movl %%edx, 36(%3)\n"
20713 - "12: movl 40(%4), %%eax\n"
20714 - "71: movl 44(%4), %%edx\n"
20715 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20716 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20717 " movl %%eax, 40(%3)\n"
20718 " movl %%edx, 44(%3)\n"
20719 - "13: movl 48(%4), %%eax\n"
20720 - "81: movl 52(%4), %%edx\n"
20721 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20722 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20723 " movl %%eax, 48(%3)\n"
20724 " movl %%edx, 52(%3)\n"
20725 - "14: movl 56(%4), %%eax\n"
20726 - "91: movl 60(%4), %%edx\n"
20727 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20728 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20729 " movl %%eax, 56(%3)\n"
20730 " movl %%edx, 60(%3)\n"
20731 " addl $-64, %0\n"
20732 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20733 " shrl $2, %0\n"
20734 " andl $3, %%eax\n"
20735 " cld\n"
20736 - "6: rep; movsl\n"
20737 + "6: rep; "__copyuser_seg" movsl\n"
20738 " movl %%eax,%0\n"
20739 - "7: rep; movsb\n"
20740 + "7: rep; "__copyuser_seg" movsb\n"
20741 "8:\n"
20742 ".section .fixup,\"ax\"\n"
20743 "9: lea 0(%%eax,%0,4),%0\n"
20744 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20745
20746 __asm__ __volatile__(
20747 " .align 2,0x90\n"
20748 - "0: movl 32(%4), %%eax\n"
20749 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20750 " cmpl $67, %0\n"
20751 " jbe 2f\n"
20752 - "1: movl 64(%4), %%eax\n"
20753 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20754 " .align 2,0x90\n"
20755 - "2: movl 0(%4), %%eax\n"
20756 - "21: movl 4(%4), %%edx\n"
20757 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20758 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20759 " movnti %%eax, 0(%3)\n"
20760 " movnti %%edx, 4(%3)\n"
20761 - "3: movl 8(%4), %%eax\n"
20762 - "31: movl 12(%4),%%edx\n"
20763 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20764 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20765 " movnti %%eax, 8(%3)\n"
20766 " movnti %%edx, 12(%3)\n"
20767 - "4: movl 16(%4), %%eax\n"
20768 - "41: movl 20(%4), %%edx\n"
20769 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20770 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20771 " movnti %%eax, 16(%3)\n"
20772 " movnti %%edx, 20(%3)\n"
20773 - "10: movl 24(%4), %%eax\n"
20774 - "51: movl 28(%4), %%edx\n"
20775 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20776 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20777 " movnti %%eax, 24(%3)\n"
20778 " movnti %%edx, 28(%3)\n"
20779 - "11: movl 32(%4), %%eax\n"
20780 - "61: movl 36(%4), %%edx\n"
20781 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20782 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20783 " movnti %%eax, 32(%3)\n"
20784 " movnti %%edx, 36(%3)\n"
20785 - "12: movl 40(%4), %%eax\n"
20786 - "71: movl 44(%4), %%edx\n"
20787 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20788 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20789 " movnti %%eax, 40(%3)\n"
20790 " movnti %%edx, 44(%3)\n"
20791 - "13: movl 48(%4), %%eax\n"
20792 - "81: movl 52(%4), %%edx\n"
20793 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20794 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20795 " movnti %%eax, 48(%3)\n"
20796 " movnti %%edx, 52(%3)\n"
20797 - "14: movl 56(%4), %%eax\n"
20798 - "91: movl 60(%4), %%edx\n"
20799 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20800 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20801 " movnti %%eax, 56(%3)\n"
20802 " movnti %%edx, 60(%3)\n"
20803 " addl $-64, %0\n"
20804 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20805 " shrl $2, %0\n"
20806 " andl $3, %%eax\n"
20807 " cld\n"
20808 - "6: rep; movsl\n"
20809 + "6: rep; "__copyuser_seg" movsl\n"
20810 " movl %%eax,%0\n"
20811 - "7: rep; movsb\n"
20812 + "7: rep; "__copyuser_seg" movsb\n"
20813 "8:\n"
20814 ".section .fixup,\"ax\"\n"
20815 "9: lea 0(%%eax,%0,4),%0\n"
20816 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20817
20818 __asm__ __volatile__(
20819 " .align 2,0x90\n"
20820 - "0: movl 32(%4), %%eax\n"
20821 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20822 " cmpl $67, %0\n"
20823 " jbe 2f\n"
20824 - "1: movl 64(%4), %%eax\n"
20825 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20826 " .align 2,0x90\n"
20827 - "2: movl 0(%4), %%eax\n"
20828 - "21: movl 4(%4), %%edx\n"
20829 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20830 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20831 " movnti %%eax, 0(%3)\n"
20832 " movnti %%edx, 4(%3)\n"
20833 - "3: movl 8(%4), %%eax\n"
20834 - "31: movl 12(%4),%%edx\n"
20835 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20836 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20837 " movnti %%eax, 8(%3)\n"
20838 " movnti %%edx, 12(%3)\n"
20839 - "4: movl 16(%4), %%eax\n"
20840 - "41: movl 20(%4), %%edx\n"
20841 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20842 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20843 " movnti %%eax, 16(%3)\n"
20844 " movnti %%edx, 20(%3)\n"
20845 - "10: movl 24(%4), %%eax\n"
20846 - "51: movl 28(%4), %%edx\n"
20847 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20848 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20849 " movnti %%eax, 24(%3)\n"
20850 " movnti %%edx, 28(%3)\n"
20851 - "11: movl 32(%4), %%eax\n"
20852 - "61: movl 36(%4), %%edx\n"
20853 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20854 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20855 " movnti %%eax, 32(%3)\n"
20856 " movnti %%edx, 36(%3)\n"
20857 - "12: movl 40(%4), %%eax\n"
20858 - "71: movl 44(%4), %%edx\n"
20859 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20860 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20861 " movnti %%eax, 40(%3)\n"
20862 " movnti %%edx, 44(%3)\n"
20863 - "13: movl 48(%4), %%eax\n"
20864 - "81: movl 52(%4), %%edx\n"
20865 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20866 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20867 " movnti %%eax, 48(%3)\n"
20868 " movnti %%edx, 52(%3)\n"
20869 - "14: movl 56(%4), %%eax\n"
20870 - "91: movl 60(%4), %%edx\n"
20871 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20872 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20873 " movnti %%eax, 56(%3)\n"
20874 " movnti %%edx, 60(%3)\n"
20875 " addl $-64, %0\n"
20876 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20877 " shrl $2, %0\n"
20878 " andl $3, %%eax\n"
20879 " cld\n"
20880 - "6: rep; movsl\n"
20881 + "6: rep; "__copyuser_seg" movsl\n"
20882 " movl %%eax,%0\n"
20883 - "7: rep; movsb\n"
20884 + "7: rep; "__copyuser_seg" movsb\n"
20885 "8:\n"
20886 ".section .fixup,\"ax\"\n"
20887 "9: lea 0(%%eax,%0,4),%0\n"
20888 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20889 */
20890 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20891 unsigned long size);
20892 -unsigned long __copy_user_intel(void __user *to, const void *from,
20893 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20894 + unsigned long size);
20895 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20896 unsigned long size);
20897 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20898 const void __user *from, unsigned long size);
20899 #endif /* CONFIG_X86_INTEL_USERCOPY */
20900
20901 /* Generic arbitrary sized copy. */
20902 -#define __copy_user(to, from, size) \
20903 +#define __copy_user(to, from, size, prefix, set, restore) \
20904 do { \
20905 int __d0, __d1, __d2; \
20906 __asm__ __volatile__( \
20907 + set \
20908 " cmp $7,%0\n" \
20909 " jbe 1f\n" \
20910 " movl %1,%0\n" \
20911 " negl %0\n" \
20912 " andl $7,%0\n" \
20913 " subl %0,%3\n" \
20914 - "4: rep; movsb\n" \
20915 + "4: rep; "prefix"movsb\n" \
20916 " movl %3,%0\n" \
20917 " shrl $2,%0\n" \
20918 " andl $3,%3\n" \
20919 " .align 2,0x90\n" \
20920 - "0: rep; movsl\n" \
20921 + "0: rep; "prefix"movsl\n" \
20922 " movl %3,%0\n" \
20923 - "1: rep; movsb\n" \
20924 + "1: rep; "prefix"movsb\n" \
20925 "2:\n" \
20926 + restore \
20927 ".section .fixup,\"ax\"\n" \
20928 "5: addl %3,%0\n" \
20929 " jmp 2b\n" \
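Review bot: `__copy_user` gains three parameters, `prefix`, `set` and `restore`, that are pasted straight into the asm template, but the only comment on the macro is still "Generic arbitrary sized copy." A short comment should say that all three must be string literals, that `prefix` lands on the `movs` instructions (where a segment override applies to the source operand), and that `set`/`restore` bracket the copy; the fixup at `5:` returns to `2b`, so the restore fragment also runs on the fault path. For example: `/* prefix: segment override for the movs source; set/restore: asm fragments emitted before the copy and at label 2 */`. The macro body continues beyond the hunk.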
20930 @@ -682,14 +799,14 @@ do { \
20931 " negl %0\n" \
20932 " andl $7,%0\n" \
20933 " subl %0,%3\n" \
20934 - "4: rep; movsb\n" \
20935 + "4: rep; "__copyuser_seg"movsb\n" \
20936 " movl %3,%0\n" \
20937 " shrl $2,%0\n" \
20938 " andl $3,%3\n" \
20939 " .align 2,0x90\n" \
20940 - "0: rep; movsl\n" \
20941 + "0: rep; "__copyuser_seg"movsl\n" \
20942 " movl %3,%0\n" \
20943 - "1: rep; movsb\n" \
20944 + "1: rep; "__copyuser_seg"movsb\n" \
20945 "2:\n" \
20946 ".section .fixup,\"ax\"\n" \
20947 "5: addl %3,%0\n" \
20948 @@ -775,9 +892,9 @@ survive:
20949 }
20950 #endif
20951 if (movsl_is_ok(to, from, n))
20952 - __copy_user(to, from, n);
20953 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
20954 else
20955 - n = __copy_user_intel(to, from, n);
20956 + n = __generic_copy_to_user_intel(to, from, n);
20957 return n;
20958 }
20959 EXPORT_SYMBOL(__copy_to_user_ll);
20960 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
20961 unsigned long n)
20962 {
20963 if (movsl_is_ok(to, from, n))
20964 - __copy_user(to, from, n);
20965 + __copy_user(to, from, n, __copyuser_seg, "", "");
20966 else
20967 - n = __copy_user_intel((void __user *)to,
20968 - (const void *)from, n);
20969 + n = __generic_copy_from_user_intel(to, from, n);
20970 return n;
20971 }
20972 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
20973 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
20974 if (n > 64 && cpu_has_xmm2)
20975 n = __copy_user_intel_nocache(to, from, n);
20976 else
20977 - __copy_user(to, from, n);
20978 + __copy_user(to, from, n, __copyuser_seg, "", "");
20979 #else
20980 - __copy_user(to, from, n);
20981 + __copy_user(to, from, n, __copyuser_seg, "", "");
20982 #endif
20983 return n;
20984 }
20985 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
20986
20987 -/**
20988 - * copy_to_user: - Copy a block of data into user space.
20989 - * @to: Destination address, in user space.
20990 - * @from: Source address, in kernel space.
20991 - * @n: Number of bytes to copy.
20992 - *
20993 - * Context: User context only. This function may sleep.
20994 - *
20995 - * Copy data from kernel space to user space.
20996 - *
20997 - * Returns number of bytes that could not be copied.
20998 - * On success, this will be zero.
20999 - */
21000 -unsigned long
21001 -copy_to_user(void __user *to, const void *from, unsigned long n)
21002 +void copy_from_user_overflow(void)
21003 {
21004 - if (access_ok(VERIFY_WRITE, to, n))
21005 - n = __copy_to_user(to, from, n);
21006 - return n;
21007 + WARN(1, "Buffer overflow detected!\n");
21008 }
21009 -EXPORT_SYMBOL(copy_to_user);
21010 +EXPORT_SYMBOL(copy_from_user_overflow);
21011
21012 -/**
21013 - * copy_from_user: - Copy a block of data from user space.
21014 - * @to: Destination address, in kernel space.
21015 - * @from: Source address, in user space.
21016 - * @n: Number of bytes to copy.
21017 - *
21018 - * Context: User context only. This function may sleep.
21019 - *
21020 - * Copy data from user space to kernel space.
21021 - *
21022 - * Returns number of bytes that could not be copied.
21023 - * On success, this will be zero.
21024 - *
21025 - * If some data could not be copied, this function will pad the copied
21026 - * data to the requested size using zero bytes.
21027 - */
21028 -unsigned long
21029 -_copy_from_user(void *to, const void __user *from, unsigned long n)
21030 +void copy_to_user_overflow(void)
21031 {
21032 - if (access_ok(VERIFY_READ, from, n))
21033 - n = __copy_from_user(to, from, n);
21034 - else
21035 - memset(to, 0, n);
21036 - return n;
21037 + WARN(1, "Buffer overflow detected!\n");
21038 }
21039 -EXPORT_SYMBOL(_copy_from_user);
21040 +EXPORT_SYMBOL(copy_to_user_overflow);
21041
21042 -void copy_from_user_overflow(void)
21043 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21044 +void __set_fs(mm_segment_t x)
21045 {
21046 - WARN(1, "Buffer overflow detected!\n");
21047 + switch (x.seg) {
21048 + case 0:
21049 + loadsegment(gs, 0);
21050 + break;
21051 + case TASK_SIZE_MAX:
21052 + loadsegment(gs, __USER_DS);
21053 + break;
21054 + case -1UL:
21055 + loadsegment(gs, __KERNEL_DS);
21056 + break;
21057 + default:
21058 + BUG();
21059 + }
21060 + return;
21061 }
21062 -EXPORT_SYMBOL(copy_from_user_overflow);
21063 +EXPORT_SYMBOL(__set_fs);
21064 +
21065 +void set_fs(mm_segment_t x)
21066 +{
21067 + current_thread_info()->addr_limit = x;
21068 + __set_fs(x);
21069 +}
21070 +EXPORT_SYMBOL(set_fs);
21071 +#endif
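Review bot: `__set_fs()` accepts exactly three `x.seg` values and calls `BUG()` for any other, and both it and `set_fs()` are exported, yet nothing documents that contract for callers. A comment above the switch, e.g. `/* UDEREF: mirror the address limit in %gs: 0 -> null selector, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; other limits are a bug */`, would state it. The trailing `return;` is redundant in a `void` function. `copy_from_user_overflow()` and `copy_to_user_overflow()` also emit the identical text "Buffer overflow detected!", so the direction can only be recovered from the backtrace; naming the direction in each message would make log-based triage easier.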
21072 diff -urNp linux-2.6.39.2/arch/x86/lib/usercopy_64.c linux-2.6.39.2/arch/x86/lib/usercopy_64.c
21073 --- linux-2.6.39.2/arch/x86/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
21074 +++ linux-2.6.39.2/arch/x86/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
21075 @@ -42,6 +42,12 @@ long
21076 __strncpy_from_user(char *dst, const char __user *src, long count)
21077 {
21078 long res;
21079 +
21080 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21081 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
21082 + src += PAX_USER_SHADOW_BASE;
21083 +#endif
21084 +
21085 __do_strncpy_from_user(dst, src, count, res);
21086 return res;
21087 }
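Review bot: The rebasing check added to `__strncpy_from_user()` only adjusts pointers below `PAX_USER_SHADOW_BASE` and passes anything at or above it through untouched, with no comment on which callers may legitimately supply such a pointer. The same lines are repeated in the `__clear_user()` and `copy_in_user()` hunks below, so a small inline helper would keep the copies from drifting apart. If the open-coded form stays, a comment such as `/* UDEREF: redirect userland pointers to the shadow mapping; pointers already above the base are left as is */` (to be confirmed against the intended design) would make the rule reviewable. `__strncpy_from_user()` has no `access_ok()` of its own in the visible lines, so range validation is presumably the caller's job.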
21088 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
21089 {
21090 long __d0;
21091 might_fault();
21092 +
21093 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21094 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
21095 + addr += PAX_USER_SHADOW_BASE;
21096 +#endif
21097 +
21098 /* no memory constraint because it doesn't change any memory gcc knows
21099 about */
21100 asm volatile(
21101 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
21102
21103 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
21104 {
21105 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21106 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21107 +
21108 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21109 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
21110 + to += PAX_USER_SHADOW_BASE;
21111 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
21112 + from += PAX_USER_SHADOW_BASE;
21113 +#endif
21114 +
21115 return copy_user_generic((__force void *)to, (__force void *)from, len);
21116 - }
21117 - return len;
21118 + }
21119 + return len;
21120 }
21121 EXPORT_SYMBOL(copy_in_user);
21122
21123 diff -urNp linux-2.6.39.2/arch/x86/Makefile linux-2.6.39.2/arch/x86/Makefile
21124 --- linux-2.6.39.2/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400
21125 +++ linux-2.6.39.2/arch/x86/Makefile 2011-05-22 19:36:30.000000000 -0400
21126 @@ -195,3 +195,12 @@ define archhelp
21127 echo ' FDARGS="..." arguments for the booted kernel'
21128 echo ' FDINITRD=file initrd for the booted kernel'
21129 endef
21130 +
21131 +define OLD_LD
21132 +
21133 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
21134 +*** Please upgrade your binutils to 2.18 or newer
21135 +endef
21136 +
21137 +archprepare:
21138 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
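Review bot: The `archprepare` guard decides that binutils is too old purely from `LDFLAGS_BUILD_ID` being empty, so the "upgrade your binutils to 2.18" text would also be shown if that variable ended up empty for any other reason. A comment above the rule, e.g. `# an empty LDFLAGS_BUILD_ID means the linker lacks --build-id, used here as a proxy for binutils < 2.18`, would tie the test to the message. The link between the variable and `--build-id` is defined outside this hunk and should be checked.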
21139 diff -urNp linux-2.6.39.2/arch/x86/mm/extable.c linux-2.6.39.2/arch/x86/mm/extable.c
21140 --- linux-2.6.39.2/arch/x86/mm/extable.c 2011-05-19 00:06:34.000000000 -0400
21141 +++ linux-2.6.39.2/arch/x86/mm/extable.c 2011-05-22 19:36:30.000000000 -0400
21142 @@ -1,14 +1,71 @@
21143 #include <linux/module.h>
21144 #include <linux/spinlock.h>
21145 +#include <linux/sort.h>
21146 #include <asm/uaccess.h>
21147 +#include <asm/pgtable.h>
21148
21149 +/*
21150 + * The exception table needs to be sorted so that the binary
21151 + * search that we use to find entries in it works properly.
21152 + * This is used both for the kernel exception table and for
21153 + * the exception tables of modules that get loaded.
21154 + */
21155 +static int cmp_ex(const void *a, const void *b)
21156 +{
21157 + const struct exception_table_entry *x = a, *y = b;
21158 +
21159 + /* avoid overflow */
21160 + if (x->insn > y->insn)
21161 + return 1;
21162 + if (x->insn < y->insn)
21163 + return -1;
21164 + return 0;
21165 +}
21166 +
21167 +static void swap_ex(void *a, void *b, int size)
21168 +{
21169 + struct exception_table_entry t, *x = a, *y = b;
21170 +
21171 + t = *x;
21172 +
21173 + pax_open_kernel();
21174 + *x = *y;
21175 + *y = t;
21176 + pax_close_kernel();
21177 +}
21178 +
21179 +void sort_extable(struct exception_table_entry *start,
21180 + struct exception_table_entry *finish)
21181 +{
21182 + sort(start, finish - start, sizeof(struct exception_table_entry),
21183 + cmp_ex, swap_ex);
21184 +}
21185 +
21186 +#ifdef CONFIG_MODULES
21187 +/*
21188 + * If the exception table is sorted, any referring to the module init
21189 + * will be at the beginning or the end.
21190 + */
21191 +void trim_init_extable(struct module *m)
21192 +{
21193 + /*trim the beginning*/
21194 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
21195 + m->extable++;
21196 + m->num_exentries--;
21197 + }
21198 + /*trim the end*/
21199 + while (m->num_exentries &&
21200 + within_module_init(m->extable[m->num_exentries-1].insn, m))
21201 + m->num_exentries--;
21202 +}
21203 +#endif /* CONFIG_MODULES */
21204
21205 int fixup_exception(struct pt_regs *regs)
21206 {
21207 const struct exception_table_entry *fixup;
21208
21209 #ifdef CONFIG_PNPBIOS
21210 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
21211 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
21212 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
21213 extern u32 pnp_bios_is_utter_crap;
21214 pnp_bios_is_utter_crap = 1;
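Review bot: `swap_ex()` never uses its `size` argument and copies whole `struct exception_table_entry` values, which is only correct because `sort_extable()` passes `sizeof(struct exception_table_entry)`; nothing in the code states that coupling. It also opens the kernel write window with `pax_open_kernel()` without saying why the table needs it. A comment above the function, e.g. `/* entries may live in write-protected memory: open the window only around the two stores; size is always sizeof(entry) */`, would document both, with the write-protection part confirmed against the KERNEXEC layout. `fixup_exception()` continues outside this hunk.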
21215 diff -urNp linux-2.6.39.2/arch/x86/mm/fault.c linux-2.6.39.2/arch/x86/mm/fault.c
21216 --- linux-2.6.39.2/arch/x86/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
21217 +++ linux-2.6.39.2/arch/x86/mm/fault.c 2011-06-06 17:34:04.000000000 -0400
21218 @@ -12,10 +12,18 @@
21219 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
21220 #include <linux/perf_event.h> /* perf_sw_event */
21221 #include <linux/hugetlb.h> /* hstate_index_to_shift */
21222 +#include <linux/unistd.h>
21223 +#include <linux/compiler.h>
21224
21225 #include <asm/traps.h> /* dotraplinkage, ... */
21226 #include <asm/pgalloc.h> /* pgd_*(), ... */
21227 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
21228 +#include <asm/vsyscall.h>
21229 +#include <asm/tlbflush.h>
21230 +
21231 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21232 +#include <asm/stacktrace.h>
21233 +#endif
21234
21235 /*
21236 * Page fault error code bits:
21237 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
21238 int ret = 0;
21239
21240 /* kprobe_running() needs smp_processor_id() */
21241 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21242 + if (kprobes_built_in() && !user_mode(regs)) {
21243 preempt_disable();
21244 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21245 ret = 1;
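Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault()` is only equivalent if this tree's `user_mode()` also recognises vm86 frames, and its definition is not part of this hunk. The same substitution is made in the `do_page_fault()` hunk at `@@ -1032,7 +1282,7 @@`, where it decides whether `PF_USER` is set. A short comment at one of the sites, or in the commit text, stating that `user_mode()` now covers the vm86 case would let a reader verify it without searching the rest of the patch. The function body continues outside the hunk.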
21246 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
21247 return !instr_lo || (instr_lo>>1) == 1;
21248 case 0x00:
21249 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21250 - if (probe_kernel_address(instr, opcode))
21251 + if (user_mode(regs)) {
21252 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21253 + return 0;
21254 + } else if (probe_kernel_address(instr, opcode))
21255 return 0;
21256
21257 *prefetch = (instr_lo == 0xF) &&
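Review bot: The user/kernel split for reading one opcode byte is open-coded here in `check_prefetch_opcode()` and again in the `is_prefetch()` hunk that follows, differing only in `return 0` versus `break`. `__copy_from_user_inatomic()` does no range check itself, so both copies rely on `instr` already being bounded to user space for a user-mode fault, which is checked, if at all, outside these hunks. Folding the two branches into one helper (the name below is only a suggestion) gives a single place to document that assumption. Both functions' bodies extend beyond the hunks shown.

```c
/* Read one instruction byte in the faulting context; nonzero on failure.
 * Assumes the caller has already bounded instr to user space when user_mode(regs). */
static inline int pax_read_insn_byte(struct pt_regs *regs, unsigned char *instr,
				     unsigned char *opcode)
{
	if (user_mode(regs))
		return __copy_from_user_inatomic(opcode, (__force unsigned char __user *)instr, 1) != 0;
	return probe_kernel_address(instr, *opcode) != 0;
}

/* … unchanged: case 0x00 in check_prefetch_opcode() … */
		if (pax_read_insn_byte(regs, instr, &opcode))
			return 0;
```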
21258 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
21259 while (instr < max_instr) {
21260 unsigned char opcode;
21261
21262 - if (probe_kernel_address(instr, opcode))
21263 + if (user_mode(regs)) {
21264 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21265 + break;
21266 + } else if (probe_kernel_address(instr, opcode))
21267 break;
21268
21269 instr++;
21270 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
21271 force_sig_info(si_signo, &info, tsk);
21272 }
21273
21274 +#ifdef CONFIG_PAX_EMUTRAMP
21275 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21276 +#endif
21277 +
21278 +#ifdef CONFIG_PAX_PAGEEXEC
21279 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21280 +{
21281 + pgd_t *pgd;
21282 + pud_t *pud;
21283 + pmd_t *pmd;
21284 +
21285 + pgd = pgd_offset(mm, address);
21286 + if (!pgd_present(*pgd))
21287 + return NULL;
21288 + pud = pud_offset(pgd, address);
21289 + if (!pud_present(*pud))
21290 + return NULL;
21291 + pmd = pmd_offset(pud, address);
21292 + if (!pmd_present(*pmd))
21293 + return NULL;
21294 + return pmd;
21295 +}
21296 +#endif
21297 +
21298 DEFINE_SPINLOCK(pgd_lock);
21299 LIST_HEAD(pgd_list);
21300
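Review bot: `pax_get_pmd()` returns any pmd that passes `pmd_present()` and has no comment on what the caller must hold or what kind of pmd it may get back. Its user in the later `pax_handle_pageexec_fault()` hunk feeds the result straight into `pte_offset_map_lock()`, which is only valid for a pmd that points to a page table. Whether a large-page pmd can reach this path on the configurations that build it is not visible here and should be confirmed. If it can, a `pmd_large()` rejection belongs next to the present check; if it cannot, a comment saying why would close the question.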
21301 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
21302 for (address = VMALLOC_START & PMD_MASK;
21303 address >= TASK_SIZE && address < FIXADDR_TOP;
21304 address += PMD_SIZE) {
21305 +
21306 +#ifdef CONFIG_PAX_PER_CPU_PGD
21307 + unsigned long cpu;
21308 +#else
21309 struct page *page;
21310 +#endif
21311
21312 spin_lock(&pgd_lock);
21313 +
21314 +#ifdef CONFIG_PAX_PER_CPU_PGD
21315 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21316 + pgd_t *pgd = get_cpu_pgd(cpu);
21317 + pmd_t *ret;
21318 +#else
21319 list_for_each_entry(page, &pgd_list, lru) {
21320 + pgd_t *pgd = page_address(page);
21321 spinlock_t *pgt_lock;
21322 pmd_t *ret;
21323
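Review bot: Under `CONFIG_PAX_PER_CPU_PGD` the inner loop header is `for (cpu = 0; cpu < NR_CPUS; ++cpu)` while the other build keeps `list_for_each_entry`, and the two alternatives share one loop body whose braces are split across `#ifdef` arms in this hunk and the next. That makes it hard to see that the per-CPU variant calls `vmalloc_sync_one()` under `pgd_lock` only, with no `pgt_lock`; a comment should explain why no per-mm lock is needed for the per-CPU page directories. It would also help to state that `get_cpu_pgd()` is valid for every index below `NR_CPUS`, including CPUs that are not present, since that cannot be checked from here.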
21324 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
21325 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21326
21327 spin_lock(pgt_lock);
21328 - ret = vmalloc_sync_one(page_address(page), address);
21329 +#endif
21330 +
21331 + ret = vmalloc_sync_one(pgd, address);
21332 +
21333 +#ifndef CONFIG_PAX_PER_CPU_PGD
21334 spin_unlock(pgt_lock);
21335 +#endif
21336
21337 if (!ret)
21338 break;
21339 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
21340 * an interrupt in the middle of a task switch..
21341 */
21342 pgd_paddr = read_cr3();
21343 +
21344 +#ifdef CONFIG_PAX_PER_CPU_PGD
21345 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21346 +#endif
21347 +
21348 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21349 if (!pmd_k)
21350 return -1;
21351 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
21352 * happen within a race in page table update. In the later
21353 * case just flush:
21354 */
21355 +
21356 +#ifdef CONFIG_PAX_PER_CPU_PGD
21357 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21358 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21359 +#else
21360 pgd = pgd_offset(current->active_mm, address);
21361 +#endif
21362 +
21363 pgd_ref = pgd_offset_k(address);
21364 if (pgd_none(*pgd_ref))
21365 return -1;
21366 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
21367 static int is_errata100(struct pt_regs *regs, unsigned long address)
21368 {
21369 #ifdef CONFIG_X86_64
21370 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21371 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21372 return 1;
21373 #endif
21374 return 0;
21375 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
21376 }
21377
21378 static const char nx_warning[] = KERN_CRIT
21379 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21380 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21381
21382 static void
21383 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21384 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
21385 if (!oops_may_print())
21386 return;
21387
21388 - if (error_code & PF_INSTR) {
21389 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
21390 unsigned int level;
21391
21392 pte_t *pte = lookup_address(address, &level);
21393
21394 if (pte && pte_present(*pte) && !pte_exec(*pte))
21395 - printk(nx_warning, current_uid());
21396 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21397 }
21398
21399 +#ifdef CONFIG_PAX_KERNEXEC
21400 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21401 + if (current->signal->curr_ip)
21402 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21403 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21404 + else
21405 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21406 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21407 + }
21408 +#endif
21409 +
21410 printk(KERN_ALERT "BUG: unable to handle kernel ");
21411 if (address < PAGE_SIZE)
21412 printk(KERN_CONT "NULL pointer dereference");
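Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for every oops whose address lies in `[init_mm.start_code, init_mm.end_code)` without looking at `error_code`, so a read or instruction-fetch fault in that range would be reported as a write attempt. If the message is meant for writes only, the condition could become `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code)`. `current->comm` in this message and in the extended `nx_warning` is set by the task itself, so anything that alerts on these lines should treat the name as untrusted text. The function body continues outside the hunk.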
21413 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
21414 unsigned long address, int si_code)
21415 {
21416 struct task_struct *tsk = current;
21417 + struct mm_struct *mm = tsk->mm;
21418 +
21419 +#ifdef CONFIG_X86_64
21420 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21421 + if (regs->ip == (unsigned long)vgettimeofday) {
21422 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21423 + return;
21424 + } else if (regs->ip == (unsigned long)vtime) {
21425 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21426 + return;
21427 + } else if (regs->ip == (unsigned long)vgetcpu) {
21428 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21429 + return;
21430 + }
21431 + }
21432 +#endif
21433 +
21434 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21435 + if (mm && (error_code & PF_USER)) {
21436 + unsigned long ip = regs->ip;
21437 +
21438 + if (v8086_mode(regs))
21439 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21440 +
21441 + /*
21442 + * It's possible to have interrupts off here:
21443 + */
21444 + local_irq_enable();
21445 +
21446 +#ifdef CONFIG_PAX_PAGEEXEC
21447 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21448 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21449 +
21450 +#ifdef CONFIG_PAX_EMUTRAMP
21451 + switch (pax_handle_fetch_fault(regs)) {
21452 + case 2:
21453 + return;
21454 + }
21455 +#endif
21456 +
21457 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21458 + do_group_exit(SIGKILL);
21459 + }
21460 +#endif
21461 +
21462 +#ifdef CONFIG_PAX_SEGMEXEC
21463 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21464 +
21465 +#ifdef CONFIG_PAX_EMUTRAMP
21466 + switch (pax_handle_fetch_fault(regs)) {
21467 + case 2:
21468 + return;
21469 + }
21470 +#endif
21471 +
21472 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21473 + do_group_exit(SIGKILL);
21474 + }
21475 +#endif
21476 +
21477 + }
21478 +#endif
21479
21480 /* User mode accesses just cause a SIGSEGV */
21481 if (error_code & PF_USER) {
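Review bot: `pax_handle_fetch_fault()` is consumed through a one-case `switch` on a bare `2`, twice in this hunk and once more in `pax_handle_pageexec_fault()`, and the meaning of `1` and `2` is only explained in a comment near the end of the file. Named constants and a plain test, e.g. `if (pax_handle_fetch_fault(regs) == PAX_FETCH_EMULATED) return;` (the constant name is a suggestion), would make the kill-versus-resume decision readable where it is taken. The PAGEEXEC and SEGMEXEC arms are identical after their conditions, so the report-and-kill tail could be shared. The function body continues outside the hunk.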
21482 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
21483 return 1;
21484 }
21485
21486 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21487 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21488 +{
21489 + pte_t *pte;
21490 + pmd_t *pmd;
21491 + spinlock_t *ptl;
21492 + unsigned char pte_mask;
21493 +
21494 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21495 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21496 + return 0;
21497 +
21498 + /* PaX: it's our fault, let's handle it if we can */
21499 +
21500 + /* PaX: take a look at read faults before acquiring any locks */
21501 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21502 + /* instruction fetch attempt from a protected page in user mode */
21503 + up_read(&mm->mmap_sem);
21504 +
21505 +#ifdef CONFIG_PAX_EMUTRAMP
21506 + switch (pax_handle_fetch_fault(regs)) {
21507 + case 2:
21508 + return 1;
21509 + }
21510 +#endif
21511 +
21512 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21513 + do_group_exit(SIGKILL);
21514 + }
21515 +
21516 + pmd = pax_get_pmd(mm, address);
21517 + if (unlikely(!pmd))
21518 + return 0;
21519 +
21520 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21521 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21522 + pte_unmap_unlock(pte, ptl);
21523 + return 0;
21524 + }
21525 +
21526 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21527 + /* write attempt to a protected page in user mode */
21528 + pte_unmap_unlock(pte, ptl);
21529 + return 0;
21530 + }
21531 +
21532 +#ifdef CONFIG_SMP
21533 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21534 +#else
21535 + if (likely(address > get_limit(regs->cs)))
21536 +#endif
21537 + {
21538 + set_pte(pte, pte_mkread(*pte));
21539 + __flush_tlb_one(address);
21540 + pte_unmap_unlock(pte, ptl);
21541 + up_read(&mm->mmap_sem);
21542 + return 1;
21543 + }
21544 +
21545 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21546 +
21547 + /*
21548 + * PaX: fill DTLB with user rights and retry
21549 + */
21550 + __asm__ __volatile__ (
21551 + "orb %2,(%1)\n"
21552 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21553 +/*
21554 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21555 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21556 + * page fault when examined during a TLB load attempt. this is true not only
21557 + * for PTEs holding a non-present entry but also present entries that will
21558 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21559 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21560 + * for our target pages since their PTEs are simply not in the TLBs at all.
21561 +
21562 + * the best thing in omitting it is that we gain around 15-20% speed in the
21563 + * fast path of the page fault handler and can get rid of tracing since we
21564 + * can no longer flush unintended entries.
21565 + */
21566 + "invlpg (%0)\n"
21567 +#endif
21568 + __copyuser_seg"testb $0,(%0)\n"
21569 + "xorb %3,(%1)\n"
21570 + :
21571 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21572 + : "memory", "cc");
21573 + pte_unmap_unlock(pte, ptl);
21574 + up_read(&mm->mmap_sem);
21575 + return 1;
21576 +}
21577 +#endif
21578 +
21579 /*
21580 * Handle a spurious fault caused by a stale TLB entry.
21581 *
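Review bot: `pax_handle_pageexec_fault()` has an undocumented locking contract: every path that returns 1 has already called `up_read(&mm->mmap_sem)`, while every path that returns 0 leaves the semaphore held for the caller. The caller added in the `retry:` hunk relies on this by returning immediately on a nonzero result. A header comment such as `/* returns 1 with mmap_sem released (fault handled), 0 with mmap_sem still held (fall through to the generic handler) */` would keep a later edit from leaking or double-releasing the lock. The `pte_mask` expression also depends on the numeric relation between `PF_WRITE` and `_PAGE_BIT_DIRTY`, which merits a short comment.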
21582 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
21583 static inline int
21584 access_error(unsigned long error_code, struct vm_area_struct *vma)
21585 {
21586 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21587 + return 1;
21588 +
21589 if (error_code & PF_WRITE) {
21590 /* write, present and write, not present: */
21591 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21592 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
21593 {
21594 struct vm_area_struct *vma;
21595 struct task_struct *tsk;
21596 - unsigned long address;
21597 struct mm_struct *mm;
21598 int fault;
21599 int write = error_code & PF_WRITE;
21600 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
21601 (write ? FAULT_FLAG_WRITE : 0);
21602
21603 + /* Get the faulting address: */
21604 + unsigned long address = read_cr2();
21605 +
21606 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21607 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21608 + if (!search_exception_tables(regs->ip)) {
21609 + bad_area_nosemaphore(regs, error_code, address);
21610 + return;
21611 + }
21612 + if (address < PAX_USER_SHADOW_BASE) {
21613 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21614 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21615 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21616 + } else
21617 + address -= PAX_USER_SHADOW_BASE;
21618 + }
21619 +#endif
21620 +
21621 tsk = current;
21622 mm = tsk->mm;
21623
21624 - /* Get the faulting address: */
21625 - address = read_cr2();
21626 -
21627 /*
21628 * Detect and handle instructions that would cause a page fault for
21629 * both a tracked kernel page and a userspace page.
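Review bot: The UDEREF diagnostic for a kernel-mode fault below `PAX_USER_SHADOW_BASE` prints the faulting IP and a stack trace but not `address` itself, and it is not rate-limited. Adding the address to the message, e.g. `printk(KERN_ERR "PAX: faulting IP: %pA, address: %lx\n", (void *)regs->ip, address);`, would make a report usable without reproducing the fault. If this branch can be reached repeatedly, which is not clear from the hunk, guarding the three log calls with `if (printk_ratelimit())` would keep it from flooding the log. After logging, the unshifted address falls through to normal handling; a comment saying that this is intended would help.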
21630 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
21631 * User-mode registers count as a user access even for any
21632 * potential system fault or CPU buglet:
21633 */
21634 - if (user_mode_vm(regs)) {
21635 + if (user_mode(regs)) {
21636 local_irq_enable();
21637 error_code |= PF_USER;
21638 } else {
21639 @@ -1087,6 +1337,11 @@ retry:
21640 might_sleep();
21641 }
21642
21643 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21644 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21645 + return;
21646 +#endif
21647 +
21648 vma = find_vma(mm, address);
21649 if (unlikely(!vma)) {
21650 bad_area(regs, error_code, address);
21651 @@ -1098,18 +1353,24 @@ retry:
21652 bad_area(regs, error_code, address);
21653 return;
21654 }
21655 - if (error_code & PF_USER) {
21656 - /*
21657 - * Accessing the stack below %sp is always a bug.
21658 - * The large cushion allows instructions like enter
21659 - * and pusha to work. ("enter $65535, $31" pushes
21660 - * 32 pointers and then decrements %sp by 65535.)
21661 - */
21662 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21663 - bad_area(regs, error_code, address);
21664 - return;
21665 - }
21666 + /*
21667 + * Accessing the stack below %sp is always a bug.
21668 + * The large cushion allows instructions like enter
21669 + * and pusha to work. ("enter $65535, $31" pushes
21670 + * 32 pointers and then decrements %sp by 65535.)
21671 + */
21672 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21673 + bad_area(regs, error_code, address);
21674 + return;
21675 }
21676 +
21677 +#ifdef CONFIG_PAX_SEGMEXEC
21678 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21679 + bad_area(regs, error_code, address);
21680 + return;
21681 + }
21682 +#endif
21683 +
21684 if (unlikely(expand_stack(vma, address))) {
21685 bad_area(regs, error_code, address);
21686 return;
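Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` subtracts the same constant from both sides, so it differs from a plain `vma->vm_end < address` only through unsigned wraparound, and nothing says which case it is meant to catch. A comment stating the intended condition in words, for example which half of the split address space `address` and `vma->vm_end` are expected to be in, is needed to review it. The same hunk also drops the `error_code & PF_USER` guard around the stack-cushion check and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, so the check now runs for kernel-mode faults as well. That change of scope deserves a sentence in the comment above it.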
21687 @@ -1164,3 +1425,199 @@ good_area:
21688
21689 up_read(&mm->mmap_sem);
21690 }
21691 +
21692 +#ifdef CONFIG_PAX_EMUTRAMP
21693 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21694 +{
21695 + int err;
21696 +
21697 + do { /* PaX: gcc trampoline emulation #1 */
21698 + unsigned char mov1, mov2;
21699 + unsigned short jmp;
21700 + unsigned int addr1, addr2;
21701 +
21702 +#ifdef CONFIG_X86_64
21703 + if ((regs->ip + 11) >> 32)
21704 + break;
21705 +#endif
21706 +
21707 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21708 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21709 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21710 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21711 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21712 +
21713 + if (err)
21714 + break;
21715 +
21716 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21717 + regs->cx = addr1;
21718 + regs->ax = addr2;
21719 + regs->ip = addr2;
21720 + return 2;
21721 + }
21722 + } while (0);
21723 +
21724 + do { /* PaX: gcc trampoline emulation #2 */
21725 + unsigned char mov, jmp;
21726 + unsigned int addr1, addr2;
21727 +
21728 +#ifdef CONFIG_X86_64
21729 + if ((regs->ip + 9) >> 32)
21730 + break;
21731 +#endif
21732 +
21733 + err = get_user(mov, (unsigned char __user *)regs->ip);
21734 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21735 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21736 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21737 +
21738 + if (err)
21739 + break;
21740 +
21741 + if (mov == 0xB9 && jmp == 0xE9) {
21742 + regs->cx = addr1;
21743 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21744 + return 2;
21745 + }
21746 + } while (0);
21747 +
21748 + return 1; /* PaX in action */
21749 +}
21750 +
21751 +#ifdef CONFIG_X86_64
21752 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21753 +{
21754 + int err;
21755 +
21756 + do { /* PaX: gcc trampoline emulation #1 */
21757 + unsigned short mov1, mov2, jmp1;
21758 + unsigned char jmp2;
21759 + unsigned int addr1;
21760 + unsigned long addr2;
21761 +
21762 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21763 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21764 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21765 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21766 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21767 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21768 +
21769 + if (err)
21770 + break;
21771 +
21772 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21773 + regs->r11 = addr1;
21774 + regs->r10 = addr2;
21775 + regs->ip = addr1;
21776 + return 2;
21777 + }
21778 + } while (0);
21779 +
21780 + do { /* PaX: gcc trampoline emulation #2 */
21781 + unsigned short mov1, mov2, jmp1;
21782 + unsigned char jmp2;
21783 + unsigned long addr1, addr2;
21784 +
21785 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21786 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21787 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21788 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21789 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21790 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21791 +
21792 + if (err)
21793 + break;
21794 +
21795 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21796 + regs->r11 = addr1;
21797 + regs->r10 = addr2;
21798 + regs->ip = addr1;
21799 + return 2;
21800 + }
21801 + } while (0);
21802 +
21803 + return 1; /* PaX in action */
21804 +}
21805 +#endif
21806 +
21807 +/*
21808 + * PaX: decide what to do with offenders (regs->ip = fault address)
21809 + *
21810 + * returns 1 when task should be killed
21811 + * 2 when gcc trampoline was detected
21812 + */
21813 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21814 +{
21815 + if (v8086_mode(regs))
21816 + return 1;
21817 +
21818 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21819 + return 1;
21820 +
21821 +#ifdef CONFIG_X86_32
21822 + return pax_handle_fetch_fault_32(regs);
21823 +#else
21824 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21825 + return pax_handle_fetch_fault_32(regs);
21826 + else
21827 + return pax_handle_fetch_fault_64(regs);
21828 +#endif
21829 +}
21830 +#endif
21831 +
21832 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21833 +void pax_report_insns(void *pc, void *sp)
21834 +{
21835 + long i;
21836 +
21837 + printk(KERN_ERR "PAX: bytes at PC: ");
21838 + for (i = 0; i < 20; i++) {
21839 + unsigned char c;
21840 + if (get_user(c, (__force unsigned char __user *)pc+i))
21841 + printk(KERN_CONT "?? ");
21842 + else
21843 + printk(KERN_CONT "%02x ", c);
21844 + }
21845 + printk("\n");
21846 +
21847 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21848 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21849 + unsigned long c;
21850 + if (get_user(c, (__force unsigned long __user *)sp+i))
21851 +#ifdef CONFIG_X86_32
21852 + printk(KERN_CONT "???????? ");
21853 +#else
21854 + printk(KERN_CONT "???????????????? ");
21855 +#endif
21856 + else
21857 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21858 + }
21859 + printk("\n");
21860 +}
21861 +#endif
21862 +
21863 +/**
21864 + * probe_kernel_write(): safely attempt to write to a location
21865 + * @dst: address to write to
21866 + * @src: pointer to the data that shall be written
21867 + * @size: size of the data chunk
21868 + *
21869 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21870 + * happens, handle that and return -EFAULT.
21871 + */
21872 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21873 +{
21874 + long ret;
21875 + mm_segment_t old_fs = get_fs();
21876 +
21877 + set_fs(KERNEL_DS);
21878 + pagefault_disable();
21879 + pax_open_kernel();
21880 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21881 + pax_close_kernel();
21882 + pagefault_enable();
21883 + set_fs(old_fs);
21884 +
21885 + return ret ? -EFAULT : 0;
21886 +}
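Review bot: `pax_report_insns()` copies 20 bytes at the faulting PC and roughly 80 bytes around the user stack pointer into the kernel log at `KERN_ERR`, so fragments of the killed process's memory become readable by anyone who can read that log. A comment on the function should say so, and deployments that enable this reporting should restrict log access (for instance via the `dmesg_restrict` sysctl) and treat collected logs as potentially sensitive. Separately, the return values `1` and `2` of the `pax_handle_fetch_fault*()` family are documented only in the comment above `pax_handle_fetch_fault()`; named constants would carry that meaning to the call sites.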
21887 diff -urNp linux-2.6.39.2/arch/x86/mm/gup.c linux-2.6.39.2/arch/x86/mm/gup.c
21888 --- linux-2.6.39.2/arch/x86/mm/gup.c 2011-05-19 00:06:34.000000000 -0400
21889 +++ linux-2.6.39.2/arch/x86/mm/gup.c 2011-05-22 19:36:30.000000000 -0400
21890 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
21891 addr = start;
21892 len = (unsigned long) nr_pages << PAGE_SHIFT;
21893 end = start + len;
21894 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21895 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21896 (void __user *)start, len)))
21897 return 0;
21898
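Review bot: Switching the range check in `__get_user_pages_fast()` from `access_ok()` to `__access_ok()` changes which validation runs before the page-table walk, and the hunk gives no reason. The definitions of both are outside this hunk, so whether `__access_ok()` performs the same address-range test cannot be confirmed here. A comment at the call, e.g. `/* __access_ok: plain range check; see uaccess.h for why the access_ok() wrapper is not used here */`, adjusted to the real reason, would record why the substitution is correct. The function body continues outside the hunk.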
21899 diff -urNp linux-2.6.39.2/arch/x86/mm/highmem_32.c linux-2.6.39.2/arch/x86/mm/highmem_32.c
21900 --- linux-2.6.39.2/arch/x86/mm/highmem_32.c 2011-05-19 00:06:34.000000000 -0400
21901 +++ linux-2.6.39.2/arch/x86/mm/highmem_32.c 2011-05-22 19:36:30.000000000 -0400
21902 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
21903 idx = type + KM_TYPE_NR*smp_processor_id();
21904 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21905 BUG_ON(!pte_none(*(kmap_pte-idx)));
21906 +
21907 + pax_open_kernel();
21908 set_pte(kmap_pte-idx, mk_pte(page, prot));
21909 + pax_close_kernel();
21910
21911 return (void *)vaddr;
21912 }
21913 diff -urNp linux-2.6.39.2/arch/x86/mm/hugetlbpage.c linux-2.6.39.2/arch/x86/mm/hugetlbpage.c
21914 --- linux-2.6.39.2/arch/x86/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
21915 +++ linux-2.6.39.2/arch/x86/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
21916 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
21917 struct hstate *h = hstate_file(file);
21918 struct mm_struct *mm = current->mm;
21919 struct vm_area_struct *vma;
21920 - unsigned long start_addr;
21921 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21922 +
21923 +#ifdef CONFIG_PAX_SEGMEXEC
21924 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21925 + pax_task_size = SEGMEXEC_TASK_SIZE;
21926 +#endif
21927 +
21928 + pax_task_size -= PAGE_SIZE;
21929
21930 if (len > mm->cached_hole_size) {
21931 - start_addr = mm->free_area_cache;
21932 + start_addr = mm->free_area_cache;
21933 } else {
21934 - start_addr = TASK_UNMAPPED_BASE;
21935 - mm->cached_hole_size = 0;
21936 + start_addr = mm->mmap_base;
21937 + mm->cached_hole_size = 0;
21938 }
21939
21940 full_search:
21941 @@ -280,26 +287,27 @@ full_search:
21942
21943 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
21944 /* At this point: (!vma || addr < vma->vm_end). */
21945 - if (TASK_SIZE - len < addr) {
21946 + if (pax_task_size - len < addr) {
21947 /*
21948 * Start a new search - just in case we missed
21949 * some holes.
21950 */
21951 - if (start_addr != TASK_UNMAPPED_BASE) {
21952 - start_addr = TASK_UNMAPPED_BASE;
21953 + if (start_addr != mm->mmap_base) {
21954 + start_addr = mm->mmap_base;
21955 mm->cached_hole_size = 0;
21956 goto full_search;
21957 }
21958 return -ENOMEM;
21959 }
21960 - if (!vma || addr + len <= vma->vm_start) {
21961 - mm->free_area_cache = addr + len;
21962 - return addr;
21963 - }
21964 + if (check_heap_stack_gap(vma, addr, len))
21965 + break;
21966 if (addr + mm->cached_hole_size < vma->vm_start)
21967 mm->cached_hole_size = vma->vm_start - addr;
21968 addr = ALIGN(vma->vm_end, huge_page_size(h));
21969 }
21970 +
21971 + mm->free_area_cache = addr + len;
21972 + return addr;
21973 }
21974
21975 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
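Review bot: After `check_heap_stack_gap(vma, addr, len)` returns false the loop goes on to read `vma->vm_start` and `vma->vm_end`, so the helper has to return true whenever `vma` is NULL; the removed code made that case explicit with `!vma ||`. The helper is defined outside this hunk, so that contract cannot be confirmed from here. The same dependency exists in the top-down hunk that follows, where `vma->vm_end` is read after the check. I would either keep the explicit `!vma ||` in front of the call or add a comment at the call site: `/* check_heap_stack_gap() returns true for a NULL vma (no mapping above addr) */`. The function body starts in the previous hunk.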
21976 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
21977 {
21978 struct hstate *h = hstate_file(file);
21979 struct mm_struct *mm = current->mm;
21980 - struct vm_area_struct *vma, *prev_vma;
21981 - unsigned long base = mm->mmap_base, addr = addr0;
21982 + struct vm_area_struct *vma;
21983 + unsigned long base = mm->mmap_base, addr;
21984 unsigned long largest_hole = mm->cached_hole_size;
21985 - int first_time = 1;
21986
21987 /* don't allow allocations above current base */
21988 if (mm->free_area_cache > base)
21989 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
21990 largest_hole = 0;
21991 mm->free_area_cache = base;
21992 }
21993 -try_again:
21994 +
21995 /* make sure it can fit in the remaining address space */
21996 if (mm->free_area_cache < len)
21997 goto fail;
21998
21999 /* either no address requested or can't fit in requested address hole */
22000 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
22001 + addr = (mm->free_area_cache - len);
22002 do {
22003 + addr &= huge_page_mask(h);
22004 + vma = find_vma(mm, addr);
22005 /*
22006 * Lookup failure means no vma is above this address,
22007 * i.e. return with success:
22008 - */
22009 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
22010 - return addr;
22011 -
22012 - /*
22013 * new region fits between prev_vma->vm_end and
22014 * vma->vm_start, use it:
22015 */
22016 - if (addr + len <= vma->vm_start &&
22017 - (!prev_vma || (addr >= prev_vma->vm_end))) {
22018 + if (check_heap_stack_gap(vma, addr, len)) {
22019 /* remember the address as a hint for next time */
22020 - mm->cached_hole_size = largest_hole;
22021 - return (mm->free_area_cache = addr);
22022 - } else {
22023 - /* pull free_area_cache down to the first hole */
22024 - if (mm->free_area_cache == vma->vm_end) {
22025 - mm->free_area_cache = vma->vm_start;
22026 - mm->cached_hole_size = largest_hole;
22027 - }
22028 + mm->cached_hole_size = largest_hole;
22029 + return (mm->free_area_cache = addr);
22030 + }
22031 + /* pull free_area_cache down to the first hole */
22032 + if (mm->free_area_cache == vma->vm_end) {
22033 + mm->free_area_cache = vma->vm_start;
22034 + mm->cached_hole_size = largest_hole;
22035 }
22036
22037 /* remember the largest hole we saw so far */
22038 if (addr + largest_hole < vma->vm_start)
22039 - largest_hole = vma->vm_start - addr;
22040 + largest_hole = vma->vm_start - addr;
22041
22042 /* try just below the current vma->vm_start */
22043 - addr = (vma->vm_start - len) & huge_page_mask(h);
22044 - } while (len <= vma->vm_start);
22045 + addr = skip_heap_stack_gap(vma, len);
22046 + } while (!IS_ERR_VALUE(addr));
22047
22048 fail:
22049 /*
22050 - * if hint left us with no space for the requested
22051 - * mapping then try again:
22052 - */
22053 - if (first_time) {
22054 - mm->free_area_cache = base;
22055 - largest_hole = 0;
22056 - first_time = 0;
22057 - goto try_again;
22058 - }
22059 - /*
22060 * A failed mmap() very likely causes application failure,
22061 * so fall back to the bottom-up function here. This scenario
22062 * can happen with large stack limits and large mmap()
22063 * allocations.
22064 */
22065 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22066 +
22067 +#ifdef CONFIG_PAX_SEGMEXEC
22068 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22069 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
22070 + else
22071 +#endif
22072 +
22073 + mm->mmap_base = TASK_UNMAPPED_BASE;
22074 +
22075 +#ifdef CONFIG_PAX_RANDMMAP
22076 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22077 + mm->mmap_base += mm->delta_mmap;
22078 +#endif
22079 +
22080 + mm->free_area_cache = mm->mmap_base;
22081 mm->cached_hole_size = ~0UL;
22082 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
22083 len, pgoff, flags);
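Review bot: The comment left inside the `do` loop is now one merged block that still talks about "Lookup failure ... return with success" and `prev_vma->vm_end`, but this hunk removes both `prev_vma` and the early `return addr` it described. Suggest replacing it with `/* check_heap_stack_gap() decides whether [addr, addr+len) fits below vma, including the no-vma case */`. In the fail path, the `else` that closes the `#ifdef CONFIG_PAX_SEGMEXEC` block binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` across `#endif` and a blank line; bracing both branches would make that pairing visible and harder to break. The function continues in the next hunk, where `mm->mmap_base` is restored to `base`.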
22084 @@ -386,6 +392,7 @@ fail:
22085 /*
22086 * Restore the topdown base:
22087 */
22088 + mm->mmap_base = base;
22089 mm->free_area_cache = base;
22090 mm->cached_hole_size = ~0UL;
22091
22092 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
22093 struct hstate *h = hstate_file(file);
22094 struct mm_struct *mm = current->mm;
22095 struct vm_area_struct *vma;
22096 + unsigned long pax_task_size = TASK_SIZE;
22097
22098 if (len & ~huge_page_mask(h))
22099 return -EINVAL;
22100 - if (len > TASK_SIZE)
22101 +
22102 +#ifdef CONFIG_PAX_SEGMEXEC
22103 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22104 + pax_task_size = SEGMEXEC_TASK_SIZE;
22105 +#endif
22106 +
22107 + pax_task_size -= PAGE_SIZE;
22108 +
22109 + if (len > pax_task_size)
22110 return -ENOMEM;
22111
22112 if (flags & MAP_FIXED) {
22113 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
22114 if (addr) {
22115 addr = ALIGN(addr, huge_page_size(h));
22116 vma = find_vma(mm, addr);
22117 - if (TASK_SIZE - len >= addr &&
22118 - (!vma || addr + len <= vma->vm_start))
22119 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
22120 return addr;
22121 }
22122 if (mm->get_unmapped_area == arch_get_unmapped_area)
22123 diff -urNp linux-2.6.39.2/arch/x86/mm/init_32.c linux-2.6.39.2/arch/x86/mm/init_32.c
22124 --- linux-2.6.39.2/arch/x86/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
22125 +++ linux-2.6.39.2/arch/x86/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
22126 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
22127 }
22128
22129 /*
22130 - * Creates a middle page table and puts a pointer to it in the
22131 - * given global directory entry. This only returns the gd entry
22132 - * in non-PAE compilation mode, since the middle layer is folded.
22133 - */
22134 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
22135 -{
22136 - pud_t *pud;
22137 - pmd_t *pmd_table;
22138 -
22139 -#ifdef CONFIG_X86_PAE
22140 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
22141 - if (after_bootmem)
22142 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
22143 - else
22144 - pmd_table = (pmd_t *)alloc_low_page();
22145 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
22146 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
22147 - pud = pud_offset(pgd, 0);
22148 - BUG_ON(pmd_table != pmd_offset(pud, 0));
22149 -
22150 - return pmd_table;
22151 - }
22152 -#endif
22153 - pud = pud_offset(pgd, 0);
22154 - pmd_table = pmd_offset(pud, 0);
22155 -
22156 - return pmd_table;
22157 -}
22158 -
22159 -/*
22160 * Create a page table and place a pointer to it in a middle page
22161 * directory entry:
22162 */
22163 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
22164 page_table = (pte_t *)alloc_low_page();
22165
22166 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
22167 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22168 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
22169 +#else
22170 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
22171 +#endif
22172 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
22173 }
22174
22175 return pte_offset_kernel(pmd, 0);
22176 }
22177
22178 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
22179 +{
22180 + pud_t *pud;
22181 + pmd_t *pmd_table;
22182 +
22183 + pud = pud_offset(pgd, 0);
22184 + pmd_table = pmd_offset(pud, 0);
22185 +
22186 + return pmd_table;
22187 +}
22188 +
22189 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
22190 {
22191 int pgd_idx = pgd_index(vaddr);
22192 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
22193 int pgd_idx, pmd_idx;
22194 unsigned long vaddr;
22195 pgd_t *pgd;
22196 + pud_t *pud;
22197 pmd_t *pmd;
22198 pte_t *pte = NULL;
22199
22200 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
22201 pgd = pgd_base + pgd_idx;
22202
22203 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
22204 - pmd = one_md_table_init(pgd);
22205 - pmd = pmd + pmd_index(vaddr);
22206 + pud = pud_offset(pgd, vaddr);
22207 + pmd = pmd_offset(pud, vaddr);
22208 +
22209 +#ifdef CONFIG_X86_PAE
22210 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22211 +#endif
22212 +
22213 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
22214 pmd++, pmd_idx++) {
22215 pte = page_table_kmap_check(one_page_table_init(pmd),
22216 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
22217 }
22218 }
22219
22220 -static inline int is_kernel_text(unsigned long addr)
22221 +static inline int is_kernel_text(unsigned long start, unsigned long end)
22222 {
22223 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
22224 - return 1;
22225 - return 0;
22226 + if ((start > ktla_ktva((unsigned long)_etext) ||
22227 + end <= ktla_ktva((unsigned long)_stext)) &&
22228 + (start > ktla_ktva((unsigned long)_einittext) ||
22229 + end <= ktla_ktva((unsigned long)_sinittext)) &&
22230 +
22231 +#ifdef CONFIG_ACPI_SLEEP
22232 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
22233 +#endif
22234 +
22235 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
22236 + return 0;
22237 + return 1;
22238 }
22239
22240 /*
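Review bot: `is_kernel_text()` no longer tests kernel text only: it returns 1 for any range overlapping .text, init text, the ACPI wakeup area (under CONFIG_ACPI_SLEEP) or the 0xc0000-0xfffff window, and later hunks use that result to select `PAGE_KERNEL_EXEC` / `PAGE_KERNEL_LARGE_EXEC`. A header comment should say so, for example `/* returns 1 if [start, end) overlaps a region that must stay executable: kernel text, init text, ACPI wakeup code, the legacy BIOS window */`, and the `0x4000` wakeup length deserves a named constant. The region-end tests use `start >` while the region-start tests use `end <=`, so a range beginning exactly at `_etext` or `_einittext` counts as overlapping and is mapped executable. If those end symbols are exclusive, `start >=` would be the tighter test; worth confirming against the linker script.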
22241 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
22242 unsigned long last_map_addr = end;
22243 unsigned long start_pfn, end_pfn;
22244 pgd_t *pgd_base = swapper_pg_dir;
22245 - int pgd_idx, pmd_idx, pte_ofs;
22246 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22247 unsigned long pfn;
22248 pgd_t *pgd;
22249 + pud_t *pud;
22250 pmd_t *pmd;
22251 pte_t *pte;
22252 unsigned pages_2m, pages_4k;
22253 @@ -281,8 +282,13 @@ repeat:
22254 pfn = start_pfn;
22255 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22256 pgd = pgd_base + pgd_idx;
22257 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22258 - pmd = one_md_table_init(pgd);
22259 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22260 + pud = pud_offset(pgd, 0);
22261 + pmd = pmd_offset(pud, 0);
22262 +
22263 +#ifdef CONFIG_X86_PAE
22264 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22265 +#endif
22266
22267 if (pfn >= end_pfn)
22268 continue;
22269 @@ -294,14 +300,13 @@ repeat:
22270 #endif
22271 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22272 pmd++, pmd_idx++) {
22273 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22274 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22275
22276 /*
22277 * Map with big pages if possible, otherwise
22278 * create normal page tables:
22279 */
22280 if (use_pse) {
22281 - unsigned int addr2;
22282 pgprot_t prot = PAGE_KERNEL_LARGE;
22283 /*
22284 * first pass will use the same initial
22285 @@ -311,11 +316,7 @@ repeat:
22286 __pgprot(PTE_IDENT_ATTR |
22287 _PAGE_PSE);
22288
22289 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22290 - PAGE_OFFSET + PAGE_SIZE-1;
22291 -
22292 - if (is_kernel_text(addr) ||
22293 - is_kernel_text(addr2))
22294 + if (is_kernel_text(address, address + PMD_SIZE))
22295 prot = PAGE_KERNEL_LARGE_EXEC;
22296
22297 pages_2m++;
22298 @@ -332,7 +333,7 @@ repeat:
22299 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22300 pte += pte_ofs;
22301 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22302 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22303 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22304 pgprot_t prot = PAGE_KERNEL;
22305 /*
22306 * first pass will use the same initial
22307 @@ -340,7 +341,7 @@ repeat:
22308 */
22309 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22310
22311 - if (is_kernel_text(addr))
22312 + if (is_kernel_text(address, address + PAGE_SIZE))
22313 prot = PAGE_KERNEL_EXEC;
22314
22315 pages_4k++;
22316 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
22317
22318 pud = pud_offset(pgd, va);
22319 pmd = pmd_offset(pud, va);
22320 - if (!pmd_present(*pmd))
22321 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22322 break;
22323
22324 pte = pte_offset_kernel(pmd, va);
22325 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
22326
22327 static void __init pagetable_init(void)
22328 {
22329 - pgd_t *pgd_base = swapper_pg_dir;
22330 -
22331 - permanent_kmaps_init(pgd_base);
22332 + permanent_kmaps_init(swapper_pg_dir);
22333 }
22334
22335 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22336 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22337 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22338
22339 /* user-defined highmem size */
22340 @@ -754,6 +753,12 @@ void __init mem_init(void)
22341
22342 pci_iommu_alloc();
22343
22344 +#ifdef CONFIG_PAX_PER_CPU_PGD
22345 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22346 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22347 + KERNEL_PGD_PTRS);
22348 +#endif
22349 +
22350 #ifdef CONFIG_FLATMEM
22351 BUG_ON(!mem_map);
22352 #endif
22353 @@ -771,7 +776,7 @@ void __init mem_init(void)
22354 set_highmem_pages_init();
22355
22356 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22357 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22358 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22359 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22360
22361 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22362 @@ -812,10 +817,10 @@ void __init mem_init(void)
22363 ((unsigned long)&__init_end -
22364 (unsigned long)&__init_begin) >> 10,
22365
22366 - (unsigned long)&_etext, (unsigned long)&_edata,
22367 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22368 + (unsigned long)&_sdata, (unsigned long)&_edata,
22369 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22370
22371 - (unsigned long)&_text, (unsigned long)&_etext,
22372 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22373 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22374
22375 /*
22376 @@ -893,6 +898,7 @@ void set_kernel_text_rw(void)
22377 if (!kernel_set_to_readonly)
22378 return;
22379
22380 + start = ktla_ktva(start);
22381 pr_debug("Set kernel text: %lx - %lx for read write\n",
22382 start, start+size);
22383
22384 @@ -907,6 +913,7 @@ void set_kernel_text_ro(void)
22385 if (!kernel_set_to_readonly)
22386 return;
22387
22388 + start = ktla_ktva(start);
22389 pr_debug("Set kernel text: %lx - %lx for read only\n",
22390 start, start+size);
22391
22392 @@ -935,6 +942,7 @@ void mark_rodata_ro(void)
22393 unsigned long start = PFN_ALIGN(_text);
22394 unsigned long size = PFN_ALIGN(_etext) - start;
22395
22396 + start = ktla_ktva(start);
22397 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22398 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22399 size >> 10);
22400 diff -urNp linux-2.6.39.2/arch/x86/mm/init_64.c linux-2.6.39.2/arch/x86/mm/init_64.c
22401 --- linux-2.6.39.2/arch/x86/mm/init_64.c 2011-05-19 00:06:34.000000000 -0400
22402 +++ linux-2.6.39.2/arch/x86/mm/init_64.c 2011-05-22 19:36:30.000000000 -0400
22403 @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpa
22404 * around without checking the pgd every time.
22405 */
22406
22407 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
22408 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
22409 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22410
22411 int force_personality32;
22412 @@ -107,12 +107,22 @@ void sync_global_pgds(unsigned long star
22413
22414 for (address = start; address <= end; address += PGDIR_SIZE) {
22415 const pgd_t *pgd_ref = pgd_offset_k(address);
22416 +
22417 +#ifdef CONFIG_PAX_PER_CPU_PGD
22418 + unsigned long cpu;
22419 +#else
22420 struct page *page;
22421 +#endif
22422
22423 if (pgd_none(*pgd_ref))
22424 continue;
22425
22426 spin_lock(&pgd_lock);
22427 +
22428 +#ifdef CONFIG_PAX_PER_CPU_PGD
22429 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22430 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22431 +#else
22432 list_for_each_entry(page, &pgd_list, lru) {
22433 pgd_t *pgd;
22434 spinlock_t *pgt_lock;
22435 @@ -121,6 +131,7 @@ void sync_global_pgds(unsigned long star
22436 /* the pgt_lock only for Xen */
22437 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
22438 spin_lock(pgt_lock);
22439 +#endif
22440
22441 if (pgd_none(*pgd))
22442 set_pgd(pgd, *pgd_ref);
22443 @@ -128,7 +139,10 @@ void sync_global_pgds(unsigned long star
22444 BUG_ON(pgd_page_vaddr(*pgd)
22445 != pgd_page_vaddr(*pgd_ref));
22446
22447 +#ifndef CONFIG_PAX_PER_CPU_PGD
22448 spin_unlock(pgt_lock);
22449 +#endif
22450 +
22451 }
22452 spin_unlock(&pgd_lock);
22453 }
22454 @@ -202,7 +216,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22455 pmd = fill_pmd(pud, vaddr);
22456 pte = fill_pte(pmd, vaddr);
22457
22458 + pax_open_kernel();
22459 set_pte(pte, new_pte);
22460 + pax_close_kernel();
22461
22462 /*
22463 * It's enough to flush this one mapping.
22464 @@ -261,14 +277,12 @@ static void __init __init_extra_mapping(
22465 pgd = pgd_offset_k((unsigned long)__va(phys));
22466 if (pgd_none(*pgd)) {
22467 pud = (pud_t *) spp_getpage();
22468 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22469 - _PAGE_USER));
22470 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22471 }
22472 pud = pud_offset(pgd, (unsigned long)__va(phys));
22473 if (pud_none(*pud)) {
22474 pmd = (pmd_t *) spp_getpage();
22475 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22476 - _PAGE_USER));
22477 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22478 }
22479 pmd = pmd_offset(pud, phys);
22480 BUG_ON(!pmd_none(*pmd));
22481 @@ -698,6 +712,12 @@ void __init mem_init(void)
22482
22483 pci_iommu_alloc();
22484
22485 +#ifdef CONFIG_PAX_PER_CPU_PGD
22486 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22487 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22488 + KERNEL_PGD_PTRS);
22489 +#endif
22490 +
22491 /* clear_bss() already clear the empty_zero_page */
22492
22493 reservedpages = 0;
22494 @@ -858,8 +878,8 @@ int kern_addr_valid(unsigned long addr)
22495 static struct vm_area_struct gate_vma = {
22496 .vm_start = VSYSCALL_START,
22497 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22498 - .vm_page_prot = PAGE_READONLY_EXEC,
22499 - .vm_flags = VM_READ | VM_EXEC
22500 + .vm_page_prot = PAGE_READONLY,
22501 + .vm_flags = VM_READ
22502 };
22503
22504 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
22505 @@ -893,7 +913,7 @@ int in_gate_area_no_mm(unsigned long add
22506
22507 const char *arch_vma_name(struct vm_area_struct *vma)
22508 {
22509 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22510 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22511 return "[vdso]";
22512 if (vma == &gate_vma)
22513 return "[vsyscall]";
22514 diff -urNp linux-2.6.39.2/arch/x86/mm/init.c linux-2.6.39.2/arch/x86/mm/init.c
22515 --- linux-2.6.39.2/arch/x86/mm/init.c 2011-05-19 00:06:34.000000000 -0400
22516 +++ linux-2.6.39.2/arch/x86/mm/init.c 2011-06-07 19:41:11.000000000 -0400
22517 @@ -33,7 +33,7 @@ int direct_gbpages
22518 static void __init find_early_table_space(unsigned long end, int use_pse,
22519 int use_gbpages)
22520 {
22521 - unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
22522 + unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
22523 phys_addr_t base;
22524
22525 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
22526 @@ -315,12 +315,34 @@ unsigned long __init_refok init_memory_m
22527 */
22528 int devmem_is_allowed(unsigned long pagenr)
22529 {
22530 - if (pagenr <= 256)
22531 +#ifdef CONFIG_GRKERNSEC_KMEM
22532 + /* allow BDA */
22533 + if (!pagenr)
22534 + return 1;
22535 + /* allow EBDA */
22536 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22537 + return 1;
22538 +#else
22539 + if (!pagenr)
22540 + return 1;
22541 +#ifdef CONFIG_VM86
22542 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
22543 + return 1;
22544 +#endif
22545 +#endif
22546 +
22547 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22548 return 1;
22549 +#ifdef CONFIG_GRKERNSEC_KMEM
22550 + /* throw out everything else below 1MB */
22551 + if (pagenr <= 256)
22552 + return 0;
22553 +#endif
22554 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22555 return 0;
22556 if (!page_is_ram(pagenr))
22557 return 1;
22558 +
22559 return 0;
22560 }
22561
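Review bot: Under CONFIG_GRKERNSEC_KMEM the added `if (pagenr <= 256) return 0;` is commented "throw out everything else below 1MB", but page 256 is the page at 0x100000, i.e. the first page at 1MB rather than below it. `if (pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))` would match the comment and drop the literal, assuming ISA_END_ADDRESS is the 1MB boundary as its use two lines earlier suggests. The EBDA exception allows exactly one hard-coded page, `0x9f000 >> PAGE_SHIFT`; firmware can place the EBDA elsewhere or make it larger, so a comment stating that only the conventional last page below 640K is exposed would help whoever debugs a tool that reads it through /dev/mem. `if (!pagenr) return 1;` appears in both preprocessor branches and can be hoisted above the `#ifdef`.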
22562 @@ -375,6 +397,86 @@ void free_init_pages(char *what, unsigne
22563
22564 void free_initmem(void)
22565 {
22566 +
22567 +#ifdef CONFIG_PAX_KERNEXEC
22568 +#ifdef CONFIG_X86_32
22569 + /* PaX: limit KERNEL_CS to actual size */
22570 + unsigned long addr, limit;
22571 + struct desc_struct d;
22572 + int cpu;
22573 +
22574 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22575 + limit = (limit - 1UL) >> PAGE_SHIFT;
22576 +
22577 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22578 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22579 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22580 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22581 + }
22582 +
22583 + /* PaX: make KERNEL_CS read-only */
22584 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22585 + if (!paravirt_enabled())
22586 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22587 +/*
22588 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22589 + pgd = pgd_offset_k(addr);
22590 + pud = pud_offset(pgd, addr);
22591 + pmd = pmd_offset(pud, addr);
22592 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22593 + }
22594 +*/
22595 +#ifdef CONFIG_X86_PAE
22596 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22597 +/*
22598 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22599 + pgd = pgd_offset_k(addr);
22600 + pud = pud_offset(pgd, addr);
22601 + pmd = pmd_offset(pud, addr);
22602 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22603 + }
22604 +*/
22605 +#endif
22606 +
22607 +#ifdef CONFIG_MODULES
22608 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22609 +#endif
22610 +
22611 +#else
22612 + pgd_t *pgd;
22613 + pud_t *pud;
22614 + pmd_t *pmd;
22615 + unsigned long addr, end;
22616 +
22617 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22618 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22619 + pgd = pgd_offset_k(addr);
22620 + pud = pud_offset(pgd, addr);
22621 + pmd = pmd_offset(pud, addr);
22622 + if (!pmd_present(*pmd))
22623 + continue;
22624 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22625 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22626 + else
22627 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22628 + }
22629 +
22630 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22631 + end = addr + KERNEL_IMAGE_SIZE;
22632 + for (; addr < end; addr += PMD_SIZE) {
22633 + pgd = pgd_offset_k(addr);
22634 + pud = pud_offset(pgd, addr);
22635 + pmd = pmd_offset(pud, addr);
22636 + if (!pmd_present(*pmd))
22637 + continue;
22638 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22639 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22640 + }
22641 +#endif
22642 +
22643 + flush_tlb_all();
22644 +#endif
22645 +
22646 free_init_pages("unused kernel memory",
22647 (unsigned long)(&__init_begin),
22648 (unsigned long)(&__init_end));
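Review bot: On X86_32 the read-only step is skipped when `paravirt_enabled()` is true (`if (!paravirt_enabled()) set_memory_ro(...)`), and in the same case the KERNEL_CS limit is taken from `ktva_ktla(0xffffffff)` instead of `_etext`, so the comments "limit KERNEL_CS to actual size" and "make KERNEL_CS read-only" do not hold for paravirt guests and the hunk does not say why. If that is intended, record it: `/* paravirt: KERNEL_CS is not limited and text is left writable here, KERNEXEC coverage is reduced */`. The two commented-out `set_pmd` loops should be deleted rather than shipped. The descriptor arguments `0x9B, 0xC` would read better as named values, and the first argument of `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` appears to be an integer expression and should carry an explicit `(void *)` cast. free_initmem continues past the end of the hunk.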
22649 diff -urNp linux-2.6.39.2/arch/x86/mm/iomap_32.c linux-2.6.39.2/arch/x86/mm/iomap_32.c
22650 --- linux-2.6.39.2/arch/x86/mm/iomap_32.c 2011-05-19 00:06:34.000000000 -0400
22651 +++ linux-2.6.39.2/arch/x86/mm/iomap_32.c 2011-05-22 19:36:30.000000000 -0400
22652 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22653 type = kmap_atomic_idx_push();
22654 idx = type + KM_TYPE_NR * smp_processor_id();
22655 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22656 +
22657 + pax_open_kernel();
22658 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22659 + pax_close_kernel();
22660 +
22661 arch_flush_lazy_mmu_mode();
22662
22663 return (void *)vaddr;
22664 diff -urNp linux-2.6.39.2/arch/x86/mm/ioremap.c linux-2.6.39.2/arch/x86/mm/ioremap.c
22665 --- linux-2.6.39.2/arch/x86/mm/ioremap.c 2011-05-19 00:06:34.000000000 -0400
22666 +++ linux-2.6.39.2/arch/x86/mm/ioremap.c 2011-05-22 19:36:30.000000000 -0400
22667 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
22668 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
22669 int is_ram = page_is_ram(pfn);
22670
22671 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22672 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22673 return NULL;
22674 WARN_ON_ONCE(is_ram);
22675 }
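Review bot: The literal `0x100` in `pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))` has no comment; with 4K pages it is the page frame at 1MB, so the new condition refuses to ioremap any valid RAM page at or above 1MB even when it is marked reserved, and keeps the old reserved-page exception only below that. State this in a comment, e.g. `/* RAM at or above 1MB is never ioremapped; below 1MB only reserved pages are */`, and spell the bound as `(ISA_END_ADDRESS >> PAGE_SHIFT)`, which the devmem_is_allowed hunk in init.c already uses. Callers that relied on remapping reserved RAM above 1MB will now get NULL, which is worth a line in the changelog. The loop belongs to __ioremap_caller, which starts and ends outside the hunk.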
22676 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
22677 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22678
22679 static __initdata int after_paging_init;
22680 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22681 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22682
22683 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22684 {
22685 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
22686 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22687
22688 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22689 - memset(bm_pte, 0, sizeof(bm_pte));
22690 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22691 + pmd_populate_user(&init_mm, pmd, bm_pte);
22692
22693 /*
22694 * The boot-ioremap range spans multiple pmds, for which
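Review bot: `pmd_populate_user(&init_mm, pmd, bm_pte)` installs the boot-time fixmap page table into `init_mm`, a kernel mapping, through a helper whose name says user. Its definition is not in this hunk, so whether it sets the user bit on the pmd entry should be confirmed and the reason for choosing it recorded in a comment above the call. The dropped `memset(bm_pte, 0, sizeof(bm_pte))` fits with `bm_pte` becoming `__read_only` in the previous hunk and relies on static zero-initialisation; `/* bm_pte is statically zeroed and __read_only, so no memset here */` would keep someone from re-adding the write. early_ioremap_init continues outside the hunk.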
22695 diff -urNp linux-2.6.39.2/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.39.2/arch/x86/mm/kmemcheck/kmemcheck.c
22696 --- linux-2.6.39.2/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-19 00:06:34.000000000 -0400
22697 +++ linux-2.6.39.2/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-22 19:36:30.000000000 -0400
22698 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22699 * memory (e.g. tracked pages)? For now, we need this to avoid
22700 * invoking kmemcheck for PnP BIOS calls.
22701 */
22702 - if (regs->flags & X86_VM_MASK)
22703 + if (v8086_mode(regs))
22704 return false;
22705 - if (regs->cs != __KERNEL_CS)
22706 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22707 return false;
22708
22709 pte = kmemcheck_pte_lookup(address);
22710 diff -urNp linux-2.6.39.2/arch/x86/mm/mmap.c linux-2.6.39.2/arch/x86/mm/mmap.c
22711 --- linux-2.6.39.2/arch/x86/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
22712 +++ linux-2.6.39.2/arch/x86/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
22713 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22714 * Leave an at least ~128 MB hole with possible stack randomization.
22715 */
22716 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22717 -#define MAX_GAP (TASK_SIZE/6*5)
22718 +#define MAX_GAP (pax_task_size/6*5)
22719
22720 /*
22721 * True on X86_32 or when emulating IA32 on X86_64
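Review bot: `MAX_GAP` now expands to `(pax_task_size/6*5)` and so only compiles where a local named `pax_task_size` happens to be in scope; the next hunk adds that local to `mmap_base()`, but nothing at the macro shows the dependency. Passing the value explicitly is clearer: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site.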
22722 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22723 return rnd << PAGE_SHIFT;
22724 }
22725
22726 -static unsigned long mmap_base(void)
22727 +static unsigned long mmap_base(struct mm_struct *mm)
22728 {
22729 unsigned long gap = rlimit(RLIMIT_STACK);
22730 + unsigned long pax_task_size = TASK_SIZE;
22731 +
22732 +#ifdef CONFIG_PAX_SEGMEXEC
22733 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22734 + pax_task_size = SEGMEXEC_TASK_SIZE;
22735 +#endif
22736
22737 if (gap < MIN_GAP)
22738 gap = MIN_GAP;
22739 else if (gap > MAX_GAP)
22740 gap = MAX_GAP;
22741
22742 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22743 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22744 }
22745
22746 /*
22747 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22748 * does, but not when emulating X86_32
22749 */
22750 -static unsigned long mmap_legacy_base(void)
22751 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22752 {
22753 - if (mmap_is_ia32())
22754 + if (mmap_is_ia32()) {
22755 +
22756 +#ifdef CONFIG_PAX_SEGMEXEC
22757 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22758 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22759 + else
22760 +#endif
22761 +
22762 return TASK_UNMAPPED_BASE;
22763 - else
22764 + } else
22765 return TASK_UNMAPPED_BASE + mmap_rnd();
22766 }
22767
22768 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22769 void arch_pick_mmap_layout(struct mm_struct *mm)
22770 {
22771 if (mmap_is_legacy()) {
22772 - mm->mmap_base = mmap_legacy_base();
22773 + mm->mmap_base = mmap_legacy_base(mm);
22774 +
22775 +#ifdef CONFIG_PAX_RANDMMAP
22776 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22777 + mm->mmap_base += mm->delta_mmap;
22778 +#endif
22779 +
22780 mm->get_unmapped_area = arch_get_unmapped_area;
22781 mm->unmap_area = arch_unmap_area;
22782 } else {
22783 - mm->mmap_base = mmap_base();
22784 + mm->mmap_base = mmap_base(mm);
22785 +
22786 +#ifdef CONFIG_PAX_RANDMMAP
22787 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22788 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22789 +#endif
22790 +
22791 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22792 mm->unmap_area = arch_unmap_area_topdown;
22793 }
22794 diff -urNp linux-2.6.39.2/arch/x86/mm/mmio-mod.c linux-2.6.39.2/arch/x86/mm/mmio-mod.c
22795 --- linux-2.6.39.2/arch/x86/mm/mmio-mod.c 2011-05-19 00:06:34.000000000 -0400
22796 +++ linux-2.6.39.2/arch/x86/mm/mmio-mod.c 2011-05-22 19:36:30.000000000 -0400
22797 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
22798 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22799 void __iomem *addr)
22800 {
22801 - static atomic_t next_id;
22802 + static atomic_unchecked_t next_id;
22803 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22804 /* These are page-unaligned. */
22805 struct mmiotrace_map map = {
22806 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
22807 .private = trace
22808 },
22809 .phys = offset,
22810 - .id = atomic_inc_return(&next_id)
22811 + .id = atomic_inc_return_unchecked(&next_id)
22812 };
22813 map.map_id = trace->id;
22814
22815 diff -urNp linux-2.6.39.2/arch/x86/mm/numa_32.c linux-2.6.39.2/arch/x86/mm/numa_32.c
22816 --- linux-2.6.39.2/arch/x86/mm/numa_32.c 2011-05-19 00:06:34.000000000 -0400
22817 +++ linux-2.6.39.2/arch/x86/mm/numa_32.c 2011-05-22 19:36:30.000000000 -0400
22818 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
22819 }
22820 #endif
22821
22822 -extern unsigned long find_max_low_pfn(void);
22823 extern unsigned long highend_pfn, highstart_pfn;
22824
22825 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22826 diff -urNp linux-2.6.39.2/arch/x86/mm/pageattr.c linux-2.6.39.2/arch/x86/mm/pageattr.c
22827 --- linux-2.6.39.2/arch/x86/mm/pageattr.c 2011-05-19 00:06:34.000000000 -0400
22828 +++ linux-2.6.39.2/arch/x86/mm/pageattr.c 2011-05-22 19:36:30.000000000 -0400
22829 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
22830 */
22831 #ifdef CONFIG_PCI_BIOS
22832 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22833 - pgprot_val(forbidden) |= _PAGE_NX;
22834 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22835 #endif
22836
22837 /*
22838 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
22839 * Does not cover __inittext since that is gone later on. On
22840 * 64bit we do not enforce !NX on the low mapping
22841 */
22842 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22843 - pgprot_val(forbidden) |= _PAGE_NX;
22844 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22845 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22846
22847 +#ifdef CONFIG_DEBUG_RODATA
22848 /*
22849 * The .rodata section needs to be read-only. Using the pfn
22850 * catches all aliases.
22851 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
22852 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22853 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22854 pgprot_val(forbidden) |= _PAGE_RW;
22855 +#endif
22856
22857 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
22858 /*
22859 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
22860 }
22861 #endif
22862
22863 +#ifdef CONFIG_PAX_KERNEXEC
22864 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22865 + pgprot_val(forbidden) |= _PAGE_RW;
22866 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22867 + }
22868 +#endif
22869 +
22870 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22871
22872 return prot;
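Review bot: In the added CONFIG_PAX_KERNEXEC block, `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` compares a page frame number against byte addresses, whereas the .rodata check in the previous hunk shifts both bounds with `>> PAGE_SHIFT`. If `within()` is a plain range test, the pfn of a kernel-text page would normally fall below `__pa(&_text)`, so the RW/NX restriction would not reach the pages it is meant to cover. The bounds should probably read `__pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT`. `static_protections()` starts before this hunk, so the definitions of `within()` and `pfn` are not visible here and this should be confirmed against them.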
22873 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22874 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22875 {
22876 /* change init_mm */
22877 + pax_open_kernel();
22878 set_pte_atomic(kpte, pte);
22879 +
22880 #ifdef CONFIG_X86_32
22881 if (!SHARED_KERNEL_PMD) {
22882 +
22883 +#ifdef CONFIG_PAX_PER_CPU_PGD
22884 + unsigned long cpu;
22885 +#else
22886 struct page *page;
22887 +#endif
22888
22889 +#ifdef CONFIG_PAX_PER_CPU_PGD
22890 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22891 + pgd_t *pgd = get_cpu_pgd(cpu);
22892 +#else
22893 list_for_each_entry(page, &pgd_list, lru) {
22894 - pgd_t *pgd;
22895 + pgd_t *pgd = (pgd_t *)page_address(page);
22896 +#endif
22897 +
22898 pud_t *pud;
22899 pmd_t *pmd;
22900
22901 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22902 + pgd += pgd_index(address);
22903 pud = pud_offset(pgd, address);
22904 pmd = pmd_offset(pud, address);
22905 set_pte_atomic((pte_t *)pmd, pte);
22906 }
22907 }
22908 #endif
22909 + pax_close_kernel();
22910 }
22911
22912 static int
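Review bot: The added `#ifdef CONFIG_PAX_PER_CPU_PGD` / `#else` pairs in `__set_pmd_pte()` select between two different loop headers (`for (cpu = 0; ...) {` and `list_for_each_entry(...) {`) that share one body and one closing brace, which is easy to break when either branch is edited. I would at least comment the shared brace, e.g. `} /* closes the per-cpu for loop or the list_for_each_entry above */`, or move the pmd update into a small helper taking `pgd_t *pgd` that each branch calls. The per-CPU branch also walks all `NR_CPUS` slots rather than only CPUs that exist; whether `get_cpu_pgd()` is valid for every index is not visible here and should be confirmed.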
22913 diff -urNp linux-2.6.39.2/arch/x86/mm/pageattr-test.c linux-2.6.39.2/arch/x86/mm/pageattr-test.c
22914 --- linux-2.6.39.2/arch/x86/mm/pageattr-test.c 2011-05-19 00:06:34.000000000 -0400
22915 +++ linux-2.6.39.2/arch/x86/mm/pageattr-test.c 2011-05-22 19:36:30.000000000 -0400
22916 @@ -36,7 +36,7 @@ enum {
22917
22918 static int pte_testbit(pte_t pte)
22919 {
22920 - return pte_flags(pte) & _PAGE_UNUSED1;
22921 + return pte_flags(pte) & _PAGE_CPA_TEST;
22922 }
22923
22924 struct split_state {
22925 diff -urNp linux-2.6.39.2/arch/x86/mm/pat.c linux-2.6.39.2/arch/x86/mm/pat.c
22926 --- linux-2.6.39.2/arch/x86/mm/pat.c 2011-05-19 00:06:34.000000000 -0400
22927 +++ linux-2.6.39.2/arch/x86/mm/pat.c 2011-05-22 19:36:30.000000000 -0400
22928 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
22929
22930 if (!entry) {
22931 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
22932 - current->comm, current->pid, start, end);
22933 + current->comm, task_pid_nr(current), start, end);
22934 return -EINVAL;
22935 }
22936
22937 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
22938 while (cursor < to) {
22939 if (!devmem_is_allowed(pfn)) {
22940 printk(KERN_INFO
22941 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
22942 - current->comm, from, to);
22943 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
22944 + current->comm, from, to, cursor);
22945 return 0;
22946 }
22947 cursor += PAGE_SIZE;
22948 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
22949 printk(KERN_INFO
22950 "%s:%d ioremap_change_attr failed %s "
22951 "for %Lx-%Lx\n",
22952 - current->comm, current->pid,
22953 + current->comm, task_pid_nr(current),
22954 cattr_name(flags),
22955 base, (unsigned long long)(base + size));
22956 return -EINVAL;
22957 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
22958 if (want_flags != flags) {
22959 printk(KERN_WARNING
22960 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
22961 - current->comm, current->pid,
22962 + current->comm, task_pid_nr(current),
22963 cattr_name(want_flags),
22964 (unsigned long long)paddr,
22965 (unsigned long long)(paddr + size),
22966 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
22967 free_memtype(paddr, paddr + size);
22968 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
22969 " for %Lx-%Lx, got %s\n",
22970 - current->comm, current->pid,
22971 + current->comm, task_pid_nr(current),
22972 cattr_name(want_flags),
22973 (unsigned long long)paddr,
22974 (unsigned long long)(paddr + size),
22975 diff -urNp linux-2.6.39.2/arch/x86/mm/pgtable_32.c linux-2.6.39.2/arch/x86/mm/pgtable_32.c
22976 --- linux-2.6.39.2/arch/x86/mm/pgtable_32.c 2011-05-19 00:06:34.000000000 -0400
22977 +++ linux-2.6.39.2/arch/x86/mm/pgtable_32.c 2011-05-22 19:36:30.000000000 -0400
22978 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
22979 return;
22980 }
22981 pte = pte_offset_kernel(pmd, vaddr);
22982 +
22983 + pax_open_kernel();
22984 if (pte_val(pteval))
22985 set_pte_at(&init_mm, vaddr, pte, pteval);
22986 else
22987 pte_clear(&init_mm, vaddr, pte);
22988 + pax_close_kernel();
22989
22990 /*
22991 * It's enough to flush this one mapping.
22992 diff -urNp linux-2.6.39.2/arch/x86/mm/pgtable.c linux-2.6.39.2/arch/x86/mm/pgtable.c
22993 --- linux-2.6.39.2/arch/x86/mm/pgtable.c 2011-05-19 00:06:34.000000000 -0400
22994 +++ linux-2.6.39.2/arch/x86/mm/pgtable.c 2011-05-22 19:36:30.000000000 -0400
22995 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
22996 list_del(&page->lru);
22997 }
22998
22999 -#define UNSHARED_PTRS_PER_PGD \
23000 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23001 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23002 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
23003
23004 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23005 +{
23006 + while (count--)
23007 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
23008 +}
23009 +#endif
23010 +
23011 +#ifdef CONFIG_PAX_PER_CPU_PGD
23012 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23013 +{
23014 + while (count--)
23015 +
23016 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23017 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
23018 +#else
23019 + *dst++ = *src++;
23020 +#endif
23021
23022 +}
23023 +#endif
23024 +
23025 +#ifdef CONFIG_X86_64
23026 +#define pxd_t pud_t
23027 +#define pyd_t pgd_t
23028 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
23029 +#define pxd_free(mm, pud) pud_free((mm), (pud))
23030 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
23031 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
23032 +#define PYD_SIZE PGDIR_SIZE
23033 +#else
23034 +#define pxd_t pmd_t
23035 +#define pyd_t pud_t
23036 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
23037 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
23038 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
23039 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
23040 +#define PYD_SIZE PUD_SIZE
23041 +#endif
23042 +
23043 +#ifdef CONFIG_PAX_PER_CPU_PGD
23044 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
23045 +static inline void pgd_dtor(pgd_t *pgd) {}
23046 +#else
23047 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
23048 {
23049 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
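Review bot: In `__clone_user_pgds()` the body of `while (count--)` is chosen by the `#if`/`#else` that follows it, with no braces and a blank line in between, so a statement later inserted before the `#if` would silently become the loop body. Braces make the extent explicit: `while (count-- > 0) {` ... `}`. Both this function and `__shadow_user_pgds()` take a signed `int count`, and with `while (count--)` a negative value would keep storing through `dst` far beyond the intended range; `count-- > 0` or an unsigned parameter removes that case. The callers are outside this hunk, so whether a negative count can actually occur cannot be judged here.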
23050 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
23051 pgd_list_del(pgd);
23052 spin_unlock(&pgd_lock);
23053 }
23054 +#endif
23055
23056 /*
23057 * List of all pgd's needed for non-PAE so it can invalidate entries
23058 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
23059 * -- wli
23060 */
23061
23062 -#ifdef CONFIG_X86_PAE
23063 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23064 /*
23065 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
23066 * updating the top-level pagetable entries to guarantee the
23067 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
23068 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
23069 * and initialize the kernel pmds here.
23070 */
23071 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
23072 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23073
23074 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
23075 {
23076 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
23077 */
23078 flush_tlb_mm(mm);
23079 }
23080 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
23081 +#define PREALLOCATED_PXDS USER_PGD_PTRS
23082 #else /* !CONFIG_X86_PAE */
23083
23084 /* No need to prepopulate any pagetable entries in non-PAE modes. */
23085 -#define PREALLOCATED_PMDS 0
23086 +#define PREALLOCATED_PXDS 0
23087
23088 #endif /* CONFIG_X86_PAE */
23089
23090 -static void free_pmds(pmd_t *pmds[])
23091 +static void free_pxds(pxd_t *pxds[])
23092 {
23093 int i;
23094
23095 - for(i = 0; i < PREALLOCATED_PMDS; i++)
23096 - if (pmds[i])
23097 - free_page((unsigned long)pmds[i]);
23098 + for(i = 0; i < PREALLOCATED_PXDS; i++)
23099 + if (pxds[i])
23100 + free_page((unsigned long)pxds[i]);
23101 }
23102
23103 -static int preallocate_pmds(pmd_t *pmds[])
23104 +static int preallocate_pxds(pxd_t *pxds[])
23105 {
23106 int i;
23107 bool failed = false;
23108
23109 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23110 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
23111 - if (pmd == NULL)
23112 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23113 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
23114 + if (pxd == NULL)
23115 failed = true;
23116 - pmds[i] = pmd;
23117 + pxds[i] = pxd;
23118 }
23119
23120 if (failed) {
23121 - free_pmds(pmds);
23122 + free_pxds(pxds);
23123 return -ENOMEM;
23124 }
23125
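Review bot: After the new `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch, the trailing comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe the conditional they belong to, whose opening test was changed earlier in this file's diff to `defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)`. I would update them, e.g. `#else /* neither 32-bit PAE nor 64-bit per-CPU PGD */` and `#endif /* PREALLOCATED_PXDS */`. The comment `/* No need to prepopulate any pagetable entries in non-PAE modes. */` is stale for the same reason. `preallocate_pxds()` continues outside this hunk.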
23126 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
23127 * preallocate which never got a corresponding vma will need to be
23128 * freed manually.
23129 */
23130 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
23131 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
23132 {
23133 int i;
23134
23135 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23136 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23137 pgd_t pgd = pgdp[i];
23138
23139 if (pgd_val(pgd) != 0) {
23140 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
23141 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
23142
23143 - pgdp[i] = native_make_pgd(0);
23144 + set_pgd(pgdp + i, native_make_pgd(0));
23145
23146 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
23147 - pmd_free(mm, pmd);
23148 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
23149 + pxd_free(mm, pxd);
23150 }
23151 }
23152 }
23153
23154 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
23155 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
23156 {
23157 - pud_t *pud;
23158 + pyd_t *pyd;
23159 unsigned long addr;
23160 int i;
23161
23162 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
23163 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
23164 return;
23165
23166 - pud = pud_offset(pgd, 0);
23167 +#ifdef CONFIG_X86_64
23168 + pyd = pyd_offset(mm, 0L);
23169 +#else
23170 + pyd = pyd_offset(pgd, 0L);
23171 +#endif
23172
23173 - for (addr = i = 0; i < PREALLOCATED_PMDS;
23174 - i++, pud++, addr += PUD_SIZE) {
23175 - pmd_t *pmd = pmds[i];
23176 + for (addr = i = 0; i < PREALLOCATED_PXDS;
23177 + i++, pyd++, addr += PYD_SIZE) {
23178 + pxd_t *pxd = pxds[i];
23179
23180 if (i >= KERNEL_PGD_BOUNDARY)
23181 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23182 - sizeof(pmd_t) * PTRS_PER_PMD);
23183 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23184 + sizeof(pxd_t) * PTRS_PER_PMD);
23185
23186 - pud_populate(mm, pud, pmd);
23187 + pyd_populate(mm, pyd, pxd);
23188 }
23189 }
23190
23191 pgd_t *pgd_alloc(struct mm_struct *mm)
23192 {
23193 pgd_t *pgd;
23194 - pmd_t *pmds[PREALLOCATED_PMDS];
23195 + pxd_t *pxds[PREALLOCATED_PXDS];
23196
23197 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
23198
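Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in `pgd_alloc()` is an on-stack array whose size now follows `USER_PGD_PTRS` in the 64-bit per-CPU-PGD configuration (defined in the previous hunk), where it was previously `UNSHARED_PTRS_PER_PGD` under PAE and 0 otherwise. The value of `USER_PGD_PTRS` is not visible here; if it is in the hundreds, this is a multi-kilobyte pointer array on a kernel stack and would be better allocated dynamically or bounded with a `BUILD_BUG_ON`. Separately, `pgd_prepopulate_pxd()` still sizes its `memcpy` with `sizeof(pxd_t) * PTRS_PER_PMD` although `pxd_t` can now be `pud_t`; a `PTRS_PER_PXD` alias next to the other `pxd`/`pyd` macros would keep the two in step. `pgd_alloc()` continues outside this hunk.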
23199 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23200
23201 mm->pgd = pgd;
23202
23203 - if (preallocate_pmds(pmds) != 0)
23204 + if (preallocate_pxds(pxds) != 0)
23205 goto out_free_pgd;
23206
23207 if (paravirt_pgd_alloc(mm) != 0)
23208 - goto out_free_pmds;
23209 + goto out_free_pxds;
23210
23211 /*
23212 * Make sure that pre-populating the pmds is atomic with
23213 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23214 spin_lock(&pgd_lock);
23215
23216 pgd_ctor(mm, pgd);
23217 - pgd_prepopulate_pmd(mm, pgd, pmds);
23218 + pgd_prepopulate_pxd(mm, pgd, pxds);
23219
23220 spin_unlock(&pgd_lock);
23221
23222 return pgd;
23223
23224 -out_free_pmds:
23225 - free_pmds(pmds);
23226 +out_free_pxds:
23227 + free_pxds(pxds);
23228 out_free_pgd:
23229 free_page((unsigned long)pgd);
23230 out:
23231 @@ -295,7 +344,7 @@ out:
23232
23233 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
23234 {
23235 - pgd_mop_up_pmds(mm, pgd);
23236 + pgd_mop_up_pxds(mm, pgd);
23237 pgd_dtor(pgd);
23238 paravirt_pgd_free(mm, pgd);
23239 free_page((unsigned long)pgd);
23240 diff -urNp linux-2.6.39.2/arch/x86/mm/setup_nx.c linux-2.6.39.2/arch/x86/mm/setup_nx.c
23241 --- linux-2.6.39.2/arch/x86/mm/setup_nx.c 2011-05-19 00:06:34.000000000 -0400
23242 +++ linux-2.6.39.2/arch/x86/mm/setup_nx.c 2011-05-22 19:36:30.000000000 -0400
23243 @@ -5,8 +5,10 @@
23244 #include <asm/pgtable.h>
23245 #include <asm/proto.h>
23246
23247 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23248 static int disable_nx __cpuinitdata;
23249
23250 +#ifndef CONFIG_PAX_PAGEEXEC
23251 /*
23252 * noexec = on|off
23253 *
23254 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
23255 return 0;
23256 }
23257 early_param("noexec", noexec_setup);
23258 +#endif
23259 +
23260 +#endif
23261
23262 void __cpuinit x86_configure_nx(void)
23263 {
23264 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23265 if (cpu_has_nx && !disable_nx)
23266 __supported_pte_mask |= _PAGE_NX;
23267 else
23268 +#endif
23269 __supported_pte_mask &= ~_PAGE_NX;
23270 }
23271
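Review bot: In `x86_configure_nx()` the `else` now sits inside the `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` region while the statement it governs, `__supported_pte_mask &= ~_PAGE_NX;`, sits outside it, so the function has a different shape in each configuration. The behaviour looks right in both cases (NX is cleared when the block is compiled out), but braces and an early return are harder to misread: `if (cpu_has_nx && !disable_nx) { __supported_pte_mask |= _PAGE_NX; return; }` inside the `#if`, followed by the unconditional clear. Separately, with CONFIG_PAX_PAGEEXEC the `noexec=` handler in the previous hunk is compiled out, so that boot parameter is presumably ignored without any message; a short comment at the `#ifndef` stating that this is intentional would help.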
23272 diff -urNp linux-2.6.39.2/arch/x86/mm/tlb.c linux-2.6.39.2/arch/x86/mm/tlb.c
23273 --- linux-2.6.39.2/arch/x86/mm/tlb.c 2011-05-19 00:06:34.000000000 -0400
23274 +++ linux-2.6.39.2/arch/x86/mm/tlb.c 2011-05-22 19:36:30.000000000 -0400
23275 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
23276 BUG();
23277 cpumask_clear_cpu(cpu,
23278 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23279 +
23280 +#ifndef CONFIG_PAX_PER_CPU_PGD
23281 load_cr3(swapper_pg_dir);
23282 +#endif
23283 +
23284 }
23285 EXPORT_SYMBOL_GPL(leave_mm);
23286
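Review bot: `leave_mm()` no longer executes `load_cr3(swapper_pg_dir)` when CONFIG_PAX_PER_CPU_PGD is set, and nothing in the hunk says what takes its place. If the per-CPU page directory still holds entries copied from the mm being left (compare `__clone_user_pgds()` in arch/x86/mm/pgtable.c), the CPU could keep references to that mm's page tables after this point; whether they are cleared elsewhere is not visible here. A comment at the `#ifndef` should state the invariant that makes skipping the reload safe, namely that cr3 never points at the mm's own pgd in this configuration, and name the place where the cloned user entries are dropped. `leave_mm()` starts before this hunk.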
23287 diff -urNp linux-2.6.39.2/arch/x86/oprofile/backtrace.c linux-2.6.39.2/arch/x86/oprofile/backtrace.c
23288 --- linux-2.6.39.2/arch/x86/oprofile/backtrace.c 2011-05-19 00:06:34.000000000 -0400
23289 +++ linux-2.6.39.2/arch/x86/oprofile/backtrace.c 2011-05-22 19:36:30.000000000 -0400
23290 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
23291 struct stack_frame_ia32 *fp;
23292
23293 /* Also check accessibility of one struct frame_head beyond */
23294 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23295 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23296 return NULL;
23297 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23298 return NULL;
23299 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
23300 {
23301 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
23302
23303 - if (!user_mode_vm(regs)) {
23304 + if (!user_mode(regs)) {
23305 unsigned long stack = kernel_stack_pointer(regs);
23306 if (depth)
23307 dump_trace(NULL, regs, (unsigned long *)stack, 0,
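Review bot: `x86_backtrace()` now tests `user_mode(regs)` instead of `user_mode_vm(regs)`, and the hunk gives no reason. In mainline kernels of this series `user_mode()` on 32-bit does not account for VM86 mode, so unless this patch redefines it elsewhere, a sample taken in vm86 could be classified as a kernel-mode frame and walked with `dump_trace()`; this should be confirmed against the patched ptrace header, which is not shown here. The first hunk of this file likewise replaces `access_ok()` with `__access_ok()` without comment. A one-line comment at each site naming the intended difference would make both substitutions reviewable. Both functions extend beyond their hunks.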
23308 diff -urNp linux-2.6.39.2/arch/x86/pci/ce4100.c linux-2.6.39.2/arch/x86/pci/ce4100.c
23309 --- linux-2.6.39.2/arch/x86/pci/ce4100.c 2011-05-19 00:06:34.000000000 -0400
23310 +++ linux-2.6.39.2/arch/x86/pci/ce4100.c 2011-05-22 19:36:30.000000000 -0400
23311 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
23312 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
23313 }
23314
23315 -struct pci_raw_ops ce4100_pci_conf = {
23316 +const struct pci_raw_ops ce4100_pci_conf = {
23317 .read = ce4100_conf_read,
23318 .write = ce4100_conf_write,
23319 };
23320 diff -urNp linux-2.6.39.2/arch/x86/pci/common.c linux-2.6.39.2/arch/x86/pci/common.c
23321 --- linux-2.6.39.2/arch/x86/pci/common.c 2011-05-19 00:06:34.000000000 -0400
23322 +++ linux-2.6.39.2/arch/x86/pci/common.c 2011-05-22 19:36:30.000000000 -0400
23323 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
23324 int pcibios_last_bus = -1;
23325 unsigned long pirq_table_addr;
23326 struct pci_bus *pci_root_bus;
23327 -struct pci_raw_ops *raw_pci_ops;
23328 -struct pci_raw_ops *raw_pci_ext_ops;
23329 +const struct pci_raw_ops *raw_pci_ops;
23330 +const struct pci_raw_ops *raw_pci_ext_ops;
23331
23332 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23333 int reg, int len, u32 *val)
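Review bot: `raw_pci_ops` and `raw_pci_ext_ops` become pointers to const, which protects the ops tables, but the two pointer variables themselves remain ordinary writable globals. If they are only assigned during initialisation (the assignments are not in this hunk), they could also be declared `const struct pci_raw_ops *raw_pci_ops __read_only;`, using the `__read_only` annotation this patch applies to `pci_indirect` in arch/x86/pci/pcbios.c. Otherwise a short comment noting that they are reassigned at run time would explain why they are left writable.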
23334 diff -urNp linux-2.6.39.2/arch/x86/pci/direct.c linux-2.6.39.2/arch/x86/pci/direct.c
23335 --- linux-2.6.39.2/arch/x86/pci/direct.c 2011-05-19 00:06:34.000000000 -0400
23336 +++ linux-2.6.39.2/arch/x86/pci/direct.c 2011-05-22 19:36:30.000000000 -0400
23337 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23338
23339 #undef PCI_CONF1_ADDRESS
23340
23341 -struct pci_raw_ops pci_direct_conf1 = {
23342 +const struct pci_raw_ops pci_direct_conf1 = {
23343 .read = pci_conf1_read,
23344 .write = pci_conf1_write,
23345 };
23346 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23347
23348 #undef PCI_CONF2_ADDRESS
23349
23350 -struct pci_raw_ops pci_direct_conf2 = {
23351 +const struct pci_raw_ops pci_direct_conf2 = {
23352 .read = pci_conf2_read,
23353 .write = pci_conf2_write,
23354 };
23355 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23356 * This should be close to trivial, but it isn't, because there are buggy
23357 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23358 */
23359 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23360 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23361 {
23362 u32 x = 0;
23363 int year, devfn;
23364 diff -urNp linux-2.6.39.2/arch/x86/pci/fixup.c linux-2.6.39.2/arch/x86/pci/fixup.c
23365 --- linux-2.6.39.2/arch/x86/pci/fixup.c 2011-05-19 00:06:34.000000000 -0400
23366 +++ linux-2.6.39.2/arch/x86/pci/fixup.c 2011-05-22 19:36:30.000000000 -0400
23367 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
23368 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
23369 },
23370 },
23371 - { }
23372 + {}
23373 };
23374
23375 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
23376 diff -urNp linux-2.6.39.2/arch/x86/pci/mmconfig_32.c linux-2.6.39.2/arch/x86/pci/mmconfig_32.c
23377 --- linux-2.6.39.2/arch/x86/pci/mmconfig_32.c 2011-05-19 00:06:34.000000000 -0400
23378 +++ linux-2.6.39.2/arch/x86/pci/mmconfig_32.c 2011-05-22 19:36:30.000000000 -0400
23379 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
23380 return 0;
23381 }
23382
23383 -static struct pci_raw_ops pci_mmcfg = {
23384 +static const struct pci_raw_ops pci_mmcfg = {
23385 .read = pci_mmcfg_read,
23386 .write = pci_mmcfg_write,
23387 };
23388 diff -urNp linux-2.6.39.2/arch/x86/pci/mmconfig_64.c linux-2.6.39.2/arch/x86/pci/mmconfig_64.c
23389 --- linux-2.6.39.2/arch/x86/pci/mmconfig_64.c 2011-05-19 00:06:34.000000000 -0400
23390 +++ linux-2.6.39.2/arch/x86/pci/mmconfig_64.c 2011-05-22 19:36:30.000000000 -0400
23391 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
23392 return 0;
23393 }
23394
23395 -static struct pci_raw_ops pci_mmcfg = {
23396 +static const struct pci_raw_ops pci_mmcfg = {
23397 .read = pci_mmcfg_read,
23398 .write = pci_mmcfg_write,
23399 };
23400 diff -urNp linux-2.6.39.2/arch/x86/pci/mrst.c linux-2.6.39.2/arch/x86/pci/mrst.c
23401 --- linux-2.6.39.2/arch/x86/pci/mrst.c 2011-05-19 00:06:34.000000000 -0400
23402 +++ linux-2.6.39.2/arch/x86/pci/mrst.c 2011-05-22 19:36:30.000000000 -0400
23403 @@ -218,7 +218,7 @@ static int mrst_pci_irq_enable(struct pc
23404 return 0;
23405 }
23406
23407 -struct pci_ops pci_mrst_ops = {
23408 +const struct pci_ops pci_mrst_ops = {
23409 .read = pci_read,
23410 .write = pci_write,
23411 };
23412 diff -urNp linux-2.6.39.2/arch/x86/pci/numaq_32.c linux-2.6.39.2/arch/x86/pci/numaq_32.c
23413 --- linux-2.6.39.2/arch/x86/pci/numaq_32.c 2011-05-19 00:06:34.000000000 -0400
23414 +++ linux-2.6.39.2/arch/x86/pci/numaq_32.c 2011-05-22 19:36:30.000000000 -0400
23415 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
23416
23417 #undef PCI_CONF1_MQ_ADDRESS
23418
23419 -static struct pci_raw_ops pci_direct_conf1_mq = {
23420 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23421 .read = pci_conf1_mq_read,
23422 .write = pci_conf1_mq_write
23423 };
23424 diff -urNp linux-2.6.39.2/arch/x86/pci/olpc.c linux-2.6.39.2/arch/x86/pci/olpc.c
23425 --- linux-2.6.39.2/arch/x86/pci/olpc.c 2011-05-19 00:06:34.000000000 -0400
23426 +++ linux-2.6.39.2/arch/x86/pci/olpc.c 2011-05-22 19:36:30.000000000 -0400
23427 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23428 return 0;
23429 }
23430
23431 -static struct pci_raw_ops pci_olpc_conf = {
23432 +static const struct pci_raw_ops pci_olpc_conf = {
23433 .read = pci_olpc_read,
23434 .write = pci_olpc_write,
23435 };
23436 diff -urNp linux-2.6.39.2/arch/x86/pci/pcbios.c linux-2.6.39.2/arch/x86/pci/pcbios.c
23437 --- linux-2.6.39.2/arch/x86/pci/pcbios.c 2011-05-19 00:06:34.000000000 -0400
23438 +++ linux-2.6.39.2/arch/x86/pci/pcbios.c 2011-05-22 19:36:30.000000000 -0400
23439 @@ -79,50 +79,93 @@ union bios32 {
23440 static struct {
23441 unsigned long address;
23442 unsigned short segment;
23443 -} bios32_indirect = { 0, __KERNEL_CS };
23444 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23445
23446 /*
23447 * Returns the entry point for the given service, NULL on error
23448 */
23449
23450 -static unsigned long bios32_service(unsigned long service)
23451 +static unsigned long __devinit bios32_service(unsigned long service)
23452 {
23453 unsigned char return_code; /* %al */
23454 unsigned long address; /* %ebx */
23455 unsigned long length; /* %ecx */
23456 unsigned long entry; /* %edx */
23457 unsigned long flags;
23458 + struct desc_struct d, *gdt;
23459
23460 local_irq_save(flags);
23461 - __asm__("lcall *(%%edi); cld"
23462 +
23463 + gdt = get_cpu_gdt_table(smp_processor_id());
23464 +
23465 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23466 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23467 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23468 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23469 +
23470 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23471 : "=a" (return_code),
23472 "=b" (address),
23473 "=c" (length),
23474 "=d" (entry)
23475 : "0" (service),
23476 "1" (0),
23477 - "D" (&bios32_indirect));
23478 + "D" (&bios32_indirect),
23479 + "r"(__PCIBIOS_DS)
23480 + : "memory");
23481 +
23482 + pax_open_kernel();
23483 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23484 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23485 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23486 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23487 + pax_close_kernel();
23488 +
23489 local_irq_restore(flags);
23490
23491 switch (return_code) {
23492 - case 0:
23493 - return address + entry;
23494 - case 0x80: /* Not present */
23495 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23496 - return 0;
23497 - default: /* Shouldn't happen */
23498 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23499 - service, return_code);
23500 + case 0: {
23501 + int cpu;
23502 + unsigned char flags;
23503 +
23504 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23505 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23506 + printk(KERN_WARNING "bios32_service: not valid\n");
23507 return 0;
23508 + }
23509 + address = address + PAGE_OFFSET;
23510 + length += 16UL; /* some BIOSs underreport this... */
23511 + flags = 4;
23512 + if (length >= 64*1024*1024) {
23513 + length >>= PAGE_SHIFT;
23514 + flags |= 8;
23515 + }
23516 +
23517 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23518 + gdt = get_cpu_gdt_table(cpu);
23519 + pack_descriptor(&d, address, length, 0x9b, flags);
23520 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23521 + pack_descriptor(&d, address, length, 0x93, flags);
23522 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23523 + }
23524 + return entry;
23525 + }
23526 + case 0x80: /* Not present */
23527 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23528 + return 0;
23529 + default: /* Shouldn't happen */
23530 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23531 + service, return_code);
23532 + return 0;
23533 }
23534 }
23535
23536 static struct {
23537 unsigned long address;
23538 unsigned short segment;
23539 -} pci_indirect = { 0, __KERNEL_CS };
23540 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23541
23542 -static int pci_bios_present;
23543 +static int pci_bios_present __read_only;
23544
23545 static int __devinit check_pcibios(void)
23546 {
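Review bot: In the `case 0:` branch of `bios32_service()`, the test `if (length >= 64*1024*1024)` cannot be true, because the preceding check already rejects `length > 0x100000 - address` and only 16 is added afterwards. If `pack_descriptor()` keeps a 20-bit limit (its definition is not visible here), the largest accepted length plus 16 would not fit that field in byte granularity, and the page-granular path that should handle it is never taken. The threshold probably wants to be the size of the limit field rather than 64 MiB; please confirm. The same branch declares `unsigned char flags;`, which shadows the outer `unsigned long flags` used for `local_irq_save()`; renaming it, for example to `desc_flags`, avoids the confusion.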
23547 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
23548 unsigned long flags, pcibios_entry;
23549
23550 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23551 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23552 + pci_indirect.address = pcibios_entry;
23553
23554 local_irq_save(flags);
23555 - __asm__(
23556 - "lcall *(%%edi); cld\n\t"
23557 + __asm__("movw %w6, %%ds\n\t"
23558 + "lcall *%%ss:(%%edi); cld\n\t"
23559 + "push %%ss\n\t"
23560 + "pop %%ds\n\t"
23561 "jc 1f\n\t"
23562 "xor %%ah, %%ah\n"
23563 "1:"
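Review bot: The `%ds` switch added here refers to its selector by position (`%w6`), and the same sequence is repeated in every BIOS call in this file with a position that depends on each statement's operand list (`%w6` in the read/write helpers, `%w8` in `pcibios_get_irq_routing()`, `%w5` in `pcibios_set_irq_routing()`). Adding or removing one operand would silently point the `movw` at a different operand. Named operands remove that risk: `"movw %w[pds], %%ds\n\t"` with `[pds] "r" (__PCIBIOS_DS)`. The restore via `push %%ss` / `pop %%ds` also relies on `%ss` holding the kernel data selector at every call site, which deserves a one-line comment. The asm statement continues in the next hunk.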
23564 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
23565 "=b" (ebx),
23566 "=c" (ecx)
23567 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23568 - "D" (&pci_indirect)
23569 + "D" (&pci_indirect),
23570 + "r" (__PCIBIOS_DS)
23571 : "memory");
23572 local_irq_restore(flags);
23573
23574 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
23575
23576 switch (len) {
23577 case 1:
23578 - __asm__("lcall *(%%esi); cld\n\t"
23579 + __asm__("movw %w6, %%ds\n\t"
23580 + "lcall *%%ss:(%%esi); cld\n\t"
23581 + "push %%ss\n\t"
23582 + "pop %%ds\n\t"
23583 "jc 1f\n\t"
23584 "xor %%ah, %%ah\n"
23585 "1:"
23586 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
23587 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23588 "b" (bx),
23589 "D" ((long)reg),
23590 - "S" (&pci_indirect));
23591 + "S" (&pci_indirect),
23592 + "r" (__PCIBIOS_DS));
23593 /*
23594 * Zero-extend the result beyond 8 bits, do not trust the
23595 * BIOS having done it:
23596 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
23597 *value &= 0xff;
23598 break;
23599 case 2:
23600 - __asm__("lcall *(%%esi); cld\n\t"
23601 + __asm__("movw %w6, %%ds\n\t"
23602 + "lcall *%%ss:(%%esi); cld\n\t"
23603 + "push %%ss\n\t"
23604 + "pop %%ds\n\t"
23605 "jc 1f\n\t"
23606 "xor %%ah, %%ah\n"
23607 "1:"
23608 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
23609 : "1" (PCIBIOS_READ_CONFIG_WORD),
23610 "b" (bx),
23611 "D" ((long)reg),
23612 - "S" (&pci_indirect));
23613 + "S" (&pci_indirect),
23614 + "r" (__PCIBIOS_DS));
23615 /*
23616 * Zero-extend the result beyond 16 bits, do not trust the
23617 * BIOS having done it:
23618 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
23619 *value &= 0xffff;
23620 break;
23621 case 4:
23622 - __asm__("lcall *(%%esi); cld\n\t"
23623 + __asm__("movw %w6, %%ds\n\t"
23624 + "lcall *%%ss:(%%esi); cld\n\t"
23625 + "push %%ss\n\t"
23626 + "pop %%ds\n\t"
23627 "jc 1f\n\t"
23628 "xor %%ah, %%ah\n"
23629 "1:"
23630 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
23631 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23632 "b" (bx),
23633 "D" ((long)reg),
23634 - "S" (&pci_indirect));
23635 + "S" (&pci_indirect),
23636 + "r" (__PCIBIOS_DS));
23637 break;
23638 }
23639
23640 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
23641
23642 switch (len) {
23643 case 1:
23644 - __asm__("lcall *(%%esi); cld\n\t"
23645 + __asm__("movw %w6, %%ds\n\t"
23646 + "lcall *%%ss:(%%esi); cld\n\t"
23647 + "push %%ss\n\t"
23648 + "pop %%ds\n\t"
23649 "jc 1f\n\t"
23650 "xor %%ah, %%ah\n"
23651 "1:"
23652 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
23653 "c" (value),
23654 "b" (bx),
23655 "D" ((long)reg),
23656 - "S" (&pci_indirect));
23657 + "S" (&pci_indirect),
23658 + "r" (__PCIBIOS_DS));
23659 break;
23660 case 2:
23661 - __asm__("lcall *(%%esi); cld\n\t"
23662 + __asm__("movw %w6, %%ds\n\t"
23663 + "lcall *%%ss:(%%esi); cld\n\t"
23664 + "push %%ss\n\t"
23665 + "pop %%ds\n\t"
23666 "jc 1f\n\t"
23667 "xor %%ah, %%ah\n"
23668 "1:"
23669 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
23670 "c" (value),
23671 "b" (bx),
23672 "D" ((long)reg),
23673 - "S" (&pci_indirect));
23674 + "S" (&pci_indirect),
23675 + "r" (__PCIBIOS_DS));
23676 break;
23677 case 4:
23678 - __asm__("lcall *(%%esi); cld\n\t"
23679 + __asm__("movw %w6, %%ds\n\t"
23680 + "lcall *%%ss:(%%esi); cld\n\t"
23681 + "push %%ss\n\t"
23682 + "pop %%ds\n\t"
23683 "jc 1f\n\t"
23684 "xor %%ah, %%ah\n"
23685 "1:"
23686 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
23687 "c" (value),
23688 "b" (bx),
23689 "D" ((long)reg),
23690 - "S" (&pci_indirect));
23691 + "S" (&pci_indirect),
23692 + "r" (__PCIBIOS_DS));
23693 break;
23694 }
23695
23696 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
23697 * Function table for BIOS32 access
23698 */
23699
23700 -static struct pci_raw_ops pci_bios_access = {
23701 +static const struct pci_raw_ops pci_bios_access = {
23702 .read = pci_bios_read,
23703 .write = pci_bios_write
23704 };
23705 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
23706 * Try to find PCI BIOS.
23707 */
23708
23709 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23710 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23711 {
23712 union bios32 *check;
23713 unsigned char sum;
23714 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
23715
23716 DBG("PCI: Fetching IRQ routing table... ");
23717 __asm__("push %%es\n\t"
23718 + "movw %w8, %%ds\n\t"
23719 "push %%ds\n\t"
23720 "pop %%es\n\t"
23721 - "lcall *(%%esi); cld\n\t"
23722 + "lcall *%%ss:(%%esi); cld\n\t"
23723 "pop %%es\n\t"
23724 + "push %%ss\n\t"
23725 + "pop %%ds\n"
23726 "jc 1f\n\t"
23727 "xor %%ah, %%ah\n"
23728 "1:"
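Review bot: In `pcibios_get_irq_routing()` the sequence `movw %w8, %%ds` / `push %%ds` / `pop %%es` makes `%es` the PCI BIOS data segment for the call, while the `"D" ((long) &opt)` operand is still a flat kernel address. `bios32_service()` programs that segment with the BIOS area as base and its length as limit, so an `%es`-relative access to `opt` would appear to fall outside the segment; please confirm how the BIOS is expected to reach the buffer in this configuration. If this path is not meant to be used with the restricted segments, a comment or a build-time guard saying so would prevent surprises. The asm statement's output list lies between this hunk and the next.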
23729 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
23730 "1" (0),
23731 "D" ((long) &opt),
23732 "S" (&pci_indirect),
23733 - "m" (opt)
23734 + "m" (opt),
23735 + "r" (__PCIBIOS_DS)
23736 : "memory");
23737 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23738 if (ret & 0xff00)
23739 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
23740 {
23741 int ret;
23742
23743 - __asm__("lcall *(%%esi); cld\n\t"
23744 + __asm__("movw %w5, %%ds\n\t"
23745 + "lcall *%%ss:(%%esi); cld\n\t"
23746 + "push %%ss\n\t"
23747 + "pop %%ds\n"
23748 "jc 1f\n\t"
23749 "xor %%ah, %%ah\n"
23750 "1:"
23751 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
23752 : "0" (PCIBIOS_SET_PCI_HW_INT),
23753 "b" ((dev->bus->number << 8) | dev->devfn),
23754 "c" ((irq << 8) | (pin + 10)),
23755 - "S" (&pci_indirect));
23756 + "S" (&pci_indirect),
23757 + "r" (__PCIBIOS_DS));
23758 return !(ret & 0xff00);
23759 }
23760 EXPORT_SYMBOL(pcibios_set_irq_routing);
23761 diff -urNp linux-2.6.39.2/arch/x86/pci/xen.c linux-2.6.39.2/arch/x86/pci/xen.c
23762 --- linux-2.6.39.2/arch/x86/pci/xen.c 2011-05-19 00:06:34.000000000 -0400
23763 +++ linux-2.6.39.2/arch/x86/pci/xen.c 2011-05-22 19:36:30.000000000 -0400
23764 @@ -62,7 +62,7 @@ static int acpi_register_gsi_xen_hvm(str
23765 #include <linux/msi.h>
23766 #include <asm/msidef.h>
23767
23768 -struct xen_pci_frontend_ops *xen_pci_frontend;
23769 +const struct xen_pci_frontend_ops *xen_pci_frontend;
23770 EXPORT_SYMBOL_GPL(xen_pci_frontend);
23771
23772 #define XEN_PIRQ_MSI_DATA (MSI_DATA_TRIGGER_EDGE | \
23773 diff -urNp linux-2.6.39.2/arch/x86/platform/efi/efi_32.c linux-2.6.39.2/arch/x86/platform/efi/efi_32.c
23774 --- linux-2.6.39.2/arch/x86/platform/efi/efi_32.c 2011-05-19 00:06:34.000000000 -0400
23775 +++ linux-2.6.39.2/arch/x86/platform/efi/efi_32.c 2011-05-22 19:36:30.000000000 -0400
23776 @@ -38,70 +38,37 @@
23777 */
23778
23779 static unsigned long efi_rt_eflags;
23780 -static pgd_t efi_bak_pg_dir_pointer[2];
23781 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
23782
23783 -void efi_call_phys_prelog(void)
23784 +void __init efi_call_phys_prelog(void)
23785 {
23786 - unsigned long cr4;
23787 - unsigned long temp;
23788 struct desc_ptr gdt_descr;
23789
23790 local_irq_save(efi_rt_eflags);
23791
23792 - /*
23793 - * If I don't have PAE, I should just duplicate two entries in page
23794 - * directory. If I have PAE, I just need to duplicate one entry in
23795 - * page directory.
23796 - */
23797 - cr4 = read_cr4_safe();
23798 -
23799 - if (cr4 & X86_CR4_PAE) {
23800 - efi_bak_pg_dir_pointer[0].pgd =
23801 - swapper_pg_dir[pgd_index(0)].pgd;
23802 - swapper_pg_dir[0].pgd =
23803 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23804 - } else {
23805 - efi_bak_pg_dir_pointer[0].pgd =
23806 - swapper_pg_dir[pgd_index(0)].pgd;
23807 - efi_bak_pg_dir_pointer[1].pgd =
23808 - swapper_pg_dir[pgd_index(0x400000)].pgd;
23809 - swapper_pg_dir[pgd_index(0)].pgd =
23810 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23811 - temp = PAGE_OFFSET + 0x400000;
23812 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23813 - swapper_pg_dir[pgd_index(temp)].pgd;
23814 - }
23815 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
23816 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23817 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
23818
23819 /*
23820 * After the lock is released, the original page table is restored.
23821 */
23822 __flush_tlb_all();
23823
23824 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
23825 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
23826 gdt_descr.size = GDT_SIZE - 1;
23827 load_gdt(&gdt_descr);
23828 }
23829
23830 -void efi_call_phys_epilog(void)
23831 +void __init efi_call_phys_epilog(void)
23832 {
23833 - unsigned long cr4;
23834 struct desc_ptr gdt_descr;
23835
23836 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
23837 + gdt_descr.address = get_cpu_gdt_table(0);
23838 gdt_descr.size = GDT_SIZE - 1;
23839 load_gdt(&gdt_descr);
23840
23841 - cr4 = read_cr4_safe();
23842 -
23843 - if (cr4 & X86_CR4_PAE) {
23844 - swapper_pg_dir[pgd_index(0)].pgd =
23845 - efi_bak_pg_dir_pointer[0].pgd;
23846 - } else {
23847 - swapper_pg_dir[pgd_index(0)].pgd =
23848 - efi_bak_pg_dir_pointer[0].pgd;
23849 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23850 - efi_bak_pg_dir_pointer[1].pgd;
23851 - }
23852 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
23853
23854 /*
23855 * After the lock is released, the original page table is restored.
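Review bot: The two `clone_pgd_range()` calls in efi_call_phys_prelog replace a commented PAE/non-PAE sequence and carry no explanation of what is saved and what is aliased. A comment such as `/* save the low KERNEL_PGD_PTRS entries of swapper_pg_dir, then copy the kernel entries from KERNEL_PGD_BOUNDARY over them so the physical-mode call runs on a 1:1 view */` would let a reader check that the backup covers every entry the second call overwrites. The `(struct desc_struct *)__pa(get_cpu_gdt_table(0))` cast stores a physical address in a pointer-typed field and should say so, e.g. `/* physical address on purpose: paging is off during the call */`. Marking both functions `__init` and the backup array `__initdata` is only safe if every caller is itself init-only, which is not visible here. efi_call_phys_epilog continues past the end of the hunk.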
23856 diff -urNp linux-2.6.39.2/arch/x86/platform/efi/efi_stub_32.S linux-2.6.39.2/arch/x86/platform/efi/efi_stub_32.S
23857 --- linux-2.6.39.2/arch/x86/platform/efi/efi_stub_32.S 2011-05-19 00:06:34.000000000 -0400
23858 +++ linux-2.6.39.2/arch/x86/platform/efi/efi_stub_32.S 2011-05-22 19:36:30.000000000 -0400
23859 @@ -6,6 +6,7 @@
23860 */
23861
23862 #include <linux/linkage.h>
23863 +#include <linux/init.h>
23864 #include <asm/page_types.h>
23865
23866 /*
23867 @@ -20,7 +21,7 @@
23868 * service functions will comply with gcc calling convention, too.
23869 */
23870
23871 -.text
23872 +__INIT
23873 ENTRY(efi_call_phys)
23874 /*
23875 * 0. The function can only be called in Linux kernel. So CS has been
23876 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
23877 * The mapping of lower virtual memory has been created in prelog and
23878 * epilog.
23879 */
23880 - movl $1f, %edx
23881 - subl $__PAGE_OFFSET, %edx
23882 - jmp *%edx
23883 + jmp 1f-__PAGE_OFFSET
23884 1:
23885
23886 /*
23887 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
23888 * parameter 2, ..., param n. To make things easy, we save the return
23889 * address of efi_call_phys in a global variable.
23890 */
23891 - popl %edx
23892 - movl %edx, saved_return_addr
23893 - /* get the function pointer into ECX*/
23894 - popl %ecx
23895 - movl %ecx, efi_rt_function_ptr
23896 - movl $2f, %edx
23897 - subl $__PAGE_OFFSET, %edx
23898 - pushl %edx
23899 + popl (saved_return_addr)
23900 + popl (efi_rt_function_ptr)
23901
23902 /*
23903 * 3. Clear PG bit in %CR0.
23904 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
23905 /*
23906 * 5. Call the physical function.
23907 */
23908 - jmp *%ecx
23909 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
23910
23911 -2:
23912 /*
23913 * 6. After EFI runtime service returns, control will return to
23914 * following instruction. We'd better readjust stack pointer first.
23915 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
23916 movl %cr0, %edx
23917 orl $0x80000000, %edx
23918 movl %edx, %cr0
23919 - jmp 1f
23920 -1:
23921 +
23922 /*
23923 * 8. Now restore the virtual mode from flat mode by
23924 * adding EIP with PAGE_OFFSET.
23925 */
23926 - movl $1f, %edx
23927 - jmp *%edx
23928 + jmp 1f+__PAGE_OFFSET
23929 1:
23930
23931 /*
23932 * 9. Balance the stack. And because EAX contain the return value,
23933 * we'd better not clobber it.
23934 */
23935 - leal efi_rt_function_ptr, %edx
23936 - movl (%edx), %ecx
23937 - pushl %ecx
23938 + pushl (efi_rt_function_ptr)
23939
23940 /*
23941 - * 10. Push the saved return address onto the stack and return.
23942 + * 10. Return to the saved return address.
23943 */
23944 - leal saved_return_addr, %edx
23945 - movl (%edx), %ecx
23946 - pushl %ecx
23947 - ret
23948 + jmpl *(saved_return_addr)
23949 ENDPROC(efi_call_phys)
23950 .previous
23951
23952 -.data
23953 +__INITDATA
23954 saved_return_addr:
23955 .long 0
23956 efi_rt_function_ptr:
23957 diff -urNp linux-2.6.39.2/arch/x86/platform/olpc/olpc_dt.c linux-2.6.39.2/arch/x86/platform/olpc/olpc_dt.c
23958 --- linux-2.6.39.2/arch/x86/platform/olpc/olpc_dt.c 2011-05-19 00:06:34.000000000 -0400
23959 +++ linux-2.6.39.2/arch/x86/platform/olpc/olpc_dt.c 2011-05-22 19:36:30.000000000 -0400
23960 @@ -154,7 +154,7 @@ void * __init prom_early_alloc(unsigned
23961 return res;
23962 }
23963
23964 -static struct of_pdt_ops prom_olpc_ops __initdata = {
23965 +static const struct of_pdt_ops prom_olpc_ops = {
23966 .nextprop = olpc_dt_nextprop,
23967 .getproplen = olpc_dt_getproplen,
23968 .getproperty = olpc_dt_getproperty,
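Review bot: Dropping `__initdata` while adding `const` keeps prom_olpc_ops resident after boot. If the callbacks it points to are `__init` like prom_early_alloc in the same file, that leaves a permanent table of pointers into discarded init text and is likely to trigger a section-mismatch warning. `static const struct of_pdt_ops prom_olpc_ops __initconst = {` keeps the table read-only and still lets it be freed with the rest of the init data. The initializer continues outside the hunk, so the annotations on the individual callbacks could not be checked.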
23969 diff -urNp linux-2.6.39.2/arch/x86/platform/uv/tlb_uv.c linux-2.6.39.2/arch/x86/platform/uv/tlb_uv.c
23970 --- linux-2.6.39.2/arch/x86/platform/uv/tlb_uv.c 2011-05-19 00:06:34.000000000 -0400
23971 +++ linux-2.6.39.2/arch/x86/platform/uv/tlb_uv.c 2011-05-22 19:36:30.000000000 -0400
23972 @@ -342,6 +342,8 @@ static void uv_reset_with_ipi(struct bau
23973 cpumask_t mask;
23974 struct reset_args reset_args;
23975
23976 + pax_track_stack();
23977 +
23978 reset_args.sender = sender;
23979
23980 cpus_clear(mask);
23981 diff -urNp linux-2.6.39.2/arch/x86/power/cpu.c linux-2.6.39.2/arch/x86/power/cpu.c
23982 --- linux-2.6.39.2/arch/x86/power/cpu.c 2011-05-19 00:06:34.000000000 -0400
23983 +++ linux-2.6.39.2/arch/x86/power/cpu.c 2011-05-22 19:36:30.000000000 -0400
23984 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
23985 static void fix_processor_context(void)
23986 {
23987 int cpu = smp_processor_id();
23988 - struct tss_struct *t = &per_cpu(init_tss, cpu);
23989 + struct tss_struct *t = init_tss + cpu;
23990
23991 set_tss_desc(cpu, t); /*
23992 * This just modifies memory; should not be
23993 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
23994 */
23995
23996 #ifdef CONFIG_X86_64
23997 + pax_open_kernel();
23998 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
23999 + pax_close_kernel();
24000
24001 syscall_init(); /* This sets MSR_*STAR and related */
24002 #endif
24003 diff -urNp linux-2.6.39.2/arch/x86/vdso/Makefile linux-2.6.39.2/arch/x86/vdso/Makefile
24004 --- linux-2.6.39.2/arch/x86/vdso/Makefile 2011-05-19 00:06:34.000000000 -0400
24005 +++ linux-2.6.39.2/arch/x86/vdso/Makefile 2011-05-22 19:36:30.000000000 -0400
24006 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
24007 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
24008 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
24009
24010 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24011 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24012 GCOV_PROFILE := n
24013
24014 #
24015 diff -urNp linux-2.6.39.2/arch/x86/vdso/vclock_gettime.c linux-2.6.39.2/arch/x86/vdso/vclock_gettime.c
24016 --- linux-2.6.39.2/arch/x86/vdso/vclock_gettime.c 2011-05-19 00:06:34.000000000 -0400
24017 +++ linux-2.6.39.2/arch/x86/vdso/vclock_gettime.c 2011-05-22 19:36:30.000000000 -0400
24018 @@ -22,24 +22,48 @@
24019 #include <asm/hpet.h>
24020 #include <asm/unistd.h>
24021 #include <asm/io.h>
24022 +#include <asm/fixmap.h>
24023 #include "vextern.h"
24024
24025 #define gtod vdso_vsyscall_gtod_data
24026
24027 +notrace noinline long __vdso_fallback_time(long *t)
24028 +{
24029 + long secs;
24030 + asm volatile("syscall"
24031 + : "=a" (secs)
24032 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
24033 + return secs;
24034 +}
24035 +
24036 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
24037 {
24038 long ret;
24039 asm("syscall" : "=a" (ret) :
24040 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
24041 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
24042 return ret;
24043 }
24044
24045 +notrace static inline cycle_t __vdso_vread_hpet(void)
24046 +{
24047 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
24048 +}
24049 +
24050 +notrace static inline cycle_t __vdso_vread_tsc(void)
24051 +{
24052 + cycle_t ret = (cycle_t)vget_cycles();
24053 +
24054 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
24055 +}
24056 +
24057 notrace static inline long vgetns(void)
24058 {
24059 long v;
24060 - cycles_t (*vread)(void);
24061 - vread = gtod->clock.vread;
24062 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
24063 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
24064 + v = __vdso_vread_tsc();
24065 + else
24066 + v = __vdso_vread_hpet();
24067 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
24068 return (v * gtod->clock.mult) >> gtod->clock.shift;
24069 }
24070
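Review bot: The clocksource name test is spelled out character by character three times (vgetns here, then __vdso_clock_gettime and __vdso_gettimeofday in the later hunks). vgetns also treats every name other than "tsc" as HPET, so it is only correct while each caller repeats the identical test. Two small helpers would give the comparison a single definition and make that dependency visible. They should carry a comment explaining that the name is compared in place of calling through `gtod->clock.vread`, so the vDSO no longer makes an indirect call through a pointer stored in shared data. Separately, `__vdso_fallback_time` uses `asm volatile` while the other two fallbacks use plain `asm`; using the same form in all three would be clearer.
```c
/* The clocksource is identified by name so that no function pointer read
 * from the shared gtod data is ever called from the vDSO. */
notrace static inline int vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
{
	long v;
	/* callers must have checked vdso_clock_is_tsc() || vdso_clock_is_hpet() */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask, mult and shift … */
```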
24071 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
24072
24073 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
24074 {
24075 - if (likely(gtod->sysctl_enabled))
24076 + if (likely(gtod->sysctl_enabled &&
24077 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24078 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24079 switch (clock) {
24080 case CLOCK_REALTIME:
24081 if (likely(gtod->clock.vread))
24082 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
24083 int clock_gettime(clockid_t, struct timespec *)
24084 __attribute__((weak, alias("__vdso_clock_gettime")));
24085
24086 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24087 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
24088 {
24089 long ret;
24090 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
24091 + asm("syscall" : "=a" (ret) :
24092 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
24093 + return ret;
24094 +}
24095 +
24096 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24097 +{
24098 + if (likely(gtod->sysctl_enabled &&
24099 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24100 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24101 + {
24102 if (likely(tv != NULL)) {
24103 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
24104 offsetof(struct timespec, tv_nsec) ||
24105 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
24106 }
24107 return 0;
24108 }
24109 - asm("syscall" : "=a" (ret) :
24110 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
24111 - return ret;
24112 + return __vdso_fallback_gettimeofday(tv, tz);
24113 }
24114 int gettimeofday(struct timeval *, struct timezone *)
24115 __attribute__((weak, alias("__vdso_gettimeofday")));
24116 diff -urNp linux-2.6.39.2/arch/x86/vdso/vdso32-setup.c linux-2.6.39.2/arch/x86/vdso/vdso32-setup.c
24117 --- linux-2.6.39.2/arch/x86/vdso/vdso32-setup.c 2011-05-19 00:06:34.000000000 -0400
24118 +++ linux-2.6.39.2/arch/x86/vdso/vdso32-setup.c 2011-05-22 19:36:30.000000000 -0400
24119 @@ -25,6 +25,7 @@
24120 #include <asm/tlbflush.h>
24121 #include <asm/vdso.h>
24122 #include <asm/proto.h>
24123 +#include <asm/mman.h>
24124
24125 enum {
24126 VDSO_DISABLED = 0,
24127 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
24128 void enable_sep_cpu(void)
24129 {
24130 int cpu = get_cpu();
24131 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
24132 + struct tss_struct *tss = init_tss + cpu;
24133
24134 if (!boot_cpu_has(X86_FEATURE_SEP)) {
24135 put_cpu();
24136 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
24137 gate_vma.vm_start = FIXADDR_USER_START;
24138 gate_vma.vm_end = FIXADDR_USER_END;
24139 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
24140 - gate_vma.vm_page_prot = __P101;
24141 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
24142 /*
24143 * Make sure the vDSO gets into every core dump.
24144 * Dumping its contents makes post-mortem fully interpretable later
24145 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
24146 if (compat)
24147 addr = VDSO_HIGH_BASE;
24148 else {
24149 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
24150 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
24151 if (IS_ERR_VALUE(addr)) {
24152 ret = addr;
24153 goto up_fail;
24154 }
24155 }
24156
24157 - current->mm->context.vdso = (void *)addr;
24158 + current->mm->context.vdso = addr;
24159
24160 if (compat_uses_vma || !compat) {
24161 /*
24162 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
24163 }
24164
24165 current_thread_info()->sysenter_return =
24166 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24167 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24168
24169 up_fail:
24170 if (ret)
24171 - current->mm->context.vdso = NULL;
24172 + current->mm->context.vdso = 0;
24173
24174 up_write(&mm->mmap_sem);
24175
24176 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
24177
24178 const char *arch_vma_name(struct vm_area_struct *vma)
24179 {
24180 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
24181 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
24182 return "[vdso]";
24183 +
24184 +#ifdef CONFIG_PAX_SEGMEXEC
24185 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
24186 + return "[vdso]";
24187 +#endif
24188 +
24189 return NULL;
24190 }
24191
24192 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
24193 * Check to see if the corresponding task was created in compat vdso
24194 * mode.
24195 */
24196 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
24197 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
24198 return &gate_vma;
24199 return NULL;
24200 }
24201 diff -urNp linux-2.6.39.2/arch/x86/vdso/vdso.lds.S linux-2.6.39.2/arch/x86/vdso/vdso.lds.S
24202 --- linux-2.6.39.2/arch/x86/vdso/vdso.lds.S 2011-05-19 00:06:34.000000000 -0400
24203 +++ linux-2.6.39.2/arch/x86/vdso/vdso.lds.S 2011-06-06 17:34:26.000000000 -0400
24204 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
24205 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
24206 #include "vextern.h"
24207 #undef VEXTERN
24208 +
24209 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
24210 +VEXTERN(fallback_gettimeofday)
24211 +VEXTERN(fallback_time)
24212 +VEXTERN(getcpu)
24213 +#undef VEXTERN
24214 diff -urNp linux-2.6.39.2/arch/x86/vdso/vextern.h linux-2.6.39.2/arch/x86/vdso/vextern.h
24215 --- linux-2.6.39.2/arch/x86/vdso/vextern.h 2011-05-19 00:06:34.000000000 -0400
24216 +++ linux-2.6.39.2/arch/x86/vdso/vextern.h 2011-05-22 19:36:30.000000000 -0400
24217 @@ -11,6 +11,5 @@
24218 put into vextern.h and be referenced as a pointer with vdso prefix.
24219 The main kernel later fills in the values. */
24220
24221 -VEXTERN(jiffies)
24222 VEXTERN(vgetcpu_mode)
24223 VEXTERN(vsyscall_gtod_data)
24224 diff -urNp linux-2.6.39.2/arch/x86/vdso/vma.c linux-2.6.39.2/arch/x86/vdso/vma.c
24225 --- linux-2.6.39.2/arch/x86/vdso/vma.c 2011-05-19 00:06:34.000000000 -0400
24226 +++ linux-2.6.39.2/arch/x86/vdso/vma.c 2011-05-22 19:36:30.000000000 -0400
24227 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
24228 if (!vbase)
24229 goto oom;
24230
24231 - if (memcmp(vbase, "\177ELF", 4)) {
24232 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
24233 printk("VDSO: I'm broken; not ELF\n");
24234 vdso_enabled = 0;
24235 }
24236 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
24237 goto up_fail;
24238 }
24239
24240 - current->mm->context.vdso = (void *)addr;
24241 + current->mm->context.vdso = addr;
24242
24243 ret = install_special_mapping(mm, addr, vdso_size,
24244 VM_READ|VM_EXEC|
24245 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
24246 VM_ALWAYSDUMP,
24247 vdso_pages);
24248 if (ret) {
24249 - current->mm->context.vdso = NULL;
24250 + current->mm->context.vdso = 0;
24251 goto up_fail;
24252 }
24253
24254 @@ -134,10 +134,3 @@ up_fail:
24255 up_write(&mm->mmap_sem);
24256 return ret;
24257 }
24258 -
24259 -static __init int vdso_setup(char *s)
24260 -{
24261 - vdso_enabled = simple_strtoul(s, NULL, 0);
24262 - return 0;
24263 -}
24264 -__setup("vdso=", vdso_setup);
24265 diff -urNp linux-2.6.39.2/arch/x86/xen/enlighten.c linux-2.6.39.2/arch/x86/xen/enlighten.c
24266 --- linux-2.6.39.2/arch/x86/xen/enlighten.c 2011-05-19 00:06:34.000000000 -0400
24267 +++ linux-2.6.39.2/arch/x86/xen/enlighten.c 2011-05-22 19:36:30.000000000 -0400
24268 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24269
24270 struct shared_info xen_dummy_shared_info;
24271
24272 -void *xen_initial_gdt;
24273 -
24274 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
24275 __read_mostly int xen_have_vector_callback;
24276 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
24277 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
24278 #endif
24279 };
24280
24281 -static void xen_reboot(int reason)
24282 +static __noreturn void xen_reboot(int reason)
24283 {
24284 struct sched_shutdown r = { .reason = reason };
24285
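Review bot: `__noreturn` on xen_reboot holds only if every path through the body ends in a call that does not return. The statement between the declaration of `r` and the `BUG();` shown in the next hunk falls in the gap between the two hunks, so this could not be confirmed. If `BUG()` is guarded by the hypercall's return value, a zero return lets the function fall off its end, which is undefined behaviour for a noreturn function. Making the trap unconditional removes the doubt: `HYPERVISOR_sched_op(SCHEDOP_shutdown, &r);` followed by `BUG();`. xen_restart, xen_emergency_restart and xen_machine_halt in the next hunk inherit the guarantee from this function.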
24286 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
24287 BUG();
24288 }
24289
24290 -static void xen_restart(char *msg)
24291 +static __noreturn void xen_restart(char *msg)
24292 {
24293 xen_reboot(SHUTDOWN_reboot);
24294 }
24295
24296 -static void xen_emergency_restart(void)
24297 +static __noreturn void xen_emergency_restart(void)
24298 {
24299 xen_reboot(SHUTDOWN_reboot);
24300 }
24301
24302 -static void xen_machine_halt(void)
24303 +static __noreturn void xen_machine_halt(void)
24304 {
24305 xen_reboot(SHUTDOWN_poweroff);
24306 }
24307 @@ -1127,7 +1125,17 @@ asmlinkage void __init xen_start_kernel(
24308 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24309
24310 /* Work out if we support NX */
24311 - x86_configure_nx();
24312 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24313 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24314 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24315 + unsigned l, h;
24316 +
24317 + __supported_pte_mask |= _PAGE_NX;
24318 + rdmsr(MSR_EFER, l, h);
24319 + l |= EFER_NX;
24320 + wrmsr(MSR_EFER, l, h);
24321 + }
24322 +#endif
24323
24324 xen_setup_features();
24325
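Review bot: The open-coded NX probe that replaces `x86_configure_nx()` in xen_start_kernel has no comment saying why the common helper cannot be used here. It also consults no disable flag, so a boot-time request to turn NX off (if this kernel still has one) would presumably be ignored on the Xen path. When the `#if` is false or the CPUID test fails, nothing in the hunk clears `_PAGE_NX` from `__supported_pte_mask`, so the code relies on the mask's initial value. At minimum add a comment such as `/* NX is probed and enabled by hand here: CPUID 0x80000001 EDX bit, then EFER.NX */` and state the reason for bypassing the helper. The expression `1U << (X86_FEATURE_NX & 31)` would also read better as a named local.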
24326 @@ -1158,13 +1166,6 @@ asmlinkage void __init xen_start_kernel(
24327
24328 machine_ops = xen_machine_ops;
24329
24330 - /*
24331 - * The only reliable way to retain the initial address of the
24332 - * percpu gdt_page is to remember it here, so we can go and
24333 - * mark it RW later, when the initial percpu area is freed.
24334 - */
24335 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24336 -
24337 xen_smp_init();
24338
24339 #ifdef CONFIG_ACPI_NUMA
24340 diff -urNp linux-2.6.39.2/arch/x86/xen/mmu.c linux-2.6.39.2/arch/x86/xen/mmu.c
24341 --- linux-2.6.39.2/arch/x86/xen/mmu.c 2011-06-03 00:04:13.000000000 -0400
24342 +++ linux-2.6.39.2/arch/x86/xen/mmu.c 2011-06-03 00:32:05.000000000 -0400
24343 @@ -1791,6 +1791,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24344 convert_pfn_mfn(init_level4_pgt);
24345 convert_pfn_mfn(level3_ident_pgt);
24346 convert_pfn_mfn(level3_kernel_pgt);
24347 + convert_pfn_mfn(level3_vmalloc_pgt);
24348 + convert_pfn_mfn(level3_vmemmap_pgt);
24349
24350 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24351 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24352 @@ -1809,7 +1811,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24353 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24354 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24355 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24356 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24357 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24358 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24359 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24360 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24361 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24362
24363 diff -urNp linux-2.6.39.2/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.39.2/arch/x86/xen/pci-swiotlb-xen.c
24364 --- linux-2.6.39.2/arch/x86/xen/pci-swiotlb-xen.c 2011-05-19 00:06:34.000000000 -0400
24365 +++ linux-2.6.39.2/arch/x86/xen/pci-swiotlb-xen.c 2011-05-22 19:36:30.000000000 -0400
24366 @@ -10,7 +10,7 @@
24367
24368 int xen_swiotlb __read_mostly;
24369
24370 -static struct dma_map_ops xen_swiotlb_dma_ops = {
24371 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
24372 .mapping_error = xen_swiotlb_dma_mapping_error,
24373 .alloc_coherent = xen_swiotlb_alloc_coherent,
24374 .free_coherent = xen_swiotlb_free_coherent,
24375 diff -urNp linux-2.6.39.2/arch/x86/xen/smp.c linux-2.6.39.2/arch/x86/xen/smp.c
24376 --- linux-2.6.39.2/arch/x86/xen/smp.c 2011-05-19 00:06:34.000000000 -0400
24377 +++ linux-2.6.39.2/arch/x86/xen/smp.c 2011-05-22 19:36:30.000000000 -0400
24378 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
24379 {
24380 BUG_ON(smp_processor_id() != 0);
24381 native_smp_prepare_boot_cpu();
24382 -
24383 - /* We've switched to the "real" per-cpu gdt, so make sure the
24384 - old memory can be recycled */
24385 - make_lowmem_page_readwrite(xen_initial_gdt);
24386 -
24387 xen_filter_cpu_maps();
24388 xen_setup_vcpu_info_placement();
24389 }
24390 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
24391 gdt = get_cpu_gdt_table(cpu);
24392
24393 ctxt->flags = VGCF_IN_KERNEL;
24394 - ctxt->user_regs.ds = __USER_DS;
24395 - ctxt->user_regs.es = __USER_DS;
24396 + ctxt->user_regs.ds = __KERNEL_DS;
24397 + ctxt->user_regs.es = __KERNEL_DS;
24398 ctxt->user_regs.ss = __KERNEL_DS;
24399 #ifdef CONFIG_X86_32
24400 ctxt->user_regs.fs = __KERNEL_PERCPU;
24401 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24402 + savesegment(gs, ctxt->user_regs.gs);
24403 #else
24404 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24405 #endif
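Review bot: `savesegment(gs, ctxt->user_regs.gs)` stores whatever %gs holds on the CPU running cpu_initialize_context into the new vCPU's boot context, replacing the fixed `__KERNEL_STACK_CANARY` selector, and nothing in the hunk says what value is expected there. A comment such as `/* the new vCPU starts with the %gs selector of the CPU that brings it up */` would document that dependency. The switch of `ds`/`es` from `__USER_DS` to `__KERNEL_DS` needs a similar one-line reason, since the two selectors carry different privilege levels. The function begins and ends outside the hunk.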
24406 @@ -315,13 +310,12 @@ static int __cpuinit xen_cpu_up(unsigned
24407 int rc;
24408
24409 per_cpu(current_task, cpu) = idle;
24410 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24411 #ifdef CONFIG_X86_32
24412 irq_ctx_init(cpu);
24413 #else
24414 clear_tsk_thread_flag(idle, TIF_FORK);
24415 - per_cpu(kernel_stack, cpu) =
24416 - (unsigned long)task_stack_page(idle) -
24417 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24418 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24419 #endif
24420 xen_setup_runstate_info(cpu);
24421 xen_setup_timer(cpu);
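Review bot: The new `per_cpu(kernel_stack, cpu)` assignment replaces `KERNEL_STACK_OFFSET` with the literal `16`, so the top-of-stack adjustment is now duplicated as a bare number and can drift from the other places that compute it. If the patch changes the offset on purpose, redefine the constant once, or add a comment on this line such as `/* 16 = bytes reserved at the top of the kernel stack; must match the entry code */`. xen_cpu_up continues outside the hunk.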
24422 diff -urNp linux-2.6.39.2/arch/x86/xen/xen-asm_32.S linux-2.6.39.2/arch/x86/xen/xen-asm_32.S
24423 --- linux-2.6.39.2/arch/x86/xen/xen-asm_32.S 2011-05-19 00:06:34.000000000 -0400
24424 +++ linux-2.6.39.2/arch/x86/xen/xen-asm_32.S 2011-05-22 19:36:30.000000000 -0400
24425 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24426 ESP_OFFSET=4 # bytes pushed onto stack
24427
24428 /*
24429 - * Store vcpu_info pointer for easy access. Do it this way to
24430 - * avoid having to reload %fs
24431 + * Store vcpu_info pointer for easy access.
24432 */
24433 #ifdef CONFIG_SMP
24434 - GET_THREAD_INFO(%eax)
24435 - movl TI_cpu(%eax), %eax
24436 - movl __per_cpu_offset(,%eax,4), %eax
24437 - mov xen_vcpu(%eax), %eax
24438 + push %fs
24439 + mov $(__KERNEL_PERCPU), %eax
24440 + mov %eax, %fs
24441 + mov PER_CPU_VAR(xen_vcpu), %eax
24442 + pop %fs
24443 #else
24444 movl xen_vcpu, %eax
24445 #endif
24446 diff -urNp linux-2.6.39.2/arch/x86/xen/xen-head.S linux-2.6.39.2/arch/x86/xen/xen-head.S
24447 --- linux-2.6.39.2/arch/x86/xen/xen-head.S 2011-05-19 00:06:34.000000000 -0400
24448 +++ linux-2.6.39.2/arch/x86/xen/xen-head.S 2011-05-22 19:36:30.000000000 -0400
24449 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24450 #ifdef CONFIG_X86_32
24451 mov %esi,xen_start_info
24452 mov $init_thread_union+THREAD_SIZE,%esp
24453 +#ifdef CONFIG_SMP
24454 + movl $cpu_gdt_table,%edi
24455 + movl $__per_cpu_load,%eax
24456 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24457 + rorl $16,%eax
24458 + movb %al,__KERNEL_PERCPU + 4(%edi)
24459 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24460 + movl $__per_cpu_end - 1,%eax
24461 + subl $__per_cpu_start,%eax
24462 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24463 +#endif
24464 #else
24465 mov %rsi,xen_start_info
24466 mov $init_thread_union+THREAD_SIZE,%rsp
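Review bot: Only the low 16 bits of the per-cpu segment limit are written (`movw %ax,__KERNEL_PERCPU + 0(%edi)`); the upper limit nibble in byte 6 of the descriptor is left as cpu_gdt_table has it. Whether that covers `__per_cpu_end - __per_cpu_start` depends on the granularity bit and the static descriptor contents, neither of which is visible here. A short comment would make the assumption checkable, for example `/* base <- __per_cpu_load, limit[15:0] <- per-cpu size - 1; limit[19:16] and flags come from the static cpu_gdt_table entry */`. A build-time check on the per-cpu area size would be stronger still.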
24467 diff -urNp linux-2.6.39.2/arch/x86/xen/xen-ops.h linux-2.6.39.2/arch/x86/xen/xen-ops.h
24468 --- linux-2.6.39.2/arch/x86/xen/xen-ops.h 2011-05-19 00:06:34.000000000 -0400
24469 +++ linux-2.6.39.2/arch/x86/xen/xen-ops.h 2011-05-22 19:36:30.000000000 -0400
24470 @@ -10,8 +10,6 @@
24471 extern const char xen_hypervisor_callback[];
24472 extern const char xen_failsafe_callback[];
24473
24474 -extern void *xen_initial_gdt;
24475 -
24476 struct trap_info;
24477 void xen_copy_trap_info(struct trap_info *traps);
24478
24479 diff -urNp linux-2.6.39.2/block/blk-iopoll.c linux-2.6.39.2/block/blk-iopoll.c
24480 --- linux-2.6.39.2/block/blk-iopoll.c 2011-05-19 00:06:34.000000000 -0400
24481 +++ linux-2.6.39.2/block/blk-iopoll.c 2011-05-22 19:36:30.000000000 -0400
24482 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24483 }
24484 EXPORT_SYMBOL(blk_iopoll_complete);
24485
24486 -static void blk_iopoll_softirq(struct softirq_action *h)
24487 +static void blk_iopoll_softirq(void)
24488 {
24489 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24490 int rearm = 0, budget = blk_iopoll_budget;
24491 diff -urNp linux-2.6.39.2/block/blk-map.c linux-2.6.39.2/block/blk-map.c
24492 --- linux-2.6.39.2/block/blk-map.c 2011-05-19 00:06:34.000000000 -0400
24493 +++ linux-2.6.39.2/block/blk-map.c 2011-05-22 19:36:30.000000000 -0400
24494 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
24495 if (!len || !kbuf)
24496 return -EINVAL;
24497
24498 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
24499 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
24500 if (do_copy)
24501 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24502 else
24503 diff -urNp linux-2.6.39.2/block/blk-softirq.c linux-2.6.39.2/block/blk-softirq.c
24504 --- linux-2.6.39.2/block/blk-softirq.c 2011-05-19 00:06:34.000000000 -0400
24505 +++ linux-2.6.39.2/block/blk-softirq.c 2011-05-22 19:36:30.000000000 -0400
24506 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24507 * Softirq action handler - move entries to local list and loop over them
24508 * while passing them to the queue registered handler.
24509 */
24510 -static void blk_done_softirq(struct softirq_action *h)
24511 +static void blk_done_softirq(void)
24512 {
24513 struct list_head *cpu_list, local_list;
24514
24515 diff -urNp linux-2.6.39.2/block/bsg.c linux-2.6.39.2/block/bsg.c
24516 --- linux-2.6.39.2/block/bsg.c 2011-05-19 00:06:34.000000000 -0400
24517 +++ linux-2.6.39.2/block/bsg.c 2011-05-22 19:36:30.000000000 -0400
24518 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24519 struct sg_io_v4 *hdr, struct bsg_device *bd,
24520 fmode_t has_write_perm)
24521 {
24522 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24523 + unsigned char *cmdptr;
24524 +
24525 if (hdr->request_len > BLK_MAX_CDB) {
24526 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24527 if (!rq->cmd)
24528 return -ENOMEM;
24529 - }
24530 + cmdptr = rq->cmd;
24531 + } else
24532 + cmdptr = tmpcmd;
24533
24534 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24535 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24536 hdr->request_len))
24537 return -EFAULT;
24538
24539 + if (cmdptr != rq->cmd)
24540 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24541 +
24542 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24543 if (blk_verify_command(rq->cmd, has_write_perm))
24544 return -EPERM;
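Review bot: The bounce buffer is declared with `sizeof(rq->__cmd)`, but the branch that selects it is guarded by `hdr->request_len > BLK_MAX_CDB`. The `copy_from_user()` into `tmpcmd` is therefore in bounds only while those two sizes agree, which the hunk does not show. `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` at the top of blk_fill_sgv4_hdr_rq would turn that assumption into a compile-time guarantee. The detour through the stack also needs a one-line reason, e.g. `/* copy via a stack buffer so the user copy never targets a field embedded in *rq */`, as the extra `memcpy()` otherwise looks redundant. The function continues past the hunk.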
24545 diff -urNp linux-2.6.39.2/block/scsi_ioctl.c linux-2.6.39.2/block/scsi_ioctl.c
24546 --- linux-2.6.39.2/block/scsi_ioctl.c 2011-05-19 00:06:34.000000000 -0400
24547 +++ linux-2.6.39.2/block/scsi_ioctl.c 2011-05-22 19:36:30.000000000 -0400
24548 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
24549 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24550 struct sg_io_hdr *hdr, fmode_t mode)
24551 {
24552 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24553 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24554 + unsigned char *cmdptr;
24555 +
24556 + if (rq->cmd != rq->__cmd)
24557 + cmdptr = rq->cmd;
24558 + else
24559 + cmdptr = tmpcmd;
24560 +
24561 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24562 return -EFAULT;
24563 +
24564 + if (cmdptr != rq->cmd)
24565 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24566 +
24567 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24568 return -EPERM;
24569
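Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` now writes into the on-stack `tmpcmd` whenever `rq->cmd == rq->__cmd`, and nothing inside blk_fill_sghdr_rq bounds `hdr->cmd_len` by `sizeof(tmpcmd)`. The limit is presumably enforced by the caller, outside this hunk. If that assumption ever breaks, the overflow would now land on the kernel stack instead of inside the request structure, so a local guard is cheap insurance: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The same pattern with `cmdlen` appears in the two sg_scsi_ioctl hunks that follow and would benefit from the same check. The function body continues outside the hunk.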
24570 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
24571 int err;
24572 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24573 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24574 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24575 + unsigned char *cmdptr;
24576
24577 if (!sic)
24578 return -EINVAL;
24579 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
24580 */
24581 err = -EFAULT;
24582 rq->cmd_len = cmdlen;
24583 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24584 +
24585 + if (rq->cmd != rq->__cmd)
24586 + cmdptr = rq->cmd;
24587 + else
24588 + cmdptr = tmpcmd;
24589 +
24590 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24591 goto error;
24592
24593 + if (rq->cmd != cmdptr)
24594 + memcpy(rq->cmd, cmdptr, cmdlen);
24595 +
24596 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24597 goto error;
24598
24599 diff -urNp linux-2.6.39.2/crypto/serpent.c linux-2.6.39.2/crypto/serpent.c
24600 --- linux-2.6.39.2/crypto/serpent.c 2011-05-19 00:06:34.000000000 -0400
24601 +++ linux-2.6.39.2/crypto/serpent.c 2011-05-22 19:36:30.000000000 -0400
24602 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24603 u32 r0,r1,r2,r3,r4;
24604 int i;
24605
24606 + pax_track_stack();
24607 +
24608 /* Copy key, add padding */
24609
24610 for (i = 0; i < keylen; ++i)
24611 diff -urNp linux-2.6.39.2/Documentation/dontdiff linux-2.6.39.2/Documentation/dontdiff
24612 --- linux-2.6.39.2/Documentation/dontdiff 2011-05-19 00:06:34.000000000 -0400
24613 +++ linux-2.6.39.2/Documentation/dontdiff 2011-05-22 19:36:30.000000000 -0400
24614 @@ -1,13 +1,16 @@
24615 *.a
24616 *.aux
24617 *.bin
24618 +*.cis
24619 *.cpio
24620 *.csp
24621 +*.dbg
24622 *.dsp
24623 *.dvi
24624 *.elf
24625 *.eps
24626 *.fw
24627 +*.gcno
24628 *.gen.S
24629 *.gif
24630 *.grep
24631 @@ -38,8 +41,10 @@
24632 *.tab.h
24633 *.tex
24634 *.ver
24635 +*.vim
24636 *.xml
24637 *_MODULES
24638 +*_reg_safe.h
24639 *_vga16.c
24640 *~
24641 *.9
24642 @@ -49,11 +54,16 @@
24643 53c700_d.h
24644 CVS
24645 ChangeSet
24646 +GPATH
24647 +GRTAGS
24648 +GSYMS
24649 +GTAGS
24650 Image
24651 Kerntypes
24652 Module.markers
24653 Module.symvers
24654 PENDING
24655 +PERF*
24656 SCCS
24657 System.map*
24658 TAGS
24659 @@ -80,8 +90,11 @@ btfixupprep
24660 build
24661 bvmlinux
24662 bzImage*
24663 +capability_names.h
24664 capflags.c
24665 classlist.h*
24666 +clut_vga16.c
24667 +common-cmds.h
24668 comp*.log
24669 compile.h*
24670 conf
24671 @@ -106,16 +119,19 @@ fore200e_mkfirm
24672 fore200e_pca_fw.c*
24673 gconf
24674 gen-devlist
24675 +gen-kdb_cmds.c
24676 gen_crc32table
24677 gen_init_cpio
24678 generated
24679 genheaders
24680 genksyms
24681 *_gray256.c
24682 +hash
24683 ihex2fw
24684 ikconfig.h*
24685 inat-tables.c
24686 initramfs_data.cpio
24687 +initramfs_data.cpio.bz2
24688 initramfs_data.cpio.gz
24689 initramfs_list
24690 int16.c
24691 @@ -125,7 +141,6 @@ int32.c
24692 int4.c
24693 int8.c
24694 kallsyms
24695 -kconfig
24696 keywords.c
24697 ksym.c*
24698 ksym.h*
24699 @@ -149,7 +164,9 @@ mkboot
24700 mkbugboot
24701 mkcpustr
24702 mkdep
24703 +mkpiggy
24704 mkprep
24705 +mkregtable
24706 mktables
24707 mktree
24708 modpost
24709 @@ -165,6 +182,7 @@ parse.h
24710 patches*
24711 pca200e.bin
24712 pca200e_ecd.bin2
24713 +perf-archive
24714 piggy.gz
24715 piggyback
24716 piggy.S
24717 @@ -180,7 +198,9 @@ r600_reg_safe.h
24718 raid6altivec*.c
24719 raid6int*.c
24720 raid6tables.c
24721 +regdb.c
24722 relocs
24723 +rlim_names.h
24724 rn50_reg_safe.h
24725 rs600_reg_safe.h
24726 rv515_reg_safe.h
24727 @@ -189,6 +209,7 @@ setup
24728 setup.bin
24729 setup.elf
24730 sImage
24731 +slabinfo
24732 sm_tbl*
24733 split-include
24734 syscalltab.h
24735 @@ -213,13 +234,17 @@ version.h*
24736 vmlinux
24737 vmlinux-*
24738 vmlinux.aout
24739 +vmlinux.bin.all
24740 +vmlinux.bin.bz2
24741 vmlinux.lds
24742 +vmlinux.relocs
24743 voffset.h
24744 vsyscall.lds
24745 vsyscall_32.lds
24746 wanxlfw.inc
24747 uImage
24748 unifdef
24749 +utsrelease.h
24750 wakeup.bin
24751 wakeup.elf
24752 wakeup.lds
24753 diff -urNp linux-2.6.39.2/Documentation/filesystems/configfs/configfs_example_macros.c linux-2.6.39.2/Documentation/filesystems/configfs/configfs_example_macros.c
24754 --- linux-2.6.39.2/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-19 00:06:34.000000000 -0400
24755 +++ linux-2.6.39.2/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-22 19:36:30.000000000 -0400
24756 @@ -368,7 +368,7 @@ static struct configfs_item_operations g
24757 * Note that, since no extra work is required on ->drop_item(),
24758 * no ->drop_item() is provided.
24759 */
24760 -static struct configfs_group_operations group_children_group_ops = {
24761 +static const struct configfs_group_operations group_children_group_ops = {
24762 .make_group = group_children_make_group,
24763 };
24764
24765 diff -urNp linux-2.6.39.2/Documentation/filesystems/sysfs.txt linux-2.6.39.2/Documentation/filesystems/sysfs.txt
24766 --- linux-2.6.39.2/Documentation/filesystems/sysfs.txt 2011-05-19 00:06:34.000000000 -0400
24767 +++ linux-2.6.39.2/Documentation/filesystems/sysfs.txt 2011-05-22 19:36:30.000000000 -0400
24768 @@ -125,8 +125,8 @@ set of sysfs operations for forwarding r
24769 show and store methods of the attribute owners.
24770
24771 struct sysfs_ops {
24772 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
24773 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
24774 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
24775 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
24776 };
24777
24778 [ Subsystems should have already defined a struct kobj_type as a
24779 diff -urNp linux-2.6.39.2/Documentation/kernel-parameters.txt linux-2.6.39.2/Documentation/kernel-parameters.txt
24780 --- linux-2.6.39.2/Documentation/kernel-parameters.txt 2011-06-25 12:55:22.000000000 -0400
24781 +++ linux-2.6.39.2/Documentation/kernel-parameters.txt 2011-06-25 13:00:25.000000000 -0400
24782 @@ -1879,6 +1879,13 @@ bytes respectively. Such letter suffixes
24783 the specified number of seconds. This is to be used if
24784 your oopses keep scrolling off the screen.
24785
24786 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24787 + virtualization environments that don't cope well with the
24788 + expand down segment used by UDEREF on X86-32 or the frequent
24789 + page table updates on X86-64.
24790 +
24791 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24792 +
24793 pcbit= [HW,ISDN]
24794
24795 pcd. [PARIDE]
24796 diff -urNp linux-2.6.39.2/drivers/acpi/acpi_ipmi.c linux-2.6.39.2/drivers/acpi/acpi_ipmi.c
24797 --- linux-2.6.39.2/drivers/acpi/acpi_ipmi.c 2011-05-19 00:06:34.000000000 -0400
24798 +++ linux-2.6.39.2/drivers/acpi/acpi_ipmi.c 2011-05-22 19:36:30.000000000 -0400
24799 @@ -70,7 +70,7 @@ struct acpi_ipmi_device {
24800 struct ipmi_driver_data {
24801 struct list_head ipmi_devices;
24802 struct ipmi_smi_watcher bmc_events;
24803 - struct ipmi_user_hndl ipmi_hndlrs;
24804 + const struct ipmi_user_hndl ipmi_hndlrs;
24805 struct mutex ipmi_lock;
24806 };
24807
24808 diff -urNp linux-2.6.39.2/drivers/acpi/apei/cper.c linux-2.6.39.2/drivers/acpi/apei/cper.c
24809 --- linux-2.6.39.2/drivers/acpi/apei/cper.c 2011-05-19 00:06:34.000000000 -0400
24810 +++ linux-2.6.39.2/drivers/acpi/apei/cper.c 2011-05-22 19:36:30.000000000 -0400
24811 @@ -38,12 +38,12 @@
24812 */
24813 u64 cper_next_record_id(void)
24814 {
24815 - static atomic64_t seq;
24816 + static atomic64_unchecked_t seq;
24817
24818 - if (!atomic64_read(&seq))
24819 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
24820 + if (!atomic64_read_unchecked(&seq))
24821 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
24822
24823 - return atomic64_inc_return(&seq);
24824 + return atomic64_inc_return_unchecked(&seq);
24825 }
24826 EXPORT_SYMBOL_GPL(cper_next_record_id);
24827
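Review bot: The conversion of `seq` to `atomic64_unchecked_t` in cper_next_record_id comes with no comment explaining why this counter uses the `_unchecked` variants. Judging by the function name it is a record-id generator rather than a reference count, so wraparound is presumably harmless, but that should be stated next to the declaration, e.g. `/* record-id sequence, not a refcount: wraparound is acceptable */`. Separately, the seeding is still a separate `atomic64_read_unchecked()` and `atomic64_set_unchecked()`, so two concurrent first callers could both see zero and both seed it. The conversion leaves that as it was.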
24828 diff -urNp linux-2.6.39.2/drivers/acpi/battery.c linux-2.6.39.2/drivers/acpi/battery.c
24829 --- linux-2.6.39.2/drivers/acpi/battery.c 2011-05-19 00:06:34.000000000 -0400
24830 +++ linux-2.6.39.2/drivers/acpi/battery.c 2011-05-22 19:36:30.000000000 -0400
24831 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24832 }
24833
24834 static struct battery_file {
24835 - struct file_operations ops;
24836 + const struct file_operations ops;
24837 mode_t mode;
24838 const char *name;
24839 } acpi_battery_file[] = {
24840 diff -urNp linux-2.6.39.2/drivers/acpi/dock.c linux-2.6.39.2/drivers/acpi/dock.c
24841 --- linux-2.6.39.2/drivers/acpi/dock.c 2011-05-19 00:06:34.000000000 -0400
24842 +++ linux-2.6.39.2/drivers/acpi/dock.c 2011-05-22 19:36:30.000000000 -0400
24843 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24844 struct list_head list;
24845 struct list_head hotplug_list;
24846 acpi_handle handle;
24847 - struct acpi_dock_ops *ops;
24848 + const struct acpi_dock_ops *ops;
24849 void *context;
24850 };
24851
24852 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
24853 * the dock driver after _DCK is executed.
24854 */
24855 int
24856 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
24857 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
24858 void *context)
24859 {
24860 struct dock_dependent_device *dd;
24861 diff -urNp linux-2.6.39.2/drivers/acpi/ec_sys.c linux-2.6.39.2/drivers/acpi/ec_sys.c
24862 --- linux-2.6.39.2/drivers/acpi/ec_sys.c 2011-05-19 00:06:34.000000000 -0400
24863 +++ linux-2.6.39.2/drivers/acpi/ec_sys.c 2011-05-22 19:36:30.000000000 -0400
24864 @@ -92,7 +92,7 @@ static ssize_t acpi_ec_write_io(struct f
24865 return count;
24866 }
24867
24868 -static struct file_operations acpi_ec_io_ops = {
24869 +static const struct file_operations acpi_ec_io_ops = {
24870 .owner = THIS_MODULE,
24871 .open = acpi_ec_open_io,
24872 .read = acpi_ec_read_io,
24873 diff -urNp linux-2.6.39.2/drivers/acpi/fan.c linux-2.6.39.2/drivers/acpi/fan.c
24874 --- linux-2.6.39.2/drivers/acpi/fan.c 2011-05-19 00:06:34.000000000 -0400
24875 +++ linux-2.6.39.2/drivers/acpi/fan.c 2011-05-22 19:36:30.000000000 -0400
24876 @@ -110,7 +110,7 @@ fan_set_cur_state(struct thermal_cooling
24877 return result;
24878 }
24879
24880 -static struct thermal_cooling_device_ops fan_cooling_ops = {
24881 +static const struct thermal_cooling_device_ops fan_cooling_ops = {
24882 .get_max_state = fan_get_max_state,
24883 .get_cur_state = fan_get_cur_state,
24884 .set_cur_state = fan_set_cur_state,
24885 diff -urNp linux-2.6.39.2/drivers/acpi/power_meter.c linux-2.6.39.2/drivers/acpi/power_meter.c
24886 --- linux-2.6.39.2/drivers/acpi/power_meter.c 2011-05-19 00:06:34.000000000 -0400
24887 +++ linux-2.6.39.2/drivers/acpi/power_meter.c 2011-05-22 19:36:30.000000000 -0400
24888 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
24889 return res;
24890
24891 temp /= 1000;
24892 - if (temp < 0)
24893 - return -EINVAL;
24894
24895 mutex_lock(&resource->lock);
24896 resource->trip[attr->index - 7] = temp;
24897 diff -urNp linux-2.6.39.2/drivers/acpi/proc.c linux-2.6.39.2/drivers/acpi/proc.c
24898 --- linux-2.6.39.2/drivers/acpi/proc.c 2011-05-19 00:06:34.000000000 -0400
24899 +++ linux-2.6.39.2/drivers/acpi/proc.c 2011-05-22 19:36:30.000000000 -0400
24900 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
24901 size_t count, loff_t * ppos)
24902 {
24903 struct list_head *node, *next;
24904 - char strbuf[5];
24905 - char str[5] = "";
24906 - unsigned int len = count;
24907 -
24908 - if (len > 4)
24909 - len = 4;
24910 - if (len < 0)
24911 - return -EFAULT;
24912 + char strbuf[5] = {0};
24913
24914 - if (copy_from_user(strbuf, buffer, len))
24915 + if (count > 4)
24916 + count = 4;
24917 + if (copy_from_user(strbuf, buffer, count))
24918 return -EFAULT;
24919 - strbuf[len] = '\0';
24920 - sscanf(strbuf, "%s", str);
24921 + strbuf[count] = '\0';
24922
24923 mutex_lock(&acpi_device_lock);
24924 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
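Review bot: Dropping the `sscanf(strbuf, "%s", str)` step in acpi_system_write_wakeup_device means leading and trailing whitespace is no longer stripped before the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk. A name shorter than four characters written with a trailing newline would then compare the newline against the terminator of `bus_id` and stop matching. Whether such short bus ids occur is not visible here. If that input should keep working, trim after terminating, e.g. `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. Clamping `count` itself, rather than a local `len`, also changes the value the function reports if it returns `count` later on (the end of the function is outside the hunk). The `= {0}` initializer is redundant with the explicit `strbuf[count] = '\0'`.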
24925 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
24926 if (!dev->wakeup.flags.valid)
24927 continue;
24928
24929 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
24930 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
24931 if (device_can_wakeup(&dev->dev)) {
24932 bool enable = !device_may_wakeup(&dev->dev);
24933 device_set_wakeup_enable(&dev->dev, enable);
24934 diff -urNp linux-2.6.39.2/drivers/acpi/processor_driver.c linux-2.6.39.2/drivers/acpi/processor_driver.c
24935 --- linux-2.6.39.2/drivers/acpi/processor_driver.c 2011-05-19 00:06:34.000000000 -0400
24936 +++ linux-2.6.39.2/drivers/acpi/processor_driver.c 2011-05-22 19:36:30.000000000 -0400
24937 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
24938 return 0;
24939 #endif
24940
24941 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
24942 + BUG_ON(pr->id >= nr_cpu_ids);
24943
24944 /*
24945 * Buggy BIOS check
24946 diff -urNp linux-2.6.39.2/drivers/acpi/processor_idle.c linux-2.6.39.2/drivers/acpi/processor_idle.c
24947 --- linux-2.6.39.2/drivers/acpi/processor_idle.c 2011-05-19 00:06:34.000000000 -0400
24948 +++ linux-2.6.39.2/drivers/acpi/processor_idle.c 2011-05-22 19:36:30.000000000 -0400
24949 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
24950 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
24951 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
24952 (void *)1},
24953 - {},
24954 + {}
24955 };
24956
24957
24958 diff -urNp linux-2.6.39.2/drivers/acpi/processor_thermal.c linux-2.6.39.2/drivers/acpi/processor_thermal.c
24959 --- linux-2.6.39.2/drivers/acpi/processor_thermal.c 2011-05-19 00:06:34.000000000 -0400
24960 +++ linux-2.6.39.2/drivers/acpi/processor_thermal.c 2011-05-22 19:36:30.000000000 -0400
24961 @@ -244,7 +244,7 @@ processor_set_cur_state(struct thermal_c
24962 return result;
24963 }
24964
24965 -struct thermal_cooling_device_ops processor_cooling_ops = {
24966 +const struct thermal_cooling_device_ops processor_cooling_ops = {
24967 .get_max_state = processor_get_max_state,
24968 .get_cur_state = processor_get_cur_state,
24969 .set_cur_state = processor_set_cur_state,
24970 diff -urNp linux-2.6.39.2/drivers/acpi/sysfs.c linux-2.6.39.2/drivers/acpi/sysfs.c
24971 --- linux-2.6.39.2/drivers/acpi/sysfs.c 2011-05-19 00:06:34.000000000 -0400
24972 +++ linux-2.6.39.2/drivers/acpi/sysfs.c 2011-05-22 19:36:30.000000000 -0400
24973 @@ -149,12 +149,12 @@ static int param_get_debug_level(char *b
24974 return result;
24975 }
24976
24977 -static struct kernel_param_ops param_ops_debug_layer = {
24978 +static const struct kernel_param_ops param_ops_debug_layer = {
24979 .set = param_set_uint,
24980 .get = param_get_debug_layer,
24981 };
24982
24983 -static struct kernel_param_ops param_ops_debug_level = {
24984 +static const struct kernel_param_ops param_ops_debug_level = {
24985 .set = param_set_uint,
24986 .get = param_get_debug_level,
24987 };
24988 diff -urNp linux-2.6.39.2/drivers/acpi/thermal.c linux-2.6.39.2/drivers/acpi/thermal.c
24989 --- linux-2.6.39.2/drivers/acpi/thermal.c 2011-05-19 00:06:34.000000000 -0400
24990 +++ linux-2.6.39.2/drivers/acpi/thermal.c 2011-05-22 19:36:30.000000000 -0400
24991 @@ -812,7 +812,7 @@ acpi_thermal_unbind_cooling_device(struc
24992 thermal_zone_unbind_cooling_device);
24993 }
24994
24995 -static struct thermal_zone_device_ops acpi_thermal_zone_ops = {
24996 +static const struct thermal_zone_device_ops acpi_thermal_zone_ops = {
24997 .bind = acpi_thermal_bind_cooling_device,
24998 .unbind = acpi_thermal_unbind_cooling_device,
24999 .get_temp = thermal_get_temp,
25000 diff -urNp linux-2.6.39.2/drivers/acpi/video.c linux-2.6.39.2/drivers/acpi/video.c
25001 --- linux-2.6.39.2/drivers/acpi/video.c 2011-05-19 00:06:34.000000000 -0400
25002 +++ linux-2.6.39.2/drivers/acpi/video.c 2011-05-22 19:36:30.000000000 -0400
25003 @@ -308,7 +308,7 @@ video_set_cur_state(struct thermal_cooli
25004 return acpi_video_device_lcd_set_level(video, level);
25005 }
25006
25007 -static struct thermal_cooling_device_ops video_cooling_ops = {
25008 +static const struct thermal_cooling_device_ops video_cooling_ops = {
25009 .get_max_state = video_get_max_state,
25010 .get_cur_state = video_get_cur_state,
25011 .set_cur_state = video_set_cur_state,
25012 diff -urNp linux-2.6.39.2/drivers/ata/acard-ahci.c linux-2.6.39.2/drivers/ata/acard-ahci.c
25013 --- linux-2.6.39.2/drivers/ata/acard-ahci.c 2011-05-19 00:06:34.000000000 -0400
25014 +++ linux-2.6.39.2/drivers/ata/acard-ahci.c 2011-05-22 19:36:30.000000000 -0400
25015 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
25016 AHCI_SHT("acard-ahci"),
25017 };
25018
25019 -static struct ata_port_operations acard_ops = {
25020 +static const struct ata_port_operations acard_ops = {
25021 .inherits = &ahci_ops,
25022 .qc_prep = acard_ahci_qc_prep,
25023 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
25024 diff -urNp linux-2.6.39.2/drivers/ata/ahci.c linux-2.6.39.2/drivers/ata/ahci.c
25025 --- linux-2.6.39.2/drivers/ata/ahci.c 2011-05-19 00:06:34.000000000 -0400
25026 +++ linux-2.6.39.2/drivers/ata/ahci.c 2011-05-22 19:36:30.000000000 -0400
25027 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
25028 AHCI_SHT("ahci"),
25029 };
25030
25031 -static struct ata_port_operations ahci_vt8251_ops = {
25032 +static const struct ata_port_operations ahci_vt8251_ops = {
25033 .inherits = &ahci_ops,
25034 .hardreset = ahci_vt8251_hardreset,
25035 };
25036
25037 -static struct ata_port_operations ahci_p5wdh_ops = {
25038 +static const struct ata_port_operations ahci_p5wdh_ops = {
25039 .inherits = &ahci_ops,
25040 .hardreset = ahci_p5wdh_hardreset,
25041 };
25042
25043 -static struct ata_port_operations ahci_sb600_ops = {
25044 +static const struct ata_port_operations ahci_sb600_ops = {
25045 .inherits = &ahci_ops,
25046 .softreset = ahci_sb600_softreset,
25047 .pmp_softreset = ahci_sb600_softreset,
25048 diff -urNp linux-2.6.39.2/drivers/ata/ahci.h linux-2.6.39.2/drivers/ata/ahci.h
25049 --- linux-2.6.39.2/drivers/ata/ahci.h 2011-05-19 00:06:34.000000000 -0400
25050 +++ linux-2.6.39.2/drivers/ata/ahci.h 2011-05-22 19:36:30.000000000 -0400
25051 @@ -311,7 +311,7 @@ extern struct device_attribute *ahci_sde
25052 .shost_attrs = ahci_shost_attrs, \
25053 .sdev_attrs = ahci_sdev_attrs
25054
25055 -extern struct ata_port_operations ahci_ops;
25056 +extern const struct ata_port_operations ahci_ops;
25057
25058 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
25059 u32 opts);
25060 diff -urNp linux-2.6.39.2/drivers/ata/ata_generic.c linux-2.6.39.2/drivers/ata/ata_generic.c
25061 --- linux-2.6.39.2/drivers/ata/ata_generic.c 2011-05-19 00:06:34.000000000 -0400
25062 +++ linux-2.6.39.2/drivers/ata/ata_generic.c 2011-05-22 19:36:30.000000000 -0400
25063 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
25064 ATA_BMDMA_SHT(DRV_NAME),
25065 };
25066
25067 -static struct ata_port_operations generic_port_ops = {
25068 +static const struct ata_port_operations generic_port_ops = {
25069 .inherits = &ata_bmdma_port_ops,
25070 .cable_detect = ata_cable_unknown,
25071 .set_mode = generic_set_mode,
25072 diff -urNp linux-2.6.39.2/drivers/ata/ata_piix.c linux-2.6.39.2/drivers/ata/ata_piix.c
25073 --- linux-2.6.39.2/drivers/ata/ata_piix.c 2011-05-19 00:06:34.000000000 -0400
25074 +++ linux-2.6.39.2/drivers/ata/ata_piix.c 2011-05-22 19:36:30.000000000 -0400
25075 @@ -335,12 +335,12 @@ static struct scsi_host_template piix_sh
25076 ATA_BMDMA_SHT(DRV_NAME),
25077 };
25078
25079 -static struct ata_port_operations piix_sata_ops = {
25080 +static const struct ata_port_operations piix_sata_ops = {
25081 .inherits = &ata_bmdma32_port_ops,
25082 .sff_irq_check = piix_irq_check,
25083 };
25084
25085 -static struct ata_port_operations piix_pata_ops = {
25086 +static const struct ata_port_operations piix_pata_ops = {
25087 .inherits = &piix_sata_ops,
25088 .cable_detect = ata_cable_40wire,
25089 .set_piomode = piix_set_piomode,
25090 @@ -348,12 +348,12 @@ static struct ata_port_operations piix_p
25091 .prereset = piix_pata_prereset,
25092 };
25093
25094 -static struct ata_port_operations piix_vmw_ops = {
25095 +static const struct ata_port_operations piix_vmw_ops = {
25096 .inherits = &piix_pata_ops,
25097 .bmdma_status = piix_vmw_bmdma_status,
25098 };
25099
25100 -static struct ata_port_operations ich_pata_ops = {
25101 +static const struct ata_port_operations ich_pata_ops = {
25102 .inherits = &piix_pata_ops,
25103 .cable_detect = ich_pata_cable_detect,
25104 .set_dmamode = ich_set_dmamode,
25105 @@ -369,7 +369,7 @@ static struct scsi_host_template piix_si
25106 .shost_attrs = piix_sidpr_shost_attrs,
25107 };
25108
25109 -static struct ata_port_operations piix_sidpr_sata_ops = {
25110 +static const struct ata_port_operations piix_sidpr_sata_ops = {
25111 .inherits = &piix_sata_ops,
25112 .hardreset = sata_std_hardreset,
25113 .scr_read = piix_sidpr_scr_read,
25114 diff -urNp linux-2.6.39.2/drivers/ata/libahci.c linux-2.6.39.2/drivers/ata/libahci.c
25115 --- linux-2.6.39.2/drivers/ata/libahci.c 2011-05-19 00:06:34.000000000 -0400
25116 +++ linux-2.6.39.2/drivers/ata/libahci.c 2011-05-22 19:36:30.000000000 -0400
25117 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
25118 };
25119 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
25120
25121 -struct ata_port_operations ahci_ops = {
25122 +const struct ata_port_operations ahci_ops = {
25123 .inherits = &sata_pmp_port_ops,
25124
25125 .qc_defer = ahci_pmp_qc_defer,
25126 diff -urNp linux-2.6.39.2/drivers/ata/libata-acpi.c linux-2.6.39.2/drivers/ata/libata-acpi.c
25127 --- linux-2.6.39.2/drivers/ata/libata-acpi.c 2011-05-19 00:06:34.000000000 -0400
25128 +++ linux-2.6.39.2/drivers/ata/libata-acpi.c 2011-05-22 19:36:30.000000000 -0400
25129 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
25130 ata_acpi_uevent(dev->link->ap, dev, event);
25131 }
25132
25133 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25134 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25135 .handler = ata_acpi_dev_notify_dock,
25136 .uevent = ata_acpi_dev_uevent,
25137 };
25138
25139 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25140 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25141 .handler = ata_acpi_ap_notify_dock,
25142 .uevent = ata_acpi_ap_uevent,
25143 };
25144 diff -urNp linux-2.6.39.2/drivers/ata/libata-core.c linux-2.6.39.2/drivers/ata/libata-core.c
25145 --- linux-2.6.39.2/drivers/ata/libata-core.c 2011-05-19 00:06:34.000000000 -0400
25146 +++ linux-2.6.39.2/drivers/ata/libata-core.c 2011-05-22 19:36:30.000000000 -0400
25147 @@ -4747,7 +4747,7 @@ void ata_qc_free(struct ata_queued_cmd *
25148 struct ata_port *ap;
25149 unsigned int tag;
25150
25151 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25152 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25153 ap = qc->ap;
25154
25155 qc->flags = 0;
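Review bot: Replacing `WARN_ON_ONCE(qc == NULL)` with `BUG_ON(qc == NULL)` in ata_qc_free, and again in __ata_qc_complete in the next hunk, turns a condition the comment says might happen into a guaranteed kernel stop. The old warning was followed directly by `ap = qc->ap`, so avoiding the NULL dereference is reasonable. Both functions return void, though, so `if (WARN_ON_ONCE(qc == NULL)) return;` would avoid the dereference without halting the machine. Whether an early return is safe in __ata_qc_complete depends on callers outside the hunk. If halting is the intended policy, say so in the comment instead of leaving the old "_might_ return NULL" wording on a `BUG_ON`.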
25156 @@ -4763,7 +4763,7 @@ void __ata_qc_complete(struct ata_queued
25157 struct ata_port *ap;
25158 struct ata_link *link;
25159
25160 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25161 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25162 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
25163 ap = qc->ap;
25164 link = qc->dev->link;
25165 @@ -5756,7 +5756,7 @@ static void ata_host_stop(struct device
25166 * LOCKING:
25167 * None.
25168 */
25169 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
25170 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
25171 {
25172 static DEFINE_SPINLOCK(lock);
25173 const struct ata_port_operations *cur;
25174 @@ -5768,6 +5768,7 @@ static void ata_finalize_port_ops(struct
25175 return;
25176
25177 spin_lock(&lock);
25178 + pax_open_kernel();
25179
25180 for (cur = ops->inherits; cur; cur = cur->inherits) {
25181 void **inherit = (void **)cur;
25182 @@ -5781,8 +5782,9 @@ static void ata_finalize_port_ops(struct
25183 if (IS_ERR(*pp))
25184 *pp = NULL;
25185
25186 - ops->inherits = NULL;
25187 + ((struct ata_port_operations *)ops)->inherits = NULL;
25188
25189 + pax_close_kernel();
25190 spin_unlock(&lock);
25191 }
25192
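Review bot: ata_finalize_port_ops now takes `const struct ata_port_operations *ops` but still writes to the table, through `pp` in the loop and via `((struct ata_port_operations *)ops)->inherits = NULL`, so the `const` in the signature no longer describes what the function does. Writing through a cast to an object that is actually defined `const` is undefined behaviour in C, and the unlocked early check of `ops->inherits` before `spin_lock` (partly outside these hunks) is something the compiler may treat as invariant. A comment at `pax_open_kernel()` should record that this is the one sanctioned write to the otherwise read-only ops tables and that the writable window is held under `lock`. Doing the write through one pointer declared at the top, e.g. `struct ata_port_operations *wops = (struct ata_port_operations *)ops;`, would keep the cast in a single visible place.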
25193 @@ -5879,7 +5881,7 @@ int ata_host_start(struct ata_host *host
25194 */
25195 /* KILLME - the only user left is ipr */
25196 void ata_host_init(struct ata_host *host, struct device *dev,
25197 - unsigned long flags, struct ata_port_operations *ops)
25198 + unsigned long flags, const struct ata_port_operations *ops)
25199 {
25200 spin_lock_init(&host->lock);
25201 mutex_init(&host->eh_mutex);
25202 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
25203 /* truly dummy */
25204 }
25205
25206 -struct ata_port_operations ata_dummy_port_ops = {
25207 +const struct ata_port_operations ata_dummy_port_ops = {
25208 .qc_prep = ata_noop_qc_prep,
25209 .qc_issue = ata_dummy_qc_issue,
25210 .error_handler = ata_dummy_error_handler,
25211 diff -urNp linux-2.6.39.2/drivers/ata/libata-eh.c linux-2.6.39.2/drivers/ata/libata-eh.c
25212 --- linux-2.6.39.2/drivers/ata/libata-eh.c 2011-05-19 00:06:34.000000000 -0400
25213 +++ linux-2.6.39.2/drivers/ata/libata-eh.c 2011-05-22 19:36:30.000000000 -0400
25214 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
25215 {
25216 struct ata_link *link;
25217
25218 + pax_track_stack();
25219 +
25220 ata_for_each_link(link, ap, HOST_FIRST)
25221 ata_eh_link_report(link);
25222 }
25223 @@ -3922,7 +3924,7 @@ void ata_do_eh(struct ata_port *ap, ata_
25224 */
25225 void ata_std_error_handler(struct ata_port *ap)
25226 {
25227 - struct ata_port_operations *ops = ap->ops;
25228 + const struct ata_port_operations *ops = ap->ops;
25229 ata_reset_fn_t hardreset = ops->hardreset;
25230
25231 /* ignore built-in hardreset if SCR access is not available */
25232 diff -urNp linux-2.6.39.2/drivers/ata/libata-pmp.c linux-2.6.39.2/drivers/ata/libata-pmp.c
25233 --- linux-2.6.39.2/drivers/ata/libata-pmp.c 2011-05-19 00:06:34.000000000 -0400
25234 +++ linux-2.6.39.2/drivers/ata/libata-pmp.c 2011-05-22 19:36:30.000000000 -0400
25235 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
25236 */
25237 static int sata_pmp_eh_recover(struct ata_port *ap)
25238 {
25239 - struct ata_port_operations *ops = ap->ops;
25240 + const struct ata_port_operations *ops = ap->ops;
25241 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25242 struct ata_link *pmp_link = &ap->link;
25243 struct ata_device *pmp_dev = pmp_link->device;
25244 diff -urNp linux-2.6.39.2/drivers/ata/pata_acpi.c linux-2.6.39.2/drivers/ata/pata_acpi.c
25245 --- linux-2.6.39.2/drivers/ata/pata_acpi.c 2011-05-19 00:06:34.000000000 -0400
25246 +++ linux-2.6.39.2/drivers/ata/pata_acpi.c 2011-05-22 19:36:30.000000000 -0400
25247 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
25248 ATA_BMDMA_SHT(DRV_NAME),
25249 };
25250
25251 -static struct ata_port_operations pacpi_ops = {
25252 +static const struct ata_port_operations pacpi_ops = {
25253 .inherits = &ata_bmdma_port_ops,
25254 .qc_issue = pacpi_qc_issue,
25255 .cable_detect = pacpi_cable_detect,
25256 diff -urNp linux-2.6.39.2/drivers/ata/pata_ali.c linux-2.6.39.2/drivers/ata/pata_ali.c
25257 --- linux-2.6.39.2/drivers/ata/pata_ali.c 2011-05-19 00:06:34.000000000 -0400
25258 +++ linux-2.6.39.2/drivers/ata/pata_ali.c 2011-05-22 19:36:30.000000000 -0400
25259 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
25260 * Port operations for PIO only ALi
25261 */
25262
25263 -static struct ata_port_operations ali_early_port_ops = {
25264 +static const struct ata_port_operations ali_early_port_ops = {
25265 .inherits = &ata_sff_port_ops,
25266 .cable_detect = ata_cable_40wire,
25267 .set_piomode = ali_set_piomode,
25268 @@ -380,7 +380,7 @@ static const struct ata_port_operations
25269 * Port operations for DMA capable ALi without cable
25270 * detect
25271 */
25272 -static struct ata_port_operations ali_20_port_ops = {
25273 +static const struct ata_port_operations ali_20_port_ops = {
25274 .inherits = &ali_dma_base_ops,
25275 .cable_detect = ata_cable_40wire,
25276 .mode_filter = ali_20_filter,
25277 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
25278 /*
25279 * Port operations for DMA capable ALi with cable detect
25280 */
25281 -static struct ata_port_operations ali_c2_port_ops = {
25282 +static const struct ata_port_operations ali_c2_port_ops = {
25283 .inherits = &ali_dma_base_ops,
25284 .check_atapi_dma = ali_check_atapi_dma,
25285 .cable_detect = ali_c2_cable_detect,
25286 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
25287 /*
25288 * Port operations for DMA capable ALi with cable detect
25289 */
25290 -static struct ata_port_operations ali_c4_port_ops = {
25291 +static const struct ata_port_operations ali_c4_port_ops = {
25292 .inherits = &ali_dma_base_ops,
25293 .check_atapi_dma = ali_check_atapi_dma,
25294 .cable_detect = ali_c2_cable_detect,
25295 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
25296 /*
25297 * Port operations for DMA capable ALi with cable detect and LBA48
25298 */
25299 -static struct ata_port_operations ali_c5_port_ops = {
25300 +static const struct ata_port_operations ali_c5_port_ops = {
25301 .inherits = &ali_dma_base_ops,
25302 .check_atapi_dma = ali_check_atapi_dma,
25303 .dev_config = ali_warn_atapi_dma,
25304 diff -urNp linux-2.6.39.2/drivers/ata/pata_amd.c linux-2.6.39.2/drivers/ata/pata_amd.c
25305 --- linux-2.6.39.2/drivers/ata/pata_amd.c 2011-05-19 00:06:34.000000000 -0400
25306 +++ linux-2.6.39.2/drivers/ata/pata_amd.c 2011-05-22 19:36:31.000000000 -0400
25307 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25308 .prereset = amd_pre_reset,
25309 };
25310
25311 -static struct ata_port_operations amd33_port_ops = {
25312 +static const struct ata_port_operations amd33_port_ops = {
25313 .inherits = &amd_base_port_ops,
25314 .cable_detect = ata_cable_40wire,
25315 .set_piomode = amd33_set_piomode,
25316 .set_dmamode = amd33_set_dmamode,
25317 };
25318
25319 -static struct ata_port_operations amd66_port_ops = {
25320 +static const struct ata_port_operations amd66_port_ops = {
25321 .inherits = &amd_base_port_ops,
25322 .cable_detect = ata_cable_unknown,
25323 .set_piomode = amd66_set_piomode,
25324 .set_dmamode = amd66_set_dmamode,
25325 };
25326
25327 -static struct ata_port_operations amd100_port_ops = {
25328 +static const struct ata_port_operations amd100_port_ops = {
25329 .inherits = &amd_base_port_ops,
25330 .cable_detect = ata_cable_unknown,
25331 .set_piomode = amd100_set_piomode,
25332 .set_dmamode = amd100_set_dmamode,
25333 };
25334
25335 -static struct ata_port_operations amd133_port_ops = {
25336 +static const struct ata_port_operations amd133_port_ops = {
25337 .inherits = &amd_base_port_ops,
25338 .cable_detect = amd_cable_detect,
25339 .set_piomode = amd133_set_piomode,
25340 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25341 .host_stop = nv_host_stop,
25342 };
25343
25344 -static struct ata_port_operations nv100_port_ops = {
25345 +static const struct ata_port_operations nv100_port_ops = {
25346 .inherits = &nv_base_port_ops,
25347 .set_piomode = nv100_set_piomode,
25348 .set_dmamode = nv100_set_dmamode,
25349 };
25350
25351 -static struct ata_port_operations nv133_port_ops = {
25352 +static const struct ata_port_operations nv133_port_ops = {
25353 .inherits = &nv_base_port_ops,
25354 .set_piomode = nv133_set_piomode,
25355 .set_dmamode = nv133_set_dmamode,
25356 diff -urNp linux-2.6.39.2/drivers/ata/pata_arasan_cf.c linux-2.6.39.2/drivers/ata/pata_arasan_cf.c
25357 --- linux-2.6.39.2/drivers/ata/pata_arasan_cf.c 2011-05-19 00:06:34.000000000 -0400
25358 +++ linux-2.6.39.2/drivers/ata/pata_arasan_cf.c 2011-05-22 19:36:31.000000000 -0400
25359 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
25360 /* Handle platform specific quirks */
25361 if (pdata->quirk) {
25362 if (pdata->quirk & CF_BROKEN_PIO) {
25363 - ap->ops->set_piomode = NULL;
25364 + pax_open_kernel();
25365 + *(void**)&ap->ops->set_piomode = NULL;
25366 + pax_close_kernel();
25367 ap->pio_mask = 0;
25368 }
25369 if (pdata->quirk & CF_BROKEN_MWDMA)
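Review bot: The write `*(void**)&ap->ops->set_piomode = NULL;` in arasan_cf_probe edits the ops table that `ap->ops` points to, which is presumably shared by every port using this driver, so a quirk on one device changes the behaviour of all of them. It also needs `pax_open_kernel()` and a cast to get past the `const` this patch adds elsewhere. A cleaner form is a second `const` ops table that omits `set_piomode`, with the probe path selecting that table when `CF_BROKEN_PIO` is set, which removes the runtime write to read-only data. The table definition is outside the hunk, so this should be checked against how `ap->ops` is assigned.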
25370 diff -urNp linux-2.6.39.2/drivers/ata/pata_artop.c linux-2.6.39.2/drivers/ata/pata_artop.c
25371 --- linux-2.6.39.2/drivers/ata/pata_artop.c 2011-05-19 00:06:34.000000000 -0400
25372 +++ linux-2.6.39.2/drivers/ata/pata_artop.c 2011-05-22 19:36:31.000000000 -0400
25373 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
25374 ATA_BMDMA_SHT(DRV_NAME),
25375 };
25376
25377 -static struct ata_port_operations artop6210_ops = {
25378 +static const struct ata_port_operations artop6210_ops = {
25379 .inherits = &ata_bmdma_port_ops,
25380 .cable_detect = ata_cable_40wire,
25381 .set_piomode = artop6210_set_piomode,
25382 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
25383 .qc_defer = artop6210_qc_defer,
25384 };
25385
25386 -static struct ata_port_operations artop6260_ops = {
25387 +static const struct ata_port_operations artop6260_ops = {
25388 .inherits = &ata_bmdma_port_ops,
25389 .cable_detect = artop6260_cable_detect,
25390 .set_piomode = artop6260_set_piomode,
25391 diff -urNp linux-2.6.39.2/drivers/ata/pata_at32.c linux-2.6.39.2/drivers/ata/pata_at32.c
25392 --- linux-2.6.39.2/drivers/ata/pata_at32.c 2011-05-19 00:06:34.000000000 -0400
25393 +++ linux-2.6.39.2/drivers/ata/pata_at32.c 2011-05-22 19:36:31.000000000 -0400
25394 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
25395 ATA_PIO_SHT(DRV_NAME),
25396 };
25397
25398 -static struct ata_port_operations at32_port_ops = {
25399 +static const struct ata_port_operations at32_port_ops = {
25400 .inherits = &ata_sff_port_ops,
25401 .cable_detect = ata_cable_40wire,
25402 .set_piomode = pata_at32_set_piomode,
25403 diff -urNp linux-2.6.39.2/drivers/ata/pata_at91.c linux-2.6.39.2/drivers/ata/pata_at91.c
25404 --- linux-2.6.39.2/drivers/ata/pata_at91.c 2011-05-19 00:06:34.000000000 -0400
25405 +++ linux-2.6.39.2/drivers/ata/pata_at91.c 2011-05-22 19:36:31.000000000 -0400
25406 @@ -212,7 +212,7 @@ static struct scsi_host_template pata_at
25407 ATA_PIO_SHT(DRV_NAME),
25408 };
25409
25410 -static struct ata_port_operations pata_at91_port_ops = {
25411 +static const struct ata_port_operations pata_at91_port_ops = {
25412 .inherits = &ata_sff_port_ops,
25413
25414 .sff_data_xfer = pata_at91_data_xfer_noirq,
25415 diff -urNp linux-2.6.39.2/drivers/ata/pata_atiixp.c linux-2.6.39.2/drivers/ata/pata_atiixp.c
25416 --- linux-2.6.39.2/drivers/ata/pata_atiixp.c 2011-05-19 00:06:34.000000000 -0400
25417 +++ linux-2.6.39.2/drivers/ata/pata_atiixp.c 2011-05-22 19:36:31.000000000 -0400
25418 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
25419 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25420 };
25421
25422 -static struct ata_port_operations atiixp_port_ops = {
25423 +static const struct ata_port_operations atiixp_port_ops = {
25424 .inherits = &ata_bmdma_port_ops,
25425
25426 .qc_prep = ata_bmdma_dumb_qc_prep,
25427 diff -urNp linux-2.6.39.2/drivers/ata/pata_atp867x.c linux-2.6.39.2/drivers/ata/pata_atp867x.c
25428 --- linux-2.6.39.2/drivers/ata/pata_atp867x.c 2011-05-19 00:06:34.000000000 -0400
25429 +++ linux-2.6.39.2/drivers/ata/pata_atp867x.c 2011-05-22 19:36:31.000000000 -0400
25430 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
25431 ATA_BMDMA_SHT(DRV_NAME),
25432 };
25433
25434 -static struct ata_port_operations atp867x_ops = {
25435 +static const struct ata_port_operations atp867x_ops = {
25436 .inherits = &ata_bmdma_port_ops,
25437 .cable_detect = atp867x_cable_detect,
25438 .set_piomode = atp867x_set_piomode,
25439 diff -urNp linux-2.6.39.2/drivers/ata/pata_bf54x.c linux-2.6.39.2/drivers/ata/pata_bf54x.c
25440 --- linux-2.6.39.2/drivers/ata/pata_bf54x.c 2011-05-19 00:06:34.000000000 -0400
25441 +++ linux-2.6.39.2/drivers/ata/pata_bf54x.c 2011-05-22 19:36:31.000000000 -0400
25442 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
25443 .dma_boundary = ATA_DMA_BOUNDARY,
25444 };
25445
25446 -static struct ata_port_operations bfin_pata_ops = {
25447 +static const struct ata_port_operations bfin_pata_ops = {
25448 .inherits = &ata_bmdma_port_ops,
25449
25450 .set_piomode = bfin_set_piomode,
25451 diff -urNp linux-2.6.39.2/drivers/ata/pata_cmd640.c linux-2.6.39.2/drivers/ata/pata_cmd640.c
25452 --- linux-2.6.39.2/drivers/ata/pata_cmd640.c 2011-05-19 00:06:34.000000000 -0400
25453 +++ linux-2.6.39.2/drivers/ata/pata_cmd640.c 2011-05-22 19:36:31.000000000 -0400
25454 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
25455 ATA_PIO_SHT(DRV_NAME),
25456 };
25457
25458 -static struct ata_port_operations cmd640_port_ops = {
25459 +static const struct ata_port_operations cmd640_port_ops = {
25460 .inherits = &ata_sff_port_ops,
25461 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25462 .sff_data_xfer = ata_sff_data_xfer_noirq,
25463 diff -urNp linux-2.6.39.2/drivers/ata/pata_cmd64x.c linux-2.6.39.2/drivers/ata/pata_cmd64x.c
25464 --- linux-2.6.39.2/drivers/ata/pata_cmd64x.c 2011-06-03 00:04:13.000000000 -0400
25465 +++ linux-2.6.39.2/drivers/ata/pata_cmd64x.c 2011-06-03 00:32:05.000000000 -0400
25466 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25467 .set_dmamode = cmd64x_set_dmamode,
25468 };
25469
25470 -static struct ata_port_operations cmd64x_port_ops = {
25471 +static const struct ata_port_operations cmd64x_port_ops = {
25472 .inherits = &cmd64x_base_ops,
25473 .cable_detect = ata_cable_40wire,
25474 };
25475
25476 -static struct ata_port_operations cmd646r1_port_ops = {
25477 +static const struct ata_port_operations cmd646r1_port_ops = {
25478 .inherits = &cmd64x_base_ops,
25479 .bmdma_stop = cmd646r1_bmdma_stop,
25480 .cable_detect = ata_cable_40wire,
25481 };
25482
25483 -static struct ata_port_operations cmd648_port_ops = {
25484 +static const struct ata_port_operations cmd648_port_ops = {
25485 .inherits = &cmd64x_base_ops,
25486 .bmdma_stop = cmd648_bmdma_stop,
25487 .cable_detect = cmd648_cable_detect,
25488 diff -urNp linux-2.6.39.2/drivers/ata/pata_cs5520.c linux-2.6.39.2/drivers/ata/pata_cs5520.c
25489 --- linux-2.6.39.2/drivers/ata/pata_cs5520.c 2011-05-19 00:06:34.000000000 -0400
25490 +++ linux-2.6.39.2/drivers/ata/pata_cs5520.c 2011-05-22 19:36:31.000000000 -0400
25491 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
25492 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25493 };
25494
25495 -static struct ata_port_operations cs5520_port_ops = {
25496 +static const struct ata_port_operations cs5520_port_ops = {
25497 .inherits = &ata_bmdma_port_ops,
25498 .qc_prep = ata_bmdma_dumb_qc_prep,
25499 .cable_detect = ata_cable_40wire,
25500 diff -urNp linux-2.6.39.2/drivers/ata/pata_cs5530.c linux-2.6.39.2/drivers/ata/pata_cs5530.c
25501 --- linux-2.6.39.2/drivers/ata/pata_cs5530.c 2011-05-19 00:06:34.000000000 -0400
25502 +++ linux-2.6.39.2/drivers/ata/pata_cs5530.c 2011-05-22 19:36:31.000000000 -0400
25503 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25504 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25505 };
25506
25507 -static struct ata_port_operations cs5530_port_ops = {
25508 +static const struct ata_port_operations cs5530_port_ops = {
25509 .inherits = &ata_bmdma_port_ops,
25510
25511 .qc_prep = ata_bmdma_dumb_qc_prep,
25512 diff -urNp linux-2.6.39.2/drivers/ata/pata_cs5535.c linux-2.6.39.2/drivers/ata/pata_cs5535.c
25513 --- linux-2.6.39.2/drivers/ata/pata_cs5535.c 2011-05-19 00:06:34.000000000 -0400
25514 +++ linux-2.6.39.2/drivers/ata/pata_cs5535.c 2011-05-22 19:36:31.000000000 -0400
25515 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25516 ATA_BMDMA_SHT(DRV_NAME),
25517 };
25518
25519 -static struct ata_port_operations cs5535_port_ops = {
25520 +static const struct ata_port_operations cs5535_port_ops = {
25521 .inherits = &ata_bmdma_port_ops,
25522 .cable_detect = cs5535_cable_detect,
25523 .set_piomode = cs5535_set_piomode,
25524 diff -urNp linux-2.6.39.2/drivers/ata/pata_cs5536.c linux-2.6.39.2/drivers/ata/pata_cs5536.c
25525 --- linux-2.6.39.2/drivers/ata/pata_cs5536.c 2011-05-19 00:06:34.000000000 -0400
25526 +++ linux-2.6.39.2/drivers/ata/pata_cs5536.c 2011-05-22 19:36:31.000000000 -0400
25527 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
25528 ATA_BMDMA_SHT(DRV_NAME),
25529 };
25530
25531 -static struct ata_port_operations cs5536_port_ops = {
25532 +static const struct ata_port_operations cs5536_port_ops = {
25533 .inherits = &ata_bmdma32_port_ops,
25534 .cable_detect = cs5536_cable_detect,
25535 .set_piomode = cs5536_set_piomode,
25536 diff -urNp linux-2.6.39.2/drivers/ata/pata_cypress.c linux-2.6.39.2/drivers/ata/pata_cypress.c
25537 --- linux-2.6.39.2/drivers/ata/pata_cypress.c 2011-05-19 00:06:34.000000000 -0400
25538 +++ linux-2.6.39.2/drivers/ata/pata_cypress.c 2011-05-22 19:36:31.000000000 -0400
25539 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
25540 ATA_BMDMA_SHT(DRV_NAME),
25541 };
25542
25543 -static struct ata_port_operations cy82c693_port_ops = {
25544 +static const struct ata_port_operations cy82c693_port_ops = {
25545 .inherits = &ata_bmdma_port_ops,
25546 .cable_detect = ata_cable_40wire,
25547 .set_piomode = cy82c693_set_piomode,
25548 diff -urNp linux-2.6.39.2/drivers/ata/pata_efar.c linux-2.6.39.2/drivers/ata/pata_efar.c
25549 --- linux-2.6.39.2/drivers/ata/pata_efar.c 2011-05-19 00:06:34.000000000 -0400
25550 +++ linux-2.6.39.2/drivers/ata/pata_efar.c 2011-05-22 19:36:31.000000000 -0400
25551 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
25552 ATA_BMDMA_SHT(DRV_NAME),
25553 };
25554
25555 -static struct ata_port_operations efar_ops = {
25556 +static const struct ata_port_operations efar_ops = {
25557 .inherits = &ata_bmdma_port_ops,
25558 .cable_detect = efar_cable_detect,
25559 .set_piomode = efar_set_piomode,
25560 diff -urNp linux-2.6.39.2/drivers/ata/pata_hpt366.c linux-2.6.39.2/drivers/ata/pata_hpt366.c
25561 --- linux-2.6.39.2/drivers/ata/pata_hpt366.c 2011-05-19 00:06:34.000000000 -0400
25562 +++ linux-2.6.39.2/drivers/ata/pata_hpt366.c 2011-05-22 19:36:31.000000000 -0400
25563 @@ -276,7 +276,7 @@ static struct scsi_host_template hpt36x_
25564 * Configuration for HPT366/68
25565 */
25566
25567 -static struct ata_port_operations hpt366_port_ops = {
25568 +static const struct ata_port_operations hpt366_port_ops = {
25569 .inherits = &ata_bmdma_port_ops,
25570 .cable_detect = hpt36x_cable_detect,
25571 .mode_filter = hpt366_filter,
25572 diff -urNp linux-2.6.39.2/drivers/ata/pata_hpt37x.c linux-2.6.39.2/drivers/ata/pata_hpt37x.c
25573 --- linux-2.6.39.2/drivers/ata/pata_hpt37x.c 2011-05-19 00:06:34.000000000 -0400
25574 +++ linux-2.6.39.2/drivers/ata/pata_hpt37x.c 2011-05-22 19:36:31.000000000 -0400
25575 @@ -589,7 +589,7 @@ static struct scsi_host_template hpt37x_
25576 * Configuration for HPT370
25577 */
25578
25579 -static struct ata_port_operations hpt370_port_ops = {
25580 +static const struct ata_port_operations hpt370_port_ops = {
25581 .inherits = &ata_bmdma_port_ops,
25582
25583 .bmdma_stop = hpt370_bmdma_stop,
25584 @@ -605,7 +605,7 @@ static struct ata_port_operations hpt370
25585 * Configuration for HPT370A. Close to 370 but less filters
25586 */
25587
25588 -static struct ata_port_operations hpt370a_port_ops = {
25589 +static const struct ata_port_operations hpt370a_port_ops = {
25590 .inherits = &hpt370_port_ops,
25591 .mode_filter = hpt370a_filter,
25592 };
25593 @@ -615,7 +615,7 @@ static struct ata_port_operations hpt370
25594 * mode setting functionality.
25595 */
25596
25597 -static struct ata_port_operations hpt302_port_ops = {
25598 +static const struct ata_port_operations hpt302_port_ops = {
25599 .inherits = &ata_bmdma_port_ops,
25600
25601 .bmdma_stop = hpt37x_bmdma_stop,
25602 @@ -631,7 +631,7 @@ static struct ata_port_operations hpt302
25603 * but we have a mode filter.
25604 */
25605
25606 -static struct ata_port_operations hpt372_port_ops = {
25607 +static const struct ata_port_operations hpt372_port_ops = {
25608 .inherits = &hpt302_port_ops,
25609 .mode_filter = hpt372_filter,
25610 };
25611 @@ -641,7 +641,7 @@ static struct ata_port_operations hpt372
25612 * but we have a different cable detection procedure for function 1.
25613 */
25614
25615 -static struct ata_port_operations hpt374_fn1_port_ops = {
25616 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25617 .inherits = &hpt372_port_ops,
25618 .cable_detect = hpt374_fn1_cable_detect,
25619 };
25620 diff -urNp linux-2.6.39.2/drivers/ata/pata_hpt3x2n.c linux-2.6.39.2/drivers/ata/pata_hpt3x2n.c
25621 --- linux-2.6.39.2/drivers/ata/pata_hpt3x2n.c 2011-05-19 00:06:34.000000000 -0400
25622 +++ linux-2.6.39.2/drivers/ata/pata_hpt3x2n.c 2011-05-22 19:36:31.000000000 -0400
25623 @@ -350,7 +350,7 @@ static struct scsi_host_template hpt3x2n
25624 * Configuration for HPT302N/371N.
25625 */
25626
25627 -static struct ata_port_operations hpt3xxn_port_ops = {
25628 +static const struct ata_port_operations hpt3xxn_port_ops = {
25629 .inherits = &ata_bmdma_port_ops,
25630
25631 .bmdma_stop = hpt3x2n_bmdma_stop,
25632 @@ -368,7 +368,7 @@ static struct ata_port_operations hpt3xx
25633 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
25634 */
25635
25636 -static struct ata_port_operations hpt372n_port_ops = {
25637 +static const struct ata_port_operations hpt372n_port_ops = {
25638 .inherits = &hpt3xxn_port_ops,
25639 .mode_filter = &hpt372n_filter,
25640 };
25641 diff -urNp linux-2.6.39.2/drivers/ata/pata_hpt3x3.c linux-2.6.39.2/drivers/ata/pata_hpt3x3.c
25642 --- linux-2.6.39.2/drivers/ata/pata_hpt3x3.c 2011-05-19 00:06:34.000000000 -0400
25643 +++ linux-2.6.39.2/drivers/ata/pata_hpt3x3.c 2011-05-22 19:36:31.000000000 -0400
25644 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25645 ATA_BMDMA_SHT(DRV_NAME),
25646 };
25647
25648 -static struct ata_port_operations hpt3x3_port_ops = {
25649 +static const struct ata_port_operations hpt3x3_port_ops = {
25650 .inherits = &ata_bmdma_port_ops,
25651 .cable_detect = ata_cable_40wire,
25652 .set_piomode = hpt3x3_set_piomode,
25653 diff -urNp linux-2.6.39.2/drivers/ata/pata_icside.c linux-2.6.39.2/drivers/ata/pata_icside.c
25654 --- linux-2.6.39.2/drivers/ata/pata_icside.c 2011-05-19 00:06:34.000000000 -0400
25655 +++ linux-2.6.39.2/drivers/ata/pata_icside.c 2011-05-22 19:36:31.000000000 -0400
25656 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
25657 }
25658 }
25659
25660 -static struct ata_port_operations pata_icside_port_ops = {
25661 +static const struct ata_port_operations pata_icside_port_ops = {
25662 .inherits = &ata_bmdma_port_ops,
25663 /* no need to build any PRD tables for DMA */
25664 .qc_prep = ata_noop_qc_prep,
25665 diff -urNp linux-2.6.39.2/drivers/ata/pata_isapnp.c linux-2.6.39.2/drivers/ata/pata_isapnp.c
25666 --- linux-2.6.39.2/drivers/ata/pata_isapnp.c 2011-05-19 00:06:34.000000000 -0400
25667 +++ linux-2.6.39.2/drivers/ata/pata_isapnp.c 2011-05-22 19:36:31.000000000 -0400
25668 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25669 ATA_PIO_SHT(DRV_NAME),
25670 };
25671
25672 -static struct ata_port_operations isapnp_port_ops = {
25673 +static const struct ata_port_operations isapnp_port_ops = {
25674 .inherits = &ata_sff_port_ops,
25675 .cable_detect = ata_cable_40wire,
25676 };
25677
25678 -static struct ata_port_operations isapnp_noalt_port_ops = {
25679 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25680 .inherits = &ata_sff_port_ops,
25681 .cable_detect = ata_cable_40wire,
25682 /* No altstatus so we don't want to use the lost interrupt poll */
25683 diff -urNp linux-2.6.39.2/drivers/ata/pata_it8213.c linux-2.6.39.2/drivers/ata/pata_it8213.c
25684 --- linux-2.6.39.2/drivers/ata/pata_it8213.c 2011-05-19 00:06:34.000000000 -0400
25685 +++ linux-2.6.39.2/drivers/ata/pata_it8213.c 2011-05-22 19:36:31.000000000 -0400
25686 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
25687 };
25688
25689
25690 -static struct ata_port_operations it8213_ops = {
25691 +static const struct ata_port_operations it8213_ops = {
25692 .inherits = &ata_bmdma_port_ops,
25693 .cable_detect = it8213_cable_detect,
25694 .set_piomode = it8213_set_piomode,
25695 diff -urNp linux-2.6.39.2/drivers/ata/pata_it821x.c linux-2.6.39.2/drivers/ata/pata_it821x.c
25696 --- linux-2.6.39.2/drivers/ata/pata_it821x.c 2011-05-19 00:06:34.000000000 -0400
25697 +++ linux-2.6.39.2/drivers/ata/pata_it821x.c 2011-05-22 19:36:31.000000000 -0400
25698 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
25699 ATA_BMDMA_SHT(DRV_NAME),
25700 };
25701
25702 -static struct ata_port_operations it821x_smart_port_ops = {
25703 +static const struct ata_port_operations it821x_smart_port_ops = {
25704 .inherits = &ata_bmdma_port_ops,
25705
25706 .check_atapi_dma= it821x_check_atapi_dma,
25707 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
25708 .port_start = it821x_port_start,
25709 };
25710
25711 -static struct ata_port_operations it821x_passthru_port_ops = {
25712 +static const struct ata_port_operations it821x_passthru_port_ops = {
25713 .inherits = &ata_bmdma_port_ops,
25714
25715 .check_atapi_dma= it821x_check_atapi_dma,
25716 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
25717 .port_start = it821x_port_start,
25718 };
25719
25720 -static struct ata_port_operations it821x_rdc_port_ops = {
25721 +static const struct ata_port_operations it821x_rdc_port_ops = {
25722 .inherits = &ata_bmdma_port_ops,
25723
25724 .check_atapi_dma= it821x_check_atapi_dma,
25725 diff -urNp linux-2.6.39.2/drivers/ata/pata_ixp4xx_cf.c linux-2.6.39.2/drivers/ata/pata_ixp4xx_cf.c
25726 --- linux-2.6.39.2/drivers/ata/pata_ixp4xx_cf.c 2011-05-19 00:06:34.000000000 -0400
25727 +++ linux-2.6.39.2/drivers/ata/pata_ixp4xx_cf.c 2011-05-22 19:36:31.000000000 -0400
25728 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25729 ATA_PIO_SHT(DRV_NAME),
25730 };
25731
25732 -static struct ata_port_operations ixp4xx_port_ops = {
25733 +static const struct ata_port_operations ixp4xx_port_ops = {
25734 .inherits = &ata_sff_port_ops,
25735 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25736 .cable_detect = ata_cable_40wire,
25737 diff -urNp linux-2.6.39.2/drivers/ata/pata_jmicron.c linux-2.6.39.2/drivers/ata/pata_jmicron.c
25738 --- linux-2.6.39.2/drivers/ata/pata_jmicron.c 2011-05-19 00:06:34.000000000 -0400
25739 +++ linux-2.6.39.2/drivers/ata/pata_jmicron.c 2011-05-22 19:36:31.000000000 -0400
25740 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25741 ATA_BMDMA_SHT(DRV_NAME),
25742 };
25743
25744 -static struct ata_port_operations jmicron_ops = {
25745 +static const struct ata_port_operations jmicron_ops = {
25746 .inherits = &ata_bmdma_port_ops,
25747 .prereset = jmicron_pre_reset,
25748 };
25749 diff -urNp linux-2.6.39.2/drivers/ata/pata_legacy.c linux-2.6.39.2/drivers/ata/pata_legacy.c
25750 --- linux-2.6.39.2/drivers/ata/pata_legacy.c 2011-05-19 00:06:34.000000000 -0400
25751 +++ linux-2.6.39.2/drivers/ata/pata_legacy.c 2011-05-22 19:36:31.000000000 -0400
25752 @@ -116,7 +116,7 @@ struct legacy_probe {
25753
25754 struct legacy_controller {
25755 const char *name;
25756 - struct ata_port_operations *ops;
25757 + const struct ata_port_operations *ops;
25758 unsigned int pio_mask;
25759 unsigned int flags;
25760 unsigned int pflags;
25761 @@ -239,12 +239,12 @@ static const struct ata_port_operations
25762 * pio_mask as well.
25763 */
25764
25765 -static struct ata_port_operations simple_port_ops = {
25766 +static const struct ata_port_operations simple_port_ops = {
25767 .inherits = &legacy_base_port_ops,
25768 .sff_data_xfer = ata_sff_data_xfer_noirq,
25769 };
25770
25771 -static struct ata_port_operations legacy_port_ops = {
25772 +static const struct ata_port_operations legacy_port_ops = {
25773 .inherits = &legacy_base_port_ops,
25774 .sff_data_xfer = ata_sff_data_xfer_noirq,
25775 .set_mode = legacy_set_mode,
25776 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
25777 return buflen;
25778 }
25779
25780 -static struct ata_port_operations pdc20230_port_ops = {
25781 +static const struct ata_port_operations pdc20230_port_ops = {
25782 .inherits = &legacy_base_port_ops,
25783 .set_piomode = pdc20230_set_piomode,
25784 .sff_data_xfer = pdc_data_xfer_vlb,
25785 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
25786 ioread8(ap->ioaddr.status_addr);
25787 }
25788
25789 -static struct ata_port_operations ht6560a_port_ops = {
25790 +static const struct ata_port_operations ht6560a_port_ops = {
25791 .inherits = &legacy_base_port_ops,
25792 .set_piomode = ht6560a_set_piomode,
25793 };
25794 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
25795 ioread8(ap->ioaddr.status_addr);
25796 }
25797
25798 -static struct ata_port_operations ht6560b_port_ops = {
25799 +static const struct ata_port_operations ht6560b_port_ops = {
25800 .inherits = &legacy_base_port_ops,
25801 .set_piomode = ht6560b_set_piomode,
25802 };
25803 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
25804 }
25805
25806
25807 -static struct ata_port_operations opti82c611a_port_ops = {
25808 +static const struct ata_port_operations opti82c611a_port_ops = {
25809 .inherits = &legacy_base_port_ops,
25810 .set_piomode = opti82c611a_set_piomode,
25811 };
25812 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
25813 return ata_sff_qc_issue(qc);
25814 }
25815
25816 -static struct ata_port_operations opti82c46x_port_ops = {
25817 +static const struct ata_port_operations opti82c46x_port_ops = {
25818 .inherits = &legacy_base_port_ops,
25819 .set_piomode = opti82c46x_set_piomode,
25820 .qc_issue = opti82c46x_qc_issue,
25821 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
25822 return 0;
25823 }
25824
25825 -static struct ata_port_operations qdi6500_port_ops = {
25826 +static const struct ata_port_operations qdi6500_port_ops = {
25827 .inherits = &legacy_base_port_ops,
25828 .set_piomode = qdi6500_set_piomode,
25829 .qc_issue = qdi_qc_issue,
25830 .sff_data_xfer = vlb32_data_xfer,
25831 };
25832
25833 -static struct ata_port_operations qdi6580_port_ops = {
25834 +static const struct ata_port_operations qdi6580_port_ops = {
25835 .inherits = &legacy_base_port_ops,
25836 .set_piomode = qdi6580_set_piomode,
25837 .sff_data_xfer = vlb32_data_xfer,
25838 };
25839
25840 -static struct ata_port_operations qdi6580dp_port_ops = {
25841 +static const struct ata_port_operations qdi6580dp_port_ops = {
25842 .inherits = &legacy_base_port_ops,
25843 .set_piomode = qdi6580dp_set_piomode,
25844 .qc_issue = qdi_qc_issue,
25845 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
25846 return 0;
25847 }
25848
25849 -static struct ata_port_operations winbond_port_ops = {
25850 +static const struct ata_port_operations winbond_port_ops = {
25851 .inherits = &legacy_base_port_ops,
25852 .set_piomode = winbond_set_piomode,
25853 .sff_data_xfer = vlb32_data_xfer,
25854 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
25855 int pio_modes = controller->pio_mask;
25856 unsigned long io = probe->port;
25857 u32 mask = (1 << probe->slot);
25858 - struct ata_port_operations *ops = controller->ops;
25859 + const struct ata_port_operations *ops = controller->ops;
25860 struct legacy_data *ld = &legacy_data[probe->slot];
25861 struct ata_host *host = NULL;
25862 struct ata_port *ap;
25863 diff -urNp linux-2.6.39.2/drivers/ata/pata_macio.c linux-2.6.39.2/drivers/ata/pata_macio.c
25864 --- linux-2.6.39.2/drivers/ata/pata_macio.c 2011-05-19 00:06:34.000000000 -0400
25865 +++ linux-2.6.39.2/drivers/ata/pata_macio.c 2011-05-22 19:36:31.000000000 -0400
25866 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
25867 .slave_configure = pata_macio_slave_config,
25868 };
25869
25870 -static struct ata_port_operations pata_macio_ops = {
25871 +static const struct ata_port_operations pata_macio_ops = {
25872 .inherits = &ata_bmdma_port_ops,
25873 -
25874 .freeze = pata_macio_freeze,
25875 .set_piomode = pata_macio_set_timings,
25876 .set_dmamode = pata_macio_set_timings,
25877 diff -urNp linux-2.6.39.2/drivers/ata/pata_marvell.c linux-2.6.39.2/drivers/ata/pata_marvell.c
25878 --- linux-2.6.39.2/drivers/ata/pata_marvell.c 2011-05-19 00:06:34.000000000 -0400
25879 +++ linux-2.6.39.2/drivers/ata/pata_marvell.c 2011-05-22 19:36:31.000000000 -0400
25880 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
25881 ATA_BMDMA_SHT(DRV_NAME),
25882 };
25883
25884 -static struct ata_port_operations marvell_ops = {
25885 +static const struct ata_port_operations marvell_ops = {
25886 .inherits = &ata_bmdma_port_ops,
25887 .cable_detect = marvell_cable_detect,
25888 .prereset = marvell_pre_reset,
25889 diff -urNp linux-2.6.39.2/drivers/ata/pata_mpc52xx.c linux-2.6.39.2/drivers/ata/pata_mpc52xx.c
25890 --- linux-2.6.39.2/drivers/ata/pata_mpc52xx.c 2011-05-19 00:06:34.000000000 -0400
25891 +++ linux-2.6.39.2/drivers/ata/pata_mpc52xx.c 2011-05-22 19:36:31.000000000 -0400
25892 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
25893 ATA_PIO_SHT(DRV_NAME),
25894 };
25895
25896 -static struct ata_port_operations mpc52xx_ata_port_ops = {
25897 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
25898 .inherits = &ata_bmdma_port_ops,
25899 .sff_dev_select = mpc52xx_ata_dev_select,
25900 .set_piomode = mpc52xx_ata_set_piomode,
25901 diff -urNp linux-2.6.39.2/drivers/ata/pata_mpiix.c linux-2.6.39.2/drivers/ata/pata_mpiix.c
25902 --- linux-2.6.39.2/drivers/ata/pata_mpiix.c 2011-05-19 00:06:34.000000000 -0400
25903 +++ linux-2.6.39.2/drivers/ata/pata_mpiix.c 2011-05-22 19:36:31.000000000 -0400
25904 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
25905 ATA_PIO_SHT(DRV_NAME),
25906 };
25907
25908 -static struct ata_port_operations mpiix_port_ops = {
25909 +static const struct ata_port_operations mpiix_port_ops = {
25910 .inherits = &ata_sff_port_ops,
25911 .qc_issue = mpiix_qc_issue,
25912 .cable_detect = ata_cable_40wire,
25913 diff -urNp linux-2.6.39.2/drivers/ata/pata_netcell.c linux-2.6.39.2/drivers/ata/pata_netcell.c
25914 --- linux-2.6.39.2/drivers/ata/pata_netcell.c 2011-05-19 00:06:34.000000000 -0400
25915 +++ linux-2.6.39.2/drivers/ata/pata_netcell.c 2011-05-22 19:36:31.000000000 -0400
25916 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
25917 ATA_BMDMA_SHT(DRV_NAME),
25918 };
25919
25920 -static struct ata_port_operations netcell_ops = {
25921 +static const struct ata_port_operations netcell_ops = {
25922 .inherits = &ata_bmdma_port_ops,
25923 .cable_detect = ata_cable_80wire,
25924 .read_id = netcell_read_id,
25925 diff -urNp linux-2.6.39.2/drivers/ata/pata_ninja32.c linux-2.6.39.2/drivers/ata/pata_ninja32.c
25926 --- linux-2.6.39.2/drivers/ata/pata_ninja32.c 2011-05-19 00:06:34.000000000 -0400
25927 +++ linux-2.6.39.2/drivers/ata/pata_ninja32.c 2011-05-22 19:36:31.000000000 -0400
25928 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
25929 ATA_BMDMA_SHT(DRV_NAME),
25930 };
25931
25932 -static struct ata_port_operations ninja32_port_ops = {
25933 +static const struct ata_port_operations ninja32_port_ops = {
25934 .inherits = &ata_bmdma_port_ops,
25935 .sff_dev_select = ninja32_dev_select,
25936 .cable_detect = ata_cable_40wire,
25937 diff -urNp linux-2.6.39.2/drivers/ata/pata_ns87410.c linux-2.6.39.2/drivers/ata/pata_ns87410.c
25938 --- linux-2.6.39.2/drivers/ata/pata_ns87410.c 2011-05-19 00:06:34.000000000 -0400
25939 +++ linux-2.6.39.2/drivers/ata/pata_ns87410.c 2011-05-22 19:36:31.000000000 -0400
25940 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
25941 ATA_PIO_SHT(DRV_NAME),
25942 };
25943
25944 -static struct ata_port_operations ns87410_port_ops = {
25945 +static const struct ata_port_operations ns87410_port_ops = {
25946 .inherits = &ata_sff_port_ops,
25947 .qc_issue = ns87410_qc_issue,
25948 .cable_detect = ata_cable_40wire,
25949 diff -urNp linux-2.6.39.2/drivers/ata/pata_ns87415.c linux-2.6.39.2/drivers/ata/pata_ns87415.c
25950 --- linux-2.6.39.2/drivers/ata/pata_ns87415.c 2011-05-19 00:06:34.000000000 -0400
25951 +++ linux-2.6.39.2/drivers/ata/pata_ns87415.c 2011-05-22 19:36:31.000000000 -0400
25952 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
25953 }
25954 #endif /* 87560 SuperIO Support */
25955
25956 -static struct ata_port_operations ns87415_pata_ops = {
25957 +static const struct ata_port_operations ns87415_pata_ops = {
25958 .inherits = &ata_bmdma_port_ops,
25959
25960 .check_atapi_dma = ns87415_check_atapi_dma,
25961 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
25962 };
25963
25964 #if defined(CONFIG_SUPERIO)
25965 -static struct ata_port_operations ns87560_pata_ops = {
25966 +static const struct ata_port_operations ns87560_pata_ops = {
25967 .inherits = &ns87415_pata_ops,
25968 .sff_tf_read = ns87560_tf_read,
25969 .sff_check_status = ns87560_check_status,
25970 diff -urNp linux-2.6.39.2/drivers/ata/pata_octeon_cf.c linux-2.6.39.2/drivers/ata/pata_octeon_cf.c
25971 --- linux-2.6.39.2/drivers/ata/pata_octeon_cf.c 2011-05-19 00:06:34.000000000 -0400
25972 +++ linux-2.6.39.2/drivers/ata/pata_octeon_cf.c 2011-05-22 19:36:31.000000000 -0400
25973 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
25974 return 0;
25975 }
25976
25977 -static struct ata_port_operations octeon_cf_ops = {
25978 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
25979 .inherits = &ata_sff_port_ops,
25980 .check_atapi_dma = octeon_cf_check_atapi_dma,
25981 .qc_prep = ata_noop_qc_prep,
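Review bot: The added comment `/* cannot be const */` on `octeon_cf_ops` records the exception but not the reason, so a later constification pass cannot tell whether it still applies. Presumably the driver assigns some of these hooks at run time; the comment should say so, e.g. `/* cannot be const: hooks are assigned at probe time (see <function>) */`. Because this table of function pointers stays in writable memory, it is also worth checking whether those writes could use the `pax_open_kernel()`/`pax_close_kernel()` window seen in the pata_arasan_cf.c hunk, so that the table can be const like the others. The initializer continues past the end of this hunk.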
25982 diff -urNp linux-2.6.39.2/drivers/ata/pata_oldpiix.c linux-2.6.39.2/drivers/ata/pata_oldpiix.c
25983 --- linux-2.6.39.2/drivers/ata/pata_oldpiix.c 2011-05-19 00:06:34.000000000 -0400
25984 +++ linux-2.6.39.2/drivers/ata/pata_oldpiix.c 2011-05-22 19:36:31.000000000 -0400
25985 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
25986 ATA_BMDMA_SHT(DRV_NAME),
25987 };
25988
25989 -static struct ata_port_operations oldpiix_pata_ops = {
25990 +static const struct ata_port_operations oldpiix_pata_ops = {
25991 .inherits = &ata_bmdma_port_ops,
25992 .qc_issue = oldpiix_qc_issue,
25993 .cable_detect = ata_cable_40wire,
25994 diff -urNp linux-2.6.39.2/drivers/ata/pata_opti.c linux-2.6.39.2/drivers/ata/pata_opti.c
25995 --- linux-2.6.39.2/drivers/ata/pata_opti.c 2011-05-19 00:06:34.000000000 -0400
25996 +++ linux-2.6.39.2/drivers/ata/pata_opti.c 2011-05-22 19:36:31.000000000 -0400
25997 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
25998 ATA_PIO_SHT(DRV_NAME),
25999 };
26000
26001 -static struct ata_port_operations opti_port_ops = {
26002 +static const struct ata_port_operations opti_port_ops = {
26003 .inherits = &ata_sff_port_ops,
26004 .cable_detect = ata_cable_40wire,
26005 .set_piomode = opti_set_piomode,
26006 diff -urNp linux-2.6.39.2/drivers/ata/pata_optidma.c linux-2.6.39.2/drivers/ata/pata_optidma.c
26007 --- linux-2.6.39.2/drivers/ata/pata_optidma.c 2011-05-19 00:06:34.000000000 -0400
26008 +++ linux-2.6.39.2/drivers/ata/pata_optidma.c 2011-05-22 19:36:31.000000000 -0400
26009 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26010 ATA_BMDMA_SHT(DRV_NAME),
26011 };
26012
26013 -static struct ata_port_operations optidma_port_ops = {
26014 +static const struct ata_port_operations optidma_port_ops = {
26015 .inherits = &ata_bmdma_port_ops,
26016 .cable_detect = ata_cable_40wire,
26017 .set_piomode = optidma_set_pio_mode,
26018 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26019 .prereset = optidma_pre_reset,
26020 };
26021
26022 -static struct ata_port_operations optiplus_port_ops = {
26023 +static const struct ata_port_operations optiplus_port_ops = {
26024 .inherits = &optidma_port_ops,
26025 .set_piomode = optiplus_set_pio_mode,
26026 .set_dmamode = optiplus_set_dma_mode,
26027 diff -urNp linux-2.6.39.2/drivers/ata/pata_palmld.c linux-2.6.39.2/drivers/ata/pata_palmld.c
26028 --- linux-2.6.39.2/drivers/ata/pata_palmld.c 2011-05-19 00:06:34.000000000 -0400
26029 +++ linux-2.6.39.2/drivers/ata/pata_palmld.c 2011-05-22 19:36:31.000000000 -0400
26030 @@ -42,7 +42,7 @@ static struct scsi_host_template palmld_
26031 ATA_PIO_SHT(DRV_NAME),
26032 };
26033
26034 -static struct ata_port_operations palmld_port_ops = {
26035 +static const struct ata_port_operations palmld_port_ops = {
26036 .inherits = &ata_sff_port_ops,
26037 .sff_data_xfer = ata_sff_data_xfer_noirq,
26038 .cable_detect = ata_cable_40wire,
26039 diff -urNp linux-2.6.39.2/drivers/ata/pata_pcmcia.c linux-2.6.39.2/drivers/ata/pata_pcmcia.c
26040 --- linux-2.6.39.2/drivers/ata/pata_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
26041 +++ linux-2.6.39.2/drivers/ata/pata_pcmcia.c 2011-05-22 19:36:31.000000000 -0400
26042 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
26043 ATA_PIO_SHT(DRV_NAME),
26044 };
26045
26046 -static struct ata_port_operations pcmcia_port_ops = {
26047 +static const struct ata_port_operations pcmcia_port_ops = {
26048 .inherits = &ata_sff_port_ops,
26049 .sff_data_xfer = ata_sff_data_xfer_noirq,
26050 .cable_detect = ata_cable_40wire,
26051 .set_mode = pcmcia_set_mode,
26052 };
26053
26054 -static struct ata_port_operations pcmcia_8bit_port_ops = {
26055 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
26056 .inherits = &ata_sff_port_ops,
26057 .sff_data_xfer = ata_data_xfer_8bit,
26058 .cable_detect = ata_cable_40wire,
26059 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
26060 unsigned long io_base, ctl_base;
26061 void __iomem *io_addr, *ctl_addr;
26062 int n_ports = 1;
26063 - struct ata_port_operations *ops = &pcmcia_port_ops;
26064 + const struct ata_port_operations *ops = &pcmcia_port_ops;
26065
26066 /* Set up attributes in order to probe card and get resources */
26067 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
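Review bot: With `ops` now declared `const struct ata_port_operations *ops`, whatever `pcmcia_init_one` later stores it into must be const-qualified too. The later use of `ops` lies outside this hunk, so check that the build does not depend on a `(struct ata_port_operations *)` cast there. Such a cast would silently discard the qualifier and hide any remaining writer to the table.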
26068 diff -urNp linux-2.6.39.2/drivers/ata/pata_pdc2027x.c linux-2.6.39.2/drivers/ata/pata_pdc2027x.c
26069 --- linux-2.6.39.2/drivers/ata/pata_pdc2027x.c 2011-05-19 00:06:34.000000000 -0400
26070 +++ linux-2.6.39.2/drivers/ata/pata_pdc2027x.c 2011-05-22 19:36:31.000000000 -0400
26071 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
26072 ATA_BMDMA_SHT(DRV_NAME),
26073 };
26074
26075 -static struct ata_port_operations pdc2027x_pata100_ops = {
26076 +static const struct ata_port_operations pdc2027x_pata100_ops = {
26077 .inherits = &ata_bmdma_port_ops,
26078 .check_atapi_dma = pdc2027x_check_atapi_dma,
26079 .cable_detect = pdc2027x_cable_detect,
26080 .prereset = pdc2027x_prereset,
26081 };
26082
26083 -static struct ata_port_operations pdc2027x_pata133_ops = {
26084 +static const struct ata_port_operations pdc2027x_pata133_ops = {
26085 .inherits = &pdc2027x_pata100_ops,
26086 .mode_filter = pdc2027x_mode_filter,
26087 .set_piomode = pdc2027x_set_piomode,
26088 diff -urNp linux-2.6.39.2/drivers/ata/pata_pdc202xx_old.c linux-2.6.39.2/drivers/ata/pata_pdc202xx_old.c
26089 --- linux-2.6.39.2/drivers/ata/pata_pdc202xx_old.c 2011-05-19 00:06:34.000000000 -0400
26090 +++ linux-2.6.39.2/drivers/ata/pata_pdc202xx_old.c 2011-05-22 19:36:31.000000000 -0400
26091 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
26092 ATA_BMDMA_SHT(DRV_NAME),
26093 };
26094
26095 -static struct ata_port_operations pdc2024x_port_ops = {
26096 +static const struct ata_port_operations pdc2024x_port_ops = {
26097 .inherits = &ata_bmdma_port_ops,
26098
26099 .cable_detect = ata_cable_40wire,
26100 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
26101 .sff_irq_check = pdc202xx_irq_check,
26102 };
26103
26104 -static struct ata_port_operations pdc2026x_port_ops = {
26105 +static const struct ata_port_operations pdc2026x_port_ops = {
26106 .inherits = &pdc2024x_port_ops,
26107
26108 .check_atapi_dma = pdc2026x_check_atapi_dma,
26109 diff -urNp linux-2.6.39.2/drivers/ata/pata_piccolo.c linux-2.6.39.2/drivers/ata/pata_piccolo.c
26110 --- linux-2.6.39.2/drivers/ata/pata_piccolo.c 2011-05-19 00:06:34.000000000 -0400
26111 +++ linux-2.6.39.2/drivers/ata/pata_piccolo.c 2011-05-22 19:36:31.000000000 -0400
26112 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
26113 ATA_BMDMA_SHT(DRV_NAME),
26114 };
26115
26116 -static struct ata_port_operations tosh_port_ops = {
26117 +static const struct ata_port_operations tosh_port_ops = {
26118 .inherits = &ata_bmdma_port_ops,
26119 .cable_detect = ata_cable_unknown,
26120 .set_piomode = tosh_set_piomode,
26121 diff -urNp linux-2.6.39.2/drivers/ata/pata_platform.c linux-2.6.39.2/drivers/ata/pata_platform.c
26122 --- linux-2.6.39.2/drivers/ata/pata_platform.c 2011-05-19 00:06:34.000000000 -0400
26123 +++ linux-2.6.39.2/drivers/ata/pata_platform.c 2011-05-22 19:36:31.000000000 -0400
26124 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
26125 ATA_PIO_SHT(DRV_NAME),
26126 };
26127
26128 -static struct ata_port_operations pata_platform_port_ops = {
26129 +static const struct ata_port_operations pata_platform_port_ops = {
26130 .inherits = &ata_sff_port_ops,
26131 .sff_data_xfer = ata_sff_data_xfer_noirq,
26132 .cable_detect = ata_cable_unknown,
26133 diff -urNp linux-2.6.39.2/drivers/ata/pata_pxa.c linux-2.6.39.2/drivers/ata/pata_pxa.c
26134 --- linux-2.6.39.2/drivers/ata/pata_pxa.c 2011-05-19 00:06:34.000000000 -0400
26135 +++ linux-2.6.39.2/drivers/ata/pata_pxa.c 2011-05-22 19:36:31.000000000 -0400
26136 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
26137 ATA_BMDMA_SHT(DRV_NAME),
26138 };
26139
26140 -static struct ata_port_operations pxa_ata_port_ops = {
26141 +static const struct ata_port_operations pxa_ata_port_ops = {
26142 .inherits = &ata_bmdma_port_ops,
26143 .cable_detect = ata_cable_40wire,
26144
26145 diff -urNp linux-2.6.39.2/drivers/ata/pata_qdi.c linux-2.6.39.2/drivers/ata/pata_qdi.c
26146 --- linux-2.6.39.2/drivers/ata/pata_qdi.c 2011-05-19 00:06:34.000000000 -0400
26147 +++ linux-2.6.39.2/drivers/ata/pata_qdi.c 2011-05-22 19:36:31.000000000 -0400
26148 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
26149 ATA_PIO_SHT(DRV_NAME),
26150 };
26151
26152 -static struct ata_port_operations qdi6500_port_ops = {
26153 +static const struct ata_port_operations qdi6500_port_ops = {
26154 .inherits = &ata_sff_port_ops,
26155 .qc_issue = qdi_qc_issue,
26156 .sff_data_xfer = qdi_data_xfer,
26157 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
26158 .set_piomode = qdi6500_set_piomode,
26159 };
26160
26161 -static struct ata_port_operations qdi6580_port_ops = {
26162 +static const struct ata_port_operations qdi6580_port_ops = {
26163 .inherits = &qdi6500_port_ops,
26164 .set_piomode = qdi6580_set_piomode,
26165 };
26166 diff -urNp linux-2.6.39.2/drivers/ata/pata_radisys.c linux-2.6.39.2/drivers/ata/pata_radisys.c
26167 --- linux-2.6.39.2/drivers/ata/pata_radisys.c 2011-05-19 00:06:34.000000000 -0400
26168 +++ linux-2.6.39.2/drivers/ata/pata_radisys.c 2011-05-22 19:36:31.000000000 -0400
26169 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
26170 ATA_BMDMA_SHT(DRV_NAME),
26171 };
26172
26173 -static struct ata_port_operations radisys_pata_ops = {
26174 +static const struct ata_port_operations radisys_pata_ops = {
26175 .inherits = &ata_bmdma_port_ops,
26176 .qc_issue = radisys_qc_issue,
26177 .cable_detect = ata_cable_unknown,
26178 diff -urNp linux-2.6.39.2/drivers/ata/pata_rb532_cf.c linux-2.6.39.2/drivers/ata/pata_rb532_cf.c
26179 --- linux-2.6.39.2/drivers/ata/pata_rb532_cf.c 2011-05-19 00:06:34.000000000 -0400
26180 +++ linux-2.6.39.2/drivers/ata/pata_rb532_cf.c 2011-05-22 19:36:31.000000000 -0400
26181 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
26182 return IRQ_HANDLED;
26183 }
26184
26185 -static struct ata_port_operations rb532_pata_port_ops = {
26186 +static const struct ata_port_operations rb532_pata_port_ops = {
26187 .inherits = &ata_sff_port_ops,
26188 .sff_data_xfer = ata_sff_data_xfer32,
26189 };
26190 diff -urNp linux-2.6.39.2/drivers/ata/pata_rdc.c linux-2.6.39.2/drivers/ata/pata_rdc.c
26191 --- linux-2.6.39.2/drivers/ata/pata_rdc.c 2011-05-19 00:06:34.000000000 -0400
26192 +++ linux-2.6.39.2/drivers/ata/pata_rdc.c 2011-05-22 19:36:31.000000000 -0400
26193 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
26194 pci_write_config_byte(dev, 0x48, udma_enable);
26195 }
26196
26197 -static struct ata_port_operations rdc_pata_ops = {
26198 +static const struct ata_port_operations rdc_pata_ops = {
26199 .inherits = &ata_bmdma32_port_ops,
26200 .cable_detect = rdc_pata_cable_detect,
26201 .set_piomode = rdc_set_piomode,
26202 diff -urNp linux-2.6.39.2/drivers/ata/pata_rz1000.c linux-2.6.39.2/drivers/ata/pata_rz1000.c
26203 --- linux-2.6.39.2/drivers/ata/pata_rz1000.c 2011-05-19 00:06:34.000000000 -0400
26204 +++ linux-2.6.39.2/drivers/ata/pata_rz1000.c 2011-05-22 19:36:31.000000000 -0400
26205 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
26206 ATA_PIO_SHT(DRV_NAME),
26207 };
26208
26209 -static struct ata_port_operations rz1000_port_ops = {
26210 +static const struct ata_port_operations rz1000_port_ops = {
26211 .inherits = &ata_sff_port_ops,
26212 .cable_detect = ata_cable_40wire,
26213 .set_mode = rz1000_set_mode,
26214 diff -urNp linux-2.6.39.2/drivers/ata/pata_samsung_cf.c linux-2.6.39.2/drivers/ata/pata_samsung_cf.c
26215 --- linux-2.6.39.2/drivers/ata/pata_samsung_cf.c 2011-05-19 00:06:34.000000000 -0400
26216 +++ linux-2.6.39.2/drivers/ata/pata_samsung_cf.c 2011-05-22 19:36:31.000000000 -0400
26217 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
26218 ATA_PIO_SHT(DRV_NAME),
26219 };
26220
26221 -static struct ata_port_operations pata_s3c_port_ops = {
26222 +static const struct ata_port_operations pata_s3c_port_ops = {
26223 .inherits = &ata_sff_port_ops,
26224 .sff_check_status = pata_s3c_check_status,
26225 .sff_check_altstatus = pata_s3c_check_altstatus,
26226 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
26227 .set_piomode = pata_s3c_set_piomode,
26228 };
26229
26230 -static struct ata_port_operations pata_s5p_port_ops = {
26231 +static const struct ata_port_operations pata_s5p_port_ops = {
26232 .inherits = &ata_sff_port_ops,
26233 .set_piomode = pata_s3c_set_piomode,
26234 };
26235 diff -urNp linux-2.6.39.2/drivers/ata/pata_sc1200.c linux-2.6.39.2/drivers/ata/pata_sc1200.c
26236 --- linux-2.6.39.2/drivers/ata/pata_sc1200.c 2011-05-19 00:06:34.000000000 -0400
26237 +++ linux-2.6.39.2/drivers/ata/pata_sc1200.c 2011-05-22 19:36:31.000000000 -0400
26238 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26239 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26240 };
26241
26242 -static struct ata_port_operations sc1200_port_ops = {
26243 +static const struct ata_port_operations sc1200_port_ops = {
26244 .inherits = &ata_bmdma_port_ops,
26245 .qc_prep = ata_bmdma_dumb_qc_prep,
26246 .qc_issue = sc1200_qc_issue,
26247 diff -urNp linux-2.6.39.2/drivers/ata/pata_scc.c linux-2.6.39.2/drivers/ata/pata_scc.c
26248 --- linux-2.6.39.2/drivers/ata/pata_scc.c 2011-05-19 00:06:34.000000000 -0400
26249 +++ linux-2.6.39.2/drivers/ata/pata_scc.c 2011-05-22 19:36:31.000000000 -0400
26250 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
26251 ATA_BMDMA_SHT(DRV_NAME),
26252 };
26253
26254 -static struct ata_port_operations scc_pata_ops = {
26255 +static const struct ata_port_operations scc_pata_ops = {
26256 .inherits = &ata_bmdma_port_ops,
26257
26258 .set_piomode = scc_set_piomode,
26259 diff -urNp linux-2.6.39.2/drivers/ata/pata_sch.c linux-2.6.39.2/drivers/ata/pata_sch.c
26260 --- linux-2.6.39.2/drivers/ata/pata_sch.c 2011-05-19 00:06:34.000000000 -0400
26261 +++ linux-2.6.39.2/drivers/ata/pata_sch.c 2011-05-22 19:36:31.000000000 -0400
26262 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26263 ATA_BMDMA_SHT(DRV_NAME),
26264 };
26265
26266 -static struct ata_port_operations sch_pata_ops = {
26267 +static const struct ata_port_operations sch_pata_ops = {
26268 .inherits = &ata_bmdma_port_ops,
26269 .cable_detect = ata_cable_unknown,
26270 .set_piomode = sch_set_piomode,
26271 diff -urNp linux-2.6.39.2/drivers/ata/pata_serverworks.c linux-2.6.39.2/drivers/ata/pata_serverworks.c
26272 --- linux-2.6.39.2/drivers/ata/pata_serverworks.c 2011-05-19 00:06:34.000000000 -0400
26273 +++ linux-2.6.39.2/drivers/ata/pata_serverworks.c 2011-05-22 19:36:31.000000000 -0400
26274 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
26275 ATA_BMDMA_SHT(DRV_NAME),
26276 };
26277
26278 -static struct ata_port_operations serverworks_osb4_port_ops = {
26279 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26280 .inherits = &ata_bmdma_port_ops,
26281 .cable_detect = serverworks_cable_detect,
26282 .mode_filter = serverworks_osb4_filter,
26283 @@ -308,7 +308,7 @@ static struct ata_port_operations server
26284 .set_dmamode = serverworks_set_dmamode,
26285 };
26286
26287 -static struct ata_port_operations serverworks_csb_port_ops = {
26288 +static const struct ata_port_operations serverworks_csb_port_ops = {
26289 .inherits = &serverworks_osb4_port_ops,
26290 .mode_filter = serverworks_csb_filter,
26291 };
26292 diff -urNp linux-2.6.39.2/drivers/ata/pata_sil680.c linux-2.6.39.2/drivers/ata/pata_sil680.c
26293 --- linux-2.6.39.2/drivers/ata/pata_sil680.c 2011-05-19 00:06:34.000000000 -0400
26294 +++ linux-2.6.39.2/drivers/ata/pata_sil680.c 2011-05-22 19:36:31.000000000 -0400
26295 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
26296 ATA_BMDMA_SHT(DRV_NAME),
26297 };
26298
26299 -
26300 -static struct ata_port_operations sil680_port_ops = {
26301 +static const struct ata_port_operations sil680_port_ops = {
26302 .inherits = &ata_bmdma32_port_ops,
26303 .sff_exec_command = sil680_sff_exec_command,
26304 .sff_irq_check = sil680_sff_irq_check,
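Review bot: The blank-line removal ahead of `sil680_port_ops` is unrelated to the constification and is the only whitespace edit among the `drivers/ata` hunks in this part of the patch. Leaving the blank line in place would keep the hunk to the single `const` qualifier and avoid needless rejects when the patch is carried to a newer kernel. The initializer of `sil680_port_ops` continues outside the hunk.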
26305 diff -urNp linux-2.6.39.2/drivers/ata/pata_sis.c linux-2.6.39.2/drivers/ata/pata_sis.c
26306 --- linux-2.6.39.2/drivers/ata/pata_sis.c 2011-05-19 00:06:34.000000000 -0400
26307 +++ linux-2.6.39.2/drivers/ata/pata_sis.c 2011-05-22 19:36:31.000000000 -0400
26308 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26309 ATA_BMDMA_SHT(DRV_NAME),
26310 };
26311
26312 -static struct ata_port_operations sis_133_for_sata_ops = {
26313 +static const struct ata_port_operations sis_133_for_sata_ops = {
26314 .inherits = &ata_bmdma_port_ops,
26315 .set_piomode = sis_133_set_piomode,
26316 .set_dmamode = sis_133_set_dmamode,
26317 .cable_detect = sis_133_cable_detect,
26318 };
26319
26320 -static struct ata_port_operations sis_base_ops = {
26321 +static const struct ata_port_operations sis_base_ops = {
26322 .inherits = &ata_bmdma_port_ops,
26323 .prereset = sis_pre_reset,
26324 };
26325
26326 -static struct ata_port_operations sis_133_ops = {
26327 +static const struct ata_port_operations sis_133_ops = {
26328 .inherits = &sis_base_ops,
26329 .set_piomode = sis_133_set_piomode,
26330 .set_dmamode = sis_133_set_dmamode,
26331 .cable_detect = sis_133_cable_detect,
26332 };
26333
26334 -static struct ata_port_operations sis_133_early_ops = {
26335 +static const struct ata_port_operations sis_133_early_ops = {
26336 .inherits = &sis_base_ops,
26337 .set_piomode = sis_100_set_piomode,
26338 .set_dmamode = sis_133_early_set_dmamode,
26339 .cable_detect = sis_66_cable_detect,
26340 };
26341
26342 -static struct ata_port_operations sis_100_ops = {
26343 +static const struct ata_port_operations sis_100_ops = {
26344 .inherits = &sis_base_ops,
26345 .set_piomode = sis_100_set_piomode,
26346 .set_dmamode = sis_100_set_dmamode,
26347 .cable_detect = sis_66_cable_detect,
26348 };
26349
26350 -static struct ata_port_operations sis_66_ops = {
26351 +static const struct ata_port_operations sis_66_ops = {
26352 .inherits = &sis_base_ops,
26353 .set_piomode = sis_old_set_piomode,
26354 .set_dmamode = sis_66_set_dmamode,
26355 .cable_detect = sis_66_cable_detect,
26356 };
26357
26358 -static struct ata_port_operations sis_old_ops = {
26359 +static const struct ata_port_operations sis_old_ops = {
26360 .inherits = &sis_base_ops,
26361 .set_piomode = sis_old_set_piomode,
26362 .set_dmamode = sis_old_set_dmamode,
26363 diff -urNp linux-2.6.39.2/drivers/ata/pata_sl82c105.c linux-2.6.39.2/drivers/ata/pata_sl82c105.c
26364 --- linux-2.6.39.2/drivers/ata/pata_sl82c105.c 2011-05-19 00:06:34.000000000 -0400
26365 +++ linux-2.6.39.2/drivers/ata/pata_sl82c105.c 2011-05-22 19:36:31.000000000 -0400
26366 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
26367 ATA_BMDMA_SHT(DRV_NAME),
26368 };
26369
26370 -static struct ata_port_operations sl82c105_port_ops = {
26371 +static const struct ata_port_operations sl82c105_port_ops = {
26372 .inherits = &ata_bmdma_port_ops,
26373 .qc_defer = sl82c105_qc_defer,
26374 .bmdma_start = sl82c105_bmdma_start,
26375 diff -urNp linux-2.6.39.2/drivers/ata/pata_triflex.c linux-2.6.39.2/drivers/ata/pata_triflex.c
26376 --- linux-2.6.39.2/drivers/ata/pata_triflex.c 2011-05-19 00:06:34.000000000 -0400
26377 +++ linux-2.6.39.2/drivers/ata/pata_triflex.c 2011-05-22 19:36:31.000000000 -0400
26378 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26379 ATA_BMDMA_SHT(DRV_NAME),
26380 };
26381
26382 -static struct ata_port_operations triflex_port_ops = {
26383 +static const struct ata_port_operations triflex_port_ops = {
26384 .inherits = &ata_bmdma_port_ops,
26385 .bmdma_start = triflex_bmdma_start,
26386 .bmdma_stop = triflex_bmdma_stop,
26387 diff -urNp linux-2.6.39.2/drivers/ata/pata_via.c linux-2.6.39.2/drivers/ata/pata_via.c
26388 --- linux-2.6.39.2/drivers/ata/pata_via.c 2011-05-19 00:06:34.000000000 -0400
26389 +++ linux-2.6.39.2/drivers/ata/pata_via.c 2011-05-22 19:36:31.000000000 -0400
26390 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
26391 ATA_BMDMA_SHT(DRV_NAME),
26392 };
26393
26394 -static struct ata_port_operations via_port_ops = {
26395 +static const struct ata_port_operations via_port_ops = {
26396 .inherits = &ata_bmdma_port_ops,
26397 .cable_detect = via_cable_detect,
26398 .set_piomode = via_set_piomode,
26399 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
26400 .mode_filter = via_mode_filter,
26401 };
26402
26403 -static struct ata_port_operations via_port_ops_noirq = {
26404 +static const struct ata_port_operations via_port_ops_noirq = {
26405 .inherits = &via_port_ops,
26406 .sff_data_xfer = ata_sff_data_xfer_noirq,
26407 };
26408 diff -urNp linux-2.6.39.2/drivers/ata/pdc_adma.c linux-2.6.39.2/drivers/ata/pdc_adma.c
26409 --- linux-2.6.39.2/drivers/ata/pdc_adma.c 2011-05-19 00:06:34.000000000 -0400
26410 +++ linux-2.6.39.2/drivers/ata/pdc_adma.c 2011-05-22 19:36:31.000000000 -0400
26411 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
26412 .dma_boundary = ADMA_DMA_BOUNDARY,
26413 };
26414
26415 -static struct ata_port_operations adma_ata_ops = {
26416 +static const struct ata_port_operations adma_ata_ops = {
26417 .inherits = &ata_sff_port_ops,
26418
26419 .lost_interrupt = ATA_OP_NULL,
26420 diff -urNp linux-2.6.39.2/drivers/ata/sata_dwc_460ex.c linux-2.6.39.2/drivers/ata/sata_dwc_460ex.c
26421 --- linux-2.6.39.2/drivers/ata/sata_dwc_460ex.c 2011-05-19 00:06:34.000000000 -0400
26422 +++ linux-2.6.39.2/drivers/ata/sata_dwc_460ex.c 2011-05-22 19:36:31.000000000 -0400
26423 @@ -1598,7 +1598,7 @@ static struct scsi_host_template sata_dw
26424 .dma_boundary = ATA_DMA_BOUNDARY,
26425 };
26426
26427 -static struct ata_port_operations sata_dwc_ops = {
26428 +static const struct ata_port_operations sata_dwc_ops = {
26429 .inherits = &ata_sff_port_ops,
26430
26431 .error_handler = sata_dwc_error_handler,
26432 diff -urNp linux-2.6.39.2/drivers/ata/sata_fsl.c linux-2.6.39.2/drivers/ata/sata_fsl.c
26433 --- linux-2.6.39.2/drivers/ata/sata_fsl.c 2011-05-19 00:06:34.000000000 -0400
26434 +++ linux-2.6.39.2/drivers/ata/sata_fsl.c 2011-05-22 19:36:31.000000000 -0400
26435 @@ -1268,7 +1268,7 @@ static struct scsi_host_template sata_fs
26436 .dma_boundary = ATA_DMA_BOUNDARY,
26437 };
26438
26439 -static struct ata_port_operations sata_fsl_ops = {
26440 +static const struct ata_port_operations sata_fsl_ops = {
26441 .inherits = &sata_pmp_port_ops,
26442
26443 .qc_defer = ata_std_qc_defer,
26444 diff -urNp linux-2.6.39.2/drivers/ata/sata_inic162x.c linux-2.6.39.2/drivers/ata/sata_inic162x.c
26445 --- linux-2.6.39.2/drivers/ata/sata_inic162x.c 2011-05-19 00:06:34.000000000 -0400
26446 +++ linux-2.6.39.2/drivers/ata/sata_inic162x.c 2011-05-22 19:36:31.000000000 -0400
26447 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
26448 return 0;
26449 }
26450
26451 -static struct ata_port_operations inic_port_ops = {
26452 +static const struct ata_port_operations inic_port_ops = {
26453 .inherits = &sata_port_ops,
26454
26455 .check_atapi_dma = inic_check_atapi_dma,
26456 diff -urNp linux-2.6.39.2/drivers/ata/sata_mv.c linux-2.6.39.2/drivers/ata/sata_mv.c
26457 --- linux-2.6.39.2/drivers/ata/sata_mv.c 2011-05-19 00:06:34.000000000 -0400
26458 +++ linux-2.6.39.2/drivers/ata/sata_mv.c 2011-05-22 19:36:31.000000000 -0400
26459 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
26460 .dma_boundary = MV_DMA_BOUNDARY,
26461 };
26462
26463 -static struct ata_port_operations mv5_ops = {
26464 +static const struct ata_port_operations mv5_ops = {
26465 .inherits = &ata_sff_port_ops,
26466
26467 .lost_interrupt = ATA_OP_NULL,
26468 @@ -682,7 +682,7 @@ static struct ata_port_operations mv5_op
26469 .port_stop = mv_port_stop,
26470 };
26471
26472 -static struct ata_port_operations mv6_ops = {
26473 +static const struct ata_port_operations mv6_ops = {
26474 .inherits = &ata_bmdma_port_ops,
26475
26476 .lost_interrupt = ATA_OP_NULL,
26477 @@ -716,7 +716,7 @@ static struct ata_port_operations mv6_op
26478 .port_stop = mv_port_stop,
26479 };
26480
26481 -static struct ata_port_operations mv_iie_ops = {
26482 +static const struct ata_port_operations mv_iie_ops = {
26483 .inherits = &mv6_ops,
26484 .dev_config = ATA_OP_NULL,
26485 .qc_prep = mv_qc_prep_iie,
26486 diff -urNp linux-2.6.39.2/drivers/ata/sata_nv.c linux-2.6.39.2/drivers/ata/sata_nv.c
26487 --- linux-2.6.39.2/drivers/ata/sata_nv.c 2011-05-19 00:06:34.000000000 -0400
26488 +++ linux-2.6.39.2/drivers/ata/sata_nv.c 2011-05-22 19:36:31.000000000 -0400
26489 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
26490 * cases. Define nv_hardreset() which only kicks in for post-boot
26491 * probing and use it for all variants.
26492 */
26493 -static struct ata_port_operations nv_generic_ops = {
26494 +static const struct ata_port_operations nv_generic_ops = {
26495 .inherits = &ata_bmdma_port_ops,
26496 .lost_interrupt = ATA_OP_NULL,
26497 .scr_read = nv_scr_read,
26498 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
26499 .hardreset = nv_hardreset,
26500 };
26501
26502 -static struct ata_port_operations nv_nf2_ops = {
26503 +static const struct ata_port_operations nv_nf2_ops = {
26504 .inherits = &nv_generic_ops,
26505 .freeze = nv_nf2_freeze,
26506 .thaw = nv_nf2_thaw,
26507 };
26508
26509 -static struct ata_port_operations nv_ck804_ops = {
26510 +static const struct ata_port_operations nv_ck804_ops = {
26511 .inherits = &nv_generic_ops,
26512 .freeze = nv_ck804_freeze,
26513 .thaw = nv_ck804_thaw,
26514 .host_stop = nv_ck804_host_stop,
26515 };
26516
26517 -static struct ata_port_operations nv_adma_ops = {
26518 +static const struct ata_port_operations nv_adma_ops = {
26519 .inherits = &nv_ck804_ops,
26520
26521 .check_atapi_dma = nv_adma_check_atapi_dma,
26522 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
26523 .host_stop = nv_adma_host_stop,
26524 };
26525
26526 -static struct ata_port_operations nv_swncq_ops = {
26527 +static const struct ata_port_operations nv_swncq_ops = {
26528 .inherits = &nv_generic_ops,
26529
26530 .qc_defer = ata_std_qc_defer,
26531 diff -urNp linux-2.6.39.2/drivers/ata/sata_promise.c linux-2.6.39.2/drivers/ata/sata_promise.c
26532 --- linux-2.6.39.2/drivers/ata/sata_promise.c 2011-05-19 00:06:34.000000000 -0400
26533 +++ linux-2.6.39.2/drivers/ata/sata_promise.c 2011-05-22 19:36:31.000000000 -0400
26534 @@ -194,7 +194,7 @@ static const struct ata_port_operations
26535 .error_handler = pdc_error_handler,
26536 };
26537
26538 -static struct ata_port_operations pdc_sata_ops = {
26539 +static const struct ata_port_operations pdc_sata_ops = {
26540 .inherits = &pdc_common_ops,
26541 .cable_detect = pdc_sata_cable_detect,
26542 .freeze = pdc_sata_freeze,
26543 @@ -207,14 +207,14 @@ static struct ata_port_operations pdc_sa
26544
26545 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26546 and ->freeze/thaw that ignore the hotplug controls. */
26547 -static struct ata_port_operations pdc_old_sata_ops = {
26548 +static const struct ata_port_operations pdc_old_sata_ops = {
26549 .inherits = &pdc_sata_ops,
26550 .freeze = pdc_freeze,
26551 .thaw = pdc_thaw,
26552 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26553 };
26554
26555 -static struct ata_port_operations pdc_pata_ops = {
26556 +static const struct ata_port_operations pdc_pata_ops = {
26557 .inherits = &pdc_common_ops,
26558 .cable_detect = pdc_pata_cable_detect,
26559 .freeze = pdc_freeze,
26560 diff -urNp linux-2.6.39.2/drivers/ata/sata_qstor.c linux-2.6.39.2/drivers/ata/sata_qstor.c
26561 --- linux-2.6.39.2/drivers/ata/sata_qstor.c 2011-05-19 00:06:34.000000000 -0400
26562 +++ linux-2.6.39.2/drivers/ata/sata_qstor.c 2011-05-22 19:36:31.000000000 -0400
26563 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
26564 .dma_boundary = QS_DMA_BOUNDARY,
26565 };
26566
26567 -static struct ata_port_operations qs_ata_ops = {
26568 +static const struct ata_port_operations qs_ata_ops = {
26569 .inherits = &ata_sff_port_ops,
26570
26571 .check_atapi_dma = qs_check_atapi_dma,
26572 diff -urNp linux-2.6.39.2/drivers/ata/sata_sil24.c linux-2.6.39.2/drivers/ata/sata_sil24.c
26573 --- linux-2.6.39.2/drivers/ata/sata_sil24.c 2011-05-19 00:06:34.000000000 -0400
26574 +++ linux-2.6.39.2/drivers/ata/sata_sil24.c 2011-05-22 19:36:31.000000000 -0400
26575 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26576 .dma_boundary = ATA_DMA_BOUNDARY,
26577 };
26578
26579 -static struct ata_port_operations sil24_ops = {
26580 +static const struct ata_port_operations sil24_ops = {
26581 .inherits = &sata_pmp_port_ops,
26582
26583 .qc_defer = sil24_qc_defer,
26584 diff -urNp linux-2.6.39.2/drivers/ata/sata_sil.c linux-2.6.39.2/drivers/ata/sata_sil.c
26585 --- linux-2.6.39.2/drivers/ata/sata_sil.c 2011-05-19 00:06:34.000000000 -0400
26586 +++ linux-2.6.39.2/drivers/ata/sata_sil.c 2011-05-22 19:36:31.000000000 -0400
26587 @@ -181,7 +181,7 @@ static struct scsi_host_template sil_sht
26588 .sg_tablesize = ATA_MAX_PRD
26589 };
26590
26591 -static struct ata_port_operations sil_ops = {
26592 +static const struct ata_port_operations sil_ops = {
26593 .inherits = &ata_bmdma32_port_ops,
26594 .dev_config = sil_dev_config,
26595 .set_mode = sil_set_mode,
26596 diff -urNp linux-2.6.39.2/drivers/ata/sata_sis.c linux-2.6.39.2/drivers/ata/sata_sis.c
26597 --- linux-2.6.39.2/drivers/ata/sata_sis.c 2011-05-19 00:06:34.000000000 -0400
26598 +++ linux-2.6.39.2/drivers/ata/sata_sis.c 2011-05-22 19:36:31.000000000 -0400
26599 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26600 ATA_BMDMA_SHT(DRV_NAME),
26601 };
26602
26603 -static struct ata_port_operations sis_ops = {
26604 +static const struct ata_port_operations sis_ops = {
26605 .inherits = &ata_bmdma_port_ops,
26606 .scr_read = sis_scr_read,
26607 .scr_write = sis_scr_write,
26608 diff -urNp linux-2.6.39.2/drivers/ata/sata_svw.c linux-2.6.39.2/drivers/ata/sata_svw.c
26609 --- linux-2.6.39.2/drivers/ata/sata_svw.c 2011-05-19 00:06:34.000000000 -0400
26610 +++ linux-2.6.39.2/drivers/ata/sata_svw.c 2011-05-22 19:36:31.000000000 -0400
26611 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26612 };
26613
26614
26615 -static struct ata_port_operations k2_sata_ops = {
26616 +static const struct ata_port_operations k2_sata_ops = {
26617 .inherits = &ata_bmdma_port_ops,
26618 .sff_tf_load = k2_sata_tf_load,
26619 .sff_tf_read = k2_sata_tf_read,
26620 diff -urNp linux-2.6.39.2/drivers/ata/sata_sx4.c linux-2.6.39.2/drivers/ata/sata_sx4.c
26621 --- linux-2.6.39.2/drivers/ata/sata_sx4.c 2011-05-19 00:06:34.000000000 -0400
26622 +++ linux-2.6.39.2/drivers/ata/sata_sx4.c 2011-05-22 19:36:31.000000000 -0400
26623 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
26624 };
26625
26626 /* TODO: inherit from base port_ops after converting to new EH */
26627 -static struct ata_port_operations pdc_20621_ops = {
26628 +static const struct ata_port_operations pdc_20621_ops = {
26629 .inherits = &ata_sff_port_ops,
26630
26631 .check_atapi_dma = pdc_check_atapi_dma,
26632 diff -urNp linux-2.6.39.2/drivers/ata/sata_uli.c linux-2.6.39.2/drivers/ata/sata_uli.c
26633 --- linux-2.6.39.2/drivers/ata/sata_uli.c 2011-05-19 00:06:34.000000000 -0400
26634 +++ linux-2.6.39.2/drivers/ata/sata_uli.c 2011-05-22 19:36:31.000000000 -0400
26635 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
26636 ATA_BMDMA_SHT(DRV_NAME),
26637 };
26638
26639 -static struct ata_port_operations uli_ops = {
26640 +static const struct ata_port_operations uli_ops = {
26641 .inherits = &ata_bmdma_port_ops,
26642 .scr_read = uli_scr_read,
26643 .scr_write = uli_scr_write,
26644 diff -urNp linux-2.6.39.2/drivers/ata/sata_via.c linux-2.6.39.2/drivers/ata/sata_via.c
26645 --- linux-2.6.39.2/drivers/ata/sata_via.c 2011-05-19 00:06:34.000000000 -0400
26646 +++ linux-2.6.39.2/drivers/ata/sata_via.c 2011-05-22 19:36:31.000000000 -0400
26647 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26648 ATA_BMDMA_SHT(DRV_NAME),
26649 };
26650
26651 -static struct ata_port_operations svia_base_ops = {
26652 +static const struct ata_port_operations svia_base_ops = {
26653 .inherits = &ata_bmdma_port_ops,
26654 .sff_tf_load = svia_tf_load,
26655 };
26656
26657 -static struct ata_port_operations vt6420_sata_ops = {
26658 +static const struct ata_port_operations vt6420_sata_ops = {
26659 .inherits = &svia_base_ops,
26660 .freeze = svia_noop_freeze,
26661 .prereset = vt6420_prereset,
26662 .bmdma_start = vt6420_bmdma_start,
26663 };
26664
26665 -static struct ata_port_operations vt6421_pata_ops = {
26666 +static const struct ata_port_operations vt6421_pata_ops = {
26667 .inherits = &svia_base_ops,
26668 .cable_detect = vt6421_pata_cable_detect,
26669 .set_piomode = vt6421_set_pio_mode,
26670 .set_dmamode = vt6421_set_dma_mode,
26671 };
26672
26673 -static struct ata_port_operations vt6421_sata_ops = {
26674 +static const struct ata_port_operations vt6421_sata_ops = {
26675 .inherits = &svia_base_ops,
26676 .scr_read = svia_scr_read,
26677 .scr_write = svia_scr_write,
26678 };
26679
26680 -static struct ata_port_operations vt8251_ops = {
26681 +static const struct ata_port_operations vt8251_ops = {
26682 .inherits = &svia_base_ops,
26683 .hardreset = sata_std_hardreset,
26684 .scr_read = vt8251_scr_read,
26685 diff -urNp linux-2.6.39.2/drivers/ata/sata_vsc.c linux-2.6.39.2/drivers/ata/sata_vsc.c
26686 --- linux-2.6.39.2/drivers/ata/sata_vsc.c 2011-05-19 00:06:34.000000000 -0400
26687 +++ linux-2.6.39.2/drivers/ata/sata_vsc.c 2011-05-22 19:36:31.000000000 -0400
26688 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
26689 };
26690
26691
26692 -static struct ata_port_operations vsc_sata_ops = {
26693 +static const struct ata_port_operations vsc_sata_ops = {
26694 .inherits = &ata_bmdma_port_ops,
26695 /* The IRQ handling is not quite standard SFF behaviour so we
26696 cannot use the default lost interrupt handler */
26697 diff -urNp linux-2.6.39.2/drivers/atm/adummy.c linux-2.6.39.2/drivers/atm/adummy.c
26698 --- linux-2.6.39.2/drivers/atm/adummy.c 2011-05-19 00:06:34.000000000 -0400
26699 +++ linux-2.6.39.2/drivers/atm/adummy.c 2011-05-22 19:36:31.000000000 -0400
26700 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
26701 vcc->pop(vcc, skb);
26702 else
26703 dev_kfree_skb_any(skb);
26704 - atomic_inc(&vcc->stats->tx);
26705 + atomic_inc_unchecked(&vcc->stats->tx);
26706
26707 return 0;
26708 }
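Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` presumably opts this counter out of the overflow detection the patch applies to plain `atomic_inc`, and nothing at the call site says why that is safe. A comment such as `/* statistics only, never a reference count: wrap-around is harmless */` would record the reasoning and discourage copying the `_unchecked` form onto a real refcount. The call only type-checks if the `stats` fields were switched to the matching unchecked atomic type, which is declared outside this chunk. The same applies to the `stats->tx`, `rx`, `rx_drop` and `tx_err` increments in the ambassador.c and atmtcp.c hunks below.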
26709 diff -urNp linux-2.6.39.2/drivers/atm/ambassador.c linux-2.6.39.2/drivers/atm/ambassador.c
26710 --- linux-2.6.39.2/drivers/atm/ambassador.c 2011-05-19 00:06:34.000000000 -0400
26711 +++ linux-2.6.39.2/drivers/atm/ambassador.c 2011-05-22 19:36:31.000000000 -0400
26712 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
26713 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26714
26715 // VC layer stats
26716 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26717 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26718
26719 // free the descriptor
26720 kfree (tx_descr);
26721 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
26722 dump_skb ("<<<", vc, skb);
26723
26724 // VC layer stats
26725 - atomic_inc(&atm_vcc->stats->rx);
26726 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26727 __net_timestamp(skb);
26728 // end of our responsibility
26729 atm_vcc->push (atm_vcc, skb);
26730 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
26731 } else {
26732 PRINTK (KERN_INFO, "dropped over-size frame");
26733 // should we count this?
26734 - atomic_inc(&atm_vcc->stats->rx_drop);
26735 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26736 }
26737
26738 } else {
26739 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
26740 }
26741
26742 if (check_area (skb->data, skb->len)) {
26743 - atomic_inc(&atm_vcc->stats->tx_err);
26744 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26745 return -ENOMEM; // ?
26746 }
26747
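Review bot: The `check_area` failure branch in amb_send returns `-ENOMEM` without releasing the skb, unlike the other send error paths touched by this patch (for example atmtcp_v_send), which call `vcc->pop` or free the buffer before returning. Unless the caller frees the skb on a failed send, which is not visible here, each rejected buffer is leaked. Consider adding `if (atm_vcc->pop) atm_vcc->pop(atm_vcc, skb); else dev_kfree_skb_any(skb);` before the return. amb_send starts and ends outside the hunk.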
26748 diff -urNp linux-2.6.39.2/drivers/atm/atmtcp.c linux-2.6.39.2/drivers/atm/atmtcp.c
26749 --- linux-2.6.39.2/drivers/atm/atmtcp.c 2011-05-19 00:06:34.000000000 -0400
26750 +++ linux-2.6.39.2/drivers/atm/atmtcp.c 2011-05-22 19:36:31.000000000 -0400
26751 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
26752 if (vcc->pop) vcc->pop(vcc,skb);
26753 else dev_kfree_skb(skb);
26754 if (dev_data) return 0;
26755 - atomic_inc(&vcc->stats->tx_err);
26756 + atomic_inc_unchecked(&vcc->stats->tx_err);
26757 return -ENOLINK;
26758 }
26759 size = skb->len+sizeof(struct atmtcp_hdr);
26760 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
26761 if (!new_skb) {
26762 if (vcc->pop) vcc->pop(vcc,skb);
26763 else dev_kfree_skb(skb);
26764 - atomic_inc(&vcc->stats->tx_err);
26765 + atomic_inc_unchecked(&vcc->stats->tx_err);
26766 return -ENOBUFS;
26767 }
26768 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26769 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
26770 if (vcc->pop) vcc->pop(vcc,skb);
26771 else dev_kfree_skb(skb);
26772 out_vcc->push(out_vcc,new_skb);
26773 - atomic_inc(&vcc->stats->tx);
26774 - atomic_inc(&out_vcc->stats->rx);
26775 + atomic_inc_unchecked(&vcc->stats->tx);
26776 + atomic_inc_unchecked(&out_vcc->stats->rx);
26777 return 0;
26778 }
26779
26780 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
26781 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26782 read_unlock(&vcc_sklist_lock);
26783 if (!out_vcc) {
26784 - atomic_inc(&vcc->stats->tx_err);
26785 + atomic_inc_unchecked(&vcc->stats->tx_err);
26786 goto done;
26787 }
26788 skb_pull(skb,sizeof(struct atmtcp_hdr));
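Review bot: `out_vcc` is looked up under `vcc_sklist_lock` and the lock is dropped on the very next line, yet the pointer is still dereferenced afterwards (`out_vcc->push` and `out_vcc->stats->rx` in the following hunk). Nothing visible takes a reference, so if the target connection can be closed concurrently this would be a use-after-free; that needs confirming against find_vcc and the close path, which are outside the hunk. If it holds, pin the socket before unlocking with `sock_hold(sk_atm(out_vcc));` and release it with `sock_put(sk_atm(out_vcc));` after the push.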
26789 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
26790 __net_timestamp(new_skb);
26791 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26792 out_vcc->push(out_vcc,new_skb);
26793 - atomic_inc(&vcc->stats->tx);
26794 - atomic_inc(&out_vcc->stats->rx);
26795 + atomic_inc_unchecked(&vcc->stats->tx);
26796 + atomic_inc_unchecked(&out_vcc->stats->rx);
26797 done:
26798 if (vcc->pop) vcc->pop(vcc,skb);
26799 else dev_kfree_skb(skb);
26800 diff -urNp linux-2.6.39.2/drivers/atm/eni.c linux-2.6.39.2/drivers/atm/eni.c
26801 --- linux-2.6.39.2/drivers/atm/eni.c 2011-05-19 00:06:34.000000000 -0400
26802 +++ linux-2.6.39.2/drivers/atm/eni.c 2011-05-22 19:36:31.000000000 -0400
26803 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26804 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26805 vcc->dev->number);
26806 length = 0;
26807 - atomic_inc(&vcc->stats->rx_err);
26808 + atomic_inc_unchecked(&vcc->stats->rx_err);
26809 }
26810 else {
26811 length = ATM_CELL_SIZE-1; /* no HEC */
26812 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26813 size);
26814 }
26815 eff = length = 0;
26816 - atomic_inc(&vcc->stats->rx_err);
26817 + atomic_inc_unchecked(&vcc->stats->rx_err);
26818 }
26819 else {
26820 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26821 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26822 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26823 vcc->dev->number,vcc->vci,length,size << 2,descr);
26824 length = eff = 0;
26825 - atomic_inc(&vcc->stats->rx_err);
26826 + atomic_inc_unchecked(&vcc->stats->rx_err);
26827 }
26828 }
26829 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26830 @@ -771,7 +771,7 @@ rx_dequeued++;
26831 vcc->push(vcc,skb);
26832 pushed++;
26833 }
26834 - atomic_inc(&vcc->stats->rx);
26835 + atomic_inc_unchecked(&vcc->stats->rx);
26836 }
26837 wake_up(&eni_dev->rx_wait);
26838 }
26839 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
26840 PCI_DMA_TODEVICE);
26841 if (vcc->pop) vcc->pop(vcc,skb);
26842 else dev_kfree_skb_irq(skb);
26843 - atomic_inc(&vcc->stats->tx);
26844 + atomic_inc_unchecked(&vcc->stats->tx);
26845 wake_up(&eni_dev->tx_wait);
26846 dma_complete++;
26847 }
26848 diff -urNp linux-2.6.39.2/drivers/atm/firestream.c linux-2.6.39.2/drivers/atm/firestream.c
26849 --- linux-2.6.39.2/drivers/atm/firestream.c 2011-05-19 00:06:34.000000000 -0400
26850 +++ linux-2.6.39.2/drivers/atm/firestream.c 2011-05-22 19:36:31.000000000 -0400
26851 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
26852 }
26853 }
26854
26855 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26856 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26857
26858 fs_dprintk (FS_DEBUG_TXMEM, "i");
26859 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
26860 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
26861 #endif
26862 skb_put (skb, qe->p1 & 0xffff);
26863 ATM_SKB(skb)->vcc = atm_vcc;
26864 - atomic_inc(&atm_vcc->stats->rx);
26865 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26866 __net_timestamp(skb);
26867 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
26868 atm_vcc->push (atm_vcc, skb);
26869 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
26870 kfree (pe);
26871 }
26872 if (atm_vcc)
26873 - atomic_inc(&atm_vcc->stats->rx_drop);
26874 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26875 break;
26876 case 0x1f: /* Reassembly abort: no buffers. */
26877 /* Silently increment error counter. */
26878 if (atm_vcc)
26879 - atomic_inc(&atm_vcc->stats->rx_drop);
26880 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26881 break;
26882 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
26883 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
26884 diff -urNp linux-2.6.39.2/drivers/atm/fore200e.c linux-2.6.39.2/drivers/atm/fore200e.c
26885 --- linux-2.6.39.2/drivers/atm/fore200e.c 2011-05-19 00:06:34.000000000 -0400
26886 +++ linux-2.6.39.2/drivers/atm/fore200e.c 2011-05-22 19:36:31.000000000 -0400
26887 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
26888 #endif
26889 /* check error condition */
26890 if (*entry->status & STATUS_ERROR)
26891 - atomic_inc(&vcc->stats->tx_err);
26892 + atomic_inc_unchecked(&vcc->stats->tx_err);
26893 else
26894 - atomic_inc(&vcc->stats->tx);
26895 + atomic_inc_unchecked(&vcc->stats->tx);
26896 }
26897 }
26898
26899 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
26900 if (skb == NULL) {
26901 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
26902
26903 - atomic_inc(&vcc->stats->rx_drop);
26904 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26905 return -ENOMEM;
26906 }
26907
26908 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
26909
26910 dev_kfree_skb_any(skb);
26911
26912 - atomic_inc(&vcc->stats->rx_drop);
26913 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26914 return -ENOMEM;
26915 }
26916
26917 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26918
26919 vcc->push(vcc, skb);
26920 - atomic_inc(&vcc->stats->rx);
26921 + atomic_inc_unchecked(&vcc->stats->rx);
26922
26923 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26924
26925 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
26926 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
26927 fore200e->atm_dev->number,
26928 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
26929 - atomic_inc(&vcc->stats->rx_err);
26930 + atomic_inc_unchecked(&vcc->stats->rx_err);
26931 }
26932 }
26933
26934 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
26935 goto retry_here;
26936 }
26937
26938 - atomic_inc(&vcc->stats->tx_err);
26939 + atomic_inc_unchecked(&vcc->stats->tx_err);
26940
26941 fore200e->tx_sat++;
26942 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
26943 diff -urNp linux-2.6.39.2/drivers/atm/he.c linux-2.6.39.2/drivers/atm/he.c
26944 --- linux-2.6.39.2/drivers/atm/he.c 2011-05-19 00:06:34.000000000 -0400
26945 +++ linux-2.6.39.2/drivers/atm/he.c 2011-05-22 19:36:31.000000000 -0400
26946 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26947
26948 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
26949 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
26950 - atomic_inc(&vcc->stats->rx_drop);
26951 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26952 goto return_host_buffers;
26953 }
26954
26955 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26956 RBRQ_LEN_ERR(he_dev->rbrq_head)
26957 ? "LEN_ERR" : "",
26958 vcc->vpi, vcc->vci);
26959 - atomic_inc(&vcc->stats->rx_err);
26960 + atomic_inc_unchecked(&vcc->stats->rx_err);
26961 goto return_host_buffers;
26962 }
26963
26964 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26965 vcc->push(vcc, skb);
26966 spin_lock(&he_dev->global_lock);
26967
26968 - atomic_inc(&vcc->stats->rx);
26969 + atomic_inc_unchecked(&vcc->stats->rx);
26970
26971 return_host_buffers:
26972 ++pdus_assembled;
26973 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
26974 tpd->vcc->pop(tpd->vcc, tpd->skb);
26975 else
26976 dev_kfree_skb_any(tpd->skb);
26977 - atomic_inc(&tpd->vcc->stats->tx_err);
26978 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
26979 }
26980 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
26981 return;
26982 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26983 vcc->pop(vcc, skb);
26984 else
26985 dev_kfree_skb_any(skb);
26986 - atomic_inc(&vcc->stats->tx_err);
26987 + atomic_inc_unchecked(&vcc->stats->tx_err);
26988 return -EINVAL;
26989 }
26990
26991 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26992 vcc->pop(vcc, skb);
26993 else
26994 dev_kfree_skb_any(skb);
26995 - atomic_inc(&vcc->stats->tx_err);
26996 + atomic_inc_unchecked(&vcc->stats->tx_err);
26997 return -EINVAL;
26998 }
26999 #endif
27000 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27001 vcc->pop(vcc, skb);
27002 else
27003 dev_kfree_skb_any(skb);
27004 - atomic_inc(&vcc->stats->tx_err);
27005 + atomic_inc_unchecked(&vcc->stats->tx_err);
27006 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27007 return -ENOMEM;
27008 }
27009 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27010 vcc->pop(vcc, skb);
27011 else
27012 dev_kfree_skb_any(skb);
27013 - atomic_inc(&vcc->stats->tx_err);
27014 + atomic_inc_unchecked(&vcc->stats->tx_err);
27015 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27016 return -ENOMEM;
27017 }
27018 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27019 __enqueue_tpd(he_dev, tpd, cid);
27020 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27021
27022 - atomic_inc(&vcc->stats->tx);
27023 + atomic_inc_unchecked(&vcc->stats->tx);
27024
27025 return 0;
27026 }
27027 diff -urNp linux-2.6.39.2/drivers/atm/horizon.c linux-2.6.39.2/drivers/atm/horizon.c
27028 --- linux-2.6.39.2/drivers/atm/horizon.c 2011-05-19 00:06:34.000000000 -0400
27029 +++ linux-2.6.39.2/drivers/atm/horizon.c 2011-05-22 19:36:31.000000000 -0400
27030 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
27031 {
27032 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27033 // VC layer stats
27034 - atomic_inc(&vcc->stats->rx);
27035 + atomic_inc_unchecked(&vcc->stats->rx);
27036 __net_timestamp(skb);
27037 // end of our responsibility
27038 vcc->push (vcc, skb);
27039 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
27040 dev->tx_iovec = NULL;
27041
27042 // VC layer stats
27043 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27044 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27045
27046 // free the skb
27047 hrz_kfree_skb (skb);
27048 diff -urNp linux-2.6.39.2/drivers/atm/idt77252.c linux-2.6.39.2/drivers/atm/idt77252.c
27049 --- linux-2.6.39.2/drivers/atm/idt77252.c 2011-05-19 00:06:34.000000000 -0400
27050 +++ linux-2.6.39.2/drivers/atm/idt77252.c 2011-05-22 19:36:31.000000000 -0400
27051 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
27052 else
27053 dev_kfree_skb(skb);
27054
27055 - atomic_inc(&vcc->stats->tx);
27056 + atomic_inc_unchecked(&vcc->stats->tx);
27057 }
27058
27059 atomic_dec(&scq->used);
27060 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
27061 if ((sb = dev_alloc_skb(64)) == NULL) {
27062 printk("%s: Can't allocate buffers for aal0.\n",
27063 card->name);
27064 - atomic_add(i, &vcc->stats->rx_drop);
27065 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27066 break;
27067 }
27068 if (!atm_charge(vcc, sb->truesize)) {
27069 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27070 card->name);
27071 - atomic_add(i - 1, &vcc->stats->rx_drop);
27072 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27073 dev_kfree_skb(sb);
27074 break;
27075 }
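Review bot: The `i - 1` in `atomic_add_unchecked(i - 1, &vcc->stats->rx_drop)` has no explanation here, while the identical call in nicstar.c's dequeue_rx later in this patch carries `/* already increased by 1 */`. Adding the same comment would stop the adjustment being read as an off-by-one. The loop bounds are outside the hunk; if `i` can be 0 on this path the call subtracts one from the drop counter, which is worth checking.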
27076 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
27077 ATM_SKB(sb)->vcc = vcc;
27078 __net_timestamp(sb);
27079 vcc->push(vcc, sb);
27080 - atomic_inc(&vcc->stats->rx);
27081 + atomic_inc_unchecked(&vcc->stats->rx);
27082
27083 cell += ATM_CELL_PAYLOAD;
27084 }
27085 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
27086 "(CDC: %08x)\n",
27087 card->name, len, rpp->len, readl(SAR_REG_CDC));
27088 recycle_rx_pool_skb(card, rpp);
27089 - atomic_inc(&vcc->stats->rx_err);
27090 + atomic_inc_unchecked(&vcc->stats->rx_err);
27091 return;
27092 }
27093 if (stat & SAR_RSQE_CRC) {
27094 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
27095 recycle_rx_pool_skb(card, rpp);
27096 - atomic_inc(&vcc->stats->rx_err);
27097 + atomic_inc_unchecked(&vcc->stats->rx_err);
27098 return;
27099 }
27100 if (skb_queue_len(&rpp->queue) > 1) {
27101 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
27102 RXPRINTK("%s: Can't alloc RX skb.\n",
27103 card->name);
27104 recycle_rx_pool_skb(card, rpp);
27105 - atomic_inc(&vcc->stats->rx_err);
27106 + atomic_inc_unchecked(&vcc->stats->rx_err);
27107 return;
27108 }
27109 if (!atm_charge(vcc, skb->truesize)) {
27110 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
27111 __net_timestamp(skb);
27112
27113 vcc->push(vcc, skb);
27114 - atomic_inc(&vcc->stats->rx);
27115 + atomic_inc_unchecked(&vcc->stats->rx);
27116
27117 return;
27118 }
27119 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
27120 __net_timestamp(skb);
27121
27122 vcc->push(vcc, skb);
27123 - atomic_inc(&vcc->stats->rx);
27124 + atomic_inc_unchecked(&vcc->stats->rx);
27125
27126 if (skb->truesize > SAR_FB_SIZE_3)
27127 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
27128 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
27129 if (vcc->qos.aal != ATM_AAL0) {
27130 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
27131 card->name, vpi, vci);
27132 - atomic_inc(&vcc->stats->rx_drop);
27133 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27134 goto drop;
27135 }
27136
27137 if ((sb = dev_alloc_skb(64)) == NULL) {
27138 printk("%s: Can't allocate buffers for AAL0.\n",
27139 card->name);
27140 - atomic_inc(&vcc->stats->rx_err);
27141 + atomic_inc_unchecked(&vcc->stats->rx_err);
27142 goto drop;
27143 }
27144
27145 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
27146 ATM_SKB(sb)->vcc = vcc;
27147 __net_timestamp(sb);
27148 vcc->push(vcc, sb);
27149 - atomic_inc(&vcc->stats->rx);
27150 + atomic_inc_unchecked(&vcc->stats->rx);
27151
27152 drop:
27153 skb_pull(queue, 64);
27154 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27155
27156 if (vc == NULL) {
27157 printk("%s: NULL connection in send().\n", card->name);
27158 - atomic_inc(&vcc->stats->tx_err);
27159 + atomic_inc_unchecked(&vcc->stats->tx_err);
27160 dev_kfree_skb(skb);
27161 return -EINVAL;
27162 }
27163 if (!test_bit(VCF_TX, &vc->flags)) {
27164 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
27165 - atomic_inc(&vcc->stats->tx_err);
27166 + atomic_inc_unchecked(&vcc->stats->tx_err);
27167 dev_kfree_skb(skb);
27168 return -EINVAL;
27169 }
27170 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27171 break;
27172 default:
27173 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
27174 - atomic_inc(&vcc->stats->tx_err);
27175 + atomic_inc_unchecked(&vcc->stats->tx_err);
27176 dev_kfree_skb(skb);
27177 return -EINVAL;
27178 }
27179
27180 if (skb_shinfo(skb)->nr_frags != 0) {
27181 printk("%s: No scatter-gather yet.\n", card->name);
27182 - atomic_inc(&vcc->stats->tx_err);
27183 + atomic_inc_unchecked(&vcc->stats->tx_err);
27184 dev_kfree_skb(skb);
27185 return -EINVAL;
27186 }
27187 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27188
27189 err = queue_skb(card, vc, skb, oam);
27190 if (err) {
27191 - atomic_inc(&vcc->stats->tx_err);
27192 + atomic_inc_unchecked(&vcc->stats->tx_err);
27193 dev_kfree_skb(skb);
27194 return err;
27195 }
27196 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
27197 skb = dev_alloc_skb(64);
27198 if (!skb) {
27199 printk("%s: Out of memory in send_oam().\n", card->name);
27200 - atomic_inc(&vcc->stats->tx_err);
27201 + atomic_inc_unchecked(&vcc->stats->tx_err);
27202 return -ENOMEM;
27203 }
27204 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
27205 diff -urNp linux-2.6.39.2/drivers/atm/iphase.c linux-2.6.39.2/drivers/atm/iphase.c
27206 --- linux-2.6.39.2/drivers/atm/iphase.c 2011-05-19 00:06:34.000000000 -0400
27207 +++ linux-2.6.39.2/drivers/atm/iphase.c 2011-05-22 19:36:31.000000000 -0400
27208 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
27209 status = (u_short) (buf_desc_ptr->desc_mode);
27210 if (status & (RX_CER | RX_PTE | RX_OFL))
27211 {
27212 - atomic_inc(&vcc->stats->rx_err);
27213 + atomic_inc_unchecked(&vcc->stats->rx_err);
27214 IF_ERR(printk("IA: bad packet, dropping it");)
27215 if (status & RX_CER) {
27216 IF_ERR(printk(" cause: packet CRC error\n");)
27217 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
27218 len = dma_addr - buf_addr;
27219 if (len > iadev->rx_buf_sz) {
27220 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
27221 - atomic_inc(&vcc->stats->rx_err);
27222 + atomic_inc_unchecked(&vcc->stats->rx_err);
27223 goto out_free_desc;
27224 }
27225
27226 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
27227 ia_vcc = INPH_IA_VCC(vcc);
27228 if (ia_vcc == NULL)
27229 {
27230 - atomic_inc(&vcc->stats->rx_err);
27231 + atomic_inc_unchecked(&vcc->stats->rx_err);
27232 dev_kfree_skb_any(skb);
27233 atm_return(vcc, atm_guess_pdu2truesize(len));
27234 goto INCR_DLE;
27235 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
27236 if ((length > iadev->rx_buf_sz) || (length >
27237 (skb->len - sizeof(struct cpcs_trailer))))
27238 {
27239 - atomic_inc(&vcc->stats->rx_err);
27240 + atomic_inc_unchecked(&vcc->stats->rx_err);
27241 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27242 length, skb->len);)
27243 dev_kfree_skb_any(skb);
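Review bot: The trailer check `length > (skb->len - sizeof(struct cpcs_trailer))` subtracts in unsigned arithmetic, so an skb shorter than the trailer makes the right-hand side wrap to a very large value and the comparison can never reject. Only the `rx_buf_sz` bound then limits `length`, which judging by the error message is taken from the received AAL5 trailer. Guard the subtraction first, e.g. start the condition with `(skb->len < sizeof(struct cpcs_trailer)) ||`. Whether a short skb can reach this point depends on code outside the hunk.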
27244 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
27245
27246 IF_RX(printk("rx_dle_intr: skb push");)
27247 vcc->push(vcc,skb);
27248 - atomic_inc(&vcc->stats->rx);
27249 + atomic_inc_unchecked(&vcc->stats->rx);
27250 iadev->rx_pkt_cnt++;
27251 }
27252 INCR_DLE:
27253 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
27254 {
27255 struct k_sonet_stats *stats;
27256 stats = &PRIV(_ia_dev[board])->sonet_stats;
27257 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27258 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27259 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27260 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27261 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27262 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27263 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27264 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27265 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27266 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27267 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27268 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27269 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27270 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27271 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27272 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27273 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27274 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27275 }
27276 ia_cmds.status = 0;
27277 break;
27278 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27279 if ((desc == 0) || (desc > iadev->num_tx_desc))
27280 {
27281 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27282 - atomic_inc(&vcc->stats->tx);
27283 + atomic_inc_unchecked(&vcc->stats->tx);
27284 if (vcc->pop)
27285 vcc->pop(vcc, skb);
27286 else
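Review bot: The `invalid desc for send` branch increments `vcc->stats->tx`, so a rejected packet is counted as a successful transmit; the patch converts the call but keeps the counter. Every other send error path in this patch bumps `tx_err`, so this looks like it should be `atomic_inc_unchecked(&vcc->stats->tx_err);`. ia_pkt_tx continues outside the hunk.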
27287 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27288 ATM_DESC(skb) = vcc->vci;
27289 skb_queue_tail(&iadev->tx_dma_q, skb);
27290
27291 - atomic_inc(&vcc->stats->tx);
27292 + atomic_inc_unchecked(&vcc->stats->tx);
27293 iadev->tx_pkt_cnt++;
27294 /* Increment transaction counter */
27295 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27296
27297 #if 0
27298 /* add flow control logic */
27299 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27300 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27301 if (iavcc->vc_desc_cnt > 10) {
27302 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27303 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27304 diff -urNp linux-2.6.39.2/drivers/atm/lanai.c linux-2.6.39.2/drivers/atm/lanai.c
27305 --- linux-2.6.39.2/drivers/atm/lanai.c 2011-05-19 00:06:34.000000000 -0400
27306 +++ linux-2.6.39.2/drivers/atm/lanai.c 2011-05-22 19:36:31.000000000 -0400
27307 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
27308 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27309 lanai_endtx(lanai, lvcc);
27310 lanai_free_skb(lvcc->tx.atmvcc, skb);
27311 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27312 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27313 }
27314
27315 /* Try to fill the buffer - don't call unless there is backlog */
27316 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27317 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27318 __net_timestamp(skb);
27319 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27320 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27321 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27322 out:
27323 lvcc->rx.buf.ptr = end;
27324 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27325 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
27326 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27327 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27328 lanai->stats.service_rxnotaal5++;
27329 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27330 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27331 return 0;
27332 }
27333 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27334 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
27335 int bytes;
27336 read_unlock(&vcc_sklist_lock);
27337 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27338 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27339 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27340 lvcc->stats.x.aal5.service_trash++;
27341 bytes = (SERVICE_GET_END(s) * 16) -
27342 (((unsigned long) lvcc->rx.buf.ptr) -
27343 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
27344 }
27345 if (s & SERVICE_STREAM) {
27346 read_unlock(&vcc_sklist_lock);
27347 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27348 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27349 lvcc->stats.x.aal5.service_stream++;
27350 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27351 "PDU on VCI %d!\n", lanai->number, vci);
27352 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
27353 return 0;
27354 }
27355 DPRINTK("got rx crc error on vci %d\n", vci);
27356 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27357 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27358 lvcc->stats.x.aal5.service_rxcrc++;
27359 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27360 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27361 diff -urNp linux-2.6.39.2/drivers/atm/nicstar.c linux-2.6.39.2/drivers/atm/nicstar.c
27362 --- linux-2.6.39.2/drivers/atm/nicstar.c 2011-05-19 00:06:34.000000000 -0400
27363 +++ linux-2.6.39.2/drivers/atm/nicstar.c 2011-05-22 19:36:31.000000000 -0400
27364 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
27365 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
27366 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
27367 card->index);
27368 - atomic_inc(&vcc->stats->tx_err);
27369 + atomic_inc_unchecked(&vcc->stats->tx_err);
27370 dev_kfree_skb_any(skb);
27371 return -EINVAL;
27372 }
27373 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
27374 if (!vc->tx) {
27375 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
27376 card->index);
27377 - atomic_inc(&vcc->stats->tx_err);
27378 + atomic_inc_unchecked(&vcc->stats->tx_err);
27379 dev_kfree_skb_any(skb);
27380 return -EINVAL;
27381 }
27382 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
27383 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
27384 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
27385 card->index);
27386 - atomic_inc(&vcc->stats->tx_err);
27387 + atomic_inc_unchecked(&vcc->stats->tx_err);
27388 dev_kfree_skb_any(skb);
27389 return -EINVAL;
27390 }
27391
27392 if (skb_shinfo(skb)->nr_frags != 0) {
27393 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27394 - atomic_inc(&vcc->stats->tx_err);
27395 + atomic_inc_unchecked(&vcc->stats->tx_err);
27396 dev_kfree_skb_any(skb);
27397 return -EINVAL;
27398 }
27399 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
27400 }
27401
27402 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
27403 - atomic_inc(&vcc->stats->tx_err);
27404 + atomic_inc_unchecked(&vcc->stats->tx_err);
27405 dev_kfree_skb_any(skb);
27406 return -EIO;
27407 }
27408 - atomic_inc(&vcc->stats->tx);
27409 + atomic_inc_unchecked(&vcc->stats->tx);
27410
27411 return 0;
27412 }
27413 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
27414 printk
27415 ("nicstar%d: Can't allocate buffers for aal0.\n",
27416 card->index);
27417 - atomic_add(i, &vcc->stats->rx_drop);
27418 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27419 break;
27420 }
27421 if (!atm_charge(vcc, sb->truesize)) {
27422 RXPRINTK
27423 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
27424 card->index);
27425 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27426 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27427 dev_kfree_skb_any(sb);
27428 break;
27429 }
27430 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
27431 ATM_SKB(sb)->vcc = vcc;
27432 __net_timestamp(sb);
27433 vcc->push(vcc, sb);
27434 - atomic_inc(&vcc->stats->rx);
27435 + atomic_inc_unchecked(&vcc->stats->rx);
27436 cell += ATM_CELL_PAYLOAD;
27437 }
27438
27439 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
27440 if (iovb == NULL) {
27441 printk("nicstar%d: Out of iovec buffers.\n",
27442 card->index);
27443 - atomic_inc(&vcc->stats->rx_drop);
27444 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27445 recycle_rx_buf(card, skb);
27446 return;
27447 }
27448 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
27449 small or large buffer itself. */
27450 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
27451 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27452 - atomic_inc(&vcc->stats->rx_err);
27453 + atomic_inc_unchecked(&vcc->stats->rx_err);
27454 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27455 NS_MAX_IOVECS);
27456 NS_PRV_IOVCNT(iovb) = 0;
27457 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
27458 ("nicstar%d: Expected a small buffer, and this is not one.\n",
27459 card->index);
27460 which_list(card, skb);
27461 - atomic_inc(&vcc->stats->rx_err);
27462 + atomic_inc_unchecked(&vcc->stats->rx_err);
27463 recycle_rx_buf(card, skb);
27464 vc->rx_iov = NULL;
27465 recycle_iov_buf(card, iovb);
27466 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
27467 ("nicstar%d: Expected a large buffer, and this is not one.\n",
27468 card->index);
27469 which_list(card, skb);
27470 - atomic_inc(&vcc->stats->rx_err);
27471 + atomic_inc_unchecked(&vcc->stats->rx_err);
27472 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27473 NS_PRV_IOVCNT(iovb));
27474 vc->rx_iov = NULL;
27475 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
27476 printk(" - PDU size mismatch.\n");
27477 else
27478 printk(".\n");
27479 - atomic_inc(&vcc->stats->rx_err);
27480 + atomic_inc_unchecked(&vcc->stats->rx_err);
27481 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27482 NS_PRV_IOVCNT(iovb));
27483 vc->rx_iov = NULL;
27484 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
27485 /* skb points to a small buffer */
27486 if (!atm_charge(vcc, skb->truesize)) {
27487 push_rxbufs(card, skb);
27488 - atomic_inc(&vcc->stats->rx_drop);
27489 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27490 } else {
27491 skb_put(skb, len);
27492 dequeue_sm_buf(card, skb);
27493 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
27494 ATM_SKB(skb)->vcc = vcc;
27495 __net_timestamp(skb);
27496 vcc->push(vcc, skb);
27497 - atomic_inc(&vcc->stats->rx);
27498 + atomic_inc_unchecked(&vcc->stats->rx);
27499 }
27500 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
27501 struct sk_buff *sb;
27502 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
27503 if (len <= NS_SMBUFSIZE) {
27504 if (!atm_charge(vcc, sb->truesize)) {
27505 push_rxbufs(card, sb);
27506 - atomic_inc(&vcc->stats->rx_drop);
27507 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27508 } else {
27509 skb_put(sb, len);
27510 dequeue_sm_buf(card, sb);
27511 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
27512 ATM_SKB(sb)->vcc = vcc;
27513 __net_timestamp(sb);
27514 vcc->push(vcc, sb);
27515 - atomic_inc(&vcc->stats->rx);
27516 + atomic_inc_unchecked(&vcc->stats->rx);
27517 }
27518
27519 push_rxbufs(card, skb);
27520 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
27521
27522 if (!atm_charge(vcc, skb->truesize)) {
27523 push_rxbufs(card, skb);
27524 - atomic_inc(&vcc->stats->rx_drop);
27525 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27526 } else {
27527 dequeue_lg_buf(card, skb);
27528 #ifdef NS_USE_DESTRUCTORS
27529 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
27530 ATM_SKB(skb)->vcc = vcc;
27531 __net_timestamp(skb);
27532 vcc->push(vcc, skb);
27533 - atomic_inc(&vcc->stats->rx);
27534 + atomic_inc_unchecked(&vcc->stats->rx);
27535 }
27536
27537 push_rxbufs(card, sb);
27538 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
27539 printk
27540 ("nicstar%d: Out of huge buffers.\n",
27541 card->index);
27542 - atomic_inc(&vcc->stats->rx_drop);
27543 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27544 recycle_iovec_rx_bufs(card,
27545 (struct iovec *)
27546 iovb->data,
27547 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
27548 card->hbpool.count++;
27549 } else
27550 dev_kfree_skb_any(hb);
27551 - atomic_inc(&vcc->stats->rx_drop);
27552 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27553 } else {
27554 /* Copy the small buffer to the huge buffer */
27555 sb = (struct sk_buff *)iov->iov_base;
27556 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
27557 #endif /* NS_USE_DESTRUCTORS */
27558 __net_timestamp(hb);
27559 vcc->push(vcc, hb);
27560 - atomic_inc(&vcc->stats->rx);
27561 + atomic_inc_unchecked(&vcc->stats->rx);
27562 }
27563 }
27564
27565 diff -urNp linux-2.6.39.2/drivers/atm/solos-pci.c linux-2.6.39.2/drivers/atm/solos-pci.c
27566 --- linux-2.6.39.2/drivers/atm/solos-pci.c 2011-05-19 00:06:34.000000000 -0400
27567 +++ linux-2.6.39.2/drivers/atm/solos-pci.c 2011-05-22 19:36:31.000000000 -0400
27568 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
27569 }
27570 atm_charge(vcc, skb->truesize);
27571 vcc->push(vcc, skb);
27572 - atomic_inc(&vcc->stats->rx);
27573 + atomic_inc_unchecked(&vcc->stats->rx);
27574 break;
27575
27576 case PKT_STATUS:
27577 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
27578 char msg[500];
27579 char item[10];
27580
27581 + pax_track_stack();
27582 +
27583 len = buf->len;
27584 for (i = 0; i < len; i++){
27585 if(i % 8 == 0)
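Review bot: The added `pax_track_stack();` in print_buffer carries no comment saying why this function needs it; from the hunk the reason appears to be the 500-byte `msg` array on the stack. A one-line comment such as `/* large on-stack buffer (msg[500]): tracked for PaX stack clearing */` would keep the call from being dropped or moved in a later refactor. The same undocumented call is added in do_ida_request (cpqarray.c), DAC960_V1_ReadDeviceConfiguration (DAC960.c), sock_xmit and __nbd_ioctl (nbd.c) and send_panic_events (ipmi_msghandler.c). print_buffer's body continues outside the hunk.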
27586 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
27587 vcc = SKB_CB(oldskb)->vcc;
27588
27589 if (vcc) {
27590 - atomic_inc(&vcc->stats->tx);
27591 + atomic_inc_unchecked(&vcc->stats->tx);
27592 solos_pop(vcc, oldskb);
27593 } else
27594 dev_kfree_skb_irq(oldskb);
27595 diff -urNp linux-2.6.39.2/drivers/atm/suni.c linux-2.6.39.2/drivers/atm/suni.c
27596 --- linux-2.6.39.2/drivers/atm/suni.c 2011-05-19 00:06:34.000000000 -0400
27597 +++ linux-2.6.39.2/drivers/atm/suni.c 2011-05-22 19:36:31.000000000 -0400
27598 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27599
27600
27601 #define ADD_LIMITED(s,v) \
27602 - atomic_add((v),&stats->s); \
27603 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27604 + atomic_add_unchecked((v),&stats->s); \
27605 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27606
27607
27608 static void suni_hz(unsigned long from_timer)
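Review bot: ADD_LIMITED still expands to two bare statements, so using it as the body of an unbraced `if` would guard only the `atomic_add_unchecked()` and run the clamp unconditionally; wrapping the expansion in `do { ... } while (0)` fixes that. The clamp also depends on the counter wrapping negative, which is presumably why the `_unchecked` operations are used here, and a comment such as `/* counters saturate at INT_MAX; the wrap is detected and clamped below */` would make the opt-out from overflow detection reviewable. Add, read and set are three separate atomic operations, so the saturation is not atomic as a whole; that looks acceptable for statistics but is worth stating. The braced ADD_LIMITED in uPD98402.c uses the same clamp pattern.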
27609 diff -urNp linux-2.6.39.2/drivers/atm/uPD98402.c linux-2.6.39.2/drivers/atm/uPD98402.c
27610 --- linux-2.6.39.2/drivers/atm/uPD98402.c 2011-05-19 00:06:34.000000000 -0400
27611 +++ linux-2.6.39.2/drivers/atm/uPD98402.c 2011-05-22 19:36:31.000000000 -0400
27612 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
27613 struct sonet_stats tmp;
27614 int error = 0;
27615
27616 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27617 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27618 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27619 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27620 if (zero && !error) {
27621 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
27622
27623
27624 #define ADD_LIMITED(s,v) \
27625 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27626 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27627 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27628 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27629 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27630 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27631
27632
27633 static void stat_event(struct atm_dev *dev)
27634 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
27635 if (reason & uPD98402_INT_PFM) stat_event(dev);
27636 if (reason & uPD98402_INT_PCO) {
27637 (void) GET(PCOCR); /* clear interrupt cause */
27638 - atomic_add(GET(HECCT),
27639 + atomic_add_unchecked(GET(HECCT),
27640 &PRIV(dev)->sonet_stats.uncorr_hcs);
27641 }
27642 if ((reason & uPD98402_INT_RFO) &&
27643 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
27644 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27645 uPD98402_INT_LOS),PIMR); /* enable them */
27646 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27647 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27648 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27649 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27650 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27651 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27652 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27653 return 0;
27654 }
27655
27656 diff -urNp linux-2.6.39.2/drivers/atm/zatm.c linux-2.6.39.2/drivers/atm/zatm.c
27657 --- linux-2.6.39.2/drivers/atm/zatm.c 2011-05-19 00:06:34.000000000 -0400
27658 +++ linux-2.6.39.2/drivers/atm/zatm.c 2011-05-22 19:36:31.000000000 -0400
27659 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27660 }
27661 if (!size) {
27662 dev_kfree_skb_irq(skb);
27663 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27664 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27665 continue;
27666 }
27667 if (!atm_charge(vcc,skb->truesize)) {
27668 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27669 skb->len = size;
27670 ATM_SKB(skb)->vcc = vcc;
27671 vcc->push(vcc,skb);
27672 - atomic_inc(&vcc->stats->rx);
27673 + atomic_inc_unchecked(&vcc->stats->rx);
27674 }
27675 zout(pos & 0xffff,MTA(mbx));
27676 #if 0 /* probably a stupid idea */
27677 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27678 skb_queue_head(&zatm_vcc->backlog,skb);
27679 break;
27680 }
27681 - atomic_inc(&vcc->stats->tx);
27682 + atomic_inc_unchecked(&vcc->stats->tx);
27683 wake_up(&zatm_vcc->tx_wait);
27684 }
27685
27686 diff -urNp linux-2.6.39.2/drivers/base/iommu.c linux-2.6.39.2/drivers/base/iommu.c
27687 --- linux-2.6.39.2/drivers/base/iommu.c 2011-05-19 00:06:34.000000000 -0400
27688 +++ linux-2.6.39.2/drivers/base/iommu.c 2011-05-22 19:36:31.000000000 -0400
27689 @@ -23,9 +23,8 @@
27690 #include <linux/errno.h>
27691 #include <linux/iommu.h>
27692
27693 -static struct iommu_ops *iommu_ops;
27694 -
27695 -void register_iommu(struct iommu_ops *ops)
27696 +static const struct iommu_ops *iommu_ops;
27697 +void register_iommu(const struct iommu_ops *ops)
27698 {
27699 if (iommu_ops)
27700 BUG();
27701 diff -urNp linux-2.6.39.2/drivers/base/power/generic_ops.c linux-2.6.39.2/drivers/base/power/generic_ops.c
27702 --- linux-2.6.39.2/drivers/base/power/generic_ops.c 2011-05-19 00:06:34.000000000 -0400
27703 +++ linux-2.6.39.2/drivers/base/power/generic_ops.c 2011-05-22 19:36:31.000000000 -0400
27704 @@ -215,7 +215,7 @@ int pm_generic_restore(struct device *de
27705 EXPORT_SYMBOL_GPL(pm_generic_restore);
27706 #endif /* CONFIG_PM_SLEEP */
27707
27708 -struct dev_pm_ops generic_subsys_pm_ops = {
27709 +const struct dev_pm_ops generic_subsys_pm_ops = {
27710 #ifdef CONFIG_PM_SLEEP
27711 .suspend = pm_generic_suspend,
27712 .resume = pm_generic_resume,
27713 diff -urNp linux-2.6.39.2/drivers/base/power/wakeup.c linux-2.6.39.2/drivers/base/power/wakeup.c
27714 --- linux-2.6.39.2/drivers/base/power/wakeup.c 2011-05-19 00:06:34.000000000 -0400
27715 +++ linux-2.6.39.2/drivers/base/power/wakeup.c 2011-05-22 19:36:31.000000000 -0400
27716 @@ -29,14 +29,14 @@ bool events_check_enabled;
27717 * They need to be modified together atomically, so it's better to use one
27718 * atomic variable to hold them both.
27719 */
27720 -static atomic_t combined_event_count = ATOMIC_INIT(0);
27721 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
27722
27723 #define IN_PROGRESS_BITS (sizeof(int) * 4)
27724 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
27725
27726 static void split_counters(unsigned int *cnt, unsigned int *inpr)
27727 {
27728 - unsigned int comb = atomic_read(&combined_event_count);
27729 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
27730
27731 *cnt = (comb >> IN_PROGRESS_BITS);
27732 *inpr = comb & MAX_IN_PROGRESS;
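Review bot: `combined_event_count` is switched to `atomic_unchecked_t` without the block comment above it being updated to say that wraparound is expected. The variable packs two counters, and the `atomic_add_unchecked(MAX_IN_PROGRESS, ...)` in wakeup_source_deactivate (a later hunk) relies on the carry out of the low half, so the upper half can wrap by design. A sentence such as `Overflow of the upper half is harmless, hence atomic_unchecked_t.` in the existing comment would record that. The same reasoning covers the `atomic_inc_unchecked()` in wakeup_source_activate. split_counters continues outside the hunk.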
27733 @@ -351,7 +351,7 @@ static void wakeup_source_activate(struc
27734 ws->last_time = ktime_get();
27735
27736 /* Increment the counter of events in progress. */
27737 - atomic_inc(&combined_event_count);
27738 + atomic_inc_unchecked(&combined_event_count);
27739 }
27740
27741 /**
27742 @@ -441,7 +441,7 @@ static void wakeup_source_deactivate(str
27743 * Increment the counter of registered wakeup events and decrement the
27744 * couter of wakeup events in progress simultaneously.
27745 */
27746 - atomic_add(MAX_IN_PROGRESS, &combined_event_count);
27747 + atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
27748 }
27749
27750 /**
27751 diff -urNp linux-2.6.39.2/drivers/block/cciss.c linux-2.6.39.2/drivers/block/cciss.c
27752 --- linux-2.6.39.2/drivers/block/cciss.c 2011-05-19 00:06:34.000000000 -0400
27753 +++ linux-2.6.39.2/drivers/block/cciss.c 2011-05-22 19:41:32.000000000 -0400
27754 @@ -103,7 +103,7 @@ MODULE_DEVICE_TABLE(pci, cciss_pci_devic
27755 * product = Marketing Name for the board
27756 * access = Address of the struct of function pointers
27757 */
27758 -static struct board_type products[] = {
27759 +static const struct board_type products[] = {
27760 {0x40700E11, "Smart Array 5300", &SA5_access},
27761 {0x40800E11, "Smart Array 5i", &SA5B_access},
27762 {0x40820E11, "Smart Array 532", &SA5B_access},
27763 @@ -1151,6 +1151,8 @@ static int cciss_ioctl32_passthru(struct
27764 int err;
27765 u32 cp;
27766
27767 + memset(&arg64, 0, sizeof(arg64));
27768 +
27769 err = 0;
27770 err |=
27771 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
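Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment explaining what it protects against. Presumably the fields and padding of `arg64` that the `copy_from_user()` calls below do not fill would otherwise hold stale kernel stack contents when the struct is passed on. A comment like `/* clear padding and unset fields so no stale stack bytes leave the kernel */` would make the intent explicit. If the file has a second compat passthru path that builds a similar on-stack struct (not visible here), it needs the same zeroing. cciss_ioctl32_passthru continues outside the hunk.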
27772 diff -urNp linux-2.6.39.2/drivers/block/cciss.h linux-2.6.39.2/drivers/block/cciss.h
27773 --- linux-2.6.39.2/drivers/block/cciss.h 2011-05-19 00:06:34.000000000 -0400
27774 +++ linux-2.6.39.2/drivers/block/cciss.h 2011-05-22 19:36:31.000000000 -0400
27775 @@ -393,7 +393,7 @@ static bool SA5_performant_intr_pending(
27776 return register_value & SA5_OUTDB_STATUS_PERF_BIT;
27777 }
27778
27779 -static struct access_method SA5_access = {
27780 +static const struct access_method SA5_access = {
27781 SA5_submit_command,
27782 SA5_intr_mask,
27783 SA5_fifo_full,
27784 @@ -401,7 +401,7 @@ static struct access_method SA5_access =
27785 SA5_completed,
27786 };
27787
27788 -static struct access_method SA5B_access = {
27789 +static const struct access_method SA5B_access = {
27790 SA5_submit_command,
27791 SA5B_intr_mask,
27792 SA5_fifo_full,
27793 @@ -409,7 +409,7 @@ static struct access_method SA5B_access
27794 SA5_completed,
27795 };
27796
27797 -static struct access_method SA5_performant_access = {
27798 +static const struct access_method SA5_performant_access = {
27799 SA5_submit_command,
27800 SA5_performant_intr_mask,
27801 SA5_fifo_full,
27802 @@ -420,7 +420,7 @@ static struct access_method SA5_performa
27803 struct board_type {
27804 __u32 board_id;
27805 char *product_name;
27806 - struct access_method *access;
27807 + const struct access_method *access;
27808 int nr_cmds; /* Max cmds this kind of ctlr can handle. */
27809 };
27810
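Review bot: In `struct board_type` only `access` is made const; `product_name` stays `char *` although the `products[]` tables in cciss.c and cpqarray.c, now `static const`, initialise it from string literals. `const char *product_name;` would match the rest of the constification, provided no user of the field (outside these hunks) writes through it. The same applies to the `struct board_type` hunk in cpqarray.h.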
27811 diff -urNp linux-2.6.39.2/drivers/block/cpqarray.c linux-2.6.39.2/drivers/block/cpqarray.c
27812 --- linux-2.6.39.2/drivers/block/cpqarray.c 2011-05-19 00:06:34.000000000 -0400
27813 +++ linux-2.6.39.2/drivers/block/cpqarray.c 2011-05-22 19:36:31.000000000 -0400
27814 @@ -80,7 +80,7 @@ static int eisa[8];
27815 * product = Marketing Name for the board
27816 * access = Address of the struct of function pointers
27817 */
27818 -static struct board_type products[] = {
27819 +static const struct board_type products[] = {
27820 { 0x0040110E, "IDA", &smart1_access },
27821 { 0x0140110E, "IDA-2", &smart1_access },
27822 { 0x1040110E, "IAES", &smart1_access },
27823 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
27824 struct scatterlist tmp_sg[SG_MAX];
27825 int i, dir, seg;
27826
27827 + pax_track_stack();
27828 +
27829 queue_next:
27830 creq = blk_peek_request(q);
27831 if (!creq)
27832 diff -urNp linux-2.6.39.2/drivers/block/cpqarray.h linux-2.6.39.2/drivers/block/cpqarray.h
27833 --- linux-2.6.39.2/drivers/block/cpqarray.h 2011-05-19 00:06:34.000000000 -0400
27834 +++ linux-2.6.39.2/drivers/block/cpqarray.h 2011-05-22 19:36:31.000000000 -0400
27835 @@ -69,7 +69,7 @@ struct access_method {
27836 struct board_type {
27837 __u32 board_id;
27838 char *product_name;
27839 - struct access_method *access;
27840 + const struct access_method *access;
27841 };
27842
27843 struct ctlr_info {
27844 diff -urNp linux-2.6.39.2/drivers/block/DAC960.c linux-2.6.39.2/drivers/block/DAC960.c
27845 --- linux-2.6.39.2/drivers/block/DAC960.c 2011-05-19 00:06:34.000000000 -0400
27846 +++ linux-2.6.39.2/drivers/block/DAC960.c 2011-05-22 19:36:31.000000000 -0400
27847 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27848 unsigned long flags;
27849 int Channel, TargetID;
27850
27851 + pax_track_stack();
27852 +
27853 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
27854 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
27855 sizeof(DAC960_SCSI_Inquiry_T) +
27856 diff -urNp linux-2.6.39.2/drivers/block/drbd/drbd_int.h linux-2.6.39.2/drivers/block/drbd/drbd_int.h
27857 --- linux-2.6.39.2/drivers/block/drbd/drbd_int.h 2011-05-19 00:06:34.000000000 -0400
27858 +++ linux-2.6.39.2/drivers/block/drbd/drbd_int.h 2011-05-22 19:36:31.000000000 -0400
27859 @@ -736,7 +736,7 @@ struct drbd_request;
27860 struct drbd_epoch {
27861 struct list_head list;
27862 unsigned int barrier_nr;
27863 - atomic_t epoch_size; /* increased on every request added. */
27864 + atomic_unchecked_t epoch_size; /* increased on every request added. */
27865 atomic_t active; /* increased on every req. added, and dec on every finished. */
27866 unsigned long flags;
27867 };
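Review bot: `epoch_size` becomes `atomic_unchecked_t` while the neighbouring `active` stays `atomic_t`, and nothing records why the two differ. `epoch_size` is not a pure statistic: the drbd_receiver.c hunks compare it with zero in `wait_event()` and before the `kmalloc()` in receive_Barrier, so a wrap would change behaviour. If the reasoning is that it is not a reference count and cannot realistically wrap within one epoch, the field comment should say so, e.g. `/* increased on every request added; not a refcount, overflow checking not needed */`. The struct definition starts outside the hunk.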
27868 @@ -1108,7 +1108,7 @@ struct drbd_conf {
27869 void *int_dig_in;
27870 void *int_dig_vv;
27871 wait_queue_head_t seq_wait;
27872 - atomic_t packet_seq;
27873 + atomic_unchecked_t packet_seq;
27874 unsigned int peer_seq;
27875 spinlock_t peer_seq_lock;
27876 unsigned int minor;
27877 diff -urNp linux-2.6.39.2/drivers/block/drbd/drbd_main.c linux-2.6.39.2/drivers/block/drbd/drbd_main.c
27878 --- linux-2.6.39.2/drivers/block/drbd/drbd_main.c 2011-05-19 00:06:34.000000000 -0400
27879 +++ linux-2.6.39.2/drivers/block/drbd/drbd_main.c 2011-05-22 19:36:31.000000000 -0400
27880 @@ -2387,7 +2387,7 @@ static int _drbd_send_ack(struct drbd_co
27881 p.sector = sector;
27882 p.block_id = block_id;
27883 p.blksize = blksize;
27884 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
27885 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
27886
27887 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
27888 return false;
27889 @@ -2686,7 +2686,7 @@ int drbd_send_dblock(struct drbd_conf *m
27890 p.sector = cpu_to_be64(req->sector);
27891 p.block_id = (unsigned long)req;
27892 p.seq_num = cpu_to_be32(req->seq_num =
27893 - atomic_add_return(1, &mdev->packet_seq));
27894 + atomic_add_return_unchecked(1, &mdev->packet_seq));
27895
27896 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
27897
27898 @@ -2971,7 +2971,7 @@ void drbd_init_set_defaults(struct drbd_
27899 atomic_set(&mdev->unacked_cnt, 0);
27900 atomic_set(&mdev->local_cnt, 0);
27901 atomic_set(&mdev->net_cnt, 0);
27902 - atomic_set(&mdev->packet_seq, 0);
27903 + atomic_set_unchecked(&mdev->packet_seq, 0);
27904 atomic_set(&mdev->pp_in_use, 0);
27905 atomic_set(&mdev->pp_in_use_by_net, 0);
27906 atomic_set(&mdev->rs_sect_in, 0);
27907 @@ -3051,8 +3051,8 @@ void drbd_mdev_cleanup(struct drbd_conf
27908 mdev->receiver.t_state);
27909
27910 /* no need to lock it, I'm the only thread alive */
27911 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
27912 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
27913 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
27914 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
27915 mdev->al_writ_cnt =
27916 mdev->bm_writ_cnt =
27917 mdev->read_cnt =
27918 diff -urNp linux-2.6.39.2/drivers/block/drbd/drbd_nl.c linux-2.6.39.2/drivers/block/drbd/drbd_nl.c
27919 --- linux-2.6.39.2/drivers/block/drbd/drbd_nl.c 2011-05-19 00:06:34.000000000 -0400
27920 +++ linux-2.6.39.2/drivers/block/drbd/drbd_nl.c 2011-05-22 19:36:31.000000000 -0400
27921 @@ -2298,7 +2298,7 @@ static void drbd_connector_callback(stru
27922 module_put(THIS_MODULE);
27923 }
27924
27925 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
27926 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
27927
27928 static unsigned short *
27929 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
27930 @@ -2369,7 +2369,7 @@ void drbd_bcast_state(struct drbd_conf *
27931 cn_reply->id.idx = CN_IDX_DRBD;
27932 cn_reply->id.val = CN_VAL_DRBD;
27933
27934 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27935 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27936 cn_reply->ack = 0; /* not used here. */
27937 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27938 (int)((char *)tl - (char *)reply->tag_list);
27939 @@ -2401,7 +2401,7 @@ void drbd_bcast_ev_helper(struct drbd_co
27940 cn_reply->id.idx = CN_IDX_DRBD;
27941 cn_reply->id.val = CN_VAL_DRBD;
27942
27943 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27944 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27945 cn_reply->ack = 0; /* not used here. */
27946 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27947 (int)((char *)tl - (char *)reply->tag_list);
27948 @@ -2479,7 +2479,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
27949 cn_reply->id.idx = CN_IDX_DRBD;
27950 cn_reply->id.val = CN_VAL_DRBD;
27951
27952 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
27953 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
27954 cn_reply->ack = 0; // not used here.
27955 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27956 (int)((char*)tl - (char*)reply->tag_list);
27957 @@ -2518,7 +2518,7 @@ void drbd_bcast_sync_progress(struct drb
27958 cn_reply->id.idx = CN_IDX_DRBD;
27959 cn_reply->id.val = CN_VAL_DRBD;
27960
27961 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
27962 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
27963 cn_reply->ack = 0; /* not used here. */
27964 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
27965 (int)((char *)tl - (char *)reply->tag_list);
27966 diff -urNp linux-2.6.39.2/drivers/block/drbd/drbd_receiver.c linux-2.6.39.2/drivers/block/drbd/drbd_receiver.c
27967 --- linux-2.6.39.2/drivers/block/drbd/drbd_receiver.c 2011-05-19 00:06:34.000000000 -0400
27968 +++ linux-2.6.39.2/drivers/block/drbd/drbd_receiver.c 2011-05-22 19:36:31.000000000 -0400
27969 @@ -894,7 +894,7 @@ retry:
27970 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
27971 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
27972
27973 - atomic_set(&mdev->packet_seq, 0);
27974 + atomic_set_unchecked(&mdev->packet_seq, 0);
27975 mdev->peer_seq = 0;
27976
27977 drbd_thread_start(&mdev->asender);
27978 @@ -990,7 +990,7 @@ static enum finish_epoch drbd_may_finish
27979 do {
27980 next_epoch = NULL;
27981
27982 - epoch_size = atomic_read(&epoch->epoch_size);
27983 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
27984
27985 switch (ev & ~EV_CLEANUP) {
27986 case EV_PUT:
27987 @@ -1025,7 +1025,7 @@ static enum finish_epoch drbd_may_finish
27988 rv = FE_DESTROYED;
27989 } else {
27990 epoch->flags = 0;
27991 - atomic_set(&epoch->epoch_size, 0);
27992 + atomic_set_unchecked(&epoch->epoch_size, 0);
27993 /* atomic_set(&epoch->active, 0); is already zero */
27994 if (rv == FE_STILL_LIVE)
27995 rv = FE_RECYCLED;
27996 @@ -1196,14 +1196,14 @@ static int receive_Barrier(struct drbd_c
27997 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
27998 drbd_flush(mdev);
27999
28000 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28001 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28002 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
28003 if (epoch)
28004 break;
28005 }
28006
28007 epoch = mdev->current_epoch;
28008 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
28009 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
28010
28011 D_ASSERT(atomic_read(&epoch->active) == 0);
28012 D_ASSERT(epoch->flags == 0);
28013 @@ -1215,11 +1215,11 @@ static int receive_Barrier(struct drbd_c
28014 }
28015
28016 epoch->flags = 0;
28017 - atomic_set(&epoch->epoch_size, 0);
28018 + atomic_set_unchecked(&epoch->epoch_size, 0);
28019 atomic_set(&epoch->active, 0);
28020
28021 spin_lock(&mdev->epoch_lock);
28022 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28023 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28024 list_add(&epoch->list, &mdev->current_epoch->list);
28025 mdev->current_epoch = epoch;
28026 mdev->epochs++;
28027 @@ -1668,7 +1668,7 @@ static int receive_Data(struct drbd_conf
28028 spin_unlock(&mdev->peer_seq_lock);
28029
28030 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
28031 - atomic_inc(&mdev->current_epoch->epoch_size);
28032 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
28033 return drbd_drain_block(mdev, data_size);
28034 }
28035
28036 @@ -1694,7 +1694,7 @@ static int receive_Data(struct drbd_conf
28037
28038 spin_lock(&mdev->epoch_lock);
28039 e->epoch = mdev->current_epoch;
28040 - atomic_inc(&e->epoch->epoch_size);
28041 + atomic_inc_unchecked(&e->epoch->epoch_size);
28042 atomic_inc(&e->epoch->active);
28043 spin_unlock(&mdev->epoch_lock);
28044
28045 @@ -3905,7 +3905,7 @@ static void drbd_disconnect(struct drbd_
28046 D_ASSERT(list_empty(&mdev->done_ee));
28047
28048 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
28049 - atomic_set(&mdev->current_epoch->epoch_size, 0);
28050 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
28051 D_ASSERT(list_empty(&mdev->current_epoch->list));
28052 }
28053
28054 diff -urNp linux-2.6.39.2/drivers/block/nbd.c linux-2.6.39.2/drivers/block/nbd.c
28055 --- linux-2.6.39.2/drivers/block/nbd.c 2011-06-25 12:55:22.000000000 -0400
28056 +++ linux-2.6.39.2/drivers/block/nbd.c 2011-06-25 13:00:25.000000000 -0400
28057 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
28058 struct kvec iov;
28059 sigset_t blocked, oldset;
28060
28061 + pax_track_stack();
28062 +
28063 if (unlikely(!sock)) {
28064 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28065 lo->disk->disk_name, (send ? "send" : "recv"));
28066 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
28067 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28068 unsigned int cmd, unsigned long arg)
28069 {
28070 + pax_track_stack();
28071 +
28072 switch (cmd) {
28073 case NBD_DISCONNECT: {
28074 struct request sreq;
28075 diff -urNp linux-2.6.39.2/drivers/block/smart1,2.h linux-2.6.39.2/drivers/block/smart1,2.h
28076 --- linux-2.6.39.2/drivers/block/smart1,2.h 2011-05-19 00:06:34.000000000 -0400
28077 +++ linux-2.6.39.2/drivers/block/smart1,2.h 2011-05-22 19:36:31.000000000 -0400
28078 @@ -107,7 +107,7 @@ static unsigned long smart4_intr_pending
28079 return 0 ;
28080 }
28081
28082 -static struct access_method smart4_access = {
28083 +static const struct access_method smart4_access = {
28084 smart4_submit_command,
28085 smart4_intr_mask,
28086 smart4_fifo_full,
28087 @@ -143,7 +143,7 @@ static unsigned long smart2_intr_pending
28088 return readl(h->vaddr + INTR_PENDING);
28089 }
28090
28091 -static struct access_method smart2_access = {
28092 +static const struct access_method smart2_access = {
28093 smart2_submit_command,
28094 smart2_intr_mask,
28095 smart2_fifo_full,
28096 @@ -179,7 +179,7 @@ static unsigned long smart2e_intr_pendin
28097 return inl(h->io_mem_addr + INTR_PENDING);
28098 }
28099
28100 -static struct access_method smart2e_access = {
28101 +static const struct access_method smart2e_access = {
28102 smart2e_submit_command,
28103 smart2e_intr_mask,
28104 smart2e_fifo_full,
28105 @@ -269,7 +269,7 @@ static unsigned long smart1_intr_pending
28106 return chan;
28107 }
28108
28109 -static struct access_method smart1_access = {
28110 +static const struct access_method smart1_access = {
28111 smart1_submit_command,
28112 smart1_intr_mask,
28113 smart1_fifo_full,
28114 diff -urNp linux-2.6.39.2/drivers/block/xsysace.c linux-2.6.39.2/drivers/block/xsysace.c
28115 --- linux-2.6.39.2/drivers/block/xsysace.c 2011-05-19 00:06:34.000000000 -0400
28116 +++ linux-2.6.39.2/drivers/block/xsysace.c 2011-05-22 19:36:31.000000000 -0400
28117 @@ -262,7 +262,7 @@ static void ace_dataout_8(struct ace_dev
28118 ace->data_ptr = src;
28119 }
28120
28121 -static struct ace_reg_ops ace_reg_8_ops = {
28122 +static const struct ace_reg_ops ace_reg_8_ops = {
28123 .in = ace_in_8,
28124 .out = ace_out_8,
28125 .datain = ace_datain_8,
28126 @@ -327,14 +327,14 @@ static void ace_dataout_le16(struct ace_
28127 ace->data_ptr = src;
28128 }
28129
28130 -static struct ace_reg_ops ace_reg_be16_ops = {
28131 +static const struct ace_reg_ops ace_reg_be16_ops = {
28132 .in = ace_in_be16,
28133 .out = ace_out_be16,
28134 .datain = ace_datain_be16,
28135 .dataout = ace_dataout_be16,
28136 };
28137
28138 -static struct ace_reg_ops ace_reg_le16_ops = {
28139 +static const struct ace_reg_ops ace_reg_le16_ops = {
28140 .in = ace_in_le16,
28141 .out = ace_out_le16,
28142 .datain = ace_datain_le16,
28143 diff -urNp linux-2.6.39.2/drivers/char/agp/frontend.c linux-2.6.39.2/drivers/char/agp/frontend.c
28144 --- linux-2.6.39.2/drivers/char/agp/frontend.c 2011-05-19 00:06:34.000000000 -0400
28145 +++ linux-2.6.39.2/drivers/char/agp/frontend.c 2011-05-22 19:36:31.000000000 -0400
28146 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
28147 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
28148 return -EFAULT;
28149
28150 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
28151 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
28152 return -EFAULT;
28153
28154 client = agp_find_client_by_pid(reserve.pid);
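Review bot: The bound on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, but the hunk neither shows nor names the multiplication it guards. If arrays of both `struct agp_segment` and `struct agp_segment_priv` are later sized from `seg_count` (outside the hunk), a comment such as `/* seg_count is multiplied by both segment struct sizes; bound by the larger */` should say so, or the allocations should use `kcalloc()`, which checks the multiplication itself. The guard still admits counts that lead to very large allocations, so an explicit upper limit may be worth adding. agpioc_reserve_wrap continues outside the hunk.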
28155 diff -urNp linux-2.6.39.2/drivers/char/briq_panel.c linux-2.6.39.2/drivers/char/briq_panel.c
28156 --- linux-2.6.39.2/drivers/char/briq_panel.c 2011-05-19 00:06:34.000000000 -0400
28157 +++ linux-2.6.39.2/drivers/char/briq_panel.c 2011-05-22 19:41:32.000000000 -0400
28158 @@ -9,6 +9,7 @@
28159 #include <linux/types.h>
28160 #include <linux/errno.h>
28161 #include <linux/tty.h>
28162 +#include <linux/mutex.h>
28163 #include <linux/timer.h>
28164 #include <linux/kernel.h>
28165 #include <linux/wait.h>
28166 @@ -34,6 +35,7 @@ static int vfd_is_open;
28167 static unsigned char vfd[40];
28168 static int vfd_cursor;
28169 static unsigned char ledpb, led;
28170 +static DEFINE_MUTEX(vfd_mutex);
28171
28172 static void update_vfd(void)
28173 {
28174 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
28175 if (!vfd_is_open)
28176 return -EBUSY;
28177
28178 + mutex_lock(&vfd_mutex);
28179 for (;;) {
28180 char c;
28181 if (!indx)
28182 break;
28183 - if (get_user(c, buf))
28184 + if (get_user(c, buf)) {
28185 + mutex_unlock(&vfd_mutex);
28186 return -EFAULT;
28187 + }
28188 if (esc) {
28189 set_led(c);
28190 esc = 0;
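Review bot: `mutex_lock(&vfd_mutex)` is uninterruptible, and the loop it protects calls `get_user()` once per byte for what appears to be a caller-chosen length, so a second writer cannot be signalled while it waits. `if (mutex_lock_interruptible(&vfd_mutex)) return -ERESTARTSYS;` would avoid that. The `-EFAULT` path unlocks by hand; a single `out:` label before the `mutex_unlock()` added in the next hunk would keep future early exits from leaking the lock. The `vfd_is_open` test stays outside the lock, and other users of `vfd` and `vfd_cursor` are not visible here, so whether they take `vfd_mutex` too should be confirmed. briq_panel_write starts and ends outside the hunk.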
28191 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
28192 buf++;
28193 }
28194 update_vfd();
28195 + mutex_unlock(&vfd_mutex);
28196
28197 return len;
28198 }
28199 diff -urNp linux-2.6.39.2/drivers/char/genrtc.c linux-2.6.39.2/drivers/char/genrtc.c
28200 --- linux-2.6.39.2/drivers/char/genrtc.c 2011-05-19 00:06:34.000000000 -0400
28201 +++ linux-2.6.39.2/drivers/char/genrtc.c 2011-05-22 19:41:32.000000000 -0400
28202 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
28203 switch (cmd) {
28204
28205 case RTC_PLL_GET:
28206 + memset(&pll, 0, sizeof(pll));
28207 if (get_rtc_pll(&pll))
28208 return -EINVAL;
28209 else
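Review bot: The `memset(&pll, 0, sizeof(pll));` under `RTC_PLL_GET` is uncommented. It presumably ensures that fields and padding which `get_rtc_pll()` leaves untouched are not copied out with stale stack contents in the `else` branch, which lies outside the hunk. A comment such as `/* get_rtc_pll() may not set every field; clear first so no stack bytes reach user space */` would document that. gen_rtc_ioctl continues outside the hunk.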
28210 diff -urNp linux-2.6.39.2/drivers/char/hpet.c linux-2.6.39.2/drivers/char/hpet.c
28211 --- linux-2.6.39.2/drivers/char/hpet.c 2011-05-19 00:06:34.000000000 -0400
28212 +++ linux-2.6.39.2/drivers/char/hpet.c 2011-05-22 19:36:31.000000000 -0400
28213 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
28214 }
28215
28216 static int
28217 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
28218 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
28219 struct hpet_info *info)
28220 {
28221 struct hpet_timer __iomem *timer;
28222 diff -urNp linux-2.6.39.2/drivers/char/ipmi/ipmi_devintf.c linux-2.6.39.2/drivers/char/ipmi/ipmi_devintf.c
28223 --- linux-2.6.39.2/drivers/char/ipmi/ipmi_devintf.c 2011-05-19 00:06:34.000000000 -0400
28224 +++ linux-2.6.39.2/drivers/char/ipmi/ipmi_devintf.c 2011-05-22 19:36:31.000000000 -0400
28225 @@ -109,8 +109,7 @@ static int ipmi_fasync(int fd, struct fi
28226 return (result);
28227 }
28228
28229 -static struct ipmi_user_hndl ipmi_hndlrs =
28230 -{
28231 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28232 .ipmi_recv_hndl = file_receive_handler,
28233 };
28234
28235 diff -urNp linux-2.6.39.2/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.39.2/drivers/char/ipmi/ipmi_msghandler.c
28236 --- linux-2.6.39.2/drivers/char/ipmi/ipmi_msghandler.c 2011-05-19 00:06:34.000000000 -0400
28237 +++ linux-2.6.39.2/drivers/char/ipmi/ipmi_msghandler.c 2011-05-22 19:36:31.000000000 -0400
28238 @@ -82,7 +82,7 @@ struct ipmi_user {
28239 struct kref refcount;
28240
28241 /* The upper layer that handles receive messages. */
28242 - struct ipmi_user_hndl *handler;
28243 + const struct ipmi_user_hndl *handler;
28244 void *handler_data;
28245
28246 /* The interface this user is bound to. */
28247 @@ -414,7 +414,7 @@ struct ipmi_smi {
28248 struct proc_dir_entry *proc_dir;
28249 char proc_dir_name[10];
28250
28251 - atomic_t stats[IPMI_NUM_STATS];
28252 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28253
28254 /*
28255 * run_to_completion duplicate of smb_info, smi_info
28256 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28257
28258
28259 #define ipmi_inc_stat(intf, stat) \
28260 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28261 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28262 #define ipmi_get_stat(intf, stat) \
28263 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28264 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28265
28266 static int is_lan_addr(struct ipmi_addr *addr)
28267 {
28268 @@ -875,7 +875,7 @@ static int intf_err_seq(ipmi_smi_t int
28269
28270
28271 int ipmi_create_user(unsigned int if_num,
28272 - struct ipmi_user_hndl *handler,
28273 + const struct ipmi_user_hndl *handler,
28274 void *handler_data,
28275 ipmi_user_t *user)
28276 {
28277 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28278 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28279 init_waitqueue_head(&intf->waitq);
28280 for (i = 0; i < IPMI_NUM_STATS; i++)
28281 - atomic_set(&intf->stats[i], 0);
28282 + atomic_set_unchecked(&intf->stats[i], 0);
28283
28284 intf->proc_dir = NULL;
28285
28286 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
28287 struct ipmi_smi_msg smi_msg;
28288 struct ipmi_recv_msg recv_msg;
28289
28290 + pax_track_stack();
28291 +
28292 si = (struct ipmi_system_interface_addr *) &addr;
28293 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28294 si->channel = IPMI_BMC_CHANNEL;
28295 diff -urNp linux-2.6.39.2/drivers/char/ipmi/ipmi_poweroff.c linux-2.6.39.2/drivers/char/ipmi/ipmi_poweroff.c
28296 --- linux-2.6.39.2/drivers/char/ipmi/ipmi_poweroff.c 2011-05-19 00:06:34.000000000 -0400
28297 +++ linux-2.6.39.2/drivers/char/ipmi/ipmi_poweroff.c 2011-05-22 19:36:31.000000000 -0400
28298 @@ -133,7 +133,7 @@ static void receive_handler(struct ipmi_
28299 complete(comp);
28300 }
28301
28302 -static struct ipmi_user_hndl ipmi_poweroff_handler = {
28303 +static const struct ipmi_user_hndl ipmi_poweroff_handler = {
28304 .ipmi_recv_hndl = receive_handler
28305 };
28306
28307 diff -urNp linux-2.6.39.2/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.39.2/drivers/char/ipmi/ipmi_si_intf.c
28308 --- linux-2.6.39.2/drivers/char/ipmi/ipmi_si_intf.c 2011-05-19 00:06:34.000000000 -0400
28309 +++ linux-2.6.39.2/drivers/char/ipmi/ipmi_si_intf.c 2011-05-22 19:36:31.000000000 -0400
28310 @@ -276,7 +276,7 @@ struct smi_info {
28311 unsigned char slave_addr;
28312
28313 /* Counters and things for the proc filesystem. */
28314 - atomic_t stats[SI_NUM_STATS];
28315 + atomic_unchecked_t stats[SI_NUM_STATS];
28316
28317 struct task_struct *thread;
28318
28319 @@ -285,9 +285,9 @@ struct smi_info {
28320 };
28321
28322 #define smi_inc_stat(smi, stat) \
28323 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28324 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28325 #define smi_get_stat(smi, stat) \
28326 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28327 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28328
28329 #define SI_MAX_PARMS 4
28330
28331 @@ -3198,7 +3198,7 @@ static int try_smi_init(struct smi_info
28332 atomic_set(&new_smi->req_events, 0);
28333 new_smi->run_to_completion = 0;
28334 for (i = 0; i < SI_NUM_STATS; i++)
28335 - atomic_set(&new_smi->stats[i], 0);
28336 + atomic_set_unchecked(&new_smi->stats[i], 0);
28337
28338 new_smi->interrupt_disabled = 1;
28339 atomic_set(&new_smi->stop_operation, 0);
28340 diff -urNp linux-2.6.39.2/drivers/char/ipmi/ipmi_watchdog.c linux-2.6.39.2/drivers/char/ipmi/ipmi_watchdog.c
28341 --- linux-2.6.39.2/drivers/char/ipmi/ipmi_watchdog.c 2011-05-19 00:06:34.000000000 -0400
28342 +++ linux-2.6.39.2/drivers/char/ipmi/ipmi_watchdog.c 2011-05-22 19:36:31.000000000 -0400
28343 @@ -216,7 +216,7 @@ static int set_param_timeout(const char
28344 return rv;
28345 }
28346
28347 -static struct kernel_param_ops param_ops_timeout = {
28348 +static const struct kernel_param_ops param_ops_timeout = {
28349 .set = set_param_timeout,
28350 .get = param_get_int,
28351 };
28352 @@ -278,14 +278,14 @@ static int set_param_wdog_ifnum(const ch
28353 return 0;
28354 }
28355
28356 -static struct kernel_param_ops param_ops_wdog_ifnum = {
28357 +static const struct kernel_param_ops param_ops_wdog_ifnum = {
28358 .set = set_param_wdog_ifnum,
28359 .get = param_get_int,
28360 };
28361
28362 #define param_check_wdog_ifnum param_check_int
28363
28364 -static struct kernel_param_ops param_ops_str = {
28365 +static const struct kernel_param_ops param_ops_str = {
28366 .set = set_param_str,
28367 .get = get_param_str,
28368 };
28369 @@ -953,7 +953,7 @@ static void ipmi_wdog_pretimeout_handler
28370 pretimeout_since_last_heartbeat = 1;
28371 }
28372
28373 -static struct ipmi_user_hndl ipmi_hndlrs = {
28374 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28375 .ipmi_recv_hndl = ipmi_wdog_msg_handler,
28376 .ipmi_watchdog_pretimeout = ipmi_wdog_pretimeout_handler
28377 };
28378 diff -urNp linux-2.6.39.2/drivers/char/Kconfig linux-2.6.39.2/drivers/char/Kconfig
28379 --- linux-2.6.39.2/drivers/char/Kconfig 2011-05-19 00:06:34.000000000 -0400
28380 +++ linux-2.6.39.2/drivers/char/Kconfig 2011-05-22 19:41:37.000000000 -0400
28381 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
28382
28383 config DEVKMEM
28384 bool "/dev/kmem virtual device support"
28385 - default y
28386 + default n
28387 + depends on !GRKERNSEC_KMEM
28388 help
28389 Say Y here if you want to support the /dev/kmem device. The
28390 /dev/kmem device is rarely used, but can be used for certain
28391 @@ -596,6 +597,7 @@ config DEVPORT
28392 bool
28393 depends on !M68K
28394 depends on ISA || PCI
28395 + depends on !GRKERNSEC_KMEM
28396 default y
28397
28398 source "drivers/s390/char/Kconfig"
28399 diff -urNp linux-2.6.39.2/drivers/char/mem.c linux-2.6.39.2/drivers/char/mem.c
28400 --- linux-2.6.39.2/drivers/char/mem.c 2011-05-19 00:06:34.000000000 -0400
28401 +++ linux-2.6.39.2/drivers/char/mem.c 2011-05-22 19:41:37.000000000 -0400
28402 @@ -18,6 +18,7 @@
28403 #include <linux/raw.h>
28404 #include <linux/tty.h>
28405 #include <linux/capability.h>
28406 +#include <linux/security.h>
28407 #include <linux/ptrace.h>
28408 #include <linux/device.h>
28409 #include <linux/highmem.h>
28410 @@ -34,6 +35,10 @@
28411 # include <linux/efi.h>
28412 #endif
28413
28414 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28415 +extern struct file_operations grsec_fops;
28416 +#endif
28417 +
28418 static inline unsigned long size_inside_page(unsigned long start,
28419 unsigned long size)
28420 {
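Review bot: The added `extern struct file_operations grsec_fops;` declares the table non-const and does so inside mem.c rather than in a shared header, so the compiler cannot check it against the definition, which is not on this page. The rest of this patch marks ops tables `const` (for example `ipmi_poweroff_handler`), and the same treatment would fit here if the definition allows it: `extern const struct file_operations grsec_fops;`. Moving the declaration into a header included by both files would also catch any later type drift.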
28421 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
28422
28423 while (cursor < to) {
28424 if (!devmem_is_allowed(pfn)) {
28425 +#ifdef CONFIG_GRKERNSEC_KMEM
28426 + gr_handle_mem_readwrite(from, to);
28427 +#else
28428 printk(KERN_INFO
28429 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28430 current->comm, from, to);
28431 +#endif
28432 return 0;
28433 }
28434 cursor += PAGE_SIZE;
28435 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
28436 }
28437 return 1;
28438 }
28439 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28440 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28441 +{
28442 + return 0;
28443 +}
28444 #else
28445 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28446 {
28447 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
28448
28449 while (count > 0) {
28450 unsigned long remaining;
28451 + char *temp;
28452
28453 sz = size_inside_page(p, count);
28454
28455 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
28456 if (!ptr)
28457 return -EFAULT;
28458
28459 - remaining = copy_to_user(buf, ptr, sz);
28460 +#ifdef CONFIG_PAX_USERCOPY
28461 + temp = kmalloc(sz, GFP_KERNEL);
28462 + if (!temp) {
28463 + unxlate_dev_mem_ptr(p, ptr);
28464 + return -ENOMEM;
28465 + }
28466 + memcpy(temp, ptr, sz);
28467 +#else
28468 + temp = ptr;
28469 +#endif
28470 +
28471 + remaining = copy_to_user(buf, temp, sz);
28472 +
28473 +#ifdef CONFIG_PAX_USERCOPY
28474 + kfree(temp);
28475 +#endif
28476 +
28477 unxlate_dev_mem_ptr(p, ptr);
28478 if (remaining)
28479 return -EFAULT;
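Review bot: The CONFIG_PAX_USERCOPY branch copies each chunk through a kmalloc'd buffer before copy_to_user() with no comment saying why, so a reader cannot tell from the hunk that the extra copy is deliberate. Presumably the bounce buffer exists so that the source handed to copy_to_user() is a slab object the usercopy check accepts; once confirmed, a comment above the `kmalloc` such as `/* bounce via a slab buffer so the usercopy check sees a valid source object */` would record that. The same undocumented pattern is in the read_kmem hunk at `@@ -428,7 +460,22 @@`, where the allocation and free also run once per loop iteration. read_mem starts and ends outside this hunk.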
28480 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
28481 size_t count, loff_t *ppos)
28482 {
28483 unsigned long p = *ppos;
28484 - ssize_t low_count, read, sz;
28485 + ssize_t low_count, read, sz, err = 0;
28486 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28487 - int err = 0;
28488
28489 read = 0;
28490 if (p < (unsigned long) high_memory) {
28491 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
28492 }
28493 #endif
28494 while (low_count > 0) {
28495 + char *temp;
28496 +
28497 sz = size_inside_page(p, low_count);
28498
28499 /*
28500 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
28501 */
28502 kbuf = xlate_dev_kmem_ptr((char *)p);
28503
28504 - if (copy_to_user(buf, kbuf, sz))
28505 +#ifdef CONFIG_PAX_USERCOPY
28506 + temp = kmalloc(sz, GFP_KERNEL);
28507 + if (!temp)
28508 + return -ENOMEM;
28509 + memcpy(temp, kbuf, sz);
28510 +#else
28511 + temp = kbuf;
28512 +#endif
28513 +
28514 + err = copy_to_user(buf, temp, sz);
28515 +
28516 +#ifdef CONFIG_PAX_USERCOPY
28517 + kfree(temp);
28518 +#endif
28519 +
28520 + if (err)
28521 return -EFAULT;
28522 buf += sz;
28523 p += sz;
28524 @@ -854,6 +901,9 @@ static const struct memdev {
28525 #ifdef CONFIG_CRASH_DUMP
28526 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28527 #endif
28528 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28529 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28530 +#endif
28531 };
28532
28533 static int memory_open(struct inode *inode, struct file *filp)
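Review bot: The new `[13]` entry registers the `grsec` node with `S_IRUSR | S_IWUGO`, which makes it writable by every user, so all access control for it rests on the write handler in `grsec_fops`, whose definition is not on this page. A comment on the entry should state that the wide mode is intentional and where the caller is authenticated, for example `/* world-writable on purpose: grsec_fops authenticates every write */`, to be confirmed against that handler. The entry also lacks the space after the first comma that the neighbouring `oldmem` line has.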
28534 diff -urNp linux-2.6.39.2/drivers/char/mmtimer.c linux-2.6.39.2/drivers/char/mmtimer.c
28535 --- linux-2.6.39.2/drivers/char/mmtimer.c 2011-05-19 00:06:34.000000000 -0400
28536 +++ linux-2.6.39.2/drivers/char/mmtimer.c 2011-05-22 19:36:31.000000000 -0400
28537 @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
28538
28539 #define RTC_BITS 55 /* 55 bits for this implementation */
28540
28541 -static struct k_clock sgi_clock;
28542 +static const struct k_clock sgi_clock;
28543
28544 extern unsigned long sn_rtc_cycles_per_second;
28545
28546 @@ -772,7 +772,7 @@ static int sgi_clock_getres(const clocki
28547 return 0;
28548 }
28549
28550 -static struct k_clock sgi_clock = {
28551 +static const struct k_clock sgi_clock = {
28552 .clock_set = sgi_clock_set,
28553 .clock_get = sgi_clock_get,
28554 .clock_getres = sgi_clock_getres,
28555 diff -urNp linux-2.6.39.2/drivers/char/nvram.c linux-2.6.39.2/drivers/char/nvram.c
28556 --- linux-2.6.39.2/drivers/char/nvram.c 2011-05-19 00:06:34.000000000 -0400
28557 +++ linux-2.6.39.2/drivers/char/nvram.c 2011-05-22 19:36:31.000000000 -0400
28558 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
28559
28560 spin_unlock_irq(&rtc_lock);
28561
28562 - if (copy_to_user(buf, contents, tmp - contents))
28563 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
28564 return -EFAULT;
28565
28566 *ppos = i;
28567 diff -urNp linux-2.6.39.2/drivers/char/random.c linux-2.6.39.2/drivers/char/random.c
28568 --- linux-2.6.39.2/drivers/char/random.c 2011-05-19 00:06:34.000000000 -0400
28569 +++ linux-2.6.39.2/drivers/char/random.c 2011-05-22 19:41:37.000000000 -0400
28570 @@ -261,8 +261,13 @@
28571 /*
28572 * Configuration information
28573 */
28574 +#ifdef CONFIG_GRKERNSEC_RANDNET
28575 +#define INPUT_POOL_WORDS 512
28576 +#define OUTPUT_POOL_WORDS 128
28577 +#else
28578 #define INPUT_POOL_WORDS 128
28579 #define OUTPUT_POOL_WORDS 32
28580 +#endif
28581 #define SEC_XFER_SIZE 512
28582 #define EXTRACT_SIZE 10
28583
28584 @@ -300,10 +305,17 @@ static struct poolinfo {
28585 int poolwords;
28586 int tap1, tap2, tap3, tap4, tap5;
28587 } poolinfo_table[] = {
28588 +#ifdef CONFIG_GRKERNSEC_RANDNET
28589 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28590 + { 512, 411, 308, 208, 104, 1 },
28591 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28592 + { 128, 103, 76, 51, 25, 1 },
28593 +#else
28594 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28595 { 128, 103, 76, 51, 25, 1 },
28596 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28597 { 32, 26, 20, 14, 7, 1 },
28598 +#endif
28599 #if 0
28600 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28601 { 2048, 1638, 1231, 819, 411, 1 },
28602 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
28603
28604 extract_buf(r, tmp);
28605 i = min_t(int, nbytes, EXTRACT_SIZE);
28606 - if (copy_to_user(buf, tmp, i)) {
28607 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
28608 ret = -EFAULT;
28609 break;
28610 }
28611 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28612 #include <linux/sysctl.h>
28613
28614 static int min_read_thresh = 8, min_write_thresh;
28615 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28616 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28617 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28618 static char sysctl_bootid[16];
28619
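Review bot: Changing `max_read_thresh` to `OUTPUT_POOL_WORDS * 32` also alters kernels built without CONFIG_GRKERNSEC_RANDNET: with the `#else` values from the first hunk of this file (128 and 32 words) the bound drops from 4096 to 1024, while with RANDNET it stays at 4096. If this variable is the upper limit for the read wakeup threshold sysctl, as its name and the `linux/sysctl.h` include suggest, existing settings above 1024 would be rejected on a non-RANDNET build. A one-line comment giving the reason for tying the read bound to the output pool would help, or the old expression could be kept under `#ifndef CONFIG_GRKERNSEC_RANDNET`.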
28620 diff -urNp linux-2.6.39.2/drivers/char/sonypi.c linux-2.6.39.2/drivers/char/sonypi.c
28621 --- linux-2.6.39.2/drivers/char/sonypi.c 2011-05-19 00:06:34.000000000 -0400
28622 +++ linux-2.6.39.2/drivers/char/sonypi.c 2011-05-22 19:36:31.000000000 -0400
28623 @@ -55,6 +55,7 @@
28624 #include <asm/uaccess.h>
28625 #include <asm/io.h>
28626 #include <asm/system.h>
28627 +#include <asm/local.h>
28628
28629 #include <linux/sonypi.h>
28630
28631 @@ -491,7 +492,7 @@ static struct sonypi_device {
28632 spinlock_t fifo_lock;
28633 wait_queue_head_t fifo_proc_list;
28634 struct fasync_struct *fifo_async;
28635 - int open_count;
28636 + local_t open_count;
28637 int model;
28638 struct input_dev *input_jog_dev;
28639 struct input_dev *input_key_dev;
28640 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
28641 static int sonypi_misc_release(struct inode *inode, struct file *file)
28642 {
28643 mutex_lock(&sonypi_device.lock);
28644 - sonypi_device.open_count--;
28645 + local_dec(&sonypi_device.open_count);
28646 mutex_unlock(&sonypi_device.lock);
28647 return 0;
28648 }
28649 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
28650 {
28651 mutex_lock(&sonypi_device.lock);
28652 /* Flush input queue on first open */
28653 - if (!sonypi_device.open_count)
28654 + if (!local_read(&sonypi_device.open_count))
28655 kfifo_reset(&sonypi_device.fifo);
28656 - sonypi_device.open_count++;
28657 + local_inc(&sonypi_device.open_count);
28658 mutex_unlock(&sonypi_device.lock);
28659
28660 return 0;
28661 diff -urNp linux-2.6.39.2/drivers/char/tpm/tpm_bios.c linux-2.6.39.2/drivers/char/tpm/tpm_bios.c
28662 --- linux-2.6.39.2/drivers/char/tpm/tpm_bios.c 2011-05-19 00:06:34.000000000 -0400
28663 +++ linux-2.6.39.2/drivers/char/tpm/tpm_bios.c 2011-05-22 19:36:31.000000000 -0400
28664 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
28665 event = addr;
28666
28667 if ((event->event_type == 0 && event->event_size == 0) ||
28668 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28669 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28670 return NULL;
28671
28672 return addr;
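Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only correct when at least one full header fits between `addr` and `limit`; because `sizeof` yields an unsigned type, a smaller gap makes the right-hand side wrap to a huge value and the entry is accepted. The guard is presumably the check just above the hunk, so a comment such as `/* limit - addr >= sizeof(struct tcpa_event) is guaranteed by the check above */` would keep that dependency visible. The same applies to the `limit - v` test in the next hunk, in tpm_bios_measurements_next. Both functions start outside their hunks.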
28673 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
28674 return NULL;
28675
28676 if ((event->event_type == 0 && event->event_size == 0) ||
28677 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28678 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28679 return NULL;
28680
28681 (*pos)++;
28682 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
28683 int i;
28684
28685 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28686 - seq_putc(m, data[i]);
28687 + if (!seq_putc(m, data[i]))
28688 + return -EFAULT;
28689
28690 return 0;
28691 }
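Review bot: The new test `if (!seq_putc(m, data[i]))` treats a zero return as failure, which is inverted if seq_putc() follows the mainline convention of this kernel generation (0 on success, -1 when the buffer is full); its definition is not on this page, so this needs checking. With that convention the show routine would return -EFAULT after the first byte it writes successfully, and the binary measurement file would never produce output. If so, the line should read `if (seq_putc(m, data[i]))`. It is also worth confirming that returning an error on a full buffer does not defeat seq_file's usual retry with a larger buffer.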
28692 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
28693 log->bios_event_log_end = log->bios_event_log + len;
28694
28695 virt = acpi_os_map_memory(start, len);
28696 + if (!virt) {
28697 + kfree(log->bios_event_log);
28698 + log->bios_event_log = NULL;
28699 + return -EFAULT;
28700 + }
28701
28702 memcpy(log->bios_event_log, virt, len);
28703
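Review bot: The new failure path frees `log->bios_event_log` and clears it but leaves `log->bios_event_log_end`, assigned on the first line of this hunk, pointing just past the freed buffer. Any later code that compares against the end pointer without first checking the start pointer would work with a stale address; adding `log->bios_event_log_end = NULL;` next to the other reset closes that. The allocation that the `kfree` pairs with is above the hunk.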
28704 diff -urNp linux-2.6.39.2/drivers/char/tpm/tpm.c linux-2.6.39.2/drivers/char/tpm/tpm.c
28705 --- linux-2.6.39.2/drivers/char/tpm/tpm.c 2011-05-19 00:06:34.000000000 -0400
28706 +++ linux-2.6.39.2/drivers/char/tpm/tpm.c 2011-05-22 19:36:31.000000000 -0400
28707 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
28708 chip->vendor.req_complete_val)
28709 goto out_recv;
28710
28711 - if ((status == chip->vendor.req_canceled)) {
28712 + if (status == chip->vendor.req_canceled) {
28713 dev_err(chip->dev, "Operation Canceled\n");
28714 rc = -ECANCELED;
28715 goto out;
28716 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
28717
28718 struct tpm_chip *chip = dev_get_drvdata(dev);
28719
28720 + pax_track_stack();
28721 +
28722 tpm_cmd.header.in = tpm_readpubek_header;
28723 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28724 "attempting to read the PUBEK");
28725 diff -urNp linux-2.6.39.2/drivers/char/ttyprintk.c linux-2.6.39.2/drivers/char/ttyprintk.c
28726 --- linux-2.6.39.2/drivers/char/ttyprintk.c 2011-05-19 00:06:34.000000000 -0400
28727 +++ linux-2.6.39.2/drivers/char/ttyprintk.c 2011-05-22 19:36:31.000000000 -0400
28728 @@ -170,7 +170,7 @@ static const struct tty_operations ttypr
28729 .ioctl = tpk_ioctl,
28730 };
28731
28732 -struct tty_port_operations null_ops = { };
28733 +const struct tty_port_operations null_ops = { };
28734
28735 static struct tty_driver *ttyprintk_driver;
28736
28737 diff -urNp linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c
28738 --- linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-19 00:06:34.000000000 -0400
28739 +++ linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-22 19:36:31.000000000 -0400
28740 @@ -678,14 +678,14 @@ static int __devinit hwicap_setup(struct
28741 return retval;
28742 }
28743
28744 -static struct hwicap_driver_config buffer_icap_config = {
28745 +static const struct hwicap_driver_config buffer_icap_config = {
28746 .get_configuration = buffer_icap_get_configuration,
28747 .set_configuration = buffer_icap_set_configuration,
28748 .get_status = buffer_icap_get_status,
28749 .reset = buffer_icap_reset,
28750 };
28751
28752 -static struct hwicap_driver_config fifo_icap_config = {
28753 +static const struct hwicap_driver_config fifo_icap_config = {
28754 .get_configuration = fifo_icap_get_configuration,
28755 .set_configuration = fifo_icap_set_configuration,
28756 .get_status = fifo_icap_get_status,
28757 diff -urNp linux-2.6.39.2/drivers/crypto/hifn_795x.c linux-2.6.39.2/drivers/crypto/hifn_795x.c
28758 --- linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
28759 +++ linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
28760 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28761 0xCA, 0x34, 0x2B, 0x2E};
28762 struct scatterlist sg;
28763
28764 + pax_track_stack();
28765 +
28766 memset(src, 0, sizeof(src));
28767 memset(ctx.key, 0, sizeof(ctx.key));
28768
28769 diff -urNp linux-2.6.39.2/drivers/crypto/padlock-aes.c linux-2.6.39.2/drivers/crypto/padlock-aes.c
28770 --- linux-2.6.39.2/drivers/crypto/padlock-aes.c 2011-05-19 00:06:34.000000000 -0400
28771 +++ linux-2.6.39.2/drivers/crypto/padlock-aes.c 2011-05-22 19:36:31.000000000 -0400
28772 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
28773 struct crypto_aes_ctx gen_aes;
28774 int cpu;
28775
28776 + pax_track_stack();
28777 +
28778 if (key_len % 8) {
28779 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28780 return -EINVAL;
28781 diff -urNp linux-2.6.39.2/drivers/dca/dca-core.c linux-2.6.39.2/drivers/dca/dca-core.c
28782 --- linux-2.6.39.2/drivers/dca/dca-core.c 2011-05-19 00:06:34.000000000 -0400
28783 +++ linux-2.6.39.2/drivers/dca/dca-core.c 2011-05-22 19:36:31.000000000 -0400
28784 @@ -325,7 +325,7 @@ EXPORT_SYMBOL_GPL(dca_get_tag);
28785 * @ops - pointer to struct of dca operation function pointers
28786 * @priv_size - size of extra mem to be added for provider's needs
28787 */
28788 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size)
28789 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size)
28790 {
28791 struct dca_provider *dca;
28792 int alloc_size;
28793 diff -urNp linux-2.6.39.2/drivers/dma/ioat/dca.c linux-2.6.39.2/drivers/dma/ioat/dca.c
28794 --- linux-2.6.39.2/drivers/dma/ioat/dca.c 2011-05-19 00:06:34.000000000 -0400
28795 +++ linux-2.6.39.2/drivers/dma/ioat/dca.c 2011-05-22 19:36:31.000000000 -0400
28796 @@ -234,7 +234,7 @@ static int ioat_dca_dev_managed(struct d
28797 return 0;
28798 }
28799
28800 -static struct dca_ops ioat_dca_ops = {
28801 +static const struct dca_ops ioat_dca_ops = {
28802 .add_requester = ioat_dca_add_requester,
28803 .remove_requester = ioat_dca_remove_requester,
28804 .get_tag = ioat_dca_get_tag,
28805 @@ -384,7 +384,7 @@ static u8 ioat2_dca_get_tag(struct dca_p
28806 return tag;
28807 }
28808
28809 -static struct dca_ops ioat2_dca_ops = {
28810 +static const struct dca_ops ioat2_dca_ops = {
28811 .add_requester = ioat2_dca_add_requester,
28812 .remove_requester = ioat2_dca_remove_requester,
28813 .get_tag = ioat2_dca_get_tag,
28814 @@ -579,7 +579,7 @@ static u8 ioat3_dca_get_tag(struct dca_p
28815 return tag;
28816 }
28817
28818 -static struct dca_ops ioat3_dca_ops = {
28819 +static const struct dca_ops ioat3_dca_ops = {
28820 .add_requester = ioat3_dca_add_requester,
28821 .remove_requester = ioat3_dca_remove_requester,
28822 .get_tag = ioat3_dca_get_tag,
28823 diff -urNp linux-2.6.39.2/drivers/edac/amd64_edac.h linux-2.6.39.2/drivers/edac/amd64_edac.h
28824 --- linux-2.6.39.2/drivers/edac/amd64_edac.h 2011-05-19 00:06:34.000000000 -0400
28825 +++ linux-2.6.39.2/drivers/edac/amd64_edac.h 2011-05-22 19:36:31.000000000 -0400
28826 @@ -333,7 +333,7 @@ struct chip_select {
28827 };
28828
28829 struct amd64_pvt {
28830 - struct low_ops *ops;
28831 + const struct low_ops *ops;
28832
28833 /* pci_device handles which we utilize */
28834 struct pci_dev *F1, *F2, *F3;
28835 @@ -443,7 +443,7 @@ struct low_ops {
28836 struct amd64_family_type {
28837 const char *ctl_name;
28838 u16 f1_id, f3_id;
28839 - struct low_ops ops;
28840 + const struct low_ops ops;
28841 };
28842
28843 int __amd64_write_pci_cfg_dword(struct pci_dev *pdev, int offset,
28844 diff -urNp linux-2.6.39.2/drivers/edac/edac_mc_sysfs.c linux-2.6.39.2/drivers/edac/edac_mc_sysfs.c
28845 --- linux-2.6.39.2/drivers/edac/edac_mc_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28846 +++ linux-2.6.39.2/drivers/edac/edac_mc_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28847 @@ -760,7 +760,7 @@ static void edac_inst_grp_release(struct
28848 }
28849
28850 /* Intermediate show/store table */
28851 -static struct sysfs_ops inst_grp_ops = {
28852 +static const struct sysfs_ops inst_grp_ops = {
28853 .show = inst_grp_show,
28854 .store = inst_grp_store
28855 };
28856 diff -urNp linux-2.6.39.2/drivers/edac/edac_pci_sysfs.c linux-2.6.39.2/drivers/edac/edac_pci_sysfs.c
28857 --- linux-2.6.39.2/drivers/edac/edac_pci_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28858 +++ linux-2.6.39.2/drivers/edac/edac_pci_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28859 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
28860 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
28861 static int edac_pci_poll_msec = 1000; /* one second workq period */
28862
28863 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
28864 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
28865 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
28866 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
28867
28868 static struct kobject *edac_pci_top_main_kobj;
28869 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
28870 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
28871 edac_printk(KERN_CRIT, EDAC_PCI,
28872 "Signaled System Error on %s\n",
28873 pci_name(dev));
28874 - atomic_inc(&pci_nonparity_count);
28875 + atomic_inc_unchecked(&pci_nonparity_count);
28876 }
28877
28878 if (status & (PCI_STATUS_PARITY)) {
28879 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
28880 "Master Data Parity Error on %s\n",
28881 pci_name(dev));
28882
28883 - atomic_inc(&pci_parity_count);
28884 + atomic_inc_unchecked(&pci_parity_count);
28885 }
28886
28887 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28888 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
28889 "Detected Parity Error on %s\n",
28890 pci_name(dev));
28891
28892 - atomic_inc(&pci_parity_count);
28893 + atomic_inc_unchecked(&pci_parity_count);
28894 }
28895 }
28896
28897 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
28898 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
28899 "Signaled System Error on %s\n",
28900 pci_name(dev));
28901 - atomic_inc(&pci_nonparity_count);
28902 + atomic_inc_unchecked(&pci_nonparity_count);
28903 }
28904
28905 if (status & (PCI_STATUS_PARITY)) {
28906 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
28907 "Master Data Parity Error on "
28908 "%s\n", pci_name(dev));
28909
28910 - atomic_inc(&pci_parity_count);
28911 + atomic_inc_unchecked(&pci_parity_count);
28912 }
28913
28914 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28915 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
28916 "Detected Parity Error on %s\n",
28917 pci_name(dev));
28918
28919 - atomic_inc(&pci_parity_count);
28920 + atomic_inc_unchecked(&pci_parity_count);
28921 }
28922 }
28923 }
28924 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
28925 if (!check_pci_errors)
28926 return;
28927
28928 - before_count = atomic_read(&pci_parity_count);
28929 + before_count = atomic_read_unchecked(&pci_parity_count);
28930
28931 /* scan all PCI devices looking for a Parity Error on devices and
28932 * bridges.
28933 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
28934 /* Only if operator has selected panic on PCI Error */
28935 if (edac_pci_get_panic_on_pe()) {
28936 /* If the count is different 'after' from 'before' */
28937 - if (before_count != atomic_read(&pci_parity_count))
28938 + if (before_count != atomic_read_unchecked(&pci_parity_count))
28939 panic("EDAC: PCI Parity Error");
28940 }
28941 }
28942 diff -urNp linux-2.6.39.2/drivers/firewire/core-cdev.c linux-2.6.39.2/drivers/firewire/core-cdev.c
28943 --- linux-2.6.39.2/drivers/firewire/core-cdev.c 2011-05-19 00:06:34.000000000 -0400
28944 +++ linux-2.6.39.2/drivers/firewire/core-cdev.c 2011-05-22 19:36:31.000000000 -0400
28945 @@ -1312,8 +1312,7 @@ static int init_iso_resource(struct clie
28946 int ret;
28947
28948 if ((request->channels == 0 && request->bandwidth == 0) ||
28949 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
28950 - request->bandwidth < 0)
28951 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
28952 return -EINVAL;
28953
28954 r = kmalloc(sizeof(*r), GFP_KERNEL);
28955 diff -urNp linux-2.6.39.2/drivers/firewire/core-transaction.c linux-2.6.39.2/drivers/firewire/core-transaction.c
28956 --- linux-2.6.39.2/drivers/firewire/core-transaction.c 2011-05-19 00:06:34.000000000 -0400
28957 +++ linux-2.6.39.2/drivers/firewire/core-transaction.c 2011-05-22 19:36:31.000000000 -0400
28958 @@ -36,6 +36,7 @@
28959 #include <linux/string.h>
28960 #include <linux/timer.h>
28961 #include <linux/types.h>
28962 +#include <linux/sched.h>
28963
28964 #include <asm/byteorder.h>
28965
28966 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
28967 struct transaction_callback_data d;
28968 struct fw_transaction t;
28969
28970 + pax_track_stack();
28971 +
28972 init_timer_on_stack(&t.split_timeout_timer);
28973 init_completion(&d.done);
28974 d.payload = payload;
28975 diff -urNp linux-2.6.39.2/drivers/firmware/dmi_scan.c linux-2.6.39.2/drivers/firmware/dmi_scan.c
28976 --- linux-2.6.39.2/drivers/firmware/dmi_scan.c 2011-05-19 00:06:34.000000000 -0400
28977 +++ linux-2.6.39.2/drivers/firmware/dmi_scan.c 2011-05-22 19:36:31.000000000 -0400
28978 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
28979 }
28980 }
28981 else {
28982 - /*
28983 - * no iounmap() for that ioremap(); it would be a no-op, but
28984 - * it's so early in setup that sucker gets confused into doing
28985 - * what it shouldn't if we actually call it.
28986 - */
28987 p = dmi_ioremap(0xF0000, 0x10000);
28988 if (p == NULL)
28989 goto error;
28990 diff -urNp linux-2.6.39.2/drivers/gpio/vr41xx_giu.c linux-2.6.39.2/drivers/gpio/vr41xx_giu.c
28991 --- linux-2.6.39.2/drivers/gpio/vr41xx_giu.c 2011-05-19 00:06:34.000000000 -0400
28992 +++ linux-2.6.39.2/drivers/gpio/vr41xx_giu.c 2011-05-22 19:36:31.000000000 -0400
28993 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
28994 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
28995 maskl, pendl, maskh, pendh);
28996
28997 - atomic_inc(&irq_err_count);
28998 + atomic_inc_unchecked(&irq_err_count);
28999
29000 return -EINVAL;
29001 }
29002 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.39.2/drivers/gpu/drm/drm_crtc_helper.c
29003 --- linux-2.6.39.2/drivers/gpu/drm/drm_crtc_helper.c 2011-05-19 00:06:34.000000000 -0400
29004 +++ linux-2.6.39.2/drivers/gpu/drm/drm_crtc_helper.c 2011-05-22 19:36:31.000000000 -0400
29005 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
29006 struct drm_crtc *tmp;
29007 int crtc_mask = 1;
29008
29009 - WARN(!crtc, "checking null crtc?\n");
29010 + BUG_ON(!crtc);
29011
29012 dev = crtc->dev;
29013
29014 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
29015 struct drm_encoder *encoder;
29016 bool ret = true;
29017
29018 + pax_track_stack();
29019 +
29020 crtc->enabled = drm_helper_crtc_in_use(crtc);
29021 if (!crtc->enabled)
29022 return true;
29023 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_drv.c linux-2.6.39.2/drivers/gpu/drm/drm_drv.c
29024 --- linux-2.6.39.2/drivers/gpu/drm/drm_drv.c 2011-05-19 00:06:34.000000000 -0400
29025 +++ linux-2.6.39.2/drivers/gpu/drm/drm_drv.c 2011-05-22 19:36:31.000000000 -0400
29026 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
29027
29028 dev = file_priv->minor->dev;
29029 atomic_inc(&dev->ioctl_count);
29030 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29031 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29032 ++file_priv->ioctl_count;
29033
29034 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29035 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_fops.c linux-2.6.39.2/drivers/gpu/drm/drm_fops.c
29036 --- linux-2.6.39.2/drivers/gpu/drm/drm_fops.c 2011-05-19 00:06:34.000000000 -0400
29037 +++ linux-2.6.39.2/drivers/gpu/drm/drm_fops.c 2011-05-22 19:36:31.000000000 -0400
29038 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
29039 }
29040
29041 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29042 - atomic_set(&dev->counts[i], 0);
29043 + atomic_set_unchecked(&dev->counts[i], 0);
29044
29045 dev->sigdata.lock = NULL;
29046
29047 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
29048
29049 retcode = drm_open_helper(inode, filp, dev);
29050 if (!retcode) {
29051 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29052 - if (!dev->open_count++)
29053 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29054 + if (local_inc_return(&dev->open_count) == 1)
29055 retcode = drm_setup(dev);
29056 }
29057 if (!retcode) {
29058 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
29059
29060 mutex_lock(&drm_global_mutex);
29061
29062 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29063 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29064
29065 if (dev->driver->preclose)
29066 dev->driver->preclose(dev, file_priv);
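Review bot: `DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count))` passes the result of local_read() to a `%d` conversion; if local_read() returns `long`, as it does in mainline asm/local.h, the argument type no longer matches the format on 64-bit builds. Either use `%ld` or cast, e.g. `(int)local_read(&dev->open_count)`. The second DRM_DEBUG in the next hunk (`@@ -484,7 +484,7 @@`) has the same mismatch. drm_release starts and ends outside both hunks.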
29067 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
29068 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29069 task_pid_nr(current),
29070 (long)old_encode_dev(file_priv->minor->device),
29071 - dev->open_count);
29072 + local_read(&dev->open_count));
29073
29074 /* if the master has gone away we can't do anything with the lock */
29075 if (file_priv->minor->master)
29076 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
29077 * End inline drm_release
29078 */
29079
29080 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
29081 - if (!--dev->open_count) {
29082 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
29083 + if (local_dec_and_test(&dev->open_count)) {
29084 if (atomic_read(&dev->ioctl_count)) {
29085 DRM_ERROR("Device busy: %d\n",
29086 atomic_read(&dev->ioctl_count));
29087 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_global.c linux-2.6.39.2/drivers/gpu/drm/drm_global.c
29088 --- linux-2.6.39.2/drivers/gpu/drm/drm_global.c 2011-05-19 00:06:34.000000000 -0400
29089 +++ linux-2.6.39.2/drivers/gpu/drm/drm_global.c 2011-05-22 19:36:31.000000000 -0400
29090 @@ -36,7 +36,7 @@
29091 struct drm_global_item {
29092 struct mutex mutex;
29093 void *object;
29094 - int refcount;
29095 + atomic_t refcount;
29096 };
29097
29098 static struct drm_global_item glob[DRM_GLOBAL_NUM];
29099 @@ -49,7 +49,7 @@ void drm_global_init(void)
29100 struct drm_global_item *item = &glob[i];
29101 mutex_init(&item->mutex);
29102 item->object = NULL;
29103 - item->refcount = 0;
29104 + atomic_set(&item->refcount, 0);
29105 }
29106 }
29107
29108 @@ -59,7 +59,7 @@ void drm_global_release(void)
29109 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
29110 struct drm_global_item *item = &glob[i];
29111 BUG_ON(item->object != NULL);
29112 - BUG_ON(item->refcount != 0);
29113 + BUG_ON(atomic_read(&item->refcount) != 0);
29114 }
29115 }
29116
29117 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
29118 void *object;
29119
29120 mutex_lock(&item->mutex);
29121 - if (item->refcount == 0) {
29122 + if (atomic_read(&item->refcount) == 0) {
29123 item->object = kzalloc(ref->size, GFP_KERNEL);
29124 if (unlikely(item->object == NULL)) {
29125 ret = -ENOMEM;
29126 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
29127 goto out_err;
29128
29129 }
29130 - ++item->refcount;
29131 + atomic_inc(&item->refcount);
29132 ref->object = item->object;
29133 object = item->object;
29134 mutex_unlock(&item->mutex);
29135 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
29136 struct drm_global_item *item = &glob[ref->global_type];
29137
29138 mutex_lock(&item->mutex);
29139 - BUG_ON(item->refcount == 0);
29140 + BUG_ON(atomic_read(&item->refcount) == 0);
29141 BUG_ON(ref->object != item->object);
29142 - if (--item->refcount == 0) {
29143 + if (atomic_dec_and_test(&item->refcount)) {
29144 ref->release(ref);
29145 item->object = NULL;
29146 }
29147 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_info.c linux-2.6.39.2/drivers/gpu/drm/drm_info.c
29148 --- linux-2.6.39.2/drivers/gpu/drm/drm_info.c 2011-05-19 00:06:34.000000000 -0400
29149 +++ linux-2.6.39.2/drivers/gpu/drm/drm_info.c 2011-05-22 19:41:37.000000000 -0400
29150 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
29151 struct drm_local_map *map;
29152 struct drm_map_list *r_list;
29153
29154 - /* Hardcoded from _DRM_FRAME_BUFFER,
29155 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
29156 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
29157 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
29158 + static const char * const types[] = {
29159 + [_DRM_FRAME_BUFFER] = "FB",
29160 + [_DRM_REGISTERS] = "REG",
29161 + [_DRM_SHM] = "SHM",
29162 + [_DRM_AGP] = "AGP",
29163 + [_DRM_SCATTER_GATHER] = "SG",
29164 + [_DRM_CONSISTENT] = "PCI",
29165 + [_DRM_GEM] = "GEM" };
29166 const char *type;
29167 int i;
29168
29169 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
29170 map = r_list->map;
29171 if (!map)
29172 continue;
29173 - if (map->type < 0 || map->type > 5)
29174 + if (map->type >= ARRAY_SIZE(types))
29175 type = "??";
29176 else
29177 type = types[map->type];
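Review bot: The bound `map->type >= ARRAY_SIZE(types)` does not cover holes in the table. `types[]` is now built with designated initialisers, so any index below `_DRM_GEM` without an entry is a NULL pointer that `type = types[map->type]` passes on to whatever consumes `type` after the hunk. The `_DRM_*` definitions are not visible here; unless they are guaranteed contiguous, extend the check to `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. The dropped `map->type < 0` test is redundant only because the comparison against ARRAY_SIZE() is done in an unsigned type, which deserves a one-line comment. drm_vm_info() continues outside the hunk.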
29178 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
29179 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29180 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29181 vma->vm_flags & VM_IO ? 'i' : '-',
29182 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29183 + 0);
29184 +#else
29185 vma->vm_pgoff);
29186 +#endif
29187
29188 #if defined(__i386__)
29189 pgprot = pgprot_val(vma->vm_page_prot);
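Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the argument becomes the int literal `0`, while the `vma->vm_pgoff` it replaces is an unsigned long. The format string is outside the hunk, but if it uses a long conversion for this slot, the variadic call receives an argument of the wrong width on 64-bit builds. Writing `0UL);` keeps both branches type-identical. A comment such as `/* HIDESYM: do not report the mapping offset */` would also record why the field is blanked. Whether other address-like values printed by the same call need the same treatment cannot be judged from the hunk.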
29190 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_ioctl.c linux-2.6.39.2/drivers/gpu/drm/drm_ioctl.c
29191 --- linux-2.6.39.2/drivers/gpu/drm/drm_ioctl.c 2011-05-19 00:06:34.000000000 -0400
29192 +++ linux-2.6.39.2/drivers/gpu/drm/drm_ioctl.c 2011-05-22 19:36:31.000000000 -0400
29193 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
29194 stats->data[i].value =
29195 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29196 else
29197 - stats->data[i].value = atomic_read(&dev->counts[i]);
29198 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29199 stats->data[i].type = dev->types[i];
29200 }
29201
29202 diff -urNp linux-2.6.39.2/drivers/gpu/drm/drm_lock.c linux-2.6.39.2/drivers/gpu/drm/drm_lock.c
29203 --- linux-2.6.39.2/drivers/gpu/drm/drm_lock.c 2011-05-19 00:06:34.000000000 -0400
29204 +++ linux-2.6.39.2/drivers/gpu/drm/drm_lock.c 2011-05-22 19:36:31.000000000 -0400
29205 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
29206 if (drm_lock_take(&master->lock, lock->context)) {
29207 master->lock.file_priv = file_priv;
29208 master->lock.lock_time = jiffies;
29209 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29210 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29211 break; /* Got lock */
29212 }
29213
29214 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
29215 return -EINVAL;
29216 }
29217
29218 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29219 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29220
29221 if (drm_lock_free(&master->lock, lock->context)) {
29222 /* FIXME: Should really bail out here. */
29223 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i810/i810_dma.c linux-2.6.39.2/drivers/gpu/drm/i810/i810_dma.c
29224 --- linux-2.6.39.2/drivers/gpu/drm/i810/i810_dma.c 2011-05-19 00:06:34.000000000 -0400
29225 +++ linux-2.6.39.2/drivers/gpu/drm/i810/i810_dma.c 2011-05-22 19:36:31.000000000 -0400
29226 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
29227 dma->buflist[vertex->idx],
29228 vertex->discard, vertex->used);
29229
29230 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29231 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29232 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29233 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29234 sarea_priv->last_enqueue = dev_priv->counter - 1;
29235 sarea_priv->last_dispatch = (int)hw_status[5];
29236
29237 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
29238 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29239 mc->last_render);
29240
29241 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29242 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29243 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29244 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29245 sarea_priv->last_enqueue = dev_priv->counter - 1;
29246 sarea_priv->last_dispatch = (int)hw_status[5];
29247
29248 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i810/i810_drv.h linux-2.6.39.2/drivers/gpu/drm/i810/i810_drv.h
29249 --- linux-2.6.39.2/drivers/gpu/drm/i810/i810_drv.h 2011-05-19 00:06:34.000000000 -0400
29250 +++ linux-2.6.39.2/drivers/gpu/drm/i810/i810_drv.h 2011-05-22 19:36:31.000000000 -0400
29251 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29252 int page_flipping;
29253
29254 wait_queue_head_t irq_queue;
29255 - atomic_t irq_received;
29256 - atomic_t irq_emitted;
29257 + atomic_unchecked_t irq_received;
29258 + atomic_unchecked_t irq_emitted;
29259
29260 int front_offset;
29261 } drm_i810_private_t;
29262 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7017.c
29263 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-19 00:06:34.000000000 -0400
29264 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-22 19:36:31.000000000 -0400
29265 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
29266 }
29267 }
29268
29269 -struct intel_dvo_dev_ops ch7017_ops = {
29270 +const struct intel_dvo_dev_ops ch7017_ops = {
29271 .init = ch7017_init,
29272 .detect = ch7017_detect,
29273 .mode_valid = ch7017_mode_valid,
29274 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7xxx.c
29275 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-19 00:06:34.000000000 -0400
29276 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-22 19:36:31.000000000 -0400
29277 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
29278 }
29279 }
29280
29281 -struct intel_dvo_dev_ops ch7xxx_ops = {
29282 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29283 .init = ch7xxx_init,
29284 .detect = ch7xxx_detect,
29285 .mode_valid = ch7xxx_mode_valid,
29286 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo.h linux-2.6.39.2/drivers/gpu/drm/i915/dvo.h
29287 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo.h 2011-05-19 00:06:34.000000000 -0400
29288 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo.h 2011-05-22 19:36:31.000000000 -0400
29289 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
29290 *
29291 * \return singly-linked list of modes or NULL if no modes found.
29292 */
29293 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29294 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29295
29296 /**
29297 * Clean up driver-specific bits of the output
29298 */
29299 - void (*destroy) (struct intel_dvo_device *dvo);
29300 + void (* const destroy) (struct intel_dvo_device *dvo);
29301
29302 /**
29303 * Debugging hook to dump device registers to log file
29304 */
29305 - void (*dump_regs)(struct intel_dvo_device *dvo);
29306 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29307 };
29308
29309 -extern struct intel_dvo_dev_ops sil164_ops;
29310 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29311 -extern struct intel_dvo_dev_ops ivch_ops;
29312 -extern struct intel_dvo_dev_ops tfp410_ops;
29313 -extern struct intel_dvo_dev_ops ch7017_ops;
29314 +extern const struct intel_dvo_dev_ops sil164_ops;
29315 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29316 +extern const struct intel_dvo_dev_ops ivch_ops;
29317 +extern const struct intel_dvo_dev_ops tfp410_ops;
29318 +extern const struct intel_dvo_dev_ops ch7017_ops;
29319
29320 #endif /* _INTEL_DVO_H */
29321 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ivch.c
29322 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-19 00:06:34.000000000 -0400
29323 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-22 19:36:31.000000000 -0400
29324 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
29325 }
29326 }
29327
29328 -struct intel_dvo_dev_ops ivch_ops= {
29329 +const struct intel_dvo_dev_ops ivch_ops= {
29330 .init = ivch_init,
29331 .dpms = ivch_dpms,
29332 .mode_valid = ivch_mode_valid,
29333 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.39.2/drivers/gpu/drm/i915/dvo_sil164.c
29334 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-19 00:06:34.000000000 -0400
29335 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-22 19:36:31.000000000 -0400
29336 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
29337 }
29338 }
29339
29340 -struct intel_dvo_dev_ops sil164_ops = {
29341 +const struct intel_dvo_dev_ops sil164_ops = {
29342 .init = sil164_init,
29343 .detect = sil164_detect,
29344 .mode_valid = sil164_mode_valid,
29345 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.39.2/drivers/gpu/drm/i915/dvo_tfp410.c
29346 --- linux-2.6.39.2/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-19 00:06:34.000000000 -0400
29347 +++ linux-2.6.39.2/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-22 19:36:31.000000000 -0400
29348 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
29349 }
29350 }
29351
29352 -struct intel_dvo_dev_ops tfp410_ops = {
29353 +const struct intel_dvo_dev_ops tfp410_ops = {
29354 .init = tfp410_init,
29355 .detect = tfp410_detect,
29356 .mode_valid = tfp410_mode_valid,
29357 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.39.2/drivers/gpu/drm/i915/i915_debugfs.c
29358 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-19 00:06:34.000000000 -0400
29359 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-22 19:36:31.000000000 -0400
29360 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
29361 I915_READ(GTIMR));
29362 }
29363 seq_printf(m, "Interrupts received: %d\n",
29364 - atomic_read(&dev_priv->irq_received));
29365 + atomic_read_unchecked(&dev_priv->irq_received));
29366 for (i = 0; i < I915_NUM_RINGS; i++) {
29367 if (IS_GEN6(dev)) {
29368 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
29369 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_dma.c linux-2.6.39.2/drivers/gpu/drm/i915/i915_dma.c
29370 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_dma.c 2011-05-19 00:06:34.000000000 -0400
29371 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_dma.c 2011-05-22 19:36:31.000000000 -0400
29372 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
29373 bool can_switch;
29374
29375 spin_lock(&dev->count_lock);
29376 - can_switch = (dev->open_count == 0);
29377 + can_switch = (local_read(&dev->open_count) == 0);
29378 spin_unlock(&dev->count_lock);
29379 return can_switch;
29380 }
29381 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.c linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.c
29382 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.c 2011-05-19 00:06:34.000000000 -0400
29383 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.c 2011-05-22 19:36:31.000000000 -0400
29384 @@ -679,7 +679,7 @@ static const struct dev_pm_ops i915_pm_o
29385 .restore = i915_pm_resume,
29386 };
29387
29388 -static struct vm_operations_struct i915_gem_vm_ops = {
29389 +static const struct vm_operations_struct i915_gem_vm_ops = {
29390 .fault = i915_gem_fault,
29391 .open = drm_gem_vm_open,
29392 .close = drm_gem_vm_close,
29393 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.h linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.h
29394 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.h 2011-05-19 00:06:34.000000000 -0400
29395 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_drv.h 2011-05-22 19:36:31.000000000 -0400
29396 @@ -287,7 +287,7 @@ typedef struct drm_i915_private {
29397 int current_page;
29398 int page_flipping;
29399
29400 - atomic_t irq_received;
29401 + atomic_unchecked_t irq_received;
29402
29403 /* protects the irq masks */
29404 spinlock_t irq_lock;
29405 @@ -848,7 +848,7 @@ struct drm_i915_gem_object {
29406 * will be page flipped away on the next vblank. When it
29407 * reaches 0, dev_priv->pending_flip_queue will be woken up.
29408 */
29409 - atomic_t pending_flip;
29410 + atomic_unchecked_t pending_flip;
29411 };
29412
29413 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
29414 @@ -1232,7 +1232,7 @@ extern int intel_setup_gmbus(struct drm_
29415 extern void intel_teardown_gmbus(struct drm_device *dev);
29416 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
29417 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
29418 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29419 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29420 {
29421 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
29422 }
29423 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.39.2/drivers/gpu/drm/i915/i915_gem_execbuffer.c
29424 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-19 00:06:34.000000000 -0400
29425 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-22 19:36:31.000000000 -0400
29426 @@ -192,7 +192,7 @@ i915_gem_object_set_to_gpu_domain(struct
29427 i915_gem_release_mmap(obj);
29428
29429 if (obj->base.pending_write_domain)
29430 - cd->flips |= atomic_read(&obj->pending_flip);
29431 + cd->flips |= atomic_read_unchecked(&obj->pending_flip);
29432
29433 /* The actual obj->write_domain will be updated with
29434 * pending_write_domain after we emit the accumulated flush for all
29435 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/i915_irq.c linux-2.6.39.2/drivers/gpu/drm/i915/i915_irq.c
29436 --- linux-2.6.39.2/drivers/gpu/drm/i915/i915_irq.c 2011-05-19 00:06:34.000000000 -0400
29437 +++ linux-2.6.39.2/drivers/gpu/drm/i915/i915_irq.c 2011-05-22 19:36:31.000000000 -0400
29438 @@ -1101,7 +1101,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29439 int ret = IRQ_NONE, pipe;
29440 bool blc_event = false;
29441
29442 - atomic_inc(&dev_priv->irq_received);
29443 + atomic_inc_unchecked(&dev_priv->irq_received);
29444
29445 if (HAS_PCH_SPLIT(dev))
29446 return ironlake_irq_handler(dev);
29447 @@ -1655,7 +1655,7 @@ void i915_driver_irq_preinstall(struct d
29448 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29449 int pipe;
29450
29451 - atomic_set(&dev_priv->irq_received, 0);
29452 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29453
29454 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29455 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29456 diff -urNp linux-2.6.39.2/drivers/gpu/drm/i915/intel_display.c linux-2.6.39.2/drivers/gpu/drm/i915/intel_display.c
29457 --- linux-2.6.39.2/drivers/gpu/drm/i915/intel_display.c 2011-05-19 00:06:34.000000000 -0400
29458 +++ linux-2.6.39.2/drivers/gpu/drm/i915/intel_display.c 2011-05-22 19:36:31.000000000 -0400
29459 @@ -2244,7 +2244,7 @@ intel_pipe_set_base(struct drm_crtc *crt
29460
29461 wait_event(dev_priv->pending_flip_queue,
29462 atomic_read(&dev_priv->mm.wedged) ||
29463 - atomic_read(&obj->pending_flip) == 0);
29464 + atomic_read_unchecked(&obj->pending_flip) == 0);
29465
29466 /* Big Hammer, we also need to ensure that any pending
29467 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
29468 @@ -2712,7 +2712,7 @@ static void intel_crtc_wait_for_pending_
29469 obj = to_intel_framebuffer(crtc->fb)->obj;
29470 dev_priv = crtc->dev->dev_private;
29471 wait_event(dev_priv->pending_flip_queue,
29472 - atomic_read(&obj->pending_flip) == 0);
29473 + atomic_read_unchecked(&obj->pending_flip) == 0);
29474 }
29475
29476 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
29477 @@ -6016,7 +6016,7 @@ static void do_intel_finish_page_flip(st
29478
29479 atomic_clear_mask(1 << intel_crtc->plane,
29480 &obj->pending_flip.counter);
29481 - if (atomic_read(&obj->pending_flip) == 0)
29482 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
29483 wake_up(&dev_priv->pending_flip_queue);
29484
29485 schedule_work(&work->work);
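Review bot: The context line `atomic_clear_mask(1 << intel_crtc->plane, &obj->pending_flip.counter)` reaches into `.counter` directly, bypassing the `_unchecked` accessors this patch uses for every other access to `pending_flip`. It therefore depends on `atomic_unchecked_t` keeping a member of that name and type. The field is handled as a bitmask of planes rather than a count, as the page-flip hunk below sets a bit with `atomic_add_unchecked(1 << intel_crtc->plane, ...)`. A comment at this call, e.g. `/* pending_flip is a plane bitmask; atomic_clear_mask() is given the raw .counter */`, would make both facts visible. do_intel_finish_page_flip() starts and ends outside the hunk.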
29486 @@ -6145,7 +6145,7 @@ static int intel_crtc_page_flip(struct d
29487 /* Block clients from rendering to the new back buffer until
29488 * the flip occurs and the object is no longer visible.
29489 */
29490 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29491 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29492
29493 switch (INTEL_INFO(dev)->gen) {
29494 case 2:
29495 diff -urNp linux-2.6.39.2/drivers/gpu/drm/mga/mga_drv.h linux-2.6.39.2/drivers/gpu/drm/mga/mga_drv.h
29496 --- linux-2.6.39.2/drivers/gpu/drm/mga/mga_drv.h 2011-05-19 00:06:34.000000000 -0400
29497 +++ linux-2.6.39.2/drivers/gpu/drm/mga/mga_drv.h 2011-05-22 19:36:31.000000000 -0400
29498 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29499 u32 clear_cmd;
29500 u32 maccess;
29501
29502 - atomic_t vbl_received; /**< Number of vblanks received. */
29503 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29504 wait_queue_head_t fence_queue;
29505 - atomic_t last_fence_retired;
29506 + atomic_unchecked_t last_fence_retired;
29507 u32 next_fence_to_post;
29508
29509 unsigned int fb_cpp;
29510 diff -urNp linux-2.6.39.2/drivers/gpu/drm/mga/mga_irq.c linux-2.6.39.2/drivers/gpu/drm/mga/mga_irq.c
29511 --- linux-2.6.39.2/drivers/gpu/drm/mga/mga_irq.c 2011-05-19 00:06:34.000000000 -0400
29512 +++ linux-2.6.39.2/drivers/gpu/drm/mga/mga_irq.c 2011-05-22 19:36:31.000000000 -0400
29513 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29514 if (crtc != 0)
29515 return 0;
29516
29517 - return atomic_read(&dev_priv->vbl_received);
29518 + return atomic_read_unchecked(&dev_priv->vbl_received);
29519 }
29520
29521
29522 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29523 /* VBLANK interrupt */
29524 if (status & MGA_VLINEPEN) {
29525 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29526 - atomic_inc(&dev_priv->vbl_received);
29527 + atomic_inc_unchecked(&dev_priv->vbl_received);
29528 drm_handle_vblank(dev, 0);
29529 handled = 1;
29530 }
29531 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29532 if ((prim_start & ~0x03) != (prim_end & ~0x03))
29533 MGA_WRITE(MGA_PRIMEND, prim_end);
29534
29535 - atomic_inc(&dev_priv->last_fence_retired);
29536 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29537 DRM_WAKEUP(&dev_priv->fence_queue);
29538 handled = 1;
29539 }
29540 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
29541 * using fences.
29542 */
29543 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29544 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29545 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29546 - *sequence) <= (1 << 23)));
29547
29548 *sequence = cur_fence;
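Review bot: The wait condition `((cur_fence = atomic_read_unchecked(...)) - *sequence) <= (1 << 23)` compares a difference of sequence numbers, so it appears to rely on `last_fence_retired` wrapping around, yet nothing at the call says so. A comment above DRM_WAIT_ON such as `/* fence sequence is expected to wrap; the test is on the difference */` would document why this counter is read through the unchecked accessor. The declarations of `cur_fence` and `sequence` are outside the hunk, so confirm the signedness of the subtraction when adding it.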
29549 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_acpi.c linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_acpi.c
29550 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-19 00:06:34.000000000 -0400
29551 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-22 19:36:31.000000000 -0400
29552 @@ -141,7 +141,7 @@ static int nouveau_dsm_get_client_id(str
29553 return VGA_SWITCHEROO_DIS;
29554 }
29555
29556 -static struct vga_switcheroo_handler nouveau_dsm_handler = {
29557 +static const struct vga_switcheroo_handler nouveau_dsm_handler = {
29558 .switchto = nouveau_dsm_switchto,
29559 .power_state = nouveau_dsm_power_state,
29560 .init = nouveau_dsm_init,
29561 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_drv.h
29562 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-05-19 00:06:34.000000000 -0400
29563 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-06-07 18:07:24.000000000 -0400
29564 @@ -228,7 +228,7 @@ struct nouveau_channel {
29565 struct list_head pending;
29566 uint32_t sequence;
29567 uint32_t sequence_ack;
29568 - atomic_t last_sequence_irq;
29569 + atomic_unchecked_t last_sequence_irq;
29570 } fence;
29571
29572 /* DMA push buffer */
29573 @@ -662,7 +662,7 @@ struct drm_nouveau_private {
29574 struct drm_global_reference mem_global_ref;
29575 struct ttm_bo_global_ref bo_global_ref;
29576 struct ttm_bo_device bdev;
29577 - atomic_t validate_sequence;
29578 + atomic_unchecked_t validate_sequence;
29579 } ttm;
29580
29581 struct {
29582 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_fence.c
29583 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-19 00:06:34.000000000 -0400
29584 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-22 19:36:31.000000000 -0400
29585 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
29586 if (USE_REFCNT(dev))
29587 sequence = nvchan_rd32(chan, 0x48);
29588 else
29589 - sequence = atomic_read(&chan->fence.last_sequence_irq);
29590 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
29591
29592 if (chan->fence.sequence_ack == sequence)
29593 goto out;
29594 @@ -553,7 +553,7 @@ nouveau_fence_channel_init(struct nouvea
29595 out_initialised:
29596 INIT_LIST_HEAD(&chan->fence.pending);
29597 spin_lock_init(&chan->fence.lock);
29598 - atomic_set(&chan->fence.last_sequence_irq, 0);
29599 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
29600 return 0;
29601 }
29602
29603 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_gem.c
29604 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-19 00:06:34.000000000 -0400
29605 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-22 19:36:31.000000000 -0400
29606 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
29607 int trycnt = 0;
29608 int ret, i;
29609
29610 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
29611 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
29612 retry:
29613 if (++trycnt > 100000) {
29614 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
29615 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_state.c
29616 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-19 00:06:34.000000000 -0400
29617 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-22 19:36:31.000000000 -0400
29618 @@ -583,7 +583,7 @@ static bool nouveau_switcheroo_can_switc
29619 bool can_switch;
29620
29621 spin_lock(&dev->count_lock);
29622 - can_switch = (dev->open_count == 0);
29623 + can_switch = (local_read(&dev->open_count) == 0);
29624 spin_unlock(&dev->count_lock);
29625 return can_switch;
29626 }
29627 diff -urNp linux-2.6.39.2/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.39.2/drivers/gpu/drm/nouveau/nv04_graph.c
29628 --- linux-2.6.39.2/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-19 00:06:34.000000000 -0400
29629 +++ linux-2.6.39.2/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-22 19:36:31.000000000 -0400
29630 @@ -552,7 +552,7 @@ static int
29631 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
29632 u32 class, u32 mthd, u32 data)
29633 {
29634 - atomic_set(&chan->fence.last_sequence_irq, data);
29635 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
29636 return 0;
29637 }
29638
29639 diff -urNp linux-2.6.39.2/drivers/gpu/drm/r128/r128_cce.c linux-2.6.39.2/drivers/gpu/drm/r128/r128_cce.c
29640 --- linux-2.6.39.2/drivers/gpu/drm/r128/r128_cce.c 2011-05-19 00:06:34.000000000 -0400
29641 +++ linux-2.6.39.2/drivers/gpu/drm/r128/r128_cce.c 2011-05-22 19:36:31.000000000 -0400
29642 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29643
29644 /* GH: Simple idle check.
29645 */
29646 - atomic_set(&dev_priv->idle_count, 0);
29647 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29648
29649 /* We don't support anything other than bus-mastering ring mode,
29650 * but the ring can be in either AGP or PCI space for the ring
29651 diff -urNp linux-2.6.39.2/drivers/gpu/drm/r128/r128_drv.h linux-2.6.39.2/drivers/gpu/drm/r128/r128_drv.h
29652 --- linux-2.6.39.2/drivers/gpu/drm/r128/r128_drv.h 2011-05-19 00:06:34.000000000 -0400
29653 +++ linux-2.6.39.2/drivers/gpu/drm/r128/r128_drv.h 2011-05-22 19:36:31.000000000 -0400
29654 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29655 int is_pci;
29656 unsigned long cce_buffers_offset;
29657
29658 - atomic_t idle_count;
29659 + atomic_unchecked_t idle_count;
29660
29661 int page_flipping;
29662 int current_page;
29663 u32 crtc_offset;
29664 u32 crtc_offset_cntl;
29665
29666 - atomic_t vbl_received;
29667 + atomic_unchecked_t vbl_received;
29668
29669 u32 color_fmt;
29670 unsigned int front_offset;
29671 diff -urNp linux-2.6.39.2/drivers/gpu/drm/r128/r128_irq.c linux-2.6.39.2/drivers/gpu/drm/r128/r128_irq.c
29672 --- linux-2.6.39.2/drivers/gpu/drm/r128/r128_irq.c 2011-05-19 00:06:34.000000000 -0400
29673 +++ linux-2.6.39.2/drivers/gpu/drm/r128/r128_irq.c 2011-05-22 19:36:31.000000000 -0400
29674 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29675 if (crtc != 0)
29676 return 0;
29677
29678 - return atomic_read(&dev_priv->vbl_received);
29679 + return atomic_read_unchecked(&dev_priv->vbl_received);
29680 }
29681
29682 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29683 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29684 /* VBLANK interrupt */
29685 if (status & R128_CRTC_VBLANK_INT) {
29686 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29687 - atomic_inc(&dev_priv->vbl_received);
29688 + atomic_inc_unchecked(&dev_priv->vbl_received);
29689 drm_handle_vblank(dev, 0);
29690 return IRQ_HANDLED;
29691 }
29692 diff -urNp linux-2.6.39.2/drivers/gpu/drm/r128/r128_state.c linux-2.6.39.2/drivers/gpu/drm/r128/r128_state.c
29693 --- linux-2.6.39.2/drivers/gpu/drm/r128/r128_state.c 2011-05-19 00:06:34.000000000 -0400
29694 +++ linux-2.6.39.2/drivers/gpu/drm/r128/r128_state.c 2011-05-22 19:36:31.000000000 -0400
29695 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
29696
29697 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
29698 {
29699 - if (atomic_read(&dev_priv->idle_count) == 0)
29700 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
29701 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29702 else
29703 - atomic_set(&dev_priv->idle_count, 0);
29704 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29705 }
29706
29707 #endif
29708 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/atom.c linux-2.6.39.2/drivers/gpu/drm/radeon/atom.c
29709 --- linux-2.6.39.2/drivers/gpu/drm/radeon/atom.c 2011-05-19 00:06:34.000000000 -0400
29710 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/atom.c 2011-05-22 19:36:31.000000000 -0400
29711 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
29712 char name[512];
29713 int i;
29714
29715 + pax_track_stack();
29716 +
29717 ctx->card = card;
29718 ctx->bios = bios;
29719
29720 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.39.2/drivers/gpu/drm/radeon/mkregtable.c
29721 --- linux-2.6.39.2/drivers/gpu/drm/radeon/mkregtable.c 2011-05-19 00:06:34.000000000 -0400
29722 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/mkregtable.c 2011-05-22 19:36:31.000000000 -0400
29723 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29724 regex_t mask_rex;
29725 regmatch_t match[4];
29726 char buf[1024];
29727 - size_t end;
29728 + long end;
29729 int len;
29730 int done = 0;
29731 int r;
29732 unsigned o;
29733 struct offset *offset;
29734 char last_reg_s[10];
29735 - int last_reg;
29736 + unsigned long last_reg;
29737
29738 if (regcomp
29739 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
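Review bot: Only the declarations of `end` and `last_reg` change in this hunk, so every use of them in parser_auth() has to be re-checked against the new types. `end` goes from unsigned `size_t` to signed `long`, which alters any comparison with an unsigned value. `last_reg` goes from `int` to `unsigned long`, which changes the conversion specifier or parsing function it must be paired with. None of those uses is visible here. A short comment on each declaration stating what the variable holds, for example `long end; /* may be negative on error (confirm) */`, would make the intent of the retyping reviewable.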
29740 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atombios.c
29741 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-19 00:06:34.000000000 -0400
29742 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-22 19:36:31.000000000 -0400
29743 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
29744 struct radeon_gpio_rec gpio;
29745 struct radeon_hpd hpd;
29746
29747 + pax_track_stack();
29748 +
29749 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
29750 return false;
29751
29752 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atpx_handler.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atpx_handler.c
29753 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-19 00:06:34.000000000 -0400
29754 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-22 19:36:31.000000000 -0400
29755 @@ -234,7 +234,7 @@ static int radeon_atpx_get_client_id(str
29756 return VGA_SWITCHEROO_DIS;
29757 }
29758
29759 -static struct vga_switcheroo_handler radeon_atpx_handler = {
29760 +static const struct vga_switcheroo_handler radeon_atpx_handler = {
29761 .switchto = radeon_atpx_switchto,
29762 .power_state = radeon_atpx_power_state,
29763 .init = radeon_atpx_init,
29764 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_device.c
29765 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 12:55:22.000000000 -0400
29766 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 13:00:25.000000000 -0400
29767 @@ -674,7 +674,7 @@ static bool radeon_switcheroo_can_switch
29768 bool can_switch;
29769
29770 spin_lock(&dev->count_lock);
29771 - can_switch = (dev->open_count == 0);
29772 + can_switch = (local_read(&dev->open_count) == 0);
29773 spin_unlock(&dev->count_lock);
29774 return can_switch;
29775 }
29776 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_display.c
29777 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_display.c 2011-05-19 00:06:34.000000000 -0400
29778 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_display.c 2011-05-22 19:36:31.000000000 -0400
29779 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
29780 uint32_t post_div;
29781 u32 pll_out_min, pll_out_max;
29782
29783 + pax_track_stack();
29784 +
29785 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
29786 freq = freq * 1000;
29787
29788 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_drv.h
29789 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-19 00:06:34.000000000 -0400
29790 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-22 19:36:31.000000000 -0400
29791 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
29792
29793 /* SW interrupt */
29794 wait_queue_head_t swi_queue;
29795 - atomic_t swi_emitted;
29796 + atomic_unchecked_t swi_emitted;
29797 int vblank_crtc;
29798 uint32_t irq_enable_reg;
29799 uint32_t r500_disp_irq_reg;
29800 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_fence.c
29801 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-19 00:06:34.000000000 -0400
29802 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-22 19:36:31.000000000 -0400
29803 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
29804 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29805 return 0;
29806 }
29807 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29808 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29809 if (!rdev->cp.ready) {
29810 /* FIXME: cp is not running assume everythings is done right
29811 * away
29812 @@ -352,7 +352,7 @@ int radeon_fence_driver_init(struct rade
29813 return r;
29814 }
29815 WREG32(rdev->fence_drv.scratch_reg, 0);
29816 - atomic_set(&rdev->fence_drv.seq, 0);
29817 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29818 INIT_LIST_HEAD(&rdev->fence_drv.created);
29819 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29820 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29821 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon.h linux-2.6.39.2/drivers/gpu/drm/radeon/radeon.h
29822 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon.h 2011-05-19 00:06:34.000000000 -0400
29823 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon.h 2011-05-22 19:36:31.000000000 -0400
29824 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
29825 */
29826 struct radeon_fence_driver {
29827 uint32_t scratch_reg;
29828 - atomic_t seq;
29829 + atomic_unchecked_t seq;
29830 uint32_t last_seq;
29831 unsigned long last_jiffies;
29832 unsigned long last_timeout;
29833 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ioc32.c
29834 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-19 00:06:34.000000000 -0400
29835 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-22 19:36:31.000000000 -0400
29836 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
29837 request = compat_alloc_user_space(sizeof(*request));
29838 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
29839 || __put_user(req32.param, &request->param)
29840 - || __put_user((void __user *)(unsigned long)req32.value,
29841 + || __put_user((unsigned long)req32.value,
29842 &request->value))
29843 return -EFAULT;
29844
29845 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_irq.c
29846 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-19 00:06:34.000000000 -0400
29847 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-22 19:36:31.000000000 -0400
29848 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
29849 unsigned int ret;
29850 RING_LOCALS;
29851
29852 - atomic_inc(&dev_priv->swi_emitted);
29853 - ret = atomic_read(&dev_priv->swi_emitted);
29854 + atomic_inc_unchecked(&dev_priv->swi_emitted);
29855 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
29856
29857 BEGIN_RING(4);
29858 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
29859 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
29860 drm_radeon_private_t *dev_priv =
29861 (drm_radeon_private_t *) dev->dev_private;
29862
29863 - atomic_set(&dev_priv->swi_emitted, 0);
29864 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
29865 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
29866
29867 dev->max_vblank_count = 0x001fffff;
29868 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_state.c
29869 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_state.c 2011-05-19 00:06:34.000000000 -0400
29870 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_state.c 2011-05-22 19:36:31.000000000 -0400
29871 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
29872 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
29873 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
29874
29875 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
29876 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
29877 sarea_priv->nbox * sizeof(depth_boxes[0])))
29878 return -EFAULT;
29879
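Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads `nbox`, and the size expression `sarea_priv->nbox * sizeof(depth_boxes[0])` reads it once more, so the value that is checked is not necessarily the value that sizes the copy. If `sarea_priv` points into memory that user space can write concurrently, as the name suggests, the copy into `depth_boxes` is only bounded when the count is read once: `nbox = ACCESS_ONCE(sarea_priv->nbox);`, clamp the local, then pass `nbox * sizeof(depth_boxes[0])`. An oversized count would also be better reported as `-EINVAL` than `-EFAULT`. radeon_cp_clear's body starts and ends outside the hunk, so later uses of `sarea_priv->nbox` are not visible here.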
29880 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
29881 {
29882 drm_radeon_private_t *dev_priv = dev->dev_private;
29883 drm_radeon_getparam_t *param = data;
29884 - int value;
29885 + int value = 0;
29886
29887 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
29888
29889 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ttm.c
29890 --- linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-19 00:06:34.000000000 -0400
29891 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-22 19:36:31.000000000 -0400
29892 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
29893 man->size = size >> PAGE_SHIFT;
29894 }
29895
29896 -static struct vm_operations_struct radeon_ttm_vm_ops;
29897 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
29898 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
29899 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
29900 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
29901
29902 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29903 {
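Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared by hand in this .c file, so nothing checks them against the definitions in ttm_bo_vm.c. They belong in a ttm header that both files include; the ttm_bo_vm.c hunks further down make the functions non-static and export them, but no header change is visible in this part of the patch. With a shared header a later signature change fails to compile instead of producing a mismatched call through the ops table.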
29904 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
29905 struct radeon_device *rdev;
29906 int r;
29907
29908 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
29909 - if (bo == NULL) {
29910 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
29911 + if (!bo)
29912 return VM_FAULT_NOPAGE;
29913 - }
29914 rdev = radeon_get_rdev(bo->bdev);
29915 mutex_lock(&rdev->vram_mutex);
29916 - r = ttm_vm_ops->fault(vma, vmf);
29917 + r = ttm_bo_vm_fault(vma, vmf);
29918 mutex_unlock(&rdev->vram_mutex);
29919 return r;
29920 }
29921
29922 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
29923 + .fault = radeon_ttm_fault,
29924 + .open = ttm_bo_vm_open,
29925 + .close = ttm_bo_vm_close
29926 +};
29927 +
29928 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
29929 {
29930 struct drm_file *file_priv;
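Review bot: `radeon_ttm_vm_ops` now lists `.fault`, `.open` and `.close` explicitly, whereas the code removed from radeon_mmap copied the whole of ttm's ops table and replaced only `.fault`. Any other callback ttm sets, now or later, is silently dropped for radeon mappings; the initialiser of `ttm_bo_vm_ops` is cut off in the visible ttm_bo_vm.c hunk, so this cannot be confirmed from here. A comment above the table, e.g. `/* keep in sync with ttm_bo_vm_ops in ttm_bo_vm.c; only .fault differs */`, would make the coupling explicit. radeon_mmap's body continues outside the hunk.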
29931 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
29932
29933 file_priv = filp->private_data;
29934 rdev = file_priv->minor->dev->dev_private;
29935 - if (rdev == NULL) {
29936 + if (!rdev)
29937 return -EINVAL;
29938 - }
29939 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
29940 - if (unlikely(r != 0)) {
29941 + if (r)
29942 return r;
29943 - }
29944 - if (unlikely(ttm_vm_ops == NULL)) {
29945 - ttm_vm_ops = vma->vm_ops;
29946 - radeon_ttm_vm_ops = *ttm_vm_ops;
29947 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
29948 - }
29949 vma->vm_ops = &radeon_ttm_vm_ops;
29950 return 0;
29951 }
29952 diff -urNp linux-2.6.39.2/drivers/gpu/drm/radeon/rs690.c linux-2.6.39.2/drivers/gpu/drm/radeon/rs690.c
29953 --- linux-2.6.39.2/drivers/gpu/drm/radeon/rs690.c 2011-05-19 00:06:34.000000000 -0400
29954 +++ linux-2.6.39.2/drivers/gpu/drm/radeon/rs690.c 2011-05-22 19:36:31.000000000 -0400
29955 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
29956 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
29957 rdev->pm.sideport_bandwidth.full)
29958 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
29959 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
29960 + read_delay_latency.full = dfixed_const(800 * 1000);
29961 read_delay_latency.full = dfixed_div(read_delay_latency,
29962 rdev->pm.igp_sideport_mclk);
29963 + a.full = dfixed_const(370);
29964 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
29965 } else {
29966 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
29967 rdev->pm.k8_bandwidth.full)
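Review bot: The split at `dfixed_const(800 * 1000)` followed by `dfixed_mul(read_delay_latency, a)` has no comment saying why 370 was pulled out of the constant, so a later cleanup could fold it back in. If dfixed_const shifts its argument into a 32-bit fixed-point value, `370 * 800 * 1000` no longer fits, which is presumably the reason; a comment such as `/* multiply by 370 after the divide: the full product overflows dfixed_const() */` would record that. Dividing before multiplying also changes the rounding of the result slightly, which is worth a word in the same comment. The function body starts and ends outside the hunk, and the declaration of `a` is not visible.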
29968 diff -urNp linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_bo_vm.c
29969 --- linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-19 00:06:34.000000000 -0400
29970 +++ linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-22 19:36:31.000000000 -0400
29971 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
29972 return best_bo;
29973 }
29974
29975 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29976 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29977 {
29978 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
29979 vma->vm_private_data;
29980 - struct ttm_bo_device *bdev = bo->bdev;
29981 + struct ttm_bo_device *bdev;
29982 unsigned long page_offset;
29983 unsigned long page_last;
29984 unsigned long pfn;
29985 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
29986 int i;
29987 unsigned long address = (unsigned long)vmf->virtual_address;
29988 int retval = VM_FAULT_NOPAGE;
29989 - struct ttm_mem_type_manager *man =
29990 - &bdev->man[bo->mem.mem_type];
29991 + struct ttm_mem_type_manager *man;
29992 +
29993 + if (!bo)
29994 + return VM_FAULT_NOPAGE;
29995 + bdev = bo->bdev;
29996 + man = &bdev->man[bo->mem.mem_type];
29997
29998 /*
29999 * Work around locking order reversal in fault / nopfn
30000 @@ -219,22 +223,25 @@ out_unlock:
30001 ttm_bo_unreserve(bo);
30002 return retval;
30003 }
30004 +EXPORT_SYMBOL(ttm_bo_vm_fault);
30005
30006 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
30007 +void ttm_bo_vm_open(struct vm_area_struct *vma)
30008 {
30009 struct ttm_buffer_object *bo =
30010 (struct ttm_buffer_object *)vma->vm_private_data;
30011
30012 (void)ttm_bo_reference(bo);
30013 }
30014 +EXPORT_SYMBOL(ttm_bo_vm_open);
30015
30016 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
30017 +void ttm_bo_vm_close(struct vm_area_struct *vma)
30018 {
30019 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
30020
30021 ttm_bo_unref(&bo);
30022 vma->vm_private_data = NULL;
30023 }
30024 +EXPORT_SYMBOL(ttm_bo_vm_close);
30025
30026 static const struct vm_operations_struct ttm_bo_vm_ops = {
30027 .fault = ttm_bo_vm_fault,
30028 diff -urNp linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_page_alloc.c
30029 --- linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-19 00:06:34.000000000 -0400
30030 +++ linux-2.6.39.2/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-22 19:36:31.000000000 -0400
30031 @@ -397,9 +397,9 @@ static int ttm_pool_get_num_unused_pages
30032 */
30033 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
30034 {
30035 - static atomic_t start_pool = ATOMIC_INIT(0);
30036 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
30037 unsigned i;
30038 - unsigned pool_offset = atomic_add_return(1, &start_pool);
30039 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
30040 struct ttm_page_pool *pool;
30041
30042 pool_offset = pool_offset % NUM_POOLS;
30043 diff -urNp linux-2.6.39.2/drivers/gpu/drm/via/via_drv.h linux-2.6.39.2/drivers/gpu/drm/via/via_drv.h
30044 --- linux-2.6.39.2/drivers/gpu/drm/via/via_drv.h 2011-05-19 00:06:34.000000000 -0400
30045 +++ linux-2.6.39.2/drivers/gpu/drm/via/via_drv.h 2011-05-22 19:36:31.000000000 -0400
30046 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
30047 typedef uint32_t maskarray_t[5];
30048
30049 typedef struct drm_via_irq {
30050 - atomic_t irq_received;
30051 + atomic_unchecked_t irq_received;
30052 uint32_t pending_mask;
30053 uint32_t enable_mask;
30054 wait_queue_head_t irq_queue;
30055 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
30056 struct timeval last_vblank;
30057 int last_vblank_valid;
30058 unsigned usec_per_vblank;
30059 - atomic_t vbl_received;
30060 + atomic_unchecked_t vbl_received;
30061 drm_via_state_t hc_state;
30062 char pci_buf[VIA_PCI_BUF_SIZE];
30063 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
30064 diff -urNp linux-2.6.39.2/drivers/gpu/drm/via/via_irq.c linux-2.6.39.2/drivers/gpu/drm/via/via_irq.c
30065 --- linux-2.6.39.2/drivers/gpu/drm/via/via_irq.c 2011-05-19 00:06:34.000000000 -0400
30066 +++ linux-2.6.39.2/drivers/gpu/drm/via/via_irq.c 2011-05-22 19:36:31.000000000 -0400
30067 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
30068 if (crtc != 0)
30069 return 0;
30070
30071 - return atomic_read(&dev_priv->vbl_received);
30072 + return atomic_read_unchecked(&dev_priv->vbl_received);
30073 }
30074
30075 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
30076 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
30077
30078 status = VIA_READ(VIA_REG_INTERRUPT);
30079 if (status & VIA_IRQ_VBLANK_PENDING) {
30080 - atomic_inc(&dev_priv->vbl_received);
30081 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
30082 + atomic_inc_unchecked(&dev_priv->vbl_received);
30083 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
30084 do_gettimeofday(&cur_vblank);
30085 if (dev_priv->last_vblank_valid) {
30086 dev_priv->usec_per_vblank =
30087 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30088 dev_priv->last_vblank = cur_vblank;
30089 dev_priv->last_vblank_valid = 1;
30090 }
30091 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
30092 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
30093 DRM_DEBUG("US per vblank is: %u\n",
30094 dev_priv->usec_per_vblank);
30095 }
30096 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30097
30098 for (i = 0; i < dev_priv->num_irqs; ++i) {
30099 if (status & cur_irq->pending_mask) {
30100 - atomic_inc(&cur_irq->irq_received);
30101 + atomic_inc_unchecked(&cur_irq->irq_received);
30102 DRM_WAKEUP(&cur_irq->irq_queue);
30103 handled = 1;
30104 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
30105 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
30106 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30107 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
30108 masks[irq][4]));
30109 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
30110 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30111 } else {
30112 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30113 (((cur_irq_sequence =
30114 - atomic_read(&cur_irq->irq_received)) -
30115 + atomic_read_unchecked(&cur_irq->irq_received)) -
30116 *sequence) <= (1 << 23)));
30117 }
30118 *sequence = cur_irq_sequence;
30119 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
30120 }
30121
30122 for (i = 0; i < dev_priv->num_irqs; ++i) {
30123 - atomic_set(&cur_irq->irq_received, 0);
30124 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30125 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30126 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30127 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30128 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
30129 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30130 case VIA_IRQ_RELATIVE:
30131 irqwait->request.sequence +=
30132 - atomic_read(&cur_irq->irq_received);
30133 + atomic_read_unchecked(&cur_irq->irq_received);
30134 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30135 case VIA_IRQ_ABSOLUTE:
30136 break;
30137 diff -urNp linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
30138 --- linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-19 00:06:34.000000000 -0400
30139 +++ linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-22 19:36:31.000000000 -0400
30140 @@ -240,7 +240,7 @@ struct vmw_private {
30141 * Fencing and IRQs.
30142 */
30143
30144 - atomic_t fence_seq;
30145 + atomic_unchecked_t fence_seq;
30146 wait_queue_head_t fence_queue;
30147 wait_queue_head_t fifo_queue;
30148 atomic_t fence_queue_waiters;
30149 diff -urNp linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
30150 --- linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-19 00:06:34.000000000 -0400
30151 +++ linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-22 19:36:31.000000000 -0400
30152 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
30153 while (!vmw_lag_lt(queue, us)) {
30154 spin_lock(&queue->lock);
30155 if (list_empty(&queue->head))
30156 - sequence = atomic_read(&dev_priv->fence_seq);
30157 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30158 else {
30159 fence = list_first_entry(&queue->head,
30160 struct vmw_fence, head);
30161 diff -urNp linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
30162 --- linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-19 00:06:34.000000000 -0400
30163 +++ linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-22 19:36:31.000000000 -0400
30164 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
30165 (unsigned int) min,
30166 (unsigned int) fifo->capabilities);
30167
30168 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30169 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30170 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
30171 vmw_fence_queue_init(&fifo->fence_queue);
30172 return vmw_fifo_send_fence(dev_priv, &dummy);
30173 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30174
30175 fm = vmw_fifo_reserve(dev_priv, bytes);
30176 if (unlikely(fm == NULL)) {
30177 - *sequence = atomic_read(&dev_priv->fence_seq);
30178 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30179 ret = -ENOMEM;
30180 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
30181 false, 3*HZ);
30182 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30183 }
30184
30185 do {
30186 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
30187 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
30188 } while (*sequence == 0);
30189
30190 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
30191 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
30192 return VM_FAULT_SIGBUS;
30193 }
30194
30195 -static struct vm_operations_struct vmw_fifo_vm_ops = {
30196 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
30197 .fault = vmw_fifo_vm_fault,
30198 .open = NULL,
30199 .close = NULL
30200 diff -urNp linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
30201 --- linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-19 00:06:34.000000000 -0400
30202 +++ linux-2.6.39.2/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-22 19:36:31.000000000 -0400
30203 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
30204 * emitted. Then the fence is stale and signaled.
30205 */
30206
30207 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
30208 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
30209 > VMW_FENCE_WRAP);
30210
30211 return ret;
30212 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
30213
30214 if (fifo_idle)
30215 down_read(&fifo_state->rwsem);
30216 - signal_seq = atomic_read(&dev_priv->fence_seq);
30217 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
30218 ret = 0;
30219
30220 for (;;) {
30221 diff -urNp linux-2.6.39.2/drivers/gpu/vga/vga_switcheroo.c linux-2.6.39.2/drivers/gpu/vga/vga_switcheroo.c
30222 --- linux-2.6.39.2/drivers/gpu/vga/vga_switcheroo.c 2011-05-19 00:06:34.000000000 -0400
30223 +++ linux-2.6.39.2/drivers/gpu/vga/vga_switcheroo.c 2011-05-22 19:36:31.000000000 -0400
30224 @@ -53,7 +53,7 @@ struct vgasr_priv {
30225 int registered_clients;
30226 struct vga_switcheroo_client clients[VGA_SWITCHEROO_MAX_CLIENTS];
30227
30228 - struct vga_switcheroo_handler *handler;
30229 + const struct vga_switcheroo_handler *handler;
30230 };
30231
30232 static int vga_switcheroo_debugfs_init(struct vgasr_priv *priv);
30233 @@ -62,7 +62,7 @@ static void vga_switcheroo_debugfs_fini(
30234 /* only one switcheroo per system */
30235 static struct vgasr_priv vgasr_priv;
30236
30237 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler)
30238 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler)
30239 {
30240 mutex_lock(&vgasr_mutex);
30241 if (vgasr_priv.handler) {
30242 diff -urNp linux-2.6.39.2/drivers/hid/hid-core.c linux-2.6.39.2/drivers/hid/hid-core.c
30243 --- linux-2.6.39.2/drivers/hid/hid-core.c 2011-05-19 00:06:34.000000000 -0400
30244 +++ linux-2.6.39.2/drivers/hid/hid-core.c 2011-05-22 19:36:31.000000000 -0400
30245 @@ -1888,7 +1888,7 @@ static bool hid_ignore(struct hid_device
30246
30247 int hid_add_device(struct hid_device *hdev)
30248 {
30249 - static atomic_t id = ATOMIC_INIT(0);
30250 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30251 int ret;
30252
30253 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30254 @@ -1903,7 +1903,7 @@ int hid_add_device(struct hid_device *hd
30255 /* XXX hack, any other cleaner solution after the driver core
30256 * is converted to allow more than 20 bytes as the device name? */
30257 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30258 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30259 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30260
30261 hid_debug_register(hdev, dev_name(&hdev->dev));
30262 ret = device_add(&hdev->dev);
30263 diff -urNp linux-2.6.39.2/drivers/hid/hid-picolcd.c linux-2.6.39.2/drivers/hid/hid-picolcd.c
30264 --- linux-2.6.39.2/drivers/hid/hid-picolcd.c 2011-05-19 00:06:34.000000000 -0400
30265 +++ linux-2.6.39.2/drivers/hid/hid-picolcd.c 2011-05-22 19:36:31.000000000 -0400
30266 @@ -1037,7 +1037,7 @@ static int picolcd_check_lcd_fb(struct l
30267 return fb && fb == picolcd_fbinfo((struct picolcd_data *)lcd_get_data(ldev));
30268 }
30269
30270 -static struct lcd_ops picolcd_lcdops = {
30271 +static const struct lcd_ops picolcd_lcdops = {
30272 .get_contrast = picolcd_get_contrast,
30273 .set_contrast = picolcd_set_contrast,
30274 .check_fb = picolcd_check_lcd_fb,
30275 diff -urNp linux-2.6.39.2/drivers/hid/usbhid/hiddev.c linux-2.6.39.2/drivers/hid/usbhid/hiddev.c
30276 --- linux-2.6.39.2/drivers/hid/usbhid/hiddev.c 2011-05-19 00:06:34.000000000 -0400
30277 +++ linux-2.6.39.2/drivers/hid/usbhid/hiddev.c 2011-05-22 19:36:31.000000000 -0400
30278 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
30279 break;
30280
30281 case HIDIOCAPPLICATION:
30282 - if (arg < 0 || arg >= hid->maxapplication)
30283 + if (arg >= hid->maxapplication)
30284 break;
30285
30286 for (i = 0; i < hid->maxcollection; i++)
30287 diff -urNp linux-2.6.39.2/drivers/hwmon/ibmaem.c linux-2.6.39.2/drivers/hwmon/ibmaem.c
30288 --- linux-2.6.39.2/drivers/hwmon/ibmaem.c 2011-05-19 00:06:34.000000000 -0400
30289 +++ linux-2.6.39.2/drivers/hwmon/ibmaem.c 2011-05-22 19:36:31.000000000 -0400
30290 @@ -238,7 +238,7 @@ struct aem_read_sensor_resp {
30291 struct aem_driver_data {
30292 struct list_head aem_devices;
30293 struct ipmi_smi_watcher bmc_events;
30294 - struct ipmi_user_hndl ipmi_hndlrs;
30295 + const struct ipmi_user_hndl ipmi_hndlrs;
30296 };
30297
30298 static void aem_register_bmc(int iface, struct device *dev);
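Review bot: Marking the `ipmi_hndlrs` member `const` only stops direct assignment in C; it does not move the callback table into read-only memory, because the enclosing object stays writable. In ibmpex.c the instance is visibly `static struct ibmpex_driver_data driver_data`, and the ibmaem.c instance is outside this hunk but presumably declared the same way. If the aim is a write-protected function-pointer table, a separate `static const struct ipmi_user_hndl` object referenced from the driver data would achieve it. The same applies to the ibmpex.c hunk that follows.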
30299 diff -urNp linux-2.6.39.2/drivers/hwmon/ibmpex.c linux-2.6.39.2/drivers/hwmon/ibmpex.c
30300 --- linux-2.6.39.2/drivers/hwmon/ibmpex.c 2011-05-19 00:06:34.000000000 -0400
30301 +++ linux-2.6.39.2/drivers/hwmon/ibmpex.c 2011-05-22 19:36:31.000000000 -0400
30302 @@ -110,7 +110,7 @@ struct ibmpex_bmc_data {
30303 struct ibmpex_driver_data {
30304 struct list_head bmc_data;
30305 struct ipmi_smi_watcher bmc_events;
30306 - struct ipmi_user_hndl ipmi_hndlrs;
30307 + const struct ipmi_user_hndl ipmi_hndlrs;
30308 };
30309
30310 static struct ibmpex_driver_data driver_data = {
30311 diff -urNp linux-2.6.39.2/drivers/hwmon/sht15.c linux-2.6.39.2/drivers/hwmon/sht15.c
30312 --- linux-2.6.39.2/drivers/hwmon/sht15.c 2011-05-19 00:06:34.000000000 -0400
30313 +++ linux-2.6.39.2/drivers/hwmon/sht15.c 2011-05-22 19:36:31.000000000 -0400
30314 @@ -113,7 +113,7 @@ struct sht15_data {
30315 int supply_uV;
30316 int supply_uV_valid;
30317 struct work_struct update_supply_work;
30318 - atomic_t interrupt_handled;
30319 + atomic_unchecked_t interrupt_handled;
30320 };
30321
30322 /**
30323 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
30324 return ret;
30325
30326 gpio_direction_input(data->pdata->gpio_data);
30327 - atomic_set(&data->interrupt_handled, 0);
30328 + atomic_set_unchecked(&data->interrupt_handled, 0);
30329
30330 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30331 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30332 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30333 /* Only relevant if the interrupt hasn't occurred. */
30334 - if (!atomic_read(&data->interrupt_handled))
30335 + if (!atomic_read_unchecked(&data->interrupt_handled))
30336 schedule_work(&data->read_work);
30337 }
30338 ret = wait_event_timeout(data->wait_queue,
30339 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
30340 struct sht15_data *data = d;
30341 /* First disable the interrupt */
30342 disable_irq_nosync(irq);
30343 - atomic_inc(&data->interrupt_handled);
30344 + atomic_inc_unchecked(&data->interrupt_handled);
30345 /* Then schedule a reading work struct */
30346 if (data->flag != SHT15_READING_NOTHING)
30347 schedule_work(&data->read_work);
30348 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
30349 here as could have gone low in meantime so verify
30350 it hasn't!
30351 */
30352 - atomic_set(&data->interrupt_handled, 0);
30353 + atomic_set_unchecked(&data->interrupt_handled, 0);
30354 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30355 /* If still not occurred or another handler has been scheduled */
30356 if (gpio_get_value(data->pdata->gpio_data)
30357 - || atomic_read(&data->interrupt_handled))
30358 + || atomic_read_unchecked(&data->interrupt_handled))
30359 return;
30360 }
30361 /* Read the data back from the device */
30362 diff -urNp linux-2.6.39.2/drivers/hwmon/w83791d.c linux-2.6.39.2/drivers/hwmon/w83791d.c
30363 --- linux-2.6.39.2/drivers/hwmon/w83791d.c 2011-05-19 00:06:34.000000000 -0400
30364 +++ linux-2.6.39.2/drivers/hwmon/w83791d.c 2011-05-22 19:36:31.000000000 -0400
30365 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
30366 struct i2c_board_info *info);
30367 static int w83791d_remove(struct i2c_client *client);
30368
30369 -static int w83791d_read(struct i2c_client *client, u8 register);
30370 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30371 +static int w83791d_read(struct i2c_client *client, u8 reg);
30372 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30373 static struct w83791d_data *w83791d_update_device(struct device *dev);
30374
30375 #ifdef DEBUG
30376 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-at91.c linux-2.6.39.2/drivers/i2c/busses/i2c-at91.c
30377 --- linux-2.6.39.2/drivers/i2c/busses/i2c-at91.c 2011-05-19 00:06:34.000000000 -0400
30378 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-at91.c 2011-05-22 19:36:31.000000000 -0400
30379 @@ -181,7 +181,7 @@ static u32 at91_func(struct i2c_adapter
30380 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30381 }
30382
30383 -static struct i2c_algorithm at91_algorithm = {
30384 +static const struct i2c_algorithm at91_algorithm = {
30385 .master_xfer = at91_xfer,
30386 .functionality = at91_func,
30387 };
30388 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-bfin-twi.c linux-2.6.39.2/drivers/i2c/busses/i2c-bfin-twi.c
30389 --- linux-2.6.39.2/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-19 00:06:34.000000000 -0400
30390 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-22 19:36:31.000000000 -0400
30391 @@ -599,7 +599,7 @@ static u32 bfin_twi_functionality(struct
30392 I2C_FUNC_I2C | I2C_FUNC_SMBUS_I2C_BLOCK;
30393 }
30394
30395 -static struct i2c_algorithm bfin_twi_algorithm = {
30396 +static const struct i2c_algorithm bfin_twi_algorithm = {
30397 .master_xfer = bfin_twi_master_xfer,
30398 .smbus_xfer = bfin_twi_smbus_xfer,
30399 .functionality = bfin_twi_functionality,
30400 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-davinci.c linux-2.6.39.2/drivers/i2c/busses/i2c-davinci.c
30401 --- linux-2.6.39.2/drivers/i2c/busses/i2c-davinci.c 2011-05-19 00:06:34.000000000 -0400
30402 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-davinci.c 2011-05-22 19:36:31.000000000 -0400
30403 @@ -630,7 +630,7 @@ static inline void i2c_davinci_cpufreq_d
30404 }
30405 #endif
30406
30407 -static struct i2c_algorithm i2c_davinci_algo = {
30408 +static const struct i2c_algorithm i2c_davinci_algo = {
30409 .master_xfer = i2c_davinci_xfer,
30410 .functionality = i2c_davinci_func,
30411 };
30412 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-designware.c linux-2.6.39.2/drivers/i2c/busses/i2c-designware.c
30413 --- linux-2.6.39.2/drivers/i2c/busses/i2c-designware.c 2011-05-19 00:06:34.000000000 -0400
30414 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-designware.c 2011-05-22 19:36:31.000000000 -0400
30415 @@ -689,7 +689,7 @@ tx_aborted:
30416 return IRQ_HANDLED;
30417 }
30418
30419 -static struct i2c_algorithm i2c_dw_algo = {
30420 +static const struct i2c_algorithm i2c_dw_algo = {
30421 .master_xfer = i2c_dw_xfer,
30422 .functionality = i2c_dw_func,
30423 };
30424 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-eg20t.c linux-2.6.39.2/drivers/i2c/busses/i2c-eg20t.c
30425 --- linux-2.6.39.2/drivers/i2c/busses/i2c-eg20t.c 2011-05-19 00:06:34.000000000 -0400
30426 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-eg20t.c 2011-05-22 19:36:31.000000000 -0400
30427 @@ -708,7 +708,7 @@ static u32 pch_i2c_func(struct i2c_adapt
30428 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL | I2C_FUNC_10BIT_ADDR;
30429 }
30430
30431 -static struct i2c_algorithm pch_algorithm = {
30432 +static const struct i2c_algorithm pch_algorithm = {
30433 .master_xfer = pch_i2c_xfer,
30434 .functionality = pch_i2c_func
30435 };
30436 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-imx.c linux-2.6.39.2/drivers/i2c/busses/i2c-imx.c
30437 --- linux-2.6.39.2/drivers/i2c/busses/i2c-imx.c 2011-05-19 00:06:34.000000000 -0400
30438 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-imx.c 2011-05-22 19:36:31.000000000 -0400
30439 @@ -457,7 +457,7 @@ static u32 i2c_imx_func(struct i2c_adapt
30440 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30441 }
30442
30443 -static struct i2c_algorithm i2c_imx_algo = {
30444 +static const struct i2c_algorithm i2c_imx_algo = {
30445 .master_xfer = i2c_imx_xfer,
30446 .functionality = i2c_imx_func,
30447 };
30448 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-intel-mid.c linux-2.6.39.2/drivers/i2c/busses/i2c-intel-mid.c
30449 --- linux-2.6.39.2/drivers/i2c/busses/i2c-intel-mid.c 2011-05-19 00:06:34.000000000 -0400
30450 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-intel-mid.c 2011-05-22 19:36:31.000000000 -0400
30451 @@ -917,7 +917,7 @@ err:
30452 return IRQ_HANDLED;
30453 }
30454
30455 -static struct i2c_algorithm intel_mid_i2c_algorithm = {
30456 +static const struct i2c_algorithm intel_mid_i2c_algorithm = {
30457 .master_xfer = intel_mid_i2c_xfer,
30458 .functionality = intel_mid_i2c_func,
30459 };
30460 diff -urNp linux-2.6.39.2/drivers/i2c/busses/i2c-nforce2.c linux-2.6.39.2/drivers/i2c/busses/i2c-nforce2.c
30461 --- linux-2.6.39.2/drivers/i2c/busses/i2c-nforce2.c 2011-05-19 00:06:34.000000000 -0400
30462 +++ linux-2.6.39.2/drivers/i2c/busses/i2c-nforce2.c 2011-05-22 19:36:31.000000000 -0400
30463 @@ -303,7 +303,7 @@ static u32 nforce2_func(struct i2c_adapt
30464 I2C_FUNC_SMBUS_BLOCK_DATA : 0);
30465 }
30466
30467 -static struct i2c_algorithm smbus_algorithm = {
30468 +static const struct i2c_algorithm smbus_algorithm = {
30469 .smbus_xfer = nforce2_access,
30470 .functionality = nforce2_func,
30471 };
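--- a/drivers/i2c/busses/i2c-pmcmsp.c
+++ b/drivers/i2c/busses/i2c-pmcmsp.c
@@ -615,7 +615,7 @@ static u32 pmcmsptwi_i2c_func(struct i2c
 
 /* -- Initialization -- */
 
-static struct i2c_algorithm pmcmsptwi_algo = {
+static const struct i2c_algorithm pmcmsptwi_algo = {
 .master_xfer = pmcmsptwi_master_xfer,
 .functionality = pmcmsptwi_i2c_func,
 };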
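--- a/drivers/i2c/busses/i2c-pnx.c
+++ b/drivers/i2c/busses/i2c-pnx.c
@@ -535,7 +535,7 @@ static u32 i2c_pnx_func(struct i2c_adapt
 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
 }
 
-static struct i2c_algorithm pnx_algorithm = {
+static const struct i2c_algorithm pnx_algorithm = {
 .master_xfer = i2c_pnx_xfer,
 .functionality = i2c_pnx_func,
 };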
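--- a/drivers/i2c/busses/i2c-puv3.c
+++ b/drivers/i2c/busses/i2c-puv3.c
@@ -176,7 +176,7 @@ static u32 puv3_i2c_func(struct i2c_adap
 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
 }
 
-static struct i2c_algorithm puv3_i2c_algorithm = {
+static const struct i2c_algorithm puv3_i2c_algorithm = {
 .master_xfer = puv3_i2c_xfer,
 .functionality = puv3_i2c_func,
 };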
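--- a/drivers/i2c/busses/i2c-s6000.c
+++ b/drivers/i2c/busses/i2c-s6000.c
@@ -243,7 +243,7 @@ static u32 s6i2c_functionality(struct i2
 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
 }
 
-static struct i2c_algorithm s6i2c_algorithm = {
+static const struct i2c_algorithm s6i2c_algorithm = {
 .master_xfer = s6i2c_master_xfer,
 .functionality = s6i2c_functionality,
 };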
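--- a/drivers/i2c/busses/i2c-sh_mobile.c
+++ b/drivers/i2c/busses/i2c-sh_mobile.c
@@ -529,7 +529,7 @@ static u32 sh_mobile_i2c_func(struct i2c
 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
 }
 
-static struct i2c_algorithm sh_mobile_i2c_algorithm = {
+static const struct i2c_algorithm sh_mobile_i2c_algorithm = {
 .functionality = sh_mobile_i2c_func,
 .master_xfer = sh_mobile_i2c_xfer,
 };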
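--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
 if ((unsigned long)buf & alignment
 || blk_rq_bytes(rq) & q->dma_pad_mask
- || object_is_on_stack(buf))
+ || object_starts_on_stack(buf))
 drive->dma = 0;
 }
 }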
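--- a/drivers/ide/ide-floppy.c
+++ b/drivers/ide/ide-floppy.c
@@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
 u8 pc_buf[256], header_len, desc_cnt;
 int i, rc = 1, blocks, length;
 
+ pax_track_stack();
+
 ide_debug_log(IDE_DBG_FUNC, "enter");
 
 drive->bios_cyl = 0;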
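Review bot: The added `pax_track_stack();` in ide_floppy_get_capacity carries no comment saying why this function is instrumented, and nothing in the visible logic depends on the call. The reason is presumably the 256-byte `pc_buf` in the frame, so a one-line comment such as `/* large stack frame (pc_buf[256]): record stack depth for PaX stack tracking */` would keep the call from being dropped in a later cleanup. The same applies to the calls added in ide_pci_init_two (drivers/ide/setup-pci.c, next to `struct ide_hw hw[4]`) and in atomic_counters_read (drivers/infiniband/hw/ipath/ipath_fs.c, next to `struct infinipath_counters counters`). Each of these function bodies continues outside its hunk.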
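--- a/drivers/ide/it821x.c
+++ b/drivers/ide/it821x.c
@@ -508,7 +508,7 @@ static void it821x_quirkproc(ide_drive_t
 
 }
 
-static struct ide_dma_ops it821x_pass_through_dma_ops = {
+static const struct ide_dma_ops it821x_pass_through_dma_ops = {
 .dma_host_set = ide_dma_host_set,
 .dma_setup = ide_dma_setup,
 .dma_start = it821x_dma_start,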
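--- a/drivers/ide/setup-pci.c
+++ b/drivers/ide/setup-pci.c
@@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
 int ret, i, n_ports = dev2 ? 4 : 2;
 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
 
+ pax_track_stack();
+
 for (i = 0; i < n_ports / 2; i++) {
 ret = ide_setup_pci_controller(pdev[i], d, !i);
 if (ret < 0)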
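--- a/drivers/ide/trm290.c
+++ b/drivers/ide/trm290.c
@@ -314,7 +314,7 @@ static const struct ide_tp_ops trm290_tp
 .output_data = ide_output_data,
 };
 
-static struct ide_dma_ops trm290_dma_ops = {
+static const struct ide_dma_ops trm290_dma_ops = {
 .dma_host_set = trm290_dma_host_set,
 .dma_setup = trm290_dma_setup,
 .dma_start = trm290_dma_start,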
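--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -113,7 +113,7 @@ static char const counter_group_names[CM
 
 struct cm_counter_group {
 struct kobject obj;
- atomic_long_t counter[CM_ATTR_COUNT];
+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
 };
 
 struct cm_counter_attribute {
@@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
 struct ib_mad_send_buf *msg = NULL;
 int ret;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REQ_COUNTER]);
 
 /* Quick state check to discard duplicate REQs. */
@@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
 if (!cm_id_priv)
 return;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REP_COUNTER]);
 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
 if (ret)
@@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
 spin_unlock_irq(&cm_id_priv->lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_RTU_COUNTER]);
 goto out;
 }
@@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
 dreq_msg->local_comm_id);
 if (!cm_id_priv) {
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 cm_issue_drep(work->port, work->mad_recv_wc);
 return -EINVAL;
@@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
 case IB_CM_MRA_REP_RCVD:
 break;
 case IB_CM_TIMEWAIT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
 cm_free_msg(msg);
 goto deref;
 case IB_CM_DREQ_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 goto unlock;
 default:
@@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
 ib_modify_mad(cm_id_priv->av.port->mad_agent,
 cm_id_priv->msg, timeout)) {
 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
- atomic_long_inc(&work->port->
+ atomic_long_inc_unchecked(&work->port->
 counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 goto out;
@@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
 break;
 case IB_CM_MRA_REQ_RCVD:
 case IB_CM_MRA_REP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 /* fall through */
 default:
@@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
 case IB_CM_LAP_IDLE:
 break;
 case IB_CM_MRA_LAP_SENT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
 cm_free_msg(msg);
 goto deref;
 case IB_CM_LAP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 goto unlock;
 default:
@@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
 if (cur_cm_id_priv) {
 spin_unlock_irq(&cm.lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_SIDR_REQ_COUNTER]);
 goto out; /* Duplicate message. */
 }
@@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
 msg->retries = 1;
 
- atomic_long_add(1 + msg->retries,
+ atomic_long_add_unchecked(1 + msg->retries,
 &port->counter_group[CM_XMIT].counter[attr_index]);
 if (msg->retries)
- atomic_long_add(msg->retries,
+ atomic_long_add_unchecked(msg->retries,
 &port->counter_group[CM_XMIT_RETRIES].
 counter[attr_index]);
 
@@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
 }
 
 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
- atomic_long_inc(&port->counter_group[CM_RECV].
+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
 counter[attr_id - CM_ATTR_ID_OFFSET]);
 
 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
@@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
 
 return sprintf(buf, "%ld\n",
- atomic_long_read(&group->counter[cm_attr->index]));
+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
 }
 
 static const struct sysfs_ops cm_counter_ops = {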
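Review bot: In the cm_recv_handler hunk the counter index `attr_id - CM_ATTR_ID_OFFSET` is derived from the attr_id field of the received MAD header, and the hunk does not show the range check that keeps it inside `counter[CM_ATTR_COUNT]`. The hunk opens on a closing brace that presumably ends that validation, but the function starts outside the hunk, so this should be confirmed; moving to the unchecked increment does not change the bounds question. A short comment above the increment, `/* attr_id was validated above; index is within CM_ATTR_COUNT */`, would record the dependency. It would also help to say once, at the `counter` field of struct cm_counter_group, that these are statistics read back through cm_show_counter and not reference counts, which is why wrap is tolerated.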
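--- a/drivers/infiniband/core/fmr_pool.c
+++ b/drivers/infiniband/core/fmr_pool.c
@@ -97,8 +97,8 @@ struct ib_fmr_pool {
 
 struct task_struct *thread;
 
- atomic_t req_ser;
- atomic_t flush_ser;
+ atomic_unchecked_t req_ser;
+ atomic_unchecked_t flush_ser;
 
 wait_queue_head_t force_wait;
 };
@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
 struct ib_fmr_pool *pool = pool_ptr;
 
 do {
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
 ib_fmr_batch_release(pool);
 
- atomic_inc(&pool->flush_ser);
+ atomic_inc_unchecked(&pool->flush_ser);
 wake_up_interruptible(&pool->force_wait);
 
 if (pool->flush_function)
@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
 }
 
 set_current_state(TASK_INTERRUPTIBLE);
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
 !kthread_should_stop())
 schedule();
 __set_current_state(TASK_RUNNING);
@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
 pool->dirty_watermark = params->dirty_watermark;
 pool->dirty_len = 0;
 spin_lock_init(&pool->pool_lock);
- atomic_set(&pool->req_ser, 0);
- atomic_set(&pool->flush_ser, 0);
+ atomic_set_unchecked(&pool->req_ser, 0);
+ atomic_set_unchecked(&pool->flush_ser, 0);
 init_waitqueue_head(&pool->force_wait);
 
 pool->thread = kthread_run(ib_fmr_cleanup_thread,
@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
 }
 spin_unlock_irq(&pool->pool_lock);
 
- serial = atomic_inc_return(&pool->req_ser);
+ serial = atomic_inc_return_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 
 if (wait_event_interruptible(pool->force_wait,
- atomic_read(&pool->flush_ser) - serial >= 0))
+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
 return -EINTR;
 
 return 0;
@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
 } else {
 list_add_tail(&fmr->list, &pool->dirty_list);
 if (++pool->dirty_len >= pool->dirty_watermark) {
- atomic_inc(&pool->req_ser);
+ atomic_inc_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 }
 }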
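Review bot: `req_ser` and `flush_ser` are compared by signed difference (`atomic_read_unchecked(&pool->flush_ser) - serial >= 0` in ib_flush_fmr_pool, and the same form twice in ib_fmr_cleanup_thread), which only works if the counters are allowed to wrap, yet the struct fields carry no comment saying so. I would add `/* serial numbers: wrap is expected, compared by signed difference */` above the two `atomic_unchecked_t` fields in struct ib_fmr_pool so the unchecked type is not mistaken for a reference counter that escaped overflow protection. The subtraction itself is still plain `int` arithmetic, so it relies on the build treating signed overflow as wrapping; that is worth confirming for this tree. The function bodies continue outside their hunks.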
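--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
 int err;
 struct fw_ri_tpte tpt;
 u32 stag_idx;
- static atomic_t key;
+ static atomic_unchecked_t key;
 
 if (c4iw_fatal_error(rdev))
 return -EIO;
@@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
 &rdev->resource.tpt_fifo_lock);
 if (!stag_idx)
 return -ENOMEM;
- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
 }
 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
 __func__, stag_state, type, pdid, stag_idx);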
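Review bot: The function-local `static atomic_unchecked_t key;` in write_tpt_entry is consumed in these hunks only as `atomic_inc_return_unchecked(&key) & 0xff`, so it acts as a rolling 8-bit tag where wrap is harmless, but neither the declaration nor the use says that. A comment at the declaration, `/* rolling low byte of the stag; wraps by design */`, would explain why the unchecked type is correct here. write_tpt_entry starts and ends outside the hunks.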
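--- a/drivers/infiniband/hw/ipath/ipath_dma.c
+++ b/drivers/infiniband/hw/ipath/ipath_dma.c
@@ -175,7 +175,7 @@ static void ipath_dma_free_coherent(stru
 free_pages((unsigned long) cpu_addr, get_order(size));
 }
 
-struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
+const struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
 ipath_mapping_error,
 ipath_dma_map_single,
 ipath_dma_unmap_single,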
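--- a/drivers/infiniband/hw/ipath/ipath_fs.c
+++ b/drivers/infiniband/hw/ipath/ipath_fs.c
@@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
 struct infinipath_counters counters;
 struct ipath_devdata *dd;
 
+ pax_track_stack();
+
 dd = file->f_path.dentry->d_inode->i_private;
 dd->ipath_f_read_counters(dd, &counters);
 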
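--- a/drivers/infiniband/hw/ipath/ipath_rc.c
+++ b/drivers/infiniband/hw/ipath/ipath_rc.c
@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
 struct ib_atomic_eth *ateth;
 struct ipath_ack_entry *e;
 u64 vaddr;
- atomic64_t *maddr;
+ atomic64_unchecked_t *maddr;
 u64 sdata;
 u32 rkey;
 u8 next;
@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
 IB_ACCESS_REMOTE_ATOMIC)))
 goto nack_acc_unlck;
 /* Perform atomic OP and save result. */
- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
 sdata = be64_to_cpu(ateth->swap_data);
 e = &qp->s_ack_queue[qp->r_head_ack_queue];
 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
- (u64) atomic64_add_return(sdata, maddr) - sdata :
+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
 be64_to_cpu(ateth->compare_data),
 sdata);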
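Review bot: The FETCH_ADD path in ipath_rc_rcv adds `sdata`, which is read from the packet (`be64_to_cpu(ateth->swap_data)`), to memory reached through `qp->r_sge.sge.vaddr`, so 64-bit wrap is presumably the defined result of the operation and not an overflow to trap; the code does not say this. I would put `/* remote atomic add: 64-bit wrap is the defined result, not a refcount */` above the `maddr` assignment. The cast to `atomic64_unchecked_t *` also assumes that type has the same size and layout as the `u64` the cmpxchg branch uses on the same address, which is not visible here and should be confirmed. Both points apply equally to ipath_ruc_loopback in ipath_ruc.c; both functions extend beyond their hunks.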
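--- a/drivers/infiniband/hw/ipath/ipath_ruc.c
+++ b/drivers/infiniband/hw/ipath/ipath_ruc.c
@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
 unsigned long flags;
 struct ib_wc wc;
 u64 sdata;
- atomic64_t *maddr;
+ atomic64_unchecked_t *maddr;
 enum ib_wc_status send_status;
 
 /*
@@ -382,11 +382,11 @@ again:
 IB_ACCESS_REMOTE_ATOMIC)))
 goto acc_err;
 /* Perform atomic OP and save result. */
- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
 sdata = wqe->wr.wr.atomic.compare_add;
 *(u64 *) sqp->s_sge.sge.vaddr =
 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
- (u64) atomic64_add_return(sdata, maddr) - sdata :
+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
 sdata, wqe->wr.wr.atomic.swap);
 goto send_comp;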
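--- a/drivers/infiniband/hw/ipath/ipath_verbs.h
+++ b/drivers/infiniband/hw/ipath/ipath_verbs.h
@@ -931,6 +931,6 @@ extern unsigned int ib_ipath_max_srq_wrs
 
 extern const u32 ib_ipath_rnr_table[];
 
-extern struct ib_dma_mapping_ops ipath_dma_mapping_ops;
+extern const struct ib_dma_mapping_ops ipath_dma_mapping_ops;
 
 #endif /* IPATH_VERBS_H */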
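--- a/drivers/infiniband/hw/nes/nes.c
+++ b/drivers/infiniband/hw/nes/nes.c
@@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
 LIST_HEAD(nes_adapter_list);
 static LIST_HEAD(nes_dev_list);
 
-atomic_t qps_destroyed;
+atomic_unchecked_t qps_destroyed;
 
 static unsigned int ee_flsh_adapter;
 static unsigned int sysfs_nonidx_addr;
@@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
 struct nes_adapter *nesadapter = nesdev->nesadapter;
 
- atomic_inc(&qps_destroyed);
+ atomic_inc_unchecked(&qps_destroyed);
 
 /* Free the control structures */
 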
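--- a/drivers/infiniband/hw/nes/nes_cm.c
+++ b/drivers/infiniband/hw/nes/nes_cm.c
@@ -68,14 +68,14 @@ u32 cm_packets_dropped;
 u32 cm_packets_retrans;
 u32 cm_packets_created;
 u32 cm_packets_received;
-atomic_t cm_listens_created;
-atomic_t cm_listens_destroyed;
+atomic_unchecked_t cm_listens_created;
+atomic_unchecked_t cm_listens_destroyed;
 u32 cm_backlog_drops;
-atomic_t cm_loopbacks;
-atomic_t cm_nodes_created;
-atomic_t cm_nodes_destroyed;
-atomic_t cm_accel_dropped_pkts;
-atomic_t cm_resets_recvd;
+atomic_unchecked_t cm_loopbacks;
+atomic_unchecked_t cm_nodes_created;
+atomic_unchecked_t cm_nodes_destroyed;
+atomic_unchecked_t cm_accel_dropped_pkts;
+atomic_unchecked_t cm_resets_recvd;
 
 static inline int mini_cm_accelerated(struct nes_cm_core *,
 struct nes_cm_node *);
@@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
 
 static struct nes_cm_core *g_cm_core;
 
-atomic_t cm_connects;
-atomic_t cm_accepts;
-atomic_t cm_disconnects;
-atomic_t cm_closes;
-atomic_t cm_connecteds;
-atomic_t cm_connect_reqs;
-atomic_t cm_rejects;
+atomic_unchecked_t cm_connects;
+atomic_unchecked_t cm_accepts;
+atomic_unchecked_t cm_disconnects;
+atomic_unchecked_t cm_closes;
+atomic_unchecked_t cm_connecteds;
+atomic_unchecked_t cm_connect_reqs;
+atomic_unchecked_t cm_rejects;
 
 
 /**
@@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
 kfree(listener);
 listener = NULL;
 ret = 0;
- atomic_inc(&cm_listens_destroyed);
+ atomic_inc_unchecked(&cm_listens_destroyed);
 } else {
 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
 }
@@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
 cm_node->rem_mac);
 
 add_hte_node(cm_core, cm_node);
- atomic_inc(&cm_nodes_created);
+ atomic_inc_unchecked(&cm_nodes_created);
 
 return cm_node;
 }
@@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
 }
 
 atomic_dec(&cm_core->node_cnt);
- atomic_inc(&cm_nodes_destroyed);
+ atomic_inc_unchecked(&cm_nodes_destroyed);
 nesqp = cm_node->nesqp;
 if (nesqp) {
 nesqp->cm_node = NULL;
@@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
 
 static void drop_packet(struct sk_buff *skb)
 {
- atomic_inc(&cm_accel_dropped_pkts);
+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
 dev_kfree_skb_any(skb);
 }
 
@@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
 {
 
 int reset = 0; /* whether to send reset in case of err.. */
- atomic_inc(&cm_resets_recvd);
+ atomic_inc_unchecked(&cm_resets_recvd);
 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
 " refcnt=%d\n", cm_node, cm_node->state,
 atomic_read(&cm_node->ref_count));
@@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
 rem_ref_cm_node(cm_node->cm_core, cm_node);
 return NULL;
 }
- atomic_inc(&cm_loopbacks);
+ atomic_inc_unchecked(&cm_loopbacks);
 loopbackremotenode->loopbackpartner = cm_node;
 loopbackremotenode->tcp_cntxt.rcv_wscale =
 NES_CM_DEFAULT_RCV_WND_SCALE;
@@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
 add_ref_cm_node(cm_node);
 } else if (cm_node->state == NES_CM_STATE_TSA) {
 rem_ref_cm_node(cm_core, cm_node);
- atomic_inc(&cm_accel_dropped_pkts);
+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
 dev_kfree_skb_any(skb);
 break;
 }
@@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
 
 if ((cm_id) && (cm_id->event_handler)) {
 if (issue_disconn) {
- atomic_inc(&cm_disconnects);
+ atomic_inc_unchecked(&cm_disconnects);
 cm_event.event = IW_CM_EVENT_DISCONNECT;
 cm_event.status = disconn_status;
 cm_event.local_addr = cm_id->local_addr;
@@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
 }
 
 if (issue_close) {
- atomic_inc(&cm_closes);
+ atomic_inc_unchecked(&cm_closes);
 nes_disconnect(nesqp, 1);
 
 cm_id->provider_data = nesqp;
@@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
 
 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
- atomic_inc(&cm_accepts);
+ atomic_inc_unchecked(&cm_accepts);
 
 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
 netdev_refcnt_read(nesvnic->netdev));
@@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
 
 struct nes_cm_core *cm_core;
 
- atomic_inc(&cm_rejects);
+ atomic_inc_unchecked(&cm_rejects);
 cm_node = (struct nes_cm_node *) cm_id->provider_data;
 loopback = cm_node->loopbackpartner;
 cm_core = cm_node->cm_core;
@@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
 ntohl(cm_id->local_addr.sin_addr.s_addr),
 ntohs(cm_id->local_addr.sin_port));
 
- atomic_inc(&cm_connects);
+ atomic_inc_unchecked(&cm_connects);
 nesqp->active_conn = 1;
 
 /* cache the cm_id in the qp */
@@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
 return err;
 }
- atomic_inc(&cm_listens_created);
+ atomic_inc_unchecked(&cm_listens_created);
 }
 
 cm_id->add_ref(cm_id);
@@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
 if (nesqp->destroyed) {
 return;
 }
- atomic_inc(&cm_connecteds);
+ atomic_inc_unchecked(&cm_connecteds);
 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
 " local port 0x%04X. jiffies = %lu.\n",
 nesqp->hwqp.qp_id,
@@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
 
 cm_id->add_ref(cm_id);
 ret = cm_id->event_handler(cm_id, &cm_event);
- atomic_inc(&cm_closes);
+ atomic_inc_unchecked(&cm_closes);
 cm_event.event = IW_CM_EVENT_CLOSE;
 cm_event.status = IW_CM_EVENT_STATUS_OK;
 cm_event.provider_data = cm_id->provider_data;
@@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
 return;
 cm_id = cm_node->cm_id;
 
- atomic_inc(&cm_connect_reqs);
+ atomic_inc_unchecked(&cm_connect_reqs);
 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
 cm_node, cm_id, jiffies);
 
@@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
 return;
 cm_id = cm_node->cm_id;
 
- atomic_inc(&cm_connect_reqs);
+ atomic_inc_unchecked(&cm_connect_reqs);
 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
 cm_node, cm_id, jiffies);
 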
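Review bot: cm_event_mpa_reject increments `cm_connect_reqs`, the same counter cm_event_mpa_req increments in the hunk before it, and the patch carries that over unchanged as `atomic_inc_unchecked(&cm_connect_reqs);`. If the reject event was meant to be counted separately (a `cm_rejects` counter exists and is bumped in nes_reject), this looks like a copy-paste slip that the conversion was a chance to fix; if it is intended, a comment saying so would help anyone reading the ethtool statistics. Within this section `cm_node->ref_count` and `cm_core->node_cnt` keep the checked `atomic_read`/`atomic_dec`, which is consistent with only statistics counters being converted. The functions extend beyond their hunks.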
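--- a/drivers/infiniband/hw/nes/nes.h
+++ b/drivers/infiniband/hw/nes/nes.h
@@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
 extern unsigned int wqm_quanta;
 extern struct list_head nes_adapter_list;
 
-extern atomic_t cm_connects;
-extern atomic_t cm_accepts;
-extern atomic_t cm_disconnects;
-extern atomic_t cm_closes;
-extern atomic_t cm_connecteds;
-extern atomic_t cm_connect_reqs;
-extern atomic_t cm_rejects;
-extern atomic_t mod_qp_timouts;
-extern atomic_t qps_created;
-extern atomic_t qps_destroyed;
-extern atomic_t sw_qps_destroyed;
+extern atomic_unchecked_t cm_connects;
+extern atomic_unchecked_t cm_accepts;
+extern atomic_unchecked_t cm_disconnects;
+extern atomic_unchecked_t cm_closes;
+extern atomic_unchecked_t cm_connecteds;
+extern atomic_unchecked_t cm_connect_reqs;
+extern atomic_unchecked_t cm_rejects;
+extern atomic_unchecked_t mod_qp_timouts;
+extern atomic_unchecked_t qps_created;
+extern atomic_unchecked_t qps_destroyed;
+extern atomic_unchecked_t sw_qps_destroyed;
 extern u32 mh_detected;
 extern u32 mh_pauses_sent;
 extern u32 cm_packets_sent;
@@ -194,14 +194,14 @@ extern u32 cm_packets_created;
 extern u32 cm_packets_received;
 extern u32 cm_packets_dropped;
 extern u32 cm_packets_retrans;
-extern atomic_t cm_listens_created;
-extern atomic_t cm_listens_destroyed;
+extern atomic_unchecked_t cm_listens_created;
+extern atomic_unchecked_t cm_listens_destroyed;
 extern u32 cm_backlog_drops;
-extern atomic_t cm_loopbacks;
-extern atomic_t cm_nodes_created;
-extern atomic_t cm_nodes_destroyed;
-extern atomic_t cm_accel_dropped_pkts;
-extern atomic_t cm_resets_recvd;
+extern atomic_unchecked_t cm_loopbacks;
+extern atomic_unchecked_t cm_nodes_created;
+extern atomic_unchecked_t cm_nodes_destroyed;
+extern atomic_unchecked_t cm_accel_dropped_pkts;
+extern atomic_unchecked_t cm_resets_recvd;
 
 extern u32 int_mod_timer_init;
 extern u32 int_mod_cq_depth_256;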
31186 diff -urNp linux-2.6.39.2/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.39.2/drivers/infiniband/hw/nes/nes_nic.c
31187 --- linux-2.6.39.2/drivers/infiniband/hw/nes/nes_nic.c 2011-05-19 00:06:34.000000000 -0400
31188 +++ linux-2.6.39.2/drivers/infiniband/hw/nes/nes_nic.c 2011-05-22 19:36:31.000000000 -0400
31189 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
31190 target_stat_values[++index] = mh_detected;
31191 target_stat_values[++index] = mh_pauses_sent;
31192 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31193 - target_stat_values[++index] = atomic_read(&cm_connects);
31194 - target_stat_values[++index] = atomic_read(&cm_accepts);
31195 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31196 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31197 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31198 - target_stat_values[++index] = atomic_read(&cm_rejects);
31199 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31200 - target_stat_values[++index] = atomic_read(&qps_created);
31201 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31202 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31203 - target_stat_values[++index] = atomic_read(&cm_closes);
31204 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31205 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31206 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31207 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31208 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31209 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31210 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31211 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31212 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31213 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31214 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31215 target_stat_values[++index] = cm_packets_sent;
31216 target_stat_values[++index] = cm_packets_bounced;
31217 target_stat_values[++index] = cm_packets_created;
31218 target_stat_values[++index] = cm_packets_received;
31219 target_stat_values[++index] = cm_packets_dropped;
31220 target_stat_values[++index] = cm_packets_retrans;
31221 - target_stat_values[++index] = atomic_read(&cm_listens_created);
31222 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
31223 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
31224 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
31225 target_stat_values[++index] = cm_backlog_drops;
31226 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31227 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31228 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31229 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31230 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31231 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31232 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31233 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31234 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31235 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31236 target_stat_values[++index] = nesadapter->free_4kpbl;
31237 target_stat_values[++index] = nesadapter->free_256pbl;
31238 target_stat_values[++index] = int_mod_timer_init;
31239 diff -urNp linux-2.6.39.2/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.39.2/drivers/infiniband/hw/nes/nes_verbs.c
31240 --- linux-2.6.39.2/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-19 00:06:34.000000000 -0400
31241 +++ linux-2.6.39.2/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-22 19:36:31.000000000 -0400
31242 @@ -46,9 +46,9 @@
31243
31244 #include <rdma/ib_umem.h>
31245
31246 -atomic_t mod_qp_timouts;
31247 -atomic_t qps_created;
31248 -atomic_t sw_qps_destroyed;
31249 +atomic_unchecked_t mod_qp_timouts;
31250 +atomic_unchecked_t qps_created;
31251 +atomic_unchecked_t sw_qps_destroyed;
31252
31253 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31254
31255 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
31256 if (init_attr->create_flags)
31257 return ERR_PTR(-EINVAL);
31258
31259 - atomic_inc(&qps_created);
31260 + atomic_inc_unchecked(&qps_created);
31261 switch (init_attr->qp_type) {
31262 case IB_QPT_RC:
31263 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31264 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
31265 struct iw_cm_event cm_event;
31266 int ret;
31267
31268 - atomic_inc(&sw_qps_destroyed);
31269 + atomic_inc_unchecked(&sw_qps_destroyed);
31270 nesqp->destroyed = 1;
31271
31272 /* Blow away the connection if it exists. */
31273 diff -urNp linux-2.6.39.2/drivers/infiniband/hw/qib/qib.h linux-2.6.39.2/drivers/infiniband/hw/qib/qib.h
31274 --- linux-2.6.39.2/drivers/infiniband/hw/qib/qib.h 2011-05-19 00:06:34.000000000 -0400
31275 +++ linux-2.6.39.2/drivers/infiniband/hw/qib/qib.h 2011-05-22 19:36:31.000000000 -0400
31276 @@ -51,6 +51,7 @@
31277 #include <linux/completion.h>
31278 #include <linux/kref.h>
31279 #include <linux/sched.h>
31280 +#include <linux/slab.h>
31281
31282 #include "qib_common.h"
31283 #include "qib_verbs.h"
31284 @@ -87,7 +88,7 @@ struct qlogic_ib_stats {
31285 };
31286
31287 extern struct qlogic_ib_stats qib_stats;
31288 -extern struct pci_error_handlers qib_pci_err_handler;
31289 +extern const struct pci_error_handlers qib_pci_err_handler;
31290 extern struct pci_driver qib_driver;
31291
31292 #define QIB_CHIP_SWVERSION QIB_CHIP_VERS_MAJ
31293 diff -urNp linux-2.6.39.2/drivers/infiniband/hw/qib/qib_mmap.c linux-2.6.39.2/drivers/infiniband/hw/qib/qib_mmap.c
31294 --- linux-2.6.39.2/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-19 00:06:34.000000000 -0400
31295 +++ linux-2.6.39.2/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-22 19:36:31.000000000 -0400
31296 @@ -75,7 +75,7 @@ static void qib_vma_close(struct vm_area
31297 kref_put(&ip->ref, qib_release_mmap_info);
31298 }
31299
31300 -static struct vm_operations_struct qib_vm_ops = {
31301 +static const struct vm_operations_struct qib_vm_ops = {
31302 .open = qib_vma_open,
31303 .close = qib_vma_close,
31304 };
31305 diff -urNp linux-2.6.39.2/drivers/infiniband/hw/qib/qib_pcie.c linux-2.6.39.2/drivers/infiniband/hw/qib/qib_pcie.c
31306 --- linux-2.6.39.2/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-19 00:06:34.000000000 -0400
31307 +++ linux-2.6.39.2/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-22 19:36:31.000000000 -0400
31308 @@ -735,7 +735,7 @@ qib_pci_resume(struct pci_dev *pdev)
31309 qib_init(dd, 1); /* same as re-init after reset */
31310 }
31311
31312 -struct pci_error_handlers qib_pci_err_handler = {
31313 +const struct pci_error_handlers qib_pci_err_handler = {
31314 .error_detected = qib_pci_error_detected,
31315 .mmio_enabled = qib_pci_mmio_enabled,
31316 .link_reset = qib_pci_link_reset,
31317 diff -urNp linux-2.6.39.2/drivers/input/gameport/gameport.c linux-2.6.39.2/drivers/input/gameport/gameport.c
31318 --- linux-2.6.39.2/drivers/input/gameport/gameport.c 2011-05-19 00:06:34.000000000 -0400
31319 +++ linux-2.6.39.2/drivers/input/gameport/gameport.c 2011-05-22 19:36:31.000000000 -0400
31320 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
31321 */
31322 static void gameport_init_port(struct gameport *gameport)
31323 {
31324 - static atomic_t gameport_no = ATOMIC_INIT(0);
31325 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31326
31327 __module_get(THIS_MODULE);
31328
31329 mutex_init(&gameport->drv_mutex);
31330 device_initialize(&gameport->dev);
31331 dev_set_name(&gameport->dev, "gameport%lu",
31332 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
31333 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31334 gameport->dev.bus = &gameport_bus;
31335 gameport->dev.release = gameport_release_port;
31336 if (gameport->parent)
31337 diff -urNp linux-2.6.39.2/drivers/input/input.c linux-2.6.39.2/drivers/input/input.c
31338 --- linux-2.6.39.2/drivers/input/input.c 2011-05-19 00:06:34.000000000 -0400
31339 +++ linux-2.6.39.2/drivers/input/input.c 2011-05-22 19:36:31.000000000 -0400
31340 @@ -1815,7 +1815,7 @@ static void input_cleanse_bitmasks(struc
31341 */
31342 int input_register_device(struct input_dev *dev)
31343 {
31344 - static atomic_t input_no = ATOMIC_INIT(0);
31345 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31346 struct input_handler *handler;
31347 const char *path;
31348 int error;
31349 @@ -1852,7 +1852,7 @@ int input_register_device(struct input_d
31350 dev->setkeycode = input_default_setkeycode;
31351
31352 dev_set_name(&dev->dev, "input%ld",
31353 - (unsigned long) atomic_inc_return(&input_no) - 1);
31354 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31355
31356 error = device_add(&dev->dev);
31357 if (error)
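Review bot: The format string `"input%ld"` on the context line is signed, while the changed argument is cast to `(unsigned long)`; gameport.c in this same patch pairs the identical cast with `"gameport%lu"`. Since the counter is now explicitly allowed to wrap, the two should agree: `dev_set_name(&dev->dev, "input%lu", (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);`. input_register_device's body continues outside the hunk.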
31358 diff -urNp linux-2.6.39.2/drivers/input/joystick/sidewinder.c linux-2.6.39.2/drivers/input/joystick/sidewinder.c
31359 --- linux-2.6.39.2/drivers/input/joystick/sidewinder.c 2011-05-19 00:06:34.000000000 -0400
31360 +++ linux-2.6.39.2/drivers/input/joystick/sidewinder.c 2011-05-22 19:36:31.000000000 -0400
31361 @@ -30,6 +30,7 @@
31362 #include <linux/kernel.h>
31363 #include <linux/module.h>
31364 #include <linux/slab.h>
31365 +#include <linux/sched.h>
31366 #include <linux/init.h>
31367 #include <linux/input.h>
31368 #include <linux/gameport.h>
31369 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31370 unsigned char buf[SW_LENGTH];
31371 int i;
31372
31373 + pax_track_stack();
31374 +
31375 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31376
31377 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
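Review bot: `pax_track_stack()` is added to sw_read with no comment saying why this function needs it; the only reason visible in the hunk is the on-stack `buf[SW_LENGTH]`. A one-line comment such as `/* large on-stack buffer: let PaX record the stack depth used here */` would tell a maintainer when the call must be kept or can be dropped. The wording should be checked against the definition of pax_track_stack(), which is not in this part of the patch. The same applies to the other pax_track_stack() additions below (capidtmf.c, the connect_didd functions, message.c, isdn_common.c). sw_read's body continues outside the hunk.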
31378 diff -urNp linux-2.6.39.2/drivers/input/joystick/xpad.c linux-2.6.39.2/drivers/input/joystick/xpad.c
31379 --- linux-2.6.39.2/drivers/input/joystick/xpad.c 2011-05-19 00:06:34.000000000 -0400
31380 +++ linux-2.6.39.2/drivers/input/joystick/xpad.c 2011-05-22 19:36:31.000000000 -0400
31381 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
31382
31383 static int xpad_led_probe(struct usb_xpad *xpad)
31384 {
31385 - static atomic_t led_seq = ATOMIC_INIT(0);
31386 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31387 long led_no;
31388 struct xpad_led *led;
31389 struct led_classdev *led_cdev;
31390 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
31391 if (!led)
31392 return -ENOMEM;
31393
31394 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31395 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31396
31397 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31398 led->xpad = xpad;
31399 diff -urNp linux-2.6.39.2/drivers/input/mousedev.c linux-2.6.39.2/drivers/input/mousedev.c
31400 --- linux-2.6.39.2/drivers/input/mousedev.c 2011-05-19 00:06:34.000000000 -0400
31401 +++ linux-2.6.39.2/drivers/input/mousedev.c 2011-05-22 19:36:31.000000000 -0400
31402 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
31403
31404 spin_unlock_irq(&client->packet_lock);
31405
31406 - if (copy_to_user(buffer, data, count))
31407 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
31408 return -EFAULT;
31409
31410 return count;
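Review bot: The new `count > sizeof(data)` test sits after `spin_unlock_irq()`, so it only bounds the read performed by `copy_to_user()`. If `data` is filled using the same `count` earlier in mousedev_read (that part is outside the hunk), the bound belongs before that fill. An oversized `count` is also reported as `-EFAULT`, which a caller cannot tell apart from a bad user pointer; a separate `if (count > sizeof(data)) return -EINVAL;` would keep the two failures distinct.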
31411 diff -urNp linux-2.6.39.2/drivers/input/serio/serio.c linux-2.6.39.2/drivers/input/serio/serio.c
31412 --- linux-2.6.39.2/drivers/input/serio/serio.c 2011-05-19 00:06:34.000000000 -0400
31413 +++ linux-2.6.39.2/drivers/input/serio/serio.c 2011-05-22 19:36:31.000000000 -0400
31414 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
31415 */
31416 static void serio_init_port(struct serio *serio)
31417 {
31418 - static atomic_t serio_no = ATOMIC_INIT(0);
31419 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31420
31421 __module_get(THIS_MODULE);
31422
31423 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
31424 mutex_init(&serio->drv_mutex);
31425 device_initialize(&serio->dev);
31426 dev_set_name(&serio->dev, "serio%ld",
31427 - (long)atomic_inc_return(&serio_no) - 1);
31428 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31429 serio->dev.bus = &serio_bus;
31430 serio->dev.release = serio_release_port;
31431 serio->dev.groups = serio_device_attr_groups;
31432 diff -urNp linux-2.6.39.2/drivers/isdn/capi/capi.c linux-2.6.39.2/drivers/isdn/capi/capi.c
31433 --- linux-2.6.39.2/drivers/isdn/capi/capi.c 2011-05-19 00:06:34.000000000 -0400
31434 +++ linux-2.6.39.2/drivers/isdn/capi/capi.c 2011-05-22 19:36:31.000000000 -0400
31435 @@ -89,8 +89,8 @@ struct capiminor {
31436
31437 struct capi20_appl *ap;
31438 u32 ncci;
31439 - atomic_t datahandle;
31440 - atomic_t msgid;
31441 + atomic_unchecked_t datahandle;
31442 + atomic_unchecked_t msgid;
31443
31444 struct tty_port port;
31445 int ttyinstop;
31446 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
31447 capimsg_setu16(s, 2, mp->ap->applid);
31448 capimsg_setu8 (s, 4, CAPI_DATA_B3);
31449 capimsg_setu8 (s, 5, CAPI_RESP);
31450 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
31451 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
31452 capimsg_setu32(s, 8, mp->ncci);
31453 capimsg_setu16(s, 12, datahandle);
31454 }
31455 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
31456 mp->outbytes -= len;
31457 spin_unlock_bh(&mp->outlock);
31458
31459 - datahandle = atomic_inc_return(&mp->datahandle);
31460 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
31461 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
31462 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31463 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31464 capimsg_setu16(skb->data, 2, mp->ap->applid);
31465 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
31466 capimsg_setu8 (skb->data, 5, CAPI_REQ);
31467 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
31468 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
31469 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
31470 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
31471 capimsg_setu16(skb->data, 16, len); /* Data length */
31472 diff -urNp linux-2.6.39.2/drivers/isdn/gigaset/common.c linux-2.6.39.2/drivers/isdn/gigaset/common.c
31473 --- linux-2.6.39.2/drivers/isdn/gigaset/common.c 2011-05-19 00:06:34.000000000 -0400
31474 +++ linux-2.6.39.2/drivers/isdn/gigaset/common.c 2011-05-22 19:36:31.000000000 -0400
31475 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
31476 cs->commands_pending = 0;
31477 cs->cur_at_seq = 0;
31478 cs->gotfwver = -1;
31479 - cs->open_count = 0;
31480 + local_set(&cs->open_count, 0);
31481 cs->dev = NULL;
31482 cs->tty = NULL;
31483 cs->tty_dev = NULL;
31484 diff -urNp linux-2.6.39.2/drivers/isdn/gigaset/gigaset.h linux-2.6.39.2/drivers/isdn/gigaset/gigaset.h
31485 --- linux-2.6.39.2/drivers/isdn/gigaset/gigaset.h 2011-05-19 00:06:34.000000000 -0400
31486 +++ linux-2.6.39.2/drivers/isdn/gigaset/gigaset.h 2011-05-22 19:36:31.000000000 -0400
31487 @@ -35,6 +35,7 @@
31488 #include <linux/tty_driver.h>
31489 #include <linux/list.h>
31490 #include <asm/atomic.h>
31491 +#include <asm/local.h>
31492
31493 #define GIG_VERSION {0, 5, 0, 0}
31494 #define GIG_COMPAT {0, 4, 0, 0}
31495 @@ -433,7 +434,7 @@ struct cardstate {
31496 spinlock_t cmdlock;
31497 unsigned curlen, cmdbytes;
31498
31499 - unsigned open_count;
31500 + local_t open_count;
31501 struct tty_struct *tty;
31502 struct tasklet_struct if_wake_tasklet;
31503 unsigned control_state;
31504 diff -urNp linux-2.6.39.2/drivers/isdn/gigaset/interface.c linux-2.6.39.2/drivers/isdn/gigaset/interface.c
31505 --- linux-2.6.39.2/drivers/isdn/gigaset/interface.c 2011-05-19 00:06:34.000000000 -0400
31506 +++ linux-2.6.39.2/drivers/isdn/gigaset/interface.c 2011-05-22 19:36:31.000000000 -0400
31507 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
31508 return -ERESTARTSYS;
31509 tty->driver_data = cs;
31510
31511 - ++cs->open_count;
31512 -
31513 - if (cs->open_count == 1) {
31514 + if (local_inc_return(&cs->open_count) == 1) {
31515 spin_lock_irqsave(&cs->lock, flags);
31516 cs->tty = tty;
31517 spin_unlock_irqrestore(&cs->lock, flags);
31518 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
31519
31520 if (!cs->connected)
31521 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31522 - else if (!cs->open_count)
31523 + else if (!local_read(&cs->open_count))
31524 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31525 else {
31526 - if (!--cs->open_count) {
31527 + if (!local_dec_return(&cs->open_count)) {
31528 spin_lock_irqsave(&cs->lock, flags);
31529 cs->tty = NULL;
31530 spin_unlock_irqrestore(&cs->lock, flags);
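Review bot: `local_read()` followed by `local_dec_return()` is still a check-then-act pair, and `local_t` operations are atomic only with respect to the CPU they run on. The switch from `unsigned` therefore does not by itself protect `open_count` against a concurrent if_open/if_close on another CPU. Correctness still rests on whatever lock these functions take before the visible lines, which the hunk does not show. A comment on the field in gigaset.h would record that, e.g. `local_t open_count; /* serialised by the caller's lock; local_t is not SMP-atomic */`.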
31531 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
31532 if (!cs->connected) {
31533 gig_dbg(DEBUG_IF, "not connected");
31534 retval = -ENODEV;
31535 - } else if (!cs->open_count)
31536 + } else if (!local_read(&cs->open_count))
31537 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31538 else {
31539 retval = 0;
31540 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
31541 retval = -ENODEV;
31542 goto done;
31543 }
31544 - if (!cs->open_count) {
31545 + if (!local_read(&cs->open_count)) {
31546 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31547 retval = -ENODEV;
31548 goto done;
31549 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
31550 if (!cs->connected) {
31551 gig_dbg(DEBUG_IF, "not connected");
31552 retval = -ENODEV;
31553 - } else if (!cs->open_count)
31554 + } else if (!local_read(&cs->open_count))
31555 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31556 else if (cs->mstate != MS_LOCKED) {
31557 dev_warn(cs->dev, "can't write to unlocked device\n");
31558 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
31559
31560 if (!cs->connected)
31561 gig_dbg(DEBUG_IF, "not connected");
31562 - else if (!cs->open_count)
31563 + else if (!local_read(&cs->open_count))
31564 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31565 else if (cs->mstate != MS_LOCKED)
31566 dev_warn(cs->dev, "can't write to unlocked device\n");
31567 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
31568
31569 if (!cs->connected)
31570 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31571 - else if (!cs->open_count)
31572 + else if (!local_read(&cs->open_count))
31573 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31574 else
31575 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31576 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
31577
31578 if (!cs->connected)
31579 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31580 - else if (!cs->open_count)
31581 + else if (!local_read(&cs->open_count))
31582 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31583 else
31584 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31585 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
31586 goto out;
31587 }
31588
31589 - if (!cs->open_count) {
31590 + if (!local_read(&cs->open_count)) {
31591 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31592 goto out;
31593 }
31594 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/avm/b1.c linux-2.6.39.2/drivers/isdn/hardware/avm/b1.c
31595 --- linux-2.6.39.2/drivers/isdn/hardware/avm/b1.c 2011-05-19 00:06:34.000000000 -0400
31596 +++ linux-2.6.39.2/drivers/isdn/hardware/avm/b1.c 2011-05-22 19:36:31.000000000 -0400
31597 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
31598 }
31599 if (left) {
31600 if (t4file->user) {
31601 - if (copy_from_user(buf, dp, left))
31602 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31603 return -EFAULT;
31604 } else {
31605 memcpy(buf, dp, left);
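Review bot: Only the `copy_from_user()` branch gets the `left > sizeof buf` bound; the `memcpy(buf, dp, left)` in the `else` branch writes the same buffer with the same length and stays unchecked. If the bound is needed at all (the code that computes `left` is outside the hunk), it should sit above the `if (t4file->user)` test so both branches are covered, e.g. `if (left > sizeof buf) return -EFAULT;`. The same pattern recurs in the b1_load_config hunk below and in icn_writecmd (`memcpy(msg, buf, count)`).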
31606 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
31607 }
31608 if (left) {
31609 if (config->user) {
31610 - if (copy_from_user(buf, dp, left))
31611 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31612 return -EFAULT;
31613 } else {
31614 memcpy(buf, dp, left);
31615 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.39.2/drivers/isdn/hardware/eicon/capidtmf.c
31616 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-19 00:06:34.000000000 -0400
31617 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-22 19:36:31.000000000 -0400
31618 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31619 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31620 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31621
31622 + pax_track_stack();
31623
31624 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31625 {
31626 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.39.2/drivers/isdn/hardware/eicon/capifunc.c
31627 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/capifunc.c 2011-05-19 00:06:34.000000000 -0400
31628 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/capifunc.c 2011-05-22 19:36:31.000000000 -0400
31629 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31630 IDI_SYNC_REQ req;
31631 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31632
31633 + pax_track_stack();
31634 +
31635 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31636
31637 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31638 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.39.2/drivers/isdn/hardware/eicon/diddfunc.c
31639 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-19 00:06:34.000000000 -0400
31640 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-22 19:36:31.000000000 -0400
31641 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31642 IDI_SYNC_REQ req;
31643 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31644
31645 + pax_track_stack();
31646 +
31647 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31648
31649 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31650 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.39.2/drivers/isdn/hardware/eicon/divasfunc.c
31651 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-19 00:06:34.000000000 -0400
31652 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-22 19:36:31.000000000 -0400
31653 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31654 IDI_SYNC_REQ req;
31655 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31656
31657 + pax_track_stack();
31658 +
31659 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31660
31661 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31662 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.39.2/drivers/isdn/hardware/eicon/idifunc.c
31663 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/idifunc.c 2011-05-19 00:06:34.000000000 -0400
31664 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/idifunc.c 2011-05-22 19:36:31.000000000 -0400
31665 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31666 IDI_SYNC_REQ req;
31667 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31668
31669 + pax_track_stack();
31670 +
31671 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31672
31673 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31674 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/message.c linux-2.6.39.2/drivers/isdn/hardware/eicon/message.c
31675 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/message.c 2011-05-19 00:06:34.000000000 -0400
31676 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/message.c 2011-05-22 19:36:31.000000000 -0400
31677 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31678 dword d;
31679 word w;
31680
31681 + pax_track_stack();
31682 +
31683 a = plci->adapter;
31684 Id = ((word)plci->Id<<8)|a->Id;
31685 PUT_WORD(&SS_Ind[4],0x0000);
31686 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31687 word j, n, w;
31688 dword d;
31689
31690 + pax_track_stack();
31691 +
31692
31693 for(i=0;i<8;i++) bp_parms[i].length = 0;
31694 for(i=0;i<2;i++) global_config[i].length = 0;
31695 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31696 const byte llc3[] = {4,3,2,2,6,6,0};
31697 const byte header[] = {0,2,3,3,0,0,0};
31698
31699 + pax_track_stack();
31700 +
31701 for(i=0;i<8;i++) bp_parms[i].length = 0;
31702 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31703 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31704 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
31705 word appl_number_group_type[MAX_APPL];
31706 PLCI *auxplci;
31707
31708 + pax_track_stack();
31709 +
31710 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31711
31712 if(!a->group_optimization_enabled)
31713 diff -urNp linux-2.6.39.2/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.39.2/drivers/isdn/hardware/eicon/mntfunc.c
31714 --- linux-2.6.39.2/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-19 00:06:34.000000000 -0400
31715 +++ linux-2.6.39.2/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-22 19:36:31.000000000 -0400
31716 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31717 IDI_SYNC_REQ req;
31718 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31719
31720 + pax_track_stack();
31721 +
31722 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31723
31724 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31725 diff -urNp linux-2.6.39.2/drivers/isdn/i4l/isdn_common.c linux-2.6.39.2/drivers/isdn/i4l/isdn_common.c
31726 --- linux-2.6.39.2/drivers/isdn/i4l/isdn_common.c 2011-05-19 00:06:34.000000000 -0400
31727 +++ linux-2.6.39.2/drivers/isdn/i4l/isdn_common.c 2011-05-22 19:36:31.000000000 -0400
31728 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
31729 } iocpar;
31730 void __user *argp = (void __user *)arg;
31731
31732 + pax_track_stack();
31733 +
31734 #define name iocpar.name
31735 #define bname iocpar.bname
31736 #define iocts iocpar.iocts
31737 diff -urNp linux-2.6.39.2/drivers/isdn/i4l/isdn_net.c linux-2.6.39.2/drivers/isdn/i4l/isdn_net.c
31738 --- linux-2.6.39.2/drivers/isdn/i4l/isdn_net.c 2011-05-19 00:06:34.000000000 -0400
31739 +++ linux-2.6.39.2/drivers/isdn/i4l/isdn_net.c 2011-05-22 19:36:31.000000000 -0400
31740 @@ -400,7 +400,7 @@ isdn_net_stat_callback(int idx, isdn_ctr
31741 isdn_net_local *lp = p->local;
31742 #ifdef CONFIG_ISDN_X25
31743 struct concap_proto *cprot = lp->netdev->cprot;
31744 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31745 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31746 #endif
31747 switch (cmd) {
31748 case ISDN_STAT_BSENT:
31749 @@ -831,7 +831,7 @@ isdn_net_hangup(struct net_device *d)
31750 isdn_ctrl cmd;
31751 #ifdef CONFIG_ISDN_X25
31752 struct concap_proto *cprot = lp->netdev->cprot;
31753 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31754 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31755 #endif
31756
31757 if (lp->flags & ISDN_NET_CONNECTED) {
31758 diff -urNp linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.c linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.c
31759 --- linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.c 2011-05-19 00:06:34.000000000 -0400
31760 +++ linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.c 2011-05-22 19:36:31.000000000 -0400
31761 @@ -52,7 +52,7 @@ static int isdn_x25iface_connect_ind( st
31762 static int isdn_x25iface_disconn_ind( struct concap_proto * );
31763
31764
31765 -static struct concap_proto_ops ix25_pops = {
31766 +static const struct concap_proto_ops ix25_pops = {
31767 &isdn_x25iface_proto_new,
31768 &isdn_x25iface_proto_del,
31769 &isdn_x25iface_proto_restart,
31770 diff -urNp linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.h linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.h
31771 --- linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.h 2011-05-19 00:06:34.000000000 -0400
31772 +++ linux-2.6.39.2/drivers/isdn/i4l/isdn_x25iface.h 2011-05-22 19:36:31.000000000 -0400
31773 @@ -23,7 +23,7 @@
31774 #include <linux/isdn.h>
31775 #include <linux/concap.h>
31776
31777 -extern struct concap_proto_ops * isdn_x25iface_concap_proto_ops_pt;
31778 +extern const struct concap_proto_ops *isdn_x25iface_concap_proto_ops_pt;
31779 extern struct concap_proto * isdn_x25iface_proto_new(void);
31780
31781
31782 diff -urNp linux-2.6.39.2/drivers/isdn/icn/icn.c linux-2.6.39.2/drivers/isdn/icn/icn.c
31783 --- linux-2.6.39.2/drivers/isdn/icn/icn.c 2011-05-19 00:06:34.000000000 -0400
31784 +++ linux-2.6.39.2/drivers/isdn/icn/icn.c 2011-05-22 19:36:31.000000000 -0400
31785 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
31786 if (count > len)
31787 count = len;
31788 if (user) {
31789 - if (copy_from_user(msg, buf, count))
31790 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31791 return -EFAULT;
31792 } else
31793 memcpy(msg, buf, count);
31794 diff -urNp linux-2.6.39.2/drivers/lguest/core.c linux-2.6.39.2/drivers/lguest/core.c
31795 --- linux-2.6.39.2/drivers/lguest/core.c 2011-05-19 00:06:34.000000000 -0400
31796 +++ linux-2.6.39.2/drivers/lguest/core.c 2011-05-22 19:36:31.000000000 -0400
31797 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
31798 * it's worked so far. The end address needs +1 because __get_vm_area
31799 * allocates an extra guard page, so we need space for that.
31800 */
31801 +
31802 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31803 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31804 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31805 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31806 +#else
31807 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31808 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31809 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31810 +#endif
31811 +
31812 if (!switcher_vma) {
31813 err = -ENOMEM;
31814 printk("lguest: could not map switcher pages high\n");
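Review bot: The `#if`/`#else` duplicates the whole `__get_vm_area()` call to change a single flag, so a later edit to the size or address range has to be made twice and the two branches can drift apart. Selecting only the flags under the preprocessor keeps one call, and the KERNEXEC-specific difference becomes obvious at a glance. map_switcher's body starts and ends outside the hunk, so the local declaration would join its existing ones.

```c
	unsigned long vm_flags = VM_ALLOC;	/* declared with map_switcher's other locals */

	/* ... unchanged: comment block describing the switcher mapping ... */
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
```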
31815 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
31816 * Now the Switcher is mapped at the right address, we can't fail!
31817 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31818 */
31819 - memcpy(switcher_vma->addr, start_switcher_text,
31820 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31821 end_switcher_text - start_switcher_text);
31822
31823 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31824 diff -urNp linux-2.6.39.2/drivers/lguest/lguest_device.c linux-2.6.39.2/drivers/lguest/lguest_device.c
31825 --- linux-2.6.39.2/drivers/lguest/lguest_device.c 2011-05-19 00:06:34.000000000 -0400
31826 +++ linux-2.6.39.2/drivers/lguest/lguest_device.c 2011-05-22 19:36:31.000000000 -0400
31827 @@ -374,7 +374,7 @@ error:
31828 }
31829
31830 /* The ops structure which hooks everything together. */
31831 -static struct virtio_config_ops lguest_config_ops = {
31832 +static const struct virtio_config_ops lguest_config_ops = {
31833 .get_features = lg_get_features,
31834 .finalize_features = lg_finalize_features,
31835 .get = lg_get,
31836 diff -urNp linux-2.6.39.2/drivers/lguest/x86/core.c linux-2.6.39.2/drivers/lguest/x86/core.c
31837 --- linux-2.6.39.2/drivers/lguest/x86/core.c 2011-05-19 00:06:34.000000000 -0400
31838 +++ linux-2.6.39.2/drivers/lguest/x86/core.c 2011-05-22 19:36:31.000000000 -0400
31839 @@ -59,7 +59,7 @@ static struct {
31840 /* Offset from where switcher.S was compiled to where we've copied it */
31841 static unsigned long switcher_offset(void)
31842 {
31843 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
31844 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
31845 }
31846
31847 /* This cpu's struct lguest_pages. */
31848 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
31849 * These copies are pretty cheap, so we do them unconditionally: */
31850 /* Save the current Host top-level page directory.
31851 */
31852 +
31853 +#ifdef CONFIG_PAX_PER_CPU_PGD
31854 + pages->state.host_cr3 = read_cr3();
31855 +#else
31856 pages->state.host_cr3 = __pa(current->mm->pgd);
31857 +#endif
31858 +
31859 /*
31860 * Set up the Guest's page tables to see this CPU's pages (and no
31861 * other CPU's pages).
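Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch takes the host page directory from `read_cr3()` instead of `__pa(current->mm->pgd)`, but nothing says why the two sources differ. A line inside the `#ifdef` would help, for example `/* per-CPU PGD: the loaded directory is not current->mm->pgd, so take it from CR3 */` (presumed rationale, to be confirmed against the PER_CPU_PGD implementation). It is also worth stating that the value is stored as read: `read_cr3()` returns the whole register, while `__pa()` yields only an address. copy_in_guest_info continues outside the hunk.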
31862 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
31863 * compiled-in switcher code and the high-mapped copy we just made.
31864 */
31865 for (i = 0; i < IDT_ENTRIES; i++)
31866 - default_idt_entries[i] += switcher_offset();
31867 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
31868
31869 /*
31870 * Set up the Switcher's per-cpu areas.
31871 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
31872 * it will be undisturbed when we switch. To change %cs and jump we
31873 * need this structure to feed to Intel's "lcall" instruction.
31874 */
31875 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
31876 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
31877 lguest_entry.segment = LGUEST_CS;
31878
31879 /*
31880 diff -urNp linux-2.6.39.2/drivers/lguest/x86/switcher_32.S linux-2.6.39.2/drivers/lguest/x86/switcher_32.S
31881 --- linux-2.6.39.2/drivers/lguest/x86/switcher_32.S 2011-05-19 00:06:34.000000000 -0400
31882 +++ linux-2.6.39.2/drivers/lguest/x86/switcher_32.S 2011-05-22 19:36:31.000000000 -0400
31883 @@ -87,6 +87,7 @@
31884 #include <asm/page.h>
31885 #include <asm/segment.h>
31886 #include <asm/lguest.h>
31887 +#include <asm/processor-flags.h>
31888
31889 // We mark the start of the code to copy
31890 // It's placed in .text tho it's never run here
31891 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
31892 // Changes type when we load it: damn Intel!
31893 // For after we switch over our page tables
31894 // That entry will be read-only: we'd crash.
31895 +
31896 +#ifdef CONFIG_PAX_KERNEXEC
31897 + mov %cr0, %edx
31898 + xor $X86_CR0_WP, %edx
31899 + mov %edx, %cr0
31900 +#endif
31901 +
31902 movl $(GDT_ENTRY_TSS*8), %edx
31903 ltr %dx
31904
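Review bot: The added `xor $X86_CR0_WP, %edx` flips the write-protect bit instead of clearing it, so this block turns WP off only if it was on when switch_to_guest was entered. The matching block in the next hunk turns it back on only under the same assumption. If that entry state is not guaranteed, `and $~X86_CR0_WP, %edx` here and `or $X86_CR0_WP, %eax` there would make each direction unconditional. A one-line comment naming the write that needs WP off would also help (presumably the TSS descriptor updates by `ltr` and the later `andb`, on a GDT that KERNEXEC keeps read-only). switch_to_guest starts and ends outside this hunk.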
31905 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
31906 // Let's clear it again for our return.
31907 // The GDT descriptor of the Host
31908 // Points to the table after two "size" bytes
31909 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
31910 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
31911 // Clear "used" from type field (byte 5, bit 2)
31912 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
31913 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
31914 +
31915 +#ifdef CONFIG_PAX_KERNEXEC
31916 + mov %cr0, %eax
31917 + xor $X86_CR0_WP, %eax
31918 + mov %eax, %cr0
31919 +#endif
31920
31921 // Once our page table's switched, the Guest is live!
31922 // The Host fades as we run this final step.
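Review bot: The rewritten `movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax` overwrites the register it uses as the base pointer, and the added KERNEXEC block then reuses `%eax` for CR0, yet nothing states that the pages pointer is dead from here on. The rest of switch_to_guest is outside the hunk, so this cannot be checked from the visible lines. A comment such as `// %eax (pages pointer) is not used again below` above the load would pin the assumption, and should also say why the scratch register moved from `%edx` to `%eax`.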
31923 @@ -295,13 +309,12 @@ deliver_to_host:
31924 // I consulted gcc, and it gave
31925 // These instructions, which I gladly credit:
31926 leal (%edx,%ebx,8), %eax
31927 - movzwl (%eax),%edx
31928 - movl 4(%eax), %eax
31929 - xorw %ax, %ax
31930 - orl %eax, %edx
31931 + movl 4(%eax), %edx
31932 + movw (%eax), %dx
31933 // Now the address of the handler's in %edx
31934 // We call it now: its "iret" drops us home.
31935 - jmp *%edx
31936 + ljmp $__KERNEL_CS, $1f
31937 +1: jmp *%edx
31938
31939 // Every interrupt can come to us here
31940 // But we must truly tell each apart.
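Review bot: The comment `I consulted gcc, and it gave / These instructions, which I gladly credit` now sits above a hand-written `movl 4(%eax), %edx` / `movw (%eax), %dx` pair, so it no longer describes the code. The new `ljmp $__KERNEL_CS, $1f` has no explanation at all. The far jump to the next instruction reloads %cs before the handler is entered. The reason should be confirmed and stated (presumably the Switcher runs on a code segment other than __KERNEL_CS under KERNEXEC), e.g. `// Reload %cs with the kernel code segment before entering the Host handler`. The two-instruction load yields the same address as the removed sequence: high word from offset 4, low word from offset 0.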
31941 diff -urNp linux-2.6.39.2/drivers/md/dm.c linux-2.6.39.2/drivers/md/dm.c
31942 --- linux-2.6.39.2/drivers/md/dm.c 2011-05-19 00:06:34.000000000 -0400
31943 +++ linux-2.6.39.2/drivers/md/dm.c 2011-05-22 19:36:31.000000000 -0400
31944 @@ -162,9 +162,9 @@ struct mapped_device {
31945 /*
31946 * Event handling.
31947 */
31948 - atomic_t event_nr;
31949 + atomic_unchecked_t event_nr;
31950 wait_queue_head_t eventq;
31951 - atomic_t uevent_seq;
31952 + atomic_unchecked_t uevent_seq;
31953 struct list_head uevent_list;
31954 spinlock_t uevent_lock; /* Protect access to uevent_list */
31955
31956 @@ -1836,8 +1836,8 @@ static struct mapped_device *alloc_dev(i
31957 rwlock_init(&md->map_lock);
31958 atomic_set(&md->holders, 1);
31959 atomic_set(&md->open_count, 0);
31960 - atomic_set(&md->event_nr, 0);
31961 - atomic_set(&md->uevent_seq, 0);
31962 + atomic_set_unchecked(&md->event_nr, 0);
31963 + atomic_set_unchecked(&md->uevent_seq, 0);
31964 INIT_LIST_HEAD(&md->uevent_list);
31965 spin_lock_init(&md->uevent_lock);
31966
31967 @@ -1971,7 +1971,7 @@ static void event_callback(void *context
31968
31969 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
31970
31971 - atomic_inc(&md->event_nr);
31972 + atomic_inc_unchecked(&md->event_nr);
31973 wake_up(&md->eventq);
31974 }
31975
31976 @@ -2547,18 +2547,18 @@ int dm_kobject_uevent(struct mapped_devi
31977
31978 uint32_t dm_next_uevent_seq(struct mapped_device *md)
31979 {
31980 - return atomic_add_return(1, &md->uevent_seq);
31981 + return atomic_add_return_unchecked(1, &md->uevent_seq);
31982 }
31983
31984 uint32_t dm_get_event_nr(struct mapped_device *md)
31985 {
31986 - return atomic_read(&md->event_nr);
31987 + return atomic_read_unchecked(&md->event_nr);
31988 }
31989
31990 int dm_wait_event(struct mapped_device *md, int event_nr)
31991 {
31992 return wait_event_interruptible(md->eventq,
31993 - (event_nr != atomic_read(&md->event_nr)));
31994 + (event_nr != atomic_read_unchecked(&md->event_nr)));
31995 }
31996
31997 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
31998 diff -urNp linux-2.6.39.2/drivers/md/dm-crypt.c linux-2.6.39.2/drivers/md/dm-crypt.c
31999 --- linux-2.6.39.2/drivers/md/dm-crypt.c 2011-05-19 00:06:34.000000000 -0400
32000 +++ linux-2.6.39.2/drivers/md/dm-crypt.c 2011-05-22 19:36:31.000000000 -0400
32001 @@ -138,7 +138,7 @@ struct crypt_config {
32002 char *cipher;
32003 char *cipher_string;
32004
32005 - struct crypt_iv_operations *iv_gen_ops;
32006 + const struct crypt_iv_operations *iv_gen_ops;
32007 union {
32008 struct iv_essiv_private essiv;
32009 struct iv_benbi_private benbi;
32010 @@ -620,15 +620,15 @@ static int crypt_iv_lmk_post(struct cryp
32011 return r;
32012 }
32013
32014 -static struct crypt_iv_operations crypt_iv_plain_ops = {
32015 +static const struct crypt_iv_operations crypt_iv_plain_ops = {
32016 .generator = crypt_iv_plain_gen
32017 };
32018
32019 -static struct crypt_iv_operations crypt_iv_plain64_ops = {
32020 +static const struct crypt_iv_operations crypt_iv_plain64_ops = {
32021 .generator = crypt_iv_plain64_gen
32022 };
32023
32024 -static struct crypt_iv_operations crypt_iv_essiv_ops = {
32025 +static const struct crypt_iv_operations crypt_iv_essiv_ops = {
32026 .ctr = crypt_iv_essiv_ctr,
32027 .dtr = crypt_iv_essiv_dtr,
32028 .init = crypt_iv_essiv_init,
32029 @@ -636,17 +636,17 @@ static struct crypt_iv_operations crypt_
32030 .generator = crypt_iv_essiv_gen
32031 };
32032
32033 -static struct crypt_iv_operations crypt_iv_benbi_ops = {
32034 +static const struct crypt_iv_operations crypt_iv_benbi_ops = {
32035 .ctr = crypt_iv_benbi_ctr,
32036 .dtr = crypt_iv_benbi_dtr,
32037 .generator = crypt_iv_benbi_gen
32038 };
32039
32040 -static struct crypt_iv_operations crypt_iv_null_ops = {
32041 +static const struct crypt_iv_operations crypt_iv_null_ops = {
32042 .generator = crypt_iv_null_gen
32043 };
32044
32045 -static struct crypt_iv_operations crypt_iv_lmk_ops = {
32046 +static const struct crypt_iv_operations crypt_iv_lmk_ops = {
32047 .ctr = crypt_iv_lmk_ctr,
32048 .dtr = crypt_iv_lmk_dtr,
32049 .init = crypt_iv_lmk_init,
32050 diff -urNp linux-2.6.39.2/drivers/md/dm-ioctl.c linux-2.6.39.2/drivers/md/dm-ioctl.c
32051 --- linux-2.6.39.2/drivers/md/dm-ioctl.c 2011-05-19 00:06:34.000000000 -0400
32052 +++ linux-2.6.39.2/drivers/md/dm-ioctl.c 2011-05-22 19:36:31.000000000 -0400
32053 @@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
32054 cmd == DM_LIST_VERSIONS_CMD)
32055 return 0;
32056
32057 - if ((cmd == DM_DEV_CREATE_CMD)) {
32058 + if (cmd == DM_DEV_CREATE_CMD) {
32059 if (!*param->name) {
32060 DMWARN("name not supplied when creating device");
32061 return -EINVAL;
32062 diff -urNp linux-2.6.39.2/drivers/md/dm-raid1.c linux-2.6.39.2/drivers/md/dm-raid1.c
32063 --- linux-2.6.39.2/drivers/md/dm-raid1.c 2011-05-19 00:06:34.000000000 -0400
32064 +++ linux-2.6.39.2/drivers/md/dm-raid1.c 2011-05-22 19:36:31.000000000 -0400
32065 @@ -42,7 +42,7 @@ enum dm_raid1_error {
32066
32067 struct mirror {
32068 struct mirror_set *ms;
32069 - atomic_t error_count;
32070 + atomic_unchecked_t error_count;
32071 unsigned long error_type;
32072 struct dm_dev *dev;
32073 sector_t offset;
32074 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
32075 struct mirror *m;
32076
32077 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
32078 - if (!atomic_read(&m->error_count))
32079 + if (!atomic_read_unchecked(&m->error_count))
32080 return m;
32081
32082 return NULL;
32083 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
32084 * simple way to tell if a device has encountered
32085 * errors.
32086 */
32087 - atomic_inc(&m->error_count);
32088 + atomic_inc_unchecked(&m->error_count);
32089
32090 if (test_and_set_bit(error_type, &m->error_type))
32091 return;
32092 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
32093 struct mirror *m = get_default_mirror(ms);
32094
32095 do {
32096 - if (likely(!atomic_read(&m->error_count)))
32097 + if (likely(!atomic_read_unchecked(&m->error_count)))
32098 return m;
32099
32100 if (m-- == ms->mirror)
32101 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
32102 {
32103 struct mirror *default_mirror = get_default_mirror(m->ms);
32104
32105 - return !atomic_read(&default_mirror->error_count);
32106 + return !atomic_read_unchecked(&default_mirror->error_count);
32107 }
32108
32109 static int mirror_available(struct mirror_set *ms, struct bio *bio)
32110 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
32111 */
32112 if (likely(region_in_sync(ms, region, 1)))
32113 m = choose_mirror(ms, bio->bi_sector);
32114 - else if (m && atomic_read(&m->error_count))
32115 + else if (m && atomic_read_unchecked(&m->error_count))
32116 m = NULL;
32117
32118 if (likely(m))
32119 @@ -939,7 +939,7 @@ static int get_mirror(struct mirror_set
32120 }
32121
32122 ms->mirror[mirror].ms = ms;
32123 - atomic_set(&(ms->mirror[mirror].error_count), 0);
32124 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
32125 ms->mirror[mirror].error_type = 0;
32126 ms->mirror[mirror].offset = offset;
32127
32128 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
32129 */
32130 static char device_status_char(struct mirror *m)
32131 {
32132 - if (!atomic_read(&(m->error_count)))
32133 + if (!atomic_read_unchecked(&(m->error_count)))
32134 return 'A';
32135
32136 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
32137 diff -urNp linux-2.6.39.2/drivers/md/dm-stripe.c linux-2.6.39.2/drivers/md/dm-stripe.c
32138 --- linux-2.6.39.2/drivers/md/dm-stripe.c 2011-05-19 00:06:34.000000000 -0400
32139 +++ linux-2.6.39.2/drivers/md/dm-stripe.c 2011-05-22 19:36:31.000000000 -0400
32140 @@ -20,7 +20,7 @@ struct stripe {
32141 struct dm_dev *dev;
32142 sector_t physical_start;
32143
32144 - atomic_t error_count;
32145 + atomic_unchecked_t error_count;
32146 };
32147
32148 struct stripe_c {
32149 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
32150 kfree(sc);
32151 return r;
32152 }
32153 - atomic_set(&(sc->stripe[i].error_count), 0);
32154 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
32155 }
32156
32157 ti->private = sc;
32158 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
32159 DMEMIT("%d ", sc->stripes);
32160 for (i = 0; i < sc->stripes; i++) {
32161 DMEMIT("%s ", sc->stripe[i].dev->name);
32162 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
32163 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
32164 'D' : 'A';
32165 }
32166 buffer[i] = '\0';
32167 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
32168 */
32169 for (i = 0; i < sc->stripes; i++)
32170 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
32171 - atomic_inc(&(sc->stripe[i].error_count));
32172 - if (atomic_read(&(sc->stripe[i].error_count)) <
32173 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
32174 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
32175 DM_IO_ERROR_THRESHOLD)
32176 schedule_work(&sc->trigger_event);
32177 }
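Review bot: In stripe_end_io the counter is incremented with `atomic_inc_unchecked` and then read back with a separate `atomic_read_unchecked`, so the value compared with DM_IO_ERROR_THRESHOLD can include increments made by other CPUs in between. The `_unchecked` variants presumably opt the counter out of overflow detection, so a wrapped value would satisfy the `<` test again. A single `if (atomic_add_return_unchecked(1, &(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)` compares the value this increment produced; that helper is already used in the dm.c section of this patch. The same inc-then-read pair appears in the raid10.c fix_read_error hunk. stripe_end_io starts outside this hunk.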
32178 diff -urNp linux-2.6.39.2/drivers/md/dm-table.c linux-2.6.39.2/drivers/md/dm-table.c
32179 --- linux-2.6.39.2/drivers/md/dm-table.c 2011-06-03 00:04:14.000000000 -0400
32180 +++ linux-2.6.39.2/drivers/md/dm-table.c 2011-06-03 00:32:05.000000000 -0400
32181 @@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
32182 if (!dev_size)
32183 return 0;
32184
32185 - if ((start >= dev_size) || (start + len > dev_size)) {
32186 + if ((start >= dev_size) || (len > dev_size - start)) {
32187 DMWARN("%s: %s too small for target: "
32188 "start=%llu, len=%llu, dev_size=%llu",
32189 dm_device_name(ti->table->md), bdevname(bdev, b),
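Review bot: The rewritten bound `len > dev_size - start` is wrap-free only in combination with the `start >= dev_size` test beside it. On its own, the subtraction would wrap for a start past the end of the device and the length test would not fire. A comment above the condition would keep the two from being separated later: `/* start < dev_size is tested alongside, so dev_size - start cannot wrap */`. device_area_is_invalid starts and ends outside this hunk.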
32190 diff -urNp linux-2.6.39.2/drivers/md/md.c linux-2.6.39.2/drivers/md/md.c
32191 --- linux-2.6.39.2/drivers/md/md.c 2011-06-25 12:55:22.000000000 -0400
32192 +++ linux-2.6.39.2/drivers/md/md.c 2011-06-25 13:00:25.000000000 -0400
32193 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
32194 * start build, activate spare
32195 */
32196 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32197 -static atomic_t md_event_count;
32198 +static atomic_unchecked_t md_event_count;
32199 void md_new_event(mddev_t *mddev)
32200 {
32201 - atomic_inc(&md_event_count);
32202 + atomic_inc_unchecked(&md_event_count);
32203 wake_up(&md_event_waiters);
32204 }
32205 EXPORT_SYMBOL_GPL(md_new_event);
32206 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32207 */
32208 static void md_new_event_inintr(mddev_t *mddev)
32209 {
32210 - atomic_inc(&md_event_count);
32211 + atomic_inc_unchecked(&md_event_count);
32212 wake_up(&md_event_waiters);
32213 }
32214
32215 @@ -1454,7 +1454,7 @@ static int super_1_load(mdk_rdev_t *rdev
32216
32217 rdev->preferred_minor = 0xffff;
32218 rdev->data_offset = le64_to_cpu(sb->data_offset);
32219 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32220 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32221
32222 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32223 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32224 @@ -1632,7 +1632,7 @@ static void super_1_sync(mddev_t *mddev,
32225 else
32226 sb->resync_offset = cpu_to_le64(0);
32227
32228 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32229 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32230
32231 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32232 sb->size = cpu_to_le64(mddev->dev_sectors);
32233 @@ -2414,7 +2414,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32234 static ssize_t
32235 errors_show(mdk_rdev_t *rdev, char *page)
32236 {
32237 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32238 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32239 }
32240
32241 static ssize_t
32242 @@ -2423,7 +2423,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32243 char *e;
32244 unsigned long n = simple_strtoul(buf, &e, 10);
32245 if (*buf && (*e == 0 || *e == '\n')) {
32246 - atomic_set(&rdev->corrected_errors, n);
32247 + atomic_set_unchecked(&rdev->corrected_errors, n);
32248 return len;
32249 }
32250 return -EINVAL;
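Review bot: errors_store passes the `unsigned long n` from `simple_strtoul` straight to `atomic_set_unchecked`, while errors_show in the previous hunk prints the counter with `%d`. A written value above INT_MAX is therefore silently narrowed and reads back as a different, possibly negative, number. Rejecting it keeps the sysfs attribute round-trippable: `if (*buf && (*e == 0 || *e == '\n') && n <= INT_MAX) {`. The function's first lines are outside this hunk.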
32251 @@ -2779,8 +2779,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
32252 rdev->last_read_error.tv_sec = 0;
32253 rdev->last_read_error.tv_nsec = 0;
32254 atomic_set(&rdev->nr_pending, 0);
32255 - atomic_set(&rdev->read_errors, 0);
32256 - atomic_set(&rdev->corrected_errors, 0);
32257 + atomic_set_unchecked(&rdev->read_errors, 0);
32258 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32259
32260 INIT_LIST_HEAD(&rdev->same_set);
32261 init_waitqueue_head(&rdev->blocked_wait);
32262 @@ -6388,7 +6388,7 @@ static int md_seq_show(struct seq_file *
32263
32264 spin_unlock(&pers_lock);
32265 seq_printf(seq, "\n");
32266 - mi->event = atomic_read(&md_event_count);
32267 + mi->event = atomic_read_unchecked(&md_event_count);
32268 return 0;
32269 }
32270 if (v == (void*)2) {
32271 @@ -6477,7 +6477,7 @@ static int md_seq_show(struct seq_file *
32272 chunk_kb ? "KB" : "B");
32273 if (bitmap->file) {
32274 seq_printf(seq, ", file: ");
32275 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32276 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32277 }
32278
32279 seq_printf(seq, "\n");
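Review bot: The escape set passed to `seq_path` gains a backslash, but nothing at the call says why. seq_path writes each listed character as an octal escape. Unless the backslash is itself listed, a file name that already contains text such as `\040` cannot be told apart from an escaped space by whoever parses the output. A comment such as `/* escape '\\' too so the octal escapes in the output stay unambiguous */` would record that. md_seq_show starts and ends outside this hunk.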
32280 @@ -6511,7 +6511,7 @@ static int md_seq_open(struct inode *ino
32281 else {
32282 struct seq_file *p = file->private_data;
32283 p->private = mi;
32284 - mi->event = atomic_read(&md_event_count);
32285 + mi->event = atomic_read_unchecked(&md_event_count);
32286 }
32287 return error;
32288 }
32289 @@ -6527,7 +6527,7 @@ static unsigned int mdstat_poll(struct f
32290 /* always allow read */
32291 mask = POLLIN | POLLRDNORM;
32292
32293 - if (mi->event != atomic_read(&md_event_count))
32294 + if (mi->event != atomic_read_unchecked(&md_event_count))
32295 mask |= POLLERR | POLLPRI;
32296 return mask;
32297 }
32298 @@ -6571,7 +6571,7 @@ static int is_mddev_idle(mddev_t *mddev,
32299 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32300 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32301 (int)part_stat_read(&disk->part0, sectors[1]) -
32302 - atomic_read(&disk->sync_io);
32303 + atomic_read_unchecked(&disk->sync_io);
32304 /* sync IO will cause sync_io to increase before the disk_stats
32305 * as sync_io is counted when a request starts, and
32306 * disk_stats is counted when it completes.
32307 diff -urNp linux-2.6.39.2/drivers/md/md.h linux-2.6.39.2/drivers/md/md.h
32308 --- linux-2.6.39.2/drivers/md/md.h 2011-05-19 00:06:34.000000000 -0400
32309 +++ linux-2.6.39.2/drivers/md/md.h 2011-05-22 19:36:31.000000000 -0400
32310 @@ -97,13 +97,13 @@ struct mdk_rdev_s
32311 * only maintained for arrays that
32312 * support hot removal
32313 */
32314 - atomic_t read_errors; /* number of consecutive read errors that
32315 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32316 * we have tried to ignore.
32317 */
32318 struct timespec last_read_error; /* monotonic time since our
32319 * last read error
32320 */
32321 - atomic_t corrected_errors; /* number of corrected read errors,
32322 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32323 * for reporting to userspace and storing
32324 * in superblock.
32325 */
32326 @@ -342,7 +342,7 @@ static inline void rdev_dec_pending(mdk_
32327
32328 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32329 {
32330 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32331 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32332 }
32333
32334 struct mdk_personality
32335 diff -urNp linux-2.6.39.2/drivers/md/raid10.c linux-2.6.39.2/drivers/md/raid10.c
32336 --- linux-2.6.39.2/drivers/md/raid10.c 2011-05-19 00:06:34.000000000 -0400
32337 +++ linux-2.6.39.2/drivers/md/raid10.c 2011-05-22 19:36:31.000000000 -0400
32338 @@ -1209,7 +1209,7 @@ static void end_sync_read(struct bio *bi
32339 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32340 set_bit(R10BIO_Uptodate, &r10_bio->state);
32341 else {
32342 - atomic_add(r10_bio->sectors,
32343 + atomic_add_unchecked(r10_bio->sectors,
32344 &conf->mirrors[d].rdev->corrected_errors);
32345 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32346 md_error(r10_bio->mddev,
32347 @@ -1417,7 +1417,7 @@ static void check_decay_read_errors(mdde
32348 {
32349 struct timespec cur_time_mon;
32350 unsigned long hours_since_last;
32351 - unsigned int read_errors = atomic_read(&rdev->read_errors);
32352 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
32353
32354 ktime_get_ts(&cur_time_mon);
32355
32356 @@ -1439,9 +1439,9 @@ static void check_decay_read_errors(mdde
32357 * overflowing the shift of read_errors by hours_since_last.
32358 */
32359 if (hours_since_last >= 8 * sizeof(read_errors))
32360 - atomic_set(&rdev->read_errors, 0);
32361 + atomic_set_unchecked(&rdev->read_errors, 0);
32362 else
32363 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
32364 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
32365 }
32366
32367 /*
32368 @@ -1476,8 +1476,8 @@ static void fix_read_error(conf_t *conf,
32369 }
32370
32371 check_decay_read_errors(mddev, rdev);
32372 - atomic_inc(&rdev->read_errors);
32373 - cur_read_error_count = atomic_read(&rdev->read_errors);
32374 + atomic_inc_unchecked(&rdev->read_errors);
32375 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
32376 if (cur_read_error_count > max_read_errors) {
32377 rcu_read_unlock();
32378 printk(KERN_NOTICE
32379 @@ -1550,7 +1550,7 @@ static void fix_read_error(conf_t *conf,
32380 test_bit(In_sync, &rdev->flags)) {
32381 atomic_inc(&rdev->nr_pending);
32382 rcu_read_unlock();
32383 - atomic_add(s, &rdev->corrected_errors);
32384 + atomic_add_unchecked(s, &rdev->corrected_errors);
32385 if (sync_page_io(rdev,
32386 r10_bio->devs[sl].addr +
32387 sect,
32388 diff -urNp linux-2.6.39.2/drivers/md/raid1.c linux-2.6.39.2/drivers/md/raid1.c
32389 --- linux-2.6.39.2/drivers/md/raid1.c 2011-05-19 00:06:34.000000000 -0400
32390 +++ linux-2.6.39.2/drivers/md/raid1.c 2011-05-22 19:36:31.000000000 -0400
32391 @@ -1342,7 +1342,7 @@ static void sync_request_write(mddev_t *
32392 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32393 continue;
32394 rdev = conf->mirrors[d].rdev;
32395 - atomic_add(s, &rdev->corrected_errors);
32396 + atomic_add_unchecked(s, &rdev->corrected_errors);
32397 if (sync_page_io(rdev,
32398 sect,
32399 s<<9,
32400 @@ -1488,7 +1488,7 @@ static void fix_read_error(conf_t *conf,
32401 /* Well, this device is dead */
32402 md_error(mddev, rdev);
32403 else {
32404 - atomic_add(s, &rdev->corrected_errors);
32405 + atomic_add_unchecked(s, &rdev->corrected_errors);
32406 printk(KERN_INFO
32407 "md/raid1:%s: read error corrected "
32408 "(%d sectors at %llu on %s)\n",
32409 diff -urNp linux-2.6.39.2/drivers/md/raid5.c linux-2.6.39.2/drivers/md/raid5.c
32410 --- linux-2.6.39.2/drivers/md/raid5.c 2011-06-25 12:55:22.000000000 -0400
32411 +++ linux-2.6.39.2/drivers/md/raid5.c 2011-06-25 13:01:13.000000000 -0400
32412 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
32413 bi->bi_next = NULL;
32414 if ((rw & WRITE) &&
32415 test_bit(R5_ReWrite, &sh->dev[i].flags))
32416 - atomic_add(STRIPE_SECTORS,
32417 + atomic_add_unchecked(STRIPE_SECTORS,
32418 &rdev->corrected_errors);
32419 generic_make_request(bi);
32420 } else {
32421 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
32422 clear_bit(R5_ReadError, &sh->dev[i].flags);
32423 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32424 }
32425 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32426 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32427 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32428 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32429 } else {
32430 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32431 int retry = 0;
32432 rdev = conf->disks[i].rdev;
32433
32434 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32435 - atomic_inc(&rdev->read_errors);
32436 + atomic_inc_unchecked(&rdev->read_errors);
32437 if (conf->mddev->degraded >= conf->max_degraded)
32438 printk_rl(KERN_WARNING
32439 "md/raid:%s: read error not correctable "
32440 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
32441 (unsigned long long)(sh->sector
32442 + rdev->data_offset),
32443 bdn);
32444 - else if (atomic_read(&rdev->read_errors)
32445 + else if (atomic_read_unchecked(&rdev->read_errors)
32446 > conf->max_nr_stripes)
32447 printk(KERN_WARNING
32448 "md/raid:%s: Too many read errors, failing device %s.\n",
32449 @@ -1947,6 +1947,7 @@ static sector_t compute_blocknr(struct s
32450 sector_t r_sector;
32451 struct stripe_head sh2;
32452
32453 + pax_track_stack();
32454
32455 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32456 stripe = new_sector;
32457 diff -urNp linux-2.6.39.2/drivers/media/common/saa7146_hlp.c linux-2.6.39.2/drivers/media/common/saa7146_hlp.c
32458 --- linux-2.6.39.2/drivers/media/common/saa7146_hlp.c 2011-05-19 00:06:34.000000000 -0400
32459 +++ linux-2.6.39.2/drivers/media/common/saa7146_hlp.c 2011-05-22 19:36:31.000000000 -0400
32460 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32461
32462 int x[32], y[32], w[32], h[32];
32463
32464 + pax_track_stack();
32465 +
32466 /* clear out memory */
32467 memset(&line_list[0], 0x00, sizeof(u32)*32);
32468 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32469 diff -urNp linux-2.6.39.2/drivers/media/common/saa7146_vbi.c linux-2.6.39.2/drivers/media/common/saa7146_vbi.c
32470 --- linux-2.6.39.2/drivers/media/common/saa7146_vbi.c 2011-05-19 00:06:34.000000000 -0400
32471 +++ linux-2.6.39.2/drivers/media/common/saa7146_vbi.c 2011-05-22 19:36:31.000000000 -0400
32472 @@ -501,7 +501,7 @@ static ssize_t vbi_read(struct file *fil
32473 return ret;
32474 }
32475
32476 -struct saa7146_use_ops saa7146_vbi_uops = {
32477 +const struct saa7146_use_ops saa7146_vbi_uops = {
32478 .init = vbi_init,
32479 .open = vbi_open,
32480 .release = vbi_close,
32481 diff -urNp linux-2.6.39.2/drivers/media/common/saa7146_video.c linux-2.6.39.2/drivers/media/common/saa7146_video.c
32482 --- linux-2.6.39.2/drivers/media/common/saa7146_video.c 2011-05-19 00:06:34.000000000 -0400
32483 +++ linux-2.6.39.2/drivers/media/common/saa7146_video.c 2011-05-22 19:36:31.000000000 -0400
32484 @@ -1420,7 +1420,7 @@ out:
32485 return ret;
32486 }
32487
32488 -struct saa7146_use_ops saa7146_video_uops = {
32489 +const struct saa7146_use_ops saa7146_video_uops = {
32490 .init = video_init,
32491 .open = video_open,
32492 .release = video_close,
32493 diff -urNp linux-2.6.39.2/drivers/media/dvb/dm1105/dm1105.c linux-2.6.39.2/drivers/media/dvb/dm1105/dm1105.c
32494 --- linux-2.6.39.2/drivers/media/dvb/dm1105/dm1105.c 2011-05-19 00:06:34.000000000 -0400
32495 +++ linux-2.6.39.2/drivers/media/dvb/dm1105/dm1105.c 2011-05-22 19:36:31.000000000 -0400
32496 @@ -418,7 +418,7 @@ static u32 functionality(struct i2c_adap
32497 return I2C_FUNC_I2C;
32498 }
32499
32500 -static struct i2c_algorithm dm1105_algo = {
32501 +static const struct i2c_algorithm dm1105_algo = {
32502 .master_xfer = dm1105_i2c_xfer,
32503 .functionality = functionality,
32504 };
32505 diff -urNp linux-2.6.39.2/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.39.2/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32506 --- linux-2.6.39.2/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-19 00:06:34.000000000 -0400
32507 +++ linux-2.6.39.2/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-22 19:36:31.000000000 -0400
32508 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32509 u8 buf[HOST_LINK_BUF_SIZE];
32510 int i;
32511
32512 + pax_track_stack();
32513 +
32514 dprintk("%s\n", __func__);
32515
32516 /* check if we have space for a link buf in the rx_buffer */
32517 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32518 unsigned long timeout;
32519 int written;
32520
32521 + pax_track_stack();
32522 +
32523 dprintk("%s\n", __func__);
32524
32525 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32526 diff -urNp linux-2.6.39.2/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.39.2/drivers/media/dvb/dvb-core/dvbdev.c
32527 --- linux-2.6.39.2/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-19 00:06:34.000000000 -0400
32528 +++ linux-2.6.39.2/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-22 19:36:31.000000000 -0400
32529 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
32530 const struct dvb_device *template, void *priv, int type)
32531 {
32532 struct dvb_device *dvbdev;
32533 - struct file_operations *dvbdevfops;
32534 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
32535 struct device *clsdev;
32536 int minor;
32537 int id;
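Review bot: The added comment `cannot be const, see this function` sends the reader to the function body without naming the reason, and the body is outside this hunk. A comment that says what is written through the pointer would survive later refactoring, for example `/* not const: the structure it points to is modified below */`, once that is confirmed against the rest of dvb_register_device.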
32538 diff -urNp linux-2.6.39.2/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.39.2/drivers/media/dvb/dvb-usb/dib0700_core.c
32539 --- linux-2.6.39.2/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-19 00:06:34.000000000 -0400
32540 +++ linux-2.6.39.2/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-22 19:36:31.000000000 -0400
32541 @@ -391,6 +391,8 @@ int dib0700_download_firmware(struct usb
32542
32543 u8 buf[260];
32544
32545 + pax_track_stack();
32546 +
32547 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32548 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
32549 hx.addr, hx.len, hx.chk);
32550 diff -urNp linux-2.6.39.2/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.39.2/drivers/media/dvb/dvb-usb/lmedm04.c
32551 --- linux-2.6.39.2/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-19 00:06:34.000000000 -0400
32552 +++ linux-2.6.39.2/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-22 19:36:31.000000000 -0400
32553 @@ -663,6 +663,7 @@ static int lme2510_download_firmware(str
32554 packet_size = 0x31;
32555 len_in = 1;
32556
32557 + pax_track_stack();
32558
32559 info("FRM Starting Firmware Download");
32560
32561 @@ -715,6 +716,8 @@ static void lme_coldreset(struct usb_dev
32562 int ret = 0, len_in;
32563 u8 data[512] = {0};
32564
32565 + pax_track_stack();
32566 +
32567 data[0] = 0x0a;
32568 len_in = 1;
32569 info("FRM Firmware Cold Reset");
32570 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/dib7000p.c linux-2.6.39.2/drivers/media/dvb/frontends/dib7000p.c
32571 --- linux-2.6.39.2/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:04:14.000000000 -0400
32572 +++ linux-2.6.39.2/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:32:05.000000000 -0400
32573 @@ -1945,7 +1945,7 @@ static u32 dib7000p_i2c_func(struct i2c_
32574 return I2C_FUNC_I2C;
32575 }
32576
32577 -static struct i2c_algorithm dib7090_tuner_xfer_algo = {
32578 +static const struct i2c_algorithm dib7090_tuner_xfer_algo = {
32579 .master_xfer = dib7090_tuner_xfer,
32580 .functionality = dib7000p_i2c_func,
32581 };
32582 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/dib9000.c linux-2.6.39.2/drivers/media/dvb/frontends/dib9000.c
32583 --- linux-2.6.39.2/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:04:14.000000000 -0400
32584 +++ linux-2.6.39.2/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:32:05.000000000 -0400
32585 @@ -1676,12 +1676,12 @@ static u32 dib9000_i2c_func(struct i2c_a
32586 return I2C_FUNC_I2C;
32587 }
32588
32589 -static struct i2c_algorithm dib9000_tuner_algo = {
32590 +static const struct i2c_algorithm dib9000_tuner_algo = {
32591 .master_xfer = dib9000_tuner_xfer,
32592 .functionality = dib9000_i2c_func,
32593 };
32594
32595 -static struct i2c_algorithm dib9000_component_bus_algo = {
32596 +static const struct i2c_algorithm dib9000_component_bus_algo = {
32597 .master_xfer = dib9000_fw_component_bus_xfer,
32598 .functionality = dib9000_i2c_func,
32599 };
32600 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/dibx000_common.c linux-2.6.39.2/drivers/media/dvb/frontends/dibx000_common.c
32601 --- linux-2.6.39.2/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:04:14.000000000 -0400
32602 +++ linux-2.6.39.2/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:37:36.000000000 -0400
32603 @@ -221,12 +221,12 @@ static int dibx000_i2c_master_xfer_gpio3
32604 return num;
32605 }
32606
32607 -static struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32608 +static const struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32609 .master_xfer = dibx000_i2c_master_xfer_gpio12,
32610 .functionality = dibx000_i2c_func,
32611 };
32612
32613 -static struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32614 +static const struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32615 .master_xfer = dibx000_i2c_master_xfer_gpio34,
32616 .functionality = dibx000_i2c_func,
32617 };
32618 @@ -285,7 +285,7 @@ static int dibx000_i2c_gated_gpio67_xfer
32619 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32620 }
32621
32622 -static struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32623 +static const struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32624 .master_xfer = dibx000_i2c_gated_gpio67_xfer,
32625 .functionality = dibx000_i2c_func,
32626 };
32627 @@ -322,7 +322,7 @@ static int dibx000_i2c_gated_tuner_xfer(
32628 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32629 }
32630
32631 -static struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32632 +static const struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32633 .master_xfer = dibx000_i2c_gated_tuner_xfer,
32634 .functionality = dibx000_i2c_func,
32635 };
32636 @@ -375,7 +375,7 @@ void dibx000_reset_i2c_master(struct dib
32637 EXPORT_SYMBOL(dibx000_reset_i2c_master);
32638
32639 static int i2c_adapter_init(struct i2c_adapter *i2c_adap,
32640 - struct i2c_algorithm *algo, const char *name,
32641 + const struct i2c_algorithm *algo, const char *name,
32642 struct dibx000_i2c_master *mst)
32643 {
32644 strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));
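Review bot: The `strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));` at the top of i2c_adapter_init leaves the field unterminated when `name` is at least as long as the field, and this hunk changes the signature without addressing that. If nothing later in the body terminates the field, `strlcpy(i2c_adap->name, name, sizeof(i2c_adap->name));` would bound and terminate in one call. The function body continues outside the hunk, so this needs confirming against the rest of it.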
32645 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/mb86a16.c linux-2.6.39.2/drivers/media/dvb/frontends/mb86a16.c
32646 --- linux-2.6.39.2/drivers/media/dvb/frontends/mb86a16.c 2011-05-19 00:06:34.000000000 -0400
32647 +++ linux-2.6.39.2/drivers/media/dvb/frontends/mb86a16.c 2011-05-22 19:36:31.000000000 -0400
32648 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
32649 int ret = -1;
32650 int sync;
32651
32652 + pax_track_stack();
32653 +
32654 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
32655
32656 fcp = 3000;
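Review bot: The added `pax_track_stack();` in mb86a16_set_fe has no comment, and the locals visible in this hunk are plain ints, so a reader cannot tell why this function was chosen. The same bare call is added in or51211_load_firmware (`u8 tudata[585]`), cx18_read_eeprom (`u8 eedata[256]`), cx23885_input_process_measurements, pvr2_eeprom_analyze, saa6752hs_init and both saa7164 dequeue functions (`u8 tmp[512]`), which suggests the criterion is a large stack frame. A one-line comment at each site, such as `/* large frame: record stack depth for PaX stack clearing */`, would make that explicit. The exact selection rule is not shown on this page and should be confirmed, and all of these function bodies continue outside their hunks.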
32657 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/or51211.c linux-2.6.39.2/drivers/media/dvb/frontends/or51211.c
32658 --- linux-2.6.39.2/drivers/media/dvb/frontends/or51211.c 2011-05-19 00:06:34.000000000 -0400
32659 +++ linux-2.6.39.2/drivers/media/dvb/frontends/or51211.c 2011-05-22 19:36:31.000000000 -0400
32660 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32661 u8 tudata[585];
32662 int i;
32663
32664 + pax_track_stack();
32665 +
32666 dprintk("Firmware is %zd bytes\n",fw->size);
32667
32668 /* Get eprom data */
32669 diff -urNp linux-2.6.39.2/drivers/media/dvb/frontends/s5h1420.c linux-2.6.39.2/drivers/media/dvb/frontends/s5h1420.c
32670 --- linux-2.6.39.2/drivers/media/dvb/frontends/s5h1420.c 2011-05-19 00:06:34.000000000 -0400
32671 +++ linux-2.6.39.2/drivers/media/dvb/frontends/s5h1420.c 2011-05-22 19:36:31.000000000 -0400
32672 @@ -870,7 +870,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
32673 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
32674 }
32675
32676 -static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32677 +static const struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32678 .master_xfer = s5h1420_tuner_i2c_tuner_xfer,
32679 .functionality = s5h1420_tuner_i2c_func,
32680 };
32681 diff -urNp linux-2.6.39.2/drivers/media/dvb/mantis/mantis_i2c.c linux-2.6.39.2/drivers/media/dvb/mantis/mantis_i2c.c
32682 --- linux-2.6.39.2/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-19 00:06:34.000000000 -0400
32683 +++ linux-2.6.39.2/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-22 19:36:31.000000000 -0400
32684 @@ -212,7 +212,7 @@ static u32 mantis_i2c_func(struct i2c_ad
32685 return I2C_FUNC_SMBUS_EMUL;
32686 }
32687
32688 -static struct i2c_algorithm mantis_algo = {
32689 +static const struct i2c_algorithm mantis_algo = {
32690 .master_xfer = mantis_i2c_xfer,
32691 .functionality = mantis_i2c_func,
32692 };
32693 diff -urNp linux-2.6.39.2/drivers/media/dvb/ttusb-dec/ttusb_dec.c linux-2.6.39.2/drivers/media/dvb/ttusb-dec/ttusb_dec.c
32694 --- linux-2.6.39.2/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-19 00:06:34.000000000 -0400
32695 +++ linux-2.6.39.2/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-22 19:36:31.000000000 -0400
32696 @@ -1614,7 +1614,7 @@ static int fe_send_command(struct dvb_fr
32697 return ttusb_dec_send_command(dec, command, param_length, params, result_length, cmd_result);
32698 }
32699
32700 -static struct ttusbdecfe_config fe_config = {
32701 +static const struct ttusbdecfe_config fe_config = {
32702 .send_command = fe_send_command
32703 };
32704
32705 diff -urNp linux-2.6.39.2/drivers/media/radio/radio-cadet.c linux-2.6.39.2/drivers/media/radio/radio-cadet.c
32706 --- linux-2.6.39.2/drivers/media/radio/radio-cadet.c 2011-05-19 00:06:34.000000000 -0400
32707 +++ linux-2.6.39.2/drivers/media/radio/radio-cadet.c 2011-05-22 19:36:31.000000000 -0400
32708 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
32709 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32710 mutex_unlock(&dev->lock);
32711
32712 - if (copy_to_user(data, readbuf, i))
32713 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32714 return -EFAULT;
32715 return i;
32716 }
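Review bot: The new `i > sizeof readbuf` test runs only after `readbuf[i++] = dev->rdsbuf[dev->rdsout++];` has already stored into the buffer, so it prevents an over-long `copy_to_user` but not an out-of-bounds stack write by the loop above it. The loop condition is outside the hunk, so whether it already bounds `i` cannot be confirmed here. If it is limited only by the caller's requested length, that length should be clamped to `sizeof readbuf` before the loop rather than checked afterwards. Returning `-EFAULT` for an oversized index also reports a bad user pointer when the actual problem is an internal bound; a distinct error would make the condition easier to diagnose.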
32717 diff -urNp linux-2.6.39.2/drivers/media/radio/radio-si4713.c linux-2.6.39.2/drivers/media/radio/radio-si4713.c
32718 --- linux-2.6.39.2/drivers/media/radio/radio-si4713.c 2011-05-19 00:06:34.000000000 -0400
32719 +++ linux-2.6.39.2/drivers/media/radio/radio-si4713.c 2011-05-22 19:36:31.000000000 -0400
32720 @@ -231,7 +231,7 @@ static long radio_si4713_default(struct
32721 ioctl, cmd, arg);
32722 }
32723
32724 -static struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32725 +static const struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32726 .vidioc_enumaudout = radio_si4713_enumaudout,
32727 .vidioc_g_audout = radio_si4713_g_audout,
32728 .vidioc_s_audout = radio_si4713_s_audout,
32729 diff -urNp linux-2.6.39.2/drivers/media/rc/ir-lirc-codec.c linux-2.6.39.2/drivers/media/rc/ir-lirc-codec.c
32730 --- linux-2.6.39.2/drivers/media/rc/ir-lirc-codec.c 2011-05-19 00:06:34.000000000 -0400
32731 +++ linux-2.6.39.2/drivers/media/rc/ir-lirc-codec.c 2011-05-22 19:36:31.000000000 -0400
32732 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
32733 return;
32734 }
32735
32736 -static struct file_operations lirc_fops = {
32737 +static const struct file_operations lirc_fops = {
32738 .owner = THIS_MODULE,
32739 .write = ir_lirc_transmit_ir,
32740 .unlocked_ioctl = ir_lirc_ioctl,
32741 diff -urNp linux-2.6.39.2/drivers/media/rc/lirc_dev.c linux-2.6.39.2/drivers/media/rc/lirc_dev.c
32742 --- linux-2.6.39.2/drivers/media/rc/lirc_dev.c 2011-05-19 00:06:34.000000000 -0400
32743 +++ linux-2.6.39.2/drivers/media/rc/lirc_dev.c 2011-05-22 19:36:31.000000000 -0400
32744 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
32745 }
32746
32747
32748 -static struct file_operations lirc_dev_fops = {
32749 +static const struct file_operations lirc_dev_fops = {
32750 .owner = THIS_MODULE,
32751 .read = lirc_dev_fop_read,
32752 .write = lirc_dev_fop_write,
32753 diff -urNp linux-2.6.39.2/drivers/media/rc/rc-main.c linux-2.6.39.2/drivers/media/rc/rc-main.c
32754 --- linux-2.6.39.2/drivers/media/rc/rc-main.c 2011-05-19 00:06:34.000000000 -0400
32755 +++ linux-2.6.39.2/drivers/media/rc/rc-main.c 2011-05-22 19:36:31.000000000 -0400
32756 @@ -996,7 +996,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
32757
32758 int rc_register_device(struct rc_dev *dev)
32759 {
32760 - static atomic_t devno = ATOMIC_INIT(0);
32761 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
32762 struct rc_map *rc_map;
32763 const char *path;
32764 int rc;
32765 @@ -1019,7 +1019,7 @@ int rc_register_device(struct rc_dev *de
32766 if (dev->close)
32767 dev->input_dev->close = ir_close;
32768
32769 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
32770 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
32771 dev_set_name(&dev->dev, "rc%ld", dev->devno);
32772 dev_set_drvdata(&dev->dev, dev);
32773 rc = device_add(&dev->dev);
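Review bot: Switching `devno` to `atomic_unchecked_t` in the first hunk and to `atomic_inc_return_unchecked(&devno)` here removes overflow detection from the counter, with no comment saying why that is acceptable. The value is not a reference count, but it does become the device name through `dev_set_name(&dev->dev, "rc%ld", dev->devno)`, so a wrapped counter would repeat names already handed out. How `device_add` handles such a duplicate is not visible here. A comment on the declaration such as `/* id allocator, not a refcount; exempt from overflow checking */` would record the reasoning. rc_register_device continues outside both hunks.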
32774 diff -urNp linux-2.6.39.2/drivers/media/video/cafe_ccic.c linux-2.6.39.2/drivers/media/video/cafe_ccic.c
32775 --- linux-2.6.39.2/drivers/media/video/cafe_ccic.c 2011-05-19 00:06:34.000000000 -0400
32776 +++ linux-2.6.39.2/drivers/media/video/cafe_ccic.c 2011-05-22 19:36:31.000000000 -0400
32777 @@ -520,7 +520,7 @@ static u32 cafe_smbus_func(struct i2c_ad
32778 I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
32779 }
32780
32781 -static struct i2c_algorithm cafe_smbus_algo = {
32782 +static const struct i2c_algorithm cafe_smbus_algo = {
32783 .smbus_xfer = cafe_smbus_xfer,
32784 .functionality = cafe_smbus_func
32785 };
32786 diff -urNp linux-2.6.39.2/drivers/media/video/cx18/cx18-alsa-pcm.c linux-2.6.39.2/drivers/media/video/cx18/cx18-alsa-pcm.c
32787 --- linux-2.6.39.2/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-19 00:06:34.000000000 -0400
32788 +++ linux-2.6.39.2/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-22 19:36:31.000000000 -0400
32789 @@ -314,7 +314,7 @@ static struct page *snd_pcm_get_vmalloc_
32790 return vmalloc_to_page(pageptr);
32791 }
32792
32793 -static struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32794 +static const struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32795 .open = snd_cx18_pcm_capture_open,
32796 .close = snd_cx18_pcm_capture_close,
32797 .ioctl = snd_cx18_pcm_ioctl,
32798 diff -urNp linux-2.6.39.2/drivers/media/video/cx18/cx18-driver.c linux-2.6.39.2/drivers/media/video/cx18/cx18-driver.c
32799 --- linux-2.6.39.2/drivers/media/video/cx18/cx18-driver.c 2011-05-19 00:06:34.000000000 -0400
32800 +++ linux-2.6.39.2/drivers/media/video/cx18/cx18-driver.c 2011-05-22 19:36:31.000000000 -0400
32801 @@ -61,7 +61,7 @@ static struct pci_device_id cx18_pci_tbl
32802
32803 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32804
32805 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32806 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32807
32808 /* Parameter declarations */
32809 static int cardtype[CX18_MAX_CARDS];
32810 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32811 struct i2c_client c;
32812 u8 eedata[256];
32813
32814 + pax_track_stack();
32815 +
32816 memset(&c, 0, sizeof(c));
32817 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32818 c.adapter = &cx->i2c_adap[0];
32819 @@ -892,7 +894,7 @@ static int __devinit cx18_probe(struct p
32820 struct cx18 *cx;
32821
32822 /* FIXME - module parameter arrays constrain max instances */
32823 - i = atomic_inc_return(&cx18_instance) - 1;
32824 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32825 if (i >= CX18_MAX_CARDS) {
32826 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32827 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
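Review bot: With `cx18_instance` now exempt from overflow checking, the only guard on the index in cx18_probe is `if (i >= CX18_MAX_CARDS)`, which does not reject a negative value should the counter ever wrap. The declaration of `i` is outside the hunk; if it is a signed int, `if (i < 0 || i >= CX18_MAX_CARDS)` would stop a wrapped value from indexing the module-parameter arrays the FIXME refers to. A short comment next to the `atomic_unchecked_t` declaration in the first hunk, noting that this is an instance id rather than a refcount, would also help.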
32828 diff -urNp linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-audio.c linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-audio.c
32829 --- linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32830 +++ linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32831 @@ -613,7 +613,7 @@ static struct page *snd_pcm_get_vmalloc_
32832 return vmalloc_to_page(pageptr);
32833 }
32834
32835 -static struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32836 +static const struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32837 .open = snd_cx231xx_capture_open,
32838 .close = snd_cx231xx_pcm_close,
32839 .ioctl = snd_pcm_lib_ioctl,
32840 diff -urNp linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-i2c.c linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-i2c.c
32841 --- linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
32842 +++ linux-2.6.39.2/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
32843 @@ -435,7 +435,7 @@ static u32 functionality(struct i2c_adap
32844 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
32845 }
32846
32847 -static struct i2c_algorithm cx231xx_algo = {
32848 +static const struct i2c_algorithm cx231xx_algo = {
32849 .master_xfer = cx231xx_i2c_xfer,
32850 .functionality = functionality,
32851 };
32852 diff -urNp linux-2.6.39.2/drivers/media/video/cx23885/cx23885-input.c linux-2.6.39.2/drivers/media/video/cx23885/cx23885-input.c
32853 --- linux-2.6.39.2/drivers/media/video/cx23885/cx23885-input.c 2011-05-19 00:06:34.000000000 -0400
32854 +++ linux-2.6.39.2/drivers/media/video/cx23885/cx23885-input.c 2011-05-22 19:36:31.000000000 -0400
32855 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
32856 bool handle = false;
32857 struct ir_raw_event ir_core_event[64];
32858
32859 + pax_track_stack();
32860 +
32861 do {
32862 num = 0;
32863 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
32864 diff -urNp linux-2.6.39.2/drivers/media/video/cx88/cx88-alsa.c linux-2.6.39.2/drivers/media/video/cx88/cx88-alsa.c
32865 --- linux-2.6.39.2/drivers/media/video/cx88/cx88-alsa.c 2011-05-19 00:06:34.000000000 -0400
32866 +++ linux-2.6.39.2/drivers/media/video/cx88/cx88-alsa.c 2011-05-22 19:36:31.000000000 -0400
32867 @@ -519,7 +519,7 @@ static struct page *snd_cx88_page(struct
32868 /*
32869 * operators
32870 */
32871 -static struct snd_pcm_ops snd_cx88_pcm_ops = {
32872 +static const struct snd_pcm_ops snd_cx88_pcm_ops = {
32873 .open = snd_cx88_pcm_open,
32874 .close = snd_cx88_close,
32875 .ioctl = snd_pcm_lib_ioctl,
32876 diff -urNp linux-2.6.39.2/drivers/media/video/davinci/ccdc_hw_device.h linux-2.6.39.2/drivers/media/video/davinci/ccdc_hw_device.h
32877 --- linux-2.6.39.2/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-19 00:06:34.000000000 -0400
32878 +++ linux-2.6.39.2/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-22 19:36:31.000000000 -0400
32879 @@ -99,7 +99,7 @@ struct ccdc_hw_device {
32880 /* module owner */
32881 struct module *owner;
32882 /* hw ops */
32883 - struct ccdc_hw_ops hw_ops;
32884 + const struct ccdc_hw_ops hw_ops;
32885 };
32886
32887 /* Used by CCDC module to register & unregister with vpfe capture driver */
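Review bot: Qualifying the embedded member `hw_ops` as `const` does not by itself place the function pointers in read-only memory, because the member lives inside whatever object contains it, and it forbids any runtime store to the table. The same pattern appears in vpss.c (`const struct vpss_hw_ops hw_ops;`) and omap3isp/isp.h (`const struct isp_platform_callback platform_cb;`). In vpss.c the containing object is declared as `static struct vpss_oper_config oper_cfg;` with no initializer, so the ops can only be filled in by assignments the new qualifier would reject. Whether such assignments exist is outside the hunks and should be checked with a build of these drivers. If the tables must stay runtime-selected, a `const struct ccdc_hw_ops *hw_ops;` pointer to a static const table would give the intended protection.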
32888 diff -urNp linux-2.6.39.2/drivers/media/video/davinci/vpss.c linux-2.6.39.2/drivers/media/video/davinci/vpss.c
32889 --- linux-2.6.39.2/drivers/media/video/davinci/vpss.c 2011-05-19 00:06:34.000000000 -0400
32890 +++ linux-2.6.39.2/drivers/media/video/davinci/vpss.c 2011-05-22 19:36:31.000000000 -0400
32891 @@ -103,7 +103,7 @@ struct vpss_oper_config {
32892 __iomem void *vpss_regs_base1;
32893 enum vpss_platform_type platform;
32894 spinlock_t vpss_lock;
32895 - struct vpss_hw_ops hw_ops;
32896 + const struct vpss_hw_ops hw_ops;
32897 };
32898
32899 static struct vpss_oper_config oper_cfg;
32900 diff -urNp linux-2.6.39.2/drivers/media/video/em28xx/em28xx-audio.c linux-2.6.39.2/drivers/media/video/em28xx/em28xx-audio.c
32901 --- linux-2.6.39.2/drivers/media/video/em28xx/em28xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32902 +++ linux-2.6.39.2/drivers/media/video/em28xx/em28xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32903 @@ -432,7 +432,7 @@ static struct page *snd_pcm_get_vmalloc_
32904 return vmalloc_to_page(pageptr);
32905 }
32906
32907 -static struct snd_pcm_ops snd_em28xx_pcm_capture = {
32908 +static const struct snd_pcm_ops snd_em28xx_pcm_capture = {
32909 .open = snd_em28xx_capture_open,
32910 .close = snd_em28xx_pcm_close,
32911 .ioctl = snd_pcm_lib_ioctl,
32912 diff -urNp linux-2.6.39.2/drivers/media/video/em28xx/em28xx-i2c.c linux-2.6.39.2/drivers/media/video/em28xx/em28xx-i2c.c
32913 --- linux-2.6.39.2/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
32914 +++ linux-2.6.39.2/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
32915 @@ -451,7 +451,7 @@ static u32 functionality(struct i2c_adap
32916 return I2C_FUNC_SMBUS_EMUL;
32917 }
32918
32919 -static struct i2c_algorithm em28xx_algo = {
32920 +static const struct i2c_algorithm em28xx_algo = {
32921 .master_xfer = em28xx_i2c_xfer,
32922 .functionality = functionality,
32923 };
32924 diff -urNp linux-2.6.39.2/drivers/media/video/hdpvr/hdpvr-i2c.c linux-2.6.39.2/drivers/media/video/hdpvr/hdpvr-i2c.c
32925 --- linux-2.6.39.2/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-19 00:06:34.000000000 -0400
32926 +++ linux-2.6.39.2/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-22 19:36:31.000000000 -0400
32927 @@ -179,7 +179,7 @@ static u32 hdpvr_functionality(struct i2
32928 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
32929 }
32930
32931 -static struct i2c_algorithm hdpvr_algo = {
32932 +static const struct i2c_algorithm hdpvr_algo = {
32933 .master_xfer = hdpvr_transfer,
32934 .functionality = hdpvr_functionality,
32935 };
32936 diff -urNp linux-2.6.39.2/drivers/media/video/imx074.c linux-2.6.39.2/drivers/media/video/imx074.c
32937 --- linux-2.6.39.2/drivers/media/video/imx074.c 2011-05-19 00:06:34.000000000 -0400
32938 +++ linux-2.6.39.2/drivers/media/video/imx074.c 2011-05-22 19:36:31.000000000 -0400
32939 @@ -267,7 +267,7 @@ static int imx074_g_chip_ident(struct v4
32940 return 0;
32941 }
32942
32943 -static struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
32944 +static const struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
32945 .s_stream = imx074_s_stream,
32946 .s_mbus_fmt = imx074_s_fmt,
32947 .g_mbus_fmt = imx074_g_fmt,
32948 @@ -277,7 +277,7 @@ static struct v4l2_subdev_video_ops imx0
32949 .cropcap = imx074_cropcap,
32950 };
32951
32952 -static struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
32953 +static const struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
32954 .g_chip_ident = imx074_g_chip_ident,
32955 };
32956
32957 diff -urNp linux-2.6.39.2/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.39.2/drivers/media/video/ivtv/ivtv-driver.c
32958 --- linux-2.6.39.2/drivers/media/video/ivtv/ivtv-driver.c 2011-05-19 00:06:34.000000000 -0400
32959 +++ linux-2.6.39.2/drivers/media/video/ivtv/ivtv-driver.c 2011-05-22 19:36:31.000000000 -0400
32960 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
32961 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
32962
32963 /* ivtv instance counter */
32964 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
32965 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
32966
32967 /* Parameter declarations */
32968 static int cardtype[IVTV_MAX_CARDS];
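Review bot: This section changes only the declaration of `ivtv_instance` to `atomic_unchecked_t`; unlike the cx18-driver.c section, no call site is converted to an `_unchecked` accessor. If the driver still passes `&ivtv_instance` to `atomic_inc_return()` (the use is outside the hunk), the pointer types no longer match wherever `atomic_unchecked_t` is a distinct type. The matching change would be `atomic_inc_return_unchecked(&ivtv_instance)` at the use site, to be confirmed against the full file.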
32969 diff -urNp linux-2.6.39.2/drivers/media/video/mt9m001.c linux-2.6.39.2/drivers/media/video/mt9m001.c
32970 --- linux-2.6.39.2/drivers/media/video/mt9m001.c 2011-05-19 00:06:34.000000000 -0400
32971 +++ linux-2.6.39.2/drivers/media/video/mt9m001.c 2011-05-22 19:36:31.000000000 -0400
32972 @@ -691,7 +691,7 @@ static int mt9m001_g_skip_top_lines(stru
32973 return 0;
32974 }
32975
32976 -static struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
32977 +static const struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
32978 .g_ctrl = mt9m001_g_ctrl,
32979 .s_ctrl = mt9m001_s_ctrl,
32980 .g_chip_ident = mt9m001_g_chip_ident,
32981 @@ -714,7 +714,7 @@ static int mt9m001_enum_fmt(struct v4l2_
32982 return 0;
32983 }
32984
32985 -static struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
32986 +static const struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
32987 .s_stream = mt9m001_s_stream,
32988 .s_mbus_fmt = mt9m001_s_fmt,
32989 .g_mbus_fmt = mt9m001_g_fmt,
32990 @@ -725,7 +725,7 @@ static struct v4l2_subdev_video_ops mt9m
32991 .enum_mbus_fmt = mt9m001_enum_fmt,
32992 };
32993
32994 -static struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
32995 +static const struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
32996 .g_skip_top_lines = mt9m001_g_skip_top_lines,
32997 };
32998
32999 diff -urNp linux-2.6.39.2/drivers/media/video/mt9t031.c linux-2.6.39.2/drivers/media/video/mt9t031.c
33000 --- linux-2.6.39.2/drivers/media/video/mt9t031.c 2011-05-19 00:06:34.000000000 -0400
33001 +++ linux-2.6.39.2/drivers/media/video/mt9t031.c 2011-05-22 19:36:31.000000000 -0400
33002 @@ -725,7 +725,7 @@ static int mt9t031_runtime_resume(struct
33003 return 0;
33004 }
33005
33006 -static struct dev_pm_ops mt9t031_dev_pm_ops = {
33007 +static const struct dev_pm_ops mt9t031_dev_pm_ops = {
33008 .runtime_suspend = mt9t031_runtime_suspend,
33009 .runtime_resume = mt9t031_runtime_resume,
33010 };
33011 @@ -788,7 +788,7 @@ static int mt9t031_g_skip_top_lines(stru
33012 return 0;
33013 }
33014
33015 -static struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33016 +static const struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33017 .g_ctrl = mt9t031_g_ctrl,
33018 .s_ctrl = mt9t031_s_ctrl,
33019 .g_chip_ident = mt9t031_g_chip_ident,
33020 @@ -808,7 +808,7 @@ static int mt9t031_enum_fmt(struct v4l2_
33021 return 0;
33022 }
33023
33024 -static struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33025 +static const struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33026 .s_stream = mt9t031_s_stream,
33027 .s_mbus_fmt = mt9t031_s_fmt,
33028 .g_mbus_fmt = mt9t031_g_fmt,
33029 @@ -819,7 +819,7 @@ static struct v4l2_subdev_video_ops mt9t
33030 .enum_mbus_fmt = mt9t031_enum_fmt,
33031 };
33032
33033 -static struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33034 +static const struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33035 .g_skip_top_lines = mt9t031_g_skip_top_lines,
33036 };
33037
33038 diff -urNp linux-2.6.39.2/drivers/media/video/mt9v022.c linux-2.6.39.2/drivers/media/video/mt9v022.c
33039 --- linux-2.6.39.2/drivers/media/video/mt9v022.c 2011-05-19 00:06:34.000000000 -0400
33040 +++ linux-2.6.39.2/drivers/media/video/mt9v022.c 2011-05-22 19:36:31.000000000 -0400
33041 @@ -825,7 +825,7 @@ static int mt9v022_g_skip_top_lines(stru
33042 return 0;
33043 }
33044
33045 -static struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33046 +static const struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33047 .g_ctrl = mt9v022_g_ctrl,
33048 .s_ctrl = mt9v022_s_ctrl,
33049 .g_chip_ident = mt9v022_g_chip_ident,
33050 @@ -848,7 +848,7 @@ static int mt9v022_enum_fmt(struct v4l2_
33051 return 0;
33052 }
33053
33054 -static struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33055 +static const struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33056 .s_stream = mt9v022_s_stream,
33057 .s_mbus_fmt = mt9v022_s_fmt,
33058 .g_mbus_fmt = mt9v022_g_fmt,
33059 @@ -859,7 +859,7 @@ static struct v4l2_subdev_video_ops mt9v
33060 .enum_mbus_fmt = mt9v022_enum_fmt,
33061 };
33062
33063 -static struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33064 +static const struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33065 .g_skip_top_lines = mt9v022_g_skip_top_lines,
33066 };
33067
33068 diff -urNp linux-2.6.39.2/drivers/media/video/mx2_camera.c linux-2.6.39.2/drivers/media/video/mx2_camera.c
33069 --- linux-2.6.39.2/drivers/media/video/mx2_camera.c 2011-05-19 00:06:34.000000000 -0400
33070 +++ linux-2.6.39.2/drivers/media/video/mx2_camera.c 2011-05-22 19:36:31.000000000 -0400
33071 @@ -668,7 +668,7 @@ static void mx2_videobuf_release(struct
33072 free_buffer(vq, buf);
33073 }
33074
33075 -static struct videobuf_queue_ops mx2_videobuf_ops = {
33076 +static const struct videobuf_queue_ops mx2_videobuf_ops = {
33077 .buf_setup = mx2_videobuf_setup,
33078 .buf_prepare = mx2_videobuf_prepare,
33079 .buf_queue = mx2_videobuf_queue,
33080 diff -urNp linux-2.6.39.2/drivers/media/video/omap24xxcam.c linux-2.6.39.2/drivers/media/video/omap24xxcam.c
33081 --- linux-2.6.39.2/drivers/media/video/omap24xxcam.c 2011-05-19 00:06:34.000000000 -0400
33082 +++ linux-2.6.39.2/drivers/media/video/omap24xxcam.c 2011-05-22 19:36:31.000000000 -0400
33083 @@ -403,7 +403,7 @@ static void omap24xxcam_vbq_complete(str
33084 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33085
33086 do_gettimeofday(&vb->ts);
33087 - vb->field_count = atomic_add_return(2, &fh->field_count);
33088 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33089 if (csr & csr_error) {
33090 vb->state = VIDEOBUF_ERROR;
33091 if (!atomic_read(&fh->cam->in_reset)) {
33092 diff -urNp linux-2.6.39.2/drivers/media/video/omap24xxcam.h linux-2.6.39.2/drivers/media/video/omap24xxcam.h
33093 --- linux-2.6.39.2/drivers/media/video/omap24xxcam.h 2011-05-19 00:06:34.000000000 -0400
33094 +++ linux-2.6.39.2/drivers/media/video/omap24xxcam.h 2011-05-22 19:36:31.000000000 -0400
33095 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
33096 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
33097 struct videobuf_queue vbq;
33098 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
33099 - atomic_t field_count; /* field counter for videobuf_buffer */
33100 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
33101 /* accessing cam here doesn't need serialisation: it's constant */
33102 struct omap24xxcam_device *cam;
33103 };
33104 diff -urNp linux-2.6.39.2/drivers/media/video/omap3isp/isp.h linux-2.6.39.2/drivers/media/video/omap3isp/isp.h
33105 --- linux-2.6.39.2/drivers/media/video/omap3isp/isp.h 2011-05-19 00:06:34.000000000 -0400
33106 +++ linux-2.6.39.2/drivers/media/video/omap3isp/isp.h 2011-05-22 19:36:31.000000000 -0400
33107 @@ -290,7 +290,7 @@ struct isp_device {
33108
33109 struct iommu *iommu;
33110
33111 - struct isp_platform_callback platform_cb;
33112 + const struct isp_platform_callback platform_cb;
33113 };
33114
33115 #define v4l2_dev_to_isp_device(dev) \
33116 diff -urNp linux-2.6.39.2/drivers/media/video/ov2640.c linux-2.6.39.2/drivers/media/video/ov2640.c
33117 --- linux-2.6.39.2/drivers/media/video/ov2640.c 2011-05-19 00:06:34.000000000 -0400
33118 +++ linux-2.6.39.2/drivers/media/video/ov2640.c 2011-05-22 19:36:31.000000000 -0400
33119 @@ -1080,7 +1080,7 @@ static struct soc_camera_ops ov2640_ops
33120 .num_controls = ARRAY_SIZE(ov2640_controls),
33121 };
33122
33123 -static struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33124 +static const struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33125 .g_ctrl = ov2640_g_ctrl,
33126 .s_ctrl = ov2640_s_ctrl,
33127 .g_chip_ident = ov2640_g_chip_ident,
33128 @@ -1090,7 +1090,7 @@ static struct v4l2_subdev_core_ops ov264
33129 #endif
33130 };
33131
33132 -static struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33133 +static const struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33134 .s_stream = ov2640_s_stream,
33135 .g_mbus_fmt = ov2640_g_fmt,
33136 .s_mbus_fmt = ov2640_s_fmt,
33137 diff -urNp linux-2.6.39.2/drivers/media/video/ov772x.c linux-2.6.39.2/drivers/media/video/ov772x.c
33138 --- linux-2.6.39.2/drivers/media/video/ov772x.c 2011-05-19 00:06:34.000000000 -0400
33139 +++ linux-2.6.39.2/drivers/media/video/ov772x.c 2011-05-22 19:36:31.000000000 -0400
33140 @@ -1079,7 +1079,7 @@ static struct soc_camera_ops ov772x_ops
33141 .num_controls = ARRAY_SIZE(ov772x_controls),
33142 };
33143
33144 -static struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33145 +static const struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33146 .g_ctrl = ov772x_g_ctrl,
33147 .s_ctrl = ov772x_s_ctrl,
33148 .g_chip_ident = ov772x_g_chip_ident,
33149 @@ -1099,7 +1099,7 @@ static int ov772x_enum_fmt(struct v4l2_s
33150 return 0;
33151 }
33152
33153 -static struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33154 +static const struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33155 .s_stream = ov772x_s_stream,
33156 .g_mbus_fmt = ov772x_g_fmt,
33157 .s_mbus_fmt = ov772x_s_fmt,
33158 diff -urNp linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
33159 --- linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-19 00:06:34.000000000 -0400
33160 +++ linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-22 19:36:31.000000000 -0400
33161 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
33162 u8 *eeprom;
33163 struct tveeprom tvdata;
33164
33165 + pax_track_stack();
33166 +
33167 memset(&tvdata,0,sizeof(tvdata));
33168
33169 eeprom = pvr2_eeprom_fetch(hdw);
33170 diff -urNp linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c
33171 --- linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-19 00:06:34.000000000 -0400
33172 +++ linux-2.6.39.2/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-22 19:36:31.000000000 -0400
33173 @@ -527,7 +527,7 @@ static u32 pvr2_i2c_functionality(struct
33174 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33175 }
33176
33177 -static struct i2c_algorithm pvr2_i2c_algo_template = {
33178 +static const struct i2c_algorithm pvr2_i2c_algo_template = {
33179 .master_xfer = pvr2_i2c_xfer,
33180 .functionality = pvr2_i2c_functionality,
33181 };
33182 diff -urNp linux-2.6.39.2/drivers/media/video/rj54n1cb0c.c linux-2.6.39.2/drivers/media/video/rj54n1cb0c.c
33183 --- linux-2.6.39.2/drivers/media/video/rj54n1cb0c.c 2011-05-19 00:06:34.000000000 -0400
33184 +++ linux-2.6.39.2/drivers/media/video/rj54n1cb0c.c 2011-05-22 19:36:31.000000000 -0400
33185 @@ -1327,7 +1327,7 @@ static int rj54n1_s_ctrl(struct v4l2_sub
33186 return 0;
33187 }
33188
33189 -static struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33190 +static const struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33191 .g_ctrl = rj54n1_g_ctrl,
33192 .s_ctrl = rj54n1_s_ctrl,
33193 .g_chip_ident = rj54n1_g_chip_ident,
33194 @@ -1337,7 +1337,7 @@ static struct v4l2_subdev_core_ops rj54n
33195 #endif
33196 };
33197
33198 -static struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33199 +static const struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33200 .s_stream = rj54n1_s_stream,
33201 .s_mbus_fmt = rj54n1_s_fmt,
33202 .g_mbus_fmt = rj54n1_g_fmt,
33203 diff -urNp linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-capture.c linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-capture.c
33204 --- linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-19 00:06:34.000000000 -0400
33205 +++ linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-22 19:36:31.000000000 -0400
33206 @@ -376,7 +376,7 @@ static void fimc_unlock(struct vb2_queue
33207 mutex_unlock(&ctx->fimc_dev->lock);
33208 }
33209
33210 -static struct vb2_ops fimc_capture_qops = {
33211 +static const struct vb2_ops fimc_capture_qops = {
33212 .queue_setup = queue_setup,
33213 .buf_prepare = buffer_prepare,
33214 .buf_queue = buffer_queue,
33215 diff -urNp linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-core.c linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-core.c
33216 --- linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-19 00:06:34.000000000 -0400
33217 +++ linux-2.6.39.2/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-22 19:36:31.000000000 -0400
33218 @@ -768,7 +768,7 @@ static void fimc_unlock(struct vb2_queue
33219 mutex_unlock(&ctx->fimc_dev->lock);
33220 }
33221
33222 -static struct vb2_ops fimc_qops = {
33223 +static const struct vb2_ops fimc_qops = {
33224 .queue_setup = fimc_queue_setup,
33225 .buf_prepare = fimc_buf_prepare,
33226 .buf_queue = fimc_buf_queue,
33227 diff -urNp linux-2.6.39.2/drivers/media/video/saa7134/saa6752hs.c linux-2.6.39.2/drivers/media/video/saa7134/saa6752hs.c
33228 --- linux-2.6.39.2/drivers/media/video/saa7134/saa6752hs.c 2011-05-19 00:06:34.000000000 -0400
33229 +++ linux-2.6.39.2/drivers/media/video/saa7134/saa6752hs.c 2011-05-22 19:36:31.000000000 -0400
33230 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
33231 unsigned char localPAT[256];
33232 unsigned char localPMT[256];
33233
33234 + pax_track_stack();
33235 +
33236 /* Set video format - must be done first as it resets other settings */
33237 set_reg8(client, 0x41, h->video_format);
33238
33239 diff -urNp linux-2.6.39.2/drivers/media/video/saa7134/saa7134-alsa.c linux-2.6.39.2/drivers/media/video/saa7134/saa7134-alsa.c
33240 --- linux-2.6.39.2/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-19 00:06:34.000000000 -0400
33241 +++ linux-2.6.39.2/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-22 19:36:31.000000000 -0400
33242 @@ -808,7 +808,7 @@ static struct page *snd_card_saa7134_pag
33243 * ALSA capture callbacks definition
33244 */
33245
33246 -static struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33247 +static const struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33248 .open = snd_card_saa7134_capture_open,
33249 .close = snd_card_saa7134_capture_close,
33250 .ioctl = snd_pcm_lib_ioctl,
33251 diff -urNp linux-2.6.39.2/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.39.2/drivers/media/video/saa7164/saa7164-cmd.c
33252 --- linux-2.6.39.2/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-19 00:06:34.000000000 -0400
33253 +++ linux-2.6.39.2/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-22 19:36:31.000000000 -0400
33254 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33255 u8 tmp[512];
33256 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33257
33258 + pax_track_stack();
33259 +
33260 /* While any outstand message on the bus exists... */
33261 do {
33262
33263 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33264 u8 tmp[512];
33265 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33266
33267 + pax_track_stack();
33268 +
33269 while (loop) {
33270
33271 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
33272 diff -urNp linux-2.6.39.2/drivers/media/video/sh_mobile_csi2.c linux-2.6.39.2/drivers/media/video/sh_mobile_csi2.c
33273 --- linux-2.6.39.2/drivers/media/video/sh_mobile_csi2.c 2011-05-19 00:06:34.000000000 -0400
33274 +++ linux-2.6.39.2/drivers/media/video/sh_mobile_csi2.c 2011-05-22 19:36:31.000000000 -0400
33275 @@ -127,12 +127,12 @@ static int sh_csi2_s_fmt(struct v4l2_sub
33276 return 0;
33277 }
33278
33279 -static struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33280 +static const struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33281 .s_mbus_fmt = sh_csi2_s_fmt,
33282 .try_mbus_fmt = sh_csi2_try_fmt,
33283 };
33284
33285 -static struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33286 +static const struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33287
33288 static struct v4l2_subdev_ops sh_csi2_subdev_ops = {
33289 .core = &sh_csi2_subdev_core_ops,
33290 diff -urNp linux-2.6.39.2/drivers/media/video/soc_camera_platform.c linux-2.6.39.2/drivers/media/video/soc_camera_platform.c
33291 --- linux-2.6.39.2/drivers/media/video/soc_camera_platform.c 2011-05-19 00:06:34.000000000 -0400
33292 +++ linux-2.6.39.2/drivers/media/video/soc_camera_platform.c 2011-05-22 19:36:31.000000000 -0400
33293 @@ -70,7 +70,7 @@ static int soc_camera_platform_fill_fmt(
33294 return 0;
33295 }
33296
33297 -static struct v4l2_subdev_core_ops platform_subdev_core_ops;
33298 +static const struct v4l2_subdev_core_ops platform_subdev_core_ops;
33299
33300 static int soc_camera_platform_enum_fmt(struct v4l2_subdev *sd, unsigned int index,
33301 enum v4l2_mbus_pixelcode *code)
33302 @@ -115,7 +115,7 @@ static int soc_camera_platform_cropcap(s
33303 return 0;
33304 }
33305
33306 -static struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33307 +static const struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33308 .s_stream = soc_camera_platform_s_stream,
33309 .enum_mbus_fmt = soc_camera_platform_enum_fmt,
33310 .cropcap = soc_camera_platform_cropcap,
33311 diff -urNp linux-2.6.39.2/drivers/media/video/tlg2300/pd-alsa.c linux-2.6.39.2/drivers/media/video/tlg2300/pd-alsa.c
33312 --- linux-2.6.39.2/drivers/media/video/tlg2300/pd-alsa.c 2011-05-19 00:06:34.000000000 -0400
33313 +++ linux-2.6.39.2/drivers/media/video/tlg2300/pd-alsa.c 2011-05-22 19:36:31.000000000 -0400
33314 @@ -265,7 +265,7 @@ static struct page *snd_pcm_pd_get_page(
33315 return vmalloc_to_page(pageptr);
33316 }
33317
33318 -static struct snd_pcm_ops pcm_capture_ops = {
33319 +static const struct snd_pcm_ops pcm_capture_ops = {
33320 .open = snd_pd_capture_open,
33321 .close = snd_pd_pcm_close,
33322 .ioctl = snd_pcm_lib_ioctl,
33323 diff -urNp linux-2.6.39.2/drivers/media/video/tw9910.c linux-2.6.39.2/drivers/media/video/tw9910.c
33324 --- linux-2.6.39.2/drivers/media/video/tw9910.c 2011-05-19 00:06:34.000000000 -0400
33325 +++ linux-2.6.39.2/drivers/media/video/tw9910.c 2011-05-22 19:36:31.000000000 -0400
33326 @@ -894,7 +894,7 @@ static struct soc_camera_ops tw9910_ops
33327 .enum_input = tw9910_enum_input,
33328 };
33329
33330 -static struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33331 +static const struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33332 .g_chip_ident = tw9910_g_chip_ident,
33333 .s_std = tw9910_s_std,
33334 #ifdef CONFIG_VIDEO_ADV_DEBUG
33335 @@ -913,7 +913,7 @@ static int tw9910_enum_fmt(struct v4l2_s
33336 return 0;
33337 }
33338
33339 -static struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33340 +static const struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33341 .s_stream = tw9910_s_stream,
33342 .g_mbus_fmt = tw9910_g_fmt,
33343 .s_mbus_fmt = tw9910_s_fmt,
33344 diff -urNp linux-2.6.39.2/drivers/media/video/usbvision/usbvision-core.c linux-2.6.39.2/drivers/media/video/usbvision/usbvision-core.c
33345 --- linux-2.6.39.2/drivers/media/video/usbvision/usbvision-core.c 2011-05-19 00:06:34.000000000 -0400
33346 +++ linux-2.6.39.2/drivers/media/video/usbvision/usbvision-core.c 2011-05-22 19:36:31.000000000 -0400
33347 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
33348 unsigned char rv, gv, bv;
33349 static unsigned char *Y, *U, *V;
33350
33351 + pax_track_stack();
33352 +
33353 frame = usbvision->cur_frame;
33354 image_size = frame->frmwidth * frame->frmheight;
33355 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33356 diff -urNp linux-2.6.39.2/drivers/media/video/usbvision/usbvision-i2c.c linux-2.6.39.2/drivers/media/video/usbvision/usbvision-i2c.c
33357 --- linux-2.6.39.2/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-19 00:06:34.000000000 -0400
33358 +++ linux-2.6.39.2/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-22 19:36:31.000000000 -0400
33359 @@ -189,7 +189,7 @@ static u32 functionality(struct i2c_adap
33360
33361 /* -----exported algorithm data: ------------------------------------- */
33362
33363 -static struct i2c_algorithm usbvision_algo = {
33364 +static const struct i2c_algorithm usbvision_algo = {
33365 .master_xfer = usbvision_i2c_xfer,
33366 .smbus_xfer = NULL,
33367 .functionality = functionality,
33368 diff -urNp linux-2.6.39.2/drivers/media/video/v4l2-device.c linux-2.6.39.2/drivers/media/video/v4l2-device.c
33369 --- linux-2.6.39.2/drivers/media/video/v4l2-device.c 2011-05-19 00:06:34.000000000 -0400
33370 +++ linux-2.6.39.2/drivers/media/video/v4l2-device.c 2011-05-22 19:36:31.000000000 -0400
33371 @@ -71,9 +71,9 @@ int v4l2_device_put(struct v4l2_device *
33372 EXPORT_SYMBOL_GPL(v4l2_device_put);
33373
33374 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33375 - atomic_t *instance)
33376 + atomic_unchecked_t *instance)
33377 {
33378 - int num = atomic_inc_return(instance) - 1;
33379 + int num = atomic_inc_return_unchecked(instance) - 1;
33380 int len = strlen(basename);
33381
33382 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
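Review bot: `basename[len - 1]` in v4l2_device_set_name is read without checking that `len` is non-zero, so an empty `basename` indexes one byte before the string. A guard such as `if (len && basename[len - 1] >= '0' && basename[len - 1] <= '9')` closes that. Separately, with `atomic_inc_return_unchecked` the value in `num` can wrap after enough registrations; that is presumably acceptable for a naming counter, but a one-line comment saying so would help the next reader. The function body continues outside the hunk.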
33383 diff -urNp linux-2.6.39.2/drivers/media/video/videobuf-dma-sg.c linux-2.6.39.2/drivers/media/video/videobuf-dma-sg.c
33384 --- linux-2.6.39.2/drivers/media/video/videobuf-dma-sg.c 2011-05-19 00:06:34.000000000 -0400
33385 +++ linux-2.6.39.2/drivers/media/video/videobuf-dma-sg.c 2011-05-22 19:36:31.000000000 -0400
33386 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
33387 {
33388 struct videobuf_queue q;
33389
33390 + pax_track_stack();
33391 +
33392 /* Required to make generic handler to call __videobuf_alloc */
33393 q.int_ops = &sg_ops;
33394
33395 diff -urNp linux-2.6.39.2/drivers/message/fusion/mptbase.c linux-2.6.39.2/drivers/message/fusion/mptbase.c
33396 --- linux-2.6.39.2/drivers/message/fusion/mptbase.c 2011-05-19 00:06:34.000000000 -0400
33397 +++ linux-2.6.39.2/drivers/message/fusion/mptbase.c 2011-05-22 19:41:37.000000000 -0400
33398 @@ -143,7 +143,7 @@ static int MptDriverClass[MPT_MAX_PRO
33399 static MPT_EVHANDLER MptEvHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33400 /* Reset handler lookup table */
33401 static MPT_RESETHANDLER MptResetHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33402 -static struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33403 +static const struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33404
33405 #ifdef CONFIG_PROC_FS
33406 static struct proc_dir_entry *mpt_proc_root_dir;
33407 @@ -772,7 +772,7 @@ mpt_reset_deregister(u8 cb_idx)
33408 * @cb_idx: MPT protocol driver index
33409 */
33410 int
33411 -mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33412 +mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33413 {
33414 MPT_ADAPTER *ioc;
33415 const struct pci_device_id *id;
33416 @@ -801,7 +801,7 @@ mpt_device_driver_register(struct mpt_pc
33417 void
33418 mpt_device_driver_deregister(u8 cb_idx)
33419 {
33420 - struct mpt_pci_driver *dd_cbfunc;
33421 + const struct mpt_pci_driver *dd_cbfunc;
33422 MPT_ADAPTER *ioc;
33423
33424 if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
33425 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
33426 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33427 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33428
33429 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33430 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
33431 +#else
33432 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33433 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33434 +#endif
33435 +
33436 /*
33437 * Rounding UP to nearest 4-kB boundary here...
33438 */
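Review bot: Under CONFIG_GRKERNSEC_HIDESYM the new line passes `NULL` to both `%p` conversions, which the kernel's vsprintf most likely renders as `(null)`, so readers of this proc file would see `0x(null)` instead of a hex value. That is worth confirming against anything that parses the output. A fixed literal avoids depending on `%p` behaviour, for example `seq_puts(m, " RequestFrames @ 0x0 (Dma @ 0x0)\n");`. A short comment such as `/* HIDESYM: do not expose kernel or DMA addresses through /proc */` would also record why the two branches differ. The rest of mpt_iocinfo_proc_show is outside the hunk, so other address prints in it cannot be checked from here.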
33439 diff -urNp linux-2.6.39.2/drivers/message/fusion/mptbase.h linux-2.6.39.2/drivers/message/fusion/mptbase.h
33440 --- linux-2.6.39.2/drivers/message/fusion/mptbase.h 2011-05-19 00:06:34.000000000 -0400
33441 +++ linux-2.6.39.2/drivers/message/fusion/mptbase.h 2011-05-22 19:36:31.000000000 -0400
33442 @@ -908,7 +908,7 @@ extern int mpt_event_register(u8 cb_idx
33443 extern void mpt_event_deregister(u8 cb_idx);
33444 extern int mpt_reset_register(u8 cb_idx, MPT_RESETHANDLER reset_func);
33445 extern void mpt_reset_deregister(u8 cb_idx);
33446 -extern int mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33447 +extern int mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33448 extern void mpt_device_driver_deregister(u8 cb_idx);
33449 extern MPT_FRAME_HDR *mpt_get_msg_frame(u8 cb_idx, MPT_ADAPTER *ioc);
33450 extern void mpt_free_msg_frame(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf);
33451 diff -urNp linux-2.6.39.2/drivers/message/fusion/mptctl.c linux-2.6.39.2/drivers/message/fusion/mptctl.c
33452 --- linux-2.6.39.2/drivers/message/fusion/mptctl.c 2011-05-19 00:06:34.000000000 -0400
33453 +++ linux-2.6.39.2/drivers/message/fusion/mptctl.c 2011-05-22 19:36:31.000000000 -0400
33454 @@ -3000,7 +3000,7 @@ mptctl_remove(struct pci_dev *pdev)
33455 {
33456 }
33457
33458 -static struct mpt_pci_driver mptctl_driver = {
33459 +static const struct mpt_pci_driver mptctl_driver = {
33460 .probe = mptctl_probe,
33461 .remove = mptctl_remove,
33462 };
33463 diff -urNp linux-2.6.39.2/drivers/message/fusion/mptsas.c linux-2.6.39.2/drivers/message/fusion/mptsas.c
33464 --- linux-2.6.39.2/drivers/message/fusion/mptsas.c 2011-05-19 00:06:34.000000000 -0400
33465 +++ linux-2.6.39.2/drivers/message/fusion/mptsas.c 2011-05-22 19:36:31.000000000 -0400
33466 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
33467 return 0;
33468 }
33469
33470 +static inline void
33471 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33472 +{
33473 + if (phy_info->port_details) {
33474 + phy_info->port_details->rphy = rphy;
33475 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33476 + ioc->name, rphy));
33477 + }
33478 +
33479 + if (rphy) {
33480 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33481 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33482 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33483 + ioc->name, rphy, rphy->dev.release));
33484 + }
33485 +}
33486 +
33487 /* no mutex */
33488 static void
33489 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
33490 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33491 return NULL;
33492 }
33493
33494 -static inline void
33495 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33496 -{
33497 - if (phy_info->port_details) {
33498 - phy_info->port_details->rphy = rphy;
33499 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33500 - ioc->name, rphy));
33501 - }
33502 -
33503 - if (rphy) {
33504 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33505 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33506 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33507 - ioc->name, rphy, rphy->dev.release));
33508 - }
33509 -}
33510 -
33511 static inline struct sas_port *
33512 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33513 {
33514 diff -urNp linux-2.6.39.2/drivers/message/fusion/mptscsih.c linux-2.6.39.2/drivers/message/fusion/mptscsih.c
33515 --- linux-2.6.39.2/drivers/message/fusion/mptscsih.c 2011-05-19 00:06:34.000000000 -0400
33516 +++ linux-2.6.39.2/drivers/message/fusion/mptscsih.c 2011-05-22 19:36:31.000000000 -0400
33517 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33518
33519 h = shost_priv(SChost);
33520
33521 - if (h) {
33522 - if (h->info_kbuf == NULL)
33523 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33524 - return h->info_kbuf;
33525 - h->info_kbuf[0] = '\0';
33526 + if (!h)
33527 + return NULL;
33528
33529 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33530 - h->info_kbuf[size-1] = '\0';
33531 - }
33532 + if (h->info_kbuf == NULL)
33533 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33534 + return h->info_kbuf;
33535 + h->info_kbuf[0] = '\0';
33536 +
33537 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33538 + h->info_kbuf[size-1] = '\0';
33539
33540 return h->info_kbuf;
33541 }
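Review bot: `h->info_kbuf[size-1] = '\0'` trusts whatever `mpt_print_ioc_summary` left in `size`. If that is 0, the store lands one byte before the 4 KB buffer, and nothing visible bounds it above at 0x1000. A guard like `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';` keeps the terminator inside the allocation. The allocation-failure path would also read more plainly as `return NULL;` than `return h->info_kbuf;`, matching the new `!h` path. The declaration of `size` and the start of the function are outside the hunk.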
33542 diff -urNp linux-2.6.39.2/drivers/message/i2o/i2o_config.c linux-2.6.39.2/drivers/message/i2o/i2o_config.c
33543 --- linux-2.6.39.2/drivers/message/i2o/i2o_config.c 2011-05-19 00:06:34.000000000 -0400
33544 +++ linux-2.6.39.2/drivers/message/i2o/i2o_config.c 2011-05-22 19:36:31.000000000 -0400
33545 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
33546 struct i2o_message *msg;
33547 unsigned int iop;
33548
33549 + pax_track_stack();
33550 +
33551 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33552 return -EFAULT;
33553
33554 diff -urNp linux-2.6.39.2/drivers/message/i2o/i2o_proc.c linux-2.6.39.2/drivers/message/i2o/i2o_proc.c
33555 --- linux-2.6.39.2/drivers/message/i2o/i2o_proc.c 2011-05-19 00:06:34.000000000 -0400
33556 +++ linux-2.6.39.2/drivers/message/i2o/i2o_proc.c 2011-05-22 19:36:31.000000000 -0400
33557 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
33558 "Array Controller Device"
33559 };
33560
33561 -static char *chtostr(u8 * chars, int n)
33562 -{
33563 - char tmp[256];
33564 - tmp[0] = 0;
33565 - return strncat(tmp, (char *)chars, n);
33566 -}
33567 -
33568 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33569 char *group)
33570 {
33571 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
33572
33573 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33574 seq_printf(seq, "%-#8x", ddm_table.module_id);
33575 - seq_printf(seq, "%-29s",
33576 - chtostr(ddm_table.module_name_version, 28));
33577 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33578 seq_printf(seq, "%9d ", ddm_table.data_size);
33579 seq_printf(seq, "%8d", ddm_table.code_size);
33580
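Review bot: `%-.28s` keeps the 28-byte read limit but drops the field width, so the `-` flag no longer pads anything. The columns after the module name in this table will shift whenever the name is shorter than 28 characters, where the old `%-29s` padded to 29. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` preserves both the bound and the layout. The same applies in the i2o_seq_show_drivers_stored hunk, where `%-.28s` and `%-.8s` replace `%-29s` and `%-9s`; `%-29.28s` and `%-9.8s` would keep the alignment there.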
33581 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
33582
33583 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33584 seq_printf(seq, "%-#8x", dst->module_id);
33585 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33586 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33587 + seq_printf(seq, "%-.28s", dst->module_name_version);
33588 + seq_printf(seq, "%-.8s", dst->date);
33589 seq_printf(seq, "%8d ", dst->module_size);
33590 seq_printf(seq, "%8d ", dst->mpb_size);
33591 seq_printf(seq, "0x%04x", dst->module_flags);
33592 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
33593 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33594 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33595 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33596 - seq_printf(seq, "Vendor info : %s\n",
33597 - chtostr((u8 *) (work32 + 2), 16));
33598 - seq_printf(seq, "Product info : %s\n",
33599 - chtostr((u8 *) (work32 + 6), 16));
33600 - seq_printf(seq, "Description : %s\n",
33601 - chtostr((u8 *) (work32 + 10), 16));
33602 - seq_printf(seq, "Product rev. : %s\n",
33603 - chtostr((u8 *) (work32 + 14), 8));
33604 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33605 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33606 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33607 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33608
33609 seq_printf(seq, "Serial number : ");
33610 print_serial_number(seq, (u8 *) (work32 + 16),
33611 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
33612 }
33613
33614 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33615 - seq_printf(seq, "Module name : %s\n",
33616 - chtostr(result.module_name, 24));
33617 - seq_printf(seq, "Module revision : %s\n",
33618 - chtostr(result.module_rev, 8));
33619 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33620 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33621
33622 seq_printf(seq, "Serial number : ");
33623 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33624 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
33625 return 0;
33626 }
33627
33628 - seq_printf(seq, "Device name : %s\n",
33629 - chtostr(result.device_name, 64));
33630 - seq_printf(seq, "Service name : %s\n",
33631 - chtostr(result.service_name, 64));
33632 - seq_printf(seq, "Physical name : %s\n",
33633 - chtostr(result.physical_location, 64));
33634 - seq_printf(seq, "Instance number : %s\n",
33635 - chtostr(result.instance_number, 4));
33636 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33637 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33638 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33639 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33640
33641 return 0;
33642 }
33643 diff -urNp linux-2.6.39.2/drivers/message/i2o/iop.c linux-2.6.39.2/drivers/message/i2o/iop.c
33644 --- linux-2.6.39.2/drivers/message/i2o/iop.c 2011-05-19 00:06:34.000000000 -0400
33645 +++ linux-2.6.39.2/drivers/message/i2o/iop.c 2011-05-22 19:36:31.000000000 -0400
33646 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33647
33648 spin_lock_irqsave(&c->context_list_lock, flags);
33649
33650 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33651 - atomic_inc(&c->context_list_counter);
33652 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33653 + atomic_inc_unchecked(&c->context_list_counter);
33654
33655 - entry->context = atomic_read(&c->context_list_counter);
33656 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33657
33658 list_add(&entry->list, &c->context_list);
33659
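Review bot: The `_unchecked` calls on `context_list_counter` imply the counter is expected to wrap, and the second increment appears to skip the value 0, but nothing in the hunk records that intent. After a wrap, a new entry can be given a context value that an older entry still on `c->context_list` already holds. A comment such as `/* counter wraps by design; 0 is skipped, hence the second increment */` would document the choice. Whether a duplicate check against the list is also needed depends on the lookup code, which is outside this hunk.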
33660 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33661
33662 #if BITS_PER_LONG == 64
33663 spin_lock_init(&c->context_list_lock);
33664 - atomic_set(&c->context_list_counter, 0);
33665 + atomic_set_unchecked(&c->context_list_counter, 0);
33666 INIT_LIST_HEAD(&c->context_list);
33667 #endif
33668
33669 diff -urNp linux-2.6.39.2/drivers/mfd/ab3100-core.c linux-2.6.39.2/drivers/mfd/ab3100-core.c
33670 --- linux-2.6.39.2/drivers/mfd/ab3100-core.c 2011-05-19 00:06:34.000000000 -0400
33671 +++ linux-2.6.39.2/drivers/mfd/ab3100-core.c 2011-05-22 19:36:31.000000000 -0400
33672 @@ -385,7 +385,7 @@ static int ab3100_event_registers_startu
33673 return 0;
33674 }
33675
33676 -static struct abx500_ops ab3100_ops = {
33677 +static const struct abx500_ops ab3100_ops = {
33678 .get_chip_id = ab3100_get_chip_id,
33679 .set_register = set_register_interruptible,
33680 .get_register = get_register_interruptible,
33681 diff -urNp linux-2.6.39.2/drivers/mfd/ab3550-core.c linux-2.6.39.2/drivers/mfd/ab3550-core.c
33682 --- linux-2.6.39.2/drivers/mfd/ab3550-core.c 2011-05-19 00:06:34.000000000 -0400
33683 +++ linux-2.6.39.2/drivers/mfd/ab3550-core.c 2011-05-22 19:36:31.000000000 -0400
33684 @@ -676,7 +676,7 @@ static int ab3550_startup_irq_enabled(st
33685 return val;
33686 }
33687
33688 -static struct abx500_ops ab3550_ops = {
33689 +static const struct abx500_ops ab3550_ops = {
33690 .get_chip_id = ab3550_get_chip_id,
33691 .get_register = ab3550_get_register_interruptible,
33692 .set_register = ab3550_set_register_interruptible,
33693 diff -urNp linux-2.6.39.2/drivers/mfd/ab8500-core.c linux-2.6.39.2/drivers/mfd/ab8500-core.c
33694 --- linux-2.6.39.2/drivers/mfd/ab8500-core.c 2011-05-19 00:06:34.000000000 -0400
33695 +++ linux-2.6.39.2/drivers/mfd/ab8500-core.c 2011-05-22 19:36:31.000000000 -0400
33696 @@ -223,7 +223,7 @@ static int ab8500_mask_and_set_register(
33697
33698 }
33699
33700 -static struct abx500_ops ab8500_ops = {
33701 +static const struct abx500_ops ab8500_ops = {
33702 .get_chip_id = ab8500_get_chip_id,
33703 .get_register = ab8500_get_register,
33704 .set_register = ab8500_set_register,
33705 diff -urNp linux-2.6.39.2/drivers/mfd/abx500-core.c linux-2.6.39.2/drivers/mfd/abx500-core.c
33706 --- linux-2.6.39.2/drivers/mfd/abx500-core.c 2011-05-19 00:06:34.000000000 -0400
33707 +++ linux-2.6.39.2/drivers/mfd/abx500-core.c 2011-05-22 19:36:31.000000000 -0400
33708 @@ -18,7 +18,7 @@ struct abx500_device_entry {
33709 struct device *dev;
33710 };
33711
33712 -static void lookup_ops(struct device *dev, struct abx500_ops **ops)
33713 +static void lookup_ops(struct device *dev, const struct abx500_ops **ops)
33714 {
33715 struct abx500_device_entry *dev_entry;
33716
33717 @@ -31,7 +31,7 @@ static void lookup_ops(struct device *de
33718 }
33719 }
33720
33721 -int abx500_register_ops(struct device *dev, struct abx500_ops *ops)
33722 +int abx500_register_ops(struct device *dev, const struct abx500_ops *ops)
33723 {
33724 struct abx500_device_entry *dev_entry;
33725
33726 @@ -65,7 +65,7 @@ EXPORT_SYMBOL(abx500_remove_ops);
33727 int abx500_set_register_interruptible(struct device *dev, u8 bank, u8 reg,
33728 u8 value)
33729 {
33730 - struct abx500_ops *ops;
33731 + const struct abx500_ops *ops;
33732
33733 lookup_ops(dev->parent, &ops);
33734 if ((ops != NULL) && (ops->set_register != NULL))
33735 @@ -78,7 +78,7 @@ EXPORT_SYMBOL(abx500_set_register_interr
33736 int abx500_get_register_interruptible(struct device *dev, u8 bank, u8 reg,
33737 u8 *value)
33738 {
33739 - struct abx500_ops *ops;
33740 + const struct abx500_ops *ops;
33741
33742 lookup_ops(dev->parent, &ops);
33743 if ((ops != NULL) && (ops->get_register != NULL))
33744 @@ -91,7 +91,7 @@ EXPORT_SYMBOL(abx500_get_register_interr
33745 int abx500_get_register_page_interruptible(struct device *dev, u8 bank,
33746 u8 first_reg, u8 *regvals, u8 numregs)
33747 {
33748 - struct abx500_ops *ops;
33749 + const struct abx500_ops *ops;
33750
33751 lookup_ops(dev->parent, &ops);
33752 if ((ops != NULL) && (ops->get_register_page != NULL))
33753 @@ -105,7 +105,7 @@ EXPORT_SYMBOL(abx500_get_register_page_i
33754 int abx500_mask_and_set_register_interruptible(struct device *dev, u8 bank,
33755 u8 reg, u8 bitmask, u8 bitvalues)
33756 {
33757 - struct abx500_ops *ops;
33758 + const struct abx500_ops *ops;
33759
33760 lookup_ops(dev->parent, &ops);
33761 if ((ops != NULL) && (ops->mask_and_set_register != NULL))
33762 @@ -118,7 +118,7 @@ EXPORT_SYMBOL(abx500_mask_and_set_regist
33763
33764 int abx500_get_chip_id(struct device *dev)
33765 {
33766 - struct abx500_ops *ops;
33767 + const struct abx500_ops *ops;
33768
33769 lookup_ops(dev->parent, &ops);
33770 if ((ops != NULL) && (ops->get_chip_id != NULL))
33771 @@ -130,7 +130,7 @@ EXPORT_SYMBOL(abx500_get_chip_id);
33772
33773 int abx500_event_registers_startup_state_get(struct device *dev, u8 *event)
33774 {
33775 - struct abx500_ops *ops;
33776 + const struct abx500_ops *ops;
33777
33778 lookup_ops(dev->parent, &ops);
33779 if ((ops != NULL) && (ops->event_registers_startup_state_get != NULL))
33780 @@ -142,7 +142,7 @@ EXPORT_SYMBOL(abx500_event_registers_sta
33781
33782 int abx500_startup_irq_enabled(struct device *dev, unsigned int irq)
33783 {
33784 - struct abx500_ops *ops;
33785 + const struct abx500_ops *ops;
33786
33787 lookup_ops(dev->parent, &ops);
33788 if ((ops != NULL) && (ops->startup_irq_enabled != NULL))
33789 diff -urNp linux-2.6.39.2/drivers/mfd/janz-cmodio.c linux-2.6.39.2/drivers/mfd/janz-cmodio.c
33790 --- linux-2.6.39.2/drivers/mfd/janz-cmodio.c 2011-05-19 00:06:34.000000000 -0400
33791 +++ linux-2.6.39.2/drivers/mfd/janz-cmodio.c 2011-05-22 19:36:31.000000000 -0400
33792 @@ -13,6 +13,7 @@
33793
33794 #include <linux/kernel.h>
33795 #include <linux/module.h>
33796 +#include <linux/slab.h>
33797 #include <linux/init.h>
33798 #include <linux/pci.h>
33799 #include <linux/interrupt.h>
33800 diff -urNp linux-2.6.39.2/drivers/mfd/mcp-sa11x0.c linux-2.6.39.2/drivers/mfd/mcp-sa11x0.c
33801 --- linux-2.6.39.2/drivers/mfd/mcp-sa11x0.c 2011-05-19 00:06:34.000000000 -0400
33802 +++ linux-2.6.39.2/drivers/mfd/mcp-sa11x0.c 2011-05-22 19:36:31.000000000 -0400
33803 @@ -128,7 +128,7 @@ static void mcp_sa11x0_disable(struct mc
33804 /*
33805 * Our methods.
33806 */
33807 -static struct mcp_ops mcp_sa11x0 = {
33808 +static const struct mcp_ops mcp_sa11x0 = {
33809 .set_telecom_divisor = mcp_sa11x0_set_telecom_divisor,
33810 .set_audio_divisor = mcp_sa11x0_set_audio_divisor,
33811 .reg_write = mcp_sa11x0_write,
33812 diff -urNp linux-2.6.39.2/drivers/mfd/wm8350-i2c.c linux-2.6.39.2/drivers/mfd/wm8350-i2c.c
33813 --- linux-2.6.39.2/drivers/mfd/wm8350-i2c.c 2011-05-19 00:06:34.000000000 -0400
33814 +++ linux-2.6.39.2/drivers/mfd/wm8350-i2c.c 2011-05-22 19:36:31.000000000 -0400
33815 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
33816 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
33817 int ret;
33818
33819 + pax_track_stack();
33820 +
33821 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
33822 return -EINVAL;
33823
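Review bot: The bound `bytes > ((WM8350_MAX_REGISTER << 1) + 1)` accepts `bytes` equal to the full size of `msg`. That leaves no room if the code after the hunk stores the register byte in `msg[0]` and copies `bytes` bytes after it. It would also let a negative `bytes` through if the parameter is signed; the signature is cut off in the hunk header, so its type is not visible. Assuming that layout, `if (bytes < 0 || bytes > (WM8350_MAX_REGISTER << 1)) return -EINVAL;` keeps the copy inside the buffer. The rest of wm8350_i2c_write_device is outside the hunk, so this should be checked against the actual copy.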
33824 diff -urNp linux-2.6.39.2/drivers/misc/enclosure.c linux-2.6.39.2/drivers/misc/enclosure.c
33825 --- linux-2.6.39.2/drivers/misc/enclosure.c 2011-05-19 00:06:34.000000000 -0400
33826 +++ linux-2.6.39.2/drivers/misc/enclosure.c 2011-05-22 19:36:31.000000000 -0400
33827 @@ -161,7 +161,7 @@ enclosure_register(struct device *dev, c
33828 }
33829 EXPORT_SYMBOL_GPL(enclosure_register);
33830
33831 -static struct enclosure_component_callbacks enclosure_null_callbacks;
33832 +static const struct enclosure_component_callbacks enclosure_null_callbacks;
33833
33834 /**
33835 * enclosure_unregister - remove an enclosure
33836 diff -urNp linux-2.6.39.2/drivers/misc/kgdbts.c linux-2.6.39.2/drivers/misc/kgdbts.c
33837 --- linux-2.6.39.2/drivers/misc/kgdbts.c 2011-05-19 00:06:34.000000000 -0400
33838 +++ linux-2.6.39.2/drivers/misc/kgdbts.c 2011-05-22 19:36:31.000000000 -0400
33839 @@ -118,7 +118,7 @@
33840 } while (0)
33841 #define MAX_CONFIG_LEN 40
33842
33843 -static struct kgdb_io kgdbts_io_ops;
33844 +static const struct kgdb_io kgdbts_io_ops;
33845 static char get_buf[BUFMAX];
33846 static int get_buf_cnt;
33847 static char put_buf[BUFMAX];
33848 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
33849 module_put(THIS_MODULE);
33850 }
33851
33852 -static struct kgdb_io kgdbts_io_ops = {
33853 +static const struct kgdb_io kgdbts_io_ops = {
33854 .name = "kgdbts",
33855 .read_char = kgdbts_get_char,
33856 .write_char = kgdbts_put_char,
33857 diff -urNp linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.c linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.c
33858 --- linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-19 00:06:34.000000000 -0400
33859 +++ linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-22 19:36:31.000000000 -0400
33860 @@ -435,7 +435,7 @@ static irqreturn_t lis302dl_interrupt(in
33861 * the lid is closed. This leads to interrupts as soon as a little move
33862 * is done.
33863 */
33864 - atomic_inc(&lis3_dev.count);
33865 + atomic_inc_unchecked(&lis3_dev.count);
33866
33867 wake_up_interruptible(&lis3_dev.misc_wait);
33868 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
33869 @@ -518,7 +518,7 @@ static int lis3lv02d_misc_open(struct in
33870 if (lis3_dev.pm_dev)
33871 pm_runtime_get_sync(lis3_dev.pm_dev);
33872
33873 - atomic_set(&lis3_dev.count, 0);
33874 + atomic_set_unchecked(&lis3_dev.count, 0);
33875 return 0;
33876 }
33877
33878 @@ -545,7 +545,7 @@ static ssize_t lis3lv02d_misc_read(struc
33879 add_wait_queue(&lis3_dev.misc_wait, &wait);
33880 while (true) {
33881 set_current_state(TASK_INTERRUPTIBLE);
33882 - data = atomic_xchg(&lis3_dev.count, 0);
33883 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
33884 if (data)
33885 break;
33886
33887 @@ -583,7 +583,7 @@ out:
33888 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
33889 {
33890 poll_wait(file, &lis3_dev.misc_wait, wait);
33891 - if (atomic_read(&lis3_dev.count))
33892 + if (atomic_read_unchecked(&lis3_dev.count))
33893 return POLLIN | POLLRDNORM;
33894 return 0;
33895 }
33896 diff -urNp linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.h linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.h
33897 --- linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-19 00:06:34.000000000 -0400
33898 +++ linux-2.6.39.2/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-22 19:36:31.000000000 -0400
33899 @@ -265,7 +265,7 @@ struct lis3lv02d {
33900 struct input_polled_dev *idev; /* input device */
33901 struct platform_device *pdev; /* platform device */
33902 struct regulator_bulk_data regulators[2];
33903 - atomic_t count; /* interrupt count after last read */
33904 + atomic_unchecked_t count; /* interrupt count after last read */
33905 union axis_conversion ac; /* hw -> logical axis */
33906 int mapped_btns[3];
33907
33908 diff -urNp linux-2.6.39.2/drivers/misc/sgi-gru/gruhandles.c linux-2.6.39.2/drivers/misc/sgi-gru/gruhandles.c
33909 --- linux-2.6.39.2/drivers/misc/sgi-gru/gruhandles.c 2011-05-19 00:06:34.000000000 -0400
33910 +++ linux-2.6.39.2/drivers/misc/sgi-gru/gruhandles.c 2011-05-22 19:36:31.000000000 -0400
33911 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
33912 unsigned long nsec;
33913
33914 nsec = CLKS2NSEC(clks);
33915 - atomic_long_inc(&mcs_op_statistics[op].count);
33916 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
33917 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
33918 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
33919 if (mcs_op_statistics[op].max < nsec)
33920 mcs_op_statistics[op].max = nsec;
33921 }
33922 diff -urNp linux-2.6.39.2/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.39.2/drivers/misc/sgi-gru/gruprocfs.c
33923 --- linux-2.6.39.2/drivers/misc/sgi-gru/gruprocfs.c 2011-05-19 00:06:34.000000000 -0400
33924 +++ linux-2.6.39.2/drivers/misc/sgi-gru/gruprocfs.c 2011-05-22 19:36:31.000000000 -0400
33925 @@ -32,9 +32,9 @@
33926
33927 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
33928
33929 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
33930 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
33931 {
33932 - unsigned long val = atomic_long_read(v);
33933 + unsigned long val = atomic_long_read_unchecked(v);
33934
33935 seq_printf(s, "%16lu %s\n", val, id);
33936 }
33937 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
33938
33939 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
33940 for (op = 0; op < mcsop_last; op++) {
33941 - count = atomic_long_read(&mcs_op_statistics[op].count);
33942 - total = atomic_long_read(&mcs_op_statistics[op].total);
33943 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
33944 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
33945 max = mcs_op_statistics[op].max;
33946 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
33947 count ? total / count : 0, max);
33948 diff -urNp linux-2.6.39.2/drivers/misc/sgi-gru/grutables.h linux-2.6.39.2/drivers/misc/sgi-gru/grutables.h
33949 --- linux-2.6.39.2/drivers/misc/sgi-gru/grutables.h 2011-05-19 00:06:34.000000000 -0400
33950 +++ linux-2.6.39.2/drivers/misc/sgi-gru/grutables.h 2011-05-22 19:36:31.000000000 -0400
33951 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
33952 * GRU statistics.
33953 */
33954 struct gru_stats_s {
33955 - atomic_long_t vdata_alloc;
33956 - atomic_long_t vdata_free;
33957 - atomic_long_t gts_alloc;
33958 - atomic_long_t gts_free;
33959 - atomic_long_t gms_alloc;
33960 - atomic_long_t gms_free;
33961 - atomic_long_t gts_double_allocate;
33962 - atomic_long_t assign_context;
33963 - atomic_long_t assign_context_failed;
33964 - atomic_long_t free_context;
33965 - atomic_long_t load_user_context;
33966 - atomic_long_t load_kernel_context;
33967 - atomic_long_t lock_kernel_context;
33968 - atomic_long_t unlock_kernel_context;
33969 - atomic_long_t steal_user_context;
33970 - atomic_long_t steal_kernel_context;
33971 - atomic_long_t steal_context_failed;
33972 - atomic_long_t nopfn;
33973 - atomic_long_t asid_new;
33974 - atomic_long_t asid_next;
33975 - atomic_long_t asid_wrap;
33976 - atomic_long_t asid_reuse;
33977 - atomic_long_t intr;
33978 - atomic_long_t intr_cbr;
33979 - atomic_long_t intr_tfh;
33980 - atomic_long_t intr_spurious;
33981 - atomic_long_t intr_mm_lock_failed;
33982 - atomic_long_t call_os;
33983 - atomic_long_t call_os_wait_queue;
33984 - atomic_long_t user_flush_tlb;
33985 - atomic_long_t user_unload_context;
33986 - atomic_long_t user_exception;
33987 - atomic_long_t set_context_option;
33988 - atomic_long_t check_context_retarget_intr;
33989 - atomic_long_t check_context_unload;
33990 - atomic_long_t tlb_dropin;
33991 - atomic_long_t tlb_preload_page;
33992 - atomic_long_t tlb_dropin_fail_no_asid;
33993 - atomic_long_t tlb_dropin_fail_upm;
33994 - atomic_long_t tlb_dropin_fail_invalid;
33995 - atomic_long_t tlb_dropin_fail_range_active;
33996 - atomic_long_t tlb_dropin_fail_idle;
33997 - atomic_long_t tlb_dropin_fail_fmm;
33998 - atomic_long_t tlb_dropin_fail_no_exception;
33999 - atomic_long_t tfh_stale_on_fault;
34000 - atomic_long_t mmu_invalidate_range;
34001 - atomic_long_t mmu_invalidate_page;
34002 - atomic_long_t flush_tlb;
34003 - atomic_long_t flush_tlb_gru;
34004 - atomic_long_t flush_tlb_gru_tgh;
34005 - atomic_long_t flush_tlb_gru_zero_asid;
34006 -
34007 - atomic_long_t copy_gpa;
34008 - atomic_long_t read_gpa;
34009 -
34010 - atomic_long_t mesq_receive;
34011 - atomic_long_t mesq_receive_none;
34012 - atomic_long_t mesq_send;
34013 - atomic_long_t mesq_send_failed;
34014 - atomic_long_t mesq_noop;
34015 - atomic_long_t mesq_send_unexpected_error;
34016 - atomic_long_t mesq_send_lb_overflow;
34017 - atomic_long_t mesq_send_qlimit_reached;
34018 - atomic_long_t mesq_send_amo_nacked;
34019 - atomic_long_t mesq_send_put_nacked;
34020 - atomic_long_t mesq_page_overflow;
34021 - atomic_long_t mesq_qf_locked;
34022 - atomic_long_t mesq_qf_noop_not_full;
34023 - atomic_long_t mesq_qf_switch_head_failed;
34024 - atomic_long_t mesq_qf_unexpected_error;
34025 - atomic_long_t mesq_noop_unexpected_error;
34026 - atomic_long_t mesq_noop_lb_overflow;
34027 - atomic_long_t mesq_noop_qlimit_reached;
34028 - atomic_long_t mesq_noop_amo_nacked;
34029 - atomic_long_t mesq_noop_put_nacked;
34030 - atomic_long_t mesq_noop_page_overflow;
34031 + atomic_long_unchecked_t vdata_alloc;
34032 + atomic_long_unchecked_t vdata_free;
34033 + atomic_long_unchecked_t gts_alloc;
34034 + atomic_long_unchecked_t gts_free;
34035 + atomic_long_unchecked_t gms_alloc;
34036 + atomic_long_unchecked_t gms_free;
34037 + atomic_long_unchecked_t gts_double_allocate;
34038 + atomic_long_unchecked_t assign_context;
34039 + atomic_long_unchecked_t assign_context_failed;
34040 + atomic_long_unchecked_t free_context;
34041 + atomic_long_unchecked_t load_user_context;
34042 + atomic_long_unchecked_t load_kernel_context;
34043 + atomic_long_unchecked_t lock_kernel_context;
34044 + atomic_long_unchecked_t unlock_kernel_context;
34045 + atomic_long_unchecked_t steal_user_context;
34046 + atomic_long_unchecked_t steal_kernel_context;
34047 + atomic_long_unchecked_t steal_context_failed;
34048 + atomic_long_unchecked_t nopfn;
34049 + atomic_long_unchecked_t asid_new;
34050 + atomic_long_unchecked_t asid_next;
34051 + atomic_long_unchecked_t asid_wrap;
34052 + atomic_long_unchecked_t asid_reuse;
34053 + atomic_long_unchecked_t intr;
34054 + atomic_long_unchecked_t intr_cbr;
34055 + atomic_long_unchecked_t intr_tfh;
34056 + atomic_long_unchecked_t intr_spurious;
34057 + atomic_long_unchecked_t intr_mm_lock_failed;
34058 + atomic_long_unchecked_t call_os;
34059 + atomic_long_unchecked_t call_os_wait_queue;
34060 + atomic_long_unchecked_t user_flush_tlb;
34061 + atomic_long_unchecked_t user_unload_context;
34062 + atomic_long_unchecked_t user_exception;
34063 + atomic_long_unchecked_t set_context_option;
34064 + atomic_long_unchecked_t check_context_retarget_intr;
34065 + atomic_long_unchecked_t check_context_unload;
34066 + atomic_long_unchecked_t tlb_dropin;
34067 + atomic_long_unchecked_t tlb_preload_page;
34068 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
34069 + atomic_long_unchecked_t tlb_dropin_fail_upm;
34070 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
34071 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
34072 + atomic_long_unchecked_t tlb_dropin_fail_idle;
34073 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
34074 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
34075 + atomic_long_unchecked_t tfh_stale_on_fault;
34076 + atomic_long_unchecked_t mmu_invalidate_range;
34077 + atomic_long_unchecked_t mmu_invalidate_page;
34078 + atomic_long_unchecked_t flush_tlb;
34079 + atomic_long_unchecked_t flush_tlb_gru;
34080 + atomic_long_unchecked_t flush_tlb_gru_tgh;
34081 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
34082 +
34083 + atomic_long_unchecked_t copy_gpa;
34084 + atomic_long_unchecked_t read_gpa;
34085 +
34086 + atomic_long_unchecked_t mesq_receive;
34087 + atomic_long_unchecked_t mesq_receive_none;
34088 + atomic_long_unchecked_t mesq_send;
34089 + atomic_long_unchecked_t mesq_send_failed;
34090 + atomic_long_unchecked_t mesq_noop;
34091 + atomic_long_unchecked_t mesq_send_unexpected_error;
34092 + atomic_long_unchecked_t mesq_send_lb_overflow;
34093 + atomic_long_unchecked_t mesq_send_qlimit_reached;
34094 + atomic_long_unchecked_t mesq_send_amo_nacked;
34095 + atomic_long_unchecked_t mesq_send_put_nacked;
34096 + atomic_long_unchecked_t mesq_page_overflow;
34097 + atomic_long_unchecked_t mesq_qf_locked;
34098 + atomic_long_unchecked_t mesq_qf_noop_not_full;
34099 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
34100 + atomic_long_unchecked_t mesq_qf_unexpected_error;
34101 + atomic_long_unchecked_t mesq_noop_unexpected_error;
34102 + atomic_long_unchecked_t mesq_noop_lb_overflow;
34103 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
34104 + atomic_long_unchecked_t mesq_noop_amo_nacked;
34105 + atomic_long_unchecked_t mesq_noop_put_nacked;
34106 + atomic_long_unchecked_t mesq_noop_page_overflow;
34107
34108 };
34109
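Review bot: The comment on `struct gru_stats_s` still reads only "GRU statistics." and does not say why every counter is now `atomic_long_unchecked_t`, which a maintainer needs to know before adding a field. The `_unchecked` variants presumably opt these counters out of the overflow detection this patch set applies to ordinary atomics. That is reasonable for statistics that may wrap harmlessly, but it would be wrong for anything used as a reference count. I would extend the comment to something like `/* GRU statistics. Counters may wrap; they are not reference counts, hence the _unchecked atomic type. */`. The same applies to `struct mcs_op_statistic` and the `STAT()` macro in the two hunks that follow.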
34110 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
34111 tghop_invalidate, mcsop_last};
34112
34113 struct mcs_op_statistic {
34114 - atomic_long_t count;
34115 - atomic_long_t total;
34116 + atomic_long_unchecked_t count;
34117 + atomic_long_unchecked_t total;
34118 unsigned long max;
34119 };
34120
34121 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
34122
34123 #define STAT(id) do { \
34124 if (gru_options & OPT_STATS) \
34125 - atomic_long_inc(&gru_stats.id); \
34126 + atomic_long_inc_unchecked(&gru_stats.id); \
34127 } while (0)
34128
34129 #ifdef CONFIG_SGI_GRU_DEBUG
34130 diff -urNp linux-2.6.39.2/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.39.2/drivers/misc/sgi-xp/xpc_sn2.c
34131 --- linux-2.6.39.2/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-19 00:06:34.000000000 -0400
34132 +++ linux-2.6.39.2/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-22 19:36:31.000000000 -0400
34133 @@ -2351,7 +2351,7 @@ xpc_received_payload_sn2(struct xpc_chan
34134 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34135 }
34136
34137 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34138 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34139 .setup_partitions = xpc_setup_partitions_sn2,
34140 .teardown_partitions = xpc_teardown_partitions_sn2,
34141 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34142 diff -urNp linux-2.6.39.2/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.39.2/drivers/misc/sgi-xp/xpc_uv.c
34143 --- linux-2.6.39.2/drivers/misc/sgi-xp/xpc_uv.c 2011-05-19 00:06:34.000000000 -0400
34144 +++ linux-2.6.39.2/drivers/misc/sgi-xp/xpc_uv.c 2011-05-22 19:36:31.000000000 -0400
34145 @@ -1674,7 +1674,7 @@ xpc_received_payload_uv(struct xpc_chann
34146 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34147 }
34148
34149 -static struct xpc_arch_operations xpc_arch_ops_uv = {
34150 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
34151 .setup_partitions = xpc_setup_partitions_uv,
34152 .teardown_partitions = xpc_teardown_partitions_uv,
34153 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34154 diff -urNp linux-2.6.39.2/drivers/misc/spear13xx_pcie_gadget.c linux-2.6.39.2/drivers/misc/spear13xx_pcie_gadget.c
34155 --- linux-2.6.39.2/drivers/misc/spear13xx_pcie_gadget.c 2011-05-19 00:06:34.000000000 -0400
34156 +++ linux-2.6.39.2/drivers/misc/spear13xx_pcie_gadget.c 2011-05-22 19:36:31.000000000 -0400
34157 @@ -644,7 +644,7 @@ static ssize_t pcie_gadget_target_attr_s
34158 return ret;
34159 }
34160
34161 -static struct configfs_item_operations pcie_gadget_target_item_ops = {
34162 +static const struct configfs_item_operations pcie_gadget_target_item_ops = {
34163 .show_attribute = pcie_gadget_target_attr_show,
34164 .store_attribute = pcie_gadget_target_attr_store,
34165 };
34166 diff -urNp linux-2.6.39.2/drivers/mmc/host/davinci_mmc.c linux-2.6.39.2/drivers/mmc/host/davinci_mmc.c
34167 --- linux-2.6.39.2/drivers/mmc/host/davinci_mmc.c 2011-05-19 00:06:34.000000000 -0400
34168 +++ linux-2.6.39.2/drivers/mmc/host/davinci_mmc.c 2011-05-22 19:36:31.000000000 -0400
34169 @@ -1133,7 +1133,7 @@ static void mmc_davinci_enable_sdio_irq(
34170 }
34171 }
34172
34173 -static struct mmc_host_ops mmc_davinci_ops = {
34174 +static const struct mmc_host_ops mmc_davinci_ops = {
34175 .request = mmc_davinci_request,
34176 .set_ios = mmc_davinci_set_ios,
34177 .get_cd = mmc_davinci_get_cd,
34178 diff -urNp linux-2.6.39.2/drivers/mmc/host/dw_mmc.c linux-2.6.39.2/drivers/mmc/host/dw_mmc.c
34179 --- linux-2.6.39.2/drivers/mmc/host/dw_mmc.c 2011-05-19 00:06:34.000000000 -0400
34180 +++ linux-2.6.39.2/drivers/mmc/host/dw_mmc.c 2011-05-22 19:36:31.000000000 -0400
34181 @@ -417,7 +417,7 @@ static int dw_mci_idmac_init(struct dw_m
34182 return 0;
34183 }
34184
34185 -static struct dw_mci_dma_ops dw_mci_idmac_ops = {
34186 +static const struct dw_mci_dma_ops dw_mci_idmac_ops = {
34187 .init = dw_mci_idmac_init,
34188 .start = dw_mci_idmac_start_dma,
34189 .stop = dw_mci_idmac_stop_dma,
34190 diff -urNp linux-2.6.39.2/drivers/mmc/host/s3cmci.c linux-2.6.39.2/drivers/mmc/host/s3cmci.c
34191 --- linux-2.6.39.2/drivers/mmc/host/s3cmci.c 2011-05-19 00:06:34.000000000 -0400
34192 +++ linux-2.6.39.2/drivers/mmc/host/s3cmci.c 2011-05-22 19:36:31.000000000 -0400
34193 @@ -1349,7 +1349,7 @@ static void s3cmci_enable_sdio_irq(struc
34194 s3cmci_check_sdio_irq(host);
34195 }
34196
34197 -static struct mmc_host_ops s3cmci_ops = {
34198 +static const struct mmc_host_ops s3cmci_ops = {
34199 .request = s3cmci_request,
34200 .set_ios = s3cmci_set_ios,
34201 .get_ro = s3cmci_get_ro,
34202 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-cns3xxx.c linux-2.6.39.2/drivers/mmc/host/sdhci-cns3xxx.c
34203 --- linux-2.6.39.2/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-19 00:06:34.000000000 -0400
34204 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-22 19:36:31.000000000 -0400
34205 @@ -81,7 +81,7 @@ out:
34206 host->clock = clock;
34207 }
34208
34209 -static struct sdhci_ops sdhci_cns3xxx_ops = {
34210 +static const struct sdhci_ops sdhci_cns3xxx_ops = {
34211 .get_max_clock = sdhci_cns3xxx_get_max_clk,
34212 .set_clock = sdhci_cns3xxx_set_clock,
34213 };
34214 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-dove.c linux-2.6.39.2/drivers/mmc/host/sdhci-dove.c
34215 --- linux-2.6.39.2/drivers/mmc/host/sdhci-dove.c 2011-05-19 00:06:34.000000000 -0400
34216 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-dove.c 2011-05-22 19:36:31.000000000 -0400
34217 @@ -56,7 +56,7 @@ static u32 sdhci_dove_readl(struct sdhci
34218 return ret;
34219 }
34220
34221 -static struct sdhci_ops sdhci_dove_ops = {
34222 +static const struct sdhci_ops sdhci_dove_ops = {
34223 .read_w = sdhci_dove_readw,
34224 .read_l = sdhci_dove_readl,
34225 };
34226 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-esdhc-imx.c linux-2.6.39.2/drivers/mmc/host/sdhci-esdhc-imx.c
34227 --- linux-2.6.39.2/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-19 00:06:34.000000000 -0400
34228 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-22 19:36:31.000000000 -0400
34229 @@ -201,7 +201,7 @@ static unsigned int esdhc_pltfm_get_ro(s
34230 return -ENOSYS;
34231 }
34232
34233 -static struct sdhci_ops sdhci_esdhc_ops = {
34234 +static const struct sdhci_ops sdhci_esdhc_ops = {
34235 .read_l = esdhc_readl_le,
34236 .read_w = esdhc_readw_le,
34237 .write_l = esdhc_writel_le,
34238 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-of.h linux-2.6.39.2/drivers/mmc/host/sdhci-of.h
34239 --- linux-2.6.39.2/drivers/mmc/host/sdhci-of.h 2011-05-19 00:06:34.000000000 -0400
34240 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-of.h 2011-05-22 19:36:31.000000000 -0400
34241 @@ -21,7 +21,7 @@
34242
34243 struct sdhci_of_data {
34244 unsigned int quirks;
34245 - struct sdhci_ops ops;
34246 + const struct sdhci_ops ops;
34247 };
34248
34249 struct sdhci_of_host {
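Review bot: Qualifying the embedded `ops` member as `const` in `struct sdhci_of_data` (it is a struct, not a pointer) makes every object of that type non-assignable as a whole and forces `ops` to be set in an initializer. Any code that fills in or copies an `sdhci_of_data` at run time would stop compiling. None of the users are visible in this hunk, so this needs checking against the drivers that define these objects. A comment on the member such as `/* const: set only by static initializers */` would record the constraint.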
34250 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-pci.c linux-2.6.39.2/drivers/mmc/host/sdhci-pci.c
34251 --- linux-2.6.39.2/drivers/mmc/host/sdhci-pci.c 2011-05-19 00:06:34.000000000 -0400
34252 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-pci.c 2011-05-22 19:36:31.000000000 -0400
34253 @@ -786,7 +786,7 @@ static int sdhci_pci_enable_dma(struct s
34254 return 0;
34255 }
34256
34257 -static struct sdhci_ops sdhci_pci_ops = {
34258 +static const struct sdhci_ops sdhci_pci_ops = {
34259 .enable_dma = sdhci_pci_enable_dma,
34260 };
34261
34262 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-pltfm.c linux-2.6.39.2/drivers/mmc/host/sdhci-pltfm.c
34263 --- linux-2.6.39.2/drivers/mmc/host/sdhci-pltfm.c 2011-05-19 00:06:34.000000000 -0400
34264 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-pltfm.c 2011-05-22 19:36:31.000000000 -0400
34265 @@ -41,7 +41,7 @@
34266 * *
34267 \*****************************************************************************/
34268
34269 -static struct sdhci_ops sdhci_pltfm_ops = {
34270 +static const struct sdhci_ops sdhci_pltfm_ops = {
34271 };
34272
34273 /*****************************************************************************\
34274 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-pxa.c linux-2.6.39.2/drivers/mmc/host/sdhci-pxa.c
34275 --- linux-2.6.39.2/drivers/mmc/host/sdhci-pxa.c 2011-05-19 00:06:34.000000000 -0400
34276 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-pxa.c 2011-05-22 19:36:31.000000000 -0400
34277 @@ -69,7 +69,7 @@ static void set_clock(struct sdhci_host
34278 }
34279 }
34280
34281 -static struct sdhci_ops sdhci_pxa_ops = {
34282 +static const struct sdhci_ops sdhci_pxa_ops = {
34283 .set_clock = set_clock,
34284 };
34285
34286 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-s3c.c linux-2.6.39.2/drivers/mmc/host/sdhci-s3c.c
34287 --- linux-2.6.39.2/drivers/mmc/host/sdhci-s3c.c 2011-05-19 00:06:34.000000000 -0400
34288 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-s3c.c 2011-05-22 19:36:31.000000000 -0400
34289 @@ -309,7 +309,7 @@ static int sdhci_s3c_platform_8bit_width
34290 return 0;
34291 }
34292
34293 -static struct sdhci_ops sdhci_s3c_ops = {
34294 +static const struct sdhci_ops sdhci_s3c_ops = {
34295 .get_max_clock = sdhci_s3c_get_max_clk,
34296 .set_clock = sdhci_s3c_set_clock,
34297 .get_min_clock = sdhci_s3c_get_min_clock,
34298 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-spear.c linux-2.6.39.2/drivers/mmc/host/sdhci-spear.c
34299 --- linux-2.6.39.2/drivers/mmc/host/sdhci-spear.c 2011-05-19 00:06:34.000000000 -0400
34300 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-spear.c 2011-05-22 19:36:31.000000000 -0400
34301 @@ -32,7 +32,7 @@ struct spear_sdhci {
34302 };
34303
34304 /* sdhci ops */
34305 -static struct sdhci_ops sdhci_pltfm_ops = {
34306 +static const struct sdhci_ops sdhci_pltfm_ops = {
34307 /* Nothing to do for now. */
34308 };
34309
34310 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdhci-tegra.c linux-2.6.39.2/drivers/mmc/host/sdhci-tegra.c
34311 --- linux-2.6.39.2/drivers/mmc/host/sdhci-tegra.c 2011-05-19 00:06:34.000000000 -0400
34312 +++ linux-2.6.39.2/drivers/mmc/host/sdhci-tegra.c 2011-05-22 19:36:31.000000000 -0400
34313 @@ -242,7 +242,7 @@ static void tegra_sdhci_pltfm_exit(struc
34314 clk_put(pltfm_host->clk);
34315 }
34316
34317 -static struct sdhci_ops tegra_sdhci_ops = {
34318 +static const struct sdhci_ops tegra_sdhci_ops = {
34319 .get_ro = tegra_sdhci_get_ro,
34320 .read_l = tegra_sdhci_readl,
34321 .read_w = tegra_sdhci_readw,
34322 diff -urNp linux-2.6.39.2/drivers/mmc/host/sdricoh_cs.c linux-2.6.39.2/drivers/mmc/host/sdricoh_cs.c
34323 --- linux-2.6.39.2/drivers/mmc/host/sdricoh_cs.c 2011-05-19 00:06:34.000000000 -0400
34324 +++ linux-2.6.39.2/drivers/mmc/host/sdricoh_cs.c 2011-05-22 19:36:31.000000000 -0400
34325 @@ -387,7 +387,7 @@ static int sdricoh_get_ro(struct mmc_hos
34326 return (status & STATUS_CARD_LOCKED);
34327 }
34328
34329 -static struct mmc_host_ops sdricoh_ops = {
34330 +static const struct mmc_host_ops sdricoh_ops = {
34331 .request = sdricoh_request,
34332 .set_ios = sdricoh_set_ios,
34333 .get_ro = sdricoh_get_ro,
34334 diff -urNp linux-2.6.39.2/drivers/mmc/host/sh_mmcif.c linux-2.6.39.2/drivers/mmc/host/sh_mmcif.c
34335 --- linux-2.6.39.2/drivers/mmc/host/sh_mmcif.c 2011-05-19 00:06:34.000000000 -0400
34336 +++ linux-2.6.39.2/drivers/mmc/host/sh_mmcif.c 2011-05-22 19:36:31.000000000 -0400
34337 @@ -872,7 +872,7 @@ static int sh_mmcif_get_cd(struct mmc_ho
34338 return p->get_cd(host->pd);
34339 }
34340
34341 -static struct mmc_host_ops sh_mmcif_ops = {
34342 +static const struct mmc_host_ops sh_mmcif_ops = {
34343 .request = sh_mmcif_request,
34344 .set_ios = sh_mmcif_set_ios,
34345 .get_cd = sh_mmcif_get_cd,
34346 diff -urNp linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0001.c
34347 --- linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-19 00:06:34.000000000 -0400
34348 +++ linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-22 19:36:31.000000000 -0400
34349 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
34350 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34351 unsigned long timeo = jiffies + HZ;
34352
34353 + pax_track_stack();
34354 +
34355 /* Prevent setting state FL_SYNCING for chip in suspended state. */
34356 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34357 goto sleep;
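Review bot: The added `pax_track_stack();` calls carry no comment saying which local makes the function worth instrumenting, and in `chip_ready` no large stack object is visible in the hunk at all. Presumably the call records stack depth for PaX's kernel-stack sanitising, so it belongs only in functions with big frames. A one-line comment at each site, such as `/* large frame: <name of local> */` (placeholder), would let a maintainer drop the call once the buffer moves off the stack. The same applies to the other sites in this part of the patch: `do_write_buffer` and `do_erase_oneblock` below, cfi_cmdset_0020.c, ftl.c, inftlcore.c, inftlmount.c, qinfo_probe.c, mtdchar.c, nftlcore.c, nftlmount.c, bnx2.c, bnx2x_ethtool.c, cxgb4_main.c and t4_hw.c. In most of these hunks, this one included, the enclosing function starts or ends outside the visible lines.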
34358 @@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
34359 unsigned long initial_adr;
34360 int initial_len = len;
34361
34362 + pax_track_stack();
34363 +
34364 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34365 adr += chip->start;
34366 initial_adr = adr;
34367 @@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
34368 int retries = 3;
34369 int ret;
34370
34371 + pax_track_stack();
34372 +
34373 adr += chip->start;
34374
34375 retry:
34376 diff -urNp linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0020.c
34377 --- linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-19 00:06:34.000000000 -0400
34378 +++ linux-2.6.39.2/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-22 19:36:31.000000000 -0400
34379 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34380 unsigned long cmd_addr;
34381 struct cfi_private *cfi = map->fldrv_priv;
34382
34383 + pax_track_stack();
34384 +
34385 adr += chip->start;
34386
34387 /* Ensure cmd read/writes are aligned. */
34388 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34389 DECLARE_WAITQUEUE(wait, current);
34390 int wbufsize, z;
34391
34392 + pax_track_stack();
34393 +
34394 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34395 if (adr & (map_bankwidth(map)-1))
34396 return -EINVAL;
34397 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34398 DECLARE_WAITQUEUE(wait, current);
34399 int ret = 0;
34400
34401 + pax_track_stack();
34402 +
34403 adr += chip->start;
34404
34405 /* Let's determine this according to the interleave only once */
34406 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34407 unsigned long timeo = jiffies + HZ;
34408 DECLARE_WAITQUEUE(wait, current);
34409
34410 + pax_track_stack();
34411 +
34412 adr += chip->start;
34413
34414 /* Let's determine this according to the interleave only once */
34415 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34416 unsigned long timeo = jiffies + HZ;
34417 DECLARE_WAITQUEUE(wait, current);
34418
34419 + pax_track_stack();
34420 +
34421 adr += chip->start;
34422
34423 /* Let's determine this according to the interleave only once */
34424 diff -urNp linux-2.6.39.2/drivers/mtd/devices/doc2000.c linux-2.6.39.2/drivers/mtd/devices/doc2000.c
34425 --- linux-2.6.39.2/drivers/mtd/devices/doc2000.c 2011-05-19 00:06:34.000000000 -0400
34426 +++ linux-2.6.39.2/drivers/mtd/devices/doc2000.c 2011-05-22 19:36:31.000000000 -0400
34427 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34428
34429 /* The ECC will not be calculated correctly if less than 512 is written */
34430 /* DBB-
34431 - if (len != 0x200 && eccbuf)
34432 + if (len != 0x200)
34433 printk(KERN_WARNING
34434 "ECC needs a full sector write (adr: %lx size %lx)\n",
34435 (long) to, (long) len);
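Review bot: The changed condition sits after the `/* DBB-` comment opener two lines above it, and no closing `*/` appears before it in the hunk, so this edit looks like it only touches commented-out code. If so, it has no effect on the built driver, and deleting the dead block would be cleaner than keeping it in sync. The end of the comment lies outside the hunk, so this should be confirmed against the full file.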
34436 diff -urNp linux-2.6.39.2/drivers/mtd/devices/doc2001.c linux-2.6.39.2/drivers/mtd/devices/doc2001.c
34437 --- linux-2.6.39.2/drivers/mtd/devices/doc2001.c 2011-05-19 00:06:34.000000000 -0400
34438 +++ linux-2.6.39.2/drivers/mtd/devices/doc2001.c 2011-05-22 19:36:31.000000000 -0400
34439 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34440 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34441
34442 /* Don't allow read past end of device */
34443 - if (from >= this->totlen)
34444 + if (from >= this->totlen || !len)
34445 return -EINVAL;
34446
34447 /* Don't allow a single read to cross a 512-byte block boundary */
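Review bot: The new `|| !len` makes a zero-length read fail with `-EINVAL`, but the comment above the test still says only "Don't allow read past end of device", so the reason for rejecting `len == 0` is undocumented. Callers that issue an empty read and expect success with a zero `retlen` would now see an error; whether any exist cannot be told from this hunk. I would update the comment, e.g. `/* Don't allow read past end of device, and reject empty reads */`, and add why the code below cannot handle `len == 0`. `doc_read` starts and ends outside the hunk.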
34448 diff -urNp linux-2.6.39.2/drivers/mtd/ftl.c linux-2.6.39.2/drivers/mtd/ftl.c
34449 --- linux-2.6.39.2/drivers/mtd/ftl.c 2011-05-19 00:06:34.000000000 -0400
34450 +++ linux-2.6.39.2/drivers/mtd/ftl.c 2011-05-22 19:36:31.000000000 -0400
34451 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34452 loff_t offset;
34453 uint16_t srcunitswap = cpu_to_le16(srcunit);
34454
34455 + pax_track_stack();
34456 +
34457 eun = &part->EUNInfo[srcunit];
34458 xfer = &part->XferInfo[xferunit];
34459 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34460 diff -urNp linux-2.6.39.2/drivers/mtd/inftlcore.c linux-2.6.39.2/drivers/mtd/inftlcore.c
34461 --- linux-2.6.39.2/drivers/mtd/inftlcore.c 2011-05-19 00:06:34.000000000 -0400
34462 +++ linux-2.6.39.2/drivers/mtd/inftlcore.c 2011-05-22 19:36:31.000000000 -0400
34463 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
34464 struct inftl_oob oob;
34465 size_t retlen;
34466
34467 + pax_track_stack();
34468 +
34469 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34470 "pending=%d)\n", inftl, thisVUC, pendingblock);
34471
34472 diff -urNp linux-2.6.39.2/drivers/mtd/inftlmount.c linux-2.6.39.2/drivers/mtd/inftlmount.c
34473 --- linux-2.6.39.2/drivers/mtd/inftlmount.c 2011-05-19 00:06:34.000000000 -0400
34474 +++ linux-2.6.39.2/drivers/mtd/inftlmount.c 2011-05-22 19:36:31.000000000 -0400
34475 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
34476 struct INFTLPartition *ip;
34477 size_t retlen;
34478
34479 + pax_track_stack();
34480 +
34481 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34482
34483 /*
34484 diff -urNp linux-2.6.39.2/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.39.2/drivers/mtd/lpddr/qinfo_probe.c
34485 --- linux-2.6.39.2/drivers/mtd/lpddr/qinfo_probe.c 2011-05-19 00:06:34.000000000 -0400
34486 +++ linux-2.6.39.2/drivers/mtd/lpddr/qinfo_probe.c 2011-05-22 19:36:31.000000000 -0400
34487 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34488 {
34489 map_word pfow_val[4];
34490
34491 + pax_track_stack();
34492 +
34493 /* Check identification string */
34494 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34495 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34496 diff -urNp linux-2.6.39.2/drivers/mtd/mtdchar.c linux-2.6.39.2/drivers/mtd/mtdchar.c
34497 --- linux-2.6.39.2/drivers/mtd/mtdchar.c 2011-05-19 00:06:34.000000000 -0400
34498 +++ linux-2.6.39.2/drivers/mtd/mtdchar.c 2011-05-22 19:36:31.000000000 -0400
34499 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
34500 u_long size;
34501 struct mtd_info_user info;
34502
34503 + pax_track_stack();
34504 +
34505 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34506
34507 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34508 diff -urNp linux-2.6.39.2/drivers/mtd/nand/denali.c linux-2.6.39.2/drivers/mtd/nand/denali.c
34509 --- linux-2.6.39.2/drivers/mtd/nand/denali.c 2011-05-19 00:06:34.000000000 -0400
34510 +++ linux-2.6.39.2/drivers/mtd/nand/denali.c 2011-05-22 19:36:31.000000000 -0400
34511 @@ -25,6 +25,7 @@
34512 #include <linux/pci.h>
34513 #include <linux/mtd/mtd.h>
34514 #include <linux/module.h>
34515 +#include <linux/slab.h>
34516
34517 #include "denali.h"
34518
34519 diff -urNp linux-2.6.39.2/drivers/mtd/nftlcore.c linux-2.6.39.2/drivers/mtd/nftlcore.c
34520 --- linux-2.6.39.2/drivers/mtd/nftlcore.c 2011-05-19 00:06:34.000000000 -0400
34521 +++ linux-2.6.39.2/drivers/mtd/nftlcore.c 2011-05-22 19:36:31.000000000 -0400
34522 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
34523 int inplace = 1;
34524 size_t retlen;
34525
34526 + pax_track_stack();
34527 +
34528 memset(BlockMap, 0xff, sizeof(BlockMap));
34529 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34530
34531 diff -urNp linux-2.6.39.2/drivers/mtd/nftlmount.c linux-2.6.39.2/drivers/mtd/nftlmount.c
34532 --- linux-2.6.39.2/drivers/mtd/nftlmount.c 2011-05-19 00:06:34.000000000 -0400
34533 +++ linux-2.6.39.2/drivers/mtd/nftlmount.c 2011-05-22 19:36:31.000000000 -0400
34534 @@ -24,6 +24,7 @@
34535 #include <asm/errno.h>
34536 #include <linux/delay.h>
34537 #include <linux/slab.h>
34538 +#include <linux/sched.h>
34539 #include <linux/mtd/mtd.h>
34540 #include <linux/mtd/nand.h>
34541 #include <linux/mtd/nftl.h>
34542 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
34543 struct mtd_info *mtd = nftl->mbd.mtd;
34544 unsigned int i;
34545
34546 + pax_track_stack();
34547 +
34548 /* Assume logical EraseSize == physical erasesize for starting the scan.
34549 We'll sort it out later if we find a MediaHeader which says otherwise */
34550 /* Actually, we won't. The new DiskOnChip driver has already scanned
34551 diff -urNp linux-2.6.39.2/drivers/mtd/ubi/build.c linux-2.6.39.2/drivers/mtd/ubi/build.c
34552 --- linux-2.6.39.2/drivers/mtd/ubi/build.c 2011-05-19 00:06:34.000000000 -0400
34553 +++ linux-2.6.39.2/drivers/mtd/ubi/build.c 2011-05-22 19:36:31.000000000 -0400
34554 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
34555 static int __init bytes_str_to_int(const char *str)
34556 {
34557 char *endp;
34558 - unsigned long result;
34559 + unsigned long result, scale = 1;
34560
34561 result = simple_strtoul(str, &endp, 0);
34562 if (str == endp || result >= INT_MAX) {
34563 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
34564
34565 switch (*endp) {
34566 case 'G':
34567 - result *= 1024;
34568 + scale *= 1024;
34569 case 'M':
34570 - result *= 1024;
34571 + scale *= 1024;
34572 case 'K':
34573 - result *= 1024;
34574 + scale *= 1024;
34575 if (endp[1] == 'i' && endp[2] == 'B')
34576 endp += 2;
34577 case '\0':
34578 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
34579 return -EINVAL;
34580 }
34581
34582 - return result;
34583 + if ((intoverflow_t)result*scale >= INT_MAX) {
34584 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34585 + str);
34586 + return -EINVAL;
34587 + }
34588 +
34589 + return result*scale;
34590 }
34591
34592 /**
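Review bot: The final range test depends on `intoverflow_t` being wider than `unsigned long` wherever `unsigned long` is 32 bits, otherwise `result*scale` wraps before it is compared with `INT_MAX`. The type is defined elsewhere in the patch, so that cannot be confirmed here and deserves a comment at the cast, e.g. `/* multiply in a wider type so the product cannot wrap before the INT_MAX check */`. The `case 'G'`, `'M'` and `'K'` arms in the previous hunk rely on fall-through to build `scale`, and a `/* fall through */` marker on each would make that intent explicit. `bytes_str_to_int` starts outside this hunk.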
34593 diff -urNp linux-2.6.39.2/drivers/net/bcm63xx_enet.c linux-2.6.39.2/drivers/net/bcm63xx_enet.c
34594 --- linux-2.6.39.2/drivers/net/bcm63xx_enet.c 2011-05-19 00:06:34.000000000 -0400
34595 +++ linux-2.6.39.2/drivers/net/bcm63xx_enet.c 2011-05-22 19:36:31.000000000 -0400
34596 @@ -1469,7 +1469,7 @@ static int bcm_enet_set_pauseparam(struc
34597 return 0;
34598 }
34599
34600 -static struct ethtool_ops bcm_enet_ethtool_ops = {
34601 +static const struct ethtool_ops bcm_enet_ethtool_ops = {
34602 .get_strings = bcm_enet_get_strings,
34603 .get_sset_count = bcm_enet_get_sset_count,
34604 .get_ethtool_stats = bcm_enet_get_ethtool_stats,
34605 diff -urNp linux-2.6.39.2/drivers/net/bna/bnad_ethtool.c linux-2.6.39.2/drivers/net/bna/bnad_ethtool.c
34606 --- linux-2.6.39.2/drivers/net/bna/bnad_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34607 +++ linux-2.6.39.2/drivers/net/bna/bnad_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34608 @@ -1242,7 +1242,7 @@ bnad_get_sset_count(struct net_device *n
34609 }
34610 }
34611
34612 -static struct ethtool_ops bnad_ethtool_ops = {
34613 +static const struct ethtool_ops bnad_ethtool_ops = {
34614 .get_settings = bnad_get_settings,
34615 .set_settings = bnad_set_settings,
34616 .get_drvinfo = bnad_get_drvinfo,
34617 diff -urNp linux-2.6.39.2/drivers/net/bnx2.c linux-2.6.39.2/drivers/net/bnx2.c
34618 --- linux-2.6.39.2/drivers/net/bnx2.c 2011-05-19 00:06:34.000000000 -0400
34619 +++ linux-2.6.39.2/drivers/net/bnx2.c 2011-05-22 19:36:31.000000000 -0400
34620 @@ -5828,6 +5828,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34621 int rc = 0;
34622 u32 magic, csum;
34623
34624 + pax_track_stack();
34625 +
34626 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34627 goto test_nvram_done;
34628
34629 diff -urNp linux-2.6.39.2/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.39.2/drivers/net/bnx2x/bnx2x_ethtool.c
34630 --- linux-2.6.39.2/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34631 +++ linux-2.6.39.2/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34632 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
34633 int i, rc;
34634 u32 magic, crc;
34635
34636 + pax_track_stack();
34637 +
34638 if (BP_NOMCP(bp))
34639 return 0;
34640
34641 diff -urNp linux-2.6.39.2/drivers/net/chelsio/pm3393.c linux-2.6.39.2/drivers/net/chelsio/pm3393.c
34642 --- linux-2.6.39.2/drivers/net/chelsio/pm3393.c 2011-05-19 00:06:34.000000000 -0400
34643 +++ linux-2.6.39.2/drivers/net/chelsio/pm3393.c 2011-05-22 19:36:31.000000000 -0400
34644 @@ -571,7 +571,7 @@ static void pm3393_destroy(struct cmac *
34645 kfree(cmac);
34646 }
34647
34648 -static struct cmac_ops pm3393_ops = {
34649 +static const struct cmac_ops pm3393_ops = {
34650 .destroy = pm3393_destroy,
34651 .reset = pm3393_reset,
34652 .interrupt_enable = pm3393_interrupt_enable,
34653 diff -urNp linux-2.6.39.2/drivers/net/chelsio/vsc7326.c linux-2.6.39.2/drivers/net/chelsio/vsc7326.c
34654 --- linux-2.6.39.2/drivers/net/chelsio/vsc7326.c 2011-05-19 00:06:34.000000000 -0400
34655 +++ linux-2.6.39.2/drivers/net/chelsio/vsc7326.c 2011-05-22 19:36:31.000000000 -0400
34656 @@ -666,7 +666,7 @@ static void mac_destroy(struct cmac *mac
34657 kfree(mac);
34658 }
34659
34660 -static struct cmac_ops vsc7326_ops = {
34661 +static const struct cmac_ops vsc7326_ops = {
34662 .destroy = mac_destroy,
34663 .reset = mac_reset,
34664 .interrupt_handler = mac_intr_handler,
34665 diff -urNp linux-2.6.39.2/drivers/net/cxgb4/cxgb4_main.c linux-2.6.39.2/drivers/net/cxgb4/cxgb4_main.c
34666 --- linux-2.6.39.2/drivers/net/cxgb4/cxgb4_main.c 2011-05-19 00:06:34.000000000 -0400
34667 +++ linux-2.6.39.2/drivers/net/cxgb4/cxgb4_main.c 2011-05-22 19:36:31.000000000 -0400
34668 @@ -3428,6 +3428,8 @@ static int __devinit enable_msix(struct
34669 unsigned int nchan = adap->params.nports;
34670 struct msix_entry entries[MAX_INGQ + 1];
34671
34672 + pax_track_stack();
34673 +
34674 for (i = 0; i < ARRAY_SIZE(entries); ++i)
34675 entries[i].entry = i;
34676
34677 diff -urNp linux-2.6.39.2/drivers/net/cxgb4/t4_hw.c linux-2.6.39.2/drivers/net/cxgb4/t4_hw.c
34678 --- linux-2.6.39.2/drivers/net/cxgb4/t4_hw.c 2011-05-19 00:06:34.000000000 -0400
34679 +++ linux-2.6.39.2/drivers/net/cxgb4/t4_hw.c 2011-05-22 19:36:31.000000000 -0400
34680 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
34681 u8 vpd[VPD_LEN], csum;
34682 unsigned int vpdr_len, kw_offset, id_len;
34683
34684 + pax_track_stack();
34685 +
34686 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
34687 if (ret < 0)
34688 return ret;
34689 diff -urNp linux-2.6.39.2/drivers/net/cxgb4vf/cxgb4vf_main.c linux-2.6.39.2/drivers/net/cxgb4vf/cxgb4vf_main.c
34690 --- linux-2.6.39.2/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-19 00:06:34.000000000 -0400
34691 +++ linux-2.6.39.2/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-22 19:36:31.000000000 -0400
34692 @@ -1572,7 +1572,7 @@ static int cxgb4vf_set_tso(struct net_de
34693 return 0;
34694 }
34695
34696 -static struct ethtool_ops cxgb4vf_ethtool_ops = {
34697 +static const struct ethtool_ops cxgb4vf_ethtool_ops = {
34698 .get_settings = cxgb4vf_get_settings,
34699 .get_drvinfo = cxgb4vf_get_drvinfo,
34700 .get_msglevel = cxgb4vf_get_msglevel,
34701 diff -urNp linux-2.6.39.2/drivers/net/e1000e/82571.c linux-2.6.39.2/drivers/net/e1000e/82571.c
34702 --- linux-2.6.39.2/drivers/net/e1000e/82571.c 2011-05-19 00:06:34.000000000 -0400
34703 +++ linux-2.6.39.2/drivers/net/e1000e/82571.c 2011-05-22 19:36:31.000000000 -0400
34704 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
34705 {
34706 struct e1000_hw *hw = &adapter->hw;
34707 struct e1000_mac_info *mac = &hw->mac;
34708 - struct e1000_mac_operations *func = &mac->ops;
34709 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34710 u32 swsm = 0;
34711 u32 swsm2 = 0;
34712 bool force_clear_smbi = false;
34713 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
34714 er32(ICRXDMTC);
34715 }
34716
34717 -static struct e1000_mac_operations e82571_mac_ops = {
34718 +static const struct e1000_mac_operations e82571_mac_ops = {
34719 /* .check_mng_mode: mac type dependent */
34720 /* .check_for_link: media type dependent */
34721 .id_led_init = e1000e_id_led_init,
34722 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
34723 .read_mac_addr = e1000_read_mac_addr_82571,
34724 };
34725
34726 -static struct e1000_phy_operations e82_phy_ops_igp = {
34727 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34728 .acquire = e1000_get_hw_semaphore_82571,
34729 .check_polarity = e1000_check_polarity_igp,
34730 .check_reset_block = e1000e_check_reset_block_generic,
34731 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
34732 .cfg_on_link_up = NULL,
34733 };
34734
34735 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34736 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34737 .acquire = e1000_get_hw_semaphore_82571,
34738 .check_polarity = e1000_check_polarity_m88,
34739 .check_reset_block = e1000e_check_reset_block_generic,
34740 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
34741 .cfg_on_link_up = NULL,
34742 };
34743
34744 -static struct e1000_phy_operations e82_phy_ops_bm = {
34745 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34746 .acquire = e1000_get_hw_semaphore_82571,
34747 .check_polarity = e1000_check_polarity_m88,
34748 .check_reset_block = e1000e_check_reset_block_generic,
34749 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
34750 .cfg_on_link_up = NULL,
34751 };
34752
34753 -static struct e1000_nvm_operations e82571_nvm_ops = {
34754 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34755 .acquire = e1000_acquire_nvm_82571,
34756 .read = e1000e_read_nvm_eerd,
34757 .release = e1000_release_nvm_82571,
34758 diff -urNp linux-2.6.39.2/drivers/net/e1000e/e1000.h linux-2.6.39.2/drivers/net/e1000e/e1000.h
34759 --- linux-2.6.39.2/drivers/net/e1000e/e1000.h 2011-05-19 00:06:34.000000000 -0400
34760 +++ linux-2.6.39.2/drivers/net/e1000e/e1000.h 2011-05-22 19:36:31.000000000 -0400
34761 @@ -409,9 +409,9 @@ struct e1000_info {
34762 u32 pba;
34763 u32 max_hw_frame_size;
34764 s32 (*get_variants)(struct e1000_adapter *);
34765 - struct e1000_mac_operations *mac_ops;
34766 - struct e1000_phy_operations *phy_ops;
34767 - struct e1000_nvm_operations *nvm_ops;
34768 + const struct e1000_mac_operations *mac_ops;
34769 + const struct e1000_phy_operations *phy_ops;
34770 + const struct e1000_nvm_operations *nvm_ops;
34771 };
34772
34773 /* hardware capability, feature, and workaround flags */
34774 diff -urNp linux-2.6.39.2/drivers/net/e1000e/es2lan.c linux-2.6.39.2/drivers/net/e1000e/es2lan.c
34775 --- linux-2.6.39.2/drivers/net/e1000e/es2lan.c 2011-05-19 00:06:34.000000000 -0400
34776 +++ linux-2.6.39.2/drivers/net/e1000e/es2lan.c 2011-05-22 19:36:31.000000000 -0400
34777 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
34778 {
34779 struct e1000_hw *hw = &adapter->hw;
34780 struct e1000_mac_info *mac = &hw->mac;
34781 - struct e1000_mac_operations *func = &mac->ops;
34782 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34783
34784 /* Set media type */
34785 switch (adapter->pdev->device) {
34786 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
34787 er32(ICRXDMTC);
34788 }
34789
34790 -static struct e1000_mac_operations es2_mac_ops = {
34791 +static const struct e1000_mac_operations es2_mac_ops = {
34792 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
34793 .id_led_init = e1000e_id_led_init,
34794 .check_mng_mode = e1000e_check_mng_mode_generic,
34795 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
34796 .setup_led = e1000e_setup_led_generic,
34797 };
34798
34799 -static struct e1000_phy_operations es2_phy_ops = {
34800 +static const struct e1000_phy_operations es2_phy_ops = {
34801 .acquire = e1000_acquire_phy_80003es2lan,
34802 .check_polarity = e1000_check_polarity_m88,
34803 .check_reset_block = e1000e_check_reset_block_generic,
34804 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
34805 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
34806 };
34807
34808 -static struct e1000_nvm_operations es2_nvm_ops = {
34809 +static const struct e1000_nvm_operations es2_nvm_ops = {
34810 .acquire = e1000_acquire_nvm_80003es2lan,
34811 .read = e1000e_read_nvm_eerd,
34812 .release = e1000_release_nvm_80003es2lan,
34813 diff -urNp linux-2.6.39.2/drivers/net/e1000e/hw.h linux-2.6.39.2/drivers/net/e1000e/hw.h
34814 --- linux-2.6.39.2/drivers/net/e1000e/hw.h 2011-05-19 00:06:34.000000000 -0400
34815 +++ linux-2.6.39.2/drivers/net/e1000e/hw.h 2011-05-22 19:36:31.000000000 -0400
34816 @@ -811,6 +811,7 @@ struct e1000_nvm_operations {
34817 };
34818
34819 struct e1000_mac_info {
34820 + /* cannot be const see e1000_init_mac_params_ich8lan */
34821 struct e1000_mac_operations ops;
34822 u8 addr[ETH_ALEN];
34823 u8 perm_addr[ETH_ALEN];
34824 @@ -852,6 +853,7 @@ struct e1000_mac_info {
34825 };
34826
34827 struct e1000_phy_info {
34828 + /* Cannot be const see e1000_init_phy_params_82571() */
34829 struct e1000_phy_operations ops;
34830
34831 enum e1000_phy_type type;
34832 @@ -886,6 +888,7 @@ struct e1000_phy_info {
34833 };
34834
34835 struct e1000_nvm_info {
34836 + /* cannot be const */
34837 struct e1000_nvm_operations ops;
34838
34839 enum e1000_nvm_type type;
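Review bot: The comment added to struct e1000_nvm_info, `/* cannot be const */`, gives no reason, while the two comments added earlier in this file point at e1000_init_mac_params_ich8lan and e1000_init_phy_params_82571(). It should name the writer in the same form, e.g. `/* cannot be const, see <function that assigns nvm.ops> */`. The three comments also differ in capitalisation and in whether the function name carries `()`. Because these embedded `ops` copies stay writable, the function pointers in them are not protected by the constified template tables elsewhere in this patch, which the comment could state. The same bare comment is added to struct e1000_nvm_info in igb/e1000_hw.h.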
34840 diff -urNp linux-2.6.39.2/drivers/net/e1000e/ich8lan.c linux-2.6.39.2/drivers/net/e1000e/ich8lan.c
34841 --- linux-2.6.39.2/drivers/net/e1000e/ich8lan.c 2011-05-19 00:06:34.000000000 -0400
34842 +++ linux-2.6.39.2/drivers/net/e1000e/ich8lan.c 2011-05-22 19:36:31.000000000 -0400
34843 @@ -3866,7 +3866,7 @@ static void e1000_clear_hw_cntrs_ich8lan
34844 }
34845 }
34846
34847 -static struct e1000_mac_operations ich8_mac_ops = {
34848 +static const struct e1000_mac_operations ich8_mac_ops = {
34849 .id_led_init = e1000e_id_led_init,
34850 /* check_mng_mode dependent on mac type */
34851 .check_for_link = e1000_check_for_copper_link_ich8lan,
34852 @@ -3885,7 +3885,7 @@ static struct e1000_mac_operations ich8_
34853 /* id_led_init dependent on mac type */
34854 };
34855
34856 -static struct e1000_phy_operations ich8_phy_ops = {
34857 +static const struct e1000_phy_operations ich8_phy_ops = {
34858 .acquire = e1000_acquire_swflag_ich8lan,
34859 .check_reset_block = e1000_check_reset_block_ich8lan,
34860 .commit = NULL,
34861 @@ -3899,7 +3899,7 @@ static struct e1000_phy_operations ich8_
34862 .write_reg = e1000e_write_phy_reg_igp,
34863 };
34864
34865 -static struct e1000_nvm_operations ich8_nvm_ops = {
34866 +static const struct e1000_nvm_operations ich8_nvm_ops = {
34867 .acquire = e1000_acquire_nvm_ich8lan,
34868 .read = e1000_read_nvm_ich8lan,
34869 .release = e1000_release_nvm_ich8lan,
34870 diff -urNp linux-2.6.39.2/drivers/net/greth.c linux-2.6.39.2/drivers/net/greth.c
34871 --- linux-2.6.39.2/drivers/net/greth.c 2011-05-19 00:06:34.000000000 -0400
34872 +++ linux-2.6.39.2/drivers/net/greth.c 2011-05-22 19:36:31.000000000 -0400
34873 @@ -1192,7 +1192,7 @@ static const struct ethtool_ops greth_et
34874 .get_link = ethtool_op_get_link,
34875 };
34876
34877 -static struct net_device_ops greth_netdev_ops = {
34878 +static const struct net_device_ops greth_netdev_ops = {
34879 .ndo_open = greth_open,
34880 .ndo_stop = greth_close,
34881 .ndo_start_xmit = greth_start_xmit,
34882 diff -urNp linux-2.6.39.2/drivers/net/hamradio/6pack.c linux-2.6.39.2/drivers/net/hamradio/6pack.c
34883 --- linux-2.6.39.2/drivers/net/hamradio/6pack.c 2011-05-19 00:06:34.000000000 -0400
34884 +++ linux-2.6.39.2/drivers/net/hamradio/6pack.c 2011-05-22 19:36:31.000000000 -0400
34885 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
34886 unsigned char buf[512];
34887 int count1;
34888
34889 + pax_track_stack();
34890 +
34891 if (!count)
34892 return;
34893
34894 diff -urNp linux-2.6.39.2/drivers/net/ibm_newemac/phy.c linux-2.6.39.2/drivers/net/ibm_newemac/phy.c
34895 --- linux-2.6.39.2/drivers/net/ibm_newemac/phy.c 2011-05-19 00:06:34.000000000 -0400
34896 +++ linux-2.6.39.2/drivers/net/ibm_newemac/phy.c 2011-05-22 19:36:31.000000000 -0400
34897 @@ -273,7 +273,7 @@ static int genmii_read_link(struct mii_p
34898 }
34899
34900 /* Generic implementation for most 10/100/1000 PHYs */
34901 -static struct mii_phy_ops generic_phy_ops = {
34902 +static const struct mii_phy_ops generic_phy_ops = {
34903 .setup_aneg = genmii_setup_aneg,
34904 .setup_forced = genmii_setup_forced,
34905 .poll_link = genmii_poll_link,
34906 @@ -337,7 +337,7 @@ static int cis8201_init(struct mii_phy *
34907 return 0;
34908 }
34909
34910 -static struct mii_phy_ops cis8201_phy_ops = {
34911 +static const struct mii_phy_ops cis8201_phy_ops = {
34912 .init = cis8201_init,
34913 .setup_aneg = genmii_setup_aneg,
34914 .setup_forced = genmii_setup_forced,
34915 @@ -417,7 +417,7 @@ static int et1011c_init(struct mii_phy *
34916 return 0;
34917 }
34918
34919 -static struct mii_phy_ops et1011c_phy_ops = {
34920 +static const struct mii_phy_ops et1011c_phy_ops = {
34921 .init = et1011c_init,
34922 .setup_aneg = genmii_setup_aneg,
34923 .setup_forced = genmii_setup_forced,
34924 @@ -436,7 +436,7 @@ static struct mii_phy_def et1011c_phy_de
34925
34926
34927
34928 -static struct mii_phy_ops m88e1111_phy_ops = {
34929 +static const struct mii_phy_ops m88e1111_phy_ops = {
34930 .init = m88e1111_init,
34931 .setup_aneg = genmii_setup_aneg,
34932 .setup_forced = genmii_setup_forced,
34933 @@ -452,7 +452,7 @@ static struct mii_phy_def m88e1111_phy_d
34934 .ops = &m88e1111_phy_ops,
34935 };
34936
34937 -static struct mii_phy_ops m88e1112_phy_ops = {
34938 +static const struct mii_phy_ops m88e1112_phy_ops = {
34939 .init = m88e1112_init,
34940 .setup_aneg = genmii_setup_aneg,
34941 .setup_forced = genmii_setup_forced,
34942 diff -urNp linux-2.6.39.2/drivers/net/ibmveth.c linux-2.6.39.2/drivers/net/ibmveth.c
34943 --- linux-2.6.39.2/drivers/net/ibmveth.c 2011-05-19 00:06:34.000000000 -0400
34944 +++ linux-2.6.39.2/drivers/net/ibmveth.c 2011-05-22 19:36:31.000000000 -0400
34945 @@ -1625,7 +1625,7 @@ static struct vio_device_id ibmveth_devi
34946 };
34947 MODULE_DEVICE_TABLE(vio, ibmveth_device_table);
34948
34949 -static struct dev_pm_ops ibmveth_pm_ops = {
34950 +static const struct dev_pm_ops ibmveth_pm_ops = {
34951 .resume = ibmveth_resume
34952 };
34953
34954 diff -urNp linux-2.6.39.2/drivers/net/igb/e1000_82575.c linux-2.6.39.2/drivers/net/igb/e1000_82575.c
34955 --- linux-2.6.39.2/drivers/net/igb/e1000_82575.c 2011-05-19 00:06:34.000000000 -0400
34956 +++ linux-2.6.39.2/drivers/net/igb/e1000_82575.c 2011-05-22 19:36:31.000000000 -0400
34957 @@ -2029,7 +2029,7 @@ out:
34958 return ret_val;
34959 }
34960
34961 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
34962 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
34963 .init_hw = igb_init_hw_82575,
34964 .check_for_link = igb_check_for_link_82575,
34965 .rar_set = igb_rar_set,
34966 @@ -2037,13 +2037,13 @@ static struct e1000_mac_operations e1000
34967 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
34968 };
34969
34970 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
34971 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
34972 .acquire = igb_acquire_phy_82575,
34973 .get_cfg_done = igb_get_cfg_done_82575,
34974 .release = igb_release_phy_82575,
34975 };
34976
34977 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34978 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34979 .acquire = igb_acquire_nvm_82575,
34980 .read = igb_read_nvm_eerd,
34981 .release = igb_release_nvm_82575,
34982 diff -urNp linux-2.6.39.2/drivers/net/igb/e1000_hw.h linux-2.6.39.2/drivers/net/igb/e1000_hw.h
34983 --- linux-2.6.39.2/drivers/net/igb/e1000_hw.h 2011-05-19 00:06:34.000000000 -0400
34984 +++ linux-2.6.39.2/drivers/net/igb/e1000_hw.h 2011-05-22 19:36:31.000000000 -0400
34985 @@ -342,14 +342,15 @@ struct e1000_nvm_operations {
34986
34987 struct e1000_info {
34988 s32 (*get_invariants)(struct e1000_hw *);
34989 - struct e1000_mac_operations *mac_ops;
34990 - struct e1000_phy_operations *phy_ops;
34991 - struct e1000_nvm_operations *nvm_ops;
34992 + const struct e1000_mac_operations *mac_ops;
34993 + const struct e1000_phy_operations *phy_ops;
34994 + const struct e1000_nvm_operations *nvm_ops;
34995 };
34996
34997 extern const struct e1000_info e1000_82575_info;
34998
34999 struct e1000_mac_info {
35000 + /* cannot be const see igb_get_invariants_82575() */
35001 struct e1000_mac_operations ops;
35002
35003 u8 addr[6];
35004 @@ -388,6 +389,7 @@ struct e1000_mac_info {
35005 };
35006
35007 struct e1000_phy_info {
35008 + /* cannot be const see igb_get_invariants_82575() */
35009 struct e1000_phy_operations ops;
35010
35011 enum e1000_phy_type type;
35012 @@ -423,6 +425,7 @@ struct e1000_phy_info {
35013 };
35014
35015 struct e1000_nvm_info {
35016 + /* cannot be const */
35017 struct e1000_nvm_operations ops;
35018 enum e1000_nvm_type type;
35019 enum e1000_nvm_override override;
35020 diff -urNp linux-2.6.39.2/drivers/net/igbvf/vf.h linux-2.6.39.2/drivers/net/igbvf/vf.h
35021 --- linux-2.6.39.2/drivers/net/igbvf/vf.h 2011-05-19 00:06:34.000000000 -0400
35022 +++ linux-2.6.39.2/drivers/net/igbvf/vf.h 2011-05-22 19:36:31.000000000 -0400
35023 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
35024 };
35025
35026 struct e1000_mac_info {
35027 + /* cannot be const see e1000_init_mac_params_vf() */
35028 struct e1000_mac_operations ops;
35029 u8 addr[6];
35030 u8 perm_addr[6];
35031 diff -urNp linux-2.6.39.2/drivers/net/irda/sh_irda.c linux-2.6.39.2/drivers/net/irda/sh_irda.c
35032 --- linux-2.6.39.2/drivers/net/irda/sh_irda.c 2011-05-19 00:06:34.000000000 -0400
35033 +++ linux-2.6.39.2/drivers/net/irda/sh_irda.c 2011-05-22 19:36:31.000000000 -0400
35034 @@ -307,7 +307,7 @@ static int xir_fte(struct sh_irda_self *
35035 return 0;
35036 }
35037
35038 -static struct sh_irda_xir_func xir_func = {
35039 +static const struct sh_irda_xir_func xir_func = {
35040 .xir_fre = xir_fre,
35041 .xir_trov = xir_trov,
35042 .xir_9 = xir_9,
35043 @@ -321,7 +321,7 @@ static struct sh_irda_xir_func xir_func
35044 *
35045 * MIR/FIR are not supported now
35046 *=====================================*/
35047 -static struct sh_irda_xir_func mfir_func = {
35048 +static const struct sh_irda_xir_func mfir_func = {
35049 .xir_fre = xir_fre,
35050 .xir_trov = xir_trov,
35051 .xir_9 = xir_9,
35052 @@ -400,7 +400,7 @@ static int sir_fte(struct sh_irda_self *
35053 return 0;
35054 }
35055
35056 -static struct sh_irda_xir_func sir_func = {
35057 +static const struct sh_irda_xir_func sir_func = {
35058 .xir_fre = sir_fre,
35059 .xir_trov = sir_trov,
35060 .xir_9 = sir_tot,
35061 @@ -411,7 +411,7 @@ static struct sh_irda_xir_func sir_func
35062 static void sh_irda_set_mode(struct sh_irda_self *self, enum sh_irda_mode mode)
35063 {
35064 struct device *dev = &self->ndev->dev;
35065 - struct sh_irda_xir_func *func;
35066 + const struct sh_irda_xir_func *func;
35067 const char *name;
35068 u16 data;
35069
35070 diff -urNp linux-2.6.39.2/drivers/net/ixgb/ixgb_main.c linux-2.6.39.2/drivers/net/ixgb/ixgb_main.c
35071 --- linux-2.6.39.2/drivers/net/ixgb/ixgb_main.c 2011-05-19 00:06:34.000000000 -0400
35072 +++ linux-2.6.39.2/drivers/net/ixgb/ixgb_main.c 2011-05-22 19:36:31.000000000 -0400
35073 @@ -1069,6 +1069,8 @@ ixgb_set_multi(struct net_device *netdev
35074 u32 rctl;
35075 int i;
35076
35077 + pax_track_stack();
35078 +
35079 /* Check for Promiscuous and All Multicast modes */
35080
35081 rctl = IXGB_READ_REG(hw, RCTL);
35082 diff -urNp linux-2.6.39.2/drivers/net/ixgb/ixgb_param.c linux-2.6.39.2/drivers/net/ixgb/ixgb_param.c
35083 --- linux-2.6.39.2/drivers/net/ixgb/ixgb_param.c 2011-05-19 00:06:34.000000000 -0400
35084 +++ linux-2.6.39.2/drivers/net/ixgb/ixgb_param.c 2011-05-22 19:36:31.000000000 -0400
35085 @@ -261,6 +261,9 @@ void __devinit
35086 ixgb_check_options(struct ixgb_adapter *adapter)
35087 {
35088 int bd = adapter->bd_number;
35089 +
35090 + pax_track_stack();
35091 +
35092 if (bd >= IXGB_MAX_NIC) {
35093 pr_notice("Warning: no configuration for board #%i\n", bd);
35094 pr_notice("Using defaults for all values\n");
35095 diff -urNp linux-2.6.39.2/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.39.2/drivers/net/ixgbe/ixgbe_82599.c
35096 --- linux-2.6.39.2/drivers/net/ixgbe/ixgbe_82599.c 2011-05-19 00:06:34.000000000 -0400
35097 +++ linux-2.6.39.2/drivers/net/ixgbe/ixgbe_82599.c 2011-05-22 19:36:31.000000000 -0400
35098 @@ -2099,7 +2099,7 @@ static struct ixgbe_phy_operations phy_o
35099 .check_overtemp = &ixgbe_tn_check_overtemp,
35100 };
35101
35102 -struct ixgbe_info ixgbe_82599_info = {
35103 +const struct ixgbe_info ixgbe_82599_info = {
35104 .mac = ixgbe_mac_82599EB,
35105 .get_invariants = &ixgbe_get_invariants_82599,
35106 .mac_ops = &mac_ops_82599,
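Review bot: `ixgbe_82599_info` becomes read-only, but the hunk header shows the definition just before it still begins `static struct ixgbe_phy_operations phy_o…`, without `const`. The function pointers reachable through the info structure may therefore still live in writable data; whether those tables are modified at run time cannot be seen from this hunk. If they are only copied from, declaring them `static const struct ixgbe_phy_operations …` would complete the change, along with the matching member types in struct ixgbe_info, which are outside the hunk. The ixgbe_x540.c hunk has the same shape.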
35107 diff -urNp linux-2.6.39.2/drivers/net/ixgbe/ixgbe.h linux-2.6.39.2/drivers/net/ixgbe/ixgbe.h
35108 --- linux-2.6.39.2/drivers/net/ixgbe/ixgbe.h 2011-05-19 00:06:34.000000000 -0400
35109 +++ linux-2.6.39.2/drivers/net/ixgbe/ixgbe.h 2011-05-22 19:36:31.000000000 -0400
35110 @@ -493,8 +493,8 @@ enum ixgbe_boards {
35111 };
35112
35113 extern struct ixgbe_info ixgbe_82598_info;
35114 -extern struct ixgbe_info ixgbe_82599_info;
35115 -extern struct ixgbe_info ixgbe_X540_info;
35116 +extern const struct ixgbe_info ixgbe_82599_info;
35117 +extern const struct ixgbe_info ixgbe_X540_info;
35118 #ifdef CONFIG_IXGBE_DCB
35119 extern const struct dcbnl_rtnl_ops dcbnl_ops;
35120 extern int ixgbe_copy_dcb_cfg(struct ixgbe_dcb_config *src_dcb_cfg,
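Review bot: `extern struct ixgbe_info ixgbe_82598_info;` on the context line directly above the change stays non-const while the 82599 and X540 declarations become `const`, so one of the three board tables remains writable. If nothing writes to it, it should follow the same pattern, `extern const struct ixgbe_info ixgbe_82598_info;`, together with its definition, which is not part of the visible hunks. If it has to stay writable, a short comment naming the writer would explain the exception.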
35121 diff -urNp linux-2.6.39.2/drivers/net/ixgbe/ixgbe_x540.c linux-2.6.39.2/drivers/net/ixgbe/ixgbe_x540.c
35122 --- linux-2.6.39.2/drivers/net/ixgbe/ixgbe_x540.c 2011-05-19 00:06:34.000000000 -0400
35123 +++ linux-2.6.39.2/drivers/net/ixgbe/ixgbe_x540.c 2011-05-22 19:36:31.000000000 -0400
35124 @@ -727,7 +727,7 @@ static struct ixgbe_phy_operations phy_o
35125 .check_overtemp = &ixgbe_tn_check_overtemp,
35126 };
35127
35128 -struct ixgbe_info ixgbe_X540_info = {
35129 +const struct ixgbe_info ixgbe_X540_info = {
35130 .mac = ixgbe_mac_X540,
35131 .get_invariants = &ixgbe_get_invariants_X540,
35132 .mac_ops = &mac_ops_X540,
35133 diff -urNp linux-2.6.39.2/drivers/net/ixgbevf/ethtool.c linux-2.6.39.2/drivers/net/ixgbevf/ethtool.c
35134 --- linux-2.6.39.2/drivers/net/ixgbevf/ethtool.c 2011-05-19 00:06:34.000000000 -0400
35135 +++ linux-2.6.39.2/drivers/net/ixgbevf/ethtool.c 2011-05-22 19:36:31.000000000 -0400
35136 @@ -709,7 +709,7 @@ static int ixgbevf_nway_reset(struct net
35137 return 0;
35138 }
35139
35140 -static struct ethtool_ops ixgbevf_ethtool_ops = {
35141 +static const struct ethtool_ops ixgbevf_ethtool_ops = {
35142 .get_settings = ixgbevf_get_settings,
35143 .get_drvinfo = ixgbevf_get_drvinfo,
35144 .get_regs_len = ixgbevf_get_regs_len,
35145 diff -urNp linux-2.6.39.2/drivers/net/ixgbevf/ixgbevf.h linux-2.6.39.2/drivers/net/ixgbevf/ixgbevf.h
35146 --- linux-2.6.39.2/drivers/net/ixgbevf/ixgbevf.h 2011-05-19 00:06:34.000000000 -0400
35147 +++ linux-2.6.39.2/drivers/net/ixgbevf/ixgbevf.h 2011-05-22 19:36:31.000000000 -0400
35148 @@ -279,7 +279,7 @@ enum ixgbevf_boards {
35149
35150 extern struct ixgbevf_info ixgbevf_82599_vf_info;
35151 extern struct ixgbevf_info ixgbevf_X540_vf_info;
35152 -extern struct ixgbe_mac_operations ixgbevf_mbx_ops;
35153 +extern const struct ixgbe_mac_operations ixgbevf_mbx_ops;
35154
35155 /* needed by ethtool.c */
35156 extern char ixgbevf_driver_name[];
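Review bot: The two context lines above the change, `extern struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern struct ixgbevf_info ixgbevf_X540_vf_info;`, stay non-const although the vf.c hunks in this patch change both definitions to `const struct ixgbevf_info`. Declaration and definition then disagree on the qualifier: a file that sees both fails to compile, and a file that sees only this header is allowed to write to an object that may sit in read-only data. Both declarations should gain the qualifier, `extern const struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern const struct ixgbevf_info ixgbevf_X540_vf_info;`.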
35157 diff -urNp linux-2.6.39.2/drivers/net/ixgbevf/vf.c linux-2.6.39.2/drivers/net/ixgbevf/vf.c
35158 --- linux-2.6.39.2/drivers/net/ixgbevf/vf.c 2011-05-19 00:06:34.000000000 -0400
35159 +++ linux-2.6.39.2/drivers/net/ixgbevf/vf.c 2011-05-22 19:36:31.000000000 -0400
35160 @@ -368,7 +368,7 @@ static s32 ixgbevf_check_mac_link_vf(str
35161 return 0;
35162 }
35163
35164 -static struct ixgbe_mac_operations ixgbevf_mac_ops = {
35165 +static const struct ixgbe_mac_operations ixgbevf_mac_ops = {
35166 .init_hw = ixgbevf_init_hw_vf,
35167 .reset_hw = ixgbevf_reset_hw_vf,
35168 .start_hw = ixgbevf_start_hw_vf,
35169 @@ -381,12 +381,12 @@ static struct ixgbe_mac_operations ixgbe
35170 .set_vfta = ixgbevf_set_vfta_vf,
35171 };
35172
35173 -struct ixgbevf_info ixgbevf_82599_vf_info = {
35174 +const struct ixgbevf_info ixgbevf_82599_vf_info = {
35175 .mac = ixgbe_mac_82599_vf,
35176 .mac_ops = &ixgbevf_mac_ops,
35177 };
35178
35179 -struct ixgbevf_info ixgbevf_X540_vf_info = {
35180 +const struct ixgbevf_info ixgbevf_X540_vf_info = {
35181 .mac = ixgbe_mac_X540_vf,
35182 .mac_ops = &ixgbevf_mac_ops,
35183 };
35184 diff -urNp linux-2.6.39.2/drivers/net/ixgbevf/vf.h linux-2.6.39.2/drivers/net/ixgbevf/vf.h
35185 --- linux-2.6.39.2/drivers/net/ixgbevf/vf.h 2011-05-19 00:06:34.000000000 -0400
35186 +++ linux-2.6.39.2/drivers/net/ixgbevf/vf.h 2011-05-22 19:36:31.000000000 -0400
35187 @@ -166,7 +166,7 @@ struct ixgbevf_hw_stats {
35188
35189 struct ixgbevf_info {
35190 enum ixgbe_mac_type mac;
35191 - struct ixgbe_mac_operations *mac_ops;
35192 + const struct ixgbe_mac_operations *mac_ops;
35193 };
35194
35195 #endif /* __IXGBE_VF_H__ */
35196 diff -urNp linux-2.6.39.2/drivers/net/ksz884x.c linux-2.6.39.2/drivers/net/ksz884x.c
35197 --- linux-2.6.39.2/drivers/net/ksz884x.c 2011-05-19 00:06:34.000000000 -0400
35198 +++ linux-2.6.39.2/drivers/net/ksz884x.c 2011-05-22 19:36:31.000000000 -0400
35199 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
35200 int rc;
35201 u64 counter[TOTAL_PORT_COUNTER_NUM];
35202
35203 + pax_track_stack();
35204 +
35205 mutex_lock(&hw_priv->lock);
35206 n = SWITCH_PORT_NUM;
35207 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
35208 @@ -6637,7 +6639,7 @@ static int netdev_set_rx_csum(struct net
35209 return 0;
35210 }
35211
35212 -static struct ethtool_ops netdev_ethtool_ops = {
35213 +static const struct ethtool_ops netdev_ethtool_ops = {
35214 .get_settings = netdev_get_settings,
35215 .set_settings = netdev_set_settings,
35216 .nway_reset = netdev_nway_reset,
35217 diff -urNp linux-2.6.39.2/drivers/net/mlx4/main.c linux-2.6.39.2/drivers/net/mlx4/main.c
35218 --- linux-2.6.39.2/drivers/net/mlx4/main.c 2011-05-19 00:06:34.000000000 -0400
35219 +++ linux-2.6.39.2/drivers/net/mlx4/main.c 2011-05-22 19:36:31.000000000 -0400
35220 @@ -40,6 +40,7 @@
35221 #include <linux/dma-mapping.h>
35222 #include <linux/slab.h>
35223 #include <linux/io-mapping.h>
35224 +#include <linux/sched.h>
35225
35226 #include <linux/mlx4/device.h>
35227 #include <linux/mlx4/doorbell.h>
35228 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
35229 u64 icm_size;
35230 int err;
35231
35232 + pax_track_stack();
35233 +
35234 err = mlx4_QUERY_FW(dev);
35235 if (err) {
35236 if (err == -EACCES)
35237 diff -urNp linux-2.6.39.2/drivers/net/netconsole.c linux-2.6.39.2/drivers/net/netconsole.c
35238 --- linux-2.6.39.2/drivers/net/netconsole.c 2011-05-19 00:06:34.000000000 -0400
35239 +++ linux-2.6.39.2/drivers/net/netconsole.c 2011-05-22 19:36:31.000000000 -0400
35240 @@ -634,7 +634,7 @@ static void drop_netconsole_target(struc
35241 config_item_put(&nt->item);
35242 }
35243
35244 -static struct configfs_group_operations netconsole_subsys_group_ops = {
35245 +static const struct configfs_group_operations netconsole_subsys_group_ops = {
35246 .make_item = make_netconsole_target,
35247 .drop_item = drop_netconsole_target,
35248 };
35249 diff -urNp linux-2.6.39.2/drivers/net/niu.c linux-2.6.39.2/drivers/net/niu.c
35250 --- linux-2.6.39.2/drivers/net/niu.c 2011-05-19 00:06:34.000000000 -0400
35251 +++ linux-2.6.39.2/drivers/net/niu.c 2011-05-22 19:36:31.000000000 -0400
35252 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
35253 int i, num_irqs, err;
35254 u8 first_ldg;
35255
35256 + pax_track_stack();
35257 +
35258 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35259 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35260 ldg_num_map[i] = first_ldg + i;
35261 diff -urNp linux-2.6.39.2/drivers/net/pcnet32.c linux-2.6.39.2/drivers/net/pcnet32.c
35262 --- linux-2.6.39.2/drivers/net/pcnet32.c 2011-05-19 00:06:34.000000000 -0400
35263 +++ linux-2.6.39.2/drivers/net/pcnet32.c 2011-05-22 19:36:31.000000000 -0400
35264 @@ -82,7 +82,7 @@ static int cards_found;
35265 /*
35266 * VLB I/O addresses
35267 */
35268 -static unsigned int pcnet32_portlist[] __initdata =
35269 +static unsigned int pcnet32_portlist[] __devinitdata =
35270 { 0x300, 0x320, 0x340, 0x360, 0 };
35271
35272 static int pcnet32_debug;
35273 @@ -379,7 +379,7 @@ static int pcnet32_wio_check(unsigned lo
35274 return inw(addr + PCNET32_WIO_RAP) == 88;
35275 }
35276
35277 -static struct pcnet32_access pcnet32_wio = {
35278 +static const struct pcnet32_access pcnet32_wio = {
35279 .read_csr = pcnet32_wio_read_csr,
35280 .write_csr = pcnet32_wio_write_csr,
35281 .read_bcr = pcnet32_wio_read_bcr,
35282 @@ -434,7 +434,7 @@ static int pcnet32_dwio_check(unsigned l
35283 return (inl(addr + PCNET32_DWIO_RAP) & 0xffff) == 88;
35284 }
35285
35286 -static struct pcnet32_access pcnet32_dwio = {
35287 +static const struct pcnet32_access pcnet32_dwio = {
35288 .read_csr = pcnet32_dwio_read_csr,
35289 .write_csr = pcnet32_dwio_write_csr,
35290 .read_bcr = pcnet32_dwio_read_bcr,
35291 @@ -1546,7 +1546,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35292 int chip_version;
35293 char *chipname;
35294 struct net_device *dev;
35295 - struct pcnet32_access *a = NULL;
35296 + const struct pcnet32_access *a = NULL;
35297 u8 promaddr[6];
35298 int ret = -ENODEV;
35299
35300 diff -urNp linux-2.6.39.2/drivers/net/ppp_generic.c linux-2.6.39.2/drivers/net/ppp_generic.c
35301 --- linux-2.6.39.2/drivers/net/ppp_generic.c 2011-05-19 00:06:34.000000000 -0400
35302 +++ linux-2.6.39.2/drivers/net/ppp_generic.c 2011-05-22 19:36:31.000000000 -0400
35303 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
35304 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
35305 struct ppp_stats stats;
35306 struct ppp_comp_stats cstats;
35307 - char *vers;
35308
35309 switch (cmd) {
35310 case SIOCGPPPSTATS:
35311 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
35312 break;
35313
35314 case SIOCGPPPVER:
35315 - vers = PPP_VERSION;
35316 - if (copy_to_user(addr, vers, strlen(vers) + 1))
35317 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
35318 break;
35319 err = 0;
35320 break;
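Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case equals the string length plus the terminating NUL only while PPP_VERSION expands to a string literal; if it ever became a `char *`, the same line would silently copy a pointer-sized number of bytes. A comment on the line, e.g. `/* PPP_VERSION is a string literal: sizeof includes the NUL */`, would record that assumption. The switch and the function continue outside the hunk.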
35321 diff -urNp linux-2.6.39.2/drivers/net/qlcnic/qlcnic.h linux-2.6.39.2/drivers/net/qlcnic/qlcnic.h
35322 --- linux-2.6.39.2/drivers/net/qlcnic/qlcnic.h 2011-05-19 00:06:34.000000000 -0400
35323 +++ linux-2.6.39.2/drivers/net/qlcnic/qlcnic.h 2011-05-22 19:36:31.000000000 -0400
35324 @@ -1037,7 +1037,7 @@ struct qlcnic_adapter {
35325 struct vlan_group *vlgrp;
35326 struct qlcnic_npar_info *npars;
35327 struct qlcnic_eswitch *eswitch;
35328 - struct qlcnic_nic_template *nic_ops;
35329 + const struct qlcnic_nic_template *nic_ops;
35330
35331 struct qlcnic_adapter_stats stats;
35332
35333 diff -urNp linux-2.6.39.2/drivers/net/qlcnic/qlcnic_main.c linux-2.6.39.2/drivers/net/qlcnic/qlcnic_main.c
35334 --- linux-2.6.39.2/drivers/net/qlcnic/qlcnic_main.c 2011-05-19 00:06:34.000000000 -0400
35335 +++ linux-2.6.39.2/drivers/net/qlcnic/qlcnic_main.c 2011-05-22 19:36:31.000000000 -0400
35336 @@ -340,13 +340,13 @@ static const struct net_device_ops qlcni
35337 #endif
35338 };
35339
35340 -static struct qlcnic_nic_template qlcnic_ops = {
35341 +static const struct qlcnic_nic_template qlcnic_ops = {
35342 .config_bridged_mode = qlcnic_config_bridged_mode,
35343 .config_led = qlcnic_config_led,
35344 .start_firmware = qlcnic_start_firmware
35345 };
35346
35347 -static struct qlcnic_nic_template qlcnic_vf_ops = {
35348 +static const struct qlcnic_nic_template qlcnic_vf_ops = {
35349 .config_bridged_mode = qlcnicvf_config_bridged_mode,
35350 .config_led = qlcnicvf_config_led,
35351 .start_firmware = qlcnicvf_start_firmware
35352 diff -urNp linux-2.6.39.2/drivers/net/qlge/qlge.h linux-2.6.39.2/drivers/net/qlge/qlge.h
35353 --- linux-2.6.39.2/drivers/net/qlge/qlge.h 2011-05-19 00:06:34.000000000 -0400
35354 +++ linux-2.6.39.2/drivers/net/qlge/qlge.h 2011-05-22 19:36:31.000000000 -0400
35355 @@ -2134,7 +2134,7 @@ struct ql_adapter {
35356 struct delayed_work mpi_idc_work;
35357 struct delayed_work mpi_core_to_log;
35358 struct completion ide_completion;
35359 - struct nic_operations *nic_ops;
35360 + const struct nic_operations *nic_ops;
35361 u16 device_id;
35362 struct timer_list timer;
35363 atomic_t lb_count;
35364 diff -urNp linux-2.6.39.2/drivers/net/qlge/qlge_main.c linux-2.6.39.2/drivers/net/qlge/qlge_main.c
35365 --- linux-2.6.39.2/drivers/net/qlge/qlge_main.c 2011-05-19 00:06:34.000000000 -0400
35366 +++ linux-2.6.39.2/drivers/net/qlge/qlge_main.c 2011-05-22 19:36:31.000000000 -0400
35367 @@ -4412,12 +4412,12 @@ error:
35368 rtnl_unlock();
35369 }
35370
35371 -static struct nic_operations qla8012_nic_ops = {
35372 +static const struct nic_operations qla8012_nic_ops = {
35373 .get_flash = ql_get_8012_flash_params,
35374 .port_initialize = ql_8012_port_initialize,
35375 };
35376
35377 -static struct nic_operations qla8000_nic_ops = {
35378 +static const struct nic_operations qla8000_nic_ops = {
35379 .get_flash = ql_get_8000_flash_params,
35380 .port_initialize = ql_8000_port_initialize,
35381 };
35382 diff -urNp linux-2.6.39.2/drivers/net/sfc/falcon.c linux-2.6.39.2/drivers/net/sfc/falcon.c
35383 --- linux-2.6.39.2/drivers/net/sfc/falcon.c 2011-05-19 00:06:34.000000000 -0400
35384 +++ linux-2.6.39.2/drivers/net/sfc/falcon.c 2011-05-22 19:36:31.000000000 -0400
35385 @@ -1703,7 +1703,7 @@ static int falcon_set_wol(struct efx_nic
35386 **************************************************************************
35387 */
35388
35389 -struct efx_nic_type falcon_a1_nic_type = {
35390 +const struct efx_nic_type falcon_a1_nic_type = {
35391 .probe = falcon_probe_nic,
35392 .remove = falcon_remove_nic,
35393 .init = falcon_init_nic,
35394 @@ -1744,7 +1744,7 @@ struct efx_nic_type falcon_a1_nic_type =
35395 .reset_world_flags = ETH_RESET_IRQ,
35396 };
35397
35398 -struct efx_nic_type falcon_b0_nic_type = {
35399 +const struct efx_nic_type falcon_b0_nic_type = {
35400 .probe = falcon_probe_nic,
35401 .remove = falcon_remove_nic,
35402 .init = falcon_init_nic,
35403 diff -urNp linux-2.6.39.2/drivers/net/sfc/mtd.c linux-2.6.39.2/drivers/net/sfc/mtd.c
35404 --- linux-2.6.39.2/drivers/net/sfc/mtd.c 2011-05-19 00:06:34.000000000 -0400
35405 +++ linux-2.6.39.2/drivers/net/sfc/mtd.c 2011-05-22 19:36:31.000000000 -0400
35406 @@ -382,7 +382,7 @@ static int falcon_mtd_sync(struct mtd_in
35407 return rc;
35408 }
35409
35410 -static struct efx_mtd_ops falcon_mtd_ops = {
35411 +static const struct efx_mtd_ops falcon_mtd_ops = {
35412 .read = falcon_mtd_read,
35413 .erase = falcon_mtd_erase,
35414 .write = falcon_mtd_write,
35415 @@ -560,7 +560,7 @@ static int siena_mtd_sync(struct mtd_inf
35416 return rc;
35417 }
35418
35419 -static struct efx_mtd_ops siena_mtd_ops = {
35420 +static const struct efx_mtd_ops siena_mtd_ops = {
35421 .read = siena_mtd_read,
35422 .erase = siena_mtd_erase,
35423 .write = siena_mtd_write,
35424 diff -urNp linux-2.6.39.2/drivers/net/sfc/nic.h linux-2.6.39.2/drivers/net/sfc/nic.h
35425 --- linux-2.6.39.2/drivers/net/sfc/nic.h 2011-05-19 00:06:34.000000000 -0400
35426 +++ linux-2.6.39.2/drivers/net/sfc/nic.h 2011-05-22 19:36:31.000000000 -0400
35427 @@ -152,9 +152,9 @@ struct siena_nic_data {
35428 int wol_filter_id;
35429 };
35430
35431 -extern struct efx_nic_type falcon_a1_nic_type;
35432 -extern struct efx_nic_type falcon_b0_nic_type;
35433 -extern struct efx_nic_type siena_a0_nic_type;
35434 +extern const struct efx_nic_type falcon_a1_nic_type;
35435 +extern const struct efx_nic_type falcon_b0_nic_type;
35436 +extern const struct efx_nic_type siena_a0_nic_type;
35437
35438 /**************************************************************************
35439 *
35440 diff -urNp linux-2.6.39.2/drivers/net/sfc/siena.c linux-2.6.39.2/drivers/net/sfc/siena.c
35441 --- linux-2.6.39.2/drivers/net/sfc/siena.c 2011-05-19 00:06:34.000000000 -0400
35442 +++ linux-2.6.39.2/drivers/net/sfc/siena.c 2011-05-22 19:36:31.000000000 -0400
35443 @@ -599,7 +599,7 @@ static void siena_init_wol(struct efx_ni
35444 **************************************************************************
35445 */
35446
35447 -struct efx_nic_type siena_a0_nic_type = {
35448 +const struct efx_nic_type siena_a0_nic_type = {
35449 .probe = siena_probe_nic,
35450 .remove = siena_remove_nic,
35451 .init = siena_init_nic,
35452 diff -urNp linux-2.6.39.2/drivers/net/sh_eth.c linux-2.6.39.2/drivers/net/sh_eth.c
35453 --- linux-2.6.39.2/drivers/net/sh_eth.c 2011-05-19 00:06:34.000000000 -0400
35454 +++ linux-2.6.39.2/drivers/net/sh_eth.c 2011-05-22 19:36:31.000000000 -0400
35455 @@ -1360,7 +1360,7 @@ static void sh_eth_get_strings(struct ne
35456 }
35457 }
35458
35459 -static struct ethtool_ops sh_eth_ethtool_ops = {
35460 +static const struct ethtool_ops sh_eth_ethtool_ops = {
35461 .get_settings = sh_eth_get_settings,
35462 .set_settings = sh_eth_set_settings,
35463 .nway_reset = sh_eth_nway_reset,
35464 diff -urNp linux-2.6.39.2/drivers/net/stmmac/stmmac_ethtool.c linux-2.6.39.2/drivers/net/stmmac/stmmac_ethtool.c
35465 --- linux-2.6.39.2/drivers/net/stmmac/stmmac_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35466 +++ linux-2.6.39.2/drivers/net/stmmac/stmmac_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35467 @@ -348,7 +348,7 @@ static int stmmac_set_wol(struct net_dev
35468 return 0;
35469 }
35470
35471 -static struct ethtool_ops stmmac_ethtool_ops = {
35472 +static const struct ethtool_ops stmmac_ethtool_ops = {
35473 .begin = stmmac_check_if_running,
35474 .get_drvinfo = stmmac_ethtool_getdrvinfo,
35475 .get_settings = stmmac_ethtool_getsettings,
35476 diff -urNp linux-2.6.39.2/drivers/net/sungem_phy.c linux-2.6.39.2/drivers/net/sungem_phy.c
35477 --- linux-2.6.39.2/drivers/net/sungem_phy.c 2011-05-19 00:06:34.000000000 -0400
35478 +++ linux-2.6.39.2/drivers/net/sungem_phy.c 2011-05-22 19:36:31.000000000 -0400
35479 @@ -886,7 +886,7 @@ static int marvell_read_link(struct mii_
35480 SUPPORTED_1000baseT_Half | SUPPORTED_1000baseT_Full)
35481
35482 /* Broadcom BCM 5201 */
35483 -static struct mii_phy_ops bcm5201_phy_ops = {
35484 +static const struct mii_phy_ops bcm5201_phy_ops = {
35485 .init = bcm5201_init,
35486 .suspend = bcm5201_suspend,
35487 .setup_aneg = genmii_setup_aneg,
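Review bot: The `mii_phy_def` tables that point at these ops structures stay plain `static struct mii_phy_def` (visible in the following hunk headers and in the `.ops = &bcm5421k2_phy_ops` context line), so the pointer to each now-const ops table still sits in writable data. If nothing assigns to those definitions after initialisation, which the hunks do not show, declaring them `static const struct mii_phy_def` would cover the pointer as well. This applies to every `*_phy_ops` hunk in sungem_phy.c. The initialiser of bcm5201_phy_ops continues past the end of this hunk.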
35488 @@ -905,7 +905,7 @@ static struct mii_phy_def bcm5201_phy_de
35489 };
35490
35491 /* Broadcom BCM 5221 */
35492 -static struct mii_phy_ops bcm5221_phy_ops = {
35493 +static const struct mii_phy_ops bcm5221_phy_ops = {
35494 .suspend = bcm5221_suspend,
35495 .init = bcm5221_init,
35496 .setup_aneg = genmii_setup_aneg,
35497 @@ -924,7 +924,7 @@ static struct mii_phy_def bcm5221_phy_de
35498 };
35499
35500 /* Broadcom BCM 5241 */
35501 -static struct mii_phy_ops bcm5241_phy_ops = {
35502 +static const struct mii_phy_ops bcm5241_phy_ops = {
35503 .suspend = bcm5241_suspend,
35504 .init = bcm5241_init,
35505 .setup_aneg = genmii_setup_aneg,
35506 @@ -942,7 +942,7 @@ static struct mii_phy_def bcm5241_phy_de
35507 };
35508
35509 /* Broadcom BCM 5400 */
35510 -static struct mii_phy_ops bcm5400_phy_ops = {
35511 +static const struct mii_phy_ops bcm5400_phy_ops = {
35512 .init = bcm5400_init,
35513 .suspend = bcm5400_suspend,
35514 .setup_aneg = bcm54xx_setup_aneg,
35515 @@ -961,7 +961,7 @@ static struct mii_phy_def bcm5400_phy_de
35516 };
35517
35518 /* Broadcom BCM 5401 */
35519 -static struct mii_phy_ops bcm5401_phy_ops = {
35520 +static const struct mii_phy_ops bcm5401_phy_ops = {
35521 .init = bcm5401_init,
35522 .suspend = bcm5401_suspend,
35523 .setup_aneg = bcm54xx_setup_aneg,
35524 @@ -980,7 +980,7 @@ static struct mii_phy_def bcm5401_phy_de
35525 };
35526
35527 /* Broadcom BCM 5411 */
35528 -static struct mii_phy_ops bcm5411_phy_ops = {
35529 +static const struct mii_phy_ops bcm5411_phy_ops = {
35530 .init = bcm5411_init,
35531 .suspend = generic_suspend,
35532 .setup_aneg = bcm54xx_setup_aneg,
35533 @@ -999,7 +999,7 @@ static struct mii_phy_def bcm5411_phy_de
35534 };
35535
35536 /* Broadcom BCM 5421 */
35537 -static struct mii_phy_ops bcm5421_phy_ops = {
35538 +static const struct mii_phy_ops bcm5421_phy_ops = {
35539 .init = bcm5421_init,
35540 .suspend = generic_suspend,
35541 .setup_aneg = bcm54xx_setup_aneg,
35542 @@ -1019,7 +1019,7 @@ static struct mii_phy_def bcm5421_phy_de
35543 };
35544
35545 /* Broadcom BCM 5421 built-in K2 */
35546 -static struct mii_phy_ops bcm5421k2_phy_ops = {
35547 +static const struct mii_phy_ops bcm5421k2_phy_ops = {
35548 .init = bcm5421_init,
35549 .suspend = generic_suspend,
35550 .setup_aneg = bcm54xx_setup_aneg,
35551 @@ -1037,7 +1037,7 @@ static struct mii_phy_def bcm5421k2_phy_
35552 .ops = &bcm5421k2_phy_ops
35553 };
35554
35555 -static struct mii_phy_ops bcm5461_phy_ops = {
35556 +static const struct mii_phy_ops bcm5461_phy_ops = {
35557 .init = bcm5421_init,
35558 .suspend = generic_suspend,
35559 .setup_aneg = bcm54xx_setup_aneg,
35560 @@ -1057,7 +1057,7 @@ static struct mii_phy_def bcm5461_phy_de
35561 };
35562
35563 /* Broadcom BCM 5462 built-in Vesta */
35564 -static struct mii_phy_ops bcm5462V_phy_ops = {
35565 +static const struct mii_phy_ops bcm5462V_phy_ops = {
35566 .init = bcm5421_init,
35567 .suspend = generic_suspend,
35568 .setup_aneg = bcm54xx_setup_aneg,
35569 @@ -1076,7 +1076,7 @@ static struct mii_phy_def bcm5462V_phy_d
35570 };
35571
35572 /* Marvell 88E1101 amd 88E1111 */
35573 -static struct mii_phy_ops marvell88e1101_phy_ops = {
35574 +static const struct mii_phy_ops marvell88e1101_phy_ops = {
35575 .suspend = generic_suspend,
35576 .setup_aneg = marvell_setup_aneg,
35577 .setup_forced = marvell_setup_forced,
35578 @@ -1084,7 +1084,7 @@ static struct mii_phy_ops marvell88e1101
35579 .read_link = marvell_read_link
35580 };
35581
35582 -static struct mii_phy_ops marvell88e1111_phy_ops = {
35583 +static const struct mii_phy_ops marvell88e1111_phy_ops = {
35584 .init = marvell88e1111_init,
35585 .suspend = generic_suspend,
35586 .setup_aneg = marvell_setup_aneg,
35587 @@ -1122,7 +1122,7 @@ static struct mii_phy_def marvell88e1111
35588 };
35589
35590 /* Generic implementation for most 10/100 PHYs */
35591 -static struct mii_phy_ops generic_phy_ops = {
35592 +static const struct mii_phy_ops generic_phy_ops = {
35593 .setup_aneg = genmii_setup_aneg,
35594 .setup_forced = genmii_setup_forced,
35595 .poll_link = genmii_poll_link,
35596 diff -urNp linux-2.6.39.2/drivers/net/tg3.h linux-2.6.39.2/drivers/net/tg3.h
35597 --- linux-2.6.39.2/drivers/net/tg3.h 2011-05-19 00:06:34.000000000 -0400
35598 +++ linux-2.6.39.2/drivers/net/tg3.h 2011-05-22 19:36:31.000000000 -0400
35599 @@ -131,6 +131,7 @@
35600 #define CHIPREV_ID_5750_A0 0x4000
35601 #define CHIPREV_ID_5750_A1 0x4001
35602 #define CHIPREV_ID_5750_A3 0x4003
35603 +#define CHIPREV_ID_5750_C1 0x4201
35604 #define CHIPREV_ID_5750_C2 0x4202
35605 #define CHIPREV_ID_5752_A0_HW 0x5000
35606 #define CHIPREV_ID_5752_A0 0x6000
35607 diff -urNp linux-2.6.39.2/drivers/net/tile/tilepro.c linux-2.6.39.2/drivers/net/tile/tilepro.c
35608 --- linux-2.6.39.2/drivers/net/tile/tilepro.c 2011-05-19 00:06:34.000000000 -0400
35609 +++ linux-2.6.39.2/drivers/net/tile/tilepro.c 2011-05-22 19:36:31.000000000 -0400
35610 @@ -2263,7 +2263,7 @@ static int tile_net_get_mac(struct net_d
35611 }
35612
35613
35614 -static struct net_device_ops tile_net_ops = {
35615 +static const struct net_device_ops tile_net_ops = {
35616 .ndo_open = tile_net_open,
35617 .ndo_stop = tile_net_stop,
35618 .ndo_start_xmit = tile_net_tx,
35619 diff -urNp linux-2.6.39.2/drivers/net/tulip/de2104x.c linux-2.6.39.2/drivers/net/tulip/de2104x.c
35620 --- linux-2.6.39.2/drivers/net/tulip/de2104x.c 2011-05-19 00:06:34.000000000 -0400
35621 +++ linux-2.6.39.2/drivers/net/tulip/de2104x.c 2011-05-22 19:36:31.000000000 -0400
35622 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
35623 struct de_srom_info_leaf *il;
35624 void *bufp;
35625
35626 + pax_track_stack();
35627 +
35628 /* download entire eeprom */
35629 for (i = 0; i < DE_EEPROM_WORDS; i++)
35630 ((__le16 *)ee_data)[i] =
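Review bot: The added `pax_track_stack();` in de21041_get_srom_info has no comment saying which local makes this frame worth tracking; the `ee_data` buffer used just below is declared above the hunk. A one-line comment such as `/* large on-stack ee_data: let PaX stack tracking see this frame */` (wording to be checked against the declaration) would let a later maintainer judge whether the call can go if the buffer does. The same bare call is added in the vxge-main.c, cycx_x25.c, i2400m/usb-fw.c, airo.c, ath5k/debug.c, ath9k and ipw2100.c hunks on this page. The function body starts and ends outside the hunk.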
35631 diff -urNp linux-2.6.39.2/drivers/net/tulip/de4x5.c linux-2.6.39.2/drivers/net/tulip/de4x5.c
35632 --- linux-2.6.39.2/drivers/net/tulip/de4x5.c 2011-05-19 00:06:34.000000000 -0400
35633 +++ linux-2.6.39.2/drivers/net/tulip/de4x5.c 2011-05-22 19:36:31.000000000 -0400
35634 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
35635 for (i=0; i<ETH_ALEN; i++) {
35636 tmp.addr[i] = dev->dev_addr[i];
35637 }
35638 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35639 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35640 break;
35641
35642 case DE4X5_SET_HWADDR: /* Set the hardware address */
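Review bot: An oversized `ioc->len` is reported as `-EFAULT`, the same code as a faulting user pointer, because the new bound is folded into the `copy_to_user` condition. A separate `if (ioc->len > sizeof tmp.addr) return -EINVAL;` ahead of the copy would keep the two failures distinguishable. de4x5_ioctl starts and ends outside the hunk, so whether `ioc->len` is already fixed earlier in this case is not visible.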
35643 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
35644 spin_lock_irqsave(&lp->lock, flags);
35645 memcpy(&statbuf, &lp->pktStats, ioc->len);
35646 spin_unlock_irqrestore(&lp->lock, flags);
35647 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35648 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35649 return -EFAULT;
35650 break;
35651 }
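Review bot: The new `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines earlier, so an oversized length would already have overrun the on-stack `statbuf` before it is rejected. Unless `ioc->len` is fixed to `sizeof statbuf` above the hunk (that part of de4x5_ioctl is not visible), the bound belongs before the lock is taken: `if (ioc->len > sizeof statbuf) return -EINVAL;`. Checking first also keeps a bad length from being reported as `-EFAULT`.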
35652 diff -urNp linux-2.6.39.2/drivers/net/usb/asix.c linux-2.6.39.2/drivers/net/usb/asix.c
35653 --- linux-2.6.39.2/drivers/net/usb/asix.c 2011-05-19 00:06:34.000000000 -0400
35654 +++ linux-2.6.39.2/drivers/net/usb/asix.c 2011-05-22 19:36:31.000000000 -0400
35655 @@ -1098,7 +1098,7 @@ out:
35656 return ret;
35657 }
35658
35659 -static struct ethtool_ops ax88178_ethtool_ops = {
35660 +static const struct ethtool_ops ax88178_ethtool_ops = {
35661 .get_drvinfo = asix_get_drvinfo,
35662 .get_link = asix_get_link,
35663 .get_msglevel = usbnet_get_msglevel,
35664 diff -urNp linux-2.6.39.2/drivers/net/usb/cdc_ncm.c linux-2.6.39.2/drivers/net/usb/cdc_ncm.c
35665 --- linux-2.6.39.2/drivers/net/usb/cdc_ncm.c 2011-06-25 12:55:22.000000000 -0400
35666 +++ linux-2.6.39.2/drivers/net/usb/cdc_ncm.c 2011-06-25 13:00:26.000000000 -0400
35667 @@ -141,7 +141,7 @@ struct cdc_ncm_ctx {
35668 static void cdc_ncm_tx_timeout(unsigned long arg);
35669 static const struct driver_info cdc_ncm_info;
35670 static struct usb_driver cdc_ncm_driver;
35671 -static struct ethtool_ops cdc_ncm_ethtool_ops;
35672 +static const struct ethtool_ops cdc_ncm_ethtool_ops;
35673
35674 static const struct usb_device_id cdc_devs[] = {
35675 { USB_INTERFACE_INFO(USB_CLASS_COMM,
35676 @@ -1258,7 +1258,7 @@ static struct usb_driver cdc_ncm_driver
35677 .supports_autosuspend = 1,
35678 };
35679
35680 -static struct ethtool_ops cdc_ncm_ethtool_ops = {
35681 +static const struct ethtool_ops cdc_ncm_ethtool_ops = {
35682 .get_drvinfo = cdc_ncm_get_drvinfo,
35683 .get_link = usbnet_get_link,
35684 .get_msglevel = usbnet_get_msglevel,
35685 diff -urNp linux-2.6.39.2/drivers/net/usb/hso.c linux-2.6.39.2/drivers/net/usb/hso.c
35686 --- linux-2.6.39.2/drivers/net/usb/hso.c 2011-05-19 00:06:34.000000000 -0400
35687 +++ linux-2.6.39.2/drivers/net/usb/hso.c 2011-05-22 19:36:31.000000000 -0400
35688 @@ -71,7 +71,7 @@
35689 #include <asm/byteorder.h>
35690 #include <linux/serial_core.h>
35691 #include <linux/serial.h>
35692 -
35693 +#include <asm/local.h>
35694
35695 #define MOD_AUTHOR "Option Wireless"
35696 #define MOD_DESCRIPTION "USB High Speed Option driver"
35697 @@ -257,7 +257,7 @@ struct hso_serial {
35698
35699 /* from usb_serial_port */
35700 struct tty_struct *tty;
35701 - int open_count;
35702 + local_t open_count;
35703 spinlock_t serial_lock;
35704
35705 int (*write_data) (struct hso_serial *serial);
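Review bot: `local_t open_count` gives operations that are atomic only with respect to the CPU executing them, while this counter is per device and is read in the URB callbacks, `intr_callback` and `hso_resume` in the later hunks. If those paths can run on a different CPU from open/close without `serial_lock` held, which the hunks do not settle, `atomic_t open_count;` with the `atomic_*` accessors is the type that carries cross-CPU guarantees. A short comment on the field naming the lock or context that protects it would also help. struct hso_serial continues outside the hunk.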
35706 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
35707 struct urb *urb;
35708
35709 urb = serial->rx_urb[0];
35710 - if (serial->open_count > 0) {
35711 + if (local_read(&serial->open_count) > 0) {
35712 count = put_rxbuf_data(urb, serial);
35713 if (count == -1)
35714 return;
35715 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
35716 DUMP1(urb->transfer_buffer, urb->actual_length);
35717
35718 /* Anyone listening? */
35719 - if (serial->open_count == 0)
35720 + if (local_read(&serial->open_count) == 0)
35721 return;
35722
35723 if (status == 0) {
35724 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35725 spin_unlock_irq(&serial->serial_lock);
35726
35727 /* check for port already opened, if not set the termios */
35728 - serial->open_count++;
35729 - if (serial->open_count == 1) {
35730 + if (local_inc_return(&serial->open_count) == 1) {
35731 serial->rx_state = RX_IDLE;
35732 /* Force default termio settings */
35733 _hso_serial_set_termios(tty, NULL);
35734 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
35735 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35736 if (result) {
35737 hso_stop_serial_device(serial->parent);
35738 - serial->open_count--;
35739 + local_dec(&serial->open_count);
35740 kref_put(&serial->parent->ref, hso_serial_ref_free);
35741 }
35742 } else {
35743 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
35744
35745 /* reset the rts and dtr */
35746 /* do the actual close */
35747 - serial->open_count--;
35748 + local_dec(&serial->open_count);
35749
35750 - if (serial->open_count <= 0) {
35751 - serial->open_count = 0;
35752 + if (local_read(&serial->open_count) <= 0) {
35753 + local_set(&serial->open_count, 0);
35754 spin_lock_irq(&serial->serial_lock);
35755 if (serial->tty == tty) {
35756 serial->tty->driver_data = NULL;
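Review bot: In hso_serial_close the decrement and the test remain two steps, `local_dec(...)` followed by `local_read(...) <= 0`. Unless a lock held outside the hunk serialises open and close, the count can change between them, since `serial_lock` is taken only inside the branch. `if (local_dec_return(&serial->open_count) <= 0) {` would match the `local_inc_return` form the commit uses in hso_serial_open. The `local_set(&serial->open_count, 0)` clamp also hides an unbalanced close instead of reporting it. The function continues outside the hunk.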
35757 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
35758
35759 /* the actual setup */
35760 spin_lock_irqsave(&serial->serial_lock, flags);
35761 - if (serial->open_count)
35762 + if (local_read(&serial->open_count))
35763 _hso_serial_set_termios(tty, old);
35764 else
35765 tty->termios = old;
35766 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
35767 D1("Pending read interrupt on port %d\n", i);
35768 spin_lock(&serial->serial_lock);
35769 if (serial->rx_state == RX_IDLE &&
35770 - serial->open_count > 0) {
35771 + local_read(&serial->open_count) > 0) {
35772 /* Setup and send a ctrl req read on
35773 * port i */
35774 if (!serial->rx_urb_filled[0]) {
35775 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35776 /* Start all serial ports */
35777 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35778 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35779 - if (dev2ser(serial_table[i])->open_count) {
35780 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35781 result =
35782 hso_start_serial_device(serial_table[i], GFP_NOIO);
35783 hso_kick_transmit(dev2ser(serial_table[i]));
35784 diff -urNp linux-2.6.39.2/drivers/net/usb/ipheth.c linux-2.6.39.2/drivers/net/usb/ipheth.c
35785 --- linux-2.6.39.2/drivers/net/usb/ipheth.c 2011-05-19 00:06:34.000000000 -0400
35786 +++ linux-2.6.39.2/drivers/net/usb/ipheth.c 2011-05-22 19:36:31.000000000 -0400
35787 @@ -421,7 +421,7 @@ static u32 ipheth_ethtool_op_get_link(st
35788 return netif_carrier_ok(dev->net);
35789 }
35790
35791 -static struct ethtool_ops ops = {
35792 +static const struct ethtool_ops ops = {
35793 .get_link = ipheth_ethtool_op_get_link
35794 };
35795
35796 diff -urNp linux-2.6.39.2/drivers/net/usb/sierra_net.c linux-2.6.39.2/drivers/net/usb/sierra_net.c
35797 --- linux-2.6.39.2/drivers/net/usb/sierra_net.c 2011-05-19 00:06:34.000000000 -0400
35798 +++ linux-2.6.39.2/drivers/net/usb/sierra_net.c 2011-05-22 19:36:31.000000000 -0400
35799 @@ -618,7 +618,7 @@ static u32 sierra_net_get_link(struct ne
35800 return sierra_net_get_private(dev)->link_up && netif_running(net);
35801 }
35802
35803 -static struct ethtool_ops sierra_net_ethtool_ops = {
35804 +static const struct ethtool_ops sierra_net_ethtool_ops = {
35805 .get_drvinfo = sierra_net_get_drvinfo,
35806 .get_link = sierra_net_get_link,
35807 .get_msglevel = usbnet_get_msglevel,
35808 diff -urNp linux-2.6.39.2/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.39.2/drivers/net/vmxnet3/vmxnet3_ethtool.c
35809 --- linux-2.6.39.2/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35810 +++ linux-2.6.39.2/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35811 @@ -631,8 +631,7 @@ vmxnet3_set_rss_indir(struct net_device
35812 * Return with error code if any of the queue indices
35813 * is out of range
35814 */
35815 - if (p->ring_index[i] < 0 ||
35816 - p->ring_index[i] >= adapter->num_rx_queues)
35817 + if (p->ring_index[i] >= adapter->num_rx_queues)
35818 return -EINVAL;
35819 }
35820
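Review bot: Dropping `p->ring_index[i] < 0` is safe only while the elements of `ring_index` are unsigned, and that type is not visible in this hunk. A comment on the remaining test, for example `/* ring_index[] is unsigned, so only the upper bound needs checking */`, would record the assumption for whoever changes the type later. If `adapter->num_rx_queues` is a signed type, the remaining comparison is mixed-sign and worth a second look. vmxnet3_set_rss_indir continues outside the hunk.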
35821 diff -urNp linux-2.6.39.2/drivers/net/vxge/vxge-main.c linux-2.6.39.2/drivers/net/vxge/vxge-main.c
35822 --- linux-2.6.39.2/drivers/net/vxge/vxge-main.c 2011-05-19 00:06:34.000000000 -0400
35823 +++ linux-2.6.39.2/drivers/net/vxge/vxge-main.c 2011-05-22 19:36:31.000000000 -0400
35824 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35825 struct sk_buff *completed[NR_SKB_COMPLETED];
35826 int more;
35827
35828 + pax_track_stack();
35829 +
35830 do {
35831 more = 0;
35832 skb_ptr = completed;
35833 @@ -1927,6 +1929,8 @@ static enum vxge_hw_status vxge_rth_conf
35834 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35835 int index;
35836
35837 + pax_track_stack();
35838 +
35839 /*
35840 * Filling
35841 * - itable with bucket numbers
35842 diff -urNp linux-2.6.39.2/drivers/net/wan/cycx_x25.c linux-2.6.39.2/drivers/net/wan/cycx_x25.c
35843 --- linux-2.6.39.2/drivers/net/wan/cycx_x25.c 2011-05-19 00:06:34.000000000 -0400
35844 +++ linux-2.6.39.2/drivers/net/wan/cycx_x25.c 2011-05-22 19:36:31.000000000 -0400
35845 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
35846 unsigned char hex[1024],
35847 * phex = hex;
35848
35849 + pax_track_stack();
35850 +
35851 if (len >= (sizeof(hex) / 2))
35852 len = (sizeof(hex) / 2) - 1;
35853
35854 diff -urNp linux-2.6.39.2/drivers/net/wan/lapbether.c linux-2.6.39.2/drivers/net/wan/lapbether.c
35855 --- linux-2.6.39.2/drivers/net/wan/lapbether.c 2011-05-19 00:06:34.000000000 -0400
35856 +++ linux-2.6.39.2/drivers/net/wan/lapbether.c 2011-05-22 19:36:31.000000000 -0400
35857 @@ -259,7 +259,7 @@ static int lapbeth_set_mac_address(struc
35858 }
35859
35860
35861 -static struct lapb_register_struct lapbeth_callbacks = {
35862 +static const struct lapb_register_struct lapbeth_callbacks = {
35863 .connect_confirmation = lapbeth_connected,
35864 .connect_indication = lapbeth_connected,
35865 .disconnect_confirmation = lapbeth_disconnected,
35866 diff -urNp linux-2.6.39.2/drivers/net/wan/x25_asy.c linux-2.6.39.2/drivers/net/wan/x25_asy.c
35867 --- linux-2.6.39.2/drivers/net/wan/x25_asy.c 2011-05-19 00:06:34.000000000 -0400
35868 +++ linux-2.6.39.2/drivers/net/wan/x25_asy.c 2011-05-22 19:36:31.000000000 -0400
35869 @@ -434,7 +434,7 @@ static void x25_asy_disconnected(struct
35870 netif_rx(skb);
35871 }
35872
35873 -static struct lapb_register_struct x25_asy_callbacks = {
35874 +static const struct lapb_register_struct x25_asy_callbacks = {
35875 .connect_confirmation = x25_asy_connected,
35876 .connect_indication = x25_asy_connected,
35877 .disconnect_confirmation = x25_asy_disconnected,
35878 diff -urNp linux-2.6.39.2/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.39.2/drivers/net/wimax/i2400m/usb-fw.c
35879 --- linux-2.6.39.2/drivers/net/wimax/i2400m/usb-fw.c 2011-05-19 00:06:34.000000000 -0400
35880 +++ linux-2.6.39.2/drivers/net/wimax/i2400m/usb-fw.c 2011-05-22 19:36:31.000000000 -0400
35881 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
35882 int do_autopm = 1;
35883 DECLARE_COMPLETION_ONSTACK(notif_completion);
35884
35885 + pax_track_stack();
35886 +
35887 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
35888 i2400m, ack, ack_size);
35889 BUG_ON(_ack == i2400m->bm_ack_buf);
35890 diff -urNp linux-2.6.39.2/drivers/net/wireless/airo.c linux-2.6.39.2/drivers/net/wireless/airo.c
35891 --- linux-2.6.39.2/drivers/net/wireless/airo.c 2011-05-19 00:06:34.000000000 -0400
35892 +++ linux-2.6.39.2/drivers/net/wireless/airo.c 2011-05-22 19:36:31.000000000 -0400
35893 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
35894 BSSListElement * loop_net;
35895 BSSListElement * tmp_net;
35896
35897 + pax_track_stack();
35898 +
35899 /* Blow away current list of scan results */
35900 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
35901 list_move_tail (&loop_net->list, &ai->network_free_list);
35902 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
35903 WepKeyRid wkr;
35904 int rc;
35905
35906 + pax_track_stack();
35907 +
35908 memset( &mySsid, 0, sizeof( mySsid ) );
35909 kfree (ai->flash);
35910 ai->flash = NULL;
35911 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
35912 __le32 *vals = stats.vals;
35913 int len;
35914
35915 + pax_track_stack();
35916 +
35917 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35918 return -ENOMEM;
35919 data = file->private_data;
35920 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
35921 /* If doLoseSync is not 1, we won't do a Lose Sync */
35922 int doLoseSync = -1;
35923
35924 + pax_track_stack();
35925 +
35926 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35927 return -ENOMEM;
35928 data = file->private_data;
35929 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
35930 int i;
35931 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
35932
35933 + pax_track_stack();
35934 +
35935 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
35936 if (!qual)
35937 return -ENOMEM;
35938 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
35939 CapabilityRid cap_rid;
35940 __le32 *vals = stats_rid.vals;
35941
35942 + pax_track_stack();
35943 +
35944 /* Get stats out of the card */
35945 clear_bit(JOB_WSTATS, &local->jobs);
35946 if (local->power.event) {
35947 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.39.2/drivers/net/wireless/ath/ath5k/debug.c
35948 --- linux-2.6.39.2/drivers/net/wireless/ath/ath5k/debug.c 2011-05-19 00:06:34.000000000 -0400
35949 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath5k/debug.c 2011-05-22 19:36:31.000000000 -0400
35950 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
35951 unsigned int v;
35952 u64 tsf;
35953
35954 + pax_track_stack();
35955 +
35956 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
35957 len += snprintf(buf+len, sizeof(buf)-len,
35958 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
35959 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
35960 unsigned int len = 0;
35961 unsigned int i;
35962
35963 + pax_track_stack();
35964 +
35965 len += snprintf(buf+len, sizeof(buf)-len,
35966 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
35967
35968 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
35969 unsigned int i;
35970 unsigned int v;
35971
35972 + pax_track_stack();
35973 +
35974 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
35975 sc->ah->ah_ant_mode);
35976 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
35977 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
35978 unsigned int len = 0;
35979 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
35980
35981 + pax_track_stack();
35982 +
35983 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
35984 sc->bssidmask);
35985 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
35986 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
35987 unsigned int len = 0;
35988 int i;
35989
35990 + pax_track_stack();
35991 +
35992 len += snprintf(buf+len, sizeof(buf)-len,
35993 "RX\n---------------------\n");
35994 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
35995 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
35996 char buf[700];
35997 unsigned int len = 0;
35998
35999 + pax_track_stack();
36000 +
36001 len += snprintf(buf+len, sizeof(buf)-len,
36002 "HW has PHY error counters:\t%s\n",
36003 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
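Review bot: `len += snprintf(buf+len, sizeof(buf)-len, ...)` in read_file_ani adds the length that would have been written, so once the 700-byte `buf` fills, `len` can pass `sizeof(buf)` and the next `sizeof(buf)-len` wraps. `len += scnprintf(buf+len, sizeof(buf)-len,` returns the bytes actually stored and keeps `len` inside the buffer. The same accumulation appears in the other read_file_* hunks of ath5k/debug.c, ath9k/debug.c and htc_drv_main.c. Whether `len` is clamped before the buffer is copied out to the reader lies outside the hunks.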
36004 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
36005 struct ath5k_buf *bf, *bf0;
36006 int i, n;
36007
36008 + pax_track_stack();
36009 +
36010 len += snprintf(buf+len, sizeof(buf)-len,
36011 "available txbuffers: %d\n", sc->txbuf_len);
36012
36013 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_calib.c
36014 --- linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-19 00:06:34.000000000 -0400
36015 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-22 19:36:31.000000000 -0400
36016 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
36017 s32 i, j, ip, im, nmeasurement;
36018 u8 nchains = get_streams(common->tx_chainmask);
36019
36020 + pax_track_stack();
36021 +
36022 for (ip = 0; ip < MPASS; ip++) {
36023 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
36024 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
36025 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
36026 int i, ip, im, j;
36027 int nmeasurement;
36028
36029 + pax_track_stack();
36030 +
36031 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
36032 if (ah->txchainmask & (1 << i))
36033 num_chains++;
36034 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
36035 --- linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-19 00:06:34.000000000 -0400
36036 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-22 19:36:31.000000000 -0400
36037 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
36038 int theta_low_bin = 0;
36039 int i;
36040
36041 + pax_track_stack();
36042 +
36043 /* disregard any bin that contains <= 16 samples */
36044 thresh_accum_cnt = 16;
36045 scale_factor = 5;
36046 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.39.2/drivers/net/wireless/ath/ath9k/debug.c
36047 --- linux-2.6.39.2/drivers/net/wireless/ath/ath9k/debug.c 2011-05-19 00:06:34.000000000 -0400
36048 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath9k/debug.c 2011-05-22 19:36:31.000000000 -0400
36049 @@ -335,6 +335,8 @@ static ssize_t read_file_interrupt(struc
36050 char buf[512];
36051 unsigned int len = 0;
36052
36053 + pax_track_stack();
36054 +
36055 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
36056 len += snprintf(buf + len, sizeof(buf) - len,
36057 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
36058 @@ -422,6 +424,8 @@ static ssize_t read_file_wiphy(struct fi
36059 u8 addr[ETH_ALEN];
36060 u32 tmp;
36061
36062 + pax_track_stack();
36063 +
36064 len += snprintf(buf + len, sizeof(buf) - len,
36065 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
36066 wiphy_name(sc->hw->wiphy),
36067 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc_drv_main.c
36068 --- linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-19 00:06:34.000000000 -0400
36069 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-22 19:36:31.000000000 -0400
36070 @@ -737,6 +737,8 @@ static ssize_t read_file_tgt_stats(struc
36071 unsigned int len = 0;
36072 int ret = 0;
36073
36074 + pax_track_stack();
36075 +
36076 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
36077
36078 WMI_CMD(WMI_TGT_STATS_CMDID);
36079 @@ -782,6 +784,8 @@ static ssize_t read_file_xmit(struct fil
36080 char buf[512];
36081 unsigned int len = 0;
36082
36083 + pax_track_stack();
36084 +
36085 len += snprintf(buf + len, sizeof(buf) - len,
36086 "%20s : %10u\n", "Buffers queued",
36087 priv->debug.tx_stats.buf_queued);
36088 @@ -831,6 +835,8 @@ static ssize_t read_file_recv(struct fil
36089 char buf[512];
36090 unsigned int len = 0;
36091
36092 + pax_track_stack();
36093 +
36094 len += snprintf(buf + len, sizeof(buf) - len,
36095 "%20s : %10u\n", "SKBs allocated",
36096 priv->debug.rx_stats.skb_allocated);
36097 @@ -1816,7 +1822,7 @@ static void ath9k_htc_set_coverage_class
36098 mutex_unlock(&priv->mutex);
36099 }
36100
36101 -struct ieee80211_ops ath9k_htc_ops = {
36102 +const struct ieee80211_ops ath9k_htc_ops = {
36103 .tx = ath9k_htc_tx,
36104 .start = ath9k_htc_start,
36105 .stop = ath9k_htc_stop,
36106 diff -urNp linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc.h linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc.h
36107 --- linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc.h 2011-05-19 00:06:34.000000000 -0400
36108 +++ linux-2.6.39.2/drivers/net/wireless/ath/ath9k/htc.h 2011-05-22 19:36:31.000000000 -0400
36109 @@ -42,7 +42,7 @@
36110 #define TSF_TO_TU(_h, _l) \
36111 ((((u32)(_h)) << 22) | (((u32)(_l)) >> 10))
36112
36113 -extern struct ieee80211_ops ath9k_htc_ops;
36114 +extern const struct ieee80211_ops ath9k_htc_ops;
36115 extern int htc_modparam_nohwcrypt;
36116
36117 enum htc_phymode {
36118 diff -urNp linux-2.6.39.2/drivers/net/wireless/b43/debugfs.c linux-2.6.39.2/drivers/net/wireless/b43/debugfs.c
36119 --- linux-2.6.39.2/drivers/net/wireless/b43/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36120 +++ linux-2.6.39.2/drivers/net/wireless/b43/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36121 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
36122 struct b43_debugfs_fops {
36123 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
36124 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
36125 - struct file_operations fops;
36126 + const struct file_operations fops;
36127 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
36128 size_t file_struct_offset;
36129 };
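Review bot: Marking only the `fops` member const inside `struct b43_debugfs_fops` stops assignments through that member at compile time, but an instance not itself declared const is normally still placed in writable data, together with its `read` and `write` pointers. If the instances (defined outside this hunk) are never modified after initialisation, declaring them `static const struct b43_debugfs_fops` would put the whole table in read-only memory. The b43legacy/debugfs.c hunk makes the same member-only change.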
36130 diff -urNp linux-2.6.39.2/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.39.2/drivers/net/wireless/b43legacy/debugfs.c
36131 --- linux-2.6.39.2/drivers/net/wireless/b43legacy/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36132 +++ linux-2.6.39.2/drivers/net/wireless/b43legacy/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36133 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
36134 struct b43legacy_debugfs_fops {
36135 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
36136 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
36137 - struct file_operations fops;
36138 + const struct file_operations fops;
36139 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
36140 size_t file_struct_offset;
36141 /* Take wl->irq_lock before calling read/write? */
36142 diff -urNp linux-2.6.39.2/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.39.2/drivers/net/wireless/ipw2x00/ipw2100.c
36143 --- linux-2.6.39.2/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-19 00:06:34.000000000 -0400
36144 +++ linux-2.6.39.2/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-22 19:36:31.000000000 -0400
36145 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
36146 int err;
36147 DECLARE_SSID_BUF(ssid);
36148
36149 + pax_track_stack();
36150 +
36151 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
36152
36153 if (ssid_len)
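Review bot: Nothing next to the added `pax_track_stack();` says why ipw2100_set_essid was selected for stack tracking, and the locals visible in the hunk (`int err`, `DECLARE_SSID_BUF(ssid)`) do not obviously make the frame large. A one-line comment naming the local that motivates the call, in the form `/* <large local> on the stack: keep stack tracking */`, would tell a later maintainer when the call must stay and when it can go. The same applies to the other bare `pax_track_stack()` additions in this part of the patch (read_file_recv, ipw2100_set_key, libipw_process_probe_response, rs_tx_status, rs_fill_link_cmd, wl1271_spi_raw_write and the debugfs readers). The function's declarations start before the hunk, so the deciding local may simply be out of view.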
36154 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
36155 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
36156 int err;
36157
36158 + pax_track_stack();
36159 +
36160 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
36161 idx, keylen, len);
36162
36163 diff -urNp linux-2.6.39.2/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.39.2/drivers/net/wireless/ipw2x00/libipw_rx.c
36164 --- linux-2.6.39.2/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-19 00:06:34.000000000 -0400
36165 +++ linux-2.6.39.2/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-22 19:36:31.000000000 -0400
36166 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
36167 unsigned long flags;
36168 DECLARE_SSID_BUF(ssid);
36169
36170 + pax_track_stack();
36171 +
36172 LIBIPW_DEBUG_SCAN("'%s' (%pM"
36173 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
36174 print_ssid(ssid, info_element->data, info_element->len),
36175 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-3945.c linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-3945.c
36176 --- linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-19 00:06:34.000000000 -0400
36177 +++ linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-22 19:36:31.000000000 -0400
36178 @@ -2630,7 +2630,7 @@ static int iwl3945_load_bsm(struct iwl_p
36179 return 0;
36180 }
36181
36182 -static struct iwl_hcmd_ops iwl3945_hcmd = {
36183 +static const struct iwl_hcmd_ops iwl3945_hcmd = {
36184 .rxon_assoc = iwl3945_send_rxon_assoc,
36185 .commit_rxon = iwl3945_commit_rxon,
36186 };
36187 @@ -2675,7 +2675,7 @@ static const struct iwl_legacy_ops iwl39
36188 .manage_ibss_station = iwl3945_manage_ibss_station,
36189 };
36190
36191 -static struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36192 +static const struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36193 .get_hcmd_size = iwl3945_get_hcmd_size,
36194 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
36195 .request_scan = iwl3945_request_scan,
36196 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.c linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.c
36197 --- linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 12:55:22.000000000 -0400
36198 +++ linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 13:00:26.000000000 -0400
36199 @@ -1902,7 +1902,7 @@ static void iwl4965_rx_handler_setup(str
36200 priv->rx_handlers[BEACON_NOTIFICATION] = iwl4965_rx_beacon_notif;
36201 }
36202
36203 -static struct iwl_hcmd_ops iwl4965_hcmd = {
36204 +static const struct iwl_hcmd_ops iwl4965_hcmd = {
36205 .rxon_assoc = iwl4965_send_rxon_assoc,
36206 .commit_rxon = iwl4965_commit_rxon,
36207 .set_rxon_chain = iwl4965_set_rxon_chain,
36208 @@ -2054,7 +2054,7 @@ static void iwl4965_config_ap(struct iwl
36209 iwl4965_send_beacon_cmd(priv);
36210 }
36211
36212 -static struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36213 +static const struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36214 .get_hcmd_size = iwl4965_get_hcmd_size,
36215 .build_addsta_hcmd = iwl4965_build_addsta_hcmd,
36216 .request_scan = iwl4965_request_scan,
36217 @@ -2112,7 +2112,7 @@ static const struct iwl_legacy_ops iwl49
36218 .update_bcast_stations = iwl4965_update_bcast_stations,
36219 };
36220
36221 -struct ieee80211_ops iwl4965_hw_ops = {
36222 +const struct ieee80211_ops iwl4965_hw_ops = {
36223 .tx = iwl4965_mac_tx,
36224 .start = iwl4965_mac_start,
36225 .stop = iwl4965_mac_stop,
36226 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.h linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.h
36227 --- linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-19 00:06:34.000000000 -0400
36228 +++ linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-22 19:36:32.000000000 -0400
36229 @@ -70,7 +70,7 @@ extern struct iwl_cfg iwl4965_cfg;
36230
36231 extern struct iwl_mod_params iwl4965_mod_params;
36232
36233 -extern struct ieee80211_ops iwl4965_hw_ops;
36234 +extern const struct ieee80211_ops iwl4965_hw_ops;
36235
36236 /* tx queue */
36237 void iwl4965_free_tfds_in_queue(struct iwl_priv *priv,
36238 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-core.h linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-core.h
36239 --- linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36240 +++ linux-2.6.39.2/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36241 @@ -150,7 +150,7 @@ struct iwl_lib_ops {
36242 int (*set_channel_switch)(struct iwl_priv *priv,
36243 struct ieee80211_channel_switch *ch_switch);
36244 /* power management */
36245 - struct iwl_apm_ops apm_ops;
36246 + const struct iwl_apm_ops apm_ops;
36247
36248 /* power */
36249 int (*send_tx_power) (struct iwl_priv *priv);
36250 @@ -160,12 +160,12 @@ struct iwl_lib_ops {
36251 struct iwl_eeprom_ops eeprom_ops;
36252
36253 /* temperature */
36254 - struct iwl_temp_ops temp_ops;
36255 + const struct iwl_temp_ops temp_ops;
36256 /* check for plcp health */
36257 bool (*check_plcp_health)(struct iwl_priv *priv,
36258 struct iwl_rx_packet *pkt);
36259
36260 - struct iwl_debugfs_ops debugfs_ops;
36261 + const struct iwl_debugfs_ops debugfs_ops;
36262
36263 };
36264
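Review bot: `struct iwl_eeprom_ops eeprom_ops;` is left writable in iwl_lib_ops while the neighbouring apm_ops, temp_ops and debugfs_ops members become const, and nothing records whether that is deliberate. If the member cannot be const for a reason outside this hunk, a short comment stating that reason would document the exception; otherwise `const struct iwl_eeprom_ops eeprom_ops;` would match the rest. The iwlwifi copy of this struct (the iwl-core.h hunk at -198,28) leaves the same member out. struct iwl_lib_ops starts before the hunk.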
36265 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-6000.c
36266 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 12:55:22.000000000 -0400
36267 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 13:00:26.000000000 -0400
36268 @@ -420,11 +420,11 @@ static struct iwl_lib_ops iwl6030_lib =
36269 }
36270 };
36271
36272 -static struct iwl_nic_ops iwl6050_nic_ops = {
36273 +static const struct iwl_nic_ops iwl6050_nic_ops = {
36274 .additional_nic_config = &iwl6050_additional_nic_config,
36275 };
36276
36277 -static struct iwl_nic_ops iwl6150_nic_ops = {
36278 +static const struct iwl_nic_ops iwl6150_nic_ops = {
36279 .additional_nic_config = &iwl6150_additional_nic_config,
36280 };
36281
36282 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn.h linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn.h
36283 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-19 00:06:34.000000000 -0400
36284 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-22 19:36:32.000000000 -0400
36285 @@ -109,9 +109,9 @@ extern struct iwl_cfg iwl230_bg_cfg;
36286 extern struct iwl_cfg iwl230_bgn_cfg;
36287
36288 extern struct iwl_mod_params iwlagn_mod_params;
36289 -extern struct iwl_hcmd_ops iwlagn_hcmd;
36290 -extern struct iwl_hcmd_ops iwlagn_bt_hcmd;
36291 -extern struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36292 +extern const struct iwl_hcmd_ops iwlagn_hcmd;
36293 +extern const struct iwl_hcmd_ops iwlagn_bt_hcmd;
36294 +extern const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36295
36296 extern struct ieee80211_ops iwlagn_hw_ops;
36297 extern struct ieee80211_ops iwl4965_hw_ops;
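Review bot: The two `extern struct ieee80211_ops` declarations kept as context (iwlagn_hw_ops, iwl4965_hw_ops) stay non-const while the hcmd tables directly above them are constified, so these callback tables would remain in writable data. Elsewhere in this patch ath9k_htc_ops and the iwlegacy iwl4965_hw_ops do get `const`. The same treatment here would read `extern const struct ieee80211_ops iwlagn_hw_ops;`, provided the definition, which is not in this hunk, is changed to match.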
36298 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c
36299 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 12:55:22.000000000 -0400
36300 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 13:00:26.000000000 -0400
36301 @@ -355,7 +355,7 @@ static int iwlagn_set_pan_params(struct
36302 return ret;
36303 }
36304
36305 -struct iwl_hcmd_ops iwlagn_hcmd = {
36306 +const struct iwl_hcmd_ops iwlagn_hcmd = {
36307 .rxon_assoc = iwlagn_send_rxon_assoc,
36308 .commit_rxon = iwlagn_commit_rxon,
36309 .set_rxon_chain = iwlagn_set_rxon_chain,
36310 @@ -364,7 +364,7 @@ struct iwl_hcmd_ops iwlagn_hcmd = {
36311 .set_pan_params = iwlagn_set_pan_params,
36312 };
36313
36314 -struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36315 +const struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36316 .rxon_assoc = iwlagn_send_rxon_assoc,
36317 .commit_rxon = iwlagn_commit_rxon,
36318 .set_rxon_chain = iwlagn_set_rxon_chain,
36319 @@ -373,7 +373,7 @@ struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36320 .set_pan_params = iwlagn_set_pan_params,
36321 };
36322
36323 -struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36324 +const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36325 .get_hcmd_size = iwlagn_get_hcmd_size,
36326 .build_addsta_hcmd = iwlagn_build_addsta_hcmd,
36327 .gain_computation = iwlagn_gain_computation,
36328 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36329 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-19 00:06:34.000000000 -0400
36330 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-22 19:36:32.000000000 -0400
36331 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
36332 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
36333 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
36334
36335 + pax_track_stack();
36336 +
36337 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36338
36339 /* Treat uninitialized rate scaling data same as non-existing. */
36340 @@ -2894,6 +2896,8 @@ static void rs_fill_link_cmd(struct iwl_
36341 container_of(lq_sta, struct iwl_station_priv, lq_sta);
36342 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36343
36344 + pax_track_stack();
36345 +
36346 /* Override starting rate (index 0) if needed for debug purposes */
36347 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36348
36349 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-core.h linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-core.h
36350 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36351 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36352 @@ -198,28 +198,25 @@ struct iwl_lib_ops {
36353 int (*set_channel_switch)(struct iwl_priv *priv,
36354 struct ieee80211_channel_switch *ch_switch);
36355 /* power management */
36356 - struct iwl_apm_ops apm_ops;
36357 + const struct iwl_apm_ops apm_ops;
36358
36359 /* power */
36360 int (*send_tx_power) (struct iwl_priv *priv);
36361 void (*update_chain_flags)(struct iwl_priv *priv);
36362
36363 /* isr */
36364 - struct iwl_isr_ops isr_ops;
36365 + const struct iwl_isr_ops isr_ops;
36366
36367 /* eeprom operations (as defined in iwl-eeprom.h) */
36368 struct iwl_eeprom_ops eeprom_ops;
36369
36370 /* temperature */
36371 - struct iwl_temp_ops temp_ops;
36372 + const struct iwl_temp_ops temp_ops;
36373
36374 int (*txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36375 void (*dev_txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36376
36377 - struct iwl_debugfs_ops debugfs_ops;
36378 -
36379 - /* thermal throttling */
36380 - struct iwl_tt_ops tt_ops;
36381 + const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;
36382 };
36383
36384 struct iwl_led_ops {
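Review bot: The added line `const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;` puts two members on one line and drops the `/* thermal throttling */` comment that the removed lines carried. Keeping the original layout with only the qualifier added is easier to read and to compare against the unpatched header: `const struct iwl_debugfs_ops debugfs_ops;`, then `/* thermal throttling */`, then `const struct iwl_tt_ops tt_ops;`. struct iwl_lib_ops starts before the hunk.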
36385 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36386 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-19 00:06:34.000000000 -0400
36387 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-22 19:36:32.000000000 -0400
36388 @@ -549,6 +549,8 @@ static ssize_t iwl_dbgfs_status_read(str
36389 int pos = 0;
36390 const size_t bufsz = sizeof(buf);
36391
36392 + pax_track_stack();
36393 +
36394 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36395 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36396 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
36397 @@ -681,6 +683,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36398 char buf[256 * NUM_IWL_RXON_CTX];
36399 const size_t bufsz = sizeof(buf);
36400
36401 + pax_track_stack();
36402 +
36403 for_each_context(priv, ctx) {
36404 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
36405 ctx->ctxid);
36406 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debug.h
36407 --- linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-19 00:06:34.000000000 -0400
36408 +++ linux-2.6.39.2/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-22 19:36:32.000000000 -0400
36409 @@ -68,8 +68,8 @@ do {
36410 } while (0)
36411
36412 #else
36413 -#define IWL_DEBUG(__priv, level, fmt, args...)
36414 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36415 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36416 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36417 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36418 const void *p, u32 len)
36419 {}
36420 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/cfg80211.c linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/cfg80211.c
36421 --- linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
36422 +++ linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
36423 @@ -763,7 +763,7 @@ static int iwm_cfg80211_flush_pmksa(stru
36424 }
36425
36426
36427 -static struct cfg80211_ops iwm_cfg80211_ops = {
36428 +static const struct cfg80211_ops iwm_cfg80211_ops = {
36429 .change_virtual_intf = iwm_cfg80211_change_iface,
36430 .add_key = iwm_cfg80211_add_key,
36431 .get_key = iwm_cfg80211_get_key,
36432 diff -urNp linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/debugfs.c
36433 --- linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36434 +++ linux-2.6.39.2/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36435 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36436 int buf_len = 512;
36437 size_t len = 0;
36438
36439 + pax_track_stack();
36440 +
36441 if (*ppos != 0)
36442 return 0;
36443 if (count < sizeof(buf))
36444 diff -urNp linux-2.6.39.2/drivers/net/wireless/libertas/cfg.c linux-2.6.39.2/drivers/net/wireless/libertas/cfg.c
36445 --- linux-2.6.39.2/drivers/net/wireless/libertas/cfg.c 2011-05-19 00:06:34.000000000 -0400
36446 +++ linux-2.6.39.2/drivers/net/wireless/libertas/cfg.c 2011-05-22 19:36:32.000000000 -0400
36447 @@ -2003,7 +2003,7 @@ static int lbs_leave_ibss(struct wiphy *
36448 * Initialization
36449 */
36450
36451 -static struct cfg80211_ops lbs_cfg80211_ops = {
36452 +static const struct cfg80211_ops lbs_cfg80211_ops = {
36453 .set_channel = lbs_cfg_set_channel,
36454 .scan = lbs_cfg_scan,
36455 .connect = lbs_cfg_connect,
36456 diff -urNp linux-2.6.39.2/drivers/net/wireless/libertas/debugfs.c linux-2.6.39.2/drivers/net/wireless/libertas/debugfs.c
36457 --- linux-2.6.39.2/drivers/net/wireless/libertas/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36458 +++ linux-2.6.39.2/drivers/net/wireless/libertas/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36459 @@ -702,7 +702,7 @@ out_unlock:
36460 struct lbs_debugfs_files {
36461 const char *name;
36462 int perm;
36463 - struct file_operations fops;
36464 + const struct file_operations fops;
36465 };
36466
36467 static const struct lbs_debugfs_files debugfs_files[] = {
36468 diff -urNp linux-2.6.39.2/drivers/net/wireless/rndis_wlan.c linux-2.6.39.2/drivers/net/wireless/rndis_wlan.c
36469 --- linux-2.6.39.2/drivers/net/wireless/rndis_wlan.c 2011-05-19 00:06:34.000000000 -0400
36470 +++ linux-2.6.39.2/drivers/net/wireless/rndis_wlan.c 2011-05-22 19:36:32.000000000 -0400
36471 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
36472
36473 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
36474
36475 - if (rts_threshold < 0 || rts_threshold > 2347)
36476 + if (rts_threshold > 2347)
36477 rts_threshold = 2347;
36478
36479 tmp = cpu_to_le32(rts_threshold);
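Review bot: Dropping `rts_threshold < 0` is behaviour-preserving only if the parameter is unsigned, and the signature of set_rts_threshold is truncated in the hunk header, so that cannot be confirmed from here. The `%i` in the netdev_dbg context line formats the value as signed. If the type is unsigned, a short comment above the clamp, e.g. `/* rts_threshold is unsigned: only the upper bound needs clamping */`, would keep the dead check from being reintroduced. If it is signed, negative values now bypass the clamp and reach `cpu_to_le32()` unchanged.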
36480 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.c linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.c
36481 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.c 2011-05-19 00:06:34.000000000 -0400
36482 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.c 2011-05-22 19:36:32.000000000 -0400
36483 @@ -1869,7 +1869,7 @@ int rtl_pci_resume(struct pci_dev *pdev)
36484 }
36485 EXPORT_SYMBOL(rtl_pci_resume);
36486
36487 -struct rtl_intf_ops rtl_pci_ops = {
36488 +const struct rtl_intf_ops rtl_pci_ops = {
36489 .adapter_start = rtl_pci_start,
36490 .adapter_stop = rtl_pci_stop,
36491 .adapter_tx = rtl_pci_tx,
36492 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.h linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.h
36493 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.h 2011-05-19 00:06:34.000000000 -0400
36494 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/pci.h 2011-05-22 19:36:32.000000000 -0400
36495 @@ -234,7 +234,7 @@ struct rtl_pci_priv {
36496
36497 int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw);
36498
36499 -extern struct rtl_intf_ops rtl_pci_ops;
36500 +extern const struct rtl_intf_ops rtl_pci_ops;
36501
36502 int __devinit rtl_pci_probe(struct pci_dev *pdev,
36503 const struct pci_device_id *id);
36504 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
36505 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-19 00:06:34.000000000 -0400
36506 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-22 19:36:32.000000000 -0400
36507 @@ -827,6 +827,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
36508 u8 rfpath;
36509 u8 num_total_rfpath = rtlphy->num_total_rfpath;
36510
36511 + pax_track_stack();
36512 +
36513 precommoncmdcnt = 0;
36514 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
36515 MAX_PRECMD_CNT,
36516 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
36517 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-19 00:06:34.000000000 -0400
36518 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-22 19:36:32.000000000 -0400
36519 @@ -96,7 +96,7 @@ void rtl92c_deinit_sw_vars(struct ieee80
36520 }
36521 }
36522
36523 -static struct rtl_hal_ops rtl8192ce_hal_ops = {
36524 +static const struct rtl_hal_ops rtl8192ce_hal_ops = {
36525 .init_sw_vars = rtl92c_init_sw_vars,
36526 .deinit_sw_vars = rtl92c_deinit_sw_vars,
36527 .read_eeprom_info = rtl92ce_read_eeprom_info,
36528 @@ -151,7 +151,7 @@ static struct rtl_mod_params rtl92ce_mod
36529 .sw_crypto = 0,
36530 };
36531
36532 -static struct rtl_hal_cfg rtl92ce_hal_cfg = {
36533 +static const struct rtl_hal_cfg rtl92ce_hal_cfg = {
36534 .name = "rtl92c_pci",
36535 .fw_name = "rtlwifi/rtl8192cfw.bin",
36536 .ops = &rtl8192ce_hal_ops,
36537 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
36538 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-19 00:06:34.000000000 -0400
36539 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-22 19:36:32.000000000 -0400
36540 @@ -77,7 +77,7 @@ static void rtl92cu_deinit_sw_vars(struc
36541 }
36542 }
36543
36544 -static struct rtl_hal_ops rtl8192cu_hal_ops = {
36545 +static const struct rtl_hal_ops rtl8192cu_hal_ops = {
36546 .init_sw_vars = rtl92cu_init_sw_vars,
36547 .deinit_sw_vars = rtl92cu_deinit_sw_vars,
36548 .read_chip_version = rtl92c_read_chip_version,
36549 @@ -147,7 +147,7 @@ static struct rtl_hal_usbint_cfg rtl92cu
36550 .usb_mq_to_hwq = rtl8192cu_mq_to_hwq,
36551 };
36552
36553 -static struct rtl_hal_cfg rtl92cu_hal_cfg = {
36554 +static const struct rtl_hal_cfg rtl92cu_hal_cfg = {
36555 .name = "rtl92c_usb",
36556 .fw_name = "rtlwifi/rtl8192cufw.bin",
36557 .ops = &rtl8192cu_hal_ops,
36558 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/usb.c linux-2.6.39.2/drivers/net/wireless/rtlwifi/usb.c
36559 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/usb.c 2011-05-19 00:06:34.000000000 -0400
36560 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/usb.c 2011-05-22 19:36:32.000000000 -0400
36561 @@ -913,7 +913,7 @@ static bool rtl_usb_tx_chk_waitq_insert(
36562 return false;
36563 }
36564
36565 -static struct rtl_intf_ops rtl_usb_ops = {
36566 +static const struct rtl_intf_ops rtl_usb_ops = {
36567 .adapter_start = rtl_usb_start,
36568 .adapter_stop = rtl_usb_stop,
36569 .adapter_tx = rtl_usb_tx,
36570 diff -urNp linux-2.6.39.2/drivers/net/wireless/rtlwifi/wifi.h linux-2.6.39.2/drivers/net/wireless/rtlwifi/wifi.h
36571 --- linux-2.6.39.2/drivers/net/wireless/rtlwifi/wifi.h 2011-05-19 00:06:34.000000000 -0400
36572 +++ linux-2.6.39.2/drivers/net/wireless/rtlwifi/wifi.h 2011-05-22 19:36:32.000000000 -0400
36573 @@ -1447,7 +1447,7 @@ struct rtl_hal_cfg {
36574 u8 bar_id;
36575 char *name;
36576 char *fw_name;
36577 - struct rtl_hal_ops *ops;
36578 + const struct rtl_hal_ops *ops;
36579 struct rtl_mod_params *mod_params;
36580 struct rtl_hal_usbint_cfg *usb_interface_cfg;
36581
36582 @@ -1533,7 +1533,7 @@ struct rtl_priv {
36583 *intf_ops : for diff interrface usb/pcie
36584 */
36585 struct rtl_hal_cfg *cfg;
36586 - struct rtl_intf_ops *intf_ops;
36587 + const struct rtl_intf_ops *intf_ops;
36588
36589 /*this var will be set by set_bit,
36590 and was used to indicate status of
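Review bot: `struct rtl_hal_cfg *cfg;` in struct rtl_priv stays non-const although the sw.c hunks of this patch make rtl92ce_hal_cfg and rtl92cu_hal_cfg `static const`. Any code that stores the address of one of those objects in this member has to drop the qualifier, and a later write through `rtlpriv->cfg` would then target read-only data. Whether such a write exists is outside the visible hunks. Declaring the member as `const struct rtl_hal_cfg *cfg;`, alongside the `intf_ops` change, would let the compiler catch it.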
36591 diff -urNp linux-2.6.39.2/drivers/net/wireless/wl12xx/spi.c linux-2.6.39.2/drivers/net/wireless/wl12xx/spi.c
36592 --- linux-2.6.39.2/drivers/net/wireless/wl12xx/spi.c 2011-05-19 00:06:34.000000000 -0400
36593 +++ linux-2.6.39.2/drivers/net/wireless/wl12xx/spi.c 2011-05-22 19:36:32.000000000 -0400
36594 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
36595 u32 chunk_len;
36596 int i;
36597
36598 + pax_track_stack();
36599 +
36600 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
36601
36602 spi_message_init(&m);
36603 diff -urNp linux-2.6.39.2/drivers/net/xen-netback/interface.c linux-2.6.39.2/drivers/net/xen-netback/interface.c
36604 --- linux-2.6.39.2/drivers/net/xen-netback/interface.c 2011-05-19 00:06:34.000000000 -0400
36605 +++ linux-2.6.39.2/drivers/net/xen-netback/interface.c 2011-05-22 19:36:32.000000000 -0400
36606 @@ -273,7 +273,7 @@ static void xenvif_get_strings(struct ne
36607 }
36608 }
36609
36610 -static struct ethtool_ops xenvif_ethtool_ops = {
36611 +static const struct ethtool_ops xenvif_ethtool_ops = {
36612 .get_tx_csum = ethtool_op_get_tx_csum,
36613 .set_tx_csum = xenvif_set_tx_csum,
36614 .get_sg = ethtool_op_get_sg,
36615 diff -urNp linux-2.6.39.2/drivers/net/xilinx_emaclite.c linux-2.6.39.2/drivers/net/xilinx_emaclite.c
36616 --- linux-2.6.39.2/drivers/net/xilinx_emaclite.c 2011-05-19 00:06:34.000000000 -0400
36617 +++ linux-2.6.39.2/drivers/net/xilinx_emaclite.c 2011-05-22 19:36:32.000000000 -0400
36618 @@ -1085,7 +1085,7 @@ static bool get_bool(struct platform_dev
36619 }
36620 }
36621
36622 -static struct net_device_ops xemaclite_netdev_ops;
36623 +static const struct net_device_ops xemaclite_netdev_ops;
36624
36625 /**
36626 * xemaclite_of_probe - Probe method for the Emaclite device.
36627 @@ -1264,7 +1264,7 @@ xemaclite_poll_controller(struct net_dev
36628 }
36629 #endif
36630
36631 -static struct net_device_ops xemaclite_netdev_ops = {
36632 +static const struct net_device_ops xemaclite_netdev_ops = {
36633 .ndo_open = xemaclite_open,
36634 .ndo_stop = xemaclite_close,
36635 .ndo_start_xmit = xemaclite_send,
36636 diff -urNp linux-2.6.39.2/drivers/nfc/pn544.c linux-2.6.39.2/drivers/nfc/pn544.c
36637 --- linux-2.6.39.2/drivers/nfc/pn544.c 2011-05-19 00:06:34.000000000 -0400
36638 +++ linux-2.6.39.2/drivers/nfc/pn544.c 2011-05-22 19:36:32.000000000 -0400
36639 @@ -89,7 +89,7 @@ static ssize_t pn544_test(struct device
36640
36641 static int pn544_enable(struct pn544_info *info, int mode)
36642 {
36643 - struct pn544_nfc_platform_data *pdata;
36644 + const struct pn544_nfc_platform_data *pdata;
36645 struct i2c_client *client = info->i2c_dev;
36646
36647 int r;
36648 @@ -118,7 +118,7 @@ static int pn544_enable(struct pn544_inf
36649
36650 static void pn544_disable(struct pn544_info *info)
36651 {
36652 - struct pn544_nfc_platform_data *pdata;
36653 + const struct pn544_nfc_platform_data *pdata;
36654 struct i2c_client *client = info->i2c_dev;
36655
36656 pdata = client->dev.platform_data;
36657 @@ -509,7 +509,7 @@ static long pn544_ioctl(struct file *fil
36658 struct pn544_info *info = container_of(file->private_data,
36659 struct pn544_info, miscdev);
36660 struct i2c_client *client = info->i2c_dev;
36661 - struct pn544_nfc_platform_data *pdata;
36662 + const struct pn544_nfc_platform_data *pdata;
36663 unsigned int val;
36664 int r = 0;
36665
36666 @@ -715,7 +715,7 @@ static int __devinit pn544_probe(struct
36667 const struct i2c_device_id *id)
36668 {
36669 struct pn544_info *info;
36670 - struct pn544_nfc_platform_data *pdata;
36671 + const struct pn544_nfc_platform_data *pdata;
36672 int r = 0;
36673
36674 dev_dbg(&client->dev, "%s\n", __func__);
36675 diff -urNp linux-2.6.39.2/drivers/of/pdt.c linux-2.6.39.2/drivers/of/pdt.c
36676 --- linux-2.6.39.2/drivers/of/pdt.c 2011-05-19 00:06:34.000000000 -0400
36677 +++ linux-2.6.39.2/drivers/of/pdt.c 2011-05-22 19:36:32.000000000 -0400
36678 @@ -24,7 +24,7 @@
36679 #include <linux/of_pdt.h>
36680 #include <asm/prom.h>
36681
36682 -static struct of_pdt_ops *of_pdt_prom_ops __initdata;
36683 +static const struct of_pdt_ops *of_pdt_prom_ops;
36684
36685 void __initdata (*of_pdt_build_more)(struct device_node *dp,
36686 struct device_node ***nextp);
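Review bot: The new declaration drops `__initdata` along with adding `const`, but the qualifier applies to the pointed-to ops, not to the pointer variable, so the section annotation did not have to go. As written the pointer outlives the init phase, while `of_pdt_build_more` directly below keeps `__initdata`. If the ops table it refers to lives in init memory, the pointer would dangle once that memory is released. `static const struct of_pdt_ops *of_pdt_prom_ops __initdata;` keeps both properties; if the removal is intentional, a comment saying why would help.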
36687 diff -urNp linux-2.6.39.2/drivers/oprofile/buffer_sync.c linux-2.6.39.2/drivers/oprofile/buffer_sync.c
36688 --- linux-2.6.39.2/drivers/oprofile/buffer_sync.c 2011-06-25 12:55:22.000000000 -0400
36689 +++ linux-2.6.39.2/drivers/oprofile/buffer_sync.c 2011-06-25 13:00:26.000000000 -0400
36690 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
36691 if (cookie == NO_COOKIE)
36692 offset = pc;
36693 if (cookie == INVALID_COOKIE) {
36694 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36695 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36696 offset = pc;
36697 }
36698 if (cookie != last_cookie) {
36699 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
36700 /* add userspace sample */
36701
36702 if (!mm) {
36703 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36704 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36705 return 0;
36706 }
36707
36708 cookie = lookup_dcookie(mm, s->eip, &offset);
36709
36710 if (cookie == INVALID_COOKIE) {
36711 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36712 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36713 return 0;
36714 }
36715
36716 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
36717 /* ignore backtraces if failed to add a sample */
36718 if (state == sb_bt_start) {
36719 state = sb_bt_ignore;
36720 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36721 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36722 }
36723 }
36724 release_mm(mm);
36725 diff -urNp linux-2.6.39.2/drivers/oprofile/event_buffer.c linux-2.6.39.2/drivers/oprofile/event_buffer.c
36726 --- linux-2.6.39.2/drivers/oprofile/event_buffer.c 2011-05-19 00:06:34.000000000 -0400
36727 +++ linux-2.6.39.2/drivers/oprofile/event_buffer.c 2011-05-22 19:36:32.000000000 -0400
36728 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36729 }
36730
36731 if (buffer_pos == buffer_size) {
36732 - atomic_inc(&oprofile_stats.event_lost_overflow);
36733 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36734 return;
36735 }
36736
36737 diff -urNp linux-2.6.39.2/drivers/oprofile/oprof.c linux-2.6.39.2/drivers/oprofile/oprof.c
36738 --- linux-2.6.39.2/drivers/oprofile/oprof.c 2011-05-19 00:06:34.000000000 -0400
36739 +++ linux-2.6.39.2/drivers/oprofile/oprof.c 2011-05-22 19:36:32.000000000 -0400
36740 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36741 if (oprofile_ops.switch_events())
36742 return;
36743
36744 - atomic_inc(&oprofile_stats.multiplex_counter);
36745 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36746 start_switch_worker();
36747 }
36748
36749 diff -urNp linux-2.6.39.2/drivers/oprofile/oprofilefs.c linux-2.6.39.2/drivers/oprofile/oprofilefs.c
36750 --- linux-2.6.39.2/drivers/oprofile/oprofilefs.c 2011-05-19 00:06:34.000000000 -0400
36751 +++ linux-2.6.39.2/drivers/oprofile/oprofilefs.c 2011-05-22 19:36:32.000000000 -0400
36752 @@ -186,7 +186,7 @@ static const struct file_operations atom
36753
36754
36755 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36756 - char const *name, atomic_t *val)
36757 + char const *name, atomic_unchecked_t *val)
36758 {
36759 return __oprofilefs_create_file(sb, root, name,
36760 &atomic_ro_fops, 0444, val);
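Review bot: `val` is now an `atomic_unchecked_t *`, but it is still handed to `__oprofilefs_create_file()` as opaque data for `atomic_ro_fops`, and this file section has no second hunk touching the read handler behind those fops. If that handler still treats the pointer as `atomic_t *` and calls `atomic_read()`, the types no longer agree. It should then use the unchecked accessor, presumably `atomic_read_unchecked()`, on an `atomic_unchecked_t *`. The handler is outside the hunk, so this needs checking in the full file.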
36761 diff -urNp linux-2.6.39.2/drivers/oprofile/oprofile_stats.c linux-2.6.39.2/drivers/oprofile/oprofile_stats.c
36762 --- linux-2.6.39.2/drivers/oprofile/oprofile_stats.c 2011-05-19 00:06:34.000000000 -0400
36763 +++ linux-2.6.39.2/drivers/oprofile/oprofile_stats.c 2011-05-22 19:36:32.000000000 -0400
36764 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36765 cpu_buf->sample_invalid_eip = 0;
36766 }
36767
36768 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36769 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36770 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36771 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36772 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36773 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36774 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36775 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36776 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36777 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36778 }
36779
36780
36781 diff -urNp linux-2.6.39.2/drivers/oprofile/oprofile_stats.h linux-2.6.39.2/drivers/oprofile/oprofile_stats.h
36782 --- linux-2.6.39.2/drivers/oprofile/oprofile_stats.h 2011-05-19 00:06:34.000000000 -0400
36783 +++ linux-2.6.39.2/drivers/oprofile/oprofile_stats.h 2011-05-22 19:36:32.000000000 -0400
36784 @@ -13,11 +13,11 @@
36785 #include <asm/atomic.h>
36786
36787 struct oprofile_stat_struct {
36788 - atomic_t sample_lost_no_mm;
36789 - atomic_t sample_lost_no_mapping;
36790 - atomic_t bt_lost_no_mapping;
36791 - atomic_t event_lost_overflow;
36792 - atomic_t multiplex_counter;
36793 + atomic_unchecked_t sample_lost_no_mm;
36794 + atomic_unchecked_t sample_lost_no_mapping;
36795 + atomic_unchecked_t bt_lost_no_mapping;
36796 + atomic_unchecked_t event_lost_overflow;
36797 + atomic_unchecked_t multiplex_counter;
36798 };
36799
36800 extern struct oprofile_stat_struct oprofile_stats;
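Review bot: All five members of oprofile_stat_struct switch to `atomic_unchecked_t` without a comment explaining why these counters may skip overflow checking. In the other oprofile hunks of this patch they are only incremented and reset, which suggests pure statistics where wrap-around is harmless, but that reasoning is not written down. A comment above the members such as `/* statistics only, never used as reference counts; wrap-around is harmless */` would record it for whoever adds the next field.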
36801 diff -urNp linux-2.6.39.2/drivers/parisc/dino.c linux-2.6.39.2/drivers/parisc/dino.c
36802 --- linux-2.6.39.2/drivers/parisc/dino.c 2011-05-19 00:06:34.000000000 -0400
36803 +++ linux-2.6.39.2/drivers/parisc/dino.c 2011-05-22 19:36:32.000000000 -0400
36804 @@ -238,7 +238,7 @@ static int dino_cfg_write(struct pci_bus
36805 return 0;
36806 }
36807
36808 -static struct pci_ops dino_cfg_ops = {
36809 +static const struct pci_ops dino_cfg_ops = {
36810 .read = dino_cfg_read,
36811 .write = dino_cfg_write,
36812 };
36813 diff -urNp linux-2.6.39.2/drivers/parisc/lba_pci.c linux-2.6.39.2/drivers/parisc/lba_pci.c
36814 --- linux-2.6.39.2/drivers/parisc/lba_pci.c 2011-05-19 00:06:34.000000000 -0400
36815 +++ linux-2.6.39.2/drivers/parisc/lba_pci.c 2011-05-22 19:36:32.000000000 -0400
36816 @@ -468,7 +468,7 @@ static int elroy_cfg_write(struct pci_bu
36817 }
36818
36819
36820 -static struct pci_ops elroy_cfg_ops = {
36821 +static const struct pci_ops elroy_cfg_ops = {
36822 .read = elroy_cfg_read,
36823 .write = elroy_cfg_write,
36824 };
36825 @@ -541,7 +541,7 @@ static int mercury_cfg_write(struct pci_
36826 return 0;
36827 }
36828
36829 -static struct pci_ops mercury_cfg_ops = {
36830 +static const struct pci_ops mercury_cfg_ops = {
36831 .read = mercury_cfg_read,
36832 .write = mercury_cfg_write,
36833 };
36834 @@ -1405,7 +1405,7 @@ lba_driver_probe(struct parisc_device *d
36835 {
36836 struct lba_device *lba_dev;
36837 struct pci_bus *lba_bus;
36838 - struct pci_ops *cfg_ops;
36839 + const struct pci_ops *cfg_ops;
36840 u32 func_class;
36841 void *tmp_obj;
36842 char *version;
36843 diff -urNp linux-2.6.39.2/drivers/parport/procfs.c linux-2.6.39.2/drivers/parport/procfs.c
36844 --- linux-2.6.39.2/drivers/parport/procfs.c 2011-05-19 00:06:34.000000000 -0400
36845 +++ linux-2.6.39.2/drivers/parport/procfs.c 2011-05-22 19:36:32.000000000 -0400
36846 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
36847
36848 *ppos += len;
36849
36850 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
36851 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
36852 }
36853
36854 #ifdef CONFIG_PARPORT_1284
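Review bot: The new `len > sizeof buffer` test sits only in the return expression, after `*ppos += len;` two lines above has already advanced the file position with the unvalidated length. It keeps copy_to_user() from reading past the stack buffer, but a rejected call still leaves `*ppos` changed. I would hoist the check as `if (len > sizeof buffer) return -EFAULT;` ahead of `*ppos += len;`. The code that fills `buffer` and computes `len` is outside this hunk, so whether the bound can actually be exceeded cannot be judged here. The same ordering applies to do_autoprobe in the next hunk.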
36855 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
36856
36857 *ppos += len;
36858
36859 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
36860 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
36861 }
36862 #endif /* IEEE1284.3 support. */
36863
36864 diff -urNp linux-2.6.39.2/drivers/pci/access.c linux-2.6.39.2/drivers/pci/access.c
36865 --- linux-2.6.39.2/drivers/pci/access.c 2011-05-19 00:06:34.000000000 -0400
36866 +++ linux-2.6.39.2/drivers/pci/access.c 2011-05-22 19:36:32.000000000 -0400
36867 @@ -74,9 +74,9 @@ EXPORT_SYMBOL(pci_bus_write_config_dword
36868 *
36869 * Return previous raw operations
36870 */
36871 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops)
36872 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops)
36873 {
36874 - struct pci_ops *old_ops;
36875 + const struct pci_ops *old_ops;
36876 unsigned long flags;
36877
36878 raw_spin_lock_irqsave(&pci_lock, flags);
36879 diff -urNp linux-2.6.39.2/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.39.2/drivers/pci/hotplug/acpiphp_glue.c
36880 --- linux-2.6.39.2/drivers/pci/hotplug/acpiphp_glue.c 2011-05-19 00:06:34.000000000 -0400
36881 +++ linux-2.6.39.2/drivers/pci/hotplug/acpiphp_glue.c 2011-05-22 19:36:32.000000000 -0400
36882 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
36883 }
36884
36885
36886 -static struct acpi_dock_ops acpiphp_dock_ops = {
36887 +static const struct acpi_dock_ops acpiphp_dock_ops = {
36888 .handler = handle_hotplug_event_func,
36889 };
36890
36891 diff -urNp linux-2.6.39.2/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.39.2/drivers/pci/hotplug/cpqphp_nvram.c
36892 --- linux-2.6.39.2/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-19 00:06:34.000000000 -0400
36893 +++ linux-2.6.39.2/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-22 19:36:32.000000000 -0400
36894 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
36895
36896 void compaq_nvram_init (void __iomem *rom_start)
36897 {
36898 +
36899 +#ifndef CONFIG_PAX_KERNEXEC
36900 if (rom_start) {
36901 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
36902 }
36903 +#endif
36904 +
36905 dbg("int15 entry = %p\n", compaq_int15_entry_point);
36906
36907 /* initialize our int15 lock */
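Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in compaq_nvram_init, and nothing in the hunk says so or why; the `dbg()` line below still prints it. I would put a comment on the `#ifndef`, for example `/* KERNEXEC: do not set up a call target inside the ROM mapping; the entry point stays unset */` (exact wording for the author to confirm). Every user of the pointer is outside this hunk, so it should be checked that each one handles the unset value rather than calling through it. The blank line added directly after the opening brace can be dropped; the function body continues past the hunk.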
36908 diff -urNp linux-2.6.39.2/drivers/pci/hotplug/shpchp.h linux-2.6.39.2/drivers/pci/hotplug/shpchp.h
36909 --- linux-2.6.39.2/drivers/pci/hotplug/shpchp.h 2011-05-19 00:06:34.000000000 -0400
36910 +++ linux-2.6.39.2/drivers/pci/hotplug/shpchp.h 2011-05-22 19:36:32.000000000 -0400
36911 @@ -86,7 +86,7 @@ struct slot {
36912 u8 presence_save;
36913 u8 pwr_save;
36914 struct controller *ctrl;
36915 - struct hpc_ops *hpc_ops;
36916 + const struct hpc_ops *hpc_ops;
36917 struct hotplug_slot *hotplug_slot;
36918 struct list_head slot_list;
36919 struct delayed_work work; /* work for button event */
36920 @@ -107,7 +107,7 @@ struct controller {
36921 int slot_num_inc; /* 1 or -1 */
36922 struct pci_dev *pci_dev;
36923 struct list_head slot_list;
36924 - struct hpc_ops *hpc_ops;
36925 + const struct hpc_ops *hpc_ops;
36926 wait_queue_head_t queue; /* sleep & wake process */
36927 u8 slot_device_offset;
36928 u32 pcix_misc2_reg; /* for amd pogo errata */
36929 diff -urNp linux-2.6.39.2/drivers/pci/hotplug/shpchp_hpc.c linux-2.6.39.2/drivers/pci/hotplug/shpchp_hpc.c
36930 --- linux-2.6.39.2/drivers/pci/hotplug/shpchp_hpc.c 2011-05-19 00:06:34.000000000 -0400
36931 +++ linux-2.6.39.2/drivers/pci/hotplug/shpchp_hpc.c 2011-05-22 19:36:32.000000000 -0400
36932 @@ -910,7 +910,7 @@ static int shpc_get_max_bus_speed(struct
36933 return retval;
36934 }
36935
36936 -static struct hpc_ops shpchp_hpc_ops = {
36937 +static const struct hpc_ops shpchp_hpc_ops = {
36938 .power_on_slot = hpc_power_on_slot,
36939 .slot_enable = hpc_slot_enable,
36940 .slot_disable = hpc_slot_disable,
36941 diff -urNp linux-2.6.39.2/drivers/pci/intel-iommu.c linux-2.6.39.2/drivers/pci/intel-iommu.c
36942 --- linux-2.6.39.2/drivers/pci/intel-iommu.c 2011-06-25 12:55:22.000000000 -0400
36943 +++ linux-2.6.39.2/drivers/pci/intel-iommu.c 2011-06-25 13:00:26.000000000 -0400
36944 @@ -393,7 +393,7 @@ static int intel_iommu_strict;
36945 static DEFINE_SPINLOCK(device_domain_lock);
36946 static LIST_HEAD(device_domain_list);
36947
36948 -static struct iommu_ops intel_iommu_ops;
36949 +static const struct iommu_ops intel_iommu_ops;
36950
36951 static int __init intel_iommu_setup(char *str)
36952 {
36953 @@ -2964,7 +2964,7 @@ static int intel_mapping_error(struct de
36954 return !dma_addr;
36955 }
36956
36957 -struct dma_map_ops intel_dma_ops = {
36958 +const struct dma_map_ops intel_dma_ops = {
36959 .alloc_coherent = intel_alloc_coherent,
36960 .free_coherent = intel_free_coherent,
36961 .map_sg = intel_map_sg,
36962 @@ -3761,7 +3761,7 @@ static int intel_iommu_domain_has_cap(st
36963 return 0;
36964 }
36965
36966 -static struct iommu_ops intel_iommu_ops = {
36967 +static const struct iommu_ops intel_iommu_ops = {
36968 .domain_init = intel_iommu_domain_init,
36969 .domain_destroy = intel_iommu_domain_destroy,
36970 .attach_dev = intel_iommu_attach_device,
36971 diff -urNp linux-2.6.39.2/drivers/pci/pci-acpi.c linux-2.6.39.2/drivers/pci/pci-acpi.c
36972 --- linux-2.6.39.2/drivers/pci/pci-acpi.c 2011-05-19 00:06:34.000000000 -0400
36973 +++ linux-2.6.39.2/drivers/pci/pci-acpi.c 2011-05-22 19:36:32.000000000 -0400
36974 @@ -332,7 +332,7 @@ static int acpi_pci_run_wake(struct pci_
36975 return 0;
36976 }
36977
36978 -static struct pci_platform_pm_ops acpi_pci_platform_pm = {
36979 +static const struct pci_platform_pm_ops acpi_pci_platform_pm = {
36980 .is_manageable = acpi_pci_power_manageable,
36981 .set_state = acpi_pci_set_power_state,
36982 .choose_state = acpi_pci_choose_state,
36983 diff -urNp linux-2.6.39.2/drivers/pci/pci.c linux-2.6.39.2/drivers/pci/pci.c
36984 --- linux-2.6.39.2/drivers/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
36985 +++ linux-2.6.39.2/drivers/pci/pci.c 2011-05-22 19:36:32.000000000 -0400
36986 @@ -480,9 +480,9 @@ pci_restore_bars(struct pci_dev *dev)
36987 pci_update_resource(dev, i);
36988 }
36989
36990 -static struct pci_platform_pm_ops *pci_platform_pm;
36991 +static const struct pci_platform_pm_ops *pci_platform_pm;
36992
36993 -int pci_set_platform_pm(struct pci_platform_pm_ops *ops)
36994 +int pci_set_platform_pm(const struct pci_platform_pm_ops *ops)
36995 {
36996 if (!ops->is_manageable || !ops->set_state || !ops->choose_state
36997 || !ops->sleep_wake || !ops->can_wakeup)
36998 diff -urNp linux-2.6.39.2/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.39.2/drivers/pci/pcie/aer/aerdrv_core.c
36999 --- linux-2.6.39.2/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-19 00:06:34.000000000 -0400
37000 +++ linux-2.6.39.2/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-22 19:36:32.000000000 -0400
37001 @@ -239,7 +239,7 @@ static bool find_source_device(struct pc
37002 static int report_error_detected(struct pci_dev *dev, void *data)
37003 {
37004 pci_ers_result_t vote;
37005 - struct pci_error_handlers *err_handler;
37006 + const struct pci_error_handlers *err_handler;
37007 struct aer_broadcast_data *result_data;
37008 result_data = (struct aer_broadcast_data *) data;
37009
37010 @@ -273,7 +273,7 @@ static int report_error_detected(struct
37011 static int report_mmio_enabled(struct pci_dev *dev, void *data)
37012 {
37013 pci_ers_result_t vote;
37014 - struct pci_error_handlers *err_handler;
37015 + const struct pci_error_handlers *err_handler;
37016 struct aer_broadcast_data *result_data;
37017 result_data = (struct aer_broadcast_data *) data;
37018
37019 @@ -291,7 +291,7 @@ static int report_mmio_enabled(struct pc
37020 static int report_slot_reset(struct pci_dev *dev, void *data)
37021 {
37022 pci_ers_result_t vote;
37023 - struct pci_error_handlers *err_handler;
37024 + const struct pci_error_handlers *err_handler;
37025 struct aer_broadcast_data *result_data;
37026 result_data = (struct aer_broadcast_data *) data;
37027
37028 @@ -308,7 +308,7 @@ static int report_slot_reset(struct pci_
37029
37030 static int report_resume(struct pci_dev *dev, void *data)
37031 {
37032 - struct pci_error_handlers *err_handler;
37033 + const struct pci_error_handlers *err_handler;
37034
37035 dev->error_state = pci_channel_io_normal;
37036
37037 diff -urNp linux-2.6.39.2/drivers/pci/pcie/aer/aer_inject.c linux-2.6.39.2/drivers/pci/pcie/aer/aer_inject.c
37038 --- linux-2.6.39.2/drivers/pci/pcie/aer/aer_inject.c 2011-05-19 00:06:34.000000000 -0400
37039 +++ linux-2.6.39.2/drivers/pci/pcie/aer/aer_inject.c 2011-05-22 19:36:32.000000000 -0400
37040 @@ -64,7 +64,7 @@ struct aer_error {
37041 struct pci_bus_ops {
37042 struct list_head list;
37043 struct pci_bus *bus;
37044 - struct pci_ops *ops;
37045 + const struct pci_ops *ops;
37046 };
37047
37048 static LIST_HEAD(einjected);
37049 @@ -110,7 +110,7 @@ static struct aer_error *__find_aer_erro
37050 }
37051
37052 /* inject_lock must be held before calling */
37053 -static struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37054 +static const struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37055 {
37056 struct pci_bus_ops *bus_ops;
37057
37058 @@ -187,7 +187,7 @@ static int pci_read_aer(struct pci_bus *
37059 u32 *sim;
37060 struct aer_error *err;
37061 unsigned long flags;
37062 - struct pci_ops *ops;
37063 + const struct pci_ops *ops;
37064 int domain;
37065
37066 spin_lock_irqsave(&inject_lock, flags);
37067 @@ -219,7 +219,7 @@ int pci_write_aer(struct pci_bus *bus, u
37068 struct aer_error *err;
37069 unsigned long flags;
37070 int rw1cs;
37071 - struct pci_ops *ops;
37072 + const struct pci_ops *ops;
37073 int domain;
37074
37075 spin_lock_irqsave(&inject_lock, flags);
37076 @@ -254,7 +254,7 @@ static struct pci_ops pci_ops_aer = {
37077
37078 static void pci_bus_ops_init(struct pci_bus_ops *bus_ops,
37079 struct pci_bus *bus,
37080 - struct pci_ops *ops)
37081 + const struct pci_ops *ops)
37082 {
37083 INIT_LIST_HEAD(&bus_ops->list);
37084 bus_ops->bus = bus;
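Review bot: The hunk header still shows `static struct pci_ops pci_ops_aer = {` as the preceding definition, and no hunk in this file touches it, so the table that aer_inject installs stays writable while every pointer to it is made `const`. For consistency with the other ops tables in this patch I would change it to `static const struct pci_ops pci_ops_aer = {`. That should compile now that `pci_bus_set_ops()` takes a `const struct pci_ops *`.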
37085 @@ -263,7 +263,7 @@ static void pci_bus_ops_init(struct pci_
37086
37087 static int pci_bus_set_aer_ops(struct pci_bus *bus)
37088 {
37089 - struct pci_ops *ops;
37090 + const struct pci_ops *ops;
37091 struct pci_bus_ops *bus_ops;
37092 unsigned long flags;
37093
37094 diff -urNp linux-2.6.39.2/drivers/pci/pcie/aspm.c linux-2.6.39.2/drivers/pci/pcie/aspm.c
37095 --- linux-2.6.39.2/drivers/pci/pcie/aspm.c 2011-05-19 00:06:34.000000000 -0400
37096 +++ linux-2.6.39.2/drivers/pci/pcie/aspm.c 2011-05-22 19:36:32.000000000 -0400
37097 @@ -27,9 +27,9 @@
37098 #define MODULE_PARAM_PREFIX "pcie_aspm."
37099
37100 /* Note: those are not register definitions */
37101 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
37102 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
37103 -#define ASPM_STATE_L1 (4) /* L1 state */
37104 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
37105 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
37106 +#define ASPM_STATE_L1 (4U) /* L1 state */
37107 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
37108 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
37109
37110 diff -urNp linux-2.6.39.2/drivers/pci/pci.h linux-2.6.39.2/drivers/pci/pci.h
37111 --- linux-2.6.39.2/drivers/pci/pci.h 2011-05-19 00:06:34.000000000 -0400
37112 +++ linux-2.6.39.2/drivers/pci/pci.h 2011-05-22 19:36:32.000000000 -0400
37113 @@ -65,7 +65,7 @@ struct pci_platform_pm_ops {
37114 int (*run_wake)(struct pci_dev *dev, bool enable);
37115 };
37116
37117 -extern int pci_set_platform_pm(struct pci_platform_pm_ops *ops);
37118 +extern int pci_set_platform_pm(const struct pci_platform_pm_ops *ops);
37119 extern void pci_update_current_state(struct pci_dev *dev, pci_power_t state);
37120 extern void pci_disable_enabled_device(struct pci_dev *dev);
37121 extern int pci_finish_runtime_suspend(struct pci_dev *dev);
37122 diff -urNp linux-2.6.39.2/drivers/pci/probe.c linux-2.6.39.2/drivers/pci/probe.c
37123 --- linux-2.6.39.2/drivers/pci/probe.c 2011-05-19 00:06:34.000000000 -0400
37124 +++ linux-2.6.39.2/drivers/pci/probe.c 2011-05-22 19:36:32.000000000 -0400
37125 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
37126 return ret;
37127 }
37128
37129 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
37130 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
37131 struct device_attribute *attr,
37132 char *buf)
37133 {
37134 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
37135 }
37136
37137 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
37138 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
37139 struct device_attribute *attr,
37140 char *buf)
37141 {
37142 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
37143 u32 l, sz, mask;
37144 u16 orig_cmd;
37145
37146 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
37147 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
37148
37149 if (!dev->mmio_always_on) {
37150 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
37151 @@ -1407,7 +1407,7 @@ unsigned int __devinit pci_scan_child_bu
37152 }
37153
37154 struct pci_bus * pci_create_bus(struct device *parent,
37155 - int bus, struct pci_ops *ops, void *sysdata)
37156 + int bus, const struct pci_ops *ops, void *sysdata)
37157 {
37158 int error;
37159 struct pci_bus *b, *b2;
37160 @@ -1483,7 +1483,7 @@ err_out:
37161 }
37162
37163 struct pci_bus * __devinit pci_scan_bus_parented(struct device *parent,
37164 - int bus, struct pci_ops *ops, void *sysdata)
37165 + int bus, const struct pci_ops *ops, void *sysdata)
37166 {
37167 struct pci_bus *b;
37168
37169 diff -urNp linux-2.6.39.2/drivers/pci/proc.c linux-2.6.39.2/drivers/pci/proc.c
37170 --- linux-2.6.39.2/drivers/pci/proc.c 2011-05-19 00:06:34.000000000 -0400
37171 +++ linux-2.6.39.2/drivers/pci/proc.c 2011-05-22 19:41:37.000000000 -0400
37172 @@ -476,7 +476,16 @@ static const struct file_operations proc
37173 static int __init pci_proc_init(void)
37174 {
37175 struct pci_dev *dev = NULL;
37176 +
37177 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
37178 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37179 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
37180 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37181 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
37182 +#endif
37183 +#else
37184 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
37185 +#endif
37186 proc_create("devices", 0, proc_bus_pci_dir,
37187 &proc_bus_pci_dev_operations);
37188 proc_initialized = 1;
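Review bot: If CONFIG_GRKERNSEC_PROC_ADD is enabled while neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` has no fallback, so `proc_bus_pci_dir` is never assigned and `proc_create("devices", ...)` runs with whatever the variable held before. Kconfig may rule that combination out, but that is not visible here. An inner `#else` with `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` would make the block safe on its own. pci_proc_init continues outside the hunk.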
37189 diff -urNp linux-2.6.39.2/drivers/pci/xen-pcifront.c linux-2.6.39.2/drivers/pci/xen-pcifront.c
37190 --- linux-2.6.39.2/drivers/pci/xen-pcifront.c 2011-05-19 00:06:34.000000000 -0400
37191 +++ linux-2.6.39.2/drivers/pci/xen-pcifront.c 2011-05-22 19:36:32.000000000 -0400
37192 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
37193 struct pcifront_sd *sd = bus->sysdata;
37194 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37195
37196 + pax_track_stack();
37197 +
37198 if (verbose_request)
37199 dev_info(&pdev->xdev->dev,
37200 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
37201 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
37202 struct pcifront_sd *sd = bus->sysdata;
37203 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37204
37205 + pax_track_stack();
37206 +
37207 if (verbose_request)
37208 dev_info(&pdev->xdev->dev,
37209 "write dev=%04x:%02x:%02x.%01x - "
37210 @@ -236,7 +240,7 @@ static int pcifront_bus_write(struct pci
37211 return errno_to_pcibios_err(do_pci_op(pdev, &op));
37212 }
37213
37214 -struct pci_ops pcifront_bus_ops = {
37215 +const struct pci_ops pcifront_bus_ops = {
37216 .read = pcifront_bus_read,
37217 .write = pcifront_bus_write,
37218 };
37219 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
37220 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37221 struct msi_desc *entry;
37222
37223 + pax_track_stack();
37224 +
37225 if (nvec > SH_INFO_MAX_VEC) {
37226 dev_err(&dev->dev, "too much vector for pci frontend: %x."
37227 " Increase SH_INFO_MAX_VEC.\n", nvec);
37228 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
37229 struct pcifront_sd *sd = dev->bus->sysdata;
37230 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37231
37232 + pax_track_stack();
37233 +
37234 err = do_pci_op(pdev, &op);
37235
37236 /* What should do for error ? */
37237 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
37238 struct pcifront_sd *sd = dev->bus->sysdata;
37239 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37240
37241 + pax_track_stack();
37242 +
37243 err = do_pci_op(pdev, &op);
37244 if (likely(!err)) {
37245 vector[0] = op.value;
37246 @@ -368,7 +378,7 @@ static void pci_frontend_disable_msi(str
37247 printk(KERN_DEBUG "get fake response frombackend\n");
37248 }
37249
37250 -static struct xen_pci_frontend_ops pci_frontend_ops = {
37251 +static const struct xen_pci_frontend_ops pci_frontend_ops = {
37252 .enable_msi = pci_frontend_enable_msi,
37253 .disable_msi = pci_frontend_disable_msi,
37254 .enable_msix = pci_frontend_enable_msix,
37255 diff -urNp linux-2.6.39.2/drivers/pcmcia/at91_cf.c linux-2.6.39.2/drivers/pcmcia/at91_cf.c
37256 --- linux-2.6.39.2/drivers/pcmcia/at91_cf.c 2011-05-19 00:06:34.000000000 -0400
37257 +++ linux-2.6.39.2/drivers/pcmcia/at91_cf.c 2011-05-22 19:36:32.000000000 -0400
37258 @@ -203,7 +203,7 @@ at91_cf_set_mem_map(struct pcmcia_socket
37259 return 0;
37260 }
37261
37262 -static struct pccard_operations at91_cf_ops = {
37263 +static const struct pccard_operations at91_cf_ops = {
37264 .init = at91_cf_ss_init,
37265 .suspend = at91_cf_ss_suspend,
37266 .get_status = at91_cf_get_status,
37267 diff -urNp linux-2.6.39.2/drivers/pcmcia/bfin_cf_pcmcia.c linux-2.6.39.2/drivers/pcmcia/bfin_cf_pcmcia.c
37268 --- linux-2.6.39.2/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37269 +++ linux-2.6.39.2/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37270 @@ -184,7 +184,7 @@ bfin_cf_set_mem_map(struct pcmcia_socket
37271 return 0;
37272 }
37273
37274 -static struct pccard_operations bfin_cf_ops = {
37275 +static const struct pccard_operations bfin_cf_ops = {
37276 .init = bfin_cf_ss_init,
37277 .suspend = bfin_cf_ss_suspend,
37278 .get_status = bfin_cf_get_status,
37279 diff -urNp linux-2.6.39.2/drivers/pcmcia/db1xxx_ss.c linux-2.6.39.2/drivers/pcmcia/db1xxx_ss.c
37280 --- linux-2.6.39.2/drivers/pcmcia/db1xxx_ss.c 2011-05-19 00:06:34.000000000 -0400
37281 +++ linux-2.6.39.2/drivers/pcmcia/db1xxx_ss.c 2011-05-22 19:36:32.000000000 -0400
37282 @@ -384,7 +384,7 @@ static int au1x00_pcmcia_set_mem_map(str
37283 return 0;
37284 }
37285
37286 -static struct pccard_operations db1x_pcmcia_operations = {
37287 +static const struct pccard_operations db1x_pcmcia_operations = {
37288 .init = db1x_pcmcia_sock_init,
37289 .suspend = db1x_pcmcia_sock_suspend,
37290 .get_status = db1x_pcmcia_get_status,
37291 diff -urNp linux-2.6.39.2/drivers/pcmcia/electra_cf.c linux-2.6.39.2/drivers/pcmcia/electra_cf.c
37292 --- linux-2.6.39.2/drivers/pcmcia/electra_cf.c 2011-05-19 00:06:34.000000000 -0400
37293 +++ linux-2.6.39.2/drivers/pcmcia/electra_cf.c 2011-05-22 19:36:32.000000000 -0400
37294 @@ -173,7 +173,7 @@ static int electra_cf_set_mem_map(struct
37295 return 0;
37296 }
37297
37298 -static struct pccard_operations electra_cf_ops = {
37299 +static const struct pccard_operations electra_cf_ops = {
37300 .init = electra_cf_ss_init,
37301 .get_status = electra_cf_get_status,
37302 .set_socket = electra_cf_set_socket,
37303 diff -urNp linux-2.6.39.2/drivers/pcmcia/m32r_cfc.c linux-2.6.39.2/drivers/pcmcia/m32r_cfc.c
37304 --- linux-2.6.39.2/drivers/pcmcia/m32r_cfc.c 2011-05-19 00:06:34.000000000 -0400
37305 +++ linux-2.6.39.2/drivers/pcmcia/m32r_cfc.c 2011-05-22 19:36:32.000000000 -0400
37306 @@ -674,7 +674,7 @@ static int pcc_init(struct pcmcia_socket
37307 return 0;
37308 }
37309
37310 -static struct pccard_operations pcc_operations = {
37311 +static const struct pccard_operations pcc_operations = {
37312 .init = pcc_init,
37313 .get_status = pcc_get_status,
37314 .set_socket = pcc_set_socket,
37315 diff -urNp linux-2.6.39.2/drivers/pcmcia/m32r_pcc.c linux-2.6.39.2/drivers/pcmcia/m32r_pcc.c
37316 --- linux-2.6.39.2/drivers/pcmcia/m32r_pcc.c 2011-05-19 00:06:34.000000000 -0400
37317 +++ linux-2.6.39.2/drivers/pcmcia/m32r_pcc.c 2011-05-22 19:36:32.000000000 -0400
37318 @@ -652,7 +652,7 @@ static int pcc_init(struct pcmcia_socket
37319 return 0;
37320 }
37321
37322 -static struct pccard_operations pcc_operations = {
37323 +static const struct pccard_operations pcc_operations = {
37324 .init = pcc_init,
37325 .get_status = pcc_get_status,
37326 .set_socket = pcc_set_socket,
37327 diff -urNp linux-2.6.39.2/drivers/pcmcia/m8xx_pcmcia.c linux-2.6.39.2/drivers/pcmcia/m8xx_pcmcia.c
37328 --- linux-2.6.39.2/drivers/pcmcia/m8xx_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37329 +++ linux-2.6.39.2/drivers/pcmcia/m8xx_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37330 @@ -1139,7 +1139,7 @@ static int m8xx_sock_suspend(struct pcmc
37331 return m8xx_set_socket(sock, &dead_socket);
37332 }
37333
37334 -static struct pccard_operations m8xx_services = {
37335 +static const struct pccard_operations m8xx_services = {
37336 .init = m8xx_sock_init,
37337 .suspend = m8xx_sock_suspend,
37338 .get_status = m8xx_get_status,
37339 diff -urNp linux-2.6.39.2/drivers/pcmcia/omap_cf.c linux-2.6.39.2/drivers/pcmcia/omap_cf.c
37340 --- linux-2.6.39.2/drivers/pcmcia/omap_cf.c 2011-05-19 00:06:34.000000000 -0400
37341 +++ linux-2.6.39.2/drivers/pcmcia/omap_cf.c 2011-05-22 19:36:32.000000000 -0400
37342 @@ -185,7 +185,7 @@ omap_cf_set_mem_map(struct pcmcia_socket
37343 return 0;
37344 }
37345
37346 -static struct pccard_operations omap_cf_ops = {
37347 +static const struct pccard_operations omap_cf_ops = {
37348 .init = omap_cf_ss_init,
37349 .suspend = omap_cf_ss_suspend,
37350 .get_status = omap_cf_get_status,
37351 diff -urNp linux-2.6.39.2/drivers/pcmcia/rsrc_iodyn.c linux-2.6.39.2/drivers/pcmcia/rsrc_iodyn.c
37352 --- linux-2.6.39.2/drivers/pcmcia/rsrc_iodyn.c 2011-05-19 00:06:34.000000000 -0400
37353 +++ linux-2.6.39.2/drivers/pcmcia/rsrc_iodyn.c 2011-05-22 19:36:32.000000000 -0400
37354 @@ -161,7 +161,7 @@ static int iodyn_find_io(struct pcmcia_s
37355 }
37356
37357
37358 -struct pccard_resource_ops pccard_iodyn_ops = {
37359 +const struct pccard_resource_ops pccard_iodyn_ops = {
37360 .validate_mem = NULL,
37361 .find_io = iodyn_find_io,
37362 .find_mem = NULL,
37363 diff -urNp linux-2.6.39.2/drivers/pcmcia/rsrc_mgr.c linux-2.6.39.2/drivers/pcmcia/rsrc_mgr.c
37364 --- linux-2.6.39.2/drivers/pcmcia/rsrc_mgr.c 2011-05-19 00:06:34.000000000 -0400
37365 +++ linux-2.6.39.2/drivers/pcmcia/rsrc_mgr.c 2011-05-22 19:36:32.000000000 -0400
37366 @@ -57,7 +57,7 @@ static int static_find_io(struct pcmcia_
37367 }
37368
37369
37370 -struct pccard_resource_ops pccard_static_ops = {
37371 +const struct pccard_resource_ops pccard_static_ops = {
37372 .validate_mem = NULL,
37373 .find_io = static_find_io,
37374 .find_mem = NULL,
37375 diff -urNp linux-2.6.39.2/drivers/pcmcia/vrc4171_card.c linux-2.6.39.2/drivers/pcmcia/vrc4171_card.c
37376 --- linux-2.6.39.2/drivers/pcmcia/vrc4171_card.c 2011-05-19 00:06:34.000000000 -0400
37377 +++ linux-2.6.39.2/drivers/pcmcia/vrc4171_card.c 2011-05-22 19:36:32.000000000 -0400
37378 @@ -479,7 +479,7 @@ static int pccard_set_mem_map(struct pcm
37379 return 0;
37380 }
37381
37382 -static struct pccard_operations vrc4171_pccard_operations = {
37383 +static const struct pccard_operations vrc4171_pccard_operations = {
37384 .init = pccard_init,
37385 .get_status = pccard_get_status,
37386 .set_socket = pccard_set_socket,
37387 diff -urNp linux-2.6.39.2/drivers/pcmcia/vrc4173_cardu.c linux-2.6.39.2/drivers/pcmcia/vrc4173_cardu.c
37388 --- linux-2.6.39.2/drivers/pcmcia/vrc4173_cardu.c 2011-05-19 00:06:34.000000000 -0400
37389 +++ linux-2.6.39.2/drivers/pcmcia/vrc4173_cardu.c 2011-05-22 19:36:32.000000000 -0400
37390 @@ -384,7 +384,7 @@ static void cardu_proc_setup(unsigned in
37391 {
37392 }
37393
37394 -static struct pccard_operations cardu_operations = {
37395 +static const struct pccard_operations cardu_operations = {
37396 .init = cardu_init,
37397 .register_callback = cardu_register_callback,
37398 .inquire_socket = cardu_inquire_socket,
37399 diff -urNp linux-2.6.39.2/drivers/pcmcia/xxs1500_ss.c linux-2.6.39.2/drivers/pcmcia/xxs1500_ss.c
37400 --- linux-2.6.39.2/drivers/pcmcia/xxs1500_ss.c 2011-05-19 00:06:34.000000000 -0400
37401 +++ linux-2.6.39.2/drivers/pcmcia/xxs1500_ss.c 2011-05-22 19:36:32.000000000 -0400
37402 @@ -196,7 +196,7 @@ static int au1x00_pcmcia_set_mem_map(str
37403 return 0;
37404 }
37405
37406 -static struct pccard_operations xxs1500_pcmcia_operations = {
37407 +static const struct pccard_operations xxs1500_pcmcia_operations = {
37408 .init = xxs1500_pcmcia_sock_init,
37409 .suspend = xxs1500_pcmcia_sock_suspend,
37410 .get_status = xxs1500_pcmcia_get_status,
37411 diff -urNp linux-2.6.39.2/drivers/platform/x86/acerhdf.c linux-2.6.39.2/drivers/platform/x86/acerhdf.c
37412 --- linux-2.6.39.2/drivers/platform/x86/acerhdf.c 2011-05-19 00:06:34.000000000 -0400
37413 +++ linux-2.6.39.2/drivers/platform/x86/acerhdf.c 2011-05-22 19:36:32.000000000 -0400
37414 @@ -406,7 +406,7 @@ static int acerhdf_get_crit_temp(struct
37415 }
37416
37417 /* bind callback functions to thermalzone */
37418 -static struct thermal_zone_device_ops acerhdf_dev_ops = {
37419 +static const struct thermal_zone_device_ops acerhdf_dev_ops = {
37420 .bind = acerhdf_bind,
37421 .unbind = acerhdf_unbind,
37422 .get_temp = acerhdf_get_ec_temp,
37423 @@ -481,7 +481,7 @@ err_out:
37424 }
37425
37426 /* bind fan callbacks to fan device */
37427 -static struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37428 +static const struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37429 .get_max_state = acerhdf_get_max_state,
37430 .get_cur_state = acerhdf_get_cur_state,
37431 .set_cur_state = acerhdf_set_cur_state,
37432 diff -urNp linux-2.6.39.2/drivers/platform/x86/ideapad-laptop.c linux-2.6.39.2/drivers/platform/x86/ideapad-laptop.c
37433 --- linux-2.6.39.2/drivers/platform/x86/ideapad-laptop.c 2011-05-19 00:06:34.000000000 -0400
37434 +++ linux-2.6.39.2/drivers/platform/x86/ideapad-laptop.c 2011-05-22 19:36:32.000000000 -0400
37435 @@ -207,7 +207,7 @@ static int ideapad_rfk_set(void *data, b
37436 return write_ec_cmd(ideapad_handle, opcode, !blocked);
37437 }
37438
37439 -static struct rfkill_ops ideapad_rfk_ops = {
37440 +static const struct rfkill_ops ideapad_rfk_ops = {
37441 .set_block = ideapad_rfk_set,
37442 };
37443
37444 diff -urNp linux-2.6.39.2/drivers/platform/x86/intel_menlow.c linux-2.6.39.2/drivers/platform/x86/intel_menlow.c
37445 --- linux-2.6.39.2/drivers/platform/x86/intel_menlow.c 2011-05-19 00:06:34.000000000 -0400
37446 +++ linux-2.6.39.2/drivers/platform/x86/intel_menlow.c 2011-05-22 19:36:32.000000000 -0400
37447 @@ -143,7 +143,7 @@ static int memory_set_cur_bandwidth(stru
37448 return 0;
37449 }
37450
37451 -static struct thermal_cooling_device_ops memory_cooling_ops = {
37452 +static const struct thermal_cooling_device_ops memory_cooling_ops = {
37453 .get_max_state = memory_get_max_bandwidth,
37454 .get_cur_state = memory_get_cur_bandwidth,
37455 .set_cur_state = memory_set_cur_bandwidth,
37456 diff -urNp linux-2.6.39.2/drivers/platform/x86/intel_mid_thermal.c linux-2.6.39.2/drivers/platform/x86/intel_mid_thermal.c
37457 --- linux-2.6.39.2/drivers/platform/x86/intel_mid_thermal.c 2011-05-19 00:06:34.000000000 -0400
37458 +++ linux-2.6.39.2/drivers/platform/x86/intel_mid_thermal.c 2011-05-22 19:36:32.000000000 -0400
37459 @@ -458,7 +458,7 @@ static int read_curr_temp(struct thermal
37460 }
37461
37462 /* Can't be const */
37463 -static struct thermal_zone_device_ops tzd_ops = {
37464 +static const struct thermal_zone_device_ops tzd_ops = {
37465 .get_temp = read_curr_temp,
37466 };
37467
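Review bot: The context comment `/* Can't be const */` directly above `tzd_ops` now contradicts the declaration, which this hunk makes `static const`. Either the comment is stale and should be deleted in the same change, or something outside the hunk really does write to `tzd_ops`, in which case the `const` is wrong. I would check for writes to `tzd_ops` elsewhere in the file and then remove the comment line.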
37468 diff -urNp linux-2.6.39.2/drivers/platform/x86/samsung-laptop.c linux-2.6.39.2/drivers/platform/x86/samsung-laptop.c
37469 --- linux-2.6.39.2/drivers/platform/x86/samsung-laptop.c 2011-05-19 00:06:34.000000000 -0400
37470 +++ linux-2.6.39.2/drivers/platform/x86/samsung-laptop.c 2011-05-22 19:36:32.000000000 -0400
37471 @@ -419,7 +419,7 @@ static int rfkill_set(void *data, bool b
37472 return 0;
37473 }
37474
37475 -static struct rfkill_ops rfkill_ops = {
37476 +static const struct rfkill_ops rfkill_ops = {
37477 .set_block = rfkill_set,
37478 };
37479
37480 diff -urNp linux-2.6.39.2/drivers/pnp/pnpbios/bioscalls.c linux-2.6.39.2/drivers/pnp/pnpbios/bioscalls.c
37481 --- linux-2.6.39.2/drivers/pnp/pnpbios/bioscalls.c 2011-05-19 00:06:34.000000000 -0400
37482 +++ linux-2.6.39.2/drivers/pnp/pnpbios/bioscalls.c 2011-05-22 19:36:32.000000000 -0400
37483 @@ -59,7 +59,7 @@ do { \
37484 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37485 } while(0)
37486
37487 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37488 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37489 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37490
37491 /*
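Review bot: The descriptor flags change from `0x4092` to `0x4093` without a comment, and next to the `const` change it is easy to read as a typo. The extra bit is the segment "accessed" bit; presumably it is pre-set so the CPU does not have to write it back into a GDT that is read-only outside the `pax_open_kernel()` windows added further down. I would add above the definition `/* accessed bit pre-set so loading the segment never needs a write to the GDT */`.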
37492 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
37493
37494 cpu = get_cpu();
37495 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37496 +
37497 + pax_open_kernel();
37498 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37499 + pax_close_kernel();
37500
37501 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37502 spin_lock_irqsave(&pnp_bios_lock, flags);
37503 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
37504 :"memory");
37505 spin_unlock_irqrestore(&pnp_bios_lock, flags);
37506
37507 + pax_open_kernel();
37508 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37509 + pax_close_kernel();
37510 +
37511 put_cpu();
37512
37513 /* If we get here and this is set then the PnP BIOS faulted on us. */
37514 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
37515 return status;
37516 }
37517
37518 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
37519 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37520 {
37521 int i;
37522
37523 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
37524 pnp_bios_callpoint.offset = header->fields.pm16offset;
37525 pnp_bios_callpoint.segment = PNP_CS16;
37526
37527 + pax_open_kernel();
37528 +
37529 for_each_possible_cpu(i) {
37530 struct desc_struct *gdt = get_cpu_gdt_table(i);
37531 if (!gdt)
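Review bot: `pax_open_kernel()` added here is only closed by the `pax_close_kernel()` in the next hunk (`-487,4 +495,6`), so the write window covers the entire `for_each_possible_cpu` loop rather than a single store as in call_pnp_bios above. Part of the loop body lies between the two hunks and is not visible, so it cannot be checked here that every path out of the loop reaches the close; the `if (!gdt)` test shown must only skip the iteration. I would mark the pairing explicitly, e.g. `/* GDT writes below; no return or break before pax_close_kernel() */`.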
37532 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
37533 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37534 (unsigned long)__va(header->fields.pm16dseg));
37535 }
37536 +
37537 + pax_close_kernel();
37538 }
37539 diff -urNp linux-2.6.39.2/drivers/pnp/resource.c linux-2.6.39.2/drivers/pnp/resource.c
37540 --- linux-2.6.39.2/drivers/pnp/resource.c 2011-05-19 00:06:34.000000000 -0400
37541 +++ linux-2.6.39.2/drivers/pnp/resource.c 2011-05-22 19:36:32.000000000 -0400
37542 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37543 return 1;
37544
37545 /* check if the resource is valid */
37546 - if (*irq < 0 || *irq > 15)
37547 + if (*irq > 15)
37548 return 0;
37549
37550 /* check if the resource is reserved */
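Review bot: Dropping `*irq < 0` from the range check is behaviour-preserving only if `*irq` has an unsigned type, and the declaration of `irq` is outside this hunk; the same applies to `*dma < 0` in the pnp_check_dma hunk below. If the type is unsigned, the old comparison was always false and the removal only silences a compiler warning; if it is ever signed, a negative value now passes `*irq > 15` as valid. I would record the assumption next to the check, e.g. `/* *irq is unsigned, so only the upper bound needs testing */`, and the equivalent for `*dma`. Both functions start and end outside their hunks.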
37551 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37552 return 1;
37553
37554 /* check if the resource is valid */
37555 - if (*dma < 0 || *dma == 4 || *dma > 7)
37556 + if (*dma == 4 || *dma > 7)
37557 return 0;
37558
37559 /* check if the resource is reserved */
37560 diff -urNp linux-2.6.39.2/drivers/power/max8925_power.c linux-2.6.39.2/drivers/power/max8925_power.c
37561 --- linux-2.6.39.2/drivers/power/max8925_power.c 2011-05-19 00:06:34.000000000 -0400
37562 +++ linux-2.6.39.2/drivers/power/max8925_power.c 2011-05-22 19:36:32.000000000 -0400
37563 @@ -426,7 +426,7 @@ static __devinit int max8925_power_probe
37564 {
37565 struct max8925_chip *chip = dev_get_drvdata(pdev->dev.parent);
37566 struct max8925_platform_data *max8925_pdata;
37567 - struct max8925_power_pdata *pdata = NULL;
37568 + const struct max8925_power_pdata *pdata = NULL;
37569 struct max8925_power_info *info;
37570 int ret;
37571
37572 diff -urNp linux-2.6.39.2/drivers/regulator/core.c linux-2.6.39.2/drivers/regulator/core.c
37573 --- linux-2.6.39.2/drivers/regulator/core.c 2011-05-19 00:06:34.000000000 -0400
37574 +++ linux-2.6.39.2/drivers/regulator/core.c 2011-05-22 19:36:32.000000000 -0400
37575 @@ -2883,7 +2883,7 @@ core_initcall(regulator_init);
37576 static int __init regulator_init_complete(void)
37577 {
37578 struct regulator_dev *rdev;
37579 - struct regulator_ops *ops;
37580 + const struct regulator_ops *ops;
37581 struct regulation_constraints *c;
37582 int enabled, ret;
37583
37584 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-at32ap700x.c linux-2.6.39.2/drivers/rtc/rtc-at32ap700x.c
37585 --- linux-2.6.39.2/drivers/rtc/rtc-at32ap700x.c 2011-05-19 00:06:34.000000000 -0400
37586 +++ linux-2.6.39.2/drivers/rtc/rtc-at32ap700x.c 2011-05-22 19:36:32.000000000 -0400
37587 @@ -187,7 +187,7 @@ static irqreturn_t at32_rtc_interrupt(in
37588 return ret;
37589 }
37590
37591 -static struct rtc_class_ops at32_rtc_ops = {
37592 +static const struct rtc_class_ops at32_rtc_ops = {
37593 .read_time = at32_rtc_readtime,
37594 .set_time = at32_rtc_settime,
37595 .read_alarm = at32_rtc_readalarm,
37596 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-au1xxx.c linux-2.6.39.2/drivers/rtc/rtc-au1xxx.c
37597 --- linux-2.6.39.2/drivers/rtc/rtc-au1xxx.c 2011-05-19 00:06:34.000000000 -0400
37598 +++ linux-2.6.39.2/drivers/rtc/rtc-au1xxx.c 2011-05-22 19:36:32.000000000 -0400
37599 @@ -57,7 +57,7 @@ static int au1xtoy_rtc_set_time(struct d
37600 return 0;
37601 }
37602
37603 -static struct rtc_class_ops au1xtoy_rtc_ops = {
37604 +static const struct rtc_class_ops au1xtoy_rtc_ops = {
37605 .read_time = au1xtoy_rtc_read_time,
37606 .set_time = au1xtoy_rtc_set_time,
37607 };
37608 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-bfin.c linux-2.6.39.2/drivers/rtc/rtc-bfin.c
37609 --- linux-2.6.39.2/drivers/rtc/rtc-bfin.c 2011-05-19 00:06:34.000000000 -0400
37610 +++ linux-2.6.39.2/drivers/rtc/rtc-bfin.c 2011-05-22 19:36:32.000000000 -0400
37611 @@ -333,7 +333,7 @@ static int bfin_rtc_proc(struct device *
37612 #undef yesno
37613 }
37614
37615 -static struct rtc_class_ops bfin_rtc_ops = {
37616 +static const struct rtc_class_ops bfin_rtc_ops = {
37617 .read_time = bfin_rtc_read_time,
37618 .set_time = bfin_rtc_set_time,
37619 .read_alarm = bfin_rtc_read_alarm,
37620 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-coh901331.c linux-2.6.39.2/drivers/rtc/rtc-coh901331.c
37621 --- linux-2.6.39.2/drivers/rtc/rtc-coh901331.c 2011-05-19 00:06:34.000000000 -0400
37622 +++ linux-2.6.39.2/drivers/rtc/rtc-coh901331.c 2011-05-22 19:36:32.000000000 -0400
37623 @@ -142,7 +142,7 @@ static int coh901331_alarm_irq_enable(st
37624 return 0;
37625 }
37626
37627 -static struct rtc_class_ops coh901331_ops = {
37628 +static const struct rtc_class_ops coh901331_ops = {
37629 .read_time = coh901331_read_time,
37630 .set_mmss = coh901331_set_mmss,
37631 .read_alarm = coh901331_read_alarm,
37632 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-davinci.c linux-2.6.39.2/drivers/rtc/rtc-davinci.c
37633 --- linux-2.6.39.2/drivers/rtc/rtc-davinci.c 2011-05-19 00:06:34.000000000 -0400
37634 +++ linux-2.6.39.2/drivers/rtc/rtc-davinci.c 2011-05-22 19:36:32.000000000 -0400
37635 @@ -469,7 +469,7 @@ static int davinci_rtc_set_alarm(struct
37636 return 0;
37637 }
37638
37639 -static struct rtc_class_ops davinci_rtc_ops = {
37640 +static const struct rtc_class_ops davinci_rtc_ops = {
37641 .ioctl = davinci_rtc_ioctl,
37642 .read_time = davinci_rtc_read_time,
37643 .set_time = davinci_rtc_set_time,
37644 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-dev.c linux-2.6.39.2/drivers/rtc/rtc-dev.c
37645 --- linux-2.6.39.2/drivers/rtc/rtc-dev.c 2011-05-19 00:06:34.000000000 -0400
37646 +++ linux-2.6.39.2/drivers/rtc/rtc-dev.c 2011-05-22 19:41:37.000000000 -0400
37647 @@ -14,6 +14,7 @@
37648 #include <linux/module.h>
37649 #include <linux/rtc.h>
37650 #include <linux/sched.h>
37651 +#include <linux/grsecurity.h>
37652 #include "rtc-core.h"
37653
37654 static dev_t rtc_devt;
37655 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
37656 if (copy_from_user(&tm, uarg, sizeof(tm)))
37657 return -EFAULT;
37658
37659 + gr_log_timechange();
37660 +
37661 return rtc_set_time(rtc, &tm);
37662
37663 case RTC_PIE_ON:
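Review bot: `gr_log_timechange()` is called before `rtc_set_time()` and independently of its result, so the audit record is written even when the set fails and the clock is unchanged. For a log meant to show that the time was changed, that produces entries that cannot be told apart from real changes. Logging on success only would be `err = rtc_set_time(rtc, &tm);` `if (!err) gr_log_timechange();` `return err;`, assuming the function has a suitable local such as `err` (its declarations are outside this hunk). If recording attempts is the intent, a comment such as `/* logged on attempt, not on success */` would make that clear. The body of rtc_dev_ioctl continues on both sides of the hunk.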
37664 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-dm355evm.c linux-2.6.39.2/drivers/rtc/rtc-dm355evm.c
37665 --- linux-2.6.39.2/drivers/rtc/rtc-dm355evm.c 2011-05-19 00:06:34.000000000 -0400
37666 +++ linux-2.6.39.2/drivers/rtc/rtc-dm355evm.c 2011-05-22 19:36:32.000000000 -0400
37667 @@ -115,7 +115,7 @@ static int dm355evm_rtc_set_time(struct
37668 return 0;
37669 }
37670
37671 -static struct rtc_class_ops dm355evm_rtc_ops = {
37672 +static const struct rtc_class_ops dm355evm_rtc_ops = {
37673 .read_time = dm355evm_rtc_read_time,
37674 .set_time = dm355evm_rtc_set_time,
37675 };
37676 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-ds1302.c linux-2.6.39.2/drivers/rtc/rtc-ds1302.c
37677 --- linux-2.6.39.2/drivers/rtc/rtc-ds1302.c 2011-05-19 00:06:34.000000000 -0400
37678 +++ linux-2.6.39.2/drivers/rtc/rtc-ds1302.c 2011-05-22 19:36:32.000000000 -0400
37679 @@ -199,7 +199,7 @@ static int ds1302_rtc_ioctl(struct devic
37680 return -ENOIOCTLCMD;
37681 }
37682
37683 -static struct rtc_class_ops ds1302_rtc_ops = {
37684 +static const struct rtc_class_ops ds1302_rtc_ops = {
37685 .read_time = ds1302_rtc_read_time,
37686 .set_time = ds1302_rtc_set_time,
37687 .ioctl = ds1302_rtc_ioctl,
37688 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-imxdi.c linux-2.6.39.2/drivers/rtc/rtc-imxdi.c
37689 --- linux-2.6.39.2/drivers/rtc/rtc-imxdi.c 2011-05-19 00:06:34.000000000 -0400
37690 +++ linux-2.6.39.2/drivers/rtc/rtc-imxdi.c 2011-05-22 19:36:32.000000000 -0400
37691 @@ -290,7 +290,7 @@ static int dryice_rtc_set_alarm(struct d
37692 return 0;
37693 }
37694
37695 -static struct rtc_class_ops dryice_rtc_ops = {
37696 +static const struct rtc_class_ops dryice_rtc_ops = {
37697 .read_time = dryice_rtc_read_time,
37698 .set_mmss = dryice_rtc_set_mmss,
37699 .alarm_irq_enable = dryice_rtc_alarm_irq_enable,
37700 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-jz4740.c linux-2.6.39.2/drivers/rtc/rtc-jz4740.c
37701 --- linux-2.6.39.2/drivers/rtc/rtc-jz4740.c 2011-05-19 00:06:34.000000000 -0400
37702 +++ linux-2.6.39.2/drivers/rtc/rtc-jz4740.c 2011-05-22 19:36:32.000000000 -0400
37703 @@ -174,7 +174,7 @@ static int jz4740_rtc_alarm_irq_enable(s
37704 return jz4740_rtc_ctrl_set_bits(rtc, JZ_RTC_CTRL_AF_IRQ, enable);
37705 }
37706
37707 -static struct rtc_class_ops jz4740_rtc_ops = {
37708 +static const struct rtc_class_ops jz4740_rtc_ops = {
37709 .read_time = jz4740_rtc_read_time,
37710 .set_mmss = jz4740_rtc_set_mmss,
37711 .read_alarm = jz4740_rtc_read_alarm,
37712 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-m41t80.c linux-2.6.39.2/drivers/rtc/rtc-m41t80.c
37713 --- linux-2.6.39.2/drivers/rtc/rtc-m41t80.c 2011-05-19 00:06:34.000000000 -0400
37714 +++ linux-2.6.39.2/drivers/rtc/rtc-m41t80.c 2011-05-22 19:36:32.000000000 -0400
37715 @@ -354,7 +354,7 @@ static int m41t80_rtc_read_alarm(struct
37716 return 0;
37717 }
37718
37719 -static struct rtc_class_ops m41t80_rtc_ops = {
37720 +static const struct rtc_class_ops m41t80_rtc_ops = {
37721 .read_time = m41t80_rtc_read_time,
37722 .set_time = m41t80_rtc_set_time,
37723 .read_alarm = m41t80_rtc_read_alarm,
37724 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-mxc.c linux-2.6.39.2/drivers/rtc/rtc-mxc.c
37725 --- linux-2.6.39.2/drivers/rtc/rtc-mxc.c 2011-05-19 00:06:34.000000000 -0400
37726 +++ linux-2.6.39.2/drivers/rtc/rtc-mxc.c 2011-05-22 19:36:32.000000000 -0400
37727 @@ -355,7 +355,7 @@ static int mxc_rtc_set_alarm(struct devi
37728 }
37729
37730 /* RTC layer */
37731 -static struct rtc_class_ops mxc_rtc_ops = {
37732 +static const struct rtc_class_ops mxc_rtc_ops = {
37733 .release = mxc_rtc_release,
37734 .read_time = mxc_rtc_read_time,
37735 .set_mmss = mxc_rtc_set_mmss,
37736 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-nuc900.c linux-2.6.39.2/drivers/rtc/rtc-nuc900.c
37737 --- linux-2.6.39.2/drivers/rtc/rtc-nuc900.c 2011-05-19 00:06:34.000000000 -0400
37738 +++ linux-2.6.39.2/drivers/rtc/rtc-nuc900.c 2011-05-22 19:36:32.000000000 -0400
37739 @@ -214,7 +214,7 @@ static int nuc900_rtc_set_alarm(struct d
37740 return 0;
37741 }
37742
37743 -static struct rtc_class_ops nuc900_rtc_ops = {
37744 +static const struct rtc_class_ops nuc900_rtc_ops = {
37745 .read_time = nuc900_rtc_read_time,
37746 .set_time = nuc900_rtc_set_time,
37747 .read_alarm = nuc900_rtc_read_alarm,
37748 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-omap.c linux-2.6.39.2/drivers/rtc/rtc-omap.c
37749 --- linux-2.6.39.2/drivers/rtc/rtc-omap.c 2011-05-19 00:06:34.000000000 -0400
37750 +++ linux-2.6.39.2/drivers/rtc/rtc-omap.c 2011-05-22 19:36:32.000000000 -0400
37751 @@ -274,7 +274,7 @@ static int omap_rtc_set_alarm(struct dev
37752 return 0;
37753 }
37754
37755 -static struct rtc_class_ops omap_rtc_ops = {
37756 +static const struct rtc_class_ops omap_rtc_ops = {
37757 .read_time = omap_rtc_read_time,
37758 .set_time = omap_rtc_set_time,
37759 .read_alarm = omap_rtc_read_alarm,
37760 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-pcf50633.c linux-2.6.39.2/drivers/rtc/rtc-pcf50633.c
37761 --- linux-2.6.39.2/drivers/rtc/rtc-pcf50633.c 2011-05-19 00:06:34.000000000 -0400
37762 +++ linux-2.6.39.2/drivers/rtc/rtc-pcf50633.c 2011-05-22 19:36:32.000000000 -0400
37763 @@ -238,7 +238,7 @@ static int pcf50633_rtc_set_alarm(struct
37764 return ret;
37765 }
37766
37767 -static struct rtc_class_ops pcf50633_rtc_ops = {
37768 +static const struct rtc_class_ops pcf50633_rtc_ops = {
37769 .read_time = pcf50633_rtc_read_time,
37770 .set_time = pcf50633_rtc_set_time,
37771 .read_alarm = pcf50633_rtc_read_alarm,
37772 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-pl031.c linux-2.6.39.2/drivers/rtc/rtc-pl031.c
37773 --- linux-2.6.39.2/drivers/rtc/rtc-pl031.c 2011-05-19 00:06:34.000000000 -0400
37774 +++ linux-2.6.39.2/drivers/rtc/rtc-pl031.c 2011-05-22 19:36:32.000000000 -0400
37775 @@ -374,7 +374,7 @@ err_req:
37776 }
37777
37778 /* Operations for the original ARM version */
37779 -static struct rtc_class_ops arm_pl031_ops = {
37780 +static const struct rtc_class_ops arm_pl031_ops = {
37781 .read_time = pl031_read_time,
37782 .set_time = pl031_set_time,
37783 .read_alarm = pl031_read_alarm,
37784 @@ -383,7 +383,7 @@ static struct rtc_class_ops arm_pl031_op
37785 };
37786
37787 /* The First ST derivative */
37788 -static struct rtc_class_ops stv1_pl031_ops = {
37789 +static const struct rtc_class_ops stv1_pl031_ops = {
37790 .read_time = pl031_read_time,
37791 .set_time = pl031_set_time,
37792 .read_alarm = pl031_read_alarm,
37793 @@ -392,7 +392,7 @@ static struct rtc_class_ops stv1_pl031_o
37794 };
37795
37796 /* And the second ST derivative */
37797 -static struct rtc_class_ops stv2_pl031_ops = {
37798 +static const struct rtc_class_ops stv2_pl031_ops = {
37799 .read_time = pl031_stv2_read_time,
37800 .set_time = pl031_stv2_set_time,
37801 .read_alarm = pl031_stv2_read_alarm,
37802 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-rx8025.c linux-2.6.39.2/drivers/rtc/rtc-rx8025.c
37803 --- linux-2.6.39.2/drivers/rtc/rtc-rx8025.c 2011-05-19 00:06:34.000000000 -0400
37804 +++ linux-2.6.39.2/drivers/rtc/rtc-rx8025.c 2011-05-22 19:36:32.000000000 -0400
37805 @@ -424,7 +424,7 @@ static int rx8025_alarm_irq_enable(struc
37806 return 0;
37807 }
37808
37809 -static struct rtc_class_ops rx8025_rtc_ops = {
37810 +static const struct rtc_class_ops rx8025_rtc_ops = {
37811 .read_time = rx8025_get_time,
37812 .set_time = rx8025_set_time,
37813 .read_alarm = rx8025_read_alarm,
37814 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-sh.c linux-2.6.39.2/drivers/rtc/rtc-sh.c
37815 --- linux-2.6.39.2/drivers/rtc/rtc-sh.c 2011-05-19 00:06:34.000000000 -0400
37816 +++ linux-2.6.39.2/drivers/rtc/rtc-sh.c 2011-05-22 19:36:32.000000000 -0400
37817 @@ -576,7 +576,7 @@ static int sh_rtc_set_alarm(struct devic
37818 return 0;
37819 }
37820
37821 -static struct rtc_class_ops sh_rtc_ops = {
37822 +static const struct rtc_class_ops sh_rtc_ops = {
37823 .read_time = sh_rtc_read_time,
37824 .set_time = sh_rtc_set_time,
37825 .read_alarm = sh_rtc_read_alarm,
37826 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-stmp3xxx.c linux-2.6.39.2/drivers/rtc/rtc-stmp3xxx.c
37827 --- linux-2.6.39.2/drivers/rtc/rtc-stmp3xxx.c 2011-05-19 00:06:34.000000000 -0400
37828 +++ linux-2.6.39.2/drivers/rtc/rtc-stmp3xxx.c 2011-05-22 19:36:32.000000000 -0400
37829 @@ -133,7 +133,7 @@ static int stmp3xxx_rtc_set_alarm(struct
37830 return 0;
37831 }
37832
37833 -static struct rtc_class_ops stmp3xxx_rtc_ops = {
37834 +static const struct rtc_class_ops stmp3xxx_rtc_ops = {
37835 .alarm_irq_enable =
37836 stmp3xxx_alarm_irq_enable,
37837 .read_time = stmp3xxx_rtc_gettime,
37838 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-tegra.c linux-2.6.39.2/drivers/rtc/rtc-tegra.c
37839 --- linux-2.6.39.2/drivers/rtc/rtc-tegra.c 2011-05-19 00:06:34.000000000 -0400
37840 +++ linux-2.6.39.2/drivers/rtc/rtc-tegra.c 2011-05-22 19:36:32.000000000 -0400
37841 @@ -294,7 +294,7 @@ static irqreturn_t tegra_rtc_irq_handler
37842 return IRQ_HANDLED;
37843 }
37844
37845 -static struct rtc_class_ops tegra_rtc_ops = {
37846 +static const struct rtc_class_ops tegra_rtc_ops = {
37847 .read_time = tegra_rtc_read_time,
37848 .set_time = tegra_rtc_set_time,
37849 .read_alarm = tegra_rtc_read_alarm,
37850 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-twl.c linux-2.6.39.2/drivers/rtc/rtc-twl.c
37851 --- linux-2.6.39.2/drivers/rtc/rtc-twl.c 2011-05-19 00:06:34.000000000 -0400
37852 +++ linux-2.6.39.2/drivers/rtc/rtc-twl.c 2011-05-22 19:36:32.000000000 -0400
37853 @@ -415,7 +415,7 @@ out:
37854 return ret;
37855 }
37856
37857 -static struct rtc_class_ops twl_rtc_ops = {
37858 +static const struct rtc_class_ops twl_rtc_ops = {
37859 .read_time = twl_rtc_read_time,
37860 .set_time = twl_rtc_set_time,
37861 .read_alarm = twl_rtc_read_alarm,
37862 diff -urNp linux-2.6.39.2/drivers/rtc/rtc-v3020.c linux-2.6.39.2/drivers/rtc/rtc-v3020.c
37863 --- linux-2.6.39.2/drivers/rtc/rtc-v3020.c 2011-05-19 00:06:34.000000000 -0400
37864 +++ linux-2.6.39.2/drivers/rtc/rtc-v3020.c 2011-05-22 19:36:32.000000000 -0400
37865 @@ -62,7 +62,7 @@ struct v3020 {
37866 /* GPIO access */
37867 struct v3020_gpio *gpio;
37868
37869 - struct v3020_chip_ops *ops;
37870 + const struct v3020_chip_ops *ops;
37871
37872 struct rtc_device *rtc;
37873 };
37874 @@ -100,7 +100,7 @@ static unsigned char v3020_mmio_read_bit
37875 return !!(readl(chip->ioaddress) & (1 << chip->leftshift));
37876 }
37877
37878 -static struct v3020_chip_ops v3020_mmio_ops = {
37879 +static const struct v3020_chip_ops v3020_mmio_ops = {
37880 .map_io = v3020_mmio_map,
37881 .unmap_io = v3020_mmio_unmap,
37882 .read_bit = v3020_mmio_read_bit,
37883 @@ -177,7 +177,7 @@ static unsigned char v3020_gpio_read_bit
37884 return bit;
37885 }
37886
37887 -static struct v3020_chip_ops v3020_gpio_ops = {
37888 +static const struct v3020_chip_ops v3020_gpio_ops = {
37889 .map_io = v3020_gpio_map,
37890 .unmap_io = v3020_gpio_unmap,
37891 .read_bit = v3020_gpio_read_bit,
37892 diff -urNp linux-2.6.39.2/drivers/s390/char/con3270.c linux-2.6.39.2/drivers/s390/char/con3270.c
37893 --- linux-2.6.39.2/drivers/s390/char/con3270.c 2011-05-19 00:06:34.000000000 -0400
37894 +++ linux-2.6.39.2/drivers/s390/char/con3270.c 2011-05-22 19:36:32.000000000 -0400
37895 @@ -28,7 +28,7 @@
37896 #define CON3270_OUTPUT_BUFFER_SIZE 1024
37897 #define CON3270_STRING_PAGES 4
37898
37899 -static struct raw3270_fn con3270_fn;
37900 +static const struct raw3270_fn con3270_fn;
37901
37902 /*
37903 * Main 3270 console view data structure.
37904 @@ -413,7 +413,7 @@ con3270_irq(struct con3270 *cp, struct r
37905 }
37906
37907 /* Console view to a 3270 device. */
37908 -static struct raw3270_fn con3270_fn = {
37909 +static const struct raw3270_fn con3270_fn = {
37910 .activate = con3270_activate,
37911 .deactivate = con3270_deactivate,
37912 .intv = (void *) con3270_irq
37913 diff -urNp linux-2.6.39.2/drivers/s390/char/fs3270.c linux-2.6.39.2/drivers/s390/char/fs3270.c
37914 --- linux-2.6.39.2/drivers/s390/char/fs3270.c 2011-05-19 00:06:34.000000000 -0400
37915 +++ linux-2.6.39.2/drivers/s390/char/fs3270.c 2011-05-22 19:36:32.000000000 -0400
37916 @@ -24,7 +24,7 @@
37917 #include "raw3270.h"
37918 #include "ctrlchar.h"
37919
37920 -static struct raw3270_fn fs3270_fn;
37921 +static const struct raw3270_fn fs3270_fn;
37922
37923 struct fs3270 {
37924 struct raw3270_view view;
37925 @@ -413,7 +413,7 @@ fs3270_release(struct raw3270_view *view
37926 }
37927
37928 /* View to a 3270 device. Can be console, tty or fullscreen. */
37929 -static struct raw3270_fn fs3270_fn = {
37930 +static const struct raw3270_fn fs3270_fn = {
37931 .activate = fs3270_activate,
37932 .deactivate = fs3270_deactivate,
37933 .intv = (void *) fs3270_irq,
37934 diff -urNp linux-2.6.39.2/drivers/s390/char/raw3270.c linux-2.6.39.2/drivers/s390/char/raw3270.c
37935 --- linux-2.6.39.2/drivers/s390/char/raw3270.c 2011-05-19 00:06:34.000000000 -0400
37936 +++ linux-2.6.39.2/drivers/s390/char/raw3270.c 2011-05-22 19:36:32.000000000 -0400
37937 @@ -488,7 +488,7 @@ raw3270_init_irq(struct raw3270_view *vi
37938 return RAW3270_IO_DONE;
37939 }
37940
37941 -static struct raw3270_fn raw3270_init_fn = {
37942 +static const struct raw3270_fn raw3270_init_fn = {
37943 .intv = raw3270_init_irq
37944 };
37945
37946 diff -urNp linux-2.6.39.2/drivers/s390/char/tty3270.c linux-2.6.39.2/drivers/s390/char/tty3270.c
37947 --- linux-2.6.39.2/drivers/s390/char/tty3270.c 2011-05-19 00:06:34.000000000 -0400
37948 +++ linux-2.6.39.2/drivers/s390/char/tty3270.c 2011-05-22 19:36:32.000000000 -0400
37949 @@ -37,7 +37,7 @@
37950 struct tty_driver *tty3270_driver;
37951 static int tty3270_max_index;
37952
37953 -static struct raw3270_fn tty3270_fn;
37954 +static const struct raw3270_fn tty3270_fn;
37955
37956 struct tty3270_cell {
37957 unsigned char character;
37958 @@ -834,7 +834,7 @@ tty3270_del_views(void)
37959 }
37960 }
37961
37962 -static struct raw3270_fn tty3270_fn = {
37963 +static const struct raw3270_fn tty3270_fn = {
37964 .activate = tty3270_activate,
37965 .deactivate = tty3270_deactivate,
37966 .intv = (void *) tty3270_irq,
37967 diff -urNp linux-2.6.39.2/drivers/s390/cio/qdio_debug.c linux-2.6.39.2/drivers/s390/cio/qdio_debug.c
37968 --- linux-2.6.39.2/drivers/s390/cio/qdio_debug.c 2011-05-19 00:06:34.000000000 -0400
37969 +++ linux-2.6.39.2/drivers/s390/cio/qdio_debug.c 2011-05-22 19:36:32.000000000 -0400
37970 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
37971 filp->f_path.dentry->d_inode->i_private);
37972 }
37973
37974 -static struct file_operations debugfs_perf_fops = {
37975 +static const struct file_operations debugfs_perf_fops = {
37976 .owner = THIS_MODULE,
37977 .open = qperf_seq_open,
37978 .read = seq_read,
37979 diff -urNp linux-2.6.39.2/drivers/s390/crypto/zcrypt_cex2a.c linux-2.6.39.2/drivers/s390/crypto/zcrypt_cex2a.c
37980 --- linux-2.6.39.2/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-19 00:06:34.000000000 -0400
37981 +++ linux-2.6.39.2/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-22 19:36:32.000000000 -0400
37982 @@ -415,7 +415,7 @@ out_free:
37983 /**
37984 * The crypto operations for a CEX2A card.
37985 */
37986 -static struct zcrypt_ops zcrypt_cex2a_ops = {
37987 +static const struct zcrypt_ops zcrypt_cex2a_ops = {
37988 .rsa_modexpo = zcrypt_cex2a_modexpo,
37989 .rsa_modexpo_crt = zcrypt_cex2a_modexpo_crt,
37990 };
37991 diff -urNp linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcica.c linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcica.c
37992 --- linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcica.c 2011-05-19 00:06:34.000000000 -0400
37993 +++ linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcica.c 2011-05-22 19:36:32.000000000 -0400
37994 @@ -347,7 +347,7 @@ out_free:
37995 /**
37996 * The crypto operations for a PCICA card.
37997 */
37998 -static struct zcrypt_ops zcrypt_pcica_ops = {
37999 +static const struct zcrypt_ops zcrypt_pcica_ops = {
38000 .rsa_modexpo = zcrypt_pcica_modexpo,
38001 .rsa_modexpo_crt = zcrypt_pcica_modexpo_crt,
38002 };
38003 diff -urNp linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcicc.c linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcicc.c
38004 --- linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-19 00:06:34.000000000 -0400
38005 +++ linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-22 19:36:32.000000000 -0400
38006 @@ -553,7 +553,7 @@ out_free:
38007 /**
38008 * The crypto operations for a PCICC card.
38009 */
38010 -static struct zcrypt_ops zcrypt_pcicc_ops = {
38011 +static const struct zcrypt_ops zcrypt_pcicc_ops = {
38012 .rsa_modexpo = zcrypt_pcicc_modexpo,
38013 .rsa_modexpo_crt = zcrypt_pcicc_modexpo_crt,
38014 };
38015 diff -urNp linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcixcc.c linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcixcc.c
38016 --- linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-19 00:06:34.000000000 -0400
38017 +++ linux-2.6.39.2/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-22 19:36:32.000000000 -0400
38018 @@ -851,13 +851,13 @@ static long zcrypt_pcixcc_rng(struct zcr
38019 /**
38020 * The crypto operations for a PCIXCC/CEX2C card.
38021 */
38022 -static struct zcrypt_ops zcrypt_pcixcc_ops = {
38023 +static const struct zcrypt_ops zcrypt_pcixcc_ops = {
38024 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38025 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38026 .send_cprb = zcrypt_pcixcc_send_cprb,
38027 };
38028
38029 -static struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38030 +static const struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38031 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38032 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38033 .send_cprb = zcrypt_pcixcc_send_cprb,
38034 diff -urNp linux-2.6.39.2/drivers/s390/kvm/kvm_virtio.c linux-2.6.39.2/drivers/s390/kvm/kvm_virtio.c
38035 --- linux-2.6.39.2/drivers/s390/kvm/kvm_virtio.c 2011-05-19 00:06:34.000000000 -0400
38036 +++ linux-2.6.39.2/drivers/s390/kvm/kvm_virtio.c 2011-05-22 19:36:32.000000000 -0400
38037 @@ -266,7 +266,7 @@ error:
38038 /*
38039 * The config ops structure as defined by virtio config
38040 */
38041 -static struct virtio_config_ops kvm_vq_configspace_ops = {
38042 +static const struct virtio_config_ops kvm_vq_configspace_ops = {
38043 .get_features = kvm_get_features,
38044 .finalize_features = kvm_finalize_features,
38045 .get = kvm_get,
38046 diff -urNp linux-2.6.39.2/drivers/s390/net/qeth_core.h linux-2.6.39.2/drivers/s390/net/qeth_core.h
38047 --- linux-2.6.39.2/drivers/s390/net/qeth_core.h 2011-05-19 00:06:34.000000000 -0400
38048 +++ linux-2.6.39.2/drivers/s390/net/qeth_core.h 2011-05-22 19:36:32.000000000 -0400
38049 @@ -743,7 +743,7 @@ struct qeth_card {
38050 struct qeth_qdio_info qdio;
38051 struct qeth_perf_stats perf_stats;
38052 int read_or_write_problem;
38053 - struct qeth_osn_info osn_info;
38054 + const struct qeth_osn_info osn_info;
38055 struct qeth_discipline discipline;
38056 atomic_t force_alloc_skb;
38057 struct service_level qeth_service_level;
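Review bot: Making the embedded member `osn_info` `const` inside `struct qeth_card` is different from constifying a static ops table, because the member lives in a structure that is allocated and filled in at run time. Any code that stores into fields of `card->osn_info` will stop compiling, and whole-struct assignment of `struct qeth_card` becomes ill-formed; no such store is visible in this hunk, so this needs checking against the rest of the qeth sources. If the callbacks in `osn_info` are set at registration time, the member has to stay `struct qeth_osn_info osn_info;`. The struct definition starts and ends outside the hunk.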
38058 diff -urNp linux-2.6.39.2/drivers/scsi/53c700.c linux-2.6.39.2/drivers/scsi/53c700.c
38059 --- linux-2.6.39.2/drivers/scsi/53c700.c 2011-05-19 00:06:34.000000000 -0400
38060 +++ linux-2.6.39.2/drivers/scsi/53c700.c 2011-05-22 19:36:32.000000000 -0400
38061 @@ -2153,7 +2153,7 @@ EXPORT_SYMBOL(NCR_700_detect);
38062 EXPORT_SYMBOL(NCR_700_release);
38063 EXPORT_SYMBOL(NCR_700_intr);
38064
38065 -static struct spi_function_template NCR_700_transport_functions = {
38066 +static struct spi_function_template NCR_700_transport_functions = {
38067 .set_period = NCR_700_set_period,
38068 .show_period = 1,
38069 .set_offset = NCR_700_set_offset,
38070 diff -urNp linux-2.6.39.2/drivers/scsi/aacraid/commctrl.c linux-2.6.39.2/drivers/scsi/aacraid/commctrl.c
38071 --- linux-2.6.39.2/drivers/scsi/aacraid/commctrl.c 2011-05-19 00:06:34.000000000 -0400
38072 +++ linux-2.6.39.2/drivers/scsi/aacraid/commctrl.c 2011-05-22 19:36:32.000000000 -0400
38073 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
38074 u32 actual_fibsize64, actual_fibsize = 0;
38075 int i;
38076
38077 + pax_track_stack();
38078
38079 if (dev->in_reset) {
38080 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
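Review bot: `pax_track_stack();` is inserted here as the first statement with no comment, and the same bare call is added in the bfad.c, bfa_fcs_lport.c (two hunks), bfa_fcs_rport.c, BusLogic.c and dpt_i2o.c (two hunks) changes below. Nothing in these hunks says what qualifies a function for the call; from the context it looks tied to large on-stack locals (for example the `msg` buffer cleared in the dpt_i2o.c hunks), but that is an inference. A one-line comment at each site, e.g. `/* large stack frame: keep the PaX stack tracking up to date */`, or a single statement of the criterion where `pax_track_stack` is declared, would let a maintainer tell when a call must be added or can be dropped. Each of these functions starts or ends outside its hunk.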
38081 diff -urNp linux-2.6.39.2/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.39.2/drivers/scsi/aic94xx/aic94xx_init.c
38082 --- linux-2.6.39.2/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-19 00:06:34.000000000 -0400
38083 +++ linux-2.6.39.2/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-22 19:41:37.000000000 -0400
38084 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
38085 flash_error_table[i].reason);
38086 }
38087
38088 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38089 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38090 asd_show_update_bios, asd_store_update_bios);
38091
38092 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
38093 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfa_core.c linux-2.6.39.2/drivers/scsi/bfa/bfa_core.c
38094 --- linux-2.6.39.2/drivers/scsi/bfa/bfa_core.c 2011-05-19 00:06:34.000000000 -0400
38095 +++ linux-2.6.39.2/drivers/scsi/bfa/bfa_core.c 2011-05-22 19:36:32.000000000 -0400
38096 @@ -24,7 +24,7 @@ BFA_TRC_FILE(HAL, CORE);
38097 /*
38098 * BFA module list terminated by NULL
38099 */
38100 -static struct bfa_module_s *hal_mods[] = {
38101 +static const struct bfa_module_s *hal_mods[] = {
38102 &hal_mod_sgpg,
38103 &hal_mod_fcport,
38104 &hal_mod_fcxp,
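Review bot: `static const struct bfa_module_s *hal_mods[]` makes the pointed-to modules read-only but leaves the array of pointers itself writable, so the table that selects which module is called can still be modified at run time. Since the purpose of the change is to move these dispatch tables into read-only data, the array should be const as well: `static const struct bfa_module_s * const hal_mods[] = {`. This assumes nothing assigns to `hal_mods[i]`, which cannot be confirmed from this hunk; the initializer continues past the hunk's last line.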
38105 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfad.c linux-2.6.39.2/drivers/scsi/bfa/bfad.c
38106 --- linux-2.6.39.2/drivers/scsi/bfa/bfad.c 2011-05-19 00:06:34.000000000 -0400
38107 +++ linux-2.6.39.2/drivers/scsi/bfa/bfad.c 2011-05-22 19:36:32.000000000 -0400
38108 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
38109 struct bfad_vport_s *vport, *vport_new;
38110 struct bfa_fcs_driver_info_s driver_info;
38111
38112 + pax_track_stack();
38113 +
38114 /* Fill the driver_info info to fcs*/
38115 memset(&driver_info, 0, sizeof(driver_info));
38116 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
38117 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs.c linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs.c
38118 --- linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs.c 2011-05-19 00:06:34.000000000 -0400
38119 +++ linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs.c 2011-05-22 19:36:32.000000000 -0400
38120 @@ -70,7 +70,7 @@ bfa_fcs_attach(struct bfa_fcs_s *fcs, st
38121 bfa_boolean_t min_cfg)
38122 {
38123 int i;
38124 - struct bfa_fcs_mod_s *mod;
38125 + const struct bfa_fcs_mod_s *mod;
38126
38127 fcs->bfa = bfa;
38128 fcs->bfad = bfad;
38129 @@ -93,7 +93,7 @@ void
38130 bfa_fcs_init(struct bfa_fcs_s *fcs)
38131 {
38132 int i, npbc_vports;
38133 - struct bfa_fcs_mod_s *mod;
38134 + const struct bfa_fcs_mod_s *mod;
38135 struct bfi_pbc_vport_s pbc_vports[BFI_PBC_MAX_VPORTS];
38136
38137 for (i = 0; i < sizeof(fcs_modules) / sizeof(fcs_modules[0]); i++) {
38138 @@ -140,7 +140,7 @@ bfa_fcs_driver_info_init(struct bfa_fcs_
38139 void
38140 bfa_fcs_exit(struct bfa_fcs_s *fcs)
38141 {
38142 - struct bfa_fcs_mod_s *mod;
38143 + const struct bfa_fcs_mod_s *mod;
38144 int nmods, i;
38145
38146 bfa_wc_init(&fcs->wc, bfa_fcs_exit_comp, fcs);
38147 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_lport.c
38148 --- linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-19 00:06:34.000000000 -0400
38149 +++ linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-22 19:36:32.000000000 -0400
38150 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
38151 u16 len, count;
38152 u16 templen;
38153
38154 + pax_track_stack();
38155 +
38156 /*
38157 * get hba attributes
38158 */
38159 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
38160 u8 count = 0;
38161 u16 templen;
38162
38163 + pax_track_stack();
38164 +
38165 /*
38166 * get port attributes
38167 */
38168 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_rport.c
38169 --- linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-19 00:06:34.000000000 -0400
38170 +++ linux-2.6.39.2/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-22 19:36:32.000000000 -0400
38171 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
38172 struct fc_rpsc_speed_info_s speeds;
38173 struct bfa_port_attr_s pport_attr;
38174
38175 + pax_track_stack();
38176 +
38177 bfa_trc(port->fcs, rx_fchs->s_id);
38178 bfa_trc(port->fcs, rx_fchs->d_id);
38179
38180 diff -urNp linux-2.6.39.2/drivers/scsi/bfa/bfa_modules.h linux-2.6.39.2/drivers/scsi/bfa/bfa_modules.h
38181 --- linux-2.6.39.2/drivers/scsi/bfa/bfa_modules.h 2011-05-19 00:06:34.000000000 -0400
38182 +++ linux-2.6.39.2/drivers/scsi/bfa/bfa_modules.h 2011-05-22 19:36:32.000000000 -0400
38183 @@ -68,8 +68,8 @@ enum {
38184 static void bfa_ ## __mod ## _stop(struct bfa_s *bfa); \
38185 static void bfa_ ## __mod ## _iocdisable(struct bfa_s *bfa); \
38186 \
38187 - extern struct bfa_module_s hal_mod_ ## __mod; \
38188 - struct bfa_module_s hal_mod_ ## __mod = { \
38189 + extern const struct bfa_module_s hal_mod_ ## __mod; \
38190 + const struct bfa_module_s hal_mod_ ## __mod = { \
38191 bfa_ ## __mod ## _meminfo, \
38192 bfa_ ## __mod ## _attach, \
38193 bfa_ ## __mod ## _detach, \
38194 @@ -116,12 +116,12 @@ struct bfa_s {
38195 };
38196
38197 extern bfa_boolean_t bfa_auto_recover;
38198 -extern struct bfa_module_s hal_mod_sgpg;
38199 -extern struct bfa_module_s hal_mod_fcport;
38200 -extern struct bfa_module_s hal_mod_fcxp;
38201 -extern struct bfa_module_s hal_mod_lps;
38202 -extern struct bfa_module_s hal_mod_uf;
38203 -extern struct bfa_module_s hal_mod_rport;
38204 -extern struct bfa_module_s hal_mod_fcpim;
38205 +extern const struct bfa_module_s hal_mod_sgpg;
38206 +extern const struct bfa_module_s hal_mod_fcport;
38207 +extern const struct bfa_module_s hal_mod_fcxp;
38208 +extern const struct bfa_module_s hal_mod_lps;
38209 +extern const struct bfa_module_s hal_mod_uf;
38210 +extern const struct bfa_module_s hal_mod_rport;
38211 +extern const struct bfa_module_s hal_mod_fcpim;
38212
38213 #endif /* __BFA_MODULES_H__ */
38214 diff -urNp linux-2.6.39.2/drivers/scsi/BusLogic.c linux-2.6.39.2/drivers/scsi/BusLogic.c
38215 --- linux-2.6.39.2/drivers/scsi/BusLogic.c 2011-05-19 00:06:34.000000000 -0400
38216 +++ linux-2.6.39.2/drivers/scsi/BusLogic.c 2011-05-22 19:36:32.000000000 -0400
38217 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
38218 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38219 *PrototypeHostAdapter)
38220 {
38221 + pax_track_stack();
38222 +
38223 /*
38224 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38225 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38226 diff -urNp linux-2.6.39.2/drivers/scsi/dpt_i2o.c linux-2.6.39.2/drivers/scsi/dpt_i2o.c
38227 --- linux-2.6.39.2/drivers/scsi/dpt_i2o.c 2011-05-19 00:06:34.000000000 -0400
38228 +++ linux-2.6.39.2/drivers/scsi/dpt_i2o.c 2011-05-22 19:36:32.000000000 -0400
38229 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38230 dma_addr_t addr;
38231 ulong flags = 0;
38232
38233 + pax_track_stack();
38234 +
38235 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38236 // get user msg size in u32s
38237 if(get_user(size, &user_msg[0])){
38238 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38239 s32 rcode;
38240 dma_addr_t addr;
38241
38242 + pax_track_stack();
38243 +
38244 memset(msg, 0 , sizeof(msg));
38245 len = scsi_bufflen(cmd);
38246 direction = 0x00000000;
38247 diff -urNp linux-2.6.39.2/drivers/scsi/eata.c linux-2.6.39.2/drivers/scsi/eata.c
38248 --- linux-2.6.39.2/drivers/scsi/eata.c 2011-05-19 00:06:34.000000000 -0400
38249 +++ linux-2.6.39.2/drivers/scsi/eata.c 2011-05-22 19:36:32.000000000 -0400
38250 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38251 struct hostdata *ha;
38252 char name[16];
38253
38254 + pax_track_stack();
38255 +
38256 sprintf(name, "%s%d", driver_name, j);
38257
38258 if (!request_region(port_base, REGION_SIZE, driver_name)) {
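Review bot: `sprintf(name, "%s%d", driver_name, j);` directly after the added call writes into the 16-byte `name` array with no bound, so it fits only while `driver_name` plus the decimal digits of `j` stay under 16 bytes. `driver_name` is defined outside the hunk, so that cannot be confirmed from here. Since the patch already touches this function for stack hardening, I would bound the write: `snprintf(name, sizeof(name), "%s%d", driver_name, j);`. port_detect starts before and continues after the hunk.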
38259 diff -urNp linux-2.6.39.2/drivers/scsi/esp_scsi.c linux-2.6.39.2/drivers/scsi/esp_scsi.c
38260 --- linux-2.6.39.2/drivers/scsi/esp_scsi.c 2011-05-19 00:06:34.000000000 -0400
38261 +++ linux-2.6.39.2/drivers/scsi/esp_scsi.c 2011-05-22 19:36:32.000000000 -0400
38262 @@ -2680,7 +2680,7 @@ static void esp_set_width(struct scsi_ta
38263 tp->flags |= ESP_TGT_CHECK_NEGO;
38264 }
38265
38266 -static struct spi_function_template esp_transport_ops = {
38267 +static const struct spi_function_template esp_transport_ops = {
38268 .set_offset = esp_set_offset,
38269 .show_offset = 1,
38270 .set_period = esp_set_period,
38271 diff -urNp linux-2.6.39.2/drivers/scsi/fcoe/fcoe.c linux-2.6.39.2/drivers/scsi/fcoe/fcoe.c
38272 --- linux-2.6.39.2/drivers/scsi/fcoe/fcoe.c 2011-05-19 00:06:34.000000000 -0400
38273 +++ linux-2.6.39.2/drivers/scsi/fcoe/fcoe.c 2011-05-22 19:36:32.000000000 -0400
38274 @@ -138,7 +138,7 @@ static int fcoe_vport_disable(struct fc_
38275 static void fcoe_set_vport_symbolic_name(struct fc_vport *);
38276 static void fcoe_set_port_id(struct fc_lport *, u32, struct fc_frame *);
38277
38278 -static struct libfc_function_template fcoe_libfc_fcn_templ = {
38279 +static const struct libfc_function_template fcoe_libfc_fcn_templ = {
38280 .frame_send = fcoe_xmit,
38281 .ddp_setup = fcoe_ddp_setup,
38282 .ddp_done = fcoe_ddp_done,
38283 diff -urNp linux-2.6.39.2/drivers/scsi/fcoe/fcoe_ctlr.c linux-2.6.39.2/drivers/scsi/fcoe/fcoe_ctlr.c
38284 --- linux-2.6.39.2/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-19 00:06:34.000000000 -0400
38285 +++ linux-2.6.39.2/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-22 19:36:32.000000000 -0400
38286 @@ -1912,7 +1912,7 @@ static void fcoe_ctlr_vn_rport_callback(
38287 mutex_unlock(&fip->ctlr_mutex);
38288 }
38289
38290 -static struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38291 +static const struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38292 .event_callback = fcoe_ctlr_vn_rport_callback,
38293 };
38294
38295 @@ -2458,6 +2458,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
38296 } buf;
38297 int rc;
38298
38299 + pax_track_stack();
38300 +
38301 fiph = (struct fip_header *)skb->data;
38302 sub = fiph->fip_subcode;
38303
38304 diff -urNp linux-2.6.39.2/drivers/scsi/fnic/fnic_main.c linux-2.6.39.2/drivers/scsi/fnic/fnic_main.c
38305 --- linux-2.6.39.2/drivers/scsi/fnic/fnic_main.c 2011-05-19 00:06:34.000000000 -0400
38306 +++ linux-2.6.39.2/drivers/scsi/fnic/fnic_main.c 2011-05-22 19:36:32.000000000 -0400
38307 @@ -69,7 +69,7 @@ module_param(fnic_log_level, int, S_IRUG
38308 MODULE_PARM_DESC(fnic_log_level, "bit mask of fnic logging levels");
38309
38310
38311 -static struct libfc_function_template fnic_transport_template = {
38312 +static const struct libfc_function_template fnic_transport_template = {
38313 .frame_send = fnic_send,
38314 .lport_set_port_id = fnic_set_port_id,
38315 .fcp_abort_io = fnic_empty_scsi_cleanup,
38316 diff -urNp linux-2.6.39.2/drivers/scsi/gdth.c linux-2.6.39.2/drivers/scsi/gdth.c
38317 --- linux-2.6.39.2/drivers/scsi/gdth.c 2011-05-19 00:06:34.000000000 -0400
38318 +++ linux-2.6.39.2/drivers/scsi/gdth.c 2011-05-22 19:36:32.000000000 -0400
38319 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
38320 unsigned long flags;
38321 gdth_ha_str *ha;
38322
38323 + pax_track_stack();
38324 +
38325 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38326 return -EFAULT;
38327 ha = gdth_find_ha(ldrv.ionode);
38328 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
38329 gdth_ha_str *ha;
38330 int rval;
38331
38332 + pax_track_stack();
38333 +
38334 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38335 res.number >= MAX_HDRIVES)
38336 return -EFAULT;
38337 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
38338 gdth_ha_str *ha;
38339 int rval;
38340
38341 + pax_track_stack();
38342 +
38343 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38344 return -EFAULT;
38345 ha = gdth_find_ha(gen.ionode);
38346 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
38347 int i;
38348 gdth_cmd_str gdtcmd;
38349 char cmnd[MAX_COMMAND_SIZE];
38350 +
38351 + pax_track_stack();
38352 +
38353 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38354
38355 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38356 diff -urNp linux-2.6.39.2/drivers/scsi/gdth_proc.c linux-2.6.39.2/drivers/scsi/gdth_proc.c
38357 --- linux-2.6.39.2/drivers/scsi/gdth_proc.c 2011-05-19 00:06:34.000000000 -0400
38358 +++ linux-2.6.39.2/drivers/scsi/gdth_proc.c 2011-05-22 19:36:32.000000000 -0400
38359 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
38360 u64 paddr;
38361
38362 char cmnd[MAX_COMMAND_SIZE];
38363 +
38364 + pax_track_stack();
38365 +
38366 memset(cmnd, 0xff, 12);
38367 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38368
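Review bot: `memset(cmnd, 0xff, 12);` fills only 12 bytes of `cmnd`, which is declared as `char cmnd[MAX_COMMAND_SIZE]`; if MAX_COMMAND_SIZE is larger than 12, the tail of the array keeps whatever was on the stack. gdth_flush in gdth.c, changed by this same patch, initialises the same kind of buffer with `memset(cmnd, 0xff, MAX_COMMAND_SIZE);`. I would size the fill from the array itself, `memset(cmnd, 0xff, sizeof(cmnd));`, so no uninitialised bytes can end up in the command built from it. How `cmnd` is used afterwards is outside the hunk.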
38369 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
38370 gdth_hget_str *phg;
38371 char cmnd[MAX_COMMAND_SIZE];
38372
38373 + pax_track_stack();
38374 +
38375 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38376 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38377 if (!gdtcmd || !estr)
38378 diff -urNp linux-2.6.39.2/drivers/scsi/hosts.c linux-2.6.39.2/drivers/scsi/hosts.c
38379 --- linux-2.6.39.2/drivers/scsi/hosts.c 2011-05-19 00:06:34.000000000 -0400
38380 +++ linux-2.6.39.2/drivers/scsi/hosts.c 2011-05-22 19:36:32.000000000 -0400
38381 @@ -42,7 +42,7 @@
38382 #include "scsi_logging.h"
38383
38384
38385 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38386 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38387
38388
38389 static void scsi_host_cls_release(struct device *dev)
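Review bot: Switching `scsi_host_next_hn` to `atomic_unchecked_t` opts it out of PaX's counter overflow detection, and neither this hunk nor the one in scsi_host_alloc records why that is acceptable. The value is used as an identifier (`shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;`), so a wrap would silently hand out repeated host numbers rather than trap. I would extend the existing comment, e.g. `/* host_no for next new host; not a refcount, wrap is not checked */`. The statistics counters converted in libfc/fc_exch.c and the trace counters in lpfc/lpfc_debugfs.c, where the value is masked with `lpfc_debugfs_max_disc_trc - 1` before use, deserve the same one-line justification.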
38390 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38391 * subtract one because we increment first then return, but we need to
38392 * know what the next host number was before increment
38393 */
38394 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38395 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38396 shost->dma_channel = 0xff;
38397
38398 /* These three are default values which can be overridden */
38399 diff -urNp linux-2.6.39.2/drivers/scsi/hpsa.h linux-2.6.39.2/drivers/scsi/hpsa.h
38400 --- linux-2.6.39.2/drivers/scsi/hpsa.h 2011-05-19 00:06:34.000000000 -0400
38401 +++ linux-2.6.39.2/drivers/scsi/hpsa.h 2011-05-22 19:36:32.000000000 -0400
38402 @@ -347,7 +347,7 @@ static struct access_method SA5_access =
38403 SA5_completed,
38404 };
38405
38406 -static struct access_method SA5_performant_access = {
38407 +static const struct access_method SA5_performant_access = {
38408 SA5_submit_command,
38409 SA5_performant_intr_mask,
38410 SA5_fifo_full,
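Review bot: Only `SA5_performant_access` becomes const here; the hunk header shows the table just above it still declared as `static struct access_method SA5_access =`. Because the old and new offsets are both 347, the patch changes nothing earlier in this file. That leaves one of the two function-pointer tables in writable data while its sibling is protected. Unless something writes to it (not visible here), it should get the same treatment: `static const struct access_method SA5_access = {`.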
38411 diff -urNp linux-2.6.39.2/drivers/scsi/hptiop.c linux-2.6.39.2/drivers/scsi/hptiop.c
38412 --- linux-2.6.39.2/drivers/scsi/hptiop.c 2011-05-19 00:06:34.000000000 -0400
38413 +++ linux-2.6.39.2/drivers/scsi/hptiop.c 2011-05-22 19:36:32.000000000 -0400
38414 @@ -1226,7 +1226,7 @@ static void hptiop_remove(struct pci_dev
38415 scsi_host_put(host);
38416 }
38417
38418 -static struct hptiop_adapter_ops hptiop_itl_ops = {
38419 +static const struct hptiop_adapter_ops hptiop_itl_ops = {
38420 .iop_wait_ready = iop_wait_ready_itl,
38421 .internal_memalloc = NULL,
38422 .internal_memfree = NULL,
38423 @@ -1241,7 +1241,7 @@ static struct hptiop_adapter_ops hptiop_
38424 .post_req = hptiop_post_req_itl,
38425 };
38426
38427 -static struct hptiop_adapter_ops hptiop_mv_ops = {
38428 +static const struct hptiop_adapter_ops hptiop_mv_ops = {
38429 .iop_wait_ready = iop_wait_ready_mv,
38430 .internal_memalloc = hptiop_internal_memalloc_mv,
38431 .internal_memfree = hptiop_internal_memfree_mv,
38432 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvfc.c linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvfc.c
38433 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-19 00:06:34.000000000 -0400
38434 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-22 19:36:32.000000000 -0400
38435 @@ -4881,7 +4881,7 @@ static struct vio_device_id ibmvfc_devic
38436 };
38437 MODULE_DEVICE_TABLE(vio, ibmvfc_device_table);
38438
38439 -static struct dev_pm_ops ibmvfc_pm_ops = {
38440 +static const struct dev_pm_ops ibmvfc_pm_ops = {
38441 .resume = ibmvfc_resume
38442 };
38443
38444 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.c linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.c
38445 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-19 00:06:34.000000000 -0400
38446 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-22 19:36:32.000000000 -0400
38447 @@ -104,7 +104,7 @@ static struct scsi_transport_template *i
38448
38449 #define IBMVSCSI_VERSION "1.5.9"
38450
38451 -static struct ibmvscsi_ops *ibmvscsi_ops;
38452 +static const struct ibmvscsi_ops *ibmvscsi_ops;
38453
38454 MODULE_DESCRIPTION("IBM Virtual SCSI");
38455 MODULE_AUTHOR("Dave Boutcher");
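Review bot: `static const struct ibmvscsi_ops *ibmvscsi_ops;` makes the pointed-to table read-only, but the pointer variable itself is still an ordinary writable static, so indirect calls through it are only as protected as that pointer. The matching hunks in iseries_vscsi.c and rpa_vscsi.c constify the two tables declared for it; where the pointer is assigned is outside this hunk. A short comment would make the remaining exposure explicit, e.g. `/* pointer stays writable; only the ops tables it points at are const */`. The `instancet` member changed in megaraid_sas.h is in the same position.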
38456 @@ -2059,7 +2059,7 @@ static struct vio_device_id ibmvscsi_dev
38457 };
38458 MODULE_DEVICE_TABLE(vio, ibmvscsi_device_table);
38459
38460 -static struct dev_pm_ops ibmvscsi_pm_ops = {
38461 +static const struct dev_pm_ops ibmvscsi_pm_ops = {
38462 .resume = ibmvscsi_resume
38463 };
38464
38465 @@ -2075,7 +2075,7 @@ static struct vio_driver ibmvscsi_driver
38466 }
38467 };
38468
38469 -static struct srp_function_template ibmvscsi_transport_functions = {
38470 +static const struct srp_function_template ibmvscsi_transport_functions = {
38471 };
38472
38473 int __init ibmvscsi_module_init(void)
38474 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.h linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.h
38475 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-19 00:06:34.000000000 -0400
38476 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-22 19:36:32.000000000 -0400
38477 @@ -127,7 +127,7 @@ struct ibmvscsi_ops {
38478 int (*resume) (struct ibmvscsi_host_data *hostdata);
38479 };
38480
38481 -extern struct ibmvscsi_ops iseriesvscsi_ops;
38482 -extern struct ibmvscsi_ops rpavscsi_ops;
38483 +extern const struct ibmvscsi_ops iseriesvscsi_ops;
38484 +extern const struct ibmvscsi_ops rpavscsi_ops;
38485
38486 #endif /* IBMVSCSI_H */
38487 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvstgt.c linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvstgt.c
38488 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-19 00:06:34.000000000 -0400
38489 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-22 19:36:32.000000000 -0400
38490 @@ -951,7 +951,7 @@ static int get_system_info(void)
38491 return 0;
38492 }
38493
38494 -static struct srp_function_template ibmvstgt_transport_functions = {
38495 +static const struct srp_function_template ibmvstgt_transport_functions = {
38496 .tsk_mgmt_response = ibmvstgt_tsk_mgmt_response,
38497 .it_nexus_response = ibmvstgt_it_nexus_response,
38498 };
38499 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/iseries_vscsi.c linux-2.6.39.2/drivers/scsi/ibmvscsi/iseries_vscsi.c
38500 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38501 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38502 @@ -163,7 +163,7 @@ static int iseriesvscsi_resume(struct ib
38503 return 0;
38504 }
38505
38506 -struct ibmvscsi_ops iseriesvscsi_ops = {
38507 +const struct ibmvscsi_ops iseriesvscsi_ops = {
38508 .init_crq_queue = iseriesvscsi_init_crq_queue,
38509 .release_crq_queue = iseriesvscsi_release_crq_queue,
38510 .reset_crq_queue = iseriesvscsi_reset_crq_queue,
38511 diff -urNp linux-2.6.39.2/drivers/scsi/ibmvscsi/rpa_vscsi.c linux-2.6.39.2/drivers/scsi/ibmvscsi/rpa_vscsi.c
38512 --- linux-2.6.39.2/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38513 +++ linux-2.6.39.2/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38514 @@ -358,7 +358,7 @@ static int rpavscsi_resume(struct ibmvsc
38515 return 0;
38516 }
38517
38518 -struct ibmvscsi_ops rpavscsi_ops = {
38519 +const struct ibmvscsi_ops rpavscsi_ops = {
38520 .init_crq_queue = rpavscsi_init_crq_queue,
38521 .release_crq_queue = rpavscsi_release_crq_queue,
38522 .reset_crq_queue = rpavscsi_reset_crq_queue,
38523 diff -urNp linux-2.6.39.2/drivers/scsi/ipr.c linux-2.6.39.2/drivers/scsi/ipr.c
38524 --- linux-2.6.39.2/drivers/scsi/ipr.c 2011-05-19 00:06:34.000000000 -0400
38525 +++ linux-2.6.39.2/drivers/scsi/ipr.c 2011-05-22 19:36:32.000000000 -0400
38526 @@ -6210,7 +6210,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38527 return true;
38528 }
38529
38530 -static struct ata_port_operations ipr_sata_ops = {
38531 +static const struct ata_port_operations ipr_sata_ops = {
38532 .phy_reset = ipr_ata_phy_reset,
38533 .hardreset = ipr_sata_reset,
38534 .post_internal_cmd = ipr_ata_post_internal,
38535 diff -urNp linux-2.6.39.2/drivers/scsi/libfc/fc_exch.c linux-2.6.39.2/drivers/scsi/libfc/fc_exch.c
38536 --- linux-2.6.39.2/drivers/scsi/libfc/fc_exch.c 2011-05-19 00:06:34.000000000 -0400
38537 +++ linux-2.6.39.2/drivers/scsi/libfc/fc_exch.c 2011-05-22 19:36:32.000000000 -0400
38538 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
38539 * all together if not used XXX
38540 */
38541 struct {
38542 - atomic_t no_free_exch;
38543 - atomic_t no_free_exch_xid;
38544 - atomic_t xid_not_found;
38545 - atomic_t xid_busy;
38546 - atomic_t seq_not_found;
38547 - atomic_t non_bls_resp;
38548 + atomic_unchecked_t no_free_exch;
38549 + atomic_unchecked_t no_free_exch_xid;
38550 + atomic_unchecked_t xid_not_found;
38551 + atomic_unchecked_t xid_busy;
38552 + atomic_unchecked_t seq_not_found;
38553 + atomic_unchecked_t non_bls_resp;
38554 } stats;
38555 };
38556
38557 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
38558 /* allocate memory for exchange */
38559 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38560 if (!ep) {
38561 - atomic_inc(&mp->stats.no_free_exch);
38562 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38563 goto out;
38564 }
38565 memset(ep, 0, sizeof(*ep));
38566 @@ -761,7 +761,7 @@ out:
38567 return ep;
38568 err:
38569 spin_unlock_bh(&pool->lock);
38570 - atomic_inc(&mp->stats.no_free_exch_xid);
38571 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38572 mempool_free(ep, mp->ep_pool);
38573 return NULL;
38574 }
38575 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38576 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38577 ep = fc_exch_find(mp, xid);
38578 if (!ep) {
38579 - atomic_inc(&mp->stats.xid_not_found);
38580 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38581 reject = FC_RJT_OX_ID;
38582 goto out;
38583 }
38584 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38585 ep = fc_exch_find(mp, xid);
38586 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38587 if (ep) {
38588 - atomic_inc(&mp->stats.xid_busy);
38589 + atomic_inc_unchecked(&mp->stats.xid_busy);
38590 reject = FC_RJT_RX_ID;
38591 goto rel;
38592 }
38593 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38594 }
38595 xid = ep->xid; /* get our XID */
38596 } else if (!ep) {
38597 - atomic_inc(&mp->stats.xid_not_found);
38598 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38599 reject = FC_RJT_RX_ID; /* XID not found */
38600 goto out;
38601 }
38602 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38603 } else {
38604 sp = &ep->seq;
38605 if (sp->id != fh->fh_seq_id) {
38606 - atomic_inc(&mp->stats.seq_not_found);
38607 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38608 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38609 goto rel;
38610 }
38611 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
38612
38613 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38614 if (!ep) {
38615 - atomic_inc(&mp->stats.xid_not_found);
38616 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38617 goto out;
38618 }
38619 if (ep->esb_stat & ESB_ST_COMPLETE) {
38620 - atomic_inc(&mp->stats.xid_not_found);
38621 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38622 goto rel;
38623 }
38624 if (ep->rxid == FC_XID_UNKNOWN)
38625 ep->rxid = ntohs(fh->fh_rx_id);
38626 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38627 - atomic_inc(&mp->stats.xid_not_found);
38628 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38629 goto rel;
38630 }
38631 if (ep->did != ntoh24(fh->fh_s_id) &&
38632 ep->did != FC_FID_FLOGI) {
38633 - atomic_inc(&mp->stats.xid_not_found);
38634 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38635 goto rel;
38636 }
38637 sof = fr_sof(fp);
38638 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
38639 sp->ssb_stat |= SSB_ST_RESP;
38640 sp->id = fh->fh_seq_id;
38641 } else if (sp->id != fh->fh_seq_id) {
38642 - atomic_inc(&mp->stats.seq_not_found);
38643 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38644 goto rel;
38645 }
38646
38647 @@ -1479,9 +1479,9 @@ static void fc_exch_recv_resp(struct fc_
38648 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38649
38650 if (!sp)
38651 - atomic_inc(&mp->stats.xid_not_found);
38652 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38653 else
38654 - atomic_inc(&mp->stats.non_bls_resp);
38655 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38656
38657 fc_frame_free(fp);
38658 }
38659 diff -urNp linux-2.6.39.2/drivers/scsi/libfc/fc_lport.c linux-2.6.39.2/drivers/scsi/libfc/fc_lport.c
38660 --- linux-2.6.39.2/drivers/scsi/libfc/fc_lport.c 2011-05-19 00:06:34.000000000 -0400
38661 +++ linux-2.6.39.2/drivers/scsi/libfc/fc_lport.c 2011-05-22 19:36:32.000000000 -0400
38662 @@ -1299,7 +1299,7 @@ static void fc_lport_enter_ns(struct fc_
38663 fc_lport_error(lport, fp);
38664 }
38665
38666 -static struct fc_rport_operations fc_lport_rport_ops = {
38667 +static const struct fc_rport_operations fc_lport_rport_ops = {
38668 .event_callback = fc_lport_rport_callback,
38669 };
38670
38671 diff -urNp linux-2.6.39.2/drivers/scsi/libfc/fc_rport.c linux-2.6.39.2/drivers/scsi/libfc/fc_rport.c
38672 --- linux-2.6.39.2/drivers/scsi/libfc/fc_rport.c 2011-05-19 00:06:34.000000000 -0400
38673 +++ linux-2.6.39.2/drivers/scsi/libfc/fc_rport.c 2011-05-22 19:36:32.000000000 -0400
38674 @@ -256,7 +256,7 @@ static void fc_rport_work(struct work_st
38675 struct fc_rport_libfc_priv *rpriv;
38676 enum fc_rport_event event;
38677 struct fc_lport *lport = rdata->local_port;
38678 - struct fc_rport_operations *rport_ops;
38679 + const struct fc_rport_operations *rport_ops;
38680 struct fc_rport_identifiers ids;
38681 struct fc_rport *rport;
38682 struct fc4_prov *prov;
38683 diff -urNp linux-2.6.39.2/drivers/scsi/libsas/sas_ata.c linux-2.6.39.2/drivers/scsi/libsas/sas_ata.c
38684 --- linux-2.6.39.2/drivers/scsi/libsas/sas_ata.c 2011-05-19 00:06:34.000000000 -0400
38685 +++ linux-2.6.39.2/drivers/scsi/libsas/sas_ata.c 2011-05-22 19:36:32.000000000 -0400
38686 @@ -307,14 +307,14 @@ static void sas_ata_post_internal(struct
38687 }
38688 }
38689
38690 -static struct ata_port_operations sas_sata_ops = {
38691 +static const struct ata_port_operations sas_sata_ops = {
38692 .prereset = ata_std_prereset,
38693 .softreset = NULL,
38694 .hardreset = sas_ata_hard_reset,
38695 .postreset = ata_std_postreset,
38696 .error_handler = ata_std_error_handler,
38697 .post_internal_cmd = sas_ata_post_internal,
38698 - .qc_defer = ata_std_qc_defer,
38699 + .qc_defer = ata_std_qc_defer,
38700 .qc_prep = ata_noop_qc_prep,
38701 .qc_issue = sas_ata_qc_issue,
38702 .qc_fill_rtf = sas_ata_qc_fill_rtf,
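Review bot: The `.qc_defer = ata_std_qc_defer,` line is removed and re-added with the same text, so it is a whitespace-only change riding along with the constification of `sas_sata_ops`. It enlarges the hunk and makes it more likely to conflict when the patch is carried to a newer kernel, without adding any hardening. I would drop that pair and keep the hunk to the single `static const struct ata_port_operations sas_sata_ops = {` line.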
38703 diff -urNp linux-2.6.39.2/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.39.2/drivers/scsi/lpfc/lpfc_debugfs.c
38704 --- linux-2.6.39.2/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-19 00:06:34.000000000 -0400
38705 +++ linux-2.6.39.2/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-22 19:36:32.000000000 -0400
38706 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
38707
38708 #include <linux/debugfs.h>
38709
38710 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38711 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38712 static unsigned long lpfc_debugfs_start_time = 0L;
38713
38714 /* iDiag */
38715 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38716 lpfc_debugfs_enable = 0;
38717
38718 len = 0;
38719 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38720 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38721 (lpfc_debugfs_max_disc_trc - 1);
38722 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38723 dtp = vport->disc_trc + i;
38724 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38725 lpfc_debugfs_enable = 0;
38726
38727 len = 0;
38728 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38729 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38730 (lpfc_debugfs_max_slow_ring_trc - 1);
38731 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38732 dtp = phba->slow_ring_trc + i;
38733 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38734 uint32_t *ptr;
38735 char buffer[1024];
38736
38737 + pax_track_stack();
38738 +
38739 off = 0;
38740 spin_lock_irq(&phba->hbalock);
38741
38742 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38743 !vport || !vport->disc_trc)
38744 return;
38745
38746 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38747 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38748 (lpfc_debugfs_max_disc_trc - 1);
38749 dtp = vport->disc_trc + index;
38750 dtp->fmt = fmt;
38751 dtp->data1 = data1;
38752 dtp->data2 = data2;
38753 dtp->data3 = data3;
38754 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38755 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38756 dtp->jif = jiffies;
38757 #endif
38758 return;
38759 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38760 !phba || !phba->slow_ring_trc)
38761 return;
38762
38763 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38764 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38765 (lpfc_debugfs_max_slow_ring_trc - 1);
38766 dtp = phba->slow_ring_trc + index;
38767 dtp->fmt = fmt;
38768 dtp->data1 = data1;
38769 dtp->data2 = data2;
38770 dtp->data3 = data3;
38771 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38772 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38773 dtp->jif = jiffies;
38774 #endif
38775 return;
38776 @@ -2145,7 +2147,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38777 "slow_ring buffer\n");
38778 goto debug_failed;
38779 }
38780 - atomic_set(&phba->slow_ring_trc_cnt, 0);
38781 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38782 memset(phba->slow_ring_trc, 0,
38783 (sizeof(struct lpfc_debugfs_trc) *
38784 lpfc_debugfs_max_slow_ring_trc));
38785 @@ -2191,7 +2193,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38786 "buffer\n");
38787 goto debug_failed;
38788 }
38789 - atomic_set(&vport->disc_trc_cnt, 0);
38790 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38791
38792 snprintf(name, sizeof(name), "discovery_trace");
38793 vport->debug_disc_trc =
38794 diff -urNp linux-2.6.39.2/drivers/scsi/lpfc/lpfc.h linux-2.6.39.2/drivers/scsi/lpfc/lpfc.h
38795 --- linux-2.6.39.2/drivers/scsi/lpfc/lpfc.h 2011-05-19 00:06:34.000000000 -0400
38796 +++ linux-2.6.39.2/drivers/scsi/lpfc/lpfc.h 2011-05-22 19:36:32.000000000 -0400
38797 @@ -419,7 +419,7 @@ struct lpfc_vport {
38798 struct dentry *debug_nodelist;
38799 struct dentry *vport_debugfs_root;
38800 struct lpfc_debugfs_trc *disc_trc;
38801 - atomic_t disc_trc_cnt;
38802 + atomic_unchecked_t disc_trc_cnt;
38803 #endif
38804 uint8_t stat_data_enabled;
38805 uint8_t stat_data_blocked;
38806 @@ -785,8 +785,8 @@ struct lpfc_hba {
38807 struct timer_list fabric_block_timer;
38808 unsigned long bit_flags;
38809 #define FABRIC_COMANDS_BLOCKED 0
38810 - atomic_t num_rsrc_err;
38811 - atomic_t num_cmd_success;
38812 + atomic_unchecked_t num_rsrc_err;
38813 + atomic_unchecked_t num_cmd_success;
38814 unsigned long last_rsrc_error_time;
38815 unsigned long last_ramp_down_time;
38816 unsigned long last_ramp_up_time;
38817 @@ -800,7 +800,7 @@ struct lpfc_hba {
38818 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
38819 struct dentry *debug_slow_ring_trc;
38820 struct lpfc_debugfs_trc *slow_ring_trc;
38821 - atomic_t slow_ring_trc_cnt;
38822 + atomic_unchecked_t slow_ring_trc_cnt;
38823 /* iDiag debugfs sub-directory */
38824 struct dentry *idiag_root;
38825 struct dentry *idiag_pci_cfg;
38826 diff -urNp linux-2.6.39.2/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.39.2/drivers/scsi/lpfc/lpfc_scsi.c
38827 --- linux-2.6.39.2/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-19 00:06:34.000000000 -0400
38828 +++ linux-2.6.39.2/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-22 19:36:32.000000000 -0400
38829 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
38830 uint32_t evt_posted;
38831
38832 spin_lock_irqsave(&phba->hbalock, flags);
38833 - atomic_inc(&phba->num_rsrc_err);
38834 + atomic_inc_unchecked(&phba->num_rsrc_err);
38835 phba->last_rsrc_error_time = jiffies;
38836
38837 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
38838 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
38839 unsigned long flags;
38840 struct lpfc_hba *phba = vport->phba;
38841 uint32_t evt_posted;
38842 - atomic_inc(&phba->num_cmd_success);
38843 + atomic_inc_unchecked(&phba->num_cmd_success);
38844
38845 if (vport->cfg_lun_queue_depth <= queue_depth)
38846 return;
38847 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38848 unsigned long num_rsrc_err, num_cmd_success;
38849 int i;
38850
38851 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
38852 - num_cmd_success = atomic_read(&phba->num_cmd_success);
38853 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
38854 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
38855
38856 vports = lpfc_create_vport_work_array(phba);
38857 if (vports != NULL)
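Review bot: `num_rsrc_err` and `num_cmd_success` are declared `unsigned long` but are filled from `atomic_read_unchecked()`, which as far as I know returns an int, so a counter that had wrapped negative would be sign-extended into a very large value. After this change such a wrap is silent, and the arithmetic that consumes the two values is outside the hunk. Both counters are reset with `atomic_set_unchecked(..., 0)` at the end of the ramp handlers, which probably keeps them small. That assumption should be stated next to the reads, e.g. `/* reset on every ramp event, so these stay far below INT_MAX */`.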
38858 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38859 }
38860 }
38861 lpfc_destroy_vport_work_array(phba, vports);
38862 - atomic_set(&phba->num_rsrc_err, 0);
38863 - atomic_set(&phba->num_cmd_success, 0);
38864 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
38865 + atomic_set_unchecked(&phba->num_cmd_success, 0);
38866 }
38867
38868 /**
38869 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
38870 }
38871 }
38872 lpfc_destroy_vport_work_array(phba, vports);
38873 - atomic_set(&phba->num_rsrc_err, 0);
38874 - atomic_set(&phba->num_cmd_success, 0);
38875 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
38876 + atomic_set_unchecked(&phba->num_cmd_success, 0);
38877 }
38878
38879 /**
38880 diff -urNp linux-2.6.39.2/drivers/scsi/mac_esp.c linux-2.6.39.2/drivers/scsi/mac_esp.c
38881 --- linux-2.6.39.2/drivers/scsi/mac_esp.c 2011-05-19 00:06:34.000000000 -0400
38882 +++ linux-2.6.39.2/drivers/scsi/mac_esp.c 2011-05-22 19:36:32.000000000 -0400
38883 @@ -473,7 +473,7 @@ static irqreturn_t mac_scsi_esp_intr(int
38884 return IRQ_HANDLED;
38885 }
38886
38887 -static struct esp_driver_ops mac_esp_ops = {
38888 +static const struct esp_driver_ops mac_esp_ops = {
38889 .esp_write8 = mac_esp_write8,
38890 .esp_read8 = mac_esp_read8,
38891 .map_single = mac_esp_map_single,
38892 diff -urNp linux-2.6.39.2/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.39.2/drivers/scsi/megaraid/megaraid_mbox.c
38893 --- linux-2.6.39.2/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-19 00:06:34.000000000 -0400
38894 +++ linux-2.6.39.2/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-22 19:36:32.000000000 -0400
38895 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
38896 int rval;
38897 int i;
38898
38899 + pax_track_stack();
38900 +
38901 // Allocate memory for the base list of scb for management module.
38902 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
38903
38904 diff -urNp linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_base.c
38905 --- linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-19 00:06:34.000000000 -0400
38906 +++ linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-22 19:36:32.000000000 -0400
38907 @@ -366,7 +366,7 @@ megasas_check_reset_xscale(struct megasa
38908 return 0;
38909 }
38910
38911 -static struct megasas_instance_template megasas_instance_template_xscale = {
38912 +static const struct megasas_instance_template megasas_instance_template_xscale = {
38913
38914 .fire_cmd = megasas_fire_cmd_xscale,
38915 .enable_intr = megasas_enable_intr_xscale,
38916 @@ -497,7 +497,7 @@ megasas_check_reset_ppc(struct megasas_i
38917 {
38918 return 0;
38919 }
38920 -static struct megasas_instance_template megasas_instance_template_ppc = {
38921 +static const struct megasas_instance_template megasas_instance_template_ppc = {
38922
38923 .fire_cmd = megasas_fire_cmd_ppc,
38924 .enable_intr = megasas_enable_intr_ppc,
38925 @@ -623,7 +623,7 @@ megasas_check_reset_skinny(struct megasa
38926 return 0;
38927 }
38928
38929 -static struct megasas_instance_template megasas_instance_template_skinny = {
38930 +static const struct megasas_instance_template megasas_instance_template_skinny = {
38931
38932 .fire_cmd = megasas_fire_cmd_skinny,
38933 .enable_intr = megasas_enable_intr_skinny,
38934 @@ -810,7 +810,7 @@ megasas_check_reset_gen2(struct megasas_
38935 return 0;
38936 }
38937
38938 -static struct megasas_instance_template megasas_instance_template_gen2 = {
38939 +static const struct megasas_instance_template megasas_instance_template_gen2 = {
38940
38941 .fire_cmd = megasas_fire_cmd_gen2,
38942 .enable_intr = megasas_enable_intr_gen2,
38943 @@ -834,7 +834,7 @@ static struct megasas_instance_template
38944 /*
38945 * Template added for TB (Fusion)
38946 */
38947 -extern struct megasas_instance_template megasas_instance_template_fusion;
38948 +extern const struct megasas_instance_template megasas_instance_template_fusion;
38949
38950 /**
38951 * megasas_issue_polled - Issues a polling command
38952 diff -urNp linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_fusion.c linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_fusion.c
38953 --- linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-19 00:06:34.000000000 -0400
38954 +++ linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-22 19:36:32.000000000 -0400
38955 @@ -2236,7 +2236,7 @@ void megasas_fusion_ocr_wq(struct work_s
38956 megasas_reset_fusion(instance->host);
38957 }
38958
38959 -struct megasas_instance_template megasas_instance_template_fusion = {
38960 +const struct megasas_instance_template megasas_instance_template_fusion = {
38961 .fire_cmd = megasas_fire_cmd_fusion,
38962 .enable_intr = megasas_enable_intr_fusion,
38963 .disable_intr = megasas_disable_intr_fusion,
38964 diff -urNp linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas.h linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas.h
38965 --- linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas.h 2011-05-19 00:06:34.000000000 -0400
38966 +++ linux-2.6.39.2/drivers/scsi/megaraid/megaraid_sas.h 2011-05-22 19:36:32.000000000 -0400
38967 @@ -1330,7 +1330,7 @@ struct megasas_instance {
38968 atomic_t fw_outstanding;
38969 atomic_t fw_reset_no_pci_access;
38970
38971 - struct megasas_instance_template *instancet;
38972 + const struct megasas_instance_template *instancet;
38973 struct tasklet_struct isr_tasklet;
38974 struct work_struct work_init;
38975
38976 diff -urNp linux-2.6.39.2/drivers/scsi/ncr53c8xx.c linux-2.6.39.2/drivers/scsi/ncr53c8xx.c
38977 --- linux-2.6.39.2/drivers/scsi/ncr53c8xx.c 2011-05-19 00:06:34.000000000 -0400
38978 +++ linux-2.6.39.2/drivers/scsi/ncr53c8xx.c 2011-05-22 19:36:32.000000000 -0400
38979 @@ -8606,7 +8606,7 @@ static void ncr53c8xx_get_signalling(str
38980 spi_signalling(shost) = type;
38981 }
38982
38983 -static struct spi_function_template ncr53c8xx_transport_functions = {
38984 +static struct spi_function_template ncr53c8xx_transport_functions = {
38985 .set_period = ncr53c8xx_set_period,
38986 .show_period = 1,
38987 .set_offset = ncr53c8xx_set_offset,
38988 diff -urNp linux-2.6.39.2/drivers/scsi/osd/osd_initiator.c linux-2.6.39.2/drivers/scsi/osd/osd_initiator.c
38989 --- linux-2.6.39.2/drivers/scsi/osd/osd_initiator.c 2011-05-19 00:06:34.000000000 -0400
38990 +++ linux-2.6.39.2/drivers/scsi/osd/osd_initiator.c 2011-05-22 19:36:32.000000000 -0400
38991 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
38992 int nelem = ARRAY_SIZE(get_attrs), a = 0;
38993 int ret;
38994
38995 + pax_track_stack();
38996 +
38997 or = osd_start_request(od, GFP_KERNEL);
38998 if (!or)
38999 return -ENOMEM;
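Review bot: The added `pax_track_stack();` in `_osd_get_print_system_info` has no comment, so a reader of the driver cannot tell why this function needs the call. From the other insertions in this patch it appears to mark functions with large local frames (in scsi_debug.c the `arr[SDEBUG_MAX_MSELECT_SZ]` and `arr[SDEBUG_MAX_LSENSE_SZ]` buffers sit directly above it), presumably so that the deepest stack use is recorded for later clearing; that purpose is inferred, not shown here. A one-line comment above the call, such as `/* large stack frame: record stack depth for kernel-stack clearing */`, would stop a later cleanup from removing it as a stray statement. The same applies to the calls added in `resp_mode_select`, `resp_log_sense`, `sym2_probe` and `pvscsi_setup_all_rings`; all of these function bodies continue outside their hunks.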
39000 diff -urNp linux-2.6.39.2/drivers/scsi/pmcraid.c linux-2.6.39.2/drivers/scsi/pmcraid.c
39001 --- linux-2.6.39.2/drivers/scsi/pmcraid.c 2011-05-19 00:06:34.000000000 -0400
39002 +++ linux-2.6.39.2/drivers/scsi/pmcraid.c 2011-05-22 19:36:32.000000000 -0400
39003 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
39004 res->scsi_dev = scsi_dev;
39005 scsi_dev->hostdata = res;
39006 res->change_detected = 0;
39007 - atomic_set(&res->read_failures, 0);
39008 - atomic_set(&res->write_failures, 0);
39009 + atomic_set_unchecked(&res->read_failures, 0);
39010 + atomic_set_unchecked(&res->write_failures, 0);
39011 rc = 0;
39012 }
39013 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39014 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
39015
39016 /* If this was a SCSI read/write command keep count of errors */
39017 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39018 - atomic_inc(&res->read_failures);
39019 + atomic_inc_unchecked(&res->read_failures);
39020 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39021 - atomic_inc(&res->write_failures);
39022 + atomic_inc_unchecked(&res->write_failures);
39023
39024 if (!RES_IS_GSCSI(res->cfg_entry) &&
39025 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39026 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
39027 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39028 * hrrq_id assigned here in queuecommand
39029 */
39030 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39031 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39032 pinstance->num_hrrq;
39033 cmd->cmd_done = pmcraid_io_done;
39034
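Review bot: `last_message_id` is now explicitly allowed to wrap, and its value goes straight into `% pinstance->num_hrrq`; once the counter turns negative, a signed remainder would also be negative and `hrrq_id` would no longer name a valid response queue. Whether that can happen depends on the type of `num_hrrq`, which is declared outside this hunk. Making the left operand unsigned removes the dependency: `ioarcb->hrrq_id = (u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %`. The identical expression in `pmcraid_ioctl_passthrough` (hunk at -3860) should get the same cast; both functions continue outside their hunks.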
39035 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
39036 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39037 * hrrq_id assigned here in queuecommand
39038 */
39039 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39040 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39041 pinstance->num_hrrq;
39042
39043 if (request_size) {
39044 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
39045
39046 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39047 /* add resources only after host is added into system */
39048 - if (!atomic_read(&pinstance->expose_resources))
39049 + if (!atomic_read_unchecked(&pinstance->expose_resources))
39050 return;
39051
39052 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
39053 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
39054 init_waitqueue_head(&pinstance->reset_wait_q);
39055
39056 atomic_set(&pinstance->outstanding_cmds, 0);
39057 - atomic_set(&pinstance->last_message_id, 0);
39058 - atomic_set(&pinstance->expose_resources, 0);
39059 + atomic_set_unchecked(&pinstance->last_message_id, 0);
39060 + atomic_set_unchecked(&pinstance->expose_resources, 0);
39061
39062 INIT_LIST_HEAD(&pinstance->free_res_q);
39063 INIT_LIST_HEAD(&pinstance->used_res_q);
39064 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
39065 /* Schedule worker thread to handle CCN and take care of adding and
39066 * removing devices to OS
39067 */
39068 - atomic_set(&pinstance->expose_resources, 1);
39069 + atomic_set_unchecked(&pinstance->expose_resources, 1);
39070 schedule_work(&pinstance->worker_q);
39071 return rc;
39072
39073 diff -urNp linux-2.6.39.2/drivers/scsi/pmcraid.h linux-2.6.39.2/drivers/scsi/pmcraid.h
39074 --- linux-2.6.39.2/drivers/scsi/pmcraid.h 2011-05-19 00:06:34.000000000 -0400
39075 +++ linux-2.6.39.2/drivers/scsi/pmcraid.h 2011-05-22 19:36:32.000000000 -0400
39076 @@ -750,7 +750,7 @@ struct pmcraid_instance {
39077 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
39078
39079 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
39080 - atomic_t last_message_id;
39081 + atomic_unchecked_t last_message_id;
39082
39083 /* configuration table */
39084 struct pmcraid_config_table *cfg_table;
39085 @@ -779,7 +779,7 @@ struct pmcraid_instance {
39086 atomic_t outstanding_cmds;
39087
39088 /* should add/delete resources to mid-layer now ?*/
39089 - atomic_t expose_resources;
39090 + atomic_unchecked_t expose_resources;
39091
39092
39093
39094 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
39095 struct pmcraid_config_table_entry_ext cfg_entry_ext;
39096 };
39097 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39098 - atomic_t read_failures; /* count of failed READ commands */
39099 - atomic_t write_failures; /* count of failed WRITE commands */
39100 + atomic_unchecked_t read_failures; /* count of failed READ commands */
39101 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39102
39103 /* To indicate add/delete/modify during CCN */
39104 u8 change_detected;
39105 diff -urNp linux-2.6.39.2/drivers/scsi/qla2xxx/qla_os.c linux-2.6.39.2/drivers/scsi/qla2xxx/qla_os.c
39106 --- linux-2.6.39.2/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:04:14.000000000 -0400
39107 +++ linux-2.6.39.2/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:32:06.000000000 -0400
39108 @@ -4103,7 +4103,7 @@ static struct pci_driver qla2xxx_pci_dri
39109 .err_handler = &qla2xxx_err_handler,
39110 };
39111
39112 -static struct file_operations apidev_fops = {
39113 +static const struct file_operations apidev_fops = {
39114 .owner = THIS_MODULE,
39115 .llseek = noop_llseek,
39116 };
39117 diff -urNp linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_def.h
39118 --- linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_def.h 2011-05-19 00:06:34.000000000 -0400
39119 +++ linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_def.h 2011-05-22 19:36:32.000000000 -0400
39120 @@ -256,7 +256,7 @@ struct ddb_entry {
39121 atomic_t retry_relogin_timer; /* Min Time between relogins
39122 * (4000 only) */
39123 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39124 - atomic_t relogin_retry_count; /* Num of times relogin has been
39125 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39126 * retried */
39127
39128 uint16_t port;
39129 diff -urNp linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_init.c
39130 --- linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_init.c 2011-05-19 00:06:34.000000000 -0400
39131 +++ linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_init.c 2011-05-22 19:36:32.000000000 -0400
39132 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
39133 ddb_entry->fw_ddb_index = fw_ddb_index;
39134 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39135 atomic_set(&ddb_entry->relogin_timer, 0);
39136 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39137 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39138 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39139 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39140 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39141 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
39142 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
39143 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
39144 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39145 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39146 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39147 atomic_set(&ddb_entry->relogin_timer, 0);
39148 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39149 iscsi_unblock_session(ddb_entry->sess);
39150 diff -urNp linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_os.c
39151 --- linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_os.c 2011-05-19 00:06:34.000000000 -0400
39152 +++ linux-2.6.39.2/drivers/scsi/qla4xxx/ql4_os.c 2011-05-22 19:36:32.000000000 -0400
39153 @@ -802,13 +802,13 @@ static void qla4xxx_timer(struct scsi_ql
39154 ddb_entry->fw_ddb_device_state ==
39155 DDB_DS_SESSION_FAILED) {
39156 /* Reset retry relogin timer */
39157 - atomic_inc(&ddb_entry->relogin_retry_count);
39158 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39159 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
39160 " timed out-retrying"
39161 " relogin (%d)\n",
39162 ha->host_no,
39163 ddb_entry->fw_ddb_index,
39164 - atomic_read(&ddb_entry->
39165 + atomic_read_unchecked(&ddb_entry->
39166 relogin_retry_count))
39167 );
39168 start_dpc++;
39169 diff -urNp linux-2.6.39.2/drivers/scsi/scsi.c linux-2.6.39.2/drivers/scsi/scsi.c
39170 --- linux-2.6.39.2/drivers/scsi/scsi.c 2011-05-19 00:06:34.000000000 -0400
39171 +++ linux-2.6.39.2/drivers/scsi/scsi.c 2011-05-22 19:36:32.000000000 -0400
39172 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39173 unsigned long timeout;
39174 int rtn = 0;
39175
39176 - atomic_inc(&cmd->device->iorequest_cnt);
39177 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39178
39179 /* check if the device is still usable */
39180 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39181 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_debug.c linux-2.6.39.2/drivers/scsi/scsi_debug.c
39182 --- linux-2.6.39.2/drivers/scsi/scsi_debug.c 2011-05-19 00:06:34.000000000 -0400
39183 +++ linux-2.6.39.2/drivers/scsi/scsi_debug.c 2011-05-22 19:36:32.000000000 -0400
39184 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
39185 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39186 unsigned char *cmd = (unsigned char *)scp->cmnd;
39187
39188 + pax_track_stack();
39189 +
39190 if ((errsts = check_readiness(scp, 1, devip)))
39191 return errsts;
39192 memset(arr, 0, sizeof(arr));
39193 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
39194 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39195 unsigned char *cmd = (unsigned char *)scp->cmnd;
39196
39197 + pax_track_stack();
39198 +
39199 if ((errsts = check_readiness(scp, 1, devip)))
39200 return errsts;
39201 memset(arr, 0, sizeof(arr));
39202 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_lib.c linux-2.6.39.2/drivers/scsi/scsi_lib.c
39203 --- linux-2.6.39.2/drivers/scsi/scsi_lib.c 2011-05-19 00:06:34.000000000 -0400
39204 +++ linux-2.6.39.2/drivers/scsi/scsi_lib.c 2011-05-22 19:36:32.000000000 -0400
39205 @@ -1410,7 +1410,7 @@ static void scsi_kill_request(struct req
39206 shost = sdev->host;
39207 scsi_init_cmd_errh(cmd);
39208 cmd->result = DID_NO_CONNECT << 16;
39209 - atomic_inc(&cmd->device->iorequest_cnt);
39210 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39211
39212 /*
39213 * SCSI request completion path will do scsi_device_unbusy(),
39214 @@ -1436,9 +1436,9 @@ static void scsi_softirq_done(struct req
39215
39216 INIT_LIST_HEAD(&cmd->eh_entry);
39217
39218 - atomic_inc(&cmd->device->iodone_cnt);
39219 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
39220 if (cmd->result)
39221 - atomic_inc(&cmd->device->ioerr_cnt);
39222 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39223
39224 disposition = scsi_decide_disposition(cmd);
39225 if (disposition != SUCCESS &&
39226 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_sysfs.c linux-2.6.39.2/drivers/scsi/scsi_sysfs.c
39227 --- linux-2.6.39.2/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:22.000000000 -0400
39228 +++ linux-2.6.39.2/drivers/scsi/scsi_sysfs.c 2011-06-25 13:00:26.000000000 -0400
39229 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
39230 char *buf) \
39231 { \
39232 struct scsi_device *sdev = to_scsi_device(dev); \
39233 - unsigned long long count = atomic_read(&sdev->field); \
39234 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
39235 return snprintf(buf, 20, "0x%llx\n", count); \
39236 } \
39237 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
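Review bot: `count` is `unsigned long long` but is initialised from what is presumably an `int`-returning read (as `atomic_read` is), so once one of these now-wrappable counters passes INT_MAX the value is sign-extended and sysfs reports `0xffffffff8...` instead of a 32-bit count. Converting before widening keeps the output at 32 bits: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The sign-extended form still fits the 20-byte limit given to `snprintf`, so this is a misreported statistic rather than a truncation. The macro that generates `show_iostat_##field` begins above the hunk.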
39238 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_transport_fc.c linux-2.6.39.2/drivers/scsi/scsi_transport_fc.c
39239 --- linux-2.6.39.2/drivers/scsi/scsi_transport_fc.c 2011-05-19 00:06:34.000000000 -0400
39240 +++ linux-2.6.39.2/drivers/scsi/scsi_transport_fc.c 2011-05-22 19:36:32.000000000 -0400
39241 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
39242 * Netlink Infrastructure
39243 */
39244
39245 -static atomic_t fc_event_seq;
39246 +static atomic_unchecked_t fc_event_seq;
39247
39248 /**
39249 * fc_get_event_number - Obtain the next sequential FC event number
39250 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
39251 u32
39252 fc_get_event_number(void)
39253 {
39254 - return atomic_add_return(1, &fc_event_seq);
39255 + return atomic_add_return_unchecked(1, &fc_event_seq);
39256 }
39257 EXPORT_SYMBOL(fc_get_event_number);
39258
39259 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
39260 {
39261 int error;
39262
39263 - atomic_set(&fc_event_seq, 0);
39264 + atomic_set_unchecked(&fc_event_seq, 0);
39265
39266 error = transport_class_register(&fc_host_class);
39267 if (error)
39268 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
39269 char *cp;
39270
39271 *val = simple_strtoul(buf, &cp, 0);
39272 - if ((*cp && (*cp != '\n')) || (*val < 0))
39273 + if (*cp && (*cp != '\n'))
39274 return -EINVAL;
39275 /*
39276 * Check for overflow; dev_loss_tmo is u32
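Review bot: The remaining test in `fc_str_to_dev_loss` still accepts input that contains no digits: for an empty string or a lone newline `simple_strtoul` returns 0 with `cp == buf`, `*cp` is then NUL or `'\n'`, and the function stores 0 instead of returning `-EINVAL`. Rejecting that case takes one more condition, `if (cp == buf || (*cp && (*cp != '\n')))`. Dropping `*val < 0` looks right if `*val` is unsigned, as the `simple_strtoul` assignment suggests, but its declaration and the rest of the function are outside the hunk.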
39277 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_transport_iscsi.c linux-2.6.39.2/drivers/scsi/scsi_transport_iscsi.c
39278 --- linux-2.6.39.2/drivers/scsi/scsi_transport_iscsi.c 2011-05-19 00:06:34.000000000 -0400
39279 +++ linux-2.6.39.2/drivers/scsi/scsi_transport_iscsi.c 2011-05-22 19:36:32.000000000 -0400
39280 @@ -83,7 +83,7 @@ struct iscsi_internal {
39281 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39282 };
39283
39284 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39285 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39286 static struct workqueue_struct *iscsi_eh_timer_workq;
39287
39288 /*
39289 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
39290 int err;
39291
39292 ihost = shost->shost_data;
39293 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39294 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39295
39296 if (id == ISCSI_MAX_TARGET) {
39297 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
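Review bot: `session->sid` is drawn from a counter that this patch explicitly allows to wrap, and nothing in the file records why a repeated or negative id is acceptable for what the declaration calls the "sysfs session id". Whether a reused id can collide with a live session is not visible from these hunks, so the reasoning belongs in a comment at the declaration, for example `/* id allocator, not a reference count: wrap-around cannot release an object early */`. The same applies to `next_port_id` in scsi_transport_srp.c, where the value is formatted with `%d` into the device name in `srp_rport_add`. `iscsi_add_session` continues outside the hunk.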
39298 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
39299 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39300 ISCSI_TRANSPORT_VERSION);
39301
39302 - atomic_set(&iscsi_session_nr, 0);
39303 + atomic_set_unchecked(&iscsi_session_nr, 0);
39304
39305 err = class_register(&iscsi_transport_class);
39306 if (err)
39307 diff -urNp linux-2.6.39.2/drivers/scsi/scsi_transport_srp.c linux-2.6.39.2/drivers/scsi/scsi_transport_srp.c
39308 --- linux-2.6.39.2/drivers/scsi/scsi_transport_srp.c 2011-05-19 00:06:34.000000000 -0400
39309 +++ linux-2.6.39.2/drivers/scsi/scsi_transport_srp.c 2011-05-22 19:36:32.000000000 -0400
39310 @@ -33,7 +33,7 @@
39311 #include "scsi_transport_srp_internal.h"
39312
39313 struct srp_host_attrs {
39314 - atomic_t next_port_id;
39315 + atomic_unchecked_t next_port_id;
39316 };
39317 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39318
39319 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39320 struct Scsi_Host *shost = dev_to_shost(dev);
39321 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39322
39323 - atomic_set(&srp_host->next_port_id, 0);
39324 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39325 return 0;
39326 }
39327
39328 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39329 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39330 rport->roles = ids->roles;
39331
39332 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39333 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39334 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39335
39336 transport_setup_device(&rport->dev);
39337 diff -urNp linux-2.6.39.2/drivers/scsi/sg.c linux-2.6.39.2/drivers/scsi/sg.c
39338 --- linux-2.6.39.2/drivers/scsi/sg.c 2011-05-19 00:06:34.000000000 -0400
39339 +++ linux-2.6.39.2/drivers/scsi/sg.c 2011-05-22 19:36:32.000000000 -0400
39340 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
39341 const struct file_operations * fops;
39342 };
39343
39344 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39345 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39346 {"allow_dio", &adio_fops},
39347 {"debug", &debug_fops},
39348 {"def_reserved_size", &dressz_fops},
39349 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
39350 {
39351 int k, mask;
39352 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39353 - struct sg_proc_leaf * leaf;
39354 + const struct sg_proc_leaf * leaf;
39355
39356 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39357 if (!sg_proc_sgp)
39358 diff -urNp linux-2.6.39.2/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.39.2/drivers/scsi/sym53c8xx_2/sym_glue.c
39359 --- linux-2.6.39.2/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-19 00:06:34.000000000 -0400
39360 +++ linux-2.6.39.2/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-22 19:36:32.000000000 -0400
39361 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
39362 int do_iounmap = 0;
39363 int do_disable_device = 1;
39364
39365 + pax_track_stack();
39366 +
39367 memset(&sym_dev, 0, sizeof(sym_dev));
39368 memset(&nvram, 0, sizeof(nvram));
39369 sym_dev.pdev = pdev;
39370 diff -urNp linux-2.6.39.2/drivers/scsi/vmw_pvscsi.c linux-2.6.39.2/drivers/scsi/vmw_pvscsi.c
39371 --- linux-2.6.39.2/drivers/scsi/vmw_pvscsi.c 2011-05-19 00:06:34.000000000 -0400
39372 +++ linux-2.6.39.2/drivers/scsi/vmw_pvscsi.c 2011-05-22 19:36:32.000000000 -0400
39373 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
39374 dma_addr_t base;
39375 unsigned i;
39376
39377 + pax_track_stack();
39378 +
39379 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
39380 cmd.reqRingNumPages = adapter->req_pages;
39381 cmd.cmpRingNumPages = adapter->cmp_pages;
39382 diff -urNp linux-2.6.39.2/drivers/sh/clk/cpg.c linux-2.6.39.2/drivers/sh/clk/cpg.c
39383 --- linux-2.6.39.2/drivers/sh/clk/cpg.c 2011-06-03 00:04:14.000000000 -0400
39384 +++ linux-2.6.39.2/drivers/sh/clk/cpg.c 2011-06-03 00:32:06.000000000 -0400
39385 @@ -26,7 +26,7 @@ static void sh_clk_mstp32_disable(struct
39386 clk->enable_reg);
39387 }
39388
39389 -static struct clk_ops sh_clk_mstp32_clk_ops = {
39390 +static const struct clk_ops sh_clk_mstp32_clk_ops = {
39391 .enable = sh_clk_mstp32_enable,
39392 .disable = sh_clk_mstp32_disable,
39393 .recalc = followparent_recalc,
39394 @@ -150,7 +150,7 @@ static void sh_clk_div6_disable(struct c
39395 __raw_writel(value, clk->enable_reg);
39396 }
39397
39398 -static struct clk_ops sh_clk_div6_clk_ops = {
39399 +static const struct clk_ops sh_clk_div6_clk_ops = {
39400 .recalc = sh_clk_div6_recalc,
39401 .round_rate = sh_clk_div_round_rate,
39402 .set_rate = sh_clk_div6_set_rate,
39403 @@ -158,7 +158,7 @@ static struct clk_ops sh_clk_div6_clk_op
39404 .disable = sh_clk_div6_disable,
39405 };
39406
39407 -static struct clk_ops sh_clk_div6_reparent_clk_ops = {
39408 +static const struct clk_ops sh_clk_div6_reparent_clk_ops = {
39409 .recalc = sh_clk_div6_recalc,
39410 .round_rate = sh_clk_div_round_rate,
39411 .set_rate = sh_clk_div6_set_rate,
39412 @@ -282,13 +282,13 @@ static void sh_clk_div4_disable(struct c
39413 __raw_writel(__raw_readl(clk->enable_reg) | (1 << 8), clk->enable_reg);
39414 }
39415
39416 -static struct clk_ops sh_clk_div4_clk_ops = {
39417 +static const struct clk_ops sh_clk_div4_clk_ops = {
39418 .recalc = sh_clk_div4_recalc,
39419 .set_rate = sh_clk_div4_set_rate,
39420 .round_rate = sh_clk_div_round_rate,
39421 };
39422
39423 -static struct clk_ops sh_clk_div4_enable_clk_ops = {
39424 +static const struct clk_ops sh_clk_div4_enable_clk_ops = {
39425 .recalc = sh_clk_div4_recalc,
39426 .set_rate = sh_clk_div4_set_rate,
39427 .round_rate = sh_clk_div_round_rate,
39428 @@ -296,7 +296,7 @@ static struct clk_ops sh_clk_div4_enable
39429 .disable = sh_clk_div4_disable,
39430 };
39431
39432 -static struct clk_ops sh_clk_div4_reparent_clk_ops = {
39433 +static const struct clk_ops sh_clk_div4_reparent_clk_ops = {
39434 .recalc = sh_clk_div4_recalc,
39435 .set_rate = sh_clk_div4_set_rate,
39436 .round_rate = sh_clk_div_round_rate,
39437 diff -urNp linux-2.6.39.2/drivers/spi/dw_spi.h linux-2.6.39.2/drivers/spi/dw_spi.h
39438 --- linux-2.6.39.2/drivers/spi/dw_spi.h 2011-05-19 00:06:34.000000000 -0400
39439 +++ linux-2.6.39.2/drivers/spi/dw_spi.h 2011-05-22 19:36:32.000000000 -0400
39440 @@ -151,7 +151,7 @@ struct dw_spi {
39441 int dma_chan_done;
39442 struct device *dma_dev;
39443 dma_addr_t dma_addr; /* phy address of the Data register */
39444 - struct dw_spi_dma_ops *dma_ops;
39445 + const struct dw_spi_dma_ops *dma_ops;
39446 void *dma_priv; /* platform relate info */
39447 struct pci_dev *dmac;
39448
39449 diff -urNp linux-2.6.39.2/drivers/spi/dw_spi_mid.c linux-2.6.39.2/drivers/spi/dw_spi_mid.c
39450 --- linux-2.6.39.2/drivers/spi/dw_spi_mid.c 2011-05-19 00:06:34.000000000 -0400
39451 +++ linux-2.6.39.2/drivers/spi/dw_spi_mid.c 2011-05-22 19:36:32.000000000 -0400
39452 @@ -180,7 +180,7 @@ static int mid_spi_dma_transfer(struct d
39453 return 0;
39454 }
39455
39456 -static struct dw_spi_dma_ops mid_dma_ops = {
39457 +static const struct dw_spi_dma_ops mid_dma_ops = {
39458 .dma_init = mid_spi_dma_init,
39459 .dma_exit = mid_spi_dma_exit,
39460 .dma_transfer = mid_spi_dma_transfer,
39461 diff -urNp linux-2.6.39.2/drivers/spi/spi.c linux-2.6.39.2/drivers/spi/spi.c
39462 --- linux-2.6.39.2/drivers/spi/spi.c 2011-05-19 00:06:34.000000000 -0400
39463 +++ linux-2.6.39.2/drivers/spi/spi.c 2011-05-22 19:36:32.000000000 -0400
39464 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
39465 EXPORT_SYMBOL_GPL(spi_bus_unlock);
39466
39467 /* portable code must never pass more than 32 bytes */
39468 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39469 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39470
39471 static u8 *buf;
39472
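Review bot: `max(32U,SMP_CACHE_BYTES)` satisfies the type check in `max()` only on architectures where `SMP_CACHE_BYTES` expands to an unsigned int; where it is a plain int constant the mismatch just moves to the other operand. The definition of `SMP_CACHE_BYTES` is per-architecture and not visible here, so this is a portability concern, not a demonstrated build failure. Naming the type avoids depending on it: `#define SPI_BUFSIZ max_t(unsigned int, 32, SMP_CACHE_BYTES)`.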
39473 diff -urNp linux-2.6.39.2/drivers/ssb/driver_pcicore.c linux-2.6.39.2/drivers/ssb/driver_pcicore.c
39474 --- linux-2.6.39.2/drivers/ssb/driver_pcicore.c 2011-05-19 00:06:34.000000000 -0400
39475 +++ linux-2.6.39.2/drivers/ssb/driver_pcicore.c 2011-05-22 19:36:32.000000000 -0400
39476 @@ -223,7 +223,7 @@ static int ssb_pcicore_write_config(stru
39477 return err ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
39478 }
39479
39480 -static struct pci_ops ssb_pcicore_pciops = {
39481 +static const struct pci_ops ssb_pcicore_pciops = {
39482 .read = ssb_pcicore_read_config,
39483 .write = ssb_pcicore_write_config,
39484 };
39485 diff -urNp linux-2.6.39.2/drivers/staging/ath6kl/os/linux/cfg80211.c linux-2.6.39.2/drivers/staging/ath6kl/os/linux/cfg80211.c
39486 --- linux-2.6.39.2/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39487 +++ linux-2.6.39.2/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39488 @@ -1391,8 +1391,7 @@ u32 cipher_suites[] = {
39489 WLAN_CIPHER_SUITE_CCMP,
39490 };
39491
39492 -static struct
39493 -cfg80211_ops ar6k_cfg80211_ops = {
39494 +static const struct cfg80211_ops ar6k_cfg80211_ops = {
39495 .change_virtual_intf = ar6k_cfg80211_change_iface,
39496 .add_virtual_intf = ar6k_cfg80211_add_virtual_intf,
39497 .del_virtual_intf = ar6k_cfg80211_del_virtual_intf,
39498 diff -urNp linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
39499 --- linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-19 00:06:34.000000000 -0400
39500 +++ linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-22 19:36:32.000000000 -0400
39501 @@ -857,14 +857,14 @@ static void dhd_op_if(dhd_if_t *ifp)
39502 free_netdev(ifp->net);
39503 }
39504 /* Allocate etherdev, including space for private structure */
39505 - ifp->net = alloc_etherdev(sizeof(dhd));
39506 + ifp->net = alloc_etherdev(sizeof(*dhd));
39507 if (!ifp->net) {
39508 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39509 ret = -ENOMEM;
39510 }
39511 if (ret == 0) {
39512 strcpy(ifp->net->name, ifp->name);
39513 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
39514 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
39515 err = dhd_net_attach(&dhd->pub, ifp->idx);
39516 if (err != 0) {
39517 DHD_ERROR(("%s: dhd_net_attach failed, "
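Review bot: The two changed lines in `dhd_op_if` do more than correct a `sizeof`: the net_device private area used to receive the pointer itself (`&dhd`, `sizeof(dhd)`) and now receives a byte copy of the whole structure. The next line still passes `&dhd->pub` from the original object to `dhd_net_attach`, so there are now two instances that can diverge, and any reader that fetches the private area as a pointer to the structure (such readers are outside these hunks) would interpret the start of the copy as an address. If storing the pointer was the intent, the original `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));` was correct and only needs a comment such as `/* priv holds a pointer to dhd, not a copy */`. The same change is made in `dhd_attach` (hunks at -1923, -1939 and -2056) and needs the same check against the code that reads the private area back.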
39518 @@ -1500,7 +1500,7 @@ static void dhd_ethtool_get_drvinfo(stru
39519 sprintf(info->bus_info, "%s", dev_name(&wl_cfg80211_get_sdio_func()->dev));
39520 }
39521
39522 -struct ethtool_ops dhd_ethtool_ops = {
39523 +const struct ethtool_ops dhd_ethtool_ops = {
39524 .get_drvinfo = dhd_ethtool_get_drvinfo
39525 };
39526
39527 @@ -1923,7 +1923,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39528 strcpy(nv_path, nvram_path);
39529
39530 /* Allocate etherdev, including space for private structure */
39531 - net = alloc_etherdev(sizeof(dhd));
39532 + net = alloc_etherdev(sizeof(*dhd));
39533 if (!net) {
39534 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39535 goto fail;
39536 @@ -1939,7 +1939,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39537 /*
39538 * Save the dhd_info into the priv
39539 */
39540 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39541 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39542
39543 /* Set network interface name if it was provided as module parameter */
39544 if (iface_name[0]) {
39545 @@ -2056,7 +2056,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39546 /*
39547 * Save the dhd_info into the priv
39548 */
39549 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39550 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39551
39552 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
39553 g_bus = bus;
39554 @@ -2206,7 +2206,7 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, cha
39555 return ret;
39556 }
39557
39558 -static struct net_device_ops dhd_ops_pri = {
39559 +static const struct net_device_ops dhd_ops_pri = {
39560 .ndo_open = dhd_open,
39561 .ndo_stop = dhd_stop,
39562 .ndo_get_stats = dhd_get_stats,
39563 diff -urNp linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c
39564 --- linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39565 +++ linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39566 @@ -2109,7 +2109,7 @@ wl_cfg80211_flush_pmksa(struct wiphy *wi
39567
39568 }
39569
39570 -static struct cfg80211_ops wl_cfg80211_ops = {
39571 +static const struct cfg80211_ops wl_cfg80211_ops = {
39572 .change_virtual_intf = wl_cfg80211_change_iface,
39573 .scan = wl_cfg80211_scan,
39574 .set_wiphy_params = wl_cfg80211_set_wiphy_params,
39575 diff -urNp linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_iw.c
39576 --- linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-19 00:06:34.000000000 -0400
39577 +++ linux-2.6.39.2/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-22 19:36:32.000000000 -0400
39578 @@ -495,7 +495,7 @@ wl_iw_get_range(struct net_device *dev,
39579 list = (wl_u32_list_t *) channels;
39580
39581 dwrq->length = sizeof(struct iw_range);
39582 - memset(range, 0, sizeof(range));
39583 + memset(range, 0, sizeof(*range));
39584
39585 range->min_nwid = range->max_nwid = 0;
39586
39587 diff -urNp linux-2.6.39.2/drivers/staging/comedi/comedi_fops.c linux-2.6.39.2/drivers/staging/comedi/comedi_fops.c
39588 --- linux-2.6.39.2/drivers/staging/comedi/comedi_fops.c 2011-05-19 00:06:34.000000000 -0400
39589 +++ linux-2.6.39.2/drivers/staging/comedi/comedi_fops.c 2011-05-22 19:36:32.000000000 -0400
39590 @@ -1445,7 +1445,7 @@ static void comedi_unmap(struct vm_area_
39591 mutex_unlock(&dev->mutex);
39592 }
39593
39594 -static struct vm_operations_struct comedi_vm_ops = {
39595 +static const struct vm_operations_struct comedi_vm_ops = {
39596 .close = comedi_unmap,
39597 };
39598
39599 diff -urNp linux-2.6.39.2/drivers/staging/cx25821/cx25821-alsa.c linux-2.6.39.2/drivers/staging/cx25821/cx25821-alsa.c
39600 --- linux-2.6.39.2/drivers/staging/cx25821/cx25821-alsa.c 2011-05-19 00:06:34.000000000 -0400
39601 +++ linux-2.6.39.2/drivers/staging/cx25821/cx25821-alsa.c 2011-05-22 19:36:32.000000000 -0400
39602 @@ -586,7 +586,7 @@ static struct page *snd_cx25821_page(str
39603 /*
39604 * operators
39605 */
39606 -static struct snd_pcm_ops snd_cx25821_pcm_ops = {
39607 +static const struct snd_pcm_ops snd_cx25821_pcm_ops = {
39608 .open = snd_cx25821_pcm_open,
39609 .close = snd_cx25821_close,
39610 .ioctl = snd_pcm_lib_ioctl,
39611 diff -urNp linux-2.6.39.2/drivers/staging/cx25821/cx25821-i2c.c linux-2.6.39.2/drivers/staging/cx25821/cx25821-i2c.c
39612 --- linux-2.6.39.2/drivers/staging/cx25821/cx25821-i2c.c 2011-05-19 00:06:34.000000000 -0400
39613 +++ linux-2.6.39.2/drivers/staging/cx25821/cx25821-i2c.c 2011-05-22 19:36:32.000000000 -0400
39614 @@ -282,7 +282,7 @@ static u32 cx25821_functionality(struct
39615 I2C_FUNC_SMBUS_READ_WORD_DATA | I2C_FUNC_SMBUS_WRITE_WORD_DATA;
39616 }
39617
39618 -static struct i2c_algorithm cx25821_i2c_algo_template = {
39619 +static const struct i2c_algorithm cx25821_i2c_algo_template = {
39620 .master_xfer = i2c_xfer,
39621 .functionality = cx25821_functionality,
39622 #ifdef NEED_ALGO_CONTROL
39623 diff -urNp linux-2.6.39.2/drivers/staging/et131x/et1310_tx.c linux-2.6.39.2/drivers/staging/et131x/et1310_tx.c
39624 --- linux-2.6.39.2/drivers/staging/et131x/et1310_tx.c 2011-05-19 00:06:34.000000000 -0400
39625 +++ linux-2.6.39.2/drivers/staging/et131x/et1310_tx.c 2011-05-22 19:36:32.000000000 -0400
39626 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
39627 struct net_device_stats *stats = &etdev->net_stats;
39628
39629 if (tcb->flags & fMP_DEST_BROAD)
39630 - atomic_inc(&etdev->Stats.brdcstxmt);
39631 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39632 else if (tcb->flags & fMP_DEST_MULTI)
39633 - atomic_inc(&etdev->Stats.multixmt);
39634 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39635 else
39636 - atomic_inc(&etdev->Stats.unixmt);
39637 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39638
39639 if (tcb->skb) {
39640 stats->tx_bytes += tcb->skb->len;
39641 diff -urNp linux-2.6.39.2/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.2/drivers/staging/et131x/et131x_adapter.h
39642 --- linux-2.6.39.2/drivers/staging/et131x/et131x_adapter.h 2011-05-19 00:06:34.000000000 -0400
39643 +++ linux-2.6.39.2/drivers/staging/et131x/et131x_adapter.h 2011-05-22 19:36:32.000000000 -0400
39644 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
39645 * operations
39646 */
39647 u32 unircv; /* # multicast packets received */
39648 - atomic_t unixmt; /* # multicast packets for Tx */
39649 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39650 u32 multircv; /* # multicast packets received */
39651 - atomic_t multixmt; /* # multicast packets for Tx */
39652 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39653 u32 brdcstrcv; /* # broadcast packets received */
39654 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39655 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39656 u32 norcvbuf; /* # Rx packets discarded */
39657 u32 noxmtbuf; /* # Tx packets discarded */
39658
39659 diff -urNp linux-2.6.39.2/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.39.2/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
39660 --- linux-2.6.39.2/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-19 00:06:34.000000000 -0400
39661 +++ linux-2.6.39.2/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-22 19:36:32.000000000 -0400
39662 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
39663 //
39664 // Table of entry-point routines for char device
39665 //
39666 -static struct file_operations ft1000fops =
39667 +static const struct file_operations ft1000fops =
39668 {
39669 .unlocked_ioctl = ft1000_ioctl,
39670 .poll = ft1000_poll_dev,
39671 diff -urNp linux-2.6.39.2/drivers/staging/generic_serial/rio/rio_linux.c linux-2.6.39.2/drivers/staging/generic_serial/rio/rio_linux.c
39672 --- linux-2.6.39.2/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-19 00:06:34.000000000 -0400
39673 +++ linux-2.6.39.2/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-22 19:36:32.000000000 -0400
39674 @@ -221,7 +221,7 @@ module_param(rio_poll, int, 0);
39675 module_param(rio_debug, int, 0644);
39676 module_param(rio_irqmask, long, 0);
39677
39678 -static struct real_driver rio_real_driver = {
39679 +static const struct real_driver rio_real_driver = {
39680 rio_disable_tx_interrupts,
39681 rio_enable_tx_interrupts,
39682 rio_disable_rx_interrupts,
39683 diff -urNp linux-2.6.39.2/drivers/staging/generic_serial/ser_a2232.c linux-2.6.39.2/drivers/staging/generic_serial/ser_a2232.c
39684 --- linux-2.6.39.2/drivers/staging/generic_serial/ser_a2232.c 2011-05-19 00:06:34.000000000 -0400
39685 +++ linux-2.6.39.2/drivers/staging/generic_serial/ser_a2232.c 2011-05-22 19:36:32.000000000 -0400
39686 @@ -144,7 +144,7 @@ static int a2232_open(struct tty_struct
39687 /*---------------------------------------------------------------------------
39688 * Interface from generic_serial.c back here
39689 *--------------------------------------------------------------------------*/
39690 -static struct real_driver a2232_real_driver = {
39691 +static const struct real_driver a2232_real_driver = {
39692 a2232_disable_tx_interrupts,
39693 a2232_enable_tx_interrupts,
39694 a2232_disable_rx_interrupts,
39695 diff -urNp linux-2.6.39.2/drivers/staging/generic_serial/sx.c linux-2.6.39.2/drivers/staging/generic_serial/sx.c
39696 --- linux-2.6.39.2/drivers/staging/generic_serial/sx.c 2011-05-19 00:06:34.000000000 -0400
39697 +++ linux-2.6.39.2/drivers/staging/generic_serial/sx.c 2011-05-22 19:36:32.000000000 -0400
39698 @@ -355,7 +355,7 @@ module_param(sx_irqmask, int, 0);
39699
39700 MODULE_LICENSE("GPL");
39701
39702 -static struct real_driver sx_real_driver = {
39703 +static const struct real_driver sx_real_driver = {
39704 sx_disable_tx_interrupts,
39705 sx_enable_tx_interrupts,
39706 sx_disable_rx_interrupts,
39707 diff -urNp linux-2.6.39.2/drivers/staging/generic_serial/vme_scc.c linux-2.6.39.2/drivers/staging/generic_serial/vme_scc.c
39708 --- linux-2.6.39.2/drivers/staging/generic_serial/vme_scc.c 2011-05-19 00:06:34.000000000 -0400
39709 +++ linux-2.6.39.2/drivers/staging/generic_serial/vme_scc.c 2011-05-22 19:36:32.000000000 -0400
39710 @@ -94,7 +94,7 @@ static struct scc_port scc_ports[2];
39711 * Interface from generic_serial.c back here
39712 *--------------------------------------------------------------------------*/
39713
39714 -static struct real_driver scc_real_driver = {
39715 +static const struct real_driver scc_real_driver = {
39716 scc_disable_tx_interrupts,
39717 scc_enable_tx_interrupts,
39718 scc_disable_rx_interrupts,
39719 diff -urNp linux-2.6.39.2/drivers/staging/gma500/psb_fb.c linux-2.6.39.2/drivers/staging/gma500/psb_fb.c
39720 --- linux-2.6.39.2/drivers/staging/gma500/psb_fb.c 2011-06-25 12:55:22.000000000 -0400
39721 +++ linux-2.6.39.2/drivers/staging/gma500/psb_fb.c 2011-06-25 13:00:26.000000000 -0400
39722 @@ -230,7 +230,7 @@ static void psbfb_vm_close(struct vm_are
39723 DRM_DEBUG("vm_close\n");
39724 }
39725
39726 -static struct vm_operations_struct psbfb_vm_ops = {
39727 +static const struct vm_operations_struct psbfb_vm_ops = {
39728 .fault = psbfb_vm_fault,
39729 .open = psbfb_vm_open,
39730 .close = psbfb_vm_close
39731 diff -urNp linux-2.6.39.2/drivers/staging/go7007/go7007-i2c.c linux-2.6.39.2/drivers/staging/go7007/go7007-i2c.c
39732 --- linux-2.6.39.2/drivers/staging/go7007/go7007-i2c.c 2011-05-19 00:06:34.000000000 -0400
39733 +++ linux-2.6.39.2/drivers/staging/go7007/go7007-i2c.c 2011-05-22 19:36:32.000000000 -0400
39734 @@ -198,7 +198,7 @@ static u32 go7007_functionality(struct i
39735 return I2C_FUNC_SMBUS_BYTE_DATA;
39736 }
39737
39738 -static struct i2c_algorithm go7007_algo = {
39739 +static const struct i2c_algorithm go7007_algo = {
39740 .smbus_xfer = go7007_smbus_xfer,
39741 .master_xfer = go7007_i2c_master_xfer,
39742 .functionality = go7007_functionality,
39743 diff -urNp linux-2.6.39.2/drivers/staging/go7007/go7007-usb.c linux-2.6.39.2/drivers/staging/go7007/go7007-usb.c
39744 --- linux-2.6.39.2/drivers/staging/go7007/go7007-usb.c 2011-05-19 00:06:34.000000000 -0400
39745 +++ linux-2.6.39.2/drivers/staging/go7007/go7007-usb.c 2011-05-22 19:36:32.000000000 -0400
39746 @@ -849,7 +849,7 @@ static int go7007_usb_send_firmware(stru
39747 &transferred, timeout);
39748 }
39749
39750 -static struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39751 +static const struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39752 .interface_reset = go7007_usb_interface_reset,
39753 .write_interrupt = go7007_usb_ezusb_write_interrupt,
39754 .read_interrupt = go7007_usb_read_interrupt,
39755 @@ -858,7 +858,7 @@ static struct go7007_hpi_ops go7007_usb_
39756 .send_firmware = go7007_usb_send_firmware,
39757 };
39758
39759 -static struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39760 +static const struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39761 .interface_reset = go7007_usb_interface_reset,
39762 .write_interrupt = go7007_usb_onboard_write_interrupt,
39763 .read_interrupt = go7007_usb_read_interrupt,
39764 @@ -950,7 +950,7 @@ static u32 go7007_usb_functionality(stru
39765 return (I2C_FUNC_SMBUS_EMUL) & ~I2C_FUNC_SMBUS_QUICK;
39766 }
39767
39768 -static struct i2c_algorithm go7007_usb_algo = {
39769 +static const struct i2c_algorithm go7007_usb_algo = {
39770 .master_xfer = go7007_usb_i2c_master_xfer,
39771 .functionality = go7007_usb_functionality,
39772 };
39773 diff -urNp linux-2.6.39.2/drivers/staging/go7007/go7007-v4l2.c linux-2.6.39.2/drivers/staging/go7007/go7007-v4l2.c
39774 --- linux-2.6.39.2/drivers/staging/go7007/go7007-v4l2.c 2011-05-19 00:06:34.000000000 -0400
39775 +++ linux-2.6.39.2/drivers/staging/go7007/go7007-v4l2.c 2011-05-22 19:36:32.000000000 -0400
39776 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
39777 return 0;
39778 }
39779
39780 -static struct vm_operations_struct go7007_vm_ops = {
39781 +static const struct vm_operations_struct go7007_vm_ops = {
39782 .open = go7007_vm_open,
39783 .close = go7007_vm_close,
39784 .fault = go7007_vm_fault,
39785 diff -urNp linux-2.6.39.2/drivers/staging/go7007/saa7134-go7007.c linux-2.6.39.2/drivers/staging/go7007/saa7134-go7007.c
39786 --- linux-2.6.39.2/drivers/staging/go7007/saa7134-go7007.c 2011-05-19 00:06:34.000000000 -0400
39787 +++ linux-2.6.39.2/drivers/staging/go7007/saa7134-go7007.c 2011-05-22 19:36:32.000000000 -0400
39788 @@ -421,7 +421,7 @@ static int saa7134_go7007_send_command(s
39789
39790 }
39791
39792 -static struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39793 +static const struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39794 .interface_reset = saa7134_go7007_interface_reset,
39795 .write_interrupt = saa7134_go7007_write_interrupt,
39796 .read_interrupt = saa7134_go7007_read_interrupt,
39797 diff -urNp linux-2.6.39.2/drivers/staging/go7007/snd-go7007.c linux-2.6.39.2/drivers/staging/go7007/snd-go7007.c
39798 --- linux-2.6.39.2/drivers/staging/go7007/snd-go7007.c 2011-05-19 00:06:34.000000000 -0400
39799 +++ linux-2.6.39.2/drivers/staging/go7007/snd-go7007.c 2011-05-22 19:36:32.000000000 -0400
39800 @@ -204,7 +204,7 @@ static struct page *go7007_snd_pcm_page(
39801 return vmalloc_to_page(substream->runtime->dma_area + offset);
39802 }
39803
39804 -static struct snd_pcm_ops go7007_snd_capture_ops = {
39805 +static const struct snd_pcm_ops go7007_snd_capture_ops = {
39806 .open = go7007_snd_capture_open,
39807 .close = go7007_snd_capture_close,
39808 .ioctl = snd_pcm_lib_ioctl,
39809 @@ -227,7 +227,7 @@ static int go7007_snd_free(struct snd_de
39810 return 0;
39811 }
39812
39813 -static struct snd_device_ops go7007_snd_device_ops = {
39814 +static const struct snd_device_ops go7007_snd_device_ops = {
39815 .dev_free = go7007_snd_free,
39816 };
39817
39818 diff -urNp linux-2.6.39.2/drivers/staging/hv/channel.c linux-2.6.39.2/drivers/staging/hv/channel.c
39819 --- linux-2.6.39.2/drivers/staging/hv/channel.c 2011-05-19 00:06:34.000000000 -0400
39820 +++ linux-2.6.39.2/drivers/staging/hv/channel.c 2011-05-22 19:36:32.000000000 -0400
39821 @@ -509,8 +509,8 @@ int vmbus_establish_gpadl(struct vmbus_c
39822 unsigned long flags;
39823 int ret = 0;
39824
39825 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
39826 - atomic_inc(&vmbus_connection.next_gpadl_handle);
39827 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
39828 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
39829
39830 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
39831 if (ret)
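Review bot: The handle allocation in vmbus_establish_gpadl is still a separate read followed by an increment, so if callers are not serialised by a lock outside this hunk, two of them can observe the same value of `next_gpadl_handle` and set up GPADLs under one handle. A single read-modify-write closes that window: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;`. Because the counter is now the unchecked type, it is also allowed to wrap, so it is worth confirming that reusing an old handle value after wrap-around is harmless while earlier handles are still live. The function body starts and ends outside this hunk.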
39832 diff -urNp linux-2.6.39.2/drivers/staging/hv/hv.c linux-2.6.39.2/drivers/staging/hv/hv.c
39833 --- linux-2.6.39.2/drivers/staging/hv/hv.c 2011-05-19 00:06:34.000000000 -0400
39834 +++ linux-2.6.39.2/drivers/staging/hv/hv.c 2011-05-22 19:36:32.000000000 -0400
39835 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
39836 u64 output_address = (output) ? virt_to_phys(output) : 0;
39837 u32 output_address_hi = output_address >> 32;
39838 u32 output_address_lo = output_address & 0xFFFFFFFF;
39839 - volatile void *hypercall_page = hv_context.hypercall_page;
39840 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
39841
39842 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
39843 control, input, output);
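Review bot: The assignment to `hypercall_page` now goes through `ktva_ktla()` with no comment, and the helper is defined outside this hunk, so a reader of hv.c alone cannot tell why this pointer needs translating. A one-line comment above it would help, for example `/* hypercall page is executed as code: use the address valid for kernel text under KERNEXEC */`, with the wording checked against the helper's definition. do_hypercall continues outside the hunk, so it should also be confirmed that the translated pointer is used only as the call target.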
39844 diff -urNp linux-2.6.39.2/drivers/staging/hv/rndis_filter.c linux-2.6.39.2/drivers/staging/hv/rndis_filter.c
39845 --- linux-2.6.39.2/drivers/staging/hv/rndis_filter.c 2011-05-19 00:06:34.000000000 -0400
39846 +++ linux-2.6.39.2/drivers/staging/hv/rndis_filter.c 2011-05-22 19:36:32.000000000 -0400
39847 @@ -49,7 +49,7 @@ struct rndis_device {
39848
39849 enum rndis_device_state state;
39850 u32 link_stat;
39851 - atomic_t new_req_id;
39852 + atomic_unchecked_t new_req_id;
39853
39854 spinlock_t request_lock;
39855 struct list_head req_list;
39856 @@ -144,7 +144,7 @@ static struct rndis_request *get_rndis_r
39857 * template
39858 */
39859 set = &rndis_msg->msg.set_req;
39860 - set->req_id = atomic_inc_return(&dev->new_req_id);
39861 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
39862
39863 /* Add to the request list */
39864 spin_lock_irqsave(&dev->request_lock, flags);
39865 @@ -709,7 +709,7 @@ static void rndis_filter_halt_device(str
39866
39867 /* Setup the rndis set */
39868 halt = &request->request_msg.msg.halt_req;
39869 - halt->req_id = atomic_inc_return(&dev->new_req_id);
39870 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
39871
39872 /* Ignore return since this msg is optional. */
39873 rndis_filter_send_request(dev, request);
39874 diff -urNp linux-2.6.39.2/drivers/staging/hv/vmbus_drv.c linux-2.6.39.2/drivers/staging/hv/vmbus_drv.c
39875 --- linux-2.6.39.2/drivers/staging/hv/vmbus_drv.c 2011-05-19 00:06:34.000000000 -0400
39876 +++ linux-2.6.39.2/drivers/staging/hv/vmbus_drv.c 2011-05-22 19:36:32.000000000 -0400
39877 @@ -661,14 +661,14 @@ int vmbus_child_device_register(struct h
39878 {
39879 int ret = 0;
39880
39881 - static atomic_t device_num = ATOMIC_INIT(0);
39882 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
39883
39884 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
39885 child_device_obj);
39886
39887 /* Set the device name. Otherwise, device_register() will fail. */
39888 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
39889 - atomic_inc_return(&device_num));
39890 + atomic_inc_return_unchecked(&device_num));
39891
39892 /* The new device belongs to this bus */
39893 child_device_obj->device.bus = &vmbus_drv.bus; /* device->dev.bus; */
39894 diff -urNp linux-2.6.39.2/drivers/staging/hv/vmbus_private.h linux-2.6.39.2/drivers/staging/hv/vmbus_private.h
39895 --- linux-2.6.39.2/drivers/staging/hv/vmbus_private.h 2011-05-19 00:06:34.000000000 -0400
39896 +++ linux-2.6.39.2/drivers/staging/hv/vmbus_private.h 2011-05-22 19:36:32.000000000 -0400
39897 @@ -58,7 +58,7 @@ enum vmbus_connect_state {
39898 struct vmbus_connection {
39899 enum vmbus_connect_state conn_state;
39900
39901 - atomic_t next_gpadl_handle;
39902 + atomic_unchecked_t next_gpadl_handle;
39903
39904 /*
39905 * Represents channel interrupts. Each bit position represents a
39906 diff -urNp linux-2.6.39.2/drivers/staging/iio/ring_generic.h linux-2.6.39.2/drivers/staging/iio/ring_generic.h
39907 --- linux-2.6.39.2/drivers/staging/iio/ring_generic.h 2011-05-19 00:06:34.000000000 -0400
39908 +++ linux-2.6.39.2/drivers/staging/iio/ring_generic.h 2011-05-25 16:55:27.000000000 -0400
39909 @@ -134,7 +134,7 @@ struct iio_ring_buffer {
39910 struct iio_handler access_handler;
39911 struct iio_event_interface ev_int;
39912 struct iio_shared_ev_pointer shared_ev_pointer;
39913 - struct iio_ring_access_funcs access;
39914 + struct iio_ring_access_funcs access;
39915 int (*preenable)(struct iio_dev *);
39916 int (*postenable)(struct iio_dev *);
39917 int (*predisable)(struct iio_dev *);
39918 diff -urNp linux-2.6.39.2/drivers/staging/intel_sst/intelmid_ctrl.c linux-2.6.39.2/drivers/staging/intel_sst/intelmid_ctrl.c
39919 --- linux-2.6.39.2/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-19 00:06:34.000000000 -0400
39920 +++ linux-2.6.39.2/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-22 19:36:32.000000000 -0400
39921 @@ -494,7 +494,7 @@ static int snd_intelmad_device_set(struc
39922 struct snd_intelmad *intelmaddata;
39923 struct snd_pmic_ops *scard_ops;
39924 int ret_val = 0, vendor, status;
39925 - struct intel_sst_pcm_control *pcm_control;
39926 + const struct intel_sst_pcm_control *pcm_control;
39927
39928 pr_debug("snd_intelmad_device_set called\n");
39929
39930 diff -urNp linux-2.6.39.2/drivers/staging/intel_sst/intel_sst_drv_interface.c linux-2.6.39.2/drivers/staging/intel_sst/intel_sst_drv_interface.c
39931 --- linux-2.6.39.2/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-19 00:06:34.000000000 -0400
39932 +++ linux-2.6.39.2/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-22 19:36:32.000000000 -0400
39933 @@ -470,7 +470,7 @@ int sst_device_control(int cmd, void *ar
39934 }
39935
39936
39937 -struct intel_sst_pcm_control pcm_ops = {
39938 +const struct intel_sst_pcm_control pcm_ops = {
39939 .open = sst_open_pcm_stream,
39940 .device_control = sst_device_control,
39941 .close = sst_close_pcm_stream,
39942 diff -urNp linux-2.6.39.2/drivers/staging/line6/capture.c linux-2.6.39.2/drivers/staging/line6/capture.c
39943 --- linux-2.6.39.2/drivers/staging/line6/capture.c 2011-05-19 00:06:34.000000000 -0400
39944 +++ linux-2.6.39.2/drivers/staging/line6/capture.c 2011-05-22 19:36:32.000000000 -0400
39945 @@ -378,7 +378,7 @@ snd_line6_capture_pointer(struct snd_pcm
39946 }
39947
39948 /* capture operators */
39949 -struct snd_pcm_ops snd_line6_capture_ops = {
39950 +const struct snd_pcm_ops snd_line6_capture_ops = {
39951 .open = snd_line6_capture_open,
39952 .close = snd_line6_capture_close,
39953 .ioctl = snd_pcm_lib_ioctl,
39954 diff -urNp linux-2.6.39.2/drivers/staging/line6/capture.h linux-2.6.39.2/drivers/staging/line6/capture.h
39955 --- linux-2.6.39.2/drivers/staging/line6/capture.h 2011-05-19 00:06:34.000000000 -0400
39956 +++ linux-2.6.39.2/drivers/staging/line6/capture.h 2011-05-22 19:36:32.000000000 -0400
39957 @@ -17,7 +17,7 @@
39958 #include "driver.h"
39959 #include "pcm.h"
39960
39961 -extern struct snd_pcm_ops snd_line6_capture_ops;
39962 +extern const struct snd_pcm_ops snd_line6_capture_ops;
39963
39964 extern void line6_capture_copy(struct snd_line6_pcm *line6pcm, char *fbuf,
39965 int fsize);
39966 diff -urNp linux-2.6.39.2/drivers/staging/line6/midi.c linux-2.6.39.2/drivers/staging/line6/midi.c
39967 --- linux-2.6.39.2/drivers/staging/line6/midi.c 2011-05-19 00:06:34.000000000 -0400
39968 +++ linux-2.6.39.2/drivers/staging/line6/midi.c 2011-05-22 19:36:32.000000000 -0400
39969 @@ -239,14 +239,14 @@ static void line6_midi_input_trigger(str
39970 line6->line6midi->substream_receive = 0;
39971 }
39972
39973 -static struct snd_rawmidi_ops line6_midi_output_ops = {
39974 +static const struct snd_rawmidi_ops line6_midi_output_ops = {
39975 .open = line6_midi_output_open,
39976 .close = line6_midi_output_close,
39977 .trigger = line6_midi_output_trigger,
39978 .drain = line6_midi_output_drain,
39979 };
39980
39981 -static struct snd_rawmidi_ops line6_midi_input_ops = {
39982 +static const struct snd_rawmidi_ops line6_midi_input_ops = {
39983 .open = line6_midi_input_open,
39984 .close = line6_midi_input_close,
39985 .trigger = line6_midi_input_trigger,
39986 @@ -373,7 +373,7 @@ static int snd_line6_midi_free(struct sn
39987 */
39988 int line6_init_midi(struct usb_line6 *line6)
39989 {
39990 - static struct snd_device_ops midi_ops = {
39991 + static const struct snd_device_ops midi_ops = {
39992 .dev_free = snd_line6_midi_free,
39993 };
39994
39995 diff -urNp linux-2.6.39.2/drivers/staging/line6/pcm.c linux-2.6.39.2/drivers/staging/line6/pcm.c
39996 --- linux-2.6.39.2/drivers/staging/line6/pcm.c 2011-05-19 00:06:34.000000000 -0400
39997 +++ linux-2.6.39.2/drivers/staging/line6/pcm.c 2011-05-22 19:36:32.000000000 -0400
39998 @@ -384,7 +384,7 @@ void line6_pcm_disconnect(struct snd_lin
39999 int line6_init_pcm(struct usb_line6 *line6,
40000 struct line6_pcm_properties *properties)
40001 {
40002 - static struct snd_device_ops pcm_ops = {
40003 + static const struct snd_device_ops pcm_ops = {
40004 .dev_free = snd_line6_pcm_free,
40005 };
40006
40007 diff -urNp linux-2.6.39.2/drivers/staging/line6/playback.c linux-2.6.39.2/drivers/staging/line6/playback.c
40008 --- linux-2.6.39.2/drivers/staging/line6/playback.c 2011-05-19 00:06:34.000000000 -0400
40009 +++ linux-2.6.39.2/drivers/staging/line6/playback.c 2011-05-22 19:36:32.000000000 -0400
40010 @@ -536,7 +536,7 @@ snd_line6_playback_pointer(struct snd_pc
40011 }
40012
40013 /* playback operators */
40014 -struct snd_pcm_ops snd_line6_playback_ops = {
40015 +const struct snd_pcm_ops snd_line6_playback_ops = {
40016 .open = snd_line6_playback_open,
40017 .close = snd_line6_playback_close,
40018 .ioctl = snd_pcm_lib_ioctl,
40019 diff -urNp linux-2.6.39.2/drivers/staging/line6/playback.h linux-2.6.39.2/drivers/staging/line6/playback.h
40020 --- linux-2.6.39.2/drivers/staging/line6/playback.h 2011-05-19 00:06:34.000000000 -0400
40021 +++ linux-2.6.39.2/drivers/staging/line6/playback.h 2011-05-22 19:36:32.000000000 -0400
40022 @@ -27,7 +27,7 @@
40023 */
40024 #define USE_CLEAR_BUFFER_WORKAROUND 1
40025
40026 -extern struct snd_pcm_ops snd_line6_playback_ops;
40027 +extern const struct snd_pcm_ops snd_line6_playback_ops;
40028
40029 extern int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm);
40030 extern int line6_submit_audio_out_all_urbs(struct snd_line6_pcm *line6pcm);
40031 diff -urNp linux-2.6.39.2/drivers/staging/msm/staging-devices.c linux-2.6.39.2/drivers/staging/msm/staging-devices.c
40032 --- linux-2.6.39.2/drivers/staging/msm/staging-devices.c 2011-05-19 00:06:34.000000000 -0400
40033 +++ linux-2.6.39.2/drivers/staging/msm/staging-devices.c 2011-05-22 19:36:32.000000000 -0400
40034 @@ -211,7 +211,7 @@ static int msm_fb_lcdc_gpio_config(int o
40035 }
40036
40037
40038 -static struct lcdc_platform_data lcdc_pdata = {
40039 +static const struct lcdc_platform_data lcdc_pdata = {
40040 .lcdc_gpio_config = msm_fb_lcdc_gpio_config,
40041 };
40042
40043 diff -urNp linux-2.6.39.2/drivers/staging/octeon/ethernet.c linux-2.6.39.2/drivers/staging/octeon/ethernet.c
40044 --- linux-2.6.39.2/drivers/staging/octeon/ethernet.c 2011-05-19 00:06:34.000000000 -0400
40045 +++ linux-2.6.39.2/drivers/staging/octeon/ethernet.c 2011-05-22 19:36:32.000000000 -0400
40046 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
40047 * since the RX tasklet also increments it.
40048 */
40049 #ifdef CONFIG_64BIT
40050 - atomic64_add(rx_status.dropped_packets,
40051 - (atomic64_t *)&priv->stats.rx_dropped);
40052 + atomic64_add_unchecked(rx_status.dropped_packets,
40053 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40054 #else
40055 - atomic_add(rx_status.dropped_packets,
40056 - (atomic_t *)&priv->stats.rx_dropped);
40057 + atomic_add_unchecked(rx_status.dropped_packets,
40058 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
40059 #endif
40060 }
40061
40062 diff -urNp linux-2.6.39.2/drivers/staging/octeon/ethernet-rx.c linux-2.6.39.2/drivers/staging/octeon/ethernet-rx.c
40063 --- linux-2.6.39.2/drivers/staging/octeon/ethernet-rx.c 2011-05-19 00:06:34.000000000 -0400
40064 +++ linux-2.6.39.2/drivers/staging/octeon/ethernet-rx.c 2011-05-22 19:36:32.000000000 -0400
40065 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
40066 /* Increment RX stats for virtual ports */
40067 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
40068 #ifdef CONFIG_64BIT
40069 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
40070 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
40071 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
40072 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
40073 #else
40074 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
40075 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
40076 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
40077 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
40078 #endif
40079 }
40080 netif_receive_skb(skb);
40081 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
40082 dev->name);
40083 */
40084 #ifdef CONFIG_64BIT
40085 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
40086 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40087 #else
40088 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
40089 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
40090 #endif
40091 dev_kfree_skb_irq(skb);
40092 }
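Review bot: The CONFIG_64BIT branch of this hunk calls `atomic64_unchecked_add`, whereas the other converted calls visible in this part of the patch (the first hunk of this file and ethernet.c) use the suffix form `atomic64_add_unchecked`. Unless a helper with the transposed name is defined elsewhere, a 64-bit build of this driver will fail or fall back to an implicit declaration. The line should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_napi_poll starts and ends outside the hunk.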
40093 diff -urNp linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.c
40094 --- linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-19 00:06:34.000000000 -0400
40095 +++ linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-22 19:36:32.000000000 -0400
40096 @@ -43,7 +43,7 @@ module_param(noinit, int, 0444);
40097 static int useaa = 1;
40098 module_param(useaa, int, 0444);
40099
40100 -static struct dcon_platform_data *pdata;
40101 +static const struct dcon_platform_data *pdata;
40102
40103 /* I2C structures */
40104
40105 diff -urNp linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.h linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.h
40106 --- linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-19 00:06:34.000000000 -0400
40107 +++ linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-22 19:36:32.000000000 -0400
40108 @@ -92,11 +92,11 @@ struct dcon_platform_data {
40109 extern irqreturn_t dcon_interrupt(int irq, void *id);
40110
40111 #ifdef CONFIG_FB_OLPC_DCON_1
40112 -extern struct dcon_platform_data dcon_pdata_xo_1;
40113 +extern const struct dcon_platform_data dcon_pdata_xo_1;
40114 #endif
40115
40116 #ifdef CONFIG_FB_OLPC_DCON_1_5
40117 -extern struct dcon_platform_data dcon_pdata_xo_1_5;
40118 +extern const struct dcon_platform_data dcon_pdata_xo_1_5;
40119 #endif
40120
40121 #endif
40122 diff -urNp linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c
40123 --- linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-19 00:06:34.000000000 -0400
40124 +++ linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-22 19:36:32.000000000 -0400
40125 @@ -185,7 +185,7 @@ static u8 dcon_read_status_xo_1_5(void)
40126 return status;
40127 }
40128
40129 -struct dcon_platform_data dcon_pdata_xo_1_5 = {
40130 +const struct dcon_platform_data dcon_pdata_xo_1_5 = {
40131 .init = dcon_init_xo_1_5,
40132 .bus_stabilize_wiggle = dcon_wiggle_xo_1_5,
40133 .set_dconload = dcon_set_dconload_xo_1_5,
40134 diff -urNp linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c
40135 --- linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-19 00:06:34.000000000 -0400
40136 +++ linux-2.6.39.2/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-22 19:36:32.000000000 -0400
40137 @@ -196,7 +196,7 @@ static u8 dcon_read_status_xo_1(void)
40138 return status;
40139 }
40140
40141 -struct dcon_platform_data dcon_pdata_xo_1 = {
40142 +const struct dcon_platform_data dcon_pdata_xo_1 = {
40143 .init = dcon_init_xo_1,
40144 .bus_stabilize_wiggle = dcon_wiggle_xo_1,
40145 .set_dconload = dcon_set_dconload_1,
40146 diff -urNp linux-2.6.39.2/drivers/staging/phison/phison.c linux-2.6.39.2/drivers/staging/phison/phison.c
40147 --- linux-2.6.39.2/drivers/staging/phison/phison.c 2011-05-19 00:06:34.000000000 -0400
40148 +++ linux-2.6.39.2/drivers/staging/phison/phison.c 2011-05-22 19:36:32.000000000 -0400
40149 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40150 ATA_BMDMA_SHT(DRV_NAME),
40151 };
40152
40153 -static struct ata_port_operations phison_ops = {
40154 +static const struct ata_port_operations phison_ops = {
40155 .inherits = &ata_bmdma_port_ops,
40156 .prereset = phison_pre_reset,
40157 };
40158 diff -urNp linux-2.6.39.2/drivers/staging/pohmelfs/inode.c linux-2.6.39.2/drivers/staging/pohmelfs/inode.c
40159 --- linux-2.6.39.2/drivers/staging/pohmelfs/inode.c 2011-05-19 00:06:34.000000000 -0400
40160 +++ linux-2.6.39.2/drivers/staging/pohmelfs/inode.c 2011-05-22 19:36:32.000000000 -0400
40161 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
40162 mutex_init(&psb->mcache_lock);
40163 psb->mcache_root = RB_ROOT;
40164 psb->mcache_timeout = msecs_to_jiffies(5000);
40165 - atomic_long_set(&psb->mcache_gen, 0);
40166 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
40167
40168 psb->trans_max_pages = 100;
40169
40170 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
40171 INIT_LIST_HEAD(&psb->crypto_ready_list);
40172 INIT_LIST_HEAD(&psb->crypto_active_list);
40173
40174 - atomic_set(&psb->trans_gen, 1);
40175 + atomic_set_unchecked(&psb->trans_gen, 1);
40176 atomic_long_set(&psb->total_inodes, 0);
40177
40178 mutex_init(&psb->state_lock);
40179 diff -urNp linux-2.6.39.2/drivers/staging/pohmelfs/mcache.c linux-2.6.39.2/drivers/staging/pohmelfs/mcache.c
40180 --- linux-2.6.39.2/drivers/staging/pohmelfs/mcache.c 2011-05-19 00:06:34.000000000 -0400
40181 +++ linux-2.6.39.2/drivers/staging/pohmelfs/mcache.c 2011-05-22 19:36:32.000000000 -0400
40182 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40183 m->data = data;
40184 m->start = start;
40185 m->size = size;
40186 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
40187 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40188
40189 mutex_lock(&psb->mcache_lock);
40190 err = pohmelfs_mcache_insert(psb, m);
40191 diff -urNp linux-2.6.39.2/drivers/staging/pohmelfs/netfs.h linux-2.6.39.2/drivers/staging/pohmelfs/netfs.h
40192 --- linux-2.6.39.2/drivers/staging/pohmelfs/netfs.h 2011-05-19 00:06:34.000000000 -0400
40193 +++ linux-2.6.39.2/drivers/staging/pohmelfs/netfs.h 2011-05-22 19:36:32.000000000 -0400
40194 @@ -571,14 +571,14 @@ struct pohmelfs_config;
40195 struct pohmelfs_sb {
40196 struct rb_root mcache_root;
40197 struct mutex mcache_lock;
40198 - atomic_long_t mcache_gen;
40199 + atomic_long_unchecked_t mcache_gen;
40200 unsigned long mcache_timeout;
40201
40202 unsigned int idx;
40203
40204 unsigned int trans_retries;
40205
40206 - atomic_t trans_gen;
40207 + atomic_unchecked_t trans_gen;
40208
40209 unsigned int crypto_attached_size;
40210 unsigned int crypto_align_size;
40211 diff -urNp linux-2.6.39.2/drivers/staging/pohmelfs/trans.c linux-2.6.39.2/drivers/staging/pohmelfs/trans.c
40212 --- linux-2.6.39.2/drivers/staging/pohmelfs/trans.c 2011-05-19 00:06:34.000000000 -0400
40213 +++ linux-2.6.39.2/drivers/staging/pohmelfs/trans.c 2011-05-22 19:36:32.000000000 -0400
40214 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40215 int err;
40216 struct netfs_cmd *cmd = t->iovec.iov_base;
40217
40218 - t->gen = atomic_inc_return(&psb->trans_gen);
40219 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40220
40221 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40222 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40223 diff -urNp linux-2.6.39.2/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.39.2/drivers/staging/rtl8192u/ieee80211/proc.c
40224 --- linux-2.6.39.2/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-19 00:06:34.000000000 -0400
40225 +++ linux-2.6.39.2/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-22 19:36:32.000000000 -0400
40226 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
40227 return 0;
40228 }
40229
40230 -static struct seq_operations crypto_seq_ops = {
40231 +static const struct seq_operations crypto_seq_ops = {
40232 .start = c_start,
40233 .next = c_next,
40234 .stop = c_stop,
40235 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
40236 return seq_open(file, &crypto_seq_ops);
40237 }
40238
40239 -static struct file_operations proc_crypto_ops = {
40240 +static const struct file_operations proc_crypto_ops = {
40241 .open = crypto_info_open,
40242 .read = seq_read,
40243 .llseek = seq_lseek,
40244 diff -urNp linux-2.6.39.2/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.2/drivers/staging/rtl8712/rtl871x_io.h
40245 --- linux-2.6.39.2/drivers/staging/rtl8712/rtl871x_io.h 2011-05-19 00:06:34.000000000 -0400
40246 +++ linux-2.6.39.2/drivers/staging/rtl8712/rtl871x_io.h 2011-05-22 19:36:32.000000000 -0400
40247 @@ -107,7 +107,7 @@ struct intf_hdl {
40248 void (*intf_hdl_unload)(u8 *priv);
40249 void (*intf_hdl_open)(u8 *priv);
40250 void (*intf_hdl_close)(u8 *priv);
40251 - struct _io_ops io_ops;
40252 + const struct _io_ops io_ops;
40253 };
40254
40255 struct reg_protocol_rd {
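Review bot: Qualifying the embedded member `io_ops` as `const` does not put the function-pointer table in read-only memory the way the `static const` ops tables elsewhere in this patch do, because the protection follows the storage of the enclosing `struct intf_hdl`. If `intf_hdl` objects are allocated at run time and the driver fills in `io_ops` afterwards (not visible in this hunk), the qualifier either breaks those stores or forces casts that hide them. A pointer member, `const struct _io_ops *io_ops;`, aimed at a single static const table would give real write protection, with the users adjusted to match.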
40256 diff -urNp linux-2.6.39.2/drivers/staging/solo6x10/g723.c linux-2.6.39.2/drivers/staging/solo6x10/g723.c
40257 --- linux-2.6.39.2/drivers/staging/solo6x10/g723.c 2011-05-19 00:06:34.000000000 -0400
40258 +++ linux-2.6.39.2/drivers/staging/solo6x10/g723.c 2011-05-22 19:36:32.000000000 -0400
40259 @@ -237,7 +237,7 @@ static int snd_solo_pcm_copy(struct snd_
40260 return 0;
40261 }
40262
40263 -static struct snd_pcm_ops snd_solo_pcm_ops = {
40264 +static const struct snd_pcm_ops snd_solo_pcm_ops = {
40265 .open = snd_solo_pcm_open,
40266 .close = snd_solo_pcm_close,
40267 .ioctl = snd_pcm_lib_ioctl,
40268 @@ -334,7 +334,7 @@ static int solo_snd_pcm_init(struct solo
40269
40270 int solo_g723_init(struct solo_dev *solo_dev)
40271 {
40272 - static struct snd_device_ops ops = { NULL };
40273 + static const struct snd_device_ops ops = { NULL };
40274 struct snd_card *card;
40275 struct snd_kcontrol_new kctl;
40276 char name[32];
40277 diff -urNp linux-2.6.39.2/drivers/staging/spectra/ffsport.c linux-2.6.39.2/drivers/staging/spectra/ffsport.c
40278 --- linux-2.6.39.2/drivers/staging/spectra/ffsport.c 2011-05-19 00:06:34.000000000 -0400
40279 +++ linux-2.6.39.2/drivers/staging/spectra/ffsport.c 2011-05-22 19:36:32.000000000 -0400
40280 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
40281 return ret;
40282 }
40283
40284 -static struct block_device_operations GLOB_SBD_ops = {
40285 +static const struct block_device_operations GLOB_SBD_ops = {
40286 .owner = THIS_MODULE,
40287 .open = GLOB_SBD_open,
40288 .release = GLOB_SBD_release,
40289 diff -urNp linux-2.6.39.2/drivers/staging/tm6000/tm6000-alsa.c linux-2.6.39.2/drivers/staging/tm6000/tm6000-alsa.c
40290 --- linux-2.6.39.2/drivers/staging/tm6000/tm6000-alsa.c 2011-05-19 00:06:34.000000000 -0400
40291 +++ linux-2.6.39.2/drivers/staging/tm6000/tm6000-alsa.c 2011-05-22 19:36:32.000000000 -0400
40292 @@ -380,7 +380,7 @@ static snd_pcm_uframes_t snd_tm6000_poin
40293 /*
40294 * operators
40295 */
40296 -static struct snd_pcm_ops snd_tm6000_pcm_ops = {
40297 +static const struct snd_pcm_ops snd_tm6000_pcm_ops = {
40298 .open = snd_tm6000_pcm_open,
40299 .close = snd_tm6000_close,
40300 .ioctl = snd_pcm_lib_ioctl,
40301 diff -urNp linux-2.6.39.2/drivers/staging/tty/istallion.c linux-2.6.39.2/drivers/staging/tty/istallion.c
40302 --- linux-2.6.39.2/drivers/staging/tty/istallion.c 2011-05-19 00:06:34.000000000 -0400
40303 +++ linux-2.6.39.2/drivers/staging/tty/istallion.c 2011-05-22 20:49:07.000000000 -0400
40304 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
40305 * re-used for each stats call.
40306 */
40307 static comstats_t stli_comstats;
40308 -static combrd_t stli_brdstats;
40309 static struct asystats stli_cdkstats;
40310
40311 /*****************************************************************************/
40312 @@ -4003,6 +4002,7 @@ out:
40313
40314 static int stli_getbrdstats(combrd_t __user *bp)
40315 {
40316 + combrd_t stli_brdstats;
40317 struct stlibrd *brdp;
40318 unsigned int i;
40319
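Review bot: The new local `combrd_t stli_brdstats;` in `stli_getbrdstats()` has no initialiser, whereas the file-scope object it replaces was zero-initialised static storage. The function body continues outside the hunk; if the structure is later copied back through `bp`, confirm that every byte, padding included, is written first, or declare it as `combrd_t stli_brdstats = { 0 };`. The comment left above the remaining statics in the previous hunk ("re-used for each stats call") no longer covers this buffer, so add a one-line comment here such as `/* per-call buffer: presumably so concurrent callers do not share state */`.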
40320 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
40321 struct stliport stli_dummyport;
40322 struct stliport *portp;
40323
40324 + pax_track_stack();
40325 +
40326 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
40327 return -EFAULT;
40328 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
40329 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
40330 struct stlibrd stli_dummybrd;
40331 struct stlibrd *brdp;
40332
40333 + pax_track_stack();
40334 +
40335 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
40336 return -EFAULT;
40337 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
40338 diff -urNp linux-2.6.39.2/drivers/staging/tty/stallion.c linux-2.6.39.2/drivers/staging/tty/stallion.c
40339 --- linux-2.6.39.2/drivers/staging/tty/stallion.c 2011-05-19 00:06:34.000000000 -0400
40340 +++ linux-2.6.39.2/drivers/staging/tty/stallion.c 2011-05-22 19:36:32.000000000 -0400
40341 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
40342 struct stlport stl_dummyport;
40343 struct stlport *portp;
40344
40345 + pax_track_stack();
40346 +
40347 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
40348 return -EFAULT;
40349 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
40350 diff -urNp linux-2.6.39.2/drivers/staging/usbip/vhci.h linux-2.6.39.2/drivers/staging/usbip/vhci.h
40351 --- linux-2.6.39.2/drivers/staging/usbip/vhci.h 2011-05-19 00:06:34.000000000 -0400
40352 +++ linux-2.6.39.2/drivers/staging/usbip/vhci.h 2011-05-22 19:36:32.000000000 -0400
40353 @@ -92,7 +92,7 @@ struct vhci_hcd {
40354 unsigned resuming:1;
40355 unsigned long re_timeout;
40356
40357 - atomic_t seqnum;
40358 + atomic_unchecked_t seqnum;
40359
40360 /*
40361 * NOTE:
40362 diff -urNp linux-2.6.39.2/drivers/staging/usbip/vhci_hcd.c linux-2.6.39.2/drivers/staging/usbip/vhci_hcd.c
40363 --- linux-2.6.39.2/drivers/staging/usbip/vhci_hcd.c 2011-05-19 00:06:34.000000000 -0400
40364 +++ linux-2.6.39.2/drivers/staging/usbip/vhci_hcd.c 2011-05-22 19:36:32.000000000 -0400
40365 @@ -536,7 +536,7 @@ static void vhci_tx_urb(struct urb *urb)
40366 return;
40367 }
40368
40369 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40370 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40371 if (priv->seqnum == 0xffff)
40372 usbip_uinfo("seqnum max\n");
40373
40374 @@ -795,7 +795,7 @@ static int vhci_urb_dequeue(struct usb_h
40375 return -ENOMEM;
40376 }
40377
40378 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40379 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40380 if (unlink->seqnum == 0xffff)
40381 usbip_uinfo("seqnum max\n");
40382
40383 @@ -992,7 +992,7 @@ static int vhci_start(struct usb_hcd *hc
40384 vdev->rhport = rhport;
40385 }
40386
40387 - atomic_set(&vhci->seqnum, 0);
40388 + atomic_set_unchecked(&vhci->seqnum, 0);
40389 spin_lock_init(&vhci->lock);
40390
40391
40392 diff -urNp linux-2.6.39.2/drivers/staging/usbip/vhci_rx.c linux-2.6.39.2/drivers/staging/usbip/vhci_rx.c
40393 --- linux-2.6.39.2/drivers/staging/usbip/vhci_rx.c 2011-05-19 00:06:34.000000000 -0400
40394 +++ linux-2.6.39.2/drivers/staging/usbip/vhci_rx.c 2011-05-22 19:36:32.000000000 -0400
40395 @@ -81,7 +81,7 @@ static void vhci_recv_ret_submit(struct
40396 usbip_uerr("cannot find a urb of seqnum %u\n",
40397 pdu->base.seqnum);
40398 usbip_uinfo("max seqnum %d\n",
40399 - atomic_read(&the_controller->seqnum));
40400 + atomic_read_unchecked(&the_controller->seqnum));
40401 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40402 return;
40403 }
40404 diff -urNp linux-2.6.39.2/drivers/staging/vme/devices/vme_user.c linux-2.6.39.2/drivers/staging/vme/devices/vme_user.c
40405 --- linux-2.6.39.2/drivers/staging/vme/devices/vme_user.c 2011-05-19 00:06:34.000000000 -0400
40406 +++ linux-2.6.39.2/drivers/staging/vme/devices/vme_user.c 2011-05-22 19:36:32.000000000 -0400
40407 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
40408 static int __devinit vme_user_probe(struct device *, int, int);
40409 static int __devexit vme_user_remove(struct device *, int, int);
40410
40411 -static struct file_operations vme_user_fops = {
40412 +static const struct file_operations vme_user_fops = {
40413 .open = vme_user_open,
40414 .release = vme_user_release,
40415 .read = vme_user_read,
40416 diff -urNp linux-2.6.39.2/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.39.2/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
40417 --- linux-2.6.39.2/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-19 00:06:34.000000000 -0400
40418 +++ linux-2.6.39.2/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-22 19:36:32.000000000 -0400
40419 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
40420
40421
40422 /*standard block device driver interface */
40423 -static struct block_device_operations cyasblkdev_bdops = {
40424 +static const struct block_device_operations cyasblkdev_bdops = {
40425 .open = cyasblkdev_blk_open,
40426 .release = cyasblkdev_blk_release,
40427 .ioctl = cyasblkdev_blk_ioctl,
40428 diff -urNp linux-2.6.39.2/drivers/staging/wlags49_h2/wl_netdev.c linux-2.6.39.2/drivers/staging/wlags49_h2/wl_netdev.c
40429 --- linux-2.6.39.2/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-19 00:06:34.000000000 -0400
40430 +++ linux-2.6.39.2/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-22 19:36:32.000000000 -0400
40431 @@ -474,7 +474,7 @@ static void wl_get_drvinfo(struct net_de
40432 }
40433 } // wl_get_drvinfo
40434
40435 -static struct ethtool_ops wl_ethtool_ops = {
40436 +static const struct ethtool_ops wl_ethtool_ops = {
40437 .get_drvinfo = wl_get_drvinfo,
40438 .get_link = ethtool_op_get_link,
40439 };
40440 diff -urNp linux-2.6.39.2/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.39.2/drivers/staging/wlan-ng/hfa384x_usb.c
40441 --- linux-2.6.39.2/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-19 00:06:34.000000000 -0400
40442 +++ linux-2.6.39.2/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-22 19:36:32.000000000 -0400
40443 @@ -671,7 +671,7 @@ struct usbctlx_cmd_completor {
40444 hfa384x_cmdresult_t *result;
40445 };
40446
40447 -static inline int usbctlx_cmd_completor_fn(struct usbctlx_completor *head)
40448 +static inline int usbctlx_cmd_completor_fn(const struct usbctlx_completor *head)
40449 {
40450 struct usbctlx_cmd_completor *complete;
40451
40452 @@ -705,7 +705,7 @@ struct usbctlx_rrid_completor {
40453 unsigned int riddatalen;
40454 };
40455
40456 -static int usbctlx_rrid_completor_fn(struct usbctlx_completor *head)
40457 +static int usbctlx_rrid_completor_fn(const struct usbctlx_completor *head)
40458 {
40459 struct usbctlx_rrid_completor *complete;
40460 hfa384x_rridresult_t rridresult;
40461 @@ -768,7 +768,7 @@ struct usbctlx_rmem_completor {
40462 };
40463 typedef struct usbctlx_rmem_completor usbctlx_rmem_completor_t;
40464
40465 -static int usbctlx_rmem_completor_fn(struct usbctlx_completor *head)
40466 +static int usbctlx_rmem_completor_fn(const struct usbctlx_completor *head)
40467 {
40468 usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;
40469
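Review bot: The cast on the first line of `usbctlx_rmem_completor_fn()`, `(usbctlx_rmem_completor_t *) head`, discards the `const` this hunk adds to the parameter, so the compiler no longer checks that the completor is left unmodified. If the function only reads through `complete` (the rest of the body is outside the hunk), keep the qualifier: `const usbctlx_rmem_completor_t *complete = (const usbctlx_rmem_completor_t *) head;`. `usbctlx_cmd_completor_fn()` and `usbctlx_rrid_completor_fn()` in the two hunks above get the same parameter change and also declare a non-const `complete`. Their assignments are cut off, so check them for the same cast.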
40470 diff -urNp linux-2.6.39.2/drivers/staging/zcache/tmem.c linux-2.6.39.2/drivers/staging/zcache/tmem.c
40471 --- linux-2.6.39.2/drivers/staging/zcache/tmem.c 2011-05-19 00:06:34.000000000 -0400
40472 +++ linux-2.6.39.2/drivers/staging/zcache/tmem.c 2011-05-22 19:36:32.000000000 -0400
40473 @@ -39,7 +39,7 @@
40474 * A tmem host implementation must use this function to register callbacks
40475 * for memory allocation.
40476 */
40477 -static struct tmem_hostops tmem_hostops;
40478 +static const struct tmem_hostops tmem_hostops;
40479
40480 static void tmem_objnode_tree_init(void);
40481
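Review bot: `tmem_hostops` is now a `static const` object with no initialiser, yet the comment directly above it says host implementations register their callbacks through `tmem_register_hostops()`, which takes a non-const `struct tmem_hostops *`. The body of that function is outside the hunk; if it stores the caller's table into this object (for example by struct assignment), that store no longer compiles, and without it the table stays zero-filled. `tmem_pamops` and `tmem_register_pamops()` in the next hunk have the same shape. One way to keep the protection is to hold a pointer to the caller's table instead, `static const struct tmem_hostops *tmem_hostops;`, with the register functions taking `const` pointers and the uses adjusted. The zcache.c tables passed in are already made `const` by this patch.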
40482 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
40483 * A tmem host implementation must use this function to register
40484 * callbacks for a page-accessible memory (PAM) implementation
40485 */
40486 -static struct tmem_pamops tmem_pamops;
40487 +static const struct tmem_pamops tmem_pamops;
40488
40489 void tmem_register_pamops(struct tmem_pamops *m)
40490 {
40491 diff -urNp linux-2.6.39.2/drivers/staging/zcache/zcache.c linux-2.6.39.2/drivers/staging/zcache/zcache.c
40492 --- linux-2.6.39.2/drivers/staging/zcache/zcache.c 2011-05-19 00:06:34.000000000 -0400
40493 +++ linux-2.6.39.2/drivers/staging/zcache/zcache.c 2011-05-22 19:36:32.000000000 -0400
40494 @@ -882,7 +882,7 @@ static void zcache_obj_free(struct tmem_
40495 kmem_cache_free(zcache_obj_cache, obj);
40496 }
40497
40498 -static struct tmem_hostops zcache_hostops = {
40499 +static const struct tmem_hostops zcache_hostops = {
40500 .obj_alloc = zcache_obj_alloc,
40501 .obj_free = zcache_obj_free,
40502 .objnode_alloc = zcache_objnode_alloc,
40503 @@ -987,7 +987,7 @@ static void zcache_pampd_free(void *pamp
40504 }
40505 }
40506
40507 -static struct tmem_pamops zcache_pamops = {
40508 +static const struct tmem_pamops zcache_pamops = {
40509 .create = zcache_pampd_create,
40510 .get_data = zcache_pampd_get_data,
40511 .free = zcache_pampd_free,
40512 diff -urNp linux-2.6.39.2/drivers/target/target_core_alua.c linux-2.6.39.2/drivers/target/target_core_alua.c
40513 --- linux-2.6.39.2/drivers/target/target_core_alua.c 2011-05-19 00:06:34.000000000 -0400
40514 +++ linux-2.6.39.2/drivers/target/target_core_alua.c 2011-05-22 19:36:32.000000000 -0400
40515 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
40516 char path[ALUA_METADATA_PATH_LEN];
40517 int len;
40518
40519 + pax_track_stack();
40520 +
40521 memset(path, 0, ALUA_METADATA_PATH_LEN);
40522
40523 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
40524 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
40525 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
40526 int len;
40527
40528 + pax_track_stack();
40529 +
40530 memset(path, 0, ALUA_METADATA_PATH_LEN);
40531 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
40532
40533 diff -urNp linux-2.6.39.2/drivers/target/target_core_cdb.c linux-2.6.39.2/drivers/target/target_core_cdb.c
40534 --- linux-2.6.39.2/drivers/target/target_core_cdb.c 2011-05-19 00:06:34.000000000 -0400
40535 +++ linux-2.6.39.2/drivers/target/target_core_cdb.c 2011-05-22 19:36:32.000000000 -0400
40536 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
40537 int length = 0;
40538 unsigned char buf[SE_MODE_PAGE_BUF];
40539
40540 + pax_track_stack();
40541 +
40542 memset(buf, 0, SE_MODE_PAGE_BUF);
40543
40544 switch (cdb[2] & 0x3f) {
40545 diff -urNp linux-2.6.39.2/drivers/target/target_core_configfs.c linux-2.6.39.2/drivers/target/target_core_configfs.c
40546 --- linux-2.6.39.2/drivers/target/target_core_configfs.c 2011-05-19 00:06:34.000000000 -0400
40547 +++ linux-2.6.39.2/drivers/target/target_core_configfs.c 2011-05-22 19:36:32.000000000 -0400
40548 @@ -1280,6 +1280,8 @@ static ssize_t target_core_dev_pr_show_a
40549 ssize_t len = 0;
40550 int reg_count = 0, prf_isid;
40551
40552 + pax_track_stack();
40553 +
40554 if (!(su_dev->se_dev_ptr))
40555 return -ENODEV;
40556
40557 @@ -2682,7 +2684,7 @@ static void target_core_alua_drop_tg_pt_
40558 config_item_put(item);
40559 }
40560
40561 -static struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40562 +static const struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40563 .make_group = &target_core_alua_create_tg_pt_gp,
40564 .drop_item = &target_core_alua_drop_tg_pt_gp,
40565 };
40566 @@ -2726,7 +2728,7 @@ static void target_core_stat_rmdir(
40567 return;
40568 }
40569
40570 -static struct configfs_group_operations target_core_stat_group_ops = {
40571 +static const struct configfs_group_operations target_core_stat_group_ops = {
40572 .make_group = &target_core_stat_mkdir,
40573 .drop_item = &target_core_stat_rmdir,
40574 };
40575 @@ -2939,7 +2941,7 @@ static void target_core_drop_subdev(
40576 mutex_unlock(&hba->hba_access_mutex);
40577 }
40578
40579 -static struct configfs_group_operations target_core_hba_group_ops = {
40580 +static const struct configfs_group_operations target_core_hba_group_ops = {
40581 .make_group = target_core_make_subdev,
40582 .drop_item = target_core_drop_subdev,
40583 };
40584 @@ -3117,7 +3119,7 @@ static void target_core_call_delhbafromt
40585 config_item_put(item);
40586 }
40587
40588 -static struct configfs_group_operations target_core_group_ops = {
40589 +static const struct configfs_group_operations target_core_group_ops = {
40590 .make_group = target_core_call_addhbatotarget,
40591 .drop_item = target_core_call_delhbafromtarget,
40592 };
40593 diff -urNp linux-2.6.39.2/drivers/target/target_core_fabric_configfs.c linux-2.6.39.2/drivers/target/target_core_fabric_configfs.c
40594 --- linux-2.6.39.2/drivers/target/target_core_fabric_configfs.c 2011-05-19 00:06:34.000000000 -0400
40595 +++ linux-2.6.39.2/drivers/target/target_core_fabric_configfs.c 2011-05-22 19:36:32.000000000 -0400
40596 @@ -1174,7 +1174,7 @@ static void target_fabric_drop_wwn(
40597 config_item_put(item);
40598 }
40599
40600 -static struct configfs_group_operations target_fabric_wwn_group_ops = {
40601 +static const struct configfs_group_operations target_fabric_wwn_group_ops = {
40602 .make_group = target_fabric_make_wwn,
40603 .drop_item = target_fabric_drop_wwn,
40604 };
40605 diff -urNp linux-2.6.39.2/drivers/target/target_core_pr.c linux-2.6.39.2/drivers/target/target_core_pr.c
40606 --- linux-2.6.39.2/drivers/target/target_core_pr.c 2011-05-19 00:06:34.000000000 -0400
40607 +++ linux-2.6.39.2/drivers/target/target_core_pr.c 2011-05-22 19:36:32.000000000 -0400
40608 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
40609 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
40610 u16 tpgt;
40611
40612 + pax_track_stack();
40613 +
40614 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
40615 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
40616 /*
40617 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
40618 ssize_t len = 0;
40619 int reg_count = 0;
40620
40621 + pax_track_stack();
40622 +
40623 memset(buf, 0, pr_aptpl_buf_len);
40624 /*
40625 * Called to clear metadata once APTPL has been deactivated.
40626 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
40627 char path[512];
40628 int ret;
40629
40630 + pax_track_stack();
40631 +
40632 memset(iov, 0, sizeof(struct iovec));
40633 memset(path, 0, 512);
40634
40635 diff -urNp linux-2.6.39.2/drivers/target/target_core_tmr.c linux-2.6.39.2/drivers/target/target_core_tmr.c
40636 --- linux-2.6.39.2/drivers/target/target_core_tmr.c 2011-06-03 00:04:14.000000000 -0400
40637 +++ linux-2.6.39.2/drivers/target/target_core_tmr.c 2011-06-03 00:32:07.000000000 -0400
40638 @@ -263,7 +263,7 @@ int core_tmr_lun_reset(
40639 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
40640 T_TASK(cmd)->t_task_cdbs,
40641 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40642 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40643 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40644 atomic_read(&T_TASK(cmd)->t_transport_active),
40645 atomic_read(&T_TASK(cmd)->t_transport_stop),
40646 atomic_read(&T_TASK(cmd)->t_transport_sent));
40647 @@ -305,7 +305,7 @@ int core_tmr_lun_reset(
40648 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
40649 " task: %p, t_fe_count: %d dev: %p\n", task,
40650 fe_count, dev);
40651 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40652 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40653 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
40654 flags);
40655 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40656 @@ -315,7 +315,7 @@ int core_tmr_lun_reset(
40657 }
40658 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
40659 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
40660 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40661 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40662 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
40663 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40664
40665 diff -urNp linux-2.6.39.2/drivers/target/target_core_transport.c linux-2.6.39.2/drivers/target/target_core_transport.c
40666 --- linux-2.6.39.2/drivers/target/target_core_transport.c 2011-06-03 00:04:14.000000000 -0400
40667 +++ linux-2.6.39.2/drivers/target/target_core_transport.c 2011-06-03 00:32:07.000000000 -0400
40668 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
40669
40670 dev->queue_depth = dev_limits->queue_depth;
40671 atomic_set(&dev->depth_left, dev->queue_depth);
40672 - atomic_set(&dev->dev_ordered_id, 0);
40673 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
40674
40675 se_dev_set_default_attribs(dev, dev_limits);
40676
40677 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
40678 * Used to determine when ORDERED commands should go from
40679 * Dormant to Active status.
40680 */
40681 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
40682 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
40683 smp_mb__after_atomic_inc();
40684 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
40685 cmd->se_ordered_id, cmd->sam_task_attr,
40686 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
40687 " t_transport_active: %d t_transport_stop: %d"
40688 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
40689 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40690 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40691 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40692 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
40693 atomic_read(&T_TASK(cmd)->t_transport_active),
40694 atomic_read(&T_TASK(cmd)->t_transport_stop),
40695 @@ -2673,9 +2673,9 @@ check_depth:
40696 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
40697 atomic_set(&task->task_active, 1);
40698 atomic_set(&task->task_sent, 1);
40699 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
40700 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
40701
40702 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
40703 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
40704 T_TASK(cmd)->t_task_cdbs)
40705 atomic_set(&cmd->transport_sent, 1);
40706
40707 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
40708 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
40709 }
40710 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
40711 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
40712 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
40713 goto remove;
40714
40715 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
40716 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
40717 {
40718 int ret = 0;
40719
40720 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
40721 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
40722 if (!(send_status) ||
40723 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
40724 return 1;
40725 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
40726 */
40727 if (cmd->data_direction == DMA_TO_DEVICE) {
40728 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
40729 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
40730 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
40731 smp_mb__after_atomic_inc();
40732 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
40733 transport_new_cmd_failure(cmd);
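Review bot: `t_transport_aborted` is incremented here with `atomic_inc_unchecked()`, while the other writers shown in this patch store a plain 1 (`atomic_set_unchecked(..., 1)` in core_tmr_lun_reset()) and the readers only test it against zero. Now that the field is exempt from overflow detection, its declaration, which is not part of this file section, should say that it is a flag and not a count, e.g. `/* abort flag, zero or non-zero; not a reference count */`. The enclosing function starts and ends outside the hunk.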
40734 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
40735 CMD_TFO(cmd)->get_task_tag(cmd),
40736 T_TASK(cmd)->t_task_cdbs,
40737 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40738 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40739 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40740 atomic_read(&T_TASK(cmd)->t_transport_active),
40741 atomic_read(&T_TASK(cmd)->t_transport_stop),
40742 atomic_read(&T_TASK(cmd)->t_transport_sent));
40743 diff -urNp linux-2.6.39.2/drivers/telephony/ixj.c linux-2.6.39.2/drivers/telephony/ixj.c
40744 --- linux-2.6.39.2/drivers/telephony/ixj.c 2011-05-19 00:06:34.000000000 -0400
40745 +++ linux-2.6.39.2/drivers/telephony/ixj.c 2011-05-22 19:36:32.000000000 -0400
40746 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40747 bool mContinue;
40748 char *pIn, *pOut;
40749
40750 + pax_track_stack();
40751 +
40752 if (!SCI_Prepare(j))
40753 return 0;
40754
40755 diff -urNp linux-2.6.39.2/drivers/tty/hvc/hvc_console.h linux-2.6.39.2/drivers/tty/hvc/hvc_console.h
40756 --- linux-2.6.39.2/drivers/tty/hvc/hvc_console.h 2011-05-19 00:06:34.000000000 -0400
40757 +++ linux-2.6.39.2/drivers/tty/hvc/hvc_console.h 2011-05-22 19:36:32.000000000 -0400
40758 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
40759 /* register a vterm for hvc tty operation (module_init or hotplug add) */
40760 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
40761 const struct hv_ops *ops, int outbuf_size);
40762 +
40763 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
40764 extern int hvc_remove(struct hvc_struct *hp);
40765
40766 diff -urNp linux-2.6.39.2/drivers/tty/hvc/hvc_iucv.c linux-2.6.39.2/drivers/tty/hvc/hvc_iucv.c
40767 --- linux-2.6.39.2/drivers/tty/hvc/hvc_iucv.c 2011-05-19 00:06:34.000000000 -0400
40768 +++ linux-2.6.39.2/drivers/tty/hvc/hvc_iucv.c 2011-05-22 19:36:32.000000000 -0400
40769 @@ -1203,7 +1203,7 @@ static int param_get_vmidfilter(char *bu
40770
40771 #define param_check_vmidfilter(name, p) __param_check(name, p, void)
40772
40773 -static struct kernel_param_ops param_ops_vmidfilter = {
40774 +static const struct kernel_param_ops param_ops_vmidfilter = {
40775 .set = param_set_vmidfilter,
40776 .get = param_get_vmidfilter,
40777 };
40778 diff -urNp linux-2.6.39.2/drivers/tty/hvc/hvcs.c linux-2.6.39.2/drivers/tty/hvc/hvcs.c
40779 --- linux-2.6.39.2/drivers/tty/hvc/hvcs.c 2011-05-19 00:06:34.000000000 -0400
40780 +++ linux-2.6.39.2/drivers/tty/hvc/hvcs.c 2011-05-22 19:36:32.000000000 -0400
40781 @@ -83,6 +83,7 @@
40782 #include <asm/hvcserver.h>
40783 #include <asm/uaccess.h>
40784 #include <asm/vio.h>
40785 +#include <asm/local.h>
40786
40787 /*
40788 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
40789 @@ -270,7 +271,7 @@ struct hvcs_struct {
40790 unsigned int index;
40791
40792 struct tty_struct *tty;
40793 - int open_count;
40794 + local_t open_count;
40795
40796 /*
40797 * Used to tell the driver kernel_thread what operations need to take
40798 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
40799
40800 spin_lock_irqsave(&hvcsd->lock, flags);
40801
40802 - if (hvcsd->open_count > 0) {
40803 + if (local_read(&hvcsd->open_count) > 0) {
40804 spin_unlock_irqrestore(&hvcsd->lock, flags);
40805 printk(KERN_INFO "HVCS: vterm state unchanged. "
40806 "The hvcs device node is still in use.\n");
40807 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
40808 if ((retval = hvcs_partner_connect(hvcsd)))
40809 goto error_release;
40810
40811 - hvcsd->open_count = 1;
40812 + local_set(&hvcsd->open_count, 1);
40813 hvcsd->tty = tty;
40814 tty->driver_data = hvcsd;
40815
40816 @@ -1179,7 +1180,7 @@ fast_open:
40817
40818 spin_lock_irqsave(&hvcsd->lock, flags);
40819 kref_get(&hvcsd->kref);
40820 - hvcsd->open_count++;
40821 + local_inc(&hvcsd->open_count);
40822 hvcsd->todo_mask |= HVCS_SCHED_READ;
40823 spin_unlock_irqrestore(&hvcsd->lock, flags);
40824
40825 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
40826 hvcsd = tty->driver_data;
40827
40828 spin_lock_irqsave(&hvcsd->lock, flags);
40829 - if (--hvcsd->open_count == 0) {
40830 + if (local_dec_and_test(&hvcsd->open_count)) {
40831
40832 vio_disable_interrupts(hvcsd->vdev);
40833
40834 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
40835 free_irq(irq, hvcsd);
40836 kref_put(&hvcsd->kref, destroy_hvcs_struct);
40837 return;
40838 - } else if (hvcsd->open_count < 0) {
40839 + } else if (local_read(&hvcsd->open_count) < 0) {
40840 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
40841 " is missmanaged.\n",
40842 - hvcsd->vdev->unit_address, hvcsd->open_count);
40843 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
40844 }
40845
40846 spin_unlock_irqrestore(&hvcsd->lock, flags);
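Review bot: The `printk` in the `else if` branch still formats `open_count` with `%d`, but the argument is now `local_read(&hvcsd->open_count)`, which as far as I know yields a `long` for `local_t`, so the format and argument types no longer match. Change the format string to `"HVCS: vty-server@%X open_count: %ld"`. hvcs_hangup() in the next hunk stores the same `local_read()` result in `temp_open_count`; if that variable is an `int` (its declaration is outside the hunk), the narrowing should be made explicit with a cast. hvcs_close() begins and ends outside this hunk.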
40847 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
40848
40849 spin_lock_irqsave(&hvcsd->lock, flags);
40850 /* Preserve this so that we know how many kref refs to put */
40851 - temp_open_count = hvcsd->open_count;
40852 + temp_open_count = local_read(&hvcsd->open_count);
40853
40854 /*
40855 * Don't kref put inside the spinlock because the destruction
40856 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
40857 hvcsd->tty->driver_data = NULL;
40858 hvcsd->tty = NULL;
40859
40860 - hvcsd->open_count = 0;
40861 + local_set(&hvcsd->open_count, 0);
40862
40863 /* This will drop any buffered data on the floor which is OK in a hangup
40864 * scenario. */
40865 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
40866 * the middle of a write operation? This is a crummy place to do this
40867 * but we want to keep it all in the spinlock.
40868 */
40869 - if (hvcsd->open_count <= 0) {
40870 + if (local_read(&hvcsd->open_count) <= 0) {
40871 spin_unlock_irqrestore(&hvcsd->lock, flags);
40872 return -ENODEV;
40873 }
40874 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
40875 {
40876 struct hvcs_struct *hvcsd = tty->driver_data;
40877
40878 - if (!hvcsd || hvcsd->open_count <= 0)
40879 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
40880 return 0;
40881
40882 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
40883 diff -urNp linux-2.6.39.2/drivers/tty/hvc/hvc_xen.c linux-2.6.39.2/drivers/tty/hvc/hvc_xen.c
40884 --- linux-2.6.39.2/drivers/tty/hvc/hvc_xen.c 2011-05-19 00:06:34.000000000 -0400
40885 +++ linux-2.6.39.2/drivers/tty/hvc/hvc_xen.c 2011-05-22 19:36:32.000000000 -0400
40886 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
40887 return recv;
40888 }
40889
40890 -static struct hv_ops domU_hvc_ops = {
40891 +static const struct hv_ops domU_hvc_ops = {
40892 .get_chars = domU_read_console,
40893 .put_chars = domU_write_console,
40894 .notifier_add = notifier_add_irq,
40895 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
40896 return len;
40897 }
40898
40899 -static struct hv_ops dom0_hvc_ops = {
40900 +static const struct hv_ops dom0_hvc_ops = {
40901 .get_chars = dom0_read_console,
40902 .put_chars = dom0_write_console,
40903 .notifier_add = notifier_add_irq,
40904 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
40905 static int __init xen_hvc_init(void)
40906 {
40907 struct hvc_struct *hp;
40908 - struct hv_ops *ops;
40909 + const struct hv_ops *ops;
40910
40911 if (!xen_pv_domain())
40912 return -ENODEV;
40913 @@ -205,7 +205,7 @@ static void __exit xen_hvc_fini(void)
40914
40915 static int xen_cons_init(void)
40916 {
40917 - struct hv_ops *ops;
40918 + const struct hv_ops *ops;
40919
40920 if (!xen_pv_domain())
40921 return 0;
40922 diff -urNp linux-2.6.39.2/drivers/tty/ipwireless/tty.c linux-2.6.39.2/drivers/tty/ipwireless/tty.c
40923 --- linux-2.6.39.2/drivers/tty/ipwireless/tty.c 2011-05-19 00:06:34.000000000 -0400
40924 +++ linux-2.6.39.2/drivers/tty/ipwireless/tty.c 2011-05-22 19:36:32.000000000 -0400
40925 @@ -29,6 +29,7 @@
40926 #include <linux/tty_driver.h>
40927 #include <linux/tty_flip.h>
40928 #include <linux/uaccess.h>
40929 +#include <asm/local.h>
40930
40931 #include "tty.h"
40932 #include "network.h"
40933 @@ -51,7 +52,7 @@ struct ipw_tty {
40934 int tty_type;
40935 struct ipw_network *network;
40936 struct tty_struct *linux_tty;
40937 - int open_count;
40938 + local_t open_count;
40939 unsigned int control_lines;
40940 struct mutex ipw_tty_mutex;
40941 int tx_bytes_queued;
40942 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
40943 mutex_unlock(&tty->ipw_tty_mutex);
40944 return -ENODEV;
40945 }
40946 - if (tty->open_count == 0)
40947 + if (local_read(&tty->open_count) == 0)
40948 tty->tx_bytes_queued = 0;
40949
40950 - tty->open_count++;
40951 + local_inc(&tty->open_count);
40952
40953 tty->linux_tty = linux_tty;
40954 linux_tty->driver_data = tty;
40955 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
40956
40957 static void do_ipw_close(struct ipw_tty *tty)
40958 {
40959 - tty->open_count--;
40960 -
40961 - if (tty->open_count == 0) {
40962 + if (local_dec_return(&tty->open_count) == 0) {
40963 struct tty_struct *linux_tty = tty->linux_tty;
40964
40965 if (linux_tty != NULL) {
40966 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
40967 return;
40968
40969 mutex_lock(&tty->ipw_tty_mutex);
40970 - if (tty->open_count == 0) {
40971 + if (local_read(&tty->open_count) == 0) {
40972 mutex_unlock(&tty->ipw_tty_mutex);
40973 return;
40974 }
40975 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
40976 return;
40977 }
40978
40979 - if (!tty->open_count) {
40980 + if (!local_read(&tty->open_count)) {
40981 mutex_unlock(&tty->ipw_tty_mutex);
40982 return;
40983 }
40984 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
40985 return -ENODEV;
40986
40987 mutex_lock(&tty->ipw_tty_mutex);
40988 - if (!tty->open_count) {
40989 + if (!local_read(&tty->open_count)) {
40990 mutex_unlock(&tty->ipw_tty_mutex);
40991 return -EINVAL;
40992 }
40993 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
40994 if (!tty)
40995 return -ENODEV;
40996
40997 - if (!tty->open_count)
40998 + if (!local_read(&tty->open_count))
40999 return -EINVAL;
41000
41001 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
41002 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
41003 if (!tty)
41004 return 0;
41005
41006 - if (!tty->open_count)
41007 + if (!local_read(&tty->open_count))
41008 return 0;
41009
41010 return tty->tx_bytes_queued;
41011 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
41012 if (!tty)
41013 return -ENODEV;
41014
41015 - if (!tty->open_count)
41016 + if (!local_read(&tty->open_count))
41017 return -EINVAL;
41018
41019 return get_control_lines(tty);
41020 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
41021 if (!tty)
41022 return -ENODEV;
41023
41024 - if (!tty->open_count)
41025 + if (!local_read(&tty->open_count))
41026 return -EINVAL;
41027
41028 return set_control_lines(tty, set, clear);
41029 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
41030 if (!tty)
41031 return -ENODEV;
41032
41033 - if (!tty->open_count)
41034 + if (!local_read(&tty->open_count))
41035 return -EINVAL;
41036
41037 /* FIXME: Exactly how is the tty object locked here .. */
41038 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
41039 against a parallel ioctl etc */
41040 mutex_lock(&ttyj->ipw_tty_mutex);
41041 }
41042 - while (ttyj->open_count)
41043 + while (local_read(&ttyj->open_count))
41044 do_ipw_close(ttyj);
41045 ipwireless_disassociate_network_ttys(network,
41046 ttyj->channel_idx);
41047 diff -urNp linux-2.6.39.2/drivers/tty/mxser.c linux-2.6.39.2/drivers/tty/mxser.c
41048 --- linux-2.6.39.2/drivers/tty/mxser.c 2011-05-19 00:06:34.000000000 -0400
41049 +++ linux-2.6.39.2/drivers/tty/mxser.c 2011-05-22 19:36:32.000000000 -0400
41050 @@ -2340,7 +2340,7 @@ static const struct tty_operations mxser
41051 .get_icount = mxser_get_icount,
41052 };
41053
41054 -struct tty_port_operations mxser_port_ops = {
41055 +const struct tty_port_operations mxser_port_ops = {
41056 .carrier_raised = mxser_carrier_raised,
41057 .dtr_rts = mxser_dtr_rts,
41058 .activate = mxser_activate,
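Review bot: `mxser_port_ops` gains `const` but keeps external linkage; if nothing outside mxser.c refers to it (no extern declaration is visible here), `static const struct tty_port_operations mxser_port_ops = {` would keep it out of the global namespace, like the `static const struct tty_operations` table named in the hunk header. The same applies to the non-static tables in the later hunks: `sport_uart_ops` (bfin_sport_uart.c), `serial_hsu_pops` (mfd.c), `serial_m3110_ops` (mrst_max3110.c) and `serial_pxa_pops` (pxa.c). Where a header does declare one of them, that declaration has to carry `const` as well, or the build fails on conflicting types.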
41059 diff -urNp linux-2.6.39.2/drivers/tty/n_gsm.c linux-2.6.39.2/drivers/tty/n_gsm.c
41060 --- linux-2.6.39.2/drivers/tty/n_gsm.c 2011-05-19 00:06:34.000000000 -0400
41061 +++ linux-2.6.39.2/drivers/tty/n_gsm.c 2011-05-22 19:36:32.000000000 -0400
41062 @@ -1588,7 +1588,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
41063 return NULL;
41064 spin_lock_init(&dlci->lock);
41065 dlci->fifo = &dlci->_fifo;
41066 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
41067 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
41068 kfree(dlci);
41069 return NULL;
41070 }
41071 diff -urNp linux-2.6.39.2/drivers/tty/n_tty.c linux-2.6.39.2/drivers/tty/n_tty.c
41072 --- linux-2.6.39.2/drivers/tty/n_tty.c 2011-05-19 00:06:34.000000000 -0400
41073 +++ linux-2.6.39.2/drivers/tty/n_tty.c 2011-05-22 19:36:32.000000000 -0400
41074 @@ -2122,6 +2122,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
41075 {
41076 *ops = tty_ldisc_N_TTY;
41077 ops->owner = NULL;
41078 - ops->refcount = ops->flags = 0;
41079 + atomic_set(&ops->refcount, 0);
41080 + ops->flags = 0;
41081 }
41082 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
41083 diff -urNp linux-2.6.39.2/drivers/tty/pty.c linux-2.6.39.2/drivers/tty/pty.c
41084 --- linux-2.6.39.2/drivers/tty/pty.c 2011-05-19 00:06:34.000000000 -0400
41085 +++ linux-2.6.39.2/drivers/tty/pty.c 2011-05-22 19:36:32.000000000 -0400
41086 @@ -699,7 +699,18 @@ out:
41087 return retval;
41088 }
41089
41090 -static struct file_operations ptmx_fops;
41091 +static const struct file_operations ptmx_fops = {
41092 + .llseek = no_llseek,
41093 + .read = tty_read,
41094 + .write = tty_write,
41095 + .poll = tty_poll,
41096 + .unlocked_ioctl = tty_ioctl,
41097 + .compat_ioctl = tty_compat_ioctl,
41098 + .open = ptmx_open,
41099 + .release = tty_release,
41100 + .fasync = tty_fasync,
41101 +};
41102 +
41103
41104 static void __init unix98_pty_init(void)
41105 {
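Review bot: The static initialiser for `ptmx_fops` copies by hand the handler list that `tty_default_fops()` used to fill in at init time, so it will silently diverge if the tty core's default table gains or changes a member. A comment above it would keep the two in step, e.g. `/* keep in sync with the default tty fops in tty_io.c; only .open differs (ptmx_open) */`. The initialiser also needs tty_read, tty_write, tty_poll, tty_ioctl, tty_compat_ioctl, tty_release and tty_fasync to be visible from pty.c, presumably including a definition of tty_compat_ioctl for builds without CONFIG_COMPAT; that part of the patch is not in this hunk and should be checked there. The extra blank `+` line after the closing brace leaves two blank lines before unix98_pty_init and can be dropped.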
41106 @@ -752,10 +763,6 @@ static void __init unix98_pty_init(void)
41107
41108 register_sysctl_table(pty_root_table);
41109
41110 - /* Now create the /dev/ptmx special device */
41111 - tty_default_fops(&ptmx_fops);
41112 - ptmx_fops.open = ptmx_open;
41113 -
41114 cdev_init(&ptmx_cdev, &ptmx_fops);
41115 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
41116 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
41117 diff -urNp linux-2.6.39.2/drivers/tty/rocket.c linux-2.6.39.2/drivers/tty/rocket.c
41118 --- linux-2.6.39.2/drivers/tty/rocket.c 2011-05-19 00:06:34.000000000 -0400
41119 +++ linux-2.6.39.2/drivers/tty/rocket.c 2011-05-22 19:36:32.000000000 -0400
41120 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
41121 struct rocket_ports tmp;
41122 int board;
41123
41124 + pax_track_stack();
41125 +
41126 if (!retports)
41127 return -EFAULT;
41128 memset(&tmp, 0, sizeof (tmp));
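Review bot: The added `pax_track_stack();` in get_ports has no comment saying why this function needs it; from the hunk the likely reason is the on-stack `struct rocket_ports tmp`. A one-line comment such as `/* large on-stack struct rocket_ports: record stack usage for PaX */` would tell a maintainer when the call can be removed. The same applies to max3110_con_receive in mrst_max3110.c, where the call sits after `u8 recv_buf[512]`. Both function bodies continue outside their hunks.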
41129 diff -urNp linux-2.6.39.2/drivers/tty/serial/21285.c linux-2.6.39.2/drivers/tty/serial/21285.c
41130 --- linux-2.6.39.2/drivers/tty/serial/21285.c 2011-05-19 00:06:34.000000000 -0400
41131 +++ linux-2.6.39.2/drivers/tty/serial/21285.c 2011-05-22 19:36:32.000000000 -0400
41132 @@ -340,7 +340,7 @@ static int serial21285_verify_port(struc
41133 return ret;
41134 }
41135
41136 -static struct uart_ops serial21285_ops = {
41137 +static const struct uart_ops serial21285_ops = {
41138 .tx_empty = serial21285_tx_empty,
41139 .get_mctrl = serial21285_get_mctrl,
41140 .set_mctrl = serial21285_set_mctrl,
41141 diff -urNp linux-2.6.39.2/drivers/tty/serial/8250.c linux-2.6.39.2/drivers/tty/serial/8250.c
41142 --- linux-2.6.39.2/drivers/tty/serial/8250.c 2011-05-19 00:06:34.000000000 -0400
41143 +++ linux-2.6.39.2/drivers/tty/serial/8250.c 2011-05-22 19:36:32.000000000 -0400
41144 @@ -2708,7 +2708,7 @@ serial8250_type(struct uart_port *port)
41145 return uart_config[type].name;
41146 }
41147
41148 -static struct uart_ops serial8250_pops = {
41149 +static const struct uart_ops serial8250_pops = {
41150 .tx_empty = serial8250_tx_empty,
41151 .set_mctrl = serial8250_set_mctrl,
41152 .get_mctrl = serial8250_get_mctrl,
41153 diff -urNp linux-2.6.39.2/drivers/tty/serial/altera_jtaguart.c linux-2.6.39.2/drivers/tty/serial/altera_jtaguart.c
41154 --- linux-2.6.39.2/drivers/tty/serial/altera_jtaguart.c 2011-05-19 00:06:34.000000000 -0400
41155 +++ linux-2.6.39.2/drivers/tty/serial/altera_jtaguart.c 2011-05-22 19:36:32.000000000 -0400
41156 @@ -281,7 +281,7 @@ static int altera_jtaguart_verify_port(s
41157 /*
41158 * Define the basic serial functions we support.
41159 */
41160 -static struct uart_ops altera_jtaguart_ops = {
41161 +static const struct uart_ops altera_jtaguart_ops = {
41162 .tx_empty = altera_jtaguart_tx_empty,
41163 .get_mctrl = altera_jtaguart_get_mctrl,
41164 .set_mctrl = altera_jtaguart_set_mctrl,
41165 diff -urNp linux-2.6.39.2/drivers/tty/serial/altera_uart.c linux-2.6.39.2/drivers/tty/serial/altera_uart.c
41166 --- linux-2.6.39.2/drivers/tty/serial/altera_uart.c 2011-05-19 00:06:34.000000000 -0400
41167 +++ linux-2.6.39.2/drivers/tty/serial/altera_uart.c 2011-05-22 19:36:32.000000000 -0400
41168 @@ -380,7 +380,7 @@ static int altera_uart_verify_port(struc
41169 /*
41170 * Define the basic serial functions we support.
41171 */
41172 -static struct uart_ops altera_uart_ops = {
41173 +static const struct uart_ops altera_uart_ops = {
41174 .tx_empty = altera_uart_tx_empty,
41175 .get_mctrl = altera_uart_get_mctrl,
41176 .set_mctrl = altera_uart_set_mctrl,
41177 diff -urNp linux-2.6.39.2/drivers/tty/serial/amba-pl010.c linux-2.6.39.2/drivers/tty/serial/amba-pl010.c
41178 --- linux-2.6.39.2/drivers/tty/serial/amba-pl010.c 2011-05-19 00:06:34.000000000 -0400
41179 +++ linux-2.6.39.2/drivers/tty/serial/amba-pl010.c 2011-05-22 19:36:32.000000000 -0400
41180 @@ -529,7 +529,7 @@ static int pl010_verify_port(struct uart
41181 return ret;
41182 }
41183
41184 -static struct uart_ops amba_pl010_pops = {
41185 +static const struct uart_ops amba_pl010_pops = {
41186 .tx_empty = pl010_tx_empty,
41187 .set_mctrl = pl010_set_mctrl,
41188 .get_mctrl = pl010_get_mctrl,
41189 diff -urNp linux-2.6.39.2/drivers/tty/serial/amba-pl011.c linux-2.6.39.2/drivers/tty/serial/amba-pl011.c
41190 --- linux-2.6.39.2/drivers/tty/serial/amba-pl011.c 2011-05-19 00:06:34.000000000 -0400
41191 +++ linux-2.6.39.2/drivers/tty/serial/amba-pl011.c 2011-05-22 19:36:32.000000000 -0400
41192 @@ -1581,7 +1581,7 @@ static int pl010_verify_port(struct uart
41193 return ret;
41194 }
41195
41196 -static struct uart_ops amba_pl011_pops = {
41197 +static const struct uart_ops amba_pl011_pops = {
41198 .tx_empty = pl01x_tx_empty,
41199 .set_mctrl = pl011_set_mctrl,
41200 .get_mctrl = pl01x_get_mctrl,
41201 diff -urNp linux-2.6.39.2/drivers/tty/serial/apbuart.c linux-2.6.39.2/drivers/tty/serial/apbuart.c
41202 --- linux-2.6.39.2/drivers/tty/serial/apbuart.c 2011-05-19 00:06:34.000000000 -0400
41203 +++ linux-2.6.39.2/drivers/tty/serial/apbuart.c 2011-05-22 19:36:32.000000000 -0400
41204 @@ -328,7 +328,7 @@ static int apbuart_verify_port(struct ua
41205 return ret;
41206 }
41207
41208 -static struct uart_ops grlib_apbuart_ops = {
41209 +static const struct uart_ops grlib_apbuart_ops = {
41210 .tx_empty = apbuart_tx_empty,
41211 .set_mctrl = apbuart_set_mctrl,
41212 .get_mctrl = apbuart_get_mctrl,
41213 diff -urNp linux-2.6.39.2/drivers/tty/serial/atmel_serial.c linux-2.6.39.2/drivers/tty/serial/atmel_serial.c
41214 --- linux-2.6.39.2/drivers/tty/serial/atmel_serial.c 2011-05-19 00:06:34.000000000 -0400
41215 +++ linux-2.6.39.2/drivers/tty/serial/atmel_serial.c 2011-05-22 19:36:32.000000000 -0400
41216 @@ -1382,7 +1382,7 @@ atmel_ioctl(struct uart_port *port, unsi
41217
41218
41219
41220 -static struct uart_ops atmel_pops = {
41221 +static const struct uart_ops atmel_pops = {
41222 .tx_empty = atmel_tx_empty,
41223 .set_mctrl = atmel_set_mctrl,
41224 .get_mctrl = atmel_get_mctrl,
41225 diff -urNp linux-2.6.39.2/drivers/tty/serial/bcm63xx_uart.c linux-2.6.39.2/drivers/tty/serial/bcm63xx_uart.c
41226 --- linux-2.6.39.2/drivers/tty/serial/bcm63xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41227 +++ linux-2.6.39.2/drivers/tty/serial/bcm63xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41228 @@ -636,7 +636,7 @@ static int bcm_uart_verify_port(struct u
41229 }
41230
41231 /* serial core callbacks */
41232 -static struct uart_ops bcm_uart_ops = {
41233 +static const struct uart_ops bcm_uart_ops = {
41234 .tx_empty = bcm_uart_tx_empty,
41235 .get_mctrl = bcm_uart_get_mctrl,
41236 .set_mctrl = bcm_uart_set_mctrl,
41237 diff -urNp linux-2.6.39.2/drivers/tty/serial/bfin_5xx.c linux-2.6.39.2/drivers/tty/serial/bfin_5xx.c
41238 --- linux-2.6.39.2/drivers/tty/serial/bfin_5xx.c 2011-05-19 00:06:34.000000000 -0400
41239 +++ linux-2.6.39.2/drivers/tty/serial/bfin_5xx.c 2011-05-22 19:36:32.000000000 -0400
41240 @@ -1036,7 +1036,7 @@ static int bfin_kgdboc_port_startup(stru
41241 }
41242 #endif
41243
41244 -static struct uart_ops bfin_serial_pops = {
41245 +static const struct uart_ops bfin_serial_pops = {
41246 .tx_empty = bfin_serial_tx_empty,
41247 .set_mctrl = bfin_serial_set_mctrl,
41248 .get_mctrl = bfin_serial_get_mctrl,
41249 diff -urNp linux-2.6.39.2/drivers/tty/serial/bfin_sport_uart.c linux-2.6.39.2/drivers/tty/serial/bfin_sport_uart.c
41250 --- linux-2.6.39.2/drivers/tty/serial/bfin_sport_uart.c 2011-05-19 00:06:34.000000000 -0400
41251 +++ linux-2.6.39.2/drivers/tty/serial/bfin_sport_uart.c 2011-05-22 19:36:32.000000000 -0400
41252 @@ -571,7 +571,7 @@ static void sport_set_termios(struct uar
41253 spin_unlock_irqrestore(&up->port.lock, flags);
41254 }
41255
41256 -struct uart_ops sport_uart_ops = {
41257 +const struct uart_ops sport_uart_ops = {
41258 .tx_empty = sport_tx_empty,
41259 .set_mctrl = sport_set_mctrl,
41260 .get_mctrl = sport_get_mctrl,
41261 diff -urNp linux-2.6.39.2/drivers/tty/serial/clps711x.c linux-2.6.39.2/drivers/tty/serial/clps711x.c
41262 --- linux-2.6.39.2/drivers/tty/serial/clps711x.c 2011-05-19 00:06:34.000000000 -0400
41263 +++ linux-2.6.39.2/drivers/tty/serial/clps711x.c 2011-05-22 19:36:32.000000000 -0400
41264 @@ -380,7 +380,7 @@ static int clps711xuart_request_port(str
41265 return 0;
41266 }
41267
41268 -static struct uart_ops clps711x_pops = {
41269 +static const struct uart_ops clps711x_pops = {
41270 .tx_empty = clps711xuart_tx_empty,
41271 .set_mctrl = clps711xuart_set_mctrl_null,
41272 .get_mctrl = clps711xuart_get_mctrl,
41273 diff -urNp linux-2.6.39.2/drivers/tty/serial/cpm_uart/cpm_uart_core.c linux-2.6.39.2/drivers/tty/serial/cpm_uart/cpm_uart_core.c
41274 --- linux-2.6.39.2/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-19 00:06:34.000000000 -0400
41275 +++ linux-2.6.39.2/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-22 19:36:32.000000000 -0400
41276 @@ -1099,7 +1099,7 @@ static void cpm_put_poll_char(struct uar
41277 }
41278 #endif /* CONFIG_CONSOLE_POLL */
41279
41280 -static struct uart_ops cpm_uart_pops = {
41281 +static const struct uart_ops cpm_uart_pops = {
41282 .tx_empty = cpm_uart_tx_empty,
41283 .set_mctrl = cpm_uart_set_mctrl,
41284 .get_mctrl = cpm_uart_get_mctrl,
41285 diff -urNp linux-2.6.39.2/drivers/tty/serial/dz.c linux-2.6.39.2/drivers/tty/serial/dz.c
41286 --- linux-2.6.39.2/drivers/tty/serial/dz.c 2011-05-19 00:06:34.000000000 -0400
41287 +++ linux-2.6.39.2/drivers/tty/serial/dz.c 2011-05-22 19:36:32.000000000 -0400
41288 @@ -746,7 +746,7 @@ static int dz_verify_port(struct uart_po
41289 return ret;
41290 }
41291
41292 -static struct uart_ops dz_ops = {
41293 +static const struct uart_ops dz_ops = {
41294 .tx_empty = dz_tx_empty,
41295 .get_mctrl = dz_get_mctrl,
41296 .set_mctrl = dz_set_mctrl,
41297 diff -urNp linux-2.6.39.2/drivers/tty/serial/imx.c linux-2.6.39.2/drivers/tty/serial/imx.c
41298 --- linux-2.6.39.2/drivers/tty/serial/imx.c 2011-05-19 00:06:34.000000000 -0400
41299 +++ linux-2.6.39.2/drivers/tty/serial/imx.c 2011-05-22 19:36:32.000000000 -0400
41300 @@ -1018,7 +1018,7 @@ imx_verify_port(struct uart_port *port,
41301 return ret;
41302 }
41303
41304 -static struct uart_ops imx_pops = {
41305 +static const struct uart_ops imx_pops = {
41306 .tx_empty = imx_tx_empty,
41307 .set_mctrl = imx_set_mctrl,
41308 .get_mctrl = imx_get_mctrl,
41309 diff -urNp linux-2.6.39.2/drivers/tty/serial/ioc3_serial.c linux-2.6.39.2/drivers/tty/serial/ioc3_serial.c
41310 --- linux-2.6.39.2/drivers/tty/serial/ioc3_serial.c 2011-05-19 00:06:34.000000000 -0400
41311 +++ linux-2.6.39.2/drivers/tty/serial/ioc3_serial.c 2011-05-22 19:36:32.000000000 -0400
41312 @@ -1874,7 +1874,7 @@ static int ic3_request_port(struct uart_
41313 }
41314
41315 /* Associate the uart functions above - given to serial core */
41316 -static struct uart_ops ioc3_ops = {
41317 +static const struct uart_ops ioc3_ops = {
41318 .tx_empty = ic3_tx_empty,
41319 .set_mctrl = ic3_set_mctrl,
41320 .get_mctrl = ic3_get_mctrl,
41321 diff -urNp linux-2.6.39.2/drivers/tty/serial/ioc4_serial.c linux-2.6.39.2/drivers/tty/serial/ioc4_serial.c
41322 --- linux-2.6.39.2/drivers/tty/serial/ioc4_serial.c 2011-05-19 00:06:34.000000000 -0400
41323 +++ linux-2.6.39.2/drivers/tty/serial/ioc4_serial.c 2011-05-22 19:36:32.000000000 -0400
41324 @@ -2593,7 +2593,7 @@ static int ic4_request_port(struct uart_
41325
41326 /* Associate the uart functions above - given to serial core */
41327
41328 -static struct uart_ops ioc4_ops = {
41329 +static const struct uart_ops ioc4_ops = {
41330 .tx_empty = ic4_tx_empty,
41331 .set_mctrl = ic4_set_mctrl,
41332 .get_mctrl = ic4_get_mctrl,
41333 diff -urNp linux-2.6.39.2/drivers/tty/serial/ip22zilog.c linux-2.6.39.2/drivers/tty/serial/ip22zilog.c
41334 --- linux-2.6.39.2/drivers/tty/serial/ip22zilog.c 2011-05-19 00:06:34.000000000 -0400
41335 +++ linux-2.6.39.2/drivers/tty/serial/ip22zilog.c 2011-05-22 19:36:32.000000000 -0400
41336 @@ -928,7 +928,7 @@ static int ip22zilog_verify_port(struct
41337 return -EINVAL;
41338 }
41339
41340 -static struct uart_ops ip22zilog_pops = {
41341 +static const struct uart_ops ip22zilog_pops = {
41342 .tx_empty = ip22zilog_tx_empty,
41343 .set_mctrl = ip22zilog_set_mctrl,
41344 .get_mctrl = ip22zilog_get_mctrl,
41345 diff -urNp linux-2.6.39.2/drivers/tty/serial/kgdboc.c linux-2.6.39.2/drivers/tty/serial/kgdboc.c
41346 --- linux-2.6.39.2/drivers/tty/serial/kgdboc.c 2011-05-19 00:06:34.000000000 -0400
41347 +++ linux-2.6.39.2/drivers/tty/serial/kgdboc.c 2011-05-22 19:36:32.000000000 -0400
41348 @@ -22,7 +22,7 @@
41349
41350 #define MAX_CONFIG_LEN 40
41351
41352 -static struct kgdb_io kgdboc_io_ops;
41353 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
41354
41355 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
41356 static int configured = -1;
41357 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
41358 kgdboc_restore_input();
41359 }
41360
41361 -static struct kgdb_io kgdboc_io_ops = {
41362 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
41363 .name = "kgdboc",
41364 .read_char = kgdboc_get_char,
41365 .write_char = kgdboc_put_char,
41366 diff -urNp linux-2.6.39.2/drivers/tty/serial/m32r_sio.c linux-2.6.39.2/drivers/tty/serial/m32r_sio.c
41367 --- linux-2.6.39.2/drivers/tty/serial/m32r_sio.c 2011-05-19 00:06:34.000000000 -0400
41368 +++ linux-2.6.39.2/drivers/tty/serial/m32r_sio.c 2011-05-22 19:36:32.000000000 -0400
41369 @@ -939,7 +939,7 @@ m32r_sio_type(struct uart_port *port)
41370 return uart_config[type].name;
41371 }
41372
41373 -static struct uart_ops m32r_sio_pops = {
41374 +static const struct uart_ops m32r_sio_pops = {
41375 .tx_empty = m32r_sio_tx_empty,
41376 .set_mctrl = m32r_sio_set_mctrl,
41377 .get_mctrl = m32r_sio_get_mctrl,
41378 diff -urNp linux-2.6.39.2/drivers/tty/serial/max3100.c linux-2.6.39.2/drivers/tty/serial/max3100.c
41379 --- linux-2.6.39.2/drivers/tty/serial/max3100.c 2011-05-19 00:06:34.000000000 -0400
41380 +++ linux-2.6.39.2/drivers/tty/serial/max3100.c 2011-05-22 19:36:32.000000000 -0400
41381 @@ -710,7 +710,7 @@ static void max3100_break_ctl(struct uar
41382 dev_dbg(&s->spi->dev, "%s\n", __func__);
41383 }
41384
41385 -static struct uart_ops max3100_ops = {
41386 +static const struct uart_ops max3100_ops = {
41387 .tx_empty = max3100_tx_empty,
41388 .set_mctrl = max3100_set_mctrl,
41389 .get_mctrl = max3100_get_mctrl,
41390 diff -urNp linux-2.6.39.2/drivers/tty/serial/max3107.c linux-2.6.39.2/drivers/tty/serial/max3107.c
41391 --- linux-2.6.39.2/drivers/tty/serial/max3107.c 2011-05-19 00:06:34.000000000 -0400
41392 +++ linux-2.6.39.2/drivers/tty/serial/max3107.c 2011-05-22 19:36:32.000000000 -0400
41393 @@ -910,7 +910,7 @@ static void max3107_break_ctl(struct uar
41394
41395
41396 /* Port functions */
41397 -static struct uart_ops max3107_ops = {
41398 +static const struct uart_ops max3107_ops = {
41399 .tx_empty = max3107_tx_empty,
41400 .set_mctrl = max3107_set_mctrl,
41401 .get_mctrl = max3107_get_mctrl,
41402 diff -urNp linux-2.6.39.2/drivers/tty/serial/mfd.c linux-2.6.39.2/drivers/tty/serial/mfd.c
41403 --- linux-2.6.39.2/drivers/tty/serial/mfd.c 2011-05-19 00:06:34.000000000 -0400
41404 +++ linux-2.6.39.2/drivers/tty/serial/mfd.c 2011-05-22 19:36:32.000000000 -0400
41405 @@ -1178,7 +1178,7 @@ static struct console serial_hsu_console
41406 };
41407 #endif
41408
41409 -struct uart_ops serial_hsu_pops = {
41410 +const struct uart_ops serial_hsu_pops = {
41411 .tx_empty = serial_hsu_tx_empty,
41412 .set_mctrl = serial_hsu_set_mctrl,
41413 .get_mctrl = serial_hsu_get_mctrl,
41414 diff -urNp linux-2.6.39.2/drivers/tty/serial/mpc52xx_uart.c linux-2.6.39.2/drivers/tty/serial/mpc52xx_uart.c
41415 --- linux-2.6.39.2/drivers/tty/serial/mpc52xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41416 +++ linux-2.6.39.2/drivers/tty/serial/mpc52xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41417 @@ -283,7 +283,7 @@ static irqreturn_t mpc52xx_psc_handle_ir
41418 return mpc5xxx_uart_process_int(port);
41419 }
41420
41421 -static struct psc_ops mpc52xx_psc_ops = {
41422 +static const struct psc_ops mpc52xx_psc_ops = {
41423 .fifo_init = mpc52xx_psc_fifo_init,
41424 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41425 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41426 @@ -304,7 +304,7 @@ static struct psc_ops mpc52xx_psc_ops =
41427 .handle_irq = mpc52xx_psc_handle_irq,
41428 };
41429
41430 -static struct psc_ops mpc5200b_psc_ops = {
41431 +static const struct psc_ops mpc5200b_psc_ops = {
41432 .fifo_init = mpc52xx_psc_fifo_init,
41433 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41434 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41435 @@ -571,7 +571,7 @@ static void mpc512x_psc_get_irq(struct u
41436 port->irq = psc_fifoc_irq;
41437 }
41438
41439 -static struct psc_ops mpc512x_psc_ops = {
41440 +static const struct psc_ops mpc512x_psc_ops = {
41441 .fifo_init = mpc512x_psc_fifo_init,
41442 .raw_rx_rdy = mpc512x_psc_raw_rx_rdy,
41443 .raw_tx_rdy = mpc512x_psc_raw_tx_rdy,
41444 @@ -596,7 +596,7 @@ static struct psc_ops mpc512x_psc_ops =
41445 };
41446 #endif
41447
41448 -static struct psc_ops *psc_ops;
41449 +static const struct psc_ops *psc_ops;
41450
41451 /* ======================================================================== */
41452 /* UART operations */
41453 @@ -905,7 +905,7 @@ mpc52xx_uart_verify_port(struct uart_por
41454 }
41455
41456
41457 -static struct uart_ops mpc52xx_uart_ops = {
41458 +static const struct uart_ops mpc52xx_uart_ops = {
41459 .tx_empty = mpc52xx_uart_tx_empty,
41460 .set_mctrl = mpc52xx_uart_set_mctrl,
41461 .get_mctrl = mpc52xx_uart_get_mctrl,
41462 diff -urNp linux-2.6.39.2/drivers/tty/serial/mpsc.c linux-2.6.39.2/drivers/tty/serial/mpsc.c
41463 --- linux-2.6.39.2/drivers/tty/serial/mpsc.c 2011-05-19 00:06:34.000000000 -0400
41464 +++ linux-2.6.39.2/drivers/tty/serial/mpsc.c 2011-05-22 19:36:32.000000000 -0400
41465 @@ -1663,7 +1663,7 @@ static void mpsc_put_poll_char(struct ua
41466 }
41467 #endif
41468
41469 -static struct uart_ops mpsc_pops = {
41470 +static const struct uart_ops mpsc_pops = {
41471 .tx_empty = mpsc_tx_empty,
41472 .set_mctrl = mpsc_set_mctrl,
41473 .get_mctrl = mpsc_get_mctrl,
41474 diff -urNp linux-2.6.39.2/drivers/tty/serial/mrst_max3110.c linux-2.6.39.2/drivers/tty/serial/mrst_max3110.c
41475 --- linux-2.6.39.2/drivers/tty/serial/mrst_max3110.c 2011-05-19 00:06:34.000000000 -0400
41476 +++ linux-2.6.39.2/drivers/tty/serial/mrst_max3110.c 2011-05-22 19:36:32.000000000 -0400
41477 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
41478 int loop = 1, num, total = 0;
41479 u8 recv_buf[512], *pbuf;
41480
41481 + pax_track_stack();
41482 +
41483 pbuf = recv_buf;
41484 do {
41485 num = max3110_read_multi(max, pbuf);
41486 @@ -726,7 +728,7 @@ static void serial_m3110_enable_ms(struc
41487 {
41488 }
41489
41490 -struct uart_ops serial_m3110_ops = {
41491 +const struct uart_ops serial_m3110_ops = {
41492 .tx_empty = serial_m3110_tx_empty,
41493 .set_mctrl = serial_m3110_set_mctrl,
41494 .get_mctrl = serial_m3110_get_mctrl,
41495 diff -urNp linux-2.6.39.2/drivers/tty/serial/msm_serial.c linux-2.6.39.2/drivers/tty/serial/msm_serial.c
41496 --- linux-2.6.39.2/drivers/tty/serial/msm_serial.c 2011-05-19 00:06:34.000000000 -0400
41497 +++ linux-2.6.39.2/drivers/tty/serial/msm_serial.c 2011-05-22 19:36:32.000000000 -0400
41498 @@ -702,7 +702,7 @@ static void msm_power(struct uart_port *
41499 }
41500 }
41501
41502 -static struct uart_ops msm_uart_pops = {
41503 +static const struct uart_ops msm_uart_pops = {
41504 .tx_empty = msm_tx_empty,
41505 .set_mctrl = msm_set_mctrl,
41506 .get_mctrl = msm_get_mctrl,
41507 diff -urNp linux-2.6.39.2/drivers/tty/serial/msm_serial_hs.c linux-2.6.39.2/drivers/tty/serial/msm_serial_hs.c
41508 --- linux-2.6.39.2/drivers/tty/serial/msm_serial_hs.c 2011-05-19 00:06:34.000000000 -0400
41509 +++ linux-2.6.39.2/drivers/tty/serial/msm_serial_hs.c 2011-05-22 19:36:32.000000000 -0400
41510 @@ -360,7 +360,7 @@ struct msm_hs_port {
41511 static struct msm_hs_port q_uart_port[UARTDM_NR];
41512 static struct platform_driver msm_serial_hs_platform_driver;
41513 static struct uart_driver msm_hs_driver;
41514 -static struct uart_ops msm_hs_ops;
41515 +static const struct uart_ops msm_hs_ops;
41516 static struct workqueue_struct *msm_hs_workqueue;
41517
41518 #define UARTDM_TO_MSM(uart_port) \
41519 @@ -1856,7 +1856,7 @@ static struct uart_driver msm_hs_driver
41520 .cons = 0,
41521 };
41522
41523 -static struct uart_ops msm_hs_ops = {
41524 +static const struct uart_ops msm_hs_ops = {
41525 .tx_empty = msm_hs_tx_empty,
41526 .set_mctrl = msm_hs_set_mctrl_locked,
41527 .get_mctrl = msm_hs_get_mctrl_locked,
41528 diff -urNp linux-2.6.39.2/drivers/tty/serial/mux.c linux-2.6.39.2/drivers/tty/serial/mux.c
41529 --- linux-2.6.39.2/drivers/tty/serial/mux.c 2011-05-19 00:06:34.000000000 -0400
41530 +++ linux-2.6.39.2/drivers/tty/serial/mux.c 2011-05-22 19:36:32.000000000 -0400
41531 @@ -442,7 +442,7 @@ static struct console mux_console = {
41532 #define MUX_CONSOLE NULL
41533 #endif
41534
41535 -static struct uart_ops mux_pops = {
41536 +static const struct uart_ops mux_pops = {
41537 .tx_empty = mux_tx_empty,
41538 .set_mctrl = mux_set_mctrl,
41539 .get_mctrl = mux_get_mctrl,
41540 diff -urNp linux-2.6.39.2/drivers/tty/serial/mxs-auart.c linux-2.6.39.2/drivers/tty/serial/mxs-auart.c
41541 --- linux-2.6.39.2/drivers/tty/serial/mxs-auart.c 2011-05-19 00:06:34.000000000 -0400
41542 +++ linux-2.6.39.2/drivers/tty/serial/mxs-auart.c 2011-05-22 19:36:32.000000000 -0400
41543 @@ -499,7 +499,7 @@ static void mxs_auart_enable_ms(struct u
41544 /* just empty */
41545 }
41546
41547 -static struct uart_ops mxs_auart_ops = {
41548 +static const struct uart_ops mxs_auart_ops = {
41549 .tx_empty = mxs_auart_tx_empty,
41550 .start_tx = mxs_auart_start_tx,
41551 .stop_tx = mxs_auart_stop_tx,
41552 diff -urNp linux-2.6.39.2/drivers/tty/serial/netx-serial.c linux-2.6.39.2/drivers/tty/serial/netx-serial.c
41553 --- linux-2.6.39.2/drivers/tty/serial/netx-serial.c 2011-05-19 00:06:34.000000000 -0400
41554 +++ linux-2.6.39.2/drivers/tty/serial/netx-serial.c 2011-05-22 19:36:32.000000000 -0400
41555 @@ -464,7 +464,7 @@ netx_verify_port(struct uart_port *port,
41556 return ret;
41557 }
41558
41559 -static struct uart_ops netx_pops = {
41560 +static const struct uart_ops netx_pops = {
41561 .tx_empty = netx_tx_empty,
41562 .set_mctrl = netx_set_mctrl,
41563 .get_mctrl = netx_get_mctrl,
41564 diff -urNp linux-2.6.39.2/drivers/tty/serial/nwpserial.c linux-2.6.39.2/drivers/tty/serial/nwpserial.c
41565 --- linux-2.6.39.2/drivers/tty/serial/nwpserial.c 2011-05-19 00:06:34.000000000 -0400
41566 +++ linux-2.6.39.2/drivers/tty/serial/nwpserial.c 2011-05-22 19:36:32.000000000 -0400
41567 @@ -303,7 +303,7 @@ static unsigned int nwpserial_tx_empty(s
41568 return ret & UART_LSR_TEMT ? TIOCSER_TEMT : 0;
41569 }
41570
41571 -static struct uart_ops nwpserial_pops = {
41572 +static const struct uart_ops nwpserial_pops = {
41573 .tx_empty = nwpserial_tx_empty,
41574 .set_mctrl = nwpserial_set_mctrl,
41575 .get_mctrl = nwpserial_get_mctrl,
41576 diff -urNp linux-2.6.39.2/drivers/tty/serial/omap-serial.c linux-2.6.39.2/drivers/tty/serial/omap-serial.c
41577 --- linux-2.6.39.2/drivers/tty/serial/omap-serial.c 2011-05-19 00:06:34.000000000 -0400
41578 +++ linux-2.6.39.2/drivers/tty/serial/omap-serial.c 2011-05-22 19:36:32.000000000 -0400
41579 @@ -1029,7 +1029,7 @@ static inline void serial_omap_add_conso
41580
41581 #endif
41582
41583 -static struct uart_ops serial_omap_pops = {
41584 +static const struct uart_ops serial_omap_pops = {
41585 .tx_empty = serial_omap_tx_empty,
41586 .set_mctrl = serial_omap_set_mctrl,
41587 .get_mctrl = serial_omap_get_mctrl,
41588 diff -urNp linux-2.6.39.2/drivers/tty/serial/pch_uart.c linux-2.6.39.2/drivers/tty/serial/pch_uart.c
41589 --- linux-2.6.39.2/drivers/tty/serial/pch_uart.c 2011-05-19 00:06:34.000000000 -0400
41590 +++ linux-2.6.39.2/drivers/tty/serial/pch_uart.c 2011-05-22 19:36:32.000000000 -0400
41591 @@ -1351,7 +1351,7 @@ static int pch_uart_verify_port(struct u
41592 return 0;
41593 }
41594
41595 -static struct uart_ops pch_uart_ops = {
41596 +static const struct uart_ops pch_uart_ops = {
41597 .tx_empty = pch_uart_tx_empty,
41598 .set_mctrl = pch_uart_set_mctrl,
41599 .get_mctrl = pch_uart_get_mctrl,
41600 diff -urNp linux-2.6.39.2/drivers/tty/serial/pmac_zilog.c linux-2.6.39.2/drivers/tty/serial/pmac_zilog.c
41601 --- linux-2.6.39.2/drivers/tty/serial/pmac_zilog.c 2011-05-19 00:06:34.000000000 -0400
41602 +++ linux-2.6.39.2/drivers/tty/serial/pmac_zilog.c 2011-05-22 19:36:32.000000000 -0400
41603 @@ -1427,7 +1427,7 @@ static void pmz_poll_put_char(struct uar
41604
41605 #endif /* CONFIG_CONSOLE_POLL */
41606
41607 -static struct uart_ops pmz_pops = {
41608 +static const struct uart_ops pmz_pops = {
41609 .tx_empty = pmz_tx_empty,
41610 .set_mctrl = pmz_set_mctrl,
41611 .get_mctrl = pmz_get_mctrl,
41612 diff -urNp linux-2.6.39.2/drivers/tty/serial/pnx8xxx_uart.c linux-2.6.39.2/drivers/tty/serial/pnx8xxx_uart.c
41613 --- linux-2.6.39.2/drivers/tty/serial/pnx8xxx_uart.c 2011-05-19 00:06:34.000000000 -0400
41614 +++ linux-2.6.39.2/drivers/tty/serial/pnx8xxx_uart.c 2011-05-22 19:36:32.000000000 -0400
41615 @@ -614,7 +614,7 @@ pnx8xxx_verify_port(struct uart_port *po
41616 return ret;
41617 }
41618
41619 -static struct uart_ops pnx8xxx_pops = {
41620 +static const struct uart_ops pnx8xxx_pops = {
41621 .tx_empty = pnx8xxx_tx_empty,
41622 .set_mctrl = pnx8xxx_set_mctrl,
41623 .get_mctrl = pnx8xxx_get_mctrl,
41624 diff -urNp linux-2.6.39.2/drivers/tty/serial/pxa.c linux-2.6.39.2/drivers/tty/serial/pxa.c
41625 --- linux-2.6.39.2/drivers/tty/serial/pxa.c 2011-05-19 00:06:34.000000000 -0400
41626 +++ linux-2.6.39.2/drivers/tty/serial/pxa.c 2011-05-22 19:36:32.000000000 -0400
41627 @@ -706,7 +706,7 @@ static struct console serial_pxa_console
41628 #define PXA_CONSOLE NULL
41629 #endif
41630
41631 -struct uart_ops serial_pxa_pops = {
41632 +const struct uart_ops serial_pxa_pops = {
41633 .tx_empty = serial_pxa_tx_empty,
41634 .set_mctrl = serial_pxa_set_mctrl,
41635 .get_mctrl = serial_pxa_get_mctrl,
41636 diff -urNp linux-2.6.39.2/drivers/tty/serial/sa1100.c linux-2.6.39.2/drivers/tty/serial/sa1100.c
41637 --- linux-2.6.39.2/drivers/tty/serial/sa1100.c 2011-05-19 00:06:34.000000000 -0400
41638 +++ linux-2.6.39.2/drivers/tty/serial/sa1100.c 2011-05-22 19:36:32.000000000 -0400
41639 @@ -577,7 +577,7 @@ sa1100_verify_port(struct uart_port *por
41640 return ret;
41641 }
41642
41643 -static struct uart_ops sa1100_pops = {
41644 +static const struct uart_ops sa1100_pops = {
41645 .tx_empty = sa1100_tx_empty,
41646 .set_mctrl = sa1100_set_mctrl,
41647 .get_mctrl = sa1100_get_mctrl,
41648 diff -urNp linux-2.6.39.2/drivers/tty/serial/samsung.c linux-2.6.39.2/drivers/tty/serial/samsung.c
41649 --- linux-2.6.39.2/drivers/tty/serial/samsung.c 2011-05-19 00:06:34.000000000 -0400
41650 +++ linux-2.6.39.2/drivers/tty/serial/samsung.c 2011-05-22 19:36:32.000000000 -0400
41651 @@ -860,7 +860,7 @@ static struct console s3c24xx_serial_con
41652 #define S3C24XX_SERIAL_CONSOLE NULL
41653 #endif
41654
41655 -static struct uart_ops s3c24xx_serial_ops = {
41656 +static const struct uart_ops s3c24xx_serial_ops = {
41657 .pm = s3c24xx_serial_pm,
41658 .tx_empty = s3c24xx_serial_tx_empty,
41659 .get_mctrl = s3c24xx_serial_get_mctrl,
41660 diff -urNp linux-2.6.39.2/drivers/tty/serial/sc26xx.c linux-2.6.39.2/drivers/tty/serial/sc26xx.c
41661 --- linux-2.6.39.2/drivers/tty/serial/sc26xx.c 2011-05-19 00:06:34.000000000 -0400
41662 +++ linux-2.6.39.2/drivers/tty/serial/sc26xx.c 2011-05-22 19:36:32.000000000 -0400
41663 @@ -515,7 +515,7 @@ static int sc26xx_verify_port(struct uar
41664 return -EINVAL;
41665 }
41666
41667 -static struct uart_ops sc26xx_ops = {
41668 +static const struct uart_ops sc26xx_ops = {
41669 .tx_empty = sc26xx_tx_empty,
41670 .set_mctrl = sc26xx_set_mctrl,
41671 .get_mctrl = sc26xx_get_mctrl,
41672 diff -urNp linux-2.6.39.2/drivers/tty/serial/serial_ks8695.c linux-2.6.39.2/drivers/tty/serial/serial_ks8695.c
41673 --- linux-2.6.39.2/drivers/tty/serial/serial_ks8695.c 2011-05-19 00:06:34.000000000 -0400
41674 +++ linux-2.6.39.2/drivers/tty/serial/serial_ks8695.c 2011-05-22 19:36:32.000000000 -0400
41675 @@ -528,7 +528,7 @@ static int ks8695uart_verify_port(struct
41676 return ret;
41677 }
41678
41679 -static struct uart_ops ks8695uart_pops = {
41680 +static const struct uart_ops ks8695uart_pops = {
41681 .tx_empty = ks8695uart_tx_empty,
41682 .set_mctrl = ks8695uart_set_mctrl,
41683 .get_mctrl = ks8695uart_get_mctrl,
41684 diff -urNp linux-2.6.39.2/drivers/tty/serial/serial_txx9.c linux-2.6.39.2/drivers/tty/serial/serial_txx9.c
41685 --- linux-2.6.39.2/drivers/tty/serial/serial_txx9.c 2011-05-19 00:06:34.000000000 -0400
41686 +++ linux-2.6.39.2/drivers/tty/serial/serial_txx9.c 2011-05-22 19:36:32.000000000 -0400
41687 @@ -857,7 +857,7 @@ serial_txx9_type(struct uart_port *port)
41688 return "txx9";
41689 }
41690
41691 -static struct uart_ops serial_txx9_pops = {
41692 +static const struct uart_ops serial_txx9_pops = {
41693 .tx_empty = serial_txx9_tx_empty,
41694 .set_mctrl = serial_txx9_set_mctrl,
41695 .get_mctrl = serial_txx9_get_mctrl,
41696 diff -urNp linux-2.6.39.2/drivers/tty/serial/sn_console.c linux-2.6.39.2/drivers/tty/serial/sn_console.c
41697 --- linux-2.6.39.2/drivers/tty/serial/sn_console.c 2011-05-19 00:06:34.000000000 -0400
41698 +++ linux-2.6.39.2/drivers/tty/serial/sn_console.c 2011-05-22 19:36:32.000000000 -0400
41699 @@ -388,7 +388,7 @@ static void snp_config_port(struct uart_
41700
41701 /* Associate the uart functions above - given to serial core */
41702
41703 -static struct uart_ops sn_console_ops = {
41704 +static const struct uart_ops sn_console_ops = {
41705 .tx_empty = snp_tx_empty,
41706 .set_mctrl = snp_set_mctrl,
41707 .get_mctrl = snp_get_mctrl,
41708 diff -urNp linux-2.6.39.2/drivers/tty/serial/sunhv.c linux-2.6.39.2/drivers/tty/serial/sunhv.c
41709 --- linux-2.6.39.2/drivers/tty/serial/sunhv.c 2011-05-19 00:06:34.000000000 -0400
41710 +++ linux-2.6.39.2/drivers/tty/serial/sunhv.c 2011-05-22 19:36:32.000000000 -0400
41711 @@ -168,12 +168,12 @@ struct sunhv_ops {
41712 int (*receive_chars)(struct uart_port *port, struct tty_struct *tty);
41713 };
41714
41715 -static struct sunhv_ops bychar_ops = {
41716 +static const struct sunhv_ops bychar_ops = {
41717 .transmit_chars = transmit_chars_putchar,
41718 .receive_chars = receive_chars_getchar,
41719 };
41720
41721 -static struct sunhv_ops bywrite_ops = {
41722 +static const struct sunhv_ops bywrite_ops = {
41723 .transmit_chars = transmit_chars_write,
41724 .receive_chars = receive_chars_read,
41725 };
41726 @@ -370,7 +370,7 @@ static int sunhv_verify_port(struct uart
41727 return -EINVAL;
41728 }
41729
41730 -static struct uart_ops sunhv_pops = {
41731 +static const struct uart_ops sunhv_pops = {
41732 .tx_empty = sunhv_tx_empty,
41733 .set_mctrl = sunhv_set_mctrl,
41734 .get_mctrl = sunhv_get_mctrl,
41735 diff -urNp linux-2.6.39.2/drivers/tty/serial/sunsab.c linux-2.6.39.2/drivers/tty/serial/sunsab.c
41736 --- linux-2.6.39.2/drivers/tty/serial/sunsab.c 2011-05-19 00:06:34.000000000 -0400
41737 +++ linux-2.6.39.2/drivers/tty/serial/sunsab.c 2011-05-22 19:36:32.000000000 -0400
41738 @@ -804,7 +804,7 @@ static int sunsab_verify_port(struct uar
41739 return -EINVAL;
41740 }
41741
41742 -static struct uart_ops sunsab_pops = {
41743 +static const struct uart_ops sunsab_pops = {
41744 .tx_empty = sunsab_tx_empty,
41745 .set_mctrl = sunsab_set_mctrl,
41746 .get_mctrl = sunsab_get_mctrl,
41747 diff -urNp linux-2.6.39.2/drivers/tty/serial/sunsu.c linux-2.6.39.2/drivers/tty/serial/sunsu.c
41748 --- linux-2.6.39.2/drivers/tty/serial/sunsu.c 2011-05-19 00:06:34.000000000 -0400
41749 +++ linux-2.6.39.2/drivers/tty/serial/sunsu.c 2011-05-22 19:36:32.000000000 -0400
41750 @@ -946,7 +946,7 @@ sunsu_type(struct uart_port *port)
41751 return uart_config[type].name;
41752 }
41753
41754 -static struct uart_ops sunsu_pops = {
41755 +static const struct uart_ops sunsu_pops = {
41756 .tx_empty = sunsu_tx_empty,
41757 .set_mctrl = sunsu_set_mctrl,
41758 .get_mctrl = sunsu_get_mctrl,
41759 diff -urNp linux-2.6.39.2/drivers/tty/serial/sunzilog.c linux-2.6.39.2/drivers/tty/serial/sunzilog.c
41760 --- linux-2.6.39.2/drivers/tty/serial/sunzilog.c 2011-05-19 00:06:34.000000000 -0400
41761 +++ linux-2.6.39.2/drivers/tty/serial/sunzilog.c 2011-05-22 19:36:32.000000000 -0400
41762 @@ -1042,7 +1042,7 @@ static void sunzilog_put_poll_char(struc
41763 }
41764 #endif /* CONFIG_CONSOLE_POLL */
41765
41766 -static struct uart_ops sunzilog_pops = {
41767 +static const struct uart_ops sunzilog_pops = {
41768 .tx_empty = sunzilog_tx_empty,
41769 .set_mctrl = sunzilog_set_mctrl,
41770 .get_mctrl = sunzilog_get_mctrl,
41771 diff -urNp linux-2.6.39.2/drivers/tty/serial/timbuart.c linux-2.6.39.2/drivers/tty/serial/timbuart.c
41772 --- linux-2.6.39.2/drivers/tty/serial/timbuart.c 2011-05-19 00:06:34.000000000 -0400
41773 +++ linux-2.6.39.2/drivers/tty/serial/timbuart.c 2011-05-22 19:36:32.000000000 -0400
41774 @@ -394,7 +394,7 @@ static int timbuart_verify_port(struct u
41775 return -EINVAL;
41776 }
41777
41778 -static struct uart_ops timbuart_ops = {
41779 +static const struct uart_ops timbuart_ops = {
41780 .tx_empty = timbuart_tx_empty,
41781 .set_mctrl = timbuart_set_mctrl,
41782 .get_mctrl = timbuart_get_mctrl,
41783 diff -urNp linux-2.6.39.2/drivers/tty/serial/uartlite.c linux-2.6.39.2/drivers/tty/serial/uartlite.c
41784 --- linux-2.6.39.2/drivers/tty/serial/uartlite.c 2011-05-19 00:06:34.000000000 -0400
41785 +++ linux-2.6.39.2/drivers/tty/serial/uartlite.c 2011-05-22 19:36:32.000000000 -0400
41786 @@ -331,7 +331,7 @@ static void ulite_put_poll_char(struct u
41787 }
41788 #endif
41789
41790 -static struct uart_ops ulite_ops = {
41791 +static const struct uart_ops ulite_ops = {
41792 .tx_empty = ulite_tx_empty,
41793 .set_mctrl = ulite_set_mctrl,
41794 .get_mctrl = ulite_get_mctrl,
41795 diff -urNp linux-2.6.39.2/drivers/tty/serial/ucc_uart.c linux-2.6.39.2/drivers/tty/serial/ucc_uart.c
41796 --- linux-2.6.39.2/drivers/tty/serial/ucc_uart.c 2011-05-19 00:06:34.000000000 -0400
41797 +++ linux-2.6.39.2/drivers/tty/serial/ucc_uart.c 2011-05-22 19:36:32.000000000 -0400
41798 @@ -1088,7 +1088,7 @@ static int qe_uart_verify_port(struct ua
41799 *
41800 * Details on these functions can be found in Documentation/serial/driver
41801 */
41802 -static struct uart_ops qe_uart_pops = {
41803 +static const struct uart_ops qe_uart_pops = {
41804 .tx_empty = qe_uart_tx_empty,
41805 .set_mctrl = qe_uart_set_mctrl,
41806 .get_mctrl = qe_uart_get_mctrl,
41807 diff -urNp linux-2.6.39.2/drivers/tty/serial/vr41xx_siu.c linux-2.6.39.2/drivers/tty/serial/vr41xx_siu.c
41808 --- linux-2.6.39.2/drivers/tty/serial/vr41xx_siu.c 2011-05-19 00:06:34.000000000 -0400
41809 +++ linux-2.6.39.2/drivers/tty/serial/vr41xx_siu.c 2011-05-22 19:36:32.000000000 -0400
41810 @@ -683,7 +683,7 @@ static int siu_verify_port(struct uart_p
41811 return 0;
41812 }
41813
41814 -static struct uart_ops siu_uart_ops = {
41815 +static const struct uart_ops siu_uart_ops = {
41816 .tx_empty = siu_tx_empty,
41817 .set_mctrl = siu_set_mctrl,
41818 .get_mctrl = siu_get_mctrl,
41819 diff -urNp linux-2.6.39.2/drivers/tty/serial/vt8500_serial.c linux-2.6.39.2/drivers/tty/serial/vt8500_serial.c
41820 --- linux-2.6.39.2/drivers/tty/serial/vt8500_serial.c 2011-05-19 00:06:34.000000000 -0400
41821 +++ linux-2.6.39.2/drivers/tty/serial/vt8500_serial.c 2011-05-22 19:36:32.000000000 -0400
41822 @@ -519,7 +519,7 @@ static struct console vt8500_console = {
41823 #define VT8500_CONSOLE NULL
41824 #endif
41825
41826 -static struct uart_ops vt8500_uart_pops = {
41827 +static const struct uart_ops vt8500_uart_pops = {
41828 .tx_empty = vt8500_tx_empty,
41829 .set_mctrl = vt8500_set_mctrl,
41830 .get_mctrl = vt8500_get_mctrl,
41831 diff -urNp linux-2.6.39.2/drivers/tty/serial/zs.c linux-2.6.39.2/drivers/tty/serial/zs.c
41832 --- linux-2.6.39.2/drivers/tty/serial/zs.c 2011-05-19 00:06:34.000000000 -0400
41833 +++ linux-2.6.39.2/drivers/tty/serial/zs.c 2011-05-22 19:36:32.000000000 -0400
41834 @@ -1044,7 +1044,7 @@ static int zs_verify_port(struct uart_po
41835 }
41836
41837
41838 -static struct uart_ops zs_ops = {
41839 +static const struct uart_ops zs_ops = {
41840 .tx_empty = zs_tx_empty,
41841 .set_mctrl = zs_set_mctrl,
41842 .get_mctrl = zs_get_mctrl,
41843 diff -urNp linux-2.6.39.2/drivers/tty/tty_io.c linux-2.6.39.2/drivers/tty/tty_io.c
41844 --- linux-2.6.39.2/drivers/tty/tty_io.c 2011-05-19 00:06:34.000000000 -0400
41845 +++ linux-2.6.39.2/drivers/tty/tty_io.c 2011-05-22 19:36:32.000000000 -0400
41846 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
41847 /* Spinlock to protect the tty->tty_files list */
41848 DEFINE_SPINLOCK(tty_files_lock);
41849
41850 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
41851 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
41852 ssize_t redirected_tty_write(struct file *, const char __user *,
41853 size_t, loff_t *);
41854 -static unsigned int tty_poll(struct file *, poll_table *);
41855 static int tty_open(struct inode *, struct file *);
41856 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
41857 -#ifdef CONFIG_COMPAT
41858 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
41859 - unsigned long arg);
41860 -#else
41861 -#define tty_compat_ioctl NULL
41862 -#endif
41863 static int __tty_fasync(int fd, struct file *filp, int on);
41864 -static int tty_fasync(int fd, struct file *filp, int on);
41865 static void release_tty(struct tty_struct *tty, int idx);
41866 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
41867 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
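Review bot: Removing the `#define tty_compat_ioctl NULL` fallback along with the static prototypes leaves this file with no definition of `tty_compat_ioctl` when CONFIG_COMPAT is off, unless a header now supplies one. The replacement declarations are not visible in this hunk, so confirm that the header carrying the new non-static prototypes keeps the `#else` branch (`#define tty_compat_ioctl NULL`) and is included by tty_io.c. If it is missing, any file_operations table that names `tty_compat_ioctl` will fail to build on non-compat configurations.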
41868 @@ -937,7 +927,7 @@ EXPORT_SYMBOL(start_tty);
41869 * read calls may be outstanding in parallel.
41870 */
41871
41872 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
41873 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
41874 loff_t *ppos)
41875 {
41876 int i;
41877 @@ -963,6 +953,8 @@ static ssize_t tty_read(struct file *fil
41878 return i;
41879 }
41880
41881 +EXPORT_SYMBOL(tty_read);
41882 +
41883 void tty_write_unlock(struct tty_struct *tty)
41884 {
41885 mutex_unlock(&tty->atomic_write_lock);
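Review bot: `EXPORT_SYMBOL(tty_read);` and the matching exports added below for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl make the tty entry points callable from any loadable module, and nothing says which user needs them. Since the same patch removes tty_default_fops(), the intent is presumably to let other drivers build their file_operations tables statically; a one-line comment such as `/* exported so pty/other tty drivers can reference it from a const file_operations */` would record that. The neighbouring get_current_tty uses `EXPORT_SYMBOL_GPL`, so `EXPORT_SYMBOL_GPL(tty_read);` would be the narrower and more consistent choice. Kernel style also places the export directly after the closing brace, without the blank line.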
41886 @@ -1112,7 +1104,7 @@ void tty_write_message(struct tty_struct
41887 * write method will not be invoked in parallel for each device.
41888 */
41889
41890 -static ssize_t tty_write(struct file *file, const char __user *buf,
41891 +ssize_t tty_write(struct file *file, const char __user *buf,
41892 size_t count, loff_t *ppos)
41893 {
41894 struct inode *inode = file->f_path.dentry->d_inode;
41895 @@ -1138,6 +1130,8 @@ static ssize_t tty_write(struct file *fi
41896 return ret;
41897 }
41898
41899 +EXPORT_SYMBOL(tty_write);
41900 +
41901 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
41902 size_t count, loff_t *ppos)
41903 {
41904 @@ -1777,6 +1771,8 @@ int tty_release(struct inode *inode, str
41905 return 0;
41906 }
41907
41908 +EXPORT_SYMBOL(tty_release);
41909 +
41910 /**
41911 * tty_open - open a tty device
41912 * @inode: inode of device file
41913 @@ -1968,7 +1964,7 @@ got_driver:
41914 * may be re-entered freely by other callers.
41915 */
41916
41917 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
41918 +unsigned int tty_poll(struct file *filp, poll_table *wait)
41919 {
41920 struct tty_struct *tty = file_tty(filp);
41921 struct tty_ldisc *ld;
41922 @@ -1984,6 +1980,8 @@ static unsigned int tty_poll(struct file
41923 return ret;
41924 }
41925
41926 +EXPORT_SYMBOL(tty_poll);
41927 +
41928 static int __tty_fasync(int fd, struct file *filp, int on)
41929 {
41930 struct tty_struct *tty = file_tty(filp);
41931 @@ -2025,7 +2023,7 @@ out:
41932 return retval;
41933 }
41934
41935 -static int tty_fasync(int fd, struct file *filp, int on)
41936 +int tty_fasync(int fd, struct file *filp, int on)
41937 {
41938 int retval;
41939 tty_lock();
41940 @@ -2034,6 +2032,8 @@ static int tty_fasync(int fd, struct fil
41941 return retval;
41942 }
41943
41944 +EXPORT_SYMBOL(tty_fasync);
41945 +
41946 /**
41947 * tiocsti - fake input character
41948 * @tty: tty to fake input into
41949 @@ -2695,8 +2695,10 @@ long tty_ioctl(struct file *file, unsign
41950 return retval;
41951 }
41952
41953 +EXPORT_SYMBOL(tty_ioctl);
41954 +
41955 #ifdef CONFIG_COMPAT
41956 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
41957 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
41958 unsigned long arg)
41959 {
41960 struct inode *inode = file->f_dentry->d_inode;
41961 @@ -2720,6 +2722,9 @@ static long tty_compat_ioctl(struct file
41962
41963 return retval;
41964 }
41965 +
41966 +EXPORT_SYMBOL(tty_compat_ioctl);
41967 +
41968 #endif
41969
41970 /*
41971 @@ -3198,11 +3203,6 @@ struct tty_struct *get_current_tty(void)
41972 }
41973 EXPORT_SYMBOL_GPL(get_current_tty);
41974
41975 -void tty_default_fops(struct file_operations *fops)
41976 -{
41977 - *fops = tty_fops;
41978 -}
41979 -
41980 /*
41981 * Initialize the console device. This is called *early*, so
41982 * we can't necessarily depend on lots of kernel help here.
41983 diff -urNp linux-2.6.39.2/drivers/tty/tty_ldisc.c linux-2.6.39.2/drivers/tty/tty_ldisc.c
41984 --- linux-2.6.39.2/drivers/tty/tty_ldisc.c 2011-05-19 00:06:34.000000000 -0400
41985 +++ linux-2.6.39.2/drivers/tty/tty_ldisc.c 2011-05-22 19:36:32.000000000 -0400
41986 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
41987 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
41988 struct tty_ldisc_ops *ldo = ld->ops;
41989
41990 - ldo->refcount--;
41991 + atomic_dec(&ldo->refcount);
41992 module_put(ldo->owner);
41993 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
41994
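Review bot: `atomic_dec(&ldo->refcount)` runs with tty_ldisc_lock held, as do the conversions shown for tty_register_ldisc, tty_unregister_ldisc and put_ldops, so the atomic type adds no exclusion and its purpose is undocumented. The likely reason is to place the counter under the patch's checked atomic_t (other hunks use `atomic_unchecked_t` where wrapping is acceptable), which would make an overflowing ldisc reference count detectable. A comment at the field or here would stop a later cleanup from reverting it, for example `/* atomic_t for overflow detection; updates remain serialized by tty_ldisc_lock */`. The get_ldops hunk does not show its locking, and the field's declaration is in a header outside this section.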
41995 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
41996 spin_lock_irqsave(&tty_ldisc_lock, flags);
41997 tty_ldiscs[disc] = new_ldisc;
41998 new_ldisc->num = disc;
41999 - new_ldisc->refcount = 0;
42000 + atomic_set(&new_ldisc->refcount, 0);
42001 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42002
42003 return ret;
42004 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
42005 return -EINVAL;
42006
42007 spin_lock_irqsave(&tty_ldisc_lock, flags);
42008 - if (tty_ldiscs[disc]->refcount)
42009 + if (atomic_read(&tty_ldiscs[disc]->refcount))
42010 ret = -EBUSY;
42011 else
42012 tty_ldiscs[disc] = NULL;
42013 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
42014 if (ldops) {
42015 ret = ERR_PTR(-EAGAIN);
42016 if (try_module_get(ldops->owner)) {
42017 - ldops->refcount++;
42018 + atomic_inc(&ldops->refcount);
42019 ret = ldops;
42020 }
42021 }
42022 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
42023 unsigned long flags;
42024
42025 spin_lock_irqsave(&tty_ldisc_lock, flags);
42026 - ldops->refcount--;
42027 + atomic_dec(&ldops->refcount);
42028 module_put(ldops->owner);
42029 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42030 }
42031 diff -urNp linux-2.6.39.2/drivers/tty/vt/keyboard.c linux-2.6.39.2/drivers/tty/vt/keyboard.c
42032 --- linux-2.6.39.2/drivers/tty/vt/keyboard.c 2011-05-19 00:06:34.000000000 -0400
42033 +++ linux-2.6.39.2/drivers/tty/vt/keyboard.c 2011-05-22 20:32:43.000000000 -0400
42034 @@ -658,6 +658,16 @@ static void k_spec(struct vc_data *vc, u
42035 kbd->kbdmode == VC_OFF) &&
42036 value != KVAL(K_SAK))
42037 return; /* SAK is allowed even in raw mode */
42038 +
42039 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42040 + {
42041 + void *func = fn_handler[value];
42042 + if (func == fn_show_state || func == fn_show_ptregs ||
42043 + func == fn_show_mem)
42044 + return;
42045 + }
42046 +#endif
42047 +
42048 fn_handler[value](vc);
42049 }
42050
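Review bot: The new filter in k_spec stores a function pointer in `void *func` and compares it with function addresses, which relies on a compiler extension and loses type checking. If the handler typedef used for the fn_handler array is in scope (fn_handler_fn in mainline keyboard.c), `fn_handler_fn *func = fn_handler[value];` keeps the comparison typed. The block also lacks a comment explaining why these three handlers are dropped. Judging by their names, they print task, register and memory state to the console, so something like `/* these dump kernel state the /proc restrictions are meant to hide */` would make the link to the two config options explicit. k_spec begins outside the hunk, so any bounds check on `value` before the array index cannot be confirmed from here.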
42051 diff -urNp linux-2.6.39.2/drivers/tty/vt/vt.c linux-2.6.39.2/drivers/tty/vt/vt.c
42052 --- linux-2.6.39.2/drivers/tty/vt/vt.c 2011-05-19 00:06:34.000000000 -0400
42053 +++ linux-2.6.39.2/drivers/tty/vt/vt.c 2011-05-22 19:36:32.000000000 -0400
42054 @@ -261,7 +261,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
42055
42056 static void notify_write(struct vc_data *vc, unsigned int unicode)
42057 {
42058 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
42059 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
42060 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
42061 }
42062
42063 diff -urNp linux-2.6.39.2/drivers/tty/vt/vt_ioctl.c linux-2.6.39.2/drivers/tty/vt/vt_ioctl.c
42064 --- linux-2.6.39.2/drivers/tty/vt/vt_ioctl.c 2011-05-19 00:06:34.000000000 -0400
42065 +++ linux-2.6.39.2/drivers/tty/vt/vt_ioctl.c 2011-05-22 19:41:37.000000000 -0400
42066 @@ -209,9 +209,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42067 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
42068 return -EFAULT;
42069
42070 - if (!capable(CAP_SYS_TTY_CONFIG))
42071 - perm = 0;
42072 -
42073 switch (cmd) {
42074 case KDGKBENT:
42075 key_map = key_maps[s];
42076 @@ -223,6 +220,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42077 val = (i ? K_HOLE : K_NOSUCHMAP);
42078 return put_user(val, &user_kbe->kb_value);
42079 case KDSKBENT:
42080 + if (!capable(CAP_SYS_TTY_CONFIG))
42081 + perm = 0;
42082 +
42083 if (!perm)
42084 return -EPERM;
42085 if (!i && v == K_NOSUCHMAP) {
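Review bot: The relocated check in the KDSKBENT case still clears `perm` and then tests it, which is more roundabout than needed now that it sits beside its only visible consumer. `if (!perm || !capable(CAP_SYS_TTY_CONFIG))` followed by `return -EPERM;` says the same thing in one condition and avoids calling capable() when the caller already lacks console permission. The same applies to the KDSKBSENT case in do_kdgkb_ioctl further down. This assumes `perm` is not read later in either case body, which continues outside the hunks. A short comment noting that the capability is deliberately checked only on the set path would also help, since the get commands no longer trigger a capability check.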
42086 @@ -324,9 +324,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42087 int i, j, k;
42088 int ret;
42089
42090 - if (!capable(CAP_SYS_TTY_CONFIG))
42091 - perm = 0;
42092 -
42093 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
42094 if (!kbs) {
42095 ret = -ENOMEM;
42096 @@ -360,6 +357,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42097 kfree(kbs);
42098 return ((p && *p) ? -EOVERFLOW : 0);
42099 case KDSKBSENT:
42100 + if (!capable(CAP_SYS_TTY_CONFIG))
42101 + perm = 0;
42102 +
42103 if (!perm) {
42104 ret = -EPERM;
42105 goto reterr;
42106 diff -urNp linux-2.6.39.2/drivers/uio/uio.c linux-2.6.39.2/drivers/uio/uio.c
42107 --- linux-2.6.39.2/drivers/uio/uio.c 2011-05-19 00:06:34.000000000 -0400
42108 +++ linux-2.6.39.2/drivers/uio/uio.c 2011-05-22 19:36:32.000000000 -0400
42109 @@ -25,6 +25,7 @@
42110 #include <linux/kobject.h>
42111 #include <linux/cdev.h>
42112 #include <linux/uio_driver.h>
42113 +#include <asm/local.h>
42114
42115 #define UIO_MAX_DEVICES (1U << MINORBITS)
42116
42117 @@ -32,10 +33,10 @@ struct uio_device {
42118 struct module *owner;
42119 struct device *dev;
42120 int minor;
42121 - atomic_t event;
42122 + atomic_unchecked_t event;
42123 struct fasync_struct *async_queue;
42124 wait_queue_head_t wait;
42125 - int vma_count;
42126 + local_t vma_count;
42127 struct uio_info *info;
42128 struct kobject *map_dir;
42129 struct kobject *portio_dir;
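Review bot: `local_t vma_count` is an odd fit for a per-device counter, because local_t operations are atomic only with respect to the CPU they execute on. The later hunks call `local_inc()` in uio_vma_open and `local_dec()` in uio_vma_close, which can run on different CPUs for the same device. The plain `int` it replaces offered no cross-CPU guarantee either, so this is not a regression, but the type now suggests a safety property it does not provide. If the aim is only to keep the counter outside overflow checking, `atomic_unchecked_t vma_count;` with `atomic_inc_unchecked(&idev->vma_count);` would match the treatment of `event` in the same struct. Otherwise add a comment explaining the choice; no reader of `vma_count` is visible in this section.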
42130 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
42131 struct device_attribute *attr, char *buf)
42132 {
42133 struct uio_device *idev = dev_get_drvdata(dev);
42134 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
42135 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
42136 }
42137
42138 static struct device_attribute uio_class_attributes[] = {
42139 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
42140 {
42141 struct uio_device *idev = info->uio_dev;
42142
42143 - atomic_inc(&idev->event);
42144 + atomic_inc_unchecked(&idev->event);
42145 wake_up_interruptible(&idev->wait);
42146 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
42147 }
42148 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
42149 }
42150
42151 listener->dev = idev;
42152 - listener->event_count = atomic_read(&idev->event);
42153 + listener->event_count = atomic_read_unchecked(&idev->event);
42154 filep->private_data = listener;
42155
42156 if (idev->info->open) {
42157 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
42158 return -EIO;
42159
42160 poll_wait(filep, &idev->wait, wait);
42161 - if (listener->event_count != atomic_read(&idev->event))
42162 + if (listener->event_count != atomic_read_unchecked(&idev->event))
42163 return POLLIN | POLLRDNORM;
42164 return 0;
42165 }
42166 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
42167 do {
42168 set_current_state(TASK_INTERRUPTIBLE);
42169
42170 - event_count = atomic_read(&idev->event);
42171 + event_count = atomic_read_unchecked(&idev->event);
42172 if (event_count != listener->event_count) {
42173 if (copy_to_user(buf, &event_count, count))
42174 retval = -EFAULT;
42175 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
42176 static void uio_vma_open(struct vm_area_struct *vma)
42177 {
42178 struct uio_device *idev = vma->vm_private_data;
42179 - idev->vma_count++;
42180 + local_inc(&idev->vma_count);
42181 }
42182
42183 static void uio_vma_close(struct vm_area_struct *vma)
42184 {
42185 struct uio_device *idev = vma->vm_private_data;
42186 - idev->vma_count--;
42187 + local_dec(&idev->vma_count);
42188 }
42189
42190 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
42191 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
42192 idev->owner = owner;
42193 idev->info = info;
42194 init_waitqueue_head(&idev->wait);
42195 - atomic_set(&idev->event, 0);
42196 + atomic_set_unchecked(&idev->event, 0);
42197
42198 ret = uio_get_minor(idev);
42199 if (ret)
42200 diff -urNp linux-2.6.39.2/drivers/usb/atm/cxacru.c linux-2.6.39.2/drivers/usb/atm/cxacru.c
42201 --- linux-2.6.39.2/drivers/usb/atm/cxacru.c 2011-05-19 00:06:34.000000000 -0400
42202 +++ linux-2.6.39.2/drivers/usb/atm/cxacru.c 2011-05-22 19:36:32.000000000 -0400
42203 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
42204 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
42205 if (ret < 2)
42206 return -EINVAL;
42207 - if (index < 0 || index > 0x7f)
42208 + if (index > 0x7f)
42209 return -EINVAL;
42210 pos += tmp;
42211
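Review bot: Dropping `index < 0` is correct only if `index` is declared unsigned, and that declaration is outside the hunk. The `%x` conversion in the sscanf call expects an `unsigned int *`, which suggests it is, making the removed comparison always false. If `index` were a signed int, the new `if (index > 0x7f)` would let negative values through to whatever indexes with it. A note in the commit, or a comment such as `/* index is unsigned, so only the upper bound needs checking */`, would make the assumption explicit.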
42212 diff -urNp linux-2.6.39.2/drivers/usb/atm/usbatm.c linux-2.6.39.2/drivers/usb/atm/usbatm.c
42213 --- linux-2.6.39.2/drivers/usb/atm/usbatm.c 2011-05-19 00:06:34.000000000 -0400
42214 +++ linux-2.6.39.2/drivers/usb/atm/usbatm.c 2011-05-22 19:36:32.000000000 -0400
42215 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
42216 if (printk_ratelimit())
42217 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
42218 __func__, vpi, vci);
42219 - atomic_inc(&vcc->stats->rx_err);
42220 + atomic_inc_unchecked(&vcc->stats->rx_err);
42221 return;
42222 }
42223
42224 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
42225 if (length > ATM_MAX_AAL5_PDU) {
42226 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
42227 __func__, length, vcc);
42228 - atomic_inc(&vcc->stats->rx_err);
42229 + atomic_inc_unchecked(&vcc->stats->rx_err);
42230 goto out;
42231 }
42232
42233 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
42234 if (sarb->len < pdu_length) {
42235 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
42236 __func__, pdu_length, sarb->len, vcc);
42237 - atomic_inc(&vcc->stats->rx_err);
42238 + atomic_inc_unchecked(&vcc->stats->rx_err);
42239 goto out;
42240 }
42241
42242 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
42243 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
42244 __func__, vcc);
42245 - atomic_inc(&vcc->stats->rx_err);
42246 + atomic_inc_unchecked(&vcc->stats->rx_err);
42247 goto out;
42248 }
42249
42250 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
42251 if (printk_ratelimit())
42252 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
42253 __func__, length);
42254 - atomic_inc(&vcc->stats->rx_drop);
42255 + atomic_inc_unchecked(&vcc->stats->rx_drop);
42256 goto out;
42257 }
42258
42259 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
42260
42261 vcc->push(vcc, skb);
42262
42263 - atomic_inc(&vcc->stats->rx);
42264 + atomic_inc_unchecked(&vcc->stats->rx);
42265 out:
42266 skb_trim(sarb, 0);
42267 }
42268 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
42269 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
42270
42271 usbatm_pop(vcc, skb);
42272 - atomic_inc(&vcc->stats->tx);
42273 + atomic_inc_unchecked(&vcc->stats->tx);
42274
42275 skb = skb_dequeue(&instance->sndqueue);
42276 }
42277 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
42278 if (!left--)
42279 return sprintf(page,
42280 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
42281 - atomic_read(&atm_dev->stats.aal5.tx),
42282 - atomic_read(&atm_dev->stats.aal5.tx_err),
42283 - atomic_read(&atm_dev->stats.aal5.rx),
42284 - atomic_read(&atm_dev->stats.aal5.rx_err),
42285 - atomic_read(&atm_dev->stats.aal5.rx_drop));
42286 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
42287 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
42288 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
42289 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
42290 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
42291
42292 if (!left--) {
42293 if (instance->disconnected)
42294 diff -urNp linux-2.6.39.2/drivers/usb/core/devices.c linux-2.6.39.2/drivers/usb/core/devices.c
42295 --- linux-2.6.39.2/drivers/usb/core/devices.c 2011-05-19 00:06:34.000000000 -0400
42296 +++ linux-2.6.39.2/drivers/usb/core/devices.c 2011-05-22 19:36:32.000000000 -0400
42297 @@ -126,7 +126,7 @@ static const char *format_endpt =
42298 * time it gets called.
42299 */
42300 static struct device_connect_event {
42301 - atomic_t count;
42302 + atomic_unchecked_t count;
42303 wait_queue_head_t wait;
42304 } device_event = {
42305 .count = ATOMIC_INIT(1),
42306 @@ -164,7 +164,7 @@ static const struct class_info clas_info
42307
42308 void usbfs_conn_disc_event(void)
42309 {
42310 - atomic_add(2, &device_event.count);
42311 + atomic_add_unchecked(2, &device_event.count);
42312 wake_up(&device_event.wait);
42313 }
42314
42315 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
42316
42317 poll_wait(file, &device_event.wait, wait);
42318
42319 - event_count = atomic_read(&device_event.count);
42320 + event_count = atomic_read_unchecked(&device_event.count);
42321 if (file->f_version != event_count) {
42322 file->f_version = event_count;
42323 return POLLIN | POLLRDNORM;
42324 diff -urNp linux-2.6.39.2/drivers/usb/core/hcd.c linux-2.6.39.2/drivers/usb/core/hcd.c
42325 --- linux-2.6.39.2/drivers/usb/core/hcd.c 2011-06-03 00:04:14.000000000 -0400
42326 +++ linux-2.6.39.2/drivers/usb/core/hcd.c 2011-06-03 00:32:07.000000000 -0400
42327 @@ -2574,7 +2574,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
42328
42329 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
42330
42331 -struct usb_mon_operations *mon_ops;
42332 +const struct usb_mon_operations *mon_ops;
42333
42334 /*
42335 * The registration is unlocked.
42336 @@ -2584,7 +2584,7 @@ struct usb_mon_operations *mon_ops;
42337 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
42338 */
42339
42340 -int usb_mon_register (struct usb_mon_operations *ops)
42341 +int usb_mon_register (const struct usb_mon_operations *ops)
42342 {
42343
42344 if (mon_ops)
42345 diff -urNp linux-2.6.39.2/drivers/usb/core/message.c linux-2.6.39.2/drivers/usb/core/message.c
42346 --- linux-2.6.39.2/drivers/usb/core/message.c 2011-05-19 00:06:34.000000000 -0400
42347 +++ linux-2.6.39.2/drivers/usb/core/message.c 2011-05-22 19:36:32.000000000 -0400
42348 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
42349 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
42350 if (buf) {
42351 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
42352 - if (len > 0) {
42353 - smallbuf = kmalloc(++len, GFP_NOIO);
42354 + if (len++ > 0) {
42355 + smallbuf = kmalloc(len, GFP_NOIO);
42356 if (!smallbuf)
42357 return buf;
42358 memcpy(smallbuf, buf, len);
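Review bot: `if (len++ > 0)` hides the length adjustment as a side effect of the test, and it now also increments `len` on the failure path where usb_string() returned zero or an error. Behaviour for positive lengths is unchanged, but it is clearer with the increment as its own statement: `if (len > 0) {` then `len++;` then `smallbuf = kmalloc(len, GFP_NOIO);`. A comment that the extra byte is the terminating NUL copied by the memcpy below would help too. That copy reads `len + 1` bytes from `buf`, so it relies on usb_string() returning less than MAX_USB_STRING_SIZE and NUL-terminating its output, which this hunk does not show. usb_cache_string continues beyond the hunk.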
42359 diff -urNp linux-2.6.39.2/drivers/usb/early/ehci-dbgp.c linux-2.6.39.2/drivers/usb/early/ehci-dbgp.c
42360 --- linux-2.6.39.2/drivers/usb/early/ehci-dbgp.c 2011-05-19 00:06:34.000000000 -0400
42361 +++ linux-2.6.39.2/drivers/usb/early/ehci-dbgp.c 2011-05-22 19:36:32.000000000 -0400
42362 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
42363 }
42364
42365 #ifdef CONFIG_KGDB
42366 -static struct kgdb_io kgdbdbgp_io_ops;
42367 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
42368 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
42369 #else
42370 #define dbgp_kgdb_mode (0)
42371 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
42372 early_dbgp_write(NULL, &chr, 1);
42373 }
42374
42375 -static struct kgdb_io kgdbdbgp_io_ops = {
42376 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
42377 .name = "kgdbdbgp",
42378 .read_char = kgdbdbgp_read_char,
42379 .write_char = kgdbdbgp_write_char,
42380 diff -urNp linux-2.6.39.2/drivers/usb/gadget/fsl_qe_udc.c linux-2.6.39.2/drivers/usb/gadget/fsl_qe_udc.c
42381 --- linux-2.6.39.2/drivers/usb/gadget/fsl_qe_udc.c 2011-05-19 00:06:34.000000000 -0400
42382 +++ linux-2.6.39.2/drivers/usb/gadget/fsl_qe_udc.c 2011-05-22 19:36:32.000000000 -0400
42383 @@ -1859,7 +1859,7 @@ out:
42384 return status;
42385 }
42386
42387 -static struct usb_ep_ops qe_ep_ops = {
42388 +static const struct usb_ep_ops qe_ep_ops = {
42389 .enable = qe_ep_enable,
42390 .disable = qe_ep_disable,
42391
42392 @@ -1928,7 +1928,7 @@ static int qe_pullup(struct usb_gadget *
42393 }
42394
42395 /* defined in usb_gadget.h */
42396 -static struct usb_gadget_ops qe_gadget_ops = {
42397 +static const struct usb_gadget_ops qe_gadget_ops = {
42398 .get_frame = qe_get_frame,
42399 .wakeup = qe_wakeup,
42400 /* .set_selfpowered = qe_set_selfpowered,*/ /* always selfpowered */
42401 diff -urNp linux-2.6.39.2/drivers/usb/gadget/fsl_udc_core.c linux-2.6.39.2/drivers/usb/gadget/fsl_udc_core.c
42402 --- linux-2.6.39.2/drivers/usb/gadget/fsl_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42403 +++ linux-2.6.39.2/drivers/usb/gadget/fsl_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42404 @@ -1003,7 +1003,7 @@ static void fsl_ep_fifo_flush(struct usb
42405 } while (fsl_readl(&dr_regs->endptstatus) & bits);
42406 }
42407
42408 -static struct usb_ep_ops fsl_ep_ops = {
42409 +static const struct usb_ep_ops fsl_ep_ops = {
42410 .enable = fsl_ep_enable,
42411 .disable = fsl_ep_disable,
42412
42413 @@ -1114,7 +1114,7 @@ static int fsl_pullup(struct usb_gadget
42414 }
42415
42416 /* defined in gadget.h */
42417 -static struct usb_gadget_ops fsl_gadget_ops = {
42418 +static const struct usb_gadget_ops fsl_gadget_ops = {
42419 .get_frame = fsl_get_frame,
42420 .wakeup = fsl_wakeup,
42421 /* .set_selfpowered = fsl_set_selfpowered, */ /* Always selfpowered */
42422 diff -urNp linux-2.6.39.2/drivers/usb/gadget/fusb300_udc.c linux-2.6.39.2/drivers/usb/gadget/fusb300_udc.c
42423 --- linux-2.6.39.2/drivers/usb/gadget/fusb300_udc.c 2011-05-19 00:06:34.000000000 -0400
42424 +++ linux-2.6.39.2/drivers/usb/gadget/fusb300_udc.c 2011-05-22 19:36:32.000000000 -0400
42425 @@ -527,7 +527,7 @@ static void fusb300_fifo_flush(struct us
42426 {
42427 }
42428
42429 -static struct usb_ep_ops fusb300_ep_ops = {
42430 +static const struct usb_ep_ops fusb300_ep_ops = {
42431 .enable = fusb300_enable,
42432 .disable = fusb300_disable,
42433
42434 @@ -1570,7 +1570,7 @@ static int fusb300_udc_pullup(struct usb
42435 return 0;
42436 }
42437
42438 -static struct usb_gadget_ops fusb300_gadget_ops = {
42439 +static const struct usb_gadget_ops fusb300_gadget_ops = {
42440 .pullup = fusb300_udc_pullup,
42441 };
42442
42443 diff -urNp linux-2.6.39.2/drivers/usb/gadget/goku_udc.c linux-2.6.39.2/drivers/usb/gadget/goku_udc.c
42444 --- linux-2.6.39.2/drivers/usb/gadget/goku_udc.c 2011-05-19 00:06:34.000000000 -0400
42445 +++ linux-2.6.39.2/drivers/usb/gadget/goku_udc.c 2011-05-22 19:36:32.000000000 -0400
42446 @@ -973,7 +973,7 @@ static void goku_fifo_flush(struct usb_e
42447 command(regs, COMMAND_FIFO_CLEAR, ep->num);
42448 }
42449
42450 -static struct usb_ep_ops goku_ep_ops = {
42451 +static const struct usb_ep_ops goku_ep_ops = {
42452 .enable = goku_ep_enable,
42453 .disable = goku_ep_disable,
42454
42455 diff -urNp linux-2.6.39.2/drivers/usb/gadget/imx_udc.c linux-2.6.39.2/drivers/usb/gadget/imx_udc.c
42456 --- linux-2.6.39.2/drivers/usb/gadget/imx_udc.c 2011-05-19 00:06:34.000000000 -0400
42457 +++ linux-2.6.39.2/drivers/usb/gadget/imx_udc.c 2011-05-22 19:36:32.000000000 -0400
42458 @@ -937,7 +937,7 @@ static void imx_ep_fifo_flush(struct usb
42459 local_irq_restore(flags);
42460 }
42461
42462 -static struct usb_ep_ops imx_ep_ops = {
42463 +static const struct usb_ep_ops imx_ep_ops = {
42464 .enable = imx_ep_enable,
42465 .disable = imx_ep_disable,
42466
42467 diff -urNp linux-2.6.39.2/drivers/usb/gadget/m66592-udc.c linux-2.6.39.2/drivers/usb/gadget/m66592-udc.c
42468 --- linux-2.6.39.2/drivers/usb/gadget/m66592-udc.c 2011-05-19 00:06:34.000000000 -0400
42469 +++ linux-2.6.39.2/drivers/usb/gadget/m66592-udc.c 2011-05-22 19:36:32.000000000 -0400
42470 @@ -1437,7 +1437,7 @@ static void m66592_fifo_flush(struct usb
42471 spin_unlock_irqrestore(&ep->m66592->lock, flags);
42472 }
42473
42474 -static struct usb_ep_ops m66592_ep_ops = {
42475 +static const struct usb_ep_ops m66592_ep_ops = {
42476 .enable = m66592_enable,
42477 .disable = m66592_disable,
42478
42479 @@ -1542,7 +1542,7 @@ static int m66592_get_frame(struct usb_g
42480 return m66592_read(m66592, M66592_FRMNUM) & 0x03FF;
42481 }
42482
42483 -static struct usb_gadget_ops m66592_gadget_ops = {
42484 +static const struct usb_gadget_ops m66592_gadget_ops = {
42485 .get_frame = m66592_get_frame,
42486 };
42487
42488 diff -urNp linux-2.6.39.2/drivers/usb/gadget/mv_udc_core.c linux-2.6.39.2/drivers/usb/gadget/mv_udc_core.c
42489 --- linux-2.6.39.2/drivers/usb/gadget/mv_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42490 +++ linux-2.6.39.2/drivers/usb/gadget/mv_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42491 @@ -972,7 +972,7 @@ static int mv_ep_set_wedge(struct usb_ep
42492 return mv_ep_set_halt_wedge(_ep, 1, 1);
42493 }
42494
42495 -static struct usb_ep_ops mv_ep_ops = {
42496 +static const struct usb_ep_ops mv_ep_ops = {
42497 .enable = mv_ep_enable,
42498 .disable = mv_ep_disable,
42499
42500 diff -urNp linux-2.6.39.2/drivers/usb/gadget/omap_udc.c linux-2.6.39.2/drivers/usb/gadget/omap_udc.c
42501 --- linux-2.6.39.2/drivers/usb/gadget/omap_udc.c 2011-05-19 00:06:34.000000000 -0400
42502 +++ linux-2.6.39.2/drivers/usb/gadget/omap_udc.c 2011-05-22 19:36:32.000000000 -0400
42503 @@ -1177,7 +1177,7 @@ done:
42504 return status;
42505 }
42506
42507 -static struct usb_ep_ops omap_ep_ops = {
42508 +static const struct usb_ep_ops omap_ep_ops = {
42509 .enable = omap_ep_enable,
42510 .disable = omap_ep_disable,
42511
42512 @@ -1374,7 +1374,7 @@ static int omap_pullup(struct usb_gadget
42513 return 0;
42514 }
42515
42516 -static struct usb_gadget_ops omap_gadget_ops = {
42517 +static const struct usb_gadget_ops omap_gadget_ops = {
42518 .get_frame = omap_get_frame,
42519 .wakeup = omap_wakeup,
42520 .set_selfpowered = omap_set_selfpowered,
42521 diff -urNp linux-2.6.39.2/drivers/usb/gadget/pxa25x_udc.c linux-2.6.39.2/drivers/usb/gadget/pxa25x_udc.c
42522 --- linux-2.6.39.2/drivers/usb/gadget/pxa25x_udc.c 2011-05-19 00:06:34.000000000 -0400
42523 +++ linux-2.6.39.2/drivers/usb/gadget/pxa25x_udc.c 2011-05-22 19:36:32.000000000 -0400
42524 @@ -896,7 +896,7 @@ static void pxa25x_ep_fifo_flush(struct
42525 }
42526
42527
42528 -static struct usb_ep_ops pxa25x_ep_ops = {
42529 +static const struct usb_ep_ops pxa25x_ep_ops = {
42530 .enable = pxa25x_ep_enable,
42531 .disable = pxa25x_ep_disable,
42532
42533 diff -urNp linux-2.6.39.2/drivers/usb/gadget/pxa27x_udc.c linux-2.6.39.2/drivers/usb/gadget/pxa27x_udc.c
42534 --- linux-2.6.39.2/drivers/usb/gadget/pxa27x_udc.c 2011-05-19 00:06:34.000000000 -0400
42535 +++ linux-2.6.39.2/drivers/usb/gadget/pxa27x_udc.c 2011-05-22 19:36:32.000000000 -0400
42536 @@ -1491,7 +1491,7 @@ static int pxa_ep_disable(struct usb_ep
42537 return 0;
42538 }
42539
42540 -static struct usb_ep_ops pxa_ep_ops = {
42541 +static const struct usb_ep_ops pxa_ep_ops = {
42542 .enable = pxa_ep_enable,
42543 .disable = pxa_ep_disable,
42544
42545 diff -urNp linux-2.6.39.2/drivers/usb/gadget/r8a66597-udc.c linux-2.6.39.2/drivers/usb/gadget/r8a66597-udc.c
42546 --- linux-2.6.39.2/drivers/usb/gadget/r8a66597-udc.c 2011-05-19 00:06:34.000000000 -0400
42547 +++ linux-2.6.39.2/drivers/usb/gadget/r8a66597-udc.c 2011-05-22 19:36:32.000000000 -0400
42548 @@ -1392,7 +1392,7 @@ static void r8a66597_fifo_flush(struct u
42549 spin_unlock_irqrestore(&ep->r8a66597->lock, flags);
42550 }
42551
42552 -static struct usb_ep_ops r8a66597_ep_ops = {
42553 +static const struct usb_ep_ops r8a66597_ep_ops = {
42554 .enable = r8a66597_enable,
42555 .disable = r8a66597_disable,
42556
42557 @@ -1497,7 +1497,7 @@ static int r8a66597_get_frame(struct usb
42558 return r8a66597_read(r8a66597, FRMNUM) & 0x03FF;
42559 }
42560
42561 -static struct usb_gadget_ops r8a66597_gadget_ops = {
42562 +static const struct usb_gadget_ops r8a66597_gadget_ops = {
42563 .get_frame = r8a66597_get_frame,
42564 };
42565
42566 diff -urNp linux-2.6.39.2/drivers/usb/gadget/s3c-hsotg.c linux-2.6.39.2/drivers/usb/gadget/s3c-hsotg.c
42567 --- linux-2.6.39.2/drivers/usb/gadget/s3c-hsotg.c 2011-05-19 00:06:34.000000000 -0400
42568 +++ linux-2.6.39.2/drivers/usb/gadget/s3c-hsotg.c 2011-05-22 19:36:32.000000000 -0400
42569 @@ -2461,7 +2461,7 @@ static int s3c_hsotg_ep_sethalt(struct u
42570 return 0;
42571 }
42572
42573 -static struct usb_ep_ops s3c_hsotg_ep_ops = {
42574 +static const struct usb_ep_ops s3c_hsotg_ep_ops = {
42575 .enable = s3c_hsotg_ep_enable,
42576 .disable = s3c_hsotg_ep_disable,
42577 .alloc_request = s3c_hsotg_ep_alloc_request,
42578 @@ -2725,7 +2725,7 @@ static int s3c_hsotg_gadget_getframe(str
42579 return s3c_hsotg_read_frameno(to_hsotg(gadget));
42580 }
42581
42582 -static struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42583 +static const struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42584 .get_frame = s3c_hsotg_gadget_getframe,
42585 };
42586
42587 diff -urNp linux-2.6.39.2/drivers/usb/gadget/uvc_queue.c linux-2.6.39.2/drivers/usb/gadget/uvc_queue.c
42588 --- linux-2.6.39.2/drivers/usb/gadget/uvc_queue.c 2011-05-19 00:06:34.000000000 -0400
42589 +++ linux-2.6.39.2/drivers/usb/gadget/uvc_queue.c 2011-05-22 19:36:32.000000000 -0400
42590 @@ -400,7 +400,7 @@ static void uvc_vm_close(struct vm_area_
42591 buffer->vma_use_count--;
42592 }
42593
42594 -static struct vm_operations_struct uvc_vm_ops = {
42595 +static const struct vm_operations_struct uvc_vm_ops = {
42596 .open = uvc_vm_open,
42597 .close = uvc_vm_close,
42598 };
42599 diff -urNp linux-2.6.39.2/drivers/usb/host/ehci-fsl.c linux-2.6.39.2/drivers/usb/host/ehci-fsl.c
42600 --- linux-2.6.39.2/drivers/usb/host/ehci-fsl.c 2011-05-19 00:06:34.000000000 -0400
42601 +++ linux-2.6.39.2/drivers/usb/host/ehci-fsl.c 2011-05-22 19:36:32.000000000 -0400
42602 @@ -380,7 +380,7 @@ static int ehci_fsl_drv_restore(struct d
42603 return 0;
42604 }
42605
42606 -static struct dev_pm_ops ehci_fsl_pm_ops = {
42607 +static const struct dev_pm_ops ehci_fsl_pm_ops = {
42608 .suspend = ehci_fsl_drv_suspend,
42609 .resume = ehci_fsl_drv_resume,
42610 .restore = ehci_fsl_drv_restore,
42611 diff -urNp linux-2.6.39.2/drivers/usb/host/xhci-mem.c linux-2.6.39.2/drivers/usb/host/xhci-mem.c
42612 --- linux-2.6.39.2/drivers/usb/host/xhci-mem.c 2011-06-25 12:55:23.000000000 -0400
42613 +++ linux-2.6.39.2/drivers/usb/host/xhci-mem.c 2011-06-25 13:00:26.000000000 -0400
42614 @@ -1680,6 +1680,8 @@ static int xhci_check_trb_in_td_math(str
42615 unsigned int num_tests;
42616 int i, ret;
42617
42618 + pax_track_stack();
42619 +
42620 num_tests = ARRAY_SIZE(simple_test_vector);
42621 for (i = 0; i < num_tests; i++) {
42622 ret = xhci_test_trb_in_td(xhci,
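Review bot: The added `pax_track_stack();` in xhci_check_trb_in_td_math() has no comment saying why this function needs manual stack tracking. The test vectors passed to `ARRAY_SIZE()` are presumably large automatic arrays declared above the hunk, so a one-line comment such as `/* large on-stack test vectors: record stack depth for STACKLEAK */` would tell a later reader when the call can be dropped. If those vectors are locals, declaring them `static const` would shrink the frame and remove the need for the call. The same uncommented call is added to fb_set_var() and do_fb_ioctl() in drivers/video/fbmem.c; all three function bodies extend beyond their hunks.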
42623 diff -urNp linux-2.6.39.2/drivers/usb/mon/mon_main.c linux-2.6.39.2/drivers/usb/mon/mon_main.c
42624 --- linux-2.6.39.2/drivers/usb/mon/mon_main.c 2011-05-19 00:06:34.000000000 -0400
42625 +++ linux-2.6.39.2/drivers/usb/mon/mon_main.c 2011-05-22 19:36:32.000000000 -0400
42626 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
42627 /*
42628 * Ops
42629 */
42630 -static struct usb_mon_operations mon_ops_0 = {
42631 +static const struct usb_mon_operations mon_ops_0 = {
42632 .urb_submit = mon_submit,
42633 .urb_submit_error = mon_submit_error,
42634 .urb_complete = mon_complete,
42635 diff -urNp linux-2.6.39.2/drivers/usb/musb/cppi_dma.h linux-2.6.39.2/drivers/usb/musb/cppi_dma.h
42636 --- linux-2.6.39.2/drivers/usb/musb/cppi_dma.h 2011-05-19 00:06:34.000000000 -0400
42637 +++ linux-2.6.39.2/drivers/usb/musb/cppi_dma.h 2011-05-22 19:36:32.000000000 -0400
42638 @@ -113,7 +113,7 @@ struct cppi_channel {
42639
42640 /* CPPI DMA controller object */
42641 struct cppi {
42642 - struct dma_controller controller;
42643 + const struct dma_controller controller;
42644 struct musb *musb;
42645 void __iomem *mregs; /* Mentor regs */
42646 void __iomem *tibase; /* TI/CPPI regs */
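Review bot: Marking the embedded `controller` member of struct cppi as `const` gives compile-time protection only, because the member lives inside an object that is presumably allocated at runtime and so stays in writable memory. Any code that fills in the controller's callbacks after allocation (not visible in this hunk) would then need to write through a cast, and that site deserves a comment such as `/* one-time init of const member */`. If runtime write protection is the goal, a `static const` ops table reached through a `const` pointer achieves it. The same applies to `const struct file_operations misc_fops` inside struct pxa3xx_gcu_priv in drivers/video/pxa3xx-gcu.c. Both struct definitions continue outside their hunks.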
42647 diff -urNp linux-2.6.39.2/drivers/usb/otg/msm_otg.c linux-2.6.39.2/drivers/usb/otg/msm_otg.c
42648 --- linux-2.6.39.2/drivers/usb/otg/msm_otg.c 2011-05-19 00:06:34.000000000 -0400
42649 +++ linux-2.6.39.2/drivers/usb/otg/msm_otg.c 2011-05-22 19:36:32.000000000 -0400
42650 @@ -95,7 +95,7 @@ static int ulpi_write(struct otg_transce
42651 return 0;
42652 }
42653
42654 -static struct otg_io_access_ops msm_otg_io_ops = {
42655 +static const struct otg_io_access_ops msm_otg_io_ops = {
42656 .read = ulpi_read,
42657 .write = ulpi_write,
42658 };
42659 diff -urNp linux-2.6.39.2/drivers/usb/otg/ulpi_viewport.c linux-2.6.39.2/drivers/usb/otg/ulpi_viewport.c
42660 --- linux-2.6.39.2/drivers/usb/otg/ulpi_viewport.c 2011-05-19 00:06:34.000000000 -0400
42661 +++ linux-2.6.39.2/drivers/usb/otg/ulpi_viewport.c 2011-05-22 19:36:32.000000000 -0400
42662 @@ -74,7 +74,7 @@ static int ulpi_viewport_write(struct ot
42663 return ulpi_viewport_wait(view, ULPI_VIEW_RUN);
42664 }
42665
42666 -struct otg_io_access_ops ulpi_viewport_access_ops = {
42667 +const struct otg_io_access_ops ulpi_viewport_access_ops = {
42668 .read = ulpi_viewport_read,
42669 .write = ulpi_viewport_write,
42670 };
42671 diff -urNp linux-2.6.39.2/drivers/usb/serial/ftdi_sio.c linux-2.6.39.2/drivers/usb/serial/ftdi_sio.c
42672 --- linux-2.6.39.2/drivers/usb/serial/ftdi_sio.c 2011-06-25 12:55:23.000000000 -0400
42673 +++ linux-2.6.39.2/drivers/usb/serial/ftdi_sio.c 2011-06-25 13:00:26.000000000 -0400
42674 @@ -104,27 +104,27 @@ static int ftdi_stmclite_probe(struct
42675 static void ftdi_USB_UIRT_setup(struct ftdi_private *priv);
42676 static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv);
42677
42678 -static struct ftdi_sio_quirk ftdi_jtag_quirk = {
42679 +static const struct ftdi_sio_quirk ftdi_jtag_quirk = {
42680 .probe = ftdi_jtag_probe,
42681 };
42682
42683 -static struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42684 +static const struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42685 .probe = ftdi_mtxorb_hack_setup,
42686 };
42687
42688 -static struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42689 +static const struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42690 .probe = ftdi_NDI_device_setup,
42691 };
42692
42693 -static struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42694 +static const struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42695 .port_probe = ftdi_USB_UIRT_setup,
42696 };
42697
42698 -static struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42699 +static const struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42700 .port_probe = ftdi_HE_TIRA1_setup,
42701 };
42702
42703 -static struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42704 +static const struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42705 .probe = ftdi_stmclite_probe,
42706 };
42707
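Review bot: The six `ftdi_sio_quirk` objects become `const`, but the qualifier is lost if their addresses are handed over through an integer field of the device-id table, as is usual for USB serial quirks (the table is outside this hunk). The consumer that casts the value back should then use a pointer to const, e.g. `const struct ftdi_sio_quirk *quirk = (const struct ftdi_sio_quirk *)id->driver_info;`. Otherwise a store through the unqualified pointer would compile and then fault on read-only data. That lookup is worth checking alongside this change.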
42708 diff -urNp linux-2.6.39.2/drivers/usb/wusbcore/wa-hc.h linux-2.6.39.2/drivers/usb/wusbcore/wa-hc.h
42709 --- linux-2.6.39.2/drivers/usb/wusbcore/wa-hc.h 2011-05-19 00:06:34.000000000 -0400
42710 +++ linux-2.6.39.2/drivers/usb/wusbcore/wa-hc.h 2011-05-22 19:36:32.000000000 -0400
42711 @@ -192,7 +192,7 @@ struct wahc {
42712 struct list_head xfer_delayed_list;
42713 spinlock_t xfer_list_lock;
42714 struct work_struct xfer_work;
42715 - atomic_t xfer_id_count;
42716 + atomic_unchecked_t xfer_id_count;
42717 };
42718
42719
42720 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
42721 INIT_LIST_HEAD(&wa->xfer_delayed_list);
42722 spin_lock_init(&wa->xfer_list_lock);
42723 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
42724 - atomic_set(&wa->xfer_id_count, 1);
42725 + atomic_set_unchecked(&wa->xfer_id_count, 1);
42726 }
42727
42728 /**
42729 diff -urNp linux-2.6.39.2/drivers/usb/wusbcore/wa-xfer.c linux-2.6.39.2/drivers/usb/wusbcore/wa-xfer.c
42730 --- linux-2.6.39.2/drivers/usb/wusbcore/wa-xfer.c 2011-05-19 00:06:34.000000000 -0400
42731 +++ linux-2.6.39.2/drivers/usb/wusbcore/wa-xfer.c 2011-05-22 19:36:32.000000000 -0400
42732 @@ -294,7 +294,7 @@ out:
42733 */
42734 static void wa_xfer_id_init(struct wa_xfer *xfer)
42735 {
42736 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
42737 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
42738 }
42739
42740 /*
42741 diff -urNp linux-2.6.39.2/drivers/vhost/vhost.c linux-2.6.39.2/drivers/vhost/vhost.c
42742 --- linux-2.6.39.2/drivers/vhost/vhost.c 2011-05-19 00:06:34.000000000 -0400
42743 +++ linux-2.6.39.2/drivers/vhost/vhost.c 2011-05-22 19:36:32.000000000 -0400
42744 @@ -580,7 +580,7 @@ static int init_used(struct vhost_virtqu
42745 return get_user(vq->last_used_idx, &used->idx);
42746 }
42747
42748 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
42749 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
42750 {
42751 struct file *eventfp, *filep = NULL,
42752 *pollstart = NULL, *pollstop = NULL;
42753 diff -urNp linux-2.6.39.2/drivers/video/backlight/corgi_lcd.c linux-2.6.39.2/drivers/video/backlight/corgi_lcd.c
42754 --- linux-2.6.39.2/drivers/video/backlight/corgi_lcd.c 2011-05-19 00:06:34.000000000 -0400
42755 +++ linux-2.6.39.2/drivers/video/backlight/corgi_lcd.c 2011-05-22 19:36:32.000000000 -0400
42756 @@ -383,7 +383,7 @@ static int corgi_lcd_get_power(struct lc
42757 return lcd->power;
42758 }
42759
42760 -static struct lcd_ops corgi_lcd_ops = {
42761 +static const struct lcd_ops corgi_lcd_ops = {
42762 .get_power = corgi_lcd_get_power,
42763 .set_power = corgi_lcd_set_power,
42764 .set_mode = corgi_lcd_set_mode,
42765 diff -urNp linux-2.6.39.2/drivers/video/backlight/cr_bllcd.c linux-2.6.39.2/drivers/video/backlight/cr_bllcd.c
42766 --- linux-2.6.39.2/drivers/video/backlight/cr_bllcd.c 2011-05-19 00:06:34.000000000 -0400
42767 +++ linux-2.6.39.2/drivers/video/backlight/cr_bllcd.c 2011-05-22 19:36:32.000000000 -0400
42768 @@ -165,7 +165,7 @@ static int cr_lcd_set_power(struct lcd_d
42769 return 0;
42770 }
42771
42772 -static struct lcd_ops cr_lcd_ops = {
42773 +static const struct lcd_ops cr_lcd_ops = {
42774 .set_power = cr_lcd_set_power,
42775 };
42776
42777 diff -urNp linux-2.6.39.2/drivers/video/backlight/ili9320.c linux-2.6.39.2/drivers/video/backlight/ili9320.c
42778 --- linux-2.6.39.2/drivers/video/backlight/ili9320.c 2011-05-19 00:06:34.000000000 -0400
42779 +++ linux-2.6.39.2/drivers/video/backlight/ili9320.c 2011-05-22 19:36:32.000000000 -0400
42780 @@ -166,7 +166,7 @@ static int ili9320_get_power(struct lcd_
42781 return lcd->power;
42782 }
42783
42784 -static struct lcd_ops ili9320_ops = {
42785 +static const struct lcd_ops ili9320_ops = {
42786 .get_power = ili9320_get_power,
42787 .set_power = ili9320_set_power,
42788 };
42789 diff -urNp linux-2.6.39.2/drivers/video/backlight/jornada720_lcd.c linux-2.6.39.2/drivers/video/backlight/jornada720_lcd.c
42790 --- linux-2.6.39.2/drivers/video/backlight/jornada720_lcd.c 2011-05-19 00:06:34.000000000 -0400
42791 +++ linux-2.6.39.2/drivers/video/backlight/jornada720_lcd.c 2011-05-22 19:36:32.000000000 -0400
42792 @@ -87,7 +87,7 @@ static int jornada_lcd_set_power(struct
42793 return 0;
42794 }
42795
42796 -static struct lcd_ops jornada_lcd_props = {
42797 +static const struct lcd_ops jornada_lcd_props = {
42798 .get_contrast = jornada_lcd_get_contrast,
42799 .set_contrast = jornada_lcd_set_contrast,
42800 .get_power = jornada_lcd_get_power,
42801 diff -urNp linux-2.6.39.2/drivers/video/backlight/l4f00242t03.c linux-2.6.39.2/drivers/video/backlight/l4f00242t03.c
42802 --- linux-2.6.39.2/drivers/video/backlight/l4f00242t03.c 2011-05-19 00:06:34.000000000 -0400
42803 +++ linux-2.6.39.2/drivers/video/backlight/l4f00242t03.c 2011-05-22 19:36:32.000000000 -0400
42804 @@ -149,7 +149,7 @@ static int l4f00242t03_lcd_power_set(str
42805 return 0;
42806 }
42807
42808 -static struct lcd_ops l4f_ops = {
42809 +static const struct lcd_ops l4f_ops = {
42810 .set_power = l4f00242t03_lcd_power_set,
42811 .get_power = l4f00242t03_lcd_power_get,
42812 };
42813 diff -urNp linux-2.6.39.2/drivers/video/backlight/lcd.c linux-2.6.39.2/drivers/video/backlight/lcd.c
42814 --- linux-2.6.39.2/drivers/video/backlight/lcd.c 2011-05-19 00:06:34.000000000 -0400
42815 +++ linux-2.6.39.2/drivers/video/backlight/lcd.c 2011-05-22 19:36:32.000000000 -0400
42816 @@ -192,7 +192,7 @@ static struct device_attribute lcd_devic
42817 * or a pointer to the newly allocated device.
42818 */
42819 struct lcd_device *lcd_device_register(const char *name, struct device *parent,
42820 - void *devdata, struct lcd_ops *ops)
42821 + void *devdata, const struct lcd_ops *ops)
42822 {
42823 struct lcd_device *new_ld;
42824 int rc;
42825 diff -urNp linux-2.6.39.2/drivers/video/backlight/ld9040.c linux-2.6.39.2/drivers/video/backlight/ld9040.c
42826 --- linux-2.6.39.2/drivers/video/backlight/ld9040.c 2011-05-19 00:06:34.000000000 -0400
42827 +++ linux-2.6.39.2/drivers/video/backlight/ld9040.c 2011-05-22 19:36:32.000000000 -0400
42828 @@ -651,7 +651,7 @@ static int ld9040_set_brightness(struct
42829 return ret;
42830 }
42831
42832 -static struct lcd_ops ld9040_lcd_ops = {
42833 +static const struct lcd_ops ld9040_lcd_ops = {
42834 .set_power = ld9040_set_power,
42835 .get_power = ld9040_get_power,
42836 };
42837 diff -urNp linux-2.6.39.2/drivers/video/backlight/lms283gf05.c linux-2.6.39.2/drivers/video/backlight/lms283gf05.c
42838 --- linux-2.6.39.2/drivers/video/backlight/lms283gf05.c 2011-05-19 00:06:34.000000000 -0400
42839 +++ linux-2.6.39.2/drivers/video/backlight/lms283gf05.c 2011-05-22 19:36:32.000000000 -0400
42840 @@ -144,7 +144,7 @@ static int lms283gf05_power_set(struct l
42841 return 0;
42842 }
42843
42844 -static struct lcd_ops lms_ops = {
42845 +static const struct lcd_ops lms_ops = {
42846 .set_power = lms283gf05_power_set,
42847 .get_power = NULL,
42848 };
42849 diff -urNp linux-2.6.39.2/drivers/video/backlight/ltv350qv.c linux-2.6.39.2/drivers/video/backlight/ltv350qv.c
42850 --- linux-2.6.39.2/drivers/video/backlight/ltv350qv.c 2011-05-19 00:06:34.000000000 -0400
42851 +++ linux-2.6.39.2/drivers/video/backlight/ltv350qv.c 2011-05-22 19:36:32.000000000 -0400
42852 @@ -221,7 +221,7 @@ static int ltv350qv_get_power(struct lcd
42853 return lcd->power;
42854 }
42855
42856 -static struct lcd_ops ltv_ops = {
42857 +static const struct lcd_ops ltv_ops = {
42858 .get_power = ltv350qv_get_power,
42859 .set_power = ltv350qv_set_power,
42860 };
42861 diff -urNp linux-2.6.39.2/drivers/video/backlight/platform_lcd.c linux-2.6.39.2/drivers/video/backlight/platform_lcd.c
42862 --- linux-2.6.39.2/drivers/video/backlight/platform_lcd.c 2011-05-19 00:06:34.000000000 -0400
42863 +++ linux-2.6.39.2/drivers/video/backlight/platform_lcd.c 2011-05-22 19:36:32.000000000 -0400
42864 @@ -66,7 +66,7 @@ static int platform_lcd_match(struct lcd
42865 return plcd->us->parent == info->device;
42866 }
42867
42868 -static struct lcd_ops platform_lcd_ops = {
42869 +static const struct lcd_ops platform_lcd_ops = {
42870 .get_power = platform_lcd_get_power,
42871 .set_power = platform_lcd_set_power,
42872 .check_fb = platform_lcd_match,
42873 diff -urNp linux-2.6.39.2/drivers/video/backlight/s6e63m0.c linux-2.6.39.2/drivers/video/backlight/s6e63m0.c
42874 --- linux-2.6.39.2/drivers/video/backlight/s6e63m0.c 2011-05-19 00:06:34.000000000 -0400
42875 +++ linux-2.6.39.2/drivers/video/backlight/s6e63m0.c 2011-05-22 19:36:32.000000000 -0400
42876 @@ -644,7 +644,7 @@ static int s6e63m0_set_brightness(struct
42877 return ret;
42878 }
42879
42880 -static struct lcd_ops s6e63m0_lcd_ops = {
42881 +static const struct lcd_ops s6e63m0_lcd_ops = {
42882 .set_power = s6e63m0_set_power,
42883 .get_power = s6e63m0_get_power,
42884 };
42885 diff -urNp linux-2.6.39.2/drivers/video/backlight/tdo24m.c linux-2.6.39.2/drivers/video/backlight/tdo24m.c
42886 --- linux-2.6.39.2/drivers/video/backlight/tdo24m.c 2011-05-19 00:06:34.000000000 -0400
42887 +++ linux-2.6.39.2/drivers/video/backlight/tdo24m.c 2011-05-22 19:36:32.000000000 -0400
42888 @@ -322,7 +322,7 @@ static int tdo24m_set_mode(struct lcd_de
42889 return lcd->adj_mode(lcd, mode);
42890 }
42891
42892 -static struct lcd_ops tdo24m_ops = {
42893 +static const struct lcd_ops tdo24m_ops = {
42894 .get_power = tdo24m_get_power,
42895 .set_power = tdo24m_set_power,
42896 .set_mode = tdo24m_set_mode,
42897 diff -urNp linux-2.6.39.2/drivers/video/backlight/tosa_lcd.c linux-2.6.39.2/drivers/video/backlight/tosa_lcd.c
42898 --- linux-2.6.39.2/drivers/video/backlight/tosa_lcd.c 2011-05-19 00:06:34.000000000 -0400
42899 +++ linux-2.6.39.2/drivers/video/backlight/tosa_lcd.c 2011-05-22 19:36:32.000000000 -0400
42900 @@ -163,7 +163,7 @@ static int tosa_lcd_set_mode(struct lcd_
42901 return 0;
42902 }
42903
42904 -static struct lcd_ops tosa_lcd_ops = {
42905 +static const struct lcd_ops tosa_lcd_ops = {
42906 .set_power = tosa_lcd_set_power,
42907 .get_power = tosa_lcd_get_power,
42908 .set_mode = tosa_lcd_set_mode,
42909 diff -urNp linux-2.6.39.2/drivers/video/bf537-lq035.c linux-2.6.39.2/drivers/video/bf537-lq035.c
42910 --- linux-2.6.39.2/drivers/video/bf537-lq035.c 2011-05-19 00:06:34.000000000 -0400
42911 +++ linux-2.6.39.2/drivers/video/bf537-lq035.c 2011-05-22 19:36:32.000000000 -0400
42912 @@ -682,7 +682,7 @@ static int bfin_lcd_check_fb(struct lcd_
42913 return 0;
42914 }
42915
42916 -static struct lcd_ops bfin_lcd_ops = {
42917 +static const struct lcd_ops bfin_lcd_ops = {
42918 .get_power = bfin_lcd_get_power,
42919 .set_power = bfin_lcd_set_power,
42920 .get_contrast = bfin_lcd_get_contrast,
42921 diff -urNp linux-2.6.39.2/drivers/video/bf54x-lq043fb.c linux-2.6.39.2/drivers/video/bf54x-lq043fb.c
42922 --- linux-2.6.39.2/drivers/video/bf54x-lq043fb.c 2011-05-19 00:06:34.000000000 -0400
42923 +++ linux-2.6.39.2/drivers/video/bf54x-lq043fb.c 2011-05-22 19:36:32.000000000 -0400
42924 @@ -467,7 +467,7 @@ static int bfin_lcd_check_fb(struct lcd_
42925 return 0;
42926 }
42927
42928 -static struct lcd_ops bfin_lcd_ops = {
42929 +static const struct lcd_ops bfin_lcd_ops = {
42930 .get_power = bfin_lcd_get_power,
42931 .set_power = bfin_lcd_set_power,
42932 .get_contrast = bfin_lcd_get_contrast,
42933 diff -urNp linux-2.6.39.2/drivers/video/bfin-t350mcqb-fb.c linux-2.6.39.2/drivers/video/bfin-t350mcqb-fb.c
42934 --- linux-2.6.39.2/drivers/video/bfin-t350mcqb-fb.c 2011-05-19 00:06:34.000000000 -0400
42935 +++ linux-2.6.39.2/drivers/video/bfin-t350mcqb-fb.c 2011-05-22 19:36:32.000000000 -0400
42936 @@ -387,7 +387,7 @@ static int bfin_lcd_check_fb(struct lcd_
42937 return 0;
42938 }
42939
42940 -static struct lcd_ops bfin_lcd_ops = {
42941 +static const struct lcd_ops bfin_lcd_ops = {
42942 .get_power = bfin_lcd_get_power,
42943 .set_power = bfin_lcd_set_power,
42944 .get_contrast = bfin_lcd_get_contrast,
42945 diff -urNp linux-2.6.39.2/drivers/video/fbcmap.c linux-2.6.39.2/drivers/video/fbcmap.c
42946 --- linux-2.6.39.2/drivers/video/fbcmap.c 2011-05-19 00:06:34.000000000 -0400
42947 +++ linux-2.6.39.2/drivers/video/fbcmap.c 2011-05-22 19:36:32.000000000 -0400
42948 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
42949 rc = -ENODEV;
42950 goto out;
42951 }
42952 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
42953 - !info->fbops->fb_setcmap)) {
42954 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
42955 rc = -EINVAL;
42956 goto out1;
42957 }
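Review bot: Dropping `cmap->start < 0` leaves no test on `start` in this hunk. The comparison was presumably dead because the field is unsigned, so the removal is sound, but the rest of fb_set_user_cmap() (outside the hunk) should be checked to confirm that `start` and `len` are range-checked before use. A short comment on the remaining condition, e.g. `/* start is unsigned: no lower-bound test needed */`, would record why the check went away. The `con2fb.framebuffer < 0` removal in do_fb_ioctl() (drivers/video/fbmem.c) is the same kind of change; there the `>= FB_MAX` bound remains, and `request_module("fb%d", ...)` would be better with `%u` if the field is unsigned.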
42958 diff -urNp linux-2.6.39.2/drivers/video/fbmem.c linux-2.6.39.2/drivers/video/fbmem.c
42959 --- linux-2.6.39.2/drivers/video/fbmem.c 2011-05-19 00:06:34.000000000 -0400
42960 +++ linux-2.6.39.2/drivers/video/fbmem.c 2011-05-22 19:36:32.000000000 -0400
42961 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
42962 image->dx += image->width + 8;
42963 }
42964 } else if (rotate == FB_ROTATE_UD) {
42965 - for (x = 0; x < num && image->dx >= 0; x++) {
42966 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
42967 info->fbops->fb_imageblit(info, image);
42968 image->dx -= image->width + 8;
42969 }
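Review bot: The `(__s32)image->dx >= 0` loop condition works only because the unsigned coordinate wraps after `image->dx -= image->width + 8` and the wrapped value converts to a negative number, and nothing in the code says so. A comment such as `/* dx is unsigned: the cast catches wrap below zero */` would make that explicit. The cast also ends the loop for any coordinate of 2^31 or more. Testing `image->dx < image->width + 8` before the subtraction would avoid relying on the conversion, provided nothing after the loop depends on the wrapped value. The FB_ROTATE_CCW hunk has the same pattern with `image->dy`. fb_do_show_logo() starts and ends outside both hunks.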
42970 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
42971 image->dy += image->height + 8;
42972 }
42973 } else if (rotate == FB_ROTATE_CCW) {
42974 - for (x = 0; x < num && image->dy >= 0; x++) {
42975 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
42976 info->fbops->fb_imageblit(info, image);
42977 image->dy -= image->height + 8;
42978 }
42979 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
42980 int flags = info->flags;
42981 int ret = 0;
42982
42983 + pax_track_stack();
42984 +
42985 if (var->activate & FB_ACTIVATE_INV_MODE) {
42986 struct fb_videomode mode1, mode2;
42987
42988 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
42989 void __user *argp = (void __user *)arg;
42990 long ret = 0;
42991
42992 + pax_track_stack();
42993 +
42994 switch (cmd) {
42995 case FBIOGET_VSCREENINFO:
42996 if (!lock_fb_info(info))
42997 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
42998 return -EFAULT;
42999 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
43000 return -EINVAL;
43001 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
43002 + if (con2fb.framebuffer >= FB_MAX)
43003 return -EINVAL;
43004 if (!registered_fb[con2fb.framebuffer])
43005 request_module("fb%d", con2fb.framebuffer);
43006 diff -urNp linux-2.6.39.2/drivers/video/geode/display_gx1.c linux-2.6.39.2/drivers/video/geode/display_gx1.c
43007 --- linux-2.6.39.2/drivers/video/geode/display_gx1.c 2011-05-19 00:06:34.000000000 -0400
43008 +++ linux-2.6.39.2/drivers/video/geode/display_gx1.c 2011-05-22 19:36:32.000000000 -0400
43009 @@ -208,7 +208,7 @@ static void gx1_set_hw_palette_reg(struc
43010 writel(val, par->dc_regs + DC_PAL_DATA);
43011 }
43012
43013 -struct geode_dc_ops gx1_dc_ops = {
43014 +const struct geode_dc_ops gx1_dc_ops = {
43015 .set_mode = gx1_set_mode,
43016 .set_palette_reg = gx1_set_hw_palette_reg,
43017 };
43018 diff -urNp linux-2.6.39.2/drivers/video/geode/display_gx1.h linux-2.6.39.2/drivers/video/geode/display_gx1.h
43019 --- linux-2.6.39.2/drivers/video/geode/display_gx1.h 2011-05-19 00:06:34.000000000 -0400
43020 +++ linux-2.6.39.2/drivers/video/geode/display_gx1.h 2011-05-22 19:36:32.000000000 -0400
43021 @@ -18,7 +18,7 @@
43022 unsigned gx1_gx_base(void);
43023 int gx1_frame_buffer_size(void);
43024
43025 -extern struct geode_dc_ops gx1_dc_ops;
43026 +extern const struct geode_dc_ops gx1_dc_ops;
43027
43028 /* GX1 configuration I/O registers */
43029
43030 diff -urNp linux-2.6.39.2/drivers/video/geode/geodefb.h linux-2.6.39.2/drivers/video/geode/geodefb.h
43031 --- linux-2.6.39.2/drivers/video/geode/geodefb.h 2011-05-19 00:06:34.000000000 -0400
43032 +++ linux-2.6.39.2/drivers/video/geode/geodefb.h 2011-05-22 19:36:32.000000000 -0400
43033 @@ -31,8 +31,8 @@ struct geodefb_par {
43034 int panel_y;
43035 void __iomem *dc_regs;
43036 void __iomem *vid_regs;
43037 - struct geode_dc_ops *dc_ops;
43038 - struct geode_vid_ops *vid_ops;
43039 + const struct geode_dc_ops *dc_ops;
43040 + const struct geode_vid_ops *vid_ops;
43041 };
43042
43043 #endif /* !__GEODEFB_H__ */
43044 diff -urNp linux-2.6.39.2/drivers/video/geode/video_cs5530.c linux-2.6.39.2/drivers/video/geode/video_cs5530.c
43045 --- linux-2.6.39.2/drivers/video/geode/video_cs5530.c 2011-05-19 00:06:34.000000000 -0400
43046 +++ linux-2.6.39.2/drivers/video/geode/video_cs5530.c 2011-05-22 19:36:32.000000000 -0400
43047 @@ -186,7 +186,7 @@ static int cs5530_blank_display(struct f
43048 return 0;
43049 }
43050
43051 -struct geode_vid_ops cs5530_vid_ops = {
43052 +const struct geode_vid_ops cs5530_vid_ops = {
43053 .set_dclk = cs5530_set_dclk_frequency,
43054 .configure_display = cs5530_configure_display,
43055 .blank_display = cs5530_blank_display,
43056 diff -urNp linux-2.6.39.2/drivers/video/geode/video_cs5530.h linux-2.6.39.2/drivers/video/geode/video_cs5530.h
43057 --- linux-2.6.39.2/drivers/video/geode/video_cs5530.h 2011-05-19 00:06:34.000000000 -0400
43058 +++ linux-2.6.39.2/drivers/video/geode/video_cs5530.h 2011-05-22 19:36:32.000000000 -0400
43059 @@ -15,7 +15,7 @@
43060 #ifndef __VIDEO_CS5530_H__
43061 #define __VIDEO_CS5530_H__
43062
43063 -extern struct geode_vid_ops cs5530_vid_ops;
43064 +extern const struct geode_vid_ops cs5530_vid_ops;
43065
43066 /* CS5530 Video device registers */
43067
43068 diff -urNp linux-2.6.39.2/drivers/video/i810/i810_accel.c linux-2.6.39.2/drivers/video/i810/i810_accel.c
43069 --- linux-2.6.39.2/drivers/video/i810/i810_accel.c 2011-05-19 00:06:34.000000000 -0400
43070 +++ linux-2.6.39.2/drivers/video/i810/i810_accel.c 2011-05-22 19:36:32.000000000 -0400
43071 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
43072 }
43073 }
43074 printk("ringbuffer lockup!!!\n");
43075 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
43076 i810_report_error(mmio);
43077 par->dev_flags |= LOCKUP;
43078 info->pixmap.scan_align = 1;
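Review bot: The added `printk()` has no log level, so the lockup diagnostic goes out at the default level rather than as an error. `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would match the severity of the event. The `%u` specifiers assume that `head`, `tail`, `space` and `par->iring.size` are unsigned ints; their declarations are outside the hunk and should be confirmed. The existing "ringbuffer lockup!!!" line just above has the same missing level. wait_for_space() begins before the hunk.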
43079 diff -urNp linux-2.6.39.2/drivers/video/matrox/matroxfb_base.c linux-2.6.39.2/drivers/video/matrox/matroxfb_base.c
43080 --- linux-2.6.39.2/drivers/video/matrox/matroxfb_base.c 2011-05-19 00:06:34.000000000 -0400
43081 +++ linux-2.6.39.2/drivers/video/matrox/matroxfb_base.c 2011-05-22 19:36:32.000000000 -0400
43082 @@ -1232,7 +1232,7 @@ static struct fb_ops matroxfb_ops = {
43083 #define RSText 0x7
43084 #define RSText8 0x8
43085 /* 9-F */
43086 -static struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43087 +static const struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43088 { { 0, 8, 0}, { 0, 8, 0}, { 0, 8, 0}, { 0, 0, 0}, 8 },
43089 { { 10, 5, 0}, { 5, 5, 0}, { 0, 5, 0}, { 15, 1, 0}, 16 },
43090 { { 11, 5, 0}, { 5, 6, 0}, { 0, 5, 0}, { 0, 0, 0}, 16 },
43091 diff -urNp linux-2.6.39.2/drivers/video/omap/lcd_ams_delta.c linux-2.6.39.2/drivers/video/omap/lcd_ams_delta.c
43092 --- linux-2.6.39.2/drivers/video/omap/lcd_ams_delta.c 2011-05-19 00:06:34.000000000 -0400
43093 +++ linux-2.6.39.2/drivers/video/omap/lcd_ams_delta.c 2011-05-22 19:36:32.000000000 -0400
43094 @@ -87,7 +87,7 @@ static int ams_delta_lcd_get_contrast(st
43095 return ams_delta_lcd & AMS_DELTA_MAX_CONTRAST;
43096 }
43097
43098 -static struct lcd_ops ams_delta_lcd_ops = {
43099 +static const struct lcd_ops ams_delta_lcd_ops = {
43100 .get_power = ams_delta_lcd_get_power,
43101 .set_power = ams_delta_lcd_set_power,
43102 .get_contrast = ams_delta_lcd_get_contrast,
43103 diff -urNp linux-2.6.39.2/drivers/video/pxa3xx-gcu.c linux-2.6.39.2/drivers/video/pxa3xx-gcu.c
43104 --- linux-2.6.39.2/drivers/video/pxa3xx-gcu.c 2011-05-19 00:06:34.000000000 -0400
43105 +++ linux-2.6.39.2/drivers/video/pxa3xx-gcu.c 2011-05-22 19:36:32.000000000 -0400
43106 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
43107 dma_addr_t shared_phys;
43108 struct resource *resource_mem;
43109 struct miscdevice misc_dev;
43110 - struct file_operations misc_fops;
43111 + const struct file_operations misc_fops;
43112 wait_queue_head_t wait_idle;
43113 wait_queue_head_t wait_free;
43114 spinlock_t spinlock;
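Review bot: Marking `misc_fops` as `const` inside `struct pxa3xx_gcu_priv` gives no write protection, because a member of a dynamically allocated private structure does not end up in read-only data. It also only compiles if nothing assigns to the member after allocation; the structure's users are outside this hunk, but if the probe path fills `priv->misc_fops` field by field the driver will no longer build. A file-scope `static const struct file_operations` table, with `misc_dev.fops` pointed at it, would deliver the intended hardening. The structure definition starts and ends outside the hunk.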
43115 diff -urNp linux-2.6.39.2/drivers/video/sh_mobile_lcdcfb.c linux-2.6.39.2/drivers/video/sh_mobile_lcdcfb.c
43116 --- linux-2.6.39.2/drivers/video/sh_mobile_lcdcfb.c 2011-05-19 00:06:34.000000000 -0400
43117 +++ linux-2.6.39.2/drivers/video/sh_mobile_lcdcfb.c 2011-05-22 19:36:32.000000000 -0400
43118 @@ -245,7 +245,7 @@ static unsigned long lcdc_sys_read_data(
43119 return lcdc_read(ch->lcdc, _LDDRDR) & 0x3ffff;
43120 }
43121
43122 -struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43123 +const struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43124 lcdc_sys_write_index,
43125 lcdc_sys_write_data,
43126 lcdc_sys_read_data,
43127 diff -urNp linux-2.6.39.2/drivers/video/udlfb.c linux-2.6.39.2/drivers/video/udlfb.c
43128 --- linux-2.6.39.2/drivers/video/udlfb.c 2011-05-19 00:06:34.000000000 -0400
43129 +++ linux-2.6.39.2/drivers/video/udlfb.c 2011-05-22 19:36:32.000000000 -0400
43130 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
43131 dlfb_urb_completion(urb);
43132
43133 error:
43134 - atomic_add(bytes_sent, &dev->bytes_sent);
43135 - atomic_add(bytes_identical, &dev->bytes_identical);
43136 - atomic_add(width*height*2, &dev->bytes_rendered);
43137 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43138 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43139 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
43140 end_cycles = get_cycles();
43141 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43142 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43143 >> 10)), /* Kcycles */
43144 &dev->cpu_kcycles_used);
43145
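Review bot: The calls after `error:` switch to `atomic_add_unchecked()` with no comment saying why these counters are exempt from overflow checking. A line such as `/* metrics only, wrapping is harmless: exempt from atomic overflow detection */` above the first call would show that the choice is deliberate and that these are statistics, not reference counts. The same applies to the matching hunks in `dlfb_dpy_deferred_io()`, the four `metrics_*_show()` functions and `metrics_reset_store()`. The declarations of the four fields, which presumably have to change type to match, are not among this file's hunks.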
43146 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
43147 dlfb_urb_completion(urb);
43148
43149 error:
43150 - atomic_add(bytes_sent, &dev->bytes_sent);
43151 - atomic_add(bytes_identical, &dev->bytes_identical);
43152 - atomic_add(bytes_rendered, &dev->bytes_rendered);
43153 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43154 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43155 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
43156 end_cycles = get_cycles();
43157 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43158 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43159 >> 10)), /* Kcycles */
43160 &dev->cpu_kcycles_used);
43161 }
43162 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
43163 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43164 struct dlfb_data *dev = fb_info->par;
43165 return snprintf(buf, PAGE_SIZE, "%u\n",
43166 - atomic_read(&dev->bytes_rendered));
43167 + atomic_read_unchecked(&dev->bytes_rendered));
43168 }
43169
43170 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
43171 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
43172 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43173 struct dlfb_data *dev = fb_info->par;
43174 return snprintf(buf, PAGE_SIZE, "%u\n",
43175 - atomic_read(&dev->bytes_identical));
43176 + atomic_read_unchecked(&dev->bytes_identical));
43177 }
43178
43179 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
43180 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
43181 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43182 struct dlfb_data *dev = fb_info->par;
43183 return snprintf(buf, PAGE_SIZE, "%u\n",
43184 - atomic_read(&dev->bytes_sent));
43185 + atomic_read_unchecked(&dev->bytes_sent));
43186 }
43187
43188 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
43189 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
43190 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43191 struct dlfb_data *dev = fb_info->par;
43192 return snprintf(buf, PAGE_SIZE, "%u\n",
43193 - atomic_read(&dev->cpu_kcycles_used));
43194 + atomic_read_unchecked(&dev->cpu_kcycles_used));
43195 }
43196
43197 static ssize_t edid_show(
43198 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
43199 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43200 struct dlfb_data *dev = fb_info->par;
43201
43202 - atomic_set(&dev->bytes_rendered, 0);
43203 - atomic_set(&dev->bytes_identical, 0);
43204 - atomic_set(&dev->bytes_sent, 0);
43205 - atomic_set(&dev->cpu_kcycles_used, 0);
43206 + atomic_set_unchecked(&dev->bytes_rendered, 0);
43207 + atomic_set_unchecked(&dev->bytes_identical, 0);
43208 + atomic_set_unchecked(&dev->bytes_sent, 0);
43209 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
43210
43211 return count;
43212 }
43213 diff -urNp linux-2.6.39.2/drivers/video/uvesafb.c linux-2.6.39.2/drivers/video/uvesafb.c
43214 --- linux-2.6.39.2/drivers/video/uvesafb.c 2011-05-19 00:06:34.000000000 -0400
43215 +++ linux-2.6.39.2/drivers/video/uvesafb.c 2011-05-22 19:36:32.000000000 -0400
43216 @@ -19,6 +19,7 @@
43217 #include <linux/io.h>
43218 #include <linux/mutex.h>
43219 #include <linux/slab.h>
43220 +#include <linux/moduleloader.h>
43221 #include <video/edid.h>
43222 #include <video/uvesafb.h>
43223 #ifdef CONFIG_X86
43224 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
43225 NULL,
43226 };
43227
43228 - return call_usermodehelper(v86d_path, argv, envp, 1);
43229 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43230 }
43231
43232 /*
43233 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
43234 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43235 par->pmi_setpal = par->ypan = 0;
43236 } else {
43237 +
43238 +#ifdef CONFIG_PAX_KERNEXEC
43239 +#ifdef CONFIG_MODULES
43240 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43241 +#endif
43242 + if (!par->pmi_code) {
43243 + par->pmi_setpal = par->ypan = 0;
43244 + return 0;
43245 + }
43246 +#endif
43247 +
43248 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43249 + task->t.regs.edi);
43250 +
43251 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43252 + pax_open_kernel();
43253 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43254 + pax_close_kernel();
43255 +
43256 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43257 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43258 +#else
43259 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43260 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43261 +#endif
43262 +
43263 printk(KERN_INFO "uvesafb: protected mode interface info at "
43264 "%04x:%04x\n",
43265 (u16)task->t.regs.es, (u16)task->t.regs.edi);
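Review bot: In the KERNEXEC branch, `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared to the copied length `(u16)task->t.regs.ecx`, so a firmware table with an offset at or beyond that length yields an entry point outside the executable buffer. The offsets should be checked right after the copy, and on failure the buffer released and the interface disabled the same way the allocation-failure path does. The vesafb hunk that computes `pmi_start = (void*)((char*)pmi_code + pmi_base[1]);` has the same gap, with `screen_info.vesapm_size` as the bound. `uvesafb_vbe_getpmi()` starts and ends outside this hunk.

```c
	pax_close_kernel();

	/* entry offsets come from the firmware table: keep them inside the copy */
	if (par->pmi_base[1] >= (u16)task->t.regs.ecx ||
	    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
		module_free_exec(NULL, par->pmi_code);
		par->pmi_code = NULL;
		par->pmi_setpal = par->ypan = 0;
		return 0;
	}
	/* … unchanged: pmi_start / pmi_pal assignment via ktva_ktla() … */
```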
43266 @@ -1821,6 +1844,11 @@ out:
43267 if (par->vbe_modes)
43268 kfree(par->vbe_modes);
43269
43270 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43271 + if (par->pmi_code)
43272 + module_free_exec(NULL, par->pmi_code);
43273 +#endif
43274 +
43275 framebuffer_release(info);
43276 return err;
43277 }
43278 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
43279 kfree(par->vbe_state_orig);
43280 if (par->vbe_state_saved)
43281 kfree(par->vbe_state_saved);
43282 +
43283 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43284 + if (par->pmi_code)
43285 + module_free_exec(NULL, par->pmi_code);
43286 +#endif
43287 +
43288 }
43289
43290 framebuffer_release(info);
43291 @@ -2013,7 +2047,7 @@ static int param_set_scroll(const char *
43292
43293 return 0;
43294 }
43295 -static struct kernel_param_ops param_ops_scroll = {
43296 +static const struct kernel_param_ops param_ops_scroll = {
43297 .set = param_set_scroll,
43298 };
43299 #define param_check_scroll(name, p) __param_check(name, p, void)
43300 diff -urNp linux-2.6.39.2/drivers/video/vesafb.c linux-2.6.39.2/drivers/video/vesafb.c
43301 --- linux-2.6.39.2/drivers/video/vesafb.c 2011-05-19 00:06:34.000000000 -0400
43302 +++ linux-2.6.39.2/drivers/video/vesafb.c 2011-05-22 19:36:32.000000000 -0400
43303 @@ -9,6 +9,7 @@
43304 */
43305
43306 #include <linux/module.h>
43307 +#include <linux/moduleloader.h>
43308 #include <linux/kernel.h>
43309 #include <linux/errno.h>
43310 #include <linux/string.h>
43311 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
43312 static int vram_total __initdata; /* Set total amount of memory */
43313 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43314 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43315 -static void (*pmi_start)(void) __read_mostly;
43316 -static void (*pmi_pal) (void) __read_mostly;
43317 +static void (*pmi_start)(void) __read_only;
43318 +static void (*pmi_pal) (void) __read_only;
43319 static int depth __read_mostly;
43320 static int vga_compat __read_mostly;
43321 /* --------------------------------------------------------------------- */
43322 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
43323 unsigned int size_vmode;
43324 unsigned int size_remap;
43325 unsigned int size_total;
43326 + void *pmi_code = NULL;
43327
43328 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43329 return -ENODEV;
43330 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
43331 size_remap = size_total;
43332 vesafb_fix.smem_len = size_remap;
43333
43334 -#ifndef __i386__
43335 - screen_info.vesapm_seg = 0;
43336 -#endif
43337 -
43338 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43339 printk(KERN_WARNING
43340 "vesafb: cannot reserve video memory at 0x%lx\n",
43341 @@ -306,9 +304,21 @@ static int __init vesafb_probe(struct pl
43342 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43343 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43344
43345 +#ifdef __i386__
43346 +
43347 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43348 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43349 + if (!pmi_code)
43350 +#elif !defined(CONFIG_PAX_KERNEXEC)
43351 + if (0)
43352 +#endif
43353 +
43354 +#endif
43355 + screen_info.vesapm_seg = 0;
43356 +
43357 if (screen_info.vesapm_seg) {
43358 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43359 - screen_info.vesapm_seg,screen_info.vesapm_off);
43360 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43361 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43362 }
43363
43364 if (screen_info.vesapm_seg < 0xc000)
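Review bot: `module_alloc_exec(screen_info.vesapm_size)` runs before the code knows whether the protected mode interface will be used. When `vesapm_seg` is below 0xc000, or both `ypan` and `pmi_setpal` end up zero, the executable buffer is allocated and never referenced, and the only release visible in this patch is on the `err:` path. Allocating inside the later `if (ypan || pmi_setpal)` block, or freeing when that block is skipped, would avoid keeping an unused executable mapping. Separately, `screen_info.vesapm_seg = 0;` is the body of an `if` that exists only in some configurations; a comment such as `/* unconditional off i386, and on i386 with KERNEXEC but without MODULES */` above it would prevent misreading. `vesafb_probe()` starts and ends outside this hunk.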
43365 @@ -316,9 +326,25 @@ static int __init vesafb_probe(struct pl
43366
43367 if (ypan || pmi_setpal) {
43368 unsigned short *pmi_base;
43369 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43370 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43371 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43372 +
43373 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43374 +
43375 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43376 + pax_open_kernel();
43377 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43378 +#else
43379 + pmi_code = pmi_base;
43380 +#endif
43381 +
43382 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43383 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43384 +
43385 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43386 + pmi_start = ktva_ktla(pmi_start);
43387 + pmi_pal = ktva_ktla(pmi_pal);
43388 + pax_close_kernel();
43389 +#endif
43390 +
43391 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43392 if (pmi_base[3]) {
43393 printk(KERN_INFO "vesafb: pmi: ports = ");
43394 @@ -487,6 +513,11 @@ static int __init vesafb_probe(struct pl
43395 info->node, info->fix.id);
43396 return 0;
43397 err:
43398 +
43399 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43400 + module_free_exec(NULL, pmi_code);
43401 +#endif
43402 +
43403 if (info->screen_base)
43404 iounmap(info->screen_base);
43405 framebuffer_release(info);
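Review bot: The `err:` path calls `module_free_exec(NULL, pmi_code)` without testing the pointer, while the two uvesafb cleanup hunks in this patch guard the same call with `if (par->pmi_code)`. `pmi_code` is initialised to NULL and stays NULL when the allocation fails, and whether `module_free_exec()` tolerates NULL is not visible here. For consistency I would write `if (pmi_code) module_free_exec(NULL, pmi_code);`. The function body extends beyond this hunk.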
43406 diff -urNp linux-2.6.39.2/drivers/virtio/virtio_balloon.c linux-2.6.39.2/drivers/virtio/virtio_balloon.c
43407 --- linux-2.6.39.2/drivers/virtio/virtio_balloon.c 2011-05-19 00:06:34.000000000 -0400
43408 +++ linux-2.6.39.2/drivers/virtio/virtio_balloon.c 2011-05-22 19:36:32.000000000 -0400
43409 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
43410 struct sysinfo i;
43411 int idx = 0;
43412
43413 + pax_track_stack();
43414 +
43415 all_vm_events(events);
43416 si_meminfo(&i);
43417
43418 diff -urNp linux-2.6.39.2/drivers/xen/gntalloc.c linux-2.6.39.2/drivers/xen/gntalloc.c
43419 --- linux-2.6.39.2/drivers/xen/gntalloc.c 2011-05-19 00:06:34.000000000 -0400
43420 +++ linux-2.6.39.2/drivers/xen/gntalloc.c 2011-05-22 19:36:32.000000000 -0400
43421 @@ -440,7 +440,7 @@ static void gntalloc_vma_close(struct vm
43422 spin_unlock(&gref_lock);
43423 }
43424
43425 -static struct vm_operations_struct gntalloc_vmops = {
43426 +static const struct vm_operations_struct gntalloc_vmops = {
43427 .close = gntalloc_vma_close,
43428 };
43429
43430 diff -urNp linux-2.6.39.2/drivers/xen/gntdev.c linux-2.6.39.2/drivers/xen/gntdev.c
43431 --- linux-2.6.39.2/drivers/xen/gntdev.c 2011-05-19 00:06:34.000000000 -0400
43432 +++ linux-2.6.39.2/drivers/xen/gntdev.c 2011-05-22 19:36:32.000000000 -0400
43433 @@ -340,7 +340,7 @@ static void gntdev_vma_close(struct vm_a
43434 gntdev_put_map(map);
43435 }
43436
43437 -static struct vm_operations_struct gntdev_vmops = {
43438 +static const struct vm_operations_struct gntdev_vmops = {
43439 .close = gntdev_vma_close,
43440 };
43441
43442 @@ -404,7 +404,7 @@ static void mn_release(struct mmu_notifi
43443 spin_unlock(&priv->lock);
43444 }
43445
43446 -struct mmu_notifier_ops gntdev_mmu_ops = {
43447 +const struct mmu_notifier_ops gntdev_mmu_ops = {
43448 .release = mn_release,
43449 .invalidate_page = mn_invl_page,
43450 .invalidate_range_start = mn_invl_range_start,
43451 diff -urNp linux-2.6.39.2/drivers/xen/xenfs/privcmd.c linux-2.6.39.2/drivers/xen/xenfs/privcmd.c
43452 --- linux-2.6.39.2/drivers/xen/xenfs/privcmd.c 2011-05-19 00:06:34.000000000 -0400
43453 +++ linux-2.6.39.2/drivers/xen/xenfs/privcmd.c 2011-05-22 19:36:32.000000000 -0400
43454 @@ -268,7 +268,7 @@ static int mmap_return_errors(void *data
43455 return put_user(*mfnp, st->user++);
43456 }
43457
43458 -static struct vm_operations_struct privcmd_vm_ops;
43459 +static const struct vm_operations_struct privcmd_vm_ops;
43460
43461 static long privcmd_ioctl_mmap_batch(void __user *udata)
43462 {
43463 @@ -369,7 +369,7 @@ static int privcmd_fault(struct vm_area_
43464 return VM_FAULT_SIGBUS;
43465 }
43466
43467 -static struct vm_operations_struct privcmd_vm_ops = {
43468 +static const struct vm_operations_struct privcmd_vm_ops = {
43469 .fault = privcmd_fault
43470 };
43471
43472 diff -urNp linux-2.6.39.2/fs/9p/vfs_inode.c linux-2.6.39.2/fs/9p/vfs_inode.c
43473 --- linux-2.6.39.2/fs/9p/vfs_inode.c 2011-05-19 00:06:34.000000000 -0400
43474 +++ linux-2.6.39.2/fs/9p/vfs_inode.c 2011-05-22 19:36:32.000000000 -0400
43475 @@ -1210,7 +1210,7 @@ static void *v9fs_vfs_follow_link(struct
43476 void
43477 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43478 {
43479 - char *s = nd_get_link(nd);
43480 + const char *s = nd_get_link(nd);
43481
43482 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43483 IS_ERR(s) ? "<error>" : s);
43484 diff -urNp linux-2.6.39.2/fs/aio.c linux-2.6.39.2/fs/aio.c
43485 --- linux-2.6.39.2/fs/aio.c 2011-05-19 00:06:34.000000000 -0400
43486 +++ linux-2.6.39.2/fs/aio.c 2011-06-03 01:00:34.000000000 -0400
43487 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
43488 size += sizeof(struct io_event) * nr_events;
43489 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43490
43491 - if (nr_pages < 0)
43492 + if (nr_pages <= 0)
43493 return -EINVAL;
43494
43495 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
43496 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
43497 struct aio_timeout to;
43498 int retry = 0;
43499
43500 + pax_track_stack();
43501 +
43502 /* needed to zero any padding within an entry (there shouldn't be
43503 * any, but C is fun!
43504 */
43505 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
43506 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
43507 {
43508 ssize_t ret;
43509 + struct iovec iovstack;
43510
43511 #ifdef CONFIG_COMPAT
43512 if (compat)
43513 ret = compat_rw_copy_check_uvector(type,
43514 (struct compat_iovec __user *)kiocb->ki_buf,
43515 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43516 + kiocb->ki_nbytes, 1, &iovstack,
43517 &kiocb->ki_iovec);
43518 else
43519 #endif
43520 ret = rw_copy_check_uvector(type,
43521 (struct iovec __user *)kiocb->ki_buf,
43522 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43523 + kiocb->ki_nbytes, 1, &iovstack,
43524 &kiocb->ki_iovec);
43525 if (ret < 0)
43526 goto out;
43527
43528 + if (kiocb->ki_iovec == &iovstack) {
43529 + kiocb->ki_inline_vec = iovstack;
43530 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
43531 + }
43532 kiocb->ki_nr_segs = kiocb->ki_nbytes;
43533 kiocb->ki_cur_seg = 0;
43534 /* ki_nbytes/left now reflect bytes instead of segs */
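Review bot: `iovstack` is declared without an initializer and is copied wholesale into `kiocb->ki_inline_vec` whenever the helper hands back `&iovstack`. If the helper can return the fast buffer without filling it (for instance for a request with no segments; its body is not in this hunk), that assignment copies indeterminate stack contents into the kiocb. Writing `struct iovec iovstack = { .iov_len = 0 };` removes the doubt. A one-line comment on why the vector is staged on the stack instead of being written to `ki_inline_vec` directly would also help, since the reason is not evident from the hunk.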
43535 diff -urNp linux-2.6.39.2/fs/attr.c linux-2.6.39.2/fs/attr.c
43536 --- linux-2.6.39.2/fs/attr.c 2011-05-19 00:06:34.000000000 -0400
43537 +++ linux-2.6.39.2/fs/attr.c 2011-05-22 19:41:37.000000000 -0400
43538 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
43539 unsigned long limit;
43540
43541 limit = rlimit(RLIMIT_FSIZE);
43542 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43543 if (limit != RLIM_INFINITY && offset > limit)
43544 goto out_sig;
43545 if (offset > inode->i_sb->s_maxbytes)
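Review bot: The added `gr_learn_resource()` call casts `offset` to `unsigned long`. If `offset` is a 64-bit file offset (its declaration sits in the truncated signature outside the hunk), a 32-bit kernel records a truncated value, so the learned RLIMIT_FSIZE figure can be far below the size the comparison on the next line tests. Saturating before the cast, for example `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`, would keep the learned value from under-reporting. `inode_newsize_ok()` continues past this hunk.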
43546 diff -urNp linux-2.6.39.2/fs/befs/linuxvfs.c linux-2.6.39.2/fs/befs/linuxvfs.c
43547 --- linux-2.6.39.2/fs/befs/linuxvfs.c 2011-05-19 00:06:34.000000000 -0400
43548 +++ linux-2.6.39.2/fs/befs/linuxvfs.c 2011-05-22 19:36:32.000000000 -0400
43549 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43550 {
43551 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43552 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43553 - char *link = nd_get_link(nd);
43554 + const char *link = nd_get_link(nd);
43555 if (!IS_ERR(link))
43556 kfree(link);
43557 }
43558 diff -urNp linux-2.6.39.2/fs/binfmt_aout.c linux-2.6.39.2/fs/binfmt_aout.c
43559 --- linux-2.6.39.2/fs/binfmt_aout.c 2011-05-19 00:06:34.000000000 -0400
43560 +++ linux-2.6.39.2/fs/binfmt_aout.c 2011-05-22 19:41:37.000000000 -0400
43561 @@ -16,6 +16,7 @@
43562 #include <linux/string.h>
43563 #include <linux/fs.h>
43564 #include <linux/file.h>
43565 +#include <linux/security.h>
43566 #include <linux/stat.h>
43567 #include <linux/fcntl.h>
43568 #include <linux/ptrace.h>
43569 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
43570 #endif
43571 # define START_STACK(u) ((void __user *)u.start_stack)
43572
43573 + memset(&dump, 0, sizeof(dump));
43574 +
43575 fs = get_fs();
43576 set_fs(KERNEL_DS);
43577 has_dumped = 1;
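Review bot: The new `memset(&dump, 0, sizeof(dump));` has no comment, and its purpose is easy to lose in a later cleanup. I would add `/* dump is written to the core file: clear it so no stale kernel stack bytes, padding included, are disclosed */` above it. The declaration of `dump` and the code that writes it out are outside this hunk, so this reading is inferred from the function name in the hunk header and should be confirmed.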
43578 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
43579
43580 /* If the size of the dump file exceeds the rlimit, then see what would happen
43581 if we wrote the stack, but not the data area. */
43582 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43583 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
43584 dump.u_dsize = 0;
43585
43586 /* Make sure we have enough room to write the stack and data areas. */
43587 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43588 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
43589 dump.u_ssize = 0;
43590
43591 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
43592 rlim = rlimit(RLIMIT_DATA);
43593 if (rlim >= RLIM_INFINITY)
43594 rlim = ~0;
43595 +
43596 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43597 if (ex.a_data + ex.a_bss > rlim)
43598 return -ENOMEM;
43599
43600 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
43601 install_exec_creds(bprm);
43602 current->flags &= ~PF_FORKNOEXEC;
43603
43604 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43605 + current->mm->pax_flags = 0UL;
43606 +#endif
43607 +
43608 +#ifdef CONFIG_PAX_PAGEEXEC
43609 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43610 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43611 +
43612 +#ifdef CONFIG_PAX_EMUTRAMP
43613 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43614 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43615 +#endif
43616 +
43617 +#ifdef CONFIG_PAX_MPROTECT
43618 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43619 + current->mm->pax_flags |= MF_PAX_MPROTECT;
43620 +#endif
43621 +
43622 + }
43623 +#endif
43624 +
43625 if (N_MAGIC(ex) == OMAGIC) {
43626 unsigned long text_addr, map_size;
43627 loff_t pos;
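Review bot: This block builds `current->mm->pax_flags` directly from `N_FLAGS(ex)` and never passes the result through `pax_check_flags()`, which the ELF path in this same patch (`pax_parse_elf_flags()`) calls before storing the flags. What that helper enforces is not visible here, but if it clears combinations the running CPU or configuration cannot honour, a.out binaries skip that validation. The block would also benefit from a comment stating that PAGEEXEC and MPROTECT are enabled unless the header bit is set, while EMUTRAMP is enabled only when its bit is set. `load_aout_binary()` starts and ends outside the hunk.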
43628 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
43629
43630 down_write(&current->mm->mmap_sem);
43631 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43632 - PROT_READ | PROT_WRITE | PROT_EXEC,
43633 + PROT_READ | PROT_WRITE,
43634 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43635 fd_offset + ex.a_text);
43636 up_write(&current->mm->mmap_sem);
43637 diff -urNp linux-2.6.39.2/fs/binfmt_elf.c linux-2.6.39.2/fs/binfmt_elf.c
43638 --- linux-2.6.39.2/fs/binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
43639 +++ linux-2.6.39.2/fs/binfmt_elf.c 2011-05-22 19:41:37.000000000 -0400
43640 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
43641 #define elf_core_dump NULL
43642 #endif
43643
43644 +#ifdef CONFIG_PAX_MPROTECT
43645 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43646 +#endif
43647 +
43648 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43649 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43650 #else
43651 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
43652 .load_binary = load_elf_binary,
43653 .load_shlib = load_elf_library,
43654 .core_dump = elf_core_dump,
43655 +
43656 +#ifdef CONFIG_PAX_MPROTECT
43657 + .handle_mprotect= elf_handle_mprotect,
43658 +#endif
43659 +
43660 .min_coredump = ELF_EXEC_PAGESIZE,
43661 };
43662
43663 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43664
43665 static int set_brk(unsigned long start, unsigned long end)
43666 {
43667 + unsigned long e = end;
43668 +
43669 start = ELF_PAGEALIGN(start);
43670 end = ELF_PAGEALIGN(end);
43671 if (end > start) {
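Review bot: The new local `e` keeps the caller's unaligned `end`, and the following hunk stores it in `start_brk`/`brk` in place of the page-aligned value, but neither the name nor a comment says so. Something like `unsigned long brk_end = end; /* unaligned: brk is no longer rounded up to a page */` would make the behaviour change visible to a reader of `set_brk()`. Code that assumed a page-aligned `mm->brk` after exec lies outside these hunks and is worth checking.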
43672 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43673 if (BAD_ADDR(addr))
43674 return addr;
43675 }
43676 - current->mm->start_brk = current->mm->brk = end;
43677 + current->mm->start_brk = current->mm->brk = e;
43678 return 0;
43679 }
43680
43681 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43682 elf_addr_t __user *u_rand_bytes;
43683 const char *k_platform = ELF_PLATFORM;
43684 const char *k_base_platform = ELF_BASE_PLATFORM;
43685 - unsigned char k_rand_bytes[16];
43686 + u32 k_rand_bytes[4];
43687 int items;
43688 elf_addr_t *elf_info;
43689 int ei_index = 0;
43690 const struct cred *cred = current_cred();
43691 struct vm_area_struct *vma;
43692 + unsigned long saved_auxv[AT_VECTOR_SIZE];
43693 +
43694 + pax_track_stack();
43695
43696 /*
43697 * In some cases (e.g. Hyper-Threading), we want to avoid L1
43698 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43699 * Generate 16 random bytes for userspace PRNG seeding.
43700 */
43701 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43702 - u_rand_bytes = (elf_addr_t __user *)
43703 - STACK_ALLOC(p, sizeof(k_rand_bytes));
43704 + srandom32(k_rand_bytes[0] ^ random32());
43705 + srandom32(k_rand_bytes[1] ^ random32());
43706 + srandom32(k_rand_bytes[2] ^ random32());
43707 + srandom32(k_rand_bytes[3] ^ random32());
43708 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
43709 + u_rand_bytes = (elf_addr_t __user *) p;
43710 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43711 return -EFAULT;
43712
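Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the kernel's general-purpose PRNG from the same 16 bytes that `__copy_to_user()` hands to the new process a few lines later, and no comment explains the intent. As far as the hunk shows, those bytes are known to user space, so the reseed contributes no secret input beyond what `random32()` already held. A comment stating the goal, or seeding from a separate `get_random_bytes()` buffer that never leaves the kernel, would be clearer. `p = STACK_ROUND(p, sizeof(k_rand_bytes))` also relies on the macro both reserving and aligning the space; its definition is not in this hunk, so that should be confirmed for upward-growing stacks.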
43713 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43714 return -EFAULT;
43715 current->mm->env_end = p;
43716
43717 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43718 +
43719 /* Put the elf_info on the stack in the right place. */
43720 sp = (elf_addr_t __user *)envp + 1;
43721 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43722 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43723 return -EFAULT;
43724 return 0;
43725 }
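Review bot: `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t))` writes into a fixed stack array of `AT_VECTOR_SIZE` longs with no check that `ei_index` fits. The entry count is produced by code outside this hunk and is presumably bounded at build time. Even so, adding `BUG_ON(ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv));` before the copy would turn a future miscount into a clean stop instead of a kernel stack overwrite. A short comment on why the vector is staged on the stack before `copy_to_user()` would help as well.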
43726 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
43727 {
43728 struct elf_phdr *elf_phdata;
43729 struct elf_phdr *eppnt;
43730 - unsigned long load_addr = 0;
43731 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43732 int load_addr_set = 0;
43733 unsigned long last_bss = 0, elf_bss = 0;
43734 - unsigned long error = ~0UL;
43735 + unsigned long error = -EINVAL;
43736 unsigned long total_size;
43737 int retval, i, size;
43738
43739 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
43740 goto out_close;
43741 }
43742
43743 +#ifdef CONFIG_PAX_SEGMEXEC
43744 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43745 + pax_task_size = SEGMEXEC_TASK_SIZE;
43746 +#endif
43747 +
43748 eppnt = elf_phdata;
43749 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43750 if (eppnt->p_type == PT_LOAD) {
43751 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
43752 k = load_addr + eppnt->p_vaddr;
43753 if (BAD_ADDR(k) ||
43754 eppnt->p_filesz > eppnt->p_memsz ||
43755 - eppnt->p_memsz > TASK_SIZE ||
43756 - TASK_SIZE - eppnt->p_memsz < k) {
43757 + eppnt->p_memsz > pax_task_size ||
43758 + pax_task_size - eppnt->p_memsz < k) {
43759 error = -ENOMEM;
43760 goto out_close;
43761 }
43762 @@ -528,6 +553,193 @@ out:
43763 return error;
43764 }
43765
43766 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43767 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43768 +{
43769 + unsigned long pax_flags = 0UL;
43770 +
43771 +#ifdef CONFIG_PAX_PAGEEXEC
43772 + if (elf_phdata->p_flags & PF_PAGEEXEC)
43773 + pax_flags |= MF_PAX_PAGEEXEC;
43774 +#endif
43775 +
43776 +#ifdef CONFIG_PAX_SEGMEXEC
43777 + if (elf_phdata->p_flags & PF_SEGMEXEC)
43778 + pax_flags |= MF_PAX_SEGMEXEC;
43779 +#endif
43780 +
43781 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43782 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43783 + if ((__supported_pte_mask & _PAGE_NX))
43784 + pax_flags &= ~MF_PAX_SEGMEXEC;
43785 + else
43786 + pax_flags &= ~MF_PAX_PAGEEXEC;
43787 + }
43788 +#endif
43789 +
43790 +#ifdef CONFIG_PAX_EMUTRAMP
43791 + if (elf_phdata->p_flags & PF_EMUTRAMP)
43792 + pax_flags |= MF_PAX_EMUTRAMP;
43793 +#endif
43794 +
43795 +#ifdef CONFIG_PAX_MPROTECT
43796 + if (elf_phdata->p_flags & PF_MPROTECT)
43797 + pax_flags |= MF_PAX_MPROTECT;
43798 +#endif
43799 +
43800 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43801 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43802 + pax_flags |= MF_PAX_RANDMMAP;
43803 +#endif
43804 +
43805 + return pax_flags;
43806 +}
43807 +#endif
43808 +
43809 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43810 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
43811 +{
43812 + unsigned long pax_flags = 0UL;
43813 +
43814 +#ifdef CONFIG_PAX_PAGEEXEC
43815 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
43816 + pax_flags |= MF_PAX_PAGEEXEC;
43817 +#endif
43818 +
43819 +#ifdef CONFIG_PAX_SEGMEXEC
43820 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
43821 + pax_flags |= MF_PAX_SEGMEXEC;
43822 +#endif
43823 +
43824 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43825 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43826 + if ((__supported_pte_mask & _PAGE_NX))
43827 + pax_flags &= ~MF_PAX_SEGMEXEC;
43828 + else
43829 + pax_flags &= ~MF_PAX_PAGEEXEC;
43830 + }
43831 +#endif
43832 +
43833 +#ifdef CONFIG_PAX_EMUTRAMP
43834 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
43835 + pax_flags |= MF_PAX_EMUTRAMP;
43836 +#endif
43837 +
43838 +#ifdef CONFIG_PAX_MPROTECT
43839 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
43840 + pax_flags |= MF_PAX_MPROTECT;
43841 +#endif
43842 +
43843 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43844 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
43845 + pax_flags |= MF_PAX_RANDMMAP;
43846 +#endif
43847 +
43848 + return pax_flags;
43849 +}
43850 +#endif
43851 +
43852 +#ifdef CONFIG_PAX_EI_PAX
43853 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
43854 +{
43855 + unsigned long pax_flags = 0UL;
43856 +
43857 +#ifdef CONFIG_PAX_PAGEEXEC
43858 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
43859 + pax_flags |= MF_PAX_PAGEEXEC;
43860 +#endif
43861 +
43862 +#ifdef CONFIG_PAX_SEGMEXEC
43863 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
43864 + pax_flags |= MF_PAX_SEGMEXEC;
43865 +#endif
43866 +
43867 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43868 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43869 + if ((__supported_pte_mask & _PAGE_NX))
43870 + pax_flags &= ~MF_PAX_SEGMEXEC;
43871 + else
43872 + pax_flags &= ~MF_PAX_PAGEEXEC;
43873 + }
43874 +#endif
43875 +
43876 +#ifdef CONFIG_PAX_EMUTRAMP
43877 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
43878 + pax_flags |= MF_PAX_EMUTRAMP;
43879 +#endif
43880 +
43881 +#ifdef CONFIG_PAX_MPROTECT
43882 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
43883 + pax_flags |= MF_PAX_MPROTECT;
43884 +#endif
43885 +
43886 +#ifdef CONFIG_PAX_ASLR
43887 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
43888 + pax_flags |= MF_PAX_RANDMMAP;
43889 +#endif
43890 +
43891 + return pax_flags;
43892 +}
43893 +#endif
43894 +
43895 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
43896 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
43897 +{
43898 + unsigned long pax_flags = 0UL;
43899 +
43900 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43901 + unsigned long i;
43902 + int found_flags = 0;
43903 +#endif
43904 +
43905 +#ifdef CONFIG_PAX_EI_PAX
43906 + pax_flags = pax_parse_ei_pax(elf_ex);
43907 +#endif
43908 +
43909 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43910 + for (i = 0UL; i < elf_ex->e_phnum; i++)
43911 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
43912 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
43913 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
43914 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
43915 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
43916 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
43917 + return -EINVAL;
43918 +
43919 +#ifdef CONFIG_PAX_SOFTMODE
43920 + if (pax_softmode)
43921 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
43922 + else
43923 +#endif
43924 +
43925 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
43926 + found_flags = 1;
43927 + break;
43928 + }
43929 +#endif
43930 +
43931 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
43932 + if (found_flags == 0) {
43933 + struct elf_phdr phdr;
43934 + memset(&phdr, 0, sizeof(phdr));
43935 + phdr.p_flags = PF_NOEMUTRAMP;
43936 +#ifdef CONFIG_PAX_SOFTMODE
43937 + if (pax_softmode)
43938 + pax_flags = pax_parse_softmode(&phdr);
43939 + else
43940 +#endif
43941 + pax_flags = pax_parse_hardmode(&phdr);
43942 + }
43943 +#endif
43944 +
43945 + if (0 > pax_check_flags(&pax_flags))
43946 + return -EINVAL;
43947 +
43948 + current->mm->pax_flags = pax_flags;
43949 + return 0;
43950 +}
43951 +#endif
43952 +
43953 /*
43954 * These are the functions used to load ELF style executables and shared
43955 * libraries. There is no binary dependent code anywhere else.
43956 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
43957 {
43958 unsigned int random_variable = 0;
43959
43960 +#ifdef CONFIG_PAX_RANDUSTACK
43961 + if (randomize_va_space)
43962 + return stack_top - current->mm->delta_stack;
43963 +#endif
43964 +
43965 if ((current->flags & PF_RANDOMIZE) &&
43966 !(current->personality & ADDR_NO_RANDOMIZE)) {
43967 random_variable = get_random_int() & STACK_RND_MASK;
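Review bot: The early return added under CONFIG_PAX_RANDUSTACK is gated only on the global `randomize_va_space` and bypasses the per-task `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that follows it, and nothing in the hunk says this is intended. It also returns `stack_top - current->mm->delta_stack` directly, so whatever the rest of the function does with the result (it ends outside this hunk) is skipped on this path. A comment would make the contract explicit, for example `/* PaX: the per-mm delta_stack replaces the stock stack randomization; it is 0 unless MF_PAX_RANDMMAP was set at exec */`.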
43968 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
43969 unsigned long load_addr = 0, load_bias = 0;
43970 int load_addr_set = 0;
43971 char * elf_interpreter = NULL;
43972 - unsigned long error;
43973 + unsigned long error = 0;
43974 struct elf_phdr *elf_ppnt, *elf_phdata;
43975 unsigned long elf_bss, elf_brk;
43976 int retval, i;
43977 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
43978 unsigned long start_code, end_code, start_data, end_data;
43979 unsigned long reloc_func_desc __maybe_unused = 0;
43980 int executable_stack = EXSTACK_DEFAULT;
43981 - unsigned long def_flags = 0;
43982 struct {
43983 struct elfhdr elf_ex;
43984 struct elfhdr interp_elf_ex;
43985 } *loc;
43986 + unsigned long pax_task_size = TASK_SIZE;
43987
43988 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
43989 if (!loc) {
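Review bot: `pax_task_size` is initialised from `TASK_SIZE` at declaration, before `SET_PERSONALITY(loc->elf_ex)` runs in a later hunk, yet it replaces `TASK_SIZE` in the segment bounds check further down (`k >= pax_task_size`, `pax_task_size - elf_ppnt->p_memsz < k`). On an architecture where `TASK_SIZE` depends on the personality or thread flags of the current task, the captured value would describe the old image rather than the one being loaded, which could make that check looser than the original; the architecture definitions are not visible here, so this needs confirming. Refreshing the value after the personality switch would avoid the question, e.g. `if (!(current->mm->pax_flags & MF_PAX_SEGMEXEC)) pax_task_size = TASK_SIZE;` right after `SET_PERSONALITY(loc->elf_ex);`.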
43990 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
43991
43992 /* OK, This is the point of no return */
43993 current->flags &= ~PF_FORKNOEXEC;
43994 - current->mm->def_flags = def_flags;
43995 +
43996 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43997 + current->mm->pax_flags = 0UL;
43998 +#endif
43999 +
44000 +#ifdef CONFIG_PAX_DLRESOLVE
44001 + current->mm->call_dl_resolve = 0UL;
44002 +#endif
44003 +
44004 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44005 + current->mm->call_syscall = 0UL;
44006 +#endif
44007 +
44008 +#ifdef CONFIG_PAX_ASLR
44009 + current->mm->delta_mmap = 0UL;
44010 + current->mm->delta_stack = 0UL;
44011 +#endif
44012 +
44013 + current->mm->def_flags = 0;
44014 +
44015 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44016 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44017 + send_sig(SIGKILL, current, 0);
44018 + goto out_free_dentry;
44019 + }
44020 +#endif
44021 +
44022 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44023 + pax_set_initial_flags(bprm);
44024 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44025 + if (pax_set_initial_flags_func)
44026 + (pax_set_initial_flags_func)(bprm);
44027 +#endif
44028 +
44029 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44030 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
44031 + current->mm->context.user_cs_limit = PAGE_SIZE;
44032 + current->mm->def_flags |= VM_PAGEEXEC;
44033 + }
44034 +#endif
44035 +
44036 +#ifdef CONFIG_PAX_SEGMEXEC
44037 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44038 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44039 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44040 + pax_task_size = SEGMEXEC_TASK_SIZE;
44041 + current->mm->def_flags |= VM_NOHUGEPAGE;
44042 + }
44043 +#endif
44044 +
44045 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44046 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44047 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44048 + put_cpu();
44049 + }
44050 +#endif
44051
44052 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44053 may depend on the personality. */
44054 SET_PERSONALITY(loc->elf_ex);
44055 +
44056 +#ifdef CONFIG_PAX_ASLR
44057 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44058 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44059 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44060 + }
44061 +#endif
44062 +
44063 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44064 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44065 + executable_stack = EXSTACK_DISABLE_X;
44066 + current->personality &= ~READ_IMPLIES_EXEC;
44067 + } else
44068 +#endif
44069 +
44070 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44071 current->personality |= READ_IMPLIES_EXEC;
44072
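Review bot: The failure branch for `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, unlike the other kill path in this function, which sets `retval = -EINVAL` before the jump. Whatever `retval` holds at this point comes from code above the hunk, so load_elf_binary may report a stale value for an image whose PaX flags were rejected. Adding `retval = -EINVAL;` before the `goto` keeps the two paths consistent. Separately, the `} else` left dangling across `#endif` in front of `if (elf_read_implies_exec(...))` is easy to break when either side is edited and deserves a comment on the `else`.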
44073 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
44074 #else
44075 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44076 #endif
44077 +
44078 +#ifdef CONFIG_PAX_RANDMMAP
44079 + /* PaX: randomize base address at the default exe base if requested */
44080 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44081 +#ifdef CONFIG_SPARC64
44082 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44083 +#else
44084 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44085 +#endif
44086 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44087 + elf_flags |= MAP_FIXED;
44088 + }
44089 +#endif
44090 +
44091 }
44092
44093 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
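Review bot: The new block sets `elf_flags |= MAP_FIXED` for the randomized base without saying so in its comment, and a fixed mapping is placed exactly at the requested address rather than letting the kernel choose a free range. The comment also leaves out why the randomization applies only when `elf_interpreter` is set and why SPARC64 shifts by `PAGE_SHIFT+1`. Suggested wording for the first part: `/* PaX: the random base must be honoured exactly, hence MAP_FIXED */`; the other two conditions need a line each from someone who knows the reason. The enclosing `if` starts above the hunk.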
44094 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
44095 * allowed task size. Note that p_filesz must always be
44096 * <= p_memsz so it is only necessary to check p_memsz.
44097 */
44098 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44099 - elf_ppnt->p_memsz > TASK_SIZE ||
44100 - TASK_SIZE - elf_ppnt->p_memsz < k) {
44101 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44102 + elf_ppnt->p_memsz > pax_task_size ||
44103 + pax_task_size - elf_ppnt->p_memsz < k) {
44104 /* set_brk can never work. Avoid overflows. */
44105 send_sig(SIGKILL, current, 0);
44106 retval = -EINVAL;
44107 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
44108 start_data += load_bias;
44109 end_data += load_bias;
44110
44111 +#ifdef CONFIG_PAX_RANDMMAP
44112 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44113 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44114 +#endif
44115 +
44116 /* Calling set_brk effectively mmaps the pages that we need
44117 * for the bss and break sections. We must do this before
44118 * mapping in the interpreter, to make sure it doesn't wind
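Review bot: The brk offset `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` has no comment, and the mask and shift are not obvious: `~PAGE_MASK` keeps the low PAGE_SHIFT bits and the shift by 4 scales them to a gap of just under 16 pages in 16-byte steps, on top of one fixed page. A line such as `/* PaX: random gap of one page plus up to 16 more pages before the initial program break */` would document that. Nothing visible in the hunk re-checks the enlarged `elf_brk` against `pax_task_size` before `set_brk` is called; whether the code below the hunk does is not visible.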
44119 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
44120 goto out_free_dentry;
44121 }
44122 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44123 - send_sig(SIGSEGV, current, 0);
44124 - retval = -EFAULT; /* Nobody gets to see this, but.. */
44125 - goto out_free_dentry;
44126 + /*
44127 + * This bss-zeroing can fail if the ELF
44128 + * file specifies odd protections. So
44129 + * we don't check the return value
44130 + */
44131 }
44132
44133 if (elf_interpreter) {
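Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that holds only a comment, so the condition is evaluated purely for the side effect of `padzero()`, and the comment's "we don't check the return value" contradicts code that still tests it. Writing the call as a statement makes the intent plain: `if (likely(elf_bss != elf_brk)) padzero(elf_bss);` with the comment placed above it. The comment could also state what remains in the tail of the last bss page when zeroing fails, since the loader now continues instead of sending SIGSEGV.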
44134 @@ -1090,7 +1398,7 @@ out:
44135 * Decide what to dump of a segment, part, all or none.
44136 */
44137 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44138 - unsigned long mm_flags)
44139 + unsigned long mm_flags, long signr)
44140 {
44141 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44142
44143 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
44144 if (vma->vm_file == NULL)
44145 return 0;
44146
44147 - if (FILTER(MAPPED_PRIVATE))
44148 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44149 goto whole;
44150
44151 /*
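Review bot: `signr == SIGKILL` now forces a whole-segment dump of file-backed private mappings regardless of the `MAPPED_PRIVATE` bit in `mm_flags`, but neither this condition nor the function's header comment (the previous hunk only adds the `long signr` parameter) explains it. Because this overrides the dump filter configured for the process, core files written for a SIGKILL can contain more mapped file content than the filter asked for. A short comment at the test, such as `/* PaX: dumps triggered by SIGKILL ignore the filter for file-backed private mappings */`, would record that this is deliberate. The function body starts and ends outside this hunk.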
44152 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
44153 {
44154 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44155 int i = 0;
44156 - do
44157 + do {
44158 i += 2;
44159 - while (auxv[i - 2] != AT_NULL);
44160 + } while (auxv[i - 2] != AT_NULL);
44161 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44162 }
44163
44164 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
44165 }
44166
44167 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
44168 - unsigned long mm_flags)
44169 + struct coredump_params *cprm)
44170 {
44171 struct vm_area_struct *vma;
44172 size_t size = 0;
44173
44174 for (vma = first_vma(current, gate_vma); vma != NULL;
44175 vma = next_vma(vma, gate_vma))
44176 - size += vma_dump_size(vma, mm_flags);
44177 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44178 return size;
44179 }
44180
44181 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
44182
44183 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
44184
44185 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
44186 + offset += elf_core_vma_data_size(gate_vma, cprm);
44187 offset += elf_core_extra_data_size();
44188 e_shoff = offset;
44189
44190 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
44191 offset = dataoff;
44192
44193 size += sizeof(*elf);
44194 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44195 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
44196 goto end_coredump;
44197
44198 size += sizeof(*phdr4note);
44199 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44200 if (size > cprm->limit
44201 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
44202 goto end_coredump;
44203 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
44204 phdr.p_offset = offset;
44205 phdr.p_vaddr = vma->vm_start;
44206 phdr.p_paddr = 0;
44207 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
44208 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44209 phdr.p_memsz = vma->vm_end - vma->vm_start;
44210 offset += phdr.p_filesz;
44211 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44212 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
44213 phdr.p_align = ELF_EXEC_PAGESIZE;
44214
44215 size += sizeof(phdr);
44216 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44217 if (size > cprm->limit
44218 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
44219 goto end_coredump;
44220 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
44221 unsigned long addr;
44222 unsigned long end;
44223
44224 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
44225 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44226
44227 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44228 struct page *page;
44229 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
44230 page = get_dump_page(addr);
44231 if (page) {
44232 void *kaddr = kmap(page);
44233 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44234 stop = ((size += PAGE_SIZE) > cprm->limit) ||
44235 !dump_write(cprm->file, kaddr,
44236 PAGE_SIZE);
44237 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
44238
44239 if (e_phnum == PN_XNUM) {
44240 size += sizeof(*shdr4extnum);
44241 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44242 if (size > cprm->limit
44243 || !dump_write(cprm->file, shdr4extnum,
44244 sizeof(*shdr4extnum)))
44245 @@ -2067,6 +2380,97 @@ out:
44246
44247 #endif /* CONFIG_ELF_CORE */
44248
44249 +#ifdef CONFIG_PAX_MPROTECT
44250 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44251 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44252 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44253 + *
44254 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44255 + * basis because we want to allow the common case and not the special ones.
44256 + */
44257 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44258 +{
44259 + struct elfhdr elf_h;
44260 + struct elf_phdr elf_p;
44261 + unsigned long i;
44262 + unsigned long oldflags;
44263 + bool is_textrel_rw, is_textrel_rx, is_relro;
44264 +
44265 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44266 + return;
44267 +
44268 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44269 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44270 +
44271 +#ifdef CONFIG_PAX_ELFRELOCS
44272 + /* possible TEXTREL */
44273 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44274 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44275 +#else
44276 + is_textrel_rw = false;
44277 + is_textrel_rx = false;
44278 +#endif
44279 +
44280 + /* possible RELRO */
44281 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44282 +
44283 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44284 + return;
44285 +
44286 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44287 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44288 +
44289 +#ifdef CONFIG_PAX_ETEXECRELOCS
44290 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44291 +#else
44292 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44293 +#endif
44294 +
44295 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44296 + !elf_check_arch(&elf_h) ||
44297 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44298 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44299 + return;
44300 +
44301 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44302 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44303 + return;
44304 + switch (elf_p.p_type) {
44305 + case PT_DYNAMIC:
44306 + if (!is_textrel_rw && !is_textrel_rx)
44307 + continue;
44308 + i = 0UL;
44309 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44310 + elf_dyn dyn;
44311 +
44312 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44313 + return;
44314 + if (dyn.d_tag == DT_NULL)
44315 + return;
44316 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44317 + gr_log_textrel(vma);
44318 + if (is_textrel_rw)
44319 + vma->vm_flags |= VM_MAYWRITE;
44320 + else
44321 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44322 + vma->vm_flags &= ~VM_MAYWRITE;
44323 + return;
44324 + }
44325 + i++;
44326 + }
44327 + return;
44328 +
44329 + case PT_GNU_RELRO:
44330 + if (!is_relro)
44331 + continue;
44332 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44333 + vma->vm_flags &= ~VM_MAYWRITE;
44334 + return;
44335 + }
44336 + }
44337 +}
44338 +#endif
44339 +
44340 static int __init init_elf_binfmt(void)
44341 {
44342 return register_binfmt(&elf_format);
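Review bot: In the `PT_DYNAMIC` case of `elf_handle_mprotect()` the inner `while` loop reuses the outer `for` counter `i` and is bounded only by `elf_p.p_filesz`, a value read from the file and not range-checked, whereas the program-header count is capped (`elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)`). Each iteration performs a `kernel_read()`, so a file with a very large `p_filesz` and no `DT_NULL` entry keeps this path reading until a read comes back short. A separate index and a cap in the same spirit would bound the work, e.g. `unsigned long j, ndyn = elf_p.p_filesz / sizeof(elf_dyn);` and `if (ndyn > 65536UL / sizeof(elf_dyn)) return;` before the loop. The reuse of `i` is correct only because every path out of the inner loop returns, which should be stated in a comment if the counter is kept.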
44343 diff -urNp linux-2.6.39.2/fs/binfmt_flat.c linux-2.6.39.2/fs/binfmt_flat.c
44344 --- linux-2.6.39.2/fs/binfmt_flat.c 2011-05-19 00:06:34.000000000 -0400
44345 +++ linux-2.6.39.2/fs/binfmt_flat.c 2011-05-22 19:36:32.000000000 -0400
44346 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
44347 realdatastart = (unsigned long) -ENOMEM;
44348 printk("Unable to allocate RAM for process data, errno %d\n",
44349 (int)-realdatastart);
44350 + down_write(&current->mm->mmap_sem);
44351 do_munmap(current->mm, textpos, text_len);
44352 + up_write(&current->mm->mmap_sem);
44353 ret = realdatastart;
44354 goto err;
44355 }
44356 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
44357 }
44358 if (IS_ERR_VALUE(result)) {
44359 printk("Unable to read data+bss, errno %d\n", (int)-result);
44360 + down_write(&current->mm->mmap_sem);
44361 do_munmap(current->mm, textpos, text_len);
44362 do_munmap(current->mm, realdatastart, len);
44363 + up_write(&current->mm->mmap_sem);
44364 ret = result;
44365 goto err;
44366 }
44367 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
44368 }
44369 if (IS_ERR_VALUE(result)) {
44370 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44371 + down_write(&current->mm->mmap_sem);
44372 do_munmap(current->mm, textpos, text_len + data_len + extra +
44373 MAX_SHARED_LIBS * sizeof(unsigned long));
44374 + up_write(&current->mm->mmap_sem);
44375 ret = result;
44376 goto err;
44377 }
44378 diff -urNp linux-2.6.39.2/fs/bio.c linux-2.6.39.2/fs/bio.c
44379 --- linux-2.6.39.2/fs/bio.c 2011-05-19 00:06:34.000000000 -0400
44380 +++ linux-2.6.39.2/fs/bio.c 2011-05-22 19:36:32.000000000 -0400
44381 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
44382 const int read = bio_data_dir(bio) == READ;
44383 struct bio_map_data *bmd = bio->bi_private;
44384 int i;
44385 - char *p = bmd->sgvecs[0].iov_base;
44386 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
44387
44388 __bio_for_each_segment(bvec, bio, i, 0) {
44389 char *addr = page_address(bvec->bv_page);
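Review bot: The `(__force char *)` cast on `bmd->sgvecs[0].iov_base` drops an address-space annotation without saying why that is safe in `bio_copy_kern_endio()`. If, as the function name suggests, the vector on this path holds a kernel buffer rather than a user pointer, a comment should say so, e.g. `/* kernel buffer stored in an iovec; not a user pointer on this path */`. Without it the cast reads like a suppressed checker warning. The function body continues outside the hunk.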
44390 diff -urNp linux-2.6.39.2/fs/block_dev.c linux-2.6.39.2/fs/block_dev.c
44391 --- linux-2.6.39.2/fs/block_dev.c 2011-06-25 12:55:23.000000000 -0400
44392 +++ linux-2.6.39.2/fs/block_dev.c 2011-06-06 19:57:05.000000000 -0400
44393 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
44394 else if (bdev->bd_contains == bdev)
44395 return true; /* is a whole device which isn't held */
44396
44397 - else if (whole->bd_holder == bd_may_claim)
44398 + else if (whole->bd_holder == (void *)bd_may_claim)
44399 return true; /* is a partition of a device that is being partitioned */
44400 else if (whole->bd_holder != NULL)
44401 return false; /* is a partition of a held device */
44402 diff -urNp linux-2.6.39.2/fs/btrfs/compression.c linux-2.6.39.2/fs/btrfs/compression.c
44403 --- linux-2.6.39.2/fs/btrfs/compression.c 2011-05-19 00:06:34.000000000 -0400
44404 +++ linux-2.6.39.2/fs/btrfs/compression.c 2011-05-22 19:36:32.000000000 -0400
44405 @@ -719,7 +719,7 @@ static int comp_num_workspace[BTRFS_COMP
44406 static atomic_t comp_alloc_workspace[BTRFS_COMPRESS_TYPES];
44407 static wait_queue_head_t comp_workspace_wait[BTRFS_COMPRESS_TYPES];
44408
44409 -struct btrfs_compress_op *btrfs_compress_op[] = {
44410 +const struct btrfs_compress_op *btrfs_compress_op[] = {
44411 &btrfs_zlib_compress,
44412 &btrfs_lzo_compress,
44413 };
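Review bot: `const struct btrfs_compress_op *btrfs_compress_op[]` makes the pointed-to operation tables const, but the array of pointers itself stays writable, so an entry can still be redirected at run time. If the aim is a read-only dispatch table, the array needs its own qualifier: `const struct btrfs_compress_op * const btrfs_compress_op[] = {`. Any `extern` declaration of the array elsewhere (none is visible here) would have to match.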
44414 diff -urNp linux-2.6.39.2/fs/btrfs/compression.h linux-2.6.39.2/fs/btrfs/compression.h
44415 --- linux-2.6.39.2/fs/btrfs/compression.h 2011-05-19 00:06:34.000000000 -0400
44416 +++ linux-2.6.39.2/fs/btrfs/compression.h 2011-05-22 19:36:32.000000000 -0400
44417 @@ -77,7 +77,7 @@ struct btrfs_compress_op {
44418 size_t srclen, size_t destlen);
44419 };
44420
44421 -extern struct btrfs_compress_op btrfs_zlib_compress;
44422 -extern struct btrfs_compress_op btrfs_lzo_compress;
44423 +extern const struct btrfs_compress_op btrfs_zlib_compress;
44424 +extern const struct btrfs_compress_op btrfs_lzo_compress;
44425
44426 #endif
44427 diff -urNp linux-2.6.39.2/fs/btrfs/ctree.c linux-2.6.39.2/fs/btrfs/ctree.c
44428 --- linux-2.6.39.2/fs/btrfs/ctree.c 2011-05-19 00:06:34.000000000 -0400
44429 +++ linux-2.6.39.2/fs/btrfs/ctree.c 2011-05-22 19:36:32.000000000 -0400
44430 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44431 free_extent_buffer(buf);
44432 add_root_to_dirty_list(root);
44433 } else {
44434 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44435 - parent_start = parent->start;
44436 - else
44437 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44438 + if (parent)
44439 + parent_start = parent->start;
44440 + else
44441 + parent_start = 0;
44442 + } else
44443 parent_start = 0;
44444
44445 WARN_ON(trans->transid != btrfs_header_generation(parent));
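Review bot: The added `if (parent)` guards `parent->start`, but the `WARN_ON(trans->transid != btrfs_header_generation(parent));` two lines below still passes `parent` unconditionally, so a NULL `parent` is not fully handled on this branch. Either the new check is unnecessary or the `WARN_ON` and whatever follows it outside the hunk need the same guard. The nested `if`/`else` that assigns 0 twice could also be a single test, `if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent)`.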
44446 @@ -3647,7 +3650,6 @@ setup_items_for_insert(struct btrfs_tran
44447
44448 ret = 0;
44449 if (slot == 0) {
44450 - struct btrfs_disk_key disk_key;
44451 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44452 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44453 }
44454 diff -urNp linux-2.6.39.2/fs/btrfs/disk-io.c linux-2.6.39.2/fs/btrfs/disk-io.c
44455 --- linux-2.6.39.2/fs/btrfs/disk-io.c 2011-05-19 00:06:34.000000000 -0400
44456 +++ linux-2.6.39.2/fs/btrfs/disk-io.c 2011-05-22 19:36:32.000000000 -0400
44457 @@ -42,7 +42,7 @@
44458 #include "tree-log.h"
44459 #include "free-space-cache.h"
44460
44461 -static struct extent_io_ops btree_extent_io_ops;
44462 +static const struct extent_io_ops btree_extent_io_ops;
44463 static void end_workqueue_fn(struct btrfs_work *work);
44464 static void free_fs_root(struct btrfs_root *root);
44465 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
44466 @@ -3070,7 +3070,7 @@ static int btrfs_cleanup_transaction(str
44467 return 0;
44468 }
44469
44470 -static struct extent_io_ops btree_extent_io_ops = {
44471 +static const struct extent_io_ops btree_extent_io_ops = {
44472 .write_cache_pages_lock_hook = btree_lock_page_hook,
44473 .readpage_end_io_hook = btree_readpage_end_io_hook,
44474 .submit_bio_hook = btree_submit_bio_hook,
44475 diff -urNp linux-2.6.39.2/fs/btrfs/extent_io.h linux-2.6.39.2/fs/btrfs/extent_io.h
44476 --- linux-2.6.39.2/fs/btrfs/extent_io.h 2011-05-19 00:06:34.000000000 -0400
44477 +++ linux-2.6.39.2/fs/btrfs/extent_io.h 2011-05-22 19:36:32.000000000 -0400
44478 @@ -56,36 +56,36 @@ typedef int (extent_submit_bio_hook_t)(s
44479 struct bio *bio, int mirror_num,
44480 unsigned long bio_flags, u64 bio_offset);
44481 struct extent_io_ops {
44482 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44483 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44484 u64 start, u64 end, int *page_started,
44485 unsigned long *nr_written);
44486 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44487 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44488 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44489 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44490 extent_submit_bio_hook_t *submit_bio_hook;
44491 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44492 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44493 size_t size, struct bio *bio,
44494 unsigned long bio_flags);
44495 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44496 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44497 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44498 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44499 u64 start, u64 end,
44500 struct extent_state *state);
44501 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44502 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44503 u64 start, u64 end,
44504 struct extent_state *state);
44505 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44506 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44507 struct extent_state *state);
44508 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44509 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44510 struct extent_state *state, int uptodate);
44511 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
44512 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
44513 int *bits);
44514 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44515 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44516 int *bits);
44517 - int (*merge_extent_hook)(struct inode *inode,
44518 + int (* const merge_extent_hook)(struct inode *inode,
44519 struct extent_state *new,
44520 struct extent_state *other);
44521 - int (*split_extent_hook)(struct inode *inode,
44522 + int (* const split_extent_hook)(struct inode *inode,
44523 struct extent_state *orig, u64 split);
44524 - int (*write_cache_pages_lock_hook)(struct page *page);
44525 + int (* const write_cache_pages_lock_hook)(struct page *page);
44526 };
44527
44528 struct extent_io_tree {
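Review bot: Every function pointer in `struct extent_io_ops` gains `* const` except `submit_bio_hook`, which stays `extent_submit_bio_hook_t *submit_bio_hook;` on an unchanged line, so that one hook remains assignable through a non-const instance. For consistency it should read `extent_submit_bio_hook_t * const submit_bio_hook;`. The instances visible elsewhere in this patch are declared `const struct extent_io_ops`, so this matters only for an instance that is not.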
44529 @@ -95,7 +95,7 @@ struct extent_io_tree {
44530 u64 dirty_bytes;
44531 spinlock_t lock;
44532 spinlock_t buffer_lock;
44533 - struct extent_io_ops *ops;
44534 + const struct extent_io_ops *ops;
44535 };
44536
44537 struct extent_state {
44538 diff -urNp linux-2.6.39.2/fs/btrfs/free-space-cache.c linux-2.6.39.2/fs/btrfs/free-space-cache.c
44539 --- linux-2.6.39.2/fs/btrfs/free-space-cache.c 2011-05-19 00:06:34.000000000 -0400
44540 +++ linux-2.6.39.2/fs/btrfs/free-space-cache.c 2011-05-22 19:36:32.000000000 -0400
44541 @@ -1910,8 +1910,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44542 while(1) {
44543 if (entry->bytes < bytes ||
44544 (!entry->bitmap && entry->offset < min_start)) {
44545 - struct rb_node *node;
44546 -
44547 node = rb_next(&entry->offset_index);
44548 if (!node)
44549 break;
44550 @@ -1925,7 +1923,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44551 cluster, entry, bytes,
44552 min_start);
44553 if (ret == 0) {
44554 - struct rb_node *node;
44555 node = rb_next(&entry->offset_index);
44556 if (!node)
44557 break;
44558 diff -urNp linux-2.6.39.2/fs/btrfs/inode.c linux-2.6.39.2/fs/btrfs/inode.c
44559 --- linux-2.6.39.2/fs/btrfs/inode.c 2011-05-19 00:06:34.000000000 -0400
44560 +++ linux-2.6.39.2/fs/btrfs/inode.c 2011-05-22 20:42:42.000000000 -0400
44561 @@ -65,7 +65,7 @@ static const struct inode_operations btr
44562 static const struct address_space_operations btrfs_aops;
44563 static const struct address_space_operations btrfs_symlink_aops;
44564 static const struct file_operations btrfs_dir_file_operations;
44565 -static struct extent_io_ops btrfs_extent_io_ops;
44566 +static const struct extent_io_ops btrfs_extent_io_ops;
44567
44568 static struct kmem_cache *btrfs_inode_cachep;
44569 struct kmem_cache *btrfs_trans_handle_cachep;
44570 @@ -6947,7 +6947,7 @@ fail:
44571 return -ENOMEM;
44572 }
44573
44574 -static int btrfs_getattr(struct vfsmount *mnt,
44575 +int btrfs_getattr(struct vfsmount *mnt,
44576 struct dentry *dentry, struct kstat *stat)
44577 {
44578 struct inode *inode = dentry->d_inode;
44579 @@ -6959,6 +6959,14 @@ static int btrfs_getattr(struct vfsmount
44580 return 0;
44581 }
44582
44583 +EXPORT_SYMBOL(btrfs_getattr);
44584 +
44585 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
44586 +{
44587 + return BTRFS_I(inode)->root->anon_super.s_dev;
44588 +}
44589 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44590 +
44591 /*
44592 * If a file is moved, it will inherit the cow and compression flags of the new
44593 * directory.
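Review bot: `get_btrfs_dev_from_inode()` is added as an exported symbol with no comment and no prototype visible in this hunk, and it dereferences `BTRFS_I(inode)->root` without a check. A header comment stating the contract would help callers outside btrfs, e.g. `/* Return the s_dev of the anonymous superblock of the root that owns @inode; @inode must be a btrfs inode. */`. The same hunk exports `btrfs_getattr`, made non-static in the previous hunk, and its prototype should live in a header as well.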
44594 @@ -7488,7 +7496,7 @@ static const struct file_operations btrf
44595 .fsync = btrfs_sync_file,
44596 };
44597
44598 -static struct extent_io_ops btrfs_extent_io_ops = {
44599 +static const struct extent_io_ops btrfs_extent_io_ops = {
44600 .fill_delalloc = run_delalloc_range,
44601 .submit_bio_hook = btrfs_submit_bio_hook,
44602 .merge_bio_hook = btrfs_merge_bio_hook,
44603 diff -urNp linux-2.6.39.2/fs/btrfs/ioctl.c linux-2.6.39.2/fs/btrfs/ioctl.c
44604 --- linux-2.6.39.2/fs/btrfs/ioctl.c 2011-05-19 00:06:34.000000000 -0400
44605 +++ linux-2.6.39.2/fs/btrfs/ioctl.c 2011-05-22 19:41:37.000000000 -0400
44606 @@ -2361,9 +2361,12 @@ long btrfs_ioctl_space_info(struct btrfs
44607 for (i = 0; i < num_types; i++) {
44608 struct btrfs_space_info *tmp;
44609
44610 + /* Don't copy in more than we allocated */
44611 if (!slot_count)
44612 break;
44613
44614 + slot_count--;
44615 +
44616 info = NULL;
44617 rcu_read_lock();
44618 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
44619 @@ -2385,10 +2388,7 @@ long btrfs_ioctl_space_info(struct btrfs
44620 memcpy(dest, &space, sizeof(space));
44621 dest++;
44622 space_args.total_spaces++;
44623 - slot_count--;
44624 }
44625 - if (!slot_count)
44626 - break;
44627 }
44628 up_read(&info->groups_sem);
44629 }
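Review bot: With `slot_count--` and the `if (!slot_count) break;` removed from the block that does `memcpy(dest, &space, sizeof(space)); dest++;`, the copy is no longer bounded per entry; the previous hunk decrements `slot_count` only once per iteration of the outer `for (i = 0; i < num_types; i++)` loop. If the enclosing block here is a loop that can copy more than one entry per type (its header is outside the hunk), `dest` can advance past the number of slots that were allocated, which is the condition the added comment "Don't copy in more than we allocated" is meant to rule out. Keeping `slot_count--;` after `space_args.total_spaces++;`, followed by `if (!slot_count) break;`, preserves the bound.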
44630 diff -urNp linux-2.6.39.2/fs/btrfs/lzo.c linux-2.6.39.2/fs/btrfs/lzo.c
44631 --- linux-2.6.39.2/fs/btrfs/lzo.c 2011-05-19 00:06:34.000000000 -0400
44632 +++ linux-2.6.39.2/fs/btrfs/lzo.c 2011-05-22 19:36:32.000000000 -0400
44633 @@ -418,7 +418,7 @@ out:
44634 return ret;
44635 }
44636
44637 -struct btrfs_compress_op btrfs_lzo_compress = {
44638 +const struct btrfs_compress_op btrfs_lzo_compress = {
44639 .alloc_workspace = lzo_alloc_workspace,
44640 .free_workspace = lzo_free_workspace,
44641 .compress_pages = lzo_compress_pages,
44642 diff -urNp linux-2.6.39.2/fs/btrfs/relocation.c linux-2.6.39.2/fs/btrfs/relocation.c
44643 --- linux-2.6.39.2/fs/btrfs/relocation.c 2011-05-19 00:06:34.000000000 -0400
44644 +++ linux-2.6.39.2/fs/btrfs/relocation.c 2011-05-22 19:36:32.000000000 -0400
44645 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
44646 }
44647 spin_unlock(&rc->reloc_root_tree.lock);
44648
44649 - BUG_ON((struct btrfs_root *)node->data != root);
44650 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
44651
44652 if (!del) {
44653 spin_lock(&rc->reloc_root_tree.lock);
44654 diff -urNp linux-2.6.39.2/fs/btrfs/zlib.c linux-2.6.39.2/fs/btrfs/zlib.c
44655 --- linux-2.6.39.2/fs/btrfs/zlib.c 2011-05-19 00:06:34.000000000 -0400
44656 +++ linux-2.6.39.2/fs/btrfs/zlib.c 2011-05-22 19:36:32.000000000 -0400
44657 @@ -390,7 +390,7 @@ next:
44658 return ret;
44659 }
44660
44661 -struct btrfs_compress_op btrfs_zlib_compress = {
44662 +const struct btrfs_compress_op btrfs_zlib_compress = {
44663 .alloc_workspace = zlib_alloc_workspace,
44664 .free_workspace = zlib_free_workspace,
44665 .compress_pages = zlib_compress_pages,
44666 diff -urNp linux-2.6.39.2/fs/cachefiles/bind.c linux-2.6.39.2/fs/cachefiles/bind.c
44667 --- linux-2.6.39.2/fs/cachefiles/bind.c 2011-05-19 00:06:34.000000000 -0400
44668 +++ linux-2.6.39.2/fs/cachefiles/bind.c 2011-05-22 19:36:32.000000000 -0400
44669 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44670 args);
44671
44672 /* start by checking things over */
44673 - ASSERT(cache->fstop_percent >= 0 &&
44674 - cache->fstop_percent < cache->fcull_percent &&
44675 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
44676 cache->fcull_percent < cache->frun_percent &&
44677 cache->frun_percent < 100);
44678
44679 - ASSERT(cache->bstop_percent >= 0 &&
44680 - cache->bstop_percent < cache->bcull_percent &&
44681 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
44682 cache->bcull_percent < cache->brun_percent &&
44683 cache->brun_percent < 100);
44684
44685 diff -urNp linux-2.6.39.2/fs/cachefiles/daemon.c linux-2.6.39.2/fs/cachefiles/daemon.c
44686 --- linux-2.6.39.2/fs/cachefiles/daemon.c 2011-05-19 00:06:34.000000000 -0400
44687 +++ linux-2.6.39.2/fs/cachefiles/daemon.c 2011-05-22 19:36:32.000000000 -0400
44688 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
44689 if (n > buflen)
44690 return -EMSGSIZE;
44691
44692 - if (copy_to_user(_buffer, buffer, n) != 0)
44693 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
44694 return -EFAULT;
44695
44696 return n;
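Review bot: The added `n > sizeof(buffer)` bound in cachefiles_daemon_read returns `-EFAULT`, the same code as a failed copy_to_user, so the daemon cannot tell an oversized status string from a bad user pointer. A separate test ahead of the copy, `if (n > sizeof(buffer)) return -EMSGSIZE;`, would sit naturally next to the `n > buflen` check above and keep -EFAULT for real faults. Where `n` is computed is outside the hunk; if it is an snprintf-style return value it can legitimately exceed the buffer, which deserves a comment such as `/* n is the would-be length; never copy past buffer */`.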
44697 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
44698 if (test_bit(CACHEFILES_DEAD, &cache->flags))
44699 return -EIO;
44700
44701 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
44702 + if (datalen > PAGE_SIZE - 1)
44703 return -EOPNOTSUPP;
44704
44705 /* drag the command string into the kernel so we can parse it */
44706 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
44707 if (args[0] != '%' || args[1] != '\0')
44708 return -EINVAL;
44709
44710 - if (fstop < 0 || fstop >= cache->fcull_percent)
44711 + if (fstop >= cache->fcull_percent)
44712 return cachefiles_daemon_range_error(cache, args);
44713
44714 cache->fstop_percent = fstop;
44715 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
44716 if (args[0] != '%' || args[1] != '\0')
44717 return -EINVAL;
44718
44719 - if (bstop < 0 || bstop >= cache->bcull_percent)
44720 + if (bstop >= cache->bcull_percent)
44721 return cachefiles_daemon_range_error(cache, args);
44722
44723 cache->bstop_percent = bstop;
44724 diff -urNp linux-2.6.39.2/fs/cachefiles/internal.h linux-2.6.39.2/fs/cachefiles/internal.h
44725 --- linux-2.6.39.2/fs/cachefiles/internal.h 2011-05-19 00:06:34.000000000 -0400
44726 +++ linux-2.6.39.2/fs/cachefiles/internal.h 2011-05-22 19:36:32.000000000 -0400
44727 @@ -57,7 +57,7 @@ struct cachefiles_cache {
44728 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44729 struct rb_root active_nodes; /* active nodes (can't be culled) */
44730 rwlock_t active_lock; /* lock for active_nodes */
44731 - atomic_t gravecounter; /* graveyard uniquifier */
44732 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44733 unsigned frun_percent; /* when to stop culling (% files) */
44734 unsigned fcull_percent; /* when to start culling (% files) */
44735 unsigned fstop_percent; /* when to stop allocating (% files) */
44736 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
44737 * proc.c
44738 */
44739 #ifdef CONFIG_CACHEFILES_HISTOGRAM
44740 -extern atomic_t cachefiles_lookup_histogram[HZ];
44741 -extern atomic_t cachefiles_mkdir_histogram[HZ];
44742 -extern atomic_t cachefiles_create_histogram[HZ];
44743 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44744 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44745 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44746
44747 extern int __init cachefiles_proc_init(void);
44748 extern void cachefiles_proc_cleanup(void);
44749 static inline
44750 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44751 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44752 {
44753 unsigned long jif = jiffies - start_jif;
44754 if (jif >= HZ)
44755 jif = HZ - 1;
44756 - atomic_inc(&histogram[jif]);
44757 + atomic_inc_unchecked(&histogram[jif]);
44758 }
44759
44760 #else
44761 diff -urNp linux-2.6.39.2/fs/cachefiles/namei.c linux-2.6.39.2/fs/cachefiles/namei.c
44762 --- linux-2.6.39.2/fs/cachefiles/namei.c 2011-05-19 00:06:34.000000000 -0400
44763 +++ linux-2.6.39.2/fs/cachefiles/namei.c 2011-05-22 19:36:32.000000000 -0400
44764 @@ -318,7 +318,7 @@ try_again:
44765 /* first step is to make up a grave dentry in the graveyard */
44766 sprintf(nbuffer, "%08x%08x",
44767 (uint32_t) get_seconds(),
44768 - (uint32_t) atomic_inc_return(&cache->gravecounter));
44769 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44770
44771 /* do the multiway lock magic */
44772 trap = lock_rename(cache->graveyard, dir);
44773 diff -urNp linux-2.6.39.2/fs/cachefiles/proc.c linux-2.6.39.2/fs/cachefiles/proc.c
44774 --- linux-2.6.39.2/fs/cachefiles/proc.c 2011-05-19 00:06:34.000000000 -0400
44775 +++ linux-2.6.39.2/fs/cachefiles/proc.c 2011-05-22 19:36:32.000000000 -0400
44776 @@ -14,9 +14,9 @@
44777 #include <linux/seq_file.h>
44778 #include "internal.h"
44779
44780 -atomic_t cachefiles_lookup_histogram[HZ];
44781 -atomic_t cachefiles_mkdir_histogram[HZ];
44782 -atomic_t cachefiles_create_histogram[HZ];
44783 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44784 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44785 +atomic_unchecked_t cachefiles_create_histogram[HZ];
44786
44787 /*
44788 * display the latency histogram
44789 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44790 return 0;
44791 default:
44792 index = (unsigned long) v - 3;
44793 - x = atomic_read(&cachefiles_lookup_histogram[index]);
44794 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
44795 - z = atomic_read(&cachefiles_create_histogram[index]);
44796 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44797 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44798 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44799 if (x == 0 && y == 0 && z == 0)
44800 return 0;
44801
44802 diff -urNp linux-2.6.39.2/fs/cachefiles/rdwr.c linux-2.6.39.2/fs/cachefiles/rdwr.c
44803 --- linux-2.6.39.2/fs/cachefiles/rdwr.c 2011-05-19 00:06:34.000000000 -0400
44804 +++ linux-2.6.39.2/fs/cachefiles/rdwr.c 2011-05-22 19:36:32.000000000 -0400
44805 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
44806 old_fs = get_fs();
44807 set_fs(KERNEL_DS);
44808 ret = file->f_op->write(
44809 - file, (const void __user *) data, len, &pos);
44810 + file, (__force const void __user *) data, len, &pos);
44811 set_fs(old_fs);
44812 kunmap(page);
44813 if (ret != len)
44814 diff -urNp linux-2.6.39.2/fs/ceph/addr.c linux-2.6.39.2/fs/ceph/addr.c
44815 --- linux-2.6.39.2/fs/ceph/addr.c 2011-05-19 00:06:34.000000000 -0400
44816 +++ linux-2.6.39.2/fs/ceph/addr.c 2011-05-22 19:36:32.000000000 -0400
44817 @@ -1164,7 +1164,7 @@ out:
44818 return ret;
44819 }
44820
44821 -static struct vm_operations_struct ceph_vmops = {
44822 +static const struct vm_operations_struct ceph_vmops = {
44823 .fault = filemap_fault,
44824 .page_mkwrite = ceph_page_mkwrite,
44825 };
44826 diff -urNp linux-2.6.39.2/fs/ceph/dir.c linux-2.6.39.2/fs/ceph/dir.c
44827 --- linux-2.6.39.2/fs/ceph/dir.c 2011-05-19 00:06:34.000000000 -0400
44828 +++ linux-2.6.39.2/fs/ceph/dir.c 2011-05-22 19:36:32.000000000 -0400
44829 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
44830 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
44831 struct ceph_mds_client *mdsc = fsc->mdsc;
44832 unsigned frag = fpos_frag(filp->f_pos);
44833 - int off = fpos_off(filp->f_pos);
44834 + unsigned int off = fpos_off(filp->f_pos);
44835 int err;
44836 u32 ftype;
44837 struct ceph_mds_reply_info_parsed *rinfo;
44838 @@ -360,7 +360,7 @@ more:
44839 rinfo = &fi->last_readdir->r_reply_info;
44840 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
44841 rinfo->dir_nr, off, fi->offset);
44842 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
44843 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
44844 u64 pos = ceph_make_fpos(frag, off);
44845 struct ceph_mds_reply_inode *in =
44846 rinfo->dir_in[off - fi->offset].in;
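Review bot: The `dout()` context line in this hunk still prints `off` with `%d` although the previous hunk changed it to `unsigned int`; the format should read `off %u`. With `off` unsigned, the rewritten test `off - fi->offset < rinfo->dir_nr` is evaluated in unsigned arithmetic, so if `rinfo->dir_nr` is a signed int (it is printed with `%d`) a negative count would become a very large bound. The declarations of `fi->offset` and `dir_nr` are outside the hunk, so this needs confirming. A comment such as `/* off is unsigned: compare before subtracting so the index cannot wrap */` would record why the first half of the condition changed.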
44847 diff -urNp linux-2.6.39.2/fs/cifs/cifs_debug.c linux-2.6.39.2/fs/cifs/cifs_debug.c
44848 --- linux-2.6.39.2/fs/cifs/cifs_debug.c 2011-05-19 00:06:34.000000000 -0400
44849 +++ linux-2.6.39.2/fs/cifs/cifs_debug.c 2011-05-22 19:36:32.000000000 -0400
44850 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
44851 tcon = list_entry(tmp3,
44852 struct cifsTconInfo,
44853 tcon_list);
44854 - atomic_set(&tcon->num_smbs_sent, 0);
44855 - atomic_set(&tcon->num_writes, 0);
44856 - atomic_set(&tcon->num_reads, 0);
44857 - atomic_set(&tcon->num_oplock_brks, 0);
44858 - atomic_set(&tcon->num_opens, 0);
44859 - atomic_set(&tcon->num_posixopens, 0);
44860 - atomic_set(&tcon->num_posixmkdirs, 0);
44861 - atomic_set(&tcon->num_closes, 0);
44862 - atomic_set(&tcon->num_deletes, 0);
44863 - atomic_set(&tcon->num_mkdirs, 0);
44864 - atomic_set(&tcon->num_rmdirs, 0);
44865 - atomic_set(&tcon->num_renames, 0);
44866 - atomic_set(&tcon->num_t2renames, 0);
44867 - atomic_set(&tcon->num_ffirst, 0);
44868 - atomic_set(&tcon->num_fnext, 0);
44869 - atomic_set(&tcon->num_fclose, 0);
44870 - atomic_set(&tcon->num_hardlinks, 0);
44871 - atomic_set(&tcon->num_symlinks, 0);
44872 - atomic_set(&tcon->num_locks, 0);
44873 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
44874 + atomic_set_unchecked(&tcon->num_writes, 0);
44875 + atomic_set_unchecked(&tcon->num_reads, 0);
44876 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
44877 + atomic_set_unchecked(&tcon->num_opens, 0);
44878 + atomic_set_unchecked(&tcon->num_posixopens, 0);
44879 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
44880 + atomic_set_unchecked(&tcon->num_closes, 0);
44881 + atomic_set_unchecked(&tcon->num_deletes, 0);
44882 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
44883 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
44884 + atomic_set_unchecked(&tcon->num_renames, 0);
44885 + atomic_set_unchecked(&tcon->num_t2renames, 0);
44886 + atomic_set_unchecked(&tcon->num_ffirst, 0);
44887 + atomic_set_unchecked(&tcon->num_fnext, 0);
44888 + atomic_set_unchecked(&tcon->num_fclose, 0);
44889 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
44890 + atomic_set_unchecked(&tcon->num_symlinks, 0);
44891 + atomic_set_unchecked(&tcon->num_locks, 0);
44892 }
44893 }
44894 }
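Review bot: The reset list in cifs_stats_proc_write never clears `num_flushes`, although the cifs_stats_proc_show hunk below prints it as "Flushes" and the cifsglob.h hunk declares it with the other counters. `num_acl_get` and `num_acl_set` are declared there too and are also missing from the list. Since every line of the list is being rewritten anyway, add `atomic_set_unchecked(&tcon->num_flushes, 0);`, and the two ACL counters if anything increments them (not visible here). The enclosing loops start outside the hunk.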
44895 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
44896 if (tcon->need_reconnect)
44897 seq_puts(m, "\tDISCONNECTED ");
44898 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
44899 - atomic_read(&tcon->num_smbs_sent),
44900 - atomic_read(&tcon->num_oplock_brks));
44901 + atomic_read_unchecked(&tcon->num_smbs_sent),
44902 + atomic_read_unchecked(&tcon->num_oplock_brks));
44903 seq_printf(m, "\nReads: %d Bytes: %lld",
44904 - atomic_read(&tcon->num_reads),
44905 + atomic_read_unchecked(&tcon->num_reads),
44906 (long long)(tcon->bytes_read));
44907 seq_printf(m, "\nWrites: %d Bytes: %lld",
44908 - atomic_read(&tcon->num_writes),
44909 + atomic_read_unchecked(&tcon->num_writes),
44910 (long long)(tcon->bytes_written));
44911 seq_printf(m, "\nFlushes: %d",
44912 - atomic_read(&tcon->num_flushes));
44913 + atomic_read_unchecked(&tcon->num_flushes));
44914 seq_printf(m, "\nLocks: %d HardLinks: %d "
44915 "Symlinks: %d",
44916 - atomic_read(&tcon->num_locks),
44917 - atomic_read(&tcon->num_hardlinks),
44918 - atomic_read(&tcon->num_symlinks));
44919 + atomic_read_unchecked(&tcon->num_locks),
44920 + atomic_read_unchecked(&tcon->num_hardlinks),
44921 + atomic_read_unchecked(&tcon->num_symlinks));
44922 seq_printf(m, "\nOpens: %d Closes: %d "
44923 "Deletes: %d",
44924 - atomic_read(&tcon->num_opens),
44925 - atomic_read(&tcon->num_closes),
44926 - atomic_read(&tcon->num_deletes));
44927 + atomic_read_unchecked(&tcon->num_opens),
44928 + atomic_read_unchecked(&tcon->num_closes),
44929 + atomic_read_unchecked(&tcon->num_deletes));
44930 seq_printf(m, "\nPosix Opens: %d "
44931 "Posix Mkdirs: %d",
44932 - atomic_read(&tcon->num_posixopens),
44933 - atomic_read(&tcon->num_posixmkdirs));
44934 + atomic_read_unchecked(&tcon->num_posixopens),
44935 + atomic_read_unchecked(&tcon->num_posixmkdirs));
44936 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
44937 - atomic_read(&tcon->num_mkdirs),
44938 - atomic_read(&tcon->num_rmdirs));
44939 + atomic_read_unchecked(&tcon->num_mkdirs),
44940 + atomic_read_unchecked(&tcon->num_rmdirs));
44941 seq_printf(m, "\nRenames: %d T2 Renames %d",
44942 - atomic_read(&tcon->num_renames),
44943 - atomic_read(&tcon->num_t2renames));
44944 + atomic_read_unchecked(&tcon->num_renames),
44945 + atomic_read_unchecked(&tcon->num_t2renames));
44946 seq_printf(m, "\nFindFirst: %d FNext %d "
44947 "FClose %d",
44948 - atomic_read(&tcon->num_ffirst),
44949 - atomic_read(&tcon->num_fnext),
44950 - atomic_read(&tcon->num_fclose));
44951 + atomic_read_unchecked(&tcon->num_ffirst),
44952 + atomic_read_unchecked(&tcon->num_fnext),
44953 + atomic_read_unchecked(&tcon->num_fclose));
44954 }
44955 }
44956 }
44957 diff -urNp linux-2.6.39.2/fs/cifs/cifsglob.h linux-2.6.39.2/fs/cifs/cifsglob.h
44958 --- linux-2.6.39.2/fs/cifs/cifsglob.h 2011-05-19 00:06:34.000000000 -0400
44959 +++ linux-2.6.39.2/fs/cifs/cifsglob.h 2011-05-22 19:36:32.000000000 -0400
44960 @@ -305,28 +305,28 @@ struct cifsTconInfo {
44961 __u16 Flags; /* optional support bits */
44962 enum statusEnum tidStatus;
44963 #ifdef CONFIG_CIFS_STATS
44964 - atomic_t num_smbs_sent;
44965 - atomic_t num_writes;
44966 - atomic_t num_reads;
44967 - atomic_t num_flushes;
44968 - atomic_t num_oplock_brks;
44969 - atomic_t num_opens;
44970 - atomic_t num_closes;
44971 - atomic_t num_deletes;
44972 - atomic_t num_mkdirs;
44973 - atomic_t num_posixopens;
44974 - atomic_t num_posixmkdirs;
44975 - atomic_t num_rmdirs;
44976 - atomic_t num_renames;
44977 - atomic_t num_t2renames;
44978 - atomic_t num_ffirst;
44979 - atomic_t num_fnext;
44980 - atomic_t num_fclose;
44981 - atomic_t num_hardlinks;
44982 - atomic_t num_symlinks;
44983 - atomic_t num_locks;
44984 - atomic_t num_acl_get;
44985 - atomic_t num_acl_set;
44986 + atomic_unchecked_t num_smbs_sent;
44987 + atomic_unchecked_t num_writes;
44988 + atomic_unchecked_t num_reads;
44989 + atomic_unchecked_t num_flushes;
44990 + atomic_unchecked_t num_oplock_brks;
44991 + atomic_unchecked_t num_opens;
44992 + atomic_unchecked_t num_closes;
44993 + atomic_unchecked_t num_deletes;
44994 + atomic_unchecked_t num_mkdirs;
44995 + atomic_unchecked_t num_posixopens;
44996 + atomic_unchecked_t num_posixmkdirs;
44997 + atomic_unchecked_t num_rmdirs;
44998 + atomic_unchecked_t num_renames;
44999 + atomic_unchecked_t num_t2renames;
45000 + atomic_unchecked_t num_ffirst;
45001 + atomic_unchecked_t num_fnext;
45002 + atomic_unchecked_t num_fclose;
45003 + atomic_unchecked_t num_hardlinks;
45004 + atomic_unchecked_t num_symlinks;
45005 + atomic_unchecked_t num_locks;
45006 + atomic_unchecked_t num_acl_get;
45007 + atomic_unchecked_t num_acl_set;
45008 #ifdef CONFIG_CIFS_STATS2
45009 unsigned long long time_writes;
45010 unsigned long long time_reads;
45011 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
45012 }
45013
45014 #ifdef CONFIG_CIFS_STATS
45015 -#define cifs_stats_inc atomic_inc
45016 +#define cifs_stats_inc atomic_inc_unchecked
45017
45018 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45019 unsigned int bytes)
45020 diff -urNp linux-2.6.39.2/fs/cifs/link.c linux-2.6.39.2/fs/cifs/link.c
45021 --- linux-2.6.39.2/fs/cifs/link.c 2011-05-19 00:06:34.000000000 -0400
45022 +++ linux-2.6.39.2/fs/cifs/link.c 2011-05-22 19:36:32.000000000 -0400
45023 @@ -577,7 +577,7 @@ symlink_exit:
45024
45025 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45026 {
45027 - char *p = nd_get_link(nd);
45028 + const char *p = nd_get_link(nd);
45029 if (!IS_ERR(p))
45030 kfree(p);
45031 }
45032 diff -urNp linux-2.6.39.2/fs/coda/cache.c linux-2.6.39.2/fs/coda/cache.c
45033 --- linux-2.6.39.2/fs/coda/cache.c 2011-05-19 00:06:34.000000000 -0400
45034 +++ linux-2.6.39.2/fs/coda/cache.c 2011-05-22 19:36:32.000000000 -0400
45035 @@ -24,7 +24,7 @@
45036 #include "coda_linux.h"
45037 #include "coda_cache.h"
45038
45039 -static atomic_t permission_epoch = ATOMIC_INIT(0);
45040 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45041
45042 /* replace or extend an acl cache hit */
45043 void coda_cache_enter(struct inode *inode, int mask)
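Review bot: `permission_epoch` is switched to `atomic_unchecked_t` with no comment saying why overflow is acceptable for it. Unlike the statistics counters converted elsewhere in this patch, its value feeds the cache-hit decision in coda_cache_check (last hunk of this file). Wrapping is tolerable for a generation counter, but a cached entry could then match again after a full cycle of coda_cache_clear_all calls, and that trade-off should be written down next to the declaration, e.g. `/* generation counter, not a refcount: wraparound is tolerated */`. The same reasoning covers the three accessor hunks that follow.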
45044 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
45045 struct coda_inode_info *cii = ITOC(inode);
45046
45047 spin_lock(&cii->c_lock);
45048 - cii->c_cached_epoch = atomic_read(&permission_epoch);
45049 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45050 if (cii->c_uid != current_fsuid()) {
45051 cii->c_uid = current_fsuid();
45052 cii->c_cached_perm = mask;
45053 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
45054 {
45055 struct coda_inode_info *cii = ITOC(inode);
45056 spin_lock(&cii->c_lock);
45057 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45058 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45059 spin_unlock(&cii->c_lock);
45060 }
45061
45062 /* remove all acl caches */
45063 void coda_cache_clear_all(struct super_block *sb)
45064 {
45065 - atomic_inc(&permission_epoch);
45066 + atomic_inc_unchecked(&permission_epoch);
45067 }
45068
45069
45070 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
45071 spin_lock(&cii->c_lock);
45072 hit = (mask & cii->c_cached_perm) == mask &&
45073 cii->c_uid == current_fsuid() &&
45074 - cii->c_cached_epoch == atomic_read(&permission_epoch);
45075 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45076 spin_unlock(&cii->c_lock);
45077
45078 return hit;
45079 diff -urNp linux-2.6.39.2/fs/compat_binfmt_elf.c linux-2.6.39.2/fs/compat_binfmt_elf.c
45080 --- linux-2.6.39.2/fs/compat_binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
45081 +++ linux-2.6.39.2/fs/compat_binfmt_elf.c 2011-05-22 19:36:32.000000000 -0400
45082 @@ -30,11 +30,13 @@
45083 #undef elf_phdr
45084 #undef elf_shdr
45085 #undef elf_note
45086 +#undef elf_dyn
45087 #undef elf_addr_t
45088 #define elfhdr elf32_hdr
45089 #define elf_phdr elf32_phdr
45090 #define elf_shdr elf32_shdr
45091 #define elf_note elf32_note
45092 +#define elf_dyn Elf32_Dyn
45093 #define elf_addr_t Elf32_Addr
45094
45095 /*
45096 diff -urNp linux-2.6.39.2/fs/compat.c linux-2.6.39.2/fs/compat.c
45097 --- linux-2.6.39.2/fs/compat.c 2011-05-19 00:06:34.000000000 -0400
45098 +++ linux-2.6.39.2/fs/compat.c 2011-05-22 19:41:37.000000000 -0400
45099 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
45100 goto out;
45101
45102 ret = -EINVAL;
45103 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
45104 + if (nr_segs > UIO_MAXIOV)
45105 goto out;
45106 if (nr_segs > fast_segs) {
45107 ret = -ENOMEM;
45108 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
45109
45110 struct compat_readdir_callback {
45111 struct compat_old_linux_dirent __user *dirent;
45112 + struct file * file;
45113 int result;
45114 };
45115
45116 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
45117 buf->result = -EOVERFLOW;
45118 return -EOVERFLOW;
45119 }
45120 +
45121 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45122 + return 0;
45123 +
45124 buf->result++;
45125 dirent = buf->dirent;
45126 if (!access_ok(VERIFY_WRITE, dirent,
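Review bot: In compat_fillonedir the `gr_acl_handle_filldir()` filter runs after the check that returns `-EOVERFLOW`, so an entry the ACL would hide can still abort the listing instead of being skipped. That both breaks the read and lets the caller infer that a filtered entry exists. Moving the added `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` above the overflow check would treat hidden entries uniformly; the compat_filldir hunk below has the same ordering. The start of both functions is outside the hunks, so what precedes the overflow check is not visible.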
45127 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
45128
45129 buf.result = 0;
45130 buf.dirent = dirent;
45131 + buf.file = file;
45132
45133 error = vfs_readdir(file, compat_fillonedir, &buf);
45134 if (buf.result)
45135 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
45136 struct compat_getdents_callback {
45137 struct compat_linux_dirent __user *current_dir;
45138 struct compat_linux_dirent __user *previous;
45139 + struct file * file;
45140 int count;
45141 int error;
45142 };
45143 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
45144 buf->error = -EOVERFLOW;
45145 return -EOVERFLOW;
45146 }
45147 +
45148 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45149 + return 0;
45150 +
45151 dirent = buf->previous;
45152 if (dirent) {
45153 if (__put_user(offset, &dirent->d_off))
45154 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
45155 buf.previous = NULL;
45156 buf.count = count;
45157 buf.error = 0;
45158 + buf.file = file;
45159
45160 error = vfs_readdir(file, compat_filldir, &buf);
45161 if (error >= 0)
45162 @@ -1006,6 +1018,7 @@ out:
45163 struct compat_getdents_callback64 {
45164 struct linux_dirent64 __user *current_dir;
45165 struct linux_dirent64 __user *previous;
45166 + struct file * file;
45167 int count;
45168 int error;
45169 };
45170 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
45171 buf->error = -EINVAL; /* only used if we fail.. */
45172 if (reclen > buf->count)
45173 return -EINVAL;
45174 +
45175 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45176 + return 0;
45177 +
45178 dirent = buf->previous;
45179
45180 if (dirent) {
45181 @@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
45182 buf.previous = NULL;
45183 buf.count = count;
45184 buf.error = 0;
45185 + buf.file = file;
45186
45187 error = vfs_readdir(file, compat_filldir64, &buf);
45188 if (error >= 0)
45189 @@ -1436,6 +1454,11 @@ int compat_do_execve(char * filename,
45190 compat_uptr_t __user *envp,
45191 struct pt_regs * regs)
45192 {
45193 +#ifdef CONFIG_GRKERNSEC
45194 + struct file *old_exec_file;
45195 + struct acl_subject_label *old_acl;
45196 + struct rlimit old_rlim[RLIM_NLIMITS];
45197 +#endif
45198 struct linux_binprm *bprm;
45199 struct file *file;
45200 struct files_struct *displaced;
45201 @@ -1472,6 +1495,19 @@ int compat_do_execve(char * filename,
45202 bprm->filename = filename;
45203 bprm->interp = filename;
45204
45205 + if (gr_process_user_ban()) {
45206 + retval = -EPERM;
45207 + goto out_file;
45208 + }
45209 +
45210 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45211 + retval = -EAGAIN;
45212 + if (gr_handle_nproc())
45213 + goto out_file;
45214 + retval = -EACCES;
45215 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45216 + goto out_file;
45217 +
45218 retval = bprm_mm_init(bprm);
45219 if (retval)
45220 goto out_file;
45221 @@ -1501,9 +1537,40 @@ int compat_do_execve(char * filename,
45222 if (retval < 0)
45223 goto out;
45224
45225 + if (!gr_tpe_allow(file)) {
45226 + retval = -EACCES;
45227 + goto out;
45228 + }
45229 +
45230 + if (gr_check_crash_exec(file)) {
45231 + retval = -EACCES;
45232 + goto out;
45233 + }
45234 +
45235 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45236 +
45237 + gr_handle_exec_args_compat(bprm, argv);
45238 +
45239 +#ifdef CONFIG_GRKERNSEC
45240 + old_acl = current->acl;
45241 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45242 + old_exec_file = current->exec_file;
45243 + get_file(file);
45244 + current->exec_file = file;
45245 +#endif
45246 +
45247 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45248 + bprm->unsafe & LSM_UNSAFE_SHARE);
45249 + if (retval < 0)
45250 + goto out_fail;
45251 +
45252 retval = search_binary_handler(bprm, regs);
45253 if (retval < 0)
45254 - goto out;
45255 + goto out_fail;
45256 +#ifdef CONFIG_GRKERNSEC
45257 + if (old_exec_file)
45258 + fput(old_exec_file);
45259 +#endif
45260
45261 /* execve succeeded */
45262 current->fs->in_exec = 0;
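Review bot: The rlimit snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` and its write-back at `out_fail` (next hunk) are done without any visible lock, so a limit changed by another thread of the process between the save and a failed exec would be silently overwritten by the restore. If rlimit writers elsewhere in this tree serialise on a task lock, the save and restore should take it as well; that is not visible from here. The snapshot also puts a `struct rlimit[RLIM_NLIMITS]` array on the kernel stack of compat_do_execve. A comment above the `#ifdef CONFIG_GRKERNSEC` save block naming which call can modify `current->acl` and the rlimits would explain why these three fields are rolled back. The function begins and ends outside this hunk.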
45263 @@ -1514,6 +1581,14 @@ int compat_do_execve(char * filename,
45264 put_files_struct(displaced);
45265 return retval;
45266
45267 +out_fail:
45268 +#ifdef CONFIG_GRKERNSEC
45269 + current->acl = old_acl;
45270 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45271 + fput(current->exec_file);
45272 + current->exec_file = old_exec_file;
45273 +#endif
45274 +
45275 out:
45276 if (bprm->mm) {
45277 acct_arg_size(bprm, 0);
45278 @@ -1681,6 +1756,8 @@ int compat_core_sys_select(int n, compat
45279 struct fdtable *fdt;
45280 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45281
45282 + pax_track_stack();
45283 +
45284 if (n < 0)
45285 goto out_nofds;
45286
45287 diff -urNp linux-2.6.39.2/fs/compat_ioctl.c linux-2.6.39.2/fs/compat_ioctl.c
45288 --- linux-2.6.39.2/fs/compat_ioctl.c 2011-05-19 00:06:34.000000000 -0400
45289 +++ linux-2.6.39.2/fs/compat_ioctl.c 2011-05-22 19:36:32.000000000 -0400
45290 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
45291
45292 err = get_user(palp, &up->palette);
45293 err |= get_user(length, &up->length);
45294 + if (err)
45295 + return -EFAULT;
45296
45297 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45298 err = put_user(compat_ptr(palp), &up_native->palette);
45299 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
45300 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
45301 {
45302 unsigned int a, b;
45303 - a = *(unsigned int *)p;
45304 - b = *(unsigned int *)q;
45305 + a = *(const unsigned int *)p;
45306 + b = *(const unsigned int *)q;
45307 if (a > b)
45308 return 1;
45309 if (a < b)
45310 diff -urNp linux-2.6.39.2/fs/configfs/dir.c linux-2.6.39.2/fs/configfs/dir.c
45311 --- linux-2.6.39.2/fs/configfs/dir.c 2011-05-19 00:06:34.000000000 -0400
45312 +++ linux-2.6.39.2/fs/configfs/dir.c 2011-05-22 19:36:32.000000000 -0400
45313 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
45314 }
45315 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45316 struct configfs_dirent *next;
45317 - const char * name;
45318 + const unsigned char * name;
45319 + char d_name[sizeof(next->s_dentry->d_iname)];
45320 int len;
45321 struct inode *inode = NULL;
45322
45323 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
45324 continue;
45325
45326 name = configfs_get_name(next);
45327 - len = strlen(name);
45328 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45329 + len = next->s_dentry->d_name.len;
45330 + memcpy(d_name, name, len);
45331 + name = d_name;
45332 + } else
45333 + len = strlen(name);
45334
45335 /*
45336 * We'll have a dentry and an inode for
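Review bot: `memcpy(d_name, name, len)` copies `d_name.len` bytes into a stack buffer of `sizeof(d_iname)` bytes without comparing the two, so it is safe only while the dentry's length and its inline name stay consistent. If the dentry can be renamed while this loop runs (the locking is outside the hunk), a length read after the name pointer could exceed the buffer. Bound it explicitly before the copy, e.g. `if (len >= sizeof(d_name)) len = sizeof(d_name) - 1;`. Separately, `name` is now `const unsigned char *`, so the `strlen(name)` in the else branch passes a pointer of the wrong signedness and needs a cast or a `const char *` temporary.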
45337 diff -urNp linux-2.6.39.2/fs/configfs/file.c linux-2.6.39.2/fs/configfs/file.c
45338 --- linux-2.6.39.2/fs/configfs/file.c 2011-05-19 00:06:34.000000000 -0400
45339 +++ linux-2.6.39.2/fs/configfs/file.c 2011-05-22 19:36:32.000000000 -0400
45340 @@ -215,7 +215,7 @@ static int check_perm(struct inode * ino
45341 struct config_item *item = configfs_get_config_item(file->f_path.dentry->d_parent);
45342 struct configfs_attribute * attr = to_attr(file->f_path.dentry);
45343 struct configfs_buffer * buffer;
45344 - struct configfs_item_operations * ops = NULL;
45345 + struct configfs_item_operations *ops = NULL;
45346 int error = 0;
45347
45348 if (!item || !attr)
45349 diff -urNp linux-2.6.39.2/fs/configfs/item.c linux-2.6.39.2/fs/configfs/item.c
45350 --- linux-2.6.39.2/fs/configfs/item.c 2011-05-19 00:06:34.000000000 -0400
45351 +++ linux-2.6.39.2/fs/configfs/item.c 2011-05-22 19:36:32.000000000 -0400
45352 @@ -123,7 +123,7 @@ void config_item_init_type_name(struct c
45353 EXPORT_SYMBOL(config_item_init_type_name);
45354
45355 void config_group_init_type_name(struct config_group *group, const char *name,
45356 - struct config_item_type *type)
45357 + struct config_item_type *type)
45358 {
45359 config_item_set_name(&group->cg_item, name);
45360 group->cg_item.ci_type = type;
45361 diff -urNp linux-2.6.39.2/fs/dcache.c linux-2.6.39.2/fs/dcache.c
45362 --- linux-2.6.39.2/fs/dcache.c 2011-05-19 00:06:34.000000000 -0400
45363 +++ linux-2.6.39.2/fs/dcache.c 2011-05-22 19:36:32.000000000 -0400
45364 @@ -3069,7 +3069,7 @@ void __init vfs_caches_init(unsigned lon
45365 mempages -= reserve;
45366
45367 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45368 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45369 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45370
45371 dcache_init();
45372 inode_init();
45373 diff -urNp linux-2.6.39.2/fs/dlm/lockspace.c linux-2.6.39.2/fs/dlm/lockspace.c
45374 --- linux-2.6.39.2/fs/dlm/lockspace.c 2011-05-19 00:06:34.000000000 -0400
45375 +++ linux-2.6.39.2/fs/dlm/lockspace.c 2011-05-22 19:36:32.000000000 -0400
45376 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
45377 return 0;
45378 }
45379
45380 -static struct kset_uevent_ops dlm_uevent_ops = {
45381 +static const struct kset_uevent_ops dlm_uevent_ops = {
45382 .uevent = dlm_uevent,
45383 };
45384
45385 diff -urNp linux-2.6.39.2/fs/ecryptfs/inode.c linux-2.6.39.2/fs/ecryptfs/inode.c
45386 --- linux-2.6.39.2/fs/ecryptfs/inode.c 2011-06-03 00:04:14.000000000 -0400
45387 +++ linux-2.6.39.2/fs/ecryptfs/inode.c 2011-06-03 00:32:07.000000000 -0400
45388 @@ -623,7 +623,7 @@ static int ecryptfs_readlink_lower(struc
45389 old_fs = get_fs();
45390 set_fs(get_ds());
45391 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45392 - (char __user *)lower_buf,
45393 + (__force char __user *)lower_buf,
45394 lower_bufsiz);
45395 set_fs(old_fs);
45396 if (rc < 0)
45397 @@ -669,7 +669,7 @@ static void *ecryptfs_follow_link(struct
45398 }
45399 old_fs = get_fs();
45400 set_fs(get_ds());
45401 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45402 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45403 set_fs(old_fs);
45404 if (rc < 0) {
45405 kfree(buf);
45406 @@ -684,7 +684,7 @@ out:
45407 static void
45408 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
45409 {
45410 - char *buf = nd_get_link(nd);
45411 + const char *buf = nd_get_link(nd);
45412 if (!IS_ERR(buf)) {
45413 /* Free the char* */
45414 kfree(buf);
45415 diff -urNp linux-2.6.39.2/fs/ecryptfs/miscdev.c linux-2.6.39.2/fs/ecryptfs/miscdev.c
45416 --- linux-2.6.39.2/fs/ecryptfs/miscdev.c 2011-05-19 00:06:34.000000000 -0400
45417 +++ linux-2.6.39.2/fs/ecryptfs/miscdev.c 2011-05-22 19:36:32.000000000 -0400
45418 @@ -328,7 +328,7 @@ check_list:
45419 goto out_unlock_msg_ctx;
45420 i = 5;
45421 if (msg_ctx->msg) {
45422 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
45423 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
45424 goto out_unlock_msg_ctx;
45425 i += packet_length_size;
45426 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
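Review bot: The added bound `packet_length_size > sizeof(packet_length)` is only meaningful if `packet_length` is an array in this scope; its declaration is outside the hunk, and if it were a pointer the test would compare against the pointer size. Folding the bound into the copy_to_user condition also makes the line very long and sends a size violation down the same `out_unlock_msg_ctx` path as a user-space fault. Splitting it out as `if (packet_length_size > sizeof(packet_length)) goto out_unlock_msg_ctx;` with a comment `/* never read past the on-stack length buffer */` would be clearer. The `msg_ctx->msg_size` copy on the following line has no equivalent bound in the hunk; whether it needs one depends on how that buffer is allocated, which is not shown.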
45427 diff -urNp linux-2.6.39.2/fs/exec.c linux-2.6.39.2/fs/exec.c
45428 --- linux-2.6.39.2/fs/exec.c 2011-06-25 12:55:23.000000000 -0400
45429 +++ linux-2.6.39.2/fs/exec.c 2011-06-25 13:00:28.000000000 -0400
45430 @@ -55,12 +55,24 @@
45431 #include <linux/fs_struct.h>
45432 #include <linux/pipe_fs_i.h>
45433 #include <linux/oom.h>
45434 +#include <linux/random.h>
45435 +#include <linux/seq_file.h>
45436 +
45437 +#ifdef CONFIG_PAX_REFCOUNT
45438 +#include <linux/kallsyms.h>
45439 +#include <linux/kdebug.h>
45440 +#endif
45441
45442 #include <asm/uaccess.h>
45443 #include <asm/mmu_context.h>
45444 #include <asm/tlb.h>
45445 #include "internal.h"
45446
45447 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45448 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45449 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45450 +#endif
45451 +
45452 int core_uses_pid;
45453 char core_pattern[CORENAME_MAX_SIZE] = "core";
45454 unsigned int core_pipe_limit;
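Review bot: `pax_set_initial_flags_func` is added as a writable global function pointer exported to all modules, with no comment on who assigns it, when it is called, or what prevents it changing while an exec is in progress. In a patch that elsewhere marks ops tables `const`, the intended ownership of this hook should be stated. A comment along the lines of `/* optional hook: set by the ACL code, called during exec to assign initial PaX flags */` would do, with the wording to be confirmed since neither the writer nor the call site is in this hunk.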
45455 @@ -70,7 +82,7 @@ struct core_name {
45456 char *corename;
45457 int used, size;
45458 };
45459 -static atomic_t call_count = ATOMIC_INIT(1);
45460 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
45461
45462 /* The maximal length of core_pattern is also specified in sysctl.c */
45463
45464 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
45465 char *tmp = getname(library);
45466 int error = PTR_ERR(tmp);
45467 static const struct open_flags uselib_flags = {
45468 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45469 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45470 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
45471 .intent = LOOKUP_OPEN
45472 };
45473 @@ -190,18 +202,10 @@ struct page *get_arg_page(struct linux_b
45474 int write)
45475 {
45476 struct page *page;
45477 - int ret;
45478
45479 -#ifdef CONFIG_STACK_GROWSUP
45480 - if (write) {
45481 - ret = expand_stack_downwards(bprm->vma, pos);
45482 - if (ret < 0)
45483 - return NULL;
45484 - }
45485 -#endif
45486 - ret = get_user_pages(current, bprm->mm, pos,
45487 - 1, write, 1, &page, NULL);
45488 - if (ret <= 0)
45489 + if (0 > expand_stack_downwards(bprm->vma, pos))
45490 + return NULL;
45491 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45492 return NULL;
45493
45494 if (write) {
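Review bot: The two rewritten tests in get_arg_page use reversed comparisons, `0 > expand_stack_downwards(...)` and `0 >= get_user_pages(...)`, which read against the usual form in this file. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing. The change also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` guard, so the stack vma is now expanded on every call, including read lookups. Nothing in the hunk explains why, so a one-line comment giving the reason is needed. The function's signature starts outside the hunk.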
45495 @@ -276,6 +280,11 @@ static int __bprm_mm_init(struct linux_b
45496 vma->vm_end = STACK_TOP_MAX;
45497 vma->vm_start = vma->vm_end - PAGE_SIZE;
45498 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
45499 +
45500 +#ifdef CONFIG_PAX_SEGMEXEC
45501 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45502 +#endif
45503 +
45504 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45505 INIT_LIST_HEAD(&vma->anon_vma_chain);
45506
45507 @@ -290,6 +299,12 @@ static int __bprm_mm_init(struct linux_b
45508 mm->stack_vm = mm->total_vm = 1;
45509 up_write(&mm->mmap_sem);
45510 bprm->p = vma->vm_end - sizeof(void *);
45511 +
45512 +#ifdef CONFIG_PAX_RANDUSTACK
45513 + if (randomize_va_space)
45514 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45515 +#endif
45516 +
45517 return 0;
45518 err:
45519 up_write(&mm->mmap_sem);
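Review bot: The added `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` in __bprm_mm_init has no comment, and the two masks are easy to misread. As written, `~PAGE_MASK` confines the random bits to the offset inside the page and `~15` leaves the low four bits of bprm->p as they were, so the pointer stays inside the one-page stack VMA set up earlier in the function and keeps its alignment. A comment such as `/* randomize the initial stack pointer within its page; low 4 bits untouched */` above the `if` would state that. The function begins before the hunk.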
45520 @@ -525,7 +540,7 @@ int copy_strings_kernel(int argc, const
45521 int r;
45522 mm_segment_t oldfs = get_fs();
45523 set_fs(KERNEL_DS);
45524 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
45525 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
45526 set_fs(oldfs);
45527 return r;
45528 }
45529 @@ -555,7 +570,8 @@ static int shift_arg_pages(struct vm_are
45530 unsigned long new_end = old_end - shift;
45531 struct mmu_gather *tlb;
45532
45533 - BUG_ON(new_start > new_end);
45534 + if (new_start >= new_end || new_start < mmap_min_addr)
45535 + return -ENOMEM;
45536
45537 /*
45538 * ensure there are no vmas between where we want to go
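Review bot: The new guard `if (new_start >= new_end || new_start < mmap_min_addr)` in shift_arg_pages replaces both the old BUG_ON and the mmap_min_addr test that a later hunk removes from setup_arg_pages, but it carries no comment saying so. If new_start is computed as `old_start - shift` in the same way as new_end (its declaration is above the hunk), a shift larger than old_start wraps it to a large value, and it is the `>=` comparison rather than the mmap_min_addr one that rejects that case, assuming new_end itself did not wrap. Suggested comment: `/* reject an empty or wrapped range and anything below mmap_min_addr; setup_arg_pages() relies on this check */`. The function starts before the hunk and continues after it.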
45539 @@ -564,6 +580,10 @@ static int shift_arg_pages(struct vm_are
45540 if (vma != find_vma(mm, new_start))
45541 return -EFAULT;
45542
45543 +#ifdef CONFIG_PAX_SEGMEXEC
45544 + BUG_ON(pax_find_mirror_vma(vma));
45545 +#endif
45546 +
45547 /*
45548 * cover the whole range: [new_start, old_end)
45549 */
45550 @@ -644,10 +664,6 @@ int setup_arg_pages(struct linux_binprm
45551 stack_top = arch_align_stack(stack_top);
45552 stack_top = PAGE_ALIGN(stack_top);
45553
45554 - if (unlikely(stack_top < mmap_min_addr) ||
45555 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45556 - return -ENOMEM;
45557 -
45558 stack_shift = vma->vm_end - stack_top;
45559
45560 bprm->p -= stack_shift;
45561 @@ -659,8 +675,28 @@ int setup_arg_pages(struct linux_binprm
45562 bprm->exec -= stack_shift;
45563
45564 down_write(&mm->mmap_sem);
45565 +
45566 + /* Move stack pages down in memory. */
45567 + if (stack_shift) {
45568 + ret = shift_arg_pages(vma, stack_shift);
45569 + if (ret)
45570 + goto out_unlock;
45571 + }
45572 +
45573 vm_flags = VM_STACK_FLAGS;
45574
45575 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45576 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45577 + vm_flags &= ~VM_EXEC;
45578 +
45579 +#ifdef CONFIG_PAX_MPROTECT
45580 + if (mm->pax_flags & MF_PAX_MPROTECT)
45581 + vm_flags &= ~VM_MAYEXEC;
45582 +#endif
45583 +
45584 + }
45585 +#endif
45586 +
45587 /*
45588 * Adjust stack execute permissions; explicitly enable for
45589 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
45590 @@ -679,13 +715,6 @@ int setup_arg_pages(struct linux_binprm
45591 goto out_unlock;
45592 BUG_ON(prev != vma);
45593
45594 - /* Move stack pages down in memory. */
45595 - if (stack_shift) {
45596 - ret = shift_arg_pages(vma, stack_shift);
45597 - if (ret)
45598 - goto out_unlock;
45599 - }
45600 -
45601 /* mprotect_fixup is overkill to remove the temporary stack flags */
45602 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
45603
45604 @@ -725,7 +754,7 @@ struct file *open_exec(const char *name)
45605 struct file *file;
45606 int err;
45607 static const struct open_flags open_exec_flags = {
45608 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45609 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45610 .acc_mode = MAY_EXEC | MAY_OPEN,
45611 .intent = LOOKUP_OPEN
45612 };
45613 @@ -766,7 +795,7 @@ int kernel_read(struct file *file, loff_
45614 old_fs = get_fs();
45615 set_fs(get_ds());
45616 /* The cast to a user pointer is valid due to the set_fs() */
45617 - result = vfs_read(file, (void __user *)addr, count, &pos);
45618 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
45619 set_fs(old_fs);
45620 return result;
45621 }
45622 @@ -1189,7 +1218,7 @@ int check_unsafe_exec(struct linux_binpr
45623 }
45624 rcu_read_unlock();
45625
45626 - if (p->fs->users > n_fs) {
45627 + if (atomic_read(&p->fs->users) > n_fs) {
45628 bprm->unsafe |= LSM_UNSAFE_SHARE;
45629 } else {
45630 res = -EAGAIN;
45631 @@ -1381,6 +1410,11 @@ int do_execve(const char * filename,
45632 const char __user *const __user *envp,
45633 struct pt_regs * regs)
45634 {
45635 +#ifdef CONFIG_GRKERNSEC
45636 + struct file *old_exec_file;
45637 + struct acl_subject_label *old_acl;
45638 + struct rlimit old_rlim[RLIM_NLIMITS];
45639 +#endif
45640 struct linux_binprm *bprm;
45641 struct file *file;
45642 struct files_struct *displaced;
45643 @@ -1417,6 +1451,23 @@ int do_execve(const char * filename,
45644 bprm->filename = filename;
45645 bprm->interp = filename;
45646
45647 + if (gr_process_user_ban()) {
45648 + retval = -EPERM;
45649 + goto out_file;
45650 + }
45651 +
45652 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45653 +
45654 + if (gr_handle_nproc()) {
45655 + retval = -EAGAIN;
45656 + goto out_file;
45657 + }
45658 +
45659 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45660 + retval = -EACCES;
45661 + goto out_file;
45662 + }
45663 +
45664 retval = bprm_mm_init(bprm);
45665 if (retval)
45666 goto out_file;
45667 @@ -1446,9 +1497,40 @@ int do_execve(const char * filename,
45668 if (retval < 0)
45669 goto out;
45670
45671 + if (!gr_tpe_allow(file)) {
45672 + retval = -EACCES;
45673 + goto out;
45674 + }
45675 +
45676 + if (gr_check_crash_exec(file)) {
45677 + retval = -EACCES;
45678 + goto out;
45679 + }
45680 +
45681 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45682 +
45683 + gr_handle_exec_args(bprm, argv);
45684 +
45685 +#ifdef CONFIG_GRKERNSEC
45686 + old_acl = current->acl;
45687 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45688 + old_exec_file = current->exec_file;
45689 + get_file(file);
45690 + current->exec_file = file;
45691 +#endif
45692 +
45693 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45694 + bprm->unsafe & LSM_UNSAFE_SHARE);
45695 + if (retval < 0)
45696 + goto out_fail;
45697 +
45698 retval = search_binary_handler(bprm,regs);
45699 if (retval < 0)
45700 - goto out;
45701 + goto out_fail;
45702 +#ifdef CONFIG_GRKERNSEC
45703 + if (old_exec_file)
45704 + fput(old_exec_file);
45705 +#endif
45706
45707 /* execve succeeded */
45708 current->fs->in_exec = 0;
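Review bot: The limits snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and its restore under out_fail in the next hunk copy the shared signal->rlim array with no lock visible in either hunk. If another thread of the same process can change a limit between the two copies, the restore would silently undo that change, and a copy taken mid-update could be torn. Assuming the limits are normally updated under the group leader's task lock (to be confirmed against kernel/sys.c in this tree), both copies should take it too: `task_lock(current->group_leader); memcpy(...); task_unlock(current->group_leader);`. do_execve begins before this hunk and continues after it.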
45709 @@ -1459,6 +1541,14 @@ int do_execve(const char * filename,
45710 put_files_struct(displaced);
45711 return retval;
45712
45713 +out_fail:
45714 +#ifdef CONFIG_GRKERNSEC
45715 + current->acl = old_acl;
45716 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45717 + fput(current->exec_file);
45718 + current->exec_file = old_exec_file;
45719 +#endif
45720 +
45721 out:
45722 if (bprm->mm) {
45723 acct_arg_size(bprm, 0);
45724 @@ -1504,7 +1594,7 @@ static int expand_corename(struct core_n
45725 {
45726 char *old_corename = cn->corename;
45727
45728 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
45729 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
45730 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45731
45732 if (!cn->corename) {
45733 @@ -1557,7 +1647,7 @@ static int format_corename(struct core_n
45734 int pid_in_pattern = 0;
45735 int err = 0;
45736
45737 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
45738 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
45739 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45740 cn->used = 0;
45741
45742 @@ -1645,6 +1735,219 @@ out:
45743 return ispipe;
45744 }
45745
45746 +int pax_check_flags(unsigned long *flags)
45747 +{
45748 + int retval = 0;
45749 +
45750 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45751 + if (*flags & MF_PAX_SEGMEXEC)
45752 + {
45753 + *flags &= ~MF_PAX_SEGMEXEC;
45754 + retval = -EINVAL;
45755 + }
45756 +#endif
45757 +
45758 + if ((*flags & MF_PAX_PAGEEXEC)
45759 +
45760 +#ifdef CONFIG_PAX_PAGEEXEC
45761 + && (*flags & MF_PAX_SEGMEXEC)
45762 +#endif
45763 +
45764 + )
45765 + {
45766 + *flags &= ~MF_PAX_PAGEEXEC;
45767 + retval = -EINVAL;
45768 + }
45769 +
45770 + if ((*flags & MF_PAX_MPROTECT)
45771 +
45772 +#ifdef CONFIG_PAX_MPROTECT
45773 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45774 +#endif
45775 +
45776 + )
45777 + {
45778 + *flags &= ~MF_PAX_MPROTECT;
45779 + retval = -EINVAL;
45780 + }
45781 +
45782 + if ((*flags & MF_PAX_EMUTRAMP)
45783 +
45784 +#ifdef CONFIG_PAX_EMUTRAMP
45785 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45786 +#endif
45787 +
45788 + )
45789 + {
45790 + *flags &= ~MF_PAX_EMUTRAMP;
45791 + retval = -EINVAL;
45792 + }
45793 +
45794 + return retval;
45795 +}
45796 +
45797 +EXPORT_SYMBOL(pax_check_flags);
45798 +
45799 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45800 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45801 +{
45802 + struct task_struct *tsk = current;
45803 + struct mm_struct *mm = current->mm;
45804 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
45805 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
45806 + char *path_exec = NULL;
45807 + char *path_fault = NULL;
45808 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
45809 +
45810 + if (buffer_exec && buffer_fault) {
45811 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
45812 +
45813 + down_read(&mm->mmap_sem);
45814 + vma = mm->mmap;
45815 + while (vma && (!vma_exec || !vma_fault)) {
45816 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
45817 + vma_exec = vma;
45818 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
45819 + vma_fault = vma;
45820 + vma = vma->vm_next;
45821 + }
45822 + if (vma_exec) {
45823 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
45824 + if (IS_ERR(path_exec))
45825 + path_exec = "<path too long>";
45826 + else {
45827 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
45828 + if (path_exec) {
45829 + *path_exec = 0;
45830 + path_exec = buffer_exec;
45831 + } else
45832 + path_exec = "<path too long>";
45833 + }
45834 + }
45835 + if (vma_fault) {
45836 + start = vma_fault->vm_start;
45837 + end = vma_fault->vm_end;
45838 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
45839 + if (vma_fault->vm_file) {
45840 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
45841 + if (IS_ERR(path_fault))
45842 + path_fault = "<path too long>";
45843 + else {
45844 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
45845 + if (path_fault) {
45846 + *path_fault = 0;
45847 + path_fault = buffer_fault;
45848 + } else
45849 + path_fault = "<path too long>";
45850 + }
45851 + } else
45852 + path_fault = "<anonymous mapping>";
45853 + }
45854 + up_read(&mm->mmap_sem);
45855 + }
45856 + if (tsk->signal->curr_ip)
45857 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
45858 + else
45859 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
45860 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
45861 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
45862 + task_uid(tsk), task_euid(tsk), pc, sp);
45863 + free_page((unsigned long)buffer_exec);
45864 + free_page((unsigned long)buffer_fault);
45865 + pax_report_insns(pc, sp);
45866 + do_coredump(SIGKILL, SIGKILL, regs);
45867 +}
45868 +#endif
45869 +
45870 +#ifdef CONFIG_PAX_REFCOUNT
45871 +void pax_report_refcount_overflow(struct pt_regs *regs)
45872 +{
45873 + if (current->signal->curr_ip)
45874 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45875 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
45876 + else
45877 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45878 + current->comm, task_pid_nr(current), current_uid(), current_euid());
45879 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
45880 + show_regs(regs);
45881 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
45882 +}
45883 +#endif
45884 +
45885 +#ifdef CONFIG_PAX_USERCOPY
45886 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
45887 +int object_is_on_stack(const void *obj, unsigned long len)
45888 +{
45889 + const void * const stack = task_stack_page(current);
45890 + const void * const stackend = stack + THREAD_SIZE;
45891 +
45892 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45893 + const void *frame = NULL;
45894 + const void *oldframe;
45895 +#endif
45896 +
45897 + if (obj + len < obj)
45898 + return -1;
45899 +
45900 + if (obj + len <= stack || stackend <= obj)
45901 + return 0;
45902 +
45903 + if (obj < stack || stackend < obj + len)
45904 + return -1;
45905 +
45906 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45907 + oldframe = __builtin_frame_address(1);
45908 + if (oldframe)
45909 + frame = __builtin_frame_address(2);
45910 + /*
45911 + low ----------------------------------------------> high
45912 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
45913 + ^----------------^
45914 + allow copies only within here
45915 + */
45916 + while (stack <= frame && frame < stackend) {
45917 + /* if obj + len extends past the last frame, this
45918 + check won't pass and the next frame will be 0,
45919 + causing us to bail out and correctly report
45920 + the copy as invalid
45921 + */
45922 + if (obj + len <= frame)
45923 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
45924 + oldframe = frame;
45925 + frame = *(const void * const *)frame;
45926 + }
45927 + return -1;
45928 +#else
45929 + return 1;
45930 +#endif
45931 +}
45932 +
45933 +
45934 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
45935 +{
45936 + if (current->signal->curr_ip)
45937 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45938 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45939 + else
45940 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45941 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45942 + dump_stack();
45943 + gr_handle_kernel_exploit();
45944 + do_group_exit(SIGKILL);
45945 +}
45946 +#endif
45947 +
45948 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
45949 +void pax_track_stack(void)
45950 +{
45951 + unsigned long sp = (unsigned long)&sp;
45952 + if (sp < current_thread_info()->lowest_stack &&
45953 + sp > (unsigned long)task_stack_page(current))
45954 + current_thread_info()->lowest_stack = sp;
45955 +}
45956 +EXPORT_SYMBOL(pax_track_stack);
45957 +#endif
45958 +
45959 static int zap_process(struct task_struct *start, int exit_code)
45960 {
45961 struct task_struct *t;
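Review bot: In object_is_on_stack the wraparound guard `if (obj + len < obj)` is evaluated as pointer arithmetic on `const void *`, where overflow is undefined, so whether the test survives optimization depends on the overflow flags the kernel is built with. Since this function classifies objects for the CONFIG_PAX_USERCOPY checks, the guard is better done on integers: `if ((unsigned long)obj + len < (unsigned long)obj) return -1;`. The `obj + len` terms in the two range comparisons after it, and in the frame walk, could then reuse one precomputed end value instead of repeating the pointer addition.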
45962 @@ -1855,17 +2158,17 @@ static void wait_for_dump_helpers(struct
45963 pipe = file->f_path.dentry->d_inode->i_pipe;
45964
45965 pipe_lock(pipe);
45966 - pipe->readers++;
45967 - pipe->writers--;
45968 + atomic_inc(&pipe->readers);
45969 + atomic_dec(&pipe->writers);
45970
45971 - while ((pipe->readers > 1) && (!signal_pending(current))) {
45972 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
45973 wake_up_interruptible_sync(&pipe->wait);
45974 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45975 pipe_wait(pipe);
45976 }
45977
45978 - pipe->readers--;
45979 - pipe->writers++;
45980 + atomic_dec(&pipe->readers);
45981 + atomic_inc(&pipe->writers);
45982 pipe_unlock(pipe);
45983
45984 }
45985 @@ -1926,7 +2229,7 @@ void do_coredump(long signr, int exit_co
45986 int retval = 0;
45987 int flag = 0;
45988 int ispipe;
45989 - static atomic_t core_dump_count = ATOMIC_INIT(0);
45990 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
45991 struct coredump_params cprm = {
45992 .signr = signr,
45993 .regs = regs,
45994 @@ -1941,6 +2244,9 @@ void do_coredump(long signr, int exit_co
45995
45996 audit_core_dumps(signr);
45997
45998 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
45999 + gr_handle_brute_attach(current, cprm.mm_flags);
46000 +
46001 binfmt = mm->binfmt;
46002 if (!binfmt || !binfmt->core_dump)
46003 goto fail;
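Review bot: The added call `gr_handle_brute_attach(current, cprm.mm_flags);` is gated on four signal numbers with no comment explaining the choice, and SIGKILL in particular looks odd in a core-dump path. Earlier in this same patch pax_report_fault ends with `do_coredump(SIGKILL, SIGKILL, regs);`, which appears to be why it is listed. The call also sits before the `binfmt`/`core_dump` test, so it runs even when no dump will be written; that looks intentional but should be said. Suggested comment: `/* fatal signals counted for brute-force detection; SIGKILL arrives here from pax_report_fault(); done before any dump-eligibility check */`. do_coredump starts before the hunk and continues after it.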
46004 @@ -1981,6 +2287,8 @@ void do_coredump(long signr, int exit_co
46005 goto fail_corename;
46006 }
46007
46008 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46009 +
46010 if (ispipe) {
46011 int dump_count;
46012 char **helper_argv;
46013 @@ -2008,7 +2316,7 @@ void do_coredump(long signr, int exit_co
46014 }
46015 cprm.limit = RLIM_INFINITY;
46016
46017 - dump_count = atomic_inc_return(&core_dump_count);
46018 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
46019 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46020 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46021 task_tgid_vnr(current), current->comm);
46022 @@ -2078,7 +2386,7 @@ close_fail:
46023 filp_close(cprm.file, NULL);
46024 fail_dropcount:
46025 if (ispipe)
46026 - atomic_dec(&core_dump_count);
46027 + atomic_dec_unchecked(&core_dump_count);
46028 fail_unlock:
46029 kfree(cn.corename);
46030 fail_corename:
46031 diff -urNp linux-2.6.39.2/fs/ext2/balloc.c linux-2.6.39.2/fs/ext2/balloc.c
46032 --- linux-2.6.39.2/fs/ext2/balloc.c 2011-05-19 00:06:34.000000000 -0400
46033 +++ linux-2.6.39.2/fs/ext2/balloc.c 2011-05-22 19:41:37.000000000 -0400
46034 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46035
46036 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46037 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46038 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46039 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46040 sbi->s_resuid != current_fsuid() &&
46041 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46042 return 0;
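Review bot: The switch from capable() to `capable_nolog(CAP_SYS_RESOURCE)` in ext2_has_free_blocks is not explained at the call site, and the same unexplained change appears in the ext3_has_free_blocks and ext4_has_free_blocks hunks that follow. In ext2 and ext3 the capability test is the second operand of the `&&` chain, so it is evaluated for any caller once free blocks drop to the reserved level; presumably the non-logging variant is there to keep those routine probes out of the audit log. A short comment would make that explicit once the intent is confirmed, for example `/* routine reserve check, not a privileged request: use the non-logging capability test */`. The function starts before the hunk.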
46043 diff -urNp linux-2.6.39.2/fs/ext3/balloc.c linux-2.6.39.2/fs/ext3/balloc.c
46044 --- linux-2.6.39.2/fs/ext3/balloc.c 2011-05-19 00:06:34.000000000 -0400
46045 +++ linux-2.6.39.2/fs/ext3/balloc.c 2011-05-22 19:41:37.000000000 -0400
46046 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
46047
46048 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46049 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46050 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46051 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46052 sbi->s_resuid != current_fsuid() &&
46053 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46054 return 0;
46055 diff -urNp linux-2.6.39.2/fs/ext4/balloc.c linux-2.6.39.2/fs/ext4/balloc.c
46056 --- linux-2.6.39.2/fs/ext4/balloc.c 2011-05-19 00:06:34.000000000 -0400
46057 +++ linux-2.6.39.2/fs/ext4/balloc.c 2011-05-22 19:41:37.000000000 -0400
46058 @@ -522,7 +522,7 @@ static int ext4_has_free_blocks(struct e
46059 /* Hm, nope. Are (enough) root reserved blocks available? */
46060 if (sbi->s_resuid == current_fsuid() ||
46061 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46062 - capable(CAP_SYS_RESOURCE)) {
46063 + capable_nolog(CAP_SYS_RESOURCE)) {
46064 if (free_blocks >= (nblocks + dirty_blocks))
46065 return 1;
46066 }
46067 diff -urNp linux-2.6.39.2/fs/ext4/ext4.h linux-2.6.39.2/fs/ext4/ext4.h
46068 --- linux-2.6.39.2/fs/ext4/ext4.h 2011-06-03 00:04:14.000000000 -0400
46069 +++ linux-2.6.39.2/fs/ext4/ext4.h 2011-06-03 00:32:07.000000000 -0400
46070 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
46071 unsigned long s_mb_last_start;
46072
46073 /* stats for buddy allocator */
46074 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46075 - atomic_t s_bal_success; /* we found long enough chunks */
46076 - atomic_t s_bal_allocated; /* in blocks */
46077 - atomic_t s_bal_ex_scanned; /* total extents scanned */
46078 - atomic_t s_bal_goals; /* goal hits */
46079 - atomic_t s_bal_breaks; /* too long searches */
46080 - atomic_t s_bal_2orders; /* 2^order hits */
46081 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46082 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46083 + atomic_unchecked_t s_bal_allocated; /* in blocks */
46084 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46085 + atomic_unchecked_t s_bal_goals; /* goal hits */
46086 + atomic_unchecked_t s_bal_breaks; /* too long searches */
46087 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46088 spinlock_t s_bal_lock;
46089 unsigned long s_mb_buddies_generated;
46090 unsigned long long s_mb_generation_time;
46091 - atomic_t s_mb_lost_chunks;
46092 - atomic_t s_mb_preallocated;
46093 - atomic_t s_mb_discarded;
46094 + atomic_unchecked_t s_mb_lost_chunks;
46095 + atomic_unchecked_t s_mb_preallocated;
46096 + atomic_unchecked_t s_mb_discarded;
46097 atomic_t s_lock_busy;
46098
46099 /* locality groups */
46100 diff -urNp linux-2.6.39.2/fs/ext4/mballoc.c linux-2.6.39.2/fs/ext4/mballoc.c
46101 --- linux-2.6.39.2/fs/ext4/mballoc.c 2011-06-03 00:04:14.000000000 -0400
46102 +++ linux-2.6.39.2/fs/ext4/mballoc.c 2011-06-03 00:32:07.000000000 -0400
46103 @@ -1853,7 +1853,7 @@ void ext4_mb_simple_scan_group(struct ex
46104 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46105
46106 if (EXT4_SB(sb)->s_mb_stats)
46107 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46108 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46109
46110 break;
46111 }
46112 @@ -2147,7 +2147,7 @@ repeat:
46113 ac->ac_status = AC_STATUS_CONTINUE;
46114 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46115 cr = 3;
46116 - atomic_inc(&sbi->s_mb_lost_chunks);
46117 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46118 goto repeat;
46119 }
46120 }
46121 @@ -2190,6 +2190,8 @@ static int ext4_mb_seq_groups_show(struc
46122 ext4_grpblk_t counters[16];
46123 } sg;
46124
46125 + pax_track_stack();
46126 +
46127 group--;
46128 if (group == 0)
46129 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46130 @@ -2613,25 +2615,25 @@ int ext4_mb_release(struct super_block *
46131 if (sbi->s_mb_stats) {
46132 printk(KERN_INFO
46133 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46134 - atomic_read(&sbi->s_bal_allocated),
46135 - atomic_read(&sbi->s_bal_reqs),
46136 - atomic_read(&sbi->s_bal_success));
46137 + atomic_read_unchecked(&sbi->s_bal_allocated),
46138 + atomic_read_unchecked(&sbi->s_bal_reqs),
46139 + atomic_read_unchecked(&sbi->s_bal_success));
46140 printk(KERN_INFO
46141 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46142 "%u 2^N hits, %u breaks, %u lost\n",
46143 - atomic_read(&sbi->s_bal_ex_scanned),
46144 - atomic_read(&sbi->s_bal_goals),
46145 - atomic_read(&sbi->s_bal_2orders),
46146 - atomic_read(&sbi->s_bal_breaks),
46147 - atomic_read(&sbi->s_mb_lost_chunks));
46148 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46149 + atomic_read_unchecked(&sbi->s_bal_goals),
46150 + atomic_read_unchecked(&sbi->s_bal_2orders),
46151 + atomic_read_unchecked(&sbi->s_bal_breaks),
46152 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46153 printk(KERN_INFO
46154 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46155 sbi->s_mb_buddies_generated++,
46156 sbi->s_mb_generation_time);
46157 printk(KERN_INFO
46158 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46159 - atomic_read(&sbi->s_mb_preallocated),
46160 - atomic_read(&sbi->s_mb_discarded));
46161 + atomic_read_unchecked(&sbi->s_mb_preallocated),
46162 + atomic_read_unchecked(&sbi->s_mb_discarded));
46163 }
46164
46165 free_percpu(sbi->s_locality_groups);
46166 @@ -3107,16 +3109,16 @@ static void ext4_mb_collect_stats(struct
46167 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46168
46169 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46170 - atomic_inc(&sbi->s_bal_reqs);
46171 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46172 + atomic_inc_unchecked(&sbi->s_bal_reqs);
46173 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46174 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
46175 - atomic_inc(&sbi->s_bal_success);
46176 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46177 + atomic_inc_unchecked(&sbi->s_bal_success);
46178 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46179 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46180 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46181 - atomic_inc(&sbi->s_bal_goals);
46182 + atomic_inc_unchecked(&sbi->s_bal_goals);
46183 if (ac->ac_found > sbi->s_mb_max_to_scan)
46184 - atomic_inc(&sbi->s_bal_breaks);
46185 + atomic_inc_unchecked(&sbi->s_bal_breaks);
46186 }
46187
46188 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46189 @@ -3514,7 +3516,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46190 trace_ext4_mb_new_inode_pa(ac, pa);
46191
46192 ext4_mb_use_inode_pa(ac, pa);
46193 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46194 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46195
46196 ei = EXT4_I(ac->ac_inode);
46197 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46198 @@ -3574,7 +3576,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46199 trace_ext4_mb_new_group_pa(ac, pa);
46200
46201 ext4_mb_use_group_pa(ac, pa);
46202 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46203 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46204
46205 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46206 lg = ac->ac_lg;
46207 @@ -3661,7 +3663,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46208 * from the bitmap and continue.
46209 */
46210 }
46211 - atomic_add(free, &sbi->s_mb_discarded);
46212 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
46213
46214 return err;
46215 }
46216 @@ -3679,7 +3681,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46217 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46218 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46219 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46220 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46221 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46222 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
46223
46224 return 0;
46225 diff -urNp linux-2.6.39.2/fs/fcntl.c linux-2.6.39.2/fs/fcntl.c
46226 --- linux-2.6.39.2/fs/fcntl.c 2011-05-19 00:06:34.000000000 -0400
46227 +++ linux-2.6.39.2/fs/fcntl.c 2011-05-22 20:45:50.000000000 -0400
46228 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
46229 if (err)
46230 return err;
46231
46232 + if (gr_handle_chroot_fowner(pid, type))
46233 + return -ENOENT;
46234 + if (gr_check_protected_task_fowner(pid, type))
46235 + return -EACCES;
46236 +
46237 f_modown(filp, pid, type, force);
46238 return 0;
46239 }
46240 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
46241 switch (cmd) {
46242 case F_DUPFD:
46243 case F_DUPFD_CLOEXEC:
46244 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46245 if (arg >= rlimit(RLIMIT_NOFILE))
46246 break;
46247 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
46248 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
46249 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
46250 * is defined as O_NONBLOCK on some platforms and not on others.
46251 */
46252 - BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46253 + BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46254 O_RDONLY | O_WRONLY | O_RDWR |
46255 O_CREAT | O_EXCL | O_NOCTTY |
46256 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
46257 __O_SYNC | O_DSYNC | FASYNC |
46258 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
46259 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
46260 - __FMODE_EXEC | O_PATH
46261 + __FMODE_EXEC | O_PATH | FMODE_GREXEC
46262 ));
46263
46264 fasync_cache = kmem_cache_create("fasync_cache",
46265 diff -urNp linux-2.6.39.2/fs/fifo.c linux-2.6.39.2/fs/fifo.c
46266 --- linux-2.6.39.2/fs/fifo.c 2011-05-19 00:06:34.000000000 -0400
46267 +++ linux-2.6.39.2/fs/fifo.c 2011-05-22 19:36:32.000000000 -0400
46268 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
46269 */
46270 filp->f_op = &read_pipefifo_fops;
46271 pipe->r_counter++;
46272 - if (pipe->readers++ == 0)
46273 + if (atomic_inc_return(&pipe->readers) == 1)
46274 wake_up_partner(inode);
46275
46276 - if (!pipe->writers) {
46277 + if (!atomic_read(&pipe->writers)) {
46278 if ((filp->f_flags & O_NONBLOCK)) {
46279 /* suppress POLLHUP until we have
46280 * seen a writer */
46281 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
46282 * errno=ENXIO when there is no process reading the FIFO.
46283 */
46284 ret = -ENXIO;
46285 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46286 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46287 goto err;
46288
46289 filp->f_op = &write_pipefifo_fops;
46290 pipe->w_counter++;
46291 - if (!pipe->writers++)
46292 + if (atomic_inc_return(&pipe->writers) == 1)
46293 wake_up_partner(inode);
46294
46295 - if (!pipe->readers) {
46296 + if (!atomic_read(&pipe->readers)) {
46297 wait_for_partner(inode, &pipe->r_counter);
46298 if (signal_pending(current))
46299 goto err_wr;
46300 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
46301 */
46302 filp->f_op = &rdwr_pipefifo_fops;
46303
46304 - pipe->readers++;
46305 - pipe->writers++;
46306 + atomic_inc(&pipe->readers);
46307 + atomic_inc(&pipe->writers);
46308 pipe->r_counter++;
46309 pipe->w_counter++;
46310 - if (pipe->readers == 1 || pipe->writers == 1)
46311 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46312 wake_up_partner(inode);
46313 break;
46314
46315 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
46316 return 0;
46317
46318 err_rd:
46319 - if (!--pipe->readers)
46320 + if (atomic_dec_and_test(&pipe->readers))
46321 wake_up_interruptible(&pipe->wait);
46322 ret = -ERESTARTSYS;
46323 goto err;
46324
46325 err_wr:
46326 - if (!--pipe->writers)
46327 + if (atomic_dec_and_test(&pipe->writers))
46328 wake_up_interruptible(&pipe->wait);
46329 ret = -ERESTARTSYS;
46330 goto err;
46331
46332 err:
46333 - if (!pipe->readers && !pipe->writers)
46334 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46335 free_pipe_info(inode);
46336
46337 err_nocleanup:
46338 diff -urNp linux-2.6.39.2/fs/file.c linux-2.6.39.2/fs/file.c
46339 --- linux-2.6.39.2/fs/file.c 2011-05-19 00:06:34.000000000 -0400
46340 +++ linux-2.6.39.2/fs/file.c 2011-05-22 19:41:37.000000000 -0400
46341 @@ -15,6 +15,7 @@
46342 #include <linux/slab.h>
46343 #include <linux/vmalloc.h>
46344 #include <linux/file.h>
46345 +#include <linux/security.h>
46346 #include <linux/fdtable.h>
46347 #include <linux/bitops.h>
46348 #include <linux/interrupt.h>
46349 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
46350 * N.B. For clone tasks sharing a files structure, this test
46351 * will limit the total number of files that can be opened.
46352 */
46353 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46354 if (nr >= rlimit(RLIMIT_NOFILE))
46355 return -EMFILE;
46356
46357 diff -urNp linux-2.6.39.2/fs/filesystems.c linux-2.6.39.2/fs/filesystems.c
46358 --- linux-2.6.39.2/fs/filesystems.c 2011-05-19 00:06:34.000000000 -0400
46359 +++ linux-2.6.39.2/fs/filesystems.c 2011-05-22 19:41:37.000000000 -0400
46360 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
46361 int len = dot ? dot - name : strlen(name);
46362
46363 fs = __get_fs_type(name, len);
46364 +
46365 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46366 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46367 +#else
46368 if (!fs && (request_module("%.*s", len, name) == 0))
46369 +#endif
46370 fs = __get_fs_type(name, len);
46371
46372 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
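Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` / `#else` pair selects between two `if` heads that share the single unbraced body `fs = __get_fs_type(name, len);`, which is easy to break when a later edit adds braces or a second statement to only one branch. Hiding the choice behind one helper or macro, so that the `if (!fs && ... == 0)` line appears once, would keep both configurations in step. The hunk also lacks a comment saying what the leading `true` and the `"grsec_modharden_fs"` tag mean to `___request_module`. Since `name` reaches this point from the caller and decides which module is auto-loaded, that explanation is what a reader auditing the hardening needs. get_fs_type starts and ends outside the hunk.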
46373 diff -urNp linux-2.6.39.2/fs/fscache/cookie.c linux-2.6.39.2/fs/fscache/cookie.c
46374 --- linux-2.6.39.2/fs/fscache/cookie.c 2011-05-19 00:06:34.000000000 -0400
46375 +++ linux-2.6.39.2/fs/fscache/cookie.c 2011-05-22 19:36:32.000000000 -0400
46376 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46377 parent ? (char *) parent->def->name : "<no-parent>",
46378 def->name, netfs_data);
46379
46380 - fscache_stat(&fscache_n_acquires);
46381 + fscache_stat_unchecked(&fscache_n_acquires);
46382
46383 /* if there's no parent cookie, then we don't create one here either */
46384 if (!parent) {
46385 - fscache_stat(&fscache_n_acquires_null);
46386 + fscache_stat_unchecked(&fscache_n_acquires_null);
46387 _leave(" [no parent]");
46388 return NULL;
46389 }
46390 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46391 /* allocate and initialise a cookie */
46392 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46393 if (!cookie) {
46394 - fscache_stat(&fscache_n_acquires_oom);
46395 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46396 _leave(" [ENOMEM]");
46397 return NULL;
46398 }
46399 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46400
46401 switch (cookie->def->type) {
46402 case FSCACHE_COOKIE_TYPE_INDEX:
46403 - fscache_stat(&fscache_n_cookie_index);
46404 + fscache_stat_unchecked(&fscache_n_cookie_index);
46405 break;
46406 case FSCACHE_COOKIE_TYPE_DATAFILE:
46407 - fscache_stat(&fscache_n_cookie_data);
46408 + fscache_stat_unchecked(&fscache_n_cookie_data);
46409 break;
46410 default:
46411 - fscache_stat(&fscache_n_cookie_special);
46412 + fscache_stat_unchecked(&fscache_n_cookie_special);
46413 break;
46414 }
46415
46416 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46417 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46418 atomic_dec(&parent->n_children);
46419 __fscache_cookie_put(cookie);
46420 - fscache_stat(&fscache_n_acquires_nobufs);
46421 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46422 _leave(" = NULL");
46423 return NULL;
46424 }
46425 }
46426
46427 - fscache_stat(&fscache_n_acquires_ok);
46428 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46429 _leave(" = %p", cookie);
46430 return cookie;
46431 }
46432 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46433 cache = fscache_select_cache_for_object(cookie->parent);
46434 if (!cache) {
46435 up_read(&fscache_addremove_sem);
46436 - fscache_stat(&fscache_n_acquires_no_cache);
46437 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46438 _leave(" = -ENOMEDIUM [no cache]");
46439 return -ENOMEDIUM;
46440 }
46441 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46442 object = cache->ops->alloc_object(cache, cookie);
46443 fscache_stat_d(&fscache_n_cop_alloc_object);
46444 if (IS_ERR(object)) {
46445 - fscache_stat(&fscache_n_object_no_alloc);
46446 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46447 ret = PTR_ERR(object);
46448 goto error;
46449 }
46450
46451 - fscache_stat(&fscache_n_object_alloc);
46452 + fscache_stat_unchecked(&fscache_n_object_alloc);
46453
46454 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46455
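Review bot: `object->debug_id = atomic_inc_return(&fscache_object_debug_id);` at the end of this hunk still uses the checked atomic, while the same patch turns the parallel id generator `fscache_op_debug_id` in fs/fscache/operation.c into an `atomic_unchecked_t`. Both look like ever-increasing debug ids rather than reference counts, so if the checked type is subject to overflow detection, this one could trip it on ordinary wrap-around on a long-running system. If that reading is right, convert it the same way, `object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);`, together with its definition and declaration. Otherwise add a comment saying why this counter stays checked. fscache_alloc_object starts and ends outside the hunk.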
46456 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46457 struct fscache_object *object;
46458 struct hlist_node *_p;
46459
46460 - fscache_stat(&fscache_n_updates);
46461 + fscache_stat_unchecked(&fscache_n_updates);
46462
46463 if (!cookie) {
46464 - fscache_stat(&fscache_n_updates_null);
46465 + fscache_stat_unchecked(&fscache_n_updates_null);
46466 _leave(" [no cookie]");
46467 return;
46468 }
46469 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46470 struct fscache_object *object;
46471 unsigned long event;
46472
46473 - fscache_stat(&fscache_n_relinquishes);
46474 + fscache_stat_unchecked(&fscache_n_relinquishes);
46475 if (retire)
46476 - fscache_stat(&fscache_n_relinquishes_retire);
46477 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46478
46479 if (!cookie) {
46480 - fscache_stat(&fscache_n_relinquishes_null);
46481 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
46482 _leave(" [no cookie]");
46483 return;
46484 }
46485 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46486
46487 /* wait for the cookie to finish being instantiated (or to fail) */
46488 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46489 - fscache_stat(&fscache_n_relinquishes_waitcrt);
46490 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46491 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46492 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46493 }
46494 diff -urNp linux-2.6.39.2/fs/fscache/internal.h linux-2.6.39.2/fs/fscache/internal.h
46495 --- linux-2.6.39.2/fs/fscache/internal.h 2011-05-19 00:06:34.000000000 -0400
46496 +++ linux-2.6.39.2/fs/fscache/internal.h 2011-05-22 19:36:32.000000000 -0400
46497 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
46498 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46499 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46500
46501 -extern atomic_t fscache_n_op_pend;
46502 -extern atomic_t fscache_n_op_run;
46503 -extern atomic_t fscache_n_op_enqueue;
46504 -extern atomic_t fscache_n_op_deferred_release;
46505 -extern atomic_t fscache_n_op_release;
46506 -extern atomic_t fscache_n_op_gc;
46507 -extern atomic_t fscache_n_op_cancelled;
46508 -extern atomic_t fscache_n_op_rejected;
46509 -
46510 -extern atomic_t fscache_n_attr_changed;
46511 -extern atomic_t fscache_n_attr_changed_ok;
46512 -extern atomic_t fscache_n_attr_changed_nobufs;
46513 -extern atomic_t fscache_n_attr_changed_nomem;
46514 -extern atomic_t fscache_n_attr_changed_calls;
46515 -
46516 -extern atomic_t fscache_n_allocs;
46517 -extern atomic_t fscache_n_allocs_ok;
46518 -extern atomic_t fscache_n_allocs_wait;
46519 -extern atomic_t fscache_n_allocs_nobufs;
46520 -extern atomic_t fscache_n_allocs_intr;
46521 -extern atomic_t fscache_n_allocs_object_dead;
46522 -extern atomic_t fscache_n_alloc_ops;
46523 -extern atomic_t fscache_n_alloc_op_waits;
46524 -
46525 -extern atomic_t fscache_n_retrievals;
46526 -extern atomic_t fscache_n_retrievals_ok;
46527 -extern atomic_t fscache_n_retrievals_wait;
46528 -extern atomic_t fscache_n_retrievals_nodata;
46529 -extern atomic_t fscache_n_retrievals_nobufs;
46530 -extern atomic_t fscache_n_retrievals_intr;
46531 -extern atomic_t fscache_n_retrievals_nomem;
46532 -extern atomic_t fscache_n_retrievals_object_dead;
46533 -extern atomic_t fscache_n_retrieval_ops;
46534 -extern atomic_t fscache_n_retrieval_op_waits;
46535 -
46536 -extern atomic_t fscache_n_stores;
46537 -extern atomic_t fscache_n_stores_ok;
46538 -extern atomic_t fscache_n_stores_again;
46539 -extern atomic_t fscache_n_stores_nobufs;
46540 -extern atomic_t fscache_n_stores_oom;
46541 -extern atomic_t fscache_n_store_ops;
46542 -extern atomic_t fscache_n_store_calls;
46543 -extern atomic_t fscache_n_store_pages;
46544 -extern atomic_t fscache_n_store_radix_deletes;
46545 -extern atomic_t fscache_n_store_pages_over_limit;
46546 -
46547 -extern atomic_t fscache_n_store_vmscan_not_storing;
46548 -extern atomic_t fscache_n_store_vmscan_gone;
46549 -extern atomic_t fscache_n_store_vmscan_busy;
46550 -extern atomic_t fscache_n_store_vmscan_cancelled;
46551 -
46552 -extern atomic_t fscache_n_marks;
46553 -extern atomic_t fscache_n_uncaches;
46554 -
46555 -extern atomic_t fscache_n_acquires;
46556 -extern atomic_t fscache_n_acquires_null;
46557 -extern atomic_t fscache_n_acquires_no_cache;
46558 -extern atomic_t fscache_n_acquires_ok;
46559 -extern atomic_t fscache_n_acquires_nobufs;
46560 -extern atomic_t fscache_n_acquires_oom;
46561 -
46562 -extern atomic_t fscache_n_updates;
46563 -extern atomic_t fscache_n_updates_null;
46564 -extern atomic_t fscache_n_updates_run;
46565 -
46566 -extern atomic_t fscache_n_relinquishes;
46567 -extern atomic_t fscache_n_relinquishes_null;
46568 -extern atomic_t fscache_n_relinquishes_waitcrt;
46569 -extern atomic_t fscache_n_relinquishes_retire;
46570 -
46571 -extern atomic_t fscache_n_cookie_index;
46572 -extern atomic_t fscache_n_cookie_data;
46573 -extern atomic_t fscache_n_cookie_special;
46574 -
46575 -extern atomic_t fscache_n_object_alloc;
46576 -extern atomic_t fscache_n_object_no_alloc;
46577 -extern atomic_t fscache_n_object_lookups;
46578 -extern atomic_t fscache_n_object_lookups_negative;
46579 -extern atomic_t fscache_n_object_lookups_positive;
46580 -extern atomic_t fscache_n_object_lookups_timed_out;
46581 -extern atomic_t fscache_n_object_created;
46582 -extern atomic_t fscache_n_object_avail;
46583 -extern atomic_t fscache_n_object_dead;
46584 -
46585 -extern atomic_t fscache_n_checkaux_none;
46586 -extern atomic_t fscache_n_checkaux_okay;
46587 -extern atomic_t fscache_n_checkaux_update;
46588 -extern atomic_t fscache_n_checkaux_obsolete;
46589 +extern atomic_unchecked_t fscache_n_op_pend;
46590 +extern atomic_unchecked_t fscache_n_op_run;
46591 +extern atomic_unchecked_t fscache_n_op_enqueue;
46592 +extern atomic_unchecked_t fscache_n_op_deferred_release;
46593 +extern atomic_unchecked_t fscache_n_op_release;
46594 +extern atomic_unchecked_t fscache_n_op_gc;
46595 +extern atomic_unchecked_t fscache_n_op_cancelled;
46596 +extern atomic_unchecked_t fscache_n_op_rejected;
46597 +
46598 +extern atomic_unchecked_t fscache_n_attr_changed;
46599 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
46600 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46601 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46602 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
46603 +
46604 +extern atomic_unchecked_t fscache_n_allocs;
46605 +extern atomic_unchecked_t fscache_n_allocs_ok;
46606 +extern atomic_unchecked_t fscache_n_allocs_wait;
46607 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
46608 +extern atomic_unchecked_t fscache_n_allocs_intr;
46609 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
46610 +extern atomic_unchecked_t fscache_n_alloc_ops;
46611 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
46612 +
46613 +extern atomic_unchecked_t fscache_n_retrievals;
46614 +extern atomic_unchecked_t fscache_n_retrievals_ok;
46615 +extern atomic_unchecked_t fscache_n_retrievals_wait;
46616 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
46617 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46618 +extern atomic_unchecked_t fscache_n_retrievals_intr;
46619 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
46620 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46621 +extern atomic_unchecked_t fscache_n_retrieval_ops;
46622 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46623 +
46624 +extern atomic_unchecked_t fscache_n_stores;
46625 +extern atomic_unchecked_t fscache_n_stores_ok;
46626 +extern atomic_unchecked_t fscache_n_stores_again;
46627 +extern atomic_unchecked_t fscache_n_stores_nobufs;
46628 +extern atomic_unchecked_t fscache_n_stores_oom;
46629 +extern atomic_unchecked_t fscache_n_store_ops;
46630 +extern atomic_unchecked_t fscache_n_store_calls;
46631 +extern atomic_unchecked_t fscache_n_store_pages;
46632 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
46633 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46634 +
46635 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46636 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46637 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46638 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46639 +
46640 +extern atomic_unchecked_t fscache_n_marks;
46641 +extern atomic_unchecked_t fscache_n_uncaches;
46642 +
46643 +extern atomic_unchecked_t fscache_n_acquires;
46644 +extern atomic_unchecked_t fscache_n_acquires_null;
46645 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
46646 +extern atomic_unchecked_t fscache_n_acquires_ok;
46647 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
46648 +extern atomic_unchecked_t fscache_n_acquires_oom;
46649 +
46650 +extern atomic_unchecked_t fscache_n_updates;
46651 +extern atomic_unchecked_t fscache_n_updates_null;
46652 +extern atomic_unchecked_t fscache_n_updates_run;
46653 +
46654 +extern atomic_unchecked_t fscache_n_relinquishes;
46655 +extern atomic_unchecked_t fscache_n_relinquishes_null;
46656 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46657 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
46658 +
46659 +extern atomic_unchecked_t fscache_n_cookie_index;
46660 +extern atomic_unchecked_t fscache_n_cookie_data;
46661 +extern atomic_unchecked_t fscache_n_cookie_special;
46662 +
46663 +extern atomic_unchecked_t fscache_n_object_alloc;
46664 +extern atomic_unchecked_t fscache_n_object_no_alloc;
46665 +extern atomic_unchecked_t fscache_n_object_lookups;
46666 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
46667 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
46668 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46669 +extern atomic_unchecked_t fscache_n_object_created;
46670 +extern atomic_unchecked_t fscache_n_object_avail;
46671 +extern atomic_unchecked_t fscache_n_object_dead;
46672 +
46673 +extern atomic_unchecked_t fscache_n_checkaux_none;
46674 +extern atomic_unchecked_t fscache_n_checkaux_okay;
46675 +extern atomic_unchecked_t fscache_n_checkaux_update;
46676 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46677
46678 extern atomic_t fscache_n_cop_alloc_object;
46679 extern atomic_t fscache_n_cop_lookup_object;
46680 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
46681 atomic_inc(stat);
46682 }
46683
46684 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46685 +{
46686 + atomic_inc_unchecked(stat);
46687 +}
46688 +
46689 static inline void fscache_stat_d(atomic_t *stat)
46690 {
46691 atomic_dec(stat);
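Review bot: `fscache_stat_unchecked()` is added without a comment saying when to use it instead of `fscache_stat()`, even though most call sites in cookie.c, object.c, operation.c and page.c switch to it. The split that can be seen is that increment-only statistics move to `atomic_unchecked_t`, while the `fscache_n_cop_*` values, which are paired with `fscache_stat_d()`, stay `atomic_t`. A header comment should record that rule, for example `/* increment-only statistics: wrap is harmless, so these are exempt from atomic overflow checking; counters paired with fscache_stat_d() keep using fscache_stat() */`. Without it, a later counter that is actually a reference or in-flight count could be moved to the unchecked helper and lose its overflow protection unnoticed. fscache_stat_d's body continues outside the hunk.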
46692 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
46693
46694 #define __fscache_stat(stat) (NULL)
46695 #define fscache_stat(stat) do {} while (0)
46696 +#define fscache_stat_unchecked(stat) do {} while (0)
46697 #define fscache_stat_d(stat) do {} while (0)
46698 #endif
46699
46700 diff -urNp linux-2.6.39.2/fs/fscache/object.c linux-2.6.39.2/fs/fscache/object.c
46701 --- linux-2.6.39.2/fs/fscache/object.c 2011-05-19 00:06:34.000000000 -0400
46702 +++ linux-2.6.39.2/fs/fscache/object.c 2011-05-22 19:36:32.000000000 -0400
46703 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
46704 /* update the object metadata on disk */
46705 case FSCACHE_OBJECT_UPDATING:
46706 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46707 - fscache_stat(&fscache_n_updates_run);
46708 + fscache_stat_unchecked(&fscache_n_updates_run);
46709 fscache_stat(&fscache_n_cop_update_object);
46710 object->cache->ops->update_object(object);
46711 fscache_stat_d(&fscache_n_cop_update_object);
46712 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
46713 spin_lock(&object->lock);
46714 object->state = FSCACHE_OBJECT_DEAD;
46715 spin_unlock(&object->lock);
46716 - fscache_stat(&fscache_n_object_dead);
46717 + fscache_stat_unchecked(&fscache_n_object_dead);
46718 goto terminal_transit;
46719
46720 /* handle the parent cache of this object being withdrawn from
46721 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
46722 spin_lock(&object->lock);
46723 object->state = FSCACHE_OBJECT_DEAD;
46724 spin_unlock(&object->lock);
46725 - fscache_stat(&fscache_n_object_dead);
46726 + fscache_stat_unchecked(&fscache_n_object_dead);
46727 goto terminal_transit;
46728
46729 /* complain about the object being woken up once it is
46730 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
46731 parent->cookie->def->name, cookie->def->name,
46732 object->cache->tag->name);
46733
46734 - fscache_stat(&fscache_n_object_lookups);
46735 + fscache_stat_unchecked(&fscache_n_object_lookups);
46736 fscache_stat(&fscache_n_cop_lookup_object);
46737 ret = object->cache->ops->lookup_object(object);
46738 fscache_stat_d(&fscache_n_cop_lookup_object);
46739 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
46740 if (ret == -ETIMEDOUT) {
46741 /* probably stuck behind another object, so move this one to
46742 * the back of the queue */
46743 - fscache_stat(&fscache_n_object_lookups_timed_out);
46744 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46745 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46746 }
46747
46748 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
46749
46750 spin_lock(&object->lock);
46751 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46752 - fscache_stat(&fscache_n_object_lookups_negative);
46753 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46754
46755 /* transit here to allow write requests to begin stacking up
46756 * and read requests to begin returning ENODATA */
46757 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
46758 * result, in which case there may be data available */
46759 spin_lock(&object->lock);
46760 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46761 - fscache_stat(&fscache_n_object_lookups_positive);
46762 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46763
46764 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46765
46766 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
46767 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46768 } else {
46769 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46770 - fscache_stat(&fscache_n_object_created);
46771 + fscache_stat_unchecked(&fscache_n_object_created);
46772
46773 object->state = FSCACHE_OBJECT_AVAILABLE;
46774 spin_unlock(&object->lock);
46775 @@ -602,7 +602,7 @@ static void fscache_object_available(str
46776 fscache_enqueue_dependents(object);
46777
46778 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46779 - fscache_stat(&fscache_n_object_avail);
46780 + fscache_stat_unchecked(&fscache_n_object_avail);
46781
46782 _leave("");
46783 }
46784 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46785 enum fscache_checkaux result;
46786
46787 if (!object->cookie->def->check_aux) {
46788 - fscache_stat(&fscache_n_checkaux_none);
46789 + fscache_stat_unchecked(&fscache_n_checkaux_none);
46790 return FSCACHE_CHECKAUX_OKAY;
46791 }
46792
46793 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46794 switch (result) {
46795 /* entry okay as is */
46796 case FSCACHE_CHECKAUX_OKAY:
46797 - fscache_stat(&fscache_n_checkaux_okay);
46798 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
46799 break;
46800
46801 /* entry requires update */
46802 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46803 - fscache_stat(&fscache_n_checkaux_update);
46804 + fscache_stat_unchecked(&fscache_n_checkaux_update);
46805 break;
46806
46807 /* entry requires deletion */
46808 case FSCACHE_CHECKAUX_OBSOLETE:
46809 - fscache_stat(&fscache_n_checkaux_obsolete);
46810 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
46811 break;
46812
46813 default:
46814 diff -urNp linux-2.6.39.2/fs/fscache/operation.c linux-2.6.39.2/fs/fscache/operation.c
46815 --- linux-2.6.39.2/fs/fscache/operation.c 2011-05-19 00:06:34.000000000 -0400
46816 +++ linux-2.6.39.2/fs/fscache/operation.c 2011-05-22 19:36:32.000000000 -0400
46817 @@ -17,7 +17,7 @@
46818 #include <linux/slab.h>
46819 #include "internal.h"
46820
46821 -atomic_t fscache_op_debug_id;
46822 +atomic_unchecked_t fscache_op_debug_id;
46823 EXPORT_SYMBOL(fscache_op_debug_id);
46824
46825 /**
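Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, so changing its type to `atomic_unchecked_t` also changes what every user outside this file must call, and neither its `extern` declaration nor the code that increments it is in this hunk. Confirm that both are converted in the same patch (the increment to `atomic_inc_return_unchecked` or its equivalent), because a leftover `atomic_*` call on it would at best be a pointer-type mismatch. A one-line comment above the definition, such as `/* debug id generator, not a refcount: wrap-around is harmless */`, would explain why this exported atomic is opted out of overflow checking.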
46826 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
46827 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
46828 ASSERTCMP(atomic_read(&op->usage), >, 0);
46829
46830 - fscache_stat(&fscache_n_op_enqueue);
46831 + fscache_stat_unchecked(&fscache_n_op_enqueue);
46832 switch (op->flags & FSCACHE_OP_TYPE) {
46833 case FSCACHE_OP_ASYNC:
46834 _debug("queue async");
46835 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
46836 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
46837 if (op->processor)
46838 fscache_enqueue_operation(op);
46839 - fscache_stat(&fscache_n_op_run);
46840 + fscache_stat_unchecked(&fscache_n_op_run);
46841 }
46842
46843 /*
46844 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
46845 if (object->n_ops > 1) {
46846 atomic_inc(&op->usage);
46847 list_add_tail(&op->pend_link, &object->pending_ops);
46848 - fscache_stat(&fscache_n_op_pend);
46849 + fscache_stat_unchecked(&fscache_n_op_pend);
46850 } else if (!list_empty(&object->pending_ops)) {
46851 atomic_inc(&op->usage);
46852 list_add_tail(&op->pend_link, &object->pending_ops);
46853 - fscache_stat(&fscache_n_op_pend);
46854 + fscache_stat_unchecked(&fscache_n_op_pend);
46855 fscache_start_operations(object);
46856 } else {
46857 ASSERTCMP(object->n_in_progress, ==, 0);
46858 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
46859 object->n_exclusive++; /* reads and writes must wait */
46860 atomic_inc(&op->usage);
46861 list_add_tail(&op->pend_link, &object->pending_ops);
46862 - fscache_stat(&fscache_n_op_pend);
46863 + fscache_stat_unchecked(&fscache_n_op_pend);
46864 ret = 0;
46865 } else {
46866 /* not allowed to submit ops in any other state */
46867 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
46868 if (object->n_exclusive > 0) {
46869 atomic_inc(&op->usage);
46870 list_add_tail(&op->pend_link, &object->pending_ops);
46871 - fscache_stat(&fscache_n_op_pend);
46872 + fscache_stat_unchecked(&fscache_n_op_pend);
46873 } else if (!list_empty(&object->pending_ops)) {
46874 atomic_inc(&op->usage);
46875 list_add_tail(&op->pend_link, &object->pending_ops);
46876 - fscache_stat(&fscache_n_op_pend);
46877 + fscache_stat_unchecked(&fscache_n_op_pend);
46878 fscache_start_operations(object);
46879 } else {
46880 ASSERTCMP(object->n_exclusive, ==, 0);
46881 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
46882 object->n_ops++;
46883 atomic_inc(&op->usage);
46884 list_add_tail(&op->pend_link, &object->pending_ops);
46885 - fscache_stat(&fscache_n_op_pend);
46886 + fscache_stat_unchecked(&fscache_n_op_pend);
46887 ret = 0;
46888 } else if (object->state == FSCACHE_OBJECT_DYING ||
46889 object->state == FSCACHE_OBJECT_LC_DYING ||
46890 object->state == FSCACHE_OBJECT_WITHDRAWING) {
46891 - fscache_stat(&fscache_n_op_rejected);
46892 + fscache_stat_unchecked(&fscache_n_op_rejected);
46893 ret = -ENOBUFS;
46894 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
46895 fscache_report_unexpected_submission(object, op, ostate);
46896 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
46897
46898 ret = -EBUSY;
46899 if (!list_empty(&op->pend_link)) {
46900 - fscache_stat(&fscache_n_op_cancelled);
46901 + fscache_stat_unchecked(&fscache_n_op_cancelled);
46902 list_del_init(&op->pend_link);
46903 object->n_ops--;
46904 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
46905 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
46906 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
46907 BUG();
46908
46909 - fscache_stat(&fscache_n_op_release);
46910 + fscache_stat_unchecked(&fscache_n_op_release);
46911
46912 if (op->release) {
46913 op->release(op);
46914 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
46915 * lock, and defer it otherwise */
46916 if (!spin_trylock(&object->lock)) {
46917 _debug("defer put");
46918 - fscache_stat(&fscache_n_op_deferred_release);
46919 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
46920
46921 cache = object->cache;
46922 spin_lock(&cache->op_gc_list_lock);
46923 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
46924
46925 _debug("GC DEFERRED REL OBJ%x OP%x",
46926 object->debug_id, op->debug_id);
46927 - fscache_stat(&fscache_n_op_gc);
46928 + fscache_stat_unchecked(&fscache_n_op_gc);
46929
46930 ASSERTCMP(atomic_read(&op->usage), ==, 0);
46931
46932 diff -urNp linux-2.6.39.2/fs/fscache/page.c linux-2.6.39.2/fs/fscache/page.c
46933 --- linux-2.6.39.2/fs/fscache/page.c 2011-05-19 00:06:34.000000000 -0400
46934 +++ linux-2.6.39.2/fs/fscache/page.c 2011-05-22 19:36:32.000000000 -0400
46935 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
46936 val = radix_tree_lookup(&cookie->stores, page->index);
46937 if (!val) {
46938 rcu_read_unlock();
46939 - fscache_stat(&fscache_n_store_vmscan_not_storing);
46940 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
46941 __fscache_uncache_page(cookie, page);
46942 return true;
46943 }
46944 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
46945 spin_unlock(&cookie->stores_lock);
46946
46947 if (xpage) {
46948 - fscache_stat(&fscache_n_store_vmscan_cancelled);
46949 - fscache_stat(&fscache_n_store_radix_deletes);
46950 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
46951 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46952 ASSERTCMP(xpage, ==, page);
46953 } else {
46954 - fscache_stat(&fscache_n_store_vmscan_gone);
46955 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
46956 }
46957
46958 wake_up_bit(&cookie->flags, 0);
46959 @@ -107,7 +107,7 @@ page_busy:
46960 /* we might want to wait here, but that could deadlock the allocator as
46961 * the work threads writing to the cache may all end up sleeping
46962 * on memory allocation */
46963 - fscache_stat(&fscache_n_store_vmscan_busy);
46964 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
46965 return false;
46966 }
46967 EXPORT_SYMBOL(__fscache_maybe_release_page);
46968 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
46969 FSCACHE_COOKIE_STORING_TAG);
46970 if (!radix_tree_tag_get(&cookie->stores, page->index,
46971 FSCACHE_COOKIE_PENDING_TAG)) {
46972 - fscache_stat(&fscache_n_store_radix_deletes);
46973 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46974 xpage = radix_tree_delete(&cookie->stores, page->index);
46975 }
46976 spin_unlock(&cookie->stores_lock);
46977 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
46978
46979 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
46980
46981 - fscache_stat(&fscache_n_attr_changed_calls);
46982 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
46983
46984 if (fscache_object_is_active(object)) {
46985 fscache_set_op_state(op, "CallFS");
46986 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
46987
46988 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46989
46990 - fscache_stat(&fscache_n_attr_changed);
46991 + fscache_stat_unchecked(&fscache_n_attr_changed);
46992
46993 op = kzalloc(sizeof(*op), GFP_KERNEL);
46994 if (!op) {
46995 - fscache_stat(&fscache_n_attr_changed_nomem);
46996 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
46997 _leave(" = -ENOMEM");
46998 return -ENOMEM;
46999 }
47000 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47001 if (fscache_submit_exclusive_op(object, op) < 0)
47002 goto nobufs;
47003 spin_unlock(&cookie->lock);
47004 - fscache_stat(&fscache_n_attr_changed_ok);
47005 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47006 fscache_put_operation(op);
47007 _leave(" = 0");
47008 return 0;
47009 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47010 nobufs:
47011 spin_unlock(&cookie->lock);
47012 kfree(op);
47013 - fscache_stat(&fscache_n_attr_changed_nobufs);
47014 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47015 _leave(" = %d", -ENOBUFS);
47016 return -ENOBUFS;
47017 }
47018 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
47019 /* allocate a retrieval operation and attempt to submit it */
47020 op = kzalloc(sizeof(*op), GFP_NOIO);
47021 if (!op) {
47022 - fscache_stat(&fscache_n_retrievals_nomem);
47023 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47024 return NULL;
47025 }
47026
47027 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
47028 return 0;
47029 }
47030
47031 - fscache_stat(&fscache_n_retrievals_wait);
47032 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
47033
47034 jif = jiffies;
47035 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47036 fscache_wait_bit_interruptible,
47037 TASK_INTERRUPTIBLE) != 0) {
47038 - fscache_stat(&fscache_n_retrievals_intr);
47039 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47040 _leave(" = -ERESTARTSYS");
47041 return -ERESTARTSYS;
47042 }
47043 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
47044 */
47045 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47046 struct fscache_retrieval *op,
47047 - atomic_t *stat_op_waits,
47048 - atomic_t *stat_object_dead)
47049 + atomic_unchecked_t *stat_op_waits,
47050 + atomic_unchecked_t *stat_object_dead)
47051 {
47052 int ret;
47053
47054 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
47055 goto check_if_dead;
47056
47057 _debug(">>> WT");
47058 - fscache_stat(stat_op_waits);
47059 + fscache_stat_unchecked(stat_op_waits);
47060 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47061 fscache_wait_bit_interruptible,
47062 TASK_INTERRUPTIBLE) < 0) {
47063 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
47064
47065 check_if_dead:
47066 if (unlikely(fscache_object_is_dead(object))) {
47067 - fscache_stat(stat_object_dead);
47068 + fscache_stat_unchecked(stat_object_dead);
47069 return -ENOBUFS;
47070 }
47071 return 0;
47072 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
47073
47074 _enter("%p,%p,,,", cookie, page);
47075
47076 - fscache_stat(&fscache_n_retrievals);
47077 + fscache_stat_unchecked(&fscache_n_retrievals);
47078
47079 if (hlist_empty(&cookie->backing_objects))
47080 goto nobufs;
47081 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
47082 goto nobufs_unlock;
47083 spin_unlock(&cookie->lock);
47084
47085 - fscache_stat(&fscache_n_retrieval_ops);
47086 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47087
47088 /* pin the netfs read context in case we need to do the actual netfs
47089 * read because we've encountered a cache read failure */
47090 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
47091
47092 error:
47093 if (ret == -ENOMEM)
47094 - fscache_stat(&fscache_n_retrievals_nomem);
47095 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47096 else if (ret == -ERESTARTSYS)
47097 - fscache_stat(&fscache_n_retrievals_intr);
47098 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47099 else if (ret == -ENODATA)
47100 - fscache_stat(&fscache_n_retrievals_nodata);
47101 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47102 else if (ret < 0)
47103 - fscache_stat(&fscache_n_retrievals_nobufs);
47104 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47105 else
47106 - fscache_stat(&fscache_n_retrievals_ok);
47107 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47108
47109 fscache_put_retrieval(op);
47110 _leave(" = %d", ret);
47111 @@ -434,7 +434,7 @@ nobufs_unlock:
47112 spin_unlock(&cookie->lock);
47113 kfree(op);
47114 nobufs:
47115 - fscache_stat(&fscache_n_retrievals_nobufs);
47116 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47117 _leave(" = -ENOBUFS");
47118 return -ENOBUFS;
47119 }
47120 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
47121
47122 _enter("%p,,%d,,,", cookie, *nr_pages);
47123
47124 - fscache_stat(&fscache_n_retrievals);
47125 + fscache_stat_unchecked(&fscache_n_retrievals);
47126
47127 if (hlist_empty(&cookie->backing_objects))
47128 goto nobufs;
47129 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
47130 goto nobufs_unlock;
47131 spin_unlock(&cookie->lock);
47132
47133 - fscache_stat(&fscache_n_retrieval_ops);
47134 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47135
47136 /* pin the netfs read context in case we need to do the actual netfs
47137 * read because we've encountered a cache read failure */
47138 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
47139
47140 error:
47141 if (ret == -ENOMEM)
47142 - fscache_stat(&fscache_n_retrievals_nomem);
47143 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47144 else if (ret == -ERESTARTSYS)
47145 - fscache_stat(&fscache_n_retrievals_intr);
47146 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47147 else if (ret == -ENODATA)
47148 - fscache_stat(&fscache_n_retrievals_nodata);
47149 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47150 else if (ret < 0)
47151 - fscache_stat(&fscache_n_retrievals_nobufs);
47152 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47153 else
47154 - fscache_stat(&fscache_n_retrievals_ok);
47155 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47156
47157 fscache_put_retrieval(op);
47158 _leave(" = %d", ret);
47159 @@ -551,7 +551,7 @@ nobufs_unlock:
47160 spin_unlock(&cookie->lock);
47161 kfree(op);
47162 nobufs:
47163 - fscache_stat(&fscache_n_retrievals_nobufs);
47164 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47165 _leave(" = -ENOBUFS");
47166 return -ENOBUFS;
47167 }
47168 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
47169
47170 _enter("%p,%p,,,", cookie, page);
47171
47172 - fscache_stat(&fscache_n_allocs);
47173 + fscache_stat_unchecked(&fscache_n_allocs);
47174
47175 if (hlist_empty(&cookie->backing_objects))
47176 goto nobufs;
47177 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
47178 goto nobufs_unlock;
47179 spin_unlock(&cookie->lock);
47180
47181 - fscache_stat(&fscache_n_alloc_ops);
47182 + fscache_stat_unchecked(&fscache_n_alloc_ops);
47183
47184 ret = fscache_wait_for_retrieval_activation(
47185 object, op,
47186 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
47187
47188 error:
47189 if (ret == -ERESTARTSYS)
47190 - fscache_stat(&fscache_n_allocs_intr);
47191 + fscache_stat_unchecked(&fscache_n_allocs_intr);
47192 else if (ret < 0)
47193 - fscache_stat(&fscache_n_allocs_nobufs);
47194 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47195 else
47196 - fscache_stat(&fscache_n_allocs_ok);
47197 + fscache_stat_unchecked(&fscache_n_allocs_ok);
47198
47199 fscache_put_retrieval(op);
47200 _leave(" = %d", ret);
47201 @@ -632,7 +632,7 @@ nobufs_unlock:
47202 spin_unlock(&cookie->lock);
47203 kfree(op);
47204 nobufs:
47205 - fscache_stat(&fscache_n_allocs_nobufs);
47206 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47207 _leave(" = -ENOBUFS");
47208 return -ENOBUFS;
47209 }
47210 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
47211
47212 spin_lock(&cookie->stores_lock);
47213
47214 - fscache_stat(&fscache_n_store_calls);
47215 + fscache_stat_unchecked(&fscache_n_store_calls);
47216
47217 /* find a page to store */
47218 page = NULL;
47219 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
47220 page = results[0];
47221 _debug("gang %d [%lx]", n, page->index);
47222 if (page->index > op->store_limit) {
47223 - fscache_stat(&fscache_n_store_pages_over_limit);
47224 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47225 goto superseded;
47226 }
47227
47228 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
47229 spin_unlock(&object->lock);
47230
47231 fscache_set_op_state(&op->op, "Store");
47232 - fscache_stat(&fscache_n_store_pages);
47233 + fscache_stat_unchecked(&fscache_n_store_pages);
47234 fscache_stat(&fscache_n_cop_write_page);
47235 ret = object->cache->ops->write_page(op, page);
47236 fscache_stat_d(&fscache_n_cop_write_page);
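Review bot: Nothing on the new side explains why `fscache_n_store_pages` is bumped with `fscache_stat_unchecked()` while the very next line still uses the checked `fscache_stat(&fscache_n_cop_write_page)`, so the split looks accidental to a later reader. Judging by the `fscache_stat()`/`fscache_stat_d()` pair around `write_page`, the cop counters appear to track in-flight calls and stay overflow-checked, whereas the event totals are allowed to wrap. The same split shows in the fs/fscache/stats.c declarations, where the `fscache_n_cop_*` variables remain `atomic_t`. A one-line comment would record the rule, e.g. `/* event totals may wrap (unchecked); cop in-flight counts stay checked */`. fscache_write_op's body continues outside the hunk.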
47237 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
47238 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47239 ASSERT(PageFsCache(page));
47240
47241 - fscache_stat(&fscache_n_stores);
47242 + fscache_stat_unchecked(&fscache_n_stores);
47243
47244 op = kzalloc(sizeof(*op), GFP_NOIO);
47245 if (!op)
47246 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
47247 spin_unlock(&cookie->stores_lock);
47248 spin_unlock(&object->lock);
47249
47250 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47251 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47252 op->store_limit = object->store_limit;
47253
47254 if (fscache_submit_op(object, &op->op) < 0)
47255 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
47256
47257 spin_unlock(&cookie->lock);
47258 radix_tree_preload_end();
47259 - fscache_stat(&fscache_n_store_ops);
47260 - fscache_stat(&fscache_n_stores_ok);
47261 + fscache_stat_unchecked(&fscache_n_store_ops);
47262 + fscache_stat_unchecked(&fscache_n_stores_ok);
47263
47264 /* the work queue now carries its own ref on the object */
47265 fscache_put_operation(&op->op);
47266 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
47267 return 0;
47268
47269 already_queued:
47270 - fscache_stat(&fscache_n_stores_again);
47271 + fscache_stat_unchecked(&fscache_n_stores_again);
47272 already_pending:
47273 spin_unlock(&cookie->stores_lock);
47274 spin_unlock(&object->lock);
47275 spin_unlock(&cookie->lock);
47276 radix_tree_preload_end();
47277 kfree(op);
47278 - fscache_stat(&fscache_n_stores_ok);
47279 + fscache_stat_unchecked(&fscache_n_stores_ok);
47280 _leave(" = 0");
47281 return 0;
47282
47283 @@ -864,14 +864,14 @@ nobufs:
47284 spin_unlock(&cookie->lock);
47285 radix_tree_preload_end();
47286 kfree(op);
47287 - fscache_stat(&fscache_n_stores_nobufs);
47288 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47289 _leave(" = -ENOBUFS");
47290 return -ENOBUFS;
47291
47292 nomem_free:
47293 kfree(op);
47294 nomem:
47295 - fscache_stat(&fscache_n_stores_oom);
47296 + fscache_stat_unchecked(&fscache_n_stores_oom);
47297 _leave(" = -ENOMEM");
47298 return -ENOMEM;
47299 }
47300 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
47301 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47302 ASSERTCMP(page, !=, NULL);
47303
47304 - fscache_stat(&fscache_n_uncaches);
47305 + fscache_stat_unchecked(&fscache_n_uncaches);
47306
47307 /* cache withdrawal may beat us to it */
47308 if (!PageFsCache(page))
47309 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
47310 unsigned long loop;
47311
47312 #ifdef CONFIG_FSCACHE_STATS
47313 - atomic_add(pagevec->nr, &fscache_n_marks);
47314 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47315 #endif
47316
47317 for (loop = 0; loop < pagevec->nr; loop++) {
47318 diff -urNp linux-2.6.39.2/fs/fscache/stats.c linux-2.6.39.2/fs/fscache/stats.c
47319 --- linux-2.6.39.2/fs/fscache/stats.c 2011-05-19 00:06:34.000000000 -0400
47320 +++ linux-2.6.39.2/fs/fscache/stats.c 2011-05-22 19:36:32.000000000 -0400
47321 @@ -18,95 +18,95 @@
47322 /*
47323 * operation counters
47324 */
47325 -atomic_t fscache_n_op_pend;
47326 -atomic_t fscache_n_op_run;
47327 -atomic_t fscache_n_op_enqueue;
47328 -atomic_t fscache_n_op_requeue;
47329 -atomic_t fscache_n_op_deferred_release;
47330 -atomic_t fscache_n_op_release;
47331 -atomic_t fscache_n_op_gc;
47332 -atomic_t fscache_n_op_cancelled;
47333 -atomic_t fscache_n_op_rejected;
47334 -
47335 -atomic_t fscache_n_attr_changed;
47336 -atomic_t fscache_n_attr_changed_ok;
47337 -atomic_t fscache_n_attr_changed_nobufs;
47338 -atomic_t fscache_n_attr_changed_nomem;
47339 -atomic_t fscache_n_attr_changed_calls;
47340 -
47341 -atomic_t fscache_n_allocs;
47342 -atomic_t fscache_n_allocs_ok;
47343 -atomic_t fscache_n_allocs_wait;
47344 -atomic_t fscache_n_allocs_nobufs;
47345 -atomic_t fscache_n_allocs_intr;
47346 -atomic_t fscache_n_allocs_object_dead;
47347 -atomic_t fscache_n_alloc_ops;
47348 -atomic_t fscache_n_alloc_op_waits;
47349 -
47350 -atomic_t fscache_n_retrievals;
47351 -atomic_t fscache_n_retrievals_ok;
47352 -atomic_t fscache_n_retrievals_wait;
47353 -atomic_t fscache_n_retrievals_nodata;
47354 -atomic_t fscache_n_retrievals_nobufs;
47355 -atomic_t fscache_n_retrievals_intr;
47356 -atomic_t fscache_n_retrievals_nomem;
47357 -atomic_t fscache_n_retrievals_object_dead;
47358 -atomic_t fscache_n_retrieval_ops;
47359 -atomic_t fscache_n_retrieval_op_waits;
47360 -
47361 -atomic_t fscache_n_stores;
47362 -atomic_t fscache_n_stores_ok;
47363 -atomic_t fscache_n_stores_again;
47364 -atomic_t fscache_n_stores_nobufs;
47365 -atomic_t fscache_n_stores_oom;
47366 -atomic_t fscache_n_store_ops;
47367 -atomic_t fscache_n_store_calls;
47368 -atomic_t fscache_n_store_pages;
47369 -atomic_t fscache_n_store_radix_deletes;
47370 -atomic_t fscache_n_store_pages_over_limit;
47371 -
47372 -atomic_t fscache_n_store_vmscan_not_storing;
47373 -atomic_t fscache_n_store_vmscan_gone;
47374 -atomic_t fscache_n_store_vmscan_busy;
47375 -atomic_t fscache_n_store_vmscan_cancelled;
47376 -
47377 -atomic_t fscache_n_marks;
47378 -atomic_t fscache_n_uncaches;
47379 -
47380 -atomic_t fscache_n_acquires;
47381 -atomic_t fscache_n_acquires_null;
47382 -atomic_t fscache_n_acquires_no_cache;
47383 -atomic_t fscache_n_acquires_ok;
47384 -atomic_t fscache_n_acquires_nobufs;
47385 -atomic_t fscache_n_acquires_oom;
47386 -
47387 -atomic_t fscache_n_updates;
47388 -atomic_t fscache_n_updates_null;
47389 -atomic_t fscache_n_updates_run;
47390 -
47391 -atomic_t fscache_n_relinquishes;
47392 -atomic_t fscache_n_relinquishes_null;
47393 -atomic_t fscache_n_relinquishes_waitcrt;
47394 -atomic_t fscache_n_relinquishes_retire;
47395 -
47396 -atomic_t fscache_n_cookie_index;
47397 -atomic_t fscache_n_cookie_data;
47398 -atomic_t fscache_n_cookie_special;
47399 -
47400 -atomic_t fscache_n_object_alloc;
47401 -atomic_t fscache_n_object_no_alloc;
47402 -atomic_t fscache_n_object_lookups;
47403 -atomic_t fscache_n_object_lookups_negative;
47404 -atomic_t fscache_n_object_lookups_positive;
47405 -atomic_t fscache_n_object_lookups_timed_out;
47406 -atomic_t fscache_n_object_created;
47407 -atomic_t fscache_n_object_avail;
47408 -atomic_t fscache_n_object_dead;
47409 -
47410 -atomic_t fscache_n_checkaux_none;
47411 -atomic_t fscache_n_checkaux_okay;
47412 -atomic_t fscache_n_checkaux_update;
47413 -atomic_t fscache_n_checkaux_obsolete;
47414 +atomic_unchecked_t fscache_n_op_pend;
47415 +atomic_unchecked_t fscache_n_op_run;
47416 +atomic_unchecked_t fscache_n_op_enqueue;
47417 +atomic_unchecked_t fscache_n_op_requeue;
47418 +atomic_unchecked_t fscache_n_op_deferred_release;
47419 +atomic_unchecked_t fscache_n_op_release;
47420 +atomic_unchecked_t fscache_n_op_gc;
47421 +atomic_unchecked_t fscache_n_op_cancelled;
47422 +atomic_unchecked_t fscache_n_op_rejected;
47423 +
47424 +atomic_unchecked_t fscache_n_attr_changed;
47425 +atomic_unchecked_t fscache_n_attr_changed_ok;
47426 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47427 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47428 +atomic_unchecked_t fscache_n_attr_changed_calls;
47429 +
47430 +atomic_unchecked_t fscache_n_allocs;
47431 +atomic_unchecked_t fscache_n_allocs_ok;
47432 +atomic_unchecked_t fscache_n_allocs_wait;
47433 +atomic_unchecked_t fscache_n_allocs_nobufs;
47434 +atomic_unchecked_t fscache_n_allocs_intr;
47435 +atomic_unchecked_t fscache_n_allocs_object_dead;
47436 +atomic_unchecked_t fscache_n_alloc_ops;
47437 +atomic_unchecked_t fscache_n_alloc_op_waits;
47438 +
47439 +atomic_unchecked_t fscache_n_retrievals;
47440 +atomic_unchecked_t fscache_n_retrievals_ok;
47441 +atomic_unchecked_t fscache_n_retrievals_wait;
47442 +atomic_unchecked_t fscache_n_retrievals_nodata;
47443 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47444 +atomic_unchecked_t fscache_n_retrievals_intr;
47445 +atomic_unchecked_t fscache_n_retrievals_nomem;
47446 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47447 +atomic_unchecked_t fscache_n_retrieval_ops;
47448 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47449 +
47450 +atomic_unchecked_t fscache_n_stores;
47451 +atomic_unchecked_t fscache_n_stores_ok;
47452 +atomic_unchecked_t fscache_n_stores_again;
47453 +atomic_unchecked_t fscache_n_stores_nobufs;
47454 +atomic_unchecked_t fscache_n_stores_oom;
47455 +atomic_unchecked_t fscache_n_store_ops;
47456 +atomic_unchecked_t fscache_n_store_calls;
47457 +atomic_unchecked_t fscache_n_store_pages;
47458 +atomic_unchecked_t fscache_n_store_radix_deletes;
47459 +atomic_unchecked_t fscache_n_store_pages_over_limit;
47460 +
47461 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47462 +atomic_unchecked_t fscache_n_store_vmscan_gone;
47463 +atomic_unchecked_t fscache_n_store_vmscan_busy;
47464 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47465 +
47466 +atomic_unchecked_t fscache_n_marks;
47467 +atomic_unchecked_t fscache_n_uncaches;
47468 +
47469 +atomic_unchecked_t fscache_n_acquires;
47470 +atomic_unchecked_t fscache_n_acquires_null;
47471 +atomic_unchecked_t fscache_n_acquires_no_cache;
47472 +atomic_unchecked_t fscache_n_acquires_ok;
47473 +atomic_unchecked_t fscache_n_acquires_nobufs;
47474 +atomic_unchecked_t fscache_n_acquires_oom;
47475 +
47476 +atomic_unchecked_t fscache_n_updates;
47477 +atomic_unchecked_t fscache_n_updates_null;
47478 +atomic_unchecked_t fscache_n_updates_run;
47479 +
47480 +atomic_unchecked_t fscache_n_relinquishes;
47481 +atomic_unchecked_t fscache_n_relinquishes_null;
47482 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47483 +atomic_unchecked_t fscache_n_relinquishes_retire;
47484 +
47485 +atomic_unchecked_t fscache_n_cookie_index;
47486 +atomic_unchecked_t fscache_n_cookie_data;
47487 +atomic_unchecked_t fscache_n_cookie_special;
47488 +
47489 +atomic_unchecked_t fscache_n_object_alloc;
47490 +atomic_unchecked_t fscache_n_object_no_alloc;
47491 +atomic_unchecked_t fscache_n_object_lookups;
47492 +atomic_unchecked_t fscache_n_object_lookups_negative;
47493 +atomic_unchecked_t fscache_n_object_lookups_positive;
47494 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
47495 +atomic_unchecked_t fscache_n_object_created;
47496 +atomic_unchecked_t fscache_n_object_avail;
47497 +atomic_unchecked_t fscache_n_object_dead;
47498 +
47499 +atomic_unchecked_t fscache_n_checkaux_none;
47500 +atomic_unchecked_t fscache_n_checkaux_okay;
47501 +atomic_unchecked_t fscache_n_checkaux_update;
47502 +atomic_unchecked_t fscache_n_checkaux_obsolete;
47503
47504 atomic_t fscache_n_cop_alloc_object;
47505 atomic_t fscache_n_cop_lookup_object;
47506 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47507 seq_puts(m, "FS-Cache statistics\n");
47508
47509 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47510 - atomic_read(&fscache_n_cookie_index),
47511 - atomic_read(&fscache_n_cookie_data),
47512 - atomic_read(&fscache_n_cookie_special));
47513 + atomic_read_unchecked(&fscache_n_cookie_index),
47514 + atomic_read_unchecked(&fscache_n_cookie_data),
47515 + atomic_read_unchecked(&fscache_n_cookie_special));
47516
47517 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47518 - atomic_read(&fscache_n_object_alloc),
47519 - atomic_read(&fscache_n_object_no_alloc),
47520 - atomic_read(&fscache_n_object_avail),
47521 - atomic_read(&fscache_n_object_dead));
47522 + atomic_read_unchecked(&fscache_n_object_alloc),
47523 + atomic_read_unchecked(&fscache_n_object_no_alloc),
47524 + atomic_read_unchecked(&fscache_n_object_avail),
47525 + atomic_read_unchecked(&fscache_n_object_dead));
47526 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47527 - atomic_read(&fscache_n_checkaux_none),
47528 - atomic_read(&fscache_n_checkaux_okay),
47529 - atomic_read(&fscache_n_checkaux_update),
47530 - atomic_read(&fscache_n_checkaux_obsolete));
47531 + atomic_read_unchecked(&fscache_n_checkaux_none),
47532 + atomic_read_unchecked(&fscache_n_checkaux_okay),
47533 + atomic_read_unchecked(&fscache_n_checkaux_update),
47534 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47535
47536 seq_printf(m, "Pages : mrk=%u unc=%u\n",
47537 - atomic_read(&fscache_n_marks),
47538 - atomic_read(&fscache_n_uncaches));
47539 + atomic_read_unchecked(&fscache_n_marks),
47540 + atomic_read_unchecked(&fscache_n_uncaches));
47541
47542 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47543 " oom=%u\n",
47544 - atomic_read(&fscache_n_acquires),
47545 - atomic_read(&fscache_n_acquires_null),
47546 - atomic_read(&fscache_n_acquires_no_cache),
47547 - atomic_read(&fscache_n_acquires_ok),
47548 - atomic_read(&fscache_n_acquires_nobufs),
47549 - atomic_read(&fscache_n_acquires_oom));
47550 + atomic_read_unchecked(&fscache_n_acquires),
47551 + atomic_read_unchecked(&fscache_n_acquires_null),
47552 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
47553 + atomic_read_unchecked(&fscache_n_acquires_ok),
47554 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
47555 + atomic_read_unchecked(&fscache_n_acquires_oom));
47556
47557 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47558 - atomic_read(&fscache_n_object_lookups),
47559 - atomic_read(&fscache_n_object_lookups_negative),
47560 - atomic_read(&fscache_n_object_lookups_positive),
47561 - atomic_read(&fscache_n_object_created),
47562 - atomic_read(&fscache_n_object_lookups_timed_out));
47563 + atomic_read_unchecked(&fscache_n_object_lookups),
47564 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
47565 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
47566 + atomic_read_unchecked(&fscache_n_object_created),
47567 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
47568
47569 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47570 - atomic_read(&fscache_n_updates),
47571 - atomic_read(&fscache_n_updates_null),
47572 - atomic_read(&fscache_n_updates_run));
47573 + atomic_read_unchecked(&fscache_n_updates),
47574 + atomic_read_unchecked(&fscache_n_updates_null),
47575 + atomic_read_unchecked(&fscache_n_updates_run));
47576
47577 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47578 - atomic_read(&fscache_n_relinquishes),
47579 - atomic_read(&fscache_n_relinquishes_null),
47580 - atomic_read(&fscache_n_relinquishes_waitcrt),
47581 - atomic_read(&fscache_n_relinquishes_retire));
47582 + atomic_read_unchecked(&fscache_n_relinquishes),
47583 + atomic_read_unchecked(&fscache_n_relinquishes_null),
47584 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47585 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
47586
47587 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47588 - atomic_read(&fscache_n_attr_changed),
47589 - atomic_read(&fscache_n_attr_changed_ok),
47590 - atomic_read(&fscache_n_attr_changed_nobufs),
47591 - atomic_read(&fscache_n_attr_changed_nomem),
47592 - atomic_read(&fscache_n_attr_changed_calls));
47593 + atomic_read_unchecked(&fscache_n_attr_changed),
47594 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
47595 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47596 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47597 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
47598
47599 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47600 - atomic_read(&fscache_n_allocs),
47601 - atomic_read(&fscache_n_allocs_ok),
47602 - atomic_read(&fscache_n_allocs_wait),
47603 - atomic_read(&fscache_n_allocs_nobufs),
47604 - atomic_read(&fscache_n_allocs_intr));
47605 + atomic_read_unchecked(&fscache_n_allocs),
47606 + atomic_read_unchecked(&fscache_n_allocs_ok),
47607 + atomic_read_unchecked(&fscache_n_allocs_wait),
47608 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
47609 + atomic_read_unchecked(&fscache_n_allocs_intr));
47610 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47611 - atomic_read(&fscache_n_alloc_ops),
47612 - atomic_read(&fscache_n_alloc_op_waits),
47613 - atomic_read(&fscache_n_allocs_object_dead));
47614 + atomic_read_unchecked(&fscache_n_alloc_ops),
47615 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
47616 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
47617
47618 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47619 " int=%u oom=%u\n",
47620 - atomic_read(&fscache_n_retrievals),
47621 - atomic_read(&fscache_n_retrievals_ok),
47622 - atomic_read(&fscache_n_retrievals_wait),
47623 - atomic_read(&fscache_n_retrievals_nodata),
47624 - atomic_read(&fscache_n_retrievals_nobufs),
47625 - atomic_read(&fscache_n_retrievals_intr),
47626 - atomic_read(&fscache_n_retrievals_nomem));
47627 + atomic_read_unchecked(&fscache_n_retrievals),
47628 + atomic_read_unchecked(&fscache_n_retrievals_ok),
47629 + atomic_read_unchecked(&fscache_n_retrievals_wait),
47630 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
47631 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47632 + atomic_read_unchecked(&fscache_n_retrievals_intr),
47633 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
47634 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47635 - atomic_read(&fscache_n_retrieval_ops),
47636 - atomic_read(&fscache_n_retrieval_op_waits),
47637 - atomic_read(&fscache_n_retrievals_object_dead));
47638 + atomic_read_unchecked(&fscache_n_retrieval_ops),
47639 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47640 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47641
47642 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47643 - atomic_read(&fscache_n_stores),
47644 - atomic_read(&fscache_n_stores_ok),
47645 - atomic_read(&fscache_n_stores_again),
47646 - atomic_read(&fscache_n_stores_nobufs),
47647 - atomic_read(&fscache_n_stores_oom));
47648 + atomic_read_unchecked(&fscache_n_stores),
47649 + atomic_read_unchecked(&fscache_n_stores_ok),
47650 + atomic_read_unchecked(&fscache_n_stores_again),
47651 + atomic_read_unchecked(&fscache_n_stores_nobufs),
47652 + atomic_read_unchecked(&fscache_n_stores_oom));
47653 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47654 - atomic_read(&fscache_n_store_ops),
47655 - atomic_read(&fscache_n_store_calls),
47656 - atomic_read(&fscache_n_store_pages),
47657 - atomic_read(&fscache_n_store_radix_deletes),
47658 - atomic_read(&fscache_n_store_pages_over_limit));
47659 + atomic_read_unchecked(&fscache_n_store_ops),
47660 + atomic_read_unchecked(&fscache_n_store_calls),
47661 + atomic_read_unchecked(&fscache_n_store_pages),
47662 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
47663 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47664
47665 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47666 - atomic_read(&fscache_n_store_vmscan_not_storing),
47667 - atomic_read(&fscache_n_store_vmscan_gone),
47668 - atomic_read(&fscache_n_store_vmscan_busy),
47669 - atomic_read(&fscache_n_store_vmscan_cancelled));
47670 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47671 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47672 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47673 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47674
47675 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47676 - atomic_read(&fscache_n_op_pend),
47677 - atomic_read(&fscache_n_op_run),
47678 - atomic_read(&fscache_n_op_enqueue),
47679 - atomic_read(&fscache_n_op_cancelled),
47680 - atomic_read(&fscache_n_op_rejected));
47681 + atomic_read_unchecked(&fscache_n_op_pend),
47682 + atomic_read_unchecked(&fscache_n_op_run),
47683 + atomic_read_unchecked(&fscache_n_op_enqueue),
47684 + atomic_read_unchecked(&fscache_n_op_cancelled),
47685 + atomic_read_unchecked(&fscache_n_op_rejected));
47686 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47687 - atomic_read(&fscache_n_op_deferred_release),
47688 - atomic_read(&fscache_n_op_release),
47689 - atomic_read(&fscache_n_op_gc));
47690 + atomic_read_unchecked(&fscache_n_op_deferred_release),
47691 + atomic_read_unchecked(&fscache_n_op_release),
47692 + atomic_read_unchecked(&fscache_n_op_gc));
47693
47694 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47695 atomic_read(&fscache_n_cop_alloc_object),
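Review bot: The `%u` lines now print counters that are explicitly permitted to wrap, and nothing in the output code tells a reader of the statistics that the values are no longer guaranteed to be monotonic totals. A comment above the first `seq_printf` would make that contract visible, e.g. `/* atomic_unchecked_t counters: may wrap silently, do not treat as exact totals */`. The CacheOp line at the end of the hunk still reads `atomic_t` values with `%d`, which matches the declarations left unchanged in this file. fscache_stats_show starts and ends outside the hunk.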
47696 diff -urNp linux-2.6.39.2/fs/fs_struct.c linux-2.6.39.2/fs/fs_struct.c
47697 --- linux-2.6.39.2/fs/fs_struct.c 2011-05-19 00:06:34.000000000 -0400
47698 +++ linux-2.6.39.2/fs/fs_struct.c 2011-05-22 19:41:37.000000000 -0400
47699 @@ -4,6 +4,7 @@
47700 #include <linux/path.h>
47701 #include <linux/slab.h>
47702 #include <linux/fs_struct.h>
47703 +#include <linux/grsecurity.h>
47704 #include "internal.h"
47705
47706 static inline void path_get_longterm(struct path *path)
47707 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
47708 old_root = fs->root;
47709 fs->root = *path;
47710 path_get_longterm(path);
47711 + gr_set_chroot_entries(current, path);
47712 write_seqcount_end(&fs->seq);
47713 spin_unlock(&fs->lock);
47714 if (old_root.dentry)
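Review bot: `gr_set_chroot_entries(current, path)` records the new root for `current` only, yet `fs->root` changes for every task that shares this `fs_struct`. If the hook keeps per-task state (its definition is not in this hunk), tasks sharing `fs` would be left with stale chroot tracking; chroot_fs_refs in the next hunk passes each task `p` explicitly, which suggests the state is per task. The call also sits inside `fs->lock` and the seqcount write section, so the hook must never sleep, and the same holds for the calls added in exit_fs, unshare_fs_struct and daemonize_fs_struct. A comment stating both constraints would help, e.g. `/* per-task chroot state; runs under fs->lock, must not sleep */`. set_fs_root starts before the hunk.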
47715 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
47716 && fs->root.mnt == old_root->mnt) {
47717 path_get_longterm(new_root);
47718 fs->root = *new_root;
47719 + gr_set_chroot_entries(p, new_root);
47720 count++;
47721 }
47722 if (fs->pwd.dentry == old_root->dentry
47723 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
47724 spin_lock(&fs->lock);
47725 write_seqcount_begin(&fs->seq);
47726 tsk->fs = NULL;
47727 - kill = !--fs->users;
47728 + gr_clear_chroot_entries(tsk);
47729 + kill = !atomic_dec_return(&fs->users);
47730 write_seqcount_end(&fs->seq);
47731 spin_unlock(&fs->lock);
47732 task_unlock(tsk);
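Review bot: `fs->users` is now updated with `atomic_dec_return()` although every update still happens with `fs->lock` held, and the hunk does not say what the atomic type is for. If the intent is overflow detection on the reference count (an assumption; the type change itself is in a header outside this view), a short comment such as `/* atomic_t for refcount overflow checking; fs->lock still serialises updates */` would keep a later cleanup from turning it back into a plain int. The same applies to the `atomic_dec_return(&fs->users)` lines in unshare_fs_struct and daemonize_fs_struct. exit_fs starts and ends outside the hunk.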
47733 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
47734 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
47735 /* We don't need to lock fs - think why ;-) */
47736 if (fs) {
47737 - fs->users = 1;
47738 + atomic_set(&fs->users, 1);
47739 fs->in_exec = 0;
47740 spin_lock_init(&fs->lock);
47741 seqcount_init(&fs->seq);
47742 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
47743 spin_lock(&old->lock);
47744 fs->root = old->root;
47745 path_get_longterm(&fs->root);
47746 + /* instead of calling gr_set_chroot_entries here,
47747 + we call it from every caller of this function
47748 + */
47749 fs->pwd = old->pwd;
47750 path_get_longterm(&fs->pwd);
47751 spin_unlock(&old->lock);
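Review bot: The added comment makes every caller of copy_fs_struct responsible for calling `gr_set_chroot_entries`, and nothing enforces it, so a caller that forgets leaves the task's chroot state out of step with the copied `fs->root`. Only one call of that kind is visible on this part of the page (`gr_set_chroot_entries(current, &new_fs->root)` in unshare_fs_struct); any other callers would need to be checked. The obligation belongs in the function's header comment, where callers will read it, and the inline remark could be shortened to kernel style: `/* callers must call gr_set_chroot_entries() for the new fs */`. copy_fs_struct ends outside the hunk.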
47752 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
47753
47754 task_lock(current);
47755 spin_lock(&fs->lock);
47756 - kill = !--fs->users;
47757 + kill = !atomic_dec_return(&fs->users);
47758 current->fs = new_fs;
47759 + gr_set_chroot_entries(current, &new_fs->root);
47760 spin_unlock(&fs->lock);
47761 task_unlock(current);
47762
47763 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
47764
47765 /* to be mentioned only in INIT_TASK */
47766 struct fs_struct init_fs = {
47767 - .users = 1,
47768 + .users = ATOMIC_INIT(1),
47769 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
47770 .seq = SEQCNT_ZERO,
47771 .umask = 0022,
47772 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
47773 task_lock(current);
47774
47775 spin_lock(&init_fs.lock);
47776 - init_fs.users++;
47777 + atomic_inc(&init_fs.users);
47778 spin_unlock(&init_fs.lock);
47779
47780 spin_lock(&fs->lock);
47781 current->fs = &init_fs;
47782 - kill = !--fs->users;
47783 + gr_set_chroot_entries(current, &current->fs->root);
47784 + kill = !atomic_dec_return(&fs->users);
47785 spin_unlock(&fs->lock);
47786
47787 task_unlock(current);
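Review bot: `&current->fs->root` is evaluated after `init_fs.lock` has been dropped and while only the old `fs->lock` is held, so the root handed to `gr_set_chroot_entries` is read without the lock that protects it. Because `current->fs` was set to `&init_fs` on the line before, `gr_set_chroot_entries(current, &init_fs.root);` says the same thing more directly, and placing it inside the `init_fs.lock` section above would read the root under the matching lock. Whether `init_fs.root` can actually change at this point is not visible from the hunk, so this may be only a clarity issue. daemonize_fs_struct starts before the hunk.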
47788 diff -urNp linux-2.6.39.2/fs/fuse/cuse.c linux-2.6.39.2/fs/fuse/cuse.c
47789 --- linux-2.6.39.2/fs/fuse/cuse.c 2011-05-19 00:06:34.000000000 -0400
47790 +++ linux-2.6.39.2/fs/fuse/cuse.c 2011-05-22 19:36:32.000000000 -0400
47791 @@ -538,8 +538,18 @@ static int cuse_channel_release(struct i
47792 return rc;
47793 }
47794
47795 -static struct file_operations cuse_channel_fops; /* initialized during init */
47796 -
47797 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
47798 + .owner = THIS_MODULE,
47799 + .llseek = no_llseek,
47800 + .read = do_sync_read,
47801 + .aio_read = fuse_dev_read,
47802 + .write = do_sync_write,
47803 + .aio_write = fuse_dev_write,
47804 + .poll = fuse_dev_poll,
47805 + .open = cuse_channel_open,
47806 + .release = cuse_channel_release,
47807 + .fasync = fuse_dev_fasync,
47808 +};
47809
47810 /**************************************************************************
47811 * Misc stuff and module initializatiion
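Review bot: The initializer copies the handlers of `fuse_dev_operations` by hand, where the removed init code assigned the whole structure, so any member of `fuse_dev_operations` that is not listed here is silently dropped for CUSE channels. dev.c defines `fuse_dev_splice_read` and `fuse_dev_splice_write` (both appear in its hunks further down); if `fuse_dev_operations` sets them, this table no longer does, and the two tables can drift apart on later changes. The trailing comment `/* initialized during init */` is also stale now that the table is a compile-time constant; `/* copy of fuse_dev_operations with cuse .open/.release; keep in sync */` would be accurate.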
47812 @@ -585,12 +595,6 @@ static int __init cuse_init(void)
47813 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
47814 INIT_LIST_HEAD(&cuse_conntbl[i]);
47815
47816 - /* inherit and extend fuse_dev_operations */
47817 - cuse_channel_fops = fuse_dev_operations;
47818 - cuse_channel_fops.owner = THIS_MODULE;
47819 - cuse_channel_fops.open = cuse_channel_open;
47820 - cuse_channel_fops.release = cuse_channel_release;
47821 -
47822 cuse_class = class_create(THIS_MODULE, "cuse");
47823 if (IS_ERR(cuse_class))
47824 return PTR_ERR(cuse_class);
47825 diff -urNp linux-2.6.39.2/fs/fuse/dev.c linux-2.6.39.2/fs/fuse/dev.c
47826 --- linux-2.6.39.2/fs/fuse/dev.c 2011-05-19 00:06:34.000000000 -0400
47827 +++ linux-2.6.39.2/fs/fuse/dev.c 2011-05-22 19:36:32.000000000 -0400
47828 @@ -1181,7 +1181,7 @@ static ssize_t fuse_dev_do_read(struct f
47829 return err;
47830 }
47831
47832 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47833 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47834 unsigned long nr_segs, loff_t pos)
47835 {
47836 struct fuse_copy_state cs;
47837 @@ -1195,6 +1195,8 @@ static ssize_t fuse_dev_read(struct kioc
47838 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
47839 }
47840
47841 +EXPORT_SYMBOL_GPL(fuse_dev_read);
47842 +
47843 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
47844 struct pipe_buffer *buf)
47845 {
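Review bot: The new `EXPORT_SYMBOL_GPL(fuse_dev_read);` is separated from its function by a blank line, whereas the existing `EXPORT_SYMBOL_GPL(fuse_dev_release);` in this file follows the closing brace directly; the new exports should match. This also applies to `fuse_dev_write`, `fuse_dev_poll` and `fuse_dev_fasync` in the later hunks. The four functions lose `static` and join the module's exported interface only so that cuse.c can name them in a const table, which deserves a comment beside the declarations in fuse_i.h, e.g. `/* exported for the cuse_channel_fops table in cuse.c */`.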
47846 @@ -1238,7 +1240,7 @@ static ssize_t fuse_dev_splice_read(stru
47847 ret = 0;
47848 pipe_lock(pipe);
47849
47850 - if (!pipe->readers) {
47851 + if (!atomic_read(&pipe->readers)) {
47852 send_sig(SIGPIPE, current, 0);
47853 if (!ret)
47854 ret = -EPIPE;
47855 @@ -1731,7 +1733,7 @@ static ssize_t fuse_dev_do_write(struct
47856 return err;
47857 }
47858
47859 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47860 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47861 unsigned long nr_segs, loff_t pos)
47862 {
47863 struct fuse_copy_state cs;
47864 @@ -1744,6 +1746,8 @@ static ssize_t fuse_dev_write(struct kio
47865 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
47866 }
47867
47868 +EXPORT_SYMBOL_GPL(fuse_dev_write);
47869 +
47870 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
47871 struct file *out, loff_t *ppos,
47872 size_t len, unsigned int flags)
47873 @@ -1822,7 +1826,7 @@ out:
47874 return ret;
47875 }
47876
47877 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
47878 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
47879 {
47880 unsigned mask = POLLOUT | POLLWRNORM;
47881 struct fuse_conn *fc = fuse_get_conn(file);
47882 @@ -1841,6 +1845,8 @@ static unsigned fuse_dev_poll(struct fil
47883 return mask;
47884 }
47885
47886 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
47887 +
47888 /*
47889 * Abort all requests on the given list (pending or processing)
47890 *
47891 @@ -1977,7 +1983,7 @@ int fuse_dev_release(struct inode *inode
47892 }
47893 EXPORT_SYMBOL_GPL(fuse_dev_release);
47894
47895 -static int fuse_dev_fasync(int fd, struct file *file, int on)
47896 +int fuse_dev_fasync(int fd, struct file *file, int on)
47897 {
47898 struct fuse_conn *fc = fuse_get_conn(file);
47899 if (!fc)
47900 @@ -1987,6 +1993,8 @@ static int fuse_dev_fasync(int fd, struc
47901 return fasync_helper(fd, file, on, &fc->fasync);
47902 }
47903
47904 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
47905 +
47906 const struct file_operations fuse_dev_operations = {
47907 .owner = THIS_MODULE,
47908 .llseek = no_llseek,
47909 diff -urNp linux-2.6.39.2/fs/fuse/dir.c linux-2.6.39.2/fs/fuse/dir.c
47910 --- linux-2.6.39.2/fs/fuse/dir.c 2011-05-19 00:06:34.000000000 -0400
47911 +++ linux-2.6.39.2/fs/fuse/dir.c 2011-05-22 19:36:32.000000000 -0400
47912 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
47913 return link;
47914 }
47915
47916 -static void free_link(char *link)
47917 +static void free_link(const char *link)
47918 {
47919 if (!IS_ERR(link))
47920 free_page((unsigned long) link);
47921 diff -urNp linux-2.6.39.2/fs/fuse/fuse_i.h linux-2.6.39.2/fs/fuse/fuse_i.h
47922 --- linux-2.6.39.2/fs/fuse/fuse_i.h 2011-05-19 00:06:34.000000000 -0400
47923 +++ linux-2.6.39.2/fs/fuse/fuse_i.h 2011-05-22 19:36:32.000000000 -0400
47924 @@ -540,6 +540,16 @@ extern const struct file_operations fuse
47925
47926 extern const struct dentry_operations fuse_dentry_operations;
47927
47928 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47929 + unsigned long nr_segs, loff_t pos);
47930 +
47931 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
47932 + unsigned long nr_segs, loff_t pos);
47933 +
47934 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
47935 +
47936 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
47937 +
47938 /**
47939 * Inode to nodeid comparison.
47940 */
47941 diff -urNp linux-2.6.39.2/fs/gfs2/ops_inode.c linux-2.6.39.2/fs/gfs2/ops_inode.c
47942 --- linux-2.6.39.2/fs/gfs2/ops_inode.c 2011-05-19 00:06:34.000000000 -0400
47943 +++ linux-2.6.39.2/fs/gfs2/ops_inode.c 2011-05-22 19:36:32.000000000 -0400
47944 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
47945 unsigned int x;
47946 int error;
47947
47948 + pax_track_stack();
47949 +
47950 if (ndentry->d_inode) {
47951 nip = GFS2_I(ndentry->d_inode);
47952 if (ip == nip)
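Review bot: The bare `pax_track_stack();` call carries no hint of why gfs2_rename qualifies, and the same uncommented call is added in the hfsplus, jbd, jffs2, lockd, logfs, ncpfs and renameat hunks further down. Presumably these are functions with large on-stack locals (the ncpfs hunks show `__u8 __name[NCP_MAXPATHLEN + 1]` right above the call), but nothing in the patch states the criterion, so a reviewer cannot tell when a call is missing or has become stale. A one-line comment such as `/* large stack frame: record depth for stack tracking */`, or a documented size threshold in one place, would make the instrumentation auditable. Placement also varies: in ncp_create_new and jffs2_build_xattr_subsystem the call comes after the first statement rather than directly after the declarations. The body of gfs2_rename starts and ends outside this hunk.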
47953 @@ -1019,7 +1021,7 @@ out:
47954
47955 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
47956 {
47957 - char *s = nd_get_link(nd);
47958 + const char *s = nd_get_link(nd);
47959 if (!IS_ERR(s))
47960 kfree(s);
47961 }
47962 diff -urNp linux-2.6.39.2/fs/hfsplus/catalog.c linux-2.6.39.2/fs/hfsplus/catalog.c
47963 --- linux-2.6.39.2/fs/hfsplus/catalog.c 2011-05-19 00:06:34.000000000 -0400
47964 +++ linux-2.6.39.2/fs/hfsplus/catalog.c 2011-05-22 19:36:32.000000000 -0400
47965 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
47966 int err;
47967 u16 type;
47968
47969 + pax_track_stack();
47970 +
47971 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
47972 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
47973 if (err)
47974 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
47975 int entry_size;
47976 int err;
47977
47978 + pax_track_stack();
47979 +
47980 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
47981 str->name, cnid, inode->i_nlink);
47982 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
47983 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
47984 int entry_size, type;
47985 int err = 0;
47986
47987 + pax_track_stack();
47988 +
47989 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
47990 cnid, src_dir->i_ino, src_name->name,
47991 dst_dir->i_ino, dst_name->name);
47992 diff -urNp linux-2.6.39.2/fs/hfsplus/dir.c linux-2.6.39.2/fs/hfsplus/dir.c
47993 --- linux-2.6.39.2/fs/hfsplus/dir.c 2011-05-19 00:06:34.000000000 -0400
47994 +++ linux-2.6.39.2/fs/hfsplus/dir.c 2011-05-22 19:36:32.000000000 -0400
47995 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
47996 struct hfsplus_readdir_data *rd;
47997 u16 type;
47998
47999 + pax_track_stack();
48000 +
48001 if (filp->f_pos >= inode->i_size)
48002 return 0;
48003
48004 diff -urNp linux-2.6.39.2/fs/hfsplus/inode.c linux-2.6.39.2/fs/hfsplus/inode.c
48005 --- linux-2.6.39.2/fs/hfsplus/inode.c 2011-05-19 00:06:34.000000000 -0400
48006 +++ linux-2.6.39.2/fs/hfsplus/inode.c 2011-05-22 19:36:32.000000000 -0400
48007 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
48008 int res = 0;
48009 u16 type;
48010
48011 + pax_track_stack();
48012 +
48013 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48014
48015 HFSPLUS_I(inode)->linkid = 0;
48016 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
48017 struct hfs_find_data fd;
48018 hfsplus_cat_entry entry;
48019
48020 + pax_track_stack();
48021 +
48022 if (HFSPLUS_IS_RSRC(inode))
48023 main_inode = HFSPLUS_I(inode)->rsrc_inode;
48024
48025 diff -urNp linux-2.6.39.2/fs/hfsplus/ioctl.c linux-2.6.39.2/fs/hfsplus/ioctl.c
48026 --- linux-2.6.39.2/fs/hfsplus/ioctl.c 2011-05-19 00:06:34.000000000 -0400
48027 +++ linux-2.6.39.2/fs/hfsplus/ioctl.c 2011-05-22 19:36:32.000000000 -0400
48028 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
48029 struct hfsplus_cat_file *file;
48030 int res;
48031
48032 + pax_track_stack();
48033 +
48034 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48035 return -EOPNOTSUPP;
48036
48037 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48038 struct hfsplus_cat_file *file;
48039 ssize_t res = 0;
48040
48041 + pax_track_stack();
48042 +
48043 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48044 return -EOPNOTSUPP;
48045
48046 diff -urNp linux-2.6.39.2/fs/hfsplus/super.c linux-2.6.39.2/fs/hfsplus/super.c
48047 --- linux-2.6.39.2/fs/hfsplus/super.c 2011-05-19 00:06:34.000000000 -0400
48048 +++ linux-2.6.39.2/fs/hfsplus/super.c 2011-05-22 19:36:32.000000000 -0400
48049 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
48050 struct nls_table *nls = NULL;
48051 int err;
48052
48053 + pax_track_stack();
48054 +
48055 err = -EINVAL;
48056 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48057 if (!sbi)
48058 diff -urNp linux-2.6.39.2/fs/hugetlbfs/inode.c linux-2.6.39.2/fs/hugetlbfs/inode.c
48059 --- linux-2.6.39.2/fs/hugetlbfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48060 +++ linux-2.6.39.2/fs/hugetlbfs/inode.c 2011-05-22 19:41:37.000000000 -0400
48061 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
48062 .kill_sb = kill_litter_super,
48063 };
48064
48065 -static struct vfsmount *hugetlbfs_vfsmount;
48066 +struct vfsmount *hugetlbfs_vfsmount;
48067
48068 static int can_do_hugetlb_shm(void)
48069 {
48070 diff -urNp linux-2.6.39.2/fs/inode.c linux-2.6.39.2/fs/inode.c
48071 --- linux-2.6.39.2/fs/inode.c 2011-05-19 00:06:34.000000000 -0400
48072 +++ linux-2.6.39.2/fs/inode.c 2011-05-22 19:36:32.000000000 -0400
48073 @@ -862,8 +862,8 @@ unsigned int get_next_ino(void)
48074
48075 #ifdef CONFIG_SMP
48076 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
48077 - static atomic_t shared_last_ino;
48078 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
48079 + static atomic_unchecked_t shared_last_ino;
48080 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
48081
48082 res = next - LAST_INO_BATCH;
48083 }
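Review bot: The switch of `shared_last_ino` to `atomic_unchecked_t` / `atomic_add_return_unchecked()` is not accompanied by a comment saying that wraparound is acceptable here, and the `nlm_cookie` conversion in fs/lockd/clntproc.c has the same gap. The `_unchecked` variants presumably opt the counter out of overflow detection, which is only safe for values that are not reference counts. Stating that at the declaration, e.g. `/* inode-number batch counter, not a refcount: wrap is harmless */`, keeps a later reader from copying the pattern onto a real refcount. get_next_ino() starts and ends outside this hunk.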
48084 diff -urNp linux-2.6.39.2/fs/jbd/checkpoint.c linux-2.6.39.2/fs/jbd/checkpoint.c
48085 --- linux-2.6.39.2/fs/jbd/checkpoint.c 2011-05-19 00:06:34.000000000 -0400
48086 +++ linux-2.6.39.2/fs/jbd/checkpoint.c 2011-05-22 19:36:32.000000000 -0400
48087 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
48088 tid_t this_tid;
48089 int result;
48090
48091 + pax_track_stack();
48092 +
48093 jbd_debug(1, "Start checkpoint\n");
48094
48095 /*
48096 diff -urNp linux-2.6.39.2/fs/jffs2/compr_rtime.c linux-2.6.39.2/fs/jffs2/compr_rtime.c
48097 --- linux-2.6.39.2/fs/jffs2/compr_rtime.c 2011-05-19 00:06:34.000000000 -0400
48098 +++ linux-2.6.39.2/fs/jffs2/compr_rtime.c 2011-05-22 19:36:32.000000000 -0400
48099 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48100 int outpos = 0;
48101 int pos=0;
48102
48103 + pax_track_stack();
48104 +
48105 memset(positions,0,sizeof(positions));
48106
48107 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48108 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
48109 int outpos = 0;
48110 int pos=0;
48111
48112 + pax_track_stack();
48113 +
48114 memset(positions,0,sizeof(positions));
48115
48116 while (outpos<destlen) {
48117 diff -urNp linux-2.6.39.2/fs/jffs2/compr_rubin.c linux-2.6.39.2/fs/jffs2/compr_rubin.c
48118 --- linux-2.6.39.2/fs/jffs2/compr_rubin.c 2011-05-19 00:06:34.000000000 -0400
48119 +++ linux-2.6.39.2/fs/jffs2/compr_rubin.c 2011-05-22 19:36:32.000000000 -0400
48120 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48121 int ret;
48122 uint32_t mysrclen, mydstlen;
48123
48124 + pax_track_stack();
48125 +
48126 mysrclen = *sourcelen;
48127 mydstlen = *dstlen - 8;
48128
48129 diff -urNp linux-2.6.39.2/fs/jffs2/erase.c linux-2.6.39.2/fs/jffs2/erase.c
48130 --- linux-2.6.39.2/fs/jffs2/erase.c 2011-05-19 00:06:34.000000000 -0400
48131 +++ linux-2.6.39.2/fs/jffs2/erase.c 2011-05-22 19:36:32.000000000 -0400
48132 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
48133 struct jffs2_unknown_node marker = {
48134 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48135 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48136 - .totlen = cpu_to_je32(c->cleanmarker_size)
48137 + .totlen = cpu_to_je32(c->cleanmarker_size),
48138 + .hdr_crc = cpu_to_je32(0)
48139 };
48140
48141 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48142 diff -urNp linux-2.6.39.2/fs/jffs2/wbuf.c linux-2.6.39.2/fs/jffs2/wbuf.c
48143 --- linux-2.6.39.2/fs/jffs2/wbuf.c 2011-05-19 00:06:34.000000000 -0400
48144 +++ linux-2.6.39.2/fs/jffs2/wbuf.c 2011-05-22 19:36:32.000000000 -0400
48145 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48146 {
48147 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48148 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48149 - .totlen = constant_cpu_to_je32(8)
48150 + .totlen = constant_cpu_to_je32(8),
48151 + .hdr_crc = constant_cpu_to_je32(0)
48152 };
48153
48154 /*
48155 diff -urNp linux-2.6.39.2/fs/jffs2/xattr.c linux-2.6.39.2/fs/jffs2/xattr.c
48156 --- linux-2.6.39.2/fs/jffs2/xattr.c 2011-05-19 00:06:34.000000000 -0400
48157 +++ linux-2.6.39.2/fs/jffs2/xattr.c 2011-05-22 19:36:32.000000000 -0400
48158 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48159
48160 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48161
48162 + pax_track_stack();
48163 +
48164 /* Phase.1 : Merge same xref */
48165 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48166 xref_tmphash[i] = NULL;
48167 diff -urNp linux-2.6.39.2/fs/jfs/super.c linux-2.6.39.2/fs/jfs/super.c
48168 --- linux-2.6.39.2/fs/jfs/super.c 2011-05-19 00:06:34.000000000 -0400
48169 +++ linux-2.6.39.2/fs/jfs/super.c 2011-06-07 18:07:24.000000000 -0400
48170 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
48171
48172 jfs_inode_cachep =
48173 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48174 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48175 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48176 init_once);
48177 if (jfs_inode_cachep == NULL)
48178 return -ENOMEM;
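Review bot: `SLAB_USERCOPY` is set on the whole `jfs_ip` cache without naming which member of `struct jfs_inode_info` is actually copied to or from userland. If the flag whitelists every object in the cache for user copies, as the name suggests, it also exposes the unrelated fields of the inode info to any copy that miscomputes its length. Elsewhere in this patch (dcache_readdir, vfs_readlink) short strings are bounced through a stack buffer instead, which is the narrower option. At minimum add a comment at the flag, e.g. `/* SLAB_USERCOPY: <member> is handed to copy_to_user() by <caller> */`, with the real member and caller filled in.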
48179 diff -urNp linux-2.6.39.2/fs/Kconfig.binfmt linux-2.6.39.2/fs/Kconfig.binfmt
48180 --- linux-2.6.39.2/fs/Kconfig.binfmt 2011-05-19 00:06:34.000000000 -0400
48181 +++ linux-2.6.39.2/fs/Kconfig.binfmt 2011-05-22 19:36:32.000000000 -0400
48182 @@ -86,7 +86,7 @@ config HAVE_AOUT
48183
48184 config BINFMT_AOUT
48185 tristate "Kernel support for a.out and ECOFF binaries"
48186 - depends on HAVE_AOUT
48187 + depends on HAVE_AOUT && BROKEN
48188 ---help---
48189 A.out (Assembler.OUTput) is a set of formats for libraries and
48190 executables used in the earliest versions of UNIX. Linux used
48191 diff -urNp linux-2.6.39.2/fs/libfs.c linux-2.6.39.2/fs/libfs.c
48192 --- linux-2.6.39.2/fs/libfs.c 2011-05-19 00:06:34.000000000 -0400
48193 +++ linux-2.6.39.2/fs/libfs.c 2011-05-22 19:36:32.000000000 -0400
48194 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
48195
48196 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48197 struct dentry *next;
48198 + char d_name[sizeof(next->d_iname)];
48199 + const unsigned char *name;
48200 +
48201 next = list_entry(p, struct dentry, d_u.d_child);
48202 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
48203 if (!simple_positive(next)) {
48204 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
48205
48206 spin_unlock(&next->d_lock);
48207 spin_unlock(&dentry->d_lock);
48208 - if (filldir(dirent, next->d_name.name,
48209 + name = next->d_name.name;
48210 + if (name == next->d_iname) {
48211 + memcpy(d_name, name, next->d_name.len);
48212 + name = d_name;
48213 + }
48214 + if (filldir(dirent, name,
48215 next->d_name.len, filp->f_pos,
48216 next->d_inode->i_ino,
48217 dt_type(next->d_inode)) < 0)
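Review bot: The `memcpy(d_name, name, next->d_name.len)` into the new stack buffer is sized by a field that is read after both `next->d_lock` and `dentry->d_lock` have been released. It stays within `sizeof(d_name)` only through the unstated invariant that `name == next->d_iname` implies a name short enough for the inline buffer. That is probably kept stable by locking held outside this hunk, but the upstream unlocked read could at worst over-read, whereas here it sizes a stack write. Reading the length once into a local before the unlock, and using that local for both the memcpy and the `filldir()` call, would make the bound explicit. The purpose of the bounce copy also deserves a comment at the declaration, e.g. `/* inline names live inside the dentry object; copy to the stack before filldir hands them to userland */`, if that is indeed the reason. dcache_readdir starts and ends outside these two hunks.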
48218 diff -urNp linux-2.6.39.2/fs/lockd/clntproc.c linux-2.6.39.2/fs/lockd/clntproc.c
48219 --- linux-2.6.39.2/fs/lockd/clntproc.c 2011-05-19 00:06:34.000000000 -0400
48220 +++ linux-2.6.39.2/fs/lockd/clntproc.c 2011-05-22 19:36:32.000000000 -0400
48221 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48222 /*
48223 * Cookie counter for NLM requests
48224 */
48225 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48226 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48227
48228 void nlmclnt_next_cookie(struct nlm_cookie *c)
48229 {
48230 - u32 cookie = atomic_inc_return(&nlm_cookie);
48231 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48232
48233 memcpy(c->data, &cookie, 4);
48234 c->len=4;
48235 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48236 struct nlm_rqst reqst, *req;
48237 int status;
48238
48239 + pax_track_stack();
48240 +
48241 req = &reqst;
48242 memset(req, 0, sizeof(*req));
48243 locks_init_lock(&req->a_args.lock.fl);
48244 diff -urNp linux-2.6.39.2/fs/lockd/svc.c linux-2.6.39.2/fs/lockd/svc.c
48245 --- linux-2.6.39.2/fs/lockd/svc.c 2011-05-19 00:06:34.000000000 -0400
48246 +++ linux-2.6.39.2/fs/lockd/svc.c 2011-05-22 19:36:32.000000000 -0400
48247 @@ -41,7 +41,7 @@
48248
48249 static struct svc_program nlmsvc_program;
48250
48251 -struct nlmsvc_binding * nlmsvc_ops;
48252 +const struct nlmsvc_binding * nlmsvc_ops;
48253 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48254
48255 static DEFINE_MUTEX(nlmsvc_mutex);
48256 diff -urNp linux-2.6.39.2/fs/locks.c linux-2.6.39.2/fs/locks.c
48257 --- linux-2.6.39.2/fs/locks.c 2011-05-19 00:06:34.000000000 -0400
48258 +++ linux-2.6.39.2/fs/locks.c 2011-05-22 19:36:32.000000000 -0400
48259 @@ -2033,16 +2033,16 @@ void locks_remove_flock(struct file *fil
48260 return;
48261
48262 if (filp->f_op && filp->f_op->flock) {
48263 - struct file_lock fl = {
48264 + struct file_lock flock = {
48265 .fl_pid = current->tgid,
48266 .fl_file = filp,
48267 .fl_flags = FL_FLOCK,
48268 .fl_type = F_UNLCK,
48269 .fl_end = OFFSET_MAX,
48270 };
48271 - filp->f_op->flock(filp, F_SETLKW, &fl);
48272 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48273 - fl.fl_ops->fl_release_private(&fl);
48274 + filp->f_op->flock(filp, F_SETLKW, &flock);
48275 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48276 + flock.fl_ops->fl_release_private(&flock);
48277 }
48278
48279 lock_flocks();
48280 diff -urNp linux-2.6.39.2/fs/logfs/super.c linux-2.6.39.2/fs/logfs/super.c
48281 --- linux-2.6.39.2/fs/logfs/super.c 2011-05-19 00:06:34.000000000 -0400
48282 +++ linux-2.6.39.2/fs/logfs/super.c 2011-05-22 19:36:32.000000000 -0400
48283 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
48284 struct logfs_disk_super _ds1, *ds1 = &_ds1;
48285 int err, valid0, valid1;
48286
48287 + pax_track_stack();
48288 +
48289 /* read first superblock */
48290 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
48291 if (err)
48292 diff -urNp linux-2.6.39.2/fs/namei.c linux-2.6.39.2/fs/namei.c
48293 --- linux-2.6.39.2/fs/namei.c 2011-06-03 00:04:14.000000000 -0400
48294 +++ linux-2.6.39.2/fs/namei.c 2011-06-03 00:32:07.000000000 -0400
48295 @@ -237,20 +237,30 @@ int generic_permission(struct inode *ino
48296 return ret;
48297
48298 /*
48299 - * Read/write DACs are always overridable.
48300 - * Executable DACs are overridable if at least one exec bit is set.
48301 + * Searching includes executable on directories, else just read.
48302 */
48303 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48304 - if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48305 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48306 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
48307 +#ifdef CONFIG_GRKERNSEC
48308 + if (flags & IPERM_FLAG_RCU)
48309 + return -ECHILD;
48310 +#endif
48311 + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48312 return 0;
48313 + }
48314
48315 /*
48316 - * Searching includes executable on directories, else just read.
48317 + * Read/write DACs are always overridable.
48318 + * Executable DACs are overridable if at least one exec bit is set.
48319 */
48320 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48321 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
48322 - if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48323 + if (!(mask & MAY_EXEC) || execute_ok(inode)) {
48324 +#ifdef CONFIG_GRKERNSEC
48325 + if (flags & IPERM_FLAG_RCU)
48326 + return -ECHILD;
48327 +#endif
48328 + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48329 return 0;
48330 + }
48331
48332 return -EACCES;
48333 }
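Review bot: The `if (flags & IPERM_FLAG_RCU) return -ECHILD;` bail-out under `CONFIG_GRKERNSEC` is added twice in this hunk and a third time in the exec_permission hunk below, each time without a comment explaining why capability checks must drop out of RCU-walk. Presumably `ns_capable()` gains logging or policy work that is not safe in RCU mode, but that has to be guessed. A one-line comment at each site, e.g. `/* grsec capability checks may log: leave RCU-walk first */`, or a small static inline helper wrapping the test, would remove the triplication. The hunk also silently swaps the order so that `CAP_DAC_READ_SEARCH` is tried before `CAP_DAC_OVERRIDE`; if that ordering matters, for example for which capability use gets logged, it should be stated in the block comment. The start of generic_permission is outside the hunk.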
48334 @@ -626,6 +636,9 @@ static inline int handle_reval_path(stru
48335 struct dentry *dentry = nd->path.dentry;
48336 int status;
48337
48338 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48339 + return -ENOENT;
48340 +
48341 if (likely(!(nd->flags & LOOKUP_JUMPED)))
48342 return 0;
48343
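Review bot: The added `return -ENOENT;` exits without releasing `nd->path`, and the same shape recurs in the do_path_lookup hunk further down, where the early return sits inside `if (likely(!retval))`, i.e. after the lookup has succeeded. If callers drop the path only when the function reports success, which is the usual convention though the callers are outside these hunks, each denied lookup would leak a dentry and vfsmount reference. Suggest `path_put(&nd->path);` before both returns. In do_path_lookup the early return also bypasses the `audit_inode()` call that follows, so denied lookups are never seen by audit. The remainder of handle_reval_path is outside this hunk, so check how its existing failure path releases the reference.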
48344 @@ -671,9 +684,16 @@ static inline int exec_permission(struct
48345 if (ret == -ECHILD)
48346 return ret;
48347
48348 - if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
48349 - ns_capable(ns, CAP_DAC_READ_SEARCH))
48350 + if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
48351 goto ok;
48352 + else {
48353 +#ifdef CONFIG_GRKERNSEC
48354 + if (flags & IPERM_FLAG_RCU)
48355 + return -ECHILD;
48356 +#endif
48357 + if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
48358 + goto ok;
48359 + }
48360
48361 return ret;
48362 ok:
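Review bot: In the new `else` branch `ns_capable(ns, CAP_DAC_OVERRIDE)` is evaluated immediately after `ns_capable_nolog(ns, CAP_DAC_OVERRIDE)` has returned false, which reads as dead code unless the two variants can disagree. If the second call exists only so that the capability use gets logged, or is re-evaluated once RCU-walk has been left, say so in a comment, e.g. `/* retry with logging once we are out of RCU-walk */`. The `if (...) goto ok; else { ... }` shape is also harder to read than dropping the `else` after the `goto` and keeping the fallback at function level. The start of exec_permission is outside the hunk.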
48363 @@ -781,11 +801,19 @@ follow_link(struct path *link, struct na
48364 return error;
48365 }
48366
48367 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
48368 + dentry->d_inode, dentry, nd->path.mnt)) {
48369 + error = -EACCES;
48370 + *p = ERR_PTR(error); /* no ->put_link(), please */
48371 + path_put(&nd->path);
48372 + return error;
48373 + }
48374 +
48375 nd->last_type = LAST_BIND;
48376 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
48377 error = PTR_ERR(*p);
48378 if (!IS_ERR(*p)) {
48379 - char *s = nd_get_link(nd);
48380 + const char *s = nd_get_link(nd);
48381 error = 0;
48382 if (s)
48383 error = __vfs_follow_link(nd, s);
48384 @@ -1697,6 +1725,9 @@ static int do_path_lookup(int dfd, const
48385 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
48386
48387 if (likely(!retval)) {
48388 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48389 + return -ENOENT;
48390 +
48391 if (unlikely(!audit_dummy_context())) {
48392 if (nd->path.dentry && nd->inode)
48393 audit_inode(name, nd->path.dentry);
48394 @@ -2007,6 +2038,30 @@ int vfs_create(struct inode *dir, struct
48395 return error;
48396 }
48397
48398 +/*
48399 + * Note that while the flag value (low two bits) for sys_open means:
48400 + * 00 - read-only
48401 + * 01 - write-only
48402 + * 10 - read-write
48403 + * 11 - special
48404 + * it is changed into
48405 + * 00 - no permissions needed
48406 + * 01 - read-permission
48407 + * 10 - write-permission
48408 + * 11 - read-write
48409 + * for the internal routines (ie open_namei()/follow_link() etc)
48410 + * This is more logical, and also allows the 00 "no perm needed"
48411 + * to be used for symlinks (where the permissions are checked
48412 + * later).
48413 + *
48414 +*/
48415 +static inline int open_to_namei_flags(int flag)
48416 +{
48417 + if ((flag+1) & O_ACCMODE)
48418 + flag++;
48419 + return flag;
48420 +}
48421 +
48422 static int may_open(struct path *path, int acc_mode, int flag)
48423 {
48424 struct dentry *dentry = path->dentry;
48425 @@ -2059,7 +2114,27 @@ static int may_open(struct path *path, i
48426 /*
48427 * Ensure there are no outstanding leases on the file.
48428 */
48429 - return break_lease(inode, flag);
48430 + error = break_lease(inode, flag);
48431 +
48432 + if (error)
48433 + return error;
48434 +
48435 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48436 + error = -EPERM;
48437 + goto exit;
48438 + }
48439 +
48440 + if (gr_handle_rawio(inode)) {
48441 + error = -EPERM;
48442 + goto exit;
48443 + }
48444 +
48445 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
48446 + error = -EACCES;
48447 + goto exit;
48448 + }
48449 +exit:
48450 + return error;
48451 }
48452
48453 static int handle_truncate(struct file *filp)
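Review bot: The three grsecurity checks run only after `break_lease(inode, flag)` has already returned, so an open that policy then refuses with -EPERM or -EACCES has still broken, or waited on, outstanding leases on the file. Unless that ordering is deliberate, the denials should come first so that a refused open has no side effect. The `exit:` label is followed only by `return error;`, so the three `goto exit` statements can be plain returns. The beginning of may_open is outside this hunk.

```c
	/* … unchanged: earlier may_open checks … */

	/* policy denials first, so a refused open never touches leases */
	if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
		return -EPERM;

	if (gr_handle_rawio(inode))
		return -EPERM;

	if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag)))
		return -EACCES;

	/*
	 * Ensure there are no outstanding leases on the file.
	 */
	return break_lease(inode, flag);
```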
48454 @@ -2085,30 +2160,6 @@ static int handle_truncate(struct file *
48455 }
48456
48457 /*
48458 - * Note that while the flag value (low two bits) for sys_open means:
48459 - * 00 - read-only
48460 - * 01 - write-only
48461 - * 10 - read-write
48462 - * 11 - special
48463 - * it is changed into
48464 - * 00 - no permissions needed
48465 - * 01 - read-permission
48466 - * 10 - write-permission
48467 - * 11 - read-write
48468 - * for the internal routines (ie open_namei()/follow_link() etc)
48469 - * This is more logical, and also allows the 00 "no perm needed"
48470 - * to be used for symlinks (where the permissions are checked
48471 - * later).
48472 - *
48473 -*/
48474 -static inline int open_to_namei_flags(int flag)
48475 -{
48476 - if ((flag+1) & O_ACCMODE)
48477 - flag++;
48478 - return flag;
48479 -}
48480 -
48481 -/*
48482 * Handle the last step of open()
48483 */
48484 static struct file *do_last(struct nameidata *nd, struct path *path,
48485 @@ -2117,6 +2168,7 @@ static struct file *do_last(struct namei
48486 struct dentry *dir = nd->path.dentry;
48487 struct dentry *dentry;
48488 int open_flag = op->open_flag;
48489 + int flag = open_to_namei_flags(open_flag);
48490 int will_truncate = open_flag & O_TRUNC;
48491 int want_write = 0;
48492 int acc_mode = op->acc_mode;
48493 @@ -2212,6 +2264,12 @@ static struct file *do_last(struct namei
48494 /* Negative dentry, just create the file */
48495 if (!dentry->d_inode) {
48496 int mode = op->mode;
48497 +
48498 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
48499 + error = -EACCES;
48500 + goto exit_mutex_unlock;
48501 + }
48502 +
48503 if (!IS_POSIXACL(dir->d_inode))
48504 mode &= ~current_umask();
48505 /*
48506 @@ -2235,6 +2293,8 @@ static struct file *do_last(struct namei
48507 error = vfs_create(dir->d_inode, dentry, mode, nd);
48508 if (error)
48509 goto exit_mutex_unlock;
48510 + else
48511 + gr_handle_create(path->dentry, path->mnt);
48512 mutex_unlock(&dir->d_inode->i_mutex);
48513 dput(nd->path.dentry);
48514 nd->path.dentry = dentry;
48515 @@ -2244,6 +2304,14 @@ static struct file *do_last(struct namei
48516 /*
48517 * It already exists.
48518 */
48519 +
48520 + /* only check if O_CREAT is specified, all other checks need to go
48521 + into may_open */
48522 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
48523 + error = -EACCES;
48524 + goto exit_mutex_unlock;
48525 + }
48526 +
48527 mutex_unlock(&dir->d_inode->i_mutex);
48528 audit_inode(pathname, path->dentry);
48529
48530 @@ -2530,6 +2598,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48531 error = may_mknod(mode);
48532 if (error)
48533 goto out_dput;
48534 +
48535 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48536 + error = -EPERM;
48537 + goto out_dput;
48538 + }
48539 +
48540 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48541 + error = -EACCES;
48542 + goto out_dput;
48543 + }
48544 +
48545 error = mnt_want_write(nd.path.mnt);
48546 if (error)
48547 goto out_dput;
48548 @@ -2550,6 +2629,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48549 }
48550 out_drop_write:
48551 mnt_drop_write(nd.path.mnt);
48552 +
48553 + if (!error)
48554 + gr_handle_create(dentry, nd.path.mnt);
48555 out_dput:
48556 dput(dentry);
48557 out_unlock:
48558 @@ -2602,6 +2684,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48559 if (IS_ERR(dentry))
48560 goto out_unlock;
48561
48562 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48563 + error = -EACCES;
48564 + goto out_dput;
48565 + }
48566 +
48567 if (!IS_POSIXACL(nd.path.dentry->d_inode))
48568 mode &= ~current_umask();
48569 error = mnt_want_write(nd.path.mnt);
48570 @@ -2613,6 +2700,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48571 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48572 out_drop_write:
48573 mnt_drop_write(nd.path.mnt);
48574 +
48575 + if (!error)
48576 + gr_handle_create(dentry, nd.path.mnt);
48577 +
48578 out_dput:
48579 dput(dentry);
48580 out_unlock:
48581 @@ -2692,6 +2783,8 @@ static long do_rmdir(int dfd, const char
48582 char * name;
48583 struct dentry *dentry;
48584 struct nameidata nd;
48585 + ino_t saved_ino = 0;
48586 + dev_t saved_dev = 0;
48587
48588 error = user_path_parent(dfd, pathname, &nd, &name);
48589 if (error)
48590 @@ -2716,6 +2809,19 @@ static long do_rmdir(int dfd, const char
48591 error = PTR_ERR(dentry);
48592 if (IS_ERR(dentry))
48593 goto exit2;
48594 +
48595 + if (dentry->d_inode != NULL) {
48596 + if (dentry->d_inode->i_nlink <= 1) {
48597 + saved_ino = dentry->d_inode->i_ino;
48598 + saved_dev = gr_get_dev_from_dentry(dentry);
48599 + }
48600 +
48601 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48602 + error = -EACCES;
48603 + goto exit3;
48604 + }
48605 + }
48606 +
48607 error = mnt_want_write(nd.path.mnt);
48608 if (error)
48609 goto exit3;
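Review bot: The condition `dentry->d_inode->i_nlink <= 1` looks copied from the unlink path and may never be true for a directory. On many filesystems an empty directory has a link count of 2, in which case `saved_ino` and `saved_dev` stay 0 and the `gr_handle_delete()` call in the next hunk is skipped after a successful rmdir. Please confirm against the filesystems this is meant to cover; if the intent is to record every removed directory, capture the inode and device unconditionally. Using 0 for both values as the "nothing saved" sentinel would also benefit from a comment or an explicit flag. do_rmdir starts and ends outside this hunk.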
48610 @@ -2723,6 +2829,8 @@ static long do_rmdir(int dfd, const char
48611 if (error)
48612 goto exit4;
48613 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48614 + if (!error && (saved_dev || saved_ino))
48615 + gr_handle_delete(saved_ino, saved_dev);
48616 exit4:
48617 mnt_drop_write(nd.path.mnt);
48618 exit3:
48619 @@ -2785,6 +2893,8 @@ static long do_unlinkat(int dfd, const c
48620 struct dentry *dentry;
48621 struct nameidata nd;
48622 struct inode *inode = NULL;
48623 + ino_t saved_ino = 0;
48624 + dev_t saved_dev = 0;
48625
48626 error = user_path_parent(dfd, pathname, &nd, &name);
48627 if (error)
48628 @@ -2804,8 +2914,17 @@ static long do_unlinkat(int dfd, const c
48629 if (nd.last.name[nd.last.len])
48630 goto slashes;
48631 inode = dentry->d_inode;
48632 - if (inode)
48633 + if (inode) {
48634 ihold(inode);
48635 + if (inode->i_nlink <= 1) {
48636 + saved_ino = inode->i_ino;
48637 + saved_dev = gr_get_dev_from_dentry(dentry);
48638 + }
48639 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48640 + error = -EACCES;
48641 + goto exit2;
48642 + }
48643 + }
48644 error = mnt_want_write(nd.path.mnt);
48645 if (error)
48646 goto exit2;
48647 @@ -2813,6 +2932,8 @@ static long do_unlinkat(int dfd, const c
48648 if (error)
48649 goto exit3;
48650 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48651 + if (!error && (saved_ino || saved_dev))
48652 + gr_handle_delete(saved_ino, saved_dev);
48653 exit3:
48654 mnt_drop_write(nd.path.mnt);
48655 exit2:
48656 @@ -2890,6 +3011,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48657 if (IS_ERR(dentry))
48658 goto out_unlock;
48659
48660 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48661 + error = -EACCES;
48662 + goto out_dput;
48663 + }
48664 +
48665 error = mnt_want_write(nd.path.mnt);
48666 if (error)
48667 goto out_dput;
48668 @@ -2897,6 +3023,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48669 if (error)
48670 goto out_drop_write;
48671 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48672 + if (!error)
48673 + gr_handle_create(dentry, nd.path.mnt);
48674 out_drop_write:
48675 mnt_drop_write(nd.path.mnt);
48676 out_dput:
48677 @@ -3005,6 +3133,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48678 error = PTR_ERR(new_dentry);
48679 if (IS_ERR(new_dentry))
48680 goto out_unlock;
48681 +
48682 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48683 + old_path.dentry->d_inode,
48684 + old_path.dentry->d_inode->i_mode, to)) {
48685 + error = -EACCES;
48686 + goto out_dput;
48687 + }
48688 +
48689 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48690 + old_path.dentry, old_path.mnt, to)) {
48691 + error = -EACCES;
48692 + goto out_dput;
48693 + }
48694 +
48695 error = mnt_want_write(nd.path.mnt);
48696 if (error)
48697 goto out_dput;
48698 @@ -3012,6 +3154,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48699 if (error)
48700 goto out_drop_write;
48701 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48702 + if (!error)
48703 + gr_handle_create(new_dentry, nd.path.mnt);
48704 out_drop_write:
48705 mnt_drop_write(nd.path.mnt);
48706 out_dput:
48707 @@ -3189,6 +3333,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48708 char *to;
48709 int error;
48710
48711 + pax_track_stack();
48712 +
48713 error = user_path_parent(olddfd, oldname, &oldnd, &from);
48714 if (error)
48715 goto exit;
48716 @@ -3245,6 +3391,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48717 if (new_dentry == trap)
48718 goto exit5;
48719
48720 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48721 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
48722 + to);
48723 + if (error)
48724 + goto exit5;
48725 +
48726 error = mnt_want_write(oldnd.path.mnt);
48727 if (error)
48728 goto exit5;
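Review bot: `gr_acl_handle_rename()` is used here as an errno-returning call (`error = ...; if (error) goto exit5;`), while every other `gr_acl_handle_*` call added to this file is tested with `!` as an allow/deny result and mapped to -EACCES at the call site. The mixed convention makes an inverted check easy to introduce when these hooks are touched later. Add a comment at this call, e.g. `/* returns 0 or -errno, unlike the boolean gr_acl_handle_* hooks */`, or align the helper with the others. The last argument of `gr_handle_rename()` in the following hunk, `new_dentry->d_inode ? 1 : 0`, is evaluated after `vfs_rename()` has succeeded and also deserves a comment on what it signals.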
48729 @@ -3254,6 +3406,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48730 goto exit6;
48731 error = vfs_rename(old_dir->d_inode, old_dentry,
48732 new_dir->d_inode, new_dentry);
48733 + if (!error)
48734 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48735 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48736 exit6:
48737 mnt_drop_write(oldnd.path.mnt);
48738 exit5:
48739 @@ -3279,6 +3434,8 @@ SYSCALL_DEFINE2(rename, const char __use
48740
48741 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48742 {
48743 + char tmpbuf[64];
48744 + const char *newlink;
48745 int len;
48746
48747 len = PTR_ERR(link);
48748 @@ -3288,7 +3445,14 @@ int vfs_readlink(struct dentry *dentry,
48749 len = strlen(link);
48750 if (len > (unsigned) buflen)
48751 len = buflen;
48752 - if (copy_to_user(buffer, link, len))
48753 +
48754 + if (len < sizeof(tmpbuf)) {
48755 + memcpy(tmpbuf, link, len);
48756 + newlink = tmpbuf;
48757 + } else
48758 + newlink = link;
48759 +
48760 + if (copy_to_user(buffer, newlink, len))
48761 len = -EFAULT;
48762 out:
48763 return len;
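Review bot: The bounce through `tmpbuf` has neither a comment nor a named constant: `char tmpbuf[64]` is a magic size and nothing says why short links are copied to the stack before `copy_to_user()`. Presumably short link strings can live inside a slab object that is not whitelisted for user copies, but then the threshold should be tied to that object's inline size rather than a literal 64. Links of 64 bytes or more still go to `copy_to_user()` straight from `link`, which should be stated as intentional. `len < sizeof(tmpbuf)` compares an `int` with a `size_t`; it is safe only because `len` is non-negative at this point, which is worth a comment or a cast. Kernel style also wants braces on the `else` arm when the `if` arm has them. The start of vfs_readlink is in the previous hunk.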
48764 diff -urNp linux-2.6.39.2/fs/namespace.c linux-2.6.39.2/fs/namespace.c
48765 --- linux-2.6.39.2/fs/namespace.c 2011-05-19 00:06:34.000000000 -0400
48766 +++ linux-2.6.39.2/fs/namespace.c 2011-05-22 20:43:58.000000000 -0400
48767 @@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
48768 if (!(sb->s_flags & MS_RDONLY))
48769 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48770 up_write(&sb->s_umount);
48771 +
48772 + gr_log_remount(mnt->mnt_devname, retval);
48773 +
48774 return retval;
48775 }
48776
48777 @@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
48778 br_write_unlock(vfsmount_lock);
48779 up_write(&namespace_sem);
48780 release_mounts(&umount_list);
48781 +
48782 + gr_log_unmount(mnt->mnt_devname, retval);
48783 +
48784 return retval;
48785 }
48786
48787 @@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
48788 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
48789 MS_STRICTATIME);
48790
48791 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48792 + retval = -EPERM;
48793 + goto dput_out;
48794 + }
48795 +
48796 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48797 + retval = -EPERM;
48798 + goto dput_out;
48799 + }
48800 +
48801 if (flags & MS_REMOUNT)
48802 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48803 data_page);
48804 @@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
48805 dev_name, data_page);
48806 dput_out:
48807 path_put(&path);
48808 +
48809 + gr_log_mount(dev_name, dir_name, retval);
48810 +
48811 return retval;
48812 }
48813
48814 @@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
48815 if (error)
48816 goto out2;
48817
48818 + if (gr_handle_chroot_pivot()) {
48819 + error = -EPERM;
48820 + goto out2;
48821 + }
48822 +
48823 get_fs_root(current->fs, &root);
48824 error = lock_mount(&old);
48825 if (error)
48826 diff -urNp linux-2.6.39.2/fs/ncpfs/dir.c linux-2.6.39.2/fs/ncpfs/dir.c
48827 --- linux-2.6.39.2/fs/ncpfs/dir.c 2011-05-19 00:06:34.000000000 -0400
48828 +++ linux-2.6.39.2/fs/ncpfs/dir.c 2011-05-22 19:36:32.000000000 -0400
48829 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
48830 int res, val = 0, len;
48831 __u8 __name[NCP_MAXPATHLEN + 1];
48832
48833 + pax_track_stack();
48834 +
48835 if (dentry == dentry->d_sb->s_root)
48836 return 1;
48837
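Review bot: The `pax_track_stack();` calls added in this file carry no comment, and their placement is inconsistent. Here, and in the ncp_lookup, ncp_mkdir and ncp_rename hunks, the call directly follows the local declarations, but in the ncp_create_new hunk it sits after the `PPRINTK` statement. Each of these functions declares or uses an on-stack `__name[NCP_MAXPATHLEN + 1]`-style buffer, which is presumably why they were picked. A one-line comment such as `/* large on-stack name buffer: record stack depth for PaX */` and a uniform position as the first statement would make the selection criterion reviewable. All of these function bodies continue outside their hunks.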
48838 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
48839 int error, res, len;
48840 __u8 __name[NCP_MAXPATHLEN + 1];
48841
48842 + pax_track_stack();
48843 +
48844 error = -EIO;
48845 if (!ncp_conn_valid(server))
48846 goto finished;
48847 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
48848 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
48849 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
48850
48851 + pax_track_stack();
48852 +
48853 ncp_age_dentry(server, dentry);
48854 len = sizeof(__name);
48855 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
48856 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
48857 int error, len;
48858 __u8 __name[NCP_MAXPATHLEN + 1];
48859
48860 + pax_track_stack();
48861 +
48862 DPRINTK("ncp_mkdir: making %s/%s\n",
48863 dentry->d_parent->d_name.name, dentry->d_name.name);
48864
48865 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
48866 int old_len, new_len;
48867 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
48868
48869 + pax_track_stack();
48870 +
48871 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
48872 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
48873 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
48874 diff -urNp linux-2.6.39.2/fs/ncpfs/inode.c linux-2.6.39.2/fs/ncpfs/inode.c
48875 --- linux-2.6.39.2/fs/ncpfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48876 +++ linux-2.6.39.2/fs/ncpfs/inode.c 2011-05-22 19:36:32.000000000 -0400
48877 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
48878 #endif
48879 struct ncp_entry_info finfo;
48880
48881 + pax_track_stack();
48882 +
48883 data.wdog_pid = NULL;
48884 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
48885 if (!server)
48886 diff -urNp linux-2.6.39.2/fs/nfs/inode.c linux-2.6.39.2/fs/nfs/inode.c
48887 --- linux-2.6.39.2/fs/nfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48888 +++ linux-2.6.39.2/fs/nfs/inode.c 2011-05-22 19:36:32.000000000 -0400
48889 @@ -999,16 +999,16 @@ static int nfs_size_need_update(const st
48890 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
48891 }
48892
48893 -static atomic_long_t nfs_attr_generation_counter;
48894 +static atomic_long_unchecked_t nfs_attr_generation_counter;
48895
48896 static unsigned long nfs_read_attr_generation_counter(void)
48897 {
48898 - return atomic_long_read(&nfs_attr_generation_counter);
48899 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
48900 }
48901
48902 unsigned long nfs_inc_attr_generation_counter(void)
48903 {
48904 - return atomic_long_inc_return(&nfs_attr_generation_counter);
48905 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
48906 }
48907
48908 void nfs_fattr_init(struct nfs_fattr *fattr)
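Review bot: Switching `nfs_attr_generation_counter` to `atomic_long_unchecked_t` opts it out of overflow checking, but nothing in the hunk records why wrapping is acceptable for this counter. The two accessors only read it and return the incremented value, so it looks like a generation number where wraparound is harmless; that is an inference the author should confirm. A comment on the declaration, e.g. `/* generation counter, not a reference count: wraparound is expected */`, would keep a later reader from copying the `_unchecked` pattern onto a real refcount.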
48909 diff -urNp linux-2.6.39.2/fs/nfs/nfs4proc.c linux-2.6.39.2/fs/nfs/nfs4proc.c
48910 --- linux-2.6.39.2/fs/nfs/nfs4proc.c 2011-06-03 00:04:14.000000000 -0400
48911 +++ linux-2.6.39.2/fs/nfs/nfs4proc.c 2011-06-03 00:32:07.000000000 -0400
48912 @@ -5845,14 +5845,14 @@ struct nfs4_state_recovery_ops nfs41_nog
48913 };
48914 #endif /* CONFIG_NFS_V4_1 */
48915
48916 -struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
48917 +const struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
48918 .sched_state_renewal = nfs4_proc_async_renew,
48919 .get_state_renewal_cred_locked = nfs4_get_renew_cred_locked,
48920 .renew_lease = nfs4_proc_renew,
48921 };
48922
48923 #if defined(CONFIG_NFS_V4_1)
48924 -struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
48925 +const struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
48926 .sched_state_renewal = nfs41_proc_async_sequence,
48927 .get_state_renewal_cred_locked = nfs4_get_machine_cred_locked,
48928 .renew_lease = nfs4_proc_sequence,
48929 diff -urNp linux-2.6.39.2/fs/nfsd/lockd.c linux-2.6.39.2/fs/nfsd/lockd.c
48930 --- linux-2.6.39.2/fs/nfsd/lockd.c 2011-05-19 00:06:34.000000000 -0400
48931 +++ linux-2.6.39.2/fs/nfsd/lockd.c 2011-05-22 19:36:32.000000000 -0400
48932 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
48933 fput(filp);
48934 }
48935
48936 -static struct nlmsvc_binding nfsd_nlm_ops = {
48937 +static const struct nlmsvc_binding nfsd_nlm_ops = {
48938 .fopen = nlm_fopen, /* open file for locking */
48939 .fclose = nlm_fclose, /* close file */
48940 };
48941 diff -urNp linux-2.6.39.2/fs/nfsd/nfs4state.c linux-2.6.39.2/fs/nfsd/nfs4state.c
48942 --- linux-2.6.39.2/fs/nfsd/nfs4state.c 2011-05-19 00:06:34.000000000 -0400
48943 +++ linux-2.6.39.2/fs/nfsd/nfs4state.c 2011-05-22 19:36:32.000000000 -0400
48944 @@ -3784,6 +3784,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
48945 unsigned int strhashval;
48946 int err;
48947
48948 + pax_track_stack();
48949 +
48950 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
48951 (long long) lock->lk_offset,
48952 (long long) lock->lk_length);
48953 diff -urNp linux-2.6.39.2/fs/nfsd/nfs4xdr.c linux-2.6.39.2/fs/nfsd/nfs4xdr.c
48954 --- linux-2.6.39.2/fs/nfsd/nfs4xdr.c 2011-05-19 00:06:34.000000000 -0400
48955 +++ linux-2.6.39.2/fs/nfsd/nfs4xdr.c 2011-05-22 19:36:32.000000000 -0400
48956 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
48957 .dentry = dentry,
48958 };
48959
48960 + pax_track_stack();
48961 +
48962 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
48963 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
48964 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
48965 diff -urNp linux-2.6.39.2/fs/nfsd/nfsctl.c linux-2.6.39.2/fs/nfsd/nfsctl.c
48966 --- linux-2.6.39.2/fs/nfsd/nfsctl.c 2011-05-19 00:06:34.000000000 -0400
48967 +++ linux-2.6.39.2/fs/nfsd/nfsctl.c 2011-05-22 19:36:32.000000000 -0400
48968 @@ -182,7 +182,7 @@ static int export_features_open(struct i
48969 return single_open(file, export_features_show, NULL);
48970 }
48971
48972 -static struct file_operations export_features_operations = {
48973 +static const struct file_operations export_features_operations = {
48974 .open = export_features_open,
48975 .read = seq_read,
48976 .llseek = seq_lseek,
48977 diff -urNp linux-2.6.39.2/fs/nfsd/vfs.c linux-2.6.39.2/fs/nfsd/vfs.c
48978 --- linux-2.6.39.2/fs/nfsd/vfs.c 2011-05-19 00:06:34.000000000 -0400
48979 +++ linux-2.6.39.2/fs/nfsd/vfs.c 2011-05-22 19:36:32.000000000 -0400
48980 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
48981 } else {
48982 oldfs = get_fs();
48983 set_fs(KERNEL_DS);
48984 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
48985 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
48986 set_fs(oldfs);
48987 }
48988
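Review bot: The `(__force struct iovec __user *)vec` cast tells the static checker to accept a kernel pointer where a user pointer is expected, and that is only sound inside the `set_fs(KERNEL_DS)` / `set_fs(oldfs)` bracket visible around the call. The same applies to the `vfs_writev` hunk and to the `(__force char __user *)buf` cast in the nfsd_readlink hunk. A short comment at each site, e.g. `/* kernel buffer; valid only while KERNEL_DS is in effect */`, would make it harder to move the call out of the bracket by accident. The function bodies extend beyond the hunks.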
48989 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
48990
48991 /* Write the data. */
48992 oldfs = get_fs(); set_fs(KERNEL_DS);
48993 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
48994 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
48995 set_fs(oldfs);
48996 if (host_err < 0)
48997 goto out_nfserr;
48998 @@ -1525,7 +1525,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
48999 */
49000
49001 oldfs = get_fs(); set_fs(KERNEL_DS);
49002 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
49003 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
49004 set_fs(oldfs);
49005
49006 if (host_err < 0)
49007 diff -urNp linux-2.6.39.2/fs/nilfs2/segment.c linux-2.6.39.2/fs/nilfs2/segment.c
49008 --- linux-2.6.39.2/fs/nilfs2/segment.c 2011-05-19 00:06:34.000000000 -0400
49009 +++ linux-2.6.39.2/fs/nilfs2/segment.c 2011-05-22 19:36:32.000000000 -0400
49010 @@ -555,7 +555,7 @@ static void nilfs_write_file_node_binfo(
49011 *vblocknr = binfo->bi_v.bi_vblocknr;
49012 }
49013
49014 -static struct nilfs_sc_operations nilfs_sc_file_ops = {
49015 +static const struct nilfs_sc_operations nilfs_sc_file_ops = {
49016 .collect_data = nilfs_collect_file_data,
49017 .collect_node = nilfs_collect_file_node,
49018 .collect_bmap = nilfs_collect_file_bmap,
49019 @@ -604,7 +604,7 @@ static void nilfs_write_dat_node_binfo(s
49020 *binfo_dat = binfo->bi_dat;
49021 }
49022
49023 -static struct nilfs_sc_operations nilfs_sc_dat_ops = {
49024 +static const struct nilfs_sc_operations nilfs_sc_dat_ops = {
49025 .collect_data = nilfs_collect_dat_data,
49026 .collect_node = nilfs_collect_file_node,
49027 .collect_bmap = nilfs_collect_dat_bmap,
49028 @@ -612,7 +612,7 @@ static struct nilfs_sc_operations nilfs_
49029 .write_node_binfo = nilfs_write_dat_node_binfo,
49030 };
49031
49032 -static struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49033 +static const struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49034 .collect_data = nilfs_collect_file_data,
49035 .collect_node = NULL,
49036 .collect_bmap = NULL,
49037 @@ -971,7 +971,7 @@ static size_t nilfs_segctor_buffer_rest(
49038
49039 static int nilfs_segctor_scan_file(struct nilfs_sc_info *sci,
49040 struct inode *inode,
49041 - struct nilfs_sc_operations *sc_ops)
49042 + const struct nilfs_sc_operations *sc_ops)
49043 {
49044 LIST_HEAD(data_buffers);
49045 LIST_HEAD(node_buffers);
49046 @@ -1475,7 +1475,7 @@ nilfs_segctor_update_payload_blocknr(str
49047 sector_t blocknr;
49048 unsigned long nfinfo = segbuf->sb_sum.nfinfo;
49049 unsigned long nblocks = 0, ndatablk = 0;
49050 - struct nilfs_sc_operations *sc_op = NULL;
49051 + const struct nilfs_sc_operations *sc_op = NULL;
49052 struct nilfs_segsum_pointer ssp;
49053 struct nilfs_finfo *finfo = NULL;
49054 union nilfs_binfo binfo;
49055 diff -urNp linux-2.6.39.2/fs/notify/dnotify/dnotify.c linux-2.6.39.2/fs/notify/dnotify/dnotify.c
49056 --- linux-2.6.39.2/fs/notify/dnotify/dnotify.c 2011-05-19 00:06:34.000000000 -0400
49057 +++ linux-2.6.39.2/fs/notify/dnotify/dnotify.c 2011-05-22 19:36:32.000000000 -0400
49058 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
49059 kmem_cache_free(dnotify_mark_cache, dn_mark);
49060 }
49061
49062 -static struct fsnotify_ops dnotify_fsnotify_ops = {
49063 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
49064 .handle_event = dnotify_handle_event,
49065 .should_send_event = dnotify_should_send_event,
49066 .free_group_priv = NULL,
49067 diff -urNp linux-2.6.39.2/fs/notify/notification.c linux-2.6.39.2/fs/notify/notification.c
49068 --- linux-2.6.39.2/fs/notify/notification.c 2011-05-19 00:06:34.000000000 -0400
49069 +++ linux-2.6.39.2/fs/notify/notification.c 2011-05-22 19:36:32.000000000 -0400
49070 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49071 * get set to 0 so it will never get 'freed'
49072 */
49073 static struct fsnotify_event *q_overflow_event;
49074 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49075 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49076
49077 /**
49078 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49079 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49080 */
49081 u32 fsnotify_get_cookie(void)
49082 {
49083 - return atomic_inc_return(&fsnotify_sync_cookie);
49084 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49085 }
49086 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49087
49088 diff -urNp linux-2.6.39.2/fs/ntfs/dir.c linux-2.6.39.2/fs/ntfs/dir.c
49089 --- linux-2.6.39.2/fs/ntfs/dir.c 2011-05-19 00:06:34.000000000 -0400
49090 +++ linux-2.6.39.2/fs/ntfs/dir.c 2011-05-22 19:36:32.000000000 -0400
49091 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
49092 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49093 ~(s64)(ndir->itype.index.block_size - 1)));
49094 /* Bounds checks. */
49095 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49096 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49097 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49098 "inode 0x%lx or driver bug.", vdir->i_ino);
49099 goto err_out;
49100 diff -urNp linux-2.6.39.2/fs/ntfs/file.c linux-2.6.39.2/fs/ntfs/file.c
49101 --- linux-2.6.39.2/fs/ntfs/file.c 2011-05-19 00:06:34.000000000 -0400
49102 +++ linux-2.6.39.2/fs/ntfs/file.c 2011-05-22 19:36:32.000000000 -0400
49103 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
49104 #endif /* NTFS_RW */
49105 };
49106
49107 -const struct file_operations ntfs_empty_file_ops = {};
49108 +const struct file_operations ntfs_empty_file_ops __read_only;
49109
49110 -const struct inode_operations ntfs_empty_inode_ops = {};
49111 +const struct inode_operations ntfs_empty_inode_ops __read_only;
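Review bot: Replacing `= {}` with a bare `__read_only` declaration leaves `ntfs_empty_file_ops` and `ntfs_empty_inode_ops` without an initializer, so their all-NULL contents now rely on zero-initialization of static storage rather than being spelled out. The hunk also combines `const` with an explicit `__read_only` placement, and the reason for needing both is not stated. A comment such as `/* intentionally empty: every operation is NULL */` above the two definitions would keep the intent visible.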
49112 diff -urNp linux-2.6.39.2/fs/ocfs2/cluster/heartbeat.c linux-2.6.39.2/fs/ocfs2/cluster/heartbeat.c
49113 --- linux-2.6.39.2/fs/ocfs2/cluster/heartbeat.c 2011-05-19 00:06:34.000000000 -0400
49114 +++ linux-2.6.39.2/fs/ocfs2/cluster/heartbeat.c 2011-05-22 19:36:32.000000000 -0400
49115 @@ -2261,7 +2261,7 @@ static struct configfs_item_operations o
49116 .store_attribute = o2hb_heartbeat_group_store,
49117 };
49118
49119 -static struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49120 +static const struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49121 .make_item = o2hb_heartbeat_group_make_item,
49122 .drop_item = o2hb_heartbeat_group_drop_item,
49123 };
49124 diff -urNp linux-2.6.39.2/fs/ocfs2/cluster/nodemanager.c linux-2.6.39.2/fs/ocfs2/cluster/nodemanager.c
49125 --- linux-2.6.39.2/fs/ocfs2/cluster/nodemanager.c 2011-05-19 00:06:34.000000000 -0400
49126 +++ linux-2.6.39.2/fs/ocfs2/cluster/nodemanager.c 2011-05-22 19:36:32.000000000 -0400
49127 @@ -752,7 +752,7 @@ static void o2nm_node_group_drop_item(st
49128 config_item_put(item);
49129 }
49130
49131 -static struct configfs_group_operations o2nm_node_group_group_ops = {
49132 +static const struct configfs_group_operations o2nm_node_group_group_ops = {
49133 .make_item = o2nm_node_group_make_item,
49134 .drop_item = o2nm_node_group_drop_item,
49135 };
49136 @@ -869,7 +869,7 @@ static void o2nm_cluster_group_drop_item
49137 config_item_put(item);
49138 }
49139
49140 -static struct configfs_group_operations o2nm_cluster_group_group_ops = {
49141 +static const struct configfs_group_operations o2nm_cluster_group_group_ops = {
49142 .make_group = o2nm_cluster_group_make_group,
49143 .drop_item = o2nm_cluster_group_drop_item,
49144 };
49145 diff -urNp linux-2.6.39.2/fs/ocfs2/localalloc.c linux-2.6.39.2/fs/ocfs2/localalloc.c
49146 --- linux-2.6.39.2/fs/ocfs2/localalloc.c 2011-05-19 00:06:34.000000000 -0400
49147 +++ linux-2.6.39.2/fs/ocfs2/localalloc.c 2011-05-22 19:36:32.000000000 -0400
49148 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
49149 goto bail;
49150 }
49151
49152 - atomic_inc(&osb->alloc_stats.moves);
49153 + atomic_inc_unchecked(&osb->alloc_stats.moves);
49154
49155 bail:
49156 if (handle)
49157 diff -urNp linux-2.6.39.2/fs/ocfs2/namei.c linux-2.6.39.2/fs/ocfs2/namei.c
49158 --- linux-2.6.39.2/fs/ocfs2/namei.c 2011-05-19 00:06:34.000000000 -0400
49159 +++ linux-2.6.39.2/fs/ocfs2/namei.c 2011-05-22 19:36:32.000000000 -0400
49160 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
49161 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49162 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49163
49164 + pax_track_stack();
49165 +
49166 /* At some point it might be nice to break this function up a
49167 * bit. */
49168
49169 diff -urNp linux-2.6.39.2/fs/ocfs2/ocfs2.h linux-2.6.39.2/fs/ocfs2/ocfs2.h
49170 --- linux-2.6.39.2/fs/ocfs2/ocfs2.h 2011-05-19 00:06:34.000000000 -0400
49171 +++ linux-2.6.39.2/fs/ocfs2/ocfs2.h 2011-05-22 19:36:32.000000000 -0400
49172 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
49173
49174 struct ocfs2_alloc_stats
49175 {
49176 - atomic_t moves;
49177 - atomic_t local_data;
49178 - atomic_t bitmap_data;
49179 - atomic_t bg_allocs;
49180 - atomic_t bg_extends;
49181 + atomic_unchecked_t moves;
49182 + atomic_unchecked_t local_data;
49183 + atomic_unchecked_t bitmap_data;
49184 + atomic_unchecked_t bg_allocs;
49185 + atomic_unchecked_t bg_extends;
49186 };
49187
49188 enum ocfs2_local_alloc_state
49189 diff -urNp linux-2.6.39.2/fs/ocfs2/stackglue.h linux-2.6.39.2/fs/ocfs2/stackglue.h
49190 --- linux-2.6.39.2/fs/ocfs2/stackglue.h 2011-05-19 00:06:34.000000000 -0400
49191 +++ linux-2.6.39.2/fs/ocfs2/stackglue.h 2011-05-22 19:36:32.000000000 -0400
49192 @@ -221,13 +221,13 @@ struct ocfs2_stack_operations {
49193 };
49194
49195 /*
49196 - * Each stack plugin must describe itself by registering a
49197 + * Each stack plugin must describe itself by registerin const g a
49198 * ocfs2_stack_plugin structure. This is only seen by stackglue and the
49199 * stack driver.
49200 */
49201 struct ocfs2_stack_plugin {
49202 char *sp_name;
49203 - struct ocfs2_stack_operations *sp_ops;
49204 + const struct ocfs2_stack_operations *sp_ops;
49205 struct module *sp_owner;
49206
49207 /* These are managed by the stackglue code. */
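Review bot: The added comment line `* Each stack plugin must describe itself by registerin const g a` has a stray `const` spliced into the word "registering". It looks as if the `const` meant for the `sp_ops` member was also inserted at the wrong offset. The comment line should stay as `* Each stack plugin must describe itself by registering a`; the change of `sp_ops` to `const struct ocfs2_stack_operations *` further down is the intended edit.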
49208 diff -urNp linux-2.6.39.2/fs/ocfs2/stack_o2cb.c linux-2.6.39.2/fs/ocfs2/stack_o2cb.c
49209 --- linux-2.6.39.2/fs/ocfs2/stack_o2cb.c 2011-05-19 00:06:34.000000000 -0400
49210 +++ linux-2.6.39.2/fs/ocfs2/stack_o2cb.c 2011-06-07 18:07:24.000000000 -0400
49211 @@ -358,7 +358,7 @@ static int o2cb_cluster_this_node(unsign
49212 return 0;
49213 }
49214
49215 -static struct ocfs2_stack_operations o2cb_stack_ops = {
49216 +static const struct ocfs2_stack_operations o2cb_stack_ops = {
49217 .connect = o2cb_cluster_connect,
49218 .disconnect = o2cb_cluster_disconnect,
49219 .this_node = o2cb_cluster_this_node,
49220 diff -urNp linux-2.6.39.2/fs/ocfs2/stack_user.c linux-2.6.39.2/fs/ocfs2/stack_user.c
49221 --- linux-2.6.39.2/fs/ocfs2/stack_user.c 2011-05-19 00:06:34.000000000 -0400
49222 +++ linux-2.6.39.2/fs/ocfs2/stack_user.c 2011-05-22 19:36:32.000000000 -0400
49223 @@ -399,7 +399,7 @@ static int ocfs2_control_do_setversion_m
49224 long major, minor;
49225 char *ptr = NULL;
49226 struct ocfs2_control_private *p = file->private_data;
49227 - struct ocfs2_protocol_version *max =
49228 + const struct ocfs2_protocol_version *max =
49229 &ocfs2_user_plugin.sp_max_proto;
49230
49231 if (ocfs2_control_get_handshake_state(file) !=
49232 @@ -861,7 +861,7 @@ static int user_cluster_this_node(unsign
49233 return 0;
49234 }
49235
49236 -static struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49237 +static const struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49238 .connect = user_cluster_connect,
49239 .disconnect = user_cluster_disconnect,
49240 .this_node = user_cluster_this_node,
49241 diff -urNp linux-2.6.39.2/fs/ocfs2/suballoc.c linux-2.6.39.2/fs/ocfs2/suballoc.c
49242 --- linux-2.6.39.2/fs/ocfs2/suballoc.c 2011-05-19 00:06:34.000000000 -0400
49243 +++ linux-2.6.39.2/fs/ocfs2/suballoc.c 2011-05-22 19:36:32.000000000 -0400
49244 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
49245 mlog_errno(status);
49246 goto bail;
49247 }
49248 - atomic_inc(&osb->alloc_stats.bg_extends);
49249 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49250
49251 /* You should never ask for this much metadata */
49252 BUG_ON(bits_wanted >
49253 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
49254 mlog_errno(status);
49255 goto bail;
49256 }
49257 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49258 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49259
49260 *suballoc_loc = res.sr_bg_blkno;
49261 *suballoc_bit_start = res.sr_bit_offset;
49262 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
49263 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
49264 res->sr_bits);
49265
49266 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49267 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49268
49269 BUG_ON(res->sr_bits != 1);
49270
49271 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
49272 mlog_errno(status);
49273 goto bail;
49274 }
49275 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49276 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49277
49278 BUG_ON(res.sr_bits != 1);
49279
49280 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
49281 cluster_start,
49282 num_clusters);
49283 if (!status)
49284 - atomic_inc(&osb->alloc_stats.local_data);
49285 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49286 } else {
49287 if (min_clusters > (osb->bitmap_cpg - 1)) {
49288 /* The only paths asking for contiguousness
49289 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
49290 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49291 res.sr_bg_blkno,
49292 res.sr_bit_offset);
49293 - atomic_inc(&osb->alloc_stats.bitmap_data);
49294 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49295 *num_clusters = res.sr_bits;
49296 }
49297 }
49298 diff -urNp linux-2.6.39.2/fs/ocfs2/super.c linux-2.6.39.2/fs/ocfs2/super.c
49299 --- linux-2.6.39.2/fs/ocfs2/super.c 2011-05-19 00:06:34.000000000 -0400
49300 +++ linux-2.6.39.2/fs/ocfs2/super.c 2011-05-22 19:36:32.000000000 -0400
49301 @@ -299,11 +299,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49302 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49303 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49304 "Stats",
49305 - atomic_read(&osb->alloc_stats.bitmap_data),
49306 - atomic_read(&osb->alloc_stats.local_data),
49307 - atomic_read(&osb->alloc_stats.bg_allocs),
49308 - atomic_read(&osb->alloc_stats.moves),
49309 - atomic_read(&osb->alloc_stats.bg_extends));
49310 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49311 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49312 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49313 + atomic_read_unchecked(&osb->alloc_stats.moves),
49314 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49315
49316 out += snprintf(buf + out, len - out,
49317 "%10s => State: %u Descriptor: %llu Size: %u bits "
49318 @@ -2111,11 +2111,11 @@ static int ocfs2_initialize_super(struct
49319 spin_lock_init(&osb->osb_xattr_lock);
49320 ocfs2_init_steal_slots(osb);
49321
49322 - atomic_set(&osb->alloc_stats.moves, 0);
49323 - atomic_set(&osb->alloc_stats.local_data, 0);
49324 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49325 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49326 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49327 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49328 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49329 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49330 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49331 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49332
49333 /* Copy the blockcheck stats from the superblock probe */
49334 osb->osb_ecc_stats = *stats;
49335 diff -urNp linux-2.6.39.2/fs/ocfs2/symlink.c linux-2.6.39.2/fs/ocfs2/symlink.c
49336 --- linux-2.6.39.2/fs/ocfs2/symlink.c 2011-05-19 00:06:34.000000000 -0400
49337 +++ linux-2.6.39.2/fs/ocfs2/symlink.c 2011-05-22 19:36:32.000000000 -0400
49338 @@ -142,7 +142,7 @@ bail:
49339
49340 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49341 {
49342 - char *link = nd_get_link(nd);
49343 + const char *link = nd_get_link(nd);
49344 if (!IS_ERR(link))
49345 kfree(link);
49346 }
49347 diff -urNp linux-2.6.39.2/fs/open.c linux-2.6.39.2/fs/open.c
49348 --- linux-2.6.39.2/fs/open.c 2011-05-19 00:06:34.000000000 -0400
49349 +++ linux-2.6.39.2/fs/open.c 2011-05-22 20:46:51.000000000 -0400
49350 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
49351 error = locks_verify_truncate(inode, NULL, length);
49352 if (!error)
49353 error = security_path_truncate(&path);
49354 +
49355 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49356 + error = -EACCES;
49357 +
49358 if (!error)
49359 error = do_truncate(path.dentry, length, 0, NULL);
49360
49361 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49362 if (__mnt_is_readonly(path.mnt))
49363 res = -EROFS;
49364
49365 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49366 + res = -EACCES;
49367 +
49368 out_path_release:
49369 path_put(&path);
49370 out:
49371 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49372 if (error)
49373 goto dput_and_out;
49374
49375 + gr_log_chdir(path.dentry, path.mnt);
49376 +
49377 set_fs_pwd(current->fs, &path);
49378
49379 dput_and_out:
49380 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49381 goto out_putf;
49382
49383 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
49384 +
49385 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49386 + error = -EPERM;
49387 +
49388 + if (!error)
49389 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49390 +
49391 if (!error)
49392 set_fs_pwd(current->fs, &file->f_path);
49393 out_putf:
49394 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
49395 if (error)
49396 goto dput_and_out;
49397
49398 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49399 + goto dput_and_out;
49400 +
49401 + if (gr_handle_chroot_caps(&path)) {
49402 + error = -ENOMEM;
49403 + goto dput_and_out;
49404 + }
49405 +
49406 set_fs_root(current->fs, &path);
49407 +
49408 + gr_handle_chroot_chdir(&path);
49409 +
49410 error = 0;
49411 dput_and_out:
49412 path_put(&path);
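Review bot: The `gr_handle_chroot_chroot()` branch jumps to `dput_and_out` without assigning `error`, and since the `if (error) goto dput_and_out;` just above it has already been passed, `error` is 0 there, so a refused chroot appears to return success while the root is left unchanged. The neighbouring `gr_handle_chroot_caps()` branch does set a code (`-ENOMEM`). Unless the silent success is deliberate, set the code explicitly, `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`; if it is deliberate, a comment should say so, because a caller checking the return value will believe the root changed. The start of the syscall body is outside the hunk.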
49413 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49414 err = mnt_want_write_file(file);
49415 if (err)
49416 goto out_putf;
49417 +
49418 mutex_lock(&inode->i_mutex);
49419 +
49420 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
49421 + err = -EACCES;
49422 + goto out_unlock;
49423 + }
49424 +
49425 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
49426 if (err)
49427 goto out_unlock;
49428 if (mode == (mode_t) -1)
49429 mode = inode->i_mode;
49430 +
49431 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
49432 + err = -EACCES;
49433 + goto out_unlock;
49434 + }
49435 +
49436 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49437 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49438 err = notify_change(dentry, &newattrs);
49439 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49440 error = mnt_want_write(path.mnt);
49441 if (error)
49442 goto dput_and_out;
49443 +
49444 mutex_lock(&inode->i_mutex);
49445 +
49446 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49447 + error = -EACCES;
49448 + goto out_unlock;
49449 + }
49450 +
49451 error = security_path_chmod(path.dentry, path.mnt, mode);
49452 if (error)
49453 goto out_unlock;
49454 if (mode == (mode_t) -1)
49455 mode = inode->i_mode;
49456 +
49457 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49458 + error = -EACCES;
49459 + goto out_unlock;
49460 + }
49461 +
49462 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49463 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49464 error = notify_change(path.dentry, &newattrs);
49465 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
49466 int error;
49467 struct iattr newattrs;
49468
49469 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
49470 + return -EACCES;
49471 +
49472 newattrs.ia_valid = ATTR_CTIME;
49473 if (user != (uid_t) -1) {
49474 newattrs.ia_valid |= ATTR_UID;
49475 @@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
49476 if (!IS_ERR(tmp)) {
49477 fd = get_unused_fd_flags(flags);
49478 if (fd >= 0) {
49479 - struct file *f = do_filp_open(dfd, tmp, &op, lookup);
49480 + struct file *f;
49481 + /* don't allow to be set by userland */
49482 + flags &= ~FMODE_GREXEC;
49483 + f = do_filp_open(dfd, tmp, &op, lookup);
49484 if (IS_ERR(f)) {
49485 put_unused_fd(fd);
49486 fd = PTR_ERR(f);
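Review bot: `flags &= ~FMODE_GREXEC;` is applied after `get_unused_fd_flags(flags)` and immediately before `do_filp_open(dfd, tmp, &op, lookup)`, which takes `op` and `lookup` rather than `flags`, so in the visible lines the masked value is never used again. If `op` is derived from `flags` earlier in do_sys_open (outside the hunk), a userland-supplied FMODE_GREXEC bit would already have been copied before it is cleared. The mask should move to the top of the function, ahead of whatever builds `op`, with the comment reworded to `/* FMODE_GREXEC is kernel-internal; strip it from user-supplied flags */`.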
49487 diff -urNp linux-2.6.39.2/fs/partitions/ldm.c linux-2.6.39.2/fs/partitions/ldm.c
49488 --- linux-2.6.39.2/fs/partitions/ldm.c 2011-06-03 00:04:14.000000000 -0400
49489 +++ linux-2.6.39.2/fs/partitions/ldm.c 2011-06-03 00:32:07.000000000 -0400
49490 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49491 ldm_error ("A VBLK claims to have %d parts.", num);
49492 return false;
49493 }
49494 +
49495 if (rec >= num) {
49496 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49497 return false;
49498 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49499 goto found;
49500 }
49501
49502 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49503 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49504 if (!f) {
49505 ldm_crit ("Out of memory.");
49506 return false;
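Review bot: Reordering the operands to `size*num + sizeof (*f)` does not change the value passed to `kmalloc`, and the product is still computed without an explicit overflow check in this hunk. The preceding hunk shows `num` and `rec` being validated, but the range of `size` is not visible here. If the reorder exists for a tool or plugin, say so in a comment; otherwise an explicit bound before the allocation, or a note pointing at where `size` is limited, would make the allocation size reviewable. ldm_frag_add continues outside the hunk.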
49507 diff -urNp linux-2.6.39.2/fs/pipe.c linux-2.6.39.2/fs/pipe.c
49508 --- linux-2.6.39.2/fs/pipe.c 2011-05-19 00:06:34.000000000 -0400
49509 +++ linux-2.6.39.2/fs/pipe.c 2011-05-22 19:41:37.000000000 -0400
49510 @@ -420,9 +420,9 @@ redo:
49511 }
49512 if (bufs) /* More to do? */
49513 continue;
49514 - if (!pipe->writers)
49515 + if (!atomic_read(&pipe->writers))
49516 break;
49517 - if (!pipe->waiting_writers) {
49518 + if (!atomic_read(&pipe->waiting_writers)) {
49519 /* syscall merging: Usually we must not sleep
49520 * if O_NONBLOCK is set, or if we got some data.
49521 * But if a writer sleeps in kernel space, then
49522 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
49523 mutex_lock(&inode->i_mutex);
49524 pipe = inode->i_pipe;
49525
49526 - if (!pipe->readers) {
49527 + if (!atomic_read(&pipe->readers)) {
49528 send_sig(SIGPIPE, current, 0);
49529 ret = -EPIPE;
49530 goto out;
49531 @@ -530,7 +530,7 @@ redo1:
49532 for (;;) {
49533 int bufs;
49534
49535 - if (!pipe->readers) {
49536 + if (!atomic_read(&pipe->readers)) {
49537 send_sig(SIGPIPE, current, 0);
49538 if (!ret)
49539 ret = -EPIPE;
49540 @@ -616,9 +616,9 @@ redo2:
49541 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
49542 do_wakeup = 0;
49543 }
49544 - pipe->waiting_writers++;
49545 + atomic_inc(&pipe->waiting_writers);
49546 pipe_wait(pipe);
49547 - pipe->waiting_writers--;
49548 + atomic_dec(&pipe->waiting_writers);
49549 }
49550 out:
49551 mutex_unlock(&inode->i_mutex);
49552 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
49553 mask = 0;
49554 if (filp->f_mode & FMODE_READ) {
49555 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49556 - if (!pipe->writers && filp->f_version != pipe->w_counter)
49557 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49558 mask |= POLLHUP;
49559 }
49560
49561 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
49562 * Most Unices do not set POLLERR for FIFOs but on Linux they
49563 * behave exactly like pipes for poll().
49564 */
49565 - if (!pipe->readers)
49566 + if (!atomic_read(&pipe->readers))
49567 mask |= POLLERR;
49568 }
49569
49570 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
49571
49572 mutex_lock(&inode->i_mutex);
49573 pipe = inode->i_pipe;
49574 - pipe->readers -= decr;
49575 - pipe->writers -= decw;
49576 + atomic_sub(decr, &pipe->readers);
49577 + atomic_sub(decw, &pipe->writers);
49578
49579 - if (!pipe->readers && !pipe->writers) {
49580 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49581 free_pipe_info(inode);
49582 } else {
49583 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
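Review bot: In pipe_release the counters are updated with `atomic_sub()` and then re-read with two `atomic_read()` calls, all under `inode->i_mutex` (taken at the top of the hunk), so the atomic type is not what makes this sequence safe. The conversion of `readers`, `writers` and `waiting_writers` across this file therefore looks aimed at overflow checking of the counts rather than at concurrency; the struct definition is not part of this file's diff. A comment at this site or on the fields, e.g. `/* atomic_t for overflow detection; still serialised by i_mutex */`, would stop a later reader from assuming the mutex can be dropped.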
49584 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
49585
49586 if (inode->i_pipe) {
49587 ret = 0;
49588 - inode->i_pipe->readers++;
49589 + atomic_inc(&inode->i_pipe->readers);
49590 }
49591
49592 mutex_unlock(&inode->i_mutex);
49593 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
49594
49595 if (inode->i_pipe) {
49596 ret = 0;
49597 - inode->i_pipe->writers++;
49598 + atomic_inc(&inode->i_pipe->writers);
49599 }
49600
49601 mutex_unlock(&inode->i_mutex);
49602 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
49603 if (inode->i_pipe) {
49604 ret = 0;
49605 if (filp->f_mode & FMODE_READ)
49606 - inode->i_pipe->readers++;
49607 + atomic_inc(&inode->i_pipe->readers);
49608 if (filp->f_mode & FMODE_WRITE)
49609 - inode->i_pipe->writers++;
49610 + atomic_inc(&inode->i_pipe->writers);
49611 }
49612
49613 mutex_unlock(&inode->i_mutex);
49614 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
49615 inode->i_pipe = NULL;
49616 }
49617
49618 -static struct vfsmount *pipe_mnt __read_mostly;
49619 +struct vfsmount *pipe_mnt __read_mostly;
49620
49621 /*
49622 * pipefs_dname() is called from d_path().
49623 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
49624 goto fail_iput;
49625 inode->i_pipe = pipe;
49626
49627 - pipe->readers = pipe->writers = 1;
49628 + atomic_set(&pipe->readers, 1);
49629 + atomic_set(&pipe->writers, 1);
49630 inode->i_fop = &rdwr_pipefifo_fops;
49631
49632 /*
49633 diff -urNp linux-2.6.39.2/fs/proc/array.c linux-2.6.39.2/fs/proc/array.c
49634 --- linux-2.6.39.2/fs/proc/array.c 2011-05-19 00:06:34.000000000 -0400
49635 +++ linux-2.6.39.2/fs/proc/array.c 2011-05-22 19:41:37.000000000 -0400
49636 @@ -60,6 +60,7 @@
49637 #include <linux/tty.h>
49638 #include <linux/string.h>
49639 #include <linux/mman.h>
49640 +#include <linux/grsecurity.h>
49641 #include <linux/proc_fs.h>
49642 #include <linux/ioport.h>
49643 #include <linux/uaccess.h>
49644 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
49645 seq_putc(m, '\n');
49646 }
49647
49648 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49649 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
49650 +{
49651 + if (p->mm)
49652 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49653 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49654 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49655 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49656 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49657 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49658 + else
49659 + seq_printf(m, "PaX:\t-----\n");
49660 +}
49661 +#endif
49662 +
49663 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49664 struct pid *pid, struct task_struct *task)
49665 {
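Review bot: `task_pax()` reads `p->mm` in the `if` test and again for each of the five flag letters, and nothing in the added function takes a lock or a reference on the mm. If the task can exit while its status file is being read, the mm may be cleared or released between the test and the flag reads, unless the caller (outside this hunk) already pins it. Taking one reference and reading `pax_flags` from that local avoids the repeated unpinned dereference. A short comment explaining that an upper-case letter means the flag is set would also help anything that parses the `PaX:` line.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);	/* pin the mm for the reads below */

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	/* ... seq_printf of the five flag letters as before, reading mm->pax_flags ... */
	mmput(mm);
}
```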
49666 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
49667 task_cpus_allowed(m, task);
49668 cpuset_task_status_allowed(m, task);
49669 task_context_switch_counts(m, task);
49670 +
49671 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49672 + task_pax(m, task);
49673 +#endif
49674 +
49675 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49676 + task_grsec_rbac(m, task);
49677 +#endif
49678 +
49679 return 0;
49680 }
49681
49682 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49683 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49684 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49685 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49686 +#endif
49687 +
49688 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49689 struct pid *pid, struct task_struct *task, int whole)
49690 {
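Review bot: `PAX_RAND_FLAGS` uses its argument unparenthesised and evaluates it four times, and the same definition is added again in the fs/proc/base.c and fs/proc/task_mmu.c sections of this patch. An argument that is an expression would mis-parse or be evaluated repeatedly, and three private copies can drift apart. Define it once in a header that all three files include, either as a `static inline` function or with the argument wrapped: `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`.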
49691 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
49692 cputime_t cutime, cstime, utime, stime;
49693 cputime_t cgtime, gtime;
49694 unsigned long rsslim = 0;
49695 - char tcomm[sizeof(task->comm)];
49696 + char tcomm[sizeof(task->comm)] = { 0 };
49697 unsigned long flags;
49698
49699 + pax_track_stack();
49700 +
49701 state = *get_task_state(task);
49702 vsize = eip = esp = 0;
49703 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49704 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
49705 gtime = task->gtime;
49706 }
49707
49708 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49709 + if (PAX_RAND_FLAGS(mm)) {
49710 + eip = 0;
49711 + esp = 0;
49712 + wchan = 0;
49713 + }
49714 +#endif
49715 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49716 + wchan = 0;
49717 + eip =0;
49718 + esp =0;
49719 +#endif
49720 +
49721 /* scale priority and nice values from timeslices to -20..20 */
49722 /* to make it look like a "normal" Unix priority/nice value */
49723 priority = task_prio(task);
49724 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
49725 vsize,
49726 mm ? get_mm_rss(mm) : 0,
49727 rsslim,
49728 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49729 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49730 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49731 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49732 +#else
49733 mm ? (permitted ? mm->start_code : 1) : 0,
49734 mm ? (permitted ? mm->end_code : 1) : 0,
49735 (permitted && mm) ? mm->start_stack : 0,
49736 +#endif
49737 esp,
49738 eip,
49739 /* The signal information here is obsolete.
49740 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
49741
49742 return 0;
49743 }
49744 +
49745 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49746 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49747 +{
49748 + u32 curr_ip = 0;
49749 + unsigned long flags;
49750 +
49751 + if (lock_task_sighand(task, &flags)) {
49752 + curr_ip = task->signal->curr_ip;
49753 + unlock_task_sighand(task, &flags);
49754 + }
49755 +
49756 + return sprintf(buffer, "%pI4\n", &curr_ip);
49757 +}
49758 +#endif
49759 diff -urNp linux-2.6.39.2/fs/proc/base.c linux-2.6.39.2/fs/proc/base.c
49760 --- linux-2.6.39.2/fs/proc/base.c 2011-05-19 00:06:34.000000000 -0400
49761 +++ linux-2.6.39.2/fs/proc/base.c 2011-06-04 21:20:04.000000000 -0400
49762 @@ -104,6 +104,22 @@ struct pid_entry {
49763 union proc_op op;
49764 };
49765
49766 +struct getdents_callback {
49767 + struct linux_dirent __user * current_dir;
49768 + struct linux_dirent __user * previous;
49769 + struct file * file;
49770 + int count;
49771 + int error;
49772 +};
49773 +
49774 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49775 + loff_t offset, u64 ino, unsigned int d_type)
49776 +{
49777 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
49778 + buf->error = -EINVAL;
49779 + return 0;
49780 +}
49781 +
49782 #define NOD(NAME, MODE, IOP, FOP, OP) { \
49783 .name = (NAME), \
49784 .len = sizeof(NAME) - 1, \
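Review bot: `gr_fake_filldir()` casts `__buf` to a locally re-declared `struct getdents_callback` and stores to `buf->error`, which is only correct if every directory-read path that reaches this callback passes that exact structure with this exact layout. The definition being mirrored is not visible in this hunk, and a filldir callback can be given other buffer types by other callers, in which case the store lands at an unrelated offset in the caller's object. Because the callback exists only to suppress an entry, `return 0;` without touching `__buf` would remove both the duplicated struct and the layout assumption. If the `-EINVAL` is required, share the struct through a header rather than copying it.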
49785 @@ -206,6 +222,9 @@ static struct mm_struct *__check_mem_per
49786 if (task == current)
49787 return mm;
49788
49789 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49790 + return ERR_PTR(-EPERM);
49791 +
49792 /*
49793 * If current is actively ptrace'ing, and would also be
49794 * permitted to freshly attach with ptrace now, permit it.
49795 @@ -279,6 +298,9 @@ static int proc_pid_cmdline(struct task_
49796 if (!mm->arg_end)
49797 goto out_mm; /* Shh! No looking before we're done */
49798
49799 + if (gr_acl_handle_procpidmem(task))
49800 + goto out_mm;
49801 +
49802 len = mm->arg_end - mm->arg_start;
49803
49804 if (len > PAGE_SIZE)
49805 @@ -306,12 +328,28 @@ out:
49806 return res;
49807 }
49808
49809 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49810 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49811 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49812 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49813 +#endif
49814 +
49815 static int proc_pid_auxv(struct task_struct *task, char *buffer)
49816 {
49817 struct mm_struct *mm = mm_for_maps(task);
49818 int res = PTR_ERR(mm);
49819 if (mm && !IS_ERR(mm)) {
49820 unsigned int nwords = 0;
49821 +
49822 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49823 + /* allow if we're currently ptracing this task */
49824 + if (PAX_RAND_FLAGS(mm) &&
49825 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
49826 + mmput(mm);
49827 + return res;
49828 + }
49829 +#endif
49830 +
49831 do {
49832 nwords += 2;
49833 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
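Review bot: The early return in the added `CONFIG_GRKERNSEC_PROC_MEMMAP` block hands back `res`, which at that point still holds `PTR_ERR(mm)` of a valid pointer, so it is an integer derived from a kernel address rather than an errno or a byte count. How the caller treats that value is outside this hunk, but it is neither a clean denial nor a meaningful length. Set an explicit result on this path, for example `mmput(mm); return 0;` for an empty read, or `return -EPERM;` for a denial. The body of proc_pid_auxv continues outside the hunk.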
49834 @@ -325,7 +363,7 @@ static int proc_pid_auxv(struct task_str
49835 }
49836
49837
49838 -#ifdef CONFIG_KALLSYMS
49839 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49840 /*
49841 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
49842 * Returns the resolved symbol. If that fails, simply return the address.
49843 @@ -364,7 +402,7 @@ static void unlock_trace(struct task_str
49844 mutex_unlock(&task->signal->cred_guard_mutex);
49845 }
49846
49847 -#ifdef CONFIG_STACKTRACE
49848 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49849
49850 #define MAX_STACK_TRACE_DEPTH 64
49851
49852 @@ -555,7 +593,7 @@ static int proc_pid_limits(struct task_s
49853 return count;
49854 }
49855
49856 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49857 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49858 static int proc_pid_syscall(struct task_struct *task, char *buffer)
49859 {
49860 long nr;
49861 @@ -584,7 +622,7 @@ static int proc_pid_syscall(struct task_
49862 /************************************************************************/
49863
49864 /* permission checks */
49865 -static int proc_fd_access_allowed(struct inode *inode)
49866 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
49867 {
49868 struct task_struct *task;
49869 int allowed = 0;
49870 @@ -594,7 +632,10 @@ static int proc_fd_access_allowed(struct
49871 */
49872 task = get_proc_task(inode);
49873 if (task) {
49874 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49875 + if (log)
49876 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
49877 + else
49878 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49879 put_task_struct(task);
49880 }
49881 return allowed;
49882 @@ -973,6 +1014,9 @@ static ssize_t environ_read(struct file
49883 if (!task)
49884 goto out_no_task;
49885
49886 + if (gr_acl_handle_procpidmem(task))
49887 + goto out;
49888 +
49889 ret = -ENOMEM;
49890 page = (char *)__get_free_page(GFP_TEMPORARY);
49891 if (!page)
49892 @@ -1660,7 +1704,7 @@ static void *proc_pid_follow_link(struct
49893 path_put(&nd->path);
49894
49895 /* Are we allowed to snoop on the tasks file descriptors? */
49896 - if (!proc_fd_access_allowed(inode))
49897 + if (!proc_fd_access_allowed(inode,0))
49898 goto out;
49899
49900 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
49901 @@ -1699,8 +1743,18 @@ static int proc_pid_readlink(struct dent
49902 struct path path;
49903
49904 /* Are we allowed to snoop on the tasks file descriptors? */
49905 - if (!proc_fd_access_allowed(inode))
49906 - goto out;
49907 + /* logging this is needed for learning on chromium to work properly,
49908 + but we don't want to flood the logs from 'ps' which does a readlink
49909 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
49910 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
49911 + */
49912 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
49913 + if (!proc_fd_access_allowed(inode,0))
49914 + goto out;
49915 + } else {
49916 + if (!proc_fd_access_allowed(inode,1))
49917 + goto out;
49918 + }
49919
49920 error = PROC_I(inode)->op.proc_get_link(inode, &path);
49921 if (error)
49922 @@ -1766,7 +1820,11 @@ static struct inode *proc_pid_make_inode
49923 rcu_read_lock();
49924 cred = __task_cred(task);
49925 inode->i_uid = cred->euid;
49926 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49927 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49928 +#else
49929 inode->i_gid = cred->egid;
49930 +#endif
49931 rcu_read_unlock();
49932 }
49933 security_task_to_inode(task, inode);
49934 @@ -1784,6 +1842,9 @@ static int pid_getattr(struct vfsmount *
49935 struct inode *inode = dentry->d_inode;
49936 struct task_struct *task;
49937 const struct cred *cred;
49938 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49939 + const struct cred *tmpcred = current_cred();
49940 +#endif
49941
49942 generic_fillattr(inode, stat);
49943
49944 @@ -1791,13 +1852,41 @@ static int pid_getattr(struct vfsmount *
49945 stat->uid = 0;
49946 stat->gid = 0;
49947 task = pid_task(proc_pid(inode), PIDTYPE_PID);
49948 +
49949 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
49950 + rcu_read_unlock();
49951 + return -ENOENT;
49952 + }
49953 +
49954 if (task) {
49955 + cred = __task_cred(task);
49956 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49957 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
49958 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49959 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
49960 +#endif
49961 + ) {
49962 +#endif
49963 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49964 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49965 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49966 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49967 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49968 +#endif
49969 task_dumpable(task)) {
49970 - cred = __task_cred(task);
49971 stat->uid = cred->euid;
49972 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49973 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
49974 +#else
49975 stat->gid = cred->egid;
49976 +#endif
49977 }
49978 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49979 + } else {
49980 + rcu_read_unlock();
49981 + return -ENOENT;
49982 + }
49983 +#endif
49984 }
49985 rcu_read_unlock();
49986 return 0;
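Review bot: The visibility test `!tmpcred->uid || (tmpcred->uid == cred->uid)` is written inline with its opening brace in one `#if` block and the matching `} else {` in another, which makes the configured and unconfigured control flow hard to compare. The proc_pid_readdir hunk repeats the inverse of this test, and the get_proc_task_net hunk in fs/proc/proc_net.c checks `fsuid` where these two use `uid`. One static helper shared by the three sites would remove the preprocessor-spliced braces and keep the checks from diverging. It should carry a comment stating which credential field is compared and why. The body of pid_getattr starts outside the hunk.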
49987 @@ -1834,11 +1923,20 @@ static int pid_revalidate(struct dentry
49988
49989 if (task) {
49990 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49991 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49992 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49993 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49994 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49995 +#endif
49996 task_dumpable(task)) {
49997 rcu_read_lock();
49998 cred = __task_cred(task);
49999 inode->i_uid = cred->euid;
50000 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50001 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50002 +#else
50003 inode->i_gid = cred->egid;
50004 +#endif
50005 rcu_read_unlock();
50006 } else {
50007 inode->i_uid = 0;
50008 @@ -1959,7 +2057,8 @@ static int proc_fd_info(struct inode *in
50009 int fd = proc_fd(inode);
50010
50011 if (task) {
50012 - files = get_files_struct(task);
50013 + if (!gr_acl_handle_procpidmem(task))
50014 + files = get_files_struct(task);
50015 put_task_struct(task);
50016 }
50017 if (files) {
50018 @@ -2219,15 +2318,25 @@ static const struct file_operations proc
50019 */
50020 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
50021 {
50022 + struct task_struct *task;
50023 int rv;
50024
50025 if (flags & IPERM_FLAG_RCU)
50026 return -ECHILD;
50027 rv = generic_permission(inode, mask, flags, NULL);
50028 - if (rv == 0)
50029 - return 0;
50030 +
50031 if (task_pid(current) == proc_pid(inode))
50032 rv = 0;
50033 +
50034 + task = get_proc_task(inode);
50035 + if (task == NULL)
50036 + return rv;
50037 +
50038 + if (gr_acl_handle_procpidmem(task))
50039 + rv = -EACCES;
50040 +
50041 + put_task_struct(task);
50042 +
50043 return rv;
50044 }
50045
50046 @@ -2337,6 +2446,9 @@ static struct dentry *proc_pident_lookup
50047 if (!task)
50048 goto out_no_task;
50049
50050 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50051 + goto out;
50052 +
50053 /*
50054 * Yes, it does not scale. And it should not. Don't add
50055 * new entries into /proc/<tgid>/ without very good reasons.
50056 @@ -2381,6 +2493,9 @@ static int proc_pident_readdir(struct fi
50057 if (!task)
50058 goto out_no_task;
50059
50060 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50061 + goto out;
50062 +
50063 ret = 0;
50064 i = filp->f_pos;
50065 switch (i) {
50066 @@ -2651,7 +2766,7 @@ static void *proc_self_follow_link(struc
50067 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50068 void *cookie)
50069 {
50070 - char *s = nd_get_link(nd);
50071 + const char *s = nd_get_link(nd);
50072 if (!IS_ERR(s))
50073 __putname(s);
50074 }
50075 @@ -2835,7 +2950,7 @@ static const struct pid_entry tgid_base_
50076 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
50077 #endif
50078 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50079 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50080 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50081 INF("syscall", S_IRUGO, proc_pid_syscall),
50082 #endif
50083 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50084 @@ -2860,10 +2975,10 @@ static const struct pid_entry tgid_base_
50085 #ifdef CONFIG_SECURITY
50086 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50087 #endif
50088 -#ifdef CONFIG_KALLSYMS
50089 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50090 INF("wchan", S_IRUGO, proc_pid_wchan),
50091 #endif
50092 -#ifdef CONFIG_STACKTRACE
50093 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50094 ONE("stack", S_IRUGO, proc_pid_stack),
50095 #endif
50096 #ifdef CONFIG_SCHEDSTATS
50097 @@ -2894,6 +3009,9 @@ static const struct pid_entry tgid_base_
50098 #ifdef CONFIG_TASK_IO_ACCOUNTING
50099 INF("io", S_IRUGO, proc_tgid_io_accounting),
50100 #endif
50101 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50102 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50103 +#endif
50104 };
50105
50106 static int proc_tgid_base_readdir(struct file * filp,
50107 @@ -3019,7 +3137,14 @@ static struct dentry *proc_pid_instantia
50108 if (!inode)
50109 goto out;
50110
50111 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50112 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50113 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50114 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50115 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50116 +#else
50117 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50118 +#endif
50119 inode->i_op = &proc_tgid_base_inode_operations;
50120 inode->i_fop = &proc_tgid_base_operations;
50121 inode->i_flags|=S_IMMUTABLE;
50122 @@ -3061,7 +3186,11 @@ struct dentry *proc_pid_lookup(struct in
50123 if (!task)
50124 goto out;
50125
50126 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50127 + goto out_put_task;
50128 +
50129 result = proc_pid_instantiate(dir, dentry, task, NULL);
50130 +out_put_task:
50131 put_task_struct(task);
50132 out:
50133 return result;
50134 @@ -3126,6 +3255,11 @@ int proc_pid_readdir(struct file * filp,
50135 {
50136 unsigned int nr;
50137 struct task_struct *reaper;
50138 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50139 + const struct cred *tmpcred = current_cred();
50140 + const struct cred *itercred;
50141 +#endif
50142 + filldir_t __filldir = filldir;
50143 struct tgid_iter iter;
50144 struct pid_namespace *ns;
50145
50146 @@ -3149,8 +3283,27 @@ int proc_pid_readdir(struct file * filp,
50147 for (iter = next_tgid(ns, iter);
50148 iter.task;
50149 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50150 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50151 + rcu_read_lock();
50152 + itercred = __task_cred(iter.task);
50153 +#endif
50154 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50155 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50156 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50157 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50158 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50159 +#endif
50160 + )
50161 +#endif
50162 + )
50163 + __filldir = &gr_fake_filldir;
50164 + else
50165 + __filldir = filldir;
50166 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50167 + rcu_read_unlock();
50168 +#endif
50169 filp->f_pos = iter.tgid + TGID_OFFSET;
50170 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50171 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50172 put_task_struct(iter.task);
50173 goto out;
50174 }
50175 @@ -3177,7 +3330,7 @@ static const struct pid_entry tid_base_s
50176 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50177 #endif
50178 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50179 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50180 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50181 INF("syscall", S_IRUGO, proc_pid_syscall),
50182 #endif
50183 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50184 @@ -3201,10 +3354,10 @@ static const struct pid_entry tid_base_s
50185 #ifdef CONFIG_SECURITY
50186 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50187 #endif
50188 -#ifdef CONFIG_KALLSYMS
50189 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50190 INF("wchan", S_IRUGO, proc_pid_wchan),
50191 #endif
50192 -#ifdef CONFIG_STACKTRACE
50193 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50194 ONE("stack", S_IRUGO, proc_pid_stack),
50195 #endif
50196 #ifdef CONFIG_SCHEDSTATS
50197 diff -urNp linux-2.6.39.2/fs/proc/cmdline.c linux-2.6.39.2/fs/proc/cmdline.c
50198 --- linux-2.6.39.2/fs/proc/cmdline.c 2011-05-19 00:06:34.000000000 -0400
50199 +++ linux-2.6.39.2/fs/proc/cmdline.c 2011-05-22 19:41:37.000000000 -0400
50200 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
50201
50202 static int __init proc_cmdline_init(void)
50203 {
50204 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50205 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50206 +#else
50207 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50208 +#endif
50209 return 0;
50210 }
50211 module_init(proc_cmdline_init);
50212 diff -urNp linux-2.6.39.2/fs/proc/devices.c linux-2.6.39.2/fs/proc/devices.c
50213 --- linux-2.6.39.2/fs/proc/devices.c 2011-05-19 00:06:34.000000000 -0400
50214 +++ linux-2.6.39.2/fs/proc/devices.c 2011-05-22 19:41:37.000000000 -0400
50215 @@ -64,7 +64,11 @@ static const struct file_operations proc
50216
50217 static int __init proc_devices_init(void)
50218 {
50219 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50220 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50221 +#else
50222 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50223 +#endif
50224 return 0;
50225 }
50226 module_init(proc_devices_init);
50227 diff -urNp linux-2.6.39.2/fs/proc/inode.c linux-2.6.39.2/fs/proc/inode.c
50228 --- linux-2.6.39.2/fs/proc/inode.c 2011-05-19 00:06:34.000000000 -0400
50229 +++ linux-2.6.39.2/fs/proc/inode.c 2011-05-22 19:41:37.000000000 -0400
50230 @@ -433,7 +433,11 @@ struct inode *proc_get_inode(struct supe
50231 if (de->mode) {
50232 inode->i_mode = de->mode;
50233 inode->i_uid = de->uid;
50234 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50235 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50236 +#else
50237 inode->i_gid = de->gid;
50238 +#endif
50239 }
50240 if (de->size)
50241 inode->i_size = de->size;
50242 diff -urNp linux-2.6.39.2/fs/proc/internal.h linux-2.6.39.2/fs/proc/internal.h
50243 --- linux-2.6.39.2/fs/proc/internal.h 2011-05-19 00:06:34.000000000 -0400
50244 +++ linux-2.6.39.2/fs/proc/internal.h 2011-05-22 19:41:37.000000000 -0400
50245 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50246 struct pid *pid, struct task_struct *task);
50247 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50248 struct pid *pid, struct task_struct *task);
50249 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50250 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50251 +#endif
50252 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50253
50254 extern const struct file_operations proc_maps_operations;
50255 diff -urNp linux-2.6.39.2/fs/proc/Kconfig linux-2.6.39.2/fs/proc/Kconfig
50256 --- linux-2.6.39.2/fs/proc/Kconfig 2011-05-19 00:06:34.000000000 -0400
50257 +++ linux-2.6.39.2/fs/proc/Kconfig 2011-05-22 19:41:37.000000000 -0400
50258 @@ -30,12 +30,12 @@ config PROC_FS
50259
50260 config PROC_KCORE
50261 bool "/proc/kcore support" if !ARM
50262 - depends on PROC_FS && MMU
50263 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50264
50265 config PROC_VMCORE
50266 bool "/proc/vmcore support"
50267 - depends on PROC_FS && CRASH_DUMP
50268 - default y
50269 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50270 + default n
50271 help
50272 Exports the dump image of crashed kernel in ELF format.
50273
50274 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50275 limited in memory.
50276
50277 config PROC_PAGE_MONITOR
50278 - default y
50279 - depends on PROC_FS && MMU
50280 + default n
50281 + depends on PROC_FS && MMU && !GRKERNSEC
50282 bool "Enable /proc page monitoring" if EXPERT
50283 help
50284 Various /proc files exist to monitor process memory utilization:
50285 diff -urNp linux-2.6.39.2/fs/proc/kcore.c linux-2.6.39.2/fs/proc/kcore.c
50286 --- linux-2.6.39.2/fs/proc/kcore.c 2011-05-19 00:06:34.000000000 -0400
50287 +++ linux-2.6.39.2/fs/proc/kcore.c 2011-05-22 19:41:37.000000000 -0400
50288 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
50289 off_t offset = 0;
50290 struct kcore_list *m;
50291
50292 + pax_track_stack();
50293 +
50294 /* setup ELF header */
50295 elf = (struct elfhdr *) bufp;
50296 bufp += sizeof(struct elfhdr);
50297 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
50298 * the addresses in the elf_phdr on our list.
50299 */
50300 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50301 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50302 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50303 + if (tsz > buflen)
50304 tsz = buflen;
50305 -
50306 +
50307 while (buflen) {
50308 struct kcore_list *m;
50309
50310 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
50311 kfree(elf_buf);
50312 } else {
50313 if (kern_addr_valid(start)) {
50314 - unsigned long n;
50315 + char *elf_buf;
50316 + mm_segment_t oldfs;
50317
50318 - n = copy_to_user(buffer, (char *)start, tsz);
50319 - /*
50320 - * We cannot distingush between fault on source
50321 - * and fault on destination. When this happens
50322 - * we clear too and hope it will trigger the
50323 - * EFAULT again.
50324 - */
50325 - if (n) {
50326 - if (clear_user(buffer + tsz - n,
50327 - n))
50328 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50329 + if (!elf_buf)
50330 + return -ENOMEM;
50331 + oldfs = get_fs();
50332 + set_fs(KERNEL_DS);
50333 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50334 + set_fs(oldfs);
50335 + if (copy_to_user(buffer, elf_buf, tsz)) {
50336 + kfree(elf_buf);
50337 return -EFAULT;
50338 + }
50339 }
50340 + set_fs(oldfs);
50341 + kfree(elf_buf);
50342 } else {
50343 if (clear_user(buffer, tsz))
50344 return -EFAULT;
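Review bot: When `__copy_from_user()` into the bounce buffer fails, the new code writes nothing to `buffer` and returns no error, so the caller's bytes for that range stay as they were while the read still appears to have produced `tsz` bytes (the accounting is outside this hunk). The removed code cleared the destination in the fault case. Restoring the address limit once, right after the copy, and then either clearing or copying keeps that behaviour and leaves a single `kfree` path. If leaving the range untouched is intentional, a comment saying so would be enough.

```c
				unsigned long n;

				/* ... unchanged: kmalloc of elf_buf and the -ENOMEM return ... */
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
				set_fs(oldfs);
				/* source fault: hand back zeroes instead of stale user data */
				if (n ? clear_user(buffer, tsz)
				      : copy_to_user(buffer, elf_buf, tsz)) {
					kfree(elf_buf);
					return -EFAULT;
				}
				kfree(elf_buf);
```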
50345 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
50346
50347 static int open_kcore(struct inode *inode, struct file *filp)
50348 {
50349 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50350 + return -EPERM;
50351 +#endif
50352 if (!capable(CAP_SYS_RAWIO))
50353 return -EPERM;
50354 if (kcore_need_update)
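Review bot: With either option set, the added unconditional `return -EPERM;` turns the `capable(CAP_SYS_RAWIO)` check and everything after it into dead code in the same function, which a reader can miss and a compiler may warn about. Putting the existing body under `#else`, or adding a one-line comment such as `/* kcore is never openable with these options */`, makes the intent explicit. The `CONFIG_GRKERNSEC_PROC_ADD` half of the condition also looks redundant, because the fs/proc/Kconfig hunk in this patch makes `PROC_KCORE` depend on `!GRKERNSEC_PROC_ADD`. The body of open_kcore continues outside the hunk.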
50355 diff -urNp linux-2.6.39.2/fs/proc/meminfo.c linux-2.6.39.2/fs/proc/meminfo.c
50356 --- linux-2.6.39.2/fs/proc/meminfo.c 2011-05-19 00:06:34.000000000 -0400
50357 +++ linux-2.6.39.2/fs/proc/meminfo.c 2011-05-22 19:36:32.000000000 -0400
50358 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50359 unsigned long pages[NR_LRU_LISTS];
50360 int lru;
50361
50362 + pax_track_stack();
50363 +
50364 /*
50365 * display in kilobytes.
50366 */
50367 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
50368 vmi.used >> 10,
50369 vmi.largest_chunk >> 10
50370 #ifdef CONFIG_MEMORY_FAILURE
50371 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50372 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50373 #endif
50374 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
50375 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
50376 diff -urNp linux-2.6.39.2/fs/proc/nommu.c linux-2.6.39.2/fs/proc/nommu.c
50377 --- linux-2.6.39.2/fs/proc/nommu.c 2011-05-19 00:06:34.000000000 -0400
50378 +++ linux-2.6.39.2/fs/proc/nommu.c 2011-05-22 19:36:32.000000000 -0400
50379 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
50380 if (len < 1)
50381 len = 1;
50382 seq_printf(m, "%*c", len, ' ');
50383 - seq_path(m, &file->f_path, "");
50384 + seq_path(m, &file->f_path, "\n\\");
50385 }
50386
50387 seq_putc(m, '\n');
50388 diff -urNp linux-2.6.39.2/fs/proc/proc_net.c linux-2.6.39.2/fs/proc/proc_net.c
50389 --- linux-2.6.39.2/fs/proc/proc_net.c 2011-05-19 00:06:34.000000000 -0400
50390 +++ linux-2.6.39.2/fs/proc/proc_net.c 2011-05-22 19:41:37.000000000 -0400
50391 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
50392 struct task_struct *task;
50393 struct nsproxy *ns;
50394 struct net *net = NULL;
50395 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50396 + const struct cred *cred = current_cred();
50397 +#endif
50398 +
50399 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50400 + if (cred->fsuid)
50401 + return net;
50402 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50403 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50404 + return net;
50405 +#endif
50406
50407 rcu_read_lock();
50408 task = pid_task(proc_pid(dir), PIDTYPE_PID);
50409 diff -urNp linux-2.6.39.2/fs/proc/proc_sysctl.c linux-2.6.39.2/fs/proc/proc_sysctl.c
50410 --- linux-2.6.39.2/fs/proc/proc_sysctl.c 2011-05-19 00:06:34.000000000 -0400
50411 +++ linux-2.6.39.2/fs/proc/proc_sysctl.c 2011-05-22 19:41:37.000000000 -0400
50412 @@ -8,6 +8,8 @@
50413 #include <linux/namei.h>
50414 #include "internal.h"
50415
50416 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50417 +
50418 static const struct dentry_operations proc_sys_dentry_operations;
50419 static const struct file_operations proc_sys_file_operations;
50420 static const struct inode_operations proc_sys_inode_operations;
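Review bot: `gr_handle_sysctl` is declared with a bare `extern` inside this .c file, so the compiler never checks this prototype against the definition, and a later signature change would go unnoticed here. The fs/proc/array.c section of this patch includes `<linux/grsecurity.h>`. If that header is where the gr_* prototypes live, declare the function there and replace the `extern` line with the include.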
50421 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
50422 if (!p)
50423 goto out;
50424
50425 + if (gr_handle_sysctl(p, MAY_EXEC))
50426 + goto out;
50427 +
50428 err = ERR_PTR(-ENOMEM);
50429 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50430 if (h)
50431 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
50432 if (*pos < file->f_pos)
50433 continue;
50434
50435 + if (gr_handle_sysctl(table, 0))
50436 + continue;
50437 +
50438 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50439 if (res)
50440 return res;
50441 @@ -358,6 +366,9 @@ static int proc_sys_getattr(struct vfsmo
50442 if (IS_ERR(head))
50443 return PTR_ERR(head);
50444
50445 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50446 + return -ENOENT;
50447 +
50448 generic_fillattr(inode, stat);
50449 if (table)
50450 stat->mode = (stat->mode & S_IFMT) | table->mode;
50451 diff -urNp linux-2.6.39.2/fs/proc/root.c linux-2.6.39.2/fs/proc/root.c
50452 --- linux-2.6.39.2/fs/proc/root.c 2011-05-19 00:06:34.000000000 -0400
50453 +++ linux-2.6.39.2/fs/proc/root.c 2011-05-22 19:41:37.000000000 -0400
50454 @@ -122,7 +122,15 @@ void __init proc_root_init(void)
50455 #ifdef CONFIG_PROC_DEVICETREE
50456 proc_device_tree_init();
50457 #endif
50458 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50459 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50460 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
50461 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50462 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
50463 +#endif
50464 +#else
50465 proc_mkdir("bus", NULL);
50466 +#endif
50467 proc_sys_init();
50468 }
50469
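Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` has no `#else`, so no "bus" directory is created at all. If Kconfig (not visible here) guarantees that one of the two is always selected together with PROC_ADD, a comment saying so would settle it. Otherwise add an inner `#else` that falls back to `proc_mkdir("bus", NULL);`.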
50470 diff -urNp linux-2.6.39.2/fs/proc/task_mmu.c linux-2.6.39.2/fs/proc/task_mmu.c
50471 --- linux-2.6.39.2/fs/proc/task_mmu.c 2011-05-19 00:06:34.000000000 -0400
50472 +++ linux-2.6.39.2/fs/proc/task_mmu.c 2011-05-22 22:43:29.000000000 -0400
50473 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
50474 "VmExe:\t%8lu kB\n"
50475 "VmLib:\t%8lu kB\n"
50476 "VmPTE:\t%8lu kB\n"
50477 - "VmSwap:\t%8lu kB\n",
50478 - hiwater_vm << (PAGE_SHIFT-10),
50479 + "VmSwap:\t%8lu kB\n"
50480 +
50481 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50482 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50483 +#endif
50484 +
50485 + ,hiwater_vm << (PAGE_SHIFT-10),
50486 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50487 mm->locked_vm << (PAGE_SHIFT-10),
50488 hiwater_rss << (PAGE_SHIFT-10),
50489 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
50490 data << (PAGE_SHIFT-10),
50491 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50492 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
50493 - swap << (PAGE_SHIFT-10));
50494 + swap << (PAGE_SHIFT-10)
50495 +
50496 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50497 + , mm->context.user_cs_base, mm->context.user_cs_limit
50498 +#endif
50499 +
50500 + );
50501 }
50502
50503 unsigned long task_vsize(struct mm_struct *mm)
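Review bot: The new `CsBase`/`CsLim` values are printed unconditionally, while `show_map_vma` further down in the same file blanks addresses when `PAX_RAND_FLAGS(mm)` is true. If `mm->context.user_cs_base` and `user_cs_limit` reflect where the task's executable mappings lie (their definition is not visible here), they would disclose part of the layout that the maps output hides. Applying the same test, `, PAX_RAND_FLAGS(mm) ? 0UL : mm->context.user_cs_base, PAX_RAND_FLAGS(mm) ? 0UL : mm->context.user_cs_limit`, would keep the two outputs consistent; the macro is defined after `task_mem` and only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, so it would have to move up and gain a fallback. The format string is extended in the previous hunk under the same `CONFIG_ARCH_TRACK_EXEC_LIMIT` guard and must stay in step with this argument list.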
50504 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
50505 return ret;
50506 }
50507
50508 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50509 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50510 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50511 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50512 +#endif
50513 +
50514 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50515 {
50516 struct mm_struct *mm = vma->vm_mm;
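Review bot: `PAX_RAND_FLAGS` uses its parameter `_mm` unparenthesized and evaluates it up to four times, so it is only safe with simple, side-effect-free arguments such as the `mm` and `vma->vm_mm` passed in the hunks below. Parenthesizing each use and folding the two flag tests into one mask is a small change: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A comment stating that the macro is true for another task's address space with either flag set would also help, since the callers visible below use it to blank output.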
50517 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
50518 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50519 }
50520
50521 - /* We don't show the stack guard page in /proc/maps */
50522 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50523 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
50524 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
50525 +#else
50526 start = vma->vm_start;
50527 - if (stack_guard_page_start(vma, start))
50528 - start += PAGE_SIZE;
50529 end = vma->vm_end;
50530 - if (stack_guard_page_end(vma, end))
50531 - end -= PAGE_SIZE;
50532 +#endif
50533
50534 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50535 start,
50536 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
50537 flags & VM_WRITE ? 'w' : '-',
50538 flags & VM_EXEC ? 'x' : '-',
50539 flags & VM_MAYSHARE ? 's' : 'p',
50540 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50541 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50542 +#else
50543 pgoff,
50544 +#endif
50545 MAJOR(dev), MINOR(dev), ino, &len);
50546
50547 /*
50548 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
50549 */
50550 if (file) {
50551 pad_len_spaces(m, len);
50552 - seq_path(m, &file->f_path, "\n");
50553 + seq_path(m, &file->f_path, "\n\\");
50554 } else {
50555 const char *name = arch_vma_name(vma);
50556 if (!name) {
50557 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
50558 if (vma->vm_start <= mm->brk &&
50559 vma->vm_end >= mm->start_brk) {
50560 name = "[heap]";
50561 - } else if (vma->vm_start <= mm->start_stack &&
50562 - vma->vm_end >= mm->start_stack) {
50563 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50564 + (vma->vm_start <= mm->start_stack &&
50565 + vma->vm_end >= mm->start_stack)) {
50566 name = "[stack]";
50567 }
50568 } else {
50569 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
50570 };
50571
50572 memset(&mss, 0, sizeof mss);
50573 - mss.vma = vma;
50574 - /* mmap_sem is held in m_start */
50575 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50576 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50577 -
50578 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50579 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50580 +#endif
50581 + mss.vma = vma;
50582 + /* mmap_sem is held in m_start */
50583 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50584 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50585 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50586 + }
50587 +#endif
50588 show_map_vma(m, vma);
50589
50590 seq_printf(m,
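Review bot: The `if` block around the page walk is opened and closed by two separate `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` pairs, which is easy to unbalance in a later edit and leaves the body mis-indented for one of the two configurations. Defining the macro for both configurations, `#else` / `#define PAX_RAND_FLAGS(_mm) 0` next to its definition, would let this be a plain `if (!PAX_RAND_FLAGS(vma->vm_mm)) { ... }`. It would also remove the `#ifdef`/`#else` pairs around the `start`, `end`, `pgoff` and size arguments in the neighbouring hunks. `show_smap` begins and ends outside the hunk.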
50591 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
50592 "KernelPageSize: %8lu kB\n"
50593 "MMUPageSize: %8lu kB\n"
50594 "Locked: %8lu kB\n",
50595 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50596 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50597 +#else
50598 (vma->vm_end - vma->vm_start) >> 10,
50599 +#endif
50600 mss.resident >> 10,
50601 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50602 mss.shared_clean >> 10,
50603 diff -urNp linux-2.6.39.2/fs/proc/task_nommu.c linux-2.6.39.2/fs/proc/task_nommu.c
50604 --- linux-2.6.39.2/fs/proc/task_nommu.c 2011-05-19 00:06:34.000000000 -0400
50605 +++ linux-2.6.39.2/fs/proc/task_nommu.c 2011-05-22 19:36:32.000000000 -0400
50606 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
50607 else
50608 bytes += kobjsize(mm);
50609
50610 - if (current->fs && current->fs->users > 1)
50611 + if (current->fs && atomic_read(&current->fs->users) > 1)
50612 sbytes += kobjsize(current->fs);
50613 else
50614 bytes += kobjsize(current->fs);
50615 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
50616
50617 if (file) {
50618 pad_len_spaces(m, len);
50619 - seq_path(m, &file->f_path, "");
50620 + seq_path(m, &file->f_path, "\n\\");
50621 } else if (mm) {
50622 if (vma->vm_start <= mm->start_stack &&
50623 vma->vm_end >= mm->start_stack) {
50624 diff -urNp linux-2.6.39.2/fs/quota/netlink.c linux-2.6.39.2/fs/quota/netlink.c
50625 --- linux-2.6.39.2/fs/quota/netlink.c 2011-05-19 00:06:34.000000000 -0400
50626 +++ linux-2.6.39.2/fs/quota/netlink.c 2011-05-22 19:36:32.000000000 -0400
50627 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
50628 void quota_send_warning(short type, unsigned int id, dev_t dev,
50629 const char warntype)
50630 {
50631 - static atomic_t seq;
50632 + static atomic_unchecked_t seq;
50633 struct sk_buff *skb;
50634 void *msg_head;
50635 int ret;
50636 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
50637 "VFS: Not enough memory to send quota warning.\n");
50638 return;
50639 }
50640 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
50641 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
50642 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
50643 if (!msg_head) {
50644 printk(KERN_ERR
50645 diff -urNp linux-2.6.39.2/fs/readdir.c linux-2.6.39.2/fs/readdir.c
50646 --- linux-2.6.39.2/fs/readdir.c 2011-05-19 00:06:34.000000000 -0400
50647 +++ linux-2.6.39.2/fs/readdir.c 2011-05-22 19:41:42.000000000 -0400
50648 @@ -17,6 +17,7 @@
50649 #include <linux/security.h>
50650 #include <linux/syscalls.h>
50651 #include <linux/unistd.h>
50652 +#include <linux/namei.h>
50653
50654 #include <asm/uaccess.h>
50655
50656 @@ -67,6 +68,7 @@ struct old_linux_dirent {
50657
50658 struct readdir_callback {
50659 struct old_linux_dirent __user * dirent;
50660 + struct file * file;
50661 int result;
50662 };
50663
50664 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50665 buf->result = -EOVERFLOW;
50666 return -EOVERFLOW;
50667 }
50668 +
50669 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50670 + return 0;
50671 +
50672 buf->result++;
50673 dirent = buf->dirent;
50674 if (!access_ok(VERIFY_WRITE, dirent,
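Review bot: The hidden-entry check in `fillonedir` sits after the callback's own error exits (the `-EOVERFLOW` return is visible just above it), and the `filldir` and `filldir64` hunks place it the same way, so an entry the policy hides can still change what the caller sees. In the `filldir64` hunk `buf->error = -EINVAL` is assigned before the check and the added `return 0` leaves it set; if the syscall reports `buf.error` when no entry was copied (that code is outside these hunks), a read that meets only hidden entries would return `-EINVAL` instead of 0. Moving `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` ahead of the record-length and inode-overflow checks in each callback makes a hidden entry indistinguishable from an absent one. The callbacks' opening lines are outside the hunks, so the exact position needs checking there.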
50675 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50676
50677 buf.result = 0;
50678 buf.dirent = dirent;
50679 + buf.file = file;
50680
50681 error = vfs_readdir(file, fillonedir, &buf);
50682 if (buf.result)
50683 @@ -142,6 +149,7 @@ struct linux_dirent {
50684 struct getdents_callback {
50685 struct linux_dirent __user * current_dir;
50686 struct linux_dirent __user * previous;
50687 + struct file * file;
50688 int count;
50689 int error;
50690 };
50691 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
50692 buf->error = -EOVERFLOW;
50693 return -EOVERFLOW;
50694 }
50695 +
50696 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50697 + return 0;
50698 +
50699 dirent = buf->previous;
50700 if (dirent) {
50701 if (__put_user(offset, &dirent->d_off))
50702 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50703 buf.previous = NULL;
50704 buf.count = count;
50705 buf.error = 0;
50706 + buf.file = file;
50707
50708 error = vfs_readdir(file, filldir, &buf);
50709 if (error >= 0)
50710 @@ -229,6 +242,7 @@ out:
50711 struct getdents_callback64 {
50712 struct linux_dirent64 __user * current_dir;
50713 struct linux_dirent64 __user * previous;
50714 + struct file *file;
50715 int count;
50716 int error;
50717 };
50718 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
50719 buf->error = -EINVAL; /* only used if we fail.. */
50720 if (reclen > buf->count)
50721 return -EINVAL;
50722 +
50723 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50724 + return 0;
50725 +
50726 dirent = buf->previous;
50727 if (dirent) {
50728 if (__put_user(offset, &dirent->d_off))
50729 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50730
50731 buf.current_dir = dirent;
50732 buf.previous = NULL;
50733 + buf.file = file;
50734 buf.count = count;
50735 buf.error = 0;
50736
50737 diff -urNp linux-2.6.39.2/fs/reiserfs/dir.c linux-2.6.39.2/fs/reiserfs/dir.c
50738 --- linux-2.6.39.2/fs/reiserfs/dir.c 2011-05-19 00:06:34.000000000 -0400
50739 +++ linux-2.6.39.2/fs/reiserfs/dir.c 2011-05-22 19:36:32.000000000 -0400
50740 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50741 struct reiserfs_dir_entry de;
50742 int ret = 0;
50743
50744 + pax_track_stack();
50745 +
50746 reiserfs_write_lock(inode->i_sb);
50747
50748 reiserfs_check_lock_depth(inode->i_sb, "readdir");
50749 diff -urNp linux-2.6.39.2/fs/reiserfs/do_balan.c linux-2.6.39.2/fs/reiserfs/do_balan.c
50750 --- linux-2.6.39.2/fs/reiserfs/do_balan.c 2011-05-19 00:06:34.000000000 -0400
50751 +++ linux-2.6.39.2/fs/reiserfs/do_balan.c 2011-05-22 19:36:32.000000000 -0400
50752 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
50753 return;
50754 }
50755
50756 - atomic_inc(&(fs_generation(tb->tb_sb)));
50757 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50758 do_balance_starts(tb);
50759
50760 /* balance leaf returns 0 except if combining L R and S into
50761 diff -urNp linux-2.6.39.2/fs/reiserfs/item_ops.c linux-2.6.39.2/fs/reiserfs/item_ops.c
50762 --- linux-2.6.39.2/fs/reiserfs/item_ops.c 2011-05-19 00:06:34.000000000 -0400
50763 +++ linux-2.6.39.2/fs/reiserfs/item_ops.c 2011-05-22 19:36:32.000000000 -0400
50764 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50765 vi->vi_index, vi->vi_type, vi->vi_ih);
50766 }
50767
50768 -static struct item_operations stat_data_ops = {
50769 +static const struct item_operations stat_data_ops = {
50770 .bytes_number = sd_bytes_number,
50771 .decrement_key = sd_decrement_key,
50772 .is_left_mergeable = sd_is_left_mergeable,
50773 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50774 vi->vi_index, vi->vi_type, vi->vi_ih);
50775 }
50776
50777 -static struct item_operations direct_ops = {
50778 +static const struct item_operations direct_ops = {
50779 .bytes_number = direct_bytes_number,
50780 .decrement_key = direct_decrement_key,
50781 .is_left_mergeable = direct_is_left_mergeable,
50782 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50783 vi->vi_index, vi->vi_type, vi->vi_ih);
50784 }
50785
50786 -static struct item_operations indirect_ops = {
50787 +static const struct item_operations indirect_ops = {
50788 .bytes_number = indirect_bytes_number,
50789 .decrement_key = indirect_decrement_key,
50790 .is_left_mergeable = indirect_is_left_mergeable,
50791 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50792 printk("\n");
50793 }
50794
50795 -static struct item_operations direntry_ops = {
50796 +static const struct item_operations direntry_ops = {
50797 .bytes_number = direntry_bytes_number,
50798 .decrement_key = direntry_decrement_key,
50799 .is_left_mergeable = direntry_is_left_mergeable,
50800 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
50801 "Invalid item type observed, run fsck ASAP");
50802 }
50803
50804 -static struct item_operations errcatch_ops = {
50805 +static const struct item_operations errcatch_ops = {
50806 errcatch_bytes_number,
50807 errcatch_decrement_key,
50808 errcatch_is_left_mergeable,
50809 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
50810 #error Item types must use disk-format assigned values.
50811 #endif
50812
50813 -struct item_operations *item_ops[TYPE_ANY + 1] = {
50814 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
50815 &stat_data_ops,
50816 &indirect_ops,
50817 &direct_ops,
50818 diff -urNp linux-2.6.39.2/fs/reiserfs/journal.c linux-2.6.39.2/fs/reiserfs/journal.c
50819 --- linux-2.6.39.2/fs/reiserfs/journal.c 2011-05-19 00:06:34.000000000 -0400
50820 +++ linux-2.6.39.2/fs/reiserfs/journal.c 2011-05-22 19:36:32.000000000 -0400
50821 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
50822 struct buffer_head *bh;
50823 int i, j;
50824
50825 + pax_track_stack();
50826 +
50827 bh = __getblk(dev, block, bufsize);
50828 if (buffer_uptodate(bh))
50829 return (bh);
50830 diff -urNp linux-2.6.39.2/fs/reiserfs/namei.c linux-2.6.39.2/fs/reiserfs/namei.c
50831 --- linux-2.6.39.2/fs/reiserfs/namei.c 2011-05-19 00:06:34.000000000 -0400
50832 +++ linux-2.6.39.2/fs/reiserfs/namei.c 2011-05-22 19:36:32.000000000 -0400
50833 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
50834 unsigned long savelink = 1;
50835 struct timespec ctime;
50836
50837 + pax_track_stack();
50838 +
50839 /* three balancings: (1) old name removal, (2) new name insertion
50840 and (3) maybe "save" link insertion
50841 stat data updates: (1) old directory,
50842 diff -urNp linux-2.6.39.2/fs/reiserfs/procfs.c linux-2.6.39.2/fs/reiserfs/procfs.c
50843 --- linux-2.6.39.2/fs/reiserfs/procfs.c 2011-05-19 00:06:34.000000000 -0400
50844 +++ linux-2.6.39.2/fs/reiserfs/procfs.c 2011-05-22 19:36:32.000000000 -0400
50845 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
50846 "SMALL_TAILS " : "NO_TAILS ",
50847 replay_only(sb) ? "REPLAY_ONLY " : "",
50848 convert_reiserfs(sb) ? "CONV " : "",
50849 - atomic_read(&r->s_generation_counter),
50850 + atomic_read_unchecked(&r->s_generation_counter),
50851 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
50852 SF(s_do_balance), SF(s_unneeded_left_neighbor),
50853 SF(s_good_search_by_key_reada), SF(s_bmaps),
50854 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
50855 struct journal_params *jp = &rs->s_v1.s_journal;
50856 char b[BDEVNAME_SIZE];
50857
50858 + pax_track_stack();
50859 +
50860 seq_printf(m, /* on-disk fields */
50861 "jp_journal_1st_block: \t%i\n"
50862 "jp_journal_dev: \t%s[%x]\n"
50863 diff -urNp linux-2.6.39.2/fs/reiserfs/stree.c linux-2.6.39.2/fs/reiserfs/stree.c
50864 --- linux-2.6.39.2/fs/reiserfs/stree.c 2011-05-19 00:06:34.000000000 -0400
50865 +++ linux-2.6.39.2/fs/reiserfs/stree.c 2011-05-22 19:36:32.000000000 -0400
50866 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
50867 int iter = 0;
50868 #endif
50869
50870 + pax_track_stack();
50871 +
50872 BUG_ON(!th->t_trans_id);
50873
50874 init_tb_struct(th, &s_del_balance, sb, path,
50875 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
50876 int retval;
50877 int quota_cut_bytes = 0;
50878
50879 + pax_track_stack();
50880 +
50881 BUG_ON(!th->t_trans_id);
50882
50883 le_key2cpu_key(&cpu_key, key);
50884 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
50885 int quota_cut_bytes;
50886 loff_t tail_pos = 0;
50887
50888 + pax_track_stack();
50889 +
50890 BUG_ON(!th->t_trans_id);
50891
50892 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
50893 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
50894 int retval;
50895 int fs_gen;
50896
50897 + pax_track_stack();
50898 +
50899 BUG_ON(!th->t_trans_id);
50900
50901 fs_gen = get_generation(inode->i_sb);
50902 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
50903 int fs_gen = 0;
50904 int quota_bytes = 0;
50905
50906 + pax_track_stack();
50907 +
50908 BUG_ON(!th->t_trans_id);
50909
50910 if (inode) { /* Do we count quotas for item? */
50911 diff -urNp linux-2.6.39.2/fs/reiserfs/super.c linux-2.6.39.2/fs/reiserfs/super.c
50912 --- linux-2.6.39.2/fs/reiserfs/super.c 2011-05-19 00:06:34.000000000 -0400
50913 +++ linux-2.6.39.2/fs/reiserfs/super.c 2011-05-22 19:36:32.000000000 -0400
50914 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
50915 {.option_name = NULL}
50916 };
50917
50918 + pax_track_stack();
50919 +
50920 *blocks = 0;
50921 if (!options || !*options)
50922 /* use default configuration: create tails, journaling on, no
50923 diff -urNp linux-2.6.39.2/fs/select.c linux-2.6.39.2/fs/select.c
50924 --- linux-2.6.39.2/fs/select.c 2011-05-19 00:06:34.000000000 -0400
50925 +++ linux-2.6.39.2/fs/select.c 2011-05-22 19:41:42.000000000 -0400
50926 @@ -20,6 +20,7 @@
50927 #include <linux/module.h>
50928 #include <linux/slab.h>
50929 #include <linux/poll.h>
50930 +#include <linux/security.h>
50931 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
50932 #include <linux/file.h>
50933 #include <linux/fdtable.h>
50934 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
50935 int retval, i, timed_out = 0;
50936 unsigned long slack = 0;
50937
50938 + pax_track_stack();
50939 +
50940 rcu_read_lock();
50941 retval = max_select_fd(n, fds);
50942 rcu_read_unlock();
50943 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
50944 /* Allocate small arguments on the stack to save memory and be faster */
50945 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
50946
50947 + pax_track_stack();
50948 +
50949 ret = -EINVAL;
50950 if (n < 0)
50951 goto out_nofds;
50952 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
50953 struct poll_list *walk = head;
50954 unsigned long todo = nfds;
50955
50956 + pax_track_stack();
50957 +
50958 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
50959 if (nfds > rlimit(RLIMIT_NOFILE))
50960 return -EINVAL;
50961
50962 diff -urNp linux-2.6.39.2/fs/seq_file.c linux-2.6.39.2/fs/seq_file.c
50963 --- linux-2.6.39.2/fs/seq_file.c 2011-05-19 00:06:34.000000000 -0400
50964 +++ linux-2.6.39.2/fs/seq_file.c 2011-05-22 19:36:32.000000000 -0400
50965 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
50966 return 0;
50967 }
50968 if (!m->buf) {
50969 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50970 + m->size = PAGE_SIZE;
50971 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50972 if (!m->buf)
50973 return -ENOMEM;
50974 }
50975 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
50976 Eoverflow:
50977 m->op->stop(m, p);
50978 kfree(m->buf);
50979 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
50980 + m->size <<= 1;
50981 + m->buf = kmalloc(m->size, GFP_KERNEL);
50982 return !m->buf ? -ENOMEM : -EAGAIN;
50983 }
50984
50985 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
50986 m->version = file->f_version;
50987 /* grab buffer if we didn't have one */
50988 if (!m->buf) {
50989 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50990 + m->size = PAGE_SIZE;
50991 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50992 if (!m->buf)
50993 goto Enomem;
50994 }
50995 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
50996 goto Fill;
50997 m->op->stop(m, p);
50998 kfree(m->buf);
50999 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51000 + m->size <<= 1;
51001 + m->buf = kmalloc(m->size, GFP_KERNEL);
51002 if (!m->buf)
51003 goto Enomem;
51004 m->count = 0;
51005 diff -urNp linux-2.6.39.2/fs/splice.c linux-2.6.39.2/fs/splice.c
51006 --- linux-2.6.39.2/fs/splice.c 2011-05-19 00:06:34.000000000 -0400
51007 +++ linux-2.6.39.2/fs/splice.c 2011-05-22 19:36:32.000000000 -0400
51008 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51009 pipe_lock(pipe);
51010
51011 for (;;) {
51012 - if (!pipe->readers) {
51013 + if (!atomic_read(&pipe->readers)) {
51014 send_sig(SIGPIPE, current, 0);
51015 if (!ret)
51016 ret = -EPIPE;
51017 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51018 do_wakeup = 0;
51019 }
51020
51021 - pipe->waiting_writers++;
51022 + atomic_inc(&pipe->waiting_writers);
51023 pipe_wait(pipe);
51024 - pipe->waiting_writers--;
51025 + atomic_dec(&pipe->waiting_writers);
51026 }
51027
51028 pipe_unlock(pipe);
51029 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
51030 .spd_release = spd_release_page,
51031 };
51032
51033 + pax_track_stack();
51034 +
51035 if (splice_grow_spd(pipe, &spd))
51036 return -ENOMEM;
51037
51038 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
51039 old_fs = get_fs();
51040 set_fs(get_ds());
51041 /* The cast to a user pointer is valid due to the set_fs() */
51042 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51043 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
51044 set_fs(old_fs);
51045
51046 return res;
51047 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
51048 old_fs = get_fs();
51049 set_fs(get_ds());
51050 /* The cast to a user pointer is valid due to the set_fs() */
51051 - res = vfs_write(file, (const char __user *)buf, count, &pos);
51052 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
51053 set_fs(old_fs);
51054
51055 return res;
51056 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
51057 .spd_release = spd_release_page,
51058 };
51059
51060 + pax_track_stack();
51061 +
51062 if (splice_grow_spd(pipe, &spd))
51063 return -ENOMEM;
51064
51065 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
51066 goto err;
51067
51068 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51069 - vec[i].iov_base = (void __user *) page_address(page);
51070 + vec[i].iov_base = (__force void __user *) page_address(page);
51071 vec[i].iov_len = this_len;
51072 spd.pages[i] = page;
51073 spd.nr_pages++;
51074 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51075 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51076 {
51077 while (!pipe->nrbufs) {
51078 - if (!pipe->writers)
51079 + if (!atomic_read(&pipe->writers))
51080 return 0;
51081
51082 - if (!pipe->waiting_writers && sd->num_spliced)
51083 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51084 return 0;
51085
51086 if (sd->flags & SPLICE_F_NONBLOCK)
51087 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
51088 * out of the pipe right after the splice_to_pipe(). So set
51089 * PIPE_READERS appropriately.
51090 */
51091 - pipe->readers = 1;
51092 + atomic_set(&pipe->readers, 1);
51093
51094 current->splice_pipe = pipe;
51095 }
51096 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
51097 };
51098 long ret;
51099
51100 + pax_track_stack();
51101 +
51102 pipe = get_pipe_info(file);
51103 if (!pipe)
51104 return -EBADF;
51105 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
51106 ret = -ERESTARTSYS;
51107 break;
51108 }
51109 - if (!pipe->writers)
51110 + if (!atomic_read(&pipe->writers))
51111 break;
51112 - if (!pipe->waiting_writers) {
51113 + if (!atomic_read(&pipe->waiting_writers)) {
51114 if (flags & SPLICE_F_NONBLOCK) {
51115 ret = -EAGAIN;
51116 break;
51117 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
51118 pipe_lock(pipe);
51119
51120 while (pipe->nrbufs >= pipe->buffers) {
51121 - if (!pipe->readers) {
51122 + if (!atomic_read(&pipe->readers)) {
51123 send_sig(SIGPIPE, current, 0);
51124 ret = -EPIPE;
51125 break;
51126 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
51127 ret = -ERESTARTSYS;
51128 break;
51129 }
51130 - pipe->waiting_writers++;
51131 + atomic_inc(&pipe->waiting_writers);
51132 pipe_wait(pipe);
51133 - pipe->waiting_writers--;
51134 + atomic_dec(&pipe->waiting_writers);
51135 }
51136
51137 pipe_unlock(pipe);
51138 @@ -1815,14 +1821,14 @@ retry:
51139 pipe_double_lock(ipipe, opipe);
51140
51141 do {
51142 - if (!opipe->readers) {
51143 + if (!atomic_read(&opipe->readers)) {
51144 send_sig(SIGPIPE, current, 0);
51145 if (!ret)
51146 ret = -EPIPE;
51147 break;
51148 }
51149
51150 - if (!ipipe->nrbufs && !ipipe->writers)
51151 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51152 break;
51153
51154 /*
51155 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
51156 pipe_double_lock(ipipe, opipe);
51157
51158 do {
51159 - if (!opipe->readers) {
51160 + if (!atomic_read(&opipe->readers)) {
51161 send_sig(SIGPIPE, current, 0);
51162 if (!ret)
51163 ret = -EPIPE;
51164 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
51165 * return EAGAIN if we have the potential of some data in the
51166 * future, otherwise just return 0
51167 */
51168 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51169 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51170 ret = -EAGAIN;
51171
51172 pipe_unlock(ipipe);
51173 diff -urNp linux-2.6.39.2/fs/sysfs/file.c linux-2.6.39.2/fs/sysfs/file.c
51174 --- linux-2.6.39.2/fs/sysfs/file.c 2011-05-19 00:06:34.000000000 -0400
51175 +++ linux-2.6.39.2/fs/sysfs/file.c 2011-05-22 19:36:32.000000000 -0400
51176 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51177
51178 struct sysfs_open_dirent {
51179 atomic_t refcnt;
51180 - atomic_t event;
51181 + atomic_unchecked_t event;
51182 wait_queue_head_t poll;
51183 struct list_head buffers; /* goes through sysfs_buffer.list */
51184 };
51185 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51186 if (!sysfs_get_active(attr_sd))
51187 return -ENODEV;
51188
51189 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51190 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51191 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51192
51193 sysfs_put_active(attr_sd);
51194 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51195 return -ENOMEM;
51196
51197 atomic_set(&new_od->refcnt, 0);
51198 - atomic_set(&new_od->event, 1);
51199 + atomic_set_unchecked(&new_od->event, 1);
51200 init_waitqueue_head(&new_od->poll);
51201 INIT_LIST_HEAD(&new_od->buffers);
51202 goto retry;
51203 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51204
51205 sysfs_put_active(attr_sd);
51206
51207 - if (buffer->event != atomic_read(&od->event))
51208 + if (buffer->event != atomic_read_unchecked(&od->event))
51209 goto trigger;
51210
51211 return DEFAULT_POLLMASK;
51212 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51213
51214 od = sd->s_attr.open;
51215 if (od) {
51216 - atomic_inc(&od->event);
51217 + atomic_inc_unchecked(&od->event);
51218 wake_up_interruptible(&od->poll);
51219 }
51220
51221 diff -urNp linux-2.6.39.2/fs/sysfs/mount.c linux-2.6.39.2/fs/sysfs/mount.c
51222 --- linux-2.6.39.2/fs/sysfs/mount.c 2011-05-19 00:06:34.000000000 -0400
51223 +++ linux-2.6.39.2/fs/sysfs/mount.c 2011-05-22 19:41:42.000000000 -0400
51224 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51225 .s_name = "",
51226 .s_count = ATOMIC_INIT(1),
51227 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
51228 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51229 + .s_mode = S_IFDIR | S_IRWXU,
51230 +#else
51231 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51232 +#endif
51233 .s_ino = 1,
51234 };
51235
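Review bot: The restricted `.s_mode` carries no comment explaining its effect: with only `S_IRWXU` on the sysfs root, tasks that are not the directory's owner cannot list or traverse anything under it. A short comment would help whoever enables the option, for example `/* CONFIG_GRKERNSEC_SYSFS_RESTRICT: sysfs root is owner-only; unprivileged tools that read sysfs will fail */`. The initializer of `sysfs_root` starts outside the hunk.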
51236 diff -urNp linux-2.6.39.2/fs/sysfs/symlink.c linux-2.6.39.2/fs/sysfs/symlink.c
51237 --- linux-2.6.39.2/fs/sysfs/symlink.c 2011-05-19 00:06:34.000000000 -0400
51238 +++ linux-2.6.39.2/fs/sysfs/symlink.c 2011-05-22 19:36:32.000000000 -0400
51239 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
51240
51241 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51242 {
51243 - char *page = nd_get_link(nd);
51244 + const char *page = nd_get_link(nd);
51245 if (!IS_ERR(page))
51246 free_page((unsigned long)page);
51247 }
51248 diff -urNp linux-2.6.39.2/fs/udf/inode.c linux-2.6.39.2/fs/udf/inode.c
51249 --- linux-2.6.39.2/fs/udf/inode.c 2011-05-19 00:06:34.000000000 -0400
51250 +++ linux-2.6.39.2/fs/udf/inode.c 2011-05-22 19:36:32.000000000 -0400
51251 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
51252 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51253 int lastblock = 0;
51254
51255 + pax_track_stack();
51256 +
51257 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51258 prev_epos.block = iinfo->i_location;
51259 prev_epos.bh = NULL;
51260 diff -urNp linux-2.6.39.2/fs/udf/misc.c linux-2.6.39.2/fs/udf/misc.c
51261 --- linux-2.6.39.2/fs/udf/misc.c 2011-05-19 00:06:34.000000000 -0400
51262 +++ linux-2.6.39.2/fs/udf/misc.c 2011-05-22 19:36:32.000000000 -0400
51263 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51264
51265 u8 udf_tag_checksum(const struct tag *t)
51266 {
51267 - u8 *data = (u8 *)t;
51268 + const u8 *data = (const u8 *)t;
51269 u8 checksum = 0;
51270 int i;
51271 for (i = 0; i < sizeof(struct tag); ++i)
51272 diff -urNp linux-2.6.39.2/fs/utimes.c linux-2.6.39.2/fs/utimes.c
51273 --- linux-2.6.39.2/fs/utimes.c 2011-05-19 00:06:34.000000000 -0400
51274 +++ linux-2.6.39.2/fs/utimes.c 2011-05-22 19:41:42.000000000 -0400
51275 @@ -1,6 +1,7 @@
51276 #include <linux/compiler.h>
51277 #include <linux/file.h>
51278 #include <linux/fs.h>
51279 +#include <linux/security.h>
51280 #include <linux/linkage.h>
51281 #include <linux/mount.h>
51282 #include <linux/namei.h>
51283 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51284 goto mnt_drop_write_and_out;
51285 }
51286 }
51287 +
51288 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51289 + error = -EACCES;
51290 + goto mnt_drop_write_and_out;
51291 + }
51292 +
51293 mutex_lock(&inode->i_mutex);
51294 error = notify_change(path->dentry, &newattrs);
51295 mutex_unlock(&inode->i_mutex);
51296 diff -urNp linux-2.6.39.2/fs/xattr_acl.c linux-2.6.39.2/fs/xattr_acl.c
51297 --- linux-2.6.39.2/fs/xattr_acl.c 2011-05-19 00:06:34.000000000 -0400
51298 +++ linux-2.6.39.2/fs/xattr_acl.c 2011-05-22 19:36:32.000000000 -0400
51299 @@ -17,8 +17,8 @@
51300 struct posix_acl *
51301 posix_acl_from_xattr(const void *value, size_t size)
51302 {
51303 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51304 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51305 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51306 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51307 int count;
51308 struct posix_acl *acl;
51309 struct posix_acl_entry *acl_e;
51310 diff -urNp linux-2.6.39.2/fs/xattr.c linux-2.6.39.2/fs/xattr.c
51311 --- linux-2.6.39.2/fs/xattr.c 2011-05-19 00:06:34.000000000 -0400
51312 +++ linux-2.6.39.2/fs/xattr.c 2011-05-22 19:41:42.000000000 -0400
51313 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
51314 * Extended attribute SET operations
51315 */
51316 static long
51317 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
51318 +setxattr(struct path *path, const char __user *name, const void __user *value,
51319 size_t size, int flags)
51320 {
51321 int error;
51322 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
51323 return PTR_ERR(kvalue);
51324 }
51325
51326 - error = vfs_setxattr(d, kname, kvalue, size, flags);
51327 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
51328 + error = -EACCES;
51329 + goto out;
51330 + }
51331 +
51332 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
51333 +out:
51334 kfree(kvalue);
51335 return error;
51336 }
51337 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
51338 return error;
51339 error = mnt_want_write(path.mnt);
51340 if (!error) {
51341 - error = setxattr(path.dentry, name, value, size, flags);
51342 + error = setxattr(&path, name, value, size, flags);
51343 mnt_drop_write(path.mnt);
51344 }
51345 path_put(&path);
51346 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
51347 return error;
51348 error = mnt_want_write(path.mnt);
51349 if (!error) {
51350 - error = setxattr(path.dentry, name, value, size, flags);
51351 + error = setxattr(&path, name, value, size, flags);
51352 mnt_drop_write(path.mnt);
51353 }
51354 path_put(&path);
51355 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
51356 const void __user *,value, size_t, size, int, flags)
51357 {
51358 struct file *f;
51359 - struct dentry *dentry;
51360 int error = -EBADF;
51361
51362 f = fget(fd);
51363 if (!f)
51364 return error;
51365 - dentry = f->f_path.dentry;
51366 - audit_inode(NULL, dentry);
51367 + audit_inode(NULL, f->f_path.dentry);
51368 error = mnt_want_write_file(f);
51369 if (!error) {
51370 - error = setxattr(dentry, name, value, size, flags);
51371 + error = setxattr(&f->f_path, name, value, size, flags);
51372 mnt_drop_write(f->f_path.mnt);
51373 }
51374 fput(f);
51375 diff -urNp linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl32.c
51376 --- linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-19 00:06:34.000000000 -0400
51377 +++ linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-22 19:41:42.000000000 -0400
51378 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
51379 xfs_fsop_geom_t fsgeo;
51380 int error;
51381
51382 + memset(&fsgeo, 0, sizeof(fsgeo));
51383 error = xfs_fs_geometry(mp, &fsgeo, 3);
51384 if (error)
51385 return -error;
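Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` carries no comment saying what it protects, so a later cleanup could drop it as redundant initialisation. The structure is a stack local filled by `xfs_fs_geometry(mp, &fsgeo, 3)`, and the copy to the caller presumably follows outside this hunk. Any field or padding that call leaves unwritten would otherwise carry stale kernel stack bytes. I would add `/* zero first: fields and padding xfs_fs_geometry() does not fill must not reach userspace */` above the memset.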
51386 diff -urNp linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl.c
51387 --- linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-19 00:06:34.000000000 -0400
51388 +++ linux-2.6.39.2/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-22 19:36:32.000000000 -0400
51389 @@ -128,7 +128,7 @@ xfs_find_handle(
51390 }
51391
51392 error = -EFAULT;
51393 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51394 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51395 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51396 goto out_put;
51397
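Review bot: The new `hsize > sizeof handle` test is folded into the copy_to_user() condition, so an oversized handle length is reported to the caller as -EFAULT, the same as a bad user pointer. hsize appears to be computed earlier in xfs_find_handle(), outside this hunk, so tripping the bound would point at an internal inconsistency rather than a user error. A separate guard before the copy keeps the two cases distinguishable: `if (hsize > sizeof(handle)) { error = -EINVAL; goto out_put; }`. Kernel style also writes `sizeof(handle)` with parentheses.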
51398 diff -urNp linux-2.6.39.2/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.39.2/fs/xfs/linux-2.6/xfs_iops.c
51399 --- linux-2.6.39.2/fs/xfs/linux-2.6/xfs_iops.c 2011-05-19 00:06:34.000000000 -0400
51400 +++ linux-2.6.39.2/fs/xfs/linux-2.6/xfs_iops.c 2011-05-22 19:36:32.000000000 -0400
51401 @@ -437,7 +437,7 @@ xfs_vn_put_link(
51402 struct nameidata *nd,
51403 void *p)
51404 {
51405 - char *s = nd_get_link(nd);
51406 + const char *s = nd_get_link(nd);
51407
51408 if (!IS_ERR(s))
51409 kfree(s);
51410 diff -urNp linux-2.6.39.2/fs/xfs/xfs_bmap.c linux-2.6.39.2/fs/xfs/xfs_bmap.c
51411 --- linux-2.6.39.2/fs/xfs/xfs_bmap.c 2011-05-19 00:06:34.000000000 -0400
51412 +++ linux-2.6.39.2/fs/xfs/xfs_bmap.c 2011-05-22 19:36:32.000000000 -0400
51413 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
51414 int nmap,
51415 int ret_nmap);
51416 #else
51417 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51418 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51419 #endif /* DEBUG */
51420
51421 STATIC int
51422 diff -urNp linux-2.6.39.2/fs/xfs/xfs_dir2.c linux-2.6.39.2/fs/xfs/xfs_dir2.c
51423 --- linux-2.6.39.2/fs/xfs/xfs_dir2.c 2011-05-19 00:06:34.000000000 -0400
51424 +++ linux-2.6.39.2/fs/xfs/xfs_dir2.c 2011-05-22 19:36:32.000000000 -0400
51425 @@ -85,7 +85,7 @@ xfs_ascii_ci_compname(
51426 return result;
51427 }
51428
51429 -static struct xfs_nameops xfs_ascii_ci_nameops = {
51430 +static const struct xfs_nameops xfs_ascii_ci_nameops = {
51431 .hashname = xfs_ascii_ci_hashname,
51432 .compname = xfs_ascii_ci_compname,
51433 };
51434 diff -urNp linux-2.6.39.2/fs/xfs/xfs_dir2_sf.c linux-2.6.39.2/fs/xfs/xfs_dir2_sf.c
51435 --- linux-2.6.39.2/fs/xfs/xfs_dir2_sf.c 2011-05-19 00:06:34.000000000 -0400
51436 +++ linux-2.6.39.2/fs/xfs/xfs_dir2_sf.c 2011-05-22 19:36:32.000000000 -0400
51437 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
51438 }
51439
51440 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51441 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51442 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51443 + char name[sfep->namelen];
51444 + memcpy(name, sfep->name, sfep->namelen);
51445 + if (filldir(dirent, name, sfep->namelen,
51446 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
51447 + *offset = off & 0x7fffffff;
51448 + return 0;
51449 + }
51450 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51451 off & 0x7fffffff, ino, DT_UNKNOWN)) {
51452 *offset = off & 0x7fffffff;
51453 return 0;
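Review bot: The bounce copy is declared as a variable-length array, `char name[sfep->namelen];`, and the filldir() call with its `*offset` / `return 0` body now appears twice. A zero namelen would give the array a length of zero, which C leaves undefined, and nothing in the hunk says why entries in the inline fork need copying at all. A fixed `char bounce[MAXNAMELEN]` and a `const char *name`, both declared at the top of the enclosing block (outside the hunk), let one filldir() call serve both cases. This assumes namelen is the 8-bit shortform field and therefore always fits. A one-line comment on the `if_data == if_inline_data` test should record the reason for the copy.

```c
/* … unchanged: ino = xfs_dir2_sf_get_inumber(...) … */
name = (const char *)sfep->name;
if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
	/* entry is in the inode's inline fork buffer: hand filldir a stack copy */
	memcpy(bounce, sfep->name, sfep->namelen);
	name = bounce;
}
if (filldir(dirent, name, sfep->namelen,
	    off & 0x7fffffff, ino, DT_UNKNOWN)) {
	/* … unchanged: *offset update and return 0 … */
```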
51454 diff -urNp linux-2.6.39.2/grsecurity/gracl_alloc.c linux-2.6.39.2/grsecurity/gracl_alloc.c
51455 --- linux-2.6.39.2/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
51456 +++ linux-2.6.39.2/grsecurity/gracl_alloc.c 2011-05-22 19:41:42.000000000 -0400
51457 @@ -0,0 +1,105 @@
51458 +#include <linux/kernel.h>
51459 +#include <linux/mm.h>
51460 +#include <linux/slab.h>
51461 +#include <linux/vmalloc.h>
51462 +#include <linux/gracl.h>
51463 +#include <linux/grsecurity.h>
51464 +
51465 +static unsigned long alloc_stack_next = 1;
51466 +static unsigned long alloc_stack_size = 1;
51467 +static void **alloc_stack;
51468 +
51469 +static __inline__ int
51470 +alloc_pop(void)
51471 +{
51472 + if (alloc_stack_next == 1)
51473 + return 0;
51474 +
51475 + kfree(alloc_stack[alloc_stack_next - 2]);
51476 +
51477 + alloc_stack_next--;
51478 +
51479 + return 1;
51480 +}
51481 +
51482 +static __inline__ int
51483 +alloc_push(void *buf)
51484 +{
51485 + if (alloc_stack_next >= alloc_stack_size)
51486 + return 1;
51487 +
51488 + alloc_stack[alloc_stack_next - 1] = buf;
51489 +
51490 + alloc_stack_next++;
51491 +
51492 + return 0;
51493 +}
51494 +
51495 +void *
51496 +acl_alloc(unsigned long len)
51497 +{
51498 + void *ret = NULL;
51499 +
51500 + if (!len || len > PAGE_SIZE)
51501 + goto out;
51502 +
51503 + ret = kmalloc(len, GFP_KERNEL);
51504 +
51505 + if (ret) {
51506 + if (alloc_push(ret)) {
51507 + kfree(ret);
51508 + ret = NULL;
51509 + }
51510 + }
51511 +
51512 +out:
51513 + return ret;
51514 +}
51515 +
51516 +void *
51517 +acl_alloc_num(unsigned long num, unsigned long len)
51518 +{
51519 + if (!len || (num > (PAGE_SIZE / len)))
51520 + return NULL;
51521 +
51522 + return acl_alloc(num * len);
51523 +}
51524 +
51525 +void
51526 +acl_free_all(void)
51527 +{
51528 + if (gr_acl_is_enabled() || !alloc_stack)
51529 + return;
51530 +
51531 + while (alloc_pop()) ;
51532 +
51533 + if (alloc_stack) {
51534 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
51535 + kfree(alloc_stack);
51536 + else
51537 + vfree(alloc_stack);
51538 + }
51539 +
51540 + alloc_stack = NULL;
51541 + alloc_stack_size = 1;
51542 + alloc_stack_next = 1;
51543 +
51544 + return;
51545 +}
51546 +
51547 +int
51548 +acl_alloc_stack_init(unsigned long size)
51549 +{
51550 + if ((size * sizeof (void *)) <= PAGE_SIZE)
51551 + alloc_stack =
51552 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
51553 + else
51554 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
51555 +
51556 + alloc_stack_size = size;
51557 +
51558 + if (!alloc_stack)
51559 + return 0;
51560 + else
51561 + return 1;
51562 +}
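Review bot: In acl_alloc_stack_init() the product `size * sizeof (void *)` is computed without an overflow check, and `alloc_stack_size = size;` is stored before the allocation result is tested. On a 32-bit build a large `size` can wrap to a small byte count, after which alloc_push() bounds its writes by the unwrapped alloc_stack_size and can store past the end of alloc_stack. The caller visible in gracl.c derives the value as `arg->role_db.num_pointers + 5`, which looks like it comes from the loaded policy. I would reject the value up front with `if (size > ULONG_MAX / sizeof (void *)) return 0;` and assign `alloc_stack_size = size;` only once alloc_stack is known to be non-NULL. The file-scope stack state has no locking of its own, so a header comment naming the lock callers are expected to hold would also help.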
51563 diff -urNp linux-2.6.39.2/grsecurity/gracl.c linux-2.6.39.2/grsecurity/gracl.c
51564 --- linux-2.6.39.2/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
51565 +++ linux-2.6.39.2/grsecurity/gracl.c 2011-06-11 16:26:18.000000000 -0400
51566 @@ -0,0 +1,4109 @@
51567 +#include <linux/kernel.h>
51568 +#include <linux/module.h>
51569 +#include <linux/sched.h>
51570 +#include <linux/mm.h>
51571 +#include <linux/file.h>
51572 +#include <linux/fs.h>
51573 +#include <linux/namei.h>
51574 +#include <linux/mount.h>
51575 +#include <linux/tty.h>
51576 +#include <linux/proc_fs.h>
51577 +#include <linux/lglock.h>
51578 +#include <linux/slab.h>
51579 +#include <linux/vmalloc.h>
51580 +#include <linux/types.h>
51581 +#include <linux/sysctl.h>
51582 +#include <linux/netdevice.h>
51583 +#include <linux/ptrace.h>
51584 +#include <linux/gracl.h>
51585 +#include <linux/gralloc.h>
51586 +#include <linux/grsecurity.h>
51587 +#include <linux/grinternal.h>
51588 +#include <linux/pid_namespace.h>
51589 +#include <linux/fdtable.h>
51590 +#include <linux/percpu.h>
51591 +
51592 +#include <asm/uaccess.h>
51593 +#include <asm/errno.h>
51594 +#include <asm/mman.h>
51595 +
51596 +static struct acl_role_db acl_role_set;
51597 +static struct name_db name_set;
51598 +static struct inodev_db inodev_set;
51599 +
51600 +/* for keeping track of userspace pointers used for subjects, so we
51601 + can share references in the kernel as well
51602 +*/
51603 +
51604 +static struct path real_root;
51605 +
51606 +static struct acl_subj_map_db subj_map_set;
51607 +
51608 +static struct acl_role_label *default_role;
51609 +
51610 +static struct acl_role_label *role_list;
51611 +
51612 +static u16 acl_sp_role_value;
51613 +
51614 +extern char *gr_shared_page[4];
51615 +static DEFINE_MUTEX(gr_dev_mutex);
51616 +DEFINE_RWLOCK(gr_inode_lock);
51617 +
51618 +struct gr_arg *gr_usermode;
51619 +
51620 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
51621 +
51622 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
51623 +extern void gr_clear_learn_entries(void);
51624 +
51625 +#ifdef CONFIG_GRKERNSEC_RESLOG
51626 +extern void gr_log_resource(const struct task_struct *task,
51627 + const int res, const unsigned long wanted, const int gt);
51628 +#endif
51629 +
51630 +unsigned char *gr_system_salt;
51631 +unsigned char *gr_system_sum;
51632 +
51633 +static struct sprole_pw **acl_special_roles = NULL;
51634 +static __u16 num_sprole_pws = 0;
51635 +
51636 +static struct acl_role_label *kernel_role = NULL;
51637 +
51638 +static unsigned int gr_auth_attempts = 0;
51639 +static unsigned long gr_auth_expires = 0UL;
51640 +
51641 +#ifdef CONFIG_NET
51642 +extern struct vfsmount *sock_mnt;
51643 +#endif
51644 +
51645 +extern struct vfsmount *pipe_mnt;
51646 +extern struct vfsmount *shm_mnt;
51647 +#ifdef CONFIG_HUGETLBFS
51648 +extern struct vfsmount *hugetlbfs_vfsmount;
51649 +#endif
51650 +
51651 +static struct acl_object_label *fakefs_obj_rw;
51652 +static struct acl_object_label *fakefs_obj_rwx;
51653 +
51654 +extern int gr_init_uidset(void);
51655 +extern void gr_free_uidset(void);
51656 +extern void gr_remove_uid(uid_t uid);
51657 +extern int gr_find_uid(uid_t uid);
51658 +
51659 +DECLARE_BRLOCK(vfsmount_lock);
51660 +
51661 +__inline__ int
51662 +gr_acl_is_enabled(void)
51663 +{
51664 + return (gr_status & GR_READY);
51665 +}
51666 +
51667 +#ifdef CONFIG_BTRFS_FS
51668 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
51669 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
51670 +#endif
51671 +
51672 +static inline dev_t __get_dev(const struct dentry *dentry)
51673 +{
51674 +#ifdef CONFIG_BTRFS_FS
51675 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
51676 + return get_btrfs_dev_from_inode(dentry->d_inode);
51677 + else
51678 +#endif
51679 + return dentry->d_inode->i_sb->s_dev;
51680 +}
51681 +
51682 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
51683 +{
51684 + return __get_dev(dentry);
51685 +}
51686 +
51687 +static char gr_task_roletype_to_char(struct task_struct *task)
51688 +{
51689 + switch (task->role->roletype &
51690 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
51691 + GR_ROLE_SPECIAL)) {
51692 + case GR_ROLE_DEFAULT:
51693 + return 'D';
51694 + case GR_ROLE_USER:
51695 + return 'U';
51696 + case GR_ROLE_GROUP:
51697 + return 'G';
51698 + case GR_ROLE_SPECIAL:
51699 + return 'S';
51700 + }
51701 +
51702 + return 'X';
51703 +}
51704 +
51705 +char gr_roletype_to_char(void)
51706 +{
51707 + return gr_task_roletype_to_char(current);
51708 +}
51709 +
51710 +__inline__ int
51711 +gr_acl_tpe_check(void)
51712 +{
51713 + if (unlikely(!(gr_status & GR_READY)))
51714 + return 0;
51715 + if (current->role->roletype & GR_ROLE_TPE)
51716 + return 1;
51717 + else
51718 + return 0;
51719 +}
51720 +
51721 +int
51722 +gr_handle_rawio(const struct inode *inode)
51723 +{
51724 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51725 + if (inode && S_ISBLK(inode->i_mode) &&
51726 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
51727 + !capable(CAP_SYS_RAWIO))
51728 + return 1;
51729 +#endif
51730 + return 0;
51731 +}
51732 +
51733 +static int
51734 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
51735 +{
51736 + if (likely(lena != lenb))
51737 + return 0;
51738 +
51739 + return !memcmp(a, b, lena);
51740 +}
51741 +
51742 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
51743 +{
51744 + *buflen -= namelen;
51745 + if (*buflen < 0)
51746 + return -ENAMETOOLONG;
51747 + *buffer -= namelen;
51748 + memcpy(*buffer, str, namelen);
51749 + return 0;
51750 +}
51751 +
51752 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
51753 +{
51754 + return prepend(buffer, buflen, name->name, name->len);
51755 +}
51756 +
51757 +static int prepend_path(const struct path *path, struct path *root,
51758 + char **buffer, int *buflen)
51759 +{
51760 + struct dentry *dentry = path->dentry;
51761 + struct vfsmount *vfsmnt = path->mnt;
51762 + bool slash = false;
51763 + int error = 0;
51764 +
51765 + while (dentry != root->dentry || vfsmnt != root->mnt) {
51766 + struct dentry * parent;
51767 +
51768 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
51769 + /* Global root? */
51770 + if (vfsmnt->mnt_parent == vfsmnt) {
51771 + goto out;
51772 + }
51773 + dentry = vfsmnt->mnt_mountpoint;
51774 + vfsmnt = vfsmnt->mnt_parent;
51775 + continue;
51776 + }
51777 + parent = dentry->d_parent;
51778 + prefetch(parent);
51779 + spin_lock(&dentry->d_lock);
51780 + error = prepend_name(buffer, buflen, &dentry->d_name);
51781 + spin_unlock(&dentry->d_lock);
51782 + if (!error)
51783 + error = prepend(buffer, buflen, "/", 1);
51784 + if (error)
51785 + break;
51786 +
51787 + slash = true;
51788 + dentry = parent;
51789 + }
51790 +
51791 +out:
51792 + if (!error && !slash)
51793 + error = prepend(buffer, buflen, "/", 1);
51794 +
51795 + return error;
51796 +}
51797 +
51798 +/* this must be called with vfsmount_lock and rename_lock held */
51799 +
51800 +static char *__our_d_path(const struct path *path, struct path *root,
51801 + char *buf, int buflen)
51802 +{
51803 + char *res = buf + buflen;
51804 + int error;
51805 +
51806 + prepend(&res, &buflen, "\0", 1);
51807 + error = prepend_path(path, root, &res, &buflen);
51808 + if (error)
51809 + return ERR_PTR(error);
51810 +
51811 + return res;
51812 +}
51813 +
51814 +static char *
51815 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
51816 +{
51817 + char *retval;
51818 +
51819 + retval = __our_d_path(path, root, buf, buflen);
51820 + if (unlikely(IS_ERR(retval)))
51821 + retval = strcpy(buf, "<path too long>");
51822 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
51823 + retval[1] = '\0';
51824 +
51825 + return retval;
51826 +}
51827 +
51828 +static char *
51829 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
51830 + char *buf, int buflen)
51831 +{
51832 + struct path path;
51833 + char *res;
51834 +
51835 + path.dentry = (struct dentry *)dentry;
51836 + path.mnt = (struct vfsmount *)vfsmnt;
51837 +
51838 + /* we can use real_root.dentry, real_root.mnt, because this is only called
51839 + by the RBAC system */
51840 + res = gen_full_path(&path, &real_root, buf, buflen);
51841 +
51842 + return res;
51843 +}
51844 +
51845 +static char *
51846 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
51847 + char *buf, int buflen)
51848 +{
51849 + char *res;
51850 + struct path path;
51851 + struct path root;
51852 + struct task_struct *reaper = &init_task;
51853 +
51854 + path.dentry = (struct dentry *)dentry;
51855 + path.mnt = (struct vfsmount *)vfsmnt;
51856 +
51857 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
51858 + get_fs_root(reaper->fs, &root);
51859 +
51860 + write_seqlock(&rename_lock);
51861 + br_read_lock(vfsmount_lock);
51862 + res = gen_full_path(&path, &root, buf, buflen);
51863 + br_read_unlock(vfsmount_lock);
51864 + write_sequnlock(&rename_lock);
51865 +
51866 + path_put(&root);
51867 + return res;
51868 +}
51869 +
51870 +static char *
51871 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
51872 +{
51873 + char *ret;
51874 + write_seqlock(&rename_lock);
51875 + br_read_lock(vfsmount_lock);
51876 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
51877 + PAGE_SIZE);
51878 + br_read_unlock(vfsmount_lock);
51879 + write_sequnlock(&rename_lock);
51880 + return ret;
51881 +}
51882 +
51883 +char *
51884 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
51885 +{
51886 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
51887 + PAGE_SIZE);
51888 +}
51889 +
51890 +char *
51891 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
51892 +{
51893 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
51894 + PAGE_SIZE);
51895 +}
51896 +
51897 +char *
51898 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
51899 +{
51900 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
51901 + PAGE_SIZE);
51902 +}
51903 +
51904 +char *
51905 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
51906 +{
51907 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
51908 + PAGE_SIZE);
51909 +}
51910 +
51911 +char *
51912 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
51913 +{
51914 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
51915 + PAGE_SIZE);
51916 +}
51917 +
51918 +__inline__ __u32
51919 +to_gr_audit(const __u32 reqmode)
51920 +{
51921 + /* masks off auditable permission flags, then shifts them to create
51922 + auditing flags, and adds the special case of append auditing if
51923 + we're requesting write */
51924 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
51925 +}
51926 +
51927 +struct acl_subject_label *
51928 +lookup_subject_map(const struct acl_subject_label *userp)
51929 +{
51930 + unsigned int index = shash(userp, subj_map_set.s_size);
51931 + struct subject_map *match;
51932 +
51933 + match = subj_map_set.s_hash[index];
51934 +
51935 + while (match && match->user != userp)
51936 + match = match->next;
51937 +
51938 + if (match != NULL)
51939 + return match->kernel;
51940 + else
51941 + return NULL;
51942 +}
51943 +
51944 +static void
51945 +insert_subj_map_entry(struct subject_map *subjmap)
51946 +{
51947 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
51948 + struct subject_map **curr;
51949 +
51950 + subjmap->prev = NULL;
51951 +
51952 + curr = &subj_map_set.s_hash[index];
51953 + if (*curr != NULL)
51954 + (*curr)->prev = subjmap;
51955 +
51956 + subjmap->next = *curr;
51957 + *curr = subjmap;
51958 +
51959 + return;
51960 +}
51961 +
51962 +static struct acl_role_label *
51963 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
51964 + const gid_t gid)
51965 +{
51966 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
51967 + struct acl_role_label *match;
51968 + struct role_allowed_ip *ipp;
51969 + unsigned int x;
51970 + u32 curr_ip = task->signal->curr_ip;
51971 +
51972 + task->signal->saved_ip = curr_ip;
51973 +
51974 + match = acl_role_set.r_hash[index];
51975 +
51976 + while (match) {
51977 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
51978 + for (x = 0; x < match->domain_child_num; x++) {
51979 + if (match->domain_children[x] == uid)
51980 + goto found;
51981 + }
51982 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
51983 + break;
51984 + match = match->next;
51985 + }
51986 +found:
51987 + if (match == NULL) {
51988 + try_group:
51989 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
51990 + match = acl_role_set.r_hash[index];
51991 +
51992 + while (match) {
51993 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
51994 + for (x = 0; x < match->domain_child_num; x++) {
51995 + if (match->domain_children[x] == gid)
51996 + goto found2;
51997 + }
51998 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
51999 + break;
52000 + match = match->next;
52001 + }
52002 +found2:
52003 + if (match == NULL)
52004 + match = default_role;
52005 + if (match->allowed_ips == NULL)
52006 + return match;
52007 + else {
52008 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52009 + if (likely
52010 + ((ntohl(curr_ip) & ipp->netmask) ==
52011 + (ntohl(ipp->addr) & ipp->netmask)))
52012 + return match;
52013 + }
52014 + match = default_role;
52015 + }
52016 + } else if (match->allowed_ips == NULL) {
52017 + return match;
52018 + } else {
52019 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52020 + if (likely
52021 + ((ntohl(curr_ip) & ipp->netmask) ==
52022 + (ntohl(ipp->addr) & ipp->netmask)))
52023 + return match;
52024 + }
52025 + goto try_group;
52026 + }
52027 +
52028 + return match;
52029 +}
52030 +
52031 +struct acl_subject_label *
52032 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52033 + const struct acl_role_label *role)
52034 +{
52035 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52036 + struct acl_subject_label *match;
52037 +
52038 + match = role->subj_hash[index];
52039 +
52040 + while (match && (match->inode != ino || match->device != dev ||
52041 + (match->mode & GR_DELETED))) {
52042 + match = match->next;
52043 + }
52044 +
52045 + if (match && !(match->mode & GR_DELETED))
52046 + return match;
52047 + else
52048 + return NULL;
52049 +}
52050 +
52051 +struct acl_subject_label *
52052 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52053 + const struct acl_role_label *role)
52054 +{
52055 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52056 + struct acl_subject_label *match;
52057 +
52058 + match = role->subj_hash[index];
52059 +
52060 + while (match && (match->inode != ino || match->device != dev ||
52061 + !(match->mode & GR_DELETED))) {
52062 + match = match->next;
52063 + }
52064 +
52065 + if (match && (match->mode & GR_DELETED))
52066 + return match;
52067 + else
52068 + return NULL;
52069 +}
52070 +
52071 +static struct acl_object_label *
52072 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52073 + const struct acl_subject_label *subj)
52074 +{
52075 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52076 + struct acl_object_label *match;
52077 +
52078 + match = subj->obj_hash[index];
52079 +
52080 + while (match && (match->inode != ino || match->device != dev ||
52081 + (match->mode & GR_DELETED))) {
52082 + match = match->next;
52083 + }
52084 +
52085 + if (match && !(match->mode & GR_DELETED))
52086 + return match;
52087 + else
52088 + return NULL;
52089 +}
52090 +
52091 +static struct acl_object_label *
52092 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52093 + const struct acl_subject_label *subj)
52094 +{
52095 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52096 + struct acl_object_label *match;
52097 +
52098 + match = subj->obj_hash[index];
52099 +
52100 + while (match && (match->inode != ino || match->device != dev ||
52101 + !(match->mode & GR_DELETED))) {
52102 + match = match->next;
52103 + }
52104 +
52105 + if (match && (match->mode & GR_DELETED))
52106 + return match;
52107 +
52108 + match = subj->obj_hash[index];
52109 +
52110 + while (match && (match->inode != ino || match->device != dev ||
52111 + (match->mode & GR_DELETED))) {
52112 + match = match->next;
52113 + }
52114 +
52115 + if (match && !(match->mode & GR_DELETED))
52116 + return match;
52117 + else
52118 + return NULL;
52119 +}
52120 +
52121 +static struct name_entry *
52122 +lookup_name_entry(const char *name)
52123 +{
52124 + unsigned int len = strlen(name);
52125 + unsigned int key = full_name_hash(name, len);
52126 + unsigned int index = key % name_set.n_size;
52127 + struct name_entry *match;
52128 +
52129 + match = name_set.n_hash[index];
52130 +
52131 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52132 + match = match->next;
52133 +
52134 + return match;
52135 +}
52136 +
52137 +static struct name_entry *
52138 +lookup_name_entry_create(const char *name)
52139 +{
52140 + unsigned int len = strlen(name);
52141 + unsigned int key = full_name_hash(name, len);
52142 + unsigned int index = key % name_set.n_size;
52143 + struct name_entry *match;
52144 +
52145 + match = name_set.n_hash[index];
52146 +
52147 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52148 + !match->deleted))
52149 + match = match->next;
52150 +
52151 + if (match && match->deleted)
52152 + return match;
52153 +
52154 + match = name_set.n_hash[index];
52155 +
52156 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52157 + match->deleted))
52158 + match = match->next;
52159 +
52160 + if (match && !match->deleted)
52161 + return match;
52162 + else
52163 + return NULL;
52164 +}
52165 +
52166 +static struct inodev_entry *
52167 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
52168 +{
52169 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
52170 + struct inodev_entry *match;
52171 +
52172 + match = inodev_set.i_hash[index];
52173 +
52174 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52175 + match = match->next;
52176 +
52177 + return match;
52178 +}
52179 +
52180 +static void
52181 +insert_inodev_entry(struct inodev_entry *entry)
52182 +{
52183 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52184 + inodev_set.i_size);
52185 + struct inodev_entry **curr;
52186 +
52187 + entry->prev = NULL;
52188 +
52189 + curr = &inodev_set.i_hash[index];
52190 + if (*curr != NULL)
52191 + (*curr)->prev = entry;
52192 +
52193 + entry->next = *curr;
52194 + *curr = entry;
52195 +
52196 + return;
52197 +}
52198 +
52199 +static void
52200 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52201 +{
52202 + unsigned int index =
52203 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52204 + struct acl_role_label **curr;
52205 + struct acl_role_label *tmp;
52206 +
52207 + curr = &acl_role_set.r_hash[index];
52208 +
52209 + /* if role was already inserted due to domains and already has
52210 + a role in the same bucket as it attached, then we need to
52211 + combine these two buckets
52212 + */
52213 + if (role->next) {
52214 + tmp = role->next;
52215 + while (tmp->next)
52216 + tmp = tmp->next;
52217 + tmp->next = *curr;
52218 + } else
52219 + role->next = *curr;
52220 + *curr = role;
52221 +
52222 + return;
52223 +}
52224 +
52225 +static void
52226 +insert_acl_role_label(struct acl_role_label *role)
52227 +{
52228 + int i;
52229 +
52230 + if (role_list == NULL) {
52231 + role_list = role;
52232 + role->prev = NULL;
52233 + } else {
52234 + role->prev = role_list;
52235 + role_list = role;
52236 + }
52237 +
52238 + /* used for hash chains */
52239 + role->next = NULL;
52240 +
52241 + if (role->roletype & GR_ROLE_DOMAIN) {
52242 + for (i = 0; i < role->domain_child_num; i++)
52243 + __insert_acl_role_label(role, role->domain_children[i]);
52244 + } else
52245 + __insert_acl_role_label(role, role->uidgid);
52246 +}
52247 +
52248 +static int
52249 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52250 +{
52251 + struct name_entry **curr, *nentry;
52252 + struct inodev_entry *ientry;
52253 + unsigned int len = strlen(name);
52254 + unsigned int key = full_name_hash(name, len);
52255 + unsigned int index = key % name_set.n_size;
52256 +
52257 + curr = &name_set.n_hash[index];
52258 +
52259 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52260 + curr = &((*curr)->next);
52261 +
52262 + if (*curr != NULL)
52263 + return 1;
52264 +
52265 + nentry = acl_alloc(sizeof (struct name_entry));
52266 + if (nentry == NULL)
52267 + return 0;
52268 + ientry = acl_alloc(sizeof (struct inodev_entry));
52269 + if (ientry == NULL)
52270 + return 0;
52271 + ientry->nentry = nentry;
52272 +
52273 + nentry->key = key;
52274 + nentry->name = name;
52275 + nentry->inode = inode;
52276 + nentry->device = device;
52277 + nentry->len = len;
52278 + nentry->deleted = deleted;
52279 +
52280 + nentry->prev = NULL;
52281 + curr = &name_set.n_hash[index];
52282 + if (*curr != NULL)
52283 + (*curr)->prev = nentry;
52284 + nentry->next = *curr;
52285 + *curr = nentry;
52286 +
52287 + /* insert us into the table searchable by inode/dev */
52288 + insert_inodev_entry(ientry);
52289 +
52290 + return 1;
52291 +}
52292 +
52293 +static void
52294 +insert_acl_obj_label(struct acl_object_label *obj,
52295 + struct acl_subject_label *subj)
52296 +{
52297 + unsigned int index =
52298 + fhash(obj->inode, obj->device, subj->obj_hash_size);
52299 + struct acl_object_label **curr;
52300 +
52301 +
52302 + obj->prev = NULL;
52303 +
52304 + curr = &subj->obj_hash[index];
52305 + if (*curr != NULL)
52306 + (*curr)->prev = obj;
52307 +
52308 + obj->next = *curr;
52309 + *curr = obj;
52310 +
52311 + return;
52312 +}
52313 +
52314 +static void
52315 +insert_acl_subj_label(struct acl_subject_label *obj,
52316 + struct acl_role_label *role)
52317 +{
52318 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52319 + struct acl_subject_label **curr;
52320 +
52321 + obj->prev = NULL;
52322 +
52323 + curr = &role->subj_hash[index];
52324 + if (*curr != NULL)
52325 + (*curr)->prev = obj;
52326 +
52327 + obj->next = *curr;
52328 + *curr = obj;
52329 +
52330 + return;
52331 +}
52332 +
52333 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52334 +
52335 +static void *
52336 +create_table(__u32 * len, int elementsize)
52337 +{
52338 + unsigned int table_sizes[] = {
52339 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52340 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52341 + 4194301, 8388593, 16777213, 33554393, 67108859
52342 + };
52343 + void *newtable = NULL;
52344 + unsigned int pwr = 0;
52345 +
52346 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52347 + table_sizes[pwr] <= *len)
52348 + pwr++;
52349 +
52350 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52351 + return newtable;
52352 +
52353 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52354 + newtable =
52355 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52356 + else
52357 + newtable = vmalloc(table_sizes[pwr] * elementsize);
52358 +
52359 + *len = table_sizes[pwr];
52360 +
52361 + return newtable;
52362 +}
52363 +
52364 +static int
52365 +init_variables(const struct gr_arg *arg)
52366 +{
52367 + struct task_struct *reaper = &init_task;
52368 + unsigned int stacksize;
52369 +
52370 + subj_map_set.s_size = arg->role_db.num_subjects;
52371 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
52372 + name_set.n_size = arg->role_db.num_objects;
52373 + inodev_set.i_size = arg->role_db.num_objects;
52374 +
52375 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
52376 + !name_set.n_size || !inodev_set.i_size)
52377 + return 1;
52378 +
52379 + if (!gr_init_uidset())
52380 + return 1;
52381 +
52382 + /* set up the stack that holds allocation info */
52383 +
52384 + stacksize = arg->role_db.num_pointers + 5;
52385 +
52386 + if (!acl_alloc_stack_init(stacksize))
52387 + return 1;
52388 +
52389 + /* grab reference for the real root dentry and vfsmount */
52390 + get_fs_root(reaper->fs, &real_root);
52391 +
52392 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52393 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
52394 +#endif
52395 +
52396 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
52397 + if (fakefs_obj_rw == NULL)
52398 + return 1;
52399 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
52400 +
52401 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
52402 + if (fakefs_obj_rwx == NULL)
52403 + return 1;
52404 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
52405 +
52406 + subj_map_set.s_hash =
52407 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
52408 + acl_role_set.r_hash =
52409 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
52410 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
52411 + inodev_set.i_hash =
52412 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
52413 +
52414 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
52415 + !name_set.n_hash || !inodev_set.i_hash)
52416 + return 1;
52417 +
52418 + memset(subj_map_set.s_hash, 0,
52419 + sizeof(struct subject_map *) * subj_map_set.s_size);
52420 + memset(acl_role_set.r_hash, 0,
52421 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
52422 + memset(name_set.n_hash, 0,
52423 + sizeof (struct name_entry *) * name_set.n_size);
52424 + memset(inodev_set.i_hash, 0,
52425 + sizeof (struct inodev_entry *) * inodev_set.i_size);
52426 +
52427 + return 0;
52428 +}
52429 +
52430 +/* free information not needed after startup
52431 + currently contains user->kernel pointer mappings for subjects
52432 +*/
52433 +
52434 +static void
52435 +free_init_variables(void)
52436 +{
52437 + __u32 i;
52438 +
52439 + if (subj_map_set.s_hash) {
52440 + for (i = 0; i < subj_map_set.s_size; i++) {
52441 + if (subj_map_set.s_hash[i]) {
52442 + kfree(subj_map_set.s_hash[i]);
52443 + subj_map_set.s_hash[i] = NULL;
52444 + }
52445 + }
52446 +
52447 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
52448 + PAGE_SIZE)
52449 + kfree(subj_map_set.s_hash);
52450 + else
52451 + vfree(subj_map_set.s_hash);
52452 + }
52453 +
52454 + return;
52455 +}
52456 +
52457 +static void
52458 +free_variables(void)
52459 +{
52460 + struct acl_subject_label *s;
52461 + struct acl_role_label *r;
52462 + struct task_struct *task, *task2;
52463 + unsigned int x;
52464 +
52465 + gr_clear_learn_entries();
52466 +
52467 + read_lock(&tasklist_lock);
52468 + do_each_thread(task2, task) {
52469 + task->acl_sp_role = 0;
52470 + task->acl_role_id = 0;
52471 + task->acl = NULL;
52472 + task->role = NULL;
52473 + } while_each_thread(task2, task);
52474 + read_unlock(&tasklist_lock);
52475 +
52476 + /* release the reference to the real root dentry and vfsmount */
52477 + path_put(&real_root);
52478 +
52479 + /* free all object hash tables */
52480 +
52481 + FOR_EACH_ROLE_START(r)
52482 + if (r->subj_hash == NULL)
52483 + goto next_role;
52484 + FOR_EACH_SUBJECT_START(r, s, x)
52485 + if (s->obj_hash == NULL)
52486 + break;
52487 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52488 + kfree(s->obj_hash);
52489 + else
52490 + vfree(s->obj_hash);
52491 + FOR_EACH_SUBJECT_END(s, x)
52492 + FOR_EACH_NESTED_SUBJECT_START(r, s)
52493 + if (s->obj_hash == NULL)
52494 + break;
52495 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52496 + kfree(s->obj_hash);
52497 + else
52498 + vfree(s->obj_hash);
52499 + FOR_EACH_NESTED_SUBJECT_END(s)
52500 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
52501 + kfree(r->subj_hash);
52502 + else
52503 + vfree(r->subj_hash);
52504 + r->subj_hash = NULL;
52505 +next_role:
52506 + FOR_EACH_ROLE_END(r)
52507 +
52508 + acl_free_all();
52509 +
52510 + if (acl_role_set.r_hash) {
52511 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
52512 + PAGE_SIZE)
52513 + kfree(acl_role_set.r_hash);
52514 + else
52515 + vfree(acl_role_set.r_hash);
52516 + }
52517 + if (name_set.n_hash) {
52518 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
52519 + PAGE_SIZE)
52520 + kfree(name_set.n_hash);
52521 + else
52522 + vfree(name_set.n_hash);
52523 + }
52524 +
52525 + if (inodev_set.i_hash) {
52526 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
52527 + PAGE_SIZE)
52528 + kfree(inodev_set.i_hash);
52529 + else
52530 + vfree(inodev_set.i_hash);
52531 + }
52532 +
52533 + gr_free_uidset();
52534 +
52535 + memset(&name_set, 0, sizeof (struct name_db));
52536 + memset(&inodev_set, 0, sizeof (struct inodev_db));
52537 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
52538 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
52539 +
52540 + default_role = NULL;
52541 + role_list = NULL;
52542 +
52543 + return;
52544 +}
52545 +
52546 +static __u32
52547 +count_user_objs(struct acl_object_label *userp)
52548 +{
52549 + struct acl_object_label o_tmp;
52550 + __u32 num = 0;
52551 +
52552 + while (userp) {
52553 + if (copy_from_user(&o_tmp, userp,
52554 + sizeof (struct acl_object_label)))
52555 + break;
52556 +
52557 + userp = o_tmp.prev;
52558 + num++;
52559 + }
52560 +
52561 + return num;
52562 +}
52563 +
52564 +static struct acl_subject_label *
52565 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
52566 +
52567 +static int
52568 +copy_user_glob(struct acl_object_label *obj)
52569 +{
52570 + struct acl_object_label *g_tmp, **guser;
52571 + unsigned int len;
52572 + char *tmp;
52573 +
52574 + if (obj->globbed == NULL)
52575 + return 0;
52576 +
52577 + guser = &obj->globbed;
52578 + while (*guser) {
52579 + g_tmp = (struct acl_object_label *)
52580 + acl_alloc(sizeof (struct acl_object_label));
52581 + if (g_tmp == NULL)
52582 + return -ENOMEM;
52583 +
52584 + if (copy_from_user(g_tmp, *guser,
52585 + sizeof (struct acl_object_label)))
52586 + return -EFAULT;
52587 +
52588 + len = strnlen_user(g_tmp->filename, PATH_MAX);
52589 +
52590 + if (!len || len >= PATH_MAX)
52591 + return -EINVAL;
52592 +
52593 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52594 + return -ENOMEM;
52595 +
52596 + if (copy_from_user(tmp, g_tmp->filename, len))
52597 + return -EFAULT;
52598 + tmp[len-1] = '\0';
52599 + g_tmp->filename = tmp;
52600 +
52601 + *guser = g_tmp;
52602 + guser = &(g_tmp->next);
52603 + }
52604 +
52605 + return 0;
52606 +}
52607 +
52608 +static int
52609 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
52610 + struct acl_role_label *role)
52611 +{
52612 + struct acl_object_label *o_tmp;
52613 + unsigned int len;
52614 + int ret;
52615 + char *tmp;
52616 +
52617 + while (userp) {
52618 + if ((o_tmp = (struct acl_object_label *)
52619 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
52620 + return -ENOMEM;
52621 +
52622 + if (copy_from_user(o_tmp, userp,
52623 + sizeof (struct acl_object_label)))
52624 + return -EFAULT;
52625 +
52626 + userp = o_tmp->prev;
52627 +
52628 + len = strnlen_user(o_tmp->filename, PATH_MAX);
52629 +
52630 + if (!len || len >= PATH_MAX)
52631 + return -EINVAL;
52632 +
52633 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52634 + return -ENOMEM;
52635 +
52636 + if (copy_from_user(tmp, o_tmp->filename, len))
52637 + return -EFAULT;
52638 + tmp[len-1] = '\0';
52639 + o_tmp->filename = tmp;
52640 +
52641 + insert_acl_obj_label(o_tmp, subj);
52642 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
52643 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
52644 + return -ENOMEM;
52645 +
52646 + ret = copy_user_glob(o_tmp);
52647 + if (ret)
52648 + return ret;
52649 +
52650 + if (o_tmp->nested) {
52651 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
52652 + if (IS_ERR(o_tmp->nested))
52653 + return PTR_ERR(o_tmp->nested);
52654 +
52655 + /* insert into nested subject list */
52656 + o_tmp->nested->next = role->hash->first;
52657 + role->hash->first = o_tmp->nested;
52658 + }
52659 + }
52660 +
52661 + return 0;
52662 +}
52663 +
52664 +static __u32
52665 +count_user_subjs(struct acl_subject_label *userp)
52666 +{
52667 + struct acl_subject_label s_tmp;
52668 + __u32 num = 0;
52669 +
52670 + while (userp) {
52671 + if (copy_from_user(&s_tmp, userp,
52672 + sizeof (struct acl_subject_label)))
52673 + break;
52674 +
52675 + userp = s_tmp.prev;
52676 + /* do not count nested subjects against this count, since
52677 + they are not included in the hash table, but are
52678 + attached to objects. We have already counted
52679 + the subjects in userspace for the allocation
52680 + stack
52681 + */
52682 + if (!(s_tmp.mode & GR_NESTED))
52683 + num++;
52684 + }
52685 +
52686 + return num;
52687 +}
52688 +
52689 +static int
52690 +copy_user_allowedips(struct acl_role_label *rolep)
52691 +{
52692 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
52693 +
52694 + ruserip = rolep->allowed_ips;
52695 +
52696 + while (ruserip) {
52697 + rlast = rtmp;
52698 +
52699 + if ((rtmp = (struct role_allowed_ip *)
52700 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
52701 + return -ENOMEM;
52702 +
52703 + if (copy_from_user(rtmp, ruserip,
52704 + sizeof (struct role_allowed_ip)))
52705 + return -EFAULT;
52706 +
52707 + ruserip = rtmp->prev;
52708 +
52709 + if (!rlast) {
52710 + rtmp->prev = NULL;
52711 + rolep->allowed_ips = rtmp;
52712 + } else {
52713 + rlast->next = rtmp;
52714 + rtmp->prev = rlast;
52715 + }
52716 +
52717 + if (!ruserip)
52718 + rtmp->next = NULL;
52719 + }
52720 +
52721 + return 0;
52722 +}
52723 +
52724 +static int
52725 +copy_user_transitions(struct acl_role_label *rolep)
52726 +{
52727 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
52728 +
52729 + unsigned int len;
52730 + char *tmp;
52731 +
52732 + rusertp = rolep->transitions;
52733 +
52734 + while (rusertp) {
52735 + rlast = rtmp;
52736 +
52737 + if ((rtmp = (struct role_transition *)
52738 + acl_alloc(sizeof (struct role_transition))) == NULL)
52739 + return -ENOMEM;
52740 +
52741 + if (copy_from_user(rtmp, rusertp,
52742 + sizeof (struct role_transition)))
52743 + return -EFAULT;
52744 +
52745 + rusertp = rtmp->prev;
52746 +
52747 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
52748 +
52749 + if (!len || len >= GR_SPROLE_LEN)
52750 + return -EINVAL;
52751 +
52752 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52753 + return -ENOMEM;
52754 +
52755 + if (copy_from_user(tmp, rtmp->rolename, len))
52756 + return -EFAULT;
52757 + tmp[len-1] = '\0';
52758 + rtmp->rolename = tmp;
52759 +
52760 + if (!rlast) {
52761 + rtmp->prev = NULL;
52762 + rolep->transitions = rtmp;
52763 + } else {
52764 + rlast->next = rtmp;
52765 + rtmp->prev = rlast;
52766 + }
52767 +
52768 + if (!rusertp)
52769 + rtmp->next = NULL;
52770 + }
52771 +
52772 + return 0;
52773 +}
52774 +
52775 +static struct acl_subject_label *
52776 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
52777 +{
52778 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
52779 + unsigned int len;
52780 + char *tmp;
52781 + __u32 num_objs;
52782 + struct acl_ip_label **i_tmp, *i_utmp2;
52783 + struct gr_hash_struct ghash;
52784 + struct subject_map *subjmap;
52785 + unsigned int i_num;
52786 + int err;
52787 +
52788 + s_tmp = lookup_subject_map(userp);
52789 +
52790 + /* we've already copied this subject into the kernel, just return
52791 + the reference to it, and don't copy it over again
52792 + */
52793 + if (s_tmp)
52794 + return(s_tmp);
52795 +
52796 + if ((s_tmp = (struct acl_subject_label *)
52797 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
52798 + return ERR_PTR(-ENOMEM);
52799 +
52800 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
52801 + if (subjmap == NULL)
52802 + return ERR_PTR(-ENOMEM);
52803 +
52804 + subjmap->user = userp;
52805 + subjmap->kernel = s_tmp;
52806 + insert_subj_map_entry(subjmap);
52807 +
52808 + if (copy_from_user(s_tmp, userp,
52809 + sizeof (struct acl_subject_label)))
52810 + return ERR_PTR(-EFAULT);
52811 +
52812 + len = strnlen_user(s_tmp->filename, PATH_MAX);
52813 +
52814 + if (!len || len >= PATH_MAX)
52815 + return ERR_PTR(-EINVAL);
52816 +
52817 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52818 + return ERR_PTR(-ENOMEM);
52819 +
52820 + if (copy_from_user(tmp, s_tmp->filename, len))
52821 + return ERR_PTR(-EFAULT);
52822 + tmp[len-1] = '\0';
52823 + s_tmp->filename = tmp;
52824 +
52825 + if (!strcmp(s_tmp->filename, "/"))
52826 + role->root_label = s_tmp;
52827 +
52828 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
52829 + return ERR_PTR(-EFAULT);
52830 +
52831 + /* copy user and group transition tables */
52832 +
52833 + if (s_tmp->user_trans_num) {
52834 + uid_t *uidlist;
52835 +
52836 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
52837 + if (uidlist == NULL)
52838 + return ERR_PTR(-ENOMEM);
52839 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
52840 + return ERR_PTR(-EFAULT);
52841 +
52842 + s_tmp->user_transitions = uidlist;
52843 + }
52844 +
52845 + if (s_tmp->group_trans_num) {
52846 + gid_t *gidlist;
52847 +
52848 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
52849 + if (gidlist == NULL)
52850 + return ERR_PTR(-ENOMEM);
52851 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
52852 + return ERR_PTR(-EFAULT);
52853 +
52854 + s_tmp->group_transitions = gidlist;
52855 + }
52856 +
52857 + /* set up object hash table */
52858 + num_objs = count_user_objs(ghash.first);
52859 +
52860 + s_tmp->obj_hash_size = num_objs;
52861 + s_tmp->obj_hash =
52862 + (struct acl_object_label **)
52863 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
52864 +
52865 + if (!s_tmp->obj_hash)
52866 + return ERR_PTR(-ENOMEM);
52867 +
52868 + memset(s_tmp->obj_hash, 0,
52869 + s_tmp->obj_hash_size *
52870 + sizeof (struct acl_object_label *));
52871 +
52872 + /* add in objects */
52873 + err = copy_user_objs(ghash.first, s_tmp, role);
52874 +
52875 + if (err)
52876 + return ERR_PTR(err);
52877 +
52878 + /* set pointer for parent subject */
52879 + if (s_tmp->parent_subject) {
52880 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
52881 +
52882 + if (IS_ERR(s_tmp2))
52883 + return s_tmp2;
52884 +
52885 + s_tmp->parent_subject = s_tmp2;
52886 + }
52887 +
52888 + /* add in ip acls */
52889 +
52890 + if (!s_tmp->ip_num) {
52891 + s_tmp->ips = NULL;
52892 + goto insert;
52893 + }
52894 +
52895 + i_tmp =
52896 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
52897 + sizeof (struct acl_ip_label *));
52898 +
52899 + if (!i_tmp)
52900 + return ERR_PTR(-ENOMEM);
52901 +
52902 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
52903 + *(i_tmp + i_num) =
52904 + (struct acl_ip_label *)
52905 + acl_alloc(sizeof (struct acl_ip_label));
52906 + if (!*(i_tmp + i_num))
52907 + return ERR_PTR(-ENOMEM);
52908 +
52909 + if (copy_from_user
52910 + (&i_utmp2, s_tmp->ips + i_num,
52911 + sizeof (struct acl_ip_label *)))
52912 + return ERR_PTR(-EFAULT);
52913 +
52914 + if (copy_from_user
52915 + (*(i_tmp + i_num), i_utmp2,
52916 + sizeof (struct acl_ip_label)))
52917 + return ERR_PTR(-EFAULT);
52918 +
52919 + if ((*(i_tmp + i_num))->iface == NULL)
52920 + continue;
52921 +
52922 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
52923 + if (!len || len >= IFNAMSIZ)
52924 + return ERR_PTR(-EINVAL);
52925 + tmp = acl_alloc(len);
52926 + if (tmp == NULL)
52927 + return ERR_PTR(-ENOMEM);
52928 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
52929 + return ERR_PTR(-EFAULT);
52930 + (*(i_tmp + i_num))->iface = tmp;
52931 + }
52932 +
52933 + s_tmp->ips = i_tmp;
52934 +
52935 +insert:
52936 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
52937 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
52938 + return ERR_PTR(-ENOMEM);
52939 +
52940 + return s_tmp;
52941 +}
52942 +
52943 +static int
52944 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
52945 +{
52946 + struct acl_subject_label s_pre;
52947 + struct acl_subject_label * ret;
52948 + int err;
52949 +
52950 + while (userp) {
52951 + if (copy_from_user(&s_pre, userp,
52952 + sizeof (struct acl_subject_label)))
52953 + return -EFAULT;
52954 +
52955 + /* do not add nested subjects here, add
52956 + while parsing objects
52957 + */
52958 +
52959 + if (s_pre.mode & GR_NESTED) {
52960 + userp = s_pre.prev;
52961 + continue;
52962 + }
52963 +
52964 + ret = do_copy_user_subj(userp, role);
52965 +
52966 + err = PTR_ERR(ret);
52967 + if (IS_ERR(ret))
52968 + return err;
52969 +
52970 + insert_acl_subj_label(ret, role);
52971 +
52972 + userp = s_pre.prev;
52973 + }
52974 +
52975 + return 0;
52976 +}
52977 +
52978 +static int
52979 +copy_user_acl(struct gr_arg *arg)
52980 +{
52981 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
52982 + struct sprole_pw *sptmp;
52983 + struct gr_hash_struct *ghash;
52984 + uid_t *domainlist;
52985 + unsigned int r_num;
52986 + unsigned int len;
52987 + char *tmp;
52988 + int err = 0;
52989 + __u16 i;
52990 + __u32 num_subjs;
52991 +
52992 + /* we need a default and kernel role */
52993 + if (arg->role_db.num_roles < 2)
52994 + return -EINVAL;
52995 +
52996 + /* copy special role authentication info from userspace */
52997 +
52998 + num_sprole_pws = arg->num_sprole_pws;
52999 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53000 +
53001 + if (!acl_special_roles) {
53002 + err = -ENOMEM;
53003 + goto cleanup;
53004 + }
53005 +
53006 + for (i = 0; i < num_sprole_pws; i++) {
53007 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53008 + if (!sptmp) {
53009 + err = -ENOMEM;
53010 + goto cleanup;
53011 + }
53012 + if (copy_from_user(sptmp, arg->sprole_pws + i,
53013 + sizeof (struct sprole_pw))) {
53014 + err = -EFAULT;
53015 + goto cleanup;
53016 + }
53017 +
53018 + len =
53019 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53020 +
53021 + if (!len || len >= GR_SPROLE_LEN) {
53022 + err = -EINVAL;
53023 + goto cleanup;
53024 + }
53025 +
53026 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53027 + err = -ENOMEM;
53028 + goto cleanup;
53029 + }
53030 +
53031 + if (copy_from_user(tmp, sptmp->rolename, len)) {
53032 + err = -EFAULT;
53033 + goto cleanup;
53034 + }
53035 + tmp[len-1] = '\0';
53036 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53037 + printk(KERN_ALERT "Copying special role %s\n", tmp);
53038 +#endif
53039 + sptmp->rolename = tmp;
53040 + acl_special_roles[i] = sptmp;
53041 + }
53042 +
53043 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53044 +
53045 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53046 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
53047 +
53048 + if (!r_tmp) {
53049 + err = -ENOMEM;
53050 + goto cleanup;
53051 + }
53052 +
53053 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
53054 + sizeof (struct acl_role_label *))) {
53055 + err = -EFAULT;
53056 + goto cleanup;
53057 + }
53058 +
53059 + if (copy_from_user(r_tmp, r_utmp2,
53060 + sizeof (struct acl_role_label))) {
53061 + err = -EFAULT;
53062 + goto cleanup;
53063 + }
53064 +
53065 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53066 +
53067 + if (!len || len >= PATH_MAX) {
53068 + err = -EINVAL;
53069 + goto cleanup;
53070 + }
53071 +
53072 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53073 + err = -ENOMEM;
53074 + goto cleanup;
53075 + }
53076 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
53077 + err = -EFAULT;
53078 + goto cleanup;
53079 + }
53080 + tmp[len-1] = '\0';
53081 + r_tmp->rolename = tmp;
53082 +
53083 + if (!strcmp(r_tmp->rolename, "default")
53084 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53085 + default_role = r_tmp;
53086 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53087 + kernel_role = r_tmp;
53088 + }
53089 +
53090 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53091 + err = -ENOMEM;
53092 + goto cleanup;
53093 + }
53094 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53095 + err = -EFAULT;
53096 + goto cleanup;
53097 + }
53098 +
53099 + r_tmp->hash = ghash;
53100 +
53101 + num_subjs = count_user_subjs(r_tmp->hash->first);
53102 +
53103 + r_tmp->subj_hash_size = num_subjs;
53104 + r_tmp->subj_hash =
53105 + (struct acl_subject_label **)
53106 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53107 +
53108 + if (!r_tmp->subj_hash) {
53109 + err = -ENOMEM;
53110 + goto cleanup;
53111 + }
53112 +
53113 + err = copy_user_allowedips(r_tmp);
53114 + if (err)
53115 + goto cleanup;
53116 +
53117 + /* copy domain info */
53118 + if (r_tmp->domain_children != NULL) {
53119 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53120 + if (domainlist == NULL) {
53121 + err = -ENOMEM;
53122 + goto cleanup;
53123 + }
53124 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53125 + err = -EFAULT;
53126 + goto cleanup;
53127 + }
53128 + r_tmp->domain_children = domainlist;
53129 + }
53130 +
53131 + err = copy_user_transitions(r_tmp);
53132 + if (err)
53133 + goto cleanup;
53134 +
53135 + memset(r_tmp->subj_hash, 0,
53136 + r_tmp->subj_hash_size *
53137 + sizeof (struct acl_subject_label *));
53138 +
53139 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53140 +
53141 + if (err)
53142 + goto cleanup;
53143 +
53144 + /* set nested subject list to null */
53145 + r_tmp->hash->first = NULL;
53146 +
53147 + insert_acl_role_label(r_tmp);
53148 + }
53149 +
53150 + goto return_err;
53151 + cleanup:
53152 + free_variables();
53153 + return_err:
53154 + return err;
53155 +
53156 +}
53157 +
53158 +static int
53159 +gracl_init(struct gr_arg *args)
53160 +{
53161 + int error = 0;
53162 +
53163 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53164 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53165 +
53166 + if (init_variables(args)) {
53167 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53168 + error = -ENOMEM;
53169 + free_variables();
53170 + goto out;
53171 + }
53172 +
53173 + error = copy_user_acl(args);
53174 + free_init_variables();
53175 + if (error) {
53176 + free_variables();
53177 + goto out;
53178 + }
53179 +
53180 + if ((error = gr_set_acls(0))) {
53181 + free_variables();
53182 + goto out;
53183 + }
53184 +
53185 + pax_open_kernel();
53186 + gr_status |= GR_READY;
53187 + pax_close_kernel();
53188 +
53189 + out:
53190 + return error;
53191 +}
53192 +
53193 +/* derived from glibc fnmatch() 0: match, 1: no match*/
53194 +
53195 +static int
53196 +glob_match(const char *p, const char *n)
53197 +{
53198 + char c;
53199 +
53200 + while ((c = *p++) != '\0') {
53201 + switch (c) {
53202 + case '?':
53203 + if (*n == '\0')
53204 + return 1;
53205 + else if (*n == '/')
53206 + return 1;
53207 + break;
53208 + case '\\':
53209 + if (*n != c)
53210 + return 1;
53211 + break;
53212 + case '*':
53213 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
53214 + if (*n == '/')
53215 + return 1;
53216 + else if (c == '?') {
53217 + if (*n == '\0')
53218 + return 1;
53219 + else
53220 + ++n;
53221 + }
53222 + }
53223 + if (c == '\0') {
53224 + return 0;
53225 + } else {
53226 + const char *endp;
53227 +
53228 + if ((endp = strchr(n, '/')) == NULL)
53229 + endp = n + strlen(n);
53230 +
53231 + if (c == '[') {
53232 + for (--p; n < endp; ++n)
53233 + if (!glob_match(p, n))
53234 + return 0;
53235 + } else if (c == '/') {
53236 + while (*n != '\0' && *n != '/')
53237 + ++n;
53238 + if (*n == '/' && !glob_match(p, n + 1))
53239 + return 0;
53240 + } else {
53241 + for (--p; n < endp; ++n)
53242 + if (*n == c && !glob_match(p, n))
53243 + return 0;
53244 + }
53245 +
53246 + return 1;
53247 + }
53248 + case '[':
53249 + {
53250 + int not;
53251 + char cold;
53252 +
53253 + if (*n == '\0' || *n == '/')
53254 + return 1;
53255 +
53256 + not = (*p == '!' || *p == '^');
53257 + if (not)
53258 + ++p;
53259 +
53260 + c = *p++;
53261 + for (;;) {
53262 + unsigned char fn = (unsigned char)*n;
53263 +
53264 + if (c == '\0')
53265 + return 1;
53266 + else {
53267 + if (c == fn)
53268 + goto matched;
53269 + cold = c;
53270 + c = *p++;
53271 +
53272 + if (c == '-' && *p != ']') {
53273 + unsigned char cend = *p++;
53274 +
53275 + if (cend == '\0')
53276 + return 1;
53277 +
53278 + if (cold <= fn && fn <= cend)
53279 + goto matched;
53280 +
53281 + c = *p++;
53282 + }
53283 + }
53284 +
53285 + if (c == ']')
53286 + break;
53287 + }
53288 + if (!not)
53289 + return 1;
53290 + break;
53291 + matched:
53292 + while (c != ']') {
53293 + if (c == '\0')
53294 + return 1;
53295 +
53296 + c = *p++;
53297 + }
53298 + if (not)
53299 + return 1;
53300 + }
53301 + break;
53302 + default:
53303 + if (c != *n)
53304 + return 1;
53305 + }
53306 +
53307 + ++n;
53308 + }
53309 +
53310 + if (*n == '\0')
53311 + return 0;
53312 +
53313 + if (*n == '/')
53314 + return 0;
53315 +
53316 + return 1;
53317 +}
53318 +
53319 +static struct acl_object_label *
53320 +chk_glob_label(struct acl_object_label *globbed,
53321 + struct dentry *dentry, struct vfsmount *mnt, char **path)
53322 +{
53323 + struct acl_object_label *tmp;
53324 +
53325 + if (*path == NULL)
53326 + *path = gr_to_filename_nolock(dentry, mnt);
53327 +
53328 + tmp = globbed;
53329 +
53330 + while (tmp) {
53331 + if (!glob_match(tmp->filename, *path))
53332 + return tmp;
53333 + tmp = tmp->next;
53334 + }
53335 +
53336 + return NULL;
53337 +}
53338 +
53339 +static struct acl_object_label *
53340 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53341 + const ino_t curr_ino, const dev_t curr_dev,
53342 + const struct acl_subject_label *subj, char **path, const int checkglob)
53343 +{
53344 + struct acl_subject_label *tmpsubj;
53345 + struct acl_object_label *retval;
53346 + struct acl_object_label *retval2;
53347 +
53348 + tmpsubj = (struct acl_subject_label *) subj;
53349 + read_lock(&gr_inode_lock);
53350 + do {
53351 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53352 + if (retval) {
53353 + if (checkglob && retval->globbed) {
53354 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
53355 + (struct vfsmount *)orig_mnt, path);
53356 + if (retval2)
53357 + retval = retval2;
53358 + }
53359 + break;
53360 + }
53361 + } while ((tmpsubj = tmpsubj->parent_subject));
53362 + read_unlock(&gr_inode_lock);
53363 +
53364 + return retval;
53365 +}
53366 +
53367 +static __inline__ struct acl_object_label *
53368 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53369 + struct dentry *curr_dentry,
53370 + const struct acl_subject_label *subj, char **path, const int checkglob)
53371 +{
53372 + int newglob = checkglob;
53373 + ino_t inode;
53374 + dev_t device;
53375 +
53376 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
53377 + as we don't want a / * rule to match instead of the / object
53378 + don't do this for create lookups that call this function though, since they're looking up
53379 + on the parent and thus need globbing checks on all paths
53380 + */
53381 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
53382 + newglob = GR_NO_GLOB;
53383 +
53384 + spin_lock(&curr_dentry->d_lock);
53385 + inode = curr_dentry->d_inode->i_ino;
53386 + device = __get_dev(curr_dentry);
53387 + spin_unlock(&curr_dentry->d_lock);
53388 +
53389 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
53390 +}
53391 +
53392 +static struct acl_object_label *
53393 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53394 + const struct acl_subject_label *subj, char *path, const int checkglob)
53395 +{
53396 + struct dentry *dentry = (struct dentry *) l_dentry;
53397 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53398 + struct acl_object_label *retval;
53399 + struct dentry *parent;
53400 +
53401 + write_seqlock(&rename_lock);
53402 + br_read_lock(vfsmount_lock);
53403 +
53404 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
53405 +#ifdef CONFIG_NET
53406 + mnt == sock_mnt ||
53407 +#endif
53408 +#ifdef CONFIG_HUGETLBFS
53409 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
53410 +#endif
53411 + /* ignore Eric Biederman */
53412 + IS_PRIVATE(l_dentry->d_inode))) {
53413 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
53414 + goto out;
53415 + }
53416 +
53417 + for (;;) {
53418 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53419 + break;
53420 +
53421 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53422 + if (mnt->mnt_parent == mnt)
53423 + break;
53424 +
53425 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53426 + if (retval != NULL)
53427 + goto out;
53428 +
53429 + dentry = mnt->mnt_mountpoint;
53430 + mnt = mnt->mnt_parent;
53431 + continue;
53432 + }
53433 +
53434 + parent = dentry->d_parent;
53435 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53436 + if (retval != NULL)
53437 + goto out;
53438 +
53439 + dentry = parent;
53440 + }
53441 +
53442 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53443 +
53444 + /* real_root is pinned so we don't have to hold a reference */
53445 + if (retval == NULL)
53446 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
53447 +out:
53448 + br_read_unlock(vfsmount_lock);
53449 + write_sequnlock(&rename_lock);
53450 +
53451 + BUG_ON(retval == NULL);
53452 +
53453 + return retval;
53454 +}
53455 +
53456 +static __inline__ struct acl_object_label *
53457 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53458 + const struct acl_subject_label *subj)
53459 +{
53460 + char *path = NULL;
53461 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
53462 +}
53463 +
53464 +static __inline__ struct acl_object_label *
53465 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53466 + const struct acl_subject_label *subj)
53467 +{
53468 + char *path = NULL;
53469 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
53470 +}
53471 +
53472 +static __inline__ struct acl_object_label *
53473 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53474 + const struct acl_subject_label *subj, char *path)
53475 +{
53476 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
53477 +}
53478 +
53479 +static struct acl_subject_label *
53480 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53481 + const struct acl_role_label *role)
53482 +{
53483 + struct dentry *dentry = (struct dentry *) l_dentry;
53484 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53485 + struct acl_subject_label *retval;
53486 + struct dentry *parent;
53487 +
53488 + write_seqlock(&rename_lock);
53489 + br_read_lock(vfsmount_lock);
53490 +
53491 + for (;;) {
53492 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53493 + break;
53494 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53495 + if (mnt->mnt_parent == mnt)
53496 + break;
53497 +
53498 + spin_lock(&dentry->d_lock);
53499 + read_lock(&gr_inode_lock);
53500 + retval =
53501 + lookup_acl_subj_label(dentry->d_inode->i_ino,
53502 + __get_dev(dentry), role);
53503 + read_unlock(&gr_inode_lock);
53504 + spin_unlock(&dentry->d_lock);
53505 + if (retval != NULL)
53506 + goto out;
53507 +
53508 + dentry = mnt->mnt_mountpoint;
53509 + mnt = mnt->mnt_parent;
53510 + continue;
53511 + }
53512 +
53513 + spin_lock(&dentry->d_lock);
53514 + read_lock(&gr_inode_lock);
53515 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53516 + __get_dev(dentry), role);
53517 + read_unlock(&gr_inode_lock);
53518 + parent = dentry->d_parent;
53519 + spin_unlock(&dentry->d_lock);
53520 +
53521 + if (retval != NULL)
53522 + goto out;
53523 +
53524 + dentry = parent;
53525 + }
53526 +
53527 + spin_lock(&dentry->d_lock);
53528 + read_lock(&gr_inode_lock);
53529 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53530 + __get_dev(dentry), role);
53531 + read_unlock(&gr_inode_lock);
53532 + spin_unlock(&dentry->d_lock);
53533 +
53534 + if (unlikely(retval == NULL)) {
53535 + /* real_root is pinned, we don't need to hold a reference */
53536 + read_lock(&gr_inode_lock);
53537 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
53538 + __get_dev(real_root.dentry), role);
53539 + read_unlock(&gr_inode_lock);
53540 + }
53541 +out:
53542 + br_read_unlock(vfsmount_lock);
53543 + write_sequnlock(&rename_lock);
53544 +
53545 + BUG_ON(retval == NULL);
53546 +
53547 + return retval;
53548 +}
53549 +
53550 +static void
53551 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
53552 +{
53553 + struct task_struct *task = current;
53554 + const struct cred *cred = current_cred();
53555 +
53556 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53557 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53558 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53559 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
53560 +
53561 + return;
53562 +}
53563 +
53564 +static void
53565 +gr_log_learn_sysctl(const char *path, const __u32 mode)
53566 +{
53567 + struct task_struct *task = current;
53568 + const struct cred *cred = current_cred();
53569 +
53570 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53571 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53572 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53573 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
53574 +
53575 + return;
53576 +}
53577 +
53578 +static void
53579 +gr_log_learn_id_change(const char type, const unsigned int real,
53580 + const unsigned int effective, const unsigned int fs)
53581 +{
53582 + struct task_struct *task = current;
53583 + const struct cred *cred = current_cred();
53584 +
53585 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
53586 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53587 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53588 + type, real, effective, fs, &task->signal->saved_ip);
53589 +
53590 + return;
53591 +}
53592 +
53593 +__u32
53594 +gr_check_link(const struct dentry * new_dentry,
53595 + const struct dentry * parent_dentry,
53596 + const struct vfsmount * parent_mnt,
53597 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
53598 +{
53599 + struct acl_object_label *obj;
53600 + __u32 oldmode, newmode;
53601 + __u32 needmode;
53602 +
53603 + if (unlikely(!(gr_status & GR_READY)))
53604 + return (GR_CREATE | GR_LINK);
53605 +
53606 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
53607 + oldmode = obj->mode;
53608 +
53609 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53610 + oldmode |= (GR_CREATE | GR_LINK);
53611 +
53612 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
53613 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53614 + needmode |= GR_SETID | GR_AUDIT_SETID;
53615 +
53616 + newmode =
53617 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53618 + oldmode | needmode);
53619 +
53620 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
53621 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
53622 + GR_INHERIT | GR_AUDIT_INHERIT);
53623 +
53624 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
53625 + goto bad;
53626 +
53627 + if ((oldmode & needmode) != needmode)
53628 + goto bad;
53629 +
53630 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
53631 + if ((newmode & needmode) != needmode)
53632 + goto bad;
53633 +
53634 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
53635 + return newmode;
53636 +bad:
53637 + needmode = oldmode;
53638 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53639 + needmode |= GR_SETID;
53640 +
53641 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53642 + gr_log_learn(old_dentry, old_mnt, needmode);
53643 + return (GR_CREATE | GR_LINK);
53644 + } else if (newmode & GR_SUPPRESS)
53645 + return GR_SUPPRESS;
53646 + else
53647 + return 0;
53648 +}
53649 +
53650 +__u32
53651 +gr_search_file(const struct dentry * dentry, const __u32 mode,
53652 + const struct vfsmount * mnt)
53653 +{
53654 + __u32 retval = mode;
53655 + struct acl_subject_label *curracl;
53656 + struct acl_object_label *currobj;
53657 +
53658 + if (unlikely(!(gr_status & GR_READY)))
53659 + return (mode & ~GR_AUDITS);
53660 +
53661 + curracl = current->acl;
53662 +
53663 + currobj = chk_obj_label(dentry, mnt, curracl);
53664 + retval = currobj->mode & mode;
53665 +
53666 + /* if we're opening a specified transfer file for writing
53667 + (e.g. /dev/initctl), then transfer our role to init
53668 + */
53669 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
53670 + current->role->roletype & GR_ROLE_PERSIST)) {
53671 + struct task_struct *task = init_pid_ns.child_reaper;
53672 +
53673 + if (task->role != current->role) {
53674 + task->acl_sp_role = 0;
53675 + task->acl_role_id = current->acl_role_id;
53676 + task->role = current->role;
53677 + rcu_read_lock();
53678 + read_lock(&grsec_exec_file_lock);
53679 + gr_apply_subject_to_task(task);
53680 + read_unlock(&grsec_exec_file_lock);
53681 + rcu_read_unlock();
53682 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
53683 + }
53684 + }
53685 +
53686 + if (unlikely
53687 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
53688 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
53689 + __u32 new_mode = mode;
53690 +
53691 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53692 +
53693 + retval = new_mode;
53694 +
53695 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
53696 + new_mode |= GR_INHERIT;
53697 +
53698 + if (!(mode & GR_NOLEARN))
53699 + gr_log_learn(dentry, mnt, new_mode);
53700 + }
53701 +
53702 + return retval;
53703 +}
53704 +
53705 +__u32
53706 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
53707 + const struct vfsmount * mnt, const __u32 mode)
53708 +{
53709 + struct name_entry *match;
53710 + struct acl_object_label *matchpo;
53711 + struct acl_subject_label *curracl;
53712 + char *path;
53713 + __u32 retval;
53714 +
53715 + if (unlikely(!(gr_status & GR_READY)))
53716 + return (mode & ~GR_AUDITS);
53717 +
53718 + preempt_disable();
53719 + path = gr_to_filename_rbac(new_dentry, mnt);
53720 + match = lookup_name_entry_create(path);
53721 +
53722 + if (!match)
53723 + goto check_parent;
53724 +
53725 + curracl = current->acl;
53726 +
53727 + read_lock(&gr_inode_lock);
53728 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
53729 + read_unlock(&gr_inode_lock);
53730 +
53731 + if (matchpo) {
53732 + if ((matchpo->mode & mode) !=
53733 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
53734 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53735 + __u32 new_mode = mode;
53736 +
53737 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53738 +
53739 + gr_log_learn(new_dentry, mnt, new_mode);
53740 +
53741 + preempt_enable();
53742 + return new_mode;
53743 + }
53744 + preempt_enable();
53745 + return (matchpo->mode & mode);
53746 + }
53747 +
53748 + check_parent:
53749 + curracl = current->acl;
53750 +
53751 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
53752 + retval = matchpo->mode & mode;
53753 +
53754 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
53755 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
53756 + __u32 new_mode = mode;
53757 +
53758 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53759 +
53760 + gr_log_learn(new_dentry, mnt, new_mode);
53761 + preempt_enable();
53762 + return new_mode;
53763 + }
53764 +
53765 + preempt_enable();
53766 + return retval;
53767 +}
53768 +
53769 +int
53770 +gr_check_hidden_task(const struct task_struct *task)
53771 +{
53772 + if (unlikely(!(gr_status & GR_READY)))
53773 + return 0;
53774 +
53775 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
53776 + return 1;
53777 +
53778 + return 0;
53779 +}
53780 +
53781 +int
53782 +gr_check_protected_task(const struct task_struct *task)
53783 +{
53784 + if (unlikely(!(gr_status & GR_READY) || !task))
53785 + return 0;
53786 +
53787 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53788 + task->acl != current->acl)
53789 + return 1;
53790 +
53791 + return 0;
53792 +}
53793 +
53794 +int
53795 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53796 +{
53797 + struct task_struct *p;
53798 + int ret = 0;
53799 +
53800 + if (unlikely(!(gr_status & GR_READY) || !pid))
53801 + return ret;
53802 +
53803 + read_lock(&tasklist_lock);
53804 + do_each_pid_task(pid, type, p) {
53805 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53806 + p->acl != current->acl) {
53807 + ret = 1;
53808 + goto out;
53809 + }
53810 + } while_each_pid_task(pid, type, p);
53811 +out:
53812 + read_unlock(&tasklist_lock);
53813 +
53814 + return ret;
53815 +}
53816 +
53817 +void
53818 +gr_copy_label(struct task_struct *tsk)
53819 +{
53820 + tsk->signal->used_accept = 0;
53821 + tsk->acl_sp_role = 0;
53822 + tsk->acl_role_id = current->acl_role_id;
53823 + tsk->acl = current->acl;
53824 + tsk->role = current->role;
53825 + tsk->signal->curr_ip = current->signal->curr_ip;
53826 + tsk->signal->saved_ip = current->signal->saved_ip;
53827 + if (current->exec_file)
53828 + get_file(current->exec_file);
53829 + tsk->exec_file = current->exec_file;
53830 + tsk->is_writable = current->is_writable;
53831 + if (unlikely(current->signal->used_accept)) {
53832 + current->signal->curr_ip = 0;
53833 + current->signal->saved_ip = 0;
53834 + }
53835 +
53836 + return;
53837 +}
53838 +
53839 +static void
53840 +gr_set_proc_res(struct task_struct *task)
53841 +{
53842 + struct acl_subject_label *proc;
53843 + unsigned short i;
53844 +
53845 + proc = task->acl;
53846 +
53847 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
53848 + return;
53849 +
53850 + for (i = 0; i < RLIM_NLIMITS; i++) {
53851 + if (!(proc->resmask & (1 << i)))
53852 + continue;
53853 +
53854 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
53855 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
53856 + }
53857 +
53858 + return;
53859 +}
53860 +
53861 +extern int __gr_process_user_ban(struct user_struct *user);
53862 +
53863 +int
53864 +gr_check_user_change(int real, int effective, int fs)
53865 +{
53866 + unsigned int i;
53867 + __u16 num;
53868 + uid_t *uidlist;
53869 + int curuid;
53870 + int realok = 0;
53871 + int effectiveok = 0;
53872 + int fsok = 0;
53873 +
53874 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
53875 + struct user_struct *user;
53876 +
53877 + if (real == -1)
53878 + goto skipit;
53879 +
53880 + user = find_user(real);
53881 + if (user == NULL)
53882 + goto skipit;
53883 +
53884 + if (__gr_process_user_ban(user)) {
53885 + /* for find_user */
53886 + free_uid(user);
53887 + return 1;
53888 + }
53889 +
53890 + /* for find_user */
53891 + free_uid(user);
53892 +
53893 +skipit:
53894 +#endif
53895 +
53896 + if (unlikely(!(gr_status & GR_READY)))
53897 + return 0;
53898 +
53899 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53900 + gr_log_learn_id_change('u', real, effective, fs);
53901 +
53902 + num = current->acl->user_trans_num;
53903 + uidlist = current->acl->user_transitions;
53904 +
53905 + if (uidlist == NULL)
53906 + return 0;
53907 +
53908 + if (real == -1)
53909 + realok = 1;
53910 + if (effective == -1)
53911 + effectiveok = 1;
53912 + if (fs == -1)
53913 + fsok = 1;
53914 +
53915 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
53916 + for (i = 0; i < num; i++) {
53917 + curuid = (int)uidlist[i];
53918 + if (real == curuid)
53919 + realok = 1;
53920 + if (effective == curuid)
53921 + effectiveok = 1;
53922 + if (fs == curuid)
53923 + fsok = 1;
53924 + }
53925 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
53926 + for (i = 0; i < num; i++) {
53927 + curuid = (int)uidlist[i];
53928 + if (real == curuid)
53929 + break;
53930 + if (effective == curuid)
53931 + break;
53932 + if (fs == curuid)
53933 + break;
53934 + }
53935 + /* not in deny list */
53936 + if (i == num) {
53937 + realok = 1;
53938 + effectiveok = 1;
53939 + fsok = 1;
53940 + }
53941 + }
53942 +
53943 + if (realok && effectiveok && fsok)
53944 + return 0;
53945 + else {
53946 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
53947 + return 1;
53948 + }
53949 +}
53950 +
53951 +int
53952 +gr_check_group_change(int real, int effective, int fs)
53953 +{
53954 + unsigned int i;
53955 + __u16 num;
53956 + gid_t *gidlist;
53957 + int curgid;
53958 + int realok = 0;
53959 + int effectiveok = 0;
53960 + int fsok = 0;
53961 +
53962 + if (unlikely(!(gr_status & GR_READY)))
53963 + return 0;
53964 +
53965 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53966 + gr_log_learn_id_change('g', real, effective, fs);
53967 +
53968 + num = current->acl->group_trans_num;
53969 + gidlist = current->acl->group_transitions;
53970 +
53971 + if (gidlist == NULL)
53972 + return 0;
53973 +
53974 + if (real == -1)
53975 + realok = 1;
53976 + if (effective == -1)
53977 + effectiveok = 1;
53978 + if (fs == -1)
53979 + fsok = 1;
53980 +
53981 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
53982 + for (i = 0; i < num; i++) {
53983 + curgid = (int)gidlist[i];
53984 + if (real == curgid)
53985 + realok = 1;
53986 + if (effective == curgid)
53987 + effectiveok = 1;
53988 + if (fs == curgid)
53989 + fsok = 1;
53990 + }
53991 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
53992 + for (i = 0; i < num; i++) {
53993 + curgid = (int)gidlist[i];
53994 + if (real == curgid)
53995 + break;
53996 + if (effective == curgid)
53997 + break;
53998 + if (fs == curgid)
53999 + break;
54000 + }
54001 + /* not in deny list */
54002 + if (i == num) {
54003 + realok = 1;
54004 + effectiveok = 1;
54005 + fsok = 1;
54006 + }
54007 + }
54008 +
54009 + if (realok && effectiveok && fsok)
54010 + return 0;
54011 + else {
54012 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54013 + return 1;
54014 + }
54015 +}
54016 +
54017 +void
54018 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54019 +{
54020 + struct acl_role_label *role = task->role;
54021 + struct acl_subject_label *subj = NULL;
54022 + struct acl_object_label *obj;
54023 + struct file *filp;
54024 +
54025 + if (unlikely(!(gr_status & GR_READY)))
54026 + return;
54027 +
54028 + filp = task->exec_file;
54029 +
54030 + /* kernel process, we'll give them the kernel role */
54031 + if (unlikely(!filp)) {
54032 + task->role = kernel_role;
54033 + task->acl = kernel_role->root_label;
54034 + return;
54035 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54036 + role = lookup_acl_role_label(task, uid, gid);
54037 +
54038 + /* perform subject lookup in possibly new role
54039 + we can use this result below in the case where role == task->role
54040 + */
54041 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54042 +
54043 + /* if we changed uid/gid, but result in the same role
54044 + and are using inheritance, don't lose the inherited subject
54045 + if current subject is other than what normal lookup
54046 + would result in, we arrived via inheritance, don't
54047 + lose subject
54048 + */
54049 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54050 + (subj == task->acl)))
54051 + task->acl = subj;
54052 +
54053 + task->role = role;
54054 +
54055 + task->is_writable = 0;
54056 +
54057 + /* ignore additional mmap checks for processes that are writable
54058 + by the default ACL */
54059 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54060 + if (unlikely(obj->mode & GR_WRITE))
54061 + task->is_writable = 1;
54062 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54063 + if (unlikely(obj->mode & GR_WRITE))
54064 + task->is_writable = 1;
54065 +
54066 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54067 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54068 +#endif
54069 +
54070 + gr_set_proc_res(task);
54071 +
54072 + return;
54073 +}
54074 +
54075 +int
54076 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54077 + const int unsafe_share)
54078 +{
54079 + struct task_struct *task = current;
54080 + struct acl_subject_label *newacl;
54081 + struct acl_object_label *obj;
54082 + __u32 retmode;
54083 +
54084 + if (unlikely(!(gr_status & GR_READY)))
54085 + return 0;
54086 +
54087 + newacl = chk_subj_label(dentry, mnt, task->role);
54088 +
54089 + task_lock(task);
54090 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54091 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54092 + !(task->role->roletype & GR_ROLE_GOD) &&
54093 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54094 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54095 + task_unlock(task);
54096 + if (unsafe_share)
54097 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54098 + else
54099 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54100 + return -EACCES;
54101 + }
54102 + task_unlock(task);
54103 +
54104 + obj = chk_obj_label(dentry, mnt, task->acl);
54105 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54106 +
54107 + if (!(task->acl->mode & GR_INHERITLEARN) &&
54108 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54109 + if (obj->nested)
54110 + task->acl = obj->nested;
54111 + else
54112 + task->acl = newacl;
54113 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54114 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54115 +
54116 + task->is_writable = 0;
54117 +
54118 + /* ignore additional mmap checks for processes that are writable
54119 + by the default ACL */
54120 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
54121 + if (unlikely(obj->mode & GR_WRITE))
54122 + task->is_writable = 1;
54123 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
54124 + if (unlikely(obj->mode & GR_WRITE))
54125 + task->is_writable = 1;
54126 +
54127 + gr_set_proc_res(task);
54128 +
54129 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54130 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54131 +#endif
54132 + return 0;
54133 +}
54134 +
54135 +/* always called with valid inodev ptr */
54136 +static void
54137 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54138 +{
54139 + struct acl_object_label *matchpo;
54140 + struct acl_subject_label *matchps;
54141 + struct acl_subject_label *subj;
54142 + struct acl_role_label *role;
54143 + unsigned int x;
54144 +
54145 + FOR_EACH_ROLE_START(role)
54146 + FOR_EACH_SUBJECT_START(role, subj, x)
54147 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54148 + matchpo->mode |= GR_DELETED;
54149 + FOR_EACH_SUBJECT_END(subj,x)
54150 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54151 + if (subj->inode == ino && subj->device == dev)
54152 + subj->mode |= GR_DELETED;
54153 + FOR_EACH_NESTED_SUBJECT_END(subj)
54154 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54155 + matchps->mode |= GR_DELETED;
54156 + FOR_EACH_ROLE_END(role)
54157 +
54158 + inodev->nentry->deleted = 1;
54159 +
54160 + return;
54161 +}
54162 +
54163 +void
54164 +gr_handle_delete(const ino_t ino, const dev_t dev)
54165 +{
54166 + struct inodev_entry *inodev;
54167 +
54168 + if (unlikely(!(gr_status & GR_READY)))
54169 + return;
54170 +
54171 + write_lock(&gr_inode_lock);
54172 + inodev = lookup_inodev_entry(ino, dev);
54173 + if (inodev != NULL)
54174 + do_handle_delete(inodev, ino, dev);
54175 + write_unlock(&gr_inode_lock);
54176 +
54177 + return;
54178 +}
54179 +
54180 +static void
54181 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54182 + const ino_t newinode, const dev_t newdevice,
54183 + struct acl_subject_label *subj)
54184 +{
54185 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54186 + struct acl_object_label *match;
54187 +
54188 + match = subj->obj_hash[index];
54189 +
54190 + while (match && (match->inode != oldinode ||
54191 + match->device != olddevice ||
54192 + !(match->mode & GR_DELETED)))
54193 + match = match->next;
54194 +
54195 + if (match && (match->inode == oldinode)
54196 + && (match->device == olddevice)
54197 + && (match->mode & GR_DELETED)) {
54198 + if (match->prev == NULL) {
54199 + subj->obj_hash[index] = match->next;
54200 + if (match->next != NULL)
54201 + match->next->prev = NULL;
54202 + } else {
54203 + match->prev->next = match->next;
54204 + if (match->next != NULL)
54205 + match->next->prev = match->prev;
54206 + }
54207 + match->prev = NULL;
54208 + match->next = NULL;
54209 + match->inode = newinode;
54210 + match->device = newdevice;
54211 + match->mode &= ~GR_DELETED;
54212 +
54213 + insert_acl_obj_label(match, subj);
54214 + }
54215 +
54216 + return;
54217 +}
54218 +
54219 +static void
54220 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54221 + const ino_t newinode, const dev_t newdevice,
54222 + struct acl_role_label *role)
54223 +{
54224 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54225 + struct acl_subject_label *match;
54226 +
54227 + match = role->subj_hash[index];
54228 +
54229 + while (match && (match->inode != oldinode ||
54230 + match->device != olddevice ||
54231 + !(match->mode & GR_DELETED)))
54232 + match = match->next;
54233 +
54234 + if (match && (match->inode == oldinode)
54235 + && (match->device == olddevice)
54236 + && (match->mode & GR_DELETED)) {
54237 + if (match->prev == NULL) {
54238 + role->subj_hash[index] = match->next;
54239 + if (match->next != NULL)
54240 + match->next->prev = NULL;
54241 + } else {
54242 + match->prev->next = match->next;
54243 + if (match->next != NULL)
54244 + match->next->prev = match->prev;
54245 + }
54246 + match->prev = NULL;
54247 + match->next = NULL;
54248 + match->inode = newinode;
54249 + match->device = newdevice;
54250 + match->mode &= ~GR_DELETED;
54251 +
54252 + insert_acl_subj_label(match, role);
54253 + }
54254 +
54255 + return;
54256 +}
54257 +
54258 +static void
54259 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54260 + const ino_t newinode, const dev_t newdevice)
54261 +{
54262 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54263 + struct inodev_entry *match;
54264 +
54265 + match = inodev_set.i_hash[index];
54266 +
54267 + while (match && (match->nentry->inode != oldinode ||
54268 + match->nentry->device != olddevice || !match->nentry->deleted))
54269 + match = match->next;
54270 +
54271 + if (match && (match->nentry->inode == oldinode)
54272 + && (match->nentry->device == olddevice) &&
54273 + match->nentry->deleted) {
54274 + if (match->prev == NULL) {
54275 + inodev_set.i_hash[index] = match->next;
54276 + if (match->next != NULL)
54277 + match->next->prev = NULL;
54278 + } else {
54279 + match->prev->next = match->next;
54280 + if (match->next != NULL)
54281 + match->next->prev = match->prev;
54282 + }
54283 + match->prev = NULL;
54284 + match->next = NULL;
54285 + match->nentry->inode = newinode;
54286 + match->nentry->device = newdevice;
54287 + match->nentry->deleted = 0;
54288 +
54289 + insert_inodev_entry(match);
54290 + }
54291 +
54292 + return;
54293 +}
54294 +
54295 +static void
54296 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54297 + const struct vfsmount *mnt)
54298 +{
54299 + struct acl_subject_label *subj;
54300 + struct acl_role_label *role;
54301 + unsigned int x;
54302 + ino_t ino = dentry->d_inode->i_ino;
54303 + dev_t dev = __get_dev(dentry);
54304 +
54305 + FOR_EACH_ROLE_START(role)
54306 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
54307 +
54308 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54309 + if ((subj->inode == ino) && (subj->device == dev)) {
54310 + subj->inode = ino;
54311 + subj->device = dev;
54312 + }
54313 + FOR_EACH_NESTED_SUBJECT_END(subj)
54314 + FOR_EACH_SUBJECT_START(role, subj, x)
54315 + update_acl_obj_label(matchn->inode, matchn->device,
54316 + ino, dev, subj);
54317 + FOR_EACH_SUBJECT_END(subj,x)
54318 + FOR_EACH_ROLE_END(role)
54319 +
54320 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
54321 +
54322 + return;
54323 +}
54324 +
54325 +void
54326 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54327 +{
54328 + struct name_entry *matchn;
54329 +
54330 + if (unlikely(!(gr_status & GR_READY)))
54331 + return;
54332 +
54333 + preempt_disable();
54334 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54335 +
54336 + if (unlikely((unsigned long)matchn)) {
54337 + write_lock(&gr_inode_lock);
54338 + do_handle_create(matchn, dentry, mnt);
54339 + write_unlock(&gr_inode_lock);
54340 + }
54341 + preempt_enable();
54342 +
54343 + return;
54344 +}
54345 +
54346 +void
54347 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54348 + struct dentry *old_dentry,
54349 + struct dentry *new_dentry,
54350 + struct vfsmount *mnt, const __u8 replace)
54351 +{
54352 + struct name_entry *matchn;
54353 + struct inodev_entry *inodev;
54354 + ino_t old_ino = old_dentry->d_inode->i_ino;
54355 + dev_t old_dev = __get_dev(old_dentry);
54356 +
54357 + /* vfs_rename swaps the name and parent link for old_dentry and
54358 + new_dentry
54359 + at this point, old_dentry has the new name, parent link, and inode
54360 + for the renamed file
54361 + if a file is being replaced by a rename, new_dentry has the inode
54362 + and name for the replaced file
54363 + */
54364 +
54365 + if (unlikely(!(gr_status & GR_READY)))
54366 + return;
54367 +
54368 + preempt_disable();
54369 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
54370 +
54371 + /* we wouldn't have to check d_inode if it weren't for
54372 + NFS silly-renaming
54373 + */
54374 +
54375 + write_lock(&gr_inode_lock);
54376 + if (unlikely(replace && new_dentry->d_inode)) {
54377 + ino_t new_ino = new_dentry->d_inode->i_ino;
54378 + dev_t new_dev = __get_dev(new_dentry);
54379 +
54380 + inodev = lookup_inodev_entry(new_ino, new_dev);
54381 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
54382 + do_handle_delete(inodev, new_ino, new_dev);
54383 + }
54384 +
54385 + inodev = lookup_inodev_entry(old_ino, old_dev);
54386 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
54387 + do_handle_delete(inodev, old_ino, old_dev);
54388 +
54389 + if (unlikely((unsigned long)matchn))
54390 + do_handle_create(matchn, old_dentry, mnt);
54391 +
54392 + write_unlock(&gr_inode_lock);
54393 + preempt_enable();
54394 +
54395 + return;
54396 +}
54397 +
54398 +static int
54399 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
54400 + unsigned char **sum)
54401 +{
54402 + struct acl_role_label *r;
54403 + struct role_allowed_ip *ipp;
54404 + struct role_transition *trans;
54405 + unsigned int i;
54406 + int found = 0;
54407 + u32 curr_ip = current->signal->curr_ip;
54408 +
54409 + current->signal->saved_ip = curr_ip;
54410 +
54411 + /* check transition table */
54412 +
54413 + for (trans = current->role->transitions; trans; trans = trans->next) {
54414 + if (!strcmp(rolename, trans->rolename)) {
54415 + found = 1;
54416 + break;
54417 + }
54418 + }
54419 +
54420 + if (!found)
54421 + return 0;
54422 +
54423 + /* handle special roles that do not require authentication
54424 + and check ip */
54425 +
54426 + FOR_EACH_ROLE_START(r)
54427 + if (!strcmp(rolename, r->rolename) &&
54428 + (r->roletype & GR_ROLE_SPECIAL)) {
54429 + found = 0;
54430 + if (r->allowed_ips != NULL) {
54431 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
54432 + if ((ntohl(curr_ip) & ipp->netmask) ==
54433 + (ntohl(ipp->addr) & ipp->netmask))
54434 + found = 1;
54435 + }
54436 + } else
54437 + found = 2;
54438 + if (!found)
54439 + return 0;
54440 +
54441 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
54442 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
54443 + *salt = NULL;
54444 + *sum = NULL;
54445 + return 1;
54446 + }
54447 + }
54448 + FOR_EACH_ROLE_END(r)
54449 +
54450 + for (i = 0; i < num_sprole_pws; i++) {
54451 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
54452 + *salt = acl_special_roles[i]->salt;
54453 + *sum = acl_special_roles[i]->sum;
54454 + return 1;
54455 + }
54456 + }
54457 +
54458 + return 0;
54459 +}
54460 +
54461 +static void
54462 +assign_special_role(char *rolename)
54463 +{
54464 + struct acl_object_label *obj;
54465 + struct acl_role_label *r;
54466 + struct acl_role_label *assigned = NULL;
54467 + struct task_struct *tsk;
54468 + struct file *filp;
54469 +
54470 + FOR_EACH_ROLE_START(r)
54471 + if (!strcmp(rolename, r->rolename) &&
54472 + (r->roletype & GR_ROLE_SPECIAL)) {
54473 + assigned = r;
54474 + break;
54475 + }
54476 + FOR_EACH_ROLE_END(r)
54477 +
54478 + if (!assigned)
54479 + return;
54480 +
54481 + read_lock(&tasklist_lock);
54482 + read_lock(&grsec_exec_file_lock);
54483 +
54484 + tsk = current->real_parent;
54485 + if (tsk == NULL)
54486 + goto out_unlock;
54487 +
54488 + filp = tsk->exec_file;
54489 + if (filp == NULL)
54490 + goto out_unlock;
54491 +
54492 + tsk->is_writable = 0;
54493 +
54494 + tsk->acl_sp_role = 1;
54495 + tsk->acl_role_id = ++acl_sp_role_value;
54496 + tsk->role = assigned;
54497 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
54498 +
54499 + /* ignore additional mmap checks for processes that are writable
54500 + by the default ACL */
54501 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54502 + if (unlikely(obj->mode & GR_WRITE))
54503 + tsk->is_writable = 1;
54504 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
54505 + if (unlikely(obj->mode & GR_WRITE))
54506 + tsk->is_writable = 1;
54507 +
54508 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54509 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
54510 +#endif
54511 +
54512 +out_unlock:
54513 + read_unlock(&grsec_exec_file_lock);
54514 + read_unlock(&tasklist_lock);
54515 + return;
54516 +}
54517 +
54518 +int gr_check_secure_terminal(struct task_struct *task)
54519 +{
54520 + struct task_struct *p, *p2, *p3;
54521 + struct files_struct *files;
54522 + struct fdtable *fdt;
54523 + struct file *our_file = NULL, *file;
54524 + int i;
54525 +
54526 + if (task->signal->tty == NULL)
54527 + return 1;
54528 +
54529 + files = get_files_struct(task);
54530 + if (files != NULL) {
54531 + rcu_read_lock();
54532 + fdt = files_fdtable(files);
54533 + for (i=0; i < fdt->max_fds; i++) {
54534 + file = fcheck_files(files, i);
54535 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
54536 + get_file(file);
54537 + our_file = file;
54538 + }
54539 + }
54540 + rcu_read_unlock();
54541 + put_files_struct(files);
54542 + }
54543 +
54544 + if (our_file == NULL)
54545 + return 1;
54546 +
54547 + read_lock(&tasklist_lock);
54548 + do_each_thread(p2, p) {
54549 + files = get_files_struct(p);
54550 + if (files == NULL ||
54551 + (p->signal && p->signal->tty == task->signal->tty)) {
54552 + if (files != NULL)
54553 + put_files_struct(files);
54554 + continue;
54555 + }
54556 + rcu_read_lock();
54557 + fdt = files_fdtable(files);
54558 + for (i=0; i < fdt->max_fds; i++) {
54559 + file = fcheck_files(files, i);
54560 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
54561 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
54562 + p3 = task;
54563 + while (p3->pid > 0) {
54564 + if (p3 == p)
54565 + break;
54566 + p3 = p3->real_parent;
54567 + }
54568 + if (p3 == p)
54569 + break;
54570 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
54571 + gr_handle_alertkill(p);
54572 + rcu_read_unlock();
54573 + put_files_struct(files);
54574 + read_unlock(&tasklist_lock);
54575 + fput(our_file);
54576 + return 0;
54577 + }
54578 + }
54579 + rcu_read_unlock();
54580 + put_files_struct(files);
54581 + } while_each_thread(p2, p);
54582 + read_unlock(&tasklist_lock);
54583 +
54584 + fput(our_file);
54585 + return 1;
54586 +}
54587 +
54588 +ssize_t
54589 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
54590 +{
54591 + struct gr_arg_wrapper uwrap;
54592 + unsigned char *sprole_salt = NULL;
54593 + unsigned char *sprole_sum = NULL;
54594 + int error = sizeof (struct gr_arg_wrapper);
54595 + int error2 = 0;
54596 +
54597 + mutex_lock(&gr_dev_mutex);
54598 +
54599 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
54600 + error = -EPERM;
54601 + goto out;
54602 + }
54603 +
54604 + if (count != sizeof (struct gr_arg_wrapper)) {
54605 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
54606 + error = -EINVAL;
54607 + goto out;
54608 + }
54609 +
54610 +
54611 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
54612 + gr_auth_expires = 0;
54613 + gr_auth_attempts = 0;
54614 + }
54615 +
54616 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
54617 + error = -EFAULT;
54618 + goto out;
54619 + }
54620 +
54621 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
54622 + error = -EINVAL;
54623 + goto out;
54624 + }
54625 +
54626 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
54627 + error = -EFAULT;
54628 + goto out;
54629 + }
54630 +
54631 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54632 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54633 + time_after(gr_auth_expires, get_seconds())) {
54634 + error = -EBUSY;
54635 + goto out;
54636 + }
54637 +
54638 + /* if non-root trying to do anything other than use a special role,
54639 + do not attempt authentication, do not count towards authentication
54640 + locking
54641 + */
54642 +
54643 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
54644 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54645 + current_uid()) {
54646 + error = -EPERM;
54647 + goto out;
54648 + }
54649 +
54650 + /* ensure pw and special role name are null terminated */
54651 +
54652 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
54653 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
54654 +
54655 + /* Okay.
54656 + * We have our enough of the argument structure..(we have yet
54657 + * to copy_from_user the tables themselves) . Copy the tables
54658 + * only if we need them, i.e. for loading operations. */
54659 +
54660 + switch (gr_usermode->mode) {
54661 + case GR_STATUS:
54662 + if (gr_status & GR_READY) {
54663 + error = 1;
54664 + if (!gr_check_secure_terminal(current))
54665 + error = 3;
54666 + } else
54667 + error = 2;
54668 + goto out;
54669 + case GR_SHUTDOWN:
54670 + if ((gr_status & GR_READY)
54671 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54672 + pax_open_kernel();
54673 + gr_status &= ~GR_READY;
54674 + pax_close_kernel();
54675 +
54676 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
54677 + free_variables();
54678 + memset(gr_usermode, 0, sizeof (struct gr_arg));
54679 + memset(gr_system_salt, 0, GR_SALT_LEN);
54680 + memset(gr_system_sum, 0, GR_SHA_LEN);
54681 + } else if (gr_status & GR_READY) {
54682 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
54683 + error = -EPERM;
54684 + } else {
54685 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
54686 + error = -EAGAIN;
54687 + }
54688 + break;
54689 + case GR_ENABLE:
54690 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
54691 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
54692 + else {
54693 + if (gr_status & GR_READY)
54694 + error = -EAGAIN;
54695 + else
54696 + error = error2;
54697 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
54698 + }
54699 + break;
54700 + case GR_RELOAD:
54701 + if (!(gr_status & GR_READY)) {
54702 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
54703 + error = -EAGAIN;
54704 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54705 + preempt_disable();
54706 +
54707 + pax_open_kernel();
54708 + gr_status &= ~GR_READY;
54709 + pax_close_kernel();
54710 +
54711 + free_variables();
54712 + if (!(error2 = gracl_init(gr_usermode))) {
54713 + preempt_enable();
54714 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
54715 + } else {
54716 + preempt_enable();
54717 + error = error2;
54718 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54719 + }
54720 + } else {
54721 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54722 + error = -EPERM;
54723 + }
54724 + break;
54725 + case GR_SEGVMOD:
54726 + if (unlikely(!(gr_status & GR_READY))) {
54727 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
54728 + error = -EAGAIN;
54729 + break;
54730 + }
54731 +
54732 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54733 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
54734 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
54735 + struct acl_subject_label *segvacl;
54736 + segvacl =
54737 + lookup_acl_subj_label(gr_usermode->segv_inode,
54738 + gr_usermode->segv_device,
54739 + current->role);
54740 + if (segvacl) {
54741 + segvacl->crashes = 0;
54742 + segvacl->expires = 0;
54743 + }
54744 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
54745 + gr_remove_uid(gr_usermode->segv_uid);
54746 + }
54747 + } else {
54748 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
54749 + error = -EPERM;
54750 + }
54751 + break;
54752 + case GR_SPROLE:
54753 + case GR_SPROLEPAM:
54754 + if (unlikely(!(gr_status & GR_READY))) {
54755 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
54756 + error = -EAGAIN;
54757 + break;
54758 + }
54759 +
54760 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
54761 + current->role->expires = 0;
54762 + current->role->auth_attempts = 0;
54763 + }
54764 +
54765 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54766 + time_after(current->role->expires, get_seconds())) {
54767 + error = -EBUSY;
54768 + goto out;
54769 + }
54770 +
54771 + if (lookup_special_role_auth
54772 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
54773 + && ((!sprole_salt && !sprole_sum)
54774 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
54775 + char *p = "";
54776 + assign_special_role(gr_usermode->sp_role);
54777 + read_lock(&tasklist_lock);
54778 + if (current->real_parent)
54779 + p = current->real_parent->role->rolename;
54780 + read_unlock(&tasklist_lock);
54781 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
54782 + p, acl_sp_role_value);
54783 + } else {
54784 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
54785 + error = -EPERM;
54786 + if(!(current->role->auth_attempts++))
54787 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54788 +
54789 + goto out;
54790 + }
54791 + break;
54792 + case GR_UNSPROLE:
54793 + if (unlikely(!(gr_status & GR_READY))) {
54794 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
54795 + error = -EAGAIN;
54796 + break;
54797 + }
54798 +
54799 + if (current->role->roletype & GR_ROLE_SPECIAL) {
54800 + char *p = "";
54801 + int i = 0;
54802 +
54803 + read_lock(&tasklist_lock);
54804 + if (current->real_parent) {
54805 + p = current->real_parent->role->rolename;
54806 + i = current->real_parent->acl_role_id;
54807 + }
54808 + read_unlock(&tasklist_lock);
54809 +
54810 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
54811 + gr_set_acls(1);
54812 + } else {
54813 + error = -EPERM;
54814 + goto out;
54815 + }
54816 + break;
54817 + default:
54818 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
54819 + error = -EINVAL;
54820 + break;
54821 + }
54822 +
54823 + if (error != -EPERM)
54824 + goto out;
54825 +
54826 + if(!(gr_auth_attempts++))
54827 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54828 +
54829 + out:
54830 + mutex_unlock(&gr_dev_mutex);
54831 + return error;
54832 +}
54833 +
54834 +/* must be called with
54835 + rcu_read_lock();
54836 + read_lock(&tasklist_lock);
54837 + read_lock(&grsec_exec_file_lock);
54838 +*/
54839 +int gr_apply_subject_to_task(struct task_struct *task)
54840 +{
54841 + struct acl_object_label *obj;
54842 + char *tmpname;
54843 + struct acl_subject_label *tmpsubj;
54844 + struct file *filp;
54845 + struct name_entry *nmatch;
54846 +
54847 + filp = task->exec_file;
54848 + if (filp == NULL)
54849 + return 0;
54850 +
54851 + /* the following is to apply the correct subject
54852 + on binaries running when the RBAC system
54853 + is enabled, when the binaries have been
54854 + replaced or deleted since their execution
54855 + -----
54856 + when the RBAC system starts, the inode/dev
54857 + from exec_file will be one the RBAC system
54858 + is unaware of. It only knows the inode/dev
54859 + of the present file on disk, or the absence
54860 + of it.
54861 + */
54862 + preempt_disable();
54863 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
54864 +
54865 + nmatch = lookup_name_entry(tmpname);
54866 + preempt_enable();
54867 + tmpsubj = NULL;
54868 + if (nmatch) {
54869 + if (nmatch->deleted)
54870 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
54871 + else
54872 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
54873 + if (tmpsubj != NULL)
54874 + task->acl = tmpsubj;
54875 + }
54876 + if (tmpsubj == NULL)
54877 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
54878 + task->role);
54879 + if (task->acl) {
54880 + struct acl_subject_label *curr;
54881 + curr = task->acl;
54882 +
54883 + task->is_writable = 0;
54884 + /* ignore additional mmap checks for processes that are writable
54885 + by the default ACL */
54886 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54887 + if (unlikely(obj->mode & GR_WRITE))
54888 + task->is_writable = 1;
54889 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54890 + if (unlikely(obj->mode & GR_WRITE))
54891 + task->is_writable = 1;
54892 +
54893 + gr_set_proc_res(task);
54894 +
54895 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54896 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54897 +#endif
54898 + } else {
54899 + return 1;
54900 + }
54901 +
54902 + return 0;
54903 +}
54904 +
54905 +int
54906 +gr_set_acls(const int type)
54907 +{
54908 + struct task_struct *task, *task2;
54909 + struct acl_role_label *role = current->role;
54910 + __u16 acl_role_id = current->acl_role_id;
54911 + const struct cred *cred;
54912 + int ret;
54913 +
54914 + rcu_read_lock();
54915 + read_lock(&tasklist_lock);
54916 + read_lock(&grsec_exec_file_lock);
54917 + do_each_thread(task2, task) {
54918 + /* check to see if we're called from the exit handler,
54919 + if so, only replace ACLs that have inherited the admin
54920 + ACL */
54921 +
54922 + if (type && (task->role != role ||
54923 + task->acl_role_id != acl_role_id))
54924 + continue;
54925 +
54926 + task->acl_role_id = 0;
54927 + task->acl_sp_role = 0;
54928 +
54929 + if (task->exec_file) {
54930 + cred = __task_cred(task);
54931 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
54932 + ret = gr_apply_subject_to_task(task);
54933 + if (ret) {
54934 + read_unlock(&grsec_exec_file_lock);
54935 + read_unlock(&tasklist_lock);
54936 + rcu_read_unlock();
54937 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
54938 + return ret;
54939 + }
54940 + } else {
54941 + // it's a kernel process
54942 + task->role = kernel_role;
54943 + task->acl = kernel_role->root_label;
54944 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
54945 + task->acl->mode &= ~GR_PROCFIND;
54946 +#endif
54947 + }
54948 + } while_each_thread(task2, task);
54949 + read_unlock(&grsec_exec_file_lock);
54950 + read_unlock(&tasklist_lock);
54951 + rcu_read_unlock();
54952 +
54953 + return 0;
54954 +}
54955 +
54956 +void
54957 +gr_learn_resource(const struct task_struct *task,
54958 + const int res, const unsigned long wanted, const int gt)
54959 +{
54960 + struct acl_subject_label *acl;
54961 + const struct cred *cred;
54962 +
54963 + if (unlikely((gr_status & GR_READY) &&
54964 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
54965 + goto skip_reslog;
54966 +
54967 +#ifdef CONFIG_GRKERNSEC_RESLOG
54968 + gr_log_resource(task, res, wanted, gt);
54969 +#endif
54970 + skip_reslog:
54971 +
54972 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
54973 + return;
54974 +
54975 + acl = task->acl;
54976 +
54977 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
54978 + !(acl->resmask & (1 << (unsigned short) res))))
54979 + return;
54980 +
54981 + if (wanted >= acl->res[res].rlim_cur) {
54982 + unsigned long res_add;
54983 +
54984 + res_add = wanted;
54985 + switch (res) {
54986 + case RLIMIT_CPU:
54987 + res_add += GR_RLIM_CPU_BUMP;
54988 + break;
54989 + case RLIMIT_FSIZE:
54990 + res_add += GR_RLIM_FSIZE_BUMP;
54991 + break;
54992 + case RLIMIT_DATA:
54993 + res_add += GR_RLIM_DATA_BUMP;
54994 + break;
54995 + case RLIMIT_STACK:
54996 + res_add += GR_RLIM_STACK_BUMP;
54997 + break;
54998 + case RLIMIT_CORE:
54999 + res_add += GR_RLIM_CORE_BUMP;
55000 + break;
55001 + case RLIMIT_RSS:
55002 + res_add += GR_RLIM_RSS_BUMP;
55003 + break;
55004 + case RLIMIT_NPROC:
55005 + res_add += GR_RLIM_NPROC_BUMP;
55006 + break;
55007 + case RLIMIT_NOFILE:
55008 + res_add += GR_RLIM_NOFILE_BUMP;
55009 + break;
55010 + case RLIMIT_MEMLOCK:
55011 + res_add += GR_RLIM_MEMLOCK_BUMP;
55012 + break;
55013 + case RLIMIT_AS:
55014 + res_add += GR_RLIM_AS_BUMP;
55015 + break;
55016 + case RLIMIT_LOCKS:
55017 + res_add += GR_RLIM_LOCKS_BUMP;
55018 + break;
55019 + case RLIMIT_SIGPENDING:
55020 + res_add += GR_RLIM_SIGPENDING_BUMP;
55021 + break;
55022 + case RLIMIT_MSGQUEUE:
55023 + res_add += GR_RLIM_MSGQUEUE_BUMP;
55024 + break;
55025 + case RLIMIT_NICE:
55026 + res_add += GR_RLIM_NICE_BUMP;
55027 + break;
55028 + case RLIMIT_RTPRIO:
55029 + res_add += GR_RLIM_RTPRIO_BUMP;
55030 + break;
55031 + case RLIMIT_RTTIME:
55032 + res_add += GR_RLIM_RTTIME_BUMP;
55033 + break;
55034 + }
55035 +
55036 + acl->res[res].rlim_cur = res_add;
55037 +
55038 + if (wanted > acl->res[res].rlim_max)
55039 + acl->res[res].rlim_max = res_add;
55040 +
55041 + /* only log the subject filename, since resource logging is supported for
55042 + single-subject learning only */
55043 + rcu_read_lock();
55044 + cred = __task_cred(task);
55045 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55046 + task->role->roletype, cred->uid, cred->gid, acl->filename,
55047 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55048 + "", (unsigned long) res, &task->signal->saved_ip);
55049 + rcu_read_unlock();
55050 + }
55051 +
55052 + return;
55053 +}
55054 +
55055 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55056 +void
55057 +pax_set_initial_flags(struct linux_binprm *bprm)
55058 +{
55059 + struct task_struct *task = current;
55060 + struct acl_subject_label *proc;
55061 + unsigned long flags;
55062 +
55063 + if (unlikely(!(gr_status & GR_READY)))
55064 + return;
55065 +
55066 + flags = pax_get_flags(task);
55067 +
55068 + proc = task->acl;
55069 +
55070 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55071 + flags &= ~MF_PAX_PAGEEXEC;
55072 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55073 + flags &= ~MF_PAX_SEGMEXEC;
55074 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55075 + flags &= ~MF_PAX_RANDMMAP;
55076 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55077 + flags &= ~MF_PAX_EMUTRAMP;
55078 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55079 + flags &= ~MF_PAX_MPROTECT;
55080 +
55081 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55082 + flags |= MF_PAX_PAGEEXEC;
55083 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55084 + flags |= MF_PAX_SEGMEXEC;
55085 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55086 + flags |= MF_PAX_RANDMMAP;
55087 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55088 + flags |= MF_PAX_EMUTRAMP;
55089 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55090 + flags |= MF_PAX_MPROTECT;
55091 +
55092 + pax_set_flags(task, flags);
55093 +
55094 + return;
55095 +}
55096 +#endif
55097 +
55098 +#ifdef CONFIG_SYSCTL
55099 +/* Eric Biederman likes breaking userland ABI and every inode-based security
55100 + system to save 35kb of memory */
55101 +
55102 +/* we modify the passed in filename, but adjust it back before returning */
55103 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55104 +{
55105 + struct name_entry *nmatch;
55106 + char *p, *lastp = NULL;
55107 + struct acl_object_label *obj = NULL, *tmp;
55108 + struct acl_subject_label *tmpsubj;
55109 + char c = '\0';
55110 +
55111 + read_lock(&gr_inode_lock);
55112 +
55113 + p = name + len - 1;
55114 + do {
55115 + nmatch = lookup_name_entry(name);
55116 + if (lastp != NULL)
55117 + *lastp = c;
55118 +
55119 + if (nmatch == NULL)
55120 + goto next_component;
55121 + tmpsubj = current->acl;
55122 + do {
55123 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55124 + if (obj != NULL) {
55125 + tmp = obj->globbed;
55126 + while (tmp) {
55127 + if (!glob_match(tmp->filename, name)) {
55128 + obj = tmp;
55129 + goto found_obj;
55130 + }
55131 + tmp = tmp->next;
55132 + }
55133 + goto found_obj;
55134 + }
55135 + } while ((tmpsubj = tmpsubj->parent_subject));
55136 +next_component:
55137 + /* end case */
55138 + if (p == name)
55139 + break;
55140 +
55141 + while (*p != '/')
55142 + p--;
55143 + if (p == name)
55144 + lastp = p + 1;
55145 + else {
55146 + lastp = p;
55147 + p--;
55148 + }
55149 + c = *lastp;
55150 + *lastp = '\0';
55151 + } while (1);
55152 +found_obj:
55153 + read_unlock(&gr_inode_lock);
55154 + /* obj returned will always be non-null */
55155 + return obj;
55156 +}
55157 +
55158 +/* returns 0 when allowing, non-zero on error
55159 + op of 0 is used for readdir, so we don't log the names of hidden files
55160 +*/
55161 +__u32
55162 +gr_handle_sysctl(const struct ctl_table *table, const int op)
55163 +{
55164 + struct ctl_table *tmp;
55165 + const char *proc_sys = "/proc/sys";
55166 + char *path;
55167 + struct acl_object_label *obj;
55168 + unsigned short len = 0, pos = 0, depth = 0, i;
55169 + __u32 err = 0;
55170 + __u32 mode = 0;
55171 +
55172 + if (unlikely(!(gr_status & GR_READY)))
55173 + return 0;
55174 +
55175 + /* for now, ignore operations on non-sysctl entries if it's not a
55176 + readdir*/
55177 + if (table->child != NULL && op != 0)
55178 + return 0;
55179 +
55180 + mode |= GR_FIND;
55181 + /* it's only a read if it's an entry, read on dirs is for readdir */
55182 + if (op & MAY_READ)
55183 + mode |= GR_READ;
55184 + if (op & MAY_WRITE)
55185 + mode |= GR_WRITE;
55186 +
55187 + preempt_disable();
55188 +
55189 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55190 +
55191 + /* it's only a read/write if it's an actual entry, not a dir
55192 + (which are opened for readdir)
55193 + */
55194 +
55195 + /* convert the requested sysctl entry into a pathname */
55196 +
55197 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55198 + len += strlen(tmp->procname);
55199 + len++;
55200 + depth++;
55201 + }
55202 +
55203 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55204 + /* deny */
55205 + goto out;
55206 + }
55207 +
55208 + memset(path, 0, PAGE_SIZE);
55209 +
55210 + memcpy(path, proc_sys, strlen(proc_sys));
55211 +
55212 + pos += strlen(proc_sys);
55213 +
55214 + for (; depth > 0; depth--) {
55215 + path[pos] = '/';
55216 + pos++;
55217 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55218 + if (depth == i) {
55219 + memcpy(path + pos, tmp->procname,
55220 + strlen(tmp->procname));
55221 + pos += strlen(tmp->procname);
55222 + }
55223 + i++;
55224 + }
55225 + }
55226 +
55227 + obj = gr_lookup_by_name(path, pos);
55228 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55229 +
55230 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55231 + ((err & mode) != mode))) {
55232 + __u32 new_mode = mode;
55233 +
55234 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55235 +
55236 + err = 0;
55237 + gr_log_learn_sysctl(path, new_mode);
55238 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55239 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55240 + err = -ENOENT;
55241 + } else if (!(err & GR_FIND)) {
55242 + err = -ENOENT;
55243 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55244 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55245 + path, (mode & GR_READ) ? " reading" : "",
55246 + (mode & GR_WRITE) ? " writing" : "");
55247 + err = -EACCES;
55248 + } else if ((err & mode) != mode) {
55249 + err = -EACCES;
55250 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55251 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55252 + path, (mode & GR_READ) ? " reading" : "",
55253 + (mode & GR_WRITE) ? " writing" : "");
55254 + err = 0;
55255 + } else
55256 + err = 0;
55257 +
55258 + out:
55259 + preempt_enable();
55260 +
55261 + return err;
55262 +}
55263 +#endif
55264 +
55265 +int
55266 +gr_handle_proc_ptrace(struct task_struct *task)
55267 +{
55268 + struct file *filp;
55269 + struct task_struct *tmp = task;
55270 + struct task_struct *curtemp = current;
55271 + __u32 retmode;
55272 +
55273 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55274 + if (unlikely(!(gr_status & GR_READY)))
55275 + return 0;
55276 +#endif
55277 +
55278 + read_lock(&tasklist_lock);
55279 + read_lock(&grsec_exec_file_lock);
55280 + filp = task->exec_file;
55281 +
55282 + while (tmp->pid > 0) {
55283 + if (tmp == curtemp)
55284 + break;
55285 + tmp = tmp->real_parent;
55286 + }
55287 +
55288 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55289 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55290 + read_unlock(&grsec_exec_file_lock);
55291 + read_unlock(&tasklist_lock);
55292 + return 1;
55293 + }
55294 +
55295 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55296 + if (!(gr_status & GR_READY)) {
55297 + read_unlock(&grsec_exec_file_lock);
55298 + read_unlock(&tasklist_lock);
55299 + return 0;
55300 + }
55301 +#endif
55302 +
55303 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55304 + read_unlock(&grsec_exec_file_lock);
55305 + read_unlock(&tasklist_lock);
55306 +
55307 + if (retmode & GR_NOPTRACE)
55308 + return 1;
55309 +
55310 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55311 + && (current->acl != task->acl || (current->acl != current->role->root_label
55312 + && current->pid != task->pid)))
55313 + return 1;
55314 +
55315 + return 0;
55316 +}
55317 +
55318 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55319 +{
55320 + if (unlikely(!(gr_status & GR_READY)))
55321 + return;
55322 +
55323 + if (!(current->role->roletype & GR_ROLE_GOD))
55324 + return;
55325 +
55326 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55327 + p->role->rolename, gr_task_roletype_to_char(p),
55328 + p->acl->filename);
55329 +}
55330 +
55331 +int
55332 +gr_handle_ptrace(struct task_struct *task, const long request)
55333 +{
55334 + struct task_struct *tmp = task;
55335 + struct task_struct *curtemp = current;
55336 + __u32 retmode;
55337 +
55338 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55339 + if (unlikely(!(gr_status & GR_READY)))
55340 + return 0;
55341 +#endif
55342 +
55343 + read_lock(&tasklist_lock);
55344 + while (tmp->pid > 0) {
55345 + if (tmp == curtemp)
55346 + break;
55347 + tmp = tmp->real_parent;
55348 + }
55349 +
55350 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55351 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
55352 + read_unlock(&tasklist_lock);
55353 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55354 + return 1;
55355 + }
55356 + read_unlock(&tasklist_lock);
55357 +
55358 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55359 + if (!(gr_status & GR_READY))
55360 + return 0;
55361 +#endif
55362 +
55363 + read_lock(&grsec_exec_file_lock);
55364 + if (unlikely(!task->exec_file)) {
55365 + read_unlock(&grsec_exec_file_lock);
55366 + return 0;
55367 + }
55368 +
55369 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
55370 + read_unlock(&grsec_exec_file_lock);
55371 +
55372 + if (retmode & GR_NOPTRACE) {
55373 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55374 + return 1;
55375 + }
55376 +
55377 + if (retmode & GR_PTRACERD) {
55378 + switch (request) {
55379 + case PTRACE_POKETEXT:
55380 + case PTRACE_POKEDATA:
55381 + case PTRACE_POKEUSR:
55382 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
55383 + case PTRACE_SETREGS:
55384 + case PTRACE_SETFPREGS:
55385 +#endif
55386 +#ifdef CONFIG_X86
55387 + case PTRACE_SETFPXREGS:
55388 +#endif
55389 +#ifdef CONFIG_ALTIVEC
55390 + case PTRACE_SETVRREGS:
55391 +#endif
55392 + return 1;
55393 + default:
55394 + return 0;
55395 + }
55396 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
55397 + !(current->role->roletype & GR_ROLE_GOD) &&
55398 + (current->acl != task->acl)) {
55399 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55400 + return 1;
55401 + }
55402 +
55403 + return 0;
55404 +}
55405 +
55406 +static int is_writable_mmap(const struct file *filp)
55407 +{
55408 + struct task_struct *task = current;
55409 + struct acl_object_label *obj, *obj2;
55410 +
55411 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
55412 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
55413 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55414 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
55415 + task->role->root_label);
55416 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
55417 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
55418 + return 1;
55419 + }
55420 + }
55421 + return 0;
55422 +}
55423 +
55424 +int
55425 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
55426 +{
55427 + __u32 mode;
55428 +
55429 + if (unlikely(!file || !(prot & PROT_EXEC)))
55430 + return 1;
55431 +
55432 + if (is_writable_mmap(file))
55433 + return 0;
55434 +
55435 + mode =
55436 + gr_search_file(file->f_path.dentry,
55437 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55438 + file->f_path.mnt);
55439 +
55440 + if (!gr_tpe_allow(file))
55441 + return 0;
55442 +
55443 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55444 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55445 + return 0;
55446 + } else if (unlikely(!(mode & GR_EXEC))) {
55447 + return 0;
55448 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55449 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55450 + return 1;
55451 + }
55452 +
55453 + return 1;
55454 +}
55455 +
55456 +int
55457 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55458 +{
55459 + __u32 mode;
55460 +
55461 + if (unlikely(!file || !(prot & PROT_EXEC)))
55462 + return 1;
55463 +
55464 + if (is_writable_mmap(file))
55465 + return 0;
55466 +
55467 + mode =
55468 + gr_search_file(file->f_path.dentry,
55469 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55470 + file->f_path.mnt);
55471 +
55472 + if (!gr_tpe_allow(file))
55473 + return 0;
55474 +
55475 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55476 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55477 + return 0;
55478 + } else if (unlikely(!(mode & GR_EXEC))) {
55479 + return 0;
55480 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55481 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55482 + return 1;
55483 + }
55484 +
55485 + return 1;
55486 +}
55487 +
55488 +void
55489 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55490 +{
55491 + unsigned long runtime;
55492 + unsigned long cputime;
55493 + unsigned int wday, cday;
55494 + __u8 whr, chr;
55495 + __u8 wmin, cmin;
55496 + __u8 wsec, csec;
55497 + struct timespec timeval;
55498 +
55499 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
55500 + !(task->acl->mode & GR_PROCACCT)))
55501 + return;
55502 +
55503 + do_posix_clock_monotonic_gettime(&timeval);
55504 + runtime = timeval.tv_sec - task->start_time.tv_sec;
55505 + wday = runtime / (3600 * 24);
55506 + runtime -= wday * (3600 * 24);
55507 + whr = runtime / 3600;
55508 + runtime -= whr * 3600;
55509 + wmin = runtime / 60;
55510 + runtime -= wmin * 60;
55511 + wsec = runtime;
55512 +
55513 + cputime = (task->utime + task->stime) / HZ;
55514 + cday = cputime / (3600 * 24);
55515 + cputime -= cday * (3600 * 24);
55516 + chr = cputime / 3600;
55517 + cputime -= chr * 3600;
55518 + cmin = cputime / 60;
55519 + cputime -= cmin * 60;
55520 + csec = cputime;
55521 +
55522 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
55523 +
55524 + return;
55525 +}
55526 +
55527 +void gr_set_kernel_label(struct task_struct *task)
55528 +{
55529 + if (gr_status & GR_READY) {
55530 + task->role = kernel_role;
55531 + task->acl = kernel_role->root_label;
55532 + }
55533 + return;
55534 +}
55535 +
55536 +#ifdef CONFIG_TASKSTATS
55537 +int gr_is_taskstats_denied(int pid)
55538 +{
55539 + struct task_struct *task;
55540 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55541 + const struct cred *cred;
55542 +#endif
55543 + int ret = 0;
55544 +
55545 + /* restrict taskstats viewing to un-chrooted root users
55546 + who have the 'view' subject flag if the RBAC system is enabled
55547 + */
55548 +
55549 + rcu_read_lock();
55550 + read_lock(&tasklist_lock);
55551 + task = find_task_by_vpid(pid);
55552 + if (task) {
55553 +#ifdef CONFIG_GRKERNSEC_CHROOT
55554 + if (proc_is_chrooted(task))
55555 + ret = -EACCES;
55556 +#endif
55557 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55558 + cred = __task_cred(task);
55559 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55560 + if (cred->uid != 0)
55561 + ret = -EACCES;
55562 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55563 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
55564 + ret = -EACCES;
55565 +#endif
55566 +#endif
55567 + if (gr_status & GR_READY) {
55568 + if (!(task->acl->mode & GR_VIEW))
55569 + ret = -EACCES;
55570 + }
55571 + } else
55572 + ret = -ENOENT;
55573 +
55574 + read_unlock(&tasklist_lock);
55575 + rcu_read_unlock();
55576 +
55577 + return ret;
55578 +}
55579 +#endif
55580 +
55581 +/* AUXV entries are filled via a descendant of search_binary_handler
55582 + after we've already applied the subject for the target
55583 +*/
55584 +int gr_acl_enable_at_secure(void)
55585 +{
55586 + if (unlikely(!(gr_status & GR_READY)))
55587 + return 0;
55588 +
55589 + if (current->acl->mode & GR_ATSECURE)
55590 + return 1;
55591 +
55592 + return 0;
55593 +}
55594 +
55595 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
55596 +{
55597 + struct task_struct *task = current;
55598 + struct dentry *dentry = file->f_path.dentry;
55599 + struct vfsmount *mnt = file->f_path.mnt;
55600 + struct acl_object_label *obj, *tmp;
55601 + struct acl_subject_label *subj;
55602 + unsigned int bufsize;
55603 + int is_not_root;
55604 + char *path;
55605 + dev_t dev = __get_dev(dentry);
55606 +
55607 + if (unlikely(!(gr_status & GR_READY)))
55608 + return 1;
55609 +
55610 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55611 + return 1;
55612 +
55613 + /* ignore Eric Biederman */
55614 + if (IS_PRIVATE(dentry->d_inode))
55615 + return 1;
55616 +
55617 + subj = task->acl;
55618 + do {
55619 + obj = lookup_acl_obj_label(ino, dev, subj);
55620 + if (obj != NULL)
55621 + return (obj->mode & GR_FIND) ? 1 : 0;
55622 + } while ((subj = subj->parent_subject));
55623 +
55624 + /* this is purely an optimization since we're looking for an object
55625 + for the directory we're doing a readdir on
55626 + if it's possible for any globbed object to match the entry we're
55627 + filling into the directory, then the object we find here will be
55628 + an anchor point with attached globbed objects
55629 + */
55630 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
55631 + if (obj->globbed == NULL)
55632 + return (obj->mode & GR_FIND) ? 1 : 0;
55633 +
55634 + is_not_root = ((obj->filename[0] == '/') &&
55635 + (obj->filename[1] == '\0')) ? 0 : 1;
55636 + bufsize = PAGE_SIZE - namelen - is_not_root;
55637 +
55638 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
55639 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
55640 + return 1;
55641 +
55642 + preempt_disable();
55643 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
55644 + bufsize);
55645 +
55646 + bufsize = strlen(path);
55647 +
55648 + /* if base is "/", don't append an additional slash */
55649 + if (is_not_root)
55650 + *(path + bufsize) = '/';
55651 + memcpy(path + bufsize + is_not_root, name, namelen);
55652 + *(path + bufsize + namelen + is_not_root) = '\0';
55653 +
55654 + tmp = obj->globbed;
55655 + while (tmp) {
55656 + if (!glob_match(tmp->filename, path)) {
55657 + preempt_enable();
55658 + return (tmp->mode & GR_FIND) ? 1 : 0;
55659 + }
55660 + tmp = tmp->next;
55661 + }
55662 + preempt_enable();
55663 + return (obj->mode & GR_FIND) ? 1 : 0;
55664 +}
55665 +
55666 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
55667 +EXPORT_SYMBOL(gr_acl_is_enabled);
55668 +#endif
55669 +EXPORT_SYMBOL(gr_learn_resource);
55670 +EXPORT_SYMBOL(gr_set_kernel_label);
55671 +#ifdef CONFIG_SECURITY
55672 +EXPORT_SYMBOL(gr_check_user_change);
55673 +EXPORT_SYMBOL(gr_check_group_change);
55674 +#endif
55675 +
55676 diff -urNp linux-2.6.39.2/grsecurity/gracl_cap.c linux-2.6.39.2/grsecurity/gracl_cap.c
55677 --- linux-2.6.39.2/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
55678 +++ linux-2.6.39.2/grsecurity/gracl_cap.c 2011-05-22 19:41:42.000000000 -0400
55679 @@ -0,0 +1,139 @@
55680 +#include <linux/kernel.h>
55681 +#include <linux/module.h>
55682 +#include <linux/sched.h>
55683 +#include <linux/gracl.h>
55684 +#include <linux/grsecurity.h>
55685 +#include <linux/grinternal.h>
55686 +
55687 +static const char *captab_log[] = {
55688 + "CAP_CHOWN",
55689 + "CAP_DAC_OVERRIDE",
55690 + "CAP_DAC_READ_SEARCH",
55691 + "CAP_FOWNER",
55692 + "CAP_FSETID",
55693 + "CAP_KILL",
55694 + "CAP_SETGID",
55695 + "CAP_SETUID",
55696 + "CAP_SETPCAP",
55697 + "CAP_LINUX_IMMUTABLE",
55698 + "CAP_NET_BIND_SERVICE",
55699 + "CAP_NET_BROADCAST",
55700 + "CAP_NET_ADMIN",
55701 + "CAP_NET_RAW",
55702 + "CAP_IPC_LOCK",
55703 + "CAP_IPC_OWNER",
55704 + "CAP_SYS_MODULE",
55705 + "CAP_SYS_RAWIO",
55706 + "CAP_SYS_CHROOT",
55707 + "CAP_SYS_PTRACE",
55708 + "CAP_SYS_PACCT",
55709 + "CAP_SYS_ADMIN",
55710 + "CAP_SYS_BOOT",
55711 + "CAP_SYS_NICE",
55712 + "CAP_SYS_RESOURCE",
55713 + "CAP_SYS_TIME",
55714 + "CAP_SYS_TTY_CONFIG",
55715 + "CAP_MKNOD",
55716 + "CAP_LEASE",
55717 + "CAP_AUDIT_WRITE",
55718 + "CAP_AUDIT_CONTROL",
55719 + "CAP_SETFCAP",
55720 + "CAP_MAC_OVERRIDE",
55721 + "CAP_MAC_ADMIN",
55722 + "CAP_SYSLOG"
55723 +};
55724 +
55725 +EXPORT_SYMBOL(gr_is_capable);
55726 +EXPORT_SYMBOL(gr_is_capable_nolog);
55727 +
55728 +int
55729 +gr_is_capable(const int cap)
55730 +{
55731 + struct task_struct *task = current;
55732 + const struct cred *cred = current_cred();
55733 + struct acl_subject_label *curracl;
55734 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55735 + kernel_cap_t cap_audit = __cap_empty_set;
55736 +
55737 + if (!gr_acl_is_enabled())
55738 + return 1;
55739 +
55740 + curracl = task->acl;
55741 +
55742 + cap_drop = curracl->cap_lower;
55743 + cap_mask = curracl->cap_mask;
55744 + cap_audit = curracl->cap_invert_audit;
55745 +
55746 + while ((curracl = curracl->parent_subject)) {
55747 + /* if the cap isn't specified in the current computed mask but is specified in the
55748 + current level subject, and is lowered in the current level subject, then add
55749 + it to the set of dropped capabilities
55750 + otherwise, add the current level subject's mask to the current computed mask
55751 + */
55752 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55753 + cap_raise(cap_mask, cap);
55754 + if (cap_raised(curracl->cap_lower, cap))
55755 + cap_raise(cap_drop, cap);
55756 + if (cap_raised(curracl->cap_invert_audit, cap))
55757 + cap_raise(cap_audit, cap);
55758 + }
55759 + }
55760 +
55761 + if (!cap_raised(cap_drop, cap)) {
55762 + if (cap_raised(cap_audit, cap))
55763 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
55764 + return 1;
55765 + }
55766 +
55767 + curracl = task->acl;
55768 +
55769 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
55770 + && cap_raised(cred->cap_effective, cap)) {
55771 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55772 + task->role->roletype, cred->uid,
55773 + cred->gid, task->exec_file ?
55774 + gr_to_filename(task->exec_file->f_path.dentry,
55775 + task->exec_file->f_path.mnt) : curracl->filename,
55776 + curracl->filename, 0UL,
55777 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
55778 + return 1;
55779 + }
55780 +
55781 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
55782 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
55783 + return 0;
55784 +}
55785 +
55786 +int
55787 +gr_is_capable_nolog(const int cap)
55788 +{
55789 + struct acl_subject_label *curracl;
55790 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55791 +
55792 + if (!gr_acl_is_enabled())
55793 + return 1;
55794 +
55795 + curracl = current->acl;
55796 +
55797 + cap_drop = curracl->cap_lower;
55798 + cap_mask = curracl->cap_mask;
55799 +
55800 + while ((curracl = curracl->parent_subject)) {
55801 + /* if the cap isn't specified in the current computed mask but is specified in the
55802 + current level subject, and is lowered in the current level subject, then add
55803 + it to the set of dropped capabilities
55804 + otherwise, add the current level subject's mask to the current computed mask
55805 + */
55806 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55807 + cap_raise(cap_mask, cap);
55808 + if (cap_raised(curracl->cap_lower, cap))
55809 + cap_raise(cap_drop, cap);
55810 + }
55811 + }
55812 +
55813 + if (!cap_raised(cap_drop, cap))
55814 + return 1;
55815 +
55816 + return 0;
55817 +}
55818 +
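Review bot: In gr_is_capable, the audit branch passes `captab_log[cap]` to gr_log_cap without the range check that the deny branch at the end of the function applies (`cap >= 0 && cap < sizeof(captab_log)/sizeof(captab_log[0])`), so the two logging paths disagree about whether `cap` may fall outside the 35-entry table. Whether an out-of-range value can reach this function depends on callers outside the hunk, but the guard is cheap to mirror: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. The table also follows the capability numbering only by hand. A `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` inside gr_is_capable would turn a newly added capability into a build failure instead of an out-of-bounds read in the log path.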
55819 diff -urNp linux-2.6.39.2/grsecurity/gracl_fs.c linux-2.6.39.2/grsecurity/gracl_fs.c
55820 --- linux-2.6.39.2/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
55821 +++ linux-2.6.39.2/grsecurity/gracl_fs.c 2011-05-22 19:41:42.000000000 -0400
55822 @@ -0,0 +1,431 @@
55823 +#include <linux/kernel.h>
55824 +#include <linux/sched.h>
55825 +#include <linux/types.h>
55826 +#include <linux/fs.h>
55827 +#include <linux/file.h>
55828 +#include <linux/stat.h>
55829 +#include <linux/grsecurity.h>
55830 +#include <linux/grinternal.h>
55831 +#include <linux/gracl.h>
55832 +
55833 +__u32
55834 +gr_acl_handle_hidden_file(const struct dentry * dentry,
55835 + const struct vfsmount * mnt)
55836 +{
55837 + __u32 mode;
55838 +
55839 + if (unlikely(!dentry->d_inode))
55840 + return GR_FIND;
55841 +
55842 + mode =
55843 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
55844 +
55845 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
55846 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
55847 + return mode;
55848 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
55849 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
55850 + return 0;
55851 + } else if (unlikely(!(mode & GR_FIND)))
55852 + return 0;
55853 +
55854 + return GR_FIND;
55855 +}
55856 +
55857 +__u32
55858 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
55859 + const int fmode)
55860 +{
55861 + __u32 reqmode = GR_FIND;
55862 + __u32 mode;
55863 +
55864 + if (unlikely(!dentry->d_inode))
55865 + return reqmode;
55866 +
55867 + if (unlikely(fmode & O_APPEND))
55868 + reqmode |= GR_APPEND;
55869 + else if (unlikely(fmode & FMODE_WRITE))
55870 + reqmode |= GR_WRITE;
55871 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
55872 + reqmode |= GR_READ;
55873 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
55874 + reqmode &= ~GR_READ;
55875 + mode =
55876 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
55877 + mnt);
55878 +
55879 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55880 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
55881 + reqmode & GR_READ ? " reading" : "",
55882 + reqmode & GR_WRITE ? " writing" : reqmode &
55883 + GR_APPEND ? " appending" : "");
55884 + return reqmode;
55885 + } else
55886 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55887 + {
55888 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
55889 + reqmode & GR_READ ? " reading" : "",
55890 + reqmode & GR_WRITE ? " writing" : reqmode &
55891 + GR_APPEND ? " appending" : "");
55892 + return 0;
55893 + } else if (unlikely((mode & reqmode) != reqmode))
55894 + return 0;
55895 +
55896 + return reqmode;
55897 +}
55898 +
55899 +__u32
55900 +gr_acl_handle_creat(const struct dentry * dentry,
55901 + const struct dentry * p_dentry,
55902 + const struct vfsmount * p_mnt, const int fmode,
55903 + const int imode)
55904 +{
55905 + __u32 reqmode = GR_WRITE | GR_CREATE;
55906 + __u32 mode;
55907 +
55908 + if (unlikely(fmode & O_APPEND))
55909 + reqmode |= GR_APPEND;
55910 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
55911 + reqmode |= GR_READ;
55912 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
55913 + reqmode |= GR_SETID;
55914 +
55915 + mode =
55916 + gr_check_create(dentry, p_dentry, p_mnt,
55917 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
55918 +
55919 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55920 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
55921 + reqmode & GR_READ ? " reading" : "",
55922 + reqmode & GR_WRITE ? " writing" : reqmode &
55923 + GR_APPEND ? " appending" : "");
55924 + return reqmode;
55925 + } else
55926 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55927 + {
55928 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
55929 + reqmode & GR_READ ? " reading" : "",
55930 + reqmode & GR_WRITE ? " writing" : reqmode &
55931 + GR_APPEND ? " appending" : "");
55932 + return 0;
55933 + } else if (unlikely((mode & reqmode) != reqmode))
55934 + return 0;
55935 +
55936 + return reqmode;
55937 +}
55938 +
55939 +__u32
55940 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
55941 + const int fmode)
55942 +{
55943 + __u32 mode, reqmode = GR_FIND;
55944 +
55945 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
55946 + reqmode |= GR_EXEC;
55947 + if (fmode & S_IWOTH)
55948 + reqmode |= GR_WRITE;
55949 + if (fmode & S_IROTH)
55950 + reqmode |= GR_READ;
55951 +
55952 + mode =
55953 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
55954 + mnt);
55955 +
55956 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
55957 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
55958 + reqmode & GR_READ ? " reading" : "",
55959 + reqmode & GR_WRITE ? " writing" : "",
55960 + reqmode & GR_EXEC ? " executing" : "");
55961 + return reqmode;
55962 + } else
55963 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
55964 + {
55965 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
55966 + reqmode & GR_READ ? " reading" : "",
55967 + reqmode & GR_WRITE ? " writing" : "",
55968 + reqmode & GR_EXEC ? " executing" : "");
55969 + return 0;
55970 + } else if (unlikely((mode & reqmode) != reqmode))
55971 + return 0;
55972 +
55973 + return reqmode;
55974 +}
55975 +
55976 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
55977 +{
55978 + __u32 mode;
55979 +
55980 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
55981 +
55982 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
55983 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
55984 + return mode;
55985 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
55986 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
55987 + return 0;
55988 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
55989 + return 0;
55990 +
55991 + return (reqmode);
55992 +}
55993 +
55994 +__u32
55995 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
55996 +{
55997 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
55998 +}
55999 +
56000 +__u32
56001 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56002 +{
56003 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56004 +}
56005 +
56006 +__u32
56007 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56008 +{
56009 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56010 +}
56011 +
56012 +__u32
56013 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56014 +{
56015 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56016 +}
56017 +
56018 +__u32
56019 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56020 + mode_t mode)
56021 +{
56022 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56023 + return 1;
56024 +
56025 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56026 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56027 + GR_FCHMOD_ACL_MSG);
56028 + } else {
56029 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56030 + }
56031 +}
56032 +
56033 +__u32
56034 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56035 + mode_t mode)
56036 +{
56037 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56038 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56039 + GR_CHMOD_ACL_MSG);
56040 + } else {
56041 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56042 + }
56043 +}
56044 +
56045 +__u32
56046 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56047 +{
56048 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56049 +}
56050 +
56051 +__u32
56052 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56053 +{
56054 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56055 +}
56056 +
56057 +__u32
56058 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56059 +{
56060 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56061 +}
56062 +
56063 +__u32
56064 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56065 +{
56066 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56067 + GR_UNIXCONNECT_ACL_MSG);
56068 +}
56069 +
56070 +/* hardlinks require at minimum create permission,
56071 + any additional privilege required is based on the
56072 + privilege of the file being linked to
56073 +*/
56074 +__u32
56075 +gr_acl_handle_link(const struct dentry * new_dentry,
56076 + const struct dentry * parent_dentry,
56077 + const struct vfsmount * parent_mnt,
56078 + const struct dentry * old_dentry,
56079 + const struct vfsmount * old_mnt, const char *to)
56080 +{
56081 + __u32 mode;
56082 + __u32 needmode = GR_CREATE | GR_LINK;
56083 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56084 +
56085 + mode =
56086 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56087 + old_mnt);
56088 +
56089 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56090 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56091 + return mode;
56092 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56093 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56094 + return 0;
56095 + } else if (unlikely((mode & needmode) != needmode))
56096 + return 0;
56097 +
56098 + return 1;
56099 +}
56100 +
56101 +__u32
56102 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56103 + const struct dentry * parent_dentry,
56104 + const struct vfsmount * parent_mnt, const char *from)
56105 +{
56106 + __u32 needmode = GR_WRITE | GR_CREATE;
56107 + __u32 mode;
56108 +
56109 + mode =
56110 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
56111 + GR_CREATE | GR_AUDIT_CREATE |
56112 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56113 +
56114 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56115 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56116 + return mode;
56117 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56118 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56119 + return 0;
56120 + } else if (unlikely((mode & needmode) != needmode))
56121 + return 0;
56122 +
56123 + return (GR_WRITE | GR_CREATE);
56124 +}
56125 +
56126 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56127 +{
56128 + __u32 mode;
56129 +
56130 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56131 +
56132 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56133 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56134 + return mode;
56135 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56136 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56137 + return 0;
56138 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56139 + return 0;
56140 +
56141 + return (reqmode);
56142 +}
56143 +
56144 +__u32
56145 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56146 + const struct dentry * parent_dentry,
56147 + const struct vfsmount * parent_mnt,
56148 + const int mode)
56149 +{
56150 + __u32 reqmode = GR_WRITE | GR_CREATE;
56151 + if (unlikely(mode & (S_ISUID | S_ISGID)))
56152 + reqmode |= GR_SETID;
56153 +
56154 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56155 + reqmode, GR_MKNOD_ACL_MSG);
56156 +}
56157 +
56158 +__u32
56159 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
56160 + const struct dentry *parent_dentry,
56161 + const struct vfsmount *parent_mnt)
56162 +{
56163 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56164 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56165 +}
56166 +
56167 +#define RENAME_CHECK_SUCCESS(old, new) \
56168 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56169 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56170 +
56171 +int
56172 +gr_acl_handle_rename(struct dentry *new_dentry,
56173 + struct dentry *parent_dentry,
56174 + const struct vfsmount *parent_mnt,
56175 + struct dentry *old_dentry,
56176 + struct inode *old_parent_inode,
56177 + struct vfsmount *old_mnt, const char *newname)
56178 +{
56179 + __u32 comp1, comp2;
56180 + int error = 0;
56181 +
56182 + if (unlikely(!gr_acl_is_enabled()))
56183 + return 0;
56184 +
56185 + if (!new_dentry->d_inode) {
56186 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56187 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56188 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56189 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56190 + GR_DELETE | GR_AUDIT_DELETE |
56191 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56192 + GR_SUPPRESS, old_mnt);
56193 + } else {
56194 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56195 + GR_CREATE | GR_DELETE |
56196 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56197 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56198 + GR_SUPPRESS, parent_mnt);
56199 + comp2 =
56200 + gr_search_file(old_dentry,
56201 + GR_READ | GR_WRITE | GR_AUDIT_READ |
56202 + GR_DELETE | GR_AUDIT_DELETE |
56203 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56204 + }
56205 +
56206 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56207 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56208 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56209 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56210 + && !(comp2 & GR_SUPPRESS)) {
56211 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56212 + error = -EACCES;
56213 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56214 + error = -EACCES;
56215 +
56216 + return error;
56217 +}
56218 +
56219 +void
56220 +gr_acl_handle_exit(void)
56221 +{
56222 + u16 id;
56223 + char *rolename;
56224 + struct file *exec_file;
56225 +
56226 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56227 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56228 + id = current->acl_role_id;
56229 + rolename = current->role->rolename;
56230 + gr_set_acls(1);
56231 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56232 + }
56233 +
56234 + write_lock(&grsec_exec_file_lock);
56235 + exec_file = current->exec_file;
56236 + current->exec_file = NULL;
56237 + write_unlock(&grsec_exec_file_lock);
56238 +
56239 + if (exec_file)
56240 + fput(exec_file);
56241 +}
56242 +
56243 +int
56244 +gr_acl_handle_procpidmem(const struct task_struct *task)
56245 +{
56246 + if (unlikely(!gr_acl_is_enabled()))
56247 + return 0;
56248 +
56249 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56250 + return -EACCES;
56251 +
56252 + return 0;
56253 +}
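Review bot: gr_acl_handle_symlink's audit branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than the full `needmode` (GR_WRITE | GR_CREATE), unlike generic_fs_create_handler and gr_acl_handle_creat in the same file, which require `(mode & reqmode) == reqmode` before taking the success path. If gr_check_create (defined outside this hunk) can return a mode with GR_WRITE and an audit bit but without GR_CREATE, this branch returns a non-zero mode and logs an audited success before the `needmode` checks below it are reached. Aligning it with the siblings closes that gap: `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`.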
56254 diff -urNp linux-2.6.39.2/grsecurity/gracl_ip.c linux-2.6.39.2/grsecurity/gracl_ip.c
56255 --- linux-2.6.39.2/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56256 +++ linux-2.6.39.2/grsecurity/gracl_ip.c 2011-05-22 22:47:31.000000000 -0400
56257 @@ -0,0 +1,381 @@
56258 +#include <linux/kernel.h>
56259 +#include <asm/uaccess.h>
56260 +#include <asm/errno.h>
56261 +#include <net/sock.h>
56262 +#include <linux/file.h>
56263 +#include <linux/fs.h>
56264 +#include <linux/net.h>
56265 +#include <linux/in.h>
56266 +#include <linux/skbuff.h>
56267 +#include <linux/ip.h>
56268 +#include <linux/udp.h>
56269 +#include <linux/types.h>
56270 +#include <linux/sched.h>
56271 +#include <linux/netdevice.h>
56272 +#include <linux/inetdevice.h>
56273 +#include <linux/gracl.h>
56274 +#include <linux/grsecurity.h>
56275 +#include <linux/grinternal.h>
56276 +
56277 +#define GR_BIND 0x01
56278 +#define GR_CONNECT 0x02
56279 +#define GR_INVERT 0x04
56280 +#define GR_BINDOVERRIDE 0x08
56281 +#define GR_CONNECTOVERRIDE 0x10
56282 +#define GR_SOCK_FAMILY 0x20
56283 +
56284 +static const char * gr_protocols[IPPROTO_MAX] = {
56285 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
56286 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
56287 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
56288 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
56289 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
56290 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
56291 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
56292 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
56293 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
56294 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
56295 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
56296 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
56297 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
56298 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
56299 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
56300 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
56301 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
56302 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
56303 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
56304 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
56305 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
56306 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
56307 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
56308 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
56309 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
56310 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
56311 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
56312 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
56313 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
56314 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
56315 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
56316 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
56317 + };
56318 +
56319 +static const char * gr_socktypes[SOCK_MAX] = {
56320 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
56321 + "unknown:7", "unknown:8", "unknown:9", "packet"
56322 + };
56323 +
56324 +static const char * gr_sockfamilies[AF_MAX+1] = {
56325 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
56326 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
56327 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
56328 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
56329 + };
56330 +
56331 +const char *
56332 +gr_proto_to_name(unsigned char proto)
56333 +{
56334 + return gr_protocols[proto];
56335 +}
56336 +
56337 +const char *
56338 +gr_socktype_to_name(unsigned char type)
56339 +{
56340 + return gr_socktypes[type];
56341 +}
56342 +
56343 +const char *
56344 +gr_sockfamily_to_name(unsigned char family)
56345 +{
56346 + return gr_sockfamilies[family];
56347 +}
56348 +
56349 +int
56350 +gr_search_socket(const int domain, const int type, const int protocol)
56351 +{
56352 + struct acl_subject_label *curr;
56353 + const struct cred *cred = current_cred();
56354 +
56355 + if (unlikely(!gr_acl_is_enabled()))
56356 + goto exit;
56357 +
56358 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
56359 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
56360 + goto exit; // let the kernel handle it
56361 +
56362 + curr = current->acl;
56363 +
56364 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
56365 + /* the family is allowed, if this is PF_INET allow it only if
56366 + the extra sock type/protocol checks pass */
56367 + if (domain == PF_INET)
56368 + goto inet_check;
56369 + goto exit;
56370 + } else {
56371 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56372 + __u32 fakeip = 0;
56373 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56374 + current->role->roletype, cred->uid,
56375 + cred->gid, current->exec_file ?
56376 + gr_to_filename(current->exec_file->f_path.dentry,
56377 + current->exec_file->f_path.mnt) :
56378 + curr->filename, curr->filename,
56379 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
56380 + &current->signal->saved_ip);
56381 + goto exit;
56382 + }
56383 + goto exit_fail;
56384 + }
56385 +
56386 +inet_check:
56387 + /* the rest of this checking is for IPv4 only */
56388 + if (!curr->ips)
56389 + goto exit;
56390 +
56391 + if ((curr->ip_type & (1 << type)) &&
56392 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
56393 + goto exit;
56394 +
56395 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56396 + /* we don't place acls on raw sockets , and sometimes
56397 + dgram/ip sockets are opened for ioctl and not
56398 + bind/connect, so we'll fake a bind learn log */
56399 + if (type == SOCK_RAW || type == SOCK_PACKET) {
56400 + __u32 fakeip = 0;
56401 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56402 + current->role->roletype, cred->uid,
56403 + cred->gid, current->exec_file ?
56404 + gr_to_filename(current->exec_file->f_path.dentry,
56405 + current->exec_file->f_path.mnt) :
56406 + curr->filename, curr->filename,
56407 + &fakeip, 0, type,
56408 + protocol, GR_CONNECT, &current->signal->saved_ip);
56409 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
56410 + __u32 fakeip = 0;
56411 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56412 + current->role->roletype, cred->uid,
56413 + cred->gid, current->exec_file ?
56414 + gr_to_filename(current->exec_file->f_path.dentry,
56415 + current->exec_file->f_path.mnt) :
56416 + curr->filename, curr->filename,
56417 + &fakeip, 0, type,
56418 + protocol, GR_BIND, &current->signal->saved_ip);
56419 + }
56420 + /* we'll log when they use connect or bind */
56421 + goto exit;
56422 + }
56423 +
56424 +exit_fail:
56425 + if (domain == PF_INET)
56426 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
56427 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
56428 + else
56429 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
56430 + gr_socktype_to_name(type), protocol);
56431 +
56432 + return 0;
56433 +exit:
56434 + return 1;
56435 +}
56436 +
56437 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
56438 +{
56439 + if ((ip->mode & mode) &&
56440 + (ip_port >= ip->low) &&
56441 + (ip_port <= ip->high) &&
56442 + ((ntohl(ip_addr) & our_netmask) ==
56443 + (ntohl(our_addr) & our_netmask))
56444 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
56445 + && (ip->type & (1 << type))) {
56446 + if (ip->mode & GR_INVERT)
56447 + return 2; // specifically denied
56448 + else
56449 + return 1; // allowed
56450 + }
56451 +
56452 + return 0; // not specifically allowed, may continue parsing
56453 +}
56454 +
56455 +static int
56456 +gr_search_connectbind(const int full_mode, struct sock *sk,
56457 + struct sockaddr_in *addr, const int type)
56458 +{
56459 + char iface[IFNAMSIZ] = {0};
56460 + struct acl_subject_label *curr;
56461 + struct acl_ip_label *ip;
56462 + struct inet_sock *isk;
56463 + struct net_device *dev;
56464 + struct in_device *idev;
56465 + unsigned long i;
56466 + int ret;
56467 + int mode = full_mode & (GR_BIND | GR_CONNECT);
56468 + __u32 ip_addr = 0;
56469 + __u32 our_addr;
56470 + __u32 our_netmask;
56471 + char *p;
56472 + __u16 ip_port = 0;
56473 + const struct cred *cred = current_cred();
56474 +
56475 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
56476 + return 0;
56477 +
56478 + curr = current->acl;
56479 + isk = inet_sk(sk);
56480 +
56481 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
56482 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
56483 + addr->sin_addr.s_addr = curr->inaddr_any_override;
56484 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
56485 + struct sockaddr_in saddr;
56486 + int err;
56487 +
56488 + saddr.sin_family = AF_INET;
56489 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
56490 + saddr.sin_port = isk->inet_sport;
56491 +
56492 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56493 + if (err)
56494 + return err;
56495 +
56496 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56497 + if (err)
56498 + return err;
56499 + }
56500 +
56501 + if (!curr->ips)
56502 + return 0;
56503 +
56504 + ip_addr = addr->sin_addr.s_addr;
56505 + ip_port = ntohs(addr->sin_port);
56506 +
56507 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56508 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56509 + current->role->roletype, cred->uid,
56510 + cred->gid, current->exec_file ?
56511 + gr_to_filename(current->exec_file->f_path.dentry,
56512 + current->exec_file->f_path.mnt) :
56513 + curr->filename, curr->filename,
56514 + &ip_addr, ip_port, type,
56515 + sk->sk_protocol, mode, &current->signal->saved_ip);
56516 + return 0;
56517 + }
56518 +
56519 + for (i = 0; i < curr->ip_num; i++) {
56520 + ip = *(curr->ips + i);
56521 + if (ip->iface != NULL) {
56522 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
56523 + p = strchr(iface, ':');
56524 + if (p != NULL)
56525 + *p = '\0';
56526 + dev = dev_get_by_name(sock_net(sk), iface);
56527 + if (dev == NULL)
56528 + continue;
56529 + idev = in_dev_get(dev);
56530 + if (idev == NULL) {
56531 + dev_put(dev);
56532 + continue;
56533 + }
56534 + rcu_read_lock();
56535 + for_ifa(idev) {
56536 + if (!strcmp(ip->iface, ifa->ifa_label)) {
56537 + our_addr = ifa->ifa_address;
56538 + our_netmask = 0xffffffff;
56539 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56540 + if (ret == 1) {
56541 + rcu_read_unlock();
56542 + in_dev_put(idev);
56543 + dev_put(dev);
56544 + return 0;
56545 + } else if (ret == 2) {
56546 + rcu_read_unlock();
56547 + in_dev_put(idev);
56548 + dev_put(dev);
56549 + goto denied;
56550 + }
56551 + }
56552 + } endfor_ifa(idev);
56553 + rcu_read_unlock();
56554 + in_dev_put(idev);
56555 + dev_put(dev);
56556 + } else {
56557 + our_addr = ip->addr;
56558 + our_netmask = ip->netmask;
56559 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56560 + if (ret == 1)
56561 + return 0;
56562 + else if (ret == 2)
56563 + goto denied;
56564 + }
56565 + }
56566 +
56567 +denied:
56568 + if (mode == GR_BIND)
56569 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56570 + else if (mode == GR_CONNECT)
56571 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56572 +
56573 + return -EACCES;
56574 +}
56575 +
56576 +int
56577 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
56578 +{
56579 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
56580 +}
56581 +
56582 +int
56583 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
56584 +{
56585 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
56586 +}
56587 +
56588 +int gr_search_listen(struct socket *sock)
56589 +{
56590 + struct sock *sk = sock->sk;
56591 + struct sockaddr_in addr;
56592 +
56593 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56594 + addr.sin_port = inet_sk(sk)->inet_sport;
56595 +
56596 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56597 +}
56598 +
56599 +int gr_search_accept(struct socket *sock)
56600 +{
56601 + struct sock *sk = sock->sk;
56602 + struct sockaddr_in addr;
56603 +
56604 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56605 + addr.sin_port = inet_sk(sk)->inet_sport;
56606 +
56607 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56608 +}
56609 +
56610 +int
56611 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
56612 +{
56613 + if (addr)
56614 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
56615 + else {
56616 + struct sockaddr_in sin;
56617 + const struct inet_sock *inet = inet_sk(sk);
56618 +
56619 + sin.sin_addr.s_addr = inet->inet_daddr;
56620 + sin.sin_port = inet->inet_dport;
56621 +
56622 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56623 + }
56624 +}
56625 +
56626 +int
56627 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
56628 +{
56629 + struct sockaddr_in sin;
56630 +
56631 + if (unlikely(skb->len < sizeof (struct udphdr)))
56632 + return 0; // skip this packet
56633 +
56634 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
56635 + sin.sin_port = udp_hdr(skb)->source;
56636 +
56637 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56638 +}
56639 diff -urNp linux-2.6.39.2/grsecurity/gracl_learn.c linux-2.6.39.2/grsecurity/gracl_learn.c
56640 --- linux-2.6.39.2/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
56641 +++ linux-2.6.39.2/grsecurity/gracl_learn.c 2011-05-22 22:47:45.000000000 -0400
56642 @@ -0,0 +1,210 @@
56643 +#include <linux/kernel.h>
56644 +#include <linux/mm.h>
56645 +#include <linux/sched.h>
56646 +#include <linux/poll.h>
56647 +#include <linux/string.h>
56648 +#include <linux/file.h>
56649 +#include <linux/types.h>
56650 +#include <linux/vmalloc.h>
56651 +#include <linux/grinternal.h>
56652 +
56653 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
56654 + size_t count, loff_t *ppos);
56655 +extern int gr_acl_is_enabled(void);
56656 +
56657 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
56658 +static int gr_learn_attached;
56659 +
56660 +/* use a 512k buffer */
56661 +#define LEARN_BUFFER_SIZE (512 * 1024)
56662 +
56663 +static DEFINE_SPINLOCK(gr_learn_lock);
56664 +static DEFINE_MUTEX(gr_learn_user_mutex);
56665 +
56666 +/* we need to maintain two buffers, so that the kernel context of grlearn
56667 + uses a semaphore around the userspace copying, and the other kernel contexts
56668 + use a spinlock when copying into the buffer, since they cannot sleep
56669 +*/
56670 +static char *learn_buffer;
56671 +static char *learn_buffer_user;
56672 +static int learn_buffer_len;
56673 +static int learn_buffer_user_len;
56674 +
56675 +static ssize_t
56676 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
56677 +{
56678 + DECLARE_WAITQUEUE(wait, current);
56679 + ssize_t retval = 0;
56680 +
56681 + add_wait_queue(&learn_wait, &wait);
56682 + set_current_state(TASK_INTERRUPTIBLE);
56683 + do {
56684 + mutex_lock(&gr_learn_user_mutex);
56685 + spin_lock(&gr_learn_lock);
56686 + if (learn_buffer_len)
56687 + break;
56688 + spin_unlock(&gr_learn_lock);
56689 + mutex_unlock(&gr_learn_user_mutex);
56690 + if (file->f_flags & O_NONBLOCK) {
56691 + retval = -EAGAIN;
56692 + goto out;
56693 + }
56694 + if (signal_pending(current)) {
56695 + retval = -ERESTARTSYS;
56696 + goto out;
56697 + }
56698 +
56699 + schedule();
56700 + } while (1);
56701 +
56702 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
56703 + learn_buffer_user_len = learn_buffer_len;
56704 + retval = learn_buffer_len;
56705 + learn_buffer_len = 0;
56706 +
56707 + spin_unlock(&gr_learn_lock);
56708 +
56709 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
56710 + retval = -EFAULT;
56711 +
56712 + mutex_unlock(&gr_learn_user_mutex);
56713 +out:
56714 + set_current_state(TASK_RUNNING);
56715 + remove_wait_queue(&learn_wait, &wait);
56716 + return retval;
56717 +}
56718 +
56719 +static unsigned int
56720 +poll_learn(struct file * file, poll_table * wait)
56721 +{
56722 + poll_wait(file, &learn_wait, wait);
56723 +
56724 + if (learn_buffer_len)
56725 + return (POLLIN | POLLRDNORM);
56726 +
56727 + return 0;
56728 +}
56729 +
56730 +void
56731 +gr_clear_learn_entries(void)
56732 +{
56733 + char *tmp;
56734 +
56735 + mutex_lock(&gr_learn_user_mutex);
56736 + if (learn_buffer != NULL) {
56737 + spin_lock(&gr_learn_lock);
56738 + tmp = learn_buffer;
56739 + learn_buffer = NULL;
56740 + spin_unlock(&gr_learn_lock);
56741 + vfree(learn_buffer);
56742 + }
56743 + if (learn_buffer_user != NULL) {
56744 + vfree(learn_buffer_user);
56745 + learn_buffer_user = NULL;
56746 + }
56747 + learn_buffer_len = 0;
56748 + mutex_unlock(&gr_learn_user_mutex);
56749 +
56750 + return;
56751 +}
56752 +
56753 +void
56754 +gr_add_learn_entry(const char *fmt, ...)
56755 +{
56756 + va_list args;
56757 + unsigned int len;
56758 +
56759 + if (!gr_learn_attached)
56760 + return;
56761 +
56762 + spin_lock(&gr_learn_lock);
56763 +
56764 + /* leave a gap at the end so we know when it's "full" but don't have to
56765 + compute the exact length of the string we're trying to append
56766 + */
56767 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
56768 + spin_unlock(&gr_learn_lock);
56769 + wake_up_interruptible(&learn_wait);
56770 + return;
56771 + }
56772 + if (learn_buffer == NULL) {
56773 + spin_unlock(&gr_learn_lock);
56774 + return;
56775 + }
56776 +
56777 + va_start(args, fmt);
56778 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
56779 + va_end(args);
56780 +
56781 + learn_buffer_len += len + 1;
56782 +
56783 + spin_unlock(&gr_learn_lock);
56784 + wake_up_interruptible(&learn_wait);
56785 +
56786 + return;
56787 +}
56788 +
56789 +static int
56790 +open_learn(struct inode *inode, struct file *file)
56791 +{
56792 + if (file->f_mode & FMODE_READ && gr_learn_attached)
56793 + return -EBUSY;
56794 + if (file->f_mode & FMODE_READ) {
56795 + int retval = 0;
56796 + mutex_lock(&gr_learn_user_mutex);
56797 + if (learn_buffer == NULL)
56798 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
56799 + if (learn_buffer_user == NULL)
56800 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
56801 + if (learn_buffer == NULL) {
56802 + retval = -ENOMEM;
56803 + goto out_error;
56804 + }
56805 + if (learn_buffer_user == NULL) {
56806 + retval = -ENOMEM;
56807 + goto out_error;
56808 + }
56809 + learn_buffer_len = 0;
56810 + learn_buffer_user_len = 0;
56811 + gr_learn_attached = 1;
56812 +out_error:
56813 + mutex_unlock(&gr_learn_user_mutex);
56814 + return retval;
56815 + }
56816 + return 0;
56817 +}
56818 +
56819 +static int
56820 +close_learn(struct inode *inode, struct file *file)
56821 +{
56822 + char *tmp;
56823 +
56824 + if (file->f_mode & FMODE_READ) {
56825 + mutex_lock(&gr_learn_user_mutex);
56826 + if (learn_buffer != NULL) {
56827 + spin_lock(&gr_learn_lock);
56828 + tmp = learn_buffer;
56829 + learn_buffer = NULL;
56830 + spin_unlock(&gr_learn_lock);
56831 + vfree(tmp);
56832 + }
56833 + if (learn_buffer_user != NULL) {
56834 + vfree(learn_buffer_user);
56835 + learn_buffer_user = NULL;
56836 + }
56837 + learn_buffer_len = 0;
56838 + learn_buffer_user_len = 0;
56839 + gr_learn_attached = 0;
56840 + mutex_unlock(&gr_learn_user_mutex);
56841 + }
56842 +
56843 + return 0;
56844 +}
56845 +
56846 +const struct file_operations grsec_fops = {
56847 + .read = read_learn,
56848 + .write = write_grsec_handler,
56849 + .open = open_learn,
56850 + .release = close_learn,
56851 + .poll = poll_learn,
56852 +};
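Review bot: gr_clear_learn_entries() saves the buffer in `tmp`, sets `learn_buffer = NULL` and then calls `vfree(learn_buffer)`, so it frees NULL and the 512k allocation is never released. close_learn() runs the same sequence correctly, and the call here should be `vfree(tmp);`. Separately, read_learn() never compares `count` with `learn_buffer_user_len` before `copy_to_user()`, so a reader that passes a smaller buffer gets more bytes written than it asked for; the copy should be bounded by `count` or the read failed. gr_add_learn_entry() also adds the vsnprintf() return value to `learn_buffer_len` unclamped, which stays in bounds only while no single entry exceeds the 16384-byte gap.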
56853 diff -urNp linux-2.6.39.2/grsecurity/gracl_res.c linux-2.6.39.2/grsecurity/gracl_res.c
56854 --- linux-2.6.39.2/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
56855 +++ linux-2.6.39.2/grsecurity/gracl_res.c 2011-05-22 19:41:42.000000000 -0400
56856 @@ -0,0 +1,68 @@
56857 +#include <linux/kernel.h>
56858 +#include <linux/sched.h>
56859 +#include <linux/gracl.h>
56860 +#include <linux/grinternal.h>
56861 +
56862 +static const char *restab_log[] = {
56863 + [RLIMIT_CPU] = "RLIMIT_CPU",
56864 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
56865 + [RLIMIT_DATA] = "RLIMIT_DATA",
56866 + [RLIMIT_STACK] = "RLIMIT_STACK",
56867 + [RLIMIT_CORE] = "RLIMIT_CORE",
56868 + [RLIMIT_RSS] = "RLIMIT_RSS",
56869 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
56870 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
56871 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
56872 + [RLIMIT_AS] = "RLIMIT_AS",
56873 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
56874 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
56875 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
56876 + [RLIMIT_NICE] = "RLIMIT_NICE",
56877 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
56878 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
56879 + [GR_CRASH_RES] = "RLIMIT_CRASH"
56880 +};
56881 +
56882 +void
56883 +gr_log_resource(const struct task_struct *task,
56884 + const int res, const unsigned long wanted, const int gt)
56885 +{
56886 + const struct cred *cred;
56887 + unsigned long rlim;
56888 +
56889 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
56890 + return;
56891 +
56892 + // not yet supported resource
56893 + if (unlikely(!restab_log[res]))
56894 + return;
56895 +
56896 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
56897 + rlim = task_rlimit_max(task, res);
56898 + else
56899 + rlim = task_rlimit(task, res);
56900 +
56901 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
56902 + return;
56903 +
56904 + rcu_read_lock();
56905 + cred = __task_cred(task);
56906 +
56907 + if (res == RLIMIT_NPROC &&
56908 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
56909 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
56910 + goto out_rcu_unlock;
56911 + else if (res == RLIMIT_MEMLOCK &&
56912 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
56913 + goto out_rcu_unlock;
56914 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
56915 + goto out_rcu_unlock;
56916 + rcu_read_unlock();
56917 +
56918 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
56919 +
56920 + return;
56921 +out_rcu_unlock:
56922 + rcu_read_unlock();
56923 + return;
56924 +}
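Review bot: gr_log_resource() indexes `restab_log[res]` without checking that `res` lies inside the table, so an out-of-range value reads past the array before the NULL test can reject it. The callers are outside this hunk and may only pass constants, but a guard costs little: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. A one-line comment on `gt` would also help, since it decides whether `wanted == rlim` counts as within the limit and that is not evident from the signature.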
56925 diff -urNp linux-2.6.39.2/grsecurity/gracl_segv.c linux-2.6.39.2/grsecurity/gracl_segv.c
56926 --- linux-2.6.39.2/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
56927 +++ linux-2.6.39.2/grsecurity/gracl_segv.c 2011-05-22 22:47:39.000000000 -0400
56928 @@ -0,0 +1,299 @@
56929 +#include <linux/kernel.h>
56930 +#include <linux/mm.h>
56931 +#include <asm/uaccess.h>
56932 +#include <asm/errno.h>
56933 +#include <asm/mman.h>
56934 +#include <net/sock.h>
56935 +#include <linux/file.h>
56936 +#include <linux/fs.h>
56937 +#include <linux/net.h>
56938 +#include <linux/in.h>
56939 +#include <linux/slab.h>
56940 +#include <linux/types.h>
56941 +#include <linux/sched.h>
56942 +#include <linux/timer.h>
56943 +#include <linux/gracl.h>
56944 +#include <linux/grsecurity.h>
56945 +#include <linux/grinternal.h>
56946 +
56947 +static struct crash_uid *uid_set;
56948 +static unsigned short uid_used;
56949 +static DEFINE_SPINLOCK(gr_uid_lock);
56950 +extern rwlock_t gr_inode_lock;
56951 +extern struct acl_subject_label *
56952 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
56953 + struct acl_role_label *role);
56954 +
56955 +#ifdef CONFIG_BTRFS_FS
56956 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
56957 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
56958 +#endif
56959 +
56960 +static inline dev_t __get_dev(const struct dentry *dentry)
56961 +{
56962 +#ifdef CONFIG_BTRFS_FS
56963 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
56964 + return get_btrfs_dev_from_inode(dentry->d_inode);
56965 + else
56966 +#endif
56967 + return dentry->d_inode->i_sb->s_dev;
56968 +}
56969 +
56970 +int
56971 +gr_init_uidset(void)
56972 +{
56973 + uid_set =
56974 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
56975 + uid_used = 0;
56976 +
56977 + return uid_set ? 1 : 0;
56978 +}
56979 +
56980 +void
56981 +gr_free_uidset(void)
56982 +{
56983 + if (uid_set)
56984 + kfree(uid_set);
56985 +
56986 + return;
56987 +}
56988 +
56989 +int
56990 +gr_find_uid(const uid_t uid)
56991 +{
56992 + struct crash_uid *tmp = uid_set;
56993 + uid_t buid;
56994 + int low = 0, high = uid_used - 1, mid;
56995 +
56996 + while (high >= low) {
56997 + mid = (low + high) >> 1;
56998 + buid = tmp[mid].uid;
56999 + if (buid == uid)
57000 + return mid;
57001 + if (buid > uid)
57002 + high = mid - 1;
57003 + if (buid < uid)
57004 + low = mid + 1;
57005 + }
57006 +
57007 + return -1;
57008 +}
57009 +
57010 +static __inline__ void
57011 +gr_insertsort(void)
57012 +{
57013 + unsigned short i, j;
57014 + struct crash_uid index;
57015 +
57016 + for (i = 1; i < uid_used; i++) {
57017 + index = uid_set[i];
57018 + j = i;
57019 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57020 + uid_set[j] = uid_set[j - 1];
57021 + j--;
57022 + }
57023 + uid_set[j] = index;
57024 + }
57025 +
57026 + return;
57027 +}
57028 +
57029 +static __inline__ void
57030 +gr_insert_uid(const uid_t uid, const unsigned long expires)
57031 +{
57032 + int loc;
57033 +
57034 + if (uid_used == GR_UIDTABLE_MAX)
57035 + return;
57036 +
57037 + loc = gr_find_uid(uid);
57038 +
57039 + if (loc >= 0) {
57040 + uid_set[loc].expires = expires;
57041 + return;
57042 + }
57043 +
57044 + uid_set[uid_used].uid = uid;
57045 + uid_set[uid_used].expires = expires;
57046 + uid_used++;
57047 +
57048 + gr_insertsort();
57049 +
57050 + return;
57051 +}
57052 +
57053 +void
57054 +gr_remove_uid(const unsigned short loc)
57055 +{
57056 + unsigned short i;
57057 +
57058 + for (i = loc + 1; i < uid_used; i++)
57059 + uid_set[i - 1] = uid_set[i];
57060 +
57061 + uid_used--;
57062 +
57063 + return;
57064 +}
57065 +
57066 +int
57067 +gr_check_crash_uid(const uid_t uid)
57068 +{
57069 + int loc;
57070 + int ret = 0;
57071 +
57072 + if (unlikely(!gr_acl_is_enabled()))
57073 + return 0;
57074 +
57075 + spin_lock(&gr_uid_lock);
57076 + loc = gr_find_uid(uid);
57077 +
57078 + if (loc < 0)
57079 + goto out_unlock;
57080 +
57081 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
57082 + gr_remove_uid(loc);
57083 + else
57084 + ret = 1;
57085 +
57086 +out_unlock:
57087 + spin_unlock(&gr_uid_lock);
57088 + return ret;
57089 +}
57090 +
57091 +static __inline__ int
57092 +proc_is_setxid(const struct cred *cred)
57093 +{
57094 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
57095 + cred->uid != cred->fsuid)
57096 + return 1;
57097 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57098 + cred->gid != cred->fsgid)
57099 + return 1;
57100 +
57101 + return 0;
57102 +}
57103 +
57104 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
57105 +
57106 +void
57107 +gr_handle_crash(struct task_struct *task, const int sig)
57108 +{
57109 + struct acl_subject_label *curr;
57110 + struct acl_subject_label *curr2;
57111 + struct task_struct *tsk, *tsk2;
57112 + const struct cred *cred;
57113 + const struct cred *cred2;
57114 +
57115 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57116 + return;
57117 +
57118 + if (unlikely(!gr_acl_is_enabled()))
57119 + return;
57120 +
57121 + curr = task->acl;
57122 +
57123 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
57124 + return;
57125 +
57126 + if (time_before_eq(curr->expires, get_seconds())) {
57127 + curr->expires = 0;
57128 + curr->crashes = 0;
57129 + }
57130 +
57131 + curr->crashes++;
57132 +
57133 + if (!curr->expires)
57134 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57135 +
57136 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57137 + time_after(curr->expires, get_seconds())) {
57138 + rcu_read_lock();
57139 + cred = __task_cred(task);
57140 + if (cred->uid && proc_is_setxid(cred)) {
57141 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57142 + spin_lock(&gr_uid_lock);
57143 + gr_insert_uid(cred->uid, curr->expires);
57144 + spin_unlock(&gr_uid_lock);
57145 + curr->expires = 0;
57146 + curr->crashes = 0;
57147 + read_lock(&tasklist_lock);
57148 + do_each_thread(tsk2, tsk) {
57149 + cred2 = __task_cred(tsk);
57150 + if (tsk != task && cred2->uid == cred->uid)
57151 + gr_fake_force_sig(SIGKILL, tsk);
57152 + } while_each_thread(tsk2, tsk);
57153 + read_unlock(&tasklist_lock);
57154 + } else {
57155 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57156 + read_lock(&tasklist_lock);
57157 + do_each_thread(tsk2, tsk) {
57158 + if (likely(tsk != task)) {
57159 + curr2 = tsk->acl;
57160 +
57161 + if (curr2->device == curr->device &&
57162 + curr2->inode == curr->inode)
57163 + gr_fake_force_sig(SIGKILL, tsk);
57164 + }
57165 + } while_each_thread(tsk2, tsk);
57166 + read_unlock(&tasklist_lock);
57167 + }
57168 + rcu_read_unlock();
57169 + }
57170 +
57171 + return;
57172 +}
57173 +
57174 +int
57175 +gr_check_crash_exec(const struct file *filp)
57176 +{
57177 + struct acl_subject_label *curr;
57178 +
57179 + if (unlikely(!gr_acl_is_enabled()))
57180 + return 0;
57181 +
57182 + read_lock(&gr_inode_lock);
57183 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57184 + __get_dev(filp->f_path.dentry),
57185 + current->role);
57186 + read_unlock(&gr_inode_lock);
57187 +
57188 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57189 + (!curr->crashes && !curr->expires))
57190 + return 0;
57191 +
57192 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57193 + time_after(curr->expires, get_seconds()))
57194 + return 1;
57195 + else if (time_before_eq(curr->expires, get_seconds())) {
57196 + curr->crashes = 0;
57197 + curr->expires = 0;
57198 + }
57199 +
57200 + return 0;
57201 +}
57202 +
57203 +void
57204 +gr_handle_alertkill(struct task_struct *task)
57205 +{
57206 + struct acl_subject_label *curracl;
57207 + __u32 curr_ip;
57208 + struct task_struct *p, *p2;
57209 +
57210 + if (unlikely(!gr_acl_is_enabled()))
57211 + return;
57212 +
57213 + curracl = task->acl;
57214 + curr_ip = task->signal->curr_ip;
57215 +
57216 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57217 + read_lock(&tasklist_lock);
57218 + do_each_thread(p2, p) {
57219 + if (p->signal->curr_ip == curr_ip)
57220 + gr_fake_force_sig(SIGKILL, p);
57221 + } while_each_thread(p2, p);
57222 + read_unlock(&tasklist_lock);
57223 + } else if (curracl->mode & GR_KILLPROC)
57224 + gr_fake_force_sig(SIGKILL, task);
57225 +
57226 + return;
57227 +}
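Review bot: gr_insert_uid() tests `uid_used == GR_UIDTABLE_MAX` before calling gr_find_uid(), so once the table is full an already-listed uid no longer gets its `expires` refreshed and a new uid is dropped with no log, meaning the crash lockout silently stops being recorded. Doing the lookup first and checking for a full table only on the insert path fixes the refresh case, and a log line on the full path would make the dropped ban visible; within this file, expired entries are removed only in gr_check_crash_uid() for the uid being checked. gr_free_uidset() should also reset its state after freeing, `kfree(uid_set); uid_set = NULL; uid_used = 0;`, because gr_find_uid() indexes `uid_set` whenever `uid_used` is non-zero. In gr_handle_crash() and gr_check_crash_exec() the `crashes` and `expires` fields of the subject label are updated with no lock visible in this hunk, which looks racy if several tasks share a subject.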
57228 diff -urNp linux-2.6.39.2/grsecurity/gracl_shm.c linux-2.6.39.2/grsecurity/gracl_shm.c
57229 --- linux-2.6.39.2/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57230 +++ linux-2.6.39.2/grsecurity/gracl_shm.c 2011-05-22 19:41:42.000000000 -0400
57231 @@ -0,0 +1,40 @@
57232 +#include <linux/kernel.h>
57233 +#include <linux/mm.h>
57234 +#include <linux/sched.h>
57235 +#include <linux/file.h>
57236 +#include <linux/ipc.h>
57237 +#include <linux/gracl.h>
57238 +#include <linux/grsecurity.h>
57239 +#include <linux/grinternal.h>
57240 +
57241 +int
57242 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57243 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57244 +{
57245 + struct task_struct *task;
57246 +
57247 + if (!gr_acl_is_enabled())
57248 + return 1;
57249 +
57250 + rcu_read_lock();
57251 + read_lock(&tasklist_lock);
57252 +
57253 + task = find_task_by_vpid(shm_cprid);
57254 +
57255 + if (unlikely(!task))
57256 + task = find_task_by_vpid(shm_lapid);
57257 +
57258 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57259 + (task->pid == shm_lapid)) &&
57260 + (task->acl->mode & GR_PROTSHM) &&
57261 + (task->acl != current->acl))) {
57262 + read_unlock(&tasklist_lock);
57263 + rcu_read_unlock();
57264 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57265 + return 0;
57266 + }
57267 + read_unlock(&tasklist_lock);
57268 + rcu_read_unlock();
57269 +
57270 + return 1;
57271 +}
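Review bot: The `time_before_eq()` test in gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime`, and the two must be on the same clock for the check to mean anything. As far as I know `start_time` in this kernel comes from the monotonic clock, while the code that fills `shm_createtime` is outside this hunk; if it stores wall-clock seconds, the comparison holds for practically every task and no longer separates the segment's creator from a later process that received the same pid. Please confirm where `shm_createtime` comes from and convert one side if they differ; gr_chroot_shmat() in grsec_chroot.c uses the same comparison. A short comment on the return convention, `/* returns 1 to allow the attach, 0 to deny */`, would also help, since other handlers in this patch return negative errno values instead.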
57272 diff -urNp linux-2.6.39.2/grsecurity/grsec_chdir.c linux-2.6.39.2/grsecurity/grsec_chdir.c
57273 --- linux-2.6.39.2/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57274 +++ linux-2.6.39.2/grsecurity/grsec_chdir.c 2011-05-22 19:41:42.000000000 -0400
57275 @@ -0,0 +1,19 @@
57276 +#include <linux/kernel.h>
57277 +#include <linux/sched.h>
57278 +#include <linux/fs.h>
57279 +#include <linux/file.h>
57280 +#include <linux/grsecurity.h>
57281 +#include <linux/grinternal.h>
57282 +
57283 +void
57284 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57285 +{
57286 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57287 + if ((grsec_enable_chdir && grsec_enable_group &&
57288 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57289 + !grsec_enable_group)) {
57290 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57291 + }
57292 +#endif
57293 + return;
57294 +}
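Review bot: The condition in gr_log_chdir() tests `grsec_enable_chdir` in both arms of the `||`, which makes the group filter harder to read than it needs to be. It is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which states the intent directly: audit when chdir logging is on and either group filtering is off or the caller is in the audit group.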
57295 diff -urNp linux-2.6.39.2/grsecurity/grsec_chroot.c linux-2.6.39.2/grsecurity/grsec_chroot.c
57296 --- linux-2.6.39.2/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57297 +++ linux-2.6.39.2/grsecurity/grsec_chroot.c 2011-06-20 19:44:48.000000000 -0400
57298 @@ -0,0 +1,355 @@
57299 +#include <linux/kernel.h>
57300 +#include <linux/module.h>
57301 +#include <linux/sched.h>
57302 +#include <linux/file.h>
57303 +#include <linux/fs.h>
57304 +#include <linux/mount.h>
57305 +#include <linux/types.h>
57306 +#include <linux/pid_namespace.h>
57307 +#include <linux/grsecurity.h>
57308 +#include <linux/grinternal.h>
57309 +
57310 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
57311 +{
57312 +#ifdef CONFIG_GRKERNSEC
57313 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
57314 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
57315 + task->gr_is_chrooted = 1;
57316 + else
57317 + task->gr_is_chrooted = 0;
57318 +
57319 + task->gr_chroot_dentry = path->dentry;
57320 +#endif
57321 + return;
57322 +}
57323 +
57324 +void gr_clear_chroot_entries(struct task_struct *task)
57325 +{
57326 +#ifdef CONFIG_GRKERNSEC
57327 + task->gr_is_chrooted = 0;
57328 + task->gr_chroot_dentry = NULL;
57329 +#endif
57330 + return;
57331 +}
57332 +
57333 +int
57334 +gr_handle_chroot_unix(struct pid *pid)
57335 +{
57336 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57337 + struct task_struct *p;
57338 +
57339 + if (unlikely(!grsec_enable_chroot_unix))
57340 + return 1;
57341 +
57342 + if (likely(!proc_is_chrooted(current)))
57343 + return 1;
57344 +
57345 + rcu_read_lock();
57346 + read_lock(&tasklist_lock);
57347 + p = pid_task(pid, PIDTYPE_PID);
57348 + if (unlikely(p && !have_same_root(current, p))) {
57349 + read_unlock(&tasklist_lock);
57350 + rcu_read_unlock();
57351 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
57352 + return 0;
57353 + }
57354 + read_unlock(&tasklist_lock);
57355 + rcu_read_unlock();
57356 +#endif
57357 + return 1;
57358 +}
57359 +
57360 +int
57361 +gr_handle_chroot_nice(void)
57362 +{
57363 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57364 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
57365 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
57366 + return -EPERM;
57367 + }
57368 +#endif
57369 + return 0;
57370 +}
57371 +
57372 +int
57373 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
57374 +{
57375 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57376 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
57377 + && proc_is_chrooted(current)) {
57378 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
57379 + return -EACCES;
57380 + }
57381 +#endif
57382 + return 0;
57383 +}
57384 +
57385 +int
57386 +gr_handle_chroot_rawio(const struct inode *inode)
57387 +{
57388 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57389 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
57390 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
57391 + return 1;
57392 +#endif
57393 + return 0;
57394 +}
57395 +
57396 +int
57397 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
57398 +{
57399 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57400 + struct task_struct *p;
57401 + int ret = 0;
57402 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
57403 + return ret;
57404 +
57405 + read_lock(&tasklist_lock);
57406 + do_each_pid_task(pid, type, p) {
57407 + if (!have_same_root(current, p)) {
57408 + ret = 1;
57409 + goto out;
57410 + }
57411 + } while_each_pid_task(pid, type, p);
57412 +out:
57413 + read_unlock(&tasklist_lock);
57414 + return ret;
57415 +#endif
57416 + return 0;
57417 +}
57418 +
57419 +int
57420 +gr_pid_is_chrooted(struct task_struct *p)
57421 +{
57422 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57423 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
57424 + return 0;
57425 +
57426 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
57427 + !have_same_root(current, p)) {
57428 + return 1;
57429 + }
57430 +#endif
57431 + return 0;
57432 +}
57433 +
57434 +EXPORT_SYMBOL(gr_pid_is_chrooted);
57435 +
57436 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
57437 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
57438 +{
57439 + struct path path, currentroot;
57440 + int ret = 0;
57441 +
57442 + path.dentry = (struct dentry *)u_dentry;
57443 + path.mnt = (struct vfsmount *)u_mnt;
57444 + get_fs_root(current->fs, &currentroot);
57445 + if (path_is_under(&path, &currentroot))
57446 + ret = 1;
57447 + path_put(&currentroot);
57448 +
57449 + return ret;
57450 +}
57451 +#endif
57452 +
57453 +int
57454 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
57455 +{
57456 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57457 + if (!grsec_enable_chroot_fchdir)
57458 + return 1;
57459 +
57460 + if (!proc_is_chrooted(current))
57461 + return 1;
57462 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
57463 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
57464 + return 0;
57465 + }
57466 +#endif
57467 + return 1;
57468 +}
57469 +
57470 +int
57471 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57472 + const time_t shm_createtime)
57473 +{
57474 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57475 + struct pid *pid = NULL;
57476 + time_t starttime;
57477 +
57478 + if (unlikely(!grsec_enable_chroot_shmat))
57479 + return 1;
57480 +
57481 + if (likely(!proc_is_chrooted(current)))
57482 + return 1;
57483 +
57484 + rcu_read_lock();
57485 + read_lock(&tasklist_lock);
57486 +
57487 + pid = find_vpid(shm_cprid);
57488 + if (pid) {
57489 + struct task_struct *p;
57490 + p = pid_task(pid, PIDTYPE_PID);
57491 + if (p == NULL)
57492 + goto unlock;
57493 + starttime = p->start_time.tv_sec;
57494 + if (unlikely(!have_same_root(current, p) &&
57495 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
57496 + read_unlock(&tasklist_lock);
57497 + rcu_read_unlock();
57498 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57499 + return 0;
57500 + }
57501 + } else {
57502 + pid = find_vpid(shm_lapid);
57503 + if (pid) {
57504 + struct task_struct *p;
57505 + p = pid_task(pid, PIDTYPE_PID);
57506 + if (p == NULL)
57507 + goto unlock;
57508 + if (unlikely(!have_same_root(current, p))) {
57509 + read_unlock(&tasklist_lock);
57510 + rcu_read_unlock();
57511 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57512 + return 0;
57513 + }
57514 + }
57515 + }
57516 +unlock:
57517 + read_unlock(&tasklist_lock);
57518 + rcu_read_unlock();
57519 +#endif
57520 + return 1;
57521 +}
57522 +
57523 +void
57524 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
57525 +{
57526 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57527 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
57528 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
57529 +#endif
57530 + return;
57531 +}
57532 +
57533 +int
57534 +gr_handle_chroot_mknod(const struct dentry *dentry,
57535 + const struct vfsmount *mnt, const int mode)
57536 +{
57537 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57538 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
57539 + proc_is_chrooted(current)) {
57540 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
57541 + return -EPERM;
57542 + }
57543 +#endif
57544 + return 0;
57545 +}
57546 +
57547 +int
57548 +gr_handle_chroot_mount(const struct dentry *dentry,
57549 + const struct vfsmount *mnt, const char *dev_name)
57550 +{
57551 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57552 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
57553 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
57554 + return -EPERM;
57555 + }
57556 +#endif
57557 + return 0;
57558 +}
57559 +
57560 +int
57561 +gr_handle_chroot_pivot(void)
57562 +{
57563 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57564 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
57565 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
57566 + return -EPERM;
57567 + }
57568 +#endif
57569 + return 0;
57570 +}
57571 +
57572 +int
57573 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
57574 +{
57575 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57576 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
57577 + !gr_is_outside_chroot(dentry, mnt)) {
57578 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
57579 + return -EPERM;
57580 + }
57581 +#endif
57582 + return 0;
57583 +}
57584 +
57585 +int
57586 +gr_handle_chroot_caps(struct path *path)
57587 +{
57588 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57589 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
57590 + (init_task.fs->root.dentry != path->dentry) &&
57591 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
57592 +
57593 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
57594 + const struct cred *old = current_cred();
57595 + struct cred *new = prepare_creds();
57596 + if (new == NULL)
57597 + return 1;
57598 +
57599 + new->cap_permitted = cap_drop(old->cap_permitted,
57600 + chroot_caps);
57601 + new->cap_inheritable = cap_drop(old->cap_inheritable,
57602 + chroot_caps);
57603 + new->cap_effective = cap_drop(old->cap_effective,
57604 + chroot_caps);
57605 +
57606 + commit_creds(new);
57607 +
57608 + return 0;
57609 + }
57610 +#endif
57611 + return 0;
57612 +}
57613 +
57614 +int
57615 +gr_handle_chroot_sysctl(const int op)
57616 +{
57617 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57618 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
57619 + proc_is_chrooted(current))
57620 + return -EACCES;
57621 +#endif
57622 + return 0;
57623 +}
57624 +
57625 +void
57626 +gr_handle_chroot_chdir(struct path *path)
57627 +{
57628 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57629 + if (grsec_enable_chroot_chdir)
57630 + set_fs_pwd(current->fs, path);
57631 +#endif
57632 + return;
57633 +}
57634 +
57635 +int
57636 +gr_handle_chroot_chmod(const struct dentry *dentry,
57637 + const struct vfsmount *mnt, const int mode)
57638 +{
57639 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57640 + /* allow chmod +s on directories, but not files */
57641 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
57642 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
57643 + proc_is_chrooted(current)) {
57644 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
57645 + return -EPERM;
57646 + }
57647 +#endif
57648 + return 0;
57649 +}
57650 +
57651 +#ifdef CONFIG_SECURITY
57652 +EXPORT_SYMBOL(gr_handle_chroot_caps);
57653 +#endif
57654 diff -urNp linux-2.6.39.2/grsecurity/grsec_disabled.c linux-2.6.39.2/grsecurity/grsec_disabled.c
57655 --- linux-2.6.39.2/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
57656 +++ linux-2.6.39.2/grsecurity/grsec_disabled.c 2011-05-22 19:41:42.000000000 -0400
57657 @@ -0,0 +1,447 @@
57658 +#include <linux/kernel.h>
57659 +#include <linux/module.h>
57660 +#include <linux/sched.h>
57661 +#include <linux/file.h>
57662 +#include <linux/fs.h>
57663 +#include <linux/kdev_t.h>
57664 +#include <linux/net.h>
57665 +#include <linux/in.h>
57666 +#include <linux/ip.h>
57667 +#include <linux/skbuff.h>
57668 +#include <linux/sysctl.h>
57669 +
57670 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57671 +void
57672 +pax_set_initial_flags(struct linux_binprm *bprm)
57673 +{
57674 + return;
57675 +}
57676 +#endif
57677 +
57678 +#ifdef CONFIG_SYSCTL
57679 +__u32
57680 +gr_handle_sysctl(const struct ctl_table * table, const int op)
57681 +{
57682 + return 0;
57683 +}
57684 +#endif
57685 +
57686 +#ifdef CONFIG_TASKSTATS
57687 +int gr_is_taskstats_denied(int pid)
57688 +{
57689 + return 0;
57690 +}
57691 +#endif
57692 +
57693 +int
57694 +gr_acl_is_enabled(void)
57695 +{
57696 + return 0;
57697 +}
57698 +
57699 +int
57700 +gr_handle_rawio(const struct inode *inode)
57701 +{
57702 + return 0;
57703 +}
57704 +
57705 +void
57706 +gr_acl_handle_psacct(struct task_struct *task, const long code)
57707 +{
57708 + return;
57709 +}
57710 +
57711 +int
57712 +gr_handle_ptrace(struct task_struct *task, const long request)
57713 +{
57714 + return 0;
57715 +}
57716 +
57717 +int
57718 +gr_handle_proc_ptrace(struct task_struct *task)
57719 +{
57720 + return 0;
57721 +}
57722 +
57723 +void
57724 +gr_learn_resource(const struct task_struct *task,
57725 + const int res, const unsigned long wanted, const int gt)
57726 +{
57727 + return;
57728 +}
57729 +
57730 +int
57731 +gr_set_acls(const int type)
57732 +{
57733 + return 0;
57734 +}
57735 +
57736 +int
57737 +gr_check_hidden_task(const struct task_struct *tsk)
57738 +{
57739 + return 0;
57740 +}
57741 +
57742 +int
57743 +gr_check_protected_task(const struct task_struct *task)
57744 +{
57745 + return 0;
57746 +}
57747 +
57748 +int
57749 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
57750 +{
57751 + return 0;
57752 +}
57753 +
57754 +void
57755 +gr_copy_label(struct task_struct *tsk)
57756 +{
57757 + return;
57758 +}
57759 +
57760 +void
57761 +gr_set_pax_flags(struct task_struct *task)
57762 +{
57763 + return;
57764 +}
57765 +
57766 +int
57767 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
57768 + const int unsafe_share)
57769 +{
57770 + return 0;
57771 +}
57772 +
57773 +void
57774 +gr_handle_delete(const ino_t ino, const dev_t dev)
57775 +{
57776 + return;
57777 +}
57778 +
57779 +void
57780 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
57781 +{
57782 + return;
57783 +}
57784 +
57785 +void
57786 +gr_handle_crash(struct task_struct *task, const int sig)
57787 +{
57788 + return;
57789 +}
57790 +
57791 +int
57792 +gr_check_crash_exec(const struct file *filp)
57793 +{
57794 + return 0;
57795 +}
57796 +
57797 +int
57798 +gr_check_crash_uid(const uid_t uid)
57799 +{
57800 + return 0;
57801 +}
57802 +
57803 +void
57804 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
57805 + struct dentry *old_dentry,
57806 + struct dentry *new_dentry,
57807 + struct vfsmount *mnt, const __u8 replace)
57808 +{
57809 + return;
57810 +}
57811 +
57812 +int
57813 +gr_search_socket(const int family, const int type, const int protocol)
57814 +{
57815 + return 1;
57816 +}
57817 +
57818 +int
57819 +gr_search_connectbind(const int mode, const struct socket *sock,
57820 + const struct sockaddr_in *addr)
57821 +{
57822 + return 0;
57823 +}
57824 +
57825 +int
57826 +gr_is_capable(const int cap)
57827 +{
57828 + return 1;
57829 +}
57830 +
57831 +int
57832 +gr_is_capable_nolog(const int cap)
57833 +{
57834 + return 1;
57835 +}
57836 +
57837 +void
57838 +gr_handle_alertkill(struct task_struct *task)
57839 +{
57840 + return;
57841 +}
57842 +
57843 +__u32
57844 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
57845 +{
57846 + return 1;
57847 +}
57848 +
57849 +__u32
57850 +gr_acl_handle_hidden_file(const struct dentry * dentry,
57851 + const struct vfsmount * mnt)
57852 +{
57853 + return 1;
57854 +}
57855 +
57856 +__u32
57857 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
57858 + const int fmode)
57859 +{
57860 + return 1;
57861 +}
57862 +
57863 +__u32
57864 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
57865 +{
57866 + return 1;
57867 +}
57868 +
57869 +__u32
57870 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
57871 +{
57872 + return 1;
57873 +}
57874 +
57875 +int
57876 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
57877 + unsigned int *vm_flags)
57878 +{
57879 + return 1;
57880 +}
57881 +
57882 +__u32
57883 +gr_acl_handle_truncate(const struct dentry * dentry,
57884 + const struct vfsmount * mnt)
57885 +{
57886 + return 1;
57887 +}
57888 +
57889 +__u32
57890 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
57891 +{
57892 + return 1;
57893 +}
57894 +
57895 +__u32
57896 +gr_acl_handle_access(const struct dentry * dentry,
57897 + const struct vfsmount * mnt, const int fmode)
57898 +{
57899 + return 1;
57900 +}
57901 +
57902 +__u32
57903 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
57904 + mode_t mode)
57905 +{
57906 + return 1;
57907 +}
57908 +
57909 +__u32
57910 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
57911 + mode_t mode)
57912 +{
57913 + return 1;
57914 +}
57915 +
57916 +__u32
57917 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
57918 +{
57919 + return 1;
57920 +}
57921 +
57922 +__u32
57923 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
57924 +{
57925 + return 1;
57926 +}
57927 +
57928 +void
57929 +grsecurity_init(void)
57930 +{
57931 + return;
57932 +}
57933 +
57934 +__u32
57935 +gr_acl_handle_mknod(const struct dentry * new_dentry,
57936 + const struct dentry * parent_dentry,
57937 + const struct vfsmount * parent_mnt,
57938 + const int mode)
57939 +{
57940 + return 1;
57941 +}
57942 +
57943 +__u32
57944 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
57945 + const struct dentry * parent_dentry,
57946 + const struct vfsmount * parent_mnt)
57947 +{
57948 + return 1;
57949 +}
57950 +
57951 +__u32
57952 +gr_acl_handle_symlink(const struct dentry * new_dentry,
57953 + const struct dentry * parent_dentry,
57954 + const struct vfsmount * parent_mnt, const char *from)
57955 +{
57956 + return 1;
57957 +}
57958 +
57959 +__u32
57960 +gr_acl_handle_link(const struct dentry * new_dentry,
57961 + const struct dentry * parent_dentry,
57962 + const struct vfsmount * parent_mnt,
57963 + const struct dentry * old_dentry,
57964 + const struct vfsmount * old_mnt, const char *to)
57965 +{
57966 + return 1;
57967 +}
57968 +
57969 +int
57970 +gr_acl_handle_rename(const struct dentry *new_dentry,
57971 + const struct dentry *parent_dentry,
57972 + const struct vfsmount *parent_mnt,
57973 + const struct dentry *old_dentry,
57974 + const struct inode *old_parent_inode,
57975 + const struct vfsmount *old_mnt, const char *newname)
57976 +{
57977 + return 0;
57978 +}
57979 +
57980 +int
57981 +gr_acl_handle_filldir(const struct file *file, const char *name,
57982 + const int namelen, const ino_t ino)
57983 +{
57984 + return 1;
57985 +}
57986 +
57987 +int
57988 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57989 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57990 +{
57991 + return 1;
57992 +}
57993 +
57994 +int
57995 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
57996 +{
57997 + return 0;
57998 +}
57999 +
58000 +int
58001 +gr_search_accept(const struct socket *sock)
58002 +{
58003 + return 0;
58004 +}
58005 +
58006 +int
58007 +gr_search_listen(const struct socket *sock)
58008 +{
58009 + return 0;
58010 +}
58011 +
58012 +int
58013 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58014 +{
58015 + return 0;
58016 +}
58017 +
58018 +__u32
58019 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58020 +{
58021 + return 1;
58022 +}
58023 +
58024 +__u32
58025 +gr_acl_handle_creat(const struct dentry * dentry,
58026 + const struct dentry * p_dentry,
58027 + const struct vfsmount * p_mnt, const int fmode,
58028 + const int imode)
58029 +{
58030 + return 1;
58031 +}
58032 +
58033 +void
58034 +gr_acl_handle_exit(void)
58035 +{
58036 + return;
58037 +}
58038 +
58039 +int
58040 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58041 +{
58042 + return 1;
58043 +}
58044 +
58045 +void
58046 +gr_set_role_label(const uid_t uid, const gid_t gid)
58047 +{
58048 + return;
58049 +}
58050 +
58051 +int
58052 +gr_acl_handle_procpidmem(const struct task_struct *task)
58053 +{
58054 + return 0;
58055 +}
58056 +
58057 +int
58058 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58059 +{
58060 + return 0;
58061 +}
58062 +
58063 +int
58064 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58065 +{
58066 + return 0;
58067 +}
58068 +
58069 +void
58070 +gr_set_kernel_label(struct task_struct *task)
58071 +{
58072 + return;
58073 +}
58074 +
58075 +int
58076 +gr_check_user_change(int real, int effective, int fs)
58077 +{
58078 + return 0;
58079 +}
58080 +
58081 +int
58082 +gr_check_group_change(int real, int effective, int fs)
58083 +{
58084 + return 0;
58085 +}
58086 +
58087 +int gr_acl_enable_at_secure(void)
58088 +{
58089 + return 0;
58090 +}
58091 +
58092 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58093 +{
58094 + return dentry->d_inode->i_sb->s_dev;
58095 +}
58096 +
58097 +EXPORT_SYMBOL(gr_is_capable);
58098 +EXPORT_SYMBOL(gr_is_capable_nolog);
58099 +EXPORT_SYMBOL(gr_learn_resource);
58100 +EXPORT_SYMBOL(gr_set_kernel_label);
58101 +#ifdef CONFIG_SECURITY
58102 +EXPORT_SYMBOL(gr_check_user_change);
58103 +EXPORT_SYMBOL(gr_check_group_change);
58104 +#endif
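Review bot: The stubs in grsec_disabled.c return a mix of 0 and 1 with nothing stating which value means "permit" for each hook: gr_search_socket and gr_is_capable return 1, gr_search_connectbind and gr_handle_ptrace return 0, and the gr_acl_handle_* family returns 1 except gr_acl_handle_rename, which returns 0. Judging by the file name, these are the fallbacks used when the ACL system is compiled out, so a wrong constant would silently allow or deny an operation, and a reader cannot verify any of them from this file alone. A header comment such as `/* RBAC compiled out: each stub returns the value its real counterpart uses for "allowed" */`, plus a short note per group on its convention, would make that checkable. gr_get_dev_from_dentry also dereferences `dentry->d_inode` unchecked; its callers are outside this hunk, so it is worth confirming they never pass a negative dentry.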
58105 diff -urNp linux-2.6.39.2/grsecurity/grsec_exec.c linux-2.6.39.2/grsecurity/grsec_exec.c
58106 --- linux-2.6.39.2/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58107 +++ linux-2.6.39.2/grsecurity/grsec_exec.c 2011-05-22 22:41:29.000000000 -0400
58108 @@ -0,0 +1,146 @@
58109 +#include <linux/kernel.h>
58110 +#include <linux/sched.h>
58111 +#include <linux/file.h>
58112 +#include <linux/binfmts.h>
58113 +#include <linux/fs.h>
58114 +#include <linux/types.h>
58115 +#include <linux/grdefs.h>
58116 +#include <linux/grinternal.h>
58117 +#include <linux/capability.h>
58118 +#include <linux/compat.h>
58119 +
58120 +#include <asm/uaccess.h>
58121 +
58122 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58123 +static char gr_exec_arg_buf[132];
58124 +static DEFINE_MUTEX(gr_exec_arg_mutex);
58125 +#endif
58126 +
58127 +int
58128 +gr_handle_nproc(void)
58129 +{
58130 +#ifdef CONFIG_GRKERNSEC_EXECVE
58131 + const struct cred *cred = current_cred();
58132 + if (grsec_enable_execve && cred->user &&
58133 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
58134 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
58135 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
58136 + return -EAGAIN;
58137 + }
58138 +#endif
58139 + return 0;
58140 +}
58141 +
58142 +void
58143 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58144 +{
58145 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58146 + char *grarg = gr_exec_arg_buf;
58147 + unsigned int i, x, execlen = 0;
58148 + char c;
58149 +
58150 + if (!((grsec_enable_execlog && grsec_enable_group &&
58151 + in_group_p(grsec_audit_gid))
58152 + || (grsec_enable_execlog && !grsec_enable_group)))
58153 + return;
58154 +
58155 + mutex_lock(&gr_exec_arg_mutex);
58156 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58157 +
58158 + if (unlikely(argv == NULL))
58159 + goto log;
58160 +
58161 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58162 + const char __user *p;
58163 + unsigned int len;
58164 +
58165 + if (copy_from_user(&p, argv + i, sizeof(p)))
58166 + goto log;
58167 + if (!p)
58168 + goto log;
58169 + len = strnlen_user(p, 128 - execlen);
58170 + if (len > 128 - execlen)
58171 + len = 128 - execlen;
58172 + else if (len > 0)
58173 + len--;
58174 + if (copy_from_user(grarg + execlen, p, len))
58175 + goto log;
58176 +
58177 + /* rewrite unprintable characters */
58178 + for (x = 0; x < len; x++) {
58179 + c = *(grarg + execlen + x);
58180 + if (c < 32 || c > 126)
58181 + *(grarg + execlen + x) = ' ';
58182 + }
58183 +
58184 + execlen += len;
58185 + *(grarg + execlen) = ' ';
58186 + *(grarg + execlen + 1) = '\0';
58187 + execlen++;
58188 + }
58189 +
58190 + log:
58191 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58192 + bprm->file->f_path.mnt, grarg);
58193 + mutex_unlock(&gr_exec_arg_mutex);
58194 +#endif
58195 + return;
58196 +}
58197 +
58198 +#ifdef CONFIG_COMPAT
58199 +void
58200 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58201 +{
58202 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58203 + char *grarg = gr_exec_arg_buf;
58204 + unsigned int i, x, execlen = 0;
58205 + char c;
58206 +
58207 + if (!((grsec_enable_execlog && grsec_enable_group &&
58208 + in_group_p(grsec_audit_gid))
58209 + || (grsec_enable_execlog && !grsec_enable_group)))
58210 + return;
58211 +
58212 + mutex_lock(&gr_exec_arg_mutex);
58213 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58214 +
58215 + if (unlikely(argv == NULL))
58216 + goto log;
58217 +
58218 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58219 + compat_uptr_t p;
58220 + unsigned int len;
58221 +
58222 + if (get_user(p, argv + i))
58223 + goto log;
58224 + len = strnlen_user(compat_ptr(p), 128 - execlen);
58225 + if (len > 128 - execlen)
58226 + len = 128 - execlen;
58227 + else if (len > 0)
58228 + len--;
58229 + else
58230 + goto log;
58231 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58232 + goto log;
58233 +
58234 + /* rewrite unprintable characters */
58235 + for (x = 0; x < len; x++) {
58236 + c = *(grarg + execlen + x);
58237 + if (c < 32 || c > 126)
58238 + *(grarg + execlen + x) = ' ';
58239 + }
58240 +
58241 + execlen += len;
58242 + *(grarg + execlen) = ' ';
58243 + *(grarg + execlen + 1) = '\0';
58244 + execlen++;
58245 + }
58246 +
58247 + log:
58248 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58249 + bprm->file->f_path.mnt, grarg);
58250 + mutex_unlock(&gr_exec_arg_mutex);
58251 +#endif
58252 + return;
58253 +}
58254 +#endif
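Review bot: In gr_handle_exec_args a `strnlen_user()` result of 0 (a fault on the user pointer) is not treated as an error, whereas gr_handle_exec_args_compat in the same file ends the same length chain with `else goto log;`. On the native path the code falls through to a zero-length copy and appends a space, so an unreadable argument appears in the exec audit record as blank padding instead of ending the record. Adding `else goto log;` after `len--;` makes the two variants agree. The compat variant in turn has no counterpart to the native `if (!p) goto log;`. It presumably relies on strnlen_user faulting on a NULL compat pointer, which deserves a one-line comment.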
58255 diff -urNp linux-2.6.39.2/grsecurity/grsec_fifo.c linux-2.6.39.2/grsecurity/grsec_fifo.c
58256 --- linux-2.6.39.2/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
58257 +++ linux-2.6.39.2/grsecurity/grsec_fifo.c 2011-05-22 19:41:42.000000000 -0400
58258 @@ -0,0 +1,24 @@
58259 +#include <linux/kernel.h>
58260 +#include <linux/sched.h>
58261 +#include <linux/fs.h>
58262 +#include <linux/file.h>
58263 +#include <linux/grinternal.h>
58264 +
58265 +int
58266 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
58267 + const struct dentry *dir, const int flag, const int acc_mode)
58268 +{
58269 +#ifdef CONFIG_GRKERNSEC_FIFO
58270 + const struct cred *cred = current_cred();
58271 +
58272 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
58273 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
58274 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
58275 + (cred->fsuid != dentry->d_inode->i_uid)) {
58276 + if (!inode_permission(dentry->d_inode, acc_mode))
58277 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
58278 + return -EACCES;
58279 + }
58280 +#endif
58281 + return 0;
58282 +}
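Review bot: In gr_handle_fifo the unbraced `if (!inode_permission(dentry->d_inode, acc_mode))` guards only the gr_log_fs_int2 call, while `return -EACCES;` on the following line runs unconditionally; without braces or a comment this reads like a block that lost its braces. The intent appears to be "log only when the normal permission check would have allowed the open, deny either way", so I would brace the log call and add `/* log only if DAC would have permitted the open; the FIFO is refused regardless */`. The function also dereferences `dentry->d_inode` and `dir->d_inode` without a NULL check; the callers are outside this hunk, so confirm both dentries are always positive here.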
58283 diff -urNp linux-2.6.39.2/grsecurity/grsec_fork.c linux-2.6.39.2/grsecurity/grsec_fork.c
58284 --- linux-2.6.39.2/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
58285 +++ linux-2.6.39.2/grsecurity/grsec_fork.c 2011-05-22 19:41:42.000000000 -0400
58286 @@ -0,0 +1,23 @@
58287 +#include <linux/kernel.h>
58288 +#include <linux/sched.h>
58289 +#include <linux/grsecurity.h>
58290 +#include <linux/grinternal.h>
58291 +#include <linux/errno.h>
58292 +
58293 +void
58294 +gr_log_forkfail(const int retval)
58295 +{
58296 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58297 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
58298 + switch (retval) {
58299 + case -EAGAIN:
58300 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
58301 + break;
58302 + case -ENOMEM:
58303 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
58304 + break;
58305 + }
58306 + }
58307 +#endif
58308 + return;
58309 +}
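Review bot: gr_log_forkfail tests `retval == -EAGAIN || retval == -ENOMEM` in the `if` and then repeats the same two cases in a `switch` with no `default`, so logging another errno later means editing two places that must stay in sync. A single mapping would be shorter: `const char *why = (retval == -EAGAIN) ? "EAGAIN" : (retval == -ENOMEM) ? "ENOMEM" : NULL;` followed by `if (grsec_enable_forkfail && why) gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, why);`. The trailing `return;` in a void function can go as well.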
58310 diff -urNp linux-2.6.39.2/grsecurity/grsec_init.c linux-2.6.39.2/grsecurity/grsec_init.c
58311 --- linux-2.6.39.2/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
58312 +++ linux-2.6.39.2/grsecurity/grsec_init.c 2011-06-29 19:35:59.000000000 -0400
58313 @@ -0,0 +1,273 @@
58314 +#include <linux/kernel.h>
58315 +#include <linux/sched.h>
58316 +#include <linux/mm.h>
58317 +#include <linux/gracl.h>
58318 +#include <linux/slab.h>
58319 +#include <linux/vmalloc.h>
58320 +#include <linux/percpu.h>
58321 +#include <linux/module.h>
58322 +
58323 +int grsec_enable_brute;
58324 +int grsec_enable_link;
58325 +int grsec_enable_dmesg;
58326 +int grsec_enable_harden_ptrace;
58327 +int grsec_enable_fifo;
58328 +int grsec_enable_execve;
58329 +int grsec_enable_execlog;
58330 +int grsec_enable_signal;
58331 +int grsec_enable_forkfail;
58332 +int grsec_enable_audit_ptrace;
58333 +int grsec_enable_time;
58334 +int grsec_enable_audit_textrel;
58335 +int grsec_enable_group;
58336 +int grsec_audit_gid;
58337 +int grsec_enable_chdir;
58338 +int grsec_enable_mount;
58339 +int grsec_enable_rofs;
58340 +int grsec_enable_chroot_findtask;
58341 +int grsec_enable_chroot_mount;
58342 +int grsec_enable_chroot_shmat;
58343 +int grsec_enable_chroot_fchdir;
58344 +int grsec_enable_chroot_double;
58345 +int grsec_enable_chroot_pivot;
58346 +int grsec_enable_chroot_chdir;
58347 +int grsec_enable_chroot_chmod;
58348 +int grsec_enable_chroot_mknod;
58349 +int grsec_enable_chroot_nice;
58350 +int grsec_enable_chroot_execlog;
58351 +int grsec_enable_chroot_caps;
58352 +int grsec_enable_chroot_sysctl;
58353 +int grsec_enable_chroot_unix;
58354 +int grsec_enable_tpe;
58355 +int grsec_tpe_gid;
58356 +int grsec_enable_blackhole;
58357 +#ifdef CONFIG_IPV6_MODULE
58358 +EXPORT_SYMBOL(grsec_enable_blackhole);
58359 +#endif
58360 +int grsec_lastack_retries;
58361 +int grsec_enable_tpe_all;
58362 +int grsec_enable_tpe_invert;
58363 +int grsec_enable_socket_all;
58364 +int grsec_socket_all_gid;
58365 +int grsec_enable_socket_client;
58366 +int grsec_socket_client_gid;
58367 +int grsec_enable_socket_server;
58368 +int grsec_socket_server_gid;
58369 +int grsec_resource_logging;
58370 +int grsec_disable_privio;
58371 +int grsec_enable_log_rwxmaps;
58372 +int grsec_lock;
58373 +
58374 +DEFINE_SPINLOCK(grsec_alert_lock);
58375 +unsigned long grsec_alert_wtime = 0;
58376 +unsigned long grsec_alert_fyet = 0;
58377 +
58378 +DEFINE_SPINLOCK(grsec_audit_lock);
58379 +
58380 +DEFINE_RWLOCK(grsec_exec_file_lock);
58381 +
58382 +char *gr_shared_page[4];
58383 +
58384 +char *gr_alert_log_fmt;
58385 +char *gr_audit_log_fmt;
58386 +char *gr_alert_log_buf;
58387 +char *gr_audit_log_buf;
58388 +
58389 +extern struct gr_arg *gr_usermode;
58390 +extern unsigned char *gr_system_salt;
58391 +extern unsigned char *gr_system_sum;
58392 +
58393 +void __init
58394 +grsecurity_init(void)
58395 +{
58396 + int j;
58397 + /* create the per-cpu shared pages */
58398 +
58399 +#ifdef CONFIG_X86
58400 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
58401 +#endif
58402 +
58403 + for (j = 0; j < 4; j++) {
58404 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
58405 + if (gr_shared_page[j] == NULL) {
58406 + panic("Unable to allocate grsecurity shared page");
58407 + return;
58408 + }
58409 + }
58410 +
58411 + /* allocate log buffers */
58412 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
58413 + if (!gr_alert_log_fmt) {
58414 + panic("Unable to allocate grsecurity alert log format buffer");
58415 + return;
58416 + }
58417 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
58418 + if (!gr_audit_log_fmt) {
58419 + panic("Unable to allocate grsecurity audit log format buffer");
58420 + return;
58421 + }
58422 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58423 + if (!gr_alert_log_buf) {
58424 + panic("Unable to allocate grsecurity alert log buffer");
58425 + return;
58426 + }
58427 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58428 + if (!gr_audit_log_buf) {
58429 + panic("Unable to allocate grsecurity audit log buffer");
58430 + return;
58431 + }
58432 +
58433 + /* allocate memory for authentication structure */
58434 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
58435 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
58436 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
58437 +
58438 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
58439 + panic("Unable to allocate grsecurity authentication structure");
58440 + return;
58441 + }
58442 +
58443 +
58444 +#ifdef CONFIG_GRKERNSEC_IO
58445 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
58446 + grsec_disable_privio = 1;
58447 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58448 + grsec_disable_privio = 1;
58449 +#else
58450 + grsec_disable_privio = 0;
58451 +#endif
58452 +#endif
58453 +
58454 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58455 + /* for backward compatibility, tpe_invert always defaults to on if
58456 + enabled in the kernel
58457 + */
58458 + grsec_enable_tpe_invert = 1;
58459 +#endif
58460 +
58461 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58462 +#ifndef CONFIG_GRKERNSEC_SYSCTL
58463 + grsec_lock = 1;
58464 +#endif
58465 +
58466 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58467 + grsec_enable_audit_textrel = 1;
58468 +#endif
58469 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58470 + grsec_enable_log_rwxmaps = 1;
58471 +#endif
58472 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58473 + grsec_enable_group = 1;
58474 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
58475 +#endif
58476 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58477 + grsec_enable_chdir = 1;
58478 +#endif
58479 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58480 + grsec_enable_harden_ptrace = 1;
58481 +#endif
58482 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58483 + grsec_enable_mount = 1;
58484 +#endif
58485 +#ifdef CONFIG_GRKERNSEC_LINK
58486 + grsec_enable_link = 1;
58487 +#endif
58488 +#ifdef CONFIG_GRKERNSEC_BRUTE
58489 + grsec_enable_brute = 1;
58490 +#endif
58491 +#ifdef CONFIG_GRKERNSEC_DMESG
58492 + grsec_enable_dmesg = 1;
58493 +#endif
58494 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58495 + grsec_enable_blackhole = 1;
58496 + grsec_lastack_retries = 4;
58497 +#endif
58498 +#ifdef CONFIG_GRKERNSEC_FIFO
58499 + grsec_enable_fifo = 1;
58500 +#endif
58501 +#ifdef CONFIG_GRKERNSEC_EXECVE
58502 + grsec_enable_execve = 1;
58503 +#endif
58504 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58505 + grsec_enable_execlog = 1;
58506 +#endif
58507 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58508 + grsec_enable_signal = 1;
58509 +#endif
58510 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58511 + grsec_enable_forkfail = 1;
58512 +#endif
58513 +#ifdef CONFIG_GRKERNSEC_TIME
58514 + grsec_enable_time = 1;
58515 +#endif
58516 +#ifdef CONFIG_GRKERNSEC_RESLOG
58517 + grsec_resource_logging = 1;
58518 +#endif
58519 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58520 + grsec_enable_chroot_findtask = 1;
58521 +#endif
58522 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58523 + grsec_enable_chroot_unix = 1;
58524 +#endif
58525 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58526 + grsec_enable_chroot_mount = 1;
58527 +#endif
58528 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58529 + grsec_enable_chroot_fchdir = 1;
58530 +#endif
58531 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58532 + grsec_enable_chroot_shmat = 1;
58533 +#endif
58534 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58535 + grsec_enable_audit_ptrace = 1;
58536 +#endif
58537 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58538 + grsec_enable_chroot_double = 1;
58539 +#endif
58540 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58541 + grsec_enable_chroot_pivot = 1;
58542 +#endif
58543 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58544 + grsec_enable_chroot_chdir = 1;
58545 +#endif
58546 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58547 + grsec_enable_chroot_chmod = 1;
58548 +#endif
58549 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58550 + grsec_enable_chroot_mknod = 1;
58551 +#endif
58552 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58553 + grsec_enable_chroot_nice = 1;
58554 +#endif
58555 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58556 + grsec_enable_chroot_execlog = 1;
58557 +#endif
58558 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58559 + grsec_enable_chroot_caps = 1;
58560 +#endif
58561 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58562 + grsec_enable_chroot_sysctl = 1;
58563 +#endif
58564 +#ifdef CONFIG_GRKERNSEC_TPE
58565 + grsec_enable_tpe = 1;
58566 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
58567 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58568 + grsec_enable_tpe_all = 1;
58569 +#endif
58570 +#endif
58571 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58572 + grsec_enable_socket_all = 1;
58573 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
58574 +#endif
58575 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58576 + grsec_enable_socket_client = 1;
58577 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
58578 +#endif
58579 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58580 + grsec_enable_socket_server = 1;
58581 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
58582 +#endif
58583 +#endif
58584 +
58585 + return;
58586 +}
58587 diff -urNp linux-2.6.39.2/grsecurity/grsec_link.c linux-2.6.39.2/grsecurity/grsec_link.c
58588 --- linux-2.6.39.2/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
58589 +++ linux-2.6.39.2/grsecurity/grsec_link.c 2011-05-22 19:41:42.000000000 -0400
58590 @@ -0,0 +1,43 @@
58591 +#include <linux/kernel.h>
58592 +#include <linux/sched.h>
58593 +#include <linux/fs.h>
58594 +#include <linux/file.h>
58595 +#include <linux/grinternal.h>
58596 +
58597 +int
58598 +gr_handle_follow_link(const struct inode *parent,
58599 + const struct inode *inode,
58600 + const struct dentry *dentry, const struct vfsmount *mnt)
58601 +{
58602 +#ifdef CONFIG_GRKERNSEC_LINK
58603 + const struct cred *cred = current_cred();
58604 +
58605 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
58606 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
58607 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
58608 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
58609 + return -EACCES;
58610 + }
58611 +#endif
58612 + return 0;
58613 +}
58614 +
58615 +int
58616 +gr_handle_hardlink(const struct dentry *dentry,
58617 + const struct vfsmount *mnt,
58618 + struct inode *inode, const int mode, const char *to)
58619 +{
58620 +#ifdef CONFIG_GRKERNSEC_LINK
58621 + const struct cred *cred = current_cred();
58622 +
58623 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
58624 + (!S_ISREG(mode) || (mode & S_ISUID) ||
58625 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
58626 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
58627 + !capable(CAP_FOWNER) && cred->uid) {
58628 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
58629 + return -EPERM;
58630 + }
58631 +#endif
58632 + return 0;
58633 +}
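Review bot: The five-part condition in gr_handle_hardlink has no comment, and its final exemption tests the real uid (`cred->uid`) rather than a capability, so a uid-0 caller without CAP_FOWNER still passes the check. If that is intended, the policy should be written down next to the code. I would add above the function: `/* Deny hardlinks to files the caller does not own (by fsuid) when the target is not a regular file, is setuid, is setgid and group-executable, or is not both readable and writable by the caller; CAP_FOWNER and real uid 0 are exempt. */`. gr_handle_follow_link would benefit from a matching one-line comment saying it only applies to symlinks in world-writable sticky directories whose owner differs from both the directory owner and the caller's fsuid.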
58634 diff -urNp linux-2.6.39.2/grsecurity/grsec_log.c linux-2.6.39.2/grsecurity/grsec_log.c
58635 --- linux-2.6.39.2/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
58636 +++ linux-2.6.39.2/grsecurity/grsec_log.c 2011-05-22 19:41:42.000000000 -0400
58637 @@ -0,0 +1,310 @@
58638 +#include <linux/kernel.h>
58639 +#include <linux/sched.h>
58640 +#include <linux/file.h>
58641 +#include <linux/tty.h>
58642 +#include <linux/fs.h>
58643 +#include <linux/grinternal.h>
58644 +
58645 +#ifdef CONFIG_TREE_PREEMPT_RCU
58646 +#define DISABLE_PREEMPT() preempt_disable()
58647 +#define ENABLE_PREEMPT() preempt_enable()
58648 +#else
58649 +#define DISABLE_PREEMPT()
58650 +#define ENABLE_PREEMPT()
58651 +#endif
58652 +
58653 +#define BEGIN_LOCKS(x) \
58654 + DISABLE_PREEMPT(); \
58655 + rcu_read_lock(); \
58656 + read_lock(&tasklist_lock); \
58657 + read_lock(&grsec_exec_file_lock); \
58658 + if (x != GR_DO_AUDIT) \
58659 + spin_lock(&grsec_alert_lock); \
58660 + else \
58661 + spin_lock(&grsec_audit_lock)
58662 +
58663 +#define END_LOCKS(x) \
58664 + if (x != GR_DO_AUDIT) \
58665 + spin_unlock(&grsec_alert_lock); \
58666 + else \
58667 + spin_unlock(&grsec_audit_lock); \
58668 + read_unlock(&grsec_exec_file_lock); \
58669 + read_unlock(&tasklist_lock); \
58670 + rcu_read_unlock(); \
58671 + ENABLE_PREEMPT(); \
58672 + if (x == GR_DONT_AUDIT) \
58673 + gr_handle_alertkill(current)
58674 +
58675 +enum {
58676 + FLOODING,
58677 + NO_FLOODING
58678 +};
58679 +
58680 +extern char *gr_alert_log_fmt;
58681 +extern char *gr_audit_log_fmt;
58682 +extern char *gr_alert_log_buf;
58683 +extern char *gr_audit_log_buf;
58684 +
58685 +static int gr_log_start(int audit)
58686 +{
58687 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
58688 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
58689 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58690 +
58691 + if (audit == GR_DO_AUDIT)
58692 + goto set_fmt;
58693 +
58694 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
58695 + grsec_alert_wtime = jiffies;
58696 + grsec_alert_fyet = 0;
58697 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
58698 + grsec_alert_fyet++;
58699 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
58700 + grsec_alert_wtime = jiffies;
58701 + grsec_alert_fyet++;
58702 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
58703 + return FLOODING;
58704 + } else return FLOODING;
58705 +
58706 +set_fmt:
58707 + memset(buf, 0, PAGE_SIZE);
58708 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
58709 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
58710 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58711 + } else if (current->signal->curr_ip) {
58712 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
58713 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58714 + } else if (gr_acl_is_enabled()) {
58715 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
58716 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58717 + } else {
58718 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
58719 + strcpy(buf, fmt);
58720 + }
58721 +
58722 + return NO_FLOODING;
58723 +}
58724 +
58725 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58726 + __attribute__ ((format (printf, 2, 0)));
58727 +
58728 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58729 +{
58730 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58731 + unsigned int len = strlen(buf);
58732 +
58733 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58734 +
58735 + return;
58736 +}
58737 +
58738 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58739 + __attribute__ ((format (printf, 2, 3)));
58740 +
58741 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58742 +{
58743 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58744 + unsigned int len = strlen(buf);
58745 + va_list ap;
58746 +
58747 + va_start(ap, msg);
58748 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58749 + va_end(ap);
58750 +
58751 + return;
58752 +}
58753 +
58754 +static void gr_log_end(int audit)
58755 +{
58756 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58757 + unsigned int len = strlen(buf);
58758 +
58759 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
58760 + printk("%s\n", buf);
58761 +
58762 + return;
58763 +}
58764 +
58765 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
58766 +{
58767 + int logtype;
58768 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
58769 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
58770 + void *voidptr = NULL;
58771 + int num1 = 0, num2 = 0;
58772 + unsigned long ulong1 = 0, ulong2 = 0;
58773 + struct dentry *dentry = NULL;
58774 + struct vfsmount *mnt = NULL;
58775 + struct file *file = NULL;
58776 + struct task_struct *task = NULL;
58777 + const struct cred *cred, *pcred;
58778 + va_list ap;
58779 +
58780 + BEGIN_LOCKS(audit);
58781 + logtype = gr_log_start(audit);
58782 + if (logtype == FLOODING) {
58783 + END_LOCKS(audit);
58784 + return;
58785 + }
58786 + va_start(ap, argtypes);
58787 + switch (argtypes) {
58788 + case GR_TTYSNIFF:
58789 + task = va_arg(ap, struct task_struct *);
58790 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
58791 + break;
58792 + case GR_SYSCTL_HIDDEN:
58793 + str1 = va_arg(ap, char *);
58794 + gr_log_middle_varargs(audit, msg, result, str1);
58795 + break;
58796 + case GR_RBAC:
58797 + dentry = va_arg(ap, struct dentry *);
58798 + mnt = va_arg(ap, struct vfsmount *);
58799 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
58800 + break;
58801 + case GR_RBAC_STR:
58802 + dentry = va_arg(ap, struct dentry *);
58803 + mnt = va_arg(ap, struct vfsmount *);
58804 + str1 = va_arg(ap, char *);
58805 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
58806 + break;
58807 + case GR_STR_RBAC:
58808 + str1 = va_arg(ap, char *);
58809 + dentry = va_arg(ap, struct dentry *);
58810 + mnt = va_arg(ap, struct vfsmount *);
58811 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
58812 + break;
58813 + case GR_RBAC_MODE2:
58814 + dentry = va_arg(ap, struct dentry *);
58815 + mnt = va_arg(ap, struct vfsmount *);
58816 + str1 = va_arg(ap, char *);
58817 + str2 = va_arg(ap, char *);
58818 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
58819 + break;
58820 + case GR_RBAC_MODE3:
58821 + dentry = va_arg(ap, struct dentry *);
58822 + mnt = va_arg(ap, struct vfsmount *);
58823 + str1 = va_arg(ap, char *);
58824 + str2 = va_arg(ap, char *);
58825 + str3 = va_arg(ap, char *);
58826 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
58827 + break;
58828 + case GR_FILENAME:
58829 + dentry = va_arg(ap, struct dentry *);
58830 + mnt = va_arg(ap, struct vfsmount *);
58831 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
58832 + break;
58833 + case GR_STR_FILENAME:
58834 + str1 = va_arg(ap, char *);
58835 + dentry = va_arg(ap, struct dentry *);
58836 + mnt = va_arg(ap, struct vfsmount *);
58837 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
58838 + break;
58839 + case GR_FILENAME_STR:
58840 + dentry = va_arg(ap, struct dentry *);
58841 + mnt = va_arg(ap, struct vfsmount *);
58842 + str1 = va_arg(ap, char *);
58843 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
58844 + break;
58845 + case GR_FILENAME_TWO_INT:
58846 + dentry = va_arg(ap, struct dentry *);
58847 + mnt = va_arg(ap, struct vfsmount *);
58848 + num1 = va_arg(ap, int);
58849 + num2 = va_arg(ap, int);
58850 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
58851 + break;
58852 + case GR_FILENAME_TWO_INT_STR:
58853 + dentry = va_arg(ap, struct dentry *);
58854 + mnt = va_arg(ap, struct vfsmount *);
58855 + num1 = va_arg(ap, int);
58856 + num2 = va_arg(ap, int);
58857 + str1 = va_arg(ap, char *);
58858 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
58859 + break;
58860 + case GR_TEXTREL:
58861 + file = va_arg(ap, struct file *);
58862 + ulong1 = va_arg(ap, unsigned long);
58863 + ulong2 = va_arg(ap, unsigned long);
58864 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
58865 + break;
58866 + case GR_PTRACE:
58867 + task = va_arg(ap, struct task_struct *);
58868 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
58869 + break;
58870 + case GR_RESOURCE:
58871 + task = va_arg(ap, struct task_struct *);
58872 + cred = __task_cred(task);
58873 + pcred = __task_cred(task->real_parent);
58874 + ulong1 = va_arg(ap, unsigned long);
58875 + str1 = va_arg(ap, char *);
58876 + ulong2 = va_arg(ap, unsigned long);
58877 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58878 + break;
58879 + case GR_CAP:
58880 + task = va_arg(ap, struct task_struct *);
58881 + cred = __task_cred(task);
58882 + pcred = __task_cred(task->real_parent);
58883 + str1 = va_arg(ap, char *);
58884 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58885 + break;
58886 + case GR_SIG:
58887 + str1 = va_arg(ap, char *);
58888 + voidptr = va_arg(ap, void *);
58889 + gr_log_middle_varargs(audit, msg, str1, voidptr);
58890 + break;
58891 + case GR_SIG2:
58892 + task = va_arg(ap, struct task_struct *);
58893 + cred = __task_cred(task);
58894 + pcred = __task_cred(task->real_parent);
58895 + num1 = va_arg(ap, int);
58896 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58897 + break;
58898 + case GR_CRASH1:
58899 + task = va_arg(ap, struct task_struct *);
58900 + cred = __task_cred(task);
58901 + pcred = __task_cred(task->real_parent);
58902 + ulong1 = va_arg(ap, unsigned long);
58903 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
58904 + break;
58905 + case GR_CRASH2:
58906 + task = va_arg(ap, struct task_struct *);
58907 + cred = __task_cred(task);
58908 + pcred = __task_cred(task->real_parent);
58909 + ulong1 = va_arg(ap, unsigned long);
58910 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
58911 + break;
58912 + case GR_RWXMAP:
58913 + file = va_arg(ap, struct file *);
58914 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
58915 + break;
58916 + case GR_PSACCT:
58917 + {
58918 + unsigned int wday, cday;
58919 + __u8 whr, chr;
58920 + __u8 wmin, cmin;
58921 + __u8 wsec, csec;
58922 + char cur_tty[64] = { 0 };
58923 + char parent_tty[64] = { 0 };
58924 +
58925 + task = va_arg(ap, struct task_struct *);
58926 + wday = va_arg(ap, unsigned int);
58927 + cday = va_arg(ap, unsigned int);
58928 + whr = va_arg(ap, int);
58929 + chr = va_arg(ap, int);
58930 + wmin = va_arg(ap, int);
58931 + cmin = va_arg(ap, int);
58932 + wsec = va_arg(ap, int);
58933 + csec = va_arg(ap, int);
58934 + ulong1 = va_arg(ap, unsigned long);
58935 + cred = __task_cred(task);
58936 + pcred = __task_cred(task->real_parent);
58937 +
58938 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58939 + }
58940 + break;
58941 + default:
58942 + gr_log_middle(audit, msg, ap);
58943 + }
58944 + va_end(ap);
58945 + gr_log_end(audit);
58946 + END_LOCKS(audit);
58947 +}
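Review bot: BEGIN_LOCKS and END_LOCKS expand to several bare statements, and END_LOCKS ends in an unbraced `if (x == GR_DONT_AUDIT) gr_handle_alertkill(current)`. Used as the body of an unbraced `if`, either macro would run only its first statement conditionally and leave the lock set unbalanced, and an `else` written after END_LOCKS would attach to the macro's own `if`. Both uses in gr_log_varargs are inside braces, so nothing misbehaves in this hunk. Wrapping each body in `do { ... } while (0)` and writing the argument as `(x)` would make the macros safe for later call sites.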
58948 diff -urNp linux-2.6.39.2/grsecurity/grsec_mem.c linux-2.6.39.2/grsecurity/grsec_mem.c
58949 --- linux-2.6.39.2/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
58950 +++ linux-2.6.39.2/grsecurity/grsec_mem.c 2011-05-22 19:41:42.000000000 -0400
58951 @@ -0,0 +1,33 @@
58952 +#include <linux/kernel.h>
58953 +#include <linux/sched.h>
58954 +#include <linux/mm.h>
58955 +#include <linux/mman.h>
58956 +#include <linux/grinternal.h>
58957 +
58958 +void
58959 +gr_handle_ioperm(void)
58960 +{
58961 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
58962 + return;
58963 +}
58964 +
58965 +void
58966 +gr_handle_iopl(void)
58967 +{
58968 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
58969 + return;
58970 +}
58971 +
58972 +void
58973 +gr_handle_mem_readwrite(u64 from, u64 to)
58974 +{
58975 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
58976 + return;
58977 +}
58978 +
58979 +void
58980 +gr_handle_vm86(void)
58981 +{
58982 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
58983 + return;
58984 +}
58985 diff -urNp linux-2.6.39.2/grsecurity/grsec_mount.c linux-2.6.39.2/grsecurity/grsec_mount.c
58986 --- linux-2.6.39.2/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
58987 +++ linux-2.6.39.2/grsecurity/grsec_mount.c 2011-06-20 19:46:18.000000000 -0400
58988 @@ -0,0 +1,62 @@
58989 +#include <linux/kernel.h>
58990 +#include <linux/sched.h>
58991 +#include <linux/mount.h>
58992 +#include <linux/grsecurity.h>
58993 +#include <linux/grinternal.h>
58994 +
58995 +void
58996 +gr_log_remount(const char *devname, const int retval)
58997 +{
58998 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58999 + if (grsec_enable_mount && (retval >= 0))
59000 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59001 +#endif
59002 + return;
59003 +}
59004 +
59005 +void
59006 +gr_log_unmount(const char *devname, const int retval)
59007 +{
59008 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59009 + if (grsec_enable_mount && (retval >= 0))
59010 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59011 +#endif
59012 + return;
59013 +}
59014 +
59015 +void
59016 +gr_log_mount(const char *from, const char *to, const int retval)
59017 +{
59018 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59019 + if (grsec_enable_mount && (retval >= 0))
59020 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59021 +#endif
59022 + return;
59023 +}
59024 +
59025 +int
59026 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59027 +{
59028 +#ifdef CONFIG_GRKERNSEC_ROFS
59029 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59030 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59031 + return -EPERM;
59032 + } else
59033 + return 0;
59034 +#endif
59035 + return 0;
59036 +}
59037 +
59038 +int
59039 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59040 +{
59041 +#ifdef CONFIG_GRKERNSEC_ROFS
59042 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59043 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59044 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59045 + return -EPERM;
59046 + } else
59047 + return 0;
59048 +#endif
59049 + return 0;
59050 +}
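Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite both return -EPERM but report the event with GR_DO_AUDIT. In gr_log_start (grsec_log.c, earlier in this patch) that value selects KERN_INFO and jumps straight to `set_fmt`, skipping the CONFIG_GRKERNSEC_FLOODTIME / FLOODBURST limiting, so these denials are logged at info level and are not rate-limited. If they are meant to be alerts, `gr_log_fs_generic(GR_DONT_AUDIT_GOOD, GR_ROFS_MOUNT_MSG, dentry, mnt);` would take the KERN_ALERT, flood-limited path without the gr_handle_alertkill() call that END_LOCKS makes for GR_DONT_AUDIT. Whether gr_log_fs_generic accepts that value is not visible here. If the audit level is deliberate, a short comment saying so would help, and the `else return 0;` before `#endif` in both functions could be dropped since the same return follows it.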
59051 diff -urNp linux-2.6.39.2/grsecurity/grsec_pax.c linux-2.6.39.2/grsecurity/grsec_pax.c
59052 --- linux-2.6.39.2/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59053 +++ linux-2.6.39.2/grsecurity/grsec_pax.c 2011-05-22 19:41:42.000000000 -0400
59054 @@ -0,0 +1,36 @@
59055 +#include <linux/kernel.h>
59056 +#include <linux/sched.h>
59057 +#include <linux/mm.h>
59058 +#include <linux/file.h>
59059 +#include <linux/grinternal.h>
59060 +#include <linux/grsecurity.h>
59061 +
59062 +void
59063 +gr_log_textrel(struct vm_area_struct * vma)
59064 +{
59065 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59066 + if (grsec_enable_audit_textrel)
59067 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59068 +#endif
59069 + return;
59070 +}
59071 +
59072 +void
59073 +gr_log_rwxmmap(struct file *file)
59074 +{
59075 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59076 + if (grsec_enable_log_rwxmaps)
59077 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59078 +#endif
59079 + return;
59080 +}
59081 +
59082 +void
59083 +gr_log_rwxmprotect(struct file *file)
59084 +{
59085 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59086 + if (grsec_enable_log_rwxmaps)
59087 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59088 +#endif
59089 + return;
59090 +}
59091 diff -urNp linux-2.6.39.2/grsecurity/grsec_ptrace.c linux-2.6.39.2/grsecurity/grsec_ptrace.c
59092 --- linux-2.6.39.2/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59093 +++ linux-2.6.39.2/grsecurity/grsec_ptrace.c 2011-05-22 19:41:42.000000000 -0400
59094 @@ -0,0 +1,14 @@
59095 +#include <linux/kernel.h>
59096 +#include <linux/sched.h>
59097 +#include <linux/grinternal.h>
59098 +#include <linux/grsecurity.h>
59099 +
59100 +void
59101 +gr_audit_ptrace(struct task_struct *task)
59102 +{
59103 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59104 + if (grsec_enable_audit_ptrace)
59105 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59106 +#endif
59107 + return;
59108 +}
59109 diff -urNp linux-2.6.39.2/grsecurity/grsec_sig.c linux-2.6.39.2/grsecurity/grsec_sig.c
59110 --- linux-2.6.39.2/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59111 +++ linux-2.6.39.2/grsecurity/grsec_sig.c 2011-06-29 19:40:46.000000000 -0400
59112 @@ -0,0 +1,206 @@
59113 +#include <linux/kernel.h>
59114 +#include <linux/sched.h>
59115 +#include <linux/delay.h>
59116 +#include <linux/grsecurity.h>
59117 +#include <linux/grinternal.h>
59118 +#include <linux/hardirq.h>
59119 +
59120 +char *signames[] = {
59121 + [SIGSEGV] = "Segmentation fault",
59122 + [SIGILL] = "Illegal instruction",
59123 + [SIGABRT] = "Abort",
59124 + [SIGBUS] = "Invalid alignment/Bus error"
59125 +};
59126 +
59127 +void
59128 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59129 +{
59130 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59131 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59132 + (sig == SIGABRT) || (sig == SIGBUS))) {
59133 + if (t->pid == current->pid) {
59134 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59135 + } else {
59136 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59137 + }
59138 + }
59139 +#endif
59140 + return;
59141 +}
59142 +
59143 +int
59144 +gr_handle_signal(const struct task_struct *p, const int sig)
59145 +{
59146 +#ifdef CONFIG_GRKERNSEC
59147 + if (current->pid > 1 && gr_check_protected_task(p)) {
59148 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59149 + return -EPERM;
59150 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59151 + return -EPERM;
59152 + }
59153 +#endif
59154 + return 0;
59155 +}
59156 +
59157 +#ifdef CONFIG_GRKERNSEC
59158 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59159 +
59160 +int gr_fake_force_sig(int sig, struct task_struct *t)
59161 +{
59162 + unsigned long int flags;
59163 + int ret, blocked, ignored;
59164 + struct k_sigaction *action;
59165 +
59166 + spin_lock_irqsave(&t->sighand->siglock, flags);
59167 + action = &t->sighand->action[sig-1];
59168 + ignored = action->sa.sa_handler == SIG_IGN;
59169 + blocked = sigismember(&t->blocked, sig);
59170 + if (blocked || ignored) {
59171 + action->sa.sa_handler = SIG_DFL;
59172 + if (blocked) {
59173 + sigdelset(&t->blocked, sig);
59174 + recalc_sigpending_and_wake(t);
59175 + }
59176 + }
59177 + if (action->sa.sa_handler == SIG_DFL)
59178 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
59179 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59180 +
59181 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
59182 +
59183 + return ret;
59184 +}
59185 +#endif
59186 +
59187 +#ifdef CONFIG_GRKERNSEC_BRUTE
59188 +#define GR_USER_BAN_TIME (15 * 60)
59189 +
59190 +static int __get_dumpable(unsigned long mm_flags)
59191 +{
59192 + int ret;
59193 +
59194 + ret = mm_flags & MMF_DUMPABLE_MASK;
59195 + return (ret >= 2) ? 2 : ret;
59196 +}
59197 +#endif
59198 +
59199 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59200 +{
59201 +#ifdef CONFIG_GRKERNSEC_BRUTE
59202 + uid_t uid = 0;
59203 +
59204 + if (!grsec_enable_brute)
59205 + return;
59206 +
59207 + rcu_read_lock();
59208 + read_lock(&tasklist_lock);
59209 + read_lock(&grsec_exec_file_lock);
59210 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
59211 + p->real_parent->brute = 1;
59212 + else {
59213 + const struct cred *cred = __task_cred(p), *cred2;
59214 + struct task_struct *tsk, *tsk2;
59215 +
59216 + if (!__get_dumpable(mm_flags) && cred->uid) {
59217 + struct user_struct *user;
59218 +
59219 + uid = cred->uid;
59220 +
59221 + /* this is put upon execution past expiration */
59222 + user = find_user(uid);
59223 + if (user == NULL)
59224 + goto unlock;
59225 + user->banned = 1;
59226 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
59227 + if (user->ban_expires == ~0UL)
59228 + user->ban_expires--;
59229 +
59230 + do_each_thread(tsk2, tsk) {
59231 + cred2 = __task_cred(tsk);
59232 + if (tsk != p && cred2->uid == uid)
59233 + gr_fake_force_sig(SIGKILL, tsk);
59234 + } while_each_thread(tsk2, tsk);
59235 + }
59236 + }
59237 +unlock:
59238 + read_unlock(&grsec_exec_file_lock);
59239 + read_unlock(&tasklist_lock);
59240 + rcu_read_unlock();
59241 +
59242 + if (uid)
59243 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
59244 +
59245 +#endif
59246 + return;
59247 +}
59248 +
59249 +void gr_handle_brute_check(void)
59250 +{
59251 +#ifdef CONFIG_GRKERNSEC_BRUTE
59252 + if (current->brute)
59253 + msleep(30 * 1000);
59254 +#endif
59255 + return;
59256 +}
59257 +
59258 +void gr_handle_kernel_exploit(void)
59259 +{
59260 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
59261 + const struct cred *cred;
59262 + struct task_struct *tsk, *tsk2;
59263 + struct user_struct *user;
59264 + uid_t uid;
59265 +
59266 + if (in_irq() || in_serving_softirq() || in_nmi())
59267 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
59268 +
59269 + uid = current_uid();
59270 +
59271 + if (uid == 0)
59272 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
59273 + else {
59274 + /* kill all the processes of this user, hold a reference
59275 + to their creds struct, and prevent them from creating
59276 + another process until system reset
59277 + */
59278 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
59279 + /* we intentionally leak this ref */
59280 + user = get_uid(current->cred->user);
59281 + if (user) {
59282 + user->banned = 1;
59283 + user->ban_expires = ~0UL;
59284 + }
59285 +
59286 + read_lock(&tasklist_lock);
59287 + do_each_thread(tsk2, tsk) {
59288 + cred = __task_cred(tsk);
59289 + if (cred->uid == uid)
59290 + gr_fake_force_sig(SIGKILL, tsk);
59291 + } while_each_thread(tsk2, tsk);
59292 + read_unlock(&tasklist_lock);
59293 + }
59294 +#endif
59295 +}
59296 +
59297 +int __gr_process_user_ban(struct user_struct *user)
59298 +{
59299 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59300 + if (unlikely(user->banned)) {
59301 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
59302 + user->banned = 0;
59303 + user->ban_expires = 0;
59304 + free_uid(user);
59305 + } else
59306 + return -EPERM;
59307 + }
59308 +#endif
59309 + return 0;
59310 +}
59311 +
59312 +int gr_process_user_ban(void)
59313 +{
59314 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59315 + return __gr_process_user_ban(current->cred->user);
59316 +#endif
59317 + return 0;
59318 +}
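Review bot: In gr_handle_brute_attach, `user->banned` and `user->ban_expires` are written without checking whether a ban is already in force. gr_handle_kernel_exploit in this same file sets `ban_expires = ~0UL` for a ban meant to last until restart, and a later pass through the brute path for the same uid would replace it with a 15-minute expiry, which __gr_process_user_ban then clears. Each pass also calls find_user(), which as far as I know returns a counted reference, while expiry calls free_uid() only once, so a repeat trigger during an active ban appears to leak one reference. Checking `user->banned` first and dropping the extra reference would cover both. The check is still not atomic against a concurrent ban on another CPU, which the visible read-side locking does not serialize either.
```c
			user = find_user(uid);
			/* ... unchanged: NULL check and goto unlock ... */
			if (user->banned) {
				/* a ban is already in force: keep its expiry and
				 * drop the reference this find_user() call took */
				free_uid(user);
			} else {
				user->banned = 1;
				user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
				if (user->ban_expires == ~0UL)
					user->ban_expires--;
			}
			/* ... unchanged: do_each_thread() loop sending SIGKILL ... */
```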
59319 diff -urNp linux-2.6.39.2/grsecurity/grsec_sock.c linux-2.6.39.2/grsecurity/grsec_sock.c
59320 --- linux-2.6.39.2/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
59321 +++ linux-2.6.39.2/grsecurity/grsec_sock.c 2011-05-22 20:29:21.000000000 -0400
59322 @@ -0,0 +1,244 @@
59323 +#include <linux/kernel.h>
59324 +#include <linux/module.h>
59325 +#include <linux/sched.h>
59326 +#include <linux/file.h>
59327 +#include <linux/net.h>
59328 +#include <linux/in.h>
59329 +#include <linux/ip.h>
59330 +#include <net/sock.h>
59331 +#include <net/inet_sock.h>
59332 +#include <linux/grsecurity.h>
59333 +#include <linux/grinternal.h>
59334 +#include <linux/gracl.h>
59335 +
59336 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
59337 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
59338 +
59339 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
59340 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
59341 +
59342 +#ifdef CONFIG_UNIX_MODULE
59343 +EXPORT_SYMBOL(gr_acl_handle_unix);
59344 +EXPORT_SYMBOL(gr_acl_handle_mknod);
59345 +EXPORT_SYMBOL(gr_handle_chroot_unix);
59346 +EXPORT_SYMBOL(gr_handle_create);
59347 +#endif
59348 +
59349 +#ifdef CONFIG_GRKERNSEC
59350 +#define gr_conn_table_size 32749
59351 +struct conn_table_entry {
59352 + struct conn_table_entry *next;
59353 + struct signal_struct *sig;
59354 +};
59355 +
59356 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
59357 +DEFINE_SPINLOCK(gr_conn_table_lock);
59358 +
59359 +extern const char * gr_socktype_to_name(unsigned char type);
59360 +extern const char * gr_proto_to_name(unsigned char proto);
59361 +extern const char * gr_sockfamily_to_name(unsigned char family);
59362 +
59363 +static __inline__ int
59364 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
59365 +{
59366 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
59367 +}
59368 +
59369 +static __inline__ int
59370 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
59371 + __u16 sport, __u16 dport)
59372 +{
59373 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
59374 + sig->gr_sport == sport && sig->gr_dport == dport))
59375 + return 1;
59376 + else
59377 + return 0;
59378 +}
59379 +
59380 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
59381 +{
59382 + struct conn_table_entry **match;
59383 + unsigned int index;
59384 +
59385 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59386 + sig->gr_sport, sig->gr_dport,
59387 + gr_conn_table_size);
59388 +
59389 + newent->sig = sig;
59390 +
59391 + match = &gr_conn_table[index];
59392 + newent->next = *match;
59393 + *match = newent;
59394 +
59395 + return;
59396 +}
59397 +
59398 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
59399 +{
59400 + struct conn_table_entry *match, *last = NULL;
59401 + unsigned int index;
59402 +
59403 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59404 + sig->gr_sport, sig->gr_dport,
59405 + gr_conn_table_size);
59406 +
59407 + match = gr_conn_table[index];
59408 + while (match && !conn_match(match->sig,
59409 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
59410 + sig->gr_dport)) {
59411 + last = match;
59412 + match = match->next;
59413 + }
59414 +
59415 + if (match) {
59416 + if (last)
59417 + last->next = match->next;
59418 + else
59419 + gr_conn_table[index] = NULL;
59420 + kfree(match);
59421 + }
59422 +
59423 + return;
59424 +}
59425 +
59426 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
59427 + __u16 sport, __u16 dport)
59428 +{
59429 + struct conn_table_entry *match;
59430 + unsigned int index;
59431 +
59432 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
59433 +
59434 + match = gr_conn_table[index];
59435 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
59436 + match = match->next;
59437 +
59438 + if (match)
59439 + return match->sig;
59440 + else
59441 + return NULL;
59442 +}
59443 +
59444 +#endif
59445 +
59446 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
59447 +{
59448 +#ifdef CONFIG_GRKERNSEC
59449 + struct signal_struct *sig = task->signal;
59450 + struct conn_table_entry *newent;
59451 +
59452 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
59453 + if (newent == NULL)
59454 + return;
59455 + /* no bh lock needed since we are called with bh disabled */
59456 + spin_lock(&gr_conn_table_lock);
59457 + gr_del_task_from_ip_table_nolock(sig);
59458 + sig->gr_saddr = inet->inet_rcv_saddr;
59459 + sig->gr_daddr = inet->inet_daddr;
59460 + sig->gr_sport = inet->inet_sport;
59461 + sig->gr_dport = inet->inet_dport;
59462 + gr_add_to_task_ip_table_nolock(sig, newent);
59463 + spin_unlock(&gr_conn_table_lock);
59464 +#endif
59465 + return;
59466 +}
59467 +
59468 +void gr_del_task_from_ip_table(struct task_struct *task)
59469 +{
59470 +#ifdef CONFIG_GRKERNSEC
59471 + spin_lock_bh(&gr_conn_table_lock);
59472 + gr_del_task_from_ip_table_nolock(task->signal);
59473 + spin_unlock_bh(&gr_conn_table_lock);
59474 +#endif
59475 + return;
59476 +}
59477 +
59478 +void
59479 +gr_attach_curr_ip(const struct sock *sk)
59480 +{
59481 +#ifdef CONFIG_GRKERNSEC
59482 + struct signal_struct *p, *set;
59483 + const struct inet_sock *inet = inet_sk(sk);
59484 +
59485 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
59486 + return;
59487 +
59488 + set = current->signal;
59489 +
59490 + spin_lock_bh(&gr_conn_table_lock);
59491 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
59492 + inet->inet_dport, inet->inet_sport);
59493 + if (unlikely(p != NULL)) {
59494 + set->curr_ip = p->curr_ip;
59495 + set->used_accept = 1;
59496 + gr_del_task_from_ip_table_nolock(p);
59497 + spin_unlock_bh(&gr_conn_table_lock);
59498 + return;
59499 + }
59500 + spin_unlock_bh(&gr_conn_table_lock);
59501 +
59502 + set->curr_ip = inet->inet_daddr;
59503 + set->used_accept = 1;
59504 +#endif
59505 + return;
59506 +}
59507 +
59508 +int
59509 +gr_handle_sock_all(const int family, const int type, const int protocol)
59510 +{
59511 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59512 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
59513 + (family != AF_UNIX)) {
59514 + if (family == AF_INET)
59515 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
59516 + else
59517 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
59518 + return -EACCES;
59519 + }
59520 +#endif
59521 + return 0;
59522 +}
59523 +
59524 +int
59525 +gr_handle_sock_server(const struct sockaddr *sck)
59526 +{
59527 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59528 + if (grsec_enable_socket_server &&
59529 + in_group_p(grsec_socket_server_gid) &&
59530 + sck && (sck->sa_family != AF_UNIX) &&
59531 + (sck->sa_family != AF_LOCAL)) {
59532 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59533 + return -EACCES;
59534 + }
59535 +#endif
59536 + return 0;
59537 +}
59538 +
59539 +int
59540 +gr_handle_sock_server_other(const struct sock *sck)
59541 +{
59542 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59543 + if (grsec_enable_socket_server &&
59544 + in_group_p(grsec_socket_server_gid) &&
59545 + sck && (sck->sk_family != AF_UNIX) &&
59546 + (sck->sk_family != AF_LOCAL)) {
59547 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59548 + return -EACCES;
59549 + }
59550 +#endif
59551 + return 0;
59552 +}
59553 +
59554 +int
59555 +gr_handle_sock_client(const struct sockaddr *sck)
59556 +{
59557 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59558 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
59559 + sck && (sck->sa_family != AF_UNIX) &&
59560 + (sck->sa_family != AF_LOCAL)) {
59561 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
59562 + return -EACCES;
59563 + }
59564 +#endif
59565 + return 0;
59566 +}
59567 diff -urNp linux-2.6.39.2/grsecurity/grsec_sysctl.c linux-2.6.39.2/grsecurity/grsec_sysctl.c
59568 --- linux-2.6.39.2/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
59569 +++ linux-2.6.39.2/grsecurity/grsec_sysctl.c 2011-06-29 19:38:04.000000000 -0400
59570 @@ -0,0 +1,442 @@
59571 +#include <linux/kernel.h>
59572 +#include <linux/sched.h>
59573 +#include <linux/sysctl.h>
59574 +#include <linux/grsecurity.h>
59575 +#include <linux/grinternal.h>
59576 +
59577 +int
59578 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
59579 +{
59580 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59581 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
59582 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
59583 + return -EACCES;
59584 + }
59585 +#endif
59586 + return 0;
59587 +}
59588 +
59589 +#ifdef CONFIG_GRKERNSEC_ROFS
59590 +static int __maybe_unused one = 1;
59591 +#endif
59592 +
59593 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
59594 +struct ctl_table grsecurity_table[] = {
59595 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59596 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
59597 +#ifdef CONFIG_GRKERNSEC_IO
59598 + {
59599 + .procname = "disable_priv_io",
59600 + .data = &grsec_disable_privio,
59601 + .maxlen = sizeof(int),
59602 + .mode = 0600,
59603 + .proc_handler = &proc_dointvec,
59604 + },
59605 +#endif
59606 +#endif
59607 +#ifdef CONFIG_GRKERNSEC_LINK
59608 + {
59609 + .procname = "linking_restrictions",
59610 + .data = &grsec_enable_link,
59611 + .maxlen = sizeof(int),
59612 + .mode = 0600,
59613 + .proc_handler = &proc_dointvec,
59614 + },
59615 +#endif
59616 +#ifdef CONFIG_GRKERNSEC_BRUTE
59617 + {
59618 + .procname = "deter_bruteforce",
59619 + .data = &grsec_enable_brute,
59620 + .maxlen = sizeof(int),
59621 + .mode = 0600,
59622 + .proc_handler = &proc_dointvec,
59623 + },
59624 +#endif
59625 +#ifdef CONFIG_GRKERNSEC_FIFO
59626 + {
59627 + .procname = "fifo_restrictions",
59628 + .data = &grsec_enable_fifo,
59629 + .maxlen = sizeof(int),
59630 + .mode = 0600,
59631 + .proc_handler = &proc_dointvec,
59632 + },
59633 +#endif
59634 +#ifdef CONFIG_GRKERNSEC_EXECVE
59635 + {
59636 + .procname = "execve_limiting",
59637 + .data = &grsec_enable_execve,
59638 + .maxlen = sizeof(int),
59639 + .mode = 0600,
59640 + .proc_handler = &proc_dointvec,
59641 + },
59642 +#endif
59643 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59644 + {
59645 + .procname = "ip_blackhole",
59646 + .data = &grsec_enable_blackhole,
59647 + .maxlen = sizeof(int),
59648 + .mode = 0600,
59649 + .proc_handler = &proc_dointvec,
59650 + },
59651 + {
59652 + .procname = "lastack_retries",
59653 + .data = &grsec_lastack_retries,
59654 + .maxlen = sizeof(int),
59655 + .mode = 0600,
59656 + .proc_handler = &proc_dointvec,
59657 + },
59658 +#endif
59659 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59660 + {
59661 + .procname = "exec_logging",
59662 + .data = &grsec_enable_execlog,
59663 + .maxlen = sizeof(int),
59664 + .mode = 0600,
59665 + .proc_handler = &proc_dointvec,
59666 + },
59667 +#endif
59668 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59669 + {
59670 + .procname = "rwxmap_logging",
59671 + .data = &grsec_enable_log_rwxmaps,
59672 + .maxlen = sizeof(int),
59673 + .mode = 0600,
59674 + .proc_handler = &proc_dointvec,
59675 + },
59676 +#endif
59677 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59678 + {
59679 + .procname = "signal_logging",
59680 + .data = &grsec_enable_signal,
59681 + .maxlen = sizeof(int),
59682 + .mode = 0600,
59683 + .proc_handler = &proc_dointvec,
59684 + },
59685 +#endif
59686 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59687 + {
59688 + .procname = "forkfail_logging",
59689 + .data = &grsec_enable_forkfail,
59690 + .maxlen = sizeof(int),
59691 + .mode = 0600,
59692 + .proc_handler = &proc_dointvec,
59693 + },
59694 +#endif
59695 +#ifdef CONFIG_GRKERNSEC_TIME
59696 + {
59697 + .procname = "timechange_logging",
59698 + .data = &grsec_enable_time,
59699 + .maxlen = sizeof(int),
59700 + .mode = 0600,
59701 + .proc_handler = &proc_dointvec,
59702 + },
59703 +#endif
59704 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59705 + {
59706 + .procname = "chroot_deny_shmat",
59707 + .data = &grsec_enable_chroot_shmat,
59708 + .maxlen = sizeof(int),
59709 + .mode = 0600,
59710 + .proc_handler = &proc_dointvec,
59711 + },
59712 +#endif
59713 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59714 + {
59715 + .procname = "chroot_deny_unix",
59716 + .data = &grsec_enable_chroot_unix,
59717 + .maxlen = sizeof(int),
59718 + .mode = 0600,
59719 + .proc_handler = &proc_dointvec,
59720 + },
59721 +#endif
59722 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59723 + {
59724 + .procname = "chroot_deny_mount",
59725 + .data = &grsec_enable_chroot_mount,
59726 + .maxlen = sizeof(int),
59727 + .mode = 0600,
59728 + .proc_handler = &proc_dointvec,
59729 + },
59730 +#endif
59731 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59732 + {
59733 + .procname = "chroot_deny_fchdir",
59734 + .data = &grsec_enable_chroot_fchdir,
59735 + .maxlen = sizeof(int),
59736 + .mode = 0600,
59737 + .proc_handler = &proc_dointvec,
59738 + },
59739 +#endif
59740 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59741 + {
59742 + .procname = "chroot_deny_chroot",
59743 + .data = &grsec_enable_chroot_double,
59744 + .maxlen = sizeof(int),
59745 + .mode = 0600,
59746 + .proc_handler = &proc_dointvec,
59747 + },
59748 +#endif
59749 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59750 + {
59751 + .procname = "chroot_deny_pivot",
59752 + .data = &grsec_enable_chroot_pivot,
59753 + .maxlen = sizeof(int),
59754 + .mode = 0600,
59755 + .proc_handler = &proc_dointvec,
59756 + },
59757 +#endif
59758 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59759 + {
59760 + .procname = "chroot_enforce_chdir",
59761 + .data = &grsec_enable_chroot_chdir,
59762 + .maxlen = sizeof(int),
59763 + .mode = 0600,
59764 + .proc_handler = &proc_dointvec,
59765 + },
59766 +#endif
59767 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59768 + {
59769 + .procname = "chroot_deny_chmod",
59770 + .data = &grsec_enable_chroot_chmod,
59771 + .maxlen = sizeof(int),
59772 + .mode = 0600,
59773 + .proc_handler = &proc_dointvec,
59774 + },
59775 +#endif
59776 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59777 + {
59778 + .procname = "chroot_deny_mknod",
59779 + .data = &grsec_enable_chroot_mknod,
59780 + .maxlen = sizeof(int),
59781 + .mode = 0600,
59782 + .proc_handler = &proc_dointvec,
59783 + },
59784 +#endif
59785 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59786 + {
59787 + .procname = "chroot_restrict_nice",
59788 + .data = &grsec_enable_chroot_nice,
59789 + .maxlen = sizeof(int),
59790 + .mode = 0600,
59791 + .proc_handler = &proc_dointvec,
59792 + },
59793 +#endif
59794 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59795 + {
59796 + .procname = "chroot_execlog",
59797 + .data = &grsec_enable_chroot_execlog,
59798 + .maxlen = sizeof(int),
59799 + .mode = 0600,
59800 + .proc_handler = &proc_dointvec,
59801 + },
59802 +#endif
59803 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59804 + {
59805 + .procname = "chroot_caps",
59806 + .data = &grsec_enable_chroot_caps,
59807 + .maxlen = sizeof(int),
59808 + .mode = 0600,
59809 + .proc_handler = &proc_dointvec,
59810 + },
59811 +#endif
59812 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59813 + {
59814 + .procname = "chroot_deny_sysctl",
59815 + .data = &grsec_enable_chroot_sysctl,
59816 + .maxlen = sizeof(int),
59817 + .mode = 0600,
59818 + .proc_handler = &proc_dointvec,
59819 + },
59820 +#endif
59821 +#ifdef CONFIG_GRKERNSEC_TPE
59822 + {
59823 + .procname = "tpe",
59824 + .data = &grsec_enable_tpe,
59825 + .maxlen = sizeof(int),
59826 + .mode = 0600,
59827 + .proc_handler = &proc_dointvec,
59828 + },
59829 + {
59830 + .procname = "tpe_gid",
59831 + .data = &grsec_tpe_gid,
59832 + .maxlen = sizeof(int),
59833 + .mode = 0600,
59834 + .proc_handler = &proc_dointvec,
59835 + },
59836 +#endif
59837 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59838 + {
59839 + .procname = "tpe_invert",
59840 + .data = &grsec_enable_tpe_invert,
59841 + .maxlen = sizeof(int),
59842 + .mode = 0600,
59843 + .proc_handler = &proc_dointvec,
59844 + },
59845 +#endif
59846 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
59847 + {
59848 + .procname = "tpe_restrict_all",
59849 + .data = &grsec_enable_tpe_all,
59850 + .maxlen = sizeof(int),
59851 + .mode = 0600,
59852 + .proc_handler = &proc_dointvec,
59853 + },
59854 +#endif
59855 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59856 + {
59857 + .procname = "socket_all",
59858 + .data = &grsec_enable_socket_all,
59859 + .maxlen = sizeof(int),
59860 + .mode = 0600,
59861 + .proc_handler = &proc_dointvec,
59862 + },
59863 + {
59864 + .procname = "socket_all_gid",
59865 + .data = &grsec_socket_all_gid,
59866 + .maxlen = sizeof(int),
59867 + .mode = 0600,
59868 + .proc_handler = &proc_dointvec,
59869 + },
59870 +#endif
59871 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59872 + {
59873 + .procname = "socket_client",
59874 + .data = &grsec_enable_socket_client,
59875 + .maxlen = sizeof(int),
59876 + .mode = 0600,
59877 + .proc_handler = &proc_dointvec,
59878 + },
59879 + {
59880 + .procname = "socket_client_gid",
59881 + .data = &grsec_socket_client_gid,
59882 + .maxlen = sizeof(int),
59883 + .mode = 0600,
59884 + .proc_handler = &proc_dointvec,
59885 + },
59886 +#endif
59887 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59888 + {
59889 + .procname = "socket_server",
59890 + .data = &grsec_enable_socket_server,
59891 + .maxlen = sizeof(int),
59892 + .mode = 0600,
59893 + .proc_handler = &proc_dointvec,
59894 + },
59895 + {
59896 + .procname = "socket_server_gid",
59897 + .data = &grsec_socket_server_gid,
59898 + .maxlen = sizeof(int),
59899 + .mode = 0600,
59900 + .proc_handler = &proc_dointvec,
59901 + },
59902 +#endif
59903 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
59904 + {
59905 + .procname = "audit_group",
59906 + .data = &grsec_enable_group,
59907 + .maxlen = sizeof(int),
59908 + .mode = 0600,
59909 + .proc_handler = &proc_dointvec,
59910 + },
59911 + {
59912 + .procname = "audit_gid",
59913 + .data = &grsec_audit_gid,
59914 + .maxlen = sizeof(int),
59915 + .mode = 0600,
59916 + .proc_handler = &proc_dointvec,
59917 + },
59918 +#endif
59919 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59920 + {
59921 + .procname = "audit_chdir",
59922 + .data = &grsec_enable_chdir,
59923 + .maxlen = sizeof(int),
59924 + .mode = 0600,
59925 + .proc_handler = &proc_dointvec,
59926 + },
59927 +#endif
59928 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59929 + {
59930 + .procname = "audit_mount",
59931 + .data = &grsec_enable_mount,
59932 + .maxlen = sizeof(int),
59933 + .mode = 0600,
59934 + .proc_handler = &proc_dointvec,
59935 + },
59936 +#endif
59937 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59938 + {
59939 + .procname = "audit_textrel",
59940 + .data = &grsec_enable_audit_textrel,
59941 + .maxlen = sizeof(int),
59942 + .mode = 0600,
59943 + .proc_handler = &proc_dointvec,
59944 + },
59945 +#endif
59946 +#ifdef CONFIG_GRKERNSEC_DMESG
59947 + {
59948 + .procname = "dmesg",
59949 + .data = &grsec_enable_dmesg,
59950 + .maxlen = sizeof(int),
59951 + .mode = 0600,
59952 + .proc_handler = &proc_dointvec,
59953 + },
59954 +#endif
59955 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59956 + {
59957 + .procname = "chroot_findtask",
59958 + .data = &grsec_enable_chroot_findtask,
59959 + .maxlen = sizeof(int),
59960 + .mode = 0600,
59961 + .proc_handler = &proc_dointvec,
59962 + },
59963 +#endif
59964 +#ifdef CONFIG_GRKERNSEC_RESLOG
59965 + {
59966 + .procname = "resource_logging",
59967 + .data = &grsec_resource_logging,
59968 + .maxlen = sizeof(int),
59969 + .mode = 0600,
59970 + .proc_handler = &proc_dointvec,
59971 + },
59972 +#endif
59973 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59974 + {
59975 + .procname = "audit_ptrace",
59976 + .data = &grsec_enable_audit_ptrace,
59977 + .maxlen = sizeof(int),
59978 + .mode = 0600,
59979 + .proc_handler = &proc_dointvec,
59980 + },
59981 +#endif
59982 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
59983 + {
59984 + .procname = "harden_ptrace",
59985 + .data = &grsec_enable_harden_ptrace,
59986 + .maxlen = sizeof(int),
59987 + .mode = 0600,
59988 + .proc_handler = &proc_dointvec,
59989 + },
59990 +#endif
59991 + {
59992 + .procname = "grsec_lock",
59993 + .data = &grsec_lock,
59994 + .maxlen = sizeof(int),
59995 + .mode = 0600,
59996 + .proc_handler = &proc_dointvec,
59997 + },
59998 +#endif
59999 +#ifdef CONFIG_GRKERNSEC_ROFS
60000 + {
60001 + .procname = "romount_protect",
60002 + .data = &grsec_enable_rofs,
60003 + .maxlen = sizeof(int),
60004 + .mode = 0600,
60005 + .proc_handler = &proc_dointvec_minmax,
60006 + .extra1 = &one,
60007 + .extra2 = &one,
60008 + },
60009 +#endif
60010 + { }
60011 +};
60012 +#endif
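Review bot: Two entries in `grsecurity_table` have one-way semantics that nothing at their definition explains. `romount_protect` uses `proc_dointvec_minmax` with `.extra1` and `.extra2` both pointing at `one`, so the only value a write can store is 1. `gr_handle_sysctl_mod` above refuses every `MAY_WRITE` in a directory named "grsecurity" once `grsec_lock` is non-zero, which includes `grsec_lock` itself, assuming the table is registered under that name (not shown here). I would add `/* min == max == 1: can be enabled at runtime, never cleared */` above the `romount_protect` entry and `/* once non-zero, gr_handle_sysctl_mod() rejects all further writes to this directory */` above `grsec_lock`. Separately, the `*_gid` entries go through plain `proc_dointvec`, so a negative value is accepted; if those variables are meant to hold group ids, `proc_dointvec_minmax` with a zero lower bound would reject it.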
60013 diff -urNp linux-2.6.39.2/grsecurity/grsec_time.c linux-2.6.39.2/grsecurity/grsec_time.c
60014 --- linux-2.6.39.2/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60015 +++ linux-2.6.39.2/grsecurity/grsec_time.c 2011-05-22 19:41:42.000000000 -0400
60016 @@ -0,0 +1,16 @@
60017 +#include <linux/kernel.h>
60018 +#include <linux/sched.h>
60019 +#include <linux/grinternal.h>
60020 +#include <linux/module.h>
60021 +
60022 +void
60023 +gr_log_timechange(void)
60024 +{
60025 +#ifdef CONFIG_GRKERNSEC_TIME
60026 + if (grsec_enable_time)
60027 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60028 +#endif
60029 + return;
60030 +}
60031 +
60032 +EXPORT_SYMBOL(gr_log_timechange);
60033 diff -urNp linux-2.6.39.2/grsecurity/grsec_tpe.c linux-2.6.39.2/grsecurity/grsec_tpe.c
60034 --- linux-2.6.39.2/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60035 +++ linux-2.6.39.2/grsecurity/grsec_tpe.c 2011-05-22 19:41:42.000000000 -0400
60036 @@ -0,0 +1,39 @@
60037 +#include <linux/kernel.h>
60038 +#include <linux/sched.h>
60039 +#include <linux/file.h>
60040 +#include <linux/fs.h>
60041 +#include <linux/grinternal.h>
60042 +
60043 +extern int gr_acl_tpe_check(void);
60044 +
60045 +int
60046 +gr_tpe_allow(const struct file *file)
60047 +{
60048 +#ifdef CONFIG_GRKERNSEC
60049 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60050 + const struct cred *cred = current_cred();
60051 +
60052 + if (cred->uid && ((grsec_enable_tpe &&
60053 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60054 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60055 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60056 +#else
60057 + in_group_p(grsec_tpe_gid)
60058 +#endif
60059 + ) || gr_acl_tpe_check()) &&
60060 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60061 + (inode->i_mode & S_IWOTH))))) {
60062 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60063 + return 0;
60064 + }
60065 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60066 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60067 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60068 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60069 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60070 + return 0;
60071 + }
60072 +#endif
60073 +#endif
60074 + return 1;
60075 +}
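Review bot: `gr_tpe_allow` reads `file->f_path.dentry->d_parent->d_inode` with no reference or lock taken in this function, so a concurrent rename could change `d_parent` between the dereference and the ownership and mode checks on `inode`. Unless every caller already excludes that (not visible from this hunk), take a reference first with `struct dentry *parent = dget_parent(file->f_path.dentry);`, use `parent->d_inode`, and call `dput(parent);` before each return. The function also has no comment stating its contract; something like `/* returns 1 if execution is allowed, 0 if a TPE check denies it (the denial is logged) */` would help callers. The `!inode->i_uid &&` term in the first condition is redundant after `inode->i_uid ||` and can be dropped for readability.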
60076 diff -urNp linux-2.6.39.2/grsecurity/grsum.c linux-2.6.39.2/grsecurity/grsum.c
60077 --- linux-2.6.39.2/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60078 +++ linux-2.6.39.2/grsecurity/grsum.c 2011-05-22 19:41:42.000000000 -0400
60079 @@ -0,0 +1,61 @@
60080 +#include <linux/err.h>
60081 +#include <linux/kernel.h>
60082 +#include <linux/sched.h>
60083 +#include <linux/mm.h>
60084 +#include <linux/scatterlist.h>
60085 +#include <linux/crypto.h>
60086 +#include <linux/gracl.h>
60087 +
60088 +
60089 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60090 +#error "crypto and sha256 must be built into the kernel"
60091 +#endif
60092 +
60093 +int
60094 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60095 +{
60096 + char *p;
60097 + struct crypto_hash *tfm;
60098 + struct hash_desc desc;
60099 + struct scatterlist sg;
60100 + unsigned char temp_sum[GR_SHA_LEN];
60101 + volatile int retval = 0;
60102 + volatile int dummy = 0;
60103 + unsigned int i;
60104 +
60105 + sg_init_table(&sg, 1);
60106 +
60107 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60108 + if (IS_ERR(tfm)) {
60109 + /* should never happen, since sha256 should be built in */
60110 + return 1;
60111 + }
60112 +
60113 + desc.tfm = tfm;
60114 + desc.flags = 0;
60115 +
60116 + crypto_hash_init(&desc);
60117 +
60118 + p = salt;
60119 + sg_set_buf(&sg, p, GR_SALT_LEN);
60120 + crypto_hash_update(&desc, &sg, sg.length);
60121 +
60122 + p = entry->pw;
60123 + sg_set_buf(&sg, p, strlen(p));
60124 +
60125 + crypto_hash_update(&desc, &sg, sg.length);
60126 +
60127 + crypto_hash_final(&desc, temp_sum);
60128 +
60129 + memset(entry->pw, 0, GR_PW_LEN);
60130 +
60131 + for (i = 0; i < GR_SHA_LEN; i++)
60132 + if (sum[i] != temp_sum[i])
60133 + retval = 1;
60134 + else
60135 + dummy = 1; // waste a cycle
60136 +
60137 + crypto_free_hash(tfm);
60138 +
60139 + return retval;
60140 +}
60141 diff -urNp linux-2.6.39.2/grsecurity/Kconfig linux-2.6.39.2/grsecurity/Kconfig
60142 --- linux-2.6.39.2/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
60143 +++ linux-2.6.39.2/grsecurity/Kconfig 2011-06-29 20:57:06.000000000 -0400
60144 @@ -0,0 +1,1048 @@
60145 +#
60146 +# grecurity configuration
60147 +#
60148 +
60149 +menu "Grsecurity"
60150 +
60151 +config GRKERNSEC
60152 + bool "Grsecurity"
60153 + select CRYPTO
60154 + select CRYPTO_SHA256
60155 + help
60156 + If you say Y here, you will be able to configure many features
60157 + that will enhance the security of your system. It is highly
60158 + recommended that you say Y here and read through the help
60159 + for each option so that you fully understand the features and
60160 + can evaluate their usefulness for your machine.
60161 +
60162 +choice
60163 + prompt "Security Level"
60164 + depends on GRKERNSEC
60165 + default GRKERNSEC_CUSTOM
60166 +
60167 +config GRKERNSEC_LOW
60168 + bool "Low"
60169 + select GRKERNSEC_LINK
60170 + select GRKERNSEC_FIFO
60171 + select GRKERNSEC_EXECVE
60172 + select GRKERNSEC_RANDNET
60173 + select GRKERNSEC_DMESG
60174 + select GRKERNSEC_CHROOT
60175 + select GRKERNSEC_CHROOT_CHDIR
60176 +
60177 + help
60178 + If you choose this option, several of the grsecurity options will
60179 + be enabled that will give you greater protection against a number
60180 + of attacks, while assuring that none of your software will have any
60181 + conflicts with the additional security measures. If you run a lot
60182 + of unusual software, or you are having problems with the higher
60183 + security levels, you should say Y here. With this option, the
60184 + following features are enabled:
60185 +
60186 + - Linking restrictions
60187 + - FIFO restrictions
60188 + - Enforcing RLIMIT_NPROC on execve
60189 + - Restricted dmesg
60190 + - Enforced chdir("/") on chroot
60191 + - Runtime module disabling
60192 +
60193 +config GRKERNSEC_MEDIUM
60194 + bool "Medium"
60195 + select PAX
60196 + select PAX_EI_PAX
60197 + select PAX_PT_PAX_FLAGS
60198 + select PAX_HAVE_ACL_FLAGS
60199 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60200 + select GRKERNSEC_CHROOT
60201 + select GRKERNSEC_CHROOT_SYSCTL
60202 + select GRKERNSEC_LINK
60203 + select GRKERNSEC_FIFO
60204 + select GRKERNSEC_EXECVE
60205 + select GRKERNSEC_DMESG
60206 + select GRKERNSEC_RANDNET
60207 + select GRKERNSEC_FORKFAIL
60208 + select GRKERNSEC_TIME
60209 + select GRKERNSEC_SIGNAL
60210 + select GRKERNSEC_CHROOT
60211 + select GRKERNSEC_CHROOT_UNIX
60212 + select GRKERNSEC_CHROOT_MOUNT
60213 + select GRKERNSEC_CHROOT_PIVOT
60214 + select GRKERNSEC_CHROOT_DOUBLE
60215 + select GRKERNSEC_CHROOT_CHDIR
60216 + select GRKERNSEC_CHROOT_MKNOD
60217 + select GRKERNSEC_PROC
60218 + select GRKERNSEC_PROC_USERGROUP
60219 + select PAX_RANDUSTACK
60220 + select PAX_ASLR
60221 + select PAX_RANDMMAP
60222 + select PAX_REFCOUNT if (X86 || SPARC64)
60223 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB))
60224 +
60225 + help
60226 + If you say Y here, several features in addition to those included
60227 + in the low additional security level will be enabled. These
60228 + features provide even more security to your system, though in rare
60229 + cases they may be incompatible with very old or poorly written
60230 + software. If you enable this option, make sure that your auth
60231 + service (identd) is running as gid 1001. With this option,
60232 + the following features (in addition to those provided in the
60233 + low additional security level) will be enabled:
60234 +
60235 + - Failed fork logging
60236 + - Time change logging
60237 + - Signal logging
60238 + - Deny mounts in chroot
60239 + - Deny double chrooting
60240 + - Deny sysctl writes in chroot
60241 + - Deny mknod in chroot
60242 + - Deny access to abstract AF_UNIX sockets out of chroot
60243 + - Deny pivot_root in chroot
60244 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
60245 + - /proc restrictions with special GID set to 10 (usually wheel)
60246 + - Address Space Layout Randomization (ASLR)
60247 + - Prevent exploitation of most refcount overflows
60248 + - Bounds checking of copying between the kernel and userland
60249 +
60250 +config GRKERNSEC_HIGH
60251 + bool "High"
60252 + select GRKERNSEC_LINK
60253 + select GRKERNSEC_FIFO
60254 + select GRKERNSEC_EXECVE
60255 + select GRKERNSEC_DMESG
60256 + select GRKERNSEC_FORKFAIL
60257 + select GRKERNSEC_TIME
60258 + select GRKERNSEC_SIGNAL
60259 + select GRKERNSEC_CHROOT
60260 + select GRKERNSEC_CHROOT_SHMAT
60261 + select GRKERNSEC_CHROOT_UNIX
60262 + select GRKERNSEC_CHROOT_MOUNT
60263 + select GRKERNSEC_CHROOT_FCHDIR
60264 + select GRKERNSEC_CHROOT_PIVOT
60265 + select GRKERNSEC_CHROOT_DOUBLE
60266 + select GRKERNSEC_CHROOT_CHDIR
60267 + select GRKERNSEC_CHROOT_MKNOD
60268 + select GRKERNSEC_CHROOT_CAPS
60269 + select GRKERNSEC_CHROOT_SYSCTL
60270 + select GRKERNSEC_CHROOT_FINDTASK
60271 + select GRKERNSEC_SYSFS_RESTRICT
60272 + select GRKERNSEC_PROC
60273 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60274 + select GRKERNSEC_HIDESYM
60275 + select GRKERNSEC_BRUTE
60276 + select GRKERNSEC_PROC_USERGROUP
60277 + select GRKERNSEC_KMEM
60278 + select GRKERNSEC_RESLOG
60279 + select GRKERNSEC_RANDNET
60280 + select GRKERNSEC_PROC_ADD
60281 + select GRKERNSEC_CHROOT_CHMOD
60282 + select GRKERNSEC_CHROOT_NICE
60283 + select GRKERNSEC_AUDIT_MOUNT
60284 + select GRKERNSEC_MODHARDEN if (MODULES)
60285 + select GRKERNSEC_HARDEN_PTRACE
60286 + select GRKERNSEC_VM86 if (X86_32)
60287 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
60288 + select PAX
60289 + select PAX_RANDUSTACK
60290 + select PAX_ASLR
60291 + select PAX_RANDMMAP
60292 + select PAX_NOEXEC
60293 + select PAX_MPROTECT
60294 + select PAX_EI_PAX
60295 + select PAX_PT_PAX_FLAGS
60296 + select PAX_HAVE_ACL_FLAGS
60297 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
60298 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
60299 + select PAX_RANDKSTACK if (X86_TSC && X86)
60300 + select PAX_SEGMEXEC if (X86_32)
60301 + select PAX_PAGEEXEC
60302 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
60303 + select PAX_EMUTRAMP if (PARISC)
60304 + select PAX_EMUSIGRT if (PARISC)
60305 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
60306 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
60307 + select PAX_REFCOUNT if (X86 || SPARC64)
60308 + select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB))
60309 + help
60310 + If you say Y here, many of the features of grsecurity will be
60311 + enabled, which will protect you against many kinds of attacks
60312 + against your system. The heightened security comes at a cost
60313 + of an increased chance of incompatibilities with rare software
60314 + on your machine. Since this security level enables PaX, you should
60315 + view <http://pax.grsecurity.net> and read about the PaX
60316 + project. While you are there, download chpax and run it on
60317 + binaries that cause problems with PaX. Also remember that
60318 + since the /proc restrictions are enabled, you must run your
60319 + identd as gid 1001. This security level enables the following
60320 + features in addition to those listed in the low and medium
60321 + security levels:
60322 +
60323 + - Additional /proc restrictions
60324 + - Chmod restrictions in chroot
60325 + - No signals, ptrace, or viewing of processes outside of chroot
60326 + - Capability restrictions in chroot
60327 + - Deny fchdir out of chroot
60328 + - Priority restrictions in chroot
60329 + - Segmentation-based implementation of PaX
60330 + - Mprotect restrictions
60331 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
60332 + - Kernel stack randomization
60333 + - Mount/unmount/remount logging
60334 + - Kernel symbol hiding
60335 + - Prevention of memory exhaustion-based exploits
60336 + - Hardening of module auto-loading
60337 + - Ptrace restrictions
60338 + - Restricted vm86 mode
60339 + - Restricted sysfs/debugfs
60340 + - Active kernel exploit response
60341 +
60342 +config GRKERNSEC_CUSTOM
60343 + bool "Custom"
60344 + help
60345 + If you say Y here, you will be able to configure every grsecurity
60346 + option, which allows you to enable many more features that aren't
60347 + covered in the basic security levels. These additional features
60348 + include TPE, socket restrictions, and the sysctl system for
60349 + grsecurity. It is advised that you read through the help for
60350 + each option to determine its usefulness in your situation.
60351 +
60352 +endchoice
60353 +
60354 +menu "Address Space Protection"
60355 +depends on GRKERNSEC
60356 +
60357 +config GRKERNSEC_KMEM
60358 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
60359 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
60360 + help
60361 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
60362 + be written to via mmap or otherwise to modify the running kernel.
60363 + /dev/port will also not be allowed to be opened. If you have module
60364 + support disabled, enabling this will close up four ways that are
60365 + currently used to insert malicious code into the running kernel.
60366 + Even with all these features enabled, we still highly recommend that
60367 + you use the RBAC system, as it is still possible for an attacker to
60368 + modify the running kernel through privileged I/O granted by ioperm/iopl.
60369 + If you are not using XFree86, you may be able to stop this additional
60370 + case by enabling the 'Disable privileged I/O' option. Though nothing
60371 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
60372 + but only to video memory, which is the only writing we allow in this
60373 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
60374 + not be allowed to mprotect it with PROT_WRITE later.
60375 + It is highly recommended that you say Y here if you meet all the
60376 + conditions above.
60377 +
60378 +config GRKERNSEC_VM86
60379 + bool "Restrict VM86 mode"
60380 + depends on X86_32
60381 +
60382 + help
60383 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
60384 + make use of a special execution mode on 32bit x86 processors called
60385 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
60386 + video cards and will still work with this option enabled. The purpose
60387 + of the option is to prevent exploitation of emulation errors in
60388 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
60389 + Nearly all users should be able to enable this option.
60390 +
60391 +config GRKERNSEC_IO
60392 + bool "Disable privileged I/O"
60393 + depends on X86
60394 + select RTC_CLASS
60395 + select RTC_INTF_DEV
60396 + select RTC_DRV_CMOS
60397 +
60398 + help
60399 + If you say Y here, all ioperm and iopl calls will return an error.
60400 + Ioperm and iopl can be used to modify the running kernel.
60401 + Unfortunately, some programs need this access to operate properly,
60402 + the most notable of which are XFree86 and hwclock. hwclock can be
60403 + remedied by having RTC support in the kernel, so real-time
60404 + clock support is enabled if this option is enabled, to ensure
60405 + that hwclock operates correctly. XFree86 still will not
60406 + operate correctly with this option enabled, so DO NOT CHOOSE Y
60407 + IF YOU USE XFree86. If you use XFree86 and you still want to
60408 + protect your kernel against modification, use the RBAC system.
60409 +
60410 +config GRKERNSEC_PROC_MEMMAP
60411 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
60412 + default y if (PAX_NOEXEC || PAX_ASLR)
60413 + depends on PAX_NOEXEC || PAX_ASLR
60414 + help
60415 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
60416 + give no information about the addresses of its mappings if
60417 + PaX features that rely on random addresses are enabled on the task.
60418 + If you use PaX it is greatly recommended that you say Y here as it
60419 + closes up a hole that makes the full ASLR useless for suid
60420 + binaries.
60421 +
60422 +config GRKERNSEC_BRUTE
60423 + bool "Deter exploit bruteforcing"
60424 + help
60425 + If you say Y here, attempts to bruteforce exploits against forking
60426 + daemons such as apache or sshd, as well as against suid/sgid binaries
60427 + will be deterred. When a child of a forking daemon is killed by PaX
60428 + or crashes due to an illegal instruction or other suspicious signal,
60429 + the parent process will be delayed 30 seconds upon every subsequent
60430 + fork until the administrator is able to assess the situation and
60431 + restart the daemon.
60432 + In the suid/sgid case, the attempt is logged, the user has all their
60433 + processes terminated, and they are prevented from executing any further
60434 + processes for 15 minutes.
60435 + It is recommended that you also enable signal logging in the auditing
60436 + section so that logs are generated when a process triggers a suspicious
60437 + signal.
60438 + If the sysctl option is enabled, a sysctl option with name
60439 + "deter_bruteforce" is created.
60440 +
60441 +
60442 +config GRKERNSEC_MODHARDEN
60443 + bool "Harden module auto-loading"
60444 + depends on MODULES
60445 + help
60446 + If you say Y here, module auto-loading in response to use of some
60447 + feature implemented by an unloaded module will be restricted to
60448 + root users. Enabling this option helps defend against attacks
60449 + by unprivileged users who abuse the auto-loading behavior to
60450 + cause a vulnerable module to load that is then exploited.
60451 +
60452 + If this option prevents a legitimate use of auto-loading for a
60453 + non-root user, the administrator can execute modprobe manually
60454 + with the exact name of the module mentioned in the alert log.
60455 + Alternatively, the administrator can add the module to the list
60456 + of modules loaded at boot by modifying init scripts.
60457 +
60458 + Modification of init scripts will most likely be needed on
60459 + Ubuntu servers with encrypted home directory support enabled,
60460 + as the first non-root user logging in will cause the ecb(aes),
60461 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
60462 +
60463 +config GRKERNSEC_HIDESYM
60464 + bool "Hide kernel symbols"
60465 + help
60466 + If you say Y here, getting information on loaded modules, and
60467 + displaying all kernel symbols through a syscall will be restricted
60468 + to users with CAP_SYS_MODULE. For software compatibility reasons,
60469 + /proc/kallsyms will be restricted to the root user. The RBAC
60470 + system can hide that entry even from root.
60471 +
60472 + This option also prevents leaking of kernel addresses through
60473 + several /proc entries.
60474 +
60475 + Note that this option is only effective provided the following
60476 + conditions are met:
60477 + 1) The kernel using grsecurity is not precompiled by some distribution
60478 + 2) You have also enabled GRKERNSEC_DMESG
60479 + 3) You are using the RBAC system and hiding other files such as your
60480 + kernel image and System.map. Alternatively, enabling this option
60481 + causes the permissions on /boot, /lib/modules, and the kernel
60482 + source directory to change at compile time to prevent
60483 + reading by non-root users.
60484 + If the above conditions are met, this option will aid in providing a
60485 + useful protection against local kernel exploitation of overflows
60486 + and arbitrary read/write vulnerabilities.
60487 +
60488 +config GRKERNSEC_KERN_LOCKOUT
60489 + bool "Active kernel exploit response"
60490 + depends on X86 || ARM || PPC || SPARC
60491 + help
60492 + If you say Y here, when a PaX alert is triggered due to suspicious
60493 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
60494 + or an OOPs occurs due to bad memory accesses, instead of just
60495 + terminating the offending process (and potentially allowing
60496 + a subsequent exploit from the same user), we will take one of two
60497 + actions:
60498 + If the user was root, we will panic the system
60499 + If the user was non-root, we will log the attempt, terminate
60500 + all processes owned by the user, then prevent them from creating
60501 + any new processes until the system is restarted
60502 + This deters repeated kernel exploitation/bruteforcing attempts
60503 + and is useful for later forensics.
60504 +
60505 +endmenu
60506 +menu "Role Based Access Control Options"
60507 +depends on GRKERNSEC
60508 +
60509 +config GRKERNSEC_RBAC_DEBUG
60510 + bool
60511 +
60512 +config GRKERNSEC_NO_RBAC
60513 + bool "Disable RBAC system"
60514 + help
60515 + If you say Y here, the /dev/grsec device will be removed from the kernel,
60516 + preventing the RBAC system from being enabled. You should only say Y
60517 + here if you have no intention of using the RBAC system, so as to prevent
60518 + an attacker with root access from misusing the RBAC system to hide files
60519 + and processes when loadable module support and /dev/[k]mem have been
60520 + locked down.
60521 +
60522 +config GRKERNSEC_ACL_HIDEKERN
60523 + bool "Hide kernel processes"
60524 + help
60525 + If you say Y here, all kernel threads will be hidden to all
60526 + processes but those whose subject has the "view hidden processes"
60527 + flag.
60528 +
60529 +config GRKERNSEC_ACL_MAXTRIES
60530 + int "Maximum tries before password lockout"
60531 + default 3
60532 + help
60533 + This option enforces the maximum number of times a user can attempt
60534 + to authorize themselves with the grsecurity RBAC system before being
60535 + denied the ability to attempt authorization again for a specified time.
60536 + The lower the number, the harder it will be to brute-force a password.
60537 +
60538 +config GRKERNSEC_ACL_TIMEOUT
60539 + int "Time to wait after max password tries, in seconds"
60540 + default 30
60541 + help
60542 + This option specifies the time the user must wait after attempting to
60543 + authorize to the RBAC system with the maximum number of invalid
60544 + passwords. The higher the number, the harder it will be to brute-force
60545 + a password.
60546 +
60547 +endmenu
60548 +menu "Filesystem Protections"
60549 +depends on GRKERNSEC
60550 +
60551 +config GRKERNSEC_PROC
60552 + bool "Proc restrictions"
60553 + help
60554 + If you say Y here, the permissions of the /proc filesystem
60555 + will be altered to enhance system security and privacy. You MUST
60556 + choose either a user only restriction or a user and group restriction.
60557 + Depending upon the option you choose, you can either restrict users to
60558 + see only the processes they themselves run, or choose a group that can
60559 + view all processes and files normally restricted to root if you choose
60560 + the "restrict to user only" option. NOTE: If you're running identd as
60561 + a non-root user, you will have to run it as the group you specify here.
60562 +
60563 +config GRKERNSEC_PROC_USER
60564 + bool "Restrict /proc to user only"
60565 + depends on GRKERNSEC_PROC
60566 + help
60567 + If you say Y here, non-root users will only be able to view their own
60568 + processes, and restricts them from viewing network-related information,
60569 + and viewing kernel symbol and module information.
60570 +
60571 +config GRKERNSEC_PROC_USERGROUP
60572 + bool "Allow special group"
60573 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
60574 + help
60575 + If you say Y here, you will be able to select a group that will be
60576 + able to view all processes and network-related information. If you've
60577 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
60578 + remain hidden. This option is useful if you want to run identd as
60579 + a non-root user.
60580 +
60581 +config GRKERNSEC_PROC_GID
60582 + int "GID for special group"
60583 + depends on GRKERNSEC_PROC_USERGROUP
60584 + default 1001
60585 +
60586 +config GRKERNSEC_PROC_ADD
60587 + bool "Additional restrictions"
60588 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
60589 + help
60590 + If you say Y here, additional restrictions will be placed on
60591 + /proc that keep normal users from viewing device information and
60592 + slabinfo information that could be useful for exploits.
60593 +
60594 +config GRKERNSEC_LINK
60595 + bool "Linking restrictions"
60596 + help
60597 + If you say Y here, /tmp race exploits will be prevented, since users
60598 + will no longer be able to follow symlinks owned by other users in
60599 + world-writable +t directories (e.g. /tmp), unless the owner of the
60600 + symlink is the owner of the directory. users will also not be
60601 + able to hardlink to files they do not own. If the sysctl option is
60602 + enabled, a sysctl option with name "linking_restrictions" is created.
60603 +
60604 +config GRKERNSEC_FIFO
60605 + bool "FIFO restrictions"
60606 + help
60607 + If you say Y here, users will not be able to write to FIFOs they don't
60608 + own in world-writable +t directories (e.g. /tmp), unless the owner of
60609 + the FIFO is the same owner of the directory it's held in. If the sysctl
60610 + option is enabled, a sysctl option with name "fifo_restrictions" is
60611 + created.
60612 +
60613 +config GRKERNSEC_SYSFS_RESTRICT
60614 + bool "Sysfs/debugfs restriction"
60615 + depends on SYSFS
60616 + help
60617 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
60618 + any filesystem normally mounted under it (e.g. debugfs) will only
60619 + be accessible by root. These filesystems generally provide access
60620 + to hardware and debug information that isn't appropriate for unprivileged
60621 + users of the system. Sysfs and debugfs have also become a large source
60622 + of new vulnerabilities, ranging from infoleaks to local compromise.
60623 + There has been very little oversight with an eye toward security involved
60624 + in adding new exporters of information to these filesystems, so their
60625 + use is discouraged.
60626 + This option is equivalent to a chmod 0700 of the mount paths.
60627 +
60628 +config GRKERNSEC_ROFS
60629 + bool "Runtime read-only mount protection"
60630 + help
60631 + If you say Y here, a sysctl option with name "romount_protect" will
60632 + be created. By setting this option to 1 at runtime, filesystems
60633 + will be protected in the following ways:
60634 + * No new writable mounts will be allowed
60635 + * Existing read-only mounts won't be able to be remounted read/write
60636 + * Write operations will be denied on all block devices
60637 + This option acts independently of grsec_lock: once it is set to 1,
60638 + it cannot be turned off. Therefore, please be mindful of the resulting
60639 + behavior if this option is enabled in an init script on a read-only
60640 + filesystem. This feature is mainly intended for secure embedded systems.
60641 +
60642 +config GRKERNSEC_CHROOT
60643 + bool "Chroot jail restrictions"
60644 + help
60645 + If you say Y here, you will be able to choose several options that will
60646 + make breaking out of a chrooted jail much more difficult. If you
60647 + encounter no software incompatibilities with the following options, it
60648 + is recommended that you enable each one.
60649 +
60650 +config GRKERNSEC_CHROOT_MOUNT
60651 + bool "Deny mounts"
60652 + depends on GRKERNSEC_CHROOT
60653 + help
60654 + If you say Y here, processes inside a chroot will not be able to
60655 + mount or remount filesystems. If the sysctl option is enabled, a
60656 + sysctl option with name "chroot_deny_mount" is created.
60657 +
60658 +config GRKERNSEC_CHROOT_DOUBLE
60659 + bool "Deny double-chroots"
60660 + depends on GRKERNSEC_CHROOT
60661 + help
60662 + If you say Y here, processes inside a chroot will not be able to chroot
60663 + again outside the chroot. This is a widely used method of breaking
60664 + out of a chroot jail and should not be allowed. If the sysctl
60665 + option is enabled, a sysctl option with name
60666 + "chroot_deny_chroot" is created.
60667 +
60668 +config GRKERNSEC_CHROOT_PIVOT
60669 + bool "Deny pivot_root in chroot"
60670 + depends on GRKERNSEC_CHROOT
60671 + help
60672 + If you say Y here, processes inside a chroot will not be able to use
60673 + a function called pivot_root() that was introduced in Linux 2.3.41. It
60674 + works similar to chroot in that it changes the root filesystem. This
60675 + function could be misused in a chrooted process to attempt to break out
60676 + of the chroot, and therefore should not be allowed. If the sysctl
60677 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
60678 + created.
60679 +
60680 +config GRKERNSEC_CHROOT_CHDIR
60681 + bool "Enforce chdir(\"/\") on all chroots"
60682 + depends on GRKERNSEC_CHROOT
60683 + help
60684 + If you say Y here, the current working directory of all newly-chrooted
60685 + applications will be set to the the root directory of the chroot.
60686 + The man page on chroot(2) states:
60687 + Note that this call does not change the current working
60688 + directory, so that `.' can be outside the tree rooted at
60689 + `/'. In particular, the super-user can escape from a
60690 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
60691 +
60692 + It is recommended that you say Y here, since it's not known to break
60693 + any software. If the sysctl option is enabled, a sysctl option with
60694 + name "chroot_enforce_chdir" is created.
60695 +
60696 +config GRKERNSEC_CHROOT_CHMOD
60697 + bool "Deny (f)chmod +s"
60698 + depends on GRKERNSEC_CHROOT
60699 + help
60700 + If you say Y here, processes inside a chroot will not be able to chmod
60701 + or fchmod files to make them have suid or sgid bits. This protects
60702 + against another published method of breaking a chroot. If the sysctl
60703 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
60704 + created.
60705 +
60706 +config GRKERNSEC_CHROOT_FCHDIR
60707 + bool "Deny fchdir out of chroot"
60708 + depends on GRKERNSEC_CHROOT
60709 + help
60710 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
60711 + to a file descriptor of the chrooting process that points to a directory
60712 + outside the filesystem will be stopped. If the sysctl option
60713 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
60714 +
60715 +config GRKERNSEC_CHROOT_MKNOD
60716 + bool "Deny mknod"
60717 + depends on GRKERNSEC_CHROOT
60718 + help
60719 + If you say Y here, processes inside a chroot will not be allowed to
60720 + mknod. The problem with using mknod inside a chroot is that it
60721 + would allow an attacker to create a device entry that is the same
60722 + as one on the physical root of your system, which could range from
60723 + anything from the console device to a device for your harddrive (which
60724 + they could then use to wipe the drive or steal data). It is recommended
60725 + that you say Y here, unless you run into software incompatibilities.
60726 + If the sysctl option is enabled, a sysctl option with name
60727 + "chroot_deny_mknod" is created.
60728 +
60729 +config GRKERNSEC_CHROOT_SHMAT
60730 + bool "Deny shmat() out of chroot"
60731 + depends on GRKERNSEC_CHROOT
60732 + help
60733 + If you say Y here, processes inside a chroot will not be able to attach
60734 + to shared memory segments that were created outside of the chroot jail.
60735 + It is recommended that you say Y here. If the sysctl option is enabled,
60736 + a sysctl option with name "chroot_deny_shmat" is created.
60737 +
60738 +config GRKERNSEC_CHROOT_UNIX
60739 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
60740 + depends on GRKERNSEC_CHROOT
60741 + help
60742 + If you say Y here, processes inside a chroot will not be able to
60743 + connect to abstract (meaning not belonging to a filesystem) Unix
60744 + domain sockets that were bound outside of a chroot. It is recommended
60745 + that you say Y here. If the sysctl option is enabled, a sysctl option
60746 + with name "chroot_deny_unix" is created.
60747 +
60748 +config GRKERNSEC_CHROOT_FINDTASK
60749 + bool "Protect outside processes"
60750 + depends on GRKERNSEC_CHROOT
60751 + help
60752 + If you say Y here, processes inside a chroot will not be able to
60753 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60754 + getsid, or view any process outside of the chroot. If the sysctl
60755 + option is enabled, a sysctl option with name "chroot_findtask" is
60756 + created.
60757 +
60758 +config GRKERNSEC_CHROOT_NICE
60759 + bool "Restrict priority changes"
60760 + depends on GRKERNSEC_CHROOT
60761 + help
60762 + If you say Y here, processes inside a chroot will not be able to raise
60763 + the priority of processes in the chroot, or alter the priority of
60764 + processes outside the chroot. This provides more security than simply
60765 + removing CAP_SYS_NICE from the process' capability set. If the
60766 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60767 + is created.
60768 +
60769 +config GRKERNSEC_CHROOT_SYSCTL
60770 + bool "Deny sysctl writes"
60771 + depends on GRKERNSEC_CHROOT
60772 + help
60773 + If you say Y here, an attacker in a chroot will not be able to
60774 + write to sysctl entries, either by sysctl(2) or through a /proc
60775 + interface. It is strongly recommended that you say Y here. If the
60776 + sysctl option is enabled, a sysctl option with name
60777 + "chroot_deny_sysctl" is created.
60778 +
60779 +config GRKERNSEC_CHROOT_CAPS
60780 + bool "Capability restrictions"
60781 + depends on GRKERNSEC_CHROOT
60782 + help
60783 + If you say Y here, the capabilities on all root processes within a
60784 + chroot jail will be lowered to stop module insertion, raw i/o,
60785 + system and net admin tasks, rebooting the system, modifying immutable
60786 + files, modifying IPC owned by another, and changing the system time.
60787 + This is left an option because it can break some apps. Disable this
60788 + if your chrooted apps are having problems performing those kinds of
60789 + tasks. If the sysctl option is enabled, a sysctl option with
60790 + name "chroot_caps" is created.
60791 +
60792 +endmenu
60793 +menu "Kernel Auditing"
60794 +depends on GRKERNSEC
60795 +
60796 +config GRKERNSEC_AUDIT_GROUP
60797 + bool "Single group for auditing"
60798 + help
60799 + If you say Y here, the exec, chdir, and (un)mount logging features
60800 + will only operate on a group you specify. This option is recommended
60801 + if you only want to watch certain users instead of having a large
60802 + amount of logs from the entire system. If the sysctl option is enabled,
60803 + a sysctl option with name "audit_group" is created.
60804 +
60805 +config GRKERNSEC_AUDIT_GID
60806 + int "GID for auditing"
60807 + depends on GRKERNSEC_AUDIT_GROUP
60808 + default 1007
60809 +
60810 +config GRKERNSEC_EXECLOG
60811 + bool "Exec logging"
60812 + help
60813 + If you say Y here, all execve() calls will be logged (since the
60814 + other exec*() calls are frontends to execve(), all execution
60815 + will be logged). Useful for shell-servers that like to keep track
60816 + of their users. If the sysctl option is enabled, a sysctl option with
60817 + name "exec_logging" is created.
60818 + WARNING: This option when enabled will produce a LOT of logs, especially
60819 + on an active system.
60820 +
60821 +config GRKERNSEC_RESLOG
60822 + bool "Resource logging"
60823 + help
60824 + If you say Y here, all attempts to overstep resource limits will
60825 + be logged with the resource name, the requested size, and the current
60826 + limit. It is highly recommended that you say Y here. If the sysctl
60827 + option is enabled, a sysctl option with name "resource_logging" is
60828 + created. If the RBAC system is enabled, the sysctl value is ignored.
60829 +
60830 +config GRKERNSEC_CHROOT_EXECLOG
60831 + bool "Log execs within chroot"
60832 + help
60833 + If you say Y here, all executions inside a chroot jail will be logged
60834 + to syslog. This can cause a large amount of logs if certain
60835 + applications (eg. djb's daemontools) are installed on the system, and
60836 + is therefore left as an option. If the sysctl option is enabled, a
60837 + sysctl option with name "chroot_execlog" is created.
60838 +
60839 +config GRKERNSEC_AUDIT_PTRACE
60840 + bool "Ptrace logging"
60841 + help
60842 + If you say Y here, all attempts to attach to a process via ptrace
60843 + will be logged. If the sysctl option is enabled, a sysctl option
60844 + with name "audit_ptrace" is created.
60845 +
60846 +config GRKERNSEC_AUDIT_CHDIR
60847 + bool "Chdir logging"
60848 + help
60849 + If you say Y here, all chdir() calls will be logged. If the sysctl
60850 + option is enabled, a sysctl option with name "audit_chdir" is created.
60851 +
60852 +config GRKERNSEC_AUDIT_MOUNT
60853 + bool "(Un)Mount logging"
60854 + help
60855 + If you say Y here, all mounts and unmounts will be logged. If the
60856 + sysctl option is enabled, a sysctl option with name "audit_mount" is
60857 + created.
60858 +
60859 +config GRKERNSEC_SIGNAL
60860 + bool "Signal logging"
60861 + help
60862 + If you say Y here, certain important signals will be logged, such as
60863 + SIGSEGV, which will as a result inform you of when a error in a program
60864 + occurred, which in some cases could mean a possible exploit attempt.
60865 + If the sysctl option is enabled, a sysctl option with name
60866 + "signal_logging" is created.
60867 +
60868 +config GRKERNSEC_FORKFAIL
60869 + bool "Fork failure logging"
60870 + help
60871 + If you say Y here, all failed fork() attempts will be logged.
60872 + This could suggest a fork bomb, or someone attempting to overstep
60873 + their process limit. If the sysctl option is enabled, a sysctl option
60874 + with name "forkfail_logging" is created.
60875 +
60876 +config GRKERNSEC_TIME
60877 + bool "Time change logging"
60878 + help
60879 + If you say Y here, any changes of the system clock will be logged.
60880 + If the sysctl option is enabled, a sysctl option with name
60881 + "timechange_logging" is created.
60882 +
60883 +config GRKERNSEC_PROC_IPADDR
60884 + bool "/proc/<pid>/ipaddr support"
60885 + help
60886 + If you say Y here, a new entry will be added to each /proc/<pid>
60887 + directory that contains the IP address of the person using the task.
60888 + The IP is carried across local TCP and AF_UNIX stream sockets.
60889 + This information can be useful for IDS/IPSes to perform remote response
60890 + to a local attack. The entry is readable by only the owner of the
60891 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
60892 + the RBAC system), and thus does not create privacy concerns.
60893 +
60894 +config GRKERNSEC_RWXMAP_LOG
60895 + bool 'Denied RWX mmap/mprotect logging'
60896 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
60897 + help
60898 + If you say Y here, calls to mmap() and mprotect() with explicit
60899 + usage of PROT_WRITE and PROT_EXEC together will be logged when
60900 + denied by the PAX_MPROTECT feature. If the sysctl option is
60901 + enabled, a sysctl option with name "rwxmap_logging" is created.
60902 +
60903 +config GRKERNSEC_AUDIT_TEXTREL
60904 + bool 'ELF text relocations logging (READ HELP)'
60905 + depends on PAX_MPROTECT
60906 + help
60907 + If you say Y here, text relocations will be logged with the filename
60908 + of the offending library or binary. The purpose of the feature is
60909 + to help Linux distribution developers get rid of libraries and
60910 + binaries that need text relocations which hinder the future progress
60911 + of PaX. Only Linux distribution developers should say Y here, and
60912 + never on a production machine, as this option creates an information
60913 + leak that could aid an attacker in defeating the randomization of
60914 + a single memory region. If the sysctl option is enabled, a sysctl
60915 + option with name "audit_textrel" is created.
60916 +
60917 +endmenu
60918 +
60919 +menu "Executable Protections"
60920 +depends on GRKERNSEC
60921 +
60922 +config GRKERNSEC_EXECVE
60923 + bool "Enforce RLIMIT_NPROC on execs"
60924 + help
60925 + If you say Y here, users with a resource limit on processes will
60926 + have the value checked during execve() calls. The current system
60927 + only checks the system limit during fork() calls. If the sysctl option
60928 + is enabled, a sysctl option with name "execve_limiting" is created.
60929 +
60930 +config GRKERNSEC_DMESG
60931 + bool "Dmesg(8) restriction"
60932 + help
60933 + If you say Y here, non-root users will not be able to use dmesg(8)
60934 + to view up to the last 4kb of messages in the kernel's log buffer.
60935 + The kernel's log buffer often contains kernel addresses and other
60936 + identifying information useful to an attacker in fingerprinting a
60937 + system for a targeted exploit.
60938 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
60939 + created.
60940 +
60941 +config GRKERNSEC_HARDEN_PTRACE
60942 + bool "Deter ptrace-based process snooping"
60943 + help
60944 + If you say Y here, TTY sniffers and other malicious monitoring
60945 + programs implemented through ptrace will be defeated. If you
60946 + have been using the RBAC system, this option has already been
60947 + enabled for several years for all users, with the ability to make
60948 + fine-grained exceptions.
60949 +
60950 + This option only affects the ability of non-root users to ptrace
60951 + processes that are not a descendent of the ptracing process.
60952 + This means that strace ./binary and gdb ./binary will still work,
60953 + but attaching to arbitrary processes will not. If the sysctl
60954 + option is enabled, a sysctl option with name "harden_ptrace" is
60955 + created.
60956 +
60957 +config GRKERNSEC_TPE
60958 + bool "Trusted Path Execution (TPE)"
60959 + help
60960 + If you say Y here, you will be able to choose a gid to add to the
60961 + supplementary groups of users you want to mark as "untrusted."
60962 + These users will not be able to execute any files that are not in
60963 + root-owned directories writable only by root. If the sysctl option
60964 + is enabled, a sysctl option with name "tpe" is created.
60965 +
60966 +config GRKERNSEC_TPE_ALL
60967 + bool "Partially restrict all non-root users"
60968 + depends on GRKERNSEC_TPE
60969 + help
60970 + If you say Y here, all non-root users will be covered under
60971 + a weaker TPE restriction. This is separate from, and in addition to,
60972 + the main TPE options that you have selected elsewhere. Thus, if a
60973 + "trusted" GID is chosen, this restriction applies to even that GID.
60974 + Under this restriction, all non-root users will only be allowed to
60975 + execute files in directories they own that are not group or
60976 + world-writable, or in directories owned by root and writable only by
60977 + root. If the sysctl option is enabled, a sysctl option with name
60978 + "tpe_restrict_all" is created.
60979 +
60980 +config GRKERNSEC_TPE_INVERT
60981 + bool "Invert GID option"
60982 + depends on GRKERNSEC_TPE
60983 + help
60984 + If you say Y here, the group you specify in the TPE configuration will
60985 + decide what group TPE restrictions will be *disabled* for. This
60986 + option is useful if you want TPE restrictions to be applied to most
60987 + users on the system. If the sysctl option is enabled, a sysctl option
60988 + with name "tpe_invert" is created. Unlike other sysctl options, this
60989 + entry will default to on for backward-compatibility.
60990 +
60991 +config GRKERNSEC_TPE_GID
60992 + int "GID for untrusted users"
60993 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
60994 + default 1005
60995 + help
60996 + Setting this GID determines what group TPE restrictions will be
60997 + *enabled* for. If the sysctl option is enabled, a sysctl option
60998 + with name "tpe_gid" is created.
60999 +
61000 +config GRKERNSEC_TPE_GID
61001 + int "GID for trusted users"
61002 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61003 + default 1005
61004 + help
61005 + Setting this GID determines what group TPE restrictions will be
61006 + *disabled* for. If the sysctl option is enabled, a sysctl option
61007 + with name "tpe_gid" is created.
61008 +
61009 +endmenu
61010 +menu "Network Protections"
61011 +depends on GRKERNSEC
61012 +
61013 +config GRKERNSEC_RANDNET
61014 + bool "Larger entropy pools"
61015 + help
61016 + If you say Y here, the entropy pools used for many features of Linux
61017 + and grsecurity will be doubled in size. Since several grsecurity
61018 + features use additional randomness, it is recommended that you say Y
61019 + here. Saying Y here has a similar effect as modifying
61020 + /proc/sys/kernel/random/poolsize.
61021 +
61022 +config GRKERNSEC_BLACKHOLE
61023 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61024 + help
61025 + If you say Y here, neither TCP resets nor ICMP
61026 + destination-unreachable packets will be sent in response to packets
61027 + sent to ports for which no associated listening process exists.
61028 + This feature supports both IPV4 and IPV6 and exempts the
61029 + loopback interface from blackholing. Enabling this feature
61030 + makes a host more resilient to DoS attacks and reduces network
61031 + visibility against scanners.
61032 +
61033 + The blackhole feature as-implemented is equivalent to the FreeBSD
61034 + blackhole feature, as it prevents RST responses to all packets, not
61035 + just SYNs. Under most application behavior this causes no
61036 + problems, but applications (like haproxy) may not close certain
61037 + connections in a way that cleanly terminates them on the remote
61038 + end, leaving the remote host in LAST_ACK state. Because of this
61039 + side-effect and to prevent intentional LAST_ACK DoSes, this
61040 + feature also adds automatic mitigation against such attacks.
61041 + The mitigation drastically reduces the amount of time a socket
61042 + can spend in LAST_ACK state. If you're using haproxy and not
61043 + all servers it connects to have this option enabled, consider
61044 + disabling this feature on the haproxy host.
61045 +
61046 + If the sysctl option is enabled, two sysctl options with names
61047 + "ip_blackhole" and "lastack_retries" will be created.
61048 + While "ip_blackhole" takes the standard zero/non-zero on/off
61049 + toggle, "lastack_retries" uses the same kinds of values as
61050 + "tcp_retries1" and "tcp_retries2". The default value of 4
61051 + prevents a socket from lasting more than 45 seconds in LAST_ACK
61052 + state.
61053 +
61054 +config GRKERNSEC_SOCKET
61055 + bool "Socket restrictions"
61056 + help
61057 + If you say Y here, you will be able to choose from several options.
61058 + If you assign a GID on your system and add it to the supplementary
61059 + groups of users you want to restrict socket access to, this patch
61060 + will perform up to three things, based on the option(s) you choose.
61061 +
61062 +config GRKERNSEC_SOCKET_ALL
61063 + bool "Deny any sockets to group"
61064 + depends on GRKERNSEC_SOCKET
61065 + help
61066 + If you say Y here, you will be able to choose a GID of whose users will
61067 + be unable to connect to other hosts from your machine or run server
61068 + applications from your machine. If the sysctl option is enabled, a
61069 + sysctl option with name "socket_all" is created.
61070 +
61071 +config GRKERNSEC_SOCKET_ALL_GID
61072 + int "GID to deny all sockets for"
61073 + depends on GRKERNSEC_SOCKET_ALL
61074 + default 1004
61075 + help
61076 + Here you can choose the GID to disable socket access for. Remember to
61077 + add the users you want socket access disabled for to the GID
61078 + specified here. If the sysctl option is enabled, a sysctl option
61079 + with name "socket_all_gid" is created.
61080 +
61081 +config GRKERNSEC_SOCKET_CLIENT
61082 + bool "Deny client sockets to group"
61083 + depends on GRKERNSEC_SOCKET
61084 + help
61085 + If you say Y here, you will be able to choose a GID of whose users will
61086 + be unable to connect to other hosts from your machine, but will be
61087 + able to run servers. If this option is enabled, all users in the group
61088 + you specify will have to use passive mode when initiating ftp transfers
61089 + from the shell on your machine. If the sysctl option is enabled, a
61090 + sysctl option with name "socket_client" is created.
61091 +
61092 +config GRKERNSEC_SOCKET_CLIENT_GID
61093 + int "GID to deny client sockets for"
61094 + depends on GRKERNSEC_SOCKET_CLIENT
61095 + default 1003
61096 + help
61097 + Here you can choose the GID to disable client socket access for.
61098 + Remember to add the users you want client socket access disabled for to
61099 + the GID specified here. If the sysctl option is enabled, a sysctl
61100 + option with name "socket_client_gid" is created.
61101 +
61102 +config GRKERNSEC_SOCKET_SERVER
61103 + bool "Deny server sockets to group"
61104 + depends on GRKERNSEC_SOCKET
61105 + help
61106 + If you say Y here, you will be able to choose a GID of whose users will
61107 + be unable to run server applications from your machine. If the sysctl
61108 + option is enabled, a sysctl option with name "socket_server" is created.
61109 +
61110 +config GRKERNSEC_SOCKET_SERVER_GID
61111 + int "GID to deny server sockets for"
61112 + depends on GRKERNSEC_SOCKET_SERVER
61113 + default 1002
61114 + help
61115 + Here you can choose the GID to disable server socket access for.
61116 + Remember to add the users you want server socket access disabled for to
61117 + the GID specified here. If the sysctl option is enabled, a sysctl
61118 + option with name "socket_server_gid" is created.
61119 +
61120 +endmenu
61121 +menu "Sysctl support"
61122 +depends on GRKERNSEC && SYSCTL
61123 +
61124 +config GRKERNSEC_SYSCTL
61125 + bool "Sysctl support"
61126 + help
61127 + If you say Y here, you will be able to change the options that
61128 + grsecurity runs with at bootup, without having to recompile your
61129 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
61130 + to enable (1) or disable (0) various features. All the sysctl entries
61131 + are mutable until the "grsec_lock" entry is set to a non-zero value.
61132 + All features enabled in the kernel configuration are disabled at boot
61133 + if you do not say Y to the "Turn on features by default" option.
61134 + All options should be set at startup, and the grsec_lock entry should
61135 + be set to a non-zero value after all the options are set.
61136 + *THIS IS EXTREMELY IMPORTANT*
61137 +
61138 +config GRKERNSEC_SYSCTL_DISTRO
61139 + bool "Extra sysctl support for distro makers (READ HELP)"
61140 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
61141 + help
61142 + If you say Y here, additional sysctl options will be created
61143 + for features that affect processes running as root. Therefore,
61144 + it is critical when using this option that the grsec_lock entry be
61145 + enabled after boot. Only distros with prebuilt kernel packages
61146 + with this option enabled that can ensure grsec_lock is enabled
61147 + after boot should use this option.
61148 + *Failure to set grsec_lock after boot makes all grsec features
61149 + this option covers useless*
61150 +
61151 + Currently this option creates the following sysctl entries:
61152 + "Disable Privileged I/O": "disable_priv_io"
61153 +
61154 +config GRKERNSEC_SYSCTL_ON
61155 + bool "Turn on features by default"
61156 + depends on GRKERNSEC_SYSCTL
61157 + help
61158 + If you say Y here, instead of having all features enabled in the
61159 + kernel configuration disabled at boot time, the features will be
61160 + enabled at boot time. It is recommended you say Y here unless
61161 + there is some reason you would want all sysctl-tunable features to
61162 + be disabled by default. As mentioned elsewhere, it is important
61163 + to enable the grsec_lock entry once you have finished modifying
61164 + the sysctl entries.
61165 +
61166 +endmenu
61167 +menu "Logging Options"
61168 +depends on GRKERNSEC
61169 +
61170 +config GRKERNSEC_FLOODTIME
61171 + int "Seconds in between log messages (minimum)"
61172 + default 10
61173 + help
61174 + This option allows you to enforce the number of seconds between
61175 + grsecurity log messages. The default should be suitable for most
61176 + people, however, if you choose to change it, choose a value small enough
61177 + to allow informative logs to be produced, but large enough to
61178 + prevent flooding.
61179 +
61180 +config GRKERNSEC_FLOODBURST
61181 + int "Number of messages in a burst (maximum)"
61182 + default 4
61183 + help
61184 + This option allows you to choose the maximum number of messages allowed
61185 + within the flood time interval you chose in a separate option. The
61186 + default should be suitable for most people, however if you find that
61187 + many of your logs are being interpreted as flooding, you may want to
61188 + raise this value.
61189 +
61190 +endmenu
61191 +
61192 +endmenu
61193 diff -urNp linux-2.6.39.2/grsecurity/Makefile linux-2.6.39.2/grsecurity/Makefile
61194 --- linux-2.6.39.2/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
61195 +++ linux-2.6.39.2/grsecurity/Makefile 2011-05-24 20:26:54.000000000 -0400
61196 @@ -0,0 +1,33 @@
61197 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
61198 +# during 2001-2009 it has been completely redesigned by Brad Spengler
61199 +# into an RBAC system
61200 +#
61201 +# All code in this directory and various hooks inserted throughout the kernel
61202 +# are copyright Brad Spengler - Open Source Security, Inc., and released
61203 +# under the GPL v2 or higher
61204 +
61205 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
61206 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
61207 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
61208 +
61209 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
61210 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
61211 + gracl_learn.o grsec_log.o
61212 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
61213 +
61214 +ifdef CONFIG_NET
61215 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
61216 +endif
61217 +
61218 +ifndef CONFIG_GRKERNSEC
61219 +obj-y += grsec_disabled.o
61220 +endif
61221 +
61222 +ifdef CONFIG_GRKERNSEC_HIDESYM
61223 +extra-y := grsec_hidesym.o
61224 +$(obj)/grsec_hidesym.o:
61225 + @-chmod -f 500 /boot
61226 + @-chmod -f 500 /lib/modules
61227 + @-chmod -f 700 .
61228 + @echo ' grsec: protected kernel image paths'
61229 +endif
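Review bot: The `$(obj)/grsec_hidesym.o` recipe changes the permissions of `/boot`, `/lib/modules` and the build directory on the build host, ignores every failure (`@-chmod -f`), and then unconditionally prints `grsec: protected kernel image paths`. When the kernel is built as an unprivileged user, or on a machine other than the target, the message is printed although nothing was protected. Printing it only on success would avoid the false assurance, e.g. `@-chmod -f 500 /boot && chmod -f 500 /lib/modules && chmod -f 700 . && echo ' grsec: protected kernel image paths'`. The recipe also never creates `grsec_hidesym.o`, so it presumably re-runs on every build; a comment above the rule saying that this is intended, and that the permissions must be re-applied on the install host, would help packagers.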
61230 diff -urNp linux-2.6.39.2/include/acpi/acpi_drivers.h linux-2.6.39.2/include/acpi/acpi_drivers.h
61231 --- linux-2.6.39.2/include/acpi/acpi_drivers.h 2011-05-19 00:06:34.000000000 -0400
61232 +++ linux-2.6.39.2/include/acpi/acpi_drivers.h 2011-05-22 19:36:32.000000000 -0400
61233 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
61234 Dock Station
61235 -------------------------------------------------------------------------- */
61236 struct acpi_dock_ops {
61237 - acpi_notify_handler handler;
61238 - acpi_notify_handler uevent;
61239 + const acpi_notify_handler handler;
61240 + const acpi_notify_handler uevent;
61241 };
61242
61243 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
61244 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
61245 extern int register_dock_notifier(struct notifier_block *nb);
61246 extern void unregister_dock_notifier(struct notifier_block *nb);
61247 extern int register_hotplug_dock_device(acpi_handle handle,
61248 - struct acpi_dock_ops *ops,
61249 + const struct acpi_dock_ops *ops,
61250 void *context);
61251 extern void unregister_hotplug_dock_device(acpi_handle handle);
61252 #else
61253 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61254 {
61255 }
61256 static inline int register_hotplug_dock_device(acpi_handle handle,
61257 - struct acpi_dock_ops *ops,
61258 + const struct acpi_dock_ops *ops,
61259 void *context)
61260 {
61261 return -ENODEV;
61262 diff -urNp linux-2.6.39.2/include/acpi/processor.h linux-2.6.39.2/include/acpi/processor.h
61263 --- linux-2.6.39.2/include/acpi/processor.h 2011-05-19 00:06:34.000000000 -0400
61264 +++ linux-2.6.39.2/include/acpi/processor.h 2011-05-22 19:36:32.000000000 -0400
61265 @@ -344,7 +344,7 @@ extern struct cpuidle_driver acpi_idle_d
61266
61267 /* in processor_thermal.c */
61268 int acpi_processor_get_limit_info(struct acpi_processor *pr);
61269 -extern struct thermal_cooling_device_ops processor_cooling_ops;
61270 +extern const struct thermal_cooling_device_ops processor_cooling_ops;
61271 #ifdef CONFIG_CPU_FREQ
61272 void acpi_thermal_cpufreq_init(void);
61273 void acpi_thermal_cpufreq_exit(void);
61274 diff -urNp linux-2.6.39.2/include/asm-generic/atomic-long.h linux-2.6.39.2/include/asm-generic/atomic-long.h
61275 --- linux-2.6.39.2/include/asm-generic/atomic-long.h 2011-05-19 00:06:34.000000000 -0400
61276 +++ linux-2.6.39.2/include/asm-generic/atomic-long.h 2011-05-22 19:36:32.000000000 -0400
61277 @@ -22,6 +22,12 @@
61278
61279 typedef atomic64_t atomic_long_t;
61280
61281 +#ifdef CONFIG_PAX_REFCOUNT
61282 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
61283 +#else
61284 +typedef atomic64_t atomic_long_unchecked_t;
61285 +#endif
61286 +
61287 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61288
61289 static inline long atomic_long_read(atomic_long_t *l)
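Review bot: The new `atomic_long_unchecked_t` typedef has no comment saying what "unchecked" means or when a caller may choose it over `atomic_long_t`. From the names, it presumably exempts a counter from the overflow detection that CONFIG_PAX_REFCOUNT adds, which makes the choice security-relevant: a real reference count converted to the unchecked type would lose that protection. I would add above the `#ifdef` something like `/* _unchecked: for counters that may legitimately wrap (statistics, sequence numbers); never use for object reference counts */`. The same comment applies to the 32-bit typedef in the `@@ -140,6 +209,12 @@` hunk.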
61290 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61291 return (long)atomic64_read(v);
61292 }
61293
61294 +#ifdef CONFIG_PAX_REFCOUNT
61295 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61296 +{
61297 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61298 +
61299 + return (long)atomic64_read_unchecked(v);
61300 +}
61301 +#endif
61302 +
61303 static inline void atomic_long_set(atomic_long_t *l, long i)
61304 {
61305 atomic64_t *v = (atomic64_t *)l;
61306 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61307 atomic64_set(v, i);
61308 }
61309
61310 +#ifdef CONFIG_PAX_REFCOUNT
61311 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61312 +{
61313 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61314 +
61315 + atomic64_set_unchecked(v, i);
61316 +}
61317 +#endif
61318 +
61319 static inline void atomic_long_inc(atomic_long_t *l)
61320 {
61321 atomic64_t *v = (atomic64_t *)l;
61322 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61323 atomic64_inc(v);
61324 }
61325
61326 +#ifdef CONFIG_PAX_REFCOUNT
61327 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61328 +{
61329 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61330 +
61331 + atomic64_inc_unchecked(v);
61332 +}
61333 +#endif
61334 +
61335 static inline void atomic_long_dec(atomic_long_t *l)
61336 {
61337 atomic64_t *v = (atomic64_t *)l;
61338 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61339 atomic64_dec(v);
61340 }
61341
61342 +#ifdef CONFIG_PAX_REFCOUNT
61343 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61344 +{
61345 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61346 +
61347 + atomic64_dec_unchecked(v);
61348 +}
61349 +#endif
61350 +
61351 static inline void atomic_long_add(long i, atomic_long_t *l)
61352 {
61353 atomic64_t *v = (atomic64_t *)l;
61354 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61355 atomic64_add(i, v);
61356 }
61357
61358 +#ifdef CONFIG_PAX_REFCOUNT
61359 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61360 +{
61361 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61362 +
61363 + atomic64_add_unchecked(i, v);
61364 +}
61365 +#endif
61366 +
61367 static inline void atomic_long_sub(long i, atomic_long_t *l)
61368 {
61369 atomic64_t *v = (atomic64_t *)l;
61370 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
61371 atomic64_sub(i, v);
61372 }
61373
61374 +#ifdef CONFIG_PAX_REFCOUNT
61375 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61376 +{
61377 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61378 +
61379 + atomic64_sub_unchecked(i, v);
61380 +}
61381 +#endif
61382 +
61383 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61384 {
61385 atomic64_t *v = (atomic64_t *)l;
61386 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
61387 return (long)atomic64_inc_return(v);
61388 }
61389
61390 +#ifdef CONFIG_PAX_REFCOUNT
61391 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61392 +{
61393 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61394 +
61395 + return (long)atomic64_inc_return_unchecked(v);
61396 +}
61397 +#endif
61398 +
61399 static inline long atomic_long_dec_return(atomic_long_t *l)
61400 {
61401 atomic64_t *v = (atomic64_t *)l;
61402 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
61403
61404 typedef atomic_t atomic_long_t;
61405
61406 +#ifdef CONFIG_PAX_REFCOUNT
61407 +typedef atomic_unchecked_t atomic_long_unchecked_t;
61408 +#else
61409 +typedef atomic_t atomic_long_unchecked_t;
61410 +#endif
61411 +
61412 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61413 static inline long atomic_long_read(atomic_long_t *l)
61414 {
61415 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
61416 return (long)atomic_read(v);
61417 }
61418
61419 +#ifdef CONFIG_PAX_REFCOUNT
61420 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61421 +{
61422 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61423 +
61424 + return (long)atomic_read_unchecked(v);
61425 +}
61426 +#endif
61427 +
61428 static inline void atomic_long_set(atomic_long_t *l, long i)
61429 {
61430 atomic_t *v = (atomic_t *)l;
61431 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
61432 atomic_set(v, i);
61433 }
61434
61435 +#ifdef CONFIG_PAX_REFCOUNT
61436 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61437 +{
61438 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61439 +
61440 + atomic_set_unchecked(v, i);
61441 +}
61442 +#endif
61443 +
61444 static inline void atomic_long_inc(atomic_long_t *l)
61445 {
61446 atomic_t *v = (atomic_t *)l;
61447 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
61448 atomic_inc(v);
61449 }
61450
61451 +#ifdef CONFIG_PAX_REFCOUNT
61452 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61453 +{
61454 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61455 +
61456 + atomic_inc_unchecked(v);
61457 +}
61458 +#endif
61459 +
61460 static inline void atomic_long_dec(atomic_long_t *l)
61461 {
61462 atomic_t *v = (atomic_t *)l;
61463 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
61464 atomic_dec(v);
61465 }
61466
61467 +#ifdef CONFIG_PAX_REFCOUNT
61468 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61469 +{
61470 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61471 +
61472 + atomic_dec_unchecked(v);
61473 +}
61474 +#endif
61475 +
61476 static inline void atomic_long_add(long i, atomic_long_t *l)
61477 {
61478 atomic_t *v = (atomic_t *)l;
61479 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
61480 atomic_add(i, v);
61481 }
61482
61483 +#ifdef CONFIG_PAX_REFCOUNT
61484 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61485 +{
61486 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61487 +
61488 + atomic_add_unchecked(i, v);
61489 +}
61490 +#endif
61491 +
61492 static inline void atomic_long_sub(long i, atomic_long_t *l)
61493 {
61494 atomic_t *v = (atomic_t *)l;
61495 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
61496 atomic_sub(i, v);
61497 }
61498
61499 +#ifdef CONFIG_PAX_REFCOUNT
61500 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61501 +{
61502 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61503 +
61504 + atomic_sub_unchecked(i, v);
61505 +}
61506 +#endif
61507 +
61508 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61509 {
61510 atomic_t *v = (atomic_t *)l;
61511 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
61512 return (long)atomic_inc_return(v);
61513 }
61514
61515 +#ifdef CONFIG_PAX_REFCOUNT
61516 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61517 +{
61518 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61519 +
61520 + return (long)atomic_inc_return_unchecked(v);
61521 +}
61522 +#endif
61523 +
61524 static inline long atomic_long_dec_return(atomic_long_t *l)
61525 {
61526 atomic_t *v = (atomic_t *)l;
61527 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
61528
61529 #endif /* BITS_PER_LONG == 64 */
61530
61531 +#ifdef CONFIG_PAX_REFCOUNT
61532 +static inline void pax_refcount_needs_these_functions(void)
61533 +{
61534 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
61535 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61536 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61537 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61538 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61539 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61540 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61541 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61542 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61543 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61544 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61545 +
61546 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61547 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61548 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61549 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
61550 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61551 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61552 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61553 +}
61554 +#else
61555 +#define atomic_read_unchecked(v) atomic_read(v)
61556 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61557 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61558 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61559 +#define atomic_inc_unchecked(v) atomic_inc(v)
61560 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61561 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61562 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61563 +#define atomic_dec_unchecked(v) atomic_dec(v)
61564 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61565 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61566 +
61567 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
61568 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61569 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61570 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
61571 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61572 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61573 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61574 +#endif
61575 +
61576 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
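Review bot: `pax_refcount_needs_these_functions()` passes a NULL pointer to every `_unchecked` accessor and has no comment, so it reads like a function that would fault if anything ever called it. It appears to exist only so the build fails when an architecture lacks one of these helpers; if that is the intent, say so directly above it: `/* Never called. Compile-time check that the architecture provides every _unchecked helper listed here. */`. It is also worth noting in the `#else` branch that the `atomic_*_unchecked` fallbacks for plain `atomic_t` are defined in this header rather than next to `atomic_t`, since an architecture header defining the same macro names would conflict (not visible from this hunk).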
61577 diff -urNp linux-2.6.39.2/include/asm-generic/cache.h linux-2.6.39.2/include/asm-generic/cache.h
61578 --- linux-2.6.39.2/include/asm-generic/cache.h 2011-05-19 00:06:34.000000000 -0400
61579 +++ linux-2.6.39.2/include/asm-generic/cache.h 2011-05-22 19:36:32.000000000 -0400
61580 @@ -6,7 +6,7 @@
61581 * cache lines need to provide their own cache.h.
61582 */
61583
61584 -#define L1_CACHE_SHIFT 5
61585 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61586 +#define L1_CACHE_SHIFT 5U
61587 +#define L1_CACHE_BYTES (1U << L1_CACHE_SHIFT)
61588
61589 #endif /* __ASM_GENERIC_CACHE_H */
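Review bot: Making `L1_CACHE_BYTES` an `unsigned int` changes the result of the common mask idiom `~(L1_CACHE_BYTES - 1)`. With the old signed `int` the mask sign-extended when combined with an `unsigned long`; as `1U` it is `0xffffffe0` and zero-extends, so `addr & ~(L1_CACHE_BYTES - 1)` would clear the upper 32 bits of a 64-bit address. Whether any user of this generic header builds such a mask is not visible here, but a long-typed constant avoids the trap: `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)` (with `<linux/const.h>`), the form this patch already uses for `PMD_SIZE` and `PUD_SIZE`. If this header is ever pulled into assembly, the bare `5U` suffix on `L1_CACHE_SHIFT` needs the same `_AC()` treatment.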
61590 diff -urNp linux-2.6.39.2/include/asm-generic/dma-mapping-common.h linux-2.6.39.2/include/asm-generic/dma-mapping-common.h
61591 --- linux-2.6.39.2/include/asm-generic/dma-mapping-common.h 2011-05-19 00:06:34.000000000 -0400
61592 +++ linux-2.6.39.2/include/asm-generic/dma-mapping-common.h 2011-05-22 19:36:32.000000000 -0400
61593 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61594 enum dma_data_direction dir,
61595 struct dma_attrs *attrs)
61596 {
61597 - struct dma_map_ops *ops = get_dma_ops(dev);
61598 + const struct dma_map_ops *ops = get_dma_ops(dev);
61599 dma_addr_t addr;
61600
61601 kmemcheck_mark_initialized(ptr, size);
61602 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61603 enum dma_data_direction dir,
61604 struct dma_attrs *attrs)
61605 {
61606 - struct dma_map_ops *ops = get_dma_ops(dev);
61607 + const struct dma_map_ops *ops = get_dma_ops(dev);
61608
61609 BUG_ON(!valid_dma_direction(dir));
61610 if (ops->unmap_page)
61611 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61612 int nents, enum dma_data_direction dir,
61613 struct dma_attrs *attrs)
61614 {
61615 - struct dma_map_ops *ops = get_dma_ops(dev);
61616 + const struct dma_map_ops *ops = get_dma_ops(dev);
61617 int i, ents;
61618 struct scatterlist *s;
61619
61620 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61621 int nents, enum dma_data_direction dir,
61622 struct dma_attrs *attrs)
61623 {
61624 - struct dma_map_ops *ops = get_dma_ops(dev);
61625 + const struct dma_map_ops *ops = get_dma_ops(dev);
61626
61627 BUG_ON(!valid_dma_direction(dir));
61628 debug_dma_unmap_sg(dev, sg, nents, dir);
61629 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61630 size_t offset, size_t size,
61631 enum dma_data_direction dir)
61632 {
61633 - struct dma_map_ops *ops = get_dma_ops(dev);
61634 + const struct dma_map_ops *ops = get_dma_ops(dev);
61635 dma_addr_t addr;
61636
61637 kmemcheck_mark_initialized(page_address(page) + offset, size);
61638 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61639 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61640 size_t size, enum dma_data_direction dir)
61641 {
61642 - struct dma_map_ops *ops = get_dma_ops(dev);
61643 + const struct dma_map_ops *ops = get_dma_ops(dev);
61644
61645 BUG_ON(!valid_dma_direction(dir));
61646 if (ops->unmap_page)
61647 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61648 size_t size,
61649 enum dma_data_direction dir)
61650 {
61651 - struct dma_map_ops *ops = get_dma_ops(dev);
61652 + const struct dma_map_ops *ops = get_dma_ops(dev);
61653
61654 BUG_ON(!valid_dma_direction(dir));
61655 if (ops->sync_single_for_cpu)
61656 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61657 dma_addr_t addr, size_t size,
61658 enum dma_data_direction dir)
61659 {
61660 - struct dma_map_ops *ops = get_dma_ops(dev);
61661 + const struct dma_map_ops *ops = get_dma_ops(dev);
61662
61663 BUG_ON(!valid_dma_direction(dir));
61664 if (ops->sync_single_for_device)
61665 @@ -139,7 +139,7 @@ static inline void
61666 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61667 int nelems, enum dma_data_direction dir)
61668 {
61669 - struct dma_map_ops *ops = get_dma_ops(dev);
61670 + const struct dma_map_ops *ops = get_dma_ops(dev);
61671
61672 BUG_ON(!valid_dma_direction(dir));
61673 if (ops->sync_sg_for_cpu)
61674 @@ -151,7 +151,7 @@ static inline void
61675 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61676 int nelems, enum dma_data_direction dir)
61677 {
61678 - struct dma_map_ops *ops = get_dma_ops(dev);
61679 + const struct dma_map_ops *ops = get_dma_ops(dev);
61680
61681 BUG_ON(!valid_dma_direction(dir));
61682 if (ops->sync_sg_for_device)
61683 diff -urNp linux-2.6.39.2/include/asm-generic/int-l64.h linux-2.6.39.2/include/asm-generic/int-l64.h
61684 --- linux-2.6.39.2/include/asm-generic/int-l64.h 2011-05-19 00:06:34.000000000 -0400
61685 +++ linux-2.6.39.2/include/asm-generic/int-l64.h 2011-05-22 19:36:32.000000000 -0400
61686 @@ -46,6 +46,8 @@ typedef unsigned int u32;
61687 typedef signed long s64;
61688 typedef unsigned long u64;
61689
61690 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61691 +
61692 #define S8_C(x) x
61693 #define U8_C(x) x ## U
61694 #define S16_C(x) x
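Review bot: `intoverflow_t` is introduced without a comment, and its definition here (`mode(TI)`, a 128-bit integer) differs from the one added in int-ll64.h (`unsigned long long`). A reader cannot tell from either hunk what property callers may rely on. If the intent is a type strictly wider than `unsigned long` so that size arithmetic can be range-checked before it is truncated, state that in both headers, e.g. `/* wider than unsigned long: compute sizes in this type and compare against ULONG_MAX before use */`. The comment should also say that the TImode form depends on compiler support for 128-bit integers on the target.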
61695 diff -urNp linux-2.6.39.2/include/asm-generic/int-ll64.h linux-2.6.39.2/include/asm-generic/int-ll64.h
61696 --- linux-2.6.39.2/include/asm-generic/int-ll64.h 2011-05-19 00:06:34.000000000 -0400
61697 +++ linux-2.6.39.2/include/asm-generic/int-ll64.h 2011-05-22 19:36:32.000000000 -0400
61698 @@ -51,6 +51,8 @@ typedef unsigned int u32;
61699 typedef signed long long s64;
61700 typedef unsigned long long u64;
61701
61702 +typedef unsigned long long intoverflow_t;
61703 +
61704 #define S8_C(x) x
61705 #define U8_C(x) x ## U
61706 #define S16_C(x) x
61707 diff -urNp linux-2.6.39.2/include/asm-generic/kmap_types.h linux-2.6.39.2/include/asm-generic/kmap_types.h
61708 --- linux-2.6.39.2/include/asm-generic/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
61709 +++ linux-2.6.39.2/include/asm-generic/kmap_types.h 2011-05-22 19:36:32.000000000 -0400
61710 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
61711 KMAP_D(17) KM_NMI,
61712 KMAP_D(18) KM_NMI_PTE,
61713 KMAP_D(19) KM_KDB,
61714 +KMAP_D(20) KM_CLEARPAGE,
61715 /*
61716 * Remember to update debug_kmap_atomic() when adding new kmap types!
61717 */
61718 -KMAP_D(20) KM_TYPE_NR
61719 +KMAP_D(21) KM_TYPE_NR
61720 };
61721
61722 #undef KMAP_D
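Review bot: `KM_CLEARPAGE` is added with no indication of which code owns the slot, directly above a comment that asks for `debug_kmap_atomic()` to be updated whenever a kmap type is added. That update is not part of this hunk, so either it happens elsewhere in the patch or the reminder is stale for this kernel version and should be dropped; the reviewer cannot tell which from here. A short trailing comment on the new entry naming its user, in the style `KMAP_D(20) KM_CLEARPAGE, /* <user of this slot> */`, would make the ownership explicit. The enum starts outside the hunk.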
61723 diff -urNp linux-2.6.39.2/include/asm-generic/pgtable.h linux-2.6.39.2/include/asm-generic/pgtable.h
61724 --- linux-2.6.39.2/include/asm-generic/pgtable.h 2011-05-19 00:06:34.000000000 -0400
61725 +++ linux-2.6.39.2/include/asm-generic/pgtable.h 2011-05-22 19:36:32.000000000 -0400
61726 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
61727 #endif /* __HAVE_ARCH_PMD_WRITE */
61728 #endif
61729
61730 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61731 +static inline unsigned long pax_open_kernel(void) { return 0; }
61732 +#endif
61733 +
61734 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61735 +static inline unsigned long pax_close_kernel(void) { return 0; }
61736 +#endif
61737 +
61738 #endif /* !__ASSEMBLY__ */
61739
61740 #endif /* _ASM_GENERIC_PGTABLE_H */
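Review bot: The two fallback stubs `pax_open_kernel()` and `pax_close_kernel()` return `unsigned long` 0 without saying what the return value means or that they are deliberate no-ops. Callers bracket writes to otherwise read-only kernel data with this pair (judging by the names), so it should be stated that on architectures without `__HAVE_ARCH_PAX_OPEN_KERNEL` the calls provide no protection. Suggested comment above the first `#ifndef`: `/* No-op fallbacks: architectures that cannot toggle kernel write protection get stubs; the return value is unused here */`. The wording about the return value needs confirming against the architecture implementations, which this hunk does not show.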
61741 diff -urNp linux-2.6.39.2/include/asm-generic/pgtable-nopmd.h linux-2.6.39.2/include/asm-generic/pgtable-nopmd.h
61742 --- linux-2.6.39.2/include/asm-generic/pgtable-nopmd.h 2011-05-19 00:06:34.000000000 -0400
61743 +++ linux-2.6.39.2/include/asm-generic/pgtable-nopmd.h 2011-05-22 19:36:32.000000000 -0400
61744 @@ -1,14 +1,19 @@
61745 #ifndef _PGTABLE_NOPMD_H
61746 #define _PGTABLE_NOPMD_H
61747
61748 -#ifndef __ASSEMBLY__
61749 -
61750 #include <asm-generic/pgtable-nopud.h>
61751
61752 -struct mm_struct;
61753 -
61754 #define __PAGETABLE_PMD_FOLDED
61755
61756 +#define PMD_SHIFT PUD_SHIFT
61757 +#define PTRS_PER_PMD 1
61758 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61759 +#define PMD_MASK (~(PMD_SIZE-1))
61760 +
61761 +#ifndef __ASSEMBLY__
61762 +
61763 +struct mm_struct;
61764 +
61765 /*
61766 * Having the pmd type consist of a pud gets the size right, and allows
61767 * us to conceptually access the pud entry that this pmd is folded into
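Review bot: `PMD_SIZE` now uses `_AC(1,UL)` and is visible to assembly, but the hunk adds no `#include <linux/const.h>`, where `_AC()` is defined. The same applies to `PUD_SIZE` in the pgtable-nopud.h section that follows. Unless an earlier include already provides it (not visible here), a `.S` file that includes either header first will fail on an undefined macro. Since pgtable-nopmd.h includes pgtable-nopud.h, one line at the top of pgtable-nopud.h covers both: `#include <linux/const.h>`. Moving the `#include <asm-generic/pgtable-nopud.h>` outside `#ifndef __ASSEMBLY__` also means that header must stay assembly-safe from now on, which deserves a one-line comment next to the include.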
61768 @@ -16,11 +21,6 @@ struct mm_struct;
61769 */
61770 typedef struct { pud_t pud; } pmd_t;
61771
61772 -#define PMD_SHIFT PUD_SHIFT
61773 -#define PTRS_PER_PMD 1
61774 -#define PMD_SIZE (1UL << PMD_SHIFT)
61775 -#define PMD_MASK (~(PMD_SIZE-1))
61776 -
61777 /*
61778 * The "pud_xxx()" functions here are trivial for a folded two-level
61779 * setup: the pmd is never bad, and a pmd always exists (as it's folded
61780 diff -urNp linux-2.6.39.2/include/asm-generic/pgtable-nopud.h linux-2.6.39.2/include/asm-generic/pgtable-nopud.h
61781 --- linux-2.6.39.2/include/asm-generic/pgtable-nopud.h 2011-05-19 00:06:34.000000000 -0400
61782 +++ linux-2.6.39.2/include/asm-generic/pgtable-nopud.h 2011-05-22 19:36:32.000000000 -0400
61783 @@ -1,10 +1,15 @@
61784 #ifndef _PGTABLE_NOPUD_H
61785 #define _PGTABLE_NOPUD_H
61786
61787 -#ifndef __ASSEMBLY__
61788 -
61789 #define __PAGETABLE_PUD_FOLDED
61790
61791 +#define PUD_SHIFT PGDIR_SHIFT
61792 +#define PTRS_PER_PUD 1
61793 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61794 +#define PUD_MASK (~(PUD_SIZE-1))
61795 +
61796 +#ifndef __ASSEMBLY__
61797 +
61798 /*
61799 * Having the pud type consist of a pgd gets the size right, and allows
61800 * us to conceptually access the pgd entry that this pud is folded into
61801 @@ -12,11 +17,6 @@
61802 */
61803 typedef struct { pgd_t pgd; } pud_t;
61804
61805 -#define PUD_SHIFT PGDIR_SHIFT
61806 -#define PTRS_PER_PUD 1
61807 -#define PUD_SIZE (1UL << PUD_SHIFT)
61808 -#define PUD_MASK (~(PUD_SIZE-1))
61809 -
61810 /*
61811 * The "pgd_xxx()" functions here are trivial for a folded two-level
61812 * setup: the pud is never bad, and a pud always exists (as it's folded
61813 diff -urNp linux-2.6.39.2/include/asm-generic/vmlinux.lds.h linux-2.6.39.2/include/asm-generic/vmlinux.lds.h
61814 --- linux-2.6.39.2/include/asm-generic/vmlinux.lds.h 2011-05-19 00:06:34.000000000 -0400
61815 +++ linux-2.6.39.2/include/asm-generic/vmlinux.lds.h 2011-05-22 19:36:32.000000000 -0400
61816 @@ -213,6 +213,7 @@
61817 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61818 VMLINUX_SYMBOL(__start_rodata) = .; \
61819 *(.rodata) *(.rodata.*) \
61820 + *(.data..read_only) \
61821 *(__vermagic) /* Kernel version magic */ \
61822 . = ALIGN(8); \
61823 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
61824 @@ -707,14 +708,15 @@
61825 * section in the linker script will go there too. @phdr should have
61826 * a leading colon.
61827 *
61828 - * Note that this macros defines __per_cpu_load as an absolute symbol.
61829 + * Note that this macros defines per_cpu_load as an absolute symbol.
61830 * If there is no need to put the percpu section at a predetermined
61831 * address, use PERCPU().
61832 */
61833 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
61834 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
61835 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
61836 + per_cpu_load = .; \
61837 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
61838 - LOAD_OFFSET) { \
61839 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
61840 VMLINUX_SYMBOL(__per_cpu_start) = .; \
61841 *(.data..percpu..first) \
61842 . = ALIGN(PAGE_SIZE); \
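Review bot: `PERCPU_VADDR` now assigns the bare symbol `per_cpu_load = .;` but reads it back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and again in the next hunk (`. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);`), while the `__per_cpu_load` line uses the bare name once more. On an architecture where `VMLINUX_SYMBOL()` adds a prefix these are two different symbols, and the link would fail or pick up an undefined value. Use one spelling throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .; \` and `VMLINUX_SYMBOL(__per_cpu_load) = . + VMLINUX_SYMBOL(per_cpu_load); \`. The macro body continues outside this hunk.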
61843 @@ -726,7 +728,7 @@
61844 *(.data..percpu..shared_aligned) \
61845 VMLINUX_SYMBOL(__per_cpu_end) = .; \
61846 } phdr \
61847 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
61848 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
61849
61850 /**
61851 * PERCPU - define output section for percpu area, simple version
61852 diff -urNp linux-2.6.39.2/include/drm/drmP.h linux-2.6.39.2/include/drm/drmP.h
61853 --- linux-2.6.39.2/include/drm/drmP.h 2011-05-19 00:06:34.000000000 -0400
61854 +++ linux-2.6.39.2/include/drm/drmP.h 2011-05-22 19:41:42.000000000 -0400
61855 @@ -73,6 +73,7 @@
61856 #include <linux/workqueue.h>
61857 #include <linux/poll.h>
61858 #include <asm/pgalloc.h>
61859 +#include <asm/local.h>
61860 #include "drm.h"
61861
61862 #include <linux/idr.h>
61863 @@ -908,7 +909,7 @@ struct drm_driver {
61864 uint32_t handle);
61865
61866 /* Driver private ops for this object */
61867 - struct vm_operations_struct *gem_vm_ops;
61868 + const struct vm_operations_struct *gem_vm_ops;
61869
61870 int major;
61871 int minor;
61872 @@ -1023,7 +1024,7 @@ struct drm_device {
61873
61874 /** \name Usage Counters */
61875 /*@{ */
61876 - int open_count; /**< Outstanding files open */
61877 + local_t open_count; /**< Outstanding files open */
61878 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
61879 atomic_t vma_count; /**< Outstanding vma areas open */
61880 int buf_use; /**< Buffers in use -- cannot alloc */
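Review bot: `open_count` becomes a `local_t`, whose operations are atomic only with respect to the CPU they run on, yet a device's open count is not per-CPU data. If the field was safe as a plain `int` because a lock serialises every access, `local_t` adds nothing; if some access is unlocked, `local_t` does not make it SMP-safe. The neighbouring `ioctl_count` and `vma_count` are `atomic_t`, so either `atomic_t open_count;` or a comment naming the lock that protects the field would be clearer. The locking is not visible here, and `struct drm_device` begins and ends outside the hunk.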
61881 @@ -1034,7 +1035,7 @@ struct drm_device {
61882 /*@{ */
61883 unsigned long counters;
61884 enum drm_stat_type types[15];
61885 - atomic_t counts[15];
61886 + atomic_unchecked_t counts[15];
61887 /*@} */
61888
61889 struct list_head filelist;
61890 diff -urNp linux-2.6.39.2/include/linux/a.out.h linux-2.6.39.2/include/linux/a.out.h
61891 --- linux-2.6.39.2/include/linux/a.out.h 2011-05-19 00:06:34.000000000 -0400
61892 +++ linux-2.6.39.2/include/linux/a.out.h 2011-05-22 19:36:32.000000000 -0400
61893 @@ -39,6 +39,14 @@ enum machine_type {
61894 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
61895 };
61896
61897 +/* Constants for the N_FLAGS field */
61898 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
61899 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
61900 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
61901 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
61902 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
61903 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
61904 +
61905 #if !defined (N_MAGIC)
61906 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
61907 #endif
61908 diff -urNp linux-2.6.39.2/include/linux/atmdev.h linux-2.6.39.2/include/linux/atmdev.h
61909 --- linux-2.6.39.2/include/linux/atmdev.h 2011-05-19 00:06:34.000000000 -0400
61910 +++ linux-2.6.39.2/include/linux/atmdev.h 2011-05-22 19:36:32.000000000 -0400
61911 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
61912 #endif
61913
61914 struct k_atm_aal_stats {
61915 -#define __HANDLE_ITEM(i) atomic_t i
61916 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
61917 __AAL_STAT_ITEMS
61918 #undef __HANDLE_ITEM
61919 };
61920 diff -urNp linux-2.6.39.2/include/linux/binfmts.h linux-2.6.39.2/include/linux/binfmts.h
61921 --- linux-2.6.39.2/include/linux/binfmts.h 2011-05-19 00:06:34.000000000 -0400
61922 +++ linux-2.6.39.2/include/linux/binfmts.h 2011-05-22 19:36:32.000000000 -0400
61923 @@ -92,6 +92,7 @@ struct linux_binfmt {
61924 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
61925 int (*load_shlib)(struct file *);
61926 int (*core_dump)(struct coredump_params *cprm);
61927 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
61928 unsigned long min_coredump; /* minimal dump size */
61929 };
61930
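Review bot: The new `handle_mprotect` member of `struct linux_binfmt` is added without a comment on when it may be NULL or what the caller holds when invoking it. Binary formats that use designated initialisers will leave it NULL, so every call site (outside this hunk) has to test the pointer first. A short comment would make that contract explicit, e.g. `/* optional, may be NULL: hook run when a mapping's protection flags change */`, with the wording confirmed against the caller. The locking expectation, presumably mmap_sem held for write, should be confirmed and stated as well.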
61931 diff -urNp linux-2.6.39.2/include/linux/blkdev.h linux-2.6.39.2/include/linux/blkdev.h
61932 --- linux-2.6.39.2/include/linux/blkdev.h 2011-06-03 00:04:14.000000000 -0400
61933 +++ linux-2.6.39.2/include/linux/blkdev.h 2011-06-03 00:32:08.000000000 -0400
61934 @@ -1292,22 +1292,22 @@ queue_max_integrity_segments(struct requ
61935 #endif /* CONFIG_BLK_DEV_INTEGRITY */
61936
61937 struct block_device_operations {
61938 - int (*open) (struct block_device *, fmode_t);
61939 - int (*release) (struct gendisk *, fmode_t);
61940 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61941 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61942 - int (*direct_access) (struct block_device *, sector_t,
61943 + int (* const open) (struct block_device *, fmode_t);
61944 + int (* const release) (struct gendisk *, fmode_t);
61945 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61946 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
61947 + int (* const direct_access) (struct block_device *, sector_t,
61948 void **, unsigned long *);
61949 - unsigned int (*check_events) (struct gendisk *disk,
61950 + unsigned int (* const check_events) (struct gendisk *disk,
61951 unsigned int clearing);
61952 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
61953 - int (*media_changed) (struct gendisk *);
61954 - void (*unlock_native_capacity) (struct gendisk *);
61955 - int (*revalidate_disk) (struct gendisk *);
61956 - int (*getgeo)(struct block_device *, struct hd_geometry *);
61957 + int (* const media_changed) (struct gendisk *);
61958 + void (* const unlock_native_capacity) (struct gendisk *);
61959 + int (* const revalidate_disk) (struct gendisk *);
61960 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
61961 /* this callback is with swap_lock and sometimes page table lock held */
61962 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
61963 - struct module *owner;
61964 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
61965 + struct module * const owner;
61966 };
61967
61968 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
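Review bot: `struct block_device_operations` now has every member `const`, but nothing at the definition tells driver authors that an instance can no longer be filled in or patched at run time. A one-line comment above the struct would do, e.g. `/* all members are const: initialise instances statically; run-time assignment will not compile */`. The qualifier is a compile-time restriction; whether a given instance also ends up in read-only memory depends on how that instance is declared, which this hunk does not show. The same comment is missing on `address_space_operations`, `file_lock_operations`, `lock_manager_operations` and `super_operations` in the fs.h hunks of this patch.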
61969 diff -urNp linux-2.6.39.2/include/linux/blktrace_api.h linux-2.6.39.2/include/linux/blktrace_api.h
61970 --- linux-2.6.39.2/include/linux/blktrace_api.h 2011-05-19 00:06:34.000000000 -0400
61971 +++ linux-2.6.39.2/include/linux/blktrace_api.h 2011-05-22 19:36:32.000000000 -0400
61972 @@ -161,7 +161,7 @@ struct blk_trace {
61973 struct dentry *dir;
61974 struct dentry *dropped_file;
61975 struct dentry *msg_file;
61976 - atomic_t dropped;
61977 + atomic_unchecked_t dropped;
61978 };
61979
61980 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
61981 diff -urNp linux-2.6.39.2/include/linux/byteorder/little_endian.h linux-2.6.39.2/include/linux/byteorder/little_endian.h
61982 --- linux-2.6.39.2/include/linux/byteorder/little_endian.h 2011-05-19 00:06:34.000000000 -0400
61983 +++ linux-2.6.39.2/include/linux/byteorder/little_endian.h 2011-05-22 19:36:32.000000000 -0400
61984 @@ -42,51 +42,51 @@
61985
61986 static inline __le64 __cpu_to_le64p(const __u64 *p)
61987 {
61988 - return (__force __le64)*p;
61989 + return (__force const __le64)*p;
61990 }
61991 static inline __u64 __le64_to_cpup(const __le64 *p)
61992 {
61993 - return (__force __u64)*p;
61994 + return (__force const __u64)*p;
61995 }
61996 static inline __le32 __cpu_to_le32p(const __u32 *p)
61997 {
61998 - return (__force __le32)*p;
61999 + return (__force const __le32)*p;
62000 }
62001 static inline __u32 __le32_to_cpup(const __le32 *p)
62002 {
62003 - return (__force __u32)*p;
62004 + return (__force const __u32)*p;
62005 }
62006 static inline __le16 __cpu_to_le16p(const __u16 *p)
62007 {
62008 - return (__force __le16)*p;
62009 + return (__force const __le16)*p;
62010 }
62011 static inline __u16 __le16_to_cpup(const __le16 *p)
62012 {
62013 - return (__force __u16)*p;
62014 + return (__force const __u16)*p;
62015 }
62016 static inline __be64 __cpu_to_be64p(const __u64 *p)
62017 {
62018 - return (__force __be64)__swab64p(p);
62019 + return (__force const __be64)__swab64p(p);
62020 }
62021 static inline __u64 __be64_to_cpup(const __be64 *p)
62022 {
62023 - return __swab64p((__u64 *)p);
62024 + return __swab64p((const __u64 *)p);
62025 }
62026 static inline __be32 __cpu_to_be32p(const __u32 *p)
62027 {
62028 - return (__force __be32)__swab32p(p);
62029 + return (__force const __be32)__swab32p(p);
62030 }
62031 static inline __u32 __be32_to_cpup(const __be32 *p)
62032 {
62033 - return __swab32p((__u32 *)p);
62034 + return __swab32p((const __u32 *)p);
62035 }
62036 static inline __be16 __cpu_to_be16p(const __u16 *p)
62037 {
62038 - return (__force __be16)__swab16p(p);
62039 + return (__force const __be16)__swab16p(p);
62040 }
62041 static inline __u16 __be16_to_cpup(const __be16 *p)
62042 {
62043 - return __swab16p((__u16 *)p);
62044 + return __swab16p((const __u16 *)p);
62045 }
62046 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
62047 #define __le64_to_cpus(x) do { (void)(x); } while (0)
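Review bot: The `const` added to the value casts, as in `return (__force const __le64)*p;`, has no effect for the compiler, because a cast yields an rvalue and qualifiers on its type are discarded. The changes that do matter are the pointer casts in the `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup` helpers, e.g. `(const __u64 *)p`, which stop the cast from dropping the `const` of the parameter. If the value-cast `const` is there for a static checker rather than the compiler, a comment should say so; otherwise those lines can stay as `(__force __le64)*p`.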
62048 diff -urNp linux-2.6.39.2/include/linux/cache.h linux-2.6.39.2/include/linux/cache.h
62049 --- linux-2.6.39.2/include/linux/cache.h 2011-05-19 00:06:34.000000000 -0400
62050 +++ linux-2.6.39.2/include/linux/cache.h 2011-05-22 19:36:32.000000000 -0400
62051 @@ -16,6 +16,10 @@
62052 #define __read_mostly
62053 #endif
62054
62055 +#ifndef __read_only
62056 +#define __read_only __read_mostly
62057 +#endif
62058 +
62059 #ifndef ____cacheline_aligned
62060 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
62061 #endif
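Review bot: The fallback `#define __read_only __read_mostly` silently downgrades the annotation on any architecture that does not supply its own `__read_only`, so data marked that way stays writable there with no build-time indication. A comment at the fallback should state this, e.g. `/* no arch support: __read_only data is only grouped, not write-protected */`. Which architectures provide a real definition is outside this hunk.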
62062 diff -urNp linux-2.6.39.2/include/linux/capability.h linux-2.6.39.2/include/linux/capability.h
62063 --- linux-2.6.39.2/include/linux/capability.h 2011-05-19 00:06:34.000000000 -0400
62064 +++ linux-2.6.39.2/include/linux/capability.h 2011-05-22 21:02:47.000000000 -0400
62065 @@ -547,6 +547,9 @@ extern bool capable(int cap);
62066 extern bool ns_capable(struct user_namespace *ns, int cap);
62067 extern bool task_ns_capable(struct task_struct *t, int cap);
62068 extern bool nsown_capable(int cap);
62069 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
62070 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
62071 +extern bool capable_nolog(int cap);
62072
62073 /* audit system wants to get cap info from files as well */
62074 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
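Review bot: The three `*_nolog` prototypes are added without a comment saying how they differ from `capable()`, `ns_capable()` and `task_ns_capable()` declared just above. From the names they presumably perform the same capability test and only skip a log or audit record; if so, state that the access decision is identical, e.g. `/* same check as capable(), without logging */`, so that callers do not mistake them for a weaker test. The definitions are outside this hunk, so the wording needs confirming against them.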
62075 diff -urNp linux-2.6.39.2/include/linux/compiler-gcc4.h linux-2.6.39.2/include/linux/compiler-gcc4.h
62076 --- linux-2.6.39.2/include/linux/compiler-gcc4.h 2011-05-19 00:06:34.000000000 -0400
62077 +++ linux-2.6.39.2/include/linux/compiler-gcc4.h 2011-05-22 19:36:32.000000000 -0400
62078 @@ -46,6 +46,11 @@
62079 #define __noclone __attribute__((__noclone__))
62080
62081 #endif
62082 +
62083 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
62084 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
62085 +#define __bos0(ptr) __bos((ptr), 0)
62086 +#define __bos1(ptr) __bos((ptr), 1)
62087 #endif
62088
62089 #if __GNUC_MINOR__ > 0
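Review bot: `__alloc_size` is written with `__attribute((alloc_size(...)))`, while the definition two lines above it in the same file uses the `__attribute__((__noclone__))` spelling. Matching that style also keeps the attribute name clear of user macros: `#define __alloc_size(...) __attribute__((__alloc_size__(__VA_ARGS__)))`. The enclosing `#if` opens outside the hunk, so the compiler version these macros are guarded by cannot be checked from here.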
62090 diff -urNp linux-2.6.39.2/include/linux/compiler.h linux-2.6.39.2/include/linux/compiler.h
62091 --- linux-2.6.39.2/include/linux/compiler.h 2011-05-19 00:06:34.000000000 -0400
62092 +++ linux-2.6.39.2/include/linux/compiler.h 2011-05-22 19:36:32.000000000 -0400
62093 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
62094 #define __cold
62095 #endif
62096
62097 +#ifndef __alloc_size
62098 +#define __alloc_size
62099 +#endif
62100 +
62101 +#ifndef __bos
62102 +#define __bos
62103 +#endif
62104 +
62105 +#ifndef __bos0
62106 +#define __bos0
62107 +#endif
62108 +
62109 +#ifndef __bos1
62110 +#define __bos1
62111 +#endif
62112 +
62113 /* Simple shorthand for a section definition */
62114 #ifndef __section
62115 # define __section(S) __attribute__ ((__section__(#S)))
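Review bot: The fallbacks `#define __alloc_size`, `#define __bos`, `#define __bos0` and `#define __bos1` are object-like and empty, but the compiler-gcc4.h versions in this patch are function-like, so on a compiler that takes the fallback the argument list is left in the source. `__alloc_size(1)` after a declarator then leaves a stray `(1)`, and `__bos0(p)` evaluates to `(p)`, the pointer itself, instead of a size. The fallbacks should take the same parameters, e.g. `#define __alloc_size(...)` and `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0(ptr)` and `__bos1(ptr)` defined the same way. `(size_t)-1` is what `__builtin_object_size` reports for an unknown size in modes 0 and 1.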
62116 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
62117 * use is to mediate communication between process-level code and irq/NMI
62118 * handlers, all running on the same CPU.
62119 */
62120 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
62121 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
62122 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
62123
62124 #endif /* __LINUX_COMPILER_H */
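Review bot: `ACCESS_ONCE()` becomes read-only here, yet the comment block that ends just above it still describes a single macro and does not mention `ACCESS_ONCE_RW()`. Add a line to that comment, e.g. `* ACCESS_ONCE() yields a const lvalue; use ACCESS_ONCE_RW() when the access is a store.`, so that a failed build on `ACCESS_ONCE(x) = v` points the reader at the right macro. The comment starts outside the hunk.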
62125 diff -urNp linux-2.6.39.2/include/linux/concap.h linux-2.6.39.2/include/linux/concap.h
62126 --- linux-2.6.39.2/include/linux/concap.h 2011-05-19 00:06:34.000000000 -0400
62127 +++ linux-2.6.39.2/include/linux/concap.h 2011-05-22 19:36:32.000000000 -0400
62128 @@ -30,7 +30,7 @@ struct concap_device_ops;
62129 struct concap_proto{
62130 struct net_device *net_dev; /* net device using our service */
62131 struct concap_device_ops *dops; /* callbacks provided by device */
62132 - struct concap_proto_ops *pops; /* callbacks provided by us */
62133 + const struct concap_proto_ops *pops; /* callbacks provided by us */
62134 spinlock_t lock;
62135 int flags;
62136 void *proto_data; /* protocol specific private data, to
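Review bot: Only `pops` is made `const` in `struct concap_proto`; `dops`, the other callback-table pointer on the line above, keeps a non-const target with no comment explaining the difference. If `struct concap_device_ops` instances are never modified after initialisation, `const struct concap_device_ops *dops;` would give both the same protection; if some user does write through it, note that next to the member. The configfs.h hunk has the same asymmetry between `ct_group_ops` and `ct_item_ops`. The users of both structs are outside these hunks.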
62137 diff -urNp linux-2.6.39.2/include/linux/configfs.h linux-2.6.39.2/include/linux/configfs.h
62138 --- linux-2.6.39.2/include/linux/configfs.h 2011-05-19 00:06:34.000000000 -0400
62139 +++ linux-2.6.39.2/include/linux/configfs.h 2011-05-22 19:36:32.000000000 -0400
62140 @@ -82,7 +82,7 @@ extern void config_item_put(struct confi
62141 struct config_item_type {
62142 struct module *ct_owner;
62143 struct configfs_item_operations *ct_item_ops;
62144 - struct configfs_group_operations *ct_group_ops;
62145 + const struct configfs_group_operations *ct_group_ops;
62146 struct configfs_attribute **ct_attrs;
62147 };
62148
62149 diff -urNp linux-2.6.39.2/include/linux/cpuset.h linux-2.6.39.2/include/linux/cpuset.h
62150 --- linux-2.6.39.2/include/linux/cpuset.h 2011-05-19 00:06:34.000000000 -0400
62151 +++ linux-2.6.39.2/include/linux/cpuset.h 2011-05-22 19:36:32.000000000 -0400
62152 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
62153 * nodemask.
62154 */
62155 smp_mb();
62156 - --ACCESS_ONCE(current->mems_allowed_change_disable);
62157 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
62158 }
62159
62160 static inline void set_mems_allowed(nodemask_t nodemask)
62161 diff -urNp linux-2.6.39.2/include/linux/dca.h linux-2.6.39.2/include/linux/dca.h
62162 --- linux-2.6.39.2/include/linux/dca.h 2011-05-19 00:06:34.000000000 -0400
62163 +++ linux-2.6.39.2/include/linux/dca.h 2011-05-22 19:36:32.000000000 -0400
62164 @@ -34,7 +34,7 @@ void dca_unregister_notify(struct notifi
62165
62166 struct dca_provider {
62167 struct list_head node;
62168 - struct dca_ops *ops;
62169 + const struct dca_ops *ops;
62170 struct device *cd;
62171 int id;
62172 };
62173 @@ -53,7 +53,7 @@ struct dca_ops {
62174 int (*dev_managed) (struct dca_provider *, struct device *);
62175 };
62176
62177 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size);
62178 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size);
62179 void free_dca_provider(struct dca_provider *dca);
62180 int register_dca_provider(struct dca_provider *dca, struct device *dev);
62181 void unregister_dca_provider(struct dca_provider *dca, struct device *dev);
62182 diff -urNp linux-2.6.39.2/include/linux/decompress/mm.h linux-2.6.39.2/include/linux/decompress/mm.h
62183 --- linux-2.6.39.2/include/linux/decompress/mm.h 2011-05-19 00:06:34.000000000 -0400
62184 +++ linux-2.6.39.2/include/linux/decompress/mm.h 2011-05-22 19:36:33.000000000 -0400
62185 @@ -77,7 +77,7 @@ static void free(void *where)
62186 * warnings when not needed (indeed large_malloc / large_free are not
62187 * needed by inflate */
62188
62189 -#define malloc(a) kmalloc(a, GFP_KERNEL)
62190 +#define malloc(a) kmalloc((a), GFP_KERNEL)
62191 #define free(a) kfree(a)
62192
62193 #define large_malloc(a) vmalloc(a)
62194 diff -urNp linux-2.6.39.2/include/linux/dma-mapping.h linux-2.6.39.2/include/linux/dma-mapping.h
62195 --- linux-2.6.39.2/include/linux/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
62196 +++ linux-2.6.39.2/include/linux/dma-mapping.h 2011-05-22 19:36:33.000000000 -0400
62197 @@ -16,40 +16,40 @@ enum dma_data_direction {
62198 };
62199
62200 struct dma_map_ops {
62201 - void* (*alloc_coherent)(struct device *dev, size_t size,
62202 + void* (* const alloc_coherent)(struct device *dev, size_t size,
62203 dma_addr_t *dma_handle, gfp_t gfp);
62204 - void (*free_coherent)(struct device *dev, size_t size,
62205 + void (* const free_coherent)(struct device *dev, size_t size,
62206 void *vaddr, dma_addr_t dma_handle);
62207 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
62208 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
62209 unsigned long offset, size_t size,
62210 enum dma_data_direction dir,
62211 struct dma_attrs *attrs);
62212 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
62213 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
62214 size_t size, enum dma_data_direction dir,
62215 struct dma_attrs *attrs);
62216 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
62217 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
62218 int nents, enum dma_data_direction dir,
62219 struct dma_attrs *attrs);
62220 - void (*unmap_sg)(struct device *dev,
62221 + void (* const unmap_sg)(struct device *dev,
62222 struct scatterlist *sg, int nents,
62223 enum dma_data_direction dir,
62224 struct dma_attrs *attrs);
62225 - void (*sync_single_for_cpu)(struct device *dev,
62226 + void (* const sync_single_for_cpu)(struct device *dev,
62227 dma_addr_t dma_handle, size_t size,
62228 enum dma_data_direction dir);
62229 - void (*sync_single_for_device)(struct device *dev,
62230 + void (* const sync_single_for_device)(struct device *dev,
62231 dma_addr_t dma_handle, size_t size,
62232 enum dma_data_direction dir);
62233 - void (*sync_sg_for_cpu)(struct device *dev,
62234 + void (* const sync_sg_for_cpu)(struct device *dev,
62235 struct scatterlist *sg, int nents,
62236 enum dma_data_direction dir);
62237 - void (*sync_sg_for_device)(struct device *dev,
62238 + void (* const sync_sg_for_device)(struct device *dev,
62239 struct scatterlist *sg, int nents,
62240 enum dma_data_direction dir);
62241 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
62242 - int (*dma_supported)(struct device *dev, u64 mask);
62243 - int (*set_dma_mask)(struct device *dev, u64 mask);
62244 - int is_phys;
62245 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
62246 + int (* const dma_supported)(struct device *dev, u64 mask);
62247 + int (* set_dma_mask)(struct device *dev, u64 mask);
62248 + const int is_phys;
62249 };
62250
62251 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
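Review bot: `set_dma_mask` is the one callback in `struct dma_map_ops` left without `const` (`int (* set_dma_mask)(...)`), and nothing says whether that is deliberate. If some architecture assigns this pointer at run time, record it at the member, e.g. `/* not const: assigned at run time by <arch code> */`; if not, it should read `int (* const set_dma_mask)(struct device *dev, u64 mask);` like its neighbours. As written, the remaining writable pointer is easy to miss in review.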
62252 diff -urNp linux-2.6.39.2/include/linux/elf.h linux-2.6.39.2/include/linux/elf.h
62253 --- linux-2.6.39.2/include/linux/elf.h 2011-05-19 00:06:34.000000000 -0400
62254 +++ linux-2.6.39.2/include/linux/elf.h 2011-05-22 19:36:33.000000000 -0400
62255 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62256 #define PT_GNU_EH_FRAME 0x6474e550
62257
62258 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62259 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62260 +
62261 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62262 +
62263 +/* Constants for the e_flags field */
62264 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62265 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62266 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62267 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62268 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62269 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62270
62271 /*
62272 * Extended Numbering
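Review bot: The `EF_PAX_*` block is headed `/* Constants for the e_flags field */`, but a later hunk in this file adds `EI_PAX`, an index into `e_ident[]`, which suggests these bits may be read from the identification bytes rather than from `e_flags`. The loader code that consumes them is outside this view, so this needs checking; if they are read from `e_ident[EI_PAX]`, the heading should say so. The commented-out `EF_PAX_RANDEXEC 16` would also be clearer as a plain comment such as `/* 16: EF_PAX_RANDEXEC, unused */`.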
62273 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
62274 #define DT_DEBUG 21
62275 #define DT_TEXTREL 22
62276 #define DT_JMPREL 23
62277 +#define DT_FLAGS 30
62278 + #define DF_TEXTREL 0x00000004
62279 #define DT_ENCODING 32
62280 #define OLD_DT_LOOS 0x60000000
62281 #define DT_LOOS 0x6000000d
62282 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
62283 #define PF_W 0x2
62284 #define PF_X 0x1
62285
62286 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62287 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62288 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62289 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62290 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62291 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62292 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62293 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62294 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62295 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62296 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62297 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62298 +
62299 typedef struct elf32_phdr{
62300 Elf32_Word p_type;
62301 Elf32_Off p_offset;
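Review bot: The `PF_*`/`PF_NO*` pairs give every feature an enable bit and a disable bit, but the header does not say what a program header with both bits set, or with neither, means. Since these flags decide whether a mitigation is applied to a binary, the resolution rule belongs next to the definitions, e.g. `/* both or neither bit of a pair set: <rule applied by the loader> */`. The parsing code is outside this hunk, so the rule itself has to be taken from there.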
62302 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
62303 #define EI_OSABI 7
62304 #define EI_PAD 8
62305
62306 +#define EI_PAX 14
62307 +
62308 #define ELFMAG0 0x7f /* EI_MAG */
62309 #define ELFMAG1 'E'
62310 #define ELFMAG2 'L'
62311 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
62312 #define elf_note elf32_note
62313 #define elf_addr_t Elf32_Off
62314 #define Elf_Half Elf32_Half
62315 +#define elf_dyn Elf32_Dyn
62316
62317 #else
62318
62319 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
62320 #define elf_note elf64_note
62321 #define elf_addr_t Elf64_Off
62322 #define Elf_Half Elf64_Half
62323 +#define elf_dyn Elf64_Dyn
62324
62325 #endif
62326
62327 diff -urNp linux-2.6.39.2/include/linux/enclosure.h linux-2.6.39.2/include/linux/enclosure.h
62328 --- linux-2.6.39.2/include/linux/enclosure.h 2011-05-19 00:06:34.000000000 -0400
62329 +++ linux-2.6.39.2/include/linux/enclosure.h 2011-05-22 19:36:33.000000000 -0400
62330 @@ -98,7 +98,7 @@ struct enclosure_device {
62331 void *scratch;
62332 struct list_head node;
62333 struct device edev;
62334 - struct enclosure_component_callbacks *cb;
62335 + const struct enclosure_component_callbacks *cb;
62336 int components;
62337 struct enclosure_component component[0];
62338 };
62339 diff -urNp linux-2.6.39.2/include/linux/fscache-cache.h linux-2.6.39.2/include/linux/fscache-cache.h
62340 --- linux-2.6.39.2/include/linux/fscache-cache.h 2011-05-19 00:06:34.000000000 -0400
62341 +++ linux-2.6.39.2/include/linux/fscache-cache.h 2011-05-22 19:36:33.000000000 -0400
62342 @@ -113,7 +113,7 @@ struct fscache_operation {
62343 #endif
62344 };
62345
62346 -extern atomic_t fscache_op_debug_id;
62347 +extern atomic_unchecked_t fscache_op_debug_id;
62348 extern void fscache_op_work_func(struct work_struct *work);
62349
62350 extern void fscache_enqueue_operation(struct fscache_operation *);
62351 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
62352 {
62353 INIT_WORK(&op->work, fscache_op_work_func);
62354 atomic_set(&op->usage, 1);
62355 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62356 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62357 op->processor = processor;
62358 op->release = release;
62359 INIT_LIST_HEAD(&op->pend_link);
62360 diff -urNp linux-2.6.39.2/include/linux/fs.h linux-2.6.39.2/include/linux/fs.h
62361 --- linux-2.6.39.2/include/linux/fs.h 2011-05-19 00:06:34.000000000 -0400
62362 +++ linux-2.6.39.2/include/linux/fs.h 2011-05-22 19:41:42.000000000 -0400
62363 @@ -108,6 +108,11 @@ struct inodes_stat_t {
62364 /* File was opened by fanotify and shouldn't generate fanotify events */
62365 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
62366
62367 +/* Hack for grsec so as not to require read permission simply to execute
62368 + * a binary
62369 + */
62370 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62371 +
62372 /*
62373 * The below are the various read and write types that we support. Some of
62374 * them include behavioral modifiers that send information down to the
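Review bot: The comment on `FMODE_GREXEC` says what the flag is for but not who may set it. Because the flag relaxes a read-permission requirement, the comment should state that it is kernel-internal, e.g. `/* set only by the exec path when opening a binary; never accepted from userspace open flags */`. Whether that holds has to be confirmed against the code that sets and tests the flag, which is outside this hunk. The value `0x2000000` is the bit directly after `FMODE_NONOTIFY`, so it can also collide with a later upstream `FMODE_*` addition.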
62375 @@ -575,41 +580,41 @@ typedef int (*read_actor_t)(read_descrip
62376 unsigned long, unsigned long);
62377
62378 struct address_space_operations {
62379 - int (*writepage)(struct page *page, struct writeback_control *wbc);
62380 - int (*readpage)(struct file *, struct page *);
62381 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
62382 + int (* const readpage)(struct file *, struct page *);
62383
62384 /* Write back some dirty pages from this mapping. */
62385 - int (*writepages)(struct address_space *, struct writeback_control *);
62386 + int (* const writepages)(struct address_space *, struct writeback_control *);
62387
62388 /* Set a page dirty. Return true if this dirtied it */
62389 - int (*set_page_dirty)(struct page *page);
62390 + int (* const set_page_dirty)(struct page *page);
62391
62392 - int (*readpages)(struct file *filp, struct address_space *mapping,
62393 + int (* const readpages)(struct file *filp, struct address_space *mapping,
62394 struct list_head *pages, unsigned nr_pages);
62395
62396 - int (*write_begin)(struct file *, struct address_space *mapping,
62397 + int (* const write_begin)(struct file *, struct address_space *mapping,
62398 loff_t pos, unsigned len, unsigned flags,
62399 struct page **pagep, void **fsdata);
62400 - int (*write_end)(struct file *, struct address_space *mapping,
62401 + int (* const write_end)(struct file *, struct address_space *mapping,
62402 loff_t pos, unsigned len, unsigned copied,
62403 struct page *page, void *fsdata);
62404
62405 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62406 - sector_t (*bmap)(struct address_space *, sector_t);
62407 - void (*invalidatepage) (struct page *, unsigned long);
62408 - int (*releasepage) (struct page *, gfp_t);
62409 - void (*freepage)(struct page *);
62410 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62411 + sector_t (* const bmap)(struct address_space *, sector_t);
62412 + void (* const invalidatepage) (struct page *, unsigned long);
62413 + int (* const releasepage) (struct page *, gfp_t);
62414 + void (* const freepage)(struct page *);
62415 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62416 loff_t offset, unsigned long nr_segs);
62417 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62418 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62419 void **, unsigned long *);
62420 /* migrate the contents of a page to the specified target */
62421 - int (*migratepage) (struct address_space *,
62422 + int (* const migratepage) (struct address_space *,
62423 struct page *, struct page *);
62424 - int (*launder_page) (struct page *);
62425 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62426 + int (* const launder_page) (struct page *);
62427 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62428 unsigned long);
62429 - int (*error_remove_page)(struct address_space *, struct page *);
62430 + int (* const error_remove_page)(struct address_space *, struct page *);
62431 };
62432
62433 extern const struct address_space_operations empty_aops;
62434 @@ -1060,17 +1065,17 @@ static inline int file_check_writeable(s
62435 typedef struct files_struct *fl_owner_t;
62436
62437 struct file_lock_operations {
62438 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62439 - void (*fl_release_private)(struct file_lock *);
62440 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62441 + void (* const fl_release_private)(struct file_lock *);
62442 };
62443
62444 struct lock_manager_operations {
62445 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62446 - void (*fl_notify)(struct file_lock *); /* unblock callback */
62447 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62448 - void (*fl_release_private)(struct file_lock *);
62449 - void (*fl_break)(struct file_lock *);
62450 - int (*fl_change)(struct file_lock **, int);
62451 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62452 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
62453 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62454 + void (* const fl_release_private)(struct file_lock *);
62455 + void (* const fl_break)(struct file_lock *);
62456 + int (* const fl_change)(struct file_lock **, int);
62457 };
62458
62459 struct lock_manager {
62460 @@ -1611,31 +1616,31 @@ extern ssize_t vfs_writev(struct file *,
62461 unsigned long, loff_t *);
62462
62463 struct super_operations {
62464 - struct inode *(*alloc_inode)(struct super_block *sb);
62465 - void (*destroy_inode)(struct inode *);
62466 + struct inode *(* const alloc_inode)(struct super_block *sb);
62467 + void (* const destroy_inode)(struct inode *);
62468
62469 - void (*dirty_inode) (struct inode *);
62470 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
62471 - int (*drop_inode) (struct inode *);
62472 - void (*evict_inode) (struct inode *);
62473 - void (*put_super) (struct super_block *);
62474 - void (*write_super) (struct super_block *);
62475 - int (*sync_fs)(struct super_block *sb, int wait);
62476 - int (*freeze_fs) (struct super_block *);
62477 - int (*unfreeze_fs) (struct super_block *);
62478 - int (*statfs) (struct dentry *, struct kstatfs *);
62479 - int (*remount_fs) (struct super_block *, int *, char *);
62480 - void (*umount_begin) (struct super_block *);
62481 -
62482 - int (*show_options)(struct seq_file *, struct vfsmount *);
62483 - int (*show_devname)(struct seq_file *, struct vfsmount *);
62484 - int (*show_path)(struct seq_file *, struct vfsmount *);
62485 - int (*show_stats)(struct seq_file *, struct vfsmount *);
62486 + void (* const dirty_inode) (struct inode *);
62487 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
62488 + int (* const drop_inode) (struct inode *);
62489 + void (* const evict_inode) (struct inode *);
62490 + void (* const put_super) (struct super_block *);
62491 + void (* const write_super) (struct super_block *);
62492 + int (* const sync_fs)(struct super_block *sb, int wait);
62493 + int (* const freeze_fs) (struct super_block *);
62494 + int (* const unfreeze_fs) (struct super_block *);
62495 + int (* const statfs) (struct dentry *, struct kstatfs *);
62496 + int (* const remount_fs) (struct super_block *, int *, char *);
62497 + void (* const umount_begin) (struct super_block *);
62498 +
62499 + int (* const show_options)(struct seq_file *, struct vfsmount *);
62500 + int (* const show_devname)(struct seq_file *, struct vfsmount *);
62501 + int (* const show_path)(struct seq_file *, struct vfsmount *);
62502 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
62503 #ifdef CONFIG_QUOTA
62504 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62505 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62506 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62507 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62508 #endif
62509 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62510 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62511 };
62512
62513 /*
62514 diff -urNp linux-2.6.39.2/include/linux/fs_struct.h linux-2.6.39.2/include/linux/fs_struct.h
62515 --- linux-2.6.39.2/include/linux/fs_struct.h 2011-05-19 00:06:34.000000000 -0400
62516 +++ linux-2.6.39.2/include/linux/fs_struct.h 2011-05-22 19:36:33.000000000 -0400
62517 @@ -6,7 +6,7 @@
62518 #include <linux/seqlock.h>
62519
62520 struct fs_struct {
62521 - int users;
62522 + atomic_t users;
62523 spinlock_t lock;
62524 seqcount_t seq;
62525 int umask;
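Review bot: `users` changes from `int` to `atomic_t` while `spinlock_t lock` stays directly below it, and the struct gives no hint which of the two now protects the count. If updates that used to be done under `lock` are now lock-free, sequences that read the count and then act on it need re-checking at the call sites (outside this hunk). A comment such as `atomic_t users; /* reference count; see <call sites> for what still needs ->lock */` would record the new rule.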
62526 diff -urNp linux-2.6.39.2/include/linux/ftrace_event.h linux-2.6.39.2/include/linux/ftrace_event.h
62527 --- linux-2.6.39.2/include/linux/ftrace_event.h 2011-05-19 00:06:34.000000000 -0400
62528 +++ linux-2.6.39.2/include/linux/ftrace_event.h 2011-05-22 19:36:33.000000000 -0400
62529 @@ -235,7 +235,7 @@ extern int trace_define_field(struct ftr
62530 extern int trace_add_event_call(struct ftrace_event_call *call);
62531 extern void trace_remove_event_call(struct ftrace_event_call *call);
62532
62533 -#define is_signed_type(type) (((type)(-1)) < 0)
62534 +#define is_signed_type(type) (((type)(-1)) < (type)1)
62535
62536 int trace_set_clr_event(const char *system, const char *event, int set);
62537
62538 diff -urNp linux-2.6.39.2/include/linux/ftrace.h linux-2.6.39.2/include/linux/ftrace.h
62539 --- linux-2.6.39.2/include/linux/ftrace.h 2011-05-19 00:06:34.000000000 -0400
62540 +++ linux-2.6.39.2/include/linux/ftrace.h 2011-05-22 19:36:33.000000000 -0400
62541 @@ -140,7 +140,7 @@ extern void
62542 unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
62543 void *data);
62544 extern void
62545 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops);
62546 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops);
62547 extern void unregister_ftrace_function_probe_all(char *glob);
62548
62549 extern int ftrace_text_reserved(void *start, void *end);
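Review bot: `unregister_ftrace_function_probe_func()` now takes `const struct ftrace_probe_ops *ops`, but `unregister_ftrace_function_probe()`, whose prototype sits just above it in the same hunk, still takes a non-const `struct ftrace_probe_ops *ops`. A caller holding a `const` ops table can therefore use one unregister call but not the other. If the function does not write through the pointer, its prototype should read `unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops, void *data);`. The matching register prototype and the definitions are outside the hunk.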
62550 diff -urNp linux-2.6.39.2/include/linux/genhd.h linux-2.6.39.2/include/linux/genhd.h
62551 --- linux-2.6.39.2/include/linux/genhd.h 2011-06-03 00:04:14.000000000 -0400
62552 +++ linux-2.6.39.2/include/linux/genhd.h 2011-06-03 00:32:08.000000000 -0400
62553 @@ -184,7 +184,7 @@ struct gendisk {
62554 struct kobject *slave_dir;
62555
62556 struct timer_rand_state *random;
62557 - atomic_t sync_io; /* RAID */
62558 + atomic_unchecked_t sync_io; /* RAID */
62559 struct disk_events *ev;
62560 #ifdef CONFIG_BLK_DEV_INTEGRITY
62561 struct blk_integrity *integrity;
62562 diff -urNp linux-2.6.39.2/include/linux/gracl.h linux-2.6.39.2/include/linux/gracl.h
62563 --- linux-2.6.39.2/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62564 +++ linux-2.6.39.2/include/linux/gracl.h 2011-05-22 19:41:42.000000000 -0400
62565 @@ -0,0 +1,317 @@
62566 +#ifndef GR_ACL_H
62567 +#define GR_ACL_H
62568 +
62569 +#include <linux/grdefs.h>
62570 +#include <linux/resource.h>
62571 +#include <linux/capability.h>
62572 +#include <linux/dcache.h>
62573 +#include <asm/resource.h>
62574 +
62575 +/* Major status information */
62576 +
62577 +#define GR_VERSION "grsecurity 2.2.2"
62578 +#define GRSECURITY_VERSION 0x2202
62579 +
62580 +enum {
62581 + GR_SHUTDOWN = 0,
62582 + GR_ENABLE = 1,
62583 + GR_SPROLE = 2,
62584 + GR_RELOAD = 3,
62585 + GR_SEGVMOD = 4,
62586 + GR_STATUS = 5,
62587 + GR_UNSPROLE = 6,
62588 + GR_PASSSET = 7,
62589 + GR_SPROLEPAM = 8,
62590 +};
62591 +
62592 +/* Password setup definitions
62593 + * kernel/grhash.c */
62594 +enum {
62595 + GR_PW_LEN = 128,
62596 + GR_SALT_LEN = 16,
62597 + GR_SHA_LEN = 32,
62598 +};
62599 +
62600 +enum {
62601 + GR_SPROLE_LEN = 64,
62602 +};
62603 +
62604 +enum {
62605 + GR_NO_GLOB = 0,
62606 + GR_REG_GLOB,
62607 + GR_CREATE_GLOB
62608 +};
62609 +
62610 +#define GR_NLIMITS 32
62611 +
62612 +/* Begin Data Structures */
62613 +
62614 +struct sprole_pw {
62615 + unsigned char *rolename;
62616 + unsigned char salt[GR_SALT_LEN];
62617 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62618 +};
62619 +
62620 +struct name_entry {
62621 + __u32 key;
62622 + ino_t inode;
62623 + dev_t device;
62624 + char *name;
62625 + __u16 len;
62626 + __u8 deleted;
62627 + struct name_entry *prev;
62628 + struct name_entry *next;
62629 +};
62630 +
62631 +struct inodev_entry {
62632 + struct name_entry *nentry;
62633 + struct inodev_entry *prev;
62634 + struct inodev_entry *next;
62635 +};
62636 +
62637 +struct acl_role_db {
62638 + struct acl_role_label **r_hash;
62639 + __u32 r_size;
62640 +};
62641 +
62642 +struct inodev_db {
62643 + struct inodev_entry **i_hash;
62644 + __u32 i_size;
62645 +};
62646 +
62647 +struct name_db {
62648 + struct name_entry **n_hash;
62649 + __u32 n_size;
62650 +};
62651 +
62652 +struct crash_uid {
62653 + uid_t uid;
62654 + unsigned long expires;
62655 +};
62656 +
62657 +struct gr_hash_struct {
62658 + void **table;
62659 + void **nametable;
62660 + void *first;
62661 + __u32 table_size;
62662 + __u32 used_size;
62663 + int type;
62664 +};
62665 +
62666 +/* Userspace Grsecurity ACL data structures */
62667 +
62668 +struct acl_subject_label {
62669 + char *filename;
62670 + ino_t inode;
62671 + dev_t device;
62672 + __u32 mode;
62673 + kernel_cap_t cap_mask;
62674 + kernel_cap_t cap_lower;
62675 + kernel_cap_t cap_invert_audit;
62676 +
62677 + struct rlimit res[GR_NLIMITS];
62678 + __u32 resmask;
62679 +
62680 + __u8 user_trans_type;
62681 + __u8 group_trans_type;
62682 + uid_t *user_transitions;
62683 + gid_t *group_transitions;
62684 + __u16 user_trans_num;
62685 + __u16 group_trans_num;
62686 +
62687 + __u32 sock_families[2];
62688 + __u32 ip_proto[8];
62689 + __u32 ip_type;
62690 + struct acl_ip_label **ips;
62691 + __u32 ip_num;
62692 + __u32 inaddr_any_override;
62693 +
62694 + __u32 crashes;
62695 + unsigned long expires;
62696 +
62697 + struct acl_subject_label *parent_subject;
62698 + struct gr_hash_struct *hash;
62699 + struct acl_subject_label *prev;
62700 + struct acl_subject_label *next;
62701 +
62702 + struct acl_object_label **obj_hash;
62703 + __u32 obj_hash_size;
62704 + __u16 pax_flags;
62705 +};
62706 +
62707 +struct role_allowed_ip {
62708 + __u32 addr;
62709 + __u32 netmask;
62710 +
62711 + struct role_allowed_ip *prev;
62712 + struct role_allowed_ip *next;
62713 +};
62714 +
62715 +struct role_transition {
62716 + char *rolename;
62717 +
62718 + struct role_transition *prev;
62719 + struct role_transition *next;
62720 +};
62721 +
62722 +struct acl_role_label {
62723 + char *rolename;
62724 + uid_t uidgid;
62725 + __u16 roletype;
62726 +
62727 + __u16 auth_attempts;
62728 + unsigned long expires;
62729 +
62730 + struct acl_subject_label *root_label;
62731 + struct gr_hash_struct *hash;
62732 +
62733 + struct acl_role_label *prev;
62734 + struct acl_role_label *next;
62735 +
62736 + struct role_transition *transitions;
62737 + struct role_allowed_ip *allowed_ips;
62738 + uid_t *domain_children;
62739 + __u16 domain_child_num;
62740 +
62741 + struct acl_subject_label **subj_hash;
62742 + __u32 subj_hash_size;
62743 +};
62744 +
62745 +struct user_acl_role_db {
62746 + struct acl_role_label **r_table;
62747 + __u32 num_pointers; /* Number of allocations to track */
62748 + __u32 num_roles; /* Number of roles */
62749 + __u32 num_domain_children; /* Number of domain children */
62750 + __u32 num_subjects; /* Number of subjects */
62751 + __u32 num_objects; /* Number of objects */
62752 +};
62753 +
62754 +struct acl_object_label {
62755 + char *filename;
62756 + ino_t inode;
62757 + dev_t device;
62758 + __u32 mode;
62759 +
62760 + struct acl_subject_label *nested;
62761 + struct acl_object_label *globbed;
62762 +
62763 + /* next two structures not used */
62764 +
62765 + struct acl_object_label *prev;
62766 + struct acl_object_label *next;
62767 +};
62768 +
62769 +struct acl_ip_label {
62770 + char *iface;
62771 + __u32 addr;
62772 + __u32 netmask;
62773 + __u16 low, high;
62774 + __u8 mode;
62775 + __u32 type;
62776 + __u32 proto[8];
62777 +
62778 + /* next two structures not used */
62779 +
62780 + struct acl_ip_label *prev;
62781 + struct acl_ip_label *next;
62782 +};
62783 +
62784 +struct gr_arg {
62785 + struct user_acl_role_db role_db;
62786 + unsigned char pw[GR_PW_LEN];
62787 + unsigned char salt[GR_SALT_LEN];
62788 + unsigned char sum[GR_SHA_LEN];
62789 + unsigned char sp_role[GR_SPROLE_LEN];
62790 + struct sprole_pw *sprole_pws;
62791 + dev_t segv_device;
62792 + ino_t segv_inode;
62793 + uid_t segv_uid;
62794 + __u16 num_sprole_pws;
62795 + __u16 mode;
62796 +};
62797 +
62798 +struct gr_arg_wrapper {
62799 + struct gr_arg *arg;
62800 + __u32 version;
62801 + __u32 size;
62802 +};
62803 +
62804 +struct subject_map {
62805 + struct acl_subject_label *user;
62806 + struct acl_subject_label *kernel;
62807 + struct subject_map *prev;
62808 + struct subject_map *next;
62809 +};
62810 +
62811 +struct acl_subj_map_db {
62812 + struct subject_map **s_hash;
62813 + __u32 s_size;
62814 +};
62815 +
62816 +/* End Data Structures Section */
62817 +
62818 +/* Hash functions generated by empirical testing by Brad Spengler
62819 + Makes good use of the low bits of the inode. Generally 0-1 times
62820 + in loop for successful match. 0-3 for unsuccessful match.
62821 + Shift/add algorithm with modulus of table size and an XOR*/
62822 +
62823 +static __inline__ unsigned int
62824 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
62825 +{
62826 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
62827 +}
62828 +
62829 + static __inline__ unsigned int
62830 +shash(const struct acl_subject_label *userp, const unsigned int sz)
62831 +{
62832 + return ((const unsigned long)userp % sz);
62833 +}
62834 +
62835 +static __inline__ unsigned int
62836 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
62837 +{
62838 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
62839 +}
62840 +
62841 +static __inline__ unsigned int
62842 +nhash(const char *name, const __u16 len, const unsigned int sz)
62843 +{
62844 + return full_name_hash((const unsigned char *)name, len) % sz;
62845 +}
62846 +
62847 +#define FOR_EACH_ROLE_START(role) \
62848 + role = role_list; \
62849 + while (role) {
62850 +
62851 +#define FOR_EACH_ROLE_END(role) \
62852 + role = role->prev; \
62853 + }
62854 +
62855 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
62856 + subj = NULL; \
62857 + iter = 0; \
62858 + while (iter < role->subj_hash_size) { \
62859 + if (subj == NULL) \
62860 + subj = role->subj_hash[iter]; \
62861 + if (subj == NULL) { \
62862 + iter++; \
62863 + continue; \
62864 + }
62865 +
62866 +#define FOR_EACH_SUBJECT_END(subj,iter) \
62867 + subj = subj->next; \
62868 + if (subj == NULL) \
62869 + iter++; \
62870 + }
62871 +
62872 +
62873 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
62874 + subj = role->hash->first; \
62875 + while (subj != NULL) {
62876 +
62877 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
62878 + subj = subj->next; \
62879 + }
62880 +
62881 +#endif
62882 +
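Review bot: In `rhash` the shift count `16 + type` comes straight from a `__u16` argument, so any `type` of 16 or more shifts by at least the width of the operand, which is undefined behaviour in C. The `roletype` field is also a `__u16`, and the role flags defined in grdefs.h go far beyond that value. The callers are outside this hunk and presumably pass only the user or group bit, but nothing in the header states it. I would put the precondition above the helper, `/* type must be GR_ROLE_USER or GR_ROLE_GROUP; sz must be non-zero */`. The non-zero `sz` requirement applies equally to `shash`, `fhash` and `nhash`, which all end in `% sz`.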
62883 diff -urNp linux-2.6.39.2/include/linux/gralloc.h linux-2.6.39.2/include/linux/gralloc.h
62884 --- linux-2.6.39.2/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
62885 +++ linux-2.6.39.2/include/linux/gralloc.h 2011-05-22 19:41:42.000000000 -0400
62886 @@ -0,0 +1,9 @@
62887 +#ifndef __GRALLOC_H
62888 +#define __GRALLOC_H
62889 +
62890 +void acl_free_all(void);
62891 +int acl_alloc_stack_init(unsigned long size);
62892 +void *acl_alloc(unsigned long len);
62893 +void *acl_alloc_num(unsigned long num, unsigned long len);
62894 +
62895 +#endif
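Review bot: `acl_alloc_num(num, len)` takes a count and an element size, but the declaration does not say whether `num * len` is checked for overflow before memory is handed out. gracl.h keeps several element counts in structures it labels as userspace data, so if any of them reach this function (not visible here) a wrapped product would give an undersized buffer. The implementation is outside this hunk and may already guard against this. A contract comment on the prototype would settle it for callers, for example `/* returns NULL if num * len overflows or the allocation fails */`, with a matching line on `acl_alloc` about its failure return.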
62896 diff -urNp linux-2.6.39.2/include/linux/grdefs.h linux-2.6.39.2/include/linux/grdefs.h
62897 --- linux-2.6.39.2/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
62898 +++ linux-2.6.39.2/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
62899 @@ -0,0 +1,140 @@
62900 +#ifndef GRDEFS_H
62901 +#define GRDEFS_H
62902 +
62903 +/* Begin grsecurity status declarations */
62904 +
62905 +enum {
62906 + GR_READY = 0x01,
62907 + GR_STATUS_INIT = 0x00 // disabled state
62908 +};
62909 +
62910 +/* Begin ACL declarations */
62911 +
62912 +/* Role flags */
62913 +
62914 +enum {
62915 + GR_ROLE_USER = 0x0001,
62916 + GR_ROLE_GROUP = 0x0002,
62917 + GR_ROLE_DEFAULT = 0x0004,
62918 + GR_ROLE_SPECIAL = 0x0008,
62919 + GR_ROLE_AUTH = 0x0010,
62920 + GR_ROLE_NOPW = 0x0020,
62921 + GR_ROLE_GOD = 0x0040,
62922 + GR_ROLE_LEARN = 0x0080,
62923 + GR_ROLE_TPE = 0x0100,
62924 + GR_ROLE_DOMAIN = 0x0200,
62925 + GR_ROLE_PAM = 0x0400,
62926 + GR_ROLE_PERSIST = 0x0800
62927 +};
62928 +
62929 +/* ACL Subject and Object mode flags */
62930 +enum {
62931 + GR_DELETED = 0x80000000
62932 +};
62933 +
62934 +/* ACL Object-only mode flags */
62935 +enum {
62936 + GR_READ = 0x00000001,
62937 + GR_APPEND = 0x00000002,
62938 + GR_WRITE = 0x00000004,
62939 + GR_EXEC = 0x00000008,
62940 + GR_FIND = 0x00000010,
62941 + GR_INHERIT = 0x00000020,
62942 + GR_SETID = 0x00000040,
62943 + GR_CREATE = 0x00000080,
62944 + GR_DELETE = 0x00000100,
62945 + GR_LINK = 0x00000200,
62946 + GR_AUDIT_READ = 0x00000400,
62947 + GR_AUDIT_APPEND = 0x00000800,
62948 + GR_AUDIT_WRITE = 0x00001000,
62949 + GR_AUDIT_EXEC = 0x00002000,
62950 + GR_AUDIT_FIND = 0x00004000,
62951 + GR_AUDIT_INHERIT= 0x00008000,
62952 + GR_AUDIT_SETID = 0x00010000,
62953 + GR_AUDIT_CREATE = 0x00020000,
62954 + GR_AUDIT_DELETE = 0x00040000,
62955 + GR_AUDIT_LINK = 0x00080000,
62956 + GR_PTRACERD = 0x00100000,
62957 + GR_NOPTRACE = 0x00200000,
62958 + GR_SUPPRESS = 0x00400000,
62959 + GR_NOLEARN = 0x00800000,
62960 + GR_INIT_TRANSFER= 0x01000000
62961 +};
62962 +
62963 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
62964 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
62965 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
62966 +
62967 +/* ACL subject-only mode flags */
62968 +enum {
62969 + GR_KILL = 0x00000001,
62970 + GR_VIEW = 0x00000002,
62971 + GR_PROTECTED = 0x00000004,
62972 + GR_LEARN = 0x00000008,
62973 + GR_OVERRIDE = 0x00000010,
62974 + /* just a placeholder, this mode is only used in userspace */
62975 + GR_DUMMY = 0x00000020,
62976 + GR_PROTSHM = 0x00000040,
62977 + GR_KILLPROC = 0x00000080,
62978 + GR_KILLIPPROC = 0x00000100,
62979 + /* just a placeholder, this mode is only used in userspace */
62980 + GR_NOTROJAN = 0x00000200,
62981 + GR_PROTPROCFD = 0x00000400,
62982 + GR_PROCACCT = 0x00000800,
62983 + GR_RELAXPTRACE = 0x00001000,
62984 + GR_NESTED = 0x00002000,
62985 + GR_INHERITLEARN = 0x00004000,
62986 + GR_PROCFIND = 0x00008000,
62987 + GR_POVERRIDE = 0x00010000,
62988 + GR_KERNELAUTH = 0x00020000,
62989 + GR_ATSECURE = 0x00040000,
62990 + GR_SHMEXEC = 0x00080000
62991 +};
62992 +
62993 +enum {
62994 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
62995 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
62996 + GR_PAX_ENABLE_MPROTECT = 0x0004,
62997 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
62998 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
62999 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
63000 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
63001 + GR_PAX_DISABLE_MPROTECT = 0x0400,
63002 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
63003 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
63004 +};
63005 +
63006 +enum {
63007 + GR_ID_USER = 0x01,
63008 + GR_ID_GROUP = 0x02,
63009 +};
63010 +
63011 +enum {
63012 + GR_ID_ALLOW = 0x01,
63013 + GR_ID_DENY = 0x02,
63014 +};
63015 +
63016 +#define GR_CRASH_RES 31
63017 +#define GR_UIDTABLE_MAX 500
63018 +
63019 +/* begin resource learning section */
63020 +enum {
63021 + GR_RLIM_CPU_BUMP = 60,
63022 + GR_RLIM_FSIZE_BUMP = 50000,
63023 + GR_RLIM_DATA_BUMP = 10000,
63024 + GR_RLIM_STACK_BUMP = 1000,
63025 + GR_RLIM_CORE_BUMP = 10000,
63026 + GR_RLIM_RSS_BUMP = 500000,
63027 + GR_RLIM_NPROC_BUMP = 1,
63028 + GR_RLIM_NOFILE_BUMP = 5,
63029 + GR_RLIM_MEMLOCK_BUMP = 50000,
63030 + GR_RLIM_AS_BUMP = 500000,
63031 + GR_RLIM_LOCKS_BUMP = 2,
63032 + GR_RLIM_SIGPENDING_BUMP = 5,
63033 + GR_RLIM_MSGQUEUE_BUMP = 10000,
63034 + GR_RLIM_NICE_BUMP = 1,
63035 + GR_RLIM_RTPRIO_BUMP = 1,
63036 + GR_RLIM_RTTIME_BUMP = 1000000
63037 +};
63038 +
63039 +#endif
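Review bot: `GR_DELETED = 0x80000000` is declared as an enumeration constant, but that value does not fit in `int`, which is what ISO C (before C23) requires of enumerators. GCC accepts it as an extension and gives the enum an unsigned type, so the flag works only because of that extension. Since the `mode` fields it is tested against are `__u32`, an explicitly unsigned constant states the intent without depending on the compiler: `#define GR_DELETED 0x80000000U`. If the enum form is kept for consistency with the other flag groups, a comment noting the reliance on the GCC extension would help anyone building with stricter diagnostics.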
63040 diff -urNp linux-2.6.39.2/include/linux/grinternal.h linux-2.6.39.2/include/linux/grinternal.h
63041 --- linux-2.6.39.2/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
63042 +++ linux-2.6.39.2/include/linux/grinternal.h 2011-06-29 19:41:29.000000000 -0400
63043 @@ -0,0 +1,220 @@
63044 +#ifndef __GRINTERNAL_H
63045 +#define __GRINTERNAL_H
63046 +
63047 +#ifdef CONFIG_GRKERNSEC
63048 +
63049 +#include <linux/fs.h>
63050 +#include <linux/mnt_namespace.h>
63051 +#include <linux/nsproxy.h>
63052 +#include <linux/gracl.h>
63053 +#include <linux/grdefs.h>
63054 +#include <linux/grmsg.h>
63055 +
63056 +void gr_add_learn_entry(const char *fmt, ...)
63057 + __attribute__ ((format (printf, 1, 2)));
63058 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
63059 + const struct vfsmount *mnt);
63060 +__u32 gr_check_create(const struct dentry *new_dentry,
63061 + const struct dentry *parent,
63062 + const struct vfsmount *mnt, const __u32 mode);
63063 +int gr_check_protected_task(const struct task_struct *task);
63064 +__u32 to_gr_audit(const __u32 reqmode);
63065 +int gr_set_acls(const int type);
63066 +int gr_apply_subject_to_task(struct task_struct *task);
63067 +int gr_acl_is_enabled(void);
63068 +char gr_roletype_to_char(void);
63069 +
63070 +void gr_handle_alertkill(struct task_struct *task);
63071 +char *gr_to_filename(const struct dentry *dentry,
63072 + const struct vfsmount *mnt);
63073 +char *gr_to_filename1(const struct dentry *dentry,
63074 + const struct vfsmount *mnt);
63075 +char *gr_to_filename2(const struct dentry *dentry,
63076 + const struct vfsmount *mnt);
63077 +char *gr_to_filename3(const struct dentry *dentry,
63078 + const struct vfsmount *mnt);
63079 +
63080 +extern int grsec_enable_harden_ptrace;
63081 +extern int grsec_enable_link;
63082 +extern int grsec_enable_fifo;
63083 +extern int grsec_enable_execve;
63084 +extern int grsec_enable_shm;
63085 +extern int grsec_enable_execlog;
63086 +extern int grsec_enable_signal;
63087 +extern int grsec_enable_audit_ptrace;
63088 +extern int grsec_enable_forkfail;
63089 +extern int grsec_enable_time;
63090 +extern int grsec_enable_rofs;
63091 +extern int grsec_enable_chroot_shmat;
63092 +extern int grsec_enable_chroot_findtask;
63093 +extern int grsec_enable_chroot_mount;
63094 +extern int grsec_enable_chroot_double;
63095 +extern int grsec_enable_chroot_pivot;
63096 +extern int grsec_enable_chroot_chdir;
63097 +extern int grsec_enable_chroot_chmod;
63098 +extern int grsec_enable_chroot_mknod;
63099 +extern int grsec_enable_chroot_fchdir;
63100 +extern int grsec_enable_chroot_nice;
63101 +extern int grsec_enable_chroot_execlog;
63102 +extern int grsec_enable_chroot_caps;
63103 +extern int grsec_enable_chroot_sysctl;
63104 +extern int grsec_enable_chroot_unix;
63105 +extern int grsec_enable_tpe;
63106 +extern int grsec_tpe_gid;
63107 +extern int grsec_enable_tpe_all;
63108 +extern int grsec_enable_tpe_invert;
63109 +extern int grsec_enable_socket_all;
63110 +extern int grsec_socket_all_gid;
63111 +extern int grsec_enable_socket_client;
63112 +extern int grsec_socket_client_gid;
63113 +extern int grsec_enable_socket_server;
63114 +extern int grsec_socket_server_gid;
63115 +extern int grsec_audit_gid;
63116 +extern int grsec_enable_group;
63117 +extern int grsec_enable_audit_textrel;
63118 +extern int grsec_enable_log_rwxmaps;
63119 +extern int grsec_enable_mount;
63120 +extern int grsec_enable_chdir;
63121 +extern int grsec_resource_logging;
63122 +extern int grsec_enable_blackhole;
63123 +extern int grsec_lastack_retries;
63124 +extern int grsec_enable_brute;
63125 +extern int grsec_lock;
63126 +
63127 +extern spinlock_t grsec_alert_lock;
63128 +extern unsigned long grsec_alert_wtime;
63129 +extern unsigned long grsec_alert_fyet;
63130 +
63131 +extern spinlock_t grsec_audit_lock;
63132 +
63133 +extern rwlock_t grsec_exec_file_lock;
63134 +
63135 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
63136 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
63137 + (tsk)->exec_file->f_vfsmnt) : "/")
63138 +
63139 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
63140 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
63141 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63142 +
63143 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
63144 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
63145 + (tsk)->exec_file->f_vfsmnt) : "/")
63146 +
63147 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
63148 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
63149 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63150 +
63151 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
63152 +
63153 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
63154 +
63155 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
63156 + (task)->pid, (cred)->uid, \
63157 + (cred)->euid, (cred)->gid, (cred)->egid, \
63158 + gr_parent_task_fullpath(task), \
63159 + (task)->real_parent->comm, (task)->real_parent->pid, \
63160 + (pcred)->uid, (pcred)->euid, \
63161 + (pcred)->gid, (pcred)->egid
63162 +
63163 +#define GR_CHROOT_CAPS {{ \
63164 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
63165 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
63166 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
63167 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
63168 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
63169 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
63170 +
63171 +#define security_learn(normal_msg,args...) \
63172 +({ \
63173 + read_lock(&grsec_exec_file_lock); \
63174 + gr_add_learn_entry(normal_msg "\n", ## args); \
63175 + read_unlock(&grsec_exec_file_lock); \
63176 +})
63177 +
63178 +enum {
63179 + GR_DO_AUDIT,
63180 + GR_DONT_AUDIT,
63181 + /* used for non-audit messages that we shouldn't kill the task on */
63182 + GR_DONT_AUDIT_GOOD
63183 +};
63184 +
63185 +enum {
63186 + GR_TTYSNIFF,
63187 + GR_RBAC,
63188 + GR_RBAC_STR,
63189 + GR_STR_RBAC,
63190 + GR_RBAC_MODE2,
63191 + GR_RBAC_MODE3,
63192 + GR_FILENAME,
63193 + GR_SYSCTL_HIDDEN,
63194 + GR_NOARGS,
63195 + GR_ONE_INT,
63196 + GR_ONE_INT_TWO_STR,
63197 + GR_ONE_STR,
63198 + GR_STR_INT,
63199 + GR_TWO_STR_INT,
63200 + GR_TWO_INT,
63201 + GR_TWO_U64,
63202 + GR_THREE_INT,
63203 + GR_FIVE_INT_TWO_STR,
63204 + GR_TWO_STR,
63205 + GR_THREE_STR,
63206 + GR_FOUR_STR,
63207 + GR_STR_FILENAME,
63208 + GR_FILENAME_STR,
63209 + GR_FILENAME_TWO_INT,
63210 + GR_FILENAME_TWO_INT_STR,
63211 + GR_TEXTREL,
63212 + GR_PTRACE,
63213 + GR_RESOURCE,
63214 + GR_CAP,
63215 + GR_SIG,
63216 + GR_SIG2,
63217 + GR_CRASH1,
63218 + GR_CRASH2,
63219 + GR_PSACCT,
63220 + GR_RWXMAP
63221 +};
63222 +
63223 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
63224 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
63225 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
63226 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
63227 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
63228 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
63229 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
63230 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
63231 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
63232 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
63233 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
63234 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
63235 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
63236 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
63237 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
63238 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
63239 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
63240 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
63241 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
63242 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
63243 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
63244 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
63245 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
63246 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
63247 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63248 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63249 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63250 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63251 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63252 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63253 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63254 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63255 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63256 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63257 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63258 +
63259 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63260 +
63261 +#endif
63262 +
63263 +#endif
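Review bot: `gr_log_int5_str2` forwards two integers and two strings, yet it selects the tag `GR_FIVE_INT_TWO_STR`. Because `gr_log_varargs` has to choose its `va_arg` types from `argtypes` alone, the compiler checks neither the argument count nor the types against `msg`. The implementation is outside this hunk, so the tag may simply be misnamed, but if it does read five integers the call walks past the arguments it was given. I would rename the pair to match what is passed, or add a short comment beside each `gr_log_*` wrapper naming the expected types, e.g. `/* GR_FIVE_INT_TWO_STR: int, int, char *, char * */`, so a mismatch between tag, arguments and format string can be caught in review.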
63264 diff -urNp linux-2.6.39.2/include/linux/grmsg.h linux-2.6.39.2/include/linux/grmsg.h
63265 --- linux-2.6.39.2/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63266 +++ linux-2.6.39.2/include/linux/grmsg.h 2011-05-22 19:41:42.000000000 -0400
63267 @@ -0,0 +1,108 @@
63268 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63269 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63270 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63271 +#define GR_STOPMOD_MSG "denied modification of module state by "
63272 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63273 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63274 +#define GR_IOPERM_MSG "denied use of ioperm() by "
63275 +#define GR_IOPL_MSG "denied use of iopl() by "
63276 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63277 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63278 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63279 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63280 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63281 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63282 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63283 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63284 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63285 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63286 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63287 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63288 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63289 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63290 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63291 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63292 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63293 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63294 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63295 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63296 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63297 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63298 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63299 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63300 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63301 +#define GR_NPROC_MSG "denied overstep of process limit by "
63302 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63303 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63304 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63305 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63306 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63307 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63308 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63309 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63310 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63311 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63312 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63313 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63314 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63315 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63316 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63317 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63318 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63319 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63320 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63321 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63322 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63323 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63324 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63325 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63326 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63327 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63328 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63329 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63330 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63331 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63332 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63333 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63334 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63335 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63336 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63337 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63338 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63339 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63340 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63341 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
63342 +#define GR_NICE_CHROOT_MSG "denied priority change by "
63343 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63344 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63345 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63346 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63347 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63348 +#define GR_TIME_MSG "time set by "
63349 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63350 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63351 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63352 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63353 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63354 +#define GR_BIND_MSG "denied bind() by "
63355 +#define GR_CONNECT_MSG "denied connect() by "
63356 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63357 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63358 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63359 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63360 +#define GR_CAP_ACL_MSG "use of %s denied for "
63361 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63362 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63363 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63364 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63365 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63366 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63367 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63368 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63369 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63370 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63371 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63372 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63373 +#define GR_VM86_MSG "denied use of vm86 by "
63374 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63375 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
63376 diff -urNp linux-2.6.39.2/include/linux/grsecurity.h linux-2.6.39.2/include/linux/grsecurity.h
63377 --- linux-2.6.39.2/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63378 +++ linux-2.6.39.2/include/linux/grsecurity.h 2011-05-22 19:41:42.000000000 -0400
63379 @@ -0,0 +1,212 @@
63380 +#ifndef GR_SECURITY_H
63381 +#define GR_SECURITY_H
63382 +#include <linux/fs.h>
63383 +#include <linux/fs_struct.h>
63384 +#include <linux/binfmts.h>
63385 +#include <linux/gracl.h>
63386 +#include <linux/compat.h>
63387 +
63388 +/* notify of brain-dead configs */
63389 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63390 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63391 +#endif
63392 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63393 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63394 +#endif
63395 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63396 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63397 +#endif
63398 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63399 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63400 +#endif
63401 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63402 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
63403 +#endif
63404 +
63405 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63406 +void gr_handle_brute_check(void);
63407 +void gr_handle_kernel_exploit(void);
63408 +int gr_process_user_ban(void);
63409 +
63410 +char gr_roletype_to_char(void);
63411 +
63412 +int gr_acl_enable_at_secure(void);
63413 +
63414 +int gr_check_user_change(int real, int effective, int fs);
63415 +int gr_check_group_change(int real, int effective, int fs);
63416 +
63417 +void gr_del_task_from_ip_table(struct task_struct *p);
63418 +
63419 +int gr_pid_is_chrooted(struct task_struct *p);
63420 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63421 +int gr_handle_chroot_nice(void);
63422 +int gr_handle_chroot_sysctl(const int op);
63423 +int gr_handle_chroot_setpriority(struct task_struct *p,
63424 + const int niceval);
63425 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63426 +int gr_handle_chroot_chroot(const struct dentry *dentry,
63427 + const struct vfsmount *mnt);
63428 +int gr_handle_chroot_caps(struct path *path);
63429 +void gr_handle_chroot_chdir(struct path *path);
63430 +int gr_handle_chroot_chmod(const struct dentry *dentry,
63431 + const struct vfsmount *mnt, const int mode);
63432 +int gr_handle_chroot_mknod(const struct dentry *dentry,
63433 + const struct vfsmount *mnt, const int mode);
63434 +int gr_handle_chroot_mount(const struct dentry *dentry,
63435 + const struct vfsmount *mnt,
63436 + const char *dev_name);
63437 +int gr_handle_chroot_pivot(void);
63438 +int gr_handle_chroot_unix(struct pid *pid);
63439 +
63440 +int gr_handle_rawio(const struct inode *inode);
63441 +int gr_handle_nproc(void);
63442 +
63443 +void gr_handle_ioperm(void);
63444 +void gr_handle_iopl(void);
63445 +
63446 +int gr_tpe_allow(const struct file *file);
63447 +
63448 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63449 +void gr_clear_chroot_entries(struct task_struct *task);
63450 +
63451 +void gr_log_forkfail(const int retval);
63452 +void gr_log_timechange(void);
63453 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63454 +void gr_log_chdir(const struct dentry *dentry,
63455 + const struct vfsmount *mnt);
63456 +void gr_log_chroot_exec(const struct dentry *dentry,
63457 + const struct vfsmount *mnt);
63458 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63459 +#ifdef CONFIG_COMPAT
63460 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63461 +#endif
63462 +void gr_log_remount(const char *devname, const int retval);
63463 +void gr_log_unmount(const char *devname, const int retval);
63464 +void gr_log_mount(const char *from, const char *to, const int retval);
63465 +void gr_log_textrel(struct vm_area_struct *vma);
63466 +void gr_log_rwxmmap(struct file *file);
63467 +void gr_log_rwxmprotect(struct file *file);
63468 +
63469 +int gr_handle_follow_link(const struct inode *parent,
63470 + const struct inode *inode,
63471 + const struct dentry *dentry,
63472 + const struct vfsmount *mnt);
63473 +int gr_handle_fifo(const struct dentry *dentry,
63474 + const struct vfsmount *mnt,
63475 + const struct dentry *dir, const int flag,
63476 + const int acc_mode);
63477 +int gr_handle_hardlink(const struct dentry *dentry,
63478 + const struct vfsmount *mnt,
63479 + struct inode *inode,
63480 + const int mode, const char *to);
63481 +
63482 +int gr_is_capable(const int cap);
63483 +int gr_is_capable_nolog(const int cap);
63484 +void gr_learn_resource(const struct task_struct *task, const int limit,
63485 + const unsigned long wanted, const int gt);
63486 +void gr_copy_label(struct task_struct *tsk);
63487 +void gr_handle_crash(struct task_struct *task, const int sig);
63488 +int gr_handle_signal(const struct task_struct *p, const int sig);
63489 +int gr_check_crash_uid(const uid_t uid);
63490 +int gr_check_protected_task(const struct task_struct *task);
63491 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63492 +int gr_acl_handle_mmap(const struct file *file,
63493 + const unsigned long prot);
63494 +int gr_acl_handle_mprotect(const struct file *file,
63495 + const unsigned long prot);
63496 +int gr_check_hidden_task(const struct task_struct *tsk);
63497 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63498 + const struct vfsmount *mnt);
63499 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
63500 + const struct vfsmount *mnt);
63501 +__u32 gr_acl_handle_access(const struct dentry *dentry,
63502 + const struct vfsmount *mnt, const int fmode);
63503 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63504 + const struct vfsmount *mnt, mode_t mode);
63505 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63506 + const struct vfsmount *mnt, mode_t mode);
63507 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
63508 + const struct vfsmount *mnt);
63509 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63510 + const struct vfsmount *mnt);
63511 +int gr_handle_ptrace(struct task_struct *task, const long request);
63512 +int gr_handle_proc_ptrace(struct task_struct *task);
63513 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
63514 + const struct vfsmount *mnt);
63515 +int gr_check_crash_exec(const struct file *filp);
63516 +int gr_acl_is_enabled(void);
63517 +void gr_set_kernel_label(struct task_struct *task);
63518 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
63519 + const gid_t gid);
63520 +int gr_set_proc_label(const struct dentry *dentry,
63521 + const struct vfsmount *mnt,
63522 + const int unsafe_share);
63523 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63524 + const struct vfsmount *mnt);
63525 +__u32 gr_acl_handle_open(const struct dentry *dentry,
63526 + const struct vfsmount *mnt, const int fmode);
63527 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
63528 + const struct dentry *p_dentry,
63529 + const struct vfsmount *p_mnt, const int fmode,
63530 + const int imode);
63531 +void gr_handle_create(const struct dentry *dentry,
63532 + const struct vfsmount *mnt);
63533 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63534 + const struct dentry *parent_dentry,
63535 + const struct vfsmount *parent_mnt,
63536 + const int mode);
63537 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63538 + const struct dentry *parent_dentry,
63539 + const struct vfsmount *parent_mnt);
63540 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63541 + const struct vfsmount *mnt);
63542 +void gr_handle_delete(const ino_t ino, const dev_t dev);
63543 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63544 + const struct vfsmount *mnt);
63545 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63546 + const struct dentry *parent_dentry,
63547 + const struct vfsmount *parent_mnt,
63548 + const char *from);
63549 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63550 + const struct dentry *parent_dentry,
63551 + const struct vfsmount *parent_mnt,
63552 + const struct dentry *old_dentry,
63553 + const struct vfsmount *old_mnt, const char *to);
63554 +int gr_acl_handle_rename(struct dentry *new_dentry,
63555 + struct dentry *parent_dentry,
63556 + const struct vfsmount *parent_mnt,
63557 + struct dentry *old_dentry,
63558 + struct inode *old_parent_inode,
63559 + struct vfsmount *old_mnt, const char *newname);
63560 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63561 + struct dentry *old_dentry,
63562 + struct dentry *new_dentry,
63563 + struct vfsmount *mnt, const __u8 replace);
63564 +__u32 gr_check_link(const struct dentry *new_dentry,
63565 + const struct dentry *parent_dentry,
63566 + const struct vfsmount *parent_mnt,
63567 + const struct dentry *old_dentry,
63568 + const struct vfsmount *old_mnt);
63569 +int gr_acl_handle_filldir(const struct file *file, const char *name,
63570 + const unsigned int namelen, const ino_t ino);
63571 +
63572 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
63573 + const struct vfsmount *mnt);
63574 +void gr_acl_handle_exit(void);
63575 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
63576 +int gr_acl_handle_procpidmem(const struct task_struct *task);
63577 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63578 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63579 +void gr_audit_ptrace(struct task_struct *task);
63580 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63581 +
63582 +#ifdef CONFIG_GRKERNSEC
63583 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63584 +void gr_handle_vm86(void);
63585 +void gr_handle_mem_readwrite(u64 from, u64 to);
63586 +
63587 +extern int grsec_enable_dmesg;
63588 +extern int grsec_disable_privio;
63589 +#endif
63590 +
63591 +#endif
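Review bot: None of the prototypes in this new header states its return convention, and the hooks use two return types: the `gr_handle_*` and `gr_check_*` functions return `int`, while most of the `gr_acl_handle_*` functions return `__u32`. If the two families signal denial in opposite ways (non-zero for one, zero for the other), a call site that tests the wrong way fails open; the definitions are outside this hunk, so that needs confirming. I would add a short comment above each group, for example `/* returns non-zero when the operation must be denied */` and `/* returns the granted mode bits; 0 means denied */`, adjusted to what the implementations actually do.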
63592 diff -urNp linux-2.6.39.2/include/linux/grsock.h linux-2.6.39.2/include/linux/grsock.h
63593 --- linux-2.6.39.2/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
63594 +++ linux-2.6.39.2/include/linux/grsock.h 2011-05-22 19:41:42.000000000 -0400
63595 @@ -0,0 +1,19 @@
63596 +#ifndef __GRSOCK_H
63597 +#define __GRSOCK_H
63598 +
63599 +extern void gr_attach_curr_ip(const struct sock *sk);
63600 +extern int gr_handle_sock_all(const int family, const int type,
63601 + const int protocol);
63602 +extern int gr_handle_sock_server(const struct sockaddr *sck);
63603 +extern int gr_handle_sock_server_other(const struct sock *sck);
63604 +extern int gr_handle_sock_client(const struct sockaddr *sck);
63605 +extern int gr_search_connect(struct socket * sock,
63606 + struct sockaddr_in * addr);
63607 +extern int gr_search_bind(struct socket * sock,
63608 + struct sockaddr_in * addr);
63609 +extern int gr_search_listen(struct socket * sock);
63610 +extern int gr_search_accept(struct socket * sock);
63611 +extern int gr_search_socket(const int domain, const int type,
63612 + const int protocol);
63613 +
63614 +#endif
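Review bot: This header names `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` in its prototypes but includes nothing and forward-declares nothing. It therefore compiles cleanly only when the includer has already pulled in the networking headers; otherwise each struct gets prototype scope and the declarations no longer match the definitions. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the guard makes it self-contained. The guard name `__GRSOCK_H` also differs in style from `GR_SECURITY_H` in the sibling header and uses a reserved double-underscore prefix.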
63615 diff -urNp linux-2.6.39.2/include/linux/highmem.h linux-2.6.39.2/include/linux/highmem.h
63616 --- linux-2.6.39.2/include/linux/highmem.h 2011-05-19 00:06:34.000000000 -0400
63617 +++ linux-2.6.39.2/include/linux/highmem.h 2011-05-22 19:36:33.000000000 -0400
63618 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
63619 kunmap_atomic(kaddr, KM_USER0);
63620 }
63621
63622 +static inline void sanitize_highpage(struct page *page)
63623 +{
63624 + void *kaddr;
63625 + unsigned long flags;
63626 +
63627 + local_irq_save(flags);
63628 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
63629 + clear_page(kaddr);
63630 + kunmap_atomic(kaddr, KM_CLEARPAGE);
63631 + local_irq_restore(flags);
63632 +}
63633 +
63634 static inline void zero_user_segments(struct page *page,
63635 unsigned start1, unsigned end1,
63636 unsigned start2, unsigned end2)
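Review bot: `sanitize_highpage()` has no comment saying why it exists next to `clear_highpage()` directly above it, or why it brackets the mapping with `local_irq_save()`/`local_irq_restore()`. The visible difference is the `KM_CLEARPAGE` slot in place of `KM_USER0`; presumably interrupts are disabled so the slot cannot be reused from interrupt context while the page is mapped. A one-line comment such as `/* zero a page through the KM_CLEARPAGE slot; IRQs off so the slot is not reused while mapped */` would record that once it is confirmed against the callers. The body of `clear_highpage()` starts outside this hunk.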
63637 diff -urNp linux-2.6.39.2/include/linux/i2o.h linux-2.6.39.2/include/linux/i2o.h
63638 --- linux-2.6.39.2/include/linux/i2o.h 2011-05-19 00:06:34.000000000 -0400
63639 +++ linux-2.6.39.2/include/linux/i2o.h 2011-05-22 19:36:33.000000000 -0400
63640 @@ -564,7 +564,7 @@ struct i2o_controller {
63641 struct i2o_device *exec; /* Executive */
63642 #if BITS_PER_LONG == 64
63643 spinlock_t context_list_lock; /* lock for context_list */
63644 - atomic_t context_list_counter; /* needed for unique contexts */
63645 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63646 struct list_head context_list; /* list of context id's
63647 and pointers */
63648 #endif
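Review bot: `context_list_counter` is commented "needed for unique contexts", and its new type `atomic_unchecked_t` appears to opt it out of the overflow detection this patch applies to `atomic_t` (the type is defined outside this hunk). If the counter can wrap, two live entries could receive the same context value, so the comment should say why the exemption is safe, for example `/* id generator, not a reference count: exempt from overflow checking */`. The kgdb.h hunk makes the same type change to `kgdb_cpu_doing_single_step`, also without a stated reason.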
63649 diff -urNp linux-2.6.39.2/include/linux/if_phonet.h linux-2.6.39.2/include/linux/if_phonet.h
63650 --- linux-2.6.39.2/include/linux/if_phonet.h 2011-05-19 00:06:34.000000000 -0400
63651 +++ linux-2.6.39.2/include/linux/if_phonet.h 2011-05-22 19:36:33.000000000 -0400
63652 @@ -13,7 +13,7 @@
63653 #define PHONET_DEV_MTU PHONET_MAX_MTU
63654
63655 #ifdef __KERNEL__
63656 -extern struct header_ops phonet_header_ops;
63657 +extern const struct header_ops phonet_header_ops;
63658 #endif
63659
63660 #endif
63661 diff -urNp linux-2.6.39.2/include/linux/init.h linux-2.6.39.2/include/linux/init.h
63662 --- linux-2.6.39.2/include/linux/init.h 2011-05-19 00:06:34.000000000 -0400
63663 +++ linux-2.6.39.2/include/linux/init.h 2011-05-22 19:36:33.000000000 -0400
63664 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
63665
63666 /* Each module must use one module_init(). */
63667 #define module_init(initfn) \
63668 - static inline initcall_t __inittest(void) \
63669 + static inline __used initcall_t __inittest(void) \
63670 { return initfn; } \
63671 int init_module(void) __attribute__((alias(#initfn)));
63672
63673 /* This is only required if you want to be unloadable. */
63674 #define module_exit(exitfn) \
63675 - static inline exitcall_t __exittest(void) \
63676 + static inline __used exitcall_t __exittest(void) \
63677 { return exitfn; } \
63678 void cleanup_module(void) __attribute__((alias(#exitfn)));
63679
63680 diff -urNp linux-2.6.39.2/include/linux/init_task.h linux-2.6.39.2/include/linux/init_task.h
63681 --- linux-2.6.39.2/include/linux/init_task.h 2011-05-19 00:06:34.000000000 -0400
63682 +++ linux-2.6.39.2/include/linux/init_task.h 2011-05-22 19:36:33.000000000 -0400
63683 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
63684 #define INIT_IDS
63685 #endif
63686
63687 +#ifdef CONFIG_X86
63688 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63689 +#else
63690 +#define INIT_TASK_THREAD_INFO
63691 +#endif
63692 +
63693 /*
63694 * Because of the reduced scope of CAP_SETPCAP when filesystem
63695 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
63696 @@ -163,6 +169,7 @@ extern struct cred init_cred;
63697 RCU_INIT_POINTER(.cred, &init_cred), \
63698 .comm = "swapper", \
63699 .thread = INIT_THREAD, \
63700 + INIT_TASK_THREAD_INFO \
63701 .fs = &init_fs, \
63702 .files = &init_files, \
63703 .signal = &init_signals, \
63704 diff -urNp linux-2.6.39.2/include/linux/interrupt.h linux-2.6.39.2/include/linux/interrupt.h
63705 --- linux-2.6.39.2/include/linux/interrupt.h 2011-05-19 00:06:34.000000000 -0400
63706 +++ linux-2.6.39.2/include/linux/interrupt.h 2011-05-22 19:36:33.000000000 -0400
63707 @@ -422,7 +422,7 @@ enum
63708 /* map softirq index to softirq name. update 'softirq_to_name' in
63709 * kernel/softirq.c when adding a new softirq.
63710 */
63711 -extern char *softirq_to_name[NR_SOFTIRQS];
63712 +extern const char * const softirq_to_name[NR_SOFTIRQS];
63713
63714 /* softirq mask and active fields moved to irq_cpustat_t in
63715 * asm/hardirq.h to get better cache usage. KAO
63716 @@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63717
63718 struct softirq_action
63719 {
63720 - void (*action)(struct softirq_action *);
63721 + void (*action)(void);
63722 };
63723
63724 asmlinkage void do_softirq(void);
63725 asmlinkage void __do_softirq(void);
63726 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63727 +extern void open_softirq(int nr, void (*action)(void));
63728 extern void softirq_init(void);
63729 static inline void __raise_softirq_irqoff(unsigned int nr)
63730 {
63731 diff -urNp linux-2.6.39.2/include/linux/iommu.h linux-2.6.39.2/include/linux/iommu.h
63732 --- linux-2.6.39.2/include/linux/iommu.h 2011-05-19 00:06:34.000000000 -0400
63733 +++ linux-2.6.39.2/include/linux/iommu.h 2011-05-22 19:36:33.000000000 -0400
63734 @@ -49,7 +49,7 @@ struct iommu_ops {
63735
63736 #ifdef CONFIG_IOMMU_API
63737
63738 -extern void register_iommu(struct iommu_ops *ops);
63739 +extern void register_iommu(const struct iommu_ops *ops);
63740 extern bool iommu_found(void);
63741 extern struct iommu_domain *iommu_domain_alloc(void);
63742 extern void iommu_domain_free(struct iommu_domain *domain);
63743 diff -urNp linux-2.6.39.2/include/linux/ipmi.h linux-2.6.39.2/include/linux/ipmi.h
63744 --- linux-2.6.39.2/include/linux/ipmi.h 2011-05-19 00:06:34.000000000 -0400
63745 +++ linux-2.6.39.2/include/linux/ipmi.h 2011-05-22 19:36:33.000000000 -0400
63746 @@ -282,7 +282,7 @@ struct ipmi_user_hndl {
63747
63748 /* Create a new user of the IPMI layer on the given interface number. */
63749 int ipmi_create_user(unsigned int if_num,
63750 - struct ipmi_user_hndl *handler,
63751 + const struct ipmi_user_hndl *handler,
63752 void *handler_data,
63753 ipmi_user_t *user);
63754
63755 diff -urNp linux-2.6.39.2/include/linux/kallsyms.h linux-2.6.39.2/include/linux/kallsyms.h
63756 --- linux-2.6.39.2/include/linux/kallsyms.h 2011-05-19 00:06:34.000000000 -0400
63757 +++ linux-2.6.39.2/include/linux/kallsyms.h 2011-05-22 22:52:54.000000000 -0400
63758 @@ -15,7 +15,8 @@
63759
63760 struct module;
63761
63762 -#ifdef CONFIG_KALLSYMS
63763 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63764 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63765 /* Lookup the address for a symbol. Returns 0 if not found. */
63766 unsigned long kallsyms_lookup_name(const char *name);
63767
63768 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
63769 /* Stupid that this does nothing, but I didn't create this mess. */
63770 #define __print_symbol(fmt, addr)
63771 #endif /*CONFIG_KALLSYMS*/
63772 +#else /* when included by kallsyms.c, vsnprintf.c, or
63773 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63774 +extern void __print_symbol(const char *fmt, unsigned long address);
63775 +extern int sprint_backtrace(char *buffer, unsigned long address);
63776 +extern int sprint_symbol(char *buffer, unsigned long address);
63777 +const char *kallsyms_lookup(unsigned long addr,
63778 + unsigned long *symbolsize,
63779 + unsigned long *offset,
63780 + char **modname, char *namebuf);
63781 +#endif
63782
63783 /* This macro allows us to keep printk typechecking */
63784 static void __check_printsym_format(const char *fmt, ...)
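Review bot: The `#endif /*CONFIG_KALLSYMS*/` kept as context is now mislabelled. After the first kallsyms.h hunk it closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, and the new `#else`/`#endif` pair belongs to the outer `__INCLUDED_BY_HIDESYM` test. The nesting decides which files get real symbol resolution: under HIDESYM, a file built without `__INCLUDED_BY_HIDESYM` appears to fall through to the stub branch, which lies between the two hunks and is not visible here. I would relabel the two closers as `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`.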
63785 diff -urNp linux-2.6.39.2/include/linux/kgdb.h linux-2.6.39.2/include/linux/kgdb.h
63786 --- linux-2.6.39.2/include/linux/kgdb.h 2011-05-19 00:06:34.000000000 -0400
63787 +++ linux-2.6.39.2/include/linux/kgdb.h 2011-05-22 19:36:33.000000000 -0400
63788 @@ -53,7 +53,7 @@ extern int kgdb_connected;
63789 extern int kgdb_io_module_registered;
63790
63791 extern atomic_t kgdb_setting_breakpoint;
63792 -extern atomic_t kgdb_cpu_doing_single_step;
63793 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63794
63795 extern struct task_struct *kgdb_usethread;
63796 extern struct task_struct *kgdb_contthread;
63797 @@ -269,22 +269,22 @@ struct kgdb_arch {
63798 */
63799 struct kgdb_io {
63800 const char *name;
63801 - int (*read_char) (void);
63802 - void (*write_char) (u8);
63803 - void (*flush) (void);
63804 - int (*init) (void);
63805 - void (*pre_exception) (void);
63806 - void (*post_exception) (void);
63807 + int (* const read_char) (void);
63808 + void (* const write_char) (u8);
63809 + void (* const flush) (void);
63810 + int (* const init) (void);
63811 + void (* const pre_exception) (void);
63812 + void (* const post_exception) (void);
63813 int is_console;
63814 };
63815
63816 -extern struct kgdb_arch arch_kgdb_ops;
63817 +extern const struct kgdb_arch arch_kgdb_ops;
63818
63819 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
63820
63821 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
63822 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
63823 -extern struct kgdb_io *dbg_io_ops;
63824 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
63825 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
63826 +extern const struct kgdb_io *dbg_io_ops;
63827
63828 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
63829 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
63830 diff -urNp linux-2.6.39.2/include/linux/kmod.h linux-2.6.39.2/include/linux/kmod.h
63831 --- linux-2.6.39.2/include/linux/kmod.h 2011-05-19 00:06:34.000000000 -0400
63832 +++ linux-2.6.39.2/include/linux/kmod.h 2011-05-22 19:41:42.000000000 -0400
63833 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
63834 * usually useless though. */
63835 extern int __request_module(bool wait, const char *name, ...) \
63836 __attribute__((format(printf, 2, 3)));
63837 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
63838 + __attribute__((format(printf, 3, 4)));
63839 #define request_module(mod...) __request_module(true, mod)
63840 #define request_module_nowait(mod...) __request_module(false, mod)
63841 #define try_then_request_module(x, mod...) \
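Review bot: `___request_module` differs from the existing `__request_module` by a single underscore and has no comment saying what `param_name` is for, so the two are easy to confuse at call sites. `param_name` is also `char *` where `name` is `const char *`; if the definition (outside this hunk) does not write through it, the prototype should read `extern int ___request_module(bool wait, const char *param_name, const char *name, ...)`. A one-line comment above the declaration describing the extra argument would help, and the shifted `format(printf, 3, 4)` indices are correct for the added parameter.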
63842 diff -urNp linux-2.6.39.2/include/linux/kvm_host.h linux-2.6.39.2/include/linux/kvm_host.h
63843 --- linux-2.6.39.2/include/linux/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
63844 +++ linux-2.6.39.2/include/linux/kvm_host.h 2011-05-22 19:36:33.000000000 -0400
63845 @@ -302,7 +302,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
63846 void vcpu_load(struct kvm_vcpu *vcpu);
63847 void vcpu_put(struct kvm_vcpu *vcpu);
63848
63849 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
63850 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
63851 struct module *module);
63852 void kvm_exit(void);
63853
63854 @@ -442,7 +442,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
63855 struct kvm_guest_debug *dbg);
63856 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
63857
63858 -int kvm_arch_init(void *opaque);
63859 +int kvm_arch_init(const void *opaque);
63860 void kvm_arch_exit(void);
63861
63862 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
63863 diff -urNp linux-2.6.39.2/include/linux/lapb.h linux-2.6.39.2/include/linux/lapb.h
63864 --- linux-2.6.39.2/include/linux/lapb.h 2011-05-19 00:06:34.000000000 -0400
63865 +++ linux-2.6.39.2/include/linux/lapb.h 2011-05-22 19:36:33.000000000 -0400
63866 @@ -44,7 +44,7 @@ struct lapb_parms_struct {
63867 unsigned int mode;
63868 };
63869
63870 -extern int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks);
63871 +extern int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks);
63872 extern int lapb_unregister(struct net_device *dev);
63873 extern int lapb_getparms(struct net_device *dev, struct lapb_parms_struct *parms);
63874 extern int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms);
63875 diff -urNp linux-2.6.39.2/include/linux/lcd.h linux-2.6.39.2/include/linux/lcd.h
63876 --- linux-2.6.39.2/include/linux/lcd.h 2011-05-19 00:06:34.000000000 -0400
63877 +++ linux-2.6.39.2/include/linux/lcd.h 2011-05-22 19:36:33.000000000 -0400
63878 @@ -60,7 +60,7 @@ struct lcd_device {
63879 points to something in the body of that driver, it is also invalid. */
63880 struct mutex ops_lock;
63881 /* If this is NULL, the backing module is unloaded */
63882 - struct lcd_ops *ops;
63883 + const struct lcd_ops *ops;
63884 /* Serialise access to set_power method */
63885 struct mutex update_lock;
63886 /* The framebuffer notifier block */
63887 @@ -101,7 +101,7 @@ static inline void lcd_set_power(struct
63888 }
63889
63890 extern struct lcd_device *lcd_device_register(const char *name,
63891 - struct device *parent, void *devdata, struct lcd_ops *ops);
63892 + struct device *parent, void *devdata, const struct lcd_ops *ops);
63893 extern void lcd_device_unregister(struct lcd_device *ld);
63894
63895 #define to_lcd_device(obj) container_of(obj, struct lcd_device, dev)
63896 diff -urNp linux-2.6.39.2/include/linux/libata.h linux-2.6.39.2/include/linux/libata.h
63897 --- linux-2.6.39.2/include/linux/libata.h 2011-05-19 00:06:34.000000000 -0400
63898 +++ linux-2.6.39.2/include/linux/libata.h 2011-05-22 19:36:33.000000000 -0400
63899 @@ -524,11 +524,11 @@ struct ata_ioports {
63900
63901 struct ata_host {
63902 spinlock_t lock;
63903 - struct device *dev;
63904 + struct device *dev;
63905 void __iomem * const *iomap;
63906 unsigned int n_ports;
63907 void *private_data;
63908 - struct ata_port_operations *ops;
63909 + const struct ata_port_operations *ops;
63910 unsigned long flags;
63911
63912 struct mutex eh_mutex;
63913 @@ -719,7 +719,7 @@ struct ata_link {
63914
63915 struct ata_port {
63916 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
63917 - struct ata_port_operations *ops;
63918 + const struct ata_port_operations *ops;
63919 spinlock_t *lock;
63920 /* Flags owned by the EH context. Only EH should touch these once the
63921 port is active */
63922 @@ -907,7 +907,7 @@ struct ata_port_info {
63923 unsigned long pio_mask;
63924 unsigned long mwdma_mask;
63925 unsigned long udma_mask;
63926 - struct ata_port_operations *port_ops;
63927 + const struct ata_port_operations *port_ops;
63928 void *private_data;
63929 };
63930
63931 @@ -931,7 +931,7 @@ extern const unsigned long sata_deb_timi
63932 extern const unsigned long sata_deb_timing_hotplug[];
63933 extern const unsigned long sata_deb_timing_long[];
63934
63935 -extern struct ata_port_operations ata_dummy_port_ops;
63936 +extern const struct ata_port_operations ata_dummy_port_ops;
63937 extern const struct ata_port_info ata_dummy_port_info;
63938
63939 static inline const unsigned long *
63940 @@ -977,7 +977,7 @@ extern int ata_host_activate(struct ata_
63941 struct scsi_host_template *sht);
63942 extern void ata_host_detach(struct ata_host *host);
63943 extern void ata_host_init(struct ata_host *, struct device *,
63944 - unsigned long, struct ata_port_operations *);
63945 + unsigned long, const struct ata_port_operations *);
63946 extern int ata_scsi_detect(struct scsi_host_template *sht);
63947 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
63948 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
63949 diff -urNp linux-2.6.39.2/include/linux/lockd/bind.h linux-2.6.39.2/include/linux/lockd/bind.h
63950 --- linux-2.6.39.2/include/linux/lockd/bind.h 2011-05-19 00:06:34.000000000 -0400
63951 +++ linux-2.6.39.2/include/linux/lockd/bind.h 2011-05-22 19:36:33.000000000 -0400
63952 @@ -23,13 +23,13 @@ struct svc_rqst;
63953 * This is the set of functions for lockd->nfsd communication
63954 */
63955 struct nlmsvc_binding {
63956 - __be32 (*fopen)(struct svc_rqst *,
63957 + __be32 (* const fopen)(struct svc_rqst *,
63958 struct nfs_fh *,
63959 struct file **);
63960 - void (*fclose)(struct file *);
63961 + void (* const fclose)(struct file *);
63962 };
63963
63964 -extern struct nlmsvc_binding * nlmsvc_ops;
63965 +extern const struct nlmsvc_binding * nlmsvc_ops;
63966
63967 /*
63968 * Similar to nfs_client_initdata, but without the NFS-specific
63969 diff -urNp linux-2.6.39.2/include/linux/mfd/abx500.h linux-2.6.39.2/include/linux/mfd/abx500.h
63970 --- linux-2.6.39.2/include/linux/mfd/abx500.h 2011-05-19 00:06:34.000000000 -0400
63971 +++ linux-2.6.39.2/include/linux/mfd/abx500.h 2011-05-22 19:36:33.000000000 -0400
63972 @@ -227,6 +227,6 @@ struct abx500_ops {
63973 int (*startup_irq_enabled) (struct device *, unsigned int);
63974 };
63975
63976 -int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
63977 +int abx500_register_ops(struct device *core_dev, const struct abx500_ops *ops);
63978 void abx500_remove_ops(struct device *dev);
63979 #endif
63980 diff -urNp linux-2.6.39.2/include/linux/mm.h linux-2.6.39.2/include/linux/mm.h
63981 --- linux-2.6.39.2/include/linux/mm.h 2011-05-19 00:06:34.000000000 -0400
63982 +++ linux-2.6.39.2/include/linux/mm.h 2011-05-22 19:36:33.000000000 -0400
63983 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
63984
63985 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
63986 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
63987 +
63988 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63989 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
63990 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
63991 +#else
63992 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
63993 +#endif
63994 +
63995 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
63996 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
63997
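Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32`, `VM_SAO` becomes `0x00000000` but keeps the comment "Strong Access Ordering (powerpc)", which hides that the flag is compiled out so `VM_PAGEEXEC` can take bit `0x20000000`. Any `vm_flags & VM_SAO` test becomes constant false in that configuration, and nothing here marks the bit as taken for whoever adds the next VM flag. I would change the comment on the zero definition to `/* compiled out: bit 0x20000000 is reused by VM_PAGEEXEC on x86-32 */`.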
63998 @@ -1010,34 +1017,6 @@ int set_page_dirty(struct page *page);
63999 int set_page_dirty_lock(struct page *page);
64000 int clear_page_dirty_for_io(struct page *page);
64001
64002 -/* Is the vma a continuation of the stack vma above it? */
64003 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
64004 -{
64005 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
64006 -}
64007 -
64008 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
64009 - unsigned long addr)
64010 -{
64011 - return (vma->vm_flags & VM_GROWSDOWN) &&
64012 - (vma->vm_start == addr) &&
64013 - !vma_growsdown(vma->vm_prev, addr);
64014 -}
64015 -
64016 -/* Is the vma a continuation of the stack vma below it? */
64017 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
64018 -{
64019 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
64020 -}
64021 -
64022 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
64023 - unsigned long addr)
64024 -{
64025 - return (vma->vm_flags & VM_GROWSUP) &&
64026 - (vma->vm_end == addr) &&
64027 - !vma_growsup(vma->vm_next, addr);
64028 -}
64029 -
64030 extern unsigned long move_page_tables(struct vm_area_struct *vma,
64031 unsigned long old_addr, struct vm_area_struct *new_vma,
64032 unsigned long new_addr, unsigned long len);
64033 @@ -1189,6 +1168,15 @@ struct shrinker {
64034 extern void register_shrinker(struct shrinker *);
64035 extern void unregister_shrinker(struct shrinker *);
64036
64037 +#ifdef CONFIG_MMU
64038 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
64039 +#else
64040 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64041 +{
64042 + return __pgprot(0);
64043 +}
64044 +#endif
64045 +
64046 int vma_wants_writenotify(struct vm_area_struct *vma);
64047
64048 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
64049 @@ -1476,6 +1464,7 @@ out:
64050 }
64051
64052 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
64053 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
64054
64055 extern unsigned long do_brk(unsigned long, unsigned long);
64056
64057 @@ -1532,6 +1521,10 @@ extern struct vm_area_struct * find_vma(
64058 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
64059 struct vm_area_struct **pprev);
64060
64061 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
64062 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
64063 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
64064 +
64065 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
64066 NULL if none. Assume start_addr < end_addr. */
64067 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
64068 @@ -1548,15 +1541,6 @@ static inline unsigned long vma_pages(st
64069 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
64070 }
64071
64072 -#ifdef CONFIG_MMU
64073 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
64074 -#else
64075 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64076 -{
64077 - return __pgprot(0);
64078 -}
64079 -#endif
64080 -
64081 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
64082 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
64083 unsigned long pfn, unsigned long size, pgprot_t);
64084 @@ -1668,7 +1652,7 @@ extern int unpoison_memory(unsigned long
64085 extern int sysctl_memory_failure_early_kill;
64086 extern int sysctl_memory_failure_recovery;
64087 extern void shake_page(struct page *p, int access);
64088 -extern atomic_long_t mce_bad_pages;
64089 +extern atomic_long_unchecked_t mce_bad_pages;
64090 extern int soft_offline_page(struct page *page, int flags);
64091
64092 extern void dump_page(struct page *page);
64093 @@ -1682,5 +1666,11 @@ extern void copy_user_huge_page(struct p
64094 unsigned int pages_per_huge_page);
64095 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
64096
64097 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64098 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
64099 +#else
64100 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
64101 +#endif
64102 +
64103 #endif /* __KERNEL__ */
64104 #endif /* _LINUX_MM_H */
64105 diff -urNp linux-2.6.39.2/include/linux/mm_types.h linux-2.6.39.2/include/linux/mm_types.h
64106 --- linux-2.6.39.2/include/linux/mm_types.h 2011-05-19 00:06:34.000000000 -0400
64107 +++ linux-2.6.39.2/include/linux/mm_types.h 2011-05-22 19:36:33.000000000 -0400
64108 @@ -183,6 +183,8 @@ struct vm_area_struct {
64109 #ifdef CONFIG_NUMA
64110 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
64111 #endif
64112 +
64113 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
64114 };
64115
64116 struct core_thread {
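Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, while the PaX fields added to `struct mm_struct` in the next hunk are each wrapped in a `CONFIG_PAX_*` guard. Every VMA therefore grows by one pointer even in configurations that never set up a mirror. If the field is used by only one PaX feature (the hunk does not show this), guarding it the same way would keep the two structures consistent. If it is unguarded on purpose, a short comment saying so, and where the field is initialised to NULL, would help.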
64117 @@ -317,6 +319,24 @@ struct mm_struct {
64118 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
64119 pgtable_t pmd_huge_pte; /* protected by page_table_lock */
64120 #endif
64121 +
64122 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64123 + unsigned long pax_flags;
64124 +#endif
64125 +
64126 +#ifdef CONFIG_PAX_DLRESOLVE
64127 + unsigned long call_dl_resolve;
64128 +#endif
64129 +
64130 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
64131 + unsigned long call_syscall;
64132 +#endif
64133 +
64134 +#ifdef CONFIG_PAX_ASLR
64135 + unsigned long delta_mmap; /* randomized offset */
64136 + unsigned long delta_stack; /* randomized offset */
64137 +#endif
64138 +
64139 };
64140
64141 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
64142 diff -urNp linux-2.6.39.2/include/linux/mmu_notifier.h linux-2.6.39.2/include/linux/mmu_notifier.h
64143 --- linux-2.6.39.2/include/linux/mmu_notifier.h 2011-05-19 00:06:34.000000000 -0400
64144 +++ linux-2.6.39.2/include/linux/mmu_notifier.h 2011-05-22 19:36:33.000000000 -0400
64145 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
64146 */
64147 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
64148 ({ \
64149 - pte_t __pte; \
64150 + pte_t ___pte; \
64151 struct vm_area_struct *___vma = __vma; \
64152 unsigned long ___address = __address; \
64153 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
64154 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
64155 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
64156 - __pte; \
64157 + ___pte; \
64158 })
64159
64160 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
64161 diff -urNp linux-2.6.39.2/include/linux/mmzone.h linux-2.6.39.2/include/linux/mmzone.h
64162 --- linux-2.6.39.2/include/linux/mmzone.h 2011-05-19 00:06:34.000000000 -0400
64163 +++ linux-2.6.39.2/include/linux/mmzone.h 2011-05-22 19:36:33.000000000 -0400
64164 @@ -355,7 +355,7 @@ struct zone {
64165 unsigned long flags; /* zone flags, see below */
64166
64167 /* Zone statistics */
64168 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64169 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64170
64171 /*
64172 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
64173 diff -urNp linux-2.6.39.2/include/linux/mod_devicetable.h linux-2.6.39.2/include/linux/mod_devicetable.h
64174 --- linux-2.6.39.2/include/linux/mod_devicetable.h 2011-05-19 00:06:34.000000000 -0400
64175 +++ linux-2.6.39.2/include/linux/mod_devicetable.h 2011-05-22 19:36:33.000000000 -0400
64176 @@ -12,7 +12,7 @@
64177 typedef unsigned long kernel_ulong_t;
64178 #endif
64179
64180 -#define PCI_ANY_ID (~0)
64181 +#define PCI_ANY_ID ((__u16)~0)
64182
64183 struct pci_device_id {
64184 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
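Review bot: `PCI_ANY_ID` changes value for the `__u32` fields it is stored in. The context line shows `__u32 vendor, device`, so the old `(~0)` converted to 0xFFFFFFFF, while `((__u16)~0)` promotes to 65535 and is stored as 0x0000FFFF. Tables and comparisons that use the macro stay consistent, but anything that hard-codes the 32-bit all-ones wildcard (modules built against the old header, or tools writing ids as `ffffffff`) would, as far as this hunk shows, no longer match as a wildcard. A comment on the define stating the intended width, e.g. `/* 16-bit all-ones sentinel */`, would make the intent reviewable.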
64185 @@ -131,7 +131,7 @@ struct usb_device_id {
64186 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
64187 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
64188
64189 -#define HID_ANY_ID (~0)
64190 +#define HID_ANY_ID (~0U)
64191
64192 struct hid_device_id {
64193 __u16 bus;
64194 diff -urNp linux-2.6.39.2/include/linux/module.h linux-2.6.39.2/include/linux/module.h
64195 --- linux-2.6.39.2/include/linux/module.h 2011-05-19 00:06:34.000000000 -0400
64196 +++ linux-2.6.39.2/include/linux/module.h 2011-05-22 19:36:33.000000000 -0400
64197 @@ -324,19 +324,16 @@ struct module
64198 int (*init)(void);
64199
64200 /* If this is non-NULL, vfree after init() returns */
64201 - void *module_init;
64202 + void *module_init_rx, *module_init_rw;
64203
64204 /* Here is the actual code + data, vfree'd on unload. */
64205 - void *module_core;
64206 + void *module_core_rx, *module_core_rw;
64207
64208 /* Here are the sizes of the init and core sections */
64209 - unsigned int init_size, core_size;
64210 + unsigned int init_size_rw, core_size_rw;
64211
64212 /* The size of the executable code in each section. */
64213 - unsigned int init_text_size, core_text_size;
64214 -
64215 - /* Size of RO sections of the module (text+rodata) */
64216 - unsigned int init_ro_size, core_ro_size;
64217 + unsigned int init_size_rx, core_size_rx;
64218
64219 /* Arch-specific module values */
64220 struct mod_arch_specific arch;
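Review bot: The field comments were not updated for the split into `_rx`/`_rw` regions. `/* Here are the sizes of the init and core sections */` now sits above `init_size_rw, core_size_rw` only, and `/* The size of the executable code in each section. */` sits above `init_size_rx, core_size_rx`, which also replace the removed `init_ro_size`/`core_ro_size`. I would reword them, e.g. `/* Sizes of the rw init and core regions */` and `/* Sizes of the rx init and core regions */`. The comment above `module_init_rx, module_init_rw` should also say whether both pointers are freed after init() returns.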
64221 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
64222 bool is_module_percpu_address(unsigned long addr);
64223 bool is_module_text_address(unsigned long addr);
64224
64225 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
64226 +{
64227 +
64228 +#ifdef CONFIG_PAX_KERNEXEC
64229 + if (ktla_ktva(addr) >= (unsigned long)start &&
64230 + ktla_ktva(addr) < (unsigned long)start + size)
64231 + return 1;
64232 +#endif
64233 +
64234 + return ((void *)addr >= start && (void *)addr < start + size);
64235 +}
64236 +
64237 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
64238 +{
64239 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
64240 +}
64241 +
64242 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
64243 +{
64244 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
64245 +}
64246 +
64247 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64248 +{
64249 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64250 +}
64251 +
64252 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64253 +{
64254 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64255 +}
64256 +
64257 static inline int within_module_core(unsigned long addr, struct module *mod)
64258 {
64259 - return (unsigned long)mod->module_core <= addr &&
64260 - addr < (unsigned long)mod->module_core + mod->core_size;
64261 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64262 }
64263
64264 static inline int within_module_init(unsigned long addr, struct module *mod)
64265 {
64266 - return (unsigned long)mod->module_init <= addr &&
64267 - addr < (unsigned long)mod->module_init + mod->init_size;
64268 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64269 }
64270
64271 /* Search for module by name: must hold module_mutex. */
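Review bot: `within_module_range()` compares in two different ways: the `CONFIG_PAX_KERNEXEC` branch casts `start` to `unsigned long`, while the final return compares `(void *)addr` against `start + size`, which relies on GNU `void *` arithmetic. A single form, `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`, reads more easily and matches the removed `within_module_core()` code. The blank line after the opening brace can go as well. A one-line comment that the KERNEXEC branch also accepts the `ktla_ktva()` translation of `addr` would explain why there are two checks.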
64272 diff -urNp linux-2.6.39.2/include/linux/moduleloader.h linux-2.6.39.2/include/linux/moduleloader.h
64273 --- linux-2.6.39.2/include/linux/moduleloader.h 2011-05-19 00:06:34.000000000 -0400
64274 +++ linux-2.6.39.2/include/linux/moduleloader.h 2011-05-22 19:36:33.000000000 -0400
64275 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64276 sections. Returns NULL on failure. */
64277 void *module_alloc(unsigned long size);
64278
64279 +#ifdef CONFIG_PAX_KERNEXEC
64280 +void *module_alloc_exec(unsigned long size);
64281 +#else
64282 +#define module_alloc_exec(x) module_alloc(x)
64283 +#endif
64284 +
64285 /* Free memory returned from module_alloc. */
64286 void module_free(struct module *mod, void *module_region);
64287
64288 +#ifdef CONFIG_PAX_KERNEXEC
64289 +void module_free_exec(struct module *mod, void *module_region);
64290 +#else
64291 +#define module_free_exec(x, y) module_free((x), (y))
64292 +#endif
64293 +
64294 /* Apply the given relocation to the (simplified) ELF. Return -error
64295 or 0. */
64296 int apply_relocate(Elf_Shdr *sechdrs,
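Review bot: The new `module_alloc_exec()`/`module_free_exec()` pair has no comment, and the existing `/* Free memory returned from module_alloc. */` does not say which free function pairs with which allocator. I would add `/* Allocate memory for executable module sections; free with module_free_exec(). */` above the first `#ifdef` and `/* Free memory returned from module_alloc_exec. */` above the second. The fallback macros are also written in two styles, `module_alloc(x)` versus `module_free((x), (y))`; either is fine, but they should match.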
64297 diff -urNp linux-2.6.39.2/include/linux/moduleparam.h linux-2.6.39.2/include/linux/moduleparam.h
64298 --- linux-2.6.39.2/include/linux/moduleparam.h 2011-05-19 00:06:34.000000000 -0400
64299 +++ linux-2.6.39.2/include/linux/moduleparam.h 2011-05-22 19:36:33.000000000 -0400
64300 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
64301 * @len is usually just sizeof(string).
64302 */
64303 #define module_param_string(name, string, len, perm) \
64304 - static const struct kparam_string __param_string_##name \
64305 + static const struct kparam_string __param_string_##name __used \
64306 = { len, string }; \
64307 __module_param_call(MODULE_PARAM_PREFIX, name, \
64308 &param_ops_string, \
64309 @@ -285,48 +285,48 @@ static inline void destroy_params(const
64310 #define __param_check(name, p, type) \
64311 static inline type *__check_##name(void) { return(p); }
64312
64313 -extern struct kernel_param_ops param_ops_byte;
64314 +extern const struct kernel_param_ops param_ops_byte;
64315 extern int param_set_byte(const char *val, const struct kernel_param *kp);
64316 extern int param_get_byte(char *buffer, const struct kernel_param *kp);
64317 #define param_check_byte(name, p) __param_check(name, p, unsigned char)
64318
64319 -extern struct kernel_param_ops param_ops_short;
64320 +extern const struct kernel_param_ops param_ops_short;
64321 extern int param_set_short(const char *val, const struct kernel_param *kp);
64322 extern int param_get_short(char *buffer, const struct kernel_param *kp);
64323 #define param_check_short(name, p) __param_check(name, p, short)
64324
64325 -extern struct kernel_param_ops param_ops_ushort;
64326 +extern const struct kernel_param_ops param_ops_ushort;
64327 extern int param_set_ushort(const char *val, const struct kernel_param *kp);
64328 extern int param_get_ushort(char *buffer, const struct kernel_param *kp);
64329 #define param_check_ushort(name, p) __param_check(name, p, unsigned short)
64330
64331 -extern struct kernel_param_ops param_ops_int;
64332 +extern const struct kernel_param_ops param_ops_int;
64333 extern int param_set_int(const char *val, const struct kernel_param *kp);
64334 extern int param_get_int(char *buffer, const struct kernel_param *kp);
64335 #define param_check_int(name, p) __param_check(name, p, int)
64336
64337 -extern struct kernel_param_ops param_ops_uint;
64338 +extern const struct kernel_param_ops param_ops_uint;
64339 extern int param_set_uint(const char *val, const struct kernel_param *kp);
64340 extern int param_get_uint(char *buffer, const struct kernel_param *kp);
64341 #define param_check_uint(name, p) __param_check(name, p, unsigned int)
64342
64343 -extern struct kernel_param_ops param_ops_long;
64344 +extern const struct kernel_param_ops param_ops_long;
64345 extern int param_set_long(const char *val, const struct kernel_param *kp);
64346 extern int param_get_long(char *buffer, const struct kernel_param *kp);
64347 #define param_check_long(name, p) __param_check(name, p, long)
64348
64349 -extern struct kernel_param_ops param_ops_ulong;
64350 +extern const struct kernel_param_ops param_ops_ulong;
64351 extern int param_set_ulong(const char *val, const struct kernel_param *kp);
64352 extern int param_get_ulong(char *buffer, const struct kernel_param *kp);
64353 #define param_check_ulong(name, p) __param_check(name, p, unsigned long)
64354
64355 -extern struct kernel_param_ops param_ops_charp;
64356 +extern const struct kernel_param_ops param_ops_charp;
64357 extern int param_set_charp(const char *val, const struct kernel_param *kp);
64358 extern int param_get_charp(char *buffer, const struct kernel_param *kp);
64359 #define param_check_charp(name, p) __param_check(name, p, char *)
64360
64361 /* For historical reasons "bool" parameters can be (unsigned) "int". */
64362 -extern struct kernel_param_ops param_ops_bool;
64363 +extern const struct kernel_param_ops param_ops_bool;
64364 extern int param_set_bool(const char *val, const struct kernel_param *kp);
64365 extern int param_get_bool(char *buffer, const struct kernel_param *kp);
64366 #define param_check_bool(name, p) \
64367 @@ -337,7 +337,7 @@ extern int param_get_bool(char *buffer,
64368 !__same_type((p), int *)); \
64369 }
64370
64371 -extern struct kernel_param_ops param_ops_invbool;
64372 +extern const struct kernel_param_ops param_ops_invbool;
64373 extern int param_set_invbool(const char *val, const struct kernel_param *kp);
64374 extern int param_get_invbool(char *buffer, const struct kernel_param *kp);
64375 #define param_check_invbool(name, p) __param_check(name, p, bool)
64376 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
64377 * module_param_named() for why this might be necessary.
64378 */
64379 #define module_param_array_named(name, array, type, nump, perm) \
64380 - static const struct kparam_array __param_arr_##name \
64381 + static const struct kparam_array __param_arr_##name __used \
64382 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
64383 sizeof(array[0]), array }; \
64384 __module_param_call(MODULE_PARAM_PREFIX, name, \
64385 @@ -379,9 +379,9 @@ extern int param_get_invbool(char *buffe
64386 __same_type(array[0], bool), perm); \
64387 __MODULE_PARM_TYPE(name, "array of " #type)
64388
64389 -extern struct kernel_param_ops param_array_ops;
64390 +extern const struct kernel_param_ops param_array_ops;
64391
64392 -extern struct kernel_param_ops param_ops_string;
64393 +extern const struct kernel_param_ops param_ops_string;
64394 extern int param_set_copystring(const char *val, const struct kernel_param *);
64395 extern int param_get_string(char *buffer, const struct kernel_param *kp);
64396
64397 diff -urNp linux-2.6.39.2/include/linux/mutex.h linux-2.6.39.2/include/linux/mutex.h
64398 --- linux-2.6.39.2/include/linux/mutex.h 2011-05-19 00:06:34.000000000 -0400
64399 +++ linux-2.6.39.2/include/linux/mutex.h 2011-05-22 19:36:33.000000000 -0400
64400 @@ -51,7 +51,7 @@ struct mutex {
64401 spinlock_t wait_lock;
64402 struct list_head wait_list;
64403 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64404 - struct thread_info *owner;
64405 + struct task_struct *owner;
64406 #endif
64407 #ifdef CONFIG_DEBUG_MUTEXES
64408 const char *name;
64409 diff -urNp linux-2.6.39.2/include/linux/namei.h linux-2.6.39.2/include/linux/namei.h
64410 --- linux-2.6.39.2/include/linux/namei.h 2011-05-19 00:06:34.000000000 -0400
64411 +++ linux-2.6.39.2/include/linux/namei.h 2011-05-22 19:36:33.000000000 -0400
64412 @@ -24,7 +24,7 @@ struct nameidata {
64413 unsigned seq;
64414 int last_type;
64415 unsigned depth;
64416 - char *saved_names[MAX_NESTED_LINKS + 1];
64417 + const char *saved_names[MAX_NESTED_LINKS + 1];
64418
64419 /* Intent data */
64420 union {
64421 @@ -91,12 +91,12 @@ extern int follow_up(struct path *);
64422 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64423 extern void unlock_rename(struct dentry *, struct dentry *);
64424
64425 -static inline void nd_set_link(struct nameidata *nd, char *path)
64426 +static inline void nd_set_link(struct nameidata *nd, const char *path)
64427 {
64428 nd->saved_names[nd->depth] = path;
64429 }
64430
64431 -static inline char *nd_get_link(struct nameidata *nd)
64432 +static inline const char *nd_get_link(const struct nameidata *nd)
64433 {
64434 return nd->saved_names[nd->depth];
64435 }
64436 diff -urNp linux-2.6.39.2/include/linux/netfilter/xt_gradm.h linux-2.6.39.2/include/linux/netfilter/xt_gradm.h
64437 --- linux-2.6.39.2/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64438 +++ linux-2.6.39.2/include/linux/netfilter/xt_gradm.h 2011-05-22 19:41:42.000000000 -0400
64439 @@ -0,0 +1,9 @@
64440 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
64441 +#define _LINUX_NETFILTER_XT_GRADM_H 1
64442 +
64443 +struct xt_gradm_mtinfo {
64444 + __u16 flags;
64445 + __u16 invflags;
64446 +};
64447 +
64448 +#endif
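Review bot: The new header uses `__u16` but includes nothing, so it compiles only when the includer has already pulled in `<linux/types.h>`. Adding `#include <linux/types.h>` right after the guard makes it self-contained. A one-line comment on `flags` and `invflags` naming the defined bits would also help, since the struct is presumably shared with a userspace match extension.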
64449 diff -urNp linux-2.6.39.2/include/linux/oprofile.h linux-2.6.39.2/include/linux/oprofile.h
64450 --- linux-2.6.39.2/include/linux/oprofile.h 2011-05-19 00:06:34.000000000 -0400
64451 +++ linux-2.6.39.2/include/linux/oprofile.h 2011-05-22 19:36:33.000000000 -0400
64452 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
64453 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64454 char const * name, ulong * val);
64455
64456 -/** Create a file for read-only access to an atomic_t. */
64457 +/** Create a file for read-only access to an atomic_unchecked_t. */
64458 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64459 - char const * name, atomic_t * val);
64460 + char const * name, atomic_unchecked_t * val);
64461
64462 /** create a directory */
64463 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64464 diff -urNp linux-2.6.39.2/include/linux/padata.h linux-2.6.39.2/include/linux/padata.h
64465 --- linux-2.6.39.2/include/linux/padata.h 2011-05-19 00:06:34.000000000 -0400
64466 +++ linux-2.6.39.2/include/linux/padata.h 2011-05-22 19:36:33.000000000 -0400
64467 @@ -129,7 +129,7 @@ struct parallel_data {
64468 struct padata_instance *pinst;
64469 struct padata_parallel_queue __percpu *pqueue;
64470 struct padata_serial_queue __percpu *squeue;
64471 - atomic_t seq_nr;
64472 + atomic_unchecked_t seq_nr;
64473 atomic_t reorder_objects;
64474 atomic_t refcnt;
64475 unsigned int max_seq_nr;
64476 diff -urNp linux-2.6.39.2/include/linux/pci.h linux-2.6.39.2/include/linux/pci.h
64477 --- linux-2.6.39.2/include/linux/pci.h 2011-05-19 00:06:34.000000000 -0400
64478 +++ linux-2.6.39.2/include/linux/pci.h 2011-05-22 19:36:33.000000000 -0400
64479 @@ -411,7 +411,7 @@ struct pci_bus {
64480 struct resource *resource[PCI_BRIDGE_RESOURCE_NUM];
64481 struct list_head resources; /* address space routed to this bus */
64482
64483 - struct pci_ops *ops; /* configuration access functions */
64484 + const struct pci_ops *ops; /* configuration access functions */
64485 void *sysdata; /* hook for sys-specific extension */
64486 struct proc_dir_entry *procdir; /* directory entry in /proc/bus/pci */
64487
64488 @@ -550,7 +550,7 @@ struct pci_driver {
64489 int (*resume_early) (struct pci_dev *dev);
64490 int (*resume) (struct pci_dev *dev); /* Device woken up */
64491 void (*shutdown) (struct pci_dev *dev);
64492 - struct pci_error_handlers *err_handler;
64493 + const struct pci_error_handlers *err_handler;
64494 struct device_driver driver;
64495 struct pci_dynids dynids;
64496 };
64497 @@ -639,7 +639,7 @@ void pcibios_scan_specific_bus(int busn)
64498 extern struct pci_bus *pci_find_bus(int domain, int busnr);
64499 void pci_bus_add_devices(const struct pci_bus *bus);
64500 struct pci_bus *pci_scan_bus_parented(struct device *parent, int bus,
64501 - struct pci_ops *ops, void *sysdata);
64502 + const struct pci_ops *ops, void *sysdata);
64503 static inline struct pci_bus * __devinit pci_scan_bus(int bus, struct pci_ops *ops,
64504 void *sysdata)
64505 {
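Review bot: `pci_scan_bus_parented()` now takes `const struct pci_ops *ops`, but the inline wrapper `pci_scan_bus()` on the following context line still declares `struct pci_ops *ops` and is not changed by this hunk or the next. A caller holding a const ops table can therefore use the parented variant but not the wrapper without a cast. Changing the wrapper to `pci_scan_bus(int bus, const struct pci_ops *ops,` would complete the constification. Its body lies between this hunk and the next and is not fully visible.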
64506 @@ -650,7 +650,7 @@ static inline struct pci_bus * __devinit
64507 return root_bus;
64508 }
64509 struct pci_bus *pci_create_bus(struct device *parent, int bus,
64510 - struct pci_ops *ops, void *sysdata);
64511 + const struct pci_ops *ops, void *sysdata);
64512 struct pci_bus *pci_add_new_bus(struct pci_bus *parent, struct pci_dev *dev,
64513 int busnr);
64514 void pcie_update_link_speed(struct pci_bus *bus, u16 link_status);
64515 @@ -727,7 +727,7 @@ int pci_bus_write_config_word(struct pci
64516 int where, u16 val);
64517 int pci_bus_write_config_dword(struct pci_bus *bus, unsigned int devfn,
64518 int where, u32 val);
64519 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops);
64520 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops);
64521
64522 static inline int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val)
64523 {
64524 diff -urNp linux-2.6.39.2/include/linux/perf_event.h linux-2.6.39.2/include/linux/perf_event.h
64525 --- linux-2.6.39.2/include/linux/perf_event.h 2011-05-19 00:06:34.000000000 -0400
64526 +++ linux-2.6.39.2/include/linux/perf_event.h 2011-05-22 19:36:33.000000000 -0400
64527 @@ -759,8 +759,8 @@ struct perf_event {
64528
64529 enum perf_event_active_state state;
64530 unsigned int attach_state;
64531 - local64_t count;
64532 - atomic64_t child_count;
64533 + local64_t count; /* PaX: fix it one day */
64534 + atomic64_unchecked_t child_count;
64535
64536 /*
64537 * These are the total time in nanoseconds that the event
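Review bot: The added comment `/* PaX: fix it one day */` on `count` does not say what is to be fixed. Since `child_count` on the next line becomes `atomic64_unchecked_t`, it presumably means that `local64_t` has no unchecked counterpart yet. Stating that, e.g. `/* PaX: statistics counter; switch to an unchecked type once local64_t has one */`, would let a later reader act on it.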
64538 @@ -811,8 +811,8 @@ struct perf_event {
64539 * These accumulate total time (in nanoseconds) that children
64540 * events have been enabled and running, respectively.
64541 */
64542 - atomic64_t child_total_time_enabled;
64543 - atomic64_t child_total_time_running;
64544 + atomic64_unchecked_t child_total_time_enabled;
64545 + atomic64_unchecked_t child_total_time_running;
64546
64547 /*
64548 * Protect attach/detach and child_list:
64549 @@ -1090,9 +1090,9 @@ void perf_event_task_sched_out(struct ta
64550 }
64551
64552 extern void perf_event_mmap(struct vm_area_struct *vma);
64553 -extern struct perf_guest_info_callbacks *perf_guest_cbs;
64554 -extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64555 -extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64556 +extern const struct perf_guest_info_callbacks *perf_guest_cbs;
64557 +extern int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64558 +extern int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64559
64560 extern void perf_event_comm(struct task_struct *tsk);
64561 extern void perf_event_fork(struct task_struct *tsk);
64562 diff -urNp linux-2.6.39.2/include/linux/pipe_fs_i.h linux-2.6.39.2/include/linux/pipe_fs_i.h
64563 --- linux-2.6.39.2/include/linux/pipe_fs_i.h 2011-05-19 00:06:34.000000000 -0400
64564 +++ linux-2.6.39.2/include/linux/pipe_fs_i.h 2011-05-22 19:36:33.000000000 -0400
64565 @@ -46,9 +46,9 @@ struct pipe_buffer {
64566 struct pipe_inode_info {
64567 wait_queue_head_t wait;
64568 unsigned int nrbufs, curbuf, buffers;
64569 - unsigned int readers;
64570 - unsigned int writers;
64571 - unsigned int waiting_writers;
64572 + atomic_t readers;
64573 + atomic_t writers;
64574 + atomic_t waiting_writers;
64575 unsigned int r_counter;
64576 unsigned int w_counter;
64577 struct page *tmp_page;
64578 diff -urNp linux-2.6.39.2/include/linux/pm.h linux-2.6.39.2/include/linux/pm.h
64579 --- linux-2.6.39.2/include/linux/pm.h 2011-05-19 00:06:34.000000000 -0400
64580 +++ linux-2.6.39.2/include/linux/pm.h 2011-05-22 19:36:33.000000000 -0400
64581 @@ -268,7 +268,7 @@ const struct dev_pm_ops name = { \
64582 * runtime PM, make the pm member point to generic_subsys_pm_ops.
64583 */
64584 #ifdef CONFIG_PM
64585 -extern struct dev_pm_ops generic_subsys_pm_ops;
64586 +extern const struct dev_pm_ops generic_subsys_pm_ops;
64587 #define GENERIC_SUBSYS_PM_OPS (&generic_subsys_pm_ops)
64588 #else
64589 #define GENERIC_SUBSYS_PM_OPS NULL
64590 @@ -471,7 +471,7 @@ extern void update_pm_runtime_accounting
64591 * subsystem-level and driver-level callbacks.
64592 */
64593 struct dev_power_domain {
64594 - struct dev_pm_ops ops;
64595 + const struct dev_pm_ops ops;
64596 };
64597
64598 /*
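Review bot: Declaring the by-value member as `const struct dev_pm_ops ops;` means a `struct dev_power_domain` object can no longer be assigned to or have its callbacks filled in after definition. Any code that builds a power domain at run time (for example `pd->ops.runtime_suspend = ...`, not visible here) would stop compiling and would need a static initializer instead. If only statically initialised domains are intended, a comment on the member such as `/* set once in the initializer, never modified */` would record that. Otherwise a `const struct dev_pm_ops *ops` pointer is the usual way to constify an ops table.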
64599 diff -urNp linux-2.6.39.2/include/linux/pm_runtime.h linux-2.6.39.2/include/linux/pm_runtime.h
64600 --- linux-2.6.39.2/include/linux/pm_runtime.h 2011-05-19 00:06:34.000000000 -0400
64601 +++ linux-2.6.39.2/include/linux/pm_runtime.h 2011-05-22 19:36:33.000000000 -0400
64602 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
64603
64604 static inline void pm_runtime_mark_last_busy(struct device *dev)
64605 {
64606 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
64607 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
64608 }
64609
64610 #else /* !CONFIG_PM_RUNTIME */
64611 diff -urNp linux-2.6.39.2/include/linux/poison.h linux-2.6.39.2/include/linux/poison.h
64612 --- linux-2.6.39.2/include/linux/poison.h 2011-05-19 00:06:34.000000000 -0400
64613 +++ linux-2.6.39.2/include/linux/poison.h 2011-05-22 19:36:33.000000000 -0400
64614 @@ -19,8 +19,8 @@
64615 * under normal circumstances, used to verify that nobody uses
64616 * non-initialized list entries.
64617 */
64618 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64619 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64620 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64621 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64622
64623 /********** include/linux/timer.h **********/
64624 /*
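Review bot: On 64-bit builds `(long)0xFFFFFF01` does not yield an address at the top of the address space: the literal has type `unsigned int`, so the cast zero-extends and `LIST_POISON1` becomes 0x00000000FFFFFF01, and likewise for `LIST_POISON2`. The new definitions also drop `POISON_POINTER_DELTA`, so the architecture's illegal-pointer offset no longer applies. Whether a dereference of a poisoned list entry is guaranteed to fault then depends on that low address never being mapped. If an all-ones upper half is intended, `((void *) (long)(int)0xFFFFFF01)` sign-extends on both word sizes. Either way, the comment above the defines should state which address range the value is meant to land in.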
64625 diff -urNp linux-2.6.39.2/include/linux/posix-timers.h linux-2.6.39.2/include/linux/posix-timers.h
64626 --- linux-2.6.39.2/include/linux/posix-timers.h 2011-05-19 00:06:34.000000000 -0400
64627 +++ linux-2.6.39.2/include/linux/posix-timers.h 2011-05-22 19:36:33.000000000 -0400
64628 @@ -102,10 +102,10 @@ struct k_clock {
64629 struct itimerspec * cur_setting);
64630 };
64631
64632 -extern struct k_clock clock_posix_cpu;
64633 -extern struct k_clock clock_posix_dynamic;
64634 +extern const struct k_clock clock_posix_cpu;
64635 +extern const struct k_clock clock_posix_dynamic;
64636
64637 -void posix_timers_register_clock(const clockid_t clock_id, struct k_clock *new_clock);
64638 +void posix_timers_register_clock(const clockid_t clock_id, const struct k_clock *new_clock);
64639
64640 /* function to call to trigger timer event */
64641 int posix_timer_event(struct k_itimer *timr, int si_private);
64642 diff -urNp linux-2.6.39.2/include/linux/proc_fs.h linux-2.6.39.2/include/linux/proc_fs.h
64643 --- linux-2.6.39.2/include/linux/proc_fs.h 2011-05-19 00:06:34.000000000 -0400
64644 +++ linux-2.6.39.2/include/linux/proc_fs.h 2011-05-22 19:41:42.000000000 -0400
64645 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64646 return proc_create_data(name, mode, parent, proc_fops, NULL);
64647 }
64648
64649 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64650 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64651 +{
64652 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64653 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64654 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64655 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64656 +#else
64657 + return proc_create_data(name, mode, parent, proc_fops, NULL);
64658 +#endif
64659 +}
64660 +
64661 +
64662 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64663 mode_t mode, struct proc_dir_entry *base,
64664 read_proc_t *read_proc, void * data)
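Review bot: `proc_create_grsec()` silently discards its `mode` argument when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, and nothing documents that. A caller reading only the signature would expect the mode it passes to be honoured, so the override belongs in a comment above the function, e.g. `/* mode is replaced by owner-only (or owner+group) read when the /proc restrictions are configured */`. The second blank line after the closing brace can be dropped.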
64665 diff -urNp linux-2.6.39.2/include/linux/ptrace.h linux-2.6.39.2/include/linux/ptrace.h
64666 --- linux-2.6.39.2/include/linux/ptrace.h 2011-05-19 00:06:34.000000000 -0400
64667 +++ linux-2.6.39.2/include/linux/ptrace.h 2011-05-22 19:41:42.000000000 -0400
64668 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
64669 extern void exit_ptrace(struct task_struct *tracer);
64670 #define PTRACE_MODE_READ 1
64671 #define PTRACE_MODE_ATTACH 2
64672 -/* Returns 0 on success, -errno on denial. */
64673 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64674 /* Returns true on success, false on denial. */
64675 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64676 +/* Returns true on success, false on denial. */
64677 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64678
64679 static inline int ptrace_reparented(struct task_struct *child)
64680 {
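Review bot: `ptrace_may_access_log()` is declared with the same comment as `ptrace_may_access()`, so the header does not say how the two differ or when to call which. If, as the name suggests, the new function also records denials, say so: `/* As ptrace_may_access(), but a denial is also logged. */`. The hunk also removes the `__ptrace_may_access()` declaration; any remaining caller outside this file would need updating, which cannot be checked from here.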
64681 diff -urNp linux-2.6.39.2/include/linux/random.h linux-2.6.39.2/include/linux/random.h
64682 --- linux-2.6.39.2/include/linux/random.h 2011-05-19 00:06:34.000000000 -0400
64683 +++ linux-2.6.39.2/include/linux/random.h 2011-05-22 19:36:33.000000000 -0400
64684 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
64685
64686 u32 prandom32(struct rnd_state *);
64687
64688 +static inline unsigned long pax_get_random_long(void)
64689 +{
64690 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64691 +}
64692 +
64693 /*
64694 * Handle minimum values for seeds
64695 */
64696 static inline u32 __seed(u32 x, u32 m)
64697 {
64698 - return (x < m) ? x + m : x;
64699 + return (x <= m) ? x + m + 1 : x;
64700 }
64701
64702 /**
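Review bot: `pax_get_random_long()` builds its result from two `random32()` calls, and `random32()` is the seeded pseudo-random generator declared next to `srandom32()`/`prandom32()` in this header, not the entropy-pool interface, so its output should not be treated as unpredictable. The callers are outside this hunk; if they use the value for address-space layout offsets, as the `pax_` prefix suggests, that trade-off belongs in a comment on the function, e.g. `/* not cryptographically strong: built from random32(); use get_random_bytes() where unpredictability matters */`. The `__seed()` change to `(x <= m) ? x + m + 1 : x` is also uncommented; a line stating that the result must now be strictly greater than `m` would explain why the boundary moved.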
64703 diff -urNp linux-2.6.39.2/include/linux/reboot.h linux-2.6.39.2/include/linux/reboot.h
64704 --- linux-2.6.39.2/include/linux/reboot.h 2011-05-19 00:06:34.000000000 -0400
64705 +++ linux-2.6.39.2/include/linux/reboot.h 2011-05-22 19:36:33.000000000 -0400
64706 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64707 * Architecture-specific implementations of sys_reboot commands.
64708 */
64709
64710 -extern void machine_restart(char *cmd);
64711 -extern void machine_halt(void);
64712 -extern void machine_power_off(void);
64713 +extern void machine_restart(char *cmd) __noreturn;
64714 +extern void machine_halt(void) __noreturn;
64715 +extern void machine_power_off(void) __noreturn;
64716
64717 extern void machine_shutdown(void);
64718 struct pt_regs;
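Review bot: Marking `machine_restart`, `machine_halt` and `machine_power_off` as `__noreturn` in this header is only sound if every architecture's implementation really never returns. With the attribute in place the compiler may drop the code that follows a call, so an implementation that falls off the end becomes undefined behaviour instead of a plain return. The definitions are not in this hunk, so each architecture needs checking, typically by ending the function in an endless loop or `BUG()`. The same applies to `kernel_restart`, `kernel_halt`, `kernel_power_off` and `emergency_restart` in the two following hunks.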
64719 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64720 */
64721
64722 extern void kernel_restart_prepare(char *cmd);
64723 -extern void kernel_restart(char *cmd);
64724 -extern void kernel_halt(void);
64725 -extern void kernel_power_off(void);
64726 +extern void kernel_restart(char *cmd) __noreturn;
64727 +extern void kernel_halt(void) __noreturn;
64728 +extern void kernel_power_off(void) __noreturn;
64729
64730 extern int C_A_D; /* for sysctl */
64731 void ctrl_alt_del(void);
64732 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
64733 * Emergency restart, callable from an interrupt handler.
64734 */
64735
64736 -extern void emergency_restart(void);
64737 +extern void emergency_restart(void) __noreturn;
64738 #include <asm/emergency-restart.h>
64739
64740 #endif
64741 diff -urNp linux-2.6.39.2/include/linux/reiserfs_fs.h linux-2.6.39.2/include/linux/reiserfs_fs.h
64742 --- linux-2.6.39.2/include/linux/reiserfs_fs.h 2011-05-19 00:06:34.000000000 -0400
64743 +++ linux-2.6.39.2/include/linux/reiserfs_fs.h 2011-05-22 19:36:33.000000000 -0400
64744 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
64745 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64746
64747 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64748 -#define get_generation(s) atomic_read (&fs_generation(s))
64749 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64750 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64751 #define __fs_changed(gen,s) (gen != get_generation (s))
64752 #define fs_changed(gen,s) \
64753 @@ -1618,24 +1618,24 @@ static inline struct super_block *sb_fro
64754 */
64755
64756 struct item_operations {
64757 - int (*bytes_number) (struct item_head * ih, int block_size);
64758 - void (*decrement_key) (struct cpu_key *);
64759 - int (*is_left_mergeable) (struct reiserfs_key * ih,
64760 + int (* const bytes_number) (struct item_head * ih, int block_size);
64761 + void (* const decrement_key) (struct cpu_key *);
64762 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
64763 unsigned long bsize);
64764 - void (*print_item) (struct item_head *, char *item);
64765 - void (*check_item) (struct item_head *, char *item);
64766 + void (* const print_item) (struct item_head *, char *item);
64767 + void (* const check_item) (struct item_head *, char *item);
64768
64769 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64770 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64771 int is_affected, int insert_size);
64772 - int (*check_left) (struct virtual_item * vi, int free,
64773 + int (* const check_left) (struct virtual_item * vi, int free,
64774 int start_skip, int end_skip);
64775 - int (*check_right) (struct virtual_item * vi, int free);
64776 - int (*part_size) (struct virtual_item * vi, int from, int to);
64777 - int (*unit_num) (struct virtual_item * vi);
64778 - void (*print_vi) (struct virtual_item * vi);
64779 + int (* const check_right) (struct virtual_item * vi, int free);
64780 + int (* const part_size) (struct virtual_item * vi, int from, int to);
64781 + int (* const unit_num) (struct virtual_item * vi);
64782 + void (* const print_vi) (struct virtual_item * vi);
64783 };
64784
64785 -extern struct item_operations *item_ops[TYPE_ANY + 1];
64786 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64787
64788 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64789 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
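Review bot: Declaring every member of `struct item_operations` as `(* const name)` means an instance can only be filled in by its initializer; assigning a member afterwards no longer compiles, including for a heap-allocated instance. That appears to be the intent, since the table itself becomes `const struct item_operations * const item_ops[]`, but the header does not say so. A one-line comment on the struct such as `/* members are const: instances must be fully initialized at definition */` would stop a runtime-populated instance being added later. The same pattern is applied to `platform_suspend_ops`, `platform_hibernation_ops` and `sysfs_ops` further down.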
64790 diff -urNp linux-2.6.39.2/include/linux/reiserfs_fs_sb.h linux-2.6.39.2/include/linux/reiserfs_fs_sb.h
64791 --- linux-2.6.39.2/include/linux/reiserfs_fs_sb.h 2011-05-19 00:06:34.000000000 -0400
64792 +++ linux-2.6.39.2/include/linux/reiserfs_fs_sb.h 2011-05-22 19:36:33.000000000 -0400
64793 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
64794 /* Comment? -Hans */
64795 wait_queue_head_t s_wait;
64796 /* To be obsoleted soon by per buffer seals.. -Hans */
64797 - atomic_t s_generation_counter; // increased by one every time the
64798 + atomic_unchecked_t s_generation_counter; // increased by one every time the
64799 // tree gets re-balanced
64800 unsigned long s_properties; /* File system properties. Currently holds
64801 on-disk FS format */
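Review bot: The switch of `s_generation_counter` to `atomic_unchecked_t` comes with no explanation, and the type name alone does not tell a reader why this counter is exempt from whatever checking plain `atomic_t` receives in this patch set. Going by `__fs_changed()` in reiserfs_fs.h the value is only compared for inequality, so wrap-around looks harmless; the field comment could record that, e.g. `// wrap-around is harmless: only compared for (in)equality`. The statistics counters converted in slab_def.h, sonet.h and sunrpc/svc_rdma.h would benefit from the same one-line justification. The definition of `atomic_unchecked_t` is outside this hunk, so its exact semantics are inferred.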
64802 diff -urNp linux-2.6.39.2/include/linux/rmap.h linux-2.6.39.2/include/linux/rmap.h
64803 --- linux-2.6.39.2/include/linux/rmap.h 2011-05-19 00:06:34.000000000 -0400
64804 +++ linux-2.6.39.2/include/linux/rmap.h 2011-05-22 19:36:33.000000000 -0400
64805 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
64806 void anon_vma_init(void); /* create anon_vma_cachep */
64807 int anon_vma_prepare(struct vm_area_struct *);
64808 void unlink_anon_vmas(struct vm_area_struct *);
64809 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
64810 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
64811 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
64812 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
64813 void __anon_vma_link(struct vm_area_struct *);
64814
64815 static inline void anon_vma_merge(struct vm_area_struct *vma,
64816 diff -urNp linux-2.6.39.2/include/linux/sched.h linux-2.6.39.2/include/linux/sched.h
64817 --- linux-2.6.39.2/include/linux/sched.h 2011-05-19 00:06:34.000000000 -0400
64818 +++ linux-2.6.39.2/include/linux/sched.h 2011-06-03 23:34:26.000000000 -0400
64819 @@ -100,6 +100,7 @@ struct bio_list;
64820 struct fs_struct;
64821 struct perf_event_context;
64822 struct blk_plug;
64823 +struct linux_binprm;
64824
64825 /*
64826 * List of flags we want to share for kernel threads,
64827 @@ -360,7 +361,7 @@ extern signed long schedule_timeout_inte
64828 extern signed long schedule_timeout_killable(signed long timeout);
64829 extern signed long schedule_timeout_uninterruptible(signed long timeout);
64830 asmlinkage void schedule(void);
64831 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
64832 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
64833
64834 struct nsproxy;
64835 struct user_namespace;
64836 @@ -381,10 +382,13 @@ struct user_namespace;
64837 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
64838
64839 extern int sysctl_max_map_count;
64840 +extern unsigned long sysctl_heap_stack_gap;
64841
64842 #include <linux/aio.h>
64843
64844 #ifdef CONFIG_MMU
64845 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
64846 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
64847 extern void arch_pick_mmap_layout(struct mm_struct *mm);
64848 extern unsigned long
64849 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
64850 @@ -629,6 +633,17 @@ struct signal_struct {
64851 #ifdef CONFIG_TASKSTATS
64852 struct taskstats *stats;
64853 #endif
64854 +
64855 +#ifdef CONFIG_GRKERNSEC
64856 + u32 curr_ip;
64857 + u32 saved_ip;
64858 + u32 gr_saddr;
64859 + u32 gr_daddr;
64860 + u16 gr_sport;
64861 + u16 gr_dport;
64862 + u8 used_accept:1;
64863 +#endif
64864 +
64865 #ifdef CONFIG_AUDIT
64866 unsigned audit_tty;
64867 struct tty_audit_buf *tty_audit_buf;
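Review bot: The address fields added to `struct signal_struct` (`curr_ip`, `saved_ip`, `gr_saddr`, `gr_daddr`) are `u32`, which can hold an IPv4 address but not an IPv6 one, and none of the new fields carries a comment. If they record the peer of an accepted connection for logging, as `used_accept` suggests, a connection over IPv6 cannot be represented and the limitation should be stated next to the fields, along with the byte order, for example `u32 curr_ip; /* IPv4 only; byte order: confirm */`. The code that fills them is not in this hunk.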
64868 @@ -701,6 +716,11 @@ struct user_struct {
64869 struct key *session_keyring; /* UID's default session keyring */
64870 #endif
64871
64872 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
64873 + unsigned int banned;
64874 + unsigned long ban_expires;
64875 +#endif
64876 +
64877 /* Hash table maintenance information */
64878 struct hlist_node uidhash_node;
64879 uid_t uid;
64880 @@ -1310,8 +1330,8 @@ struct task_struct {
64881 struct list_head thread_group;
64882
64883 struct completion *vfork_done; /* for vfork() */
64884 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
64885 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64886 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
64887 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64888
64889 cputime_t utime, stime, utimescaled, stimescaled;
64890 cputime_t gtime;
64891 @@ -1327,13 +1347,6 @@ struct task_struct {
64892 struct task_cputime cputime_expires;
64893 struct list_head cpu_timers[3];
64894
64895 -/* process credentials */
64896 - const struct cred __rcu *real_cred; /* objective and real subjective task
64897 - * credentials (COW) */
64898 - const struct cred __rcu *cred; /* effective (overridable) subjective task
64899 - * credentials (COW) */
64900 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64901 -
64902 char comm[TASK_COMM_LEN]; /* executable name excluding path
64903 - access with [gs]et_task_comm (which lock
64904 it with task_lock())
64905 @@ -1350,8 +1363,16 @@ struct task_struct {
64906 #endif
64907 /* CPU-specific state of this task */
64908 struct thread_struct thread;
64909 +/* thread_info moved to task_struct */
64910 +#ifdef CONFIG_X86
64911 + struct thread_info tinfo;
64912 +#endif
64913 /* filesystem information */
64914 struct fs_struct *fs;
64915 +
64916 + const struct cred __rcu *cred; /* effective (overridable) subjective task
64917 + * credentials (COW) */
64918 +
64919 /* open file information */
64920 struct files_struct *files;
64921 /* namespaces */
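Review bot: `cred` is re-added here between `fs` and `files` without its `/* process credentials */` heading, while `real_cred` and `replacement_session_keyring` are re-added under that heading in the next hunk, and nothing says why the two credential pointers are now apart. Field order in `task_struct` is usually deliberate, so the reason should be recorded, for example `/* kept apart from real_cred on purpose: <reason> */` with the reason supplied by the author. The embedded `struct thread_info tinfo` under `CONFIG_X86` has the same gap: the comment says it was moved but not what depends on it living inside `task_struct`.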
64922 @@ -1398,6 +1419,11 @@ struct task_struct {
64923 struct rt_mutex_waiter *pi_blocked_on;
64924 #endif
64925
64926 +/* process credentials */
64927 + const struct cred __rcu *real_cred; /* objective and real subjective task
64928 + * credentials (COW) */
64929 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64930 +
64931 #ifdef CONFIG_DEBUG_MUTEXES
64932 /* mutex deadlock detection */
64933 struct mutex_waiter *blocked_on;
64934 @@ -1508,6 +1534,21 @@ struct task_struct {
64935 unsigned long default_timer_slack_ns;
64936
64937 struct list_head *scm_work_list;
64938 +
64939 +#ifdef CONFIG_GRKERNSEC
64940 + /* grsecurity */
64941 + struct dentry *gr_chroot_dentry;
64942 + struct acl_subject_label *acl;
64943 + struct acl_role_label *role;
64944 + struct file *exec_file;
64945 + u16 acl_role_id;
64946 + /* is this the task that authenticated to the special role */
64947 + u8 acl_sp_role;
64948 + u8 is_writable;
64949 + u8 brute;
64950 + u8 gr_is_chrooted;
64951 +#endif
64952 +
64953 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
64954 /* Index of current stored address in ret_stack */
64955 int curr_ret_stack;
64956 @@ -1542,6 +1583,57 @@ struct task_struct {
64957 #endif
64958 };
64959
64960 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
64961 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
64962 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
64963 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
64964 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
64965 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
64966 +
64967 +#ifdef CONFIG_PAX_SOFTMODE
64968 +extern unsigned int pax_softmode;
64969 +#endif
64970 +
64971 +extern int pax_check_flags(unsigned long *);
64972 +
64973 +/* if tsk != current then task_lock must be held on it */
64974 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64975 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
64976 +{
64977 + if (likely(tsk->mm))
64978 + return tsk->mm->pax_flags;
64979 + else
64980 + return 0UL;
64981 +}
64982 +
64983 +/* if tsk != current then task_lock must be held on it */
64984 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
64985 +{
64986 + if (likely(tsk->mm)) {
64987 + tsk->mm->pax_flags = flags;
64988 + return 0;
64989 + }
64990 + return -EINVAL;
64991 +}
64992 +#endif
64993 +
64994 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
64995 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
64996 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
64997 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
64998 +#endif
64999 +
65000 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65001 +void pax_report_insns(void *pc, void *sp);
65002 +void pax_report_refcount_overflow(struct pt_regs *regs);
65003 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
65004 +
65005 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65006 +extern void pax_track_stack(void);
65007 +#else
65008 +static inline void pax_track_stack(void) {}
65009 +#endif
65010 +
65011 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65012 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
65013
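Review bot: `pax_get_flags()` returns `0UL` when `tsk->mm` is NULL, which a caller cannot tell apart from a task whose flags are all clear, whereas `pax_set_flags()` reports the same condition as `-EINVAL`. A short kernel-doc comment on both should state this, and also that the result is only stable while the `task_lock` named in the existing comment is held. The first `task_lock` comment sits above the `#if` rather than on the function it describes. Both accessors exist only under `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR` while the `pax_report_*` prototypes are unconditional, so callers of the accessors need the same guard.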
65014 @@ -2009,7 +2101,9 @@ void yield(void);
65015 extern struct exec_domain default_exec_domain;
65016
65017 union thread_union {
65018 +#ifndef CONFIG_X86
65019 struct thread_info thread_info;
65020 +#endif
65021 unsigned long stack[THREAD_SIZE/sizeof(long)];
65022 };
65023
65024 @@ -2179,7 +2273,7 @@ extern void __cleanup_sighand(struct sig
65025 extern void exit_itimers(struct signal_struct *);
65026 extern void flush_itimer_signals(void);
65027
65028 -extern NORET_TYPE void do_group_exit(int);
65029 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65030
65031 extern void daemonize(const char *, ...);
65032 extern int allow_signal(int);
65033 @@ -2320,13 +2414,17 @@ static inline unsigned long *end_of_stac
65034
65035 #endif
65036
65037 -static inline int object_is_on_stack(void *obj)
65038 +static inline int object_starts_on_stack(void *obj)
65039 {
65040 - void *stack = task_stack_page(current);
65041 + const void *stack = task_stack_page(current);
65042
65043 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
65044 }
65045
65046 +#ifdef CONFIG_PAX_USERCOPY
65047 +extern int object_is_on_stack(const void *obj, unsigned long len);
65048 +#endif
65049 +
65050 extern void thread_info_cache_init(void);
65051
65052 #ifdef CONFIG_DEBUG_STACK_USAGE
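Review bot: `object_is_on_stack` keeps its name but changes from a one-argument inline to a two-argument extern declared only under `CONFIG_PAX_USERCOPY`. An existing caller of the old form therefore fails to build unless it is converted to `object_starts_on_stack`, and with the option off there is no `object_is_on_stack` at all; the call sites are outside this hunk and need auditing. The new prototype returns `int` with no comment, and since it takes a length it may report more than yes/no (a partial overlap, for instance), so the return values should be documented at the declaration. `object_starts_on_stack` could also take `const void *obj` to match the `const void *stack` it now compares against.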
65053 diff -urNp linux-2.6.39.2/include/linux/screen_info.h linux-2.6.39.2/include/linux/screen_info.h
65054 --- linux-2.6.39.2/include/linux/screen_info.h 2011-05-19 00:06:34.000000000 -0400
65055 +++ linux-2.6.39.2/include/linux/screen_info.h 2011-05-22 19:36:33.000000000 -0400
65056 @@ -43,7 +43,8 @@ struct screen_info {
65057 __u16 pages; /* 0x32 */
65058 __u16 vesa_attributes; /* 0x34 */
65059 __u32 capabilities; /* 0x36 */
65060 - __u8 _reserved[6]; /* 0x3a */
65061 + __u16 vesapm_size; /* 0x3a */
65062 + __u8 _reserved[4]; /* 0x3c */
65063 } __attribute__((packed));
65064
65065 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
65066 diff -urNp linux-2.6.39.2/include/linux/security.h linux-2.6.39.2/include/linux/security.h
65067 --- linux-2.6.39.2/include/linux/security.h 2011-05-19 00:06:34.000000000 -0400
65068 +++ linux-2.6.39.2/include/linux/security.h 2011-05-22 19:41:42.000000000 -0400
65069 @@ -36,6 +36,7 @@
65070 #include <linux/key.h>
65071 #include <linux/xfrm.h>
65072 #include <linux/slab.h>
65073 +#include <linux/grsecurity.h>
65074 #include <net/flow.h>
65075
65076 /* Maximum number of letters for an LSM name string */
65077 diff -urNp linux-2.6.39.2/include/linux/shm.h linux-2.6.39.2/include/linux/shm.h
65078 --- linux-2.6.39.2/include/linux/shm.h 2011-05-19 00:06:34.000000000 -0400
65079 +++ linux-2.6.39.2/include/linux/shm.h 2011-05-22 19:41:42.000000000 -0400
65080 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
65081 pid_t shm_cprid;
65082 pid_t shm_lprid;
65083 struct user_struct *mlock_user;
65084 +#ifdef CONFIG_GRKERNSEC
65085 + time_t shm_createtime;
65086 + pid_t shm_lapid;
65087 +#endif
65088 };
65089
65090 /* shm_mode upper byte flags */
65091 diff -urNp linux-2.6.39.2/include/linux/skbuff.h linux-2.6.39.2/include/linux/skbuff.h
65092 --- linux-2.6.39.2/include/linux/skbuff.h 2011-05-19 00:06:34.000000000 -0400
65093 +++ linux-2.6.39.2/include/linux/skbuff.h 2011-05-22 19:36:33.000000000 -0400
65094 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
65095 */
65096 static inline int skb_queue_empty(const struct sk_buff_head *list)
65097 {
65098 - return list->next == (struct sk_buff *)list;
65099 + return list->next == (const struct sk_buff *)list;
65100 }
65101
65102 /**
65103 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
65104 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
65105 const struct sk_buff *skb)
65106 {
65107 - return skb->next == (struct sk_buff *)list;
65108 + return skb->next == (const struct sk_buff *)list;
65109 }
65110
65111 /**
65112 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
65113 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
65114 const struct sk_buff *skb)
65115 {
65116 - return skb->prev == (struct sk_buff *)list;
65117 + return skb->prev == (const struct sk_buff *)list;
65118 }
65119
65120 /**
65121 @@ -1435,7 +1435,7 @@ static inline int pskb_network_may_pull(
65122 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
65123 */
65124 #ifndef NET_SKB_PAD
65125 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
65126 +#define NET_SKB_PAD max(_AC(32,U), L1_CACHE_BYTES)
65127 #endif
65128
65129 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
65130 diff -urNp linux-2.6.39.2/include/linux/slab_def.h linux-2.6.39.2/include/linux/slab_def.h
65131 --- linux-2.6.39.2/include/linux/slab_def.h 2011-05-19 00:06:34.000000000 -0400
65132 +++ linux-2.6.39.2/include/linux/slab_def.h 2011-05-22 19:36:33.000000000 -0400
65133 @@ -96,10 +96,10 @@ struct kmem_cache {
65134 unsigned long node_allocs;
65135 unsigned long node_frees;
65136 unsigned long node_overflow;
65137 - atomic_t allochit;
65138 - atomic_t allocmiss;
65139 - atomic_t freehit;
65140 - atomic_t freemiss;
65141 + atomic_unchecked_t allochit;
65142 + atomic_unchecked_t allocmiss;
65143 + atomic_unchecked_t freehit;
65144 + atomic_unchecked_t freemiss;
65145
65146 /*
65147 * If debugging is enabled, then the allocator can add additional
65148 diff -urNp linux-2.6.39.2/include/linux/slab.h linux-2.6.39.2/include/linux/slab.h
65149 --- linux-2.6.39.2/include/linux/slab.h 2011-05-19 00:06:34.000000000 -0400
65150 +++ linux-2.6.39.2/include/linux/slab.h 2011-05-23 17:07:00.000000000 -0400
65151 @@ -11,12 +11,20 @@
65152
65153 #include <linux/gfp.h>
65154 #include <linux/types.h>
65155 +#include <linux/err.h>
65156
65157 /*
65158 * Flags to pass to kmem_cache_create().
65159 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
65160 */
65161 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
65162 +
65163 +#ifdef CONFIG_PAX_USERCOPY
65164 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
65165 +#else
65166 +#define SLAB_USERCOPY 0x00000000UL
65167 +#endif
65168 +
65169 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
65170 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
65171 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
65172 @@ -87,10 +95,13 @@
65173 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
65174 * Both make kfree a no-op.
65175 */
65176 -#define ZERO_SIZE_PTR ((void *)16)
65177 +#define ZERO_SIZE_PTR \
65178 +({ \
65179 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
65180 + (void *)(-MAX_ERRNO-1L); \
65181 +})
65182
65183 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
65184 - (unsigned long)ZERO_SIZE_PTR)
65185 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
65186
65187 /*
65188 * struct kmem_cache related prototypes
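Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` is true for NULL, for `ZERO_SIZE_PTR`, and for every address above `ZERO_SIZE_PTR`, because `(unsigned long)(x) - 1` wraps for NULL and the comparison is `>=`. With `ZERO_SIZE_PTR` now placed at `-MAX_ERRNO-1L`, that upper range is where `ERR_PTR()` values live, so error pointers are treated like NULL by anything using this macro. That may well be intended, but it is a behaviour change hidden in arithmetic and deserves a comment, e.g. `/* true for NULL, ZERO_SIZE_PTR and everything above it (the ERR_PTR range) */`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer appear in a static initializer or other constant expression, and the purpose of the `BUILD_BUG_ON` condition is not explained.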
65189 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void
65190 void kfree(const void *);
65191 void kzfree(const void *);
65192 size_t ksize(const void *);
65193 +void check_object_size(const void *ptr, unsigned long n, bool to);
65194
65195 /*
65196 * Allocator specific definitions. These are mainly used to establish optimized
65197 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
65198
65199 void __init kmem_cache_init_late(void);
65200
65201 +#define kmalloc(x, y) \
65202 +({ \
65203 + void *___retval; \
65204 + intoverflow_t ___x = (intoverflow_t)x; \
65205 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
65206 + ___retval = NULL; \
65207 + else \
65208 + ___retval = kmalloc((size_t)___x, (y)); \
65209 + ___retval; \
65210 +})
65211 +
65212 +#define kmalloc_node(x, y, z) \
65213 +({ \
65214 + void *___retval; \
65215 + intoverflow_t ___x = (intoverflow_t)x; \
65216 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
65217 + ___retval = NULL; \
65218 + else \
65219 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
65220 + ___retval; \
65221 +})
65222 +
65223 +#define kzalloc(x, y) \
65224 +({ \
65225 + void *___retval; \
65226 + intoverflow_t ___x = (intoverflow_t)x; \
65227 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
65228 + ___retval = NULL; \
65229 + else \
65230 + ___retval = kzalloc((size_t)___x, (y)); \
65231 + ___retval; \
65232 +})
65233 +
65234 +#define __krealloc(x, y, z) \
65235 +({ \
65236 + void *___retval; \
65237 + intoverflow_t ___y = (intoverflow_t)y; \
65238 + if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
65239 + ___retval = NULL; \
65240 + else \
65241 + ___retval = __krealloc((x), (size_t)___y, (z)); \
65242 + ___retval; \
65243 +})
65244 +
65245 +#define krealloc(x, y, z) \
65246 +({ \
65247 + void *___retval; \
65248 + intoverflow_t ___y = (intoverflow_t)y; \
65249 + if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
65250 + ___retval = NULL; \
65251 + else \
65252 + ___retval = krealloc((x), (size_t)___y, (z)); \
65253 + ___retval; \
65254 +})
65255 +
65256 #endif /* _LINUX_SLAB_H */
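Review bot: In the five wrapper macros the size argument is cast without parentheses, `(intoverflow_t)x`, so for a call such as `kmalloc(n * size, flags)` the cast binds to `n` alone and the multiplication is carried out in `intoverflow_t`. That looks intentional, since casting `(x)` would only widen a product that had already wrapped, but it is easy to mistake for a macro-hygiene slip. It also helps only when the first operand is part of the overflowing operation: `kmalloc(hdr + n * size, flags)` still multiplies in the original type. A comment above the block should say so, e.g. `/* x is deliberately not parenthesized: the cast must bind to the first operand so the size is computed in intoverflow_t */`. `intoverflow_t` is defined outside this hunk; if it is no wider than `unsigned long` on some configuration, the `> ULONG_MAX` test can never fire there.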
65257 diff -urNp linux-2.6.39.2/include/linux/slub_def.h linux-2.6.39.2/include/linux/slub_def.h
65258 --- linux-2.6.39.2/include/linux/slub_def.h 2011-05-19 00:06:34.000000000 -0400
65259 +++ linux-2.6.39.2/include/linux/slub_def.h 2011-05-22 19:36:33.000000000 -0400
65260 @@ -84,7 +84,7 @@ struct kmem_cache {
65261 struct kmem_cache_order_objects max;
65262 struct kmem_cache_order_objects min;
65263 gfp_t allocflags; /* gfp flags to use on each alloc */
65264 - int refcount; /* Refcount for slab cache destroy */
65265 + atomic_t refcount; /* Refcount for slab cache destroy */
65266 void (*ctor)(void *);
65267 int inuse; /* Offset to metadata */
65268 int align; /* Alignment */
65269 diff -urNp linux-2.6.39.2/include/linux/sonet.h linux-2.6.39.2/include/linux/sonet.h
65270 --- linux-2.6.39.2/include/linux/sonet.h 2011-05-19 00:06:34.000000000 -0400
65271 +++ linux-2.6.39.2/include/linux/sonet.h 2011-05-22 19:36:33.000000000 -0400
65272 @@ -61,7 +61,7 @@ struct sonet_stats {
65273 #include <asm/atomic.h>
65274
65275 struct k_sonet_stats {
65276 -#define __HANDLE_ITEM(i) atomic_t i
65277 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
65278 __SONET_ITEMS
65279 #undef __HANDLE_ITEM
65280 };
65281 diff -urNp linux-2.6.39.2/include/linux/ssb/ssb_driver_gige.h linux-2.6.39.2/include/linux/ssb/ssb_driver_gige.h
65282 --- linux-2.6.39.2/include/linux/ssb/ssb_driver_gige.h 2011-05-19 00:06:34.000000000 -0400
65283 +++ linux-2.6.39.2/include/linux/ssb/ssb_driver_gige.h 2011-05-22 19:36:33.000000000 -0400
65284 @@ -44,7 +44,7 @@ struct ssb_gige {
65285
65286 /* The PCI controller device. */
65287 struct pci_controller pci_controller;
65288 - struct pci_ops pci_ops;
65289 + const struct pci_ops pci_ops;
65290 struct resource mem_resource;
65291 struct resource io_resource;
65292 };
65293 diff -urNp linux-2.6.39.2/include/linux/sunrpc/clnt.h linux-2.6.39.2/include/linux/sunrpc/clnt.h
65294 --- linux-2.6.39.2/include/linux/sunrpc/clnt.h 2011-05-19 00:06:34.000000000 -0400
65295 +++ linux-2.6.39.2/include/linux/sunrpc/clnt.h 2011-05-22 19:36:33.000000000 -0400
65296 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
65297 {
65298 switch (sap->sa_family) {
65299 case AF_INET:
65300 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
65301 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65302 case AF_INET6:
65303 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65304 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65305 }
65306 return 0;
65307 }
65308 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
65309 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65310 const struct sockaddr *src)
65311 {
65312 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65313 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65314 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65315
65316 dsin->sin_family = ssin->sin_family;
65317 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
65318 if (sa->sa_family != AF_INET6)
65319 return 0;
65320
65321 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65322 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65323 }
65324
65325 #endif /* __KERNEL__ */
65326 diff -urNp linux-2.6.39.2/include/linux/sunrpc/svc_rdma.h linux-2.6.39.2/include/linux/sunrpc/svc_rdma.h
65327 --- linux-2.6.39.2/include/linux/sunrpc/svc_rdma.h 2011-05-19 00:06:34.000000000 -0400
65328 +++ linux-2.6.39.2/include/linux/sunrpc/svc_rdma.h 2011-05-22 19:36:33.000000000 -0400
65329 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65330 extern unsigned int svcrdma_max_requests;
65331 extern unsigned int svcrdma_max_req_size;
65332
65333 -extern atomic_t rdma_stat_recv;
65334 -extern atomic_t rdma_stat_read;
65335 -extern atomic_t rdma_stat_write;
65336 -extern atomic_t rdma_stat_sq_starve;
65337 -extern atomic_t rdma_stat_rq_starve;
65338 -extern atomic_t rdma_stat_rq_poll;
65339 -extern atomic_t rdma_stat_rq_prod;
65340 -extern atomic_t rdma_stat_sq_poll;
65341 -extern atomic_t rdma_stat_sq_prod;
65342 +extern atomic_unchecked_t rdma_stat_recv;
65343 +extern atomic_unchecked_t rdma_stat_read;
65344 +extern atomic_unchecked_t rdma_stat_write;
65345 +extern atomic_unchecked_t rdma_stat_sq_starve;
65346 +extern atomic_unchecked_t rdma_stat_rq_starve;
65347 +extern atomic_unchecked_t rdma_stat_rq_poll;
65348 +extern atomic_unchecked_t rdma_stat_rq_prod;
65349 +extern atomic_unchecked_t rdma_stat_sq_poll;
65350 +extern atomic_unchecked_t rdma_stat_sq_prod;
65351
65352 #define RPCRDMA_VERSION 1
65353
65354 diff -urNp linux-2.6.39.2/include/linux/suspend.h linux-2.6.39.2/include/linux/suspend.h
65355 --- linux-2.6.39.2/include/linux/suspend.h 2011-05-19 00:06:34.000000000 -0400
65356 +++ linux-2.6.39.2/include/linux/suspend.h 2011-05-22 19:36:33.000000000 -0400
65357 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
65358 * which require special recovery actions in that situation.
65359 */
65360 struct platform_suspend_ops {
65361 - int (*valid)(suspend_state_t state);
65362 - int (*begin)(suspend_state_t state);
65363 - int (*prepare)(void);
65364 - int (*prepare_late)(void);
65365 - int (*enter)(suspend_state_t state);
65366 - void (*wake)(void);
65367 - void (*finish)(void);
65368 - void (*end)(void);
65369 - void (*recover)(void);
65370 + int (* const valid)(suspend_state_t state);
65371 + int (* const begin)(suspend_state_t state);
65372 + int (* const prepare)(void);
65373 + int (* const prepare_late)(void);
65374 + int (* const enter)(suspend_state_t state);
65375 + void (* const wake)(void);
65376 + void (* const finish)(void);
65377 + void (* const end)(void);
65378 + void (* const recover)(void);
65379 };
65380
65381 #ifdef CONFIG_SUSPEND
65382 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
65383 * platforms which require special recovery actions in that situation.
65384 */
65385 struct platform_hibernation_ops {
65386 - int (*begin)(void);
65387 - void (*end)(void);
65388 - int (*pre_snapshot)(void);
65389 - void (*finish)(void);
65390 - int (*prepare)(void);
65391 - int (*enter)(void);
65392 - void (*leave)(void);
65393 - int (*pre_restore)(void);
65394 - void (*restore_cleanup)(void);
65395 - void (*recover)(void);
65396 + int (* const begin)(void);
65397 + void (* const end)(void);
65398 + int (* const pre_snapshot)(void);
65399 + void (* const finish)(void);
65400 + int (* const prepare)(void);
65401 + int (* const enter)(void);
65402 + void (* const leave)(void);
65403 + int (* const pre_restore)(void);
65404 + void (* const restore_cleanup)(void);
65405 + void (* const recover)(void);
65406 };
65407
65408 #ifdef CONFIG_HIBERNATION
65409 diff -urNp linux-2.6.39.2/include/linux/sysctl.h linux-2.6.39.2/include/linux/sysctl.h
65410 --- linux-2.6.39.2/include/linux/sysctl.h 2011-05-19 00:06:34.000000000 -0400
65411 +++ linux-2.6.39.2/include/linux/sysctl.h 2011-05-22 19:41:42.000000000 -0400
65412 @@ -155,7 +155,11 @@ enum
65413 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65414 };
65415
65416 -
65417 +#ifdef CONFIG_PAX_SOFTMODE
65418 +enum {
65419 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65420 +};
65421 +#endif
65422
65423 /* CTL_VM names: */
65424 enum
65425 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
65426
65427 extern int proc_dostring(struct ctl_table *, int,
65428 void __user *, size_t *, loff_t *);
65429 +extern int proc_dostring_modpriv(struct ctl_table *, int,
65430 + void __user *, size_t *, loff_t *);
65431 extern int proc_dointvec(struct ctl_table *, int,
65432 void __user *, size_t *, loff_t *);
65433 extern int proc_dointvec_minmax(struct ctl_table *, int,
65434 diff -urNp linux-2.6.39.2/include/linux/sysfs.h linux-2.6.39.2/include/linux/sysfs.h
65435 --- linux-2.6.39.2/include/linux/sysfs.h 2011-05-19 00:06:34.000000000 -0400
65436 +++ linux-2.6.39.2/include/linux/sysfs.h 2011-05-22 19:36:33.000000000 -0400
65437 @@ -110,8 +110,8 @@ struct bin_attribute {
65438 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
65439
65440 struct sysfs_ops {
65441 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
65442 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65443 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65444 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65445 };
65446
65447 struct sysfs_dirent;
65448 diff -urNp linux-2.6.39.2/include/linux/tty.h linux-2.6.39.2/include/linux/tty.h
65449 --- linux-2.6.39.2/include/linux/tty.h 2011-05-19 00:06:34.000000000 -0400
65450 +++ linux-2.6.39.2/include/linux/tty.h 2011-05-22 19:36:33.000000000 -0400
65451 @@ -13,6 +13,7 @@
65452 #include <linux/tty_driver.h>
65453 #include <linux/tty_ldisc.h>
65454 #include <linux/mutex.h>
65455 +#include <linux/poll.h>
65456
65457 #include <asm/system.h>
65458
65459 @@ -466,7 +467,6 @@ extern int tty_perform_flush(struct tty_
65460 extern dev_t tty_devnum(struct tty_struct *tty);
65461 extern void proc_clear_tty(struct task_struct *p);
65462 extern struct tty_struct *get_current_tty(void);
65463 -extern void tty_default_fops(struct file_operations *fops);
65464 extern struct tty_struct *alloc_tty_struct(void);
65465 extern int tty_add_file(struct tty_struct *tty, struct file *file);
65466 extern void free_tty_struct(struct tty_struct *tty);
65467 @@ -529,6 +529,18 @@ extern void tty_ldisc_begin(void);
65468 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65469 extern void tty_ldisc_enable(struct tty_struct *tty);
65470
65471 +/* tty_io.c */
65472 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
65473 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
65474 +extern unsigned int tty_poll(struct file *, poll_table *);
65475 +#ifdef CONFIG_COMPAT
65476 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
65477 + unsigned long arg);
65478 +#else
65479 +#define tty_compat_ioctl NULL
65480 +#endif
65481 +extern int tty_release(struct inode *, struct file *);
65482 +extern int tty_fasync(int fd, struct file *filp, int on);
65483
65484 /* n_tty.c */
65485 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
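Review bot: The block added under `/* tty_io.c */` exposes the tty core's file-operation handlers to every includer of tty.h without saying who is meant to use them. The previous hunk removes `tty_default_fops()`, so these presumably replace it for drivers that need a statically initialized `file_operations`. A comment to that effect would keep them from being treated as general-purpose API, e.g. `/* tty_io.c: exported so drivers can initialize a const file_operations; not for direct calls */`. With CONFIG_COMPAT unset, `tty_compat_ioctl` expands to `NULL` and is usable only as an initializer value, which deserves a word in the same comment.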
65486 diff -urNp linux-2.6.39.2/include/linux/tty_ldisc.h linux-2.6.39.2/include/linux/tty_ldisc.h
65487 --- linux-2.6.39.2/include/linux/tty_ldisc.h 2011-05-19 00:06:34.000000000 -0400
65488 +++ linux-2.6.39.2/include/linux/tty_ldisc.h 2011-05-22 19:36:33.000000000 -0400
65489 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
65490
65491 struct module *owner;
65492
65493 - int refcount;
65494 + atomic_t refcount;
65495 };
65496
65497 struct tty_ldisc {
65498 diff -urNp linux-2.6.39.2/include/linux/types.h linux-2.6.39.2/include/linux/types.h
65499 --- linux-2.6.39.2/include/linux/types.h 2011-05-19 00:06:34.000000000 -0400
65500 +++ linux-2.6.39.2/include/linux/types.h 2011-05-22 19:36:33.000000000 -0400
65501 @@ -213,10 +213,26 @@ typedef struct {
65502 int counter;
65503 } atomic_t;
65504
65505 +#ifdef CONFIG_PAX_REFCOUNT
65506 +typedef struct {
65507 + int counter;
65508 +} atomic_unchecked_t;
65509 +#else
65510 +typedef atomic_t atomic_unchecked_t;
65511 +#endif
65512 +
65513 #ifdef CONFIG_64BIT
65514 typedef struct {
65515 long counter;
65516 } atomic64_t;
65517 +
65518 +#ifdef CONFIG_PAX_REFCOUNT
65519 +typedef struct {
65520 + long counter;
65521 +} atomic64_unchecked_t;
65522 +#else
65523 +typedef atomic64_t atomic64_unchecked_t;
65524 +#endif
65525 #endif
65526
65527 struct list_head {
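Review bot: Without CONFIG_PAX_REFCOUNT, `atomic_unchecked_t` is a plain alias of `atomic_t` (and `atomic64_unchecked_t` of `atomic64_t`), so passing an unchecked counter to a checked accessor, or the reverse, compiles silently on those configurations. Only a PAX_REFCOUNT build type-checks the annotations, and that should be stated where the types are introduced. I would add a comment above the first `#ifdef CONFIG_PAX_REFCOUNT` describing the contract. As the conversions elsewhere in this patch suggest, the unchecked types are for counters whose wrap-around is harmless (statistics, sequence and generation numbers) and not for object reference counts. The comment should also note that mixed use is diagnosed only when the option is enabled.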
65528 diff -urNp linux-2.6.39.2/include/linux/uaccess.h linux-2.6.39.2/include/linux/uaccess.h
65529 --- linux-2.6.39.2/include/linux/uaccess.h 2011-05-19 00:06:34.000000000 -0400
65530 +++ linux-2.6.39.2/include/linux/uaccess.h 2011-05-22 19:36:33.000000000 -0400
65531 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65532 long ret; \
65533 mm_segment_t old_fs = get_fs(); \
65534 \
65535 - set_fs(KERNEL_DS); \
65536 pagefault_disable(); \
65537 + set_fs(KERNEL_DS); \
65538 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65539 - pagefault_enable(); \
65540 set_fs(old_fs); \
65541 + pagefault_enable(); \
65542 ret; \
65543 })
65544
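Review bot: The reordering in this macro is easy to mistake for noise and revert, because nothing explains it. After the change, `set_fs(KERNEL_DS)` and `set_fs(old_fs)` sit strictly inside the `pagefault_disable()`/`pagefault_enable()` pair. If the intent is to confine the widened address limit to the region where page faults are already disabled, say so inside the macro, e.g. `/* KERNEL_DS is held only while pagefaults are disabled; keep this nesting */ \`. The macro's opening lines are outside the hunk, so I could not check whether its header comment already covers this.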
65545 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
65546 * Safely read from address @src to the buffer at @dst. If a kernel fault
65547 * happens, handle that and return -EFAULT.
65548 */
65549 -extern long probe_kernel_read(void *dst, void *src, size_t size);
65550 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
65551 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
65552 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
65553
65554 /*
65555 * probe_kernel_write(): safely attempt to write to a location
65556 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
65557 * Safely write to address @dst from the buffer at @src. If a kernel fault
65558 * happens, handle that and return -EFAULT.
65559 */
65560 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
65561 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
65562 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
65563 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
65564
65565 #endif /* __LINUX_UACCESS_H__ */
65566 diff -urNp linux-2.6.39.2/include/linux/unaligned/access_ok.h linux-2.6.39.2/include/linux/unaligned/access_ok.h
65567 --- linux-2.6.39.2/include/linux/unaligned/access_ok.h 2011-05-19 00:06:34.000000000 -0400
65568 +++ linux-2.6.39.2/include/linux/unaligned/access_ok.h 2011-05-22 19:36:33.000000000 -0400
65569 @@ -6,32 +6,32 @@
65570
65571 static inline u16 get_unaligned_le16(const void *p)
65572 {
65573 - return le16_to_cpup((__le16 *)p);
65574 + return le16_to_cpup((const __le16 *)p);
65575 }
65576
65577 static inline u32 get_unaligned_le32(const void *p)
65578 {
65579 - return le32_to_cpup((__le32 *)p);
65580 + return le32_to_cpup((const __le32 *)p);
65581 }
65582
65583 static inline u64 get_unaligned_le64(const void *p)
65584 {
65585 - return le64_to_cpup((__le64 *)p);
65586 + return le64_to_cpup((const __le64 *)p);
65587 }
65588
65589 static inline u16 get_unaligned_be16(const void *p)
65590 {
65591 - return be16_to_cpup((__be16 *)p);
65592 + return be16_to_cpup((const __be16 *)p);
65593 }
65594
65595 static inline u32 get_unaligned_be32(const void *p)
65596 {
65597 - return be32_to_cpup((__be32 *)p);
65598 + return be32_to_cpup((const __be32 *)p);
65599 }
65600
65601 static inline u64 get_unaligned_be64(const void *p)
65602 {
65603 - return be64_to_cpup((__be64 *)p);
65604 + return be64_to_cpup((const __be64 *)p);
65605 }
65606
65607 static inline void put_unaligned_le16(u16 val, void *p)
65608 diff -urNp linux-2.6.39.2/include/linux/usb/hcd.h linux-2.6.39.2/include/linux/usb/hcd.h
65609 --- linux-2.6.39.2/include/linux/usb/hcd.h 2011-05-19 00:06:34.000000000 -0400
65610 +++ linux-2.6.39.2/include/linux/usb/hcd.h 2011-05-22 19:36:33.000000000 -0400
65611 @@ -615,7 +615,7 @@ struct usb_mon_operations {
65612 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
65613 };
65614
65615 -extern struct usb_mon_operations *mon_ops;
65616 +extern const struct usb_mon_operations *mon_ops;
65617
65618 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
65619 {
65620 @@ -637,7 +637,7 @@ static inline void usbmon_urb_complete(s
65621 (*mon_ops->urb_complete)(bus, urb, status);
65622 }
65623
65624 -int usb_mon_register(struct usb_mon_operations *ops);
65625 +int usb_mon_register(const struct usb_mon_operations *ops);
65626 void usb_mon_deregister(void);
65627
65628 #else
65629 diff -urNp linux-2.6.39.2/include/linux/usb/intel_mid_otg.h linux-2.6.39.2/include/linux/usb/intel_mid_otg.h
65630 --- linux-2.6.39.2/include/linux/usb/intel_mid_otg.h 2011-05-19 00:06:34.000000000 -0400
65631 +++ linux-2.6.39.2/include/linux/usb/intel_mid_otg.h 2011-05-22 19:36:33.000000000 -0400
65632 @@ -115,7 +115,7 @@ struct intel_mid_otg_xceiv {
65633 void __iomem *base;
65634
65635 /* ops to access ulpi */
65636 - struct iotg_ulpi_access_ops ulpi_ops;
65637 + const struct iotg_ulpi_access_ops ulpi_ops;
65638
65639 /* atomic notifier for interrupt context */
65640 struct atomic_notifier_head iotg_notifier;
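Review bot: `ulpi_ops` is an embedded struct rather than a pointer, so adding `const` here makes the member unassignable once the enclosing `struct intel_mid_otg_xceiv` exists. If a driver fills in `ulpi_ops` field by field after allocating the transceiver (the users are not visible in this hunk), it will either fail to build or need a cast that writes to a member declared const, which the language leaves undefined. A pointer member, `const struct iotg_ulpi_access_ops *ulpi_ops;`, would give the same protection and match how the other ops tables in this patch are constified, at the cost of touching the users. The struct definition starts and ends outside the hunk.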
65641 diff -urNp linux-2.6.39.2/include/linux/usb/ulpi.h linux-2.6.39.2/include/linux/usb/ulpi.h
65642 --- linux-2.6.39.2/include/linux/usb/ulpi.h 2011-05-19 00:06:34.000000000 -0400
65643 +++ linux-2.6.39.2/include/linux/usb/ulpi.h 2011-05-22 19:36:33.000000000 -0400
65644 @@ -186,7 +186,7 @@ struct otg_transceiver *otg_ulpi_create(
65645
65646 #ifdef CONFIG_USB_ULPI_VIEWPORT
65647 /* access ops for controllers with a viewport register */
65648 -extern struct otg_io_access_ops ulpi_viewport_access_ops;
65649 +extern const struct otg_io_access_ops ulpi_viewport_access_ops;
65650 #endif
65651
65652 #endif /* __LINUX_USB_ULPI_H */
65653 diff -urNp linux-2.6.39.2/include/linux/vga_switcheroo.h linux-2.6.39.2/include/linux/vga_switcheroo.h
65654 --- linux-2.6.39.2/include/linux/vga_switcheroo.h 2011-05-19 00:06:34.000000000 -0400
65655 +++ linux-2.6.39.2/include/linux/vga_switcheroo.h 2011-05-22 19:36:33.000000000 -0400
65656 @@ -39,7 +39,7 @@ int vga_switcheroo_register_client(struc
65657 void vga_switcheroo_client_fb_set(struct pci_dev *dev,
65658 struct fb_info *info);
65659
65660 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler);
65661 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler);
65662 void vga_switcheroo_unregister_handler(void);
65663
65664 int vga_switcheroo_process_delayed_switch(void);
65665 @@ -52,7 +52,7 @@ static inline int vga_switcheroo_registe
65666 void (*reprobe)(struct pci_dev *dev),
65667 bool (*can_switch)(struct pci_dev *dev)) { return 0; }
65668 static inline void vga_switcheroo_client_fb_set(struct pci_dev *dev, struct fb_info *info) {}
65669 -static inline int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler) { return 0; }
65670 +static inline int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler) { return 0; }
65671 static inline void vga_switcheroo_unregister_handler(void) {}
65672 static inline int vga_switcheroo_process_delayed_switch(void) { return 0; }
65673
65674 diff -urNp linux-2.6.39.2/include/linux/virtio.h linux-2.6.39.2/include/linux/virtio.h
65675 --- linux-2.6.39.2/include/linux/virtio.h 2011-05-19 00:06:34.000000000 -0400
65676 +++ linux-2.6.39.2/include/linux/virtio.h 2011-05-22 19:36:33.000000000 -0400
65677 @@ -102,7 +102,7 @@ struct virtio_device {
65678 int index;
65679 struct device dev;
65680 struct virtio_device_id id;
65681 - struct virtio_config_ops *config;
65682 + const struct virtio_config_ops *config;
65683 struct list_head vqs;
65684 /* Note that this is a Linux set_bit-style bitmap. */
65685 unsigned long features[1];
65686 diff -urNp linux-2.6.39.2/include/linux/vmalloc.h linux-2.6.39.2/include/linux/vmalloc.h
65687 --- linux-2.6.39.2/include/linux/vmalloc.h 2011-05-19 00:06:34.000000000 -0400
65688 +++ linux-2.6.39.2/include/linux/vmalloc.h 2011-05-22 19:36:33.000000000 -0400
65689 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65690 #define VM_MAP 0x00000004 /* vmap()ed pages */
65691 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65692 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65693 +
65694 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65695 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65696 +#endif
65697 +
65698 /* bits [20..32] reserved for arch specific ioremap internals */
65699
65700 /*
65701 @@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
65702 # endif
65703 #endif
65704
65705 +#define vmalloc(x) \
65706 +({ \
65707 + void *___retval; \
65708 + intoverflow_t ___x = (intoverflow_t)x; \
65709 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65710 + ___retval = NULL; \
65711 + else \
65712 + ___retval = vmalloc((unsigned long)___x); \
65713 + ___retval; \
65714 +})
65715 +
65716 +#define vzalloc(x) \
65717 +({ \
65718 + void *___retval; \
65719 + intoverflow_t ___x = (intoverflow_t)x; \
65720 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
65721 + ___retval = NULL; \
65722 + else \
65723 + ___retval = vzalloc((unsigned long)___x); \
65724 + ___retval; \
65725 +})
65726 +
65727 +#define __vmalloc(x, y, z) \
65728 +({ \
65729 + void *___retval; \
65730 + intoverflow_t ___x = (intoverflow_t)x; \
65731 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65732 + ___retval = NULL; \
65733 + else \
65734 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65735 + ___retval; \
65736 +})
65737 +
65738 +#define vmalloc_user(x) \
65739 +({ \
65740 + void *___retval; \
65741 + intoverflow_t ___x = (intoverflow_t)x; \
65742 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65743 + ___retval = NULL; \
65744 + else \
65745 + ___retval = vmalloc_user((unsigned long)___x); \
65746 + ___retval; \
65747 +})
65748 +
65749 +#define vmalloc_exec(x) \
65750 +({ \
65751 + void *___retval; \
65752 + intoverflow_t ___x = (intoverflow_t)x; \
65753 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65754 + ___retval = NULL; \
65755 + else \
65756 + ___retval = vmalloc_exec((unsigned long)___x); \
65757 + ___retval; \
65758 +})
65759 +
65760 +#define vmalloc_node(x, y) \
65761 +({ \
65762 + void *___retval; \
65763 + intoverflow_t ___x = (intoverflow_t)x; \
65764 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65765 + ___retval = NULL; \
65766 + else \
65767 + ___retval = vmalloc_node((unsigned long)___x, (y));\
65768 + ___retval; \
65769 +})
65770 +
65771 +#define vzalloc_node(x, y) \
65772 +({ \
65773 + void *___retval; \
65774 + intoverflow_t ___x = (intoverflow_t)x; \
65775 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
65776 + ___retval = NULL; \
65777 + else \
65778 + ___retval = vzalloc_node((unsigned long)___x, (y));\
65779 + ___retval; \
65780 +})
65781 +
65782 +#define vmalloc_32(x) \
65783 +({ \
65784 + void *___retval; \
65785 + intoverflow_t ___x = (intoverflow_t)x; \
65786 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65787 + ___retval = NULL; \
65788 + else \
65789 + ___retval = vmalloc_32((unsigned long)___x); \
65790 + ___retval; \
65791 +})
65792 +
65793 +#define vmalloc_32_user(x) \
65794 +({ \
65795 +void *___retval; \
65796 + intoverflow_t ___x = (intoverflow_t)x; \
65797 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
65798 + ___retval = NULL; \
65799 + else \
65800 + ___retval = vmalloc_32_user((unsigned long)___x);\
65801 + ___retval; \
65802 +})
65803 +
65804 #endif /* _LINUX_VMALLOC_H */
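Review bot: In all nine wrappers the size argument is cast without parentheses, `(intoverflow_t)x`, so for a call such as `vmalloc(a + b * c)` only `a` is widened and `b * c` is still evaluated in the caller's type before the `ULONG_MAX` test. If the missing parentheses are deliberate (they do make a leading `n * size` multiply in the wider type, provided `intoverflow_t` is wider than the operands), that needs a comment above the first macro, because the check then covers only some expression shapes. Something like `/* x is intentionally not parenthesized: the cast widens the first operand so "n * size" is computed as intoverflow_t; other expression shapes are not checked */` would do. Separately, these function-like macros shadow the real prototypes, so the function definitions (outside this hunk) must be protected from expansion. The line `void *___retval;` in `vmalloc_32_user` has also lost its indentation.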
65805 diff -urNp linux-2.6.39.2/include/linux/vmstat.h linux-2.6.39.2/include/linux/vmstat.h
65806 --- linux-2.6.39.2/include/linux/vmstat.h 2011-05-19 00:06:34.000000000 -0400
65807 +++ linux-2.6.39.2/include/linux/vmstat.h 2011-05-22 19:36:33.000000000 -0400
65808 @@ -147,18 +147,18 @@ static inline void vm_events_fold_cpu(in
65809 /*
65810 * Zone based page accounting with per cpu differentials.
65811 */
65812 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65813 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65814
65815 static inline void zone_page_state_add(long x, struct zone *zone,
65816 enum zone_stat_item item)
65817 {
65818 - atomic_long_add(x, &zone->vm_stat[item]);
65819 - atomic_long_add(x, &vm_stat[item]);
65820 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
65821 + atomic_long_add_unchecked(x, &vm_stat[item]);
65822 }
65823
65824 static inline unsigned long global_page_state(enum zone_stat_item item)
65825 {
65826 - long x = atomic_long_read(&vm_stat[item]);
65827 + long x = atomic_long_read_unchecked(&vm_stat[item]);
65828 #ifdef CONFIG_SMP
65829 if (x < 0)
65830 x = 0;
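Review bot: `vm_stat` and the per-zone array switch to the `_unchecked` type and accessors here with no comment explaining why wrap-around is acceptable for these counters. The surrounding code already tolerates transiently negative values (the `if (x < 0) x = 0;` clamp under CONFIG_SMP), which suggests they are statistics rather than object lifetimes. That reasoning should be written down at the declaration, e.g. `/* statistics only: may wrap or go transiently negative, hence unchecked */`. The same applies to the four later hunks in this file, and `global_page_state()` continues past the end of this hunk.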
65831 @@ -169,7 +169,7 @@ static inline unsigned long global_page_
65832 static inline unsigned long zone_page_state(struct zone *zone,
65833 enum zone_stat_item item)
65834 {
65835 - long x = atomic_long_read(&zone->vm_stat[item]);
65836 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65837 #ifdef CONFIG_SMP
65838 if (x < 0)
65839 x = 0;
65840 @@ -186,7 +186,7 @@ static inline unsigned long zone_page_st
65841 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
65842 enum zone_stat_item item)
65843 {
65844 - long x = atomic_long_read(&zone->vm_stat[item]);
65845 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65846
65847 #ifdef CONFIG_SMP
65848 int cpu;
65849 @@ -280,8 +280,8 @@ static inline void __mod_zone_page_state
65850
65851 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
65852 {
65853 - atomic_long_inc(&zone->vm_stat[item]);
65854 - atomic_long_inc(&vm_stat[item]);
65855 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
65856 + atomic_long_inc_unchecked(&vm_stat[item]);
65857 }
65858
65859 static inline void __inc_zone_page_state(struct page *page,
65860 @@ -292,8 +292,8 @@ static inline void __inc_zone_page_state
65861
65862 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
65863 {
65864 - atomic_long_dec(&zone->vm_stat[item]);
65865 - atomic_long_dec(&vm_stat[item]);
65866 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
65867 + atomic_long_dec_unchecked(&vm_stat[item]);
65868 }
65869
65870 static inline void __dec_zone_page_state(struct page *page,
65871 diff -urNp linux-2.6.39.2/include/media/saa7146_vv.h linux-2.6.39.2/include/media/saa7146_vv.h
65872 --- linux-2.6.39.2/include/media/saa7146_vv.h 2011-05-19 00:06:34.000000000 -0400
65873 +++ linux-2.6.39.2/include/media/saa7146_vv.h 2011-05-22 19:36:33.000000000 -0400
65874 @@ -202,13 +202,13 @@ void saa7146_set_gpio(struct saa7146_dev
65875
65876 /* from saa7146_video.c */
65877 extern const struct v4l2_ioctl_ops saa7146_video_ioctl_ops;
65878 -extern struct saa7146_use_ops saa7146_video_uops;
65879 +extern const struct saa7146_use_ops saa7146_video_uops;
65880 int saa7146_start_preview(struct saa7146_fh *fh);
65881 int saa7146_stop_preview(struct saa7146_fh *fh);
65882 long saa7146_video_do_ioctl(struct file *file, unsigned int cmd, void *arg);
65883
65884 /* from saa7146_vbi.c */
65885 -extern struct saa7146_use_ops saa7146_vbi_uops;
65886 +extern const struct saa7146_use_ops saa7146_vbi_uops;
65887
65888 /* resource management functions */
65889 int saa7146_res_get(struct saa7146_fh *fh, unsigned int bit);
65890 diff -urNp linux-2.6.39.2/include/media/v4l2-device.h linux-2.6.39.2/include/media/v4l2-device.h
65891 --- linux-2.6.39.2/include/media/v4l2-device.h 2011-05-19 00:06:34.000000000 -0400
65892 +++ linux-2.6.39.2/include/media/v4l2-device.h 2011-05-22 19:36:33.000000000 -0400
65893 @@ -95,7 +95,7 @@ int __must_check v4l2_device_register(st
65894 this function returns 0. If the name ends with a digit (e.g. cx18),
65895 then the name will be set to cx18-0 since cx180 looks really odd. */
65896 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
65897 - atomic_t *instance);
65898 + atomic_unchecked_t *instance);
65899
65900 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
65901 Since the parent disappears this ensures that v4l2_dev doesn't have an
65902 diff -urNp linux-2.6.39.2/include/net/caif/cfctrl.h linux-2.6.39.2/include/net/caif/cfctrl.h
65903 --- linux-2.6.39.2/include/net/caif/cfctrl.h 2011-05-19 00:06:34.000000000 -0400
65904 +++ linux-2.6.39.2/include/net/caif/cfctrl.h 2011-05-22 19:36:33.000000000 -0400
65905 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
65906 struct cfctrl {
65907 struct cfsrvl serv;
65908 struct cfctrl_rsp res;
65909 - atomic_t req_seq_no;
65910 - atomic_t rsp_seq_no;
65911 + atomic_unchecked_t req_seq_no;
65912 + atomic_unchecked_t rsp_seq_no;
65913 struct list_head list;
65914 /* Protects from simultaneous access to first_req list */
65915 spinlock_t info_list_lock;
65916 diff -urNp linux-2.6.39.2/include/net/flow.h linux-2.6.39.2/include/net/flow.h
65917 --- linux-2.6.39.2/include/net/flow.h 2011-05-19 00:06:34.000000000 -0400
65918 +++ linux-2.6.39.2/include/net/flow.h 2011-05-22 19:36:33.000000000 -0400
65919 @@ -167,6 +167,6 @@ extern struct flow_cache_object *flow_ca
65920 u8 dir, flow_resolve_t resolver, void *ctx);
65921
65922 extern void flow_cache_flush(void);
65923 -extern atomic_t flow_cache_genid;
65924 +extern atomic_unchecked_t flow_cache_genid;
65925
65926 #endif
65927 diff -urNp linux-2.6.39.2/include/net/inetpeer.h linux-2.6.39.2/include/net/inetpeer.h
65928 --- linux-2.6.39.2/include/net/inetpeer.h 2011-05-19 00:06:34.000000000 -0400
65929 +++ linux-2.6.39.2/include/net/inetpeer.h 2011-05-22 19:36:33.000000000 -0400
65930 @@ -43,8 +43,8 @@ struct inet_peer {
65931 */
65932 union {
65933 struct {
65934 - atomic_t rid; /* Frag reception counter */
65935 - atomic_t ip_id_count; /* IP ID for the next packet */
65936 + atomic_unchecked_t rid; /* Frag reception counter */
65937 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
65938 __u32 tcp_ts;
65939 __u32 tcp_ts_stamp;
65940 u32 metrics[RTAX_MAX];
65941 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
65942 {
65943 more++;
65944 inet_peer_refcheck(p);
65945 - return atomic_add_return(more, &p->ip_id_count) - more;
65946 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
65947 }
65948
65949 #endif /* _NET_INETPEER_H */
65950 diff -urNp linux-2.6.39.2/include/net/ip_fib.h linux-2.6.39.2/include/net/ip_fib.h
65951 --- linux-2.6.39.2/include/net/ip_fib.h 2011-05-19 00:06:34.000000000 -0400
65952 +++ linux-2.6.39.2/include/net/ip_fib.h 2011-05-22 19:36:33.000000000 -0400
65953 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
65954
65955 #define FIB_RES_SADDR(net, res) \
65956 ((FIB_RES_NH(res).nh_saddr_genid == \
65957 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
65958 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
65959 FIB_RES_NH(res).nh_saddr : \
65960 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
65961 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
65962 diff -urNp linux-2.6.39.2/include/net/ip_vs.h linux-2.6.39.2/include/net/ip_vs.h
65963 --- linux-2.6.39.2/include/net/ip_vs.h 2011-05-19 00:06:34.000000000 -0400
65964 +++ linux-2.6.39.2/include/net/ip_vs.h 2011-05-22 19:36:33.000000000 -0400
65965 @@ -512,7 +512,7 @@ struct ip_vs_conn {
65966 struct ip_vs_conn *control; /* Master control connection */
65967 atomic_t n_control; /* Number of controlled ones */
65968 struct ip_vs_dest *dest; /* real server */
65969 - atomic_t in_pkts; /* incoming packet counter */
65970 + atomic_unchecked_t in_pkts; /* incoming packet counter */
65971
65972 /* packet transmitter for different forwarding methods. If it
65973 mangles the packet, it must return NF_DROP or better NF_STOLEN,
65974 @@ -650,7 +650,7 @@ struct ip_vs_dest {
65975 __be16 port; /* port number of the server */
65976 union nf_inet_addr addr; /* IP address of the server */
65977 volatile unsigned flags; /* dest status flags */
65978 - atomic_t conn_flags; /* flags to copy to conn */
65979 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
65980 atomic_t weight; /* server weight */
65981
65982 atomic_t refcnt; /* reference counter */
65983 diff -urNp linux-2.6.39.2/include/net/irda/ircomm_tty.h linux-2.6.39.2/include/net/irda/ircomm_tty.h
65984 --- linux-2.6.39.2/include/net/irda/ircomm_tty.h 2011-05-19 00:06:34.000000000 -0400
65985 +++ linux-2.6.39.2/include/net/irda/ircomm_tty.h 2011-05-22 19:36:33.000000000 -0400
65986 @@ -35,6 +35,7 @@
65987 #include <linux/termios.h>
65988 #include <linux/timer.h>
65989 #include <linux/tty.h> /* struct tty_struct */
65990 +#include <asm/local.h>
65991
65992 #include <net/irda/irias_object.h>
65993 #include <net/irda/ircomm_core.h>
65994 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
65995 unsigned short close_delay;
65996 unsigned short closing_wait; /* time to wait before closing */
65997
65998 - int open_count;
65999 - int blocked_open; /* # of blocked opens */
66000 + local_t open_count;
66001 + local_t blocked_open; /* # of blocked opens */
66002
66003 /* Protect concurent access to :
66004 * o self->open_count
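Review bot: `open_count` and `blocked_open` become `local_t`, a type whose operations are atomic only with respect to the CPU executing them, yet the comment that follows lists `self->open_count` among the fields needing protection against concurrent access. The lock presumably still provides the cross-CPU exclusion, but the choice of `local_t` then needs a justification next to the fields, for example `/* local_t: updated only under the lock described below; not a per-CPU counter */`. Every reader and format string that uses these fields (outside this hunk) also has to go through `local_read()`, since the type is no longer an `int`. The struct continues beyond the hunk.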
66005 diff -urNp linux-2.6.39.2/include/net/iucv/af_iucv.h linux-2.6.39.2/include/net/iucv/af_iucv.h
66006 --- linux-2.6.39.2/include/net/iucv/af_iucv.h 2011-05-19 00:06:34.000000000 -0400
66007 +++ linux-2.6.39.2/include/net/iucv/af_iucv.h 2011-05-22 19:36:33.000000000 -0400
66008 @@ -87,7 +87,7 @@ struct iucv_sock {
66009 struct iucv_sock_list {
66010 struct hlist_head head;
66011 rwlock_t lock;
66012 - atomic_t autobind_name;
66013 + atomic_unchecked_t autobind_name;
66014 };
66015
66016 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66017 diff -urNp linux-2.6.39.2/include/net/neighbour.h linux-2.6.39.2/include/net/neighbour.h
66018 --- linux-2.6.39.2/include/net/neighbour.h 2011-05-19 00:06:34.000000000 -0400
66019 +++ linux-2.6.39.2/include/net/neighbour.h 2011-05-22 19:36:33.000000000 -0400
66020 @@ -118,12 +118,12 @@ struct neighbour {
66021
66022 struct neigh_ops {
66023 int family;
66024 - void (*solicit)(struct neighbour *, struct sk_buff*);
66025 - void (*error_report)(struct neighbour *, struct sk_buff*);
66026 - int (*output)(struct sk_buff*);
66027 - int (*connected_output)(struct sk_buff*);
66028 - int (*hh_output)(struct sk_buff*);
66029 - int (*queue_xmit)(struct sk_buff*);
66030 + void (* const solicit)(struct neighbour *, struct sk_buff*);
66031 + void (* const error_report)(struct neighbour *, struct sk_buff*);
66032 + int (* const output)(struct sk_buff*);
66033 + int (* const connected_output)(struct sk_buff*);
66034 + int (* const hh_output)(struct sk_buff*);
66035 + int (* const queue_xmit)(struct sk_buff*);
66036 };
66037
66038 struct pneigh_entry {
66039 diff -urNp linux-2.6.39.2/include/net/netfilter/nf_conntrack_ecache.h linux-2.6.39.2/include/net/netfilter/nf_conntrack_ecache.h
66040 --- linux-2.6.39.2/include/net/netfilter/nf_conntrack_ecache.h 2011-05-19 00:06:34.000000000 -0400
66041 +++ linux-2.6.39.2/include/net/netfilter/nf_conntrack_ecache.h 2011-05-22 19:36:33.000000000 -0400
66042 @@ -95,7 +95,7 @@ nf_conntrack_eventmask_report(unsigned i
66043 int report)
66044 {
66045 int ret = 0;
66046 - struct nf_ct_event_notifier *notify;
66047 + const struct nf_ct_event_notifier *notify;
66048 struct nf_conntrack_ecache *e;
66049
66050 rcu_read_lock();
66051 @@ -174,7 +174,7 @@ nf_ct_expect_event_report(enum ip_conntr
66052 u32 pid,
66053 int report)
66054 {
66055 - struct nf_exp_event_notifier *notify;
66056 + const struct nf_exp_event_notifier *notify;
66057 struct nf_conntrack_ecache *e;
66058
66059 rcu_read_lock();
66060 diff -urNp linux-2.6.39.2/include/net/netlink.h linux-2.6.39.2/include/net/netlink.h
66061 --- linux-2.6.39.2/include/net/netlink.h 2011-05-19 00:06:34.000000000 -0400
66062 +++ linux-2.6.39.2/include/net/netlink.h 2011-05-22 19:36:33.000000000 -0400
66063 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
66064 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66065 {
66066 if (mark)
66067 - skb_trim(skb, (unsigned char *) mark - skb->data);
66068 + skb_trim(skb, (const unsigned char *) mark - skb->data);
66069 }
66070
66071 /**
66072 diff -urNp linux-2.6.39.2/include/net/netns/ipv4.h linux-2.6.39.2/include/net/netns/ipv4.h
66073 --- linux-2.6.39.2/include/net/netns/ipv4.h 2011-05-19 00:06:34.000000000 -0400
66074 +++ linux-2.6.39.2/include/net/netns/ipv4.h 2011-05-22 19:36:33.000000000 -0400
66075 @@ -54,8 +54,8 @@ struct netns_ipv4 {
66076 int sysctl_rt_cache_rebuild_count;
66077 int current_rt_cache_rebuild_count;
66078
66079 - atomic_t rt_genid;
66080 - atomic_t dev_addr_genid;
66081 + atomic_unchecked_t rt_genid;
66082 + atomic_unchecked_t dev_addr_genid;
66083
66084 #ifdef CONFIG_IP_MROUTE
66085 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
66086 diff -urNp linux-2.6.39.2/include/net/sctp/sctp.h linux-2.6.39.2/include/net/sctp/sctp.h
66087 --- linux-2.6.39.2/include/net/sctp/sctp.h 2011-05-19 00:06:34.000000000 -0400
66088 +++ linux-2.6.39.2/include/net/sctp/sctp.h 2011-05-22 19:36:33.000000000 -0400
66089 @@ -316,9 +316,9 @@ do { \
66090
66091 #else /* SCTP_DEBUG */
66092
66093 -#define SCTP_DEBUG_PRINTK(whatever...)
66094 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
66095 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
66096 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
66097 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
66098 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
66099 #define SCTP_ENABLE_DEBUG
66100 #define SCTP_DISABLE_DEBUG
66101 #define SCTP_ASSERT(expr, str, func)
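Review bot: Only the three print macros get a `do {} while (0)` body; `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing. An `if (cond) SCTP_ASSERT(...);` therefore keeps the empty-body statement that this change removes for the other three. For consistency I would give them the same body, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.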
66102 diff -urNp linux-2.6.39.2/include/net/sock.h linux-2.6.39.2/include/net/sock.h
66103 --- linux-2.6.39.2/include/net/sock.h 2011-05-19 00:06:34.000000000 -0400
66104 +++ linux-2.6.39.2/include/net/sock.h 2011-05-22 19:36:33.000000000 -0400
66105 @@ -277,7 +277,7 @@ struct sock {
66106 #ifdef CONFIG_RPS
66107 __u32 sk_rxhash;
66108 #endif
66109 - atomic_t sk_drops;
66110 + atomic_unchecked_t sk_drops;
66111 int sk_rcvbuf;
66112
66113 struct sk_filter __rcu *sk_filter;
66114 diff -urNp linux-2.6.39.2/include/net/tcp.h linux-2.6.39.2/include/net/tcp.h
66115 --- linux-2.6.39.2/include/net/tcp.h 2011-05-19 00:06:34.000000000 -0400
66116 +++ linux-2.6.39.2/include/net/tcp.h 2011-05-22 19:36:33.000000000 -0400
66117 @@ -1374,7 +1374,7 @@ enum tcp_seq_states {
66118 struct tcp_seq_afinfo {
66119 char *name;
66120 sa_family_t family;
66121 - struct file_operations seq_fops;
66122 + struct file_operations seq_fops; /* cannot be const */
66123 struct seq_operations seq_ops;
66124 };
66125
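Review bot: The new `/* cannot be const */` remark states a restriction without the reason, so the next constification pass cannot tell whether it still holds. If the member is written at run time when the afinfo is registered (the registration code is not in this hunk), say so: `struct file_operations seq_fops; /* cannot be const: filled in at registration time */`. The udp.h hunk that follows adds the same bare remark to `struct udp_seq_afinfo`.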
66126 diff -urNp linux-2.6.39.2/include/net/udp.h linux-2.6.39.2/include/net/udp.h
66127 --- linux-2.6.39.2/include/net/udp.h 2011-05-19 00:06:34.000000000 -0400
66128 +++ linux-2.6.39.2/include/net/udp.h 2011-05-22 19:36:33.000000000 -0400
66129 @@ -234,7 +234,7 @@ struct udp_seq_afinfo {
66130 char *name;
66131 sa_family_t family;
66132 struct udp_table *udp_table;
66133 - struct file_operations seq_fops;
66134 + struct file_operations seq_fops; /* cannot be const */
66135 struct seq_operations seq_ops;
66136 };
66137
66138 diff -urNp linux-2.6.39.2/include/net/xfrm.h linux-2.6.39.2/include/net/xfrm.h
66139 --- linux-2.6.39.2/include/net/xfrm.h 2011-05-19 00:06:34.000000000 -0400
66140 +++ linux-2.6.39.2/include/net/xfrm.h 2011-05-22 19:36:33.000000000 -0400
66141 @@ -505,7 +505,7 @@ struct xfrm_policy {
66142 struct timer_list timer;
66143
66144 struct flow_cache_object flo;
66145 - atomic_t genid;
66146 + atomic_unchecked_t genid;
66147 u32 priority;
66148 u32 index;
66149 struct xfrm_mark mark;
66150 diff -urNp linux-2.6.39.2/include/pcmcia/ss.h linux-2.6.39.2/include/pcmcia/ss.h
66151 --- linux-2.6.39.2/include/pcmcia/ss.h 2011-05-19 00:06:34.000000000 -0400
66152 +++ linux-2.6.39.2/include/pcmcia/ss.h 2011-05-22 19:36:33.000000000 -0400
66153 @@ -241,9 +241,9 @@ struct pcmcia_socket {
66154 * "select PCCARD_NONSTATIC" in Kconfig.
66155 *
66156 */
66157 -extern struct pccard_resource_ops pccard_static_ops;
66158 +extern const struct pccard_resource_ops pccard_static_ops;
66159 #if defined(CONFIG_PCMCIA) || defined(CONFIG_PCMCIA_MODULE)
66160 -extern struct pccard_resource_ops pccard_iodyn_ops;
66161 +extern const struct pccard_resource_ops pccard_iodyn_ops;
66162 extern struct pccard_resource_ops pccard_nonstatic_ops;
66163 #else
66164 /* If PCMCIA is not used, but only CARDBUS, these functions are not used
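Review bot: `pccard_static_ops` and `pccard_iodyn_ops` are constified, but `pccard_nonstatic_ops`, declared on the next line, is left writable with no explanation. If it can be const as well, declare it `extern const struct pccard_resource_ops pccard_nonstatic_ops;`. If something modifies it at run time, a short comment saying what does so would keep the three declarations from looking like an oversight.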
66165 diff -urNp linux-2.6.39.2/include/rdma/ib_verbs.h linux-2.6.39.2/include/rdma/ib_verbs.h
66166 --- linux-2.6.39.2/include/rdma/ib_verbs.h 2011-05-19 00:06:34.000000000 -0400
66167 +++ linux-2.6.39.2/include/rdma/ib_verbs.h 2011-05-22 19:36:33.000000000 -0400
66168 @@ -1149,7 +1149,7 @@ struct ib_device {
66169 struct ib_mad *in_mad,
66170 struct ib_mad *out_mad);
66171
66172 - struct ib_dma_mapping_ops *dma_ops;
66173 + const struct ib_dma_mapping_ops *dma_ops;
66174
66175 struct module *owner;
66176 struct device dev;
66177 diff -urNp linux-2.6.39.2/include/scsi/libfc.h linux-2.6.39.2/include/scsi/libfc.h
66178 --- linux-2.6.39.2/include/scsi/libfc.h 2011-05-19 00:06:34.000000000 -0400
66179 +++ linux-2.6.39.2/include/scsi/libfc.h 2011-05-22 19:36:33.000000000 -0400
66180 @@ -202,7 +202,7 @@ struct fc_rport_priv {
66181 struct mutex rp_mutex;
66182 struct delayed_work retry_work;
66183 enum fc_rport_event event;
66184 - struct fc_rport_operations *ops;
66185 + const struct fc_rport_operations *ops;
66186 struct list_head peers;
66187 struct work_struct event_work;
66188 u32 supported_classes;
66189 diff -urNp linux-2.6.39.2/include/scsi/scsi_device.h linux-2.6.39.2/include/scsi/scsi_device.h
66190 --- linux-2.6.39.2/include/scsi/scsi_device.h 2011-05-19 00:06:34.000000000 -0400
66191 +++ linux-2.6.39.2/include/scsi/scsi_device.h 2011-05-22 19:36:33.000000000 -0400
66192 @@ -161,9 +161,9 @@ struct scsi_device {
66193 unsigned int max_device_blocked; /* what device_blocked counts down from */
66194 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
66195
66196 - atomic_t iorequest_cnt;
66197 - atomic_t iodone_cnt;
66198 - atomic_t ioerr_cnt;
66199 + atomic_unchecked_t iorequest_cnt;
66200 + atomic_unchecked_t iodone_cnt;
66201 + atomic_unchecked_t ioerr_cnt;
66202
66203 struct device sdev_gendev,
66204 sdev_dev;
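Review bot: The three counters switched to `atomic_unchecked_t` here carry no comment saying why they are exempt from the overflow checking that the type name implies plain `atomic_t` gets elsewhere in this patch. From their names they look like I/O statistics rather than reference counts, so wraparound should be harmless, but that reasoning belongs next to the fields, e.g. `/* statistics only, never used as a refcount: wraparound is harmless */` above `iorequest_cnt`. The same applies to the conversions in include/sound/ymfpci.h, include/target/target_core_base.h, include/video/udlfb.h and kernel/audit.c. In target_core_base.h, `t_transport_aborted` and `dev_ordered_id` deserve a closer look, since their names do not read like pure statistics.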
66205 diff -urNp linux-2.6.39.2/include/sound/ac97_codec.h linux-2.6.39.2/include/sound/ac97_codec.h
66206 --- linux-2.6.39.2/include/sound/ac97_codec.h 2011-05-19 00:06:34.000000000 -0400
66207 +++ linux-2.6.39.2/include/sound/ac97_codec.h 2011-05-22 19:36:33.000000000 -0400
66208 @@ -424,15 +424,15 @@
66209 struct snd_ac97;
66210
66211 struct snd_ac97_build_ops {
66212 - int (*build_3d) (struct snd_ac97 *ac97);
66213 - int (*build_specific) (struct snd_ac97 *ac97);
66214 - int (*build_spdif) (struct snd_ac97 *ac97);
66215 - int (*build_post_spdif) (struct snd_ac97 *ac97);
66216 + int (* const build_3d) (struct snd_ac97 *ac97);
66217 + int (* const build_specific) (struct snd_ac97 *ac97);
66218 + int (* const build_spdif) (struct snd_ac97 *ac97);
66219 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
66220 #ifdef CONFIG_PM
66221 - void (*suspend) (struct snd_ac97 *ac97);
66222 - void (*resume) (struct snd_ac97 *ac97);
66223 + void (* const suspend) (struct snd_ac97 *ac97);
66224 + void (* const resume) (struct snd_ac97 *ac97);
66225 #endif
66226 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66227 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66228 };
66229
66230 struct snd_ac97_bus_ops {
66231 @@ -446,7 +446,7 @@ struct snd_ac97_bus_ops {
66232
66233 struct snd_ac97_bus {
66234 /* -- lowlevel (hardware) driver specific -- */
66235 - struct snd_ac97_bus_ops *ops;
66236 + const struct snd_ac97_bus_ops *ops;
66237 void *private_data;
66238 void (*private_free) (struct snd_ac97_bus *bus);
66239 /* --- */
66240 @@ -556,7 +556,7 @@ static inline int ac97_can_spdif(struct
66241
66242 /* functions */
66243 /* create new AC97 bus */
66244 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
66245 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
66246 void *private_data, struct snd_ac97_bus **rbus);
66247 /* create mixer controls */
66248 int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
66249 diff -urNp linux-2.6.39.2/include/sound/core.h linux-2.6.39.2/include/sound/core.h
66250 --- linux-2.6.39.2/include/sound/core.h 2011-05-19 00:06:34.000000000 -0400
66251 +++ linux-2.6.39.2/include/sound/core.h 2011-05-22 19:36:33.000000000 -0400
66252 @@ -88,7 +88,7 @@ struct snd_device {
66253 snd_device_state_t state; /* state of the device */
66254 snd_device_type_t type; /* device type */
66255 void *device_data; /* device structure */
66256 - struct snd_device_ops *ops; /* operations */
66257 + const struct snd_device_ops *ops; /* operations */
66258 };
66259
66260 #define snd_device(n) list_entry(n, struct snd_device, list)
66261 @@ -301,7 +301,7 @@ int snd_card_file_remove(struct snd_card
66262 /* device.c */
66263
66264 int snd_device_new(struct snd_card *card, snd_device_type_t type,
66265 - void *device_data, struct snd_device_ops *ops);
66266 + void *device_data, const struct snd_device_ops *ops);
66267 int snd_device_register(struct snd_card *card, void *device_data);
66268 int snd_device_register_all(struct snd_card *card);
66269 int snd_device_disconnect(struct snd_card *card, void *device_data);
66270 diff -urNp linux-2.6.39.2/include/sound/pcm.h linux-2.6.39.2/include/sound/pcm.h
66271 --- linux-2.6.39.2/include/sound/pcm.h 2011-05-19 00:06:34.000000000 -0400
66272 +++ linux-2.6.39.2/include/sound/pcm.h 2011-05-22 19:36:33.000000000 -0400
66273 @@ -379,7 +379,7 @@ struct snd_pcm_substream {
66274 unsigned int dma_buf_id;
66275 size_t dma_max;
66276 /* -- hardware operations -- */
66277 - struct snd_pcm_ops *ops;
66278 + const struct snd_pcm_ops *ops;
66279 /* -- runtime information -- */
66280 struct snd_pcm_runtime *runtime;
66281 /* -- timer section -- */
66282 @@ -845,7 +845,7 @@ const unsigned char *snd_pcm_format_sile
66283 int snd_pcm_format_set_silence(snd_pcm_format_t format, void *buf, unsigned int frames);
66284 snd_pcm_format_t snd_pcm_build_linear_format(int width, int unsignd, int big_endian);
66285
66286 -void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, struct snd_pcm_ops *ops);
66287 +void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, const struct snd_pcm_ops *ops);
66288 void snd_pcm_set_sync(struct snd_pcm_substream *substream);
66289 int snd_pcm_lib_interleave_len(struct snd_pcm_substream *substream);
66290 int snd_pcm_lib_ioctl(struct snd_pcm_substream *substream,
66291 diff -urNp linux-2.6.39.2/include/sound/rawmidi.h linux-2.6.39.2/include/sound/rawmidi.h
66292 --- linux-2.6.39.2/include/sound/rawmidi.h 2011-05-19 00:06:34.000000000 -0400
66293 +++ linux-2.6.39.2/include/sound/rawmidi.h 2011-05-22 19:36:33.000000000 -0400
66294 @@ -100,7 +100,7 @@ struct snd_rawmidi_substream {
66295 struct snd_rawmidi_runtime *runtime;
66296 struct pid *pid;
66297 /* hardware layer */
66298 - struct snd_rawmidi_ops *ops;
66299 + const struct snd_rawmidi_ops *ops;
66300 };
66301
66302 struct snd_rawmidi_file {
66303 @@ -127,7 +127,7 @@ struct snd_rawmidi {
66304 int ossreg;
66305 #endif
66306
66307 - struct snd_rawmidi_global_ops *ops;
66308 + const struct snd_rawmidi_global_ops *ops;
66309
66310 struct snd_rawmidi_str streams[2];
66311
66312 @@ -151,7 +151,7 @@ int snd_rawmidi_new(struct snd_card *car
66313 int output_count, int input_count,
66314 struct snd_rawmidi **rmidi);
66315 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
66316 - struct snd_rawmidi_ops *ops);
66317 + const struct snd_rawmidi_ops *ops);
66318
66319 /* callbacks */
66320
66321 diff -urNp linux-2.6.39.2/include/sound/seq_device.h linux-2.6.39.2/include/sound/seq_device.h
66322 --- linux-2.6.39.2/include/sound/seq_device.h 2011-05-19 00:06:34.000000000 -0400
66323 +++ linux-2.6.39.2/include/sound/seq_device.h 2011-05-22 19:36:33.000000000 -0400
66324 @@ -69,7 +69,7 @@ struct snd_seq_dev_ops {
66325 */
66326 void snd_seq_device_load_drivers(void);
66327 int snd_seq_device_new(struct snd_card *card, int device, char *id, int argsize, struct snd_seq_device **result);
66328 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry, int argsize);
66329 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry, int argsize);
66330 int snd_seq_device_unregister_driver(char *id);
66331
66332 #define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
66333 diff -urNp linux-2.6.39.2/include/sound/snd_wavefront.h linux-2.6.39.2/include/sound/snd_wavefront.h
66334 --- linux-2.6.39.2/include/sound/snd_wavefront.h 2011-05-19 00:06:34.000000000 -0400
66335 +++ linux-2.6.39.2/include/sound/snd_wavefront.h 2011-05-22 19:36:33.000000000 -0400
66336 @@ -37,8 +37,8 @@ struct _snd_wavefront_midi {
66337 #define MPU_ACK 0xFE
66338 #define UART_MODE_ON 0x3F
66339
66340 -extern struct snd_rawmidi_ops snd_wavefront_midi_output;
66341 -extern struct snd_rawmidi_ops snd_wavefront_midi_input;
66342 +extern const struct snd_rawmidi_ops snd_wavefront_midi_output;
66343 +extern const struct snd_rawmidi_ops snd_wavefront_midi_input;
66344
66345 extern void snd_wavefront_midi_enable_virtual (snd_wavefront_card_t *);
66346 extern void snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *);
66347 diff -urNp linux-2.6.39.2/include/sound/soc.h linux-2.6.39.2/include/sound/soc.h
66348 --- linux-2.6.39.2/include/sound/soc.h 2011-05-19 00:06:34.000000000 -0400
66349 +++ linux-2.6.39.2/include/sound/soc.h 2011-05-22 19:36:33.000000000 -0400
66350 @@ -245,7 +245,7 @@ struct snd_soc_jack_gpio;
66351
66352 typedef int (*hw_write_t)(void *,const char* ,int);
66353
66354 -extern struct snd_ac97_bus_ops soc_ac97_ops;
66355 +extern const struct snd_ac97_bus_ops soc_ac97_ops;
66356
66357 enum snd_soc_control_type {
66358 SND_SOC_CUSTOM,
66359 diff -urNp linux-2.6.39.2/include/sound/ymfpci.h linux-2.6.39.2/include/sound/ymfpci.h
66360 --- linux-2.6.39.2/include/sound/ymfpci.h 2011-05-19 00:06:34.000000000 -0400
66361 +++ linux-2.6.39.2/include/sound/ymfpci.h 2011-05-22 19:36:33.000000000 -0400
66362 @@ -358,7 +358,7 @@ struct snd_ymfpci {
66363 spinlock_t reg_lock;
66364 spinlock_t voice_lock;
66365 wait_queue_head_t interrupt_sleep;
66366 - atomic_t interrupt_sleep_count;
66367 + atomic_unchecked_t interrupt_sleep_count;
66368 struct snd_info_entry *proc_entry;
66369 const struct firmware *dsp_microcode;
66370 const struct firmware *controller_microcode;
66371 diff -urNp linux-2.6.39.2/include/target/target_core_base.h linux-2.6.39.2/include/target/target_core_base.h
66372 --- linux-2.6.39.2/include/target/target_core_base.h 2011-06-03 00:04:14.000000000 -0400
66373 +++ linux-2.6.39.2/include/target/target_core_base.h 2011-06-03 00:32:08.000000000 -0400
66374 @@ -432,8 +432,8 @@ struct se_transport_task {
66375 atomic_t t_task_cdbs_left;
66376 atomic_t t_task_cdbs_ex_left;
66377 atomic_t t_task_cdbs_timeout_left;
66378 - atomic_t t_task_cdbs_sent;
66379 - atomic_t t_transport_aborted;
66380 + atomic_unchecked_t t_task_cdbs_sent;
66381 + atomic_unchecked_t t_transport_aborted;
66382 atomic_t t_transport_active;
66383 atomic_t t_transport_complete;
66384 atomic_t t_transport_queue_active;
66385 @@ -774,7 +774,7 @@ struct se_device {
66386 atomic_t active_cmds;
66387 atomic_t simple_cmds;
66388 atomic_t depth_left;
66389 - atomic_t dev_ordered_id;
66390 + atomic_unchecked_t dev_ordered_id;
66391 atomic_t dev_tur_active;
66392 atomic_t execute_tasks;
66393 atomic_t dev_status_thr_count;
66394 diff -urNp linux-2.6.39.2/include/trace/events/irq.h linux-2.6.39.2/include/trace/events/irq.h
66395 --- linux-2.6.39.2/include/trace/events/irq.h 2011-05-19 00:06:34.000000000 -0400
66396 +++ linux-2.6.39.2/include/trace/events/irq.h 2011-05-22 19:36:33.000000000 -0400
66397 @@ -36,7 +36,7 @@ struct softirq_action;
66398 */
66399 TRACE_EVENT(irq_handler_entry,
66400
66401 - TP_PROTO(int irq, struct irqaction *action),
66402 + TP_PROTO(int irq, const struct irqaction *action),
66403
66404 TP_ARGS(irq, action),
66405
66406 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
66407 */
66408 TRACE_EVENT(irq_handler_exit,
66409
66410 - TP_PROTO(int irq, struct irqaction *action, int ret),
66411 + TP_PROTO(int irq, const struct irqaction *action, int ret),
66412
66413 TP_ARGS(irq, action, ret),
66414
66415 diff -urNp linux-2.6.39.2/include/video/udlfb.h linux-2.6.39.2/include/video/udlfb.h
66416 --- linux-2.6.39.2/include/video/udlfb.h 2011-05-19 00:06:34.000000000 -0400
66417 +++ linux-2.6.39.2/include/video/udlfb.h 2011-05-22 19:36:33.000000000 -0400
66418 @@ -51,10 +51,10 @@ struct dlfb_data {
66419 int base8;
66420 u32 pseudo_palette[256];
66421 /* blit-only rendering path metrics, exposed through sysfs */
66422 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66423 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
66424 - atomic_t bytes_sent; /* to usb, after compression including overhead */
66425 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
66426 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66427 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
66428 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
66429 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
66430 };
66431
66432 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
66433 diff -urNp linux-2.6.39.2/include/video/uvesafb.h linux-2.6.39.2/include/video/uvesafb.h
66434 --- linux-2.6.39.2/include/video/uvesafb.h 2011-05-19 00:06:34.000000000 -0400
66435 +++ linux-2.6.39.2/include/video/uvesafb.h 2011-05-22 19:36:33.000000000 -0400
66436 @@ -177,6 +177,7 @@ struct uvesafb_par {
66437 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66438 u8 pmi_setpal; /* PMI for palette changes */
66439 u16 *pmi_base; /* protected mode interface location */
66440 + u8 *pmi_code; /* protected mode code location */
66441 void *pmi_start;
66442 void *pmi_pal;
66443 u8 *vbe_state_orig; /*
66444 diff -urNp linux-2.6.39.2/init/do_mounts.c linux-2.6.39.2/init/do_mounts.c
66445 --- linux-2.6.39.2/init/do_mounts.c 2011-05-19 00:06:34.000000000 -0400
66446 +++ linux-2.6.39.2/init/do_mounts.c 2011-05-22 19:36:33.000000000 -0400
66447 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
66448
66449 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66450 {
66451 - int err = sys_mount(name, "/root", fs, flags, data);
66452 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66453 if (err)
66454 return err;
66455
66456 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
66457 va_start(args, fmt);
66458 vsprintf(buf, fmt, args);
66459 va_end(args);
66460 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66461 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66462 if (fd >= 0) {
66463 sys_ioctl(fd, FDEJECT, 0);
66464 sys_close(fd);
66465 }
66466 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66467 - fd = sys_open("/dev/console", O_RDWR, 0);
66468 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
66469 if (fd >= 0) {
66470 sys_ioctl(fd, TCGETS, (long)&termios);
66471 termios.c_lflag &= ~ICANON;
66472 sys_ioctl(fd, TCSETSF, (long)&termios);
66473 - sys_read(fd, &c, 1);
66474 + sys_read(fd, (char __user *)&c, 1);
66475 termios.c_lflag |= ICANON;
66476 sys_ioctl(fd, TCSETSF, (long)&termios);
66477 sys_close(fd);
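Review bot: Two of the casts added in this hunk omit `__force`, namely `(char __user *)"/dev/root"` and `(char __user *)&c`, while the `/dev/console` open a few lines further down uses `(__force const char __user *)`. Without `__force` sparse should still report the address-space change, so these would better read `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. Passing kernel pointers through `__user` parameters is only sound while the caller runs with the kernel address limit, which this hunk does not show; a one-line comment stating that assumption would help the next reader. change_floppy starts and ends outside the hunk.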
66478 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
66479 mount_root();
66480 out:
66481 devtmpfs_mount("dev");
66482 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66483 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66484 sys_chroot((const char __user __force *)".");
66485 }
66486 diff -urNp linux-2.6.39.2/init/do_mounts.h linux-2.6.39.2/init/do_mounts.h
66487 --- linux-2.6.39.2/init/do_mounts.h 2011-05-19 00:06:34.000000000 -0400
66488 +++ linux-2.6.39.2/init/do_mounts.h 2011-05-22 19:36:33.000000000 -0400
66489 @@ -15,15 +15,15 @@ extern int root_mountflags;
66490
66491 static inline int create_dev(char *name, dev_t dev)
66492 {
66493 - sys_unlink(name);
66494 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66495 + sys_unlink((__force char __user *)name);
66496 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
66497 }
66498
66499 #if BITS_PER_LONG == 32
66500 static inline u32 bstat(char *name)
66501 {
66502 struct stat64 stat;
66503 - if (sys_stat64(name, &stat) != 0)
66504 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
66505 return 0;
66506 if (!S_ISBLK(stat.st_mode))
66507 return 0;
66508 diff -urNp linux-2.6.39.2/init/do_mounts_initrd.c linux-2.6.39.2/init/do_mounts_initrd.c
66509 --- linux-2.6.39.2/init/do_mounts_initrd.c 2011-05-19 00:06:34.000000000 -0400
66510 +++ linux-2.6.39.2/init/do_mounts_initrd.c 2011-05-22 19:36:33.000000000 -0400
66511 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
66512 create_dev("/dev/root.old", Root_RAM0);
66513 /* mount initrd on rootfs' /root */
66514 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66515 - sys_mkdir("/old", 0700);
66516 - root_fd = sys_open("/", 0, 0);
66517 - old_fd = sys_open("/old", 0, 0);
66518 + sys_mkdir((__force const char __user *)"/old", 0700);
66519 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
66520 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
66521 /* move initrd over / and chdir/chroot in initrd root */
66522 - sys_chdir("/root");
66523 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66524 - sys_chroot(".");
66525 + sys_chdir((__force const char __user *)"/root");
66526 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66527 + sys_chroot((__force const char __user *)".");
66528
66529 /*
66530 * In case that a resume from disk is carried out by linuxrc or one of
66531 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
66532
66533 /* move initrd to rootfs' /old */
66534 sys_fchdir(old_fd);
66535 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
66536 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
66537 /* switch root and cwd back to / of rootfs */
66538 sys_fchdir(root_fd);
66539 - sys_chroot(".");
66540 + sys_chroot((__force const char __user *)".");
66541 sys_close(old_fd);
66542 sys_close(root_fd);
66543
66544 if (new_decode_dev(real_root_dev) == Root_RAM0) {
66545 - sys_chdir("/old");
66546 + sys_chdir((__force const char __user *)"/old");
66547 return;
66548 }
66549
66550 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
66551 mount_root();
66552
66553 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66554 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66555 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
66556 if (!error)
66557 printk("okay\n");
66558 else {
66559 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
66560 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
66561 if (error == -ENOENT)
66562 printk("/initrd does not exist. Ignored.\n");
66563 else
66564 printk("failed\n");
66565 printk(KERN_NOTICE "Unmounting old root\n");
66566 - sys_umount("/old", MNT_DETACH);
66567 + sys_umount((__force char __user *)"/old", MNT_DETACH);
66568 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66569 if (fd < 0) {
66570 error = fd;
66571 @@ -116,11 +116,11 @@ int __init initrd_load(void)
66572 * mounted in the normal path.
66573 */
66574 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66575 - sys_unlink("/initrd.image");
66576 + sys_unlink((__force const char __user *)"/initrd.image");
66577 handle_initrd();
66578 return 1;
66579 }
66580 }
66581 - sys_unlink("/initrd.image");
66582 + sys_unlink((__force const char __user *)"/initrd.image");
66583 return 0;
66584 }
66585 diff -urNp linux-2.6.39.2/init/do_mounts_md.c linux-2.6.39.2/init/do_mounts_md.c
66586 --- linux-2.6.39.2/init/do_mounts_md.c 2011-05-19 00:06:34.000000000 -0400
66587 +++ linux-2.6.39.2/init/do_mounts_md.c 2011-05-22 19:36:33.000000000 -0400
66588 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66589 partitioned ? "_d" : "", minor,
66590 md_setup_args[ent].device_names);
66591
66592 - fd = sys_open(name, 0, 0);
66593 + fd = sys_open((__force char __user *)name, 0, 0);
66594 if (fd < 0) {
66595 printk(KERN_ERR "md: open failed - cannot start "
66596 "array %s\n", name);
66597 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66598 * array without it
66599 */
66600 sys_close(fd);
66601 - fd = sys_open(name, 0, 0);
66602 + fd = sys_open((__force char __user *)name, 0, 0);
66603 sys_ioctl(fd, BLKRRPART, 0);
66604 }
66605 sys_close(fd);
66606 diff -urNp linux-2.6.39.2/init/initramfs.c linux-2.6.39.2/init/initramfs.c
66607 --- linux-2.6.39.2/init/initramfs.c 2011-05-19 00:06:34.000000000 -0400
66608 +++ linux-2.6.39.2/init/initramfs.c 2011-05-22 19:36:33.000000000 -0400
66609 @@ -74,7 +74,7 @@ static void __init free_hash(void)
66610 }
66611 }
66612
66613 -static long __init do_utime(char __user *filename, time_t mtime)
66614 +static long __init do_utime(__force char __user *filename, time_t mtime)
66615 {
66616 struct timespec t[2];
66617
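Review bot: `__force` is placed on the parameter declaration of `do_utime`, where there is no cast for it to act on; as far as I know the attribute is only meaningful on cast expressions. Every caller changed in this file already casts with `(__force char __user *)`, so the signature can stay `static long __init do_utime(char __user *filename, time_t mtime)`. The body of do_utime continues outside the hunk.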
66618 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
66619 struct dir_entry *de, *tmp;
66620 list_for_each_entry_safe(de, tmp, &dir_list, list) {
66621 list_del(&de->list);
66622 - do_utime(de->name, de->mtime);
66623 + do_utime((__force char __user *)de->name, de->mtime);
66624 kfree(de->name);
66625 kfree(de);
66626 }
66627 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
66628 if (nlink >= 2) {
66629 char *old = find_link(major, minor, ino, mode, collected);
66630 if (old)
66631 - return (sys_link(old, collected) < 0) ? -1 : 1;
66632 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
66633 }
66634 return 0;
66635 }
66636 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
66637 {
66638 struct stat st;
66639
66640 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66641 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
66642 if (S_ISDIR(st.st_mode))
66643 - sys_rmdir(path);
66644 + sys_rmdir((__force char __user *)path);
66645 else
66646 - sys_unlink(path);
66647 + sys_unlink((__force char __user *)path);
66648 }
66649 }
66650
66651 @@ -305,7 +305,7 @@ static int __init do_name(void)
66652 int openflags = O_WRONLY|O_CREAT;
66653 if (ml != 1)
66654 openflags |= O_TRUNC;
66655 - wfd = sys_open(collected, openflags, mode);
66656 + wfd = sys_open((__force char __user *)collected, openflags, mode);
66657
66658 if (wfd >= 0) {
66659 sys_fchown(wfd, uid, gid);
66660 @@ -317,17 +317,17 @@ static int __init do_name(void)
66661 }
66662 }
66663 } else if (S_ISDIR(mode)) {
66664 - sys_mkdir(collected, mode);
66665 - sys_chown(collected, uid, gid);
66666 - sys_chmod(collected, mode);
66667 + sys_mkdir((__force char __user *)collected, mode);
66668 + sys_chown((__force char __user *)collected, uid, gid);
66669 + sys_chmod((__force char __user *)collected, mode);
66670 dir_add(collected, mtime);
66671 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66672 S_ISFIFO(mode) || S_ISSOCK(mode)) {
66673 if (maybe_link() == 0) {
66674 - sys_mknod(collected, mode, rdev);
66675 - sys_chown(collected, uid, gid);
66676 - sys_chmod(collected, mode);
66677 - do_utime(collected, mtime);
66678 + sys_mknod((__force char __user *)collected, mode, rdev);
66679 + sys_chown((__force char __user *)collected, uid, gid);
66680 + sys_chmod((__force char __user *)collected, mode);
66681 + do_utime((__force char __user *)collected, mtime);
66682 }
66683 }
66684 return 0;
66685 @@ -336,15 +336,15 @@ static int __init do_name(void)
66686 static int __init do_copy(void)
66687 {
66688 if (count >= body_len) {
66689 - sys_write(wfd, victim, body_len);
66690 + sys_write(wfd, (__force char __user *)victim, body_len);
66691 sys_close(wfd);
66692 - do_utime(vcollected, mtime);
66693 + do_utime((__force char __user *)vcollected, mtime);
66694 kfree(vcollected);
66695 eat(body_len);
66696 state = SkipIt;
66697 return 0;
66698 } else {
66699 - sys_write(wfd, victim, count);
66700 + sys_write(wfd, (__force char __user *)victim, count);
66701 body_len -= count;
66702 eat(count);
66703 return 1;
66704 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
66705 {
66706 collected[N_ALIGN(name_len) + body_len] = '\0';
66707 clean_path(collected, 0);
66708 - sys_symlink(collected + N_ALIGN(name_len), collected);
66709 - sys_lchown(collected, uid, gid);
66710 - do_utime(collected, mtime);
66711 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
66712 + sys_lchown((__force char __user *)collected, uid, gid);
66713 + do_utime((__force char __user *)collected, mtime);
66714 state = SkipIt;
66715 next_state = Reset;
66716 return 0;
66717 diff -urNp linux-2.6.39.2/init/Kconfig linux-2.6.39.2/init/Kconfig
66718 --- linux-2.6.39.2/init/Kconfig 2011-05-19 00:06:34.000000000 -0400
66719 +++ linux-2.6.39.2/init/Kconfig 2011-05-22 19:36:33.000000000 -0400
66720 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
66721
66722 config COMPAT_BRK
66723 bool "Disable heap randomization"
66724 - default y
66725 + default n
66726 help
66727 Randomizing heap placement makes heap exploits harder, but it
66728 also breaks ancient binaries (including anything libc5 based).
66729 diff -urNp linux-2.6.39.2/init/main.c linux-2.6.39.2/init/main.c
66730 --- linux-2.6.39.2/init/main.c 2011-06-03 00:04:14.000000000 -0400
66731 +++ linux-2.6.39.2/init/main.c 2011-06-03 00:32:08.000000000 -0400
66732 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
66733 extern void tc_init(void);
66734 #endif
66735
66736 +extern void grsecurity_init(void);
66737 +
66738 /*
66739 * Debug helper: via this flag we know that we are in 'early bootup code'
66740 * where only the boot processor is running with IRQ disabled. This means
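Review bot: `extern void grsecurity_init(void);` is declared directly in init/main.c instead of coming from a header, so the compiler never checks this prototype against the definition. The same pattern appears in the `pax_enter_kernel_user` / `pax_exit_kernel_user` / `clone_pgd_mask` declarations further down this file and in the first ipc/shm.c hunk (`gr_handle_shmat`, `gr_chroot_shmat`). Moving these declarations into a header that the defining file also includes would catch a signature drift at build time.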
66741 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
66742
66743 __setup("reset_devices", set_reset_devices);
66744
66745 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66746 +extern char pax_enter_kernel_user[];
66747 +extern char pax_exit_kernel_user[];
66748 +extern pgdval_t clone_pgd_mask;
66749 +#endif
66750 +
66751 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66752 +static int __init setup_pax_nouderef(char *str)
66753 +{
66754 +#ifdef CONFIG_X86_32
66755 + unsigned int cpu;
66756 + struct desc_struct *gdt;
66757 +
66758 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
66759 + gdt = get_cpu_gdt_table(cpu);
66760 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66761 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66762 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66763 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66764 + }
66765 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66766 +#else
66767 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66768 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66769 + clone_pgd_mask = ~(pgdval_t)0UL;
66770 +#endif
66771 +
66772 + return 0;
66773 +}
66774 +early_param("pax_nouderef", setup_pax_nouderef);
66775 +#endif
66776 +
66777 +#ifdef CONFIG_PAX_SOFTMODE
66778 +unsigned int pax_softmode;
66779 +
66780 +static int __init setup_pax_softmode(char *str)
66781 +{
66782 + get_option(&str, &pax_softmode);
66783 + return 1;
66784 +}
66785 +__setup("pax_softmode=", setup_pax_softmode);
66786 +#endif
66787 +
66788 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66789 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66790 static const char *panic_later, *panic_param;
66791 @@ -663,6 +708,7 @@ int __init_or_module do_one_initcall(ini
66792 {
66793 int count = preempt_count();
66794 int ret;
66795 + const char *msg1 = "", *msg2 = "";
66796
66797 if (initcall_debug)
66798 ret = do_one_initcall_debug(fn);
66799 @@ -675,15 +721,15 @@ int __init_or_module do_one_initcall(ini
66800 sprintf(msgbuf, "error code %d ", ret);
66801
66802 if (preempt_count() != count) {
66803 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
66804 + msg1 = " preemption imbalance";
66805 preempt_count() = count;
66806 }
66807 if (irqs_disabled()) {
66808 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
66809 + msg2 = " disabled interrupts";
66810 local_irq_enable();
66811 }
66812 - if (msgbuf[0]) {
66813 - printk("initcall %pF returned with %s\n", fn, msgbuf);
66814 + if (msgbuf[0] || *msg1 || *msg2) {
66815 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
66816 }
66817
66818 return ret;
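Review bot: The new format string produces doubled spaces, because `msgbuf` is filled with `"error code %d "` (trailing space) and `msg1` / `msg2` each begin with a space; with an empty `msgbuf` the line reads `returned with  preemption imbalance`. Either keep the old trailing-space convention in the two literals (`msg1 = "preemption imbalance ";`, `msg2 = "disabled interrupts ";`) or drop the trailing space from the `sprintf` format. do_one_initcall starts outside this hunk.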
66819 @@ -801,7 +847,7 @@ static int __init kernel_init(void * unu
66820 do_basic_setup();
66821
66822 /* Open the /dev/console on the rootfs, this should never fail */
66823 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
66824 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
66825 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
66826
66827 (void) sys_dup(0);
66828 @@ -814,11 +860,13 @@ static int __init kernel_init(void * unu
66829 if (!ramdisk_execute_command)
66830 ramdisk_execute_command = "/init";
66831
66832 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
66833 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
66834 ramdisk_execute_command = NULL;
66835 prepare_namespace();
66836 }
66837
66838 + grsecurity_init();
66839 +
66840 /*
66841 * Ok, we have completed the initial bootup, and
66842 * we're essentially up and running. Get rid of the
66843 diff -urNp linux-2.6.39.2/ipc/mqueue.c linux-2.6.39.2/ipc/mqueue.c
66844 --- linux-2.6.39.2/ipc/mqueue.c 2011-05-19 00:06:34.000000000 -0400
66845 +++ linux-2.6.39.2/ipc/mqueue.c 2011-05-22 19:41:42.000000000 -0400
66846 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
66847 mq_bytes = (mq_msg_tblsz +
66848 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
66849
66850 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
66851 spin_lock(&mq_lock);
66852 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
66853 u->mq_bytes + mq_bytes >
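Review bot: `gr_learn_resource()` is called with `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` and before the wraparound test on the following lines, so the value it receives is read without the lock and may already have overflowed. If the helper may be called under a spinlock (not visible here), move the call below `spin_lock(&mq_lock);` and after the overflow check. Otherwise add a comment such as `/* unlocked, advisory read: the limit itself is enforced under mq_lock below */`. mqueue_get_inode starts and ends outside the hunk.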
66854 diff -urNp linux-2.6.39.2/ipc/sem.c linux-2.6.39.2/ipc/sem.c
66855 --- linux-2.6.39.2/ipc/sem.c 2011-05-19 00:06:34.000000000 -0400
66856 +++ linux-2.6.39.2/ipc/sem.c 2011-05-22 19:36:33.000000000 -0400
66857 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
66858 int nsems;
66859 struct list_head tasks;
66860
66861 + pax_track_stack();
66862 +
66863 sma = sem_lock_check(ns, semid);
66864 if (IS_ERR(sma))
66865 return PTR_ERR(sma);
66866 @@ -1301,6 +1303,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
66867 struct ipc_namespace *ns;
66868 struct list_head tasks;
66869
66870 + pax_track_stack();
66871 +
66872 ns = current->nsproxy->ipc_ns;
66873
66874 if (nsops < 1 || semid < 0)
66875 diff -urNp linux-2.6.39.2/ipc/shm.c linux-2.6.39.2/ipc/shm.c
66876 --- linux-2.6.39.2/ipc/shm.c 2011-05-19 00:06:34.000000000 -0400
66877 +++ linux-2.6.39.2/ipc/shm.c 2011-05-22 19:41:42.000000000 -0400
66878 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
66879 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
66880 #endif
66881
66882 +#ifdef CONFIG_GRKERNSEC
66883 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66884 + const time_t shm_createtime, const uid_t cuid,
66885 + const int shmid);
66886 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66887 + const time_t shm_createtime);
66888 +#endif
66889 +
66890 void shm_init_ns(struct ipc_namespace *ns)
66891 {
66892 ns->shm_ctlmax = SHMMAX;
66893 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
66894 shp->shm_lprid = 0;
66895 shp->shm_atim = shp->shm_dtim = 0;
66896 shp->shm_ctim = get_seconds();
66897 +#ifdef CONFIG_GRKERNSEC
66898 + {
66899 + struct timespec timeval;
66900 + do_posix_clock_monotonic_gettime(&timeval);
66901 +
66902 + shp->shm_createtime = timeval.tv_sec;
66903 + }
66904 +#endif
66905 shp->shm_segsz = size;
66906 shp->shm_nattch = 0;
66907 shp->shm_file = file;
66908 @@ -762,8 +778,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
66909 case SHM_LOCK:
66910 case SHM_UNLOCK:
66911 {
66912 - struct file *uninitialized_var(shm_file);
66913 -
66914 lru_add_drain_all(); /* drain pagevecs to lru lists */
66915
66916 shp = shm_lock_check(ns, shmid);
66917 @@ -896,9 +910,21 @@ long do_shmat(int shmid, char __user *sh
66918 if (err)
66919 goto out_unlock;
66920
66921 +#ifdef CONFIG_GRKERNSEC
66922 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
66923 + shp->shm_perm.cuid, shmid) ||
66924 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
66925 + err = -EACCES;
66926 + goto out_unlock;
66927 + }
66928 +#endif
66929 +
66930 path = shp->shm_file->f_path;
66931 path_get(&path);
66932 shp->shm_nattch++;
66933 +#ifdef CONFIG_GRKERNSEC
66934 + shp->shm_lapid = current->pid;
66935 +#endif
66936 size = i_size_read(path.dentry->d_inode);
66937 shm_unlock(shp);
66938
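Review bot: `shp->shm_lapid = current->pid;` stores the calling thread's global pid, which may not be comparable with `shp->shm_cprid` when the two are passed side by side to `gr_handle_shmat()` and `gr_chroot_shmat()`. The assignment of `shm_cprid` is not visible in this hunk, but if it holds a thread-group id taken relative to a pid namespace, a multi-threaded or namespaced caller would record an id of a different kind. It would help to use the same accessor for both fields, or to add a comment on the new block stating which kind of id each field holds and that the write is made before `shm_unlock(shp)`. do_shmat starts and ends outside the hunk.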
66939 diff -urNp linux-2.6.39.2/kernel/acct.c linux-2.6.39.2/kernel/acct.c
66940 --- linux-2.6.39.2/kernel/acct.c 2011-05-19 00:06:34.000000000 -0400
66941 +++ linux-2.6.39.2/kernel/acct.c 2011-05-22 19:36:33.000000000 -0400
66942 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
66943 */
66944 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
66945 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
66946 - file->f_op->write(file, (char *)&ac,
66947 + file->f_op->write(file, (__force char __user *)&ac,
66948 sizeof(acct_t), &file->f_pos);
66949 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
66950 set_fs(fs);
66951 diff -urNp linux-2.6.39.2/kernel/audit.c linux-2.6.39.2/kernel/audit.c
66952 --- linux-2.6.39.2/kernel/audit.c 2011-05-19 00:06:34.000000000 -0400
66953 +++ linux-2.6.39.2/kernel/audit.c 2011-05-22 19:36:33.000000000 -0400
66954 @@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
66955 3) suppressed due to audit_rate_limit
66956 4) suppressed due to audit_backlog_limit
66957 */
66958 -static atomic_t audit_lost = ATOMIC_INIT(0);
66959 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
66960
66961 /* The netlink socket. */
66962 static struct sock *audit_sock;
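Review bot: `audit_lost` becomes an `atomic_unchecked_t` with no comment saying why wrap-around is acceptable for it; the same applies to the `atomic_*_unchecked()` call sites in `audit_log_lost()` and `audit_receive_msg()` and to `session_id` in kernel/auditsc.c. Assuming `_unchecked` means the variable is exempt from the overflow detection applied to plain `atomic_t`, a wrap of `audit_lost` only distorts a statistic, but `session_id` feeds `audit_set_loginuid()`, where a wrapped counter hands out a session id that was already used. A short comment at each declaration, for example `/* statistic only; may wrap */` here and `/* ids repeat once the counter wraps */` on `session_id`, would let a reader judge each exemption on its own.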
66963 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
66964 unsigned long now;
66965 int print;
66966
66967 - atomic_inc(&audit_lost);
66968 + atomic_inc_unchecked(&audit_lost);
66969
66970 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
66971
66972 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
66973 printk(KERN_WARNING
66974 "audit: audit_lost=%d audit_rate_limit=%d "
66975 "audit_backlog_limit=%d\n",
66976 - atomic_read(&audit_lost),
66977 + atomic_read_unchecked(&audit_lost),
66978 audit_rate_limit,
66979 audit_backlog_limit);
66980 audit_panic(message);
66981 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
66982 status_set.pid = audit_pid;
66983 status_set.rate_limit = audit_rate_limit;
66984 status_set.backlog_limit = audit_backlog_limit;
66985 - status_set.lost = atomic_read(&audit_lost);
66986 + status_set.lost = atomic_read_unchecked(&audit_lost);
66987 status_set.backlog = skb_queue_len(&audit_skb_queue);
66988 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
66989 &status_set, sizeof(status_set));
66990 diff -urNp linux-2.6.39.2/kernel/auditsc.c linux-2.6.39.2/kernel/auditsc.c
66991 --- linux-2.6.39.2/kernel/auditsc.c 2011-05-19 00:06:34.000000000 -0400
66992 +++ linux-2.6.39.2/kernel/auditsc.c 2011-05-22 19:36:33.000000000 -0400
66993 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
66994 }
66995
66996 /* global counter which is incremented every time something logs in */
66997 -static atomic_t session_id = ATOMIC_INIT(0);
66998 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
66999
67000 /**
67001 * audit_set_loginuid - set a task's audit_context loginuid
67002 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
67003 */
67004 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
67005 {
67006 - unsigned int sessionid = atomic_inc_return(&session_id);
67007 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
67008 struct audit_context *context = task->audit_context;
67009
67010 if (context && context->in_syscall) {
67011 diff -urNp linux-2.6.39.2/kernel/capability.c linux-2.6.39.2/kernel/capability.c
67012 --- linux-2.6.39.2/kernel/capability.c 2011-05-19 00:06:34.000000000 -0400
67013 +++ linux-2.6.39.2/kernel/capability.c 2011-05-22 21:02:23.000000000 -0400
67014 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
67015 * before modification is attempted and the application
67016 * fails.
67017 */
67018 + if (tocopy > ARRAY_SIZE(kdata))
67019 + return -EFAULT;
67020 +
67021 if (copy_to_user(dataptr, kdata, tocopy
67022 * sizeof(struct __user_cap_data_struct))) {
67023 return -EFAULT;
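Review bot: The new bound `tocopy > ARRAY_SIZE(kdata)` returns `-EFAULT`, the same code the `copy_to_user()` failure just below returns, so a caller cannot tell a bad user pointer from an internal size mismatch. Both `tocopy` and `kdata` are declared outside the hunk; if `tocopy` is only ever set from fixed per-version constants, user input cannot trigger the condition and `-EINVAL` (or a build-time assertion on those constants) would describe it better. Either way a one-line comment such as `/* never copy more than kdata holds, whatever the header version selected */` would record why the check exists.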
67024 @@ -378,7 +381,7 @@ bool ns_capable(struct user_namespace *n
67025 BUG();
67026 }
67027
67028 - if (security_capable(ns, current_cred(), cap) == 0) {
67029 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
67030 current->flags |= PF_SUPERPRIV;
67031 return true;
67032 }
67033 @@ -386,6 +389,27 @@ bool ns_capable(struct user_namespace *n
67034 }
67035 EXPORT_SYMBOL(ns_capable);
67036
67037 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
67038 +{
67039 + if (unlikely(!cap_valid(cap))) {
67040 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
67041 + BUG();
67042 + }
67043 +
67044 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
67045 + current->flags |= PF_SUPERPRIV;
67046 + return true;
67047 + }
67048 + return false;
67049 +}
67050 +EXPORT_SYMBOL(ns_capable_nolog);
67051 +
67052 +bool capable_nolog(int cap)
67053 +{
67054 + return ns_capable_nolog(&init_user_ns, cap);
67055 +}
67056 +EXPORT_SYMBOL(capable_nolog);
67057 +
67058 /**
67059 * task_ns_capable - Determine whether current task has a superior
67060 * capability targeted at a specific task's user namespace.
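Review bot: `ns_capable_nolog()` and `capable_nolog()` (and `task_ns_capable_nolog()` in the next hunk) are exported without the kernel-doc blocks that the neighbouring `task_ns_capable()` and `nsown_capable()` carry, so nothing tells a caller when the non-logging variant is appropriate. The message `"capable() called with invalid cap=%u\n"` also names a different function, so a BUG report from this path cannot be told apart from one raised elsewhere. I would add a kernel-doc comment stating that the function makes the same `security_capable()` check but goes through `gr_is_capable_nolog()`, and change the message to `printk(KERN_CRIT "ns_capable_nolog() called with invalid cap=%u\n", cap);`.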
67061 @@ -400,6 +424,12 @@ bool task_ns_capable(struct task_struct
67062 }
67063 EXPORT_SYMBOL(task_ns_capable);
67064
67065 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
67066 +{
67067 + return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
67068 +}
67069 +EXPORT_SYMBOL(task_ns_capable_nolog);
67070 +
67071 /**
67072 * nsown_capable - Check superior capability to one's own user_ns
67073 * @cap: The capability in question
67074 diff -urNp linux-2.6.39.2/kernel/cgroup.c linux-2.6.39.2/kernel/cgroup.c
67075 --- linux-2.6.39.2/kernel/cgroup.c 2011-05-19 00:06:34.000000000 -0400
67076 +++ linux-2.6.39.2/kernel/cgroup.c 2011-05-22 19:36:33.000000000 -0400
67077 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
67078 struct hlist_head *hhead;
67079 struct cg_cgroup_link *link;
67080
67081 + pax_track_stack();
67082 +
67083 /* First see if we already have a cgroup group that matches
67084 * the desired set */
67085 read_lock(&css_set_lock);
67086 diff -urNp linux-2.6.39.2/kernel/compat.c linux-2.6.39.2/kernel/compat.c
67087 --- linux-2.6.39.2/kernel/compat.c 2011-05-19 00:06:34.000000000 -0400
67088 +++ linux-2.6.39.2/kernel/compat.c 2011-05-22 19:41:42.000000000 -0400
67089 @@ -13,6 +13,7 @@
67090
67091 #include <linux/linkage.h>
67092 #include <linux/compat.h>
67093 +#include <linux/module.h>
67094 #include <linux/errno.h>
67095 #include <linux/time.h>
67096 #include <linux/signal.h>
67097 diff -urNp linux-2.6.39.2/kernel/configs.c linux-2.6.39.2/kernel/configs.c
67098 --- linux-2.6.39.2/kernel/configs.c 2011-05-19 00:06:34.000000000 -0400
67099 +++ linux-2.6.39.2/kernel/configs.c 2011-05-22 19:41:42.000000000 -0400
67100 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
67101 struct proc_dir_entry *entry;
67102
67103 /* create the current config file */
67104 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
67105 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
67106 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
67107 + &ikconfig_file_ops);
67108 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67109 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
67110 + &ikconfig_file_ops);
67111 +#endif
67112 +#else
67113 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
67114 &ikconfig_file_ops);
67115 +#endif
67116 +
67117 if (!entry)
67118 return -ENOMEM;
67119
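Review bot: `entry` is left unassigned when `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is, because the inner `#if`/`#elif` has no `#else`. In that configuration no `proc_create("config.gz", ...)` call is compiled and the `if (!entry)` test below reads an uninitialised pointer. Kconfig dependencies may rule the combination out, but they are not visible here and the preprocessor structure should not rely on them. An inner `#else` that falls back to the `S_IFREG | S_IRUGO` call, or an `#error`, closes the gap.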
67120 diff -urNp linux-2.6.39.2/kernel/cred.c linux-2.6.39.2/kernel/cred.c
67121 --- linux-2.6.39.2/kernel/cred.c 2011-05-19 00:06:34.000000000 -0400
67122 +++ linux-2.6.39.2/kernel/cred.c 2011-05-22 19:41:42.000000000 -0400
67123 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
67124 */
67125 void __put_cred(struct cred *cred)
67126 {
67127 + pax_track_stack();
67128 +
67129 kdebug("__put_cred(%p{%d,%d})", cred,
67130 atomic_read(&cred->usage),
67131 read_cred_subscribers(cred));
67132 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
67133 {
67134 struct cred *cred;
67135
67136 + pax_track_stack();
67137 +
67138 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
67139 atomic_read(&tsk->cred->usage),
67140 read_cred_subscribers(tsk->cred));
67141 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
67142 {
67143 const struct cred *cred;
67144
67145 + pax_track_stack();
67146 +
67147 rcu_read_lock();
67148
67149 do {
67150 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
67151 {
67152 struct cred *new;
67153
67154 + pax_track_stack();
67155 +
67156 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
67157 if (!new)
67158 return NULL;
67159 @@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
67160 const struct cred *old;
67161 struct cred *new;
67162
67163 + pax_track_stack();
67164 +
67165 validate_process_creds();
67166
67167 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67168 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
67169 struct thread_group_cred *tgcred = NULL;
67170 struct cred *new;
67171
67172 + pax_track_stack();
67173 +
67174 #ifdef CONFIG_KEYS
67175 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
67176 if (!tgcred)
67177 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
67178 struct cred *new;
67179 int ret;
67180
67181 + pax_track_stack();
67182 +
67183 if (
67184 #ifdef CONFIG_KEYS
67185 !p->cred->thread_keyring &&
67186 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
67187 struct task_struct *task = current;
67188 const struct cred *old = task->real_cred;
67189
67190 + pax_track_stack();
67191 +
67192 kdebug("commit_creds(%p{%d,%d})", new,
67193 atomic_read(&new->usage),
67194 read_cred_subscribers(new));
67195 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
67196
67197 get_cred(new); /* we will require a ref for the subj creds too */
67198
67199 + gr_set_role_label(task, new->uid, new->gid);
67200 +
67201 /* dumpability changes */
67202 if (old->euid != new->euid ||
67203 old->egid != new->egid ||
67204 @@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
67205 */
67206 void abort_creds(struct cred *new)
67207 {
67208 + pax_track_stack();
67209 +
67210 kdebug("abort_creds(%p{%d,%d})", new,
67211 atomic_read(&new->usage),
67212 read_cred_subscribers(new));
67213 @@ -574,6 +594,8 @@ const struct cred *override_creds(const
67214 {
67215 const struct cred *old = current->cred;
67216
67217 + pax_track_stack();
67218 +
67219 kdebug("override_creds(%p{%d,%d})", new,
67220 atomic_read(&new->usage),
67221 read_cred_subscribers(new));
67222 @@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
67223 {
67224 const struct cred *override = current->cred;
67225
67226 + pax_track_stack();
67227 +
67228 kdebug("revert_creds(%p{%d,%d})", old,
67229 atomic_read(&old->usage),
67230 read_cred_subscribers(old));
67231 @@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
67232 const struct cred *old;
67233 struct cred *new;
67234
67235 + pax_track_stack();
67236 +
67237 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67238 if (!new)
67239 return NULL;
67240 @@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
67241 */
67242 int set_security_override(struct cred *new, u32 secid)
67243 {
67244 + pax_track_stack();
67245 +
67246 return security_kernel_act_as(new, secid);
67247 }
67248 EXPORT_SYMBOL(set_security_override);
67249 @@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
67250 u32 secid;
67251 int ret;
67252
67253 + pax_track_stack();
67254 +
67255 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67256 if (ret < 0)
67257 return ret;
67258 diff -urNp linux-2.6.39.2/kernel/debug/debug_core.c linux-2.6.39.2/kernel/debug/debug_core.c
67259 --- linux-2.6.39.2/kernel/debug/debug_core.c 2011-05-19 00:06:34.000000000 -0400
67260 +++ linux-2.6.39.2/kernel/debug/debug_core.c 2011-05-22 19:36:33.000000000 -0400
67261 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
67262 /* Guard for recursive entry */
67263 static int exception_level;
67264
67265 -struct kgdb_io *dbg_io_ops;
67266 +const struct kgdb_io *dbg_io_ops;
67267 static DEFINE_SPINLOCK(kgdb_registration_lock);
67268
67269 /* kgdb console driver is loaded */
67270 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
67271 */
67272 static atomic_t masters_in_kgdb;
67273 static atomic_t slaves_in_kgdb;
67274 -static atomic_t kgdb_break_tasklet_var;
67275 +static atomic_unchecked_t kgdb_break_tasklet_var;
67276 atomic_t kgdb_setting_breakpoint;
67277
67278 struct task_struct *kgdb_usethread;
67279 @@ -129,7 +129,7 @@ int kgdb_single_step;
67280 static pid_t kgdb_sstep_pid;
67281
67282 /* to keep track of the CPU which is doing the single stepping*/
67283 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67284 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67285
67286 /*
67287 * If you are debugging a problem where roundup (the collection of
67288 @@ -542,7 +542,7 @@ return_normal:
67289 * kernel will only try for the value of sstep_tries before
67290 * giving up and continuing on.
67291 */
67292 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67293 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67294 (kgdb_info[cpu].task &&
67295 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
67296 atomic_set(&kgdb_active, -1);
67297 @@ -636,8 +636,8 @@ cpu_master_loop:
67298 }
67299
67300 kgdb_restore:
67301 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
67302 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
67303 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
67304 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
67305 if (kgdb_info[sstep_cpu].task)
67306 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
67307 else
67308 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
67309 static void kgdb_tasklet_bpt(unsigned long ing)
67310 {
67311 kgdb_breakpoint();
67312 - atomic_set(&kgdb_break_tasklet_var, 0);
67313 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
67314 }
67315
67316 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
67317
67318 void kgdb_schedule_breakpoint(void)
67319 {
67320 - if (atomic_read(&kgdb_break_tasklet_var) ||
67321 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
67322 atomic_read(&kgdb_active) != -1 ||
67323 atomic_read(&kgdb_setting_breakpoint))
67324 return;
67325 - atomic_inc(&kgdb_break_tasklet_var);
67326 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
67327 tasklet_schedule(&kgdb_tasklet_breakpoint);
67328 }
67329 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
67330 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
67331 *
67332 * Register it with the KGDB core.
67333 */
67334 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
67335 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
67336 {
67337 int err;
67338
67339 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67340 *
67341 * Unregister it with the KGDB core.
67342 */
67343 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
67344 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
67345 {
67346 BUG_ON(kgdb_connected);
67347
67348 diff -urNp linux-2.6.39.2/kernel/debug/kdb/kdb_main.c linux-2.6.39.2/kernel/debug/kdb/kdb_main.c
67349 --- linux-2.6.39.2/kernel/debug/kdb/kdb_main.c 2011-05-19 00:06:34.000000000 -0400
67350 +++ linux-2.6.39.2/kernel/debug/kdb/kdb_main.c 2011-05-22 19:36:33.000000000 -0400
67351 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
67352 list_for_each_entry(mod, kdb_modules, list) {
67353
67354 kdb_printf("%-20s%8u 0x%p ", mod->name,
67355 - mod->core_size, (void *)mod);
67356 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
67357 #ifdef CONFIG_MODULE_UNLOAD
67358 kdb_printf("%4d ", module_refcount(mod));
67359 #endif
67360 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
67361 kdb_printf(" (Loading)");
67362 else
67363 kdb_printf(" (Live)");
67364 - kdb_printf(" 0x%p", mod->module_core);
67365 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67366
67367 #ifdef CONFIG_MODULE_UNLOAD
67368 {
67369 diff -urNp linux-2.6.39.2/kernel/exit.c linux-2.6.39.2/kernel/exit.c
67370 --- linux-2.6.39.2/kernel/exit.c 2011-05-19 00:06:34.000000000 -0400
67371 +++ linux-2.6.39.2/kernel/exit.c 2011-05-22 20:02:30.000000000 -0400
67372 @@ -57,6 +57,10 @@
67373 #include <asm/pgtable.h>
67374 #include <asm/mmu_context.h>
67375
67376 +#ifdef CONFIG_GRKERNSEC
67377 +extern rwlock_t grsec_exec_file_lock;
67378 +#endif
67379 +
67380 static void exit_mm(struct task_struct * tsk);
67381
67382 static void __unhash_process(struct task_struct *p, bool group_dead)
67383 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
67384 struct task_struct *leader;
67385 int zap_leader;
67386 repeat:
67387 + gr_del_task_from_ip_table(p);
67388 +
67389 tracehook_prepare_release_task(p);
67390 /* don't need to get the RCU readlock here - the process is dead and
67391 * can't be modifying its own credentials. But shut RCU-lockdep up */
67392 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
67393 {
67394 write_lock_irq(&tasklist_lock);
67395
67396 +#ifdef CONFIG_GRKERNSEC
67397 + write_lock(&grsec_exec_file_lock);
67398 + if (current->exec_file) {
67399 + fput(current->exec_file);
67400 + current->exec_file = NULL;
67401 + }
67402 + write_unlock(&grsec_exec_file_lock);
67403 +#endif
67404 +
67405 ptrace_unlink(current);
67406 /* Reparent to init */
67407 current->real_parent = current->parent = kthreadd_task;
67408 list_move_tail(&current->sibling, &current->real_parent->children);
67409
67410 + gr_set_kernel_label(current);
67411 +
67412 /* Set the exit signal to SIGCHLD so we signal init on exit */
67413 current->exit_signal = SIGCHLD;
67414
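Review bot: `fput(current->exec_file)` is called with `tasklist_lock` write-held and interrupts off (the `write_lock_irq()` at the top of the hunk) and with `grsec_exec_file_lock` write-held; if that is the last reference, the file's final release would run in that context. Detaching the pointer under `grsec_exec_file_lock` and dropping the reference only after the lock is released avoids that, and in `reparent_to_kthreadd()` the whole block can move above `write_lock_irq(&tasklist_lock)`. The identical block added to `daemonize()` in the `@@ -430,6 +447,17 @@` hunk calls `fput()` under the same rwlock, so one static helper can serve both sites. reparent_to_kthreadd() ends outside the hunk.

```c
#ifdef CONFIG_GRKERNSEC
/* detach task->exec_file under the lock, drop the reference after unlocking */
static void put_task_exec_file(struct task_struct *task)
{
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = task->exec_file;
	task->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);

	if (exec_file)
		fput(exec_file);
}
#endif

static void reparent_to_kthreadd(void)
{
#ifdef CONFIG_GRKERNSEC
	put_task_exec_file(current);
#endif

	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink(), reparenting, gr_set_kernel_label() … */
```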
67415 @@ -394,7 +411,7 @@ int allow_signal(int sig)
67416 * know it'll be handled, so that they don't get converted to
67417 * SIGKILL or just silently dropped.
67418 */
67419 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67420 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67421 recalc_sigpending();
67422 spin_unlock_irq(&current->sighand->siglock);
67423 return 0;
67424 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
67425 vsnprintf(current->comm, sizeof(current->comm), name, args);
67426 va_end(args);
67427
67428 +#ifdef CONFIG_GRKERNSEC
67429 + write_lock(&grsec_exec_file_lock);
67430 + if (current->exec_file) {
67431 + fput(current->exec_file);
67432 + current->exec_file = NULL;
67433 + }
67434 + write_unlock(&grsec_exec_file_lock);
67435 +#endif
67436 +
67437 + gr_set_kernel_label(current);
67438 +
67439 /*
67440 * If we were started as result of loading a module, close all of the
67441 * user space pages. We don't need them, and if we didn't close them
67442 @@ -905,15 +933,8 @@ NORET_TYPE void do_exit(long code)
67443 struct task_struct *tsk = current;
67444 int group_dead;
67445
67446 - profile_task_exit(tsk);
67447 -
67448 - WARN_ON(atomic_read(&tsk->fs_excl));
67449 - WARN_ON(blk_needs_flush_plug(tsk));
67450 -
67451 if (unlikely(in_interrupt()))
67452 panic("Aiee, killing interrupt handler!");
67453 - if (unlikely(!tsk->pid))
67454 - panic("Attempted to kill the idle task!");
67455
67456 /*
67457 * If do_exit is called because this processes oopsed, it's possible
67458 @@ -924,6 +945,14 @@ NORET_TYPE void do_exit(long code)
67459 */
67460 set_fs(USER_DS);
67461
67462 + profile_task_exit(tsk);
67463 +
67464 + WARN_ON(atomic_read(&tsk->fs_excl));
67465 + WARN_ON(blk_needs_flush_plug(tsk));
67466 +
67467 + if (unlikely(!tsk->pid))
67468 + panic("Attempted to kill the idle task!");
67469 +
67470 tracehook_report_exit(&code);
67471
67472 validate_creds_for_do_exit(tsk);
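Review bot: The move of `profile_task_exit()`, the two `WARN_ON()`s and the idle-task `panic()` to below `set_fs(USER_DS)` is not explained anywhere in this hunk or the previous one, so the ordering looks arbitrary and could be undone by a later cleanup. If the intent is that nothing reachable from those calls runs with the address limit a faulting kernel path may have left behind, a comment directly above the moved block should say so, e.g. `/* keep below set_fs(USER_DS): nothing here may run with a stale address limit */`. do_exit() starts and ends outside the hunk.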
67473 @@ -984,6 +1013,9 @@ NORET_TYPE void do_exit(long code)
67474 tsk->exit_code = code;
67475 taskstats_exit(tsk, group_dead);
67476
67477 + gr_acl_handle_psacct(tsk, code);
67478 + gr_acl_handle_exit();
67479 +
67480 exit_mm(tsk);
67481
67482 if (group_dead)
67483 diff -urNp linux-2.6.39.2/kernel/fork.c linux-2.6.39.2/kernel/fork.c
67484 --- linux-2.6.39.2/kernel/fork.c 2011-05-19 00:06:34.000000000 -0400
67485 +++ linux-2.6.39.2/kernel/fork.c 2011-05-22 19:41:42.000000000 -0400
67486 @@ -287,7 +287,7 @@ static struct task_struct *dup_task_stru
67487 *stackend = STACK_END_MAGIC; /* for overflow detection */
67488
67489 #ifdef CONFIG_CC_STACKPROTECTOR
67490 - tsk->stack_canary = get_random_int();
67491 + tsk->stack_canary = pax_get_random_long();
67492 #endif
67493
67494 /* One for us, one for whoever does the "release_task()" (usually parent) */
67495 @@ -309,13 +309,78 @@ out:
67496 }
67497
67498 #ifdef CONFIG_MMU
67499 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
67500 +{
67501 + struct vm_area_struct *tmp;
67502 + unsigned long charge;
67503 + struct mempolicy *pol;
67504 + struct file *file;
67505 +
67506 + charge = 0;
67507 + if (mpnt->vm_flags & VM_ACCOUNT) {
67508 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67509 + if (security_vm_enough_memory(len))
67510 + goto fail_nomem;
67511 + charge = len;
67512 + }
67513 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67514 + if (!tmp)
67515 + goto fail_nomem;
67516 + *tmp = *mpnt;
67517 + tmp->vm_mm = mm;
67518 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
67519 + pol = mpol_dup(vma_policy(mpnt));
67520 + if (IS_ERR(pol))
67521 + goto fail_nomem_policy;
67522 + vma_set_policy(tmp, pol);
67523 + if (anon_vma_fork(tmp, mpnt))
67524 + goto fail_nomem_anon_vma_fork;
67525 + tmp->vm_flags &= ~VM_LOCKED;
67526 + tmp->vm_next = tmp->vm_prev = NULL;
67527 + tmp->vm_mirror = NULL;
67528 + file = tmp->vm_file;
67529 + if (file) {
67530 + struct inode *inode = file->f_path.dentry->d_inode;
67531 + struct address_space *mapping = file->f_mapping;
67532 +
67533 + get_file(file);
67534 + if (tmp->vm_flags & VM_DENYWRITE)
67535 + atomic_dec(&inode->i_writecount);
67536 + spin_lock(&mapping->i_mmap_lock);
67537 + if (tmp->vm_flags & VM_SHARED)
67538 + mapping->i_mmap_writable++;
67539 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
67540 + flush_dcache_mmap_lock(mapping);
67541 + /* insert tmp into the share list, just after mpnt */
67542 + vma_prio_tree_add(tmp, mpnt);
67543 + flush_dcache_mmap_unlock(mapping);
67544 + spin_unlock(&mapping->i_mmap_lock);
67545 + }
67546 +
67547 + /*
67548 + * Clear hugetlb-related page reserves for children. This only
67549 + * affects MAP_PRIVATE mappings. Faults generated by the child
67550 + * are not guaranteed to succeed, even if read-only
67551 + */
67552 + if (is_vm_hugetlb_page(tmp))
67553 + reset_vma_resv_huge_pages(tmp);
67554 +
67555 + return tmp;
67556 +
67557 +fail_nomem_anon_vma_fork:
67558 + mpol_put(pol);
67559 +fail_nomem_policy:
67560 + kmem_cache_free(vm_area_cachep, tmp);
67561 +fail_nomem:
67562 + vm_unacct_memory(charge);
67563 + return NULL;
67564 +}
67565 +
67566 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
67567 {
67568 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
67569 struct rb_node **rb_link, *rb_parent;
67570 int retval;
67571 - unsigned long charge;
67572 - struct mempolicy *pol;
67573
67574 down_write(&oldmm->mmap_sem);
67575 flush_cache_dup_mm(oldmm);
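Review bot: `dup_vma()` is a new helper with no comment on its contract. It returns NULL for every failure (accounting refusal, slab allocation, `mpol_dup()`, `anon_vma_fork()`), and on success the copy has already been added to the file's prio tree through `vma_prio_tree_add()` without yet being linked into `mm`. A header comment stating that, and that `dup_mmap()` calls it with `oldmm->mmap_sem` write-held, would make the split easier to review. Also, `tmp->vm_mirror = NULL;` is unconditional while the code that uses `vm_mirror` later in `dup_mmap()` sits under `CONFIG_PAX_SEGMEXEC`; if the field is declared only under that option, this line needs the same guard.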
67576 @@ -327,8 +392,8 @@ static int dup_mmap(struct mm_struct *mm
67577 mm->locked_vm = 0;
67578 mm->mmap = NULL;
67579 mm->mmap_cache = NULL;
67580 - mm->free_area_cache = oldmm->mmap_base;
67581 - mm->cached_hole_size = ~0UL;
67582 + mm->free_area_cache = oldmm->free_area_cache;
67583 + mm->cached_hole_size = oldmm->cached_hole_size;
67584 mm->map_count = 0;
67585 cpumask_clear(mm_cpumask(mm));
67586 mm->mm_rb = RB_ROOT;
67587 @@ -344,8 +409,6 @@ static int dup_mmap(struct mm_struct *mm
67588
67589 prev = NULL;
67590 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
67591 - struct file *file;
67592 -
67593 if (mpnt->vm_flags & VM_DONTCOPY) {
67594 long pages = vma_pages(mpnt);
67595 mm->total_vm -= pages;
67596 @@ -353,56 +416,13 @@ static int dup_mmap(struct mm_struct *mm
67597 -pages);
67598 continue;
67599 }
67600 - charge = 0;
67601 - if (mpnt->vm_flags & VM_ACCOUNT) {
67602 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67603 - if (security_vm_enough_memory(len))
67604 - goto fail_nomem;
67605 - charge = len;
67606 - }
67607 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67608 - if (!tmp)
67609 - goto fail_nomem;
67610 - *tmp = *mpnt;
67611 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
67612 - pol = mpol_dup(vma_policy(mpnt));
67613 - retval = PTR_ERR(pol);
67614 - if (IS_ERR(pol))
67615 - goto fail_nomem_policy;
67616 - vma_set_policy(tmp, pol);
67617 - tmp->vm_mm = mm;
67618 - if (anon_vma_fork(tmp, mpnt))
67619 - goto fail_nomem_anon_vma_fork;
67620 - tmp->vm_flags &= ~VM_LOCKED;
67621 - tmp->vm_next = tmp->vm_prev = NULL;
67622 - file = tmp->vm_file;
67623 - if (file) {
67624 - struct inode *inode = file->f_path.dentry->d_inode;
67625 - struct address_space *mapping = file->f_mapping;
67626 -
67627 - get_file(file);
67628 - if (tmp->vm_flags & VM_DENYWRITE)
67629 - atomic_dec(&inode->i_writecount);
67630 - spin_lock(&mapping->i_mmap_lock);
67631 - if (tmp->vm_flags & VM_SHARED)
67632 - mapping->i_mmap_writable++;
67633 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
67634 - flush_dcache_mmap_lock(mapping);
67635 - /* insert tmp into the share list, just after mpnt */
67636 - vma_prio_tree_add(tmp, mpnt);
67637 - flush_dcache_mmap_unlock(mapping);
67638 - spin_unlock(&mapping->i_mmap_lock);
67639 + tmp = dup_vma(mm, mpnt);
67640 + if (!tmp) {
67641 + retval = -ENOMEM;
67642 + goto out;
67643 }
67644
67645 /*
67646 - * Clear hugetlb-related page reserves for children. This only
67647 - * affects MAP_PRIVATE mappings. Faults generated by the child
67648 - * are not guaranteed to succeed, even if read-only
67649 - */
67650 - if (is_vm_hugetlb_page(tmp))
67651 - reset_vma_resv_huge_pages(tmp);
67652 -
67653 - /*
67654 * Link in the new vma and copy the page table entries.
67655 */
67656 *pprev = tmp;
67657 @@ -423,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm
67658 if (retval)
67659 goto out;
67660 }
67661 +
67662 +#ifdef CONFIG_PAX_SEGMEXEC
67663 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67664 + struct vm_area_struct *mpnt_m;
67665 +
67666 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67667 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67668 +
67669 + if (!mpnt->vm_mirror)
67670 + continue;
67671 +
67672 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67673 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67674 + mpnt->vm_mirror = mpnt_m;
67675 + } else {
67676 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67677 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67678 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67679 + mpnt->vm_mirror->vm_mirror = mpnt;
67680 + }
67681 + }
67682 + BUG_ON(mpnt_m);
67683 + }
67684 +#endif
67685 +
67686 /* a new mm has just been created */
67687 arch_dup_mmap(oldmm, mm);
67688 retval = 0;
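Review bot: The mirror fix-up loop walks `oldmm->mmap` and `mm->mmap` in lockstep, but the copy loop earlier in `dup_mmap()` skips parent VMAs that have `VM_DONTCOPY` set, so the child list can be shorter than the parent list. Once one VMA has been skipped, `mpnt_m` no longer corresponds to `mpnt`: the walk pairs the wrong VMAs and can end in `BUG_ON(!mpnt_m ...)` when the child list runs out first. The loop should skip `VM_DONTCOPY` entries the same way the copy loop does and advance `mpnt_m` only for VMAs that were actually copied. dup_mmap() starts and ends outside the hunk.

```c
		for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) {
			/* skipped by the copy loop above, so it has no counterpart in mm->mmap */
			if (mpnt->vm_flags & VM_DONTCOPY)
				continue;

			BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);

			if (mpnt->vm_mirror) {
				/* … unchanged: the two-branch mirror fix-up on SEGMEXEC_TASK_SIZE … */
			}

			/* advance the child cursor only for VMAs that were copied */
			mpnt_m = mpnt_m->vm_next;
		}
```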
67689 @@ -431,14 +476,6 @@ out:
67690 flush_tlb_mm(oldmm);
67691 up_write(&oldmm->mmap_sem);
67692 return retval;
67693 -fail_nomem_anon_vma_fork:
67694 - mpol_put(pol);
67695 -fail_nomem_policy:
67696 - kmem_cache_free(vm_area_cachep, tmp);
67697 -fail_nomem:
67698 - retval = -ENOMEM;
67699 - vm_unacct_memory(charge);
67700 - goto out;
67701 }
67702
67703 static inline int mm_alloc_pgd(struct mm_struct * mm)
67704 @@ -785,13 +822,14 @@ static int copy_fs(unsigned long clone_f
67705 spin_unlock(&fs->lock);
67706 return -EAGAIN;
67707 }
67708 - fs->users++;
67709 + atomic_inc(&fs->users);
67710 spin_unlock(&fs->lock);
67711 return 0;
67712 }
67713 tsk->fs = copy_fs_struct(fs);
67714 if (!tsk->fs)
67715 return -ENOMEM;
67716 + gr_set_chroot_entries(tsk, &tsk->fs->root);
67717 return 0;
67718 }
67719
67720 @@ -1049,10 +1087,13 @@ static struct task_struct *copy_process(
67721 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67722 #endif
67723 retval = -EAGAIN;
67724 +
67725 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67726 +
67727 if (atomic_read(&p->real_cred->user->processes) >=
67728 task_rlimit(p, RLIMIT_NPROC)) {
67729 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67730 - p->real_cred->user != INIT_USER)
67731 + if (p->real_cred->user != INIT_USER &&
67732 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
67733 goto bad_fork_free;
67734 }
67735
67736 @@ -1200,6 +1241,8 @@ static struct task_struct *copy_process(
67737 goto bad_fork_free_pid;
67738 }
67739
67740 + gr_copy_label(p);
67741 +
67742 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67743 /*
67744 * Clear TID on mm_release()?
67745 @@ -1360,6 +1403,8 @@ bad_fork_cleanup_count:
67746 bad_fork_free:
67747 free_task(p);
67748 fork_out:
67749 + gr_log_forkfail(retval);
67750 +
67751 return ERR_PTR(retval);
67752 }
67753
67754 @@ -1448,6 +1493,8 @@ long do_fork(unsigned long clone_flags,
67755 if (clone_flags & CLONE_PARENT_SETTID)
67756 put_user(nr, parent_tidptr);
67757
67758 + gr_handle_brute_check();
67759 +
67760 if (clone_flags & CLONE_VFORK) {
67761 p->vfork_done = &vfork;
67762 init_completion(&vfork);
67763 @@ -1549,7 +1596,7 @@ static int unshare_fs(unsigned long unsh
67764 return 0;
67765
67766 /* don't need lock here; in the worst case we'll do useless copy */
67767 - if (fs->users == 1)
67768 + if (atomic_read(&fs->users) == 1)
67769 return 0;
67770
67771 *new_fsp = copy_fs_struct(fs);
67772 @@ -1636,7 +1683,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67773 fs = current->fs;
67774 spin_lock(&fs->lock);
67775 current->fs = new_fs;
67776 - if (--fs->users)
67777 + gr_set_chroot_entries(current, &current->fs->root);
67778 + if (atomic_dec_return(&fs->users))
67779 new_fs = NULL;
67780 else
67781 new_fs = fs;
67782 diff -urNp linux-2.6.39.2/kernel/futex.c linux-2.6.39.2/kernel/futex.c
67783 --- linux-2.6.39.2/kernel/futex.c 2011-05-19 00:06:34.000000000 -0400
67784 +++ linux-2.6.39.2/kernel/futex.c 2011-05-22 22:41:57.000000000 -0400
67785 @@ -54,6 +54,7 @@
67786 #include <linux/mount.h>
67787 #include <linux/pagemap.h>
67788 #include <linux/syscalls.h>
67789 +#include <linux/ptrace.h>
67790 #include <linux/signal.h>
67791 #include <linux/module.h>
67792 #include <linux/magic.h>
67793 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67794 struct page *page, *page_head;
67795 int err;
67796
67797 +#ifdef CONFIG_PAX_SEGMEXEC
67798 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
67799 + return -EFAULT;
67800 +#endif
67801 +
67802 /*
67803 * The futex address must be "naturally" aligned.
67804 */
67805 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
67806 struct futex_q q = futex_q_init;
67807 int ret;
67808
67809 + pax_track_stack();
67810 +
67811 if (!bitset)
67812 return -EINVAL;
67813 q.bitset = bitset;
67814 @@ -2229,6 +2237,8 @@ static int futex_wait_requeue_pi(u32 __u
67815 struct futex_q q = futex_q_init;
67816 int res, ret;
67817
67818 + pax_track_stack();
67819 +
67820 if (!bitset)
67821 return -EINVAL;
67822
67823 @@ -2401,7 +2411,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67824 {
67825 struct robust_list_head __user *head;
67826 unsigned long ret;
67827 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67828 const struct cred *cred = current_cred(), *pcred;
67829 +#endif
67830
67831 if (!futex_cmpxchg_enabled)
67832 return -ENOSYS;
67833 @@ -2417,6 +2429,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67834 if (!p)
67835 goto err_unlock;
67836 ret = -EPERM;
67837 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67838 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
67839 + goto err_unlock;
67840 +#else
67841 pcred = __task_cred(p);
67842 /* If victim is in different user_ns, then uids are not
67843 comparable, so we must have CAP_SYS_PTRACE */
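Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, and nothing at the `#ifdef` says why that option governs a futex syscall. A comment such as `/* the robust list head is an address in the target's address space; gate it like other layout disclosures */` would make the link explicit, assuming that is the intent. The same `#ifndef`/`#ifdef`/`#endif` split is repeated in `compat_sys_get_robust_list()` in kernel/futex_compat.c, so a shared static inline helper that answers whether the caller may read `p`'s robust list would keep the two syscalls from drifting apart. The function starts and ends outside the hunk.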
67844 @@ -2431,6 +2447,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67845 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
67846 goto err_unlock;
67847 ok:
67848 +#endif
67849 head = p->robust_list;
67850 rcu_read_unlock();
67851 }
67852 @@ -2682,6 +2699,7 @@ static int __init futex_init(void)
67853 {
67854 u32 curval;
67855 int i;
67856 + mm_segment_t oldfs;
67857
67858 /*
67859 * This will fail and we want it. Some arch implementations do
67860 @@ -2693,8 +2711,11 @@ static int __init futex_init(void)
67861 * implementation, the non-functional ones will return
67862 * -ENOSYS.
67863 */
67864 + oldfs = get_fs();
67865 + set_fs(USER_DS);
67866 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
67867 futex_cmpxchg_enabled = 1;
67868 + set_fs(oldfs);
67869
67870 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
67871 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
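Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the probe is not explained, and the existing comment above it only says that the call is expected to fail. A short comment such as `/* probe with the user address limit so the NULL access is checked as a user pointer */` would make clear why the limit is switched; this is my inference from the `-EFAULT` test and should be confirmed against the arch implementations. `oldfs` is declared in the previous hunk, and futex_init's body continues outside this one.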
67872 diff -urNp linux-2.6.39.2/kernel/futex_compat.c linux-2.6.39.2/kernel/futex_compat.c
67873 --- linux-2.6.39.2/kernel/futex_compat.c 2011-05-19 00:06:34.000000000 -0400
67874 +++ linux-2.6.39.2/kernel/futex_compat.c 2011-05-22 22:42:09.000000000 -0400
67875 @@ -10,6 +10,7 @@
67876 #include <linux/compat.h>
67877 #include <linux/nsproxy.h>
67878 #include <linux/futex.h>
67879 +#include <linux/ptrace.h>
67880
67881 #include <asm/uaccess.h>
67882
67883 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
67884 {
67885 struct compat_robust_list_head __user *head;
67886 unsigned long ret;
67887 - const struct cred *cred = current_cred(), *pcred;
67888 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67889 + const struct cred *cred = current_cred();
67890 + const struct cred *pcred;
67891 +#endif
67892
67893 if (!futex_cmpxchg_enabled)
67894 return -ENOSYS;
67895 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
67896 if (!p)
67897 goto err_unlock;
67898 ret = -EPERM;
67899 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67900 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
67901 + goto err_unlock;
67902 +#else
67903 pcred = __task_cred(p);
67904 /* If victim is in different user_ns, then uids are not
67905 comparable, so we must have CAP_SYS_PTRACE */
67906 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
67907 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
67908 goto err_unlock;
67909 ok:
67910 +#endif
67911 head = p->compat_robust_list;
67912 rcu_read_unlock();
67913 }
67914 diff -urNp linux-2.6.39.2/kernel/gcov/base.c linux-2.6.39.2/kernel/gcov/base.c
67915 --- linux-2.6.39.2/kernel/gcov/base.c 2011-05-19 00:06:34.000000000 -0400
67916 +++ linux-2.6.39.2/kernel/gcov/base.c 2011-05-22 19:36:33.000000000 -0400
67917 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
67918 }
67919
67920 #ifdef CONFIG_MODULES
67921 -static inline int within(void *addr, void *start, unsigned long size)
67922 -{
67923 - return ((addr >= start) && (addr < start + size));
67924 -}
67925 -
67926 /* Update list and generate events when modules are unloaded. */
67927 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
67928 void *data)
67929 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
67930 prev = NULL;
67931 /* Remove entries located in module from linked list. */
67932 for (info = gcov_info_head; info; info = info->next) {
67933 - if (within(info, mod->module_core, mod->core_size)) {
67934 + if (within_module_core_rw((unsigned long)info, mod)) {
67935 if (prev)
67936 prev->next = info->next;
67937 else
67938 diff -urNp linux-2.6.39.2/kernel/hrtimer.c linux-2.6.39.2/kernel/hrtimer.c
67939 --- linux-2.6.39.2/kernel/hrtimer.c 2011-05-19 00:06:34.000000000 -0400
67940 +++ linux-2.6.39.2/kernel/hrtimer.c 2011-05-22 19:36:33.000000000 -0400
67941 @@ -1383,7 +1383,7 @@ void hrtimer_peek_ahead_timers(void)
67942 local_irq_restore(flags);
67943 }
67944
67945 -static void run_hrtimer_softirq(struct softirq_action *h)
67946 +static void run_hrtimer_softirq(void)
67947 {
67948 hrtimer_peek_ahead_timers();
67949 }
67950 diff -urNp linux-2.6.39.2/kernel/irq/manage.c linux-2.6.39.2/kernel/irq/manage.c
67951 --- linux-2.6.39.2/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
67952 +++ linux-2.6.39.2/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
67953 @@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
67954 struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
67955 int ret = 0;
67956
67957 + if (!desc)
67958 + return -EINVAL;
67959 +
67960 /* wakeup-capable irqs can be shared between drivers that
67961 * don't need to have the same sleep mode behaviors.
67962 */
67963 diff -urNp linux-2.6.39.2/kernel/jump_label.c linux-2.6.39.2/kernel/jump_label.c
67964 --- linux-2.6.39.2/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
67965 +++ linux-2.6.39.2/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
67966 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
67967 mutex_unlock(&jump_label_mutex);
67968 }
67969
67970 +static void jump_label_swap(void *a, void *b, int size)
67971 +{
67972 + struct jump_entry t;
67973 +
67974 + t = *(struct jump_entry *)a;
67975 + pax_open_kernel();
67976 + *(struct jump_entry *)a = *(struct jump_entry *)b;
67977 + *(struct jump_entry *)b = t;
67978 + pax_close_kernel();
67979 +}
67980 +
67981 static int jump_label_cmp(const void *a, const void *b)
67982 {
67983 const struct jump_entry *jea = a;
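Review bot: `jump_label_swap()` ignores its `size` argument and always copies a whole `struct jump_entry`, which is correct only because `sort()` is called with `sizeof(struct jump_entry)` in the next hunk. I would state that in a header comment, e.g. `/* swap callback for sort(); size is always sizeof(struct jump_entry) */`, or enforce it with `BUG_ON(size != sizeof(struct jump_entry));`. The comment should also say why the two stores sit between `pax_open_kernel()` and `pax_close_kernel()` (presumably the table is write-protected under KERNEXEC). Filling `t` before `pax_open_kernel()` keeps the writable window down to the two stores, and that ordering is worth preserving.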
67984 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
67985
67986 size = (((unsigned long)stop - (unsigned long)start)
67987 / sizeof(struct jump_entry));
67988 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
67989 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
67990 }
67991
67992 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
67993 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
67994 count = e_module->nr_entries;
67995 iter = e_module->table;
67996 while (count--) {
67997 - if (within_module_init(iter->code, mod))
67998 + if (within_module_init(iter->code, mod)) {
67999 + pax_open_kernel();
68000 iter->key = 0;
68001 + pax_close_kernel();
68002 + }
68003 iter++;
68004 }
68005 }
68006 diff -urNp linux-2.6.39.2/kernel/kallsyms.c linux-2.6.39.2/kernel/kallsyms.c
68007 --- linux-2.6.39.2/kernel/kallsyms.c 2011-05-19 00:06:34.000000000 -0400
68008 +++ linux-2.6.39.2/kernel/kallsyms.c 2011-05-22 19:41:42.000000000 -0400
68009 @@ -11,6 +11,9 @@
68010 * Changed the compression method from stem compression to "table lookup"
68011 * compression (see scripts/kallsyms.c for a more complete description)
68012 */
68013 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68014 +#define __INCLUDED_BY_HIDESYM 1
68015 +#endif
68016 #include <linux/kallsyms.h>
68017 #include <linux/module.h>
68018 #include <linux/init.h>
68019 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
68020
68021 static inline int is_kernel_inittext(unsigned long addr)
68022 {
68023 + if (system_state != SYSTEM_BOOTING)
68024 + return 0;
68025 +
68026 if (addr >= (unsigned long)_sinittext
68027 && addr <= (unsigned long)_einittext)
68028 return 1;
68029 return 0;
68030 }
68031
68032 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68033 +#ifdef CONFIG_MODULES
68034 +static inline int is_module_text(unsigned long addr)
68035 +{
68036 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68037 + return 1;
68038 +
68039 + addr = ktla_ktva(addr);
68040 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68041 +}
68042 +#else
68043 +static inline int is_module_text(unsigned long addr)
68044 +{
68045 + return 0;
68046 +}
68047 +#endif
68048 +#endif
68049 +
68050 static inline int is_kernel_text(unsigned long addr)
68051 {
68052 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
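Review bot: The new `system_state != SYSTEM_BOOTING` test in `is_kernel_inittext()` has no comment, and `is_module_text()` is added without one either. Suggest `/* the init text range only holds kernel symbols during boot */` on the first (my assumption about the intent, to be confirmed) and a one-line description on the second saying that it tests the address both as given and after `ktla_ktva()` against `MODULES_EXEC_VADDR`..`MODULES_EXEC_END`. That range comparison is written out twice in `is_module_text()`; a small local helper would keep the two copies from drifting apart.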
68053 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
68054
68055 static inline int is_kernel(unsigned long addr)
68056 {
68057 +
68058 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68059 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
68060 + return 1;
68061 +
68062 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68063 +#else
68064 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68065 +#endif
68066 +
68067 return 1;
68068 return in_gate_area_no_mm(addr);
68069 }
68070
68071 static int is_ksym_addr(unsigned long addr)
68072 {
68073 +
68074 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68075 + if (is_module_text(addr))
68076 + return 0;
68077 +#endif
68078 +
68079 if (all_var)
68080 return is_kernel(addr);
68081
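Review bot: In `is_kernel()` the `#if`/`#else` separates an `if` condition from its `return 1;` body, with a blank line in between, so the statement cannot be read without resolving the preprocessor by eye. Giving each branch a complete statement, i.e. ending both the KERNEXEC condition and the `#else` condition with their own `return 1;` before `#endif`, is easier to review and to patch later. The KERNEXEC branch also tests `addr < (unsigned long)_end` where the original tests `addr <= (unsigned long)_end`; if the difference is intended it needs a comment, otherwise the two bounds should agree.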
68082 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
68083
68084 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68085 {
68086 - iter->name[0] = '\0';
68087 iter->nameoff = get_symbol_offset(new_pos);
68088 iter->pos = new_pos;
68089 }
68090 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
68091 {
68092 struct kallsym_iter *iter = m->private;
68093
68094 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68095 + if (current_uid())
68096 + return 0;
68097 +#endif
68098 +
68099 /* Some debugging symbols have no name. Ignore them. */
68100 if (!iter->name[0])
68101 return 0;
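Review bot: The `current_uid()` test in `s_show()` is evaluated against whichever task performs the read, not against the task that opened the file. A descriptor opened by one process and read by another is therefore judged on the reader's uid, so the decision is better taken once in `kallsyms_open()` and stored in the iterator for `s_show()` to consult. Comparing the uid with zero also ties the policy to uid 0 instead of a capability, and a comment should say that this is deliberate. `s_show()` continues outside the hunk.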
68102 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
68103 struct kallsym_iter *iter;
68104 int ret;
68105
68106 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68107 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68108 if (!iter)
68109 return -ENOMEM;
68110 reset_iter(iter, 0);
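Review bot: `kzalloc()` is now what guarantees `iter->name[0]` is zero on a fresh iterator, because the `reset_iter()` hunk above drops the explicit `iter->name[0] = '\0';`. A comment on the allocation, e.g. `/* zeroed: s_show() tests iter->name[0] and reset_iter() no longer clears it */`, would stop a later cleanup from switching back to `kmalloc()`. kallsyms_open's body continues outside the hunk.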
68111 diff -urNp linux-2.6.39.2/kernel/kmod.c linux-2.6.39.2/kernel/kmod.c
68112 --- linux-2.6.39.2/kernel/kmod.c 2011-05-19 00:06:34.000000000 -0400
68113 +++ linux-2.6.39.2/kernel/kmod.c 2011-05-22 19:41:42.000000000 -0400
68114 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
68115 * If module auto-loading support is disabled then this function
68116 * becomes a no-operation.
68117 */
68118 -int __request_module(bool wait, const char *fmt, ...)
68119 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
68120 {
68121 - va_list args;
68122 char module_name[MODULE_NAME_LEN];
68123 unsigned int max_modprobes;
68124 int ret;
68125 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
68126 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
68127 static char *envp[] = { "HOME=/",
68128 "TERM=linux",
68129 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
68130 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
68131 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
68132 static int kmod_loop_msg;
68133
68134 - va_start(args, fmt);
68135 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
68136 - va_end(args);
68137 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
68138 if (ret >= MODULE_NAME_LEN)
68139 return -ENAMETOOLONG;
68140
68141 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
68142 if (ret)
68143 return ret;
68144
68145 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68146 + if (!current_uid()) {
68147 + /* hack to workaround consolekit/udisks stupidity */
68148 + read_lock(&tasklist_lock);
68149 + if (!strcmp(current->comm, "mount") &&
68150 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
68151 + read_unlock(&tasklist_lock);
68152 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
68153 + return -EPERM;
68154 + }
68155 + read_unlock(&tasklist_lock);
68156 + }
68157 +#endif
68158 +
68159 /* If modprobe needs a service that is in a module, we get a recursive
68160 * loop. Limit the number of running kmod threads to max_threads/2 or
68161 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
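Review bot: The udisks special case identifies the caller by `current->comm` and `current->real_parent->comm`, which are task names that a task can set for itself, so the block should be documented as a best-effort compatibility heuristic and not as an access-control check; the present comment only calls it a hack. Something like `/* best effort: refuse fs module auto-load when mount was spawned by udisks; comm is advisory only */` would do. The `KERN_ALERT` message is not rate-limited, and if this path can be reached repeatedly it may be worth using `printk_ratelimited()`. The enclosing function starts and ends outside this hunk.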
68162 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
68163 atomic_dec(&kmod_concurrent);
68164 return ret;
68165 }
68166 +
68167 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
68168 +{
68169 + va_list args;
68170 + int ret;
68171 +
68172 + va_start(args, fmt);
68173 + ret = ____request_module(wait, module_param, fmt, args);
68174 + va_end(args);
68175 +
68176 + return ret;
68177 +}
68178 +
68179 +int __request_module(bool wait, const char *fmt, ...)
68180 +{
68181 + va_list args;
68182 + int ret;
68183 +
68184 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68185 + if (current_uid()) {
68186 + char module_param[MODULE_NAME_LEN];
68187 +
68188 + memset(module_param, 0, sizeof(module_param));
68189 +
68190 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
68191 +
68192 + va_start(args, fmt);
68193 + ret = ____request_module(wait, module_param, fmt, args);
68194 + va_end(args);
68195 +
68196 + return ret;
68197 + }
68198 +#endif
68199 +
68200 + va_start(args, fmt);
68201 + ret = ____request_module(wait, NULL, fmt, args);
68202 + va_end(args);
68203 +
68204 + return ret;
68205 +}
68206 +
68207 EXPORT_SYMBOL(__request_module);
68208 #endif /* CONFIG_MODULES */
68209
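Review bot: `__request_module()` now holds two copies of the `va_start` / `____request_module` / `va_end` sequence that differ only in the `module_param` argument; choosing the argument first and calling once is shorter and removes the early return. The `memset()` plus `sizeof(module_param) - 1` is also redundant, because `snprintf()` always terminates within the size it is given. `___request_module()` is added without an `EXPORT_SYMBOL`, which is fine only if no module calls it; that cannot be told from this hunk. A possible shape for the function is below.

```c
int __request_module(bool wait, const char *fmt, ...)
{
	va_list args;
	char *param = NULL;
	int ret;
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	char module_param[MODULE_NAME_LEN] = "";

	/* non-root requests are tagged so the load can be restricted later */
	if (current_uid()) {
		snprintf(module_param, sizeof(module_param),
			 "grsec_modharden_normal%u_", current_uid());
		param = module_param;
	}
#endif

	va_start(args, fmt);
	ret = ____request_module(wait, param, fmt, args);
	va_end(args);

	return ret;
}
```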
68210 diff -urNp linux-2.6.39.2/kernel/kprobes.c linux-2.6.39.2/kernel/kprobes.c
68211 --- linux-2.6.39.2/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
68212 +++ linux-2.6.39.2/kernel/kprobes.c 2011-05-22 19:36:33.000000000 -0400
68213 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
68214 * kernel image and loaded module images reside. This is required
68215 * so x86_64 can correctly handle the %rip-relative fixups.
68216 */
68217 - kip->insns = module_alloc(PAGE_SIZE);
68218 + kip->insns = module_alloc_exec(PAGE_SIZE);
68219 if (!kip->insns) {
68220 kfree(kip);
68221 return NULL;
68222 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
68223 */
68224 if (!list_is_singular(&kip->list)) {
68225 list_del(&kip->list);
68226 - module_free(NULL, kip->insns);
68227 + module_free_exec(NULL, kip->insns);
68228 kfree(kip);
68229 }
68230 return 1;
68231 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
68232 {
68233 int i, err = 0;
68234 unsigned long offset = 0, size = 0;
68235 - char *modname, namebuf[128];
68236 + char *modname, namebuf[KSYM_NAME_LEN];
68237 const char *symbol_name;
68238 void *addr;
68239 struct kprobe_blackpoint *kb;
68240 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
68241 const char *sym = NULL;
68242 unsigned int i = *(loff_t *) v;
68243 unsigned long offset = 0;
68244 - char *modname, namebuf[128];
68245 + char *modname, namebuf[KSYM_NAME_LEN];
68246
68247 head = &kprobe_table[i];
68248 preempt_disable();
68249 diff -urNp linux-2.6.39.2/kernel/lockdep.c linux-2.6.39.2/kernel/lockdep.c
68250 --- linux-2.6.39.2/kernel/lockdep.c 2011-06-25 12:55:23.000000000 -0400
68251 +++ linux-2.6.39.2/kernel/lockdep.c 2011-06-25 13:00:28.000000000 -0400
68252 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
68253 end = (unsigned long) &_end,
68254 addr = (unsigned long) obj;
68255
68256 +#ifdef CONFIG_PAX_KERNEXEC
68257 + start = ktla_ktva(start);
68258 +#endif
68259 +
68260 /*
68261 * static variable?
68262 */
68263 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
68264 if (!static_obj(lock->key)) {
68265 debug_locks_off();
68266 printk("INFO: trying to register non-static key.\n");
68267 + printk("lock:%pS key:%pS.\n", lock, lock->key);
68268 printk("the code is fine but needs lockdep annotation.\n");
68269 printk("turning off the locking correctness validator.\n");
68270 dump_stack();
68271 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
68272 if (!class)
68273 return 0;
68274 }
68275 - atomic_inc((atomic_t *)&class->ops);
68276 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
68277 if (very_verbose(class)) {
68278 printk("\nacquire class [%p] %s", class->key, class->name);
68279 if (class->name_version > 1)
68280 diff -urNp linux-2.6.39.2/kernel/lockdep_proc.c linux-2.6.39.2/kernel/lockdep_proc.c
68281 --- linux-2.6.39.2/kernel/lockdep_proc.c 2011-05-19 00:06:34.000000000 -0400
68282 +++ linux-2.6.39.2/kernel/lockdep_proc.c 2011-05-22 19:36:33.000000000 -0400
68283 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68284
68285 static void print_name(struct seq_file *m, struct lock_class *class)
68286 {
68287 - char str[128];
68288 + char str[KSYM_NAME_LEN];
68289 const char *name = class->name;
68290
68291 if (!name) {
68292 diff -urNp linux-2.6.39.2/kernel/module.c linux-2.6.39.2/kernel/module.c
68293 --- linux-2.6.39.2/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
68294 +++ linux-2.6.39.2/kernel/module.c 2011-05-22 19:41:42.000000000 -0400
68295 @@ -57,6 +57,7 @@
68296 #include <linux/kmemleak.h>
68297 #include <linux/jump_label.h>
68298 #include <linux/pfn.h>
68299 +#include <linux/grsecurity.h>
68300
68301 #define CREATE_TRACE_POINTS
68302 #include <trace/events/module.h>
68303 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
68304
68305 /* Bounds of module allocation, for speeding __module_address.
68306 * Protected by module_mutex. */
68307 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68308 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68309 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68310
68311 int register_module_notifier(struct notifier_block * nb)
68312 {
68313 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
68314 return true;
68315
68316 list_for_each_entry_rcu(mod, &modules, list) {
68317 - struct symsearch arr[] = {
68318 + struct symsearch modarr[] = {
68319 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68320 NOT_GPL_ONLY, false },
68321 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68322 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
68323 #endif
68324 };
68325
68326 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68327 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68328 return true;
68329 }
68330 return false;
68331 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
68332 static int percpu_modalloc(struct module *mod,
68333 unsigned long size, unsigned long align)
68334 {
68335 - if (align > PAGE_SIZE) {
68336 + if (align-1 >= PAGE_SIZE) {
68337 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68338 mod->name, align, PAGE_SIZE);
68339 align = PAGE_SIZE;
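Review bot: `align-1 >= PAGE_SIZE` also catches `align == 0` through unsigned wrap-around, but nothing says so, and the warning text still prints `alignment %li > %li`, which reads as `0 > PAGE_SIZE` in that case. Add a comment such as `/* align - 1 wraps for align == 0, so zero is rejected as well */` and consider wording the message as an invalid alignment. percpu_modalloc's body continues outside the hunk.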
68340 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
68341 */
68342 #ifdef CONFIG_SYSFS
68343
68344 -#ifdef CONFIG_KALLSYMS
68345 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68346 static inline bool sect_empty(const Elf_Shdr *sect)
68347 {
68348 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
68349 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
68350 {
68351 unsigned long total_pages;
68352
68353 - if (mod->module_core == module_region) {
68354 + if (mod->module_core_rx == module_region) {
68355 /* Set core as NX+RW */
68356 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
68357 - set_memory_nx((unsigned long)mod->module_core, total_pages);
68358 - set_memory_rw((unsigned long)mod->module_core, total_pages);
68359 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
68360 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
68361 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
68362
68363 - } else if (mod->module_init == module_region) {
68364 + } else if (mod->module_init_rx == module_region) {
68365 /* Set init as NX+RW */
68366 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
68367 - set_memory_nx((unsigned long)mod->module_init, total_pages);
68368 - set_memory_rw((unsigned long)mod->module_init, total_pages);
68369 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
68370 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
68371 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
68372 }
68373 }
68374
68375 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
68376
68377 mutex_lock(&module_mutex);
68378 list_for_each_entry_rcu(mod, &modules, list) {
68379 - if ((mod->module_core) && (mod->core_text_size)) {
68380 - set_page_attributes(mod->module_core,
68381 - mod->module_core + mod->core_text_size,
68382 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68383 + set_page_attributes(mod->module_core_rx,
68384 + mod->module_core_rx + mod->core_size_rx,
68385 set_memory_rw);
68386 }
68387 - if ((mod->module_init) && (mod->init_text_size)) {
68388 - set_page_attributes(mod->module_init,
68389 - mod->module_init + mod->init_text_size,
68390 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68391 + set_page_attributes(mod->module_init_rx,
68392 + mod->module_init_rx + mod->init_size_rx,
68393 set_memory_rw);
68394 }
68395 }
68396 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
68397
68398 mutex_lock(&module_mutex);
68399 list_for_each_entry_rcu(mod, &modules, list) {
68400 - if ((mod->module_core) && (mod->core_text_size)) {
68401 - set_page_attributes(mod->module_core,
68402 - mod->module_core + mod->core_text_size,
68403 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68404 + set_page_attributes(mod->module_core_rx,
68405 + mod->module_core_rx + mod->core_size_rx,
68406 set_memory_ro);
68407 }
68408 - if ((mod->module_init) && (mod->init_text_size)) {
68409 - set_page_attributes(mod->module_init,
68410 - mod->module_init + mod->init_text_size,
68411 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68412 + set_page_attributes(mod->module_init_rx,
68413 + mod->module_init_rx + mod->init_size_rx,
68414 set_memory_ro);
68415 }
68416 }
68417 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
68418 destroy_params(mod->kp, mod->num_kp);
68419
68420 /* This may be NULL, but that's OK */
68421 - unset_section_ro_nx(mod, mod->module_init);
68422 - module_free(mod, mod->module_init);
68423 + unset_section_ro_nx(mod, mod->module_init_rx);
68424 + module_free(mod, mod->module_init_rw);
68425 + module_free_exec(mod, mod->module_init_rx);
68426 kfree(mod->args);
68427 percpu_modfree(mod);
68428
68429 /* Free lock-classes: */
68430 - lockdep_free_key_range(mod->module_core, mod->core_size);
68431 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68432 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68433
68434 /* Finally, free the core (containing the module structure) */
68435 - unset_section_ro_nx(mod, mod->module_core);
68436 - module_free(mod, mod->module_core);
68437 + unset_section_ro_nx(mod, mod->module_core_rx);
68438 + module_free_exec(mod, mod->module_core_rx);
68439 + module_free(mod, mod->module_core_rw);
68440
68441 #ifdef CONFIG_MPU
68442 update_protections(current->mm);
68443 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
68444 unsigned int i;
68445 int ret = 0;
68446 const struct kernel_symbol *ksym;
68447 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68448 + int is_fs_load = 0;
68449 + int register_filesystem_found = 0;
68450 + char *p;
68451 +
68452 + p = strstr(mod->args, "grsec_modharden_fs");
68453 + if (p) {
68454 + char *endptr = p + strlen("grsec_modharden_fs");
68455 + /* copy \0 as well */
68456 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68457 + is_fs_load = 1;
68458 + }
68459 +#endif
68460
68461 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
68462 const char *name = info->strtab + sym[i].st_name;
68463
68464 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68465 + /* it's a real shame this will never get ripped and copied
68466 + upstream! ;(
68467 + */
68468 + if (is_fs_load && !strcmp(name, "register_filesystem"))
68469 + register_filesystem_found = 1;
68470 +#endif
68471 +
68472 switch (sym[i].st_shndx) {
68473 case SHN_COMMON:
68474 /* We compiled with -fno-common. These are not
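Review bot: The comment added above the `register_filesystem` comparison does not describe the check it sits on. I would replace it with something like `/* a load tagged grsec_modharden_fs must reference register_filesystem; it is refused after the loop otherwise */`, which matches the `-EPERM` path in the later hunk of this function. The marker is located with `strstr()` anywhere in `mod->args`, so it would also match inside another parameter's value; matching it as a whole token would be stricter. simplify_symbols starts and ends outside this hunk.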
68475 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
68476 ksym = resolve_symbol_wait(mod, info, name);
68477 /* Ok if resolved. */
68478 if (ksym && !IS_ERR(ksym)) {
68479 + pax_open_kernel();
68480 sym[i].st_value = ksym->value;
68481 + pax_close_kernel();
68482 break;
68483 }
68484
68485 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
68486 secbase = (unsigned long)mod_percpu(mod);
68487 else
68488 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
68489 + pax_open_kernel();
68490 sym[i].st_value += secbase;
68491 + pax_close_kernel();
68492 break;
68493 }
68494 }
68495
68496 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68497 + if (is_fs_load && !register_filesystem_found) {
68498 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68499 + ret = -EPERM;
68500 + }
68501 +#endif
68502 +
68503 return ret;
68504 }
68505
68506 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
68507 || s->sh_entsize != ~0UL
68508 || strstarts(sname, ".init"))
68509 continue;
68510 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68511 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68512 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68513 + else
68514 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68515 DEBUGP("\t%s\n", name);
68516 }
68517 - switch (m) {
68518 - case 0: /* executable */
68519 - mod->core_size = debug_align(mod->core_size);
68520 - mod->core_text_size = mod->core_size;
68521 - break;
68522 - case 1: /* RO: text and ro-data */
68523 - mod->core_size = debug_align(mod->core_size);
68524 - mod->core_ro_size = mod->core_size;
68525 - break;
68526 - case 3: /* whole core */
68527 - mod->core_size = debug_align(mod->core_size);
68528 - break;
68529 - }
68530 }
68531
68532 DEBUGP("Init section allocation order:\n");
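Review bot: The predicate `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out in the core loop here, in the init loop in the next hunk and again in move_module, so the rw/rx split is defined in three places that must stay identical. A helper such as `static bool sect_is_rw(const Elf_Shdr *s)` with a comment stating the rule would keep them in step. In move_module the `!SHF_ALLOC` half can never be true, because sections without `SHF_ALLOC` are skipped just above it. As written, every allocated section without `SHF_WRITE` is sized into the rx region, read-only data included, which deserves a comment if it is intentional.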
68533 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
68534 || s->sh_entsize != ~0UL
68535 || !strstarts(sname, ".init"))
68536 continue;
68537 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68538 - | INIT_OFFSET_MASK);
68539 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68540 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68541 + else
68542 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68543 + s->sh_entsize |= INIT_OFFSET_MASK;
68544 DEBUGP("\t%s\n", sname);
68545 }
68546 - switch (m) {
68547 - case 0: /* executable */
68548 - mod->init_size = debug_align(mod->init_size);
68549 - mod->init_text_size = mod->init_size;
68550 - break;
68551 - case 1: /* RO: text and ro-data */
68552 - mod->init_size = debug_align(mod->init_size);
68553 - mod->init_ro_size = mod->init_size;
68554 - break;
68555 - case 3: /* whole init */
68556 - mod->init_size = debug_align(mod->init_size);
68557 - break;
68558 - }
68559 }
68560 }
68561
68562 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
68563
68564 /* Put symbol section at end of init part of module. */
68565 symsect->sh_flags |= SHF_ALLOC;
68566 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68567 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68568 info->index.sym) | INIT_OFFSET_MASK;
68569 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
68570
68571 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
68572 }
68573
68574 /* Append room for core symbols at end of core part. */
68575 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68576 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
68577 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68578 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
68579
68580 /* Put string table section at end of init part of module. */
68581 strsect->sh_flags |= SHF_ALLOC;
68582 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68583 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68584 info->index.str) | INIT_OFFSET_MASK;
68585 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
68586
68587 /* Append room for core symbols' strings at end of core part. */
68588 - info->stroffs = mod->core_size;
68589 + info->stroffs = mod->core_size_rx;
68590 __set_bit(0, info->strmap);
68591 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
68592 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
68593 }
68594
68595 static void add_kallsyms(struct module *mod, const struct load_info *info)
68596 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
68597 /* Make sure we get permanent strtab: don't use info->strtab. */
68598 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
68599
68600 + pax_open_kernel();
68601 +
68602 /* Set types up while we still have access to sections. */
68603 for (i = 0; i < mod->num_symtab; i++)
68604 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
68605
68606 - mod->core_symtab = dst = mod->module_core + info->symoffs;
68607 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
68608 src = mod->symtab;
68609 *dst = *src;
68610 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68611 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
68612 }
68613 mod->core_num_syms = ndst;
68614
68615 - mod->core_strtab = s = mod->module_core + info->stroffs;
68616 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
68617 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
68618 if (test_bit(i, info->strmap))
68619 *++s = mod->strtab[i];
68620 +
68621 + pax_close_kernel();
68622 }
68623 #else
68624 static inline void layout_symtab(struct module *mod, struct load_info *info)
68625 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
68626 ddebug_remove_module(debug->modname);
68627 }
68628
68629 -static void *module_alloc_update_bounds(unsigned long size)
68630 +static void *module_alloc_update_bounds_rw(unsigned long size)
68631 {
68632 void *ret = module_alloc(size);
68633
68634 if (ret) {
68635 mutex_lock(&module_mutex);
68636 /* Update module bounds. */
68637 - if ((unsigned long)ret < module_addr_min)
68638 - module_addr_min = (unsigned long)ret;
68639 - if ((unsigned long)ret + size > module_addr_max)
68640 - module_addr_max = (unsigned long)ret + size;
68641 + if ((unsigned long)ret < module_addr_min_rw)
68642 + module_addr_min_rw = (unsigned long)ret;
68643 + if ((unsigned long)ret + size > module_addr_max_rw)
68644 + module_addr_max_rw = (unsigned long)ret + size;
68645 + mutex_unlock(&module_mutex);
68646 + }
68647 + return ret;
68648 +}
68649 +
68650 +static void *module_alloc_update_bounds_rx(unsigned long size)
68651 +{
68652 + void *ret = module_alloc_exec(size);
68653 +
68654 + if (ret) {
68655 + mutex_lock(&module_mutex);
68656 + /* Update module bounds. */
68657 + if ((unsigned long)ret < module_addr_min_rx)
68658 + module_addr_min_rx = (unsigned long)ret;
68659 + if ((unsigned long)ret + size > module_addr_max_rx)
68660 + module_addr_max_rx = (unsigned long)ret + size;
68661 mutex_unlock(&module_mutex);
68662 }
68663 return ret;
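Review bot: `module_alloc_update_bounds_rw()` and `module_alloc_update_bounds_rx()` are line-for-line copies that differ only in the allocator and in which pair of bounds they update. Moving the locked min/max update into one helper that takes pointers to the bounds leaves each wrapper at three lines and keeps the locking in a single place. The closing lines of the second function lie outside this hunk.

```c
/* Widen [*min, *max) to cover a new allocation; takes module_mutex. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	if (ret)
		module_update_bounds(ret, size, &module_addr_min_rx,
				     &module_addr_max_rx);
	return ret;
}
/* … module_alloc_update_bounds_rw: same, with module_alloc() and the _rw bounds … */
```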
68664 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
68665 void *ptr;
68666
68667 /* Do the allocs. */
68668 - ptr = module_alloc_update_bounds(mod->core_size);
68669 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68670 /*
68671 * The pointer to this block is stored in the module structure
68672 * which is inside the block. Just mark it as not being a
68673 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
68674 if (!ptr)
68675 return -ENOMEM;
68676
68677 - memset(ptr, 0, mod->core_size);
68678 - mod->module_core = ptr;
68679 + memset(ptr, 0, mod->core_size_rw);
68680 + mod->module_core_rw = ptr;
68681
68682 - ptr = module_alloc_update_bounds(mod->init_size);
68683 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68684 /*
68685 * The pointer to this block is stored in the module structure
68686 * which is inside the block. This block doesn't need to be
68687 * scanned as it contains data and code that will be freed
68688 * after the module is initialized.
68689 */
68690 - kmemleak_ignore(ptr);
68691 - if (!ptr && mod->init_size) {
68692 - module_free(mod, mod->module_core);
68693 + kmemleak_not_leak(ptr);
68694 + if (!ptr && mod->init_size_rw) {
68695 + module_free(mod, mod->module_core_rw);
68696 return -ENOMEM;
68697 }
68698 - memset(ptr, 0, mod->init_size);
68699 - mod->module_init = ptr;
68700 + memset(ptr, 0, mod->init_size_rw);
68701 + mod->module_init_rw = ptr;
68702 +
68703 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68704 + kmemleak_not_leak(ptr);
68705 + if (!ptr) {
68706 + module_free(mod, mod->module_init_rw);
68707 + module_free(mod, mod->module_core_rw);
68708 + return -ENOMEM;
68709 + }
68710 +
68711 + pax_open_kernel();
68712 + memset(ptr, 0, mod->core_size_rx);
68713 + pax_close_kernel();
68714 + mod->module_core_rx = ptr;
68715 +
68716 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68717 + kmemleak_not_leak(ptr);
68718 + if (!ptr && mod->init_size_rx) {
68719 + module_free_exec(mod, mod->module_core_rx);
68720 + module_free(mod, mod->module_init_rw);
68721 + module_free(mod, mod->module_core_rw);
68722 + return -ENOMEM;
68723 + }
68724 +
68725 + pax_open_kernel();
68726 + memset(ptr, 0, mod->init_size_rx);
68727 + pax_close_kernel();
68728 + mod->module_init_rx = ptr;
68729
68730 /* Transfer each section which specifies SHF_ALLOC */
68731 DEBUGP("final section addresses:\n");
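Review bot: The core_rx allocation is rejected on any NULL return (`if (!ptr) {`), while the init_rx allocation a few lines later tolerates NULL when the requested size is zero (`if (!ptr && mod->init_size_rx)`). If module_alloc_exec() returns NULL for a zero-byte request (its body is not visible here), a module with an empty read-only core would fail with -ENOMEM. Either use `if (!ptr && mod->core_size_rx) {` or add a comment stating why core_size_rx can never be zero. move_module starts and ends outside this hunk.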
68732 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
68733 if (!(shdr->sh_flags & SHF_ALLOC))
68734 continue;
68735
68736 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
68737 - dest = mod->module_init
68738 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68739 - else
68740 - dest = mod->module_core + shdr->sh_entsize;
68741 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
68742 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68743 + dest = mod->module_init_rw
68744 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68745 + else
68746 + dest = mod->module_init_rx
68747 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68748 + } else {
68749 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68750 + dest = mod->module_core_rw + shdr->sh_entsize;
68751 + else
68752 + dest = mod->module_core_rx + shdr->sh_entsize;
68753 + }
68754 +
68755 + if (shdr->sh_type != SHT_NOBITS) {
68756 +
68757 +#ifdef CONFIG_PAX_KERNEXEC
68758 +#ifdef CONFIG_X86_64
68759 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
68760 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68761 +#endif
68762 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
68763 + pax_open_kernel();
68764 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68765 + pax_close_kernel();
68766 + } else
68767 +#endif
68768
68769 - if (shdr->sh_type != SHT_NOBITS)
68770 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68771 + }
68772 /* Update sh_addr to point to copy in image. */
68773 - shdr->sh_addr = (unsigned long)dest;
68774 +
68775 +#ifdef CONFIG_PAX_KERNEXEC
68776 + if (shdr->sh_flags & SHF_EXECINSTR)
68777 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
68778 + else
68779 +#endif
68780 +
68781 + shdr->sh_addr = (unsigned long)dest;
68782 DEBUGP("\t0x%lx %s\n",
68783 shdr->sh_addr, info->secstrings + shdr->sh_name);
68784 }
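Review bot: The page count passed to set_memory_x, `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, ignores where `dest` sits inside its page, so it can stop a page short when the section straddles a page boundary and cover a page too many when the section is page-aligned and a whole number of pages long. Because this range lies in the writable allocation, an extra page ends up both writable and executable. Computing the range from aligned bounds avoids both cases: `unsigned long start = (unsigned long)dest & PAGE_MASK;` followed by `set_memory_x(start, (PAGE_ALIGN((unsigned long)dest + shdr->sh_size) - start) >> PAGE_SHIFT);`. Separately, the added `!(shdr->sh_flags & SHF_ALLOC)` tests look dead, since the loop already does `continue` for sections without SHF_ALLOC.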
68785 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
68786 * Do it before processing of module parameters, so the module
68787 * can provide parameter accessor functions of its own.
68788 */
68789 - if (mod->module_init)
68790 - flush_icache_range((unsigned long)mod->module_init,
68791 - (unsigned long)mod->module_init
68792 - + mod->init_size);
68793 - flush_icache_range((unsigned long)mod->module_core,
68794 - (unsigned long)mod->module_core + mod->core_size);
68795 + if (mod->module_init_rx)
68796 + flush_icache_range((unsigned long)mod->module_init_rx,
68797 + (unsigned long)mod->module_init_rx
68798 + + mod->init_size_rx);
68799 + flush_icache_range((unsigned long)mod->module_core_rx,
68800 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
68801
68802 set_fs(old_fs);
68803 }
68804 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
68805 {
68806 kfree(info->strmap);
68807 percpu_modfree(mod);
68808 - module_free(mod, mod->module_init);
68809 - module_free(mod, mod->module_core);
68810 + module_free_exec(mod, mod->module_init_rx);
68811 + module_free_exec(mod, mod->module_core_rx);
68812 + module_free(mod, mod->module_init_rw);
68813 + module_free(mod, mod->module_core_rw);
68814 }
68815
68816 static int post_relocation(struct module *mod, const struct load_info *info)
68817 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
68818 if (err)
68819 goto free_unload;
68820
68821 + /* Now copy in args */
68822 + mod->args = strndup_user(uargs, ~0UL >> 1);
68823 + if (IS_ERR(mod->args)) {
68824 + err = PTR_ERR(mod->args);
68825 + goto free_unload;
68826 + }
68827 +
68828 /* Set up MODINFO_ATTR fields */
68829 setup_modinfo(mod, &info);
68830
68831 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68832 + {
68833 + char *p, *p2;
68834 +
68835 + if (strstr(mod->args, "grsec_modharden_netdev")) {
68836 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
68837 + err = -EPERM;
68838 + goto free_modinfo;
68839 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
68840 + p += strlen("grsec_modharden_normal");
68841 + p2 = strstr(p, "_");
68842 + if (p2) {
68843 + *p2 = '\0';
68844 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
68845 + *p2 = '_';
68846 + }
68847 + err = -EPERM;
68848 + goto free_modinfo;
68849 + }
68850 + }
68851 +#endif
68852 +
68853 /* Fix up syms, so that st_value is a pointer to location. */
68854 err = simplify_symbols(mod, &info);
68855 if (err < 0)
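Review bot: The denial message in the `grsec_modharden_netdev` branch has no trailing newline, unlike the one in the `grsec_modharden_normal` branch, so the alert can run into the next log line; end the format string with `instead.\n`. In the `grsec_modharden_normal` branch nothing is logged when no `_` follows the marker, although the load is still refused with -EPERM, so anyone monitoring the log never sees that denial; an `else` that logs the module name alone would cover it. `strstr(p, "_")` can be `strchr(p, '_')`. load_module starts and ends outside this hunk.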
68856 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
68857
68858 flush_module_icache(mod);
68859
68860 - /* Now copy in args */
68861 - mod->args = strndup_user(uargs, ~0UL >> 1);
68862 - if (IS_ERR(mod->args)) {
68863 - err = PTR_ERR(mod->args);
68864 - goto free_arch_cleanup;
68865 - }
68866 -
68867 /* Mark state as coming so strong_try_module_get() ignores us. */
68868 mod->state = MODULE_STATE_COMING;
68869
68870 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
68871 unlock:
68872 mutex_unlock(&module_mutex);
68873 synchronize_sched();
68874 - kfree(mod->args);
68875 - free_arch_cleanup:
68876 module_arch_cleanup(mod);
68877 free_modinfo:
68878 free_modinfo(mod);
68879 + kfree(mod->args);
68880 free_unload:
68881 module_unload_free(mod);
68882 free_module:
68883 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
68884 MODULE_STATE_COMING, mod);
68885
68886 /* Set RO and NX regions for core */
68887 - set_section_ro_nx(mod->module_core,
68888 - mod->core_text_size,
68889 - mod->core_ro_size,
68890 - mod->core_size);
68891 + set_section_ro_nx(mod->module_core_rx,
68892 + mod->core_size_rx,
68893 + mod->core_size_rx,
68894 + mod->core_size_rx);
68895
68896 /* Set RO and NX regions for init */
68897 - set_section_ro_nx(mod->module_init,
68898 - mod->init_text_size,
68899 - mod->init_ro_size,
68900 - mod->init_size);
68901 + set_section_ro_nx(mod->module_init_rx,
68902 + mod->init_size_rx,
68903 + mod->init_size_rx,
68904 + mod->init_size_rx);
68905
68906 do_mod_ctors(mod);
68907 /* Start the module */
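Review bot: Both set_section_ro_nx calls now pass the same size for all three size arguments, and nothing explains why. If set_section_ro_nx keeps its upstream meaning of text size, read-only size and total size (its body is not in this hunk), the whole rx region becomes read-only and the NX range is empty. In that case the existing comments `/* Set RO and NX regions for core */` and `/* Set RO and NX regions for init */` no longer describe the calls. Suggested wording: `/* rx region holds only text and read-only data: mark all of it RO; the rw region is not touched here */`.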
68908 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
68909 mod->symtab = mod->core_symtab;
68910 mod->strtab = mod->core_strtab;
68911 #endif
68912 - unset_section_ro_nx(mod, mod->module_init);
68913 - module_free(mod, mod->module_init);
68914 - mod->module_init = NULL;
68915 - mod->init_size = 0;
68916 - mod->init_text_size = 0;
68917 + unset_section_ro_nx(mod, mod->module_init_rx);
68918 + module_free(mod, mod->module_init_rw);
68919 + module_free_exec(mod, mod->module_init_rx);
68920 + mod->module_init_rw = NULL;
68921 + mod->module_init_rx = NULL;
68922 + mod->init_size_rw = 0;
68923 + mod->init_size_rx = 0;
68924 mutex_unlock(&module_mutex);
68925
68926 return 0;
68927 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
68928 unsigned long nextval;
68929
68930 /* At worse, next value is at end of module */
68931 - if (within_module_init(addr, mod))
68932 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
68933 + if (within_module_init_rx(addr, mod))
68934 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
68935 + else if (within_module_init_rw(addr, mod))
68936 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
68937 + else if (within_module_core_rx(addr, mod))
68938 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
68939 + else if (within_module_core_rw(addr, mod))
68940 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
68941 else
68942 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
68943 + return NULL;
68944
68945 /* Scan for closest preceding symbol, and next symbol. (ELF
68946 starts real symbols at 1). */
68947 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
68948 char buf[8];
68949
68950 seq_printf(m, "%s %u",
68951 - mod->name, mod->init_size + mod->core_size);
68952 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
68953 print_unload_info(m, mod);
68954
68955 /* Informative for users. */
68956 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
68957 mod->state == MODULE_STATE_COMING ? "Loading":
68958 "Live");
68959 /* Used by oprofile and other similar tools. */
68960 - seq_printf(m, " 0x%pK", mod->module_core);
68961 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
68962
68963 /* Taints info */
68964 if (mod->taints)
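Review bot: The line now prints two addresses, `" 0x%pK 0x%pK"`, which changes the column layout of /proc/modules and shifts the taints field that follows. Parsers that expect a single address, such as the tools named in the comment above the call, may misread the second address as the next field. The comment should at least document the new layout, e.g. `/* Used by oprofile and other similar tools: rx core address, then rw core address. */`. m_show starts and ends outside this hunk.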
68965 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
68966
68967 static int __init proc_modules_init(void)
68968 {
68969 +#ifndef CONFIG_GRKERNSEC_HIDESYM
68970 +#ifdef CONFIG_GRKERNSEC_PROC_USER
68971 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68972 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
68973 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
68974 +#else
68975 proc_create("modules", 0, NULL, &proc_modules_operations);
68976 +#endif
68977 +#else
68978 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68979 +#endif
68980 return 0;
68981 }
68982 module_init(proc_modules_init);
68983 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
68984 {
68985 struct module *mod;
68986
68987 - if (addr < module_addr_min || addr > module_addr_max)
68988 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
68989 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
68990 return NULL;
68991
68992 list_for_each_entry_rcu(mod, &modules, list)
68993 - if (within_module_core(addr, mod)
68994 - || within_module_init(addr, mod))
68995 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
68996 return mod;
68997 return NULL;
68998 }
68999 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
69000 */
69001 struct module *__module_text_address(unsigned long addr)
69002 {
69003 - struct module *mod = __module_address(addr);
69004 + struct module *mod;
69005 +
69006 +#ifdef CONFIG_X86_32
69007 + addr = ktla_ktva(addr);
69008 +#endif
69009 +
69010 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69011 + return NULL;
69012 +
69013 + mod = __module_address(addr);
69014 +
69015 if (mod) {
69016 /* Make sure it's within the text section. */
69017 - if (!within(addr, mod->module_init, mod->init_text_size)
69018 - && !within(addr, mod->module_core, mod->core_text_size))
69019 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
69020 mod = NULL;
69021 }
69022 return mod;
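Review bot: The translation `addr = ktla_ktva(addr);` is applied under `CONFIG_X86_32` with no comment, while the inverse `ktva_ktla()` in move_module is guarded by `CONFIG_PAX_KERNEXEC`. A reader cannot tell from this hunk whether the macro is a no-op when KERNEXEC is off. A comment would settle it, e.g. `/* KERNEXEC on i386: convert addr to the form the *_rx bounds are kept in (see ktva_ktla in move_module) */`. The new range check against module_addr_min_rx/module_addr_max_rx is also followed by `__module_address()`, which repeats a bounds test, so one of them could be noted as a fast path. The function's closing brace is outside the hunk.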
69023 diff -urNp linux-2.6.39.2/kernel/mutex.c linux-2.6.39.2/kernel/mutex.c
69024 --- linux-2.6.39.2/kernel/mutex.c 2011-05-19 00:06:34.000000000 -0400
69025 +++ linux-2.6.39.2/kernel/mutex.c 2011-05-22 19:36:33.000000000 -0400
69026 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
69027 */
69028
69029 for (;;) {
69030 - struct thread_info *owner;
69031 + struct task_struct *owner;
69032
69033 /*
69034 * If we own the BKL, then don't spin. The owner of
69035 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
69036 spin_lock_mutex(&lock->wait_lock, flags);
69037
69038 debug_mutex_lock_common(lock, &waiter);
69039 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
69040 + debug_mutex_add_waiter(lock, &waiter, task);
69041
69042 /* add waiting tasks to the end of the waitqueue (FIFO): */
69043 list_add_tail(&waiter.list, &lock->wait_list);
69044 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
69045 * TASK_UNINTERRUPTIBLE case.)
69046 */
69047 if (unlikely(signal_pending_state(state, task))) {
69048 - mutex_remove_waiter(lock, &waiter,
69049 - task_thread_info(task));
69050 + mutex_remove_waiter(lock, &waiter, task);
69051 mutex_release(&lock->dep_map, 1, ip);
69052 spin_unlock_mutex(&lock->wait_lock, flags);
69053
69054 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
69055 done:
69056 lock_acquired(&lock->dep_map, ip);
69057 /* got the lock - rejoice! */
69058 - mutex_remove_waiter(lock, &waiter, current_thread_info());
69059 + mutex_remove_waiter(lock, &waiter, task);
69060 mutex_set_owner(lock);
69061
69062 /* set it to 0 if there are no waiters left: */
69063 diff -urNp linux-2.6.39.2/kernel/mutex-debug.c linux-2.6.39.2/kernel/mutex-debug.c
69064 --- linux-2.6.39.2/kernel/mutex-debug.c 2011-05-19 00:06:34.000000000 -0400
69065 +++ linux-2.6.39.2/kernel/mutex-debug.c 2011-05-22 19:36:33.000000000 -0400
69066 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
69067 }
69068
69069 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69070 - struct thread_info *ti)
69071 + struct task_struct *task)
69072 {
69073 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
69074
69075 /* Mark the current thread as blocked on the lock: */
69076 - ti->task->blocked_on = waiter;
69077 + task->blocked_on = waiter;
69078 }
69079
69080 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69081 - struct thread_info *ti)
69082 + struct task_struct *task)
69083 {
69084 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
69085 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
69086 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
69087 - ti->task->blocked_on = NULL;
69088 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
69089 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
69090 + task->blocked_on = NULL;
69091
69092 list_del_init(&waiter->list);
69093 waiter->task = NULL;
69094 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
69095 return;
69096
69097 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
69098 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
69099 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
69100 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
69101 mutex_clear_owner(lock);
69102 }
69103 diff -urNp linux-2.6.39.2/kernel/mutex-debug.h linux-2.6.39.2/kernel/mutex-debug.h
69104 --- linux-2.6.39.2/kernel/mutex-debug.h 2011-05-19 00:06:34.000000000 -0400
69105 +++ linux-2.6.39.2/kernel/mutex-debug.h 2011-05-22 19:36:33.000000000 -0400
69106 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
69107 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
69108 extern void debug_mutex_add_waiter(struct mutex *lock,
69109 struct mutex_waiter *waiter,
69110 - struct thread_info *ti);
69111 + struct task_struct *task);
69112 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69113 - struct thread_info *ti);
69114 + struct task_struct *task);
69115 extern void debug_mutex_unlock(struct mutex *lock);
69116 extern void debug_mutex_init(struct mutex *lock, const char *name,
69117 struct lock_class_key *key);
69118
69119 static inline void mutex_set_owner(struct mutex *lock)
69120 {
69121 - lock->owner = current_thread_info();
69122 + lock->owner = current;
69123 }
69124
69125 static inline void mutex_clear_owner(struct mutex *lock)
69126 diff -urNp linux-2.6.39.2/kernel/mutex.h linux-2.6.39.2/kernel/mutex.h
69127 --- linux-2.6.39.2/kernel/mutex.h 2011-05-19 00:06:34.000000000 -0400
69128 +++ linux-2.6.39.2/kernel/mutex.h 2011-05-22 19:36:33.000000000 -0400
69129 @@ -19,7 +19,7 @@
69130 #ifdef CONFIG_SMP
69131 static inline void mutex_set_owner(struct mutex *lock)
69132 {
69133 - lock->owner = current_thread_info();
69134 + lock->owner = current;
69135 }
69136
69137 static inline void mutex_clear_owner(struct mutex *lock)
69138 diff -urNp linux-2.6.39.2/kernel/padata.c linux-2.6.39.2/kernel/padata.c
69139 --- linux-2.6.39.2/kernel/padata.c 2011-05-19 00:06:34.000000000 -0400
69140 +++ linux-2.6.39.2/kernel/padata.c 2011-05-22 19:36:33.000000000 -0400
69141 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
69142 padata->pd = pd;
69143 padata->cb_cpu = cb_cpu;
69144
69145 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
69146 - atomic_set(&pd->seq_nr, -1);
69147 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
69148 + atomic_set_unchecked(&pd->seq_nr, -1);
69149
69150 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
69151 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
69152
69153 target_cpu = padata_cpu_hash(padata);
69154 queue = per_cpu_ptr(pd->pqueue, target_cpu);
69155 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
69156 padata_init_pqueues(pd);
69157 padata_init_squeues(pd);
69158 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
69159 - atomic_set(&pd->seq_nr, -1);
69160 + atomic_set_unchecked(&pd->seq_nr, -1);
69161 atomic_set(&pd->reorder_objects, 0);
69162 atomic_set(&pd->refcnt, 0);
69163 pd->pinst = pinst;
69164 diff -urNp linux-2.6.39.2/kernel/panic.c linux-2.6.39.2/kernel/panic.c
69165 --- linux-2.6.39.2/kernel/panic.c 2011-05-19 00:06:34.000000000 -0400
69166 +++ linux-2.6.39.2/kernel/panic.c 2011-05-22 19:41:42.000000000 -0400
69167 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
69168 const char *board;
69169
69170 printk(KERN_WARNING "------------[ cut here ]------------\n");
69171 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
69172 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
69173 board = dmi_get_system_info(DMI_PRODUCT_NAME);
69174 if (board)
69175 printk(KERN_WARNING "Hardware name: %s\n", board);
69176 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
69177 */
69178 void __stack_chk_fail(void)
69179 {
69180 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
69181 + dump_stack();
69182 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
69183 __builtin_return_address(0));
69184 }
69185 EXPORT_SYMBOL(__stack_chk_fail);
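Review bot: The added `dump_stack();` walks a stack that the canary check has just found corrupted, and it does so before `panic()` is reached. If the walk faults or does not terminate, the panic and any reboot policy tied to it may be delayed or lost. panic() may also print a trace of its own depending on configuration, which is not visible here. Either drop the extra call or justify it in a comment such as `/* best effort: the trace may be unreliable, the stack is known to be corrupt */`.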
69186 diff -urNp linux-2.6.39.2/kernel/params.c linux-2.6.39.2/kernel/params.c
69187 --- linux-2.6.39.2/kernel/params.c 2011-05-19 00:06:34.000000000 -0400
69188 +++ linux-2.6.39.2/kernel/params.c 2011-05-22 19:36:33.000000000 -0400
69189 @@ -234,7 +234,7 @@ int parse_args(const char *name,
69190 { \
69191 return sprintf(buffer, format, *((type *)kp->arg)); \
69192 } \
69193 - struct kernel_param_ops param_ops_##name = { \
69194 + const struct kernel_param_ops param_ops_##name = { \
69195 .set = param_set_##name, \
69196 .get = param_get_##name, \
69197 }; \
69198 @@ -286,7 +286,7 @@ static void param_free_charp(void *arg)
69199 maybe_kfree_parameter(*((char **)arg));
69200 }
69201
69202 -struct kernel_param_ops param_ops_charp = {
69203 +const struct kernel_param_ops param_ops_charp = {
69204 .set = param_set_charp,
69205 .get = param_get_charp,
69206 .free = param_free_charp,
69207 @@ -334,7 +334,7 @@ int param_get_bool(char *buffer, const s
69208 }
69209 EXPORT_SYMBOL(param_get_bool);
69210
69211 -struct kernel_param_ops param_ops_bool = {
69212 +const struct kernel_param_ops param_ops_bool = {
69213 .set = param_set_bool,
69214 .get = param_get_bool,
69215 };
69216 @@ -362,7 +362,7 @@ int param_get_invbool(char *buffer, cons
69217 }
69218 EXPORT_SYMBOL(param_get_invbool);
69219
69220 -struct kernel_param_ops param_ops_invbool = {
69221 +const struct kernel_param_ops param_ops_invbool = {
69222 .set = param_set_invbool,
69223 .get = param_get_invbool,
69224 };
69225 @@ -460,7 +460,7 @@ static void param_array_free(void *arg)
69226 arr->ops->free(arr->elem + arr->elemsize * i);
69227 }
69228
69229 -struct kernel_param_ops param_array_ops = {
69230 +const struct kernel_param_ops param_array_ops = {
69231 .set = param_array_set,
69232 .get = param_array_get,
69233 .free = param_array_free,
69234 @@ -488,7 +488,7 @@ int param_get_string(char *buffer, const
69235 }
69236 EXPORT_SYMBOL(param_get_string);
69237
69238 -struct kernel_param_ops param_ops_string = {
69239 +const struct kernel_param_ops param_ops_string = {
69240 .set = param_set_copystring,
69241 .get = param_get_string,
69242 };
69243 diff -urNp linux-2.6.39.2/kernel/perf_event.c linux-2.6.39.2/kernel/perf_event.c
69244 --- linux-2.6.39.2/kernel/perf_event.c 2011-05-19 00:06:34.000000000 -0400
69245 +++ linux-2.6.39.2/kernel/perf_event.c 2011-05-22 19:36:33.000000000 -0400
69246 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
69247 return 0;
69248 }
69249
69250 -static atomic64_t perf_event_id;
69251 +static atomic64_unchecked_t perf_event_id;
69252
69253 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
69254 enum event_type_t event_type);
69255 @@ -2496,7 +2496,7 @@ static void __perf_event_read(void *info
69256
69257 static inline u64 perf_event_count(struct perf_event *event)
69258 {
69259 - return local64_read(&event->count) + atomic64_read(&event->child_count);
69260 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
69261 }
69262
69263 static u64 perf_event_read(struct perf_event *event)
69264 @@ -3031,9 +3031,9 @@ u64 perf_event_read_value(struct perf_ev
69265 mutex_lock(&event->child_mutex);
69266 total += perf_event_read(event);
69267 *enabled += event->total_time_enabled +
69268 - atomic64_read(&event->child_total_time_enabled);
69269 + atomic64_read_unchecked(&event->child_total_time_enabled);
69270 *running += event->total_time_running +
69271 - atomic64_read(&event->child_total_time_running);
69272 + atomic64_read_unchecked(&event->child_total_time_running);
69273
69274 list_for_each_entry(child, &event->child_list, child_list) {
69275 total += perf_event_read(child);
69276 @@ -3396,10 +3396,10 @@ void perf_event_update_userpage(struct p
69277 userpg->offset -= local64_read(&event->hw.prev_count);
69278
69279 userpg->time_enabled = event->total_time_enabled +
69280 - atomic64_read(&event->child_total_time_enabled);
69281 + atomic64_read_unchecked(&event->child_total_time_enabled);
69282
69283 userpg->time_running = event->total_time_running +
69284 - atomic64_read(&event->child_total_time_running);
69285 + atomic64_read_unchecked(&event->child_total_time_running);
69286
69287 barrier();
69288 ++userpg->lock;
69289 @@ -3884,16 +3884,16 @@ static void perf_pending_event(struct ir
69290 * Later on, we might change it to a list if there is
69291 * another virtualization implementation supporting the callbacks.
69292 */
69293 -struct perf_guest_info_callbacks *perf_guest_cbs;
69294 +const struct perf_guest_info_callbacks *perf_guest_cbs;
69295
69296 -int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69297 +int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69298 {
69299 perf_guest_cbs = cbs;
69300 return 0;
69301 }
69302 EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
69303
69304 -int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69305 +int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69306 {
69307 perf_guest_cbs = NULL;
69308 return 0;
69309 @@ -4196,11 +4196,11 @@ static void perf_output_read_one(struct
69310 values[n++] = perf_event_count(event);
69311 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69312 values[n++] = enabled +
69313 - atomic64_read(&event->child_total_time_enabled);
69314 + atomic64_read_unchecked(&event->child_total_time_enabled);
69315 }
69316 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69317 values[n++] = running +
69318 - atomic64_read(&event->child_total_time_running);
69319 + atomic64_read_unchecked(&event->child_total_time_running);
69320 }
69321 if (read_format & PERF_FORMAT_ID)
69322 values[n++] = primary_event_id(event);
69323 @@ -6201,7 +6201,7 @@ perf_event_alloc(struct perf_event_attr
69324 event->parent = parent_event;
69325
69326 event->ns = get_pid_ns(current->nsproxy->pid_ns);
69327 - event->id = atomic64_inc_return(&perf_event_id);
69328 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
69329
69330 event->state = PERF_EVENT_STATE_INACTIVE;
69331
69332 @@ -6724,10 +6724,10 @@ static void sync_child_event(struct perf
69333 /*
69334 * Add back the child's count to the parent's count:
69335 */
69336 - atomic64_add(child_val, &parent_event->child_count);
69337 - atomic64_add(child_event->total_time_enabled,
69338 + atomic64_add_unchecked(child_val, &parent_event->child_count);
69339 + atomic64_add_unchecked(child_event->total_time_enabled,
69340 &parent_event->child_total_time_enabled);
69341 - atomic64_add(child_event->total_time_running,
69342 + atomic64_add_unchecked(child_event->total_time_running,
69343 &parent_event->child_total_time_running);
69344
69345 /*
69346 diff -urNp linux-2.6.39.2/kernel/pid.c linux-2.6.39.2/kernel/pid.c
69347 --- linux-2.6.39.2/kernel/pid.c 2011-05-19 00:06:34.000000000 -0400
69348 +++ linux-2.6.39.2/kernel/pid.c 2011-05-22 19:41:42.000000000 -0400
69349 @@ -33,6 +33,7 @@
69350 #include <linux/rculist.h>
69351 #include <linux/bootmem.h>
69352 #include <linux/hash.h>
69353 +#include <linux/security.h>
69354 #include <linux/pid_namespace.h>
69355 #include <linux/init_task.h>
69356 #include <linux/syscalls.h>
69357 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69358
69359 int pid_max = PID_MAX_DEFAULT;
69360
69361 -#define RESERVED_PIDS 300
69362 +#define RESERVED_PIDS 500
69363
69364 int pid_max_min = RESERVED_PIDS + 1;
69365 int pid_max_max = PID_MAX_LIMIT;
69366 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
69367 */
69368 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69369 {
69370 + struct task_struct *task;
69371 +
69372 rcu_lockdep_assert(rcu_read_lock_held());
69373 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69374 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69375 +
69376 + if (gr_pid_is_chrooted(task))
69377 + return NULL;
69378 +
69379 + return task;
69380 }
69381
69382 struct task_struct *find_task_by_vpid(pid_t vnr)
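Review bot: `gr_pid_is_chrooted(task)` is called without checking that the lookup succeeded, and `pid_task()` can return NULL when `nr` has no task in `ns`. gr_pid_is_chrooted is defined outside this hunk, so unless it is known to tolerate NULL the call should be guarded: `if (task && gr_pid_is_chrooted(task))`. The function comment should also say that an existing task can now be reported as not found, since callers cannot distinguish the two cases.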
69383 diff -urNp linux-2.6.39.2/kernel/posix-cpu-timers.c linux-2.6.39.2/kernel/posix-cpu-timers.c
69384 --- linux-2.6.39.2/kernel/posix-cpu-timers.c 2011-05-19 00:06:34.000000000 -0400
69385 +++ linux-2.6.39.2/kernel/posix-cpu-timers.c 2011-05-22 19:41:42.000000000 -0400
69386 @@ -6,6 +6,7 @@
69387 #include <linux/posix-timers.h>
69388 #include <linux/errno.h>
69389 #include <linux/math64.h>
69390 +#include <linux/security.h>
69391 #include <asm/uaccess.h>
69392 #include <linux/kernel_stat.h>
69393 #include <trace/events/timer.h>
69394 @@ -1590,7 +1591,7 @@ static int thread_cpu_timer_create(struc
69395 return posix_cpu_timer_create(timer);
69396 }
69397
69398 -struct k_clock clock_posix_cpu = {
69399 +const struct k_clock clock_posix_cpu = {
69400 .clock_getres = posix_cpu_clock_getres,
69401 .clock_set = posix_cpu_clock_set,
69402 .clock_get = posix_cpu_clock_get,
69403 @@ -1604,14 +1605,14 @@ struct k_clock clock_posix_cpu = {
69404
69405 static __init int init_posix_cpu_timers(void)
69406 {
69407 - struct k_clock process = {
69408 + const struct k_clock process = {
69409 .clock_getres = process_cpu_clock_getres,
69410 .clock_get = process_cpu_clock_get,
69411 .timer_create = process_cpu_timer_create,
69412 .nsleep = process_cpu_nsleep,
69413 .nsleep_restart = process_cpu_nsleep_restart,
69414 };
69415 - struct k_clock thread = {
69416 + const struct k_clock thread = {
69417 .clock_getres = thread_cpu_clock_getres,
69418 .clock_get = thread_cpu_clock_get,
69419 .timer_create = thread_cpu_timer_create,
69420 diff -urNp linux-2.6.39.2/kernel/posix-timers.c linux-2.6.39.2/kernel/posix-timers.c
69421 --- linux-2.6.39.2/kernel/posix-timers.c 2011-05-19 00:06:34.000000000 -0400
69422 +++ linux-2.6.39.2/kernel/posix-timers.c 2011-05-22 20:13:41.000000000 -0400
69423 @@ -43,6 +43,7 @@
69424 #include <linux/idr.h>
69425 #include <linux/posix-clock.h>
69426 #include <linux/posix-timers.h>
69427 +#include <linux/grsecurity.h>
69428 #include <linux/syscalls.h>
69429 #include <linux/wait.h>
69430 #include <linux/workqueue.h>
69431 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
69432 */
69433 static __init int init_posix_timers(void)
69434 {
69435 - struct k_clock clock_realtime = {
69436 + const struct k_clock clock_realtime = {
69437 .clock_getres = hrtimer_get_res,
69438 .clock_get = posix_clock_realtime_get,
69439 .clock_set = posix_clock_realtime_set,
69440 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
69441 .timer_get = common_timer_get,
69442 .timer_del = common_timer_del,
69443 };
69444 - struct k_clock clock_monotonic = {
69445 + const struct k_clock clock_monotonic = {
69446 .clock_getres = hrtimer_get_res,
69447 .clock_get = posix_ktime_get_ts,
69448 .nsleep = common_nsleep,
69449 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
69450 .timer_get = common_timer_get,
69451 .timer_del = common_timer_del,
69452 };
69453 - struct k_clock clock_monotonic_raw = {
69454 + const struct k_clock clock_monotonic_raw = {
69455 .clock_getres = hrtimer_get_res,
69456 .clock_get = posix_get_monotonic_raw,
69457 };
69458 - struct k_clock clock_realtime_coarse = {
69459 + const struct k_clock clock_realtime_coarse = {
69460 .clock_getres = posix_get_coarse_res,
69461 .clock_get = posix_get_realtime_coarse,
69462 };
69463 - struct k_clock clock_monotonic_coarse = {
69464 + const struct k_clock clock_monotonic_coarse = {
69465 .clock_getres = posix_get_coarse_res,
69466 .clock_get = posix_get_monotonic_coarse,
69467 };
69468 - struct k_clock clock_boottime = {
69469 + const struct k_clock clock_boottime = {
69470 .clock_getres = hrtimer_get_res,
69471 .clock_get = posix_get_boottime,
69472 .nsleep = common_nsleep,
69473 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
69474 .timer_del = common_timer_del,
69475 };
69476
69477 + pax_track_stack();
69478 +
69479 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
69480 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
69481 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
69482 @@ -454,7 +457,7 @@ static struct pid *good_sigevent(sigeven
69483 }
69484
69485 void posix_timers_register_clock(const clockid_t clock_id,
69486 - struct k_clock *new_clock)
69487 + const struct k_clock *new_clock)
69488 {
69489 if ((unsigned) clock_id >= MAX_CLOCKS) {
69490 printk(KERN_WARNING "POSIX clock register failed for clock_id %d\n",
69491 @@ -506,7 +509,7 @@ static void release_posix_timer(struct k
69492 kmem_cache_free(posix_timers_cache, tmr);
69493 }
69494
69495 -static struct k_clock *clockid_to_kclock(const clockid_t id)
69496 +static const struct k_clock *clockid_to_kclock(const clockid_t id)
69497 {
69498 if (id < 0)
69499 return (id & CLOCKFD_MASK) == CLOCKFD ?
69500 @@ -529,7 +532,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
69501 struct sigevent __user *, timer_event_spec,
69502 timer_t __user *, created_timer_id)
69503 {
69504 - struct k_clock *kc = clockid_to_kclock(which_clock);
69505 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69506 struct k_itimer *new_timer;
69507 int error, new_timer_id;
69508 sigevent_t event;
69509 @@ -714,7 +717,7 @@ SYSCALL_DEFINE2(timer_gettime, timer_t,
69510 {
69511 struct itimerspec cur_setting;
69512 struct k_itimer *timr;
69513 - struct k_clock *kc;
69514 + const struct k_clock *kc;
69515 unsigned long flags;
69516 int ret = 0;
69517
69518 @@ -822,7 +825,7 @@ SYSCALL_DEFINE4(timer_settime, timer_t,
69519 int error = 0;
69520 unsigned long flag;
69521 struct itimerspec *rtn = old_setting ? &old_spec : NULL;
69522 - struct k_clock *kc;
69523 + const struct k_clock *kc;
69524
69525 if (!new_setting)
69526 return -EINVAL;
69527 @@ -868,7 +871,7 @@ static int common_timer_del(struct k_iti
69528
69529 static inline int timer_delete_hook(struct k_itimer *timer)
69530 {
69531 - struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69532 + const struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69533
69534 if (WARN_ON_ONCE(!kc || !kc->timer_del))
69535 return -EINVAL;
69536 @@ -947,7 +950,7 @@ void exit_itimers(struct signal_struct *
69537 SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
69538 const struct timespec __user *, tp)
69539 {
69540 - struct k_clock *kc = clockid_to_kclock(which_clock);
69541 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69542 struct timespec new_tp;
69543
69544 if (!kc || !kc->clock_set)
69545 @@ -956,13 +959,20 @@ SYSCALL_DEFINE2(clock_settime, const clo
69546 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69547 return -EFAULT;
69548
69549 + /* only the CLOCK_REALTIME clock can be set, all other clocks
69550 + have their clock_set fptr set to a nosettime dummy function
69551 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69552 + call common_clock_set, which calls do_sys_settimeofday, which
69553 + we hook
69554 + */
69555 +
69556 return kc->clock_set(which_clock, &new_tp);
69557 }
69558
69559 SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,
69560 struct timespec __user *,tp)
69561 {
69562 - struct k_clock *kc = clockid_to_kclock(which_clock);
69563 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69564 struct timespec kernel_tp;
69565 int error;
69566
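Review bot: The comment added above `return kc->clock_set(which_clock, &new_tp);` does not match the code around it. The guard earlier in this function, `if (!kc || !kc->clock_set)`, runs before the call, and the call goes through `kc->clock_set` directly, so a NULL `clock_set` pointer cannot fall through to `common_clock_set` from here. The k_clock definition for CLOCK_REALTIME is outside this hunk, so the exact handler name needs confirming. The comment should describe the path that actually exists, for example `/* clocks without a clock_set handler are rejected above; the CLOCK_REALTIME handler ends in do_sys_settimeofday, which is where the time-change hook sits */`.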
69567 @@ -980,7 +990,7 @@ SYSCALL_DEFINE2(clock_gettime, const clo
69568 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
69569 struct timex __user *, utx)
69570 {
69571 - struct k_clock *kc = clockid_to_kclock(which_clock);
69572 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69573 struct timex ktx;
69574 int err;
69575
69576 @@ -1003,7 +1013,7 @@ SYSCALL_DEFINE2(clock_adjtime, const clo
69577 SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,
69578 struct timespec __user *, tp)
69579 {
69580 - struct k_clock *kc = clockid_to_kclock(which_clock);
69581 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69582 struct timespec rtn_tp;
69583 int error;
69584
69585 @@ -1033,7 +1043,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69586 const struct timespec __user *, rqtp,
69587 struct timespec __user *, rmtp)
69588 {
69589 - struct k_clock *kc = clockid_to_kclock(which_clock);
69590 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69591 struct timespec t;
69592
69593 if (!kc)
69594 @@ -1057,7 +1067,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69595 long clock_nanosleep_restart(struct restart_block *restart_block)
69596 {
69597 clockid_t which_clock = restart_block->nanosleep.index;
69598 - struct k_clock *kc = clockid_to_kclock(which_clock);
69599 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69600
69601 if (WARN_ON_ONCE(!kc || !kc->nsleep_restart))
69602 return -EINVAL;
69603 diff -urNp linux-2.6.39.2/kernel/power/poweroff.c linux-2.6.39.2/kernel/power/poweroff.c
69604 --- linux-2.6.39.2/kernel/power/poweroff.c 2011-05-19 00:06:34.000000000 -0400
69605 +++ linux-2.6.39.2/kernel/power/poweroff.c 2011-05-22 19:36:33.000000000 -0400
69606 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69607 .enable_mask = SYSRQ_ENABLE_BOOT,
69608 };
69609
69610 -static int pm_sysrq_init(void)
69611 +static int __init pm_sysrq_init(void)
69612 {
69613 register_sysrq_key('o', &sysrq_poweroff_op);
69614 return 0;
69615 diff -urNp linux-2.6.39.2/kernel/power/process.c linux-2.6.39.2/kernel/power/process.c
69616 --- linux-2.6.39.2/kernel/power/process.c 2011-05-19 00:06:34.000000000 -0400
69617 +++ linux-2.6.39.2/kernel/power/process.c 2011-05-22 19:36:33.000000000 -0400
69618 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
69619 u64 elapsed_csecs64;
69620 unsigned int elapsed_csecs;
69621 bool wakeup = false;
69622 + bool timedout = false;
69623
69624 do_gettimeofday(&start);
69625
69626 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
69627
69628 while (true) {
69629 todo = 0;
69630 + if (time_after(jiffies, end_time))
69631 + timedout = true;
69632 read_lock(&tasklist_lock);
69633 do_each_thread(g, p) {
69634 if (frozen(p) || !freezable(p))
69635 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
69636 * try_to_stop() after schedule() in ptrace/signal
69637 * stop sees TIF_FREEZE.
69638 */
69639 - if (!task_is_stopped_or_traced(p) &&
69640 - !freezer_should_skip(p))
69641 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69642 todo++;
69643 + if (timedout) {
69644 + printk(KERN_ERR "Task refusing to freeze:\n");
69645 + sched_show_task(p);
69646 + }
69647 + }
69648 } while_each_thread(g, p);
69649 read_unlock(&tasklist_lock);
69650
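Review bot: `sched_show_task(p)` runs for every task still counted in `todo` while `read_lock(&tasklist_lock)` is held. It fires on the same pass in which the deadline is first seen, so a task that simply has not had a chance to stop yet is also logged as "refusing to freeze". A comment at the `timedout` assignment in the previous hunk would make the intent explicit, e.g. `/* sample the deadline before the scan so the final pass can report every task still counted in todo */`. The rest of try_to_freeze_tasks is outside these hunks. If its failure path already dumps the stuck tasks, this output duplicates it and the console writes only lengthen the time the lock is held.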
69651 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
69652 todo += wq_busy;
69653 }
69654
69655 - if (!todo || time_after(jiffies, end_time))
69656 + if (!todo || timedout)
69657 break;
69658
69659 if (pm_wakeup_pending()) {
69660 diff -urNp linux-2.6.39.2/kernel/printk.c linux-2.6.39.2/kernel/printk.c
69661 --- linux-2.6.39.2/kernel/printk.c 2011-05-19 00:06:34.000000000 -0400
69662 +++ linux-2.6.39.2/kernel/printk.c 2011-05-22 19:41:42.000000000 -0400
69663 @@ -284,12 +284,17 @@ static int check_syslog_permissions(int
69664 if (from_file && type != SYSLOG_ACTION_OPEN)
69665 return 0;
69666
69667 +#ifdef CONFIG_GRKERNSEC_DMESG
69668 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
69669 + return -EPERM;
69670 +#endif
69671 +
69672 if (syslog_action_restricted(type)) {
69673 if (capable(CAP_SYSLOG))
69674 return 0;
69675 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
69676 if (capable(CAP_SYS_ADMIN)) {
69677 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
69678 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
69679 "but no CAP_SYSLOG (deprecated).\n");
69680 return 0;
69681 }
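Review bot: The new `CONFIG_GRKERNSEC_DMESG` check sits after the `from_file && type != SYSLOG_ACTION_OPEN` early return, so it applies to an open and to the syscall path but not to later reads on a descriptor that is already open. That deserves a comment, since it is the behaviour someone relies on when `grsec_enable_dmesg` is turned on. The two capability probes are also asymmetric, `capable(CAP_SYSLOG)` against `capable_nolog(CAP_SYS_ADMIN)`, with no explanation. Presumably the second is silent because CAP_SYS_ADMIN is only the deprecated fallback, but `capable_nolog` is defined outside this hunk. Suggested comment: `/* enforced per open/syscall, not per read; CAP_SYS_ADMIN is probed without logging because it is only the legacy fallback */`.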
69682 diff -urNp linux-2.6.39.2/kernel/profile.c linux-2.6.39.2/kernel/profile.c
69683 --- linux-2.6.39.2/kernel/profile.c 2011-05-19 00:06:34.000000000 -0400
69684 +++ linux-2.6.39.2/kernel/profile.c 2011-05-22 19:36:33.000000000 -0400
69685 @@ -39,7 +39,7 @@ struct profile_hit {
69686 /* Oprofile timer tick hook */
69687 static int (*timer_hook)(struct pt_regs *) __read_mostly;
69688
69689 -static atomic_t *prof_buffer;
69690 +static atomic_unchecked_t *prof_buffer;
69691 static unsigned long prof_len, prof_shift;
69692
69693 int prof_on __read_mostly;
69694 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69695 hits[i].pc = 0;
69696 continue;
69697 }
69698 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69699 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69700 hits[i].hits = hits[i].pc = 0;
69701 }
69702 }
69703 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69704 * Add the current hit(s) and flush the write-queue out
69705 * to the global buffer:
69706 */
69707 - atomic_add(nr_hits, &prof_buffer[pc]);
69708 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69709 for (i = 0; i < NR_PROFILE_HIT; ++i) {
69710 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69711 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69712 hits[i].pc = hits[i].hits = 0;
69713 }
69714 out:
69715 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69716 if (prof_on != type || !prof_buffer)
69717 return;
69718 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69719 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69720 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69721 }
69722 #endif /* !CONFIG_SMP */
69723 EXPORT_SYMBOL_GPL(profile_hits);
69724 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69725 return -EFAULT;
69726 buf++; p++; count--; read++;
69727 }
69728 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69729 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69730 if (copy_to_user(buf, (void *)pnt, count))
69731 return -EFAULT;
69732 read += count;
69733 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69734 }
69735 #endif
69736 profile_discard_flip_buffers();
69737 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69738 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69739 return count;
69740 }
69741
69742 diff -urNp linux-2.6.39.2/kernel/ptrace.c linux-2.6.39.2/kernel/ptrace.c
69743 --- linux-2.6.39.2/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
69744 +++ linux-2.6.39.2/kernel/ptrace.c 2011-05-23 17:07:00.000000000 -0400
69745 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69746 return ret;
69747 }
69748
69749 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69750 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69751 + unsigned int log)
69752 {
69753 const struct cred *cred = current_cred(), *tcred;
69754
69755 @@ -143,7 +144,8 @@ int __ptrace_may_access(struct task_stru
69756 cred->gid == tcred->sgid &&
69757 cred->gid == tcred->gid))
69758 goto ok;
69759 - if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
69760 + if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
69761 + (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
69762 goto ok;
69763 rcu_read_unlock();
69764 return -EPERM;
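Review bot: The capability test is now written as a four-term boolean that folds in the `log` flag, here and again in the `!dumpable` check of the next hunk, which makes it easy to invert one arm of a permission check during a later edit. A conditional expression states the same thing more directly: `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))`, and likewise `if (!dumpable && !(log ? task_ns_capable(task, CAP_SYS_PTRACE) : task_ns_capable_nolog(task, CAP_SYS_PTRACE)))`. The visible callers pass only 0 or 1, so declaring the parameter as `bool log` would document that. The body of __ptrace_may_access starts and ends outside this hunk.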
69765 @@ -152,7 +154,9 @@ ok:
69766 smp_rmb();
69767 if (task->mm)
69768 dumpable = get_dumpable(task->mm);
69769 - if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
69770 + if (!dumpable &&
69771 + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
69772 + (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
69773 return -EPERM;
69774
69775 return security_ptrace_access_check(task, mode);
69776 @@ -162,7 +166,16 @@ bool ptrace_may_access(struct task_struc
69777 {
69778 int err;
69779 task_lock(task);
69780 - err = __ptrace_may_access(task, mode);
69781 + err = __ptrace_may_access(task, mode, 0);
69782 + task_unlock(task);
69783 + return !err;
69784 +}
69785 +
69786 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
69787 +{
69788 + int err;
69789 + task_lock(task);
69790 + err = __ptrace_may_access(task, mode, 1);
69791 task_unlock(task);
69792 return !err;
69793 }
69794 @@ -189,7 +202,7 @@ static int ptrace_attach(struct task_str
69795 goto out;
69796
69797 task_lock(task);
69798 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
69799 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
69800 task_unlock(task);
69801 if (retval)
69802 goto unlock_creds;
69803 @@ -202,7 +215,7 @@ static int ptrace_attach(struct task_str
69804 goto unlock_tasklist;
69805
69806 task->ptrace = PT_PTRACED;
69807 - if (task_ns_capable(task, CAP_SYS_PTRACE))
69808 + if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
69809 task->ptrace |= PT_PTRACE_CAP;
69810
69811 __ptrace_link(task, current);
69812 @@ -362,6 +375,8 @@ int ptrace_readdata(struct task_struct *
69813 {
69814 int copied = 0;
69815
69816 + pax_track_stack();
69817 +
69818 while (len > 0) {
69819 char buf[128];
69820 int this_len, retval;
69821 @@ -373,7 +388,7 @@ int ptrace_readdata(struct task_struct *
69822 break;
69823 return -EIO;
69824 }
69825 - if (copy_to_user(dst, buf, retval))
69826 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
69827 return -EFAULT;
69828 copied += retval;
69829 src += retval;
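Review bot: The added bound `retval > sizeof(buf)` compares an `int` with a `size_t`, so it rejects a negative `retval` only through the implicit conversion to unsigned. Writing both conditions out keeps the check correct if either type changes and shows the behaviour is intended: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. An out-of-range length here would be a kernel-side inconsistency rather than a bad user pointer, so a one-line comment noting that `-EFAULT` is reused for that case would help whoever reads the error later. The loop body continues outside the hunk.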
69830 @@ -387,6 +402,8 @@ int ptrace_writedata(struct task_struct
69831 {
69832 int copied = 0;
69833
69834 + pax_track_stack();
69835 +
69836 while (len > 0) {
69837 char buf[128];
69838 int this_len, retval;
69839 @@ -569,9 +586,11 @@ int ptrace_request(struct task_struct *c
69840 {
69841 int ret = -EIO;
69842 siginfo_t siginfo;
69843 - void __user *datavp = (void __user *) data;
69844 + void __user *datavp = (__force void __user *) data;
69845 unsigned long __user *datalp = datavp;
69846
69847 + pax_track_stack();
69848 +
69849 switch (request) {
69850 case PTRACE_PEEKTEXT:
69851 case PTRACE_PEEKDATA:
69852 @@ -717,14 +736,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
69853 goto out;
69854 }
69855
69856 + if (gr_handle_ptrace(child, request)) {
69857 + ret = -EPERM;
69858 + goto out_put_task_struct;
69859 + }
69860 +
69861 if (request == PTRACE_ATTACH) {
69862 ret = ptrace_attach(child);
69863 /*
69864 * Some architectures need to do book-keeping after
69865 * a ptrace attach.
69866 */
69867 - if (!ret)
69868 + if (!ret) {
69869 arch_ptrace_attach(child);
69870 + gr_audit_ptrace(child);
69871 + }
69872 goto out_put_task_struct;
69873 }
69874
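Review bot: The `gr_handle_ptrace(child, request)` gate and the `gr_audit_ptrace(child)` call on successful attach are repeated line for line in the `compat_sys_ptrace` hunk further down, so the native and compat entry points can drift apart when only one is edited. A shared static helper for the gate, or at least a comment in each copy naming the other, would keep the two policy checks in step. The denial path returns `-EPERM` with no visible log call while the success path is audited. Presumably `gr_handle_ptrace` logs internally, but it is defined outside this hunk, so a comment such as `/* denial is logged inside gr_handle_ptrace; gr_audit_ptrace records successful attaches only */` would confirm that for the reader.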
69875 @@ -749,7 +775,7 @@ int generic_ptrace_peekdata(struct task_
69876 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
69877 if (copied != sizeof(tmp))
69878 return -EIO;
69879 - return put_user(tmp, (unsigned long __user *)data);
69880 + return put_user(tmp, (__force unsigned long __user *)data);
69881 }
69882
69883 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
69884 @@ -772,6 +798,8 @@ int compat_ptrace_request(struct task_st
69885 siginfo_t siginfo;
69886 int ret;
69887
69888 + pax_track_stack();
69889 +
69890 switch (request) {
69891 case PTRACE_PEEKTEXT:
69892 case PTRACE_PEEKDATA:
69893 @@ -859,14 +887,21 @@ asmlinkage long compat_sys_ptrace(compat
69894 goto out;
69895 }
69896
69897 + if (gr_handle_ptrace(child, request)) {
69898 + ret = -EPERM;
69899 + goto out_put_task_struct;
69900 + }
69901 +
69902 if (request == PTRACE_ATTACH) {
69903 ret = ptrace_attach(child);
69904 /*
69905 * Some architectures need to do book-keeping after
69906 * a ptrace attach.
69907 */
69908 - if (!ret)
69909 + if (!ret) {
69910 arch_ptrace_attach(child);
69911 + gr_audit_ptrace(child);
69912 + }
69913 goto out_put_task_struct;
69914 }
69915
69916 diff -urNp linux-2.6.39.2/kernel/rcutorture.c linux-2.6.39.2/kernel/rcutorture.c
69917 --- linux-2.6.39.2/kernel/rcutorture.c 2011-05-19 00:06:34.000000000 -0400
69918 +++ linux-2.6.39.2/kernel/rcutorture.c 2011-05-22 19:36:33.000000000 -0400
69919 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
69920 { 0 };
69921 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
69922 { 0 };
69923 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69924 -static atomic_t n_rcu_torture_alloc;
69925 -static atomic_t n_rcu_torture_alloc_fail;
69926 -static atomic_t n_rcu_torture_free;
69927 -static atomic_t n_rcu_torture_mberror;
69928 -static atomic_t n_rcu_torture_error;
69929 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69930 +static atomic_unchecked_t n_rcu_torture_alloc;
69931 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
69932 +static atomic_unchecked_t n_rcu_torture_free;
69933 +static atomic_unchecked_t n_rcu_torture_mberror;
69934 +static atomic_unchecked_t n_rcu_torture_error;
69935 static long n_rcu_torture_boost_ktrerror;
69936 static long n_rcu_torture_boost_rterror;
69937 static long n_rcu_torture_boost_allocerror;
69938 @@ -225,11 +225,11 @@ rcu_torture_alloc(void)
69939
69940 spin_lock_bh(&rcu_torture_lock);
69941 if (list_empty(&rcu_torture_freelist)) {
69942 - atomic_inc(&n_rcu_torture_alloc_fail);
69943 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
69944 spin_unlock_bh(&rcu_torture_lock);
69945 return NULL;
69946 }
69947 - atomic_inc(&n_rcu_torture_alloc);
69948 + atomic_inc_unchecked(&n_rcu_torture_alloc);
69949 p = rcu_torture_freelist.next;
69950 list_del_init(p);
69951 spin_unlock_bh(&rcu_torture_lock);
69952 @@ -242,7 +242,7 @@ rcu_torture_alloc(void)
69953 static void
69954 rcu_torture_free(struct rcu_torture *p)
69955 {
69956 - atomic_inc(&n_rcu_torture_free);
69957 + atomic_inc_unchecked(&n_rcu_torture_free);
69958 spin_lock_bh(&rcu_torture_lock);
69959 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
69960 spin_unlock_bh(&rcu_torture_lock);
69961 @@ -362,7 +362,7 @@ rcu_torture_cb(struct rcu_head *p)
69962 i = rp->rtort_pipe_count;
69963 if (i > RCU_TORTURE_PIPE_LEN)
69964 i = RCU_TORTURE_PIPE_LEN;
69965 - atomic_inc(&rcu_torture_wcount[i]);
69966 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69967 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69968 rp->rtort_mbtest = 0;
69969 rcu_torture_free(rp);
69970 @@ -409,7 +409,7 @@ static void rcu_sync_torture_deferred_fr
69971 i = rp->rtort_pipe_count;
69972 if (i > RCU_TORTURE_PIPE_LEN)
69973 i = RCU_TORTURE_PIPE_LEN;
69974 - atomic_inc(&rcu_torture_wcount[i]);
69975 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69976 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69977 rp->rtort_mbtest = 0;
69978 list_del(&rp->rtort_free);
69979 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
69980 i = old_rp->rtort_pipe_count;
69981 if (i > RCU_TORTURE_PIPE_LEN)
69982 i = RCU_TORTURE_PIPE_LEN;
69983 - atomic_inc(&rcu_torture_wcount[i]);
69984 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
69985 old_rp->rtort_pipe_count++;
69986 cur_ops->deferred_free(old_rp);
69987 }
69988 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
69989 return;
69990 }
69991 if (p->rtort_mbtest == 0)
69992 - atomic_inc(&n_rcu_torture_mberror);
69993 + atomic_inc_unchecked(&n_rcu_torture_mberror);
69994 spin_lock(&rand_lock);
69995 cur_ops->read_delay(&rand);
69996 n_rcu_torture_timers++;
69997 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
69998 continue;
69999 }
70000 if (p->rtort_mbtest == 0)
70001 - atomic_inc(&n_rcu_torture_mberror);
70002 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70003 cur_ops->read_delay(&rand);
70004 preempt_disable();
70005 pipe_count = p->rtort_pipe_count;
70006 @@ -1072,10 +1072,10 @@ rcu_torture_printk(char *page)
70007 rcu_torture_current,
70008 rcu_torture_current_version,
70009 list_empty(&rcu_torture_freelist),
70010 - atomic_read(&n_rcu_torture_alloc),
70011 - atomic_read(&n_rcu_torture_alloc_fail),
70012 - atomic_read(&n_rcu_torture_free),
70013 - atomic_read(&n_rcu_torture_mberror),
70014 + atomic_read_unchecked(&n_rcu_torture_alloc),
70015 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
70016 + atomic_read_unchecked(&n_rcu_torture_free),
70017 + atomic_read_unchecked(&n_rcu_torture_mberror),
70018 n_rcu_torture_boost_ktrerror,
70019 n_rcu_torture_boost_rterror,
70020 n_rcu_torture_boost_allocerror,
70021 @@ -1083,7 +1083,7 @@ rcu_torture_printk(char *page)
70022 n_rcu_torture_boost_failure,
70023 n_rcu_torture_boosts,
70024 n_rcu_torture_timers);
70025 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
70026 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
70027 n_rcu_torture_boost_ktrerror != 0 ||
70028 n_rcu_torture_boost_rterror != 0 ||
70029 n_rcu_torture_boost_allocerror != 0 ||
70030 @@ -1093,7 +1093,7 @@ rcu_torture_printk(char *page)
70031 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
70032 if (i > 1) {
70033 cnt += sprintf(&page[cnt], "!!! ");
70034 - atomic_inc(&n_rcu_torture_error);
70035 + atomic_inc_unchecked(&n_rcu_torture_error);
70036 WARN_ON_ONCE(1);
70037 }
70038 cnt += sprintf(&page[cnt], "Reader Pipe: ");
70039 @@ -1107,7 +1107,7 @@ rcu_torture_printk(char *page)
70040 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
70041 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70042 cnt += sprintf(&page[cnt], " %d",
70043 - atomic_read(&rcu_torture_wcount[i]));
70044 + atomic_read_unchecked(&rcu_torture_wcount[i]));
70045 }
70046 cnt += sprintf(&page[cnt], "\n");
70047 if (cur_ops->stats)
70048 @@ -1415,7 +1415,7 @@ rcu_torture_cleanup(void)
70049
70050 if (cur_ops->cleanup)
70051 cur_ops->cleanup();
70052 - if (atomic_read(&n_rcu_torture_error))
70053 + if (atomic_read_unchecked(&n_rcu_torture_error))
70054 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
70055 else
70056 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
70057 @@ -1479,11 +1479,11 @@ rcu_torture_init(void)
70058
70059 rcu_torture_current = NULL;
70060 rcu_torture_current_version = 0;
70061 - atomic_set(&n_rcu_torture_alloc, 0);
70062 - atomic_set(&n_rcu_torture_alloc_fail, 0);
70063 - atomic_set(&n_rcu_torture_free, 0);
70064 - atomic_set(&n_rcu_torture_mberror, 0);
70065 - atomic_set(&n_rcu_torture_error, 0);
70066 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
70067 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
70068 + atomic_set_unchecked(&n_rcu_torture_free, 0);
70069 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
70070 + atomic_set_unchecked(&n_rcu_torture_error, 0);
70071 n_rcu_torture_boost_ktrerror = 0;
70072 n_rcu_torture_boost_rterror = 0;
70073 n_rcu_torture_boost_allocerror = 0;
70074 @@ -1491,7 +1491,7 @@ rcu_torture_init(void)
70075 n_rcu_torture_boost_failure = 0;
70076 n_rcu_torture_boosts = 0;
70077 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
70078 - atomic_set(&rcu_torture_wcount[i], 0);
70079 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
70080 for_each_possible_cpu(cpu) {
70081 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70082 per_cpu(rcu_torture_count, cpu)[i] = 0;
70083 diff -urNp linux-2.6.39.2/kernel/rcutree.c linux-2.6.39.2/kernel/rcutree.c
70084 --- linux-2.6.39.2/kernel/rcutree.c 2011-05-19 00:06:34.000000000 -0400
70085 +++ linux-2.6.39.2/kernel/rcutree.c 2011-05-22 19:36:33.000000000 -0400
70086 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
70087 /*
70088 * Do softirq processing for the current CPU.
70089 */
70090 -static void rcu_process_callbacks(struct softirq_action *unused)
70091 +static void rcu_process_callbacks(void)
70092 {
70093 /*
70094 * Memory references from any prior RCU read-side critical sections
70095 diff -urNp linux-2.6.39.2/kernel/rcutree_plugin.h linux-2.6.39.2/kernel/rcutree_plugin.h
70096 --- linux-2.6.39.2/kernel/rcutree_plugin.h 2011-05-19 00:06:34.000000000 -0400
70097 +++ linux-2.6.39.2/kernel/rcutree_plugin.h 2011-05-22 19:36:33.000000000 -0400
70098 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
70099
70100 /* Clean up and exit. */
70101 smp_mb(); /* ensure expedited GP seen before counter increment. */
70102 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
70103 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
70104 unlock_mb_ret:
70105 mutex_unlock(&sync_rcu_preempt_exp_mutex);
70106 mb_ret:
70107 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
70108
70109 #else /* #ifndef CONFIG_SMP */
70110
70111 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
70112 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
70113 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
70114 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
70115
70116 static int synchronize_sched_expedited_cpu_stop(void *data)
70117 {
70118 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
70119 int firstsnap, s, snap, trycount = 0;
70120
70121 /* Note that atomic_inc_return() implies full memory barrier. */
70122 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
70123 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
70124 get_online_cpus();
70125
70126 /*
70127 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
70128 }
70129
70130 /* Check to see if someone else did our work for us. */
70131 - s = atomic_read(&sync_sched_expedited_done);
70132 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70133 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
70134 smp_mb(); /* ensure test happens before caller kfree */
70135 return;
70136 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
70137 * grace period works for us.
70138 */
70139 get_online_cpus();
70140 - snap = atomic_read(&sync_sched_expedited_started) - 1;
70141 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
70142 smp_mb(); /* ensure read is before try_stop_cpus(). */
70143 }
70144
70145 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
70146 * than we did beat us to the punch.
70147 */
70148 do {
70149 - s = atomic_read(&sync_sched_expedited_done);
70150 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70151 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
70152 smp_mb(); /* ensure test happens before caller kfree */
70153 break;
70154 }
70155 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
70156 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
70157
70158 put_online_cpus();
70159 }
70160 diff -urNp linux-2.6.39.2/kernel/relay.c linux-2.6.39.2/kernel/relay.c
70161 --- linux-2.6.39.2/kernel/relay.c 2011-05-19 00:06:34.000000000 -0400
70162 +++ linux-2.6.39.2/kernel/relay.c 2011-05-22 19:36:33.000000000 -0400
70163 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
70164 };
70165 ssize_t ret;
70166
70167 + pax_track_stack();
70168 +
70169 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
70170 return 0;
70171 if (splice_grow_spd(pipe, &spd))
70172 diff -urNp linux-2.6.39.2/kernel/resource.c linux-2.6.39.2/kernel/resource.c
70173 --- linux-2.6.39.2/kernel/resource.c 2011-05-19 00:06:34.000000000 -0400
70174 +++ linux-2.6.39.2/kernel/resource.c 2011-05-22 19:41:42.000000000 -0400
70175 @@ -133,8 +133,18 @@ static const struct file_operations proc
70176
70177 static int __init ioresources_init(void)
70178 {
70179 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70180 +#ifdef CONFIG_GRKERNSEC_PROC_USER
70181 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
70182 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
70183 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70184 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
70185 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
70186 +#endif
70187 +#else
70188 proc_create("ioports", 0, NULL, &proc_ioports_operations);
70189 proc_create("iomem", 0, NULL, &proc_iomem_operations);
70190 +#endif
70191 return 0;
70192 }
70193 __initcall(ioresources_init);
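Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is defined, the inner `#ifdef`/`#elif` has no arm that applies and `ioresources_init()` creates neither `ioports` nor `iomem`. Kconfig dependencies may exclude that combination, but nothing in this hunk enforces it. Either add an inner `#else` that falls back to the most restrictive mode, `proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);` and the same for `iomem`, or state the assumption with an `#error` so a misconfigured build fails instead of silently dropping the entries.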
70194 diff -urNp linux-2.6.39.2/kernel/rtmutex-tester.c linux-2.6.39.2/kernel/rtmutex-tester.c
70195 --- linux-2.6.39.2/kernel/rtmutex-tester.c 2011-05-19 00:06:34.000000000 -0400
70196 +++ linux-2.6.39.2/kernel/rtmutex-tester.c 2011-05-22 19:36:33.000000000 -0400
70197 @@ -20,7 +20,7 @@
70198 #define MAX_RT_TEST_MUTEXES 8
70199
70200 static spinlock_t rttest_lock;
70201 -static atomic_t rttest_event;
70202 +static atomic_unchecked_t rttest_event;
70203
70204 struct test_thread_data {
70205 int opcode;
70206 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
70207
70208 case RTTEST_LOCKCONT:
70209 td->mutexes[td->opdata] = 1;
70210 - td->event = atomic_add_return(1, &rttest_event);
70211 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70212 return 0;
70213
70214 case RTTEST_RESET:
70215 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
70216 return 0;
70217
70218 case RTTEST_RESETEVENT:
70219 - atomic_set(&rttest_event, 0);
70220 + atomic_set_unchecked(&rttest_event, 0);
70221 return 0;
70222
70223 default:
70224 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
70225 return ret;
70226
70227 td->mutexes[id] = 1;
70228 - td->event = atomic_add_return(1, &rttest_event);
70229 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70230 rt_mutex_lock(&mutexes[id]);
70231 - td->event = atomic_add_return(1, &rttest_event);
70232 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70233 td->mutexes[id] = 4;
70234 return 0;
70235
70236 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
70237 return ret;
70238
70239 td->mutexes[id] = 1;
70240 - td->event = atomic_add_return(1, &rttest_event);
70241 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70242 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
70243 - td->event = atomic_add_return(1, &rttest_event);
70244 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70245 td->mutexes[id] = ret ? 0 : 4;
70246 return ret ? -EINTR : 0;
70247
70248 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
70249 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70250 return ret;
70251
70252 - td->event = atomic_add_return(1, &rttest_event);
70253 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70254 rt_mutex_unlock(&mutexes[id]);
70255 - td->event = atomic_add_return(1, &rttest_event);
70256 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70257 td->mutexes[id] = 0;
70258 return 0;
70259
70260 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
70261 break;
70262
70263 td->mutexes[dat] = 2;
70264 - td->event = atomic_add_return(1, &rttest_event);
70265 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70266 break;
70267
70268 default:
70269 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
70270 return;
70271
70272 td->mutexes[dat] = 3;
70273 - td->event = atomic_add_return(1, &rttest_event);
70274 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70275 break;
70276
70277 case RTTEST_LOCKNOWAIT:
70278 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
70279 return;
70280
70281 td->mutexes[dat] = 1;
70282 - td->event = atomic_add_return(1, &rttest_event);
70283 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70284 return;
70285
70286 default:
70287 diff -urNp linux-2.6.39.2/kernel/sched_autogroup.c linux-2.6.39.2/kernel/sched_autogroup.c
70288 --- linux-2.6.39.2/kernel/sched_autogroup.c 2011-05-19 00:06:34.000000000 -0400
70289 +++ linux-2.6.39.2/kernel/sched_autogroup.c 2011-05-22 19:36:33.000000000 -0400
70290 @@ -7,7 +7,7 @@
70291
70292 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
70293 static struct autogroup autogroup_default;
70294 -static atomic_t autogroup_seq_nr;
70295 +static atomic_unchecked_t autogroup_seq_nr;
70296
70297 static void __init autogroup_init(struct task_struct *init_task)
70298 {
70299 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
70300
70301 kref_init(&ag->kref);
70302 init_rwsem(&ag->lock);
70303 - ag->id = atomic_inc_return(&autogroup_seq_nr);
70304 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
70305 ag->tg = tg;
70306 #ifdef CONFIG_RT_GROUP_SCHED
70307 /*
70308 diff -urNp linux-2.6.39.2/kernel/sched.c linux-2.6.39.2/kernel/sched.c
70309 --- linux-2.6.39.2/kernel/sched.c 2011-05-19 00:06:34.000000000 -0400
70310 +++ linux-2.6.39.2/kernel/sched.c 2011-05-23 17:07:00.000000000 -0400
70311 @@ -4078,6 +4078,8 @@ asmlinkage void __sched schedule(void)
70312 struct rq *rq;
70313 int cpu;
70314
70315 + pax_track_stack();
70316 +
70317 need_resched:
70318 preempt_disable();
70319 cpu = smp_processor_id();
70320 @@ -4165,7 +4167,7 @@ EXPORT_SYMBOL(schedule);
70321 * Look out! "owner" is an entirely speculative pointer
70322 * access and not reliable.
70323 */
70324 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70325 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70326 {
70327 unsigned int cpu;
70328 struct rq *rq;
70329 @@ -4179,10 +4181,10 @@ int mutex_spin_on_owner(struct mutex *lo
70330 * DEBUG_PAGEALLOC could have unmapped it if
70331 * the mutex owner just released it and exited.
70332 */
70333 - if (probe_kernel_address(&owner->cpu, cpu))
70334 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70335 return 0;
70336 #else
70337 - cpu = owner->cpu;
70338 + cpu = task_thread_info(owner)->cpu;
70339 #endif
70340
70341 /*
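Review bot: In both changed lines `task_thread_info(owner)` is expanded before `probe_kernel_address()` receives the address, so the fault-safe read covers only `->cpu` and not whatever the macro itself does with `owner`. With the generic definition the macro loads `owner->stack`, which would be an unguarded read of the pointer the surrounding comment calls speculative. This tree may define it as plain address arithmetic (not visible here), in which case the code is fine. Either way a comment should record the dependency, e.g. `/* relies on task_thread_info() not dereferencing owner */`. mutex_spin_on_owner starts and ends outside the hunk.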
70342 @@ -4219,7 +4221,7 @@ int mutex_spin_on_owner(struct mutex *lo
70343 /*
70344 * Is that owner really running on that cpu?
70345 */
70346 - if (task_thread_info(rq->curr) != owner || need_resched())
70347 + if (rq->curr != owner || need_resched())
70348 return 0;
70349
70350 arch_mutex_cpu_relax();
70351 @@ -4778,6 +4780,8 @@ int can_nice(const struct task_struct *p
70352 /* convert nice value [19,-20] to rlimit style value [1,40] */
70353 int nice_rlim = 20 - nice;
70354
70355 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70356 +
70357 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
70358 capable(CAP_SYS_NICE));
70359 }
70360 @@ -4811,7 +4815,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70361 if (nice > 19)
70362 nice = 19;
70363
70364 - if (increment < 0 && !can_nice(current, nice))
70365 + if (increment < 0 && (!can_nice(current, nice) ||
70366 + gr_handle_chroot_nice()))
70367 return -EPERM;
70368
70369 retval = security_task_setnice(current, nice);
70370 @@ -4957,6 +4962,7 @@ recheck:
70371 unsigned long rlim_rtprio =
70372 task_rlimit(p, RLIMIT_RTPRIO);
70373
70374 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
70375 /* can't set/change the rt policy */
70376 if (policy != p->policy && !rlim_rtprio)
70377 return -EPERM;
70378 @@ -7164,7 +7170,7 @@ static void init_sched_groups_power(int
70379 long power;
70380 int weight;
70381
70382 - WARN_ON(!sd || !sd->groups);
70383 + BUG_ON(!sd || !sd->groups);
70384
70385 if (cpu != group_first_cpu(sd->groups))
70386 return;
70387 diff -urNp linux-2.6.39.2/kernel/sched_fair.c linux-2.6.39.2/kernel/sched_fair.c
70388 --- linux-2.6.39.2/kernel/sched_fair.c 2011-05-19 00:06:34.000000000 -0400
70389 +++ linux-2.6.39.2/kernel/sched_fair.c 2011-05-22 19:36:33.000000000 -0400
70390 @@ -3999,7 +3999,7 @@ static void nohz_idle_balance(int this_c
70391 * run_rebalance_domains is triggered when needed from the scheduler tick.
70392 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
70393 */
70394 -static void run_rebalance_domains(struct softirq_action *h)
70395 +static void run_rebalance_domains(void)
70396 {
70397 int this_cpu = smp_processor_id();
70398 struct rq *this_rq = cpu_rq(this_cpu);
70399 diff -urNp linux-2.6.39.2/kernel/signal.c linux-2.6.39.2/kernel/signal.c
70400 --- linux-2.6.39.2/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
70401 +++ linux-2.6.39.2/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
70402 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
70403
70404 int print_fatal_signals __read_mostly;
70405
70406 -static void __user *sig_handler(struct task_struct *t, int sig)
70407 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
70408 {
70409 return t->sighand->action[sig - 1].sa.sa_handler;
70410 }
70411
70412 -static int sig_handler_ignored(void __user *handler, int sig)
70413 +static int sig_handler_ignored(__sighandler_t handler, int sig)
70414 {
70415 /* Is it explicitly or implicitly ignored? */
70416 return handler == SIG_IGN ||
70417 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
70418 static int sig_task_ignored(struct task_struct *t, int sig,
70419 int from_ancestor_ns)
70420 {
70421 - void __user *handler;
70422 + __sighandler_t handler;
70423
70424 handler = sig_handler(t, sig);
70425
70426 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
70427 atomic_inc(&user->sigpending);
70428 rcu_read_unlock();
70429
70430 + if (!override_rlimit)
70431 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70432 +
70433 if (override_rlimit ||
70434 atomic_read(&user->sigpending) <=
70435 task_rlimit(t, RLIMIT_SIGPENDING)) {
70436 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
70437
70438 int unhandled_signal(struct task_struct *tsk, int sig)
70439 {
70440 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70441 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70442 if (is_global_init(tsk))
70443 return 1;
70444 if (handler != SIG_IGN && handler != SIG_DFL)
70445 @@ -693,6 +696,9 @@ static int check_kill_permission(int sig
70446 }
70447 }
70448
70449 + if (gr_handle_signal(t, sig))
70450 + return -EPERM;
70451 +
70452 return security_task_kill(t, info, sig, 0);
70453 }
70454
70455 @@ -1041,7 +1047,7 @@ __group_send_sig_info(int sig, struct si
70456 return send_signal(sig, info, p, 1);
70457 }
70458
70459 -static int
70460 +int
70461 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70462 {
70463 return send_signal(sig, info, t, 0);
70464 @@ -1078,6 +1084,7 @@ force_sig_info(int sig, struct siginfo *
70465 unsigned long int flags;
70466 int ret, blocked, ignored;
70467 struct k_sigaction *action;
70468 + int is_unhandled = 0;
70469
70470 spin_lock_irqsave(&t->sighand->siglock, flags);
70471 action = &t->sighand->action[sig-1];
70472 @@ -1092,9 +1099,18 @@ force_sig_info(int sig, struct siginfo *
70473 }
70474 if (action->sa.sa_handler == SIG_DFL)
70475 t->signal->flags &= ~SIGNAL_UNKILLABLE;
70476 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70477 + is_unhandled = 1;
70478 ret = specific_send_sig_info(sig, info, t);
70479 spin_unlock_irqrestore(&t->sighand->siglock, flags);
70480
70481 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
70482 + normal operation */
70483 + if (is_unhandled) {
70484 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70485 + gr_handle_crash(t, sig);
70486 + }
70487 +
70488 return ret;
70489 }
70490
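Review bot: `info->si_addr` is handed to `gr_log_signal()` for every non-special siginfo, but that field is only meaningful when the siginfo uses the fault layout; for other layouts the same union storage holds unrelated fields such as the sender's pid. `is_si_special()` filters out the sentinel pointers only. Unless `gr_log_signal()` (not visible here) ignores the address for non-fault signals, the log can carry a bogus address. The same expression appears in the group_send_sig_info hunk (@@ -1153), where user-sent signals are the common case. A comment at both call sites would make the contract explicit: `/* addr is valid only for fault siginfo; gr_log_signal() must ignore it otherwise */`. force_sig_info starts outside the hunk.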
70491 @@ -1153,8 +1169,11 @@ int group_send_sig_info(int sig, struct
70492 ret = check_kill_permission(sig, info, p);
70493 rcu_read_unlock();
70494
70495 - if (!ret && sig)
70496 + if (!ret && sig) {
70497 ret = do_send_sig_info(sig, info, p, true);
70498 + if (!ret)
70499 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70500 + }
70501
70502 return ret;
70503 }
70504 @@ -1718,6 +1737,8 @@ void ptrace_notify(int exit_code)
70505 {
70506 siginfo_t info;
70507
70508 + pax_track_stack();
70509 +
70510 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70511
70512 memset(&info, 0, sizeof info);
70513 diff -urNp linux-2.6.39.2/kernel/smp.c linux-2.6.39.2/kernel/smp.c
70514 --- linux-2.6.39.2/kernel/smp.c 2011-05-19 00:06:34.000000000 -0400
70515 +++ linux-2.6.39.2/kernel/smp.c 2011-05-22 19:36:33.000000000 -0400
70516 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
70517 }
70518 EXPORT_SYMBOL(smp_call_function);
70519
70520 -void ipi_call_lock(void)
70521 +void ipi_call_lock(void) __acquires(call_function.lock)
70522 {
70523 raw_spin_lock(&call_function.lock);
70524 }
70525
70526 -void ipi_call_unlock(void)
70527 +void ipi_call_unlock(void) __releases(call_function.lock)
70528 {
70529 raw_spin_unlock(&call_function.lock);
70530 }
70531
70532 -void ipi_call_lock_irq(void)
70533 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
70534 {
70535 raw_spin_lock_irq(&call_function.lock);
70536 }
70537
70538 -void ipi_call_unlock_irq(void)
70539 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
70540 {
70541 raw_spin_unlock_irq(&call_function.lock);
70542 }
70543 diff -urNp linux-2.6.39.2/kernel/softirq.c linux-2.6.39.2/kernel/softirq.c
70544 --- linux-2.6.39.2/kernel/softirq.c 2011-05-19 00:06:34.000000000 -0400
70545 +++ linux-2.6.39.2/kernel/softirq.c 2011-05-22 19:36:33.000000000 -0400
70546 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70547
70548 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70549
70550 -char *softirq_to_name[NR_SOFTIRQS] = {
70551 +const char * const softirq_to_name[NR_SOFTIRQS] = {
70552 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70553 "TASKLET", "SCHED", "HRTIMER", "RCU"
70554 };
70555 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70556
70557 asmlinkage void __do_softirq(void)
70558 {
70559 - struct softirq_action *h;
70560 + const struct softirq_action *h;
70561 __u32 pending;
70562 int max_restart = MAX_SOFTIRQ_RESTART;
70563 int cpu;
70564 @@ -235,7 +235,7 @@ restart:
70565 kstat_incr_softirqs_this_cpu(vec_nr);
70566
70567 trace_softirq_entry(vec_nr);
70568 - h->action(h);
70569 + h->action();
70570 trace_softirq_exit(vec_nr);
70571 if (unlikely(prev_count != preempt_count())) {
70572 printk(KERN_ERR "huh, entered softirq %u %s %p"
70573 @@ -377,7 +377,7 @@ void raise_softirq(unsigned int nr)
70574 local_irq_restore(flags);
70575 }
70576
70577 -void open_softirq(int nr, void (*action)(struct softirq_action *))
70578 +void open_softirq(int nr, void (*action)(void))
70579 {
70580 softirq_vec[nr].action = action;
70581 }
70582 @@ -433,7 +433,7 @@ void __tasklet_hi_schedule_first(struct
70583
70584 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70585
70586 -static void tasklet_action(struct softirq_action *a)
70587 +static void tasklet_action(void)
70588 {
70589 struct tasklet_struct *list;
70590
70591 @@ -468,7 +468,7 @@ static void tasklet_action(struct softir
70592 }
70593 }
70594
70595 -static void tasklet_hi_action(struct softirq_action *a)
70596 +static void tasklet_hi_action(void)
70597 {
70598 struct tasklet_struct *list;
70599
70600 diff -urNp linux-2.6.39.2/kernel/sys.c linux-2.6.39.2/kernel/sys.c
70601 --- linux-2.6.39.2/kernel/sys.c 2011-05-19 00:06:34.000000000 -0400
70602 +++ linux-2.6.39.2/kernel/sys.c 2011-05-22 21:08:10.000000000 -0400
70603 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
70604 error = -EACCES;
70605 goto out;
70606 }
70607 +
70608 + if (gr_handle_chroot_setpriority(p, niceval)) {
70609 + error = -EACCES;
70610 + goto out;
70611 + }
70612 +
70613 no_nice = security_task_setnice(p, niceval);
70614 if (no_nice) {
70615 error = no_nice;
70616 @@ -538,6 +544,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70617 goto error;
70618 }
70619
70620 + if (gr_check_group_change(new->gid, new->egid, -1))
70621 + goto error;
70622 +
70623 if (rgid != (gid_t) -1 ||
70624 (egid != (gid_t) -1 && egid != old->gid))
70625 new->sgid = new->egid;
70626 @@ -567,6 +576,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70627 old = current_cred();
70628
70629 retval = -EPERM;
70630 +
70631 + if (gr_check_group_change(gid, gid, gid))
70632 + goto error;
70633 +
70634 if (nsown_capable(CAP_SETGID))
70635 new->gid = new->egid = new->sgid = new->fsgid = gid;
70636 else if (gid == old->gid || gid == old->sgid)
70637 @@ -647,6 +660,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70638 goto error;
70639 }
70640
70641 + if (gr_check_user_change(new->uid, new->euid, -1))
70642 + goto error;
70643 +
70644 if (new->uid != old->uid) {
70645 retval = set_user(new);
70646 if (retval < 0)
70647 @@ -691,6 +707,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70648 old = current_cred();
70649
70650 retval = -EPERM;
70651 +
70652 + if (gr_check_crash_uid(uid))
70653 + goto error;
70654 + if (gr_check_user_change(uid, uid, uid))
70655 + goto error;
70656 +
70657 if (nsown_capable(CAP_SETUID)) {
70658 new->suid = new->uid = uid;
70659 if (uid != old->uid) {
70660 @@ -745,6 +767,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70661 goto error;
70662 }
70663
70664 + if (gr_check_user_change(ruid, euid, -1))
70665 + goto error;
70666 +
70667 if (ruid != (uid_t) -1) {
70668 new->uid = ruid;
70669 if (ruid != old->uid) {
70670 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70671 goto error;
70672 }
70673
70674 + if (gr_check_group_change(rgid, egid, -1))
70675 + goto error;
70676 +
70677 if (rgid != (gid_t) -1)
70678 new->gid = rgid;
70679 if (egid != (gid_t) -1)
70680 @@ -855,6 +883,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70681 old = current_cred();
70682 old_fsuid = old->fsuid;
70683
70684 + if (gr_check_user_change(-1, -1, uid))
70685 + goto error;
70686 +
70687 if (uid == old->uid || uid == old->euid ||
70688 uid == old->suid || uid == old->fsuid ||
70689 nsown_capable(CAP_SETUID)) {
70690 @@ -865,6 +896,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70691 }
70692 }
70693
70694 +error:
70695 abort_creds(new);
70696 return old_fsuid;
70697
70698 @@ -891,12 +923,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70699 if (gid == old->gid || gid == old->egid ||
70700 gid == old->sgid || gid == old->fsgid ||
70701 nsown_capable(CAP_SETGID)) {
70702 + if (gr_check_group_change(-1, -1, gid))
70703 + goto error;
70704 +
70705 if (gid != old_fsgid) {
70706 new->fsgid = gid;
70707 goto change_okay;
70708 }
70709 }
70710
70711 +error:
70712 abort_creds(new);
70713 return old_fsgid;
70714
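Review bot: The `gr_check_group_change(-1, -1, gid)` call sits inside the branch that has already passed the kernel's own permission test, while the matching `gr_check_user_change(-1, -1, uid)` in the setfsuid hunk (@@ -855) runs before that test. The two syscalls are otherwise parallel, so the policy hook is consulted for different sets of requests, which may also change what it logs (the hook bodies are not visible here). Pick one placement for both; to match setfsuid, move `if (gr_check_group_change(-1, -1, gid)) goto error;` above the `if (gid == old->gid || ...` test. The setfsgid body starts outside the hunk.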
70715 @@ -1643,7 +1679,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70716 error = get_dumpable(me->mm);
70717 break;
70718 case PR_SET_DUMPABLE:
70719 - if (arg2 < 0 || arg2 > 1) {
70720 + if (arg2 > 1) {
70721 error = -EINVAL;
70722 break;
70723 }
70724 diff -urNp linux-2.6.39.2/kernel/sysctl.c linux-2.6.39.2/kernel/sysctl.c
70725 --- linux-2.6.39.2/kernel/sysctl.c 2011-05-19 00:06:34.000000000 -0400
70726 +++ linux-2.6.39.2/kernel/sysctl.c 2011-05-22 20:23:10.000000000 -0400
70727 @@ -84,6 +84,13 @@
70728
70729
70730 #if defined(CONFIG_SYSCTL)
70731 +#include <linux/grsecurity.h>
70732 +#include <linux/grinternal.h>
70733 +
70734 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70735 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70736 + const int op);
70737 +extern int gr_handle_chroot_sysctl(const int op);
70738
70739 /* External variables not in a header file. */
70740 extern int sysctl_overcommit_memory;
70741 @@ -196,6 +203,7 @@ static int sysrq_sysctl_handler(ctl_tabl
70742 }
70743
70744 #endif
70745 +extern struct ctl_table grsecurity_table[];
70746
70747 static struct ctl_table root_table[];
70748 static struct ctl_table_root sysctl_table_root;
70749 @@ -225,6 +233,20 @@ extern struct ctl_table epoll_table[];
70750 int sysctl_legacy_va_layout;
70751 #endif
70752
70753 +#ifdef CONFIG_PAX_SOFTMODE
70754 +static ctl_table pax_table[] = {
70755 + {
70756 + .procname = "softmode",
70757 + .data = &pax_softmode,
70758 + .maxlen = sizeof(unsigned int),
70759 + .mode = 0600,
70760 + .proc_handler = &proc_dointvec,
70761 + },
70762 +
70763 + { }
70764 +};
70765 +#endif
70766 +
70767 /* The default sysctl tables: */
70768
70769 static struct ctl_table root_table[] = {
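Review bot: The `softmode` entry accepts any integer through `proc_dointvec` and sizes the buffer with `sizeof(unsigned int)` instead of the variable itself. If `pax_softmode` is an on/off switch (its declaration is not in this hunk), bounding the write keeps out-of-range values from being stored: `.maxlen = sizeof(pax_softmode),` and `.proc_handler = proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`, using the `zero`/`one` bounds other entries in this file already reference. The `heap_stack_gap` entry added later in this file already uses the `sizeof(variable)` form, so this would also make the two additions consistent.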
70770 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
70771 #endif
70772
70773 static struct ctl_table kern_table[] = {
70774 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
70775 + {
70776 + .procname = "grsecurity",
70777 + .mode = 0500,
70778 + .child = grsecurity_table,
70779 + },
70780 +#endif
70781 +
70782 +#ifdef CONFIG_PAX_SOFTMODE
70783 + {
70784 + .procname = "pax",
70785 + .mode = 0500,
70786 + .child = pax_table,
70787 + },
70788 +#endif
70789 +
70790 {
70791 .procname = "sched_child_runs_first",
70792 .data = &sysctl_sched_child_runs_first,
70793 @@ -545,7 +583,7 @@ static struct ctl_table kern_table[] = {
70794 .data = &modprobe_path,
70795 .maxlen = KMOD_PATH_LEN,
70796 .mode = 0644,
70797 - .proc_handler = proc_dostring,
70798 + .proc_handler = proc_dostring_modpriv,
70799 },
70800 {
70801 .procname = "modules_disabled",
70802 @@ -707,16 +745,20 @@ static struct ctl_table kern_table[] = {
70803 .extra1 = &zero,
70804 .extra2 = &one,
70805 },
70806 +#endif
70807 {
70808 .procname = "kptr_restrict",
70809 .data = &kptr_restrict,
70810 .maxlen = sizeof(int),
70811 .mode = 0644,
70812 .proc_handler = proc_dmesg_restrict,
70813 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70814 + .extra1 = &two,
70815 +#else
70816 .extra1 = &zero,
70817 +#endif
70818 .extra2 = &two,
70819 },
70820 -#endif
70821 {
70822 .procname = "ngroups_max",
70823 .data = &ngroups_max,
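Review bot: Moving the `#endif` above the `kptr_restrict` entry takes the entry out of a conditional that opens outside this hunk, yet it still uses `proc_dmesg_restrict` as its handler. If that handler is only defined under the same conditional, the table no longer builds when the option is off, so confirm the handler is compiled unconditionally. With CONFIG_GRKERNSEC_HIDESYM both bounds are `&two`, which pins the value; a comment such as `/* HIDESYM: only 2 is accepted */` would spare readers working that out. The variable's initial value (set elsewhere) then has to be 2 as well, since the bounds only constrain writes.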
70824 @@ -1189,6 +1231,13 @@ static struct ctl_table vm_table[] = {
70825 .proc_handler = proc_dointvec_minmax,
70826 .extra1 = &zero,
70827 },
70828 + {
70829 + .procname = "heap_stack_gap",
70830 + .data = &sysctl_heap_stack_gap,
70831 + .maxlen = sizeof(sysctl_heap_stack_gap),
70832 + .mode = 0644,
70833 + .proc_handler = proc_doulongvec_minmax,
70834 + },
70835 #else
70836 {
70837 .procname = "nr_trim_pages",
70838 @@ -1698,6 +1747,17 @@ static int test_perm(int mode, int op)
70839 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
70840 {
70841 int mode;
70842 + int error;
70843 +
70844 + if (table->parent != NULL && table->parent->procname != NULL &&
70845 + table->procname != NULL &&
70846 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
70847 + return -EACCES;
70848 + if (gr_handle_chroot_sysctl(op))
70849 + return -EACCES;
70850 + error = gr_handle_sysctl(table, op);
70851 + if (error)
70852 + return error;
70853
70854 if (root->permissions)
70855 mode = root->permissions(root, current->nsproxy, table);
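Review bot: `gr_handle_sysctl()` is declared in the first sysctl.c hunk (@@ -84) as returning `__u32`, but here its result is stored in `int error` and returned as the errno of sysctl_perm(). A negative errno only survives that round trip through the unsigned type by conversion. Declaring it `extern int gr_handle_sysctl(const ctl_table *table, const int op);` states the contract, provided the definition (not visible here) agrees. The three `extern` prototypes would also be better placed in the grsecurity header this file now includes, so the compiler checks them against the definitions. sysctl_perm continues outside the hunk.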
70856 @@ -2102,6 +2162,16 @@ int proc_dostring(struct ctl_table *tabl
70857 buffer, lenp, ppos);
70858 }
70859
70860 +int proc_dostring_modpriv(struct ctl_table *table, int write,
70861 + void __user *buffer, size_t *lenp, loff_t *ppos)
70862 +{
70863 + if (write && !capable(CAP_SYS_MODULE))
70864 + return -EPERM;
70865 +
70866 + return _proc_do_string(table->data, table->maxlen, write,
70867 + buffer, lenp, ppos);
70868 +}
70869 +
70870 static size_t proc_skip_spaces(char **buf)
70871 {
70872 size_t ret;
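Review bot: `proc_dostring_modpriv()` has no comment stating how it differs from `proc_dostring()`, and that difference is the security property. From the visible body, reads are unchanged and writes additionally require `CAP_SYS_MODULE`, on top of the entry's file mode. A short header comment would record that for future users of the handler, e.g. `/* proc_dostring() variant: writes also require CAP_SYS_MODULE */`.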
70873 @@ -2207,6 +2277,8 @@ static int proc_put_long(void __user **b
70874 len = strlen(tmp);
70875 if (len > *size)
70876 len = *size;
70877 + if (len > sizeof(tmp))
70878 + len = sizeof(tmp);
70879 if (copy_to_user(*buf, tmp, len))
70880 return -EFAULT;
70881 *size -= len;
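Review bot: The added clamp `if (len > sizeof(tmp))` cannot trigger for a NUL-terminated `tmp`, because `len` was just taken from `strlen(tmp)` and that is at most `sizeof(tmp) - 1`. If the concern is that whatever fills `tmp` (outside this hunk) could overrun it, the bound belongs at that formatting call, since an overrun has already happened by the time `strlen()` runs. As written the check is harmless, but it should carry a comment saying it is defensive only, e.g. `/* defensive: strlen() of a terminated tmp is always < sizeof(tmp) */`. proc_put_long starts and ends outside the hunk.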
70882 @@ -2523,8 +2595,11 @@ static int __do_proc_doulongvec_minmax(v
70883 *i = val;
70884 } else {
70885 val = convdiv * (*i) / convmul;
70886 - if (!first)
70887 + if (!first) {
70888 err = proc_put_char(&buffer, &left, '\t');
70889 + if (err)
70890 + break;
70891 + }
70892 err = proc_put_long(&buffer, &left, val, false);
70893 if (err)
70894 break;
70895 @@ -2919,6 +2994,12 @@ int proc_dostring(struct ctl_table *tabl
70896 return -ENOSYS;
70897 }
70898
70899 +int proc_dostring_modpriv(struct ctl_table *table, int write,
70900 + void __user *buffer, size_t *lenp, loff_t *ppos)
70901 +{
70902 + return -ENOSYS;
70903 +}
70904 +
70905 int proc_dointvec(struct ctl_table *table, int write,
70906 void __user *buffer, size_t *lenp, loff_t *ppos)
70907 {
70908 @@ -2975,6 +3056,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
70909 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
70910 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
70911 EXPORT_SYMBOL(proc_dostring);
70912 +EXPORT_SYMBOL(proc_dostring_modpriv);
70913 EXPORT_SYMBOL(proc_doulongvec_minmax);
70914 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
70915 EXPORT_SYMBOL(register_sysctl_table);
70916 diff -urNp linux-2.6.39.2/kernel/sysctl_check.c linux-2.6.39.2/kernel/sysctl_check.c
70917 --- linux-2.6.39.2/kernel/sysctl_check.c 2011-05-19 00:06:34.000000000 -0400
70918 +++ linux-2.6.39.2/kernel/sysctl_check.c 2011-05-22 19:41:42.000000000 -0400
70919 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
70920 set_fail(&fail, table, "Directory with extra2");
70921 } else {
70922 if ((table->proc_handler == proc_dostring) ||
70923 + (table->proc_handler == proc_dostring_modpriv) ||
70924 (table->proc_handler == proc_dointvec) ||
70925 (table->proc_handler == proc_dointvec_minmax) ||
70926 (table->proc_handler == proc_dointvec_jiffies) ||
70927 diff -urNp linux-2.6.39.2/kernel/taskstats.c linux-2.6.39.2/kernel/taskstats.c
70928 --- linux-2.6.39.2/kernel/taskstats.c 2011-05-19 00:06:34.000000000 -0400
70929 +++ linux-2.6.39.2/kernel/taskstats.c 2011-05-22 19:41:42.000000000 -0400
70930 @@ -27,9 +27,12 @@
70931 #include <linux/cgroup.h>
70932 #include <linux/fs.h>
70933 #include <linux/file.h>
70934 +#include <linux/grsecurity.h>
70935 #include <net/genetlink.h>
70936 #include <asm/atomic.h>
70937
70938 +extern int gr_is_taskstats_denied(int pid);
70939 +
70940 /*
70941 * Maximum length of a cpumask that can be specified in
70942 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
70943 @@ -549,6 +552,9 @@ err:
70944
70945 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
70946 {
70947 + if (gr_is_taskstats_denied(current->pid))
70948 + return -EACCES;
70949 +
70950 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
70951 return cmd_attr_register_cpumask(info);
70952 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
70953 diff -urNp linux-2.6.39.2/kernel/time/posix-clock.c linux-2.6.39.2/kernel/time/posix-clock.c
70954 --- linux-2.6.39.2/kernel/time/posix-clock.c 2011-05-19 00:06:34.000000000 -0400
70955 +++ linux-2.6.39.2/kernel/time/posix-clock.c 2011-05-22 19:36:33.000000000 -0400
70956 @@ -433,7 +433,7 @@ static int pc_timer_settime(struct k_iti
70957 return err;
70958 }
70959
70960 -struct k_clock clock_posix_dynamic = {
70961 +const struct k_clock clock_posix_dynamic = {
70962 .clock_getres = pc_clock_getres,
70963 .clock_set = pc_clock_settime,
70964 .clock_get = pc_clock_gettime,
70965 diff -urNp linux-2.6.39.2/kernel/time/tick-broadcast.c linux-2.6.39.2/kernel/time/tick-broadcast.c
70966 --- linux-2.6.39.2/kernel/time/tick-broadcast.c 2011-05-19 00:06:34.000000000 -0400
70967 +++ linux-2.6.39.2/kernel/time/tick-broadcast.c 2011-05-22 19:36:33.000000000 -0400
70968 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
70969 * then clear the broadcast bit.
70970 */
70971 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
70972 - int cpu = smp_processor_id();
70973 + cpu = smp_processor_id();
70974
70975 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
70976 tick_broadcast_clear_oneshot(cpu);
70977 diff -urNp linux-2.6.39.2/kernel/time/timekeeping.c linux-2.6.39.2/kernel/time/timekeeping.c
70978 --- linux-2.6.39.2/kernel/time/timekeeping.c 2011-05-19 00:06:34.000000000 -0400
70979 +++ linux-2.6.39.2/kernel/time/timekeeping.c 2011-05-22 20:40:50.000000000 -0400
70980 @@ -14,6 +14,7 @@
70981 #include <linux/init.h>
70982 #include <linux/mm.h>
70983 #include <linux/sched.h>
70984 +#include <linux/grsecurity.h>
70985 #include <linux/syscore_ops.h>
70986 #include <linux/clocksource.h>
70987 #include <linux/jiffies.h>
70988 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
70989 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
70990 return -EINVAL;
70991
70992 + gr_log_timechange();
70993 +
70994 write_seqlock_irqsave(&xtime_lock, flags);
70995
70996 timekeeping_forward_now();
70997 diff -urNp linux-2.6.39.2/kernel/time/timer_list.c linux-2.6.39.2/kernel/time/timer_list.c
70998 --- linux-2.6.39.2/kernel/time/timer_list.c 2011-05-19 00:06:34.000000000 -0400
70999 +++ linux-2.6.39.2/kernel/time/timer_list.c 2011-05-22 19:41:42.000000000 -0400
71000 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
71001
71002 static void print_name_offset(struct seq_file *m, void *sym)
71003 {
71004 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71005 + SEQ_printf(m, "<%p>", NULL);
71006 +#else
71007 char symname[KSYM_NAME_LEN];
71008
71009 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
71010 SEQ_printf(m, "<%pK>", sym);
71011 else
71012 SEQ_printf(m, "%s", symname);
71013 +#endif
71014 }
71015
71016 static void
71017 @@ -112,7 +116,11 @@ next_one:
71018 static void
71019 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
71020 {
71021 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71022 + SEQ_printf(m, " .base: %p\n", NULL);
71023 +#else
71024 SEQ_printf(m, " .base: %pK\n", base);
71025 +#endif
71026 SEQ_printf(m, " .index: %d\n",
71027 base->index);
71028 SEQ_printf(m, " .resolution: %Lu nsecs\n",
71029 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
71030 {
71031 struct proc_dir_entry *pe;
71032
71033 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71034 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
71035 +#else
71036 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
71037 +#endif
71038 if (!pe)
71039 return -ENOMEM;
71040 return 0;
71041 diff -urNp linux-2.6.39.2/kernel/time/timer_stats.c linux-2.6.39.2/kernel/time/timer_stats.c
71042 --- linux-2.6.39.2/kernel/time/timer_stats.c 2011-05-19 00:06:34.000000000 -0400
71043 +++ linux-2.6.39.2/kernel/time/timer_stats.c 2011-05-22 19:41:42.000000000 -0400
71044 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
71045 static unsigned long nr_entries;
71046 static struct entry entries[MAX_ENTRIES];
71047
71048 -static atomic_t overflow_count;
71049 +static atomic_unchecked_t overflow_count;
71050
71051 /*
71052 * The entries are in a hash-table, for fast lookup:
71053 @@ -140,7 +140,7 @@ static void reset_entries(void)
71054 nr_entries = 0;
71055 memset(entries, 0, sizeof(entries));
71056 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
71057 - atomic_set(&overflow_count, 0);
71058 + atomic_set_unchecked(&overflow_count, 0);
71059 }
71060
71061 static struct entry *alloc_entry(void)
71062 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
71063 if (likely(entry))
71064 entry->count++;
71065 else
71066 - atomic_inc(&overflow_count);
71067 + atomic_inc_unchecked(&overflow_count);
71068
71069 out_unlock:
71070 raw_spin_unlock_irqrestore(lock, flags);
71071 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
71072
71073 static void print_name_offset(struct seq_file *m, unsigned long addr)
71074 {
71075 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71076 + seq_printf(m, "<%p>", NULL);
71077 +#else
71078 char symname[KSYM_NAME_LEN];
71079
71080 if (lookup_symbol_name(addr, symname) < 0)
71081 seq_printf(m, "<%p>", (void *)addr);
71082 else
71083 seq_printf(m, "%s", symname);
71084 +#endif
71085 }
71086
71087 static int tstats_show(struct seq_file *m, void *v)
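Review bot: In the branch kept for kernels without CONFIG_GRKERNSEC_HIDESYM, the fallback still prints the raw address with `"<%p>"`, whereas the same helper in timer_list.c uses `"<%pK>"`. Using `seq_printf(m, "<%pK>", (void *)addr);` here would let `kptr_restrict` govern this output too. The last hunk of this file creates `timer_stats` with mode 0644 when CONFIG_GRKERNSEC_PROC_ADD is off, so in that configuration unprivileged readers can see these addresses.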
71088 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
71089
71090 seq_puts(m, "Timer Stats Version: v0.2\n");
71091 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
71092 - if (atomic_read(&overflow_count))
71093 + if (atomic_read_unchecked(&overflow_count))
71094 seq_printf(m, "Overflow: %d entries\n",
71095 - atomic_read(&overflow_count));
71096 + atomic_read_unchecked(&overflow_count));
71097
71098 for (i = 0; i < nr_entries; i++) {
71099 entry = entries + i;
71100 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
71101 {
71102 struct proc_dir_entry *pe;
71103
71104 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71105 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
71106 +#else
71107 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
71108 +#endif
71109 if (!pe)
71110 return -ENOMEM;
71111 return 0;
71112 diff -urNp linux-2.6.39.2/kernel/time.c linux-2.6.39.2/kernel/time.c
71113 --- linux-2.6.39.2/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
71114 +++ linux-2.6.39.2/kernel/time.c 2011-05-22 19:41:42.000000000 -0400
71115 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
71116 return error;
71117
71118 if (tz) {
71119 + /* we log in do_settimeofday called below, so don't log twice
71120 + */
71121 + if (!tv)
71122 + gr_log_timechange();
71123 +
71124 /* SMP safe, global irq locking makes it work. */
71125 sys_tz = *tz;
71126 update_vsyscall_tz();
71127 diff -urNp linux-2.6.39.2/kernel/timer.c linux-2.6.39.2/kernel/timer.c
71128 --- linux-2.6.39.2/kernel/timer.c 2011-05-19 00:06:34.000000000 -0400
71129 +++ linux-2.6.39.2/kernel/timer.c 2011-05-22 19:36:33.000000000 -0400
71130 @@ -1305,7 +1305,7 @@ void update_process_times(int user_tick)
71131 /*
71132 * This function runs timers and the timer-tq in bottom half context.
71133 */
71134 -static void run_timer_softirq(struct softirq_action *h)
71135 +static void run_timer_softirq(void)
71136 {
71137 struct tvec_base *base = __this_cpu_read(tvec_bases);
71138
71139 diff -urNp linux-2.6.39.2/kernel/trace/blktrace.c linux-2.6.39.2/kernel/trace/blktrace.c
71140 --- linux-2.6.39.2/kernel/trace/blktrace.c 2011-05-19 00:06:34.000000000 -0400
71141 +++ linux-2.6.39.2/kernel/trace/blktrace.c 2011-05-22 19:36:33.000000000 -0400
71142 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
71143 struct blk_trace *bt = filp->private_data;
71144 char buf[16];
71145
71146 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
71147 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
71148
71149 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
71150 }
71151 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
71152 return 1;
71153
71154 bt = buf->chan->private_data;
71155 - atomic_inc(&bt->dropped);
71156 + atomic_inc_unchecked(&bt->dropped);
71157 return 0;
71158 }
71159
71160 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
71161
71162 bt->dir = dir;
71163 bt->dev = dev;
71164 - atomic_set(&bt->dropped, 0);
71165 + atomic_set_unchecked(&bt->dropped, 0);
71166
71167 ret = -EIO;
71168 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
71169 diff -urNp linux-2.6.39.2/kernel/trace/ftrace.c linux-2.6.39.2/kernel/trace/ftrace.c
71170 --- linux-2.6.39.2/kernel/trace/ftrace.c 2011-06-03 00:04:14.000000000 -0400
71171 +++ linux-2.6.39.2/kernel/trace/ftrace.c 2011-06-03 00:32:08.000000000 -0400
71172 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
71173
71174 ip = rec->ip;
71175
71176 + ret = ftrace_arch_code_modify_prepare();
71177 + FTRACE_WARN_ON(ret);
71178 + if (ret)
71179 + return 0;
71180 +
71181 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
71182 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
71183 if (ret) {
71184 ftrace_bug(ret, ip);
71185 rec->flags |= FTRACE_FL_FAILED;
71186 - return 0;
71187 }
71188 - return 1;
71189 + return ret ? 0 : 1;
71190 }
71191
71192 /*
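Review bot: On the new early-return path (`if (ret) return 0;` after `ftrace_arch_code_modify_prepare()`), the record is reported as failed but `rec->flags` never gets `FTRACE_FL_FAILED` and `ftrace_bug()` is not called, unlike the `ftrace_make_nop()` failure path just below. If callers or later passes rely on that flag (not visible in this hunk), set it on this path as well with `rec->flags |= FTRACE_FL_FAILED;` before returning. A failure of `ftrace_arch_code_modify_post_process()` is only warned about and does not affect the return value; a comment saying that is intentional would help. ftrace_code_disable starts outside the hunk.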
71193 @@ -2011,7 +2016,7 @@ static void ftrace_free_entry_rcu(struct
71194
71195 int
71196 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71197 - void *data)
71198 + void *data)
71199 {
71200 struct ftrace_func_probe *entry;
71201 struct ftrace_page *pg;
71202 @@ -2083,7 +2088,7 @@ enum {
71203 };
71204
71205 static void
71206 -__unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71207 +__unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,
71208 void *data, int flags)
71209 {
71210 struct ftrace_func_probe *entry;
71211 @@ -2144,7 +2149,7 @@ unregister_ftrace_function_probe(char *g
71212 }
71213
71214 void
71215 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops)
71216 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops)
71217 {
71218 __unregister_ftrace_function_probe(glob, ops, NULL, PROBE_TEST_FUNC);
71219 }
71220 diff -urNp linux-2.6.39.2/kernel/trace/trace.c linux-2.6.39.2/kernel/trace/trace.c
71221 --- linux-2.6.39.2/kernel/trace/trace.c 2011-05-19 00:06:34.000000000 -0400
71222 +++ linux-2.6.39.2/kernel/trace/trace.c 2011-05-22 19:36:33.000000000 -0400
71223 @@ -3330,6 +3330,8 @@ static ssize_t tracing_splice_read_pipe(
71224 size_t rem;
71225 unsigned int i;
71226
71227 + pax_track_stack();
71228 +
71229 if (splice_grow_spd(pipe, &spd))
71230 return -ENOMEM;
71231
71232 @@ -3813,6 +3815,8 @@ tracing_buffers_splice_read(struct file
71233 int entries, size, i;
71234 size_t ret;
71235
71236 + pax_track_stack();
71237 +
71238 if (splice_grow_spd(pipe, &spd))
71239 return -ENOMEM;
71240
71241 @@ -3981,10 +3985,9 @@ static const struct file_operations trac
71242 };
71243 #endif
71244
71245 -static struct dentry *d_tracer;
71246 -
71247 struct dentry *tracing_init_dentry(void)
71248 {
71249 + static struct dentry *d_tracer;
71250 static int once;
71251
71252 if (d_tracer)
71253 @@ -4004,10 +4007,9 @@ struct dentry *tracing_init_dentry(void)
71254 return d_tracer;
71255 }
71256
71257 -static struct dentry *d_percpu;
71258 -
71259 struct dentry *tracing_dentry_percpu(void)
71260 {
71261 + static struct dentry *d_percpu;
71262 static int once;
71263 struct dentry *d_tracer;
71264
71265 diff -urNp linux-2.6.39.2/kernel/trace/trace_events.c linux-2.6.39.2/kernel/trace/trace_events.c
71266 --- linux-2.6.39.2/kernel/trace/trace_events.c 2011-05-19 00:06:34.000000000 -0400
71267 +++ linux-2.6.39.2/kernel/trace/trace_events.c 2011-05-22 19:36:33.000000000 -0400
71268 @@ -1241,10 +1241,10 @@ static LIST_HEAD(ftrace_module_file_list
71269 struct ftrace_module_file_ops {
71270 struct list_head list;
71271 struct module *mod;
71272 - struct file_operations id;
71273 - struct file_operations enable;
71274 - struct file_operations format;
71275 - struct file_operations filter;
71276 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
71277 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
71278 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
71279 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
71280 };
71281
71282 static struct ftrace_module_file_ops *
71283 diff -urNp linux-2.6.39.2/kernel/trace/trace_functions.c linux-2.6.39.2/kernel/trace/trace_functions.c
71284 --- linux-2.6.39.2/kernel/trace/trace_functions.c 2011-05-19 00:06:34.000000000 -0400
71285 +++ linux-2.6.39.2/kernel/trace/trace_functions.c 2011-05-22 19:36:33.000000000 -0400
71286 @@ -308,7 +308,7 @@ ftrace_trace_onoff_print(struct seq_file
71287 static int
71288 ftrace_trace_onoff_unreg(char *glob, char *cmd, char *param)
71289 {
71290 - struct ftrace_probe_ops *ops;
71291 + const struct ftrace_probe_ops *ops;
71292
71293 /* we register both traceon and traceoff to this callback */
71294 if (strcmp(cmd, "traceon") == 0)
71295 diff -urNp linux-2.6.39.2/kernel/trace/trace_mmiotrace.c linux-2.6.39.2/kernel/trace/trace_mmiotrace.c
71296 --- linux-2.6.39.2/kernel/trace/trace_mmiotrace.c 2011-05-19 00:06:34.000000000 -0400
71297 +++ linux-2.6.39.2/kernel/trace/trace_mmiotrace.c 2011-05-22 19:36:33.000000000 -0400
71298 @@ -24,7 +24,7 @@ struct header_iter {
71299 static struct trace_array *mmio_trace_array;
71300 static bool overrun_detected;
71301 static unsigned long prev_overruns;
71302 -static atomic_t dropped_count;
71303 +static atomic_unchecked_t dropped_count;
71304
71305 static void mmio_reset_data(struct trace_array *tr)
71306 {
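Review bot: No comment explains why `dropped_count` may wrap now that it is an `atomic_unchecked_t`. The same gap applies to the `_unchecked` accessors in the three later hunks of this file and to `inserted` in trace_workqueue.c. From their names and uses these look like statistics rather than reference counts, which would make the exemption from overflow detection reasonable, but that is an inference from the visible lines. A one-line comment on the declaration, e.g. `/* statistics only, wraparound is harmless */`, would let a reader confirm that no object lifetime depends on the value.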
71307 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
71308
71309 static unsigned long count_overruns(struct trace_iterator *iter)
71310 {
71311 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
71312 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71313 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71314
71315 if (over > prev_overruns)
71316 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
71317 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71318 sizeof(*entry), 0, pc);
71319 if (!event) {
71320 - atomic_inc(&dropped_count);
71321 + atomic_inc_unchecked(&dropped_count);
71322 return;
71323 }
71324 entry = ring_buffer_event_data(event);
71325 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
71326 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71327 sizeof(*entry), 0, pc);
71328 if (!event) {
71329 - atomic_inc(&dropped_count);
71330 + atomic_inc_unchecked(&dropped_count);
71331 return;
71332 }
71333 entry = ring_buffer_event_data(event);
71334 diff -urNp linux-2.6.39.2/kernel/trace/trace_output.c linux-2.6.39.2/kernel/trace/trace_output.c
71335 --- linux-2.6.39.2/kernel/trace/trace_output.c 2011-05-19 00:06:34.000000000 -0400
71336 +++ linux-2.6.39.2/kernel/trace/trace_output.c 2011-05-22 19:36:33.000000000 -0400
71337 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
71338
71339 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71340 if (!IS_ERR(p)) {
71341 - p = mangle_path(s->buffer + s->len, p, "\n");
71342 + p = mangle_path(s->buffer + s->len, p, "\n\\");
71343 if (p) {
71344 s->len = p - s->buffer;
71345 return 1;
71346 diff -urNp linux-2.6.39.2/kernel/trace/trace_stack.c linux-2.6.39.2/kernel/trace/trace_stack.c
71347 --- linux-2.6.39.2/kernel/trace/trace_stack.c 2011-05-19 00:06:34.000000000 -0400
71348 +++ linux-2.6.39.2/kernel/trace/trace_stack.c 2011-05-22 19:36:33.000000000 -0400
71349 @@ -50,7 +50,7 @@ static inline void check_stack(void)
71350 return;
71351
71352 /* we do not handle interrupt stacks yet */
71353 - if (!object_is_on_stack(&this_size))
71354 + if (!object_starts_on_stack(&this_size))
71355 return;
71356
71357 local_irq_save(flags);
71358 diff -urNp linux-2.6.39.2/kernel/trace/trace_workqueue.c linux-2.6.39.2/kernel/trace/trace_workqueue.c
71359 --- linux-2.6.39.2/kernel/trace/trace_workqueue.c 2011-05-19 00:06:34.000000000 -0400
71360 +++ linux-2.6.39.2/kernel/trace/trace_workqueue.c 2011-05-22 19:36:33.000000000 -0400
71361 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
71362 int cpu;
71363 pid_t pid;
71364 /* Can be inserted from interrupt or user context, need to be atomic */
71365 - atomic_t inserted;
71366 + atomic_unchecked_t inserted;
71367 /*
71368 * Don't need to be atomic, works are serialized in a single workqueue thread
71369 * on a single CPU.
71370 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
71371 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71372 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71373 if (node->pid == wq_thread->pid) {
71374 - atomic_inc(&node->inserted);
71375 + atomic_inc_unchecked(&node->inserted);
71376 goto found;
71377 }
71378 }
71379 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
71380 tsk = get_pid_task(pid, PIDTYPE_PID);
71381 if (tsk) {
71382 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71383 - atomic_read(&cws->inserted), cws->executed,
71384 + atomic_read_unchecked(&cws->inserted), cws->executed,
71385 tsk->comm);
71386 put_task_struct(tsk);
71387 }
71388 diff -urNp linux-2.6.39.2/lib/bug.c linux-2.6.39.2/lib/bug.c
71389 --- linux-2.6.39.2/lib/bug.c 2011-05-19 00:06:34.000000000 -0400
71390 +++ linux-2.6.39.2/lib/bug.c 2011-05-22 19:36:33.000000000 -0400
71391 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
71392 return BUG_TRAP_TYPE_NONE;
71393
71394 bug = find_bug(bugaddr);
71395 + if (!bug)
71396 + return BUG_TRAP_TYPE_NONE;
71397
71398 file = NULL;
71399 line = 0;
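Review bot: The new early `return BUG_TRAP_TYPE_NONE` after `find_bug()` has no comment, and it changes what callers are told when the trapping address has no bug-table entry. They now see "not a BUG" instead of whatever the rest of report_bug(), which continues outside this hunk, would have returned. If the intent is to stop a trap at an unlisted address from being reported as a kernel BUG, say so at the check, e.g. `/* no bug_entry for this address: not ours to report */`. It is also worth checking whether a later `if (bug)` test in the function has become dead code.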
71400 diff -urNp linux-2.6.39.2/lib/debugobjects.c linux-2.6.39.2/lib/debugobjects.c
71401 --- linux-2.6.39.2/lib/debugobjects.c 2011-05-19 00:06:34.000000000 -0400
71402 +++ linux-2.6.39.2/lib/debugobjects.c 2011-05-22 19:36:33.000000000 -0400
71403 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
71404 if (limit > 4)
71405 return;
71406
71407 - is_on_stack = object_is_on_stack(addr);
71408 + is_on_stack = object_starts_on_stack(addr);
71409 if (is_on_stack == onstack)
71410 return;
71411
71412 diff -urNp linux-2.6.39.2/lib/dma-debug.c linux-2.6.39.2/lib/dma-debug.c
71413 --- linux-2.6.39.2/lib/dma-debug.c 2011-05-19 00:06:34.000000000 -0400
71414 +++ linux-2.6.39.2/lib/dma-debug.c 2011-05-22 19:36:33.000000000 -0400
71415 @@ -862,7 +862,7 @@ out:
71416
71417 static void check_for_stack(struct device *dev, void *addr)
71418 {
71419 - if (object_is_on_stack(addr))
71420 + if (object_starts_on_stack(addr))
71421 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71422 "stack [addr=%p]\n", addr);
71423 }
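Review bot: The message in check_for_stack() is built from two adjacent string literals with no space between them, so it prints "maps memory fromstack". The predicate rename leaves that untouched. The first literal should end with a space: `"DMA-API: device driver maps memory from "`. This is a diagnostic that people search for in logs, so it is worth fixing while the function is being edited.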
71424 diff -urNp linux-2.6.39.2/lib/inflate.c linux-2.6.39.2/lib/inflate.c
71425 --- linux-2.6.39.2/lib/inflate.c 2011-05-19 00:06:34.000000000 -0400
71426 +++ linux-2.6.39.2/lib/inflate.c 2011-05-22 19:36:33.000000000 -0400
71427 @@ -269,7 +269,7 @@ static void free(void *where)
71428 malloc_ptr = free_mem_ptr;
71429 }
71430 #else
71431 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71432 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71433 #define free(a) kfree(a)
71434 #endif
71435
71436 diff -urNp linux-2.6.39.2/lib/Kconfig.debug linux-2.6.39.2/lib/Kconfig.debug
71437 --- linux-2.6.39.2/lib/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
71438 +++ linux-2.6.39.2/lib/Kconfig.debug 2011-05-22 19:41:42.000000000 -0400
71439 @@ -1078,6 +1078,7 @@ config LATENCYTOP
71440 depends on DEBUG_KERNEL
71441 depends on STACKTRACE_SUPPORT
71442 depends on PROC_FS
71443 + depends on !GRKERNSEC_HIDESYM
71444 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
71445 select KALLSYMS
71446 select KALLSYMS_ALL
71447 diff -urNp linux-2.6.39.2/lib/kref.c linux-2.6.39.2/lib/kref.c
71448 --- linux-2.6.39.2/lib/kref.c 2011-05-19 00:06:34.000000000 -0400
71449 +++ linux-2.6.39.2/lib/kref.c 2011-05-22 19:36:33.000000000 -0400
71450 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
71451 */
71452 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71453 {
71454 - WARN_ON(release == NULL);
71455 + BUG_ON(release == NULL);
71456 WARN_ON(release == (void (*)(struct kref *))kfree);
71457
71458 if (atomic_dec_and_test(&kref->refcount)) {
71459 diff -urNp linux-2.6.39.2/lib/radix-tree.c linux-2.6.39.2/lib/radix-tree.c
71460 --- linux-2.6.39.2/lib/radix-tree.c 2011-05-19 00:06:34.000000000 -0400
71461 +++ linux-2.6.39.2/lib/radix-tree.c 2011-05-22 19:36:33.000000000 -0400
71462 @@ -80,7 +80,7 @@ struct radix_tree_preload {
71463 int nr;
71464 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71465 };
71466 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71467 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71468
71469 static inline void *ptr_to_indirect(void *ptr)
71470 {
71471 diff -urNp linux-2.6.39.2/lib/vsprintf.c linux-2.6.39.2/lib/vsprintf.c
71472 --- linux-2.6.39.2/lib/vsprintf.c 2011-05-19 00:06:34.000000000 -0400
71473 +++ linux-2.6.39.2/lib/vsprintf.c 2011-05-22 20:54:59.000000000 -0400
71474 @@ -16,6 +16,9 @@
71475 * - scnprintf and vscnprintf
71476 */
71477
71478 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71479 +#define __INCLUDED_BY_HIDESYM 1
71480 +#endif
71481 #include <stdarg.h>
71482 #include <linux/module.h>
71483 #include <linux/types.h>
71484 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
71485 char sym[KSYM_SYMBOL_LEN];
71486 if (ext == 'B')
71487 sprint_backtrace(sym, value);
71488 - else if (ext != 'f' && ext != 's')
71489 + else if (ext != 'f' && ext != 's' && ext != 'a')
71490 sprint_symbol(sym, value);
71491 else
71492 kallsyms_lookup(value, NULL, NULL, NULL, sym);
71493 @@ -797,7 +800,11 @@ char *uuid_string(char *buf, char *end,
71494 return string(buf, end, uuid, spec);
71495 }
71496
71497 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71498 +int kptr_restrict __read_mostly = 2;
71499 +#else
71500 int kptr_restrict __read_mostly;
71501 +#endif
71502
71503 /*
71504 * Show a '%p' thing. A kernel extension is that the '%p' is followed
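Review bot: The HIDESYM default of 2 for `kptr_restrict` is only an initial value. The variable stays a plain writable `int`, so any code path that can write it later can lower it again. Whether the corresponding sysctl is locked or clamped when CONFIG_GRKERNSEC_HIDESYM is enabled is not visible in this hunk and should be confirmed. A comment such as `/* HIDESYM: start at the strictest setting; runtime changes are governed by the sysctl handler */` would record the intent next to the definition.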
71505 @@ -811,6 +818,8 @@ int kptr_restrict __read_mostly;
71506 * - 'S' For symbolic direct pointers with offset
71507 * - 's' For symbolic direct pointers without offset
71508 * - 'B' For backtraced symbolic direct pointers with offset
71509 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71510 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71511 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
71512 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
71513 * - 'M' For a 6-byte MAC address, it prints the address in the
71514 @@ -855,12 +864,12 @@ char *pointer(const char *fmt, char *buf
71515 {
71516 if (!ptr && *fmt != 'K') {
71517 /*
71518 - * Print (null) with the same width as a pointer so it makes
71519 + * Print (nil) with the same width as a pointer so it makes
71520 * tabular output look nice.
71521 */
71522 if (spec.field_width == -1)
71523 spec.field_width = 2 * sizeof(void *);
71524 - return string(buf, end, "(null)", spec);
71525 + return string(buf, end, "(nil)", spec);
71526 }
71527
71528 switch (*fmt) {
71529 @@ -870,6 +879,13 @@ char *pointer(const char *fmt, char *buf
71530 /* Fallthrough */
71531 case 'S':
71532 case 's':
71533 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71534 + break;
71535 +#else
71536 + return symbol_string(buf, end, ptr, spec, *fmt);
71537 +#endif
71538 + case 'A':
71539 + case 'a':
71540 case 'B':
71541 return symbol_string(buf, end, ptr, spec, *fmt);
71542 case 'R':
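Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'S'` and `'s'` cases, and the case above that falls through into them, now leave the switch with `break`. What gets printed is then decided by the code after the switch, which lies outside this hunk. If that code formats the pointer numerically, these specifiers would emit a raw kernel address in place of a symbol name, which is unlikely to be what a symbol-hiding option intends. Please confirm the post-switch path and add a comment at the `break`, e.g. `/* HIDESYM: no symbol lookup for unapproved specifiers */`.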
71543 @@ -1632,11 +1648,11 @@ int bstr_printf(char *buf, size_t size,
71544 typeof(type) value; \
71545 if (sizeof(type) == 8) { \
71546 args = PTR_ALIGN(args, sizeof(u32)); \
71547 - *(u32 *)&value = *(u32 *)args; \
71548 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71549 + *(u32 *)&value = *(const u32 *)args; \
71550 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71551 } else { \
71552 args = PTR_ALIGN(args, sizeof(type)); \
71553 - value = *(typeof(type) *)args; \
71554 + value = *(const typeof(type) *)args; \
71555 } \
71556 args += sizeof(type); \
71557 value; \
71558 @@ -1699,7 +1715,7 @@ int bstr_printf(char *buf, size_t size,
71559 case FORMAT_TYPE_STR: {
71560 const char *str_arg = args;
71561 args += strlen(str_arg) + 1;
71562 - str = string(str, end, (char *)str_arg, spec);
71563 + str = string(str, end, str_arg, spec);
71564 break;
71565 }
71566
71567 diff -urNp linux-2.6.39.2/localversion-grsec linux-2.6.39.2/localversion-grsec
71568 --- linux-2.6.39.2/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71569 +++ linux-2.6.39.2/localversion-grsec 2011-05-22 19:41:42.000000000 -0400
71570 @@ -0,0 +1 @@
71571 +-grsec
71572 diff -urNp linux-2.6.39.2/Makefile linux-2.6.39.2/Makefile
71573 --- linux-2.6.39.2/Makefile 2011-06-25 12:55:22.000000000 -0400
71574 +++ linux-2.6.39.2/Makefile 2011-06-25 13:00:25.000000000 -0400
71575 @@ -237,8 +237,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71576
71577 HOSTCC = gcc
71578 HOSTCXX = g++
71579 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
71580 -HOSTCXXFLAGS = -O2
71581 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
71582 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
71583 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
71584
71585 # Decide whether to build built-in, modular, or both.
71586 # Normally, just do built-in.
71587 @@ -356,10 +357,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
71588 KBUILD_CPPFLAGS := -D__KERNEL__
71589
71590 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71591 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
71592 -fno-strict-aliasing -fno-common \
71593 -Werror-implicit-function-declaration \
71594 -Wno-format-security \
71595 -fno-delete-null-pointer-checks
71596 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
71597 KBUILD_AFLAGS_KERNEL :=
71598 KBUILD_CFLAGS_KERNEL :=
71599 KBUILD_AFLAGS := -D__ASSEMBLY__
71600 @@ -685,7 +688,7 @@ export mod_strip_cmd
71601
71602
71603 ifeq ($(KBUILD_EXTMOD),)
71604 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71605 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71606
71607 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71608 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71609 @@ -931,7 +934,19 @@ include/config/kernel.release: include/c
71610 # version.h and scripts_basic is processed / created.
71611
71612 # Listed in dependency order
71613 -PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3
71614 +PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3 pax-plugin
71615 +
71616 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71617 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
71618 +endif
71619 +pax-plugin:
71620 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
71621 + $(Q)$(MAKE) $(build)=tools/gcc
71622 +else
71623 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71624 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
71625 +endif
71626 +endif
71627
71628 # prepare3 is used to check if we are building in a separate output directory,
71629 # and if so do:
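Review bot: When CONFIG_PAX_MEMORY_STACKLEAK is set but the compiler cannot load plugins, the `pax-plugin` recipe only echoes a warning to stdout and the build carries on with the weaker protection. In a parallel kernel build that one line is easy to miss, so the resulting image can quietly differ from what the config promises. At minimum send it to stderr, `$(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure" >&2`, or fail the build when the option was requested. Since `-fplugin=` loads a shared object from `$(objtree)` into the compiler, the object tree also needs the same write protection as the source tree.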
71630 @@ -947,7 +962,7 @@ ifneq ($(KBUILD_SRC),)
71631 endif
71632
71633 # prepare2 creates a makefile if using a separate output directory
71634 -prepare2: prepare3 outputmakefile
71635 +prepare2: prepare3 outputmakefile pax-plugin
71636
71637 prepare1: prepare2 include/linux/version.h include/generated/utsrelease.h \
71638 include/config/auto.conf
71639 diff -urNp linux-2.6.39.2/mm/filemap.c linux-2.6.39.2/mm/filemap.c
71640 --- linux-2.6.39.2/mm/filemap.c 2011-05-19 00:06:34.000000000 -0400
71641 +++ linux-2.6.39.2/mm/filemap.c 2011-05-22 19:41:42.000000000 -0400
71642 @@ -1724,7 +1724,7 @@ int generic_file_mmap(struct file * file
71643 struct address_space *mapping = file->f_mapping;
71644
71645 if (!mapping->a_ops->readpage)
71646 - return -ENOEXEC;
71647 + return -ENODEV;
71648 file_accessed(file);
71649 vma->vm_ops = &generic_file_vm_ops;
71650 vma->vm_flags |= VM_CAN_NONLINEAR;
71651 @@ -2120,6 +2120,7 @@ inline int generic_write_checks(struct f
71652 *pos = i_size_read(inode);
71653
71654 if (limit != RLIM_INFINITY) {
71655 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71656 if (*pos >= limit) {
71657 send_sig(SIGXFSZ, current, 0);
71658 return -EFBIG;
71659 diff -urNp linux-2.6.39.2/mm/fremap.c linux-2.6.39.2/mm/fremap.c
71660 --- linux-2.6.39.2/mm/fremap.c 2011-05-19 00:06:34.000000000 -0400
71661 +++ linux-2.6.39.2/mm/fremap.c 2011-05-22 19:36:33.000000000 -0400
71662 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71663 retry:
71664 vma = find_vma(mm, start);
71665
71666 +#ifdef CONFIG_PAX_SEGMEXEC
71667 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71668 + goto out;
71669 +#endif
71670 +
71671 /*
71672 * Make sure the vma is shared, that it supports prefaulting,
71673 * and that the remapped range is valid and fully within
71674 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71675 /*
71676 * drop PG_Mlocked flag for over-mapped range
71677 */
71678 - unsigned int saved_flags = vma->vm_flags;
71679 + unsigned long saved_flags = vma->vm_flags;
71680 munlock_vma_pages_range(vma, start, start + size);
71681 vma->vm_flags = saved_flags;
71682 }
71683 diff -urNp linux-2.6.39.2/mm/highmem.c linux-2.6.39.2/mm/highmem.c
71684 --- linux-2.6.39.2/mm/highmem.c 2011-05-19 00:06:34.000000000 -0400
71685 +++ linux-2.6.39.2/mm/highmem.c 2011-05-22 19:36:33.000000000 -0400
71686 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
71687 * So no dangers, even with speculative execution.
71688 */
71689 page = pte_page(pkmap_page_table[i]);
71690 + pax_open_kernel();
71691 pte_clear(&init_mm, (unsigned long)page_address(page),
71692 &pkmap_page_table[i]);
71693 -
71694 + pax_close_kernel();
71695 set_page_address(page, NULL);
71696 need_flush = 1;
71697 }
71698 @@ -186,9 +187,11 @@ start:
71699 }
71700 }
71701 vaddr = PKMAP_ADDR(last_pkmap_nr);
71702 +
71703 + pax_open_kernel();
71704 set_pte_at(&init_mm, vaddr,
71705 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71706 -
71707 + pax_close_kernel();
71708 pkmap_count[last_pkmap_nr] = 1;
71709 set_page_address(page, (void *)vaddr);
71710
71711 diff -urNp linux-2.6.39.2/mm/huge_memory.c linux-2.6.39.2/mm/huge_memory.c
71712 --- linux-2.6.39.2/mm/huge_memory.c 2011-05-19 00:06:34.000000000 -0400
71713 +++ linux-2.6.39.2/mm/huge_memory.c 2011-05-22 19:36:33.000000000 -0400
71714 @@ -702,7 +702,7 @@ out:
71715 * run pte_offset_map on the pmd, if an huge pmd could
71716 * materialize from under us from a different thread.
71717 */
71718 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
71719 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
71720 return VM_FAULT_OOM;
71721 /* if an huge pmd materialized from under us just retry later */
71722 if (unlikely(pmd_trans_huge(*pmd)))
71723 diff -urNp linux-2.6.39.2/mm/hugetlb.c linux-2.6.39.2/mm/hugetlb.c
71724 --- linux-2.6.39.2/mm/hugetlb.c 2011-06-25 12:55:23.000000000 -0400
71725 +++ linux-2.6.39.2/mm/hugetlb.c 2011-06-25 13:00:28.000000000 -0400
71726 @@ -2331,6 +2331,27 @@ static int unmap_ref_private(struct mm_s
71727 return 1;
71728 }
71729
71730 +#ifdef CONFIG_PAX_SEGMEXEC
71731 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71732 +{
71733 + struct mm_struct *mm = vma->vm_mm;
71734 + struct vm_area_struct *vma_m;
71735 + unsigned long address_m;
71736 + pte_t *ptep_m;
71737 +
71738 + vma_m = pax_find_mirror_vma(vma);
71739 + if (!vma_m)
71740 + return;
71741 +
71742 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71743 + address_m = address + SEGMEXEC_TASK_SIZE;
71744 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71745 + get_page(page_m);
71746 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
71747 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71748 +}
71749 +#endif
71750 +
71751 /*
71752 * Hugetlb_cow() should be called with page lock of the original hugepage held.
71753 */
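Review bot: In pax_mirror_huge_pte() the result of `huge_pte_offset()` is passed to `set_huge_pte_at()` without a NULL check. The hugetlb_fault() hunk further down allocates the mirror PTE with `huge_pte_alloc()` first, so the pointer is probably always valid on the paths shown here, but nothing in this function states or enforces that. Add `BUG_ON(!ptep_m);` after the lookup, in line with the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` already there. A short comment should name the caller-side allocation it relies on.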
71754 @@ -2432,6 +2453,11 @@ retry_avoidcopy:
71755 make_huge_pte(vma, new_page, 1));
71756 page_remove_rmap(old_page);
71757 hugepage_add_new_anon_rmap(new_page, vma, address);
71758 +
71759 +#ifdef CONFIG_PAX_SEGMEXEC
71760 + pax_mirror_huge_pte(vma, address, new_page);
71761 +#endif
71762 +
71763 /* Make the old page be freed below */
71764 new_page = old_page;
71765 mmu_notifier_invalidate_range_end(mm,
71766 @@ -2583,6 +2609,10 @@ retry:
71767 && (vma->vm_flags & VM_SHARED)));
71768 set_huge_pte_at(mm, address, ptep, new_pte);
71769
71770 +#ifdef CONFIG_PAX_SEGMEXEC
71771 + pax_mirror_huge_pte(vma, address, page);
71772 +#endif
71773 +
71774 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71775 /* Optimization, do the COW without a second fault */
71776 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71777 @@ -2612,6 +2642,10 @@ int hugetlb_fault(struct mm_struct *mm,
71778 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71779 struct hstate *h = hstate_vma(vma);
71780
71781 +#ifdef CONFIG_PAX_SEGMEXEC
71782 + struct vm_area_struct *vma_m;
71783 +#endif
71784 +
71785 ptep = huge_pte_offset(mm, address);
71786 if (ptep) {
71787 entry = huge_ptep_get(ptep);
71788 @@ -2623,6 +2657,26 @@ int hugetlb_fault(struct mm_struct *mm,
71789 VM_FAULT_SET_HINDEX(h - hstates);
71790 }
71791
71792 +#ifdef CONFIG_PAX_SEGMEXEC
71793 + vma_m = pax_find_mirror_vma(vma);
71794 + if (vma_m) {
71795 + unsigned long address_m;
71796 +
71797 + if (vma->vm_start > vma_m->vm_start) {
71798 + address_m = address;
71799 + address -= SEGMEXEC_TASK_SIZE;
71800 + vma = vma_m;
71801 + h = hstate_vma(vma);
71802 + } else
71803 + address_m = address + SEGMEXEC_TASK_SIZE;
71804 +
71805 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
71806 + return VM_FAULT_OOM;
71807 + address_m &= HPAGE_MASK;
71808 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
71809 + }
71810 +#endif
71811 +
71812 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
71813 if (!ptep)
71814 return VM_FAULT_OOM;
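Review bot: The added block uses `huge_page_size(h)` for the allocation but the fixed `HPAGE_MASK` and `HPAGE_SIZE` for the unmap range. Using `huge_page_mask(h)` and `huge_page_size(h)` throughout would keep the two consistent if more than one huge page size is ever in play: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. After the branch `vma` is always the lower mapping while `address_m` lies in the upper one, so it is also worth confirming which vma `unmap_hugepage_range()` expects here and saying so in a comment. hugetlb_fault() continues outside the hunk.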
71815 diff -urNp linux-2.6.39.2/mm/Kconfig linux-2.6.39.2/mm/Kconfig
71816 --- linux-2.6.39.2/mm/Kconfig 2011-05-19 00:06:34.000000000 -0400
71817 +++ linux-2.6.39.2/mm/Kconfig 2011-05-22 19:41:42.000000000 -0400
71818 @@ -240,7 +240,7 @@ config KSM
71819 config DEFAULT_MMAP_MIN_ADDR
71820 int "Low address space to protect from user allocation"
71821 depends on MMU
71822 - default 4096
71823 + default 65536
71824 help
71825 This is the portion of low virtual memory which should be protected
71826 from userspace allocation. Keeping a user from writing to low pages
71827 diff -urNp linux-2.6.39.2/mm/kmemleak.c linux-2.6.39.2/mm/kmemleak.c
71828 --- linux-2.6.39.2/mm/kmemleak.c 2011-06-03 00:04:14.000000000 -0400
71829 +++ linux-2.6.39.2/mm/kmemleak.c 2011-06-03 00:32:08.000000000 -0400
71830 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
71831
71832 for (i = 0; i < object->trace_len; i++) {
71833 void *ptr = (void *)object->trace[i];
71834 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
71835 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
71836 }
71837 }
71838
71839 diff -urNp linux-2.6.39.2/mm/ksm.c linux-2.6.39.2/mm/ksm.c
71840 --- linux-2.6.39.2/mm/ksm.c 2011-05-19 00:06:34.000000000 -0400
71841 +++ linux-2.6.39.2/mm/ksm.c 2011-06-20 19:42:16.000000000 -0400
71842 @@ -1301,6 +1301,12 @@ static struct rmap_item *scan_get_next_r
71843 slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
71844 ksm_scan.mm_slot = slot;
71845 spin_unlock(&ksm_mmlist_lock);
71846 + /*
71847 + * Although we tested list_empty() above, a racing __ksm_exit
71848 + * of the last mm on the list may have removed it since then.
71849 + */
71850 + if (slot == &ksm_mm_head)
71851 + return NULL;
71852 next_mm:
71853 ksm_scan.address = 0;
71854 ksm_scan.rmap_list = &slot->rmap_list;
71855 diff -urNp linux-2.6.39.2/mm/maccess.c linux-2.6.39.2/mm/maccess.c
71856 --- linux-2.6.39.2/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
71857 +++ linux-2.6.39.2/mm/maccess.c 2011-05-22 19:36:33.000000000 -0400
71858 @@ -15,10 +15,10 @@
71859 * happens, handle that and return -EFAULT.
71860 */
71861
71862 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
71863 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
71864 __attribute__((alias("__probe_kernel_read")));
71865
71866 -long __probe_kernel_read(void *dst, void *src, size_t size)
71867 +long __probe_kernel_read(void *dst, const void *src, size_t size)
71868 {
71869 long ret;
71870 mm_segment_t old_fs = get_fs();
71871 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
71872 * Safely write to address @dst from the buffer at @src. If a kernel fault
71873 * happens, handle that and return -EFAULT.
71874 */
71875 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
71876 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
71877 __attribute__((alias("__probe_kernel_write")));
71878
71879 -long __probe_kernel_write(void *dst, void *src, size_t size)
71880 +long __probe_kernel_write(void *dst, const void *src, size_t size)
71881 {
71882 long ret;
71883 mm_segment_t old_fs = get_fs();
71884 diff -urNp linux-2.6.39.2/mm/madvise.c linux-2.6.39.2/mm/madvise.c
71885 --- linux-2.6.39.2/mm/madvise.c 2011-05-19 00:06:34.000000000 -0400
71886 +++ linux-2.6.39.2/mm/madvise.c 2011-05-22 19:36:33.000000000 -0400
71887 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
71888 pgoff_t pgoff;
71889 unsigned long new_flags = vma->vm_flags;
71890
71891 +#ifdef CONFIG_PAX_SEGMEXEC
71892 + struct vm_area_struct *vma_m;
71893 +#endif
71894 +
71895 switch (behavior) {
71896 case MADV_NORMAL:
71897 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71898 @@ -110,6 +114,13 @@ success:
71899 /*
71900 * vm_flags is protected by the mmap_sem held in write mode.
71901 */
71902 +
71903 +#ifdef CONFIG_PAX_SEGMEXEC
71904 + vma_m = pax_find_mirror_vma(vma);
71905 + if (vma_m)
71906 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71907 +#endif
71908 +
71909 vma->vm_flags = new_flags;
71910
71911 out:
71912 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
71913 struct vm_area_struct ** prev,
71914 unsigned long start, unsigned long end)
71915 {
71916 +
71917 +#ifdef CONFIG_PAX_SEGMEXEC
71918 + struct vm_area_struct *vma_m;
71919 +#endif
71920 +
71921 *prev = vma;
71922 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
71923 return -EINVAL;
71924 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
71925 zap_page_range(vma, start, end - start, &details);
71926 } else
71927 zap_page_range(vma, start, end - start, NULL);
71928 +
71929 +#ifdef CONFIG_PAX_SEGMEXEC
71930 + vma_m = pax_find_mirror_vma(vma);
71931 + if (vma_m) {
71932 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
71933 + struct zap_details details = {
71934 + .nonlinear_vma = vma_m,
71935 + .last_index = ULONG_MAX,
71936 + };
71937 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
71938 + } else
71939 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
71940 + }
71941 +#endif
71942 +
71943 return 0;
71944 }
71945
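Review bot: The mirror range is zapped through `vma`, not `vma_m`. Both added `zap_page_range()` calls pass `vma` together with `start + SEGMEXEC_TASK_SIZE`, although `details.nonlinear_vma` is set to `vma_m`. If zap_page_range() is expected to reach the mirror starting from the lower vma, that deserves a comment at the call; otherwise the first argument should be `vma_m`. The nonlinear test likewise reads `vma->vm_flags`, which is only right if the two vmas are guaranteed to agree on VM_NONLINEAR.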
71946 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
71947 if (end < start)
71948 goto out;
71949
71950 +#ifdef CONFIG_PAX_SEGMEXEC
71951 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71952 + if (end > SEGMEXEC_TASK_SIZE)
71953 + goto out;
71954 + } else
71955 +#endif
71956 +
71957 + if (end > TASK_SIZE)
71958 + goto out;
71959 +
71960 error = 0;
71961 if (end == start)
71962 goto out;
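Review bot: The `} else` that ends inside `#ifdef CONFIG_PAX_SEGMEXEC` takes the `if (end > TASK_SIZE)` after `#endif` as its body, with a blank line in between. That is correct in both configurations but fragile: a statement later inserted between `#endif` and that `if` would become the else-body in SEGMEXEC builds only and change which bound is enforced. A sturdier shape is a local limit that defaults to `TASK_SIZE` and is set to `SEGMEXEC_TASK_SIZE` inside the `#ifdef`, followed by one unconditional `if (end > limit) goto out;`. The declarations of this function are outside the hunk.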
71963 diff -urNp linux-2.6.39.2/mm/memory.c linux-2.6.39.2/mm/memory.c
71964 --- linux-2.6.39.2/mm/memory.c 2011-05-19 00:06:34.000000000 -0400
71965 +++ linux-2.6.39.2/mm/memory.c 2011-05-22 19:36:33.000000000 -0400
71966 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
71967 return;
71968
71969 pmd = pmd_offset(pud, start);
71970 +
71971 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
71972 pud_clear(pud);
71973 pmd_free_tlb(tlb, pmd, start);
71974 +#endif
71975 +
71976 }
71977
71978 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
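Review bot: In free_pmd_range() the `#if` starts after `pmd = pmd_offset(pud, start);`, so with CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD the variable is assigned and never used. The matching free_pud_range() hunk puts its `pud_offset()` call inside the guard. Move the `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` line above the assignment so both functions have the same shape. Neither guard says why the upper-level entry must not be cleared and freed in that configuration; the reason is not visible here, so a one-line comment stating it would help.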
71979 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
71980 if (end - 1 > ceiling - 1)
71981 return;
71982
71983 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
71984 pud = pud_offset(pgd, start);
71985 pgd_clear(pgd);
71986 pud_free_tlb(tlb, pud, start);
71987 +#endif
71988 +
71989 }
71990
71991 /*
71992 @@ -1410,12 +1417,6 @@ no_page_table:
71993 return page;
71994 }
71995
71996 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
71997 -{
71998 - return stack_guard_page_start(vma, addr) ||
71999 - stack_guard_page_end(vma, addr+PAGE_SIZE);
72000 -}
72001 -
72002 /**
72003 * __get_user_pages() - pin user pages in memory
72004 * @tsk: task_struct of target task
72005 @@ -1488,10 +1489,10 @@ int __get_user_pages(struct task_struct
72006 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
72007 i = 0;
72008
72009 - do {
72010 + while (nr_pages) {
72011 struct vm_area_struct *vma;
72012
72013 - vma = find_extend_vma(mm, start);
72014 + vma = find_vma(mm, start);
72015 if (!vma && in_gate_area(mm, start)) {
72016 unsigned long pg = start & PAGE_MASK;
72017 pgd_t *pgd;
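Review bot: The kernel-doc for __get_user_pages(), which starts outside this hunk, should say that the lookup no longer extends a stack vma. With `find_vma()` in place of `find_extend_vma()` and the `start < vma->vm_start` test added in the next hunk, an address just below a stack mapping now yields `-EFAULT` or a short count. That is a behaviour change for every caller of this exported function. A comment at the lookup, e.g. `/* no implicit stack expansion from get_user_pages */`, would make the intent explicit.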
72018 @@ -1539,7 +1540,7 @@ int __get_user_pages(struct task_struct
72019 goto next_page;
72020 }
72021
72022 - if (!vma ||
72023 + if (!vma || start < vma->vm_start ||
72024 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
72025 !(vm_flags & vma->vm_flags))
72026 return i ? : -EFAULT;
72027 @@ -1566,11 +1567,6 @@ int __get_user_pages(struct task_struct
72028 int ret;
72029 unsigned int fault_flags = 0;
72030
72031 - /* For mlock, just skip the stack guard page. */
72032 - if (foll_flags & FOLL_MLOCK) {
72033 - if (stack_guard_page(vma, start))
72034 - goto next_page;
72035 - }
72036 if (foll_flags & FOLL_WRITE)
72037 fault_flags |= FAULT_FLAG_WRITE;
72038 if (nonblocking)
72039 @@ -1644,7 +1640,7 @@ next_page:
72040 start += PAGE_SIZE;
72041 nr_pages--;
72042 } while (nr_pages && start < vma->vm_end);
72043 - } while (nr_pages);
72044 + }
72045 return i;
72046 }
72047 EXPORT_SYMBOL(__get_user_pages);
72048 @@ -1795,6 +1791,10 @@ static int insert_page(struct vm_area_st
72049 page_add_file_rmap(page);
72050 set_pte_at(mm, addr, pte, mk_pte(page, prot));
72051
72052 +#ifdef CONFIG_PAX_SEGMEXEC
72053 + pax_mirror_file_pte(vma, addr, page, ptl);
72054 +#endif
72055 +
72056 retval = 0;
72057 pte_unmap_unlock(pte, ptl);
72058 return retval;
72059 @@ -1829,10 +1829,22 @@ out:
72060 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
72061 struct page *page)
72062 {
72063 +
72064 +#ifdef CONFIG_PAX_SEGMEXEC
72065 + struct vm_area_struct *vma_m;
72066 +#endif
72067 +
72068 if (addr < vma->vm_start || addr >= vma->vm_end)
72069 return -EFAULT;
72070 if (!page_count(page))
72071 return -EINVAL;
72072 +
72073 +#ifdef CONFIG_PAX_SEGMEXEC
72074 + vma_m = pax_find_mirror_vma(vma);
72075 + if (vma_m)
72076 + vma_m->vm_flags |= VM_INSERTPAGE;
72077 +#endif
72078 +
72079 vma->vm_flags |= VM_INSERTPAGE;
72080 return insert_page(vma, addr, page, vma->vm_page_prot);
72081 }
72082 @@ -1918,6 +1930,7 @@ int vm_insert_mixed(struct vm_area_struc
72083 unsigned long pfn)
72084 {
72085 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
72086 + BUG_ON(vma->vm_mirror);
72087
72088 if (addr < vma->vm_start || addr >= vma->vm_end)
72089 return -EFAULT;
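Review bot: `BUG_ON(vma->vm_mirror)` is added without a comment and outside any `#ifdef CONFIG_PAX_SEGMEXEC`, unlike the mirror handling added to `vm_insert_page` just above. A reader cannot tell from here why a mirrored VMA must never reach `vm_insert_mixed`, and the line compiles only if `vm_mirror` exists in every configuration, which this hunk does not show. A comment naming the invariant would help, for instance `/* mixed maps are never mirrored under SEGMEXEC */` if that is indeed the rule. The same unexplained assertion appears in the `remove_vma` hunk of mm/mmap.c.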
72090 @@ -2233,6 +2246,186 @@ static inline void cow_user_page(struct
72091 copy_user_highpage(dst, src, va, vma);
72092 }
72093
72094 +#ifdef CONFIG_PAX_SEGMEXEC
72095 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
72096 +{
72097 + struct mm_struct *mm = vma->vm_mm;
72098 + spinlock_t *ptl;
72099 + pte_t *pte, entry;
72100 +
72101 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
72102 + entry = *pte;
72103 + if (!pte_present(entry)) {
72104 + if (!pte_none(entry)) {
72105 + BUG_ON(pte_file(entry));
72106 + free_swap_and_cache(pte_to_swp_entry(entry));
72107 + pte_clear_not_present_full(mm, address, pte, 0);
72108 + }
72109 + } else {
72110 + struct page *page;
72111 +
72112 + flush_cache_page(vma, address, pte_pfn(entry));
72113 + entry = ptep_clear_flush(vma, address, pte);
72114 + BUG_ON(pte_dirty(entry));
72115 + page = vm_normal_page(vma, address, entry);
72116 + if (page) {
72117 + update_hiwater_rss(mm);
72118 + if (PageAnon(page))
72119 + dec_mm_counter_fast(mm, MM_ANONPAGES);
72120 + else
72121 + dec_mm_counter_fast(mm, MM_FILEPAGES);
72122 + page_remove_rmap(page);
72123 + page_cache_release(page);
72124 + }
72125 + }
72126 + pte_unmap_unlock(pte, ptl);
72127 +}
72128 +
72129 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
72130 + *
72131 + * the ptl of the lower mapped page is held on entry and is not released on exit
72132 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
72133 + */
72134 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72135 +{
72136 + struct mm_struct *mm = vma->vm_mm;
72137 + unsigned long address_m;
72138 + spinlock_t *ptl_m;
72139 + struct vm_area_struct *vma_m;
72140 + pmd_t *pmd_m;
72141 + pte_t *pte_m, entry_m;
72142 +
72143 + BUG_ON(!page_m || !PageAnon(page_m));
72144 +
72145 + vma_m = pax_find_mirror_vma(vma);
72146 + if (!vma_m)
72147 + return;
72148 +
72149 + BUG_ON(!PageLocked(page_m));
72150 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72151 + address_m = address + SEGMEXEC_TASK_SIZE;
72152 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72153 + pte_m = pte_offset_map(pmd_m, address_m);
72154 + ptl_m = pte_lockptr(mm, pmd_m);
72155 + if (ptl != ptl_m) {
72156 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72157 + if (!pte_none(*pte_m))
72158 + goto out;
72159 + }
72160 +
72161 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72162 + page_cache_get(page_m);
72163 + page_add_anon_rmap(page_m, vma_m, address_m);
72164 + inc_mm_counter_fast(mm, MM_ANONPAGES);
72165 + set_pte_at(mm, address_m, pte_m, entry_m);
72166 + update_mmu_cache(vma_m, address_m, entry_m);
72167 +out:
72168 + if (ptl != ptl_m)
72169 + spin_unlock(ptl_m);
72170 + pte_unmap(pte_m);
72171 + unlock_page(page_m);
72172 +}
72173 +
72174 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72175 +{
72176 + struct mm_struct *mm = vma->vm_mm;
72177 + unsigned long address_m;
72178 + spinlock_t *ptl_m;
72179 + struct vm_area_struct *vma_m;
72180 + pmd_t *pmd_m;
72181 + pte_t *pte_m, entry_m;
72182 +
72183 + BUG_ON(!page_m || PageAnon(page_m));
72184 +
72185 + vma_m = pax_find_mirror_vma(vma);
72186 + if (!vma_m)
72187 + return;
72188 +
72189 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72190 + address_m = address + SEGMEXEC_TASK_SIZE;
72191 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72192 + pte_m = pte_offset_map(pmd_m, address_m);
72193 + ptl_m = pte_lockptr(mm, pmd_m);
72194 + if (ptl != ptl_m) {
72195 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72196 + if (!pte_none(*pte_m))
72197 + goto out;
72198 + }
72199 +
72200 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72201 + page_cache_get(page_m);
72202 + page_add_file_rmap(page_m);
72203 + inc_mm_counter_fast(mm, MM_FILEPAGES);
72204 + set_pte_at(mm, address_m, pte_m, entry_m);
72205 + update_mmu_cache(vma_m, address_m, entry_m);
72206 +out:
72207 + if (ptl != ptl_m)
72208 + spin_unlock(ptl_m);
72209 + pte_unmap(pte_m);
72210 +}
72211 +
72212 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
72213 +{
72214 + struct mm_struct *mm = vma->vm_mm;
72215 + unsigned long address_m;
72216 + spinlock_t *ptl_m;
72217 + struct vm_area_struct *vma_m;
72218 + pmd_t *pmd_m;
72219 + pte_t *pte_m, entry_m;
72220 +
72221 + vma_m = pax_find_mirror_vma(vma);
72222 + if (!vma_m)
72223 + return;
72224 +
72225 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72226 + address_m = address + SEGMEXEC_TASK_SIZE;
72227 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72228 + pte_m = pte_offset_map(pmd_m, address_m);
72229 + ptl_m = pte_lockptr(mm, pmd_m);
72230 + if (ptl != ptl_m) {
72231 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72232 + if (!pte_none(*pte_m))
72233 + goto out;
72234 + }
72235 +
72236 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
72237 + set_pte_at(mm, address_m, pte_m, entry_m);
72238 +out:
72239 + if (ptl != ptl_m)
72240 + spin_unlock(ptl_m);
72241 + pte_unmap(pte_m);
72242 +}
72243 +
72244 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72245 +{
72246 + struct page *page_m;
72247 + pte_t entry;
72248 +
72249 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72250 + goto out;
72251 +
72252 + entry = *pte;
72253 + page_m = vm_normal_page(vma, address, entry);
72254 + if (!page_m)
72255 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72256 + else if (PageAnon(page_m)) {
72257 + if (pax_find_mirror_vma(vma)) {
72258 + pte_unmap_unlock(pte, ptl);
72259 + lock_page(page_m);
72260 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72261 + if (pte_same(entry, *pte))
72262 + pax_mirror_anon_pte(vma, address, page_m, ptl);
72263 + else
72264 + unlock_page(page_m);
72265 + }
72266 + } else
72267 + pax_mirror_file_pte(vma, address, page_m, ptl);
72268 +
72269 +out:
72270 + pte_unmap_unlock(pte, ptl);
72271 +}
72272 +#endif
72273 +
72274 /*
72275 * This routine handles present pages, when users try to write
72276 * to a shared page. It is done by copying the page to a new address
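Review bot: In `pax_mirror_anon_pte`, `pax_mirror_file_pte` and `pax_mirror_pfn_pte` the emptiness test `if (!pte_none(*pte_m)) goto out;` sits inside `if (ptl != ptl_m)`, so when both PTEs are covered by the same lock the mirror slot is overwritten without being checked. If that is intentional, the reason belongs in a comment next to the test; if not, the test should move below the closing brace so it runs in both cases. The comment above `pax_mirror_anon_pte` also leaves out that the function calls `unlock_page(page_m)` on its normal exit but not on the early `!vma_m` return, which is the part of the contract callers most need. The three helpers share an identical prologue (mirror lookup, `address_m`, page-table walk, nested lock) that could live in one static helper.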
72277 @@ -2444,6 +2637,12 @@ gotten:
72278 */
72279 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72280 if (likely(pte_same(*page_table, orig_pte))) {
72281 +
72282 +#ifdef CONFIG_PAX_SEGMEXEC
72283 + if (pax_find_mirror_vma(vma))
72284 + BUG_ON(!trylock_page(new_page));
72285 +#endif
72286 +
72287 if (old_page) {
72288 if (!PageAnon(old_page)) {
72289 dec_mm_counter_fast(mm, MM_FILEPAGES);
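Review bot: `BUG_ON(!trylock_page(new_page))` puts the page-lock acquisition inside an assertion macro, so the one statement that changes state reads like a pure check. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the behaviour and makes the lock visible. A comment should also say that this lock appears to be the one `pax_mirror_anon_pte()` releases through its `unlock_page(page_m)`. The same construct is added in the `do_anonymous_page` and `__do_fault` hunks below. The enclosing function starts and ends outside this hunk.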
72290 @@ -2495,6 +2694,10 @@ gotten:
72291 page_remove_rmap(old_page);
72292 }
72293
72294 +#ifdef CONFIG_PAX_SEGMEXEC
72295 + pax_mirror_anon_pte(vma, address, new_page, ptl);
72296 +#endif
72297 +
72298 /* Free the old page.. */
72299 new_page = old_page;
72300 ret |= VM_FAULT_WRITE;
72301 @@ -2905,6 +3108,11 @@ static int do_swap_page(struct mm_struct
72302 swap_free(entry);
72303 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72304 try_to_free_swap(page);
72305 +
72306 +#ifdef CONFIG_PAX_SEGMEXEC
72307 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72308 +#endif
72309 +
72310 unlock_page(page);
72311 if (swapcache) {
72312 /*
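Review bot: The added `if (...)` has its controlled statement, `unlock_page(page);`, outside the `#ifdef` and separated from it by a blank line, so any statement later inserted between them silently becomes the conditional body when CONFIG_PAX_SEGMEXEC is set. Keep the `if` and its body together inside the `#ifdef` and put a plain `unlock_page(page);` in an `#else` branch. A short comment should state that the page stays locked on read faults of mirrored VMAs because `pax_mirror_anon_pte()` asserts it, which is what the helper's `BUG_ON(!PageLocked(page_m))` implies. The `do_mbind` hunk in mm/mempolicy.c uses the same pattern with `} else` directly before `#endif`.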
72313 @@ -2928,6 +3136,11 @@ static int do_swap_page(struct mm_struct
72314
72315 /* No need to invalidate - it was non-present before */
72316 update_mmu_cache(vma, address, page_table);
72317 +
72318 +#ifdef CONFIG_PAX_SEGMEXEC
72319 + pax_mirror_anon_pte(vma, address, page, ptl);
72320 +#endif
72321 +
72322 unlock:
72323 pte_unmap_unlock(page_table, ptl);
72324 out:
72325 @@ -2947,40 +3160,6 @@ out_release:
72326 }
72327
72328 /*
72329 - * This is like a special single-page "expand_{down|up}wards()",
72330 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
72331 - * doesn't hit another vma.
72332 - */
72333 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72334 -{
72335 - address &= PAGE_MASK;
72336 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72337 - struct vm_area_struct *prev = vma->vm_prev;
72338 -
72339 - /*
72340 - * Is there a mapping abutting this one below?
72341 - *
72342 - * That's only ok if it's the same stack mapping
72343 - * that has gotten split..
72344 - */
72345 - if (prev && prev->vm_end == address)
72346 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72347 -
72348 - expand_stack(vma, address - PAGE_SIZE);
72349 - }
72350 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72351 - struct vm_area_struct *next = vma->vm_next;
72352 -
72353 - /* As VM_GROWSDOWN but s/below/above/ */
72354 - if (next && next->vm_start == address + PAGE_SIZE)
72355 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72356 -
72357 - expand_upwards(vma, address + PAGE_SIZE);
72358 - }
72359 - return 0;
72360 -}
72361 -
72362 -/*
72363 * We enter with non-exclusive mmap_sem (to exclude vma changes,
72364 * but allow concurrent faults), and pte mapped but not yet locked.
72365 * We return with mmap_sem still held, but pte unmapped and unlocked.
72366 @@ -2989,27 +3168,23 @@ static int do_anonymous_page(struct mm_s
72367 unsigned long address, pte_t *page_table, pmd_t *pmd,
72368 unsigned int flags)
72369 {
72370 - struct page *page;
72371 + struct page *page = NULL;
72372 spinlock_t *ptl;
72373 pte_t entry;
72374
72375 - pte_unmap(page_table);
72376 -
72377 - /* Check if we need to add a guard page to the stack */
72378 - if (check_stack_guard_page(vma, address) < 0)
72379 - return VM_FAULT_SIGBUS;
72380 -
72381 - /* Use the zero-page for reads */
72382 if (!(flags & FAULT_FLAG_WRITE)) {
72383 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72384 vma->vm_page_prot));
72385 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72386 + ptl = pte_lockptr(mm, pmd);
72387 + spin_lock(ptl);
72388 if (!pte_none(*page_table))
72389 goto unlock;
72390 goto setpte;
72391 }
72392
72393 /* Allocate our own private page. */
72394 + pte_unmap(page_table);
72395 +
72396 if (unlikely(anon_vma_prepare(vma)))
72397 goto oom;
72398 page = alloc_zeroed_user_highpage_movable(vma, address);
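Review bot: The read path now locks with `pte_lockptr()` and `spin_lock()` on the `page_table` pointer passed in, which is only valid because the `pte_unmap(page_table)` at the top of the function was moved below this branch. Nothing says so, and the old `/* Use the zero-page for reads */` comment was dropped along the way. I would restore it as `/* Use the zero-page for reads; page_table is still mapped from the caller here */`. `page` is also initialised to NULL, presumably so the later `if (page)` guard before `pax_mirror_anon_pte()` skips the zero-page case, which deserves a word at the declaration. The function continues past the end of this hunk.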
72399 @@ -3028,6 +3203,11 @@ static int do_anonymous_page(struct mm_s
72400 if (!pte_none(*page_table))
72401 goto release;
72402
72403 +#ifdef CONFIG_PAX_SEGMEXEC
72404 + if (pax_find_mirror_vma(vma))
72405 + BUG_ON(!trylock_page(page));
72406 +#endif
72407 +
72408 inc_mm_counter_fast(mm, MM_ANONPAGES);
72409 page_add_new_anon_rmap(page, vma, address);
72410 setpte:
72411 @@ -3035,6 +3215,12 @@ setpte:
72412
72413 /* No need to invalidate - it was non-present before */
72414 update_mmu_cache(vma, address, page_table);
72415 +
72416 +#ifdef CONFIG_PAX_SEGMEXEC
72417 + if (page)
72418 + pax_mirror_anon_pte(vma, address, page, ptl);
72419 +#endif
72420 +
72421 unlock:
72422 pte_unmap_unlock(page_table, ptl);
72423 return 0;
72424 @@ -3172,6 +3358,12 @@ static int __do_fault(struct mm_struct *
72425 */
72426 /* Only go through if we didn't race with anybody else... */
72427 if (likely(pte_same(*page_table, orig_pte))) {
72428 +
72429 +#ifdef CONFIG_PAX_SEGMEXEC
72430 + if (anon && pax_find_mirror_vma(vma))
72431 + BUG_ON(!trylock_page(page));
72432 +#endif
72433 +
72434 flush_icache_page(vma, page);
72435 entry = mk_pte(page, vma->vm_page_prot);
72436 if (flags & FAULT_FLAG_WRITE)
72437 @@ -3191,6 +3383,14 @@ static int __do_fault(struct mm_struct *
72438
72439 /* no need to invalidate: a not-present page won't be cached */
72440 update_mmu_cache(vma, address, page_table);
72441 +
72442 +#ifdef CONFIG_PAX_SEGMEXEC
72443 + if (anon)
72444 + pax_mirror_anon_pte(vma, address, page, ptl);
72445 + else
72446 + pax_mirror_file_pte(vma, address, page, ptl);
72447 +#endif
72448 +
72449 } else {
72450 if (charged)
72451 mem_cgroup_uncharge_page(page);
72452 @@ -3338,6 +3538,12 @@ int handle_pte_fault(struct mm_struct *m
72453 if (flags & FAULT_FLAG_WRITE)
72454 flush_tlb_fix_spurious_fault(vma, address);
72455 }
72456 +
72457 +#ifdef CONFIG_PAX_SEGMEXEC
72458 + pax_mirror_pte(vma, address, pte, pmd, ptl);
72459 + return 0;
72460 +#endif
72461 +
72462 unlock:
72463 pte_unmap_unlock(pte, ptl);
72464 return 0;
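Review bot: The unconditional `return 0;` inside the `#ifdef` makes the fall-through into `unlock:` dead when CONFIG_PAX_SEGMEXEC is set, and nothing at the call site says that `pax_mirror_pte()` performs the `pte_unmap_unlock()` itself. A reader comparing the two exits will look for a missing unlock. A comment such as `/* pax_mirror_pte() unmaps the pte and drops ptl on every path */` would settle that. The function body starts outside this hunk.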
72465 @@ -3354,6 +3560,10 @@ int handle_mm_fault(struct mm_struct *mm
72466 pmd_t *pmd;
72467 pte_t *pte;
72468
72469 +#ifdef CONFIG_PAX_SEGMEXEC
72470 + struct vm_area_struct *vma_m;
72471 +#endif
72472 +
72473 __set_current_state(TASK_RUNNING);
72474
72475 count_vm_event(PGFAULT);
72476 @@ -3364,6 +3574,34 @@ int handle_mm_fault(struct mm_struct *mm
72477 if (unlikely(is_vm_hugetlb_page(vma)))
72478 return hugetlb_fault(mm, vma, address, flags);
72479
72480 +#ifdef CONFIG_PAX_SEGMEXEC
72481 + vma_m = pax_find_mirror_vma(vma);
72482 + if (vma_m) {
72483 + unsigned long address_m;
72484 + pgd_t *pgd_m;
72485 + pud_t *pud_m;
72486 + pmd_t *pmd_m;
72487 +
72488 + if (vma->vm_start > vma_m->vm_start) {
72489 + address_m = address;
72490 + address -= SEGMEXEC_TASK_SIZE;
72491 + vma = vma_m;
72492 + } else
72493 + address_m = address + SEGMEXEC_TASK_SIZE;
72494 +
72495 + pgd_m = pgd_offset(mm, address_m);
72496 + pud_m = pud_alloc(mm, pgd_m, address_m);
72497 + if (!pud_m)
72498 + return VM_FAULT_OOM;
72499 + pmd_m = pmd_alloc(mm, pud_m, address_m);
72500 + if (!pmd_m)
72501 + return VM_FAULT_OOM;
72502 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
72503 + return VM_FAULT_OOM;
72504 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72505 + }
72506 +#endif
72507 +
72508 pgd = pgd_offset(mm, address);
72509 pud = pud_alloc(mm, pgd, address);
72510 if (!pud)
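Review bot: When the fault hits the upper (mirror) mapping, the branch sets `vma = vma_m` but leaves `vma_m` unchanged, so from then on both variables name the lower VMA while `address_m` is the upper address. The following `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` therefore receive a VMA that does not cover the address they operate on; the helper passes that pair to `flush_cache_page`, `ptep_clear_flush` and `vm_normal_page`. This may be harmless where those callees only consult `vma->vm_mm` and the flags, but it is not visible here that they do. Exchanging the two pointers with `swap(vma, vma_m);` in place of `vma = vma_m;` would keep each VMA paired with its own address. `handle_mm_fault` starts and ends outside this hunk.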
72511 @@ -3393,7 +3631,7 @@ int handle_mm_fault(struct mm_struct *mm
72512 * run pte_offset_map on the pmd, if an huge pmd could
72513 * materialize from under us from a different thread.
72514 */
72515 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
72516 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
72517 return VM_FAULT_OOM;
72518 /* if an huge pmd materialized from under us just retry later */
72519 if (unlikely(pmd_trans_huge(*pmd)))
72520 @@ -3497,7 +3735,7 @@ static int __init gate_vma_init(void)
72521 gate_vma.vm_start = FIXADDR_USER_START;
72522 gate_vma.vm_end = FIXADDR_USER_END;
72523 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72524 - gate_vma.vm_page_prot = __P101;
72525 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72526 /*
72527 * Make sure the vDSO gets into every core dump.
72528 * Dumping its contents makes post-mortem fully interpretable later
72529 diff -urNp linux-2.6.39.2/mm/memory-failure.c linux-2.6.39.2/mm/memory-failure.c
72530 --- linux-2.6.39.2/mm/memory-failure.c 2011-05-19 00:06:34.000000000 -0400
72531 +++ linux-2.6.39.2/mm/memory-failure.c 2011-05-22 19:36:33.000000000 -0400
72532 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
72533
72534 int sysctl_memory_failure_recovery __read_mostly = 1;
72535
72536 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72537 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72538
72539 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
72540
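Review bot: The switch of `mce_bad_pages` to `atomic_long_unchecked_t` is made without a comment. As I understand the PaX convention, the `_unchecked` variants opt a counter out of the overflow detection applied to ordinary atomics. Since that is a security-relevant exemption, the declaration should say why it is safe, for example `/* statistic, not a reference count: wrap-around is harmless */`. The remaining hunks in this file only convert the matching `atomic_long_add`/`atomic_long_sub` calls.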
72541 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
72542 }
72543
72544 nr_pages = 1 << compound_trans_order(hpage);
72545 - atomic_long_add(nr_pages, &mce_bad_pages);
72546 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
72547
72548 /*
72549 * We need/can do nothing about count=0 pages.
72550 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
72551 if (!PageHWPoison(hpage)
72552 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
72553 || (p != hpage && TestSetPageHWPoison(hpage))) {
72554 - atomic_long_sub(nr_pages, &mce_bad_pages);
72555 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72556 return 0;
72557 }
72558 set_page_hwpoison_huge_page(hpage);
72559 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
72560 }
72561 if (hwpoison_filter(p)) {
72562 if (TestClearPageHWPoison(p))
72563 - atomic_long_sub(nr_pages, &mce_bad_pages);
72564 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72565 unlock_page(hpage);
72566 put_page(hpage);
72567 return 0;
72568 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
72569 return 0;
72570 }
72571 if (TestClearPageHWPoison(p))
72572 - atomic_long_sub(nr_pages, &mce_bad_pages);
72573 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72574 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
72575 return 0;
72576 }
72577 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
72578 */
72579 if (TestClearPageHWPoison(page)) {
72580 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
72581 - atomic_long_sub(nr_pages, &mce_bad_pages);
72582 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72583 freeit = 1;
72584 if (PageHuge(page))
72585 clear_page_hwpoison_huge_page(page);
72586 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
72587 }
72588 done:
72589 if (!PageHWPoison(hpage))
72590 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
72591 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
72592 set_page_hwpoison_huge_page(hpage);
72593 dequeue_hwpoisoned_huge_page(hpage);
72594 /* keep elevated page count for bad page */
72595 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
72596 return ret;
72597
72598 done:
72599 - atomic_long_add(1, &mce_bad_pages);
72600 + atomic_long_add_unchecked(1, &mce_bad_pages);
72601 SetPageHWPoison(page);
72602 /* keep elevated page count for bad page */
72603 return ret;
72604 diff -urNp linux-2.6.39.2/mm/mempolicy.c linux-2.6.39.2/mm/mempolicy.c
72605 --- linux-2.6.39.2/mm/mempolicy.c 2011-05-19 00:06:34.000000000 -0400
72606 +++ linux-2.6.39.2/mm/mempolicy.c 2011-05-22 19:41:42.000000000 -0400
72607 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
72608 unsigned long vmstart;
72609 unsigned long vmend;
72610
72611 +#ifdef CONFIG_PAX_SEGMEXEC
72612 + struct vm_area_struct *vma_m;
72613 +#endif
72614 +
72615 vma = find_vma_prev(mm, start, &prev);
72616 if (!vma || vma->vm_start > start)
72617 return -EFAULT;
72618 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
72619 err = policy_vma(vma, new_pol);
72620 if (err)
72621 goto out;
72622 +
72623 +#ifdef CONFIG_PAX_SEGMEXEC
72624 + vma_m = pax_find_mirror_vma(vma);
72625 + if (vma_m) {
72626 + err = policy_vma(vma_m, new_pol);
72627 + if (err)
72628 + goto out;
72629 + }
72630 +#endif
72631 +
72632 }
72633
72634 out:
72635 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
72636
72637 if (end < start)
72638 return -EINVAL;
72639 +
72640 +#ifdef CONFIG_PAX_SEGMEXEC
72641 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72642 + if (end > SEGMEXEC_TASK_SIZE)
72643 + return -EINVAL;
72644 + } else
72645 +#endif
72646 +
72647 + if (end > TASK_SIZE)
72648 + return -EINVAL;
72649 +
72650 if (end == start)
72651 return 0;
72652
72653 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72654 if (!mm)
72655 goto out;
72656
72657 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72658 + if (mm != current->mm &&
72659 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72660 + err = -EPERM;
72661 + goto out;
72662 + }
72663 +#endif
72664 +
72665 /*
72666 * Check if this process has the right to modify the specified
72667 * process. The right exists if the process has administrative
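Review bot: The CONFIG_GRKERNSEC_PROC_MEMMAP block is duplicated verbatim in the `move_pages` hunk of mm/migrate.c, and its flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` relies on operator precedence where a single mask would read more plainly: `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. A small shared predicate would keep the two syscalls from drifting apart. Because the block runs before the credential test, it refuses the request even for callers that hold CAP_SYS_NICE; if that is the intent, a comment should say so. The syscall body starts and ends outside this hunk.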
72668 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72669 rcu_read_lock();
72670 tcred = __task_cred(task);
72671 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72672 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72673 - !capable(CAP_SYS_NICE)) {
72674 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72675 rcu_read_unlock();
72676 err = -EPERM;
72677 goto out;
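Review bot: Dropping `cred->uid != tcred->uid` from the test narrows who may move another task's pages, but the explanatory comment that precedes it was not touched and may still describe the old four-way rule. Only the first lines of that comment are visible, as context in the previous hunk; the rest lies outside. Please update it together with the condition, for example by adding `a caller whose real uid matches only the target's real uid no longer qualifies`. The identical change in the `move_pages` hunk of mm/migrate.c needs the same treatment.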
72678 @@ -2634,7 +2666,7 @@ int show_numa_map(struct seq_file *m, vo
72679
72680 if (file) {
72681 seq_printf(m, " file=");
72682 - seq_path(m, &file->f_path, "\n\t= ");
72683 + seq_path(m, &file->f_path, "\n\t\\= ");
72684 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72685 seq_printf(m, " heap");
72686 } else if (vma->vm_start <= mm->start_stack &&
72687 diff -urNp linux-2.6.39.2/mm/migrate.c linux-2.6.39.2/mm/migrate.c
72688 --- linux-2.6.39.2/mm/migrate.c 2011-05-19 00:06:34.000000000 -0400
72689 +++ linux-2.6.39.2/mm/migrate.c 2011-05-22 19:41:42.000000000 -0400
72690 @@ -1133,6 +1133,8 @@ static int do_pages_move(struct mm_struc
72691 unsigned long chunk_start;
72692 int err;
72693
72694 + pax_track_stack();
72695 +
72696 task_nodes = cpuset_mems_allowed(task);
72697
72698 err = -ENOMEM;
72699 @@ -1317,6 +1319,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72700 if (!mm)
72701 return -EINVAL;
72702
72703 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72704 + if (mm != current->mm &&
72705 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72706 + err = -EPERM;
72707 + goto out;
72708 + }
72709 +#endif
72710 +
72711 /*
72712 * Check if this process has the right to modify the specified
72713 * process. The right exists if the process has administrative
72714 @@ -1326,8 +1336,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72715 rcu_read_lock();
72716 tcred = __task_cred(task);
72717 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72718 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72719 - !capable(CAP_SYS_NICE)) {
72720 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72721 rcu_read_unlock();
72722 err = -EPERM;
72723 goto out;
72724 diff -urNp linux-2.6.39.2/mm/mlock.c linux-2.6.39.2/mm/mlock.c
72725 --- linux-2.6.39.2/mm/mlock.c 2011-05-19 00:06:34.000000000 -0400
72726 +++ linux-2.6.39.2/mm/mlock.c 2011-05-22 19:41:42.000000000 -0400
72727 @@ -13,6 +13,7 @@
72728 #include <linux/pagemap.h>
72729 #include <linux/mempolicy.h>
72730 #include <linux/syscalls.h>
72731 +#include <linux/security.h>
72732 #include <linux/sched.h>
72733 #include <linux/module.h>
72734 #include <linux/rmap.h>
72735 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
72736 return -EINVAL;
72737 if (end == start)
72738 return 0;
72739 + if (end > TASK_SIZE)
72740 + return -EINVAL;
72741 +
72742 vma = find_vma_prev(current->mm, start, &prev);
72743 if (!vma || vma->vm_start > start)
72744 return -ENOMEM;
72745 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
72746 for (nstart = start ; ; ) {
72747 unsigned int newflags;
72748
72749 +#ifdef CONFIG_PAX_SEGMEXEC
72750 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72751 + break;
72752 +#endif
72753 +
72754 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72755
72756 newflags = vma->vm_flags | VM_LOCKED;
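Review bot: The added `break` leaves the loop as soon as a VMA starts at or above SEGMEXEC_TASK_SIZE, before any of the loop's work has run for it, and what the function then returns is decided by code outside this hunk. If the very first VMA is already above the boundary, nothing in the visible lines has assigned a result yet. `do_mbind` in mm/mempolicy.c rejects such ranges up front with -EINVAL against SEGMEXEC_TASK_SIZE, while the range check added to `do_mlock` in the previous hunk compares only against TASK_SIZE. Using the same two-way bound here would make the `break` unnecessary and the result explicit. The loop body continues past the end of the hunk.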
72757 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72758 lock_limit >>= PAGE_SHIFT;
72759
72760 /* check against resource limits */
72761 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72762 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72763 error = do_mlock(start, len, 1);
72764 up_write(&current->mm->mmap_sem);
72765 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72766 static int do_mlockall(int flags)
72767 {
72768 struct vm_area_struct * vma, * prev = NULL;
72769 - unsigned int def_flags = 0;
72770
72771 if (flags & MCL_FUTURE)
72772 - def_flags = VM_LOCKED;
72773 - current->mm->def_flags = def_flags;
72774 + current->mm->def_flags |= VM_LOCKED;
72775 + else
72776 + current->mm->def_flags &= ~VM_LOCKED;
72777 if (flags == MCL_FUTURE)
72778 goto out;
72779
72780 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72781 - unsigned int newflags;
72782 + unsigned long newflags;
72783 +
72784 +#ifdef CONFIG_PAX_SEGMEXEC
72785 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72786 + break;
72787 +#endif
72788
72789 + BUG_ON(vma->vm_end > TASK_SIZE);
72790 newflags = vma->vm_flags | VM_LOCKED;
72791 if (!(flags & MCL_CURRENT))
72792 newflags &= ~VM_LOCKED;
72793 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
72794 lock_limit >>= PAGE_SHIFT;
72795
72796 ret = -ENOMEM;
72797 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
72798 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72799 capable(CAP_IPC_LOCK))
72800 ret = do_mlockall(flags);
72801 diff -urNp linux-2.6.39.2/mm/mmap.c linux-2.6.39.2/mm/mmap.c
72802 --- linux-2.6.39.2/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
72803 +++ linux-2.6.39.2/mm/mmap.c 2011-05-22 19:41:42.000000000 -0400
72804 @@ -46,6 +46,16 @@
72805 #define arch_rebalance_pgtables(addr, len) (addr)
72806 #endif
72807
72808 +static inline void verify_mm_writelocked(struct mm_struct *mm)
72809 +{
72810 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72811 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72812 + up_read(&mm->mmap_sem);
72813 + BUG();
72814 + }
72815 +#endif
72816 +}
72817 +
72818 static void unmap_region(struct mm_struct *mm,
72819 struct vm_area_struct *vma, struct vm_area_struct *prev,
72820 unsigned long start, unsigned long end);
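Review bot: `verify_mm_writelocked()` has no comment, and its check is weaker than the name suggests: a failed `down_read_trylock()` shows at most that a writer is holding or contending for `mmap_sem`, not that the current task holds it. A header comment should state this, e.g. `/* BUG if mmap_sem can be read-locked, i.e. no writer holds it; ownership is not checked */`. With neither CONFIG_DEBUG_VM nor CONFIG_PAX set the function body is empty, which is also worth stating.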
72821 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
72822 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72823 *
72824 */
72825 -pgprot_t protection_map[16] = {
72826 +pgprot_t protection_map[16] __read_only = {
72827 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72828 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72829 };
72830
72831 pgprot_t vm_get_page_prot(unsigned long vm_flags)
72832 {
72833 - return __pgprot(pgprot_val(protection_map[vm_flags &
72834 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
72835 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
72836 pgprot_val(arch_vm_get_page_prot(vm_flags)));
72837 +
72838 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72839 + if (!(__supported_pte_mask & _PAGE_NX) &&
72840 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72841 + (vm_flags & (VM_READ | VM_WRITE)))
72842 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72843 +#endif
72844 +
72845 + return prot;
72846 }
72847 EXPORT_SYMBOL(vm_get_page_prot);
72848
72849 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
72850 int sysctl_overcommit_ratio = 50; /* default is 50% */
72851 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
72852 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
72853 struct percpu_counter vm_committed_as;
72854
72855 /*
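Review bot: The three-part condition added to `vm_get_page_prot` is uncommented, and it is the line that decides whether a mapping gets `pte_exprotect()` applied on 32-bit x86. A comment spelling out the case would help, e.g. `/* no hardware NX: PAGEEXEC mapping that is readable or writable but not VM_EXEC */`. `sysctl_heap_stack_gap` is likewise introduced with the bare value `64*1024` and no unit or purpose comment, next to overcommit variables that do carry one.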
72856 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
72857 struct vm_area_struct *next = vma->vm_next;
72858
72859 might_sleep();
72860 + BUG_ON(vma->vm_mirror);
72861 if (vma->vm_ops && vma->vm_ops->close)
72862 vma->vm_ops->close(vma);
72863 if (vma->vm_file) {
72864 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
72865 * not page aligned -Ram Gupta
72866 */
72867 rlim = rlimit(RLIMIT_DATA);
72868 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
72869 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
72870 (mm->end_data - mm->start_data) > rlim)
72871 goto out;
72872 @@ -719,6 +741,12 @@ static int
72873 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72874 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72875 {
72876 +
72877 +#ifdef CONFIG_PAX_SEGMEXEC
72878 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72879 + return 0;
72880 +#endif
72881 +
72882 if (is_mergeable_vma(vma, file, vm_flags) &&
72883 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72884 if (vma->vm_pgoff == vm_pgoff)
72885 @@ -738,6 +766,12 @@ static int
72886 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72887 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72888 {
72889 +
72890 +#ifdef CONFIG_PAX_SEGMEXEC
72891 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72892 + return 0;
72893 +#endif
72894 +
72895 if (is_mergeable_vma(vma, file, vm_flags) &&
72896 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72897 pgoff_t vm_pglen;
72898 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
72899 struct vm_area_struct *vma_merge(struct mm_struct *mm,
72900 struct vm_area_struct *prev, unsigned long addr,
72901 unsigned long end, unsigned long vm_flags,
72902 - struct anon_vma *anon_vma, struct file *file,
72903 + struct anon_vma *anon_vma, struct file *file,
72904 pgoff_t pgoff, struct mempolicy *policy)
72905 {
72906 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72907 struct vm_area_struct *area, *next;
72908 int err;
72909
72910 +#ifdef CONFIG_PAX_SEGMEXEC
72911 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72912 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72913 +
72914 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72915 +#endif
72916 +
72917 /*
72918 * We later require that vma->vm_flags == vm_flags,
72919 * so this tests vma->vm_flags & VM_SPECIAL, too.
72920 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
72921 if (next && next->vm_end == end) /* cases 6, 7, 8 */
72922 next = next->vm_next;
72923
72924 +#ifdef CONFIG_PAX_SEGMEXEC
72925 + if (prev)
72926 + prev_m = pax_find_mirror_vma(prev);
72927 + if (area)
72928 + area_m = pax_find_mirror_vma(area);
72929 + if (next)
72930 + next_m = pax_find_mirror_vma(next);
72931 +#endif
72932 +
72933 /*
72934 * Can it merge with the predecessor?
72935 */
72936 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
72937 /* cases 1, 6 */
72938 err = vma_adjust(prev, prev->vm_start,
72939 next->vm_end, prev->vm_pgoff, NULL);
72940 - } else /* cases 2, 5, 7 */
72941 +
72942 +#ifdef CONFIG_PAX_SEGMEXEC
72943 + if (!err && prev_m)
72944 + err = vma_adjust(prev_m, prev_m->vm_start,
72945 + next_m->vm_end, prev_m->vm_pgoff, NULL);
72946 +#endif
72947 +
72948 + } else { /* cases 2, 5, 7 */
72949 err = vma_adjust(prev, prev->vm_start,
72950 end, prev->vm_pgoff, NULL);
72951 +
72952 +#ifdef CONFIG_PAX_SEGMEXEC
72953 + if (!err && prev_m)
72954 + err = vma_adjust(prev_m, prev_m->vm_start,
72955 + end_m, prev_m->vm_pgoff, NULL);
72956 +#endif
72957 +
72958 + }
72959 if (err)
72960 return NULL;
72961 khugepaged_enter_vma_merge(prev);
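Review bot: In the cases 1/6 branch the mirror adjustment is guarded by `prev_m` alone but dereferences `next_m->vm_end`; `next_m` is initialised to NULL and only set when `pax_find_mirror_vma(next)` finds a mirror. The code therefore assumes that mergeable neighbours are either all mirrored or none are, which is plausible but not enforced here. I would make the assumption explicit with `BUG_ON(prev_m && !next_m);` before the call, or test both pointers. The cases 3/8 branch in the next hunk does the same with `area_m` and `next_m->vm_end` / `next_m->vm_pgoff`. A failure of the second `vma_adjust` also returns NULL after the primary VMA has already been adjusted, and the function body lies mostly outside this hunk.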
72962 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
72963 mpol_equal(policy, vma_policy(next)) &&
72964 can_vma_merge_before(next, vm_flags,
72965 anon_vma, file, pgoff+pglen)) {
72966 - if (prev && addr < prev->vm_end) /* case 4 */
72967 + if (prev && addr < prev->vm_end) { /* case 4 */
72968 err = vma_adjust(prev, prev->vm_start,
72969 addr, prev->vm_pgoff, NULL);
72970 - else /* cases 3, 8 */
72971 +
72972 +#ifdef CONFIG_PAX_SEGMEXEC
72973 + if (!err && prev_m)
72974 + err = vma_adjust(prev_m, prev_m->vm_start,
72975 + addr_m, prev_m->vm_pgoff, NULL);
72976 +#endif
72977 +
72978 + } else { /* cases 3, 8 */
72979 err = vma_adjust(area, addr, next->vm_end,
72980 next->vm_pgoff - pglen, NULL);
72981 +
72982 +#ifdef CONFIG_PAX_SEGMEXEC
72983 + if (!err && area_m)
72984 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
72985 + next_m->vm_pgoff - pglen, NULL);
72986 +#endif
72987 +
72988 + }
72989 if (err)
72990 return NULL;
72991 khugepaged_enter_vma_merge(area);
72992 @@ -958,14 +1038,11 @@ none:
72993 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72994 struct file *file, long pages)
72995 {
72996 - const unsigned long stack_flags
72997 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72998 -
72999 if (file) {
73000 mm->shared_vm += pages;
73001 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
73002 mm->exec_vm += pages;
73003 - } else if (flags & stack_flags)
73004 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
73005 mm->stack_vm += pages;
73006 if (flags & (VM_RESERVED|VM_IO))
73007 mm->reserved_vm += pages;
73008 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
73009 * (the exception is when the underlying filesystem is noexec
73010 * mounted, in which case we dont add PROT_EXEC.)
73011 */
73012 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73013 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73014 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
73015 prot |= PROT_EXEC;
73016
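Review bot: The widened test `(prot & (PROT_READ | PROT_WRITE))` makes write-only requests executable as well when READ_IMPLIES_EXEC is set in the personality, and nothing in the visible part of the comment above records that. Since this increases the set of mappings that end up with PROT_EXEC for legacy-personality tasks, the comment should state the rule, for example `* With READ_IMPLIES_EXEC, PROT_READ or PROT_WRITE implies PROT_EXEC`. The comment's opening lines and the rest of do_mmap_pgoff() are outside the hunk.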
73017 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
73018 /* Obtain the address to map to. we verify (or select) it and ensure
73019 * that it represents a valid section of the address space.
73020 */
73021 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
73022 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
73023 if (addr & ~PAGE_MASK)
73024 return addr;
73025
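Review bot: `MAP_EXECUTABLE` is reused on this line as an in-kernel marker for "the request carries PROT_EXEC", but the bit is OR-ed into whatever `flags` already holds, so `get_unmapped_area()` cannot tell a derived bit from one a caller passed in itself. If the callee uses it to choose where executable mappings are placed (not visible in this hunk), the two cases would be treated alike. A comment at the call makes the contract explicit, e.g. `/* MAP_EXECUTABLE here only tells the address picker that the mapping is executable */`.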
73026 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
73027 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
73028 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
73029
73030 +#ifdef CONFIG_PAX_MPROTECT
73031 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73032 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73033 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
73034 + gr_log_rwxmmap(file);
73035 +
73036 +#ifdef CONFIG_PAX_EMUPLT
73037 + vm_flags &= ~VM_EXEC;
73038 +#else
73039 + return -EPERM;
73040 +#endif
73041 +
73042 + }
73043 +
73044 + if (!(vm_flags & VM_EXEC))
73045 + vm_flags &= ~VM_MAYEXEC;
73046 +#else
73047 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73048 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73049 +#endif
73050 + else
73051 + vm_flags &= ~VM_MAYWRITE;
73052 + }
73053 +#endif
73054 +
73055 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73056 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
73057 + vm_flags &= ~VM_PAGEEXEC;
73058 +#endif
73059 +
73060 if (flags & MAP_LOCKED)
73061 if (!can_do_mlock())
73062 return -EPERM;
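Review bot: The `else` that clears VM_MAYWRITE sits after the inner `#endif`, so it pairs with `if (!(vm_flags & VM_EXEC))` when CONFIG_PAX_MPROTECT_COMPAT is off and with `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` when it is on. Both pairings look intended, but the reader has to expand the preprocessor by hand to see which W^X rule applies, and an edit inside one branch can silently re-bind the `else`. Repeating `else vm_flags &= ~VM_MAYWRITE;` inside each branch, with braces, keeps the two policies self-contained. The COMPAT branch also strips VM_EXEC from a writable and executable request without the `gr_log_rwxmmap(file)` call the other branch makes, so that downgrade leaves no audit record.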
73063 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
73064 locked += mm->locked_vm;
73065 lock_limit = rlimit(RLIMIT_MEMLOCK);
73066 lock_limit >>= PAGE_SHIFT;
73067 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73068 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73069 return -EAGAIN;
73070 }
73071 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
73072 if (error)
73073 return error;
73074
73075 + if (!gr_acl_handle_mmap(file, prot))
73076 + return -EACCES;
73077 +
73078 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
73079 }
73080 EXPORT_SYMBOL(do_mmap_pgoff);
73081 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
73082 */
73083 int vma_wants_writenotify(struct vm_area_struct *vma)
73084 {
73085 - unsigned int vm_flags = vma->vm_flags;
73086 + unsigned long vm_flags = vma->vm_flags;
73087
73088 /* If it was private or non-writable, the write bit is already clear */
73089 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
73090 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
73091 return 0;
73092
73093 /* The backer wishes to know when pages are first written to? */
73094 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
73095 unsigned long charged = 0;
73096 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
73097
73098 +#ifdef CONFIG_PAX_SEGMEXEC
73099 + struct vm_area_struct *vma_m = NULL;
73100 +#endif
73101 +
73102 + /*
73103 + * mm->mmap_sem is required to protect against another thread
73104 + * changing the mappings in case we sleep.
73105 + */
73106 + verify_mm_writelocked(mm);
73107 +
73108 /* Clear old maps */
73109 error = -ENOMEM;
73110 -munmap_back:
73111 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73112 if (vma && vma->vm_start < addr + len) {
73113 if (do_munmap(mm, addr, len))
73114 return -ENOMEM;
73115 - goto munmap_back;
73116 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73117 + BUG_ON(vma && vma->vm_start < addr + len);
73118 }
73119
73120 /* Check against address space limit. */
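Review bot: After a successful `do_munmap()` the range is looked up once more and any remaining overlap is now a `BUG_ON`, replacing the old retry loop with a hard stop in the mmap path. That is sound only while mmap_sem stays held for writing across both calls, and `verify_mm_writelocked()`, going by the definition this patch removes further down the file, checks that only under CONFIG_DEBUG_VM. A comment on the assertion would document why the loop is gone, e.g. `/* do_munmap() succeeded under mmap_sem held for write: nothing may overlap [addr, addr+len) */`. The do_brk() hunk below makes the same change.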
73121 @@ -1295,6 +1416,16 @@ munmap_back:
73122 goto unacct_error;
73123 }
73124
73125 +#ifdef CONFIG_PAX_SEGMEXEC
73126 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
73127 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73128 + if (!vma_m) {
73129 + error = -ENOMEM;
73130 + goto free_vma;
73131 + }
73132 + }
73133 +#endif
73134 +
73135 vma->vm_mm = mm;
73136 vma->vm_start = addr;
73137 vma->vm_end = addr + len;
73138 @@ -1318,6 +1449,19 @@ munmap_back:
73139 error = file->f_op->mmap(file, vma);
73140 if (error)
73141 goto unmap_and_free_vma;
73142 +
73143 +#ifdef CONFIG_PAX_SEGMEXEC
73144 + if (vma_m && (vm_flags & VM_EXECUTABLE))
73145 + added_exe_file_vma(mm);
73146 +#endif
73147 +
73148 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73149 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
73150 + vma->vm_flags |= VM_PAGEEXEC;
73151 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73152 + }
73153 +#endif
73154 +
73155 if (vm_flags & VM_EXECUTABLE)
73156 added_exe_file_vma(mm);
73157
73158 @@ -1353,6 +1497,11 @@ munmap_back:
73159 vma_link(mm, vma, prev, rb_link, rb_parent);
73160 file = vma->vm_file;
73161
73162 +#ifdef CONFIG_PAX_SEGMEXEC
73163 + if (vma_m)
73164 + BUG_ON(pax_mirror_vma(vma_m, vma));
73165 +#endif
73166 +
73167 /* Once vma denies write, undo our temporary denial count */
73168 if (correct_wcount)
73169 atomic_inc(&inode->i_writecount);
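Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns an out-of-memory condition into a kernel BUG: the definition of `pax_mirror_vma()` later in this patch returns -ENOMEM when `anon_vma_clone()` fails. `vma` has already been linked by `vma_link()` here, so a plain error return would need to undo that link; doing the fallible clone before `vma_link()` and only the infallible linking of the mirror afterwards would let the failure unwind through `free_vma`. The insert_vm_struct() hunk further down uses the same `BUG_ON(pax_mirror_vma(vma_m, vma))`. mmap_region() starts and ends outside the hunk.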
73170 @@ -1361,6 +1510,7 @@ out:
73171
73172 mm->total_vm += len >> PAGE_SHIFT;
73173 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
73174 + track_exec_limit(mm, addr, addr + len, vm_flags);
73175 if (vm_flags & VM_LOCKED) {
73176 if (!mlock_vma_pages_range(vma, addr, addr + len))
73177 mm->locked_vm += (len >> PAGE_SHIFT);
73178 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
73179 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
73180 charged = 0;
73181 free_vma:
73182 +
73183 +#ifdef CONFIG_PAX_SEGMEXEC
73184 + if (vma_m)
73185 + kmem_cache_free(vm_area_cachep, vma_m);
73186 +#endif
73187 +
73188 kmem_cache_free(vm_area_cachep, vma);
73189 unacct_error:
73190 if (charged)
73191 @@ -1385,6 +1541,44 @@ unacct_error:
73192 return error;
73193 }
73194
73195 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
73196 +{
73197 + if (!vma) {
73198 +#ifdef CONFIG_STACK_GROWSUP
73199 + if (addr > sysctl_heap_stack_gap)
73200 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
73201 + else
73202 + vma = find_vma(current->mm, 0);
73203 + if (vma && (vma->vm_flags & VM_GROWSUP))
73204 + return false;
73205 +#endif
73206 + return true;
73207 + }
73208 +
73209 + if (addr + len > vma->vm_start)
73210 + return false;
73211 +
73212 + if (vma->vm_flags & VM_GROWSDOWN)
73213 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
73214 +#ifdef CONFIG_STACK_GROWSUP
73215 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
73216 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
73217 +#endif
73218 +
73219 + return true;
73220 +}
73221 +
73222 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
73223 +{
73224 + if (vma->vm_start < len)
73225 + return -ENOMEM;
73226 + if (!(vma->vm_flags & VM_GROWSDOWN))
73227 + return vma->vm_start - len;
73228 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
73229 + return vma->vm_start - len - sysctl_heap_stack_gap;
73230 + return -ENOMEM;
73231 +}
73232 +
73233 /* Get an address range which is currently unmapped.
73234 * For shmat() with addr=0.
73235 *
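Review bot: In `check_heap_stack_gap()` the CONFIG_STACK_GROWSUP branch looks inverted: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts an address that lies within the gap above an upward-growing stack and rejects one that is further away, the opposite of the VM_GROWSDOWN test two lines earlier. If the intent is to keep at least `sysctl_heap_stack_gap` bytes clear on both sides, it should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new helpers would also benefit from a short header comment stating that `true` means the range may be used, and that `skip_heap_stack_gap()` returns `-ENOMEM` as an unsigned long for callers to test with `IS_ERR_VALUE()`.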
73236 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
73237 if (flags & MAP_FIXED)
73238 return addr;
73239
73240 +#ifdef CONFIG_PAX_RANDMMAP
73241 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73242 +#endif
73243 +
73244 if (addr) {
73245 addr = PAGE_ALIGN(addr);
73246 - vma = find_vma(mm, addr);
73247 - if (TASK_SIZE - len >= addr &&
73248 - (!vma || addr + len <= vma->vm_start))
73249 - return addr;
73250 + if (TASK_SIZE - len >= addr) {
73251 + vma = find_vma(mm, addr);
73252 + if (check_heap_stack_gap(vma, addr, len))
73253 + return addr;
73254 + }
73255 }
73256 if (len > mm->cached_hole_size) {
73257 - start_addr = addr = mm->free_area_cache;
73258 + start_addr = addr = mm->free_area_cache;
73259 } else {
73260 - start_addr = addr = TASK_UNMAPPED_BASE;
73261 - mm->cached_hole_size = 0;
73262 + start_addr = addr = mm->mmap_base;
73263 + mm->cached_hole_size = 0;
73264 }
73265
73266 full_search:
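Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` guard is emitted inside `#ifdef CONFIG_PAX_RANDMMAP` with no body of its own and is separated by a blank line from the `if (addr) {` it governs, so it reads like a stray statement. Its effect, ignoring the caller's address hint when RANDMMAP is active, is security-relevant and is lost if a statement is ever inserted between the two lines. A comment on the guard such as `/* with RANDMMAP the address hint is ignored; this if governs the if (addr) block below */` would protect it. The arch_get_unmapped_area_topdown() hunk below repeats the pattern with a comment line sitting between the guard and the `if`.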
73267 @@ -1433,34 +1632,40 @@ full_search:
73268 * Start a new search - just in case we missed
73269 * some holes.
73270 */
73271 - if (start_addr != TASK_UNMAPPED_BASE) {
73272 - addr = TASK_UNMAPPED_BASE;
73273 - start_addr = addr;
73274 + if (start_addr != mm->mmap_base) {
73275 + start_addr = addr = mm->mmap_base;
73276 mm->cached_hole_size = 0;
73277 goto full_search;
73278 }
73279 return -ENOMEM;
73280 }
73281 - if (!vma || addr + len <= vma->vm_start) {
73282 - /*
73283 - * Remember the place where we stopped the search:
73284 - */
73285 - mm->free_area_cache = addr + len;
73286 - return addr;
73287 - }
73288 + if (check_heap_stack_gap(vma, addr, len))
73289 + break;
73290 if (addr + mm->cached_hole_size < vma->vm_start)
73291 mm->cached_hole_size = vma->vm_start - addr;
73292 addr = vma->vm_end;
73293 }
73294 +
73295 + /*
73296 + * Remember the place where we stopped the search:
73297 + */
73298 + mm->free_area_cache = addr + len;
73299 + return addr;
73300 }
73301 #endif
73302
73303 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73304 {
73305 +
73306 +#ifdef CONFIG_PAX_SEGMEXEC
73307 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73308 + return;
73309 +#endif
73310 +
73311 /*
73312 * Is this a new hole at the lowest possible address?
73313 */
73314 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73315 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73316 mm->free_area_cache = addr;
73317 mm->cached_hole_size = ~0UL;
73318 }
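Review bot: When `check_heap_stack_gap()` returns false the search loop goes on to read `vma->vm_start`, but under CONFIG_STACK_GROWSUP that helper can return false for a NULL `vma` (it looks up a neighbour of its own and rejects if that one is VM_GROWSUP), which would make `addr + mm->cached_hole_size < vma->vm_start` a NULL dereference. The removed code tested `!vma` in the caller, so the dereference was always safe. Whether an architecture with upward-growing stacks reaches this generic function is not visible here; a fail-closed guard after the check, `if (!vma) return -ENOMEM;`, would cover it. The same sequence follows `check_heap_stack_gap(vma, addr, len)` in arch_get_unmapped_area_topdown(), and the loop header is outside this hunk.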
73319 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
73320 {
73321 struct vm_area_struct *vma;
73322 struct mm_struct *mm = current->mm;
73323 - unsigned long addr = addr0;
73324 + unsigned long base = mm->mmap_base, addr = addr0;
73325
73326 /* requested length too big for entire address space */
73327 if (len > TASK_SIZE)
73328 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
73329 if (flags & MAP_FIXED)
73330 return addr;
73331
73332 +#ifdef CONFIG_PAX_RANDMMAP
73333 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73334 +#endif
73335 +
73336 /* requesting a specific address */
73337 if (addr) {
73338 addr = PAGE_ALIGN(addr);
73339 - vma = find_vma(mm, addr);
73340 - if (TASK_SIZE - len >= addr &&
73341 - (!vma || addr + len <= vma->vm_start))
73342 - return addr;
73343 + if (TASK_SIZE - len >= addr) {
73344 + vma = find_vma(mm, addr);
73345 + if (check_heap_stack_gap(vma, addr, len))
73346 + return addr;
73347 + }
73348 }
73349
73350 /* check if free_area_cache is useful for us */
73351 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
73352 /* make sure it can fit in the remaining address space */
73353 if (addr > len) {
73354 vma = find_vma(mm, addr-len);
73355 - if (!vma || addr <= vma->vm_start)
73356 + if (check_heap_stack_gap(vma, addr - len, len))
73357 /* remember the address as a hint for next time */
73358 return (mm->free_area_cache = addr-len);
73359 }
73360 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
73361 * return with success:
73362 */
73363 vma = find_vma(mm, addr);
73364 - if (!vma || addr+len <= vma->vm_start)
73365 + if (check_heap_stack_gap(vma, addr, len))
73366 /* remember the address as a hint for next time */
73367 return (mm->free_area_cache = addr);
73368
73369 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
73370 mm->cached_hole_size = vma->vm_start - addr;
73371
73372 /* try just below the current vma->vm_start */
73373 - addr = vma->vm_start-len;
73374 - } while (len < vma->vm_start);
73375 + addr = skip_heap_stack_gap(vma, len);
73376 + } while (!IS_ERR_VALUE(addr));
73377
73378 bottomup:
73379 /*
73380 @@ -1544,13 +1754,21 @@ bottomup:
73381 * can happen with large stack limits and large mmap()
73382 * allocations.
73383 */
73384 + mm->mmap_base = TASK_UNMAPPED_BASE;
73385 +
73386 +#ifdef CONFIG_PAX_RANDMMAP
73387 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73388 + mm->mmap_base += mm->delta_mmap;
73389 +#endif
73390 +
73391 + mm->free_area_cache = mm->mmap_base;
73392 mm->cached_hole_size = ~0UL;
73393 - mm->free_area_cache = TASK_UNMAPPED_BASE;
73394 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73395 /*
73396 * Restore the topdown base:
73397 */
73398 - mm->free_area_cache = mm->mmap_base;
73399 + mm->mmap_base = base;
73400 + mm->free_area_cache = base;
73401 mm->cached_hole_size = ~0UL;
73402
73403 return addr;
73404 @@ -1559,6 +1777,12 @@ bottomup:
73405
73406 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73407 {
73408 +
73409 +#ifdef CONFIG_PAX_SEGMEXEC
73410 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73411 + return;
73412 +#endif
73413 +
73414 /*
73415 * Is this a new hole at the highest possible address?
73416 */
73417 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
73418 mm->free_area_cache = addr;
73419
73420 /* dont allow allocations above current base */
73421 - if (mm->free_area_cache > mm->mmap_base)
73422 + if (mm->free_area_cache > mm->mmap_base) {
73423 mm->free_area_cache = mm->mmap_base;
73424 + mm->cached_hole_size = ~0UL;
73425 + }
73426 }
73427
73428 unsigned long
73429 @@ -1675,6 +1901,28 @@ out:
73430 return prev ? prev->vm_next : vma;
73431 }
73432
73433 +#ifdef CONFIG_PAX_SEGMEXEC
73434 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73435 +{
73436 + struct vm_area_struct *vma_m;
73437 +
73438 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73439 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73440 + BUG_ON(vma->vm_mirror);
73441 + return NULL;
73442 + }
73443 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73444 + vma_m = vma->vm_mirror;
73445 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73446 + BUG_ON(vma->vm_file != vma_m->vm_file);
73447 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73448 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
73449 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
73450 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73451 + return vma_m;
73452 +}
73453 +#endif
73454 +
73455 /*
73456 * Verify that the stack growth is acceptable and
73457 * update accounting. This is shared with both the
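Review bot: The anon_vma assertion in `pax_find_mirror_vma()` dereferences `->root` on both sides whenever the two pointers differ, so a pair in which only one side has an anon_vma would fault on NULL inside the `BUG_ON` instead of reporting the assertion. expand_downwards(), whose visible comment says the anon_vma is allocated first, calls this function afterwards, which looks like one way to reach that state if the mirror was created before the primary had an anon_vma. It would help to decide whether a one-sided NULL is legal and test it explicitly before comparing roots. A header comment would also be useful, e.g. `/* Returns the SEGMEXEC mirror of vma, or NULL if vma is not mirrored; asserts the pairing invariants. */`.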
73458 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
73459 return -ENOMEM;
73460
73461 /* Stack limit test */
73462 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
73463 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
73464 return -ENOMEM;
73465
73466 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
73467 locked = mm->locked_vm + grow;
73468 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
73469 limit >>= PAGE_SHIFT;
73470 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73471 if (locked > limit && !capable(CAP_IPC_LOCK))
73472 return -ENOMEM;
73473 }
73474 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
73475 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73476 * vma is the last one with address > vma->vm_end. Have to extend vma.
73477 */
73478 +#ifndef CONFIG_IA64
73479 +static
73480 +#endif
73481 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73482 {
73483 int error;
73484 + bool locknext;
73485
73486 if (!(vma->vm_flags & VM_GROWSUP))
73487 return -EFAULT;
73488
73489 + /* Also guard against wrapping around to address 0. */
73490 + if (address < PAGE_ALIGN(address+1))
73491 + address = PAGE_ALIGN(address+1);
73492 + else
73493 + return -ENOMEM;
73494 +
73495 /*
73496 * We must make sure the anon_vma is allocated
73497 * so that the anon_vma locking is not a noop.
73498 */
73499 if (unlikely(anon_vma_prepare(vma)))
73500 return -ENOMEM;
73501 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73502 + if (locknext && anon_vma_prepare(vma->vm_next))
73503 + return -ENOMEM;
73504 vma_lock_anon_vma(vma);
73505 + if (locknext)
73506 + vma_lock_anon_vma(vma->vm_next);
73507
73508 /*
73509 * vma->vm_start/vm_end cannot change under us because the caller
73510 * is required to hold the mmap_sem in read mode. We need the
73511 - * anon_vma lock to serialize against concurrent expand_stacks.
73512 - * Also guard against wrapping around to address 0.
73513 + * anon_vma locks to serialize against concurrent expand_stacks
73514 + * and expand_upwards.
73515 */
73516 - if (address < PAGE_ALIGN(address+4))
73517 - address = PAGE_ALIGN(address+4);
73518 - else {
73519 - vma_unlock_anon_vma(vma);
73520 - return -ENOMEM;
73521 - }
73522 error = 0;
73523
73524 /* Somebody else might have raced and expanded it already */
73525 - if (address > vma->vm_end) {
73526 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73527 + error = -ENOMEM;
73528 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73529 unsigned long size, grow;
73530
73531 size = address - vma->vm_start;
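Review bot: The new heap/stack gap test was placed directly under the existing comment `/* Somebody else might have raced and expanded it already */`, which now describes the `else if` rather than the line beneath it. The test computes `vma->vm_next->vm_start - address` in unsigned arithmetic, so an `address` beyond the next vma's start wraps to a large value and passes the gap check; that may be unreachable given how callers choose `address`, which is not visible here. A comment of its own would state both the intent and the assumption, e.g. `/* keep sysctl_heap_stack_gap clear below an accessible next vma; assumes address <= vm_next->vm_start */`. The matching test in the expand_downwards() hunk, `address - prev->vm_end < sysctl_heap_stack_gap`, has the same shape.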
73532 @@ -1776,6 +2037,8 @@ int expand_upwards(struct vm_area_struct
73533 }
73534 }
73535 }
73536 + if (locknext)
73537 + vma_unlock_anon_vma(vma->vm_next);
73538 vma_unlock_anon_vma(vma);
73539 khugepaged_enter_vma_merge(vma);
73540 return error;
73541 @@ -1789,6 +2052,8 @@ static int expand_downwards(struct vm_ar
73542 unsigned long address)
73543 {
73544 int error;
73545 + bool lockprev = false;
73546 + struct vm_area_struct *prev;
73547
73548 /*
73549 * We must make sure the anon_vma is allocated
73550 @@ -1802,6 +2067,15 @@ static int expand_downwards(struct vm_ar
73551 if (error)
73552 return error;
73553
73554 + prev = vma->vm_prev;
73555 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73556 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73557 +#endif
73558 + if (lockprev && anon_vma_prepare(prev))
73559 + return -ENOMEM;
73560 + if (lockprev)
73561 + vma_lock_anon_vma(prev);
73562 +
73563 vma_lock_anon_vma(vma);
73564
73565 /*
73566 @@ -1811,9 +2085,17 @@ static int expand_downwards(struct vm_ar
73567 */
73568
73569 /* Somebody else might have raced and expanded it already */
73570 - if (address < vma->vm_start) {
73571 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73572 + error = -ENOMEM;
73573 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73574 unsigned long size, grow;
73575
73576 +#ifdef CONFIG_PAX_SEGMEXEC
73577 + struct vm_area_struct *vma_m;
73578 +
73579 + vma_m = pax_find_mirror_vma(vma);
73580 +#endif
73581 +
73582 size = vma->vm_end - address;
73583 grow = (vma->vm_start - address) >> PAGE_SHIFT;
73584
73585 @@ -1823,11 +2105,22 @@ static int expand_downwards(struct vm_ar
73586 if (!error) {
73587 vma->vm_start = address;
73588 vma->vm_pgoff -= grow;
73589 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73590 +
73591 +#ifdef CONFIG_PAX_SEGMEXEC
73592 + if (vma_m) {
73593 + vma_m->vm_start -= grow << PAGE_SHIFT;
73594 + vma_m->vm_pgoff -= grow;
73595 + }
73596 +#endif
73597 +
73598 perf_event_mmap(vma);
73599 }
73600 }
73601 }
73602 vma_unlock_anon_vma(vma);
73603 + if (lockprev)
73604 + vma_unlock_anon_vma(prev);
73605 khugepaged_enter_vma_merge(vma);
73606 return error;
73607 }
73608 @@ -1902,6 +2195,13 @@ static void remove_vma_list(struct mm_st
73609 do {
73610 long nrpages = vma_pages(vma);
73611
73612 +#ifdef CONFIG_PAX_SEGMEXEC
73613 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73614 + vma = remove_vma(vma);
73615 + continue;
73616 + }
73617 +#endif
73618 +
73619 mm->total_vm -= nrpages;
73620 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73621 vma = remove_vma(vma);
73622 @@ -1947,6 +2247,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73623 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73624 vma->vm_prev = NULL;
73625 do {
73626 +
73627 +#ifdef CONFIG_PAX_SEGMEXEC
73628 + if (vma->vm_mirror) {
73629 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73630 + vma->vm_mirror->vm_mirror = NULL;
73631 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
73632 + vma->vm_mirror = NULL;
73633 + }
73634 +#endif
73635 +
73636 rb_erase(&vma->vm_rb, &mm->mm_rb);
73637 mm->map_count--;
73638 tail_vma = vma;
73639 @@ -1975,14 +2285,33 @@ static int __split_vma(struct mm_struct
73640 struct vm_area_struct *new;
73641 int err = -ENOMEM;
73642
73643 +#ifdef CONFIG_PAX_SEGMEXEC
73644 + struct vm_area_struct *vma_m, *new_m = NULL;
73645 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73646 +#endif
73647 +
73648 if (is_vm_hugetlb_page(vma) && (addr &
73649 ~(huge_page_mask(hstate_vma(vma)))))
73650 return -EINVAL;
73651
73652 +#ifdef CONFIG_PAX_SEGMEXEC
73653 + vma_m = pax_find_mirror_vma(vma);
73654 +#endif
73655 +
73656 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73657 if (!new)
73658 goto out_err;
73659
73660 +#ifdef CONFIG_PAX_SEGMEXEC
73661 + if (vma_m) {
73662 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73663 + if (!new_m) {
73664 + kmem_cache_free(vm_area_cachep, new);
73665 + goto out_err;
73666 + }
73667 + }
73668 +#endif
73669 +
73670 /* most fields are the same, copy all, and then fixup */
73671 *new = *vma;
73672
73673 @@ -1995,6 +2324,22 @@ static int __split_vma(struct mm_struct
73674 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73675 }
73676
73677 +#ifdef CONFIG_PAX_SEGMEXEC
73678 + if (vma_m) {
73679 + *new_m = *vma_m;
73680 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
73681 + new_m->vm_mirror = new;
73682 + new->vm_mirror = new_m;
73683 +
73684 + if (new_below)
73685 + new_m->vm_end = addr_m;
73686 + else {
73687 + new_m->vm_start = addr_m;
73688 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73689 + }
73690 + }
73691 +#endif
73692 +
73693 pol = mpol_dup(vma_policy(vma));
73694 if (IS_ERR(pol)) {
73695 err = PTR_ERR(pol);
73696 @@ -2020,6 +2365,42 @@ static int __split_vma(struct mm_struct
73697 else
73698 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73699
73700 +#ifdef CONFIG_PAX_SEGMEXEC
73701 + if (!err && vma_m) {
73702 + if (anon_vma_clone(new_m, vma_m))
73703 + goto out_free_mpol;
73704 +
73705 + mpol_get(pol);
73706 + vma_set_policy(new_m, pol);
73707 +
73708 + if (new_m->vm_file) {
73709 + get_file(new_m->vm_file);
73710 + if (vma_m->vm_flags & VM_EXECUTABLE)
73711 + added_exe_file_vma(mm);
73712 + }
73713 +
73714 + if (new_m->vm_ops && new_m->vm_ops->open)
73715 + new_m->vm_ops->open(new_m);
73716 +
73717 + if (new_below)
73718 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73719 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73720 + else
73721 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73722 +
73723 + if (err) {
73724 + if (new_m->vm_ops && new_m->vm_ops->close)
73725 + new_m->vm_ops->close(new_m);
73726 + if (new_m->vm_file) {
73727 + if (vma_m->vm_flags & VM_EXECUTABLE)
73728 + removed_exe_file_vma(mm);
73729 + fput(new_m->vm_file);
73730 + }
73731 + mpol_put(pol);
73732 + }
73733 + }
73734 +#endif
73735 +
73736 /* Success. */
73737 if (!err)
73738 return 0;
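Review bot: Both failure paths of the SEGMEXEC block run after the primary split has already succeeded, and both end in cleanup that frees `new`. `goto out_free_mpol` on `anon_vma_clone(new_m, vma_m)` failure leaves `err` at 0, so going by the labels in the next hunk the function frees `new`, which the preceding `vma_adjust()` was just given to insert, and then returns success. A failing mirror `vma_adjust()` does set `err` but reaches the same `kmem_cache_free(vm_area_cachep, new)`. At minimum the clone failure needs `err = -ENOMEM;` before the jump; avoiding the free of an inserted vma means moving the fallible mirror setup ahead of the primary `vma_adjust()`. __split_vma() starts and ends outside this hunk.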
73739 @@ -2032,10 +2413,18 @@ static int __split_vma(struct mm_struct
73740 removed_exe_file_vma(mm);
73741 fput(new->vm_file);
73742 }
73743 - unlink_anon_vmas(new);
73744 out_free_mpol:
73745 mpol_put(pol);
73746 out_free_vma:
73747 +
73748 +#ifdef CONFIG_PAX_SEGMEXEC
73749 + if (new_m) {
73750 + unlink_anon_vmas(new_m);
73751 + kmem_cache_free(vm_area_cachep, new_m);
73752 + }
73753 +#endif
73754 +
73755 + unlink_anon_vmas(new);
73756 kmem_cache_free(vm_area_cachep, new);
73757 out_err:
73758 return err;
73759 @@ -2048,6 +2437,15 @@ static int __split_vma(struct mm_struct
73760 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
73761 unsigned long addr, int new_below)
73762 {
73763 +
73764 +#ifdef CONFIG_PAX_SEGMEXEC
73765 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73766 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
73767 + if (mm->map_count >= sysctl_max_map_count-1)
73768 + return -ENOMEM;
73769 + } else
73770 +#endif
73771 +
73772 if (mm->map_count >= sysctl_max_map_count)
73773 return -ENOMEM;
73774
73775 @@ -2059,11 +2457,30 @@ int split_vma(struct mm_struct *mm, stru
73776 * work. This now handles partial unmappings.
73777 * Jeremy Fitzhardinge <jeremy@goop.org>
73778 */
73779 +#ifdef CONFIG_PAX_SEGMEXEC
73780 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73781 +{
73782 + int ret = __do_munmap(mm, start, len);
73783 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73784 + return ret;
73785 +
73786 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73787 +}
73788 +
73789 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73790 +#else
73791 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73792 +#endif
73793 {
73794 unsigned long end;
73795 struct vm_area_struct *vma, *prev, *last;
73796
73797 + /*
73798 + * mm->mmap_sem is required to protect against another thread
73799 + * changing the mappings in case we sleep.
73800 + */
73801 + verify_mm_writelocked(mm);
73802 +
73803 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73804 return -EINVAL;
73805
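Review bot: The SEGMEXEC `do_munmap()` wrapper unmaps the primary range and then the mirror range as two separate `__do_munmap()` calls, so a failure of the second call is returned to the caller after the primary range is already gone. The mirror call passes `start + SEGMEXEC_TASK_SIZE` with only the TASK_SIZE check inside `__do_munmap()` behind it; the munmap syscall hunk below rejects `addr > SEGMEXEC_TASK_SIZE-len` first, but in-kernel callers such as mmap_region() reach the wrapper directly. A comment on the wrapper would record the contract, e.g. `/* callers keep [start, start+len) below SEGMEXEC_TASK_SIZE; the mirror range is unmapped second and may fail after the primary is gone */`.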
73806 @@ -2137,6 +2554,8 @@ int do_munmap(struct mm_struct *mm, unsi
73807 /* Fix up all other VM information */
73808 remove_vma_list(mm, vma);
73809
73810 + track_exec_limit(mm, start, end, 0UL);
73811 +
73812 return 0;
73813 }
73814
73815 @@ -2149,22 +2568,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
73816
73817 profile_munmap(addr);
73818
73819 +#ifdef CONFIG_PAX_SEGMEXEC
73820 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73821 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73822 + return -EINVAL;
73823 +#endif
73824 +
73825 down_write(&mm->mmap_sem);
73826 ret = do_munmap(mm, addr, len);
73827 up_write(&mm->mmap_sem);
73828 return ret;
73829 }
73830
73831 -static inline void verify_mm_writelocked(struct mm_struct *mm)
73832 -{
73833 -#ifdef CONFIG_DEBUG_VM
73834 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73835 - WARN_ON(1);
73836 - up_read(&mm->mmap_sem);
73837 - }
73838 -#endif
73839 -}
73840 -
73841 /*
73842 * this is really a simplified "do_mmap". it only handles
73843 * anonymous maps. eventually we may be able to do some
73844 @@ -2178,6 +2593,7 @@ unsigned long do_brk(unsigned long addr,
73845 struct rb_node ** rb_link, * rb_parent;
73846 pgoff_t pgoff = addr >> PAGE_SHIFT;
73847 int error;
73848 + unsigned long charged;
73849
73850 len = PAGE_ALIGN(len);
73851 if (!len)
73852 @@ -2189,16 +2605,30 @@ unsigned long do_brk(unsigned long addr,
73853
73854 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73855
73856 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73857 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73858 + flags &= ~VM_EXEC;
73859 +
73860 +#ifdef CONFIG_PAX_MPROTECT
73861 + if (mm->pax_flags & MF_PAX_MPROTECT)
73862 + flags &= ~VM_MAYEXEC;
73863 +#endif
73864 +
73865 + }
73866 +#endif
73867 +
73868 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
73869 if (error & ~PAGE_MASK)
73870 return error;
73871
73872 + charged = len >> PAGE_SHIFT;
73873 +
73874 /*
73875 * mlock MCL_FUTURE?
73876 */
73877 if (mm->def_flags & VM_LOCKED) {
73878 unsigned long locked, lock_limit;
73879 - locked = len >> PAGE_SHIFT;
73880 + locked = charged;
73881 locked += mm->locked_vm;
73882 lock_limit = rlimit(RLIMIT_MEMLOCK);
73883 lock_limit >>= PAGE_SHIFT;
73884 @@ -2215,22 +2645,22 @@ unsigned long do_brk(unsigned long addr,
73885 /*
73886 * Clear old maps. this also does some error checking for us
73887 */
73888 - munmap_back:
73889 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73890 if (vma && vma->vm_start < addr + len) {
73891 if (do_munmap(mm, addr, len))
73892 return -ENOMEM;
73893 - goto munmap_back;
73894 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73895 + BUG_ON(vma && vma->vm_start < addr + len);
73896 }
73897
73898 /* Check against address space limits *after* clearing old maps... */
73899 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73900 + if (!may_expand_vm(mm, charged))
73901 return -ENOMEM;
73902
73903 if (mm->map_count > sysctl_max_map_count)
73904 return -ENOMEM;
73905
73906 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
73907 + if (security_vm_enough_memory(charged))
73908 return -ENOMEM;
73909
73910 /* Can we just expand an old private anonymous mapping? */
73911 @@ -2244,7 +2674,7 @@ unsigned long do_brk(unsigned long addr,
73912 */
73913 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73914 if (!vma) {
73915 - vm_unacct_memory(len >> PAGE_SHIFT);
73916 + vm_unacct_memory(charged);
73917 return -ENOMEM;
73918 }
73919
73920 @@ -2258,11 +2688,12 @@ unsigned long do_brk(unsigned long addr,
73921 vma_link(mm, vma, prev, rb_link, rb_parent);
73922 out:
73923 perf_event_mmap(vma);
73924 - mm->total_vm += len >> PAGE_SHIFT;
73925 + mm->total_vm += charged;
73926 if (flags & VM_LOCKED) {
73927 if (!mlock_vma_pages_range(vma, addr, addr + len))
73928 - mm->locked_vm += (len >> PAGE_SHIFT);
73929 + mm->locked_vm += charged;
73930 }
73931 + track_exec_limit(mm, addr, addr + len, flags);
73932 return addr;
73933 }
73934
73935 @@ -2309,8 +2740,10 @@ void exit_mmap(struct mm_struct *mm)
73936 * Walk the list again, actually closing and freeing it,
73937 * with preemption enabled, without holding any MM locks.
73938 */
73939 - while (vma)
73940 + while (vma) {
73941 + vma->vm_mirror = NULL;
73942 vma = remove_vma(vma);
73943 + }
73944
73945 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73946 }
73947 @@ -2324,6 +2757,13 @@ int insert_vm_struct(struct mm_struct *
73948 struct vm_area_struct * __vma, * prev;
73949 struct rb_node ** rb_link, * rb_parent;
73950
73951 +#ifdef CONFIG_PAX_SEGMEXEC
73952 + struct vm_area_struct *vma_m = NULL;
73953 +#endif
73954 +
73955 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
73956 + return -EPERM;
73957 +
73958 /*
73959 * The vm_pgoff of a purely anonymous vma should be irrelevant
73960 * until its first write fault, when page's anon_vma and index
73961 @@ -2346,7 +2786,22 @@ int insert_vm_struct(struct mm_struct *
73962 if ((vma->vm_flags & VM_ACCOUNT) &&
73963 security_vm_enough_memory_mm(mm, vma_pages(vma)))
73964 return -ENOMEM;
73965 +
73966 +#ifdef CONFIG_PAX_SEGMEXEC
73967 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73968 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73969 + if (!vma_m)
73970 + return -ENOMEM;
73971 + }
73972 +#endif
73973 +
73974 vma_link(mm, vma, prev, rb_link, rb_parent);
73975 +
73976 +#ifdef CONFIG_PAX_SEGMEXEC
73977 + if (vma_m)
73978 + BUG_ON(pax_mirror_vma(vma_m, vma));
73979 +#endif
73980 +
73981 return 0;
73982 }
73983
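Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns a recoverable failure into a kernel BUG, because pax_mirror_vma (added later in this file) returns -ENOMEM when anon_vma_clone fails. Under memory pressure this path would crash instead of returning an error, and the call's side effects are hidden inside an assertion macro. The earlier `return -ENOMEM` for a failed vma_m allocation also sits after security_vm_enough_memory_mm has succeeded, and nothing visible here gives that charge back for a VM_ACCOUNT vma; allocating vma_m before the accounting check would avoid that. The start of insert_vm_struct is outside this hunk.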
73984 @@ -2364,6 +2819,8 @@ struct vm_area_struct *copy_vma(struct v
73985 struct rb_node **rb_link, *rb_parent;
73986 struct mempolicy *pol;
73987
73988 + BUG_ON(vma->vm_mirror);
73989 +
73990 /*
73991 * If anonymous vma has not yet been faulted, update new pgoff
73992 * to match new location, to increase its chance of merging.
73993 @@ -2413,6 +2870,39 @@ struct vm_area_struct *copy_vma(struct v
73994 kmem_cache_free(vm_area_cachep, new_vma);
73995 return NULL;
73996 }
73997 +
73998 +#ifdef CONFIG_PAX_SEGMEXEC
73999 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
74000 +{
74001 + struct vm_area_struct *prev_m;
74002 + struct rb_node **rb_link_m, *rb_parent_m;
74003 + struct mempolicy *pol_m;
74004 +
74005 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
74006 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
74007 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
74008 + *vma_m = *vma;
74009 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
74010 + if (anon_vma_clone(vma_m, vma))
74011 + return -ENOMEM;
74012 + pol_m = vma_policy(vma_m);
74013 + mpol_get(pol_m);
74014 + vma_set_policy(vma_m, pol_m);
74015 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
74016 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
74017 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
74018 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
74019 + if (vma_m->vm_file)
74020 + get_file(vma_m->vm_file);
74021 + if (vma_m->vm_ops && vma_m->vm_ops->open)
74022 + vma_m->vm_ops->open(vma_m);
74023 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
74024 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
74025 + vma_m->vm_mirror = vma;
74026 + vma->vm_mirror = vma_m;
74027 + return 0;
74028 +}
74029 +#endif
74030
74031 /*
74032 * Return true if the calling process may expand its vm space by the passed
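Review bot: pax_mirror_vma has no comment saying who owns vma_m when it fails, and its one error path (`return -ENOMEM` after anon_vma_clone) leaves vma_m allocated and already overwritten by `*vma_m = *vma`. The SEGMEXEC block added to mprotect_fixup in mm/mprotect.c jumps to `fail` on that error without freeing vma_m in the visible lines, so the object looks leaked unless the label, which is outside that hunk, releases it. I would add a header comment such as `/* Links vma_m as the SEGMEXEC mirror of vma; on failure the caller still owns vma_m and must free it. */` and have callers run `kmem_cache_free(vm_area_cachep, vma_m);` on error. The return type is `long` although only 0 or -ENOMEM is returned and mprotect_fixup stores it in an `int error`.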
74033 @@ -2424,7 +2914,7 @@ int may_expand_vm(struct mm_struct *mm,
74034 unsigned long lim;
74035
74036 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
74037 -
74038 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
74039 if (cur + npages > lim)
74040 return 0;
74041 return 1;
74042 @@ -2495,6 +2985,22 @@ int install_special_mapping(struct mm_st
74043 vma->vm_start = addr;
74044 vma->vm_end = addr + len;
74045
74046 +#ifdef CONFIG_PAX_MPROTECT
74047 + if (mm->pax_flags & MF_PAX_MPROTECT) {
74048 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
74049 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
74050 + return -EPERM;
74051 + if (!(vm_flags & VM_EXEC))
74052 + vm_flags &= ~VM_MAYEXEC;
74053 +#else
74054 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74055 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74056 +#endif
74057 + else
74058 + vm_flags &= ~VM_MAYWRITE;
74059 + }
74060 +#endif
74061 +
74062 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
74063 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74064
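Review bot: The new `return -EPERM` for a writable-and-executable request exits after `vma` has already been filled in (`vma->vm_start = addr` just above), so the vma appears to be leaked on this path. Its allocation is outside the hunk, so check how the function's other error exits release it; if they free it, this branch needs `kmem_cache_free(vm_area_cachep, vma);` before returning or a jump to the shared cleanup. The `else` that follows `#endif` also binds to a different `if` in each preprocessor branch, which is easy to misread; braces on both arms would make the pairing explicit.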
74065 diff -urNp linux-2.6.39.2/mm/mprotect.c linux-2.6.39.2/mm/mprotect.c
74066 --- linux-2.6.39.2/mm/mprotect.c 2011-05-19 00:06:34.000000000 -0400
74067 +++ linux-2.6.39.2/mm/mprotect.c 2011-05-22 19:41:42.000000000 -0400
74068 @@ -23,10 +23,16 @@
74069 #include <linux/mmu_notifier.h>
74070 #include <linux/migrate.h>
74071 #include <linux/perf_event.h>
74072 +
74073 +#ifdef CONFIG_PAX_MPROTECT
74074 +#include <linux/elf.h>
74075 +#endif
74076 +
74077 #include <asm/uaccess.h>
74078 #include <asm/pgtable.h>
74079 #include <asm/cacheflush.h>
74080 #include <asm/tlbflush.h>
74081 +#include <asm/mmu_context.h>
74082
74083 #ifndef pgprot_modify
74084 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
74085 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
74086 flush_tlb_range(vma, start, end);
74087 }
74088
74089 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74090 +/* called while holding the mmap semaphor for writing except stack expansion */
74091 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
74092 +{
74093 + unsigned long oldlimit, newlimit = 0UL;
74094 +
74095 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
74096 + return;
74097 +
74098 + spin_lock(&mm->page_table_lock);
74099 + oldlimit = mm->context.user_cs_limit;
74100 + if ((prot & VM_EXEC) && oldlimit < end)
74101 + /* USER_CS limit moved up */
74102 + newlimit = end;
74103 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
74104 + /* USER_CS limit moved down */
74105 + newlimit = start;
74106 +
74107 + if (newlimit) {
74108 + mm->context.user_cs_limit = newlimit;
74109 +
74110 +#ifdef CONFIG_SMP
74111 + wmb();
74112 + cpus_clear(mm->context.cpu_user_cs_mask);
74113 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
74114 +#endif
74115 +
74116 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
74117 + }
74118 + spin_unlock(&mm->page_table_lock);
74119 + if (newlimit == end) {
74120 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
74121 +
74122 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
74123 + if (is_vm_hugetlb_page(vma))
74124 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
74125 + else
74126 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
74127 + }
74128 +}
74129 +#endif
74130 +
74131 int
74132 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
74133 unsigned long start, unsigned long end, unsigned long newflags)
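Review bot: In track_exec_limit, `newlimit` serves both as the new limit and as the "nothing changed" flag, so a downward move with `start == 0` (`newlimit = start`) is skipped by `if (newlimit)` and user_cs_limit keeps its old, higher value. Whether a range starting at address 0 can reach this code is not visible here, so either a comment stating that it cannot, or a separate `bool changed`, would settle the question. The multi-line `for` body at the end would also be safer with braces around the `if`/`else`.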
74134 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
74135 int error;
74136 int dirty_accountable = 0;
74137
74138 +#ifdef CONFIG_PAX_SEGMEXEC
74139 + struct vm_area_struct *vma_m = NULL;
74140 + unsigned long start_m, end_m;
74141 +
74142 + start_m = start + SEGMEXEC_TASK_SIZE;
74143 + end_m = end + SEGMEXEC_TASK_SIZE;
74144 +#endif
74145 +
74146 if (newflags == oldflags) {
74147 *pprev = vma;
74148 return 0;
74149 }
74150
74151 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
74152 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
74153 +
74154 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
74155 + return -ENOMEM;
74156 +
74157 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
74158 + return -ENOMEM;
74159 + }
74160 +
74161 /*
74162 * If we make a private mapping writable we increase our commit;
74163 * but (without finer accounting) cannot reduce our commit if we
74164 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
74165 }
74166 }
74167
74168 +#ifdef CONFIG_PAX_SEGMEXEC
74169 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
74170 + if (start != vma->vm_start) {
74171 + error = split_vma(mm, vma, start, 1);
74172 + if (error)
74173 + goto fail;
74174 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
74175 + *pprev = (*pprev)->vm_next;
74176 + }
74177 +
74178 + if (end != vma->vm_end) {
74179 + error = split_vma(mm, vma, end, 0);
74180 + if (error)
74181 + goto fail;
74182 + }
74183 +
74184 + if (pax_find_mirror_vma(vma)) {
74185 + error = __do_munmap(mm, start_m, end_m - start_m);
74186 + if (error)
74187 + goto fail;
74188 + } else {
74189 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74190 + if (!vma_m) {
74191 + error = -ENOMEM;
74192 + goto fail;
74193 + }
74194 + vma->vm_flags = newflags;
74195 + error = pax_mirror_vma(vma_m, vma);
74196 + if (error) {
74197 + vma->vm_flags = oldflags;
74198 + goto fail;
74199 + }
74200 + }
74201 + }
74202 +#endif
74203 +
74204 /*
74205 * First try to merge with previous and/or next vma.
74206 */
74207 @@ -204,9 +306,21 @@ success:
74208 * vm_flags and vm_page_prot are protected by the mmap_sem
74209 * held in write mode.
74210 */
74211 +
74212 +#ifdef CONFIG_PAX_SEGMEXEC
74213 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
74214 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
74215 +#endif
74216 +
74217 vma->vm_flags = newflags;
74218 +
74219 +#ifdef CONFIG_PAX_MPROTECT
74220 + if (mm->binfmt && mm->binfmt->handle_mprotect)
74221 + mm->binfmt->handle_mprotect(vma, newflags);
74222 +#endif
74223 +
74224 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
74225 - vm_get_page_prot(newflags));
74226 + vm_get_page_prot(vma->vm_flags));
74227
74228 if (vma_wants_writenotify(vma)) {
74229 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
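Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the helper's result unchecked, whereas the SEGMEXEC block earlier in mprotect_fixup tests the same call for NULL. The code presumably relies on every VM_EXEC vma under MF_PAX_SEGMEXEC having a mirror by this point; that invariant deserves a comment such as `/* an executable SEGMEXEC vma always has a mirror here */` or an explicit check on a local variable. Separately, the hunk switches pgprot_modify to `vm_get_page_prot(vma->vm_flags)` after handle_mprotect runs, but the unchanged vma_wants_writenotify branch still computes from `newflags`, so the two paths can disagree if the handler alters the protection bits. The function starts and ends outside this hunk.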
74230 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74231 end = start + len;
74232 if (end <= start)
74233 return -ENOMEM;
74234 +
74235 +#ifdef CONFIG_PAX_SEGMEXEC
74236 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74237 + if (end > SEGMEXEC_TASK_SIZE)
74238 + return -EINVAL;
74239 + } else
74240 +#endif
74241 +
74242 + if (end > TASK_SIZE)
74243 + return -EINVAL;
74244 +
74245 if (!arch_validate_prot(prot))
74246 return -EINVAL;
74247
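Review bot: The bounds check added here closes the `#ifdef CONFIG_PAX_SEGMEXEC` block with a bare `} else`, so the `if (end > TASK_SIZE)` after `#endif` and a blank line is the else-branch when the option is on and a standalone statement when it is off. Any statement later inserted between the two changes behaviour in only one configuration. The mremap.c hunks on this page handle the same limit with a local variable, and that shape would fit here as well; the declaration belongs with the function's other locals, which are outside the hunk.

```c
	unsigned long task_size = TASK_SIZE;	/* with the other locals */

	/* … unchanged: end = start + len and the wrap check … */
#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_size)
		return -EINVAL;
```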
74248 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74249 /*
74250 * Does the application expect PROT_READ to imply PROT_EXEC:
74251 */
74252 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74253 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74254 prot |= PROT_EXEC;
74255
74256 vm_flags = calc_vm_prot_bits(prot);
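Review bot: The comment kept above the changed condition still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the test now also fires for `PROT_WRITE`, so a write-only request gains `PROT_EXEC` under READ_IMPLIES_EXEC. The comment should describe the new condition and give the reason for widening it, for example `/* READ_IMPLIES_EXEC: PROT_WRITE is treated like PROT_READ here */` followed by the rationale. Without it the next reader is likely to take the extra flag for a mistake.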
74257 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74258 if (start > vma->vm_start)
74259 prev = vma;
74260
74261 +#ifdef CONFIG_PAX_MPROTECT
74262 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
74263 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
74264 +#endif
74265 +
74266 for (nstart = start ; ; ) {
74267 unsigned long newflags;
74268
74269 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74270
74271 /* newflags >> 4 shift VM_MAY% in place of VM_% */
74272 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74273 + if (prot & (PROT_WRITE | PROT_EXEC))
74274 + gr_log_rwxmprotect(vma->vm_file);
74275 +
74276 + error = -EACCES;
74277 + goto out;
74278 + }
74279 +
74280 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74281 error = -EACCES;
74282 goto out;
74283 }
74284 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74285 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74286 if (error)
74287 goto out;
74288 +
74289 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
74290 +
74291 nstart = tmp;
74292
74293 if (nstart < prev->vm_end)
74294 diff -urNp linux-2.6.39.2/mm/mremap.c linux-2.6.39.2/mm/mremap.c
74295 --- linux-2.6.39.2/mm/mremap.c 2011-05-19 00:06:34.000000000 -0400
74296 +++ linux-2.6.39.2/mm/mremap.c 2011-05-22 19:36:33.000000000 -0400
74297 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
74298 continue;
74299 pte = ptep_clear_flush(vma, old_addr, old_pte);
74300 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74301 +
74302 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74303 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74304 + pte = pte_exprotect(pte);
74305 +#endif
74306 +
74307 set_pte_at(mm, new_addr, new_pte, pte);
74308 }
74309
74310 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
74311 if (is_vm_hugetlb_page(vma))
74312 goto Einval;
74313
74314 +#ifdef CONFIG_PAX_SEGMEXEC
74315 + if (pax_find_mirror_vma(vma))
74316 + goto Einval;
74317 +#endif
74318 +
74319 /* We can't remap across vm area boundaries */
74320 if (old_len > vma->vm_end - addr)
74321 goto Efault;
74322 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
74323 unsigned long ret = -EINVAL;
74324 unsigned long charged = 0;
74325 unsigned long map_flags;
74326 + unsigned long pax_task_size = TASK_SIZE;
74327
74328 if (new_addr & ~PAGE_MASK)
74329 goto out;
74330
74331 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74332 +#ifdef CONFIG_PAX_SEGMEXEC
74333 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74334 + pax_task_size = SEGMEXEC_TASK_SIZE;
74335 +#endif
74336 +
74337 + pax_task_size -= PAGE_SIZE;
74338 +
74339 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74340 goto out;
74341
74342 /* Check if the location we're moving into overlaps the
74343 * old location at all, and fail if it does.
74344 */
74345 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
74346 - goto out;
74347 -
74348 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
74349 + if (addr + old_len > new_addr && new_addr + new_len > addr)
74350 goto out;
74351
74352 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
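Review bot: In the rewritten bounds test `new_len > TASK_SIZE || new_addr > pax_task_size - new_len`, the first comparison still uses TASK_SIZE while the subtraction uses the smaller pax_task_size. For a new_len between the two, `pax_task_size - new_len` wraps around as an unsigned value and the second comparison no longer rejects anything. The check added to do_mremap in a later hunk rejects such lengths before mremap_to is called, but the helper should be self-consistent: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to starts and ends outside the hunk.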
74353 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
74354 struct vm_area_struct *vma;
74355 unsigned long ret = -EINVAL;
74356 unsigned long charged = 0;
74357 + unsigned long pax_task_size = TASK_SIZE;
74358
74359 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74360 goto out;
74361 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
74362 if (!new_len)
74363 goto out;
74364
74365 +#ifdef CONFIG_PAX_SEGMEXEC
74366 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74367 + pax_task_size = SEGMEXEC_TASK_SIZE;
74368 +#endif
74369 +
74370 + pax_task_size -= PAGE_SIZE;
74371 +
74372 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74373 + old_len > pax_task_size || addr > pax_task_size-old_len)
74374 + goto out;
74375 +
74376 if (flags & MREMAP_FIXED) {
74377 if (flags & MREMAP_MAYMOVE)
74378 ret = mremap_to(addr, old_len, new_addr, new_len);
74379 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
74380 addr + new_len);
74381 }
74382 ret = addr;
74383 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74384 goto out;
74385 }
74386 }
74387 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
74388 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74389 if (ret)
74390 goto out;
74391 +
74392 + map_flags = vma->vm_flags;
74393 ret = move_vma(vma, addr, old_len, new_len, new_addr);
74394 + if (!(ret & ~PAGE_MASK)) {
74395 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74396 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74397 + }
74398 }
74399 out:
74400 if (ret & ~PAGE_MASK)
74401 diff -urNp linux-2.6.39.2/mm/nobootmem.c linux-2.6.39.2/mm/nobootmem.c
74402 --- linux-2.6.39.2/mm/nobootmem.c 2011-05-19 00:06:34.000000000 -0400
74403 +++ linux-2.6.39.2/mm/nobootmem.c 2011-05-22 19:36:33.000000000 -0400
74404 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
74405 unsigned long __init free_all_memory_core_early(int nodeid)
74406 {
74407 int i;
74408 - u64 start, end;
74409 + u64 start, end, startrange, endrange;
74410 unsigned long count = 0;
74411 - struct range *range = NULL;
74412 + struct range *range = NULL, rangerange = { 0, 0 };
74413 int nr_range;
74414
74415 nr_range = get_free_all_memory_range(&range, nodeid);
74416 + startrange = __pa(range) >> PAGE_SHIFT;
74417 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
74418
74419 for (i = 0; i < nr_range; i++) {
74420 start = range[i].start;
74421 end = range[i].end;
74422 + if (start <= endrange && startrange < end) {
74423 + BUG_ON(rangerange.start | rangerange.end);
74424 + rangerange = range[i];
74425 + continue;
74426 + }
74427 count += end - start;
74428 __free_pages_memory(start, end);
74429 }
74430 + start = rangerange.start;
74431 + end = rangerange.end;
74432 + count += end - start;
74433 + __free_pages_memory(start, end);
74434
74435 return count;
74436 }
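Review bot: free_all_memory_core_early now holds one range back in `rangerange` and frees it after the loop, but nothing explains why. Since `startrange`/`endrange` are derived from `__pa(range)`, it looks as if the range containing the `range[]` array itself is freed last so the array is not handed back while it is still being read; a comment such as `/* free the range that holds range[] itself only after the walk */` would make that explicit. When no range overlaps, the trailing `__free_pages_memory(start, end)` runs with 0 and 0, which a guard like `if (rangerange.end)` would avoid.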
74437 diff -urNp linux-2.6.39.2/mm/nommu.c linux-2.6.39.2/mm/nommu.c
74438 --- linux-2.6.39.2/mm/nommu.c 2011-05-19 00:06:34.000000000 -0400
74439 +++ linux-2.6.39.2/mm/nommu.c 2011-05-22 19:36:33.000000000 -0400
74440 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74441 int sysctl_overcommit_ratio = 50; /* default is 50% */
74442 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74443 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74444 -int heap_stack_gap = 0;
74445
74446 atomic_long_t mmap_pages_allocated;
74447
74448 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
74449 EXPORT_SYMBOL(find_vma);
74450
74451 /*
74452 - * find a VMA
74453 - * - we don't extend stack VMAs under NOMMU conditions
74454 - */
74455 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74456 -{
74457 - return find_vma(mm, addr);
74458 -}
74459 -
74460 -/*
74461 * expand a stack to a given address
74462 * - not supported under NOMMU conditions
74463 */
74464 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
74465
74466 /* most fields are the same, copy all, and then fixup */
74467 *new = *vma;
74468 + INIT_LIST_HEAD(&new->anon_vma_chain);
74469 *region = *vma->vm_region;
74470 new->vm_region = region;
74471
74472 diff -urNp linux-2.6.39.2/mm/page_alloc.c linux-2.6.39.2/mm/page_alloc.c
74473 --- linux-2.6.39.2/mm/page_alloc.c 2011-06-03 00:04:14.000000000 -0400
74474 +++ linux-2.6.39.2/mm/page_alloc.c 2011-06-03 00:32:08.000000000 -0400
74475 @@ -650,6 +650,10 @@ static bool free_pages_prepare(struct pa
74476 int i;
74477 int bad = 0;
74478
74479 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74480 + unsigned long index = 1UL << order;
74481 +#endif
74482 +
74483 trace_mm_page_free_direct(page, order);
74484 kmemcheck_free_shadow(page, order);
74485
74486 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
74487 debug_check_no_obj_freed(page_address(page),
74488 PAGE_SIZE << order);
74489 }
74490 +
74491 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74492 + for (; index; --index)
74493 + sanitize_highpage(page + index - 1);
74494 +#endif
74495 +
74496 arch_free_page(page, order);
74497 kernel_map_pages(page, 1 << order, 0);
74498
74499 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
74500 arch_alloc_page(page, order);
74501 kernel_map_pages(page, 1 << order, 1);
74502
74503 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
74504 if (gfp_flags & __GFP_ZERO)
74505 prep_zero_page(page, order, gfp_flags);
74506 +#endif
74507
74508 if (order && (gfp_flags & __GFP_COMP))
74509 prep_compound_page(page, order);
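Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` handling in prep_new_page is compiled out, so zeroed allocations depend entirely on every page having been cleared by the sanitize_highpage loop added to free_pages_prepare. Pages that reach the free lists by another route, if any exist in this tree, would be handed to `__GFP_ZERO` callers without being cleared. That dependency should be stated at the `#ifndef`, e.g. `/* pages are sanitized on free, see free_pages_prepare() */`, and the other free paths checked against it. prep_new_page starts and ends outside the hunk.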
74510 @@ -2504,6 +2516,8 @@ void __show_free_areas(unsigned int filt
74511 int cpu;
74512 struct zone *zone;
74513
74514 + pax_track_stack();
74515 +
74516 for_each_populated_zone(zone) {
74517 if (skip_free_areas_zone(filter, zone))
74518 continue;
74519 diff -urNp linux-2.6.39.2/mm/percpu.c linux-2.6.39.2/mm/percpu.c
74520 --- linux-2.6.39.2/mm/percpu.c 2011-05-19 00:06:34.000000000 -0400
74521 +++ linux-2.6.39.2/mm/percpu.c 2011-05-22 19:36:33.000000000 -0400
74522 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
74523 static unsigned int pcpu_last_unit_cpu __read_mostly;
74524
74525 /* the address of the first chunk which starts with the kernel static area */
74526 -void *pcpu_base_addr __read_mostly;
74527 +void *pcpu_base_addr __read_only;
74528 EXPORT_SYMBOL_GPL(pcpu_base_addr);
74529
74530 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74531 diff -urNp linux-2.6.39.2/mm/rmap.c linux-2.6.39.2/mm/rmap.c
74532 --- linux-2.6.39.2/mm/rmap.c 2011-05-19 00:06:34.000000000 -0400
74533 +++ linux-2.6.39.2/mm/rmap.c 2011-05-22 19:36:33.000000000 -0400
74534 @@ -131,6 +131,10 @@ int anon_vma_prepare(struct vm_area_stru
74535 struct anon_vma *anon_vma = vma->anon_vma;
74536 struct anon_vma_chain *avc;
74537
74538 +#ifdef CONFIG_PAX_SEGMEXEC
74539 + struct anon_vma_chain *avc_m = NULL;
74540 +#endif
74541 +
74542 might_sleep();
74543 if (unlikely(!anon_vma)) {
74544 struct mm_struct *mm = vma->vm_mm;
74545 @@ -140,6 +144,12 @@ int anon_vma_prepare(struct vm_area_stru
74546 if (!avc)
74547 goto out_enomem;
74548
74549 +#ifdef CONFIG_PAX_SEGMEXEC
74550 + avc_m = anon_vma_chain_alloc();
74551 + if (!avc_m)
74552 + goto out_enomem_free_avc;
74553 +#endif
74554 +
74555 anon_vma = find_mergeable_anon_vma(vma);
74556 allocated = NULL;
74557 if (!anon_vma) {
74558 @@ -153,6 +163,21 @@ int anon_vma_prepare(struct vm_area_stru
74559 /* page_table_lock to protect against threads */
74560 spin_lock(&mm->page_table_lock);
74561 if (likely(!vma->anon_vma)) {
74562 +
74563 +#ifdef CONFIG_PAX_SEGMEXEC
74564 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74565 +
74566 + if (vma_m) {
74567 + BUG_ON(vma_m->anon_vma);
74568 + vma_m->anon_vma = anon_vma;
74569 + avc_m->anon_vma = anon_vma;
74570 + avc_m->vma = vma;
74571 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
74572 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
74573 + avc_m = NULL;
74574 + }
74575 +#endif
74576 +
74577 vma->anon_vma = anon_vma;
74578 avc->anon_vma = anon_vma;
74579 avc->vma = vma;
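Review bot: `avc_m->vma = vma;` sets the mirror chain entry's back-pointer to the original vma, although the entry is linked onto `vma_m->anon_vma_chain` on the next line; the unchanged code below pairs `avc->vma = vma` with `vma->anon_vma_chain`. If the back-pointer is meant to identify the vma whose chain holds the entry, this should read `avc_m->vma = vma_m;`. If pointing at the original is deliberate, it needs a comment explaining why. The function starts and ends outside the hunk.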
74580 @@ -166,12 +191,24 @@ int anon_vma_prepare(struct vm_area_stru
74581
74582 if (unlikely(allocated))
74583 put_anon_vma(allocated);
74584 +
74585 +#ifdef CONFIG_PAX_SEGMEXEC
74586 + if (unlikely(avc_m))
74587 + anon_vma_chain_free(avc_m);
74588 +#endif
74589 +
74590 if (unlikely(avc))
74591 anon_vma_chain_free(avc);
74592 }
74593 return 0;
74594
74595 out_enomem_free_avc:
74596 +
74597 +#ifdef CONFIG_PAX_SEGMEXEC
74598 + if (avc_m)
74599 + anon_vma_chain_free(avc_m);
74600 +#endif
74601 +
74602 anon_vma_chain_free(avc);
74603 out_enomem:
74604 return -ENOMEM;
74605 @@ -198,7 +235,7 @@ static void anon_vma_chain_link(struct v
74606 * Attach the anon_vmas from src to dst.
74607 * Returns 0 on success, -ENOMEM on failure.
74608 */
74609 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
74610 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
74611 {
74612 struct anon_vma_chain *avc, *pavc;
74613
74614 @@ -220,7 +257,7 @@ int anon_vma_clone(struct vm_area_struct
74615 * the corresponding VMA in the parent process is attached to.
74616 * Returns 0 on success, non-zero on failure.
74617 */
74618 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
74619 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
74620 {
74621 struct anon_vma_chain *avc;
74622 struct anon_vma *anon_vma;
74623 diff -urNp linux-2.6.39.2/mm/shmem.c linux-2.6.39.2/mm/shmem.c
74624 --- linux-2.6.39.2/mm/shmem.c 2011-06-03 00:04:14.000000000 -0400
74625 +++ linux-2.6.39.2/mm/shmem.c 2011-06-03 00:32:08.000000000 -0400
74626 @@ -31,7 +31,7 @@
74627 #include <linux/percpu_counter.h>
74628 #include <linux/swap.h>
74629
74630 -static struct vfsmount *shm_mnt;
74631 +struct vfsmount *shm_mnt;
74632
74633 #ifdef CONFIG_SHMEM
74634 /*
74635 @@ -1087,6 +1087,8 @@ static int shmem_writepage(struct page *
74636 goto unlock;
74637 }
74638 entry = shmem_swp_entry(info, index, NULL);
74639 + if (!entry)
74640 + goto unlock;
74641 if (entry->val) {
74642 /*
74643 * The more uptodate page coming down from a stacked
74644 @@ -1158,6 +1160,8 @@ static struct page *shmem_swapin(swp_ent
74645 struct vm_area_struct pvma;
74646 struct page *page;
74647
74648 + pax_track_stack();
74649 +
74650 spol = mpol_cond_copy(&mpol,
74651 mpol_shared_policy_lookup(&info->policy, idx));
74652
74653 @@ -2014,7 +2018,7 @@ static int shmem_symlink(struct inode *d
74654
74655 info = SHMEM_I(inode);
74656 inode->i_size = len-1;
74657 - if (len <= (char *)inode - (char *)info) {
74658 + if (len <= (char *)inode - (char *)info && len <= 64) {
74659 /* do it inline */
74660 memcpy(info, symname, len);
74661 inode->i_op = &shmem_symlink_inline_operations;
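Review bot: The added `len <= 64` bound on inline symlinks is an unexplained magic number. The existing test already limits `len` to the space between `info` and `inode`, so the reason for the tighter cap is not evident from the hunk. A named constant with a one-line comment giving the origin of 64 would let a reader verify that the `memcpy(info, symname, len)` destination really has that much room. shmem_symlink starts and ends outside the hunk.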
74662 @@ -2362,8 +2366,7 @@ int shmem_fill_super(struct super_block
74663 int err = -ENOMEM;
74664
74665 /* Round up to L1_CACHE_BYTES to resist false sharing */
74666 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74667 - L1_CACHE_BYTES), GFP_KERNEL);
74668 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74669 if (!sbinfo)
74670 return -ENOMEM;
74671
74672 diff -urNp linux-2.6.39.2/mm/slab.c linux-2.6.39.2/mm/slab.c
74673 --- linux-2.6.39.2/mm/slab.c 2011-05-19 00:06:34.000000000 -0400
74674 +++ linux-2.6.39.2/mm/slab.c 2011-05-22 19:41:42.000000000 -0400
74675 @@ -150,7 +150,7 @@
74676
74677 /* Legal flag mask for kmem_cache_create(). */
74678 #if DEBUG
74679 -# define CREATE_MASK (SLAB_RED_ZONE | \
74680 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74681 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74682 SLAB_CACHE_DMA | \
74683 SLAB_STORE_USER | \
74684 @@ -158,7 +158,7 @@
74685 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74686 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74687 #else
74688 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74689 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74690 SLAB_CACHE_DMA | \
74691 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74692 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74693 @@ -287,7 +287,7 @@ struct kmem_list3 {
74694 * Need this for bootstrapping a per node allocator.
74695 */
74696 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74697 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74698 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74699 #define CACHE_CACHE 0
74700 #define SIZE_AC MAX_NUMNODES
74701 #define SIZE_L3 (2 * MAX_NUMNODES)
74702 @@ -388,10 +388,10 @@ static void kmem_list3_init(struct kmem_
74703 if ((x)->max_freeable < i) \
74704 (x)->max_freeable = i; \
74705 } while (0)
74706 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74707 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74708 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74709 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74710 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74711 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74712 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74713 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74714 #else
74715 #define STATS_INC_ACTIVE(x) do { } while (0)
74716 #define STATS_DEC_ACTIVE(x) do { } while (0)
74717 @@ -537,7 +537,7 @@ static inline void *index_to_obj(struct
74718 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74719 */
74720 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74721 - const struct slab *slab, void *obj)
74722 + const struct slab *slab, const void *obj)
74723 {
74724 u32 offset = (obj - slab->s_mem);
74725 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74726 @@ -563,7 +563,7 @@ struct cache_names {
74727 static struct cache_names __initdata cache_names[] = {
74728 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
74729 #include <linux/kmalloc_sizes.h>
74730 - {NULL,}
74731 + {NULL}
74732 #undef CACHE
74733 };
74734
74735 @@ -1529,7 +1529,7 @@ void __init kmem_cache_init(void)
74736 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74737 sizes[INDEX_AC].cs_size,
74738 ARCH_KMALLOC_MINALIGN,
74739 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74740 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74741 NULL);
74742
74743 if (INDEX_AC != INDEX_L3) {
74744 @@ -1537,7 +1537,7 @@ void __init kmem_cache_init(void)
74745 kmem_cache_create(names[INDEX_L3].name,
74746 sizes[INDEX_L3].cs_size,
74747 ARCH_KMALLOC_MINALIGN,
74748 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74749 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74750 NULL);
74751 }
74752
74753 @@ -1555,7 +1555,7 @@ void __init kmem_cache_init(void)
74754 sizes->cs_cachep = kmem_cache_create(names->name,
74755 sizes->cs_size,
74756 ARCH_KMALLOC_MINALIGN,
74757 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74758 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74759 NULL);
74760 }
74761 #ifdef CONFIG_ZONE_DMA
74762 @@ -4270,10 +4270,10 @@ static int s_show(struct seq_file *m, vo
74763 }
74764 /* cpu stats */
74765 {
74766 - unsigned long allochit = atomic_read(&cachep->allochit);
74767 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
74768 - unsigned long freehit = atomic_read(&cachep->freehit);
74769 - unsigned long freemiss = atomic_read(&cachep->freemiss);
74770 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
74771 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
74772 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
74773 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
74774
74775 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
74776 allochit, allocmiss, freehit, freemiss);
74777 @@ -4530,15 +4530,66 @@ static const struct file_operations proc
74778
74779 static int __init slab_proc_init(void)
74780 {
74781 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
74782 + mode_t gr_mode = S_IRUGO;
74783 +
74784 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
74785 + gr_mode = S_IRUSR;
74786 +#endif
74787 +
74788 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
74789 #ifdef CONFIG_DEBUG_SLAB_LEAK
74790 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
74791 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
74792 #endif
74793 return 0;
74794 }
74795 module_init(slab_proc_init);
74796 #endif
74797
74798 +void check_object_size(const void *ptr, unsigned long n, bool to)
74799 +{
74800 +
74801 +#ifdef CONFIG_PAX_USERCOPY
74802 + struct page *page;
74803 + struct kmem_cache *cachep = NULL;
74804 + struct slab *slabp;
74805 + unsigned int objnr;
74806 + unsigned long offset;
74807 +
74808 + if (!n)
74809 + return;
74810 +
74811 + if (ZERO_OR_NULL_PTR(ptr))
74812 + goto report;
74813 +
74814 + if (!virt_addr_valid(ptr))
74815 + return;
74816 +
74817 + page = virt_to_head_page(ptr);
74818 +
74819 + if (!PageSlab(page)) {
74820 + if (object_is_on_stack(ptr, n) == -1)
74821 + goto report;
74822 + return;
74823 + }
74824 +
74825 + cachep = page_get_cache(page);
74826 + if (!(cachep->flags & SLAB_USERCOPY))
74827 + goto report;
74828 +
74829 + slabp = page_get_slab(page);
74830 + objnr = obj_to_index(cachep, slabp, ptr);
74831 + BUG_ON(objnr >= cachep->num);
74832 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
74833 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
74834 + return;
74835 +
74836 +report:
74837 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
74838 +#endif
74839 +
74840 +}
74841 +EXPORT_SYMBOL(check_object_size);
74842 +
74843 /**
74844 * ksize - get the actual amount of memory allocated for a given object
74845 * @objp: Pointer to the object
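Review bot: In check_object_size, `BUG_ON(objnr >= cachep->num)` treats a pointer that lies in a slab page but outside every object differently from all other rejected cases, which `goto report`. Such a pointer is the kind of bad copy source or destination this function exists to flag, so `if (objnr >= cachep->num) goto report;` would produce the same pax_report_usercopy diagnostics instead of a bare BUG. The exported function also has no comment; a short kernel-doc block should state that `n` is the copy length, what `to` selects, and that addresses failing virt_addr_valid are accepted without further checks.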
74846 diff -urNp linux-2.6.39.2/mm/slob.c linux-2.6.39.2/mm/slob.c
74847 --- linux-2.6.39.2/mm/slob.c 2011-05-19 00:06:34.000000000 -0400
74848 +++ linux-2.6.39.2/mm/slob.c 2011-05-22 19:36:33.000000000 -0400
74849 @@ -29,7 +29,7 @@
74850 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
74851 * alloc_pages() directly, allocating compound pages so the page order
74852 * does not have to be separately tracked, and also stores the exact
74853 - * allocation size in page->private so that it can be used to accurately
74854 + * allocation size in slob_page->size so that it can be used to accurately
74855 * provide ksize(). These objects are detected in kfree() because slob_page()
74856 * is false for them.
74857 *
74858 @@ -58,6 +58,7 @@
74859 */
74860
74861 #include <linux/kernel.h>
74862 +#include <linux/sched.h>
74863 #include <linux/slab.h>
74864 #include <linux/mm.h>
74865 #include <linux/swap.h> /* struct reclaim_state */
74866 @@ -102,7 +103,8 @@ struct slob_page {
74867 unsigned long flags; /* mandatory */
74868 atomic_t _count; /* mandatory */
74869 slobidx_t units; /* free units left in page */
74870 - unsigned long pad[2];
74871 + unsigned long pad[1];
74872 + unsigned long size; /* size when >=PAGE_SIZE */
74873 slob_t *free; /* first free slob_t in page */
74874 struct list_head list; /* linked list of free pages */
74875 };
74876 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
74877 */
74878 static inline int is_slob_page(struct slob_page *sp)
74879 {
74880 - return PageSlab((struct page *)sp);
74881 + return PageSlab((struct page *)sp) && !sp->size;
74882 }
74883
74884 static inline void set_slob_page(struct slob_page *sp)
74885 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
74886
74887 static inline struct slob_page *slob_page(const void *addr)
74888 {
74889 - return (struct slob_page *)virt_to_page(addr);
74890 + return (struct slob_page *)virt_to_head_page(addr);
74891 }
74892
74893 /*
74894 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
74895 /*
74896 * Return the size of a slob block.
74897 */
74898 -static slobidx_t slob_units(slob_t *s)
74899 +static slobidx_t slob_units(const slob_t *s)
74900 {
74901 if (s->units > 0)
74902 return s->units;
74903 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
74904 /*
74905 * Return the next free slob block pointer after this one.
74906 */
74907 -static slob_t *slob_next(slob_t *s)
74908 +static slob_t *slob_next(const slob_t *s)
74909 {
74910 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
74911 slobidx_t next;
74912 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
74913 /*
74914 * Returns true if s is the last free block in its page.
74915 */
74916 -static int slob_last(slob_t *s)
74917 +static int slob_last(const slob_t *s)
74918 {
74919 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
74920 }
74921 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
74922 if (!page)
74923 return NULL;
74924
74925 + set_slob_page(page);
74926 return page_address(page);
74927 }
74928
74929 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
74930 if (!b)
74931 return NULL;
74932 sp = slob_page(b);
74933 - set_slob_page(sp);
74934
74935 spin_lock_irqsave(&slob_lock, flags);
74936 sp->units = SLOB_UNITS(PAGE_SIZE);
74937 sp->free = b;
74938 + sp->size = 0;
74939 INIT_LIST_HEAD(&sp->list);
74940 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
74941 set_slob_page_free(sp, slob_list);
74942 @@ -476,10 +479,9 @@ out:
74943 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
74944 */
74945
74946 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74947 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
74948 {
74949 - unsigned int *m;
74950 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74951 + slob_t *m;
74952 void *ret;
74953
74954 lockdep_trace_alloc(gfp);
74955 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
74956
74957 if (!m)
74958 return NULL;
74959 - *m = size;
74960 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
74961 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
74962 + m[0].units = size;
74963 + m[1].units = align;
74964 ret = (void *)m + align;
74965
74966 trace_kmalloc_node(_RET_IP_, ret,
74967 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
74968 gfp |= __GFP_COMP;
74969 ret = slob_new_pages(gfp, order, node);
74970 if (ret) {
74971 - struct page *page;
74972 - page = virt_to_page(ret);
74973 - page->private = size;
74974 + struct slob_page *sp;
74975 + sp = slob_page(ret);
74976 + sp->size = size;
74977 }
74978
74979 trace_kmalloc_node(_RET_IP_, ret,
74980 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
74981 kmemleak_alloc(ret, size, 1, gfp);
74982 return ret;
74983 }
74984 +
74985 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74986 +{
74987 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74988 +
74989 + return __kmalloc_node_align(size, gfp, node, align);
74990 +}
74991 EXPORT_SYMBOL(__kmalloc_node);
74992
74993 void kfree(const void *block)
74994 @@ -531,13 +543,81 @@ void kfree(const void *block)
74995 sp = slob_page(block);
74996 if (is_slob_page(sp)) {
74997 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74998 - unsigned int *m = (unsigned int *)(block - align);
74999 - slob_free(m, *m + align);
75000 - } else
75001 + slob_t *m = (slob_t *)(block - align);
75002 + slob_free(m, m[0].units + align);
75003 + } else {
75004 + clear_slob_page(sp);
75005 + free_slob_page(sp);
75006 + sp->size = 0;
75007 put_page(&sp->page);
75008 + }
75009 }
75010 EXPORT_SYMBOL(kfree);
75011
75012 +void check_object_size(const void *ptr, unsigned long n, bool to)
75013 +{
75014 +
75015 +#ifdef CONFIG_PAX_USERCOPY
75016 + struct slob_page *sp;
75017 + const slob_t *free;
75018 + const void *base;
75019 +
75020 + if (!n)
75021 + return;
75022 +
75023 + if (ZERO_OR_NULL_PTR(ptr))
75024 + goto report;
75025 +
75026 + if (!virt_addr_valid(ptr))
75027 + return;
75028 +
75029 + sp = slob_page(ptr);
75030 + if (!PageSlab((struct page*)sp)) {
75031 + if (object_is_on_stack(ptr, n) == -1)
75032 + goto report;
75033 + return;
75034 + }
75035 +
75036 + if (sp->size) {
75037 + base = page_address(&sp->page);
75038 + if (base <= ptr && n <= sp->size - (ptr - base))
75039 + return;
75040 + goto report;
75041 + }
75042 +
75043 + /* some tricky double walking to find the chunk */
75044 + base = (void *)((unsigned long)ptr & PAGE_MASK);
75045 + free = sp->free;
75046 +
75047 + while (!slob_last(free) && (void *)free <= ptr) {
75048 + base = free + slob_units(free);
75049 + free = slob_next(free);
75050 + }
75051 +
75052 + while (base < (void *)free) {
75053 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
75054 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
75055 + int offset;
75056 +
75057 + if (ptr < base + align)
75058 + goto report;
75059 +
75060 + offset = ptr - base - align;
75061 + if (offset < m) {
75062 + if (n <= m - offset)
75063 + return;
75064 + goto report;
75065 + }
75066 + base += size;
75067 + }
75068 +
75069 +report:
75070 + pax_report_usercopy(ptr, n, to, NULL);
75071 +#endif
75072 +
75073 +}
75074 +EXPORT_SYMBOL(check_object_size);
75075 +
75076 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
75077 size_t ksize(const void *block)
75078 {
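Review bot: In the slob `check_object_size()`, the large-allocation branch (`if (sp->size)`) subtracts `ptr - base` from `sp->size` without first checking that the offset is no larger than `sp->size`. Because `slob_page()` now resolves to the head page, a pointer into the unused tail of a compound allocation would, as far as the hunk shows, make the unsigned subtraction wrap and let the `n <=` test pass for any length. The slab and slub versions test `offset <= ...` before subtracting. I would write `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. The chunk walk below it keeps `size` and `offset` in `int` while `n` is `unsigned long`, which deserves a comment on the assumed ranges.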
75079 @@ -550,10 +630,10 @@ size_t ksize(const void *block)
75080 sp = slob_page(block);
75081 if (is_slob_page(sp)) {
75082 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75083 - unsigned int *m = (unsigned int *)(block - align);
75084 - return SLOB_UNITS(*m) * SLOB_UNIT;
75085 + slob_t *m = (slob_t *)(block - align);
75086 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
75087 } else
75088 - return sp->page.private;
75089 + return sp->size;
75090 }
75091 EXPORT_SYMBOL(ksize);
75092
75093 @@ -608,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
75094 {
75095 void *b;
75096
75097 +#ifdef CONFIG_PAX_USERCOPY
75098 + b = __kmalloc_node_align(c->size, flags, node, c->align);
75099 +#else
75100 if (c->size < PAGE_SIZE) {
75101 b = slob_alloc(c->size, flags, c->align, node);
75102 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75103 SLOB_UNITS(c->size) * SLOB_UNIT,
75104 flags, node);
75105 } else {
75106 + struct slob_page *sp;
75107 +
75108 b = slob_new_pages(flags, get_order(c->size), node);
75109 + sp = slob_page(b);
75110 + sp->size = c->size;
75111 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75112 PAGE_SIZE << get_order(c->size),
75113 flags, node);
75114 }
75115 +#endif
75116
75117 if (c->ctor)
75118 c->ctor(b);
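Review bot: The new `sp = slob_page(b); sp->size = c->size;` in the non-USERCOPY large-object branch of `kmem_cache_alloc_node()` runs before `b` is checked, and `slob_new_pages()` returns NULL when the page allocation fails. `__kmalloc_node_align()` earlier in this file guards the same store with `if (ret)`. The same guard belongs here: `if (b) { sp = slob_page(b); sp->size = c->size; }`. The function starts and ends outside the hunk, so how the later `c->ctor(b)` call copes with a NULL `b` is not visible.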
75119 @@ -630,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
75120
75121 static void __kmem_cache_free(void *b, int size)
75122 {
75123 - if (size < PAGE_SIZE)
75124 + struct slob_page *sp = slob_page(b);
75125 +
75126 + if (is_slob_page(sp))
75127 slob_free(b, size);
75128 - else
75129 + else {
75130 + clear_slob_page(sp);
75131 + free_slob_page(sp);
75132 + sp->size = 0;
75133 slob_free_pages(b, get_order(size));
75134 + }
75135 }
75136
75137 static void kmem_rcu_free(struct rcu_head *head)
75138 @@ -646,14 +740,23 @@ static void kmem_rcu_free(struct rcu_hea
75139
75140 void kmem_cache_free(struct kmem_cache *c, void *b)
75141 {
75142 + int size = c->size;
75143 +
75144 +#ifdef CONFIG_PAX_USERCOPY
75145 + if (size + c->align < PAGE_SIZE) {
75146 + size += c->align;
75147 + b -= c->align;
75148 + }
75149 +#endif
75150 +
75151 kmemleak_free_recursive(b, c->flags);
75152 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
75153 struct slob_rcu *slob_rcu;
75154 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
75155 - slob_rcu->size = c->size;
75156 + slob_rcu = b + (size - sizeof(struct slob_rcu));
75157 + slob_rcu->size = size;
75158 call_rcu(&slob_rcu->head, kmem_rcu_free);
75159 } else {
75160 - __kmem_cache_free(b, c->size);
75161 + __kmem_cache_free(b, size);
75162 }
75163
75164 trace_kmem_cache_free(_RET_IP_, b);
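Review bot: Under CONFIG_PAX_USERCOPY `b` is moved back by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kmem_cache_free(_RET_IP_, b)` run, so both now receive the header address rather than the object address that `__kmalloc_node_align()` passed to `kmemleak_alloc()` and its tracepoint. If kmemleak looks objects up by their start address, which I cannot confirm from this hunk, the free would no longer match the allocation. Calling `kmemleak_free_recursive(b, c->flags);` before the `#ifdef CONFIG_PAX_USERCOPY` block and tracing the caller's pointer would keep the two sides consistent. A comment such as `/* step back over the size/align header written by __kmalloc_node_align() */` on the adjustment would also help. The function's closing lines are outside the hunk.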
75165 diff -urNp linux-2.6.39.2/mm/slub.c linux-2.6.39.2/mm/slub.c
75166 --- linux-2.6.39.2/mm/slub.c 2011-06-03 00:04:14.000000000 -0400
75167 +++ linux-2.6.39.2/mm/slub.c 2011-06-03 00:32:08.000000000 -0400
75168 @@ -431,7 +431,7 @@ static void print_track(const char *s, s
75169 if (!t->addr)
75170 return;
75171
75172 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
75173 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
75174 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
75175 }
75176
75177 @@ -2183,6 +2183,8 @@ void kmem_cache_free(struct kmem_cache *
75178
75179 page = virt_to_head_page(x);
75180
75181 + BUG_ON(!PageSlab(page));
75182 +
75183 slab_free(s, page, x, _RET_IP_);
75184
75185 trace_kmem_cache_free(_RET_IP_, x);
75186 @@ -2216,7 +2218,7 @@ static int slub_min_objects;
75187 * Merge control. If this is set then no merging of slab caches will occur.
75188 * (Could be removed. This was introduced to pacify the merge skeptics.)
75189 */
75190 -static int slub_nomerge;
75191 +static int slub_nomerge = 1;
75192
75193 /*
75194 * Calculate the order of allocation given an slab object size.
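Review bot: The default of `slub_nomerge` flips to 1 but the comment above it still only describes the flag, so nothing in the file says that cache merging is now off by default. If the existing boot option can only set the flag, which is not visible in this hunk, there is also no way left to turn merging back on. I would extend the comment with something like `Defaults to 1 here: caches are kept separate unless merging is explicitly re-enabled.` and say how, if at all, that can be done.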
75195 @@ -2644,7 +2646,7 @@ static int kmem_cache_open(struct kmem_c
75196 * list to avoid pounding the page allocator excessively.
75197 */
75198 set_min_partial(s, ilog2(s->size));
75199 - s->refcount = 1;
75200 + atomic_set(&s->refcount, 1);
75201 #ifdef CONFIG_NUMA
75202 s->remote_node_defrag_ratio = 1000;
75203 #endif
75204 @@ -2750,8 +2752,7 @@ static inline int kmem_cache_close(struc
75205 void kmem_cache_destroy(struct kmem_cache *s)
75206 {
75207 down_write(&slub_lock);
75208 - s->refcount--;
75209 - if (!s->refcount) {
75210 + if (atomic_dec_and_test(&s->refcount)) {
75211 list_del(&s->list);
75212 if (kmem_cache_close(s)) {
75213 printk(KERN_ERR "SLUB %s: %s called for cache that "
75214 @@ -2961,6 +2962,46 @@ void *__kmalloc_node(size_t size, gfp_t
75215 EXPORT_SYMBOL(__kmalloc_node);
75216 #endif
75217
75218 +void check_object_size(const void *ptr, unsigned long n, bool to)
75219 +{
75220 +
75221 +#ifdef CONFIG_PAX_USERCOPY
75222 + struct page *page;
75223 + struct kmem_cache *s = NULL;
75224 + unsigned long offset;
75225 +
75226 + if (!n)
75227 + return;
75228 +
75229 + if (ZERO_OR_NULL_PTR(ptr))
75230 + goto report;
75231 +
75232 + if (!virt_addr_valid(ptr))
75233 + return;
75234 +
75235 + page = virt_to_head_page(ptr);
75236 +
75237 + if (!PageSlab(page)) {
75238 + if (object_is_on_stack(ptr, n) == -1)
75239 + goto report;
75240 + return;
75241 + }
75242 +
75243 + s = page->slab;
75244 + if (!(s->flags & SLAB_USERCOPY))
75245 + goto report;
75246 +
75247 + offset = (ptr - page_address(page)) % s->size;
75248 + if (offset <= s->objsize && n <= s->objsize - offset)
75249 + return;
75250 +
75251 +report:
75252 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
75253 +#endif
75254 +
75255 +}
75256 +EXPORT_SYMBOL(check_object_size);
75257 +
75258 size_t ksize(const void *object)
75259 {
75260 struct page *page;
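Review bot: The slub `check_object_size()` is exported without any comment on its contract, and the outcome of each early exit is not obvious from the code. I would add a kernel-doc block stating what `ptr`, `n` and `to` mean and which inputs are accepted silently: a zero length, an address failing `virt_addr_valid()`, and a non-slab page that `object_is_on_stack()` does not flag. It should also say that a cache without `SLAB_USERCOPY`, or a copy that runs past the object's `objsize`, is reported through `pax_report_usercopy()`. The bare `-1` compared against `object_is_on_stack()` wants a named constant or a one-line comment saying what that result stands for. The slab and slob copies of this function have the same gap.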
75261 @@ -3205,7 +3246,7 @@ static void __init kmem_cache_bootstrap_
75262 int node;
75263
75264 list_add(&s->list, &slab_caches);
75265 - s->refcount = -1;
75266 + atomic_set(&s->refcount, -1);
75267
75268 for_each_node_state(node, N_NORMAL_MEMORY) {
75269 struct kmem_cache_node *n = get_node(s, node);
75270 @@ -3322,17 +3363,17 @@ void __init kmem_cache_init(void)
75271
75272 /* Caches that are not of the two-to-the-power-of size */
75273 if (KMALLOC_MIN_SIZE <= 32) {
75274 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
75275 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
75276 caches++;
75277 }
75278
75279 if (KMALLOC_MIN_SIZE <= 64) {
75280 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
75281 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
75282 caches++;
75283 }
75284
75285 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75286 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
75287 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
75288 caches++;
75289 }
75290
75291 @@ -3400,7 +3441,7 @@ static int slab_unmergeable(struct kmem_
75292 /*
75293 * We may have set a slab to be unmergeable during bootstrap.
75294 */
75295 - if (s->refcount < 0)
75296 + if (atomic_read(&s->refcount) < 0)
75297 return 1;
75298
75299 return 0;
75300 @@ -3459,7 +3500,7 @@ struct kmem_cache *kmem_cache_create(con
75301 down_write(&slub_lock);
75302 s = find_mergeable(size, align, flags, name, ctor);
75303 if (s) {
75304 - s->refcount++;
75305 + atomic_inc(&s->refcount);
75306 /*
75307 * Adjust the object sizes so that we clear
75308 * the complete object on kzalloc.
75309 @@ -3468,7 +3509,7 @@ struct kmem_cache *kmem_cache_create(con
75310 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
75311
75312 if (sysfs_slab_alias(s, name)) {
75313 - s->refcount--;
75314 + atomic_dec(&s->refcount);
75315 goto err;
75316 }
75317 up_write(&slub_lock);
75318 @@ -4201,7 +4242,7 @@ SLAB_ATTR_RO(ctor);
75319
75320 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75321 {
75322 - return sprintf(buf, "%d\n", s->refcount - 1);
75323 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75324 }
75325 SLAB_ATTR_RO(aliases);
75326
75327 @@ -4945,7 +4986,13 @@ static const struct file_operations proc
75328
75329 static int __init slab_proc_init(void)
75330 {
75331 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75332 + mode_t gr_mode = S_IRUGO;
75333 +
75334 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75335 + gr_mode = S_IRUSR;
75336 +#endif
75337 +
75338 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75339 return 0;
75340 }
75341 module_init(slab_proc_init);
75342 diff -urNp linux-2.6.39.2/mm/swapfile.c linux-2.6.39.2/mm/swapfile.c
75343 --- linux-2.6.39.2/mm/swapfile.c 2011-05-19 00:06:34.000000000 -0400
75344 +++ linux-2.6.39.2/mm/swapfile.c 2011-05-22 19:36:33.000000000 -0400
75345 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
75346
75347 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
75348 /* Activity counter to indicate that a swapon or swapoff has occurred */
75349 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
75350 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
75351
75352 static inline unsigned char swap_count(unsigned char ent)
75353 {
75354 @@ -1669,7 +1669,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
75355 }
75356 filp_close(swap_file, NULL);
75357 err = 0;
75358 - atomic_inc(&proc_poll_event);
75359 + atomic_inc_unchecked(&proc_poll_event);
75360 wake_up_interruptible(&proc_poll_wait);
75361
75362 out_dput:
75363 @@ -1690,8 +1690,8 @@ static unsigned swaps_poll(struct file *
75364
75365 poll_wait(file, &proc_poll_wait, wait);
75366
75367 - if (s->event != atomic_read(&proc_poll_event)) {
75368 - s->event = atomic_read(&proc_poll_event);
75369 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
75370 + s->event = atomic_read_unchecked(&proc_poll_event);
75371 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
75372 }
75373
75374 @@ -1797,7 +1797,7 @@ static int swaps_open(struct inode *inod
75375 }
75376
75377 s->seq.private = s;
75378 - s->event = atomic_read(&proc_poll_event);
75379 + s->event = atomic_read_unchecked(&proc_poll_event);
75380 return ret;
75381 }
75382
75383 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
75384 (p->flags & SWP_DISCARDABLE) ? "D" : "");
75385
75386 mutex_unlock(&swapon_mutex);
75387 - atomic_inc(&proc_poll_event);
75388 + atomic_inc_unchecked(&proc_poll_event);
75389 wake_up_interruptible(&proc_poll_wait);
75390
75391 if (S_ISREG(inode->i_mode))
75392 diff -urNp linux-2.6.39.2/mm/util.c linux-2.6.39.2/mm/util.c
75393 --- linux-2.6.39.2/mm/util.c 2011-05-19 00:06:34.000000000 -0400
75394 +++ linux-2.6.39.2/mm/util.c 2011-05-23 17:07:00.000000000 -0400
75395 @@ -112,6 +112,7 @@ EXPORT_SYMBOL(memdup_user);
75396 * allocated buffer. Use this if you don't want to free the buffer immediately
75397 * like, for example, with RCU.
75398 */
75399 +#undef __krealloc
75400 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
75401 {
75402 void *ret;
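Review bot: The `#undef __krealloc` placed directly above the definition has no comment saying which macro it cancels or why the definition needs the bare name. Presumably a header elsewhere in this patch wraps the allocator entry points in macros, but that is not visible here, and a reader of mm/util.c alone will not know it. A line such as `/* undo the wrapper macro so the real function can be defined */` above each `#undef` would cover it. The same applies to `#undef krealloc` in the next hunk and to the `#undef vmalloc*` / `#undef vzalloc*` lines in mm/vmalloc.c. `__krealloc()` continues past the end of the hunk.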
75403 @@ -145,6 +146,7 @@ EXPORT_SYMBOL(__krealloc);
75404 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
75405 * %NULL pointer, the object pointed to is freed.
75406 */
75407 +#undef krealloc
75408 void *krealloc(const void *p, size_t new_size, gfp_t flags)
75409 {
75410 void *ret;
75411 @@ -219,6 +221,12 @@ EXPORT_SYMBOL(strndup_user);
75412 void arch_pick_mmap_layout(struct mm_struct *mm)
75413 {
75414 mm->mmap_base = TASK_UNMAPPED_BASE;
75415 +
75416 +#ifdef CONFIG_PAX_RANDMMAP
75417 + if (mm->pax_flags & MF_PAX_RANDMMAP)
75418 + mm->mmap_base += mm->delta_mmap;
75419 +#endif
75420 +
75421 mm->get_unmapped_area = arch_get_unmapped_area;
75422 mm->unmap_area = arch_unmap_area;
75423 }
75424 diff -urNp linux-2.6.39.2/mm/vmalloc.c linux-2.6.39.2/mm/vmalloc.c
75425 --- linux-2.6.39.2/mm/vmalloc.c 2011-05-19 00:06:34.000000000 -0400
75426 +++ linux-2.6.39.2/mm/vmalloc.c 2011-05-22 19:36:33.000000000 -0400
75427 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75428
75429 pte = pte_offset_kernel(pmd, addr);
75430 do {
75431 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75432 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75433 +
75434 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75435 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75436 + BUG_ON(!pte_exec(*pte));
75437 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75438 + continue;
75439 + }
75440 +#endif
75441 +
75442 + {
75443 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75444 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75445 + }
75446 } while (pte++, addr += PAGE_SIZE, addr != end);
75447 }
75448
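Review bot: The KERNEXEC branch in `vunmap_pte_range()` rewrites the PTE with `PAGE_KERNEL_EXEC` instead of clearing it and asserts `pte_exec(*pte)` with `BUG_ON`, and neither choice is explained. A comment should say why addresses in `MODULES_EXEC_VADDR..MODULES_EXEC_END` keep a mapping after unmap, e.g. `/* exec module range is never left unmapped: restore the default executable mapping */`, with the wording to be confirmed by the author. It is also worth stating why a non-executable PTE here is fatal rather than a `WARN_ON` like the generic path. The function begins before the hunk.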
75449 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75450 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75451 {
75452 pte_t *pte;
75453 + int ret = -ENOMEM;
75454
75455 /*
75456 * nr is a running index into the array which helps higher level
75457 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
75458 pte = pte_alloc_kernel(pmd, addr);
75459 if (!pte)
75460 return -ENOMEM;
75461 +
75462 + pax_open_kernel();
75463 do {
75464 struct page *page = pages[*nr];
75465
75466 - if (WARN_ON(!pte_none(*pte)))
75467 - return -EBUSY;
75468 - if (WARN_ON(!page))
75469 - return -ENOMEM;
75470 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75471 + if (pgprot_val(prot) & _PAGE_NX)
75472 +#endif
75473 +
75474 + if (WARN_ON(!pte_none(*pte))) {
75475 + ret = -EBUSY;
75476 + goto out;
75477 + }
75478 + if (WARN_ON(!page)) {
75479 + ret = -ENOMEM;
75480 + goto out;
75481 + }
75482 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75483 (*nr)++;
75484 } while (pte++, addr += PAGE_SIZE, addr != end);
75485 - return 0;
75486 + ret = 0;
75487 +out:
75488 + pax_close_kernel();
75489 + return ret;
75490 }
75491
75492 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
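Review bot: In `vmap_pte_range()` the brace-less `if (pgprot_val(prot) & _PAGE_NX)` sits inside `#if ... #endif` and is followed by a blank line, so under KERNEXEC on 32-bit x86 it governs only the `WARN_ON(!pte_none(*pte))` block while the `!page` check and `set_pte_at()` stay unconditional. That is easy to misread and easy to break when the next statement is edited. I would compute the condition once, e.g. `bool need_empty = true;` set to `pgprot_val(prot) & _PAGE_NX` under the `#if`, and test `if (need_empty && WARN_ON(!pte_none(*pte)))`, with a comment on why executable mappings may find a populated PTE. The same dangling `if`/`else` across `#endif` appears in the `vmalloc_to_page()` and `__vmalloc_node_range()` hunks. The start of this function is in the previous hunk.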
75493 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
75494 * and fall back on vmalloc() if that fails. Others
75495 * just put it in the vmalloc space.
75496 */
75497 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75498 +#ifdef CONFIG_MODULES
75499 +#ifdef MODULES_VADDR
75500 unsigned long addr = (unsigned long)x;
75501 if (addr >= MODULES_VADDR && addr < MODULES_END)
75502 return 1;
75503 #endif
75504 +
75505 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75506 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75507 + return 1;
75508 +#endif
75509 +
75510 +#endif
75511 +
75512 return is_vmalloc_addr(x);
75513 }
75514
75515 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
75516
75517 if (!pgd_none(*pgd)) {
75518 pud_t *pud = pud_offset(pgd, addr);
75519 +#ifdef CONFIG_X86
75520 + if (!pud_large(*pud))
75521 +#endif
75522 if (!pud_none(*pud)) {
75523 pmd_t *pmd = pmd_offset(pud, addr);
75524 +#ifdef CONFIG_X86
75525 + if (!pmd_large(*pmd))
75526 +#endif
75527 if (!pmd_none(*pmd)) {
75528 pte_t *ptep, pte;
75529
75530 @@ -1296,6 +1336,16 @@ static struct vm_struct *__get_vm_area_n
75531 struct vm_struct *area;
75532
75533 BUG_ON(in_interrupt());
75534 +
75535 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75536 + if (flags & VM_KERNEXEC) {
75537 + if (start != VMALLOC_START || end != VMALLOC_END)
75538 + return NULL;
75539 + start = (unsigned long)MODULES_EXEC_VADDR;
75540 + end = (unsigned long)MODULES_EXEC_END;
75541 + }
75542 +#endif
75543 +
75544 if (flags & VM_IOREMAP) {
75545 int bit = fls(size);
75546
75547 @@ -1514,6 +1564,11 @@ void *vmap(struct page **pages, unsigned
75548 if (count > totalram_pages)
75549 return NULL;
75550
75551 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75552 + if (!(pgprot_val(prot) & _PAGE_NX))
75553 + flags |= VM_KERNEXEC;
75554 +#endif
75555 +
75556 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75557 __builtin_return_address(0));
75558 if (!area)
75559 @@ -1610,6 +1665,13 @@ void *__vmalloc_node_range(unsigned long
75560 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75561 return NULL;
75562
75563 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75564 + if (!(pgprot_val(prot) & _PAGE_NX))
75565 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75566 + node, gfp_mask, caller);
75567 + else
75568 +#endif
75569 +
75570 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
75571 gfp_mask, caller);
75572
75573 @@ -1649,6 +1711,7 @@ static void *__vmalloc_node(unsigned lon
75574 gfp_mask, prot, node, caller);
75575 }
75576
75577 +#undef __vmalloc
75578 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75579 {
75580 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
75581 @@ -1672,6 +1735,7 @@ static inline void *__vmalloc_node_flags
75582 * For tight control over page level allocator and protection flags
75583 * use __vmalloc() instead.
75584 */
75585 +#undef vmalloc
75586 void *vmalloc(unsigned long size)
75587 {
75588 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
75589 @@ -1688,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc);
75590 * For tight control over page level allocator and protection flags
75591 * use __vmalloc() instead.
75592 */
75593 +#undef vzalloc
75594 void *vzalloc(unsigned long size)
75595 {
75596 return __vmalloc_node_flags(size, -1,
75597 @@ -1702,6 +1767,7 @@ EXPORT_SYMBOL(vzalloc);
75598 * The resulting memory area is zeroed so it can be mapped to userspace
75599 * without leaking data.
75600 */
75601 +#undef vmalloc_user
75602 void *vmalloc_user(unsigned long size)
75603 {
75604 struct vm_struct *area;
75605 @@ -1729,6 +1795,7 @@ EXPORT_SYMBOL(vmalloc_user);
75606 * For tight control over page level allocator and protection flags
75607 * use __vmalloc() instead.
75608 */
75609 +#undef vmalloc_node
75610 void *vmalloc_node(unsigned long size, int node)
75611 {
75612 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75613 @@ -1748,6 +1815,7 @@ EXPORT_SYMBOL(vmalloc_node);
75614 * For tight control over page level allocator and protection flags
75615 * use __vmalloc_node() instead.
75616 */
75617 +#undef vzalloc_node
75618 void *vzalloc_node(unsigned long size, int node)
75619 {
75620 return __vmalloc_node_flags(size, node,
75621 @@ -1770,10 +1838,10 @@ EXPORT_SYMBOL(vzalloc_node);
75622 * For tight control over page level allocator and protection flags
75623 * use __vmalloc() instead.
75624 */
75625 -
75626 +#undef vmalloc_exec
75627 void *vmalloc_exec(unsigned long size)
75628 {
75629 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75630 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75631 -1, __builtin_return_address(0));
75632 }
75633
75634 @@ -1792,6 +1860,7 @@ void *vmalloc_exec(unsigned long size)
75635 * Allocate enough 32bit PA addressable pages to cover @size from the
75636 * page level allocator and map them into contiguous kernel virtual space.
75637 */
75638 +#undef vmalloc_32
75639 void *vmalloc_32(unsigned long size)
75640 {
75641 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75642 @@ -1806,6 +1875,7 @@ EXPORT_SYMBOL(vmalloc_32);
75643 * The resulting memory area is 32bit addressable and zeroed so it can be
75644 * mapped to userspace without leaking data.
75645 */
75646 +#undef vmalloc_32_user
75647 void *vmalloc_32_user(unsigned long size)
75648 {
75649 struct vm_struct *area;
75650 @@ -2068,6 +2138,8 @@ int remap_vmalloc_range(struct vm_area_s
75651 unsigned long uaddr = vma->vm_start;
75652 unsigned long usize = vma->vm_end - vma->vm_start;
75653
75654 + BUG_ON(vma->vm_mirror);
75655 +
75656 if ((PAGE_SIZE-1) & (unsigned long)addr)
75657 return -EINVAL;
75658
75659 diff -urNp linux-2.6.39.2/mm/vmstat.c linux-2.6.39.2/mm/vmstat.c
75660 --- linux-2.6.39.2/mm/vmstat.c 2011-05-19 00:06:34.000000000 -0400
75661 +++ linux-2.6.39.2/mm/vmstat.c 2011-05-22 19:41:42.000000000 -0400
75662 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
75663 *
75664 * vm_stat contains the global counters
75665 */
75666 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75667 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75668 EXPORT_SYMBOL(vm_stat);
75669
75670 #ifdef CONFIG_SMP
75671 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
75672 v = p->vm_stat_diff[i];
75673 p->vm_stat_diff[i] = 0;
75674 local_irq_restore(flags);
75675 - atomic_long_add(v, &zone->vm_stat[i]);
75676 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75677 global_diff[i] += v;
75678 #ifdef CONFIG_NUMA
75679 /* 3 seconds idle till flush */
75680 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
75681
75682 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75683 if (global_diff[i])
75684 - atomic_long_add(global_diff[i], &vm_stat[i]);
75685 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75686 }
75687
75688 #endif
75689 @@ -1205,10 +1205,20 @@ static int __init setup_vmstat(void)
75690 start_cpu_timer(cpu);
75691 #endif
75692 #ifdef CONFIG_PROC_FS
75693 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
75694 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
75695 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
75696 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
75697 + {
75698 + mode_t gr_mode = S_IRUGO;
75699 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75700 + gr_mode = S_IRUSR;
75701 +#endif
75702 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
75703 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
75704 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
75705 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
75706 +#else
75707 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
75708 +#endif
75709 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
75710 + }
75711 #endif
75712 return 0;
75713 }
75714 diff -urNp linux-2.6.39.2/net/8021q/vlan.c linux-2.6.39.2/net/8021q/vlan.c
75715 --- linux-2.6.39.2/net/8021q/vlan.c 2011-05-19 00:06:34.000000000 -0400
75716 +++ linux-2.6.39.2/net/8021q/vlan.c 2011-05-22 19:36:33.000000000 -0400
75717 @@ -592,8 +592,7 @@ static int vlan_ioctl_handler(struct net
75718 err = -EPERM;
75719 if (!capable(CAP_NET_ADMIN))
75720 break;
75721 - if ((args.u.name_type >= 0) &&
75722 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
75723 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
75724 struct vlan_net *vn;
75725
75726 vn = net_generic(net, vlan_net_id);
75727 diff -urNp linux-2.6.39.2/net/atm/atm_misc.c linux-2.6.39.2/net/atm/atm_misc.c
75728 --- linux-2.6.39.2/net/atm/atm_misc.c 2011-05-19 00:06:34.000000000 -0400
75729 +++ linux-2.6.39.2/net/atm/atm_misc.c 2011-05-22 19:36:33.000000000 -0400
75730 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
75731 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
75732 return 1;
75733 atm_return(vcc, truesize);
75734 - atomic_inc(&vcc->stats->rx_drop);
75735 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75736 return 0;
75737 }
75738 EXPORT_SYMBOL(atm_charge);
75739 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
75740 }
75741 }
75742 atm_return(vcc, guess);
75743 - atomic_inc(&vcc->stats->rx_drop);
75744 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75745 return NULL;
75746 }
75747 EXPORT_SYMBOL(atm_alloc_charge);
75748 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
75749
75750 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
75751 {
75752 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75753 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75754 __SONET_ITEMS
75755 #undef __HANDLE_ITEM
75756 }
75757 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
75758
75759 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
75760 {
75761 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75762 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
75763 __SONET_ITEMS
75764 #undef __HANDLE_ITEM
75765 }
75766 diff -urNp linux-2.6.39.2/net/atm/mpoa_caches.c linux-2.6.39.2/net/atm/mpoa_caches.c
75767 --- linux-2.6.39.2/net/atm/mpoa_caches.c 2011-05-19 00:06:34.000000000 -0400
75768 +++ linux-2.6.39.2/net/atm/mpoa_caches.c 2011-05-22 19:36:33.000000000 -0400
75769 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
75770 struct timeval now;
75771 struct k_message msg;
75772
75773 + pax_track_stack();
75774 +
75775 do_gettimeofday(&now);
75776
75777 read_lock_bh(&client->ingress_lock);
75778 diff -urNp linux-2.6.39.2/net/atm/proc.c linux-2.6.39.2/net/atm/proc.c
75779 --- linux-2.6.39.2/net/atm/proc.c 2011-05-19 00:06:34.000000000 -0400
75780 +++ linux-2.6.39.2/net/atm/proc.c 2011-05-22 19:41:42.000000000 -0400
75781 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
75782 const struct k_atm_aal_stats *stats)
75783 {
75784 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
75785 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
75786 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
75787 - atomic_read(&stats->rx_drop));
75788 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
75789 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
75790 + atomic_read_unchecked(&stats->rx_drop));
75791 }
75792
75793 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
75794 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
75795 {
75796 struct sock *sk = sk_atm(vcc);
75797
75798 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75799 + seq_printf(seq, "%p ", NULL);
75800 +#else
75801 seq_printf(seq, "%p ", vcc);
75802 +#endif
75803 +
75804 if (!vcc->dev)
75805 seq_printf(seq, "Unassigned ");
75806 else
75807 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
75808 {
75809 if (!vcc->dev)
75810 seq_printf(seq, sizeof(void *) == 4 ?
75811 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75812 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
75813 +#else
75814 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
75815 +#endif
75816 else
75817 seq_printf(seq, "%3d %3d %5d ",
75818 vcc->dev->number, vcc->vpi, vcc->vci);
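Review bot: The `#ifdef` in svc_info() is placed inside the argument list of a single seq_printf() call, so the format strings are duplicated and the call is closed in two different places. Choosing the pointer once in a local variable and leaving one call keeps the statement readable and stops the two format strings from drifting apart. svc_info() starts and ends outside the hunk.

```c
	/* never print the kernel address of vcc when HIDESYM is set */
#ifdef CONFIG_GRKERNSEC_HIDESYM
	const void *shown = NULL;
#else
	const void *shown = vcc;
#endif

	if (!vcc->dev)
		seq_printf(seq, sizeof(void *) == 4 ?
			   "N/A@%p%10s" : "N/A@%p%2s", shown, "");
	/* … unchanged: else branch printing dev number, vpi and vci … */
```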
75819 diff -urNp linux-2.6.39.2/net/atm/resources.c linux-2.6.39.2/net/atm/resources.c
75820 --- linux-2.6.39.2/net/atm/resources.c 2011-05-19 00:06:34.000000000 -0400
75821 +++ linux-2.6.39.2/net/atm/resources.c 2011-05-22 19:36:33.000000000 -0400
75822 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
75823 static void copy_aal_stats(struct k_atm_aal_stats *from,
75824 struct atm_aal_stats *to)
75825 {
75826 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75827 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75828 __AAL_STAT_ITEMS
75829 #undef __HANDLE_ITEM
75830 }
75831 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
75832 static void subtract_aal_stats(struct k_atm_aal_stats *from,
75833 struct atm_aal_stats *to)
75834 {
75835 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75836 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
75837 __AAL_STAT_ITEMS
75838 #undef __HANDLE_ITEM
75839 }
75840 diff -urNp linux-2.6.39.2/net/batman-adv/hard-interface.c linux-2.6.39.2/net/batman-adv/hard-interface.c
75841 --- linux-2.6.39.2/net/batman-adv/hard-interface.c 2011-05-19 00:06:34.000000000 -0400
75842 +++ linux-2.6.39.2/net/batman-adv/hard-interface.c 2011-05-22 19:36:33.000000000 -0400
75843 @@ -339,8 +339,8 @@ int hardif_enable_interface(struct hard_
75844 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
75845 dev_add_pack(&hard_iface->batman_adv_ptype);
75846
75847 - atomic_set(&hard_iface->seqno, 1);
75848 - atomic_set(&hard_iface->frag_seqno, 1);
75849 + atomic_set_unchecked(&hard_iface->seqno, 1);
75850 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
75851 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
75852 hard_iface->net_dev->name);
75853
75854 diff -urNp linux-2.6.39.2/net/batman-adv/routing.c linux-2.6.39.2/net/batman-adv/routing.c
75855 --- linux-2.6.39.2/net/batman-adv/routing.c 2011-05-19 00:06:34.000000000 -0400
75856 +++ linux-2.6.39.2/net/batman-adv/routing.c 2011-05-22 19:36:33.000000000 -0400
75857 @@ -625,7 +625,7 @@ void receive_bat_packet(struct ethhdr *e
75858 return;
75859
75860 /* could be changed by schedule_own_packet() */
75861 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
75862 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
75863
75864 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
75865
75866 diff -urNp linux-2.6.39.2/net/batman-adv/send.c linux-2.6.39.2/net/batman-adv/send.c
75867 --- linux-2.6.39.2/net/batman-adv/send.c 2011-05-19 00:06:34.000000000 -0400
75868 +++ linux-2.6.39.2/net/batman-adv/send.c 2011-05-22 19:36:33.000000000 -0400
75869 @@ -277,7 +277,7 @@ void schedule_own_packet(struct hard_ifa
75870
75871 /* change sequence number to network order */
75872 batman_packet->seqno =
75873 - htonl((uint32_t)atomic_read(&hard_iface->seqno));
75874 + htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
75875
75876 if (vis_server == VIS_TYPE_SERVER_SYNC)
75877 batman_packet->flags |= VIS_SERVER;
75878 @@ -291,7 +291,7 @@ void schedule_own_packet(struct hard_ifa
75879 else
75880 batman_packet->gw_flags = 0;
75881
75882 - atomic_inc(&hard_iface->seqno);
75883 + atomic_inc_unchecked(&hard_iface->seqno);
75884
75885 slide_own_bcast_window(hard_iface);
75886 send_time = own_send_time(bat_priv);
75887 diff -urNp linux-2.6.39.2/net/batman-adv/soft-interface.c linux-2.6.39.2/net/batman-adv/soft-interface.c
75888 --- linux-2.6.39.2/net/batman-adv/soft-interface.c 2011-05-19 00:06:34.000000000 -0400
75889 +++ linux-2.6.39.2/net/batman-adv/soft-interface.c 2011-05-22 19:36:33.000000000 -0400
75890 @@ -386,7 +386,7 @@ int interface_tx(struct sk_buff *skb, st
75891
75892 /* set broadcast sequence number */
75893 bcast_packet->seqno =
75894 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
75895 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
75896
75897 add_bcast_packet_to_list(bat_priv, skb);
75898
75899 @@ -579,7 +579,7 @@ struct net_device *softif_create(char *n
75900 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
75901
75902 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
75903 - atomic_set(&bat_priv->bcast_seqno, 1);
75904 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
75905 atomic_set(&bat_priv->hna_local_changed, 0);
75906
75907 bat_priv->primary_if = NULL;
75908 diff -urNp linux-2.6.39.2/net/batman-adv/types.h linux-2.6.39.2/net/batman-adv/types.h
75909 --- linux-2.6.39.2/net/batman-adv/types.h 2011-05-19 00:06:34.000000000 -0400
75910 +++ linux-2.6.39.2/net/batman-adv/types.h 2011-05-22 19:36:33.000000000 -0400
75911 @@ -38,8 +38,8 @@ struct hard_iface {
75912 int16_t if_num;
75913 char if_status;
75914 struct net_device *net_dev;
75915 - atomic_t seqno;
75916 - atomic_t frag_seqno;
75917 + atomic_unchecked_t seqno;
75918 + atomic_unchecked_t frag_seqno;
75919 unsigned char *packet_buff;
75920 int packet_len;
75921 struct kobject *hardif_obj;
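Review bot: `seqno` and `frag_seqno` change to `atomic_unchecked_t` with no comment on why these two fields are exempt from the overflow checking that the patch otherwise applies to `atomic_t`. The other hunks show them being truncated with `(uint32_t)` and `htons()`, so wrap-around looks intentional. A trailing comment such as `atomic_unchecked_t seqno; /* sequence number, wraps by design */` would say so at the declaration. The same applies to `bcast_seqno` in the struct bat_priv hunk below, where the neighbouring fields already carry `/* uint */` comments.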
75922 @@ -141,7 +141,7 @@ struct bat_priv {
75923 atomic_t orig_interval; /* uint */
75924 atomic_t hop_penalty; /* uint */
75925 atomic_t log_level; /* uint */
75926 - atomic_t bcast_seqno;
75927 + atomic_unchecked_t bcast_seqno;
75928 atomic_t bcast_queue_left;
75929 atomic_t batman_queue_left;
75930 char num_ifaces;
75931 diff -urNp linux-2.6.39.2/net/batman-adv/unicast.c linux-2.6.39.2/net/batman-adv/unicast.c
75932 --- linux-2.6.39.2/net/batman-adv/unicast.c 2011-05-19 00:06:34.000000000 -0400
75933 +++ linux-2.6.39.2/net/batman-adv/unicast.c 2011-05-22 19:36:33.000000000 -0400
75934 @@ -263,7 +263,7 @@ int frag_send_skb(struct sk_buff *skb, s
75935 frag1->flags = UNI_FRAG_HEAD | large_tail;
75936 frag2->flags = large_tail;
75937
75938 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
75939 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
75940 frag1->seqno = htons(seqno - 1);
75941 frag2->seqno = htons(seqno);
75942
75943 diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_core.c linux-2.6.39.2/net/bluetooth/l2cap_core.c
75944 --- linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
75945 +++ linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
75946 @@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
75947
75948 /* Reject if config buffer is too small. */
75949 len = cmd_len - sizeof(*req);
75950 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75951 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75952 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
75953 l2cap_build_conf_rsp(sk, rsp,
75954 L2CAP_CONF_REJECT, flags), rsp);
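Review bot: The new `len < 0` test runs only after `len = cmd_len - sizeof(*req)` has been computed, so it depends on an unsigned difference converting back to a negative int. Comparing before the subtraction states the intent directly: `if (cmd_len < sizeof(*req))` followed by the same reject path. The declarations of `len` and `cmd_len` are outside the hunk, so their signedness is assumed here. l2cap_config_req() continues outside the hunk.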
75955 diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_sock.c linux-2.6.39.2/net/bluetooth/l2cap_sock.c
75956 --- linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
75957 +++ linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
75958 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
75959 break;
75960 }
75961
75962 + memset(&cinfo, 0, sizeof(cinfo));
75963 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
75964 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
75965
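Review bot: The added memset() has no comment saying what it protects, and a later cleanup could take it for redundant because the visible assignments fill `hci_handle` and `dev_class` immediately afterwards. A line such as `/* zero padding and unset fields before cinfo is copied out */` would keep it in place. The copy itself is outside the hunk, so that it goes to user space is inferred from the getsockopt context. The same applies to the identical line added to rfcomm_sock_getsockopt_old() in net/bluetooth/rfcomm/sock.c.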
75966 diff -urNp linux-2.6.39.2/net/bluetooth/rfcomm/sock.c linux-2.6.39.2/net/bluetooth/rfcomm/sock.c
75967 --- linux-2.6.39.2/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
75968 +++ linux-2.6.39.2/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
75969 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
75970
75971 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
75972
75973 + memset(&cinfo, 0, sizeof(cinfo));
75974 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
75975 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
75976
75977 diff -urNp linux-2.6.39.2/net/bridge/br_multicast.c linux-2.6.39.2/net/bridge/br_multicast.c
75978 --- linux-2.6.39.2/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
75979 +++ linux-2.6.39.2/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400
75980 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
75981 nexthdr = ip6h->nexthdr;
75982 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
75983
75984 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
75985 + if (nexthdr != IPPROTO_ICMPV6)
75986 return 0;
75987
75988 /* Okay, we found ICMPv6 header */
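Review bot: Dropping `offset < 0` means a failure return from ipv6_skip_exthdr() is no longer rejected at this line, and the function carries on based on `nexthdr` alone. The declaration of `offset` is outside the hunk. If it is unsigned, the removed test was dead code, and the fix that keeps the check is to declare it `int offset;` and leave `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)` as it was. br_multicast_ipv6_rcv() continues outside the hunk, so how `offset` is used afterwards cannot be confirmed from here.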
75989 diff -urNp linux-2.6.39.2/net/bridge/netfilter/ebtables.c linux-2.6.39.2/net/bridge/netfilter/ebtables.c
75990 --- linux-2.6.39.2/net/bridge/netfilter/ebtables.c 2011-05-19 00:06:34.000000000 -0400
75991 +++ linux-2.6.39.2/net/bridge/netfilter/ebtables.c 2011-05-22 19:36:33.000000000 -0400
75992 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
75993 tmp.valid_hooks = t->table->valid_hooks;
75994 }
75995 mutex_unlock(&ebt_mutex);
75996 - if (copy_to_user(user, &tmp, *len) != 0){
75997 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
75998 BUGPRINT("c2u Didn't work\n");
75999 ret = -EFAULT;
76000 break;
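Review bot: An oversized `*len` now takes the same path as a failed copy, so the caller gets -EFAULT and the log prints "c2u Didn't work" for what is really an invalid length. Rejecting the length on its own, with `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` ahead of the copy_to_user(), keeps the two cases apart. The hunks in sock_getsockopt() (net/core/sock.c) and the two handlers in net/decnet/sysctl_net_decnet.c add the same combined test and return -EFAULT in the same way. In those hunks the bound also holds only if the sizeof operand is an array or object rather than a pointer, which their declarations outside the hunks would confirm.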
76001 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
76002 int ret;
76003 void __user *pos;
76004
76005 + pax_track_stack();
76006 +
76007 memset(&tinfo, 0, sizeof(tinfo));
76008
76009 if (cmd == EBT_SO_GET_ENTRIES) {
76010 diff -urNp linux-2.6.39.2/net/caif/caif_socket.c linux-2.6.39.2/net/caif/caif_socket.c
76011 --- linux-2.6.39.2/net/caif/caif_socket.c 2011-05-19 00:06:34.000000000 -0400
76012 +++ linux-2.6.39.2/net/caif/caif_socket.c 2011-05-22 19:36:33.000000000 -0400
76013 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
76014 #ifdef CONFIG_DEBUG_FS
76015 struct debug_fs_counter {
76016 atomic_t caif_nr_socks;
76017 - atomic_t num_connect_req;
76018 - atomic_t num_connect_resp;
76019 - atomic_t num_connect_fail_resp;
76020 - atomic_t num_disconnect;
76021 - atomic_t num_remote_shutdown_ind;
76022 - atomic_t num_tx_flow_off_ind;
76023 - atomic_t num_tx_flow_on_ind;
76024 - atomic_t num_rx_flow_off;
76025 - atomic_t num_rx_flow_on;
76026 + atomic_unchecked_t num_connect_req;
76027 + atomic_unchecked_t num_connect_resp;
76028 + atomic_unchecked_t num_connect_fail_resp;
76029 + atomic_unchecked_t num_disconnect;
76030 + atomic_unchecked_t num_remote_shutdown_ind;
76031 + atomic_unchecked_t num_tx_flow_off_ind;
76032 + atomic_unchecked_t num_tx_flow_on_ind;
76033 + atomic_unchecked_t num_rx_flow_off;
76034 + atomic_unchecked_t num_rx_flow_on;
76035 };
76036 static struct debug_fs_counter cnt;
76037 #define dbfs_atomic_inc(v) atomic_inc(v)
76038 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
76039 #define dbfs_atomic_dec(v) atomic_dec(v)
76040 #else
76041 #define dbfs_atomic_inc(v)
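Review bot: `dbfs_atomic_inc_unchecked` is defined only in the CONFIG_DEBUG_FS branch, while every call site changed in the later hunks of this file uses it unconditionally. The `#else` branch begins on the last line of this hunk and continues outside it, but the hunk adds a single line. With CONFIG_DEBUG_FS disabled the name therefore appears to be left undefined and the file would fail to build or link. Adding an empty `#define dbfs_atomic_inc_unchecked(v)` next to the empty `dbfs_atomic_inc(v)` in the `#else` branch closes the gap.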
76042 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
76043 atomic_read(&cf_sk->sk.sk_rmem_alloc),
76044 sk_rcvbuf_lowwater(cf_sk));
76045 set_rx_flow_off(cf_sk);
76046 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76047 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76048 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76049 }
76050
76051 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
76052 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
76053 set_rx_flow_off(cf_sk);
76054 pr_debug("sending flow OFF due to rmem_schedule\n");
76055 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76056 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76057 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76058 }
76059 skb->dev = NULL;
76060 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
76061 switch (flow) {
76062 case CAIF_CTRLCMD_FLOW_ON_IND:
76063 /* OK from modem to start sending again */
76064 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
76065 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
76066 set_tx_flow_on(cf_sk);
76067 cf_sk->sk.sk_state_change(&cf_sk->sk);
76068 break;
76069
76070 case CAIF_CTRLCMD_FLOW_OFF_IND:
76071 /* Modem asks us to shut up */
76072 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
76073 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
76074 set_tx_flow_off(cf_sk);
76075 cf_sk->sk.sk_state_change(&cf_sk->sk);
76076 break;
76077
76078 case CAIF_CTRLCMD_INIT_RSP:
76079 /* We're now connected */
76080 - dbfs_atomic_inc(&cnt.num_connect_resp);
76081 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
76082 cf_sk->sk.sk_state = CAIF_CONNECTED;
76083 set_tx_flow_on(cf_sk);
76084 cf_sk->sk.sk_state_change(&cf_sk->sk);
76085 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
76086
76087 case CAIF_CTRLCMD_INIT_FAIL_RSP:
76088 /* Connect request failed */
76089 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
76090 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
76091 cf_sk->sk.sk_err = ECONNREFUSED;
76092 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
76093 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76094 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
76095
76096 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
76097 /* Modem has closed this connection, or device is down. */
76098 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
76099 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
76100 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76101 cf_sk->sk.sk_err = ECONNRESET;
76102 set_rx_flow_on(cf_sk);
76103 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
76104 return;
76105
76106 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
76107 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
76108 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
76109 set_rx_flow_on(cf_sk);
76110 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
76111 }
76112 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
76113 /*ifindex = id of the interface.*/
76114 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
76115
76116 - dbfs_atomic_inc(&cnt.num_connect_req);
76117 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
76118 cf_sk->layer.receive = caif_sktrecv_cb;
76119 err = caif_connect_client(&cf_sk->conn_req,
76120 &cf_sk->layer, &ifindex, &headroom, &tailroom);
76121 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
76122 spin_unlock(&sk->sk_receive_queue.lock);
76123 sock->sk = NULL;
76124
76125 - dbfs_atomic_inc(&cnt.num_disconnect);
76126 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
76127
76128 if (cf_sk->debugfs_socket_dir != NULL)
76129 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
76130 diff -urNp linux-2.6.39.2/net/caif/cfctrl.c linux-2.6.39.2/net/caif/cfctrl.c
76131 --- linux-2.6.39.2/net/caif/cfctrl.c 2011-05-19 00:06:34.000000000 -0400
76132 +++ linux-2.6.39.2/net/caif/cfctrl.c 2011-05-22 19:36:33.000000000 -0400
76133 @@ -9,6 +9,7 @@
76134 #include <linux/stddef.h>
76135 #include <linux/spinlock.h>
76136 #include <linux/slab.h>
76137 +#include <linux/sched.h>
76138 #include <net/caif/caif_layer.h>
76139 #include <net/caif/cfpkt.h>
76140 #include <net/caif/cfctrl.h>
76141 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
76142 dev_info.id = 0xff;
76143 memset(this, 0, sizeof(*this));
76144 cfsrvl_init(&this->serv, 0, &dev_info, false);
76145 - atomic_set(&this->req_seq_no, 1);
76146 - atomic_set(&this->rsp_seq_no, 1);
76147 + atomic_set_unchecked(&this->req_seq_no, 1);
76148 + atomic_set_unchecked(&this->rsp_seq_no, 1);
76149 this->serv.layer.receive = cfctrl_recv;
76150 sprintf(this->serv.layer.name, "ctrl");
76151 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
76152 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
76153 struct cfctrl_request_info *req)
76154 {
76155 spin_lock(&ctrl->info_list_lock);
76156 - atomic_inc(&ctrl->req_seq_no);
76157 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
76158 + atomic_inc_unchecked(&ctrl->req_seq_no);
76159 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
76160 list_add_tail(&req->list, &ctrl->list);
76161 spin_unlock(&ctrl->info_list_lock);
76162 }
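Review bot: The increment and the read of `req_seq_no` in cfctrl_insert_req() remain two separate atomic operations that are tied together only by `info_list_lock`. `req->sequence_no = atomic_inc_return_unchecked(&ctrl->req_seq_no);` does both in one step and no longer depends on every other writer taking the lock. atomic_inc_return_unchecked() is already used this way for `bcast_seqno` in the net/batman-adv/soft-interface.c hunk of this patch.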
76163 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
76164 if (p != first)
76165 pr_warn("Requests are not received in order\n");
76166
76167 - atomic_set(&ctrl->rsp_seq_no,
76168 + atomic_set_unchecked(&ctrl->rsp_seq_no,
76169 p->sequence_no);
76170 list_del(&p->list);
76171 goto out;
76172 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
76173 struct cfctrl *cfctrl = container_obj(layer);
76174 struct cfctrl_request_info rsp, *req;
76175
76176 + pax_track_stack();
76177
76178 cfpkt_extr_head(pkt, &cmdrsp, 1);
76179 cmd = cmdrsp & CFCTRL_CMD_MASK;
76180 diff -urNp linux-2.6.39.2/net/can/bcm.c linux-2.6.39.2/net/can/bcm.c
76181 --- linux-2.6.39.2/net/can/bcm.c 2011-05-19 00:06:34.000000000 -0400
76182 +++ linux-2.6.39.2/net/can/bcm.c 2011-05-22 19:41:42.000000000 -0400
76183 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
76184 struct bcm_sock *bo = bcm_sk(sk);
76185 struct bcm_op *op;
76186
76187 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76188 + seq_printf(m, ">>> socket %p", NULL);
76189 + seq_printf(m, " / sk %p", NULL);
76190 + seq_printf(m, " / bo %p", NULL);
76191 +#else
76192 seq_printf(m, ">>> socket %p", sk->sk_socket);
76193 seq_printf(m, " / sk %p", sk);
76194 seq_printf(m, " / bo %p", bo);
76195 +#endif
76196 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
76197 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
76198 seq_printf(m, " <<<\n");
76199 diff -urNp linux-2.6.39.2/net/core/datagram.c linux-2.6.39.2/net/core/datagram.c
76200 --- linux-2.6.39.2/net/core/datagram.c 2011-05-19 00:06:34.000000000 -0400
76201 +++ linux-2.6.39.2/net/core/datagram.c 2011-05-22 19:36:33.000000000 -0400
76202 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
76203 }
76204
76205 kfree_skb(skb);
76206 - atomic_inc(&sk->sk_drops);
76207 + atomic_inc_unchecked(&sk->sk_drops);
76208 sk_mem_reclaim_partial(sk);
76209
76210 return err;
76211 diff -urNp linux-2.6.39.2/net/core/dev.c linux-2.6.39.2/net/core/dev.c
76212 --- linux-2.6.39.2/net/core/dev.c 2011-06-03 00:04:14.000000000 -0400
76213 +++ linux-2.6.39.2/net/core/dev.c 2011-06-03 00:32:08.000000000 -0400
76214 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
76215 if (no_module && capable(CAP_NET_ADMIN))
76216 no_module = request_module("netdev-%s", name);
76217 if (no_module && capable(CAP_SYS_MODULE)) {
76218 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
76219 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
76220 +#else
76221 if (!request_module("%s", name))
76222 pr_err("Loading kernel module for a network device "
76223 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
76224 "instead\n", name);
76225 +#endif
76226 }
76227 }
76228 EXPORT_SYMBOL(dev_load);
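Review bot: In the MODHARDEN branch the result of ___request_module() is discarded, so the deprecation message that the stock branch prints when a device module loads through CAP_SYS_MODULE is never emitted. If that is intended, a comment on the call should say so. Otherwise keep the test, `if (!___request_module(true, "grsec_modharden_netdev", "%s", name))`, followed by the existing pr_err(). ___request_module() is defined outside this part of the patch, so that it returns 0 on success like request_module() is an assumption.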
76229 @@ -1957,7 +1961,7 @@ struct dev_gso_cb {
76230
76231 static void dev_gso_skb_destructor(struct sk_buff *skb)
76232 {
76233 - struct dev_gso_cb *cb;
76234 + const struct dev_gso_cb *cb;
76235
76236 do {
76237 struct sk_buff *nskb = skb->next;
76238 @@ -2901,7 +2905,7 @@ int netif_rx_ni(struct sk_buff *skb)
76239 }
76240 EXPORT_SYMBOL(netif_rx_ni);
76241
76242 -static void net_tx_action(struct softirq_action *h)
76243 +static void net_tx_action(void)
76244 {
76245 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76246
76247 @@ -3765,7 +3769,7 @@ void netif_napi_del(struct napi_struct *
76248 }
76249 EXPORT_SYMBOL(netif_napi_del);
76250
76251 -static void net_rx_action(struct softirq_action *h)
76252 +static void net_rx_action(void)
76253 {
76254 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76255 unsigned long time_limit = jiffies + 2;
76256 diff -urNp linux-2.6.39.2/net/core/flow.c linux-2.6.39.2/net/core/flow.c
76257 --- linux-2.6.39.2/net/core/flow.c 2011-05-19 00:06:34.000000000 -0400
76258 +++ linux-2.6.39.2/net/core/flow.c 2011-05-22 19:36:34.000000000 -0400
76259 @@ -60,7 +60,7 @@ struct flow_cache {
76260 struct timer_list rnd_timer;
76261 };
76262
76263 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
76264 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
76265 EXPORT_SYMBOL(flow_cache_genid);
76266 static struct flow_cache flow_cache_global;
76267 static struct kmem_cache *flow_cachep __read_mostly;
76268 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
76269
76270 static int flow_entry_valid(struct flow_cache_entry *fle)
76271 {
76272 - if (atomic_read(&flow_cache_genid) != fle->genid)
76273 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
76274 return 0;
76275 if (fle->object && !fle->object->ops->check(fle->object))
76276 return 0;
76277 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
76278 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
76279 fcp->hash_count++;
76280 }
76281 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
76282 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
76283 flo = fle->object;
76284 if (!flo)
76285 goto ret_object;
76286 @@ -274,7 +274,7 @@ nocache:
76287 }
76288 flo = resolver(net, key, family, dir, flo, ctx);
76289 if (fle) {
76290 - fle->genid = atomic_read(&flow_cache_genid);
76291 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
76292 if (!IS_ERR(flo))
76293 fle->object = flo;
76294 else
76295 diff -urNp linux-2.6.39.2/net/core/skbuff.c linux-2.6.39.2/net/core/skbuff.c
76296 --- linux-2.6.39.2/net/core/skbuff.c 2011-06-03 00:04:14.000000000 -0400
76297 +++ linux-2.6.39.2/net/core/skbuff.c 2011-06-03 00:32:08.000000000 -0400
76298 @@ -1542,6 +1542,8 @@ int skb_splice_bits(struct sk_buff *skb,
76299 struct sock *sk = skb->sk;
76300 int ret = 0;
76301
76302 + pax_track_stack();
76303 +
76304 if (splice_grow_spd(pipe, &spd))
76305 return -ENOMEM;
76306
76307 diff -urNp linux-2.6.39.2/net/core/sock.c linux-2.6.39.2/net/core/sock.c
76308 --- linux-2.6.39.2/net/core/sock.c 2011-05-19 00:06:34.000000000 -0400
76309 +++ linux-2.6.39.2/net/core/sock.c 2011-05-22 19:36:34.000000000 -0400
76310 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76311 */
76312 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
76313 (unsigned)sk->sk_rcvbuf) {
76314 - atomic_inc(&sk->sk_drops);
76315 + atomic_inc_unchecked(&sk->sk_drops);
76316 return -ENOMEM;
76317 }
76318
76319 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76320 return err;
76321
76322 if (!sk_rmem_schedule(sk, skb->truesize)) {
76323 - atomic_inc(&sk->sk_drops);
76324 + atomic_inc_unchecked(&sk->sk_drops);
76325 return -ENOBUFS;
76326 }
76327
76328 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76329 skb_dst_force(skb);
76330
76331 spin_lock_irqsave(&list->lock, flags);
76332 - skb->dropcount = atomic_read(&sk->sk_drops);
76333 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
76334 __skb_queue_tail(list, skb);
76335 spin_unlock_irqrestore(&list->lock, flags);
76336
76337 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
76338 skb->dev = NULL;
76339
76340 if (sk_rcvqueues_full(sk, skb)) {
76341 - atomic_inc(&sk->sk_drops);
76342 + atomic_inc_unchecked(&sk->sk_drops);
76343 goto discard_and_relse;
76344 }
76345 if (nested)
76346 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
76347 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
76348 } else if (sk_add_backlog(sk, skb)) {
76349 bh_unlock_sock(sk);
76350 - atomic_inc(&sk->sk_drops);
76351 + atomic_inc_unchecked(&sk->sk_drops);
76352 goto discard_and_relse;
76353 }
76354
76355 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
76356 return -ENOTCONN;
76357 if (lv < len)
76358 return -EINVAL;
76359 - if (copy_to_user(optval, address, len))
76360 + if (len > sizeof(address) || copy_to_user(optval, address, len))
76361 return -EFAULT;
76362 goto lenout;
76363 }
76364 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
76365
76366 if (len > lv)
76367 len = lv;
76368 - if (copy_to_user(optval, &v, len))
76369 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
76370 return -EFAULT;
76371 lenout:
76372 if (put_user(len, optlen))
76373 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
76374 */
76375 smp_wmb();
76376 atomic_set(&sk->sk_refcnt, 1);
76377 - atomic_set(&sk->sk_drops, 0);
76378 + atomic_set_unchecked(&sk->sk_drops, 0);
76379 }
76380 EXPORT_SYMBOL(sock_init_data);
76381
76382 diff -urNp linux-2.6.39.2/net/decnet/sysctl_net_decnet.c linux-2.6.39.2/net/decnet/sysctl_net_decnet.c
76383 --- linux-2.6.39.2/net/decnet/sysctl_net_decnet.c 2011-05-19 00:06:34.000000000 -0400
76384 +++ linux-2.6.39.2/net/decnet/sysctl_net_decnet.c 2011-05-22 19:36:34.000000000 -0400
76385 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
76386
76387 if (len > *lenp) len = *lenp;
76388
76389 - if (copy_to_user(buffer, addr, len))
76390 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
76391 return -EFAULT;
76392
76393 *lenp = len;
76394 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
76395
76396 if (len > *lenp) len = *lenp;
76397
76398 - if (copy_to_user(buffer, devname, len))
76399 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
76400 return -EFAULT;
76401
76402 *lenp = len;
76403 diff -urNp linux-2.6.39.2/net/econet/Kconfig linux-2.6.39.2/net/econet/Kconfig
76404 --- linux-2.6.39.2/net/econet/Kconfig 2011-05-19 00:06:34.000000000 -0400
76405 +++ linux-2.6.39.2/net/econet/Kconfig 2011-05-22 19:41:42.000000000 -0400
76406 @@ -4,7 +4,7 @@
76407
76408 config ECONET
76409 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76410 - depends on EXPERIMENTAL && INET
76411 + depends on EXPERIMENTAL && INET && BROKEN
76412 ---help---
76413 Econet is a fairly old and slow networking protocol mainly used by
76414 Acorn computers to access file and print servers. It uses native
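Review bot: Adding `BROKEN` to the dependency line disables the option without saying why, and the help text below still reads as if the protocol can simply be selected. A comment above the `depends on` line, for example `# marked BROKEN by this patch: <reason>`, would tell the next maintainer under what condition the dependency may be lifted. The help text continues outside the hunk.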
76415 diff -urNp linux-2.6.39.2/net/ipv4/fib_frontend.c linux-2.6.39.2/net/ipv4/fib_frontend.c
76416 --- linux-2.6.39.2/net/ipv4/fib_frontend.c 2011-05-19 00:06:34.000000000 -0400
76417 +++ linux-2.6.39.2/net/ipv4/fib_frontend.c 2011-05-22 19:36:34.000000000 -0400
76418 @@ -968,12 +968,12 @@ static int fib_inetaddr_event(struct not
76419 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76420 fib_sync_up(dev);
76421 #endif
76422 - atomic_inc(&net->ipv4.dev_addr_genid);
76423 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76424 rt_cache_flush(dev_net(dev), -1);
76425 break;
76426 case NETDEV_DOWN:
76427 fib_del_ifaddr(ifa, NULL);
76428 - atomic_inc(&net->ipv4.dev_addr_genid);
76429 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76430 if (ifa->ifa_dev->ifa_list == NULL) {
76431 /* Last address was deleted from this interface.
76432 * Disable IP.
76433 @@ -1009,7 +1009,7 @@ static int fib_netdev_event(struct notif
76434 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76435 fib_sync_up(dev);
76436 #endif
76437 - atomic_inc(&net->ipv4.dev_addr_genid);
76438 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76439 rt_cache_flush(dev_net(dev), -1);
76440 break;
76441 case NETDEV_DOWN:
76442 diff -urNp linux-2.6.39.2/net/ipv4/fib_semantics.c linux-2.6.39.2/net/ipv4/fib_semantics.c
76443 --- linux-2.6.39.2/net/ipv4/fib_semantics.c 2011-05-19 00:06:34.000000000 -0400
76444 +++ linux-2.6.39.2/net/ipv4/fib_semantics.c 2011-05-22 19:36:34.000000000 -0400
76445 @@ -701,7 +701,7 @@ __be32 fib_info_update_nh_saddr(struct n
76446 nh->nh_saddr = inet_select_addr(nh->nh_dev,
76447 nh->nh_gw,
76448 nh->nh_parent->fib_scope);
76449 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
76450 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
76451
76452 return nh->nh_saddr;
76453 }
76454 diff -urNp linux-2.6.39.2/net/ipv4/inet_diag.c linux-2.6.39.2/net/ipv4/inet_diag.c
76455 --- linux-2.6.39.2/net/ipv4/inet_diag.c 2011-05-19 00:06:34.000000000 -0400
76456 +++ linux-2.6.39.2/net/ipv4/inet_diag.c 2011-06-20 19:27:58.000000000 -0400
76457 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
76458 r->idiag_retrans = 0;
76459
76460 r->id.idiag_if = sk->sk_bound_dev_if;
76461 +
76462 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76463 + r->id.idiag_cookie[0] = 0;
76464 + r->id.idiag_cookie[1] = 0;
76465 +#else
76466 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76467 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76468 +#endif
76469
76470 r->id.idiag_sport = inet->inet_sport;
76471 r->id.idiag_dport = inet->inet_dport;
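Review bot: The same `#ifdef CONFIG_GRKERNSEC_HIDESYM` block that zeroes `idiag_cookie` is pasted into inet_csk_diag_fill(), inet_twsk_diag_fill() and inet_diag_fill_req(), differing only in the pointer being hidden. A small static helper would hold the `#ifdef` once and make it harder to miss a further fill routine that still exports the address. Each of the three functions continues outside its hunk, and the helper name below is only a suggestion.

```c
/* assumes r is the struct inet_diag_msg being filled; confirm against the callers */
static inline void inet_diag_set_cookie(struct inet_diag_msg *r, const void *ptr)
{
#ifdef CONFIG_GRKERNSEC_HIDESYM
	/* do not export kernel addresses as cookies */
	r->id.idiag_cookie[0] = 0;
	r->id.idiag_cookie[1] = 0;
#else
	r->id.idiag_cookie[0] = (u32)(unsigned long)ptr;
	r->id.idiag_cookie[1] = (u32)(((unsigned long)ptr >> 31) >> 1);
#endif
}

	/* … unchanged: r->id.idiag_if assignment … */
	inet_diag_set_cookie(r, sk);
	/* … unchanged: idiag_sport / idiag_dport assignments … */
```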
76472 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
76473 r->idiag_family = tw->tw_family;
76474 r->idiag_retrans = 0;
76475 r->id.idiag_if = tw->tw_bound_dev_if;
76476 +
76477 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76478 + r->id.idiag_cookie[0] = 0;
76479 + r->id.idiag_cookie[1] = 0;
76480 +#else
76481 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76482 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76483 +#endif
76484 +
76485 r->id.idiag_sport = tw->tw_sport;
76486 r->id.idiag_dport = tw->tw_dport;
76487 r->id.idiag_src[0] = tw->tw_rcv_saddr;
76488 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
76489 if (sk == NULL)
76490 goto unlock;
76491
76492 +#ifndef CONFIG_GRKERNSEC_HIDESYM
76493 err = -ESTALE;
76494 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76495 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76496 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76497 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76498 goto out;
76499 +#endif
76500
76501 err = -ENOMEM;
76502 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
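Review bot: With HIDESYM set the whole cookie comparison is compiled out, so a request that carries a cookie is answered for whatever socket the lookup returned instead of failing with -ESTALE. That follows from the fill routines now reporting a zero cookie, but the hunk does not say so. A comment above the `#ifndef`, for example `/* cookies are not exported under HIDESYM, so there is nothing to compare */`, would record the trade-off. inet_diag_get_exact() continues outside the hunk.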
76503 @@ -437,7 +452,7 @@ static int valid_cc(const void *bc, int
76504 return 0;
76505 if (cc == len)
76506 return 1;
76507 - if (op->yes < 4)
76508 + if (op->yes < 4 || op->yes & 3)
76509 return 0;
76510 len -= op->yes;
76511 bc += op->yes;
76512 @@ -447,11 +462,11 @@ static int valid_cc(const void *bc, int
76513
76514 static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
76515 {
76516 - const unsigned char *bc = bytecode;
76517 + const void *bc = bytecode;
76518 int len = bytecode_len;
76519
76520 while (len > 0) {
76521 - struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
76522 + const struct inet_diag_bc_op *op = bc;
76523
76524 //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
76525 switch (op->code) {
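Review bot: Each pass of the loop reads `op->code` through `op` when the only guarantee is `len > 0`, so a bytecode length that is not a multiple of the op size leaves fewer bytes than `*op` for that read. The `& 3` tests added in the neighbouring hunks keep each step aligned, but nothing visible checks the starting length. Making `if (len < (int)sizeof(*op)) return -EINVAL;` the first statement of the loop body would bound the read. Whether the caller already validates `bytecode_len` cannot be seen from this hunk, and the function continues into the next one.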
76526 @@ -462,22 +477,20 @@ static int inet_diag_bc_audit(const void
76527 case INET_DIAG_BC_S_LE:
76528 case INET_DIAG_BC_D_GE:
76529 case INET_DIAG_BC_D_LE:
76530 - if (op->yes < 4 || op->yes > len + 4)
76531 - return -EINVAL;
76532 case INET_DIAG_BC_JMP:
76533 - if (op->no < 4 || op->no > len + 4)
76534 + if (op->no < 4 || op->no > len + 4 || op->no & 3)
76535 return -EINVAL;
76536 if (op->no < len &&
76537 !valid_cc(bytecode, bytecode_len, len - op->no))
76538 return -EINVAL;
76539 break;
76540 case INET_DIAG_BC_NOP:
76541 - if (op->yes < 4 || op->yes > len + 4)
76542 - return -EINVAL;
76543 break;
76544 default:
76545 return -EINVAL;
76546 }
76547 + if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
76548 + return -EINVAL;
76549 bc += op->yes;
76550 len -= op->yes;
76551 }
76552 @@ -582,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
76553 r->idiag_retrans = req->retrans;
76554
76555 r->id.idiag_if = sk->sk_bound_dev_if;
76556 +
76557 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76558 + r->id.idiag_cookie[0] = 0;
76559 + r->id.idiag_cookie[1] = 0;
76560 +#else
76561 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76562 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76563 +#endif
76564
76565 tmo = req->expires - jiffies;
76566 if (tmo < 0)
76567 diff -urNp linux-2.6.39.2/net/ipv4/inet_hashtables.c linux-2.6.39.2/net/ipv4/inet_hashtables.c
76568 --- linux-2.6.39.2/net/ipv4/inet_hashtables.c 2011-05-19 00:06:34.000000000 -0400
76569 +++ linux-2.6.39.2/net/ipv4/inet_hashtables.c 2011-05-22 19:41:42.000000000 -0400
76570 @@ -18,11 +18,14 @@
76571 #include <linux/sched.h>
76572 #include <linux/slab.h>
76573 #include <linux/wait.h>
76574 +#include <linux/security.h>
76575
76576 #include <net/inet_connection_sock.h>
76577 #include <net/inet_hashtables.h>
76578 #include <net/ip.h>
76579
76580 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76581 +
76582 /*
76583 * Allocate and initialize a new local port bind bucket.
76584 * The bindhash mutex for snum's hash chain must be held here.
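Review bot: `extern void gr_update_task_in_ip_table(...)` is declared directly in the .c file instead of coming from a header shared with its definition, so the compiler cannot catch the two drifting apart. The added `#include <linux/security.h>` suggests a header is already available for this purpose; the prototype belongs there. The same pattern recurs later in this patch for `grsec_enable_blackhole` (tcp_ipv4.c, tcp_minisocks.c, udp.c, net/ipv6/tcp_ipv6.c, net/ipv6/udp.c), `grsec_lastack_retries` (tcp_timer.c) and `gr_search_udp_recvmsg` / `gr_search_udp_sendmsg` (udp.c).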
76585 @@ -529,6 +532,8 @@ ok:
76586 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
76587 spin_unlock(&head->lock);
76588
76589 + gr_update_task_in_ip_table(current, inet_sk(sk));
76590 +
76591 if (tw) {
76592 inet_twsk_deschedule(tw, death_row);
76593 while (twrefcnt) {
76594 diff -urNp linux-2.6.39.2/net/ipv4/inetpeer.c linux-2.6.39.2/net/ipv4/inetpeer.c
76595 --- linux-2.6.39.2/net/ipv4/inetpeer.c 2011-05-19 00:06:34.000000000 -0400
76596 +++ linux-2.6.39.2/net/ipv4/inetpeer.c 2011-05-22 19:36:34.000000000 -0400
76597 @@ -467,6 +467,8 @@ struct inet_peer *inet_getpeer(struct in
76598 unsigned int sequence;
76599 int invalidated;
76600
76601 + pax_track_stack();
76602 +
76603 /* Look up for the address quickly, lockless.
76604 * Because of a concurrent writer, we might not find an existing entry.
76605 */
76606 @@ -504,8 +506,8 @@ struct inet_peer *inet_getpeer(struct in
76607 if (p) {
76608 p->daddr = *daddr;
76609 atomic_set(&p->refcnt, 1);
76610 - atomic_set(&p->rid, 0);
76611 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76612 + atomic_set_unchecked(&p->rid, 0);
76613 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76614 p->tcp_ts_stamp = 0;
76615 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
76616 p->rate_tokens = 0;
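Review bot: Nothing at these call sites says why `rid` and `ip_id_count` move to the `_unchecked` atomics, i.e. why they are exempt from overflow detection. Presumably they are ID or sequence counters where wrap-around is expected, not reference counts, but a reader cannot confirm that from the hunk. A short comment such as `/* ID generator, wrap-around is harmless: not a refcount */` next to the first conversion would make the exemption reviewable. The same applies to the other conversions in this chunk: `peer->rid` in ip_fragment.c, `sk_drops` in raw.c, udp.c and the IPv6 files, `rt_genid` and `ip_id_count` in route.c, and `flow_cache_genid` in inet6_connection_sock.c.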
76617 diff -urNp linux-2.6.39.2/net/ipv4/ip_fragment.c linux-2.6.39.2/net/ipv4/ip_fragment.c
76618 --- linux-2.6.39.2/net/ipv4/ip_fragment.c 2011-05-19 00:06:34.000000000 -0400
76619 +++ linux-2.6.39.2/net/ipv4/ip_fragment.c 2011-05-22 19:36:34.000000000 -0400
76620 @@ -297,7 +297,7 @@ static inline int ip_frag_too_far(struct
76621 return 0;
76622
76623 start = qp->rid;
76624 - end = atomic_inc_return(&peer->rid);
76625 + end = atomic_inc_return_unchecked(&peer->rid);
76626 qp->rid = end;
76627
76628 rc = qp->q.fragments && (end - start) > max;
76629 diff -urNp linux-2.6.39.2/net/ipv4/ip_sockglue.c linux-2.6.39.2/net/ipv4/ip_sockglue.c
76630 --- linux-2.6.39.2/net/ipv4/ip_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76631 +++ linux-2.6.39.2/net/ipv4/ip_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76632 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
76633 int val;
76634 int len;
76635
76636 + pax_track_stack();
76637 +
76638 if (level != SOL_IP)
76639 return -EOPNOTSUPP;
76640
76641 diff -urNp linux-2.6.39.2/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.2/net/ipv4/netfilter/nf_nat_snmp_basic.c
76642 --- linux-2.6.39.2/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-19 00:06:34.000000000 -0400
76643 +++ linux-2.6.39.2/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-22 19:36:34.000000000 -0400
76644 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
76645
76646 *len = 0;
76647
76648 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76649 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76650 if (*octets == NULL) {
76651 if (net_ratelimit())
76652 pr_notice("OOM in bsalg (%d)\n", __LINE__);
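Review bot: The only change here wraps the size argument in parentheses, `kmalloc((eoc - ctx->pointer), GFP_ATOMIC)`, which does not alter the value passed, and no comment explains what it is for. If it exists to steer a size-checking wrapper around `kmalloc`, say so with a comment on that line, otherwise the next cleanup will remove it. The size is a pointer difference taken while decoding packet data, and the hunk shows no check that `eoc` is not below `ctx->pointer`. That check may exist outside the hunk, since asn1_octets_decode starts and ends beyond it.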
76653 diff -urNp linux-2.6.39.2/net/ipv4/raw.c linux-2.6.39.2/net/ipv4/raw.c
76654 --- linux-2.6.39.2/net/ipv4/raw.c 2011-05-19 00:06:34.000000000 -0400
76655 +++ linux-2.6.39.2/net/ipv4/raw.c 2011-05-22 19:41:42.000000000 -0400
76656 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
76657 int raw_rcv(struct sock *sk, struct sk_buff *skb)
76658 {
76659 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76660 - atomic_inc(&sk->sk_drops);
76661 + atomic_inc_unchecked(&sk->sk_drops);
76662 kfree_skb(skb);
76663 return NET_RX_DROP;
76664 }
76665 @@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
76666
76667 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76668 {
76669 + struct icmp_filter filter;
76670 +
76671 if (optlen > sizeof(struct icmp_filter))
76672 optlen = sizeof(struct icmp_filter);
76673 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76674 + if (copy_from_user(&filter, optval, optlen))
76675 return -EFAULT;
76676 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
76677 return 0;
76678 }
76679
76680 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76681 {
76682 + struct icmp_filter filter;
76683 int len, ret = -EFAULT;
76684
76685 if (get_user(len, optlen))
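Review bot: `memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter))` copies the whole stack struct although `copy_from_user()` filled only its first `optlen` bytes. A short `optlen` therefore stores uninitialised kernel stack bytes in the socket's filter, from where the getsockopt path copies the filter back out to user space. The pre-patch code wrote only `optlen` bytes, and the IPv6 twin in this same patch (rawv6_seticmpfilter) also copies `optlen`, so the line should read `memcpy(&raw_sk(sk)->filter, &filter, optlen);`. The hunk ends inside raw_geticmpfilter, whose body continues outside it.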
76686 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
76687 if (len > sizeof(struct icmp_filter))
76688 len = sizeof(struct icmp_filter);
76689 ret = -EFAULT;
76690 + memcpy(&filter, &raw_sk(sk)->filter, len);
76691 if (put_user(len, optlen) ||
76692 - copy_to_user(optval, &raw_sk(sk)->filter, len))
76693 + copy_to_user(optval, &filter, len))
76694 goto out;
76695 ret = 0;
76696 out: return ret;
76697 @@ -978,7 +983,13 @@ static void raw_sock_seq_show(struct seq
76698 sk_wmem_alloc_get(sp),
76699 sk_rmem_alloc_get(sp),
76700 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76701 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76702 + atomic_read(&sp->sk_refcnt),
76703 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76704 + NULL,
76705 +#else
76706 + sp,
76707 +#endif
76708 + atomic_read_unchecked(&sp->sk_drops));
76709 }
76710
76711 static int raw_seq_show(struct seq_file *seq, void *v)
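Review bot: The five-line `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL,` / `#else` / `sp,` / `#endif` block is spliced into the middle of a `seq_printf` argument list, and the same block is repeated at every socket dump site in this chunk (tcp_ipv4.c three times, udp.c, net/ipv6/raw.c, net/ipv6/tcp_ipv6.c, net/ipv6/udp.c). A single macro defined once, for instance `#define SOCK_DUMP_PTR(p) NULL` under HIDESYM and `(p)` otherwise (name is illustrative), would reduce each site to one argument. That keeps the format string and argument count visibly in step. A comment should also state that the pointer column then renders the same for every socket, so tools reading this file cannot use it as an identifier. raw_sock_seq_show starts outside the hunk.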
76712 diff -urNp linux-2.6.39.2/net/ipv4/route.c linux-2.6.39.2/net/ipv4/route.c
76713 --- linux-2.6.39.2/net/ipv4/route.c 2011-05-19 00:06:34.000000000 -0400
76714 +++ linux-2.6.39.2/net/ipv4/route.c 2011-05-22 19:36:34.000000000 -0400
76715 @@ -303,7 +303,7 @@ static inline unsigned int rt_hash(__be3
76716
76717 static inline int rt_genid(struct net *net)
76718 {
76719 - return atomic_read(&net->ipv4.rt_genid);
76720 + return atomic_read_unchecked(&net->ipv4.rt_genid);
76721 }
76722
76723 #ifdef CONFIG_PROC_FS
76724 @@ -831,7 +831,7 @@ static void rt_cache_invalidate(struct n
76725 unsigned char shuffle;
76726
76727 get_random_bytes(&shuffle, sizeof(shuffle));
76728 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76729 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76730 }
76731
76732 /*
76733 @@ -2835,7 +2835,7 @@ static int rt_fill_info(struct net *net,
76734 rt->peer->pmtu_expires - jiffies : 0;
76735 if (rt->peer) {
76736 inet_peer_refcheck(rt->peer);
76737 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
76738 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
76739 if (rt->peer->tcp_ts_stamp) {
76740 ts = rt->peer->tcp_ts;
76741 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
76742 diff -urNp linux-2.6.39.2/net/ipv4/tcp.c linux-2.6.39.2/net/ipv4/tcp.c
76743 --- linux-2.6.39.2/net/ipv4/tcp.c 2011-05-19 00:06:34.000000000 -0400
76744 +++ linux-2.6.39.2/net/ipv4/tcp.c 2011-05-22 19:36:34.000000000 -0400
76745 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
76746 int val;
76747 int err = 0;
76748
76749 + pax_track_stack();
76750 +
76751 /* These are data/string values, all the others are ints */
76752 switch (optname) {
76753 case TCP_CONGESTION: {
76754 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
76755 struct tcp_sock *tp = tcp_sk(sk);
76756 int val, len;
76757
76758 + pax_track_stack();
76759 +
76760 if (get_user(len, optlen))
76761 return -EFAULT;
76762
76763 diff -urNp linux-2.6.39.2/net/ipv4/tcp_ipv4.c linux-2.6.39.2/net/ipv4/tcp_ipv4.c
76764 --- linux-2.6.39.2/net/ipv4/tcp_ipv4.c 2011-05-19 00:06:34.000000000 -0400
76765 +++ linux-2.6.39.2/net/ipv4/tcp_ipv4.c 2011-05-22 19:41:42.000000000 -0400
76766 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
76767 int sysctl_tcp_low_latency __read_mostly;
76768 EXPORT_SYMBOL(sysctl_tcp_low_latency);
76769
76770 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76771 +extern int grsec_enable_blackhole;
76772 +#endif
76773
76774 #ifdef CONFIG_TCP_MD5SIG
76775 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
76776 @@ -1594,6 +1597,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
76777 return 0;
76778
76779 reset:
76780 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76781 + if (!grsec_enable_blackhole)
76782 +#endif
76783 tcp_v4_send_reset(rsk, skb);
76784 discard:
76785 kfree_skb(skb);
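Review bot: The guard `if (!grsec_enable_blackhole)` sits between `#ifdef` and `#endif` without braces, while its body, `tcp_v4_send_reset(rsk, skb);`, sits outside the conditional block. Whatever statement follows the `#endif` silently becomes the guarded one, so a later line inserted between them changes what the switch controls without any compiler diagnostic. A predicate that is always defined avoids the preprocessor straddle, e.g. `if (!gr_blackhole_enabled()) tcp_v4_send_reset(rsk, skb);` with a stub returning 0 when the option is off (helper name is illustrative). The same construct appears in the no_tcp_socket hunk of this file, in tcp_minisocks.c (where it stacks onto a second unbraced `if`), in udp.c, net/ipv6/tcp_ipv6.c and net/ipv6/udp.c.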
76786 @@ -1656,12 +1662,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
76787 TCP_SKB_CB(skb)->sacked = 0;
76788
76789 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76790 - if (!sk)
76791 + if (!sk) {
76792 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76793 + ret = 1;
76794 +#endif
76795 goto no_tcp_socket;
76796 -
76797 + }
76798 process:
76799 - if (sk->sk_state == TCP_TIME_WAIT)
76800 + if (sk->sk_state == TCP_TIME_WAIT) {
76801 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76802 + ret = 2;
76803 +#endif
76804 goto do_time_wait;
76805 + }
76806
76807 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
76808 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
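Review bot: `ret = 1` and `ret = 2` reuse the function's return variable as an unnamed tag for "no socket found" and "TIME_WAIT". Only the value 1 is tested, in the no_tcp_socket hunk that follows; 2 is never read in the visible hunks. Any assignment to `ret` between these lines and that test, in code outside the hunk, would change whether a reset is sent. A dedicated local with named values, e.g. `enum { BH_NONE, BH_NO_SOCKET, BH_TIME_WAIT } bh_reason = BH_NONE;` (names illustrative), would separate the tag from the return value. tcp_v6_rcv in net/ipv6/tcp_ipv6.c carries the same pattern; tcp_v4_rcv starts and ends outside this hunk.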
76809 @@ -1711,6 +1724,10 @@ no_tcp_socket:
76810 bad_packet:
76811 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
76812 } else {
76813 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76814 + if (!grsec_enable_blackhole || (ret == 1 &&
76815 + (skb->dev->flags & IFF_LOOPBACK)))
76816 +#endif
76817 tcp_v4_send_reset(NULL, skb);
76818 }
76819
76820 @@ -2374,7 +2391,11 @@ static void get_openreq4(struct sock *sk
76821 0, /* non standard timer */
76822 0, /* open_requests have no inode */
76823 atomic_read(&sk->sk_refcnt),
76824 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76825 + NULL,
76826 +#else
76827 req,
76828 +#endif
76829 len);
76830 }
76831
76832 @@ -2424,7 +2445,12 @@ static void get_tcp4_sock(struct sock *s
76833 sock_i_uid(sk),
76834 icsk->icsk_probes_out,
76835 sock_i_ino(sk),
76836 - atomic_read(&sk->sk_refcnt), sk,
76837 + atomic_read(&sk->sk_refcnt),
76838 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76839 + NULL,
76840 +#else
76841 + sk,
76842 +#endif
76843 jiffies_to_clock_t(icsk->icsk_rto),
76844 jiffies_to_clock_t(icsk->icsk_ack.ato),
76845 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
76846 @@ -2452,7 +2478,13 @@ static void get_timewait4_sock(struct in
76847 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
76848 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
76849 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
76850 - atomic_read(&tw->tw_refcnt), tw, len);
76851 + atomic_read(&tw->tw_refcnt),
76852 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76853 + NULL,
76854 +#else
76855 + tw,
76856 +#endif
76857 + len);
76858 }
76859
76860 #define TMPSZ 150
76861 diff -urNp linux-2.6.39.2/net/ipv4/tcp_minisocks.c linux-2.6.39.2/net/ipv4/tcp_minisocks.c
76862 --- linux-2.6.39.2/net/ipv4/tcp_minisocks.c 2011-05-19 00:06:34.000000000 -0400
76863 +++ linux-2.6.39.2/net/ipv4/tcp_minisocks.c 2011-05-22 19:41:42.000000000 -0400
76864 @@ -27,6 +27,10 @@
76865 #include <net/inet_common.h>
76866 #include <net/xfrm.h>
76867
76868 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76869 +extern int grsec_enable_blackhole;
76870 +#endif
76871 +
76872 int sysctl_tcp_syncookies __read_mostly = 1;
76873 EXPORT_SYMBOL(sysctl_tcp_syncookies);
76874
76875 @@ -745,6 +749,10 @@ listen_overflow:
76876
76877 embryonic_reset:
76878 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
76879 +
76880 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76881 + if (!grsec_enable_blackhole)
76882 +#endif
76883 if (!(flg & TCP_FLAG_RST))
76884 req->rsk_ops->send_reset(sk, skb);
76885
76886 diff -urNp linux-2.6.39.2/net/ipv4/tcp_output.c linux-2.6.39.2/net/ipv4/tcp_output.c
76887 --- linux-2.6.39.2/net/ipv4/tcp_output.c 2011-05-19 00:06:34.000000000 -0400
76888 +++ linux-2.6.39.2/net/ipv4/tcp_output.c 2011-05-22 19:36:34.000000000 -0400
76889 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
76890 int mss;
76891 int s_data_desired = 0;
76892
76893 + pax_track_stack();
76894 +
76895 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
76896 s_data_desired = cvp->s_data_desired;
76897 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
76898 diff -urNp linux-2.6.39.2/net/ipv4/tcp_probe.c linux-2.6.39.2/net/ipv4/tcp_probe.c
76899 --- linux-2.6.39.2/net/ipv4/tcp_probe.c 2011-05-19 00:06:34.000000000 -0400
76900 +++ linux-2.6.39.2/net/ipv4/tcp_probe.c 2011-05-22 19:36:34.000000000 -0400
76901 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
76902 if (cnt + width >= len)
76903 break;
76904
76905 - if (copy_to_user(buf + cnt, tbuf, width))
76906 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
76907 return -EFAULT;
76908 cnt += width;
76909 }
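Review bot: `width > sizeof tbuf` is checked only at the copy, after `cnt + width >= len` has already used `width`. The failure is reported as `-EFAULT`, which tells the reader that its buffer was bad when the cause is an oversized kernel-side record. `width` is produced outside the hunk; if it is the return value of an snprintf-style call, a value equal to `sizeof tbuf` already means the record was truncated, so `width >= sizeof tbuf` would be the tighter test. Doing the check right where `width` is computed, with a comment naming the invariant, would keep the bound next to its source. tcpprobe_read starts and ends outside the hunk.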
76910 diff -urNp linux-2.6.39.2/net/ipv4/tcp_timer.c linux-2.6.39.2/net/ipv4/tcp_timer.c
76911 --- linux-2.6.39.2/net/ipv4/tcp_timer.c 2011-05-19 00:06:34.000000000 -0400
76912 +++ linux-2.6.39.2/net/ipv4/tcp_timer.c 2011-05-22 19:41:42.000000000 -0400
76913 @@ -22,6 +22,10 @@
76914 #include <linux/gfp.h>
76915 #include <net/tcp.h>
76916
76917 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76918 +extern int grsec_lastack_retries;
76919 +#endif
76920 +
76921 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
76922 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
76923 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
76924 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
76925 }
76926 }
76927
76928 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76929 + if ((sk->sk_state == TCP_LAST_ACK) &&
76930 + (grsec_lastack_retries > 0) &&
76931 + (grsec_lastack_retries < retry_until))
76932 + retry_until = grsec_lastack_retries;
76933 +#endif
76934 +
76935 if (retransmits_timed_out(sk, retry_until,
76936 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
76937 /* Has it gone just too far? */
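Review bot: `grsec_lastack_retries` is read three times in a row, twice in the condition and once in the assignment, with no snapshot. If it is a runtime tunable (its definition is outside this chunk), a concurrent write between the reads can assign a value that never passed the `> 0` and `< retry_until` tests, including 0. Reading it once into a local removes that window, as sketched below. tcp_write_timeout starts and ends outside the hunk.

```c
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
	{
		/* snapshot: the three uses below must see the same value */
		int lastack = ACCESS_ONCE(grsec_lastack_retries);

		if (sk->sk_state == TCP_LAST_ACK &&
		    lastack > 0 && lastack < retry_until)
			retry_until = lastack;
	}
#endif
/* … unchanged: retransmits_timed_out() check … */
```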
76938 diff -urNp linux-2.6.39.2/net/ipv4/udp.c linux-2.6.39.2/net/ipv4/udp.c
76939 --- linux-2.6.39.2/net/ipv4/udp.c 2011-05-19 00:06:34.000000000 -0400
76940 +++ linux-2.6.39.2/net/ipv4/udp.c 2011-05-22 19:41:42.000000000 -0400
76941 @@ -86,6 +86,7 @@
76942 #include <linux/types.h>
76943 #include <linux/fcntl.h>
76944 #include <linux/module.h>
76945 +#include <linux/security.h>
76946 #include <linux/socket.h>
76947 #include <linux/sockios.h>
76948 #include <linux/igmp.h>
76949 @@ -107,6 +108,10 @@
76950 #include <net/xfrm.h>
76951 #include "udp_impl.h"
76952
76953 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76954 +extern int grsec_enable_blackhole;
76955 +#endif
76956 +
76957 struct udp_table udp_table __read_mostly;
76958 EXPORT_SYMBOL(udp_table);
76959
76960 @@ -564,6 +569,9 @@ found:
76961 return s;
76962 }
76963
76964 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
76965 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
76966 +
76967 /*
76968 * This routine is called by the ICMP module when it gets some
76969 * sort of error condition. If err < 0 then the socket should
76970 @@ -853,9 +861,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
76971 dport = usin->sin_port;
76972 if (dport == 0)
76973 return -EINVAL;
76974 +
76975 + err = gr_search_udp_sendmsg(sk, usin);
76976 + if (err)
76977 + return err;
76978 } else {
76979 if (sk->sk_state != TCP_ESTABLISHED)
76980 return -EDESTADDRREQ;
76981 +
76982 + err = gr_search_udp_sendmsg(sk, NULL);
76983 + if (err)
76984 + return err;
76985 +
76986 daddr = inet->inet_daddr;
76987 dport = inet->inet_dport;
76988 /* Open fast path for connected socket.
76989 @@ -1090,7 +1107,7 @@ static unsigned int first_packet_length(
76990 udp_lib_checksum_complete(skb)) {
76991 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
76992 IS_UDPLITE(sk));
76993 - atomic_inc(&sk->sk_drops);
76994 + atomic_inc_unchecked(&sk->sk_drops);
76995 __skb_unlink(skb, rcvq);
76996 __skb_queue_tail(&list_kill, skb);
76997 }
76998 @@ -1176,6 +1193,10 @@ try_again:
76999 if (!skb)
77000 goto out;
77001
77002 + err = gr_search_udp_recvmsg(sk, skb);
77003 + if (err)
77004 + goto out_free;
77005 +
77006 ulen = skb->len - sizeof(struct udphdr);
77007 if (len > ulen)
77008 len = ulen;
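Review bot: A datagram refused by `gr_search_udp_recvmsg()` leaves through `out_free` with no accounting in this hunk. Neither `sk_drops` nor a UDP MIB counter is touched, so policy denials are invisible in the statistics the rest of this file maintains for discarded packets. If that is unintended, `if (err) { atomic_inc_unchecked(&sk->sk_drops); goto out_free; }` would make them countable. The check also runs after the skb has been obtained (`if (!skb) goto out;` just above), so what `out_free` does, which is outside the hunk, decides whether a refused datagram is consumed or stays queued when the caller is only peeking. That is worth confirming and documenting in a comment here.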
77009 @@ -1472,7 +1493,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
77010
77011 drop:
77012 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77013 - atomic_inc(&sk->sk_drops);
77014 + atomic_inc_unchecked(&sk->sk_drops);
77015 kfree_skb(skb);
77016 return -1;
77017 }
77018 @@ -1491,7 +1512,7 @@ static void flush_stack(struct sock **st
77019 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
77020
77021 if (!skb1) {
77022 - atomic_inc(&sk->sk_drops);
77023 + atomic_inc_unchecked(&sk->sk_drops);
77024 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
77025 IS_UDPLITE(sk));
77026 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77027 @@ -1660,6 +1681,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
77028 goto csum_error;
77029
77030 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
77031 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77032 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77033 +#endif
77034 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
77035
77036 /*
77037 @@ -2087,8 +2111,13 @@ static void udp4_format_sock(struct sock
77038 sk_wmem_alloc_get(sp),
77039 sk_rmem_alloc_get(sp),
77040 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77041 - atomic_read(&sp->sk_refcnt), sp,
77042 - atomic_read(&sp->sk_drops), len);
77043 + atomic_read(&sp->sk_refcnt),
77044 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77045 + NULL,
77046 +#else
77047 + sp,
77048 +#endif
77049 + atomic_read_unchecked(&sp->sk_drops), len);
77050 }
77051
77052 int udp4_seq_show(struct seq_file *seq, void *v)
77053 diff -urNp linux-2.6.39.2/net/ipv6/inet6_connection_sock.c linux-2.6.39.2/net/ipv6/inet6_connection_sock.c
77054 --- linux-2.6.39.2/net/ipv6/inet6_connection_sock.c 2011-05-19 00:06:34.000000000 -0400
77055 +++ linux-2.6.39.2/net/ipv6/inet6_connection_sock.c 2011-05-22 19:36:34.000000000 -0400
77056 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
77057 #ifdef CONFIG_XFRM
77058 {
77059 struct rt6_info *rt = (struct rt6_info *)dst;
77060 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
77061 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
77062 }
77063 #endif
77064 }
77065 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
77066 #ifdef CONFIG_XFRM
77067 if (dst) {
77068 struct rt6_info *rt = (struct rt6_info *)dst;
77069 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
77070 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
77071 __sk_dst_reset(sk);
77072 dst = NULL;
77073 }
77074 diff -urNp linux-2.6.39.2/net/ipv6/ipv6_sockglue.c linux-2.6.39.2/net/ipv6/ipv6_sockglue.c
77075 --- linux-2.6.39.2/net/ipv6/ipv6_sockglue.c 2011-05-19 00:06:34.000000000 -0400
77076 +++ linux-2.6.39.2/net/ipv6/ipv6_sockglue.c 2011-05-22 19:36:34.000000000 -0400
77077 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
77078 int val, valbool;
77079 int retv = -ENOPROTOOPT;
77080
77081 + pax_track_stack();
77082 +
77083 if (optval == NULL)
77084 val=0;
77085 else {
77086 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
77087 int len;
77088 int val;
77089
77090 + pax_track_stack();
77091 +
77092 if (ip6_mroute_opt(optname))
77093 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
77094
77095 diff -urNp linux-2.6.39.2/net/ipv6/raw.c linux-2.6.39.2/net/ipv6/raw.c
77096 --- linux-2.6.39.2/net/ipv6/raw.c 2011-05-19 00:06:34.000000000 -0400
77097 +++ linux-2.6.39.2/net/ipv6/raw.c 2011-05-22 19:41:42.000000000 -0400
77098 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
77099 {
77100 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
77101 skb_checksum_complete(skb)) {
77102 - atomic_inc(&sk->sk_drops);
77103 + atomic_inc_unchecked(&sk->sk_drops);
77104 kfree_skb(skb);
77105 return NET_RX_DROP;
77106 }
77107 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77108 struct raw6_sock *rp = raw6_sk(sk);
77109
77110 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
77111 - atomic_inc(&sk->sk_drops);
77112 + atomic_inc_unchecked(&sk->sk_drops);
77113 kfree_skb(skb);
77114 return NET_RX_DROP;
77115 }
77116 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77117
77118 if (inet->hdrincl) {
77119 if (skb_checksum_complete(skb)) {
77120 - atomic_inc(&sk->sk_drops);
77121 + atomic_inc_unchecked(&sk->sk_drops);
77122 kfree_skb(skb);
77123 return NET_RX_DROP;
77124 }
77125 @@ -601,7 +601,7 @@ out:
77126 return err;
77127 }
77128
77129 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
77130 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
77131 struct flowi6 *fl6, struct dst_entry **dstp,
77132 unsigned int flags)
77133 {
77134 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
77135 u16 proto;
77136 int err;
77137
77138 + pax_track_stack();
77139 +
77140 /* Rough check on arithmetic overflow,
77141 better check is made in ip6_append_data().
77142 */
77143 @@ -909,12 +911,15 @@ do_confirm:
77144 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
77145 char __user *optval, int optlen)
77146 {
77147 + struct icmp6_filter filter;
77148 +
77149 switch (optname) {
77150 case ICMPV6_FILTER:
77151 if (optlen > sizeof(struct icmp6_filter))
77152 optlen = sizeof(struct icmp6_filter);
77153 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
77154 + if (copy_from_user(&filter, optval, optlen))
77155 return -EFAULT;
77156 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
77157 return 0;
77158 default:
77159 return -ENOPROTOOPT;
77160 @@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
77161 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
77162 char __user *optval, int __user *optlen)
77163 {
77164 + struct icmp6_filter filter;
77165 int len;
77166
77167 switch (optname) {
77168 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
77169 len = sizeof(struct icmp6_filter);
77170 if (put_user(len, optlen))
77171 return -EFAULT;
77172 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
77173 + memcpy(&filter, &raw6_sk(sk)->filter, len);
77174 + if (copy_to_user(optval, &filter, len))
77175 return -EFAULT;
77176 return 0;
77177 default:
77178 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
77179 0, 0L, 0,
77180 sock_i_uid(sp), 0,
77181 sock_i_ino(sp),
77182 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77183 + atomic_read(&sp->sk_refcnt),
77184 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77185 + NULL,
77186 +#else
77187 + sp,
77188 +#endif
77189 + atomic_read_unchecked(&sp->sk_drops));
77190 }
77191
77192 static int raw6_seq_show(struct seq_file *seq, void *v)
77193 diff -urNp linux-2.6.39.2/net/ipv6/tcp_ipv6.c linux-2.6.39.2/net/ipv6/tcp_ipv6.c
77194 --- linux-2.6.39.2/net/ipv6/tcp_ipv6.c 2011-05-19 00:06:34.000000000 -0400
77195 +++ linux-2.6.39.2/net/ipv6/tcp_ipv6.c 2011-05-22 19:41:42.000000000 -0400
77196 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
77197 }
77198 #endif
77199
77200 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77201 +extern int grsec_enable_blackhole;
77202 +#endif
77203 +
77204 static void tcp_v6_hash(struct sock *sk)
77205 {
77206 if (sk->sk_state != TCP_CLOSE) {
77207 @@ -1660,6 +1664,9 @@ static int tcp_v6_do_rcv(struct sock *sk
77208 return 0;
77209
77210 reset:
77211 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77212 + if (!grsec_enable_blackhole)
77213 +#endif
77214 tcp_v6_send_reset(sk, skb);
77215 discard:
77216 if (opt_skb)
77217 @@ -1739,12 +1746,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
77218 TCP_SKB_CB(skb)->sacked = 0;
77219
77220 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77221 - if (!sk)
77222 + if (!sk) {
77223 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77224 + ret = 1;
77225 +#endif
77226 goto no_tcp_socket;
77227 + }
77228
77229 process:
77230 - if (sk->sk_state == TCP_TIME_WAIT)
77231 + if (sk->sk_state == TCP_TIME_WAIT) {
77232 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77233 + ret = 2;
77234 +#endif
77235 goto do_time_wait;
77236 + }
77237
77238 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
77239 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
77240 @@ -1792,6 +1807,10 @@ no_tcp_socket:
77241 bad_packet:
77242 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77243 } else {
77244 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77245 + if (!grsec_enable_blackhole || (ret == 1 &&
77246 + (skb->dev->flags & IFF_LOOPBACK)))
77247 +#endif
77248 tcp_v6_send_reset(NULL, skb);
77249 }
77250
77251 @@ -2052,7 +2071,13 @@ static void get_openreq6(struct seq_file
77252 uid,
77253 0, /* non standard timer */
77254 0, /* open_requests have no inode */
77255 - 0, req);
77256 + 0,
77257 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77258 + NULL
77259 +#else
77260 + req
77261 +#endif
77262 + );
77263 }
77264
77265 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
77266 @@ -2102,7 +2127,12 @@ static void get_tcp6_sock(struct seq_fil
77267 sock_i_uid(sp),
77268 icsk->icsk_probes_out,
77269 sock_i_ino(sp),
77270 - atomic_read(&sp->sk_refcnt), sp,
77271 + atomic_read(&sp->sk_refcnt),
77272 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77273 + NULL,
77274 +#else
77275 + sp,
77276 +#endif
77277 jiffies_to_clock_t(icsk->icsk_rto),
77278 jiffies_to_clock_t(icsk->icsk_ack.ato),
77279 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
77280 @@ -2137,7 +2167,13 @@ static void get_timewait6_sock(struct se
77281 dest->s6_addr32[2], dest->s6_addr32[3], destp,
77282 tw->tw_substate, 0, 0,
77283 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77284 - atomic_read(&tw->tw_refcnt), tw);
77285 + atomic_read(&tw->tw_refcnt),
77286 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77287 + NULL
77288 +#else
77289 + tw
77290 +#endif
77291 + );
77292 }
77293
77294 static int tcp6_seq_show(struct seq_file *seq, void *v)
77295 diff -urNp linux-2.6.39.2/net/ipv6/udp.c linux-2.6.39.2/net/ipv6/udp.c
77296 --- linux-2.6.39.2/net/ipv6/udp.c 2011-05-19 00:06:34.000000000 -0400
77297 +++ linux-2.6.39.2/net/ipv6/udp.c 2011-05-22 19:41:42.000000000 -0400
77298 @@ -50,6 +50,10 @@
77299 #include <linux/seq_file.h>
77300 #include "udp_impl.h"
77301
77302 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77303 +extern int grsec_enable_blackhole;
77304 +#endif
77305 +
77306 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
77307 {
77308 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
77309 @@ -545,7 +549,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
77310
77311 return 0;
77312 drop:
77313 - atomic_inc(&sk->sk_drops);
77314 + atomic_inc_unchecked(&sk->sk_drops);
77315 drop_no_sk_drops_inc:
77316 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77317 kfree_skb(skb);
77318 @@ -621,7 +625,7 @@ static void flush_stack(struct sock **st
77319 continue;
77320 }
77321 drop:
77322 - atomic_inc(&sk->sk_drops);
77323 + atomic_inc_unchecked(&sk->sk_drops);
77324 UDP6_INC_STATS_BH(sock_net(sk),
77325 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
77326 UDP6_INC_STATS_BH(sock_net(sk),
77327 @@ -776,6 +780,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77328 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77329 proto == IPPROTO_UDPLITE);
77330
77331 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77332 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77333 +#endif
77334 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
77335
77336 kfree_skb(skb);
77337 @@ -792,7 +799,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77338 if (!sock_owned_by_user(sk))
77339 udpv6_queue_rcv_skb(sk, skb);
77340 else if (sk_add_backlog(sk, skb)) {
77341 - atomic_inc(&sk->sk_drops);
77342 + atomic_inc_unchecked(&sk->sk_drops);
77343 bh_unlock_sock(sk);
77344 sock_put(sk);
77345 goto discard;
77346 @@ -1403,8 +1410,13 @@ static void udp6_sock_seq_show(struct se
77347 0, 0L, 0,
77348 sock_i_uid(sp), 0,
77349 sock_i_ino(sp),
77350 - atomic_read(&sp->sk_refcnt), sp,
77351 - atomic_read(&sp->sk_drops));
77352 + atomic_read(&sp->sk_refcnt),
77353 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77354 + NULL,
77355 +#else
77356 + sp,
77357 +#endif
77358 + atomic_read_unchecked(&sp->sk_drops));
77359 }
77360
77361 int udp6_seq_show(struct seq_file *seq, void *v)
77362 diff -urNp linux-2.6.39.2/net/irda/ircomm/ircomm_tty.c linux-2.6.39.2/net/irda/ircomm/ircomm_tty.c
77363 --- linux-2.6.39.2/net/irda/ircomm/ircomm_tty.c 2011-05-19 00:06:34.000000000 -0400
77364 +++ linux-2.6.39.2/net/irda/ircomm/ircomm_tty.c 2011-05-22 19:36:34.000000000 -0400
77365 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
77366 add_wait_queue(&self->open_wait, &wait);
77367
77368 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77369 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77370 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77371
77372 /* As far as I can see, we protect open_count - Jean II */
77373 spin_lock_irqsave(&self->spinlock, flags);
77374 if (!tty_hung_up_p(filp)) {
77375 extra_count = 1;
77376 - self->open_count--;
77377 + local_dec(&self->open_count);
77378 }
77379 spin_unlock_irqrestore(&self->spinlock, flags);
77380 - self->blocked_open++;
77381 + local_inc(&self->blocked_open);
77382
77383 while (1) {
77384 if (tty->termios->c_cflag & CBAUD) {
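Review bot: The converted debug line still formats the counter with `%d`, but `local_read()` yields a `long`, so on 64-bit builds the argument no longer matches the specifier. This assumes `open_count` becomes a `local_t`; the struct change is outside this chunk. Either cast at the call, `(int)local_read(&self->open_count)`, or switch the specifier to `%ld`. The same applies to the other IRDA_DEBUG / IRDA_ERROR calls converted in the following hunks and to `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info. Separately, `local_inc(&self->blocked_open)` runs after the spinlock is dropped, and local_t operations are atomic only with respect to the current CPU, so a comment should state what serialises `blocked_open` across CPUs.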
77385 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
77386 }
77387
77388 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77389 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77390 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77391
77392 schedule();
77393 }
77394 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
77395 if (extra_count) {
77396 /* ++ is not atomic, so this should be protected - Jean II */
77397 spin_lock_irqsave(&self->spinlock, flags);
77398 - self->open_count++;
77399 + local_inc(&self->open_count);
77400 spin_unlock_irqrestore(&self->spinlock, flags);
77401 }
77402 - self->blocked_open--;
77403 + local_dec(&self->blocked_open);
77404
77405 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77406 - __FILE__,__LINE__, tty->driver->name, self->open_count);
77407 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77408
77409 if (!retval)
77410 self->flags |= ASYNC_NORMAL_ACTIVE;
77411 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
77412 }
77413 /* ++ is not atomic, so this should be protected - Jean II */
77414 spin_lock_irqsave(&self->spinlock, flags);
77415 - self->open_count++;
77416 + local_inc(&self->open_count);
77417
77418 tty->driver_data = self;
77419 self->tty = tty;
77420 spin_unlock_irqrestore(&self->spinlock, flags);
77421
77422 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77423 - self->line, self->open_count);
77424 + self->line, local_read(&self->open_count));
77425
77426 /* Not really used by us, but lets do it anyway */
77427 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77428 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
77429 return;
77430 }
77431
77432 - if ((tty->count == 1) && (self->open_count != 1)) {
77433 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77434 /*
77435 * Uh, oh. tty->count is 1, which means that the tty
77436 * structure will be freed. state->count should always
77437 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
77438 */
77439 IRDA_DEBUG(0, "%s(), bad serial port count; "
77440 "tty->count is 1, state->count is %d\n", __func__ ,
77441 - self->open_count);
77442 - self->open_count = 1;
77443 + local_read(&self->open_count));
77444 + local_set(&self->open_count, 1);
77445 }
77446
77447 - if (--self->open_count < 0) {
77448 + if (local_dec_return(&self->open_count) < 0) {
77449 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77450 - __func__, self->line, self->open_count);
77451 - self->open_count = 0;
77452 + __func__, self->line, local_read(&self->open_count));
77453 + local_set(&self->open_count, 0);
77454 }
77455 - if (self->open_count) {
77456 + if (local_read(&self->open_count)) {
77457 spin_unlock_irqrestore(&self->spinlock, flags);
77458
77459 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77460 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
77461 tty->closing = 0;
77462 self->tty = NULL;
77463
77464 - if (self->blocked_open) {
77465 + if (local_read(&self->blocked_open)) {
77466 if (self->close_delay)
77467 schedule_timeout_interruptible(self->close_delay);
77468 wake_up_interruptible(&self->open_wait);
77469 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
77470 spin_lock_irqsave(&self->spinlock, flags);
77471 self->flags &= ~ASYNC_NORMAL_ACTIVE;
77472 self->tty = NULL;
77473 - self->open_count = 0;
77474 + local_set(&self->open_count, 0);
77475 spin_unlock_irqrestore(&self->spinlock, flags);
77476
77477 wake_up_interruptible(&self->open_wait);
77478 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
77479 seq_putc(m, '\n');
77480
77481 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77482 - seq_printf(m, "Open count: %d\n", self->open_count);
77483 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77484 seq_printf(m, "Max data size: %d\n", self->max_data_size);
77485 seq_printf(m, "Max header size: %d\n", self->max_header_size);
77486
77487 diff -urNp linux-2.6.39.2/net/iucv/af_iucv.c linux-2.6.39.2/net/iucv/af_iucv.c
77488 --- linux-2.6.39.2/net/iucv/af_iucv.c 2011-05-19 00:06:34.000000000 -0400
77489 +++ linux-2.6.39.2/net/iucv/af_iucv.c 2011-05-22 19:36:34.000000000 -0400
77490 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
77491
77492 write_lock_bh(&iucv_sk_list.lock);
77493
77494 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77495 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77496 while (__iucv_get_sock_by_name(name)) {
77497 sprintf(name, "%08x",
77498 - atomic_inc_return(&iucv_sk_list.autobind_name));
77499 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77500 }
77501
77502 write_unlock_bh(&iucv_sk_list.lock);
77503 diff -urNp linux-2.6.39.2/net/key/af_key.c linux-2.6.39.2/net/key/af_key.c
77504 --- linux-2.6.39.2/net/key/af_key.c 2011-05-19 00:06:34.000000000 -0400
77505 +++ linux-2.6.39.2/net/key/af_key.c 2011-05-22 19:41:42.000000000 -0400
77506 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
77507 struct xfrm_migrate m[XFRM_MAX_DEPTH];
77508 struct xfrm_kmaddress k;
77509
77510 + pax_track_stack();
77511 +
77512 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77513 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77514 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77515 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
77516 static u32 get_acqseq(void)
77517 {
77518 u32 res;
77519 - static atomic_t acqseq;
77520 + static atomic_unchecked_t acqseq;
77521
77522 do {
77523 - res = atomic_inc_return(&acqseq);
77524 + res = atomic_inc_return_unchecked(&acqseq);
77525 } while (!res);
77526 return res;
77527 }
77528 @@ -3657,7 +3659,11 @@ static int pfkey_seq_show(struct seq_fil
77529 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77530 else
77531 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77532 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77533 + NULL,
77534 +#else
77535 s,
77536 +#endif
77537 atomic_read(&s->sk_refcnt),
77538 sk_rmem_alloc_get(s),
77539 sk_wmem_alloc_get(s),
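Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block placed inside the `seq_printf` argument list is hard to read, and the same construct is repeated in the netlink_seq_show, packet_seq_show and pn_sock_seq_show hunks later in this patch. A small helper macro defined once and used as the `%p` argument would keep each call site to one line; its name is the project's choice. With the option enabled the `%p` column is passed NULL, so a comment such as `/* socket address deliberately withheld from this seq_file output */` would tell readers the change is intentional. pfkey_seq_show continues outside the hunk.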
77540 diff -urNp linux-2.6.39.2/net/l2tp/l2tp_ip.c linux-2.6.39.2/net/l2tp/l2tp_ip.c
77541 --- linux-2.6.39.2/net/l2tp/l2tp_ip.c 2011-05-19 00:06:34.000000000 -0400
77542 +++ linux-2.6.39.2/net/l2tp/l2tp_ip.c 2011-05-22 19:36:34.000000000 -0400
77543 @@ -625,7 +625,7 @@ static struct inet_protosw l2tp_ip_proto
77544 .no_check = 0,
77545 };
77546
77547 -static struct net_protocol l2tp_ip_protocol __read_mostly = {
77548 +static const struct net_protocol l2tp_ip_protocol = {
77549 .handler = l2tp_ip_recv,
77550 };
77551
77552 diff -urNp linux-2.6.39.2/net/lapb/lapb_iface.c linux-2.6.39.2/net/lapb/lapb_iface.c
77553 --- linux-2.6.39.2/net/lapb/lapb_iface.c 2011-05-19 00:06:34.000000000 -0400
77554 +++ linux-2.6.39.2/net/lapb/lapb_iface.c 2011-05-22 19:36:34.000000000 -0400
77555 @@ -138,8 +138,7 @@ static struct lapb_cb *lapb_create_cb(vo
77556 out:
77557 return lapb;
77558 }
77559 -
77560 -int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks)
77561 +int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks)
77562 {
77563 struct lapb_cb *lapb;
77564 int rc = LAPB_BADTOKEN;
77565 diff -urNp linux-2.6.39.2/net/mac80211/cfg.c linux-2.6.39.2/net/mac80211/cfg.c
77566 --- linux-2.6.39.2/net/mac80211/cfg.c 2011-06-03 00:04:14.000000000 -0400
77567 +++ linux-2.6.39.2/net/mac80211/cfg.c 2011-06-03 00:32:08.000000000 -0400
77568 @@ -2031,7 +2031,7 @@ static void ieee80211_get_ringparam(stru
77569 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
77570 }
77571
77572 -struct cfg80211_ops mac80211_config_ops = {
77573 +const struct cfg80211_ops mac80211_config_ops = {
77574 .add_virtual_intf = ieee80211_add_iface,
77575 .del_virtual_intf = ieee80211_del_iface,
77576 .change_virtual_intf = ieee80211_change_iface,
77577 diff -urNp linux-2.6.39.2/net/mac80211/cfg.h linux-2.6.39.2/net/mac80211/cfg.h
77578 --- linux-2.6.39.2/net/mac80211/cfg.h 2011-05-19 00:06:34.000000000 -0400
77579 +++ linux-2.6.39.2/net/mac80211/cfg.h 2011-05-22 19:36:34.000000000 -0400
77580 @@ -4,6 +4,6 @@
77581 #ifndef __CFG_H
77582 #define __CFG_H
77583
77584 -extern struct cfg80211_ops mac80211_config_ops;
77585 +extern const struct cfg80211_ops mac80211_config_ops;
77586
77587 #endif /* __CFG_H */
77588 diff -urNp linux-2.6.39.2/net/mac80211/debugfs_sta.c linux-2.6.39.2/net/mac80211/debugfs_sta.c
77589 --- linux-2.6.39.2/net/mac80211/debugfs_sta.c 2011-05-19 00:06:34.000000000 -0400
77590 +++ linux-2.6.39.2/net/mac80211/debugfs_sta.c 2011-05-22 19:36:34.000000000 -0400
77591 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
77592 struct tid_ampdu_rx *tid_rx;
77593 struct tid_ampdu_tx *tid_tx;
77594
77595 + pax_track_stack();
77596 +
77597 rcu_read_lock();
77598
77599 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
77600 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
77601 struct sta_info *sta = file->private_data;
77602 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
77603
77604 + pax_track_stack();
77605 +
77606 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
77607 htc->ht_supported ? "" : "not ");
77608 if (htc->ht_supported) {
77609 diff -urNp linux-2.6.39.2/net/mac80211/ieee80211_i.h linux-2.6.39.2/net/mac80211/ieee80211_i.h
77610 --- linux-2.6.39.2/net/mac80211/ieee80211_i.h 2011-05-19 00:06:34.000000000 -0400
77611 +++ linux-2.6.39.2/net/mac80211/ieee80211_i.h 2011-05-22 19:36:34.000000000 -0400
77612 @@ -27,6 +27,7 @@
77613 #include <net/ieee80211_radiotap.h>
77614 #include <net/cfg80211.h>
77615 #include <net/mac80211.h>
77616 +#include <asm/local.h>
77617 #include "key.h"
77618 #include "sta_info.h"
77619
77620 @@ -714,7 +715,7 @@ struct ieee80211_local {
77621 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77622 spinlock_t queue_stop_reason_lock;
77623
77624 - int open_count;
77625 + local_t open_count;
77626 int monitors, cooked_mntrs;
77627 /* number of interfaces with corresponding FIF_ flags */
77628 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
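Review bot: `local_t open_count;` has no comment saying what serialises it. local_t operations are atomic only with respect to the CPU they run on, so the `local_inc` and `local_dec` calls in ieee80211_do_open and ieee80211_do_stop still rely on whatever lock protected the plain `int`; that lock is not visible in these hunks. A field comment such as `/* updated only under <lock>; local_t gives no cross-CPU atomicity */`, with the real lock name filled in, would make that explicit. struct ieee80211_local continues outside the hunk.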
77629 diff -urNp linux-2.6.39.2/net/mac80211/iface.c linux-2.6.39.2/net/mac80211/iface.c
77630 --- linux-2.6.39.2/net/mac80211/iface.c 2011-05-19 00:06:34.000000000 -0400
77631 +++ linux-2.6.39.2/net/mac80211/iface.c 2011-05-22 19:36:34.000000000 -0400
77632 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
77633 break;
77634 }
77635
77636 - if (local->open_count == 0) {
77637 + if (local_read(&local->open_count) == 0) {
77638 res = drv_start(local);
77639 if (res)
77640 goto err_del_bss;
77641 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
77642 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
77643
77644 if (!is_valid_ether_addr(dev->dev_addr)) {
77645 - if (!local->open_count)
77646 + if (!local_read(&local->open_count))
77647 drv_stop(local);
77648 return -EADDRNOTAVAIL;
77649 }
77650 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
77651 mutex_unlock(&local->mtx);
77652
77653 if (coming_up)
77654 - local->open_count++;
77655 + local_inc(&local->open_count);
77656
77657 if (hw_reconf_flags) {
77658 ieee80211_hw_config(local, hw_reconf_flags);
77659 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
77660 err_del_interface:
77661 drv_remove_interface(local, &sdata->vif);
77662 err_stop:
77663 - if (!local->open_count)
77664 + if (!local_read(&local->open_count))
77665 drv_stop(local);
77666 err_del_bss:
77667 sdata->bss = NULL;
77668 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
77669 }
77670
77671 if (going_down)
77672 - local->open_count--;
77673 + local_dec(&local->open_count);
77674
77675 switch (sdata->vif.type) {
77676 case NL80211_IFTYPE_AP_VLAN:
77677 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
77678
77679 ieee80211_recalc_ps(local, -1);
77680
77681 - if (local->open_count == 0) {
77682 + if (local_read(&local->open_count) == 0) {
77683 if (local->ops->napi_poll)
77684 napi_disable(&local->napi);
77685 ieee80211_clear_tx_pending(local);
77686 diff -urNp linux-2.6.39.2/net/mac80211/main.c linux-2.6.39.2/net/mac80211/main.c
77687 --- linux-2.6.39.2/net/mac80211/main.c 2011-05-19 00:06:34.000000000 -0400
77688 +++ linux-2.6.39.2/net/mac80211/main.c 2011-05-22 19:36:34.000000000 -0400
77689 @@ -215,7 +215,7 @@ int ieee80211_hw_config(struct ieee80211
77690 local->hw.conf.power_level = power;
77691 }
77692
77693 - if (changed && local->open_count) {
77694 + if (changed && local_read(&local->open_count)) {
77695 ret = drv_config(local, changed);
77696 /*
77697 * Goal:
77698 diff -urNp linux-2.6.39.2/net/mac80211/mlme.c linux-2.6.39.2/net/mac80211/mlme.c
77699 --- linux-2.6.39.2/net/mac80211/mlme.c 2011-06-03 00:04:14.000000000 -0400
77700 +++ linux-2.6.39.2/net/mac80211/mlme.c 2011-06-03 00:32:08.000000000 -0400
77701 @@ -1431,6 +1431,8 @@ static bool ieee80211_assoc_success(stru
77702 bool have_higher_than_11mbit = false;
77703 u16 ap_ht_cap_flags;
77704
77705 + pax_track_stack();
77706 +
77707 /* AssocResp and ReassocResp have identical structure */
77708
77709 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
77710 diff -urNp linux-2.6.39.2/net/mac80211/pm.c linux-2.6.39.2/net/mac80211/pm.c
77711 --- linux-2.6.39.2/net/mac80211/pm.c 2011-05-19 00:06:34.000000000 -0400
77712 +++ linux-2.6.39.2/net/mac80211/pm.c 2011-05-22 19:36:34.000000000 -0400
77713 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
77714 }
77715
77716 /* stop hardware - this must stop RX */
77717 - if (local->open_count)
77718 + if (local_read(&local->open_count))
77719 ieee80211_stop_device(local);
77720
77721 local->suspended = true;
77722 diff -urNp linux-2.6.39.2/net/mac80211/rate.c linux-2.6.39.2/net/mac80211/rate.c
77723 --- linux-2.6.39.2/net/mac80211/rate.c 2011-05-19 00:06:34.000000000 -0400
77724 +++ linux-2.6.39.2/net/mac80211/rate.c 2011-05-22 19:36:34.000000000 -0400
77725 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77726
77727 ASSERT_RTNL();
77728
77729 - if (local->open_count)
77730 + if (local_read(&local->open_count))
77731 return -EBUSY;
77732
77733 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
77734 diff -urNp linux-2.6.39.2/net/mac80211/rc80211_pid_debugfs.c linux-2.6.39.2/net/mac80211/rc80211_pid_debugfs.c
77735 --- linux-2.6.39.2/net/mac80211/rc80211_pid_debugfs.c 2011-05-19 00:06:34.000000000 -0400
77736 +++ linux-2.6.39.2/net/mac80211/rc80211_pid_debugfs.c 2011-05-22 19:36:34.000000000 -0400
77737 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
77738
77739 spin_unlock_irqrestore(&events->lock, status);
77740
77741 - if (copy_to_user(buf, pb, p))
77742 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
77743 return -EFAULT;
77744
77745 return p;
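Review bot: The added `p > sizeof(pb)` test reports an internal length overrun as `-EFAULT`, the same code as a bad user pointer, and it runs only after `pb` has been filled. The declarations of `p` and `pb` and the code that writes `pb` are outside the hunk, so it is not visible whether `p` can exceed the buffer, nor whether `pb` is an array (if it is a pointer, `sizeof(pb)` is not the buffer size). If `p` can exceed it, bounding the length where `p` is computed would be clearer than checking at the copy. At minimum a comment such as `/* never copy more than pb holds */` would record why the test exists.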
77746 diff -urNp linux-2.6.39.2/net/mac80211/util.c linux-2.6.39.2/net/mac80211/util.c
77747 --- linux-2.6.39.2/net/mac80211/util.c 2011-05-19 00:06:34.000000000 -0400
77748 +++ linux-2.6.39.2/net/mac80211/util.c 2011-05-22 19:36:34.000000000 -0400
77749 @@ -1129,7 +1129,7 @@ int ieee80211_reconfig(struct ieee80211_
77750 local->resuming = true;
77751
77752 /* restart hardware */
77753 - if (local->open_count) {
77754 + if (local_read(&local->open_count)) {
77755 /*
77756 * Upon resume hardware can sometimes be goofy due to
77757 * various platform / driver / bus issues, so restarting
77758 diff -urNp linux-2.6.39.2/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.39.2/net/netfilter/ipvs/ip_vs_conn.c
77759 --- linux-2.6.39.2/net/netfilter/ipvs/ip_vs_conn.c 2011-05-19 00:06:34.000000000 -0400
77760 +++ linux-2.6.39.2/net/netfilter/ipvs/ip_vs_conn.c 2011-05-22 19:36:34.000000000 -0400
77761 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77762 /* Increase the refcnt counter of the dest */
77763 atomic_inc(&dest->refcnt);
77764
77765 - conn_flags = atomic_read(&dest->conn_flags);
77766 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
77767 if (cp->protocol != IPPROTO_UDP)
77768 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
77769 /* Bind with the destination and its corresponding transmitter */
77770 @@ -861,7 +861,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
77771 atomic_set(&cp->refcnt, 1);
77772
77773 atomic_set(&cp->n_control, 0);
77774 - atomic_set(&cp->in_pkts, 0);
77775 + atomic_set_unchecked(&cp->in_pkts, 0);
77776
77777 atomic_inc(&ipvs->conn_count);
77778 if (flags & IP_VS_CONN_F_NO_CPORT)
77779 @@ -1141,7 +1141,7 @@ static inline int todrop_entry(struct ip
77780
77781 /* Don't drop the entry if its number of incoming packets is not
77782 located in [0, 8] */
77783 - i = atomic_read(&cp->in_pkts);
77784 + i = atomic_read_unchecked(&cp->in_pkts);
77785 if (i > 8 || i < 0) return 0;
77786
77787 if (!todrop_rate[i]) return 0;
77788 diff -urNp linux-2.6.39.2/net/netfilter/ipvs/ip_vs_core.c linux-2.6.39.2/net/netfilter/ipvs/ip_vs_core.c
77789 --- linux-2.6.39.2/net/netfilter/ipvs/ip_vs_core.c 2011-05-19 00:06:34.000000000 -0400
77790 +++ linux-2.6.39.2/net/netfilter/ipvs/ip_vs_core.c 2011-05-22 19:36:34.000000000 -0400
77791 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
77792 ret = cp->packet_xmit(skb, cp, pd->pp);
77793 /* do not touch skb anymore */
77794
77795 - atomic_inc(&cp->in_pkts);
77796 + atomic_inc_unchecked(&cp->in_pkts);
77797 ip_vs_conn_put(cp);
77798 return ret;
77799 }
77800 @@ -1633,7 +1633,7 @@ ip_vs_in(unsigned int hooknum, struct sk
77801 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
77802 pkts = sysctl_sync_threshold(ipvs);
77803 else
77804 - pkts = atomic_add_return(1, &cp->in_pkts);
77805 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77806
77807 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
77808 cp->protocol == IPPROTO_SCTP) {
77809 diff -urNp linux-2.6.39.2/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.39.2/net/netfilter/ipvs/ip_vs_ctl.c
77810 --- linux-2.6.39.2/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-19 00:06:34.000000000 -0400
77811 +++ linux-2.6.39.2/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-22 19:36:34.000000000 -0400
77812 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
77813 ip_vs_rs_hash(ipvs, dest);
77814 write_unlock_bh(&ipvs->rs_lock);
77815 }
77816 - atomic_set(&dest->conn_flags, conn_flags);
77817 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
77818
77819 /* bind the service */
77820 if (!dest->svc) {
77821 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
77822 " %-7s %-6d %-10d %-10d\n",
77823 &dest->addr.in6,
77824 ntohs(dest->port),
77825 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77826 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77827 atomic_read(&dest->weight),
77828 atomic_read(&dest->activeconns),
77829 atomic_read(&dest->inactconns));
77830 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
77831 "%-7s %-6d %-10d %-10d\n",
77832 ntohl(dest->addr.ip),
77833 ntohs(dest->port),
77834 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77835 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77836 atomic_read(&dest->weight),
77837 atomic_read(&dest->activeconns),
77838 atomic_read(&dest->inactconns));
77839 @@ -2287,6 +2287,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
77840 struct ip_vs_dest_user *udest_compat;
77841 struct ip_vs_dest_user_kern udest;
77842
77843 + pax_track_stack();
77844 +
77845 if (!capable(CAP_NET_ADMIN))
77846 return -EPERM;
77847
77848 @@ -2501,7 +2503,7 @@ __ip_vs_get_dest_entries(struct net *net
77849
77850 entry.addr = dest->addr.ip;
77851 entry.port = dest->port;
77852 - entry.conn_flags = atomic_read(&dest->conn_flags);
77853 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
77854 entry.weight = atomic_read(&dest->weight);
77855 entry.u_threshold = dest->u_threshold;
77856 entry.l_threshold = dest->l_threshold;
77857 @@ -3029,7 +3031,7 @@ static int ip_vs_genl_fill_dest(struct s
77858 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
77859
77860 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
77861 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77862 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77863 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
77864 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
77865 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
77866 diff -urNp linux-2.6.39.2/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.39.2/net/netfilter/ipvs/ip_vs_sync.c
77867 --- linux-2.6.39.2/net/netfilter/ipvs/ip_vs_sync.c 2011-05-19 00:06:34.000000000 -0400
77868 +++ linux-2.6.39.2/net/netfilter/ipvs/ip_vs_sync.c 2011-05-22 19:36:34.000000000 -0400
77869 @@ -648,7 +648,7 @@ control:
77870 * i.e only increment in_pkts for Templates.
77871 */
77872 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
77873 - int pkts = atomic_add_return(1, &cp->in_pkts);
77874 + int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77875
77876 if (pkts % sysctl_sync_period(ipvs) != 1)
77877 return;
77878 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
77879
77880 if (opt)
77881 memcpy(&cp->in_seq, opt, sizeof(*opt));
77882 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
77883 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
77884 cp->state = state;
77885 cp->old_state = cp->state;
77886 /*
77887 diff -urNp linux-2.6.39.2/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.39.2/net/netfilter/ipvs/ip_vs_xmit.c
77888 --- linux-2.6.39.2/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-19 00:06:34.000000000 -0400
77889 +++ linux-2.6.39.2/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-22 19:36:34.000000000 -0400
77890 @@ -1127,7 +1127,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
77891 else
77892 rc = NF_ACCEPT;
77893 /* do not touch skb anymore */
77894 - atomic_inc(&cp->in_pkts);
77895 + atomic_inc_unchecked(&cp->in_pkts);
77896 goto out;
77897 }
77898
77899 @@ -1245,7 +1245,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
77900 else
77901 rc = NF_ACCEPT;
77902 /* do not touch skb anymore */
77903 - atomic_inc(&cp->in_pkts);
77904 + atomic_inc_unchecked(&cp->in_pkts);
77905 goto out;
77906 }
77907
77908 diff -urNp linux-2.6.39.2/net/netfilter/Kconfig linux-2.6.39.2/net/netfilter/Kconfig
77909 --- linux-2.6.39.2/net/netfilter/Kconfig 2011-05-19 00:06:34.000000000 -0400
77910 +++ linux-2.6.39.2/net/netfilter/Kconfig 2011-05-22 19:41:42.000000000 -0400
77911 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
77912
77913 To compile it as a module, choose M here. If unsure, say N.
77914
77915 +config NETFILTER_XT_MATCH_GRADM
77916 + tristate '"gradm" match support'
77917 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
77918 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
77919 + ---help---
77920 + The gradm match allows to match on grsecurity RBAC being enabled.
77921 + It is useful when iptables rules are applied early on bootup to
77922 + prevent connections to the machine (except from a trusted host)
77923 + while the RBAC system is disabled.
77924 +
77925 config NETFILTER_XT_MATCH_HASHLIMIT
77926 tristate '"hashlimit" match support'
77927 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
77928 diff -urNp linux-2.6.39.2/net/netfilter/Makefile linux-2.6.39.2/net/netfilter/Makefile
77929 --- linux-2.6.39.2/net/netfilter/Makefile 2011-05-19 00:06:34.000000000 -0400
77930 +++ linux-2.6.39.2/net/netfilter/Makefile 2011-05-22 20:40:16.000000000 -0400
77931 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
77932 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
77933 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
77934 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
77935 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
77936 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
77937 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
77938 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
77939 diff -urNp linux-2.6.39.2/net/netfilter/nfnetlink_log.c linux-2.6.39.2/net/netfilter/nfnetlink_log.c
77940 --- linux-2.6.39.2/net/netfilter/nfnetlink_log.c 2011-05-19 00:06:34.000000000 -0400
77941 +++ linux-2.6.39.2/net/netfilter/nfnetlink_log.c 2011-05-22 19:36:35.000000000 -0400
77942 @@ -70,7 +70,7 @@ struct nfulnl_instance {
77943 };
77944
77945 static DEFINE_SPINLOCK(instances_lock);
77946 -static atomic_t global_seq;
77947 +static atomic_unchecked_t global_seq;
77948
77949 #define INSTANCE_BUCKETS 16
77950 static struct hlist_head instance_table[INSTANCE_BUCKETS];
77951 @@ -506,7 +506,7 @@ __build_packet_message(struct nfulnl_ins
77952 /* global sequence number */
77953 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
77954 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
77955 - htonl(atomic_inc_return(&global_seq)));
77956 + htonl(atomic_inc_return_unchecked(&global_seq)));
77957
77958 if (data_len) {
77959 struct nlattr *nla;
77960 diff -urNp linux-2.6.39.2/net/netfilter/nfnetlink_queue.c linux-2.6.39.2/net/netfilter/nfnetlink_queue.c
77961 --- linux-2.6.39.2/net/netfilter/nfnetlink_queue.c 2011-05-19 00:06:34.000000000 -0400
77962 +++ linux-2.6.39.2/net/netfilter/nfnetlink_queue.c 2011-05-22 19:36:35.000000000 -0400
77963 @@ -58,7 +58,7 @@ struct nfqnl_instance {
77964 */
77965 spinlock_t lock;
77966 unsigned int queue_total;
77967 - atomic_t id_sequence; /* 'sequence' of pkt ids */
77968 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
77969 struct list_head queue_list; /* packets in queue */
77970 };
77971
77972 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
77973 nfmsg->version = NFNETLINK_V0;
77974 nfmsg->res_id = htons(queue->queue_num);
77975
77976 - entry->id = atomic_inc_return(&queue->id_sequence);
77977 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
77978 pmsg.packet_id = htonl(entry->id);
77979 pmsg.hw_protocol = entskb->protocol;
77980 pmsg.hook = entry->hook;
77981 @@ -869,7 +869,7 @@ static int seq_show(struct seq_file *s,
77982 inst->peer_pid, inst->queue_total,
77983 inst->copy_mode, inst->copy_range,
77984 inst->queue_dropped, inst->queue_user_dropped,
77985 - atomic_read(&inst->id_sequence), 1);
77986 + atomic_read_unchecked(&inst->id_sequence), 1);
77987 }
77988
77989 static const struct seq_operations nfqnl_seq_ops = {
77990 diff -urNp linux-2.6.39.2/net/netfilter/xt_gradm.c linux-2.6.39.2/net/netfilter/xt_gradm.c
77991 --- linux-2.6.39.2/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
77992 +++ linux-2.6.39.2/net/netfilter/xt_gradm.c 2011-05-22 19:41:42.000000000 -0400
77993 @@ -0,0 +1,51 @@
77994 +/*
77995 + * gradm match for netfilter
77996 + * Copyright © Zbigniew Krzystolik, 2010
77997 + *
77998 + * This program is free software; you can redistribute it and/or modify
77999 + * it under the terms of the GNU General Public License; either version
78000 + * 2 or 3 as published by the Free Software Foundation.
78001 + */
78002 +#include <linux/module.h>
78003 +#include <linux/moduleparam.h>
78004 +#include <linux/skbuff.h>
78005 +#include <linux/netfilter/x_tables.h>
78006 +#include <linux/grsecurity.h>
78007 +#include <linux/netfilter/xt_gradm.h>
78008 +
78009 +static bool
78010 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
78011 +{
78012 + const struct xt_gradm_mtinfo *info = par->matchinfo;
78013 + bool retval = false;
78014 + if (gr_acl_is_enabled())
78015 + retval = true;
78016 + return retval ^ info->invflags;
78017 +}
78018 +
78019 +static struct xt_match gradm_mt_reg __read_mostly = {
78020 + .name = "gradm",
78021 + .revision = 0,
78022 + .family = NFPROTO_UNSPEC,
78023 + .match = gradm_mt,
78024 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
78025 + .me = THIS_MODULE,
78026 +};
78027 +
78028 +static int __init gradm_mt_init(void)
78029 +{
78030 + return xt_register_match(&gradm_mt_reg);
78031 +}
78032 +
78033 +static void __exit gradm_mt_exit(void)
78034 +{
78035 + xt_unregister_match(&gradm_mt_reg);
78036 +}
78037 +
78038 +module_init(gradm_mt_init);
78039 +module_exit(gradm_mt_exit);
78040 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
78041 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
78042 +MODULE_LICENSE("GPL");
78043 +MODULE_ALIAS("ipt_gradm");
78044 +MODULE_ALIAS("ip6t_gradm");
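Review bot: `info->invflags` is XORed into the result without being normalised, in the `return retval ^ info->invflags;` line of gradm_mt(). The field's type is declared in xt_gradm.h, outside this section; if it is wider than one bit, any rule-supplied value other than 0 or 1 makes the expression non-zero whatever gr_acl_is_enabled() returns, so the match is always true and the inversion flag stops meaning "invert". Normalise it with `return retval ^ !!info->invflags;`, or add a `.checkentry` hook to gradm_mt_reg that rejects other values. A one-line comment above gradm_mt() saying that it matches when RBAC is enabled would also help, since the file has none.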
78045 diff -urNp linux-2.6.39.2/net/netfilter/xt_statistic.c linux-2.6.39.2/net/netfilter/xt_statistic.c
78046 --- linux-2.6.39.2/net/netfilter/xt_statistic.c 2011-05-19 00:06:34.000000000 -0400
78047 +++ linux-2.6.39.2/net/netfilter/xt_statistic.c 2011-05-22 19:36:35.000000000 -0400
78048 @@ -18,7 +18,7 @@
78049 #include <linux/netfilter/x_tables.h>
78050
78051 struct xt_statistic_priv {
78052 - atomic_t count;
78053 + atomic_unchecked_t count;
78054 } ____cacheline_aligned_in_smp;
78055
78056 MODULE_LICENSE("GPL");
78057 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
78058 break;
78059 case XT_STATISTIC_MODE_NTH:
78060 do {
78061 - oval = atomic_read(&info->master->count);
78062 + oval = atomic_read_unchecked(&info->master->count);
78063 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
78064 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
78065 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
78066 if (nval == 0)
78067 ret = !ret;
78068 break;
78069 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
78070 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
78071 if (info->master == NULL)
78072 return -ENOMEM;
78073 - atomic_set(&info->master->count, info->u.nth.count);
78074 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
78075
78076 return 0;
78077 }
78078 diff -urNp linux-2.6.39.2/net/netlink/af_netlink.c linux-2.6.39.2/net/netlink/af_netlink.c
78079 --- linux-2.6.39.2/net/netlink/af_netlink.c 2011-05-19 00:06:34.000000000 -0400
78080 +++ linux-2.6.39.2/net/netlink/af_netlink.c 2011-05-22 19:41:42.000000000 -0400
78081 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
78082 sk->sk_error_report(sk);
78083 }
78084 }
78085 - atomic_inc(&sk->sk_drops);
78086 + atomic_inc_unchecked(&sk->sk_drops);
78087 }
78088
78089 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
78090 @@ -1992,15 +1992,23 @@ static int netlink_seq_show(struct seq_f
78091 struct netlink_sock *nlk = nlk_sk(s);
78092
78093 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
78094 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78095 + NULL,
78096 +#else
78097 s,
78098 +#endif
78099 s->sk_protocol,
78100 nlk->pid,
78101 nlk->groups ? (u32)nlk->groups[0] : 0,
78102 sk_rmem_alloc_get(s),
78103 sk_wmem_alloc_get(s),
78104 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78105 + NULL,
78106 +#else
78107 nlk->cb,
78108 +#endif
78109 atomic_read(&s->sk_refcnt),
78110 - atomic_read(&s->sk_drops),
78111 + atomic_read_unchecked(&s->sk_drops),
78112 sock_i_ino(s)
78113 );
78114
78115 diff -urNp linux-2.6.39.2/net/netrom/af_netrom.c linux-2.6.39.2/net/netrom/af_netrom.c
78116 --- linux-2.6.39.2/net/netrom/af_netrom.c 2011-05-19 00:06:34.000000000 -0400
78117 +++ linux-2.6.39.2/net/netrom/af_netrom.c 2011-05-22 19:41:42.000000000 -0400
78118 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
78119 struct sock *sk = sock->sk;
78120 struct nr_sock *nr = nr_sk(sk);
78121
78122 + memset(sax, 0, sizeof(*sax));
78123 lock_sock(sk);
78124 if (peer != 0) {
78125 if (sk->sk_state != TCP_ESTABLISHED) {
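Review bot: The added `memset(sax, 0, sizeof(*sax));` has no comment, and the next hunk's removal of `sax->fsa_ax25.sax25_ndigis = 0;` silently depends on it. A line such as `/* clear the whole address, including padding and unused digipeater slots, before filling it in */` above the memset would keep a later cleanup from dropping it. The declaration of `sax` is outside the hunk, so it is assumed rather than visible that `sizeof(*sax)` covers the larger `struct full_sockaddr_ax25`.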
78126 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
78127 *uaddr_len = sizeof(struct full_sockaddr_ax25);
78128 } else {
78129 sax->fsa_ax25.sax25_family = AF_NETROM;
78130 - sax->fsa_ax25.sax25_ndigis = 0;
78131 sax->fsa_ax25.sax25_call = nr->source_addr;
78132 *uaddr_len = sizeof(struct sockaddr_ax25);
78133 }
78134 diff -urNp linux-2.6.39.2/net/packet/af_packet.c linux-2.6.39.2/net/packet/af_packet.c
78135 --- linux-2.6.39.2/net/packet/af_packet.c 2011-05-19 00:06:34.000000000 -0400
78136 +++ linux-2.6.39.2/net/packet/af_packet.c 2011-05-22 19:41:42.000000000 -0400
78137 @@ -647,14 +647,14 @@ static int packet_rcv(struct sk_buff *sk
78138
78139 spin_lock(&sk->sk_receive_queue.lock);
78140 po->stats.tp_packets++;
78141 - skb->dropcount = atomic_read(&sk->sk_drops);
78142 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
78143 __skb_queue_tail(&sk->sk_receive_queue, skb);
78144 spin_unlock(&sk->sk_receive_queue.lock);
78145 sk->sk_data_ready(sk, skb->len);
78146 return 0;
78147
78148 drop_n_acct:
78149 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
78150 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
78151
78152 drop_n_restore:
78153 if (skb_head != skb->data && skb_shared(skb)) {
78154 @@ -2157,7 +2157,7 @@ static int packet_getsockopt(struct sock
78155 case PACKET_HDRLEN:
78156 if (len > sizeof(int))
78157 len = sizeof(int);
78158 - if (copy_from_user(&val, optval, len))
78159 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
78160 return -EFAULT;
78161 switch (val) {
78162 case TPACKET_V1:
78163 @@ -2195,7 +2195,7 @@ static int packet_getsockopt(struct sock
78164
78165 if (put_user(len, optlen))
78166 return -EFAULT;
78167 - if (copy_to_user(optval, data, len))
78168 + if (len > sizeof(st) || copy_to_user(optval, data, len))
78169 return -EFAULT;
78170 return 0;
78171 }
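Review bot: The bound in `len > sizeof(st) || copy_to_user(optval, data, len)` is the size of `st` whatever object `data` points to. The switch that selects `data` and clamps `len` is outside the hunk; if any case points `data` at something smaller than `st`, such as `val`, this check alone would not stop a read past that object, so it should be treated as a backstop and the per-case clamps kept. A comment such as `/* backstop only: each case above must clamp len to its own object */` would stop it being mistaken for the real bound. In the previous hunk the added `len > sizeof(val)` follows a clamp of `len` to `sizeof(int)` and looks redundant if `val` is an `int`.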
78172 @@ -2707,7 +2707,11 @@ static int packet_seq_show(struct seq_fi
78173
78174 seq_printf(seq,
78175 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
78176 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78177 + NULL,
78178 +#else
78179 s,
78180 +#endif
78181 atomic_read(&s->sk_refcnt),
78182 s->sk_type,
78183 ntohs(po->num),
78184 diff -urNp linux-2.6.39.2/net/phonet/af_phonet.c linux-2.6.39.2/net/phonet/af_phonet.c
78185 --- linux-2.6.39.2/net/phonet/af_phonet.c 2011-05-19 00:06:34.000000000 -0400
78186 +++ linux-2.6.39.2/net/phonet/af_phonet.c 2011-05-22 19:41:42.000000000 -0400
78187 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
78188 {
78189 struct phonet_protocol *pp;
78190
78191 - if (protocol >= PHONET_NPROTO)
78192 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78193 return NULL;
78194
78195 rcu_read_lock();
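Review bot: The new `protocol < 0` test only has an effect if `protocol` is a signed type, and its declaration sits in the signature, which the hunk header truncates. If it is an `int`, the check rejects negative values before the protocol table is presumably indexed, and the identical test in the phonet_proto_register hunk does the same. Declaring the parameter `unsigned int` in both functions would make the existing `protocol >= PHONET_NPROTO` comparison sufficient on its own and keep the two call sites from drifting apart. If the signed type has to stay, a short comment such as `/* protocol comes from the caller unchecked; reject negative indices */` would record the reason.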
78196 @@ -149,7 +149,7 @@ static int pn_header_parse(const struct
78197 return 1;
78198 }
78199
78200 -struct header_ops phonet_header_ops = {
78201 +const struct header_ops phonet_header_ops = {
78202 .create = pn_header_create,
78203 .parse = pn_header_parse,
78204 };
78205 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
78206 {
78207 int err = 0;
78208
78209 - if (protocol >= PHONET_NPROTO)
78210 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78211 return -EINVAL;
78212
78213 err = proto_register(pp->prot, 1);
78214 diff -urNp linux-2.6.39.2/net/phonet/pep.c linux-2.6.39.2/net/phonet/pep.c
78215 --- linux-2.6.39.2/net/phonet/pep.c 2011-05-19 00:06:34.000000000 -0400
78216 +++ linux-2.6.39.2/net/phonet/pep.c 2011-05-22 19:36:35.000000000 -0400
78217 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk,
78218
78219 case PNS_PEP_CTRL_REQ:
78220 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
78221 - atomic_inc(&sk->sk_drops);
78222 + atomic_inc_unchecked(&sk->sk_drops);
78223 break;
78224 }
78225 __skb_pull(skb, 4);
78226 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk,
78227 }
78228
78229 if (pn->rx_credits == 0) {
78230 - atomic_inc(&sk->sk_drops);
78231 + atomic_inc_unchecked(&sk->sk_drops);
78232 err = -ENOBUFS;
78233 break;
78234 }
78235 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
78236 }
78237
78238 if (pn->rx_credits == 0) {
78239 - atomic_inc(&sk->sk_drops);
78240 + atomic_inc_unchecked(&sk->sk_drops);
78241 err = NET_RX_DROP;
78242 break;
78243 }
78244 diff -urNp linux-2.6.39.2/net/phonet/socket.c linux-2.6.39.2/net/phonet/socket.c
78245 --- linux-2.6.39.2/net/phonet/socket.c 2011-05-19 00:06:34.000000000 -0400
78246 +++ linux-2.6.39.2/net/phonet/socket.c 2011-05-22 20:39:26.000000000 -0400
78247 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_f
78248 pn->resource, sk->sk_state,
78249 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
78250 sock_i_uid(sk), sock_i_ino(sk),
78251 - atomic_read(&sk->sk_refcnt), sk,
78252 - atomic_read(&sk->sk_drops), &len);
78253 + atomic_read(&sk->sk_refcnt),
78254 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78255 + NULL,
78256 +#else
78257 + sk,
78258 +#endif
78259 + atomic_read_unchecked(&sk->sk_drops), &len);
78260 }
78261 seq_printf(seq, "%*s\n", 127 - len, "");
78262 return 0;
78263 diff -urNp linux-2.6.39.2/net/rds/cong.c linux-2.6.39.2/net/rds/cong.c
78264 --- linux-2.6.39.2/net/rds/cong.c 2011-05-19 00:06:34.000000000 -0400
78265 +++ linux-2.6.39.2/net/rds/cong.c 2011-05-22 19:36:35.000000000 -0400
78266 @@ -77,7 +77,7 @@
78267 * finds that the saved generation number is smaller than the global generation
78268 * number, it wakes up the process.
78269 */
78270 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
78271 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
78272
78273 /*
78274 * Congestion monitoring
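Review bot: The switch of `rds_cong_generation` to `atomic_unchecked_t` carries no comment saying why this counter may wrap, which is the whole reason for opting it out of overflow checking. The reader in rds_cong_updated_since (two hunks down) compares with `*recent == gen`, so wraparound looks harmless, but the block comment just above still describes a "smaller than" comparison. A one-line comment on the declaration would record the intent, for example `/* generation counter, compared for equality only; wraparound is expected */`.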
78275 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
78276 rdsdebug("waking map %p for %pI4\n",
78277 map, &map->m_addr);
78278 rds_stats_inc(s_cong_update_received);
78279 - atomic_inc(&rds_cong_generation);
78280 + atomic_inc_unchecked(&rds_cong_generation);
78281 if (waitqueue_active(&map->m_waitq))
78282 wake_up(&map->m_waitq);
78283 if (waitqueue_active(&rds_poll_waitq))
78284 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
78285
78286 int rds_cong_updated_since(unsigned long *recent)
78287 {
78288 - unsigned long gen = atomic_read(&rds_cong_generation);
78289 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
78290
78291 if (likely(*recent == gen))
78292 return 0;
78293 diff -urNp linux-2.6.39.2/net/rds/ib_cm.c linux-2.6.39.2/net/rds/ib_cm.c
78294 --- linux-2.6.39.2/net/rds/ib_cm.c 2011-05-19 00:06:34.000000000 -0400
78295 +++ linux-2.6.39.2/net/rds/ib_cm.c 2011-05-22 19:36:35.000000000 -0400
78296 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
78297 /* Clear the ACK state */
78298 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78299 #ifdef KERNEL_HAS_ATOMIC64
78300 - atomic64_set(&ic->i_ack_next, 0);
78301 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78302 #else
78303 ic->i_ack_next = 0;
78304 #endif
78305 diff -urNp linux-2.6.39.2/net/rds/ib.h linux-2.6.39.2/net/rds/ib.h
78306 --- linux-2.6.39.2/net/rds/ib.h 2011-05-19 00:06:34.000000000 -0400
78307 +++ linux-2.6.39.2/net/rds/ib.h 2011-05-22 19:36:35.000000000 -0400
78308 @@ -127,7 +127,7 @@ struct rds_ib_connection {
78309 /* sending acks */
78310 unsigned long i_ack_flags;
78311 #ifdef KERNEL_HAS_ATOMIC64
78312 - atomic64_t i_ack_next; /* next ACK to send */
78313 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78314 #else
78315 spinlock_t i_ack_lock; /* protect i_ack_next */
78316 u64 i_ack_next; /* next ACK to send */
78317 diff -urNp linux-2.6.39.2/net/rds/ib_recv.c linux-2.6.39.2/net/rds/ib_recv.c
78318 --- linux-2.6.39.2/net/rds/ib_recv.c 2011-05-19 00:06:34.000000000 -0400
78319 +++ linux-2.6.39.2/net/rds/ib_recv.c 2011-05-22 19:36:35.000000000 -0400
78320 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78321 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
78322 int ack_required)
78323 {
78324 - atomic64_set(&ic->i_ack_next, seq);
78325 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78326 if (ack_required) {
78327 smp_mb__before_clear_bit();
78328 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78329 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78330 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78331 smp_mb__after_clear_bit();
78332
78333 - return atomic64_read(&ic->i_ack_next);
78334 + return atomic64_read_unchecked(&ic->i_ack_next);
78335 }
78336 #endif
78337
78338 diff -urNp linux-2.6.39.2/net/rds/iw_cm.c linux-2.6.39.2/net/rds/iw_cm.c
78339 --- linux-2.6.39.2/net/rds/iw_cm.c 2011-05-19 00:06:34.000000000 -0400
78340 +++ linux-2.6.39.2/net/rds/iw_cm.c 2011-05-22 19:36:35.000000000 -0400
78341 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
78342 /* Clear the ACK state */
78343 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78344 #ifdef KERNEL_HAS_ATOMIC64
78345 - atomic64_set(&ic->i_ack_next, 0);
78346 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78347 #else
78348 ic->i_ack_next = 0;
78349 #endif
78350 diff -urNp linux-2.6.39.2/net/rds/iw.h linux-2.6.39.2/net/rds/iw.h
78351 --- linux-2.6.39.2/net/rds/iw.h 2011-05-19 00:06:34.000000000 -0400
78352 +++ linux-2.6.39.2/net/rds/iw.h 2011-05-22 19:36:35.000000000 -0400
78353 @@ -133,7 +133,7 @@ struct rds_iw_connection {
78354 /* sending acks */
78355 unsigned long i_ack_flags;
78356 #ifdef KERNEL_HAS_ATOMIC64
78357 - atomic64_t i_ack_next; /* next ACK to send */
78358 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78359 #else
78360 spinlock_t i_ack_lock; /* protect i_ack_next */
78361 u64 i_ack_next; /* next ACK to send */
78362 diff -urNp linux-2.6.39.2/net/rds/iw_rdma.c linux-2.6.39.2/net/rds/iw_rdma.c
78363 --- linux-2.6.39.2/net/rds/iw_rdma.c 2011-05-19 00:06:34.000000000 -0400
78364 +++ linux-2.6.39.2/net/rds/iw_rdma.c 2011-05-22 19:36:35.000000000 -0400
78365 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78366 struct rdma_cm_id *pcm_id;
78367 int rc;
78368
78369 + pax_track_stack();
78370 +
78371 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78372 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78373
78374 diff -urNp linux-2.6.39.2/net/rds/iw_recv.c linux-2.6.39.2/net/rds/iw_recv.c
78375 --- linux-2.6.39.2/net/rds/iw_recv.c 2011-05-19 00:06:34.000000000 -0400
78376 +++ linux-2.6.39.2/net/rds/iw_recv.c 2011-05-22 19:36:35.000000000 -0400
78377 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78378 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
78379 int ack_required)
78380 {
78381 - atomic64_set(&ic->i_ack_next, seq);
78382 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78383 if (ack_required) {
78384 smp_mb__before_clear_bit();
78385 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78386 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78387 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78388 smp_mb__after_clear_bit();
78389
78390 - return atomic64_read(&ic->i_ack_next);
78391 + return atomic64_read_unchecked(&ic->i_ack_next);
78392 }
78393 #endif
78394
78395 diff -urNp linux-2.6.39.2/net/rxrpc/af_rxrpc.c linux-2.6.39.2/net/rxrpc/af_rxrpc.c
78396 --- linux-2.6.39.2/net/rxrpc/af_rxrpc.c 2011-05-19 00:06:34.000000000 -0400
78397 +++ linux-2.6.39.2/net/rxrpc/af_rxrpc.c 2011-05-22 19:36:35.000000000 -0400
78398 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
78399 __be32 rxrpc_epoch;
78400
78401 /* current debugging ID */
78402 -atomic_t rxrpc_debug_id;
78403 +atomic_unchecked_t rxrpc_debug_id;
78404
78405 /* count of skbs currently in use */
78406 atomic_t rxrpc_n_skbs;
78407 diff -urNp linux-2.6.39.2/net/rxrpc/ar-ack.c linux-2.6.39.2/net/rxrpc/ar-ack.c
78408 --- linux-2.6.39.2/net/rxrpc/ar-ack.c 2011-05-19 00:06:34.000000000 -0400
78409 +++ linux-2.6.39.2/net/rxrpc/ar-ack.c 2011-05-22 19:36:35.000000000 -0400
78410 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
78411
78412 _enter("{%d,%d,%d,%d},",
78413 call->acks_hard, call->acks_unacked,
78414 - atomic_read(&call->sequence),
78415 + atomic_read_unchecked(&call->sequence),
78416 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78417
78418 stop = 0;
78419 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
78420
78421 /* each Tx packet has a new serial number */
78422 sp->hdr.serial =
78423 - htonl(atomic_inc_return(&call->conn->serial));
78424 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
78425
78426 hdr = (struct rxrpc_header *) txb->head;
78427 hdr->serial = sp->hdr.serial;
78428 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
78429 */
78430 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78431 {
78432 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78433 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78434 }
78435
78436 /*
78437 @@ -631,7 +631,7 @@ process_further:
78438
78439 latest = ntohl(sp->hdr.serial);
78440 hard = ntohl(ack.firstPacket);
78441 - tx = atomic_read(&call->sequence);
78442 + tx = atomic_read_unchecked(&call->sequence);
78443
78444 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78445 latest,
78446 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
78447 u32 abort_code = RX_PROTOCOL_ERROR;
78448 u8 *acks = NULL;
78449
78450 + pax_track_stack();
78451 +
78452 //printk("\n--------------------\n");
78453 _enter("{%d,%s,%lx} [%lu]",
78454 call->debug_id, rxrpc_call_states[call->state], call->events,
78455 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
78456 goto maybe_reschedule;
78457
78458 send_ACK_with_skew:
78459 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78460 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78461 ntohl(ack.serial));
78462 send_ACK:
78463 mtu = call->conn->trans->peer->if_mtu;
78464 @@ -1175,7 +1177,7 @@ send_ACK:
78465 ackinfo.rxMTU = htonl(5692);
78466 ackinfo.jumbo_max = htonl(4);
78467
78468 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78469 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78470 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78471 ntohl(hdr.serial),
78472 ntohs(ack.maxSkew),
78473 @@ -1193,7 +1195,7 @@ send_ACK:
78474 send_message:
78475 _debug("send message");
78476
78477 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78478 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78479 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78480 send_message_2:
78481
78482 diff -urNp linux-2.6.39.2/net/rxrpc/ar-call.c linux-2.6.39.2/net/rxrpc/ar-call.c
78483 --- linux-2.6.39.2/net/rxrpc/ar-call.c 2011-05-19 00:06:34.000000000 -0400
78484 +++ linux-2.6.39.2/net/rxrpc/ar-call.c 2011-05-22 19:36:35.000000000 -0400
78485 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78486 spin_lock_init(&call->lock);
78487 rwlock_init(&call->state_lock);
78488 atomic_set(&call->usage, 1);
78489 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78490 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78491 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78492
78493 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78494 diff -urNp linux-2.6.39.2/net/rxrpc/ar-connection.c linux-2.6.39.2/net/rxrpc/ar-connection.c
78495 --- linux-2.6.39.2/net/rxrpc/ar-connection.c 2011-05-19 00:06:34.000000000 -0400
78496 +++ linux-2.6.39.2/net/rxrpc/ar-connection.c 2011-05-22 19:36:35.000000000 -0400
78497 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
78498 rwlock_init(&conn->lock);
78499 spin_lock_init(&conn->state_lock);
78500 atomic_set(&conn->usage, 1);
78501 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78502 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78503 conn->avail_calls = RXRPC_MAXCALLS;
78504 conn->size_align = 4;
78505 conn->header_size = sizeof(struct rxrpc_header);
78506 diff -urNp linux-2.6.39.2/net/rxrpc/ar-connevent.c linux-2.6.39.2/net/rxrpc/ar-connevent.c
78507 --- linux-2.6.39.2/net/rxrpc/ar-connevent.c 2011-05-19 00:06:34.000000000 -0400
78508 +++ linux-2.6.39.2/net/rxrpc/ar-connevent.c 2011-05-22 19:36:35.000000000 -0400
78509 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78510
78511 len = iov[0].iov_len + iov[1].iov_len;
78512
78513 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78514 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78515 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78516
78517 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78518 diff -urNp linux-2.6.39.2/net/rxrpc/ar-input.c linux-2.6.39.2/net/rxrpc/ar-input.c
78519 --- linux-2.6.39.2/net/rxrpc/ar-input.c 2011-05-19 00:06:34.000000000 -0400
78520 +++ linux-2.6.39.2/net/rxrpc/ar-input.c 2011-05-22 19:36:35.000000000 -0400
78521 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
78522 /* track the latest serial number on this connection for ACK packet
78523 * information */
78524 serial = ntohl(sp->hdr.serial);
78525 - hi_serial = atomic_read(&call->conn->hi_serial);
78526 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78527 while (serial > hi_serial)
78528 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78529 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78530 serial);
78531
78532 /* request ACK generation for any ACK or DATA packet that requests
78533 diff -urNp linux-2.6.39.2/net/rxrpc/ar-internal.h linux-2.6.39.2/net/rxrpc/ar-internal.h
78534 --- linux-2.6.39.2/net/rxrpc/ar-internal.h 2011-05-19 00:06:34.000000000 -0400
78535 +++ linux-2.6.39.2/net/rxrpc/ar-internal.h 2011-05-22 19:36:35.000000000 -0400
78536 @@ -272,8 +272,8 @@ struct rxrpc_connection {
78537 int error; /* error code for local abort */
78538 int debug_id; /* debug ID for printks */
78539 unsigned call_counter; /* call ID counter */
78540 - atomic_t serial; /* packet serial number counter */
78541 - atomic_t hi_serial; /* highest serial number received */
78542 + atomic_unchecked_t serial; /* packet serial number counter */
78543 + atomic_unchecked_t hi_serial; /* highest serial number received */
78544 u8 avail_calls; /* number of calls available */
78545 u8 size_align; /* data size alignment (for security) */
78546 u8 header_size; /* rxrpc + security header size */
78547 @@ -346,7 +346,7 @@ struct rxrpc_call {
78548 spinlock_t lock;
78549 rwlock_t state_lock; /* lock for state transition */
78550 atomic_t usage;
78551 - atomic_t sequence; /* Tx data packet sequence counter */
78552 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78553 u32 abort_code; /* local/remote abort code */
78554 enum { /* current state of call */
78555 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78556 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78557 */
78558 extern atomic_t rxrpc_n_skbs;
78559 extern __be32 rxrpc_epoch;
78560 -extern atomic_t rxrpc_debug_id;
78561 +extern atomic_unchecked_t rxrpc_debug_id;
78562 extern struct workqueue_struct *rxrpc_workqueue;
78563
78564 /*
78565 diff -urNp linux-2.6.39.2/net/rxrpc/ar-local.c linux-2.6.39.2/net/rxrpc/ar-local.c
78566 --- linux-2.6.39.2/net/rxrpc/ar-local.c 2011-05-19 00:06:34.000000000 -0400
78567 +++ linux-2.6.39.2/net/rxrpc/ar-local.c 2011-05-22 19:36:35.000000000 -0400
78568 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78569 spin_lock_init(&local->lock);
78570 rwlock_init(&local->services_lock);
78571 atomic_set(&local->usage, 1);
78572 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78573 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78574 memcpy(&local->srx, srx, sizeof(*srx));
78575 }
78576
78577 diff -urNp linux-2.6.39.2/net/rxrpc/ar-output.c linux-2.6.39.2/net/rxrpc/ar-output.c
78578 --- linux-2.6.39.2/net/rxrpc/ar-output.c 2011-05-19 00:06:34.000000000 -0400
78579 +++ linux-2.6.39.2/net/rxrpc/ar-output.c 2011-05-22 19:36:35.000000000 -0400
78580 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
78581 sp->hdr.cid = call->cid;
78582 sp->hdr.callNumber = call->call_id;
78583 sp->hdr.seq =
78584 - htonl(atomic_inc_return(&call->sequence));
78585 + htonl(atomic_inc_return_unchecked(&call->sequence));
78586 sp->hdr.serial =
78587 - htonl(atomic_inc_return(&conn->serial));
78588 + htonl(atomic_inc_return_unchecked(&conn->serial));
78589 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78590 sp->hdr.userStatus = 0;
78591 sp->hdr.securityIndex = conn->security_ix;
78592 diff -urNp linux-2.6.39.2/net/rxrpc/ar-peer.c linux-2.6.39.2/net/rxrpc/ar-peer.c
78593 --- linux-2.6.39.2/net/rxrpc/ar-peer.c 2011-05-19 00:06:34.000000000 -0400
78594 +++ linux-2.6.39.2/net/rxrpc/ar-peer.c 2011-05-22 19:36:35.000000000 -0400
78595 @@ -71,7 +71,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78596 INIT_LIST_HEAD(&peer->error_targets);
78597 spin_lock_init(&peer->lock);
78598 atomic_set(&peer->usage, 1);
78599 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78600 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78601 memcpy(&peer->srx, srx, sizeof(*srx));
78602
78603 rxrpc_assess_MTU_size(peer);
78604 diff -urNp linux-2.6.39.2/net/rxrpc/ar-proc.c linux-2.6.39.2/net/rxrpc/ar-proc.c
78605 --- linux-2.6.39.2/net/rxrpc/ar-proc.c 2011-05-19 00:06:34.000000000 -0400
78606 +++ linux-2.6.39.2/net/rxrpc/ar-proc.c 2011-05-22 19:36:35.000000000 -0400
78607 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78608 atomic_read(&conn->usage),
78609 rxrpc_conn_states[conn->state],
78610 key_serial(conn->key),
78611 - atomic_read(&conn->serial),
78612 - atomic_read(&conn->hi_serial));
78613 + atomic_read_unchecked(&conn->serial),
78614 + atomic_read_unchecked(&conn->hi_serial));
78615
78616 return 0;
78617 }
78618 diff -urNp linux-2.6.39.2/net/rxrpc/ar-transport.c linux-2.6.39.2/net/rxrpc/ar-transport.c
78619 --- linux-2.6.39.2/net/rxrpc/ar-transport.c 2011-05-19 00:06:34.000000000 -0400
78620 +++ linux-2.6.39.2/net/rxrpc/ar-transport.c 2011-05-22 19:36:35.000000000 -0400
78621 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
78622 spin_lock_init(&trans->client_lock);
78623 rwlock_init(&trans->conn_lock);
78624 atomic_set(&trans->usage, 1);
78625 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78626 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78627
78628 if (peer->srx.transport.family == AF_INET) {
78629 switch (peer->srx.transport_type) {
78630 diff -urNp linux-2.6.39.2/net/rxrpc/rxkad.c linux-2.6.39.2/net/rxrpc/rxkad.c
78631 --- linux-2.6.39.2/net/rxrpc/rxkad.c 2011-05-19 00:06:34.000000000 -0400
78632 +++ linux-2.6.39.2/net/rxrpc/rxkad.c 2011-05-22 19:36:35.000000000 -0400
78633 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
78634 u16 check;
78635 int nsg;
78636
78637 + pax_track_stack();
78638 +
78639 sp = rxrpc_skb(skb);
78640
78641 _enter("");
78642 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
78643 u16 check;
78644 int nsg;
78645
78646 + pax_track_stack();
78647 +
78648 _enter("");
78649
78650 sp = rxrpc_skb(skb);
78651 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
78652
78653 len = iov[0].iov_len + iov[1].iov_len;
78654
78655 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78656 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78657 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78658
78659 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78660 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
78661
78662 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78663
78664 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
78665 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78666 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78667
78668 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78669 diff -urNp linux-2.6.39.2/net/sched/em_meta.c linux-2.6.39.2/net/sched/em_meta.c
78670 --- linux-2.6.39.2/net/sched/em_meta.c 2011-05-19 00:06:34.000000000 -0400
78671 +++ linux-2.6.39.2/net/sched/em_meta.c 2011-05-22 19:36:35.000000000 -0400
78672 @@ -832,7 +832,7 @@ static int em_meta_dump(struct sk_buff *
78673 {
78674 struct meta_match *meta = (struct meta_match *) em->data;
78675 struct tcf_meta_hdr hdr;
78676 - struct meta_type_ops *ops;
78677 + const struct meta_type_ops *ops;
78678
78679 memset(&hdr, 0, sizeof(hdr));
78680 memcpy(&hdr.left, &meta->lvalue.hdr, sizeof(hdr.left));
78681 diff -urNp linux-2.6.39.2/net/sctp/proc.c linux-2.6.39.2/net/sctp/proc.c
78682 --- linux-2.6.39.2/net/sctp/proc.c 2011-05-19 00:06:34.000000000 -0400
78683 +++ linux-2.6.39.2/net/sctp/proc.c 2011-05-22 19:41:42.000000000 -0400
78684 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
78685 sctp_for_each_hentry(epb, node, &head->chain) {
78686 ep = sctp_ep(epb);
78687 sk = epb->sk;
78688 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78689 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78690 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78691 + NULL, NULL,
78692 +#else
78693 + ep, sk,
78694 +#endif
78695 sctp_sk(sk)->type, sk->sk_state, hash,
78696 epb->bind_addr.port,
78697 sock_i_uid(sk), sock_i_ino(sk));
78698 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
78699 seq_printf(seq,
78700 "%8p %8p %-3d %-3d %-2d %-4d "
78701 "%4d %8d %8d %7d %5lu %-5d %5d ",
78702 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78703 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78704 + NULL, NULL,
78705 +#else
78706 + assoc, sk,
78707 +#endif
78708 + sctp_sk(sk)->type, sk->sk_state,
78709 assoc->state, hash,
78710 assoc->assoc_id,
78711 assoc->sndbuf_used,
78712 diff -urNp linux-2.6.39.2/net/sctp/socket.c linux-2.6.39.2/net/sctp/socket.c
78713 --- linux-2.6.39.2/net/sctp/socket.c 2011-05-19 00:06:34.000000000 -0400
78714 +++ linux-2.6.39.2/net/sctp/socket.c 2011-05-22 19:36:35.000000000 -0400
78715 @@ -4433,7 +4433,7 @@ static int sctp_getsockopt_peer_addrs(st
78716 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
78717 if (space_left < addrlen)
78718 return -ENOMEM;
78719 - if (copy_to_user(to, &temp, addrlen))
78720 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
78721 return -EFAULT;
78722 to += addrlen;
78723 cnt++;
78724 diff -urNp linux-2.6.39.2/net/socket.c linux-2.6.39.2/net/socket.c
78725 --- linux-2.6.39.2/net/socket.c 2011-06-03 00:04:14.000000000 -0400
78726 +++ linux-2.6.39.2/net/socket.c 2011-06-03 00:32:08.000000000 -0400
78727 @@ -88,6 +88,7 @@
78728 #include <linux/nsproxy.h>
78729 #include <linux/magic.h>
78730 #include <linux/slab.h>
78731 +#include <linux/in.h>
78732
78733 #include <asm/uaccess.h>
78734 #include <asm/unistd.h>
78735 @@ -105,6 +106,8 @@
78736 #include <linux/sockios.h>
78737 #include <linux/atalk.h>
78738
78739 +#include <linux/grsock.h>
78740 +
78741 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
78742 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
78743 unsigned long nr_segs, loff_t pos);
78744 @@ -330,7 +333,7 @@ static struct dentry *sockfs_mount(struc
78745 &sockfs_dentry_operations, SOCKFS_MAGIC);
78746 }
78747
78748 -static struct vfsmount *sock_mnt __read_mostly;
78749 +struct vfsmount *sock_mnt __read_mostly;
78750
78751 static struct file_system_type sock_fs_type = {
78752 .name = "sockfs",
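Review bot: Dropping `static` from `sock_mnt` gives the variable external linkage, but no matching `extern` declaration or user is visible in this file's hunks. If the new consumer is the code behind `<linux/grsock.h>`, the declaration belongs in that header so the definition is type-checked against it. Otherwise a small accessor would avoid exposing a writable global. A short comment on the definition naming the outside user would also explain why the linkage was widened.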
78753 @@ -1179,6 +1182,8 @@ int __sock_create(struct net *net, int f
78754 return -EAFNOSUPPORT;
78755 if (type < 0 || type >= SOCK_MAX)
78756 return -EINVAL;
78757 + if (protocol < 0)
78758 + return -EINVAL;
78759
78760 /* Compatibility.
78761
78762 @@ -1311,6 +1316,16 @@ SYSCALL_DEFINE3(socket, int, family, int
78763 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
78764 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
78765
78766 + if(!gr_search_socket(family, type, protocol)) {
78767 + retval = -EACCES;
78768 + goto out;
78769 + }
78770 +
78771 + if (gr_handle_sock_all(family, type, protocol)) {
78772 + retval = -EACCES;
78773 + goto out;
78774 + }
78775 +
78776 retval = sock_create(family, type, protocol, &sock);
78777 if (retval < 0)
78778 goto out;
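Review bot: Both new checks run before `sock_create()`, so `gr_search_socket()` and `gr_handle_sock_all()` receive `family`, `type` and `protocol` straight from user space. The range checks in `__sock_create` (previous hunk) have not been applied yet, so the helpers must bound these values themselves before using them as indices; their bodies are not visible here. The two helpers also have opposite polarity (the first is negated, the second is not, and both end in -EACCES), which deserves a comment such as `/* gr_search_socket(): nonzero = allowed; gr_handle_sock_all(): nonzero = denied */`. The first test should be spelled `if (!gr_search_socket(family, type, protocol)) {` to match the file's spacing.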
78779 @@ -1423,6 +1438,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78780 if (sock) {
78781 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
78782 if (err >= 0) {
78783 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
78784 + err = -EACCES;
78785 + goto error;
78786 + }
78787 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
78788 + if (err)
78789 + goto error;
78790 +
78791 err = security_socket_bind(sock,
78792 (struct sockaddr *)&address,
78793 addrlen);
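Review bot: `gr_search_bind()` is handed `&address` cast to `struct sockaddr_in *`, and neither it nor `gr_handle_sock_server()` receives `addrlen`. The helpers therefore cannot tell how many bytes `move_addr_to_kernel()` actually filled, or whether the family is AF_INET at all. Unless they check `sa_family` before touching `sin_port`/`sin_addr` (their bodies are not visible here), a short or non-IPv4 address would be read as IPv4 from whatever the on-stack buffer held. Passing the length, e.g. `err = gr_search_bind(sock, (struct sockaddr_in *)&address, addrlen);`, or keeping the parameter a `struct sockaddr *` and casting after the family check, makes that contract explicit. The connect hunk further down has the same shape with `gr_handle_sock_client()` and `gr_search_connect()`.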
78794 @@ -1431,6 +1454,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78795 (struct sockaddr *)
78796 &address, addrlen);
78797 }
78798 +error:
78799 fput_light(sock->file, fput_needed);
78800 }
78801 return err;
78802 @@ -1454,10 +1478,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
78803 if ((unsigned)backlog > somaxconn)
78804 backlog = somaxconn;
78805
78806 + if (gr_handle_sock_server_other(sock->sk)) {
78807 + err = -EPERM;
78808 + goto error;
78809 + }
78810 +
78811 + err = gr_search_listen(sock);
78812 + if (err)
78813 + goto error;
78814 +
78815 err = security_socket_listen(sock, backlog);
78816 if (!err)
78817 err = sock->ops->listen(sock, backlog);
78818
78819 +error:
78820 fput_light(sock->file, fput_needed);
78821 }
78822 return err;
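Review bot: The denial from `gr_handle_sock_server_other()` is reported as -EPERM here and in the accept4 hunk below. The `gr_handle_sock_*` denials added to socket(), bind() and connect() in this same file use -EACCES. If the difference is intentional it needs a comment at one of the sites; otherwise pick one code so callers see a consistent errno for policy refusals. The new label is also named `error:` while neighbouring syscalls in the file use `out_put:`/`out:`, and it is reached on the success path too, so `out_put:` would describe it better.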
78823 @@ -1501,6 +1535,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78824 newsock->type = sock->type;
78825 newsock->ops = sock->ops;
78826
78827 + if (gr_handle_sock_server_other(sock->sk)) {
78828 + err = -EPERM;
78829 + sock_release(newsock);
78830 + goto out_put;
78831 + }
78832 +
78833 + err = gr_search_accept(sock);
78834 + if (err) {
78835 + sock_release(newsock);
78836 + goto out_put;
78837 + }
78838 +
78839 /*
78840 * We don't need try_module_get here, as the listening socket (sock)
78841 * has the protocol module (sock->ops->owner) held.
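Review bot: Both new early exits call `sock_release(newsock)` after `newsock->ops` has been set but before the module reference that the comment below refers to is taken. If `sock_release()` drops the owner reference through `newsock->ops`, as the mainline helper of this era does, each denied accept releases a reference it never acquired. Both checks use only `sock`, so they can run before `newsock` is allocated, which removes the `sock_release()` calls altogether. The allocation and the `__module_get` call are outside this hunk, so the exact placement and the value `err` holds afterwards need checking against the full function.
```c
	/* … placed before newsock is allocated (outside this hunk) … */
	if (gr_handle_sock_server_other(sock->sk)) {
		err = -EPERM;
		goto out_put;
	}

	err = gr_search_accept(sock);
	if (err)
		goto out_put;
	/* … unchanged: newsock allocation, type/ops copy, module reference … */
```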
78842 @@ -1539,6 +1585,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78843 fd_install(newfd, newfile);
78844 err = newfd;
78845
78846 + gr_attach_curr_ip(newsock->sk);
78847 +
78848 out_put:
78849 fput_light(sock->file, fput_needed);
78850 out:
78851 @@ -1571,6 +1619,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78852 int, addrlen)
78853 {
78854 struct socket *sock;
78855 + struct sockaddr *sck;
78856 struct sockaddr_storage address;
78857 int err, fput_needed;
78858
78859 @@ -1581,6 +1630,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78860 if (err < 0)
78861 goto out_put;
78862
78863 + sck = (struct sockaddr *)&address;
78864 +
78865 + if (gr_handle_sock_client(sck)) {
78866 + err = -EACCES;
78867 + goto out_put;
78868 + }
78869 +
78870 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
78871 + if (err)
78872 + goto out_put;
78873 +
78874 err =
78875 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
78876 if (err)
78877 @@ -1882,6 +1942,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
78878 int err, ctl_len, iov_size, total_len;
78879 int fput_needed;
78880
78881 + pax_track_stack();
78882 +
78883 err = -EFAULT;
78884 if (MSG_CMSG_COMPAT & flags) {
78885 if (get_compat_msghdr(&msg_sys, msg_compat))
78886 diff -urNp linux-2.6.39.2/net/sunrpc/sched.c linux-2.6.39.2/net/sunrpc/sched.c
78887 --- linux-2.6.39.2/net/sunrpc/sched.c 2011-05-19 00:06:34.000000000 -0400
78888 +++ linux-2.6.39.2/net/sunrpc/sched.c 2011-05-22 19:36:35.000000000 -0400
78889 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
78890 #ifdef RPC_DEBUG
78891 static void rpc_task_set_debuginfo(struct rpc_task *task)
78892 {
78893 - static atomic_t rpc_pid;
78894 + static atomic_unchecked_t rpc_pid;
78895
78896 - task->tk_pid = atomic_inc_return(&rpc_pid);
78897 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
78898 }
78899 #else
78900 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
78901 diff -urNp linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma.c
78902 --- linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-19 00:06:34.000000000 -0400
78903 +++ linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-22 19:36:35.000000000 -0400
78904 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
78905 static unsigned int min_max_inline = 4096;
78906 static unsigned int max_max_inline = 65536;
78907
78908 -atomic_t rdma_stat_recv;
78909 -atomic_t rdma_stat_read;
78910 -atomic_t rdma_stat_write;
78911 -atomic_t rdma_stat_sq_starve;
78912 -atomic_t rdma_stat_rq_starve;
78913 -atomic_t rdma_stat_rq_poll;
78914 -atomic_t rdma_stat_rq_prod;
78915 -atomic_t rdma_stat_sq_poll;
78916 -atomic_t rdma_stat_sq_prod;
78917 +atomic_unchecked_t rdma_stat_recv;
78918 +atomic_unchecked_t rdma_stat_read;
78919 +atomic_unchecked_t rdma_stat_write;
78920 +atomic_unchecked_t rdma_stat_sq_starve;
78921 +atomic_unchecked_t rdma_stat_rq_starve;
78922 +atomic_unchecked_t rdma_stat_rq_poll;
78923 +atomic_unchecked_t rdma_stat_rq_prod;
78924 +atomic_unchecked_t rdma_stat_sq_poll;
78925 +atomic_unchecked_t rdma_stat_sq_prod;
78926
78927 /* Temporary NFS request map and context caches */
78928 struct kmem_cache *svc_rdma_map_cachep;
78929 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
78930 len -= *ppos;
78931 if (len > *lenp)
78932 len = *lenp;
78933 - if (len && copy_to_user(buffer, str_buf, len))
78934 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
78935 return -EFAULT;
78936 *lenp = len;
78937 *ppos += len;
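Review bot: Only the `copy_to_user` line of read_reset_stat changes, although the counters it serves become `atomic_unchecked_t` in the hunk above and the table's `.maxlen` follows in the hunk below. The start of the function is outside this hunk. If it still reaches `table->data` through an `atomic_t *` with `atomic_read`/`atomic_set`, the handler is now type-inconsistent with its data and works only because the two types share a layout. Declaring the local as `atomic_unchecked_t *stat = (atomic_unchecked_t *)table->data;` and using the `_unchecked` accessors would keep the three places in step. Separately, a zero `len` passes the new bound and skips the copy, which matches the old behaviour.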
78938 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
78939 {
78940 .procname = "rdma_stat_read",
78941 .data = &rdma_stat_read,
78942 - .maxlen = sizeof(atomic_t),
78943 + .maxlen = sizeof(atomic_unchecked_t),
78944 .mode = 0644,
78945 .proc_handler = read_reset_stat,
78946 },
78947 {
78948 .procname = "rdma_stat_recv",
78949 .data = &rdma_stat_recv,
78950 - .maxlen = sizeof(atomic_t),
78951 + .maxlen = sizeof(atomic_unchecked_t),
78952 .mode = 0644,
78953 .proc_handler = read_reset_stat,
78954 },
78955 {
78956 .procname = "rdma_stat_write",
78957 .data = &rdma_stat_write,
78958 - .maxlen = sizeof(atomic_t),
78959 + .maxlen = sizeof(atomic_unchecked_t),
78960 .mode = 0644,
78961 .proc_handler = read_reset_stat,
78962 },
78963 {
78964 .procname = "rdma_stat_sq_starve",
78965 .data = &rdma_stat_sq_starve,
78966 - .maxlen = sizeof(atomic_t),
78967 + .maxlen = sizeof(atomic_unchecked_t),
78968 .mode = 0644,
78969 .proc_handler = read_reset_stat,
78970 },
78971 {
78972 .procname = "rdma_stat_rq_starve",
78973 .data = &rdma_stat_rq_starve,
78974 - .maxlen = sizeof(atomic_t),
78975 + .maxlen = sizeof(atomic_unchecked_t),
78976 .mode = 0644,
78977 .proc_handler = read_reset_stat,
78978 },
78979 {
78980 .procname = "rdma_stat_rq_poll",
78981 .data = &rdma_stat_rq_poll,
78982 - .maxlen = sizeof(atomic_t),
78983 + .maxlen = sizeof(atomic_unchecked_t),
78984 .mode = 0644,
78985 .proc_handler = read_reset_stat,
78986 },
78987 {
78988 .procname = "rdma_stat_rq_prod",
78989 .data = &rdma_stat_rq_prod,
78990 - .maxlen = sizeof(atomic_t),
78991 + .maxlen = sizeof(atomic_unchecked_t),
78992 .mode = 0644,
78993 .proc_handler = read_reset_stat,
78994 },
78995 {
78996 .procname = "rdma_stat_sq_poll",
78997 .data = &rdma_stat_sq_poll,
78998 - .maxlen = sizeof(atomic_t),
78999 + .maxlen = sizeof(atomic_unchecked_t),
79000 .mode = 0644,
79001 .proc_handler = read_reset_stat,
79002 },
79003 {
79004 .procname = "rdma_stat_sq_prod",
79005 .data = &rdma_stat_sq_prod,
79006 - .maxlen = sizeof(atomic_t),
79007 + .maxlen = sizeof(atomic_unchecked_t),
79008 .mode = 0644,
79009 .proc_handler = read_reset_stat,
79010 },
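Review bot: All nine entries now use `sizeof(atomic_unchecked_t)`, but nothing in the table records why these counters are exempt from overflow checking. A one-line comment above `svcrdma_parm_table` would capture the intent, for example `/* statistics only: wrap-around is harmless, so the unchecked atomic type is used */`. `read_reset_stat`, which every entry names as `.proc_handler`, is outside this hunk, so confirm it reads and resets the counters through the `_unchecked` accessors too. The same remark covers the `atomic_inc_unchecked()` call sites changed further down in svc_rdma_recvfrom.c, svc_rdma_sendto.c and svc_rdma_transport.c. The table itself starts before the hunk.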
79011 diff -urNp linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
79012 --- linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-19 00:06:34.000000000 -0400
79013 +++ linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-22 19:36:35.000000000 -0400
79014 @@ -499,7 +499,7 @@ next_sge:
79015 svc_rdma_put_context(ctxt, 0);
79016 goto out;
79017 }
79018 - atomic_inc(&rdma_stat_read);
79019 + atomic_inc_unchecked(&rdma_stat_read);
79020
79021 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
79022 chl_map->ch[ch_no].count -= read_wr.num_sge;
79023 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79024 dto_q);
79025 list_del_init(&ctxt->dto_q);
79026 } else {
79027 - atomic_inc(&rdma_stat_rq_starve);
79028 + atomic_inc_unchecked(&rdma_stat_rq_starve);
79029 clear_bit(XPT_DATA, &xprt->xpt_flags);
79030 ctxt = NULL;
79031 }
79032 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79033 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
79034 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
79035 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
79036 - atomic_inc(&rdma_stat_recv);
79037 + atomic_inc_unchecked(&rdma_stat_recv);
79038
79039 /* Build up the XDR from the receive buffers. */
79040 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
79041 diff -urNp linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_sendto.c
79042 --- linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-19 00:06:34.000000000 -0400
79043 +++ linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-22 19:36:35.000000000 -0400
79044 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
79045 write_wr.wr.rdma.remote_addr = to;
79046
79047 /* Post It */
79048 - atomic_inc(&rdma_stat_write);
79049 + atomic_inc_unchecked(&rdma_stat_write);
79050 if (svc_rdma_send(xprt, &write_wr))
79051 goto err;
79052 return 0;
79053 diff -urNp linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_transport.c
79054 --- linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-19 00:06:34.000000000 -0400
79055 +++ linux-2.6.39.2/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-22 19:36:35.000000000 -0400
79056 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
79057 return;
79058
79059 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
79060 - atomic_inc(&rdma_stat_rq_poll);
79061 + atomic_inc_unchecked(&rdma_stat_rq_poll);
79062
79063 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
79064 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
79065 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
79066 }
79067
79068 if (ctxt)
79069 - atomic_inc(&rdma_stat_rq_prod);
79070 + atomic_inc_unchecked(&rdma_stat_rq_prod);
79071
79072 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
79073 /*
79074 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
79075 return;
79076
79077 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
79078 - atomic_inc(&rdma_stat_sq_poll);
79079 + atomic_inc_unchecked(&rdma_stat_sq_poll);
79080 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
79081 if (wc.status != IB_WC_SUCCESS)
79082 /* Close the transport */
79083 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
79084 }
79085
79086 if (ctxt)
79087 - atomic_inc(&rdma_stat_sq_prod);
79088 + atomic_inc_unchecked(&rdma_stat_sq_prod);
79089 }
79090
79091 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
79092 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
79093 spin_lock_bh(&xprt->sc_lock);
79094 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
79095 spin_unlock_bh(&xprt->sc_lock);
79096 - atomic_inc(&rdma_stat_sq_starve);
79097 + atomic_inc_unchecked(&rdma_stat_sq_starve);
79098
79099 /* See if we can opportunistically reap SQ WR to make room */
79100 sq_cq_reap(xprt);
79101 diff -urNp linux-2.6.39.2/net/sysctl_net.c linux-2.6.39.2/net/sysctl_net.c
79102 --- linux-2.6.39.2/net/sysctl_net.c 2011-05-19 00:06:34.000000000 -0400
79103 +++ linux-2.6.39.2/net/sysctl_net.c 2011-05-22 19:41:42.000000000 -0400
79104 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
79105 struct ctl_table *table)
79106 {
79107 /* Allow network administrator to have same access as root. */
79108 - if (capable(CAP_NET_ADMIN)) {
79109 + if (capable_nolog(CAP_NET_ADMIN)) {
79110 int mode = (table->mode >> 6) & 7;
79111 return (mode << 6) | (mode << 3) | mode;
79112 }
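Review bot: With `capable_nolog()` a caller that lacks CAP_NET_ADMIN leaves no audit trace at this check, and the hunk has no comment saying that is deliberate. net_ctl_permissions() looks like a permission callback evaluated on lookups under the net sysctl tree, so the logging variant would presumably be very noisy. The existing comment could be extended to `/* Allow network administrator to have same access as root; not logged, this only computes the visible mode. */`. If refused writes to net sysctls need to be visible to detection, that has to be logged where the write is rejected, which is outside this hunk.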
79113 diff -urNp linux-2.6.39.2/net/unix/af_unix.c linux-2.6.39.2/net/unix/af_unix.c
79114 --- linux-2.6.39.2/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -0400
79115 +++ linux-2.6.39.2/net/unix/af_unix.c 2011-05-22 19:41:42.000000000 -0400
79116 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
79117 err = -ECONNREFUSED;
79118 if (!S_ISSOCK(inode->i_mode))
79119 goto put_fail;
79120 +
79121 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
79122 + err = -EACCES;
79123 + goto put_fail;
79124 + }
79125 +
79126 u = unix_find_socket_byinode(inode);
79127 if (!u)
79128 goto put_fail;
79129 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
79130 if (u) {
79131 struct dentry *dentry;
79132 dentry = unix_sk(u)->dentry;
79133 +
79134 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
79135 + err = -EPERM;
79136 + sock_put(u);
79137 + goto fail;
79138 + }
79139 +
79140 if (dentry)
79141 touch_atime(unix_sk(u)->mnt, dentry);
79142 } else
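Review bot: `u->sk_peer_pid` is handed to gr_handle_chroot_unix() with no lock or pid reference visible in this hunk, while the later unix_bind hunk in this file replaces the same field with `put_pid()`/`get_pid()`. If those two paths can run concurrently on one socket, the pid could be released while it is still being inspected. Reading the pointer under the socket's state lock, taking `get_pid()` and dropping it with `put_pid()` after the check, would close that window. The locking around this block is outside the hunk, so this needs confirming against the whole function. A short comment on why this denial returns `-EPERM` while the gr_acl_handle_unix() check in the previous hunk returns `-EACCES` would also help callers.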
79143 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
79144 err = security_path_mknod(&nd.path, dentry, mode, 0);
79145 if (err)
79146 goto out_mknod_drop_write;
79147 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
79148 + err = -EACCES;
79149 + goto out_mknod_drop_write;
79150 + }
79151 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
79152 out_mknod_drop_write:
79153 mnt_drop_write(nd.path.mnt);
79154 if (err)
79155 goto out_mknod_dput;
79156 +
79157 + gr_handle_create(dentry, nd.path.mnt);
79158 +
79159 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
79160 dput(nd.path.dentry);
79161 nd.path.dentry = dentry;
79162 @@ -894,6 +914,11 @@ out_mknod_drop_write:
79163 goto out_unlock;
79164 }
79165
79166 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
79167 + put_pid(sk->sk_peer_pid);
79168 + sk->sk_peer_pid = get_pid(task_tgid(current));
79169 +#endif
79170 +
79171 list = &unix_socket_table[addr->hash];
79172 } else {
79173 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
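Review bot: Under CONFIG_GRKERNSEC_CHROOT_UNIX, `sk->sk_peer_pid` is now set at bind time, which gives the field a second meaning (the binding task rather than a connected peer) with no comment explaining it. Any code that reports peer credentials from `sk_peer_pid` is outside this hunk; it should be checked that an unconnected socket does not start returning the binder's pid alongside an unset credential. A comment such as `/* record the binding task so the chroot check in unix_find_other() can identify the socket's owner */` would document the intent. The hunk sits inside unix_bind(), which starts and ends outside it.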
79174 @@ -2255,7 +2280,11 @@ static int unix_seq_show(struct seq_file
79175 unix_state_lock(s);
79176
79177 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
79178 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79179 + NULL,
79180 +#else
79181 s,
79182 +#endif
79183 atomic_read(&s->sk_refcnt),
79184 0,
79185 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
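Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` placed inside the seq_printf() argument list is hard to read and easy to break when the format string changes. Choosing the value once before the call keeps the preprocessor out of the expression: declare a local `const void *shown` set to `NULL` under the option and to `s` otherwise, and pass `shown`. A comment should also say that with the option enabled every row prints the same null address, so consumers of this proc file cannot use the first column to tell sockets apart. unix_seq_show() continues outside the hunk.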
79186 diff -urNp linux-2.6.39.2/net/wireless/wext-core.c linux-2.6.39.2/net/wireless/wext-core.c
79187 --- linux-2.6.39.2/net/wireless/wext-core.c 2011-05-19 00:06:34.000000000 -0400
79188 +++ linux-2.6.39.2/net/wireless/wext-core.c 2011-05-22 19:36:35.000000000 -0400
79189 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
79190 */
79191
79192 /* Support for very large requests */
79193 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
79194 - (user_length > descr->max_tokens)) {
79195 + if (user_length > descr->max_tokens) {
79196 /* Allow userspace to GET more than max so
79197 * we can support any size GET requests.
79198 * There is still a limit : -ENOMEM.
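Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, every descriptor takes the large-request path whenever `user_length > descr->max_tokens`, so the size of the `extra` buffer follows a value supplied by userspace for all ioctls, not only those flagged NOMAX. The allocation and whatever bounds it are outside this hunk. Confirm that the buffer is zero-filled and that the copy back to userspace is limited to what the handler reports, because the next hunk also deletes the `iwp->length = descr->max_tokens` reset used for GETs that are not NOMAX. A comment stating which of those two properties now prevents uninitialised heap from reaching userspace would make the change reviewable on its own.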
79199 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
79200 }
79201 }
79202
79203 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
79204 - /*
79205 - * If this is a GET, but not NOMAX, it means that the extra
79206 - * data is not bounded by userspace, but by max_tokens. Thus
79207 - * set the length to max_tokens. This matches the extra data
79208 - * allocation.
79209 - * The driver should fill it with the number of tokens it
79210 - * provided, and it may check iwp->length rather than having
79211 - * knowledge of max_tokens. If the driver doesn't change the
79212 - * iwp->length, this ioctl just copies back max_token tokens
79213 - * filled with zeroes. Hopefully the driver isn't claiming
79214 - * them to be valid data.
79215 - */
79216 - iwp->length = descr->max_tokens;
79217 - }
79218 -
79219 err = handler(dev, info, (union iwreq_data *) iwp, extra);
79220
79221 iwp->length += essid_compat;
79222 diff -urNp linux-2.6.39.2/net/xfrm/xfrm_policy.c linux-2.6.39.2/net/xfrm/xfrm_policy.c
79223 --- linux-2.6.39.2/net/xfrm/xfrm_policy.c 2011-05-19 00:06:34.000000000 -0400
79224 +++ linux-2.6.39.2/net/xfrm/xfrm_policy.c 2011-05-22 19:36:35.000000000 -0400
79225 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
79226 {
79227 policy->walk.dead = 1;
79228
79229 - atomic_inc(&policy->genid);
79230 + atomic_inc_unchecked(&policy->genid);
79231
79232 if (del_timer(&policy->timer))
79233 xfrm_pol_put(policy);
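Review bot: `policy->genid` is bumped with `atomic_inc_unchecked()`, but the reason this counter may wrap is not written down in the hunk. The later hunks in this file (xfrm_resolve_and_create_bundle, xfrm_bundle_ok, xfrm_policy_migrate) show it is only copied and compared for inequality, so a comment at the field's declaration, which is outside this section, would make the exemption auditable: `/* generation counter: compared for equality only, wrap-around tolerated */`. The same holds for `flow_cache_genid` in the xfrm_policy_insert hunk. A wrap back onto a cached value would make a stale bundle look current; that is presumably accepted, but worth stating.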
79234 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
79235 hlist_add_head(&policy->bydst, chain);
79236 xfrm_pol_hold(policy);
79237 net->xfrm.policy_count[dir]++;
79238 - atomic_inc(&flow_cache_genid);
79239 + atomic_inc_unchecked(&flow_cache_genid);
79240 if (delpol)
79241 __xfrm_policy_unlink(delpol, dir);
79242 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
79243 @@ -1527,7 +1527,7 @@ free_dst:
79244 goto out;
79245 }
79246
79247 -static int inline
79248 +static inline int
79249 xfrm_dst_alloc_copy(void **target, const void *src, int size)
79250 {
79251 if (!*target) {
79252 @@ -1539,7 +1539,7 @@ xfrm_dst_alloc_copy(void **target, const
79253 return 0;
79254 }
79255
79256 -static int inline
79257 +static inline int
79258 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
79259 {
79260 #ifdef CONFIG_XFRM_SUB_POLICY
79261 @@ -1551,7 +1551,7 @@ xfrm_dst_update_parent(struct dst_entry
79262 #endif
79263 }
79264
79265 -static int inline
79266 +static inline int
79267 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
79268 {
79269 #ifdef CONFIG_XFRM_SUB_POLICY
79270 @@ -1645,7 +1645,7 @@ xfrm_resolve_and_create_bundle(struct xf
79271
79272 xdst->num_pols = num_pols;
79273 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
79274 - xdst->policy_genid = atomic_read(&pols[0]->genid);
79275 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
79276
79277 return xdst;
79278 }
79279 @@ -2332,7 +2332,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
79280 if (xdst->xfrm_genid != dst->xfrm->genid)
79281 return 0;
79282 if (xdst->num_pols > 0 &&
79283 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
79284 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
79285 return 0;
79286
79287 mtu = dst_mtu(dst->child);
79288 @@ -2860,7 +2860,7 @@ static int xfrm_policy_migrate(struct xf
79289 sizeof(pol->xfrm_vec[i].saddr));
79290 pol->xfrm_vec[i].encap_family = mp->new_family;
79291 /* flush bundles */
79292 - atomic_inc(&pol->genid);
79293 + atomic_inc_unchecked(&pol->genid);
79294 }
79295 }
79296
79297 diff -urNp linux-2.6.39.2/net/xfrm/xfrm_user.c linux-2.6.39.2/net/xfrm/xfrm_user.c
79298 --- linux-2.6.39.2/net/xfrm/xfrm_user.c 2011-05-19 00:06:34.000000000 -0400
79299 +++ linux-2.6.39.2/net/xfrm/xfrm_user.c 2011-05-22 19:36:35.000000000 -0400
79300 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
79301 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
79302 int i;
79303
79304 + pax_track_stack();
79305 +
79306 if (xp->xfrm_nr == 0)
79307 return 0;
79308
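Review bot: `vec[XFRM_MAX_DEPTH]` is declared without an initializer in the lines shown, and the function name indicates its contents are handed to userspace. If the body, which continues outside this hunk, fills the entries field by field, padding and any unset fields would carry stale stack bytes out. Adding `memset(vec, 0, sizeof(vec));` before the fill loop would rule that out. The added `pax_track_stack()` call has no comment either; a line saying it is there because of the large on-stack array would help, and the same applies to xfrm_do_migrate in the next hunk.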
79309 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
79310 int err;
79311 int n = 0;
79312
79313 + pax_track_stack();
79314 +
79315 if (attrs[XFRMA_MIGRATE] == NULL)
79316 return -EINVAL;
79317
79318 diff -urNp linux-2.6.39.2/scripts/basic/fixdep.c linux-2.6.39.2/scripts/basic/fixdep.c
79319 --- linux-2.6.39.2/scripts/basic/fixdep.c 2011-05-19 00:06:34.000000000 -0400
79320 +++ linux-2.6.39.2/scripts/basic/fixdep.c 2011-05-22 19:36:35.000000000 -0400
79321 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
79322
79323 static void parse_config_file(const char *map, size_t len)
79324 {
79325 - const int *end = (const int *) (map + len);
79326 + const unsigned int *end = (const unsigned int *) (map + len);
79327 /* start at +1, so that p can never be < map */
79328 - const int *m = (const int *) map + 1;
79329 + const unsigned int *m = (const unsigned int *) map + 1;
79330 const char *p, *q;
79331
79332 for (; m < end; m++) {
79333 @@ -405,7 +405,7 @@ static void print_deps(void)
79334 static void traps(void)
79335 {
79336 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79337 - int *p = (int *)test;
79338 + unsigned int *p = (unsigned int *)test;
79339
79340 if (*p != INT_CONF) {
79341 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79342 diff -urNp linux-2.6.39.2/scripts/dtc/flattree.c linux-2.6.39.2/scripts/dtc/flattree.c
79343 --- linux-2.6.39.2/scripts/dtc/flattree.c 2011-05-19 00:06:34.000000000 -0400
79344 +++ linux-2.6.39.2/scripts/dtc/flattree.c 2011-05-22 19:36:35.000000000 -0400
79345 @@ -104,7 +104,7 @@ static void bin_emit_property(void *e, s
79346 bin_emit_cell(e, FDT_PROP);
79347 }
79348
79349 -static struct emitter bin_emitter = {
79350 +static const struct emitter bin_emitter = {
79351 .cell = bin_emit_cell,
79352 .string = bin_emit_string,
79353 .align = bin_emit_align,
79354 @@ -230,7 +230,7 @@ static void asm_emit_property(void *e, s
79355 asm_emit_cell(e, FDT_PROP);
79356 }
79357
79358 -static struct emitter asm_emitter = {
79359 +static const struct emitter asm_emitter = {
79360 .cell = asm_emit_cell,
79361 .string = asm_emit_string,
79362 .align = asm_emit_align,
79363 diff -urNp linux-2.6.39.2/scripts/Makefile.build linux-2.6.39.2/scripts/Makefile.build
79364 --- linux-2.6.39.2/scripts/Makefile.build 2011-05-19 00:06:34.000000000 -0400
79365 +++ linux-2.6.39.2/scripts/Makefile.build 2011-06-03 01:15:00.000000000 -0400
79366 @@ -93,7 +93,7 @@ endif
79367 endif
79368
79369 # Do not include host rules unless needed
79370 -ifneq ($(hostprogs-y)$(hostprogs-m),)
79371 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79372 include scripts/Makefile.host
79373 endif
79374
79375 diff -urNp linux-2.6.39.2/scripts/Makefile.clean linux-2.6.39.2/scripts/Makefile.clean
79376 --- linux-2.6.39.2/scripts/Makefile.clean 2011-05-19 00:06:34.000000000 -0400
79377 +++ linux-2.6.39.2/scripts/Makefile.clean 2011-06-03 01:16:02.000000000 -0400
79378 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79379 __clean-files := $(extra-y) $(always) \
79380 $(targets) $(clean-files) \
79381 $(host-progs) \
79382 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79383 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79384 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79385
79386 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
79387
79388 diff -urNp linux-2.6.39.2/scripts/Makefile.host linux-2.6.39.2/scripts/Makefile.host
79389 --- linux-2.6.39.2/scripts/Makefile.host 2011-05-19 00:06:34.000000000 -0400
79390 +++ linux-2.6.39.2/scripts/Makefile.host 2011-06-03 01:17:12.000000000 -0400
79391 @@ -31,6 +31,7 @@
79392 # Note: Shared libraries consisting of C++ files are not supported
79393
79394 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79395 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79396
79397 # C code
79398 # Executables compiled from a single .c file
79399 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79400 # Shared libaries (only .c supported)
79401 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79402 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79403 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79404 # Remove .so files from "xxx-objs"
79405 host-cobjs := $(filter-out %.so,$(host-cobjs))
79406
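Review bot: The comment above `host-cshlib` still says it holds the .so files referenced in "xxx-objs", which is incomplete now that names listed directly in `hostlibs-y`/`hostlibs-m` are appended. Suggest `# Shared libraries (.so) - all .so files referenced in "xxx-objs" or listed in hostlibs-y/-m`. The two lists are also sorted separately, so a library named in both places would appear twice in `host-cshlib`. Assigning once with a single `$(sort ...)` over both filters would deduplicate it.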
79407 diff -urNp linux-2.6.39.2/scripts/mod/file2alias.c linux-2.6.39.2/scripts/mod/file2alias.c
79408 --- linux-2.6.39.2/scripts/mod/file2alias.c 2011-05-19 00:06:34.000000000 -0400
79409 +++ linux-2.6.39.2/scripts/mod/file2alias.c 2011-05-22 19:36:35.000000000 -0400
79410 @@ -72,7 +72,7 @@ static void device_id_check(const char *
79411 unsigned long size, unsigned long id_size,
79412 void *symval)
79413 {
79414 - int i;
79415 + unsigned int i;
79416
79417 if (size % id_size || size < id_size) {
79418 if (cross_build != 0)
79419 @@ -102,7 +102,7 @@ static void device_id_check(const char *
79420 /* USB is special because the bcdDevice can be matched against a numeric range */
79421 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79422 static void do_usb_entry(struct usb_device_id *id,
79423 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79424 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79425 unsigned char range_lo, unsigned char range_hi,
79426 unsigned char max, struct module *mod)
79427 {
79428 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
79429 for (i = 0; i < count; i++) {
79430 const char *id = (char *)devs[i].id;
79431 char acpi_id[sizeof(devs[0].id)];
79432 - int j;
79433 + unsigned int j;
79434
79435 buf_printf(&mod->dev_table_buf,
79436 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79437 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
79438
79439 for (j = 0; j < PNP_MAX_DEVICES; j++) {
79440 const char *id = (char *)card->devs[j].id;
79441 - int i2, j2;
79442 + unsigned int i2, j2;
79443 int dup = 0;
79444
79445 if (!id[0])
79446 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
79447 /* add an individual alias for every device entry */
79448 if (!dup) {
79449 char acpi_id[sizeof(card->devs[0].id)];
79450 - int k;
79451 + unsigned int k;
79452
79453 buf_printf(&mod->dev_table_buf,
79454 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79455 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
79456 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79457 char *alias)
79458 {
79459 - int i, j;
79460 + unsigned int i, j;
79461
79462 sprintf(alias, "dmi*");
79463
79464 diff -urNp linux-2.6.39.2/scripts/mod/modpost.c linux-2.6.39.2/scripts/mod/modpost.c
79465 --- linux-2.6.39.2/scripts/mod/modpost.c 2011-05-19 00:06:34.000000000 -0400
79466 +++ linux-2.6.39.2/scripts/mod/modpost.c 2011-05-22 19:36:35.000000000 -0400
79467 @@ -896,6 +896,7 @@ enum mismatch {
79468 ANY_INIT_TO_ANY_EXIT,
79469 ANY_EXIT_TO_ANY_INIT,
79470 EXPORT_TO_INIT_EXIT,
79471 + DATA_TO_TEXT
79472 };
79473
79474 struct sectioncheck {
79475 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
79476 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79477 .mismatch = EXPORT_TO_INIT_EXIT,
79478 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
79479 +},
79480 +/* Do not reference code from writable data */
79481 +{
79482 + .fromsec = { DATA_SECTIONS, NULL },
79483 + .tosec = { TEXT_SECTIONS, NULL },
79484 + .mismatch = DATA_TO_TEXT
79485 }
79486 };
79487
79488 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
79489 continue;
79490 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79491 continue;
79492 - if (sym->st_value == addr)
79493 - return sym;
79494 /* Find a symbol nearby - addr are maybe negative */
79495 d = sym->st_value - addr;
79496 + if (d == 0)
79497 + return sym;
79498 if (d < 0)
79499 d = addr - sym->st_value;
79500 if (d < distance) {
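Review bot: The exact-match test is now made on `d` after the subtraction instead of on `sym->st_value == addr`, so it is evaluated in whatever type `d` has. `d` is declared outside this hunk; if it is narrower than `st_value`, two values that differ by a multiple of that type's range would now count as an exact match, which the original comparison did not allow. If the aim was only to avoid a signed/unsigned comparison, keeping the original test with an explicit cast on `addr` preserves the old semantics. The existing comment should also say which case the `d == 0` early return covers.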
79501 @@ -1408,6 +1415,14 @@ static void report_sec_mismatch(const ch
79502 tosym, prl_to, prl_to, tosym);
79503 free(prl_to);
79504 break;
79505 + case DATA_TO_TEXT:
79506 +/*
79507 + fprintf(stderr,
79508 + "The variable %s references\n"
79509 + "the %s %s%s%s\n",
79510 + fromsym, to, sec2annotation(tosec), tosym, to_p);
79511 +*/
79512 + break;
79513 }
79514 fprintf(stderr, "\n");
79515 }
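Review bot: The new `DATA_TO_TEXT` case holds only a commented-out `fprintf`, so the switch does nothing for it and control still reaches the unconditional `fprintf(stderr, "\n")` after the switch. Whatever the function printed before the switch (outside this hunk) is then followed by a blank line and no explanation, for what is likely a very common reference pattern. Either delete the dead block and return before any output for this mismatch type, or enable the message behind a build option. The sectioncheck entry added earlier in this file also omits `.symbol_white_list`, unlike the entry just above it.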
79516 @@ -1731,7 +1746,7 @@ void __attribute__((format(printf, 2, 3)
79517 va_end(ap);
79518 }
79519
79520 -void buf_write(struct buffer *buf, const char *s, int len)
79521 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
79522 {
79523 if (buf->size - buf->pos < len) {
79524 buf->size += len + SZ;
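Review bot: With `pos`, `size` and `len` all unsigned, `buf->size - buf->pos < len` is only correct while `pos <= size`, and `buf->size += len + SZ` can wrap for a very large `len`. Neither condition is checked in the lines shown. A comment stating the invariant, for example `/* invariant: buf->pos <= buf->size */`, would make the unsigned arithmetic reviewable. The function body continues outside the hunk, so the reallocation and the copy cannot be checked from here.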
79525 @@ -1943,7 +1958,7 @@ static void write_if_changed(struct buff
79526 if (fstat(fileno(file), &st) < 0)
79527 goto close_write;
79528
79529 - if (st.st_size != b->pos)
79530 + if (st.st_size != (off_t)b->pos)
79531 goto close_write;
79532
79533 tmp = NOFAIL(malloc(b->pos));
79534 diff -urNp linux-2.6.39.2/scripts/mod/modpost.h linux-2.6.39.2/scripts/mod/modpost.h
79535 --- linux-2.6.39.2/scripts/mod/modpost.h 2011-05-19 00:06:34.000000000 -0400
79536 +++ linux-2.6.39.2/scripts/mod/modpost.h 2011-05-22 19:36:35.000000000 -0400
79537 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79538
79539 struct buffer {
79540 char *p;
79541 - int pos;
79542 - int size;
79543 + unsigned int pos;
79544 + unsigned int size;
79545 };
79546
79547 void __attribute__((format(printf, 2, 3)))
79548 buf_printf(struct buffer *buf, const char *fmt, ...);
79549
79550 void
79551 -buf_write(struct buffer *buf, const char *s, int len);
79552 +buf_write(struct buffer *buf, const char *s, unsigned int len);
79553
79554 struct module {
79555 struct module *next;
79556 diff -urNp linux-2.6.39.2/scripts/mod/sumversion.c linux-2.6.39.2/scripts/mod/sumversion.c
79557 --- linux-2.6.39.2/scripts/mod/sumversion.c 2011-05-19 00:06:34.000000000 -0400
79558 +++ linux-2.6.39.2/scripts/mod/sumversion.c 2011-05-22 19:36:35.000000000 -0400
79559 @@ -470,7 +470,7 @@ static void write_version(const char *fi
79560 goto out;
79561 }
79562
79563 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79564 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79565 warn("writing sum in %s failed: %s\n",
79566 filename, strerror(errno));
79567 goto out;
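Review bot: The added cast binds to `strlen(sum)` only, and the length is computed twice in one condition. Storing it once reads better and keeps both sides visibly equal: `size_t len = strlen(sum) + 1;` followed by `if (write(fd, sum, len) != (ssize_t)len) {`. write_version() starts and ends outside this hunk.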
79568 diff -urNp linux-2.6.39.2/scripts/pnmtologo.c linux-2.6.39.2/scripts/pnmtologo.c
79569 --- linux-2.6.39.2/scripts/pnmtologo.c 2011-05-19 00:06:34.000000000 -0400
79570 +++ linux-2.6.39.2/scripts/pnmtologo.c 2011-05-22 19:36:35.000000000 -0400
79571 @@ -237,14 +237,14 @@ static void write_header(void)
79572 fprintf(out, " * Linux logo %s\n", logoname);
79573 fputs(" */\n\n", out);
79574 fputs("#include <linux/linux_logo.h>\n\n", out);
79575 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79576 + fprintf(out, "static unsigned char %s_data[] = {\n",
79577 logoname);
79578 }
79579
79580 static void write_footer(void)
79581 {
79582 fputs("\n};\n\n", out);
79583 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79584 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
79585 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79586 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79587 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
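Review bot: Dropping `__initdata` and `__initconst` from the generated declarations, here and in write_logo_clut224 below, keeps every logo's pixel data and colour table resident after boot instead of being freed with init memory. The generator gives no reason for this. The motive is not visible on this page (presumably a section-placement constraint elsewhere in the patch), so a comment at the first `fprintf` naming it would stop someone from restoring the annotations later. With the init annotation gone, `%s_data[]` is emitted as an ordinary writable array; emitting it `const` would be the natural follow-up if the `struct linux_logo` field types, declared outside this diff, allow it.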
79588 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79589 fputs("\n};\n\n", out);
79590
79591 /* write logo clut */
79592 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79593 + fprintf(out, "static unsigned char %s_clut[] = {\n",
79594 logoname);
79595 write_hex_cnt = 0;
79596 for (i = 0; i < logo_clutsize; i++) {
79597 diff -urNp linux-2.6.39.2/security/apparmor/lsm.c linux-2.6.39.2/security/apparmor/lsm.c
79598 --- linux-2.6.39.2/security/apparmor/lsm.c 2011-06-25 12:55:23.000000000 -0400
79599 +++ linux-2.6.39.2/security/apparmor/lsm.c 2011-06-25 13:00:28.000000000 -0400
79600 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
79601 return error;
79602 }
79603
79604 -static struct security_operations apparmor_ops = {
79605 +static struct security_operations apparmor_ops __read_only = {
79606 .name = "apparmor",
79607
79608 .ptrace_access_check = apparmor_ptrace_access_check,
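Review bot: `__read_only` on `apparmor_ops` is safe only if every write to the structure happens before read-only data is sealed, and nothing at the declaration says so. Registration, and any filling-in of unset hooks with defaults, happens outside this hunk; a late writer would fault on the protected page. A comment such as `/* written only during early init; read-only afterwards */` would document the constraint. The three `kernel_param_ops` tables in the following hunks become `const`, the stronger guarantee, so it is worth noting why `apparmor_ops` cannot be `const` as well.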
79609 @@ -672,7 +672,7 @@ static struct security_operations apparm
79610 static int param_set_aabool(const char *val, const struct kernel_param *kp);
79611 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
79612 #define param_check_aabool(name, p) __param_check(name, p, int)
79613 -static struct kernel_param_ops param_ops_aabool = {
79614 +static const struct kernel_param_ops param_ops_aabool = {
79615 .set = param_set_aabool,
79616 .get = param_get_aabool
79617 };
79618 @@ -680,7 +680,7 @@ static struct kernel_param_ops param_ops
79619 static int param_set_aauint(const char *val, const struct kernel_param *kp);
79620 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
79621 #define param_check_aauint(name, p) __param_check(name, p, int)
79622 -static struct kernel_param_ops param_ops_aauint = {
79623 +static const struct kernel_param_ops param_ops_aauint = {
79624 .set = param_set_aauint,
79625 .get = param_get_aauint
79626 };
79627 @@ -688,7 +688,7 @@ static struct kernel_param_ops param_ops
79628 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
79629 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
79630 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
79631 -static struct kernel_param_ops param_ops_aalockpolicy = {
79632 +static const struct kernel_param_ops param_ops_aalockpolicy = {
79633 .set = param_set_aalockpolicy,
79634 .get = param_get_aalockpolicy
79635 };
79636 diff -urNp linux-2.6.39.2/security/commoncap.c linux-2.6.39.2/security/commoncap.c
79637 --- linux-2.6.39.2/security/commoncap.c 2011-05-19 00:06:34.000000000 -0400
79638 +++ linux-2.6.39.2/security/commoncap.c 2011-05-22 20:28:59.000000000 -0400
79639 @@ -28,6 +28,7 @@
79640 #include <linux/prctl.h>
79641 #include <linux/securebits.h>
79642 #include <linux/user_namespace.h>
79643 +#include <net/sock.h>
79644
79645 /*
79646 * If a non-root user executes a setuid-root binary in
79647 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
79648
79649 int cap_netlink_recv(struct sk_buff *skb, int cap)
79650 {
79651 - if (!cap_raised(current_cap(), cap))
79652 + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
79653 return -EPERM;
79654 return 0;
79655 }
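Review bot: Both `cap_raised(current_cap(), cap)` and the added `gr_is_capable(cap)` are evaluated against `current`, and `skb` is not consulted, so the check is meaningful only if the message is always processed in the sender's context. That assumption is not stated in the function. A comment such as `/* netlink input is handled synchronously in the sender's context, so current is the sender */` would make it reviewable and flag the check for revisiting if delivery ever becomes asynchronous. Because of the `||` short-circuit, `gr_is_capable()` and whatever logging it performs only run when the capability is already raised, which is presumably intended.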
79656 @@ -580,6 +581,9 @@ int cap_bprm_secureexec(struct linux_bin
79657 {
79658 const struct cred *cred = current_cred();
79659
79660 + if (gr_acl_enable_at_secure())
79661 + return 1;
79662 +
79663 if (cred->uid != 0) {
79664 if (bprm->cap_effective)
79665 return 1;
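Review bot: The early `return 1` makes the function report secure-exec for any credentials whenever `gr_acl_enable_at_secure()` is true, ahead of the uid and capability tests, and there is no comment saying so. Suggest `/* policy may force secure-exec handling for this subject regardless of uid/caps */` above the new test. The function's own documentation, outside this hunk, should mention the extra condition. The body continues past the hunk.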
79666 diff -urNp linux-2.6.39.2/security/integrity/ima/ima_api.c linux-2.6.39.2/security/integrity/ima/ima_api.c
79667 --- linux-2.6.39.2/security/integrity/ima/ima_api.c 2011-05-19 00:06:34.000000000 -0400
79668 +++ linux-2.6.39.2/security/integrity/ima/ima_api.c 2011-05-22 19:36:35.000000000 -0400
79669 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
79670 int result;
79671
79672 /* can overflow, only indicator */
79673 - atomic_long_inc(&ima_htable.violations);
79674 + atomic_long_inc_unchecked(&ima_htable.violations);
79675
79676 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
79677 if (!entry) {
79678 diff -urNp linux-2.6.39.2/security/integrity/ima/ima_fs.c linux-2.6.39.2/security/integrity/ima/ima_fs.c
79679 --- linux-2.6.39.2/security/integrity/ima/ima_fs.c 2011-05-19 00:06:34.000000000 -0400
79680 +++ linux-2.6.39.2/security/integrity/ima/ima_fs.c 2011-05-22 19:36:35.000000000 -0400
79681 @@ -28,12 +28,12 @@
79682 static int valid_policy = 1;
79683 #define TMPBUFLEN 12
79684 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
79685 - loff_t *ppos, atomic_long_t *val)
79686 + loff_t *ppos, atomic_long_unchecked_t *val)
79687 {
79688 char tmpbuf[TMPBUFLEN];
79689 ssize_t len;
79690
79691 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
79692 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
79693 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
79694 }
79695
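Review bot: `TMPBUFLEN` is 12, but `"%li\n"` on a 64-bit `long` can need up to 21 characters plus the terminator, so `scnprintf()` silently truncates large or negative values. This predates the patch, but it matters more now that the counters are explicitly allowed to wrap: a wrapped `violations` count would be shown as a truncated negative number. `#define TMPBUFLEN 22` covers the full range.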
79696 diff -urNp linux-2.6.39.2/security/integrity/ima/ima.h linux-2.6.39.2/security/integrity/ima/ima.h
79697 --- linux-2.6.39.2/security/integrity/ima/ima.h 2011-05-19 00:06:34.000000000 -0400
79698 +++ linux-2.6.39.2/security/integrity/ima/ima.h 2011-05-22 19:36:35.000000000 -0400
79699 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
79700 extern spinlock_t ima_queue_lock;
79701
79702 struct ima_h_table {
79703 - atomic_long_t len; /* number of stored measurements in the list */
79704 - atomic_long_t violations;
79705 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79706 + atomic_long_unchecked_t violations;
79707 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79708 };
79709 extern struct ima_h_table ima_htable;
79710 diff -urNp linux-2.6.39.2/security/integrity/ima/ima_queue.c linux-2.6.39.2/security/integrity/ima/ima_queue.c
79711 --- linux-2.6.39.2/security/integrity/ima/ima_queue.c 2011-05-19 00:06:34.000000000 -0400
79712 +++ linux-2.6.39.2/security/integrity/ima/ima_queue.c 2011-05-22 19:36:35.000000000 -0400
79713 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
79714 INIT_LIST_HEAD(&qe->later);
79715 list_add_tail_rcu(&qe->later, &ima_measurements);
79716
79717 - atomic_long_inc(&ima_htable.len);
79718 + atomic_long_inc_unchecked(&ima_htable.len);
79719 key = ima_hash_key(entry->digest);
79720 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79721 return 0;
79722 diff -urNp linux-2.6.39.2/security/Kconfig linux-2.6.39.2/security/Kconfig
79723 --- linux-2.6.39.2/security/Kconfig 2011-05-19 00:06:34.000000000 -0400
79724 +++ linux-2.6.39.2/security/Kconfig 2011-06-29 20:57:25.000000000 -0400
79725 @@ -4,6 +4,554 @@
79726
79727 menu "Security options"
79728
79729 +source grsecurity/Kconfig
79730 +
79731 +menu "PaX"
79732 +
79733 + config ARCH_TRACK_EXEC_LIMIT
79734 + bool
79735 +
79736 + config PAX_PER_CPU_PGD
79737 + bool
79738 +
79739 + config TASK_SIZE_MAX_SHIFT
79740 + int
79741 + depends on X86_64
79742 + default 47 if !PAX_PER_CPU_PGD
79743 + default 42 if PAX_PER_CPU_PGD
79744 +
79745 + config PAX_ENABLE_PAE
79746 + bool
79747 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79748 +
79749 +config PAX
79750 + bool "Enable various PaX features"
79751 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79752 + help
79753 + This allows you to enable various PaX features. PaX adds
79754 + intrusion prevention mechanisms to the kernel that reduce
79755 + the risks posed by exploitable memory corruption bugs.
79756 +
79757 +menu "PaX Control"
79758 + depends on PAX
79759 +
79760 +config PAX_SOFTMODE
79761 + bool 'Support soft mode'
79762 + select PAX_PT_PAX_FLAGS
79763 + help
79764 + Enabling this option will allow you to run PaX in soft mode, that
79765 + is, PaX features will not be enforced by default, only on executables
79766 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
79767 + is the only way to mark executables for soft mode use.
79768 +
79769 + Soft mode can be activated by using the "pax_softmode=1" kernel command
79770 + line option on boot. Furthermore you can control various PaX features
79771 + at runtime via the entries in /proc/sys/kernel/pax.
79772 +
79773 +config PAX_EI_PAX
79774 + bool 'Use legacy ELF header marking'
79775 + help
79776 + Enabling this option will allow you to control PaX features on
79777 + a per executable basis via the 'chpax' utility available at
79778 + http://pax.grsecurity.net/. The control flags will be read from
79779 + an otherwise reserved part of the ELF header. This marking has
79780 + numerous drawbacks (no support for soft-mode, toolchain does not
79781 + know about the non-standard use of the ELF header) therefore it
79782 + has been deprecated in favour of PT_PAX_FLAGS support.
79783 +
79784 + Note that if you enable PT_PAX_FLAGS marking support as well,
79785 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
79786 +
79787 +config PAX_PT_PAX_FLAGS
79788 + bool 'Use ELF program header marking'
79789 + help
79790 + Enabling this option will allow you to control PaX features on
79791 + a per executable basis via the 'paxctl' utility available at
79792 + http://pax.grsecurity.net/. The control flags will be read from
79793 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
79794 + has the benefits of supporting both soft mode and being fully
79795 + integrated into the toolchain (the binutils patch is available
79796 + from http://pax.grsecurity.net).
79797 +
79798 + If your toolchain does not support PT_PAX_FLAGS markings,
79799 + you can create one in most cases with 'paxctl -C'.
79800 +
79801 + Note that if you enable the legacy EI_PAX marking support as well,
79802 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
79803 +
79804 +choice
79805 + prompt 'MAC system integration'
79806 + default PAX_HAVE_ACL_FLAGS
79807 + help
79808 + Mandatory Access Control systems have the option of controlling
79809 + PaX flags on a per executable basis, choose the method supported
79810 + by your particular system.
79811 +
79812 + - "none": if your MAC system does not interact with PaX,
79813 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
79814 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
79815 +
79816 + NOTE: this option is for developers/integrators only.
79817 +
79818 + config PAX_NO_ACL_FLAGS
79819 + bool 'none'
79820 +
79821 + config PAX_HAVE_ACL_FLAGS
79822 + bool 'direct'
79823 +
79824 + config PAX_HOOK_ACL_FLAGS
79825 + bool 'hook'
79826 +endchoice
79827 +
79828 +endmenu
79829 +
79830 +menu "Non-executable pages"
79831 + depends on PAX
79832 +
79833 +config PAX_NOEXEC
79834 + bool "Enforce non-executable pages"
79835 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
79836 + help
79837 + By design some architectures do not allow for protecting memory
79838 + pages against execution or even if they do, Linux does not make
79839 + use of this feature. In practice this means that if a page is
79840 + readable (such as the stack or heap) it is also executable.
79841 +
79842 + There is a well known exploit technique that makes use of this
79843 + fact and a common programming mistake where an attacker can
79844 + introduce code of his choice somewhere in the attacked program's
79845 + memory (typically the stack or the heap) and then execute it.
79846 +
79847 + If the attacked program was running with different (typically
79848 + higher) privileges than that of the attacker, then he can elevate
79849 + his own privilege level (e.g. get a root shell, write to files for
79850 + which he does not have write access to, etc).
79851 +
79852 + Enabling this option will let you choose from various features
79853 + that prevent the injection and execution of 'foreign' code in
79854 + a program.
79855 +
79856 + This will also break programs that rely on the old behaviour and
79857 + expect that dynamically allocated memory via the malloc() family
79858 + of functions is executable (which it is not). Notable examples
79859 + are the XFree86 4.x server, the java runtime and wine.
79860 +
79861 +config PAX_PAGEEXEC
79862 + bool "Paging based non-executable pages"
79863 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
79864 + select S390_SWITCH_AMODE if S390
79865 + select S390_EXEC_PROTECT if S390
79866 + select ARCH_TRACK_EXEC_LIMIT if X86_32
79867 + help
79868 + This implementation is based on the paging feature of the CPU.
79869 + On i386 without hardware non-executable bit support there is a
79870 + variable but usually low performance impact, however on Intel's
79871 + P4 core based CPUs it is very high so you should not enable this
79872 + for kernels meant to be used on such CPUs.
79873 +
79874 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
79875 + with hardware non-executable bit support there is no performance
79876 + impact, on ppc the impact is negligible.
79877 +
79878 + Note that several architectures require various emulations due to
79879 + badly designed userland ABIs, this will cause a performance impact
79880 + but will disappear as soon as userland is fixed. For example, ppc
79881 + userland MUST have been built with secure-plt by a recent toolchain.
79882 +
79883 +config PAX_SEGMEXEC
79884 + bool "Segmentation based non-executable pages"
79885 + depends on PAX_NOEXEC && X86_32
79886 + help
79887 + This implementation is based on the segmentation feature of the
79888 + CPU and has a very small performance impact, however applications
79889 + will be limited to a 1.5 GB address space instead of the normal
79890 + 3 GB.
79891 +
79892 +config PAX_EMUTRAMP
79893 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
79894 + default y if PARISC
79895 + help
79896 + There are some programs and libraries that for one reason or
79897 + another attempt to execute special small code snippets from
79898 + non-executable memory pages. Most notable examples are the
79899 + signal handler return code generated by the kernel itself and
79900 + the GCC trampolines.
79901 +
79902 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
79903 + such programs will no longer work under your kernel.
79904 +
79905 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
79906 + utilities to enable trampoline emulation for the affected programs
79907 + yet still have the protection provided by the non-executable pages.
79908 +
79909 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
79910 + your system will not even boot.
79911 +
79912 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
79913 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
79914 + for the affected files.
79915 +
79916 + NOTE: enabling this feature *may* open up a loophole in the
79917 + protection provided by non-executable pages that an attacker
79918 + could abuse. Therefore the best solution is to not have any
79919 + files on your system that would require this option. This can
79920 + be achieved by not using libc5 (which relies on the kernel
79921 + signal handler return code) and not using or rewriting programs
79922 + that make use of the nested function implementation of GCC.
79923 + Skilled users can just fix GCC itself so that it implements
79924 + nested function calls in a way that does not interfere with PaX.
79925 +
79926 +config PAX_EMUSIGRT
79927 + bool "Automatically emulate sigreturn trampolines"
79928 + depends on PAX_EMUTRAMP && PARISC
79929 + default y
79930 + help
79931 + Enabling this option will have the kernel automatically detect
79932 + and emulate signal return trampolines executing on the stack
79933 + that would otherwise lead to task termination.
79934 +
79935 + This solution is intended as a temporary one for users with
79936 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
79937 + Modula-3 runtime, etc) or executables linked to such, basically
79938 + everything that does not specify its own SA_RESTORER function in
79939 + normal executable memory like glibc 2.1+ does.
79940 +
79941 + On parisc you MUST enable this option, otherwise your system will
79942 + not even boot.
79943 +
79944 + NOTE: this feature cannot be disabled on a per executable basis
79945 + and since it *does* open up a loophole in the protection provided
79946 + by non-executable pages, the best solution is to not have any
79947 + files on your system that would require this option.
79948 +
79949 +config PAX_MPROTECT
79950 + bool "Restrict mprotect()"
79951 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
79952 + help
79953 + Enabling this option will prevent programs from
79954 + - changing the executable status of memory pages that were
79955 + not originally created as executable,
79956 + - making read-only executable pages writable again,
79957 + - creating executable pages from anonymous memory,
79958 + - making read-only-after-relocations (RELRO) data pages writable again.
79959 +
79960 + You should say Y here to complete the protection provided by
79961 + the enforcement of non-executable pages.
79962 +
79963 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79964 + this feature on a per file basis.
79965 +
79966 +config PAX_MPROTECT_COMPAT
79967 + bool "Use legacy/compat protection demoting (read help)"
79968 + depends on PAX_MPROTECT
79969 + default n
79970 + help
79971 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
79972 + by sending the proper error code to the application. For some broken
79973 + userland, this can cause problems with Python or other applications. The
79974 + current implementation however allows for applications like clamav to
79975 + detect if JIT compilation/execution is allowed and to fall back gracefully
79976 + to an interpreter-based mode if it does not. While we encourage everyone
79977 + to use the current implementation as-is and push upstream to fix broken
79978 + userland (note that the RWX logging option can assist with this), in some
79979 + environments this may not be possible. Having to disable MPROTECT
79980 + completely on certain binaries reduces the security benefit of PaX,
79981 + so this option is provided for those environments to revert to the old
79982 + behavior.
79983 +
79984 +config PAX_ELFRELOCS
79985 + bool "Allow ELF text relocations (read help)"
79986 + depends on PAX_MPROTECT
79987 + default n
79988 + help
79989 + Non-executable pages and mprotect() restrictions are effective
79990 + in preventing the introduction of new executable code into an
79991 + attacked task's address space. There remain only two venues
79992 + for this kind of attack: if the attacker can execute already
79993 + existing code in the attacked task then he can either have it
79994 + create and mmap() a file containing his code or have it mmap()
79995 + an already existing ELF library that does not have position
79996 + independent code in it and use mprotect() on it to make it
79997 + writable and copy his code there. While protecting against
79998 + the former approach is beyond PaX, the latter can be prevented
79999 + by having only PIC ELF libraries on one's system (which do not
80000 + need to relocate their code). If you are sure this is your case,
80001 + as is the case with all modern Linux distributions, then leave
80002 + this option disabled. You should say 'n' here.
80003 +
80004 +config PAX_ETEXECRELOCS
80005 + bool "Allow ELF ET_EXEC text relocations"
80006 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
80007 + select PAX_ELFRELOCS
80008 + default y
80009 + help
80010 + On some architectures there are incorrectly created applications
80011 + that require text relocations and would not work without enabling
80012 + this option. If you are an alpha, ia64 or parisc user, you should
80013 + enable this option and disable it once you have made sure that
80014 + none of your applications need it.
80015 +
80016 +config PAX_EMUPLT
80017 + bool "Automatically emulate ELF PLT"
80018 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
80019 + default y
80020 + help
80021 + Enabling this option will have the kernel automatically detect
80022 + and emulate the Procedure Linkage Table entries in ELF files.
80023 + On some architectures such entries are in writable memory, and
80024 + become non-executable leading to task termination. Therefore
80025 + it is mandatory that you enable this option on alpha, parisc,
80026 + sparc and sparc64, otherwise your system would not even boot.
80027 +
80028 + NOTE: this feature *does* open up a loophole in the protection
80029 + provided by the non-executable pages, therefore the proper
80030 + solution is to modify the toolchain to produce a PLT that does
80031 + not need to be writable.
80032 +
80033 +config PAX_DLRESOLVE
80034 + bool 'Emulate old glibc resolver stub'
80035 + depends on PAX_EMUPLT && SPARC
80036 + default n
80037 + help
80038 + This option is needed if userland has an old glibc (before 2.4)
80039 + that puts a 'save' instruction into the runtime generated resolver
80040 + stub that needs special emulation.
80041 +
80042 +config PAX_KERNEXEC
80043 + bool "Enforce non-executable kernel pages"
80044 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
80045 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
80046 + help
80047 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
80048 + that is, enabling this option will make it harder to inject
80049 + and execute 'foreign' code in kernel memory itself.
80050 +
80051 + Note that on x86_64 kernels there is a known regression when
80052 + this feature and KVM/VMX are both enabled in the host kernel.
80053 +
80054 +config PAX_KERNEXEC_MODULE_TEXT
80055 + int "Minimum amount of memory reserved for module code"
80056 + default "4"
80057 + depends on PAX_KERNEXEC && X86_32 && MODULES
80058 + help
80059 + Due to implementation details the kernel must reserve a fixed
80060 + amount of memory for module code at compile time that cannot be
80061 + changed at runtime. Here you can specify the minimum amount
80062 + in MB that will be reserved. Due to the same implementation
80063 + details this size will always be rounded up to the next 2/4 MB
80064 + boundary (depends on PAE) so the actually available memory for
80065 + module code will usually be more than this minimum.
80066 +
80067 + The default 4 MB should be enough for most users but if you have
80068 + an excessive number of modules (e.g., most distribution configs
80069 + compile many drivers as modules) or use huge modules such as
80070 + nvidia's kernel driver, you will need to adjust this amount.
80071 + A good rule of thumb is to look at your currently loaded kernel
80072 + modules and add up their sizes.
80073 +
80074 +endmenu
80075 +
80076 +menu "Address Space Layout Randomization"
80077 + depends on PAX
80078 +
80079 +config PAX_ASLR
80080 + bool "Address Space Layout Randomization"
80081 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
80082 + help
80083 + Many if not most exploit techniques rely on the knowledge of
80084 + certain addresses in the attacked program. The following options
80085 + will allow the kernel to apply a certain amount of randomization
80086 + to specific parts of the program thereby forcing an attacker to
80087 + guess them in most cases. Any failed guess will most likely crash
80088 + the attacked program which allows the kernel to detect such attempts
80089 + and react on them. PaX itself provides no reaction mechanisms,
80090 + instead it is strongly encouraged that you make use of Nergal's
80091 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
80092 + (http://www.grsecurity.net/) built-in crash detection features or
80093 + develop one yourself.
80094 +
80095 + By saying Y here you can choose to randomize the following areas:
80096 + - top of the task's kernel stack
80097 + - top of the task's userland stack
80098 + - base address for mmap() requests that do not specify one
80099 + (this includes all libraries)
80100 + - base address of the main executable
80101 +
80102 + It is strongly recommended to say Y here as address space layout
80103 + randomization has negligible impact on performance yet it provides
80104 + a very effective protection.
80105 +
80106 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80107 + this feature on a per file basis.
80108 +
80109 +config PAX_RANDKSTACK
80110 + bool "Randomize kernel stack base"
80111 + depends on PAX_ASLR && X86_TSC && X86
80112 + help
80113 + By saying Y here the kernel will randomize every task's kernel
80114 + stack on every system call. This will not only force an attacker
80115 + to guess it but also prevent him from making use of possible
80116 + leaked information about it.
80117 +
80118 + Since the kernel stack is a rather scarce resource, randomization
80119 + may cause unexpected stack overflows, therefore you should very
80120 + carefully test your system. Note that once enabled in the kernel
80121 + configuration, this feature cannot be disabled on a per file basis.
80122 +
80123 +config PAX_RANDUSTACK
80124 + bool "Randomize user stack base"
80125 + depends on PAX_ASLR
80126 + help
80127 + By saying Y here the kernel will randomize every task's userland
80128 + stack. The randomization is done in two steps where the second
80129 + one may apply a big amount of shift to the top of the stack and
80130 + cause problems for programs that want to use lots of memory (more
80131 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
80132 + For this reason the second step can be controlled by 'chpax' or
80133 + 'paxctl' on a per file basis.
80134 +
80135 +config PAX_RANDMMAP
80136 + bool "Randomize mmap() base"
80137 + depends on PAX_ASLR
80138 + help
80139 + By saying Y here the kernel will use a randomized base address for
80140 + mmap() requests that do not specify one themselves. As a result
80141 + all dynamically loaded libraries will appear at random addresses
80142 + and therefore be harder to exploit by a technique where an attacker
80143 + attempts to execute library code for his purposes (e.g. spawn a
80144 + shell from an exploited program that is running at an elevated
80145 + privilege level).
80146 +
80147 + Furthermore, if a program is relinked as a dynamic ELF file, its
80148 + base address will be randomized as well, completing the full
80149 + randomization of the address space layout. Attacking such programs
80150 + becomes a guess game. You can find an example of doing this at
80151 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
80152 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
80153 +
80154 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
80155 + feature on a per file basis.
80156 +
80157 +endmenu
80158 +
80159 +menu "Miscellaneous hardening features"
80160 +
80161 +config PAX_MEMORY_SANITIZE
80162 + bool "Sanitize all freed memory"
80163 + help
80164 + By saying Y here the kernel will erase memory pages as soon as they
80165 + are freed. This in turn reduces the lifetime of data stored in the
80166 + pages, making it less likely that sensitive information such as
80167 + passwords, cryptographic secrets, etc stay in memory for too long.
80168 +
80169 + This is especially useful for programs whose runtime is short, long
80170 + lived processes and the kernel itself benefit from this as long as
80171 + they operate on whole memory pages and ensure timely freeing of pages
80172 + that may hold sensitive information.
80173 +
80174 + The tradeoff is performance impact, on a single CPU system kernel
80175 + compilation sees a 3% slowdown, other systems and workloads may vary
80176 + and you are advised to test this feature on your expected workload
80177 + before deploying it.
80178 +
80179 + Note that this feature does not protect data stored in live pages,
80180 + e.g., process memory swapped to disk may stay there for a long time.
80181 +
80182 +config PAX_MEMORY_STACKLEAK
80183 + bool "Sanitize kernel stack"
80184 + depends on X86
80185 + help
80186 + By saying Y here the kernel will erase the kernel stack before it
80187 + returns from a system call. This in turn reduces the information
80188 + that a kernel stack leak bug can reveal.
80189 +
80190 + Note that such a bug can still leak information that was put on
80191 + the stack by the current system call (the one eventually triggering
80192 + the bug) but traces of earlier system calls on the kernel stack
80193 + cannot leak anymore.
80194 +
80195 + The tradeoff is performance impact: on a single CPU system kernel
80196 + compilation sees a 1% slowdown, other systems and workloads may vary
80197 + and you are advised to test this feature on your expected workload
80198 + before deploying it.
80199 +
80200 + Note: full support for this feature requires gcc with plugin support
80201 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
80202 + is not supported). Using older gcc versions means that functions
80203 + with large enough stack frames may leave uninitialized memory behind
80204 + that may be exposed to a later syscall leaking the stack.
80205 +
80206 +config PAX_MEMORY_UDEREF
80207 + bool "Prevent invalid userland pointer dereference"
80208 + depends on X86 && !UML_X86 && !XEN
80209 + select PAX_PER_CPU_PGD if X86_64
80210 + help
80211 + By saying Y here the kernel will be prevented from dereferencing
80212 + userland pointers in contexts where the kernel expects only kernel
80213 + pointers. This is both a useful runtime debugging feature and a
80214 + security measure that prevents exploiting a class of kernel bugs.
80215 +
80216 + The tradeoff is that some virtualization solutions may experience
80217 + a huge slowdown and therefore you should not enable this feature
80218 + for kernels meant to run in such environments. Whether a given VM
80219 + solution is affected or not is best determined by simply trying it
80220 + out, the performance impact will be obvious right on boot as this
80221 + mechanism engages from very early on. A good rule of thumb is that
80222 + VMs running on CPUs without hardware virtualization support (i.e.,
80223 + the majority of IA-32 CPUs) will likely experience the slowdown.
80224 +
80225 +config PAX_REFCOUNT
80226 + bool "Prevent various kernel object reference counter overflows"
80227 + depends on GRKERNSEC && (X86 || SPARC64)
80228 + help
80229 + By saying Y here the kernel will detect and prevent overflowing
80230 + various (but not all) kinds of object reference counters. Such
80231 + overflows can normally occur due to bugs only and are often, if
80232 + not always, exploitable.
80233 +
80234 + The tradeoff is that data structures protected by an overflowed
80235 + refcount will never be freed and therefore will leak memory. Note
80236 + that this leak also happens even without this protection but in
80237 + that case the overflow can eventually trigger the freeing of the
80238 + data structure while it is still being used elsewhere, resulting
80239 + in the exploitable situation that this feature prevents.
80240 +
80241 + Since this has a negligible performance impact, you should enable
80242 + this feature.
80243 +
80244 +config PAX_USERCOPY
80245 + bool "Harden heap object copies between kernel and userland"
80246 + depends on X86 || PPC || SPARC || ARM
80247 + depends on GRKERNSEC && (SLAB || SLUB)
80248 + help
80249 + By saying Y here the kernel will enforce the size of heap objects
80250 + when they are copied in either direction between the kernel and
80251 + userland, even if only a part of the heap object is copied.
80252 +
80253 + Specifically, this checking prevents information leaking from the
80254 + kernel heap during kernel to userland copies (if the kernel heap
80255 + object is otherwise fully initialized) and prevents kernel heap
80256 + overflows during userland to kernel copies.
80257 +
80258 + Note that the current implementation provides the strictest bounds
80259 + checks for the SLUB allocator.
80260 +
80261 + Enabling this option also enables per-slab cache protection against
80262 + data in a given cache being copied into/out of via userland
80263 + accessors. Though the whitelist of regions will be reduced over
80264 + time, it notably protects important data structures like task structs.
80265 +
80266 + If frame pointers are enabled on x86, this option will also restrict
80267 + copies into and out of the kernel stack to local variables within a
80268 + single frame.
80269 +
80270 + Since this has a negligible performance impact, you should enable
80271 + this feature.
80272 +
80273 +endmenu
80274 +
80275 +endmenu
80276 +
80277 config KEYS
80278 bool "Enable access key retention support"
80279 help
80280 @@ -167,7 +715,7 @@ config INTEL_TXT
80281 config LSM_MMAP_MIN_ADDR
80282 int "Low address space for LSM to protect from user allocation"
80283 depends on SECURITY && SECURITY_SELINUX
80284 - default 65536
80285 + default 32768
80286 help
80287 This is the portion of low virtual memory which should be protected
80288 from userspace allocation. Keeping a user from writing to low pages
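Review bot: The new `default 32768` for LSM_MMAP_MIN_ADDR halves the range of low addresses that the LSM keeps userspace from mapping, and nothing in the hunk says why. That range is what limits the impact of kernel NULL-pointer dereference bugs, so a smaller default weakens the mitigation on every configuration that takes the default. The help text continues outside the hunk; if it still describes the old value as the recommended one, it should be updated in the same change. A line such as `# lowered from 65536: <reason>` above the default would record the intent.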
80289 diff -urNp linux-2.6.39.2/security/keys/keyring.c linux-2.6.39.2/security/keys/keyring.c
80290 --- linux-2.6.39.2/security/keys/keyring.c 2011-05-19 00:06:34.000000000 -0400
80291 +++ linux-2.6.39.2/security/keys/keyring.c 2011-05-22 19:36:35.000000000 -0400
80292 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
80293 ret = -EFAULT;
80294
80295 for (loop = 0; loop < klist->nkeys; loop++) {
80296 + key_serial_t serial;
80297 key = klist->keys[loop];
80298 + serial = key->serial;
80299
80300 tmp = sizeof(key_serial_t);
80301 if (tmp > buflen)
80302 tmp = buflen;
80303
80304 - if (copy_to_user(buffer,
80305 - &key->serial,
80306 - tmp) != 0)
80307 + if (copy_to_user(buffer, &serial, tmp))
80308 goto error;
80309
80310 buflen -= tmp;
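Review bot: The new local `serial` in the loop body has no comment, and the reason for bouncing `key->serial` through the stack before `copy_to_user()` is not evident from the code. It looks as if the copy exists so that the user copy never takes its source from inside the `struct key` heap object, presumably to satisfy the PAX_USERCOPY checks described elsewhere in this patch. If so, say it, e.g. `/* copy from a stack local, not from inside the heap-allocated key */`. keyring_read() starts and ends outside the hunk.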
80311 diff -urNp linux-2.6.39.2/security/min_addr.c linux-2.6.39.2/security/min_addr.c
80312 --- linux-2.6.39.2/security/min_addr.c 2011-05-19 00:06:34.000000000 -0400
80313 +++ linux-2.6.39.2/security/min_addr.c 2011-05-22 19:41:42.000000000 -0400
80314 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
80315 */
80316 static void update_mmap_min_addr(void)
80317 {
80318 +#ifndef SPARC
80319 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
80320 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
80321 mmap_min_addr = dac_mmap_min_addr;
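Review bot: `#ifndef SPARC` at the top of update_mmap_min_addr() tests a macro that Kconfig does not generate; configuration symbols reach C code with the `CONFIG_` prefix, as the `CONFIG_LSM_MMAP_MIN_ADDR` test on the next line shows. Unless `SPARC` is defined somewhere outside this hunk, the guard is always true and the body is still compiled on sparc, so the change has no effect. If the intent is to leave mmap_min_addr untouched on sparc, the line should read `#ifndef CONFIG_SPARC`, with the matching `#endif` added in the next hunk written as `#endif /* !CONFIG_SPARC */` and a short comment on why sparc is excluded.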
80322 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
80323 #else
80324 mmap_min_addr = dac_mmap_min_addr;
80325 #endif
80326 +#endif
80327 }
80328
80329 /*
80330 diff -urNp linux-2.6.39.2/security/security.c linux-2.6.39.2/security/security.c
80331 --- linux-2.6.39.2/security/security.c 2011-05-19 00:06:34.000000000 -0400
80332 +++ linux-2.6.39.2/security/security.c 2011-05-22 19:41:42.000000000 -0400
80333 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
80334 /* things that live in capability.c */
80335 extern void __init security_fixup_ops(struct security_operations *ops);
80336
80337 -static struct security_operations *security_ops;
80338 -static struct security_operations default_security_ops = {
80339 +static struct security_operations *security_ops __read_only;
80340 +static struct security_operations default_security_ops __read_only = {
80341 .name = "default",
80342 };
80343
80344 @@ -67,7 +67,9 @@ int __init security_init(void)
80345
80346 void reset_security_ops(void)
80347 {
80348 + pax_open_kernel();
80349 security_ops = &default_security_ops;
80350 + pax_close_kernel();
80351 }
80352
80353 /* Save user chosen LSM */
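Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair in reset_security_ops() is not explained, and it only makes sense together with the `__read_only` annotation that the previous hunk puts on `security_ops`. A comment such as `/* security_ops is __read_only; open a write window for this one store */` would keep the two in step. Other assignments to `security_ops` are outside the visible hunks. Any of them that can run once the read-only protection is in force would need the same bracket, which is worth confirming.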
80354 diff -urNp linux-2.6.39.2/security/selinux/hooks.c linux-2.6.39.2/security/selinux/hooks.c
80355 --- linux-2.6.39.2/security/selinux/hooks.c 2011-05-19 00:06:34.000000000 -0400
80356 +++ linux-2.6.39.2/security/selinux/hooks.c 2011-05-22 19:41:42.000000000 -0400
80357 @@ -93,7 +93,6 @@
80358 #define NUM_SEL_MNT_OPTS 5
80359
80360 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
80361 -extern struct security_operations *security_ops;
80362
80363 /* SECMARK reference count */
80364 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
80365 @@ -5431,7 +5430,7 @@ static int selinux_key_getsecurity(struc
80366
80367 #endif
80368
80369 -static struct security_operations selinux_ops = {
80370 +static struct security_operations selinux_ops __read_only = {
80371 .name = "selinux",
80372
80373 .ptrace_access_check = selinux_ptrace_access_check,
80374 diff -urNp linux-2.6.39.2/security/selinux/include/xfrm.h linux-2.6.39.2/security/selinux/include/xfrm.h
80375 --- linux-2.6.39.2/security/selinux/include/xfrm.h 2011-05-19 00:06:34.000000000 -0400
80376 +++ linux-2.6.39.2/security/selinux/include/xfrm.h 2011-05-22 19:36:35.000000000 -0400
80377 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80378
80379 static inline void selinux_xfrm_notify_policyload(void)
80380 {
80381 - atomic_inc(&flow_cache_genid);
80382 + atomic_inc_unchecked(&flow_cache_genid);
80383 }
80384 #else
80385 static inline int selinux_xfrm_enabled(void)
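Review bot: `atomic_inc_unchecked(&flow_cache_genid)` opts this counter out of overflow detection without saying why. From the name it appears to be a generation number whose wraparound is harmless rather than a reference count, which would justify the unchecked variant. A one-line comment such as `/* generation counter, may wrap; not a refcount */` would make that explicit. The declaration of `flow_cache_genid` is outside the hunk and has to use the matching unchecked type.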
80386 diff -urNp linux-2.6.39.2/security/selinux/ss/services.c linux-2.6.39.2/security/selinux/ss/services.c
80387 --- linux-2.6.39.2/security/selinux/ss/services.c 2011-05-19 00:06:34.000000000 -0400
80388 +++ linux-2.6.39.2/security/selinux/ss/services.c 2011-05-22 19:36:35.000000000 -0400
80389 @@ -1806,6 +1806,8 @@ int security_load_policy(void *data, siz
80390 int rc = 0;
80391 struct policy_file file = { data, len }, *fp = &file;
80392
80393 + pax_track_stack();
80394 +
80395 if (!ss_initialized) {
80396 avtab_cache_init();
80397 rc = policydb_read(&policydb, fp);
80398 diff -urNp linux-2.6.39.2/security/smack/smack_lsm.c linux-2.6.39.2/security/smack/smack_lsm.c
80399 --- linux-2.6.39.2/security/smack/smack_lsm.c 2011-05-19 00:06:34.000000000 -0400
80400 +++ linux-2.6.39.2/security/smack/smack_lsm.c 2011-05-22 19:36:35.000000000 -0400
80401 @@ -3386,7 +3386,7 @@ static int smack_inode_getsecctx(struct
80402 return 0;
80403 }
80404
80405 -struct security_operations smack_ops = {
80406 +struct security_operations smack_ops __read_only = {
80407 .name = "smack",
80408
80409 .ptrace_access_check = smack_ptrace_access_check,
80410 diff -urNp linux-2.6.39.2/security/tomoyo/tomoyo.c linux-2.6.39.2/security/tomoyo/tomoyo.c
80411 --- linux-2.6.39.2/security/tomoyo/tomoyo.c 2011-05-19 00:06:34.000000000 -0400
80412 +++ linux-2.6.39.2/security/tomoyo/tomoyo.c 2011-05-22 19:36:35.000000000 -0400
80413 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
80414 * tomoyo_security_ops is a "struct security_operations" which is used for
80415 * registering TOMOYO.
80416 */
80417 -static struct security_operations tomoyo_security_ops = {
80418 +static struct security_operations tomoyo_security_ops __read_only = {
80419 .name = "tomoyo",
80420 .cred_alloc_blank = tomoyo_cred_alloc_blank,
80421 .cred_prepare = tomoyo_cred_prepare,
80422 diff -urNp linux-2.6.39.2/sound/aoa/aoa.h linux-2.6.39.2/sound/aoa/aoa.h
80423 --- linux-2.6.39.2/sound/aoa/aoa.h 2011-05-19 00:06:34.000000000 -0400
80424 +++ linux-2.6.39.2/sound/aoa/aoa.h 2011-05-22 19:36:35.000000000 -0400
80425 @@ -122,8 +122,8 @@ extern struct snd_card *aoa_get_card(voi
80426 extern int aoa_snd_ctl_add(struct snd_kcontrol* control);
80427
80428 /* GPIO stuff */
80429 -extern struct gpio_methods *pmf_gpio_methods;
80430 -extern struct gpio_methods *ftr_gpio_methods;
80431 +extern const struct gpio_methods *pmf_gpio_methods;
80432 +extern const struct gpio_methods *ftr_gpio_methods;
80433 /* extern struct gpio_methods *map_gpio_methods; */
80434
80435 #endif /* __AOA_H */
80436 diff -urNp linux-2.6.39.2/sound/aoa/codecs/onyx.c linux-2.6.39.2/sound/aoa/codecs/onyx.c
80437 --- linux-2.6.39.2/sound/aoa/codecs/onyx.c 2011-05-19 00:06:34.000000000 -0400
80438 +++ linux-2.6.39.2/sound/aoa/codecs/onyx.c 2011-05-22 19:36:35.000000000 -0400
80439 @@ -54,7 +54,7 @@ struct onyx {
80440 spdif_locked:1,
80441 analog_locked:1,
80442 original_mute:2;
80443 - int open_count;
80444 + local_t open_count;
80445 struct codec_info *codec_info;
80446
80447 /* mutex serializes concurrent access to the device
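Review bot: `open_count` becomes a `local_t`, a type whose operations are designed for per-CPU use, so the counter still depends on `onyx->mutex` for correctness across CPUs. The two later hunks in this file (onyx_open() and onyx_close()) do hold the mutex around `local_inc()` and `local_dec_and_test()`, but the field itself carries no comment. `local_t open_count; /* protected by mutex */` would state the rule. Any other reader of `open_count` outside the visible hunks has to be converted to `local_read()`.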
80448 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
80449 struct onyx *onyx = cii->codec_data;
80450
80451 mutex_lock(&onyx->mutex);
80452 - onyx->open_count++;
80453 + local_inc(&onyx->open_count);
80454 mutex_unlock(&onyx->mutex);
80455
80456 return 0;
80457 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
80458 struct onyx *onyx = cii->codec_data;
80459
80460 mutex_lock(&onyx->mutex);
80461 - onyx->open_count--;
80462 - if (!onyx->open_count)
80463 + if (local_dec_and_test(&onyx->open_count))
80464 onyx->spdif_locked = onyx->analog_locked = 0;
80465 mutex_unlock(&onyx->mutex);
80466
80467 diff -urNp linux-2.6.39.2/sound/aoa/codecs/onyx.h linux-2.6.39.2/sound/aoa/codecs/onyx.h
80468 --- linux-2.6.39.2/sound/aoa/codecs/onyx.h 2011-05-19 00:06:34.000000000 -0400
80469 +++ linux-2.6.39.2/sound/aoa/codecs/onyx.h 2011-05-22 19:36:35.000000000 -0400
80470 @@ -11,6 +11,7 @@
80471 #include <linux/i2c.h>
80472 #include <asm/pmac_low_i2c.h>
80473 #include <asm/prom.h>
80474 +#include <asm/local.h>
80475
80476 /* PCM3052 register definitions */
80477
80478 diff -urNp linux-2.6.39.2/sound/arm/aaci.c linux-2.6.39.2/sound/arm/aaci.c
80479 --- linux-2.6.39.2/sound/arm/aaci.c 2011-05-19 00:06:34.000000000 -0400
80480 +++ linux-2.6.39.2/sound/arm/aaci.c 2011-05-22 19:36:35.000000000 -0400
80481 @@ -635,7 +635,7 @@ static int aaci_pcm_playback_trigger(str
80482 return ret;
80483 }
80484
80485 -static struct snd_pcm_ops aaci_playback_ops = {
80486 +static const struct snd_pcm_ops aaci_playback_ops = {
80487 .open = aaci_pcm_open,
80488 .close = aaci_pcm_close,
80489 .ioctl = snd_pcm_lib_ioctl,
80490 @@ -738,7 +738,7 @@ static int aaci_pcm_capture_prepare(stru
80491 return 0;
80492 }
80493
80494 -static struct snd_pcm_ops aaci_capture_ops = {
80495 +static const struct snd_pcm_ops aaci_capture_ops = {
80496 .open = aaci_pcm_open,
80497 .close = aaci_pcm_close,
80498 .ioctl = snd_pcm_lib_ioctl,
80499 @@ -827,7 +827,7 @@ static struct ac97_pcm ac97_defs[] __dev
80500 }
80501 };
80502
80503 -static struct snd_ac97_bus_ops aaci_bus_ops = {
80504 +static const struct snd_ac97_bus_ops aaci_bus_ops = {
80505 .write = aaci_ac97_write,
80506 .read = aaci_ac97_read,
80507 };
80508 diff -urNp linux-2.6.39.2/sound/arm/pxa2xx-ac97.c linux-2.6.39.2/sound/arm/pxa2xx-ac97.c
80509 --- linux-2.6.39.2/sound/arm/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
80510 +++ linux-2.6.39.2/sound/arm/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
80511 @@ -34,7 +34,7 @@ static void pxa2xx_ac97_reset(struct snd
80512 pxa2xx_ac97_finish_reset(ac97);
80513 }
80514
80515 -static struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80516 +static const struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80517 .read = pxa2xx_ac97_read,
80518 .write = pxa2xx_ac97_write,
80519 .reset = pxa2xx_ac97_reset,
80520 diff -urNp linux-2.6.39.2/sound/atmel/abdac.c linux-2.6.39.2/sound/atmel/abdac.c
80521 --- linux-2.6.39.2/sound/atmel/abdac.c 2011-05-19 00:06:34.000000000 -0400
80522 +++ linux-2.6.39.2/sound/atmel/abdac.c 2011-05-22 19:36:35.000000000 -0400
80523 @@ -297,7 +297,7 @@ static irqreturn_t abdac_interrupt(int i
80524 return IRQ_HANDLED;
80525 }
80526
80527 -static struct snd_pcm_ops atmel_abdac_ops = {
80528 +static const struct snd_pcm_ops atmel_abdac_ops = {
80529 .open = atmel_abdac_open,
80530 .close = atmel_abdac_close,
80531 .ioctl = snd_pcm_lib_ioctl,
80532 diff -urNp linux-2.6.39.2/sound/atmel/ac97c.c linux-2.6.39.2/sound/atmel/ac97c.c
80533 --- linux-2.6.39.2/sound/atmel/ac97c.c 2011-05-19 00:06:34.000000000 -0400
80534 +++ linux-2.6.39.2/sound/atmel/ac97c.c 2011-05-22 19:36:35.000000000 -0400
80535 @@ -626,7 +626,7 @@ atmel_ac97c_capture_pointer(struct snd_p
80536 return frames;
80537 }
80538
80539 -static struct snd_pcm_ops atmel_ac97_playback_ops = {
80540 +static const struct snd_pcm_ops atmel_ac97_playback_ops = {
80541 .open = atmel_ac97c_playback_open,
80542 .close = atmel_ac97c_playback_close,
80543 .ioctl = snd_pcm_lib_ioctl,
80544 @@ -637,7 +637,7 @@ static struct snd_pcm_ops atmel_ac97_pla
80545 .pointer = atmel_ac97c_playback_pointer,
80546 };
80547
80548 -static struct snd_pcm_ops atmel_ac97_capture_ops = {
80549 +static const struct snd_pcm_ops atmel_ac97_capture_ops = {
80550 .open = atmel_ac97c_capture_open,
80551 .close = atmel_ac97c_capture_close,
80552 .ioctl = snd_pcm_lib_ioctl,
80553 @@ -909,7 +909,7 @@ static int __devinit atmel_ac97c_probe(s
80554 struct resource *regs;
80555 struct ac97c_platform_data *pdata;
80556 struct clk *pclk;
80557 - static struct snd_ac97_bus_ops ops = {
80558 + static const struct snd_ac97_bus_ops ops = {
80559 .write = atmel_ac97c_write,
80560 .read = atmel_ac97c_read,
80561 };
80562 diff -urNp linux-2.6.39.2/sound/core/control.c linux-2.6.39.2/sound/core/control.c
80563 --- linux-2.6.39.2/sound/core/control.c 2011-05-19 00:06:34.000000000 -0400
80564 +++ linux-2.6.39.2/sound/core/control.c 2011-05-22 19:36:35.000000000 -0400
80565 @@ -1520,7 +1520,7 @@ static int snd_ctl_dev_free(struct snd_d
80566 */
80567 int snd_ctl_create(struct snd_card *card)
80568 {
80569 - static struct snd_device_ops ops = {
80570 + static const struct snd_device_ops ops = {
80571 .dev_free = snd_ctl_dev_free,
80572 .dev_register = snd_ctl_dev_register,
80573 .dev_disconnect = snd_ctl_dev_disconnect,
80574 diff -urNp linux-2.6.39.2/sound/core/device.c linux-2.6.39.2/sound/core/device.c
80575 --- linux-2.6.39.2/sound/core/device.c 2011-05-19 00:06:34.000000000 -0400
80576 +++ linux-2.6.39.2/sound/core/device.c 2011-05-22 19:36:35.000000000 -0400
80577 @@ -41,7 +41,7 @@
80578 * Returns zero if successful, or a negative error code on failure.
80579 */
80580 int snd_device_new(struct snd_card *card, snd_device_type_t type,
80581 - void *device_data, struct snd_device_ops *ops)
80582 + void *device_data, const struct snd_device_ops *ops)
80583 {
80584 struct snd_device *dev;
80585
80586 diff -urNp linux-2.6.39.2/sound/core/hwdep.c linux-2.6.39.2/sound/core/hwdep.c
80587 --- linux-2.6.39.2/sound/core/hwdep.c 2011-05-19 00:06:34.000000000 -0400
80588 +++ linux-2.6.39.2/sound/core/hwdep.c 2011-05-22 19:36:35.000000000 -0400
80589 @@ -348,7 +348,7 @@ int snd_hwdep_new(struct snd_card *card,
80590 {
80591 struct snd_hwdep *hwdep;
80592 int err;
80593 - static struct snd_device_ops ops = {
80594 + static const struct snd_device_ops ops = {
80595 .dev_free = snd_hwdep_dev_free,
80596 .dev_register = snd_hwdep_dev_register,
80597 .dev_disconnect = snd_hwdep_dev_disconnect,
80598 diff -urNp linux-2.6.39.2/sound/core/info.c linux-2.6.39.2/sound/core/info.c
80599 --- linux-2.6.39.2/sound/core/info.c 2011-05-19 00:06:34.000000000 -0400
80600 +++ linux-2.6.39.2/sound/core/info.c 2011-05-22 19:36:35.000000000 -0400
80601 @@ -897,7 +897,7 @@ static int snd_info_dev_register_entry(s
80602 int snd_card_proc_new(struct snd_card *card, const char *name,
80603 struct snd_info_entry **entryp)
80604 {
80605 - static struct snd_device_ops ops = {
80606 + static const struct snd_device_ops ops = {
80607 .dev_free = snd_info_dev_free_entry,
80608 .dev_register = snd_info_dev_register_entry,
80609 /* disconnect is done via snd_info_card_disconnect() */
80610 diff -urNp linux-2.6.39.2/sound/core/jack.c linux-2.6.39.2/sound/core/jack.c
80611 --- linux-2.6.39.2/sound/core/jack.c 2011-05-19 00:06:34.000000000 -0400
80612 +++ linux-2.6.39.2/sound/core/jack.c 2011-05-22 19:36:35.000000000 -0400
80613 @@ -105,7 +105,7 @@ int snd_jack_new(struct snd_card *card,
80614 struct snd_jack *jack;
80615 int err;
80616 int i;
80617 - static struct snd_device_ops ops = {
80618 + static const struct snd_device_ops ops = {
80619 .dev_free = snd_jack_dev_free,
80620 .dev_register = snd_jack_dev_register,
80621 };
80622 diff -urNp linux-2.6.39.2/sound/core/pcm.c linux-2.6.39.2/sound/core/pcm.c
80623 --- linux-2.6.39.2/sound/core/pcm.c 2011-05-19 00:06:34.000000000 -0400
80624 +++ linux-2.6.39.2/sound/core/pcm.c 2011-05-22 19:36:35.000000000 -0400
80625 @@ -717,7 +717,7 @@ int snd_pcm_new(struct snd_card *card, c
80626 {
80627 struct snd_pcm *pcm;
80628 int err;
80629 - static struct snd_device_ops ops = {
80630 + static const struct snd_device_ops ops = {
80631 .dev_free = snd_pcm_dev_free,
80632 .dev_register = snd_pcm_dev_register,
80633 .dev_disconnect = snd_pcm_dev_disconnect,
80634 diff -urNp linux-2.6.39.2/sound/core/pcm_lib.c linux-2.6.39.2/sound/core/pcm_lib.c
80635 --- linux-2.6.39.2/sound/core/pcm_lib.c 2011-05-19 00:06:34.000000000 -0400
80636 +++ linux-2.6.39.2/sound/core/pcm_lib.c 2011-05-22 19:36:35.000000000 -0400
80637 @@ -505,7 +505,7 @@ int snd_pcm_update_hw_ptr(struct snd_pcm
80638 *
80639 * Sets the given PCM operators to the pcm instance.
80640 */
80641 -void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, struct snd_pcm_ops *ops)
80642 +void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, const struct snd_pcm_ops *ops)
80643 {
80644 struct snd_pcm_str *stream = &pcm->streams[direction];
80645 struct snd_pcm_substream *substream;
80646 diff -urNp linux-2.6.39.2/sound/core/pcm_native.c linux-2.6.39.2/sound/core/pcm_native.c
80647 --- linux-2.6.39.2/sound/core/pcm_native.c 2011-05-19 00:06:34.000000000 -0400
80648 +++ linux-2.6.39.2/sound/core/pcm_native.c 2011-05-22 19:36:35.000000000 -0400
80649 @@ -702,7 +702,7 @@ struct action_ops {
80650 * Note: the stream state might be changed also on failure
80651 * Note2: call with calling stream lock + link lock
80652 */
80653 -static int snd_pcm_action_group(struct action_ops *ops,
80654 +static int snd_pcm_action_group(const struct action_ops *ops,
80655 struct snd_pcm_substream *substream,
80656 int state, int do_lock)
80657 {
80658 @@ -751,7 +751,7 @@ static int snd_pcm_action_group(struct a
80659 /*
80660 * Note: call with stream lock
80661 */
80662 -static int snd_pcm_action_single(struct action_ops *ops,
80663 +static int snd_pcm_action_single(const struct action_ops *ops,
80664 struct snd_pcm_substream *substream,
80665 int state)
80666 {
80667 @@ -771,7 +771,7 @@ static int snd_pcm_action_single(struct
80668 /*
80669 * Note: call with stream lock
80670 */
80671 -static int snd_pcm_action(struct action_ops *ops,
80672 +static int snd_pcm_action(const struct action_ops *ops,
80673 struct snd_pcm_substream *substream,
80674 int state)
80675 {
80676 @@ -794,7 +794,7 @@ static int snd_pcm_action(struct action_
80677 /*
80678 * Note: don't use any locks before
80679 */
80680 -static int snd_pcm_action_lock_irq(struct action_ops *ops,
80681 +static int snd_pcm_action_lock_irq(const struct action_ops *ops,
80682 struct snd_pcm_substream *substream,
80683 int state)
80684 {
80685 @@ -818,7 +818,7 @@ static int snd_pcm_action_lock_irq(struc
80686
80687 /*
80688 */
80689 -static int snd_pcm_action_nonatomic(struct action_ops *ops,
80690 +static int snd_pcm_action_nonatomic(const struct action_ops *ops,
80691 struct snd_pcm_substream *substream,
80692 int state)
80693 {
80694 @@ -877,7 +877,7 @@ static void snd_pcm_post_start(struct sn
80695 &runtime->trigger_tstamp);
80696 }
80697
80698 -static struct action_ops snd_pcm_action_start = {
80699 +static const struct action_ops snd_pcm_action_start = {
80700 .pre_action = snd_pcm_pre_start,
80701 .do_action = snd_pcm_do_start,
80702 .undo_action = snd_pcm_undo_start,
80703 @@ -928,7 +928,7 @@ static void snd_pcm_post_stop(struct snd
80704 wake_up(&runtime->tsleep);
80705 }
80706
80707 -static struct action_ops snd_pcm_action_stop = {
80708 +static const struct action_ops snd_pcm_action_stop = {
80709 .pre_action = snd_pcm_pre_stop,
80710 .do_action = snd_pcm_do_stop,
80711 .post_action = snd_pcm_post_stop
80712 @@ -1025,7 +1025,7 @@ static void snd_pcm_post_pause(struct sn
80713 }
80714 }
80715
80716 -static struct action_ops snd_pcm_action_pause = {
80717 +static const struct action_ops snd_pcm_action_pause = {
80718 .pre_action = snd_pcm_pre_pause,
80719 .do_action = snd_pcm_do_pause,
80720 .undo_action = snd_pcm_undo_pause,
80721 @@ -1076,7 +1076,7 @@ static void snd_pcm_post_suspend(struct
80722 wake_up(&runtime->tsleep);
80723 }
80724
80725 -static struct action_ops snd_pcm_action_suspend = {
80726 +static const struct action_ops snd_pcm_action_suspend = {
80727 .pre_action = snd_pcm_pre_suspend,
80728 .do_action = snd_pcm_do_suspend,
80729 .post_action = snd_pcm_post_suspend
80730 @@ -1175,7 +1175,7 @@ static void snd_pcm_post_resume(struct s
80731 runtime->status->state = runtime->status->suspended_state;
80732 }
80733
80734 -static struct action_ops snd_pcm_action_resume = {
80735 +static const struct action_ops snd_pcm_action_resume = {
80736 .pre_action = snd_pcm_pre_resume,
80737 .do_action = snd_pcm_do_resume,
80738 .undo_action = snd_pcm_undo_resume,
80739 @@ -1278,7 +1278,7 @@ static void snd_pcm_post_reset(struct sn
80740 snd_pcm_playback_silence(substream, ULONG_MAX);
80741 }
80742
80743 -static struct action_ops snd_pcm_action_reset = {
80744 +static const struct action_ops snd_pcm_action_reset = {
80745 .pre_action = snd_pcm_pre_reset,
80746 .do_action = snd_pcm_do_reset,
80747 .post_action = snd_pcm_post_reset
80748 @@ -1322,7 +1322,7 @@ static void snd_pcm_post_prepare(struct
80749 runtime->status->state = SNDRV_PCM_STATE_PREPARED;
80750 }
80751
80752 -static struct action_ops snd_pcm_action_prepare = {
80753 +static const struct action_ops snd_pcm_action_prepare = {
80754 .pre_action = snd_pcm_pre_prepare,
80755 .do_action = snd_pcm_do_prepare,
80756 .post_action = snd_pcm_post_prepare
80757 @@ -1397,7 +1397,7 @@ static void snd_pcm_post_drain_init(stru
80758 {
80759 }
80760
80761 -static struct action_ops snd_pcm_action_drain_init = {
80762 +static const struct action_ops snd_pcm_action_drain_init = {
80763 .pre_action = snd_pcm_pre_drain_init,
80764 .do_action = snd_pcm_do_drain_init,
80765 .post_action = snd_pcm_post_drain_init
80766 diff -urNp linux-2.6.39.2/sound/core/rawmidi.c linux-2.6.39.2/sound/core/rawmidi.c
80767 --- linux-2.6.39.2/sound/core/rawmidi.c 2011-05-19 00:06:34.000000000 -0400
80768 +++ linux-2.6.39.2/sound/core/rawmidi.c 2011-05-22 19:36:35.000000000 -0400
80769 @@ -1449,7 +1449,7 @@ int snd_rawmidi_new(struct snd_card *car
80770 {
80771 struct snd_rawmidi *rmidi;
80772 int err;
80773 - static struct snd_device_ops ops = {
80774 + static const struct snd_device_ops ops = {
80775 .dev_free = snd_rawmidi_dev_free,
80776 .dev_register = snd_rawmidi_dev_register,
80777 .dev_disconnect = snd_rawmidi_dev_disconnect,
80778 @@ -1654,7 +1654,7 @@ static int snd_rawmidi_dev_disconnect(st
80779 * Sets the rawmidi operators for the given stream direction.
80780 */
80781 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
80782 - struct snd_rawmidi_ops *ops)
80783 + const struct snd_rawmidi_ops *ops)
80784 {
80785 struct snd_rawmidi_substream *substream;
80786
80787 diff -urNp linux-2.6.39.2/sound/core/seq/seq_device.c linux-2.6.39.2/sound/core/seq/seq_device.c
80788 --- linux-2.6.39.2/sound/core/seq/seq_device.c 2011-05-19 00:06:34.000000000 -0400
80789 +++ linux-2.6.39.2/sound/core/seq/seq_device.c 2011-05-22 19:36:35.000000000 -0400
80790 @@ -178,7 +178,7 @@ int snd_seq_device_new(struct snd_card *
80791 struct snd_seq_device *dev;
80792 struct ops_list *ops;
80793 int err;
80794 - static struct snd_device_ops dops = {
80795 + static const struct snd_device_ops dops = {
80796 .dev_free = snd_seq_device_dev_free,
80797 .dev_register = snd_seq_device_dev_register,
80798 .dev_disconnect = snd_seq_device_dev_disconnect,
80799 @@ -307,7 +307,7 @@ static int snd_seq_device_dev_disconnect
80800 * id = driver id
80801 * entry = driver operators - duplicated to each instance
80802 */
80803 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
80804 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry,
80805 int argsize)
80806 {
80807 struct ops_list *ops;
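Review bot: Making `entry` a `const` pointer protects the caller's table, but the comment just above says the operators are "duplicated to each instance", so the function pointers that are actually invoked presumably live in a copy that stays writable. The function body is outside this hunk, so this is inferred from the comment alone. If it holds, the parameter comment should say so, e.g. `entry = driver operators - copied; the stored copy is not const`, so that nobody reads the signature as meaning the registered operators are immutable.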
80808 diff -urNp linux-2.6.39.2/sound/core/seq/seq_midi.c linux-2.6.39.2/sound/core/seq/seq_midi.c
80809 --- linux-2.6.39.2/sound/core/seq/seq_midi.c 2011-05-19 00:06:34.000000000 -0400
80810 +++ linux-2.6.39.2/sound/core/seq/seq_midi.c 2011-05-22 19:36:35.000000000 -0400
80811 @@ -461,7 +461,7 @@ snd_seq_midisynth_unregister_port(struct
80812
80813 static int __init alsa_seq_midi_init(void)
80814 {
80815 - static struct snd_seq_dev_ops ops = {
80816 + static const struct snd_seq_dev_ops ops = {
80817 snd_seq_midisynth_register_port,
80818 snd_seq_midisynth_unregister_port,
80819 };
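Review bot: The table constified here is still initialised positionally, unlike the other ops tables in this part of the patch, which use designated initialisers. With positional entries, reordering the members of `struct snd_seq_dev_ops` would silently swap the two callbacks without any compiler diagnostic. Since the line is being touched anyway, writing the entries as `.init_device = snd_seq_midisynth_register_port,` and `.free_device = snd_seq_midisynth_unregister_port,` would make the table robust against that. The body of `alsa_seq_midi_init` continues outside the hunk.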
80820 diff -urNp linux-2.6.39.2/sound/core/seq/seq_virmidi.c linux-2.6.39.2/sound/core/seq/seq_virmidi.c
80821 --- linux-2.6.39.2/sound/core/seq/seq_virmidi.c 2011-05-19 00:06:34.000000000 -0400
80822 +++ linux-2.6.39.2/sound/core/seq/seq_virmidi.c 2011-05-22 19:36:35.000000000 -0400
80823 @@ -337,13 +337,13 @@ static int snd_virmidi_unuse(void *priva
80824 * Register functions
80825 */
80826
80827 -static struct snd_rawmidi_ops snd_virmidi_input_ops = {
80828 +static const struct snd_rawmidi_ops snd_virmidi_input_ops = {
80829 .open = snd_virmidi_input_open,
80830 .close = snd_virmidi_input_close,
80831 .trigger = snd_virmidi_input_trigger,
80832 };
80833
80834 -static struct snd_rawmidi_ops snd_virmidi_output_ops = {
80835 +static const struct snd_rawmidi_ops snd_virmidi_output_ops = {
80836 .open = snd_virmidi_output_open,
80837 .close = snd_virmidi_output_close,
80838 .trigger = snd_virmidi_output_trigger,
80839 @@ -467,7 +467,7 @@ static int snd_virmidi_dev_unregister(st
80840 /*
80841 *
80842 */
80843 -static struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
80844 +static const struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
80845 .dev_register = snd_virmidi_dev_register,
80846 .dev_unregister = snd_virmidi_dev_unregister,
80847 };
80848 diff -urNp linux-2.6.39.2/sound/core/timer.c linux-2.6.39.2/sound/core/timer.c
80849 --- linux-2.6.39.2/sound/core/timer.c 2011-05-19 00:06:34.000000000 -0400
80850 +++ linux-2.6.39.2/sound/core/timer.c 2011-05-22 19:36:35.000000000 -0400
80851 @@ -756,7 +756,7 @@ int snd_timer_new(struct snd_card *card,
80852 {
80853 struct snd_timer *timer;
80854 int err;
80855 - static struct snd_device_ops ops = {
80856 + static const struct snd_device_ops ops = {
80857 .dev_free = snd_timer_dev_free,
80858 .dev_register = snd_timer_dev_register,
80859 .dev_disconnect = snd_timer_dev_disconnect,
80860 diff -urNp linux-2.6.39.2/sound/drivers/aloop.c linux-2.6.39.2/sound/drivers/aloop.c
80861 --- linux-2.6.39.2/sound/drivers/aloop.c 2011-05-19 00:06:34.000000000 -0400
80862 +++ linux-2.6.39.2/sound/drivers/aloop.c 2011-05-22 19:36:35.000000000 -0400
80863 @@ -731,7 +731,7 @@ static int loopback_close(struct snd_pcm
80864 return 0;
80865 }
80866
80867 -static struct snd_pcm_ops loopback_playback_ops = {
80868 +static const struct snd_pcm_ops loopback_playback_ops = {
80869 .open = loopback_open,
80870 .close = loopback_close,
80871 .ioctl = snd_pcm_lib_ioctl,
80872 @@ -742,7 +742,7 @@ static struct snd_pcm_ops loopback_playb
80873 .pointer = loopback_pointer,
80874 };
80875
80876 -static struct snd_pcm_ops loopback_capture_ops = {
80877 +static const struct snd_pcm_ops loopback_capture_ops = {
80878 .open = loopback_open,
80879 .close = loopback_close,
80880 .ioctl = snd_pcm_lib_ioctl,
80881 diff -urNp linux-2.6.39.2/sound/drivers/dummy.c linux-2.6.39.2/sound/drivers/dummy.c
80882 --- linux-2.6.39.2/sound/drivers/dummy.c 2011-05-19 00:06:34.000000000 -0400
80883 +++ linux-2.6.39.2/sound/drivers/dummy.c 2011-05-22 19:36:35.000000000 -0400
80884 @@ -350,7 +350,7 @@ static void dummy_systimer_free(struct s
80885 kfree(substream->runtime->private_data);
80886 }
80887
80888 -static struct dummy_timer_ops dummy_systimer_ops = {
80889 +static const struct dummy_timer_ops dummy_systimer_ops = {
80890 .create = dummy_systimer_create,
80891 .free = dummy_systimer_free,
80892 .prepare = dummy_systimer_prepare,
80893 @@ -474,7 +474,7 @@ static void dummy_hrtimer_free(struct sn
80894 kfree(dpcm);
80895 }
80896
80897 -static struct dummy_timer_ops dummy_hrtimer_ops = {
80898 +static const struct dummy_timer_ops dummy_hrtimer_ops = {
80899 .create = dummy_hrtimer_create,
80900 .free = dummy_hrtimer_free,
80901 .prepare = dummy_hrtimer_prepare,
80902 @@ -660,7 +660,7 @@ static struct page *dummy_pcm_page(struc
80903 return virt_to_page(dummy_page[substream->stream]); /* the same page */
80904 }
80905
80906 -static struct snd_pcm_ops dummy_pcm_ops = {
80907 +static const struct snd_pcm_ops dummy_pcm_ops = {
80908 .open = dummy_pcm_open,
80909 .close = dummy_pcm_close,
80910 .ioctl = snd_pcm_lib_ioctl,
80911 @@ -671,7 +671,7 @@ static struct snd_pcm_ops dummy_pcm_ops
80912 .pointer = dummy_pcm_pointer,
80913 };
80914
80915 -static struct snd_pcm_ops dummy_pcm_ops_no_buf = {
80916 +static const struct snd_pcm_ops dummy_pcm_ops_no_buf = {
80917 .open = dummy_pcm_open,
80918 .close = dummy_pcm_close,
80919 .ioctl = snd_pcm_lib_ioctl,
80920 @@ -689,7 +689,7 @@ static int __devinit snd_card_dummy_pcm(
80921 int substreams)
80922 {
80923 struct snd_pcm *pcm;
80924 - struct snd_pcm_ops *ops;
80925 + const struct snd_pcm_ops *ops;
80926 int err;
80927
80928 err = snd_pcm_new(dummy->card, "Dummy PCM", device,
80929 diff -urNp linux-2.6.39.2/sound/drivers/ml403-ac97cr.c linux-2.6.39.2/sound/drivers/ml403-ac97cr.c
80930 --- linux-2.6.39.2/sound/drivers/ml403-ac97cr.c 2011-05-19 00:06:34.000000000 -0400
80931 +++ linux-2.6.39.2/sound/drivers/ml403-ac97cr.c 2011-05-22 19:36:35.000000000 -0400
80932 @@ -759,7 +759,7 @@ static int snd_ml403_ac97cr_capture_clos
80933 return 0;
80934 }
80935
80936 -static struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
80937 +static const struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
80938 .open = snd_ml403_ac97cr_playback_open,
80939 .close = snd_ml403_ac97cr_playback_close,
80940 .ioctl = snd_pcm_lib_ioctl,
80941 @@ -770,7 +770,7 @@ static struct snd_pcm_ops snd_ml403_ac97
80942 .pointer = snd_ml403_ac97cr_pcm_pointer,
80943 };
80944
80945 -static struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
80946 +static const struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
80947 .open = snd_ml403_ac97cr_capture_open,
80948 .close = snd_ml403_ac97cr_capture_close,
80949 .ioctl = snd_pcm_lib_ioctl,
80950 @@ -1114,7 +1114,7 @@ snd_ml403_ac97cr_create(struct snd_card
80951 {
80952 struct snd_ml403_ac97cr *ml403_ac97cr;
80953 int err;
80954 - static struct snd_device_ops ops = {
80955 + static const struct snd_device_ops ops = {
80956 .dev_free = snd_ml403_ac97cr_dev_free,
80957 };
80958 struct resource *resource;
80959 @@ -1210,7 +1210,7 @@ snd_ml403_ac97cr_mixer(struct snd_ml403_
80960 struct snd_ac97_bus *bus;
80961 struct snd_ac97_template ac97;
80962 int err;
80963 - static struct snd_ac97_bus_ops ops = {
80964 + static const struct snd_ac97_bus_ops ops = {
80965 .write = snd_ml403_ac97cr_codec_write,
80966 .read = snd_ml403_ac97cr_codec_read,
80967 };
80968 diff -urNp linux-2.6.39.2/sound/drivers/mtpav.c linux-2.6.39.2/sound/drivers/mtpav.c
80969 --- linux-2.6.39.2/sound/drivers/mtpav.c 2011-05-19 00:06:34.000000000 -0400
80970 +++ linux-2.6.39.2/sound/drivers/mtpav.c 2011-05-22 19:36:35.000000000 -0400
80971 @@ -601,13 +601,13 @@ static int __devinit snd_mtpav_get_ISA(s
80972 /*
80973 */
80974
80975 -static struct snd_rawmidi_ops snd_mtpav_output = {
80976 +static const struct snd_rawmidi_ops snd_mtpav_output = {
80977 .open = snd_mtpav_output_open,
80978 .close = snd_mtpav_output_close,
80979 .trigger = snd_mtpav_output_trigger,
80980 };
80981
80982 -static struct snd_rawmidi_ops snd_mtpav_input = {
80983 +static const struct snd_rawmidi_ops snd_mtpav_input = {
80984 .open = snd_mtpav_input_open,
80985 .close = snd_mtpav_input_close,
80986 .trigger = snd_mtpav_input_trigger,
80987 diff -urNp linux-2.6.39.2/sound/drivers/mts64.c linux-2.6.39.2/sound/drivers/mts64.c
80988 --- linux-2.6.39.2/sound/drivers/mts64.c 2011-05-19 00:06:34.000000000 -0400
80989 +++ linux-2.6.39.2/sound/drivers/mts64.c 2011-05-22 19:36:35.000000000 -0400
80990 @@ -28,6 +28,7 @@
80991 #include <sound/initval.h>
80992 #include <sound/rawmidi.h>
80993 #include <sound/control.h>
80994 +#include <asm/local.h>
80995
80996 #define CARD_NAME "Miditerminal 4140"
80997 #define DRIVER_NAME "MTS64"
80998 @@ -66,7 +67,7 @@ struct mts64 {
80999 struct pardevice *pardev;
81000 int pardev_claimed;
81001
81002 - int open_count;
81003 + local_t open_count;
81004 int current_midi_output_port;
81005 int current_midi_input_port;
81006 u8 mode[MTS64_NUM_INPUT_PORTS];
81007 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
81008 {
81009 struct mts64 *mts = substream->rmidi->private_data;
81010
81011 - if (mts->open_count == 0) {
81012 + if (local_read(&mts->open_count) == 0) {
81013 /* We don't need a spinlock here, because this is just called
81014 if the device has not been opened before.
81015 So there aren't any IRQs from the device */
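Review bot: The `local_read(&mts->open_count) == 0` test here and the `local_inc()` in the next hunk are still two separate steps, so two concurrent opens could both see zero and both run the first-open initialisation. `local_t` operations are atomic only with respect to the CPU executing them, so the conversion does not make this counter safe against another CPU. The same pattern appears in `snd_mts64_rawmidi_close`, where `local_dec_return()` is followed by a separate `local_read()`/`local_set()` clamp. No lock around the counter is visible in these hunks, though the rawmidi core may serialise open and close outside this view. If it does not, an `atomic_t` with `atomic_inc_return(&mts->open_count) == 1` on open and `atomic_dec_and_test(&mts->open_count)` on close would make the first-open and last-close decisions single operations.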
81016 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
81017
81018 msleep(50);
81019 }
81020 - ++(mts->open_count);
81021 + local_inc(&mts->open_count);
81022
81023 return 0;
81024 }
81025 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
81026 struct mts64 *mts = substream->rmidi->private_data;
81027 unsigned long flags;
81028
81029 - --(mts->open_count);
81030 - if (mts->open_count == 0) {
81031 + if (local_dec_return(&mts->open_count) == 0) {
81032 /* We need the spinlock_irqsave here because we can still
81033 have IRQs at this point */
81034 spin_lock_irqsave(&mts->lock, flags);
81035 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
81036
81037 msleep(500);
81038
81039 - } else if (mts->open_count < 0)
81040 - mts->open_count = 0;
81041 + } else if (local_read(&mts->open_count) < 0)
81042 + local_set(&mts->open_count, 0);
81043
81044 return 0;
81045 }
81046 @@ -760,13 +760,13 @@ static void snd_mts64_rawmidi_input_trig
81047 spin_unlock_irqrestore(&mts->lock, flags);
81048 }
81049
81050 -static struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81051 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81052 .open = snd_mts64_rawmidi_open,
81053 .close = snd_mts64_rawmidi_close,
81054 .trigger = snd_mts64_rawmidi_output_trigger
81055 };
81056
81057 -static struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81058 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81059 .open = snd_mts64_rawmidi_open,
81060 .close = snd_mts64_rawmidi_close,
81061 .trigger = snd_mts64_rawmidi_input_trigger
81062 diff -urNp linux-2.6.39.2/sound/drivers/pcsp/pcsp.c linux-2.6.39.2/sound/drivers/pcsp/pcsp.c
81063 --- linux-2.6.39.2/sound/drivers/pcsp/pcsp.c 2011-05-19 00:06:34.000000000 -0400
81064 +++ linux-2.6.39.2/sound/drivers/pcsp/pcsp.c 2011-05-22 19:36:35.000000000 -0400
81065 @@ -41,7 +41,7 @@ struct snd_pcsp pcsp_chip;
81066
81067 static int __devinit snd_pcsp_create(struct snd_card *card)
81068 {
81069 - static struct snd_device_ops ops = { };
81070 + static const struct snd_device_ops ops = { };
81071 struct timespec tp;
81072 int err;
81073 int div, min_div, order;
81074 diff -urNp linux-2.6.39.2/sound/drivers/pcsp/pcsp_lib.c linux-2.6.39.2/sound/drivers/pcsp/pcsp_lib.c
81075 --- linux-2.6.39.2/sound/drivers/pcsp/pcsp_lib.c 2011-05-19 00:06:34.000000000 -0400
81076 +++ linux-2.6.39.2/sound/drivers/pcsp/pcsp_lib.c 2011-05-22 19:36:35.000000000 -0400
81077 @@ -323,7 +323,7 @@ static int snd_pcsp_playback_open(struct
81078 return 0;
81079 }
81080
81081 -static struct snd_pcm_ops snd_pcsp_playback_ops = {
81082 +static const struct snd_pcm_ops snd_pcsp_playback_ops = {
81083 .open = snd_pcsp_playback_open,
81084 .close = snd_pcsp_playback_close,
81085 .ioctl = snd_pcm_lib_ioctl,
81086 diff -urNp linux-2.6.39.2/sound/drivers/portman2x4.c linux-2.6.39.2/sound/drivers/portman2x4.c
81087 --- linux-2.6.39.2/sound/drivers/portman2x4.c 2011-05-19 00:06:34.000000000 -0400
81088 +++ linux-2.6.39.2/sound/drivers/portman2x4.c 2011-05-22 19:36:35.000000000 -0400
81089 @@ -47,6 +47,7 @@
81090 #include <sound/initval.h>
81091 #include <sound/rawmidi.h>
81092 #include <sound/control.h>
81093 +#include <asm/local.h>
81094
81095 #define CARD_NAME "Portman 2x4"
81096 #define DRIVER_NAME "portman"
81097 @@ -84,7 +85,7 @@ struct portman {
81098 struct pardevice *pardev;
81099 int pardev_claimed;
81100
81101 - int open_count;
81102 + local_t open_count;
81103 int mode[PORTMAN_NUM_INPUT_PORTS];
81104 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
81105 };
81106 @@ -547,13 +548,13 @@ static void snd_portman_midi_output_trig
81107 spin_unlock_irqrestore(&pm->reg_lock, flags);
81108 }
81109
81110 -static struct snd_rawmidi_ops snd_portman_midi_output = {
81111 +static const struct snd_rawmidi_ops snd_portman_midi_output = {
81112 .open = snd_portman_midi_open,
81113 .close = snd_portman_midi_close,
81114 .trigger = snd_portman_midi_output_trigger,
81115 };
81116
81117 -static struct snd_rawmidi_ops snd_portman_midi_input = {
81118 +static const struct snd_rawmidi_ops snd_portman_midi_input = {
81119 .open = snd_portman_midi_open,
81120 .close = snd_portman_midi_close,
81121 .trigger = snd_portman_midi_input_trigger,
81122 diff -urNp linux-2.6.39.2/sound/drivers/serial-u16550.c linux-2.6.39.2/sound/drivers/serial-u16550.c
81123 --- linux-2.6.39.2/sound/drivers/serial-u16550.c 2011-05-19 00:06:34.000000000 -0400
81124 +++ linux-2.6.39.2/sound/drivers/serial-u16550.c 2011-05-22 19:36:35.000000000 -0400
81125 @@ -754,15 +754,13 @@ static void snd_uart16550_output_trigger
81126 snd_uart16550_output_write(substream);
81127 }
81128
81129 -static struct snd_rawmidi_ops snd_uart16550_output =
81130 -{
81131 +static const struct snd_rawmidi_ops snd_uart16550_output = {
81132 .open = snd_uart16550_output_open,
81133 .close = snd_uart16550_output_close,
81134 .trigger = snd_uart16550_output_trigger,
81135 };
81136
81137 -static struct snd_rawmidi_ops snd_uart16550_input =
81138 -{
81139 +static const struct snd_rawmidi_ops snd_uart16550_input = {
81140 .open = snd_uart16550_input_open,
81141 .close = snd_uart16550_input_close,
81142 .trigger = snd_uart16550_input_trigger,
81143 @@ -792,7 +790,7 @@ static int __devinit snd_uart16550_creat
81144 int droponfull,
81145 struct snd_uart16550 **ruart)
81146 {
81147 - static struct snd_device_ops ops = {
81148 + static const struct snd_device_ops ops = {
81149 .dev_free = snd_uart16550_dev_free,
81150 };
81151 struct snd_uart16550 *uart;
81152 diff -urNp linux-2.6.39.2/sound/drivers/vx/vx_pcm.c linux-2.6.39.2/sound/drivers/vx/vx_pcm.c
81153 --- linux-2.6.39.2/sound/drivers/vx/vx_pcm.c 2011-05-19 00:06:34.000000000 -0400
81154 +++ linux-2.6.39.2/sound/drivers/vx/vx_pcm.c 2011-05-22 19:36:35.000000000 -0400
81155 @@ -895,7 +895,7 @@ static int vx_pcm_prepare(struct snd_pcm
81156 /*
81157 * operators for PCM playback
81158 */
81159 -static struct snd_pcm_ops vx_pcm_playback_ops = {
81160 +static const struct snd_pcm_ops vx_pcm_playback_ops = {
81161 .open = vx_pcm_playback_open,
81162 .close = vx_pcm_playback_close,
81163 .ioctl = snd_pcm_lib_ioctl,
81164 @@ -1116,7 +1116,7 @@ static snd_pcm_uframes_t vx_pcm_capture_
81165 /*
81166 * operators for PCM capture
81167 */
81168 -static struct snd_pcm_ops vx_pcm_capture_ops = {
81169 +static const struct snd_pcm_ops vx_pcm_capture_ops = {
81170 .open = vx_pcm_capture_open,
81171 .close = vx_pcm_capture_close,
81172 .ioctl = snd_pcm_lib_ioctl,
81173 diff -urNp linux-2.6.39.2/sound/firewire/amdtp.c linux-2.6.39.2/sound/firewire/amdtp.c
81174 --- linux-2.6.39.2/sound/firewire/amdtp.c 2011-05-19 00:06:34.000000000 -0400
81175 +++ linux-2.6.39.2/sound/firewire/amdtp.c 2011-05-22 19:36:35.000000000 -0400
81176 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
81177 ptr = s->pcm_buffer_pointer + data_blocks;
81178 if (ptr >= pcm->runtime->buffer_size)
81179 ptr -= pcm->runtime->buffer_size;
81180 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
81181 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
81182
81183 s->pcm_period_pointer += data_blocks;
81184 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
81185 @@ -510,7 +510,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
81186 */
81187 void amdtp_out_stream_update(struct amdtp_out_stream *s)
81188 {
81189 - ACCESS_ONCE(s->source_node_id_field) =
81190 + ACCESS_ONCE_RW(s->source_node_id_field) =
81191 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
81192 }
81193 EXPORT_SYMBOL(amdtp_out_stream_update);
81194 diff -urNp linux-2.6.39.2/sound/firewire/amdtp.h linux-2.6.39.2/sound/firewire/amdtp.h
81195 --- linux-2.6.39.2/sound/firewire/amdtp.h 2011-05-19 00:06:34.000000000 -0400
81196 +++ linux-2.6.39.2/sound/firewire/amdtp.h 2011-05-22 19:36:35.000000000 -0400
81197 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
81198 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
81199 struct snd_pcm_substream *pcm)
81200 {
81201 - ACCESS_ONCE(s->pcm) = pcm;
81202 + ACCESS_ONCE_RW(s->pcm) = pcm;
81203 }
81204
81205 /**
81206 diff -urNp linux-2.6.39.2/sound/i2c/i2c.c linux-2.6.39.2/sound/i2c/i2c.c
81207 --- linux-2.6.39.2/sound/i2c/i2c.c 2011-05-19 00:06:34.000000000 -0400
81208 +++ linux-2.6.39.2/sound/i2c/i2c.c 2011-05-22 19:36:35.000000000 -0400
81209 @@ -80,7 +80,7 @@ int snd_i2c_bus_create(struct snd_card *
81210 {
81211 struct snd_i2c_bus *bus;
81212 int err;
81213 - static struct snd_device_ops ops = {
81214 + static const struct snd_device_ops ops = {
81215 .dev_free = snd_i2c_bus_dev_free,
81216 };
81217
81218 diff -urNp linux-2.6.39.2/sound/i2c/other/ak4113.c linux-2.6.39.2/sound/i2c/other/ak4113.c
81219 --- linux-2.6.39.2/sound/i2c/other/ak4113.c 2011-05-19 00:06:34.000000000 -0400
81220 +++ linux-2.6.39.2/sound/i2c/other/ak4113.c 2011-05-22 19:36:35.000000000 -0400
81221 @@ -75,7 +75,7 @@ int snd_ak4113_create(struct snd_card *c
81222 struct ak4113 *chip;
81223 int err = 0;
81224 unsigned char reg;
81225 - static struct snd_device_ops ops = {
81226 + static const struct snd_device_ops ops = {
81227 .dev_free = snd_ak4113_dev_free,
81228 };
81229
81230 diff -urNp linux-2.6.39.2/sound/i2c/other/ak4114.c linux-2.6.39.2/sound/i2c/other/ak4114.c
81231 --- linux-2.6.39.2/sound/i2c/other/ak4114.c 2011-05-19 00:06:34.000000000 -0400
81232 +++ linux-2.6.39.2/sound/i2c/other/ak4114.c 2011-05-22 19:36:35.000000000 -0400
81233 @@ -86,7 +86,7 @@ int snd_ak4114_create(struct snd_card *c
81234 struct ak4114 *chip;
81235 int err = 0;
81236 unsigned char reg;
81237 - static struct snd_device_ops ops = {
81238 + static const struct snd_device_ops ops = {
81239 .dev_free = snd_ak4114_dev_free,
81240 };
81241
81242 diff -urNp linux-2.6.39.2/sound/i2c/other/ak4117.c linux-2.6.39.2/sound/i2c/other/ak4117.c
81243 --- linux-2.6.39.2/sound/i2c/other/ak4117.c 2011-05-19 00:06:34.000000000 -0400
81244 +++ linux-2.6.39.2/sound/i2c/other/ak4117.c 2011-05-22 19:36:35.000000000 -0400
81245 @@ -78,7 +78,7 @@ int snd_ak4117_create(struct snd_card *c
81246 struct ak4117 *chip;
81247 int err = 0;
81248 unsigned char reg;
81249 - static struct snd_device_ops ops = {
81250 + static const struct snd_device_ops ops = {
81251 .dev_free = snd_ak4117_dev_free,
81252 };
81253
81254 diff -urNp linux-2.6.39.2/sound/isa/ad1816a/ad1816a_lib.c linux-2.6.39.2/sound/isa/ad1816a/ad1816a_lib.c
81255 --- linux-2.6.39.2/sound/isa/ad1816a/ad1816a_lib.c 2011-05-19 00:06:34.000000000 -0400
81256 +++ linux-2.6.39.2/sound/isa/ad1816a/ad1816a_lib.c 2011-05-22 19:36:35.000000000 -0400
81257 @@ -575,7 +575,7 @@ int __devinit snd_ad1816a_create(struct
81258 unsigned long port, int irq, int dma1, int dma2,
81259 struct snd_ad1816a **rchip)
81260 {
81261 - static struct snd_device_ops ops = {
81262 + static const struct snd_device_ops ops = {
81263 .dev_free = snd_ad1816a_dev_free,
81264 };
81265 int error;
81266 diff -urNp linux-2.6.39.2/sound/isa/es1688/es1688_lib.c linux-2.6.39.2/sound/isa/es1688/es1688_lib.c
81267 --- linux-2.6.39.2/sound/isa/es1688/es1688_lib.c 2011-05-19 00:06:34.000000000 -0400
81268 +++ linux-2.6.39.2/sound/isa/es1688/es1688_lib.c 2011-05-22 19:36:35.000000000 -0400
81269 @@ -646,7 +646,7 @@ int snd_es1688_create(struct snd_card *c
81270 int dma8,
81271 unsigned short hardware)
81272 {
81273 - static struct snd_device_ops ops = {
81274 + static const struct snd_device_ops ops = {
81275 .dev_free = snd_es1688_dev_free,
81276 };
81277
81278 diff -urNp linux-2.6.39.2/sound/isa/es18xx.c linux-2.6.39.2/sound/isa/es18xx.c
81279 --- linux-2.6.39.2/sound/isa/es18xx.c 2011-05-19 00:06:34.000000000 -0400
81280 +++ linux-2.6.39.2/sound/isa/es18xx.c 2011-05-22 19:36:35.000000000 -0400
81281 @@ -1658,7 +1658,7 @@ static int __devinit snd_es18xx_probe(st
81282 return snd_es18xx_initialize(chip, mpu_port, fm_port);
81283 }
81284
81285 -static struct snd_pcm_ops snd_es18xx_playback_ops = {
81286 +static const struct snd_pcm_ops snd_es18xx_playback_ops = {
81287 .open = snd_es18xx_playback_open,
81288 .close = snd_es18xx_playback_close,
81289 .ioctl = snd_pcm_lib_ioctl,
81290 @@ -1669,7 +1669,7 @@ static struct snd_pcm_ops snd_es18xx_pla
81291 .pointer = snd_es18xx_playback_pointer,
81292 };
81293
81294 -static struct snd_pcm_ops snd_es18xx_capture_ops = {
81295 +static const struct snd_pcm_ops snd_es18xx_capture_ops = {
81296 .open = snd_es18xx_capture_open,
81297 .close = snd_es18xx_capture_close,
81298 .ioctl = snd_pcm_lib_ioctl,
81299 @@ -1784,7 +1784,7 @@ static int __devinit snd_es18xx_new_devi
81300 int irq, int dma1, int dma2)
81301 {
81302 struct snd_es18xx *chip = card->private_data;
81303 - static struct snd_device_ops ops = {
81304 + static const struct snd_device_ops ops = {
81305 .dev_free = snd_es18xx_dev_free,
81306 };
81307 int err;
81308 diff -urNp linux-2.6.39.2/sound/isa/gus/gus_main.c linux-2.6.39.2/sound/isa/gus/gus_main.c
81309 --- linux-2.6.39.2/sound/isa/gus/gus_main.c 2011-05-19 00:06:34.000000000 -0400
81310 +++ linux-2.6.39.2/sound/isa/gus/gus_main.c 2011-05-22 19:36:35.000000000 -0400
81311 @@ -139,7 +139,7 @@ int snd_gus_create(struct snd_card *card
81312 {
81313 struct snd_gus_card *gus;
81314 int err;
81315 - static struct snd_device_ops ops = {
81316 + static const struct snd_device_ops ops = {
81317 .dev_free = snd_gus_dev_free,
81318 };
81319
81320 diff -urNp linux-2.6.39.2/sound/isa/msnd/msnd.c linux-2.6.39.2/sound/isa/msnd/msnd.c
81321 --- linux-2.6.39.2/sound/isa/msnd/msnd.c 2011-05-19 00:06:34.000000000 -0400
81322 +++ linux-2.6.39.2/sound/isa/msnd/msnd.c 2011-05-22 19:36:35.000000000 -0400
81323 @@ -570,7 +570,7 @@ snd_msnd_playback_pointer(struct snd_pcm
81324 }
81325
81326
81327 -static struct snd_pcm_ops snd_msnd_playback_ops = {
81328 +static const struct snd_pcm_ops snd_msnd_playback_ops = {
81329 .open = snd_msnd_playback_open,
81330 .close = snd_msnd_playback_close,
81331 .ioctl = snd_pcm_lib_ioctl,
81332 @@ -667,7 +667,7 @@ static int snd_msnd_capture_hw_params(st
81333 }
81334
81335
81336 -static struct snd_pcm_ops snd_msnd_capture_ops = {
81337 +static const struct snd_pcm_ops snd_msnd_capture_ops = {
81338 .open = snd_msnd_capture_open,
81339 .close = snd_msnd_capture_close,
81340 .ioctl = snd_pcm_lib_ioctl,
81341 diff -urNp linux-2.6.39.2/sound/isa/msnd/msnd_midi.c linux-2.6.39.2/sound/isa/msnd/msnd_midi.c
81342 --- linux-2.6.39.2/sound/isa/msnd/msnd_midi.c 2011-05-19 00:06:34.000000000 -0400
81343 +++ linux-2.6.39.2/sound/isa/msnd/msnd_midi.c 2011-05-22 19:36:35.000000000 -0400
81344 @@ -141,7 +141,7 @@ void snd_msndmidi_input_read(void *mpuv)
81345 }
81346 EXPORT_SYMBOL(snd_msndmidi_input_read);
81347
81348 -static struct snd_rawmidi_ops snd_msndmidi_input = {
81349 +static const struct snd_rawmidi_ops snd_msndmidi_input = {
81350 .open = snd_msndmidi_input_open,
81351 .close = snd_msndmidi_input_close,
81352 .trigger = snd_msndmidi_input_trigger,
81353 diff -urNp linux-2.6.39.2/sound/isa/msnd/msnd_pinnacle.c linux-2.6.39.2/sound/isa/msnd/msnd_pinnacle.c
81354 --- linux-2.6.39.2/sound/isa/msnd/msnd_pinnacle.c 2011-05-19 00:06:34.000000000 -0400
81355 +++ linux-2.6.39.2/sound/isa/msnd/msnd_pinnacle.c 2011-05-22 19:36:35.000000000 -0400
81356 @@ -539,7 +539,7 @@ static int __devinit snd_msnd_attach(str
81357 {
81358 struct snd_msnd *chip = card->private_data;
81359 int err;
81360 - static struct snd_device_ops ops = {
81361 + static const struct snd_device_ops ops = {
81362 .dev_free = snd_msnd_dev_free,
81363 };
81364
81365 diff -urNp linux-2.6.39.2/sound/isa/sb/emu8000.c linux-2.6.39.2/sound/isa/sb/emu8000.c
81366 --- linux-2.6.39.2/sound/isa/sb/emu8000.c 2011-05-19 00:06:34.000000000 -0400
81367 +++ linux-2.6.39.2/sound/isa/sb/emu8000.c 2011-05-22 19:36:35.000000000 -0400
81368 @@ -1079,7 +1079,7 @@ snd_emu8000_new(struct snd_card *card, i
81369 struct snd_seq_device *awe;
81370 struct snd_emu8000 *hw;
81371 int err;
81372 - static struct snd_device_ops ops = {
81373 + static const struct snd_device_ops ops = {
81374 .dev_free = snd_emu8000_dev_free,
81375 };
81376
81377 diff -urNp linux-2.6.39.2/sound/isa/sb/emu8000_pcm.c linux-2.6.39.2/sound/isa/sb/emu8000_pcm.c
81378 --- linux-2.6.39.2/sound/isa/sb/emu8000_pcm.c 2011-05-19 00:06:34.000000000 -0400
81379 +++ linux-2.6.39.2/sound/isa/sb/emu8000_pcm.c 2011-05-22 19:36:35.000000000 -0400
81380 @@ -667,7 +667,7 @@ static snd_pcm_uframes_t emu8k_pcm_point
81381 }
81382
81383
81384 -static struct snd_pcm_ops emu8k_pcm_ops = {
81385 +static const struct snd_pcm_ops emu8k_pcm_ops = {
81386 .open = emu8k_pcm_open,
81387 .close = emu8k_pcm_close,
81388 .ioctl = snd_pcm_lib_ioctl,
81389 diff -urNp linux-2.6.39.2/sound/isa/sb/sb_common.c linux-2.6.39.2/sound/isa/sb/sb_common.c
81390 --- linux-2.6.39.2/sound/isa/sb/sb_common.c 2011-05-19 00:06:34.000000000 -0400
81391 +++ linux-2.6.39.2/sound/isa/sb/sb_common.c 2011-05-22 19:36:35.000000000 -0400
81392 @@ -218,7 +218,7 @@ int snd_sbdsp_create(struct snd_card *ca
81393 {
81394 struct snd_sb *chip;
81395 int err;
81396 - static struct snd_device_ops ops = {
81397 + static const struct snd_device_ops ops = {
81398 .dev_free = snd_sbdsp_dev_free,
81399 };
81400
81401 diff -urNp linux-2.6.39.2/sound/isa/wavefront/wavefront_midi.c linux-2.6.39.2/sound/isa/wavefront/wavefront_midi.c
81402 --- linux-2.6.39.2/sound/isa/wavefront/wavefront_midi.c 2011-05-19 00:06:34.000000000 -0400
81403 +++ linux-2.6.39.2/sound/isa/wavefront/wavefront_midi.c 2011-05-22 19:36:35.000000000 -0400
81404 @@ -561,14 +561,14 @@ snd_wavefront_midi_start (snd_wavefront_
81405 return 0;
81406 }
81407
81408 -struct snd_rawmidi_ops snd_wavefront_midi_output =
81409 +const struct snd_rawmidi_ops snd_wavefront_midi_output =
81410 {
81411 .open = snd_wavefront_midi_output_open,
81412 .close = snd_wavefront_midi_output_close,
81413 .trigger = snd_wavefront_midi_output_trigger,
81414 };
81415
81416 -struct snd_rawmidi_ops snd_wavefront_midi_input =
81417 +const struct snd_rawmidi_ops snd_wavefront_midi_input =
81418 {
81419 .open = snd_wavefront_midi_input_open,
81420 .close = snd_wavefront_midi_input_close,
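Review bot: `snd_wavefront_midi_output` and `snd_wavefront_midi_input` have external linkage, so every `extern` declaration of them has to gain `const` as well, and none of those declarations is in this hunk. If one is missed, translation units disagree on the object's type and code compiled against the old declaration can still attempt a store into what is now read-only data. The matching declarations should read `extern const struct snd_rawmidi_ops snd_wavefront_midi_output;` and the same for the input table.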
81421 diff -urNp linux-2.6.39.2/sound/isa/wss/wss_lib.c linux-2.6.39.2/sound/isa/wss/wss_lib.c
81422 --- linux-2.6.39.2/sound/isa/wss/wss_lib.c 2011-05-19 00:06:34.000000000 -0400
81423 +++ linux-2.6.39.2/sound/isa/wss/wss_lib.c 2011-05-22 19:36:35.000000000 -0400
81424 @@ -1801,7 +1801,7 @@ int snd_wss_create(struct snd_card *card
81425 unsigned short hwshare,
81426 struct snd_wss **rchip)
81427 {
81428 - static struct snd_device_ops ops = {
81429 + static const struct snd_device_ops ops = {
81430 .dev_free = snd_wss_dev_free,
81431 };
81432 struct snd_wss *chip;
81433 diff -urNp linux-2.6.39.2/sound/mips/au1x00.c linux-2.6.39.2/sound/mips/au1x00.c
81434 --- linux-2.6.39.2/sound/mips/au1x00.c 2011-05-19 00:06:34.000000000 -0400
81435 +++ linux-2.6.39.2/sound/mips/au1x00.c 2011-05-22 19:36:35.000000000 -0400
81436 @@ -416,7 +416,7 @@ snd_au1000_pointer(struct snd_pcm_substr
81437 return bytes_to_frames(runtime,location);
81438 }
81439
81440 -static struct snd_pcm_ops snd_card_au1000_playback_ops = {
81441 +static const struct snd_pcm_ops snd_card_au1000_playback_ops = {
81442 .open = snd_au1000_playback_open,
81443 .close = snd_au1000_playback_close,
81444 .ioctl = snd_pcm_lib_ioctl,
81445 @@ -427,7 +427,7 @@ static struct snd_pcm_ops snd_card_au100
81446 .pointer = snd_au1000_pointer,
81447 };
81448
81449 -static struct snd_pcm_ops snd_card_au1000_capture_ops = {
81450 +static const struct snd_pcm_ops snd_card_au1000_capture_ops = {
81451 .open = snd_au1000_capture_open,
81452 .close = snd_au1000_capture_close,
81453 .ioctl = snd_pcm_lib_ioctl,
81454 @@ -557,7 +557,7 @@ snd_au1000_ac97_new(struct snd_au1000 *a
81455 int err;
81456 struct snd_ac97_bus *pbus;
81457 struct snd_ac97_template ac97;
81458 - static struct snd_ac97_bus_ops ops = {
81459 + static const struct snd_ac97_bus_ops ops = {
81460 .write = snd_au1000_ac97_write,
81461 .read = snd_au1000_ac97_read,
81462 };
81463 diff -urNp linux-2.6.39.2/sound/mips/hal2.c linux-2.6.39.2/sound/mips/hal2.c
81464 --- linux-2.6.39.2/sound/mips/hal2.c 2011-05-19 00:06:34.000000000 -0400
81465 +++ linux-2.6.39.2/sound/mips/hal2.c 2011-05-22 19:36:35.000000000 -0400
81466 @@ -708,7 +708,7 @@ static int hal2_capture_ack(struct snd_p
81467 return 0;
81468 }
81469
81470 -static struct snd_pcm_ops hal2_playback_ops = {
81471 +static const struct snd_pcm_ops hal2_playback_ops = {
81472 .open = hal2_playback_open,
81473 .close = hal2_playback_close,
81474 .ioctl = snd_pcm_lib_ioctl,
81475 @@ -720,7 +720,7 @@ static struct snd_pcm_ops hal2_playback_
81476 .ack = hal2_playback_ack,
81477 };
81478
81479 -static struct snd_pcm_ops hal2_capture_ops = {
81480 +static const struct snd_pcm_ops hal2_capture_ops = {
81481 .open = hal2_capture_open,
81482 .close = hal2_capture_close,
81483 .ioctl = snd_pcm_lib_ioctl,
81484 @@ -766,7 +766,7 @@ static int hal2_dev_free(struct snd_devi
81485 return 0;
81486 }
81487
81488 -static struct snd_device_ops hal2_ops = {
81489 +static const struct snd_device_ops hal2_ops = {
81490 .dev_free = hal2_dev_free,
81491 };
81492
81493 diff -urNp linux-2.6.39.2/sound/mips/sgio2audio.c linux-2.6.39.2/sound/mips/sgio2audio.c
81494 --- linux-2.6.39.2/sound/mips/sgio2audio.c 2011-05-19 00:06:34.000000000 -0400
81495 +++ linux-2.6.39.2/sound/mips/sgio2audio.c 2011-05-22 19:36:35.000000000 -0400
81496 @@ -681,7 +681,7 @@ snd_sgio2audio_pcm_pointer(struct snd_pc
81497 }
81498
81499 /* operators */
81500 -static struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81501 +static const struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81502 .open = snd_sgio2audio_playback1_open,
81503 .close = snd_sgio2audio_pcm_close,
81504 .ioctl = snd_pcm_lib_ioctl,
81505 @@ -694,7 +694,7 @@ static struct snd_pcm_ops snd_sgio2audio
81506 .mmap = snd_pcm_lib_mmap_vmalloc,
81507 };
81508
81509 -static struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81510 +static const struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81511 .open = snd_sgio2audio_playback2_open,
81512 .close = snd_sgio2audio_pcm_close,
81513 .ioctl = snd_pcm_lib_ioctl,
81514 @@ -707,7 +707,7 @@ static struct snd_pcm_ops snd_sgio2audio
81515 .mmap = snd_pcm_lib_mmap_vmalloc,
81516 };
81517
81518 -static struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81519 +static const struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81520 .open = snd_sgio2audio_capture_open,
81521 .close = snd_sgio2audio_pcm_close,
81522 .ioctl = snd_pcm_lib_ioctl,
81523 @@ -829,7 +829,7 @@ static int snd_sgio2audio_dev_free(struc
81524 return snd_sgio2audio_free(chip);
81525 }
81526
81527 -static struct snd_device_ops ops = {
81528 +static const struct snd_device_ops ops = {
81529 .dev_free = snd_sgio2audio_dev_free,
81530 };
81531
81532 diff -urNp linux-2.6.39.2/sound/oss/ac97_codec.c linux-2.6.39.2/sound/oss/ac97_codec.c
81533 --- linux-2.6.39.2/sound/oss/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81534 +++ linux-2.6.39.2/sound/oss/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81535 @@ -99,23 +99,23 @@ static int generic_digital_control(struc
81536 * operations yet
81537 */
81538
81539 -static struct ac97_ops null_ops = { NULL, NULL, NULL };
81540 -static struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81541 -static struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81542 -static struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81543 -static struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81544 -static struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81545 -static struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81546 -static struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81547 -static struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81548 -static struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81549 -static struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81550 -static struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81551 -static struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81552 -static struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81553 -static struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81554 -static struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81555 -static struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81556 +static const struct ac97_ops null_ops = { NULL, NULL, NULL };
81557 +static const struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81558 +static const struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81559 +static const struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81560 +static const struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81561 +static const struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81562 +static const struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81563 +static const struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81564 +static const struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81565 +static const struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81566 +static const struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81567 +static const struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81568 +static const struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81569 +static const struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81570 +static const struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81571 +static const struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81572 +static const struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81573
81574 /* sorted by vendor/device id */
81575 static const struct {
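Review bot: The seventeen `ac97_ops` tables are still initialised positionally (`{ NULL, eapd_control, NULL }`), so which callback lands in which slot depends on the member order of `struct ac97_ops`, declared outside this hunk. Since every line is rewritten here to add `const`, designated initializers would make each table self-describing and keep a reordering of the struct from silently swapping function pointers. The member names have to be taken from the struct declaration. The pointer type in the codec table that starts on the last context line also needs to be `const struct ac97_ops *` for these objects to stay read-only through it; that part is cut off by the hunk.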
81576 diff -urNp linux-2.6.39.2/sound/oss/sb_audio.c linux-2.6.39.2/sound/oss/sb_audio.c
81577 --- linux-2.6.39.2/sound/oss/sb_audio.c 2011-05-19 00:06:34.000000000 -0400
81578 +++ linux-2.6.39.2/sound/oss/sb_audio.c 2011-05-22 19:36:35.000000000 -0400
81579 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81580 buf16 = (signed short *)(localbuf + localoffs);
81581 while (c)
81582 {
81583 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81584 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81585 if (copy_from_user(lbuf8,
81586 userbuf+useroffs + p,
81587 locallen))
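Review bot: The `(unsigned)c` cast in the `locallen` computation keeps a negative `c` from becoming the `copy_from_user()` length, but `c` itself stays signed and the enclosing `while (c)` still runs for it. Whether the loop then terminates or keeps advancing through the buffers depends on the loop tail, which is outside this hunk, so a negative count is better rejected before the loop than clamped inside it, e.g. `if (c < 0) return;` ahead of `while (c)` (adjusted to the function's return type, which is not shown). At minimum the cast deserves a comment such as `/* unsigned compare: a negative c must never reach copy_from_user() as a length */`.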
81588 diff -urNp linux-2.6.39.2/sound/oss/swarm_cs4297a.c linux-2.6.39.2/sound/oss/swarm_cs4297a.c
81589 --- linux-2.6.39.2/sound/oss/swarm_cs4297a.c 2011-05-19 00:06:34.000000000 -0400
81590 +++ linux-2.6.39.2/sound/oss/swarm_cs4297a.c 2011-05-22 19:36:35.000000000 -0400
81591 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
81592 {
81593 struct cs4297a_state *s;
81594 u32 pwr, id;
81595 - mm_segment_t fs;
81596 int rval;
81597 #ifndef CONFIG_BCM_CS4297A_CSWARM
81598 u64 cfg;
81599 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
81600 if (!rval) {
81601 char *sb1250_duart_present;
81602
81603 +#if 0
81604 + mm_segment_t fs;
81605 fs = get_fs();
81606 set_fs(KERNEL_DS);
81607 -#if 0
81608 val = SOUND_MASK_LINE;
81609 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
81610 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
81611 val = initvol[i].vol;
81612 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
81613 }
81614 + set_fs(fs);
81615 // cs4297a_write_ac97(s, 0x18, 0x0808);
81616 #else
81617 // cs4297a_write_ac97(s, 0x5e, 0x180);
81618 cs4297a_write_ac97(s, 0x02, 0x0808);
81619 cs4297a_write_ac97(s, 0x18, 0x0808);
81620 #endif
81621 - set_fs(fs);
81622
81623 list_add(&s->list, &cs4297a_devs);
81624
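Review bot: Moving `mm_segment_t fs`, `get_fs()`, `set_fs(KERNEL_DS)` and `set_fs(fs)` inside the `#if 0` branch means the live `#else` path no longer widens the address limit, yet the code carries no word on why the pair belongs to the disabled block only. As that block is compiled out, deleting it would remove the last `set_fs(KERNEL_DS)` from cs4297a_init() entirely. If it is kept for reference, a comment such as `/* disabled; if re-enabled, the mixer_ioctl() calls need the get_fs()/set_fs() pair kept inside this branch */` would stop the calls from being revived without the bracket. cs4297a_init() begins and ends outside this hunk, and the earlier hunk in this file removes the now-unused function-scope declaration.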
81625 diff -urNp linux-2.6.39.2/sound/parisc/harmony.c linux-2.6.39.2/sound/parisc/harmony.c
81626 --- linux-2.6.39.2/sound/parisc/harmony.c 2011-05-19 00:06:34.000000000 -0400
81627 +++ linux-2.6.39.2/sound/parisc/harmony.c 2011-05-22 19:36:35.000000000 -0400
81628 @@ -596,7 +596,7 @@ snd_harmony_hw_free(struct snd_pcm_subst
81629 return snd_pcm_lib_free_pages(ss);
81630 }
81631
81632 -static struct snd_pcm_ops snd_harmony_playback_ops = {
81633 +static const struct snd_pcm_ops snd_harmony_playback_ops = {
81634 .open = snd_harmony_playback_open,
81635 .close = snd_harmony_playback_close,
81636 .ioctl = snd_pcm_lib_ioctl,
81637 @@ -607,7 +607,7 @@ static struct snd_pcm_ops snd_harmony_pl
81638 .pointer = snd_harmony_playback_pointer,
81639 };
81640
81641 -static struct snd_pcm_ops snd_harmony_capture_ops = {
81642 +static const struct snd_pcm_ops snd_harmony_capture_ops = {
81643 .open = snd_harmony_capture_open,
81644 .close = snd_harmony_capture_close,
81645 .ioctl = snd_pcm_lib_ioctl,
81646 @@ -922,7 +922,7 @@ snd_harmony_create(struct snd_card *card
81647 {
81648 int err;
81649 struct snd_harmony *h;
81650 - static struct snd_device_ops ops = {
81651 + static const struct snd_device_ops ops = {
81652 .dev_free = snd_harmony_dev_free,
81653 };
81654
81655 diff -urNp linux-2.6.39.2/sound/pci/ac97/ac97_codec.c linux-2.6.39.2/sound/pci/ac97/ac97_codec.c
81656 --- linux-2.6.39.2/sound/pci/ac97/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81657 +++ linux-2.6.39.2/sound/pci/ac97/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81658 @@ -1910,12 +1910,12 @@ static int ac97_reset_wait(struct snd_ac
81659 *
81660 * Returns zero if successful, or a negative error code on failure.
81661 */
81662 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
81663 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
81664 void *private_data, struct snd_ac97_bus **rbus)
81665 {
81666 int err;
81667 struct snd_ac97_bus *bus;
81668 - static struct snd_device_ops dev_ops = {
81669 + static const struct snd_device_ops dev_ops = {
81670 .dev_free = snd_ac97_bus_dev_free,
81671 };
81672
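Review bot: `snd_ac97_bus()` now takes `const struct snd_ac97_bus_ops *ops`, so its prototype in the AC97 header and the member the pointer is stored into must carry the same qualifier; neither is visible in this hunk. If the member stays non-const the store discards `const`, and the caller tables this patch marks `static const` remain reachable through a writable pointer type. The kernel-doc block above the function, which starts outside the hunk, is the natural place to state that `ops` is only read, for example `@ops: the AC97 bus callbacks; never modified, may live in read-only data`.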
81673 @@ -2015,7 +2015,7 @@ int snd_ac97_mixer(struct snd_ac97_bus *
81674 unsigned long end_time;
81675 unsigned int reg;
81676 const struct ac97_codec_id *pid;
81677 - static struct snd_device_ops ops = {
81678 + static const struct snd_device_ops ops = {
81679 .dev_free = snd_ac97_dev_free,
81680 .dev_register = snd_ac97_dev_register,
81681 .dev_disconnect = snd_ac97_dev_disconnect,
81682 diff -urNp linux-2.6.39.2/sound/pci/ad1889.c linux-2.6.39.2/sound/pci/ad1889.c
81683 --- linux-2.6.39.2/sound/pci/ad1889.c 2011-05-19 00:06:34.000000000 -0400
81684 +++ linux-2.6.39.2/sound/pci/ad1889.c 2011-05-22 19:36:35.000000000 -0400
81685 @@ -574,7 +574,7 @@ snd_ad1889_capture_pointer(struct snd_pc
81686 return bytes_to_frames(ss->runtime, ptr);
81687 }
81688
81689 -static struct snd_pcm_ops snd_ad1889_playback_ops = {
81690 +static const struct snd_pcm_ops snd_ad1889_playback_ops = {
81691 .open = snd_ad1889_playback_open,
81692 .close = snd_ad1889_playback_close,
81693 .ioctl = snd_pcm_lib_ioctl,
81694 @@ -585,7 +585,7 @@ static struct snd_pcm_ops snd_ad1889_pla
81695 .pointer = snd_ad1889_playback_pointer,
81696 };
81697
81698 -static struct snd_pcm_ops snd_ad1889_capture_ops = {
81699 +static const struct snd_pcm_ops snd_ad1889_capture_ops = {
81700 .open = snd_ad1889_capture_open,
81701 .close = snd_ad1889_capture_close,
81702 .ioctl = snd_pcm_lib_ioctl,
81703 @@ -809,7 +809,7 @@ snd_ad1889_ac97_init(struct snd_ad1889 *
81704 {
81705 int err;
81706 struct snd_ac97_template ac97;
81707 - static struct snd_ac97_bus_ops ops = {
81708 + static const struct snd_ac97_bus_ops ops = {
81709 .write = snd_ad1889_ac97_write,
81710 .read = snd_ad1889_ac97_read,
81711 };
81712 @@ -899,7 +899,7 @@ snd_ad1889_create(struct snd_card *card,
81713 int err;
81714
81715 struct snd_ad1889 *chip;
81716 - static struct snd_device_ops ops = {
81717 + static const struct snd_device_ops ops = {
81718 .dev_free = snd_ad1889_dev_free,
81719 };
81720
81721 diff -urNp linux-2.6.39.2/sound/pci/ak4531_codec.c linux-2.6.39.2/sound/pci/ak4531_codec.c
81722 --- linux-2.6.39.2/sound/pci/ak4531_codec.c 2011-05-19 00:06:34.000000000 -0400
81723 +++ linux-2.6.39.2/sound/pci/ak4531_codec.c 2011-05-22 19:36:35.000000000 -0400
81724 @@ -389,7 +389,7 @@ int __devinit snd_ak4531_mixer(struct sn
81725 unsigned int idx;
81726 int err;
81727 struct snd_ak4531 *ak4531;
81728 - static struct snd_device_ops ops = {
81729 + static const struct snd_device_ops ops = {
81730 .dev_free = snd_ak4531_dev_free,
81731 };
81732
81733 diff -urNp linux-2.6.39.2/sound/pci/ali5451/ali5451.c linux-2.6.39.2/sound/pci/ali5451/ali5451.c
81734 --- linux-2.6.39.2/sound/pci/ali5451/ali5451.c 2011-05-19 00:06:34.000000000 -0400
81735 +++ linux-2.6.39.2/sound/pci/ali5451/ali5451.c 2011-05-22 19:36:35.000000000 -0400
81736 @@ -1847,7 +1847,7 @@ static int __devinit snd_ali_mixer(struc
81737 struct snd_ac97_template ac97;
81738 unsigned int idx;
81739 int i, err;
81740 - static struct snd_ac97_bus_ops ops = {
81741 + static const struct snd_ac97_bus_ops ops = {
81742 .write = snd_ali_codec_write,
81743 .read = snd_ali_codec_read,
81744 };
81745 @@ -2114,7 +2114,7 @@ static int __devinit snd_ali_create(stru
81746 struct snd_ali *codec;
81747 int i, err;
81748 unsigned short cmdw;
81749 - static struct snd_device_ops ops = {
81750 + static const struct snd_device_ops ops = {
81751 .dev_free = snd_ali_dev_free,
81752 };
81753
81754 diff -urNp linux-2.6.39.2/sound/pci/als300.c linux-2.6.39.2/sound/pci/als300.c
81755 --- linux-2.6.39.2/sound/pci/als300.c 2011-05-19 00:06:34.000000000 -0400
81756 +++ linux-2.6.39.2/sound/pci/als300.c 2011-05-22 19:36:35.000000000 -0400
81757 @@ -319,7 +319,7 @@ static int snd_als300_ac97(struct snd_al
81758 struct snd_ac97_bus *bus;
81759 struct snd_ac97_template ac97;
81760 int err;
81761 - static struct snd_ac97_bus_ops ops = {
81762 + static const struct snd_ac97_bus_ops ops = {
81763 .write = snd_als300_ac97_write,
81764 .read = snd_als300_ac97_read,
81765 };
81766 @@ -589,7 +589,7 @@ static snd_pcm_uframes_t snd_als300_poin
81767 return bytes_to_frames(substream->runtime, current_ptr);
81768 }
81769
81770 -static struct snd_pcm_ops snd_als300_playback_ops = {
81771 +static const struct snd_pcm_ops snd_als300_playback_ops = {
81772 .open = snd_als300_playback_open,
81773 .close = snd_als300_playback_close,
81774 .ioctl = snd_pcm_lib_ioctl,
81775 @@ -600,7 +600,7 @@ static struct snd_pcm_ops snd_als300_pla
81776 .pointer = snd_als300_pointer,
81777 };
81778
81779 -static struct snd_pcm_ops snd_als300_capture_ops = {
81780 +static const struct snd_pcm_ops snd_als300_capture_ops = {
81781 .open = snd_als300_capture_open,
81782 .close = snd_als300_capture_close,
81783 .ioctl = snd_pcm_lib_ioctl,
81784 @@ -680,7 +680,7 @@ static int __devinit snd_als300_create(s
81785 void *irq_handler;
81786 int err;
81787
81788 - static struct snd_device_ops ops = {
81789 + static const struct snd_device_ops ops = {
81790 .dev_free = snd_als300_dev_free,
81791 };
81792 *rchip = NULL;
81793 diff -urNp linux-2.6.39.2/sound/pci/als4000.c linux-2.6.39.2/sound/pci/als4000.c
81794 --- linux-2.6.39.2/sound/pci/als4000.c 2011-05-19 00:06:34.000000000 -0400
81795 +++ linux-2.6.39.2/sound/pci/als4000.c 2011-05-22 19:36:35.000000000 -0400
81796 @@ -672,7 +672,7 @@ static int snd_als4000_capture_close(str
81797
81798 /******************************************************************/
81799
81800 -static struct snd_pcm_ops snd_als4000_playback_ops = {
81801 +static const struct snd_pcm_ops snd_als4000_playback_ops = {
81802 .open = snd_als4000_playback_open,
81803 .close = snd_als4000_playback_close,
81804 .ioctl = snd_pcm_lib_ioctl,
81805 @@ -683,7 +683,7 @@ static struct snd_pcm_ops snd_als4000_pl
81806 .pointer = snd_als4000_playback_pointer
81807 };
81808
81809 -static struct snd_pcm_ops snd_als4000_capture_ops = {
81810 +static const struct snd_pcm_ops snd_als4000_capture_ops = {
81811 .open = snd_als4000_capture_open,
81812 .close = snd_als4000_capture_close,
81813 .ioctl = snd_pcm_lib_ioctl,
81814 diff -urNp linux-2.6.39.2/sound/pci/asihpi/asihpi.c linux-2.6.39.2/sound/pci/asihpi/asihpi.c
81815 --- linux-2.6.39.2/sound/pci/asihpi/asihpi.c 2011-05-19 00:06:34.000000000 -0400
81816 +++ linux-2.6.39.2/sound/pci/asihpi/asihpi.c 2011-05-22 19:36:35.000000000 -0400
81817 @@ -1067,7 +1067,7 @@ static int snd_card_asihpi_playback_sile
81818 return 0;
81819 }
81820
81821 -static struct snd_pcm_ops snd_card_asihpi_playback_ops = {
81822 +static const struct snd_pcm_ops snd_card_asihpi_playback_ops = {
81823 .open = snd_card_asihpi_playback_open,
81824 .close = snd_card_asihpi_playback_close,
81825 .ioctl = snd_card_asihpi_playback_ioctl,
81826 @@ -1080,7 +1080,7 @@ static struct snd_pcm_ops snd_card_asihp
81827 .silence = snd_card_asihpi_playback_silence,
81828 };
81829
81830 -static struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
81831 +static const struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
81832 .open = snd_card_asihpi_playback_open,
81833 .close = snd_card_asihpi_playback_close,
81834 .ioctl = snd_card_asihpi_playback_ioctl,
81835 @@ -1268,7 +1268,7 @@ static int snd_card_asihpi_capture_copy(
81836 return 0;
81837 }
81838
81839 -static struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
81840 +static const struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
81841 .open = snd_card_asihpi_capture_open,
81842 .close = snd_card_asihpi_capture_close,
81843 .ioctl = snd_card_asihpi_capture_ioctl,
81844 @@ -1279,7 +1279,7 @@ static struct snd_pcm_ops snd_card_asihp
81845 .pointer = snd_card_asihpi_capture_pointer,
81846 };
81847
81848 -static struct snd_pcm_ops snd_card_asihpi_capture_ops = {
81849 +static const struct snd_pcm_ops snd_card_asihpi_capture_ops = {
81850 .open = snd_card_asihpi_capture_open,
81851 .close = snd_card_asihpi_capture_close,
81852 .ioctl = snd_card_asihpi_capture_ioctl,
81853 diff -urNp linux-2.6.39.2/sound/pci/atiixp.c linux-2.6.39.2/sound/pci/atiixp.c
81854 --- linux-2.6.39.2/sound/pci/atiixp.c 2011-05-19 00:06:34.000000000 -0400
81855 +++ linux-2.6.39.2/sound/pci/atiixp.c 2011-05-22 19:36:35.000000000 -0400
81856 @@ -1148,7 +1148,7 @@ static int snd_atiixp_spdif_close(struct
81857 }
81858
81859 /* AC97 playback */
81860 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
81861 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
81862 .open = snd_atiixp_playback_open,
81863 .close = snd_atiixp_playback_close,
81864 .ioctl = snd_pcm_lib_ioctl,
81865 @@ -1160,7 +1160,7 @@ static struct snd_pcm_ops snd_atiixp_pla
81866 };
81867
81868 /* AC97 capture */
81869 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
81870 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
81871 .open = snd_atiixp_capture_open,
81872 .close = snd_atiixp_capture_close,
81873 .ioctl = snd_pcm_lib_ioctl,
81874 @@ -1172,7 +1172,7 @@ static struct snd_pcm_ops snd_atiixp_cap
81875 };
81876
81877 /* SPDIF playback */
81878 -static struct snd_pcm_ops snd_atiixp_spdif_ops = {
81879 +static const struct snd_pcm_ops snd_atiixp_spdif_ops = {
81880 .open = snd_atiixp_spdif_open,
81881 .close = snd_atiixp_spdif_close,
81882 .ioctl = snd_pcm_lib_ioctl,
81883 @@ -1410,7 +1410,7 @@ static int __devinit snd_atiixp_mixer_ne
81884 struct snd_ac97_template ac97;
81885 int i, err;
81886 int codec_count;
81887 - static struct snd_ac97_bus_ops ops = {
81888 + static const struct snd_ac97_bus_ops ops = {
81889 .write = snd_atiixp_ac97_write,
81890 .read = snd_atiixp_ac97_read,
81891 };
81892 @@ -1590,7 +1590,7 @@ static int __devinit snd_atiixp_create(s
81893 struct pci_dev *pci,
81894 struct atiixp **r_chip)
81895 {
81896 - static struct snd_device_ops ops = {
81897 + static const struct snd_device_ops ops = {
81898 .dev_free = snd_atiixp_dev_free,
81899 };
81900 struct atiixp *chip;
81901 diff -urNp linux-2.6.39.2/sound/pci/atiixp_modem.c linux-2.6.39.2/sound/pci/atiixp_modem.c
81902 --- linux-2.6.39.2/sound/pci/atiixp_modem.c 2011-05-19 00:06:34.000000000 -0400
81903 +++ linux-2.6.39.2/sound/pci/atiixp_modem.c 2011-05-22 19:36:35.000000000 -0400
81904 @@ -947,7 +947,7 @@ static int snd_atiixp_capture_close(stru
81905
81906
81907 /* AC97 playback */
81908 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
81909 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
81910 .open = snd_atiixp_playback_open,
81911 .close = snd_atiixp_playback_close,
81912 .ioctl = snd_pcm_lib_ioctl,
81913 @@ -959,7 +959,7 @@ static struct snd_pcm_ops snd_atiixp_pla
81914 };
81915
81916 /* AC97 capture */
81917 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
81918 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
81919 .open = snd_atiixp_capture_open,
81920 .close = snd_atiixp_capture_close,
81921 .ioctl = snd_pcm_lib_ioctl,
81922 @@ -1067,7 +1067,7 @@ static int __devinit snd_atiixp_mixer_ne
81923 struct snd_ac97_template ac97;
81924 int i, err;
81925 int codec_count;
81926 - static struct snd_ac97_bus_ops ops = {
81927 + static const struct snd_ac97_bus_ops ops = {
81928 .write = snd_atiixp_ac97_write,
81929 .read = snd_atiixp_ac97_read,
81930 };
81931 @@ -1226,7 +1226,7 @@ static int __devinit snd_atiixp_create(s
81932 struct pci_dev *pci,
81933 struct atiixp_modem **r_chip)
81934 {
81935 - static struct snd_device_ops ops = {
81936 + static const struct snd_device_ops ops = {
81937 .dev_free = snd_atiixp_dev_free,
81938 };
81939 struct atiixp_modem *chip;
81940 diff -urNp linux-2.6.39.2/sound/pci/au88x0/au88x0_pcm.c linux-2.6.39.2/sound/pci/au88x0/au88x0_pcm.c
81941 --- linux-2.6.39.2/sound/pci/au88x0/au88x0_pcm.c 2011-05-19 00:06:34.000000000 -0400
81942 +++ linux-2.6.39.2/sound/pci/au88x0/au88x0_pcm.c 2011-05-22 19:36:35.000000000 -0400
81943 @@ -409,7 +409,7 @@ static snd_pcm_uframes_t snd_vortex_pcm_
81944 }
81945
81946 /* operators */
81947 -static struct snd_pcm_ops snd_vortex_playback_ops = {
81948 +static const struct snd_pcm_ops snd_vortex_playback_ops = {
81949 .open = snd_vortex_pcm_open,
81950 .close = snd_vortex_pcm_close,
81951 .ioctl = snd_pcm_lib_ioctl,
81952 diff -urNp linux-2.6.39.2/sound/pci/aw2/aw2-alsa.c linux-2.6.39.2/sound/pci/aw2/aw2-alsa.c
81953 --- linux-2.6.39.2/sound/pci/aw2/aw2-alsa.c 2011-05-19 00:06:34.000000000 -0400
81954 +++ linux-2.6.39.2/sound/pci/aw2/aw2-alsa.c 2011-05-22 19:36:35.000000000 -0400
81955 @@ -178,7 +178,7 @@ static struct pci_driver driver = {
81956 };
81957
81958 /* operators for playback PCM alsa interface */
81959 -static struct snd_pcm_ops snd_aw2_playback_ops = {
81960 +static const struct snd_pcm_ops snd_aw2_playback_ops = {
81961 .open = snd_aw2_pcm_playback_open,
81962 .close = snd_aw2_pcm_playback_close,
81963 .ioctl = snd_pcm_lib_ioctl,
81964 @@ -190,7 +190,7 @@ static struct snd_pcm_ops snd_aw2_playba
81965 };
81966
81967 /* operators for capture PCM alsa interface */
81968 -static struct snd_pcm_ops snd_aw2_capture_ops = {
81969 +static const struct snd_pcm_ops snd_aw2_capture_ops = {
81970 .open = snd_aw2_pcm_capture_open,
81971 .close = snd_aw2_pcm_capture_close,
81972 .ioctl = snd_pcm_lib_ioctl,
81973 @@ -263,7 +263,7 @@ static int __devinit snd_aw2_create(stru
81974 {
81975 struct aw2 *chip;
81976 int err;
81977 - static struct snd_device_ops ops = {
81978 + static const struct snd_device_ops ops = {
81979 .dev_free = snd_aw2_dev_free,
81980 };
81981
81982 diff -urNp linux-2.6.39.2/sound/pci/azt3328.c linux-2.6.39.2/sound/pci/azt3328.c
81983 --- linux-2.6.39.2/sound/pci/azt3328.c 2011-05-19 00:06:34.000000000 -0400
81984 +++ linux-2.6.39.2/sound/pci/azt3328.c 2011-05-22 19:36:35.000000000 -0400
81985 @@ -822,7 +822,7 @@ snd_azf3328_mixer_new(struct snd_azf3328
81986 {
81987 struct snd_ac97_bus *bus;
81988 struct snd_ac97_template ac97;
81989 - static struct snd_ac97_bus_ops ops = {
81990 + static const struct snd_ac97_bus_ops ops = {
81991 .write = snd_azf3328_mixer_ac97_write,
81992 .read = snd_azf3328_mixer_ac97_read,
81993 };
81994 @@ -2179,7 +2179,7 @@ snd_azf3328_pcm_close(struct snd_pcm_sub
81995
81996 /******************************************************************/
81997
81998 -static struct snd_pcm_ops snd_azf3328_playback_ops = {
81999 +static const struct snd_pcm_ops snd_azf3328_playback_ops = {
82000 .open = snd_azf3328_pcm_playback_open,
82001 .close = snd_azf3328_pcm_close,
82002 .ioctl = snd_pcm_lib_ioctl,
82003 @@ -2190,7 +2190,7 @@ static struct snd_pcm_ops snd_azf3328_pl
82004 .pointer = snd_azf3328_pcm_pointer
82005 };
82006
82007 -static struct snd_pcm_ops snd_azf3328_capture_ops = {
82008 +static const struct snd_pcm_ops snd_azf3328_capture_ops = {
82009 .open = snd_azf3328_pcm_capture_open,
82010 .close = snd_azf3328_pcm_close,
82011 .ioctl = snd_pcm_lib_ioctl,
82012 @@ -2201,7 +2201,7 @@ static struct snd_pcm_ops snd_azf3328_ca
82013 .pointer = snd_azf3328_pcm_pointer
82014 };
82015
82016 -static struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82017 +static const struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82018 .open = snd_azf3328_pcm_i2s_out_open,
82019 .close = snd_azf3328_pcm_close,
82020 .ioctl = snd_pcm_lib_ioctl,
82021 @@ -2497,7 +2497,7 @@ snd_azf3328_create(struct snd_card *card
82022 {
82023 struct snd_azf3328 *chip;
82024 int err;
82025 - static struct snd_device_ops ops = {
82026 + static const struct snd_device_ops ops = {
82027 .dev_free = snd_azf3328_dev_free,
82028 };
82029 u8 dma_init;
82030 diff -urNp linux-2.6.39.2/sound/pci/bt87x.c linux-2.6.39.2/sound/pci/bt87x.c
82031 --- linux-2.6.39.2/sound/pci/bt87x.c 2011-05-19 00:06:34.000000000 -0400
82032 +++ linux-2.6.39.2/sound/pci/bt87x.c 2011-05-22 19:36:35.000000000 -0400
82033 @@ -542,7 +542,7 @@ static snd_pcm_uframes_t snd_bt87x_point
82034 return (snd_pcm_uframes_t)bytes_to_frames(runtime, chip->current_line * chip->line_bytes);
82035 }
82036
82037 -static struct snd_pcm_ops snd_bt87x_pcm_ops = {
82038 +static const struct snd_pcm_ops snd_bt87x_pcm_ops = {
82039 .open = snd_bt87x_pcm_open,
82040 .close = snd_bt87x_close,
82041 .ioctl = snd_pcm_lib_ioctl,
82042 @@ -720,7 +720,7 @@ static int __devinit snd_bt87x_create(st
82043 {
82044 struct snd_bt87x *chip;
82045 int err;
82046 - static struct snd_device_ops ops = {
82047 + static const struct snd_device_ops ops = {
82048 .dev_free = snd_bt87x_dev_free
82049 };
82050
82051 diff -urNp linux-2.6.39.2/sound/pci/ca0106/ca0106_main.c linux-2.6.39.2/sound/pci/ca0106/ca0106_main.c
82052 --- linux-2.6.39.2/sound/pci/ca0106/ca0106_main.c 2011-05-19 00:06:34.000000000 -0400
82053 +++ linux-2.6.39.2/sound/pci/ca0106/ca0106_main.c 2011-05-22 19:36:35.000000000 -0400
82054 @@ -1103,7 +1103,7 @@ snd_ca0106_pcm_pointer_capture(struct sn
82055 }
82056
82057 /* operators */
82058 -static struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82059 +static const struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82060 .open = snd_ca0106_pcm_open_playback_front,
82061 .close = snd_ca0106_pcm_close_playback,
82062 .ioctl = snd_pcm_lib_ioctl,
82063 @@ -1114,7 +1114,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82064 .pointer = snd_ca0106_pcm_pointer_playback,
82065 };
82066
82067 -static struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82068 +static const struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82069 .open = snd_ca0106_pcm_open_0_capture,
82070 .close = snd_ca0106_pcm_close_capture,
82071 .ioctl = snd_pcm_lib_ioctl,
82072 @@ -1125,7 +1125,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82073 .pointer = snd_ca0106_pcm_pointer_capture,
82074 };
82075
82076 -static struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82077 +static const struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82078 .open = snd_ca0106_pcm_open_1_capture,
82079 .close = snd_ca0106_pcm_close_capture,
82080 .ioctl = snd_pcm_lib_ioctl,
82081 @@ -1136,7 +1136,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82082 .pointer = snd_ca0106_pcm_pointer_capture,
82083 };
82084
82085 -static struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82086 +static const struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82087 .open = snd_ca0106_pcm_open_2_capture,
82088 .close = snd_ca0106_pcm_close_capture,
82089 .ioctl = snd_pcm_lib_ioctl,
82090 @@ -1147,7 +1147,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82091 .pointer = snd_ca0106_pcm_pointer_capture,
82092 };
82093
82094 -static struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82095 +static const struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82096 .open = snd_ca0106_pcm_open_3_capture,
82097 .close = snd_ca0106_pcm_close_capture,
82098 .ioctl = snd_pcm_lib_ioctl,
82099 @@ -1158,7 +1158,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82100 .pointer = snd_ca0106_pcm_pointer_capture,
82101 };
82102
82103 -static struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82104 +static const struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82105 .open = snd_ca0106_pcm_open_playback_center_lfe,
82106 .close = snd_ca0106_pcm_close_playback,
82107 .ioctl = snd_pcm_lib_ioctl,
82108 @@ -1169,7 +1169,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82109 .pointer = snd_ca0106_pcm_pointer_playback,
82110 };
82111
82112 -static struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82113 +static const struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82114 .open = snd_ca0106_pcm_open_playback_unknown,
82115 .close = snd_ca0106_pcm_close_playback,
82116 .ioctl = snd_pcm_lib_ioctl,
82117 @@ -1180,7 +1180,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82118 .pointer = snd_ca0106_pcm_pointer_playback,
82119 };
82120
82121 -static struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82122 +static const struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82123 .open = snd_ca0106_pcm_open_playback_rear,
82124 .close = snd_ca0106_pcm_close_playback,
82125 .ioctl = snd_pcm_lib_ioctl,
82126 @@ -1223,7 +1223,7 @@ static int snd_ca0106_ac97(struct snd_ca
82127 struct snd_ac97_bus *pbus;
82128 struct snd_ac97_template ac97;
82129 int err;
82130 - static struct snd_ac97_bus_ops ops = {
82131 + static const struct snd_ac97_bus_ops ops = {
82132 .write = snd_ca0106_ac97_write,
82133 .read = snd_ca0106_ac97_read,
82134 };
82135 @@ -1629,7 +1629,7 @@ static int __devinit snd_ca0106_create(i
82136 struct snd_ca0106 *chip;
82137 struct snd_ca0106_details *c;
82138 int err;
82139 - static struct snd_device_ops ops = {
82140 + static const struct snd_device_ops ops = {
82141 .dev_free = snd_ca0106_dev_free,
82142 };
82143
82144 diff -urNp linux-2.6.39.2/sound/pci/ca0106/ca_midi.c linux-2.6.39.2/sound/pci/ca0106/ca_midi.c
82145 --- linux-2.6.39.2/sound/pci/ca0106/ca_midi.c 2011-05-19 00:06:34.000000000 -0400
82146 +++ linux-2.6.39.2/sound/pci/ca0106/ca_midi.c 2011-05-22 19:36:35.000000000 -0400
82147 @@ -255,15 +255,13 @@ static void ca_midi_output_trigger(struc
82148 }
82149 }
82150
82151 -static struct snd_rawmidi_ops ca_midi_output =
82152 -{
82153 +static const struct snd_rawmidi_ops ca_midi_output = {
82154 .open = ca_midi_output_open,
82155 .close = ca_midi_output_close,
82156 .trigger = ca_midi_output_trigger,
82157 };
82158
82159 -static struct snd_rawmidi_ops ca_midi_input =
82160 -{
82161 +static const struct snd_rawmidi_ops ca_midi_input = {
82162 .open = ca_midi_input_open,
82163 .close = ca_midi_input_close,
82164 .trigger = ca_midi_input_trigger,
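Review bot: The opening brace of `ca_midi_output` and `ca_midi_input` is moved onto the declaration line in the same edit that adds `const`, which folds an unrelated style change into the constification. That makes the hunk touch two lines per table instead of one and makes it more likely to conflict when the patch is carried forward to a newer kernel. Keeping the original layout and changing only the qualifier, `static const struct snd_rawmidi_ops ca_midi_output =`, would limit the hunk to the change that matters. The rawmidi hunks in cs4281.c, emu10k1x.c and ens1370.c do the same.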
82165 diff -urNp linux-2.6.39.2/sound/pci/cmipci.c linux-2.6.39.2/sound/pci/cmipci.c
82166 --- linux-2.6.39.2/sound/pci/cmipci.c 2011-05-19 00:06:34.000000000 -0400
82167 +++ linux-2.6.39.2/sound/pci/cmipci.c 2011-05-22 19:36:35.000000000 -0400
82168 @@ -1838,7 +1838,7 @@ static int snd_cmipci_capture_spdif_clos
82169 /*
82170 */
82171
82172 -static struct snd_pcm_ops snd_cmipci_playback_ops = {
82173 +static const struct snd_pcm_ops snd_cmipci_playback_ops = {
82174 .open = snd_cmipci_playback_open,
82175 .close = snd_cmipci_playback_close,
82176 .ioctl = snd_pcm_lib_ioctl,
82177 @@ -1849,7 +1849,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82178 .pointer = snd_cmipci_playback_pointer,
82179 };
82180
82181 -static struct snd_pcm_ops snd_cmipci_capture_ops = {
82182 +static const struct snd_pcm_ops snd_cmipci_capture_ops = {
82183 .open = snd_cmipci_capture_open,
82184 .close = snd_cmipci_capture_close,
82185 .ioctl = snd_pcm_lib_ioctl,
82186 @@ -1860,7 +1860,7 @@ static struct snd_pcm_ops snd_cmipci_cap
82187 .pointer = snd_cmipci_capture_pointer,
82188 };
82189
82190 -static struct snd_pcm_ops snd_cmipci_playback2_ops = {
82191 +static const struct snd_pcm_ops snd_cmipci_playback2_ops = {
82192 .open = snd_cmipci_playback2_open,
82193 .close = snd_cmipci_playback2_close,
82194 .ioctl = snd_pcm_lib_ioctl,
82195 @@ -1871,7 +1871,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82196 .pointer = snd_cmipci_capture_pointer, /* channel B */
82197 };
82198
82199 -static struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82200 +static const struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82201 .open = snd_cmipci_playback_spdif_open,
82202 .close = snd_cmipci_playback_spdif_close,
82203 .ioctl = snd_pcm_lib_ioctl,
82204 @@ -1882,7 +1882,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82205 .pointer = snd_cmipci_playback_pointer,
82206 };
82207
82208 -static struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82209 +static const struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82210 .open = snd_cmipci_capture_spdif_open,
82211 .close = snd_cmipci_capture_spdif_close,
82212 .ioctl = snd_pcm_lib_ioctl,
82213 @@ -3011,7 +3011,7 @@ static int __devinit snd_cmipci_create(s
82214 {
82215 struct cmipci *cm;
82216 int err;
82217 - static struct snd_device_ops ops = {
82218 + static const struct snd_device_ops ops = {
82219 .dev_free = snd_cmipci_dev_free,
82220 };
82221 unsigned int val;
82222 diff -urNp linux-2.6.39.2/sound/pci/cs4281.c linux-2.6.39.2/sound/pci/cs4281.c
82223 --- linux-2.6.39.2/sound/pci/cs4281.c 2011-05-19 00:06:34.000000000 -0400
82224 +++ linux-2.6.39.2/sound/pci/cs4281.c 2011-05-22 19:36:35.000000000 -0400
82225 @@ -947,7 +947,7 @@ static int snd_cs4281_capture_close(stru
82226 return 0;
82227 }
82228
82229 -static struct snd_pcm_ops snd_cs4281_playback_ops = {
82230 +static const struct snd_pcm_ops snd_cs4281_playback_ops = {
82231 .open = snd_cs4281_playback_open,
82232 .close = snd_cs4281_playback_close,
82233 .ioctl = snd_pcm_lib_ioctl,
82234 @@ -958,7 +958,7 @@ static struct snd_pcm_ops snd_cs4281_pla
82235 .pointer = snd_cs4281_pointer,
82236 };
82237
82238 -static struct snd_pcm_ops snd_cs4281_capture_ops = {
82239 +static const struct snd_pcm_ops snd_cs4281_capture_ops = {
82240 .open = snd_cs4281_capture_open,
82241 .close = snd_cs4281_capture_close,
82242 .ioctl = snd_pcm_lib_ioctl,
82243 @@ -1098,7 +1098,7 @@ static int __devinit snd_cs4281_mixer(st
82244 struct snd_card *card = chip->card;
82245 struct snd_ac97_template ac97;
82246 int err;
82247 - static struct snd_ac97_bus_ops ops = {
82248 + static const struct snd_ac97_bus_ops ops = {
82249 .write = snd_cs4281_ac97_write,
82250 .read = snd_cs4281_ac97_read,
82251 };
82252 @@ -1343,7 +1343,7 @@ static int __devinit snd_cs4281_create(s
82253 struct cs4281 *chip;
82254 unsigned int tmp;
82255 int err;
82256 - static struct snd_device_ops ops = {
82257 + static const struct snd_device_ops ops = {
82258 .dev_free = snd_cs4281_dev_free,
82259 };
82260
82261 @@ -1765,15 +1765,13 @@ static void snd_cs4281_midi_output_trigg
82262 spin_unlock_irqrestore(&chip->reg_lock, flags);
82263 }
82264
82265 -static struct snd_rawmidi_ops snd_cs4281_midi_output =
82266 -{
82267 +static const struct snd_rawmidi_ops snd_cs4281_midi_output = {
82268 .open = snd_cs4281_midi_output_open,
82269 .close = snd_cs4281_midi_output_close,
82270 .trigger = snd_cs4281_midi_output_trigger,
82271 };
82272
82273 -static struct snd_rawmidi_ops snd_cs4281_midi_input =
82274 -{
82275 +static const struct snd_rawmidi_ops snd_cs4281_midi_input = {
82276 .open = snd_cs4281_midi_input_open,
82277 .close = snd_cs4281_midi_input_close,
82278 .trigger = snd_cs4281_midi_input_trigger,
82279 diff -urNp linux-2.6.39.2/sound/pci/cs46xx/cs46xx_lib.c linux-2.6.39.2/sound/pci/cs46xx/cs46xx_lib.c
82280 --- linux-2.6.39.2/sound/pci/cs46xx/cs46xx_lib.c 2011-05-19 00:06:34.000000000 -0400
82281 +++ linux-2.6.39.2/sound/pci/cs46xx/cs46xx_lib.c 2011-05-22 19:36:35.000000000 -0400
82282 @@ -3722,7 +3722,7 @@ int __devinit snd_cs46xx_create(struct s
82283 struct snd_cs46xx_region *region;
82284 struct cs_card_type *cp;
82285 u16 ss_card, ss_vendor;
82286 - static struct snd_device_ops ops = {
82287 + static const struct snd_device_ops ops = {
82288 .dev_free = snd_cs46xx_dev_free,
82289 };
82290
82291 diff -urNp linux-2.6.39.2/sound/pci/cs5530.c linux-2.6.39.2/sound/pci/cs5530.c
82292 --- linux-2.6.39.2/sound/pci/cs5530.c 2011-05-19 00:06:34.000000000 -0400
82293 +++ linux-2.6.39.2/sound/pci/cs5530.c 2011-05-22 19:36:35.000000000 -0400
82294 @@ -107,7 +107,7 @@ static int __devinit snd_cs5530_create(s
82295 void __iomem *mem;
82296 int err;
82297
82298 - static struct snd_device_ops ops = {
82299 + static const struct snd_device_ops ops = {
82300 .dev_free = snd_cs5530_dev_free,
82301 };
82302 *rchip = NULL;
82303 diff -urNp linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio.c linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio.c
82304 --- linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio.c 2011-05-19 00:06:34.000000000 -0400
82305 +++ linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio.c 2011-05-22 19:36:35.000000000 -0400
82306 @@ -150,7 +150,7 @@ static int __devinit snd_cs5535audio_mix
82307 struct snd_ac97_bus *pbus;
82308 struct snd_ac97_template ac97;
82309 int err;
82310 - static struct snd_ac97_bus_ops ops = {
82311 + static const struct snd_ac97_bus_ops ops = {
82312 .write = snd_cs5535audio_ac97_codec_write,
82313 .read = snd_cs5535audio_ac97_codec_read,
82314 };
82315 @@ -277,7 +277,7 @@ static int __devinit snd_cs5535audio_cre
82316 struct cs5535audio *cs5535au;
82317
82318 int err;
82319 - static struct snd_device_ops ops = {
82320 + static const struct snd_device_ops ops = {
82321 .dev_free = snd_cs5535audio_dev_free,
82322 };
82323
82324 diff -urNp linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio_pcm.c linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio_pcm.c
82325 --- linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-19 00:06:34.000000000 -0400
82326 +++ linux-2.6.39.2/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-22 19:36:35.000000000 -0400
82327 @@ -380,7 +380,7 @@ static int snd_cs5535audio_capture_prepa
82328 substream->runtime->rate);
82329 }
82330
82331 -static struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82332 +static const struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82333 .open = snd_cs5535audio_playback_open,
82334 .close = snd_cs5535audio_playback_close,
82335 .ioctl = snd_pcm_lib_ioctl,
82336 @@ -391,7 +391,7 @@ static struct snd_pcm_ops snd_cs5535audi
82337 .pointer = snd_cs5535audio_pcm_pointer,
82338 };
82339
82340 -static struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82341 +static const struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82342 .open = snd_cs5535audio_capture_open,
82343 .close = snd_cs5535audio_capture_close,
82344 .ioctl = snd_pcm_lib_ioctl,
82345 diff -urNp linux-2.6.39.2/sound/pci/ctxfi/ctpcm.c linux-2.6.39.2/sound/pci/ctxfi/ctpcm.c
82346 --- linux-2.6.39.2/sound/pci/ctxfi/ctpcm.c 2011-05-19 00:06:34.000000000 -0400
82347 +++ linux-2.6.39.2/sound/pci/ctxfi/ctpcm.c 2011-05-22 19:36:35.000000000 -0400
82348 @@ -370,7 +370,7 @@ ct_pcm_capture_pointer(struct snd_pcm_su
82349 }
82350
82351 /* PCM operators for playback */
82352 -static struct snd_pcm_ops ct_pcm_playback_ops = {
82353 +static const struct snd_pcm_ops ct_pcm_playback_ops = {
82354 .open = ct_pcm_playback_open,
82355 .close = ct_pcm_playback_close,
82356 .ioctl = snd_pcm_lib_ioctl,
82357 @@ -383,7 +383,7 @@ static struct snd_pcm_ops ct_pcm_playbac
82358 };
82359
82360 /* PCM operators for capture */
82361 -static struct snd_pcm_ops ct_pcm_capture_ops = {
82362 +static const struct snd_pcm_ops ct_pcm_capture_ops = {
82363 .open = ct_pcm_capture_open,
82364 .close = ct_pcm_capture_close,
82365 .ioctl = snd_pcm_lib_ioctl,
82366 diff -urNp linux-2.6.39.2/sound/pci/echoaudio/echoaudio.c linux-2.6.39.2/sound/pci/echoaudio/echoaudio.c
82367 --- linux-2.6.39.2/sound/pci/echoaudio/echoaudio.c 2011-05-19 00:06:34.000000000 -0400
82368 +++ linux-2.6.39.2/sound/pci/echoaudio/echoaudio.c 2011-05-22 19:36:35.000000000 -0400
82369 @@ -831,7 +831,7 @@ static snd_pcm_uframes_t pcm_pointer(str
82370
82371
82372 /* pcm *_ops structures */
82373 -static struct snd_pcm_ops analog_playback_ops = {
82374 +static const struct snd_pcm_ops analog_playback_ops = {
82375 .open = pcm_analog_out_open,
82376 .close = pcm_close,
82377 .ioctl = snd_pcm_lib_ioctl,
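Review bot: Nothing in the file records why these tables are `const`, so a later driver update could drop the qualifier without anyone noticing; the existing `/* pcm *_ops structures */` comment above `analog_playback_ops` is the natural place to say it. Presumably the intent is that the callback pointers end up in read-only data and cannot be redirected by a stray or hostile kernel write. A comment such as `/* pcm *_ops structures; keep const so the callback pointers stay in read-only data */` would state that. The table's initializer continues past the end of this hunk.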
82378 @@ -842,7 +842,7 @@ static struct snd_pcm_ops analog_playbac
82379 .pointer = pcm_pointer,
82380 .page = snd_pcm_sgbuf_ops_page,
82381 };
82382 -static struct snd_pcm_ops analog_capture_ops = {
82383 +static const struct snd_pcm_ops analog_capture_ops = {
82384 .open = pcm_analog_in_open,
82385 .close = pcm_close,
82386 .ioctl = snd_pcm_lib_ioctl,
82387 @@ -855,7 +855,7 @@ static struct snd_pcm_ops analog_capture
82388 };
82389 #ifdef ECHOCARD_HAS_DIGITAL_IO
82390 #ifndef ECHOCARD_HAS_VMIXER
82391 -static struct snd_pcm_ops digital_playback_ops = {
82392 +static const struct snd_pcm_ops digital_playback_ops = {
82393 .open = pcm_digital_out_open,
82394 .close = pcm_close,
82395 .ioctl = snd_pcm_lib_ioctl,
82396 @@ -867,7 +867,7 @@ static struct snd_pcm_ops digital_playba
82397 .page = snd_pcm_sgbuf_ops_page,
82398 };
82399 #endif /* !ECHOCARD_HAS_VMIXER */
82400 -static struct snd_pcm_ops digital_capture_ops = {
82401 +static const struct snd_pcm_ops digital_capture_ops = {
82402 .open = pcm_digital_in_open,
82403 .close = pcm_close,
82404 .ioctl = snd_pcm_lib_ioctl,
82405 @@ -1945,7 +1945,7 @@ static __devinit int snd_echo_create(str
82406 struct echoaudio *chip;
82407 int err;
82408 size_t sz;
82409 - static struct snd_device_ops ops = {
82410 + static const struct snd_device_ops ops = {
82411 .dev_free = snd_echo_dev_free,
82412 };
82413
82414 diff -urNp linux-2.6.39.2/sound/pci/echoaudio/midi.c linux-2.6.39.2/sound/pci/echoaudio/midi.c
82415 --- linux-2.6.39.2/sound/pci/echoaudio/midi.c 2011-05-19 00:06:34.000000000 -0400
82416 +++ linux-2.6.39.2/sound/pci/echoaudio/midi.c 2011-05-22 19:36:35.000000000 -0400
82417 @@ -292,13 +292,13 @@ static int snd_echo_midi_output_close(st
82418
82419
82420
82421 -static struct snd_rawmidi_ops snd_echo_midi_input = {
82422 +static const struct snd_rawmidi_ops snd_echo_midi_input = {
82423 .open = snd_echo_midi_input_open,
82424 .close = snd_echo_midi_input_close,
82425 .trigger = snd_echo_midi_input_trigger,
82426 };
82427
82428 -static struct snd_rawmidi_ops snd_echo_midi_output = {
82429 +static const struct snd_rawmidi_ops snd_echo_midi_output = {
82430 .open = snd_echo_midi_output_open,
82431 .close = snd_echo_midi_output_close,
82432 .trigger = snd_echo_midi_output_trigger,
82433 diff -urNp linux-2.6.39.2/sound/pci/emu10k1/emu10k1_main.c linux-2.6.39.2/sound/pci/emu10k1/emu10k1_main.c
82434 --- linux-2.6.39.2/sound/pci/emu10k1/emu10k1_main.c 2011-05-19 00:06:34.000000000 -0400
82435 +++ linux-2.6.39.2/sound/pci/emu10k1/emu10k1_main.c 2011-05-22 19:36:35.000000000 -0400
82436 @@ -1722,7 +1722,7 @@ int __devinit snd_emu10k1_create(struct
82437 int is_audigy;
82438 unsigned int silent_page;
82439 const struct snd_emu_chip_details *c;
82440 - static struct snd_device_ops ops = {
82441 + static const struct snd_device_ops ops = {
82442 .dev_free = snd_emu10k1_dev_free,
82443 };
82444
82445 diff -urNp linux-2.6.39.2/sound/pci/emu10k1/emu10k1x.c linux-2.6.39.2/sound/pci/emu10k1/emu10k1x.c
82446 --- linux-2.6.39.2/sound/pci/emu10k1/emu10k1x.c 2011-05-19 00:06:34.000000000 -0400
82447 +++ linux-2.6.39.2/sound/pci/emu10k1/emu10k1x.c 2011-05-22 19:36:35.000000000 -0400
82448 @@ -543,7 +543,7 @@ snd_emu10k1x_pcm_pointer(struct snd_pcm_
82449 }
82450
82451 /* operators */
82452 -static struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82453 +static const struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82454 .open = snd_emu10k1x_playback_open,
82455 .close = snd_emu10k1x_playback_close,
82456 .ioctl = snd_pcm_lib_ioctl,
82457 @@ -689,7 +689,7 @@ snd_emu10k1x_pcm_pointer_capture(struct
82458 return ptr;
82459 }
82460
82461 -static struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82462 +static const struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82463 .open = snd_emu10k1x_pcm_open_capture,
82464 .close = snd_emu10k1x_pcm_close_capture,
82465 .ioctl = snd_pcm_lib_ioctl,
82466 @@ -731,7 +731,7 @@ static int snd_emu10k1x_ac97(struct emu1
82467 struct snd_ac97_bus *pbus;
82468 struct snd_ac97_template ac97;
82469 int err;
82470 - static struct snd_ac97_bus_ops ops = {
82471 + static const struct snd_ac97_bus_ops ops = {
82472 .write = snd_emu10k1x_ac97_write,
82473 .read = snd_emu10k1x_ac97_read,
82474 };
82475 @@ -888,7 +888,7 @@ static int __devinit snd_emu10k1x_create
82476 struct emu10k1x *chip;
82477 int err;
82478 int ch;
82479 - static struct snd_device_ops ops = {
82480 + static const struct snd_device_ops ops = {
82481 .dev_free = snd_emu10k1x_dev_free,
82482 };
82483
82484 @@ -1465,15 +1465,13 @@ static void snd_emu10k1x_midi_output_tri
82485
82486 */
82487
82488 -static struct snd_rawmidi_ops snd_emu10k1x_midi_output =
82489 -{
82490 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_output = {
82491 .open = snd_emu10k1x_midi_output_open,
82492 .close = snd_emu10k1x_midi_output_close,
82493 .trigger = snd_emu10k1x_midi_output_trigger,
82494 };
82495
82496 -static struct snd_rawmidi_ops snd_emu10k1x_midi_input =
82497 -{
82498 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_input = {
82499 .open = snd_emu10k1x_midi_input_open,
82500 .close = snd_emu10k1x_midi_input_close,
82501 .trigger = snd_emu10k1x_midi_input_trigger,
82502 diff -urNp linux-2.6.39.2/sound/pci/emu10k1/p16v.c linux-2.6.39.2/sound/pci/emu10k1/p16v.c
82503 --- linux-2.6.39.2/sound/pci/emu10k1/p16v.c 2011-05-19 00:06:34.000000000 -0400
82504 +++ linux-2.6.39.2/sound/pci/emu10k1/p16v.c 2011-05-22 19:36:35.000000000 -0400
82505 @@ -601,7 +601,7 @@ snd_p16v_pcm_pointer_capture(struct snd_
82506 }
82507
82508 /* operators */
82509 -static struct snd_pcm_ops snd_p16v_playback_front_ops = {
82510 +static const struct snd_pcm_ops snd_p16v_playback_front_ops = {
82511 .open = snd_p16v_pcm_open_playback_front,
82512 .close = snd_p16v_pcm_close_playback,
82513 .ioctl = snd_pcm_lib_ioctl,
82514 @@ -612,7 +612,7 @@ static struct snd_pcm_ops snd_p16v_playb
82515 .pointer = snd_p16v_pcm_pointer_playback,
82516 };
82517
82518 -static struct snd_pcm_ops snd_p16v_capture_ops = {
82519 +static const struct snd_pcm_ops snd_p16v_capture_ops = {
82520 .open = snd_p16v_pcm_open_capture,
82521 .close = snd_p16v_pcm_close_capture,
82522 .ioctl = snd_pcm_lib_ioctl,
82523 diff -urNp linux-2.6.39.2/sound/pci/ens1370.c linux-2.6.39.2/sound/pci/ens1370.c
82524 --- linux-2.6.39.2/sound/pci/ens1370.c 2011-05-19 00:06:34.000000000 -0400
82525 +++ linux-2.6.39.2/sound/pci/ens1370.c 2011-05-22 19:36:35.000000000 -0400
82526 @@ -1225,7 +1225,7 @@ static int snd_ensoniq_capture_close(str
82527 return 0;
82528 }
82529
82530 -static struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82531 +static const struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82532 .open = snd_ensoniq_playback1_open,
82533 .close = snd_ensoniq_playback1_close,
82534 .ioctl = snd_pcm_lib_ioctl,
82535 @@ -1236,7 +1236,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82536 .pointer = snd_ensoniq_playback1_pointer,
82537 };
82538
82539 -static struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82540 +static const struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82541 .open = snd_ensoniq_playback2_open,
82542 .close = snd_ensoniq_playback2_close,
82543 .ioctl = snd_pcm_lib_ioctl,
82544 @@ -1247,7 +1247,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82545 .pointer = snd_ensoniq_playback2_pointer,
82546 };
82547
82548 -static struct snd_pcm_ops snd_ensoniq_capture_ops = {
82549 +static const struct snd_pcm_ops snd_ensoniq_capture_ops = {
82550 .open = snd_ensoniq_capture_open,
82551 .close = snd_ensoniq_capture_close,
82552 .ioctl = snd_pcm_lib_ioctl,
82553 @@ -1633,7 +1633,7 @@ static int __devinit snd_ensoniq_1371_mi
82554 struct snd_ac97_bus *pbus;
82555 struct snd_ac97_template ac97;
82556 int err;
82557 - static struct snd_ac97_bus_ops ops = {
82558 + static const struct snd_ac97_bus_ops ops = {
82559 .write = snd_es1371_codec_write,
82560 .read = snd_es1371_codec_read,
82561 .wait = snd_es1371_codec_wait,
82562 @@ -2096,7 +2096,7 @@ static int __devinit snd_ensoniq_create(
82563 {
82564 struct ensoniq *ensoniq;
82565 int err;
82566 - static struct snd_device_ops ops = {
82567 + static const struct snd_device_ops ops = {
82568 .dev_free = snd_ensoniq_dev_free,
82569 };
82570
82571 @@ -2331,15 +2331,13 @@ static void snd_ensoniq_midi_output_trig
82572 spin_unlock_irqrestore(&ensoniq->reg_lock, flags);
82573 }
82574
82575 -static struct snd_rawmidi_ops snd_ensoniq_midi_output =
82576 -{
82577 +static const struct snd_rawmidi_ops snd_ensoniq_midi_output = {
82578 .open = snd_ensoniq_midi_output_open,
82579 .close = snd_ensoniq_midi_output_close,
82580 .trigger = snd_ensoniq_midi_output_trigger,
82581 };
82582
82583 -static struct snd_rawmidi_ops snd_ensoniq_midi_input =
82584 -{
82585 +static const struct snd_rawmidi_ops snd_ensoniq_midi_input = {
82586 .open = snd_ensoniq_midi_input_open,
82587 .close = snd_ensoniq_midi_input_close,
82588 .trigger = snd_ensoniq_midi_input_trigger,
82589 diff -urNp linux-2.6.39.2/sound/pci/es1938.c linux-2.6.39.2/sound/pci/es1938.c
82590 --- linux-2.6.39.2/sound/pci/es1938.c 2011-05-19 00:06:34.000000000 -0400
82591 +++ linux-2.6.39.2/sound/pci/es1938.c 2011-05-22 19:36:35.000000000 -0400
82592 @@ -1004,7 +1004,7 @@ static int snd_es1938_playback_close(str
82593 return 0;
82594 }
82595
82596 -static struct snd_pcm_ops snd_es1938_playback_ops = {
82597 +static const struct snd_pcm_ops snd_es1938_playback_ops = {
82598 .open = snd_es1938_playback_open,
82599 .close = snd_es1938_playback_close,
82600 .ioctl = snd_pcm_lib_ioctl,
82601 @@ -1015,7 +1015,7 @@ static struct snd_pcm_ops snd_es1938_pla
82602 .pointer = snd_es1938_playback_pointer,
82603 };
82604
82605 -static struct snd_pcm_ops snd_es1938_capture_ops = {
82606 +static const struct snd_pcm_ops snd_es1938_capture_ops = {
82607 .open = snd_es1938_capture_open,
82608 .close = snd_es1938_capture_close,
82609 .ioctl = snd_pcm_lib_ioctl,
82610 @@ -1598,7 +1598,7 @@ static int __devinit snd_es1938_create(s
82611 {
82612 struct es1938 *chip;
82613 int err;
82614 - static struct snd_device_ops ops = {
82615 + static const struct snd_device_ops ops = {
82616 .dev_free = snd_es1938_dev_free,
82617 };
82618
82619 diff -urNp linux-2.6.39.2/sound/pci/es1968.c linux-2.6.39.2/sound/pci/es1968.c
82620 --- linux-2.6.39.2/sound/pci/es1968.c 2011-05-19 00:06:34.000000000 -0400
82621 +++ linux-2.6.39.2/sound/pci/es1968.c 2011-05-22 19:36:35.000000000 -0400
82622 @@ -1682,7 +1682,7 @@ static int snd_es1968_capture_close(stru
82623 return 0;
82624 }
82625
82626 -static struct snd_pcm_ops snd_es1968_playback_ops = {
82627 +static const struct snd_pcm_ops snd_es1968_playback_ops = {
82628 .open = snd_es1968_playback_open,
82629 .close = snd_es1968_playback_close,
82630 .ioctl = snd_pcm_lib_ioctl,
82631 @@ -1693,7 +1693,7 @@ static struct snd_pcm_ops snd_es1968_pla
82632 .pointer = snd_es1968_pcm_pointer,
82633 };
82634
82635 -static struct snd_pcm_ops snd_es1968_capture_ops = {
82636 +static const struct snd_pcm_ops snd_es1968_capture_ops = {
82637 .open = snd_es1968_capture_open,
82638 .close = snd_es1968_capture_close,
82639 .ioctl = snd_pcm_lib_ioctl,
82640 @@ -2053,7 +2053,7 @@ snd_es1968_mixer(struct es1968 *chip)
82641 struct snd_ctl_elem_id elem_id;
82642 #endif
82643 int err;
82644 - static struct snd_ac97_bus_ops ops = {
82645 + static const struct snd_ac97_bus_ops ops = {
82646 .write = snd_es1968_ac97_write,
82647 .read = snd_es1968_ac97_read,
82648 };
82649 @@ -2627,7 +2627,7 @@ static int __devinit snd_es1968_create(s
82650 int do_pm,
82651 struct es1968 **chip_ret)
82652 {
82653 - static struct snd_device_ops ops = {
82654 + static const struct snd_device_ops ops = {
82655 .dev_free = snd_es1968_dev_free,
82656 };
82657 struct es1968 *chip;
82658 diff -urNp linux-2.6.39.2/sound/pci/fm801.c linux-2.6.39.2/sound/pci/fm801.c
82659 --- linux-2.6.39.2/sound/pci/fm801.c 2011-05-19 00:06:34.000000000 -0400
82660 +++ linux-2.6.39.2/sound/pci/fm801.c 2011-05-22 19:36:35.000000000 -0400
82661 @@ -662,7 +662,7 @@ static int snd_fm801_capture_close(struc
82662 return 0;
82663 }
82664
82665 -static struct snd_pcm_ops snd_fm801_playback_ops = {
82666 +static const struct snd_pcm_ops snd_fm801_playback_ops = {
82667 .open = snd_fm801_playback_open,
82668 .close = snd_fm801_playback_close,
82669 .ioctl = snd_pcm_lib_ioctl,
82670 @@ -673,7 +673,7 @@ static struct snd_pcm_ops snd_fm801_play
82671 .pointer = snd_fm801_playback_pointer,
82672 };
82673
82674 -static struct snd_pcm_ops snd_fm801_capture_ops = {
82675 +static const struct snd_pcm_ops snd_fm801_capture_ops = {
82676 .open = snd_fm801_capture_open,
82677 .close = snd_fm801_capture_close,
82678 .ioctl = snd_pcm_lib_ioctl,
82679 @@ -1236,7 +1236,7 @@ static int __devinit snd_fm801_mixer(str
82680 struct snd_ac97_template ac97;
82681 unsigned int i;
82682 int err;
82683 - static struct snd_ac97_bus_ops ops = {
82684 + static const struct snd_ac97_bus_ops ops = {
82685 .write = snd_fm801_codec_write,
82686 .read = snd_fm801_codec_read,
82687 };
82688 @@ -1396,7 +1396,7 @@ static int __devinit snd_fm801_create(st
82689 {
82690 struct fm801 *chip;
82691 int err;
82692 - static struct snd_device_ops ops = {
82693 + static const struct snd_device_ops ops = {
82694 .dev_free = snd_fm801_dev_free,
82695 };
82696
82697 diff -urNp linux-2.6.39.2/sound/pci/hda/hda_generic.c linux-2.6.39.2/sound/pci/hda/hda_generic.c
82698 --- linux-2.6.39.2/sound/pci/hda/hda_generic.c 2011-05-19 00:06:34.000000000 -0400
82699 +++ linux-2.6.39.2/sound/pci/hda/hda_generic.c 2011-05-22 19:36:35.000000000 -0400
82700 @@ -1038,7 +1038,7 @@ static int generic_check_power_status(st
82701
82702 /*
82703 */
82704 -static struct hda_codec_ops generic_patch_ops = {
82705 +static const struct hda_codec_ops generic_patch_ops = {
82706 .build_controls = build_generic_controls,
82707 .build_pcms = build_generic_pcms,
82708 .free = snd_hda_generic_free,
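Review bot: Marking `generic_patch_ops` const protects the template, but not necessarily the pointers that are actually dispatched. If the codec stores the ops by value, as mainline HDA code of this era does with `codec->patch_ops = generic_patch_ops;` (not visible in this hunk), the live function pointers sit in the writable `struct hda_codec` allocation and can still be overwritten by a stray or malicious kernel write. Full benefit would need the codec to hold `const struct hda_codec_ops *patch_ops;` pointing at the const table, which in turn requires that no driver adjusts individual members after assignment. The same applies to the other `hda_codec_ops` tables in the patch_*.c hunks below.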
82709 diff -urNp linux-2.6.39.2/sound/pci/hda/hda_intel.c linux-2.6.39.2/sound/pci/hda/hda_intel.c
82710 --- linux-2.6.39.2/sound/pci/hda/hda_intel.c 2011-06-03 00:04:14.000000000 -0400
82711 +++ linux-2.6.39.2/sound/pci/hda/hda_intel.c 2011-06-03 00:32:08.000000000 -0400
82712 @@ -2459,7 +2459,7 @@ static int __devinit azx_create(struct s
82713 struct azx *chip;
82714 int i, err;
82715 unsigned short gcap;
82716 - static struct snd_device_ops ops = {
82717 + static const struct snd_device_ops ops = {
82718 .dev_free = azx_dev_free,
82719 };
82720
82721 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_ca0110.c linux-2.6.39.2/sound/pci/hda/patch_ca0110.c
82722 --- linux-2.6.39.2/sound/pci/hda/patch_ca0110.c 2011-05-19 00:06:34.000000000 -0400
82723 +++ linux-2.6.39.2/sound/pci/hda/patch_ca0110.c 2011-05-22 19:36:35.000000000 -0400
82724 @@ -389,7 +389,7 @@ static void ca0110_free(struct hda_codec
82725 kfree(codec->spec);
82726 }
82727
82728 -static struct hda_codec_ops ca0110_patch_ops = {
82729 +static const struct hda_codec_ops ca0110_patch_ops = {
82730 .build_controls = ca0110_build_controls,
82731 .build_pcms = ca0110_build_pcms,
82732 .init = ca0110_init,
82733 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_cirrus.c linux-2.6.39.2/sound/pci/hda/patch_cirrus.c
82734 --- linux-2.6.39.2/sound/pci/hda/patch_cirrus.c 2011-05-19 00:06:34.000000000 -0400
82735 +++ linux-2.6.39.2/sound/pci/hda/patch_cirrus.c 2011-05-22 19:36:35.000000000 -0400
82736 @@ -1126,7 +1126,7 @@ static void cs_unsol_event(struct hda_co
82737 }
82738 }
82739
82740 -static struct hda_codec_ops cs_patch_ops = {
82741 +static const struct hda_codec_ops cs_patch_ops = {
82742 .build_controls = cs_build_controls,
82743 .build_pcms = cs_build_pcms,
82744 .init = cs_init,
82745 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_cmedia.c linux-2.6.39.2/sound/pci/hda/patch_cmedia.c
82746 --- linux-2.6.39.2/sound/pci/hda/patch_cmedia.c 2011-05-19 00:06:34.000000000 -0400
82747 +++ linux-2.6.39.2/sound/pci/hda/patch_cmedia.c 2011-05-22 19:36:35.000000000 -0400
82748 @@ -624,7 +624,7 @@ static struct snd_pci_quirk cmi9880_cfg_
82749 {} /* terminator */
82750 };
82751
82752 -static struct hda_codec_ops cmi9880_patch_ops = {
82753 +static const struct hda_codec_ops cmi9880_patch_ops = {
82754 .build_controls = cmi9880_build_controls,
82755 .build_pcms = cmi9880_build_pcms,
82756 .init = cmi9880_init,
82757 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_conexant.c linux-2.6.39.2/sound/pci/hda/patch_conexant.c
82758 --- linux-2.6.39.2/sound/pci/hda/patch_conexant.c 2011-06-03 00:04:14.000000000 -0400
82759 +++ linux-2.6.39.2/sound/pci/hda/patch_conexant.c 2011-06-03 00:32:08.000000000 -0400
82760 @@ -546,7 +546,7 @@ static int conexant_suspend(struct hda_c
82761 }
82762 #endif
82763
82764 -static struct hda_codec_ops conexant_patch_ops = {
82765 +static const struct hda_codec_ops conexant_patch_ops = {
82766 .build_controls = conexant_build_controls,
82767 .build_pcms = conexant_build_pcms,
82768 .init = conexant_init,
82769 @@ -3792,7 +3792,7 @@ static int cx_auto_build_controls(struct
82770 return conexant_build_controls(codec);
82771 }
82772
82773 -static struct hda_codec_ops cx_auto_patch_ops = {
82774 +static const struct hda_codec_ops cx_auto_patch_ops = {
82775 .build_controls = cx_auto_build_controls,
82776 .build_pcms = conexant_build_pcms,
82777 .init = cx_auto_init,
82778 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_hdmi.c linux-2.6.39.2/sound/pci/hda/patch_hdmi.c
82779 --- linux-2.6.39.2/sound/pci/hda/patch_hdmi.c 2011-05-19 00:06:34.000000000 -0400
82780 +++ linux-2.6.39.2/sound/pci/hda/patch_hdmi.c 2011-05-22 19:36:35.000000000 -0400
82781 @@ -1124,7 +1124,7 @@ static void generic_hdmi_free(struct hda
82782 kfree(spec);
82783 }
82784
82785 -static struct hda_codec_ops generic_hdmi_patch_ops = {
82786 +static const struct hda_codec_ops generic_hdmi_patch_ops = {
82787 .init = generic_hdmi_init,
82788 .free = generic_hdmi_free,
82789 .build_pcms = generic_hdmi_build_pcms,
82790 @@ -1465,14 +1465,14 @@ static struct hda_pcm_stream nvhdmi_pcm_
82791 },
82792 };
82793
82794 -static struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
82795 +static const struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
82796 .build_controls = generic_hdmi_build_controls,
82797 .build_pcms = generic_hdmi_build_pcms,
82798 .init = nvhdmi_7x_init,
82799 .free = generic_hdmi_free,
82800 };
82801
82802 -static struct hda_codec_ops nvhdmi_patch_ops_2ch = {
82803 +static const struct hda_codec_ops nvhdmi_patch_ops_2ch = {
82804 .build_controls = generic_hdmi_build_controls,
82805 .build_pcms = generic_hdmi_build_pcms,
82806 .init = nvhdmi_7x_init,
82807 @@ -1599,7 +1599,7 @@ static int atihdmi_init(struct hda_codec
82808 return 0;
82809 }
82810
82811 -static struct hda_codec_ops atihdmi_patch_ops = {
82812 +static const struct hda_codec_ops atihdmi_patch_ops = {
82813 .build_controls = generic_hdmi_build_controls,
82814 .build_pcms = generic_hdmi_build_pcms,
82815 .init = atihdmi_init,
82816 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_realtek.c linux-2.6.39.2/sound/pci/hda/patch_realtek.c
82817 --- linux-2.6.39.2/sound/pci/hda/patch_realtek.c 2011-06-25 12:55:23.000000000 -0400
82818 +++ linux-2.6.39.2/sound/pci/hda/patch_realtek.c 2011-06-25 13:00:30.000000000 -0400
82819 @@ -4273,7 +4273,7 @@ static int alc_resume(struct hda_codec *
82820
82821 /*
82822 */
82823 -static struct hda_codec_ops alc_patch_ops = {
82824 +static const struct hda_codec_ops alc_patch_ops = {
82825 .build_controls = alc_build_controls,
82826 .build_pcms = alc_build_pcms,
82827 .init = alc_init,
82828 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_si3054.c linux-2.6.39.2/sound/pci/hda/patch_si3054.c
82829 --- linux-2.6.39.2/sound/pci/hda/patch_si3054.c 2011-05-19 00:06:34.000000000 -0400
82830 +++ linux-2.6.39.2/sound/pci/hda/patch_si3054.c 2011-05-22 19:36:35.000000000 -0400
82831 @@ -263,7 +263,7 @@ static void si3054_free(struct hda_codec
82832 /*
82833 */
82834
82835 -static struct hda_codec_ops si3054_patch_ops = {
82836 +static const struct hda_codec_ops si3054_patch_ops = {
82837 .build_controls = si3054_build_controls,
82838 .build_pcms = si3054_build_pcms,
82839 .init = si3054_init,
82840 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_sigmatel.c linux-2.6.39.2/sound/pci/hda/patch_sigmatel.c
82841 --- linux-2.6.39.2/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:04:14.000000000 -0400
82842 +++ linux-2.6.39.2/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:32:08.000000000 -0400
82843 @@ -4968,7 +4968,7 @@ static int stac92xx_suspend(struct hda_c
82844 }
82845 #endif
82846
82847 -static struct hda_codec_ops stac92xx_patch_ops = {
82848 +static const struct hda_codec_ops stac92xx_patch_ops = {
82849 .build_controls = stac92xx_build_controls,
82850 .build_pcms = stac92xx_build_pcms,
82851 .init = stac92xx_init,
82852 diff -urNp linux-2.6.39.2/sound/pci/hda/patch_via.c linux-2.6.39.2/sound/pci/hda/patch_via.c
82853 --- linux-2.6.39.2/sound/pci/hda/patch_via.c 2011-05-19 00:06:34.000000000 -0400
82854 +++ linux-2.6.39.2/sound/pci/hda/patch_via.c 2011-05-22 19:36:35.000000000 -0400
82855 @@ -2254,7 +2254,7 @@ static int via_check_power_status(struct
82856
82857 /*
82858 */
82859 -static struct hda_codec_ops via_patch_ops = {
82860 +static const struct hda_codec_ops via_patch_ops = {
82861 .build_controls = via_build_controls,
82862 .build_pcms = via_build_pcms,
82863 .init = via_init,
82864 diff -urNp linux-2.6.39.2/sound/pci/ice1712/ice1712.c linux-2.6.39.2/sound/pci/ice1712/ice1712.c
82865 --- linux-2.6.39.2/sound/pci/ice1712/ice1712.c 2011-05-19 00:06:34.000000000 -0400
82866 +++ linux-2.6.39.2/sound/pci/ice1712/ice1712.c 2011-05-22 19:36:35.000000000 -0400
82867 @@ -2541,7 +2541,7 @@ static int __devinit snd_ice1712_create(
82868 {
82869 struct snd_ice1712 *ice;
82870 int err;
82871 - static struct snd_device_ops ops = {
82872 + static const struct snd_device_ops ops = {
82873 .dev_free = snd_ice1712_dev_free,
82874 };
82875
82876 diff -urNp linux-2.6.39.2/sound/pci/ice1712/ice1724.c linux-2.6.39.2/sound/pci/ice1712/ice1724.c
82877 --- linux-2.6.39.2/sound/pci/ice1712/ice1724.c 2011-05-19 00:06:34.000000000 -0400
82878 +++ linux-2.6.39.2/sound/pci/ice1712/ice1724.c 2011-05-22 19:36:35.000000000 -0400
82879 @@ -367,7 +367,7 @@ static void vt1724_midi_output_drain(str
82880 } while (time_after(timeout, jiffies));
82881 }
82882
82883 -static struct snd_rawmidi_ops vt1724_midi_output_ops = {
82884 +static const struct snd_rawmidi_ops vt1724_midi_output_ops = {
82885 .open = vt1724_midi_output_open,
82886 .close = vt1724_midi_output_close,
82887 .trigger = vt1724_midi_output_trigger,
82888 @@ -402,7 +402,7 @@ static void vt1724_midi_input_trigger(st
82889 spin_unlock_irqrestore(&ice->reg_lock, flags);
82890 }
82891
82892 -static struct snd_rawmidi_ops vt1724_midi_input_ops = {
82893 +static const struct snd_rawmidi_ops vt1724_midi_input_ops = {
82894 .open = vt1724_midi_input_open,
82895 .close = vt1724_midi_input_close,
82896 .trigger = vt1724_midi_input_trigger,
82897 @@ -2463,7 +2463,7 @@ static int __devinit snd_vt1724_create(s
82898 {
82899 struct snd_ice1712 *ice;
82900 int err;
82901 - static struct snd_device_ops ops = {
82902 + static const struct snd_device_ops ops = {
82903 .dev_free = snd_vt1724_dev_free,
82904 };
82905
82906 diff -urNp linux-2.6.39.2/sound/pci/intel8x0.c linux-2.6.39.2/sound/pci/intel8x0.c
82907 --- linux-2.6.39.2/sound/pci/intel8x0.c 2011-05-19 00:06:34.000000000 -0400
82908 +++ linux-2.6.39.2/sound/pci/intel8x0.c 2011-05-22 19:36:35.000000000 -0400
82909 @@ -2152,12 +2152,12 @@ static int __devinit snd_intel8x0_mixer(
82910 int err;
82911 unsigned int i, codecs;
82912 unsigned int glob_sta = 0;
82913 - struct snd_ac97_bus_ops *ops;
82914 - static struct snd_ac97_bus_ops standard_bus_ops = {
82915 + const struct snd_ac97_bus_ops *ops;
82916 + static const struct snd_ac97_bus_ops standard_bus_ops = {
82917 .write = snd_intel8x0_codec_write,
82918 .read = snd_intel8x0_codec_read,
82919 };
82920 - static struct snd_ac97_bus_ops ali_bus_ops = {
82921 + static const struct snd_ac97_bus_ops ali_bus_ops = {
82922 .write = snd_intel8x0_ali_codec_write,
82923 .read = snd_intel8x0_ali_codec_read,
82924 };
82925 @@ -2921,7 +2921,7 @@ static int __devinit snd_intel8x0_create
82926 unsigned int i;
82927 unsigned int int_sta_masks;
82928 struct ichdev *ichdev;
82929 - static struct snd_device_ops ops = {
82930 + static const struct snd_device_ops ops = {
82931 .dev_free = snd_intel8x0_dev_free,
82932 };
82933
82934 diff -urNp linux-2.6.39.2/sound/pci/intel8x0m.c linux-2.6.39.2/sound/pci/intel8x0m.c
82935 --- linux-2.6.39.2/sound/pci/intel8x0m.c 2011-05-19 00:06:34.000000000 -0400
82936 +++ linux-2.6.39.2/sound/pci/intel8x0m.c 2011-05-22 19:36:35.000000000 -0400
82937 @@ -826,7 +826,7 @@ static int __devinit snd_intel8x0m_mixer
82938 struct snd_ac97 *x97;
82939 int err;
82940 unsigned int glob_sta = 0;
82941 - static struct snd_ac97_bus_ops ops = {
82942 + static const struct snd_ac97_bus_ops ops = {
82943 .write = snd_intel8x0m_codec_write,
82944 .read = snd_intel8x0m_codec_read,
82945 };
82946 @@ -1116,7 +1116,7 @@ static int __devinit snd_intel8x0m_creat
82947 unsigned int i;
82948 unsigned int int_sta_masks;
82949 struct ichdev *ichdev;
82950 - static struct snd_device_ops ops = {
82951 + static const struct snd_device_ops ops = {
82952 .dev_free = snd_intel8x0m_dev_free,
82953 };
82954 static struct ich_reg_info intel_regs[2] = {
82955 @@ -1265,7 +1265,7 @@ static struct shortname_table {
82956 { 0x5455, "ALi M5455" },
82957 { 0x746d, "AMD AMD8111" },
82958 #endif
82959 - { 0 },
82960 + { 0, },
82961 };
82962
82963 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
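Review bot: The `{ 0 },` to `{ 0, },` change on the table terminator is cosmetic, since both forms zero-initialise every remaining member and the lookup sees the same sentinel. It is unrelated to the constification in the rest of this file, and nothing in the hunk says why it is wanted, so it should either be dropped or explained in the patch notes. The hunk header shows the table is still declared `static struct shortname_table {`. If nothing writes to it, that declaration (outside this hunk) could become `static const struct shortname_table {` to match the rest of the patch.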
82964 diff -urNp linux-2.6.39.2/sound/pci/korg1212/korg1212.c linux-2.6.39.2/sound/pci/korg1212/korg1212.c
82965 --- linux-2.6.39.2/sound/pci/korg1212/korg1212.c 2011-05-19 00:06:34.000000000 -0400
82966 +++ linux-2.6.39.2/sound/pci/korg1212/korg1212.c 2011-05-22 19:36:35.000000000 -0400
82967 @@ -1682,7 +1682,7 @@ static int snd_korg1212_capture_copy(str
82968 return snd_korg1212_copy_to(korg1212, dst, pos, count, 0, korg1212->channels * 2);
82969 }
82970
82971 -static struct snd_pcm_ops snd_korg1212_playback_ops = {
82972 +static const struct snd_pcm_ops snd_korg1212_playback_ops = {
82973 .open = snd_korg1212_playback_open,
82974 .close = snd_korg1212_playback_close,
82975 .ioctl = snd_korg1212_ioctl,
82976 @@ -1694,7 +1694,7 @@ static struct snd_pcm_ops snd_korg1212_p
82977 .silence = snd_korg1212_playback_silence,
82978 };
82979
82980 -static struct snd_pcm_ops snd_korg1212_capture_ops = {
82981 +static const struct snd_pcm_ops snd_korg1212_capture_ops = {
82982 .open = snd_korg1212_capture_open,
82983 .close = snd_korg1212_capture_close,
82984 .ioctl = snd_korg1212_ioctl,
82985 @@ -2164,7 +2164,7 @@ static int __devinit snd_korg1212_create
82986 struct snd_korg1212 * korg1212;
82987 const struct firmware *dsp_code;
82988
82989 - static struct snd_device_ops ops = {
82990 + static const struct snd_device_ops ops = {
82991 .dev_free = snd_korg1212_dev_free,
82992 };
82993
82994 diff -urNp linux-2.6.39.2/sound/pci/maestro3.c linux-2.6.39.2/sound/pci/maestro3.c
82995 --- linux-2.6.39.2/sound/pci/maestro3.c 2011-05-19 00:06:34.000000000 -0400
82996 +++ linux-2.6.39.2/sound/pci/maestro3.c 2011-05-22 19:36:35.000000000 -0400
82997 @@ -1926,7 +1926,7 @@ snd_m3_capture_close(struct snd_pcm_subs
82998 * create pcm instance
82999 */
83000
83001 -static struct snd_pcm_ops snd_m3_playback_ops = {
83002 +static const struct snd_pcm_ops snd_m3_playback_ops = {
83003 .open = snd_m3_playback_open,
83004 .close = snd_m3_playback_close,
83005 .ioctl = snd_pcm_lib_ioctl,
83006 @@ -1937,7 +1937,7 @@ static struct snd_pcm_ops snd_m3_playbac
83007 .pointer = snd_m3_pcm_pointer,
83008 };
83009
83010 -static struct snd_pcm_ops snd_m3_capture_ops = {
83011 +static const struct snd_pcm_ops snd_m3_capture_ops = {
83012 .open = snd_m3_capture_open,
83013 .close = snd_m3_capture_close,
83014 .ioctl = snd_pcm_lib_ioctl,
83015 @@ -2150,7 +2150,7 @@ static int __devinit snd_m3_mixer(struct
83016 struct snd_ctl_elem_id elem_id;
83017 #endif
83018 int err;
83019 - static struct snd_ac97_bus_ops ops = {
83020 + static const struct snd_ac97_bus_ops ops = {
83021 .write = snd_m3_ac97_write,
83022 .read = snd_m3_ac97_read,
83023 };
83024 @@ -2643,7 +2643,7 @@ snd_m3_create(struct snd_card *card, str
83025 struct snd_m3 *chip;
83026 int i, err;
83027 const struct snd_pci_quirk *quirk;
83028 - static struct snd_device_ops ops = {
83029 + static const struct snd_device_ops ops = {
83030 .dev_free = snd_m3_dev_free,
83031 };
83032
83033 diff -urNp linux-2.6.39.2/sound/pci/mixart/mixart.c linux-2.6.39.2/sound/pci/mixart/mixart.c
83034 --- linux-2.6.39.2/sound/pci/mixart/mixart.c 2011-05-19 00:06:34.000000000 -0400
83035 +++ linux-2.6.39.2/sound/pci/mixart/mixart.c 2011-05-22 19:36:35.000000000 -0400
83036 @@ -887,7 +887,7 @@ static snd_pcm_uframes_t snd_mixart_stre
83037
83038
83039
83040 -static struct snd_pcm_ops snd_mixart_playback_ops = {
83041 +static const struct snd_pcm_ops snd_mixart_playback_ops = {
83042 .open = snd_mixart_playback_open,
83043 .close = snd_mixart_close,
83044 .ioctl = snd_pcm_lib_ioctl,
83045 @@ -898,7 +898,7 @@ static struct snd_pcm_ops snd_mixart_pla
83046 .pointer = snd_mixart_stream_pointer,
83047 };
83048
83049 -static struct snd_pcm_ops snd_mixart_capture_ops = {
83050 +static const struct snd_pcm_ops snd_mixart_capture_ops = {
83051 .open = snd_mixart_capture_open,
83052 .close = snd_mixart_close,
83053 .ioctl = snd_pcm_lib_ioctl,
83054 @@ -1008,7 +1008,7 @@ static int __devinit snd_mixart_create(s
83055 {
83056 int err;
83057 struct snd_mixart *chip;
83058 - static struct snd_device_ops ops = {
83059 + static const struct snd_device_ops ops = {
83060 .dev_free = snd_mixart_chip_dev_free,
83061 };
83062
83063 diff -urNp linux-2.6.39.2/sound/pci/nm256/nm256.c linux-2.6.39.2/sound/pci/nm256/nm256.c
83064 --- linux-2.6.39.2/sound/pci/nm256/nm256.c 2011-05-19 00:06:34.000000000 -0400
83065 +++ linux-2.6.39.2/sound/pci/nm256/nm256.c 2011-05-22 19:36:35.000000000 -0400
83066 @@ -899,7 +899,7 @@ snd_nm256_capture_close(struct snd_pcm_s
83067 /*
83068 * create a pcm instance
83069 */
83070 -static struct snd_pcm_ops snd_nm256_playback_ops = {
83071 +static const struct snd_pcm_ops snd_nm256_playback_ops = {
83072 .open = snd_nm256_playback_open,
83073 .close = snd_nm256_playback_close,
83074 .ioctl = snd_pcm_lib_ioctl,
83075 @@ -914,7 +914,7 @@ static struct snd_pcm_ops snd_nm256_play
83076 .mmap = snd_pcm_lib_mmap_iomem,
83077 };
83078
83079 -static struct snd_pcm_ops snd_nm256_capture_ops = {
83080 +static const struct snd_pcm_ops snd_nm256_capture_ops = {
83081 .open = snd_nm256_capture_open,
83082 .close = snd_nm256_capture_close,
83083 .ioctl = snd_pcm_lib_ioctl,
83084 @@ -1301,7 +1301,7 @@ snd_nm256_mixer(struct nm256 *chip)
83085 struct snd_ac97_bus *pbus;
83086 struct snd_ac97_template ac97;
83087 int err;
83088 - static struct snd_ac97_bus_ops ops = {
83089 + static const struct snd_ac97_bus_ops ops = {
83090 .reset = snd_nm256_ac97_reset,
83091 .write = snd_nm256_ac97_write,
83092 .read = snd_nm256_ac97_read,
83093 @@ -1471,7 +1471,7 @@ snd_nm256_create(struct snd_card *card,
83094 {
83095 struct nm256 *chip;
83096 int err, pval;
83097 - static struct snd_device_ops ops = {
83098 + static const struct snd_device_ops ops = {
83099 .dev_free = snd_nm256_dev_free,
83100 };
83101 u32 addr;
83102 diff -urNp linux-2.6.39.2/sound/pci/oxygen/oxygen_pcm.c linux-2.6.39.2/sound/pci/oxygen/oxygen_pcm.c
83103 --- linux-2.6.39.2/sound/pci/oxygen/oxygen_pcm.c 2011-05-19 00:06:34.000000000 -0400
83104 +++ linux-2.6.39.2/sound/pci/oxygen/oxygen_pcm.c 2011-05-22 19:36:35.000000000 -0400
83105 @@ -606,7 +606,7 @@ static snd_pcm_uframes_t oxygen_pointer(
83106 return bytes_to_frames(runtime, curr_addr - (u32)runtime->dma_addr);
83107 }
83108
83109 -static struct snd_pcm_ops oxygen_rec_a_ops = {
83110 +static const struct snd_pcm_ops oxygen_rec_a_ops = {
83111 .open = oxygen_rec_a_open,
83112 .close = oxygen_close,
83113 .ioctl = snd_pcm_lib_ioctl,
83114 @@ -617,7 +617,7 @@ static struct snd_pcm_ops oxygen_rec_a_o
83115 .pointer = oxygen_pointer,
83116 };
83117
83118 -static struct snd_pcm_ops oxygen_rec_b_ops = {
83119 +static const struct snd_pcm_ops oxygen_rec_b_ops = {
83120 .open = oxygen_rec_b_open,
83121 .close = oxygen_close,
83122 .ioctl = snd_pcm_lib_ioctl,
83123 @@ -628,7 +628,7 @@ static struct snd_pcm_ops oxygen_rec_b_o
83124 .pointer = oxygen_pointer,
83125 };
83126
83127 -static struct snd_pcm_ops oxygen_rec_c_ops = {
83128 +static const struct snd_pcm_ops oxygen_rec_c_ops = {
83129 .open = oxygen_rec_c_open,
83130 .close = oxygen_close,
83131 .ioctl = snd_pcm_lib_ioctl,
83132 @@ -639,7 +639,7 @@ static struct snd_pcm_ops oxygen_rec_c_o
83133 .pointer = oxygen_pointer,
83134 };
83135
83136 -static struct snd_pcm_ops oxygen_spdif_ops = {
83137 +static const struct snd_pcm_ops oxygen_spdif_ops = {
83138 .open = oxygen_spdif_open,
83139 .close = oxygen_close,
83140 .ioctl = snd_pcm_lib_ioctl,
83141 @@ -650,7 +650,7 @@ static struct snd_pcm_ops oxygen_spdif_o
83142 .pointer = oxygen_pointer,
83143 };
83144
83145 -static struct snd_pcm_ops oxygen_multich_ops = {
83146 +static const struct snd_pcm_ops oxygen_multich_ops = {
83147 .open = oxygen_multich_open,
83148 .close = oxygen_close,
83149 .ioctl = snd_pcm_lib_ioctl,
83150 @@ -661,7 +661,7 @@ static struct snd_pcm_ops oxygen_multich
83151 .pointer = oxygen_pointer,
83152 };
83153
83154 -static struct snd_pcm_ops oxygen_ac97_ops = {
83155 +static const struct snd_pcm_ops oxygen_ac97_ops = {
83156 .open = oxygen_ac97_open,
83157 .close = oxygen_close,
83158 .ioctl = snd_pcm_lib_ioctl,
83159 diff -urNp linux-2.6.39.2/sound/pci/pcxhr/pcxhr.c linux-2.6.39.2/sound/pci/pcxhr/pcxhr.c
83160 --- linux-2.6.39.2/sound/pci/pcxhr/pcxhr.c 2011-05-19 00:06:34.000000000 -0400
83161 +++ linux-2.6.39.2/sound/pci/pcxhr/pcxhr.c 2011-05-22 19:36:35.000000000 -0400
83162 @@ -1121,7 +1121,7 @@ static snd_pcm_uframes_t pcxhr_stream_po
83163 }
83164
83165
83166 -static struct snd_pcm_ops pcxhr_ops = {
83167 +static const struct snd_pcm_ops pcxhr_ops = {
83168 .open = pcxhr_open,
83169 .close = pcxhr_close,
83170 .ioctl = snd_pcm_lib_ioctl,
83171 @@ -1184,7 +1184,7 @@ static int __devinit pcxhr_create(struct
83172 {
83173 int err;
83174 struct snd_pcxhr *chip;
83175 - static struct snd_device_ops ops = {
83176 + static const struct snd_device_ops ops = {
83177 .dev_free = pcxhr_chip_dev_free,
83178 };
83179
83180 diff -urNp linux-2.6.39.2/sound/pci/riptide/riptide.c linux-2.6.39.2/sound/pci/riptide/riptide.c
83181 --- linux-2.6.39.2/sound/pci/riptide/riptide.c 2011-05-19 00:06:34.000000000 -0400
83182 +++ linux-2.6.39.2/sound/pci/riptide/riptide.c 2011-05-22 19:36:35.000000000 -0400
83183 @@ -1675,7 +1675,7 @@ static int snd_riptide_capture_close(str
83184 return 0;
83185 }
83186
83187 -static struct snd_pcm_ops snd_riptide_playback_ops = {
83188 +static const struct snd_pcm_ops snd_riptide_playback_ops = {
83189 .open = snd_riptide_playback_open,
83190 .close = snd_riptide_playback_close,
83191 .ioctl = snd_pcm_lib_ioctl,
83192 @@ -1686,7 +1686,7 @@ static struct snd_pcm_ops snd_riptide_pl
83193 .trigger = snd_riptide_trigger,
83194 .pointer = snd_riptide_pointer,
83195 };
83196 -static struct snd_pcm_ops snd_riptide_capture_ops = {
83197 +static const struct snd_pcm_ops snd_riptide_capture_ops = {
83198 .open = snd_riptide_capture_open,
83199 .close = snd_riptide_capture_close,
83200 .ioctl = snd_pcm_lib_ioctl,
83201 @@ -1857,7 +1857,7 @@ snd_riptide_create(struct snd_card *card
83202 struct snd_riptide *chip;
83203 struct riptideport *hwport;
83204 int err;
83205 - static struct snd_device_ops ops = {
83206 + static const struct snd_device_ops ops = {
83207 .dev_free = snd_riptide_dev_free,
83208 };
83209
83210 @@ -1999,7 +1999,7 @@ static int __devinit snd_riptide_mixer(s
83211 struct snd_ac97_bus *pbus;
83212 struct snd_ac97_template ac97;
83213 int err = 0;
83214 - static struct snd_ac97_bus_ops ops = {
83215 + static const struct snd_ac97_bus_ops ops = {
83216 .write = snd_riptide_codec_write,
83217 .read = snd_riptide_codec_read,
83218 };
83219 diff -urNp linux-2.6.39.2/sound/pci/rme32.c linux-2.6.39.2/sound/pci/rme32.c
83220 --- linux-2.6.39.2/sound/pci/rme32.c 2011-05-19 00:06:34.000000000 -0400
83221 +++ linux-2.6.39.2/sound/pci/rme32.c 2011-05-22 19:36:35.000000000 -0400
83222 @@ -1197,7 +1197,7 @@ snd_rme32_capture_fd_pointer(struct snd_
83223 }
83224
83225 /* for halfduplex mode */
83226 -static struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83227 +static const struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83228 .open = snd_rme32_playback_spdif_open,
83229 .close = snd_rme32_playback_close,
83230 .ioctl = snd_pcm_lib_ioctl,
83231 @@ -1211,7 +1211,7 @@ static struct snd_pcm_ops snd_rme32_play
83232 .mmap = snd_pcm_lib_mmap_iomem,
83233 };
83234
83235 -static struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83236 +static const struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83237 .open = snd_rme32_capture_spdif_open,
83238 .close = snd_rme32_capture_close,
83239 .ioctl = snd_pcm_lib_ioctl,
83240 @@ -1224,7 +1224,7 @@ static struct snd_pcm_ops snd_rme32_capt
83241 .mmap = snd_pcm_lib_mmap_iomem,
83242 };
83243
83244 -static struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83245 +static const struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83246 .open = snd_rme32_playback_adat_open,
83247 .close = snd_rme32_playback_close,
83248 .ioctl = snd_pcm_lib_ioctl,
83249 @@ -1237,7 +1237,7 @@ static struct snd_pcm_ops snd_rme32_play
83250 .mmap = snd_pcm_lib_mmap_iomem,
83251 };
83252
83253 -static struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83254 +static const struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83255 .open = snd_rme32_capture_adat_open,
83256 .close = snd_rme32_capture_close,
83257 .ioctl = snd_pcm_lib_ioctl,
83258 @@ -1250,7 +1250,7 @@ static struct snd_pcm_ops snd_rme32_capt
83259 };
83260
83261 /* for fullduplex mode */
83262 -static struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83263 +static const struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83264 .open = snd_rme32_playback_spdif_open,
83265 .close = snd_rme32_playback_close,
83266 .ioctl = snd_pcm_lib_ioctl,
83267 @@ -1262,7 +1262,7 @@ static struct snd_pcm_ops snd_rme32_play
83268 .ack = snd_rme32_playback_fd_ack,
83269 };
83270
83271 -static struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83272 +static const struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83273 .open = snd_rme32_capture_spdif_open,
83274 .close = snd_rme32_capture_close,
83275 .ioctl = snd_pcm_lib_ioctl,
83276 @@ -1274,7 +1274,7 @@ static struct snd_pcm_ops snd_rme32_capt
83277 .ack = snd_rme32_capture_fd_ack,
83278 };
83279
83280 -static struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83281 +static const struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83282 .open = snd_rme32_playback_adat_open,
83283 .close = snd_rme32_playback_close,
83284 .ioctl = snd_pcm_lib_ioctl,
83285 @@ -1285,7 +1285,7 @@ static struct snd_pcm_ops snd_rme32_play
83286 .ack = snd_rme32_playback_fd_ack,
83287 };
83288
83289 -static struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83290 +static const struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83291 .open = snd_rme32_capture_adat_open,
83292 .close = snd_rme32_capture_close,
83293 .ioctl = snd_pcm_lib_ioctl,
83294 diff -urNp linux-2.6.39.2/sound/pci/rme9652/hdsp.c linux-2.6.39.2/sound/pci/rme9652/hdsp.c
83295 --- linux-2.6.39.2/sound/pci/rme9652/hdsp.c 2011-05-19 00:06:34.000000000 -0400
83296 +++ linux-2.6.39.2/sound/pci/rme9652/hdsp.c 2011-05-22 19:36:35.000000000 -0400
83297 @@ -1469,15 +1469,13 @@ static int snd_hdsp_midi_output_close(st
83298 return 0;
83299 }
83300
83301 -static struct snd_rawmidi_ops snd_hdsp_midi_output =
83302 -{
83303 +static const struct snd_rawmidi_ops snd_hdsp_midi_output = {
83304 .open = snd_hdsp_midi_output_open,
83305 .close = snd_hdsp_midi_output_close,
83306 .trigger = snd_hdsp_midi_output_trigger,
83307 };
83308
83309 -static struct snd_rawmidi_ops snd_hdsp_midi_input =
83310 -{
83311 +static const struct snd_rawmidi_ops snd_hdsp_midi_input = {
83312 .open = snd_hdsp_midi_input_open,
83313 .close = snd_hdsp_midi_input_close,
83314 .trigger = snd_hdsp_midi_input_trigger,
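Review bot: These two declarations change brace placement as well as adding `const`, which is why the hunk shrinks from 15 to 13 lines. Moving `{` onto the declaration line matches the other ops tables, but it is a formatting cleanup mixed into a hardening change, and it makes the diff harder to audit for anything beyond the qualifier. Keeping the original layout, `static const struct snd_rawmidi_ops snd_hdsp_midi_output =` with `{` on the next line, would leave a one-token change per table. The hdspm.c hunk at `@@ -1773,15 +1773,13 @@` has the same mix.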
83315 @@ -5135,7 +5133,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
83316 return 0;
83317 }
83318
83319 -static struct snd_pcm_ops snd_hdsp_playback_ops = {
83320 +static const struct snd_pcm_ops snd_hdsp_playback_ops = {
83321 .open = snd_hdsp_playback_open,
83322 .close = snd_hdsp_playback_release,
83323 .ioctl = snd_hdsp_ioctl,
83324 @@ -5147,7 +5145,7 @@ static struct snd_pcm_ops snd_hdsp_playb
83325 .silence = snd_hdsp_hw_silence,
83326 };
83327
83328 -static struct snd_pcm_ops snd_hdsp_capture_ops = {
83329 +static const struct snd_pcm_ops snd_hdsp_capture_ops = {
83330 .open = snd_hdsp_capture_open,
83331 .close = snd_hdsp_capture_release,
83332 .ioctl = snd_hdsp_ioctl,
83333 diff -urNp linux-2.6.39.2/sound/pci/rme9652/hdspm.c linux-2.6.39.2/sound/pci/rme9652/hdspm.c
83334 --- linux-2.6.39.2/sound/pci/rme9652/hdspm.c 2011-05-19 00:06:34.000000000 -0400
83335 +++ linux-2.6.39.2/sound/pci/rme9652/hdspm.c 2011-05-22 19:36:35.000000000 -0400
83336 @@ -1773,15 +1773,13 @@ static int snd_hdspm_midi_output_close(s
83337 return 0;
83338 }
83339
83340 -static struct snd_rawmidi_ops snd_hdspm_midi_output =
83341 -{
83342 +static const struct snd_rawmidi_ops snd_hdspm_midi_output = {
83343 .open = snd_hdspm_midi_output_open,
83344 .close = snd_hdspm_midi_output_close,
83345 .trigger = snd_hdspm_midi_output_trigger,
83346 };
83347
83348 -static struct snd_rawmidi_ops snd_hdspm_midi_input =
83349 -{
83350 +static const struct snd_rawmidi_ops snd_hdspm_midi_input = {
83351 .open = snd_hdspm_midi_input_open,
83352 .close = snd_hdspm_midi_input_close,
83353 .trigger = snd_hdspm_midi_input_trigger,
83354 @@ -6172,7 +6170,7 @@ static int snd_hdspm_hwdep_ioctl(struct
83355 return 0;
83356 }
83357
83358 -static struct snd_pcm_ops snd_hdspm_playback_ops = {
83359 +static const struct snd_pcm_ops snd_hdspm_playback_ops = {
83360 .open = snd_hdspm_playback_open,
83361 .close = snd_hdspm_playback_release,
83362 .ioctl = snd_hdspm_ioctl,
83363 @@ -6184,7 +6182,7 @@ static struct snd_pcm_ops snd_hdspm_play
83364 .page = snd_pcm_sgbuf_ops_page,
83365 };
83366
83367 -static struct snd_pcm_ops snd_hdspm_capture_ops = {
83368 +static const struct snd_pcm_ops snd_hdspm_capture_ops = {
83369 .open = snd_hdspm_capture_open,
83370 .close = snd_hdspm_capture_release,
83371 .ioctl = snd_hdspm_ioctl,
83372 diff -urNp linux-2.6.39.2/sound/pci/rme9652/rme9652.c linux-2.6.39.2/sound/pci/rme9652/rme9652.c
83373 --- linux-2.6.39.2/sound/pci/rme9652/rme9652.c 2011-05-19 00:06:34.000000000 -0400
83374 +++ linux-2.6.39.2/sound/pci/rme9652/rme9652.c 2011-05-22 19:36:35.000000000 -0400
83375 @@ -2391,7 +2391,7 @@ static int snd_rme9652_capture_release(s
83376 return 0;
83377 }
83378
83379 -static struct snd_pcm_ops snd_rme9652_playback_ops = {
83380 +static const struct snd_pcm_ops snd_rme9652_playback_ops = {
83381 .open = snd_rme9652_playback_open,
83382 .close = snd_rme9652_playback_release,
83383 .ioctl = snd_rme9652_ioctl,
83384 @@ -2403,7 +2403,7 @@ static struct snd_pcm_ops snd_rme9652_pl
83385 .silence = snd_rme9652_hw_silence,
83386 };
83387
83388 -static struct snd_pcm_ops snd_rme9652_capture_ops = {
83389 +static const struct snd_pcm_ops snd_rme9652_capture_ops = {
83390 .open = snd_rme9652_capture_open,
83391 .close = snd_rme9652_capture_release,
83392 .ioctl = snd_rme9652_ioctl,
83393 diff -urNp linux-2.6.39.2/sound/pci/rme96.c linux-2.6.39.2/sound/pci/rme96.c
83394 --- linux-2.6.39.2/sound/pci/rme96.c 2011-05-19 00:06:34.000000000 -0400
83395 +++ linux-2.6.39.2/sound/pci/rme96.c 2011-05-22 19:36:35.000000000 -0400
83396 @@ -1447,7 +1447,7 @@ snd_rme96_capture_pointer(struct snd_pcm
83397 return snd_rme96_capture_ptr(rme96);
83398 }
83399
83400 -static struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83401 +static const struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83402 .open = snd_rme96_playback_spdif_open,
83403 .close = snd_rme96_playback_close,
83404 .ioctl = snd_pcm_lib_ioctl,
83405 @@ -1460,7 +1460,7 @@ static struct snd_pcm_ops snd_rme96_play
83406 .mmap = snd_pcm_lib_mmap_iomem,
83407 };
83408
83409 -static struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83410 +static const struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83411 .open = snd_rme96_capture_spdif_open,
83412 .close = snd_rme96_capture_close,
83413 .ioctl = snd_pcm_lib_ioctl,
83414 @@ -1472,7 +1472,7 @@ static struct snd_pcm_ops snd_rme96_capt
83415 .mmap = snd_pcm_lib_mmap_iomem,
83416 };
83417
83418 -static struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83419 +static const struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83420 .open = snd_rme96_playback_adat_open,
83421 .close = snd_rme96_playback_close,
83422 .ioctl = snd_pcm_lib_ioctl,
83423 @@ -1485,7 +1485,7 @@ static struct snd_pcm_ops snd_rme96_play
83424 .mmap = snd_pcm_lib_mmap_iomem,
83425 };
83426
83427 -static struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83428 +static const struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83429 .open = snd_rme96_capture_adat_open,
83430 .close = snd_rme96_capture_close,
83431 .ioctl = snd_pcm_lib_ioctl,
83432 diff -urNp linux-2.6.39.2/sound/pci/sis7019.c linux-2.6.39.2/sound/pci/sis7019.c
83433 --- linux-2.6.39.2/sound/pci/sis7019.c 2011-05-19 00:06:34.000000000 -0400
83434 +++ linux-2.6.39.2/sound/pci/sis7019.c 2011-05-22 19:36:35.000000000 -0400
83435 @@ -1011,7 +1011,7 @@ static int __devinit sis_mixer_create(st
83436 {
83437 struct snd_ac97_bus *bus;
83438 struct snd_ac97_template ac97;
83439 - static struct snd_ac97_bus_ops ops = {
83440 + static const struct snd_ac97_bus_ops ops = {
83441 .write = sis_ac97_write,
83442 .read = sis_ac97_read,
83443 };
83444 @@ -1293,7 +1293,7 @@ static int __devinit sis_chip_create(str
83445 {
83446 struct sis7019 *sis = card->private_data;
83447 struct voice *voice;
83448 - static struct snd_device_ops ops = {
83449 + static const struct snd_device_ops ops = {
83450 .dev_free = sis_dev_free,
83451 };
83452 int rc;
83453 diff -urNp linux-2.6.39.2/sound/pci/sonicvibes.c linux-2.6.39.2/sound/pci/sonicvibes.c
83454 --- linux-2.6.39.2/sound/pci/sonicvibes.c 2011-05-19 00:06:34.000000000 -0400
83455 +++ linux-2.6.39.2/sound/pci/sonicvibes.c 2011-05-22 19:36:35.000000000 -0400
83456 @@ -855,7 +855,7 @@ static int snd_sonicvibes_capture_close(
83457 return 0;
83458 }
83459
83460 -static struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83461 +static const struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83462 .open = snd_sonicvibes_playback_open,
83463 .close = snd_sonicvibes_playback_close,
83464 .ioctl = snd_pcm_lib_ioctl,
83465 @@ -866,7 +866,7 @@ static struct snd_pcm_ops snd_sonicvibes
83466 .pointer = snd_sonicvibes_playback_pointer,
83467 };
83468
83469 -static struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83470 +static const struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83471 .open = snd_sonicvibes_capture_open,
83472 .close = snd_sonicvibes_capture_close,
83473 .ioctl = snd_pcm_lib_ioctl,
83474 @@ -1255,7 +1255,7 @@ static int __devinit snd_sonicvibes_crea
83475 struct sonicvibes *sonic;
83476 unsigned int dmaa, dmac;
83477 int err;
83478 - static struct snd_device_ops ops = {
83479 + static const struct snd_device_ops ops = {
83480 .dev_free = snd_sonicvibes_dev_free,
83481 };
83482
83483 diff -urNp linux-2.6.39.2/sound/pci/trident/trident_main.c linux-2.6.39.2/sound/pci/trident/trident_main.c
83484 --- linux-2.6.39.2/sound/pci/trident/trident_main.c 2011-05-19 00:06:34.000000000 -0400
83485 +++ linux-2.6.39.2/sound/pci/trident/trident_main.c 2011-05-22 19:36:35.000000000 -0400
83486 @@ -3549,7 +3549,7 @@ int __devinit snd_trident_create(struct
83487 int i, err;
83488 struct snd_trident_voice *voice;
83489 struct snd_trident_pcm_mixer *tmix;
83490 - static struct snd_device_ops ops = {
83491 + static const struct snd_device_ops ops = {
83492 .dev_free = snd_trident_dev_free,
83493 };
83494
83495 diff -urNp linux-2.6.39.2/sound/pci/via82xx.c linux-2.6.39.2/sound/pci/via82xx.c
83496 --- linux-2.6.39.2/sound/pci/via82xx.c 2011-05-19 00:06:34.000000000 -0400
83497 +++ linux-2.6.39.2/sound/pci/via82xx.c 2011-05-22 19:36:35.000000000 -0400
83498 @@ -1352,7 +1352,7 @@ static int snd_via8233_playback_close(st
83499
83500
83501 /* via686 playback callbacks */
83502 -static struct snd_pcm_ops snd_via686_playback_ops = {
83503 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83504 .open = snd_via686_playback_open,
83505 .close = snd_via82xx_pcm_close,
83506 .ioctl = snd_pcm_lib_ioctl,
83507 @@ -1365,7 +1365,7 @@ static struct snd_pcm_ops snd_via686_pla
83508 };
83509
83510 /* via686 capture callbacks */
83511 -static struct snd_pcm_ops snd_via686_capture_ops = {
83512 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83513 .open = snd_via82xx_capture_open,
83514 .close = snd_via82xx_pcm_close,
83515 .ioctl = snd_pcm_lib_ioctl,
83516 @@ -1378,7 +1378,7 @@ static struct snd_pcm_ops snd_via686_cap
83517 };
83518
83519 /* via823x DSX playback callbacks */
83520 -static struct snd_pcm_ops snd_via8233_playback_ops = {
83521 +static const struct snd_pcm_ops snd_via8233_playback_ops = {
83522 .open = snd_via8233_playback_open,
83523 .close = snd_via8233_playback_close,
83524 .ioctl = snd_pcm_lib_ioctl,
83525 @@ -1391,7 +1391,7 @@ static struct snd_pcm_ops snd_via8233_pl
83526 };
83527
83528 /* via823x multi-channel playback callbacks */
83529 -static struct snd_pcm_ops snd_via8233_multi_ops = {
83530 +static const struct snd_pcm_ops snd_via8233_multi_ops = {
83531 .open = snd_via8233_multi_open,
83532 .close = snd_via82xx_pcm_close,
83533 .ioctl = snd_pcm_lib_ioctl,
83534 @@ -1404,7 +1404,7 @@ static struct snd_pcm_ops snd_via8233_mu
83535 };
83536
83537 /* via823x capture callbacks */
83538 -static struct snd_pcm_ops snd_via8233_capture_ops = {
83539 +static const struct snd_pcm_ops snd_via8233_capture_ops = {
83540 .open = snd_via82xx_capture_open,
83541 .close = snd_via82xx_pcm_close,
83542 .ioctl = snd_pcm_lib_ioctl,
83543 @@ -1868,7 +1868,7 @@ static int __devinit snd_via82xx_mixer_n
83544 {
83545 struct snd_ac97_template ac97;
83546 int err;
83547 - static struct snd_ac97_bus_ops ops = {
83548 + static const struct snd_ac97_bus_ops ops = {
83549 .write = snd_via82xx_codec_write,
83550 .read = snd_via82xx_codec_read,
83551 .wait = snd_via82xx_codec_wait,
83552 @@ -2340,7 +2340,7 @@ static int __devinit snd_via82xx_create(
83553 {
83554 struct via82xx *chip;
83555 int err;
83556 - static struct snd_device_ops ops = {
83557 + static const struct snd_device_ops ops = {
83558 .dev_free = snd_via82xx_dev_free,
83559 };
83560
83561 diff -urNp linux-2.6.39.2/sound/pci/via82xx_modem.c linux-2.6.39.2/sound/pci/via82xx_modem.c
83562 --- linux-2.6.39.2/sound/pci/via82xx_modem.c 2011-05-19 00:06:34.000000000 -0400
83563 +++ linux-2.6.39.2/sound/pci/via82xx_modem.c 2011-05-22 19:36:35.000000000 -0400
83564 @@ -799,7 +799,7 @@ static int snd_via82xx_pcm_close(struct
83565
83566
83567 /* via686 playback callbacks */
83568 -static struct snd_pcm_ops snd_via686_playback_ops = {
83569 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83570 .open = snd_via82xx_playback_open,
83571 .close = snd_via82xx_pcm_close,
83572 .ioctl = snd_pcm_lib_ioctl,
83573 @@ -812,7 +812,7 @@ static struct snd_pcm_ops snd_via686_pla
83574 };
83575
83576 /* via686 capture callbacks */
83577 -static struct snd_pcm_ops snd_via686_capture_ops = {
83578 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83579 .open = snd_via82xx_capture_open,
83580 .close = snd_via82xx_pcm_close,
83581 .ioctl = snd_pcm_lib_ioctl,
83582 @@ -889,7 +889,7 @@ static int __devinit snd_via82xx_mixer_n
83583 {
83584 struct snd_ac97_template ac97;
83585 int err;
83586 - static struct snd_ac97_bus_ops ops = {
83587 + static const struct snd_ac97_bus_ops ops = {
83588 .write = snd_via82xx_codec_write,
83589 .read = snd_via82xx_codec_read,
83590 .wait = snd_via82xx_codec_wait,
83591 @@ -1105,7 +1105,7 @@ static int __devinit snd_via82xx_create(
83592 {
83593 struct via82xx_modem *chip;
83594 int err;
83595 - static struct snd_device_ops ops = {
83596 + static const struct snd_device_ops ops = {
83597 .dev_free = snd_via82xx_dev_free,
83598 };
83599
83600 diff -urNp linux-2.6.39.2/sound/pci/vx222/vx222.c linux-2.6.39.2/sound/pci/vx222/vx222.c
83601 --- linux-2.6.39.2/sound/pci/vx222/vx222.c 2011-05-19 00:06:34.000000000 -0400
83602 +++ linux-2.6.39.2/sound/pci/vx222/vx222.c 2011-05-22 19:36:35.000000000 -0400
83603 @@ -141,7 +141,7 @@ static int __devinit snd_vx222_create(st
83604 struct vx_core *chip;
83605 struct snd_vx222 *vx;
83606 int i, err;
83607 - static struct snd_device_ops ops = {
83608 + static const struct snd_device_ops ops = {
83609 .dev_free = snd_vx222_dev_free,
83610 };
83611 struct snd_vx_ops *vx_ops;
83612 diff -urNp linux-2.6.39.2/sound/pci/ymfpci/ymfpci_main.c linux-2.6.39.2/sound/pci/ymfpci/ymfpci_main.c
83613 --- linux-2.6.39.2/sound/pci/ymfpci/ymfpci_main.c 2011-05-19 00:06:34.000000000 -0400
83614 +++ linux-2.6.39.2/sound/pci/ymfpci/ymfpci_main.c 2011-05-22 19:36:35.000000000 -0400
83615 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
83616 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
83617 break;
83618 }
83619 - if (atomic_read(&chip->interrupt_sleep_count)) {
83620 - atomic_set(&chip->interrupt_sleep_count, 0);
83621 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83622 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83623 wake_up(&chip->interrupt_sleep);
83624 }
83625 __end:
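Review bot: The switch to `atomic_read_unchecked()` and `atomic_set_unchecked()` in snd_ymfpci_hw_stop requires `interrupt_sleep_count` to be declared `atomic_unchecked_t` in the chip structure, and that declaration is outside this file section. The later hunks in snd_ymfpci_irq_wait, snd_ymfpci_interrupt and snd_ymfpci_create depend on the same declaration. Nothing on the new lines says why this counter is exempt from overflow checking, so I would add a comment at the first use, such as `/* sleeper count, not a reference count: exempt from PAX_REFCOUNT overflow checks */`. The function body starts and ends outside the hunk.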
83626 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
83627 continue;
83628 init_waitqueue_entry(&wait, current);
83629 add_wait_queue(&chip->interrupt_sleep, &wait);
83630 - atomic_inc(&chip->interrupt_sleep_count);
83631 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
83632 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
83633 remove_wait_queue(&chip->interrupt_sleep, &wait);
83634 }
83635 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
83636 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
83637 spin_unlock(&chip->reg_lock);
83638
83639 - if (atomic_read(&chip->interrupt_sleep_count)) {
83640 - atomic_set(&chip->interrupt_sleep_count, 0);
83641 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83642 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83643 wake_up(&chip->interrupt_sleep);
83644 }
83645 }
83646 @@ -2344,7 +2344,7 @@ int __devinit snd_ymfpci_create(struct s
83647 {
83648 struct snd_ymfpci *chip;
83649 int err;
83650 - static struct snd_device_ops ops = {
83651 + static const struct snd_device_ops ops = {
83652 .dev_free = snd_ymfpci_dev_free,
83653 };
83654
83655 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
83656 spin_lock_init(&chip->reg_lock);
83657 spin_lock_init(&chip->voice_lock);
83658 init_waitqueue_head(&chip->interrupt_sleep);
83659 - atomic_set(&chip->interrupt_sleep_count, 0);
83660 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83661 chip->card = card;
83662 chip->pci = pci;
83663 chip->irq = -1;
83664 diff -urNp linux-2.6.39.2/sound/pcmcia/pdaudiocf/pdaudiocf.c linux-2.6.39.2/sound/pcmcia/pdaudiocf/pdaudiocf.c
83665 --- linux-2.6.39.2/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-19 00:06:34.000000000 -0400
83666 +++ linux-2.6.39.2/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-22 19:36:35.000000000 -0400
83667 @@ -94,7 +94,7 @@ static int snd_pdacf_probe(struct pcmcia
83668 int i, err;
83669 struct snd_pdacf *pdacf;
83670 struct snd_card *card;
83671 - static struct snd_device_ops ops = {
83672 + static const struct snd_device_ops ops = {
83673 .dev_free = snd_pdacf_dev_free,
83674 };
83675
83676 diff -urNp linux-2.6.39.2/sound/pcmcia/vx/vxpocket.c linux-2.6.39.2/sound/pcmcia/vx/vxpocket.c
83677 --- linux-2.6.39.2/sound/pcmcia/vx/vxpocket.c 2011-05-19 00:06:34.000000000 -0400
83678 +++ linux-2.6.39.2/sound/pcmcia/vx/vxpocket.c 2011-05-22 19:36:35.000000000 -0400
83679 @@ -137,7 +137,7 @@ static int snd_vxpocket_new(struct snd_c
83680 {
83681 struct vx_core *chip;
83682 struct snd_vxpocket *vxp;
83683 - static struct snd_device_ops ops = {
83684 + static const struct snd_device_ops ops = {
83685 .dev_free = snd_vxpocket_dev_free,
83686 };
83687 int err;
83688 diff -urNp linux-2.6.39.2/sound/ppc/pmac.c linux-2.6.39.2/sound/ppc/pmac.c
83689 --- linux-2.6.39.2/sound/ppc/pmac.c 2011-05-19 00:06:34.000000000 -0400
83690 +++ linux-2.6.39.2/sound/ppc/pmac.c 2011-05-22 19:36:35.000000000 -0400
83691 @@ -1186,7 +1186,7 @@ int __devinit snd_pmac_new(struct snd_ca
83692 int i, err;
83693 unsigned int irq;
83694 unsigned long ctrl_addr, txdma_addr, rxdma_addr;
83695 - static struct snd_device_ops ops = {
83696 + static const struct snd_device_ops ops = {
83697 .dev_free = snd_pmac_dev_free,
83698 };
83699
83700 diff -urNp linux-2.6.39.2/sound/ppc/snd_ps3.c linux-2.6.39.2/sound/ppc/snd_ps3.c
83701 --- linux-2.6.39.2/sound/ppc/snd_ps3.c 2011-05-19 00:06:34.000000000 -0400
83702 +++ linux-2.6.39.2/sound/ppc/snd_ps3.c 2011-05-22 19:36:35.000000000 -0400
83703 @@ -773,7 +773,7 @@ static struct snd_kcontrol_new spdif_ctl
83704 },
83705 };
83706
83707 -static struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83708 +static const struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83709 .open = snd_ps3_pcm_open,
83710 .close = snd_ps3_pcm_close,
83711 .ioctl = snd_pcm_lib_ioctl,
83712 diff -urNp linux-2.6.39.2/sound/sh/aica.c linux-2.6.39.2/sound/sh/aica.c
83713 --- linux-2.6.39.2/sound/sh/aica.c 2011-05-19 00:06:34.000000000 -0400
83714 +++ linux-2.6.39.2/sound/sh/aica.c 2011-05-22 19:36:35.000000000 -0400
83715 @@ -441,7 +441,7 @@ static unsigned long snd_aicapcm_pcm_poi
83716 return readl(AICA_CONTROL_CHANNEL_SAMPLE_NUMBER);
83717 }
83718
83719 -static struct snd_pcm_ops snd_aicapcm_playback_ops = {
83720 +static const struct snd_pcm_ops snd_aicapcm_playback_ops = {
83721 .open = snd_aicapcm_pcm_open,
83722 .close = snd_aicapcm_pcm_close,
83723 .ioctl = snd_pcm_lib_ioctl,
83724 diff -urNp linux-2.6.39.2/sound/sh/sh_dac_audio.c linux-2.6.39.2/sound/sh/sh_dac_audio.c
83725 --- linux-2.6.39.2/sound/sh/sh_dac_audio.c 2011-05-19 00:06:34.000000000 -0400
83726 +++ linux-2.6.39.2/sound/sh/sh_dac_audio.c 2011-05-22 19:36:35.000000000 -0400
83727 @@ -246,7 +246,7 @@ snd_pcm_uframes_t snd_sh_dac_pcm_pointer
83728 }
83729
83730 /* pcm ops */
83731 -static struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83732 +static const struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83733 .open = snd_sh_dac_pcm_open,
83734 .close = snd_sh_dac_pcm_close,
83735 .ioctl = snd_pcm_lib_ioctl,
83736 @@ -352,7 +352,7 @@ static int __devinit snd_sh_dac_create(s
83737 struct snd_sh_dac *chip;
83738 int err;
83739
83740 - static struct snd_device_ops ops = {
83741 + static const struct snd_device_ops ops = {
83742 .dev_free = snd_sh_dac_dev_free,
83743 };
83744
83745 diff -urNp linux-2.6.39.2/sound/soc/atmel/atmel-pcm.c linux-2.6.39.2/sound/soc/atmel/atmel-pcm.c
83746 --- linux-2.6.39.2/sound/soc/atmel/atmel-pcm.c 2011-05-19 00:06:34.000000000 -0400
83747 +++ linux-2.6.39.2/sound/soc/atmel/atmel-pcm.c 2011-05-22 19:36:35.000000000 -0400
83748 @@ -346,7 +346,7 @@ static int atmel_pcm_mmap(struct snd_pcm
83749 vma->vm_end - vma->vm_start, vma->vm_page_prot);
83750 }
83751
83752 -static struct snd_pcm_ops atmel_pcm_ops = {
83753 +static const struct snd_pcm_ops atmel_pcm_ops = {
83754 .open = atmel_pcm_open,
83755 .close = atmel_pcm_close,
83756 .ioctl = snd_pcm_lib_ioctl,
83757 diff -urNp linux-2.6.39.2/sound/soc/atmel/playpaq_wm8510.c linux-2.6.39.2/sound/soc/atmel/playpaq_wm8510.c
83758 --- linux-2.6.39.2/sound/soc/atmel/playpaq_wm8510.c 2011-05-19 00:06:34.000000000 -0400
83759 +++ linux-2.6.39.2/sound/soc/atmel/playpaq_wm8510.c 2011-05-22 19:36:35.000000000 -0400
83760 @@ -289,7 +289,7 @@ static int playpaq_wm8510_hw_params(stru
83761
83762
83763
83764 -static struct snd_soc_ops playpaq_wm8510_ops = {
83765 +static const struct snd_soc_ops playpaq_wm8510_ops = {
83766 .hw_params = playpaq_wm8510_hw_params,
83767 };
83768
83769 diff -urNp linux-2.6.39.2/sound/soc/atmel/sam9g20_wm8731.c linux-2.6.39.2/sound/soc/atmel/sam9g20_wm8731.c
83770 --- linux-2.6.39.2/sound/soc/atmel/sam9g20_wm8731.c 2011-05-19 00:06:34.000000000 -0400
83771 +++ linux-2.6.39.2/sound/soc/atmel/sam9g20_wm8731.c 2011-05-22 19:36:35.000000000 -0400
83772 @@ -87,7 +87,7 @@ static int at91sam9g20ek_hw_params(struc
83773 return 0;
83774 }
83775
83776 -static struct snd_soc_ops at91sam9g20ek_ops = {
83777 +static const struct snd_soc_ops at91sam9g20ek_ops = {
83778 .hw_params = at91sam9g20ek_hw_params,
83779 };
83780
83781 diff -urNp linux-2.6.39.2/sound/soc/atmel/snd-soc-afeb9260.c linux-2.6.39.2/sound/soc/atmel/snd-soc-afeb9260.c
83782 --- linux-2.6.39.2/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-19 00:06:34.000000000 -0400
83783 +++ linux-2.6.39.2/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-22 19:36:35.000000000 -0400
83784 @@ -81,7 +81,7 @@ static int afeb9260_hw_params(struct snd
83785 return err;
83786 }
83787
83788 -static struct snd_soc_ops afeb9260_ops = {
83789 +static const struct snd_soc_ops afeb9260_ops = {
83790 .hw_params = afeb9260_hw_params,
83791 };
83792
83793 diff -urNp linux-2.6.39.2/sound/soc/au1x/db1200.c linux-2.6.39.2/sound/soc/au1x/db1200.c
83794 --- linux-2.6.39.2/sound/soc/au1x/db1200.c 2011-05-19 00:06:34.000000000 -0400
83795 +++ linux-2.6.39.2/sound/soc/au1x/db1200.c 2011-05-22 19:36:35.000000000 -0400
83796 @@ -67,7 +67,7 @@ out:
83797 return ret;
83798 }
83799
83800 -static struct snd_soc_ops db1200_i2s_wm8731_ops = {
83801 +static const struct snd_soc_ops db1200_i2s_wm8731_ops = {
83802 .startup = db1200_i2s_startup,
83803 };
83804
83805 diff -urNp linux-2.6.39.2/sound/soc/au1x/dbdma2.c linux-2.6.39.2/sound/soc/au1x/dbdma2.c
83806 --- linux-2.6.39.2/sound/soc/au1x/dbdma2.c 2011-05-19 00:06:34.000000000 -0400
83807 +++ linux-2.6.39.2/sound/soc/au1x/dbdma2.c 2011-05-22 19:36:35.000000000 -0400
83808 @@ -303,7 +303,7 @@ static int au1xpsc_pcm_close(struct snd_
83809 return 0;
83810 }
83811
83812 -static struct snd_pcm_ops au1xpsc_pcm_ops = {
83813 +static const struct snd_pcm_ops au1xpsc_pcm_ops = {
83814 .open = au1xpsc_pcm_open,
83815 .close = au1xpsc_pcm_close,
83816 .ioctl = snd_pcm_lib_ioctl,
83817 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.c
83818 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
83819 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
83820 @@ -244,7 +244,7 @@ static void bf5xx_ac97_cold_reset(struct
83821 #endif
83822 }
83823
83824 -struct snd_ac97_bus_ops soc_ac97_ops = {
83825 +const struct snd_ac97_bus_ops soc_ac97_ops = {
83826 .read = bf5xx_ac97_read,
83827 .write = bf5xx_ac97_write,
83828 .warm_reset = bf5xx_ac97_warm_reset,
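Review bot: The object made `const` here is `soc_ac97_ops`, but the only Blackfin declaration updated is `extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;` in bf5xx-ac97.h, which names a different symbol. The `extern` that actually matches `soc_ac97_ops` must be declared elsewhere and needs the same qualifier, otherwise this file should fail to compile with conflicting types. The ep93xx-ac97.c hunk defines a `soc_ac97_ops` the same way and depends on that declaration too. If `bf5xx_ac97_ops` has no definition, which cannot be told from this part of the patch, the header line would be better removed than constified. The initializer continues past the end of the hunk.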
83829 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.h linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.h
83830 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
83831 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
83832 @@ -9,7 +9,7 @@
83833 #ifndef _BF5XX_AC97_H
83834 #define _BF5XX_AC97_H
83835
83836 -extern struct snd_ac97_bus_ops bf5xx_ac97_ops;
83837 +extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;
83838 extern struct snd_ac97 *ac97;
83839 /* Frame format in memory, only support stereo currently */
83840 struct ac97_frame {
83841 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97-pcm.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97-pcm.c
83842 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-19 00:06:34.000000000 -0400
83843 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-22 19:36:35.000000000 -0400
83844 @@ -297,7 +297,7 @@ static int bf5xx_pcm_copy(struct snd_pcm
83845 }
83846 #endif
83847
83848 -static struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
83849 +static const struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
83850 .open = bf5xx_pcm_open,
83851 .ioctl = snd_pcm_lib_ioctl,
83852 .hw_params = bf5xx_pcm_hw_params,
83853 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1836.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1836.c
83854 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-19 00:06:34.000000000 -0400
83855 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-22 19:36:35.000000000 -0400
83856 @@ -74,7 +74,7 @@ static int bf5xx_ad1836_hw_params(struct
83857 return 0;
83858 }
83859
83860 -static struct snd_soc_ops bf5xx_ad1836_ops = {
83861 +static const struct snd_soc_ops bf5xx_ad1836_ops = {
83862 .startup = bf5xx_ad1836_startup,
83863 .hw_params = bf5xx_ad1836_hw_params,
83864 };
83865 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad193x.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad193x.c
83866 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-19 00:06:34.000000000 -0400
83867 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-22 19:36:35.000000000 -0400
83868 @@ -88,7 +88,7 @@ static int bf5xx_ad193x_hw_params(struct
83869 return 0;
83870 }
83871
83872 -static struct snd_soc_ops bf5xx_ad193x_ops = {
83873 +static const struct snd_soc_ops bf5xx_ad193x_ops = {
83874 .startup = bf5xx_ad193x_startup,
83875 .hw_params = bf5xx_ad193x_hw_params,
83876 };
83877 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1980.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1980.c
83878 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-19 00:06:34.000000000 -0400
83879 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-22 19:36:35.000000000 -0400
83880 @@ -63,7 +63,7 @@ static int bf5xx_board_startup(struct sn
83881 return 0;
83882 }
83883
83884 -static struct snd_soc_ops bf5xx_board_ops = {
83885 +static const struct snd_soc_ops bf5xx_board_ops = {
83886 .startup = bf5xx_board_startup,
83887 };
83888
83889 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad73311.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad73311.c
83890 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-19 00:06:34.000000000 -0400
83891 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-22 19:36:35.000000000 -0400
83892 @@ -175,7 +175,7 @@ static int bf5xx_ad73311_hw_params(struc
83893 }
83894
83895
83896 -static struct snd_soc_ops bf5xx_ad73311_ops = {
83897 +static const struct snd_soc_ops bf5xx_ad73311_ops = {
83898 .startup = bf5xx_ad73311_startup,
83899 .hw_params = bf5xx_ad73311_hw_params,
83900 };
83901 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-i2s-pcm.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-i2s-pcm.c
83902 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-19 00:06:34.000000000 -0400
83903 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-22 19:36:35.000000000 -0400
83904 @@ -183,7 +183,7 @@ static int bf5xx_pcm_mmap(struct snd_pcm
83905 return 0 ;
83906 }
83907
83908 -static struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
83909 +static const struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
83910 .open = bf5xx_pcm_open,
83911 .ioctl = snd_pcm_lib_ioctl,
83912 .hw_params = bf5xx_pcm_hw_params,
83913 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-ssm2602.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-ssm2602.c
83914 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-19 00:06:34.000000000 -0400
83915 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-22 19:36:35.000000000 -0400
83916 @@ -108,7 +108,7 @@ static int bf5xx_ssm2602_hw_params(struc
83917 return 0;
83918 }
83919
83920 -static struct snd_soc_ops bf5xx_ssm2602_ops = {
83921 +static const struct snd_soc_ops bf5xx_ssm2602_ops = {
83922 .startup = bf5xx_ssm2602_startup,
83923 .hw_params = bf5xx_ssm2602_hw_params,
83924 };
83925 diff -urNp linux-2.6.39.2/sound/soc/blackfin/bf5xx-tdm-pcm.c linux-2.6.39.2/sound/soc/blackfin/bf5xx-tdm-pcm.c
83926 --- linux-2.6.39.2/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-19 00:06:34.000000000 -0400
83927 +++ linux-2.6.39.2/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-22 19:36:35.000000000 -0400
83928 @@ -220,7 +220,7 @@ static int bf5xx_pcm_silence(struct snd_
83929 }
83930
83931
83932 -struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
83933 +const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
83934 .open = bf5xx_pcm_open,
83935 .ioctl = snd_pcm_lib_ioctl,
83936 .hw_params = bf5xx_pcm_hw_params,
83937 diff -urNp linux-2.6.39.2/sound/soc/davinci/davinci-evm.c linux-2.6.39.2/sound/soc/davinci/davinci-evm.c
83938 --- linux-2.6.39.2/sound/soc/davinci/davinci-evm.c 2011-05-19 00:06:34.000000000 -0400
83939 +++ linux-2.6.39.2/sound/soc/davinci/davinci-evm.c 2011-05-22 19:36:35.000000000 -0400
83940 @@ -88,11 +88,11 @@ static int evm_spdif_hw_params(struct sn
83941 return snd_soc_dai_set_fmt(cpu_dai, AUDIO_FORMAT);
83942 }
83943
83944 -static struct snd_soc_ops evm_ops = {
83945 +static const struct snd_soc_ops evm_ops = {
83946 .hw_params = evm_hw_params,
83947 };
83948
83949 -static struct snd_soc_ops evm_spdif_ops = {
83950 +static const struct snd_soc_ops evm_spdif_ops = {
83951 .hw_params = evm_spdif_hw_params,
83952 };
83953
83954 diff -urNp linux-2.6.39.2/sound/soc/davinci/davinci-pcm.c linux-2.6.39.2/sound/soc/davinci/davinci-pcm.c
83955 --- linux-2.6.39.2/sound/soc/davinci/davinci-pcm.c 2011-05-19 00:06:34.000000000 -0400
83956 +++ linux-2.6.39.2/sound/soc/davinci/davinci-pcm.c 2011-05-22 19:36:35.000000000 -0400
83957 @@ -748,7 +748,7 @@ static int davinci_pcm_mmap(struct snd_p
83958 runtime->dma_bytes);
83959 }
83960
83961 -static struct snd_pcm_ops davinci_pcm_ops = {
83962 +static const struct snd_pcm_ops davinci_pcm_ops = {
83963 .open = davinci_pcm_open,
83964 .close = davinci_pcm_close,
83965 .ioctl = snd_pcm_lib_ioctl,
83966 diff -urNp linux-2.6.39.2/sound/soc/davinci/davinci-sffsdr.c linux-2.6.39.2/sound/soc/davinci/davinci-sffsdr.c
83967 --- linux-2.6.39.2/sound/soc/davinci/davinci-sffsdr.c 2011-05-19 00:06:34.000000000 -0400
83968 +++ linux-2.6.39.2/sound/soc/davinci/davinci-sffsdr.c 2011-05-22 19:36:35.000000000 -0400
83969 @@ -75,7 +75,7 @@ static int sffsdr_hw_params(struct snd_p
83970 #endif
83971 }
83972
83973 -static struct snd_soc_ops sffsdr_ops = {
83974 +static const struct snd_soc_ops sffsdr_ops = {
83975 .hw_params = sffsdr_hw_params,
83976 };
83977
83978 diff -urNp linux-2.6.39.2/sound/soc/ep93xx/edb93xx.c linux-2.6.39.2/sound/soc/ep93xx/edb93xx.c
83979 --- linux-2.6.39.2/sound/soc/ep93xx/edb93xx.c 2011-05-19 00:06:34.000000000 -0400
83980 +++ linux-2.6.39.2/sound/soc/ep93xx/edb93xx.c 2011-05-22 19:36:35.000000000 -0400
83981 @@ -74,7 +74,7 @@ static int edb93xx_hw_params(struct snd_
83982 SND_SOC_CLOCK_OUT);
83983 }
83984
83985 -static struct snd_soc_ops edb93xx_ops = {
83986 +static const struct snd_soc_ops edb93xx_ops = {
83987 .hw_params = edb93xx_hw_params,
83988 };
83989
83990 diff -urNp linux-2.6.39.2/sound/soc/ep93xx/ep93xx-ac97.c linux-2.6.39.2/sound/soc/ep93xx/ep93xx-ac97.c
83991 --- linux-2.6.39.2/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
83992 +++ linux-2.6.39.2/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
83993 @@ -239,7 +239,7 @@ static irqreturn_t ep93xx_ac97_interrupt
83994 return IRQ_HANDLED;
83995 }
83996
83997 -struct snd_ac97_bus_ops soc_ac97_ops = {
83998 +const struct snd_ac97_bus_ops soc_ac97_ops = {
83999 .read = ep93xx_ac97_read,
84000 .write = ep93xx_ac97_write,
84001 .reset = ep93xx_ac97_cold_reset,
84002 diff -urNp linux-2.6.39.2/sound/soc/ep93xx/ep93xx-pcm.c linux-2.6.39.2/sound/soc/ep93xx/ep93xx-pcm.c
84003 --- linux-2.6.39.2/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-19 00:06:34.000000000 -0400
84004 +++ linux-2.6.39.2/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-22 19:36:35.000000000 -0400
84005 @@ -216,7 +216,7 @@ static int ep93xx_pcm_mmap(struct snd_pc
84006 runtime->dma_bytes);
84007 }
84008
84009 -static struct snd_pcm_ops ep93xx_pcm_ops = {
84010 +static const struct snd_pcm_ops ep93xx_pcm_ops = {
84011 .open = ep93xx_pcm_open,
84012 .close = ep93xx_pcm_close,
84013 .ioctl = snd_pcm_lib_ioctl,
84014 diff -urNp linux-2.6.39.2/sound/soc/ep93xx/snappercl15.c linux-2.6.39.2/sound/soc/ep93xx/snappercl15.c
84015 --- linux-2.6.39.2/sound/soc/ep93xx/snappercl15.c 2011-05-19 00:06:34.000000000 -0400
84016 +++ linux-2.6.39.2/sound/soc/ep93xx/snappercl15.c 2011-05-22 19:36:35.000000000 -0400
84017 @@ -55,7 +55,7 @@ static int snappercl15_hw_params(struct
84018 return 0;
84019 }
84020
84021 -static struct snd_soc_ops snappercl15_ops = {
84022 +static const struct snd_soc_ops snappercl15_ops = {
84023 .hw_params = snappercl15_hw_params,
84024 };
84025
84026 diff -urNp linux-2.6.39.2/sound/soc/fsl/fsl_dma.c linux-2.6.39.2/sound/soc/fsl/fsl_dma.c
84027 --- linux-2.6.39.2/sound/soc/fsl/fsl_dma.c 2011-05-19 00:06:34.000000000 -0400
84028 +++ linux-2.6.39.2/sound/soc/fsl/fsl_dma.c 2011-05-22 19:36:35.000000000 -0400
84029 @@ -887,7 +887,7 @@ static struct device_node *find_ssi_node
84030 return NULL;
84031 }
84032
84033 -static struct snd_pcm_ops fsl_dma_ops = {
84034 +static const struct snd_pcm_ops fsl_dma_ops = {
84035 .open = fsl_dma_open,
84036 .close = fsl_dma_close,
84037 .ioctl = snd_pcm_lib_ioctl,
84038 diff -urNp linux-2.6.39.2/sound/soc/fsl/mpc8610_hpcd.c linux-2.6.39.2/sound/soc/fsl/mpc8610_hpcd.c
84039 --- linux-2.6.39.2/sound/soc/fsl/mpc8610_hpcd.c 2011-05-19 00:06:34.000000000 -0400
84040 +++ linux-2.6.39.2/sound/soc/fsl/mpc8610_hpcd.c 2011-05-22 19:36:35.000000000 -0400
84041 @@ -175,7 +175,7 @@ static int mpc8610_hpcd_machine_remove(s
84042 /**
84043 * mpc8610_hpcd_ops: ASoC machine driver operations
84044 */
84045 -static struct snd_soc_ops mpc8610_hpcd_ops = {
84046 +static const struct snd_soc_ops mpc8610_hpcd_ops = {
84047 .startup = mpc8610_hpcd_startup,
84048 };
84049
84050 diff -urNp linux-2.6.39.2/sound/soc/fsl/p1022_ds.c linux-2.6.39.2/sound/soc/fsl/p1022_ds.c
84051 --- linux-2.6.39.2/sound/soc/fsl/p1022_ds.c 2011-05-19 00:06:34.000000000 -0400
84052 +++ linux-2.6.39.2/sound/soc/fsl/p1022_ds.c 2011-05-22 19:36:35.000000000 -0400
84053 @@ -185,7 +185,7 @@ static int p1022_ds_machine_remove(struc
84054 /**
84055 * p1022_ds_ops: ASoC machine driver operations
84056 */
84057 -static struct snd_soc_ops p1022_ds_ops = {
84058 +static const struct snd_soc_ops p1022_ds_ops = {
84059 .startup = p1022_ds_startup,
84060 };
84061
84062 diff -urNp linux-2.6.39.2/sound/soc/imx/eukrea-tlv320.c linux-2.6.39.2/sound/soc/imx/eukrea-tlv320.c
84063 --- linux-2.6.39.2/sound/soc/imx/eukrea-tlv320.c 2011-05-19 00:06:34.000000000 -0400
84064 +++ linux-2.6.39.2/sound/soc/imx/eukrea-tlv320.c 2011-05-22 19:36:35.000000000 -0400
84065 @@ -71,7 +71,7 @@ static int eukrea_tlv320_hw_params(struc
84066 return 0;
84067 }
84068
84069 -static struct snd_soc_ops eukrea_tlv320_snd_ops = {
84070 +static const struct snd_soc_ops eukrea_tlv320_snd_ops = {
84071 .hw_params = eukrea_tlv320_hw_params,
84072 };
84073
84074 diff -urNp linux-2.6.39.2/sound/soc/imx/imx-pcm-dma-mx2.c linux-2.6.39.2/sound/soc/imx/imx-pcm-dma-mx2.c
84075 --- linux-2.6.39.2/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-19 00:06:34.000000000 -0400
84076 +++ linux-2.6.39.2/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-22 19:36:35.000000000 -0400
84077 @@ -283,7 +283,7 @@ static int snd_imx_close(struct snd_pcm_
84078 return 0;
84079 }
84080
84081 -static struct snd_pcm_ops imx_pcm_ops = {
84082 +static const struct snd_pcm_ops imx_pcm_ops = {
84083 .open = snd_imx_open,
84084 .close = snd_imx_close,
84085 .ioctl = snd_pcm_lib_ioctl,
84086 diff -urNp linux-2.6.39.2/sound/soc/imx/imx-pcm-fiq.c linux-2.6.39.2/sound/soc/imx/imx-pcm-fiq.c
84087 --- linux-2.6.39.2/sound/soc/imx/imx-pcm-fiq.c 2011-05-19 00:06:34.000000000 -0400
84088 +++ linux-2.6.39.2/sound/soc/imx/imx-pcm-fiq.c 2011-05-22 19:36:35.000000000 -0400
84089 @@ -225,7 +225,7 @@ static int snd_imx_close(struct snd_pcm_
84090 return 0;
84091 }
84092
84093 -static struct snd_pcm_ops imx_pcm_ops = {
84094 +static const struct snd_pcm_ops imx_pcm_ops = {
84095 .open = snd_imx_open,
84096 .close = snd_imx_close,
84097 .ioctl = snd_pcm_lib_ioctl,
84098 diff -urNp linux-2.6.39.2/sound/soc/imx/mx27vis-aic32x4.c linux-2.6.39.2/sound/soc/imx/mx27vis-aic32x4.c
84099 --- linux-2.6.39.2/sound/soc/imx/mx27vis-aic32x4.c 2011-05-19 00:06:34.000000000 -0400
84100 +++ linux-2.6.39.2/sound/soc/imx/mx27vis-aic32x4.c 2011-05-22 19:36:35.000000000 -0400
84101 @@ -70,7 +70,7 @@ static int mx27vis_aic32x4_hw_params(str
84102 return 0;
84103 }
84104
84105 -static struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84106 +static const struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84107 .hw_params = mx27vis_aic32x4_hw_params,
84108 };
84109
84110 diff -urNp linux-2.6.39.2/sound/soc/imx/phycore-ac97.c linux-2.6.39.2/sound/soc/imx/phycore-ac97.c
84111 --- linux-2.6.39.2/sound/soc/imx/phycore-ac97.c 2011-05-19 00:06:34.000000000 -0400
84112 +++ linux-2.6.39.2/sound/soc/imx/phycore-ac97.c 2011-05-22 19:36:35.000000000 -0400
84113 @@ -21,7 +21,7 @@
84114
84115 static struct snd_soc_card imx_phycore;
84116
84117 -static struct snd_soc_ops imx_phycore_hifi_ops = {
84118 +static const struct snd_soc_ops imx_phycore_hifi_ops = {
84119 };
84120
84121 static struct snd_soc_dai_link imx_phycore_dai_ac97[] = {
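Review bot: The ops table is now read-only, but `imx_phycore_dai_ac97[]` on the last context line stays a writable `static struct snd_soc_dai_link` array. If that array stores `&imx_phycore_hifi_ops` (its body is outside the hunk), the pointer to the table still lives in writable data even though the table's own function pointers do not. If the link array is never written after initialisation, it could be declared `static const struct snd_soc_dai_link imx_phycore_dai_ac97[]` as well. If the core does write to it, a short comment on the array saying so would record why the hardening stops at the ops table. The same pattern is visible in the mioa701_wm9713.c hunk later in this patch (`mioa701_dai[]`).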
84122 diff -urNp linux-2.6.39.2/sound/soc/imx/wm1133-ev1.c linux-2.6.39.2/sound/soc/imx/wm1133-ev1.c
84123 --- linux-2.6.39.2/sound/soc/imx/wm1133-ev1.c 2011-05-19 00:06:34.000000000 -0400
84124 +++ linux-2.6.39.2/sound/soc/imx/wm1133-ev1.c 2011-05-22 19:36:35.000000000 -0400
84125 @@ -149,7 +149,7 @@ static int wm1133_ev1_hw_params(struct s
84126 return 0;
84127 }
84128
84129 -static struct snd_soc_ops wm1133_ev1_ops = {
84130 +static const struct snd_soc_ops wm1133_ev1_ops = {
84131 .hw_params = wm1133_ev1_hw_params,
84132 };
84133
84134 diff -urNp linux-2.6.39.2/sound/soc/jz4740/jz4740-pcm.c linux-2.6.39.2/sound/soc/jz4740/jz4740-pcm.c
84135 --- linux-2.6.39.2/sound/soc/jz4740/jz4740-pcm.c 2011-05-19 00:06:34.000000000 -0400
84136 +++ linux-2.6.39.2/sound/soc/jz4740/jz4740-pcm.c 2011-05-22 19:36:35.000000000 -0400
84137 @@ -244,7 +244,7 @@ static int jz4740_pcm_mmap(struct snd_pc
84138 vma->vm_end - vma->vm_start, vma->vm_page_prot);
84139 }
84140
84141 -static struct snd_pcm_ops jz4740_pcm_ops = {
84142 +static const struct snd_pcm_ops jz4740_pcm_ops = {
84143 .open = jz4740_pcm_open,
84144 .close = jz4740_pcm_close,
84145 .ioctl = snd_pcm_lib_ioctl,
84146 diff -urNp linux-2.6.39.2/sound/soc/kirkwood/kirkwood-openrd.c linux-2.6.39.2/sound/soc/kirkwood/kirkwood-openrd.c
84147 --- linux-2.6.39.2/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-19 00:06:34.000000000 -0400
84148 +++ linux-2.6.39.2/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-22 19:36:35.000000000 -0400
84149 @@ -56,7 +56,7 @@ static int openrd_client_hw_params(struc
84150
84151 }
84152
84153 -static struct snd_soc_ops openrd_client_ops = {
84154 +static const struct snd_soc_ops openrd_client_ops = {
84155 .hw_params = openrd_client_hw_params,
84156 };
84157
84158 diff -urNp linux-2.6.39.2/sound/soc/kirkwood/kirkwood-t5325.c linux-2.6.39.2/sound/soc/kirkwood/kirkwood-t5325.c
84159 --- linux-2.6.39.2/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-19 00:06:34.000000000 -0400
84160 +++ linux-2.6.39.2/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-22 19:36:35.000000000 -0400
84161 @@ -44,7 +44,7 @@ static int t5325_hw_params(struct snd_pc
84162
84163 }
84164
84165 -static struct snd_soc_ops t5325_ops = {
84166 +static const struct snd_soc_ops t5325_ops = {
84167 .hw_params = t5325_hw_params,
84168 };
84169
84170 diff -urNp linux-2.6.39.2/sound/soc/mid-x86/sst_platform.c linux-2.6.39.2/sound/soc/mid-x86/sst_platform.c
84171 --- linux-2.6.39.2/sound/soc/mid-x86/sst_platform.c 2011-05-19 00:06:34.000000000 -0400
84172 +++ linux-2.6.39.2/sound/soc/mid-x86/sst_platform.c 2011-05-22 19:36:35.000000000 -0400
84173 @@ -381,7 +381,7 @@ static int sst_platform_pcm_hw_free(stru
84174 return snd_pcm_lib_free_pages(substream);
84175 }
84176
84177 -static struct snd_pcm_ops sst_platform_ops = {
84178 +static const struct snd_pcm_ops sst_platform_ops = {
84179 .open = sst_platform_open,
84180 .close = sst_platform_close,
84181 .ioctl = snd_pcm_lib_ioctl,
84182 diff -urNp linux-2.6.39.2/sound/soc/nuc900/nuc900-pcm.c linux-2.6.39.2/sound/soc/nuc900/nuc900-pcm.c
84183 --- linux-2.6.39.2/sound/soc/nuc900/nuc900-pcm.c 2011-05-19 00:06:34.000000000 -0400
84184 +++ linux-2.6.39.2/sound/soc/nuc900/nuc900-pcm.c 2011-05-22 19:36:35.000000000 -0400
84185 @@ -297,7 +297,7 @@ static int nuc900_dma_mmap(struct snd_pc
84186 runtime->dma_bytes);
84187 }
84188
84189 -static struct snd_pcm_ops nuc900_dma_ops = {
84190 +static const struct snd_pcm_ops nuc900_dma_ops = {
84191 .open = nuc900_dma_open,
84192 .close = nuc900_dma_close,
84193 .ioctl = snd_pcm_lib_ioctl,
84194 diff -urNp linux-2.6.39.2/sound/soc/omap/am3517evm.c linux-2.6.39.2/sound/soc/omap/am3517evm.c
84195 --- linux-2.6.39.2/sound/soc/omap/am3517evm.c 2011-05-19 00:06:34.000000000 -0400
84196 +++ linux-2.6.39.2/sound/soc/omap/am3517evm.c 2011-05-22 19:36:35.000000000 -0400
84197 @@ -88,7 +88,7 @@ static int am3517evm_hw_params(struct sn
84198 return 0;
84199 }
84200
84201 -static struct snd_soc_ops am3517evm_ops = {
84202 +static const struct snd_soc_ops am3517evm_ops = {
84203 .hw_params = am3517evm_hw_params,
84204 };
84205
84206 diff -urNp linux-2.6.39.2/sound/soc/omap/ams-delta.c linux-2.6.39.2/sound/soc/omap/ams-delta.c
84207 --- linux-2.6.39.2/sound/soc/omap/ams-delta.c 2011-05-19 00:06:34.000000000 -0400
84208 +++ linux-2.6.39.2/sound/soc/omap/ams-delta.c 2011-05-22 19:36:35.000000000 -0400
84209 @@ -420,7 +420,7 @@ static int ams_delta_hw_params(struct sn
84210 SND_SOC_DAIFMT_CBM_CFM);
84211 }
84212
84213 -static struct snd_soc_ops ams_delta_ops = {
84214 +static const struct snd_soc_ops ams_delta_ops = {
84215 .hw_params = ams_delta_hw_params,
84216 };
84217
84218 diff -urNp linux-2.6.39.2/sound/soc/omap/igep0020.c linux-2.6.39.2/sound/soc/omap/igep0020.c
84219 --- linux-2.6.39.2/sound/soc/omap/igep0020.c 2011-05-19 00:06:34.000000000 -0400
84220 +++ linux-2.6.39.2/sound/soc/omap/igep0020.c 2011-05-22 19:36:35.000000000 -0400
84221 @@ -72,7 +72,7 @@ static int igep2_hw_params(struct snd_pc
84222 return 0;
84223 }
84224
84225 -static struct snd_soc_ops igep2_ops = {
84226 +static const struct snd_soc_ops igep2_ops = {
84227 .hw_params = igep2_hw_params,
84228 };
84229
84230 diff -urNp linux-2.6.39.2/sound/soc/omap/n810.c linux-2.6.39.2/sound/soc/omap/n810.c
84231 --- linux-2.6.39.2/sound/soc/omap/n810.c 2011-05-19 00:06:34.000000000 -0400
84232 +++ linux-2.6.39.2/sound/soc/omap/n810.c 2011-05-22 19:36:35.000000000 -0400
84233 @@ -141,7 +141,7 @@ static int n810_hw_params(struct snd_pcm
84234 return err;
84235 }
84236
84237 -static struct snd_soc_ops n810_ops = {
84238 +static const struct snd_soc_ops n810_ops = {
84239 .startup = n810_startup,
84240 .hw_params = n810_hw_params,
84241 .shutdown = n810_shutdown,
84242 diff -urNp linux-2.6.39.2/sound/soc/omap/omap2evm.c linux-2.6.39.2/sound/soc/omap/omap2evm.c
84243 --- linux-2.6.39.2/sound/soc/omap/omap2evm.c 2011-05-19 00:06:34.000000000 -0400
84244 +++ linux-2.6.39.2/sound/soc/omap/omap2evm.c 2011-05-22 19:36:35.000000000 -0400
84245 @@ -74,7 +74,7 @@ static int omap2evm_hw_params(struct snd
84246 return 0;
84247 }
84248
84249 -static struct snd_soc_ops omap2evm_ops = {
84250 +static const struct snd_soc_ops omap2evm_ops = {
84251 .hw_params = omap2evm_hw_params,
84252 };
84253
84254 diff -urNp linux-2.6.39.2/sound/soc/omap/omap3beagle.c linux-2.6.39.2/sound/soc/omap/omap3beagle.c
84255 --- linux-2.6.39.2/sound/soc/omap/omap3beagle.c 2011-05-19 00:06:34.000000000 -0400
84256 +++ linux-2.6.39.2/sound/soc/omap/omap3beagle.c 2011-05-22 19:36:35.000000000 -0400
84257 @@ -82,7 +82,7 @@ static int omap3beagle_hw_params(struct
84258 return 0;
84259 }
84260
84261 -static struct snd_soc_ops omap3beagle_ops = {
84262 +static const struct snd_soc_ops omap3beagle_ops = {
84263 .hw_params = omap3beagle_hw_params,
84264 };
84265
84266 diff -urNp linux-2.6.39.2/sound/soc/omap/omap3evm.c linux-2.6.39.2/sound/soc/omap/omap3evm.c
84267 --- linux-2.6.39.2/sound/soc/omap/omap3evm.c 2011-05-19 00:06:34.000000000 -0400
84268 +++ linux-2.6.39.2/sound/soc/omap/omap3evm.c 2011-05-22 19:36:35.000000000 -0400
84269 @@ -70,7 +70,7 @@ static int omap3evm_hw_params(struct snd
84270 return 0;
84271 }
84272
84273 -static struct snd_soc_ops omap3evm_ops = {
84274 +static const struct snd_soc_ops omap3evm_ops = {
84275 .hw_params = omap3evm_hw_params,
84276 };
84277
84278 diff -urNp linux-2.6.39.2/sound/soc/omap/omap3pandora.c linux-2.6.39.2/sound/soc/omap/omap3pandora.c
84279 --- linux-2.6.39.2/sound/soc/omap/omap3pandora.c 2011-05-19 00:06:34.000000000 -0400
84280 +++ linux-2.6.39.2/sound/soc/omap/omap3pandora.c 2011-05-22 19:36:35.000000000 -0400
84281 @@ -218,7 +218,7 @@ static int omap3pandora_in_init(struct s
84282 return snd_soc_dapm_sync(dapm);
84283 }
84284
84285 -static struct snd_soc_ops omap3pandora_ops = {
84286 +static const struct snd_soc_ops omap3pandora_ops = {
84287 .hw_params = omap3pandora_hw_params,
84288 };
84289
84290 diff -urNp linux-2.6.39.2/sound/soc/omap/omap-pcm.c linux-2.6.39.2/sound/soc/omap/omap-pcm.c
84291 --- linux-2.6.39.2/sound/soc/omap/omap-pcm.c 2011-05-19 00:06:34.000000000 -0400
84292 +++ linux-2.6.39.2/sound/soc/omap/omap-pcm.c 2011-05-22 19:36:35.000000000 -0400
84293 @@ -311,7 +311,7 @@ static int omap_pcm_mmap(struct snd_pcm_
84294 runtime->dma_bytes);
84295 }
84296
84297 -static struct snd_pcm_ops omap_pcm_ops = {
84298 +static const struct snd_pcm_ops omap_pcm_ops = {
84299 .open = omap_pcm_open,
84300 .close = omap_pcm_close,
84301 .ioctl = snd_pcm_lib_ioctl,
84302 diff -urNp linux-2.6.39.2/sound/soc/omap/osk5912.c linux-2.6.39.2/sound/soc/omap/osk5912.c
84303 --- linux-2.6.39.2/sound/soc/omap/osk5912.c 2011-05-19 00:06:34.000000000 -0400
84304 +++ linux-2.6.39.2/sound/soc/omap/osk5912.c 2011-05-22 19:36:35.000000000 -0400
84305 @@ -90,7 +90,7 @@ static int osk_hw_params(struct snd_pcm_
84306 return err;
84307 }
84308
84309 -static struct snd_soc_ops osk_ops = {
84310 +static const struct snd_soc_ops osk_ops = {
84311 .startup = osk_startup,
84312 .hw_params = osk_hw_params,
84313 .shutdown = osk_shutdown,
84314 diff -urNp linux-2.6.39.2/sound/soc/omap/overo.c linux-2.6.39.2/sound/soc/omap/overo.c
84315 --- linux-2.6.39.2/sound/soc/omap/overo.c 2011-05-19 00:06:34.000000000 -0400
84316 +++ linux-2.6.39.2/sound/soc/omap/overo.c 2011-05-22 19:36:35.000000000 -0400
84317 @@ -72,7 +72,7 @@ static int overo_hw_params(struct snd_pc
84318 return 0;
84319 }
84320
84321 -static struct snd_soc_ops overo_ops = {
84322 +static const struct snd_soc_ops overo_ops = {
84323 .hw_params = overo_hw_params,
84324 };
84325
84326 diff -urNp linux-2.6.39.2/sound/soc/omap/rx51.c linux-2.6.39.2/sound/soc/omap/rx51.c
84327 --- linux-2.6.39.2/sound/soc/omap/rx51.c 2011-05-19 00:06:34.000000000 -0400
84328 +++ linux-2.6.39.2/sound/soc/omap/rx51.c 2011-05-22 19:36:35.000000000 -0400
84329 @@ -139,7 +139,7 @@ static int rx51_hw_params(struct snd_pcm
84330 SND_SOC_CLOCK_IN);
84331 }
84332
84333 -static struct snd_soc_ops rx51_ops = {
84334 +static const struct snd_soc_ops rx51_ops = {
84335 .startup = rx51_startup,
84336 .hw_params = rx51_hw_params,
84337 };
84338 diff -urNp linux-2.6.39.2/sound/soc/omap/sdp3430.c linux-2.6.39.2/sound/soc/omap/sdp3430.c
84339 --- linux-2.6.39.2/sound/soc/omap/sdp3430.c 2011-05-19 00:06:34.000000000 -0400
84340 +++ linux-2.6.39.2/sound/soc/omap/sdp3430.c 2011-05-22 19:36:35.000000000 -0400
84341 @@ -87,7 +87,7 @@ static int sdp3430_hw_params(struct snd_
84342 return 0;
84343 }
84344
84345 -static struct snd_soc_ops sdp3430_ops = {
84346 +static const struct snd_soc_ops sdp3430_ops = {
84347 .hw_params = sdp3430_hw_params,
84348 };
84349
84350 @@ -130,7 +130,7 @@ static int sdp3430_hw_voice_params(struc
84351 return 0;
84352 }
84353
84354 -static struct snd_soc_ops sdp3430_voice_ops = {
84355 +static const struct snd_soc_ops sdp3430_voice_ops = {
84356 .hw_params = sdp3430_hw_voice_params,
84357 };
84358
84359 diff -urNp linux-2.6.39.2/sound/soc/omap/sdp4430.c linux-2.6.39.2/sound/soc/omap/sdp4430.c
84360 --- linux-2.6.39.2/sound/soc/omap/sdp4430.c 2011-05-19 00:06:34.000000000 -0400
84361 +++ linux-2.6.39.2/sound/soc/omap/sdp4430.c 2011-05-22 19:36:35.000000000 -0400
84362 @@ -62,7 +62,7 @@ static int sdp4430_hw_params(struct snd_
84363 return ret;
84364 }
84365
84366 -static struct snd_soc_ops sdp4430_ops = {
84367 +static const struct snd_soc_ops sdp4430_ops = {
84368 .hw_params = sdp4430_hw_params,
84369 };
84370
84371 diff -urNp linux-2.6.39.2/sound/soc/omap/zoom2.c linux-2.6.39.2/sound/soc/omap/zoom2.c
84372 --- linux-2.6.39.2/sound/soc/omap/zoom2.c 2011-05-19 00:06:34.000000000 -0400
84373 +++ linux-2.6.39.2/sound/soc/omap/zoom2.c 2011-05-22 19:36:35.000000000 -0400
84374 @@ -78,7 +78,7 @@ static int zoom2_hw_params(struct snd_pc
84375 return 0;
84376 }
84377
84378 -static struct snd_soc_ops zoom2_ops = {
84379 +static const struct snd_soc_ops zoom2_ops = {
84380 .hw_params = zoom2_hw_params,
84381 };
84382
84383 @@ -121,7 +121,7 @@ static int zoom2_hw_voice_params(struct
84384 return 0;
84385 }
84386
84387 -static struct snd_soc_ops zoom2_voice_ops = {
84388 +static const struct snd_soc_ops zoom2_voice_ops = {
84389 .hw_params = zoom2_hw_voice_params,
84390 };
84391
84392 diff -urNp linux-2.6.39.2/sound/soc/pxa/corgi.c linux-2.6.39.2/sound/soc/pxa/corgi.c
84393 --- linux-2.6.39.2/sound/soc/pxa/corgi.c 2011-05-19 00:06:34.000000000 -0400
84394 +++ linux-2.6.39.2/sound/soc/pxa/corgi.c 2011-05-22 19:36:35.000000000 -0400
84395 @@ -169,7 +169,7 @@ static int corgi_hw_params(struct snd_pc
84396 return 0;
84397 }
84398
84399 -static struct snd_soc_ops corgi_ops = {
84400 +static const struct snd_soc_ops corgi_ops = {
84401 .startup = corgi_startup,
84402 .hw_params = corgi_hw_params,
84403 .shutdown = corgi_shutdown,
84404 diff -urNp linux-2.6.39.2/sound/soc/pxa/imote2.c linux-2.6.39.2/sound/soc/pxa/imote2.c
84405 --- linux-2.6.39.2/sound/soc/pxa/imote2.c 2011-05-19 00:06:34.000000000 -0400
84406 +++ linux-2.6.39.2/sound/soc/pxa/imote2.c 2011-05-22 19:36:35.000000000 -0400
84407 @@ -56,7 +56,7 @@ static int imote2_asoc_hw_params(struct
84408 return ret;
84409 }
84410
84411 -static struct snd_soc_ops imote2_asoc_ops = {
84412 +static const struct snd_soc_ops imote2_asoc_ops = {
84413 .hw_params = imote2_asoc_hw_params,
84414 };
84415
84416 diff -urNp linux-2.6.39.2/sound/soc/pxa/magician.c linux-2.6.39.2/sound/soc/pxa/magician.c
84417 --- linux-2.6.39.2/sound/soc/pxa/magician.c 2011-05-19 00:06:34.000000000 -0400
84418 +++ linux-2.6.39.2/sound/soc/pxa/magician.c 2011-05-22 19:36:35.000000000 -0400
84419 @@ -258,12 +258,12 @@ static int magician_capture_hw_params(st
84420 return 0;
84421 }
84422
84423 -static struct snd_soc_ops magician_capture_ops = {
84424 +static const struct snd_soc_ops magician_capture_ops = {
84425 .startup = magician_startup,
84426 .hw_params = magician_capture_hw_params,
84427 };
84428
84429 -static struct snd_soc_ops magician_playback_ops = {
84430 +static const struct snd_soc_ops magician_playback_ops = {
84431 .startup = magician_startup,
84432 .hw_params = magician_playback_hw_params,
84433 };
84434 diff -urNp linux-2.6.39.2/sound/soc/pxa/mioa701_wm9713.c linux-2.6.39.2/sound/soc/pxa/mioa701_wm9713.c
84435 --- linux-2.6.39.2/sound/soc/pxa/mioa701_wm9713.c 2011-05-19 00:06:34.000000000 -0400
84436 +++ linux-2.6.39.2/sound/soc/pxa/mioa701_wm9713.c 2011-05-22 19:36:35.000000000 -0400
84437 @@ -156,7 +156,7 @@ static int mioa701_wm9713_init(struct sn
84438 return 0;
84439 }
84440
84441 -static struct snd_soc_ops mioa701_ops;
84442 +static const struct snd_soc_ops mioa701_ops;
84443
84444 static struct snd_soc_dai_link mioa701_dai[] = {
84445 {
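Review bot: `static const struct snd_soc_ops mioa701_ops;` is a const object with no initializer. Unless an initialised definition follows later in the file (not visible from this hunk), it is a tentative definition whose callbacks are all NULL and can never be set, and some compilers warn about a default-initialised const object. Giving it an explicit empty initializer, `static const struct snd_soc_ops mioa701_ops = { };`, makes the intent explicit; the phycore-ac97.c hunk in this patch already uses that form for its empty table. If a later definition with an initializer does exist, it needs the same `const` or the two declarations conflict.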
84446 diff -urNp linux-2.6.39.2/sound/soc/pxa/poodle.c linux-2.6.39.2/sound/soc/pxa/poodle.c
84447 --- linux-2.6.39.2/sound/soc/pxa/poodle.c 2011-05-19 00:06:34.000000000 -0400
84448 +++ linux-2.6.39.2/sound/soc/pxa/poodle.c 2011-05-22 19:36:35.000000000 -0400
84449 @@ -148,7 +148,7 @@ static int poodle_hw_params(struct snd_p
84450 return 0;
84451 }
84452
84453 -static struct snd_soc_ops poodle_ops = {
84454 +static const struct snd_soc_ops poodle_ops = {
84455 .startup = poodle_startup,
84456 .hw_params = poodle_hw_params,
84457 .shutdown = poodle_shutdown,
84458 diff -urNp linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.c linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.c
84459 --- linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84460 +++ linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84461 @@ -40,7 +40,7 @@ static void pxa2xx_ac97_cold_reset(struc
84462 pxa2xx_ac97_finish_reset(ac97);
84463 }
84464
84465 -struct snd_ac97_bus_ops soc_ac97_ops = {
84466 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84467 .read = pxa2xx_ac97_read,
84468 .write = pxa2xx_ac97_write,
84469 .warm_reset = pxa2xx_ac97_warm_reset,
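Review bot: `soc_ac97_ops` has external linkage, so adding `const` to the definition here requires the `extern` declaration seen by other files to carry the same qualifier, and that declaration is not in this hunk. Any file that sees both forms fails to compile with conflicting type qualifiers. A file that sees only an unqualified declaration would still compile code that writes through it, and such a write would presumably fault at run time if the object sits in read-only memory. The hac.c hunk later in this patch constifies an object of the same name and needs the same check. The initializer continues past the end of the hunk.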
84470 diff -urNp linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.h linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.h
84471 --- linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84472 +++ linux-2.6.39.2/sound/soc/pxa/pxa2xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84473 @@ -15,6 +15,6 @@
84474 #define PXA2XX_DAI_AC97_MIC 2
84475
84476 /* platform data */
84477 -extern struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84478 +extern const struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84479
84480 #endif
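Review bot: The declaration constified here names `pxa2xx_ac97_ops`, while the object defined in the pxa2xx-ac97.c hunk of this patch is `soc_ac97_ops`, and no definition of `pxa2xx_ac97_ops` is visible in this part of the patch. If nothing defines that symbol, the line is a stale declaration and removing it would be cleaner than qualifying it. If something does define it, that definition needs the same `const` so declaration and definition agree.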
84481 diff -urNp linux-2.6.39.2/sound/soc/pxa/raumfeld.c linux-2.6.39.2/sound/soc/pxa/raumfeld.c
84482 --- linux-2.6.39.2/sound/soc/pxa/raumfeld.c 2011-06-03 00:04:14.000000000 -0400
84483 +++ linux-2.6.39.2/sound/soc/pxa/raumfeld.c 2011-06-03 00:32:09.000000000 -0400
84484 @@ -145,7 +145,7 @@ static int raumfeld_cs4270_hw_params(str
84485 return 0;
84486 }
84487
84488 -static struct snd_soc_ops raumfeld_cs4270_ops = {
84489 +static const struct snd_soc_ops raumfeld_cs4270_ops = {
84490 .startup = raumfeld_cs4270_startup,
84491 .shutdown = raumfeld_cs4270_shutdown,
84492 .hw_params = raumfeld_cs4270_hw_params,
84493 @@ -221,7 +221,7 @@ static int raumfeld_ak4104_hw_params(str
84494 return 0;
84495 }
84496
84497 -static struct snd_soc_ops raumfeld_ak4104_ops = {
84498 +static const struct snd_soc_ops raumfeld_ak4104_ops = {
84499 .hw_params = raumfeld_ak4104_hw_params,
84500 };
84501
84502 diff -urNp linux-2.6.39.2/sound/soc/pxa/saarb.c linux-2.6.39.2/sound/soc/pxa/saarb.c
84503 --- linux-2.6.39.2/sound/soc/pxa/saarb.c 2011-05-19 00:06:34.000000000 -0400
84504 +++ linux-2.6.39.2/sound/soc/pxa/saarb.c 2011-05-22 19:36:35.000000000 -0400
84505 @@ -106,7 +106,7 @@ static int saarb_i2s_hw_params(struct sn
84506 return ret;
84507 }
84508
84509 -static struct snd_soc_ops saarb_i2s_ops = {
84510 +static const struct snd_soc_ops saarb_i2s_ops = {
84511 .hw_params = saarb_i2s_hw_params,
84512 };
84513
84514 diff -urNp linux-2.6.39.2/sound/soc/pxa/spitz.c linux-2.6.39.2/sound/soc/pxa/spitz.c
84515 --- linux-2.6.39.2/sound/soc/pxa/spitz.c 2011-05-19 00:06:34.000000000 -0400
84516 +++ linux-2.6.39.2/sound/soc/pxa/spitz.c 2011-05-22 19:36:35.000000000 -0400
84517 @@ -169,7 +169,7 @@ static int spitz_hw_params(struct snd_pc
84518 return 0;
84519 }
84520
84521 -static struct snd_soc_ops spitz_ops = {
84522 +static const struct snd_soc_ops spitz_ops = {
84523 .startup = spitz_startup,
84524 .hw_params = spitz_hw_params,
84525 };
84526 diff -urNp linux-2.6.39.2/sound/soc/pxa/tavorevb3.c linux-2.6.39.2/sound/soc/pxa/tavorevb3.c
84527 --- linux-2.6.39.2/sound/soc/pxa/tavorevb3.c 2011-05-19 00:06:34.000000000 -0400
84528 +++ linux-2.6.39.2/sound/soc/pxa/tavorevb3.c 2011-05-22 19:36:35.000000000 -0400
84529 @@ -106,7 +106,7 @@ static int evb3_i2s_hw_params(struct snd
84530 return ret;
84531 }
84532
84533 -static struct snd_soc_ops evb3_i2s_ops = {
84534 +static const struct snd_soc_ops evb3_i2s_ops = {
84535 .hw_params = evb3_i2s_hw_params,
84536 };
84537
84538 diff -urNp linux-2.6.39.2/sound/soc/pxa/tosa.c linux-2.6.39.2/sound/soc/pxa/tosa.c
84539 --- linux-2.6.39.2/sound/soc/pxa/tosa.c 2011-05-19 00:06:34.000000000 -0400
84540 +++ linux-2.6.39.2/sound/soc/pxa/tosa.c 2011-05-22 19:36:35.000000000 -0400
84541 @@ -92,7 +92,7 @@ static int tosa_startup(struct snd_pcm_s
84542 return 0;
84543 }
84544
84545 -static struct snd_soc_ops tosa_ops = {
84546 +static const struct snd_soc_ops tosa_ops = {
84547 .startup = tosa_startup,
84548 };
84549
84550 diff -urNp linux-2.6.39.2/sound/soc/pxa/z2.c linux-2.6.39.2/sound/soc/pxa/z2.c
84551 --- linux-2.6.39.2/sound/soc/pxa/z2.c 2011-05-19 00:06:34.000000000 -0400
84552 +++ linux-2.6.39.2/sound/soc/pxa/z2.c 2011-05-22 19:36:35.000000000 -0400
84553 @@ -187,7 +187,7 @@ err:
84554 return ret;
84555 }
84556
84557 -static struct snd_soc_ops z2_ops = {
84558 +static const struct snd_soc_ops z2_ops = {
84559 .hw_params = z2_hw_params,
84560 };
84561
84562 diff -urNp linux-2.6.39.2/sound/soc/pxa/zylonite.c linux-2.6.39.2/sound/soc/pxa/zylonite.c
84563 --- linux-2.6.39.2/sound/soc/pxa/zylonite.c 2011-05-19 00:06:34.000000000 -0400
84564 +++ linux-2.6.39.2/sound/soc/pxa/zylonite.c 2011-05-22 19:36:35.000000000 -0400
84565 @@ -156,7 +156,7 @@ static int zylonite_voice_hw_params(stru
84566 return 0;
84567 }
84568
84569 -static struct snd_soc_ops zylonite_voice_ops = {
84570 +static const struct snd_soc_ops zylonite_voice_ops = {
84571 .hw_params = zylonite_voice_hw_params,
84572 };
84573
84574 diff -urNp linux-2.6.39.2/sound/soc/s6000/s6000-pcm.c linux-2.6.39.2/sound/soc/s6000/s6000-pcm.c
84575 --- linux-2.6.39.2/sound/soc/s6000/s6000-pcm.c 2011-05-19 00:06:34.000000000 -0400
84576 +++ linux-2.6.39.2/sound/soc/s6000/s6000-pcm.c 2011-05-22 19:36:35.000000000 -0400
84577 @@ -420,7 +420,7 @@ static int s6000_pcm_hw_free(struct snd_
84578 return snd_pcm_lib_free_pages(substream);
84579 }
84580
84581 -static struct snd_pcm_ops s6000_pcm_ops = {
84582 +static const struct snd_pcm_ops s6000_pcm_ops = {
84583 .open = s6000_pcm_open,
84584 .close = s6000_pcm_close,
84585 .ioctl = snd_pcm_lib_ioctl,
84586 diff -urNp linux-2.6.39.2/sound/soc/s6000/s6105-ipcam.c linux-2.6.39.2/sound/soc/s6000/s6105-ipcam.c
84587 --- linux-2.6.39.2/sound/soc/s6000/s6105-ipcam.c 2011-05-19 00:06:34.000000000 -0400
84588 +++ linux-2.6.39.2/sound/soc/s6000/s6105-ipcam.c 2011-05-22 19:36:35.000000000 -0400
84589 @@ -55,7 +55,7 @@ static int s6105_hw_params(struct snd_pc
84590 return 0;
84591 }
84592
84593 -static struct snd_soc_ops s6105_ops = {
84594 +static const struct snd_soc_ops s6105_ops = {
84595 .hw_params = s6105_hw_params,
84596 };
84597
84598 diff -urNp linux-2.6.39.2/sound/soc/samsung/goni_wm8994.c linux-2.6.39.2/sound/soc/samsung/goni_wm8994.c
84599 --- linux-2.6.39.2/sound/soc/samsung/goni_wm8994.c 2011-05-19 00:06:34.000000000 -0400
84600 +++ linux-2.6.39.2/sound/soc/samsung/goni_wm8994.c 2011-05-22 19:36:35.000000000 -0400
84601 @@ -176,7 +176,7 @@ static int goni_hifi_hw_params(struct sn
84602 return 0;
84603 }
84604
84605 -static struct snd_soc_ops goni_hifi_ops = {
84606 +static const struct snd_soc_ops goni_hifi_ops = {
84607 .hw_params = goni_hifi_hw_params,
84608 };
84609
84610 @@ -227,7 +227,7 @@ static struct snd_soc_dai_driver voice_d
84611 .formats = SNDRV_PCM_FMTBIT_S16_LE,},
84612 };
84613
84614 -static struct snd_soc_ops goni_voice_ops = {
84615 +static const struct snd_soc_ops goni_voice_ops = {
84616 .hw_params = goni_voice_hw_params,
84617 };
84618
84619 diff -urNp linux-2.6.39.2/sound/soc/samsung/h1940_uda1380.c linux-2.6.39.2/sound/soc/samsung/h1940_uda1380.c
84620 --- linux-2.6.39.2/sound/soc/samsung/h1940_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84621 +++ linux-2.6.39.2/sound/soc/samsung/h1940_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84622 @@ -136,7 +136,7 @@ static int h1940_hw_params(struct snd_pc
84623 return 0;
84624 }
84625
84626 -static struct snd_soc_ops h1940_ops = {
84627 +static const struct snd_soc_ops h1940_ops = {
84628 .startup = h1940_startup,
84629 .hw_params = h1940_hw_params,
84630 };
84631 diff -urNp linux-2.6.39.2/sound/soc/samsung/jive_wm8750.c linux-2.6.39.2/sound/soc/samsung/jive_wm8750.c
84632 --- linux-2.6.39.2/sound/soc/samsung/jive_wm8750.c 2011-05-19 00:06:34.000000000 -0400
84633 +++ linux-2.6.39.2/sound/soc/samsung/jive_wm8750.c 2011-05-22 19:36:35.000000000 -0400
84634 @@ -92,7 +92,7 @@ static int jive_hw_params(struct snd_pcm
84635 return 0;
84636 }
84637
84638 -static struct snd_soc_ops jive_ops = {
84639 +static const struct snd_soc_ops jive_ops = {
84640 .hw_params = jive_hw_params,
84641 };
84642
84643 diff -urNp linux-2.6.39.2/sound/soc/samsung/neo1973_wm8753.c linux-2.6.39.2/sound/soc/samsung/neo1973_wm8753.c
84644 --- linux-2.6.39.2/sound/soc/samsung/neo1973_wm8753.c 2011-05-19 00:06:34.000000000 -0400
84645 +++ linux-2.6.39.2/sound/soc/samsung/neo1973_wm8753.c 2011-05-22 19:36:35.000000000 -0400
84646 @@ -128,7 +128,7 @@ static int neo1973_hifi_hw_free(struct s
84647 /*
84648 * Neo1973 WM8753 HiFi DAI opserations.
84649 */
84650 -static struct snd_soc_ops neo1973_hifi_ops = {
84651 +static const struct snd_soc_ops neo1973_hifi_ops = {
84652 .hw_params = neo1973_hifi_hw_params,
84653 .hw_free = neo1973_hifi_hw_free,
84654 };
84655 @@ -187,7 +187,7 @@ static int neo1973_voice_hw_free(struct
84656 return snd_soc_dai_set_pll(codec_dai, WM8753_PLL2, 0, 0, 0);
84657 }
84658
84659 -static struct snd_soc_ops neo1973_voice_ops = {
84660 +static const struct snd_soc_ops neo1973_voice_ops = {
84661 .hw_params = neo1973_voice_hw_params,
84662 .hw_free = neo1973_voice_hw_free,
84663 };
84664 diff -urNp linux-2.6.39.2/sound/soc/samsung/rx1950_uda1380.c linux-2.6.39.2/sound/soc/samsung/rx1950_uda1380.c
84665 --- linux-2.6.39.2/sound/soc/samsung/rx1950_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84666 +++ linux-2.6.39.2/sound/soc/samsung/rx1950_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84667 @@ -70,7 +70,7 @@ static struct snd_soc_jack_gpio hp_jack_
84668 },
84669 };
84670
84671 -static struct snd_soc_ops rx1950_ops = {
84672 +static const struct snd_soc_ops rx1950_ops = {
84673 .startup = rx1950_startup,
84674 .hw_params = rx1950_hw_params,
84675 };
84676 diff -urNp linux-2.6.39.2/sound/soc/samsung/s3c24xx_simtec.c linux-2.6.39.2/sound/soc/samsung/s3c24xx_simtec.c
84677 --- linux-2.6.39.2/sound/soc/samsung/s3c24xx_simtec.c 2011-05-19 00:06:34.000000000 -0400
84678 +++ linux-2.6.39.2/sound/soc/samsung/s3c24xx_simtec.c 2011-05-22 19:36:35.000000000 -0400
84679 @@ -228,7 +228,7 @@ static int simtec_call_startup(struct s3
84680 return 0;
84681 }
84682
84683 -static struct snd_soc_ops simtec_snd_ops = {
84684 +static const struct snd_soc_ops simtec_snd_ops = {
84685 .hw_params = simtec_hw_params,
84686 };
84687
84688 diff -urNp linux-2.6.39.2/sound/soc/samsung/s3c24xx_uda134x.c linux-2.6.39.2/sound/soc/samsung/s3c24xx_uda134x.c
84689 --- linux-2.6.39.2/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-19 00:06:34.000000000 -0400
84690 +++ linux-2.6.39.2/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-22 19:36:35.000000000 -0400
84691 @@ -210,7 +210,7 @@ static int s3c24xx_uda134x_hw_params(str
84692 return 0;
84693 }
84694
84695 -static struct snd_soc_ops s3c24xx_uda134x_ops = {
84696 +static const struct snd_soc_ops s3c24xx_uda134x_ops = {
84697 .startup = s3c24xx_uda134x_startup,
84698 .shutdown = s3c24xx_uda134x_shutdown,
84699 .hw_params = s3c24xx_uda134x_hw_params,
84700 diff -urNp linux-2.6.39.2/sound/soc/samsung/smartq_wm8987.c linux-2.6.39.2/sound/soc/samsung/smartq_wm8987.c
84701 --- linux-2.6.39.2/sound/soc/samsung/smartq_wm8987.c 2011-05-19 00:06:34.000000000 -0400
84702 +++ linux-2.6.39.2/sound/soc/samsung/smartq_wm8987.c 2011-05-22 19:36:35.000000000 -0400
84703 @@ -92,7 +92,7 @@ static int smartq_hifi_hw_params(struct
84704 /*
84705 * SmartQ WM8987 HiFi DAI operations.
84706 */
84707 -static struct snd_soc_ops smartq_hifi_ops = {
84708 +static const struct snd_soc_ops smartq_hifi_ops = {
84709 .hw_params = smartq_hifi_hw_params,
84710 };
84711
84712 diff -urNp linux-2.6.39.2/sound/soc/samsung/smdk_spdif.c linux-2.6.39.2/sound/soc/samsung/smdk_spdif.c
84713 --- linux-2.6.39.2/sound/soc/samsung/smdk_spdif.c 2011-05-19 00:06:34.000000000 -0400
84714 +++ linux-2.6.39.2/sound/soc/samsung/smdk_spdif.c 2011-05-22 19:36:35.000000000 -0400
84715 @@ -143,7 +143,7 @@ static int smdk_hw_params(struct snd_pcm
84716 return ret;
84717 }
84718
84719 -static struct snd_soc_ops smdk_spdif_ops = {
84720 +static const struct snd_soc_ops smdk_spdif_ops = {
84721 .hw_params = smdk_hw_params,
84722 };
84723
84724 diff -urNp linux-2.6.39.2/sound/soc/samsung/smdk_wm8580.c linux-2.6.39.2/sound/soc/samsung/smdk_wm8580.c
84725 --- linux-2.6.39.2/sound/soc/samsung/smdk_wm8580.c 2011-05-19 00:06:34.000000000 -0400
84726 +++ linux-2.6.39.2/sound/soc/samsung/smdk_wm8580.c 2011-05-22 19:36:35.000000000 -0400
84727 @@ -114,7 +114,7 @@ static int smdk_hw_params(struct snd_pcm
84728 /*
84729 * SMDK WM8580 DAI operations.
84730 */
84731 -static struct snd_soc_ops smdk_ops = {
84732 +static const struct snd_soc_ops smdk_ops = {
84733 .hw_params = smdk_hw_params,
84734 };
84735
84736 diff -urNp linux-2.6.39.2/sound/soc/sh/dma-sh7760.c linux-2.6.39.2/sound/soc/sh/dma-sh7760.c
84737 --- linux-2.6.39.2/sound/soc/sh/dma-sh7760.c 2011-05-19 00:06:34.000000000 -0400
84738 +++ linux-2.6.39.2/sound/soc/sh/dma-sh7760.c 2011-05-22 19:36:35.000000000 -0400
84739 @@ -311,7 +311,7 @@ static snd_pcm_uframes_t camelot_pos(str
84740 return bytes_to_frames(runtime, pos);
84741 }
84742
84743 -static struct snd_pcm_ops camelot_pcm_ops = {
84744 +static const struct snd_pcm_ops camelot_pcm_ops = {
84745 .open = camelot_pcm_open,
84746 .close = camelot_pcm_close,
84747 .ioctl = snd_pcm_lib_ioctl,
84748 diff -urNp linux-2.6.39.2/sound/soc/sh/hac.c linux-2.6.39.2/sound/soc/sh/hac.c
84749 --- linux-2.6.39.2/sound/soc/sh/hac.c 2011-05-19 00:06:34.000000000 -0400
84750 +++ linux-2.6.39.2/sound/soc/sh/hac.c 2011-05-22 19:36:35.000000000 -0400
84751 @@ -227,7 +227,7 @@ static void hac_ac97_coldrst(struct snd_
84752 hac_ac97_warmrst(ac97);
84753 }
84754
84755 -struct snd_ac97_bus_ops soc_ac97_ops = {
84756 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84757 .read = hac_ac97_read,
84758 .write = hac_ac97_write,
84759 .reset = hac_ac97_coldrst,
84760 diff -urNp linux-2.6.39.2/sound/soc/sh/migor.c linux-2.6.39.2/sound/soc/sh/migor.c
84761 --- linux-2.6.39.2/sound/soc/sh/migor.c 2011-05-19 00:06:34.000000000 -0400
84762 +++ linux-2.6.39.2/sound/soc/sh/migor.c 2011-05-22 19:36:35.000000000 -0400
84763 @@ -108,7 +108,7 @@ static int migor_hw_free(struct snd_pcm_
84764 return 0;
84765 }
84766
84767 -static struct snd_soc_ops migor_dai_ops = {
84768 +static const struct snd_soc_ops migor_dai_ops = {
84769 .hw_params = migor_hw_params,
84770 .hw_free = migor_hw_free,
84771 };
84772 diff -urNp linux-2.6.39.2/sound/soc/sh/siu_pcm.c linux-2.6.39.2/sound/soc/sh/siu_pcm.c
84773 --- linux-2.6.39.2/sound/soc/sh/siu_pcm.c 2011-05-19 00:06:34.000000000 -0400
84774 +++ linux-2.6.39.2/sound/soc/sh/siu_pcm.c 2011-05-22 19:36:35.000000000 -0400
84775 @@ -597,7 +597,7 @@ static void siu_pcm_free(struct snd_pcm
84776 dev_dbg(pcm->card->dev, "%s\n", __func__);
84777 }
84778
84779 -static struct snd_pcm_ops siu_pcm_ops = {
84780 +static const struct snd_pcm_ops siu_pcm_ops = {
84781 .open = siu_pcm_open,
84782 .close = siu_pcm_close,
84783 .ioctl = snd_pcm_lib_ioctl,
84784 diff -urNp linux-2.6.39.2/sound/soc/tegra/harmony.c linux-2.6.39.2/sound/soc/tegra/harmony.c
84785 --- linux-2.6.39.2/sound/soc/tegra/harmony.c 2011-05-19 00:06:34.000000000 -0400
84786 +++ linux-2.6.39.2/sound/soc/tegra/harmony.c 2011-05-22 19:36:35.000000000 -0400
84787 @@ -126,7 +126,7 @@ static int harmony_asoc_hw_params(struct
84788 return 0;
84789 }
84790
84791 -static struct snd_soc_ops harmony_asoc_ops = {
84792 +static const struct snd_soc_ops harmony_asoc_ops = {
84793 .hw_params = harmony_asoc_hw_params,
84794 };
84795
84796 diff -urNp linux-2.6.39.2/sound/soc/tegra/tegra_pcm.c linux-2.6.39.2/sound/soc/tegra/tegra_pcm.c
84797 --- linux-2.6.39.2/sound/soc/tegra/tegra_pcm.c 2011-05-19 00:06:34.000000000 -0400
84798 +++ linux-2.6.39.2/sound/soc/tegra/tegra_pcm.c 2011-05-22 19:36:36.000000000 -0400
84799 @@ -277,7 +277,7 @@ static int tegra_pcm_mmap(struct snd_pcm
84800 runtime->dma_bytes);
84801 }
84802
84803 -static struct snd_pcm_ops tegra_pcm_ops = {
84804 +static const struct snd_pcm_ops tegra_pcm_ops = {
84805 .open = tegra_pcm_open,
84806 .close = tegra_pcm_close,
84807 .ioctl = snd_pcm_lib_ioctl,
84808 diff -urNp linux-2.6.39.2/sound/soc/txx9/txx9aclc.c linux-2.6.39.2/sound/soc/txx9/txx9aclc.c
84809 --- linux-2.6.39.2/sound/soc/txx9/txx9aclc.c 2011-05-19 00:06:34.000000000 -0400
84810 +++ linux-2.6.39.2/sound/soc/txx9/txx9aclc.c 2011-05-22 19:36:36.000000000 -0400
84811 @@ -272,7 +272,7 @@ static int txx9aclc_pcm_close(struct snd
84812 return 0;
84813 }
84814
84815 -static struct snd_pcm_ops txx9aclc_pcm_ops = {
84816 +static const struct snd_pcm_ops txx9aclc_pcm_ops = {
84817 .open = txx9aclc_pcm_open,
84818 .close = txx9aclc_pcm_close,
84819 .ioctl = snd_pcm_lib_ioctl,
84820 diff -urNp linux-2.6.39.2/sound/sparc/amd7930.c linux-2.6.39.2/sound/sparc/amd7930.c
84821 --- linux-2.6.39.2/sound/sparc/amd7930.c 2011-05-19 00:06:34.000000000 -0400
84822 +++ linux-2.6.39.2/sound/sparc/amd7930.c 2011-05-22 19:36:36.000000000 -0400
84823 @@ -733,7 +733,7 @@ static int snd_amd7930_hw_free(struct sn
84824 return snd_pcm_lib_free_pages(substream);
84825 }
84826
84827 -static struct snd_pcm_ops snd_amd7930_playback_ops = {
84828 +static const struct snd_pcm_ops snd_amd7930_playback_ops = {
84829 .open = snd_amd7930_playback_open,
84830 .close = snd_amd7930_playback_close,
84831 .ioctl = snd_pcm_lib_ioctl,
84832 @@ -744,7 +744,7 @@ static struct snd_pcm_ops snd_amd7930_pl
84833 .pointer = snd_amd7930_playback_pointer,
84834 };
84835
84836 -static struct snd_pcm_ops snd_amd7930_capture_ops = {
84837 +static const struct snd_pcm_ops snd_amd7930_capture_ops = {
84838 .open = snd_amd7930_capture_open,
84839 .close = snd_amd7930_capture_close,
84840 .ioctl = snd_pcm_lib_ioctl,
84841 @@ -929,7 +929,7 @@ static int snd_amd7930_dev_free(struct s
84842 return snd_amd7930_free(amd);
84843 }
84844
84845 -static struct snd_device_ops snd_amd7930_dev_ops = {
84846 +static const struct snd_device_ops snd_amd7930_dev_ops = {
84847 .dev_free = snd_amd7930_dev_free,
84848 };
84849
84850 diff -urNp linux-2.6.39.2/sound/sparc/cs4231.c linux-2.6.39.2/sound/sparc/cs4231.c
84851 --- linux-2.6.39.2/sound/sparc/cs4231.c 2011-05-19 00:06:34.000000000 -0400
84852 +++ linux-2.6.39.2/sound/sparc/cs4231.c 2011-05-22 19:36:36.000000000 -0400
84853 @@ -1196,7 +1196,7 @@ static int snd_cs4231_capture_close(stru
84854 * XXX the audio AUXIO register...
84855 */
84856
84857 -static struct snd_pcm_ops snd_cs4231_playback_ops = {
84858 +static const struct snd_pcm_ops snd_cs4231_playback_ops = {
84859 .open = snd_cs4231_playback_open,
84860 .close = snd_cs4231_playback_close,
84861 .ioctl = snd_pcm_lib_ioctl,
84862 @@ -1207,7 +1207,7 @@ static struct snd_pcm_ops snd_cs4231_pla
84863 .pointer = snd_cs4231_playback_pointer,
84864 };
84865
84866 -static struct snd_pcm_ops snd_cs4231_capture_ops = {
84867 +static const struct snd_pcm_ops snd_cs4231_capture_ops = {
84868 .open = snd_cs4231_capture_open,
84869 .close = snd_cs4231_capture_close,
84870 .ioctl = snd_pcm_lib_ioctl,
84871 @@ -1789,7 +1789,7 @@ static int snd_cs4231_sbus_dev_free(stru
84872 return snd_cs4231_sbus_free(cp);
84873 }
84874
84875 -static struct snd_device_ops snd_cs4231_sbus_dev_ops = {
84876 +static const struct snd_device_ops snd_cs4231_sbus_dev_ops = {
84877 .dev_free = snd_cs4231_sbus_dev_free,
84878 };
84879
84880 @@ -1955,7 +1955,7 @@ static int snd_cs4231_ebus_dev_free(stru
84881 return snd_cs4231_ebus_free(cp);
84882 }
84883
84884 -static struct snd_device_ops snd_cs4231_ebus_dev_ops = {
84885 +static const struct snd_device_ops snd_cs4231_ebus_dev_ops = {
84886 .dev_free = snd_cs4231_ebus_dev_free,
84887 };
84888
84889 diff -urNp linux-2.6.39.2/sound/sparc/dbri.c linux-2.6.39.2/sound/sparc/dbri.c
84890 --- linux-2.6.39.2/sound/sparc/dbri.c 2011-05-19 00:06:34.000000000 -0400
84891 +++ linux-2.6.39.2/sound/sparc/dbri.c 2011-05-22 19:36:36.000000000 -0400
84892 @@ -2205,7 +2205,7 @@ static snd_pcm_uframes_t snd_dbri_pointe
84893 return ret;
84894 }
84895
84896 -static struct snd_pcm_ops snd_dbri_ops = {
84897 +static const struct snd_pcm_ops snd_dbri_ops = {
84898 .open = snd_dbri_open,
84899 .close = snd_dbri_close,
84900 .ioctl = snd_pcm_lib_ioctl,
84901 diff -urNp linux-2.6.39.2/sound/spi/at73c213.c linux-2.6.39.2/sound/spi/at73c213.c
84902 --- linux-2.6.39.2/sound/spi/at73c213.c 2011-05-19 00:06:34.000000000 -0400
84903 +++ linux-2.6.39.2/sound/spi/at73c213.c 2011-05-22 19:36:36.000000000 -0400
84904 @@ -319,7 +319,7 @@ snd_at73c213_pcm_pointer(struct snd_pcm_
84905 return pos;
84906 }
84907
84908 -static struct snd_pcm_ops at73c213_playback_ops = {
84909 +static const struct snd_pcm_ops at73c213_playback_ops = {
84910 .open = snd_at73c213_pcm_open,
84911 .close = snd_at73c213_pcm_close,
84912 .ioctl = snd_pcm_lib_ioctl,
84913 @@ -882,7 +882,7 @@ static int snd_at73c213_dev_free(struct
84914 static int __devinit snd_at73c213_dev_init(struct snd_card *card,
84915 struct spi_device *spi)
84916 {
84917 - static struct snd_device_ops ops = {
84918 + static const struct snd_device_ops ops = {
84919 .dev_free = snd_at73c213_dev_free,
84920 };
84921 struct snd_at73c213 *chip = get_chip(card);
84922 diff -urNp linux-2.6.39.2/sound/usb/6fire/midi.c linux-2.6.39.2/sound/usb/6fire/midi.c
84923 --- linux-2.6.39.2/sound/usb/6fire/midi.c 2011-05-19 00:06:34.000000000 -0400
84924 +++ linux-2.6.39.2/sound/usb/6fire/midi.c 2011-05-22 19:36:36.000000000 -0400
84925 @@ -134,14 +134,14 @@ static void usb6fire_midi_in_trigger(
84926 spin_unlock_irqrestore(&rt->in_lock, flags);
84927 }
84928
84929 -static struct snd_rawmidi_ops out_ops = {
84930 +static const struct snd_rawmidi_ops out_ops = {
84931 .open = usb6fire_midi_out_open,
84932 .close = usb6fire_midi_out_close,
84933 .trigger = usb6fire_midi_out_trigger,
84934 .drain = usb6fire_midi_out_drain
84935 };
84936
84937 -static struct snd_rawmidi_ops in_ops = {
84938 +static const struct snd_rawmidi_ops in_ops = {
84939 .open = usb6fire_midi_in_open,
84940 .close = usb6fire_midi_in_close,
84941 .trigger = usb6fire_midi_in_trigger
84942 diff -urNp linux-2.6.39.2/sound/usb/caiaq/audio.c linux-2.6.39.2/sound/usb/caiaq/audio.c
84943 --- linux-2.6.39.2/sound/usb/caiaq/audio.c 2011-05-19 00:06:34.000000000 -0400
84944 +++ linux-2.6.39.2/sound/usb/caiaq/audio.c 2011-05-22 19:36:36.000000000 -0400
84945 @@ -322,7 +322,7 @@ snd_usb_caiaq_pcm_pointer(struct snd_pcm
84946 }
84947
84948 /* operators for both playback and capture */
84949 -static struct snd_pcm_ops snd_usb_caiaq_ops = {
84950 +static const struct snd_pcm_ops snd_usb_caiaq_ops = {
84951 .open = snd_usb_caiaq_substream_open,
84952 .close = snd_usb_caiaq_substream_close,
84953 .ioctl = snd_pcm_lib_ioctl,
84954 diff -urNp linux-2.6.39.2/sound/usb/caiaq/midi.c linux-2.6.39.2/sound/usb/caiaq/midi.c
84955 --- linux-2.6.39.2/sound/usb/caiaq/midi.c 2011-05-19 00:06:34.000000000 -0400
84956 +++ linux-2.6.39.2/sound/usb/caiaq/midi.c 2011-05-22 19:36:36.000000000 -0400
84957 @@ -100,15 +100,13 @@ static void snd_usb_caiaq_midi_output_tr
84958 }
84959
84960
84961 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_output =
84962 -{
84963 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output = {
84964 .open = snd_usb_caiaq_midi_output_open,
84965 .close = snd_usb_caiaq_midi_output_close,
84966 .trigger = snd_usb_caiaq_midi_output_trigger,
84967 };
84968
84969 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_input =
84970 -{
84971 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_input = {
84972 .open = snd_usb_caiaq_midi_input_open,
84973 .close = snd_usb_caiaq_midi_input_close,
84974 .trigger = snd_usb_caiaq_midi_input_trigger,
84975 diff -urNp linux-2.6.39.2/sound/usb/card.c linux-2.6.39.2/sound/usb/card.c
84976 --- linux-2.6.39.2/sound/usb/card.c 2011-05-19 00:06:34.000000000 -0400
84977 +++ linux-2.6.39.2/sound/usb/card.c 2011-05-22 19:36:36.000000000 -0400
84978 @@ -305,7 +305,7 @@ static int snd_usb_audio_create(struct u
84979 struct snd_usb_audio *chip;
84980 int err, len;
84981 char component[14];
84982 - static struct snd_device_ops ops = {
84983 + static const struct snd_device_ops ops = {
84984 .dev_free = snd_usb_audio_dev_free,
84985 };
84986
84987 diff -urNp linux-2.6.39.2/sound/usb/midi.c linux-2.6.39.2/sound/usb/midi.c
84988 --- linux-2.6.39.2/sound/usb/midi.c 2011-05-19 00:06:34.000000000 -0400
84989 +++ linux-2.6.39.2/sound/usb/midi.c 2011-05-22 19:36:36.000000000 -0400
84990 @@ -1146,14 +1146,14 @@ static void snd_usbmidi_input_trigger(st
84991 clear_bit(substream->number, &umidi->input_triggered);
84992 }
84993
84994 -static struct snd_rawmidi_ops snd_usbmidi_output_ops = {
84995 +static const struct snd_rawmidi_ops snd_usbmidi_output_ops = {
84996 .open = snd_usbmidi_output_open,
84997 .close = snd_usbmidi_output_close,
84998 .trigger = snd_usbmidi_output_trigger,
84999 .drain = snd_usbmidi_output_drain,
85000 };
85001
85002 -static struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85003 +static const struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85004 .open = snd_usbmidi_input_open,
85005 .close = snd_usbmidi_input_close,
85006 .trigger = snd_usbmidi_input_trigger
85007 diff -urNp linux-2.6.39.2/sound/usb/misc/ua101.c linux-2.6.39.2/sound/usb/misc/ua101.c
85008 --- linux-2.6.39.2/sound/usb/misc/ua101.c 2011-05-19 00:06:34.000000000 -0400
85009 +++ linux-2.6.39.2/sound/usb/misc/ua101.c 2011-05-22 19:36:36.000000000 -0400
85010 @@ -886,7 +886,7 @@ static snd_pcm_uframes_t playback_pcm_po
85011 return ua101_pcm_pointer(ua, &ua->playback);
85012 }
85013
85014 -static struct snd_pcm_ops capture_pcm_ops = {
85015 +static const struct snd_pcm_ops capture_pcm_ops = {
85016 .open = capture_pcm_open,
85017 .close = capture_pcm_close,
85018 .ioctl = snd_pcm_lib_ioctl,
85019 @@ -899,7 +899,7 @@ static struct snd_pcm_ops capture_pcm_op
85020 .mmap = snd_pcm_lib_mmap_vmalloc,
85021 };
85022
85023 -static struct snd_pcm_ops playback_pcm_ops = {
85024 +static const struct snd_pcm_ops playback_pcm_ops = {
85025 .open = playback_pcm_open,
85026 .close = playback_pcm_close,
85027 .ioctl = snd_pcm_lib_ioctl,
85028 diff -urNp linux-2.6.39.2/sound/usb/mixer.c linux-2.6.39.2/sound/usb/mixer.c
85029 --- linux-2.6.39.2/sound/usb/mixer.c 2011-05-19 00:06:34.000000000 -0400
85030 +++ linux-2.6.39.2/sound/usb/mixer.c 2011-05-22 19:36:36.000000000 -0400
85031 @@ -2201,7 +2201,7 @@ static int snd_usb_mixer_status_create(s
85032 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
85033 int ignore_error)
85034 {
85035 - static struct snd_device_ops dev_ops = {
85036 + static const struct snd_device_ops dev_ops = {
85037 .dev_free = snd_usb_mixer_dev_free
85038 };
85039 struct usb_mixer_interface *mixer;
85040 diff -urNp linux-2.6.39.2/sound/usb/pcm.c linux-2.6.39.2/sound/usb/pcm.c
85041 --- linux-2.6.39.2/sound/usb/pcm.c 2011-05-19 00:06:34.000000000 -0400
85042 +++ linux-2.6.39.2/sound/usb/pcm.c 2011-05-22 19:36:36.000000000 -0400
85043 @@ -844,7 +844,7 @@ static int snd_usb_capture_close(struct
85044 return snd_usb_pcm_close(substream, SNDRV_PCM_STREAM_CAPTURE);
85045 }
85046
85047 -static struct snd_pcm_ops snd_usb_playback_ops = {
85048 +static const struct snd_pcm_ops snd_usb_playback_ops = {
85049 .open = snd_usb_playback_open,
85050 .close = snd_usb_playback_close,
85051 .ioctl = snd_pcm_lib_ioctl,
85052 @@ -857,7 +857,7 @@ static struct snd_pcm_ops snd_usb_playba
85053 .mmap = snd_pcm_lib_mmap_vmalloc,
85054 };
85055
85056 -static struct snd_pcm_ops snd_usb_capture_ops = {
85057 +static const struct snd_pcm_ops snd_usb_capture_ops = {
85058 .open = snd_usb_capture_open,
85059 .close = snd_usb_capture_close,
85060 .ioctl = snd_pcm_lib_ioctl,
85061 diff -urNp linux-2.6.39.2/sound/usb/usx2y/usbusx2yaudio.c linux-2.6.39.2/sound/usb/usx2y/usbusx2yaudio.c
85062 --- linux-2.6.39.2/sound/usb/usx2y/usbusx2yaudio.c 2011-05-19 00:06:34.000000000 -0400
85063 +++ linux-2.6.39.2/sound/usb/usx2y/usbusx2yaudio.c 2011-05-22 19:36:36.000000000 -0400
85064 @@ -919,8 +919,7 @@ static int snd_usX2Y_pcm_close(struct sn
85065 }
85066
85067
85068 -static struct snd_pcm_ops snd_usX2Y_pcm_ops =
85069 -{
85070 +static const struct snd_pcm_ops snd_usX2Y_pcm_ops = {
85071 .open = snd_usX2Y_pcm_open,
85072 .close = snd_usX2Y_pcm_close,
85073 .ioctl = snd_pcm_lib_ioctl,
85074 diff -urNp linux-2.6.39.2/tools/gcc/Makefile linux-2.6.39.2/tools/gcc/Makefile
85075 --- linux-2.6.39.2/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
85076 +++ linux-2.6.39.2/tools/gcc/Makefile 2011-06-03 01:19:01.000000000 -0400
85077 @@ -0,0 +1,11 @@
85078 +#CC := gcc
85079 +#PLUGIN_SOURCE_FILES := pax_plugin.c
85080 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
85081 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
85082 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
85083 +
85084 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
85085 +
85086 +hostlibs-y := pax_plugin.so
85087 +always := $(hostlibs-y)
85088 +pax_plugin-objs := pax_plugin.o
85089 diff -urNp linux-2.6.39.2/tools/gcc/pax_plugin.c linux-2.6.39.2/tools/gcc/pax_plugin.c
85090 --- linux-2.6.39.2/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
85091 +++ linux-2.6.39.2/tools/gcc/pax_plugin.c 2011-06-03 23:14:36.000000000 -0400
85092 @@ -0,0 +1,242 @@
85093 +/*
85094 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
85095 + * Licensed under the GPL v2
85096 + *
85097 + * Note: the choice of the license means that the compilation process is
85098 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
85099 + * but for the kernel it doesn't matter since it doesn't link against
85100 + * any of the gcc libraries
85101 + *
85102 + * gcc plugin to help implement various PaX features
85103 + *
85104 + * - track lowest stack pointer
85105 + *
85106 + * TODO:
85107 + * - initialize all local variables
85108 + *
85109 + * BUGS:
85110 + */
85111 +#include "gcc-plugin.h"
85112 +#include "plugin-version.h"
85113 +#include "config.h"
85114 +#include "system.h"
85115 +#include "coretypes.h"
85116 +#include "tm.h"
85117 +#include "toplev.h"
85118 +#include "basic-block.h"
85119 +#include "gimple.h"
85120 +//#include "expr.h" where are you...
85121 +#include "diagnostic.h"
85122 +#include "rtl.h"
85123 +#include "emit-rtl.h"
85124 +#include "function.h"
85125 +#include "tree.h"
85126 +#include "tree-pass.h"
85127 +#include "intl.h"
85128 +
85129 +int plugin_is_GPL_compatible;
85130 +
85131 +static int track_frame_size = -1;
85132 +static const char track_function[] = "pax_track_stack";
85133 +static bool init_locals;
85134 +
85135 +static struct plugin_info pax_plugin_info = {
85136 + .version = "201106030000",
85137 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
85138 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
85139 +};
85140 +
85141 +static bool gate_pax_track_stack(void);
85142 +static unsigned int execute_pax_tree_instrument(void);
85143 +static unsigned int execute_pax_final(void);
85144 +
85145 +static struct gimple_opt_pass pax_tree_instrument_pass = {
85146 + .pass = {
85147 + .type = GIMPLE_PASS,
85148 + .name = "pax_tree_instrument",
85149 + .gate = gate_pax_track_stack,
85150 + .execute = execute_pax_tree_instrument,
85151 + .sub = NULL,
85152 + .next = NULL,
85153 + .static_pass_number = 0,
85154 + .tv_id = TV_NONE,
85155 + .properties_required = PROP_gimple_leh | PROP_cfg,
85156 + .properties_provided = 0,
85157 + .properties_destroyed = 0,
85158 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
85159 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
85160 + }
85161 +};
85162 +
85163 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
85164 + .pass = {
85165 + .type = RTL_PASS,
85166 + .name = "pax_final",
85167 + .gate = gate_pax_track_stack,
85168 + .execute = execute_pax_final,
85169 + .sub = NULL,
85170 + .next = NULL,
85171 + .static_pass_number = 0,
85172 + .tv_id = TV_NONE,
85173 + .properties_required = 0,
85174 + .properties_provided = 0,
85175 + .properties_destroyed = 0,
85176 + .todo_flags_start = 0,
85177 + .todo_flags_finish = 0
85178 + }
85179 +};
85180 +
85181 +static bool gate_pax_track_stack(void)
85182 +{
85183 + return track_frame_size >= 0;
85184 +}
85185 +
85186 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
85187 +{
85188 + gimple call;
85189 + tree decl, type;
85190 +
85191 + // insert call to void pax_track_stack(void)
85192 + type = build_function_type_list(void_type_node, NULL_TREE);
85193 + decl = build_fn_decl(track_function, type);
85194 + DECL_ASSEMBLER_NAME(decl); // for LTO
85195 + call = gimple_build_call(decl, 0);
85196 + if (before)
85197 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
85198 + else
85199 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
85200 +}
85201 +
85202 +static unsigned int execute_pax_tree_instrument(void)
85203 +{
85204 + basic_block bb;
85205 + gimple_stmt_iterator gsi;
85206 +
85207 + // 1. loop through BBs and GIMPLE statements
85208 + FOR_EACH_BB(bb) {
85209 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
85210 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
85211 + tree decl;
85212 + gimple stmt = gsi_stmt(gsi);
85213 +
85214 + if (!is_gimple_call(stmt))
85215 + continue;
85216 + decl = gimple_call_fndecl(stmt);
85217 + if (!decl)
85218 + continue;
85219 + if (TREE_CODE(decl) != FUNCTION_DECL)
85220 + continue;
85221 + if (!DECL_BUILT_IN(decl))
85222 + continue;
85223 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
85224 + continue;
85225 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
85226 + continue;
85227 +
85228 + // 2. insert track call after each __builtin_alloca call
85229 + pax_add_instrumentation(&gsi, false);
85230 +// print_node(stderr, "pax", decl, 4);
85231 + }
85232 + }
85233 +
85234 + // 3. insert track call at the beginning
85235 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
85236 + gsi = gsi_start_bb(bb);
85237 + pax_add_instrumentation(&gsi, true);
85238 +
85239 + return 0;
85240 +}
85241 +
85242 +static unsigned int execute_pax_final(void)
85243 +{
85244 + rtx insn;
85245 +
85246 + if (cfun->calls_alloca)
85247 + return 0;
85248 +
85249 + // 1. find pax_track_stack calls
85250 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
85251 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
85252 + rtx body;
85253 +
85254 + if (!CALL_P(insn))
85255 + continue;
85256 + body = PATTERN(insn);
85257 + if (GET_CODE(body) != CALL)
85258 + continue;
85259 + body = XEXP(body, 0);
85260 + if (GET_CODE(body) != MEM)
85261 + continue;
85262 + body = XEXP(body, 0);
85263 + if (GET_CODE(body) != SYMBOL_REF)
85264 + continue;
85265 + if (strcmp(XSTR(body, 0), track_function))
85266 + continue;
85267 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85268 + // 2. delete call if function frame is not big enough
85269 + if (get_frame_size() >= track_frame_size)
85270 + continue;
85271 + delete_insn_and_edges(insn);
85272 + }
85273 +
85274 +// print_simple_rtl(stderr, get_insns());
85275 +// print_rtl(stderr, get_insns());
85276 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85277 +
85278 + return 0;
85279 +}
85280 +
85281 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
85282 +{
85283 + const char * const plugin_name = plugin_info->base_name;
85284 + const int argc = plugin_info->argc;
85285 + const struct plugin_argument * const argv = plugin_info->argv;
85286 + int i;
85287 + struct register_pass_info pax_tree_instrument_pass_info = {
85288 + .pass = &pax_tree_instrument_pass.pass,
85289 +// .reference_pass_name = "tree_profile",
85290 + .reference_pass_name = "optimized",
85291 + .ref_pass_instance_number = 0,
85292 + .pos_op = PASS_POS_INSERT_AFTER
85293 + };
85294 + struct register_pass_info pax_final_pass_info = {
85295 + .pass = &pax_final_rtl_opt_pass.pass,
85296 + .reference_pass_name = "final",
85297 + .ref_pass_instance_number = 0,
85298 + .pos_op = PASS_POS_INSERT_BEFORE
85299 + };
85300 +
85301 + if (!plugin_default_version_check(version, &gcc_version)) {
85302 + error(G_("incompatible gcc/plugin versions"));
85303 + return 1;
85304 + }
85305 +
85306 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
85307 +
85308 + for (i = 0; i < argc; ++i) {
85309 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
85310 + if (!argv[i].value) {
85311 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85312 + continue;
85313 + }
85314 + track_frame_size = atoi(argv[i].value);
85315 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
85316 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85317 + continue;
85318 + }
85319 + if (!strcmp(argv[i].key, "initialize-locals")) {
85320 + if (argv[i].value) {
85321 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85322 + continue;
85323 + }
85324 + init_locals = true;
85325 + continue;
85326 + }
85327 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85328 + }
85329 +
85330 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
85331 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
85332 +
85333 + return 0;
85334 +}
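Review bot: The option parsing in plugin_init accepts input that silently does less than the command line asks for. `track-lowest-sp` is converted with `atoi()` after only a first-character check, so a value with trailing garbage (for example `100x`) is taken as 100 and an out-of-range number is not detected. `initialize-locals` sets `init_locals`, which nothing in this file reads (the header lists local initialization under TODO), so a build that passes it gets no initialization and no diagnostic. Parsing with `strtol()` plus an end-pointer and range check, and warning that `initialize-locals` is not implemented, would make a misconfigured hardening build visible.

```c
		if (!strcmp(argv[i].key, "track-lowest-sp")) {
			char *end;
			long size;

			// … unchanged: missing-value check …
			errno = 0;
			size = strtol(argv[i].value, &end, 10);
			if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || *end != '\0' || errno == ERANGE || size > INT_MAX) {
				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
				continue;
			}
			track_frame_size = (int)size;
			continue;
		}
		if (!strcmp(argv[i].key, "initialize-locals")) {
			// … unchanged: reject a supplied value …
			init_locals = true;
			warning(0, G_("option '-fplugin-arg-%s-%s' is accepted but not implemented yet"), plugin_name, argv[i].key);
			continue;
		}
```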
85335 Binary files linux-2.6.39.2/tools/gcc/pax_plugin.so and linux-2.6.39.2/tools/gcc/pax_plugin.so differ
85336 diff -urNp linux-2.6.39.2/tools/perf/builtin-lock.c linux-2.6.39.2/tools/perf/builtin-lock.c
85337 --- linux-2.6.39.2/tools/perf/builtin-lock.c 2011-05-19 00:06:34.000000000 -0400
85338 +++ linux-2.6.39.2/tools/perf/builtin-lock.c 2011-05-22 19:36:36.000000000 -0400
85339 @@ -635,14 +635,14 @@ end:
85340
85341 /* lock oriented handlers */
85342 /* TODO: handlers for CPU oriented, thread oriented */
85343 -static struct trace_lock_handler report_lock_ops = {
85344 +static const struct trace_lock_handler report_lock_ops = {
85345 .acquire_event = report_lock_acquire_event,
85346 .acquired_event = report_lock_acquired_event,
85347 .contended_event = report_lock_contended_event,
85348 .release_event = report_lock_release_event,
85349 };
85350
85351 -static struct trace_lock_handler *trace_handler;
85352 +static const struct trace_lock_handler *trace_handler;
85353
85354 static void
85355 process_lock_acquire_event(void *data,
85356 diff -urNp linux-2.6.39.2/tools/perf/builtin-sched.c linux-2.6.39.2/tools/perf/builtin-sched.c
85357 --- linux-2.6.39.2/tools/perf/builtin-sched.c 2011-05-19 00:06:34.000000000 -0400
85358 +++ linux-2.6.39.2/tools/perf/builtin-sched.c 2011-05-22 19:36:36.000000000 -0400
85359 @@ -845,7 +845,7 @@ replay_fork_event(struct trace_fork_even
85360 register_pid(fork_event->child_pid, fork_event->child_comm);
85361 }
85362
85363 -static struct trace_sched_handler replay_ops = {
85364 +static const struct trace_sched_handler replay_ops = {
85365 .wakeup_event = replay_wakeup_event,
85366 .switch_event = replay_switch_event,
85367 .fork_event = replay_fork_event,
85368 @@ -1183,7 +1183,7 @@ latency_migrate_task_event(struct trace_
85369 nr_unordered_timestamps++;
85370 }
85371
85372 -static struct trace_sched_handler lat_ops = {
85373 +static const struct trace_sched_handler lat_ops = {
85374 .wakeup_event = latency_wakeup_event,
85375 .switch_event = latency_switch_event,
85376 .runtime_event = latency_runtime_event,
85377 @@ -1353,7 +1353,7 @@ static void sort_lat(void)
85378 }
85379 }
85380
85381 -static struct trace_sched_handler *trace_handler;
85382 +static const struct trace_sched_handler *trace_handler;
85383
85384 static void
85385 process_sched_wakeup_event(void *data, struct perf_session *session,
85386 @@ -1719,7 +1719,7 @@ static void __cmd_lat(void)
85387
85388 }
85389
85390 -static struct trace_sched_handler map_ops = {
85391 +static const struct trace_sched_handler map_ops = {
85392 .wakeup_event = NULL,
85393 .switch_event = map_switch_event,
85394 .runtime_event = NULL,
85395 diff -urNp linux-2.6.39.2/usr/gen_init_cpio.c linux-2.6.39.2/usr/gen_init_cpio.c
85396 --- linux-2.6.39.2/usr/gen_init_cpio.c 2011-05-19 00:06:34.000000000 -0400
85397 +++ linux-2.6.39.2/usr/gen_init_cpio.c 2011-05-22 19:36:36.000000000 -0400
85398 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
85399 int retval;
85400 int rc = -1;
85401 int namesize;
85402 - int i;
85403 + unsigned int i;
85404
85405 mode |= S_IFREG;
85406
85407 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
85408 *env_var = *expanded = '\0';
85409 strncat(env_var, start + 2, end - start - 2);
85410 strncat(expanded, new_location, start - new_location);
85411 - strncat(expanded, getenv(env_var), PATH_MAX);
85412 - strncat(expanded, end + 1, PATH_MAX);
85413 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
85414 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
85415 strncpy(new_location, expanded, PATH_MAX);
85416 + new_location[PATH_MAX] = 0;
85417 } else
85418 break;
85419 }
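Review bot: `getenv(env_var)` is still passed straight to `strncat()` on the new line, so a reference to an environment variable that is not set hands a NULL source pointer to `strncat()`, which is undefined behaviour; the tightened length argument does not cover that case. Fetching the value first and substituting an empty string, `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`, keeps the tool from crashing on an unset variable. cpio_replace_env starts outside the hunk, so the sizes of `expanded` and `env_var` are not visible here. The two earlier `strncat()` calls are bounded only by the input and would deserve a check against those sizes, since `PATH_MAX - strlen(expanded)` wraps if `expanded` is already longer than `PATH_MAX`.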
85420 diff -urNp linux-2.6.39.2/virt/kvm/kvm_main.c linux-2.6.39.2/virt/kvm/kvm_main.c
85421 --- linux-2.6.39.2/virt/kvm/kvm_main.c 2011-05-19 00:06:34.000000000 -0400
85422 +++ linux-2.6.39.2/virt/kvm/kvm_main.c 2011-05-22 19:36:36.000000000 -0400
85423 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
85424
85425 static cpumask_var_t cpus_hardware_enabled;
85426 static int kvm_usage_count = 0;
85427 -static atomic_t hardware_enable_failed;
85428 +static atomic_unchecked_t hardware_enable_failed;
85429
85430 struct kmem_cache *kvm_vcpu_cache;
85431 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
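Review bot: The switch of `hardware_enable_failed` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from overflow checking. Judging from the later hunks it is only reset to 0, incremented when enabling fails on a CPU, and tested for non-zero, so it looks like a failure counter rather than a reference count. A one-line comment at the declaration, such as `/* failure count, not a refcount: overflow checking not needed */`, would record that reasoning. The same applies to the `_unchecked` accessors in hardware_enable_nolock and hardware_enable_all further down.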
85432 @@ -1594,7 +1594,7 @@ static int kvm_vcpu_release(struct inode
85433 return 0;
85434 }
85435
85436 -static struct file_operations kvm_vcpu_fops = {
85437 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
85438 .release = kvm_vcpu_release,
85439 .unlocked_ioctl = kvm_vcpu_ioctl,
85440 .compat_ioctl = kvm_vcpu_ioctl,
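Review bot: The added `/* cannot be const */` comment on `kvm_vcpu_fops` does not say what writes to the structure, which is what a later reader needs in order to re-check the exception. If the reason is a runtime assignment to a member (presumably `.owner`, set outside these hunks, to be confirmed), naming it, e.g. `/* cannot be const: .owner is assigned at init */`, would make the exception auditable. The same bare comment appears on `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. The initializer continues past the end of this hunk.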
85441 @@ -2063,7 +2063,7 @@ static int kvm_vm_mmap(struct file *file
85442 return 0;
85443 }
85444
85445 -static struct file_operations kvm_vm_fops = {
85446 +static struct file_operations kvm_vm_fops = { /* cannot be const */
85447 .release = kvm_vm_release,
85448 .unlocked_ioctl = kvm_vm_ioctl,
85449 #ifdef CONFIG_COMPAT
85450 @@ -2161,7 +2161,7 @@ out:
85451 return r;
85452 }
85453
85454 -static struct file_operations kvm_chardev_ops = {
85455 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
85456 .unlocked_ioctl = kvm_dev_ioctl,
85457 .compat_ioctl = kvm_dev_ioctl,
85458 .llseek = noop_llseek,
85459 @@ -2187,7 +2187,7 @@ static void hardware_enable_nolock(void
85460
85461 if (r) {
85462 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
85463 - atomic_inc(&hardware_enable_failed);
85464 + atomic_inc_unchecked(&hardware_enable_failed);
85465 printk(KERN_INFO "kvm: enabling virtualization on "
85466 "CPU%d failed\n", cpu);
85467 }
85468 @@ -2241,10 +2241,10 @@ static int hardware_enable_all(void)
85469
85470 kvm_usage_count++;
85471 if (kvm_usage_count == 1) {
85472 - atomic_set(&hardware_enable_failed, 0);
85473 + atomic_set_unchecked(&hardware_enable_failed, 0);
85474 on_each_cpu(hardware_enable_nolock, NULL, 1);
85475
85476 - if (atomic_read(&hardware_enable_failed)) {
85477 + if (atomic_read_unchecked(&hardware_enable_failed)) {
85478 hardware_disable_all_nolock();
85479 r = -EBUSY;
85480 }
85481 @@ -2509,7 +2509,7 @@ static void kvm_sched_out(struct preempt
85482 kvm_arch_vcpu_put(vcpu);
85483 }
85484
85485 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85486 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85487 struct module *module)
85488 {
85489 int r;
85490 @@ -2572,7 +2572,7 @@ int kvm_init(void *opaque, unsigned vcpu
85491 if (!vcpu_align)
85492 vcpu_align = __alignof__(struct kvm_vcpu);
85493 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
85494 - 0, NULL);
85495 + SLAB_USERCOPY, NULL);
85496 if (!kvm_vcpu_cache) {
85497 r = -ENOMEM;
85498 goto out_free_3;
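Review bot: Passing `SLAB_USERCOPY` here marks the whole `kvm_vcpu` cache as a permitted source or destination for user copies, and the hunk gives no indication of which copy needs it. A comment on the `kmem_cache_create()` call naming the user-copied part of the vcpu object, e.g. `/* <field copied to/from user space> requires usercopy access */`, would let a reviewer judge whether the exemption is wider than necessary. kvm_init starts before this hunk and continues after it.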